npm - @forklaunch/infrastructure-s3 - Versions diffs - 1.2.9 → 1.3.0 - Mend

@forklaunch/infrastructure-s3 1.2.9 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/lib/eject/infrastructure/s3.ts +71 -5
package/lib/index.d.mts +31 -3
package/lib/index.d.ts +31 -3
package/lib/index.js +46 -5
package/lib/index.js.map +1 -1
package/lib/index.mjs +48 -5
package/lib/index.mjs.map +1 -1
package/package.json +3 -3

package/lib/eject/infrastructure/s3.ts CHANGED Viewed

@@ -14,9 +14,30 @@ import {
   OpenTelemetryCollector,
   TelemetryOptions
 } from '@forklaunch/core/http';
+import {
+  getCurrentTenantId,
+  type FieldEncryptor
+} from '@forklaunch/core/persistence';
 import { ObjectStore } from '@forklaunch/core/objectstore';
 import { Readable } from 'stream';
+const ENCRYPTED_PREFIXES = ['v1:', 'v2:'] as const;
+function isEncrypted(value: string): boolean {
+  return ENCRYPTED_PREFIXES.some((p) => value.startsWith(p));
+}
+/**
+ * Options for configuring encryption on the S3 object store.
+ * Required — every consumer must explicitly configure encryption.
+ */
+export interface S3EncryptionOptions {
+  /** The FieldEncryptor instance to use for encrypting object bodies. */
+  encryptor: FieldEncryptor;
+  /** Set to true to disable encryption. Defaults to false (encryption enabled). */
+  disabled?: boolean;
+}
 /**
  * Options for configuring the S3ObjectStore.
  *
@@ -39,6 +60,10 @@ interface S3ObjectStoreOptions {
  * S3-backed implementation of the ObjectStore interface.
  * Provides methods for storing, retrieving, streaming, and deleting objects in S3.
  *
+ * Encryption is enabled by default when an encryptor is provided. Object bodies
+ * are encrypted before upload and decrypted after download using AES-256-GCM
+ * with per-tenant key derivation.
+ *
  * @example
  * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
  * await store.putObject({ key: 'user-1', name: 'Alice' });
@@ -48,26 +73,60 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
   private s3: S3Client;
   private bucket: string;
   private initialized: boolean;
+  private encryptor?: FieldEncryptor;
+  private encryptionDisabled: boolean;
   /**
    * Creates a new S3ObjectStore instance.
    * @param openTelemetryCollector - Collector for OpenTelemetry metrics.
    * @param options - S3 configuration options.
    * @param telemetryOptions - Telemetry configuration options.
+   * @param encryption - Encryption configuration (enabled by default when encryptor provided).
    *
    * @example
-   * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
+   * const store = new S3ObjectStore(
+   *   otelCollector,
+   *   { bucket: 'my-bucket' },
+   *   telemetryOptions,
+   *   { encryptor }
+   * );
    */
   constructor(
     private openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>,
     options: S3ObjectStoreOptions,
-    private telemetryOptions: TelemetryOptions
+    private telemetryOptions: TelemetryOptions,
+    encryption: S3EncryptionOptions
   ) {
     this.s3 = options.client || new S3Client(options.clientConfig || {});
     this.bucket = options.bucket;
     this.initialized = false;
+    this.encryptor = encryption.encryptor;
+    this.encryptionDisabled = encryption.disabled ?? false;
   }
+  // ---------------------------------------------------------------------------
+  // Encryption helpers
+  // ---------------------------------------------------------------------------
+  private encryptBody(body: string): string {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    return this.encryptor.encrypt(body, getCurrentTenantId()) ?? body;
+  }
+  private decryptBody(body: string): string {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    if (!isEncrypted(body)) return body;
+    try {
+      return this.encryptor.decrypt(body, getCurrentTenantId()) ?? body;
+    } catch {
+      return body;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Internal
+  // ---------------------------------------------------------------------------
   private async ensureBucketExists() {
     try {
       await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));
@@ -92,10 +151,11 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
     }
     const { key, ...rest } = object;
+    const body = this.encryptBody(JSON.stringify(rest));
     const params: PutObjectCommandInput = {
       Bucket: this.bucket,
       Key: key,
-      Body: JSON.stringify(rest),
+      Body: body,
       ContentType: 'application/json'
     };
     await this.s3.send(new PutObjectCommand(params));
@@ -186,7 +246,8 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
       throw new Error('S3 did not return a body');
     }
-    return JSON.parse(await resp.Body.transformToString()) as T;
+    const raw = await resp.Body.transformToString();
+    return JSON.parse(this.decryptBody(raw)) as T;
   }
   /**
@@ -204,6 +265,8 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
   /**
    * Streams an object download from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
+   * Use readObject for encrypted objects.
    * @param objectKey - The key of the object to download.
    * @returns A readable stream of the object's contents.
    * @throws If the S3 response does not include a readable stream.
@@ -228,6 +291,7 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
   /**
    * Streams multiple object downloads from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
    * @param objectKeys - The keys of the objects to download.
    * @returns An array of readable streams.
    *
@@ -236,7 +300,9 @@ export class S3ObjectStore implements ObjectStore<S3Client> {
    * streams[0].pipe(fs.createWriteStream('user-1.json'));
    */
   async streamDownloadBatchObjects(objectKeys: string[]): Promise<Readable[]> {
-    return Promise.all(objectKeys.map((key) => this.streamDownloadObject(key)));
+    return Promise.all(
+      objectKeys.map((key) => this.streamDownloadObject(key))
+    );
   }
   /**

package/lib/index.d.mts CHANGED Viewed

@@ -1,8 +1,19 @@
 import { S3Client } from '@aws-sdk/client-s3';
 import { OpenTelemetryCollector, MetricsDefinition, TelemetryOptions } from '@forklaunch/core/http';
+import { FieldEncryptor } from '@forklaunch/core/persistence';
 import { ObjectStore } from '@forklaunch/core/objectstore';
 import { Readable } from 'stream';
+/**
+ * Options for configuring encryption on the S3 object store.
+ * Required — every consumer must explicitly configure encryption.
+ */
+interface S3EncryptionOptions {
+    /** The FieldEncryptor instance to use for encrypting object bodies. */
+    encryptor: FieldEncryptor;
+    /** Set to true to disable encryption. Defaults to false (encryption enabled). */
+    disabled?: boolean;
+}
 /**
  * Options for configuring the S3ObjectStore.
  *
@@ -24,6 +35,10 @@ interface S3ObjectStoreOptions {
  * S3-backed implementation of the ObjectStore interface.
  * Provides methods for storing, retrieving, streaming, and deleting objects in S3.
  *
+ * Encryption is enabled by default when an encryptor is provided. Object bodies
+ * are encrypted before upload and decrypted after download using AES-256-GCM
+ * with per-tenant key derivation.
+ *
  * @example
  * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
  * await store.putObject({ key: 'user-1', name: 'Alice' });
@@ -35,16 +50,26 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     private s3;
     private bucket;
     private initialized;
+    private encryptor?;
+    private encryptionDisabled;
     /**
      * Creates a new S3ObjectStore instance.
      * @param openTelemetryCollector - Collector for OpenTelemetry metrics.
      * @param options - S3 configuration options.
      * @param telemetryOptions - Telemetry configuration options.
+     * @param encryption - Encryption configuration (enabled by default when encryptor provided).
      *
      * @example
-     * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
+     * const store = new S3ObjectStore(
+     *   otelCollector,
+     *   { bucket: 'my-bucket' },
+     *   telemetryOptions,
+     *   { encryptor }
+     * );
      */
-    constructor(openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>, options: S3ObjectStoreOptions, telemetryOptions: TelemetryOptions);
+    constructor(openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>, options: S3ObjectStoreOptions, telemetryOptions: TelemetryOptions, encryption: S3EncryptionOptions);
+    private encryptBody;
+    private decryptBody;
     private ensureBucketExists;
     /**
      * Stores an object in the S3 bucket.
@@ -127,6 +152,8 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     readBatchObjects<T>(objectKeys: string[]): Promise<T[]>;
     /**
      * Streams an object download from the S3 bucket.
+     * Note: Streaming bypasses application-level encryption/decryption.
+     * Use readObject for encrypted objects.
      * @param objectKey - The key of the object to download.
      * @returns A readable stream of the object's contents.
      * @throws If the S3 response does not include a readable stream.
@@ -138,6 +165,7 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     streamDownloadObject(objectKey: string): Promise<Readable>;
     /**
      * Streams multiple object downloads from the S3 bucket.
+     * Note: Streaming bypasses application-level encryption/decryption.
      * @param objectKeys - The keys of the objects to download.
      * @returns An array of readable streams.
      *
@@ -156,4 +184,4 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     getClient(): S3Client;
 }
-export { S3ObjectStore };
+export { type S3EncryptionOptions, S3ObjectStore };

package/lib/index.d.ts CHANGED Viewed

@@ -1,8 +1,19 @@
 import { S3Client } from '@aws-sdk/client-s3';
 import { OpenTelemetryCollector, MetricsDefinition, TelemetryOptions } from '@forklaunch/core/http';
+import { FieldEncryptor } from '@forklaunch/core/persistence';
 import { ObjectStore } from '@forklaunch/core/objectstore';
 import { Readable } from 'stream';
+/**
+ * Options for configuring encryption on the S3 object store.
+ * Required — every consumer must explicitly configure encryption.
+ */
+interface S3EncryptionOptions {
+    /** The FieldEncryptor instance to use for encrypting object bodies. */
+    encryptor: FieldEncryptor;
+    /** Set to true to disable encryption. Defaults to false (encryption enabled). */
+    disabled?: boolean;
+}
 /**
  * Options for configuring the S3ObjectStore.
  *
@@ -24,6 +35,10 @@ interface S3ObjectStoreOptions {
  * S3-backed implementation of the ObjectStore interface.
  * Provides methods for storing, retrieving, streaming, and deleting objects in S3.
  *
+ * Encryption is enabled by default when an encryptor is provided. Object bodies
+ * are encrypted before upload and decrypted after download using AES-256-GCM
+ * with per-tenant key derivation.
+ *
  * @example
  * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
  * await store.putObject({ key: 'user-1', name: 'Alice' });
@@ -35,16 +50,26 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     private s3;
     private bucket;
     private initialized;
+    private encryptor?;
+    private encryptionDisabled;
     /**
      * Creates a new S3ObjectStore instance.
      * @param openTelemetryCollector - Collector for OpenTelemetry metrics.
      * @param options - S3 configuration options.
      * @param telemetryOptions - Telemetry configuration options.
+     * @param encryption - Encryption configuration (enabled by default when encryptor provided).
      *
      * @example
-     * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
+     * const store = new S3ObjectStore(
+     *   otelCollector,
+     *   { bucket: 'my-bucket' },
+     *   telemetryOptions,
+     *   { encryptor }
+     * );
      */
-    constructor(openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>, options: S3ObjectStoreOptions, telemetryOptions: TelemetryOptions);
+    constructor(openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>, options: S3ObjectStoreOptions, telemetryOptions: TelemetryOptions, encryption: S3EncryptionOptions);
+    private encryptBody;
+    private decryptBody;
     private ensureBucketExists;
     /**
      * Stores an object in the S3 bucket.
@@ -127,6 +152,8 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     readBatchObjects<T>(objectKeys: string[]): Promise<T[]>;
     /**
      * Streams an object download from the S3 bucket.
+     * Note: Streaming bypasses application-level encryption/decryption.
+     * Use readObject for encrypted objects.
      * @param objectKey - The key of the object to download.
      * @returns A readable stream of the object's contents.
      * @throws If the S3 response does not include a readable stream.
@@ -138,6 +165,7 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     streamDownloadObject(objectKey: string): Promise<Readable>;
     /**
      * Streams multiple object downloads from the S3 bucket.
+     * Note: Streaming bypasses application-level encryption/decryption.
      * @param objectKeys - The keys of the objects to download.
      * @returns An array of readable streams.
      *
@@ -156,4 +184,4 @@ declare class S3ObjectStore implements ObjectStore<S3Client> {
     getClient(): S3Client;
 }
-export { S3ObjectStore };
+export { type S3EncryptionOptions, S3ObjectStore };

package/lib/index.js CHANGED Viewed

@@ -24,27 +24,61 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 var import_client_s3 = require("@aws-sdk/client-s3");
+var import_persistence = require("@forklaunch/core/persistence");
 var import_stream = require("stream");
+var ENCRYPTED_PREFIXES = ["v1:", "v2:"];
+function isEncrypted(value) {
+  return ENCRYPTED_PREFIXES.some((p) => value.startsWith(p));
+}
 var S3ObjectStore = class {
   /**
    * Creates a new S3ObjectStore instance.
    * @param openTelemetryCollector - Collector for OpenTelemetry metrics.
    * @param options - S3 configuration options.
    * @param telemetryOptions - Telemetry configuration options.
+   * @param encryption - Encryption configuration (enabled by default when encryptor provided).
    *
    * @example
-   * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
+   * const store = new S3ObjectStore(
+   *   otelCollector,
+   *   { bucket: 'my-bucket' },
+   *   telemetryOptions,
+   *   { encryptor }
+   * );
    */
-  constructor(openTelemetryCollector, options, telemetryOptions) {
+  constructor(openTelemetryCollector, options, telemetryOptions, encryption) {
     this.openTelemetryCollector = openTelemetryCollector;
     this.telemetryOptions = telemetryOptions;
     this.s3 = options.client || new import_client_s3.S3Client(options.clientConfig || {});
     this.bucket = options.bucket;
     this.initialized = false;
+    this.encryptor = encryption.encryptor;
+    this.encryptionDisabled = encryption.disabled ?? false;
   }
   s3;
   bucket;
   initialized;
+  encryptor;
+  encryptionDisabled;
+  // ---------------------------------------------------------------------------
+  // Encryption helpers
+  // ---------------------------------------------------------------------------
+  encryptBody(body) {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    return this.encryptor.encrypt(body, (0, import_persistence.getCurrentTenantId)()) ?? body;
+  }
+  decryptBody(body) {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    if (!isEncrypted(body)) return body;
+    try {
+      return this.encryptor.decrypt(body, (0, import_persistence.getCurrentTenantId)()) ?? body;
+    } catch {
+      return body;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Internal
+  // ---------------------------------------------------------------------------
   async ensureBucketExists() {
     try {
       await this.s3.send(new import_client_s3.HeadBucketCommand({ Bucket: this.bucket }));
@@ -66,10 +100,11 @@ var S3ObjectStore = class {
       await this.ensureBucketExists();
     }
     const { key, ...rest } = object;
+    const body = this.encryptBody(JSON.stringify(rest));
     const params = {
       Bucket: this.bucket,
       Key: key,
-      Body: JSON.stringify(rest),
+      Body: body,
       ContentType: "application/json"
     };
     await this.s3.send(new import_client_s3.PutObjectCommand(params));
@@ -150,7 +185,8 @@ var S3ObjectStore = class {
     if (!resp.Body) {
       throw new Error("S3 did not return a body");
     }
-    return JSON.parse(await resp.Body.transformToString());
+    const raw = await resp.Body.transformToString();
+    return JSON.parse(this.decryptBody(raw));
   }
   /**
    * Reads multiple objects from the S3 bucket.
@@ -166,6 +202,8 @@ var S3ObjectStore = class {
   }
   /**
    * Streams an object download from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
+   * Use readObject for encrypted objects.
    * @param objectKey - The key of the object to download.
    * @returns A readable stream of the object's contents.
    * @throws If the S3 response does not include a readable stream.
@@ -188,6 +226,7 @@ var S3ObjectStore = class {
   }
   /**
    * Streams multiple object downloads from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
    * @param objectKeys - The keys of the objects to download.
    * @returns An array of readable streams.
    *
@@ -196,7 +235,9 @@ var S3ObjectStore = class {
    * streams[0].pipe(fs.createWriteStream('user-1.json'));
    */
   async streamDownloadBatchObjects(objectKeys) {
-    return Promise.all(objectKeys.map((key) => this.streamDownloadObject(key)));
+    return Promise.all(
+      objectKeys.map((key) => this.streamDownloadObject(key))
+    );
   }
   /**
    * Gets the underlying S3 client instance.

package/lib/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../index.ts"],"sourcesContent":["import {\n CreateBucketCommand,\n DeleteObjectCommand,\n DeleteObjectsCommand,\n DeleteObjectsCommandInput,\n GetObjectCommand,\n HeadBucketCommand,\n PutObjectCommand,\n PutObjectCommandInput,\n S3Client\n} from '@aws-sdk/client-s3';\nimport {\n MetricsDefinition,\n OpenTelemetryCollector,\n TelemetryOptions\n} from '@forklaunch/core/http';\nimport { ObjectStore } from '@forklaunch/core/objectstore';\nimport { Readable } from 'stream';\n\n/*\n Options for configuring the S3ObjectStore.\n \n @example\n * const options: S3ObjectStoreOptions = {\n * bucket: 'my-bucket',\n * clientConfig: { region: 'us-west-2' }\n * };\n /\ninterface S3ObjectStoreOptions {\n /* The S3 bucket name. /\n bucket: string;\n /* Optional existing S3 client instance. /\n client?: S3Client;\n /* Optional configuration for creating a new S3 client. /\n clientConfig?: ConstructorParameters<typeof S3Client>[0];\n}\n\n/\n S3-backed implementation of the ObjectStore interface.\n * Provides methods for storing, retrieving, streaming, and deleting objects in S3.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n * const user = await store.readObject<{ name: string }>('user-1');\n /\nexport class S3ObjectStore implements ObjectStore<S3Client> {\n private s3: S3Client;\n private bucket: string;\n private initialized: boolean;\n\n /\n Creates a new S3ObjectStore instance.\n * @param openTelemetryCollector - Collector for OpenTelemetry metrics.\n * @param options - S3 configuration options.\n * @param telemetryOptions - Telemetry configuration options.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n /\n constructor(\n private openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>,\n options: S3ObjectStoreOptions,\n private telemetryOptions: TelemetryOptions\n ) {\n this.s3 = options.client \|\| new S3Client(options.clientConfig \|\| {});\n this.bucket = options.bucket;\n this.initialized = false;\n }\n\n private async ensureBucketExists() {\n try {\n await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));\n } catch {\n await this.s3.send(new CreateBucketCommand({ Bucket: this.bucket }));\n }\n\n this.initialized = true;\n }\n\n /\n Stores an object in the S3 bucket.\n * @template T - The type of the object being stored.\n * @param object - The object to store. Must include a `key` property.\n \n @example\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n /\n async putObject<T>(object: T & { key: string }): Promise<void> {\n if (!this.initialized) {\n await this.ensureBucketExists();\n }\n\n const { key, ...rest } = object;\n const params: PutObjectCommandInput = {\n Bucket: this.bucket,\n Key: key,\n Body: JSON.stringify(rest),\n ContentType: 'application/json'\n };\n await this.s3.send(new PutObjectCommand(params));\n }\n\n /\n Stores multiple objects in the S3 bucket.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to store. Each must include a `key` property.\n \n @example\n * await store.putBatchObjects([\n * { key: 'user-1', name: 'Alice' },\n * { key: 'user-2', name: 'Bob' }\n * ]);\n /\n async putBatchObjects<T>(objects: (T & { key: string })[]): Promise<void> {\n await Promise.all(objects.map((obj) => this.putObject(obj)));\n }\n\n /\n Streams an object upload to the S3 bucket.\n * For compatibility; uses putObject internally.\n * @template T - The type of the object being stored.\n * @param object - The object to stream-upload. Must include a `key` property.\n /\n async streamUploadObject<T>(object: T & { key: string }): Promise<void> {\n await this.putObject(object);\n }\n\n /\n Streams multiple object uploads to the S3 bucket.\n * For compatibility; uses putBatchObjects internally.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to stream-upload. Each must include a `key` property.\n /\n async streamUploadBatchObjects<T>(\n objects: (T & { key: string })[]\n ): Promise<void> {\n await this.putBatchObjects(objects);\n }\n\n /\n Deletes an object from the S3 bucket.\n * @param objectKey - The key of the object to delete.\n \n @example\n * await store.deleteObject('user-1');\n /\n async deleteObject(objectKey: string): Promise<void> {\n await this.s3.send(\n new DeleteObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n }\n\n /\n Deletes multiple objects from the S3 bucket.\n * @param objectKeys - The keys of the objects to delete.\n \n @example\n * await store.deleteBatchObjects(['user-1', 'user-2']);\n /\n async deleteBatchObjects(objectKeys: string[]): Promise<void> {\n const params: DeleteObjectsCommandInput = {\n Bucket: this.bucket,\n Delete: {\n Objects: objectKeys.map((Key) => ({ Key }))\n }\n };\n await this.s3.send(new DeleteObjectsCommand(params));\n }\n\n /\n Reads an object from the S3 bucket.\n * @template T - The expected type of the object.\n * @param objectKey - The key of the object to read.\n * @returns The parsed object.\n \n @example\n * const user = await store.readObject<{ name: string }>('user-1');\n /\n async readObject<T>(objectKey: string): Promise<T> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n\n if (!resp.Body) {\n throw new Error('S3 did not return a body');\n }\n\n return JSON.parse(await resp.Body.transformToString()) as T;\n }\n\n /\n Reads multiple objects from the S3 bucket.\n * @template T - The expected type of the objects.\n * @param objectKeys - The keys of the objects to read.\n * @returns An array of parsed objects.\n \n @example\n * const users = await store.readBatchObjects<{ name: string }>(['user-1', 'user-2']);\n /\n async readBatchObjects<T>(objectKeys: string[]): Promise<T[]> {\n return Promise.all(objectKeys.map((key) => this.readObject<T>(key)));\n }\n\n /\n Streams an object download from the S3 bucket.\n * @param objectKey - The key of the object to download.\n * @returns A readable stream of the object's contents.\n * @throws If the S3 response does not include a readable stream.\n \n @example\n * const stream = await store.streamDownloadObject('user-1');\n * stream.pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadObject(objectKey: string): Promise<Readable> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n const webStream = resp.Body?.transformToWebStream();\n if (!webStream) {\n throw new Error('S3 did not return a stream');\n }\n\n return Readable.fromWeb(\n webStream as Parameters<typeof Readable.fromWeb>[0]\n );\n }\n\n /\n Streams multiple object downloads from the S3 bucket.\n * @param objectKeys - The keys of the objects to download.\n * @returns An array of readable streams.\n \n @example\n * const streams = await store.streamDownloadBatchObjects(['user-1', 'user-2']);\n * streams[0].pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadBatchObjects(objectKeys: string[]): Promise<Readable[]> {\n return Promise.all(objectKeys.map((key) => this.streamDownloadObject(key)));\n }\n\n /\n Gets the underlying S3 client instance.\n * @returns The S3Client instance used by this store.\n \n @example\n * const s3Client = store.getClient();\n */\n getClient(): S3Client {\n return this.s3;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAUO;AAOP,oBAAyB;AA6BlB,IAAM,gBAAN,MAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAc1D,YACU,wBACR,SACQ,kBACR;AAHQ;AAEA;AAER,SAAK,KAAK,QAAQ,UAAU,IAAI,0BAAS,QAAQ,gBAAgB,CAAC,CAAC;AACnE,SAAK,SAAS,QAAQ;AACtB,SAAK,cAAc;AAAA,EACrB;AAAA,EArBQ;AAAA,EACA;AAAA,EACA;AAAA,EAqBR,MAAc,qBAAqB;AACjC,QAAI;AACF,YAAM,KAAK,GAAG,KAAK,IAAI,mCAAkB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACnE,QAAQ;AACN,YAAM,KAAK,GAAG,KAAK,IAAI,qCAAoB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACrE;AAEA,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAa,QAA4C;AAC7D,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,mBAAmB;AAAA,IAChC;AAEA,UAAM,EAAE,KAAK,GAAG,KAAK,IAAI;AACzB,UAAM,SAAgC;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,KAAK;AAAA,MACL,MAAM,KAAK,UAAU,IAAI;AAAA,MACzB,aAAa;AAAA,IACf;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,kCAAiB,MAAM,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,gBAAmB,SAAiD;AACxE,UAAM,QAAQ,IAAI,QAAQ,IAAI,CAAC,QAAQ,KAAK,UAAU,GAAG,CAAC,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,mBAAsB,QAA4C;AACtE,UAAM,KAAK,UAAU,MAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,yBACJ,SACe;AACf,UAAM,KAAK,gBAAgB,OAAO;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,WAAkC;AACnD,UAAM,KAAK,GAAG;AAAA,MACZ,IAAI,qCAAoB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,YAAqC;AAC5D,UAAM,SAAoC;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,QAAQ;AAAA,QACN,SAAS,WAAW,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;AAAA,MAC5C;AAAA,IACF;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,sCAAqB,MAAM,CAAC;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,WAAc,WAA+B;AACjD,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,kCAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,WAAO,KAAK,MAAM,MAAM,KAAK,KAAK,kBAAkB,CAAC;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAoB,YAAoC;AAC5D,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,WAAc,GAAG,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,qBAAqB,WAAsC;AAC/D,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,kCAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AACA,UAAM,YAAY,KAAK,MAAM,qBAAqB;AAClD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,WAAO,uBAAS;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,2BAA2B,YAA2C;AAC1E,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,qBAAqB,GAAG,CAAC,CAAC;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAsB;AACpB,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}
1	+ {"version":3,"sources":["../index.ts"],"sourcesContent":["import {\n CreateBucketCommand,\n DeleteObjectCommand,\n DeleteObjectsCommand,\n DeleteObjectsCommandInput,\n GetObjectCommand,\n HeadBucketCommand,\n PutObjectCommand,\n PutObjectCommandInput,\n S3Client\n} from '@aws-sdk/client-s3';\nimport {\n MetricsDefinition,\n OpenTelemetryCollector,\n TelemetryOptions\n} from '@forklaunch/core/http';\nimport {\n getCurrentTenantId,\n type FieldEncryptor\n} from '@forklaunch/core/persistence';\nimport { ObjectStore } from '@forklaunch/core/objectstore';\nimport { Readable } from 'stream';\n\nconst ENCRYPTED_PREFIXES = ['v1:', 'v2:'] as const;\n\nfunction isEncrypted(value: string): boolean {\n return ENCRYPTED_PREFIXES.some((p) => value.startsWith(p));\n}\n\n/*\n Options for configuring encryption on the S3 object store.\n * Required — every consumer must explicitly configure encryption.\n /\nexport interface S3EncryptionOptions {\n /* The FieldEncryptor instance to use for encrypting object bodies. /\n encryptor: FieldEncryptor;\n /* Set to true to disable encryption. Defaults to false (encryption enabled). /\n disabled?: boolean;\n}\n\n/\n Options for configuring the S3ObjectStore.\n \n @example\n * const options: S3ObjectStoreOptions = {\n * bucket: 'my-bucket',\n * clientConfig: { region: 'us-west-2' }\n * };\n /\ninterface S3ObjectStoreOptions {\n /* The S3 bucket name. /\n bucket: string;\n /* Optional existing S3 client instance. /\n client?: S3Client;\n /* Optional configuration for creating a new S3 client. /\n clientConfig?: ConstructorParameters<typeof S3Client>[0];\n}\n\n/\n S3-backed implementation of the ObjectStore interface.\n * Provides methods for storing, retrieving, streaming, and deleting objects in S3.\n \n Encryption is enabled by default when an encryptor is provided. Object bodies\n * are encrypted before upload and decrypted after download using AES-256-GCM\n * with per-tenant key derivation.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n * const user = await store.readObject<{ name: string }>('user-1');\n /\nexport class S3ObjectStore implements ObjectStore<S3Client> {\n private s3: S3Client;\n private bucket: string;\n private initialized: boolean;\n private encryptor?: FieldEncryptor;\n private encryptionDisabled: boolean;\n\n /\n Creates a new S3ObjectStore instance.\n * @param openTelemetryCollector - Collector for OpenTelemetry metrics.\n * @param options - S3 configuration options.\n * @param telemetryOptions - Telemetry configuration options.\n * @param encryption - Encryption configuration (enabled by default when encryptor provided).\n \n @example\n * const store = new S3ObjectStore(\n * otelCollector,\n * { bucket: 'my-bucket' },\n * telemetryOptions,\n * { encryptor }\n * );\n /\n constructor(\n private openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>,\n options: S3ObjectStoreOptions,\n private telemetryOptions: TelemetryOptions,\n encryption: S3EncryptionOptions\n ) {\n this.s3 = options.client \|\| new S3Client(options.clientConfig \|\| {});\n this.bucket = options.bucket;\n this.initialized = false;\n this.encryptor = encryption.encryptor;\n this.encryptionDisabled = encryption.disabled ?? false;\n }\n\n // ---------------------------------------------------------------------------\n // Encryption helpers\n // ---------------------------------------------------------------------------\n\n private encryptBody(body: string): string {\n if (!this.encryptor \|\| this.encryptionDisabled) return body;\n return this.encryptor.encrypt(body, getCurrentTenantId()) ?? body;\n }\n\n private decryptBody(body: string): string {\n if (!this.encryptor \|\| this.encryptionDisabled) return body;\n if (!isEncrypted(body)) return body;\n try {\n return this.encryptor.decrypt(body, getCurrentTenantId()) ?? body;\n } catch {\n return body;\n }\n }\n\n // ---------------------------------------------------------------------------\n // Internal\n // ---------------------------------------------------------------------------\n\n private async ensureBucketExists() {\n try {\n await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));\n } catch {\n await this.s3.send(new CreateBucketCommand({ Bucket: this.bucket }));\n }\n\n this.initialized = true;\n }\n\n /\n Stores an object in the S3 bucket.\n * @template T - The type of the object being stored.\n * @param object - The object to store. Must include a `key` property.\n \n @example\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n /\n async putObject<T>(object: T & { key: string }): Promise<void> {\n if (!this.initialized) {\n await this.ensureBucketExists();\n }\n\n const { key, ...rest } = object;\n const body = this.encryptBody(JSON.stringify(rest));\n const params: PutObjectCommandInput = {\n Bucket: this.bucket,\n Key: key,\n Body: body,\n ContentType: 'application/json'\n };\n await this.s3.send(new PutObjectCommand(params));\n }\n\n /\n Stores multiple objects in the S3 bucket.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to store. Each must include a `key` property.\n \n @example\n * await store.putBatchObjects([\n * { key: 'user-1', name: 'Alice' },\n * { key: 'user-2', name: 'Bob' }\n * ]);\n /\n async putBatchObjects<T>(objects: (T & { key: string })[]): Promise<void> {\n await Promise.all(objects.map((obj) => this.putObject(obj)));\n }\n\n /\n Streams an object upload to the S3 bucket.\n * For compatibility; uses putObject internally.\n * @template T - The type of the object being stored.\n * @param object - The object to stream-upload. Must include a `key` property.\n /\n async streamUploadObject<T>(object: T & { key: string }): Promise<void> {\n await this.putObject(object);\n }\n\n /\n Streams multiple object uploads to the S3 bucket.\n * For compatibility; uses putBatchObjects internally.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to stream-upload. Each must include a `key` property.\n /\n async streamUploadBatchObjects<T>(\n objects: (T & { key: string })[]\n ): Promise<void> {\n await this.putBatchObjects(objects);\n }\n\n /\n Deletes an object from the S3 bucket.\n * @param objectKey - The key of the object to delete.\n \n @example\n * await store.deleteObject('user-1');\n /\n async deleteObject(objectKey: string): Promise<void> {\n await this.s3.send(\n new DeleteObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n }\n\n /\n Deletes multiple objects from the S3 bucket.\n * @param objectKeys - The keys of the objects to delete.\n \n @example\n * await store.deleteBatchObjects(['user-1', 'user-2']);\n /\n async deleteBatchObjects(objectKeys: string[]): Promise<void> {\n const params: DeleteObjectsCommandInput = {\n Bucket: this.bucket,\n Delete: {\n Objects: objectKeys.map((Key) => ({ Key }))\n }\n };\n await this.s3.send(new DeleteObjectsCommand(params));\n }\n\n /\n Reads an object from the S3 bucket.\n * @template T - The expected type of the object.\n * @param objectKey - The key of the object to read.\n * @returns The parsed object.\n \n @example\n * const user = await store.readObject<{ name: string }>('user-1');\n /\n async readObject<T>(objectKey: string): Promise<T> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n\n if (!resp.Body) {\n throw new Error('S3 did not return a body');\n }\n\n const raw = await resp.Body.transformToString();\n return JSON.parse(this.decryptBody(raw)) as T;\n }\n\n /\n Reads multiple objects from the S3 bucket.\n * @template T - The expected type of the objects.\n * @param objectKeys - The keys of the objects to read.\n * @returns An array of parsed objects.\n \n @example\n * const users = await store.readBatchObjects<{ name: string }>(['user-1', 'user-2']);\n /\n async readBatchObjects<T>(objectKeys: string[]): Promise<T[]> {\n return Promise.all(objectKeys.map((key) => this.readObject<T>(key)));\n }\n\n /\n Streams an object download from the S3 bucket.\n * Note: Streaming bypasses application-level encryption/decryption.\n * Use readObject for encrypted objects.\n * @param objectKey - The key of the object to download.\n * @returns A readable stream of the object's contents.\n * @throws If the S3 response does not include a readable stream.\n \n @example\n * const stream = await store.streamDownloadObject('user-1');\n * stream.pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadObject(objectKey: string): Promise<Readable> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n const webStream = resp.Body?.transformToWebStream();\n if (!webStream) {\n throw new Error('S3 did not return a stream');\n }\n\n return Readable.fromWeb(\n webStream as Parameters<typeof Readable.fromWeb>[0]\n );\n }\n\n /\n Streams multiple object downloads from the S3 bucket.\n * Note: Streaming bypasses application-level encryption/decryption.\n * @param objectKeys - The keys of the objects to download.\n * @returns An array of readable streams.\n \n @example\n * const streams = await store.streamDownloadBatchObjects(['user-1', 'user-2']);\n * streams[0].pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadBatchObjects(objectKeys: string[]): Promise<Readable[]> {\n return Promise.all(\n objectKeys.map((key) => this.streamDownloadObject(key))\n );\n }\n\n /\n Gets the underlying S3 client instance.\n * @returns The S3Client instance used by this store.\n \n @example\n * const s3Client = store.getClient();\n */\n getClient(): S3Client {\n return this.s3;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAUO;AAMP,yBAGO;AAEP,oBAAyB;AAEzB,IAAM,qBAAqB,CAAC,OAAO,KAAK;AAExC,SAAS,YAAY,OAAwB;AAC3C,SAAO,mBAAmB,KAAK,CAAC,MAAM,MAAM,WAAW,CAAC,CAAC;AAC3D;AA4CO,IAAM,gBAAN,MAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsB1D,YACU,wBACR,SACQ,kBACR,YACA;AAJQ;AAEA;AAGR,SAAK,KAAK,QAAQ,UAAU,IAAI,0BAAS,QAAQ,gBAAgB,CAAC,CAAC;AACnE,SAAK,SAAS,QAAQ;AACtB,SAAK,cAAc;AACnB,SAAK,YAAY,WAAW;AAC5B,SAAK,qBAAqB,WAAW,YAAY;AAAA,EACnD;AAAA,EAhCQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA,EAkCA,YAAY,MAAsB;AACxC,QAAI,CAAC,KAAK,aAAa,KAAK,mBAAoB,QAAO;AACvD,WAAO,KAAK,UAAU,QAAQ,UAAM,uCAAmB,CAAC,KAAK;AAAA,EAC/D;AAAA,EAEQ,YAAY,MAAsB;AACxC,QAAI,CAAC,KAAK,aAAa,KAAK,mBAAoB,QAAO;AACvD,QAAI,CAAC,YAAY,IAAI,EAAG,QAAO;AAC/B,QAAI;AACF,aAAO,KAAK,UAAU,QAAQ,UAAM,uCAAmB,CAAC,KAAK;AAAA,IAC/D,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,qBAAqB;AACjC,QAAI;AACF,YAAM,KAAK,GAAG,KAAK,IAAI,mCAAkB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACnE,QAAQ;AACN,YAAM,KAAK,GAAG,KAAK,IAAI,qCAAoB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACrE;AAEA,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAa,QAA4C;AAC7D,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,mBAAmB;AAAA,IAChC;AAEA,UAAM,EAAE,KAAK,GAAG,KAAK,IAAI;AACzB,UAAM,OAAO,KAAK,YAAY,KAAK,UAAU,IAAI,CAAC;AAClD,UAAM,SAAgC;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,KAAK;AAAA,MACL,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,kCAAiB,MAAM,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,gBAAmB,SAAiD;AACxE,UAAM,QAAQ,IAAI,QAAQ,IAAI,CAAC,QAAQ,KAAK,UAAU,GAAG,CAAC,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,mBAAsB,QAA4C;AACtE,UAAM,KAAK,UAAU,MAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,yBACJ,SACe;AACf,UAAM,KAAK,gBAAgB,OAAO;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,WAAkC;AACnD,UAAM,KAAK,GAAG;AAAA,MACZ,IAAI,qCAAoB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,YAAqC;AAC5D,UAAM,SAAoC;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,QAAQ;AAAA,QACN,SAAS,WAAW,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;AAAA,MAC5C;AAAA,IACF;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,sCAAqB,MAAM,CAAC;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,WAAc,WAA+B;AACjD,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,kCAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,MAAM,MAAM,KAAK,KAAK,kBAAkB;AAC9C,WAAO,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAoB,YAAoC;AAC5D,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,WAAc,GAAG,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,qBAAqB,WAAsC;AAC/D,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,kCAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AACA,UAAM,YAAY,KAAK,MAAM,qBAAqB;AAClD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,WAAO,uBAAS;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,2BAA2B,YAA2C;AAC1E,WAAO,QAAQ;AAAA,MACb,WAAW,IAAI,CAAC,QAAQ,KAAK,qBAAqB,GAAG,CAAC;AAAA,IACxD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAsB;AACpB,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}

package/lib/index.mjs CHANGED Viewed

@@ -8,27 +8,63 @@ import {
   PutObjectCommand,
   S3Client
 } from "@aws-sdk/client-s3";
+import {
+  getCurrentTenantId
+} from "@forklaunch/core/persistence";
 import { Readable } from "stream";
+var ENCRYPTED_PREFIXES = ["v1:", "v2:"];
+function isEncrypted(value) {
+  return ENCRYPTED_PREFIXES.some((p) => value.startsWith(p));
+}
 var S3ObjectStore = class {
   /**
    * Creates a new S3ObjectStore instance.
    * @param openTelemetryCollector - Collector for OpenTelemetry metrics.
    * @param options - S3 configuration options.
    * @param telemetryOptions - Telemetry configuration options.
+   * @param encryption - Encryption configuration (enabled by default when encryptor provided).
    *
    * @example
-   * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);
+   * const store = new S3ObjectStore(
+   *   otelCollector,
+   *   { bucket: 'my-bucket' },
+   *   telemetryOptions,
+   *   { encryptor }
+   * );
    */
-  constructor(openTelemetryCollector, options, telemetryOptions) {
+  constructor(openTelemetryCollector, options, telemetryOptions, encryption) {
     this.openTelemetryCollector = openTelemetryCollector;
     this.telemetryOptions = telemetryOptions;
     this.s3 = options.client || new S3Client(options.clientConfig || {});
     this.bucket = options.bucket;
     this.initialized = false;
+    this.encryptor = encryption.encryptor;
+    this.encryptionDisabled = encryption.disabled ?? false;
   }
   s3;
   bucket;
   initialized;
+  encryptor;
+  encryptionDisabled;
+  // ---------------------------------------------------------------------------
+  // Encryption helpers
+  // ---------------------------------------------------------------------------
+  encryptBody(body) {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    return this.encryptor.encrypt(body, getCurrentTenantId()) ?? body;
+  }
+  decryptBody(body) {
+    if (!this.encryptor || this.encryptionDisabled) return body;
+    if (!isEncrypted(body)) return body;
+    try {
+      return this.encryptor.decrypt(body, getCurrentTenantId()) ?? body;
+    } catch {
+      return body;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Internal
+  // ---------------------------------------------------------------------------
   async ensureBucketExists() {
     try {
       await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));
@@ -50,10 +86,11 @@ var S3ObjectStore = class {
       await this.ensureBucketExists();
     }
     const { key, ...rest } = object;
+    const body = this.encryptBody(JSON.stringify(rest));
     const params = {
       Bucket: this.bucket,
       Key: key,
-      Body: JSON.stringify(rest),
+      Body: body,
       ContentType: "application/json"
     };
     await this.s3.send(new PutObjectCommand(params));
@@ -134,7 +171,8 @@ var S3ObjectStore = class {
     if (!resp.Body) {
       throw new Error("S3 did not return a body");
     }
-    return JSON.parse(await resp.Body.transformToString());
+    const raw = await resp.Body.transformToString();
+    return JSON.parse(this.decryptBody(raw));
   }
   /**
    * Reads multiple objects from the S3 bucket.
@@ -150,6 +188,8 @@ var S3ObjectStore = class {
   }
   /**
    * Streams an object download from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
+   * Use readObject for encrypted objects.
    * @param objectKey - The key of the object to download.
    * @returns A readable stream of the object's contents.
    * @throws If the S3 response does not include a readable stream.
@@ -172,6 +212,7 @@ var S3ObjectStore = class {
   }
   /**
    * Streams multiple object downloads from the S3 bucket.
+   * Note: Streaming bypasses application-level encryption/decryption.
    * @param objectKeys - The keys of the objects to download.
    * @returns An array of readable streams.
    *
@@ -180,7 +221,9 @@ var S3ObjectStore = class {
    * streams[0].pipe(fs.createWriteStream('user-1.json'));
    */
   async streamDownloadBatchObjects(objectKeys) {
-    return Promise.all(objectKeys.map((key) => this.streamDownloadObject(key)));
+    return Promise.all(
+      objectKeys.map((key) => this.streamDownloadObject(key))
+    );
   }
   /**
    * Gets the underlying S3 client instance.

package/lib/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../index.ts"],"sourcesContent":["import {\n CreateBucketCommand,\n DeleteObjectCommand,\n DeleteObjectsCommand,\n DeleteObjectsCommandInput,\n GetObjectCommand,\n HeadBucketCommand,\n PutObjectCommand,\n PutObjectCommandInput,\n S3Client\n} from '@aws-sdk/client-s3';\nimport {\n MetricsDefinition,\n OpenTelemetryCollector,\n TelemetryOptions\n} from '@forklaunch/core/http';\nimport { ObjectStore } from '@forklaunch/core/objectstore';\nimport { Readable } from 'stream';\n\n/*\n Options for configuring the S3ObjectStore.\n \n @example\n * const options: S3ObjectStoreOptions = {\n * bucket: 'my-bucket',\n * clientConfig: { region: 'us-west-2' }\n * };\n /\ninterface S3ObjectStoreOptions {\n /* The S3 bucket name. /\n bucket: string;\n /* Optional existing S3 client instance. /\n client?: S3Client;\n /* Optional configuration for creating a new S3 client. /\n clientConfig?: ConstructorParameters<typeof S3Client>[0];\n}\n\n/\n S3-backed implementation of the ObjectStore interface.\n * Provides methods for storing, retrieving, streaming, and deleting objects in S3.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n * const user = await store.readObject<{ name: string }>('user-1');\n /\nexport class S3ObjectStore implements ObjectStore<S3Client> {\n private s3: S3Client;\n private bucket: string;\n private initialized: boolean;\n\n /\n Creates a new S3ObjectStore instance.\n * @param openTelemetryCollector - Collector for OpenTelemetry metrics.\n * @param options - S3 configuration options.\n * @param telemetryOptions - Telemetry configuration options.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n /\n constructor(\n private openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>,\n options: S3ObjectStoreOptions,\n private telemetryOptions: TelemetryOptions\n ) {\n this.s3 = options.client \|\| new S3Client(options.clientConfig \|\| {});\n this.bucket = options.bucket;\n this.initialized = false;\n }\n\n private async ensureBucketExists() {\n try {\n await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));\n } catch {\n await this.s3.send(new CreateBucketCommand({ Bucket: this.bucket }));\n }\n\n this.initialized = true;\n }\n\n /\n Stores an object in the S3 bucket.\n * @template T - The type of the object being stored.\n * @param object - The object to store. Must include a `key` property.\n \n @example\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n /\n async putObject<T>(object: T & { key: string }): Promise<void> {\n if (!this.initialized) {\n await this.ensureBucketExists();\n }\n\n const { key, ...rest } = object;\n const params: PutObjectCommandInput = {\n Bucket: this.bucket,\n Key: key,\n Body: JSON.stringify(rest),\n ContentType: 'application/json'\n };\n await this.s3.send(new PutObjectCommand(params));\n }\n\n /\n Stores multiple objects in the S3 bucket.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to store. Each must include a `key` property.\n \n @example\n * await store.putBatchObjects([\n * { key: 'user-1', name: 'Alice' },\n * { key: 'user-2', name: 'Bob' }\n * ]);\n /\n async putBatchObjects<T>(objects: (T & { key: string })[]): Promise<void> {\n await Promise.all(objects.map((obj) => this.putObject(obj)));\n }\n\n /\n Streams an object upload to the S3 bucket.\n * For compatibility; uses putObject internally.\n * @template T - The type of the object being stored.\n * @param object - The object to stream-upload. Must include a `key` property.\n /\n async streamUploadObject<T>(object: T & { key: string }): Promise<void> {\n await this.putObject(object);\n }\n\n /\n Streams multiple object uploads to the S3 bucket.\n * For compatibility; uses putBatchObjects internally.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to stream-upload. Each must include a `key` property.\n /\n async streamUploadBatchObjects<T>(\n objects: (T & { key: string })[]\n ): Promise<void> {\n await this.putBatchObjects(objects);\n }\n\n /\n Deletes an object from the S3 bucket.\n * @param objectKey - The key of the object to delete.\n \n @example\n * await store.deleteObject('user-1');\n /\n async deleteObject(objectKey: string): Promise<void> {\n await this.s3.send(\n new DeleteObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n }\n\n /\n Deletes multiple objects from the S3 bucket.\n * @param objectKeys - The keys of the objects to delete.\n \n @example\n * await store.deleteBatchObjects(['user-1', 'user-2']);\n /\n async deleteBatchObjects(objectKeys: string[]): Promise<void> {\n const params: DeleteObjectsCommandInput = {\n Bucket: this.bucket,\n Delete: {\n Objects: objectKeys.map((Key) => ({ Key }))\n }\n };\n await this.s3.send(new DeleteObjectsCommand(params));\n }\n\n /\n Reads an object from the S3 bucket.\n * @template T - The expected type of the object.\n * @param objectKey - The key of the object to read.\n * @returns The parsed object.\n \n @example\n * const user = await store.readObject<{ name: string }>('user-1');\n /\n async readObject<T>(objectKey: string): Promise<T> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n\n if (!resp.Body) {\n throw new Error('S3 did not return a body');\n }\n\n return JSON.parse(await resp.Body.transformToString()) as T;\n }\n\n /\n Reads multiple objects from the S3 bucket.\n * @template T - The expected type of the objects.\n * @param objectKeys - The keys of the objects to read.\n * @returns An array of parsed objects.\n \n @example\n * const users = await store.readBatchObjects<{ name: string }>(['user-1', 'user-2']);\n /\n async readBatchObjects<T>(objectKeys: string[]): Promise<T[]> {\n return Promise.all(objectKeys.map((key) => this.readObject<T>(key)));\n }\n\n /\n Streams an object download from the S3 bucket.\n * @param objectKey - The key of the object to download.\n * @returns A readable stream of the object's contents.\n * @throws If the S3 response does not include a readable stream.\n \n @example\n * const stream = await store.streamDownloadObject('user-1');\n * stream.pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadObject(objectKey: string): Promise<Readable> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n const webStream = resp.Body?.transformToWebStream();\n if (!webStream) {\n throw new Error('S3 did not return a stream');\n }\n\n return Readable.fromWeb(\n webStream as Parameters<typeof Readable.fromWeb>[0]\n );\n }\n\n /\n Streams multiple object downloads from the S3 bucket.\n * @param objectKeys - The keys of the objects to download.\n * @returns An array of readable streams.\n \n @example\n * const streams = await store.streamDownloadBatchObjects(['user-1', 'user-2']);\n * streams[0].pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadBatchObjects(objectKeys: string[]): Promise<Readable[]> {\n return Promise.all(objectKeys.map((key) => this.streamDownloadObject(key)));\n }\n\n /\n Gets the underlying S3 client instance.\n * @returns The S3Client instance used by this store.\n \n @example\n * const s3Client = store.getClient();\n */\n getClient(): S3Client {\n return this.s3;\n }\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,OACK;AAOP,SAAS,gBAAgB;AA6BlB,IAAM,gBAAN,MAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAc1D,YACU,wBACR,SACQ,kBACR;AAHQ;AAEA;AAER,SAAK,KAAK,QAAQ,UAAU,IAAI,SAAS,QAAQ,gBAAgB,CAAC,CAAC;AACnE,SAAK,SAAS,QAAQ;AACtB,SAAK,cAAc;AAAA,EACrB;AAAA,EArBQ;AAAA,EACA;AAAA,EACA;AAAA,EAqBR,MAAc,qBAAqB;AACjC,QAAI;AACF,YAAM,KAAK,GAAG,KAAK,IAAI,kBAAkB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACnE,QAAQ;AACN,YAAM,KAAK,GAAG,KAAK,IAAI,oBAAoB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACrE;AAEA,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAa,QAA4C;AAC7D,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,mBAAmB;AAAA,IAChC;AAEA,UAAM,EAAE,KAAK,GAAG,KAAK,IAAI;AACzB,UAAM,SAAgC;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,KAAK;AAAA,MACL,MAAM,KAAK,UAAU,IAAI;AAAA,MACzB,aAAa;AAAA,IACf;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,iBAAiB,MAAM,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,gBAAmB,SAAiD;AACxE,UAAM,QAAQ,IAAI,QAAQ,IAAI,CAAC,QAAQ,KAAK,UAAU,GAAG,CAAC,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,mBAAsB,QAA4C;AACtE,UAAM,KAAK,UAAU,MAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,yBACJ,SACe;AACf,UAAM,KAAK,gBAAgB,OAAO;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,WAAkC;AACnD,UAAM,KAAK,GAAG;AAAA,MACZ,IAAI,oBAAoB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,YAAqC;AAC5D,UAAM,SAAoC;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,QAAQ;AAAA,QACN,SAAS,WAAW,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;AAAA,MAC5C;AAAA,IACF;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,qBAAqB,MAAM,CAAC;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,WAAc,WAA+B;AACjD,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,iBAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,WAAO,KAAK,MAAM,MAAM,KAAK,KAAK,kBAAkB,CAAC;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAoB,YAAoC;AAC5D,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,WAAc,GAAG,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,qBAAqB,WAAsC;AAC/D,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,iBAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AACA,UAAM,YAAY,KAAK,MAAM,qBAAqB;AAClD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,WAAO,SAAS;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,2BAA2B,YAA2C;AAC1E,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,qBAAqB,GAAG,CAAC,CAAC;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAsB;AACpB,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}
1	+ {"version":3,"sources":["../index.ts"],"sourcesContent":["import {\n CreateBucketCommand,\n DeleteObjectCommand,\n DeleteObjectsCommand,\n DeleteObjectsCommandInput,\n GetObjectCommand,\n HeadBucketCommand,\n PutObjectCommand,\n PutObjectCommandInput,\n S3Client\n} from '@aws-sdk/client-s3';\nimport {\n MetricsDefinition,\n OpenTelemetryCollector,\n TelemetryOptions\n} from '@forklaunch/core/http';\nimport {\n getCurrentTenantId,\n type FieldEncryptor\n} from '@forklaunch/core/persistence';\nimport { ObjectStore } from '@forklaunch/core/objectstore';\nimport { Readable } from 'stream';\n\nconst ENCRYPTED_PREFIXES = ['v1:', 'v2:'] as const;\n\nfunction isEncrypted(value: string): boolean {\n return ENCRYPTED_PREFIXES.some((p) => value.startsWith(p));\n}\n\n/*\n Options for configuring encryption on the S3 object store.\n * Required — every consumer must explicitly configure encryption.\n /\nexport interface S3EncryptionOptions {\n /* The FieldEncryptor instance to use for encrypting object bodies. /\n encryptor: FieldEncryptor;\n /* Set to true to disable encryption. Defaults to false (encryption enabled). /\n disabled?: boolean;\n}\n\n/\n Options for configuring the S3ObjectStore.\n \n @example\n * const options: S3ObjectStoreOptions = {\n * bucket: 'my-bucket',\n * clientConfig: { region: 'us-west-2' }\n * };\n /\ninterface S3ObjectStoreOptions {\n /* The S3 bucket name. /\n bucket: string;\n /* Optional existing S3 client instance. /\n client?: S3Client;\n /* Optional configuration for creating a new S3 client. /\n clientConfig?: ConstructorParameters<typeof S3Client>[0];\n}\n\n/\n S3-backed implementation of the ObjectStore interface.\n * Provides methods for storing, retrieving, streaming, and deleting objects in S3.\n \n Encryption is enabled by default when an encryptor is provided. Object bodies\n * are encrypted before upload and decrypted after download using AES-256-GCM\n * with per-tenant key derivation.\n \n @example\n * const store = new S3ObjectStore(otelCollector, { bucket: 'my-bucket' }, telemetryOptions);\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n * const user = await store.readObject<{ name: string }>('user-1');\n /\nexport class S3ObjectStore implements ObjectStore<S3Client> {\n private s3: S3Client;\n private bucket: string;\n private initialized: boolean;\n private encryptor?: FieldEncryptor;\n private encryptionDisabled: boolean;\n\n /\n Creates a new S3ObjectStore instance.\n * @param openTelemetryCollector - Collector for OpenTelemetry metrics.\n * @param options - S3 configuration options.\n * @param telemetryOptions - Telemetry configuration options.\n * @param encryption - Encryption configuration (enabled by default when encryptor provided).\n \n @example\n * const store = new S3ObjectStore(\n * otelCollector,\n * { bucket: 'my-bucket' },\n * telemetryOptions,\n * { encryptor }\n * );\n /\n constructor(\n private openTelemetryCollector: OpenTelemetryCollector<MetricsDefinition>,\n options: S3ObjectStoreOptions,\n private telemetryOptions: TelemetryOptions,\n encryption: S3EncryptionOptions\n ) {\n this.s3 = options.client \|\| new S3Client(options.clientConfig \|\| {});\n this.bucket = options.bucket;\n this.initialized = false;\n this.encryptor = encryption.encryptor;\n this.encryptionDisabled = encryption.disabled ?? false;\n }\n\n // ---------------------------------------------------------------------------\n // Encryption helpers\n // ---------------------------------------------------------------------------\n\n private encryptBody(body: string): string {\n if (!this.encryptor \|\| this.encryptionDisabled) return body;\n return this.encryptor.encrypt(body, getCurrentTenantId()) ?? body;\n }\n\n private decryptBody(body: string): string {\n if (!this.encryptor \|\| this.encryptionDisabled) return body;\n if (!isEncrypted(body)) return body;\n try {\n return this.encryptor.decrypt(body, getCurrentTenantId()) ?? body;\n } catch {\n return body;\n }\n }\n\n // ---------------------------------------------------------------------------\n // Internal\n // ---------------------------------------------------------------------------\n\n private async ensureBucketExists() {\n try {\n await this.s3.send(new HeadBucketCommand({ Bucket: this.bucket }));\n } catch {\n await this.s3.send(new CreateBucketCommand({ Bucket: this.bucket }));\n }\n\n this.initialized = true;\n }\n\n /\n Stores an object in the S3 bucket.\n * @template T - The type of the object being stored.\n * @param object - The object to store. Must include a `key` property.\n \n @example\n * await store.putObject({ key: 'user-1', name: 'Alice' });\n /\n async putObject<T>(object: T & { key: string }): Promise<void> {\n if (!this.initialized) {\n await this.ensureBucketExists();\n }\n\n const { key, ...rest } = object;\n const body = this.encryptBody(JSON.stringify(rest));\n const params: PutObjectCommandInput = {\n Bucket: this.bucket,\n Key: key,\n Body: body,\n ContentType: 'application/json'\n };\n await this.s3.send(new PutObjectCommand(params));\n }\n\n /\n Stores multiple objects in the S3 bucket.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to store. Each must include a `key` property.\n \n @example\n * await store.putBatchObjects([\n * { key: 'user-1', name: 'Alice' },\n * { key: 'user-2', name: 'Bob' }\n * ]);\n /\n async putBatchObjects<T>(objects: (T & { key: string })[]): Promise<void> {\n await Promise.all(objects.map((obj) => this.putObject(obj)));\n }\n\n /\n Streams an object upload to the S3 bucket.\n * For compatibility; uses putObject internally.\n * @template T - The type of the object being stored.\n * @param object - The object to stream-upload. Must include a `key` property.\n /\n async streamUploadObject<T>(object: T & { key: string }): Promise<void> {\n await this.putObject(object);\n }\n\n /\n Streams multiple object uploads to the S3 bucket.\n * For compatibility; uses putBatchObjects internally.\n * @template T - The type of the objects being stored.\n * @param objects - The objects to stream-upload. Each must include a `key` property.\n /\n async streamUploadBatchObjects<T>(\n objects: (T & { key: string })[]\n ): Promise<void> {\n await this.putBatchObjects(objects);\n }\n\n /\n Deletes an object from the S3 bucket.\n * @param objectKey - The key of the object to delete.\n \n @example\n * await store.deleteObject('user-1');\n /\n async deleteObject(objectKey: string): Promise<void> {\n await this.s3.send(\n new DeleteObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n }\n\n /\n Deletes multiple objects from the S3 bucket.\n * @param objectKeys - The keys of the objects to delete.\n \n @example\n * await store.deleteBatchObjects(['user-1', 'user-2']);\n /\n async deleteBatchObjects(objectKeys: string[]): Promise<void> {\n const params: DeleteObjectsCommandInput = {\n Bucket: this.bucket,\n Delete: {\n Objects: objectKeys.map((Key) => ({ Key }))\n }\n };\n await this.s3.send(new DeleteObjectsCommand(params));\n }\n\n /\n Reads an object from the S3 bucket.\n * @template T - The expected type of the object.\n * @param objectKey - The key of the object to read.\n * @returns The parsed object.\n \n @example\n * const user = await store.readObject<{ name: string }>('user-1');\n /\n async readObject<T>(objectKey: string): Promise<T> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n\n if (!resp.Body) {\n throw new Error('S3 did not return a body');\n }\n\n const raw = await resp.Body.transformToString();\n return JSON.parse(this.decryptBody(raw)) as T;\n }\n\n /\n Reads multiple objects from the S3 bucket.\n * @template T - The expected type of the objects.\n * @param objectKeys - The keys of the objects to read.\n * @returns An array of parsed objects.\n \n @example\n * const users = await store.readBatchObjects<{ name: string }>(['user-1', 'user-2']);\n /\n async readBatchObjects<T>(objectKeys: string[]): Promise<T[]> {\n return Promise.all(objectKeys.map((key) => this.readObject<T>(key)));\n }\n\n /\n Streams an object download from the S3 bucket.\n * Note: Streaming bypasses application-level encryption/decryption.\n * Use readObject for encrypted objects.\n * @param objectKey - The key of the object to download.\n * @returns A readable stream of the object's contents.\n * @throws If the S3 response does not include a readable stream.\n \n @example\n * const stream = await store.streamDownloadObject('user-1');\n * stream.pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadObject(objectKey: string): Promise<Readable> {\n const resp = await this.s3.send(\n new GetObjectCommand({ Bucket: this.bucket, Key: objectKey })\n );\n const webStream = resp.Body?.transformToWebStream();\n if (!webStream) {\n throw new Error('S3 did not return a stream');\n }\n\n return Readable.fromWeb(\n webStream as Parameters<typeof Readable.fromWeb>[0]\n );\n }\n\n /\n Streams multiple object downloads from the S3 bucket.\n * Note: Streaming bypasses application-level encryption/decryption.\n * @param objectKeys - The keys of the objects to download.\n * @returns An array of readable streams.\n \n @example\n * const streams = await store.streamDownloadBatchObjects(['user-1', 'user-2']);\n * streams[0].pipe(fs.createWriteStream('user-1.json'));\n /\n async streamDownloadBatchObjects(objectKeys: string[]): Promise<Readable[]> {\n return Promise.all(\n objectKeys.map((key) => this.streamDownloadObject(key))\n );\n }\n\n /\n Gets the underlying S3 client instance.\n * @returns The S3Client instance used by this store.\n \n @example\n * const s3Client = store.getClient();\n */\n getClient(): S3Client {\n return this.s3;\n }\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,OACK;AAMP;AAAA,EACE;AAAA,OAEK;AAEP,SAAS,gBAAgB;AAEzB,IAAM,qBAAqB,CAAC,OAAO,KAAK;AAExC,SAAS,YAAY,OAAwB;AAC3C,SAAO,mBAAmB,KAAK,CAAC,MAAM,MAAM,WAAW,CAAC,CAAC;AAC3D;AA4CO,IAAM,gBAAN,MAAqD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsB1D,YACU,wBACR,SACQ,kBACR,YACA;AAJQ;AAEA;AAGR,SAAK,KAAK,QAAQ,UAAU,IAAI,SAAS,QAAQ,gBAAgB,CAAC,CAAC;AACnE,SAAK,SAAS,QAAQ;AACtB,SAAK,cAAc;AACnB,SAAK,YAAY,WAAW;AAC5B,SAAK,qBAAqB,WAAW,YAAY;AAAA,EACnD;AAAA,EAhCQ;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA,EAkCA,YAAY,MAAsB;AACxC,QAAI,CAAC,KAAK,aAAa,KAAK,mBAAoB,QAAO;AACvD,WAAO,KAAK,UAAU,QAAQ,MAAM,mBAAmB,CAAC,KAAK;AAAA,EAC/D;AAAA,EAEQ,YAAY,MAAsB;AACxC,QAAI,CAAC,KAAK,aAAa,KAAK,mBAAoB,QAAO;AACvD,QAAI,CAAC,YAAY,IAAI,EAAG,QAAO;AAC/B,QAAI;AACF,aAAO,KAAK,UAAU,QAAQ,MAAM,mBAAmB,CAAC,KAAK;AAAA,IAC/D,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,qBAAqB;AACjC,QAAI;AACF,YAAM,KAAK,GAAG,KAAK,IAAI,kBAAkB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACnE,QAAQ;AACN,YAAM,KAAK,GAAG,KAAK,IAAI,oBAAoB,EAAE,QAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,IACrE;AAEA,SAAK,cAAc;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAa,QAA4C;AAC7D,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,mBAAmB;AAAA,IAChC;AAEA,UAAM,EAAE,KAAK,GAAG,KAAK,IAAI;AACzB,UAAM,OAAO,KAAK,YAAY,KAAK,UAAU,IAAI,CAAC;AAClD,UAAM,SAAgC;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,KAAK;AAAA,MACL,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,iBAAiB,MAAM,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,gBAAmB,SAAiD;AACxE,UAAM,QAAQ,IAAI,QAAQ,IAAI,CAAC,QAAQ,KAAK,UAAU,GAAG,CAAC,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,mBAAsB,QAA4C;AACtE,UAAM,KAAK,UAAU,MAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,yBACJ,SACe;AACf,UAAM,KAAK,gBAAgB,OAAO;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,WAAkC;AACnD,UAAM,KAAK,GAAG;AAAA,MACZ,IAAI,oBAAoB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,YAAqC;AAC5D,UAAM,SAAoC;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,QAAQ;AAAA,QACN,SAAS,WAAW,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE;AAAA,MAC5C;AAAA,IACF;AACA,UAAM,KAAK,GAAG,KAAK,IAAI,qBAAqB,MAAM,CAAC;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,WAAc,WAA+B;AACjD,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,iBAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AAEA,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,MAAM,MAAM,KAAK,KAAK,kBAAkB;AAC9C,WAAO,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAoB,YAAoC;AAC5D,WAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,KAAK,WAAc,GAAG,CAAC,CAAC;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,qBAAqB,WAAsC;AAC/D,UAAM,OAAO,MAAM,KAAK,GAAG;AAAA,MACzB,IAAI,iBAAiB,EAAE,QAAQ,KAAK,QAAQ,KAAK,UAAU,CAAC;AAAA,IAC9D;AACA,UAAM,YAAY,KAAK,MAAM,qBAAqB;AAClD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,4BAA4B;AAAA,IAC9C;AAEA,WAAO,SAAS;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,2BAA2B,YAA2C;AAC1E,WAAO,QAAQ;AAAA,MACb,WAAW,IAAI,CAAC,QAAQ,KAAK,qBAAqB,GAAG,CAAC;AAAA,IACxD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAsB;AACpB,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@forklaunch/infrastructure-s3",
-  "version": "1.2.9",
+  "version": "1.3.0",
   "description": "S3 infrastructure for ForkLaunch components.",
   "homepage": "https://github.com/forklaunch/forklaunch-js#readme",
   "bugs": {
@@ -29,8 +29,8 @@
   ],
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1019.0",
-    "@forklaunch/core": "1.2.9",
-    "@forklaunch/common": "1.2.4"
+    "@forklaunch/common": "1.2.6",
+    "@forklaunch/core": "1.3.2"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",