@forklaunch/interfaces-worker 1.0.2 → 1.0.4

package/lib/eject/domain/interfaces/decryptingWorker.consumer.ts

@@ -0,0 +1,99 @@
+import type { WorkerEventEntity } from '../types/workerEventEntity.types';
+import type {
+  WorkerProcessFunction,
+  WorkerProcessFailureResult,
+  WorkerFailureHandler
+} from '../types/worker.consumer.types';
+import type {
+  EventEncryptor,
+  EncryptedEventEnvelope
+} from '../types/eventEncryptor.types';
+import type { WorkerConsumer } from './worker.consumer.interface';
+
+/**
+ * Wraps a WorkerConsumer that reads EncryptedEventEnvelope and exposes
+ * the decrypted user-typed event T.
+ */
+export class DecryptingWorkerConsumer<T extends WorkerEventEntity>
+  implements WorkerConsumer<T>
+{
+  constructor(
+    private readonly inner: WorkerConsumer<EncryptedEventEnvelope>,
+    private readonly encryptor: EventEncryptor
+  ) {}
+
+  async peekEvents(): Promise<T[]> {
+    const events = await this.inner.peekEvents();
+    return events.map((event) => decryptEvent<T>(event, this.encryptor));
+  }
+
+  async start(): Promise<void> {
+    await this.inner.start();
+  }
+}
+
+/**
+ * Wraps a user-typed WorkerProcessFunction to accept EncryptedEventEnvelope,
+ * decrypt before processing, and map failures back to the envelope type.
+ */
+export function withDecryption<T extends WorkerEventEntity>(
+  processFn: WorkerProcessFunction<T>,
+  encryptor: EventEncryptor
+): WorkerProcessFunction<EncryptedEventEnvelope> {
+  return async (events: EncryptedEventEnvelope[]) => {
+    const decrypted = events.map((e) => decryptEvent<T>(e, encryptor));
+    const failures = await processFn(decrypted);
+    // Map failures back: find the original envelope by id
+    return failures.map((f) => ({
+      value: events.find((e) => e.id === f.value.id)!,
+      error: f.error
+    }));
+  };
+}
+
+/**
+ * Wraps a user-typed WorkerFailureHandler to accept EncryptedEventEnvelope failures,
+ * decrypting before passing to the user handler.
+ */
+export function withDecryptionFailureHandler<T extends WorkerEventEntity>(
+  handler: WorkerFailureHandler<T>,
+  encryptor: EventEncryptor
+): WorkerFailureHandler<EncryptedEventEnvelope> {
+  return async (
+    results: WorkerProcessFailureResult<EncryptedEventEnvelope>[]
+  ) => {
+    const decrypted = results.map((r) => ({
+      ...r,
+      value: decryptEvent<T>(r.value, encryptor)
+    }));
+    return handler(decrypted);
+  };
+}
+
+function decryptEvent<T extends WorkerEventEntity>(
+  envelope: EncryptedEventEnvelope,
+  encryptor: EventEncryptor
+): T {
+  const {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload
+  } = envelope;
+
+  const decrypted = encryptor.decrypt(encryptedPayload, tenantId);
+  const payload = JSON.parse(decrypted!);
+
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    ...payload
+  } as T;
+}

package/lib/eject/domain/interfaces/encryptingWorker.producer.ts

@@ -0,0 +1,56 @@
+import type { WorkerEventEntity } from '../types/workerEventEntity.types';
+import type {
+  EventEncryptor,
+  EncryptedEventEnvelope
+} from '../types/eventEncryptor.types';
+import type { WorkerProducer } from './worker.producer.interface';
+
+/**
+ * Wraps any WorkerProducer to encrypt the entire event payload before enqueueing.
+ * Base WorkerEventEntity fields (id, retryCount, processed, createdAt, updatedAt)
+ * are preserved in the clear for queue infrastructure. All remaining fields are
+ * JSON-serialized and encrypted into a single `encryptedPayload` field.
+ *
+ * tenantId is injected at construction (from request scope context) and stored
+ * on the envelope for key derivation during decryption.
+ */
+export class EncryptingWorkerProducer<T extends WorkerEventEntity>
+  implements WorkerProducer<T>
+{
+  constructor(
+    private readonly inner: WorkerProducer<EncryptedEventEnvelope>,
+    private readonly encryptor: EventEncryptor,
+    private readonly tenantId: string
+  ) {}
+
+  async enqueueJob(job: T): Promise<void> {
+    await this.inner.enqueueJob(
+      encryptEvent(job, this.encryptor, this.tenantId)
+    );
+  }
+
+  async enqueueBatchJobs(jobs: T[]): Promise<void> {
+    await this.inner.enqueueBatchJobs(
+      jobs.map((job) => encryptEvent(job, this.encryptor, this.tenantId))
+    );
+  }
+}
+
+function encryptEvent<T extends WorkerEventEntity>(
+  event: T,
+  encryptor: EventEncryptor,
+  tenantId: string
+): EncryptedEventEnvelope {
+  const { id, retryCount, processed, createdAt, updatedAt, ...payload } =
+    event as WorkerEventEntity & Record<string, unknown>;
+
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload: encryptor.encrypt(JSON.stringify(payload), tenantId)!
+  };
+}

package/lib/eject/domain/interfaces/index.ts

@@ -1,2 +1,4 @@
 export * from './worker.consumer.interface';
 export * from './worker.producer.interface';
+export * from './encryptingWorker.producer';
+export * from './decryptingWorker.consumer';

package/lib/eject/domain/types/eventEncryptor.types.ts

@@ -0,0 +1,21 @@
+import type { WorkerEventEntity } from './workerEventEntity.types';
+
+/**
+ * Minimal encryptor interface for worker event payload encryption.
+ * Keeps interfaces-worker free of @forklaunch/core dependency.
+ * Implement with FieldEncryptor from @forklaunch/core/persistence.
+ */
+export interface EventEncryptor {
+  encrypt(plaintext: string | null, tenantId: string): string | null;
+  decrypt(ciphertext: string | null, tenantId: string): string | null;
+}
+
+/**
+ * The on-wire shape stored in the queue. Base fields are in the clear
+ * for queue infrastructure (retry logic, dedup, etc.). The user's
+ * payload fields are serialized and encrypted into `encryptedPayload`.
+ */
+export type EncryptedEventEnvelope = WorkerEventEntity & {
+  tenantId: string;
+  encryptedPayload: string;
+};

package/lib/eject/domain/types/index.ts

@@ -1,2 +1,3 @@
 export * from './worker.consumer.types';
 export * from './workerEventEntity.types';
+export * from './eventEncryptor.types';

package/lib/interfaces/index.d.mts

@@ -1,3 +1,5 @@
+import { WorkerEventEntity, EncryptedEventEnvelope, EventEncryptor, WorkerProcessFunction, WorkerFailureHandler } from '../types/index.mjs';
+
 interface WorkerConsumer<T> {
     peekEvents: () => Promise<T[]>;
     start: () => Promise<void>;
@@ -8,4 +10,44 @@ interface WorkerProducer<T> {
     enqueueBatchJobs: (jobs: T[]) => Promise<void>;
 }
 
-export type { WorkerConsumer, WorkerProducer };
+/**
+ * Wraps any WorkerProducer to encrypt the entire event payload before enqueueing.
+ * Base WorkerEventEntity fields (id, retryCount, processed, createdAt, updatedAt)
+ * are preserved in the clear for queue infrastructure. All remaining fields are
+ * JSON-serialized and encrypted into a single `encryptedPayload` field.
+ *
+ * tenantId is injected at construction (from request scope context) and stored
+ * on the envelope for key derivation during decryption.
+ */
+declare class EncryptingWorkerProducer<T extends WorkerEventEntity> implements WorkerProducer<T> {
+    private readonly inner;
+    private readonly encryptor;
+    private readonly tenantId;
+    constructor(inner: WorkerProducer<EncryptedEventEnvelope>, encryptor: EventEncryptor, tenantId: string);
+    enqueueJob(job: T): Promise<void>;
+    enqueueBatchJobs(jobs: T[]): Promise<void>;
+}
+
+/**
+ * Wraps a WorkerConsumer that reads EncryptedEventEnvelope and exposes
+ * the decrypted user-typed event T.
+ */
+declare class DecryptingWorkerConsumer<T extends WorkerEventEntity> implements WorkerConsumer<T> {
+    private readonly inner;
+    private readonly encryptor;
+    constructor(inner: WorkerConsumer<EncryptedEventEnvelope>, encryptor: EventEncryptor);
+    peekEvents(): Promise<T[]>;
+    start(): Promise<void>;
+}
+/**
+ * Wraps a user-typed WorkerProcessFunction to accept EncryptedEventEnvelope,
+ * decrypt before processing, and map failures back to the envelope type.
+ */
+declare function withDecryption<T extends WorkerEventEntity>(processFn: WorkerProcessFunction<T>, encryptor: EventEncryptor): WorkerProcessFunction<EncryptedEventEnvelope>;
+/**
+ * Wraps a user-typed WorkerFailureHandler to accept EncryptedEventEnvelope failures,
+ * decrypting before passing to the user handler.
+ */
+declare function withDecryptionFailureHandler<T extends WorkerEventEntity>(handler: WorkerFailureHandler<T>, encryptor: EventEncryptor): WorkerFailureHandler<EncryptedEventEnvelope>;
+
+export { DecryptingWorkerConsumer, EncryptingWorkerProducer, type WorkerConsumer, type WorkerProducer, withDecryption, withDecryptionFailureHandler };

package/lib/interfaces/index.d.ts

@@ -1,3 +1,5 @@
+import { WorkerEventEntity, EncryptedEventEnvelope, EventEncryptor, WorkerProcessFunction, WorkerFailureHandler } from '../types/index.js';
+
 interface WorkerConsumer<T> {
     peekEvents: () => Promise<T[]>;
     start: () => Promise<void>;
@@ -8,4 +10,44 @@ interface WorkerProducer<T> {
     enqueueBatchJobs: (jobs: T[]) => Promise<void>;
 }
 
-export type { WorkerConsumer, WorkerProducer };
+/**
+ * Wraps any WorkerProducer to encrypt the entire event payload before enqueueing.
+ * Base WorkerEventEntity fields (id, retryCount, processed, createdAt, updatedAt)
+ * are preserved in the clear for queue infrastructure. All remaining fields are
+ * JSON-serialized and encrypted into a single `encryptedPayload` field.
+ *
+ * tenantId is injected at construction (from request scope context) and stored
+ * on the envelope for key derivation during decryption.
+ */
+declare class EncryptingWorkerProducer<T extends WorkerEventEntity> implements WorkerProducer<T> {
+    private readonly inner;
+    private readonly encryptor;
+    private readonly tenantId;
+    constructor(inner: WorkerProducer<EncryptedEventEnvelope>, encryptor: EventEncryptor, tenantId: string);
+    enqueueJob(job: T): Promise<void>;
+    enqueueBatchJobs(jobs: T[]): Promise<void>;
+}
+
+/**
+ * Wraps a WorkerConsumer that reads EncryptedEventEnvelope and exposes
+ * the decrypted user-typed event T.
+ */
+declare class DecryptingWorkerConsumer<T extends WorkerEventEntity> implements WorkerConsumer<T> {
+    private readonly inner;
+    private readonly encryptor;
+    constructor(inner: WorkerConsumer<EncryptedEventEnvelope>, encryptor: EventEncryptor);
+    peekEvents(): Promise<T[]>;
+    start(): Promise<void>;
+}
+/**
+ * Wraps a user-typed WorkerProcessFunction to accept EncryptedEventEnvelope,
+ * decrypt before processing, and map failures back to the envelope type.
+ */
+declare function withDecryption<T extends WorkerEventEntity>(processFn: WorkerProcessFunction<T>, encryptor: EventEncryptor): WorkerProcessFunction<EncryptedEventEnvelope>;
+/**
+ * Wraps a user-typed WorkerFailureHandler to accept EncryptedEventEnvelope failures,
+ * decrypting before passing to the user handler.
+ */
+declare function withDecryptionFailureHandler<T extends WorkerEventEntity>(handler: WorkerFailureHandler<T>, encryptor: EventEncryptor): WorkerFailureHandler<EncryptedEventEnvelope>;
+
+export { DecryptingWorkerConsumer, EncryptingWorkerProducer, type WorkerConsumer, type WorkerProducer, withDecryption, withDecryptionFailureHandler };

package/lib/interfaces/index.js

@@ -3,6 +3,10 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -15,4 +19,104 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 
 // interfaces/index.ts
 var interfaces_exports = {};
+__export(interfaces_exports, {
+  DecryptingWorkerConsumer: () => DecryptingWorkerConsumer,
+  EncryptingWorkerProducer: () => EncryptingWorkerProducer,
+  withDecryption: () => withDecryption,
+  withDecryptionFailureHandler: () => withDecryptionFailureHandler
+});
 module.exports = __toCommonJS(interfaces_exports);
+
+// interfaces/encryptingWorker.producer.ts
+var EncryptingWorkerProducer = class {
+  constructor(inner, encryptor, tenantId) {
+    this.inner = inner;
+    this.encryptor = encryptor;
+    this.tenantId = tenantId;
+  }
+  async enqueueJob(job) {
+    await this.inner.enqueueJob(
+      encryptEvent(job, this.encryptor, this.tenantId)
+    );
+  }
+  async enqueueBatchJobs(jobs) {
+    await this.inner.enqueueBatchJobs(
+      jobs.map((job) => encryptEvent(job, this.encryptor, this.tenantId))
+    );
+  }
+};
+function encryptEvent(event, encryptor, tenantId) {
+  const { id, retryCount, processed, createdAt, updatedAt, ...payload } = event;
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload: encryptor.encrypt(JSON.stringify(payload), tenantId)
+  };
+}
+
+// interfaces/decryptingWorker.consumer.ts
+var DecryptingWorkerConsumer = class {
+  constructor(inner, encryptor) {
+    this.inner = inner;
+    this.encryptor = encryptor;
+  }
+  async peekEvents() {
+    const events = await this.inner.peekEvents();
+    return events.map((event) => decryptEvent(event, this.encryptor));
+  }
+  async start() {
+    await this.inner.start();
+  }
+};
+function withDecryption(processFn, encryptor) {
+  return async (events) => {
+    const decrypted = events.map((e) => decryptEvent(e, encryptor));
+    const failures = await processFn(decrypted);
+    return failures.map((f) => ({
+      value: events.find((e) => e.id === f.value.id),
+      error: f.error
+    }));
+  };
+}
+function withDecryptionFailureHandler(handler, encryptor) {
+  return async (results) => {
+    const decrypted = results.map((r) => ({
+      ...r,
+      value: decryptEvent(r.value, encryptor)
+    }));
+    return handler(decrypted);
+  };
+}
+function decryptEvent(envelope, encryptor) {
+  const {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload
+  } = envelope;
+  const decrypted = encryptor.decrypt(encryptedPayload, tenantId);
+  const payload = JSON.parse(decrypted);
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    ...payload
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DecryptingWorkerConsumer,
+  EncryptingWorkerProducer,
+  withDecryption,
+  withDecryptionFailureHandler
+});

package/lib/interfaces/index.mjs

@@ -0,0 +1,92 @@
+// interfaces/encryptingWorker.producer.ts
+var EncryptingWorkerProducer = class {
+  constructor(inner, encryptor, tenantId) {
+    this.inner = inner;
+    this.encryptor = encryptor;
+    this.tenantId = tenantId;
+  }
+  async enqueueJob(job) {
+    await this.inner.enqueueJob(
+      encryptEvent(job, this.encryptor, this.tenantId)
+    );
+  }
+  async enqueueBatchJobs(jobs) {
+    await this.inner.enqueueBatchJobs(
+      jobs.map((job) => encryptEvent(job, this.encryptor, this.tenantId))
+    );
+  }
+};
+function encryptEvent(event, encryptor, tenantId) {
+  const { id, retryCount, processed, createdAt, updatedAt, ...payload } = event;
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload: encryptor.encrypt(JSON.stringify(payload), tenantId)
+  };
+}
+
+// interfaces/decryptingWorker.consumer.ts
+var DecryptingWorkerConsumer = class {
+  constructor(inner, encryptor) {
+    this.inner = inner;
+    this.encryptor = encryptor;
+  }
+  async peekEvents() {
+    const events = await this.inner.peekEvents();
+    return events.map((event) => decryptEvent(event, this.encryptor));
+  }
+  async start() {
+    await this.inner.start();
+  }
+};
+function withDecryption(processFn, encryptor) {
+  return async (events) => {
+    const decrypted = events.map((e) => decryptEvent(e, encryptor));
+    const failures = await processFn(decrypted);
+    return failures.map((f) => ({
+      value: events.find((e) => e.id === f.value.id),
+      error: f.error
+    }));
+  };
+}
+function withDecryptionFailureHandler(handler, encryptor) {
+  return async (results) => {
+    const decrypted = results.map((r) => ({
+      ...r,
+      value: decryptEvent(r.value, encryptor)
+    }));
+    return handler(decrypted);
+  };
+}
+function decryptEvent(envelope, encryptor) {
+  const {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    encryptedPayload
+  } = envelope;
+  const decrypted = encryptor.decrypt(encryptedPayload, tenantId);
+  const payload = JSON.parse(decrypted);
+  return {
+    id,
+    tenantId,
+    retryCount,
+    processed,
+    createdAt,
+    updatedAt,
+    ...payload
+  };
+}
+export {
+  DecryptingWorkerConsumer,
+  EncryptingWorkerProducer,
+  withDecryption,
+  withDecryptionFailureHandler
+};

package/lib/types/index.d.mts

@@ -1,10 +1,3 @@
-type WorkerProcessFailureResult<T> = {
-    value: T;
-    error: Error;
-};
-type WorkerProcessFunction<T> = (events: T[]) => Promise<WorkerProcessFailureResult<T>[]>;
-type WorkerFailureHandler<T> = (results: WorkerProcessFailureResult<T>[]) => Promise<void>;
-
 type WorkerEventEntity = {
     id: string;
     retryCount: number;
@@ -13,4 +6,30 @@ type WorkerEventEntity = {
     updatedAt: Date;
 };
 
-export type { WorkerEventEntity, WorkerFailureHandler, WorkerProcessFailureResult, WorkerProcessFunction };
+/**
+ * Minimal encryptor interface for worker event payload encryption.
+ * Keeps interfaces-worker free of @forklaunch/core dependency.
+ * Implement with FieldEncryptor from @forklaunch/core/persistence.
+ */
+interface EventEncryptor {
+    encrypt(plaintext: string | null, tenantId: string): string | null;
+    decrypt(ciphertext: string | null, tenantId: string): string | null;
+}
+/**
+ * The on-wire shape stored in the queue. Base fields are in the clear
+ * for queue infrastructure (retry logic, dedup, etc.). The user's
+ * payload fields are serialized and encrypted into `encryptedPayload`.
+ */
+type EncryptedEventEnvelope = WorkerEventEntity & {
+    tenantId: string;
+    encryptedPayload: string;
+};
+
+type WorkerProcessFailureResult<T> = {
+    value: T;
+    error: Error;
+};
+type WorkerProcessFunction<T> = (events: T[]) => Promise<WorkerProcessFailureResult<T>[]>;
+type WorkerFailureHandler<T> = (results: WorkerProcessFailureResult<T>[]) => Promise<void>;
+
+export type { EncryptedEventEnvelope, EventEncryptor, WorkerEventEntity, WorkerFailureHandler, WorkerProcessFailureResult, WorkerProcessFunction };

package/lib/types/index.d.ts

@@ -1,10 +1,3 @@
-type WorkerProcessFailureResult<T> = {
-    value: T;
-    error: Error;
-};
-type WorkerProcessFunction<T> = (events: T[]) => Promise<WorkerProcessFailureResult<T>[]>;
-type WorkerFailureHandler<T> = (results: WorkerProcessFailureResult<T>[]) => Promise<void>;
-
 type WorkerEventEntity = {
     id: string;
     retryCount: number;
@@ -13,4 +6,30 @@ type WorkerEventEntity = {
     updatedAt: Date;
 };
 
-export type { WorkerEventEntity, WorkerFailureHandler, WorkerProcessFailureResult, WorkerProcessFunction };
+/**
+ * Minimal encryptor interface for worker event payload encryption.
+ * Keeps interfaces-worker free of @forklaunch/core dependency.
+ * Implement with FieldEncryptor from @forklaunch/core/persistence.
+ */
+interface EventEncryptor {
+    encrypt(plaintext: string | null, tenantId: string): string | null;
+    decrypt(ciphertext: string | null, tenantId: string): string | null;
+}
+/**
+ * The on-wire shape stored in the queue. Base fields are in the clear
+ * for queue infrastructure (retry logic, dedup, etc.). The user's
+ * payload fields are serialized and encrypted into `encryptedPayload`.
+ */
+type EncryptedEventEnvelope = WorkerEventEntity & {
+    tenantId: string;
+    encryptedPayload: string;
+};
+
+type WorkerProcessFailureResult<T> = {
+    value: T;
+    error: Error;
+};
+type WorkerProcessFunction<T> = (events: T[]) => Promise<WorkerProcessFailureResult<T>[]>;
+type WorkerFailureHandler<T> = (results: WorkerProcessFailureResult<T>[]) => Promise<void>;
+
+export type { EncryptedEventEnvelope, EventEncryptor, WorkerEventEntity, WorkerFailureHandler, WorkerProcessFailureResult, WorkerProcessFunction };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forklaunch/interfaces-worker",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Worker interfaces for forklaunch",
   "homepage": "https://github.com/forklaunch/forklaunch-js#readme",
   "bugs": {