@nixxie-cms/fields-encrypted 1.0.1

package/LICENSE

@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2026 Nixxie International DMCC
+Portions Copyright (c) 2023 Thinkmill Labs Pty Ltd and contributors
+(this software is derived from the KeystoneJS project, https://keystonejs.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,19 @@
+# @nixxie-cms/fields-encrypted
+
+A field that is transparently encrypted at rest for Nixxie CMS. Values are encrypted with
+AES-256-GCM before being written to the database and decrypted when read back through GraphQL — the
+plaintext is never stored on disk.
+
+```ts
+import { encrypted } from '@nixxie-cms/fields-encrypted'
+
+fields: {
+  ssn: encrypted({ secret: process.env.FIELD_ENCRYPTION_KEY! }),
+}
+```
+
+- Keep `secret` out of source control (use an env var). Rotating it makes previously-stored values
+  undecryptable, so plan a re-encryption migration if you must rotate.
+- The stored column holds ciphertext (`enc:v1:<iv>:<tag>:<data>`), so it is not searchable or
+  sortable on plaintext.
+- `encrypt`, `decrypt` and `isEncrypted` helpers are also exported for migrations.

package/dist/declarations/src/crypto.d.ts

@@ -0,0 +1,7 @@
+/** Encrypt a string with AES-256-GCM. Output: `enc:v1:<iv>:<tag>:<ciphertext>` (all base64). */
+export declare function encrypt(plaintext: string, secret: string): string;
+/** Whether a stored value looks like ciphertext produced by `encrypt`. */
+export declare function isEncrypted(value: string): boolean;
+/** Decrypt a value produced by `encrypt`. Returns the input unchanged if it isn't encrypted. */
+export declare function decrypt(value: string, secret: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/declarations/src/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"../../../src","sources":["crypto.ts"],"names":[],"mappings":"AASA,gGAAgG;AAChG,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAOjE;AAED,0EAA0E;AAC1E,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD;AAED,gGAAgG;AAChG,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAS7D"}

package/dist/declarations/src/index.d.ts

@@ -0,0 +1,20 @@
+import { type BaseListTypeInfo, type CommonFieldConfig, type FieldTypeFunc, type SimpleFieldTypeInfo } from '@nixxie-cms/core/types';
+export type EncryptedFieldConfig<ListTypeInfo extends BaseListTypeInfo> = CommonFieldConfig<ListTypeInfo, SimpleFieldTypeInfo<'String'>> & {
+    /**
+     * Encryption secret. Data is encrypted at rest with AES-256-GCM using a key derived from this
+     * value. Store it outside source control (e.g. `process.env.FIELD_ENCRYPTION_KEY`). Rotating it
+     * makes previously-stored values undecryptable.
+     */
+    secret: string;
+    db?: {
+        isNullable?: boolean;
+        map?: string;
+    };
+};
+/**
+ * A field whose value is transparently encrypted (AES-256-GCM) before being written to the
+ * database and decrypted when read back through GraphQL. The plaintext never touches disk.
+ */
+export declare function encrypted<ListTypeInfo extends BaseListTypeInfo>(config: EncryptedFieldConfig<ListTypeInfo>): FieldTypeFunc<ListTypeInfo>;
+export { encrypt, decrypt, isEncrypted } from "./crypto.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/declarations/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"../../../src","sources":["index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EAGzB,MAAM,wBAAwB,CAAA;AAG/B,MAAM,MAAM,oBAAoB,CAAC,YAAY,SAAS,gBAAgB,IAAI,iBAAiB,CACzF,YAAY,EACZ,mBAAmB,CAAC,QAAQ,CAAC,CAC9B,GAAG;IACF;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAC5C,CAAA;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,YAAY,SAAS,gBAAgB,EAC7D,MAAM,EAAE,oBAAoB,CAAC,YAAY,CAAC,GACzC,aAAa,CAAC,YAAY,CAAC,CAiD7B;AAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,oBAAgB"}

package/dist/declarations/src/views.d.ts

@@ -0,0 +1,5 @@
+import type { FieldController, FieldControllerConfig, FieldProps } from '@nixxie-cms/core/types';
+/** Item-page / create-modal input. The value shown is the decrypted plaintext. */
+export declare function Field({ autoFocus, field, onChange, value }: FieldProps<typeof controller>): import("react/jsx-runtime").JSX.Element;
+export declare function controller(config: FieldControllerConfig<Record<string, never>>): FieldController<string | null, string>;
+//# sourceMappingURL=views.d.ts.map

package/dist/declarations/src/views.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"views.d.ts","sourceRoot":"../../../src","sources":["views.tsx"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAEhG,kFAAkF;AAClF,wBAAgB,KAAK,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,UAAU,CAAC,OAAO,UAAU,CAAC,2CAWzF;AAED,wBAAgB,UAAU,CACxB,MAAM,EAAE,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,GACnD,eAAe,CAAC,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC,CAaxC"}

package/dist/nixxie-cms-fields-encrypted.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "./declarations/src/index.js";
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibml4eGllLWNtcy1maWVsZHMtZW5jcnlwdGVkLmNqcy5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi9kZWNsYXJhdGlvbnMvc3JjL2luZGV4LmQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEifQ==

package/dist/nixxie-cms-fields-encrypted.cjs.js

@@ -0,0 +1,111 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var core = require('@nixxie-cms/core');
+var types = require('@nixxie-cms/core/types');
+var node_crypto = require('node:crypto');
+
+const PREFIX = 'enc:v1:';
+function deriveKey(secret) {
+  // Deterministic 32-byte key from the configured secret.
+  return node_crypto.scryptSync(secret, 'nixxie-encrypted-field', 32);
+}
+
+/** Encrypt a string with AES-256-GCM. Output: `enc:v1:<iv>:<tag>:<ciphertext>` (all base64). */
+function encrypt(plaintext, secret) {
+  const key = deriveKey(secret);
+  const iv = node_crypto.randomBytes(12);
+  const cipher = node_crypto.createCipheriv('aes-256-gcm', key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${PREFIX}${iv.toString('base64')}:${tag.toString('base64')}:${ciphertext.toString('base64')}`;
+}
+
+/** Whether a stored value looks like ciphertext produced by `encrypt`. */
+function isEncrypted(value) {
+  return value.startsWith(PREFIX);
+}
+
+/** Decrypt a value produced by `encrypt`. Returns the input unchanged if it isn't encrypted. */
+function decrypt(value, secret) {
+  if (!isEncrypted(value)) return value;
+  const [,, ivB64, tagB64, dataB64] = value.split(':');
+  const key = deriveKey(secret);
+  const decipher = node_crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(ivB64, 'base64'));
+  decipher.setAuthTag(Buffer.from(tagB64, 'base64'));
+  return Buffer.concat([decipher.update(Buffer.from(dataB64, 'base64')), decipher.final()]).toString('utf8');
+}
+
+/**
+ * A field whose value is transparently encrypted (AES-256-GCM) before being written to the
+ * database and decrypted when read back through GraphQL. The plaintext never touches disk.
+ */
+function encrypted(config) {
+  if (!config.secret) {
+    throw new Error('@nixxie-cms/fields-encrypted: a `secret` is required');
+  }
+  const {
+    secret
+  } = config;
+  return () => {
+    var _config$db;
+    return types.fieldType({
+      kind: 'scalar',
+      mode: 'optional',
+      scalar: 'String',
+      map: (_config$db = config.db) === null || _config$db === void 0 ? void 0 : _config$db.map
+    })({
+      ...config,
+      input: {
+        create: {
+          arg: core.g.arg({
+            type: core.g.String
+          }),
+          resolve(val) {
+            if (val == null) return val;
+            return encrypt(val, secret);
+          }
+        },
+        update: {
+          arg: core.g.arg({
+            type: core.g.String
+          }),
+          resolve(val) {
+            if (val === undefined) return undefined;
+            if (val === null) return null;
+            return encrypt(val, secret);
+          }
+        },
+        orderBy: {
+          arg: core.g.arg({
+            type: types.orderDirectionEnum
+          })
+        }
+      },
+      output: core.g.field({
+        type: core.g.String,
+        resolve({
+          value
+        }) {
+          if (value == null) return value;
+          try {
+            return decrypt(value, secret);
+          } catch {
+            // Wrong key or corrupted data — return null rather than leaking ciphertext.
+            return null;
+          }
+        }
+      }),
+      views: '@nixxie-cms/fields-encrypted/views',
+      getAdminMeta() {
+        return {};
+      }
+    });
+  };
+}
+
+exports.decrypt = decrypt;
+exports.encrypt = encrypt;
+exports.encrypted = encrypted;
+exports.isEncrypted = isEncrypted;

package/dist/nixxie-cms-fields-encrypted.esm.js

@@ -0,0 +1,104 @@
+import { g } from '@nixxie-cms/core';
+import { fieldType, orderDirectionEnum } from '@nixxie-cms/core/types';
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'node:crypto';
+
+const PREFIX = 'enc:v1:';
+function deriveKey(secret) {
+  // Deterministic 32-byte key from the configured secret.
+  return scryptSync(secret, 'nixxie-encrypted-field', 32);
+}
+
+/** Encrypt a string with AES-256-GCM. Output: `enc:v1:<iv>:<tag>:<ciphertext>` (all base64). */
+function encrypt(plaintext, secret) {
+  const key = deriveKey(secret);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${PREFIX}${iv.toString('base64')}:${tag.toString('base64')}:${ciphertext.toString('base64')}`;
+}
+
+/** Whether a stored value looks like ciphertext produced by `encrypt`. */
+function isEncrypted(value) {
+  return value.startsWith(PREFIX);
+}
+
+/** Decrypt a value produced by `encrypt`. Returns the input unchanged if it isn't encrypted. */
+function decrypt(value, secret) {
+  if (!isEncrypted(value)) return value;
+  const [,, ivB64, tagB64, dataB64] = value.split(':');
+  const key = deriveKey(secret);
+  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(ivB64, 'base64'));
+  decipher.setAuthTag(Buffer.from(tagB64, 'base64'));
+  return Buffer.concat([decipher.update(Buffer.from(dataB64, 'base64')), decipher.final()]).toString('utf8');
+}
+
+/**
+ * A field whose value is transparently encrypted (AES-256-GCM) before being written to the
+ * database and decrypted when read back through GraphQL. The plaintext never touches disk.
+ */
+function encrypted(config) {
+  if (!config.secret) {
+    throw new Error('@nixxie-cms/fields-encrypted: a `secret` is required');
+  }
+  const {
+    secret
+  } = config;
+  return () => {
+    var _config$db;
+    return fieldType({
+      kind: 'scalar',
+      mode: 'optional',
+      scalar: 'String',
+      map: (_config$db = config.db) === null || _config$db === void 0 ? void 0 : _config$db.map
+    })({
+      ...config,
+      input: {
+        create: {
+          arg: g.arg({
+            type: g.String
+          }),
+          resolve(val) {
+            if (val == null) return val;
+            return encrypt(val, secret);
+          }
+        },
+        update: {
+          arg: g.arg({
+            type: g.String
+          }),
+          resolve(val) {
+            if (val === undefined) return undefined;
+            if (val === null) return null;
+            return encrypt(val, secret);
+          }
+        },
+        orderBy: {
+          arg: g.arg({
+            type: orderDirectionEnum
+          })
+        }
+      },
+      output: g.field({
+        type: g.String,
+        resolve({
+          value
+        }) {
+          if (value == null) return value;
+          try {
+            return decrypt(value, secret);
+          } catch {
+            // Wrong key or corrupted data — return null rather than leaking ciphertext.
+            return null;
+          }
+        }
+      }),
+      views: '@nixxie-cms/fields-encrypted/views',
+      getAdminMeta() {
+        return {};
+      }
+    });
+  };
+}
+
+export { decrypt, encrypt, encrypted, isEncrypted };

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@nixxie-cms/fields-encrypted",
+  "version": "1.0.1",
+  "license": "MIT",
+  "main": "dist/nixxie-cms-fields-encrypted.cjs.js",
+  "module": "dist/nixxie-cms-fields-encrypted.esm.js",
+  "exports": {
+    ".": {
+      "types": "./dist/nixxie-cms-fields-encrypted.cjs.js",
+      "module": "./dist/nixxie-cms-fields-encrypted.esm.js",
+      "default": "./dist/nixxie-cms-fields-encrypted.cjs.js"
+    },
+    "./views": {
+      "types": "./views/dist/nixxie-cms-fields-encrypted-views.cjs.js",
+      "module": "./views/dist/nixxie-cms-fields-encrypted-views.esm.js",
+      "default": "./views/dist/nixxie-cms-fields-encrypted-views.cjs.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "dependencies": {
+    "@babel/runtime": "^7.24.7",
+    "@keystar/ui": "^0.7.21",
+    "graphql": "^16.8.1"
+  },
+  "devDependencies": {
+    "react": "^19.2.4",
+    "@nixxie-cms/core": "^1.0.1"
+  },
+  "peerDependencies": {
+    "@nixxie-cms/core": "^1.0.1",
+    "react": "^19.2.4"
+  },
+  "preconstruct": {
+    "entrypoints": [
+      "index.ts",
+      "views.tsx"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nixxiecms/nixxie/tree/main/packages/fields-encrypted"
+  }
+}

package/src/crypto.ts

@@ -0,0 +1,35 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto'
+
+const PREFIX = 'enc:v1:'
+
+function deriveKey(secret: string): Buffer {
+  // Deterministic 32-byte key from the configured secret.
+  return scryptSync(secret, 'nixxie-encrypted-field', 32)
+}
+
+/** Encrypt a string with AES-256-GCM. Output: `enc:v1:<iv>:<tag>:<ciphertext>` (all base64). */
+export function encrypt(plaintext: string, secret: string): string {
+  const key = deriveKey(secret)
+  const iv = randomBytes(12)
+  const cipher = createCipheriv('aes-256-gcm', key, iv)
+  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const tag = cipher.getAuthTag()
+  return `${PREFIX}${iv.toString('base64')}:${tag.toString('base64')}:${ciphertext.toString('base64')}`
+}
+
+/** Whether a stored value looks like ciphertext produced by `encrypt`. */
+export function isEncrypted(value: string): boolean {
+  return value.startsWith(PREFIX)
+}
+
+/** Decrypt a value produced by `encrypt`. Returns the input unchanged if it isn't encrypted. */
+export function decrypt(value: string, secret: string): string {
+  if (!isEncrypted(value)) return value
+  const [, , ivB64, tagB64, dataB64] = value.split(':')
+  const key = deriveKey(secret)
+  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(ivB64, 'base64'))
+  decipher.setAuthTag(Buffer.from(tagB64, 'base64'))
+  return Buffer.concat([decipher.update(Buffer.from(dataB64, 'base64')), decipher.final()]).toString(
+    'utf8'
+  )
+}

package/src/index.ts

@@ -0,0 +1,82 @@
+import { g } from '@nixxie-cms/core'
+import {
+  type BaseListTypeInfo,
+  type CommonFieldConfig,
+  type FieldTypeFunc,
+  type SimpleFieldTypeInfo,
+  fieldType,
+  orderDirectionEnum,
+} from '@nixxie-cms/core/types'
+import { decrypt, encrypt } from './crypto'
+
+export type EncryptedFieldConfig<ListTypeInfo extends BaseListTypeInfo> = CommonFieldConfig<
+  ListTypeInfo,
+  SimpleFieldTypeInfo<'String'>
+> & {
+  /**
+   * Encryption secret. Data is encrypted at rest with AES-256-GCM using a key derived from this
+   * value. Store it outside source control (e.g. `process.env.FIELD_ENCRYPTION_KEY`). Rotating it
+   * makes previously-stored values undecryptable.
+   */
+  secret: string
+  db?: { isNullable?: boolean; map?: string }
+}
+
+/**
+ * A field whose value is transparently encrypted (AES-256-GCM) before being written to the
+ * database and decrypted when read back through GraphQL. The plaintext never touches disk.
+ */
+export function encrypted<ListTypeInfo extends BaseListTypeInfo>(
+  config: EncryptedFieldConfig<ListTypeInfo>
+): FieldTypeFunc<ListTypeInfo> {
+  if (!config.secret) {
+    throw new Error('@nixxie-cms/fields-encrypted: a `secret` is required')
+  }
+  const { secret } = config
+
+  return () =>
+    fieldType({
+      kind: 'scalar',
+      mode: 'optional',
+      scalar: 'String',
+      map: config.db?.map,
+    })({
+      ...config,
+      input: {
+        create: {
+          arg: g.arg({ type: g.String }),
+          resolve(val) {
+            if (val == null) return val
+            return encrypt(val, secret)
+          },
+        },
+        update: {
+          arg: g.arg({ type: g.String }),
+          resolve(val) {
+            if (val === undefined) return undefined
+            if (val === null) return null
+            return encrypt(val, secret)
+          },
+        },
+        orderBy: { arg: g.arg({ type: orderDirectionEnum }) },
+      },
+      output: g.field({
+        type: g.String,
+        resolve({ value }) {
+          if (value == null) return value
+          try {
+            return decrypt(value, secret)
+          } catch {
+            // Wrong key or corrupted data — return null rather than leaking ciphertext.
+            return null
+          }
+        },
+      }),
+      views: '@nixxie-cms/fields-encrypted/views',
+      getAdminMeta() {
+        return {}
+      },
+    })
+}
+
+export { encrypt, decrypt, isEncrypted } from './crypto'

package/src/views.tsx

@@ -0,0 +1,33 @@
+import { TextField } from '@keystar/ui/text-field'
+import type { FieldController, FieldControllerConfig, FieldProps } from '@nixxie-cms/core/types'
+
+/** Item-page / create-modal input. The value shown is the decrypted plaintext. */
+export function Field({ autoFocus, field, onChange, value }: FieldProps<typeof controller>) {
+  return (
+    <TextField
+      label={field.label}
+      description={field.description || undefined}
+      autoFocus={autoFocus}
+      isReadOnly={onChange === undefined}
+      value={value ?? ''}
+      onChange={onChange ? text => onChange(text === '' ? null : text) : undefined}
+    />
+  )
+}
+
+export function controller(
+  config: FieldControllerConfig<Record<string, never>>
+): FieldController<string | null, string> {
+  return {
+    fieldKey: config.fieldKey,
+    label: config.label,
+    description: config.description ?? '',
+    defaultValue: null,
+    deserialize: data => {
+      const value = data[config.fieldKey]
+      return typeof value === 'string' ? value : null
+    },
+    serialize: value => ({ [config.fieldKey]: value === '' ? null : value }),
+    graphqlSelection: config.fieldKey,
+  }
+}

package/views/dist/nixxie-cms-fields-encrypted-views.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "../../dist/declarations/src/views.js";
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibml4eGllLWNtcy1maWVsZHMtZW5jcnlwdGVkLXZpZXdzLmNqcy5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vZGlzdC9kZWNsYXJhdGlvbnMvc3JjL3ZpZXdzLmQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEifQ==

package/views/dist/nixxie-cms-fields-encrypted-views.cjs.js

@@ -0,0 +1,43 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var textField = require('@keystar/ui/text-field');
+var jsxRuntime = require('react/jsx-runtime');
+
+/** Item-page / create-modal input. The value shown is the decrypted plaintext. */
+function Field({
+  autoFocus,
+  field,
+  onChange,
+  value
+}) {
+  return /*#__PURE__*/jsxRuntime.jsx(textField.TextField, {
+    label: field.label,
+    description: field.description || undefined,
+    autoFocus: autoFocus,
+    isReadOnly: onChange === undefined,
+    value: value !== null && value !== void 0 ? value : '',
+    onChange: onChange ? text => onChange(text === '' ? null : text) : undefined
+  });
+}
+function controller(config) {
+  var _config$description;
+  return {
+    fieldKey: config.fieldKey,
+    label: config.label,
+    description: (_config$description = config.description) !== null && _config$description !== void 0 ? _config$description : '',
+    defaultValue: null,
+    deserialize: data => {
+      const value = data[config.fieldKey];
+      return typeof value === 'string' ? value : null;
+    },
+    serialize: value => ({
+      [config.fieldKey]: value === '' ? null : value
+    }),
+    graphqlSelection: config.fieldKey
+  };
+}
+
+exports.Field = Field;
+exports.controller = controller;

package/views/dist/nixxie-cms-fields-encrypted-views.esm.js

@@ -0,0 +1,38 @@
+import { TextField } from '@keystar/ui/text-field';
+import { jsx } from 'react/jsx-runtime';
+
+/** Item-page / create-modal input. The value shown is the decrypted plaintext. */
+function Field({
+  autoFocus,
+  field,
+  onChange,
+  value
+}) {
+  return /*#__PURE__*/jsx(TextField, {
+    label: field.label,
+    description: field.description || undefined,
+    autoFocus: autoFocus,
+    isReadOnly: onChange === undefined,
+    value: value !== null && value !== void 0 ? value : '',
+    onChange: onChange ? text => onChange(text === '' ? null : text) : undefined
+  });
+}
+function controller(config) {
+  var _config$description;
+  return {
+    fieldKey: config.fieldKey,
+    label: config.label,
+    description: (_config$description = config.description) !== null && _config$description !== void 0 ? _config$description : '',
+    defaultValue: null,
+    deserialize: data => {
+      const value = data[config.fieldKey];
+      return typeof value === 'string' ? value : null;
+    },
+    serialize: value => ({
+      [config.fieldKey]: value === '' ? null : value
+    }),
+    graphqlSelection: config.fieldKey
+  };
+}
+
+export { Field, controller };

package/views/package.json

@@ -0,0 +1,4 @@
+{
+  "main": "dist/nixxie-cms-fields-encrypted-views.cjs.js",
+  "module": "dist/nixxie-cms-fields-encrypted-views.esm.js"
+}