@open-mercato/shared 0.4.2-canary-c02407ff85

package/dist/lib/di/container.js

@@ -0,0 +1,94 @@
+import { createContainer, asValue, InjectionMode } from "awilix";
+import { RequestContext } from "@mikro-orm/core";
+import { getOrm } from "@open-mercato/shared/lib/db/mikro";
+import { BasicQueryEngine } from "@open-mercato/shared/lib/query/engine";
+import { DefaultDataEngine } from "@open-mercato/shared/lib/data/engine";
+import { commandRegistry, CommandBus } from "@open-mercato/shared/lib/commands";
+const GLOBAL_KEY = "__openMercatoDiRegistrars__";
+function getGlobalRegistrars() {
+  return globalThis[GLOBAL_KEY] ?? null;
+}
+function setGlobalRegistrars(registrars) {
+  globalThis[GLOBAL_KEY] = registrars;
+}
+function registerDiRegistrars(registrars) {
+  const existing = getGlobalRegistrars();
+  if (existing !== null && process.env.NODE_ENV === "development") {
+    console.debug("[Bootstrap] DI registrars re-registered (this may occur during HMR)");
+  }
+  setGlobalRegistrars(registrars);
+}
+function getDiRegistrars() {
+  const registrars = getGlobalRegistrars();
+  if (!registrars) {
+    throw new Error("[Bootstrap] DI registrars not registered. Call registerDiRegistrars() at bootstrap.");
+  }
+  return registrars;
+}
+async function createRequestContainer() {
+  const diRegistrars = getDiRegistrars();
+  const orm = await getOrm();
+  const baseEm = RequestContext.getEntityManager() ?? orm.em;
+  const em = baseEm.fork({ clear: true, freshEventManager: true, useContext: true });
+  const container = createContainer({ injectionMode: InjectionMode.CLASSIC });
+  container.register({
+    em: asValue(em),
+    queryEngine: asValue(new BasicQueryEngine(em, void 0, () => {
+      try {
+        return container.resolve("tenantEncryptionService");
+      } catch {
+        return null;
+      }
+    })),
+    dataEngine: asValue(new DefaultDataEngine(em, container)),
+    commandRegistry: asValue(commandRegistry),
+    commandBus: asValue(new CommandBus())
+  });
+  for (const reg of diRegistrars) {
+    try {
+      reg?.(container);
+    } catch {
+    }
+  }
+  try {
+    const { bootstrap } = await import("@open-mercato/core/bootstrap");
+    if (bootstrap && typeof bootstrap === "function") {
+      const alreadyBootstrapped = !!container.registrations?.eventBus;
+      if (!alreadyBootstrapped) {
+        await bootstrap(container);
+      }
+    }
+  } catch {
+  }
+  try {
+    const appDi = await import("@/di");
+    if (appDi?.register) {
+      try {
+        const maybe = appDi.register(container);
+        if (maybe && typeof maybe.then === "function") await maybe;
+      } catch {
+      }
+    }
+  } catch {
+  }
+  try {
+    const emForEnc = container.resolve("em");
+    const tenantEncryptionService = container.hasRegistration("tenantEncryptionService") ? container.resolve("tenantEncryptionService") : null;
+    if (emForEnc && tenantEncryptionService?.isEnabled?.()) {
+      const { registerTenantEncryptionSubscriber } = await import("@open-mercato/shared/lib/encryption/subscriber");
+      registerTenantEncryptionSubscriber(emForEnc, tenantEncryptionService);
+    }
+  } catch {
+  }
+  return container;
+}
+try {
+  require("server-only");
+} catch {
+}
+export {
+  createRequestContainer,
+  getDiRegistrars,
+  registerDiRegistrars
+};
+//# sourceMappingURL=container.js.map

package/dist/lib/di/container.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/di/container.ts"],
+  "sourcesContent": ["import { createContainer, asValue, AwilixContainer, InjectionMode } from 'awilix'\nimport { RequestContext } from '@mikro-orm/core'\nimport { getOrm } from '@open-mercato/shared/lib/db/mikro'\nimport { EntityManager } from '@mikro-orm/postgresql'\nimport { BasicQueryEngine } from '@open-mercato/shared/lib/query/engine'\nimport { DefaultDataEngine } from '@open-mercato/shared/lib/data/engine'\nimport { commandRegistry, CommandBus } from '@open-mercato/shared/lib/commands'\n\nexport type AppContainer = AwilixContainer\nexport type DiRegistrar = (container: AwilixContainer) => void\n\n// Registration pattern for publishable packages\n// Use globalThis to survive tsx/esbuild module duplication issue where the same\n// file can be loaded as multiple module instances when mixing dynamic and static imports\nconst GLOBAL_KEY = '__openMercatoDiRegistrars__'\n\nfunction getGlobalRegistrars(): DiRegistrar[] | null {\n  return (globalThis as any)[GLOBAL_KEY] ?? null\n}\n\nfunction setGlobalRegistrars(registrars: DiRegistrar[]): void {\n  (globalThis as any)[GLOBAL_KEY] = registrars\n}\n\nexport function registerDiRegistrars(registrars: DiRegistrar[]) {\n  const existing = getGlobalRegistrars()\n  if (existing !== null && process.env.NODE_ENV === 'development') {\n    console.debug('[Bootstrap] DI registrars re-registered (this may occur during HMR)')\n  }\n  setGlobalRegistrars(registrars)\n}\n\nexport function getDiRegistrars(): DiRegistrar[] {\n  const registrars = getGlobalRegistrars()\n  if (!registrars) {\n    throw new Error('[Bootstrap] DI registrars not registered. Call registerDiRegistrars() at bootstrap.')\n  }\n  return registrars\n}\n\nexport async function createRequestContainer(): Promise<AppContainer> {\n  const diRegistrars = getDiRegistrars()\n  const orm = await getOrm()\n  // Use a fresh event manager so request-level subscribers (e.g., encryption) don't pile up globally\n  const baseEm = (RequestContext.getEntityManager() as any) ?? orm.em\n  const em = baseEm.fork({ clear: true, freshEventManager: true, useContext: true }) as unknown as EntityManager\n  const container = createContainer({ injectionMode: InjectionMode.CLASSIC })\n  // Core registrations\n  container.register({\n    em: asValue(em),\n    queryEngine: asValue(new BasicQueryEngine(em, undefined, () => {\n      try { return container.resolve('tenantEncryptionService') as any } catch { return null }\n    })),\n    dataEngine: asValue(new DefaultDataEngine(em, container as any)),\n    commandRegistry: asValue(commandRegistry),\n    commandBus: asValue(new CommandBus()),\n  })\n  // Allow modules to override/extend\n  for (const reg of diRegistrars) {\n    try { reg?.(container) } catch {}\n  }\n  // Core bootstrap (cache, event bus, encryption subscriber/KMS, module subscribers)\n  try {\n    const { bootstrap } = await import('@open-mercato/core/bootstrap') as any\n    if (bootstrap && typeof bootstrap === 'function') {\n      // Avoid double bootstrap if caller already wired it\n      const alreadyBootstrapped = !!container.registrations?.eventBus\n      if (!alreadyBootstrapped) {\n        await bootstrap(container)\n      }\n    }\n  } catch { /* optional */ }\n  // App-level DI override (last chance)\n  // This import path resolves only in the app context, not in packages\n  try {\n    // @ts-ignore - @/di only exists in app context, not in packages\n    const appDi = await import('@/di') as any\n    if (appDi?.register) {\n      try {\n        const maybe = appDi.register(container)\n        if (maybe && typeof maybe.then === 'function') await maybe\n      } catch {}\n    }\n  } catch {}\n  // Ensure tenant encryption subscriber is always registered on the fresh request-scoped EM\n  try {\n    const emForEnc = container.resolve('em') as any\n    const tenantEncryptionService = container.hasRegistration('tenantEncryptionService')\n      ? (container.resolve('tenantEncryptionService') as any)\n      : null\n    if (emForEnc && tenantEncryptionService?.isEnabled?.()) {\n      const { registerTenantEncryptionSubscriber } = await import('@open-mercato/shared/lib/encryption/subscriber')\n      registerTenantEncryptionSubscriber(emForEnc, tenantEncryptionService)\n    }\n  } catch {\n    // best-effort; do not block container creation\n  }\n  return container\n}\ntry {\n  // eslint-disable-next-line @typescript-eslint/no-var-requires\n  require('server-only')\n} catch {\n  // allow CLI/generator usage where Next server-only is not present\n}\n"],
+  "mappings": "AAAA,SAAS,iBAAiB,SAA0B,qBAAqB;AACzE,SAAS,sBAAsB;AAC/B,SAAS,cAAc;AAEvB,SAAS,wBAAwB;AACjC,SAAS,yBAAyB;AAClC,SAAS,iBAAiB,kBAAkB;AAQ5C,MAAM,aAAa;AAEnB,SAAS,sBAA4C;AACnD,SAAQ,WAAmB,UAAU,KAAK;AAC5C;AAEA,SAAS,oBAAoB,YAAiC;AAC5D,EAAC,WAAmB,UAAU,IAAI;AACpC;AAEO,SAAS,qBAAqB,YAA2B;AAC9D,QAAM,WAAW,oBAAoB;AACrC,MAAI,aAAa,QAAQ,QAAQ,IAAI,aAAa,eAAe;AAC/D,YAAQ,MAAM,qEAAqE;AAAA,EACrF;AACA,sBAAoB,UAAU;AAChC;AAEO,SAAS,kBAAiC;AAC/C,QAAM,aAAa,oBAAoB;AACvC,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,qFAAqF;AAAA,EACvG;AACA,SAAO;AACT;AAEA,eAAsB,yBAAgD;AACpE,QAAM,eAAe,gBAAgB;AACrC,QAAM,MAAM,MAAM,OAAO;AAEzB,QAAM,SAAU,eAAe,iBAAiB,KAAa,IAAI;AACjE,QAAM,KAAK,OAAO,KAAK,EAAE,OAAO,MAAM,mBAAmB,MAAM,YAAY,KAAK,CAAC;AACjF,QAAM,YAAY,gBAAgB,EAAE,eAAe,cAAc,QAAQ,CAAC;AAE1E,YAAU,SAAS;AAAA,IACjB,IAAI,QAAQ,EAAE;AAAA,IACd,aAAa,QAAQ,IAAI,iBAAiB,IAAI,QAAW,MAAM;AAC7D,UAAI;AAAE,eAAO,UAAU,QAAQ,yBAAyB;AAAA,MAAS,QAAQ;AAAE,eAAO;AAAA,MAAK;AAAA,IACzF,CAAC,CAAC;AAAA,IACF,YAAY,QAAQ,IAAI,kBAAkB,IAAI,SAAgB,CAAC;AAAA,IAC/D,iBAAiB,QAAQ,eAAe;AAAA,IACxC,YAAY,QAAQ,IAAI,WAAW,CAAC;AAAA,EACtC,CAAC;AAED,aAAW,OAAO,cAAc;AAC9B,QAAI;AAAE,YAAM,SAAS;AAAA,IAAE,QAAQ;AAAA,IAAC;AAAA,EAClC;AAEA,MAAI;AACF,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,8BAA8B;AACjE,QAAI,aAAa,OAAO,cAAc,YAAY;AAEhD,YAAM,sBAAsB,CAAC,CAAC,UAAU,eAAe;AACvD,UAAI,CAAC,qBAAqB;AACxB,cAAM,UAAU,SAAS;AAAA,MAC3B;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAAiB;AAGzB,MAAI;AAEF,UAAM,QAAQ,MAAM,OAAO,MAAM;AACjC,QAAI,OAAO,UAAU;AACnB,UAAI;AACF,cAAM,QAAQ,MAAM,SAAS,SAAS;AACtC,YAAI,SAAS,OAAO,MAAM,SAAS,WAAY,OAAM;AAAA,MACvD,QAAQ;AAAA,MAAC;AAAA,IACX;AAAA,EACF,QAAQ;AAAA,EAAC;AAET,MAAI;AACF,UAAM,WAAW,UAAU,QAAQ,IAAI;AACvC,UAAM,0BAA0B,UAAU,gBAAgB,yBAAyB,IAC9E,UAAU,QAAQ,yBAAyB,IAC5C;AACJ,QAAI,YAAY,yBAAyB,YAAY,GAAG;AACtD,YAAM,EAAE,mCAAmC,IAAI,MAAM,OAAO,gDAAgD;AAC5G,yCAAmC,UAAU,uBAAuB;AAAA,IACtE;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AACA,IAAI;AAEF,UAAQ,aAAa;AACvB,QAAQ;AAER;",
+  "names": []
+}

package/dist/lib/email/send.js

@@ -0,0 +1,12 @@
+import { Resend } from "resend";
+async function sendEmail({ to, subject, react, from }) {
+  const apiKey = process.env.RESEND_API_KEY;
+  if (!apiKey) throw new Error("RESEND_API_KEY is not set");
+  const resend = new Resend(apiKey);
+  const fromAddr = from || process.env.EMAIL_FROM || "no-reply@localhost";
+  await resend.emails.send({ to, subject, from: fromAddr, react });
+}
+export {
+  sendEmail
+};
+//# sourceMappingURL=send.js.map

package/dist/lib/email/send.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/email/send.ts"],
+  "sourcesContent": ["import { Resend } from 'resend'\nimport React from 'react'\n\nexport type SendEmailOptions = {\n  to: string\n  subject: string\n  react: React.ReactElement\n  from?: string\n}\n\nexport async function sendEmail({ to, subject, react, from }: SendEmailOptions) {\n  const apiKey = process.env.RESEND_API_KEY\n  if (!apiKey) throw new Error('RESEND_API_KEY is not set')\n  const resend = new Resend(apiKey)\n  const fromAddr = from || process.env.EMAIL_FROM || 'no-reply@localhost'\n  await resend.emails.send({ to, subject, from: fromAddr, react })\n}\n\n"],
+  "mappings": "AAAA,SAAS,cAAc;AAUvB,eAAsB,UAAU,EAAE,IAAI,SAAS,OAAO,KAAK,GAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,2BAA2B;AACxD,QAAM,SAAS,IAAI,OAAO,MAAM;AAChC,QAAM,WAAW,QAAQ,QAAQ,IAAI,cAAc;AACnD,QAAM,OAAO,OAAO,KAAK,EAAE,IAAI,SAAS,MAAM,UAAU,MAAM,CAAC;AACjE;",
+  "names": []
+}

package/dist/lib/encryption/aes.js

@@ -0,0 +1,58 @@
+import crypto from "node:crypto";
+import { isEncryptionDebugEnabled } from "./toggles.js";
+function generateDek() {
+  return crypto.randomBytes(32).toString("base64");
+}
+function logDebug(event, payload) {
+  if (!isEncryptionDebugEnabled()) return;
+  try {
+    console.debug("[encryption]", event, payload);
+  } catch {
+  }
+}
+function encryptWithAesGcm(value, dekBase64) {
+  const dek = Buffer.from(dekBase64, "base64");
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", dek, iv);
+  const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const payload = [
+    iv.toString("base64"),
+    ciphertext.toString("base64"),
+    tag.toString("base64"),
+    "v1"
+  ].join(":");
+  logDebug("encrypt", { length: ciphertext.length });
+  return { value: payload, raw: payload, version: "v1" };
+}
+function decryptWithAesGcm(payload, dekBase64) {
+  if (!payload) return null;
+  const parts = payload.split(":");
+  if (parts.length !== 4) return null;
+  const [ivB64, ciphertextB64, tagB64, version] = parts;
+  if (version !== "v1") return null;
+  const dek = Buffer.from(dekBase64, "base64");
+  const iv = Buffer.from(ivB64, "base64");
+  const ciphertext = Buffer.from(ciphertextB64, "base64");
+  const tag = Buffer.from(tagB64, "base64");
+  try {
+    const decipher = crypto.createDecipheriv("aes-256-gcm", dek, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+    logDebug("decrypt", { iv: ivB64, tag: tagB64 });
+    return decrypted;
+  } catch (err) {
+    logDebug("decrypt_error", { message: err?.message || String(err) });
+    return null;
+  }
+}
+function hashForLookup(value) {
+  return crypto.createHash("sha256").update(value.toLowerCase().trim()).digest("hex");
+}
+export {
+  decryptWithAesGcm,
+  encryptWithAesGcm,
+  generateDek,
+  hashForLookup
+};
+//# sourceMappingURL=aes.js.map

package/dist/lib/encryption/aes.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/aes.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\nimport { isEncryptionDebugEnabled } from './toggles'\n\nexport type EncryptionPayload = {\n  value: string | null\n  raw: string\n  version: string\n}\n\nexport function generateDek(): string {\n  return crypto.randomBytes(32).toString('base64')\n}\n\nfunction logDebug(event: string, payload: Record<string, unknown>) {\n  if (!isEncryptionDebugEnabled()) return\n  try {\n    // eslint-disable-next-line no-console\n    console.debug('[encryption]', event, payload)\n  } catch {\n    // ignore\n  }\n}\n\nexport function encryptWithAesGcm(value: string, dekBase64: string): EncryptionPayload {\n  const dek = Buffer.from(dekBase64, 'base64')\n  const iv = crypto.randomBytes(12)\n  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv)\n  const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n  const payload = [\n    iv.toString('base64'),\n    ciphertext.toString('base64'),\n    tag.toString('base64'),\n    'v1',\n  ].join(':')\n  logDebug('encrypt', { length: ciphertext.length })\n  return { value: payload, raw: payload, version: 'v1' }\n}\n\nexport function decryptWithAesGcm(payload: string, dekBase64: string): string | null {\n  if (!payload) return null\n  const parts = payload.split(':')\n  if (parts.length !== 4) return null\n  const [ivB64, ciphertextB64, tagB64, version] = parts\n  if (version !== 'v1') return null\n  const dek = Buffer.from(dekBase64, 'base64')\n  const iv = Buffer.from(ivB64, 'base64')\n  const ciphertext = Buffer.from(ciphertextB64, 'base64')\n  const tag = Buffer.from(tagB64, 'base64')\n  try {\n    const decipher = crypto.createDecipheriv('aes-256-gcm', dek, iv)\n    decipher.setAuthTag(tag)\n    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8')\n    logDebug('decrypt', { iv: ivB64, tag: tagB64 })\n    return decrypted\n  } catch (err) {\n    logDebug('decrypt_error', { message: (err as Error)?.message || String(err) })\n    return null\n  }\n}\n\nexport function hashForLookup(value: string): string {\n  return crypto.createHash('sha256').update(value.toLowerCase().trim()).digest('hex')\n}\n"],
+  "mappings": "AAAA,OAAO,YAAY;AACnB,SAAS,gCAAgC;AAQlC,SAAS,cAAsB;AACpC,SAAO,OAAO,YAAY,EAAE,EAAE,SAAS,QAAQ;AACjD;AAEA,SAAS,SAAS,OAAe,SAAkC;AACjE,MAAI,CAAC,yBAAyB,EAAG;AACjC,MAAI;AAEF,YAAQ,MAAM,gBAAgB,OAAO,OAAO;AAAA,EAC9C,QAAQ;AAAA,EAER;AACF;AAEO,SAAS,kBAAkB,OAAe,WAAsC;AACrF,QAAM,MAAM,OAAO,KAAK,WAAW,QAAQ;AAC3C,QAAM,KAAK,OAAO,YAAY,EAAE;AAChC,QAAM,SAAS,OAAO,eAAe,eAAe,KAAK,EAAE;AAC3D,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,OAAO,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC/E,QAAM,MAAM,OAAO,WAAW;AAC9B,QAAM,UAAU;AAAA,IACd,GAAG,SAAS,QAAQ;AAAA,IACpB,WAAW,SAAS,QAAQ;AAAA,IAC5B,IAAI,SAAS,QAAQ;AAAA,IACrB;AAAA,EACF,EAAE,KAAK,GAAG;AACV,WAAS,WAAW,EAAE,QAAQ,WAAW,OAAO,CAAC;AACjD,SAAO,EAAE,OAAO,SAAS,KAAK,SAAS,SAAS,KAAK;AACvD;AAEO,SAAS,kBAAkB,SAAiB,WAAkC;AACnF,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,QAAQ,QAAQ,MAAM,GAAG;AAC/B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,CAAC,OAAO,eAAe,QAAQ,OAAO,IAAI;AAChD,MAAI,YAAY,KAAM,QAAO;AAC7B,QAAM,MAAM,OAAO,KAAK,WAAW,QAAQ;AAC3C,QAAM,KAAK,OAAO,KAAK,OAAO,QAAQ;AACtC,QAAM,aAAa,OAAO,KAAK,eAAe,QAAQ;AACtD,QAAM,MAAM,OAAO,KAAK,QAAQ,QAAQ;AACxC,MAAI;AACF,UAAM,WAAW,OAAO,iBAAiB,eAAe,KAAK,EAAE;AAC/D,aAAS,WAAW,GAAG;AACvB,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC,EAAE,SAAS,MAAM;AAChG,aAAS,WAAW,EAAE,IAAI,OAAO,KAAK,OAAO,CAAC;AAC9C,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,aAAS,iBAAiB,EAAE,SAAU,KAAe,WAAW,OAAO,GAAG,EAAE,CAAC;AAC7E,WAAO;AAAA,EACT;AACF;AAEO,SAAS,cAAc,OAAuB;AACnD,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,YAAY,EAAE,KAAK,CAAC,EAAE,OAAO,KAAK;AACpF;",
+  "names": []
+}

package/dist/lib/encryption/customFieldValues.js

@@ -0,0 +1,49 @@
+import { encryptWithAesGcm, decryptWithAesGcm } from "./aes.js";
+import { TenantDataEncryptionService } from "./tenantDataEncryptionService.js";
+const serviceCache = /* @__PURE__ */ new WeakMap();
+function resolveTenantEncryptionService(em, provided) {
+  if (provided) return provided;
+  const cached = serviceCache.get(em);
+  if (cached) return cached;
+  const service = new TenantDataEncryptionService(em);
+  serviceCache.set(em, service);
+  return service;
+}
+async function resolveDekKey(service, tenantId, cache, opts) {
+  const scopedTenantId = tenantId ?? null;
+  if (!service || !service.isEnabled() || !scopedTenantId) return null;
+  if (cache?.has(scopedTenantId)) return cache.get(scopedTenantId) ?? null;
+  const dek = await service.getDek(scopedTenantId);
+  let key = dek?.key ?? null;
+  if (!key && opts?.createIfMissing && typeof service.createDek === "function") {
+    const created = await service.createDek(scopedTenantId);
+    key = created?.key ?? null;
+  }
+  cache?.set(scopedTenantId, key);
+  return key;
+}
+async function encryptCustomFieldValue(value, tenantId, service, cache) {
+  if (value === void 0 || value === null) return value;
+  const key = await resolveDekKey(service, tenantId, cache, { createIfMissing: true });
+  if (!key) return value;
+  const serialized = typeof value === "string" ? value : JSON.stringify(value);
+  return encryptWithAesGcm(serialized, key).value;
+}
+async function decryptCustomFieldValue(value, tenantId, service, cache) {
+  if (value === void 0 || value === null || typeof value !== "string") return value;
+  const key = await resolveDekKey(service, tenantId, cache);
+  if (!key) return value;
+  const decrypted = decryptWithAesGcm(value, key);
+  if (decrypted === null) return value;
+  try {
+    return JSON.parse(decrypted);
+  } catch {
+    return decrypted;
+  }
+}
+export {
+  decryptCustomFieldValue,
+  encryptCustomFieldValue,
+  resolveTenantEncryptionService
+};
+//# sourceMappingURL=customFieldValues.js.map

package/dist/lib/encryption/customFieldValues.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/customFieldValues.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/core'\nimport { encryptWithAesGcm, decryptWithAesGcm } from './aes'\nimport { TenantDataEncryptionService } from './tenantDataEncryptionService'\n\nconst serviceCache = new WeakMap<EntityManager, TenantDataEncryptionService>()\n\nexport function resolveTenantEncryptionService(\n  em: EntityManager,\n  provided?: TenantDataEncryptionService | null,\n): TenantDataEncryptionService | null {\n  if (provided) return provided\n  const cached = serviceCache.get(em)\n  if (cached) return cached\n  const service = new TenantDataEncryptionService(em as any)\n  serviceCache.set(em, service)\n  return service\n}\n\nasync function resolveDekKey(\n  service: TenantDataEncryptionService | null,\n  tenantId: string | null | undefined,\n  cache?: Map<string | null, string | null>,\n  opts?: { createIfMissing?: boolean },\n): Promise<string | null> {\n  const scopedTenantId = tenantId ?? null\n  if (!service || !service.isEnabled() || !scopedTenantId) return null\n  if (cache?.has(scopedTenantId)) return cache.get(scopedTenantId) ?? null\n  const dek = await service.getDek(scopedTenantId)\n  let key = dek?.key ?? null\n  if (!key && opts?.createIfMissing && typeof service.createDek === 'function') {\n    const created = await service.createDek(scopedTenantId)\n    key = created?.key ?? null\n  }\n  cache?.set(scopedTenantId, key)\n  return key\n}\n\nexport async function encryptCustomFieldValue(\n  value: unknown,\n  tenantId: string | null | undefined,\n  service: TenantDataEncryptionService | null,\n  cache?: Map<string | null, string | null>,\n): Promise<unknown> {\n  if (value === undefined || value === null) return value\n  const key = await resolveDekKey(service, tenantId, cache, { createIfMissing: true })\n  if (!key) return value\n  const serialized = typeof value === 'string' ? value : JSON.stringify(value)\n  return encryptWithAesGcm(serialized, key).value\n}\n\nexport async function decryptCustomFieldValue(\n  value: unknown,\n  tenantId: string | null | undefined,\n  service: TenantDataEncryptionService | null,\n  cache?: Map<string | null, string | null>,\n): Promise<unknown> {\n  if (value === undefined || value === null || typeof value !== 'string') return value\n  const key = await resolveDekKey(service, tenantId, cache)\n  if (!key) return value\n  const decrypted = decryptWithAesGcm(value, key)\n  if (decrypted === null) return value\n  try {\n    return JSON.parse(decrypted)\n  } catch {\n    return decrypted\n  }\n}\n"],
+  "mappings": "AACA,SAAS,mBAAmB,yBAAyB;AACrD,SAAS,mCAAmC;AAE5C,MAAM,eAAe,oBAAI,QAAoD;AAEtE,SAAS,+BACd,IACA,UACoC;AACpC,MAAI,SAAU,QAAO;AACrB,QAAM,SAAS,aAAa,IAAI,EAAE;AAClC,MAAI,OAAQ,QAAO;AACnB,QAAM,UAAU,IAAI,4BAA4B,EAAS;AACzD,eAAa,IAAI,IAAI,OAAO;AAC5B,SAAO;AACT;AAEA,eAAe,cACb,SACA,UACA,OACA,MACwB;AACxB,QAAM,iBAAiB,YAAY;AACnC,MAAI,CAAC,WAAW,CAAC,QAAQ,UAAU,KAAK,CAAC,eAAgB,QAAO;AAChE,MAAI,OAAO,IAAI,cAAc,EAAG,QAAO,MAAM,IAAI,cAAc,KAAK;AACpE,QAAM,MAAM,MAAM,QAAQ,OAAO,cAAc;AAC/C,MAAI,MAAM,KAAK,OAAO;AACtB,MAAI,CAAC,OAAO,MAAM,mBAAmB,OAAO,QAAQ,cAAc,YAAY;AAC5E,UAAM,UAAU,MAAM,QAAQ,UAAU,cAAc;AACtD,UAAM,SAAS,OAAO;AAAA,EACxB;AACA,SAAO,IAAI,gBAAgB,GAAG;AAC9B,SAAO;AACT;AAEA,eAAsB,wBACpB,OACA,UACA,SACA,OACkB;AAClB,MAAI,UAAU,UAAa,UAAU,KAAM,QAAO;AAClD,QAAM,MAAM,MAAM,cAAc,SAAS,UAAU,OAAO,EAAE,iBAAiB,KAAK,CAAC;AACnF,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,aAAa,OAAO,UAAU,WAAW,QAAQ,KAAK,UAAU,KAAK;AAC3E,SAAO,kBAAkB,YAAY,GAAG,EAAE;AAC5C;AAEA,eAAsB,wBACpB,OACA,UACA,SACA,OACkB;AAClB,MAAI,UAAU,UAAa,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO;AAC/E,QAAM,MAAM,MAAM,cAAc,SAAS,UAAU,KAAK;AACxD,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,YAAY,kBAAkB,OAAO,GAAG;AAC9C,MAAI,cAAc,KAAM,QAAO;AAC/B,MAAI;AACF,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;",
+  "names": []
+}

package/dist/lib/encryption/entityFields.js

@@ -0,0 +1,26 @@
+let _entityFieldsRegistry = null;
+function registerEntityFields(registry) {
+  if (_entityFieldsRegistry !== null && process.env.NODE_ENV === "development") {
+    console.debug("[Bootstrap] Entity fields re-registered (this may occur during HMR)");
+  }
+  _entityFieldsRegistry = registry;
+}
+function getEntityFieldsRegistry(throwIfNotRegistered = true) {
+  if (!_entityFieldsRegistry) {
+    if (throwIfNotRegistered) {
+      throw new Error("[Bootstrap] Entity fields not registered. Call registerEntityFields() at bootstrap.");
+    }
+    return {};
+  }
+  return _entityFieldsRegistry;
+}
+function getEntityFields(slug) {
+  const registry = getEntityFieldsRegistry(false);
+  return registry[slug];
+}
+export {
+  getEntityFields,
+  getEntityFieldsRegistry,
+  registerEntityFields
+};
+//# sourceMappingURL=entityFields.js.map

package/dist/lib/encryption/entityFields.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/entityFields.ts"],
+  "sourcesContent": ["// Registration pattern for entity fields (for Turbopack compatibility)\nexport type EntityFieldsRegistry = Record<string, Record<string, string>>\n\nlet _entityFieldsRegistry: EntityFieldsRegistry | null = null\n\nexport function registerEntityFields(registry: EntityFieldsRegistry) {\n  if (_entityFieldsRegistry !== null && process.env.NODE_ENV === 'development') {\n    console.debug('[Bootstrap] Entity fields re-registered (this may occur during HMR)')\n  }\n  _entityFieldsRegistry = registry\n}\n\n/**\n * Get registered entity fields.\n *\n * @param throwIfNotRegistered - If true, throws error when entity fields are not registered.\n *                               If false, returns empty object (useful during module load).\n *                               Default: true\n */\nexport function getEntityFieldsRegistry(throwIfNotRegistered = true): EntityFieldsRegistry {\n  if (!_entityFieldsRegistry) {\n    if (throwIfNotRegistered) {\n      throw new Error('[Bootstrap] Entity fields not registered. Call registerEntityFields() at bootstrap.')\n    }\n    return {} as EntityFieldsRegistry\n  }\n  return _entityFieldsRegistry\n}\n\n/**\n * Get fields for a specific entity by slug.\n *\n * @param slug - The entity slug (e.g., 'user', 'sales_order')\n * @returns The entity's fields or undefined if not found\n */\nexport function getEntityFields(slug: string): Record<string, string> | undefined {\n  const registry = getEntityFieldsRegistry(false)\n  return registry[slug]\n}\n"],
+  "mappings": "AAGA,IAAI,wBAAqD;AAElD,SAAS,qBAAqB,UAAgC;AACnE,MAAI,0BAA0B,QAAQ,QAAQ,IAAI,aAAa,eAAe;AAC5E,YAAQ,MAAM,qEAAqE;AAAA,EACrF;AACA,0BAAwB;AAC1B;AASO,SAAS,wBAAwB,uBAAuB,MAA4B;AACzF,MAAI,CAAC,uBAAuB;AAC1B,QAAI,sBAAsB;AACxB,YAAM,IAAI,MAAM,qFAAqF;AAAA,IACvG;AACA,WAAO,CAAC;AAAA,EACV;AACA,SAAO;AACT;AAQO,SAAS,gBAAgB,MAAkD;AAChF,QAAM,WAAW,wBAAwB,KAAK;AAC9C,SAAO,SAAS,IAAI;AACtB;",
+  "names": []
+}

package/dist/lib/encryption/entityIds.js

@@ -0,0 +1,80 @@
+let _entityIds = null;
+let _entityIdLookup = null;
+function registerEntityIds(E) {
+  if (_entityIds !== null && process.env.NODE_ENV === "development") {
+    console.debug("[Bootstrap] Entity IDs re-registered (this may occur during HMR)");
+  }
+  _entityIds = E;
+  _entityIdLookup = null;
+}
+function getEntityIds(throwIfNotRegistered = true) {
+  if (!_entityIds) {
+    if (throwIfNotRegistered) {
+      throw new Error("[Bootstrap] Entity IDs not registered. Call registerEntityIds() at bootstrap.");
+    }
+    return {};
+  }
+  return _entityIds;
+}
+const toSnake = (value) => value.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[\s-]+/g, "_").replace(/__+/g, "_").toLowerCase();
+function getEntityIdLookup() {
+  if (_entityIdLookup) return _entityIdLookup;
+  const E = getEntityIds();
+  const map = /* @__PURE__ */ new Map();
+  for (const mod of Object.values(E || {})) {
+    for (const [key, entityId] of Object.entries(mod || {})) {
+      const snake = toSnake(key);
+      map.set(snake, entityId);
+      map.set(key.toLowerCase(), entityId);
+      map.set(
+        key.split("_").map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join(""),
+        entityId
+      );
+    }
+  }
+  _entityIdLookup = map;
+  return map;
+}
+const normalizeKey = (value) => value.replace(/["'`]/g, "").replace(/[\W]+/g, "_").replace(/__+/g, "_").toLowerCase();
+const maybeSingularize = (value) => {
+  if (value.endsWith("ies")) return `${value.slice(0, -3)}y`;
+  if (value.endsWith("s")) return value.slice(0, -1);
+  return value;
+};
+function resolveEntityIdFromMetadata(meta) {
+  if (!meta) return null;
+  const candidates = [
+    meta.className,
+    meta.name,
+    meta.collection,
+    meta.tableName
+  ].filter(Boolean);
+  for (const raw of candidates) {
+    const normalized = normalizeKey(raw);
+    const singular = maybeSingularize(normalized);
+    const snake = toSnake(raw);
+    const snakeSingular = maybeSingularize(snake);
+    const variants = [
+      normalized,
+      singular,
+      normalized.replace(/_/g, ""),
+      // Pascal-ish fallback
+      singular.replace(/_/g, ""),
+      snake,
+      snakeSingular
+    ];
+    const lookup = getEntityIdLookup();
+    for (const candidate of variants) {
+      if (!candidate) continue;
+      const id = lookup.get(candidate);
+      if (id) return id;
+    }
+  }
+  return null;
+}
+export {
+  getEntityIds,
+  registerEntityIds,
+  resolveEntityIdFromMetadata
+};
+//# sourceMappingURL=entityIds.js.map

package/dist/lib/encryption/entityIds.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/entityIds.ts"],
+  "sourcesContent": ["import type { EntityMetadata } from '@mikro-orm/core'\n\n// Registration pattern for publishable packages\nexport type EntityIds = Record<string, Record<string, string>>\n\nlet _entityIds: EntityIds | null = null\nlet _entityIdLookup: Map<string, string> | null = null\n\nexport function registerEntityIds(E: EntityIds) {\n  if (_entityIds !== null && process.env.NODE_ENV === 'development') {\n    console.debug('[Bootstrap] Entity IDs re-registered (this may occur during HMR)')\n  }\n  _entityIds = E\n  _entityIdLookup = null // Reset cache on re-registration\n}\n\n/**\n * Get registered entity IDs.\n *\n * @param throwIfNotRegistered - If true, throws error when entity IDs are not registered.\n *                               If false, returns empty object (useful during module load).\n *                               Default: true\n */\nexport function getEntityIds(throwIfNotRegistered = true): EntityIds {\n  if (!_entityIds) {\n    if (throwIfNotRegistered) {\n      throw new Error('[Bootstrap] Entity IDs not registered. Call registerEntityIds() at bootstrap.')\n    }\n    return {} as EntityIds\n  }\n  return _entityIds\n}\n\nconst toSnake = (value: string): string =>\n  value\n    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')\n    .replace(/[\\s-]+/g, '_')\n    .replace(/__+/g, '_')\n    .toLowerCase()\n\nfunction getEntityIdLookup(): Map<string, string> {\n  if (_entityIdLookup) return _entityIdLookup\n  const E = getEntityIds()\n  const map = new Map<string, string>()\n  for (const mod of Object.values(E || {})) {\n    for (const [key, entityId] of Object.entries(mod || {})) {\n      const snake = toSnake(key)\n      map.set(snake, entityId)\n      // Also allow the original key and PascalCase class names to resolve\n      map.set(key.toLowerCase(), entityId)\n      map.set(\n        key\n          .split('_')\n          .map((part) => part.charAt(0).toUpperCase() + part.slice(1))\n          .join(''),\n        entityId,\n      )\n    }\n  }\n  _entityIdLookup = map\n  return map\n}\n\nconst normalizeKey = (value: string): string =>\n  value\n    .replace(/[\"'`]/g, '')\n    .replace(/[\\W]+/g, '_')\n    .replace(/__+/g, '_')\n    .toLowerCase()\n\nconst maybeSingularize = (value: string): string => {\n  if (value.endsWith('ies')) return `${value.slice(0, -3)}y`\n  if (value.endsWith('s')) return value.slice(0, -1)\n  return value\n}\n\nexport function resolveEntityIdFromMetadata(meta: EntityMetadata<any> | undefined): string | null {\n  if (!meta) return null\n  const candidates = [\n    (meta as any).className,\n    meta.name,\n    (meta as any).collection,\n    (meta as any).tableName,\n  ].filter(Boolean) as string[]\n\n  for (const raw of candidates) {\n    const normalized = normalizeKey(raw)\n    const singular = maybeSingularize(normalized)\n    const snake = toSnake(raw)\n    const snakeSingular = maybeSingularize(snake)\n    const variants = [\n      normalized,\n      singular,\n      normalized.replace(/_/g, ''), // Pascal-ish fallback\n      singular.replace(/_/g, ''),\n      snake,\n      snakeSingular,\n    ]\n    const lookup = getEntityIdLookup()\n    for (const candidate of variants) {\n      if (!candidate) continue\n      const id = lookup.get(candidate)\n      if (id) return id\n    }\n  }\n  return null\n}\n"],
+  "mappings": "AAKA,IAAI,aAA+B;AACnC,IAAI,kBAA8C;AAE3C,SAAS,kBAAkB,GAAc;AAC9C,MAAI,eAAe,QAAQ,QAAQ,IAAI,aAAa,eAAe;AACjE,YAAQ,MAAM,kEAAkE;AAAA,EAClF;AACA,eAAa;AACb,oBAAkB;AACpB;AASO,SAAS,aAAa,uBAAuB,MAAiB;AACnE,MAAI,CAAC,YAAY;AACf,QAAI,sBAAsB;AACxB,YAAM,IAAI,MAAM,+EAA+E;AAAA,IACjG;AACA,WAAO,CAAC;AAAA,EACV;AACA,SAAO;AACT;AAEA,MAAM,UAAU,CAAC,UACf,MACG,QAAQ,sBAAsB,OAAO,EACrC,QAAQ,WAAW,GAAG,EACtB,QAAQ,QAAQ,GAAG,EACnB,YAAY;AAEjB,SAAS,oBAAyC;AAChD,MAAI,gBAAiB,QAAO;AAC5B,QAAM,IAAI,aAAa;AACvB,QAAM,MAAM,oBAAI,IAAoB;AACpC,aAAW,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,GAAG;AACxC,eAAW,CAAC,KAAK,QAAQ,KAAK,OAAO,QAAQ,OAAO,CAAC,CAAC,GAAG;AACvD,YAAM,QAAQ,QAAQ,GAAG;AACzB,UAAI,IAAI,OAAO,QAAQ;AAEvB,UAAI,IAAI,IAAI,YAAY,GAAG,QAAQ;AACnC,UAAI;AAAA,QACF,IACG,MAAM,GAAG,EACT,IAAI,CAAC,SAAS,KAAK,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,MAAM,CAAC,CAAC,EAC1D,KAAK,EAAE;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,oBAAkB;AAClB,SAAO;AACT;AAEA,MAAM,eAAe,CAAC,UACpB,MACG,QAAQ,UAAU,EAAE,EACpB,QAAQ,UAAU,GAAG,EACrB,QAAQ,QAAQ,GAAG,EACnB,YAAY;AAEjB,MAAM,mBAAmB,CAAC,UAA0B;AAClD,MAAI,MAAM,SAAS,KAAK,EAAG,QAAO,GAAG,MAAM,MAAM,GAAG,EAAE,CAAC;AACvD,MAAI,MAAM,SAAS,GAAG,EAAG,QAAO,MAAM,MAAM,GAAG,EAAE;AACjD,SAAO;AACT;AAEO,SAAS,4BAA4B,MAAsD;AAChG,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,aAAa;AAAA,IAChB,KAAa;AAAA,IACd,KAAK;AAAA,IACJ,KAAa;AAAA,IACb,KAAa;AAAA,EAChB,EAAE,OAAO,OAAO;AAEhB,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,aAAa,GAAG;AACnC,UAAM,WAAW,iBAAiB,UAAU;AAC5C,UAAM,QAAQ,QAAQ,GAAG;AACzB,UAAM,gBAAgB,iBAAiB,KAAK;AAC5C,UAAM,WAAW;AAAA,MACf;AAAA,MACA;AAAA,MACA,WAAW,QAAQ,MAAM,EAAE;AAAA;AAAA,MAC3B,SAAS,QAAQ,MAAM,EAAE;AAAA,MACzB;AAAA,MACA;AAAA,IACF;AACA,UAAM,SAAS,kBAAkB;AACjC,eAAW,aAAa,UAAU;AAChC,UAAI,CAAC,UAAW;AAChB,YAAM,KAAK,OAAO,IAAI,SAAS;AAC/B,UAAI,GAAI,QAAO;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/lib/encryption/find.js

@@ -0,0 +1,45 @@
+import { decryptEntitiesWithFallbackScope } from "./subscriber.js";
+async function findWithDecryption(em, entityName, where, options, scope) {
+  const records = await em.find(entityName, where, options);
+  if (!Array.isArray(records) || records.length === 0) return records ?? [];
+  await decryptEntitiesWithFallbackScope(records, {
+    em,
+    tenantId: scope?.tenantId ?? null,
+    organizationId: scope?.organizationId ?? null,
+    encryptionService: scope?.encryptionService ?? null
+  });
+  return records;
+}
+async function findOneWithDecryption(em, entityName, where, options, scope) {
+  const record = await em.findOne(entityName, where, options);
+  if (!record) return record;
+  await decryptEntitiesWithFallbackScope(record, {
+    em,
+    tenantId: scope?.tenantId ?? null,
+    organizationId: scope?.organizationId ?? null,
+    encryptionService: scope?.encryptionService ?? null
+  });
+  return record;
+}
+async function findAndCountWithDecryption(em, entityName, where, options, scope) {
+  const [recordsRaw, count] = await em.findAndCount(
+    entityName,
+    where,
+    options
+  );
+  const records = Array.isArray(recordsRaw) ? recordsRaw : [];
+  if (!records.length) return [records, count];
+  await decryptEntitiesWithFallbackScope(records, {
+    em,
+    tenantId: scope?.tenantId ?? null,
+    organizationId: scope?.organizationId ?? null,
+    encryptionService: scope?.encryptionService ?? null
+  });
+  return [records, count];
+}
+export {
+  findAndCountWithDecryption,
+  findOneWithDecryption,
+  findWithDecryption
+};
+//# sourceMappingURL=find.js.map

package/dist/lib/encryption/find.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/find.ts"],
+  "sourcesContent": ["import type {\n  EntityManager,\n  EntityName,\n  FilterQuery,\n  FindOneOptions,\n  FindOptions,\n} from '@mikro-orm/postgresql'\nimport { decryptEntitiesWithFallbackScope } from './subscriber'\nimport type { TenantDataEncryptionService } from './tenantDataEncryptionService'\n\nexport type DecryptionScope = {\n  tenantId?: string | null\n  organizationId?: string | null\n  encryptionService?: TenantDataEncryptionService | null\n}\n\ntype AnyFindOptions<Entity extends object, Hint extends string = any> = FindOptions<Entity, Hint, any, any>\ntype AnyFindOneOptions<Entity extends object, Hint extends string = any> = FindOneOptions<Entity, Hint, any, any>\n\nexport async function findWithDecryption<Entity extends object, Hint extends string = any>(\n  em: EntityManager,\n  entityName: EntityName<Entity>,\n  where: FilterQuery<Entity>,\n  options?: AnyFindOptions<Entity, Hint>,\n  scope?: DecryptionScope,\n): Promise<Entity[]> {\n  const records = (await em.find<Entity, Hint, any, any>(entityName as any, where as any, options as any)) as any as\n    | Entity[]\n    | undefined\n  if (!Array.isArray(records) || records.length === 0) return records ?? []\n  await decryptEntitiesWithFallbackScope(records, {\n    em,\n    tenantId: scope?.tenantId ?? null,\n    organizationId: scope?.organizationId ?? null,\n    encryptionService: scope?.encryptionService ?? null,\n  })\n  return records\n}\n\nexport async function findOneWithDecryption<Entity extends object, Hint extends string = any>(\n  em: EntityManager,\n  entityName: EntityName<Entity>,\n  where: FilterQuery<Entity>,\n  options?: AnyFindOneOptions<Entity, Hint>,\n  scope?: DecryptionScope,\n): Promise<Entity | null> {\n  const record = (await em.findOne<Entity, Hint, any, any>(entityName as any, where as any, options as any)) as any as\n    | Entity\n    | null\n  if (!record) return record\n  await decryptEntitiesWithFallbackScope(record, {\n    em,\n    tenantId: scope?.tenantId ?? null,\n    organizationId: scope?.organizationId ?? null,\n    encryptionService: scope?.encryptionService ?? null,\n  })\n  return record\n}\n\nexport async function findAndCountWithDecryption<Entity extends object, Hint extends string = any>(\n  em: EntityManager,\n  entityName: EntityName<Entity>,\n  where: FilterQuery<Entity>,\n  options?: AnyFindOptions<Entity, Hint>,\n  scope?: DecryptionScope,\n): Promise<[Entity[], number]> {\n  const [recordsRaw, count] = await em.findAndCount<Entity, Hint, any, any>(\n    entityName as any,\n    where as any,\n    options as any,\n  ) as any as [Entity[] | undefined, number]\n  const records = Array.isArray(recordsRaw) ? recordsRaw : []\n  if (!records.length) return [records, count]\n  await decryptEntitiesWithFallbackScope(records, {\n    em,\n    tenantId: scope?.tenantId ?? null,\n    organizationId: scope?.organizationId ?? null,\n    encryptionService: scope?.encryptionService ?? null,\n  })\n  return [records, count]\n}\n"],
+  "mappings": "AAOA,SAAS,wCAAwC;AAYjD,eAAsB,mBACpB,IACA,YACA,OACA,SACA,OACmB;AACnB,QAAM,UAAW,MAAM,GAAG,KAA6B,YAAmB,OAAc,OAAc;AAGtG,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,WAAW,EAAG,QAAO,WAAW,CAAC;AACxE,QAAM,iCAAiC,SAAS;AAAA,IAC9C;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,mBAAmB,OAAO,qBAAqB;AAAA,EACjD,CAAC;AACD,SAAO;AACT;AAEA,eAAsB,sBACpB,IACA,YACA,OACA,SACA,OACwB;AACxB,QAAM,SAAU,MAAM,GAAG,QAAgC,YAAmB,OAAc,OAAc;AAGxG,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,iCAAiC,QAAQ;AAAA,IAC7C;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,mBAAmB,OAAO,qBAAqB;AAAA,EACjD,CAAC;AACD,SAAO;AACT;AAEA,eAAsB,2BACpB,IACA,YACA,OACA,SACA,OAC6B;AAC7B,QAAM,CAAC,YAAY,KAAK,IAAI,MAAM,GAAG;AAAA,IACnC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,MAAM,QAAQ,UAAU,IAAI,aAAa,CAAC;AAC1D,MAAI,CAAC,QAAQ,OAAQ,QAAO,CAAC,SAAS,KAAK;AAC3C,QAAM,iCAAiC,SAAS;AAAA,IAC9C;AAAA,IACA,UAAU,OAAO,YAAY;AAAA,IAC7B,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,mBAAmB,OAAO,qBAAqB;AAAA,EACjD,CAAC;AACD,SAAO,CAAC,SAAS,KAAK;AACxB;",
+  "names": []
+}

package/dist/lib/encryption/indexDoc.js

@@ -0,0 +1,69 @@
+import { decryptCustomFieldValue } from "./customFieldValues.js";
+async function decryptValue(value, scope, service, cache) {
+  if (Array.isArray(value)) {
+    return Promise.all(value.map((entry) => decryptCustomFieldValue(entry, scope.tenantId, service, cache)));
+  }
+  return decryptCustomFieldValue(value, scope.tenantId, service, cache);
+}
+async function decryptIndexDocCustomFields(doc, scope, service, cache) {
+  const keys = Object.keys(doc).filter((key) => key.startsWith("cf:") || key.startsWith("cf_"));
+  if (!keys.length) return doc;
+  const working = { ...doc };
+  await Promise.all(
+    keys.map(async (key) => {
+      try {
+        working[key] = await decryptValue(working[key], scope, service, cache);
+      } catch {
+      }
+    })
+  );
+  return working;
+}
+async function decryptIndexDocForSearch(entityId, doc, scope, service, cache) {
+  if (!service || typeof service.decryptEntityPayload !== "function") {
+    return decryptIndexDocCustomFields(doc, scope, service, cache);
+  }
+  if (service.isEnabled?.() === false) {
+    return decryptIndexDocCustomFields(doc, scope, service, cache);
+  }
+  let working = doc;
+  const decryptEntity = async (targetEntityId) => {
+    const decrypted = await service.decryptEntityPayload(
+      targetEntityId,
+      working,
+      scope.tenantId ?? null,
+      scope.organizationId ?? null
+    );
+    working = { ...working, ...decrypted };
+  };
+  await decryptEntity(entityId);
+  if (entityId === "customers:customer_person_profile" || entityId === "customers:customer_company_profile") {
+    await decryptEntity("customers:customer_entity");
+  }
+  return decryptIndexDocCustomFields(working, scope, service, cache);
+}
+async function encryptIndexDocForStorage(entityId, doc, scope, service) {
+  if (!service || typeof service.encryptEntityPayload !== "function") return doc;
+  if (service.isEnabled?.() === false) return doc;
+  let working = doc;
+  const encryptEntity = async (targetEntityId) => {
+    const encrypted = await service.encryptEntityPayload(
+      targetEntityId,
+      working,
+      scope.tenantId ?? null,
+      scope.organizationId ?? null
+    );
+    working = { ...working, ...encrypted };
+  };
+  await encryptEntity(entityId);
+  if (entityId === "customers:customer_person_profile" || entityId === "customers:customer_company_profile") {
+    await encryptEntity("customers:customer_entity");
+  }
+  return working;
+}
+export {
+  decryptIndexDocCustomFields,
+  decryptIndexDocForSearch,
+  encryptIndexDocForStorage
+};
+//# sourceMappingURL=indexDoc.js.map

package/dist/lib/encryption/indexDoc.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/indexDoc.ts"],
+  "sourcesContent": ["import { decryptCustomFieldValue } from './customFieldValues'\nimport type { TenantDataEncryptionService } from './tenantDataEncryptionService'\n\nexport type IndexDocScope = {\n  tenantId: string | null\n  organizationId?: string | null\n}\n\nasync function decryptValue(\n  value: unknown,\n  scope: IndexDocScope,\n  service: TenantDataEncryptionService | null,\n  cache?: Map<string | null, string | null>,\n): Promise<unknown> {\n  if (Array.isArray(value)) {\n    return Promise.all(value.map((entry) => decryptCustomFieldValue(entry, scope.tenantId, service, cache)))\n  }\n  return decryptCustomFieldValue(value, scope.tenantId, service, cache)\n}\n\nexport async function decryptIndexDocCustomFields(\n  doc: Record<string, unknown>,\n  scope: IndexDocScope,\n  service: TenantDataEncryptionService | null,\n  cache?: Map<string | null, string | null>,\n): Promise<Record<string, unknown>> {\n  // HybridQueryEngine aliases cf keys as `cf_<key>` (sanitized), while index docs use `cf:<key>`.\n  // Support both shapes to keep decryption consistent across query paths.\n  const keys = Object.keys(doc).filter((key) => key.startsWith('cf:') || key.startsWith('cf_'))\n  if (!keys.length) return doc\n\n  const working: Record<string, unknown> = { ...doc }\n  await Promise.all(\n    keys.map(async (key) => {\n      try {\n        working[key] = await decryptValue(working[key], scope, service, cache)\n      } catch {\n        // ignore; keep original value\n      }\n    }),\n  )\n  return working\n}\n\nexport async function decryptIndexDocForSearch(\n  entityId: string,\n  doc: Record<string, unknown>,\n  scope: IndexDocScope,\n  service: TenantDataEncryptionService | null,\n  cache?: Map<string | null, string | null>,\n): Promise<Record<string, unknown>> {\n  if (!service || typeof service.decryptEntityPayload !== 'function') {\n    return decryptIndexDocCustomFields(doc, scope, service, cache)\n  }\n  if (service.isEnabled?.() === false) {\n    return decryptIndexDocCustomFields(doc, scope, service, cache)\n  }\n\n  let working: Record<string, unknown> = doc\n  const decryptEntity = async (targetEntityId: string) => {\n    const decrypted = await service.decryptEntityPayload(\n      targetEntityId,\n      working,\n      scope.tenantId ?? null,\n      scope.organizationId ?? null,\n    )\n    working = { ...working, ...decrypted }\n  }\n\n  await decryptEntity(entityId)\n  if (entityId === 'customers:customer_person_profile' || entityId === 'customers:customer_company_profile') {\n    await decryptEntity('customers:customer_entity')\n  }\n\n  return decryptIndexDocCustomFields(working, scope, service, cache)\n}\n\nexport async function encryptIndexDocForStorage(\n  entityId: string,\n  doc: Record<string, unknown>,\n  scope: IndexDocScope,\n  service: TenantDataEncryptionService | null,\n): Promise<Record<string, unknown>> {\n  if (!service || typeof service.encryptEntityPayload !== 'function') return doc\n  if (service.isEnabled?.() === false) return doc\n\n  let working: Record<string, unknown> = doc\n  const encryptEntity = async (targetEntityId: string) => {\n    const encrypted = await service.encryptEntityPayload(\n      targetEntityId,\n      working,\n      scope.tenantId ?? null,\n      scope.organizationId ?? null,\n    )\n    working = { ...working, ...encrypted }\n  }\n\n  await encryptEntity(entityId)\n  if (entityId === 'customers:customer_person_profile' || entityId === 'customers:customer_company_profile') {\n    await encryptEntity('customers:customer_entity')\n  }\n\n  return working\n}\n"],
+  "mappings": "AAAA,SAAS,+BAA+B;AAQxC,eAAe,aACb,OACA,OACA,SACA,OACkB;AAClB,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,QAAQ,IAAI,MAAM,IAAI,CAAC,UAAU,wBAAwB,OAAO,MAAM,UAAU,SAAS,KAAK,CAAC,CAAC;AAAA,EACzG;AACA,SAAO,wBAAwB,OAAO,MAAM,UAAU,SAAS,KAAK;AACtE;AAEA,eAAsB,4BACpB,KACA,OACA,SACA,OACkC;AAGlC,QAAM,OAAO,OAAO,KAAK,GAAG,EAAE,OAAO,CAAC,QAAQ,IAAI,WAAW,KAAK,KAAK,IAAI,WAAW,KAAK,CAAC;AAC5F,MAAI,CAAC,KAAK,OAAQ,QAAO;AAEzB,QAAM,UAAmC,EAAE,GAAG,IAAI;AAClD,QAAM,QAAQ;AAAA,IACZ,KAAK,IAAI,OAAO,QAAQ;AACtB,UAAI;AACF,gBAAQ,GAAG,IAAI,MAAM,aAAa,QAAQ,GAAG,GAAG,OAAO,SAAS,KAAK;AAAA,MACvE,QAAQ;AAAA,MAER;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,eAAsB,yBACpB,UACA,KACA,OACA,SACA,OACkC;AAClC,MAAI,CAAC,WAAW,OAAO,QAAQ,yBAAyB,YAAY;AAClE,WAAO,4BAA4B,KAAK,OAAO,SAAS,KAAK;AAAA,EAC/D;AACA,MAAI,QAAQ,YAAY,MAAM,OAAO;AACnC,WAAO,4BAA4B,KAAK,OAAO,SAAS,KAAK;AAAA,EAC/D;AAEA,MAAI,UAAmC;AACvC,QAAM,gBAAgB,OAAO,mBAA2B;AACtD,UAAM,YAAY,MAAM,QAAQ;AAAA,MAC9B;AAAA,MACA;AAAA,MACA,MAAM,YAAY;AAAA,MAClB,MAAM,kBAAkB;AAAA,IAC1B;AACA,cAAU,EAAE,GAAG,SAAS,GAAG,UAAU;AAAA,EACvC;AAEA,QAAM,cAAc,QAAQ;AAC5B,MAAI,aAAa,uCAAuC,aAAa,sCAAsC;AACzG,UAAM,cAAc,2BAA2B;AAAA,EACjD;AAEA,SAAO,4BAA4B,SAAS,OAAO,SAAS,KAAK;AACnE;AAEA,eAAsB,0BACpB,UACA,KACA,OACA,SACkC;AAClC,MAAI,CAAC,WAAW,OAAO,QAAQ,yBAAyB,WAAY,QAAO;AAC3E,MAAI,QAAQ,YAAY,MAAM,MAAO,QAAO;AAE5C,MAAI,UAAmC;AACvC,QAAM,gBAAgB,OAAO,mBAA2B;AACtD,UAAM,YAAY,MAAM,QAAQ;AAAA,MAC9B;AAAA,MACA;AAAA,MACA,MAAM,YAAY;AAAA,MAClB,MAAM,kBAAkB;AAAA,IAC1B;AACA,cAAU,EAAE,GAAG,SAAS,GAAG,UAAU;AAAA,EACvC;AAEA,QAAM,cAAc,QAAQ;AAC5B,MAAI,aAAa,uCAAuC,aAAa,sCAAsC;AACzG,UAAM,cAAc,2BAA2B;AAAA,EACjD;AAEA,SAAO;AACT;",
+  "names": []
+}