@open-mercato/shared 0.4.2-canary-c02407ff85

package/dist/lib/encryption/kms.js

@@ -0,0 +1,282 @@
+import crypto from "node:crypto";
+import { generateDek, hashForLookup } from "./aes.js";
+import { isEncryptionDebugEnabled, isTenantDataEncryptionEnabled } from "./toggles.js";
+class FallbackKmsService {
+  constructor(primary, fallback, onFallback) {
+    this.primary = primary;
+    this.fallback = fallback;
+    this.onFallback = onFallback;
+    this.notified = false;
+  }
+  isHealthy() {
+    return this.primary.isHealthy() || Boolean(this.fallback?.isHealthy?.());
+  }
+  notifyFallback() {
+    if (this.notified) return;
+    this.notified = true;
+    this.onFallback?.();
+  }
+  async fromPrimary(op) {
+    try {
+      return await op();
+    } catch (err) {
+      console.warn("\u26A0\uFE0F [encryption][kms] Primary KMS failed, will try fallback", {
+        error: err?.message || String(err)
+      });
+      return null;
+    }
+  }
+  async getTenantDek(tenantId) {
+    if (this.primary.isHealthy()) {
+      const dek = await this.fromPrimary(() => this.primary.getTenantDek(tenantId));
+      if (dek) return dek;
+    }
+    if (this.fallback?.isHealthy()) {
+      this.notifyFallback();
+      return this.fallback.getTenantDek(tenantId);
+    }
+    return null;
+  }
+  async createTenantDek(tenantId) {
+    if (this.primary.isHealthy()) {
+      const dek = await this.fromPrimary(() => this.primary.createTenantDek(tenantId));
+      if (dek) return dek;
+    }
+    if (this.fallback?.isHealthy()) {
+      this.notifyFallback();
+      return this.fallback.createTenantDek(tenantId);
+    }
+    return null;
+  }
+}
+function normalizeEnv(value) {
+  if (!value) return "";
+  return value.trim().replace(/^['"]|['"]$/g, "");
+}
+function resolveDerivedKeySecret() {
+  const candidates = [
+    { value: process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY ?? null, envName: "TENANT_DATA_ENCRYPTION_FALLBACK_KEY" },
+    { value: process.env.TENANT_DATA_ENCRYPTION_KEY ?? null, envName: "TENANT_DATA_ENCRYPTION_KEY" },
+    { value: process.env.AUTH_SECRET ?? null, envName: "AUTH_SECRET" },
+    { value: process.env.NEXTAUTH_SECRET ?? null, envName: "NEXTAUTH_SECRET" }
+  ];
+  for (const raw of candidates) {
+    const normalized = normalizeEnv(raw.value ?? void 0);
+    if (normalized) return { secret: normalized, source: "explicit", envName: raw.envName };
+  }
+  if (process.env.NODE_ENV !== "production") {
+    return { secret: "om-dev-tenant-encryption", source: "dev-default", envName: "DEV_DEFAULT" };
+  }
+  return null;
+}
+class NoopKmsService {
+  isHealthy() {
+    return !isTenantDataEncryptionEnabled();
+  }
+  async getTenantDek() {
+    return null;
+  }
+  async createTenantDek() {
+    return null;
+  }
+}
+class DerivedKmsService {
+  constructor(secret) {
+    this.root = crypto.createHash("sha256").update(secret).digest();
+  }
+  isHealthy() {
+    return true;
+  }
+  deriveKey(tenantId) {
+    const iterations = 31e4;
+    const keyLength = 32;
+    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, "sha512");
+    return derived.toString("base64");
+  }
+  async getTenantDek(tenantId) {
+    if (!tenantId) return null;
+    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() };
+  }
+  async createTenantDek(tenantId) {
+    return this.getTenantDek(tenantId);
+  }
+}
+class HashicorpVaultKmsService {
+  constructor(opts = {}) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.healthy = true;
+    this.vaultAddr = normalizeEnv(opts.vaultAddr || process.env.VAULT_ADDR || "");
+    this.vaultToken = normalizeEnv(opts.vaultToken || process.env.VAULT_TOKEN || "");
+    this.mountPath = (opts.mountPath || process.env.VAULT_KV_PATH || "secret/data").replace(/\/+$/, "");
+    this.ttlMs = opts.ttlMs ?? 15 * 60 * 1e3;
+    this.debugEnabled = isEncryptionDebugEnabled();
+    if (!this.vaultAddr || !this.vaultToken) {
+      this.healthy = false;
+      if (this.debugEnabled) {
+        console.warn("\u26A0\uFE0F [encryption][kms] Vault misconfigured (missing VAULT_ADDR or VAULT_TOKEN)");
+      }
+    }
+    if (this.healthy && !HashicorpVaultKmsService.loggedInit && this.debugEnabled) {
+      HashicorpVaultKmsService.loggedInit = true;
+      if (this.debugEnabled) {
+        console.info("\u{1F510} [encryption][kms] Hashicorp Vault KMS enabled");
+      }
+    }
+  }
+  static {
+    this.loggedInit = false;
+  }
+  isHealthy() {
+    return this.healthy;
+  }
+  now() {
+    return Date.now();
+  }
+  cacheHit(tenantId) {
+    const entry = this.cache.get(tenantId);
+    if (!entry) return null;
+    if (this.now() - entry.fetchedAt > this.ttlMs) {
+      this.cache.delete(tenantId);
+      return null;
+    }
+    return entry;
+  }
+  async readVault(path) {
+    if (!this.vaultAddr || !this.vaultToken) {
+      this.healthy = false;
+      return null;
+    }
+    try {
+      const res = await fetch(`${this.vaultAddr}/v1/${path}`, {
+        method: "GET",
+        headers: { "X-Vault-Token": this.vaultToken }
+      });
+      if (!res.ok) {
+        this.healthy = res.status < 500;
+        console.warn("\u26A0\uFE0F [encryption][kms] Vault read failed", { path, status: res.status });
+        return null;
+      }
+      if (this.debugEnabled) {
+        console.info("\u{1F50D} [encryption][kms] Vault read ok", { path });
+      }
+      return await res.json();
+    } catch (err) {
+      this.healthy = false;
+      console.warn("\u26A0\uFE0F [encryption][kms] Vault read error", { path, error: err?.message || String(err) });
+      return null;
+    }
+  }
+  async writeVault(path, key) {
+    if (!this.vaultAddr || !this.vaultToken) {
+      this.healthy = false;
+      return false;
+    }
+    try {
+      const res = await fetch(`${this.vaultAddr}/v1/${path}`, {
+        method: "POST",
+        headers: {
+          "X-Vault-Token": this.vaultToken,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({ data: { key } })
+      });
+      this.healthy = res.ok;
+      if (!res.ok) {
+        console.warn("\u26A0\uFE0F [encryption][kms] Vault write failed", { path, status: res.status });
+      }
+      return res.ok;
+    } catch (err) {
+      this.healthy = false;
+      console.warn("\u26A0\uFE0F [encryption][kms] Vault write error", { path, error: err?.message || String(err) });
+      return false;
+    }
+  }
+  buildKeyPath(tenantId) {
+    const suffix = `tenant_key_${tenantId}`;
+    const normalizedMount = this.mountPath.replace(/^\/+/, "");
+    return `${normalizedMount}/${suffix}`;
+  }
+  remember(entry) {
+    this.cache.set(entry.tenantId, entry);
+    return entry;
+  }
+  async getTenantDek(tenantId) {
+    const cached = this.cacheHit(tenantId);
+    if (cached) return cached;
+    const path = this.buildKeyPath(tenantId);
+    const res = await this.readVault(path);
+    const key = res?.data?.data?.key;
+    if (!key) {
+      console.warn("\u26A0\uFE0F [encryption][kms] No tenant DEK found in Vault", { tenantId, path });
+      return null;
+    }
+    const dek = { tenantId, key, fetchedAt: this.now() };
+    return this.remember(dek);
+  }
+  async createTenantDek(tenantId) {
+    const key = generateDek();
+    const path = this.buildKeyPath(tenantId);
+    const ok = await this.writeVault(path, key);
+    if (ok) {
+      console.info("\u{1F511} [encryption][kms] Stored tenant DEK in Vault", { tenantId, path });
+    } else {
+      console.warn("\u26A0\uFE0F [encryption][kms] Failed to store tenant DEK in Vault", { tenantId, path });
+    }
+    if (!ok) return null;
+    return this.remember({ tenantId, key, fetchedAt: this.now() });
+  }
+}
+let loggedDerivedKeyFallbackBanner = false;
+function logDerivedKeyFallbackBanner(opts) {
+  if (process.env.NODE_ENV === "test" || loggedDerivedKeyFallbackBanner) return;
+  loggedDerivedKeyFallbackBanner = true;
+  const redBg = "\x1B[41m";
+  const white = "\x1B[97m";
+  const reset = "\x1B[0m";
+  const width = 110;
+  const border = `${redBg}${white}${"\u2501".repeat(width)}${reset}`;
+  const isProduction = process.env.NODE_ENV === "production";
+  const sourceLine = opts.source === "explicit" ? `Source: ${opts.envName}` : "Source: dev default secret (do NOT use in production)";
+  const body = [
+    "\u{1F6A8} Using derived tenant encryption keys (Vault unavailable / no DEK)",
+    sourceLine,
+    isProduction ? "Secret: [redacted in production]" : `Secret: ${opts.secret}`,
+    "Persist this secret securely. Without it, encrypted tenant data cannot be recovered after restart."
+  ];
+  console.warn(border);
+  for (const line of body) {
+    const padded = line.padEnd(width - 2, " ");
+    console.warn(`${redBg}${white} ${padded} ${reset}`);
+  }
+  console.warn(border);
+}
+function createKmsService() {
+  if (!isTenantDataEncryptionEnabled()) return new NoopKmsService();
+  const primary = new HashicorpVaultKmsService();
+  const derived = resolveDerivedKeySecret();
+  const fallback = derived ? new DerivedKmsService(derived.secret) : null;
+  const notifyFallback = derived ? () => {
+    logDerivedKeyFallbackBanner(derived);
+  } : void 0;
+  if (!primary.isHealthy()) {
+    if (fallback) {
+      notifyFallback?.();
+      return fallback;
+    }
+    console.warn(
+      "\u26A0\uFE0F [encryption][kms] Vault not healthy or misconfigured (missing VAULT_ADDR/VAULT_TOKEN) and no fallback secret provided; falling back to noop KMS"
+    );
+    return new NoopKmsService();
+  }
+  if (fallback) {
+    return new FallbackKmsService(primary, fallback, notifyFallback);
+  }
+  return primary;
+}
+export {
+  HashicorpVaultKmsService,
+  NoopKmsService,
+  createKmsService,
+  hashForLookup
+};
+//# sourceMappingURL=kms.js.map

package/dist/lib/encryption/kms.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/encryption/kms.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\nimport { generateDek, hashForLookup } from './aes'\nimport { isEncryptionDebugEnabled, isTenantDataEncryptionEnabled } from './toggles'\n\nexport type TenantDek = {\n  tenantId: string\n  key: string // base64\n  fetchedAt: number\n}\n\nexport interface KmsService {\n  getTenantDek(tenantId: string): Promise<TenantDek | null>\n  createTenantDek(tenantId: string): Promise<TenantDek | null>\n  isHealthy(): boolean\n}\n\nclass FallbackKmsService implements KmsService {\n  private notified = false\n  constructor(\n    private readonly primary: KmsService,\n    private readonly fallback: KmsService | null,\n    private readonly onFallback?: () => void,\n  ) {}\n\n  isHealthy(): boolean {\n    return this.primary.isHealthy() || Boolean(this.fallback?.isHealthy?.())\n  }\n\n  private notifyFallback() {\n    if (this.notified) return\n    this.notified = true\n    this.onFallback?.()\n  }\n\n  private async fromPrimary<T>(op: () => Promise<T | null>): Promise<T | null> {\n    try {\n      return await op()\n    } catch (err) {\n      console.warn('\u26A0\uFE0F [encryption][kms] Primary KMS failed, will try fallback', {\n        error: (err as Error)?.message || String(err),\n      })\n      return null\n    }\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (this.primary.isHealthy()) {\n      const dek = await this.fromPrimary(() => this.primary.getTenantDek(tenantId))\n      if (dek) return dek\n    }\n    if (this.fallback?.isHealthy()) {\n      this.notifyFallback()\n      return this.fallback.getTenantDek(tenantId)\n    }\n    return null\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (this.primary.isHealthy()) {\n      const dek = await this.fromPrimary(() => this.primary.createTenantDek(tenantId))\n      if (dek) return dek\n    }\n    if (this.fallback?.isHealthy()) {\n      this.notifyFallback()\n      return this.fallback.createTenantDek(tenantId)\n    }\n    return null\n  }\n}\n\ntype VaultClientOpts = {\n  vaultAddr?: string\n  vaultToken?: string\n  mountPath?: string\n  ttlMs?: number\n}\n\ntype VaultReadResponse = {\n  data?: { data?: { key?: string; version?: number }; metadata?: Record<string, unknown> }\n}\n\nfunction normalizeEnv(value: string | undefined): string {\n  if (!value) return ''\n  return value.trim().replace(/^['\"]|['\"]$/g, '')\n}\n\ntype DerivedSecret = { secret: string; source: 'explicit' | 'dev-default'; envName: string }\n\nfunction resolveDerivedKeySecret(): DerivedSecret | null {\n  const candidates: Array<{ value: string | null; envName: string }> = [\n    { value: process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY ?? null, envName: 'TENANT_DATA_ENCRYPTION_FALLBACK_KEY' },\n    { value: process.env.TENANT_DATA_ENCRYPTION_KEY ?? null, envName: 'TENANT_DATA_ENCRYPTION_KEY' },\n    { value: process.env.AUTH_SECRET ?? null, envName: 'AUTH_SECRET' },\n    { value: process.env.NEXTAUTH_SECRET ?? null, envName: 'NEXTAUTH_SECRET' },\n  ]\n  for (const raw of candidates) {\n    const normalized = normalizeEnv(raw.value ?? undefined)\n    if (normalized) return { secret: normalized, source: 'explicit', envName: raw.envName }\n  }\n  if (process.env.NODE_ENV !== 'production') {\n    return { secret: 'om-dev-tenant-encryption', source: 'dev-default', envName: 'DEV_DEFAULT' }\n  }\n  return null\n}\n\nexport class NoopKmsService implements KmsService {\n  isHealthy(): boolean { return !isTenantDataEncryptionEnabled() }\n  async getTenantDek(): Promise<TenantDek | null> { return null }\n  async createTenantDek(): Promise<TenantDek | null> { return null }\n}\n\nclass DerivedKmsService implements KmsService {\n  private root: Buffer\n  constructor(secret: string) {\n    // Derive a stable root key from the provided secret so derived tenant keys are deterministic\n    this.root = crypto.createHash('sha256').update(secret).digest()\n  }\n\n  isHealthy(): boolean {\n    return true\n  }\n\n  private deriveKey(tenantId: string): string {\n    const iterations = 310_000\n    const keyLength = 32\n    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, 'sha512')\n    return derived.toString('base64')\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (!tenantId) return null\n    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() }\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    return this.getTenantDek(tenantId)\n  }\n}\n\nexport class HashicorpVaultKmsService implements KmsService {\n  private cache = new Map<string, TenantDek>()\n  private readonly vaultAddr: string\n  private readonly vaultToken: string\n  private readonly mountPath: string\n  private readonly ttlMs: number\n  private healthy = true\n  private readonly debugEnabled: boolean\n  private static loggedInit = false\n\n  constructor(opts: VaultClientOpts = {}) {\n    this.vaultAddr = normalizeEnv(opts.vaultAddr || process.env.VAULT_ADDR || '')\n    this.vaultToken = normalizeEnv(opts.vaultToken || process.env.VAULT_TOKEN || '')\n    this.mountPath = (opts.mountPath || process.env.VAULT_KV_PATH || 'secret/data').replace(/\\/+$/, '')\n    this.ttlMs = opts.ttlMs ?? 15 * 60 * 1000\n    this.debugEnabled = isEncryptionDebugEnabled()\n    if (!this.vaultAddr || !this.vaultToken) {\n      this.healthy = false\n      if (this.debugEnabled) {\n        console.warn('\u26A0\uFE0F [encryption][kms] Vault misconfigured (missing VAULT_ADDR or VAULT_TOKEN)')\n      }\n    }\n    if (this.healthy && !HashicorpVaultKmsService.loggedInit && this.debugEnabled) {\n      HashicorpVaultKmsService.loggedInit = true\n      if(this.debugEnabled) {\n        console.info('\uD83D\uDD10 [encryption][kms] Hashicorp Vault KMS enabled')\n      }\n    }\n  }\n\n  isHealthy(): boolean {\n    return this.healthy\n  }\n\n  private now(): number {\n    return Date.now()\n  }\n\n  private cacheHit(tenantId: string): TenantDek | null {\n    const entry = this.cache.get(tenantId)\n    if (!entry) return null\n    if (this.now() - entry.fetchedAt > this.ttlMs) {\n      this.cache.delete(tenantId)\n      return null\n    }\n    return entry\n  }\n\n  private async readVault(path: string): Promise<VaultReadResponse | null> {\n    if (!this.vaultAddr || !this.vaultToken) {\n      this.healthy = false\n      return null\n    }\n    try {\n      const res = await fetch(`${this.vaultAddr}/v1/${path}`, {\n        method: 'GET',\n        headers: { 'X-Vault-Token': this.vaultToken },\n      })\n      if (!res.ok) {\n        this.healthy = res.status < 500\n        console.warn('\u26A0\uFE0F [encryption][kms] Vault read failed', { path, status: res.status })\n        return null\n      }\n      if (this.debugEnabled) {\n        console.info('\uD83D\uDD0D [encryption][kms] Vault read ok', { path })\n      }\n      return (await res.json()) as VaultReadResponse\n    } catch (err) {\n      this.healthy = false\n      console.warn('\u26A0\uFE0F [encryption][kms] Vault read error', { path, error: (err as Error)?.message || String(err) })\n      return null\n    }\n  }\n\n  private async writeVault(path: string, key: string): Promise<boolean> {\n    if (!this.vaultAddr || !this.vaultToken) {\n      this.healthy = false\n      return false\n    }\n    try {\n      const res = await fetch(`${this.vaultAddr}/v1/${path}`, {\n\n        method: 'POST',\n        headers: {\n          'X-Vault-Token': this.vaultToken,\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({ data: { key } }),\n      })\n      this.healthy = res.ok\n      if (!res.ok) {\n        console.warn('\u26A0\uFE0F [encryption][kms] Vault write failed', { path, status: res.status })\n      }\n      return res.ok\n    } catch (err) {\n      this.healthy = false\n      console.warn('\u26A0\uFE0F [encryption][kms] Vault write error', { path, error: (err as Error)?.message || String(err) })\n      return false\n    }\n  }\n\n  private buildKeyPath(tenantId: string): string {\n    const suffix = `tenant_key_${tenantId}`\n    const normalizedMount = this.mountPath.replace(/^\\/+/, '')\n    return `${normalizedMount}/${suffix}`\n  }\n\n  private remember(entry: TenantDek): TenantDek {\n    this.cache.set(entry.tenantId, entry)\n    return entry\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    const cached = this.cacheHit(tenantId)\n    if (cached) return cached\n    const path = this.buildKeyPath(tenantId)\n    const res = await this.readVault(path)\n    const key = res?.data?.data?.key\n    if (!key) {\n      console.warn('\u26A0\uFE0F [encryption][kms] No tenant DEK found in Vault', { tenantId, path })\n      return null\n    }\n    const dek: TenantDek = { tenantId, key, fetchedAt: this.now() }\n    return this.remember(dek)\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    const key = generateDek()\n    const path = this.buildKeyPath(tenantId)\n    const ok = await this.writeVault(path, key)\n    if (ok) {\n      console.info('\uD83D\uDD11 [encryption][kms] Stored tenant DEK in Vault', { tenantId, path })\n    } else {\n      console.warn('\u26A0\uFE0F [encryption][kms] Failed to store tenant DEK in Vault', { tenantId, path })\n    }\n    if (!ok) return null\n    return this.remember({ tenantId, key, fetchedAt: this.now() })\n  }\n}\n\nlet loggedDerivedKeyFallbackBanner = false\n\nfunction logDerivedKeyFallbackBanner(opts: DerivedSecret): void {\n  if (process.env.NODE_ENV === 'test' || loggedDerivedKeyFallbackBanner) return\n  loggedDerivedKeyFallbackBanner = true\n  const redBg = '\\x1b[41m'\n  const white = '\\x1b[97m'\n  const reset = '\\x1b[0m'\n  const width = 110\n  const border = `${redBg}${white}${'\u2501'.repeat(width)}${reset}`\n  const isProduction = process.env.NODE_ENV === 'production'\n  const sourceLine =\n    opts.source === 'explicit' ? `Source: ${opts.envName}` : 'Source: dev default secret (do NOT use in production)'\n  const body = [\n    '\uD83D\uDEA8 Using derived tenant encryption keys (Vault unavailable / no DEK)',\n    sourceLine,\n    isProduction ? 'Secret: [redacted in production]' : `Secret: ${opts.secret}`,\n    'Persist this secret securely. Without it, encrypted tenant data cannot be recovered after restart.',\n  ]\n  console.warn(border)\n  for (const line of body) {\n    const padded = line.padEnd(width - 2, ' ')\n    console.warn(`${redBg}${white} ${padded} ${reset}`)\n  }\n  console.warn(border)\n}\n\nexport function createKmsService(): KmsService {\n  if (!isTenantDataEncryptionEnabled()) return new NoopKmsService()\n  const primary = new HashicorpVaultKmsService()\n\n  const derived = resolveDerivedKeySecret()\n  const fallback = derived ? new DerivedKmsService(derived.secret) : null\n  const notifyFallback = derived\n    ? () => {\n        logDerivedKeyFallbackBanner(derived)\n      }\n    : undefined\n\n  if (!primary.isHealthy()) {\n    if (fallback) {\n      notifyFallback?.()\n      return fallback\n    }\n    console.warn(\n      '\u26A0\uFE0F [encryption][kms] Vault not healthy or misconfigured (missing VAULT_ADDR/VAULT_TOKEN) and no fallback secret provided; falling back to noop KMS',\n    )\n    return new NoopKmsService()\n  }\n\n  if (fallback) {\n    return new FallbackKmsService(primary, fallback, notifyFallback)\n  }\n\n  return primary\n}\n\nexport { hashForLookup }\n"],
+  "mappings": "AAAA,OAAO,YAAY;AACnB,SAAS,aAAa,qBAAqB;AAC3C,SAAS,0BAA0B,qCAAqC;AAcxE,MAAM,mBAAyC;AAAA,EAE7C,YACmB,SACA,UACA,YACjB;AAHiB;AACA;AACA;AAJnB,SAAQ,WAAW;AAAA,EAKhB;AAAA,EAEH,YAAqB;AACnB,WAAO,KAAK,QAAQ,UAAU,KAAK,QAAQ,KAAK,UAAU,YAAY,CAAC;AAAA,EACzE;AAAA,EAEQ,iBAAiB;AACvB,QAAI,KAAK,SAAU;AACnB,SAAK,WAAW;AAChB,SAAK,aAAa;AAAA,EACpB;AAAA,EAEA,MAAc,YAAe,IAAgD;AAC3E,QAAI;AACF,aAAO,MAAM,GAAG;AAAA,IAClB,SAAS,KAAK;AACZ,cAAQ,KAAK,wEAA8D;AAAA,QACzE,OAAQ,KAAe,WAAW,OAAO,GAAG;AAAA,MAC9C,CAAC;AACD,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,KAAK,QAAQ,UAAU,GAAG;AAC5B,YAAM,MAAM,MAAM,KAAK,YAAY,MAAM,KAAK,QAAQ,aAAa,QAAQ,CAAC;AAC5E,UAAI,IAAK,QAAO;AAAA,IAClB;AACA,QAAI,KAAK,UAAU,UAAU,GAAG;AAC9B,WAAK,eAAe;AACpB,aAAO,KAAK,SAAS,aAAa,QAAQ;AAAA,IAC5C;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,QAAI,KAAK,QAAQ,UAAU,GAAG;AAC5B,YAAM,MAAM,MAAM,KAAK,YAAY,MAAM,KAAK,QAAQ,gBAAgB,QAAQ,CAAC;AAC/E,UAAI,IAAK,QAAO;AAAA,IAClB;AACA,QAAI,KAAK,UAAU,UAAU,GAAG;AAC9B,WAAK,eAAe;AACpB,aAAO,KAAK,SAAS,gBAAgB,QAAQ;AAAA,IAC/C;AACA,WAAO;AAAA,EACT;AACF;AAaA,SAAS,aAAa,OAAmC;AACvD,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,MAAM,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAChD;AAIA,SAAS,0BAAgD;AACvD,QAAM,aAA+D;AAAA,IACnE,EAAE,OAAO,QAAQ,IAAI,uCAAuC,MAAM,SAAS,sCAAsC;AAAA,IACjH,EAAE,OAAO,QAAQ,IAAI,8BAA8B,MAAM,SAAS,6BAA6B;AAAA,IAC/F,EAAE,OAAO,QAAQ,IAAI,eAAe,MAAM,SAAS,cAAc;AAAA,IACjE,EAAE,OAAO,QAAQ,IAAI,mBAAmB,MAAM,SAAS,kBAAkB;AAAA,EAC3E;AACA,aAAW,OAAO,YAAY;AAC5B,UAAM,aAAa,aAAa,IAAI,SAAS,MAAS;AACtD,QAAI,WAAY,QAAO,EAAE,QAAQ,YAAY,QAAQ,YAAY,SAAS,IAAI,QAAQ;AAAA,EACxF;AACA,MAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,WAAO,EAAE,QAAQ,4BAA4B,QAAQ,eAAe,SAAS,cAAc;AAAA,EAC7F;AACA,SAAO;AACT;AAEO,MAAM,eAAqC;AAAA,EAChD,YAAqB;AAAE,WAAO,CAAC,8BAA8B;AAAA,EAAE;AAAA,EAC/D,MAAM,eAA0C;AAAE,WAAO;AAAA,EAAK;AAAA,EAC9D,MAAM,kBAA6C;AAAE,WAAO;AAAA,EAAK;AACnE;AAEA,MAAM,kBAAwC;AAAA,EAE5C,YAAY,QAAgB;AAE1B,SAAK,OAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,MAAM,EAAE,OAAO;AAAA,EAChE;AAAA,EAEA,YAAqB;AACnB,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,UAA0B;AAC1C,UAAM,aAAa;AACnB,UAAM,YAAY;AAClB,UAAM,UAAU,OAAO,WAAW,KAAK,MAAM,UAAU,YAAY,WAAW,QAAQ;AACtF,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,CAAC,SAAU,QAAO;AACtB,WAAO,EAAE,UAAU,KAAK,KAAK,UAAU,QAAQ,GAAG,WAAW,KAAK,IAAI,EAAE;AAAA,EAC1E;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,WAAO,KAAK,aAAa,QAAQ;AAAA,EACnC;AACF;AAEO,MAAM,yBAA+C;AAAA,EAU1D,YAAY,OAAwB,CAAC,GAAG;AATxC,SAAQ,QAAQ,oBAAI,IAAuB;AAK3C,SAAQ,UAAU;AAKhB,SAAK,YAAY,aAAa,KAAK,aAAa,QAAQ,IAAI,cAAc,EAAE;AAC5E,SAAK,aAAa,aAAa,KAAK,cAAc,QAAQ,IAAI,eAAe,EAAE;AAC/E,SAAK,aAAa,KAAK,aAAa,QAAQ,IAAI,iBAAiB,eAAe,QAAQ,QAAQ,EAAE;AAClG,SAAK,QAAQ,KAAK,SAAS,KAAK,KAAK;AACrC,SAAK,eAAe,yBAAyB;AAC7C,QAAI,CAAC,KAAK,aAAa,CAAC,KAAK,YAAY;AACvC,WAAK,UAAU;AACf,UAAI,KAAK,cAAc;AACrB,gBAAQ,KAAK,wFAA8E;AAAA,MAC7F;AAAA,IACF;AACA,QAAI,KAAK,WAAW,CAAC,yBAAyB,cAAc,KAAK,cAAc;AAC7E,+BAAyB,aAAa;AACtC,UAAG,KAAK,cAAc;AACpB,gBAAQ,KAAK,yDAAkD;AAAA,MACjE;AAAA,IACF;AAAA,EACF;AAAA,EApBA;AAAA,SAAe,aAAa;AAAA;AAAA,EAsB5B,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,MAAc;AACpB,WAAO,KAAK,IAAI;AAAA,EAClB;AAAA,EAEQ,SAAS,UAAoC;AACnD,UAAM,QAAQ,KAAK,MAAM,IAAI,QAAQ;AACrC,QAAI,CAAC,MAAO,QAAO;AACnB,QAAI,KAAK,IAAI,IAAI,MAAM,YAAY,KAAK,OAAO;AAC7C,WAAK,MAAM,OAAO,QAAQ;AAC1B,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,UAAU,MAAiD;AACvE,QAAI,CAAC,KAAK,aAAa,CAAC,KAAK,YAAY;AACvC,WAAK,UAAU;AACf,aAAO;AAAA,IACT;AACA,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,GAAG,KAAK,SAAS,OAAO,IAAI,IAAI;AAAA,QACtD,QAAQ;AAAA,QACR,SAAS,EAAE,iBAAiB,KAAK,WAAW;AAAA,MAC9C,CAAC;AACD,UAAI,CAAC,IAAI,IAAI;AACX,aAAK,UAAU,IAAI,SAAS;AAC5B,gBAAQ,KAAK,oDAA0C,EAAE,MAAM,QAAQ,IAAI,OAAO,CAAC;AACnF,eAAO;AAAA,MACT;AACA,UAAI,KAAK,cAAc;AACrB,gBAAQ,KAAK,6CAAsC,EAAE,KAAK,CAAC;AAAA,MAC7D;AACA,aAAQ,MAAM,IAAI,KAAK;AAAA,IACzB,SAAS,KAAK;AACZ,WAAK,UAAU;AACf,cAAQ,KAAK,mDAAyC,EAAE,MAAM,OAAQ,KAAe,WAAW,OAAO,GAAG,EAAE,CAAC;AAC7G,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,WAAW,MAAc,KAA+B;AACpE,QAAI,CAAC,KAAK,aAAa,CAAC,KAAK,YAAY;AACvC,WAAK,UAAU;AACf,aAAO;AAAA,IACT;AACA,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,GAAG,KAAK,SAAS,OAAO,IAAI,IAAI;AAAA,QAEtD,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,iBAAiB,KAAK;AAAA,UACtB,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAAA,MACxC,CAAC;AACD,WAAK,UAAU,IAAI;AACnB,UAAI,CAAC,IAAI,IAAI;AACX,gBAAQ,KAAK,qDAA2C,EAAE,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,MACtF;AACA,aAAO,IAAI;AAAA,IACb,SAAS,KAAK;AACZ,WAAK,UAAU;AACf,cAAQ,KAAK,oDAA0C,EAAE,MAAM,OAAQ,KAAe,WAAW,OAAO,GAAG,EAAE,CAAC;AAC9G,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,aAAa,UAA0B;AAC7C,UAAM,SAAS,cAAc,QAAQ;AACrC,UAAM,kBAAkB,KAAK,UAAU,QAAQ,QAAQ,EAAE;AACzD,WAAO,GAAG,eAAe,IAAI,MAAM;AAAA,EACrC;AAAA,EAEQ,SAAS,OAA6B;AAC5C,SAAK,MAAM,IAAI,MAAM,UAAU,KAAK;AACpC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,UAAM,SAAS,KAAK,SAAS,QAAQ;AACrC,QAAI,OAAQ,QAAO;AACnB,UAAM,OAAO,KAAK,aAAa,QAAQ;AACvC,UAAM,MAAM,MAAM,KAAK,UAAU,IAAI;AACrC,UAAM,MAAM,KAAK,MAAM,MAAM;AAC7B,QAAI,CAAC,KAAK;AACR,cAAQ,KAAK,+DAAqD,EAAE,UAAU,KAAK,CAAC;AACpF,aAAO;AAAA,IACT;AACA,UAAM,MAAiB,EAAE,UAAU,KAAK,WAAW,KAAK,IAAI,EAAE;AAC9D,WAAO,KAAK,SAAS,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,UAAM,MAAM,YAAY;AACxB,UAAM,OAAO,KAAK,aAAa,QAAQ;AACvC,UAAM,KAAK,MAAM,KAAK,WAAW,MAAM,GAAG;AAC1C,QAAI,IAAI;AACN,cAAQ,KAAK,0DAAmD,EAAE,UAAU,KAAK,CAAC;AAAA,IACpF,OAAO;AACL,cAAQ,KAAK,sEAA4D,EAAE,UAAU,KAAK,CAAC;AAAA,IAC7F;AACA,QAAI,CAAC,GAAI,QAAO;AAChB,WAAO,KAAK,SAAS,EAAE,UAAU,KAAK,WAAW,KAAK,IAAI,EAAE,CAAC;AAAA,EAC/D;AACF;AAEA,IAAI,iCAAiC;AAErC,SAAS,4BAA4B,MAA2B;AAC9D,MAAI,QAAQ,IAAI,aAAa,UAAU,+BAAgC;AACvE,mCAAiC;AACjC,QAAM,QAAQ;AACd,QAAM,QAAQ;AACd,QAAM,QAAQ;AACd,QAAM,QAAQ;AACd,QAAM,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,SAAI,OAAO,KAAK,CAAC,GAAG,KAAK;AAC3D,QAAM,eAAe,QAAQ,IAAI,aAAa;AAC9C,QAAM,aACJ,KAAK,WAAW,aAAa,WAAW,KAAK,OAAO,KAAK;AAC3D,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA,eAAe,qCAAqC,WAAW,KAAK,MAAM;AAAA,IAC1E;AAAA,EACF;AACA,UAAQ,KAAK,MAAM;AACnB,aAAW,QAAQ,MAAM;AACvB,UAAM,SAAS,KAAK,OAAO,QAAQ,GAAG,GAAG;AACzC,YAAQ,KAAK,GAAG,KAAK,GAAG,KAAK,IAAI,MAAM,IAAI,KAAK,EAAE;AAAA,EACpD;AACA,UAAQ,KAAK,MAAM;AACrB;AAEO,SAAS,mBAA+B;AAC7C,MAAI,CAAC,8BAA8B,EAAG,QAAO,IAAI,eAAe;AAChE,QAAM,UAAU,IAAI,yBAAyB;AAE7C,QAAM,UAAU,wBAAwB;AACxC,QAAM,WAAW,UAAU,IAAI,kBAAkB,QAAQ,MAAM,IAAI;AACnE,QAAM,iBAAiB,UACnB,MAAM;AACJ,gCAA4B,OAAO;AAAA,EACrC,IACA;AAEJ,MAAI,CAAC,QAAQ,UAAU,GAAG;AACxB,QAAI,UAAU;AACZ,uBAAiB;AACjB,aAAO;AAAA,IACT;AACA,YAAQ;AAAA,MACN;AAAA,IACF;AACA,WAAO,IAAI,eAAe;AAAA,EAC5B;AAEA,MAAI,UAAU;AACZ,WAAO,IAAI,mBAAmB,SAAS,UAAU,cAAc;AAAA,EACjE;AAEA,SAAO;AACT;",
+  "names": []
+}

package/dist/lib/encryption/subscriber.js

@@ -0,0 +1,330 @@
+import { ReferenceKind } from "@mikro-orm/core";
+import { resolveEntityIdFromMetadata } from "./entityIds.js";
+import { isTenantDataEncryptionEnabled } from "./toggles.js";
+import { isEncryptionDebugEnabled } from "./toggles.js";
+import { resolveTenantEncryptionService } from "./customFieldValues.js";
+function resolveScope(entity) {
+  const tenantId = entity.tenantId ?? entity.tenant_id ?? entity.tenant?.id ?? null;
+  const organizationId = entity.organizationId ?? entity.organization_id ?? entity.organization?.id ?? null;
+  return {
+    tenantId: tenantId ? String(tenantId) : null,
+    organizationId: organizationId ? String(organizationId) : null
+  };
+}
+function debug(event, payload) {
+  if (!isEncryptionDebugEnabled()) return;
+  try {
+    console.debug(event, payload);
+  } catch {
+  }
+}
+const registeredEventManagers = /* @__PURE__ */ new WeakSet();
+const toSnakeCase = (value) => value.replace(/([A-Z])/g, "_$1").replace(/__/g, "_").toLowerCase();
+class TenantEncryptionSubscriber {
+  constructor(service) {
+    this.service = service;
+  }
+  getSubscribedEntities() {
+    return [];
+  }
+  resolveMeta(meta, entity, em) {
+    if (meta) return meta;
+    const ctor = entity?.constructor;
+    const name = ctor?.name;
+    const registry = em?.getMetadata?.();
+    if (!registry || !name) return meta;
+    try {
+      return registry.find?.(name);
+    } catch {
+    }
+    try {
+      return registry.find?.(ctor);
+    } catch {
+    }
+    try {
+      return registry.get?.(name);
+    } catch {
+    }
+    try {
+      return registry.get?.(ctor);
+    } catch {
+    }
+    const all = typeof registry.getAll === "function" && registry.getAll() || (Array.isArray(registry.metadata) ? registry.metadata : void 0) || registry.metadata || {};
+    try {
+      const entries = Array.isArray(all) ? all : Object.values(all);
+      const match = entries.find(
+        (m) => m?.className === name || m?.name === name || m?.entityName === name || m?.collection === ctor?.prototype?.__meta?.tableName || m?.tableName === ctor?.prototype?.__meta?.tableName
+      );
+      if (match) return match;
+    } catch {
+    }
+    return meta;
+  }
+  resolveEntityId(meta) {
+    try {
+      return resolveEntityIdFromMetadata(meta);
+    } catch {
+      return null;
+    }
+  }
+  syncOriginalEntityData(target, meta, em) {
+    const helper = target?.__helper;
+    if (!helper || typeof helper !== "object") return;
+    try {
+      const comparator = em?.getComparator?.();
+      if (comparator?.prepareEntity) {
+        helper.__originalEntityData = comparator.prepareEntity(target);
+        helper.__touched = false;
+        return;
+      }
+    } catch (err) {
+      debug("\u26AA\uFE0F subscriber.sync_original.comparator_failed", {
+        entity: meta?.className || meta?.name,
+        message: err?.message ?? String(err)
+      });
+    }
+    const properties = meta?.properties ? Object.values(meta.properties) : [];
+    if (properties.length === 0) return;
+    const snapshot = { ...helper.__originalEntityData ?? {} };
+    for (const prop of properties) {
+      if ([ReferenceKind.ONE_TO_MANY, ReferenceKind.MANY_TO_MANY].includes(prop.kind)) continue;
+      const name = prop.name;
+      if (typeof name !== "string" || !name.length) continue;
+      snapshot[name] = target[name];
+    }
+    helper.__originalEntityData = snapshot;
+    helper.__touched = false;
+  }
+  async encrypt(target, meta, em, changeSet) {
+    if (!isTenantDataEncryptionEnabled() || !this.service.isEnabled()) {
+      debug("\u26AA\uFE0F subscriber.skip", { reason: "disabled", entity: meta?.className || meta?.name });
+      return;
+    }
+    const resolvedMeta = this.resolveMeta(meta, target, em);
+    const entityId = this.resolveEntityId(resolvedMeta);
+    if (!entityId) {
+      debug("\u26A0\uFE0F subscriber.decrypt.skip.entity_id_missing", {
+        metaName: resolvedMeta?.className || resolvedMeta?.name,
+        table: resolvedMeta?.tableName
+      });
+      return;
+    }
+    const { tenantId, organizationId } = resolveScope(target);
+    if (!tenantId) {
+      debug("\u26AA\uFE0F subscriber.skip", { reason: "no-tenant", entityId });
+      return;
+    }
+    const encrypted = await this.service.encryptEntityPayload(entityId, target, tenantId, organizationId);
+    const metaProps = resolvedMeta?.properties && typeof resolvedMeta.properties === "object" ? resolvedMeta.properties : {};
+    const payloadObj = changeSet && typeof changeSet === "object" ? typeof changeSet.payload === "object" && changeSet.payload ? changeSet.payload : changeSet.payload = {} : null;
+    const updates = {};
+    const columnNameFor = (propKey, prop) => {
+      try {
+        if (prop && typeof prop === "object") {
+          const explicit = prop?.fieldName;
+          if (typeof explicit === "string" && explicit.length) return explicit;
+          const name = prop?.name;
+          if (typeof name === "string" && name.length) return name;
+        }
+      } catch (err) {
+        debug("\u26A0\uFE0F subscriber.column_name.resolve", {
+          entityId,
+          propKey,
+          message: err?.message ?? String(err)
+        });
+      }
+      return toSnakeCase(propKey);
+    };
+    for (const [key, value] of Object.entries(encrypted)) {
+      const prop = metaProps[key];
+      if (!prop || typeof prop !== "object") continue;
+      if (target[key] === value) continue;
+      updates[key] = value;
+    }
+    if (Object.keys(updates).length === 0) return;
+    Object.assign(target, updates);
+    if (payloadObj) {
+      try {
+        const ensureColumnKey = (propKey, value) => {
+          const columnName = columnNameFor(propKey, metaProps[propKey]);
+          const canonicalKey = columnName || toSnakeCase(propKey);
+          const aliases = new Set(
+            [propKey, toSnakeCase(propKey), columnName, columnName ? toSnakeCase(columnName) : void 0].filter(
+              (v) => typeof v === "string" && v.length > 0
+            )
+          );
+          for (const alias of aliases) {
+            if (Object.prototype.hasOwnProperty.call(payloadObj, alias)) delete payloadObj[alias];
+          }
+          const finalKey = columnName || toSnakeCase(propKey);
+          payloadObj[finalKey] = value;
+        };
+        for (const key of Object.keys(updates)) {
+          ensureColumnKey(key, updates[key]);
+        }
+      } catch (err) {
+        debug("\u26A0\uFE0F subscriber.payload.normalize.error", {
+          entityId,
+          message: err?.message ?? String(err)
+        });
+      }
+    }
+  }
+  async decryptEntityGraph(target, meta, em, opts = {}) {
+    await this.decrypt(target, meta, em, opts);
+  }
+  async decrypt(target, meta, em, {
+    syncOriginal = false,
+    seen,
+    fallbackScope
+  } = {}) {
+    const visited = seen ?? /* @__PURE__ */ new WeakSet();
+    if (visited.has(target)) return;
+    visited.add(target);
+    if (!isTenantDataEncryptionEnabled() || !this.service.isEnabled()) {
+      debug("\u26AA\uFE0F subscriber.skip", { reason: "disabled", entity: meta?.className || meta?.name });
+      return;
+    }
+    const resolvedMeta = this.resolveMeta(meta, target, em);
+    const entityId = this.resolveEntityId(resolvedMeta);
+    if (!entityId) return;
+    const { tenantId, organizationId } = resolveScope(target);
+    const scopedTenantId = tenantId ?? fallbackScope?.tenantId ?? null;
+    const scopedOrgId = organizationId ?? fallbackScope?.organizationId ?? null;
+    if (!scopedTenantId) {
+      debug("\u26AA\uFE0F subscriber.skip", { reason: "no-tenant", entityId });
+      return;
+    }
+    const decrypted = await this.service.decryptEntityPayload(entityId, target, scopedTenantId, scopedOrgId);
+    Object.assign(target, decrypted);
+    if (syncOriginal) {
+      this.syncOriginalEntityData(target, resolvedMeta, em);
+    }
+    const nextFallback = fallbackScope ?? (tenantId || organizationId ? { tenantId: tenantId ?? null, organizationId: organizationId ?? null } : { tenantId: scopedTenantId, organizationId: scopedOrgId });
+    try {
+      const extractEntities = (value) => {
+        if (!value) return [];
+        if (typeof value === "object" && typeof value.isInitialized === "function") {
+          try {
+            if (value.isInitialized()) {
+              const unwrapped = typeof value.unwrap === "function" ? value.unwrap() : value.__entity ?? value;
+              if (unwrapped && typeof unwrapped === "object") return [unwrapped];
+            }
+          } catch {
+          }
+          return [];
+        }
+        if (typeof value === "object" && typeof value.isInitialized === "function" && typeof value.getItems === "function") {
+          try {
+            return value.isInitialized() ? value.getItems() ?? [] : [];
+          } catch {
+            return [];
+          }
+        }
+        if (Array.isArray(value)) return value;
+        if (typeof value === "object") return [value];
+        return [];
+      };
+      const props = resolvedMeta?.properties ? Object.values(resolvedMeta.properties) : [];
+      for (const prop of props) {
+        const kind = prop?.kind;
+        const name = prop?.name;
+        if (typeof name !== "string" || !name.length) continue;
+        const value = target[name];
+        if (!value) continue;
+        if ([ReferenceKind.MANY_TO_ONE, ReferenceKind.ONE_TO_ONE].includes(kind)) {
+          const nestedEntities = extractEntities(value);
+          for (const nested of nestedEntities) {
+            const nestedMeta = this.resolveMeta(nested.__meta ?? nested.__helper?.__meta, nested, em);
+            await this.decrypt(nested, nestedMeta, em, {
+              syncOriginal: true,
+              seen: visited,
+              fallbackScope: nextFallback
+            });
+          }
+          continue;
+        }
+        if ([ReferenceKind.ONE_TO_MANY, ReferenceKind.MANY_TO_MANY].includes(kind)) {
+          const items = extractEntities(value);
+          for (const item of items) {
+            if (!item || typeof item !== "object") continue;
+            const nestedMeta = this.resolveMeta(item.__meta ?? item.__helper?.__meta, item, em);
+            await this.decrypt(item, nestedMeta, em, {
+              syncOriginal: true,
+              seen: visited,
+              fallbackScope: nextFallback
+            });
+          }
+        }
+      }
+    } catch (err) {
+      debug("\u26A0\uFE0F subscriber.deep_decrypt.error", {
+        entityId,
+        message: err?.message ?? String(err)
+      });
+    }
+  }
+  async beforeCreate(args) {
+    await this.encrypt(args.entity, args.meta, args.em, args.changeSet);
+  }
+  async beforeUpdate(args) {
+    await this.decrypt(args.entity, args.meta, args.em);
+    await this.encrypt(args.entity, args.meta, args.em, args.changeSet);
+  }
+  async afterCreate(args) {
+    await this.decrypt(args.entity, args.meta, args.em, { syncOriginal: true });
+  }
+  async afterUpdate(args) {
+    await this.decrypt(args.entity, args.meta, args.em, { syncOriginal: true });
+  }
+  async afterUpsert(args) {
+    await this.decrypt(args.entity, args.meta, args.em, { syncOriginal: true });
+  }
+  async onLoad(args) {
+    await this.decrypt(args.entity, args.meta, args.em, { syncOriginal: true });
+  }
+  async afterFind(args) {
+    const entities = Array.isArray(args.entities) ? args.entities : [];
+    for (const entity of entities) {
+      await this.decrypt(entity, args.meta, args.em, { syncOriginal: true });
+    }
+  }
+}
+function registerTenantEncryptionSubscriber(em, service) {
+  const eventManager = em?.getEventManager?.();
+  if (!eventManager || typeof eventManager.registerSubscriber !== "function") return;
+  if (registeredEventManagers.has(eventManager)) return;
+  eventManager.registerSubscriber(new TenantEncryptionSubscriber(service));
+  registeredEventManagers.add(eventManager);
+}
+async function decryptEntitiesWithFallbackScope(targets, {
+  em,
+  tenantId,
+  organizationId,
+  encryptionService
+}) {
+  if (!isTenantDataEncryptionEnabled()) return;
+  const list = Array.isArray(targets) ? targets : [targets];
+  if (!list.length) return;
+  const service = encryptionService ?? resolveTenantEncryptionService(em);
+  if (!service || !service.isEnabled()) return;
+  const subscriber = new TenantEncryptionSubscriber(service);
+  const fallback = tenantId || organizationId ? {
+    tenantId: tenantId ?? null,
+    organizationId: organizationId ?? null
+  } : void 0;
+  for (const entity of list) {
+    if (!entity || typeof entity !== "object") continue;
+    const meta = entity.__meta ?? entity.__helper?.__meta;
+    await subscriber.decryptEntityGraph(entity, meta, em, {
+      syncOriginal: true,
+      fallbackScope: fallback
+    });
+  }
+}
+export {
+  TenantEncryptionSubscriber,
+  decryptEntitiesWithFallbackScope,
+  registerTenantEncryptionSubscriber
+};
+//# sourceMappingURL=subscriber.js.map