@prisma-next/extension-cipherstash 0.0.1

package/README.md

@@ -0,0 +1,153 @@
+# @prisma-next/extension-cipherstash
+
+[CipherStash](https://cipherstash.com) extension for Prisma Next: searchable application-layer encryption for Postgres via the EQL bundle.
+
+## What this package provides
+
+- `EncryptedString` envelope + `cipherstash/string@1` codec runtime — the runtime side of the field-level encryption.
+- `cipherstash.EncryptedString()` PSL constructor and `encryptedString()` TS contract factory (byte-identical lowering). Both accept an optional `{ equality?, freeTextSearch? }` object whose flags default to `true`.
+- `SqlControlExtensionDescriptor` carrying the EQL contract space (the `eql_v2_configuration` table, the `eql_v2_encrypted` / `ore_*` composite types, the `eql_v2` domains) plus a baseline migration that installs the vendored EQL bundle SQL.
+- `bulkEncryptMiddleware(sdk)` — coalesces `EncryptedString` parameters into one `bulkEncrypt` SDK call per `(table, column)` before the wire encode.
+- `cipherstashEq(value)` / `cipherstashIlike(pattern)` query operations — lower to `eql_v2.eq(...)` / `eql_v2.ilike(...)` on cipherstash columns.
+- `decryptAll(rows, opts?)` — opt-in read-side amortization that walks a result set, coalesces every `EncryptedString` it finds into one `bulkDecrypt` SDK call per `(table, column)` group, and caches the resolved plaintexts back onto each envelope so subsequent `envelope.decrypt()` calls return synchronously without consulting the SDK.
+
+Search operators are deliberately exposed under the cipherstash-namespaced names `cipherstashEq` and `cipherstashIlike` rather than the framework's built-in `eq` / `ilike`. The cipherstash codec declares no `equality` codec trait, so the framework's trait-gated `eq` is not reachable on cipherstash columns — calling `email.eq(...)` on a cipherstash column is `undefined` (typechecks as a no-such-method error). Equality search uses `email.cipherstashEq(value)`, which lowers to `eql_v2.eq(...)`; free-text search uses `email.cipherstashIlike(pattern)` lowering to `eql_v2.ilike(...)`. The user-facing `EncryptedString({ equality: true })` flag is unrelated to the codec trait — it controls whether the codec lifecycle hook emits an `add_search_config` op for the column's `unique` index at migration time.
+
+## Subpath exports
+
+
+| Subpath          | Purpose                                                       |
+| ---------------- | ------------------------------------------------------------- |
+| `./control`      | `SqlControlExtensionDescriptor` (contract space + pack meta)  |
+| `./runtime`      | `EncryptedString` envelope + `CipherstashSdk` + codec runtime + `decryptAll` |
+| `./middleware`   | `bulkEncryptMiddleware(sdk)`                                  |
+| `./pack`         | `cipherstashPackMeta` for TS contract authoring               |
+| `./column-types` | `encryptedString({ equality?, freeTextSearch? })` TS factory  |
+
+The `./control` and `./runtime` / `./middleware` planes are tree-shakable: a runtime consumer never pulls the EQL bundle SQL or the codec lifecycle hook, and a control-plane consumer never pulls the SDK interface, the codec runtime, or the bulk-encrypt middleware. See [`DEVELOPING.md`](./DEVELOPING.md) — design choices.
+
+
+## Configuration
+
+Add the extension to your `prisma-next.config.ts`:
+
+```ts
+import { defineConfig } from '@prisma-next/cli/config-types';
+import postgresAdapter from '@prisma-next/adapter-postgres/control';
+import sql from '@prisma-next/family-sql/control';
+import postgres from '@prisma-next/target-postgres/control';
+import cipherstash from '@prisma-next/extension-cipherstash/control';
+
+export default defineConfig({
+  family: sql,
+  target: postgres,
+  adapter: postgresAdapter,
+  extensionPacks: [cipherstash],
+});
+```
+
+## Authoring
+
+### PSL
+
+```prisma
+model User {
+  id    Int @id @default(autoincrement())
+  email cipherstash.EncryptedString()
+  notes cipherstash.EncryptedString({ freeTextSearch: false })?
+}
+```
+
+### TypeScript
+
+```ts
+import { encryptedString } from '@prisma-next/extension-cipherstash/column-types';
+import cipherstash from '@prisma-next/extension-cipherstash/pack';
+import sqlFamily from '@prisma-next/family-sql/pack';
+import { defineContract, field, model } from '@prisma-next/sql-contract-ts/contract-builder';
+import postgres from '@prisma-next/target-postgres/pack';
+
+export const contract = defineContract({
+  family: sqlFamily,
+  target: postgres,
+  extensionPacks: { cipherstash },
+  models: {
+    User: model('User', {
+      fields: {
+        id: field.column({ codecId: 'pg/int4@1', nativeType: 'int4' })
+          .defaultSql('autoincrement()').id(),
+        email: field.column(encryptedString()),
+        notes: field.column(encryptedString({ freeTextSearch: false })).optional(),
+      },
+    }).sql({ table: 'user' }),
+  },
+});
+```
+
+Both authoring forms emit byte-identical `contract.json`. The codec registers under the `cipherstash/string@1` codec id and maps to the EQL `eql_v2_encrypted` Postgres native type.
+
+Per-column search-mode flags `equality` and `freeTextSearch` both default to `true` — searchable encryption is the legitimate default for an extension whose entire reason for existing is to make encrypted columns queryable. Opt out explicitly when you want storage-only encryption (e.g. `cipherstash.EncryptedString({ equality: false, freeTextSearch: false })` / `encryptedString({ equality: false, freeTextSearch: false })`) or to disable just one mode. The flags are validated at the contract boundary by an arktype schema and threaded through the parameterized-codec descriptor model — see [ADR 208 — Higher-order codecs for parameterized types](../../../docs/architecture%20docs/adrs/ADR%20208%20-%20Higher-order%20codecs%20for%20parameterized%20types.md). The codec's `decode` site reads the cell's `(table, column)` from the per-call codec context — see [ADR 207 — Codec call context per-query AbortSignal and column metadata](../../../docs/architecture%20docs/adrs/ADR%20207%20-%20Codec%20call%20context%20per-query%20AbortSignal%20and%20column%20metadata.md).
+
+## Database setup
+
+The extension contributes its database scaffolding (the `eql_v2_configuration` table, the `eql_v2_encrypted` / `ore_*` composite types, the `eql_v2.bloom_filter` / `hmac_256` / `blake3` domains, and the EQL bundle SQL) as a **contract space** so the Prisma Next framework can plan, apply, and verify it the same way it manages an application's own schema.
+
+After `prisma-next migrate plan`, the user's repo gains:
+
+- `migrations/cipherstash/contract.json`,
+- `migrations/cipherstash/contract.d.ts`,
+- `migrations/cipherstash/refs/head.json`,
+- `migrations/cipherstash/<name>/` migration directories.
+
+`db apply` then runs CipherStash's migrations against the live database in the same transaction as any application-space migration emitted in the same `migrate` invocation.
+
+## Runtime usage
+
+A worked end-to-end example lives at [`examples/cipherstash-integration/`](../../../examples/cipherstash-integration/) — schema, runtime composition, demo SDK stub, and an `insert` → `cipherstashEq` → `cipherstashIlike` → `decryptAll` flow against a real Postgres database.
+
+The minimal runtime composition wires the cipherstash runtime descriptor and the bulk-encrypt middleware into the SQL runtime (sharing one SDK binding):
+
+```ts
+import { bulkEncryptMiddleware } from '@prisma-next/extension-cipherstash/middleware';
+import {
+  createCipherstashRuntimeDescriptor,
+  decryptAll,
+  EncryptedString,
+} from '@prisma-next/extension-cipherstash/runtime';
+import postgres from '@prisma-next/postgres/runtime';
+import type { Contract } from './prisma/contract.d';
+import contractJson from './prisma/contract.json' with { type: 'json' };
+
+const sdk = /* your CipherstashSdk implementation */;
+
+const db = postgres<Contract>({
+  contractJson,
+  extensions: [createCipherstashRuntimeDescriptor({ sdk })],
+  middleware: [bulkEncryptMiddleware(sdk)],
+});
+
+await db.orm.User.create({ id: 'u1', email: EncryptedString.from('alice@example.com') });
+
+const rows = await db.orm.User.where((u) => u.email.cipherstashEq('alice@example.com')).all();
+await decryptAll(rows);
+console.log(await rows[0]?.email.decrypt());
+```
+
+`EncryptedString.from(plaintext)` creates a write-side envelope; the bulk-encrypt middleware fills in the ciphertext at execute time. Read-side envelopes are constructed by the codec's `decode` and carry their `(table, column)` routing key for `decrypt` / `decryptAll`.
+
+## Security model
+
+- **Plaintext lifetime**. The write-side handle retains its plaintext slot post-encrypt — JS strings are immutable and zeroing is best-effort, so the GC-driven lifecycle is the sufficient bound. Practical implication: the original `EncryptedString.from(plaintext)` envelope's `decrypt()` returns the plaintext synchronously without consulting the SDK. Treat envelope objects as plaintext-equivalent for the lifetime of the variable.
+- **Ciphertext routing**. Every read-side envelope carries the `(table, column)` it was decoded from; `decrypt` / `decryptAll` route their bulk SDK calls by that key so the SDK can pick the right key material per column.
+- **Operator semantics**. Encrypted equality uses `eql_v2.eq` (deterministic-index lookup); encrypted free-text uses `eql_v2.ilike` (bloom-filter lookup). The framework's built-in `eq` / `ilike` are unreachable on cipherstash columns — the codec declares zero traits so no wrong-SQL footgun can exist where a randomized EQL ciphertext is compared with `=` directly.
+- **Cancellation**. Every cipherstash-internal SDK call accepts an `AbortSignal`; mid-flight cancellation surfaces a `RUNTIME.ABORTED` envelope with a phase tag (`bulk-encrypt`, `decrypt`, or `decrypt-all`) mirroring the framework's envelope shape from [ADR 207](../../../docs/architecture%20docs/adrs/ADR%20207%20-%20Codec%20call%20context%20per-query%20AbortSignal%20and%20column%20metadata.md).
+
+## Contributing
+
+See [`DEVELOPING.md`](./DEVELOPING.md) for source layout, design choices, and the canonical Acceptance Criteria list.
+
+## References
+
+- [CipherStash](https://cipherstash.com) — managed application-layer encryption for Postgres.
+- [Prisma Next Architecture Overview](../../../docs/Architecture%20Overview.md).
+- [Extension Packs Naming and Layout](../../../docs/reference/Extension-Packs-Naming-and-Layout.md).

package/dist/call-classes-CSvD7w8U.mjs

@@ -0,0 +1,206 @@
+import { TsExpression, jsonToTsSource } from "@prisma-next/ts-render";
+import { ifDefined } from "@prisma-next/utils/defined";
+//#region src/migration/call-classes.ts
+const CIPHERSTASH_MIGRATION_MODULE = "@prisma-next/extension-cipherstash/migration";
+/** Mirrors `eql_v2.add_search_config(table, column, index_name, cast_as)`. */
+const DEFAULT_CAST_AS = "text";
+/**
+* Escape a string so it can be embedded inside a Postgres single-quoted
+* literal. Identifiers in our IR are unlikely to contain apostrophes,
+* but doubling them keeps the emitted SQL safe under any future
+* relaxation.
+*/
+function sqlLiteral(value) {
+	return `'${value.replace(/'/g, "''")}'`;
+}
+function invariantIdFor(tableName, fieldName, action, indexName) {
+	return `cipherstash-codec:${tableName}.${fieldName}:${action}:${indexName}@v1`;
+}
+/**
+* Base class for cipherstash migration IR nodes.
+*
+* Each instance is *both* an `OpFactoryCall` (renderable to TypeScript,
+* lowerable to a runtime op via `toOp()`) and a structurally-valid
+* {@link CipherstashOp} — `id`, `label`, `operationClass`,
+* `invariantId`, `target`, `precheck`, `execute`, `postcheck` are
+* stored as enumerable own properties, populated in the concrete
+* subclass constructors. So when the planner-rendered `migration.ts`
+* runs and the user's `operations` getter returns Call instances
+* directly, both `MigrationOpSchema` validation (which checks `id` /
+* `label` / `operationClass`) and `JSON.stringify` (which writes
+* `ops.json`) see the runtime op shape unchanged.
+*
+* The cipherstash-specific identity fields (`factoryName`, `table`,
+* `column`, `index`, `castAs`) live on the subclass prototype as
+* accessor getters and on a per-instance backing record kept in a
+* private slot (`#args`). Accessor properties on the class are
+* non-enumerable, and the backing record is a private field, so
+* `Object.keys(call)` and `canonicalizeJson(...)` see only the op
+* fields — `ops.json` and `migrationHash` stay byte-stable.
+*/
+var CipherstashOpFactoryCallNode = class extends TsExpression {
+	importRequirements() {
+		return [{
+			moduleSpecifier: CIPHERSTASH_MIGRATION_MODULE,
+			symbol: this.factoryName
+		}];
+	}
+	/**
+	* Re-expose the runtime op view for callers that prefer to lower
+	* Calls explicitly (notably {@link renderOps} on the postgres lane).
+	* The returned object is a plain copy of this Call's op-shaped
+	* fields.
+	*/
+	toOp() {
+		return {
+			id: this.id,
+			label: this.label,
+			operationClass: this.operationClass,
+			invariantId: this.invariantId,
+			target: this.target,
+			precheck: this.precheck,
+			execute: this.execute,
+			postcheck: this.postcheck
+		};
+	}
+	freeze() {
+		Object.freeze(this);
+	}
+};
+var CipherstashAddSearchConfigCall = class extends CipherstashOpFactoryCallNode {
+	id;
+	label;
+	operationClass;
+	invariantId;
+	target;
+	precheck;
+	execute;
+	postcheck;
+	#args;
+	constructor(table, column, index, castAs = DEFAULT_CAST_AS) {
+		super();
+		this.#args = {
+			table,
+			column,
+			index,
+			castAs
+		};
+		this.id = `cipherstash-codec.${table}.${column}.add-search-config.${index}`;
+		this.label = `Enable cipherstash search on ${table}.${column}`;
+		this.operationClass = "additive";
+		this.invariantId = invariantIdFor(table, column, "add-search-config", index);
+		this.target = { id: "postgres" };
+		this.precheck = [];
+		this.execute = [{
+			description: `Register cipherstash ${index} search config for ${table}.${column}`,
+			sql: `SELECT eql_v2.add_search_config(${sqlLiteral(table)}, ${sqlLiteral(column)}, ${sqlLiteral(index)}, ${sqlLiteral(castAs)});`
+		}];
+		this.postcheck = [];
+		this.freeze();
+	}
+	get factoryName() {
+		return "cipherstashAddSearchConfig";
+	}
+	get table() {
+		return this.#args.table;
+	}
+	get column() {
+		return this.#args.column;
+	}
+	get index() {
+		return this.#args.index;
+	}
+	get castAs() {
+		return this.#args.castAs;
+	}
+	renderTypeScript() {
+		return `cipherstashAddSearchConfig(${jsonToTsSource({
+			table: this.#args.table,
+			column: this.#args.column,
+			index: this.#args.index,
+			...ifDefined("castAs", this.#args.castAs !== DEFAULT_CAST_AS ? this.#args.castAs : void 0)
+		})})`;
+	}
+};
+var CipherstashRemoveSearchConfigCall = class extends CipherstashOpFactoryCallNode {
+	id;
+	label;
+	operationClass;
+	invariantId;
+	target;
+	precheck;
+	execute;
+	postcheck;
+	#args;
+	constructor(table, column, index) {
+		super();
+		this.#args = {
+			table,
+			column,
+			index
+		};
+		this.id = `cipherstash-codec.${table}.${column}.remove-search-config.${index}`;
+		this.label = `Disable cipherstash search on ${table}.${column}`;
+		this.operationClass = "destructive";
+		this.invariantId = invariantIdFor(table, column, "remove-search-config", index);
+		this.target = { id: "postgres" };
+		this.precheck = [];
+		this.execute = [{
+			description: `Remove cipherstash ${index} search config for ${table}.${column}`,
+			sql: `SELECT eql_v2.remove_search_config(${sqlLiteral(table)}, ${sqlLiteral(column)}, ${sqlLiteral(index)});`
+		}];
+		this.postcheck = [];
+		this.freeze();
+	}
+	get factoryName() {
+		return "cipherstashRemoveSearchConfig";
+	}
+	get table() {
+		return this.#args.table;
+	}
+	get column() {
+		return this.#args.column;
+	}
+	get index() {
+		return this.#args.index;
+	}
+	renderTypeScript() {
+		return `cipherstashRemoveSearchConfig(${jsonToTsSource({
+			table: this.#args.table,
+			column: this.#args.column,
+			index: this.#args.index
+		})})`;
+	}
+};
+/**
+* Public factory: register a cipherstash search-config row.
+*
+* Use from a hand-written migration when you need to wire EQL
+* search-config alongside a `createTable` / `addColumn`. The
+* `Encrypted<string>` codec hook calls this factory automatically when
+* planning a contract diff that adds a `searchable: true` column.
+*
+* Returns the {@link CipherstashAddSearchConfigCall} IR node, which
+* implements `OpFactoryCall` and is itself a `SqlMigrationPlanOperation`
+* (its readonly op-shaped fields are populated in the constructor) — so
+* the same value flows through both the renderer (planner-time IR) and
+* the runtime ops list (`Migration.operations`) without an extra
+* lowering step at the call site.
+*/
+function cipherstashAddSearchConfig(args) {
+	return new CipherstashAddSearchConfigCall(args.table, args.column, args.index, args.castAs ?? DEFAULT_CAST_AS);
+}
+/**
+* Public factory: invert {@link cipherstashAddSearchConfig} for the
+* same (table, column, index) tuple.
+*
+* Returns the {@link CipherstashRemoveSearchConfigCall} IR node — see
+* {@link cipherstashAddSearchConfig} for the rationale.
+*/
+function cipherstashRemoveSearchConfig(args) {
+	return new CipherstashRemoveSearchConfigCall(args.table, args.column, args.index);
+}
+//#endregion
+export { cipherstashRemoveSearchConfig as n, cipherstashAddSearchConfig as t };
+
+//# sourceMappingURL=call-classes-CSvD7w8U.mjs.map

package/dist/call-classes-CSvD7w8U.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"call-classes-CSvD7w8U.mjs","names":["#args"],"sources":["../src/migration/call-classes.ts"],"sourcesContent":["/**\n * Cipherstash migration IR — renderable `*Call` classes for the codec\n * lifecycle hook + the public `@prisma-next/extension-cipherstash/migration`\n * factory functions.\n *\n * Each `*Call` implements the framework `OpFactoryCall` interface (ADR\n * 195) directly, so cipherstash's contributions flow through the postgres\n * planner as first-class IR nodes — no `RawSqlCall` wrap, no detour\n * through the unstructured-op fallback. The codec hook\n * (`./cipherstash-codec.ts`) returns Calls; the postgres planner adds\n * them to its call list and renders them via `renderCallsToTypeScript`.\n *\n * Public factory functions (`cipherstashAddSearchConfig` /\n * `cipherstashRemoveSearchConfig`) are re-exported from\n * `@prisma-next/extension-cipherstash/migration`. Users authoring a\n * hand-written migration can call them directly:\n *\n * ```ts\n * import { cipherstashAddSearchConfig } from '@prisma-next/extension-cipherstash/migration';\n *\n * createTable('public', 'user', [...]);\n * cipherstashAddSearchConfig({ table: 'user', column: 'email', index: 'unique' });\n * ```\n *\n * Round-trip invariant: `toOp()` produces the same op shape the codec\n * hook would emit directly — `ops.json` stays byte-identical;\n * `migration.ts` carries a factory call instead of an opaque\n * `rawSql({...})` block.\n */\n\nimport type { SqlMigrationPlanOperation } from '@prisma-next/family-sql/control';\nimport type {\n  MigrationOperationClass,\n  OpFactoryCall,\n} from '@prisma-next/framework-components/control';\nimport { type ImportRequirement, jsonToTsSource, TsExpression } from '@prisma-next/ts-render';\nimport { ifDefined } from '@prisma-next/utils/defined';\n\nconst CIPHERSTASH_MIGRATION_MODULE = '@prisma-next/extension-cipherstash/migration';\n\n/** Mirrors `eql_v2.add_search_config(table, column, index_name, cast_as)`. */\nconst DEFAULT_CAST_AS = 'text';\n\n/**\n * Two-valued enumeration matching the EQL search-config indices the\n * cipherstash codec emits — one per enabled flag in\n * `Encrypted<string>`'s `typeParams`:\n *\n *   - `equality: true`        → `'unique'` index\n *   - `freeTextSearch: true`  → `'match'`  index\n */\nexport type CipherstashSearchIndex = 'unique' | 'match';\n\n/**\n * Args shape accepted by the public `cipherstashAddSearchConfig` /\n * `cipherstashRemoveSearchConfig` factory functions.\n *\n * `castAs` defaults to `'text'` — matches the cipherstash codec hook's\n * canonical output and the EQL bundle's expected cast for\n * `eql_v2_encrypted` columns. Override only if you know the runtime\n * cast for your column differs.\n */\nexport interface CipherstashSearchConfigArgs {\n  readonly table: string;\n  readonly column: string;\n  readonly index: CipherstashSearchIndex;\n  readonly castAs?: string;\n}\n\ntype CipherstashOp = SqlMigrationPlanOperation<unknown>;\ntype OpStep = CipherstashOp['execute'][number];\n\n/**\n * Escape a string so it can be embedded inside a Postgres single-quoted\n * literal. Identifiers in our IR are unlikely to contain apostrophes,\n * but doubling them keeps the emitted SQL safe under any future\n * relaxation.\n */\nfunction sqlLiteral(value: string): string {\n  return `'${value.replace(/'/g, \"''\")}'`;\n}\n\nfunction invariantIdFor(\n  tableName: string,\n  fieldName: string,\n  action: 'add-search-config' | 'remove-search-config',\n  indexName: CipherstashSearchIndex,\n): string {\n  return `cipherstash-codec:${tableName}.${fieldName}:${action}:${indexName}@v1`;\n}\n\n/**\n * Base class for cipherstash migration IR nodes.\n *\n * Each instance is *both* an `OpFactoryCall` (renderable to TypeScript,\n * lowerable to a runtime op via `toOp()`) and a structurally-valid\n * {@link CipherstashOp} — `id`, `label`, `operationClass`,\n * `invariantId`, `target`, `precheck`, `execute`, `postcheck` are\n * stored as enumerable own properties, populated in the concrete\n * subclass constructors. So when the planner-rendered `migration.ts`\n * runs and the user's `operations` getter returns Call instances\n * directly, both `MigrationOpSchema` validation (which checks `id` /\n * `label` / `operationClass`) and `JSON.stringify` (which writes\n * `ops.json`) see the runtime op shape unchanged.\n *\n * The cipherstash-specific identity fields (`factoryName`, `table`,\n * `column`, `index`, `castAs`) live on the subclass prototype as\n * accessor getters and on a per-instance backing record kept in a\n * private slot (`#args`). Accessor properties on the class are\n * non-enumerable, and the backing record is a private field, so\n * `Object.keys(call)` and `canonicalizeJson(...)` see only the op\n * fields — `ops.json` and `migrationHash` stay byte-stable.\n */\nabstract class CipherstashOpFactoryCallNode extends TsExpression implements OpFactoryCall {\n  abstract get factoryName(): string;\n  abstract readonly operationClass: MigrationOperationClass;\n  abstract readonly label: string;\n  abstract readonly id: string;\n  abstract readonly invariantId: string;\n  abstract readonly target: { readonly id: string };\n  abstract readonly precheck: readonly OpStep[];\n  abstract readonly execute: readonly OpStep[];\n  abstract readonly postcheck: readonly OpStep[];\n\n  importRequirements(): readonly ImportRequirement[] {\n    return [{ moduleSpecifier: CIPHERSTASH_MIGRATION_MODULE, symbol: this.factoryName }];\n  }\n\n  /**\n   * Re-expose the runtime op view for callers that prefer to lower\n   * Calls explicitly (notably {@link renderOps} on the postgres lane).\n   * The returned object is a plain copy of this Call's op-shaped\n   * fields.\n   */\n  toOp(): CipherstashOp {\n    return {\n      id: this.id,\n      label: this.label,\n      operationClass: this.operationClass,\n      invariantId: this.invariantId,\n      target: this.target,\n      precheck: this.precheck,\n      execute: this.execute,\n      postcheck: this.postcheck,\n    };\n  }\n\n  protected freeze(): void {\n    Object.freeze(this);\n  }\n}\n\n/**\n * `cipherstashAddSearchConfig` — register an EQL search-config row for\n * the given column / index combination. Lowers to a `SELECT\n * eql_v2.add_search_config('<table>', '<column>', '<index>',\n * '<castAs>')` op, classified `'additive'`.\n */\ninterface AddArgs {\n  readonly table: string;\n  readonly column: string;\n  readonly index: CipherstashSearchIndex;\n  readonly castAs: string;\n}\n\nexport class CipherstashAddSearchConfigCall extends CipherstashOpFactoryCallNode {\n  readonly id: string;\n  readonly label: string;\n  readonly operationClass: 'additive';\n  readonly invariantId: string;\n  readonly target: { readonly id: string };\n  readonly precheck: readonly OpStep[];\n  readonly execute: readonly OpStep[];\n  readonly postcheck: readonly OpStep[];\n\n  // Private slot keeps the renderer-side args off the enumerable\n  // own-property surface; the public accessors below expose them\n  // read-only on the prototype, so neither `Object.keys` nor\n  // `canonicalizeJson` walks them.\n  readonly #args: AddArgs;\n\n  constructor(\n    table: string,\n    column: string,\n    index: CipherstashSearchIndex,\n    castAs: string = DEFAULT_CAST_AS,\n  ) {\n    super();\n    this.#args = { table, column, index, castAs };\n    // Property assignment order is fixed (id → label → operationClass\n    // → invariantId → target → precheck → execute → postcheck) so\n    // `JSON.stringify(call)` lays out keys in the byte order the\n    // baseline `ops.json` carries.\n    this.id = `cipherstash-codec.${table}.${column}.add-search-config.${index}`;\n    this.label = `Enable cipherstash search on ${table}.${column}`;\n    this.operationClass = 'additive';\n    this.invariantId = invariantIdFor(table, column, 'add-search-config', index);\n    this.target = { id: 'postgres' };\n    this.precheck = [];\n    this.execute = [\n      {\n        description: `Register cipherstash ${index} search config for ${table}.${column}`,\n        sql: `SELECT eql_v2.add_search_config(${sqlLiteral(table)}, ${sqlLiteral(column)}, ${sqlLiteral(index)}, ${sqlLiteral(castAs)});`,\n      },\n    ];\n    this.postcheck = [];\n    this.freeze();\n  }\n\n  get factoryName(): 'cipherstashAddSearchConfig' {\n    return 'cipherstashAddSearchConfig';\n  }\n\n  get table(): string {\n    return this.#args.table;\n  }\n\n  get column(): string {\n    return this.#args.column;\n  }\n\n  get index(): CipherstashSearchIndex {\n    return this.#args.index;\n  }\n\n  get castAs(): string {\n    return this.#args.castAs;\n  }\n\n  renderTypeScript(): string {\n    const args = {\n      table: this.#args.table,\n      column: this.#args.column,\n      index: this.#args.index,\n      ...ifDefined('castAs', this.#args.castAs !== DEFAULT_CAST_AS ? this.#args.castAs : undefined),\n    };\n    return `cipherstashAddSearchConfig(${jsonToTsSource(args)})`;\n  }\n}\n\n/**\n * `cipherstashRemoveSearchConfig` — invert\n * {@link CipherstashAddSearchConfigCall} for the same (table, column,\n * index) tuple. Lowers to `SELECT eql_v2.remove_search_config('<table>',\n * '<column>', '<index>')`, classified `'destructive'`.\n *\n * No `castAs` argument — `eql_v2.remove_search_config` takes only the\n * three identifying fields; the cast was applied at the index's add\n * site.\n */\ninterface RemoveArgs {\n  readonly table: string;\n  readonly column: string;\n  readonly index: CipherstashSearchIndex;\n}\n\nexport class CipherstashRemoveSearchConfigCall extends CipherstashOpFactoryCallNode {\n  readonly id: string;\n  readonly label: string;\n  readonly operationClass: 'destructive';\n  readonly invariantId: string;\n  readonly target: { readonly id: string };\n  readonly precheck: readonly OpStep[];\n  readonly execute: readonly OpStep[];\n  readonly postcheck: readonly OpStep[];\n\n  readonly #args: RemoveArgs;\n\n  constructor(table: string, column: string, index: CipherstashSearchIndex) {\n    super();\n    this.#args = { table, column, index };\n    this.id = `cipherstash-codec.${table}.${column}.remove-search-config.${index}`;\n    this.label = `Disable cipherstash search on ${table}.${column}`;\n    this.operationClass = 'destructive';\n    this.invariantId = invariantIdFor(table, column, 'remove-search-config', index);\n    this.target = { id: 'postgres' };\n    this.precheck = [];\n    this.execute = [\n      {\n        description: `Remove cipherstash ${index} search config for ${table}.${column}`,\n        sql: `SELECT eql_v2.remove_search_config(${sqlLiteral(table)}, ${sqlLiteral(column)}, ${sqlLiteral(index)});`,\n      },\n    ];\n    this.postcheck = [];\n    this.freeze();\n  }\n\n  get factoryName(): 'cipherstashRemoveSearchConfig' {\n    return 'cipherstashRemoveSearchConfig';\n  }\n\n  get table(): string {\n    return this.#args.table;\n  }\n\n  get column(): string {\n    return this.#args.column;\n  }\n\n  get index(): CipherstashSearchIndex {\n    return this.#args.index;\n  }\n\n  renderTypeScript(): string {\n    return `cipherstashRemoveSearchConfig(${jsonToTsSource({\n      table: this.#args.table,\n      column: this.#args.column,\n      index: this.#args.index,\n    })})`;\n  }\n}\n\n/**\n * Public factory: register a cipherstash search-config row.\n *\n * Use from a hand-written migration when you need to wire EQL\n * search-config alongside a `createTable` / `addColumn`. The\n * `Encrypted<string>` codec hook calls this factory automatically when\n * planning a contract diff that adds a `searchable: true` column.\n *\n * Returns the {@link CipherstashAddSearchConfigCall} IR node, which\n * implements `OpFactoryCall` and is itself a `SqlMigrationPlanOperation`\n * (its readonly op-shaped fields are populated in the constructor) — so\n * the same value flows through both the renderer (planner-time IR) and\n * the runtime ops list (`Migration.operations`) without an extra\n * lowering step at the call site.\n */\nexport function cipherstashAddSearchConfig(\n  args: CipherstashSearchConfigArgs,\n): CipherstashAddSearchConfigCall {\n  return new CipherstashAddSearchConfigCall(\n    args.table,\n    args.column,\n    args.index,\n    args.castAs ?? DEFAULT_CAST_AS,\n  );\n}\n\n/**\n * Public factory: invert {@link cipherstashAddSearchConfig} for the\n * same (table, column, index) tuple.\n *\n * Returns the {@link CipherstashRemoveSearchConfigCall} IR node — see\n * {@link cipherstashAddSearchConfig} for the rationale.\n */\nexport function cipherstashRemoveSearchConfig(\n  args: CipherstashSearchConfigArgs,\n): CipherstashRemoveSearchConfigCall {\n  return new CipherstashRemoveSearchConfigCall(args.table, args.column, args.index);\n}\n"],"mappings":";;;AAsCA,MAAM,+BAA+B;;AAGrC,MAAM,kBAAkB;;;;;;;AAqCxB,SAAS,WAAW,OAAuB;CACzC,OAAO,IAAI,MAAM,QAAQ,MAAM,KAAK,CAAC;;AAGvC,SAAS,eACP,WACA,WACA,QACA,WACQ;CACR,OAAO,qBAAqB,UAAU,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU;;;;;;;;;;;;;;;;;;;;;;;;AAyB5E,IAAe,+BAAf,cAAoD,aAAsC;CAWxF,qBAAmD;EACjD,OAAO,CAAC;GAAE,iBAAiB;GAA8B,QAAQ,KAAK;GAAa,CAAC;;;;;;;;CAStF,OAAsB;EACpB,OAAO;GACL,IAAI,KAAK;GACT,OAAO,KAAK;GACZ,gBAAgB,KAAK;GACrB,aAAa,KAAK;GAClB,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,SAAS,KAAK;GACd,WAAW,KAAK;GACjB;;CAGH,SAAyB;EACvB,OAAO,OAAO,KAAK;;;AAiBvB,IAAa,iCAAb,cAAoD,6BAA6B;CAC/E;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CAMA;CAEA,YACE,OACA,QACA,OACA,SAAiB,iBACjB;EACA,OAAO;EACP,KAAKA,QAAQ;GAAE;GAAO;GAAQ;GAAO;GAAQ;EAK7C,KAAK,KAAK,qBAAqB,MAAM,GAAG,OAAO,qBAAqB;EACpE,KAAK,QAAQ,gCAAgC,MAAM,GAAG;EACtD,KAAK,iBAAiB;EACtB,KAAK,cAAc,eAAe,OAAO,QAAQ,qBAAqB,MAAM;EAC5E,KAAK,SAAS,EAAE,IAAI,YAAY;EAChC,KAAK,WAAW,EAAE;EAClB,KAAK,UAAU,CACb;GACE,aAAa,wBAAwB,MAAM,qBAAqB,MAAM,GAAG;GACzE,KAAK,mCAAmC,WAAW,MAAM,CAAC,IAAI,WAAW,OAAO,CAAC,IAAI,WAAW,MAAM,CAAC,IAAI,WAAW,OAAO,CAAC;GAC/H,CACF;EACD,KAAK,YAAY,EAAE;EACnB,KAAK,QAAQ;;CAGf,IAAI,cAA4C;EAC9C,OAAO;;CAGT,IAAI,QAAgB;EAClB,OAAO,KAAKA,MAAM;;CAGpB,IAAI,SAAiB;EACnB,OAAO,KAAKA,MAAM;;CAGpB,IAAI,QAAgC;EAClC,OAAO,KAAKA,MAAM;;CAGpB,IAAI,SAAiB;EACnB,OAAO,KAAKA,MAAM;;CAGpB,mBAA2B;EAOzB,OAAO,8BAA8B,eAAe;GALlD,OAAO,KAAKA,MAAM;GAClB,QAAQ,KAAKA,MAAM;GACnB,OAAO,KAAKA,MAAM;GAClB,GAAG,UAAU,UAAU,KAAKA,MAAM,WAAW,kBAAkB,KAAKA,MAAM,SAAS,KAAA,EAAU;GAEvC,CAAC,CAAC;;;AAoB9D,IAAa,oCAAb,cAAuD,6BAA6B;CAClF;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CAEA;CAEA,YAAY,OAAe,QAAgB,OAA+B;EACxE,OAAO;EACP,KAAKA,QAAQ;GAAE;GAAO;GAAQ;GAAO;EACrC,KAAK,KAAK,qBAAqB,MAAM,GAAG,OAAO,wBAAwB;EACvE,KAAK,QAAQ,iCAAiC,MAAM,GAAG;EACvD,KAAK,iBAAiB;EACtB,KAAK,cAAc,eAAe,OAAO,QAAQ,wBAAwB,MAAM;EAC/E,KAAK,SAAS,EAAE,IAAI,YAAY;EAChC,KAAK,WAAW,EAAE;EAClB,KAAK,UAAU,CACb;GACE,aAAa,sBAAsB,MAAM,qBAAqB,MAAM,GAAG;GACvE,KAAK,sCAAsC,WAAW,MAAM,CAAC,IAAI,WAAW,OAAO,CAAC,IAAI,WAAW,MAAM,CAAC;GAC3G,CACF;EACD,KAAK,YAAY,EAAE;EACnB,KAAK,QAAQ;;CAGf,IAAI,cAA+C;EACjD,OAAO;;CAGT,IAAI,QAAgB;EAClB,OAAO,KAAKA,MAAM;;CAGpB,IAAI,SAAiB;EACnB,OAAO,KAAKA,MAAM;;CAGpB,IAAI,QAAgC;EAClC,OAAO,KAAKA,MAAM;;CAGpB,mBAA2B;EACzB,OAAO,iCAAiC,eAAe;GACrD,OAAO,KAAKA,MAAM;GAClB,QAAQ,KAAKA,MAAM;GACnB,OAAO,KAAKA,MAAM;GACnB,CAAC,CAAC;;;;;;;;;;;;;;;;;;AAmBP,SAAgB,2BACd,MACgC;CAChC,OAAO,IAAI,+BACT,KAAK,OACL,KAAK,QACL,KAAK,OACL,KAAK,UAAU,gBAChB;;;;;;;;;AAUH,SAAgB,8BACd,MACmC;CACnC,OAAO,IAAI,kCAAkC,KAAK,OAAO,KAAK,QAAQ,KAAK,MAAM"}

package/dist/column-types.d.mts

@@ -0,0 +1,33 @@
+import { n as CIPHERSTASH_STRING_CODEC_ID, r as EQL_V2_ENCRYPTED_TYPE } from "./constants-BDxL9Pe3.mjs";
+
+//#region src/exports/column-types.d.ts
+/**
+ * Search-mode parameters for `encryptedString({...})`. Both flags are
+ * optional and default to `true` when omitted.
+ */
+interface EncryptedStringOptions {
+  readonly equality?: boolean;
+  readonly freeTextSearch?: boolean;
+}
+interface EncryptedStringColumnDescriptor {
+  readonly codecId: typeof CIPHERSTASH_STRING_CODEC_ID;
+  readonly nativeType: typeof EQL_V2_ENCRYPTED_TYPE;
+  readonly typeParams: {
+    readonly equality: boolean;
+    readonly freeTextSearch: boolean;
+  };
+}
+/**
+ * `encryptedString({ equality?, freeTextSearch? })` — TS contract
+ * factory that lowers to a `ColumnTypeDescriptor` with the
+ * `cipherstash/string@1` codec and the `eql_v2_encrypted` Postgres
+ * native type. The two boolean flags become `typeParams.equality` and
+ * `typeParams.freeTextSearch`. Both default to `true`.
+ *
+ * The shape matches what the PSL constructor
+ * `cipherstash.EncryptedString({...})` lowers to, byte-for-byte.
+ */
+declare function encryptedString(options?: EncryptedStringOptions): EncryptedStringColumnDescriptor;
+//#endregion
+export { EncryptedStringColumnDescriptor, EncryptedStringOptions, encryptedString };
+//# sourceMappingURL=column-types.d.mts.map

package/dist/column-types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"column-types.d.mts","names":[],"sources":["../src/exports/column-types.ts"],"mappings":";;;;;;;UA0BiB,sBAAA;EAAA,SACN,QAAA;EAAA,SACA,cAAA;AAAA;AAAA,UAGM,+BAAA;EAAA,SACN,OAAA,SAAgB,2BAAA;EAAA,SAChB,UAAA,SAAmB,qBAAA;EAAA,SACnB,UAAA;IAAA,SACE,QAAA;IAAA,SACA,cAAA;EAAA;AAAA;;;;;;;;;;;iBAcG,eAAA,CACd,OAAA,GAAS,sBAAA,GACR,+BAAA"}

package/dist/column-types.mjs

@@ -0,0 +1,42 @@
+import { a as EQL_V2_ENCRYPTED_TYPE, i as CIPHERSTASH_STRING_CODEC_ID } from "./constants-B_2TNvUi.mjs";
+//#region src/exports/column-types.ts
+/**
+* TS contract factory for cipherstash-encrypted string columns.
+*
+* Counterpart to the PSL constructor `cipherstash.EncryptedString({...})`
+* registered in `../contract/authoring.ts`. Both factories produce the same
+* `ColumnTypeDescriptor` shape so PSL- and TS-authored contracts emit
+* byte-identical `contract.json` (verified by the parity fixture under
+* `test/integration/test/authoring/parity/cipherstash-encrypted-string/`).
+*
+* Both flags default to `true` — searchable encryption is the
+* legitimate default for an extension whose entire reason for existing
+* is to make encrypted columns queryable. Users who want storage-only
+* encryption opt out explicitly: `encryptedString({ equality: false,
+* freeTextSearch: false })`. Mirrors the PSL constructor's `true`
+* defaults declared via `AuthoringArgRef.default`.
+*/
+/**
+* `encryptedString({ equality?, freeTextSearch? })` — TS contract
+* factory that lowers to a `ColumnTypeDescriptor` with the
+* `cipherstash/string@1` codec and the `eql_v2_encrypted` Postgres
+* native type. The two boolean flags become `typeParams.equality` and
+* `typeParams.freeTextSearch`. Both default to `true`.
+*
+* The shape matches what the PSL constructor
+* `cipherstash.EncryptedString({...})` lowers to, byte-for-byte.
+*/
+function encryptedString(options = {}) {
+	return {
+		codecId: CIPHERSTASH_STRING_CODEC_ID,
+		nativeType: EQL_V2_ENCRYPTED_TYPE,
+		typeParams: {
+			equality: options.equality ?? true,
+			freeTextSearch: options.freeTextSearch ?? true
+		}
+	};
+}
+//#endregion
+export { encryptedString };
+
+//# sourceMappingURL=column-types.mjs.map

package/dist/column-types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"column-types.mjs","names":[],"sources":["../src/exports/column-types.ts"],"sourcesContent":["/**\n * TS contract factory for cipherstash-encrypted string columns.\n *\n * Counterpart to the PSL constructor `cipherstash.EncryptedString({...})`\n * registered in `../contract/authoring.ts`. Both factories produce the same\n * `ColumnTypeDescriptor` shape so PSL- and TS-authored contracts emit\n * byte-identical `contract.json` (verified by the parity fixture under\n * `test/integration/test/authoring/parity/cipherstash-encrypted-string/`).\n *\n * Both flags default to `true` — searchable encryption is the\n * legitimate default for an extension whose entire reason for existing\n * is to make encrypted columns queryable. Users who want storage-only\n * encryption opt out explicitly: `encryptedString({ equality: false,\n * freeTextSearch: false })`. Mirrors the PSL constructor's `true`\n * defaults declared via `AuthoringArgRef.default`.\n */\n\nimport {\n  CIPHERSTASH_STRING_CODEC_ID,\n  EQL_V2_ENCRYPTED_TYPE,\n} from '../extension-metadata/constants';\n\n/**\n * Search-mode parameters for `encryptedString({...})`. Both flags are\n * optional and default to `true` when omitted.\n */\nexport interface EncryptedStringOptions {\n  readonly equality?: boolean;\n  readonly freeTextSearch?: boolean;\n}\n\nexport interface EncryptedStringColumnDescriptor {\n  readonly codecId: typeof CIPHERSTASH_STRING_CODEC_ID;\n  readonly nativeType: typeof EQL_V2_ENCRYPTED_TYPE;\n  readonly typeParams: {\n    readonly equality: boolean;\n    readonly freeTextSearch: boolean;\n  };\n}\n\n/**\n * `encryptedString({ equality?, freeTextSearch? })` — TS contract\n * factory that lowers to a `ColumnTypeDescriptor` with the\n * `cipherstash/string@1` codec and the `eql_v2_encrypted` Postgres\n * native type. The two boolean flags become `typeParams.equality` and\n * `typeParams.freeTextSearch`. Both default to `true`.\n *\n * The shape matches what the PSL constructor\n * `cipherstash.EncryptedString({...})` lowers to, byte-for-byte.\n */\nexport function encryptedString(\n  options: EncryptedStringOptions = {},\n): EncryptedStringColumnDescriptor {\n  return {\n    codecId: CIPHERSTASH_STRING_CODEC_ID,\n    nativeType: EQL_V2_ENCRYPTED_TYPE,\n    typeParams: {\n      equality: options.equality ?? true,\n      freeTextSearch: options.freeTextSearch ?? true,\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,SAAgB,gBACd,UAAkC,EAAE,EACH;CACjC,OAAO;EACL,SAAS;EACT,YAAY;EACZ,YAAY;GACV,UAAU,QAAQ,YAAY;GAC9B,gBAAgB,QAAQ,kBAAkB;GAC3C;EACF"}

package/dist/constants-BDxL9Pe3.d.mts

@@ -0,0 +1,22 @@
+//#region src/extension-metadata/constants.d.ts
+/**
+ * Version advertised by both `cipherstashPackMeta.version` (control plane)
+ * and the SDK-bound `SqlRuntimeExtensionDescriptor` (runtime plane).
+ *
+ * Single source of truth so the descriptor surfaces and the contract-emit
+ * pack metadata cannot drift apart; consumed downstream by capability
+ * gating and contract round-trips.
+ */
+declare const CIPHERSTASH_EXTENSION_VERSION: "0.0.1";
+/**
+ * Codec id the application-side `Encrypted<string>` lowering targets.
+ * Lives here so the codec lifecycle hook (which emits
+ * `add_search_config` / `remove_search_config` ops on field events) and
+ * the descriptor's `controlPlaneHooks` wiring share the same constant.
+ */
+declare const CIPHERSTASH_STRING_CODEC_ID = "cipherstash/string@1";
+/** JSONB-domain composite type user `Encrypted<string>` columns reference. */
+declare const EQL_V2_ENCRYPTED_TYPE = "eql_v2_encrypted";
+//#endregion
+export { CIPHERSTASH_STRING_CODEC_ID as n, EQL_V2_ENCRYPTED_TYPE as r, CIPHERSTASH_EXTENSION_VERSION as t };
+//# sourceMappingURL=constants-BDxL9Pe3.d.mts.map

package/dist/constants-BDxL9Pe3.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants-BDxL9Pe3.d.mts","names":[],"sources":["../src/extension-metadata/constants.ts"],"mappings":";;;;;;;;;cAyBa,6BAAA;;;;;;;cAQA,2BAAA;;cAYA,qBAAA"}

package/dist/constants-B_2TNvUi.mjs

@@ -0,0 +1,46 @@
+//#region src/extension-metadata/constants.ts
+/**
+* Static names and identifiers used across CipherStash's contract space.
+*
+* Centralising the strings here so:
+*   - the contract IR (`./contract`), the migration ops (`./migrations`),
+*     the head ref (`./head-ref`), and the descriptor (`../exports/control`)
+*     all reference the same values without typos;
+*   - the `cipherstash:*` invariantId namespace is locked in one place
+*     (once published, an invariantId cannot be renamed).
+*
+* The space identifier `'cipherstash'` is what the framework writes to
+* `migrations/cipherstash/` in the user's repo and what the marker table's
+* `space` column carries for CipherStash-owned rows.
+*/
+const CIPHERSTASH_SPACE_ID = "cipherstash";
+/**
+* Version advertised by both `cipherstashPackMeta.version` (control plane)
+* and the SDK-bound `SqlRuntimeExtensionDescriptor` (runtime plane).
+*
+* Single source of truth so the descriptor surfaces and the contract-emit
+* pack metadata cannot drift apart; consumed downstream by capability
+* gating and contract round-trips.
+*/
+const CIPHERSTASH_EXTENSION_VERSION = "0.0.1";
+/**
+* Codec id the application-side `Encrypted<string>` lowering targets.
+* Lives here so the codec lifecycle hook (which emits
+* `add_search_config` / `remove_search_config` ops on field events) and
+* the descriptor's `controlPlaneHooks` wiring share the same constant.
+*/
+const CIPHERSTASH_STRING_CODEC_ID = "cipherstash/string@1";
+/** JSONB-domain composite type user `Encrypted<string>` columns reference. */
+const EQL_V2_ENCRYPTED_TYPE = "eql_v2_encrypted";
+/**
+* Migration directory name for the baseline.
+*
+* Per the framework's per-space layout convention this name is
+* preserved verbatim when the framework writes the package to
+* `migrations/cipherstash/<this-name>/` in the user's repo.
+*/
+const CIPHERSTASH_BASELINE_MIGRATION_NAME = "20260601T0000_install_eql_bundle";
+//#endregion
+export { EQL_V2_ENCRYPTED_TYPE as a, CIPHERSTASH_STRING_CODEC_ID as i, CIPHERSTASH_EXTENSION_VERSION as n, CIPHERSTASH_SPACE_ID as r, CIPHERSTASH_BASELINE_MIGRATION_NAME as t };
+
+//# sourceMappingURL=constants-B_2TNvUi.mjs.map

package/dist/constants-B_2TNvUi.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants-B_2TNvUi.mjs","names":[],"sources":["../src/extension-metadata/constants.ts"],"sourcesContent":["/**\n * Static names and identifiers used across CipherStash's contract space.\n *\n * Centralising the strings here so:\n *   - the contract IR (`./contract`), the migration ops (`./migrations`),\n *     the head ref (`./head-ref`), and the descriptor (`../exports/control`)\n *     all reference the same values without typos;\n *   - the `cipherstash:*` invariantId namespace is locked in one place\n *     (once published, an invariantId cannot be renamed).\n *\n * The space identifier `'cipherstash'` is what the framework writes to\n * `migrations/cipherstash/` in the user's repo and what the marker table's\n * `space` column carries for CipherStash-owned rows.\n */\n\nexport const CIPHERSTASH_SPACE_ID = 'cipherstash';\n\n/**\n * Version advertised by both `cipherstashPackMeta.version` (control plane)\n * and the SDK-bound `SqlRuntimeExtensionDescriptor` (runtime plane).\n *\n * Single source of truth so the descriptor surfaces and the contract-emit\n * pack metadata cannot drift apart; consumed downstream by capability\n * gating and contract round-trips.\n */\nexport const CIPHERSTASH_EXTENSION_VERSION = '0.0.1' as const;\n\n/**\n * Codec id the application-side `Encrypted<string>` lowering targets.\n * Lives here so the codec lifecycle hook (which emits\n * `add_search_config` / `remove_search_config` ops on field events) and\n * the descriptor's `controlPlaneHooks` wiring share the same constant.\n */\nexport const CIPHERSTASH_STRING_CODEC_ID = 'cipherstash/string@1';\n\n/** Schema CipherStash installs its functions/operators/casts/types into. */\nexport const EQL_V2_SCHEMA = 'eql_v2';\n\n/** Configuration table used by EQL's per-column index configuration. */\nexport const EQL_V2_CONFIGURATION_TABLE = 'eql_v2_configuration';\n\n/** Enum type backing the `state` column on `eql_v2_configuration`. */\nexport const EQL_V2_CONFIGURATION_STATE_TYPE = 'eql_v2_configuration_state';\n\n/** JSONB-domain composite type user `Encrypted<string>` columns reference. */\nexport const EQL_V2_ENCRYPTED_TYPE = 'eql_v2_encrypted';\n\n/**\n * Migration directory name for the baseline.\n *\n * Per the framework's per-space layout convention this name is\n * preserved verbatim when the framework writes the package to\n * `migrations/cipherstash/<this-name>/` in the user's repo.\n */\nexport const CIPHERSTASH_BASELINE_MIGRATION_NAME = '20260601T0000_install_eql_bundle';\n\n/**\n * `cipherstash:*` invariantIds emitted by the baseline migration. Each\n * `cipherstash:*` id, once published, is immutable: downstream\n * consumers (other extensions, the marker table) reference them by\n * literal string match.\n *\n * Today the baseline emits a single op (`installBundle`); the bundle\n * SQL is the source of truth for every typed object it creates inside\n * the `eql_v2` schema. New bundle versions or additional structural\n * ops will mint new `cipherstash:*` ids alongside this entry.\n */\nexport const CIPHERSTASH_INVARIANTS = {\n  installBundle: 'cipherstash:install-eql-bundle-v1',\n} as const;\n"],"mappings":";;;;;;;;;;;;;;;AAeA,MAAa,uBAAuB;;;;;;;;;AAUpC,MAAa,gCAAgC;;;;;;;AAQ7C,MAAa,8BAA8B;;AAY3C,MAAa,wBAAwB;;;;;;;;AASrC,MAAa,sCAAsC"}

package/dist/control.d.mts

@@ -0,0 +1,7 @@
+import { SqlControlExtensionDescriptor } from "@prisma-next/family-sql/control";
+
+//#region src/exports/control.d.ts
+declare const cipherstashExtensionDescriptor: SqlControlExtensionDescriptor<'postgres'>;
+//#endregion
+export { cipherstashExtensionDescriptor, cipherstashExtensionDescriptor as default };
+//# sourceMappingURL=control.d.mts.map

package/dist/control.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"control.d.mts","names":[],"sources":["../src/exports/control.ts"],"mappings":";;;cAuFM,8BAAA,EAAgC,6BAAA"}