@prisma-next/extension-cipherstash 0.0.1

package/dist/middleware.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.mjs","names":[],"sources":["../src/execution/routing.ts","../src/middleware/bulk-encrypt.ts"],"sourcesContent":["/**\n * Routing-key derivation for cipherstash bulk operations.\n *\n * The routing key is derived from the envelope handle's\n * `(table, column)` — there is no per-column override surface. Every\n * cipherstash envelope passing through `bulkEncryptMiddleware` (and\n * `decryptAll`) carries `(table, column)` on its handle, populated by\n * the middleware's AST walk before the bulk-encrypt phase begins.\n *\n * `groupByRoutingKey` produces one homogeneous group per\n * `(table, column)` pair so each `bulkEncrypt` call serves a single\n * routing key — matching the SDK's\n * `bulkEncrypt({ routingKey, values, signal })` shape. Heterogeneous\n * batching is a future optimization.\n */\n\nimport type { EncryptedString } from './envelope';\nimport type { CipherstashRoutingKey } from './sdk';\n\n/**\n * Per-target context the bulk-encrypt middleware accumulates while\n * walking `params.entries()`. Each target carries the envelope, its\n * routing key (derived from the handle), the plaintext to encrypt, and\n * the param-ref handle the mutator yielded so the post-encrypt\n * `replaceValues` write-back can find the slot.\n */\nexport interface BulkEncryptTarget<TRef = unknown> {\n  readonly ref: TRef;\n  readonly plaintext: string;\n  readonly envelope: EncryptedString;\n  readonly routingKey: CipherstashRoutingKey;\n}\n\n/**\n * Stable string key used to group targets by their `(table, column)`\n * routing key. Exported for tests; not part of the package's public\n * surface. Uses a NUL byte as the separator so the id never collides\n * across pairs whose names happen to share a literal concatenation\n * (e.g. `(a, bc)` vs `(ab, c)`).\n */\nexport function routingKeyId(routingKey: CipherstashRoutingKey): string {\n  return `${routingKey.table}\\u0000${routingKey.column}`;\n}\n\n/**\n * Read the routing key from an envelope's internal handle. Throws if\n * the handle's `(table, column)` slots are unset — which happens when\n * the bulk-encrypt middleware's AST walk did not see this envelope\n * (typical cause: the envelope was passed in a context the AST walk\n * does not yet handle, e.g. a raw-SQL plan with no `InsertAst` /\n * `UpdateAst` arm). The throw matches the codec's\n * \"missing ciphertext\" diagnostic shape: it points at the workflow that\n * should have populated the slot.\n */\nexport function getRoutingKey(envelope: EncryptedString): CipherstashRoutingKey {\n  const handle = envelope.expose();\n  if (handle.table === undefined || handle.column === undefined) {\n    throw new Error(\n      'cipherstash bulk-encrypt: envelope has no (table, column) routing context. ' +\n        'The bulk-encrypt middleware stamps routing context from the lowered AST ' +\n        '(insert/update); raw-SQL plans embedding cipherstash envelopes must stamp ' +\n        'routing context explicitly before execute.',\n    );\n  }\n  return { table: handle.table, column: handle.column };\n}\n\n/**\n * Group bulk-encrypt targets by `(table, column)` routing key. Each\n * `Map` entry yields one homogeneous batch suitable for a single\n * `sdk.bulkEncrypt({ routingKey, values, signal })` call.\n *\n * Order preservation: within each group, targets keep the order they\n * were collected from `params.entries()` — which is the canonical\n * ParamRef order the renderer's `$N` index map and the encode-side walk\n * both consume. Iteration order across groups follows the order each\n * routing key was first observed in the input.\n */\nexport function groupByRoutingKey<TRef>(\n  targets: ReadonlyArray<BulkEncryptTarget<TRef>>,\n): Map<string, BulkEncryptTarget<TRef>[]> {\n  const groups = new Map<string, BulkEncryptTarget<TRef>[]>();\n  for (const target of targets) {\n    const id = routingKeyId(target.routingKey);\n    let group = groups.get(id);\n    if (!group) {\n      group = [];\n      groups.set(id, group);\n    }\n    group.push(target);\n  }\n  return groups;\n}\n","/**\n * Bulk-encrypt middleware for cipherstash envelopes.\n *\n * The middleware sits in the SQL runtime's `beforeExecute` chain and:\n *\n * 1. Walks the lowered query AST (`InsertAst` / `UpdateAst`) and stamps\n *    `(table, column)` routing context onto every `EncryptedString`\n *    envelope embedded in a `ParamRef`. The handle's `(table, column)`\n *    slots are the canonical input to {@link groupByRoutingKey}; this\n *    walk is the single place the AST's structural column metadata gets\n *    attached to the envelopes the SDK will see.\n *\n * 2. Iterates `params.entries()` to collect every cipherstash-codec'd\n *    `ParamRef` whose value is an `EncryptedString`, groups them by\n *    routing key, and issues exactly one `sdk.bulkEncrypt(...)` call\n *    per group. Routing-key derivation is `(table, column)` —\n *    homogeneous batches only.\n *\n * 3. Stamps each returned ciphertext onto the envelope's handle via\n *    `setHandleCiphertext` and writes the envelope back through\n *    `params.replaceValues` so the runtime's `currentParams()` view\n *    reflects the post-mutation slot. The handle's `plaintext` slot\n *    is **retained** — `envelope.decrypt()` continues to return the\n *    plaintext synchronously without consulting the SDK.\n *\n * Cancellation: `ctx.signal` is forwarded by identity to every\n * `bulkEncrypt` call via `ifDefined`; the SDK is responsible for\n * honoring it. The awaiting middleware also races the SDK promise\n * against `ctx.signal` via `raceCipherstashAbort` so a caller-side\n * abort surfaces a `RUNTIME.ABORTED { phase: 'bulk-encrypt' }`\n * envelope promptly even when the SDK body itself ignores the signal.\n * A pre-flight `checkCipherstashAborted` short-circuits before any\n * SDK round-trip is scheduled when the signal is already aborted at\n * entry.\n */\n\nimport type {\n  AnyQueryAst,\n  ColumnRef,\n  DefaultValueExpr,\n  InsertAst,\n  ParamRef,\n  UpdateAst,\n} from '@prisma-next/sql-relational-core/ast';\nimport type {\n  ParamRefHandle,\n  SqlParamRefMutator,\n} from '@prisma-next/sql-relational-core/middleware';\nimport type { SqlMiddleware } from '@prisma-next/sql-runtime';\nimport { ifDefined } from '@prisma-next/utils/defined';\nimport { checkCipherstashAborted, raceCipherstashAbort } from '../execution/abort';\nimport { EncryptedString, setHandleCiphertext, setHandleRoutingKey } from '../execution/envelope';\nimport { type BulkEncryptTarget, groupByRoutingKey } from '../execution/routing';\nimport type { CipherstashSdk } from '../execution/sdk';\nimport { CIPHERSTASH_STRING_CODEC_ID } from '../extension-metadata/constants';\n\n/**\n * Construct the bulk-encrypt middleware. The returned middleware is\n * stateless aside from the captured `sdk` reference; one instance per\n * runtime extension is the expected pattern.\n */\nexport function bulkEncryptMiddleware(sdk: CipherstashSdk): SqlMiddleware {\n  return {\n    name: 'cipherstash.bulk-encrypt',\n    familyId: 'sql',\n    async beforeExecute(plan, ctx, params) {\n      if (!params) {\n        return;\n      }\n\n      stampRoutingKeysFromAst(plan.ast);\n\n      const targets = collectTargets(params);\n      if (targets.length === 0) {\n        return;\n      }\n\n      const groups = groupByRoutingKey(targets);\n      for (const [groupKey, group] of groups) {\n        const first = group[0];\n        if (!first) continue;\n        const routingKey = first.routingKey;\n\n        checkCipherstashAborted(ctx.signal, 'bulk-encrypt');\n        const ciphertexts = await raceCipherstashAbort(\n          sdk.bulkEncrypt({\n            routingKey,\n            values: group.map((t) => t.plaintext),\n            ...ifDefined('signal', ctx.signal),\n          }),\n          ctx.signal,\n          'bulk-encrypt',\n        );\n\n        if (ciphertexts.length !== group.length) {\n          throw new Error(\n            `cipherstash bulk-encrypt: SDK returned ${ciphertexts.length} ciphertexts ` +\n              `for routing key ${groupKey} but ${group.length} were requested.`,\n          );\n        }\n\n        params.replaceValues(\n          group.map((t, i) => {\n            const ciphertext = ciphertexts[i];\n            setHandleCiphertext(t.envelope, ciphertext);\n            return { ref: t.ref, newValue: t.envelope };\n          }),\n        );\n      }\n    },\n  };\n}\n\nfunction collectTargets(\n  params: SqlParamRefMutator,\n): BulkEncryptTarget<ParamRefHandle<string | undefined>>[] {\n  const targets: BulkEncryptTarget<ParamRefHandle<string | undefined>>[] = [];\n  for (const entry of params.entries()) {\n    if (entry.codecId !== CIPHERSTASH_STRING_CODEC_ID) continue;\n    const value = entry.value;\n    if (!(value instanceof EncryptedString)) continue;\n    const handle = value.expose();\n    if (handle.plaintext === undefined) {\n      throw new Error(\n        'cipherstash bulk-encrypt: encountered an envelope with no plaintext on the write path. ' +\n          'Use `EncryptedString.from(plaintext)` to construct write-side envelopes.',\n      );\n    }\n    if (handle.table === undefined || handle.column === undefined) {\n      throw new Error(\n        'cipherstash bulk-encrypt: envelope reached the bulk-encrypt phase without a (table, column) ' +\n          \"routing context. The middleware's AST walk only handles `InsertAst` and `UpdateAst`; \" +\n          'cipherstash envelopes embedded in other plan shapes (e.g. raw SQL) must stamp routing ' +\n          'context explicitly via `setHandleRoutingKey` before execute.',\n      );\n    }\n    targets.push({\n      ref: entry.ref,\n      plaintext: handle.plaintext,\n      envelope: value,\n      routingKey: { table: handle.table, column: handle.column },\n    });\n  }\n  return targets;\n}\n\nfunction stampRoutingKeysFromAst(ast: AnyQueryAst | undefined): void {\n  if (!ast) return;\n  switch (ast.kind) {\n    case 'insert':\n      stampInsert(ast);\n      return;\n    case 'update':\n      stampUpdate(ast);\n      return;\n    default:\n      return;\n  }\n}\n\nfunction stampInsert(ast: InsertAst): void {\n  const tableName = ast.table.name;\n  for (const row of ast.rows) {\n    for (const [column, value] of Object.entries(row)) {\n      stampParamRefIfEnvelope(value, tableName, column);\n    }\n  }\n  if (ast.onConflict?.action.kind === 'do-update-set') {\n    for (const [column, value] of Object.entries(ast.onConflict.action.set)) {\n      stampParamRefIfEnvelope(value, tableName, column);\n    }\n  }\n}\n\nfunction stampUpdate(ast: UpdateAst): void {\n  const tableName = ast.table.name;\n  for (const [column, value] of Object.entries(ast.set)) {\n    stampParamRefIfEnvelope(value, tableName, column);\n  }\n}\n\nfunction stampParamRefIfEnvelope(\n  value: ColumnRef | ParamRef | DefaultValueExpr,\n  table: string,\n  column: string,\n): void {\n  if (value.kind !== 'param-ref') return;\n  const inner = value.value;\n  if (inner instanceof EncryptedString) {\n    setHandleRoutingKey(inner, table, column);\n  }\n}\n"],"mappings":";;;;;;;;;;;AAwCA,SAAgB,aAAa,YAA2C;CACtE,OAAO,GAAG,WAAW,MAAM,QAAQ,WAAW;;;;;;;;;;;;;AAqChD,SAAgB,kBACd,SACwC;CACxC,MAAM,yBAAS,IAAI,KAAwC;CAC3D,KAAK,MAAM,UAAU,SAAS;EAC5B,MAAM,KAAK,aAAa,OAAO,WAAW;EAC1C,IAAI,QAAQ,OAAO,IAAI,GAAG;EAC1B,IAAI,CAAC,OAAO;GACV,QAAQ,EAAE;GACV,OAAO,IAAI,IAAI,MAAM;;EAEvB,MAAM,KAAK,OAAO;;CAEpB,OAAO;;;;;;;;;AC9BT,SAAgB,sBAAsB,KAAoC;CACxE,OAAO;EACL,MAAM;EACN,UAAU;EACV,MAAM,cAAc,MAAM,KAAK,QAAQ;GACrC,IAAI,CAAC,QACH;GAGF,wBAAwB,KAAK,IAAI;GAEjC,MAAM,UAAU,eAAe,OAAO;GACtC,IAAI,QAAQ,WAAW,GACrB;GAGF,MAAM,SAAS,kBAAkB,QAAQ;GACzC,KAAK,MAAM,CAAC,UAAU,UAAU,QAAQ;IACtC,MAAM,QAAQ,MAAM;IACpB,IAAI,CAAC,OAAO;IACZ,MAAM,aAAa,MAAM;IAEzB,wBAAwB,IAAI,QAAQ,eAAe;IACnD,MAAM,cAAc,MAAM,qBACxB,IAAI,YAAY;KACd;KACA,QAAQ,MAAM,KAAK,MAAM,EAAE,UAAU;KACrC,GAAG,UAAU,UAAU,IAAI,OAAO;KACnC,CAAC,EACF,IAAI,QACJ,eACD;IAED,IAAI,YAAY,WAAW,MAAM,QAC/B,MAAM,IAAI,MACR,0CAA0C,YAAY,OAAO,+BACxC,SAAS,OAAO,MAAM,OAAO,kBACnD;IAGH,OAAO,cACL,MAAM,KAAK,GAAG,MAAM;KAClB,MAAM,aAAa,YAAY;KAC/B,oBAAoB,EAAE,UAAU,WAAW;KAC3C,OAAO;MAAE,KAAK,EAAE;MAAK,UAAU,EAAE;MAAU;MAC3C,CACH;;;EAGN;;AAGH,SAAS,eACP,QACyD;CACzD,MAAM,UAAmE,EAAE;CAC3E,KAAK,MAAM,SAAS,OAAO,SAAS,EAAE;EACpC,IAAI,MAAM,YAAA,wBAAyC;EACnD,MAAM,QAAQ,MAAM;EACpB,IAAI,EAAE,iBAAiB,kBAAkB;EACzC,MAAM,SAAS,MAAM,QAAQ;EAC7B,IAAI,OAAO,cAAc,KAAA,GACvB,MAAM,IAAI,MACR,kKAED;EAEH,IAAI,OAAO,UAAU,KAAA,KAAa,OAAO,WAAW,KAAA,GAClD,MAAM,IAAI,MACR,sUAID;EAEH,QAAQ,KAAK;GACX,KAAK,MAAM;GACX,WAAW,OAAO;GAClB,UAAU;GACV,YAAY;IAAE,OAAO,OAAO;IAAO,QAAQ,OAAO;IAAQ;GAC3D,CAAC;;CAEJ,OAAO;;AAGT,SAAS,wBAAwB,KAAoC;CACnE,IAAI,CAAC,KAAK;CACV,QAAQ,IAAI,MAAZ;EACE,KAAK;GACH,YAAY,IAAI;GAChB;EACF,KAAK;GACH,YAAY,IAAI;GAChB;EACF,SACE;;;AAIN,SAAS,YAAY,KAAsB;CACzC,MAAM,YAAY,IAAI,MAAM;CAC5B,KAAK,MAAM,OAAO,IAAI,MACpB,KAAK,MAAM,CAAC,QAAQ,UAAU,OAAO,QAAQ,IAAI,EAC/C,wBAAwB,OAAO,WAAW,OAAO;CAGrD,IAAI,IAAI,YAAY,OAAO,SAAS,iBAClC,KAAK,MAAM,CAAC,QAAQ,UAAU,OAAO,QAAQ,IAAI,WAAW,OAAO,IAAI,EACrE,wBAAwB,OAAO,WAAW,OAAO;;AAKvD,SAAS,YAAY,KAAsB;CACzC,MAAM,YAAY,IAAI,MAAM;CAC5B,KAAK,MAAM,CAAC,QAAQ,UAAU,OAAO,QAAQ,IAAI,IAAI,EACnD,wBAAwB,OAAO,WAAW,OAAO;;AAIrD,SAAS,wBACP,OACA,OACA,QACM;CACN,IAAI,MAAM,SAAS,aAAa;CAChC,MAAM,QAAQ,MAAM;CACpB,IAAI,iBAAiB,iBACnB,oBAAoB,OAAO,OAAO,OAAO"}

package/dist/migration.d.mts

@@ -0,0 +1,141 @@
+import { ImportRequirement, TsExpression } from "@prisma-next/ts-render";
+import { SqlMigrationPlanOperation } from "@prisma-next/family-sql/control";
+import { MigrationOperationClass, OpFactoryCall } from "@prisma-next/framework-components/control";
+
+//#region src/migration/call-classes.d.ts
+/**
+ * Two-valued enumeration matching the EQL search-config indices the
+ * cipherstash codec emits — one per enabled flag in
+ * `Encrypted<string>`'s `typeParams`:
+ *
+ *   - `equality: true`        → `'unique'` index
+ *   - `freeTextSearch: true`  → `'match'`  index
+ */
+type CipherstashSearchIndex = 'unique' | 'match';
+/**
+ * Args shape accepted by the public `cipherstashAddSearchConfig` /
+ * `cipherstashRemoveSearchConfig` factory functions.
+ *
+ * `castAs` defaults to `'text'` — matches the cipherstash codec hook's
+ * canonical output and the EQL bundle's expected cast for
+ * `eql_v2_encrypted` columns. Override only if you know the runtime
+ * cast for your column differs.
+ */
+interface CipherstashSearchConfigArgs {
+  readonly table: string;
+  readonly column: string;
+  readonly index: CipherstashSearchIndex;
+  readonly castAs?: string;
+}
+type CipherstashOp = SqlMigrationPlanOperation<unknown>;
+type OpStep = CipherstashOp['execute'][number];
+/**
+ * Base class for cipherstash migration IR nodes.
+ *
+ * Each instance is *both* an `OpFactoryCall` (renderable to TypeScript,
+ * lowerable to a runtime op via `toOp()`) and a structurally-valid
+ * {@link CipherstashOp} — `id`, `label`, `operationClass`,
+ * `invariantId`, `target`, `precheck`, `execute`, `postcheck` are
+ * stored as enumerable own properties, populated in the concrete
+ * subclass constructors. So when the planner-rendered `migration.ts`
+ * runs and the user's `operations` getter returns Call instances
+ * directly, both `MigrationOpSchema` validation (which checks `id` /
+ * `label` / `operationClass`) and `JSON.stringify` (which writes
+ * `ops.json`) see the runtime op shape unchanged.
+ *
+ * The cipherstash-specific identity fields (`factoryName`, `table`,
+ * `column`, `index`, `castAs`) live on the subclass prototype as
+ * accessor getters and on a per-instance backing record kept in a
+ * private slot (`#args`). Accessor properties on the class are
+ * non-enumerable, and the backing record is a private field, so
+ * `Object.keys(call)` and `canonicalizeJson(...)` see only the op
+ * fields — `ops.json` and `migrationHash` stay byte-stable.
+ */
+declare abstract class CipherstashOpFactoryCallNode extends TsExpression implements OpFactoryCall {
+  abstract get factoryName(): string;
+  abstract readonly operationClass: MigrationOperationClass;
+  abstract readonly label: string;
+  abstract readonly id: string;
+  abstract readonly invariantId: string;
+  abstract readonly target: {
+    readonly id: string;
+  };
+  abstract readonly precheck: readonly OpStep[];
+  abstract readonly execute: readonly OpStep[];
+  abstract readonly postcheck: readonly OpStep[];
+  importRequirements(): readonly ImportRequirement[];
+  /**
+   * Re-expose the runtime op view for callers that prefer to lower
+   * Calls explicitly (notably {@link renderOps} on the postgres lane).
+   * The returned object is a plain copy of this Call's op-shaped
+   * fields.
+   */
+  toOp(): CipherstashOp;
+  protected freeze(): void;
+}
+declare class CipherstashAddSearchConfigCall extends CipherstashOpFactoryCallNode {
+  #private;
+  readonly id: string;
+  readonly label: string;
+  readonly operationClass: 'additive';
+  readonly invariantId: string;
+  readonly target: {
+    readonly id: string;
+  };
+  readonly precheck: readonly OpStep[];
+  readonly execute: readonly OpStep[];
+  readonly postcheck: readonly OpStep[];
+  constructor(table: string, column: string, index: CipherstashSearchIndex, castAs?: string);
+  get factoryName(): 'cipherstashAddSearchConfig';
+  get table(): string;
+  get column(): string;
+  get index(): CipherstashSearchIndex;
+  get castAs(): string;
+  renderTypeScript(): string;
+}
+declare class CipherstashRemoveSearchConfigCall extends CipherstashOpFactoryCallNode {
+  #private;
+  readonly id: string;
+  readonly label: string;
+  readonly operationClass: 'destructive';
+  readonly invariantId: string;
+  readonly target: {
+    readonly id: string;
+  };
+  readonly precheck: readonly OpStep[];
+  readonly execute: readonly OpStep[];
+  readonly postcheck: readonly OpStep[];
+  constructor(table: string, column: string, index: CipherstashSearchIndex);
+  get factoryName(): 'cipherstashRemoveSearchConfig';
+  get table(): string;
+  get column(): string;
+  get index(): CipherstashSearchIndex;
+  renderTypeScript(): string;
+}
+/**
+ * Public factory: register a cipherstash search-config row.
+ *
+ * Use from a hand-written migration when you need to wire EQL
+ * search-config alongside a `createTable` / `addColumn`. The
+ * `Encrypted<string>` codec hook calls this factory automatically when
+ * planning a contract diff that adds a `searchable: true` column.
+ *
+ * Returns the {@link CipherstashAddSearchConfigCall} IR node, which
+ * implements `OpFactoryCall` and is itself a `SqlMigrationPlanOperation`
+ * (its readonly op-shaped fields are populated in the constructor) — so
+ * the same value flows through both the renderer (planner-time IR) and
+ * the runtime ops list (`Migration.operations`) without an extra
+ * lowering step at the call site.
+ */
+declare function cipherstashAddSearchConfig(args: CipherstashSearchConfigArgs): CipherstashAddSearchConfigCall;
+/**
+ * Public factory: invert {@link cipherstashAddSearchConfig} for the
+ * same (table, column, index) tuple.
+ *
+ * Returns the {@link CipherstashRemoveSearchConfigCall} IR node — see
+ * {@link cipherstashAddSearchConfig} for the rationale.
+ */
+declare function cipherstashRemoveSearchConfig(args: CipherstashSearchConfigArgs): CipherstashRemoveSearchConfigCall;
+//#endregion
+export { type CipherstashSearchConfigArgs, type CipherstashSearchIndex, cipherstashAddSearchConfig, cipherstashRemoveSearchConfig };
+//# sourceMappingURL=migration.d.mts.map

package/dist/migration.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration.d.mts","names":[],"sources":["../src/migration/call-classes.ts"],"mappings":";;;;;;;;;;;;;KAmDY,sBAAA;;;;;;;;;;UAWK,2BAAA;EAAA,SACN,KAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA,EAAO,sBAAA;EAAA,SACP,MAAA;AAAA;AAAA,KAGN,aAAA,GAAgB,yBAAA;AAAA,KAChB,MAAA,GAAS,aAAA;;;;;;;;;;AA+Fd;;;;;;;;;;;;;uBApDe,4BAAA,SAAqC,YAAA,YAAwB,aAAA;EAAA,aAC7D,WAAA,CAAA;EAAA,kBACK,cAAA,EAAgB,uBAAA;EAAA,kBAChB,KAAA;EAAA,kBACA,EAAA;EAAA,kBACA,WAAA;EAAA,kBACA,MAAA;IAAA,SAAmB,EAAA;EAAA;EAAA,kBACnB,QAAA,WAAmB,MAAA;EAAA,kBACnB,OAAA,WAAkB,MAAA;EAAA,kBAClB,SAAA,WAAoB,MAAA;EAEtC,kBAAA,CAAA,YAA+B,iBAAA;EA0D7B;;;;;;EAhDF,IAAA,CAAA,GAAQ,aAAA;EAAA,UAaE,MAAA,CAAA;AAAA;AAAA,cAkBC,8BAAA,SAAuC,4BAAA;EAAA;WACzC,EAAA;EAAA,SACA,KAAA;EAAA,SACA,cAAA;EAAA,SACA,WAAA;EAAA,SACA,MAAA;IAAA,SAAmB,EAAA;EAAA;EAAA,SACnB,QAAA,WAAmB,MAAA;EAAA,SACnB,OAAA,WAAkB,MAAA;EAAA,SAClB,SAAA,WAAoB,MAAA;cAS3B,KAAA,UACA,MAAA,UACA,KAAA,EAAO,sBAAA,EACP,MAAA;EAAA,IAwBE,WAAA,CAAA;EAAA,IAIA,KAAA,CAAA;EAAA,IAIA,MAAA,CAAA;EAAA,IAIA,KAAA,CAAA,GAAS,sBAAA;EAAA,IAIT,MAAA,CAAA;EAIJ,gBAAA,CAAA;AAAA;AAAA,cA2BW,iCAAA,SAA0C,4BAAA;EAAA;WAC5C,EAAA;EAAA,SACA,KAAA;EAAA,SACA,cAAA;EAAA,SACA,WAAA;EAAA,SACA,MAAA;IAAA,SAAmB,EAAA;EAAA;EAAA,SACnB,QAAA,WAAmB,MAAA;EAAA,SACnB,OAAA,WAAkB,MAAA;EAAA,SAClB,SAAA,WAAoB,MAAA;cAIjB,KAAA,UAAe,MAAA,UAAgB,KAAA,EAAO,sBAAA;EAAA,IAmB9C,WAAA,CAAA;EAAA,IAIA,KAAA,CAAA;EAAA,IAIA,MAAA,CAAA;EAAA,IAIA,KAAA,CAAA,GAAS,sBAAA;EAIb,gBAAA,CAAA;AAAA;;;;;AAwBF;;;;;;;;;AAkBA;;iBAlBgB,0BAAA,CACd,IAAA,EAAM,2BAAA,GACL,8BAAA;;;;;;;;iBAgBa,6BAAA,CACd,IAAA,EAAM,2BAAA,GACL,iCAAA"}

package/dist/migration.mjs

@@ -0,0 +1,2 @@
+import { n as cipherstashRemoveSearchConfig, t as cipherstashAddSearchConfig } from "./call-classes-CSvD7w8U.mjs";
+export { cipherstashAddSearchConfig, cipherstashRemoveSearchConfig };

package/dist/operation-types.d.mts

@@ -0,0 +1,49 @@
+import { CodecExpression, Expression } from "@prisma-next/sql-relational-core/expression";
+import { SqlQueryOperationTypes } from "@prisma-next/sql-contract/types";
+
+//#region src/types/operation-types.d.ts
+type CodecTypesBase = Record<string, {
+  readonly input: unknown;
+  readonly output: unknown;
+}>;
+declare const CIPHERSTASH_STRING_CODEC = "cipherstash/string@1";
+type CipherstashStringCodec = typeof CIPHERSTASH_STRING_CODEC;
+/**
+ * Flat operation signatures consumed by the SQL query builder. Read
+ * via the `queryOperations` slot on the runtime context to project
+ * `t.email.cipherstashEq(...)` onto `cipherstash/string@1` column
+ * accessors inside `sql(t).where(...)` callbacks.
+ *
+ * Both operators take an encrypted-string `self` and a plaintext-or-
+ * envelope `other`/`pattern`; the runtime implementation
+ * (`eqlOperator` in `../execution/operators.ts`) wraps the user-supplied
+ * second argument in an `EncryptedString` envelope, stamps the
+ * column's routing context, and lowers to `eql_v2.eq` / `eql_v2.ilike`.
+ *
+ * Return type is the postgres `pg/bool@1` codec — that's the codec
+ * the framework's predicate machinery looks at via the `'boolean'`
+ * trait to decide a value is suitable for a WHERE clause.
+ */
+type QueryOperationTypes<CT extends CodecTypesBase> = SqlQueryOperationTypes<CT, {
+  readonly cipherstashEq: {
+    readonly self: {
+      readonly codecId: CipherstashStringCodec;
+    };
+    readonly impl: (self: CodecExpression<CipherstashStringCodec, boolean, CT>, other: CodecExpression<'pg/text@1', boolean, CT>) => Expression<{
+      codecId: 'pg/bool@1';
+      nullable: false;
+    }>;
+  };
+  readonly cipherstashIlike: {
+    readonly self: {
+      readonly codecId: CipherstashStringCodec;
+    };
+    readonly impl: (self: CodecExpression<CipherstashStringCodec, boolean, CT>, pattern: CodecExpression<'pg/text@1', boolean, CT>) => Expression<{
+      codecId: 'pg/bool@1';
+      nullable: false;
+    }>;
+  };
+}>;
+//#endregion
+export { type QueryOperationTypes };
+//# sourceMappingURL=operation-types.d.mts.map

package/dist/operation-types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"operation-types.d.mts","names":[],"sources":["../src/types/operation-types.ts"],"mappings":";;;;KAyBK,cAAA,GAAiB,MAAA;EAAA,SAA0B,KAAA;EAAA,SAAyB,MAAA;AAAA;AAAA,cAEnE,wBAAA;AAAA,KACD,sBAAA,UAAgC,wBAAA;;;;;;;;;;;;;;;;;KAkBzB,mBAAA,YAA+B,cAAA,IAAkB,sBAAA,CAC3D,EAAA;EAAA,SAEW,aAAA;IAAA,SACE,IAAA;MAAA,SAAiB,OAAA,EAAS,sBAAA;IAAA;IAAA,SAC1B,IAAA,GACP,IAAA,EAAM,eAAA,CAAgB,sBAAA,WAAiC,EAAA,GAavD,KAAA,EAAO,eAAA,uBAAsC,EAAA,MAC1C,UAAA;MAAa,OAAA;MAAsB,QAAA;IAAA;EAAA;EAAA,SAEjC,gBAAA;IAAA,SACE,IAAA;MAAA,SAAiB,OAAA,EAAS,sBAAA;IAAA;IAAA,SAC1B,IAAA,GACP,IAAA,EAAM,eAAA,CAAgB,sBAAA,WAAiC,EAAA,GAKvD,OAAA,EAAS,eAAA,uBAAsC,EAAA,MAC5C,UAAA;MAAa,OAAA;MAAsB,QAAA;IAAA;EAAA;AAAA"}

package/dist/operation-types.mjs

@@ -0,0 +1 @@
+export {};

package/dist/pack.d.mts

@@ -0,0 +1,86 @@
+import * as _$_prisma_next_framework_components_codec0 from "@prisma-next/framework-components/codec";
+import * as _$_prisma_next_contract_types0 from "@prisma-next/contract/types";
+
+//#region src/extension-metadata/descriptor-meta.d.ts
+declare const cipherstashPackMeta: {
+  readonly kind: "extension";
+  readonly id: "cipherstash";
+  readonly familyId: "sql";
+  readonly targetId: "postgres";
+  readonly version: "0.0.1";
+  readonly authoring: {
+    readonly type: {
+      readonly cipherstash: {
+        readonly EncryptedString: {
+          readonly kind: "typeConstructor";
+          readonly args: readonly [{
+            readonly kind: "object";
+            readonly name: "options";
+            readonly optional: true;
+            readonly properties: {
+              readonly equality: {
+                readonly kind: "boolean";
+                readonly optional: true;
+              };
+              readonly freeTextSearch: {
+                readonly kind: "boolean";
+                readonly optional: true;
+              };
+            };
+          }];
+          readonly output: {
+            readonly codecId: "cipherstash/string@1";
+            readonly nativeType: "eql_v2_encrypted";
+            readonly typeParams: {
+              readonly equality: {
+                readonly kind: "arg";
+                readonly index: 0;
+                readonly path: readonly ["equality"];
+                readonly default: true;
+              };
+              readonly freeTextSearch: {
+                readonly kind: "arg";
+                readonly index: 0;
+                readonly path: readonly ["freeTextSearch"];
+                readonly default: true;
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+  readonly types: {
+    readonly codecTypes: {
+      readonly codecInstances: readonly [{
+        encode(): Promise<unknown>;
+        decode(): Promise<unknown>;
+        encodeJson(): _$_prisma_next_contract_types0.JsonValue;
+        decodeJson(): unknown;
+        readonly descriptor: _$_prisma_next_framework_components_codec0.CodecDescriptor<any>;
+        get id(): "cipherstash/string@1";
+      }];
+      readonly typeImports: readonly [{
+        readonly package: "@prisma-next/extension-cipherstash/runtime";
+        readonly named: "EncryptedString";
+        readonly alias: "EncryptedString";
+      }];
+    };
+    readonly queryOperationTypes: {
+      readonly import: {
+        readonly package: "@prisma-next/extension-cipherstash/operation-types";
+        readonly named: "QueryOperationTypes";
+        readonly alias: "CipherstashQueryOperationTypes";
+      };
+    };
+    readonly storage: readonly [{
+      readonly typeId: "cipherstash/string@1";
+      readonly familyId: "sql";
+      readonly targetId: "postgres";
+      readonly nativeType: "eql_v2_encrypted";
+    }];
+  };
+};
+//#endregion
+export { cipherstashPackMeta as default };
+//# sourceMappingURL=pack.d.mts.map

package/dist/pack.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pack.d.mts","names":[],"sources":["../src/extension-metadata/descriptor-meta.ts"],"mappings":";;;;cAkCa,mBAAA;EAAA"}

package/dist/pack.mjs

@@ -0,0 +1,2 @@
+import { t as cipherstashPackMeta } from "./descriptor-meta-BgQfZTAF.mjs";
+export { cipherstashPackMeta as default };

package/dist/runtime.d.mts

@@ -0,0 +1,207 @@
+import { n as CIPHERSTASH_STRING_CODEC_ID, t as CIPHERSTASH_EXTENSION_VERSION } from "./constants-BDxL9Pe3.mjs";
+import { a as CipherstashSingleDecryptArgs, i as CipherstashSdk, n as CipherstashBulkEncryptArgs, r as CipherstashRoutingKey, t as CipherstashBulkDecryptArgs } from "./sdk-D5FTGyzp.mjs";
+import { AnyCodecDescriptor, CodecImpl } from "@prisma-next/framework-components/codec";
+import { Codec, SqlCodecCallContext } from "@prisma-next/sql-relational-core/ast";
+import { RuntimeParameterizedCodecDescriptor, SqlRuntimeExtensionDescriptor } from "@prisma-next/sql-runtime";
+import { JsonValue } from "@prisma-next/contract/types";
+import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
+
+//#region src/execution/envelope.d.ts
+/**
+ * The mutable state of an `EncryptedString` — exposed by `expose()` for
+ * callers that explicitly opt in. Mutating these slots from outside the
+ * package is supported (we don't stop you) but unusual; the framework's
+ * own lifecycle mutators (`setHandleCiphertext`, `setHandleRoutingKey`,
+ * etc.) are the conventional path.
+ */
+interface EncryptedStringHandle {
+  plaintext: string | undefined;
+  ciphertext: unknown;
+  table: string | undefined;
+  column: string | undefined;
+  sdk: CipherstashSdk | undefined;
+}
+interface EncryptedStringFromInternalArgs {
+  readonly ciphertext: unknown;
+  readonly table: string;
+  readonly column: string;
+  readonly sdk: CipherstashSdk;
+}
+declare class EncryptedString {
+  #private;
+  private constructor();
+  /**
+   * Construct a write-side envelope from plaintext. Bulk-encrypt
+   * middleware populates the handle's ciphertext slot before the codec
+   * encodes the envelope to wire format.
+   */
+  static from(plaintext: string): EncryptedString;
+  /**
+   * Construct a read-side envelope from a wire ciphertext + the column
+   * identity + the SDK used to decrypt the cell. Called from the codec
+   * `decode` body.
+   */
+  static fromInternal(args: EncryptedStringFromInternalArgs): EncryptedString;
+  /**
+   * Explicitly retrieve the wrapped handle. Modelled on Rust `secrecy`'s
+   * `SecretBox<T>::expose_secret`: the handle is reachable, but you have
+   * to ask for it by name. Callers reach for `expose()` when they need
+   * to inspect or transport the ciphertext envelope, debug lifecycle
+   * state, or wire ad-hoc tooling around the SDK reference.
+   *
+   * Mutating the returned handle is supported but unusual — the
+   * framework's lifecycle mutators (`setHandleCiphertext`,
+   * `setHandleRoutingKey`, etc.) are the conventional path during
+   * encrypt / decrypt flow.
+   */
+  expose(): EncryptedStringHandle;
+  /**
+   * Decrypt and return the plaintext.
+   *
+   * - If the handle's `plaintext` slot is already populated (write-side
+   *   envelopes from `from(plaintext)`, or read-side envelopes already
+   *   materialized by `decryptAll(...)` or a prior `decrypt()`), returns
+   *   the cached plaintext synchronously without consulting the SDK.
+   * - Otherwise (read-side handle without a cached plaintext), invokes
+   *   the SDK's single-cell `decrypt` with the handle's routing context.
+   *   The caller-supplied `signal` is forwarded to the SDK by identity
+   *   per the umbrella cancellation contract; the SDK promise is also
+   *   raced against the signal so an abort surfaces a `RUNTIME.ABORTED
+   *   { phase: 'decrypt' }` envelope promptly even if the SDK body
+   *   ignores the signal. The cached-plaintext fast path returns
+   *   synchronously without consulting the signal — no IO, no abort
+   *   observation point.
+   */
+  decrypt(opts?: {
+    signal?: AbortSignal;
+  }): Promise<string>;
+  toJSON(): string;
+  toString(): string;
+  valueOf(): string;
+  [Symbol.toPrimitive](): string;
+}
+//#endregion
+//#region src/execution/codec-runtime.d.ts
+declare const CIPHERSTASH_STRING_TRAITS: readonly [];
+declare class CipherstashStringCodec extends CodecImpl<typeof CIPHERSTASH_STRING_CODEC_ID, typeof CIPHERSTASH_STRING_TRAITS, unknown, EncryptedString> implements Codec<typeof CIPHERSTASH_STRING_CODEC_ID, typeof CIPHERSTASH_STRING_TRAITS, unknown, EncryptedString> {
+  readonly sdk: CipherstashSdk | undefined;
+  constructor(descriptor: AnyCodecDescriptor, sdk: CipherstashSdk | undefined);
+  encode(value: EncryptedString, _ctx: SqlCodecCallContext): Promise<unknown>;
+  decode(wire: unknown, ctx: SqlCodecCallContext): Promise<EncryptedString>;
+  encodeJson(_value: EncryptedString): JsonValue;
+  decodeJson(_json: JsonValue): EncryptedString;
+}
+declare function createCipherstashStringCodec(sdk: CipherstashSdk): CipherstashStringCodec;
+//#endregion
+//#region src/execution/decrypt-all.d.ts
+/**
+ * `decryptAll` — read-side bulk-decrypt walker.
+ *
+ * Public utility users invoke after `findMany` (or any other read
+ * surface) to materialize the plaintext for every `EncryptedString`
+ * envelope reachable from the result set in a fixed number of bulk SDK
+ * round-trips:
+ *
+ *     const rows = await db.select(...).from(User).execute();
+ *     await decryptAll(rows);
+ *     // every envelope's `decrypt()` now returns plaintext synchronously.
+ *
+ * Why a separate utility (rather than middleware that auto-decrypts on
+ * every read): the framework`s streaming-read path cannot bulk-amortize
+ * decryption across rows it`s yielding incrementally — by the time row
+ * N is yielded, rows 1..N-1 have already been delivered to the caller.
+ * The `decryptAll` shape lets the caller buffer the result set
+ * explicitly (with `await stream.toArray()`) and then opt into bulk
+ * decryption in one round-trip per `(table, column)` group. The runtime
+ * descriptor wrapper deliberately does NOT register an implicit-decrypt
+ * middleware for this reason.
+ *
+ * **Walker shape**.
+ *
+ * - Recursive on plain objects + plain arrays only. Date / Map / Set /
+ *   typed arrays / Buffer / function / etc. are not recursed into:
+ *   cipherstash envelopes are user data and would not normally embed
+ *   inside these host containers; if a future caller needs to bulk-
+ *   decrypt envelopes inside such a container they extract them into a
+ *   plain row first. The narrow scope keeps the walker`s behavior
+ *   trivially predictable and avoids the cycle / iterator / lazy-eval
+ *   surface those exotic types bring.
+ * - Cycle-safe via a `WeakSet` of visited objects/arrays; the same
+ *   envelope appearing in N positions is collected once.
+ * - Skips envelopes whose plaintext slot is already populated
+ *   (write-side envelopes from `EncryptedString.from(plaintext)`, or
+ *   read-side envelopes already materialized by a prior
+ *   `decrypt()` / `decryptAll(...)`). The skip means a re-run is a
+ *   no-op and a mixed write/read row tree only round-trips for the
+ *   envelopes that need it.
+ *
+ * **Grouping**. Envelopes are grouped by `(sdk, table, column)` —
+ * routing key plus the envelope handle`s SDK reference. The SDK split
+ * preserves the per-tenant SDK isolation `runtime.ts`'s docblock spells
+ * out: each tenant constructs its own runtime descriptor with its own
+ * SDK so per-tenant key material never crosses runtimes. Envelopes from
+ * different tenants happening to share `(table, column)` therefore
+ * still receive separate `bulkDecrypt` calls.
+ *
+ * **Cancellation**. `opts.signal` is forwarded by identity to every
+ * `bulkDecrypt` call via `ifDefined` — the same shape the bulk-encrypt
+ * middleware and `EncryptedString.decrypt({ signal? })` use. The
+ * walker also races each SDK promise against `opts.signal` via
+ * `raceCipherstashAbort` so an abort surfaces `RUNTIME.ABORTED
+ * { phase: 'decrypt-all' }` promptly even when the SDK body itself
+ * ignores the signal. A pre-check before the first SDK round-trip
+ * short-circuits when the signal is already aborted at entry; the
+ * no-envelopes-reachable fast path returns immediately without
+ * observing the signal.
+ */
+interface DecryptAllOptions {
+  readonly signal?: AbortSignal;
+}
+/**
+ * Walk a result set and bulk-decrypt every `EncryptedString` envelope
+ * reachable from it. After the returned promise resolves, every touched
+ * envelope's `decrypt()` returns the cached plaintext synchronously
+ * without consulting the SDK.
+ *
+ * The walker is a no-op when no envelopes are reachable (returns
+ * without making any SDK call), so it is cheap to call defensively
+ * after queries that may or may not contain encrypted columns.
+ */
+declare function decryptAll(rows: unknown, opts?: DecryptAllOptions): Promise<void>;
+//#endregion
+//#region src/execution/parameterized.d.ts
+interface CipherstashStringParams {
+  readonly equality: boolean;
+  readonly freeTextSearch: boolean;
+}
+declare const encryptedStringParamsSchema: _$arktype_internal_variants_object_ts0.ObjectType<{
+  equality: boolean;
+  freeTextSearch: boolean;
+}, {}>;
+declare function renderEncryptedStringOutputType(_params: CipherstashStringParams): string;
+declare function createParameterizedCodecDescriptors(sdk: CipherstashSdk): ReadonlyArray<RuntimeParameterizedCodecDescriptor<CipherstashStringParams>>;
+//#endregion
+//#region src/exports/runtime.d.ts
+interface CreateCipherstashRuntimeDescriptorOptions {
+  readonly sdk: CipherstashSdk;
+}
+/**
+ * Compose the SDK-bound codec runtime + parameterized codec descriptors
+ * + runtime-plane codec-instances metadata into a single
+ * `SqlRuntimeExtensionDescriptor<'postgres'>`.
+ *
+ * The descriptor is per-SDK: cipherstash's codec captures the SDK at
+ * `decode` time (read-side single-cell `decrypt`) and the bulk-encrypt
+ * middleware captures it at `beforeExecute` time (write-side bulk
+ * round-trip). Multi-tenant deployments construct one descriptor per
+ * tenant SDK so per-tenant key material never crosses runtimes.
+ *
+ * Mirrors `packages/3-extensions/pgvector/src/exports/runtime.ts` —
+ * pgvector's vectorRuntimeDescriptor is a static default-export because
+ * its codec is fully stateless; cipherstash needs the factory wrapper
+ * because the codec depends on `sdk`.
+ */
+declare function createCipherstashRuntimeDescriptor(opts: CreateCipherstashRuntimeDescriptorOptions): SqlRuntimeExtensionDescriptor<'postgres'>;
+//#endregion
+export { CIPHERSTASH_EXTENSION_VERSION, CIPHERSTASH_STRING_CODEC_ID, type CipherstashBulkDecryptArgs, type CipherstashBulkEncryptArgs, type CipherstashRoutingKey, type CipherstashSdk, type CipherstashSingleDecryptArgs, type CipherstashStringCodec, type CipherstashStringParams, CreateCipherstashRuntimeDescriptorOptions, type DecryptAllOptions, EncryptedString, type EncryptedStringFromInternalArgs, type EncryptedStringHandle, createCipherstashRuntimeDescriptor, createCipherstashStringCodec, createParameterizedCodecDescriptors, decryptAll, encryptedStringParamsSchema, renderEncryptedStringOutputType };
+//# sourceMappingURL=runtime.d.mts.map

package/dist/runtime.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.mts","names":[],"sources":["../src/execution/envelope.ts","../src/execution/codec-runtime.ts","../src/execution/decrypt-all.ts","../src/execution/parameterized.ts","../src/exports/runtime.ts"],"mappings":";;;;;;;;;;;;;;;;UA8DiB,qBAAA;EACf,SAAA;EACA,UAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA,EAAK,cAAA;AAAA;AAAA,UAKU,+BAAA;EAAA,SACN,UAAA;EAAA,SACA,KAAA;EAAA,SACA,MAAA;EAAA,SACA,GAAA,EAAK,cAAA;AAAA;AAAA,cAGH,eAAA;EAAA;UAGJ,WAAA,CAAA;ECtBoC;AAkD7C;;;;EAlD6C,OD+BpC,IAAA,CAAK,SAAA,WAAoB,eAAA;ECwB9B;;;;;EAAA,ODTK,YAAA,CAAa,IAAA,EAAM,+BAAA,GAAkC,eAAA;ECqBX;;;;;;;;;;;;EDCjD,MAAA,CAAA,GAAU,qBAAA;ECVH;;;;;;;;;;;;;;;;;ED+BD,OAAA,CAAQ,IAAA;IAAS,MAAA,GAAS,WAAA;EAAA,IAAgB,OAAA;EA6BhD,MAAA,CAAA;EAIA,QAAA,CAAA;EAIA,OAAA,CAAA;EAAA,CAIC,MAAA,CAAO,WAAA;AAAA;;;cClIJ,yBAAA;AAAA,cAkDO,sBAAA,SACH,SAAA,QACC,2BAAA,SACA,yBAAA,WAEP,eAAA,aAGA,KAAA,QACS,2BAAA,SACA,yBAAA,WAEP,eAAA;EAAA,SAGK,GAAA,EAAK,cAAA;cAEF,UAAA,EAAY,kBAAA,EAAoB,GAAA,EAAK,cAAA;EAK3C,MAAA,CAAO,KAAA,EAAO,eAAA,EAAiB,IAAA,EAAM,mBAAA,GAAsB,OAAA;EAW3D,MAAA,CAAO,IAAA,WAAe,GAAA,EAAK,mBAAA,GAAsB,OAAA,CAAQ,eAAA;EAsB/D,UAAA,CAAW,MAAA,EAAQ,eAAA,GAAkB,SAAA;EAIrC,UAAA,CAAW,KAAA,EAAO,SAAA,GAAY,eAAA;AAAA;AAAA,iBAmChB,4BAAA,CAA6B,GAAA,EAAK,cAAA,GAAiB,sBAAA;;;;;;;;;;;;AD9InE;;;;;;;;;;;;AAUA;;;;;;;;;;;AAOA;;;;;;;;;;;;;;;;;;;;;;;;;;;;UEbiB,iBAAA;EAAA,SACN,MAAA,GAAS,WAAA;AAAA;;;;;;;;AD7BwB;;;iBCiDtB,UAAA,CAAW,IAAA,WAAe,IAAA,GAAO,iBAAA,GAAoB,OAAA;;;UCzD1D,uBAAA;EAAA,SACN,QAAA;EAAA,SACA,cAAA;AAAA;AAAA,cAGE,2BAAA,EAGX,sCAAA,CAHsC,UAAA;;;;iBAKxB,+BAAA,CAAgC,OAAA,EAAS,uBAAA;AAAA,iBAIzC,mCAAA,CACd,GAAA,EAAK,cAAA,GACJ,aAAA,CAAc,mCAAA,CAAoC,uBAAA;;;UCiBpC,yCAAA;EAAA,SACN,GAAA,EAAK,cAAA;AAAA;;;;;;;;;;;;;;;;;iBAmBA,kCAAA,CACd,IAAA,EAAM,yCAAA,GACL,6BAAA"}