@syncular/client-plugin-encryption 0.0.1 → 0.0.2-127

package/README.md

@@ -0,0 +1,36 @@
+# @syncular/client-plugin-encryption
+
+End-to-end encryption plugin for the Syncular client. Supports field-level encryption with key sharing between devices.
+
+## Install
+
+```bash
+npm install @syncular/client-plugin-encryption
+```
+
+## Usage
+
+```ts
+import {
+  createFieldEncryptionPlugin,
+  createStaticFieldEncryptionKeys,
+} from '@syncular/client-plugin-encryption';
+
+const encryption = createFieldEncryptionPlugin({
+  rules: [{ scope: 'user', table: 'notes', fields: ['body'] }],
+  keys: createStaticFieldEncryptionKeys({
+    keys: { default: 'base64url:...' },
+  }),
+});
+```
+
+## Documentation
+
+- Encryption guide: https://syncular.dev/docs/build/encryption
+
+## Links
+
+- GitHub: https://github.com/syncular/syncular
+- Issues: https://github.com/syncular/syncular/issues
+
+> Status: Alpha. APIs and storage layouts may change between releases.

package/dist/crypto-utils.d.ts

@@ -0,0 +1,7 @@
+export declare function randomBytes(length: number): Uint8Array;
+export declare function bytesToBase64(bytes: Uint8Array): string;
+export declare function base64ToBytes(base64: string): Uint8Array;
+export declare function bytesToBase64Url(bytes: Uint8Array): string;
+export declare function base64UrlToBytes(base64url: string): Uint8Array;
+export declare function hexToBytes(hex: string): Uint8Array;
+//# sourceMappingURL=crypto-utils.d.ts.map

package/dist/crypto-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.d.ts","sourceRoot":"","sources":["../src/crypto-utils.ts"],"names":[],"mappings":"AAYA,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAWtD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAqCvD;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CA8BxD;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAK1D;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAO9D;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAYlD"}

package/dist/crypto-utils.js

@@ -0,0 +1,110 @@
+const BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+const BASE64_LOOKUP = new Uint8Array(256);
+for (let i = 0; i < BASE64_CHARS.length; i++) {
+    BASE64_LOOKUP[BASE64_CHARS.charCodeAt(i)] = i;
+}
+const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+const BASE64_URL_PATTERN = /^[A-Za-z0-9_-]*$/;
+export function randomBytes(length) {
+    const cryptoObj = globalThis.crypto;
+    if (!cryptoObj?.getRandomValues) {
+        throw new Error('Secure random generator is not available (crypto.getRandomValues). ' +
+            'Ensure you are running in a secure context or polyfill crypto.');
+    }
+    const out = new Uint8Array(length);
+    cryptoObj.getRandomValues(out);
+    return out;
+}
+export function bytesToBase64(bytes) {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(bytes).toString('base64');
+    }
+    let result = '';
+    const len = bytes.length;
+    const remainder = len % 3;
+    for (let i = 0; i < len - remainder; i += 3) {
+        const a = bytes[i];
+        const b = bytes[i + 1];
+        const c = bytes[i + 2];
+        result +=
+            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+                BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
+                BASE64_CHARS.charAt(((b << 2) | (c >> 6)) & 0x3f) +
+                BASE64_CHARS.charAt(c & 0x3f);
+    }
+    if (remainder === 1) {
+        const a = bytes[len - 1];
+        result +=
+            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+                BASE64_CHARS.charAt((a << 4) & 0x3f) +
+                '==';
+    }
+    else if (remainder === 2) {
+        const a = bytes[len - 2];
+        const b = bytes[len - 1];
+        result +=
+            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
+                BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
+                BASE64_CHARS.charAt((b << 2) & 0x3f) +
+                '=';
+    }
+    return result;
+}
+export function base64ToBytes(base64) {
+    if (!BASE64_PATTERN.test(base64)) {
+        throw new Error('Invalid base64 string');
+    }
+    if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(base64, 'base64'));
+    }
+    const len = base64.length;
+    let padding = 0;
+    if (base64[len - 1] === '=')
+        padding++;
+    if (base64[len - 2] === '=')
+        padding++;
+    const outputLen = (len * 3) / 4 - padding;
+    const out = new Uint8Array(outputLen);
+    let outIdx = 0;
+    for (let i = 0; i < len; i += 4) {
+        const a = BASE64_LOOKUP[base64.charCodeAt(i)];
+        const b = BASE64_LOOKUP[base64.charCodeAt(i + 1)];
+        const c = BASE64_LOOKUP[base64.charCodeAt(i + 2)];
+        const d = BASE64_LOOKUP[base64.charCodeAt(i + 3)];
+        out[outIdx++] = (a << 2) | (b >> 4);
+        if (outIdx < outputLen)
+            out[outIdx++] = ((b << 4) | (c >> 2)) & 0xff;
+        if (outIdx < outputLen)
+            out[outIdx++] = ((c << 6) | d) & 0xff;
+    }
+    return out;
+}
+export function bytesToBase64Url(bytes) {
+    return bytesToBase64(bytes)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+export function base64UrlToBytes(base64url) {
+    if (!BASE64_URL_PATTERN.test(base64url)) {
+        throw new Error('Invalid base64url string');
+    }
+    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = base64 + '==='.slice((base64.length + 3) % 4);
+    return base64ToBytes(padded);
+}
+export function hexToBytes(hex) {
+    const normalized = hex.trim().toLowerCase();
+    if (normalized.length % 2 !== 0) {
+        throw new Error('Invalid hex string (length must be even)');
+    }
+    const out = new Uint8Array(normalized.length / 2);
+    for (let i = 0; i < out.length; i++) {
+        const byte = Number.parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
+        if (!Number.isFinite(byte))
+            throw new Error('Invalid hex string');
+        out[i] = byte;
+    }
+    return out;
+}
+//# sourceMappingURL=crypto-utils.js.map

package/dist/crypto-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.js","sourceRoot":"","sources":["../src/crypto-utils.ts"],"names":[],"mappings":"AAAA,MAAM,YAAY,GAChB,kEAAkE,CAAC;AACrE,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;IAC7C,aAAa,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,cAAc,GAClB,kEAAkE,CAAC;AACrE,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AAE9C,MAAM,UAAU,WAAW,CAAC,MAAc,EAAc;IACtD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC;IACpC,IAAI,CAAC,SAAS,EAAE,eAAe,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,qEAAqE;YACnE,gEAAgE,CACnE,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,SAAS,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,GAAG,CAAC;AAAA,CACZ;AAED,MAAM,UAAU,aAAa,CAAC,KAAiB,EAAU;IACvD,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;IACzB,MAAM,SAAS,GAAG,GAAG,GAAG,CAAC,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,GAAG,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACpB,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QACxB,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC;QACxB,MAAM;YACJ,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBACpC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;gBACjD,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;gBACjD,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QACpB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;QAC1B,MAAM;YACJ,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBACpC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBACpC,IAAI,CAAC;IACT,CAAC;SAAM,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAE,CAAC;QAC1B,MAAM;YACJ,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBACpC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;gBACjD,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBACpC,GAAG,CAAC;IACR,CAAC;IAED,OAAO,MAAM,CAAC;AAAA,CACf;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAc;IACxD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;IAC1B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAEvC,MAAM,SAAS,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAEtC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC;QACnD,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC;QACnD,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC;QAEnD,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACpC,IAAI,MAAM,GAAG,SAAS;YAAE,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QACrE,IAAI,MAAM,GAAG,SAAS;YAAE,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;IAChE,CAAC;IAED,OAAO,GAAG,CAAC;AAAA,CACZ;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAU;IAC1D,OAAO,aAAa,CAAC,KAAK,CAAC;SACxB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAAA,CACxB;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAc;IAC9D,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;AAAA,CAC9B;AAED,MAAM,UAAU,UAAU,CAAC,GAAW,EAAc;IAClD,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC5C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAClE,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,GAAG,CAAC;AAAA,CACZ"}

package/dist/index.d.ts

@@ -1,8 +1,8 @@
-import type { SyncClientDb, SyncClientPlugin, SyncClientPluginContext } from '@syncular/client';
+import type { SyncClientDb, SyncClientPlugin, SyncClientPluginContext, SyncEngine } from '@syncular/client';
 import { type Kysely } from 'kysely';
 export * from './key-sharing';
-export type FieldDecryptionErrorMode = 'throw' | 'keepCiphertext';
-export interface FieldEncryptionRule {
+type FieldDecryptionErrorMode = 'throw' | 'keepCiphertext';
+interface FieldEncryptionRule {
     scope: string;
     /**
      * Optional table selector. Strongly recommended for correctness:
@@ -35,7 +35,7 @@ export interface FieldEncryptionKeys {
         field: string;
     }) => string | Promise<string>;
 }
-export interface FieldEncryptionPluginOptions {
+interface FieldEncryptionPluginOptions {
     name?: string;
     rules: FieldEncryptionRule[];
     keys: FieldEncryptionKeys;
@@ -50,7 +50,7 @@ export interface FieldEncryptionPluginOptions {
      */
     envelopePrefix?: string;
 }
-export interface RefreshEncryptedFieldsTarget {
+interface RefreshEncryptedFieldsTarget {
     scope: string;
     table: string;
     fields?: string[];
@@ -61,17 +61,9 @@ export interface RefreshEncryptedFieldsResult {
     rowsUpdated: number;
     fieldsUpdated: number;
 }
-export interface RefreshEncryptedFieldsOptions<DB extends SyncClientDb = SyncClientDb> {
-    db: Kysely<DB>;
-    rules: FieldEncryptionRule[];
-    keys: FieldEncryptionKeys;
-    envelopePrefix?: string;
-    decryptionErrorMode?: FieldDecryptionErrorMode;
-    targets?: RefreshEncryptedFieldsTarget[];
-    ctx?: Partial<SyncClientPluginContext>;
-}
 export interface FieldEncryptionPluginRefreshRequest<DB extends SyncClientDb = SyncClientDb> {
     db: Kysely<DB>;
+    engine?: Pick<SyncEngine<DB>, 'recordLocalMutations'>;
     targets?: RefreshEncryptedFieldsTarget[];
     ctx?: Partial<SyncClientPluginContext>;
 }
@@ -82,6 +74,5 @@ export declare function createStaticFieldEncryptionKeys(args: {
     keys: Record<string, Uint8Array | string>;
     encryptionKid?: string;
 }): FieldEncryptionKeys;
-export declare function refreshEncryptedFields<DB extends SyncClientDb = SyncClientDb>(options: RefreshEncryptedFieldsOptions<DB>): Promise<RefreshEncryptedFieldsResult>;
 export declare function createFieldEncryptionPlugin(pluginOptions: FieldEncryptionPluginOptions): FieldEncryptionPlugin;
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACxB,MAAM,kBAAkB,CAAC;AAO1B,OAAO,EAAO,KAAK,MAAM,EAAE,MAAM,QAAQ,CAAC;AAG1C,cAAc,eAAe,CAAC;AAI9B,MAAM,MAAM,wBAAwB,GAAG,OAAO,GAAG,gBAAgB,CAAC;AAElE,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sCAAsC;IACtC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1D;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CACjB,GAAG,EAAE,uBAAuB,EAC5B,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,KACjE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,4BAA4B;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAC7B,IAAI,EAAE,mBAAmB,CAAC;IAC1B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,wBAAwB,CAAC;IAC/C;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,4BAA4B;IAC3C,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,6BAA6B,CAC5C,EAAE,SAAS,YAAY,GAAG,YAAY;IAEtC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAC7B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,wBAAwB,CAAC;IAC/C,OAAO,CAAC,EAAE,4BAA4B,EAAE,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,mCAAmC,CAClD,EAAE,SAAS,YAAY,GAAG,YAAY;IAEtC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,CAAC,EAAE,4BAA4B,EAAE,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,sBAAsB,EAAE,CAAC,EAAE,SAAS,YAAY,GAAG,YAAY,EAC7D,OAAO,EAAE,mCAAmC,CAAC,EAAE,CAAC,KAC7C,OAAO,CAAC,4BAA4B,CAAC,CAAC;CAC5C;AAgKD,wBAAgB,+BAA+B,CAAC,IAAI,EAAE;IACpD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,mBAAmB,CAiBtB;AAuYD,wBAAsB,sBAAsB,CAC1C,EAAE,SAAS,YAAY,GAAG,YAAY,EACtC,OAAO,EAAE,6BAA6B,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAiHnF;AAED,wBAAgB,2BAA2B,CACzC,aAAa,EAAE,4BAA4B,GAC1C,qBAAqB,CA6LvB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,UAAU,EACX,MAAM,kBAAkB,CAAC;AAQ1B,OAAO,EAAE,KAAK,MAAM,EAAO,MAAM,QAAQ,CAAC;AAU1C,cAAc,eAAe,CAAC;AAI9B,KAAK,wBAAwB,GAAG,OAAO,GAAG,gBAAgB,CAAC;AAE3D,UAAU,mBAAmB;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sCAAsC;IACtC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1D;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CACjB,GAAG,EAAE,uBAAuB,EAC5B,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,KACjE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED,UAAU,4BAA4B;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAC7B,IAAI,EAAE,mBAAmB,CAAC;IAC1B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,wBAAwB,CAAC;IAC/C;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,UAAU,4BAA4B;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,4BAA4B;IAC3C,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;CACvB;AAeD,MAAM,WAAW,mCAAmC,CAClD,EAAE,SAAS,YAAY,GAAG,YAAY;IAEtC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,sBAAsB,CAAC,CAAC;IACtD,OAAO,CAAC,EAAE,4BAA4B,EAAE,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,sBAAsB,EAAE,CAAC,EAAE,SAAS,YAAY,GAAG,YAAY,EAC7D,OAAO,EAAE,mCAAmC,CAAC,EAAE,CAAC,KAC7C,OAAO,CAAC,4BAA4B,CAAC,CAAC;CAC5C;AA0BD,wBAAgB,+BAA+B,CAAC,IAAI,EAAE;IACpD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAAC,CAAC;IAC1C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,mBAAmB,CAsBtB;AAqjBD,wBAAgB,2BAA2B,CACzC,aAAa,EAAE,4BAA4B,GAC1C,qBAAqB,CA0MvB"}

package/dist/index.js

@@ -1,130 +1,12 @@
 import { xchacha20poly1305 } from '@noble/ciphers/chacha.js';
+import { isRecord } from '@syncular/core';
 import { sql } from 'kysely';
+import { base64ToBytes, base64UrlToBytes, bytesToBase64Url, hexToBytes, randomBytes, } from './crypto-utils.js';
 // Re-export key sharing utilities
-export * from './key-sharing';
+export * from './key-sharing.js';
 const DEFAULT_PREFIX = 'dgsync:e2ee:1:';
 const encoder = new TextEncoder();
 const decoder = new TextDecoder();
-// Base64 lookup tables for universal encoding/decoding (works in all runtimes)
-const BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
-const BASE64_LOOKUP = new Uint8Array(256);
-for (let i = 0; i < BASE64_CHARS.length; i++) {
-    BASE64_LOOKUP[BASE64_CHARS.charCodeAt(i)] = i;
-}
-function isRecord(value) {
-    return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
-function randomBytes(length) {
-    const cryptoObj = globalThis.crypto;
-    if (!cryptoObj?.getRandomValues) {
-        throw new Error('Secure random generator is not available (crypto.getRandomValues). ' +
-            'Ensure you are running in a secure context or polyfill crypto.');
-    }
-    const out = new Uint8Array(length);
-    cryptoObj.getRandomValues(out);
-    return out;
-}
-/**
- * Universal base64 encoding that works in all JavaScript runtimes.
- * Uses Buffer for Node/Bun (fast), lookup table for others (RN-compatible).
- */
-function bytesToBase64(bytes) {
-    // Node/Bun fast path
-    if (typeof Buffer !== 'undefined') {
-        return Buffer.from(bytes).toString('base64');
-    }
-    // Universal fallback using lookup table (works in RN, browsers, etc.)
-    let result = '';
-    const len = bytes.length;
-    const remainder = len % 3;
-    // Process 3 bytes at a time
-    for (let i = 0; i < len - remainder; i += 3) {
-        const a = bytes[i];
-        const b = bytes[i + 1];
-        const c = bytes[i + 2];
-        result +=
-            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
-                BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
-                BASE64_CHARS.charAt(((b << 2) | (c >> 6)) & 0x3f) +
-                BASE64_CHARS.charAt(c & 0x3f);
-    }
-    // Handle remaining bytes
-    if (remainder === 1) {
-        const a = bytes[len - 1];
-        result +=
-            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
-                BASE64_CHARS.charAt((a << 4) & 0x3f) +
-                '==';
-    }
-    else if (remainder === 2) {
-        const a = bytes[len - 2];
-        const b = bytes[len - 1];
-        result +=
-            BASE64_CHARS.charAt((a >> 2) & 0x3f) +
-                BASE64_CHARS.charAt(((a << 4) | (b >> 4)) & 0x3f) +
-                BASE64_CHARS.charAt((b << 2) & 0x3f) +
-                '=';
-    }
-    return result;
-}
-/**
- * Universal base64 decoding that works in all JavaScript runtimes.
- * Uses Buffer for Node/Bun (fast), lookup table for others (RN-compatible).
- */
-function base64ToBytes(base64) {
-    // Node/Bun fast path
-    if (typeof Buffer !== 'undefined') {
-        return new Uint8Array(Buffer.from(base64, 'base64'));
-    }
-    // Universal fallback using lookup table (works in RN, browsers, etc.)
-    // Remove padding and calculate output length
-    const len = base64.length;
-    let padding = 0;
-    if (base64[len - 1] === '=')
-        padding++;
-    if (base64[len - 2] === '=')
-        padding++;
-    const outputLen = (len * 3) / 4 - padding;
-    const out = new Uint8Array(outputLen);
-    let outIdx = 0;
-    for (let i = 0; i < len; i += 4) {
-        const a = BASE64_LOOKUP[base64.charCodeAt(i)];
-        const b = BASE64_LOOKUP[base64.charCodeAt(i + 1)];
-        const c = BASE64_LOOKUP[base64.charCodeAt(i + 2)];
-        const d = BASE64_LOOKUP[base64.charCodeAt(i + 3)];
-        out[outIdx++] = (a << 2) | (b >> 4);
-        if (outIdx < outputLen)
-            out[outIdx++] = ((b << 4) | (c >> 2)) & 0xff;
-        if (outIdx < outputLen)
-            out[outIdx++] = ((c << 6) | d) & 0xff;
-    }
-    return out;
-}
-function bytesToBase64Url(bytes) {
-    return bytesToBase64(bytes)
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=+$/g, '');
-}
-function base64UrlToBytes(base64url) {
-    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
-    const padded = base64 + '==='.slice((base64.length + 3) % 4);
-    return base64ToBytes(padded);
-}
-function hexToBytes(hex) {
-    const normalized = hex.trim().toLowerCase();
-    if (normalized.length % 2 !== 0) {
-        throw new Error('Invalid hex string (length must be even)');
-    }
-    const out = new Uint8Array(normalized.length / 2);
-    for (let i = 0; i < out.length; i++) {
-        const byte = Number.parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
-        if (!Number.isFinite(byte))
-            throw new Error('Invalid hex string');
-        out[i] = byte;
-    }
-    return out;
-}
 function decodeKeyMaterial(key) {
     if (key instanceof Uint8Array)
         return key;
@@ -151,6 +33,9 @@ export function createStaticFieldEncryptionKeys(args) {
             if (!raw)
                 throw new Error(`Missing encryption key for kid "${kid}"`);
             const decoded = decodeKeyMaterial(raw);
+            if (decoded.length !== 32) {
+                throw new Error(`Encryption key for kid "${kid}" must be 32 bytes (got ${decoded.length})`);
+            }
             cache.set(kid, decoded);
             return decoded;
         },
@@ -177,11 +62,16 @@ function decodeEnvelope(prefix, value) {
     const [kid, nonceB64, ctB64] = parts;
     if (!kid || !nonceB64 || !ctB64)
         return null;
-    return {
-        kid,
-        nonce: base64UrlToBytes(nonceB64),
-        ciphertext: base64UrlToBytes(ctB64),
-    };
+    try {
+        return {
+            kid,
+            nonce: base64UrlToBytes(nonceB64),
+            ciphertext: base64UrlToBytes(ctB64),
+        };
+    }
+    catch {
+        return null;
+    }
 }
 async function getKeyOrThrow(keys, kid) {
     const key = await keys.getKey(kid);
@@ -255,6 +145,7 @@ async function decryptValue(args) {
 function buildRuleIndex(rules) {
     const byScopeTable = new Map();
     const tablesByScope = new Map();
+    const scopesByTable = new Map();
     for (const rule of rules) {
         const scope = rule.scope;
         const table = rule.table ?? '*';
@@ -274,9 +165,12 @@ function buildRuleIndex(rules) {
             byScopeTable.set(key, { fields: new Set(rule.fields), rowIdField });
         }
         if (table !== '*') {
-            const set = tablesByScope.get(scope) ?? new Set();
-            set.add(table);
-            tablesByScope.set(scope, set);
+            const tables = tablesByScope.get(scope) ?? new Set();
+            tables.add(table);
+            tablesByScope.set(scope, tables);
+            const scopes = scopesByTable.get(table) ?? new Set();
+            scopes.add(scope);
+            scopesByTable.set(table, scopes);
         }
     }
     // Freeze sets to make accidental mutation harder.
@@ -286,7 +180,7 @@ function buildRuleIndex(rules) {
             rowIdField: v.rowIdField,
         });
     }
-    return { byScopeTable, tablesByScope };
+    return { byScopeTable, tablesByScope, scopesByTable };
 }
 function getRuleConfig(index, args) {
     const exact = index.byScopeTable.get(`${args.scope}\u001f${args.table}`);
@@ -295,6 +189,26 @@ function getRuleConfig(index, args) {
     const wildcard = index.byScopeTable.get(`${args.scope}\u001f*`);
     return wildcard ?? null;
 }
+function resolveScopeAndTable(args) {
+    const direct = getRuleConfig(args.index, {
+        scope: args.identifier,
+        table: args.identifier,
+    });
+    if (direct) {
+        return { scope: args.identifier, table: args.identifier };
+    }
+    const tablesForScope = args.index.tablesByScope.get(args.identifier);
+    if (tablesForScope && tablesForScope.size === 1) {
+        const table = Array.from(tablesForScope)[0];
+        return { scope: args.identifier, table };
+    }
+    const scopesForTable = args.index.scopesByTable.get(args.identifier);
+    if (scopesForTable && scopesForTable.size === 1) {
+        const scope = Array.from(scopesForTable)[0];
+        return { scope, table: args.identifier };
+    }
+    return { scope: args.identifier, table: args.identifier };
+}
 function inferSnapshotTable(args) {
     if (isRecord(args.row)) {
         const tn = args.row.table_name;
@@ -442,7 +356,7 @@ function resolveRefreshTargets(args) {
         fields: Array.from(target.fields),
     }));
 }
-export async function refreshEncryptedFields(options) {
+async function refreshEncryptedFields(options) {
     const prefix = options.envelopePrefix ?? DEFAULT_PREFIX;
     if (!prefix.endsWith(':')) {
         throw new Error('RefreshEncryptedFieldsOptions.envelopePrefix must end with ":"');
@@ -468,6 +382,7 @@ export async function refreshEncryptedFields(options) {
     let rowsScanned = 0;
     let rowsUpdated = 0;
     let fieldsUpdated = 0;
+    const updatedRows = [];
     await options.db.transaction().execute(async (trx) => {
         for (const target of targets) {
             const columns = [target.rowIdField, ...target.fields];
@@ -530,9 +445,21 @@ export async function refreshEncryptedFields(options) {
         `.execute(trx);
                 rowsUpdated += 1;
                 fieldsUpdated += changedFields;
+                updatedRows.push({ table: target.table, rowId });
             }
         }
     });
+    if (updatedRows.length > 0 && options.engine) {
+        const deduped = new Map();
+        for (const row of updatedRows) {
+            deduped.set(`${row.table}\u001f${row.rowId}`, row);
+        }
+        options.engine.recordLocalMutations(Array.from(deduped.values()).map((row) => ({
+            table: row.table,
+            rowId: row.rowId,
+            op: 'upsert',
+        })));
+    }
     return {
         tablesProcessed: targets.length,
         rowsScanned,
@@ -552,6 +479,7 @@ export function createFieldEncryptionPlugin(pluginOptions) {
         name,
         refreshEncryptedFields: (options) => refreshEncryptedFields({
             db: options.db,
+            engine: options.engine,
             rules: pluginOptions.rules,
             keys: pluginOptions.keys,
             envelopePrefix: prefix,
@@ -570,6 +498,10 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                 if (!op.payload)
                     return op;
                 const payload = op.payload;
+                const target = resolveScopeAndTable({
+                    index,
+                    identifier: op.table,
+                });
                 const nextPayload = await transformRecordFields({
                     ctx,
                     index,
@@ -577,8 +509,8 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                     prefix,
                     decryptionErrorMode,
                     mode: 'encrypt',
-                    scope: op.table,
-                    table: op.table,
+                    scope: target.scope,
+                    table: target.table,
                     rowId: op.row_id,
                     record: payload,
                 });
@@ -604,6 +536,10 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                     return r;
                 if (!isRecord(r.server_row))
                     return r;
+                const target = resolveScopeAndTable({
+                    index,
+                    identifier: op.table,
+                });
                 const nextRow = await transformRecordFields({
                     ctx,
                     index,
@@ -611,8 +547,8 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                     prefix,
                     decryptionErrorMode,
                     mode: 'decrypt',
-                    scope: op.table,
-                    table: op.table,
+                    scope: target.scope,
+                    table: target.table,
                     rowId: op.row_id,
                     record: r.server_row,
                 });
@@ -672,6 +608,10 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                             return change;
                         if (!isRecord(change.row_json))
                             return change;
+                        const target = resolveScopeAndTable({
+                            index,
+                            identifier: change.table,
+                        });
                         const nextRow = await transformRecordFields({
                             ctx,
                             index,
@@ -679,8 +619,8 @@ export function createFieldEncryptionPlugin(pluginOptions) {
                             prefix,
                             decryptionErrorMode,
                             mode: 'decrypt',
-                            scope: change.table,
-                            table: change.table,
+                            scope: target.scope,
+                            table: target.table,
                             rowId: change.row_id,
                             record: change.row_json,
                         });