@vollcrypt/db-guard 0.1.2 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +16 -0
- package/LICENSE-COMMERCIAL.md +71 -0
- package/LICENSE-GPL +674 -0
- package/dist/blind-index.d.ts +1 -7
- package/dist/blind-index.js +3 -22
- package/dist/cli.js +3 -3
- package/dist/drivers.js +52 -16
- package/dist/drizzle.js +23 -22
- package/dist/index.d.ts +2 -6
- package/dist/index.js +4 -12
- package/dist/kms.d.ts +10 -0
- package/dist/kms.js +58 -2
- package/dist/mongoose.d.ts +1 -1
- package/dist/mongoose.js +33 -24
- package/dist/prisma.d.ts +4 -24
- package/dist/prisma.js +44 -176
- package/dist/provenance.json +37 -21
- package/dist/provenance.json.sig +2 -1
- package/dist/sbom.json +45 -21
- package/dist/sbom.json.sig +1 -2
- package/dist/security.d.ts +11 -3
- package/dist/security.js +223 -76
- package/dist/typeorm.d.ts +1 -1
- package/dist/typeorm.js +12 -11
- package/package.json +105 -50
package/dist/prisma.d.ts
CHANGED
|
@@ -1,13 +1,6 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { DbGuardKeysOptions } from './kms';
|
|
2
2
|
import { RateLimiterOptions } from './security';
|
|
3
|
-
export interface PrismaDbGuardOptions {
|
|
4
|
-
key?: Buffer | Record<string, Buffer>;
|
|
5
|
-
kms?: {
|
|
6
|
-
provider: KmsProvider;
|
|
7
|
-
wrappedKey: Buffer | Record<string, Buffer>;
|
|
8
|
-
wrappedKek?: Buffer | Record<string, Buffer>;
|
|
9
|
-
activeKeyVersion?: string;
|
|
10
|
-
};
|
|
3
|
+
export interface PrismaDbGuardOptions extends DbGuardKeysOptions {
|
|
11
4
|
models: Record<string, string[]>;
|
|
12
5
|
blindIndexes?: {
|
|
13
6
|
rootSalt: Buffer;
|
|
@@ -31,24 +24,11 @@ export interface PrismaDbGuardOptions {
|
|
|
31
24
|
} | undefined>;
|
|
32
25
|
};
|
|
33
26
|
}
|
|
34
|
-
/**
|
|
35
|
-
* Resolves the plaintext keys asynchronously from local config or KMS provider.
|
|
36
|
-
*/
|
|
37
|
-
export declare function resolveKeys(options: PrismaDbGuardOptions): Promise<Record<string, Buffer>>;
|
|
38
|
-
export declare function encryptValue(val: any, key: Buffer, version: string): string;
|
|
39
|
-
export declare function decryptValue(stored: any, keys: Record<string, Buffer>): any;
|
|
40
|
-
/**
|
|
41
|
-
* Traverses query `where` arguments to rewrite exact match queries on encrypted fields
|
|
42
|
-
* to target shadow `_bidx` columns using dynamic HKDF-SHA256 blind indexing.
|
|
43
|
-
*/
|
|
44
|
-
export declare function rewriteQueryWhere(where: any, fields: string[], rootSalt: Buffer, modelName: string): void;
|
|
45
|
-
/**
|
|
46
|
-
* Appends calculated blind indexes to the write payload (create/update).
|
|
47
|
-
*/
|
|
48
|
-
export declare function addBlindIndexes(data: any, fields: string[], rootSalt: Buffer, modelName: string): void;
|
|
49
27
|
/**
|
|
50
28
|
* Prisma DbGuard Extension Factory
|
|
51
29
|
*
|
|
52
30
|
* Bootstraps client-level field encryption, query translation, and automatic decryption.
|
|
53
31
|
*/
|
|
54
32
|
export declare const prismaDbGuard: (options: PrismaDbGuardOptions, resolvedKeys?: Record<string, Buffer>) => (client: any) => import("@prisma/client").PrismaClientExtends<import("@prisma/client/runtime/library").InternalArgs<{}, {}, {}, {}> & import("@prisma/client/runtime/library").DefaultArgs>;
|
|
33
|
+
export { encryptValue, decryptValue, rewriteQueryWhere, addBlindIndexes } from './security';
|
|
34
|
+
export { resolveKeys } from './kms';
|
package/dist/prisma.js
CHANGED
|
@@ -1,164 +1,8 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.prismaDbGuard = void 0;
|
|
4
|
-
exports.resolveKeys = resolveKeys;
|
|
5
|
-
exports.encryptValue = encryptValue;
|
|
6
|
-
exports.decryptValue = decryptValue;
|
|
7
|
-
exports.rewriteQueryWhere = rewriteQueryWhere;
|
|
8
|
-
exports.addBlindIndexes = addBlindIndexes;
|
|
9
|
-
const client_1 = require("@prisma/client");
|
|
10
|
-
const blind_index_1 = require("./blind-index");
|
|
3
|
+
exports.resolveKeys = exports.addBlindIndexes = exports.rewriteQueryWhere = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
|
|
11
4
|
const kms_1 = require("./kms");
|
|
12
5
|
const security_1 = require("./security");
|
|
13
|
-
/**
|
|
14
|
-
* Resolves the plaintext keys asynchronously from local config or KMS provider.
|
|
15
|
-
*/
|
|
16
|
-
async function resolveKeys(options) {
|
|
17
|
-
let rawKeys = {};
|
|
18
|
-
if (options.key) {
|
|
19
|
-
if (Buffer.isBuffer(options.key)) {
|
|
20
|
-
rawKeys = { '1': options.key };
|
|
21
|
-
}
|
|
22
|
-
else {
|
|
23
|
-
rawKeys = { ...options.key };
|
|
24
|
-
}
|
|
25
|
-
}
|
|
26
|
-
else if (options.kms) {
|
|
27
|
-
const { provider, wrappedKey, wrappedKek } = options.kms;
|
|
28
|
-
if (Buffer.isBuffer(wrappedKey)) {
|
|
29
|
-
if (wrappedKek && Buffer.isBuffer(wrappedKek)) {
|
|
30
|
-
const unwrappedKek = await provider.decrypt(wrappedKek);
|
|
31
|
-
const dek = (0, kms_1.unwrapDekLocal)(wrappedKey, unwrappedKek);
|
|
32
|
-
unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
|
|
33
|
-
rawKeys = { '1': dek };
|
|
34
|
-
}
|
|
35
|
-
else {
|
|
36
|
-
const key = await provider.decrypt(wrappedKey);
|
|
37
|
-
rawKeys = { '1': key };
|
|
38
|
-
}
|
|
39
|
-
}
|
|
40
|
-
else {
|
|
41
|
-
for (const [ver, wrapped] of Object.entries(wrappedKey)) {
|
|
42
|
-
if (wrappedKek) {
|
|
43
|
-
const wKek = Buffer.isBuffer(wrappedKek) ? wrappedKek : wrappedKek[ver];
|
|
44
|
-
if (wKek) {
|
|
45
|
-
const unwrappedKek = await provider.decrypt(wKek);
|
|
46
|
-
const dek = (0, kms_1.unwrapDekLocal)(wrapped, unwrappedKek);
|
|
47
|
-
unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
|
|
48
|
-
rawKeys[ver] = dek;
|
|
49
|
-
}
|
|
50
|
-
else {
|
|
51
|
-
rawKeys[ver] = await provider.decrypt(wrapped);
|
|
52
|
-
}
|
|
53
|
-
}
|
|
54
|
-
else {
|
|
55
|
-
rawKeys[ver] = await provider.decrypt(wrapped);
|
|
56
|
-
}
|
|
57
|
-
}
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
else {
|
|
61
|
-
throw new Error("Either 'key' or 'kms' configuration must be provided.");
|
|
62
|
-
}
|
|
63
|
-
return rawKeys;
|
|
64
|
-
}
|
|
65
|
-
function encryptValue(val, key, version) {
|
|
66
|
-
if (val === null || val === undefined)
|
|
67
|
-
return val;
|
|
68
|
-
const plaintext = typeof val === 'string' ? val : JSON.stringify(val);
|
|
69
|
-
const plaintextBuf = Buffer.from(plaintext, 'utf8');
|
|
70
|
-
const encrypted = security_1.CRYPTO_ALGORITHMS['1'].encrypt(plaintextBuf, key);
|
|
71
|
-
// RAM Security: Zeroize the plaintext buffer immediately
|
|
72
|
-
plaintextBuf.fill(0);
|
|
73
|
-
return `VOLLVALT:v${version}:${encrypted.toString('base64')}`;
|
|
74
|
-
}
|
|
75
|
-
function decryptValue(stored, keys) {
|
|
76
|
-
if (typeof stored !== 'string') {
|
|
77
|
-
return stored;
|
|
78
|
-
}
|
|
79
|
-
const parsed = (0, security_1.parseCiphertext)(stored);
|
|
80
|
-
if (!parsed) {
|
|
81
|
-
return stored;
|
|
82
|
-
}
|
|
83
|
-
const { algoId, version, base64Data } = parsed;
|
|
84
|
-
const key = keys[version];
|
|
85
|
-
if (!key) {
|
|
86
|
-
throw new Error(`Decryption key version "${version}" not found in registered keys`);
|
|
87
|
-
}
|
|
88
|
-
try {
|
|
89
|
-
const encryptedBuf = Buffer.from(base64Data, 'base64');
|
|
90
|
-
const decryptor = security_1.CRYPTO_ALGORITHMS[algoId];
|
|
91
|
-
if (!decryptor) {
|
|
92
|
-
throw new Error(`Unsupported decryption algorithm ID "${algoId}"`);
|
|
93
|
-
}
|
|
94
|
-
const decrypted = decryptor.decrypt(encryptedBuf, key);
|
|
95
|
-
const plaintext = decrypted.toString('utf8');
|
|
96
|
-
// RAM Security: Zeroize the decrypted buffer
|
|
97
|
-
decrypted.fill(0);
|
|
98
|
-
try {
|
|
99
|
-
return JSON.parse(plaintext);
|
|
100
|
-
}
|
|
101
|
-
catch {
|
|
102
|
-
return plaintext;
|
|
103
|
-
}
|
|
104
|
-
}
|
|
105
|
-
catch (err) {
|
|
106
|
-
throw new Error(`Failed to decrypt field value: ${err.message}`);
|
|
107
|
-
}
|
|
108
|
-
}
|
|
109
|
-
/**
|
|
110
|
-
* Traverses query `where` arguments to rewrite exact match queries on encrypted fields
|
|
111
|
-
* to target shadow `_bidx` columns using dynamic HKDF-SHA256 blind indexing.
|
|
112
|
-
*/
|
|
113
|
-
function rewriteQueryWhere(where, fields, rootSalt, modelName) {
|
|
114
|
-
if (!where || typeof where !== 'object')
|
|
115
|
-
return;
|
|
116
|
-
for (const field of fields) {
|
|
117
|
-
if (where[field] !== undefined) {
|
|
118
|
-
const val = where[field];
|
|
119
|
-
const bidxField = `${field}_bidx`;
|
|
120
|
-
if (typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean') {
|
|
121
|
-
where[bidxField] = (0, blind_index_1.computeBlindIndex)(val, rootSalt, `${modelName}.${field}`);
|
|
122
|
-
delete where[field];
|
|
123
|
-
}
|
|
124
|
-
else if (val && typeof val === 'object') {
|
|
125
|
-
if (val.equals !== undefined) {
|
|
126
|
-
where[bidxField] = {
|
|
127
|
-
equals: (0, blind_index_1.computeBlindIndex)(val.equals, rootSalt, `${modelName}.${field}`),
|
|
128
|
-
};
|
|
129
|
-
delete where[field];
|
|
130
|
-
}
|
|
131
|
-
}
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
// Recurse into compound logical operators
|
|
135
|
-
const operators = ['AND', 'OR', 'NOT'];
|
|
136
|
-
for (const op of operators) {
|
|
137
|
-
if (Array.isArray(where[op])) {
|
|
138
|
-
where[op].forEach((item) => rewriteQueryWhere(item, fields, rootSalt, modelName));
|
|
139
|
-
}
|
|
140
|
-
else if (where[op] && typeof where[op] === 'object') {
|
|
141
|
-
rewriteQueryWhere(where[op], fields, rootSalt, modelName);
|
|
142
|
-
}
|
|
143
|
-
}
|
|
144
|
-
}
|
|
145
|
-
/**
|
|
146
|
-
* Appends calculated blind indexes to the write payload (create/update).
|
|
147
|
-
*/
|
|
148
|
-
function addBlindIndexes(data, fields, rootSalt, modelName) {
|
|
149
|
-
if (!data || typeof data !== 'object')
|
|
150
|
-
return;
|
|
151
|
-
if (Array.isArray(data)) {
|
|
152
|
-
data.forEach((item) => addBlindIndexes(item, fields, rootSalt, modelName));
|
|
153
|
-
return;
|
|
154
|
-
}
|
|
155
|
-
for (const field of fields) {
|
|
156
|
-
if (data[field] !== undefined && data[field] !== null) {
|
|
157
|
-
const bidxField = `${field}_bidx`;
|
|
158
|
-
data[bidxField] = (0, blind_index_1.computeBlindIndex)(data[field], rootSalt, `${modelName}.${field}`);
|
|
159
|
-
}
|
|
160
|
-
}
|
|
161
|
-
}
|
|
162
6
|
/**
|
|
163
7
|
* Prisma DbGuard Extension Factory
|
|
164
8
|
*
|
|
@@ -169,10 +13,13 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
169
13
|
if (!keys) {
|
|
170
14
|
if (options.key) {
|
|
171
15
|
if (Buffer.isBuffer(options.key)) {
|
|
172
|
-
keys = { '1': options.key };
|
|
16
|
+
keys = { '1': Buffer.from(options.key) };
|
|
173
17
|
}
|
|
174
18
|
else {
|
|
175
|
-
keys = {
|
|
19
|
+
keys = {};
|
|
20
|
+
for (const [v, k] of Object.entries(options.key)) {
|
|
21
|
+
keys[v] = Buffer.from(k);
|
|
22
|
+
}
|
|
176
23
|
}
|
|
177
24
|
}
|
|
178
25
|
else if (options.kms || options.multiTenant) {
|
|
@@ -183,6 +30,11 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
183
30
|
}
|
|
184
31
|
}
|
|
185
32
|
if (keys) {
|
|
33
|
+
const clonedKeys = {};
|
|
34
|
+
for (const [v, k] of Object.entries(keys)) {
|
|
35
|
+
clonedKeys[v] = Buffer.from(k);
|
|
36
|
+
}
|
|
37
|
+
keys = clonedKeys;
|
|
186
38
|
(0, security_1.registerKeysForZeroization)(keys);
|
|
187
39
|
}
|
|
188
40
|
const activeVersion = options.kms?.activeKeyVersion || '1';
|
|
@@ -194,41 +46,49 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
194
46
|
return { keys: { '1': bgKey }, activeKey: bgKey, activeVersion: '1' };
|
|
195
47
|
}
|
|
196
48
|
}
|
|
197
|
-
if (
|
|
49
|
+
if (options.multiTenant && !tenantId) {
|
|
50
|
+
throw new Error("Vollcrypt Security: tenantId must be provided in multi-tenant mode.");
|
|
51
|
+
}
|
|
52
|
+
if (!options.multiTenant) {
|
|
198
53
|
if (!keys || !activeKey) {
|
|
199
54
|
throw new Error("Vollcrypt Security: Global keys are not resolved.");
|
|
200
55
|
}
|
|
201
56
|
return { keys, activeKey, activeVersion };
|
|
202
57
|
}
|
|
58
|
+
const tId = tenantId;
|
|
203
59
|
// Check Secure TTL Cache
|
|
204
|
-
const cachedActiveKey = (0, security_1.getCachedKey)(
|
|
60
|
+
const cachedActiveKey = (0, security_1.getCachedKey)(tId, activeVersion);
|
|
205
61
|
if (cachedActiveKey) {
|
|
206
62
|
return { keys: { [activeVersion]: cachedActiveKey }, activeKey: cachedActiveKey, activeVersion };
|
|
207
63
|
}
|
|
208
64
|
// Cache miss: resolve configuration
|
|
209
65
|
let tenantConfig;
|
|
210
66
|
if (options.multiTenant.tenants) {
|
|
211
|
-
tenantConfig = options.multiTenant.tenants[
|
|
67
|
+
tenantConfig = options.multiTenant.tenants[tId];
|
|
212
68
|
}
|
|
213
69
|
else if (options.multiTenant.getTenantConfig) {
|
|
214
|
-
tenantConfig = await options.multiTenant.getTenantConfig(
|
|
70
|
+
tenantConfig = await options.multiTenant.getTenantConfig(tId);
|
|
215
71
|
}
|
|
216
72
|
if (!tenantConfig) {
|
|
217
|
-
throw new Error(`Vollcrypt Security: Configuration not found for tenantId "${
|
|
73
|
+
throw new Error(`Vollcrypt Security: Configuration not found for tenantId "${tId}".`);
|
|
218
74
|
}
|
|
219
|
-
const
|
|
75
|
+
const resolvedTenantKeysRaw = await (0, kms_1.resolveKeys)({
|
|
220
76
|
...options,
|
|
221
77
|
key: tenantConfig.key,
|
|
222
78
|
kms: tenantConfig.kms
|
|
223
79
|
});
|
|
224
|
-
|
|
80
|
+
const resolvedTenantKeys = {};
|
|
81
|
+
for (const [v, k] of Object.entries(resolvedTenantKeysRaw)) {
|
|
82
|
+
resolvedTenantKeys[v] = Buffer.from(k);
|
|
83
|
+
}
|
|
84
|
+
(0, security_1.registerKeysForZeroization)(resolvedTenantKeys, tId);
|
|
225
85
|
const tActiveVersion = tenantConfig.kms?.activeKeyVersion || '1';
|
|
226
86
|
const tActiveKey = resolvedTenantKeys[tActiveVersion];
|
|
227
87
|
if (!tActiveKey) {
|
|
228
|
-
throw new Error(`Vollcrypt Security: Active key version "${tActiveVersion}" not found for tenantId "${
|
|
88
|
+
throw new Error(`Vollcrypt Security: Active key version "${tActiveVersion}" not found for tenantId "${tId}".`);
|
|
229
89
|
}
|
|
230
90
|
for (const [ver, keyBuf] of Object.entries(resolvedTenantKeys)) {
|
|
231
|
-
(0, security_1.setCachedKey)(
|
|
91
|
+
(0, security_1.setCachedKey)(tId, ver, keyBuf);
|
|
232
92
|
}
|
|
233
93
|
return { keys: resolvedTenantKeys, activeKey: tActiveKey, activeVersion: tActiveVersion };
|
|
234
94
|
};
|
|
@@ -239,7 +99,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
239
99
|
const cloned = { ...data };
|
|
240
100
|
for (const field of fieldsToEncrypt) {
|
|
241
101
|
if (cloned[field] !== undefined) {
|
|
242
|
-
cloned[field] = encryptValue(cloned[field], encKey, encVer);
|
|
102
|
+
cloned[field] = (0, security_1.encryptValue)(cloned[field], encKey, encVer);
|
|
243
103
|
}
|
|
244
104
|
}
|
|
245
105
|
return cloned;
|
|
@@ -263,7 +123,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
263
123
|
const cloned = { ...result };
|
|
264
124
|
for (const field of fieldsToEncrypt) {
|
|
265
125
|
if (cloned[field] !== undefined) {
|
|
266
|
-
cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => decryptValue(val, decKeys), modelName, field, cloned.id || cloned._id, options);
|
|
126
|
+
cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => (0, security_1.decryptValue)(val, decKeys), modelName, field, cloned.id || cloned._id, options);
|
|
267
127
|
}
|
|
268
128
|
}
|
|
269
129
|
return cloned;
|
|
@@ -285,13 +145,13 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
285
145
|
const bidxFields = options.blindIndexes?.models[modelName];
|
|
286
146
|
if (bidxFields && options.blindIndexes?.rootSalt) {
|
|
287
147
|
if (args.data) {
|
|
288
|
-
addBlindIndexes(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
148
|
+
(0, security_1.addBlindIndexes)(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
289
149
|
}
|
|
290
150
|
if (args.create) {
|
|
291
|
-
addBlindIndexes(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
151
|
+
(0, security_1.addBlindIndexes)(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
292
152
|
}
|
|
293
153
|
if (args.update) {
|
|
294
|
-
addBlindIndexes(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
154
|
+
(0, security_1.addBlindIndexes)(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
295
155
|
}
|
|
296
156
|
}
|
|
297
157
|
};
|
|
@@ -301,10 +161,11 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
301
161
|
// Rewrite queries targeting encrypted columns to use the blind index column
|
|
302
162
|
const bidxFields = options.blindIndexes?.models[modelName];
|
|
303
163
|
if (bidxFields && options.blindIndexes?.rootSalt && args.where) {
|
|
304
|
-
rewriteQueryWhere(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
164
|
+
(0, security_1.rewriteQueryWhere)(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
|
|
305
165
|
}
|
|
306
166
|
};
|
|
307
|
-
|
|
167
|
+
const { Prisma } = require('@prisma/client');
|
|
168
|
+
return Prisma.defineExtension((client) => {
|
|
308
169
|
return client.$extends({
|
|
309
170
|
name: 'vollcrypt-db-guard',
|
|
310
171
|
query: {
|
|
@@ -325,7 +186,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
325
186
|
const encrypted = encryptPayload(model, item, resolved.activeKey, resolved.activeVersion);
|
|
326
187
|
const bidxFields = options.blindIndexes?.models[model];
|
|
327
188
|
if (bidxFields && options.blindIndexes?.rootSalt) {
|
|
328
|
-
addBlindIndexes(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
|
|
189
|
+
(0, security_1.addBlindIndexes)(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
|
|
329
190
|
}
|
|
330
191
|
return encrypted;
|
|
331
192
|
});
|
|
@@ -388,3 +249,10 @@ const prismaDbGuard = (options, resolvedKeys) => {
|
|
|
388
249
|
});
|
|
389
250
|
};
|
|
390
251
|
exports.prismaDbGuard = prismaDbGuard;
|
|
252
|
+
var security_2 = require("./security");
|
|
253
|
+
Object.defineProperty(exports, "encryptValue", { enumerable: true, get: function () { return security_2.encryptValue; } });
|
|
254
|
+
Object.defineProperty(exports, "decryptValue", { enumerable: true, get: function () { return security_2.decryptValue; } });
|
|
255
|
+
Object.defineProperty(exports, "rewriteQueryWhere", { enumerable: true, get: function () { return security_2.rewriteQueryWhere; } });
|
|
256
|
+
Object.defineProperty(exports, "addBlindIndexes", { enumerable: true, get: function () { return security_2.addBlindIndexes; } });
|
|
257
|
+
var kms_2 = require("./kms");
|
|
258
|
+
Object.defineProperty(exports, "resolveKeys", { enumerable: true, get: function () { return kms_2.resolveKeys; } });
|
package/dist/provenance.json
CHANGED
|
@@ -4,13 +4,13 @@
|
|
|
4
4
|
{
|
|
5
5
|
"name": "dist/blind-index.d.ts",
|
|
6
6
|
"digest": {
|
|
7
|
-
"sha256": "
|
|
7
|
+
"sha256": "54df5b23b93c61111ba6124b9557fb4fe3f5e4af8ef18d1aeb5477826679363f"
|
|
8
8
|
}
|
|
9
9
|
},
|
|
10
10
|
{
|
|
11
11
|
"name": "dist/blind-index.js",
|
|
12
12
|
"digest": {
|
|
13
|
-
"sha256": "
|
|
13
|
+
"sha256": "d417966c32408676efa5399b6e960b68d6015d66837b9b2bad9fa0bb9396b4be"
|
|
14
14
|
}
|
|
15
15
|
},
|
|
16
16
|
{
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
{
|
|
23
23
|
"name": "dist/cli.js",
|
|
24
24
|
"digest": {
|
|
25
|
-
"sha256": "
|
|
25
|
+
"sha256": "33c313c9195a9e00099652c3e8fac9eac169ac3b94088222fbe97e7a2e51442a"
|
|
26
26
|
}
|
|
27
27
|
},
|
|
28
28
|
{
|
|
@@ -46,7 +46,7 @@
|
|
|
46
46
|
{
|
|
47
47
|
"name": "dist/drivers.js",
|
|
48
48
|
"digest": {
|
|
49
|
-
"sha256": "
|
|
49
|
+
"sha256": "fac1fd60cc16c2dafa9daf234177fd2f17d41cf1015d4fcd1821adb2cdbdb970"
|
|
50
50
|
}
|
|
51
51
|
},
|
|
52
52
|
{
|
|
@@ -58,79 +58,79 @@
|
|
|
58
58
|
{
|
|
59
59
|
"name": "dist/drizzle.js",
|
|
60
60
|
"digest": {
|
|
61
|
-
"sha256": "
|
|
61
|
+
"sha256": "3686b5a03b627e3262257f6a6d2d3addcb7f2cf3377ece458c434aad3b15d2ba"
|
|
62
62
|
}
|
|
63
63
|
},
|
|
64
64
|
{
|
|
65
65
|
"name": "dist/index.d.ts",
|
|
66
66
|
"digest": {
|
|
67
|
-
"sha256": "
|
|
67
|
+
"sha256": "ed2935e0d96814bcf3192294462ae707acfe6934ce2aed9f859683aed88a3ea8"
|
|
68
68
|
}
|
|
69
69
|
},
|
|
70
70
|
{
|
|
71
71
|
"name": "dist/index.js",
|
|
72
72
|
"digest": {
|
|
73
|
-
"sha256": "
|
|
73
|
+
"sha256": "37b74d238138bb80b65341520257b9390be3cc5b9b1f5adf579894eb4995c2ab"
|
|
74
74
|
}
|
|
75
75
|
},
|
|
76
76
|
{
|
|
77
77
|
"name": "dist/kms.d.ts",
|
|
78
78
|
"digest": {
|
|
79
|
-
"sha256": "
|
|
79
|
+
"sha256": "757dba651cf48b6ab68e11b5c92e8ccc81c1ca6eb9129f60a2a3b224fc4f712e"
|
|
80
80
|
}
|
|
81
81
|
},
|
|
82
82
|
{
|
|
83
83
|
"name": "dist/kms.js",
|
|
84
84
|
"digest": {
|
|
85
|
-
"sha256": "
|
|
85
|
+
"sha256": "1619f068398e57c2044457d18d24ee1c626b54e12153246093d4c51add64368c"
|
|
86
86
|
}
|
|
87
87
|
},
|
|
88
88
|
{
|
|
89
89
|
"name": "dist/mongoose.d.ts",
|
|
90
90
|
"digest": {
|
|
91
|
-
"sha256": "
|
|
91
|
+
"sha256": "18f77aa838f2cd861cd31dd5a03fdfd86d34563a090340177dba1420b5ea9b53"
|
|
92
92
|
}
|
|
93
93
|
},
|
|
94
94
|
{
|
|
95
95
|
"name": "dist/mongoose.js",
|
|
96
96
|
"digest": {
|
|
97
|
-
"sha256": "
|
|
97
|
+
"sha256": "0b7c921d254a3c12d6d0924f3778ac39d7e95383086f1f8a893ff361a29c380b"
|
|
98
98
|
}
|
|
99
99
|
},
|
|
100
100
|
{
|
|
101
101
|
"name": "dist/prisma.d.ts",
|
|
102
102
|
"digest": {
|
|
103
|
-
"sha256": "
|
|
103
|
+
"sha256": "d55f39802671b594be9c0a0512c06cb1828569dea9024c78e890c53085cf0232"
|
|
104
104
|
}
|
|
105
105
|
},
|
|
106
106
|
{
|
|
107
107
|
"name": "dist/prisma.js",
|
|
108
108
|
"digest": {
|
|
109
|
-
"sha256": "
|
|
109
|
+
"sha256": "de57df0c3fc6657a996c804d6deee6ff83f889f457c82f55ea35064df6372eab"
|
|
110
110
|
}
|
|
111
111
|
},
|
|
112
112
|
{
|
|
113
113
|
"name": "dist/security.d.ts",
|
|
114
114
|
"digest": {
|
|
115
|
-
"sha256": "
|
|
115
|
+
"sha256": "dbe2dce83e417dc20d476e5bd476e31c3cf43e58fd363011a77dbc56ab82386f"
|
|
116
116
|
}
|
|
117
117
|
},
|
|
118
118
|
{
|
|
119
119
|
"name": "dist/security.js",
|
|
120
120
|
"digest": {
|
|
121
|
-
"sha256": "
|
|
121
|
+
"sha256": "390eb8dbf9f2eab968445dadc43e1dfa6a13217851aa2b5138a5215059c487ed"
|
|
122
122
|
}
|
|
123
123
|
},
|
|
124
124
|
{
|
|
125
125
|
"name": "dist/typeorm.d.ts",
|
|
126
126
|
"digest": {
|
|
127
|
-
"sha256": "
|
|
127
|
+
"sha256": "47200df068a368cdd80b5818ae8dafc749686f8a09a0be8bd9847b175dd89fe6"
|
|
128
128
|
}
|
|
129
129
|
},
|
|
130
130
|
{
|
|
131
131
|
"name": "dist/typeorm.js",
|
|
132
132
|
"digest": {
|
|
133
|
-
"sha256": "
|
|
133
|
+
"sha256": "80e1908e97ffc89c426e89c71efbbd7dbea98191ec7da8ecc9d37cc439a262d8"
|
|
134
134
|
}
|
|
135
135
|
}
|
|
136
136
|
],
|
|
@@ -141,7 +141,7 @@
|
|
|
141
141
|
"externalParameters": {
|
|
142
142
|
"packageJson": {
|
|
143
143
|
"name": "@vollcrypt/db-guard",
|
|
144
|
-
"version": "0.1
|
|
144
|
+
"version": "0.9.1",
|
|
145
145
|
"scripts": {
|
|
146
146
|
"build": "tsc && node scripts/generate-sbom.js",
|
|
147
147
|
"test": "node --import tsx --test tests/*.test.ts"
|
|
@@ -170,6 +170,22 @@
|
|
|
170
170
|
"uri": "pkg:npm/typeorm@0.3.0",
|
|
171
171
|
"digest": {}
|
|
172
172
|
},
|
|
173
|
+
{
|
|
174
|
+
"uri": "pkg:npm/@aws-sdk/client-kms@3.0.0",
|
|
175
|
+
"digest": {}
|
|
176
|
+
},
|
|
177
|
+
{
|
|
178
|
+
"uri": "pkg:npm/@google-cloud/kms@3.0.0",
|
|
179
|
+
"digest": {}
|
|
180
|
+
},
|
|
181
|
+
{
|
|
182
|
+
"uri": "pkg:npm/node-vault@0.9.0",
|
|
183
|
+
"digest": {}
|
|
184
|
+
},
|
|
185
|
+
{
|
|
186
|
+
"uri": "pkg:npm/pkcs11js@1.0.0",
|
|
187
|
+
"digest": {}
|
|
188
|
+
},
|
|
173
189
|
{
|
|
174
190
|
"uri": "pkg:rust/aes-gcm",
|
|
175
191
|
"digest": {}
|
|
@@ -225,9 +241,9 @@
|
|
|
225
241
|
"id": "https://vollcrypt.dev/builders/local-hermetic-env"
|
|
226
242
|
},
|
|
227
243
|
"metadata": {
|
|
228
|
-
"invocationId": "
|
|
229
|
-
"startedOn": "2026-
|
|
230
|
-
"finishedOn": "2026-
|
|
244
|
+
"invocationId": "e52b6b317496bccb3dd2fbc3c609d1f0",
|
|
245
|
+
"startedOn": "2026-07-09T19:07:03.950Z",
|
|
246
|
+
"finishedOn": "2026-07-09T19:07:03.951Z"
|
|
231
247
|
}
|
|
232
248
|
}
|
|
233
249
|
}
|
package/dist/provenance.json.sig
CHANGED
|
@@ -1 +1,2 @@
|
|
|
1
|
-
|
|
1
|
+
T&�~����*F��
|
|
2
|
+
p��ƕ�A9�>t���V7��b���ޡA����z�oח�%!��)�
|