@vollcrypt/db-guard 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/prisma.js CHANGED
@@ -1,172 +1,8 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.prismaDbGuard = void 0;
4
- exports.resolveKeys = resolveKeys;
5
- exports.encryptValue = encryptValue;
6
- exports.decryptValue = decryptValue;
7
- exports.rewriteQueryWhere = rewriteQueryWhere;
8
- exports.addBlindIndexes = addBlindIndexes;
9
- const client_1 = require("@prisma/client");
10
- const blind_index_1 = require("./blind-index");
3
+ exports.resolveKeys = exports.addBlindIndexes = exports.rewriteQueryWhere = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
11
4
  const kms_1 = require("./kms");
12
5
  const security_1 = require("./security");
13
- /**
14
- * Resolves the plaintext keys asynchronously from local config or KMS provider.
15
- */
16
- async function resolveKeys(options) {
17
- let rawKeys = {};
18
- if (options.key) {
19
- if (Buffer.isBuffer(options.key)) {
20
- rawKeys = { '1': options.key };
21
- }
22
- else {
23
- rawKeys = { ...options.key };
24
- }
25
- }
26
- else if (options.kms) {
27
- const { provider, wrappedKey, wrappedKek } = options.kms;
28
- if (Buffer.isBuffer(wrappedKey)) {
29
- if (wrappedKek && Buffer.isBuffer(wrappedKek)) {
30
- const unwrappedKek = await provider.decrypt(wrappedKek);
31
- const dek = (0, kms_1.unwrapDekLocal)(wrappedKey, unwrappedKek);
32
- unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
33
- rawKeys = { '1': dek };
34
- }
35
- else {
36
- const key = await provider.decrypt(wrappedKey);
37
- rawKeys = { '1': key };
38
- }
39
- }
40
- else {
41
- for (const [ver, wrapped] of Object.entries(wrappedKey)) {
42
- if (wrappedKek) {
43
- const wKek = Buffer.isBuffer(wrappedKek) ? wrappedKek : wrappedKek[ver];
44
- if (wKek) {
45
- const unwrappedKek = await provider.decrypt(wKek);
46
- const dek = (0, kms_1.unwrapDekLocal)(wrapped, unwrappedKek);
47
- unwrappedKek.fill(0); // RAM Security: zeroize KEK immediately
48
- rawKeys[ver] = dek;
49
- }
50
- else {
51
- rawKeys[ver] = await provider.decrypt(wrapped);
52
- }
53
- }
54
- else {
55
- rawKeys[ver] = await provider.decrypt(wrapped);
56
- }
57
- }
58
- }
59
- }
60
- else {
61
- throw new Error("Either 'key' or 'kms' configuration must be provided.");
62
- }
63
- return rawKeys;
64
- }
65
- function encryptValue(val, key, version) {
66
- if (val === null || val === undefined)
67
- return val;
68
- const context = security_1.dbGuardContextStore.getStore();
69
- const tId = context?.tenantId || 'global';
70
- if (key.every(b => b === 0) || (0, security_1.getFailClosedStatus)(tId)) {
71
- throw new Error(`Vollcrypt Security: Fail-Closed mode is active for tenant "${tId}". Encryption blocked.`);
72
- }
73
- const plaintext = typeof val === 'string' ? val : JSON.stringify(val);
74
- const plaintextBuf = Buffer.from(plaintext, 'utf8');
75
- const encrypted = security_1.CRYPTO_ALGORITHMS['1'].encrypt(plaintextBuf, key);
76
- // RAM Security: Zeroize the plaintext buffer immediately
77
- plaintextBuf.fill(0);
78
- return `VOLLVALT:v${version}:${encrypted.toString('base64')}`;
79
- }
80
- function decryptValue(stored, keys) {
81
- if (typeof stored !== 'string') {
82
- return stored;
83
- }
84
- const parsed = (0, security_1.parseCiphertext)(stored);
85
- if (!parsed) {
86
- return stored;
87
- }
88
- const { algoId, version, base64Data } = parsed;
89
- const key = keys[version];
90
- if (!key) {
91
- throw new Error(`Decryption key version "${version}" not found in registered keys`);
92
- }
93
- if (key.every(b => b === 0)) {
94
- throw new Error(`Vollcrypt Security: Decryption blocked. Key version "${version}" is zeroized due to a Fail-Closed event.`);
95
- }
96
- try {
97
- const encryptedBuf = Buffer.from(base64Data, 'base64');
98
- const decryptor = security_1.CRYPTO_ALGORITHMS[algoId];
99
- if (!decryptor) {
100
- throw new Error(`Unsupported decryption algorithm ID "${algoId}"`);
101
- }
102
- const decrypted = decryptor.decrypt(encryptedBuf, key);
103
- const plaintext = decrypted.toString('utf8');
104
- // RAM Security: Zeroize the decrypted buffer
105
- decrypted.fill(0);
106
- try {
107
- return JSON.parse(plaintext);
108
- }
109
- catch {
110
- return plaintext;
111
- }
112
- }
113
- catch (err) {
114
- throw new Error(`Failed to decrypt field value: ${err.message}`);
115
- }
116
- }
117
- /**
118
- * Traverses query `where` arguments to rewrite exact match queries on encrypted fields
119
- * to target shadow `_bidx` columns using dynamic HKDF-SHA256 blind indexing.
120
- */
121
- function rewriteQueryWhere(where, fields, rootSalt, modelName) {
122
- if (!where || typeof where !== 'object')
123
- return;
124
- for (const field of fields) {
125
- if (where[field] !== undefined) {
126
- const val = where[field];
127
- const bidxField = `${field}_bidx`;
128
- if (typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean') {
129
- where[bidxField] = (0, blind_index_1.computeBlindIndex)(val, rootSalt, `${modelName}.${field}`);
130
- delete where[field];
131
- }
132
- else if (val && typeof val === 'object') {
133
- if (val.equals !== undefined) {
134
- where[bidxField] = {
135
- equals: (0, blind_index_1.computeBlindIndex)(val.equals, rootSalt, `${modelName}.${field}`),
136
- };
137
- delete where[field];
138
- }
139
- }
140
- }
141
- }
142
- // Recurse into compound logical operators
143
- const operators = ['AND', 'OR', 'NOT'];
144
- for (const op of operators) {
145
- if (Array.isArray(where[op])) {
146
- where[op].forEach((item) => rewriteQueryWhere(item, fields, rootSalt, modelName));
147
- }
148
- else if (where[op] && typeof where[op] === 'object') {
149
- rewriteQueryWhere(where[op], fields, rootSalt, modelName);
150
- }
151
- }
152
- }
153
- /**
154
- * Appends calculated blind indexes to the write payload (create/update).
155
- */
156
- function addBlindIndexes(data, fields, rootSalt, modelName) {
157
- if (!data || typeof data !== 'object')
158
- return;
159
- if (Array.isArray(data)) {
160
- data.forEach((item) => addBlindIndexes(item, fields, rootSalt, modelName));
161
- return;
162
- }
163
- for (const field of fields) {
164
- if (data[field] !== undefined && data[field] !== null) {
165
- const bidxField = `${field}_bidx`;
166
- data[bidxField] = (0, blind_index_1.computeBlindIndex)(data[field], rootSalt, `${modelName}.${field}`);
167
- }
168
- }
169
- }
170
6
  /**
171
7
  * Prisma DbGuard Extension Factory
172
8
  *
@@ -236,7 +72,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
236
72
  if (!tenantConfig) {
237
73
  throw new Error(`Vollcrypt Security: Configuration not found for tenantId "${tId}".`);
238
74
  }
239
- const resolvedTenantKeysRaw = await resolveKeys({
75
+ const resolvedTenantKeysRaw = await (0, kms_1.resolveKeys)({
240
76
  ...options,
241
77
  key: tenantConfig.key,
242
78
  kms: tenantConfig.kms
@@ -263,7 +99,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
263
99
  const cloned = { ...data };
264
100
  for (const field of fieldsToEncrypt) {
265
101
  if (cloned[field] !== undefined) {
266
- cloned[field] = encryptValue(cloned[field], encKey, encVer);
102
+ cloned[field] = (0, security_1.encryptValue)(cloned[field], encKey, encVer);
267
103
  }
268
104
  }
269
105
  return cloned;
@@ -287,7 +123,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
287
123
  const cloned = { ...result };
288
124
  for (const field of fieldsToEncrypt) {
289
125
  if (cloned[field] !== undefined) {
290
- cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => decryptValue(val, decKeys), modelName, field, cloned.id || cloned._id, options);
126
+ cloned[field] = (0, security_1.decryptWithSecurity)(cloned[field], (val) => (0, security_1.decryptValue)(val, decKeys), modelName, field, cloned.id || cloned._id, options);
291
127
  }
292
128
  }
293
129
  return cloned;
@@ -309,13 +145,13 @@ const prismaDbGuard = (options, resolvedKeys) => {
309
145
  const bidxFields = options.blindIndexes?.models[modelName];
310
146
  if (bidxFields && options.blindIndexes?.rootSalt) {
311
147
  if (args.data) {
312
- addBlindIndexes(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
148
+ (0, security_1.addBlindIndexes)(args.data, bidxFields, options.blindIndexes.rootSalt, modelName);
313
149
  }
314
150
  if (args.create) {
315
- addBlindIndexes(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
151
+ (0, security_1.addBlindIndexes)(args.create, bidxFields, options.blindIndexes.rootSalt, modelName);
316
152
  }
317
153
  if (args.update) {
318
- addBlindIndexes(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
154
+ (0, security_1.addBlindIndexes)(args.update, bidxFields, options.blindIndexes.rootSalt, modelName);
319
155
  }
320
156
  }
321
157
  };
@@ -325,10 +161,11 @@ const prismaDbGuard = (options, resolvedKeys) => {
325
161
  // Rewrite queries targeting encrypted columns to use the blind index column
326
162
  const bidxFields = options.blindIndexes?.models[modelName];
327
163
  if (bidxFields && options.blindIndexes?.rootSalt && args.where) {
328
- rewriteQueryWhere(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
164
+ (0, security_1.rewriteQueryWhere)(args.where, bidxFields, options.blindIndexes.rootSalt, modelName);
329
165
  }
330
166
  };
331
- return client_1.Prisma.defineExtension((client) => {
167
+ const { Prisma } = require('@prisma/client');
168
+ return Prisma.defineExtension((client) => {
332
169
  return client.$extends({
333
170
  name: 'vollcrypt-db-guard',
334
171
  query: {
@@ -349,7 +186,7 @@ const prismaDbGuard = (options, resolvedKeys) => {
349
186
  const encrypted = encryptPayload(model, item, resolved.activeKey, resolved.activeVersion);
350
187
  const bidxFields = options.blindIndexes?.models[model];
351
188
  if (bidxFields && options.blindIndexes?.rootSalt) {
352
- addBlindIndexes(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
189
+ (0, security_1.addBlindIndexes)(encrypted, bidxFields, options.blindIndexes.rootSalt, model);
353
190
  }
354
191
  return encrypted;
355
192
  });
@@ -412,3 +249,10 @@ const prismaDbGuard = (options, resolvedKeys) => {
412
249
  });
413
250
  };
414
251
  exports.prismaDbGuard = prismaDbGuard;
252
+ var security_2 = require("./security");
253
+ Object.defineProperty(exports, "encryptValue", { enumerable: true, get: function () { return security_2.encryptValue; } });
254
+ Object.defineProperty(exports, "decryptValue", { enumerable: true, get: function () { return security_2.decryptValue; } });
255
+ Object.defineProperty(exports, "rewriteQueryWhere", { enumerable: true, get: function () { return security_2.rewriteQueryWhere; } });
256
+ Object.defineProperty(exports, "addBlindIndexes", { enumerable: true, get: function () { return security_2.addBlindIndexes; } });
257
+ var kms_2 = require("./kms");
258
+ Object.defineProperty(exports, "resolveKeys", { enumerable: true, get: function () { return kms_2.resolveKeys; } });
@@ -4,13 +4,13 @@
4
4
  {
5
5
  "name": "dist/blind-index.d.ts",
6
6
  "digest": {
7
- "sha256": "7e613b58cf47bc14d647cfbfa2a9cc0f9e805dbab7562daa00ac679c30830ba7"
7
+ "sha256": "54df5b23b93c61111ba6124b9557fb4fe3f5e4af8ef18d1aeb5477826679363f"
8
8
  }
9
9
  },
10
10
  {
11
11
  "name": "dist/blind-index.js",
12
12
  "digest": {
13
- "sha256": "83364c9d2a86d43f775f15537ee10bdfb8e06c852adceb5b3c7358bcfc412907"
13
+ "sha256": "d417966c32408676efa5399b6e960b68d6015d66837b9b2bad9fa0bb9396b4be"
14
14
  }
15
15
  },
16
16
  {
@@ -22,7 +22,7 @@
22
22
  {
23
23
  "name": "dist/cli.js",
24
24
  "digest": {
25
- "sha256": "bf91d9b9d820796590d8b030e409031623d177e45cc487da8bcb66af13078ec0"
25
+ "sha256": "33c313c9195a9e00099652c3e8fac9eac169ac3b94088222fbe97e7a2e51442a"
26
26
  }
27
27
  },
28
28
  {
@@ -46,7 +46,7 @@
46
46
  {
47
47
  "name": "dist/drivers.js",
48
48
  "digest": {
49
- "sha256": "4b418fae086ee440bd1c9fe99328c86923ab83467ecfb70fd9bb4ebee324e7f6"
49
+ "sha256": "fac1fd60cc16c2dafa9daf234177fd2f17d41cf1015d4fcd1821adb2cdbdb970"
50
50
  }
51
51
  },
52
52
  {
@@ -58,79 +58,79 @@
58
58
  {
59
59
  "name": "dist/drizzle.js",
60
60
  "digest": {
61
- "sha256": "c7b3210b0cca48f2b45c5b789cea13f55f14fc2c620e155d15987b9b8e434f4a"
61
+ "sha256": "3686b5a03b627e3262257f6a6d2d3addcb7f2cf3377ece458c434aad3b15d2ba"
62
62
  }
63
63
  },
64
64
  {
65
65
  "name": "dist/index.d.ts",
66
66
  "digest": {
67
- "sha256": "a4864c4ea0bb9e9cc9bc1f58cdbc31863e5543a572e6049ee900b53b9fecb003"
67
+ "sha256": "ed2935e0d96814bcf3192294462ae707acfe6934ce2aed9f859683aed88a3ea8"
68
68
  }
69
69
  },
70
70
  {
71
71
  "name": "dist/index.js",
72
72
  "digest": {
73
- "sha256": "496292f1edd16bd779f6e8712291c4b90e5b3f404d71b54f5c369c6736c26814"
73
+ "sha256": "37b74d238138bb80b65341520257b9390be3cc5b9b1f5adf579894eb4995c2ab"
74
74
  }
75
75
  },
76
76
  {
77
77
  "name": "dist/kms.d.ts",
78
78
  "digest": {
79
- "sha256": "822f37608176917f438febaaea06a3b65508c45474bd7e137c4df815c50b4854"
79
+ "sha256": "757dba651cf48b6ab68e11b5c92e8ccc81c1ca6eb9129f60a2a3b224fc4f712e"
80
80
  }
81
81
  },
82
82
  {
83
83
  "name": "dist/kms.js",
84
84
  "digest": {
85
- "sha256": "5c748722412b465c01cebd70e2242836f8f0c10f4303189548061f88d67eb4e4"
85
+ "sha256": "1619f068398e57c2044457d18d24ee1c626b54e12153246093d4c51add64368c"
86
86
  }
87
87
  },
88
88
  {
89
89
  "name": "dist/mongoose.d.ts",
90
90
  "digest": {
91
- "sha256": "a3bf00d62fecf9266325a9dd18c4ec272de9559355dbf3f9f43836a4688fe86b"
91
+ "sha256": "18f77aa838f2cd861cd31dd5a03fdfd86d34563a090340177dba1420b5ea9b53"
92
92
  }
93
93
  },
94
94
  {
95
95
  "name": "dist/mongoose.js",
96
96
  "digest": {
97
- "sha256": "a2ff33065a1c52707bdc3b7b1b49e79c5878e7edc547e219779426d3376a8f5b"
97
+ "sha256": "0b7c921d254a3c12d6d0924f3778ac39d7e95383086f1f8a893ff361a29c380b"
98
98
  }
99
99
  },
100
100
  {
101
101
  "name": "dist/prisma.d.ts",
102
102
  "digest": {
103
- "sha256": "f6b85a786a9bb964f0620df4bcad0787e5c972e853df35551cf8fc902bb79691"
103
+ "sha256": "d55f39802671b594be9c0a0512c06cb1828569dea9024c78e890c53085cf0232"
104
104
  }
105
105
  },
106
106
  {
107
107
  "name": "dist/prisma.js",
108
108
  "digest": {
109
- "sha256": "dc5d221dfc6e2f790fd13abc1408e98e4d8a3a1f61ee876cc691963d5517395a"
109
+ "sha256": "de57df0c3fc6657a996c804d6deee6ff83f889f457c82f55ea35064df6372eab"
110
110
  }
111
111
  },
112
112
  {
113
113
  "name": "dist/security.d.ts",
114
114
  "digest": {
115
- "sha256": "6fed9ab5d0e7d940fd8e0e65f3e0a6be6581fbeddb82a6ad9706397efa4ec2b2"
115
+ "sha256": "dbe2dce83e417dc20d476e5bd476e31c3cf43e58fd363011a77dbc56ab82386f"
116
116
  }
117
117
  },
118
118
  {
119
119
  "name": "dist/security.js",
120
120
  "digest": {
121
- "sha256": "a7323f84eaa90838dcaba18f82cba8c48d6fdb708715786cae1c60bdaeb0050d"
121
+ "sha256": "390eb8dbf9f2eab968445dadc43e1dfa6a13217851aa2b5138a5215059c487ed"
122
122
  }
123
123
  },
124
124
  {
125
125
  "name": "dist/typeorm.d.ts",
126
126
  "digest": {
127
- "sha256": "6cc82bbbe82e260abcc789495fe85f984138c5c8368901881edaece1ffa46d8c"
127
+ "sha256": "47200df068a368cdd80b5818ae8dafc749686f8a09a0be8bd9847b175dd89fe6"
128
128
  }
129
129
  },
130
130
  {
131
131
  "name": "dist/typeorm.js",
132
132
  "digest": {
133
- "sha256": "d88d0aa0eff62675e732c5fd2f7c7885d601d5234729687aecbd5b1282e6a7bd"
133
+ "sha256": "80e1908e97ffc89c426e89c71efbbd7dbea98191ec7da8ecc9d37cc439a262d8"
134
134
  }
135
135
  }
136
136
  ],
@@ -141,7 +141,7 @@
141
141
  "externalParameters": {
142
142
  "packageJson": {
143
143
  "name": "@vollcrypt/db-guard",
144
- "version": "0.9.0",
144
+ "version": "0.9.1",
145
145
  "scripts": {
146
146
  "build": "tsc && node scripts/generate-sbom.js",
147
147
  "test": "node --import tsx --test tests/*.test.ts"
@@ -241,9 +241,9 @@
241
241
  "id": "https://vollcrypt.dev/builders/local-hermetic-env"
242
242
  },
243
243
  "metadata": {
244
- "invocationId": "394b345f273d241cc656eb0efdf34f57",
245
- "startedOn": "2026-07-08T14:31:16.765Z",
246
- "finishedOn": "2026-07-08T14:31:16.767Z"
244
+ "invocationId": "e52b6b317496bccb3dd2fbc3c609d1f0",
245
+ "startedOn": "2026-07-09T19:07:03.950Z",
246
+ "finishedOn": "2026-07-09T19:07:03.951Z"
247
247
  }
248
248
  }
249
249
  }
@@ -1 +1,2 @@
1
- &�/�!/�[ 5_\4|�%�u����C>t}���Ɋ��kV[�3SI!�#� K�%#�cP��
1
+ T&�~���� *F��
2
+ p��ƕ�A9�>t���V7��b���ޡA����z�oח�%!��)�
package/dist/sbom.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "bomFormat": "CycloneDX",
3
3
  "specVersion": "1.5",
4
- "serialNumber": "urn:uuid:dc37a041-235d-478b-85b1-b33d761679d6",
4
+ "serialNumber": "urn:uuid:54f5fdbd-84b0-47fe-95c1-e86fe565dcf8",
5
5
  "version": 1,
6
6
  "metadata": {
7
- "timestamp": "2026-07-08T14:31:16.765Z",
7
+ "timestamp": "2026-07-09T19:07:03.950Z",
8
8
  "tools": [
9
9
  {
10
10
  "vendor": "Vollcrypt",
@@ -13,19 +13,19 @@
13
13
  }
14
14
  ],
15
15
  "component": {
16
- "bomRef": "pkg:npm/@vollcrypt/db-guard@0.9.0",
16
+ "bomRef": "pkg:npm/@vollcrypt/db-guard@0.9.1",
17
17
  "type": "library",
18
18
  "name": "@vollcrypt/db-guard",
19
- "version": "0.9.0",
19
+ "version": "0.9.1",
20
20
  "description": "Database field-level encryption integrations for Vollcrypt (Prisma, Mongoose, Drizzle, TypeORM)",
21
21
  "hashes": [
22
22
  {
23
23
  "alg": "SHA-256",
24
- "content": "7e613b58cf47bc14d647cfbfa2a9cc0f9e805dbab7562daa00ac679c30830ba7"
24
+ "content": "54df5b23b93c61111ba6124b9557fb4fe3f5e4af8ef18d1aeb5477826679363f"
25
25
  },
26
26
  {
27
27
  "alg": "SHA-256",
28
- "content": "83364c9d2a86d43f775f15537ee10bdfb8e06c852adceb5b3c7358bcfc412907"
28
+ "content": "d417966c32408676efa5399b6e960b68d6015d66837b9b2bad9fa0bb9396b4be"
29
29
  },
30
30
  {
31
31
  "alg": "SHA-256",
@@ -33,7 +33,7 @@
33
33
  },
34
34
  {
35
35
  "alg": "SHA-256",
36
- "content": "bf91d9b9d820796590d8b030e409031623d177e45cc487da8bcb66af13078ec0"
36
+ "content": "33c313c9195a9e00099652c3e8fac9eac169ac3b94088222fbe97e7a2e51442a"
37
37
  },
38
38
  {
39
39
  "alg": "SHA-256",
@@ -49,7 +49,7 @@
49
49
  },
50
50
  {
51
51
  "alg": "SHA-256",
52
- "content": "4b418fae086ee440bd1c9fe99328c86923ab83467ecfb70fd9bb4ebee324e7f6"
52
+ "content": "fac1fd60cc16c2dafa9daf234177fd2f17d41cf1015d4fcd1821adb2cdbdb970"
53
53
  },
54
54
  {
55
55
  "alg": "SHA-256",
@@ -57,55 +57,55 @@
57
57
  },
58
58
  {
59
59
  "alg": "SHA-256",
60
- "content": "c7b3210b0cca48f2b45c5b789cea13f55f14fc2c620e155d15987b9b8e434f4a"
60
+ "content": "3686b5a03b627e3262257f6a6d2d3addcb7f2cf3377ece458c434aad3b15d2ba"
61
61
  },
62
62
  {
63
63
  "alg": "SHA-256",
64
- "content": "a4864c4ea0bb9e9cc9bc1f58cdbc31863e5543a572e6049ee900b53b9fecb003"
64
+ "content": "ed2935e0d96814bcf3192294462ae707acfe6934ce2aed9f859683aed88a3ea8"
65
65
  },
66
66
  {
67
67
  "alg": "SHA-256",
68
- "content": "496292f1edd16bd779f6e8712291c4b90e5b3f404d71b54f5c369c6736c26814"
68
+ "content": "37b74d238138bb80b65341520257b9390be3cc5b9b1f5adf579894eb4995c2ab"
69
69
  },
70
70
  {
71
71
  "alg": "SHA-256",
72
- "content": "822f37608176917f438febaaea06a3b65508c45474bd7e137c4df815c50b4854"
72
+ "content": "757dba651cf48b6ab68e11b5c92e8ccc81c1ca6eb9129f60a2a3b224fc4f712e"
73
73
  },
74
74
  {
75
75
  "alg": "SHA-256",
76
- "content": "5c748722412b465c01cebd70e2242836f8f0c10f4303189548061f88d67eb4e4"
76
+ "content": "1619f068398e57c2044457d18d24ee1c626b54e12153246093d4c51add64368c"
77
77
  },
78
78
  {
79
79
  "alg": "SHA-256",
80
- "content": "a3bf00d62fecf9266325a9dd18c4ec272de9559355dbf3f9f43836a4688fe86b"
80
+ "content": "18f77aa838f2cd861cd31dd5a03fdfd86d34563a090340177dba1420b5ea9b53"
81
81
  },
82
82
  {
83
83
  "alg": "SHA-256",
84
- "content": "a2ff33065a1c52707bdc3b7b1b49e79c5878e7edc547e219779426d3376a8f5b"
84
+ "content": "0b7c921d254a3c12d6d0924f3778ac39d7e95383086f1f8a893ff361a29c380b"
85
85
  },
86
86
  {
87
87
  "alg": "SHA-256",
88
- "content": "f6b85a786a9bb964f0620df4bcad0787e5c972e853df35551cf8fc902bb79691"
88
+ "content": "d55f39802671b594be9c0a0512c06cb1828569dea9024c78e890c53085cf0232"
89
89
  },
90
90
  {
91
91
  "alg": "SHA-256",
92
- "content": "dc5d221dfc6e2f790fd13abc1408e98e4d8a3a1f61ee876cc691963d5517395a"
92
+ "content": "de57df0c3fc6657a996c804d6deee6ff83f889f457c82f55ea35064df6372eab"
93
93
  },
94
94
  {
95
95
  "alg": "SHA-256",
96
- "content": "6fed9ab5d0e7d940fd8e0e65f3e0a6be6581fbeddb82a6ad9706397efa4ec2b2"
96
+ "content": "dbe2dce83e417dc20d476e5bd476e31c3cf43e58fd363011a77dbc56ab82386f"
97
97
  },
98
98
  {
99
99
  "alg": "SHA-256",
100
- "content": "a7323f84eaa90838dcaba18f82cba8c48d6fdb708715786cae1c60bdaeb0050d"
100
+ "content": "390eb8dbf9f2eab968445dadc43e1dfa6a13217851aa2b5138a5215059c487ed"
101
101
  },
102
102
  {
103
103
  "alg": "SHA-256",
104
- "content": "6cc82bbbe82e260abcc789495fe85f984138c5c8368901881edaece1ffa46d8c"
104
+ "content": "47200df068a368cdd80b5818ae8dafc749686f8a09a0be8bd9847b175dd89fe6"
105
105
  },
106
106
  {
107
107
  "alg": "SHA-256",
108
- "content": "d88d0aa0eff62675e732c5fd2f7c7885d601d5234729687aecbd5b1282e6a7bd"
108
+ "content": "80e1908e97ffc89c426e89c71efbbd7dbea98191ec7da8ecc9d37cc439a262d8"
109
109
  }
110
110
  ]
111
111
  },
@@ -1,2 +1 @@
1
- ���ǂDm�`�� Z>s=��"Y&��ؐ7�#b"h��S��W��
2
- "�ޚ���*P?��
1
+ �0��cWA��8��c.*�+�F֛�U��g{s_7O�=��$�V�¿��Я�n9�Ҧ�
@@ -88,3 +88,11 @@ export declare function parseCiphertext(stored: string): {
88
88
  version: string;
89
89
  base64Data: string;
90
90
  } | null;
91
+ /**
92
+ * Computes a hardened, frequency-resistant blind index for a database field.
93
+ */
94
+ export declare function computeBlindIndex(value: any, rootSalt: Buffer, columnName: string): string;
95
+ export declare function encryptValue(val: any, key: Buffer, version: string): string;
96
+ export declare function decryptValue(stored: any, keys: Record<string, Buffer>): any;
97
+ export declare function rewriteQueryWhere(where: any, fields: string[], rootSalt: Buffer, modelName: string): void;
98
+ export declare function addBlindIndexes(data: any, fields: string[], rootSalt: Buffer, modelName: string): void;