aegis-lock 2.0.0 → 2.0.1

package/README.md

@@ -1,9 +1,17 @@
 # aegis-lock
 
-**Database-agnostic client-side AES-256-GCM field-level encryption.**
+[![npm version](https://badge.fury.io/js/aegis-lock.svg)](https://badge.fury.io/js/aegis-lock)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Database-agnostic client-side AES-256-GCM field-level encryption with Contextual Binding and Blind Indexing.**
 
 Encrypt sensitive fields before they leave the browser or server. Decrypt after select. Zero plaintext hits the wire or your database. Works with **Supabase**, **MongoDB**, or any database via custom adapters.
 
+> **⚠️ SECURITY WARNING:** `aegis-lock` provides the cryptographic primitives, but **you are responsible for your keys.** Never hardcode `CryptoKey` exports in your source code. Always use a secure Key Management Service (KMS) or strict, vault-backed environment variables to inject your keys at runtime.
+
+## Requirements
+* Node.js 18+ (or any environment supporting the standard Web Crypto API, such as modern browsers, Cloudflare Workers, or Vercel Edge functions).
+
 ## Install
 
 ```bash
@@ -14,26 +22,41 @@ npm install aegis-lock
 
 ```typescript
 import { createClient } from "@supabase/supabase-js";
-import { AegisClient, SupabaseAdapter, generateKey, exportKey } from "aegis-lock";
+import { AegisClient, SupabaseAdapter, generateKey, generateBidxKey, exportKey } from "aegis-lock";
 
 const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 const adapter = new SupabaseAdapter(supabase);
 
+// Generate your master encryption key and searchable blind index key
 const key = await generateKey();
-const exported = await exportKey(key); // save this securely!
-
-const aegis = new AegisClient(adapter, key, {
-  secure_fields: ["encrypted_content", "ssn", "credit_card"],
-});
+const bidxKey = await generateBidxKey(); 
+
+// Export and save these securely! e.g., await exportKey(key)
+
+const aegis = new AegisClient({
+  adapter,
+  primaryKeyField: "record_id", // REQUIRED: Binds ciphertext to the row to prevent tampering
+  encryptedFields: {
+    secure_fields: ["encrypted_content", "ssn", "email"]
+  },
+  bidxFields: {
+    secure_fields: ["email"] // Optional: Creates an 'email_bidx' column for searching
+  }
+}, key, bidxKey);
 
-// Insert — fields are auto-encrypted
+// Insert — fields are auto-encrypted. 
+// Note: You MUST provide the primary key application-side!
 await aegis.insert("secure_fields", {
-  record_id: "some-uuid",
+  record_id: "uuid-1234-5678", 
+  email: "alice@example.com",
   encrypted_content: "Top secret",
 });
 
-// Select — fields are auto-decrypted
-const { data } = await aegis.select("secure_fields");
+// Select — Aegis automatically hashes the email to search the 'email_bidx' column securely
+const { data } = await aegis.select("secure_fields", { 
+  column: "email", 
+  value: "alice@example.com" 
+});
 ```
 
 ## Quick Start — MongoDB
@@ -41,6 +64,7 @@ const { data } = await aegis.select("secure_fields");
 ```typescript
 import { MongoClient } from "mongodb";
 import { AegisClient, MongoDBAdapter, generateKey } from "aegis-lock";
+import { v4 as uuidv4 } from "uuid";
 
 const mongo = new MongoClient("mongodb://localhost:27017");
 await mongo.connect();
@@ -48,11 +72,18 @@ const adapter = new MongoDBAdapter(mongo.db("myapp"));
 
 const key = await generateKey();
 
-const aegis = new AegisClient(adapter, key, {
-  users: ["ssn", "credit_card"],
-});
+const aegis = new AegisClient({
+  adapter,
+  primaryKeyField: "_id", 
+  encryptedFields: {
+    users: ["ssn", "credit_card"]
+  }
+}, key);
 
-await aegis.insert("users", { name: "Alice", ssn: "123-45-6789" });
+// Insert with a client-generated ID
+await aegis.insert("users", { _id: uuidv4(), name: "Alice", ssn: "123-45-6789" });
+
+// Select by an unencrypted field
 const { data } = await aegis.select("users", { column: "name", value: "Alice" });
 // data[0].ssn → "123-45-6789" (decrypted)
 ```
@@ -62,7 +93,7 @@ const { data } = await aegis.select("users", { column: "name", value: "Alice" })
 Implement the `DatabaseAdapter` interface for any database:
 
 ```typescript
-import { DatabaseAdapter, AegisClient } from "aegis-lock";
+import { DatabaseAdapter } from "aegis-lock";
 
 class MyAdapter implements DatabaseAdapter {
   async insert(table: string, data: Record<string, unknown>) {
@@ -78,26 +109,35 @@ class MyAdapter implements DatabaseAdapter {
 
 ## API
 
-### `new AegisClient(adapter, key, encryptedFields)`
-- `adapter` — any `DatabaseAdapter` (SupabaseAdapter, MongoDBAdapter, or custom)
-- `key` — CryptoKey from `generateKey()` or `importKey()`
-- `encryptedFields` — `Record<tableName, fieldName[]>`
+### `new AegisClient(config, key, bidxKey?)`
+
+* `config` — `AegisConfig` object:
+  * `adapter`: any `DatabaseAdapter` (SupabaseAdapter, MongoDBAdapter, or custom)
+  * `primaryKeyField`: `string` (The ID field used for cryptographic contextual binding)
+  * `encryptedFields`: `Record<tableName, fieldName[]>`
+  * `bidxFields`: *(Optional)* `Record<tableName, fieldName[]>`
+
+* `key` — CryptoKey from `generateKey()` or `importKey()`
+* `bidxKey` — *(Optional)* CryptoKey from `generateBidxKey()` or `importKey()`
 
 ### Adapters
-- `new SupabaseAdapter(supabaseClient)`
-- `new MongoDBAdapter(mongoDb)`
 
-### Crypto
-- `generateKey()` / `exportKey(key)` / `importKey(base64)`
-- `encrypt(plaintext, key)` / `decrypt(payload, key)`
+* `new SupabaseAdapter(supabaseClient)`
+* `new MongoDBAdapter(mongoDb)`
+
+### Crypto Utilities
+
+* `generateKey()` / `generateBidxKey()`
+* `exportKey(key)` / `importKey(base64)`
 
-## How It Works
+## How It Works (Security Architecture)
 
-- **Web Crypto API** (AES-256-GCM) — runs in any modern browser or edge runtime
-- Each row gets a unique **IV** stored alongside the ciphertext
-- Encryption/decryption happens client-side — your server never sees plaintext
-- Database-agnostic: swap adapters without changing application code
+* **Web Crypto API (AES-256-GCM):** Runs natively in any modern browser or edge runtime.
+* **Field-Level IVs:** Every single encrypted field gets a unique, mathematically random Initialization Vector (IV) stored as a composite string (`iv:ciphertext`) to prevent keystream reuse attacks.
+* **Contextual Binding (AAD):** Ciphertexts are cryptographically bound to the row's `primaryKeyField`. If an attacker copies an encrypted SSN from User A and pastes it into User B's row, the decryption will strictly fail.
+* **Blind Indexing (HMAC-SHA256):** Because AES-GCM is non-deterministic (the same text encrypts differently every time), you cannot query standard encrypted fields. If configured via `bidxFields`, Aegis-Lock automatically generates deterministic, memory-aligned HMAC hashes. This allows you to search for exact matches (like looking up an email address) without exposing the plaintext to the database.
+* **Database-agnostic:** Swap adapters without changing your core application code.
 
 ## License
 
-MIT
+MIT

package/dist/client.d.ts

@@ -1,15 +1,16 @@
-import type { DatabaseAdapter } from "./types";
+import type { DatabaseAdapter, AegisConfig } from "./types";
 export declare class AegisClient {
     private adapter;
     private key;
+    private bidxKey?;
     private encryptedFields;
-    constructor(adapter: DatabaseAdapter, key: CryptoKey, encryptedFields: Record<string, string[]>);
-    /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
+    private bidxFields;
+    private primaryKeyField;
+    constructor(config: AegisConfig, key: CryptoKey, bidxKey?: CryptoKey);
     insert(table: string, data: Record<string, unknown>): Promise<{
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows, auto-decrypting configured fields. */
     select(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -18,7 +19,6 @@ export declare class AegisClient {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
     selectRaw(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -27,7 +27,6 @@ export declare class AegisClient {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Access the underlying database adapter. */
     get db(): DatabaseAdapter;
 }
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAG/C,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,eAAe,CAA2B;gBAEtC,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAM/F,wFAAwF;IAClF,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAsBzD,sDAAsD;IAChD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAgCxF,+DAA+D;IACzD,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAI3F,8CAA8C;IAC9C,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAG5D,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,OAAO,CAAC,CAAY;IAC5B,OAAO,CAAC,eAAe,CAA2B;IAClD,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,eAAe,CAAS;gBAGpB,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,SAAS;IAS9D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAyCnD,MAAM,CACV,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IA6DxD,SAAS,CACb,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAK9D,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}

package/dist/client.js

@@ -1,31 +1,59 @@
-import { encrypt, decrypt } from "./crypto";
+import { encrypt, decrypt, generateBlindIndex } from "./crypto";
 export class AegisClient {
-    constructor(adapter, key, encryptedFields) {
-        this.adapter = adapter;
+    // Updated constructor to accept the optional BIDX key
+    constructor(config, key, bidxKey) {
+        this.adapter = config.adapter;
         this.key = key;
-        this.encryptedFields = encryptedFields;
+        this.bidxKey = bidxKey;
+        this.encryptedFields = config.encryptedFields;
+        this.bidxFields = config.bidxFields || {};
+        this.primaryKeyField = config.primaryKeyField;
     }
-    /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
     async insert(table, data) {
         const fields = this.encryptedFields[table] || [];
+        const bidxFields = this.bidxFields[table] || [];
         const row = { ...data };
-        // Generate a single IV and reuse it for all fields in this row
-        const ivBuffer = crypto.getRandomValues(new Uint8Array(12));
-        const sharedIv = btoa(String.fromCharCode(...ivBuffer));
-        for (const field of fields) {
-            if (row[field] != null) {
-                const { ciphertext } = await encrypt(String(row[field]), this.key, ivBuffer);
-                row[field] = ciphertext;
+        if (fields.length > 0 || bidxFields.length > 0) {
+            const rowId = row[this.primaryKeyField];
+            if (!rowId) {
+                throw new Error(`Aegis: Cannot encrypt. Missing primary key '${this.primaryKeyField}' in payload.`);
+            }
+            const aadContext = String(rowId);
+            // 1. Handle Blind Indexing FIRST (While row data is still plaintext)
+            for (const field of bidxFields) {
+                if (row[field] != null && this.bidxKey) {
+                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), // Safe: This is still "alice@example.com"
+                    this.bidxKey);
+                }
+            }
+            // 2. Handle Encryption SECOND (This overwrites the plaintext)
+            for (const field of fields) {
+                if (row[field] != null) {
+                    const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
+                    row[field] = `${iv}:${ciphertext}`;
+                }
             }
-        }
-        if (fields.length > 0) {
-            row.iv = sharedIv;
         }
         return this.adapter.insert(table, row);
     }
-    /** Select rows, auto-decrypting configured fields. */
     async select(table, query) {
-        const { data, error } = await this.adapter.select(table, query);
+        // Intercept and swap query for Blind Indexing (NEW)
+        const bidxFields = this.bidxFields[table] || [];
+        let activeQuery = query;
+        // Make sure this uses THIS.bidxKey
+        // Inside your select method in client.ts
+        if (query?.column &&
+            query?.value &&
+            bidxFields.includes(query.column) &&
+            this.bidxKey) {
+            const blindIndexValue = await generateBlindIndex(String(query.value), this.bidxKey);
+            activeQuery = {
+                ...query,
+                column: `${query.column}_bidx`,
+                value: blindIndexValue, // Pass the resulting string
+            };
+        }
+        const { data, error } = await this.adapter.select(table, activeQuery);
         if (error || !data)
             return { data, error };
         const fields = this.encryptedFields[table] || [];
@@ -33,16 +61,19 @@ export class AegisClient {
             return { data, error };
         const decrypted = await Promise.all(data.map(async (row) => {
             const decRow = { ...row };
-            const iv = row.iv;
-            if (!iv)
+            const rowId = decRow[this.primaryKeyField];
+            if (!rowId)
                 return decRow;
+            const aadContext = String(rowId);
             for (const field of fields) {
-                if (decRow[field] != null) {
+                const payload = decRow[field];
+                if (typeof payload === "string" && payload.includes(":")) {
+                    const [iv, ciphertext] = payload.split(":");
                     try {
-                        decRow[field] = await decrypt({ ciphertext: String(decRow[field]), iv }, this.key);
+                        decRow[field] = await decrypt({ ciphertext, iv }, this.key, aadContext);
                     }
                     catch {
-                        // leave as ciphertext if decryption fails
+                        // Tampering detected
                     }
                 }
             }
@@ -50,13 +81,145 @@ export class AegisClient {
         }));
         return { data: decrypted, error };
     }
-    /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
     async selectRaw(table, query) {
         return this.adapter.select(table, query);
     }
-    /** Access the underlying database adapter. */
     get db() {
         return this.adapter;
     }
 }
+// export class AegisClient {
+//   private adapter: DatabaseAdapter;
+//   private key: CryptoKey;
+//   private bidxKey?: CryptoKey;
+//   private encryptedFields: Record<string, string[]>;
+//   private bidxFields: Record<string, string[]>;
+//   private primaryKeyField: string;
+//   constructor(config: AegisConfig, key: CryptoKey) {
+//     this.adapter = config.adapter;
+//     this.key = key;
+//     this.bidxKey = bidxKey;
+//     this.encryptedFields = config.encryptedFields;
+//     this.bidxFields = config.bidxFields || {};
+//     this.primaryKeyField = config.primaryKeyField;
+//   }
+//   async insert(table: string, data: Record<string, unknown>) {
+//     const fields = this.encryptedFields[table] || [];
+//     const row: Record<string, unknown> = { ...data };
+//     if (fields.length > 0) {
+//       const rowId = row[this.primaryKeyField];
+//       if (!rowId) {
+//         throw new Error(`Aegis: Cannot encrypt. Missing primary key '${this.primaryKeyField}' in payload.`);
+//       }
+//       const aadContext = String(rowId);
+//       for (const field of fields) {
+//         if (row[field] != null) {
+//           // Generates unique IV per field and binds to the row ID
+//           const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
+//           row[field] = `${iv}:${ciphertext}`;
+//         }
+//       }
+//     }
+//     return this.adapter.insert(table, row);
+//   }
+//   async select(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
+//     const { data, error } = await this.adapter.select(table, query);
+//     if (error || !data) return { data, error };
+//     const fields = this.encryptedFields[table] || [];
+//     if (fields.length === 0) return { data, error };
+//     const decrypted = await Promise.all(
+//       data.map(async (row: Record<string, unknown>) => {
+//         const decRow = { ...row };
+//         const rowId = decRow[this.primaryKeyField];
+//         if (!rowId) return decRow; // Cannot decrypt without context
+//         const aadContext = String(rowId);
+//         for (const field of fields) {
+//           const payload = decRow[field];
+//           if (typeof payload === 'string' && payload.includes(':')) {
+//             const [iv, ciphertext] = payload.split(':');
+//             try {
+//               decRow[field] = await decrypt({ ciphertext, iv }, this.key, aadContext);
+//             } catch {
+//               // Tampering detected (invalid tag or swapped ciphertext). Leave as raw string.
+//             }
+//           }
+//         }
+//         return decRow;
+//       })
+//     );
+//     return { data: decrypted, error };
+//   }
+//   async selectRaw(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
+//     return this.adapter.select(table, query);
+//   }
+//   get db(): DatabaseAdapter {
+//     return this.adapter;
+//   }
+// }
+// import type { DatabaseAdapter } from "./types";
+// import { encrypt, decrypt } from "./crypto";
+// export class AegisClient {
+//   private adapter: DatabaseAdapter;
+//   private key: CryptoKey;
+//   private encryptedFields: Record<string, string[]>;
+//   constructor(adapter: DatabaseAdapter, key: CryptoKey, encryptedFields: Record<string, string[]>) {
+//     this.adapter = adapter;
+//     this.key = key;
+//     this.encryptedFields = encryptedFields;
+//   }
+//   /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
+//   async insert(table: string, data: Record<string, unknown>) {
+//     const fields = this.encryptedFields[table] || [];
+//     const row: Record<string, unknown> = { ...data };
+//     // Generate a single IV and reuse it for all fields in this row
+//     const ivBuffer = crypto.getRandomValues(new Uint8Array(12));
+//     const sharedIv = btoa(String.fromCharCode(...ivBuffer));
+//     for (const field of fields) {
+//       if (row[field] != null) {
+//         const { ciphertext } = await encrypt(String(row[field]), this.key, ivBuffer);
+//         row[field] = ciphertext;
+//       }
+//     }
+//     if (fields.length > 0) {
+//       row.iv = sharedIv;
+//     }
+//     return this.adapter.insert(table, row);
+//   }
+//   /** Select rows, auto-decrypting configured fields. */
+//   async select(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
+//     const { data, error } = await this.adapter.select(table, query);
+//     if (error || !data) return { data, error };
+//     const fields = this.encryptedFields[table] || [];
+//     if (fields.length === 0) return { data, error };
+//     const decrypted = await Promise.all(
+//       data.map(async (row: Record<string, unknown>) => {
+//         const decRow = { ...row };
+//         const iv = row.iv as string;
+//         if (!iv) return decRow;
+//         for (const field of fields) {
+//           if (decRow[field] != null) {
+//             try {
+//               decRow[field] = await decrypt(
+//                 { ciphertext: String(decRow[field]), iv },
+//                 this.key
+//               );
+//             } catch {
+//               // leave as ciphertext if decryption fails
+//             }
+//           }
+//         }
+//         return decRow;
+//       })
+//     );
+//     return { data: decrypted, error };
+//   }
+//   /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
+//   async selectRaw(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
+//     return this.adapter.select(table, query);
+//   }
+//   /** Access the underlying database adapter. */
+//   get db(): DatabaseAdapter {
+//     return this.adapter;
+//   }
+// }
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAE5C,MAAM,OAAO,WAAW;IAKtB,YAAY,OAAwB,EAAE,GAAc,EAAE,eAAyC;QAC7F,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,+DAA+D;QAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAC7E,GAAG,CAAC,KAAK,CAAC,GAAG,UAAU,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,GAAG,CAAC,EAAE,GAAG,QAAQ,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,sDAAsD;IACtD,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAChE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,EAAE,GAAG,GAAG,CAAC,EAAY,CAAC;YAC5B,IAAI,CAAC,EAAE;gBAAE,OAAO,MAAM,CAAC;YAEvB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBAC1B,IAAI,CAAC;wBACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,EACzC,IAAI,CAAC,GAAG,CACT,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,0CAA0C;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,KAA4D;QACzF,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,8CAA8C;IAC9C,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEhE,MAAM,OAAO,WAAW;IAQtB,sDAAsD;IACtD,YAAY,MAAmB,EAAE,GAAc,EAAE,OAAmB;QAClE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,eAAe,eAAe,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,qEAAqE;YACrE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,0CAA0C;oBAC9D,IAAI,CAAC,OAAO,CACb,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CACtC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACF,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,IAAI,UAAU,EAAE,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,MAAM,CACV,KAAa,EACb,KAA4D;QAE5D,oDAAoD;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,mCAAmC;QACnC,yCAAyC;QACzC,IACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,KAAK;YACZ,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,OAAO,EACZ,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EACnB,IAAI,CAAC,OAAO,CACb,CAAC;YACF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe,EAAE,4BAA4B;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAE3C,IAAI,CAAC,KAAK;gBAAE,OAAO,MAAM,CAAC;YAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzD,MAAM,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC5C,IAAI,CAAC;wBACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,UAAU,EAAE,EAAE,EAAE,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,KAA4D;QAE5D,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF;AACD,6BAA6B;AAC7B,sCAAsC;AACtC,4BAA4B;AAC5B,iCAAiC;AACjC,uDAAuD;AACvD,kDAAkD;AAClD,qCAAqC;AAErC,uDAAuD;AACvD,qCAAqC;AACrC,sBAAsB;AACtB,8BAA8B;AAC9B,qDAAqD;AACrD,iDAAiD;AACjD,qDAAqD;AACrD,MAAM;AAEN,iEAAiE;AACjE,wDAAwD;AACxD,wDAAwD;AAExD,+BAA+B;AAC/B,iDAAiD;AACjD,sBAAsB;AACtB,+GAA+G;AAC/G,UAAU;AAEV,0CAA0C;AAE1C,sCAAsC;AACtC,oCAAoC;AACpC,qEAAqE;AACrE,gGAAgG;AAChG,gDAAgD;AAChD,YAAY;AACZ,UAAU;AACV,QAAQ;AAER,8CAA8C;AAC9C,MAAM;AAEN,gGAAgG;AAChG,uEAAuE;AACvE,kDAAkD;AAElD,wDAAwD;AACxD,uDAAuD;AAEvD,2CAA2C;AAC3C,2DAA2D;AAC3D,qCAAqC;AACrC,sDAAsD;AAEtD,uEAAuE;AACvE,4CAA4C;AAE5C,wCAAwC;AACxC,2CAA2C;AAE3C,wEAAwE;AACxE,2DAA2D;AAC3D,oBAAoB;AACpB,yFAAyF;AACzF,wBAAwB;AACxB,gGAAgG;AAChG,gBAAgB;AAChB,cAAc;AACd,YAAY;AACZ,yBAAyB;AACzB,WAAW;AACX,SAAS;AAET,yCAAyC;AACzC,MAAM;AAEN,mGAAmG;AACnG,gDAAgD;AAChD,MAAM;AAEN,gCAAgC;AAChC,2BAA2B;AAC3B,MAAM;AACN,IAAI;AAEJ,kDAAkD;AAClD,+CAA+C;AAE/C,6BAA6B;AAC7B,sCAAsC;AACtC,4BAA4B;AAC5B,uDAAuD;AAEvD,uGAAuG;AACvG,8BAA8B;AAC9B,sBAAsB;AACtB,8CAA8C;AAC9C,MAAM;AAEN,6FAA6F;AAC7F,iEAAiE;AACjE,wDAAwD;AACxD,wDAAwD;AAExD,sEAAsE;AACtE,mEAAmE;AACnE,+DAA+D;AAE/D,oCAAoC;AACpC,kCAAkC;AAClC,wFAAwF;AACxF,mCAAmC;AACnC,UAAU;AACV,QAAQ;AAER,+BAA+B;AAC/B,2BAA2B;AAC3B,QAAQ;AAER,8CAA8C;AAC9C,MAAM;AAEN,2DAA2D;AAC3D,gGAAgG;AAChG,uEAAuE;AACvE,kDAAkD;AAElD,wDAAwD;AACxD,uDAAuD;AAEvD,2CAA2C;AAC3C,2DAA2D;AAC3D,qCAAqC;AACrC,uCAAuC;AACvC,kCAAkC;AAElC,wCAAwC;AACxC,yCAAyC;AACzC,oBAAoB;AACpB,+CAA+C;AAC/C,6DAA6D;AAC7D,2BAA2B;AAC3B,mBAAmB;AACnB,wBAAwB;AACxB,2DAA2D;AAC3D,gBAAgB;AAChB,cAAc;AACd,YAAY;AACZ,yBAAyB;AACzB,WAAW;AACX,SAAS;AAET,yCAAyC;AACzC,MAAM;AAEN,oEAAoE;AACpE,mGAAmG;AACnG,gDAAgD;AAChD,MAAM;AAEN,mDAAmD;AACnD,gCAAgC;AAChC,2BAA2B;AAC3B,MAAM;AACN,IAAI"}

package/dist/crypto.d.ts

@@ -2,6 +2,10 @@ import { EncryptedPayload } from "./types";
 export declare function generateKey(): Promise<CryptoKey>;
 export declare function exportKey(key: CryptoKey): Promise<string>;
 export declare function importKey(base64: string): Promise<CryptoKey>;
-export declare function encrypt(plaintext: string, key: CryptoKey, existingIv?: Uint8Array): Promise<EncryptedPayload>;
-export declare function decrypt(payload: EncryptedPayload, key: CryptoKey): Promise<string>;
+export declare function encrypt(plaintext: string, key: CryptoKey, aadContext: string): Promise<EncryptedPayload>;
+export declare function decrypt(payload: EncryptedPayload, key: CryptoKey, aadContext: string): Promise<string>;
+/** Generates a dedicated key for deterministic Blind Indexing */
+export declare function generateBidxKey(): Promise<CryptoKey>;
+/** Generates a deterministic hash for database searching */
+export declare function generateBlindIndex(plaintext: string, key: CryptoKey): Promise<string>;
 //# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAK3C,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAMtD;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAMlE;AAED,wBAAsB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAQnH;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAKxF"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AA0B3C,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAKtD;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CASlE;AAED,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,gBAAgB,CAAC,CAsB3B;AAED,wBAAsB,OAAO,CAC3B,OAAO,EAAE,gBAAgB,EACzB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAsBjB;AAID,iEAAiE;AACjE,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAK1D;AAED,4DAA4D;AAC5D,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,MAAM,CAAC,CAkBjB"}

package/dist/crypto.js

@@ -1,32 +1,116 @@
 const ALGO = "AES-GCM";
 const KEY_LENGTH = 256;
+// Memory-safe Base64 conversion helpers
+function bufferToBase64(buffer) {
+    let binary = "";
+    // Normalize to Uint8Array safely
+    const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+    const len = bytes.byteLength;
+    for (let i = 0; i < len; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+function base64ToBuffer(base64) {
+    const binaryString = atob(base64);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes;
+}
 export async function generateKey() {
-    return crypto.subtle.generateKey({ name: ALGO, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+    return crypto.subtle.generateKey({ name: ALGO, length: KEY_LENGTH }, true, [
+        "encrypt",
+        "decrypt",
+    ]);
 }
 export async function exportKey(key) {
     const raw = await crypto.subtle.exportKey("raw", key);
-    return btoa(String.fromCharCode(...new Uint8Array(raw)));
+    return bufferToBase64(raw);
 }
 export async function importKey(base64) {
-    const raw = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, [
-        "encrypt",
-        "decrypt",
-    ]);
+    const raw = base64ToBuffer(base64);
+    return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
 }
-export async function encrypt(plaintext, key, existingIv) {
-    const iv = existingIv ? new Uint8Array(existingIv) : crypto.getRandomValues(new Uint8Array(12));
+export async function encrypt(plaintext, key, aadContext) {
+    const iv = crypto.getRandomValues(new Uint8Array(12)); // ALWAYS unique
     const encoded = new TextEncoder().encode(plaintext);
-    const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
-    return {
-        ciphertext: btoa(String.fromCharCode(...new Uint8Array(cipherBuffer))),
-        iv: btoa(String.fromCharCode(...iv)),
+    const algorithm = {
+        name: ALGO,
+        iv: iv,
     };
+    if (aadContext) {
+        algorithm.additionalData = new TextEncoder().encode(aadContext);
+    }
+    const cipherBuffer = await crypto.subtle.encrypt(algorithm, key, encoded);
+    return { ciphertext: bufferToBase64(cipherBuffer), iv: bufferToBase64(iv) };
 }
-export async function decrypt(payload, key) {
-    const cipherBytes = Uint8Array.from(atob(payload.ciphertext), (c) => c.charCodeAt(0));
-    const iv = Uint8Array.from(atob(payload.iv), (c) => c.charCodeAt(0));
-    const decrypted = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBytes);
+export async function decrypt(payload, key, aadContext) {
+    const cipherBytes = base64ToBuffer(payload.ciphertext);
+    const iv = base64ToBuffer(payload.iv);
+    const algorithm = {
+        name: ALGO,
+        iv: iv,
+    };
+    if (aadContext) {
+        algorithm.additionalData = new TextEncoder().encode(aadContext);
+    }
+    const decrypted = await crypto.subtle.decrypt(algorithm, key, cipherBytes);
     return new TextDecoder().decode(decrypted);
 }
+const HMAC_ALGO = "HMAC";
+/** Generates a dedicated key for deterministic Blind Indexing */
+export async function generateBidxKey() {
+    return crypto.subtle.generateKey({ name: HMAC_ALGO, hash: "SHA-256" }, true, [
+        "sign",
+        "verify",
+    ]);
+}
+/** Generates a deterministic hash for database searching */
+export async function generateBlindIndex(plaintext, key) {
+    const encoder = new TextEncoder();
+    const encoded = encoder.encode(plaintext);
+    // PRODUCTION FIX: Isolated buffer extraction.
+    // This ensures the HMAC signature is deterministic regardless of memory alignment.
+    const cleanBuffer = encoded.buffer.slice(encoded.byteOffset, encoded.byteOffset + encoded.byteLength);
+    const signature = await crypto.subtle.sign("HMAC", key, cleanBuffer);
+    return bufferToBase64(signature);
+}
+// import { EncryptedPayload } from "./types";
+// const ALGO = "AES-GCM";
+// const KEY_LENGTH = 256;
+// export async function generateKey(): Promise<CryptoKey> {
+//   return crypto.subtle.generateKey(
+//     { name: ALGO, length: KEY_LENGTH },
+//     true,
+//     ["encrypt", "decrypt"]
+//   );
+// }
+// export async function exportKey(key: CryptoKey): Promise<string> {
+//   const raw = await crypto.subtle.exportKey("raw", key);
+//   return btoa(String.fromCharCode(...new Uint8Array(raw)));
+// }
+// export async function importKey(base64: string): Promise<CryptoKey> {
+//   const raw = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
+//   return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, [
+//     "encrypt",
+//     "decrypt",
+//   ]);
+// }
+// export async function encrypt(plaintext: string, key: CryptoKey, existingIv?: Uint8Array): Promise<EncryptedPayload> {
+//   const iv = existingIv ? new Uint8Array(existingIv) : crypto.getRandomValues(new Uint8Array(12));
+//   const encoded = new TextEncoder().encode(plaintext);
+//   const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
+//   return {
+//     ciphertext: btoa(String.fromCharCode(...new Uint8Array(cipherBuffer))),
+//     iv: btoa(String.fromCharCode(...iv)),
+//   };
+// }
+// export async function decrypt(payload: EncryptedPayload, key: CryptoKey): Promise<string> {
+//   const cipherBytes = Uint8Array.from(atob(payload.ciphertext), (c) => c.charCodeAt(0));
+//   const iv = Uint8Array.from(atob(payload.iv), (c) => c.charCodeAt(0));
+//   const decrypted = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBytes);
+//   return new TextDecoder().decode(decrypted);
+// }
 //# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9B,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACnF,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAc,EAAE,UAAuB;IACtF,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAChG,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IACnF,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;QACtE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC;KACrC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAyB,EAAE,GAAc;IACrE,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACtF,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;IACpF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,wCAAwC;AACxC,SAAS,cAAc,CAAC,MAAgC;IACtD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,iCAAiC;IACjC,MAAM,KAAK,GAAG,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACzE,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAiB,EACjB,GAAc,EACd,UAAkB;IAElB,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;IACvE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpD,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC9C,SAAS,EACT,GAAG,EACH,OAAuB,CACxB,CAAC;IAEF,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAyB,EACzB,GAAc,EACd,UAAkB;IAElB,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,SAAS,EACT,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAAC;AAEzB,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE;QAC3E,MAAM;QACN,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED,4DAA4D;AAC5D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,GAAc;IAEd,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE1C,8CAA8C;IAC9C,mFAAmF;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CACxC,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED,8CAA8C;AAE9C,0BAA0B;AAC1B,0BAA0B;AAE1B,4DAA4D;AAC5D,sCAAsC;AACtC,0CAA0C;AAC1C,YAAY;AACZ,6BAA6B;AAC7B,OAAO;AACP,IAAI;AAEJ,qEAAqE;AACrE,2DAA2D;AAC3D,8DAA8D;AAC9D,IAAI;AAEJ,wEAAwE;AACxE,uEAAuE;AACvE,2FAA2F;AAC3F,iBAAiB;AACjB,iBAAiB;AACjB,QAAQ;AACR,IAAI;AAEJ,yHAAyH;AACzH,qGAAqG;AACrG,yDAAyD;AACzD,wFAAwF;AACxF,aAAa;AACb,8EAA8E;AAC9E,4CAA4C;AAC5C,OAAO;AACP,IAAI;AAEJ,8FAA8F;AAC9F,2FAA2F;AAC3F,0EAA0E;AAC1E,yFAAyF;AACzF,gDAAgD;AAChD,IAAI"}

package/dist/types.d.ts

@@ -1,11 +1,8 @@
-/** Generic database adapter interface — implement this for any database. */
 export interface DatabaseAdapter {
-    /** Insert a row into a table/collection. Returns the inserted data. */
     insert(table: string, data: Record<string, unknown>): Promise<{
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows from a table/collection with optional filters. */
     select(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -18,6 +15,8 @@ export interface DatabaseAdapter {
 export interface AegisConfig {
     adapter: DatabaseAdapter;
     encryptedFields: Record<string, string[]>;
+    primaryKeyField: string;
+    bidxFields?: Record<string, string[]>;
 }
 export interface EncryptedPayload {
     ciphertext: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAE1H,iEAAiE;IACjE,MAAM,CACJ,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3D,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CACxE;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1H,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC1J;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1C,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/types.js

@@ -1,2 +1,24 @@
 export {};
+// /** Generic database adapter interface — implement this for any database. */
+// export interface DatabaseAdapter {
+//   /** Insert a row into a table/collection. Returns the inserted data. */
+//   insert(table: string, data: Record<string, unknown>): Promise<{ data: Record<string, unknown>[] | null; error: unknown }>;
+//   /** Select rows from a table/collection with optional filters. */
+//   select(
+//     table: string,
+//     query?: { column?: string; value?: unknown; limit?: number }
+//   ): Promise<{ data: Record<string, unknown>[] | null; error: unknown }>;
+// }
+// export interface AegisConfig {
+//   adapter: DatabaseAdapter;
+//   encryptedFields: Record<string, string[]>;
+// }
+// export interface EncryptedPayload {
+//   ciphertext: string;
+//   iv: string;
+// }
+// export interface AegisKeyPair {
+//   key: CryptoKey;
+//   exported: string;
+// }
 //# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":""}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":";AAqBA,+EAA+E;AAC/E,qCAAqC;AACrC,4EAA4E;AAC5E,+HAA+H;AAE/H,sEAAsE;AACtE,YAAY;AACZ,qBAAqB;AACrB,mEAAmE;AACnE,4EAA4E;AAC5E,IAAI;AAEJ,iCAAiC;AACjC,8BAA8B;AAC9B,+CAA+C;AAC/C,IAAI;AAEJ,sCAAsC;AACtC,wBAAwB;AACxB,gBAAgB;AAChB,IAAI;AAEJ,kCAAkC;AAClC,oBAAoB;AACpB,sBAAsB;AACtB,IAAI"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-lock",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Database-agnostic client-side AES-256-GCM field-level encryption. Works with Supabase, MongoDB, or any database via pluggable adapters.",
   "type": "module",
   "main": "dist/index.js",
@@ -26,7 +26,8 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "test": "jest"
   },
   "keywords": [
     "encryption",
@@ -53,6 +54,10 @@
   },
   "devDependencies": {
     "@supabase/supabase-js": "^2.0.0",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.3.5",
+    "jest": "^30.2.0",
+    "ts-jest": "^29.4.6",
     "typescript": "^5.9.3"
   }
 }