aegis-lock 2.0.0 → 2.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 API-Alchemist
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,9 +1,17 @@
 # aegis-lock
 
-**Database-agnostic client-side AES-256-GCM field-level encryption.**
+[![npm version](https://badge.fury.io/js/aegis-lock.svg)](https://badge.fury.io/js/aegis-lock)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Database-agnostic client-side AES-256-GCM field-level encryption with Contextual Binding and Blind Indexing.**
 
 Encrypt sensitive fields before they leave the browser or server. Decrypt after select. Zero plaintext hits the wire or your database. Works with **Supabase**, **MongoDB**, or any database via custom adapters.
 
+> **⚠️ SECURITY WARNING:** `aegis-lock` provides the cryptographic primitives, but **you are responsible for your keys.** Never hardcode `CryptoKey` exports in your source code. Always use a secure Key Management Service (KMS) or strict, vault-backed environment variables to inject your keys at runtime.
+
+## Requirements
+* Node.js 18+ (or any environment supporting the standard Web Crypto API, such as modern browsers, Cloudflare Workers, or Vercel Edge functions).
+
 ## Install
 
 ```bash
@@ -14,26 +22,54 @@ npm install aegis-lock
 
 ```typescript
 import { createClient } from "@supabase/supabase-js";
-import { AegisClient, SupabaseAdapter, generateKey, exportKey } from "aegis-lock";
+import { AegisClient, SupabaseAdapter, generateKey, generateBidxKey, exportKey } from "aegis-lock";
 
 const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 const adapter = new SupabaseAdapter(supabase);
 
+// Generate your master encryption key and searchable blind index key
 const key = await generateKey();
-const exported = await exportKey(key); // save this securely!
-
-const aegis = new AegisClient(adapter, key, {
-  secure_fields: ["encrypted_content", "ssn", "credit_card"],
-});
+const bidxKey = await generateBidxKey(); 
+
+// Export and save these securely! e.g., await exportKey(key)
+
+const aegis = new AegisClient({
+  adapter,
+  primaryKeyField: "record_id", // REQUIRED: Binds ciphertext to the row to prevent tampering
+  encryptedFields: {
+    secure_fields: ["encrypted_content", "ssn", "email"]
+  },
+  bidxFields: {
+    secure_fields: ["email"] // Optional: Creates an 'email_bidx' column for searching
+  }
+}, key, bidxKey);
 
-// Insert — fields are auto-encrypted
+// 1. Insert — fields are auto-encrypted. 
+// Note: You MUST provide the primary key application-side!
 await aegis.insert("secure_fields", {
-  record_id: "some-uuid",
+  record_id: "uuid-1234-5678", 
+  email: "alice@example.com",
   encrypted_content: "Top secret",
 });
 
-// Select — fields are auto-decrypted
-const { data } = await aegis.select("secure_fields");
+// 2. Select — Aegis automatically hashes the email to search the 'email_bidx' column securely
+const { data } = await aegis.select("secure_fields", { 
+  column: "email", 
+  value: "alice@example.com" 
+});
+
+// 3. Update — automatically re-encrypts with a new IV and updates the blind index
+await aegis.update("secure_fields", {
+  record_id: "uuid-1234-5678", // Must include the primary key!
+  email: "new_alice@example.com",
+  encrypted_content: "New secret"
+});
+
+// 4. Delete — Aegis automatically hashes the email to find the correct row to delete
+await aegis.delete("secure_fields", {
+  column: "email",
+  value: "new_alice@example.com"
+});
 ```
 
 ## Quick Start — MongoDB
@@ -41,6 +77,7 @@ const { data } = await aegis.select("secure_fields");
 ```typescript
 import { MongoClient } from "mongodb";
 import { AegisClient, MongoDBAdapter, generateKey } from "aegis-lock";
+import { v4 as uuidv4 } from "uuid";
 
 const mongo = new MongoClient("mongodb://localhost:27017");
 await mongo.connect();
@@ -48,13 +85,42 @@ const adapter = new MongoDBAdapter(mongo.db("myapp"));
 
 const key = await generateKey();
 
-const aegis = new AegisClient(adapter, key, {
-  users: ["ssn", "credit_card"],
+const aegis = new AegisClient({
+  adapter,
+  primaryKeyField: "_id", 
+  encryptedFields: {
+    users: ["ssn", "credit_card"]
+  }
+}, key);
+
+const newUserId = uuidv4();
+
+// 1. Insert with a client-generated ID
+await aegis.insert("users", { 
+  _id: newUserId, 
+  name: "Alice", 
+  ssn: "123-45-6789" 
 });
 
-await aegis.insert("users", { name: "Alice", ssn: "123-45-6789" });
-const { data } = await aegis.select("users", { column: "name", value: "Alice" });
+// 2. Select by an unencrypted field
+const { data } = await aegis.select("users", { 
+  column: "name", 
+  value: "Alice" 
+});
 // data[0].ssn → "123-45-6789" (decrypted)
+
+// 3. Update — automatically re-encrypts the SSN with a new IV
+await aegis.update("users", { 
+  _id: newUserId, // Must include the primary key!
+  name: "Alice", 
+  ssn: "999-99-9999" 
+});
+
+// 4. Delete — Removes the record from the database
+await aegis.delete("users", { 
+  column: "_id", 
+  value: newUserId 
+});
 ```
 
 ## Custom Adapter
@@ -62,7 +128,7 @@ const { data } = await aegis.select("users", { column: "name", value: "Alice" })
 Implement the `DatabaseAdapter` interface for any database:
 
 ```typescript
-import { DatabaseAdapter, AegisClient } from "aegis-lock";
+import { DatabaseAdapter } from "aegis-lock";
 
 class MyAdapter implements DatabaseAdapter {
   async insert(table: string, data: Record<string, unknown>) {
@@ -73,31 +139,59 @@ class MyAdapter implements DatabaseAdapter {
     // your select logic
     return { data: [], error: null };
   }
+  async update(table: string, data: Record<string, unknown>) {
+    // your update logic
+    return { data: [data], error: null };
+  }
+  async delete(table: string, query: { column: string; value: unknown }) {
+    // your delete logic
+    return { data: [], error: null };
+  }
 }
 ```
 
 ## API
 
-### `new AegisClient(adapter, key, encryptedFields)`
-- `adapter` — any `DatabaseAdapter` (SupabaseAdapter, MongoDBAdapter, or custom)
-- `key` — CryptoKey from `generateKey()` or `importKey()`
-- `encryptedFields` — `Record<tableName, fieldName[]>`
+### `new AegisClient(config, key, bidxKey?)`
+
+* `config` — `AegisConfig` object:
+  * `adapter`: any `DatabaseAdapter` (`SupabaseAdapter`, `MongoDBAdapter`, or custom)
+  * `primaryKeyField`: `string` (The ID field used for cryptographic contextual binding)
+  * `encryptedFields`: `Record<tableName, fieldName[]>`
+  * `bidxFields`: *(Optional)* `Record<tableName, fieldName[]>`
+* `key` — `CryptoKey` from `generateKey()` or `importKey()`
+* `bidxKey` — *(Optional)* `CryptoKey` from `generateBidxKey()` or `importKey()`
+
+### `AegisClient` Methods
+
+* `insert(table, data)`: Encrypts data and creates blind indexes before saving.
+* `select(table, query)`: Fetches and automatically decrypts data. Intercepts blind index queries.
+* `update(table, data)`: Re-encrypts modified fields with new IVs and updates blind indexes.
+* `delete(table, query)`: Intercepts queries to securely delete by blind-indexed fields.
+* `selectRaw(table, query)`: Bypasses decryption to return raw database records (useful for auditing or migrations).
 
 ### Adapters
-- `new SupabaseAdapter(supabaseClient)`
-- `new MongoDBAdapter(mongoDb)`
 
-### Crypto
-- `generateKey()` / `exportKey(key)` / `importKey(base64)`
-- `encrypt(plaintext, key)` / `decrypt(payload, key)`
+* `new SupabaseAdapter(supabaseClient)`
+* `new MongoDBAdapter(mongoDb)`
+
+### Crypto Utilities
+
+* `generateKey()` / `generateBidxKey()`
+* `exportKey(key)` / `importKey(base64)`
+
+---
+
+## How It Works (Security Architecture)
+
 
-## How It Works
 
-- **Web Crypto API** (AES-256-GCM) — runs in any modern browser or edge runtime
-- Each row gets a unique **IV** stored alongside the ciphertext
-- Encryption/decryption happens client-side — your server never sees plaintext
-- Database-agnostic: swap adapters without changing application code
+* **Web Crypto API (AES-256-GCM):** Runs natively in any modern browser or edge runtime.
+* **Field-Level IVs:** Every single encrypted field gets a unique, mathematically random Initialization Vector (IV) stored as a composite string (`iv:ciphertext`) to prevent keystream reuse attacks.
+* **Contextual Binding (AAD):** Ciphertexts are cryptographically bound to the row's `primaryKeyField`. If an attacker copies an encrypted SSN from User A and pastes it into User B's row, the decryption will strictly fail.
+* **Blind Indexing (HMAC-SHA256):** Because AES-GCM is non-deterministic (the same text encrypts differently every time), you cannot query standard encrypted fields. If configured via `bidxFields`, Aegis-Lock automatically generates deterministic, memory-aligned HMAC hashes. This allows you to search for exact matches (like looking up an email address) without exposing the plaintext to the database.
+* **Database-agnostic:** Swap adapters without changing your core application code.
 
 ## License
 
-MIT
+MIT

package/dist/adapters/mongodb.d.ts

@@ -1,19 +1,8 @@
 import type { DatabaseAdapter } from "../types";
 /**
- * MongoDB adapter for aegis-mern.
+ * MongoDB adapter for aegis-lock.
  *
- * Works with any MongoDB client that exposes a `db()` method (e.g. the official
- * `mongodb` Node.js driver). Pass the Db instance directly.
- *
- * Usage:
- * ```ts
- * import { MongoClient } from "mongodb";
- * import { MongoDBAdapter } from "aegis-mern/adapters/mongodb";
- *
- * const client = new MongoClient(uri);
- * await client.connect();
- * const adapter = new MongoDBAdapter(client.db("mydb"));
- * ```
+ * Works with any MongoDB client that exposes a `db()` method.
  */
 export declare class MongoDBAdapter implements DatabaseAdapter {
     private db;
@@ -38,7 +27,23 @@ export declare class MongoDBAdapter implements DatabaseAdapter {
         data: null;
         error: unknown;
     }>;
-    /** Access the underlying MongoDB Db instance. */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: Record<string, unknown>[];
+        error: null;
+    } | {
+        data: null;
+        error: unknown;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: never[];
+        error: null;
+    } | {
+        data: null;
+        error: unknown;
+    }>;
     get database(): any;
 }
 //# sourceMappingURL=mongodb.d.ts.map

package/dist/adapters/mongodb.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mongodb.d.ts","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,cAAe,YAAW,eAAe;IACpD,OAAO,CAAC,EAAE,CAAM;gBAEJ,EAAE,EAAE,GAAG;IAIb,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;;;IAWnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAY7D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;;;;;IAMpD,iDAAiD;IACjD,IAAI,QAAQ,QAEX;CACF"}
+{"version":3,"file":"mongodb.d.ts","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;;;GAIG;AACH,qBAAa,cAAe,YAAW,eAAe;IACpD,OAAO,CAAC,EAAE,CAAM;gBAEJ,EAAE,EAAE,GAAG;IAIb,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;;;IAWnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAY7D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;;;;;IAM9C,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;IAqBnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;;;;;;;IAWrE,IAAI,QAAQ,QAEX;CACF"}

package/dist/adapters/mongodb.js

@@ -1,18 +1,7 @@
 /**
- * MongoDB adapter for aegis-mern.
+ * MongoDB adapter for aegis-lock.
  *
- * Works with any MongoDB client that exposes a `db()` method (e.g. the official
- * `mongodb` Node.js driver). Pass the Db instance directly.
- *
- * Usage:
- * ```ts
- * import { MongoClient } from "mongodb";
- * import { MongoDBAdapter } from "aegis-mern/adapters/mongodb";
- *
- * const client = new MongoClient(uri);
- * await client.connect();
- * const adapter = new MongoDBAdapter(client.db("mydb"));
- * ```
+ * Works with any MongoDB client that exposes a `db()` method.
  */
 export class MongoDBAdapter {
     constructor(db) {
@@ -47,7 +36,32 @@ export class MongoDBAdapter {
             return { data: null, error };
         }
     }
-    /** Access the underlying MongoDB Db instance. */
+    async update(table, data) {
+        try {
+            const collection = this.db.collection(table);
+            // Auto-detect the primary key field for MongoDB (usually _id or id)
+            const pkField = data._id ? '_id' : (data.id ? 'id' : null);
+            if (!pkField)
+                throw new Error("MongoDB Adapter: Missing '_id' or 'id' in data payload for update.");
+            const { [pkField]: pkValue, ...updateData } = data;
+            await collection.updateOne({ [pkField]: pkValue }, { $set: updateData });
+            return { data: [data], error: null };
+        }
+        catch (error) {
+            return { data: null, error };
+        }
+    }
+    async delete(table, query) {
+        try {
+            const collection = this.db.collection(table);
+            const filter = { [query.column]: query.value };
+            await collection.deleteMany(filter);
+            return { data: [], error: null };
+        }
+        catch (error) {
+            return { data: null, error };
+        }
+    }
     get database() {
         return this.db;
     }

package/dist/adapters/mongodb.js.map

@@ -1 +1 @@
-{"version":3,"file":"mongodb.js","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,cAAc;IAGzB,YAAY,EAAO;QACjB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;gBAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;YACrC,CAAC;YACD,IAAI,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;gBACjB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,IAAiC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;CACF"}
+{"version":3,"file":"mongodb.js","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,cAAc;IAGzB,YAAY,EAAO;QACjB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;gBAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;YACrC,CAAC;YACD,IAAI,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;gBACjB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,IAAiC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAE7C,oEAAoE;YACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YAEpG,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,GAAG,UAAU,EAAE,GAAG,IAAI,CAAC;YAEnD,MAAM,UAAU,CAAC,SAAS,CACxB,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,EACtB,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;YAEF,OAAO,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/C,MAAM,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;CACF"}

package/dist/adapters/supabase.d.ts

@@ -1,6 +1,6 @@
 import type { SupabaseClient } from "@supabase/supabase-js";
 import type { DatabaseAdapter } from "../types";
-/** Supabase adapter for aegis-mern. */
+/** Supabase adapter for aegis-lock. */
 export declare class SupabaseAdapter implements DatabaseAdapter {
     private supabase;
     constructor(supabase: SupabaseClient);
@@ -16,7 +16,20 @@ export declare class SupabaseAdapter implements DatabaseAdapter {
         data: Record<string, unknown>[] | null;
         error: import("@supabase/postgrest-js").PostgrestError | null;
     }>;
-    /** Access the underlying Supabase client for non-encrypted ops. */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: null;
+        error: Error;
+    } | {
+        data: Record<string, unknown>[] | null;
+        error: import("@supabase/postgrest-js").PostgrestError | null;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: Record<string, unknown>[] | null;
+        error: import("@supabase/postgrest-js").PostgrestError | null;
+    }>;
     get client(): SupabaseClient<any, "public", "public", any, any>;
 }
 //# sourceMappingURL=supabase.d.ts.map

package/dist/adapters/supabase.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,uCAAuC;AACvC,qBAAa,eAAgB,YAAW,eAAe;IACrD,OAAO,CAAC,QAAQ,CAAiB;gBAErB,QAAQ,EAAE,cAAc;IAI9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;cAE9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAS/D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGzD,mEAAmE;IACnE,IAAI,MAAM,sDAET;CACF"}
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,uCAAuC;AACvC,qBAAa,eAAgB,YAAW,eAAe;IACrD,OAAO,CAAC,QAAQ,CAAiB;gBAErB,QAAQ,EAAE,cAAc;IAI9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;cAE9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAS/D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;cAc9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;cAO1C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAG3D,IAAI,MAAM,sDAET;CACF"}

package/dist/adapters/supabase.js

@@ -1,4 +1,4 @@
-/** Supabase adapter for aegis-mern. */
+/** Supabase adapter for aegis-lock. */
 export class SupabaseAdapter {
     constructor(supabase) {
         this.supabase = supabase;
@@ -18,7 +18,27 @@ export class SupabaseAdapter {
         const { data, error } = await q;
         return { data: data, error };
     }
-    /** Access the underlying Supabase client for non-encrypted ops. */
+    async update(table, data) {
+        // Auto-detect primary key (Supabase usually uses 'id')
+        const pkField = data.id ? 'id' : (data._id ? '_id' : null);
+        if (!pkField) {
+            return { data: null, error: new Error("Supabase Adapter: Missing 'id' in data payload for update.") };
+        }
+        const { data: result, error } = await this.supabase
+            .from(table)
+            .update(data)
+            .eq(pkField, data[pkField])
+            .select();
+        return { data: result, error };
+    }
+    async delete(table, query) {
+        const { data: result, error } = await this.supabase
+            .from(table)
+            .delete()
+            .eq(query.column, query.value)
+            .select();
+        return { data: result, error };
+    }
     get client() {
         return this.supabase;
     }

package/dist/adapters/supabase.js.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAGA,uCAAuC;AACvC,MAAM,OAAO,eAAe;IAG1B,YAAY,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACtF,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChD,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;YACjB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,IAAwC,EAAE,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,mEAAmE;IACnE,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAGA,uCAAuC;AACvC,MAAM,OAAO,eAAe;IAG1B,YAAY,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACtF,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChD,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;YACjB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,IAAwC,EAAE,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,uDAAuD;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE3D,IAAI,CAAC,OAAO,EAAE,CAAC;YACZ,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,4DAA4D,CAAC,EAAE,CAAC;QACzG,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ;aAChD,IAAI,CAAC,KAAK,CAAC;aACX,MAAM,CAAC,IAAI,CAAC;aACZ,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;aAC1B,MAAM,EAAE,CAAC;QAEZ,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ;aAChD,IAAI,CAAC,KAAK,CAAC;aACX,MAAM,EAAE;aACR,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC;aAC7B,MAAM,EAAE,CAAC;QAEZ,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}

package/dist/client.d.ts

@@ -1,15 +1,41 @@
-import type { DatabaseAdapter } from "./types";
+import type { DatabaseAdapter, AegisConfig } from "./types";
+/**
+ * The primary client for aegis-lock.
+ * Handles automatic encryption, decryption, contextual binding, and blind indexing
+ * before interacting with the underlying database adapter.
+ */
 export declare class AegisClient {
     private adapter;
     private key;
+    private bidxKey?;
     private encryptedFields;
-    constructor(adapter: DatabaseAdapter, key: CryptoKey, encryptedFields: Record<string, string[]>);
-    /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
+    private bidxFields;
+    private primaryKeyField;
+    /**
+     * Initializes the AegisClient.
+     * * @param config - Configuration including the database adapter, primary key field, and field rules.
+     * @param key - The master CryptoKey used for AES-GCM encryption.
+     * @param bidxKey - (Optional) The CryptoKey used for generating HMAC-SHA256 blind indexes.
+     */
+    constructor(config: AegisConfig, key: CryptoKey, bidxKey?: CryptoKey);
+    /**
+     * Securely inserts a new record into the database.
+     * Automatically generates blind indexes and encrypts configured fields.
+     * * @param table - The database table or collection name.
+     * @param data - The plaintext data object to insert. Must include the primary key.
+     * @returns The inserted data (as stored in the database) or an error.
+     */
     insert(table: string, data: Record<string, unknown>): Promise<{
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows, auto-decrypting configured fields. */
+    /**
+     * Retrieves and automatically decrypts records from the database.
+     * If querying by a configured blind index field, the query is automatically intercepted and hashed.
+     * * @param table - The database table or collection name.
+     * @param query - The column and value to search for (e.g., { column: "email", value: "alice@example.com" }).
+     * @returns The decrypted plaintext data or an error.
+     */
     select(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -18,7 +44,38 @@ export declare class AegisClient {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
+    /**
+     * Securely modifies an existing record.
+     * Re-encrypts data with a new unique IV and updates blind indexes.
+     * * @param table - The database table or collection name.
+     * @param data - The updated plaintext data. Must include the primary key.
+     * @returns The updated data (as stored in the database) or an error.
+     */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
+    /**
+     * Securely removes records from the database.
+     * Automatically hashes the search query if deleting by a blind-indexed field.
+     * * @param table - The database table or collection name.
+     * @param query - The column and value to identify the record to delete.
+     * @returns The result of the deletion operation or an error.
+     */
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
+    /**
+     * Bypasses decryption and retrieves the raw, encrypted data directly from the database.
+     * Useful for database migrations, auditing, or debugging.
+     * * @param table - The database table or collection name.
+     * @param query - The raw query to execute against the database.
+     * @returns The raw, encrypted database rows.
+     */
     selectRaw(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -27,7 +84,10 @@ export declare class AegisClient {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Access the underlying database adapter. */
+    /**
+     * Gets the underlying database adapter instance.
+     * Useful for executing custom database commands outside of Aegis's encryption flow.
+     */
     get db(): DatabaseAdapter;
 }
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAG/C,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,eAAe,CAA2B;gBAEtC,OAAO,EAAE,eAAe,EAAE,GAAG,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAM/F,wFAAwF;IAClF,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAsBzD,sDAAsD;IAChD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAgCxF,+DAA+D;IACzD,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAI3F,8CAA8C;IAC9C,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAG5D;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,OAAO,CAAC,CAAY;IAC5B,OAAO,CAAC,eAAe,CAA2B;IAClD,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,eAAe,CAAS;IAEhC;;;;;OAKG;gBACS,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,SAAS;IASpE;;;;;;OAMG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAyCzD;;;;;;OAMG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IA6D9D;;;;;;OAMG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAkCzD;;;;;;OAMG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;;;;IAkBrE;;;;;;OAMG;IACG,SAAS,CACb,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAK9D;;;OAGG;IACH,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}

package/dist/client.js

@@ -1,31 +1,83 @@
-import { encrypt, decrypt } from "./crypto";
+import { encrypt, decrypt, generateBlindIndex } from "./crypto";
+/**
+ * The primary client for aegis-lock.
+ * Handles automatic encryption, decryption, contextual binding, and blind indexing
+ * before interacting with the underlying database adapter.
+ */
 export class AegisClient {
-    constructor(adapter, key, encryptedFields) {
-        this.adapter = adapter;
+    /**
+     * Initializes the AegisClient.
+     * * @param config - Configuration including the database adapter, primary key field, and field rules.
+     * @param key - The master CryptoKey used for AES-GCM encryption.
+     * @param bidxKey - (Optional) The CryptoKey used for generating HMAC-SHA256 blind indexes.
+     */
+    constructor(config, key, bidxKey) {
+        this.adapter = config.adapter;
         this.key = key;
-        this.encryptedFields = encryptedFields;
+        this.bidxKey = bidxKey; // Optional Blind Index Key
+        this.encryptedFields = config.encryptedFields;
+        this.bidxFields = config.bidxFields || {};
+        this.primaryKeyField = config.primaryKeyField;
     }
-    /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
+    /**
+     * Securely inserts a new record into the database.
+     * Automatically generates blind indexes and encrypts configured fields.
+     * * @param table - The database table or collection name.
+     * @param data - The plaintext data object to insert. Must include the primary key.
+     * @returns The inserted data (as stored in the database) or an error.
+     */
     async insert(table, data) {
         const fields = this.encryptedFields[table] || [];
+        const bidxFields = this.bidxFields[table] || [];
         const row = { ...data };
-        // Generate a single IV and reuse it for all fields in this row
-        const ivBuffer = crypto.getRandomValues(new Uint8Array(12));
-        const sharedIv = btoa(String.fromCharCode(...ivBuffer));
-        for (const field of fields) {
-            if (row[field] != null) {
-                const { ciphertext } = await encrypt(String(row[field]), this.key, ivBuffer);
-                row[field] = ciphertext;
+        if (fields.length > 0 || bidxFields.length > 0) {
+            const rowId = row[this.primaryKeyField];
+            if (!rowId) {
+                throw new Error(`Aegis: Cannot encrypt. Missing primary key '${this.primaryKeyField}' in payload.`);
+            }
+            const aadContext = String(rowId);
+            // 1. Handle Blind Indexing FIRST (While row data is still plaintext)
+            for (const field of bidxFields) {
+                if (row[field] != null && this.bidxKey) {
+                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), // Safe: This is still "alice@example.com"
+                    this.bidxKey);
+                }
+            }
+            // 2. Handle Encryption SECOND (This overwrites the plaintext)
+            for (const field of fields) {
+                if (row[field] != null) {
+                    const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
+                    row[field] = `${iv}:${ciphertext}`;
+                }
             }
-        }
-        if (fields.length > 0) {
-            row.iv = sharedIv;
         }
         return this.adapter.insert(table, row);
     }
-    /** Select rows, auto-decrypting configured fields. */
+    /**
+     * Retrieves and automatically decrypts records from the database.
+     * If querying by a configured blind index field, the query is automatically intercepted and hashed.
+     * * @param table - The database table or collection name.
+     * @param query - The column and value to search for (e.g., { column: "email", value: "alice@example.com" }).
+     * @returns The decrypted plaintext data or an error.
+     */
     async select(table, query) {
-        const { data, error } = await this.adapter.select(table, query);
+        // Intercept and swap query for Blind Indexing (NEW)
+        const bidxFields = this.bidxFields[table] || [];
+        let activeQuery = query;
+        // Make sure this uses THIS.bidxKey
+        // Inside your select method in client.ts
+        if (query?.column &&
+            query?.value &&
+            bidxFields.includes(query.column) &&
+            this.bidxKey) {
+            const blindIndexValue = await generateBlindIndex(String(query.value), this.bidxKey);
+            activeQuery = {
+                ...query,
+                column: `${query.column}_bidx`,
+                value: blindIndexValue, // Pass the resulting string
+            };
+        }
+        const { data, error } = await this.adapter.select(table, activeQuery);
         if (error || !data)
             return { data, error };
         const fields = this.encryptedFields[table] || [];
@@ -33,16 +85,19 @@ export class AegisClient {
             return { data, error };
         const decrypted = await Promise.all(data.map(async (row) => {
             const decRow = { ...row };
-            const iv = row.iv;
-            if (!iv)
+            const rowId = decRow[this.primaryKeyField];
+            if (!rowId)
                 return decRow;
+            const aadContext = String(rowId);
             for (const field of fields) {
-                if (decRow[field] != null) {
+                const payload = decRow[field];
+                if (typeof payload === "string" && payload.includes(":")) {
+                    const [iv, ciphertext] = payload.split(":");
                     try {
-                        decRow[field] = await decrypt({ ciphertext: String(decRow[field]), iv }, this.key);
+                        decRow[field] = await decrypt({ ciphertext, iv }, this.key, aadContext);
                     }
                     catch {
-                        // leave as ciphertext if decryption fails
+                        // Tampering detected
                     }
                 }
             }
@@ -50,11 +105,75 @@ export class AegisClient {
         }));
         return { data: decrypted, error };
     }
-    /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
+    /**
+     * Securely modifies an existing record.
+     * Re-encrypts data with a new unique IV and updates blind indexes.
+     * * @param table - The database table or collection name.
+     * @param data - The updated plaintext data. Must include the primary key.
+     * @returns The updated data (as stored in the database) or an error.
+     */
+    async update(table, data) {
+        const fields = this.encryptedFields[table] || [];
+        const bidxFields = this.bidxFields[table] || [];
+        const row = { ...data };
+        const rowId = row[this.primaryKeyField];
+        if (!rowId) {
+            throw new Error(`Aegis: Cannot update. Missing primary key '${this.primaryKeyField}' in payload.`);
+        }
+        const aadContext = String(rowId);
+        if (fields.length > 0 || bidxFields.length > 0) {
+            // 1. Update Blind Indexes
+            for (const field of bidxFields) {
+                if (row[field] != null && this.bidxKey) {
+                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), this.bidxKey);
+                }
+            }
+            // 2. Encrypt updated fields with a brand new IV
+            for (const field of fields) {
+                if (row[field] != null) {
+                    const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
+                    row[field] = `${iv}:${ciphertext}`;
+                }
+            }
+        }
+        return this.adapter.update(table, row);
+    }
+    /**
+     * Securely removes records from the database.
+     * Automatically hashes the search query if deleting by a blind-indexed field.
+     * * @param table - The database table or collection name.
+     * @param query - The column and value to identify the record to delete.
+     * @returns The result of the deletion operation or an error.
+     */
+    async delete(table, query) {
+        const bidxFields = this.bidxFields[table] || [];
+        let activeQuery = query;
+        // Intercept the query! If they are deleting by an encrypted field (like email),
+        // we must hash the value so the database knows which row to delete.
+        if (bidxFields.includes(query.column) && this.bidxKey) {
+            const blindIndexValue = await generateBlindIndex(String(query.value), this.bidxKey);
+            activeQuery = {
+                ...query,
+                column: `${query.column}_bidx`,
+                value: blindIndexValue,
+            };
+        }
+        return this.adapter.delete(table, activeQuery);
+    }
+    /**
+     * Bypasses decryption and retrieves the raw, encrypted data directly from the database.
+     * Useful for database migrations, auditing, or debugging.
+     * * @param table - The database table or collection name.
+     * @param query - The raw query to execute against the database.
+     * @returns The raw, encrypted database rows.
+     */
     async selectRaw(table, query) {
         return this.adapter.select(table, query);
     }
-    /** Access the underlying database adapter. */
+    /**
+     * Gets the underlying database adapter instance.
+     * Useful for executing custom database commands outside of Aegis's encryption flow.
+     */
     get db() {
         return this.adapter;
     }

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAE5C,MAAM,OAAO,WAAW;IAKtB,YAAY,OAAwB,EAAE,GAAc,EAAE,eAAyC;QAC7F,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED,wFAAwF;IACxF,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,+DAA+D;QAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;QAExD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAC7E,GAAG,CAAC,KAAK,CAAC,GAAG,UAAU,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,GAAG,CAAC,EAAE,GAAG,QAAQ,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,sDAAsD;IACtD,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAChE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,EAAE,GAAG,GAAG,CAAC,EAAY,CAAC;YAC5B,IAAI,CAAC,EAAE;gBAAE,OAAO,MAAM,CAAC;YAEvB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBAC1B,IAAI,CAAC;wBACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,EACzC,IAAI,CAAC,GAAG,CACT,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,0CAA0C;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,KAA4D;QACzF,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,8CAA8C;IAC9C,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEhE;;;;GAIG;AACH,MAAM,OAAO,WAAW;IAQtB;;;;;OAKG;IACH,YAAY,MAAmB,EAAE,GAAc,EAAE,OAAmB;QAClE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,CAAC,2BAA2B;QACnD,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAChD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,eAAe,eAAe,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,qEAAqE;YACrE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,0CAA0C;oBAC9D,IAAI,CAAC,OAAO,CACb,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CACtC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACF,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,IAAI,UAAU,EAAE,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,KAA4D;QAE5D,oDAAoD;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,mCAAmC;QACnC,yCAAyC;QACzC,IACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,KAAK;YACZ,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,OAAO,EACZ,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EACnB,IAAI,CAAC,OAAO,CACb,CAAC;YACF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe,EAAE,4BAA4B;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAE3C,IAAI,CAAC,KAAK;gBAAE,OAAO,MAAM,CAAC;YAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzD,MAAM,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC5C,IAAI,CAAC;wBACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,UAAU,EAAE,EAAE,EAAE,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,eAAe,eAAe,CAClF,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,0BAA0B;YAC1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,gDAAgD;YAChD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;oBACnF,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,IAAI,UAAU,EAAE,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,gFAAgF;QAChF,oEAAoE;QACpE,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YACpF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe;aACvB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,SAAS,CACb,KAAa,EACb,KAA4D;QAE5D,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED;;;OAGG;IACH,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF"}

package/dist/crypto.d.ts

@@ -1,7 +1,53 @@
 import { EncryptedPayload } from "./types";
+/**
+ * Generates a strong, 256-bit master key for AES-GCM encryption and decryption.
+ * * @returns A Promise resolving to a native Web Crypto API CryptoKey.
+ */
 export declare function generateKey(): Promise<CryptoKey>;
+/**
+ * Exports a CryptoKey into a raw Base64 string so it can be safely stored
+ * in an environment variable or Key Management Service (KMS).
+ * * @param key - The CryptoKey to export.
+ * @returns A Promise resolving to the Base64 representation of the key.
+ */
 export declare function exportKey(key: CryptoKey): Promise<string>;
+/**
+ * Imports a Base64 string back into a usable CryptoKey for AES-GCM operations.
+ * * @param base64 - The Base64 encoded key string (usually from environment variables).
+ * @returns A Promise resolving to the imported CryptoKey.
+ */
 export declare function importKey(base64: string): Promise<CryptoKey>;
-export declare function encrypt(plaintext: string, key: CryptoKey, existingIv?: Uint8Array): Promise<EncryptedPayload>;
-export declare function decrypt(payload: EncryptedPayload, key: CryptoKey): Promise<string>;
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Automatically generates a unique 12-byte Initialization Vector (IV) and applies
+ * Contextual Binding (AAD) to tie the ciphertext to a specific database row.
+ * * @param plaintext - The sensitive data to encrypt.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param aadContext - The row ID or primary key to bind this ciphertext to.
+ * @returns A Promise resolving to an object containing the Base64 `ciphertext` and `iv`.
+ */
+export declare function encrypt(plaintext: string, key: CryptoKey, aadContext: string): Promise<EncryptedPayload>;
+/**
+ * Decrypts an AES-256-GCM payload back into plaintext.
+ * Strictly verifies the Additional Authenticated Data (AAD) to ensure the data
+ * has not been tampered with or copied from another database row.
+ * * @param payload - The object containing the Base64 `ciphertext` and `iv`.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param aadContext - The row ID or primary key that this ciphertext is bound to.
+ * @returns A Promise resolving to the decrypted plaintext string.
+ */
+export declare function decrypt(payload: EncryptedPayload, key: CryptoKey, aadContext: string): Promise<string>;
+/** * Generates a dedicated HMAC-SHA256 key for deterministic Blind Indexing.
+ * This key should be kept separate from the master encryption key.
+ * * @returns A Promise resolving to an HMAC CryptoKey.
+ */
+export declare function generateBidxKey(): Promise<CryptoKey>;
+/** * Generates a deterministic hash for database searching without exposing plaintext.
+ * Safely extracts the underlying memory buffer to guarantee identical hashes
+ * across different JavaScript runtimes (Node.js, Browsers, Edge).
+ * * @param plaintext - The data to hash (e.g., an email address).
+ * @param key - The HMAC Blind Index CryptoKey.
+ * @returns A Promise resolving to a deterministic Base64 hash string.
+ */
+export declare function generateBlindIndex(plaintext: string, key: CryptoKey): Promise<string>;
 //# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAK3C,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAMtD;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAMlE;AAED,wBAAsB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAQnH;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAKxF"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAqC3C;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAKtD;AAED;;;;;GAKG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CASlE;AAED;;;;;;;;GAQG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,gBAAgB,CAAC,CAsB3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,gBAAgB,EACzB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAsBjB;AAID;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAK1D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,MAAM,CAAC,CAkBjB"}

package/dist/crypto.js

@@ -1,32 +1,133 @@
 const ALGO = "AES-GCM";
 const KEY_LENGTH = 256;
+/**
+ * Safely converts an ArrayBuffer or Uint8Array to a Base64 string.
+ * Used internally to format ciphertexts, IVs, and exported keys for safe database storage.
+ * * @param buffer - The raw byte array to convert.
+ * @returns A Base64 encoded string.
+ */
+function bufferToBase64(buffer) {
+    let binary = "";
+    // Normalize to Uint8Array safely
+    const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+    const len = bytes.byteLength;
+    for (let i = 0; i < len; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+/**
+ * Converts a Base64 string back into a Uint8Array.
+ * Used internally to reconstruct buffers for decryption or key importing.
+ * * @param base64 - The Base64 encoded string.
+ * @returns A Uint8Array containing the raw bytes.
+ */
+function base64ToBuffer(base64) {
+    const binaryString = atob(base64);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes;
+}
+/**
+ * Generates a strong, 256-bit master key for AES-GCM encryption and decryption.
+ * * @returns A Promise resolving to a native Web Crypto API CryptoKey.
+ */
 export async function generateKey() {
-    return crypto.subtle.generateKey({ name: ALGO, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
+    return crypto.subtle.generateKey({ name: ALGO, length: KEY_LENGTH }, true, [
+        "encrypt",
+        "decrypt",
+    ]);
 }
+/**
+ * Exports a CryptoKey into a raw Base64 string so it can be safely stored
+ * in an environment variable or Key Management Service (KMS).
+ * * @param key - The CryptoKey to export.
+ * @returns A Promise resolving to the Base64 representation of the key.
+ */
 export async function exportKey(key) {
     const raw = await crypto.subtle.exportKey("raw", key);
-    return btoa(String.fromCharCode(...new Uint8Array(raw)));
+    return bufferToBase64(raw);
 }
+/**
+ * Imports a Base64 string back into a usable CryptoKey for AES-GCM operations.
+ * * @param base64 - The Base64 encoded key string (usually from environment variables).
+ * @returns A Promise resolving to the imported CryptoKey.
+ */
 export async function importKey(base64) {
-    const raw = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, [
-        "encrypt",
-        "decrypt",
-    ]);
+    const raw = base64ToBuffer(base64);
+    return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
 }
-export async function encrypt(plaintext, key, existingIv) {
-    const iv = existingIv ? new Uint8Array(existingIv) : crypto.getRandomValues(new Uint8Array(12));
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Automatically generates a unique 12-byte Initialization Vector (IV) and applies
+ * Contextual Binding (AAD) to tie the ciphertext to a specific database row.
+ * * @param plaintext - The sensitive data to encrypt.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param aadContext - The row ID or primary key to bind this ciphertext to.
+ * @returns A Promise resolving to an object containing the Base64 `ciphertext` and `iv`.
+ */
+export async function encrypt(plaintext, key, aadContext) {
+    const iv = crypto.getRandomValues(new Uint8Array(12)); // ALWAYS unique
     const encoded = new TextEncoder().encode(plaintext);
-    const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
-    return {
-        ciphertext: btoa(String.fromCharCode(...new Uint8Array(cipherBuffer))),
-        iv: btoa(String.fromCharCode(...iv)),
+    const algorithm = {
+        name: ALGO,
+        iv: iv,
     };
+    if (aadContext) {
+        algorithm.additionalData = new TextEncoder().encode(aadContext);
+    }
+    const cipherBuffer = await crypto.subtle.encrypt(algorithm, key, encoded);
+    return { ciphertext: bufferToBase64(cipherBuffer), iv: bufferToBase64(iv) };
 }
-export async function decrypt(payload, key) {
-    const cipherBytes = Uint8Array.from(atob(payload.ciphertext), (c) => c.charCodeAt(0));
-    const iv = Uint8Array.from(atob(payload.iv), (c) => c.charCodeAt(0));
-    const decrypted = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBytes);
+/**
+ * Decrypts an AES-256-GCM payload back into plaintext.
+ * Strictly verifies the Additional Authenticated Data (AAD) to ensure the data
+ * has not been tampered with or copied from another database row.
+ * * @param payload - The object containing the Base64 `ciphertext` and `iv`.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param aadContext - The row ID or primary key that this ciphertext is bound to.
+ * @returns A Promise resolving to the decrypted plaintext string.
+ */
+export async function decrypt(payload, key, aadContext) {
+    const cipherBytes = base64ToBuffer(payload.ciphertext);
+    const iv = base64ToBuffer(payload.iv);
+    const algorithm = {
+        name: ALGO,
+        iv: iv,
+    };
+    if (aadContext) {
+        algorithm.additionalData = new TextEncoder().encode(aadContext);
+    }
+    const decrypted = await crypto.subtle.decrypt(algorithm, key, cipherBytes);
     return new TextDecoder().decode(decrypted);
 }
+const HMAC_ALGO = "HMAC";
+/** * Generates a dedicated HMAC-SHA256 key for deterministic Blind Indexing.
+ * This key should be kept separate from the master encryption key.
+ * * @returns A Promise resolving to an HMAC CryptoKey.
+ */
+export async function generateBidxKey() {
+    return crypto.subtle.generateKey({ name: HMAC_ALGO, hash: "SHA-256" }, true, [
+        "sign",
+        "verify",
+    ]);
+}
+/** * Generates a deterministic hash for database searching without exposing plaintext.
+ * Safely extracts the underlying memory buffer to guarantee identical hashes
+ * across different JavaScript runtimes (Node.js, Browsers, Edge).
+ * * @param plaintext - The data to hash (e.g., an email address).
+ * @param key - The HMAC Blind Index CryptoKey.
+ * @returns A Promise resolving to a deterministic Base64 hash string.
+ */
+export async function generateBlindIndex(plaintext, key) {
+    const encoder = new TextEncoder();
+    const encoded = encoder.encode(plaintext);
+    // PRODUCTION FIX: Isolated buffer extraction.
+    // This ensures the HMAC signature is deterministic regardless of memory alignment.
+    const cleanBuffer = encoded.buffer.slice(encoded.byteOffset, encoded.byteOffset + encoded.byteLength);
+    const signature = await crypto.subtle.sign("HMAC", key, cleanBuffer);
+    return bufferToBase64(signature);
+}
 //# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9B,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACnF,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAc,EAAE,UAAuB;IACtF,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAChG,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IACnF,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;QACtE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC;KACrC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAyB,EAAE,GAAc;IACrE,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACtF,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;IACpF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAgC;IACtD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,iCAAiC;IACjC,MAAM,KAAK,GAAG,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACzE,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAiB,EACjB,GAAc,EACd,UAAkB;IAElB,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;IACvE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpD,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC9C,SAAS,EACT,GAAG,EACH,OAAuB,CACxB,CAAC;IAEF,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9E,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAyB,EACzB,GAAc,EACd,UAAkB;IAElB,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,SAAS,EACT,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAAC;AAEzB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE;QAC3E,MAAM;QACN,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,GAAc;IAEd,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE1C,8CAA8C;IAC9C,mFAAmF;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CACxC,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { AegisClient } from "./client";
-export { generateKey, exportKey, importKey, encrypt, decrypt } from "./crypto";
+export { generateKey, generateBidxKey, exportKey, importKey } from "./crypto";
 export { SupabaseAdapter } from "./adapters/supabase";
 export { MongoDBAdapter } from "./adapters/mongodb";
 export type { AegisConfig, EncryptedPayload, AegisKeyPair, DatabaseAdapter } from "./types";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -1,5 +1,5 @@
 export { AegisClient } from "./client";
-export { generateKey, exportKey, importKey, encrypt, decrypt } from "./crypto";
+export { generateKey, generateBidxKey, exportKey, importKey } from "./crypto";
 export { SupabaseAdapter } from "./adapters/supabase";
 export { MongoDBAdapter } from "./adapters/mongodb";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/types.d.ts

@@ -1,11 +1,8 @@
-/** Generic database adapter interface — implement this for any database. */
 export interface DatabaseAdapter {
-    /** Insert a row into a table/collection. Returns the inserted data. */
     insert(table: string, data: Record<string, unknown>): Promise<{
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
-    /** Select rows from a table/collection with optional filters. */
     select(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -14,10 +11,23 @@ export interface DatabaseAdapter {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
 }
 export interface AegisConfig {
     adapter: DatabaseAdapter;
     encryptedFields: Record<string, string[]>;
+    primaryKeyField: string;
+    bidxFields?: Record<string, string[]>;
 }
 export interface EncryptedPayload {
     ciphertext: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAE1H,iEAAiE;IACjE,MAAM,CACJ,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3D,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CACxE;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1H,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACzJ,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,GAAG,CAAA;KAAE,CAAC,CAAC;IAClG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,GAAG,CAAA;KAAE,CAAC,CAAC;CAC/G;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1C,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-lock",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Database-agnostic client-side AES-256-GCM field-level encryption. Works with Supabase, MongoDB, or any database via pluggable adapters.",
   "type": "module",
   "main": "dist/index.js",
@@ -26,7 +26,8 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "test": "jest"
   },
   "keywords": [
     "encryption",
@@ -53,6 +54,10 @@
   },
   "devDependencies": {
     "@supabase/supabase-js": "^2.0.0",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.3.5",
+    "jest": "^30.2.0",
+    "ts-jest": "^29.4.6",
     "typescript": "^5.9.3"
   }
 }