aegis-lock 2.0.1 → 2.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 API-Alchemist
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,11 +1,11 @@
 # aegis-lock
 
-[![npm version](https://badge.fury.io/js/aegis-lock.svg)](https://badge.fury.io/js/aegis-lock)
+[![npm version](https://badge.fury.io/js/aegis-lock.svg?v=2.1.0)](https://badge.fury.io/js/aegis-lock)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-**Database-agnostic client-side AES-256-GCM field-level encryption with Contextual Binding and Blind Indexing.**
+**Database-agnostic client-side AES-256-GCM field-level encryption with Contextual Binding, Blind Indexing, and Seamless Key Rotation.**
 
-Encrypt sensitive fields before they leave the browser or server. Decrypt after select. Zero plaintext hits the wire or your database. Works with **Supabase**, **MongoDB**, or any database via custom adapters.
+Encrypt sensitive fields before they leave the browser or server. Decrypt after select. Zero plaintext hits the wire or your database. Works with Supabase, MongoDB, or any database via custom adapters.
 
 > **⚠️ SECURITY WARNING:** `aegis-lock` provides the cryptographic primitives, but **you are responsible for your keys.** Never hardcode `CryptoKey` exports in your source code. Always use a secure Key Management Service (KMS) or strict, vault-backed environment variables to inject your keys at runtime.
 
@@ -22,17 +22,22 @@ npm install aegis-lock
 
 ```typescript
 import { createClient } from "@supabase/supabase-js";
-import { AegisClient, SupabaseAdapter, generateKey, generateBidxKey, exportKey } from "aegis-lock";
+import { AegisClient, SupabaseAdapter, importKey, generateBidxKey } from "aegis-lock";
 
 const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
 const adapter = new SupabaseAdapter(supabase);
 
-// Generate your master encryption key and searchable blind index key
-const key = await generateKey();
-const bidxKey = await generateBidxKey(); 
+// 1. Setup your Key Ring for Key Rotation
+// You should load these base64 strings securely from your environment variables
+const keyRing = {
+  "v1": await importKey(process.env.AEGIS_KEY_V1),
+  "v2": await importKey(process.env.AEGIS_KEY_V2) // Your newest key
+};
+const activeVersion = "v2"; 
 
-// Export and save these securely! e.g., await exportKey(key)
+const bidxKey = await generateBidxKey(); // Or import your saved blind index key
 
+// 2. Initialize the Client
 const aegis = new AegisClient({
   adapter,
   primaryKeyField: "record_id", // REQUIRED: Binds ciphertext to the row to prevent tampering
@@ -42,9 +47,9 @@ const aegis = new AegisClient({
   bidxFields: {
     secure_fields: ["email"] // Optional: Creates an 'email_bidx' column for searching
   }
-}, key, bidxKey);
+}, keyRing, activeVersion, bidxKey);
 
-// Insert — fields are auto-encrypted. 
+// 3. Insert — fields are auto-encrypted using the 'v2' key. 
 // Note: You MUST provide the primary key application-side!
 await aegis.insert("secure_fields", {
   record_id: "uuid-1234-5678", 
@@ -52,25 +57,39 @@ await aegis.insert("secure_fields", {
   encrypted_content: "Top secret",
 });
 
-// Select — Aegis automatically hashes the email to search the 'email_bidx' column securely
+// 4. Select — Aegis automatically hashes the email to search the 'email_bidx' column securely.
+// It will dynamically select the correct key from the KeyRing to decrypt the results.
 const { data } = await aegis.select("secure_fields", { 
   column: "email", 
   value: "alice@example.com" 
 });
+
+// 5. Update — automatically re-encrypts with a new IV and the active 'v2' key.
+await aegis.update("secure_fields", {
+  record_id: "uuid-1234-5678", // Must include the primary key!
+  email: "new_alice@example.com",
+  encrypted_content: "New secret"
+});
+
+// 6. Delete — Aegis automatically hashes the email to find the correct row to delete
+await aegis.delete("secure_fields", {
+  column: "email",
+  value: "new_alice@example.com"
+});
 ```
 
 ## Quick Start — MongoDB
 
 ```typescript
 import { MongoClient } from "mongodb";
-import { AegisClient, MongoDBAdapter, generateKey } from "aegis-lock";
+import { AegisClient, MongoDBAdapter, importKey } from "aegis-lock";
 import { v4 as uuidv4 } from "uuid";
 
 const mongo = new MongoClient("mongodb://localhost:27017");
 await mongo.connect();
 const adapter = new MongoDBAdapter(mongo.db("myapp"));
 
-const key = await generateKey();
+const keyRing = { "v1": await importKey(process.env.AEGIS_MASTER_KEY) };
 
 const aegis = new AegisClient({
   adapter,
@@ -78,13 +97,22 @@ const aegis = new AegisClient({
   encryptedFields: {
     users: ["ssn", "credit_card"]
   }
-}, key);
+}, keyRing, "v1");
+
+const newUserId = uuidv4();
 
 // Insert with a client-generated ID
-await aegis.insert("users", { _id: uuidv4(), name: "Alice", ssn: "123-45-6789" });
+await aegis.insert("users", { 
+  _id: newUserId, 
+  name: "Alice", 
+  ssn: "123-45-6789" 
+});
 
 // Select by an unencrypted field
-const { data } = await aegis.select("users", { column: "name", value: "Alice" });
+const { data } = await aegis.select("users", { 
+  column: "name", 
+  value: "Alice" 
+});
 // data[0].ssn → "123-45-6789" (decrypted)
 ```
 
@@ -104,21 +132,37 @@ class MyAdapter implements DatabaseAdapter {
     // your select logic
     return { data: [], error: null };
   }
+  async update(table: string, data: Record<string, unknown>) {
+    // your update logic
+    return { data: [data], error: null };
+  }
+  async delete(table: string, query: { column: string; value: unknown }) {
+    // your delete logic
+    return { data: [], error: null };
+  }
 }
 ```
 
 ## API
 
-### `new AegisClient(config, key, bidxKey?)`
+### `new AegisClient(config, keyRing, currentKeyVersion, bidxKey?)`
+
+* **`config`** — `AegisConfig` object:
+  * **`adapter`**: any `DatabaseAdapter` (`SupabaseAdapter`, `MongoDBAdapter`, or custom)
+  * **`primaryKeyField`**: `string` (The ID field used for cryptographic contextual binding)
+  * **`encryptedFields`**: `Record<tableName, fieldName[]>`
+  * **`bidxFields`**: *(Optional)* `Record<tableName, fieldName[]>`
+* **`keyRing`** — `Record<string, CryptoKey>` (A dictionary of all active and historical keys).
+* **`currentKeyVersion`** — `string` (The version tag of the key to use for *new* encryptions).
+* **`bidxKey`** — *(Optional)* `CryptoKey` from `generateBidxKey()` or `importKey()`
 
-* `config` — `AegisConfig` object:
-  * `adapter`: any `DatabaseAdapter` (SupabaseAdapter, MongoDBAdapter, or custom)
-  * `primaryKeyField`: `string` (The ID field used for cryptographic contextual binding)
-  * `encryptedFields`: `Record<tableName, fieldName[]>`
-  * `bidxFields`: *(Optional)* `Record<tableName, fieldName[]>`
+### `AegisClient` Methods
 
-* `key` — CryptoKey from `generateKey()` or `importKey()`
-* `bidxKey` — *(Optional)* CryptoKey from `generateBidxKey()` or `importKey()`
+* **`insert(table, data)`**: Encrypts data and creates blind indexes before saving.
+* **`select(table, query)`**: Fetches and automatically decrypts data. Intercepts blind index queries.
+* **`update(table, data)`**: Re-encrypts modified fields with new IVs and updates blind indexes.
+* **`delete(table, query)`**: Intercepts queries to securely delete by blind-indexed fields.
+* **`selectRaw(table, query)`**: Bypasses decryption to return raw database records (useful for auditing or migrations).
 
 ### Adapters
 
@@ -130,14 +174,17 @@ class MyAdapter implements DatabaseAdapter {
 * `generateKey()` / `generateBidxKey()`
 * `exportKey(key)` / `importKey(base64)`
 
+---
+
 ## How It Works (Security Architecture)
 
-* **Web Crypto API (AES-256-GCM):** Runs natively in any modern browser or edge runtime.
-* **Field-Level IVs:** Every single encrypted field gets a unique, mathematically random Initialization Vector (IV) stored as a composite string (`iv:ciphertext`) to prevent keystream reuse attacks.
+* **Web Crypto API (AES-256-GCM):** Runs natively in any modern browser or edge runtime without bloated dependencies.
+* **Seamless Key Rotation:** Aegis-Lock accepts a dictionary of keys. It tags every database payload with the active key's version string. If a key is compromised, you simply introduce a `v2` key. New data is secured with `v2`, while historical data seamlessly decrypts using `v1` without a single second of database downtime.
+* **Field-Level IVs:** Every single encrypted field gets a unique, mathematically random Initialization Vector (IV). The final database payload is formatted as `version:iv:ciphertext` to prevent keystream reuse attacks.
 * **Contextual Binding (AAD):** Ciphertexts are cryptographically bound to the row's `primaryKeyField`. If an attacker copies an encrypted SSN from User A and pastes it into User B's row, the decryption will strictly fail.
 * **Blind Indexing (HMAC-SHA256):** Because AES-GCM is non-deterministic (the same text encrypts differently every time), you cannot query standard encrypted fields. If configured via `bidxFields`, Aegis-Lock automatically generates deterministic, memory-aligned HMAC hashes. This allows you to search for exact matches (like looking up an email address) without exposing the plaintext to the database.
-* **Database-agnostic:** Swap adapters without changing your core application code.
+* **Database-Agnostic:** Swap adapters without changing your core application code.
 
 ## License
 
-MIT
+MIT

package/dist/adapters/mongodb.d.ts

@@ -1,19 +1,8 @@
 import type { DatabaseAdapter } from "../types";
 /**
- * MongoDB adapter for aegis-mern.
+ * MongoDB adapter for aegis-lock.
  *
- * Works with any MongoDB client that exposes a `db()` method (e.g. the official
- * `mongodb` Node.js driver). Pass the Db instance directly.
- *
- * Usage:
- * ```ts
- * import { MongoClient } from "mongodb";
- * import { MongoDBAdapter } from "aegis-mern/adapters/mongodb";
- *
- * const client = new MongoClient(uri);
- * await client.connect();
- * const adapter = new MongoDBAdapter(client.db("mydb"));
- * ```
+ * Works with any MongoDB client that exposes a `db()` method.
  */
 export declare class MongoDBAdapter implements DatabaseAdapter {
     private db;
@@ -38,7 +27,23 @@ export declare class MongoDBAdapter implements DatabaseAdapter {
         data: null;
         error: unknown;
     }>;
-    /** Access the underlying MongoDB Db instance. */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: Record<string, unknown>[];
+        error: null;
+    } | {
+        data: null;
+        error: unknown;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: never[];
+        error: null;
+    } | {
+        data: null;
+        error: unknown;
+    }>;
     get database(): any;
 }
 //# sourceMappingURL=mongodb.d.ts.map

package/dist/adapters/mongodb.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mongodb.d.ts","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,cAAe,YAAW,eAAe;IACpD,OAAO,CAAC,EAAE,CAAM;gBAEJ,EAAE,EAAE,GAAG;IAIb,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;;;IAWnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAY7D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;;;;;IAMpD,iDAAiD;IACjD,IAAI,QAAQ,QAEX;CACF"}
+{"version":3,"file":"mongodb.d.ts","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;;;GAIG;AACH,qBAAa,cAAe,YAAW,eAAe;IACpD,OAAO,CAAC,EAAE,CAAM;gBAEJ,EAAE,EAAE,GAAG;IAIb,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;;;IAWnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAY7D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;;;;;IAM9C,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;;;;IAqBnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;;;;;;;IAWrE,IAAI,QAAQ,QAEX;CACF"}

package/dist/adapters/mongodb.js

@@ -1,18 +1,7 @@
 /**
- * MongoDB adapter for aegis-mern.
+ * MongoDB adapter for aegis-lock.
  *
- * Works with any MongoDB client that exposes a `db()` method (e.g. the official
- * `mongodb` Node.js driver). Pass the Db instance directly.
- *
- * Usage:
- * ```ts
- * import { MongoClient } from "mongodb";
- * import { MongoDBAdapter } from "aegis-mern/adapters/mongodb";
- *
- * const client = new MongoClient(uri);
- * await client.connect();
- * const adapter = new MongoDBAdapter(client.db("mydb"));
- * ```
+ * Works with any MongoDB client that exposes a `db()` method.
  */
 export class MongoDBAdapter {
     constructor(db) {
@@ -47,7 +36,32 @@ export class MongoDBAdapter {
             return { data: null, error };
         }
     }
-    /** Access the underlying MongoDB Db instance. */
+    async update(table, data) {
+        try {
+            const collection = this.db.collection(table);
+            // Auto-detect the primary key field for MongoDB (usually _id or id)
+            const pkField = data._id ? '_id' : (data.id ? 'id' : null);
+            if (!pkField)
+                throw new Error("MongoDB Adapter: Missing '_id' or 'id' in data payload for update.");
+            const { [pkField]: pkValue, ...updateData } = data;
+            await collection.updateOne({ [pkField]: pkValue }, { $set: updateData });
+            return { data: [data], error: null };
+        }
+        catch (error) {
+            return { data: null, error };
+        }
+    }
+    async delete(table, query) {
+        try {
+            const collection = this.db.collection(table);
+            const filter = { [query.column]: query.value };
+            await collection.deleteMany(filter);
+            return { data: [], error: null };
+        }
+        catch (error) {
+            return { data: null, error };
+        }
+    }
     get database() {
         return this.db;
     }

package/dist/adapters/mongodb.js.map

@@ -1 +1 @@
-{"version":3,"file":"mongodb.js","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,cAAc;IAGzB,YAAY,EAAO;QACjB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;gBAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;YACrC,CAAC;YACD,IAAI,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;gBACjB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,IAAiC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;CACF"}
+{"version":3,"file":"mongodb.js","sourceRoot":"","sources":["../../adapters/mongodb.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,cAAc;IAGzB,YAAY,EAAO;QACjB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC;YACrD,OAAO,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;gBAChD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;YACrC,CAAC;YACD,IAAI,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;gBACjB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,IAAiC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAE7C,oEAAoE;YACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YAEpG,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,GAAG,UAAU,EAAE,GAAG,IAAI,CAAC;YAEnD,MAAM,UAAU,CAAC,SAAS,CACxB,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,EACtB,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;YAEF,OAAO,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;YAC/C,MAAM,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;CACF"}

package/dist/adapters/supabase.d.ts

@@ -1,6 +1,6 @@
 import type { SupabaseClient } from "@supabase/supabase-js";
 import type { DatabaseAdapter } from "../types";
-/** Supabase adapter for aegis-mern. */
+/** Supabase adapter for aegis-lock. */
 export declare class SupabaseAdapter implements DatabaseAdapter {
     private supabase;
     constructor(supabase: SupabaseClient);
@@ -16,7 +16,20 @@ export declare class SupabaseAdapter implements DatabaseAdapter {
         data: Record<string, unknown>[] | null;
         error: import("@supabase/postgrest-js").PostgrestError | null;
     }>;
-    /** Access the underlying Supabase client for non-encrypted ops. */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: null;
+        error: Error;
+    } | {
+        data: Record<string, unknown>[] | null;
+        error: import("@supabase/postgrest-js").PostgrestError | null;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: Record<string, unknown>[] | null;
+        error: import("@supabase/postgrest-js").PostgrestError | null;
+    }>;
     get client(): SupabaseClient<any, "public", "public", any, any>;
 }
 //# sourceMappingURL=supabase.d.ts.map

package/dist/adapters/supabase.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,uCAAuC;AACvC,qBAAa,eAAgB,YAAW,eAAe;IACrD,OAAO,CAAC,QAAQ,CAAiB;gBAErB,QAAQ,EAAE,cAAc;IAI9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;cAE9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAS/D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGzD,mEAAmE;IACnE,IAAI,MAAM,sDAET;CACF"}
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,uCAAuC;AACvC,qBAAa,eAAgB,YAAW,eAAe;IACrD,OAAO,CAAC,QAAQ,CAAiB;gBAErB,QAAQ,EAAE,cAAc;IAI9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;cAE9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;cAS/D,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;cAc9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAGrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;cAO1C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI;;;IAG3D,IAAI,MAAM,sDAET;CACF"}

package/dist/adapters/supabase.js

@@ -1,4 +1,4 @@
-/** Supabase adapter for aegis-mern. */
+/** Supabase adapter for aegis-lock. */
 export class SupabaseAdapter {
     constructor(supabase) {
         this.supabase = supabase;
@@ -18,7 +18,27 @@ export class SupabaseAdapter {
         const { data, error } = await q;
         return { data: data, error };
     }
-    /** Access the underlying Supabase client for non-encrypted ops. */
+    async update(table, data) {
+        // Auto-detect primary key (Supabase usually uses 'id')
+        const pkField = data.id ? 'id' : (data._id ? '_id' : null);
+        if (!pkField) {
+            return { data: null, error: new Error("Supabase Adapter: Missing 'id' in data payload for update.") };
+        }
+        const { data: result, error } = await this.supabase
+            .from(table)
+            .update(data)
+            .eq(pkField, data[pkField])
+            .select();
+        return { data: result, error };
+    }
+    async delete(table, query) {
+        const { data: result, error } = await this.supabase
+            .from(table)
+            .delete()
+            .eq(query.column, query.value)
+            .select();
+        return { data: result, error };
+    }
     get client() {
         return this.supabase;
     }

package/dist/adapters/supabase.js.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAGA,uCAAuC;AACvC,MAAM,OAAO,eAAe;IAG1B,YAAY,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACtF,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChD,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;YACjB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,IAAwC,EAAE,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,mEAAmE;IACnE,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../adapters/supabase.ts"],"names":[],"mappings":"AAGA,uCAAuC;AACvC,MAAM,OAAO,eAAe;IAG1B,YAAY,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;QACtF,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAA4D;QACtF,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,MAAM,IAAI,KAAK,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChD,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,EAAE,KAAK,EAAE,CAAC;YACjB,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,IAAwC,EAAE,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,uDAAuD;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE3D,IAAI,CAAC,OAAO,EAAE,CAAC;YACZ,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,4DAA4D,CAAC,EAAE,CAAC;QACzG,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ;aAChD,IAAI,CAAC,KAAK,CAAC;aACX,MAAM,CAAC,IAAI,CAAC;aACZ,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;aAC1B,MAAM,EAAE,CAAC;QAEZ,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ;aAChD,IAAI,CAAC,KAAK,CAAC;aACX,MAAM,EAAE;aACR,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC;aAC7B,MAAM,EAAE,CAAC;QAEZ,OAAO,EAAE,IAAI,EAAE,MAA0C,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}

package/dist/client.d.ts

@@ -1,16 +1,38 @@
 import type { DatabaseAdapter, AegisConfig } from "./types";
+/**
+ * The primary client for aegis-lock.
+ * Handles automatic encryption, decryption, contextual binding, blind indexing,
+ * and Key Rotation before interacting with the underlying database adapter.
+ */
 export declare class AegisClient {
     private adapter;
-    private key;
+    private keyRing;
+    private currentKeyVersion;
     private bidxKey?;
     private encryptedFields;
     private bidxFields;
     private primaryKeyField;
-    constructor(config: AegisConfig, key: CryptoKey, bidxKey?: CryptoKey);
+    /**
+     * Initializes the AegisClient with Key Rotation support.
+     *
+     * @param config - Configuration including the database adapter, primary key field, and field rules.
+     * @param keyRing - A dictionary of historical and active CryptoKeys (e.g., { v1: key1, v2: key2 }).
+     * @param currentKeyVersion - The string identifier of the key to use for NEW encryptions (e.g., "v2").
+     * @param bidxKey - (Optional) The CryptoKey used for generating HMAC-SHA256 blind indexes.
+     */
+    constructor(config: AegisConfig, keyRing: Record<string, CryptoKey>, currentKeyVersion: string, bidxKey?: CryptoKey);
+    /**
+     * Securely inserts a new record into the database.
+     * Automatically generates blind indexes and encrypts configured fields using the CURRENT key version.
+     */
     insert(table: string, data: Record<string, unknown>): Promise<{
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
+    /**
+     * Retrieves and automatically decrypts records from the database.
+     * Dynamically selects the correct decryption key based on the payload's version tag.
+     */
     select(table: string, query?: {
         column?: string;
         value?: unknown;
@@ -19,6 +41,21 @@ export declare class AegisClient {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
+    /**
+     * Securely modifies an existing record.
+     * Re-encrypts data with a new unique IV and the CURRENT key version.
+     */
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
     selectRaw(table: string, query?: {
         column?: string;
         value?: unknown;

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAG5D,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,OAAO,CAAC,CAAY;IAC5B,OAAO,CAAC,eAAe,CAA2B;IAClD,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,eAAe,CAAS;gBAGpB,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,SAAS;IAS9D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAyCnD,MAAM,CACV,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IA6DxD,SAAS,CACb,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAK9D,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAG5D;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAkB;IACjC,OAAO,CAAC,OAAO,CAA4B;IAC3C,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,OAAO,CAAC,CAAY;IAC5B,OAAO,CAAC,eAAe,CAA2B;IAClD,OAAO,CAAC,UAAU,CAA2B;IAC7C,OAAO,CAAC,eAAe,CAAS;IAEhC;;;;;;;OAOG;gBAED,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EAClC,iBAAiB,EAAE,MAAM,EACzB,OAAO,CAAC,EAAE,SAAS;IAWrB;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IA6CzD;;;OAGG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAgE9D;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;;;;IAsCnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE;;;;IAgB/D,SAAS,CACb,KAAK,EAAE,MAAM,EACb,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;;;;IAK9D,IAAI,EAAE,IAAI,eAAe,CAExB;CACF"}

package/dist/client.js

@@ -1,14 +1,31 @@
 import { encrypt, decrypt, generateBlindIndex } from "./crypto";
+/**
+ * The primary client for aegis-lock.
+ * Handles automatic encryption, decryption, contextual binding, blind indexing,
+ * and Key Rotation before interacting with the underlying database adapter.
+ */
 export class AegisClient {
-    // Updated constructor to accept the optional BIDX key
-    constructor(config, key, bidxKey) {
+    /**
+     * Initializes the AegisClient with Key Rotation support.
+     *
+     * @param config - Configuration including the database adapter, primary key field, and field rules.
+     * @param keyRing - A dictionary of historical and active CryptoKeys (e.g., { v1: key1, v2: key2 }).
+     * @param currentKeyVersion - The string identifier of the key to use for NEW encryptions (e.g., "v2").
+     * @param bidxKey - (Optional) The CryptoKey used for generating HMAC-SHA256 blind indexes.
+     */
+    constructor(config, keyRing, currentKeyVersion, bidxKey) {
         this.adapter = config.adapter;
-        this.key = key;
+        this.keyRing = keyRing;
+        this.currentKeyVersion = currentKeyVersion;
         this.bidxKey = bidxKey;
         this.encryptedFields = config.encryptedFields;
         this.bidxFields = config.bidxFields || {};
         this.primaryKeyField = config.primaryKeyField;
     }
+    /**
+     * Securely inserts a new record into the database.
+     * Automatically generates blind indexes and encrypts configured fields using the CURRENT key version.
+     */
     async insert(table, data) {
         const fields = this.encryptedFields[table] || [];
         const bidxFields = this.bidxFields[table] || [];
@@ -19,29 +36,32 @@ export class AegisClient {
                 throw new Error(`Aegis: Cannot encrypt. Missing primary key '${this.primaryKeyField}' in payload.`);
             }
             const aadContext = String(rowId);
-            // 1. Handle Blind Indexing FIRST (While row data is still plaintext)
+            const activeKey = this.keyRing[this.currentKeyVersion]; // Grab the active key
+            // 1. Handle Blind Indexing FIRST
             for (const field of bidxFields) {
                 if (row[field] != null && this.bidxKey) {
-                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), // Safe: This is still "alice@example.com"
-                    this.bidxKey);
+                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), this.bidxKey);
                 }
             }
-            // 2. Handle Encryption SECOND (This overwrites the plaintext)
+            // 2. Handle Encryption SECOND
             for (const field of fields) {
                 if (row[field] != null) {
-                    const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
-                    row[field] = `${iv}:${ciphertext}`;
+                    // Pass the active key and the version tag to the new encrypt function
+                    const { version, ciphertext, iv } = await encrypt(String(row[field]), activeKey, this.currentKeyVersion, aadContext);
+                    // Store it in the DB as "version:iv:ciphertext"
+                    row[field] = `${version}:${iv}:${ciphertext}`;
                 }
             }
         }
         return this.adapter.insert(table, row);
     }
+    /**
+     * Retrieves and automatically decrypts records from the database.
+     * Dynamically selects the correct decryption key based on the payload's version tag.
+     */
     async select(table, query) {
-        // Intercept and swap query for Blind Indexing (NEW)
         const bidxFields = this.bidxFields[table] || [];
         let activeQuery = query;
-        // Make sure this uses THIS.bidxKey
-        // Inside your select method in client.ts
         if (query?.column &&
             query?.value &&
             bidxFields.includes(query.column) &&
@@ -50,7 +70,7 @@ export class AegisClient {
             activeQuery = {
                 ...query,
                 column: `${query.column}_bidx`,
-                value: blindIndexValue, // Pass the resulting string
+                value: blindIndexValue,
             };
         }
         const { data, error } = await this.adapter.select(table, activeQuery);
@@ -66,14 +86,19 @@ export class AegisClient {
                 return decRow;
             const aadContext = String(rowId);
             for (const field of fields) {
-                const payload = decRow[field];
-                if (typeof payload === "string" && payload.includes(":")) {
-                    const [iv, ciphertext] = payload.split(":");
-                    try {
-                        decRow[field] = await decrypt({ ciphertext, iv }, this.key, aadContext);
-                    }
-                    catch {
-                        // Tampering detected
+                const payloadStr = decRow[field];
+                if (typeof payloadStr === "string" && payloadStr.includes(":")) {
+                    const parts = payloadStr.split(":");
+                    // Check for our new 3-part versioned payload
+                    if (parts.length === 3) {
+                        const [version, iv, ciphertext] = parts;
+                        try {
+                            // Pass the whole KeyRing. crypto.ts will pick the right one.
+                            decRow[field] = await decrypt({ version, ciphertext, iv }, this.keyRing, aadContext);
+                        }
+                        catch {
+                            // Tampering detected or wrong key
+                        }
                     }
                 }
             }
@@ -81,6 +106,48 @@ export class AegisClient {
         }));
         return { data: decrypted, error };
     }
+    /**
+     * Securely modifies an existing record.
+     * Re-encrypts data with a new unique IV and the CURRENT key version.
+     */
+    async update(table, data) {
+        const fields = this.encryptedFields[table] || [];
+        const bidxFields = this.bidxFields[table] || [];
+        const row = { ...data };
+        const rowId = row[this.primaryKeyField];
+        if (!rowId) {
+            throw new Error(`Aegis: Cannot update. Missing primary key '${this.primaryKeyField}' in payload.`);
+        }
+        const aadContext = String(rowId);
+        const activeKey = this.keyRing[this.currentKeyVersion];
+        if (fields.length > 0 || bidxFields.length > 0) {
+            for (const field of bidxFields) {
+                if (row[field] != null && this.bidxKey) {
+                    row[`${field}_bidx`] = await generateBlindIndex(String(row[field]), this.bidxKey);
+                }
+            }
+            for (const field of fields) {
+                if (row[field] != null) {
+                    const { version, ciphertext, iv } = await encrypt(String(row[field]), activeKey, this.currentKeyVersion, aadContext);
+                    row[field] = `${version}:${iv}:${ciphertext}`;
+                }
+            }
+        }
+        return this.adapter.update(table, row);
+    }
+    async delete(table, query) {
+        const bidxFields = this.bidxFields[table] || [];
+        let activeQuery = query;
+        if (bidxFields.includes(query.column) && this.bidxKey) {
+            const blindIndexValue = await generateBlindIndex(String(query.value), this.bidxKey);
+            activeQuery = {
+                ...query,
+                column: `${query.column}_bidx`,
+                value: blindIndexValue,
+            };
+        }
+        return this.adapter.delete(table, activeQuery);
+    }
     async selectRaw(table, query) {
         return this.adapter.select(table, query);
     }
@@ -88,138 +155,4 @@ export class AegisClient {
         return this.adapter;
     }
 }
-// export class AegisClient {
-//   private adapter: DatabaseAdapter;
-//   private key: CryptoKey;
-//   private bidxKey?: CryptoKey;
-//   private encryptedFields: Record<string, string[]>;
-//   private bidxFields: Record<string, string[]>;
-//   private primaryKeyField: string;
-//   constructor(config: AegisConfig, key: CryptoKey) {
-//     this.adapter = config.adapter;
-//     this.key = key;
-//     this.bidxKey = bidxKey;
-//     this.encryptedFields = config.encryptedFields;
-//     this.bidxFields = config.bidxFields || {};
-//     this.primaryKeyField = config.primaryKeyField;
-//   }
-//   async insert(table: string, data: Record<string, unknown>) {
-//     const fields = this.encryptedFields[table] || [];
-//     const row: Record<string, unknown> = { ...data };
-//     if (fields.length > 0) {
-//       const rowId = row[this.primaryKeyField];
-//       if (!rowId) {
-//         throw new Error(`Aegis: Cannot encrypt. Missing primary key '${this.primaryKeyField}' in payload.`);
-//       }
-//       const aadContext = String(rowId);
-//       for (const field of fields) {
-//         if (row[field] != null) {
-//           // Generates unique IV per field and binds to the row ID
-//           const { ciphertext, iv } = await encrypt(String(row[field]), this.key, aadContext);
-//           row[field] = `${iv}:${ciphertext}`;
-//         }
-//       }
-//     }
-//     return this.adapter.insert(table, row);
-//   }
-//   async select(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
-//     const { data, error } = await this.adapter.select(table, query);
-//     if (error || !data) return { data, error };
-//     const fields = this.encryptedFields[table] || [];
-//     if (fields.length === 0) return { data, error };
-//     const decrypted = await Promise.all(
-//       data.map(async (row: Record<string, unknown>) => {
-//         const decRow = { ...row };
-//         const rowId = decRow[this.primaryKeyField];
-//         if (!rowId) return decRow; // Cannot decrypt without context
-//         const aadContext = String(rowId);
-//         for (const field of fields) {
-//           const payload = decRow[field];
-//           if (typeof payload === 'string' && payload.includes(':')) {
-//             const [iv, ciphertext] = payload.split(':');
-//             try {
-//               decRow[field] = await decrypt({ ciphertext, iv }, this.key, aadContext);
-//             } catch {
-//               // Tampering detected (invalid tag or swapped ciphertext). Leave as raw string.
-//             }
-//           }
-//         }
-//         return decRow;
-//       })
-//     );
-//     return { data: decrypted, error };
-//   }
-//   async selectRaw(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
-//     return this.adapter.select(table, query);
-//   }
-//   get db(): DatabaseAdapter {
-//     return this.adapter;
-//   }
-// }
-// import type { DatabaseAdapter } from "./types";
-// import { encrypt, decrypt } from "./crypto";
-// export class AegisClient {
-//   private adapter: DatabaseAdapter;
-//   private key: CryptoKey;
-//   private encryptedFields: Record<string, string[]>;
-//   constructor(adapter: DatabaseAdapter, key: CryptoKey, encryptedFields: Record<string, string[]>) {
-//     this.adapter = adapter;
-//     this.key = key;
-//     this.encryptedFields = encryptedFields;
-//   }
-//   /** Insert a row, auto-encrypting configured fields. Returns a shared IV for the row. */
-//   async insert(table: string, data: Record<string, unknown>) {
-//     const fields = this.encryptedFields[table] || [];
-//     const row: Record<string, unknown> = { ...data };
-//     // Generate a single IV and reuse it for all fields in this row
-//     const ivBuffer = crypto.getRandomValues(new Uint8Array(12));
-//     const sharedIv = btoa(String.fromCharCode(...ivBuffer));
-//     for (const field of fields) {
-//       if (row[field] != null) {
-//         const { ciphertext } = await encrypt(String(row[field]), this.key, ivBuffer);
-//         row[field] = ciphertext;
-//       }
-//     }
-//     if (fields.length > 0) {
-//       row.iv = sharedIv;
-//     }
-//     return this.adapter.insert(table, row);
-//   }
-//   /** Select rows, auto-decrypting configured fields. */
-//   async select(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
-//     const { data, error } = await this.adapter.select(table, query);
-//     if (error || !data) return { data, error };
-//     const fields = this.encryptedFields[table] || [];
-//     if (fields.length === 0) return { data, error };
-//     const decrypted = await Promise.all(
-//       data.map(async (row: Record<string, unknown>) => {
-//         const decRow = { ...row };
-//         const iv = row.iv as string;
-//         if (!iv) return decRow;
-//         for (const field of fields) {
-//           if (decRow[field] != null) {
-//             try {
-//               decRow[field] = await decrypt(
-//                 { ciphertext: String(decRow[field]), iv },
-//                 this.key
-//               );
-//             } catch {
-//               // leave as ciphertext if decryption fails
-//             }
-//           }
-//         }
-//         return decRow;
-//       })
-//     );
-//     return { data: decrypted, error };
-//   }
-//   /** Select rows WITHOUT decrypting — exposes raw ciphertext. */
-//   async selectRaw(table: string, query?: { column?: string; value?: unknown; limit?: number }) {
-//     return this.adapter.select(table, query);
-//   }
-//   /** Access the underlying database adapter. */
-//   get db(): DatabaseAdapter {
-//     return this.adapter;
-//   }
-// }
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEhE,MAAM,OAAO,WAAW;IAQtB,sDAAsD;IACtD,YAAY,MAAmB,EAAE,GAAc,EAAE,OAAmB;QAClE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,eAAe,eAAe,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,qEAAqE;YACrE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,0CAA0C;oBAC9D,IAAI,CAAC,OAAO,CACb,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CACtC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACF,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,IAAI,UAAU,EAAE,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,MAAM,CACV,KAAa,EACb,KAA4D;QAE5D,oDAAoD;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,mCAAmC;QACnC,yCAAyC;QACzC,IACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,KAAK;YACZ,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,OAAO,EACZ,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EACnB,IAAI,CAAC,OAAO,CACb,CAAC;YACF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe,EAAE,4BAA4B;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAE3C,IAAI,CAAC,KAAK;gBAAE,OAAO,MAAM,CAAC;YAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACzD,MAAM,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC5C,IAAI,CAAC;wBACH,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,UAAU,EAAE,EAAE,EAAE,EAClB,IAAI,CAAC,GAAG,EACR,UAAU,CACX,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,qBAAqB;oBACvB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,KAA4D;QAE5D,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF;AACD,6BAA6B;AAC7B,sCAAsC;AACtC,4BAA4B;AAC5B,iCAAiC;AACjC,uDAAuD;AACvD,kDAAkD;AAClD,qCAAqC;AAErC,uDAAuD;AACvD,qCAAqC;AACrC,sBAAsB;AACtB,8BAA8B;AAC9B,qDAAqD;AACrD,iDAAiD;AACjD,qDAAqD;AACrD,MAAM;AAEN,iEAAiE;AACjE,wDAAwD;AACxD,wDAAwD;AAExD,+BAA+B;AAC/B,iDAAiD;AACjD,sBAAsB;AACtB,+GAA+G;AAC/G,UAAU;AAEV,0CAA0C;AAE1C,sCAAsC;AACtC,oCAAoC;AACpC,qEAAqE;AACrE,gGAAgG;AAChG,gDAAgD;AAChD,YAAY;AACZ,UAAU;AACV,QAAQ;AAER,8CAA8C;AAC9C,MAAM;AAEN,gGAAgG;AAChG,uEAAuE;AACvE,kDAAkD;AAElD,wDAAwD;AACxD,uDAAuD;AAEvD,2CAA2C;AAC3C,2DAA2D;AAC3D,qCAAqC;AACrC,sDAAsD;AAEtD,uEAAuE;AACvE,4CAA4C;AAE5C,wCAAwC;AACxC,2CAA2C;AAE3C,wEAAwE;AACxE,2DAA2D;AAC3D,oBAAoB;AACpB,yFAAyF;AACzF,wBAAwB;AACxB,gGAAgG;AAChG,gBAAgB;AAChB,cAAc;AACd,YAAY;AACZ,yBAAyB;AACzB,WAAW;AACX,SAAS;AAET,yCAAyC;AACzC,MAAM;AAEN,mGAAmG;AACnG,gDAAgD;AAChD,MAAM;AAEN,gCAAgC;AAChC,2BAA2B;AAC3B,MAAM;AACN,IAAI;AAEJ,kDAAkD;AAClD,+CAA+C;AAE/C,6BAA6B;AAC7B,sCAAsC;AACtC,4BAA4B;AAC5B,uDAAuD;AAEvD,uGAAuG;AACvG,8BAA8B;AAC9B,sBAAsB;AACtB,8CAA8C;AAC9C,MAAM;AAEN,6FAA6F;AAC7F,iEAAiE;AACjE,wDAAwD;AACxD,wDAAwD;AAExD,sEAAsE;AACtE,mEAAmE;AACnE,+DAA+D;AAE/D,oCAAoC;AACpC,kCAAkC;AAClC,wFAAwF;AACxF,mCAAmC;AACnC,UAAU;AACV,QAAQ;AAER,+BAA+B;AAC/B,2BAA2B;AAC3B,QAAQ;AAER,8CAA8C;AAC9C,MAAM;AAEN,2DAA2D;AAC3D,gGAAgG;AAChG,uEAAuE;AACvE,kDAAkD;AAElD,wDAAwD;AACxD,uDAAuD;AAEvD,2CAA2C;AAC3C,2DAA2D;AAC3D,qCAAqC;AACrC,uCAAuC;AACvC,kCAAkC;AAElC,wCAAwC;AACxC,yCAAyC;AACzC,oBAAoB;AACpB,+CAA+C;AAC/C,6DAA6D;AAC7D,2BAA2B;AAC3B,mBAAmB;AACnB,wBAAwB;AACxB,2DAA2D;AAC3D,gBAAgB;AAChB,cAAc;AACd,YAAY;AACZ,yBAAyB;AACzB,WAAW;AACX,SAAS;AAET,yCAAyC;AACzC,MAAM;AAEN,oEAAoE;AACpE,mGAAmG;AACnG,gDAAgD;AAChD,MAAM;AAEN,mDAAmD;AACnD,gCAAgC;AAChC,2BAA2B;AAC3B,MAAM;AACN,IAAI"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEhE;;;;GAIG;AACH,MAAM,OAAO,WAAW;IAStB;;;;;;;OAOG;IACH,YACE,MAAmB,EACnB,OAAkC,EAClC,iBAAyB,EACzB,OAAmB;QAEnB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,eAAe,eAAe,CACnF,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YACjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,sBAAsB;YAE9E,iCAAiC;YACjC,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,IAAI,CAAC,OAAO,CACb,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,8BAA8B;YAC9B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,sEAAsE;oBACtE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CAC/C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,SAAS,EACT,IAAI,CAAC,iBAAiB,EACtB,UAAU,CACX,CAAC;oBACF,gDAAgD;oBAChD,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,OAAO,IAAI,EAAE,IAAI,UAAU,EAAE,CAAC;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,KAA4D;QAE5D,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,IACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,KAAK;YACZ,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,OAAO,EACZ,CAAC;YACD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EACnB,IAAI,CAAC,OAAO,CACb,CAAC;YACF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe;aACvB,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QAEhD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAA4B,EAAE,EAAE;YAC9C,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAE3C,IAAI,CAAC,KAAK;gBAAE,OAAO,MAAM,CAAC;YAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBACjC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/D,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAEpC,6CAA6C;oBAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACvB,MAAM,CAAC,OAAO,EAAE,EAAE,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;wBACxC,IAAI,CAAC;4BACH,6DAA6D;4BAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,CAC3B,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,EAC3B,IAAI,CAAC,OAAO,EACZ,UAAU,CACX,CAAC;wBACJ,CAAC;wBAAC,MAAM,CAAC;4BACP,kCAAkC;wBACpC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;QAEjD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,eAAe,eAAe,CAClF,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAEvD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/C,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACvC,GAAG,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,GAAG,MAAM,OAAO,CAC/C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAClB,SAAS,EACT,IAAI,CAAC,iBAAiB,EACtB,UAAU,CACX,CAAC;oBACF,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,OAAO,IAAI,EAAE,IAAI,UAAU,EAAE,CAAC;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,KAAyC;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACtD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YACpF,WAAW,GAAG;gBACZ,GAAG,KAAK;gBACR,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,OAAO;gBAC9B,KAAK,EAAE,eAAe;aACvB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CACb,KAAa,EACb,KAA4D;QAE5D,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,EAAE;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF"}

package/dist/crypto.d.ts

@@ -1,11 +1,56 @@
 import { EncryptedPayload } from "./types";
+/**
+ * Generates a strong, 256-bit master key for AES-GCM encryption and decryption.
+ * * @returns A Promise resolving to a native Web Crypto API CryptoKey.
+ */
 export declare function generateKey(): Promise<CryptoKey>;
+/**
+ * Exports a CryptoKey into a raw Base64 string so it can be safely stored
+ * in an environment variable or Key Management Service (KMS).
+ * * @param key - The CryptoKey to export.
+ * @returns A Promise resolving to the Base64 representation of the key.
+ */
 export declare function exportKey(key: CryptoKey): Promise<string>;
+/**
+ * Imports a Base64 string back into a usable CryptoKey for AES-GCM operations.
+ * * @param base64 - The Base64 encoded key string (usually from environment variables).
+ * @returns A Promise resolving to the imported CryptoKey.
+ */
 export declare function importKey(base64: string): Promise<CryptoKey>;
-export declare function encrypt(plaintext: string, key: CryptoKey, aadContext: string): Promise<EncryptedPayload>;
-export declare function decrypt(payload: EncryptedPayload, key: CryptoKey, aadContext: string): Promise<string>;
-/** Generates a dedicated key for deterministic Blind Indexing */
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Automatically generates a unique 12-byte Initialization Vector (IV) and applies
+ * Contextual Binding (AAD) to tie the ciphertext to a specific database row.
+ * @param plaintext - The sensitive data to encrypt.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param keyVersion - The string identifier for the active key (e.g., "v2").
+ * @param aadContext - The row ID or primary key to bind this ciphertext to.
+ * @returns A Promise resolving to an object containing the Base64 `ciphertext` and `iv`.
+ */
+export declare function encrypt(plaintext: string, key: CryptoKey, keyVersion: string, aadContext: string): Promise<EncryptedPayload>;
+/**
+ * Decrypts an AES-256-GCM payload back into plaintext.
+ * Supports Key Rotation by reading the payload's version and selecting the correct key.
+ * Strictly verifies the Context (AAD) to ensure data integrity.
+ *
+ * @param payload - The EncryptedPayload containing `version`, `ciphertext`, and `iv`.
+ * @param keyRing - A dictionary of historical and active CryptoKeys (e.g., { "v1": key1, "v2": key2 }).
+ * @param aadContext - The row ID or primary key that this ciphertext is bound to.
+ * @returns A Promise resolving to the decrypted plaintext string.
+ */
+export declare function decrypt(payload: EncryptedPayload, keyRing: Record<string, CryptoKey>, // Accepts multiple keys
+aadContext: string): Promise<string>;
+/** * Generates a dedicated HMAC-SHA256 key for deterministic Blind Indexing.
+ * This key should be kept separate from the master encryption key.
+ * * @returns A Promise resolving to an HMAC CryptoKey.
+ */
 export declare function generateBidxKey(): Promise<CryptoKey>;
-/** Generates a deterministic hash for database searching */
+/** * Generates a deterministic hash for database searching without exposing plaintext.
+ * Safely extracts the underlying memory buffer to guarantee identical hashes
+ * across different JavaScript runtimes (Node.js, Browsers, Edge).
+ * * @param plaintext - The data to hash (e.g., an email address).
+ * @param key - The HMAC Blind Index CryptoKey.
+ * @returns A Promise resolving to a deterministic Base64 hash string.
+ */
 export declare function generateBlindIndex(plaintext: string, key: CryptoKey): Promise<string>;
 //# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AA0B3C,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAKtD;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CASlE;AAED,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,gBAAgB,CAAC,CAsB3B;AAED,wBAAsB,OAAO,CAC3B,OAAO,EAAE,gBAAgB,EACzB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAsBjB;AAID,iEAAiE;AACjE,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAK1D;AAED,4DAA4D;AAC5D,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,MAAM,CAAC,CAkBjB"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAqC3C;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,SAAS,CAAC,CAKtD;AAED;;;;;GAKG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CASlE;AAED;;;;;;;;;GASG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,gBAAgB,CAAC,CAsB3B;AAED;;;;;;;;;GASG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,wBAAwB;AAC5D,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CA6BjB;AAID;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,SAAS,CAAC,CAK1D;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,MAAM,CAAC,CAkBjB"}

package/dist/crypto.js

@@ -1,6 +1,11 @@
 const ALGO = "AES-GCM";
 const KEY_LENGTH = 256;
-// Memory-safe Base64 conversion helpers
+/**
+ * Safely converts an ArrayBuffer or Uint8Array to a Base64 string.
+ * Used internally to format ciphertexts, IVs, and exported keys for safe database storage.
+ * * @param buffer - The raw byte array to convert.
+ * @returns A Base64 encoded string.
+ */
 function bufferToBase64(buffer) {
     let binary = "";
     // Normalize to Uint8Array safely
@@ -11,6 +16,12 @@ function bufferToBase64(buffer) {
     }
     return btoa(binary);
 }
+/**
+ * Converts a Base64 string back into a Uint8Array.
+ * Used internally to reconstruct buffers for decryption or key importing.
+ * * @param base64 - The Base64 encoded string.
+ * @returns A Uint8Array containing the raw bytes.
+ */
 function base64ToBuffer(base64) {
     const binaryString = atob(base64);
     const bytes = new Uint8Array(binaryString.length);
@@ -19,21 +30,46 @@ function base64ToBuffer(base64) {
     }
     return bytes;
 }
+/**
+ * Generates a strong, 256-bit master key for AES-GCM encryption and decryption.
+ * * @returns A Promise resolving to a native Web Crypto API CryptoKey.
+ */
 export async function generateKey() {
     return crypto.subtle.generateKey({ name: ALGO, length: KEY_LENGTH }, true, [
         "encrypt",
         "decrypt",
     ]);
 }
+/**
+ * Exports a CryptoKey into a raw Base64 string so it can be safely stored
+ * in an environment variable or Key Management Service (KMS).
+ * * @param key - The CryptoKey to export.
+ * @returns A Promise resolving to the Base64 representation of the key.
+ */
 export async function exportKey(key) {
     const raw = await crypto.subtle.exportKey("raw", key);
     return bufferToBase64(raw);
 }
+/**
+ * Imports a Base64 string back into a usable CryptoKey for AES-GCM operations.
+ * * @param base64 - The Base64 encoded key string (usually from environment variables).
+ * @returns A Promise resolving to the imported CryptoKey.
+ */
 export async function importKey(base64) {
     const raw = base64ToBuffer(base64);
     return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, ["encrypt", "decrypt"]);
 }
-export async function encrypt(plaintext, key, aadContext) {
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Automatically generates a unique 12-byte Initialization Vector (IV) and applies
+ * Contextual Binding (AAD) to tie the ciphertext to a specific database row.
+ * @param plaintext - The sensitive data to encrypt.
+ * @param key - The master AES-GCM CryptoKey.
+ * @param keyVersion - The string identifier for the active key (e.g., "v2").
+ * @param aadContext - The row ID or primary key to bind this ciphertext to.
+ * @returns A Promise resolving to an object containing the Base64 `ciphertext` and `iv`.
+ */
+export async function encrypt(plaintext, key, keyVersion, aadContext) {
     const iv = crypto.getRandomValues(new Uint8Array(12)); // ALWAYS unique
     const encoded = new TextEncoder().encode(plaintext);
     const algorithm = {
@@ -44,9 +80,25 @@ export async function encrypt(plaintext, key, aadContext) {
         algorithm.additionalData = new TextEncoder().encode(aadContext);
     }
     const cipherBuffer = await crypto.subtle.encrypt(algorithm, key, encoded);
-    return { ciphertext: bufferToBase64(cipherBuffer), iv: bufferToBase64(iv) };
+    return { version: keyVersion, ciphertext: bufferToBase64(cipherBuffer), iv: bufferToBase64(iv) };
 }
-export async function decrypt(payload, key, aadContext) {
+/**
+ * Decrypts an AES-256-GCM payload back into plaintext.
+ * Supports Key Rotation by reading the payload's version and selecting the correct key.
+ * Strictly verifies the Context (AAD) to ensure data integrity.
+ *
+ * @param payload - The EncryptedPayload containing `version`, `ciphertext`, and `iv`.
+ * @param keyRing - A dictionary of historical and active CryptoKeys (e.g., { "v1": key1, "v2": key2 }).
+ * @param aadContext - The row ID or primary key that this ciphertext is bound to.
+ * @returns A Promise resolving to the decrypted plaintext string.
+ */
+export async function decrypt(payload, keyRing, // Accepts multiple keys
+aadContext) {
+    // Identify which key to use based on the payload's version tag
+    const targetKey = keyRing[payload.version];
+    if (!targetKey) {
+        throw new Error(`CRITICAL: Key version [${payload.version}] not found in provided KeyRing.`);
+    }
     const cipherBytes = base64ToBuffer(payload.ciphertext);
     const iv = base64ToBuffer(payload.iv);
     const algorithm = {
@@ -56,18 +108,28 @@ export async function decrypt(payload, key, aadContext) {
     if (aadContext) {
         algorithm.additionalData = new TextEncoder().encode(aadContext);
     }
-    const decrypted = await crypto.subtle.decrypt(algorithm, key, cipherBytes);
+    const decrypted = await crypto.subtle.decrypt(algorithm, targetKey, // Use the dynamically selected key
+    cipherBytes);
     return new TextDecoder().decode(decrypted);
 }
 const HMAC_ALGO = "HMAC";
-/** Generates a dedicated key for deterministic Blind Indexing */
+/** * Generates a dedicated HMAC-SHA256 key for deterministic Blind Indexing.
+ * This key should be kept separate from the master encryption key.
+ * * @returns A Promise resolving to an HMAC CryptoKey.
+ */
 export async function generateBidxKey() {
     return crypto.subtle.generateKey({ name: HMAC_ALGO, hash: "SHA-256" }, true, [
         "sign",
         "verify",
     ]);
 }
-/** Generates a deterministic hash for database searching */
+/** * Generates a deterministic hash for database searching without exposing plaintext.
+ * Safely extracts the underlying memory buffer to guarantee identical hashes
+ * across different JavaScript runtimes (Node.js, Browsers, Edge).
+ * * @param plaintext - The data to hash (e.g., an email address).
+ * @param key - The HMAC Blind Index CryptoKey.
+ * @returns A Promise resolving to a deterministic Base64 hash string.
+ */
 export async function generateBlindIndex(plaintext, key) {
     const encoder = new TextEncoder();
     const encoded = encoder.encode(plaintext);
@@ -77,40 +139,4 @@ export async function generateBlindIndex(plaintext, key) {
     const signature = await crypto.subtle.sign("HMAC", key, cleanBuffer);
     return bufferToBase64(signature);
 }
-// import { EncryptedPayload } from "./types";
-// const ALGO = "AES-GCM";
-// const KEY_LENGTH = 256;
-// export async function generateKey(): Promise<CryptoKey> {
-//   return crypto.subtle.generateKey(
-//     { name: ALGO, length: KEY_LENGTH },
-//     true,
-//     ["encrypt", "decrypt"]
-//   );
-// }
-// export async function exportKey(key: CryptoKey): Promise<string> {
-//   const raw = await crypto.subtle.exportKey("raw", key);
-//   return btoa(String.fromCharCode(...new Uint8Array(raw)));
-// }
-// export async function importKey(base64: string): Promise<CryptoKey> {
-//   const raw = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-//   return crypto.subtle.importKey("raw", raw, { name: ALGO, length: KEY_LENGTH }, true, [
-//     "encrypt",
-//     "decrypt",
-//   ]);
-// }
-// export async function encrypt(plaintext: string, key: CryptoKey, existingIv?: Uint8Array): Promise<EncryptedPayload> {
-//   const iv = existingIv ? new Uint8Array(existingIv) : crypto.getRandomValues(new Uint8Array(12));
-//   const encoded = new TextEncoder().encode(plaintext);
-//   const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
-//   return {
-//     ciphertext: btoa(String.fromCharCode(...new Uint8Array(cipherBuffer))),
-//     iv: btoa(String.fromCharCode(...iv)),
-//   };
-// }
-// export async function decrypt(payload: EncryptedPayload, key: CryptoKey): Promise<string> {
-//   const cipherBytes = Uint8Array.from(atob(payload.ciphertext), (c) => c.charCodeAt(0));
-//   const iv = Uint8Array.from(atob(payload.iv), (c) => c.charCodeAt(0));
-//   const decrypted = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBytes);
-//   return new TextDecoder().decode(decrypted);
-// }
 //# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB,wCAAwC;AACxC,SAAS,cAAc,CAAC,MAAgC;IACtD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,iCAAiC;IACjC,MAAM,KAAK,GAAG,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACzE,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAiB,EACjB,GAAc,EACd,UAAkB;IAElB,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;IACvE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpD,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC9C,SAAS,EACT,GAAG,EACH,OAAuB,CACxB,CAAC;IAEF,OAAO,EAAE,UAAU,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAyB,EACzB,GAAc,EACd,UAAkB;IAElB,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,SAAS,EACT,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAAC;AAEzB,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE;QAC3E,MAAM;QACN,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED,4DAA4D;AAC5D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,GAAc;IAEd,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE1C,8CAA8C;IAC9C,mFAAmF;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CACxC,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED,8CAA8C;AAE9C,0BAA0B;AAC1B,0BAA0B;AAE1B,4DAA4D;AAC5D,sCAAsC;AACtC,0CAA0C;AAC1C,YAAY;AACZ,6BAA6B;AAC7B,OAAO;AACP,IAAI;AAEJ,qEAAqE;AACrE,2DAA2D;AAC3D,8DAA8D;AAC9D,IAAI;AAEJ,wEAAwE;AACxE,uEAAuE;AACvE,2FAA2F;AAC3F,iBAAiB;AACjB,iBAAiB;AACjB,QAAQ;AACR,IAAI;AAEJ,yHAAyH;AACzH,qGAAqG;AACrG,yDAAyD;AACzD,wFAAwF;AACxF,aAAa;AACb,8EAA8E;AAC9E,4CAA4C;AAC5C,OAAO;AACP,IAAI;AAEJ,8FAA8F;AAC9F,2FAA2F;AAC3F,0EAA0E;AAC1E,yFAAyF;AACzF,gDAAgD;AAChD,IAAI"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../crypto.ts"],"names":[],"mappings":"AAEA,MAAM,IAAI,GAAG,SAAS,CAAC;AACvB,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAgC;IACtD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,iCAAiC;IACjC,MAAM,KAAK,GAAG,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,KAAK,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE;QACzE,SAAS;QACT,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,EAClC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAiB,EACjB,GAAc,EACd,UAAkB,EAClB,UAAkB;IAElB,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB;IACvE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpD,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC9C,SAAS,EACT,GAAG,EACH,OAAuB,CACxB,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC;AACnG,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAyB,EACzB,OAAkC,EAAE,wBAAwB;AAC5D,UAAkB;IAElB,+DAA+D;IAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,CAAC,OAAO,kCAAkC,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAiB;QAC9B,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAkB;KACvB,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACjD,UAAU,CACK,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,SAAS,EACT,SAAS,EAAE,mCAAmC;IAC9C,WAA2B,CAC5B,CAAC;IAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAAC;AAEzB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE;QAC3E,MAAM;QACN,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,GAAc;IAEd,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE1C,8CAA8C;IAC9C,mFAAmF;IACnF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CACtC,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CACxC,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,GAAG,EACH,WAA2B,CAC5B,CAAC;IAEF,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { AegisClient } from "./client";
-export { generateKey, exportKey, importKey, encrypt, decrypt } from "./crypto";
+export { generateKey, generateBidxKey, exportKey, importKey } from "./crypto";
 export { SupabaseAdapter } from "./adapters/supabase";
 export { MongoDBAdapter } from "./adapters/mongodb";
 export type { AegisConfig, EncryptedPayload, AegisKeyPair, DatabaseAdapter } from "./types";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -1,5 +1,5 @@
 export { AegisClient } from "./client";
-export { generateKey, exportKey, importKey, encrypt, decrypt } from "./crypto";
+export { generateKey, generateBidxKey, exportKey, importKey } from "./crypto";
 export { SupabaseAdapter } from "./adapters/supabase";
 export { MongoDBAdapter } from "./adapters/mongodb";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/types.d.ts

@@ -11,6 +11,17 @@ export interface DatabaseAdapter {
         data: Record<string, unknown>[] | null;
         error: unknown;
     }>;
+    update(table: string, data: Record<string, unknown>): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
+    delete(table: string, query: {
+        column: string;
+        value: unknown;
+    }): Promise<{
+        data: any[] | null;
+        error: any;
+    }>;
 }
 export interface AegisConfig {
     adapter: DatabaseAdapter;
@@ -19,6 +30,7 @@ export interface AegisConfig {
     bidxFields?: Record<string, string[]>;
 }
 export interface EncryptedPayload {
+    version: string;
     ciphertext: string;
     iv: string;
 }

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1H,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC1J;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1C,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1H,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACzJ,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,GAAG,CAAA;KAAE,CAAC,CAAC;IAClG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAAC,KAAK,EAAE,GAAG,CAAA;KAAE,CAAC,CAAC;CAC/G;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,eAAe,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1C,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/types.js

@@ -1,24 +1,2 @@
 export {};
-// /** Generic database adapter interface — implement this for any database. */
-// export interface DatabaseAdapter {
-//   /** Insert a row into a table/collection. Returns the inserted data. */
-//   insert(table: string, data: Record<string, unknown>): Promise<{ data: Record<string, unknown>[] | null; error: unknown }>;
-//   /** Select rows from a table/collection with optional filters. */
-//   select(
-//     table: string,
-//     query?: { column?: string; value?: unknown; limit?: number }
-//   ): Promise<{ data: Record<string, unknown>[] | null; error: unknown }>;
-// }
-// export interface AegisConfig {
-//   adapter: DatabaseAdapter;
-//   encryptedFields: Record<string, string[]>;
-// }
-// export interface EncryptedPayload {
-//   ciphertext: string;
-//   iv: string;
-// }
-// export interface AegisKeyPair {
-//   key: CryptoKey;
-//   exported: string;
-// }
 //# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":";AAqBA,+EAA+E;AAC/E,qCAAqC;AACrC,4EAA4E;AAC5E,+HAA+H;AAE/H,sEAAsE;AACtE,YAAY;AACZ,qBAAqB;AACrB,mEAAmE;AACnE,4EAA4E;AAC5E,IAAI;AAEJ,iCAAiC;AACjC,8BAA8B;AAC9B,+CAA+C;AAC/C,IAAI;AAEJ,sCAAsC;AACtC,wBAAwB;AACxB,gBAAgB;AAChB,IAAI;AAEJ,kCAAkC;AAClC,oBAAoB;AACpB,sBAAsB;AACtB,IAAI"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../types.ts"],"names":[],"mappings":""}

package/package.json

@@ -1,7 +1,15 @@
 {
   "name": "aegis-lock",
-  "version": "2.0.1",
+  "version": "2.2.0",
   "description": "Database-agnostic client-side AES-256-GCM field-level encryption. Works with Supabase, MongoDB, or any database via pluggable adapters.",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hritesh-saha/aegis-lock.git"
+  },
+  "bugs": {
+    "url": "https://github.com/hritesh-saha/aegis-lock/issues"
+  },
+  "homepage": "https://github.com/hritesh-saha/aegis-lock#readme",
   "type": "module",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -50,6 +58,9 @@
   "peerDependenciesMeta": {
     "@supabase/supabase-js": {
       "optional": true
+    },
+    "mongodb": {
+      "optional": true
     }
   },
   "devDependencies": {
@@ -57,6 +68,7 @@
     "@types/jest": "^30.0.0",
     "@types/node": "^25.3.5",
     "jest": "^30.2.0",
+    "mongodb": "^7.1.1",
     "ts-jest": "^29.4.6",
     "typescript": "^5.9.3"
   }