asherah 4.0.34 → 4.0.35

package/README.md

@@ -14,260 +14,348 @@ npm install asherah
 
 Requires Node.js >= 18.
 
-## Quick Start (Static API)
+## Choosing an API style
 
-The static API uses a global singleton. Call `setup()` once, then `encrypt`/`decrypt` from anywhere.
+Two API styles are exposed; both are fully supported and produce the same
+wire format. New code should prefer the **Factory / Session API**.
+
+| Style | When to use |
+|---|---|
+| **Static / module-level** (`asherah.setup`, `asherah.encrypt`, …) | Drop-in compatibility with the canonical `godaddy/asherah-node` package. Simplest call surface. Singleton lifecycle (`setup()` once, `shutdown()` once). |
+| **Factory / Session** (`new SessionFactory(...)`, `factory.getSession(...)`) | Recommended for new code. Explicit lifecycle, no hidden singleton, multi-tenant isolation is obvious in code. |
+
+A complete runnable example exercising both styles plus async, log hook, and
+metrics hook is in [`samples/node/index.mjs`](../samples/node/index.mjs).
+
+## Quick start (static API)
 
 ```js
 const asherah = require('asherah');
 
-// Static master key for local development only.
-// In production, use kms: 'aws' with a region map.
-process.env.STATIC_MASTER_KEY_HEX = '22'.repeat(32);
+process.env.STATIC_MASTER_KEY_HEX = '22'.repeat(32); // testing only
 
 asherah.setup({
   serviceName: 'my-service',
   productId: 'my-product',
-  metastore: 'memory',   // testing only
-  kms: 'static',         // testing only
-  enableSessionCaching: true,
+  metastore: 'memory',   // testing only — use 'rdbms' or 'dynamodb' in production
+  kms: 'static',         // testing only — use 'aws' in production
 });
 
-// Encrypt raw bytes
-const ciphertext = asherah.encrypt('my-partition', Buffer.from('secret data'));
-const plaintext = asherah.decrypt('my-partition', ciphertext);
-console.log(plaintext.toString()); // 'secret data'
-
-// Or use the string convenience methods
-const ct = asherah.encryptString('my-partition', 'hello world');
-const pt = asherah.decryptString('my-partition', ct);
-console.log(pt); // 'hello world'
+const ct = asherah.encryptString('user-42', 'secret');
+const pt = asherah.decryptString('user-42', ct);
 
 asherah.shutdown();
 ```
 
-## Session-Based API
-
-The `SessionFactory` / `AsherahSession` pattern is preferred for production. It
-avoids the global singleton and gives you explicit control over session
-lifetimes.
+## Quick start (factory / session API)
 
 ```js
 const { SessionFactory } = require('asherah');
 
-process.env.STATIC_MASTER_KEY_HEX = '22'.repeat(32);
-
 const factory = new SessionFactory({
   serviceName: 'my-service',
   productId: 'my-product',
-  metastore: 'memory',   // testing only
-  kms: 'static',         // testing only
+  metastore: 'memory',
+  kms: 'static',
 });
+const session = factory.getSession('user-42');
+try {
+  const ct = session.encryptString('secret');
+  const pt = session.decryptString(ct);
+} finally {
+  session.close();
+  factory.close();
+}
+```
 
-const session = factory.getSession('my-partition');
-
-const ct = session.encrypt(Buffer.from('secret'));
-const pt = session.decrypt(ct);
-console.log(pt.toString()); // 'secret'
+## Async API
 
-// String variants
-const ct2 = session.encryptString('hello');
-const pt2 = session.decryptString(ct2);
-console.log(pt2); // 'hello'
+Every sync function has a `*Async` counterpart that returns a `Promise` and
+runs on the Rust tokio runtime — the Node event loop is not blocked.
 
-session.close();
-factory.close();
+```js
+await asherah.setupAsync(config);
+const ct = await asherah.encryptStringAsync('user-42', 'secret');
+const pt = await asherah.decryptStringAsync('user-42', ct);
+await asherah.shutdownAsync();
 ```
 
-You can also create a factory from environment variables:
+| Metastore | Async path | Blocks event loop? |
+|-----------|------------|---------------------|
+| In-memory | tokio worker thread | No |
+| DynamoDB  | true async AWS SDK calls on tokio | No |
+| MySQL     | `spawn_blocking` (sync driver on tokio thread pool) | No |
+| Postgres  | `spawn_blocking` (sync driver on tokio thread pool) | No |
 
-```js
-const factory = SessionFactory.fromEnv();
-```
+Tradeoff: ~12µs async vs ~1µs sync per call (hot cache, 64 B payload). Use
+sync in tight loops where latency matters; async when you need to keep the
+event loop responsive.
 
-## Async API
+## Observability hooks
+
+### Log hook
 
-Every sync function has an async counterpart that returns a Promise and never
-blocks the Node.js event loop.
+Receive every log event from the Rust core (encrypt/decrypt path, metastore
+drivers, KMS clients).
 
 ```js
-const asherah = require('asherah');
+asherah.setLogHook((event) => {
+  // event = { level, message, target }
+  // level ∈ 'trace' | 'debug' | 'info' | 'warn' | 'error'
+  if (event.level === 'warn' || event.level === 'error') {
+    console.error(`[asherah ${event.level}] ${event.message}`);
+  }
+});
 
-process.env.STATIC_MASTER_KEY_HEX = '22'.repeat(32);
+// later, to deregister:
+asherah.setLogHook(null);
+```
 
-await asherah.setupAsync({
-  serviceName: 'my-service',
-  productId: 'my-product',
-  metastore: 'memory',   // testing only
-  kms: 'static',         // testing only
+The snake_case alias `set_log_hook` also accepts the canonical
+`(level: number, message: string)` signature for backward compatibility with
+the Go-based `asherah` npm package.
+
+```js
+asherah.set_log_hook((level, message) => {
+  // level is a number 0..4 (0=trace, 1=debug, 2=info, 3=warn, 4=error)
+  console.log(`[level ${level}] ${message}`);
 });
+```
 
-const ct = await asherah.encryptStringAsync('my-partition', 'secret');
-const pt = await asherah.decryptStringAsync('my-partition', ct);
-console.log(pt); // 'secret'
+Log events are delivered via N-API ThreadsafeFunction — they run on the Node
+main thread, so synchronous code in the callback is safe.
 
-await asherah.shutdownAsync();
+### Metrics hook
+
+Receive timing events for encrypt/decrypt/store/load and counter events for
+cache hit/miss/stale.
+
+```js
+asherah.setMetricsHook((event) => {
+  switch (event.type) {
+    case 'encrypt':
+    case 'decrypt':
+    case 'store':
+    case 'load':
+      // event = { type, durationNs }
+      myHistogram.observe(event.type, event.durationNs / 1e6);
+      break;
+    case 'cache_hit':
+    case 'cache_miss':
+    case 'cache_stale':
+      // event = { type, name }
+      myCounter.inc({ result: event.type, cache: event.name });
+      break;
+  }
+});
+
+// later:
+asherah.setMetricsHook(null);
 ```
 
-## Async Behavior
+Metrics collection is enabled automatically when a hook is installed, and
+disabled when cleared.
 
-Async operations run on a Rust tokio runtime, separate from the Node.js event
-loop. The exact execution strategy depends on the metastore:
+## Input contract
 
-| Metastore | Async Encrypt/Decrypt | Blocks Event Loop? |
-|-----------|----------------------|-------------------|
-| In-Memory | Runs on tokio worker thread | No |
-| DynamoDB  | True async AWS SDK calls on tokio | No |
-| MySQL     | `spawn_blocking` (sync driver on tokio thread pool) | No |
-| Postgres  | `spawn_blocking` (sync driver on tokio thread pool) | No |
+**Partition ID** (`null`, `undefined`, `""`): always rejected as
+programming errors with `TypeError` (sync) or rejected `Promise`
+(async). No row is ever written to the metastore under a degenerate
+partition ID.
+
+**Plaintext** to encrypt:
+- `null` / `undefined` → `TypeError` from N-API marshalling (sync) or
+  rejected `Promise` (async).
+- Empty `string` (`""`) and `Buffer.alloc(0)` are **valid** plaintexts.
+  `encrypt(...)` / `encryptString(...)` produces a real `DataRowRecord`
+  envelope; the matching `decrypt(...)` returns exactly `""` or an
+  empty `Buffer`.
 
-**Async never blocks the Node.js event loop.** The tradeoff is ~12us overhead
-per async call vs ~1us for sync (hot cache, 64B payload). Use sync in tight
-loops where latency matters; use async when you need to keep the event loop
-responsive.
+**Ciphertext** to decrypt:
+- `null` / `undefined` → `TypeError`.
+- Empty `string` / empty `Buffer` → `Error` from native layer (not
+  valid `DataRowRecord` JSON).
+
+**Do not short-circuit empty plaintext encryption in caller code** —
+empty data is real data, encrypting it produces a genuine envelope, and
+skipping encryption leaks the fact that the value was empty. See
+[docs/input-contract.md](../docs/input-contract.md) for the full
+rationale.
 
 ## Configuration
 
-Pass a config object to `setup()`, `setupAsync()`, or the `SessionFactory`
-constructor. Both camelCase and PascalCase field names are accepted (PascalCase
-is auto-mapped for backward compatibility with the canonical Go-based package).
+All fields can be passed in `camelCase` (native) or `PascalCase` (canonical Go
+SDK) — both are auto-mapped. Pass to `setup()`, `setupAsync()`, or the
+`SessionFactory` constructor.
 
 | Field | Type | Default | Description |
 |-------|------|---------|-------------|
-| `serviceName` | `string` | **(required)** | Service identifier for key hierarchy |
-| `productId` | `string` | **(required)** | Product identifier for key hierarchy |
-| `metastore` | `string` | **(required)** | `"rdbms"`, `"dynamodb"`, `"memory"` (testing) |
-| `kms` | `string` | `"static"` | `"static"` or `"aws"` |
-| `connectionString` | `string` | | Connection string for sqlite or rdbms metastore |
-| `sqlMetastoreDBType` | `string` | | `"mysql"` or `"postgres"` (for rdbms metastore) |
-| `enableSessionCaching` | `boolean` | `true` | Cache sessions by partition ID |
-| `sessionCacheMaxSize` | `number` | `1000` | Max cached sessions |
-| `sessionCacheDuration` | `number` | | Session cache TTL in milliseconds |
-| `regionMap` | `object` | | `{ "us-west-2": "arn:aws:kms:..." }` for AWS KMS multi-region |
-| `preferredRegion` | `string` | | Preferred AWS region for KMS |
-| `enableRegionSuffix` | `boolean` | | Append region suffix to system key IDs |
-| `expireAfter` | `number` | | Key expiration in milliseconds |
-| `checkInterval` | `number` | | Key rotation check interval in milliseconds |
-| `dynamoDBEndpoint` | `string` | | Custom DynamoDB endpoint URL |
-| `dynamoDBRegion` | `string` | | DynamoDB region |
-| `dynamoDBTableName` | `string` | | DynamoDB table name |
-| `replicaReadConsistency` | `string` | | DynamoDB read consistency |
-| `verbose` | `boolean` | `false` | Enable debug logging |
-| `enableCanaries` | `boolean` | | Enable canary key verification |
-| `disableZeroCopy` | `boolean` | | Disable zero-copy optimizations |
-| `nullDataCheck` | `boolean` | | Verify data is not null before decrypt |
-| `poolMaxOpen` | `number` | `0` | Max open DB connections (0 = unlimited) |
-| `poolMaxIdle` | `number` | `2` | Max idle connections to retain |
-| `poolMaxLifetime` | `number` | `0` | Max connection lifetime in seconds (0 = unlimited) |
-| `poolMaxIdleTime` | `number` | `0` | Max idle time per connection in seconds (0 = unlimited) |
-
-### Environment Variables
-
-- `STATIC_MASTER_KEY_HEX` -- 64 hex chars (32 bytes) for static KMS. **Testing only.**
-- `ASHERAH_NODE_DEBUG=1` -- Enable native debug logging.
-- `ASHERAH_POOL_MAX_OPEN` -- Max open DB connections (overrides config).
-- `ASHERAH_POOL_MAX_IDLE` -- Max idle connections (overrides config).
-- `ASHERAH_POOL_MAX_LIFETIME` -- Max connection lifetime in seconds (overrides config).
-- `ASHERAH_POOL_MAX_IDLE_TIME` -- Max idle time per connection in seconds (overrides config).
+| `serviceName` | `string` | **required** | Service identifier for the key hierarchy. |
+| `productId` | `string` | **required** | Product identifier for the key hierarchy. |
+| `metastore` | `'memory' \| 'rdbms' \| 'dynamodb'` | **required** | `'memory'` is testing-only and does not persist across processes. |
+| `kms` | `'static' \| 'aws'` | `'static'` | `'static'` is testing-only (uses a hard-coded master key). |
+| `connectionString` | `string` | | Connection string for `rdbms` metastore. |
+| `sqlMetastoreDbType` | `'mysql' \| 'postgres'` | | SQL driver. |
+| `enableSessionCaching` | `boolean` | `true` | Cache `Session` objects by partition ID. |
+| `sessionCacheMaxSize` | `number` | `1000` | Max cached sessions. |
+| `sessionCacheDuration` | `number` | | Session cache TTL in seconds. |
+| `regionMap` | `Record<string, string>` | | AWS KMS multi-region key ARN map. |
+| `preferredRegion` | `string` | | Preferred AWS region from `regionMap`. |
+| `enableRegionSuffix` | `boolean` | | Append AWS region suffix to key IDs. |
+| `expireAfter` | `number` | 90 days | Intermediate-key expiration in seconds. |
+| `checkInterval` | `number` | 60 minutes | Revoke-check interval in seconds. |
+| `dynamoDbEndpoint` | `string` | | DynamoDB endpoint URL (for local DynamoDB). |
+| `dynamoDbRegion` | `string` | | AWS region for DynamoDB. |
+| `dynamoDbTableName` | `string` | `'EncryptionKey'` | DynamoDB table name. |
+| `dynamoDbSigningRegion` | `string` | | Region used for SigV4 signing. |
+| `replicaReadConsistency` | `'eventual' \| 'global' \| 'session'` | | DynamoDB read consistency. |
+| `verbose` | `boolean` | `false` | Emit verbose log events (use a log hook to consume). |
+| `enableCanaries` | `boolean` | `false` | Enable in-memory canary buffers around plaintexts. |
+| `disableZeroCopy` | `boolean` | | Compatibility shim — accepted but no effect. |
+| `nullDataCheck` | `boolean` | | Compatibility shim — accepted but no effect. |
+| `poolMaxOpen` | `number` | `0` | Max open DB connections (0 = unlimited). |
+| `poolMaxIdle` | `number` | `2` | Max idle DB connections to retain. |
+| `poolMaxLifetime` | `number` | `0` | Max connection lifetime in seconds (0 = unlimited). |
+| `poolMaxIdleTime` | `number` | `0` | Max idle time in seconds per connection (0 = unlimited). |
+
+### Environment variables
+
+| Variable | Effect |
+|---|---|
+| `STATIC_MASTER_KEY_HEX` | 64 hex chars (32 bytes) for static KMS. **Testing only.** |
+| `ASHERAH_NODE_DEBUG=1` | Enable native-side debug logging. |
+| `ASHERAH_POOL_MAX_OPEN` | Override `poolMaxOpen`. |
+| `ASHERAH_POOL_MAX_IDLE` | Override `poolMaxIdle`. |
+| `ASHERAH_POOL_MAX_LIFETIME` | Override `poolMaxLifetime`. |
+| `ASHERAH_POOL_MAX_IDLE_TIME` | Override `poolMaxIdleTime`. |
 
 ## Performance
 
-This is a native Rust implementation compiled via napi-rs. Typical latencies on
-Apple M4 Max (in-memory metastore, session caching enabled, 64-byte payload):
+Native Rust implementation compiled via napi-rs. Typical latencies on Apple
+M4 Max (in-memory metastore, session caching enabled, 64-byte payload):
 
 | Operation | Sync | Async |
 |-----------|------|-------|
-| Encrypt   | ~970 ns | ~12 us |
-| Decrypt   | ~1,200 ns | ~12 us |
+| Encrypt   | ~970 ns | ~12 µs |
+| Decrypt   | ~1.2 µs | ~12 µs |
 
 See `scripts/benchmark.sh` for head-to-head comparisons with the canonical
 Go-based implementation.
 
-## Migration from Canonical (v3.x)
+## Migration from the canonical Go-based `asherah` (v3.x)
 
-This package is a drop-in replacement for the Go-based `asherah` npm package
-(v3.x). The JavaScript wrapper provides full backward compatibility:
+Drop-in replacement. The npm wrapper provides full backward compatibility:
 
-- **PascalCase config** -- `ServiceName`, `ProductID`, `Metastore`, etc. are
-  auto-mapped to camelCase equivalents.
-- **snake_case function aliases** -- `set_log_hook`, `get_setup_status`,
-  `encrypt_string`, `decrypt_string_async`, etc. all work.
-- **Metastore/KMS aliases** -- `"test-debug-memory"`, `"test-debug-static"`,
-  etc. are normalized to their short forms.
-- **`set_log_hook` callback signature** -- Both the canonical
-  `(level: number, message: string)` and the native
-  `(event: { level, message, target })` signatures are supported.
+- **PascalCase config** — `ServiceName`, `ProductID`, `Metastore`, etc. are
+  auto-mapped to camelCase.
+- **snake_case function aliases** — `set_log_hook`, `set_metrics_hook`,
+  `get_setup_status`, `encrypt_string`, `decrypt_string_async`, etc.
+- **Metastore/KMS aliases** — `'test-debug-memory'`, `'test-debug-static'`
+  normalize to the short forms.
+- **`set_log_hook` signature variants** — both the canonical
+  `(level: number, message: string)` and the structured
+  `(event: { level, message, target })` are supported.
 
-To migrate, update your package version. No code changes required.
+To migrate: change your dependency from `asherah@^3` to this package. No code
+changes required.
 
-## Supported Platforms
+## Supported platforms
 
 | Platform | Architecture | Notes |
-|----------|-------------|-------|
-| Linux    | x64         | glibc (most distros) |
-| Linux    | x64         | musl (Alpine) |
-| Linux    | ARM64       | glibc |
-| Linux    | ARM64       | musl (Alpine) |
-| macOS    | x64         | Intel Macs |
-| macOS    | ARM64       | Apple Silicon |
-| Windows  | x64         | MSVC |
-| Windows  | ARM64       | MSVC |
+|----------|--------------|-------|
+| Linux    | x64          | glibc (most distros) |
+| Linux    | x64          | musl (Alpine) |
+| Linux    | ARM64        | glibc |
+| Linux    | ARM64        | musl (Alpine) |
+| macOS    | x64          | Intel |
+| macOS    | ARM64        | Apple Silicon |
+| Windows  | x64          | MSVC |
+| Windows  | ARM64        | MSVC |
 
 ## API Reference
 
-### Setup / Teardown
-
-- `setup(config)` -- Initialize the global Asherah instance.
-- `setupAsync(config)` -- Async variant of `setup`.
-- `shutdown()` -- Shut down and release all resources.
-- `shutdownAsync()` -- Async variant of `shutdown`.
-- `getSetupStatus()` -- Returns `true` if `setup` has been called.
-
-### Encrypt / Decrypt (Static API)
-
-- `encrypt(partitionId, data: Buffer)` -- Returns JSON string (DataRowRecord).
-- `encryptAsync(partitionId, data: Buffer)` -- Async variant.
-- `encryptString(partitionId, data: string)` -- String-in, string-out convenience.
-- `encryptStringAsync(partitionId, data: string)` -- Async variant.
-- `decrypt(partitionId, dataRowRecord: string | Buffer)` -- Returns `Buffer`.
-- `decryptAsync(partitionId, dataRowRecord: string | Buffer)` -- Async variant.
-- `decryptString(partitionId, dataRowRecord: string)` -- Returns `string`.
-- `decryptStringAsync(partitionId, dataRowRecord: string)` -- Async variant.
-
-### Session-Based API
-
-- `new SessionFactory(config)` -- Create a factory with explicit config.
-- `SessionFactory.fromEnv()` -- Create a factory from environment variables.
-- `factory.getSession(partitionId)` -- Get a session for a partition.
-- `factory.close()` -- Close the factory and release resources.
-- `session.encrypt(data: Buffer)` -- Returns JSON string.
-- `session.encryptString(data: string)` -- String convenience.
-- `session.decrypt(dataRowRecord: string)` -- Returns `Buffer`.
-- `session.decryptString(dataRowRecord: string)` -- Returns `string`.
-- `session.close()` -- Close the session.
-
-### Hooks
-
-- `setLogHook(callback)` / `set_log_hook(callback)` -- Receive log events.
-  Pass `null` to disable.
-- `setMetricsHook(callback)` -- Receive metrics events
-  (`{ type, durationNs?, name? }`). Pass `null` to disable.
-
-### Utility
-
-- `setenv(lines: string)` -- Set environment variables from `KEY=VALUE` lines.
-- `setMaxStackAllocItemSize(n)` -- No-op (compatibility stub).
-- `setSafetyPaddingOverhead(n)` -- No-op (compatibility stub).
-
-## Features
-
-- Synchronous and asynchronous encrypt/decrypt APIs
-- Session-based API with factory pattern
-- Compatible with Go, Python, Ruby, Java, and .NET Asherah implementations
-- SQLite, MySQL, PostgreSQL, and DynamoDB metastore support
-- AWS KMS and static key management
-- Log and metrics hooks
-- Automatic key rotation with configurable intervals
+> Full TSDoc lives in `index.d.ts` and surfaces in your IDE on hover. The
+> tables below summarize each API; the type file is the source of truth.
+
+### Static / module-level API (legacy compatibility)
+
+#### Lifecycle
+
+| Function | Description |
+|---|---|
+| `setup(config)` | Initialize the global instance. Throws if already configured. |
+| `setupAsync(config)` | Async variant. Returns `Promise<void>`. |
+| `shutdown()` | Tear down the global instance and clear cached sessions. Idempotent. |
+| `shutdownAsync()` | Async variant. Returns `Promise<void>`. |
+| `getSetupStatus()` | `boolean` — true if `setup()` has been called and `shutdown()` has not. |
+| `setenv(envJson)` | Apply env vars from a JSON string before `setup()`. Mirrors the canonical SDK. |
+
+#### Encrypt / decrypt
+
+| Function | Param 1 | Param 2 | Returns |
+|---|---|---|---|
+| `encrypt(partitionId, data)` | `string` (non-empty) | `Buffer` (empty OK) | `string` (DRR JSON) |
+| `encryptAsync(partitionId, data)` | `string` | `Buffer` | `Promise<string>` |
+| `encryptString(partitionId, data)` | `string` | `string` (empty OK) | `string` (DRR JSON) |
+| `encryptStringAsync(partitionId, data)` | `string` | `string` | `Promise<string>` |
+| `decrypt(partitionId, drr)` | `string` | `string` (DRR JSON) | `Buffer` |
+| `decryptAsync(partitionId, drr)` | `string` | `string` | `Promise<Buffer>` |
+| `decryptString(partitionId, drr)` | `string` | `string` | `string` |
+| `decryptStringAsync(partitionId, drr)` | `string` | `string` | `Promise<string>` |
+
+All accept the snake_case aliases `encrypt_async`, `encrypt_string`,
+`encrypt_string_async`, `decrypt_async`, `decrypt_string`,
+`decrypt_string_async`, `setup_async`, `shutdown_async`, `get_setup_status`.
+
+#### Hooks
+
+| Function | Description |
+|---|---|
+| `setLogHook(cb)` / `set_log_hook(cb)` | Register a structured-event log callback. Pass `null` to deregister. The snake_case alias also accepts the canonical `(level, message)` signature. |
+| `setMetricsHook(cb)` / `set_metrics_hook(cb)` | Register a metrics callback. Pass `null` to deregister. |
+
+### Factory / Session API (recommended)
+
+#### `class SessionFactory`
+
+| Member | Description |
+|---|---|
+| `new SessionFactory(config)` | Construct from inline config. |
+| `static SessionFactory.fromEnv()` | Construct from environment variables. |
+| `factory.getSession(partitionId)` | Get a per-partition session. Throws on null/empty partition. |
+| `factory.close()` | Release native resources. After close, `getSession()` throws. |
+
+#### `class AsherahSession`
+
+| Member | Description |
+|---|---|
+| `session.encrypt(data)` | `Buffer` → DRR JSON `string`. Empty `Buffer` is valid. |
+| `session.encryptString(data)` | `string` → DRR JSON `string`. Empty `string` is valid. |
+| `session.decrypt(drr)` | DRR JSON `string` → `Buffer`. |
+| `session.decryptString(drr)` | DRR JSON `string` → `string`. |
+| `session.close()` | Release native resources. |
+
+### Type aliases
+
+```ts
+type LogLevel = 'trace' | 'debug' | 'info' | 'warn' | 'error';
+
+type LogEvent = {
+  level: LogLevel;
+  message: string;
+  target: string;
+};
+
+type MetricsEvent =
+  | { type: 'encrypt' | 'decrypt' | 'store' | 'load'; durationNs: number }
+  | { type: 'cache_hit' | 'cache_miss' | 'cache_stale'; name: string };
+```
+
+### Compatibility shims
+
+`setMaxStackAllocItemSize(n)` and `setSafetyPaddingOverhead(n)` are accepted
+for parity with the canonical Go-based asherah-node package but have no
+effect in this Rust binding.
 
 ## License
 

package/index.d.ts

@@ -1,40 +1,129 @@
 /// <reference types="node" />
 
+// ============================================================================
+//
+// Asherah for Node.js
+//
+// Application-layer envelope encryption with automatic key rotation and a
+// pluggable KMS / metastore. Drop-in compatible with the canonical
+// `asherah` npm package (PascalCase config + snake_case API aliases) and
+// significantly faster (Rust core via napi-rs).
+//
+// Two API styles are exposed; both are fully supported and produce the
+// same wire format:
+//
+//   1. **Static / module-level API** (legacy): `setup()` once at process
+//      startup, then call free `encrypt()` / `decrypt()` functions on the
+//      module. This mirrors the canonical `godaddy/asherah-node` API and
+//      is the easiest path for existing callers to migrate.
+//
+//   2. **Factory / Session API** (recommended for new code): construct a
+//      `SessionFactory`, hold one or more `AsherahSession` instances, and
+//      call `encrypt()` / `decrypt()` on the session. This avoids the
+//      hidden-singleton lifecycle of the static API and makes session
+//      isolation explicit per partition.
+//
+// See `samples/node/index.mjs` for a runnable end-to-end example covering
+// both styles plus async, log hook, metrics hook, and config variants.
+//
+// ============================================================================
+
+// ─── Configuration types ────────────────────────────────────────────────────
+
+/**
+ * Asherah configuration object using camelCase field names. This is the
+ * native shape; it is passed to `setup()`, `setupAsync()`, and the
+ * `SessionFactory` constructor.
+ *
+ * The PascalCase variant ({@link AsherahConfigCompat}) is also accepted
+ * everywhere this type is — fields are auto-mapped for compatibility with
+ * the canonical Go-based asherah package.
+ */
 export type AsherahConfig = {
+  /** Service name. Forms part of the key hierarchy partition path. Required. */
   serviceName: string;
+
+  /** Product ID. Forms part of the key hierarchy partition path. Required. */
   productId: string;
+
+  /** Intermediate-key expiration in seconds. Default: 90 days. */
   expireAfter?: number | null;
+
+  /** Revoke-check interval in seconds — how often to re-read parent keys
+   *  to pick up revocation. Default: 60 minutes. */
   checkInterval?: number | null;
+
+  /** Metastore backend. `'memory'` is testing-only and will not persist
+   *  across processes. */
   metastore: 'memory' | 'rdbms' | 'dynamodb';
+
+  /** SQL connection string when `metastore` is `'rdbms'`. Format depends
+   *  on `sqlMetastoreDbType`. */
   connectionString?: string | null;
+
+  /** RDBMS replica read consistency: `'eventual'`, `'global'`, or `'session'`. */
   replicaReadConsistency?: string | null;
+
+  /** DynamoDB endpoint URL (typically only set for local DynamoDB). */
   dynamoDbEndpoint?: string | null;
+  /** AWS region for DynamoDB. */
   dynamoDbRegion?: string | null;
+  /** DynamoDB table name. Default: `EncryptionKey`. */
   dynamoDbTableName?: string | null;
-  /** @deprecated Use dynamoDbEndpoint */
+  /** AWS region used for SigV4 signing of DynamoDB requests. */
+  dynamoDbSigningRegion?: string | null;
+
+  /** @deprecated Use `dynamoDbEndpoint` (lowercase `b`). */
   dynamoDBEndpoint?: string | null;
-  /** @deprecated Use dynamoDbRegion */
+  /** @deprecated Use `dynamoDbRegion` (lowercase `b`). */
   dynamoDBRegion?: string | null;
-  /** @deprecated Use dynamoDbTableName */
+  /** @deprecated Use `dynamoDbTableName` (lowercase `b`). */
   dynamoDBTableName?: string | null;
+
+  /** Maximum number of cached sessions. */
   sessionCacheMaxSize?: number | null;
+  /** Session cache TTL in seconds. */
   sessionCacheDuration?: number | null;
+
+  /** KMS backend. `'static'` is testing-only (uses a hard-coded master key). */
   kms?: 'aws' | 'static' | null;
+
+  /** AWS KMS region-to-key-ARN map for multi-region KMS. */
   regionMap?: Record<string, string> | null;
+  /** Preferred AWS region when `regionMap` is set. */
   preferredRegion?: string | null;
+  /** Append the AWS region as a suffix to the key ID. */
   enableRegionSuffix?: boolean | null;
+
+  /** Cache `Session` objects by partition ID. Default: `true`. */
   enableSessionCaching?: boolean | null;
+
+  /** Emit verbose log events at the `info`/`debug` level. Use a log hook
+   *  ({@link setLogHook}) to consume them. */
   verbose?: boolean | null;
-  dynamoDbSigningRegion?: string | null;
+
+  /** SQL driver: `'mysql'` or `'postgres'` (used with `metastore: 'rdbms'`). */
   sqlMetastoreDbType?: string | null;
-  /** @deprecated Use sqlMetastoreDbType */
+  /** @deprecated Use `sqlMetastoreDbType` (lowercase `b`). */
   sqlMetastoreDBType?: string | null;
+
+  /** Compatibility shim for the canonical Go-based asherah-node package.
+   *  Has no effect in this Rust-based binding (which is always zero-copy
+   *  where possible). */
   disableZeroCopy?: boolean | null;
+  /** Compatibility shim — accepted but has no effect (this binding always
+   *  validates inputs). */
   nullDataCheck?: boolean | null;
+  /** Enable in-memory canary buffers around plaintexts. Costs a small
+   *  amount of allocation overhead per operation. */
   enableCanaries?: boolean | null;
 };
 
-/** Canonical godaddy/asherah-node PascalCase config format */
+/**
+ * Asherah configuration in canonical PascalCase format, matching the
+ * canonical `asherah` npm package. Accepted everywhere {@link AsherahConfig}
+ * is — fields are auto-mapped on the way in.
+ */
 export type AsherahConfigCompat = {
   readonly ServiceName: string;
   readonly ProductID: string;
@@ -60,67 +149,305 @@ export type AsherahConfigCompat = {
   readonly EnableCanaries?: boolean | null;
 };
 
-/** Canonical godaddy/asherah-node log hook callback: (level: number, message: string) => void */
-export type LogHookCallback = (level: number, message: string) => void;
+// ─── Static / module-level API (legacy) ─────────────────────────────────────
 
+/**
+ * Initialize the global Asherah instance. Must be called once before any
+ * `encrypt()` / `decrypt()` call on the static API.
+ *
+ * Subsequent calls to `setup()` without an intervening `shutdown()` throw.
+ * For new code, prefer the {@link SessionFactory} API, which avoids the
+ * hidden-singleton lifecycle.
+ *
+ * @example
+ * ```js
+ * const asherah = require('asherah');
+ * asherah.setup({
+ *   serviceName: 'my-svc',
+ *   productId: 'my-prod',
+ *   metastore: 'memory',     // production: 'rdbms' or 'dynamodb'
+ *   kms: 'static',           // production: 'aws'
+ * });
+ * ```
+ *
+ * @throws if Asherah is already configured (call {@link shutdown} first)
+ *         or if the config is invalid.
+ */
 export declare function setup(config: AsherahConfig | AsherahConfigCompat): void;
+
+/**
+ * Async variant of {@link setup}. Resolves once the global instance is
+ * configured and the metastore/KMS are reachable. Safe to call from an
+ * async context — does not block the Node event loop on KMS/SDK setup.
+ */
 export declare function setupAsync(config: AsherahConfig | AsherahConfigCompat): Promise<void>;
+
+/**
+ * Tear down the global Asherah instance. Releases the native factory and
+ * clears any cached sessions. Idempotent — calling on an already-shut-down
+ * instance is a no-op.
+ */
 export declare function shutdown(): void;
+
+/** Async variant of {@link shutdown}. */
 export declare function shutdownAsync(): Promise<void>;
+
+/** Returns `true` when {@link setup} has been called and {@link shutdown}
+ *  has not yet been called. */
 export declare function getSetupStatus(): boolean;
+
+/**
+ * Apply a JSON object of environment variables before {@link setup} is
+ * called. Equivalent to `process.env[k] = v` for each entry, but evaluated
+ * by the native side so configuration via env-var works identically to
+ * the canonical SDK.
+ *
+ * @param env JSON string. Keys must be strings; values may be strings or
+ *            `null` (a `null` value unsets the variable).
+ */
 export declare function setenv(env: string): void;
 
+/**
+ * Encrypt `data` for the given partition. Returns a `DataRowRecord` JSON
+ * string suitable for storing in a database column.
+ *
+ * @param partitionId Tenant / user / record-owner identifier. Must be
+ *                    non-empty — `null`, `undefined`, and `""` are
+ *                    rejected as programming errors.
+ * @param data Plaintext bytes. Empty `Buffer` is **valid** and round-trips
+ *             to an empty `Buffer` on decrypt — do not short-circuit empty
+ *             inputs in caller code (see docs/input-contract.md).
+ * @returns The full `DataRowRecord` JSON envelope (Key, Data,
+ *          ParentKeyMeta).
+ * @throws TypeError if `partitionId` or `data` is null/undefined.
+ * @throws Error from the native layer on encryption failure.
+ *
+ * @example
+ * ```js
+ * const drr = asherah.encrypt('user-42', Buffer.from('secret'));
+ * // store drr in your database
+ * ```
+ */
 export declare function encrypt(partitionId: string, data: Buffer): string;
+
+/** Async variant of {@link encrypt}. The work runs on the Rust tokio
+ *  runtime; the Node event loop is NOT blocked. */
 export declare function encryptAsync(partitionId: string, data: Buffer): Promise<string>;
+
+/**
+ * Decrypt a `DataRowRecord` JSON string produced by {@link encrypt}.
+ *
+ * @param partitionId Must match the partition the value was encrypted
+ *                    under. Non-empty.
+ * @param dataRowRecordJson The DRR JSON envelope as a string.
+ * @returns Plaintext as a `Buffer`. Length 0 if the original plaintext
+ *          was empty — empty round-trips to empty.
+ * @throws TypeError if either argument is null/undefined.
+ * @throws Error if the JSON is malformed, the partition doesn't match,
+ *               the parent key has been revoked, or the AEAD tag fails.
+ */
 export declare function decrypt(partitionId: string, dataRowRecordJson: string): Buffer;
+
+/** Async variant of {@link decrypt}. */
 export declare function decryptAsync(partitionId: string, dataRowRecordJson: string): Promise<Buffer>;
 
+/** UTF-8 string-typed wrapper around {@link encrypt}. Empty `string`
+ *  ("") is valid and round-trips. */
 export declare function encryptString(partitionId: string, data: string): string;
+
+/** Async variant of {@link encryptString}. */
 export declare function encryptStringAsync(partitionId: string, data: string): Promise<string>;
+
+/** UTF-8 string-typed wrapper around {@link decrypt}. */
 export declare function decryptString(partitionId: string, dataRowRecordJson: string): string;
+
+/** Async variant of {@link decryptString}. */
 export declare function decryptStringAsync(partitionId: string, dataRowRecordJson: string): Promise<string>;
 
-export declare function setMaxStackAllocItemSize(n: number): void;
-export declare function setSafetyPaddingOverhead(n: number): void;
+// ─── Factory / Session API (recommended) ────────────────────────────────────
 
+/**
+ * Factory for creating per-partition `AsherahSession` instances. Holding
+ * a long-lived factory is cheaper than calling `setup()`/`shutdown()`
+ * repeatedly and makes session isolation explicit.
+ *
+ * @example
+ * ```js
+ * const factory = new asherah.SessionFactory({
+ *   serviceName: 'my-svc',
+ *   productId: 'my-prod',
+ *   metastore: 'memory',
+ *   kms: 'static',
+ * });
+ * const session = factory.getSession('user-42');
+ * try {
+ *   const ct = session.encryptString('secret');
+ *   const pt = session.decryptString(ct);
+ * } finally {
+ *   session.close();
+ *   factory.close();
+ * }
+ * ```
+ */
 export declare class SessionFactory {
+  /** Construct a factory from an inline config object. */
   constructor(config: AsherahConfig | AsherahConfigCompat);
+
+  /** Construct a factory from environment variables (for parity with the
+   *  canonical Go-based asherah module). */
   static fromEnv(): SessionFactory;
+
+  /**
+   * Get a session for the given partition. Sessions returned for the same
+   * partition share the underlying intermediate key; different partitions
+   * are cryptographically isolated.
+   *
+   * @param partitionId Non-empty tenant / record-owner identifier.
+   * @throws TypeError if `partitionId` is null/undefined.
+   * @throws Error if `partitionId` is the empty string.
+   */
   getSession(partitionId: string): AsherahSession;
+
+  /** Release native resources. After `close()`, `getSession()` will throw. */
   close(): void;
 }
 
+/**
+ * Per-partition encrypt/decrypt session. Created via
+ * {@link SessionFactory.getSession}. Always pair with `close()` to release
+ * native resources promptly.
+ */
 export declare class AsherahSession {
+  /** Encrypt a `Buffer` and return the DRR JSON. Empty `Buffer` is valid. */
   encrypt(data: Buffer): string;
+  /** Encrypt a UTF-8 string and return the DRR JSON. Empty string is valid. */
   encryptString(data: string): string;
+  /** Decrypt a DRR JSON string and return the plaintext as a `Buffer`. */
   decrypt(dataRowRecordJson: string): Buffer;
+  /** Decrypt a DRR JSON string and return the plaintext as a UTF-8 string. */
   decryptString(dataRowRecordJson: string): string;
+  /** Release native resources. */
   close(): void;
 }
 
+// ─── Observability hooks ────────────────────────────────────────────────────
+
+/** Log severity strings carried in {@link LogEvent.level}. */
+export type LogLevel = 'trace' | 'debug' | 'info' | 'warn' | 'error';
+
+/**
+ * Structured log event delivered to a log hook. Includes the source
+ * `target` (typically the Rust module path that emitted the log) and the
+ * formatted `message`.
+ */
 export type LogEvent = {
-  level: 'trace' | 'debug' | 'info' | 'warn' | 'error';
+  /** Severity. Mirrors the Rust `log::Level`. */
+  level: LogLevel;
+  /** Formatted log message. */
   message: string;
+  /** Source module / target string. Useful for filtering. */
   target: string;
 };
 
+/** Numeric-level callback for compatibility with the canonical
+ *  `godaddy/asherah-node` log hook signature. New code should prefer the
+ *  structured {@link LogEvent} variant. */
+export type LogHookCallback = (level: number, message: string) => void;
+
+/**
+ * Metrics event delivered to a metrics hook. Timing events
+ * (`encrypt`/`decrypt`/`store`/`load`) carry `durationNs`; cache events
+ * (`cache_hit`/`cache_miss`/`cache_stale`) carry the cache `name`.
+ */
 export type MetricsEvent =
   | { type: 'encrypt' | 'decrypt' | 'store' | 'load'; durationNs: number }
-  | { type: 'cache_hit' | 'cache_miss'; name: string };
+  | { type: 'cache_hit' | 'cache_miss' | 'cache_stale'; name: string };
+
+/**
+ * Install a callback that fires for every log event emitted by the Rust
+ * core (encrypt/decrypt path, metastore drivers, KMS clients, etc.).
+ *
+ * Pass `null` to deregister.
+ *
+ * Callbacks may fire from any thread (Rust tokio worker threads, DB
+ * driver threads). The N-API ThreadsafeFunction layer marshals each
+ * event back to the Node event loop, so the callback runs on the main
+ * thread — synchronous code in the callback is safe.
+ *
+ * @example
+ * ```js
+ * asherah.setLogHook((event) => {
+ *   if (event.level === 'warn' || event.level === 'error') {
+ *     console.error(`[asherah ${event.level}] ${event.message}`);
+ *   }
+ * });
+ * ```
+ */
+export declare function setLogHook(
+  hook: ((event: LogEvent) => void) | LogHookCallback | null,
+): void;
+
+/**
+ * Install a callback that fires for every metrics event (encrypt/decrypt
+ * timings, store/load timings, cache hit/miss/stale counters).
+ *
+ * Pass `null` to deregister. Same threading semantics as
+ * {@link setLogHook}.
+ *
+ * @example
+ * ```js
+ * asherah.setMetricsHook((event) => {
+ *   if (event.type === 'encrypt') {
+ *     histogram.observe(event.durationNs / 1e6); // ms
+ *   } else if (event.type === 'cache_miss') {
+ *     counter.inc({ cache: event.name });
+ *   }
+ * });
+ * ```
+ */
+export declare function setMetricsHook(
+  hook: ((event: MetricsEvent) => void) | null,
+): void;
+
+// ─── Performance tuning ─────────────────────────────────────────────────────
+
+/** Compatibility shim — accepted but has no effect in the Rust binding
+ *  (which manages its own buffer allocation strategy). Provided for API
+ *  parity with the canonical Go-based asherah-node package. */
+export declare function setMaxStackAllocItemSize(n: number): void;
+
+/** Compatibility shim — accepted but has no effect. */
+export declare function setSafetyPaddingOverhead(n: number): void;
 
-export declare function setLogHook(hook: ((event: LogEvent) => void) | LogHookCallback | null): void;
-export declare function setMetricsHook(hook: ((event: MetricsEvent) => void) | null): void;
+// ─── snake_case aliases (canonical asherah-node compatibility) ──────────────
 
-// Canonical godaddy/asherah-node snake_case aliases
+/** Alias for {@link setupAsync}. */
 export declare function setup_async(config: AsherahConfig | AsherahConfigCompat): Promise<void>;
+/** Alias for {@link shutdownAsync}. */
 export declare function shutdown_async(): Promise<void>;
+/** Alias for {@link encryptAsync}. */
 export declare function encrypt_async(partitionId: string, data: Buffer): Promise<string>;
+/** Alias for {@link encryptString}. */
 export declare function encrypt_string(partitionId: string, data: string): string;
+/** Alias for {@link encryptStringAsync}. */
 export declare function encrypt_string_async(partitionId: string, data: string): Promise<string>;
+/** Alias for {@link decryptAsync}. */
 export declare function decrypt_async(partitionId: string, dataRowRecordJson: string): Promise<Buffer>;
+/** Alias for {@link decryptString}. */
 export declare function decrypt_string(partitionId: string, dataRowRecordJson: string): string;
+/** Alias for {@link decryptStringAsync}. */
 export declare function decrypt_string_async(partitionId: string, dataRowRecordJson: string): Promise<string>;
+/** Alias for {@link setMaxStackAllocItemSize}. */
 export declare function set_max_stack_alloc_item_size(n: number): void;
+/** Alias for {@link setSafetyPaddingOverhead}. */
 export declare function set_safety_padding_overhead(n: number): void;
-export declare function set_log_hook(hook: ((event: LogEvent) => void) | LogHookCallback | null): void;
+/** Alias for {@link setLogHook}. */
+export declare function set_log_hook(
+  hook: ((event: LogEvent) => void) | LogHookCallback | null,
+): void;
+/** Alias for {@link setMetricsHook}. */
+export declare function set_metrics_hook(
+  hook: ((event: MetricsEvent) => void) | null,
+): void;
+/** Alias for {@link getSetupStatus}. */
 export declare function get_setup_status(): boolean;

package/npm/index.js

@@ -284,4 +284,5 @@ module.exports.decrypt_string_async = native.decryptStringAsync;
 module.exports.set_max_stack_alloc_item_size = native.setMaxStackAllocItemSize;
 module.exports.set_safety_padding_overhead = native.setSafetyPaddingOverhead;
 module.exports.set_log_hook = set_log_hook;
+module.exports.set_metrics_hook = native.setMetricsHook;
 module.exports.get_setup_status = native.getSetupStatus;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "asherah",
-  "version": "4.0.34",
+  "version": "4.0.35",
   "private": false,
   "description": "Asherah application-layer encryption for Node.js with automatic key rotation, powered by the native Rust implementation.",
   "author": "Jay Gowdy",
@@ -70,13 +70,13 @@
     "node": ">= 18"
   },
   "optionalDependencies": {
-    "asherah-darwin-arm64": "4.0.34",
-    "asherah-darwin-x64": "4.0.34",
-    "asherah-linux-x64-gnu": "4.0.34",
-    "asherah-linux-arm64-gnu": "4.0.34",
-    "asherah-linux-x64-musl": "4.0.34",
-    "asherah-linux-arm64-musl": "4.0.34",
-    "asherah-windows-x64": "4.0.34",
-    "asherah-windows-arm64": "4.0.34"
+    "asherah-darwin-arm64": "4.0.35",
+    "asherah-darwin-x64": "4.0.35",
+    "asherah-linux-x64-gnu": "4.0.35",
+    "asherah-linux-arm64-gnu": "4.0.35",
+    "asherah-linux-x64-musl": "4.0.35",
+    "asherah-linux-arm64-musl": "4.0.35",
+    "asherah-windows-x64": "4.0.35",
+    "asherah-windows-arm64": "4.0.35"
   }
 }