pomegranate-db 0.1.1 → 1.1.0

package/README.md

@@ -12,6 +12,10 @@
   Build powerful React and React Native apps that scale from hundreds to tens of thousands of records and remain <em>fast</em> ⚡️
 </p>
 
+<p align="center">
+  <a href="https://snack.expo.dev/@bobbyquantum/pomegranate-snack">Try the live Expo Snack demo</a>
+</p>
+
 ---
 
 ### ⚡️ Instant Launch
@@ -110,12 +114,58 @@ function PostList() {
 }
 ```
 
+## Installation
+
+```sh
+npm install pomegranate-db
+```
+
+Install adapter-specific peers only when you use those entry points:
+
+- `pomegranate-db` -> `react`
+- `pomegranate-db/expo` -> `react`, `expo-sqlite`
+- `pomegranate-db/encryption` -> no extra peers, uses Web Crypto
+- `pomegranate-db/encryption/node` -> Node.js only
+- `pomegranate-db/encryption/react-native` -> React Native / Expo Web Crypto runtime
+- `pomegranate-db/op-sqlite` -> `@op-engineering/op-sqlite`
+- `pomegranate-db/native-sqlite` -> React Native app with the bundled native module
+
+## Entry Points
+
+PomegranateDB ships a small set of explicit subpath exports for common setups:
+
+```ts
+import { Database, LokiAdapter } from 'pomegranate-db'
+import { createExpoSQLiteDriver } from 'pomegranate-db/expo'
+import { EncryptingAdapter } from 'pomegranate-db/encryption'
+import { nodeCryptoProvider } from 'pomegranate-db/encryption/node'
+import { createOpSQLiteDriver } from 'pomegranate-db/op-sqlite'
+import { createNativeSQLiteDriver } from 'pomegranate-db/native-sqlite'
+```
+
+The root package intentionally excludes encryption exports so Expo Snack can install
+`pomegranate-db` without resolving Node's `crypto` module. Import encryption through
+the explicit `./encryption`, `./encryption/node`, or `./encryption/react-native`
+subpaths instead.
+
+## Migrations
+
+Manual migrations are supported across Loki and SQLite adapters with these step types:
+
+- `createTable`
+- `addColumn`
+- `destroyTable`
+- `sql`
+
+Use `sql` for targeted backfills such as setting a new column value on existing rows.
+Schema diff generation is not automated yet, so migration steps are still authored manually.
+
 ## Next Steps
 
-- [Installation](https://bobbyquantum.github.io/pomegranate/docs/installation) — add PomegranateDB to your project
-- [Schema & Models](https://bobbyquantum.github.io/pomegranate/docs/schema) — define your data model
-- [CRUD Operations](https://bobbyquantum.github.io/pomegranate/docs/crud) — create, read, update, delete
-- [React Hooks](https://bobbyquantum.github.io/pomegranate/docs/react-hooks) — reactive UI integration
+- [Installation](https://bobbyquantum.github.io/pomegranate/installation) — add PomegranateDB to your project
+- [Schema & Models](https://bobbyquantum.github.io/pomegranate/schema) — define your data model
+- [CRUD Operations](https://bobbyquantum.github.io/pomegranate/crud) — create, read, update, delete
+- [React Hooks](https://bobbyquantum.github.io/pomegranate/react-hooks) — reactive UI integration
 
 ## License
 

package/dist/adapters/loki/worker/LokiExecutor.d.ts

@@ -56,6 +56,10 @@ export declare class LokiExecutor {
     initialize(schema: DatabaseSchema): Promise<void>;
     private _createLokiDb;
     private _getCollection;
+    private _getMetadataCollection;
+    private _setSchemaVersion;
+    private _addColumn;
+    private _executeSqlMigration;
     /**
      * Persist to storage adapter.
      * No-op when: no persistence configured, or saveStrategy is 'auto' (timer handles it).

package/dist/adapters/loki/worker/LokiExecutor.js

@@ -123,6 +123,41 @@ class LokiExecutor {
             throw new Error(`Collection "${table}" not found`);
         return col;
     }
+    _getMetadataCollection() {
+        return this._getCollection('__pomegranate_metadata');
+    }
+    _setSchemaVersion(version) {
+        const metaCollection = this._getMetadataCollection();
+        const existing = metaCollection.findOne({ key: 'schema_version' });
+        if (existing) {
+            existing.value = String(version);
+            metaCollection.update(existing);
+        }
+        else {
+            metaCollection.insert({ key: 'schema_version', value: String(version) });
+        }
+        this._schemaVersion = version;
+    }
+    _addColumn(table, column, columnType, isOptional = false) {
+        const col = this._getCollection(table);
+        const defaultValue = getDefaultValueForMigrationColumn(columnType, isOptional);
+        for (const doc of col.find()) {
+            if (!(column in doc)) {
+                doc[column] = defaultValue;
+                col.update(doc);
+            }
+        }
+    }
+    _executeSqlMigration(query) {
+        const statement = parseLokiMigrationSql(query);
+        const col = this._getCollection(statement.table);
+        for (const doc of col.find()) {
+            if (matchesLokiMigrationWhere(doc, statement.where)) {
+                doc[statement.column] = statement.value;
+                col.update(doc);
+            }
+        }
+    }
     /**
      * Persist to storage adapter.
      * No-op when: no persistence configured, or saveStrategy is 'auto' (timer handles it).
@@ -335,20 +370,35 @@ class LokiExecutor {
     }
     // ─── Migration ──────────────────────────────────────────────────────
     async migrate(migrations) {
-        for (const migration of migrations) {
+        const applicable = migrations
+            .filter((migration) => migration.fromVersion >= this._schemaVersion)
+            .toSorted((a, b) => a.fromVersion - b.fromVersion);
+        for (const migration of applicable) {
             for (const step of migration.steps) {
                 switch (step.type) {
                     case 'createTable':
                         if (!this._db.getCollection(step.schema.name)) {
-                            this._db.addCollection(step.schema.name, { unique: ['id'] });
+                            const indices = step.schema.columns.filter((c) => c.isIndexed).map((c) => c.name);
+                            this._db.addCollection(step.schema.name, {
+                                unique: ['id'],
+                                indices: ['_status', ...indices],
+                            });
                         }
                         break;
+                    case 'addColumn':
+                        this._addColumn(step.table, step.column, step.columnType, step.isOptional);
+                        break;
                     case 'destroyTable':
                         this._db.removeCollection(step.table);
                         break;
+                    case 'sql':
+                        this._executeSqlMigration(step.query);
+                        break;
                 }
             }
+            this._setSchemaVersion(migration.toVersion);
         }
+        await this._save();
     }
     // ─── Reset ──────────────────────────────────────────────────────────
     async reset() {
@@ -451,6 +501,96 @@ function operatorToLoki(op, value) {
             throw new Error(`Unknown operator: ${op}`);
     }
 }
+function getDefaultValueForMigrationColumn(columnType, isOptional) {
+    if (isOptional) {
+        return null;
+    }
+    switch (columnType.trim().toLowerCase()) {
+        case 'bool':
+        case 'boolean':
+            return 0;
+        case 'date':
+        case 'datetime':
+        case 'float':
+        case 'int':
+        case 'integer':
+        case 'number':
+        case 'numeric':
+        case 'real':
+            return 0;
+        case 'string':
+            return '';
+    }
+    return '';
+}
+function parseLokiMigrationSql(query) {
+    const match = query.match(/^\s*UPDATE\s+"([^"]+)"\s+SET\s+"([^"]+)"\s*=\s*(.+?)(?:\s+WHERE\s+(.+?))?\s*;?\s*$/i);
+    if (!match) {
+        throw new Error(`Unsupported Loki migration SQL: ${query}`);
+    }
+    const [, table, column, rawValue, rawWhere] = match;
+    return {
+        table,
+        column,
+        value: parseSqlLiteral(rawValue),
+        where: rawWhere ? parseSqlWhere(rawWhere) : undefined,
+    };
+}
+function parseSqlWhere(whereClause) {
+    const isNotNull = whereClause.match(/^"([^"]+)"\s+IS\s+NOT\s+NULL$/i);
+    if (isNotNull) {
+        return { type: 'isNotNull', column: isNotNull[1] };
+    }
+    const isNull = whereClause.match(/^"([^"]+)"\s+IS\s+NULL$/i);
+    if (isNull) {
+        return { type: 'isNull', column: isNull[1] };
+    }
+    const eq = whereClause.match(/^"([^"]+)"\s*=\s*(.+)$/i);
+    if (eq) {
+        return { type: 'eq', column: eq[1], value: parseSqlLiteral(eq[2]) };
+    }
+    const neq = whereClause.match(/^"([^"]+)"\s*(?:!=|<>)\s*(.+)$/i);
+    if (neq) {
+        return { type: 'neq', column: neq[1], value: parseSqlLiteral(neq[2]) };
+    }
+    throw new Error(`Unsupported Loki migration WHERE clause: ${whereClause}`);
+}
+function parseSqlLiteral(value) {
+    const trimmed = value.trim();
+    if (/^null$/i.test(trimmed)) {
+        return null;
+    }
+    if (/^true$/i.test(trimmed)) {
+        return true;
+    }
+    if (/^false$/i.test(trimmed)) {
+        return false;
+    }
+    if (/^-?\d+(?:\.\d+)?$/.test(trimmed)) {
+        return Number(trimmed);
+    }
+    const stringMatch = trimmed.match(/^'(.*)'$/s);
+    if (stringMatch) {
+        return stringMatch[1].replaceAll("''", "'");
+    }
+    throw new Error(`Unsupported Loki migration SQL literal: ${value}`);
+}
+function matchesLokiMigrationWhere(doc, where) {
+    if (!where) {
+        return true;
+    }
+    const value = doc[where.column];
+    switch (where.type) {
+        case 'isNull':
+            return value == null;
+        case 'isNotNull':
+            return value != null;
+        case 'eq':
+            return value === where.value;
+        case 'neq':
+            return value !== where.value;
+    }
+}
 // ─── Strip LokiJS internal metadata ($loki, meta) ────────────────────────
 function stripLokiMeta(docs) {
     return docs.map(stripLokiMetaSingle);

package/dist/database/Database.d.ts

@@ -16,7 +16,8 @@
  */
 import type { StorageAdapter } from '../adapters/types';
 import type { EncryptionConfig } from '../adapters/types';
-import type { ModelSchema, RawRecord } from '../schema/types';
+import type { ModelSchema } from '../schema/types';
+import type { SyncConfig, SyncLog, SyncState } from '../sync/types';
 import { Collection } from '../collection/Collection';
 import type { Model } from '../model/Model';
 import type { ModelStatic, ModelDatabaseRef } from '../model/Model';
@@ -38,6 +39,9 @@ export type DatabaseEvent = {
     type: 'sync_started';
 } | {
     type: 'sync_completed';
+} | {
+    type: 'sync_failed';
+    error: string;
 } | {
     type: 'reset';
 };
@@ -51,6 +55,8 @@ export declare class Database implements ModelDatabaseRef {
     private _writeQueue;
     private _isProcessingQueue;
     private _events$;
+    private _syncState$;
+    private _syncLog$;
     private _schemaVersion;
     constructor(config: DatabaseConfig);
     /**
@@ -90,35 +96,28 @@ export declare class Database implements ModelDatabaseRef {
     batch(operations: BatchOperation[]): Promise<void>;
     /** @internal used by Model */
     _batch(operations: BatchOperation[]): Promise<void>;
+    /** @internal Find a record by table+id for relation resolution */
+    _findById(table: string, id: string): Promise<Model | null>;
+    /** @internal Observe a record by table+id for relation resolution */
+    _observeById(table: string, id: string): Observable<Model | null>;
+    /** @internal Fetch related records for has-many relation */
+    _fetchRelated(table: string, foreignKey: string, id: string): Promise<Model[]>;
+    /** @internal Observe related records for has-many relation */
+    _observeRelated(table: string, foreignKey: string, id: string): Observable<Model[]>;
     /**
      * Run a sync cycle.
      * See sync/index.ts for the full implementation.
      */
-    sync(opts: {
-        pullChanges: (params: {
-            lastPulledAt: number | null;
-        }) => Promise<{
-            changes: Record<string, {
-                created: RawRecord[];
-                updated: RawRecord[];
-                deleted: string[];
-            }>;
-            timestamp: number;
-        }>;
-        pushChanges: (params: {
-            changes: Record<string, {
-                created: RawRecord[];
-                updated: RawRecord[];
-                deleted: string[];
-            }>;
-            lastPulledAt: number;
-        }) => Promise<void>;
-    }): Promise<void>;
+    sync(opts: SyncConfig): Promise<void>;
     /**
      * Completely reset the database — drops all data.
      */
     reset(): Promise<void>;
     get events$(): Observable<DatabaseEvent>;
+    get syncState$(): Observable<SyncState>;
+    get syncLog$(): Observable<SyncLog | null>;
+    observeSyncState(): Observable<SyncState>;
+    observeSyncLog(): Observable<SyncLog | null>;
     close(): Promise<void>;
     private _ensureInitialized;
     /**

package/dist/database/Database.js

@@ -63,6 +63,8 @@ class Database {
     _writeQueue = [];
     _isProcessingQueue = false;
     _events$ = new Subject_1.Subject();
+    _syncState$ = new Subject_1.BehaviorSubject('idle');
+    _syncLog$ = new Subject_1.BehaviorSubject(null);
     _schemaVersion;
     constructor(config) {
         this.config = config;
@@ -219,6 +221,45 @@ class Database {
     async _batch(operations) {
         await this._adapter.batch(operations);
     }
+    // ─── Relation Resolution (RelationDatabaseRef) ─────────────────────
+    /** @internal Find a record by table+id for relation resolution */
+    async _findById(table, id) {
+        const collection = this._collections.get(table);
+        if (!collection) {
+            throw new Error(`No collection registered for table "${table}"`);
+        }
+        return collection.findById(id);
+    }
+    /** @internal Observe a record by table+id for relation resolution */
+    _observeById(table, id) {
+        const collection = this._collections.get(table);
+        if (!collection) {
+            throw new Error(`No collection registered for table "${table}"`);
+        }
+        return collection.observeById(id);
+    }
+    /** @internal Fetch related records for has-many relation */
+    async _fetchRelated(table, foreignKey, id) {
+        const collection = this._collections.get(table);
+        if (!collection) {
+            throw new Error(`No collection registered for table "${table}"`);
+        }
+        const qb = collection.query((q) => {
+            q.where(foreignKey, 'eq', id);
+        });
+        return collection.fetch(qb);
+    }
+    /** @internal Observe related records for has-many relation */
+    _observeRelated(table, foreignKey, id) {
+        const collection = this._collections.get(table);
+        if (!collection) {
+            throw new Error(`No collection registered for table "${table}"`);
+        }
+        const qb = collection.query((q) => {
+            q.where(foreignKey, 'eq', id);
+        });
+        return collection.observeQuery(qb);
+    }
     // ─── Sync ──────────────────────────────────────────────────────────
     /**
      * Run a sync cycle.
@@ -226,9 +267,25 @@ class Database {
      */
     async sync(opts) {
         this._ensureInitialized();
+        this._events$.next({ type: 'sync_started' });
         // Import sync dynamically to keep the module boundary clean
         const { performSync } = await Promise.resolve().then(() => __importStar(require('../sync')));
-        await performSync(this, opts);
+        try {
+            await performSync(this, opts, {
+                onStateChange: (state) => {
+                    this._syncState$.next(state);
+                },
+                onLogChange: (log) => {
+                    this._syncLog$.next(log);
+                },
+            });
+            this._events$.next({ type: 'sync_completed' });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            this._events$.next({ type: 'sync_failed', error: message });
+            throw error;
+        }
     }
     // ─── Reset ──────────────────────────────────────────────────────────
     /**
@@ -245,6 +302,18 @@ class Database {
     get events$() {
         return this._events$;
     }
+    get syncState$() {
+        return this._syncState$;
+    }
+    get syncLog$() {
+        return this._syncLog$;
+    }
+    observeSyncState() {
+        return this._syncState$;
+    }
+    observeSyncLog() {
+        return this._syncLog$;
+    }
     // ─── Close ──────────────────────────────────────────────────────────
     async close() {
         await this._adapter.close();

package/dist/encryption/index.d.ts

@@ -1,20 +1,32 @@
 /**
  * Encryption layer — transparent encrypt/decrypt for storage adapters.
  *
- * Wraps a StorageAdapter, encrypting record values before writes
- * and decrypting after reads. Uses AES-GCM (Web Crypto API or Node crypto).
- *
- * The encryption is transparent to the model/collection layer.
- * Only user-data columns are encrypted; id, _status, _changed are stored in plaintext
- * so the adapter can still query by them.
+ * This shared entry only depends on Web Crypto primitives so it stays safe for
+ * Expo Snack and React Native bundles. Node-specific crypto support lives in
+ * `pomegranate-db/encryption/node`.
  */
 import type { StorageAdapter, Migration } from '../adapters/types';
 import type { QueryDescriptor, SearchDescriptor, BatchOperation } from '../query/types';
 import type { DatabaseSchema, RawRecord } from '../schema/types';
+export interface EncryptionProvider {
+    readonly name: string;
+    readonly supportsAuthTag: boolean;
+    randomBytes(length: number): Promise<Uint8Array> | Uint8Array;
+    encrypt(key: Uint8Array, iv: Uint8Array, plaintext: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        tag?: Uint8Array;
+    }> | {
+        ciphertext: Uint8Array;
+        tag?: Uint8Array;
+    };
+    decrypt(key: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, tag?: Uint8Array): Promise<Uint8Array> | Uint8Array;
+}
+export declare const webCryptoProvider: EncryptionProvider;
 export declare class EncryptionManager {
     private _key;
     private _keyProvider;
-    constructor(keyProvider: () => Promise<Uint8Array>);
+    private _provider;
+    constructor(keyProvider: () => Promise<Uint8Array>, provider?: EncryptionProvider);
     getKey(): Promise<Uint8Array>;
     /** Encrypt a string value */
     encrypt(plaintext: string): Promise<string>;
@@ -28,7 +40,7 @@ export declare class EncryptionManager {
 export declare class EncryptingAdapter implements StorageAdapter {
     private _inner;
     private _encryption;
-    constructor(inner: StorageAdapter, keyProvider: () => Promise<Uint8Array>);
+    constructor(inner: StorageAdapter, keyProvider: () => Promise<Uint8Array>, provider?: EncryptionProvider);
     initialize(schema: DatabaseSchema): Promise<void>;
     find(query: QueryDescriptor): Promise<RawRecord[]>;
     count(query: QueryDescriptor): Promise<number>;

package/dist/encryption/index.js

@@ -2,24 +2,59 @@
 /**
  * Encryption layer — transparent encrypt/decrypt for storage adapters.
  *
- * Wraps a StorageAdapter, encrypting record values before writes
- * and decrypting after reads. Uses AES-GCM (Web Crypto API or Node crypto).
- *
- * The encryption is transparent to the model/collection layer.
- * Only user-data columns are encrypted; id, _status, _changed are stored in plaintext
- * so the adapter can still query by them.
+ * This shared entry only depends on Web Crypto primitives so it stays safe for
+ * Expo Snack and React Native bundles. Node-specific crypto support lives in
+ * `pomegranate-db/encryption/node`.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.EncryptingAdapter = exports.EncryptionManager = void 0;
-const nodeCrypto_1 = require("./nodeCrypto");
+exports.EncryptingAdapter = exports.EncryptionManager = exports.webCryptoProvider = void 0;
+function getWebCrypto() {
+    if (globalThis.crypto === undefined || globalThis.crypto.subtle === undefined) {
+        throw new Error('Web Crypto API is not available in this runtime. '
+            + 'Import pomegranate-db/encryption/node in Node.js environments '
+            + 'without globalThis.crypto.subtle.');
+    }
+    return globalThis.crypto;
+}
+exports.webCryptoProvider = {
+    name: 'web-crypto',
+    supportsAuthTag: false,
+    randomBytes(length) {
+        if (globalThis.crypto?.getRandomValues) {
+            const buf = new Uint8Array(length);
+            globalThis.crypto.getRandomValues(buf);
+            return buf;
+        }
+        // Last resort for non-cryptographic test environments.
+        const buf = new Uint8Array(length);
+        for (let i = 0; i < length; i++) {
+            buf[i] = Math.floor(Math.random() * 256);
+        }
+        return buf;
+    },
+    async encrypt(key, iv, plaintext) {
+        const crypto = getWebCrypto();
+        const cryptoKey = await crypto.subtle.importKey('raw', key.buffer, { name: 'AES-GCM' }, false, ['encrypt']);
+        const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: iv.buffer }, cryptoKey, plaintext.buffer);
+        return { ciphertext: new Uint8Array(encrypted) };
+    },
+    async decrypt(key, iv, ciphertext) {
+        const crypto = getWebCrypto();
+        const cryptoKey = await crypto.subtle.importKey('raw', key.buffer, { name: 'AES-GCM' }, false, ['decrypt']);
+        const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: iv.buffer }, cryptoKey, ciphertext.buffer);
+        return new Uint8Array(decrypted);
+    },
+};
 // ─── Columns that are never encrypted ──────────────────────────────────
 const PLAINTEXT_COLUMNS = new Set(['id', '_status', '_changed']);
 // ─── Encryption Manager ───────────────────────────────────────────────
 class EncryptionManager {
     _key = null;
     _keyProvider;
-    constructor(keyProvider) {
+    _provider;
+    constructor(keyProvider, provider = exports.webCryptoProvider) {
         this._keyProvider = keyProvider;
+        this._provider = provider;
     }
     async getKey() {
         if (!this._key) {
@@ -30,57 +65,34 @@ class EncryptionManager {
     /** Encrypt a string value */
     async encrypt(plaintext) {
         const key = await this.getKey();
-        const iv = await randomBytes(12);
+        const iv = await this._provider.randomBytes(12);
         const encoder = new TextEncoder();
         const data = encoder.encode(plaintext);
-        if (globalThis.crypto !== undefined && globalThis.crypto.subtle) {
-            // Web Crypto API
-            const cryptoKey = await globalThis.crypto.subtle.importKey('raw', key.buffer, { name: 'AES-GCM' }, false, ['encrypt']);
-            const encrypted = await globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv: iv.buffer }, cryptoKey, data.buffer);
-            return encodeBase64(iv) + ':' + encodeBase64(new Uint8Array(encrypted));
-        }
-        // Fallback: Node.js crypto
-        if (nodeCrypto_1.isNodeCryptoAvailable) {
-            try {
-                const cipher = (0, nodeCrypto_1.createCipheriv)('aes-256-gcm', key, iv);
-                const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
-                const tag = cipher.getAuthTag();
-                return encodeBase64(iv) + ':' + encodeBase64(encrypted) + ':' + encodeBase64(tag);
-            }
-            catch {
-                throw new Error('No crypto implementation available for encryption');
+        try {
+            const { ciphertext, tag } = await this._provider.encrypt(key, iv, data);
+            if (this._provider.supportsAuthTag && tag) {
+                return encodeBase64(iv) + ':' + encodeBase64(ciphertext) + ':' + encodeBase64(tag);
             }
+            return encodeBase64(iv) + ':' + encodeBase64(ciphertext);
+        }
+        catch {
+            throw new Error('No crypto implementation available for encryption');
         }
-        throw new Error('No crypto implementation available for encryption');
     }
     /** Decrypt a string value */
     async decrypt(ciphertext) {
         const key = await this.getKey();
         const parts = ciphertext.split(':');
-        if (globalThis.crypto !== undefined && globalThis.crypto.subtle) {
-            // Web Crypto API
+        try {
             const iv = decodeBase64(parts[0]);
             const data = decodeBase64(parts[1]);
-            const cryptoKey = await globalThis.crypto.subtle.importKey('raw', key.buffer, { name: 'AES-GCM' }, false, ['decrypt']);
-            const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv: iv.buffer }, cryptoKey, data.buffer);
+            const tag = parts[2] ? decodeBase64(parts[2]) : undefined;
+            const decrypted = await this._provider.decrypt(key, iv, data, tag);
             return new TextDecoder().decode(decrypted);
         }
-        // Fallback: Node.js crypto
-        if (nodeCrypto_1.isNodeCryptoAvailable) {
-            try {
-                const iv = decodeBase64(parts[0]);
-                const data = decodeBase64(parts[1]);
-                const tag = decodeBase64(parts[2]);
-                const decipher = (0, nodeCrypto_1.createDecipheriv)('aes-256-gcm', key, iv);
-                decipher.setAuthTag(tag);
-                const decrypted = Buffer.concat([decipher.update(data), decipher.final()]);
-                return new TextDecoder().decode(decrypted);
-            }
-            catch (error) {
-                throw new Error(`Decryption failed: ${error}`, { cause: error });
-            }
+        catch (error) {
+            throw new Error(`Decryption failed: ${error}`, { cause: error });
         }
-        throw new Error('No crypto implementation available for decryption');
     }
 }
 exports.EncryptionManager = EncryptionManager;
@@ -92,9 +104,9 @@ exports.EncryptionManager = EncryptionManager;
 class EncryptingAdapter {
     _inner;
     _encryption;
-    constructor(inner, keyProvider) {
+    constructor(inner, keyProvider, provider = exports.webCryptoProvider) {
         this._inner = inner;
-        this._encryption = new EncryptionManager(keyProvider);
+        this._encryption = new EncryptionManager(keyProvider, provider);
     }
     async initialize(schema) {
         await this._inner.initialize(schema);
@@ -230,26 +242,6 @@ class EncryptingAdapter {
     }
 }
 exports.EncryptingAdapter = EncryptingAdapter;
-// ─── Utility functions ──────────────────────────────────────────────────
-async function randomBytes(length) {
-    if (globalThis.crypto !== undefined && globalThis.crypto.getRandomValues) {
-        const buf = new Uint8Array(length);
-        globalThis.crypto.getRandomValues(buf);
-        return buf;
-    }
-    if (nodeCrypto_1.isNodeCryptoAvailable) {
-        try {
-            return (0, nodeCrypto_1.randomBytesNode)(length);
-        }
-        catch { /* fall through to Math.random */ }
-    }
-    // Last resort: Math.random (NOT cryptographically secure)
-    const buf = new Uint8Array(length);
-    for (let i = 0; i < length; i++) {
-        buf[i] = Math.floor(Math.random() * 256);
-    }
-    return buf;
-}
 function encodeBase64(data) {
     if (typeof Buffer !== 'undefined') {
         return Buffer.from(data).toString('base64');

package/dist/encryption/node.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Node.js-specific crypto provider for environments that do not expose
+ * `globalThis.crypto.subtle`.
+ */
+import type { EncryptionProvider } from './index';
+export declare const nodeCryptoProvider: EncryptionProvider;
+export { EncryptingAdapter, EncryptionManager } from './index';
+export type { EncryptionProvider } from './index';