npm - zenstack-encryption - Versions diffs - 0.1.0 - Mend

zenstack-encryption 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,162 @@
+# zenstack-encryption
+A [ZenStack](https://zenstack.dev) v3 community plugin that provides transparent field-level encryption and decryption using the `@encrypted` attribute.
+## Features
+- **AES-256-GCM** encryption via the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) (no native dependencies)
+- **Transparent** encrypt-on-write, decrypt-on-read through ZenStack's `onQuery` plugin hook
+- **Key rotation** — add previous keys to a fallback list so existing data can still be decrypted while new writes use the latest key
+- **Custom encryption** — bring your own encrypt/decrypt functions for KMS integration, envelope encryption, etc.
+- **Nested writes** — handles `create`, `createMany`, `update`, `updateMany`, `upsert`, and `connectOrCreate` across relations
+## How It Works
+The plugin hooks into the ZenStack ORM's query lifecycle via `onQuery`. When a write operation (`create`, `update`, etc.) is performed, the plugin inspects the schema for fields marked `@encrypted` and encrypts their values before they reach the database. When data is read back, encrypted fields are automatically decrypted before being returned to the caller.
+```
+Write path:  app → plugin encrypts @encrypted fields → database
+Read path:   database → plugin decrypts @encrypted fields → app
+```
+Encrypted values are stored as a base64 string with the format `{metadata}.{ciphertext}`, where metadata includes the encryption version, algorithm, and a key digest (used for key rotation lookups). Each encryption uses a random 12-byte IV, so the same plaintext produces different ciphertext every time.
+> **Note:** Because the plugin operates at the ORM level, direct Kysely query builder calls (`client.$qb`) bypass encryption entirely.
+## Installation
+```bash
+# npm
+npm install zenstack-encryption
+# pnpm
+pnpm add zenstack-encryption
+```
+## Setup
+### 1. Register the plugin in your ZModel schema
+Add a `plugin` block to your `.zmodel` file. This makes the `@encrypted` attribute available in your schema:
+```zmodel
+plugin encryption {
+    provider = 'zenstack-encryption'
+}
+```
+### 2. Mark fields with `@encrypted`
+Apply `@encrypted` to any `String` field you want to encrypt at rest:
+```zmodel
+model User {
+    id          String @id @default(cuid())
+    email       String @unique
+    name        String?
+    secretToken String @encrypted
+    posts       Post[]
+}
+model Post {
+    id        String @id @default(cuid())
+    title     String
+    content   String? @encrypted
+    author    User   @relation(fields: [authorId], references: [id])
+    authorId  String
+}
+```
+### 3. Generate your schema
+```bash
+npx zenstack generate
+```
+### 4. Configure the plugin at runtime
+```typescript
+import { ZenStackClient } from '@zenstackhq/orm';
+import { createEncryptionPlugin, ENCRYPTION_KEY_BYTES } from 'zenstack-encryption';
+import schema from './schema.js';
+// Load your 32-byte key from environment, KMS, vault, etc.
+const encryptionKey = new Uint8Array(
+    Buffer.from(process.env.ENCRYPTION_KEY!, 'base64')
+);
+const encryptionPlugin = createEncryptionPlugin({ encryptionKey });
+const client = new ZenStackClient(schema, {
+    plugins: [encryptionPlugin],
+});
+// Fields are encrypted/decrypted transparently
+const user = await client.user.create({
+    data: {
+        email: 'alice@example.com',
+        secretToken: 'super-secret-value',
+    },
+});
+console.log(user.secretToken); // → "super-secret-value" (decrypted)
+```
+## Key Rotation
+When you need to rotate encryption keys, pass old keys via `decryptionKeys`. The plugin will use the primary `encryptionKey` for new writes, but try all keys (primary + decryption) when decrypting:
+```typescript
+const plugin = createEncryptionPlugin({
+    encryptionKey: newKey,        // used for all new encryptions
+    decryptionKeys: [oldKey],     // tried during decryption alongside newKey
+});
+```
+This enables zero-downtime key rotation:
+1. Deploy with both keys configured (new key as primary, old key in `decryptionKeys`)
+2. Existing data encrypted with the old key is still readable
+3. New writes use the new key
+4. Optionally re-encrypt old data by reading and updating records
+## Custom Encryption
+For integration with AWS KMS, HashiCorp Vault, or any other encryption provider, pass custom `encrypt` and `decrypt` functions:
+```typescript
+import type { FieldDef } from '@zenstackhq/orm/schema';
+const plugin = createEncryptionPlugin({
+    encrypt: async (model: string, field: FieldDef, plaintext: string) => {
+        // Call your encryption service
+        return await myKms.encrypt(plaintext);
+    },
+    decrypt: async (model: string, field: FieldDef, ciphertext: string) => {
+        // Call your decryption service
+        return await myKms.decrypt(ciphertext);
+    },
+});
+```
+The `model` and `field` parameters let you use different keys or strategies per model/field.
+## Adding to an existing client
+You can also add the plugin to an existing `ZenStackClient` instance using `$use`:
+```typescript
+const baseClient = new ZenStackClient(schema);
+const client = baseClient.$use(createEncryptionPlugin({ encryptionKey }));
+```
+## Limitations
+- **ORM only** — only applies to ORM CRUD operations, not direct Kysely query builder calls via `client.$qb`
+- **String fields only** — `@encrypted` can only be applied to `String` fields
+- **No encrypted filtering** — encrypted fields cannot be used in `where` clauses since encryption is non-deterministic (each encryption produces different ciphertext due to random IVs)
+- **Storage overhead** — encrypted values are longer than the original plaintext due to base64 encoding + metadata; ensure your database column can accommodate the larger size
+## License
+MIT

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,91 @@
+import * as _zenstackhq_orm0 from "@zenstackhq/orm";
+import { FieldDef, SchemaDef } from "@zenstackhq/orm/schema";
+//#region src/decrypter.d.ts
+/**
+ * Default decrypter with support for key rotation
+ */
+declare class Decrypter {
+  private readonly decryptionKeys;
+  private keys;
+  constructor(decryptionKeys: Uint8Array[]);
+  /**
+   * Decrypts the given data
+   */
+  decrypt(data: string): Promise<string>;
+}
+//#endregion
+//#region src/encrypter.d.ts
+/**
+ * Default encrypter using AES-256-GCM
+ */
+declare class Encrypter {
+  private readonly encryptionKey;
+  private key;
+  private keyDigest;
+  constructor(encryptionKey: Uint8Array);
+  /**
+   * Encrypts the given data
+   */
+  encrypt(data: string): Promise<string>;
+}
+//#endregion
+//#region src/types.d.ts
+/**
+ * Simple encryption configuration using built-in AES-256-GCM encryption
+ */
+type SimpleEncryption = {
+  /**
+   * The encryption key (must be 32 bytes / 256 bits)
+   */
+  encryptionKey: Uint8Array;
+  /**
+   * Additional decryption keys for key rotation support.
+   * When decrypting, all keys (encryptionKey + decryptionKeys) are tried.
+   */
+  decryptionKeys?: Uint8Array[];
+};
+/**
+ * Custom encryption configuration for user-provided encryption handlers
+ */
+type CustomEncryption = {
+  /**
+   * Custom encryption function
+   * @param model The model name
+   * @param field The field definition
+   * @param plain The plaintext value to encrypt
+   * @returns The encrypted value
+   */
+  encrypt: (model: string, field: FieldDef, plain: string) => Promise<string>;
+  /**
+   * Custom decryption function
+   * @param model The model name
+   * @param field The field definition
+   * @param cipher The encrypted value to decrypt
+   * @returns The decrypted value
+   */
+  decrypt: (model: string, field: FieldDef, cipher: string) => Promise<string>;
+};
+/**
+ * Encryption configuration - either simple (built-in) or custom
+ */
+type EncryptionConfig = SimpleEncryption | CustomEncryption;
+/**
+ * Type guard to check if encryption config is custom
+ */
+declare function isCustomEncryption(config: EncryptionConfig): config is CustomEncryption;
+//#endregion
+//#region src/plugin.d.ts
+/**
+ * Creates an encryption plugin for ZenStack ORM
+ *
+ * @param config Encryption configuration (simple or custom)
+ * @returns A runtime plugin that handles field encryption/decryption
+ */
+declare function createEncryptionPlugin<Schema extends SchemaDef>(config: EncryptionConfig): _zenstackhq_orm0.RuntimePlugin<any, {}, {}>;
+//#endregion
+//#region src/utils.d.ts
+declare const ENCRYPTION_KEY_BYTES = 32;
+//#endregion
+export { type CustomEncryption, Decrypter, ENCRYPTION_KEY_BYTES, Encrypter, type EncryptionConfig, type SimpleEncryption, createEncryptionPlugin, isCustomEncryption };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.mts","names":[],"sources":["../src/decrypter.ts","../src/encrypter.ts","../src/types.ts","../src/plugin.ts","../src/utils.ts"],"mappings":";;;;;;;cAKa,SAAA;EAAA,iBAGoB,cAAA;EAAA,QAFrB,IAAA;cAEqB,cAAA,EAAgB,UAAA;EAeT;;;EAA9B,OAAA,CAAQ,IAAA,WAAe,OAAA;AAAA;;;;;;cClBpB,SAAA;EAAA,iBAIoB,aAAA;EAAA,QAHrB,GAAA;EAAA,QACA,SAAA;cAEqB,aAAA,EAAe,UAAA;EDDf;;;ECUvB,OAAA,CAAQ,IAAA,WAAe,OAAA;AAAA;;;;;;KCbrB,gBAAA;EFAU;;;EEIlB,aAAA,EAAe,UAAA;EFHP;;;;EESR,cAAA,GAAiB,UAAA;AAAA;;;;KAMT,gBAAA;;;ADhBZ;;;;;ECwBI,OAAA,GAAU,KAAA,UAAe,KAAA,EAAO,QAAA,EAAU,KAAA,aAAkB,OAAA;EDtBpD;;;;;;;EC+BR,OAAA,GAAU,KAAA,UAAe,KAAA,EAAO,QAAA,EAAU,MAAA,aAAmB,OAAA;AAAA;;;;KAMrD,gBAAA,GAAmB,gBAAA,GAAmB,gBAAA;;;;iBAKlC,kBAAA,CAAmB,MAAA,EAAQ,gBAAA,GAAmB,MAAA,IAAU,gBAAA;;;;;AF5CxE;;;;iBGwBgB,sBAAA,gBAAsC,SAAA,CAAA,CAAW,MAAA,EAAQ,gBAAA,GAAgB,gBAAA,CAAA,aAAA;;;cC1B5E,oBAAA"}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,310 @@
+import { z } from "zod";
+import { definePlugin } from "@zenstackhq/orm";
+//#region src/utils.ts
+const ENCRYPTER_VERSION = 1;
+const ENCRYPTION_KEY_BYTES = 32;
+const IV_BYTES = 12;
+const ALGORITHM = "AES-GCM";
+const KEY_DIGEST_BYTES = 8;
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+const encryptionMetaSchema = z.object({
+	v: z.number(),
+	a: z.string(),
+	k: z.string()
+});
+/**
+* Load a raw encryption key into a CryptoKey object
+*/
+async function loadKey(key, keyUsages) {
+	const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+	return crypto.subtle.importKey("raw", keyBuffer, ALGORITHM, false, keyUsages);
+}
+/**
+* Get a digest of the encryption key for identification
+*/
+async function getKeyDigest(key) {
+	const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+	const rawDigest = await crypto.subtle.digest("SHA-256", keyBuffer);
+	return new Uint8Array(rawDigest.slice(0, KEY_DIGEST_BYTES)).reduce((acc, byte) => acc + byte.toString(16).padStart(2, "0"), "");
+}
+/**
+* Encrypt data using AES-GCM
+*/
+async function _encrypt(data, key, keyDigest) {
+	const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
+	const encrypted = await crypto.subtle.encrypt({
+		name: ALGORITHM,
+		iv
+	}, key, encoder.encode(data));
+	const cipherBytes = [...iv, ...new Uint8Array(encrypted)];
+	const meta = {
+		v: ENCRYPTER_VERSION,
+		a: ALGORITHM,
+		k: keyDigest
+	};
+	return `${btoa(JSON.stringify(meta))}.${btoa(String.fromCharCode(...cipherBytes))}`;
+}
+/**
+* Decrypt data using AES-GCM
+*/
+async function _decrypt(data, findKey) {
+	const [metaText, cipherText] = data.split(".");
+	if (!metaText || !cipherText) throw new Error("Malformed encrypted data");
+	let metaObj;
+	try {
+		metaObj = JSON.parse(atob(metaText));
+	} catch {
+		throw new Error("Malformed metadata");
+	}
+	const { a: algorithm, k: keyDigest } = encryptionMetaSchema.parse(metaObj);
+	const keys = await findKey(keyDigest);
+	if (keys.length === 0) throw new Error("No matching decryption key found");
+	const bytes = Uint8Array.from(atob(cipherText), (c) => c.charCodeAt(0));
+	const iv = bytes.slice(0, IV_BYTES);
+	const cipher = bytes.slice(IV_BYTES);
+	let lastError;
+	for (const key of keys) {
+		let decrypted;
+		try {
+			decrypted = await crypto.subtle.decrypt({
+				name: algorithm,
+				iv
+			}, key, cipher);
+		} catch (err) {
+			lastError = err;
+			continue;
+		}
+		return decoder.decode(decrypted);
+	}
+	throw lastError;
+}
+//#endregion
+//#region src/decrypter.ts
+/**
+* Default decrypter with support for key rotation
+*/
+var Decrypter = class {
+	constructor(decryptionKeys) {
+		this.decryptionKeys = decryptionKeys;
+		this.keys = [];
+		if (decryptionKeys.length === 0) throw new Error("At least one decryption key must be provided");
+		for (const key of decryptionKeys) if (key.length !== ENCRYPTION_KEY_BYTES) throw new Error(`Decryption key must be ${ENCRYPTION_KEY_BYTES} bytes`);
+	}
+	/**
+	* Decrypts the given data
+	*/
+	async decrypt(data) {
+		if (this.keys.length === 0) this.keys = await Promise.all(this.decryptionKeys.map(async (key) => ({
+			key: await loadKey(key, ["decrypt"]),
+			digest: await getKeyDigest(key)
+		})));
+		return _decrypt(data, async (digest) => this.keys.filter((entry) => entry.digest === digest).map((entry) => entry.key));
+	}
+};
+//#endregion
+//#region src/encrypter.ts
+/**
+* Default encrypter using AES-256-GCM
+*/
+var Encrypter = class {
+	constructor(encryptionKey) {
+		this.encryptionKey = encryptionKey;
+		if (encryptionKey.length !== ENCRYPTION_KEY_BYTES) throw new Error(`Encryption key must be ${ENCRYPTION_KEY_BYTES} bytes`);
+	}
+	/**
+	* Encrypts the given data
+	*/
+	async encrypt(data) {
+		if (!this.key) this.key = await loadKey(this.encryptionKey, ["encrypt"]);
+		if (!this.keyDigest) this.keyDigest = await getKeyDigest(this.encryptionKey);
+		return _encrypt(data, this.key, this.keyDigest);
+	}
+};
+//#endregion
+//#region src/types.ts
+/**
+* Type guard to check if encryption config is custom
+*/
+function isCustomEncryption(config) {
+	return "encrypt" in config && "decrypt" in config;
+}
+//#endregion
+//#region src/plugin.ts
+const ENCRYPTED_ATTRIBUTE = "@encrypted";
+/**
+* Check if a field has the @encrypted attribute
+*/
+function isEncryptedField(field) {
+	return field.attributes?.some((attr) => attr.name === ENCRYPTED_ATTRIBUTE) ?? false;
+}
+/**
+* Check if a model has any encrypted fields
+*/
+function hasEncryptedFields(model) {
+	return Object.values(model.fields).some(isEncryptedField);
+}
+/**
+* Creates an encryption plugin for ZenStack ORM
+*
+* @param config Encryption configuration (simple or custom)
+* @returns A runtime plugin that handles field encryption/decryption
+*/
+function createEncryptionPlugin(config) {
+	let encrypter;
+	let decrypter;
+	let customEncryption;
+	if (isCustomEncryption(config)) customEncryption = config;
+	else {
+		const simpleConfig = config;
+		encrypter = new Encrypter(simpleConfig.encryptionKey);
+		decrypter = new Decrypter([simpleConfig.encryptionKey, ...simpleConfig.decryptionKeys ?? []]);
+	}
+	async function encryptValue(model, field, value) {
+		if (customEncryption) return customEncryption.encrypt(model, field, value);
+		return encrypter.encrypt(value);
+	}
+	async function decryptValue(model, field, value) {
+		if (customEncryption) return customEncryption.decrypt(model, field, value);
+		return decrypter.decrypt(value);
+	}
+	/**
+	* Recursively encrypt fields in write data
+	*/
+	async function encryptWriteData(schema, modelName, data) {
+		const model = schema.models[modelName];
+		if (!model) return;
+		for (const [fieldName, value] of Object.entries(data)) {
+			if (value === null || value === void 0 || value === "") continue;
+			const field = model.fields[fieldName];
+			if (!field) continue;
+			if (isEncryptedField(field) && typeof value === "string") {
+				data[fieldName] = await encryptValue(modelName, field, value);
+				continue;
+			}
+			if (field.relation && typeof value === "object") {
+				const relatedModel = field.type;
+				await encryptNestedWrites(schema, relatedModel, value);
+			}
+		}
+	}
+	/**
+	* Handle nested write operations (create, update, connect, etc.)
+	*/
+	async function encryptNestedWrites(schema, modelName, data) {
+		const createData = data["create"];
+		if (createData) if (Array.isArray(createData)) for (const item of createData) await encryptWriteData(schema, modelName, item);
+		else await encryptWriteData(schema, modelName, createData);
+		const createManyData = data["createMany"];
+		if (createManyData && typeof createManyData === "object") {
+			const createManyItems = createManyData["data"];
+			if (Array.isArray(createManyItems)) for (const item of createManyItems) await encryptWriteData(schema, modelName, item);
+		}
+		const updateData = data["update"];
+		if (updateData) if (Array.isArray(updateData)) for (const item of updateData) {
+			const itemData = item["data"];
+			if (itemData) await encryptWriteData(schema, modelName, itemData);
+		}
+		else {
+			const updateObj = updateData;
+			const nestedData = updateObj["data"];
+			if (nestedData) await encryptWriteData(schema, modelName, nestedData);
+			else await encryptWriteData(schema, modelName, updateObj);
+		}
+		const updateManyData = data["updateMany"];
+		if (updateManyData) if (Array.isArray(updateManyData)) for (const item of updateManyData) {
+			const itemData = item["data"];
+			if (itemData) await encryptWriteData(schema, modelName, itemData);
+		}
+		else {
+			const nestedData = updateManyData["data"];
+			if (nestedData) await encryptWriteData(schema, modelName, nestedData);
+		}
+		const upsertData = data["upsert"];
+		if (upsertData) if (Array.isArray(upsertData)) for (const item of upsertData) {
+			const upsertItem = item;
+			const createPart = upsertItem["create"];
+			const updatePart = upsertItem["update"];
+			if (createPart) await encryptWriteData(schema, modelName, createPart);
+			if (updatePart) await encryptWriteData(schema, modelName, updatePart);
+		}
+		else {
+			const upsertObj = upsertData;
+			const createPart = upsertObj["create"];
+			const updatePart = upsertObj["update"];
+			if (createPart) await encryptWriteData(schema, modelName, createPart);
+			if (updatePart) await encryptWriteData(schema, modelName, updatePart);
+		}
+		const connectOrCreateData = data["connectOrCreate"];
+		if (connectOrCreateData) if (Array.isArray(connectOrCreateData)) for (const item of connectOrCreateData) {
+			const createPart = item["create"];
+			if (createPart) await encryptWriteData(schema, modelName, createPart);
+		}
+		else {
+			const createPart = connectOrCreateData["create"];
+			if (createPart) await encryptWriteData(schema, modelName, createPart);
+		}
+	}
+	/**
+	* Recursively decrypt fields in result data
+	*/
+	async function decryptResultData(schema, modelName, data) {
+		const model = schema.models[modelName];
+		if (!model) return;
+		for (const [fieldName, value] of Object.entries(data)) {
+			if (value === null || value === void 0 || value === "") continue;
+			const field = model.fields[fieldName];
+			if (!field) continue;
+			if (isEncryptedField(field) && typeof value === "string") {
+				try {
+					data[fieldName] = await decryptValue(modelName, field, value);
+				} catch (error) {
+					console.warn(`Failed to decrypt field ${modelName}.${fieldName}:`, error);
+				}
+				continue;
+			}
+			if (field.relation && value !== null) {
+				const relatedModel = field.type;
+				if (Array.isArray(value)) {
+					for (const item of value) if (typeof item === "object" && item !== null) await decryptResultData(schema, relatedModel, item);
+				} else if (typeof value === "object") await decryptResultData(schema, relatedModel, value);
+			}
+		}
+	}
+	return definePlugin({
+		id: "encryption",
+		name: "Encryption Plugin",
+		description: "Automatically encrypts and decrypts fields marked with @encrypted",
+		onQuery: async (ctx) => {
+			const { model, operation, args, proceed, client } = ctx;
+			const schema = client.schema;
+			const modelDef = schema.models[model];
+			if (!modelDef || !hasEncryptedFields(modelDef)) return proceed(args);
+			const processedArgs = args ? JSON.parse(JSON.stringify(args)) : void 0;
+			if (operation === "create" || operation === "update" || operation === "upsert" || operation === "createMany" || operation === "updateMany" || operation === "createManyAndReturn") {
+				if (processedArgs?.data) if (Array.isArray(processedArgs.data)) for (const item of processedArgs.data) await encryptWriteData(schema, model, item);
+				else await encryptWriteData(schema, model, processedArgs.data);
+				if (operation === "upsert") {
+					if (processedArgs?.create) await encryptWriteData(schema, model, processedArgs.create);
+					if (processedArgs?.update) await encryptWriteData(schema, model, processedArgs.update);
+				}
+			}
+			const result = await proceed(processedArgs);
+			if (result !== null && result !== void 0) {
+				if (Array.isArray(result)) {
+					for (const item of result) if (typeof item === "object" && item !== null) await decryptResultData(schema, model, item);
+				} else if (typeof result === "object") await decryptResultData(schema, model, result);
+			}
+			return result;
+		}
+	});
+}
+//#endregion
+export { Decrypter, ENCRYPTION_KEY_BYTES, Encrypter, createEncryptionPlugin, isCustomEncryption };
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.mjs","names":[],"sources":["../src/utils.ts","../src/decrypter.ts","../src/encrypter.ts","../src/types.ts","../src/plugin.ts"],"sourcesContent":["import { z } from 'zod';\n\nexport const ENCRYPTER_VERSION = 1;\nexport const ENCRYPTION_KEY_BYTES = 32;\nexport const IV_BYTES = 12;\nexport const ALGORITHM = 'AES-GCM';\nexport const KEY_DIGEST_BYTES = 8;\n\nconst encoder = new TextEncoder();\nconst decoder = new TextDecoder();\n\nconst encryptionMetaSchema = z.object({\n // version\n v: z.number(),\n // algorithm\n a: z.string(),\n // key digest\n k: z.string(),\n});\n\n/**\n * Load a raw encryption key into a CryptoKey object\n */\nexport async function loadKey(key: Uint8Array, keyUsages: KeyUsage[]): Promise<CryptoKey> {\n // Convert to ArrayBuffer for crypto.subtle compatibility\n const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength) as ArrayBuffer;\n return crypto.subtle.importKey('raw', keyBuffer, ALGORITHM, false, keyUsages);\n}\n\n/**\n * Get a digest of the encryption key for identification\n */\nexport async function getKeyDigest(key: Uint8Array): Promise<string> {\n // Convert to ArrayBuffer for crypto.subtle compatibility\n const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength) as ArrayBuffer;\n const rawDigest = await crypto.subtle.digest('SHA-256', keyBuffer);\n return new Uint8Array(rawDigest.slice(0, KEY_DIGEST_BYTES)).reduce(\n (acc, byte) => acc + byte.toString(16).padStart(2, '0'),\n '',\n );\n}\n\n/**\n * Encrypt data using AES-GCM\n */\nexport async function _encrypt(data: string, key: CryptoKey, keyDigest: string): Promise<string> {\n const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));\n const encrypted = await crypto.subtle.encrypt(\n {\n name: ALGORITHM,\n iv,\n },\n key,\n encoder.encode(data),\n );\n\n // combine IV and encrypted data into a single array of bytes\n const cipherBytes = [...iv, ...new Uint8Array(encrypted)];\n\n // encryption metadata\n const meta = { v: ENCRYPTER_VERSION, a: ALGORITHM, k: keyDigest };\n\n // convert concatenated result to base64 string\n return `${btoa(JSON.stringify(meta))}.${btoa(String.fromCharCode(...cipherBytes))}`;\n}\n\n/**\n * Decrypt data using AES-GCM\n */\nexport async function _decrypt(data: string, findKey: (digest: string) => Promise<CryptoKey[]>): Promise<string> {\n const [metaText, cipherText] = data.split('.');\n if (!metaText || !cipherText) {\n throw new Error('Malformed encrypted data');\n }\n\n let metaObj: unknown;\n try {\n metaObj = JSON.parse(atob(metaText));\n } catch {\n throw new Error('Malformed metadata');\n }\n\n // parse meta\n const { a: algorithm, k: keyDigest } = encryptionMetaSchema.parse(metaObj);\n\n // find a matching decryption key\n const keys = await findKey(keyDigest);\n if (keys.length === 0) {\n throw new Error('No matching decryption key found');\n }\n\n // convert base64 back to bytes\n const bytes = Uint8Array.from(atob(cipherText), (c) => c.charCodeAt(0));\n\n // extract IV from the head\n const iv = bytes.slice(0, IV_BYTES);\n const cipher = bytes.slice(IV_BYTES);\n let lastError: unknown;\n\n for (const key of keys) {\n let decrypted: ArrayBuffer;\n try {\n decrypted = await crypto.subtle.decrypt({ name: algorithm, iv }, key, cipher);\n } catch (err) {\n lastError = err;\n continue;\n }\n return decoder.decode(decrypted);\n }\n\n throw lastError;\n}\n","import { _decrypt, ENCRYPTION_KEY_BYTES, getKeyDigest, loadKey } from './utils.js';\n\n/**\n * Default decrypter with support for key rotation\n */\nexport class Decrypter {\n private keys: Array<{ key: CryptoKey; digest: string }> = [];\n\n constructor(private readonly decryptionKeys: Uint8Array[]) {\n if (decryptionKeys.length === 0) {\n throw new Error('At least one decryption key must be provided');\n }\n\n for (const key of decryptionKeys) {\n if (key.length !== ENCRYPTION_KEY_BYTES) {\n throw new Error(`Decryption key must be ${ENCRYPTION_KEY_BYTES} bytes`);\n }\n }\n }\n\n /**\n * Decrypts the given data\n */\n async decrypt(data: string): Promise<string> {\n if (this.keys.length === 0) {\n this.keys = await Promise.all(\n this.decryptionKeys.map(async (key) => ({\n key: await loadKey(key, ['decrypt']),\n digest: await getKeyDigest(key),\n })),\n );\n }\n\n return _decrypt(data, async (digest) =>\n this.keys.filter((entry) => entry.digest === digest).map((entry) => entry.key),\n );\n }\n}\n","import { _encrypt, ENCRYPTION_KEY_BYTES, getKeyDigest, loadKey } from './utils.js';\n\n/**\n * Default encrypter using AES-256-GCM\n */\nexport class Encrypter {\n private key: CryptoKey | undefined;\n private keyDigest: string | undefined;\n\n constructor(private readonly encryptionKey: Uint8Array) {\n if (encryptionKey.length !== ENCRYPTION_KEY_BYTES) {\n throw new Error(`Encryption key must be ${ENCRYPTION_KEY_BYTES} bytes`);\n }\n }\n\n /**\n * Encrypts the given data\n */\n async encrypt(data: string): Promise<string> {\n if (!this.key) {\n this.key = await loadKey(this.encryptionKey, ['encrypt']);\n }\n\n if (!this.keyDigest) {\n this.keyDigest = await getKeyDigest(this.encryptionKey);\n }\n\n return _encrypt(data, this.key, this.keyDigest);\n }\n}\n","import type { FieldDef } from '@zenstackhq/orm/schema';\n\n/**\n * Simple encryption configuration using built-in AES-256-GCM encryption\n */\nexport type SimpleEncryption = {\n /**\n * The encryption key (must be 32 bytes / 256 bits)\n */\n encryptionKey: Uint8Array;\n\n /**\n * Additional decryption keys for key rotation support.\n * When decrypting, all keys (encryptionKey + decryptionKeys) are tried.\n */\n decryptionKeys?: Uint8Array[];\n};\n\n/**\n * Custom encryption configuration for user-provided encryption handlers\n */\nexport type CustomEncryption = {\n /**\n * Custom encryption function\n * @param model The model name\n * @param field The field definition\n * @param plain The plaintext value to encrypt\n * @returns The encrypted value\n */\n encrypt: (model: string, field: FieldDef, plain: string) => Promise<string>;\n\n /**\n * Custom decryption function\n * @param model The model name\n * @param field The field definition\n * @param cipher The encrypted value to decrypt\n * @returns The decrypted value\n */\n decrypt: (model: string, field: FieldDef, cipher: string) => Promise<string>;\n};\n\n/**\n * Encryption configuration - either simple (built-in) or custom\n */\nexport type EncryptionConfig = SimpleEncryption | CustomEncryption;\n\n/**\n * Type guard to check if encryption config is custom\n */\nexport function isCustomEncryption(config: EncryptionConfig): config is CustomEncryption {\n return 'encrypt' in config && 'decrypt' in config;\n}\n","import { definePlugin } from '@zenstackhq/orm';\nimport type { FieldDef, ModelDef, SchemaDef } from '@zenstackhq/orm/schema';\nimport { Decrypter } from './decrypter.js';\nimport { Encrypter } from './encrypter.js';\nimport type { CustomEncryption, EncryptionConfig, SimpleEncryption } from './types.js';\nimport { isCustomEncryption } from './types.js';\n\nconst ENCRYPTED_ATTRIBUTE = '@encrypted';\n\n/**\n * Check if a field has the @encrypted attribute\n */\nfunction isEncryptedField(field: FieldDef): boolean {\n return field.attributes?.some((attr) => attr.name === ENCRYPTED_ATTRIBUTE) ?? false;\n}\n\n/**\n * Check if a model has any encrypted fields\n */\nfunction hasEncryptedFields(model: ModelDef): boolean {\n return Object.values(model.fields).some(isEncryptedField);\n}\n\n/**\n * Creates an encryption plugin for ZenStack ORM\n *\n * @param config Encryption configuration (simple or custom)\n * @returns A runtime plugin that handles field encryption/decryption\n */\nexport function createEncryptionPlugin<Schema extends SchemaDef>(config: EncryptionConfig) {\n let encrypter: Encrypter | undefined;\n let decrypter: Decrypter | undefined;\n let customEncryption: CustomEncryption | undefined;\n\n if (isCustomEncryption(config)) {\n customEncryption = config;\n } else {\n const simpleConfig = config as SimpleEncryption;\n encrypter = new Encrypter(simpleConfig.encryptionKey);\n const allDecryptionKeys = [simpleConfig.encryptionKey, ...(simpleConfig.decryptionKeys ?? [])];\n decrypter = new Decrypter(allDecryptionKeys);\n }\n\n async function encryptValue(model: string, field: FieldDef, value: string): Promise<string> {\n if (customEncryption) {\n return customEncryption.encrypt(model, field, value);\n }\n return encrypter!.encrypt(value);\n }\n\n async function decryptValue(model: string, field: FieldDef, value: string): Promise<string> {\n if (customEncryption) {\n return customEncryption.decrypt(model, field, value);\n }\n return decrypter!.decrypt(value);\n }\n\n /**\n * Recursively encrypt fields in write data\n */\n async function encryptWriteData(\n schema: SchemaDef,\n modelName: string,\n data: Record<string, unknown>,\n ): Promise<void> {\n const model = schema.models[modelName];\n if (!model) return;\n\n for (const [fieldName, value] of Object.entries(data)) {\n if (value === null || value === undefined || value === '') {\n continue;\n }\n\n const field = model.fields[fieldName];\n if (!field) continue;\n\n // Handle encrypted string fields\n if (isEncryptedField(field) && typeof value === 'string') {\n data[fieldName] = await encryptValue(modelName, field, value);\n continue;\n }\n\n // Handle relation fields (nested writes)\n if (field.relation && typeof value === 'object') {\n const relatedModel = field.type;\n await encryptNestedWrites(schema, relatedModel, value as Record<string, unknown>);\n }\n }\n }\n\n /**\n * Handle nested write operations (create, update, connect, etc.)\n */\n async function encryptNestedWrites(\n schema: SchemaDef,\n modelName: string,\n data: Record<string, unknown>,\n ): Promise<void> {\n // Handle create\n const createData = data['create'];\n if (createData) {\n if (Array.isArray(createData)) {\n for (const item of createData) {\n await encryptWriteData(schema, modelName, item as Record<string, unknown>);\n }\n } else {\n await encryptWriteData(schema, modelName, createData as Record<string, unknown>);\n }\n }\n\n // Handle createMany\n const createManyData = data['createMany'];\n if (createManyData && typeof createManyData === 'object') {\n const createManyItems = (createManyData as Record<string, unknown>)['data'];\n if (Array.isArray(createManyItems)) {\n for (const item of createManyItems) {\n await encryptWriteData(schema, modelName, item as Record<string, unknown>);\n }\n }\n }\n\n // Handle update\n const updateData = data['update'];\n if (updateData) {\n if (Array.isArray(updateData)) {\n for (const item of updateData) {\n const updateItem = item as Record<string, unknown>;\n const itemData = updateItem['data'];\n if (itemData) {\n await encryptWriteData(schema, modelName, itemData as Record<string, unknown>);\n }\n }\n } else {\n const updateObj = updateData as Record<string, unknown>;\n const nestedData = updateObj['data'];\n if (nestedData) {\n await encryptWriteData(schema, modelName, nestedData as Record<string, unknown>);\n } else {\n await encryptWriteData(schema, modelName, updateObj);\n }\n }\n }\n\n // Handle updateMany\n const updateManyData = data['updateMany'];\n if (updateManyData) {\n if (Array.isArray(updateManyData)) {\n for (const item of updateManyData) {\n const updateItem = item as Record<string, unknown>;\n const itemData = updateItem['data'];\n if (itemData) {\n await encryptWriteData(schema, modelName, itemData as Record<string, unknown>);\n }\n }\n } else {\n const updateObj = updateManyData as Record<string, unknown>;\n const nestedData = updateObj['data'];\n if (nestedData) {\n await encryptWriteData(schema, modelName, nestedData as Record<string, unknown>);\n }\n }\n }\n\n // Handle upsert\n const upsertData = data['upsert'];\n if (upsertData) {\n if (Array.isArray(upsertData)) {\n for (const item of upsertData) {\n const upsertItem = item as Record<string, unknown>;\n const createPart = upsertItem['create'];\n const updatePart = upsertItem['update'];\n if (createPart) {\n await encryptWriteData(schema, modelName, createPart as Record<string, unknown>);\n }\n if (updatePart) {\n await encryptWriteData(schema, modelName, updatePart as Record<string, unknown>);\n }\n }\n } else {\n const upsertObj = upsertData as Record<string, unknown>;\n const createPart = upsertObj['create'];\n const updatePart = upsertObj['update'];\n if (createPart) {\n await encryptWriteData(schema, modelName, createPart as Record<string, unknown>);\n }\n if (updatePart) {\n await encryptWriteData(schema, modelName, updatePart as Record<string, unknown>);\n }\n }\n }\n\n // Handle connectOrCreate\n const connectOrCreateData = data['connectOrCreate'];\n if (connectOrCreateData) {\n if (Array.isArray(connectOrCreateData)) {\n for (const item of connectOrCreateData) {\n const cocItem = item as Record<string, unknown>;\n const createPart = cocItem['create'];\n if (createPart) {\n await encryptWriteData(schema, modelName, createPart as Record<string, unknown>);\n }\n }\n } else {\n const cocObj = connectOrCreateData as Record<string, unknown>;\n const createPart = cocObj['create'];\n if (createPart) {\n await encryptWriteData(schema, modelName, createPart as Record<string, unknown>);\n }\n }\n }\n }\n\n /**\n * Recursively decrypt fields in result data\n */\n async function decryptResultData(\n schema: SchemaDef,\n modelName: string,\n data: Record<string, unknown>,\n ): Promise<void> {\n const model = schema.models[modelName];\n if (!model) return;\n\n for (const [fieldName, value] of Object.entries(data)) {\n if (value === null || value === undefined || value === '') {\n continue;\n }\n\n const field = model.fields[fieldName];\n if (!field) continue;\n\n // Handle encrypted string fields\n if (isEncryptedField(field) && typeof value === 'string') {\n try {\n data[fieldName] = await decryptValue(modelName, field, value);\n } catch (error) {\n // If decryption fails, log warning and keep original value\n console.warn(`Failed to decrypt field ${modelName}.${fieldName}:`, error);\n }\n continue;\n }\n\n // Handle relation fields (nested data)\n if (field.relation && value !== null) {\n const relatedModel = field.type;\n if (Array.isArray(value)) {\n for (const item of value) {\n if (typeof item === 'object' && item !== null) {\n await decryptResultData(schema, relatedModel, item as Record<string, unknown>);\n }\n }\n } else if (typeof value === 'object') {\n await decryptResultData(schema, relatedModel, value as Record<string, unknown>);\n }\n }\n }\n }\n\n return definePlugin<Schema, {}, {}>({\n id: 'encryption',\n name: 'Encryption Plugin',\n description: 'Automatically encrypts and decrypts fields marked with @encrypted',\n\n onQuery: async (ctx) => {\n const { model, operation, args, proceed, client } = ctx;\n const schema = (client as any).schema as SchemaDef;\n const modelDef = schema.models[model];\n\n // Check if this model has any encrypted fields\n if (!modelDef || !hasEncryptedFields(modelDef)) {\n return proceed(args);\n }\n\n // Clone args to avoid mutating original\n const processedArgs = args ? JSON.parse(JSON.stringify(args)) : undefined;\n\n // Handle write operations - encrypt data before writing\n if (\n operation === 'create' ||\n operation === 'update' ||\n operation === 'upsert' ||\n operation === 'createMany' ||\n operation === 'updateMany' ||\n operation === 'createManyAndReturn'\n ) {\n if (processedArgs?.data) {\n if (Array.isArray(processedArgs.data)) {\n for (const item of processedArgs.data) {\n await encryptWriteData(schema, model, item);\n }\n } else {\n await encryptWriteData(schema, model, processedArgs.data);\n }\n }\n\n // Handle upsert create/update\n if (operation === 'upsert') {\n if (processedArgs?.create) {\n await encryptWriteData(schema, model, processedArgs.create);\n }\n if (processedArgs?.update) {\n await encryptWriteData(schema, model, processedArgs.update);\n }\n }\n }\n\n // Execute the query\n const result = await proceed(processedArgs);\n\n // Handle read operations - decrypt data after reading\n if (result !== null && result !== undefined) {\n if (Array.isArray(result)) {\n for (const item of result) {\n if (typeof item === 'object' && item !== null) {\n await decryptResultData(schema, model, item as Record<string, unknown>);\n }\n }\n } else if (typeof result === 'object') {\n await decryptResultData(schema, model, result as Record<string, unknown>);\n }\n }\n\n return result;\n },\n });\n}\n"],"mappings":";;;;AAEA,MAAa,oBAAoB;AACjC,MAAa,uBAAuB;AACpC,MAAa,WAAW;AACxB,MAAa,YAAY;AACzB,MAAa,mBAAmB;AAEhC,MAAM,UAAU,IAAI,aAAa;AACjC,MAAM,UAAU,IAAI,aAAa;AAEjC,MAAM,uBAAuB,EAAE,OAAO;CAElC,GAAG,EAAE,QAAQ;CAEb,GAAG,EAAE,QAAQ;CAEb,GAAG,EAAE,QAAQ;CAChB,CAAC;;;;AAKF,eAAsB,QAAQ,KAAiB,WAA2C;CAEtF,MAAM,YAAY,IAAI,OAAO,MAAM,IAAI,YAAY,IAAI,aAAa,IAAI,WAAW;AACnF,QAAO,OAAO,OAAO,UAAU,OAAO,WAAW,WAAW,OAAO,UAAU;;;;;AAMjF,eAAsB,aAAa,KAAkC;CAEjE,MAAM,YAAY,IAAI,OAAO,MAAM,IAAI,YAAY,IAAI,aAAa,IAAI,WAAW;CACnF,MAAM,YAAY,MAAM,OAAO,OAAO,OAAO,WAAW,UAAU;AAClE,QAAO,IAAI,WAAW,UAAU,MAAM,GAAG,iBAAiB,CAAC,CAAC,QACvD,KAAK,SAAS,MAAM,KAAK,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,EACvD,GACH;;;;;AAML,eAAsB,SAAS,MAAc,KAAgB,WAAoC;CAC7F,MAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,SAAS,CAAC;CAC3D,MAAM,YAAY,MAAM,OAAO,OAAO,QAClC;EACI,MAAM;EACN;EACH,EACD,KACA,QAAQ,OAAO,KAAK,CACvB;CAGD,MAAM,cAAc,CAAC,GAAG,IAAI,GAAG,IAAI,WAAW,UAAU,CAAC;CAGzD,MAAM,OAAO;EAAE,GAAG;EAAmB,GAAG;EAAW,GAAG;EAAW;AAGjE,QAAO,GAAG,KAAK,KAAK,UAAU,KAAK,CAAC,CAAC,GAAG,KAAK,OAAO,aAAa,GAAG,YAAY,CAAC;;;;;AAMrF,eAAsB,SAAS,MAAc,SAAoE;CAC7G,MAAM,CAAC,UAAU,cAAc,KAAK,MAAM,IAAI;AAC9C,KAAI,CAAC,YAAY,CAAC,WACd,OAAM,IAAI,MAAM,2BAA2B;CAG/C,IAAI;AACJ,KAAI;AACA,YAAU,KAAK,MAAM,KAAK,SAAS,CAAC;SAChC;AACJ,QAAM,IAAI,MAAM,qBAAqB;;CAIzC,MAAM,EAAE,GAAG,WAAW,GAAG,cAAc,qBAAqB,MAAM,QAAQ;CAG1E,MAAM,OAAO,MAAM,QAAQ,UAAU;AACrC,KAAI,KAAK,WAAW,EAChB,OAAM,IAAI,MAAM,mCAAmC;CAIvD,MAAM,QAAQ,WAAW,KAAK,KAAK,WAAW,GAAG,MAAM,EAAE,WAAW,EAAE,CAAC;CAGvE,MAAM,KAAK,MAAM,MAAM,GAAG,SAAS;CACnC,MAAM,SAAS,MAAM,MAAM,SAAS;CACpC,IAAI;AAEJ,MAAK,MAAM,OAAO,MAAM;EACpB,IAAI;AACJ,MAAI;AACA,eAAY,MAAM,OAAO,OAAO,QAAQ;IAAE,MAAM;IAAW;IAAI,EAAE,KAAK,OAAO;WACxE,KAAK;AACV,eAAY;AACZ;;AAEJ,SAAO,QAAQ,OAAO,UAAU;;AAGpC,OAAM;;;;;;;;ACzGV,IAAa,YAAb,MAAuB;CAGnB,YAAY,AAAiB,gBAA8B;EAA9B;cAF6B,EAAE;AAGxD,MAAI,eAAe,WAAW,EAC1B,OAAM,IAAI,MAAM,+CAA+C;AAGnE,OAAK,MAAM,OAAO,eACd,KAAI,IAAI,WAAW,qBACf,OAAM,IAAI,MAAM,0BAA0B,qBAAqB,QAAQ;;;;;CAQnF,MAAM,QAAQ,MAA+B;AACzC,MAAI,KAAK,KAAK,WAAW,EACrB,MAAK,OAAO,MAAM,QAAQ,IACtB,KAAK,eAAe,IAAI,OAAO,SAAS;GACpC,KAAK,MAAM,QAAQ,KAAK,CAAC,UAAU,CAAC;GACpC,QAAQ,MAAM,aAAa,IAAI;GAClC,EAAE,CACN;AAGL,SAAO,SAAS,MAAM,OAAO,WACzB,KAAK,KAAK,QAAQ,UAAU,MAAM,WAAW,OAAO,CAAC,KAAK,UAAU,MAAM,IAAI,CACjF;;;;;;;;;AC9BT,IAAa,YAAb,MAAuB;CAInB,YAAY,AAAiB,eAA2B;EAA3B;AACzB,MAAI,cAAc,WAAW,qBACzB,OAAM,IAAI,MAAM,0BAA0B,qBAAqB,QAAQ;;;;;CAO/E,MAAM,QAAQ,MAA+B;AACzC,MAAI,CAAC,KAAK,IACN,MAAK,MAAM,MAAM,QAAQ,KAAK,eAAe,CAAC,UAAU,CAAC;AAG7D,MAAI,CAAC,KAAK,UACN,MAAK,YAAY,MAAM,aAAa,KAAK,cAAc;AAG3D,SAAO,SAAS,MAAM,KAAK,KAAK,KAAK,UAAU;;;;;;;;;ACsBvD,SAAgB,mBAAmB,QAAsD;AACrF,QAAO,aAAa,UAAU,aAAa;;;;;AC3C/C,MAAM,sBAAsB;;;;AAK5B,SAAS,iBAAiB,OAA0B;AAChD,QAAO,MAAM,YAAY,MAAM,SAAS,KAAK,SAAS,oBAAoB,IAAI;;;;;AAMlF,SAAS,mBAAmB,OAA0B;AAClD,QAAO,OAAO,OAAO,MAAM,OAAO,CAAC,KAAK,iBAAiB;;;;;;;;AAS7D,SAAgB,uBAAiD,QAA0B;CACvF,IAAI;CACJ,IAAI;CACJ,IAAI;AAEJ,KAAI,mBAAmB,OAAO,CAC1B,oBAAmB;MAChB;EACH,MAAM,eAAe;AACrB,cAAY,IAAI,UAAU,aAAa,cAAc;AAErD,cAAY,IAAI,UADU,CAAC,aAAa,eAAe,GAAI,aAAa,kBAAkB,EAAE,CAAE,CAClD;;CAGhD,eAAe,aAAa,OAAe,OAAiB,OAAgC;AACxF,MAAI,iBACA,QAAO,iBAAiB,QAAQ,OAAO,OAAO,MAAM;AAExD,SAAO,UAAW,QAAQ,MAAM;;CAGpC,eAAe,aAAa,OAAe,OAAiB,OAAgC;AACxF,MAAI,iBACA,QAAO,iBAAiB,QAAQ,OAAO,OAAO,MAAM;AAExD,SAAO,UAAW,QAAQ,MAAM;;;;;CAMpC,eAAe,iBACX,QACA,WACA,MACa;EACb,MAAM,QAAQ,OAAO,OAAO;AAC5B,MAAI,CAAC,MAAO;AAEZ,OAAK,MAAM,CAAC,WAAW,UAAU,OAAO,QAAQ,KAAK,EAAE;AACnD,OAAI,UAAU,QAAQ,UAAU,UAAa,UAAU,GACnD;GAGJ,MAAM,QAAQ,MAAM,OAAO;AAC3B,OAAI,CAAC,MAAO;AAGZ,OAAI,iBAAiB,MAAM,IAAI,OAAO,UAAU,UAAU;AACtD,SAAK,aAAa,MAAM,aAAa,WAAW,OAAO,MAAM;AAC7D;;AAIJ,OAAI,MAAM,YAAY,OAAO,UAAU,UAAU;IAC7C,MAAM,eAAe,MAAM;AAC3B,UAAM,oBAAoB,QAAQ,cAAc,MAAiC;;;;;;;CAQ7F,eAAe,oBACX,QACA,WACA,MACa;EAEb,MAAM,aAAa,KAAK;AACxB,MAAI,WACA,KAAI,MAAM,QAAQ,WAAW,CACzB,MAAK,MAAM,QAAQ,WACf,OAAM,iBAAiB,QAAQ,WAAW,KAAgC;MAG9E,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;EAKxF,MAAM,iBAAiB,KAAK;AAC5B,MAAI,kBAAkB,OAAO,mBAAmB,UAAU;GACtD,MAAM,kBAAmB,eAA2C;AACpE,OAAI,MAAM,QAAQ,gBAAgB,CAC9B,MAAK,MAAM,QAAQ,gBACf,OAAM,iBAAiB,QAAQ,WAAW,KAAgC;;EAMtF,MAAM,aAAa,KAAK;AACxB,MAAI,WACA,KAAI,MAAM,QAAQ,WAAW,CACzB,MAAK,MAAM,QAAQ,YAAY;GAE3B,MAAM,WADa,KACS;AAC5B,OAAI,SACA,OAAM,iBAAiB,QAAQ,WAAW,SAAoC;;OAGnF;GACH,MAAM,YAAY;GAClB,MAAM,aAAa,UAAU;AAC7B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;OAEhF,OAAM,iBAAiB,QAAQ,WAAW,UAAU;;EAMhE,MAAM,iBAAiB,KAAK;AAC5B,MAAI,eACA,KAAI,MAAM,QAAQ,eAAe,CAC7B,MAAK,MAAM,QAAQ,gBAAgB;GAE/B,MAAM,WADa,KACS;AAC5B,OAAI,SACA,OAAM,iBAAiB,QAAQ,WAAW,SAAoC;;OAGnF;GAEH,MAAM,aADY,eACW;AAC7B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;;EAM5F,MAAM,aAAa,KAAK;AACxB,MAAI,WACA,KAAI,MAAM,QAAQ,WAAW,CACzB,MAAK,MAAM,QAAQ,YAAY;GAC3B,MAAM,aAAa;GACnB,MAAM,aAAa,WAAW;GAC9B,MAAM,aAAa,WAAW;AAC9B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;AAEpF,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;;OAGrF;GACH,MAAM,YAAY;GAClB,MAAM,aAAa,UAAU;GAC7B,MAAM,aAAa,UAAU;AAC7B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;AAEpF,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;;EAM5F,MAAM,sBAAsB,KAAK;AACjC,MAAI,oBACA,KAAI,MAAM,QAAQ,oBAAoB,CAClC,MAAK,MAAM,QAAQ,qBAAqB;GAEpC,MAAM,aADU,KACW;AAC3B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;;OAGrF;GAEH,MAAM,aADS,oBACW;AAC1B,OAAI,WACA,OAAM,iBAAiB,QAAQ,WAAW,WAAsC;;;;;;CAShG,eAAe,kBACX,QACA,WACA,MACa;EACb,MAAM,QAAQ,OAAO,OAAO;AAC5B,MAAI,CAAC,MAAO;AAEZ,OAAK,MAAM,CAAC,WAAW,UAAU,OAAO,QAAQ,KAAK,EAAE;AACnD,OAAI,UAAU,QAAQ,UAAU,UAAa,UAAU,GACnD;GAGJ,MAAM,QAAQ,MAAM,OAAO;AAC3B,OAAI,CAAC,MAAO;AAGZ,OAAI,iBAAiB,MAAM,IAAI,OAAO,UAAU,UAAU;AACtD,QAAI;AACA,UAAK,aAAa,MAAM,aAAa,WAAW,OAAO,MAAM;aACxD,OAAO;AAEZ,aAAQ,KAAK,2BAA2B,UAAU,GAAG,UAAU,IAAI,MAAM;;AAE7E;;AAIJ,OAAI,MAAM,YAAY,UAAU,MAAM;IAClC,MAAM,eAAe,MAAM;AAC3B,QAAI,MAAM,QAAQ,MAAM,EACpB;UAAK,MAAM,QAAQ,MACf,KAAI,OAAO,SAAS,YAAY,SAAS,KACrC,OAAM,kBAAkB,QAAQ,cAAc,KAAgC;eAG/E,OAAO,UAAU,SACxB,OAAM,kBAAkB,QAAQ,cAAc,MAAiC;;;;AAM/F,QAAO,aAA6B;EAChC,IAAI;EACJ,MAAM;EACN,aAAa;EAEb,SAAS,OAAO,QAAQ;GACpB,MAAM,EAAE,OAAO,WAAW,MAAM,SAAS,WAAW;GACpD,MAAM,SAAU,OAAe;GAC/B,MAAM,WAAW,OAAO,OAAO;AAG/B,OAAI,CAAC,YAAY,CAAC,mBAAmB,SAAS,CAC1C,QAAO,QAAQ,KAAK;GAIxB,MAAM,gBAAgB,OAAO,KAAK,MAAM,KAAK,UAAU,KAAK,CAAC,GAAG;AAGhE,OACI,cAAc,YACd,cAAc,YACd,cAAc,YACd,cAAc,gBACd,cAAc,gBACd,cAAc,uBAChB;AACE,QAAI,eAAe,KACf,KAAI,MAAM,QAAQ,cAAc,KAAK,CACjC,MAAK,MAAM,QAAQ,cAAc,KAC7B,OAAM,iBAAiB,QAAQ,OAAO,KAAK;QAG/C,OAAM,iBAAiB,QAAQ,OAAO,cAAc,KAAK;AAKjE,QAAI,cAAc,UAAU;AACxB,SAAI,eAAe,OACf,OAAM,iBAAiB,QAAQ,OAAO,cAAc,OAAO;AAE/D,SAAI,eAAe,OACf,OAAM,iBAAiB,QAAQ,OAAO,cAAc,OAAO;;;GAMvE,MAAM,SAAS,MAAM,QAAQ,cAAc;AAG3C,OAAI,WAAW,QAAQ,WAAW,QAC9B;QAAI,MAAM,QAAQ,OAAO,EACrB;UAAK,MAAM,QAAQ,OACf,KAAI,OAAO,SAAS,YAAY,SAAS,KACrC,OAAM,kBAAkB,QAAQ,OAAO,KAAgC;eAGxE,OAAO,WAAW,SACzB,OAAM,kBAAkB,QAAQ,OAAO,OAAkC;;AAIjF,UAAO;;EAEd,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,60 @@
+{
+  "name": "zenstack-encryption",
+  "version": "0.1.0",
+  "description": "ZenStack Encryption Plugin - Automatic field encryption/decryption for @encrypted fields",
+  "keywords": [
+    "zenstack",
+    "encryption",
+    "aes",
+    "crypto",
+    "plugin"
+  ],
+  "homepage": "https://github.com/genu/zenstack-encryption#readme",
+  "bugs": {
+    "url": "https://github.com/genu/zenstack-encryption/issues"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/genu/zenstack-encryption.git"
+  },
+  "files": [
+    "dist",
+    "plugin.zmodel",
+    "LICENSE",
+    "README.md"
+  ],
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "default": "./dist/index.mjs"
+    },
+    "./plugin.zmodel": "./plugin.zmodel",
+    "./package.json": "./package.json"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@zenstackhq/orm": ">=3.3.0"
+  },
+  "dependencies": {
+    "zod": "4.0.0"
+  },
+  "devDependencies": {
+    "@zenstackhq/orm": "3.3.2",
+    "eslint": "9.0.0",
+    "tsdown": "0.20.0",
+    "typescript": "5.9.0",
+    "typescript-eslint": "8.0.0",
+    "vitest": "3.0.0"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "watch": "tsdown --watch",
+    "lint": "eslint .",
+    "test": "vitest run"
+  }
+}

package/plugin.zmodel ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Indicates that the field should be encrypted when storing in the database and decrypted when read.
+ * Only applicable to String fields. The encryption uses AES-256-GCM via the Web Crypto API.
+ *
+ * To use this attribute, you must configure encryption options when creating the ZenStackClient.
+ */
+attribute @encrypted() @@@targetField([StringField])