feat: upgrade to eql 2.3.1

Author: calvinbrewer

.changeset/protect-ffi-0-22-0.md

@@ -7,13 +7,13 @@
 "stash": minor
 ---
 
-Upgrade `@cipherstash/protect-ffi` to `0.22.0` and the bundled CipherStash EQL extension to `eql-2.3.0`.
+Upgrade `@cipherstash/protect-ffi` to `0.22.0` and the bundled CipherStash EQL extension to `eql-2.3.1`.
 
 Breaking upstream changes adopted in this release:
 
 - **Encrypt-config schema version**: `buildEncryptConfig` now emits `{ v: 1, ... }` (was `{ v: 2, ... }`). protect-ffi `0.22.0` validates this field and rejects any value other than `1` with the new `UNSUPPORTED_CONFIG_VERSION` error code.
 - **SteVec encoding default flipped**: protect-ffi's default `mode` for `ste_vec` indexes changed from `compat` to `standard`. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under `compat` will need to be re-encrypted to be queryable. The stack adopts the new `standard` default — there is no longer a way to pin `compat` from the SDK.
-- **EQL extension bumped to `eql-2.3.0`**: the new SteVec `standard` encoding requires matching support in the database EQL extension. The CLI's bundled SQL (`packages/cli/src/sql/*.sql`) and the `@cipherstash/prisma-next` install bundle (`migrations/20260601T0000_install_eql_bundle/ops.json` + `eql-install.generated.ts`) are updated to `eql-2.3.0`. Databases installed with an older EQL extension must be reinstalled (`stash db install`) before containment / contained-by queries against SteVec columns will work.
+- **EQL extension bumped to `eql-2.3.1`**: the new SteVec `standard` encoding requires matching support in the database EQL extension. The CLI's bundled SQL (`packages/cli/src/sql/*.sql`) and the `@cipherstash/prisma-next` install bundle (`migrations/20260601T0000_install_eql_bundle/ops.json` + `eql-install.generated.ts`) are updated to `eql-2.3.1`. Databases installed with an older EQL extension must be reinstalled (`stash db install`) before containment / contained-by queries against SteVec columns will work. `eql-2.3.1` ships the `_encrypted_check_c` fix for SteVec storage payloads ([cipherstash/encrypt-query-language#232](https://github.com/cipherstash/encrypt-query-language/issues/232)).
 - **New error codes**: `ProtectErrorCode` (re-exported from `@cipherstash/protect-ffi`) gains `MATCH_REQUIRES_TEXT` and `UNSUPPORTED_CONFIG_VERSION`. Exhaustive switches over `ProtectErrorCode` will need additional cases.
 - **`match` index validation**: protect-ffi now rejects `match` indexes on columns whose `cast_as` is not text-family (`'text'` / `'string'`) with `MATCH_REQUIRES_TEXT`. The stack's `freeTextSearch()` builder is unaffected because it only targets string-typed columns.
 - **`Encrypted` ciphertext shape**: protect-ffi's `Encrypted` type is now a discriminated union keyed on `k` (`'ct'` for scalars, `'sv'` for SteVec). SteVec storage payloads now place the root document ciphertext at `sv[0].c`. The stack's `isEncryptedPayload` runtime check continues to work because storage payloads still carry `c` (scalar) or `sv` (SteVec). The DynamoDB helpers (`toEncryptedDynamoItem`, `SearchTermsOperation`) now narrow on `k` before reading variant-only fields.

packages/cli/src/sql/cipherstash-encrypt-no-operator-family.sql

@@ -2915,7 +2915,7 @@ CREATE FUNCTION eql_v2.version()
   RETURNS text
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
-  SELECT 'eql-2.3.0';
+  SELECT 'eql-2.3.1';
 $$ LANGUAGE SQL;
 
 
@@ -6221,12 +6221,21 @@ $$ LANGUAGE plpgsql;
 --! @brief Validate ciphertext field in encrypted payload
 --! @internal
 --!
---! Checks that the encrypted payload contains the required 'c' (ciphertext) field
---! which stores the encrypted data.
+--! Checks that the encrypted payload carries the required root-level ciphertext
+--! envelope. The v2.3 payload schema admits two mutually exclusive top-level
+--! shapes (`docs/reference/schema/eql-payload-v2.3.schema.json`):
+--!
+--!   - `EncryptedPayload` (scalar) — carries `c` at the root.
+--!   - `SteVecPayload` (jsonb / structured) — carries `sv` at the root; the
+--!     root document ciphertext lives inside `sv[0].c`, so `c` is absent at
+--!     the root.
+--!
+--! Either shape satisfies this check. Per-element ciphertext validity on
+--! `sv` entries is enforced separately by the `eql_v2.ste_vec_entry` DOMAIN.
 --!
 --! @param jsonb Encrypted payload to validate
---! @return Boolean True if 'c' field is present
---! @throws Exception if 'c' field is missing
+--! @return Boolean True if either 'c' or 'sv' is present at the root
+--! @throws Exception if neither 'c' nor 'sv' is present
 --!
 --! @note Used in CHECK constraints to ensure payload structure
 --! @see eql_v2.check_encrypted
@@ -6235,10 +6244,10 @@ CREATE FUNCTION eql_v2._encrypted_check_c(val jsonb)
   SET search_path = pg_catalog, extensions, public
 AS $$
 	BEGIN
-    IF (val ? 'c') THEN
+    IF (val ? 'c') OR (val ? 'sv') THEN
       RETURN true;
     END IF;
-    RAISE 'Encrypted column missing ciphertext (c) field: %', val;
+    RAISE 'Encrypted column missing ciphertext (c) or ste_vec (sv) field: %', val;
   END;
 $$ LANGUAGE plpgsql;
 

packages/cli/src/sql/cipherstash-encrypt-supabase.sql

@@ -2915,7 +2915,7 @@ CREATE FUNCTION eql_v2.version()
   RETURNS text
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
-  SELECT 'eql-2.3.0';
+  SELECT 'eql-2.3.1';
 $$ LANGUAGE SQL;
 
 
@@ -6221,12 +6221,21 @@ $$ LANGUAGE plpgsql;
 --! @brief Validate ciphertext field in encrypted payload
 --! @internal
 --!
---! Checks that the encrypted payload contains the required 'c' (ciphertext) field
---! which stores the encrypted data.
+--! Checks that the encrypted payload carries the required root-level ciphertext
+--! envelope. The v2.3 payload schema admits two mutually exclusive top-level
+--! shapes (`docs/reference/schema/eql-payload-v2.3.schema.json`):
+--!
+--!   - `EncryptedPayload` (scalar) — carries `c` at the root.
+--!   - `SteVecPayload` (jsonb / structured) — carries `sv` at the root; the
+--!     root document ciphertext lives inside `sv[0].c`, so `c` is absent at
+--!     the root.
+--!
+--! Either shape satisfies this check. Per-element ciphertext validity on
+--! `sv` entries is enforced separately by the `eql_v2.ste_vec_entry` DOMAIN.
 --!
 --! @param jsonb Encrypted payload to validate
---! @return Boolean True if 'c' field is present
---! @throws Exception if 'c' field is missing
+--! @return Boolean True if either 'c' or 'sv' is present at the root
+--! @throws Exception if neither 'c' nor 'sv' is present
 --!
 --! @note Used in CHECK constraints to ensure payload structure
 --! @see eql_v2.check_encrypted
@@ -6235,10 +6244,10 @@ CREATE FUNCTION eql_v2._encrypted_check_c(val jsonb)
   SET search_path = pg_catalog, extensions, public
 AS $$
 	BEGIN
-    IF (val ? 'c') THEN
+    IF (val ? 'c') OR (val ? 'sv') THEN
       RETURN true;
     END IF;
-    RAISE 'Encrypted column missing ciphertext (c) field: %', val;
+    RAISE 'Encrypted column missing ciphertext (c) or ste_vec (sv) field: %', val;
   END;
 $$ LANGUAGE plpgsql;
 

packages/cli/src/sql/cipherstash-encrypt.sql

@@ -3843,7 +3843,7 @@ CREATE FUNCTION eql_v2.version()
   RETURNS text
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
-  SELECT 'eql-2.3.0';
+  SELECT 'eql-2.3.1';
 $$ LANGUAGE SQL;
 
 
@@ -6460,12 +6460,21 @@ $$ LANGUAGE plpgsql;
 --! @brief Validate ciphertext field in encrypted payload
 --! @internal
 --!
---! Checks that the encrypted payload contains the required 'c' (ciphertext) field
---! which stores the encrypted data.
+--! Checks that the encrypted payload carries the required root-level ciphertext
+--! envelope. The v2.3 payload schema admits two mutually exclusive top-level
+--! shapes (`docs/reference/schema/eql-payload-v2.3.schema.json`):
+--!
+--!   - `EncryptedPayload` (scalar) — carries `c` at the root.
+--!   - `SteVecPayload` (jsonb / structured) — carries `sv` at the root; the
+--!     root document ciphertext lives inside `sv[0].c`, so `c` is absent at
+--!     the root.
+--!
+--! Either shape satisfies this check. Per-element ciphertext validity on
+--! `sv` entries is enforced separately by the `eql_v2.ste_vec_entry` DOMAIN.
 --!
 --! @param jsonb Encrypted payload to validate
---! @return Boolean True if 'c' field is present
---! @throws Exception if 'c' field is missing
+--! @return Boolean True if either 'c' or 'sv' is present at the root
+--! @throws Exception if neither 'c' nor 'sv' is present
 --!
 --! @note Used in CHECK constraints to ensure payload structure
 --! @see eql_v2.check_encrypted
@@ -6474,10 +6483,10 @@ CREATE FUNCTION eql_v2._encrypted_check_c(val jsonb)
   SET search_path = pg_catalog, extensions, public
 AS $$
 	BEGIN
-    IF (val ? 'c') THEN
+    IF (val ? 'c') OR (val ? 'sv') THEN
       RETURN true;
     END IF;
-    RAISE 'Encrypted column missing ciphertext (c) field: %', val;
+    RAISE 'Encrypted column missing ciphertext (c) or ste_vec (sv) field: %', val;
   END;
 $$ LANGUAGE plpgsql;
 

packages/prisma-next/migrations/20260601T0000_install_eql_bundle/ops.json

@@ -2,7 +2,7 @@
  * Vendored CipherStash EQL bundle SQL.
  *
  * The CipherStash team ships the bundle as a single Postgres script
- * (~5,750 lines, currently `eql-2.2.1`) that creates the `eql_v2`
+ * (~7,650 lines, currently `eql-2.3.1`) that creates the `eql_v2`
  * schema, the `eql_v2_*` composite types / domains, the
  * `eql_v2_configuration` table, plus roughly 169 functions, 46
  * operators, 4 casts, and 9 operator classes / families. CipherStash

packages/prisma-next/src/migration/eql-bundle.ts

@@ -1,12 +1,12 @@
 // @generated — DO NOT EDIT.
 // Source: scripts/vendor-eql-install.ts
-// Bundle pinned version: eql-2.3.0
+// Bundle pinned version: eql-2.3.1
 //
 // This file is committed to source control so dev environments and
 // offline builds work without network access. Regenerate with
 // `pnpm vendor-eql-install` after bumping EQL_VERSION in the script.
 
-export const EQL_INSTALL_VERSION = 'eql-2.3.0' as const;
+export const EQL_INSTALL_VERSION = 'eql-2.3.1' as const;
 
 export const EQL_INSTALL_SQL: string = `--! @file schema.sql
 --! @brief EQL v2 schema creation
@@ -3853,7 +3853,7 @@ CREATE FUNCTION eql_v2.version()
   RETURNS text
   IMMUTABLE STRICT PARALLEL SAFE
 AS $$
-  SELECT 'eql-2.3.0';
+  SELECT 'eql-2.3.1';
 $$ LANGUAGE SQL;
 
 
@@ -6470,12 +6470,21 @@ $$ LANGUAGE plpgsql;
 --! @brief Validate ciphertext field in encrypted payload
 --! @internal
 --!
---! Checks that the encrypted payload contains the required 'c' (ciphertext) field
---! which stores the encrypted data.
+--! Checks that the encrypted payload carries the required root-level ciphertext
+--! envelope. The v2.3 payload schema admits two mutually exclusive top-level
+--! shapes (\`docs/reference/schema/eql-payload-v2.3.schema.json\`):
+--!
+--!   - \`EncryptedPayload\` (scalar) — carries \`c\` at the root.
+--!   - \`SteVecPayload\` (jsonb / structured) — carries \`sv\` at the root; the
+--!     root document ciphertext lives inside \`sv[0].c\`, so \`c\` is absent at
+--!     the root.
+--!
+--! Either shape satisfies this check. Per-element ciphertext validity on
+--! \`sv\` entries is enforced separately by the \`eql_v2.ste_vec_entry\` DOMAIN.
 --!
 --! @param jsonb Encrypted payload to validate
---! @return Boolean True if 'c' field is present
---! @throws Exception if 'c' field is missing
+--! @return Boolean True if either 'c' or 'sv' is present at the root
+--! @throws Exception if neither 'c' nor 'sv' is present
 --!
 --! @note Used in CHECK constraints to ensure payload structure
 --! @see eql_v2.check_encrypted
@@ -6484,10 +6493,10 @@ CREATE FUNCTION eql_v2._encrypted_check_c(val jsonb)
   SET search_path = pg_catalog, extensions, public
 AS $$
 	BEGIN
-    IF (val ? 'c') THEN
+    IF (val ? 'c') OR (val ? 'sv') THEN
       RETURN true;
     END IF;
-    RAISE 'Encrypted column missing ciphertext (c) field: %', val;
+    RAISE 'Encrypted column missing ciphertext (c) or ste_vec (sv) field: %', val;
   END;
 $$ LANGUAGE plpgsql;