fix(stack): address Copilot review on null guard restoration

- Keep public encrypt() / decrypt() return types narrow. The runtime
  guards now cast `null as unknown as Encrypted` / `JsPlaintext` at the
  short-circuit site so callers who respect the input contract get a
  non-nullable `data` field as before. The cast acknowledges that the
  null branch is unreachable by the public type — defense in depth only
  trips on direct construction with a cast plaintext / ciphertext.
- Public `Encryption.decrypt()` reverts to `decrypt(encryptedData:
  Encrypted)` (was widened to `Encrypted | null`). JSDoc gets a
  `@remarks` block documenting the runtime null short-circuit so the
  defense-in-depth behavior is discoverable.
- encrypt-query operations no longer carry a redundant `| null` in
  their generic / execute return — `EncryptedQueryResult` already
  includes null, so the union was double-nullable.
- encrypt-query: capture a local `const plaintext: JsPlaintext` after
  the null/undefined guard so the three `as JsPlaintext` casts inside
  withResult drop. Same in the WithLockContext variant.
- bulk-encrypt: consolidate the two `@/types` import statements.
- Add `__tests__/null-guards.test.ts` covering encrypt(null),
  decrypt(null), bulkEncrypt all-null, bulkDecrypt all-null,
  encryptQuery(null|undefined), and batchEncryptQuery all-null/undefined.
  Constructs operation classes directly so the test runs without
  credentials — the short-circuits return before any FFI call.

Author: coderdan

.changeset/restore-null-guards-in-encryption-ops.md

@@ -19,5 +19,4 @@ Type adjustments to support the runtime behavior honestly:
 
 - `BulkEncryptPayload['plaintext']`, `BulkEncryptedData['data']`, `BulkDecryptPayload['data']`, and the `T` of `BulkDecryptedData` all widen to `... | null`. Bulk APIs now accept and return mixed nullable arrays without filtering ahead of time.
 - `EncryptedQueryResult` widens to include `null` so the batch query path can return position-stable arrays with null slots.
-- `Encryption.decrypt()` accepts `Encrypted | null` (returns null for null input).
-- `Encryption.encrypt()`'s public signature is unchanged — still `JsPlaintext` (no null). The runtime guard is defense in depth for the cases the type system can't catch.
+- `Encryption.encrypt()` and `Encryption.decrypt()` public signatures are unchanged — still narrow (`JsPlaintext` / `Encrypted` input, `Encrypted` / `JsPlaintext` non-nullable output). The runtime null short-circuit in `EncryptOperation` / `DecryptOperation` is defense in depth for callers reaching the operation classes through casts, dynamic field walking, or JS interop. The narrow-return contract holds for any caller that respects the input contract.

packages/stack/__tests__/null-guards.test.ts

@@ -0,0 +1,108 @@
+// Defense-in-depth tests for the runtime null short-circuits restored
+// across the encryption operation classes. These hit the operation
+// constructors directly rather than going through `Encryption()` so they
+// don't need credentials or a network — the guard short-circuits before
+// any FFI call. See `fix(stack): restore runtime null guards in
+// encryption operations` for context.
+
+import { BatchEncryptQueryOperation } from '@/encryption/operations/batch-encrypt-query'
+import { BulkDecryptOperation } from '@/encryption/operations/bulk-decrypt'
+import { BulkEncryptOperation } from '@/encryption/operations/bulk-encrypt'
+import { DecryptOperation } from '@/encryption/operations/decrypt'
+import { EncryptQueryOperation } from '@/encryption/operations/encrypt-query'
+import { EncryptOperation } from '@/encryption/operations/encrypt'
+import { encryptedColumn, encryptedTable } from '@/schema'
+import { describe, expect, it } from 'vitest'
+
+const table = encryptedTable('null-guards-test', {
+  metadata: encryptedColumn('metadata').searchableJson(),
+})
+
+// Any truthy stand-in — the guard returns before the client is touched.
+const stubClient = {} as any
+
+describe('runtime null guards (defense in depth)', () => {
+  it('encrypt(null) short-circuits without an FFI call', async () => {
+    const op = new EncryptOperation(stubClient, null, {
+      column: table.metadata,
+      table,
+    })
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toBeNull()
+  })
+
+  it('decrypt(null) short-circuits without an FFI call', async () => {
+    const op = new DecryptOperation(stubClient, null)
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toBeNull()
+  })
+
+  it('bulkEncrypt preserves null positions in mixed arrays', async () => {
+    // Single null-only input — no FFI call should happen, the all-null
+    // fast path returns a {data: null} placeholder per element.
+    const op = new BulkEncryptOperation(
+      stubClient,
+      [{ id: 'a', plaintext: null }],
+      { column: table.metadata, table },
+    )
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toEqual([{ id: 'a', data: null }])
+  })
+
+  it('bulkDecrypt preserves null positions in mixed arrays', async () => {
+    const op = new BulkDecryptOperation(stubClient, [{ id: 'a', data: null }])
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toEqual([{ id: 'a', data: null }])
+  })
+
+  it('encryptQuery(null) short-circuits to { data: null }', async () => {
+    const op = new EncryptQueryOperation(stubClient, null, {
+      column: table.metadata,
+      table,
+      queryType: 'steVecSelector',
+      returnType: 'composite-literal',
+    } as any)
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toBeNull()
+  })
+
+  it('encryptQuery(undefined) short-circuits to { data: null }', async () => {
+    const op = new EncryptQueryOperation(stubClient, undefined, {
+      column: table.metadata,
+      table,
+      queryType: 'steVecSelector',
+      returnType: 'composite-literal',
+    } as any)
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toBeNull()
+  })
+
+  it('batchEncryptQuery preserves null/undefined slots position-stably', async () => {
+    // All-null/undefined batch — no FFI call needed.
+    const op = new BatchEncryptQueryOperation(stubClient, [
+      {
+        column: table.metadata,
+        table,
+        queryType: 'steVecSelector',
+        returnType: 'composite-literal',
+        value: null,
+      } as any,
+      {
+        column: table.metadata,
+        table,
+        queryType: 'steVecSelector',
+        returnType: 'composite-literal',
+        value: undefined,
+      } as any,
+    ])
+    const result = await op.execute()
+    if (result.failure) throw new Error(result.failure.message)
+    expect(result.data).toEqual([null, null])
+  })
+})

packages/stack/src/encryption/index.ts

@@ -308,10 +308,17 @@ export class EncryptionClient {
    *      .withLockContext(lockContext)
    * ```
    *
+   * @remarks
+   * The public input type rejects null, but at runtime `decrypt` will
+   * short-circuit and return null when given a null ciphertext
+   * (defense in depth for legacy / manually-NULLed DB rows reached via
+   * casts or dynamic field walking). The narrow return type holds for
+   * any caller that respects the input contract.
+   *
    * @see {@link LockContext}
    * @see {@link DecryptOperation}
    */
-  decrypt(encryptedData: Encrypted | null): DecryptOperation {
+  decrypt(encryptedData: Encrypted): DecryptOperation {
     return new DecryptOperation(this.client, encryptedData)
   }
 

packages/stack/src/encryption/operations/bulk-encrypt.ts

@@ -11,10 +11,10 @@ import type {
   BulkEncryptPayload,
   BulkEncryptedData,
   Client,
+  Encrypted,
   EncryptOptions,
 } from '@/types'
 import { createRequestLogger } from '@/utils/logger'
-import type { Encrypted } from '@/types'
 import { type Result, withResult } from '@byteslice/result'
 import { type JsPlaintext, encryptBulk } from '@cipherstash/protect-ffi'
 import { noClientError } from '../index'

packages/stack/src/encryption/operations/decrypt.ts

@@ -15,10 +15,12 @@ import { EncryptionOperation } from './base-operation'
  * Decrypts an encrypted payload using the provided client.
  * This is the type returned by the {@link EncryptionClient.decrypt | decrypt} method of the {@link EncryptionClient}.
  */
-export class DecryptOperation extends EncryptionOperation<JsPlaintext | null> {
+export class DecryptOperation extends EncryptionOperation<JsPlaintext> {
   private client: Client
-  // Widened to allow null so legacy / manually-NULLed rows can be
-  // round-tripped through decrypt without misbehaving in protect-ffi.
+  // Internally widened to allow null so the runtime guard below can
+  // short-circuit on legacy / manually-NULLed rows. The public
+  // `Encryption.decrypt()` signature still rejects null at the type
+  // layer; this is defense in depth for direct construction.
   private encryptedData: Encrypted | null
 
   constructor(client: Client, encryptedData: Encrypted | null) {
@@ -33,7 +35,7 @@ export class DecryptOperation extends EncryptionOperation<JsPlaintext | null> {
     return new DecryptOperationWithLockContext(this, lockContext)
   }
 
-  public async execute(): Promise<Result<JsPlaintext | null, EncryptionError>> {
+  public async execute(): Promise<Result<JsPlaintext, EncryptionError>> {
     const log = createRequestLogger()
     log.set({
       op: 'decrypt',
@@ -47,7 +49,8 @@ export class DecryptOperation extends EncryptionOperation<JsPlaintext | null> {
         }
 
         if (this.encryptedData === null) {
-          return null
+          // See encrypt.ts for the same defense-in-depth pattern.
+          return null as unknown as JsPlaintext
         }
 
         const { metadata } = this.getAuditData()
@@ -83,9 +86,7 @@ export class DecryptOperation extends EncryptionOperation<JsPlaintext | null> {
   }
 }
 
-export class DecryptOperationWithLockContext extends EncryptionOperation<
-  JsPlaintext | null
-> {
+export class DecryptOperationWithLockContext extends EncryptionOperation<JsPlaintext> {
   private operation: DecryptOperation
   private lockContext: LockContext
 
@@ -99,7 +100,7 @@ export class DecryptOperationWithLockContext extends EncryptionOperation<
     }
   }
 
-  public async execute(): Promise<Result<JsPlaintext | null, EncryptionError>> {
+  public async execute(): Promise<Result<JsPlaintext, EncryptionError>> {
     const log = createRequestLogger()
     log.set({
       op: 'decrypt',
@@ -115,7 +116,7 @@ export class DecryptOperationWithLockContext extends EncryptionOperation<
         }
 
         if (encryptedData === null) {
-          return null
+          return null as unknown as JsPlaintext
         }
 
         const { metadata } = this.getAuditData()

packages/stack/src/encryption/operations/encrypt-query.ts

@@ -20,9 +20,7 @@ import { EncryptionOperation } from './base-operation'
 /**
  * @internal Use {@link EncryptionClient.encryptQuery} instead.
  */
-export class EncryptQueryOperation extends EncryptionOperation<
-  EncryptedQueryResult | null
-> {
+export class EncryptQueryOperation extends EncryptionOperation<EncryptedQueryResult> {
   constructor(
     private client: Client,
     private plaintext: JsPlaintext | null | undefined,
@@ -44,7 +42,7 @@ export class EncryptQueryOperation extends EncryptionOperation<
   }
 
   public async execute(): Promise<
-    Result<EncryptedQueryResult | null, EncryptionError>
+    Result<EncryptedQueryResult, EncryptionError>
   > {
     const log = createRequestLogger()
     log.set({
@@ -60,7 +58,9 @@ export class EncryptQueryOperation extends EncryptionOperation<
       return { data: null }
     }
 
-    const validationError = validateNumericValue(this.plaintext)
+    const plaintext: JsPlaintext = this.plaintext
+
+    const validationError = validateNumericValue(plaintext)
     if (validationError?.failure) {
       log.emit()
       return { failure: validationError.failure }
@@ -75,18 +75,18 @@ export class EncryptQueryOperation extends EncryptionOperation<
         const { indexType, queryOp } = resolveIndexType(
           this.opts.column,
           this.opts.queryType,
-          this.plaintext as JsPlaintext,
+          plaintext,
         )
 
         // Validate value/index compatibility
         assertValueIndexCompatibility(
-          this.plaintext as JsPlaintext,
+          plaintext,
           indexType,
           this.opts.column.getName(),
         )
 
         const encrypted = await ffiEncryptQuery(this.client, {
-          plaintext: this.plaintext as JsPlaintext,
+          plaintext,
           column: this.opts.column.getName(),
           table: this.opts.table.tableName,
           indexType,
@@ -117,9 +117,7 @@ export class EncryptQueryOperation extends EncryptionOperation<
 /**
  * @internal Use {@link EncryptionClient.encryptQuery} with `.withLockContext()` instead.
  */
-export class EncryptQueryOperationWithLockContext extends EncryptionOperation<
-  EncryptedQueryResult | null
-> {
+export class EncryptQueryOperationWithLockContext extends EncryptionOperation<EncryptedQueryResult> {
   constructor(
     private client: Client,
     private plaintext: JsPlaintext | null | undefined,
@@ -132,7 +130,7 @@ export class EncryptQueryOperationWithLockContext extends EncryptionOperation<
   }
 
   public async execute(): Promise<
-    Result<EncryptedQueryResult | null, EncryptionError>
+    Result<EncryptedQueryResult, EncryptionError>
   > {
     const log = createRequestLogger()
     log.set({
@@ -148,7 +146,9 @@ export class EncryptQueryOperationWithLockContext extends EncryptionOperation<
       return { data: null }
     }
 
-    const validationError = validateNumericValue(this.plaintext)
+    const plaintext: JsPlaintext = this.plaintext
+
+    const validationError = validateNumericValue(plaintext)
     if (validationError?.failure) {
       log.emit()
       return { failure: validationError.failure }
@@ -171,18 +171,18 @@ export class EncryptQueryOperationWithLockContext extends EncryptionOperation<
         const { indexType, queryOp } = resolveIndexType(
           this.opts.column,
           this.opts.queryType,
-          this.plaintext as JsPlaintext,
+          plaintext,
         )
 
         // Validate value/index compatibility
         assertValueIndexCompatibility(
-          this.plaintext as JsPlaintext,
+          plaintext,
           indexType,
           this.opts.column.getName(),
         )
 
         const encrypted = await ffiEncryptQuery(this.client, {
-          plaintext: this.plaintext as JsPlaintext,
+          plaintext,
           column: this.opts.column.getName(),
           table: this.opts.table.tableName,
           indexType,

packages/stack/src/encryption/operations/encrypt.ts

@@ -17,7 +17,7 @@ import {
 import { noClientError } from '../index'
 import { EncryptionOperation } from './base-operation'
 
-export class EncryptOperation extends EncryptionOperation<Encrypted | null> {
+export class EncryptOperation extends EncryptionOperation<Encrypted> {
   private client: Client
   // Internally widened to allow null so the runtime guard below can
   // short-circuit. The public `Encryption.encrypt()` signature still
@@ -45,7 +45,7 @@ export class EncryptOperation extends EncryptionOperation<Encrypted | null> {
     return new EncryptOperationWithLockContext(this, lockContext)
   }
 
-  public async execute(): Promise<Result<Encrypted | null, EncryptionError>> {
+  public async execute(): Promise<Result<Encrypted, EncryptionError>> {
     const log = createRequestLogger()
     log.set({
       op: 'encrypt',
@@ -61,7 +61,13 @@ export class EncryptOperation extends EncryptionOperation<Encrypted | null> {
         }
 
         if (this.plaintext === null) {
-          return null
+          // Defense in depth: the public `Encryption.encrypt()` signature
+          // rejects null, but null can still arrive here via casts or
+          // dynamic field walking. Return null directly so the result
+          // matches DB NULL semantics rather than encrypting JSON null
+          // into a SteVec. The cast acknowledges the type-narrow
+          // contract at the public boundary.
+          return null as unknown as Encrypted
         }
 
         if (
@@ -115,7 +121,7 @@ export class EncryptOperation extends EncryptionOperation<Encrypted | null> {
   }
 }
 
-export class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted | null> {
+export class EncryptOperationWithLockContext extends EncryptionOperation<Encrypted> {
   private operation: EncryptOperation
   private lockContext: LockContext
 
@@ -129,7 +135,7 @@ export class EncryptOperationWithLockContext extends EncryptionOperation<Encrypt
     }
   }
 
-  public async execute(): Promise<Result<Encrypted | null, EncryptionError>> {
+  public async execute(): Promise<Result<Encrypted, EncryptionError>> {
     const { client, plaintext, column, table } = this.operation.getOperation()
 
     const log = createRequestLogger()
@@ -147,7 +153,7 @@ export class EncryptOperationWithLockContext extends EncryptionOperation<Encrypt
         }
 
         if (plaintext === null) {
-          return null
+          return null as unknown as Encrypted
         }
 
         const { metadata } = this.getAuditData()