Skip to content

@cipherstash/protect@12.0.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 02 Jun 04:08
@cipherstash/protect@12.0.0
917b5c0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Major Changes

  • f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

    Breaking upstream changes adopted in this release:

    • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
    • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
    • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
    • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
    • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
    • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
    • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
    • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

Patch Changes

  • Updated dependencies [f743fcc]
    • @cipherstash/schema@3.0.0
Assets 2
Loading