/**
 * @bytelyst/field-encrypt
 *
 * Application-layer field encryption for ByteLyst ecosystem.
 * AES-256-GCM with envelope encryption (MEK → DEK).
 *
 * @example
 * ```typescript
 * import { createFieldEncryptor } from '@bytelyst/field-encrypt';
 *
 * const encryptor = createFieldEncryptor({
 *   keyProvider: 'memory', // 'akv' | 'env' | 'memory'
 * });
 *
 * const encrypted = await encryptor.encrypt('sensitive data', {
 *   userId: 'user_123',
 *   context: 'transcripts',
 * });
 *
 * const plaintext = await encryptor.decrypt(encrypted, {
 *   userId: 'user_123',
 *   context: 'transcripts',
 * });
 * ```
 */

// ── Main API ────────────────────────────────────────
export { createFieldEncryptor, FieldEncryptor, NullFieldEncryptor } from './field-encryptor.js';

// ── Type guards ─────────────────────────────────────
export { isEncryptedField } from './guards.js';

// ── Types ───────────────────────────────────────────
export type {
  EncryptedField,
  WrappedDek,
  FieldEncryptContext,
  FieldEncryptorConfig,
  KeyProvider,
  KeyProviderType,
  DekStore,
} from './types.js';

// ── Low-level (for custom integrations) ─────────────
export { encryptField, decryptField, generateAesKey } from './aes-gcm.js';
export { buildDekId, getOrCreateDek, rewrapAllDeks } from './envelope.js';
export { DekCache } from './key-cache.js';
export { MemoryDekStore } from './dek-store-memory.js';

// ── Key providers (for direct use / testing) ────────
export { MemoryKeyProvider } from './key-provider-memory.js';
export { EnvKeyProvider } from './key-provider-env.js';
export { AkvKeyProvider } from './key-provider-akv.js';

// ── Migration ───────────────────────────────────────
export { migrateDocuments } from './migration.js';
export type { MigrationResult, MigrateDocumentsOptions } from './migration.js';