bb3f5385fc
- 10 source files: types, aes-gcm, 3 key providers (memory/env/akv), envelope, key-cache, dek-store, guards, migration, factory - 42 Vitest tests: AES-GCM roundtrips, tamper detection, unicode, 100KB payloads, key providers, DEK cache TTL/LRU, envelope lifecycle, migration (dry-run + idempotent), config validation - AKV MEK creation script (scripts/create-encryption-keys.sh) for 10 product MEKs - .env.example updated with FIELD_ENCRYPT_* vars
28 lines
681 B
TypeScript
28 lines
681 B
TypeScript
/**
|
|
* @bytelyst/field-encrypt — Type guards
|
|
*
|
|
* Utility to detect encrypted vs plaintext fields during migration.
|
|
*/
|
|
|
|
import type { EncryptedField } from './types.js';
|
|
|
|
/**
|
|
* Check if a value is an EncryptedField.
|
|
*
|
|
* Use this in repositories to handle both encrypted and plaintext fields
|
|
* during the migration period.
|
|
*/
|
|
export function isEncryptedField(value: unknown): value is EncryptedField {
|
|
return (
|
|
typeof value === 'object' &&
|
|
value !== null &&
|
|
'__encrypted' in value &&
|
|
(value as Record<string, unknown>).__encrypted === true &&
|
|
'v' in value &&
|
|
'ct' in value &&
|
|
'iv' in value &&
|
|
'tag' in value &&
|
|
'dekId' in value
|
|
);
|
|
}
|