Important
If you are looking to implement this package into your application please use the official protect package.
This project provides the JS bindings for the CipherStash Client Rust SDK and is bootstrapped by create-neon.
Building requires a supported version of Node and Rust.
To run the build, run:
$ npm run buildThis command uses the @neon-rs/cli utility to assemble the binary Node addon from the output of cargo.
You can use the stash CLI tool to set up your local environment.
You will be prompted to sign in or create an account and follow steps to create a keyset and client key.
brew install cipherstash/tap/stash
stash setupAfter building protect-ffi, you can explore its exports at the Node console.
CS_CLIENT_ID and CS_CLIENT_KEY must be set in your environment for the call to newClient() to succeed.
$ npm i
$ npm run build
$ node
> const addon = require(".");
> const client = await addon.newClient(JSON.stringify({v: 1, tables: {users: {email: {indexes: {ore: {}, match: {}, unique: {}}}}}}));
> const ciphertext = await addon.encrypt(client, "plaintext", "email", "users");
> const plaintext = await addon.decrypt(client, JSON.parse(ciphertext).c);
> console.log({ciphertext, plaintext});In the project directory, you can run:
Builds the Node addon (index.node) from source, generating a release build with cargo --release.
Additional cargo build arguments may be passed to npm run build and similar commands. For example, to enable a cargo feature:
npm run build -- --feature=beetle
Similar to npm run build but generates a debug build with cargo.
Similar to npm run build but uses cross-rs to cross-compile for another platform. Use the CARGO_BUILD_TARGET environment variable to select the build target.
Initiate a full build and publication of a new patch release of this library via GitHub Actions.
Initiate a dry run of a patch release of this library via GitHub Actions. This performs a full build but does not publish the final result.
Formats and lints Rust and TypeScript code. Also runs Rust tests.
Note: npm test at project root does not run integration tests.
For integration tests, see below.
The directory structure of this project is:
protect-ffi/
├── Cargo.toml
├── README.md
├── integration-tests/
├── lib/
├── src/
| ├── index.mts
| └── index.cts
├── crates/
| └── protect-ffi/
| └── src/
| └── lib.rs
├── platforms/
├── package.json
└── target/
| Entry | Purpose |
|---|---|
Cargo.toml |
The Cargo manifest file, which informs the cargo command. |
README.md |
This file. |
integration-tests/ |
The directory containing integration tests. |
lib/ |
The directory containing the generated output from tsc. |
src/ |
The directory containing the TypeScript source files. |
index.mts |
Entry point for when this library is loaded via ESM import syntax. |
index.cts |
Entry point for when this library is loaded via CJS require. |
crates/ |
The directory tree containing the Rust source code for the project. |
lib.rs |
Entry point for the Rust source code. |
platforms/ |
The directory containing distributions of the binary addon backend for each platform supported by this library. |
package.json |
The npm manifest file, which informs the npm command. |
target/ |
Binary artifacts generated by the Rust build. |
Integration tests live in the ./integration-tests directory.
These tests use the local build of Rust and JavaScript artifacts to test @cipherstash/protect-ffi as API consumers would.
These tests rely on:
- CipherStash to be configured (via
.tomlconfig or environment variables), and - Environment variables for Postgres to be set
Example environment variables:
CS_CLIENT_ID=
CS_CLIENT_KEY=
CS_CLIENT_ACCESS_KEY=
CS_WORKSPACE_CRN=
PGPORT=5432
PGDATABASE=cipherstash
PGUSER=cipherstash
PGPASSWORD=password
PGHOST=localhost
To run integration tests:
mise setup
mise test:integrationYou can also run the integration tests in "watch" mode:
mise test:integration --watchBy default lock context tests are not included because invalid lock contexts fire security warnings in ZeroKMS. To include these, run:
mise test:integration:allReleases are handled by GitHub Actions using a workflow_dispatch event trigger.
The release workflow was generated by Neon.
The release workflow is responsible for:
- Building and publishing the main
@cipherstash/protect-ffipackage as well as the native packages for each platform (e.g.@cipherstash/protect-ffi-darwin-arm64). - Creating the GitHub release.
- Creating a Git tag for the version.
To perform a release:
- Navigate to the "Release" workflow page in GitHub.
- Click on "Run workflow".
- Select the branch to release from.
Use the default of
mainunless you want to do a pre-release version or dry run from a branch. - Select whether or not to do a dry run. Dry runs are useful for verifying that the build will succeed for all platforms before doing a full run with a publish.
- Choose a version to publish.
The options are similar to
npm version. Select "custom" in the dropdown and fill in the "Custom version" text box if you want to use a semver string instead of the shorthand (patch, minor, major, etc.). - Click "Run workflow".
Note that we currently don't have any automation around release notes or a changelog. However, you can add release notes after running the workflow by editing the release on GitHub.
Learn more about: