Skip to content

docs(encryption): align index & query recipes with EQL 2.3#21

Open
coderdan wants to merge 3 commits into
mainfrom
docs/eql-2.3-index-query-recipes
Open

docs(encryption): align index & query recipes with EQL 2.3#21
coderdan wants to merge 3 commits into
mainfrom
docs/eql-2.3-index-query-recipes

Conversation

@coderdan
Copy link
Copy Markdown
Contributor

@coderdan coderdan commented May 20, 2026
edited
Loading

Draft — hold until eql-2.3.0 final ships. Cross-checked against EQL 2.3 (eql-2.3.0-pre.4 + in-flight fixes).

Why

The encryption docs were written against pre-2.3 EQL, where a bare WHERE col = $1 did not engage a functional index. They taught two models:

  1. operator-class B-tree indexes for self-hosted vs functional indexes for Supabase;
  2. on Supabase, hand-wrapping queries as WHERE eql_v2.hmac_256(col) = eql_v2.hmac_256($1).

EQL 2.3's functional-index inlining (U-001 / PR #193) makes functional indexes the single recipe for both deployments, and bare-form queries engage them automatically. The docs' central "wrong vs right query form" guidance is now backwards.

Changes

indexes.mdx — rewritten around functional indexes:

  • one recipe per query type;
  • equality USING hash (eql_v2.hmac_256), match USING gin (eql_v2.bloom_filter), JSONB USING gin (eql_v2.jsonb_array), range USING btree (eql_v2.ore_block_u64_8_256);
  • equality / match / JSONB work on all providers; range additionally needs a custom operator class on the ORE term type — available on most providers (self-hosted, AWS RDS) but not Supabase;
  • dropped the obsolete "Supabase query forms" wrong/right section and the "OPE-index work in progress" note (OPE was removed entirely in 2.3).

queries.mdx — collapsed the self-hosted/Supabase equality split into one bare-form query; fixed ORDER BY to the functional eql_v2.ore_block_u64_8_256(col) form; replaced the dead cs_ste_vec_v2(...) function name.

searchable-encryption.mdx — same ORDER BY and cs_ste_vec_v2 fixes.

Verify before merge

  • JSONB containment query form. I used eql_v2.jsonb_array(col) @> eql_v2.jsonb_array($1) (EQL's own database-indexes.md recipe). EQL 2.3 also has a typed stevec_query @> path — confirm which is the recommended public recipe, and that the SDK's JSONB query generation matches.
  • Final eql-2.3.0 does not shift any function name vs pre.4.

Out of scope (follow-ups)

  • reference/eql/index.mdx — generated by scripts/generate-eql-docs.ts from the latest EQL release. Not edited here. It still shows blake3 / ocf / ocv; re-run bun run generate-docs:eql once eql-2.3.0 is released to refresh it.
  • reference/cipher-cell.mdx — documents the payload format with the removed b3 / ocf / ocv fields (now hm / oc). Needs a separate pass.
  • reference/drizzle.mdx, security-architecture.mdx, comparisons/fhe.mdx — operator-family / Blake3 mentions; some (Blake3 as a cipher-cell integrity hash) may still be accurate — needs a crypto-team eye.

@coderdan
docs(encryption): align index & query recipes with EQL 2.3
1f33bad 
Pre-2.3 docs assumed a bare `WHERE col = $1` would not engage a
functional index, so they taught two models: operator-class B-tree
indexes for self-hosted, hand-wrapped `eql_v2.hmac_256(...)` queries
for Supabase. EQL 2.3's functional-index inlining makes functional
indexes the single recipe for both deployments, and bare-form queries
engage them automatically.

indexes.mdx — rewrite around functional indexes: one recipe per query
type (equality `USING hash (eql_v2.hmac_256)`, match `USING gin
(eql_v2.bloom_filter)`, JSONB `USING gin (eql_v2.jsonb_array)`, range
`USING btree (eql_v2.ore_block_u64_8_256)`); range is the lone
self-hosted-only case (its ORE-term operator class needs superuser);
drop the obsolete "Supabase query forms" wrong/right section and the
removed-in-2.3 OPE references.

queries.mdx — collapse the self-hosted/Supabase equality split into a
single bare-form query; fix ORDER BY to the functional
`eql_v2.ore_block_u64_8_256(col)` form; replace the dead
`cs_ste_vec_v2(...)` function name.

searchable-encryption.mdx — same ORDER BY and `cs_ste_vec_v2` fixes.
@vercel
Copy link
Copy Markdown

vercel Bot commented May 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
public-docs Ready Ready Preview, Comment May 20, 2026 11:40am

Request Review

coderdan added 2 commits May 20, 2026 21:39
@coderdan
docs(encryption): range index availability is "most providers", not s…
e741aac 
…elf-hosted only

The range index needs a custom operator class on the ORE term type.
That is not a self-hosted-vs-managed split: any provider that allows
operator-class creation supports it — self-hosted PostgreSQL and AWS RDS
included. Supabase is the notable exception, not "all managed databases".

Reword the range-index availability across indexes.mdx, queries.mdx, and
searchable-encryption.mdx — "most providers" rather than "self-hosted
only", and drop the over-specific "requires superuser" claim.
@coderdan
docs(encryption): reword the last 'self-hosted only' ORDER BY label
d20d210
@coderdan coderdan mentioned this pull request May 20, 2026
Open
7 tasks
@coderdan coderdan marked this pull request as ready for review May 20, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@calvinbrewer calvinbrewer calvinbrewer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@coderdan @calvinbrewer