cipherstash · coderdan · Jun 2, 2026 · Jun 2, 2026
@@ -1,5 +1,13 @@
 # @cipherstash/basic-example
 
+## 1.2.12
+
+### Patch Changes
+
+- Updated dependencies [6e7ae4e]
+- Updated dependencies [712d7fa]
+  - @cipherstash/stack@0.18.0
+
 ## 1.2.11
 
 ### Patch Changes

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/basic-example",
   "private": true,
-  "version": "1.2.11",
+  "version": "1.2.12",
   "type": "module",
   "scripts": {
     "start": "tsx index.ts"

@@ -1,5 +1,14 @@
 # @cipherstash/prisma-next-example
 
+## 0.0.4
+
+### Patch Changes
+
+- Updated dependencies [6e7ae4e]
+- Updated dependencies [712d7fa]
+  - @cipherstash/stack@0.18.0
+  - @cipherstash/prisma-next@0.3.1
+
 ## 0.0.3
 
 ### Patch Changes

@@ -1,7 +1,7 @@
 {
   "name": "@cipherstash/prisma-next-example",
   "private": true,
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "End-to-end example of @cipherstash/prisma-next: searchable application-layer encryption for Postgres with Prisma Next, using @cipherstash/stack as the SDK.",
   "type": "module",
   "scripts": {

@@ -1,5 +1,13 @@
 # @cipherstash/bench
 
+## 0.0.3
+
+### Patch Changes
+
+- Updated dependencies [6e7ae4e]
+- Updated dependencies [712d7fa]
+  - @cipherstash/stack@0.18.0
+
 ## 0.0.2
 
 ### Patch Changes

@@ -1,6 +1,6 @@
 {
   "name": "@cipherstash/bench",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "private": true,
   "description": "Performance / index-engagement benchmarks for stack integrations (Drizzle, encryptedSupabase, Prisma).",
   "type": "module",

@@ -1,5 +1,13 @@
 # @cipherstash/prisma-next
 
+## 0.3.1
+
+### Patch Changes
+
+- Updated dependencies [6e7ae4e]
+- Updated dependencies [712d7fa]
+  - @cipherstash/stack@0.18.0
+
 ## 0.3.0
 
 ### Minor Changes

@@ -1,6 +1,6 @@
 {
 	"name": "@cipherstash/prisma-next",
-	"version": "0.3.0",
+	"version": "0.3.1",
 	"license": "MIT",
 	"author": "CipherStash <support@cipherstash.com>",
 	"description": "CipherStash extension for Prisma Next: searchable application-layer field-level encryption for Postgres, with six encrypted column types, 17 query operators, bulk encrypt/decrypt middleware, and a baseline migration that installs the vendored EQL bundle SQL byte-for-byte.",

@@ -1,5 +1,40 @@
 # @cipherstash/stack
 
+## 0.18.0
+
+### Minor Changes
+
+- 6e7ae4e: Export the operation classes returned by the encryption and DynamoDB clients as public API.
+
+  The classes returned from public methods are now exported and documented in the API reference, so their types can be named and their TSDoc links resolve.
+
+  - From `@cipherstash/stack/encryption`: `EncryptOperation`, `EncryptQueryOperation`, `BatchEncryptQueryOperation`, `DecryptOperation`, `EncryptModelOperation`, `DecryptModelOperation`, `BulkEncryptOperation`, `BulkDecryptOperation`, `BulkEncryptModelsOperation`, `BulkDecryptModelsOperation`. `EncryptQueryOperation` and `BatchEncryptQueryOperation` were previously marked `@internal`; since they are returned from `EncryptionClient.encryptQuery`, they are now public for consistency with the other operations.
+  - From `@cipherstash/stack/dynamodb`: `EncryptModelOperation`, `DecryptModelOperation`, `BulkEncryptModelsOperation`, `BulkDecryptModelsOperation`.
+  - From `@cipherstash/stack/types`: `EncryptedQuery` and `EncryptedFromSchema`.
+
+  The `*WithLockContext` variants returned by `.withLockContext()` remain internal — they share the same awaitable shape and are not intended to be named directly.
+
+  No runtime behaviour changes; this only widens the exported surface and corrects TSDoc cross-references that previously failed to resolve.
+
+- 712d7fa: Fix: restore runtime null short-circuits in the encryption operation classes.
+
+  A prior refactor (`feat(stack): remove null from Encrypted type`) tightened the type signatures to disallow `null` and, alongside that, deleted the `if (value === null) return null` guards from every operation in `packages/stack/src/encryption/operations/`. The type guard does not survive runtime: callers reaching the operation through a cast (e.g. `null as any`), dynamic model walking, or JS interop would then have their null silently encrypted by protect-ffi into a real SteVec ciphertext (`{ k: 'sv', v: 2, ... }`) — which is observable, surprising, and breaks symmetry with the model-helpers layer that does still treat null as "absent" at the field level.
+
+  Restored, mirroring the pattern in `@cipherstash/protect`:
+
+  - `encrypt` / `encryptWithLockContext`: `if (plaintext === null) return null`.
+  - `bulkEncrypt` / `bulkEncryptWithLockContext`: per-element null filter; nulls are preserved in position in the output.
+  - `decrypt` / `decryptWithLockContext`: `if (encryptedData === null) return null`.
+  - `bulkDecrypt` / `bulkDecryptWithLockContext`: per-element null filter, position-preserving merge.
+  - `encryptQuery` / `encryptQueryWithLockContext`: `if (plaintext === null || plaintext === undefined) return { data: null }`.
+  - `batchEncryptQuery` / `batchEncryptQueryWithLockContext`: per-element null/undefined filter; null slots in the input array stay null in the result array.
+
+  Type adjustments to support the runtime behavior honestly:
+
+  - `BulkEncryptPayload['plaintext']`, `BulkEncryptedData['data']`, `BulkDecryptPayload['data']`, and the `T` of `BulkDecryptedData` all widen to `... | null`. Bulk APIs now accept and return mixed nullable arrays without filtering ahead of time.
+  - `EncryptedQueryResult` widens to include `null` so the batch query path can return position-stable arrays with null slots.
+  - `Encryption.encrypt()` and `Encryption.decrypt()` public signatures are unchanged — still narrow (`JsPlaintext` / `Encrypted` input, `Encrypted` / `JsPlaintext` non-nullable output). The runtime null short-circuit in `EncryptOperation` / `DecryptOperation` is defense in depth for callers reaching the operation classes through casts, dynamic field walking, or JS interop. The narrow-return contract holds for any caller that respects the input contract.
+
 ## 0.17.0
 
 ### Minor Changes

@@ -1,6 +1,6 @@
 {
 	"name": "@cipherstash/stack",
-	"version": "0.17.0",
+	"version": "0.18.0",
 	"description": "CipherStash Stack for TypeScript and JavaScript",
 	"keywords": [
 		"encrypted",