Merge pull request #155 from cipherstash/protect-installer

calvinbrewer · web-flow · commit 9277114e384f · 2025-12-09T08:35:15.000-07:00
feat(build): add protect variant for ProtectJS customers
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -34,8 +34,16 @@ This project uses `mise` for task management. Common commands:
 - Dependencies are resolved using `-- REQUIRE:` comments in SQL files
 - Build outputs to `release/` directory:
   - `cipherstash-encrypt.sql` - Main installer
-  - `cipherstash-encrypt-supabase.sql` - Supabase-compatible installer
-  - `cipherstash-encrypt-uninstall.sql` - Uninstaller
+  - `cipherstash-encrypt-supabase.sql` - Supabase-compatible (excludes operator classes)
+  - `cipherstash-encrypt-protect.sql` - ProtectJS variant (excludes config management)
+  - Corresponding uninstallers for each variant
+
+#### Build Variants
+| Variant | Excludes | Use Case |
+|---------|----------|----------|
+| Main | Nothing | Full EQL with all features |
+| Supabase | Operator classes | Supabase compatibility |
+| Protect | `src/config/*`, `src/encryptindex/*` | ProtectJS (no database-side config) |
 
 ## Project Architecture
 
diff --git a/tasks/build.sh b/tasks/build.sh
@@ -2,7 +2,7 @@
 #MISE description="Build SQL into single release file"
 #MISE alias="b"
 #MISE sources=["src/**/*.sql"]
-#MISE outputs=["release/cipherstash-encrypt.sql","release/cipherstash-encrypt-uninstall.sql"]
+#MISE outputs=["release/cipherstash-encrypt.sql","release/cipherstash-encrypt-uninstall.sql","release/cipherstash-encrypt-protect.sql","release/cipherstash-encrypt-protect-uninstall.sql"]
 #USAGE flag "--version <version>" help="Specify release version of EQL" default="DEV"
 
 #!/bin/bash
@@ -17,9 +17,14 @@ rm -f release/cipherstash-encrypt.sql
 rm -f release/cipherstash-encrypt-uninstall-supabase.sql
 rm -f release/cipherstash-encrypt-supabase.sql
 
+rm -f release/cipherstash-encrypt-protect.sql
+rm -f release/cipherstash-encrypt-protect-uninstall.sql
+
 rm -f src/version.sql
 rm -f src/deps-supabase.txt
 rm -f src/deps-ordered-supabase.txt
+rm -f src/deps-protect.txt
+rm -f src/deps-ordered-protect.txt
 
 
 RELEASE_VERSION=${usage_version:-DEV}
@@ -85,6 +90,29 @@ cat src/deps-ordered-supabase.txt | xargs cat | grep -v REQUIRE >> dbdev/eql--0.
 cat tasks/uninstall.sql >> release/cipherstash-encrypt-uninstall-supabase.sql
 
 
+# Protect variant build - excludes config management and encryptindex
+find src -type f -path "*.sql" ! -path "*_test.sql" ! -path "**/config/*" ! -path "**/encryptindex/*" | while IFS= read -r sql_file; do
+    echo $sql_file
+
+    echo "$sql_file $sql_file" >> src/deps-protect.txt
+
+    while IFS= read -r line; do
+        if [[ "$line" == *"-- REQUIRE:"* ]]; then
+            deps=${line#*-- REQUIRE: }
+            for dep in $deps; do
+                echo "$sql_file $dep" >> src/deps-protect.txt
+            done
+        fi
+    done < "$sql_file"
+done
+
+cat src/deps-protect.txt | tsort | tac > src/deps-ordered-protect.txt
+
+cat src/deps-ordered-protect.txt | xargs cat | grep -v REQUIRE >> release/cipherstash-encrypt-protect.sql
+
+cat tasks/uninstall-protect.sql >> release/cipherstash-encrypt-protect-uninstall.sql
+
+
 set +x
 echo
 echo '###############################################'
@@ -94,7 +122,9 @@ echo
 echo 'Installer:'
 echo '    release/cipherstash-encrypt.sql'
 echo '    release/cipherstash-encrypt-supabase.sql'
+echo '    release/cipherstash-encrypt-protect.sql'
 echo
 echo 'Uninstaller:'
 echo '    release/cipherstash-encrypt-uninstall.sql'
 echo '    release/cipherstash-encrypt-uninstall-supabase.sql'
+echo '    release/cipherstash-encrypt-protect-uninstall.sql'
diff --git a/tasks/uninstall-protect.sql b/tasks/uninstall-protect.sql
@@ -0,0 +1 @@
+DROP SCHEMA IF EXISTS eql_v2 CASCADE;
diff --git a/tests/sqlx/tests/build_validation_tests.rs b/tests/sqlx/tests/build_validation_tests.rs
@@ -0,0 +1,149 @@
+//! Build output validation tests
+//!
+//! Validates that build variants contain/exclude the expected components.
+//! These tests run against the built SQL files, not the database.
+
+use std::fs;
+use std::path::Path;
+
+/// Helper to read a release SQL file
+fn read_release_sql(filename: &str) -> String {
+    let path = format!("../../release/{}", filename);
+    fs::read_to_string(&path).unwrap_or_else(|_| panic!("Failed to read {}", path))
+}
+
+// =============================================================================
+// Protect Variant Tests
+// =============================================================================
+
+#[test]
+fn protect_variant_file_exists() {
+    assert!(
+        Path::new("../../release/cipherstash-encrypt-protect.sql").exists(),
+        "protect variant installer should exist"
+    );
+}
+
+#[test]
+fn protect_uninstaller_exists() {
+    assert!(
+        Path::new("../../release/cipherstash-encrypt-protect-uninstall.sql").exists(),
+        "protect variant uninstaller should exist"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_config_table() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE TABLE") || !sql.contains("eql_v2_configuration"),
+        "protect variant should not contain eql_v2_configuration table"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_config_state_type() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("eql_v2_configuration_state"),
+        "protect variant should not contain eql_v2_configuration_state enum"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_add_search_config() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE FUNCTION eql_v2.add_search_config")
+            && !sql.contains("CREATE OR REPLACE FUNCTION eql_v2.add_search_config"),
+        "protect variant should not contain add_search_config function"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_add_column() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE FUNCTION eql_v2.add_column")
+            && !sql.contains("CREATE OR REPLACE FUNCTION eql_v2.add_column"),
+        "protect variant should not contain add_column function"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_migrate_config() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE FUNCTION eql_v2.migrate_config")
+            && !sql.contains("CREATE OR REPLACE FUNCTION eql_v2.migrate_config"),
+        "protect variant should not contain migrate_config function"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_create_encrypted_columns() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE FUNCTION eql_v2.create_encrypted_columns")
+            && !sql.contains("CREATE OR REPLACE FUNCTION eql_v2.create_encrypted_columns"),
+        "protect variant should not contain create_encrypted_columns function"
+    );
+}
+
+#[test]
+fn protect_variant_excludes_diff_config() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        !sql.contains("CREATE FUNCTION eql_v2.diff_config")
+            && !sql.contains("CREATE OR REPLACE FUNCTION eql_v2.diff_config"),
+        "protect variant should not contain diff_config function"
+    );
+}
+
+#[test]
+fn protect_variant_includes_core_encrypted_type() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        sql.contains("eql_v2_encrypted"),
+        "protect variant should contain eql_v2_encrypted type"
+    );
+}
+
+#[test]
+fn protect_variant_includes_operators() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        sql.contains("CREATE OPERATOR"),
+        "protect variant should contain operators"
+    );
+}
+
+#[test]
+fn protect_variant_includes_blake3() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        sql.contains("eql_v2.blake3"),
+        "protect variant should contain blake3 index type"
+    );
+}
+
+#[test]
+fn protect_variant_includes_hmac_256() {
+    let sql = read_release_sql("cipherstash-encrypt-protect.sql");
+    assert!(
+        sql.contains("eql_v2.hmac_256"),
+        "protect variant should contain hmac_256 index type"
+    );
+}
+
+#[test]
+fn protect_variant_is_smaller_than_full() {
+    let protect = read_release_sql("cipherstash-encrypt-protect.sql");
+    let full = read_release_sql("cipherstash-encrypt.sql");
+    assert!(
+        protect.len() < full.len(),
+        "protect variant ({} bytes) should be smaller than full variant ({} bytes)",
+        protect.len(),
+        full.len()
+    );
+}
