Merge pull request #294 from cipherstash/stack-package

docs: clean up docs for Stash Stack

Author: calvinbrewer

docs/README.md

@@ -1,6 +1,6 @@
-# CipherStash Encryption documentation
+# CipherStash documentation
 
-The documentation for CipherStash Encryption is organized into the following sections:
+## Getting started
 
 - [Getting started](./getting-started.md)
 
@@ -10,16 +10,20 @@ The documentation for CipherStash Encryption is organized into the following sec
 
 ## Reference
 
+- [Workspace plans and limits](./reference/plans.md)
 - [Configuration and production deployment](./reference/configuration.md)
-- [Searchable encryption with PostgreSQL](./reference/searchable-encryption-postgres.md) (includes JSONB queries with searchableJson)
 - [Encryption schemas](./reference/schema.md)
 - [Model operations with bulk crypto functions](./reference/model-operations.md)
+- [Searchable encryption with PostgreSQL](./reference/searchable-encryption-postgres.md) (includes JSONB queries with searchableJson)
+- [Secrets management](./reference/secrets.md)
+- [Identity-aware encryption](./reference/identity.md)
 
 ### ORMs and frameworks
 
 - [Supabase SDK](./reference/supabase-sdk.md)
+- [DynamoDB integration](./reference/dynamodb.md)
 
-### Drizzle ORM Integration
+### Drizzle ORM integration
 
 - [Encryption Operators Pattern](reference/drizzle/drizzle.md) - Recommended approach with auto-encrypting operators
 - [Manual Encryption Pattern](reference/drizzle/drizzle-protect.md) - Explicit control over encryption workflow

docs/reference/configuration.md

@@ -2,7 +2,7 @@
 
 CipherStash Encryption is configured with [toml](https://toml.io/en/) files or environment variables, and is used to initialize the Encryption client.
 
-Environment variables will take precedence over configuration files and it's recommented to use them for sensitive values.
+Environment variables will take precedence over configuration files and it's recommended to use them for sensitive values.
 
 ## Table of contents
 
@@ -99,9 +99,8 @@ The following environment variables are supported:
 
 ## Configuring the Encryption client directly
 
-You can also configure the Encryption client directly by passing a `EncryptionClientConfig` object to the `Encryption` function during initialization.
-This is useful if you want to configure the Encryption client specific to your application.
-An exmaple of this might be if you want to use a secret manager to store your client key and access key rather than relying on environment variables or configuration files.
+You can also configure the Encryption client directly by passing an `EncryptionClientConfig` object to the `Encryption` function during initialization.
+This is useful if you want to use a secret manager to store your client key and access key rather than relying on environment variables or configuration files.
 
 ```ts
 import { Encryption, type EncryptionClientConfig } from "@cipherstash/stack";
@@ -119,6 +118,52 @@ const config: EncryptionClientConfig = {
 const client = await Encryption(config);
 ```
 
+### Multi-tenant keyset configuration
+
+For multi-tenant applications, you can specify a keyset to isolate encryption keys per tenant.
+A keyset can be identified by name or by UUID:
+
+```ts
+const client = await Encryption({
+  schemas: [users],
+  config: {
+    workspaceCrn: "your-workspace-crn",
+    accessKey: "your-access-key",
+    clientId: "your-client-id",
+    clientKey: "your-client-key",
+    keyset: { name: "tenant-acme" },
+    // or by UUID:
+    // keyset: { id: "550e8400-e29b-41d4-a716-446655440000" },
+  },
+});
+```
+
+Each keyset provides an isolated set of encryption keys, so data encrypted under one keyset cannot be decrypted with another.
+
+### Logging configuration
+
+You can configure structured logging for the Encryption client:
+
+```ts
+const client = await Encryption({
+  schemas: [users],
+  logging: {
+    enabled: true,
+    pretty: true, // Pretty-print log output (auto-detected in development)
+    drain: (ctx) => {
+      // Forward logs to your logging service
+      myLogger.log(ctx)
+    },
+  },
+});
+```
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | `boolean` | `true` | Toggle logging on or off. |
+| `pretty` | `boolean` | Auto-detected | Enable pretty-printed log format. |
+| `drain` | `(ctx) => void` | `undefined` | Callback for forwarding log events to an external platform. |
+
 ## Deploying to production
 
 > [!TIP]

docs/reference/dynamodb.md

@@ -0,0 +1,246 @@
+# DynamoDB integration
+
+CipherStash Encryption provides a DynamoDB helper that transparently encrypts and decrypts items according to your encryption schema.
+The helper wraps your existing DynamoDB workflow — you handle the DynamoDB client calls, and the helper handles encryption.
+
+## Table of contents
+
+- [Overview](#overview)
+- [Installation](#installation)
+- [Setting up encryptedDynamoDB](#setting-up-encrypteddynamodb)
+- [Encrypting a model](#encrypting-a-model)
+- [Decrypting a model](#decrypting-a-model)
+- [Bulk operations](#bulk-operations)
+  - [Bulk encryption](#bulk-encryption)
+  - [Bulk decryption](#bulk-decryption)
+- [Using nested objects](#using-nested-objects)
+- [Error handling](#error-handling)
+
+## Overview
+
+The `encryptedDynamoDB` function creates a helper bound to your `EncryptionClient`.
+It provides `encryptModel`, `decryptModel`, `bulkEncryptModels`, and `bulkDecryptModels` methods that work with your DynamoDB items.
+
+Unlike the Supabase and Drizzle integrations, the DynamoDB helper does not wrap a database client.
+You use it to encrypt items before sending them to DynamoDB and decrypt items after retrieving them.
+
+## Installation
+
+The DynamoDB helper is included in the `@cipherstash/stack` package:
+
+```bash
+npm install @cipherstash/stack
+```
+
+Import from the `@cipherstash/stack/dynamodb` subpath:
+
+```typescript
+import { encryptedDynamoDB } from '@cipherstash/stack/dynamodb'
+```
+
+## Setting up encryptedDynamoDB
+
+Create an encryption schema and initialize the helper:
+
+```typescript
+import { Encryption } from '@cipherstash/stack'
+import { encryptedDynamoDB } from '@cipherstash/stack/dynamodb'
+import { encryptedTable, encryptedColumn } from '@cipherstash/stack/schema'
+
+// 1. Define your encryption schema
+const users = encryptedTable('users', {
+  email: encryptedColumn('email').equality(),
+  name: encryptedColumn('name'),
+})
+
+// 2. Initialize the encryption client
+const client = await Encryption({ schemas: [users] })
+
+// 3. Create the DynamoDB helper
+const dynamo = encryptedDynamoDB({ encryptionClient: client })
+```
+
+### Configuration options
+
+The `encryptedDynamoDB` function accepts an `EncryptedDynamoDBConfig` object:
+
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `encryptionClient` | `EncryptionClient` | Yes | The initialized encryption client. |
+| `options.logger` | `{ error: (message, error) => void }` | No | Custom logger for error reporting. |
+| `options.errorHandler` | `(error: EncryptedDynamoDBError) => void` | No | Custom error handler callback. |
+
+## Encrypting a model
+
+Use `encryptModel` to encrypt an item before writing it to DynamoDB:
+
+```typescript
+import { DynamoDBClient, PutItemCommand } from '@aws-sdk/client-dynamodb'
+import { marshall } from '@aws-sdk/util-dynamodb'
+
+const user = {
+  id: '1',
+  email: 'user@example.com',
+  name: 'Alice Johnson',
+  role: 'admin', // Not in schema — will remain unchanged
+}
+
+const encryptedResult = await dynamo.encryptModel(user, users)
+
+if (encryptedResult.failure) {
+  console.error('Encryption failed:', encryptedResult.failure.message)
+  return
+}
+
+// Write the encrypted item to DynamoDB
+const dynamoClient = new DynamoDBClient({})
+await dynamoClient.send(
+  new PutItemCommand({
+    TableName: 'users',
+    Item: marshall(encryptedResult.data),
+  })
+)
+```
+
+Fields defined in the encryption schema (`email`, `name`) are encrypted.
+Fields not in the schema (`id`, `role`) pass through unchanged.
+
+## Decrypting a model
+
+Use `decryptModel` to decrypt an item after reading it from DynamoDB:
+
+```typescript
+import { GetItemCommand } from '@aws-sdk/client-dynamodb'
+import { unmarshall } from '@aws-sdk/util-dynamodb'
+
+const response = await dynamoClient.send(
+  new GetItemCommand({
+    TableName: 'users',
+    Key: marshall({ id: '1' }),
+  })
+)
+
+const item = unmarshall(response.Item!)
+
+const decryptedResult = await dynamo.decryptModel(item, users)
+
+if (decryptedResult.failure) {
+  console.error('Decryption failed:', decryptedResult.failure.message)
+  return
+}
+
+console.log(decryptedResult.data.email) // 'user@example.com'
+```
+
+## Bulk operations
+
+### Bulk encryption
+
+Use `bulkEncryptModels` for encrypting multiple items:
+
+```typescript
+const items = [
+  { id: '1', email: 'alice@example.com', name: 'Alice' },
+  { id: '2', email: 'bob@example.com', name: 'Bob' },
+]
+
+const encryptedResult = await dynamo.bulkEncryptModels(items, users)
+
+if (encryptedResult.failure) {
+  console.error('Bulk encryption failed:', encryptedResult.failure.message)
+  return
+}
+
+// Write encrypted items to DynamoDB using BatchWriteItem
+```
+
+### Bulk decryption
+
+Use `bulkDecryptModels` for decrypting multiple items:
+
+```typescript
+const decryptedResult = await dynamo.bulkDecryptModels(encryptedItems, users)
+
+if (decryptedResult.failure) {
+  console.error('Bulk decryption failed:', decryptedResult.failure.message)
+  return
+}
+
+const decryptedUsers = decryptedResult.data
+```
+
+## Using nested objects
+
+The DynamoDB helper supports nested object encryption using `encryptedValue`:
+
+```typescript
+import { encryptedTable, encryptedColumn, encryptedValue } from '@cipherstash/stack/schema'
+
+const users = encryptedTable('users', {
+  email: encryptedColumn('email'),
+  profile: {
+    name: encryptedValue('profile.name'),
+    address: {
+      street: encryptedValue('profile.address.street'),
+    },
+  },
+})
+
+const dynamo = encryptedDynamoDB({ encryptionClient: client })
+
+const user = {
+  id: '1',
+  email: 'user@example.com',
+  profile: {
+    name: 'Alice Johnson',
+    address: {
+      street: '123 Main St',
+      city: 'Sydney', // Not in schema — unchanged
+    },
+  },
+}
+
+const encryptedResult = await dynamo.encryptModel(user, users)
+```
+
+> [!NOTE]
+> Nested objects support encryption up to 3 levels deep. Searchable encryption is not supported on nested fields.
+
+## Error handling
+
+All DynamoDB helper methods return a `Result` type:
+
+```typescript
+const result = await dynamo.encryptModel(item, users)
+
+if (result.failure) {
+  console.error('Error:', result.failure.type, result.failure.message)
+  return
+}
+
+const encryptedItem = result.data
+```
+
+You can also provide a custom error handler in the configuration:
+
+```typescript
+const dynamo = encryptedDynamoDB({
+  encryptionClient: client,
+  options: {
+    errorHandler: (error) => {
+      console.error(`DynamoDB encryption error [${error.code}]:`, error.message)
+    },
+    logger: {
+      error: (message, error) => {
+        // Send to your logging service
+      },
+    },
+  },
+})
+```
+
+---
+
+### Didn't find what you wanted?
+
+[Click here to let us know what was missing from our docs.](https://github.com/cipherstash/protectjs/issues/new?template=docs-feedback.yml&title=[Docs:]%20Feedback%20on%20dynamodb.md)