suggestions

mdb-ad · mdb-ad · commit 223e65e68984 · 2025-08-11T12:59:09.000-07:00
diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md
@@ -1814,59 +1814,39 @@ metadata.
 
 Data keys are stored in the MongoDB key vault collection with the following schema:
 
-|              |                  |                                                                                                                          |
-| ------------ | ---------------- | ------------------------------------------------------------------------------------------------------------------------ |
-| **Name**     | **Type**         | **Description**                                                                                                          |
-| \_id         | UUID             | A unique identifier for the key.                                                                                         |
-| version      | Int64            | A numeric identifier for the schema version of this document. Implicitly 0 if unset.                                     |
-| keyAltNames  | Array of strings | Alternate names to search for keys by. Used for a per-document key scenario in support of GDPR scenarios.                |
-| keyMaterial  | BinData          | Encrypted data key material, BinData type General                                                                        |
-| creationDate | Date             | The datetime the wrapped data key material was imported into the Key Database.                                           |
-| updateDate   | Date             | The datetime the wrapped data key material was last modified. On initial import, this value will be set to creationDate. |
-| status       | Int              | 0 = enabled, 1 = disabled                                                                                                |
-| masterKey    | Document         | Per provider master key definition, see below                                                                            |
+| | | | | \------------ | ---------------- |
+\------------------------------------------------------------------------------------------------------------------------
+| | **Name** | **Type** | **Description** | | \_id | UUID | A unique identifier for the key. | | version | Int64 | A
+numeric identifier for the schema version of this document. Implicitly 0 if unset. | | keyAltNames | Array of strings |
+Alternate names to search for keys by. Used for a per-document key scenario in support of GDPR scenarios. | |
+keyMaterial | BinData | Encrypted data key material, BinData type General | | creationDate | Date | The datetime the
+wrapped data key material was imported into the Key Database. | | updateDate | Date | The datetime the wrapped data key
+material was last modified. On initial import, this value will be set to creationDate. | | status | Int | 0 = enabled, 1
+= disabled | | masterKey | Document | Per provider master key definition, see below |
 
 #### masterKey contents
 
-|          |          |                                                                       |
-| -------- | -------- | --------------------------------------------------------------------- |
-| **Name** | **Type** | **Description**                                                       |
-| provider | "aws"    |                                                                       |
-| key      | String   | AWS ARN. Only applicable for "aws" provider.                          |
-| region   | String   | AWS Region that contains AWS ARN. Only applicable for "aws" provider. |
-| endpoint | String   | Alternate AWS endpoint (needed for FIPS endpoints)                    |
-
-|                  |          |                                                               |
-| ---------------- | -------- | ------------------------------------------------------------- |
-| **Name**         | **Type** | **Description**                                               |
-| provider         | "azure"  |                                                               |
-| keyVaultEndpoint | String   | Required key vault endpoint. (e.g. "example.vault.azure.net") |
-| keyName          | String   | Required key name.                                            |
-| keyVersion       | String   | Optional key version.                                         |
-
-|            |          |                                                                  |
-| ---------- | -------- | ---------------------------------------------------------------- |
-| **Name**   | **Type** | **Description**                                                  |
-| provider   | "gcp"    |                                                                  |
-| projectId  | String   | Required project ID.                                             |
-| location   | String   | Required location name (e.g. "global")                           |
-| keyRing    | String   | Required key ring name.                                          |
-| keyName    | String   | Required key name.                                               |
-| keyVersion | String   | Optional key version.                                            |
-| endpoint   | String   | Optional, KMS URL, defaults to <https://cloudkms.googleapis.com> |
-
-|          |          |                 |
-| -------- | -------- | --------------- |
-| **Name** | **Type** | **Description** |
-| provider | "local"  |                 |
-
-|           |          |                                                                                        |
-| --------- | -------- | -------------------------------------------------------------------------------------- |
-| **Name**  | **Type** | **Description**                                                                        |
-| provider  | "kmip"   |                                                                                        |
-| endpoint  | String   | Optional. Defaults to kmip.endpoint from KMS providers.                                |
-| delegated | Boolean  | Optional. Defaults to false.                                                           |
-| keyId     | String   | Required. keyId is the Unique Identifier to a 96 byte KMIP Secret Data managed object. |
+| | | | | -------- | -------- | --------------------------------------------------------------------- | | **Name** |
+**Type** | **Description** | | provider | "aws" | | | key | String | AWS ARN. Only applicable for "aws" provider. | |
+region | String | AWS Region that contains AWS ARN. Only applicable for "aws" provider. | | endpoint | String |
+Alternate AWS endpoint (needed for FIPS endpoints) |
+
+| | | | | ---------------- | -------- | ------------------------------------------------------------- | | **Name** |
+**Type** | **Description** | | provider | "azure" | | | keyVaultEndpoint | String | Required key vault endpoint. (e.g.
+"example.vault.azure.net") | | keyName | String | Required key name. | | keyVersion | String | Optional key version. |
+
+| | | | | ---------- | -------- | ---------------------------------------------------------------- | | **Name** |
+**Type** | **Description** | | provider | "gcp" | | | projectId | String | Required project ID. | | location | String |
+Required location name (e.g. "global") | | keyRing | String | Required key ring name. | | keyName | String | Required
+key name. | | keyVersion | String | Optional key version. | | endpoint | String | Optional, KMS URL, defaults to
+<https://cloudkms.googleapis.com> |
+
+| | | | | -------- | -------- | --------------- | | **Name** | **Type** | **Description** | | provider | "local" | |
+
+| | | | | \--------- | -------- | --------------------------------------------------------------------------------------
+| | **Name** | **Type** | **Description** | | provider | "kmip" | | | endpoint | String | Optional. Defaults to
+kmip.endpoint from KMS providers. | | delegated | Boolean | Optional. Defaults to false. | | keyId | String | Required.
+keyId is the Unique Identifier to a 96 byte KMIP Secret Data managed object. |
 
 Data keys are needed for encryption and decryption. They are identified in the intent-to-encrypt marking and ciphertext.
 Data keys may be retrieved by querying the "\_id" with a UUID or by querying the "keyAltName" with a string.
@@ -1943,11 +1923,12 @@ encrypt : {
 
 Each field is briefly described as follows:
 
-| Name      | Type                    | Description                                                                                                                                 |
-| --------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| bsonType  | string                  | The bsonType of the underlying encrypted field.                                                                                             |
-| algorithm | string                  | "AEAD_AES_256_CBC_HMAC_SHA_512-Random" or <br>"AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"                                                 |
-| keyId     | string or array of UUID | If string, it is a JSON pointer to a field with a scalar value <br>identifying a key by keyAltName.<br>If array, an array of eligible keys. |
+| Name | Type | Description | | --------- | ----------------------- |
+\-------------------------------------------------------------------------------------------------------------------------------------------
+| | bsonType | string | The bsonType of the underlying encrypted field. | | algorithm | string |
+"AEAD_AES_256_CBC_HMAC_SHA_512-Random" or <br>"AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" | | keyId | string or array
+of UUID | If string, it is a JSON pointer to a field with a scalar value <br>identifying a key by keyAltName.<br>If
+array, an array of eligible keys. |
 
 ### libmongocrypt: Prohibitions and warnings
 
@@ -1996,46 +1977,16 @@ IV key and any given encryption operation will derive the IV from the IV key and
 libmongocrypt determines whether or not the command requires encryption (i.e. is sent to mongocryptd) based on the table
 below. Commands not listed in this table will result in an error returned by libmongocrypt.
 
-|                          |             |
-| ------------------------ | ----------- |
-| **Command**              | **Action**  |
-| aggregate (collection)   | AUTOENCRYPT |
-| count                    | AUTOENCRYPT |
-| distinct                 | AUTOENCRYPT |
-| delete                   | AUTOENCRYPT |
-| find                     | AUTOENCRYPT |
-| findAndModify            | AUTOENCRYPT |
-| getMore                  | BYPASS      |
-| insert                   | AUTOENCRYPT |
-| update                   | AUTOENCRYPT |
-| authenticate             | BYPASS      |
-| getnonce                 | BYPASS      |
-| logout                   | BYPASS      |
-| hello                    | BYPASS      |
-| legacy hello             | BYPASS      |
-| abortTransaction         | BYPASS      |
-| commitTransaction        | BYPASS      |
-| endSessions              | BYPASS      |
-| startSession             | BYPASS      |
-| create                   | BYPASS      |
-| createIndexes            | BYPASS      |
-| createSearchIndexes      | BYPASS      |
-| drop                     | BYPASS      |
-| dropDatabase             | BYPASS      |
-| dropIndexes              | BYPASS      |
-| dropSearchIndex          | BYPASS      |
-| killCursors              | BYPASS      |
-| listCollections          | BYPASS      |
-| listDatabases            | BYPASS      |
-| listIndexes              | BYPASS      |
-| renameCollection         | BYPASS      |
-| explain                  | AUTOENCRYPT |
-| ping                     | BYPASS      |
-| killAllSessions          | BYPASS      |
-| killSessions             | BYPASS      |
-| killAllSessionsByPattern | BYPASS      |
-| refreshSessions          | BYPASS      |
-| updateSearchIndex        | BYPASS      |
+| | | | ------------------------ | ----------- | | **Command** | **Action** | | aggregate (collection) | AUTOENCRYPT | |
+count | AUTOENCRYPT | | distinct | AUTOENCRYPT | | delete | AUTOENCRYPT | | find | AUTOENCRYPT | | findAndModify |
+AUTOENCRYPT | | getMore | BYPASS | | insert | AUTOENCRYPT | | update | AUTOENCRYPT | | authenticate | BYPASS | |
+getnonce | BYPASS | | logout | BYPASS | | hello | BYPASS | | legacy hello | BYPASS | | abortTransaction | BYPASS | |
+commitTransaction | BYPASS | | endSessions | BYPASS | | startSession | BYPASS | | create | BYPASS | | createIndexes |
+BYPASS | | createSearchIndexes | BYPASS | | drop | BYPASS | | dropDatabase | BYPASS | | dropIndexes | BYPASS | |
+dropSearchIndex | BYPASS | | killCursors | BYPASS | | listCollections | BYPASS | | listDatabases | BYPASS | |
+listIndexes | BYPASS | | renameCollection | BYPASS | | explain | AUTOENCRYPT | | ping | BYPASS | | killAllSessions |
+BYPASS | | killSessions | BYPASS | | killAllSessionsByPattern | BYPASS | | refreshSessions | BYPASS | |
+updateSearchIndex | BYPASS |
 
 All AUTOENCRYPT commands are sent to mongocryptd, even if there is no JSONSchema. This is to ensure that commands that
 reference other collections (e.g. aggregate with `$lookup`) are handled properly.
diff --git a/source/client-side-encryption/etc/data/encryptedFields-prefix-suffix.json b/source/client-side-encryption/etc/data/encryptedFields-prefix-suffix.json
@@ -7,7 +7,7 @@
                     "subType": "04"
                 }
             },
-            "path": "encrypted-textPreview",
+            "path": "encryptedText",
             "bsonType": "string",
             "queries": [
                 {
diff --git a/source/client-side-encryption/etc/data/encryptedFields-substring.json b/source/client-side-encryption/etc/data/encryptedFields-substring.json
@@ -7,7 +7,7 @@
                     "subType": "04"
                 }
             },
-            "path": "encrypted-textPreview",
+            "path": "encryptedText",
             "bsonType": "string",
             "queries": [
                 {
diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md
@@ -3834,6 +3834,36 @@ class EncryptOpts {
 }
 ```
 
+Where prefix, suffix, or substring options are required, use the following:
+
+1. Prefix
+
+    ```typescript
+    class PrefixOpts {
+       strMaxQueryLength: 10,
+       strMinQueryLength: 2,
+    }
+    ```
+
+2. Suffix
+
+    ```typescript
+    class SuffixOpts {
+       strMaxQueryLength: 10,
+       strMinQueryLength: 2,
+    }
+    ```
+
+3. Substring
+
+    ```typescript
+    class SubstringOpts {
+       strMaxLength: 10,
+       strMaxQueryLength: 10,
+       strMinQueryLength: 2,
+    }
+    ```
+
 Use `encryptedClient` to insert the following document into `db.prefix-suffix`:
 
 ```javascript
@@ -3885,42 +3915,14 @@ class EncryptOpts {
 }
 ```
 
-1. Prefix
-
-    ```typescript
-    class PrefixOpts {
-       strMaxQueryLength: 10,
-       strMinQueryLength: 2,
-    }
-    ```
-
-2. Suffix
-
-    ```typescript
-    class SuffixOpts {
-       strMaxQueryLength: 10,
-       strMinQueryLength: 2,
-    }
-    ```
-
-3. Substring
-
-    ```typescript
-    class SubstringOpts {
-       strMaxLength: 10,
-       strMaxQueryLength: 10,
-       strMinQueryLength: 2,
-    }
-    ```
-
 #### Case 1: can find a document by prefix
 
 Use `clientEncryption.encrypt()` to encrypt the string `"foo"`. Store the resulting payload in `findPayload`.
 
 Use `encryptedClient` to run a "find" operation on the `db.prefix-suffix` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "prefix": <findPayload>}, } }
+{ $expr: { $encStrStartsWith: {input: '$encryptedText', prefix: <findPayload>}, } }
 ```
 
 Assert the following document is returned:
@@ -3931,12 +3933,12 @@ Assert the following document is returned:
 
 #### Case 2: can find a document by suffix
 
-Use `clientEncryption.encrypt()` to encrypt the string `"foo"`. Store the resulting payload in `findPayload`.
+Use `clientEncryption.encrypt()` to encrypt the string `"baz"`. Store the resulting payload in `findPayload`.
 
 Use `encryptedClient` to run a "find" operation on the `db.prefix-suffix` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "prefix": <findPayload>}, } }
+{ $expr: { $encStrEndsWith: {input: '$encryptedText', suffix: <findPayload>}, } }
 ```
 
 Assert the following document is returned:
@@ -3947,12 +3949,12 @@ Assert the following document is returned:
 
 #### Case 3: assert no document found by prefix
 
-Use `clientEncryption.encrypt()` to encrypt the string `"foo"`. Store the resulting payload in `findPayload`.
+Use `clientEncryption.encrypt()` to encrypt the string `"baz"`. Store the resulting payload in `findPayload`.
 
 Use `encryptedClient` to run a "find" operation on the `db.prefix-suffix` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "prefix": <findPayload>}, } }
+{ $expr: { $encStrStartsWith: {input: '$encryptedText', prefix: <findPayload>}, } }
 ```
 
 Assert that no documents are returned.
@@ -3964,7 +3966,7 @@ Use `clientEncryption.encrypt()` to encrypt the string `"foo"`. Store the result
 Use `encryptedClient` to run a "find" operation on the `db.prefix-suffix` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "suffix": <findPayload>}, } }
+{ $expr: { $encStrEndsWith: {input: '$encryptedText', suffix: <findPayload>}, } }
 ```
 
 Assert that no documents are returned.
@@ -3976,7 +3978,7 @@ Use `clientEncryption.encrypt()` to encrypt the string `"foo"`. Store the result
 Use `encryptedClient` to run a "find" operation on the `db.substring` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "prefix": <findPayload>}, } }
+{ $expr: { $encStrContains: {input: '$encryptedText', substring: <findPayload>}, } }
 ```
 
 Assert the following document is returned:
@@ -3992,7 +3994,7 @@ Use `clientEncryption.encrypt()` to encrypt the string `"qux"`. Store the result
 Use `encryptedClient` to run a "find" operation on the `db.substring` collection with the following filter:
 
 ```javascript
-{ "$expr": { "$encStrStartsWith": {"input": "$encryptedText", "prefix": <findPayload>}, } }
+{ $expr: { $encStrContains: {input: '$encryptedText', substring: <findPayload>}, } }
 ```
 
 Assert that no documents are returned.

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"subType": "04"`
`8`	`8`	`}`
`9`	`9`	`},`
`10`		`- "path": "encrypted-textPreview",`
	`10`	`+ "path": "encryptedText",`
`11`	`11`	`"bsonType": "string",`
`12`	`12`	`"queries": [`
`13`	`13`	`{`