Graphorin API reference v0.1.0
encryption
Encryption-at-rest interface hooks.
Phase 05 declares the surface; the cipher path itself ships in the optional @graphorin/store-sqlite-encrypted subpackage in Phase 16 (DEC-129 / ADR-030). Encryption is disabled by default.
If the caller passes encryption.enabled: true and the cipher peer (better-sqlite3-multiple-ciphers) is missing, the connection layer fails fast with CipherPeerMissingError rather than silently degrading to an unencrypted DB.
Classes
| Class | Description |
|---|---|
| CipherPeerMissingError | Raised when the operator opts in to encryption-at-rest but the cipher peer (better-sqlite3-multiple-ciphers) is missing. The Phase 05 acceptance criteria require this to be a fatal startup error — never silently downgrade to an unencrypted DB. |
Type Aliases
| Type Alias | Description |
|---|---|
| EncryptionCipher | Cipher selection. The default 'sqlcipher' mirrors the most-shipped variant of better-sqlite3-multiple-ciphers. Other variants ('wxsqlite3', 'rc4', …) are accepted by the cipher peer; we validate the string only at the resolver boundary. |
| EncryptionConfig | Encryption-at-rest configuration. Default { enabled: false }. |
| PassphraseResolver | Passphrase resolver shape. Implementations live in @graphorin/security ('env:GRAPHORIN_DB_PASSPHRASE', 'keyring:graphorin/db', …). The resolver may return Buffer for binary-keyed cipher variants. |
Functions
| Function | Description |
|---|---|
| loadCipherDriver | Loads the cipher peer (better-sqlite3-multiple-ciphers). Lazy by design — the import only fires when encryption-at-rest is enabled. |
| resolvePassphrase | Resolves the configured passphrase to a SQL-literal-ready value suitable for PRAGMA key = <literal>. UTF-8 passphrases are returned as a single-quoted SQL string with internal ' doubled; binary keys are returned in the cipher peer's hex form (x'<hex>'). |
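The literal encoding described for resolvePassphrase, sketched as an added example that is not Graphorin's own code. The names toKeyLiteral, naiveLiteral and isSingleStringLiteral are hypothetical, and the sample secrets are constructed.

```javascript
// Added example; the function names are hypothetical, not Graphorin's API.

// Encode a secret as the SQL literal that follows `PRAGMA key = `.
function toKeyLiteral(secret) {
  if (Buffer.isBuffer(secret)) {
    if (secret.length === 0) throw new Error('empty binary key');
    // Binary keys: hex form x'<hex>'; hex digits cannot contain a quote.
    return "x'" + secret.toString('hex') + "'";
  }
  if (typeof secret !== 'string' || secret.length === 0) {
    throw new Error('passphrase must be a non-empty string or Buffer');
  }
  // Rejecting NUL is a conservative choice made by this example.
  if (secret.includes('\0')) throw new Error('NUL byte in passphrase');
  // UTF-8 passphrases: single-quoted, every internal ' doubled.
  return "'" + secret.replace(/'/g, "''") + "'";
}

// The 'before' form: wraps without doubling, so a quote ends the literal early.
function naiveLiteral(secret) {
  return "'" + secret + "'";
}

// True only if `text` is exactly one single-quoted SQL string literal.
function isSingleStringLiteral(text) {
  return /^'(?:[^']|'')*'$/.test(text);
}

// Constructed sample secrets, not real credentials.
const samples = ['correct horse', "it's", "a'; --"];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'naive ok:', isSingleStringLiteral(naiveLiteral(s)),
    'escaped ok:', isSingleStringLiteral(toKeyLiteral(s)));
}
console.log(toKeyLiteral(Buffer.from('00ff10', 'hex')));
```

Real key literals should never be written to logs; the console output here exists only because the inputs are constructed samples.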