types

JSON-serializable dictionary type for structured data encryption.

Handler for encrypting opaque blob data like checkpoints.

Note: Must be an async function. Encryption typically involves I/O operations (calling external KMS services), which should be async.

Handler for decrypting opaque blob data like checkpoints.

Note: Must be an async function. Decryption typically involves I/O operations (calling external KMS services), which should be async.

Handler for encrypting structured JSON data.

Note: Must be an async function. Encryption typically involves I/O operations (calling external KMS services), which should be async.

Used for encrypting structured data like metadata, context, kwargs, values, and other JSON-serializable fields across different model types.

Maps plaintext fields to encrypted fields. A practical approach:

• Keep "owner" field unencrypted for search/filtering
• Encrypt VALUES (not keys) for fields with specific prefix (e.g., "my.customer.org/")
• Pass through all other fields unencrypted

Handler for decrypting structured JSON data.

Note: Must be an async function. Decryption typically involves I/O operations (calling external KMS services), which should be async.

Inverse of JsonEncryptor. Must be able to decrypt data that was encrypted by the corresponding encryptor.

Handler for deriving encryption context from authenticated user info.

Note: Must be an async function as it may involve I/O operations.

The context handler is called once per request in middleware (after auth), allowing encryption context to be derived from JWT claims, user properties, or other auth-derived data instead of requiring a separate X-Encryption-Context header.

The return value becomes ctx.metadata for subsequent encrypt/decrypt operations and is persisted with encrypted data for later decryption.

Note: ctx.model and ctx.field will be None in context handlers since the handler runs once per request before any specific model/field is known.

Context passed to encryption/decryption handlers.

Contains arbitrary non-secret key-values that will be stored on encrypt. These key-values are intended to be sent to an external service that manages keys and handles the actual encryption and decryption of data.