Encryption and decryption types for LangGraph.
This module defines the core types used for custom at-rest encryption in LangGraph. It includes context types and typed dictionaries for encryption operations.
JSON-serializable dictionary type for structured data encryption.
Handler for encrypting opaque blob data like checkpoints.
Note: Must be an async function. Encryption typically involves I/O operations (calling external KMS services), which should be async.
Handler for decrypting opaque blob data like checkpoints.
Note: Must be an async function. Decryption typically involves I/O operations (calling external KMS services), which should be async.
Handler for encrypting structured JSON data.
Note: Must be an async function. Encryption typically involves I/O operations (calling external KMS services), which should be async.
Used for encrypting structured data like metadata, context, kwargs, values, and other JSON-serializable fields across different model types.
Maps plaintext fields to encrypted fields. A practical approach:
Handler for decrypting structured JSON data.
Note: Must be an async function. Decryption typically involves I/O operations (calling external KMS services), which should be async.
Inverse of JsonEncryptor. Must be able to decrypt data that was encrypted by the corresponding encryptor.
Handler for deriving encryption context from authenticated user info.
Note: Must be an async function as it may involve I/O operations.
The context handler is called once per request in middleware (after auth), allowing encryption context to be derived from JWT claims, user properties, or other auth-derived data instead of requiring a separate X-Encryption-Context header.
The return value becomes ctx.metadata for subsequent encrypt/decrypt operations and is persisted with encrypted data for later decryption.
Note: ctx.model and ctx.field will be None in context handlers since the handler runs once per request before any specific model/field is known.
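The contract described above for the JSON encryptor/decryptor pair and the context handler, as an added example that is not LangGraph's own code. The `Ctx` class, the handler signatures, the key-preserving field mapping and the in-memory `FakeKMS` (a test double with no real cryptography, standing in for an external KMS) are assumptions made for illustration.

```python
import asyncio, json, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ctx:  # hypothetical stand-in for the encryption context object
    metadata: dict
    model: Optional[str] = None
    field: Optional[str] = None

class FakeKMS:
    """Constructed in-memory test double for an external KMS: no real cryptography."""
    def __init__(self):
        self._vault = {}
    async def encrypt(self, plaintext: bytes, context: dict) -> str:
        token = secrets.token_urlsafe(16)  # opaque handle returned in place of ciphertext
        self._vault[token] = (plaintext, dict(context))
        return token
    async def decrypt(self, token: str, context: dict) -> bytes:
        plaintext, bound = self._vault[token]
        if bound != context:  # decrypt only under the context used at encrypt time
            raise PermissionError("encryption context mismatch")
        return plaintext

KMS = FakeKMS()

async def derive_context(claims: dict) -> dict:  # context handler: once per request, after auth
    return {"tenant": claims["tenant_id"]}

async def encrypt_json(ctx: Ctx, data: dict) -> dict:
    # Assumed mapping: keys stay readable, every value becomes an opaque token.
    return {k: await KMS.encrypt(json.dumps(v).encode(), ctx.metadata) for k, v in data.items()}

async def decrypt_json(ctx: Ctx, data: dict) -> dict:
    # Inverse of encrypt_json; ctx.metadata is the context persisted with the record.
    return {k: json.loads(await KMS.decrypt(v, ctx.metadata)) for k, v in data.items()}

async def demo():
    meta = await derive_context({"tenant_id": "acme"})  # constructed claims
    stored = await encrypt_json(Ctx(meta, "thread", "metadata"), {"owner": "alice", "tags": ["pii"]})
    plain = await decrypt_json(Ctx(meta), stored)
    try:
        await decrypt_json(Ctx({"tenant": "other"}), stored)
        cross_tenant = "decrypted"
    except PermissionError:
        cross_tenant = "refused"
    return stored, plain, cross_tenant

def run_demo():
    return asyncio.run(demo())
```

`run_demo()` returns the stored mapping, the round-tripped plaintext, and the outcome of a decrypt attempt under another tenant's context.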