feat(proxy): support OPE index type

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+### Added
+
+- **OPE (Order-Preserving Encryption) index**: New `ope` index type alongside the existing `ore` for range and ordering queries. OPE ciphertexts compare under standard lexicographic byte ordering, so they're a drop-in alternative to ORE for range and `ORDER BY`. Configure with `SELECT eql_v2.add_search_config('table', 'column', 'ope', 'int')` (any cast type that `ore` supports). Requires EQL with OPE support and a CipherStash client/config build that includes `IndexType::Ope`.
+
 ## [2.2.0-alpha.1] - 2026-03-25
 
 ### Changed

docs/how-to/index.md

@@ -201,7 +201,7 @@ This statement adds a `unique` index for the `email` column in the `users` table
 
 `unique` indexes are used to find records with columns with unique values, like with the `=` operator.
 
-There are two other types of encrypted indexes you can use on `text` data:
+There are other types of encrypted indexes you can use on `text` data:
 
 ```sql
 SELECT eql_v2.add_search_config(
@@ -217,10 +217,18 @@ SELECT eql_v2.add_search_config(
   'ore',
   'text'
 );
+
+SELECT eql_v2.add_search_config(
+  'users',
+  'email',
+  'ope',
+  'text'
+);
 ```
 
 The first SQL statement adds a `match` index, which is used for partial matches with `LIKE`.
-The second SQL statement adds an `ore` index, which is used for ordering with `ORDER BY`.
+The second SQL statement adds an `ore` index, which is used for ordering with `ORDER BY` and range comparisons (`<`, `<=`, `>`, `>=`).
+The third SQL statement adds an `ope` index, which supports the same range and ordering operators as `ore` and is a drop-in alternative — pick `ope` or `ore` per column, not both.
 
 
 > ![IMPORTANT]

docs/reference/searchable-json.md

@@ -127,7 +127,7 @@ Encrypted literals cannot be passed as arguments to SQL functions. Encrypted col
 
 Examples:
 - `AVG()` cannot be used on encrypted numeric values ❌
-- `MIN()` and `MAX()` can be used on encrypted values with ORE index ✅
+- `MIN()` and `MAX()` can be used on encrypted values with an `ore` or `ope` index ✅
 - `LOWER()` cannot be used on encrypted text (operates only on plaintext) ❌
 
 ⚠️ **CAST Operations**: CAST operations cannot work on encrypted data because casting would require decryption within the database, which is impossible. EQL's `ste_vec` configuration enables direct comparison and ordering operations on encrypted values without requiring CAST.

docs/sql/schema-example.sql

@@ -23,6 +23,8 @@ SELECT eql_v2.add_search_config(
   'text'
 );
 
+-- 'ore' supports ordering and range comparisons. 'ope' is a drop-in
+-- alternative with the same operator support — choose one per column.
 SELECT eql_v2.add_search_config(
   'users',
   'encrypted_email',

packages/cipherstash-proxy-integration/src/common.rs

@@ -88,6 +88,18 @@ pub async fn clear_with_client(client: &Client) {
     client.simple_query(sql).await.unwrap();
 }
 
+/// Truncate a single table by name. Useful for tests that own a dedicated
+/// fixture table (e.g. the per-test ORE/OPE tables) and don't need to wipe
+/// the shared `encrypted`/`plaintext` tables.
+pub async fn clear_table_with_client(client: &Client, table: &str) {
+    let sql = format!("TRUNCATE {}", table);
+    client.simple_query(&sql).await.unwrap();
+}
+
+pub async fn clear_table(table: &str) {
+    clear_table_with_client(&connect_with_tls(PROXY).await, table).await;
+}
+
 pub async fn reset_schema() {
     let port = std::env::var("CS_DATABASE__PORT")
         .map(|s| s.parse().unwrap())

packages/cipherstash-proxy-integration/src/lib.rs

@@ -12,6 +12,8 @@ mod map_concat;
 mod map_literals;
 mod map_match_index;
 mod map_nulls;
+mod map_ope_index_order;
+mod map_ope_index_where;
 mod map_ore_index_order;
 mod map_ore_index_where;
 mod map_params;

packages/cipherstash-proxy-integration/src/map_ope_index_order.rs

@@ -0,0 +1,162 @@
+#[cfg(test)]
+mod tests {
+    use crate::common::{
+        clear_table, connect_with_tls, interleaved_indices, random_id, trace, PROXY,
+    };
+
+    #[tokio::test]
+    async fn map_ope_order_text_asc() {
+        trace();
+        let table = "encrypted_ope_order_text_asc";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let values = ["aardvark", "aplomb", "chimera", "chrysalis", "zephyr"];
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_text) VALUES ($1, $2)");
+        for idx in interleaved_indices(values.len()) {
+            client
+                .query(&insert, &[&random_id(), &values[idx]])
+                .await
+                .unwrap();
+        }
+
+        let select = format!("SELECT encrypted_text FROM {table} ORDER BY encrypted_text");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<String> = rows.iter().map(|r| r.get(0)).collect();
+        let expected: Vec<String> = values.iter().map(|s| s.to_string()).collect();
+
+        assert_eq!(actual, expected);
+    }
+
+    #[tokio::test]
+    async fn map_ope_order_text_desc() {
+        trace();
+        let table = "encrypted_ope_order_text_desc";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let values = ["aardvark", "aplomb", "chimera", "chrysalis", "zephyr"];
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_text) VALUES ($1, $2)");
+        for idx in interleaved_indices(values.len()) {
+            client
+                .query(&insert, &[&random_id(), &values[idx]])
+                .await
+                .unwrap();
+        }
+
+        let select = format!("SELECT encrypted_text FROM {table} ORDER BY encrypted_text DESC");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<String> = rows.iter().map(|r| r.get(0)).collect();
+        let expected: Vec<String> = values.iter().rev().map(|s| s.to_string()).collect();
+
+        assert_eq!(actual, expected);
+    }
+
+    #[tokio::test]
+    async fn map_ope_order_int4_asc() {
+        trace();
+        let table = "encrypted_ope_order_int4_asc";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let values: Vec<i32> = vec![-100, -1, 0, 1, 42, 1000, i32::MAX];
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_int4) VALUES ($1, $2)");
+        for idx in interleaved_indices(values.len()) {
+            client
+                .query(&insert, &[&random_id(), &values[idx]])
+                .await
+                .unwrap();
+        }
+
+        let select = format!("SELECT encrypted_int4 FROM {table} ORDER BY encrypted_int4");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<i32> = rows.iter().map(|r| r.get(0)).collect();
+        assert_eq!(actual, values);
+    }
+
+    #[tokio::test]
+    async fn map_ope_order_int4_desc() {
+        trace();
+        let table = "encrypted_ope_order_int4_desc";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let values: Vec<i32> = vec![-100, -1, 0, 1, 42, 1000, i32::MAX];
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_int4) VALUES ($1, $2)");
+        for idx in interleaved_indices(values.len()) {
+            client
+                .query(&insert, &[&random_id(), &values[idx]])
+                .await
+                .unwrap();
+        }
+
+        let select = format!("SELECT encrypted_int4 FROM {table} ORDER BY encrypted_int4 DESC");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<i32> = rows.iter().map(|r| r.get(0)).collect();
+        let expected: Vec<i32> = values.into_iter().rev().collect();
+        assert_eq!(actual, expected);
+    }
+
+    #[tokio::test]
+    async fn map_ope_order_nulls_last_by_default() {
+        trace();
+        let table = "encrypted_ope_order_nulls_last";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let null_insert = format!("INSERT INTO {table} (id) VALUES ($1)");
+        client.query(&null_insert, &[&random_id()]).await.unwrap();
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_text) VALUES ($1, $2), ($3, $4)");
+        client
+            .query(&insert, &[&random_id(), &"a", &random_id(), &"b"])
+            .await
+            .unwrap();
+
+        let select = format!("SELECT encrypted_text FROM {table} ORDER BY encrypted_text");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<Option<String>> = rows.iter().map(|r| r.get(0)).collect();
+        assert_eq!(
+            actual,
+            vec![Some("a".into()), Some("b".into()), None],
+            "NULLs should sort last by default"
+        );
+    }
+
+    #[tokio::test]
+    async fn map_ope_order_nulls_first() {
+        trace();
+        let table = "encrypted_ope_order_nulls_first";
+        clear_table(table).await;
+        let client = connect_with_tls(PROXY).await;
+
+        let insert = format!("INSERT INTO {table} (id, encrypted_text) VALUES ($1, $2), ($3, $4)");
+        client
+            .query(&insert, &[&random_id(), &"a", &random_id(), &"b"])
+            .await
+            .unwrap();
+
+        let null_insert = format!("INSERT INTO {table} (id) VALUES ($1)");
+        client.query(&null_insert, &[&random_id()]).await.unwrap();
+
+        let select =
+            format!("SELECT encrypted_text FROM {table} ORDER BY encrypted_text NULLS FIRST");
+        let rows = client.query(&select, &[]).await.unwrap();
+
+        let actual: Vec<Option<String>> = rows.iter().map(|r| r.get(0)).collect();
+        assert_eq!(
+            actual,
+            vec![None, Some("a".into()), Some("b".into())],
+            "NULLS FIRST should explicitly sort NULLs first"
+        );
+    }
+}