Skip to content

Version Packages (rc)#678

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Open

Version Packages (rc)#678
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

stash@1.0.0-rc.3

Minor Changes

  • 3a86939: EQL v3 support for the encryption rollout lifecycle (Make @cipherstash/migrate (and stash encrypt *) compatible with EQL v3 #648). The stash encrypt * commands (and @cipherstash/migrate underneath) now resolve a
    column's EQL version and its encrypted counterpart from the Postgres domain
    types
    — the EQL v3 types are self-describing, so the <col>_encrypted
    naming is a convention only, never enforced or relied upon — and follow the
    right lifecycle, no new flags:

    • encrypt backfill works on v3 columns unchanged (the engine was always
      version-agnostic; pass an EncryptionV3 client and real v3 envelopes land
      in the concrete eql_v3_* domain column — verified live against a real
      database, including the domain CHECK and a decrypt round-trip). The
      manifest records the detected version, the encrypted column's name, and the
      v3 target phase, and the command prints v3-appropriate next steps.
    • encrypt cutover on a backfilled v3 column reports "not applicable"
      (exit 0) with guidance: v3 has no rename cut-over — the application
      switches to the encrypted column by name. Before backfill completes it
      exits 1 and says to finish the backfill instead of instructing the switch.
      On a database with no eql_v2_configuration table (a v3-only install) the
      v2 path now explains that instead of surfacing a raw Postgres error.
    • encrypt drop is version-aware: v3 runs from the backfilled phase,
      verifies live coverage (refuses to generate the migration while any row
      still has the plaintext set and the encrypted column NULL — the
      countUnencrypted check), and drops the ORIGINAL plaintext column (there
      is no <col>_plaintext under v3); v2 behaviour is unchanged. The generated
      v3 migration re-verifies coverage at apply time — it locks the table,
      re-counts, and aborts without dropping if plaintext-only rows appeared
      after generation. And because dropping is the one irreversible step, it
      requires a positively asserted plaintext↔ciphertext pairing (the
      manifest's recorded encryptedColumn or the naming convention): a match
      found only by being the table's sole EQL column is refused with
      instructions, and an ambiguous table (several EQL columns, none
      identifiable) fails closed listing the candidates — as does cutover.
    • encrypt status classifies each column from the observed domain type
      (manifest as fallback), shows v3 in the EQL column, and no longer raises
      the v2-only not-registered / plaintext-col-missing drift flags for v3
      columns. stash status's quest ladder and the stash init agent handoff
      prompt teach the version-appropriate next step (no more "run cutover" on
      v3 columns).
    • New @cipherstash/migrate exports: classifyEqlDomain,
      resolveEncryptedColumn, pickEncryptedColumn, listEncryptedColumns
      (domain-type resolution — case-exact for quoted/mixed-case table names),
      countEncrypted / countUnencrypted (coverage counts), and manifest
      eqlVersion + encryptedColumn fields. EqlVersion is numeric (2 | 3),
      matching the manifest and the installer. Resolved columns carry via: 'hint' | 'convention' | 'sole' so callers can tell a positively asserted
      pairing from a by-elimination guess.
    • Fixed: encrypt cutover/encrypt drop precondition failures now actually
      exit 1 — the early-return guards previously skipped the exit-code path
      entirely, so failed preconditions exited 0. (This also applies to v2
      preconditions: scripted pipelines that relied on the erroneous exit 0 will
      now see the documented exit 1.)

    The stash-cli and stash-encryption skills and the @cipherstash/migrate
    README document the two lifecycles (v2: backfill → cutover → drop;
    v3: backfill → switch-by-name → drop).

  • b0634df: stash plan --complete-rollout is now automatable and has an honest exit code.
    It skips the production-deploy gate, so it needs explicit consent — previously
    that was an interactive prompt with no bypass, so a non-interactive run
    auto-cancelled (default-no) and exited 0 without drafting a plan, leaving
    automation to assume a plan existed.

    • New --yes flag confirms the gate-skip without a prompt (for CI/agents).
    • Without --yes, a non-interactive --complete-rollout run now refuses
      with a non-zero exit
      and points at --yes, instead of silently succeeding.
    • Interactive behaviour is unchanged (default-no confirm).
  • f188c7a: stash env now works: it mints deployment credentials from your device-code
    session and prints them as env vars — no dashboard copy-paste. The command
    creates a fresh ZeroKMS client and a member-role CipherStash access key (named
    via --name; the role is pinned in the request and verified on the response —
    the CLI deliberately cannot mint admin keys), then emits CS_WORKSPACE_CRN,
    CS_CLIENT_ID, CS_CLIENT_KEY, and CS_CLIENT_ACCESS_KEY.

    Output goes to stdout by default — and stdout is pipe-clean (progress UI is on
    stderr), so stash env --name x > prod.env and pipes into secret stores are
    safe. --write [path] writes a file instead (default .env.production.local,
    enforced mode 0600 even when overwriting), confirming before overwriting and
    refusing non-interactively — always before anything is minted, so a refusal
    never discards the shown-exactly-once access key. --json emits NDJSON; with
    --write the confirmation event is deliberately secret-free. API responses
    are schema-validated so a service change can never print undefined into a
    credentials file. Creating access keys requires the admin role in the
    workspace.

    This is also the supported credential path for WASM/edge local development
    (Supabase Edge Functions, Cloudflare Workers, Deno), where the runtime cannot
    read the ~/.cipherstash device profile: mint a key and feed it via
    supabase functions serve --env-file or the platform's secret store.

    The STASH_EXPERIMENTAL_ENV_CMD gate is removed.

Patch Changes

  • 8b2551a: Fix "Failed to load native binding" on project-local installs of the CLI/SDK
    (npm). @cipherstash/auth was pinned at 0.41.0 while the six
    @cipherstash/auth-* platform bindings declared in stack/stash/wizard's
    optionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
    exact-version optional peer dependencies, the skew made npm nest per-consumer
    binding copies that the hoisted auth package could not resolve — any command
    or import touching auth then died at startup. All seven packages now move in
    lockstep at 0.42.0, Dependabot is barred from bumping any of them
    independently, and a supply-chain CI test fails on any future skew.
  • Updated dependencies [3a86939]
    • @cipherstash/migrate@1.0.0-rc.1

@cipherstash/migrate@1.0.0-rc.1

Minor Changes

  • 3a86939: EQL v3 support for the encryption rollout lifecycle (Make @cipherstash/migrate (and stash encrypt *) compatible with EQL v3 #648). The stash encrypt * commands (and @cipherstash/migrate underneath) now resolve a
    column's EQL version and its encrypted counterpart from the Postgres domain
    types
    — the EQL v3 types are self-describing, so the <col>_encrypted
    naming is a convention only, never enforced or relied upon — and follow the
    right lifecycle, no new flags:

    • encrypt backfill works on v3 columns unchanged (the engine was always
      version-agnostic; pass an EncryptionV3 client and real v3 envelopes land
      in the concrete eql_v3_* domain column — verified live against a real
      database, including the domain CHECK and a decrypt round-trip). The
      manifest records the detected version, the encrypted column's name, and the
      v3 target phase, and the command prints v3-appropriate next steps.
    • encrypt cutover on a backfilled v3 column reports "not applicable"
      (exit 0) with guidance: v3 has no rename cut-over — the application
      switches to the encrypted column by name. Before backfill completes it
      exits 1 and says to finish the backfill instead of instructing the switch.
      On a database with no eql_v2_configuration table (a v3-only install) the
      v2 path now explains that instead of surfacing a raw Postgres error.
    • encrypt drop is version-aware: v3 runs from the backfilled phase,
      verifies live coverage (refuses to generate the migration while any row
      still has the plaintext set and the encrypted column NULL — the
      countUnencrypted check), and drops the ORIGINAL plaintext column (there
      is no <col>_plaintext under v3); v2 behaviour is unchanged. The generated
      v3 migration re-verifies coverage at apply time — it locks the table,
      re-counts, and aborts without dropping if plaintext-only rows appeared
      after generation. And because dropping is the one irreversible step, it
      requires a positively asserted plaintext↔ciphertext pairing (the
      manifest's recorded encryptedColumn or the naming convention): a match
      found only by being the table's sole EQL column is refused with
      instructions, and an ambiguous table (several EQL columns, none
      identifiable) fails closed listing the candidates — as does cutover.
    • encrypt status classifies each column from the observed domain type
      (manifest as fallback), shows v3 in the EQL column, and no longer raises
      the v2-only not-registered / plaintext-col-missing drift flags for v3
      columns. stash status's quest ladder and the stash init agent handoff
      prompt teach the version-appropriate next step (no more "run cutover" on
      v3 columns).
    • New @cipherstash/migrate exports: classifyEqlDomain,
      resolveEncryptedColumn, pickEncryptedColumn, listEncryptedColumns
      (domain-type resolution — case-exact for quoted/mixed-case table names),
      countEncrypted / countUnencrypted (coverage counts), and manifest
      eqlVersion + encryptedColumn fields. EqlVersion is numeric (2 | 3),
      matching the manifest and the installer. Resolved columns carry via: 'hint' | 'convention' | 'sole' so callers can tell a positively asserted
      pairing from a by-elimination guess.
    • Fixed: encrypt cutover/encrypt drop precondition failures now actually
      exit 1 — the early-return guards previously skipped the exit-code path
      entirely, so failed preconditions exited 0. (This also applies to v2
      preconditions: scripted pipelines that relied on the erroneous exit 0 will
      now see the documented exit 1.)

    The stash-cli and stash-encryption skills and the @cipherstash/migrate
    README document the two lifecycles (v2: backfill → cutover → drop;
    v3: backfill → switch-by-name → drop).

@cipherstash/prisma-next@1.0.0-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3

@cipherstash/stack@1.0.0-rc.3

Patch Changes

  • 8b2551a: Fix "Failed to load native binding" on project-local installs of the CLI/SDK
    (npm). @cipherstash/auth was pinned at 0.41.0 while the six
    @cipherstash/auth-* platform bindings declared in stack/stash/wizard's
    optionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
    exact-version optional peer dependencies, the skew made npm nest per-consumer
    binding copies that the hoisted auth package could not resolve — any command
    or import touching auth then died at startup. All seven packages now move in
    lockstep at 0.42.0, Dependabot is barred from bumping any of them
    independently, and a supply-chain CI test fails on any future skew.

@cipherstash/stack-drizzle@1.0.0-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3

@cipherstash/stack-supabase@1.0.0-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3

@cipherstash/wizard@1.0.0-rc.3

Patch Changes

  • 8b2551a: Fix "Failed to load native binding" on project-local installs of the CLI/SDK
    (npm). @cipherstash/auth was pinned at 0.41.0 while the six
    @cipherstash/auth-* platform bindings declared in stack/stash/wizard's
    optionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
    exact-version optional peer dependencies, the skew made npm nest per-consumer
    binding copies that the hoisted auth package could not resolve — any command
    or import touching auth then died at startup. All seven packages now move in
    lockstep at 0.42.0, Dependabot is barred from bumping any of them
    independently, and a supply-chain CI test fails on any future skew.

@cipherstash/e2e@0.0.3-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
  • Updated dependencies [3a86939]
  • Updated dependencies [b0634df]
  • Updated dependencies [f188c7a]
    • @cipherstash/stack@1.0.0-rc.3
    • stash@1.0.0-rc.3
    • @cipherstash/wizard@1.0.0-rc.3

@cipherstash/basic-example@1.2.14-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3
    • @cipherstash/stack-drizzle@1.0.0-rc.3
    • @cipherstash/stack-supabase@1.0.0-rc.3

@cipherstash/prisma-next-example@0.0.6-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3
    • @cipherstash/prisma-next@1.0.0-rc.3

@cipherstash/bench@0.0.5-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3
    • @cipherstash/stack-drizzle@1.0.0-rc.3

@cipherstash/test-kit@0.0.1-rc.3

Patch Changes

  • Updated dependencies [8b2551a]
    • @cipherstash/stack@1.0.0-rc.3

@github-actions
github-actions Bot requested a review from a team as a code owner July 17, 2026 01:01
@github-actions
github-actions Bot force-pushed the changeset-release/main branch 3 times, most recently from 5a63e8d to 50d8fb1 Compare July 17, 2026 11:16
@github-actions
github-actions Bot force-pushed the changeset-release/main branch from 50d8fb1 to 01fcd75 Compare July 17, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants