Version Packages (rc)#678
Open
github-actions[bot] wants to merge 1 commit into
Open
Conversation
github-actions
Bot
force-pushed
the
changeset-release/main
branch
3 times, most recently
from
July 17, 2026 11:16
5a63e8d to
50d8fb1
Compare
github-actions
Bot
force-pushed
the
changeset-release/main
branch
from
July 17, 2026 11:28
50d8fb1 to
01fcd75
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
mainis currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, runchangeset pre exitonmain.Releases
stash@1.0.0-rc.3
Minor Changes
3a86939: EQL v3 support for the encryption rollout lifecycle (Make @cipherstash/migrate (and
stash encrypt *) compatible with EQL v3 #648). Thestash encrypt *commands (and@cipherstash/migrateunderneath) now resolve acolumn's EQL version and its encrypted counterpart from the Postgres domain
types — the EQL v3 types are self-describing, so the
<col>_encryptednaming is a convention only, never enforced or relied upon — and follow the
right lifecycle, no new flags:
encrypt backfillworks on v3 columns unchanged (the engine was alwaysversion-agnostic; pass an
EncryptionV3client and real v3 envelopes landin the concrete
eql_v3_*domain column — verified live against a realdatabase, including the domain CHECK and a decrypt round-trip). The
manifest records the detected version, the encrypted column's name, and the
v3 target phase, and the command prints v3-appropriate next steps.
encrypt cutoveron a backfilled v3 column reports "not applicable"(exit 0) with guidance: v3 has no rename cut-over — the application
switches to the encrypted column by name. Before backfill completes it
exits 1 and says to finish the backfill instead of instructing the switch.
On a database with no
eql_v2_configurationtable (a v3-only install) thev2 path now explains that instead of surfacing a raw Postgres error.
encrypt dropis version-aware: v3 runs from thebackfilledphase,verifies live coverage (refuses to generate the migration while any row
still has the plaintext set and the encrypted column NULL — the
countUnencryptedcheck), and drops the ORIGINAL plaintext column (thereis no
<col>_plaintextunder v3); v2 behaviour is unchanged. The generatedv3 migration re-verifies coverage at apply time — it locks the table,
re-counts, and aborts without dropping if plaintext-only rows appeared
after generation. And because dropping is the one irreversible step, it
requires a positively asserted plaintext↔ciphertext pairing (the
manifest's recorded
encryptedColumnor the naming convention): a matchfound only by being the table's sole EQL column is refused with
instructions, and an ambiguous table (several EQL columns, none
identifiable) fails closed listing the candidates — as does
cutover.encrypt statusclassifies each column from the observed domain type(manifest as fallback), shows
v3in the EQL column, and no longer raisesthe v2-only
not-registered/plaintext-col-missingdrift flags for v3columns.
stash status's quest ladder and thestash initagent handoffprompt teach the version-appropriate next step (no more "run cutover" on
v3 columns).
@cipherstash/migrateexports:classifyEqlDomain,resolveEncryptedColumn,pickEncryptedColumn,listEncryptedColumns(domain-type resolution — case-exact for quoted/mixed-case table names),
countEncrypted/countUnencrypted(coverage counts), and manifesteqlVersion+encryptedColumnfields.EqlVersionis numeric (2 | 3),matching the manifest and the installer. Resolved columns carry
via: 'hint' | 'convention' | 'sole'so callers can tell a positively assertedpairing from a by-elimination guess.
encrypt cutover/encrypt dropprecondition failures now actuallyexit 1 — the early-return guards previously skipped the exit-code path
entirely, so failed preconditions exited 0. (This also applies to v2
preconditions: scripted pipelines that relied on the erroneous exit 0 will
now see the documented exit 1.)
The
stash-cliandstash-encryptionskills and the@cipherstash/migrateREADME document the two lifecycles (v2: backfill → cutover → drop;
v3: backfill → switch-by-name → drop).
b0634df:
stash plan --complete-rolloutis now automatable and has an honest exit code.It skips the production-deploy gate, so it needs explicit consent — previously
that was an interactive prompt with no bypass, so a non-interactive run
auto-cancelled (default-no) and exited 0 without drafting a plan, leaving
automation to assume a plan existed.
--yesflag confirms the gate-skip without a prompt (for CI/agents).--yes, a non-interactive--complete-rolloutrun now refuseswith a non-zero exit and points at
--yes, instead of silently succeeding.f188c7a:
stash envnow works: it mints deployment credentials from your device-codesession and prints them as env vars — no dashboard copy-paste. The command
creates a fresh ZeroKMS client and a member-role CipherStash access key (named
via
--name; the role is pinned in the request and verified on the response —the CLI deliberately cannot mint admin keys), then emits
CS_WORKSPACE_CRN,CS_CLIENT_ID,CS_CLIENT_KEY, andCS_CLIENT_ACCESS_KEY.Output goes to stdout by default — and stdout is pipe-clean (progress UI is on
stderr), so
stash env --name x > prod.envand pipes into secret stores aresafe.
--write [path]writes a file instead (default.env.production.local,enforced mode 0600 even when overwriting), confirming before overwriting and
refusing non-interactively — always before anything is minted, so a refusal
never discards the shown-exactly-once access key.
--jsonemits NDJSON; with--writethe confirmation event is deliberately secret-free. API responsesare schema-validated so a service change can never print
undefinedinto acredentials file. Creating access keys requires the admin role in the
workspace.
This is also the supported credential path for WASM/edge local development
(Supabase Edge Functions, Cloudflare Workers, Deno), where the runtime cannot
read the
~/.cipherstashdevice profile: mint a key and feed it viasupabase functions serve --env-fileor the platform's secret store.The
STASH_EXPERIMENTAL_ENV_CMDgate is removed.Patch Changes
(npm).
@cipherstash/authwas pinned at 0.41.0 while the six@cipherstash/auth-*platform bindings declared in stack/stash/wizard'soptionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
exact-version optional peer dependencies, the skew made npm nest per-consumer
binding copies that the hoisted
authpackage could not resolve — any commandor import touching auth then died at startup. All seven packages now move in
lockstep at 0.42.0, Dependabot is barred from bumping any of them
independently, and a supply-chain CI test fails on any future skew.
@cipherstash/migrate@1.0.0-rc.1
Minor Changes
3a86939: EQL v3 support for the encryption rollout lifecycle (Make @cipherstash/migrate (and
stash encrypt *) compatible with EQL v3 #648). Thestash encrypt *commands (and@cipherstash/migrateunderneath) now resolve acolumn's EQL version and its encrypted counterpart from the Postgres domain
types — the EQL v3 types are self-describing, so the
<col>_encryptednaming is a convention only, never enforced or relied upon — and follow the
right lifecycle, no new flags:
encrypt backfillworks on v3 columns unchanged (the engine was alwaysversion-agnostic; pass an
EncryptionV3client and real v3 envelopes landin the concrete
eql_v3_*domain column — verified live against a realdatabase, including the domain CHECK and a decrypt round-trip). The
manifest records the detected version, the encrypted column's name, and the
v3 target phase, and the command prints v3-appropriate next steps.
encrypt cutoveron a backfilled v3 column reports "not applicable"(exit 0) with guidance: v3 has no rename cut-over — the application
switches to the encrypted column by name. Before backfill completes it
exits 1 and says to finish the backfill instead of instructing the switch.
On a database with no
eql_v2_configurationtable (a v3-only install) thev2 path now explains that instead of surfacing a raw Postgres error.
encrypt dropis version-aware: v3 runs from thebackfilledphase,verifies live coverage (refuses to generate the migration while any row
still has the plaintext set and the encrypted column NULL — the
countUnencryptedcheck), and drops the ORIGINAL plaintext column (thereis no
<col>_plaintextunder v3); v2 behaviour is unchanged. The generatedv3 migration re-verifies coverage at apply time — it locks the table,
re-counts, and aborts without dropping if plaintext-only rows appeared
after generation. And because dropping is the one irreversible step, it
requires a positively asserted plaintext↔ciphertext pairing (the
manifest's recorded
encryptedColumnor the naming convention): a matchfound only by being the table's sole EQL column is refused with
instructions, and an ambiguous table (several EQL columns, none
identifiable) fails closed listing the candidates — as does
cutover.encrypt statusclassifies each column from the observed domain type(manifest as fallback), shows
v3in the EQL column, and no longer raisesthe v2-only
not-registered/plaintext-col-missingdrift flags for v3columns.
stash status's quest ladder and thestash initagent handoffprompt teach the version-appropriate next step (no more "run cutover" on
v3 columns).
@cipherstash/migrateexports:classifyEqlDomain,resolveEncryptedColumn,pickEncryptedColumn,listEncryptedColumns(domain-type resolution — case-exact for quoted/mixed-case table names),
countEncrypted/countUnencrypted(coverage counts), and manifesteqlVersion+encryptedColumnfields.EqlVersionis numeric (2 | 3),matching the manifest and the installer. Resolved columns carry
via: 'hint' | 'convention' | 'sole'so callers can tell a positively assertedpairing from a by-elimination guess.
encrypt cutover/encrypt dropprecondition failures now actuallyexit 1 — the early-return guards previously skipped the exit-code path
entirely, so failed preconditions exited 0. (This also applies to v2
preconditions: scripted pipelines that relied on the erroneous exit 0 will
now see the documented exit 1.)
The
stash-cliandstash-encryptionskills and the@cipherstash/migrateREADME document the two lifecycles (v2: backfill → cutover → drop;
v3: backfill → switch-by-name → drop).
@cipherstash/prisma-next@1.0.0-rc.3
Patch Changes
@cipherstash/stack@1.0.0-rc.3
Patch Changes
(npm).
@cipherstash/authwas pinned at 0.41.0 while the six@cipherstash/auth-*platform bindings declared in stack/stash/wizard'soptionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
exact-version optional peer dependencies, the skew made npm nest per-consumer
binding copies that the hoisted
authpackage could not resolve — any commandor import touching auth then died at startup. All seven packages now move in
lockstep at 0.42.0, Dependabot is barred from bumping any of them
independently, and a supply-chain CI test fails on any future skew.
@cipherstash/stack-drizzle@1.0.0-rc.3
Patch Changes
@cipherstash/stack-supabase@1.0.0-rc.3
Patch Changes
@cipherstash/wizard@1.0.0-rc.3
Patch Changes
(npm).
@cipherstash/authwas pinned at 0.41.0 while the six@cipherstash/auth-*platform bindings declared in stack/stash/wizard'soptionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
exact-version optional peer dependencies, the skew made npm nest per-consumer
binding copies that the hoisted
authpackage could not resolve — any commandor import touching auth then died at startup. All seven packages now move in
lockstep at 0.42.0, Dependabot is barred from bumping any of them
independently, and a supply-chain CI test fails on any future skew.
@cipherstash/e2e@0.0.3-rc.3
Patch Changes
@cipherstash/basic-example@1.2.14-rc.3
Patch Changes
@cipherstash/prisma-next-example@0.0.6-rc.3
Patch Changes
@cipherstash/bench@0.0.5-rc.3
Patch Changes
@cipherstash/test-kit@0.0.1-rc.3
Patch Changes