Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .changeset/pre.json
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
"changesets": [
"adapter-package-split",
"adapter-split-skills",
"auth-binding-lockstep",
"cli-anonymous-telemetry",
"cli-eql-v3-single-bundle",
"eql-v3-adapter-type-robustness",
Expand All @@ -46,6 +47,8 @@
"eql-v3-typed-schema",
"eql-v3-wasm-inline",
"init-pins-runtime-versions",
"migrate-eql-v3",
"plan-complete-rollout-yes",
"prisma-next-0-14",
"prisma-next-joins-release-train",
"release-train-coupling",
Expand All @@ -59,6 +62,7 @@
"stash-cli-eql-v3-default",
"stash-cli-skill-refresh",
"stash-drizzle-skill-encrypt-query",
"stash-env-mint-credentials",
"stash-skills-contains-to-matches",
"stash-supabase-contains-substrings",
"supabase-encryption-error",
Expand Down
12 changes: 12 additions & 0 deletions e2e/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,17 @@
# @cipherstash/e2e

## 0.0.3-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- Updated dependencies [3a86939]
- Updated dependencies [b0634df]
- Updated dependencies [f188c7a]
- @cipherstash/stack@1.0.0-rc.3
- stash@1.0.0-rc.3
- @cipherstash/wizard@1.0.0-rc.3

## 0.0.3-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion e2e/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/e2e",
"version": "0.0.3-rc.2",
"version": "0.0.3-rc.3",
"private": true,
"description": "End-to-end tests that exercise built CipherStash binaries and cross-package behaviour.",
"type": "module",
Expand Down
9 changes: 9 additions & 0 deletions examples/basic/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,14 @@
# @cipherstash/basic-example

## 1.2.14-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3
- @cipherstash/stack-drizzle@1.0.0-rc.3
- @cipherstash/stack-supabase@1.0.0-rc.3

## 1.2.14-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion examples/basic/package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "@cipherstash/basic-example",
"private": true,
"version": "1.2.14-rc.2",
"version": "1.2.14-rc.3",
"type": "module",
"scripts": {
"start": "tsx index.ts"
Expand Down
8 changes: 8 additions & 0 deletions examples/prisma/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# @cipherstash/prisma-next-example

## 0.0.6-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3
- @cipherstash/prisma-next@1.0.0-rc.3

## 0.0.6-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion examples/prisma/package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "@cipherstash/prisma-next-example",
"private": true,
"version": "0.0.6-rc.2",
"version": "0.0.6-rc.3",
"description": "End-to-end example of @cipherstash/prisma-next: searchable application-layer encryption for Postgres with Prisma Next, using @cipherstash/stack as the SDK.",
"type": "module",
"scripts": {
Expand Down
8 changes: 8 additions & 0 deletions packages/bench/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# @cipherstash/bench

## 0.0.5-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3
- @cipherstash/stack-drizzle@1.0.0-rc.3

## 0.0.5-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/bench/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/bench",
"version": "0.0.5-rc.2",
"version": "0.0.5-rc.3",
"private": true,
"description": "Performance / index-engagement benchmarks for stack integrations (Drizzle, encryptedSupabase, Prisma).",
"type": "module",
Expand Down
110 changes: 110 additions & 0 deletions packages/cli/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,115 @@
# @cipherstash/cli

## 1.0.0-rc.3

### Minor Changes

- 3a86939: EQL v3 support for the encryption rollout lifecycle (#648). The `stash
encrypt *` commands (and `@cipherstash/migrate` underneath) now resolve a
column's EQL version and its encrypted counterpart from the **Postgres domain
types** — the EQL v3 types are self-describing, so the `<col>_encrypted`
naming is a convention only, never enforced or relied upon — and follow the
right lifecycle, no new flags:

- **`encrypt backfill`** works on v3 columns unchanged (the engine was always
version-agnostic; pass an `EncryptionV3` client and real v3 envelopes land
in the concrete `eql_v3_*` domain column — verified live against a real
database, including the domain CHECK and a decrypt round-trip). The
manifest records the detected version, the encrypted column's name, and the
v3 target phase, and the command prints v3-appropriate next steps.
- **`encrypt cutover`** on a backfilled v3 column reports "not applicable"
(exit 0) with guidance: v3 has no rename cut-over — the application
switches to the encrypted column by name. Before backfill completes it
exits 1 and says to finish the backfill instead of instructing the switch.
On a database with no `eql_v2_configuration` table (a v3-only install) the
v2 path now explains that instead of surfacing a raw Postgres error.
- **`encrypt drop`** is version-aware: v3 runs from the `backfilled` phase,
**verifies live coverage** (refuses to generate the migration while any row
still has the plaintext set and the encrypted column NULL — the
`countUnencrypted` check), and drops the ORIGINAL plaintext column (there
is no `<col>_plaintext` under v3); v2 behaviour is unchanged. The generated
v3 migration **re-verifies coverage at apply time** — it locks the table,
re-counts, and aborts without dropping if plaintext-only rows appeared
after generation. And because dropping is the one irreversible step, it
requires a positively asserted plaintext↔ciphertext pairing (the
manifest's recorded `encryptedColumn` or the naming convention): a match
found only by being the table's sole EQL column is refused with
instructions, and an ambiguous table (several EQL columns, none
identifiable) fails closed listing the candidates — as does `cutover`.
- **`encrypt status`** classifies each column from the observed domain type
(manifest as fallback), shows `v3` in the EQL column, and no longer raises
the v2-only `not-registered` / `plaintext-col-missing` drift flags for v3
columns. `stash status`'s quest ladder and the `stash init` agent handoff
prompt teach the version-appropriate next step (no more "run cutover" on
v3 columns).
- New `@cipherstash/migrate` exports: `classifyEqlDomain`,
`resolveEncryptedColumn`, `pickEncryptedColumn`, `listEncryptedColumns`
(domain-type resolution — case-exact for quoted/mixed-case table names),
`countEncrypted` / `countUnencrypted` (coverage counts), and manifest
`eqlVersion` + `encryptedColumn` fields. `EqlVersion` is numeric (`2 | 3`),
matching the manifest and the installer. Resolved columns carry `via:
'hint' | 'convention' | 'sole'` so callers can tell a positively asserted
pairing from a by-elimination guess.
- Fixed: `encrypt cutover`/`encrypt drop` precondition failures now actually
exit 1 — the early-return guards previously skipped the exit-code path
entirely, so failed preconditions exited 0. (This also applies to v2
preconditions: scripted pipelines that relied on the erroneous exit 0 will
now see the documented exit 1.)

The `stash-cli` and `stash-encryption` skills and the `@cipherstash/migrate`
README document the two lifecycles (v2: backfill → cutover → drop;
v3: backfill → switch-by-name → drop).

- b0634df: `stash plan --complete-rollout` is now automatable and has an honest exit code.
It skips the production-deploy gate, so it needs explicit consent — previously
that was an interactive prompt with no bypass, so a non-interactive run
auto-cancelled (default-no) and exited **0** without drafting a plan, leaving
automation to assume a plan existed.

- New `--yes` flag confirms the gate-skip without a prompt (for CI/agents).
- Without `--yes`, a non-interactive `--complete-rollout` run now **refuses
with a non-zero exit** and points at `--yes`, instead of silently succeeding.
- Interactive behaviour is unchanged (default-no confirm).

- f188c7a: `stash env` now works: it mints deployment credentials from your device-code
session and prints them as env vars — no dashboard copy-paste. The command
creates a fresh ZeroKMS client and a member-role CipherStash access key (named
via `--name`; the role is pinned in the request and verified on the response —
the CLI deliberately cannot mint admin keys), then emits `CS_WORKSPACE_CRN`,
`CS_CLIENT_ID`, `CS_CLIENT_KEY`, and `CS_CLIENT_ACCESS_KEY`.

Output goes to stdout by default — and stdout is pipe-clean (progress UI is on
stderr), so `stash env --name x > prod.env` and pipes into secret stores are
safe. `--write [path]` writes a file instead (default `.env.production.local`,
enforced mode 0600 even when overwriting), confirming before overwriting and
refusing non-interactively — always _before_ anything is minted, so a refusal
never discards the shown-exactly-once access key. `--json` emits NDJSON; with
`--write` the confirmation event is deliberately secret-free. API responses
are schema-validated so a service change can never print `undefined` into a
credentials file. Creating access keys requires the admin role in the
workspace.

This is also the supported credential path for WASM/edge local development
(Supabase Edge Functions, Cloudflare Workers, Deno), where the runtime cannot
read the `~/.cipherstash` device profile: mint a key and feed it via
`supabase functions serve --env-file` or the platform's secret store.

The `STASH_EXPERIMENTAL_ENV_CMD` gate is removed.

### Patch Changes

- 8b2551a: Fix "Failed to load native binding" on project-local installs of the CLI/SDK
(npm). `@cipherstash/auth` was pinned at 0.41.0 while the six
`@cipherstash/auth-*` platform bindings declared in stack/stash/wizard's
optionalDependencies were pinned at 0.42.0. Because auth pins its bindings as
exact-version optional peer dependencies, the skew made npm nest per-consumer
binding copies that the hoisted `auth` package could not resolve — any command
or import touching auth then died at startup. All seven packages now move in
lockstep at 0.42.0, Dependabot is barred from bumping any of them
independently, and a supply-chain CI test fails on any future skew.
- Updated dependencies [3a86939]
- @cipherstash/migrate@1.0.0-rc.1

## 1.0.0-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/cli/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "stash",
"version": "1.0.0-rc.2",
"version": "1.0.0-rc.3",
"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
"repository": {
"type": "git",
Expand Down
60 changes: 60 additions & 0 deletions packages/migrate/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,65 @@
# @cipherstash/migrate

## 1.0.0-rc.1

### Minor Changes

- 3a86939: EQL v3 support for the encryption rollout lifecycle (#648). The `stash
encrypt *` commands (and `@cipherstash/migrate` underneath) now resolve a
column's EQL version and its encrypted counterpart from the **Postgres domain
types** — the EQL v3 types are self-describing, so the `<col>_encrypted`
naming is a convention only, never enforced or relied upon — and follow the
right lifecycle, no new flags:

- **`encrypt backfill`** works on v3 columns unchanged (the engine was always
version-agnostic; pass an `EncryptionV3` client and real v3 envelopes land
in the concrete `eql_v3_*` domain column — verified live against a real
database, including the domain CHECK and a decrypt round-trip). The
manifest records the detected version, the encrypted column's name, and the
v3 target phase, and the command prints v3-appropriate next steps.
- **`encrypt cutover`** on a backfilled v3 column reports "not applicable"
(exit 0) with guidance: v3 has no rename cut-over — the application
switches to the encrypted column by name. Before backfill completes it
exits 1 and says to finish the backfill instead of instructing the switch.
On a database with no `eql_v2_configuration` table (a v3-only install) the
v2 path now explains that instead of surfacing a raw Postgres error.
- **`encrypt drop`** is version-aware: v3 runs from the `backfilled` phase,
**verifies live coverage** (refuses to generate the migration while any row
still has the plaintext set and the encrypted column NULL — the
`countUnencrypted` check), and drops the ORIGINAL plaintext column (there
is no `<col>_plaintext` under v3); v2 behaviour is unchanged. The generated
v3 migration **re-verifies coverage at apply time** — it locks the table,
re-counts, and aborts without dropping if plaintext-only rows appeared
after generation. And because dropping is the one irreversible step, it
requires a positively asserted plaintext↔ciphertext pairing (the
manifest's recorded `encryptedColumn` or the naming convention): a match
found only by being the table's sole EQL column is refused with
instructions, and an ambiguous table (several EQL columns, none
identifiable) fails closed listing the candidates — as does `cutover`.
- **`encrypt status`** classifies each column from the observed domain type
(manifest as fallback), shows `v3` in the EQL column, and no longer raises
the v2-only `not-registered` / `plaintext-col-missing` drift flags for v3
columns. `stash status`'s quest ladder and the `stash init` agent handoff
prompt teach the version-appropriate next step (no more "run cutover" on
v3 columns).
- New `@cipherstash/migrate` exports: `classifyEqlDomain`,
`resolveEncryptedColumn`, `pickEncryptedColumn`, `listEncryptedColumns`
(domain-type resolution — case-exact for quoted/mixed-case table names),
`countEncrypted` / `countUnencrypted` (coverage counts), and manifest
`eqlVersion` + `encryptedColumn` fields. `EqlVersion` is numeric (`2 | 3`),
matching the manifest and the installer. Resolved columns carry `via:
'hint' | 'convention' | 'sole'` so callers can tell a positively asserted
pairing from a by-elimination guess.
- Fixed: `encrypt cutover`/`encrypt drop` precondition failures now actually
exit 1 — the early-return guards previously skipped the exit-code path
entirely, so failed preconditions exited 0. (This also applies to v2
preconditions: scripted pipelines that relied on the erroneous exit 0 will
now see the documented exit 1.)

The `stash-cli` and `stash-encryption` skills and the `@cipherstash/migrate`
README document the two lifecycles (v2: backfill → cutover → drop;
v3: backfill → switch-by-name → drop).

## 1.0.0-rc.0

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/migrate/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/migrate",
"version": "1.0.0-rc.0",
"version": "1.0.0-rc.1",
"description": "Plaintext-to-encrypted column migration for CipherStash: resumable backfill, per-column state, and EQL lifecycle orchestration.",
"repository": {
"type": "git",
Expand Down
7 changes: 7 additions & 0 deletions packages/prisma-next/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# @cipherstash/prisma-next

## 1.0.0-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3

## 1.0.0-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/prisma-next/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/prisma-next",
"version": "1.0.0-rc.2",
"version": "1.0.0-rc.3",
"license": "MIT",
"author": "CipherStash <support@cipherstash.com>",
"description": "CipherStash extension for Prisma Next: searchable application-layer field-level encryption for Postgres, with six encrypted column types, 17 query operators, bulk encrypt/decrypt middleware, and a baseline migration that installs the vendored EQL bundle SQL byte-for-byte.",
Expand Down
7 changes: 7 additions & 0 deletions packages/stack-drizzle/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# @cipherstash/stack-drizzle

## 1.0.0-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3

## 1.0.0-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/stack-drizzle/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/stack-drizzle",
"version": "1.0.0-rc.2",
"version": "1.0.0-rc.3",
"description": "CipherStash Stack Drizzle ORM integration: searchable, application-layer field-level encryption for PostgreSQL.",
"keywords": [
"encrypted",
Expand Down
7 changes: 7 additions & 0 deletions packages/stack-supabase/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# @cipherstash/stack-supabase

## 1.0.0-rc.3

### Patch Changes

- Updated dependencies [8b2551a]
- @cipherstash/stack@1.0.0-rc.3

## 1.0.0-rc.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/stack-supabase/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/stack-supabase",
"version": "1.0.0-rc.2",
"version": "1.0.0-rc.3",
"description": "CipherStash Stack Supabase integration: transparent, searchable field-level encryption for Supabase.",
"keywords": [
"encrypted",
Expand Down
Loading