Skip to content

feat(cli): read EQL v3 install SQL from @cipherstash/eql at runtime (CIP-3518)#692

Open
coderdan wants to merge 1 commit into
mainfrom
feat/eql-v3-source-from-package
Open

feat(cli): read EQL v3 install SQL from @cipherstash/eql at runtime (CIP-3518)#692
coderdan wants to merge 1 commit into
mainfrom
feat/eql-v3-source-from-package

Conversation

@coderdan

@coderdan coderdan commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Why

The v3 install SQL was vendored into packages/cli/src/sql/cipherstash-encrypt-v3.sql (~44k lines) by a build script (gen:eql-v3-sql), sha256-verified against the pinned @cipherstash/eql. That copy defeats the point of depending on @cipherstash/eql:

  • it drifts from the pin on every bump (a manual re-vendor is required), and
  • as ~44k lines of plpgsql in the tree, it made GitHub classify the whole repo as plpgsql (CIP-3518, Supabase-launch milestone).

What

Read it from the package at runtime instead — @cipherstash/eql is the single source of truth (the same readInstallSql() the @cipherstash/stack installer and prisma-next already consume):

  • readV3InstallSql() calls @cipherstash/eql/sql readInstallSql(); the v3 branches of loadBundledEqlSql and EQLInstaller route to it, so resolveBundledFilename is now v2-only.
  • @cipherstash/eql moves devDependency → dependency, externalized in tsup so the real package (and its dist/sql/*.sql) resolves at runtime (the bin already externalizes all deps via skipNodeModulesBundle).
  • Delete cipherstash-encrypt-v3.sql + scripts/build-eql-v3-sql.mjs + the gen:eql-v3-sql script and its CI drift-check.

Net: −44,130 lines. A @cipherstash/eql bump now flows straight through.

No behaviour change

Same one-artifact v3 bundle. There is no Supabase/no-operator-family variant for v3 — the bundle self-adapts to non-superuser environments (its operator-class statements run inside a DO block that catches insufficient_privilege and skips, then disables the ORE domains if absent). The v2 path (vendored .sql, variant selection) is untouched.

Verified

  • readInstallSql() returns the v3 bundle (1.67 MB, correct content) resolved from the installed package.
  • Built bin reads it from an external cwd (verified via the eql migration dry-run on the stacked branch, which shares this installer code).
  • 540 cli unit green (incl. the v3 load path), build + biome clean, pnpm install --frozen-lockfile consistent.

Changeset: stash patch.

Follow-ups (separate): the v2 vendored files (~22k more plpgsql lines) still sit in the tree — fully closing CIP-3518 means dropping v2 or sourcing it likewise; and a repo-wide @cipherstash/eql 3.0.0 → 3.0.1 bump (npm latest) with a prisma-next re-emit.

https://claude.ai/code/session_01MxTTPaPP16m6br7Hoab94w

Summary by CodeRabbit

  • Bug Fixes
    • Improved EQL v3 installation reliability by loading the installation SQL directly from the bundled EQL package.
    • Updated installer messaging to clarify how EQL v3 handles the --latest option.
    • Preserved the existing EQL v2 installation flow.

…CIP-3518)

The v3 install SQL was vendored into packages/cli/src/sql/cipherstash-encrypt-v3.sql
(~44k lines) by a build script (gen:eql-v3-sql), sha256-verified against the pinned
@cipherstash/eql. That copy defeats the point of depending on @cipherstash/eql: it
drifts from the pin on every bump (re-vendor required) and — as ~44k lines of
plpgsql in the tree — made GitHub classify the whole repo as plpgsql (CIP-3518).

Read it from the package at runtime instead:
- `readV3InstallSql()` calls `@cipherstash/eql/sql` `readInstallSql()` (the same
  source the stack + prisma-next consume); the v3 branches of `loadBundledEqlSql`
  and `EQLInstaller` route to it, so `resolveBundledFilename` is now v2-only.
- `@cipherstash/eql` moves devDependency → dependency, externalized in tsup so the
  real package (and its `dist/sql/*.sql`) resolves at runtime.
- Delete `cipherstash-encrypt-v3.sql` + `scripts/build-eql-v3-sql.mjs` + the
  `gen:eql-v3-sql` script and its CI drift-check (tests.yml).

No behaviour change: same one-artifact v3 bundle (self-adapts to non-superuser /
Supabase via the DO-block privilege catch), v2 path untouched. A `@cipherstash/eql`
bump now flows straight through. 557 cli unit green; bundle read verified via the
bin from an external cwd.

Claude-Session: https://claude.ai/code/session_01MxTTPaPP16m6br7Hoab94w
@coderdan
coderdan requested a review from a team as a code owner July 17, 2026 13:53
@changeset-bot

changeset-bot Bot commented Jul 17, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 8d46579

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
stash Patch
@cipherstash/basic-example Patch
@cipherstash/e2e Patch
@cipherstash/stack Patch
@cipherstash/stack-drizzle Patch
@cipherstash/stack-supabase Patch
@cipherstash/prisma-next Patch
@cipherstash/wizard Patch
@cipherstash/bench Patch
@cipherstash/test-kit Patch
@cipherstash/prisma-next-example Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e5a9b78f-bb93-415f-97a3-c91a192deabb

📥 Commits

Reviewing files that changed from the base of the PR and between 457705c and 8d46579.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
  • .changeset/eql-v3-source-from-package.md
  • .github/workflows/tests.yml
  • packages/cli/package.json
  • packages/cli/scripts/build-eql-v3-sql.mjs
  • packages/cli/src/installer/index.ts
  • packages/cli/src/sql/cipherstash-encrypt-v3.sql
  • packages/cli/tsup.config.ts
💤 Files with no reviewable changes (2)
  • packages/cli/scripts/build-eql-v3-sql.mjs
  • .github/workflows/tests.yml

📝 Walkthrough

Walkthrough

Changes

EQL v3 runtime source

Layer / File(s) Summary
Runtime package and build wiring
packages/cli/package.json, packages/cli/tsup.config.ts
The CLI uses @cipherstash/eql as a runtime dependency, and the EQL modules are externalized from the build output.
Installer runtime routing
packages/cli/src/installer/index.ts
EQL v3 SQL is read through readInstallSql() with wrapped errors; v2 continues using the bundled-file path, while vendored v3 filename resolution now fails explicitly.
Vendoring workflow removal
.github/workflows/tests.yml, .changeset/eql-v3-source-from-package.md
The vendored SQL drift check is removed and the changeset documents runtime sourcing for v3 and the unchanged v2 path.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related issues

  • cipherstash/stack issue 690 — Proposes migration generation built on the EQL v3 runtime loader changed here.

Possibly related PRs

Suggested reviewers: calvinbrewer

Sequence Diagram(s)

sequenceDiagram
  participant EQLInstaller
  participant readV3InstallSql
  participant EQLPackage as `@cipherstash/eql`
  EQLInstaller->>readV3InstallSql: request v3 install SQL
  readV3InstallSql->>EQLPackage: readInstallSql()
  EQLPackage-->>readV3InstallSql: return SQL bundle
  readV3InstallSql-->>EQLInstaller: return SQL or wrapped error
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: CLI now reads EQL v3 install SQL from @cipherstash/eql at runtime.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/eql-v3-source-from-package

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant