Skip to content

Releases: cipherstash/stack

stash@0.17.1

Choose a tag to compare

@github-actions github-actions released this 08 Jul 11:46
c67169f

Patch Changes

  • cb8fa1d: Fix two config-scaffold dead-ends in the CLI (#578, #579).

    • Missing config is now actionable. When a command that needs a
      stash.config.ts can't find one, the error recommends stash init /
      stash eql install (runner-aware) instead of only telling you to hand-write
      the file.
    • stash eql install no longer requires a stash.config.ts. It only needs
      a database URL, so it now resolves one directly (--database-url → env →
      supabase status → prompt) instead of scaffolding a config and loading it.
      That means a standalone npx stash eql install --database-url ... works in a
      bare project with zero dependencies — no more crash with a raw
      Cannot find module 'stash' from the config's import. A plain
      stash eql install still honours an existing config (later workflow commands
      rely on it) and offers to scaffold one otherwise. An explicit --database-url
      is a one-shot install: it resolves that URL directly and leaves the project
      untouched — no config or client is scaffolded, and an existing config is
      bypassed so the flag can't be silently overridden by a hand-edited literal
      databaseUrl (including one in a parent directory).
    • As a safety net, loadStashConfig translates a missing-module load failure
      (a project that has a config but lacks the CLI packages) into the same
      actionable guidance for every command, instead of a jiti/Node stack trace.
  • cbece82: Render per-command --help from the command-descriptor registry, and slim the
    global banner. This is the documented follow-on to the manifest/registry work in
    docs/plans/cli-help-and-manifest.md.

    • stash <command> --help now prints command-specific help instead of the global
      banner. A leaf command (stash eql install --help, stash auth login --help)
      shows its usage, summary, long description, flags, and examples; a command
      group (stash eql --help, stash auth --help) lists its subcommands and points
      at their own --help. All of it renders from src/cli/registry.ts, so it can't
      drift from stash manifest.
    • -h is now honoured after a command too (stash eql install -h), not just as a
      bare stash -h.
    • The global stash --help banner no longer inlines every command's flags; it
      lists the commands and directs users to <command> --help for the detail.

@cipherstash/nextjs@4.1.1

Choose a tag to compare

@github-actions github-actions released this 08 Jul 05:43
7dba25d

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

@cipherstash/drizzle@3.0.3

Choose a tag to compare

@github-actions github-actions released this 08 Jul 05:43
7dba25d

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

stash@0.16.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Minor Changes

  • f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

    Breaking upstream changes adopted in this release:

    • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
    • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
    • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
    • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
    • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
    • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
    • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
    • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.
  • bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

    Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

    Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

Patch Changes

  • 8fe2496: stash impl and stash plan no longer hang in non-TTY contexts (CI, pipes, automation harnesses). The agent-target picker previously read from /dev/tty and waited forever. You can now pass --target <claude-code|codex|agents-md|wizard> to select a handoff target non-interactively, and when neither --target nor a TTY is available the command prints a hint and exits cleanly instead of blocking.
    • @cipherstash/migrate@0.2.0

@cipherstash/wizard@0.3.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Minor Changes

  • bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

    Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

    Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

@cipherstash/stack@0.18.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Minor Changes

  • 6e7ae4e: Export the operation classes returned by the encryption and DynamoDB clients as public API.

    The classes returned from public methods are now exported and documented in the API reference, so their types can be named and their TSDoc links resolve.

    • From @cipherstash/stack/encryption: EncryptOperation, EncryptQueryOperation, BatchEncryptQueryOperation, DecryptOperation, EncryptModelOperation, DecryptModelOperation, BulkEncryptOperation, BulkDecryptOperation, BulkEncryptModelsOperation, BulkDecryptModelsOperation. EncryptQueryOperation and BatchEncryptQueryOperation were previously marked @internal; since they are returned from EncryptionClient.encryptQuery, they are now public for consistency with the other operations.
    • From @cipherstash/stack/dynamodb: EncryptModelOperation, DecryptModelOperation, BulkEncryptModelsOperation, BulkDecryptModelsOperation.
    • From @cipherstash/stack/types: EncryptedQuery and EncryptedFromSchema.

    The *WithLockContext variants returned by .withLockContext() remain internal — they share the same awaitable shape and are not intended to be named directly.

    No runtime behaviour changes; this only widens the exported surface and corrects TSDoc cross-references that previously failed to resolve.

  • 712d7fa: Fix: restore runtime null short-circuits in the encryption operation classes.

    A prior refactor (feat(stack): remove null from Encrypted type) tightened the type signatures to disallow null and, alongside that, deleted the if (value === null) return null guards from every operation in packages/stack/src/encryption/operations/. The type guard does not survive runtime: callers reaching the operation through a cast (e.g. null as any), dynamic model walking, or JS interop would then have their null silently encrypted by protect-ffi into a real SteVec ciphertext ({ k: 'sv', v: 2, ... }) — which is observable, surprising, and breaks symmetry with the model-helpers layer that does still treat null as "absent" at the field level.

    Restored, mirroring the pattern in @cipherstash/protect:

    • encrypt / encryptWithLockContext: if (plaintext === null) return null.
    • bulkEncrypt / bulkEncryptWithLockContext: per-element null filter; nulls are preserved in position in the output.
    • decrypt / decryptWithLockContext: if (encryptedData === null) return null.
    • bulkDecrypt / bulkDecryptWithLockContext: per-element null filter, position-preserving merge.
    • encryptQuery / encryptQueryWithLockContext: if (plaintext === null || plaintext === undefined) return { data: null }.
    • batchEncryptQuery / batchEncryptQueryWithLockContext: per-element null/undefined filter; null slots in the input array stay null in the result array.

    Type adjustments to support the runtime behavior honestly:

    • BulkEncryptPayload['plaintext'], BulkEncryptedData['data'], BulkDecryptPayload['data'], and the T of BulkDecryptedData all widen to ... | null. Bulk APIs now accept and return mixed nullable arrays without filtering ahead of time.
    • EncryptedQueryResult widens to include null so the batch query path can return position-stable arrays with null slots.
    • Encryption.encrypt() and Encryption.decrypt() public signatures are unchanged — still narrow (JsPlaintext / Encrypted input, Encrypted / JsPlaintext non-nullable output). The runtime null short-circuit in EncryptOperation / DecryptOperation is defense in depth for callers reaching the operation classes through casts, dynamic field walking, or JS interop. The narrow-return contract holds for any caller that respects the input contract.

@cipherstash/schema@3.0.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Major Changes

  • f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

    Breaking upstream changes adopted in this release:

    • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
    • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
    • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
    • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
    • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
    • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
    • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
    • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

@cipherstash/protect@12.0.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Major Changes

  • f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

    Breaking upstream changes adopted in this release:

    • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
    • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
    • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
    • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
    • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
    • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
    • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
    • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

Patch Changes

  • Updated dependencies [f743fcc]
    • @cipherstash/schema@3.0.0

@cipherstash/protect-dynamodb@12.0.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Patch Changes

  • f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

    Breaking upstream changes adopted in this release:

    • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
    • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
    • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
    • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
    • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
    • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
    • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
    • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.
  • Updated dependencies [f743fcc]

    • @cipherstash/protect@12.0.0

@cipherstash/prisma-next@0.3.1

Choose a tag to compare

@github-actions github-actions released this 02 Jun 04:08
917b5c0

Patch Changes

  • Updated dependencies [6e7ae4e]
  • Updated dependencies [712d7fa]
    • @cipherstash/stack@0.18.0