Releases: cipherstash/stack
Release list
stash@0.17.1
Patch Changes
-
cb8fa1d: Fix two config-scaffold dead-ends in the CLI (#578, #579).
- Missing config is now actionable. When a command that needs a
stash.config.tscan't find one, the error recommendsstash init/
stash eql install(runner-aware) instead of only telling you to hand-write
the file. stash eql installno longer requires astash.config.ts. It only needs
a database URL, so it now resolves one directly (--database-url→ env →
supabase status→ prompt) instead of scaffolding a config and loading it.
That means a standalonenpx stash eql install --database-url ...works in a
bare project with zero dependencies — no more crash with a raw
Cannot find module 'stash'from the config'simport. A plain
stash eql installstill honours an existing config (later workflow commands
rely on it) and offers to scaffold one otherwise. An explicit--database-url
is a one-shot install: it resolves that URL directly and leaves the project
untouched — no config or client is scaffolded, and an existing config is
bypassed so the flag can't be silently overridden by a hand-edited literal
databaseUrl(including one in a parent directory).- As a safety net,
loadStashConfigtranslates a missing-module load failure
(a project that has a config but lacks the CLI packages) into the same
actionable guidance for every command, instead of a jiti/Node stack trace.
- Missing config is now actionable. When a command that needs a
-
cbece82: Render per-command
--helpfrom the command-descriptor registry, and slim the
global banner. This is the documented follow-on to the manifest/registry work in
docs/plans/cli-help-and-manifest.md.stash <command> --helpnow prints command-specific help instead of the global
banner. A leaf command (stash eql install --help,stash auth login --help)
shows its usage, summary, long description, flags, and examples; a command
group (stash eql --help,stash auth --help) lists its subcommands and points
at their own--help. All of it renders fromsrc/cli/registry.ts, so it can't
drift fromstash manifest.-his now honoured after a command too (stash eql install -h), not just as a
barestash -h.- The global
stash --helpbanner no longer inlines every command's flags; it
lists the commands and directs users to<command> --helpfor the detail.
@cipherstash/nextjs@4.1.1
Patch Changes
- aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.
@cipherstash/drizzle@3.0.3
Patch Changes
- aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.
stash@0.16.0
Minor Changes
-
f743fcc: Upgrade
@cipherstash/protect-ffito0.23.0and the bundled CipherStash EQL extension toeql-2.3.1.Breaking upstream changes adopted in this release:
- Encrypt-config schema version:
buildEncryptConfignow emits{ v: 1, ... }(was{ v: 2, ... }). protect-ffi0.22.0started validating this field and rejects any value other than1with the newUNSUPPORTED_CONFIG_VERSIONerror code. - Storage and query payloads are now distinct types (protect-ffi
0.23.0): the previously-conflatedEncryptedtype splits intoEncrypted(storage-only,crequired) and a newEncryptedQuery(search terms — scalarunique/match/orelookups andste_vec_selectorJSON path queries; noc). JSON containment queries (ste_vec_term) still return a storage-shapedEncryptedpayload.encryptQuery/encryptQueryBulknow returnEncrypted | EncryptedQuery, and the stack'sEncryptedSearchTerm/EncryptedQueryResultunions widen to match.decryptrejects query payloads at the type level. The DynamoDBSearchTermsOperationnarrows via'hm' in termrather thanterm.hm. - SteVec encoding default flipped: protect-ffi's default
modeforste_vecindexes changed fromcompattostandard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed undercompatwill need to be re-encrypted to be queryable. The stack adopts the newstandarddefault — there is no longer a way to pincompatfrom the SDK. - EQL extension bumped to
eql-2.3.1: the new SteVecstandardencoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the@cipherstash/prisma-nextinstall bundle (migrations/20260601T0000_install_eql_bundle/ops.json+eql-install.generated.ts) are updated toeql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work.eql-2.3.1ships the_encrypted_check_cfix for SteVec storage payloads (cipherstash/encrypt-query-language#232). - New error codes:
ProtectErrorCode(re-exported from@cipherstash/protect-ffi) gainsMATCH_REQUIRES_TEXTandUNSUPPORTED_CONFIG_VERSION. Exhaustive switches overProtectErrorCodewill need additional cases. matchindex validation: protect-ffi now rejectsmatchindexes on columns whosecast_asis not text-family ('text'/'string') withMATCH_REQUIRES_TEXT. The stack'sfreeTextSearch()builder is unaffected because it only targets string-typed columns.Encryptedciphertext shape: protect-ffi'sEncryptedtype is now a discriminated union keyed onk('ct'for scalars,'sv'for SteVec). SteVec storage payloads now place the root document ciphertext atsv[0].c. The stack'sisEncryptedPayloadruntime check continues to work because storage payloads still carryc(scalar) orsv(SteVec). The DynamoDB helpers (toEncryptedDynamoItem,SearchTermsOperation) now narrow onkbefore reading variant-only fields.- Config-validation error message wording: error messages for config-validation failures now come from upstream
ConfigError.ProtectError.codevalues are preserved; consumers that string-match onerr.messagefor config-validation errors must update.
- Encrypt-config schema version:
-
bb9764d:
stash db pushis no longer included by default instash plan/stash implagent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer seestash db pushbaked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.Pass
--proxytostash init(or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to.cipherstash/context.jsonasusesProxyand is honoured bystash plan,stash impl, and the wizard's post-agent step. Existing.cipherstash/context.jsonfiles without the field default to SDK-only.Known gap:
stash encrypt cutovercurrently requires a pending EQL config registered viastash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: runstash db pushonce beforestash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.
Patch Changes
- 8fe2496:
stash implandstash planno longer hang in non-TTY contexts (CI, pipes, automation harnesses). The agent-target picker previously read from/dev/ttyand waited forever. You can now pass--target <claude-code|codex|agents-md|wizard>to select a handoff target non-interactively, and when neither--targetnor a TTY is available the command prints a hint and exits cleanly instead of blocking.- @cipherstash/migrate@0.2.0
@cipherstash/wizard@0.3.0
Minor Changes
-
bb9764d:
stash db pushis no longer included by default instash plan/stash implagent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer seestash db pushbaked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.Pass
--proxytostash init(or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to.cipherstash/context.jsonasusesProxyand is honoured bystash plan,stash impl, and the wizard's post-agent step. Existing.cipherstash/context.jsonfiles without the field default to SDK-only.Known gap:
stash encrypt cutovercurrently requires a pending EQL config registered viastash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: runstash db pushonce beforestash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.
@cipherstash/stack@0.18.0
Minor Changes
-
6e7ae4e: Export the operation classes returned by the encryption and DynamoDB clients as public API.
The classes returned from public methods are now exported and documented in the API reference, so their types can be named and their TSDoc links resolve.
- From
@cipherstash/stack/encryption:EncryptOperation,EncryptQueryOperation,BatchEncryptQueryOperation,DecryptOperation,EncryptModelOperation,DecryptModelOperation,BulkEncryptOperation,BulkDecryptOperation,BulkEncryptModelsOperation,BulkDecryptModelsOperation.EncryptQueryOperationandBatchEncryptQueryOperationwere previously marked@internal; since they are returned fromEncryptionClient.encryptQuery, they are now public for consistency with the other operations. - From
@cipherstash/stack/dynamodb:EncryptModelOperation,DecryptModelOperation,BulkEncryptModelsOperation,BulkDecryptModelsOperation. - From
@cipherstash/stack/types:EncryptedQueryandEncryptedFromSchema.
The
*WithLockContextvariants returned by.withLockContext()remain internal — they share the same awaitable shape and are not intended to be named directly.No runtime behaviour changes; this only widens the exported surface and corrects TSDoc cross-references that previously failed to resolve.
- From
-
712d7fa: Fix: restore runtime null short-circuits in the encryption operation classes.
A prior refactor (
feat(stack): remove null from Encrypted type) tightened the type signatures to disallownulland, alongside that, deleted theif (value === null) return nullguards from every operation inpackages/stack/src/encryption/operations/. The type guard does not survive runtime: callers reaching the operation through a cast (e.g.null as any), dynamic model walking, or JS interop would then have their null silently encrypted by protect-ffi into a real SteVec ciphertext ({ k: 'sv', v: 2, ... }) — which is observable, surprising, and breaks symmetry with the model-helpers layer that does still treat null as "absent" at the field level.Restored, mirroring the pattern in
@cipherstash/protect:encrypt/encryptWithLockContext:if (plaintext === null) return null.bulkEncrypt/bulkEncryptWithLockContext: per-element null filter; nulls are preserved in position in the output.decrypt/decryptWithLockContext:if (encryptedData === null) return null.bulkDecrypt/bulkDecryptWithLockContext: per-element null filter, position-preserving merge.encryptQuery/encryptQueryWithLockContext:if (plaintext === null || plaintext === undefined) return { data: null }.batchEncryptQuery/batchEncryptQueryWithLockContext: per-element null/undefined filter; null slots in the input array stay null in the result array.
Type adjustments to support the runtime behavior honestly:
BulkEncryptPayload['plaintext'],BulkEncryptedData['data'],BulkDecryptPayload['data'], and theTofBulkDecryptedDataall widen to... | null. Bulk APIs now accept and return mixed nullable arrays without filtering ahead of time.EncryptedQueryResultwidens to includenullso the batch query path can return position-stable arrays with null slots.Encryption.encrypt()andEncryption.decrypt()public signatures are unchanged — still narrow (JsPlaintext/Encryptedinput,Encrypted/JsPlaintextnon-nullable output). The runtime null short-circuit inEncryptOperation/DecryptOperationis defense in depth for callers reaching the operation classes through casts, dynamic field walking, or JS interop. The narrow-return contract holds for any caller that respects the input contract.
@cipherstash/schema@3.0.0
Major Changes
-
f743fcc: Upgrade
@cipherstash/protect-ffito0.23.0and the bundled CipherStash EQL extension toeql-2.3.1.Breaking upstream changes adopted in this release:
- Encrypt-config schema version:
buildEncryptConfignow emits{ v: 1, ... }(was{ v: 2, ... }). protect-ffi0.22.0started validating this field and rejects any value other than1with the newUNSUPPORTED_CONFIG_VERSIONerror code. - Storage and query payloads are now distinct types (protect-ffi
0.23.0): the previously-conflatedEncryptedtype splits intoEncrypted(storage-only,crequired) and a newEncryptedQuery(search terms — scalarunique/match/orelookups andste_vec_selectorJSON path queries; noc). JSON containment queries (ste_vec_term) still return a storage-shapedEncryptedpayload.encryptQuery/encryptQueryBulknow returnEncrypted | EncryptedQuery, and the stack'sEncryptedSearchTerm/EncryptedQueryResultunions widen to match.decryptrejects query payloads at the type level. The DynamoDBSearchTermsOperationnarrows via'hm' in termrather thanterm.hm. - SteVec encoding default flipped: protect-ffi's default
modeforste_vecindexes changed fromcompattostandard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed undercompatwill need to be re-encrypted to be queryable. The stack adopts the newstandarddefault — there is no longer a way to pincompatfrom the SDK. - EQL extension bumped to
eql-2.3.1: the new SteVecstandardencoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the@cipherstash/prisma-nextinstall bundle (migrations/20260601T0000_install_eql_bundle/ops.json+eql-install.generated.ts) are updated toeql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work.eql-2.3.1ships the_encrypted_check_cfix for SteVec storage payloads (cipherstash/encrypt-query-language#232). - New error codes:
ProtectErrorCode(re-exported from@cipherstash/protect-ffi) gainsMATCH_REQUIRES_TEXTandUNSUPPORTED_CONFIG_VERSION. Exhaustive switches overProtectErrorCodewill need additional cases. matchindex validation: protect-ffi now rejectsmatchindexes on columns whosecast_asis not text-family ('text'/'string') withMATCH_REQUIRES_TEXT. The stack'sfreeTextSearch()builder is unaffected because it only targets string-typed columns.Encryptedciphertext shape: protect-ffi'sEncryptedtype is now a discriminated union keyed onk('ct'for scalars,'sv'for SteVec). SteVec storage payloads now place the root document ciphertext atsv[0].c. The stack'sisEncryptedPayloadruntime check continues to work because storage payloads still carryc(scalar) orsv(SteVec). The DynamoDB helpers (toEncryptedDynamoItem,SearchTermsOperation) now narrow onkbefore reading variant-only fields.- Config-validation error message wording: error messages for config-validation failures now come from upstream
ConfigError.ProtectError.codevalues are preserved; consumers that string-match onerr.messagefor config-validation errors must update.
- Encrypt-config schema version:
@cipherstash/protect@12.0.0
Major Changes
-
f743fcc: Upgrade
@cipherstash/protect-ffito0.23.0and the bundled CipherStash EQL extension toeql-2.3.1.Breaking upstream changes adopted in this release:
- Encrypt-config schema version:
buildEncryptConfignow emits{ v: 1, ... }(was{ v: 2, ... }). protect-ffi0.22.0started validating this field and rejects any value other than1with the newUNSUPPORTED_CONFIG_VERSIONerror code. - Storage and query payloads are now distinct types (protect-ffi
0.23.0): the previously-conflatedEncryptedtype splits intoEncrypted(storage-only,crequired) and a newEncryptedQuery(search terms — scalarunique/match/orelookups andste_vec_selectorJSON path queries; noc). JSON containment queries (ste_vec_term) still return a storage-shapedEncryptedpayload.encryptQuery/encryptQueryBulknow returnEncrypted | EncryptedQuery, and the stack'sEncryptedSearchTerm/EncryptedQueryResultunions widen to match.decryptrejects query payloads at the type level. The DynamoDBSearchTermsOperationnarrows via'hm' in termrather thanterm.hm. - SteVec encoding default flipped: protect-ffi's default
modeforste_vecindexes changed fromcompattostandard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed undercompatwill need to be re-encrypted to be queryable. The stack adopts the newstandarddefault — there is no longer a way to pincompatfrom the SDK. - EQL extension bumped to
eql-2.3.1: the new SteVecstandardencoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the@cipherstash/prisma-nextinstall bundle (migrations/20260601T0000_install_eql_bundle/ops.json+eql-install.generated.ts) are updated toeql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work.eql-2.3.1ships the_encrypted_check_cfix for SteVec storage payloads (cipherstash/encrypt-query-language#232). - New error codes:
ProtectErrorCode(re-exported from@cipherstash/protect-ffi) gainsMATCH_REQUIRES_TEXTandUNSUPPORTED_CONFIG_VERSION. Exhaustive switches overProtectErrorCodewill need additional cases. matchindex validation: protect-ffi now rejectsmatchindexes on columns whosecast_asis not text-family ('text'/'string') withMATCH_REQUIRES_TEXT. The stack'sfreeTextSearch()builder is unaffected because it only targets string-typed columns.Encryptedciphertext shape: protect-ffi'sEncryptedtype is now a discriminated union keyed onk('ct'for scalars,'sv'for SteVec). SteVec storage payloads now place the root document ciphertext atsv[0].c. The stack'sisEncryptedPayloadruntime check continues to work because storage payloads still carryc(scalar) orsv(SteVec). The DynamoDB helpers (toEncryptedDynamoItem,SearchTermsOperation) now narrow onkbefore reading variant-only fields.- Config-validation error message wording: error messages for config-validation failures now come from upstream
ConfigError.ProtectError.codevalues are preserved; consumers that string-match onerr.messagefor config-validation errors must update.
- Encrypt-config schema version:
Patch Changes
- Updated dependencies [f743fcc]
- @cipherstash/schema@3.0.0
@cipherstash/protect-dynamodb@12.0.0
Patch Changes
-
f743fcc: Upgrade
@cipherstash/protect-ffito0.23.0and the bundled CipherStash EQL extension toeql-2.3.1.Breaking upstream changes adopted in this release:
- Encrypt-config schema version:
buildEncryptConfignow emits{ v: 1, ... }(was{ v: 2, ... }). protect-ffi0.22.0started validating this field and rejects any value other than1with the newUNSUPPORTED_CONFIG_VERSIONerror code. - Storage and query payloads are now distinct types (protect-ffi
0.23.0): the previously-conflatedEncryptedtype splits intoEncrypted(storage-only,crequired) and a newEncryptedQuery(search terms — scalarunique/match/orelookups andste_vec_selectorJSON path queries; noc). JSON containment queries (ste_vec_term) still return a storage-shapedEncryptedpayload.encryptQuery/encryptQueryBulknow returnEncrypted | EncryptedQuery, and the stack'sEncryptedSearchTerm/EncryptedQueryResultunions widen to match.decryptrejects query payloads at the type level. The DynamoDBSearchTermsOperationnarrows via'hm' in termrather thanterm.hm. - SteVec encoding default flipped: protect-ffi's default
modeforste_vecindexes changed fromcompattostandard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed undercompatwill need to be re-encrypted to be queryable. The stack adopts the newstandarddefault — there is no longer a way to pincompatfrom the SDK. - EQL extension bumped to
eql-2.3.1: the new SteVecstandardencoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the@cipherstash/prisma-nextinstall bundle (migrations/20260601T0000_install_eql_bundle/ops.json+eql-install.generated.ts) are updated toeql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work.eql-2.3.1ships the_encrypted_check_cfix for SteVec storage payloads (cipherstash/encrypt-query-language#232). - New error codes:
ProtectErrorCode(re-exported from@cipherstash/protect-ffi) gainsMATCH_REQUIRES_TEXTandUNSUPPORTED_CONFIG_VERSION. Exhaustive switches overProtectErrorCodewill need additional cases. matchindex validation: protect-ffi now rejectsmatchindexes on columns whosecast_asis not text-family ('text'/'string') withMATCH_REQUIRES_TEXT. The stack'sfreeTextSearch()builder is unaffected because it only targets string-typed columns.Encryptedciphertext shape: protect-ffi'sEncryptedtype is now a discriminated union keyed onk('ct'for scalars,'sv'for SteVec). SteVec storage payloads now place the root document ciphertext atsv[0].c. The stack'sisEncryptedPayloadruntime check continues to work because storage payloads still carryc(scalar) orsv(SteVec). The DynamoDB helpers (toEncryptedDynamoItem,SearchTermsOperation) now narrow onkbefore reading variant-only fields.- Config-validation error message wording: error messages for config-validation failures now come from upstream
ConfigError.ProtectError.codevalues are preserved; consumers that string-match onerr.messagefor config-validation errors must update.
- Encrypt-config schema version:
-
Updated dependencies [f743fcc]
- @cipherstash/protect@12.0.0