| stash | patch |
|---|
Refresh the bundled stash-cli agent skill and the CLI README against the current
command surface. The skills directory ships inside the stash tarball and is copied
into the user's .claude/skills/ / .codex/skills/ (or inlined into AGENTS.md) at
handoff time, so a stale skill becomes stale guidance in the user's project.
- New
Start hereandAuthenticationsections. Setup is driven through the CLI: agents readstash manifest --jsonfirst, then triggerstash auth login --jsonand surface the verification URL for a human to approve, then runstash init. Authenticating beforeinitmatters —init's auth step is interactive and would otherwise try to open a browser on the agent's host. - New
Never read theseinvariant, mirrored into theAGENTS.mddoctrine: agents must never read~/.cipherstash/secretkey.json,~/.cipherstash/auth.json, anything under~/.cipherstash/workspaces/, or.env*. The wizard already blocks these paths in code; the other handoff targets had no written rule. - Documents
manifest,doctor,wizard, andauth regions, which the skill omitted entirely, plus the non-interactive interface (per-command escape hatches, exit codes, theDATABASE_URLresolution order, theauth login --jsonNDJSON event contract). - Corrects the
db→eqlmove.db install,db upgrade, anddb statusare deprecated aliases that warn and forward;db push,db activate,db validate,db test-connection, anddb migrateremain in thedbgroup. - Scopes
db push/db activateas EQL v2 + CipherStash Proxy only, in both the skill and the README's recommended flow. SDK users hold their encryption config in application code and don't need them. - Adds the missing
--database-url,--eql-version,--prisma-next,--proxy/--no-proxy, and--regionflags; corrects six programmatic API signatures; fixes the README's claim thatstash initends in an agent-handoff menu (that belongs tostash plan/stash impl); and marksstash envas the non-functional stub it currently is.