Merge branch 'main' of https://github.com/cipherstash/stack into feat/allow-claude-yolo

Author: calvinbrewer

packages/cli/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @cipherstash/cli
 
+## 0.13.0
+
+### Minor Changes
+
+- e16b282: Split agent handoff out of `stash init` into a new `stash impl` command. `init` now owns scaffolding only (auth, database, encryption client, EQL extension) and exits at a clean checkpoint pointing at `stash impl`. `stash impl` derives plan-vs-implement mode from disk state — if `.cipherstash/plan.md` is missing it asks the agent to draft a plan; if it exists, the agent executes the plan as the source of truth. `--continue-without-plan` skips the planning checkpoint after an interactive confirmation. The earlier in-init `Plan first / Go straight to implementation` picker is removed in favour of the new command boundary.
+- db163e1: `stash impl` now renders a plan summary panel and asks the user to confirm before launching the implementation agent. When a plan exists, the CLI parses a machine-readable `<!-- cipherstash:plan-summary {...} -->` block (the planning agent is instructed to emit one at the top of `.cipherstash/plan.md`) and prints column counts, per-column paths, and whether the work is single-deploy or staged across 4 deploys. Default-yes on the confirm so the path of least resistance is to proceed; saying No exits cleanly. Older plans without the summary block fall back to a soft "open in your editor" panel — never an error. Non-TTY runs (CI, pipes) skip the confirm and proceed.
+- 59b138b: Extract planning into its own `stash plan` command. Three commands now own the setup lifecycle:
+
+  - `stash init` — scaffold (auth, db, deps, EQL). Ends with a chain prompt to `stash plan`.
+  - `stash plan` — draft a reviewable plan at `.cipherstash/plan.md`. Ends with a chain prompt to `stash impl`.
+  - `stash impl` — execute. With a plan, shows the summary panel and confirms. Without one, presents a `Draft a plan first / Continue without a plan` picker (the second option goes through a security confirm). `--continue-without-plan` skips the picker.
+
+  `stash status` reflects the new flow — its "Plan written" stage and `Next:` line route to `stash plan` when init is done but no plan exists. Non-TTY runs of `stash impl` without a plan now error out with a clear next-action rather than guessing intent.
+
+- db163e1: Add `stash status` — a top-level lifecycle map for the project. Reads `.cipherstash/context.json`, `.cipherstash/plan.md`, and `.cipherstash/setup-prompt.md` from disk to render a panel showing whether init is done, whether a plan has been written, and whether an agent has been engaged. Points at `stash db status` for EQL install info and `stash encrypt status` for per-column migration phase. Runs in milliseconds — no auth, no database connection required. The existing `stash db status` is unchanged.
+
 ## 0.12.1
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "stash",
-	"version": "0.12.1",
+	"version": "0.13.0",
 	"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/cli/src/bin/stash.ts

@@ -16,9 +16,12 @@ import * as p from '@clack/prompts'
 // Commands that depend on @cipherstash/stack are lazy-loaded in the switch below.
 import {
   authCommand,
+  dbStatusCommand,
   envCommand,
+  implCommand,
   initCommand,
   installCommand,
+  planCommand,
   statusCommand,
   testConnectionCommand,
   upgradeCommand,
@@ -74,6 +77,9 @@ ${messages.cli.usagePrefix}${STASH} <command> [options]
 
 Commands:
   init                 Initialize CipherStash for your project
+  plan                 Draft a reviewable encryption plan at .cipherstash/plan.md
+  impl                 Execute the plan with a local agent
+  status               Displays implementation status
   auth <subcommand>    Authenticate with CipherStash
   wizard               AI-guided encryption setup (reads your codebase)
 
@@ -104,6 +110,10 @@ Init Flags:
   --supabase           Use Supabase-specific setup flow
   --drizzle            Use Drizzle-specific setup flow
 
+Impl Flags:
+  --continue-without-plan  Skip planning and go straight to implementation
+                           (interactively confirms before proceeding)
+
 DB Flags:
   --force                    (install) Reinstall / overwrite even if already installed
   --dry-run                  (install, push, upgrade) Show what would happen without making changes
@@ -119,6 +129,10 @@ DB Flags:
 Examples:
   ${STASH} init
   ${STASH} init --supabase
+  ${STASH} plan
+  ${STASH} impl
+  ${STASH} impl --continue-without-plan
+  ${STASH} status
   ${STASH} auth login
   ${STASH} wizard
   ${STASH} db install
@@ -224,7 +238,7 @@ async function runDbCommand(
       break
     }
     case 'status':
-      await statusCommand({ databaseUrl })
+      await dbStatusCommand({ databaseUrl })
       break
     case 'test-connection':
       await testConnectionCommand({ databaseUrl })
@@ -367,6 +381,15 @@ async function main() {
     case 'init':
       await initCommand(flags)
       break
+    case 'plan':
+      await planCommand()
+      break
+    case 'impl':
+      await implCommand(flags)
+      break
+    case 'status':
+      await statusCommand()
+      break
     case 'auth': {
       const authArgs = subcommand ? [subcommand, ...commandArgs] : commandArgs
       await authCommand(authArgs, flags)

packages/cli/src/commands/impl/__tests__/how-to-proceed.test.ts

@@ -0,0 +1,69 @@
+import { describe, expect, it } from 'vitest'
+import type { AgentEnvironment } from '../../init/detect-agents.js'
+import type { InitState } from '../../init/types.js'
+import { buildOptions, defaultChoice } from '../steps/how-to-proceed.js'
+
+function makeAgents(claudeCode: boolean, codex: boolean): AgentEnvironment {
+  return {
+    cli: { claudeCode, codex },
+    project: {
+      claudeDir: false,
+      claudeMd: false,
+      claudeSkillsDir: false,
+      agentsMd: false,
+    },
+    editor: 'unknown',
+  }
+}
+
+const noAgents: InitState = { agents: makeAgents(false, false) }
+const claudeOnly: InitState = { agents: makeAgents(true, false) }
+const codexOnly: InitState = { agents: makeAgents(false, true) }
+
+describe('howToProceed — buildOptions', () => {
+  it('offers all four targets in implement mode', () => {
+    const opts = buildOptions(noAgents, 'implement')
+    const values = opts.map((o) => o.value)
+    expect(values).toEqual(['claude-code', 'codex', 'wizard', 'agents-md'])
+  })
+
+  it('offers only claude-code and codex in plan mode', () => {
+    const opts = buildOptions(noAgents, 'plan')
+    const values = opts.map((o) => o.value)
+    expect(values).toEqual(['claude-code', 'codex'])
+  })
+
+  it('reflects detection state in hints regardless of mode', () => {
+    const implement = buildOptions(claudeOnly, 'implement')
+    const plan = buildOptions(claudeOnly, 'plan')
+
+    const implementClaude = implement.find((o) => o.value === 'claude-code')
+    const planClaude = plan.find((o) => o.value === 'claude-code')
+
+    expect(implementClaude?.hint).toMatch(/detected/)
+    expect(planClaude?.hint).toMatch(/detected/)
+  })
+})
+
+describe('howToProceed — defaultChoice', () => {
+  it('prefers claude-code when detected', () => {
+    expect(defaultChoice(claudeOnly, 'implement')).toBe('claude-code')
+    expect(defaultChoice(claudeOnly, 'plan')).toBe('claude-code')
+  })
+
+  it('prefers codex when claude is absent and codex is detected', () => {
+    expect(defaultChoice(codexOnly, 'implement')).toBe('codex')
+    expect(defaultChoice(codexOnly, 'plan')).toBe('codex')
+  })
+
+  it('falls back to agents-md in implement mode when no CLI is detected', () => {
+    expect(defaultChoice(noAgents, 'implement')).toBe('agents-md')
+  })
+
+  it('falls back to claude-code in plan mode when no CLI is detected', () => {
+    // Plan mode never offers agents-md; claude-code is the listed default
+    // so the picker has a valid initialValue rather than falling through
+    // to a hidden option.
+    expect(defaultChoice(noAgents, 'plan')).toBe('claude-code')
+  })
+})

packages/cli/src/commands/impl/index.ts

@@ -0,0 +1,167 @@
+import { existsSync, readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import * as p from '@clack/prompts'
+import { type AgentEnvironment, detectAgents } from '../init/detect-agents.js'
+import { parsePlanSummary, renderPlanSummary } from '../init/lib/parse-plan.js'
+import { readContextFile } from '../init/lib/read-context.js'
+import { PLAN_REL_PATH } from '../init/lib/setup-prompt.js'
+import {
+  CONTEXT_REL_PATH,
+  type ContextFile,
+} from '../init/lib/write-context.js'
+import { CancelledError, type InitState } from '../init/types.js'
+import { detectPackageManager, runnerCommand } from '../init/utils.js'
+import { howToProceedStep } from './steps/how-to-proceed.js'
+
+function buildStateFromContext(
+  ctx: ContextFile,
+  agents: AgentEnvironment,
+): InitState {
+  return {
+    integration: ctx.integration,
+    clientFilePath: ctx.encryptionClientPath,
+    schemas: ctx.schemas,
+    envKeys: ctx.envKeys,
+    stackInstalled: true,
+    cliInstalled: true,
+    eqlInstalled: true,
+    agents,
+    mode: 'implement',
+  }
+}
+
+/**
+ * Confirm before launching implementation when the user has chosen to
+ * skip the planning checkpoint. Default-no is the security stance —
+ * passing through this prompt by accident is the failure mode we're
+ * guarding against.
+ */
+async function confirmContinueWithoutPlan(): Promise<void> {
+  const confirmed = await p.confirm({
+    message: 'Implementation can take some time. Continue?',
+    initialValue: false,
+  })
+  if (p.isCancel(confirmed) || !confirmed) {
+    throw new CancelledError()
+  }
+}
+
+/**
+ * `stash impl` — execute an encryption plan.
+ *
+ * Always runs in implement mode. Behaviour branches on disk state and
+ * flags:
+ *
+ *   - **Plan exists** (TTY): parse the structured summary block, render
+ *     a confirmation panel, ask the user to proceed. Default-yes.
+ *   - **Plan exists** (non-TTY): proceed without confirmation.
+ *   - **No plan, `--continue-without-plan`**: confirm once, then implement.
+ *   - **No plan, TTY**: present a `p.select` — draft a plan first
+ *     (delegates to `planCommand`) or continue without one (confirms
+ *     once, then implements).
+ *   - **No plan, non-TTY**: error out with a clear next-action; CI must
+ *     pass `--continue-without-plan` or run `stash plan` first.
+ */
+export async function implCommand(flags: Record<string, boolean>) {
+  const cwd = process.cwd()
+  const pm = detectPackageManager()
+  const cli = runnerCommand(pm, 'stash')
+
+  const ctx = readContextFile(cwd)
+  if (!ctx) {
+    p.log.error(
+      `No CipherStash context found at \`${CONTEXT_REL_PATH}\`. Run \`${cli} init\` first.`,
+    )
+    process.exit(1)
+  }
+
+  p.intro('CipherStash Implementation')
+
+  const planPath = resolve(cwd, PLAN_REL_PATH)
+  const planExists = existsSync(planPath)
+  const continueWithoutPlan = flags['continue-without-plan'] === true
+  const isTTY = process.stdout.isTTY
+
+  try {
+    if (planExists) {
+      // Plan-summary checkpoint: the last save point before launching the
+      // (potentially hour-long) implementation phase.
+      if (isTTY) {
+        const summary = parsePlanSummary(readFileSync(planPath, 'utf-8'))
+        if (summary) {
+          p.note(renderPlanSummary(summary), 'Plan summary')
+        } else {
+          p.note(
+            `Plan at \`${PLAN_REL_PATH}\` doesn't include a machine-readable summary. Open it in your editor before proceeding.`,
+            'Plan ready',
+          )
+        }
+        const proceed = await p.confirm({
+          message: 'Proceed with implementation against this plan?',
+          initialValue: true,
+        })
+        if (p.isCancel(proceed) || !proceed) {
+          throw new CancelledError()
+        }
+      } else {
+        p.log.info(
+          `Plan at \`${PLAN_REL_PATH}\` — agent will execute it as the source of truth.`,
+        )
+      }
+    } else {
+      // No plan on disk. Branch on flag / TTY / interactive.
+      if (continueWithoutPlan) {
+        await confirmContinueWithoutPlan()
+      } else if (!isTTY) {
+        p.log.error(
+          `No plan at \`${PLAN_REL_PATH}\`. Run \`${cli} plan\` first, or pass --continue-without-plan to skip planning.`,
+        )
+        process.exit(1)
+      } else {
+        const choice = await p.select<'plan' | 'continue'>({
+          message: 'No plan found. What would you like to do?',
+          options: [
+            {
+              value: 'plan',
+              label: 'Draft a plan first (recommended)',
+              hint: `runs \`${cli} plan\` — usually 1–3 min`,
+            },
+            {
+              value: 'continue',
+              label: 'Continue without a plan',
+              hint: 'skip the planning checkpoint',
+            },
+          ],
+          initialValue: 'plan',
+        })
+        if (p.isCancel(choice)) throw new CancelledError()
+
+        if (choice === 'plan') {
+          // Lazy import avoids a circular module load between plan ↔ impl.
+          const { planCommand } = await import('../plan/index.js')
+          // Close the current intro frame before plan opens its own.
+          p.outro('Handing off to `stash plan`.')
+          await planCommand()
+          return
+        }
+
+        await confirmContinueWithoutPlan()
+      }
+    }
+
+    const agents = detectAgents(cwd, process.env)
+    const state = buildStateFromContext(ctx, agents)
+
+    await howToProceedStep.run(state)
+
+    p.outro(
+      `Implementation handoff complete. Run \`${cli} db status\` to verify state.`,
+    )
+  } catch (err) {
+    if (err instanceof CancelledError) {
+      p.cancel('Cancelled.')
+      process.exit(0)
+    }
+    throw err
+  }
+}

…commands/init/steps/handoff-agents-md.ts …commands/impl/steps/handoff-agents-md.tspackages/cli/src/commands/init/steps/handoff-agents-md.ts renamed to packages/cli/src/commands/impl/steps/handoff-agents-md.ts packages/cli/src/commands/init/steps/handoff-agents-md.ts renamed to packages/cli/src/commands/impl/steps/handoff-agents-md.ts

@@ -1,14 +1,14 @@
 import { existsSync, readFileSync, writeFileSync } from 'node:fs'
 import { resolve } from 'node:path'
 import * as p from '@clack/prompts'
-import { buildAgentsMdBody } from '../lib/build-agents-md.js'
-import { writeArtifacts } from '../lib/handoff-helpers.js'
-import { upsertManagedBlock } from '../lib/sentinel-upsert.js'
+import { buildAgentsMdBody } from '../../init/lib/build-agents-md.js'
+import { writeArtifacts } from '../../init/lib/handoff-helpers.js'
+import { upsertManagedBlock } from '../../init/lib/sentinel-upsert.js'
 import {
   CONTEXT_REL_PATH,
   SETUP_PROMPT_REL_PATH,
-} from '../lib/write-context.js'
-import type { InitProvider, InitState, InitStep } from '../types.js'
+} from '../../init/lib/write-context.js'
+import type { HandoffStep, InitState } from '../../init/types.js'
 
 const AGENTS_MD_REL_PATH = 'AGENTS.md'
 
@@ -25,10 +25,10 @@ const AGENTS_MD_REL_PATH = 'AGENTS.md'
  * tools wouldn't know to look there. Re-runs replace only the sentinel
  * region in AGENTS.md.
  */
-export const handoffAgentsMdStep: InitStep = {
+export const handoffAgentsMdStep: HandoffStep = {
   id: 'handoff-agents-md',
   name: 'Write AGENTS.md',
-  async run(state: InitState, _provider: InitProvider): Promise<InitState> {
+  async run(state: InitState): Promise<InitState> {
     const cwd = process.cwd()
     const integration = state.integration ?? 'postgresql'