Skip to content

Commit cd521a0

Browse files
calvinbrewerclaude
andcommitted
Merge branch 'main' into feat/eql-v3-text-search-schema
Reconciles the parallel EQL v3 evolution on both sides. The branch side carried the newer stack surface (bigint domain family, freeTextSearch tuner removal, DOMAIN_REGISTRY, supabase adapter with introspection and or()-string hardening, null-prototype column maps, grants.ts extraction); the main side carried the newer CLI (registry-driven help + manifest, decoupled eql install / offerStashConfig, one-shot --database-url, eql upgrade/status group), auth 0.41 Result API + authStrategy rename, generation-aware isInstalled, and the eql-3.0.0-alpha.2 vendored bundle. Resolution notes: - stack src/tests: branch side kept; authStrategy rename and its wasm latch taken from main; Plaintext keeps the branch bigint arm. - encrypt-lock-context-guards now builds one client per wire format (main's mixed-schema guard rejects a shared client). - EncryptionV3 pins eqlVersion 3 (branch semantics); the main-side override test now asserts the pin. - supabase-v3.test.ts (main) removed: superseded by the branch's supabase-v3-pgrest-live/matrix/grants/introspect suites on the contains() surface. - query-builder.ts: dropped main's apply-time filterColumnName calls in favour of the branch's translate-once-at-toDbSpace boundary; removed main's orphaned {select,keyToDb} addJsonbCastsV3 twin. - SQL bundles/fixture: main's alpha.2 copies for now — re-vendored to eql-3.0.0 in the follow-up FFI 0.29 upgrade. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2 parents bf3e1ea + e9e81e6 commit cd521a0

208 files changed

Lines changed: 97385 additions & 67428 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.changeset/native-binary-guards.md

Lines changed: 0 additions & 9 deletions
This file was deleted.

.changeset/prisma-next-0-14.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
---
2+
'@cipherstash/prisma-next': minor
3+
---
4+
5+
Upgrade to Prisma Next 0.14.0 (from 0.8.0). Every `@prisma-next/*` dependency is now pinned at 0.14.0; consuming apps must run Prisma Next 0.14 to use this release.
6+
7+
Highlights of the upgrade:
8+
9+
- The extension contract space is re-emitted in the 0.14 canonical shape: storage is namespace-enveloped (`storage.namespaces.public.entries.table`), the domain plane replaces flat `models`, and the baseline EQL-install migration is re-pinned to the new storage hash. The vendored EQL bundle SQL is unchanged byte-for-byte.
10+
- `deriveStackSchemas` reads the namespace-enveloped contract shape emitted by Prisma Next 0.10+.
11+
- The bulk-encrypt middleware accepts the widened insert/update AST value unions introduced through 0.9–0.11.
12+
- README examples use the namespace-qualified ORM accessors (`db.orm.public.User`) required since Prisma Next 0.14.
Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
---
2+
"@cipherstash/stack": patch
3+
"stash": patch
4+
---
5+
6+
Remove the leftovers from the secrets removal (`1929c8fe`), which deleted
7+
`packages/stack/src/secrets/` but left its export, build entry, skill, and docs
8+
behind. Secrets tooling is not ready; nothing here was functional.
9+
10+
- **Drop the dead `@cipherstash/stack/secrets` subpath export.** It pointed at
11+
`./dist/secrets/index.js`, which has no source and is not in the tarball, so
12+
`import '@cipherstash/stack/secrets'` has been throwing `ERR_MODULE_NOT_FOUND`
13+
for every consumer since the source was removed. Also drops the dangling
14+
`src/secrets/index.ts` entry from `tsup.config.ts`. Removing an export that
15+
cannot resolve breaks nothing.
16+
- **Remove the `stash-secrets` agent skill** and its references in `AGENTS.md`
17+
and the init setup-prompt skill index. It was never installed by `stash init`
18+
(it is absent from `SKILL_MAP`), so no user project ever received it.
19+
- **Remove the secrets documentation** from both published READMEs: the
20+
`Secrets` class API and the `npx stash secrets` command reference in
21+
`@cipherstash/stack`, and the `npx stash secrets` section in `stash`. The CLI
22+
command does not exist — `stash secrets` returns `Unknown command`.

.changeset/stack-protect-ffi-0-26-oidc-strategy.md

Lines changed: 0 additions & 32 deletions
This file was deleted.
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
---
2+
"stash": patch
3+
---
4+
5+
Refresh the bundled `stash-cli` agent skill and the CLI README against the current
6+
command surface. The skills directory ships inside the `stash` tarball and is copied
7+
into the user's `.claude/skills/` / `.codex/skills/` (or inlined into `AGENTS.md`) at
8+
handoff time, so a stale skill becomes stale guidance in the user's project.
9+
10+
- **New `Start here` and `Authentication` sections.** Setup is driven through the CLI:
11+
agents read `stash manifest --json` first, then trigger `stash auth login --json` and
12+
surface the verification URL for a human to approve, then run `stash init`. Authenticating
13+
before `init` matters — `init`'s auth step is interactive and would otherwise try to open
14+
a browser on the agent's host.
15+
- **New `Never read these` invariant**, mirrored into the `AGENTS.md` doctrine: agents must
16+
never read `~/.cipherstash/secretkey.json`, `~/.cipherstash/auth.json`, anything under
17+
`~/.cipherstash/workspaces/`, or `.env*`. The wizard already blocks these paths in code;
18+
the other handoff targets had no written rule.
19+
- **Documents `manifest`, `doctor`, `wizard`, and `auth regions`**, which the skill omitted
20+
entirely, plus the non-interactive interface (per-command escape hatches, exit codes, the
21+
`DATABASE_URL` resolution order, the `auth login --json` NDJSON event contract).
22+
- **Corrects the `db``eql` move.** `db install`, `db upgrade`, and `db status` are
23+
deprecated aliases that warn and forward; `db push`, `db activate`, `db validate`,
24+
`db test-connection`, and `db migrate` remain in the `db` group.
25+
- **Scopes `db push` / `db activate` as EQL v2 + CipherStash Proxy only**, in both the skill
26+
and the README's recommended flow. SDK users hold their encryption config in application
27+
code and don't need them.
28+
- Adds the missing `--database-url`, `--eql-version`, `--prisma-next`, `--proxy`/`--no-proxy`,
29+
and `--region` flags; corrects six programmatic API signatures; fixes the README's claim
30+
that `stash init` ends in an agent-handoff menu (that belongs to `stash plan` / `stash impl`);
31+
and marks `stash env` as the non-functional stub it currently is.
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
---
2+
"@cipherstash/wizard": patch
3+
---
4+
5+
Stop the agent guard from blocking `.env.example`.
6+
7+
`SENSITIVE_FILE_PATTERNS` matched `/\.env($|\.)/`, which tests true against
8+
`.env.example`. Because the guard covers `Edit` and `Write` as well as `Read`,
9+
the wizard's agent was blocked from creating or editing the very file the
10+
CipherStash doctrine tells it to write ("New env keys go in `.env.example` with
11+
placeholders"). Committed env templates carry placeholder key names, not values.
12+
13+
`.env.example`, `.env.sample` and `.env.template` are now readable and writable.
14+
Everything else is unchanged: `.env`, `.env.local`, `.env.production`, and
15+
value-bearing files that merely start with a template name
16+
(`.env.example.local`, `.env.example.bak`) stay blocked, as do `auth.json`,
17+
`secretkey.json` and credential files. Bash access to any env file — including
18+
the templates — remains blocked; `Read`/`Write` is the sanctioned path.

.cursor/commands/create-example-app.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,11 @@
1-
# Cursor Super-Prompt: Protect.js Example Apps (Framework/ORM-Agnostic, No-Cheese)
1+
# Cursor Super-Prompt: CipherStash Stack Example Apps (Framework/ORM-Agnostic, No-Cheese)
22

33
ROLE
4-
You are a senior systems engineer focused on developer experience and a core maintainer of `@cipherstash/protect`. Your mission: create a polished set of runnable **Protect.js example apps** across multiple stacks. Each example must be minimal, factual, and runnable in minutes.
4+
You are a senior systems engineer focused on developer experience and a core maintainer of `@cipherstash/stack`. Your mission: create a polished set of runnable **CipherStash Stack example apps** across multiple stacks. Each example must be minimal, factual, and runnable in minutes.
55

66
GROUNDING & SOURCES (use @ref; do not guess)
7-
- Protect.js APIs: the Protect.js main README is the single source of truth. If not accessible, STOP and ask for the exact snippet/repo path. Do not invent APIs.
7+
- Stack APIs: the main repo README and https://cipherstash.com/docs are the source of truth (`Encryption({ schemas })`, `encryptedTable`, `encryptedColumn`). If not accessible, STOP and ask for the exact snippet/repo path. Do not invent APIs.
8+
- `@cipherstash/protect-ffi` is a native Node-API module: examples that bundle (Next.js, SST) must externalize it. See https://cipherstash.com/docs/stack/deploy/bundling
89
- ORM/DB docs (pick per stack):
910
@ref https://www.prisma.io/docs
1011
@ref https://typeorm.io
@@ -26,7 +27,7 @@ STACK MATRIX (generate now)
2627
Optional (time-permitting): nextjs-prisma (App Router), fastify-knex.
2728

2829
NO-CHEESE RULES (hard requirements)
29-
Goal: smallest possible working example that clearly demonstrates Protect.js. Clarity > patterns > abstractions.
30+
Goal: smallest possible working example that clearly demonstrates CipherStash Stack. Clarity > patterns > abstractions.
3031
DON'TS
3132
- No Singletons/Factories/Service-Locators/DI frameworks.
3233
- No ports & adapters/custom repo abstractions for tiny demos—call the ORM/client directly.
@@ -41,7 +42,7 @@ README tone
4142
---
4243
Simplicity budget (per example)
4344
- ≤ 8 TS source files (excluding migrations).
44-
- Deps: ORM/client + `@cipherstash/protect` + dev tooling (ts-node or tsx). Nothing else unless required by the stack.
45+
- Deps: ORM/client + `@cipherstash/stack` + dev tooling (ts-node or tsx). Nothing else unless required by the stack.
4546
- One `.env.example`; use `dotenv`. No layered config.
4647

4748
CODE STYLE
@@ -61,8 +62,8 @@ REQUIRED DX & SCRIPTS (per example)
6162
- `seed` → seed sensible data
6263
- `demo` → prints proof of encryption & queries
6364
- `typecheck``tsc --noEmit`
64-
- `.env.example` includes DB vars and **exact** Protect.js env names from the Protect README (do not invent):
65-
{{PROTECT_ENV_VARS := "e.g., PROTECT_PROJECT_ID, PROTECT_CLIENT_KEY, PROTECT_SERVER_URL (replace with real names from README)"}}
65+
- Local dev auth: prefer the CipherStash profile via `npx stash auth login` (no env vars needed). For CI/deployment, `.env.example` includes DB vars and the **exact** CipherStash env names (do not invent):
66+
`CS_WORKSPACE_CRN`, `CS_CLIENT_ID`, `CS_CLIENT_KEY`, `CS_CLIENT_ACCESS_KEY`
6667

6768
PROJECT LAYOUT (monorepo, minimal)
6869
- Root:
@@ -80,10 +81,10 @@ README REQUIREMENTS (every example)
8081
- AI banner (exact text) at the very top with {{BOOK_CHAT_URL}}.
8182
- 90-second Quickstart (copy/paste only).
8283
- "What this shows" checklist (encrypted fields, CRUD, query).
83-
- "How encryption works here" (short, accurate, tied to Protect.js).
84+
- "How encryption works here" (short, accurate, tied to CipherStash Stack).
8485
- Config notes for the stack (e.g., why CJS for TypeORM).
85-
- Troubleshooting (ESM/CJS, ts-node/tsx, migration pitfalls).
86-
- `@ref` links to stack docs + Protect README.
86+
- Troubleshooting (ESM/CJS, ts-node/tsx, migration pitfalls, native module externalization).
87+
- `@ref` links to https://cipherstash.com/docs + the repo README.
8788

8889
DELIVERABLES (return in one message/PR)
8990
- Root `README.md` + `docker-compose.yml`.
@@ -118,4 +119,3 @@ OUTPUT FORMAT
118119
VARIABLES TO FILL BEFORE RUN
119120
- {{BOOK_CHAT_URL}} = your booking link
120121
- {{STACKS}} = list of stacks to generate
121-
- {{PROTECT_ENV_VARS}} = exact names from Protect.js README

.cursorrules

Lines changed: 0 additions & 50 deletions
This file was deleted.

.github/ISSUE_TEMPLATE/docs-feedback.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ body:
3535
id: terms
3636
attributes:
3737
label: Code of conduct
38-
description: By submitting this issue, you agree to follow our [Code of conduct](https://github.com/cipherstash/protectjs/blob/main/CODE_OF_CONDUCT.md).
38+
description: By submitting this issue, you agree to follow our [Code of conduct](https://github.com/cipherstash/stack/blob/main/CODE_OF_CONDUCT.md).
3939
options:
4040
- label: I agree to follow this project's Code of conduct
4141
required: true

.github/workflows/tests.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,14 @@ jobs:
7878
- name: Test — lint script self-tests
7979
run: pnpm run test:scripts
8080

81+
# The EQL v3 bundles in packages/cli/src/sql are vendored (derived from
82+
# the stack fixture monolith by gen:eql-v3-sql). Regenerate and fail on
83+
# any diff so the fixture and the shipped bundles cannot drift silently.
84+
- name: Check — vendored EQL v3 SQL bundles are in sync
85+
run: |
86+
pnpm --filter stash run gen:eql-v3-sql
87+
git diff --exit-code -- packages/cli/src/sql/cipherstash-encrypt-v3.sql packages/cli/src/sql/cipherstash-encrypt-v3-supabase.sql
88+
8189
- name: Create .env file in ./packages/protect/
8290
run: |
8391
touch ./packages/protect/.env

0 commit comments

Comments
 (0)