@cipherstash/drizzle@3.0.2

Patch Changes

• a8dbb65: Render every user-facing CLI string and execute every shell-out under the detected package manager (npx / bunx / pnpm dlx / yarn dlx), completing the work started in #379. Affected surfaces: @cipherstash/cli top-level + auth + env help, db install Drizzle migration steps, db migrate not-implemented warning, the Supabase migration SQL header, the Supabase status fallback exec, the @cipherstash/protect stash Stricli help (set/get/list/delete), the @cipherstash/wizard usage line and agent command allowlist, and the @cipherstash/drizzle generate-eql-migration help + drizzle-kit invocation. A new pnpm run lint:runners lint runs in CI and fails on any reintroduction of a hardcoded runner literal.

stash@0.11.0

Minor Changes

• de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

  Migration

  1. Update your package.json devDependencies:

     -  "@cipherstash/cli": "^0.10.0"
     +  "stash": "^0.10.1"

  2. Update the defineConfig import in stash.config.ts:

     - import { defineConfig } from '@cipherstash/cli'
     + import { defineConfig } from 'stash'

  3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

  Wizard impact (@cipherstash/wizard)

  The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

• 8ee11fd: Layered DATABASE_URL resolution for DB / schema commands.

  Previously, any DB-touching command (db install, db push, db upgrade, db status, db validate, db test-connection, schema build) failed with the cryptic Zod error:

  Error: Invalid stash.config.ts
    - databaseUrl: Invalid input: expected nonoptional, received undefined
  

  if DATABASE_URL wasn't already in the environment. The CLI auto-loaded .env.local / .env.development.local / .env.development / .env, but had no story for --database-url flags, local Supabase, or pasted-once values.

  The scaffolded stash.config.ts now calls a resolver directly:

  import { defineConfig, resolveDatabaseUrl } from "stash";
  
  export default defineConfig({
    databaseUrl: await resolveDatabaseUrl(),
    client: "./src/encryption/index.ts",
  });

  resolveDatabaseUrl() walks sources in order; first hit wins:

  1. --database-url <url> flag — new, accepted on all seven DB / schema commands. Used for this run only; never written to disk.
  2. process.env.DATABASE_URL — covers shell exports, mise, direnv, dotenv-cli, the existing dotenv loads.
  3. supabase status --output env → DB_URL — auto-engaged when --supabase is set or a supabase/config.toml is detected. Useful for local Supabase users who haven't exported the URL yet.
  4. Interactive prompt — opens with a tip listing the alternatives (flag, env, the user's actual dotenv file). Skipped under CI=true or non-TTY stdin.
  5. Hard fail with a source-naming error message.

  The connection string is never persisted to disk — stash.config.ts only contains the await resolveDatabaseUrl() call, never a literal URL. The resolver also doesn't mutate process.env; CLI flag context is threaded into the config evaluation via AsyncLocalStorage so concurrent loads stay isolated. Source labels are logged on non-env paths (Using DATABASE_URL from --database-url flag / from supabase status / from prompt) but the URL itself is never echoed.

  db test-connection's connection-failure hint is now source-aware: it points users at --database-url, the env var, and the actual dotenv file in their project (.env.local if present, .env otherwise) — not the misleading stash.config.ts it used to suggest.

@cipherstash/wizard@0.1.2

Patch Changes

• de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

  Migration

  1. Update your package.json devDependencies:

     -  "@cipherstash/cli": "^0.10.0"
     +  "stash": "^0.10.1"

  2. Update the defineConfig import in stash.config.ts:

     - import { defineConfig } from '@cipherstash/cli'
     + import { defineConfig } from 'stash'

  3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

  Wizard impact (@cipherstash/wizard)

  The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

@cipherstash/stack@0.15.3

Patch Changes

• afe6810: Bump protect-ffi version

@cipherstash/protect@11.1.1

Patch Changes

• afe6810: Bump protect-ffi version

@cipherstash/protect-dynamodb@11.0.1

Patch Changes

• Updated dependencies [afe6810]
  • @cipherstash/protect@11.1.1

@cipherstash/wizard@0.1.1

Patch Changes

• f34fe9d: Show and execute commands using the detected package manager's runner (npx / bunx / pnpm dlx / yarn dlx) instead of always emitting npx. A user who runs bunx @cipherstash/cli init now sees a "Next Steps" panel that suggests bunx @cipherstash/cli db install and bunx @cipherstash/wizard, and the wizard's post-agent step both displays and shells out to bunx @cipherstash/cli db push (was: Failed: npx @cipherstash/cli db push). Wizard prerequisite messages and AI-agent error hints (e.g. on a 401, Run: bunx @cipherstash/cli auth login) follow the same rule. Detection sources are unchanged: npm_config_user_agent first, then lockfile, then npx fallback.

@cipherstash/wizard@0.1.0

Minor Changes

• 5d3eb13: Initial release of @cipherstash/wizard — AI-powered encryption setup for CipherStash, extracted from @cipherstash/cli.

  Run it once per project, after stash init:

  npx @cipherstash/wizard
  pnpm dlx @cipherstash/wizard
  yarn dlx @cipherstash/wizard
  bunx @cipherstash/wizard

  The wizard reads your codebase, asks which columns to encrypt, hands a surgical prompt to the Claude Agent SDK against the CipherStash-hosted LLM gateway, and runs deterministic post-agent steps (package install, db install, db push, framework migrations). Same behavior as the previous stash wizard command — just shipped as its own package so it doesn't bloat the cli's dependency tree.

@cipherstash/cli@0.9.0

Minor Changes

• 5d3eb13: Reduce friction in stash init.

  • No more "How will you connect to your database?" prompt. Init now auto-detects Drizzle (from drizzle.config.* or drizzle-orm/drizzle-kit in package.json) and Supabase (from the host in DATABASE_URL), and silently picks the matching encryption client template. Falls back to a generic Postgres template otherwise.
  • No more "Where should we create your encryption client?" prompt. Init writes to ./src/encryption/index.ts by default. The "file already exists, what would you like to do?" prompt still appears so existing client files aren't silently overwritten.
  • Single combined dependency-install prompt. Previously init asked twice (once for @cipherstash/stack, once for @cipherstash/cli). It now asks once, listing both, and runs the installs in sequence. When both packages are already in node_modules, no prompt appears at all.
  • Already-authenticated users skip the "Continue with workspace X?" prompt. Init logs Using workspace X and proceeds. Run stash auth login directly to switch workspaces.

  stash db install now also calls into the same encryption-client scaffolder as a safety net — users who run db install without init first still get a working client file generated at the path their stash.config.ts points to.

• 5d3eb13: Breaking: the stash wizard command has been removed. The AI-guided encryption setup is now its own package — run it via npx @cipherstash/wizard (or pnpm dlx, bunx, yarn dlx).

  The wizard was pulling @anthropic-ai/claude-agent-sdk (47MB unpacked) into every npx @cipherstash/cli invocation, even for fast commands like init, auth, and db install. Splitting it out keeps cli's dependency tree small and lets each package manager handle the wizard's install natively — no more shelling out to npm from inside the cli, no Yarn PnP / Bun-only failure modes.

  The next-steps output from init and db install still recommends npx @cipherstash/wizard as the automated path. The schema build command no longer offers a wizard/builder selection prompt — it goes straight to the schema builder.

@cipherstash/cli@0.10.1

Patch Changes

• f34fe9d: Show and execute commands using the detected package manager's runner (npx / bunx / pnpm dlx / yarn dlx) instead of always emitting npx. A user who runs bunx @cipherstash/cli init now sees a "Next Steps" panel that suggests bunx @cipherstash/cli db install and bunx @cipherstash/wizard, and the wizard's post-agent step both displays and shells out to bunx @cipherstash/cli db push (was: Failed: npx @cipherstash/cli db push). Wizard prerequisite messages and AI-agent error hints (e.g. on a 401, Run: bunx @cipherstash/cli auth login) follow the same rule. Detection sources are unchanged: npm_config_user_agent first, then lockfile, then npx fallback.