Releases: cipherstash/stack

@cipherstash/protect@11.1.2

04 May 17:04
2a669d9

Patch Changes

  • a8dbb65: Render every user-facing CLI string and execute every shell-out under the detected package manager (npx / bunx / pnpm dlx / yarn dlx), completing the work started in #379. Affected surfaces: @cipherstash/cli top-level + auth + env help, db install Drizzle migration steps, db migrate not-implemented warning, the Supabase migration SQL header, the Supabase status fallback exec, the @cipherstash/protect stash Stricli help (set/get/list/delete), the @cipherstash/wizard usage line and agent command allowlist, and the @cipherstash/drizzle generate-eql-migration help + drizzle-kit invocation. A new pnpm run lint:runners lint runs in CI and fails on any reintroduction of a hardcoded runner literal.

@cipherstash/protect-dynamodb@11.0.2

04 May 17:04
2a669d9

Patch Changes

  • Updated dependencies [a8dbb65]
    • @cipherstash/protect@11.1.2

@cipherstash/migrate@0.2.0

04 May 17:04
2a669d9

Minor Changes

  • add4357: Add stash encrypt command group and @cipherstash/migrate library for plaintext → encrypted column migrations.

    New CLI commands:

    • stash encrypt status — per-column migration status (phase, backfill progress, drift between intent and state, EQL registration).
    • stash encrypt plan — diff .cipherstash/migrations.json (intent) vs observed state.
    • stash encrypt backfill --table <t> --column <c> — resumable, idempotent, chunked encryption of plaintext into <col>_encrypted. Uses the user's encryption client (Protect/Stack). SIGINT-safe; re-run to resume. The first run on a column prompts to confirm dual-writes are deployed (or accept --confirm-dual-writes-deployed for non-interactive contexts), records the dual_writing transition in cs_migrations, then runs the chunked encryption loop. --force re-encrypts every plaintext row regardless of current state — recovery path for drift caused by an earlier backfill running before dual-writes were actually live.
    • stash encrypt cutover --table <t> --column <c> — runs eql_v2.rename_encrypted_columns() inside a transaction; optionally forces Proxy config refresh via CIPHERSTASH_PROXY_URL. After cutover, apps reading <col> transparently receive the encrypted column.
    • stash encrypt drop --table <t> --column <c> — generates a migration file that drops the old plaintext column.

    stash db install now also installs a cipherstash.cs_migrations table used to track per-column migration runtime state (current phase, backfill cursor, rows processed). The table is append-only (event-log shape) and kept separate from eql_v2_configuration which remains the authoritative EQL intent store used by Proxy.

    The new @cipherstash/migrate package exposes the same primitives as a library for users who want to embed backfill in their own workers or cron jobs — all commands are thin wrappers around its exports (runBackfill, appendEvent, latestByColumn, progress, renameEncryptedColumns, reloadConfig, readManifest, writeManifest).
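An in-memory model of the resumable, chunked backfill and the append-only cursor log described above, including why `--force` is needed after drift. This is an added example, not code from `@cipherstash/migrate`: `backfillChunked`, `lastCursor`, the event fields and the stand-in `encrypt` callback are all hypothetical.

```javascript
// Added example: hypothetical names throughout; rows and events are plain arrays
// standing in for the table and the append-only cs_migrations log.
function lastCursor(events, table, column) {
  // Append-only log: state is read from the newest matching event, nothing is updated.
  for (let i = events.length - 1; i >= 0; i--) {
    const e = events[i];
    if (e.table === table && e.column === column && e.type === "backfill_chunk") return e.cursor;
  }
  return 0;
}

function backfillChunked({ rows, events, table, column, encrypt,
                           chunkSize = 2, force = false, shouldStop = () => false }) {
  const target = `${column}_encrypted`;
  let cursor = force ? 0 : lastCursor(events, table, column); // resume point
  let processed = 0;
  for (;;) {
    // Interruption (e.g. SIGINT) is only honoured between chunks, so the log never
    // records a half-written chunk.
    if (shouldStop()) return { processed, cursor, done: false };
    const chunk = rows
      .filter((r) => r.id > cursor && r[column] != null && (force || r[target] == null))
      .sort((a, b) => a.id - b.id)
      .slice(0, chunkSize);
    if (chunk.length === 0) return { processed, cursor, done: true };
    // Assumption: in a real database the writes and the event share one transaction.
    for (const r of chunk) r[target] = encrypt(r[column]);
    cursor = chunk[chunk.length - 1].id;
    processed += chunk.length;
    events.push({ table, column, type: "backfill_chunk", cursor, rows: chunk.length });
  }
}
```

A plaintext value changed without a dual-write leaves a stale ciphertext behind the cursor; a normal re-run skips it and only the `force` path re-encrypts it.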

@cipherstash/drizzle@3.0.2

04 May 17:04
2a669d9

Patch Changes

  • a8dbb65: Render every user-facing CLI string and execute every shell-out under the detected package manager (npx / bunx / pnpm dlx / yarn dlx), completing the work started in #379. Affected surfaces: @cipherstash/cli top-level + auth + env help, db install Drizzle migration steps, db migrate not-implemented warning, the Supabase migration SQL header, the Supabase status fallback exec, the @cipherstash/protect stash Stricli help (set/get/list/delete), the @cipherstash/wizard usage line and agent command allowlist, and the @cipherstash/drizzle generate-eql-migration help + drizzle-kit invocation. A new pnpm run lint:runners lint runs in CI and fails on any reintroduction of a hardcoded runner literal.

stash@0.11.0

01 May 18:06
af78001

Minor Changes

  • de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

    Migration

    1. Update your package.json devDependencies:

      -  "@cipherstash/cli": "^0.10.0"
      +  "stash": "^0.10.1"
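Review bot: the added `"stash": "^0.10.1"` line uses a caret range on a 0.x version, which npm resolves as >=0.10.1 <0.11.0, so it will not select the stash@0.11.0 release these notes are published under. If 0.11.0 is the intended target, the range should read `"^0.11.0"`.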
    2. Update the defineConfig import in stash.config.ts:

      - import { defineConfig } from '@cipherstash/cli'
      + import { defineConfig } from 'stash'
    3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

    Wizard impact (@cipherstash/wizard)

    The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

  • 8ee11fd: Layered DATABASE_URL resolution for DB / schema commands.

    Previously, any DB-touching command (db install, db push, db upgrade, db status, db validate, db test-connection, schema build) failed with the cryptic Zod error:

    Error: Invalid stash.config.ts
      - databaseUrl: Invalid input: expected nonoptional, received undefined
    

    if DATABASE_URL wasn't already in the environment. The CLI auto-loaded .env.local / .env.development.local / .env.development / .env, but had no story for --database-url flags, local Supabase, or pasted-once values.

    The scaffolded stash.config.ts now calls a resolver directly:

    import { defineConfig, resolveDatabaseUrl } from "stash";
    
    export default defineConfig({
      databaseUrl: await resolveDatabaseUrl(),
      client: "./src/encryption/index.ts",
    });

    resolveDatabaseUrl() walks sources in order; first hit wins:

    1. --database-url <url> flag — new, accepted on all seven DB / schema commands. Used for this run only; never written to disk.
    2. process.env.DATABASE_URL — covers shell exports, mise, direnv, dotenv-cli, the existing dotenv loads.
    3. supabase status --output env → DB_URL — auto-engaged when --supabase is set or a supabase/config.toml is detected. Useful for local Supabase users who haven't exported the URL yet.
    4. Interactive prompt — opens with a tip listing the alternatives (flag, env, the user's actual dotenv file). Skipped under CI=true or non-TTY stdin.
    5. Hard fail with a source-naming error message.

    The connection string is never persisted to disk: stash.config.ts only contains the await resolveDatabaseUrl() call, never a literal URL. The resolver also doesn't mutate process.env; CLI flag context is threaded into the config evaluation via AsyncLocalStorage so concurrent loads stay isolated. Source labels are logged on non-env paths (Using DATABASE_URL from --database-url flag / from supabase status / from prompt) but the URL itself is never echoed.

    db test-connection's connection-failure hint is now source-aware: it points users at --database-url, the env var, and the actual dotenv file in their project (.env.local if present, .env otherwise) — not the misleading stash.config.ts it used to suggest.
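A sketch of the layered lookup described above: first hit wins, flag context travels through AsyncLocalStorage instead of process.env, and only the source label is logged. This is an added example, not the `stash` implementation: `withCliFlags`, `resolveUrl` and its option names are hypothetical, and it is synchronous for brevity where the real resolver is awaited.

```javascript
// Added example: hypothetical names, not the stash package's API.
const { AsyncLocalStorage } = require("async_hooks");

const cliFlags = new AsyncLocalStorage();

// Make this run's flags visible to the resolver without writing to process.env.
function withCliFlags(flags, fn) {
  return cliFlags.run(flags, fn);
}

function resolveUrl({ env, supabaseDetected = false, supabaseStatus, prompt,
                      isTTY = false, log = () => {} }) {
  const flags = cliFlags.getStore() || {}; // empty outside withCliFlags()
  const canPrompt = isTTY && env.CI !== "true"; // no prompt under CI or non-TTY stdin
  const useSupabase = (flags.supabase || supabaseDetected) && supabaseStatus;
  const sources = [
    ["--database-url flag", () => flags.databaseUrl],
    ["env", () => env.DATABASE_URL],
    ["supabase status", () => (useSupabase ? supabaseStatus() : undefined)],
    ["prompt", () => (canPrompt && prompt ? prompt() : undefined)],
  ];
  for (const [source, read] of sources) {
    const url = read();
    if (!url) continue;
    // Log the label on non-env paths only; the URL may embed credentials.
    if (source !== "env") log(`Using DATABASE_URL from ${source}`);
    return { url, source };
  }
  // Hard fail that names every source that was tried.
  throw new Error("No database URL: tried " + sources.map(([s]) => s).join(", "));
}
```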

@cipherstash/wizard@0.1.2

01 May 18:06
af78001

Patch Changes

  • de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

    Migration

    1. Update your package.json devDependencies:

      -  "@cipherstash/cli": "^0.10.0"
      +  "stash": "^0.10.1"
    2. Update the defineConfig import in stash.config.ts:

      - import { defineConfig } from '@cipherstash/cli'
      + import { defineConfig } from 'stash'
    3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

    Wizard impact (@cipherstash/wizard)

    The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

@cipherstash/stack@0.15.3

01 May 18:06
af78001

Patch Changes

  • afe6810: Bump protect-ffi version

@cipherstash/protect@11.1.1

01 May 18:06
af78001

Patch Changes

  • afe6810: Bump protect-ffi version

@cipherstash/protect-dynamodb@11.0.1

01 May 18:06
af78001

Patch Changes

  • Updated dependencies [afe6810]
    • @cipherstash/protect@11.1.1

@cipherstash/wizard@0.1.1

30 Apr 15:32
e3c54c4

Patch Changes

  • f34fe9d: Show and execute commands using the detected package manager's runner (npx / bunx / pnpm dlx / yarn dlx) instead of always emitting npx. A user who runs bunx @cipherstash/cli init now sees a "Next Steps" panel that suggests bunx @cipherstash/cli db install and bunx @cipherstash/wizard, and the wizard's post-agent step both displays and shells out to bunx @cipherstash/cli db push (was: Failed: npx @cipherstash/cli db push). Wizard prerequisite messages and AI-agent error hints (e.g. on a 401, Run: bunx @cipherstash/cli auth login) follow the same rule. Detection sources are unchanged: npm_config_user_agent first, then lockfile, then npx fallback.
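The detection order stated above (npm_config_user_agent, then lockfile, then npx), with the result returned as an argv array so the displayed string and the executed command cannot diverge. This is an added example, not the wizard's code: the function names are hypothetical, and the lockfile names and user-agent shape are typical package-manager values rather than anything taken from these notes.

```javascript
// Added example: hypothetical names; lockfile list and user-agent shape are assumptions.
const RUNNERS = { npm: ["npx"], bun: ["bunx"], pnpm: ["pnpm", "dlx"], yarn: ["yarn", "dlx"] };
const LOCKFILES = [
  ["bun.lockb", "bun"], ["bun.lock", "bun"],
  ["pnpm-lock.yaml", "pnpm"], ["yarn.lock", "yarn"], ["package-lock.json", "npm"],
];
// Own-property check so an environment value such as "constructor" is never accepted.
const known = (name) => Object.prototype.hasOwnProperty.call(RUNNERS, name);

function detectManager(env, rootFiles) {
  // 1. npm_config_user_agent, e.g. "pnpm/8.15.0 npm/? node/v20.11.0 linux x64"
  const fromAgent = (env.npm_config_user_agent || "").split("/")[0];
  if (known(fromAgent)) return fromAgent;
  // 2. Lockfile present in the project root
  const hit = LOCKFILES.find(([file]) => rootFiles.includes(file));
  if (hit) return hit[1];
  // 3. Fallback
  return "npm";
}

function runnerCommand(env, rootFiles, pkgArgs) {
  const runner = RUNNERS[detectManager(env, rootFiles)];
  return {
    file: runner[0],                           // executable for execFile/spawn
    args: [...runner.slice(1), ...pkgArgs],    // argv array, no shell parsing involved
    display: [...runner, ...pkgArgs].join(" "), // what the user is shown
  };
}
```

Passing `file` and `args` to `child_process.execFile` or `spawn` without a shell keeps every argument a literal, whichever runner was detected.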