Version Packages (rc)#652
Merged
Merged
Conversation
ebd2e4f to
c6a13a0
Compare
c6a13a0 to
af26f99
Compare
coderdan
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
mainis currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, runchangeset pre exitonmain.Releases
stash@1.0.0-rc.1
Minor Changes
134fd43: Add anonymous, opt-out usage analytics to the
stashCLI, plus astash telemetry [status|enable|disable]command to manage it.Only coarse events are collected — command name, CLI version, OS/arch, Node
version, success/failure, duration, and a coarse caller class (e.g.
claude-code,cursor,interactive) derived from environment markers so wecan gauge agent- vs human-driven usage. Events carry a random install
identifier (a locally generated UUID, not derived from any machine or user
attribute) used only to de-duplicate events in aggregate. Plaintext, schema,
table/column names,
connection strings, argument values, and any session/trace identifier are never
collected — enforced by a property-key allowlist at the emitter boundary plus
closed-vocabulary coercion of every argv- or error-derived value (unrecognised
commands, subcommands, and error class names all collapse to
<other>). Aone-time notice is shown on first run, and nothing is sent on that run.
Telemetry is off by default in CI and can be disabled with
DO_NOT_TRACK=1(the cross-tool standard),
STASH_TELEMETRY_DISABLED=1, orstash telemetry disable(persisted to~/.cipherstash/telemetry.json).Events are sent via a first-party proxy and never block or slow the CLI. The
feature ships dormant — no events are sent until a PostHog project key is
embedded at release. Updates the
stash-cliskill to document the command andopt-out controls.
Patch Changes
59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
(EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623).
ops.selector(col, '$.path')returns comparison methods bound to aJSONPath into a
types.Jsoncolumn —eq/ne/gt/gte/lt/lte— emittingcol->'<selector>' <op> <value>over the encrypted document. Its unique powerover
containsis ordering at a path (col->'$.age' > 21), whichcontainment cannot express.
Complements the existing
contains(JSONB@>) containment operator. Core@cipherstash/stackneeds no change — the selector hash and comparison entry areproduced by
encryptQuery/encrypton the existingtypes.Jsonsurface. v1supports dot-notation object paths; array-index/wildcard paths are rejected with
a clear error. The Supabase adapter is tracked separately.
The right-hand comparison operand is currently a storage-encrypted needle (its
ste_vec entry carries the ordering term), pending a ciphertext-free ordering
query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
value's ciphertext appears in the WHERE clause.
The bundled
stash-encryptionandstash-drizzleskills document the newops.selector(...)surface (they previously said JSONPath selector queries werenot yet implemented).
e297f64: Docs: EQL v3 is now the sole documented approach. The
stash-encryption,stash-drizzle, andstash-supabaseskills and the@cipherstash/stackREADME teach only the v3 typed surface (
EncryptionV3,types.*concretedomains,
@cipherstash/stack-drizzle/v3,encryptedSupabaseV3); EQL v2shrinks to one short Legacy section per document. Two explicit exceptions are
called out: DynamoDB still requires the v2 schema surface (DynamoDB: support EQL v3 schemas in encryptedDynamoDB #657), and the
encrypt rollout tooling (
stash encrypt backfill/cutover,@cipherstash/migrate) currently targets v2 columns (Make @cipherstash/migrate (andstash encrypt *) compatible with EQL v3 #648) — its guidance iskept under a version callout. Also corrects the legacy
@cipherstash/drizzleREADME's pointer to the removed
@cipherstash/stack/drizzlesubpath (now theseparate
@cipherstash/stack-drizzlepackage).40ab142: Docs: stop teaching the deprecated
LockContext.identify()as the primaryidentity-aware-encryption path (Agent skills and README teach the deprecated LockContext.identify() identity API #591). The
stash-encryptionandstash-supabaseskills and the
@cipherstash/stackREADME now lead with the current pattern —authenticate the client with
OidcFederationStrategy, then bind the claim peroperation with
.withLockContext({ identityClaim })— and demoteLockContext.identify()to a clearly-marked deprecated note (per-operation CTStokens were removed in protect-ffi 0.25). Skills ship in the
stashtarball, sothis keeps the bundled guidance correct for the 1.0 surface.
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
@cipherstash/stack@1.0.0-rc.1
Minor Changes
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
Patch Changes
e297f64: Docs: EQL v3 is now the sole documented approach. The
stash-encryption,stash-drizzle, andstash-supabaseskills and the@cipherstash/stackREADME teach only the v3 typed surface (
EncryptionV3,types.*concretedomains,
@cipherstash/stack-drizzle/v3,encryptedSupabaseV3); EQL v2shrinks to one short Legacy section per document. Two explicit exceptions are
called out: DynamoDB still requires the v2 schema surface (DynamoDB: support EQL v3 schemas in encryptedDynamoDB #657), and the
encrypt rollout tooling (
stash encrypt backfill/cutover,@cipherstash/migrate) currently targets v2 columns (Make @cipherstash/migrate (andstash encrypt *) compatible with EQL v3 #648) — its guidance iskept under a version callout. Also corrects the legacy
@cipherstash/drizzleREADME's pointer to the removed
@cipherstash/stack/drizzlesubpath (now theseparate
@cipherstash/stack-drizzlepackage).40ab142: Docs: stop teaching the deprecated
LockContext.identify()as the primaryidentity-aware-encryption path (Agent skills and README teach the deprecated LockContext.identify() identity API #591). The
stash-encryptionandstash-supabaseskills and the
@cipherstash/stackREADME now lead with the current pattern —authenticate the client with
OidcFederationStrategy, then bind the claim peroperation with
.withLockContext({ identityClaim })— and demoteLockContext.identify()to a clearly-marked deprecated note (per-operation CTStokens were removed in protect-ffi 0.25). Skills ship in the
stashtarball, sothis keeps the bundled guidance correct for the 1.0 surface.
7b53141: Three correctness fixes surfaced while documenting the v3 surface:
matches()now rejects a short free-text needle. A needlebelow the tokenizer's
token_lengthblooms to zero tokens, sobloom @> {}matched (and the caller decrypted) every row — a fail-open exposure. The
guard (
matchNeedleError) was wired into the Drizzle adapter only; theSupabase adapter now applies it at the same term-resolution choke point, so
both first-party surfaces reject identically. (Authoritative FFI-level backstop
for the
encryptQuerypaths tracked in encryptQuery: reject a free-text query term that tokenizes to zero tokens (fail-open needle) protectjs-ffi#138.).withLockContext()accepts the plain{ identityClaim }form,not only a
LockContextinstance — matching the stack-level operations andthe documented identity-aware example (widened to
LockContextInput).EncryptionErrorTypesis nowas const, so theStackErrorunionactually discriminates:
switch (error.type)narrows anderror.codeisreachable on the relevant branches. Without it every
typewasstringandthe documented exhaustive error handler did not compile.
@cipherstash/stack-drizzle@1.0.0-rc.1
Minor Changes
59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
(EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623).
ops.selector(col, '$.path')returns comparison methods bound to aJSONPath into a
types.Jsoncolumn —eq/ne/gt/gte/lt/lte— emittingcol->'<selector>' <op> <value>over the encrypted document. Its unique powerover
containsis ordering at a path (col->'$.age' > 21), whichcontainment cannot express.
Complements the existing
contains(JSONB@>) containment operator. Core@cipherstash/stackneeds no change — the selector hash and comparison entry areproduced by
encryptQuery/encrypton the existingtypes.Jsonsurface. v1supports dot-notation object paths; array-index/wildcard paths are rejected with
a clear error. The Supabase adapter is tracked separately.
The right-hand comparison operand is currently a storage-encrypted needle (its
ste_vec entry carries the ordering term), pending a ciphertext-free ordering
query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
value's ciphertext appears in the WHERE clause.
The bundled
stash-encryptionandstash-drizzleskills document the newops.selector(...)surface (they previously said JSONPath selector queries werenot yet implemented).
Patch Changes
@cipherstash/stack-supabase@1.0.0-rc.1
Minor Changes
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
Patch Changes
7b53141: Three correctness fixes surfaced while documenting the v3 surface:
matches()now rejects a short free-text needle. A needlebelow the tokenizer's
token_lengthblooms to zero tokens, sobloom @> {}matched (and the caller decrypted) every row — a fail-open exposure. The
guard (
matchNeedleError) was wired into the Drizzle adapter only; theSupabase adapter now applies it at the same term-resolution choke point, so
both first-party surfaces reject identically. (Authoritative FFI-level backstop
for the
encryptQuerypaths tracked in encryptQuery: reject a free-text query term that tokenizes to zero tokens (fail-open needle) protectjs-ffi#138.).withLockContext()accepts the plain{ identityClaim }form,not only a
LockContextinstance — matching the stack-level operations andthe documented identity-aware example (widened to
LockContextInput).EncryptionErrorTypesis nowas const, so theStackErrorunionactually discriminates:
switch (error.type)narrows anderror.codeisreachable on the relevant branches. Without it every
typewasstringandthe documented exhaustive error handler did not compile.
Updated dependencies [e297f64]
Updated dependencies [40ab142]
Updated dependencies [5fe9a2f]
Updated dependencies [7b53141]
@cipherstash/drizzle@3.0.4-rc.1
Patch Changes
@cipherstash/stack/drizzlesubpath; it now points at the separate@cipherstash/stack-drizzlepackage (EQL v3 on its/v3subpath).@cipherstash/prisma-next@0.4.0-rc.1
Patch Changes
@cipherstash/wizard@0.5.0-rc.1
Patch Changes
stashCLI's telemetry privacy contract.The wizard now honors
DO_NOT_TRACK,STASH_TELEMETRY_DISABLED, and CIauto-detection; uses a random per-session identifier instead of one derived
from username@hostname; disables IP→geo resolution; and reports error events as
fixed labels / error class names instead of raw messages (which could embed
schema names or connection details). Analytics remain dormant unless a PostHog
key is configured at build time.
@cipherstash/e2e@0.0.3-rc.1
Patch Changes
@cipherstash/basic-example@1.2.14-rc.1
Patch Changes
@cipherstash/prisma-next-example@0.0.6-rc.1
Patch Changes
@cipherstash/bench@0.0.5-rc.1
Patch Changes
@cipherstash/test-kit@0.0.1-rc.1
Patch Changes