stash@0.16.0

Minor Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

• bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

  Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

  Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

Patch Changes

• 8fe2496: stash impl and stash plan no longer hang in non-TTY contexts (CI, pipes, automation harnesses). The agent-target picker previously read from /dev/tty and waited forever. You can now pass --target <claude-code|codex|agents-md|wizard> to select a handoff target non-interactively, and when neither --target nor a TTY is available the command prints a hint and exits cleanly instead of blocking.
  • @cipherstash/migrate@0.2.0

@cipherstash/wizard@0.3.0

Minor Changes

• bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

  Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

  Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

@cipherstash/stack@0.18.0

Minor Changes

• 6e7ae4e: Export the operation classes returned by the encryption and DynamoDB clients as public API.

  The classes returned from public methods are now exported and documented in the API reference, so their types can be named and their TSDoc links resolve.

  • From @cipherstash/stack/encryption: EncryptOperation, EncryptQueryOperation, BatchEncryptQueryOperation, DecryptOperation, EncryptModelOperation, DecryptModelOperation, BulkEncryptOperation, BulkDecryptOperation, BulkEncryptModelsOperation, BulkDecryptModelsOperation. EncryptQueryOperation and BatchEncryptQueryOperation were previously marked @internal; since they are returned from EncryptionClient.encryptQuery, they are now public for consistency with the other operations.
  • From @cipherstash/stack/dynamodb: EncryptModelOperation, DecryptModelOperation, BulkEncryptModelsOperation, BulkDecryptModelsOperation.
  • From @cipherstash/stack/types: EncryptedQuery and EncryptedFromSchema.

  The *WithLockContext variants returned by .withLockContext() remain internal — they share the same awaitable shape and are not intended to be named directly.

  No runtime behaviour changes; this only widens the exported surface and corrects TSDoc cross-references that previously failed to resolve.

• 712d7fa: Fix: restore runtime null short-circuits in the encryption operation classes.

  A prior refactor (feat(stack): remove null from Encrypted type) tightened the type signatures to disallow null and, alongside that, deleted the if (value === null) return null guards from every operation in packages/stack/src/encryption/operations/. The type guard does not survive runtime: callers reaching the operation through a cast (e.g. null as any), dynamic model walking, or JS interop would then have their null silently encrypted by protect-ffi into a real SteVec ciphertext ({ k: 'sv', v: 2, ... }) — which is observable, surprising, and breaks symmetry with the model-helpers layer that does still treat null as "absent" at the field level.

  Restored, mirroring the pattern in @cipherstash/protect:

  • encrypt / encryptWithLockContext: if (plaintext === null) return null.
  • bulkEncrypt / bulkEncryptWithLockContext: per-element null filter; nulls are preserved in position in the output.
  • decrypt / decryptWithLockContext: if (encryptedData === null) return null.
  • bulkDecrypt / bulkDecryptWithLockContext: per-element null filter, position-preserving merge.
  • encryptQuery / encryptQueryWithLockContext: if (plaintext === null || plaintext === undefined) return { data: null }.
  • batchEncryptQuery / batchEncryptQueryWithLockContext: per-element null/undefined filter; null slots in the input array stay null in the result array.

  Type adjustments to support the runtime behavior honestly:

  • BulkEncryptPayload['plaintext'], BulkEncryptedData['data'], BulkDecryptPayload['data'], and the T of BulkDecryptedData all widen to ... | null. Bulk APIs now accept and return mixed nullable arrays without filtering ahead of time.
  • EncryptedQueryResult widens to include null so the batch query path can return position-stable arrays with null slots.
  • Encryption.encrypt() and Encryption.decrypt() public signatures are unchanged — still narrow (JsPlaintext / Encrypted input, Encrypted / JsPlaintext non-nullable output). The runtime null short-circuit in EncryptOperation / DecryptOperation is defense in depth for callers reaching the operation classes through casts, dynamic field walking, or JS interop. The narrow-return contract holds for any caller that respects the input contract.

@cipherstash/schema@3.0.0

Major Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

@cipherstash/protect@12.0.0

Major Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/schema@3.0.0

@cipherstash/protect-dynamodb@12.0.0

Patch Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

• Updated dependencies [f743fcc]

  • @cipherstash/protect@12.0.0

@cipherstash/prisma-next@0.3.1

Patch Changes

• Updated dependencies [6e7ae4e]
• Updated dependencies [712d7fa]
  • @cipherstash/stack@0.18.0

@cipherstash/stack@0.16.0

Minor Changes

• 1c2fdbf: Fix CJS consumers crashing with Must use import to load ES Module: .../uuid/dist-node/index.js. The uuid package is pure ESM and has no CJS entry point, so the CJS build of @cipherstash/stack could not require() it at runtime. uuid is now bundled into the CJS output (the ESM build is unchanged).

  Expose EncryptedTable.columnBuilders as a public, read-only field so consumers can iterate the typed column-builder map of an encrypted table without reaching into the built TableDefinition (schema.build().columns) or the private internal.

@cipherstash/prisma-next@0.2.0

Minor Changes

• f2aca22: Upgrade @prisma-next/* peer/runtime stack from 0.6.0-dev.8 to 0.8.0.

  @prisma-next/sql-runtime@0.8 reordered the SQL execution pipeline so the beforeExecute middleware chain fires before encodeParams. bulkEncryptMiddleware now mutates params via replaceValues(...) ahead of encode, which means CipherstashCellCodec.encode is invoked with the wire-format string rather than the original EncryptedEnvelopeBase. The cell codec now short-circuits string values through unchanged; the envelope path is preserved for direct (non-runtime) callers such as the codec unit tests.

  SqlMiddlewareContext.scope ("runtime" | "connection" | "transaction") also became required in 0.8 (was optional in 0.7); test mocks now set scope: 'runtime' explicitly.

Patch Changes

• Updated dependencies [1c2fdbf]
  • @cipherstash/stack@0.16.0

@cipherstash/prisma-next@0.1.0

Minor Changes

• dc02d0b: Add @cipherstash/prisma-next — searchable application-layer encryption for Postgres with Prisma Next. The framework's migration system installs the EQL bundle in the same prisma-next migration apply sweep that creates the application schema; no separate stash db install step.

  @cipherstash/prisma-next (new package, initial release)

  • Six encrypted column types — EncryptedString, EncryptedDouble, EncryptedBigInt, EncryptedDate, EncryptedBoolean, EncryptedJson — declared via PSL constructors (cipherstash.Encrypted*()) or TS factories (encryptedString(), etc.).
  • 17 query operators — 13 predicate operators surfaced as column methods (cipherstashEq, cipherstashIlike, cipherstashGt, cipherstashBetween, cipherstashInArray, cipherstashJsonbPathExists, …) and 4 free-standing helpers (cipherstashAsc, cipherstashDesc, cipherstashJsonbPathQueryFirst, cipherstashJsonbGet).
  • Per-codec search-mode flags (equality, freeTextSearch, orderAndRange, searchableJson) drive the EQL search-config indices the codec lifecycle hook emits at migration time. Defaults to true across the board.
  • One-call setup via cipherstashFromStack({ contractJson }) from @cipherstash/prisma-next/stack — derives the stack encryptedTable / encryptedColumn schemas from contract.json (single source of truth, no duplicate hand-written declarations), constructs the @cipherstash/stack EncryptionClient, builds the framework-native CipherstashSdk adapter, and returns ready-to-spread { extensions, middleware, encryptionClient } for postgres<Contract>({...}).
  • Layered API — deriveStackSchemas(contractJson) and createCipherstashSdk(client, schemas) exposed as primitives for advanced users (custom keysets, multi-tenant routing, non-stack KMS).
  • Bulk-encrypt middleware (bulkEncryptMiddleware(sdk)) coalesces every plaintext placeholder across a query into one bulkEncrypt SDK round-trip per (table, column) group. decryptAll(rows) does the symmetric coalescing on the read side.
  • Misconfig diagnostic — if the user constructs the runtime descriptor but forgets to register bulkEncryptMiddleware(sdk) against the same SDK, the codec's encode throws a RUNTIME.ENCODE_FAILED envelope with a copy-pasteable wiring snippet at the first encrypted write.
  • Subpath exports — ./stack, ./control, ./runtime, ./middleware, ./pack, ./column-types; tree-shakable along the control / runtime / middleware seams.
  • Contributes an EQL contract space — installs the eql_v2 schema, eql_v2_encrypted composite type, ore_* types, EQL functions / operators / casts via the cipherstash extension's baseline migration. Runs in the same control-plane sweep as the application schema.
  • Full docs: https://cipherstash.com/docs/stack/cipherstash/encryption/prisma-next.

  stash (new feature)

  • stash init --prisma-next — new init provider for Prisma Next projects. Reuses authenticate + resolve-database + install-deps (additionally installs @cipherstash/prisma-next), skips install-eql (the framework handles it via prisma-next migration apply) and build-schema (cipherstashFromStack derives schemas from the contract — no hand-written encryption client file). Detected automatically when a prisma-next.config.* or @cipherstash/prisma-next dependency is present in the project.
  • detectPrismaNext(cwd) — new export from commands/db/detect.ts mirroring the existing detectDrizzle / detectSupabase helpers.