Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
79 commits
Select commit Hold shift + click to select a range
bdfb2a2
feat(v2): scaffold the V2 information architecture (CIP-3325)
coderdan Jul 2, 2026
af92d2c
fix(v2): quote colon-bearing frontmatter descriptions; unshadow /refe…
coderdan Jul 2, 2026
a6a4274
feat(v2): serve the /docs landing inside the docs navigation; redirec…
coderdan Jul 2, 2026
5c34cef
docs(v2): note landing-page state in IA.md checklist
coderdan Jul 2, 2026
b604d4f
fix(v2): merge folder index pages into their nav rows
coderdan Jul 2, 2026
f5c9e81
fix(v2): no chevron on nav items without sub-pages
coderdan Jul 2, 2026
8514932
fix(v2): make all MDX links basePath-relative
coderdan Jul 2, 2026
d415a48
feat(v2): EQL v3 reference section (CIP-3326)
coderdan Jul 2, 2026
dd2a8d6
refactor(v2): restructure EQL reference Tailwind-style (CIP-3326)
coderdan Jul 2, 2026
9cecb45
refactor(v2): SEM specifiers, Tailwind-style variant enumeration, pay…
coderdan Jul 2, 2026
127f0a6
refactor(v2): split numbers/dates pages, Example headings, separate O…
coderdan Jul 2, 2026
123a544
docs(v2): track EQL 3.0.0 release-alignment gate in IA.md (CIP-3352)
coderdan Jul 2, 2026
896eae5
docs(v2): address Copilot review on EQL reference (PR #38)
coderdan Jul 2, 2026
d0ccd7e
docs(v2): address PR #37 review comments
coderdan Jul 2, 2026
5e5641c
Merge v2 review fixes (placeholder pages, non-permanent redirects)
coderdan Jul 2, 2026
19a132b
Merge pull request #38 from cipherstash/cip-3326-eql-v3-reference
coderdan Jul 2, 2026
4901b0f
docs(v2): add the two-axis content model to IA.md
coderdan Jul 5, 2026
299c1cb
docs(v2): reconcile structure with the two-axis IA
coderdan Jul 6, 2026
9bbdcfb
chore(v2): fix Biome lint errors so `bun run lint` passes clean
coderdan Jul 7, 2026
a900369
chore: ignore .serena/ (local MCP tooling state)
coderdan Jul 7, 2026
064c176
fix(eql-docs): strip Doxygen <tt> tags so a stray one can't break the…
coderdan Jul 8, 2026
fd4ddbb
Merge pull request #52 from cipherstash/fix/eql-docs-strip-tt-tag
coderdan Jul 8, 2026
ccca2e5
docs(v2): prototype — generate the CLI reference from `stash --help`
coderdan Jul 5, 2026
7371257
docs(v2): CLI generator tracks latest published stash + wire into pre…
coderdan Jul 5, 2026
22dd036
docs(v2): hybrid CLI reference — merge hand-authored supplements + ex…
coderdan Jul 5, 2026
6a7ac7b
docs(cli): generate the CLI reference from `stash manifest --json`
coderdan Jul 8, 2026
a10e6b7
docs(v2): add nested EQL v2 reference for existing v2.2 deployments
coderdan Jul 5, 2026
40ee221
fix(cli-docs): escape MDX braces in manifest-derived prose
coderdan Jul 8, 2026
261b69c
docs(cli): address auth-page review feedback
coderdan Jul 8, 2026
7d1dcff
fix(cli-docs): harden manifest loading (Copilot review)
coderdan Jul 8, 2026
f736ffa
Merge pull request #45 from cipherstash/docs/v2-cli-generator
coderdan Jul 8, 2026
089645d
chore(cli-docs): drop the internal tracker ref from the generator header
coderdan Jul 8, 2026
83ae605
Merge pull request #53 from cipherstash/chore/cli-gen-cip3460
coderdan Jul 8, 2026
c9cc2ef
Merge pull request #44 from cipherstash/docs/v2-eql-v2-reference
coderdan Jul 8, 2026
1dd4b98
docs(v2): generate the EQL function catalog from the manifest + drift…
coderdan Jul 5, 2026
1f08e4f
docs(v2): render the EQL domain/variant matrix + extend the drift-lin…
coderdan Jul 5, 2026
200ee2e
docs(v2): switch the domain matrix to the catalog-driven shape
coderdan Jul 6, 2026
1e9f6f8
docs(v2): consume jsonb domains + extractor functions from the manifest
coderdan Jul 6, 2026
7e5f301
docs(eql): schema-aware drift-lint + sweep pages to the shipped surface
coderdan Jul 6, 2026
d5e1910
docs(eql): fix schema placeholders + add 'The three schemas' section
coderdan Jul 6, 2026
a0e9204
docs(eql): rename public.jsonb_query -> eql_v3.query_jsonb
coderdan Jul 8, 2026
79b8833
docs(eql): add an EQL-version banner linking to the v2 reference
coderdan Jul 8, 2026
88b819f
Merge pull request #46 from cipherstash/docs/v2-eql-manifest-consumer
coderdan Jul 8, 2026
78a4a22
docs(eql): install via `stash eql install` CLI
coderdan Jul 8, 2026
e19f7d0
docs(eql): document stash.config.ts
coderdan Jul 8, 2026
4c05054
Merge pull request #51 from cipherstash/eql-install-cli
coderdan Jul 8, 2026
212f894
docs(reference): port proxy, workspace, glossary, agent-skills
coderdan Jul 9, 2026
e2c33a9
docs(workspace): link to pricing instead of listing plan prices and l…
coderdan Jul 9, 2026
d9a5b6c
docs(workspace): drop per-plan subsections from billing
coderdan Jul 9, 2026
026a5a0
Merge pull request #55 from cipherstash/docs/v2-reference-mechanical-…
coderdan Jul 9, 2026
f3d4554
docs(solutions): port ai-and-rag, data-residency, provable-access, index
coderdan Jul 9, 2026
6d7268f
docs(solutions): address review, move to strategy-based identity API
coderdan Jul 9, 2026
619c122
docs(solutions): narrow the LockContext deprecation to identify()
coderdan Jul 9, 2026
9804cd6
docs(solutions): make the authStrategy dependency explicit in provabl…
coderdan Jul 9, 2026
b4883db
Merge pull request #56 from cipherstash/docs/v2-solutions-port
coderdan Jul 9, 2026
9484ffb
chore: merge main into v2
coderdan Jul 9, 2026
e8e1542
chore(ci): gate the build on deprecated and non-existent API in docs
coderdan Jul 9, 2026
779f6aa
Merge pull request #61 from cipherstash/chore/deprecated-api-lint
coderdan Jul 9, 2026
0bf6fe5
docs(security): write the canonical architecture page
coderdan Jul 9, 2026
005d22c
docs(security): rename Architecture to Cryptography, label the index …
coderdan Jul 9, 2026
5cbb9ce
feat(mdx): render mermaid code fences as diagrams
coderdan Jul 9, 2026
cabc111
docs(solutions): convert the data-residency diagrams to mermaid
coderdan Jul 9, 2026
9cdfb8f
docs(security): correct the key exchange, the client key never leaves
coderdan Jul 9, 2026
d17c110
docs(security): show the key-ID request in the ZeroKMS diagram
coderdan Jul 9, 2026
f3575c6
chore: merge main into v2
coderdan Jul 9, 2026
802dae2
Merge pull request #64 from cipherstash/chore/merge-main-into-v2-2
coderdan Jul 9, 2026
353615c
Merge pull request #62 from cipherstash/docs/v2-security-architecture
coderdan Jul 9, 2026
c6ed577
docs(get-started): rewrite the quickstart on EQL v3
coderdan Jul 9, 2026
1b4f340
docs(get-started): tell the quickstart to install EQL v3 explicitly
coderdan Jul 9, 2026
4f13b93
docs(get-started): write the section overview, fix the landing page
coderdan Jul 9, 2026
c255d16
fix(eql): document the CLLW OPE ordering term, unblocking the build
coderdan Jul 9, 2026
60ce290
fix(eql): rename the remaining oc payload keys, and pin the EQL release
coderdan Jul 9, 2026
393dddc
Merge pull request #66 from cipherstash/fix/eql-ope-cllw-drift
coderdan Jul 9, 2026
217319f
Merge remote-tracking branch 'origin/v2' into docs/v2-quickstart
coderdan Jul 9, 2026
6fe86b1
docs(get-started): write what-is-cipherstash and choose-your-stack
coderdan Jul 9, 2026
7f7b38c
docs(get-started): restore the performance numbers, with 14x for AWS KMS
coderdan Jul 9, 2026
2f79af0
docs(get-started): frame leakage as a design choice, not a confession
coderdan Jul 9, 2026
2961856
docs(get-started): apply the choose-your-stack preview comments
coderdan Jul 9, 2026
bf32cef
Merge pull request #65 from cipherstash/docs/v2-quickstart
coderdan Jul 9, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,8 @@ content/stack/reference/drizzle/latest/
content/stack/reference/drizzle/v*/
.tmp-*
.env.local

# serena (local MCP tooling state)
.serena/
# EQL release manifest extracted by generate-eql-docs.ts (see generate-eql-api-docs.ts)
.eql-manifest.release.json
457 changes: 457 additions & 0 deletions IA.md

Large diffs are not rendered by default.

12 changes: 10 additions & 2 deletions biome.json
Original file line number Diff line number Diff line change
@@ -1,13 +1,21 @@
{
"$schema": "https://biomejs.dev/schemas/2.2.0/schema.json",
"$schema": "https://biomejs.dev/schemas/2.3.15/schema.json",
"vcs": {
"enabled": true,
"clientKind": "git",
"useIgnoreFile": true
},
"files": {
"ignoreUnknown": true,
"includes": ["**", "!node_modules", "!.next", "!dist", "!build", "!.source"]
"includes": [
"**",
"!node_modules",
"!.next",
"!dist",
"!build",
"!.source",
"!src/app/global.css"
]
},
"formatter": {
"enabled": true,
Expand Down
311 changes: 306 additions & 5 deletions bun.lock

Large diffs are not rendered by default.

9 changes: 9 additions & 0 deletions content/docs/concepts/compare/index.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: Comparisons
description: "How CipherStash compares to other approaches to protecting data."
type: concept
---

This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md).

Until it lands, current documentation lives in the [existing docs](/stack).
5 changes: 5 additions & 0 deletions content/docs/concepts/compare/meta.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"title": "Comparisons",
"icon": "Scale",
"pages": ["..."]
}
9 changes: 9 additions & 0 deletions content/docs/concepts/index.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: Concepts
description: "How CipherStash works and how to think about searchable encryption, keys, and identity."
type: concept
---

This section is being built as part of the docs V2 overhaul ([CIP-3307](https://linear.app/cipherstash/issue/CIP-3307)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md).

Until it lands, current documentation lives in the [existing docs](/stack).
5 changes: 5 additions & 0 deletions content/docs/concepts/meta.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"title": "Concepts",
"icon": "Lightbulb",
"pages": ["...", "compare"]
}
9 changes: 9 additions & 0 deletions content/docs/concepts/searchable-encryption.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: Searchable encryption
description: "How querying encrypted data works, and exactly what each index term reveals."
type: concept
---

This page is being rewritten as part of the docs V2 overhaul ([CIP-3333](https://linear.app/cipherstash/issue/CIP-3333)). Track progress in [IA.md](https://github.com/cipherstash/docs/blob/v2/IA.md).

Until it lands, the current version lives in the [existing docs](/stack/cipherstash/encryption/searchable-encryption).
105 changes: 105 additions & 0 deletions content/docs/get-started/choose-your-stack.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
---
title: Choose your stack
description: "Pick an integration path: SDK or Proxy, your Postgres platform, your ORM, and your identity provider."
type: guide
components: [encryption, proxy, eql, platform]
audience: [developer, cto]
---

Four decisions, in order. The first one matters most; the rest usually follow from what you already run.

## 1. SDK or Proxy

| | [Stack SDK](/reference/stack) | [Proxy](/reference/proxy) |
|---|---|---|
| Where encryption happens | In your application process | In the proxy, which you run |
| Application changes | Encrypt and decrypt calls, or an ORM wrapper that adds them for you | Point your connection string at the proxy |
| Best when | You own the code and want fine-grained control | You cannot change the application, or it isn't TypeScript |
| Language | TypeScript / JavaScript | Any. It speaks the Postgres wire protocol |
| Runs where | Your app | A container or sidecar in your infrastructure |

Both produce the same ciphertext and both speak [EQL](/reference/eql), so this is not a one-way door. You can move a table from one to the other without re-encrypting it.

Start with the SDK unless you already know you can't change the application.

## 2. Your Postgres

EQL installs into any Postgres you can connect to. It needs no extension, no superuser, and no `postgresql.conf` changes.

| Platform | Works | Notes |
|---|---|---|
| Supabase | Yes | [Supabase integration](/integrations/supabase). Expose the `eql_v3` schema in the dashboard. |
| Neon, RDS, Aurora, Cloud SQL | Yes | `stash eql install` detects a non-superuser role and adapts. |
| Self-hosted Postgres | Yes | Full operator-class support, so the ORE ordering mechanism is available. |
| Postgres behind PgBouncer | Yes | Transaction pooling is fine. Proxy has its own pooling. |
| DynamoDB | Yes, without EQL | [DynamoDB integration](/stack/cipherstash/encryption/dynamodb). Encrypted attributes and HMAC key lookups; no EQL, because there's no Postgres. |
| MySQL, MongoDB, others | Not yet | The SDK still encrypts values for you, but nothing is queryable server-side. |

<Callout type="info">
Managed platforms usually block custom operator class creation. That's why the default ordering mechanism is moving to OPE, which indexes under Postgres's default btree operator class. See [SEM specifiers](/reference/eql/core-concepts#sem-specifiers).
</Callout>

## 3. Your ORM

| Query layer | Path | What it looks like |
|---|---|---|
| Drizzle | [Drizzle integration](/stack/cipherstash/encryption/drizzle) | An `encryptedType` column and typed query operators. Your Drizzle code keeps its shape. |
| Supabase JS | [Supabase integration](/integrations/supabase) | `encryptedSupabase` wraps the client. `.eq()`, `.like()`, `.gt()` keep working. |
| Prisma | [Prisma integration](/stack/cipherstash/encryption/prisma-next) | Encrypt in the data layer around Prisma calls. |
| Raw SQL | [Quickstart](/get-started/quickstart) | Encrypt the value, insert it, cast the query operand. |
| An ORM we don't list | The SDK | Encrypt before write, decrypt after read. Every ORM supports that. |

If you use no ORM, nothing is missing. The SDK's `encrypt` and `encryptQuery` are the whole surface.

## 4. Identity binding

Reach for this when a value should be decryptable only by the user it belongs to, rather than by anything holding the application's credentials. It is also what shrinks the blast radius of a compromised application process.

It requires an OIDC provider, registered on the [OIDC providers](https://dashboard.cipherstash.com/workspaces/_/oidc-providers) page in the Dashboard.

| Provider | Supported |
|---|---|
| Supabase Auth | Yes |
| Clerk | Yes |
| Auth0 | Yes |
| Okta | Yes |
| Any OIDC issuer | Yes, if it publishes a discovery endpoint |

See [provable access control](/solutions/provable-access) for what this buys you, and what it does not.

## Where CipherStash sits among the encryption you already have

Encryption at rest and in transit are not alternatives to this. They protect different things, and you should keep both.

| | At rest | In transit | In use |
|---|---|---|---|
| Protects the disk | Yes | No | Yes |
| Protects the wire | No | Yes | Yes |
| Protects during a query | No | No | Yes |
| Plaintext visible to the database | Yes | Yes | **No** |
| Queryable without decrypting | n/a | n/a | Yes |

A database breach defeats encryption at rest, because the database decrypts on read. That is the gap this fills.

## From development to production

| Stage | Credentials | Setup |
|---|---|---|
| Local development | Device-based | `stash init` per developer. No environment variables. |
| CI and staging | Machine | An application client key, plus `CS_*` environment variables. |
| Production | Machine | Same, with the client key held in your secret manager. |

Device auth gives each developer their own identity, so local decryptions are attributable. There's no interactive device in CI, hence the switch. See [going to production](/stack/deploy/going-to-production).

## Still not sure

A [discovery session](https://cipherstash.com/contact) is a 60-minute conversation with our engineering team. No slides. Bring whoever owns the data layer, and a compliance lead if that's someone else.

Worth thinking through beforehand:

- Which fields are sensitive, and which regulations cover them.
- Whether you need those fields **searchable**, or only stored and retrieved. Encrypt-only columns carry no index terms and leak nothing.
- Whether you need per-user decryption, or per-tenant isolation, or both.
- Your database, ORM, and deployment target, plus any restriction on native Node modules.

You'll leave with a recommended path and answers to whatever is blocking you.
24 changes: 24 additions & 0 deletions content/docs/get-started/index.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
---
title: Get started
navTitle: Overview
description: "Encrypt your first field in ten minutes, then pick the integration path that matches your stack."
type: tutorial
audience: [developer]
---

CipherStash encrypts your data at the field level, in your application, and keeps the ciphertext queryable in Postgres. The database never sees plaintext, and neither do we.

This section gets you from nothing to an encrypted, queryable field. It owns no mechanics: each page links to the reference that does.

## Start here

- **[What is CipherStash?](/get-started/what-is-cipherstash)** is the mental model. What the pieces are, what the trade is, and which door to walk through.
- **[Quickstart](/get-started/quickstart)** is ten minutes of typing. Encrypt a field, store it, query it without decrypting it, and read it back. It works against any Postgres: Supabase, Neon, RDS, or a container.
- **[Choose your stack](/get-started/choose-your-stack)** picks your integration path: SDK or Proxy, your platform, your ORM, and your identity provider.

## Then pick your path

- **Adopting CipherStash into an existing app?** [Integrations](/integrations) covers the platforms, ORMs, frameworks, and auth providers that wrap your existing client, so your queries keep the shape they already have.
- **Can't change the application?** [CipherStash Proxy](/reference/proxy) sits in front of Postgres and encrypts on the wire.
- **Want to understand it before you install it?** [Concepts](/concepts) explains searchable encryption, key management, and identity-aware encryption.
- **Evaluating for a security review?** [Architecture & security](/security) is written to be read end to end, starting with [Cryptography](/security/cryptography).
11 changes: 11 additions & 0 deletions content/docs/get-started/meta.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"title": "Get started",
"icon": "Rocket",
"pages": [
"index",
"what-is-cipherstash",
"quickstart",
"choose-your-stack",
"..."
]
}
Loading