From 7eac4d64e9662a67ae3f2dfef33c35d76c4b62ac Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 9 Jul 2026 14:31:18 +0000 Subject: [PATCH] Version Packages --- .changeset/prisma-next-0-14.md | 12 ------ .changeset/remove-secrets-leftovers.md | 22 ---------- .changeset/stash-cli-skill-refresh.md | 31 -------------- .changeset/wizard-allow-env-templates.md | 18 --------- e2e/CHANGELOG.md | 11 +++++ e2e/package.json | 2 +- examples/basic/CHANGELOG.md | 7 ++++ examples/basic/package.json | 2 +- examples/prisma/CHANGELOG.md | 9 +++++ examples/prisma/package.json | 2 +- packages/bench/CHANGELOG.md | 7 ++++ packages/bench/package.json | 2 +- packages/cli/CHANGELOG.md | 51 ++++++++++++++++++++++++ packages/cli/package.json | 2 +- packages/prisma-next/CHANGELOG.md | 18 +++++++++ packages/prisma-next/package.json | 2 +- packages/stack/CHANGELOG.md | 22 ++++++++++ packages/stack/package.json | 2 +- packages/wizard/CHANGELOG.md | 19 +++++++++ packages/wizard/package.json | 2 +- 20 files changed, 152 insertions(+), 91 deletions(-) delete mode 100644 .changeset/prisma-next-0-14.md delete mode 100644 .changeset/remove-secrets-leftovers.md delete mode 100644 .changeset/stash-cli-skill-refresh.md delete mode 100644 .changeset/wizard-allow-env-templates.md diff --git a/.changeset/prisma-next-0-14.md b/.changeset/prisma-next-0-14.md deleted file mode 100644 index f1ad6d5a5..000000000 --- a/.changeset/prisma-next-0-14.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -'@cipherstash/prisma-next': minor ---- - -Upgrade to Prisma Next 0.14.0 (from 0.8.0). Every `@prisma-next/*` dependency is now pinned at 0.14.0; consuming apps must run Prisma Next 0.14 to use this release. - -Highlights of the upgrade: - -- The extension contract space is re-emitted in the 0.14 canonical shape: storage is namespace-enveloped (`storage.namespaces.public.entries.table`), the domain plane replaces flat `models`, and the baseline EQL-install migration is re-pinned to the new storage hash. The vendored EQL bundle SQL is unchanged byte-for-byte. -- `deriveStackSchemas` reads the namespace-enveloped contract shape emitted by Prisma Next 0.10+. -- The bulk-encrypt middleware accepts the widened insert/update AST value unions introduced through 0.9–0.11. -- README examples use the namespace-qualified ORM accessors (`db.orm.public.User`) required since Prisma Next 0.14. diff --git a/.changeset/remove-secrets-leftovers.md b/.changeset/remove-secrets-leftovers.md deleted file mode 100644 index 84033d4e4..000000000 --- a/.changeset/remove-secrets-leftovers.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -"@cipherstash/stack": patch -"stash": patch ---- - -Remove the leftovers from the secrets removal (`1929c8fe`), which deleted -`packages/stack/src/secrets/` but left its export, build entry, skill, and docs -behind. Secrets tooling is not ready; nothing here was functional. - -- **Drop the dead `@cipherstash/stack/secrets` subpath export.** It pointed at - `./dist/secrets/index.js`, which has no source and is not in the tarball, so - `import '@cipherstash/stack/secrets'` has been throwing `ERR_MODULE_NOT_FOUND` - for every consumer since the source was removed. Also drops the dangling - `src/secrets/index.ts` entry from `tsup.config.ts`. Removing an export that - cannot resolve breaks nothing. -- **Remove the `stash-secrets` agent skill** and its references in `AGENTS.md` - and the init setup-prompt skill index. It was never installed by `stash init` - (it is absent from `SKILL_MAP`), so no user project ever received it. -- **Remove the secrets documentation** from both published READMEs: the - `Secrets` class API and the `npx stash secrets` command reference in - `@cipherstash/stack`, and the `npx stash secrets` section in `stash`. The CLI - command does not exist — `stash secrets` returns `Unknown command`. diff --git a/.changeset/stash-cli-skill-refresh.md b/.changeset/stash-cli-skill-refresh.md deleted file mode 100644 index 7a65d45c8..000000000 --- a/.changeset/stash-cli-skill-refresh.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -"stash": patch ---- - -Refresh the bundled `stash-cli` agent skill and the CLI README against the current -command surface. The skills directory ships inside the `stash` tarball and is copied -into the user's `.claude/skills/` / `.codex/skills/` (or inlined into `AGENTS.md`) at -handoff time, so a stale skill becomes stale guidance in the user's project. - -- **New `Start here` and `Authentication` sections.** Setup is driven through the CLI: - agents read `stash manifest --json` first, then trigger `stash auth login --json` and - surface the verification URL for a human to approve, then run `stash init`. Authenticating - before `init` matters — `init`'s auth step is interactive and would otherwise try to open - a browser on the agent's host. -- **New `Never read these` invariant**, mirrored into the `AGENTS.md` doctrine: agents must - never read `~/.cipherstash/secretkey.json`, `~/.cipherstash/auth.json`, anything under - `~/.cipherstash/workspaces/`, or `.env*`. The wizard already blocks these paths in code; - the other handoff targets had no written rule. -- **Documents `manifest`, `doctor`, `wizard`, and `auth regions`**, which the skill omitted - entirely, plus the non-interactive interface (per-command escape hatches, exit codes, the - `DATABASE_URL` resolution order, the `auth login --json` NDJSON event contract). -- **Corrects the `db` → `eql` move.** `db install`, `db upgrade`, and `db status` are - deprecated aliases that warn and forward; `db push`, `db activate`, `db validate`, - `db test-connection`, and `db migrate` remain in the `db` group. -- **Scopes `db push` / `db activate` as EQL v2 + CipherStash Proxy only**, in both the skill - and the README's recommended flow. SDK users hold their encryption config in application - code and don't need them. -- Adds the missing `--database-url`, `--eql-version`, `--prisma-next`, `--proxy`/`--no-proxy`, - and `--region` flags; corrects six programmatic API signatures; fixes the README's claim - that `stash init` ends in an agent-handoff menu (that belongs to `stash plan` / `stash impl`); - and marks `stash env` as the non-functional stub it currently is. diff --git a/.changeset/wizard-allow-env-templates.md b/.changeset/wizard-allow-env-templates.md deleted file mode 100644 index 7c5e48b4e..000000000 --- a/.changeset/wizard-allow-env-templates.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -"@cipherstash/wizard": patch ---- - -Stop the agent guard from blocking `.env.example`. - -`SENSITIVE_FILE_PATTERNS` matched `/\.env($|\.)/`, which tests true against -`.env.example`. Because the guard covers `Edit` and `Write` as well as `Read`, -the wizard's agent was blocked from creating or editing the very file the -CipherStash doctrine tells it to write ("New env keys go in `.env.example` with -placeholders"). Committed env templates carry placeholder key names, not values. - -`.env.example`, `.env.sample` and `.env.template` are now readable and writable. -Everything else is unchanged: `.env`, `.env.local`, `.env.production`, and -value-bearing files that merely start with a template name -(`.env.example.local`, `.env.example.bak`) stay blocked, as do `auth.json`, -`secretkey.json` and credential files. Bash access to any env file — including -the templates — remains blocked; `Read`/`Write` is the sanctioned path. diff --git a/e2e/CHANGELOG.md b/e2e/CHANGELOG.md index 2ab6bf48c..2f8929031 100644 --- a/e2e/CHANGELOG.md +++ b/e2e/CHANGELOG.md @@ -1,5 +1,16 @@ # @cipherstash/e2e +## 0.0.3 + +### Patch Changes + +- Updated dependencies [f23f952] +- Updated dependencies [1a9d190] +- Updated dependencies [9c673bb] + - @cipherstash/stack@0.19.1 + - stash@0.17.2 + - @cipherstash/wizard@0.4.1 + ## 0.0.2 ### Patch Changes diff --git a/e2e/package.json b/e2e/package.json index 0f623dfb4..453725d2c 100644 --- a/e2e/package.json +++ b/e2e/package.json @@ -1,6 +1,6 @@ { "name": "@cipherstash/e2e", - "version": "0.0.2", + "version": "0.0.3", "private": true, "description": "End-to-end tests that exercise built CipherStash binaries and cross-package behaviour.", "type": "module", diff --git a/examples/basic/CHANGELOG.md b/examples/basic/CHANGELOG.md index b35e63dd9..868419e3d 100644 --- a/examples/basic/CHANGELOG.md +++ b/examples/basic/CHANGELOG.md @@ -1,5 +1,12 @@ # @cipherstash/basic-example +## 1.2.14 + +### Patch Changes + +- Updated dependencies [f23f952] + - @cipherstash/stack@0.19.1 + ## 1.2.13 ### Patch Changes diff --git a/examples/basic/package.json b/examples/basic/package.json index 87c6c8fd9..59362f81b 100644 --- a/examples/basic/package.json +++ b/examples/basic/package.json @@ -1,7 +1,7 @@ { "name": "@cipherstash/basic-example", "private": true, - "version": "1.2.13", + "version": "1.2.14", "type": "module", "scripts": { "start": "tsx index.ts" diff --git a/examples/prisma/CHANGELOG.md b/examples/prisma/CHANGELOG.md index f815e3476..998e90d9e 100644 --- a/examples/prisma/CHANGELOG.md +++ b/examples/prisma/CHANGELOG.md @@ -1,5 +1,14 @@ # @cipherstash/prisma-next-example +## 0.0.6 + +### Patch Changes + +- Updated dependencies [d6d23be] +- Updated dependencies [f23f952] + - @cipherstash/prisma-next@0.4.0 + - @cipherstash/stack@0.19.1 + ## 0.0.5 ### Patch Changes diff --git a/examples/prisma/package.json b/examples/prisma/package.json index 7ad4aff1b..336a113d4 100644 --- a/examples/prisma/package.json +++ b/examples/prisma/package.json @@ -1,7 +1,7 @@ { "name": "@cipherstash/prisma-next-example", "private": true, - "version": "0.0.5", + "version": "0.0.6", "description": "End-to-end example of @cipherstash/prisma-next: searchable application-layer encryption for Postgres with Prisma Next, using @cipherstash/stack as the SDK.", "type": "module", "scripts": { diff --git a/packages/bench/CHANGELOG.md b/packages/bench/CHANGELOG.md index 4652e87f6..864f57235 100644 --- a/packages/bench/CHANGELOG.md +++ b/packages/bench/CHANGELOG.md @@ -1,5 +1,12 @@ # @cipherstash/bench +## 0.0.5 + +### Patch Changes + +- Updated dependencies [f23f952] + - @cipherstash/stack@0.19.1 + ## 0.0.4 ### Patch Changes diff --git a/packages/bench/package.json b/packages/bench/package.json index 40dcc4a79..7ddbb42c9 100644 --- a/packages/bench/package.json +++ b/packages/bench/package.json @@ -1,6 +1,6 @@ { "name": "@cipherstash/bench", - "version": "0.0.4", + "version": "0.0.5", "private": true, "description": "Performance / index-engagement benchmarks for stack integrations (Drizzle, encryptedSupabase, Prisma).", "type": "module", diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index c676c6138..873a91ad3 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md @@ -1,5 +1,56 @@ # @cipherstash/cli +## 0.17.2 + +### Patch Changes + +- f23f952: Remove the leftovers from the secrets removal (`1929c8fe`), which deleted + `packages/stack/src/secrets/` but left its export, build entry, skill, and docs + behind. Secrets tooling is not ready; nothing here was functional. + + - **Drop the dead `@cipherstash/stack/secrets` subpath export.** It pointed at + `./dist/secrets/index.js`, which has no source and is not in the tarball, so + `import '@cipherstash/stack/secrets'` has been throwing `ERR_MODULE_NOT_FOUND` + for every consumer since the source was removed. Also drops the dangling + `src/secrets/index.ts` entry from `tsup.config.ts`. Removing an export that + cannot resolve breaks nothing. + - **Remove the `stash-secrets` agent skill** and its references in `AGENTS.md` + and the init setup-prompt skill index. It was never installed by `stash init` + (it is absent from `SKILL_MAP`), so no user project ever received it. + - **Remove the secrets documentation** from both published READMEs: the + `Secrets` class API and the `npx stash secrets` command reference in + `@cipherstash/stack`, and the `npx stash secrets` section in `stash`. The CLI + command does not exist — `stash secrets` returns `Unknown command`. + +- 1a9d190: Refresh the bundled `stash-cli` agent skill and the CLI README against the current + command surface. The skills directory ships inside the `stash` tarball and is copied + into the user's `.claude/skills/` / `.codex/skills/` (or inlined into `AGENTS.md`) at + handoff time, so a stale skill becomes stale guidance in the user's project. + + - **New `Start here` and `Authentication` sections.** Setup is driven through the CLI: + agents read `stash manifest --json` first, then trigger `stash auth login --json` and + surface the verification URL for a human to approve, then run `stash init`. Authenticating + before `init` matters — `init`'s auth step is interactive and would otherwise try to open + a browser on the agent's host. + - **New `Never read these` invariant**, mirrored into the `AGENTS.md` doctrine: agents must + never read `~/.cipherstash/secretkey.json`, `~/.cipherstash/auth.json`, anything under + `~/.cipherstash/workspaces/`, or `.env*`. The wizard already blocks these paths in code; + the other handoff targets had no written rule. + - **Documents `manifest`, `doctor`, `wizard`, and `auth regions`**, which the skill omitted + entirely, plus the non-interactive interface (per-command escape hatches, exit codes, the + `DATABASE_URL` resolution order, the `auth login --json` NDJSON event contract). + - **Corrects the `db` → `eql` move.** `db install`, `db upgrade`, and `db status` are + deprecated aliases that warn and forward; `db push`, `db activate`, `db validate`, + `db test-connection`, and `db migrate` remain in the `db` group. + - **Scopes `db push` / `db activate` as EQL v2 + CipherStash Proxy only**, in both the skill + and the README's recommended flow. SDK users hold their encryption config in application + code and don't need them. + - Adds the missing `--database-url`, `--eql-version`, `--prisma-next`, `--proxy`/`--no-proxy`, + and `--region` flags; corrects six programmatic API signatures; fixes the README's claim + that `stash init` ends in an agent-handoff menu (that belongs to `stash plan` / `stash impl`); + and marks `stash env` as the non-functional stub it currently is. + - @cipherstash/migrate@0.2.0 + ## 0.17.1 ### Patch Changes diff --git a/packages/cli/package.json b/packages/cli/package.json index fef7f871a..89e6c2102 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,6 +1,6 @@ { "name": "stash", - "version": "0.17.1", + "version": "0.17.2", "description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.", "repository": { "type": "git", diff --git a/packages/prisma-next/CHANGELOG.md b/packages/prisma-next/CHANGELOG.md index c1bb5907c..d9f8cfa12 100644 --- a/packages/prisma-next/CHANGELOG.md +++ b/packages/prisma-next/CHANGELOG.md @@ -1,5 +1,23 @@ # @cipherstash/prisma-next +## 0.4.0 + +### Minor Changes + +- d6d23be: Upgrade to Prisma Next 0.14.0 (from 0.8.0). Every `@prisma-next/*` dependency is now pinned at 0.14.0; consuming apps must run Prisma Next 0.14 to use this release. + + Highlights of the upgrade: + + - The extension contract space is re-emitted in the 0.14 canonical shape: storage is namespace-enveloped (`storage.namespaces.public.entries.table`), the domain plane replaces flat `models`, and the baseline EQL-install migration is re-pinned to the new storage hash. The vendored EQL bundle SQL is unchanged byte-for-byte. + - `deriveStackSchemas` reads the namespace-enveloped contract shape emitted by Prisma Next 0.10+. + - The bulk-encrypt middleware accepts the widened insert/update AST value unions introduced through 0.9–0.11. + - README examples use the namespace-qualified ORM accessors (`db.orm.public.User`) required since Prisma Next 0.14. + +### Patch Changes + +- Updated dependencies [f23f952] + - @cipherstash/stack@0.19.1 + ## 0.3.2 ### Patch Changes diff --git a/packages/prisma-next/package.json b/packages/prisma-next/package.json index 36937fada..02c00247d 100644 --- a/packages/prisma-next/package.json +++ b/packages/prisma-next/package.json @@ -1,6 +1,6 @@ { "name": "@cipherstash/prisma-next", - "version": "0.3.2", + "version": "0.4.0", "license": "MIT", "author": "CipherStash ", "description": "CipherStash extension for Prisma Next: searchable application-layer field-level encryption for Postgres, with six encrypted column types, 17 query operators, bulk encrypt/decrypt middleware, and a baseline migration that installs the vendored EQL bundle SQL byte-for-byte.", diff --git a/packages/stack/CHANGELOG.md b/packages/stack/CHANGELOG.md index 4a97e92c6..e09fd6a46 100644 --- a/packages/stack/CHANGELOG.md +++ b/packages/stack/CHANGELOG.md @@ -1,5 +1,27 @@ # @cipherstash/stack +## 0.19.1 + +### Patch Changes + +- f23f952: Remove the leftovers from the secrets removal (`1929c8fe`), which deleted + `packages/stack/src/secrets/` but left its export, build entry, skill, and docs + behind. Secrets tooling is not ready; nothing here was functional. + + - **Drop the dead `@cipherstash/stack/secrets` subpath export.** It pointed at + `./dist/secrets/index.js`, which has no source and is not in the tarball, so + `import '@cipherstash/stack/secrets'` has been throwing `ERR_MODULE_NOT_FOUND` + for every consumer since the source was removed. Also drops the dangling + `src/secrets/index.ts` entry from `tsup.config.ts`. Removing an export that + cannot resolve breaks nothing. + - **Remove the `stash-secrets` agent skill** and its references in `AGENTS.md` + and the init setup-prompt skill index. It was never installed by `stash init` + (it is absent from `SKILL_MAP`), so no user project ever received it. + - **Remove the secrets documentation** from both published READMEs: the + `Secrets` class API and the `npx stash secrets` command reference in + `@cipherstash/stack`, and the `npx stash secrets` section in `stash`. The CLI + command does not exist — `stash secrets` returns `Unknown command`. + ## 0.19.0 ### Minor Changes diff --git a/packages/stack/package.json b/packages/stack/package.json index 51ab9b44b..269128d9b 100644 --- a/packages/stack/package.json +++ b/packages/stack/package.json @@ -1,6 +1,6 @@ { "name": "@cipherstash/stack", - "version": "0.19.0", + "version": "0.19.1", "description": "CipherStash Stack for TypeScript and JavaScript", "keywords": [ "encrypted", diff --git a/packages/wizard/CHANGELOG.md b/packages/wizard/CHANGELOG.md index aef9d034c..711a329ec 100644 --- a/packages/wizard/CHANGELOG.md +++ b/packages/wizard/CHANGELOG.md @@ -1,5 +1,24 @@ # @cipherstash/wizard +## 0.4.1 + +### Patch Changes + +- 9c673bb: Stop the agent guard from blocking `.env.example`. + + `SENSITIVE_FILE_PATTERNS` matched `/\.env($|\.)/`, which tests true against + `.env.example`. Because the guard covers `Edit` and `Write` as well as `Read`, + the wizard's agent was blocked from creating or editing the very file the + CipherStash doctrine tells it to write ("New env keys go in `.env.example` with + placeholders"). Committed env templates carry placeholder key names, not values. + + `.env.example`, `.env.sample` and `.env.template` are now readable and writable. + Everything else is unchanged: `.env`, `.env.local`, `.env.production`, and + value-bearing files that merely start with a template name + (`.env.example.local`, `.env.example.bak`) stay blocked, as do `auth.json`, + `secretkey.json` and credential files. Bash access to any env file — including + the templates — remains blocked; `Read`/`Write` is the sanctioned path. + ## 0.4.0 ### Minor Changes diff --git a/packages/wizard/package.json b/packages/wizard/package.json index 70a6d071b..fe972e029 100644 --- a/packages/wizard/package.json +++ b/packages/wizard/package.json @@ -1,6 +1,6 @@ { "name": "@cipherstash/wizard", - "version": "0.4.0", + "version": "0.4.1", "description": "AI-powered encryption setup for CipherStash. Reads your codebase, picks columns to encrypt, and wires everything up.", "repository": { "type": "git",