stash@0.11.0

Minor Changes

• de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

  Migration

  1. Update your package.json devDependencies:

     -  "@cipherstash/cli": "^0.10.0"
     +  "stash": "^0.10.1"

  2. Update the defineConfig import in stash.config.ts:

     - import { defineConfig } from '@cipherstash/cli'
     + import { defineConfig } from 'stash'

  3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

  Wizard impact (@cipherstash/wizard)

  The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

• 8ee11fd: Layered DATABASE_URL resolution for DB / schema commands.

  Previously, any DB-touching command (db install, db push, db upgrade, db status, db validate, db test-connection, schema build) failed with the cryptic Zod error:

  Error: Invalid stash.config.ts
    - databaseUrl: Invalid input: expected nonoptional, received undefined
  

  if DATABASE_URL wasn't already in the environment. The CLI auto-loaded .env.local / .env.development.local / .env.development / .env, but had no story for --database-url flags, local Supabase, or pasted-once values.

  The scaffolded stash.config.ts now calls a resolver directly:

  import { defineConfig, resolveDatabaseUrl } from "stash";
  
  export default defineConfig({
    databaseUrl: await resolveDatabaseUrl(),
    client: "./src/encryption/index.ts",
  });

  resolveDatabaseUrl() walks sources in order; first hit wins:

  1. --database-url <url> flag — new, accepted on all seven DB / schema commands. Used for this run only; never written to disk.
  2. process.env.DATABASE_URL — covers shell exports, mise, direnv, dotenv-cli, the existing dotenv loads.
  3. supabase status --output env → DB_URL — auto-engaged when --supabase is set or a supabase/config.toml is detected. Useful for local Supabase users who haven't exported the URL yet.
  4. Interactive prompt — opens with a tip listing the alternatives (flag, env, the user's actual dotenv file). Skipped under CI=true or non-TTY stdin.
  5. Hard fail with a source-naming error message.

  The connection string is never persisted to disk — stash.config.ts only contains the await resolveDatabaseUrl() call, never a literal URL. The resolver also doesn't mutate process.env; CLI flag context is threaded into the config evaluation via AsyncLocalStorage so concurrent loads stay isolated. Source labels are logged on non-env paths (Using DATABASE_URL from --database-url flag / from supabase status / from prompt) but the URL itself is never echoed.

  db test-connection's connection-failure hint is now source-aware: it points users at --database-url, the env var, and the actual dotenv file in their project (.env.local if present, .env otherwise) — not the misleading stash.config.ts it used to suggest.

@cipherstash/wizard@0.1.2

Patch Changes

• de9c02c: Rename the CLI package from @cipherstash/cli to stash. The published code, commands, and flags are unchanged — this is a pure rename so the day-to-day invocation drops from npx @cipherstash/cli ... to npx stash ....

  Migration

  1. Update your package.json devDependencies:

     -  "@cipherstash/cli": "^0.10.0"
     +  "stash": "^0.10.1"

  2. Update the defineConfig import in stash.config.ts:

     - import { defineConfig } from '@cipherstash/cli'
     + import { defineConfig } from 'stash'

  3. Update any npx @cipherstash/cli ... / bunx @cipherstash/cli ... / pnpm dlx @cipherstash/cli ... / yarn dlx @cipherstash/cli ... invocations in scripts, CI, READMEs, and team docs to use stash instead. Programmatic exports (defineConfig, loadStashConfig, EQLInstaller, loadBundledEqlSql, downloadEqlSql, PermissionCheckResult) are re-exported from stash with the same shapes.

  Wizard impact (@cipherstash/wizard)

  The wizard's post-agent step and its prerequisite / agent-error hints now reference stash (e.g. Run: bunx stash auth login, Running bunx stash db install...) rather than @cipherstash/cli. The wizard package name and stash-wizard binary are unchanged — only the strings the wizard prints and the commands it shells out to are affected.

@cipherstash/stack@0.15.3

Patch Changes

• afe6810: Bump protect-ffi version

@cipherstash/protect@11.1.1

Patch Changes

• afe6810: Bump protect-ffi version

@cipherstash/protect-dynamodb@11.0.1

Patch Changes

• Updated dependencies [afe6810]
  • @cipherstash/protect@11.1.1

@cipherstash/wizard@0.1.1

Patch Changes

• f34fe9d: Show and execute commands using the detected package manager's runner (npx / bunx / pnpm dlx / yarn dlx) instead of always emitting npx. A user who runs bunx @cipherstash/cli init now sees a "Next Steps" panel that suggests bunx @cipherstash/cli db install and bunx @cipherstash/wizard, and the wizard's post-agent step both displays and shells out to bunx @cipherstash/cli db push (was: Failed: npx @cipherstash/cli db push). Wizard prerequisite messages and AI-agent error hints (e.g. on a 401, Run: bunx @cipherstash/cli auth login) follow the same rule. Detection sources are unchanged: npm_config_user_agent first, then lockfile, then npx fallback.

@cipherstash/wizard@0.1.0

Minor Changes

• 5d3eb13: Initial release of @cipherstash/wizard — AI-powered encryption setup for CipherStash, extracted from @cipherstash/cli.

  Run it once per project, after stash init:

  npx @cipherstash/wizard
  pnpm dlx @cipherstash/wizard
  yarn dlx @cipherstash/wizard
  bunx @cipherstash/wizard

  The wizard reads your codebase, asks which columns to encrypt, hands a surgical prompt to the Claude Agent SDK against the CipherStash-hosted LLM gateway, and runs deterministic post-agent steps (package install, db install, db push, framework migrations). Same behavior as the previous stash wizard command — just shipped as its own package so it doesn't bloat the cli's dependency tree.

@cipherstash/cli@0.9.0

Minor Changes

• 5d3eb13: Reduce friction in stash init.

  • No more "How will you connect to your database?" prompt. Init now auto-detects Drizzle (from drizzle.config.* or drizzle-orm/drizzle-kit in package.json) and Supabase (from the host in DATABASE_URL), and silently picks the matching encryption client template. Falls back to a generic Postgres template otherwise.
  • No more "Where should we create your encryption client?" prompt. Init writes to ./src/encryption/index.ts by default. The "file already exists, what would you like to do?" prompt still appears so existing client files aren't silently overwritten.
  • Single combined dependency-install prompt. Previously init asked twice (once for @cipherstash/stack, once for @cipherstash/cli). It now asks once, listing both, and runs the installs in sequence. When both packages are already in node_modules, no prompt appears at all.
  • Already-authenticated users skip the "Continue with workspace X?" prompt. Init logs Using workspace X and proceeds. Run stash auth login directly to switch workspaces.

  stash db install now also calls into the same encryption-client scaffolder as a safety net — users who run db install without init first still get a working client file generated at the path their stash.config.ts points to.

• 5d3eb13: Breaking: the stash wizard command has been removed. The AI-guided encryption setup is now its own package — run it via npx @cipherstash/wizard (or pnpm dlx, bunx, yarn dlx).

  The wizard was pulling @anthropic-ai/claude-agent-sdk (47MB unpacked) into every npx @cipherstash/cli invocation, even for fast commands like init, auth, and db install. Splitting it out keeps cli's dependency tree small and lets each package manager handle the wizard's install natively — no more shelling out to npm from inside the cli, no Yarn PnP / Bun-only failure modes.

  The next-steps output from init and db install still recommends npx @cipherstash/wizard as the automated path. The schema build command no longer offers a wizard/builder selection prompt — it goes straight to the schema builder.

@cipherstash/cli@0.10.1

Patch Changes

• f34fe9d: Show and execute commands using the detected package manager's runner (npx / bunx / pnpm dlx / yarn dlx) instead of always emitting npx. A user who runs bunx @cipherstash/cli init now sees a "Next Steps" panel that suggests bunx @cipherstash/cli db install and bunx @cipherstash/wizard, and the wizard's post-agent step both displays and shells out to bunx @cipherstash/cli db push (was: Failed: npx @cipherstash/cli db push). Wizard prerequisite messages and AI-agent error hints (e.g. on a 401, Run: bunx @cipherstash/cli auth login) follow the same rule. Detection sources are unchanged: npm_config_user_agent first, then lockfile, then npx fallback.

@cipherstash/cli@0.10.0

Minor Changes

• 79f4a0b: Fix loadStashConfig to correctly unwrap the default export from stash.config.ts. Previously, any database-touching command (db install, db push, db validate, db status, db test-connection, schema build) would fail validation against a perfectly valid config with:

  Error: Invalid stash.config.ts
  
    - databaseUrl: Invalid input: expected nonoptional, received undefined
  

  The issue: in jiti 2.x, the interopDefault: true option passed to createJiti(...) only applies to the deprecated synchronous jiti(id) callable form. The async jiti.import() ignores it and always returns the full module namespace. With export default defineConfig({...}) that meant Zod was validating { default: { databaseUrl, client } } and reporting databaseUrl as undefined even when the user's config plainly set it.

  Switched to jiti's per-call { default: true } option, which does work on jiti.import(). Added an integration test that exercises real jiti against a real temp stash.config.ts so future regressions get caught — the previous mocked test was passing the bug straight through.

  This bug surfaced after db install started loading stash.config.ts (during the onboarding overhaul), but affected every other command that reads the config.