Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@cipherstash/protect@12.0.0

Major Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/schema@3.0.0

@cipherstash/schema@3.0.0

Major Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

stash@0.16.0

Minor Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

• bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

  Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

  Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

Patch Changes

• 8fe2496: stash impl and stash plan no longer hang in non-TTY contexts (CI, pipes, automation harnesses). The agent-target picker previously read from /dev/tty and waited forever. You can now pass --target <claude-code|codex|agents-md|wizard> to select a handoff target non-interactively, and when neither --target nor a TTY is available the command prints a hint and exits cleanly instead of blocking.
  • @cipherstash/migrate@0.2.0

@cipherstash/prisma-next@0.3.0

Minor Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/stack@0.17.0

@cipherstash/stack@0.17.0

Minor Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

@cipherstash/wizard@0.3.0

Minor Changes

• bb9764d: stash db push is no longer included by default in stash plan / stash impl agent prompts or the wizard's post-agent step. SDK users (Drizzle, Supabase, plain PostgreSQL) no longer see stash db push baked into their rollout/cutover walkthroughs — the encryption config lives in app code, so the database doesn't need a copy.

  Pass --proxy to stash init (or answer the new interactive prompt) if you query encrypted data via CipherStash Proxy. The choice is persisted to .cipherstash/context.json as usesProxy and is honoured by stash plan, stash impl, and the wizard's post-agent step. Existing .cipherstash/context.json files without the field default to SDK-only.

  Known gap: stash encrypt cutover currently requires a pending EQL config registered via stash db push, so SDK-only users running the migrate-existing-column flow will hit a "No pending EQL configuration" error from cutover. Workaround: run stash db push once before stash encrypt cutover. Decoupling cutover from EQL config for SDK-only users is tracked as a follow-up to #447.

@cipherstash/protect-dynamodb@12.0.0

Patch Changes

• f743fcc: Upgrade @cipherstash/protect-ffi to 0.23.0 and the bundled CipherStash EQL extension to eql-2.3.1.

  Breaking upstream changes adopted in this release:

  • Encrypt-config schema version: buildEncryptConfig now emits { v: 1, ... } (was { v: 2, ... }). protect-ffi 0.22.0 started validating this field and rejects any value other than 1 with the new UNSUPPORTED_CONFIG_VERSION error code.
  • Storage and query payloads are now distinct types (protect-ffi 0.23.0): the previously-conflated Encrypted type splits into Encrypted (storage-only, c required) and a new EncryptedQuery (search terms — scalar unique/match/ore lookups and ste_vec_selector JSON path queries; no c). JSON containment queries (ste_vec_term) still return a storage-shaped Encrypted payload. encryptQuery / encryptQueryBulk now return Encrypted | EncryptedQuery, and the stack's EncryptedSearchTerm / EncryptedQueryResult unions widen to match. decrypt rejects query payloads at the type level. The DynamoDB SearchTermsOperation narrows via 'hm' in term rather than term.hm.
  • SteVec encoding default flipped: protect-ffi's default mode for ste_vec indexes changed from compat to standard. The two encodings are not cross-compatible. Existing JSON-searchable data that was indexed under compat will need to be re-encrypted to be queryable. The stack adopts the new standard default — there is no longer a way to pin compat from the SDK.
  • EQL extension bumped to eql-2.3.1: the new SteVec standard encoding requires matching support in the database EQL extension. The CLI's bundled SQL (packages/cli/src/sql/*.sql) and the @cipherstash/prisma-next install bundle (migrations/20260601T0000_install_eql_bundle/ops.json + eql-install.generated.ts) are updated to eql-2.3.1. Databases installed with an older EQL extension must be reinstalled (stash db install) before containment / contained-by queries against SteVec columns will work. eql-2.3.1 ships the _encrypted_check_c fix for SteVec storage payloads (cipherstash/encrypt-query-language#232).
  • New error codes: ProtectErrorCode (re-exported from @cipherstash/protect-ffi) gains MATCH_REQUIRES_TEXT and UNSUPPORTED_CONFIG_VERSION. Exhaustive switches over ProtectErrorCode will need additional cases.
  • match index validation: protect-ffi now rejects match indexes on columns whose cast_as is not text-family ('text' / 'string') with MATCH_REQUIRES_TEXT. The stack's freeTextSearch() builder is unaffected because it only targets string-typed columns.
  • Encrypted ciphertext shape: protect-ffi's Encrypted type is now a discriminated union keyed on k ('ct' for scalars, 'sv' for SteVec). SteVec storage payloads now place the root document ciphertext at sv[0].c. The stack's isEncryptedPayload runtime check continues to work because storage payloads still carry c (scalar) or sv (SteVec). The DynamoDB helpers (toEncryptedDynamoItem, SearchTermsOperation) now narrow on k before reading variant-only fields.
  • Config-validation error message wording: error messages for config-validation failures now come from upstream ConfigError. ProtectError.code values are preserved; consumers that string-match on err.message for config-validation errors must update.

• Updated dependencies [f743fcc]

  • @cipherstash/protect@12.0.0

@cipherstash/basic-example@1.2.11

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/stack@0.17.0

@cipherstash/prisma-next-example@0.0.3

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/stack@0.17.0
  • @cipherstash/prisma-next@0.3.0

@cipherstash/bench@0.0.2

Patch Changes

• Updated dependencies [f743fcc]
  • @cipherstash/stack@0.17.0