Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changeset/drizzle-legacy-readme-pointer.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
'@cipherstash/drizzle': patch
---

Docs: the README's "for new projects" pointer named the removed
`@cipherstash/stack/drizzle` subpath; it now points at the separate
`@cipherstash/stack-drizzle` package (EQL v3 on its `/v3` subpath).
16 changes: 16 additions & 0 deletions .changeset/eql-v3-sole-docs.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
'stash': patch
'@cipherstash/stack': patch
---

Docs: EQL v3 is now the sole documented approach. The `stash-encryption`,
`stash-drizzle`, and `stash-supabase` skills and the `@cipherstash/stack`
README teach only the v3 typed surface (`EncryptionV3`, `types.*` concrete
domains, `@cipherstash/stack-drizzle/v3`, `encryptedSupabaseV3`); EQL v2
shrinks to one short Legacy section per document. Two explicit exceptions are
called out: DynamoDB still requires the v2 schema surface (#657), and the
encrypt rollout tooling (`stash encrypt backfill`/`cutover`,
`@cipherstash/migrate`) currently targets v2 columns (#648) — its guidance is
kept under a version callout. Also corrects the legacy `@cipherstash/drizzle`
README's pointer to the removed `@cipherstash/stack/drizzle` subpath (now the
separate `@cipherstash/stack-drizzle` package).
13 changes: 13 additions & 0 deletions .changeset/skills-identity-docs-refresh.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
---
'stash': patch
'@cipherstash/stack': patch
---

Docs: stop teaching the deprecated `LockContext.identify()` as the primary
identity-aware-encryption path (#591). The `stash-encryption` and `stash-supabase`
skills and the `@cipherstash/stack` README now lead with the current pattern —
authenticate the client with `OidcFederationStrategy`, then bind the claim per
operation with `.withLockContext({ identityClaim })` — and demote
`LockContext.identify()` to a clearly-marked deprecated note (per-operation CTS
tokens were removed in protect-ffi 0.25). Skills ship in the `stash` tarball, so
this keeps the bundled guidance correct for the 1.0 surface.
4 changes: 2 additions & 2 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -147,8 +147,8 @@ Three rules to remember when editing CI or pnpm config:

## Key Concepts and APIs

- **Initialization**: `Encryption({ schemas })` returns an initialized `EncryptionClient`. Provide at least one `encryptedTable`.
- **Schema**: Define tables/columns with `encryptedTable` and `encryptedColumn` from `@cipherstash/stack/schema`. Add `.freeTextSearch().equality().orderAndRange()` to enable searchable encryption on PostgreSQL. Use `.searchableJson()` for encrypted JSONB queries. Use `encryptedField` for nested object encryption (DynamoDB).
- **Initialization**: `EncryptionV3({ schemas })` returns the typed EQL v3 client. (`Encryption({ schemas })` is the legacy v2 client.) Provide at least one `encryptedTable`.
- **Schema (EQL v3, the documented approach)**: Define tables/columns with `encryptedTable` and the `types.*` concrete-domain factories from `@cipherstash/stack/eql/v3` (`types.TextSearch`, `types.IntegerOrd`, `types.Json`, …) — each domain's query capabilities are fixed by its type; there are no chainable capability tuners. Build the client with `EncryptionV3` from `@cipherstash/stack/v3`. (Legacy EQL v2 — `Encryption` + `encryptedColumn(...).equality().freeTextSearch().orderAndRange().searchableJson()` from `@cipherstash/stack/schema` — remains for existing deployments and is what DynamoDB (`encryptedField`) still requires; see #657.)
- **Operations** (all return Result-like objects and support chaining `.withLockContext(lockContext)` and `.audit()` when applicable):
- `encrypt(plaintext, { table, column })`
- `decrypt(encryptedPayload)`
Expand Down
2 changes: 1 addition & 1 deletion packages/drizzle/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
Seamlessly integrate CipherStash encryption with Drizzle ORM and PostgreSQL to encrypt your data while maintaining full query capabilities—equality, range queries, text search, and sorting—all with complete TypeScript type safety.

> [!TIP]
> For new projects we recommend [`@cipherstash/stack`](https://www.npmjs.com/package/@cipherstash/stack), which provides this integration as `encryptedType`, `extractEncryptionSchema`, and `createEncryptionOperators` from `@cipherstash/stack/drizzle`. See the [Drizzle docs](https://cipherstash.com/docs/stack/cipherstash/encryption/drizzle). This package documents the legacy `@cipherstash/protect`-based API.
> For new projects we recommend [`@cipherstash/stack`](https://www.npmjs.com/package/@cipherstash/stack), which provides this integration via the separate [`@cipherstash/stack-drizzle`](https://www.npmjs.com/package/@cipherstash/stack-drizzle) package (EQL v3 on its `/v3` subpath). See the [Drizzle docs](https://cipherstash.com/docs). This package documents the legacy `@cipherstash/protect`-based API.

## Features

Expand Down
Loading
Loading