Skip to content
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changeset/drizzle-legacy-readme-pointer.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
'@cipherstash/drizzle': patch
---

Docs: the README's "for new projects" pointer named the removed
`@cipherstash/stack/drizzle` subpath; it now points at the separate
`@cipherstash/stack-drizzle` package (EQL v3 on its `/v3` subpath).
16 changes: 16 additions & 0 deletions .changeset/eql-v3-sole-docs.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
'stash': patch
'@cipherstash/stack': patch
---

Docs: EQL v3 is now the sole documented approach. The `stash-encryption`,
`stash-drizzle`, and `stash-supabase` skills and the `@cipherstash/stack`
README teach only the v3 typed surface (`EncryptionV3`, `types.*` concrete
domains, `@cipherstash/stack-drizzle/v3`, `encryptedSupabaseV3`); EQL v2
shrinks to one short Legacy section per document. Two explicit exceptions are
called out: DynamoDB still requires the v2 schema surface (#657), and the
encrypt rollout tooling (`stash encrypt backfill`/`cutover`,
`@cipherstash/migrate`) currently targets v2 columns (#648) — its guidance is
kept under a version callout. Also corrects the legacy `@cipherstash/drizzle`
README's pointer to the removed `@cipherstash/stack/drizzle` subpath (now the
separate `@cipherstash/stack-drizzle` package).
13 changes: 13 additions & 0 deletions .changeset/skills-identity-docs-refresh.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
---
'stash': patch
'@cipherstash/stack': patch
---

Docs: stop teaching the deprecated `LockContext.identify()` as the primary
identity-aware-encryption path (#591). The `stash-encryption` and `stash-supabase`
skills and the `@cipherstash/stack` README now lead with the current pattern —
authenticate the client with `OidcFederationStrategy`, then bind the claim per
operation with `.withLockContext({ identityClaim })` — and demote
`LockContext.identify()` to a clearly-marked deprecated note (per-operation CTS
tokens were removed in protect-ffi 0.25). Skills ship in the `stash` tarball, so
this keeps the bundled guidance correct for the 1.0 surface.
4 changes: 2 additions & 2 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -147,8 +147,8 @@ Three rules to remember when editing CI or pnpm config:

## Key Concepts and APIs

- **Initialization**: `Encryption({ schemas })` returns an initialized `EncryptionClient`. Provide at least one `encryptedTable`.
- **Schema**: Define tables/columns with `encryptedTable` and `encryptedColumn` from `@cipherstash/stack/schema`. Add `.freeTextSearch().equality().orderAndRange()` to enable searchable encryption on PostgreSQL. Use `.searchableJson()` for encrypted JSONB queries. Use `encryptedField` for nested object encryption (DynamoDB).
- **Initialization**: `EncryptionV3({ schemas })` returns the typed EQL v3 client. (`Encryption({ schemas })` is the legacy v2 client.) Provide at least one `encryptedTable`.
- **Schema (EQL v3, the documented approach)**: Define tables/columns with `encryptedTable` and the `types.*` concrete-domain factories from `@cipherstash/stack/eql/v3` (`types.TextSearch`, `types.IntegerOrd`, `types.Json`, …) — each domain's query capabilities are fixed by its type; there are no chainable capability tuners. Build the client with `EncryptionV3` from `@cipherstash/stack/v3`. (Legacy EQL v2 — `Encryption` + `encryptedColumn(...).equality().freeTextSearch().orderAndRange().searchableJson()` from `@cipherstash/stack/schema` — remains for existing deployments and is what DynamoDB (`encryptedField`) still requires; see #657.)
- **Operations** (all return Result-like objects and support chaining `.withLockContext(lockContext)` and `.audit()` when applicable):
- `encrypt(plaintext, { table, column })`
- `decrypt(encryptedPayload)`
Expand Down
2 changes: 1 addition & 1 deletion packages/drizzle/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
Seamlessly integrate CipherStash encryption with Drizzle ORM and PostgreSQL to encrypt your data while maintaining full query capabilities—equality, range queries, text search, and sorting—all with complete TypeScript type safety.

> [!TIP]
> For new projects we recommend [`@cipherstash/stack`](https://www.npmjs.com/package/@cipherstash/stack), which provides this integration as `encryptedType`, `extractEncryptionSchema`, and `createEncryptionOperators` from `@cipherstash/stack/drizzle`. See the [Drizzle docs](https://cipherstash.com/docs/stack/cipherstash/encryption/drizzle). This package documents the legacy `@cipherstash/protect`-based API.
> For new projects we recommend [`@cipherstash/stack`](https://www.npmjs.com/package/@cipherstash/stack), which provides this integration via the separate [`@cipherstash/stack-drizzle`](https://www.npmjs.com/package/@cipherstash/stack-drizzle) package (EQL v3 on its `/v3` subpath). See the [Drizzle docs](https://cipherstash.com/docs). This package documents the legacy `@cipherstash/protect`-based API.

## Features

Expand Down
Loading
Loading