Version Packages (rc)#652
Open
github-actions[bot] wants to merge 1 commit into
Open
Conversation
f41e1a0 to
02c8093
Compare
02c8093 to
baa213d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
mainis currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, runchangeset pre exitonmain.Releases
stash@1.0.0-rc.1
Minor Changes
134fd43: Add anonymous, opt-out usage analytics to the
stashCLI, plus astash telemetry [status|enable|disable]command to manage it.Only coarse events are collected — command name, CLI version, OS/arch, Node
version, success/failure, duration, and a coarse caller class (e.g.
claude-code,cursor,interactive) derived from environment markers so wecan gauge agent- vs human-driven usage. Events carry a random install
identifier (a locally generated UUID, not derived from any machine or user
attribute) used only to de-duplicate events in aggregate. Plaintext, schema,
table/column names,
connection strings, argument values, and any session/trace identifier are never
collected — enforced by a property-key allowlist at the emitter boundary plus
closed-vocabulary coercion of every argv- or error-derived value (unrecognised
commands, subcommands, and error class names all collapse to
<other>). Aone-time notice is shown on first run, and nothing is sent on that run.
Telemetry is off by default in CI and can be disabled with
DO_NOT_TRACK=1(the cross-tool standard),
STASH_TELEMETRY_DISABLED=1, orstash telemetry disable(persisted to~/.cipherstash/telemetry.json).Events are sent via a first-party proxy and never block or slow the CLI. The
feature ships dormant — no events are sent until a PostHog project key is
embedded at release. Updates the
stash-cliskill to document the command andopt-out controls.
Patch Changes
59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
(EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623).
ops.selector(col, '$.path')returns comparison methods bound to aJSONPath into a
types.Jsoncolumn —eq/ne/gt/gte/lt/lte— emittingcol->'<selector>' <op> <value>over the encrypted document. Its unique powerover
containsis ordering at a path (col->'$.age' > 21), whichcontainment cannot express.
Complements the existing
contains(JSONB@>) containment operator. Core@cipherstash/stackneeds no change — the selector hash and comparison entry areproduced by
encryptQuery/encrypton the existingtypes.Jsonsurface. v1supports dot-notation object paths; array-index/wildcard paths are rejected with
a clear error. The Supabase adapter is tracked separately.
The right-hand comparison operand is currently a storage-encrypted needle (its
ste_vec entry carries the ordering term), pending a ciphertext-free ordering
query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
value's ciphertext appears in the WHERE clause.
The bundled
stash-encryptionandstash-drizzleskills document the newops.selector(...)surface (they previously said JSONPath selector queries werenot yet implemented).
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
@cipherstash/stack@1.0.0-rc.1
Minor Changes
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
@cipherstash/stack-drizzle@1.0.0-rc.1
Minor Changes
59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
(EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623).
ops.selector(col, '$.path')returns comparison methods bound to aJSONPath into a
types.Jsoncolumn —eq/ne/gt/gte/lt/lte— emittingcol->'<selector>' <op> <value>over the encrypted document. Its unique powerover
containsis ordering at a path (col->'$.age' > 21), whichcontainment cannot express.
Complements the existing
contains(JSONB@>) containment operator. Core@cipherstash/stackneeds no change — the selector hash and comparison entry areproduced by
encryptQuery/encrypton the existingtypes.Jsonsurface. v1supports dot-notation object paths; array-index/wildcard paths are rejected with
a clear error. The Supabase adapter is tracked separately.
The right-hand comparison operand is currently a storage-encrypted needle (its
ste_vec entry carries the ordering term), pending a ciphertext-free ordering
query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
value's ciphertext appears in the WHERE clause.
The bundled
stash-encryptionandstash-drizzleskills document the newops.selector(...)surface (they previously said JSONPath selector queries werenot yet implemented).
Patch Changes
@cipherstash/stack-supabase@1.0.0-rc.1
Minor Changes
5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A
types.Jsoncolumn now supports exact encrypted containment —
contains(col, subDocument)(ste_vec
@>via PostgRESTcs, with the sub-document storage-encryptedagainst the column) — and JSONPath selector predicates:
selectorEq(col, path, value)andselectorNe(col, path, value)(dot-notation paths;neincludesrows where the path is absent, mirroring the Drizzle selector's semantics).
Raw
.filter(col, 'cs', subDocument)andnot(col, 'contains', …)routethrough the same encrypted path. Selector ordering is not expressible over
PostgREST yet (needs an EQL-bundle overload — see
EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
ops.selector()covers ordering today.In core,
QueryTypesForColumngains thesearchableJsonarm (atypes.Jsoncolumn no longer resolves to
never, so typed adapter key sets can includeit), and the JSONPath selector-path helpers the Drizzle adapter introduced in
feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to
@cipherstash/stack/adapter-kitso both adapters share onevalidation surface (
@cipherstash/stack-drizzlere-exports them unchanged).The bundled
stash-supabaseandstash-encryptionskills are updated todocument the new querying surface (including the array-leaf and SQL-NULL
semantics, and the operand-exposure caveat) — skills ship inside the
stashtarball, hence the patch.
Patch Changes
@cipherstash/prisma-next@0.4.0-rc.1
Patch Changes
@cipherstash/wizard@0.5.0-rc.1
Patch Changes
stashCLI's telemetry privacy contract.The wizard now honors
DO_NOT_TRACK,STASH_TELEMETRY_DISABLED, and CIauto-detection; uses a random per-session identifier instead of one derived
from username@hostname; disables IP→geo resolution; and reports error events as
fixed labels / error class names instead of raw messages (which could embed
schema names or connection details). Analytics remain dormant unless a PostHog
key is configured at build time.
@cipherstash/e2e@0.0.3-rc.1
Patch Changes
@cipherstash/basic-example@1.2.14-rc.1
Patch Changes
@cipherstash/prisma-next-example@0.0.6-rc.1
Patch Changes
@cipherstash/bench@0.0.5-rc.1
Patch Changes
@cipherstash/test-kit@0.0.1-rc.1
Patch Changes