Skip to content

Version Packages (rc)#652

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Open

Version Packages (rc)#652
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

stash@1.0.0-rc.1

Minor Changes

  • 134fd43: Add anonymous, opt-out usage analytics to the stash CLI, plus a
    stash telemetry [status|enable|disable] command to manage it.

    Only coarse events are collected — command name, CLI version, OS/arch, Node
    version, success/failure, duration, and a coarse caller class (e.g.
    claude-code, cursor, interactive) derived from environment markers so we
    can gauge agent- vs human-driven usage. Events carry a random install
    identifier (a locally generated UUID, not derived from any machine or user
    attribute) used only to de-duplicate events in aggregate. Plaintext, schema,
    table/column names,
    connection strings, argument values, and any session/trace identifier are never
    collected — enforced by a property-key allowlist at the emitter boundary plus
    closed-vocabulary coercion of every argv- or error-derived value (unrecognised
    commands, subcommands, and error class names all collapse to <other>). A
    one-time notice is shown on first run, and nothing is sent on that run.

    Telemetry is off by default in CI and can be disabled with DO_NOT_TRACK=1
    (the cross-tool standard), STASH_TELEMETRY_DISABLED=1, or
    stash telemetry disable (persisted to ~/.cipherstash/telemetry.json).

    Events are sent via a first-party proxy and never block or slow the CLI. The
    feature ships dormant — no events are sent until a PostHog project key is
    embedded at release. Updates the stash-cli skill to document the command and
    opt-out controls.

Patch Changes

  • 59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
    (EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623). ops.selector(col, '$.path') returns comparison methods bound to a
    JSONPath into a types.Json column — eq/ne/gt/gte/lt/lte — emitting
    col->'<selector>' <op> <value> over the encrypted document. Its unique power
    over contains is ordering at a path (col->'$.age' > 21), which
    containment cannot express.

    Complements the existing contains (JSONB @>) containment operator. Core
    @cipherstash/stack needs no change — the selector hash and comparison entry are
    produced by encryptQuery/encrypt on the existing types.Json surface. v1
    supports dot-notation object paths; array-index/wildcard paths are rejected with
    a clear error. The Supabase adapter is tracked separately.

    The right-hand comparison operand is currently a storage-encrypted needle (its
    ste_vec entry carries the ordering term), pending a ciphertext-free ordering
    query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
    value's ciphertext appears in the WHERE clause.

    The bundled stash-encryption and stash-drizzle skills document the new
    ops.selector(...) surface (they previously said JSONPath selector queries were
    not yet implemented).

  • 5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A types.Json
    column now supports exact encrypted containment — contains(col, subDocument)
    (ste_vec @> via PostgREST cs, with the sub-document storage-encrypted
    against the column) — and JSONPath selector predicates: selectorEq(col, path, value) and selectorNe(col, path, value) (dot-notation paths; ne includes
    rows where the path is absent, mirroring the Drizzle selector's semantics).
    Raw .filter(col, 'cs', subDocument) and not(col, 'contains', …) route
    through the same encrypted path. Selector ordering is not expressible over
    PostgREST yet (needs an EQL-bundle overload — see
    EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
    ops.selector() covers ordering today.

    In core, QueryTypesForColumn gains the searchableJson arm (a types.Json
    column no longer resolves to never, so typed adapter key sets can include
    it), and the JSONPath selector-path helpers the Drizzle adapter introduced in
    feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to @cipherstash/stack/adapter-kit so both adapters share one
    validation surface (@cipherstash/stack-drizzle re-exports them unchanged).

    The bundled stash-supabase and stash-encryption skills are updated to
    document the new querying surface (including the array-leaf and SQL-NULL
    semantics, and the operand-exposure caveat) — skills ship inside the stash
    tarball, hence the patch.

    • @cipherstash/migrate@1.0.0-rc.0

@cipherstash/stack@1.0.0-rc.1

Minor Changes

  • 5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A types.Json
    column now supports exact encrypted containment — contains(col, subDocument)
    (ste_vec @> via PostgREST cs, with the sub-document storage-encrypted
    against the column) — and JSONPath selector predicates: selectorEq(col, path, value) and selectorNe(col, path, value) (dot-notation paths; ne includes
    rows where the path is absent, mirroring the Drizzle selector's semantics).
    Raw .filter(col, 'cs', subDocument) and not(col, 'contains', …) route
    through the same encrypted path. Selector ordering is not expressible over
    PostgREST yet (needs an EQL-bundle overload — see
    EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
    ops.selector() covers ordering today.

    In core, QueryTypesForColumn gains the searchableJson arm (a types.Json
    column no longer resolves to never, so typed adapter key sets can include
    it), and the JSONPath selector-path helpers the Drizzle adapter introduced in
    feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to @cipherstash/stack/adapter-kit so both adapters share one
    validation surface (@cipherstash/stack-drizzle re-exports them unchanged).

    The bundled stash-supabase and stash-encryption skills are updated to
    document the new querying surface (including the array-leaf and SQL-NULL
    semantics, and the operand-exposure caveat) — skills ship inside the stash
    tarball, hence the patch.

@cipherstash/stack-drizzle@1.0.0-rc.1

Minor Changes

  • 59b994e: Add EQL v3 JSON selector-with-constraint querying to the Drizzle integration
    (EQL v3 JSON: implement JSONPath selector-with-constraint querying (->, ->>) #623). ops.selector(col, '$.path') returns comparison methods bound to a
    JSONPath into a types.Json column — eq/ne/gt/gte/lt/lte — emitting
    col->'<selector>' <op> <value> over the encrypted document. Its unique power
    over contains is ordering at a path (col->'$.age' > 21), which
    containment cannot express.

    Complements the existing contains (JSONB @>) containment operator. Core
    @cipherstash/stack needs no change — the selector hash and comparison entry are
    produced by encryptQuery/encrypt on the existing types.Json surface. v1
    supports dot-notation object paths; array-index/wildcard paths are rejected with
    a clear error. The Supabase adapter is tracked separately.

    The right-hand comparison operand is currently a storage-encrypted needle (its
    ste_vec entry carries the ordering term), pending a ciphertext-free ordering
    query needle from protect-ffi (EQL v3 ste_vec: encryptQuery can't mint an ordering (op) JSON query needle for selector-with-constraint protectjs-ffi#137); until then the
    value's ciphertext appears in the WHERE clause.

    The bundled stash-encryption and stash-drizzle skills document the new
    ops.selector(...) surface (they previously said JSONPath selector queries were
    not yet implemented).

Patch Changes

  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack@1.0.0-rc.1

@cipherstash/stack-supabase@1.0.0-rc.1

Minor Changes

  • 5fe9a2f: Encrypted-JSON querying on the v3 Supabase surface (EQL v3 JSON on Supabase: encrypted containment + JSONPath selector querying #650). A types.Json
    column now supports exact encrypted containment — contains(col, subDocument)
    (ste_vec @> via PostgREST cs, with the sub-document storage-encrypted
    against the column) — and JSONPath selector predicates: selectorEq(col, path, value) and selectorNe(col, path, value) (dot-notation paths; ne includes
    rows where the path is absent, mirroring the Drizzle selector's semantics).
    Raw .filter(col, 'cs', subDocument) and not(col, 'contains', …) route
    through the same encrypted path. Selector ordering is not expressible over
    PostgREST yet (needs an EQL-bundle overload — see
    EQL v3: ordering-at-selector needs a (eql_v3_json, eql_v3_json) comparison overload for PostgREST encrypt-query-language#407); the Drizzle integration's
    ops.selector() covers ordering today.

    In core, QueryTypesForColumn gains the searchableJson arm (a types.Json
    column no longer resolves to never, so typed adapter key sets can include
    it), and the JSONPath selector-path helpers the Drizzle adapter introduced in
    feat(stack-drizzle): EQL v3 JSON selector-with-constraint querying #651 moved to @cipherstash/stack/adapter-kit so both adapters share one
    validation surface (@cipherstash/stack-drizzle re-exports them unchanged).

    The bundled stash-supabase and stash-encryption skills are updated to
    document the new querying surface (including the array-leaf and SQL-NULL
    semantics, and the operand-exposure caveat) — skills ship inside the stash
    tarball, hence the patch.

Patch Changes

  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack@1.0.0-rc.1

@cipherstash/prisma-next@0.4.0-rc.1

Patch Changes

  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack@1.0.0-rc.1

@cipherstash/wizard@0.5.0-rc.1

Patch Changes

  • d8e0c1d: Align the wizard's analytics with the stash CLI's telemetry privacy contract.
    The wizard now honors DO_NOT_TRACK, STASH_TELEMETRY_DISABLED, and CI
    auto-detection; uses a random per-session identifier instead of one derived
    from username@hostname; disables IP→geo resolution; and reports error events as
    fixed labels / error class names instead of raw messages (which could embed
    schema names or connection details). Analytics remain dormant unless a PostHog
    key is configured at build time.

@cipherstash/e2e@0.0.3-rc.1

Patch Changes

  • Updated dependencies [134fd43]
  • Updated dependencies [59b994e]
  • Updated dependencies [5fe9a2f]
  • Updated dependencies [d8e0c1d]
    • stash@1.0.0-rc.1
    • @cipherstash/stack@1.0.0-rc.1
    • @cipherstash/wizard@0.5.0-rc.1

@cipherstash/basic-example@1.2.14-rc.1

Patch Changes

  • Updated dependencies [59b994e]
  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack-drizzle@1.0.0-rc.1
    • @cipherstash/stack-supabase@1.0.0-rc.1
    • @cipherstash/stack@1.0.0-rc.1

@cipherstash/prisma-next-example@0.0.6-rc.1

Patch Changes

  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack@1.0.0-rc.1
    • @cipherstash/prisma-next@0.4.0-rc.1

@cipherstash/bench@0.0.5-rc.1

Patch Changes

  • Updated dependencies [59b994e]
  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack-drizzle@1.0.0-rc.1
    • @cipherstash/stack@1.0.0-rc.1

@cipherstash/test-kit@0.0.1-rc.1

Patch Changes

  • Updated dependencies [5fe9a2f]
    • @cipherstash/stack@1.0.0-rc.1

@github-actions github-actions Bot requested a review from a team as a code owner July 15, 2026 04:58
@github-actions github-actions Bot force-pushed the changeset-release/main branch from f41e1a0 to 02c8093 Compare July 15, 2026 09:13
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 02c8093 to baa213d Compare July 15, 2026 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants