From 999ebe29af033af027d5c5d88ddc051634299e1e Mon Sep 17 00:00:00 2001 From: Dan Draper Date: Fri, 3 Jul 2026 16:04:28 +1000 Subject: [PATCH 1/2] docs: rename `stash db install` to `stash eql install` The CLI command moved to a dedicated `eql` command group; `db install` remains as a deprecated alias that prints a warning. Update all pages that reference the command and note the deprecated alias on the install page. --- content/stack/cipherstash/cli/index.mdx | 8 ++--- content/stack/cipherstash/cli/init.mdx | 12 +++---- content/stack/cipherstash/cli/install.mdx | 34 ++++++++++--------- .../stack/cipherstash/cli/troubleshooting.mdx | 10 +++--- .../stack/cipherstash/encryption/drizzle.mdx | 2 +- .../cipherstash/encryption/prisma-next.mdx | 2 +- .../encryption/searchable-encryption.mdx | 2 +- .../cipherstash/encryption/storing-data.mdx | 2 +- .../stack/cipherstash/encryption/supabase.mdx | 4 +-- content/stack/cipherstash/supabase.mdx | 10 +++--- content/stack/deploy/testing.mdx | 2 +- content/stack/deploy/troubleshooting.mdx | 2 +- content/stack/reference/agent-skills.mdx | 2 +- .../dashboard-supabase-integration.mdx | 4 +-- content/stack/reference/drizzle.mdx | 4 +-- 15 files changed, 51 insertions(+), 49 deletions(-) diff --git a/content/stack/cipherstash/cli/index.mdx b/content/stack/cipherstash/cli/index.mdx index 7197e5e..81d1d5b 100644 --- a/content/stack/cipherstash/cli/index.mdx +++ b/content/stack/cipherstash/cli/index.mdx @@ -58,7 +58,7 @@ The setup lifecycle has three explicit save-points. Each command can be run stan ### Manual setup -If you prefer to configure things yourself rather than running `stash init`, you can scaffold the config file manually and run `stash db install` directly. +If you prefer to configure things yourself rather than running `stash init`, you can scaffold the config file manually and run `stash eql install` directly. 
@@ -95,7 +95,7 @@ If you prefer to configure things yourself rather than running `stash init`, you ### Install EQL ```bash - npx stash db install + npx stash eql install ``` @@ -148,7 +148,7 @@ yarn dlx @cipherstash/wizard # yarn Before running the wizard, your project should have: - An authenticated CipherStash session (`npx stash auth login`) -- A `stash.config.ts` (run `npx stash init` or `npx stash db install` to scaffold one) +- A `stash.config.ts` (run `npx stash init` or `npx stash eql install` to scaffold one) - A reachable database via `DATABASE_URL` ### What the wizard does @@ -157,7 +157,7 @@ Before running the wizard, your project should have: 2. Runs health checks against the CipherStash gateway and your database. 3. Prompts you to pick the tables and columns to encrypt. 4. Sends a prompt to the Claude Agent SDK, which edits your schema and call sites to use `@cipherstash/stack`'s encryption APIs. The agent runs against a CipherStash-hosted LLM gateway. No Anthropic API key is required. -5. Runs post-agent steps: package install, `db install`, `db push`, and framework-specific migrations. +5. Runs post-agent steps: package install, `eql install`, `db push`, and framework-specific migrations. 6. Scans for remaining call sites that need `encryptModel`/`decryptModel` wiring and prints a summary. These locations are not edited automatically. 7. Offers to install integration-appropriate [agent skills](/stack/reference/agent-skills) into `./.claude/skills/`. diff --git a/content/stack/cipherstash/cli/init.mdx b/content/stack/cipherstash/cli/init.mdx index 50459f6..968e1fc 100644 --- a/content/stack/cipherstash/cli/init.mdx +++ b/content/stack/cipherstash/cli/init.mdx 
@@ -17,7 +17,7 @@ Init runs six steps with minimal prompts: 2. **Resolves the database**: Reads your `DATABASE_URL` and verifies a connection can be made. Detects your Postgres provider (Supabase from the URL host, or generic Postgres). 3. **Generates the encryption client file**: Auto-detects your integration (Drizzle from `drizzle.config.*` or `drizzle-orm`/`drizzle-kit` in `package.json`, Supabase from the `DATABASE_URL` host, or generic Postgres). Writes a placeholder client to `./src/encryption/index.ts` silently. If that file already exists, it prompts you to keep it or overwrite it. 4. **Installs dependencies**: Checks whether `@cipherstash/stack` and `stash` are already in `node_modules`. If both are present, skips silently. If either is missing, shows a single combined install prompt. Detects your package manager (npm, pnpm, yarn, bun) automatically. -5. **Installs EQL**: Runs the same logic as `stash db install`. Scaffolds `stash.config.ts` if missing, detects your provider, and installs the EQL extension into your database. You do not need to run `stash db install` separately after init. +5. **Installs EQL**: Runs the same logic as `stash eql install`. Scaffolds `stash.config.ts` if missing, detects your provider, and installs the EQL extension into your database. You do not need to run `stash eql install` separately after init. 6. **Gathers context**: Writes `.cipherstash/context.json` with the detected integration, package manager, schemas, environment keys, and available agents. This file is required by `stash plan` and `stash impl`. Best case: 0 prompts (already authenticated, both packages installed, no existing client file, database reachable). Worst case: 2 prompts (region selection for first-time login, install confirmation for missing packages). 
@@ -73,14 +73,14 @@ Answering yes launches `stash plan` immediately. Answering no (or running non-in Next: run `stash plan` to draft your encryption plan. ``` -## db install flags +## eql install flags -If you need to run EQL installation with specific flags (for example, writing a Supabase migration file), use `stash db install` directly after init: +If you need to run EQL installation with specific flags (for example, writing a Supabase migration file), use `stash eql install` directly after init: ```bash -npx stash db install --supabase --migration -npx stash db install --drizzle -npx stash db install --drizzle --supabase +npx stash eql install --supabase --migration +npx stash eql install --drizzle +npx stash eql install --drizzle --supabase ``` > **Good to know**: You can pass `--drizzle` and `--supabase` together. The CLI combines both behaviors: Supabase-compatible SQL output as a Drizzle migration. diff --git a/content/stack/cipherstash/cli/install.mdx b/content/stack/cipherstash/cli/install.mdx index 9c12b3e..ca84e11 100644 --- a/content/stack/cipherstash/cli/install.mdx +++ b/content/stack/cipherstash/cli/install.mdx 
@@ -8,10 +8,12 @@ description: Install or upgrade EQL extensions in Postgres with the stash CLI, c Install the CipherStash EQL extensions into your database. Uses bundled SQL by default for offline, deterministic installs. ```bash -npx stash db install [options] +npx stash eql install [options] ``` -`db install` scaffolds `stash.config.ts` if it is missing. The command: +`stash db install` is a deprecated alias for `stash eql install` — it still works, but prints a deprecation warning. Use `eql install` going forward. + +`eql install` scaffolds `stash.config.ts` if it is missing. The command: 1. **Scaffolds `stash.config.ts`** with the database URL and client path (if the file does not already exist). 2. **Scaffolds the encryption client file** at the path referenced in `stash.config.ts` if the file does not exist. Uses the same auto-detected integration template as `init` (Drizzle, Supabase, or generic Postgres). Silent, no prompt. 
@@ -37,36 +39,36 @@ After a successful install, the CLI prints a summary of what was installed. If y Standard install: ```bash -npx stash db install +npx stash eql install ``` Dry run to preview changes: ```bash -npx stash db install --dry-run +npx stash eql install --dry-run ``` Fetch the latest EQL from GitHub: ```bash -npx stash db install --latest +npx stash eql install --latest ``` ### Auto-detection -`db install` auto-detects two things before prompting you: +`eql install` auto-detects two things before prompting you: - **Supabase**: If `DATABASE_URL` contains a `*.supabase.co`, `*.supabase.com`, or `*.pooler.supabase.com` host, the CLI uses the Supabase-compatible install automatically. You can still pass `--supabase` explicitly to override. - **Drizzle**: If a `drizzle.config.*` file exists or `drizzle-orm`/`drizzle-kit` appears in `package.json`, the CLI generates a Drizzle migration automatically. You can still pass `--drizzle` explicitly. ### Automatic OPE fallback -On managed databases (Supabase, Neon, RDS), the connected role is often not a superuser. `db install` detects this and automatically uses the no-operator-family (OPE) install variant, logging a line to inform you. You do not need to pass `--exclude-operator-family` manually on these hosts. +On managed databases (Supabase, Neon, RDS), the connected role is often not a superuser. `eql install` detects this and automatically uses the no-operator-family (OPE) install variant, logging a line to inform you. You do not need to pass `--exclude-operator-family` manually on these hosts. ### Supabase install ```bash -npx stash db install --supabase +npx stash eql install --supabase ``` The `--supabase` flag uses the Supabase-specific SQL variant. It omits `CREATE OPERATOR FAMILY` and grants `USAGE`, table, routine, and sequence permissions on the `eql_v2` schema to `anon`, `authenticated`, and `service_role`. 
@@ -83,13 +85,13 @@ The migration-file path writes EQL SQL into `supabase/migrations/00000000000000_ ```bash # Write EQL as a migration file -npx stash db install --supabase --migration +npx stash eql install --supabase --migration # Push EQL directly to the database -npx stash db install --supabase --direct +npx stash eql install --supabase --direct # Override the migrations directory -npx stash db install --supabase --migration --migrations-dir ./db/migrations +npx stash eql install --supabase --migration --migrations-dir ./db/migrations ``` @@ -109,7 +111,7 @@ npx stash db install --supabase --migration --migrations-dir ./db/migrations If you use Drizzle ORM and want EQL installation as part of your migration history, use `--drizzle`: ```bash -npx stash db install --drizzle +npx stash eql install --drizzle npx drizzle-kit migrate ``` @@ -122,7 +124,7 @@ This process: To customize the migration name and output directory: ```bash -npx stash db install --drizzle --name setup-eql --out ./migrations +npx stash eql install --drizzle --name setup-eql --out ./migrations ``` `drizzle-kit` must be installed. The `--out` value must match your Drizzle config. @@ -130,7 +132,7 @@ npx stash db install --drizzle --name setup-eql --out ./migrations You can combine `--drizzle` and `--supabase`: ```bash -npx stash db install --drizzle --supabase +npx stash eql install --drizzle --supabase ``` This generates a Supabase-compatible EQL migration file. 
@@ -139,7 +141,7 @@ This generates a Supabase-compatible EQL migration file. When you add `encryptedType` to a Drizzle column that already has data, `drizzle-kit generate` emits an `ALTER TABLE ... ALTER COLUMN ... SET DATA TYPE eql_v2_encrypted` statement. Postgres cannot cast existing data to `eql_v2_encrypted` implicitly, so this migration would fail. -`db install --drizzle` automatically rewrites those statements into a safe `ADD COLUMN / DROP COLUMN / RENAME COLUMN` sequence. The rewrite adds a comment in the migration to remind you to backfill the new column with `encryptModel` before dropping the old one. You are responsible for writing and running that backfill in your application code before applying the DROP step. +`eql install --drizzle` automatically rewrites those statements into a safe `ADD COLUMN / DROP COLUMN / RENAME COLUMN` sequence. The rewrite adds a comment in the migration to remind you to backfill the new column with `encryptModel` before dropping the old one. You are responsible for writing and running that backfill in your application code before applying the DROP step. ### Permission pre-checks @@ -168,7 +170,7 @@ npx stash db upgrade [options] | `--exclude-operator-family` | Skip operator family creation | | `--latest` | Fetch the latest EQL from GitHub instead of using the bundled version | -The EQL install SQL is idempotent and safe to re-run. The CLI checks the current version, re-runs the install SQL, and reports the new version. If EQL is not installed, the CLI suggests running `npx stash db install` instead. +The EQL install SQL is idempotent and safe to re-run. The CLI checks the current version, re-runs the install SQL, and reports the new version. If EQL is not installed, the CLI suggests running `npx stash eql install` instead. ## Bundled EQL SQL diff --git a/content/stack/cipherstash/cli/troubleshooting.mdx b/content/stack/cipherstash/cli/troubleshooting.mdx index 6018185..80d7186 100644 
--- a/content/stack/cipherstash/cli/troubleshooting.mdx +++ b/content/stack/cipherstash/cli/troubleshooting.mdx @@ -7,14 +7,14 @@ description: Fix common CipherStash CLI errors covering config files, database p | Error | Cause | Fix | |---|---|---| -| `Could not find stash.config.ts` | No config file in cwd or parent dirs | Run `npx stash init` (which runs `db install` automatically), or run `npx stash db install` directly, or create `stash.config.ts` manually | +| `Could not find stash.config.ts` | No config file in cwd or parent dirs | Run `npx stash init` (which runs `eql install` automatically), or run `npx stash eql install` directly, or create `stash.config.ts` manually | | `databaseUrl is required` | Config missing `databaseUrl` | Add `databaseUrl` to config and check `.env` is loaded | | `must be superuser to create an operator family` | Standard SQL requires superuser | The CLI falls back to OPE mode automatically on managed databases. Pass `--exclude-operator-family` if you see this on self-hosted Postgres. | | `Insufficient database permissions` | Role lacks `CREATE` privileges | Connect as superuser or grant permissions | | `EQL is already installed` | `eql_v2` schema exists | Use `--force` to reinstall | | `Encrypt client file not found` | `push`/`validate` can't find the file at `config.client` | Set `client` in `stash.config.ts` to the correct path | | `drizzle-kit generate failed` | drizzle-kit not installed or wrong output dir | Install `drizzle-kit` and set `--out` to match your Drizzle config | -| EQL missing after `supabase db reset` | EQL was installed via direct push, not as a migration | Re-run `db install --supabase --migration` to add EQL to `supabase/migrations/`. See [below](#supabase-db-reset). | +| EQL missing after `supabase db reset` | EQL was installed via direct push, not as a migration | Re-run `eql install --supabase --migration` to add EQL to `supabase/migrations/`. See [below](#supabase-db-reset). | ## Permission issues 
@@ -54,10 +54,10 @@ When adding `encryptedType` to a column that already has data, the CLI rewrites ### Fix for new installs -Re-run `db install` and choose the migration-file path: +Re-run `eql install` and choose the migration-file path: ```bash -npx stash db install --supabase --migration +npx stash eql install --supabase --migration ``` The CLI writes EQL SQL to `supabase/migrations/00000000000000_cipherstash_eql.sql`. The all-zero timestamp prefix ensures it runs before any user migrations that reference `eql_v2_encrypted`. After the file is created, `supabase db reset` will reinstall EQL automatically on every reset. @@ -67,7 +67,7 @@ The CLI writes EQL SQL to `supabase/migrations/00000000000000_cipherstash_eql.sq If you already ran a direct-push install and your live database is working, your existing install is not broken. To get a migration file going forward without disrupting the live database, run: ```bash -npx stash db install --supabase --migration --force +npx stash eql install --supabase --migration --force ``` The EQL SQL is idempotent. The `--force` flag regenerates the install even though EQL is already present. Your live install is unaffected. After this, `supabase db reset` reinstalls EQL from the migration file. diff --git a/content/stack/cipherstash/encryption/drizzle.mdx b/content/stack/cipherstash/encryption/drizzle.mdx index 1ca35f9..cd33eef 100644 --- a/content/stack/cipherstash/encryption/drizzle.mdx +++ b/content/stack/cipherstash/encryption/drizzle.mdx @@ -24,7 +24,7 @@ The Drizzle integration is included in `@cipherstash/stack` and imports from `@c Use the [CipherStash CLI](/stack/cipherstash/cli) to generate a Drizzle migration that installs the [EQL](/stack/reference/eql-guide) extension: ```bash -npx stash db install --drizzle +npx stash eql install --drizzle npx drizzle-kit migrate ``` 
diff --git a/content/stack/cipherstash/encryption/prisma-next.mdx b/content/stack/cipherstash/encryption/prisma-next.mdx index 0ab08f2..0e8895f 100644 --- a/content/stack/cipherstash/encryption/prisma-next.mdx +++ b/content/stack/cipherstash/encryption/prisma-next.mdx @@ -7,7 +7,7 @@ description: Searchable field-level encryption for Postgres with Prisma Next, th CipherStash provides first-class [Prisma Next](https://www.npmjs.com/package/@prisma-next/cli) integration through [`@cipherstash/prisma-next`](https://www.npmjs.com/package/@cipherstash/prisma-next). Declare encrypted columns directly in `schema.prisma` with `cipherstash.Encrypted*()` constructors, and use auto-encrypting query operators that make encrypted queries look like standard Prisma Next code. -The Prisma Next integration has a meaningfully shorter onboarding path than the [Drizzle](/stack/cipherstash/encryption/drizzle) or [Supabase](/stack/cipherstash/encryption/supabase) integrations because the framework's migration system absorbs the database-side install. **You do not run `stash db install` for the EQL bundle** — `prisma-next migration apply` installs the EQL extension in the same control-plane sweep that creates your application tables. +The Prisma Next integration has a meaningfully shorter onboarding path than the [Drizzle](/stack/cipherstash/encryption/drizzle) or [Supabase](/stack/cipherstash/encryption/supabase) integrations because the framework's migration system absorbs the database-side install. **You do not run `stash eql install` for the EQL bundle** — `prisma-next migration apply` installs the EQL extension in the same control-plane sweep that creates your application tables. ## Installation diff --git a/content/stack/cipherstash/encryption/searchable-encryption.mdx b/content/stack/cipherstash/encryption/searchable-encryption.mdx index f15d179..b0a93aa 100644 --- a/content/stack/cipherstash/encryption/searchable-encryption.mdx 
+++ b/content/stack/cipherstash/encryption/searchable-encryption.mdx @@ -27,7 +27,7 @@ The result: your data is encrypted at rest, in transit, and during query evaluat 1. Install [EQL](/stack/reference/eql-guide) in your PostgreSQL database using the [CipherStash CLI](/stack/cipherstash/cli): ```bash - npx stash db install + npx stash eql install ``` 2. Define your encryption schema with the appropriate search indexes 3. Create PostgreSQL indexes on your encrypted columns. See [Setting up indexes](/stack/cipherstash/encryption/indexes) for the correct `CREATE INDEX` syntax for your deployment (self-hosted vs Supabase). diff --git a/content/stack/cipherstash/encryption/storing-data.mdx b/content/stack/cipherstash/encryption/storing-data.mdx index 16270c8..201edf1 100644 --- a/content/stack/cipherstash/encryption/storing-data.mdx +++ b/content/stack/cipherstash/encryption/storing-data.mdx @@ -30,7 +30,7 @@ The Encryption SDK works with any database that supports JSON or JSONB column ty To enable searchable encryption in PostgreSQL, install [EQL](/stack/reference/eql-guide) using the [CipherStash CLI](/stack/cipherstash/cli) so you can use the `eql_v2_encrypted` data type. If you don't need searchable encryption, use `jsonb` instead (you can migrate to EQL later). ```bash -npx stash db install +npx stash eql install ``` diff --git a/content/stack/cipherstash/encryption/supabase.mdx b/content/stack/cipherstash/encryption/supabase.mdx index be8851a..c31143b 100644 --- a/content/stack/cipherstash/encryption/supabase.mdx +++ b/content/stack/cipherstash/encryption/supabase.mdx @@ -10,7 +10,7 @@ The `encryptedSupabase` wrapper makes encrypted queries look nearly identical to ```bash -npx stash db install --supabase +npx stash eql install --supabase ``` The `--supabase` flag installs a Supabase-compatible version of EQL and grants the required permissions on the `eql_v2` schema to `anon`, `authenticated`, and `service_role`. 
@@ -411,7 +411,7 @@ type EncryptedSupabaseError = { ## Exposing EQL schema for Supabase -If you installed EQL with `npx stash db install --supabase`, the role grants are already applied. You still need to expose the schema in the Supabase dashboard: +If you installed EQL with `npx stash eql install --supabase`, the role grants are already applied. You still need to expose the schema in the Supabase dashboard: Go to [API settings](https://supabase.com/dashboard/project/_/settings/api) and add `eql_v2` to **Exposed schemas**. diff --git a/content/stack/cipherstash/supabase.mdx b/content/stack/cipherstash/supabase.mdx index 90a5904..afe7515 100644 --- a/content/stack/cipherstash/supabase.mdx +++ b/content/stack/cipherstash/supabase.mdx @@ -46,7 +46,7 @@ Encrypted values aren't strings or plain JSONB. They're structured ciphertext ob ### What the CLI installs on Supabase -`db install --supabase` uses a Supabase-compatible EQL variant. It omits `CREATE OPERATOR FAMILY` (which requires superuser), and grants `USAGE`, table, routine, and sequence permissions on the `eql_v2` schema to `anon`, `authenticated`, and `service_role`. +`eql install --supabase` uses a Supabase-compatible EQL variant. It omits `CREATE OPERATOR FAMILY` (which requires superuser), and grants `USAGE`, table, routine, and sequence permissions on the `eql_v2` schema to `anon`, `authenticated`, and `service_role`. ## Packages 
@@ -92,7 +92,7 @@ CipherStash splits its functionality across two packages: a runtime SDK that you ### Control how EQL is installed (optional) - `stash init` installs EQL automatically. If you need to control the install method — for example, to write a Supabase migration file instead of pushing directly — run `stash db install` with explicit flags. + `stash init` installs EQL automatically. If you need to control the install method — for example, to write a Supabase migration file instead of pushing directly — run `stash eql install` with explicit flags. The CLI prompts you to choose how EQL is installed. If a `supabase/migrations/` directory is detected, the migration-file option is pre-selected. @@ -101,7 +101,7 @@ CipherStash splits its functionality across two packages: a runtime SDK that you Pass `--migration` to write the EQL SQL into a Supabase migration file, or choose "Create a Supabase migration file" at the prompt. ```bash - npx stash db install --supabase --migration + npx stash eql install --supabase --migration ``` The CLI writes the EQL SQL to: @@ -115,7 +115,7 @@ CipherStash splits its functionality across two packages: a runtime SDK that you To write the migration file to a different directory, use `--migrations-dir`: ```bash - npx stash db install --supabase --migration --migrations-dir ./db/migrations + npx stash eql install --supabase --migration --migrations-dir ./db/migrations ``` @@ -127,7 +127,7 @@ CipherStash splits its functionality across two packages: a runtime SDK that you Pass `--direct` to push EQL directly to the database without creating a migration file. ```bash - npx stash db install --supabase --direct + npx stash eql install --supabase --direct ``` diff --git a/content/stack/deploy/testing.mdx b/content/stack/deploy/testing.mdx index 9ba4c92..7384c6f 100644 --- a/content/stack/deploy/testing.mdx +++ b/content/stack/deploy/testing.mdx 
@@ -77,7 +77,7 @@ beforeAll(async () => { pool = new Pool({ connectionString: process.env.TEST_DATABASE_URL }) // EQL must be installed before running tests. - // Run `npx stash db install` against your test database first. + // Run `npx stash eql install` against your test database first. // See: /stack/cipherstash/cli // Initialize encryption client with test credentials diff --git a/content/stack/deploy/troubleshooting.mdx b/content/stack/deploy/troubleshooting.mdx index 1042ff9..d6d1e93 100644 --- a/content/stack/deploy/troubleshooting.mdx +++ b/content/stack/deploy/troubleshooting.mdx @@ -90,7 +90,7 @@ Searchable encryption requires the [EQL PostgreSQL extension](/stack/reference/e **Fix**: Install EQL using the [CipherStash CLI](/stack/cipherstash/cli): ```bash -npx stash db install +npx stash eql install ``` ### Wrong query type diff --git a/content/stack/reference/agent-skills.mdx b/content/stack/reference/agent-skills.mdx index dbafbdd..5932edc 100644 --- a/content/stack/reference/agent-skills.mdx +++ b/content/stack/reference/agent-skills.mdx @@ -56,7 +56,7 @@ The CipherStash CLI (`stash`) for database setup, schema management, and project - `stash.config.ts` configuration - Setup lifecycle: `init` (scaffold + EQL + context), `plan` (draft plan.md), `impl` (execute plan), `status` (lifecycle map) -- Database commands: `db install`, `db upgrade`, `db push`, `db validate`, `db status`, `db test-connection` +- Database commands: `eql install`, `db upgrade`, `db push`, `db validate`, `db status`, `db test-connection` - Schema building with `schema build` - Authentication with `auth login` - Programmatic API (`EQLInstaller`, `loadStashConfig`, `defineConfig`, `loadBundledEqlSql`) diff --git a/content/stack/reference/dashboard-supabase-integration.mdx b/content/stack/reference/dashboard-supabase-integration.mdx index c8dd753..e958309 100644 --- a/content/stack/reference/dashboard-supabase-integration.mdx 
+++ b/content/stack/reference/dashboard-supabase-integration.mdx @@ -80,7 +80,7 @@ For the selected project, the dashboard verifies: When project health, EQL, and OIDC are all satisfied, the hub shows a **Stack-ready** badge. - EQL detection uses `eql_v2.version()`, not a `pg_extension` lookup. If EQL is missing, run `npx stash db install --supabase --migration` in your application repo. + EQL detection uses `eql_v2.version()`, not a `pg_extension` lookup. If EQL is missing, run `npx stash eql install --supabase --migration` in your application repo. ### Configure OIDC from the dashboard @@ -106,7 +106,7 @@ npm install @cipherstash/stack npm install -D stash npx stash auth login npx stash init --supabase -npx stash db install --supabase --migration +npx stash eql install --supabase --migration ``` It also generates a `.env.local` snippet for the selected project, including: diff --git a/content/stack/reference/drizzle.mdx b/content/stack/reference/drizzle.mdx index c7d67bd..c5cb32f 100644 --- a/content/stack/reference/drizzle.mdx +++ b/content/stack/reference/drizzle.mdx @@ -115,12 +115,12 @@ const results = await db Run the migration generator after defining your table: ```bash -npx @cipherstash/cli db install +npx @cipherstash/cli eql install ``` The CLI reads your Drizzle config and calls `extractEncryptionSchema` internally to determine which columns need EQL indexes. It then produces a timestamped SQL migration file in your Drizzle migrations directory. -See the [CipherStash CLI reference](/stack/cipherstash/cli) for all `db install` options. +See the [CipherStash CLI reference](/stack/cipherstash/cli) for all `eql install` options. ## Cross-links From 92541256666d184f744366fb583c054714986765 Mon Sep 17 00:00:00 2001 
From: Dan Draper Date: Fri, 3 Jul 2026 16:15:32 +1000 Subject: [PATCH 2/2] docs: move `db upgrade` and `db status` to the `eql` command group MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The stash CLI also renamed `db upgrade` → `eql upgrade` and `db status` → `eql status`; the old spellings remain as deprecated aliases. --- content/stack/cipherstash/cli/impl.mdx | 4 ++-- content/stack/cipherstash/cli/install.mdx | 2 +- content/stack/cipherstash/cli/push.mdx | 4 ++-- content/stack/cipherstash/cli/status.mdx | 4 ++-- content/stack/cipherstash/cli/troubleshooting.mdx | 2 +- content/stack/cipherstash/encryption/index.mdx | 2 +- content/stack/reference/agent-skills.mdx | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/content/stack/cipherstash/cli/impl.mdx b/content/stack/cipherstash/cli/impl.mdx index 12db2c2..094cd7c 100644 --- a/content/stack/cipherstash/cli/impl.mdx +++ b/content/stack/cipherstash/cli/impl.mdx @@ -121,10 +121,10 @@ No plan at `.cipherstash/plan.md`. Run `stash plan` first, or pass --continue-wi When the agent handoff completes, `stash impl` prints: ``` -Implementation handoff complete. Run `stash db status` to verify state. +Implementation handoff complete. Run `stash eql status` to verify state. ``` -Run `stash db status` to check EQL installation and `stash encrypt status` for per-column migration state. +Run `stash eql status` to check EQL installation and `stash encrypt status` for per-column migration state. ## Next steps diff --git a/content/stack/cipherstash/cli/install.mdx b/content/stack/cipherstash/cli/install.mdx index ca84e11..7756762 100644 --- a/content/stack/cipherstash/cli/install.mdx +++ b/content/stack/cipherstash/cli/install.mdx 
@@ -160,7 +160,7 @@ If the role is not a superuser, the CLI falls back automatically to the OPE (no- Upgrade an existing EQL installation to the version bundled with the package, or to the latest version from GitHub. ```bash -npx stash db upgrade [options] +npx stash eql upgrade [options] ``` | Option | Description | diff --git a/content/stack/cipherstash/cli/push.mdx b/content/stack/cipherstash/cli/push.mdx index 0146c61..cf47226 100644 --- a/content/stack/cipherstash/cli/push.mdx +++ b/content/stack/cipherstash/cli/push.mdx @@ -1,6 +1,6 @@ --- title: Push and status -description: Push your CipherStash encryption schema to PostgreSQL and use db status and test-connection to check EQL installation and database connectivity. +description: Push your CipherStash encryption schema to PostgreSQL and use eql status and test-connection to check EQL installation and database connectivity. --- ## push @@ -48,7 +48,7 @@ The SDK uses developer-friendly type names, but EQL expects PostgreSQL-aligned t Show the current state of EQL in your database. ```bash -npx stash db status +npx stash eql status ``` Reports: diff --git a/content/stack/cipherstash/cli/status.mdx b/content/stack/cipherstash/cli/status.mdx index 7c15002..43163f6 100644 --- a/content/stack/cipherstash/cli/status.mdx +++ b/content/stack/cipherstash/cli/status.mdx @@ -34,7 +34,7 @@ Lifecycle ◯ Implementation waiting on plan Deeper inspection -Database state: `stash db status` +Database state: `stash eql status` Per-column state: `stash encrypt status` Next: run `stash plan` to draft your encryption plan. @@ -61,7 +61,7 @@ Next: run `stash plan` to draft your encryption plan. | Command | What it shows | |---|---| -| `stash db status` | EQL installation state, database permissions, active encrypt config | +| `stash eql status` | EQL installation state, database permissions, active encrypt config | | `stash encrypt status` | Per-column migration state: phase, progress, and drift | ## When to use stash status 
diff --git a/content/stack/cipherstash/cli/troubleshooting.mdx b/content/stack/cipherstash/cli/troubleshooting.mdx index 80d7186..8340a79 100644 --- a/content/stack/cipherstash/cli/troubleshooting.mdx +++ b/content/stack/cipherstash/cli/troubleshooting.mdx @@ -23,7 +23,7 @@ The `install` command checks database permissions before running. On managed dat If you still see permission errors: 1. Run `npx stash db test-connection` to verify your database URL is correct. -2. Run `npx stash db status` to check the current EQL state. +2. Run `npx stash eql status` to check the current EQL state. 3. Ensure the connected role has `CREATE` privileges on the database and `public` schema. 4. For the `pgcrypto` extension, the role needs `SUPERUSER` or extension owner privileges. diff --git a/content/stack/cipherstash/encryption/index.mdx b/content/stack/cipherstash/encryption/index.mdx index aa55580..7d2edf6 100644 --- a/content/stack/cipherstash/encryption/index.mdx +++ b/content/stack/cipherstash/encryption/index.mdx @@ -56,7 +56,7 @@ npx stash init # Interactive project setup (auth, EQL install, clien npx stash plan # Draft a reviewable encryption plan npx stash impl # Execute the plan with a coding agent npx stash db validate # Check schema for misconfigurations -npx stash db status # Show EQL installation state +npx stash eql status # Show EQL installation state ``` diff --git a/content/stack/reference/agent-skills.mdx b/content/stack/reference/agent-skills.mdx index 5932edc..211dada 100644 --- a/content/stack/reference/agent-skills.mdx +++ b/content/stack/reference/agent-skills.mdx 
@@ -56,7 +56,7 @@ The CipherStash CLI (`stash`) for database setup, schema management, and project - `stash.config.ts` configuration - Setup lifecycle: `init` (scaffold + EQL + context), `plan` (draft plan.md), `impl` (execute plan), `status` (lifecycle map) -- Database commands: `eql install`, `db upgrade`, `db push`, `db validate`, `db status`, `db test-connection` +- Database commands: `eql install`, `eql upgrade`, `db push`, `db validate`, `eql status`, `db test-connection` - Schema building with `schema build` - Authentication with `auth login` - Programmatic API (`EQLInstaller`, `loadStashConfig`, `defineConfig`, `loadBundledEqlSql`)
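Review bot: in content/stack/cipherstash/cli/init.mdx (PATCH 1/2, hunk at -73,14), renaming the heading `## db install flags` to `## eql install flags` will change the generated anchor if the site derives slugs from heading text. No inbound link is updated anywhere in this patch, so check for references to the old anchor or keep an explicit id for it.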
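Review bot: in content/stack/reference/drizzle.mdx (PATCH 1/2, hunk at -115,12), the renamed command is still invoked as `npx @cipherstash/cli eql install` with no `--drizzle` flag, while every other page in this patch uses `npx stash eql install` and the Drizzle pages use `npx stash eql install --drizzle`. The commit message only describes the `stash` command moving to the `eql` group, so either confirm that the `@cipherstash/cli` invocation accepts `eql install`, or switch this block to the `npx stash` form so it matches the sentence below it about producing a migration file in the Drizzle migrations directory.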
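Review bot: in content/stack/cipherstash/cli/impl.mdx (PATCH 2/2, hunk at -121,10), the edited line sits inside the block introduced by "When the agent handoff completes, `stash impl` prints:", and the status.mdx hunk at -34,7 edits the sample lifecycle output the same way. These lines are quoted CLI output, not instructions, so they should change only if the CLI release that adds `eql status` also prints the new string. Confirm against the CLI, or readers on an older version will see output that differs from the docs.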
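Review bot: in content/stack/cipherstash/cli/install.mdx (PATCH 2/2, hunk at -160,7) and content/stack/cipherstash/cli/push.mdx (hunk at -48,7), the `eql upgrade` and `eql status` usage blocks get no deprecated-alias sentence, although the commit message says the old spellings remain as deprecated aliases and PATCH 1/2 added exactly that sentence for `db install`. Scripts and CI jobs that still call `stash db upgrade` or `stash db status` will hit a warning that no page explains. Add the same one-line note under each block.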
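Review bot: in content/stack/cipherstash/cli/push.mdx (PATCH 2/2, hunk at -1,6), the new description reads "use eql status and test-connection", which suggests both commands live under `eql`, yet the troubleshooting hunk in this same patch still documents `npx stash db test-connection`. Suggest "use eql status and db test-connection" so the front matter names each command with its group.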
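Review bot: in content/stack/reference/agent-skills.mdx (PATCH 2/2, hunk at -56,7), the bullet is still labelled "Database commands" but now mixes two command groups: `eql install`, `eql upgrade` and `eql status` alongside `db push`, `db validate` and `db test-connection`. Split it into an EQL bullet and a database bullet so the list mirrors the CLI's grouping.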