Merge pull request #336 from cipherstash/cli

feat: consolidate cli tools into @cipherstash/cli

Author: calvinbrewer

examples/basic/index.ts

@@ -1,6 +1,7 @@
 import 'dotenv/config'
 import readline from 'node:readline'
 import { client, users } from './encrypt'
+import { getAllContacts, createContact } from './src/queries/contacts'
 
 const rl = readline.createInterface({
   input: process.stdin,
@@ -68,6 +69,31 @@ async function main() {
 
   console.log('Bulk encrypted data:', bulkEncryptResult.data)
 
+  // Demonstrate Supabase integration with CipherStash encryption
+  console.log('\n--- Supabase Integration Demo ---')
+
+  try {
+    // Example: Create a new contact (would insert into encrypted Supabase table)
+    console.log('Creating encrypted contact...')
+    const newContact = {
+      name: 'John Doe',
+      email: 'john@example.com',
+      role: 'Developer'  // This field will be encrypted using CipherStash
+    }
+
+    // Note: This would fail in this basic example since we don't have actual Supabase setup
+    // but shows the pattern for encrypted Supabase usage
+    console.log('Contact data to encrypt:', newContact)
+
+    // Example: Fetch contacts (would decrypt results from Supabase)
+    console.log('Fetching encrypted contacts...')
+    // const contacts = await getAllContacts()
+    // console.log('Decrypted contacts:', contacts.data)
+
+  } catch (error) {
+    console.log('Supabase demo skipped (no actual Supabase connection in this basic example)')
+  }
+
   rl.close()
 }
 

examples/basic/package.json

@@ -16,7 +16,7 @@
     "pg": "8.13.1"
   },
   "devDependencies": {
-    "@cipherstash/stack-forge": "workspace:*",
+    "@cipherstash/cli": "workspace:*",
     "tsx": "catalog:repo",
     "typescript": "catalog:repo"
   }

examples/basic/src/encryption/index.ts

@@ -1,13 +1,22 @@
-import { encryptedTable, encryptedColumn } from '@cipherstash/stack/schema'
+import { pgTable, integer, timestamp } from 'drizzle-orm/pg-core'
+import { encryptedType, extractEncryptionSchema } from '@cipherstash/stack/drizzle'
 import { Encryption } from '@cipherstash/stack'
 
-export const usersTable = encryptedTable('users', {
-  email: encryptedColumn('email')
-    .equality()
-    .orderAndRange()
-    .freeTextSearch(),
+export const usersTable = pgTable('users', {
+  id: integer('id').primaryKey().generatedAlwaysAsIdentity(),
+  email: encryptedType<string>('email', {
+    equality: true,
+    freeTextSearch: true,
+  }),
+  name: encryptedType<string>('name', {
+    equality: true,
+    freeTextSearch: true,
+  }),
+  createdAt: timestamp('created_at').defaultNow(),
 })
 
+const usersSchema = extractEncryptionSchema(usersTable)
+
 export const encryptionClient = await Encryption({
-  schemas: [usersTable],
+  schemas: [usersSchema],
 })

examples/basic/src/lib/supabase/encrypted.ts

@@ -0,0 +1,9 @@
+import { encryptedSupabase } from '@cipherstash/stack/supabase'
+import { encryptionClient, contactsTable } from '../../encryption/index'
+import { createServerClient } from './server'
+
+const supabase = await createServerClient()
+export const eSupabase = encryptedSupabase({
+  encryptionClient,
+  supabaseClient: supabase,
+})

examples/basic/src/lib/supabase/server.ts

@@ -0,0 +1,8 @@
+import { createClient } from '@supabase/supabase-js'
+
+export async function createServerClient() {
+  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!
+  const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+
+  return createClient(supabaseUrl, supabaseKey)
+}

examples/basic/src/queries/contacts.ts

@@ -0,0 +1,61 @@
+import { eSupabase } from '../lib/supabase/encrypted'
+import { contactsTable } from '../encryption/index'
+
+// Example queries using encrypted Supabase wrapper
+
+export async function getAllContacts() {
+  const { data, error } = await eSupabase
+    .from('contacts', contactsTable)
+    .select('id, name, email, role')  // explicit columns, no *
+    .order('created_at', { ascending: false })
+
+  return { data, error }
+}
+
+export async function getContactsByRole(role: string) {
+  const { data, error } = await eSupabase
+    .from('contacts', contactsTable)
+    .select('id, name, email, role')
+    .eq('role', role)  // auto-encrypted
+
+  return { data, error }
+}
+
+export async function searchContactsByName(searchTerm: string) {
+  const { data, error } = await eSupabase
+    .from('contacts', contactsTable)
+    .select('id, name, email, role')
+    .ilike('name', `%${searchTerm}%`)  // auto-encrypted
+
+  return { data, error }
+}
+
+export async function createContact(contact: { name: string; email: string; role: string }) {
+  const { data, error } = await eSupabase
+    .from('contacts', contactsTable)
+    .insert(contact)  // auto-encrypted
+    .select('id, name, email, role')
+    .single()
+
+  return { data, error }
+}
+
+export async function updateContact(id: string, updates: Partial<{ name: string; email: string; role: string }>) {
+  const { data, error } = await eSupabase
+    .from('contacts', contactsTable)
+    .update(updates)  // auto-encrypted
+    .eq('id', id)
+    .select('id, name, email, role')
+    .single()
+
+  return { data, error }
+}
+
+export async function deleteContact(id: string) {
+  const { error } = await eSupabase
+    .from('contacts', contactsTable)
+    .delete()
+    .eq('id', id)
+
+  return { error }
+}

examples/basic/stash.config.ts

@@ -1,4 +1,4 @@
-import { defineConfig } from '@cipherstash/stack-forge'
+import { defineConfig } from '@cipherstash/cli'
 
 export default defineConfig({
   databaseUrl: process.env.DATABASE_URL!,

package.json

@@ -18,10 +18,26 @@
     "url": "git+https://github.com/cipherstash/protectjs.git"
   },
   "license": "MIT",
-  "workspaces": [
-    "examples/*",
-    "packages/*"
-  ],
+  "workspaces": {
+    "packages": [
+      "packages/*",
+      "examples/*"
+    ],
+    "catalogs": {
+      "repo": {
+        "@cipherstash/auth": "0.35.0",
+        "tsup": "8.4.0",
+        "tsx": "4.19.3",
+        "typescript": "5.6.3",
+        "vitest": "3.1.3"
+      },
+      "security": {
+        "@clerk/nextjs": "6.31.2",
+        "next": "15.5.10",
+        "vite": "6.4.1"
+      }
+    }
+  },
   "scripts": {
     "build": "turbo build --filter './packages/*'",
     "build:js": "turbo build --filter './packages/protect' --filter './packages/nextjs'",
@@ -46,29 +62,6 @@
     "node": ">=22"
   },
   "pnpm": {
-    "overrides": {
-      "@cipherstash/protect-ffi": "0.21.0",
-      "@babel/runtime": "7.26.10",
-      "brace-expansion@^5": ">=5.0.5",
-      "body-parser": "2.2.1",
-      "vite": "catalog:security",
-      "pg": "^8.16.3",
-      "postgres": "^3.4.7",
-      "js-yaml": "3.14.2",
-      "test-exclude": "^7.0.1",
-      "glob": ">=11.1.0",
-      "qs": ">=6.14.1",
-      "lodash": ">=4.17.23",
-      "minimatch": ">=10.2.3",
-      "@isaacs/brace-expansion": ">=5.0.1",
-      "fast-xml-parser": ">=5.3.4",
-      "next": ">=15.5.10",
-      "ajv": ">=8.18.0",
-      "esbuild@<=0.24.2": ">=0.25.0",
-      "picomatch@^4": ">=4.0.4",
-      "picomatch@^2": ">=2.3.2",
-      "rollup@>=4.0.0 <4.59.0": ">=4.59.0"
-    },
     "peerDependencyRules": {
       "ignoreMissing": [
         "@types/pg",
@@ -80,5 +73,27 @@
       }
     },
     "dedupe-peer-dependents": true
+  },
+  "overrides": {
+    "@babel/runtime": "7.26.10",
+    "brace-expansion@^5": ">=5.0.5",
+    "body-parser": "2.2.1",
+    "vite": "catalog:security",
+    "pg": "^8.16.3",
+    "postgres": "^3.4.7",
+    "js-yaml": "3.14.2",
+    "test-exclude": "^7.0.1",
+    "glob": ">=11.1.0",
+    "qs": ">=6.14.1",
+    "lodash": ">=4.17.23",
+    "minimatch": ">=10.2.3",
+    "@isaacs/brace-expansion": ">=5.0.1",
+    "fast-xml-parser": ">=5.3.4",
+    "next": ">=15.5.10",
+    "ajv": ">=8.18.0",
+    "esbuild@<=0.24.2": ">=0.25.0",
+    "picomatch@^4": ">=4.0.4",
+    "picomatch@^2": ">=2.3.2",
+    "rollup@>=4.0.0 <4.59.0": ">=4.59.0"
   }
 }

packages/stack-forge/CHANGELOG.md packages/cli/CHANGELOG.mdpackages/stack-forge/CHANGELOG.md renamed to packages/cli/CHANGELOG.md

@@ -1,4 +1,6 @@
-# @cipherstash/stack-forge
+# @cipherstash/cli
+
+> Renamed from `@cipherstash/stack-forge`. The standalone `@cipherstash/wizard` package was absorbed into this CLI as `npx @cipherstash/cli wizard`. The single binary is now invoked via `npx @cipherstash/cli` (replaces `stash-forge` and `cipherstash-wizard`).
 
 ## 0.4.0