Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions .cursor/commands/create-example-app.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
# Cursor Super-Prompt: Protect.js Example Apps (Framework/ORM-Agnostic, No-Cheese)
# Cursor Super-Prompt: CipherStash Stack Example Apps (Framework/ORM-Agnostic, No-Cheese)

ROLE
You are a senior systems engineer focused on developer experience and a core maintainer of `@cipherstash/protect`. Your mission: create a polished set of runnable **Protect.js example apps** across multiple stacks. Each example must be minimal, factual, and runnable in minutes.
You are a senior systems engineer focused on developer experience and a core maintainer of `@cipherstash/stack`. Your mission: create a polished set of runnable **CipherStash Stack example apps** across multiple stacks. Each example must be minimal, factual, and runnable in minutes.

GROUNDING & SOURCES (use @ref; do not guess)
- Protect.js APIs: the Protect.js main README is the single source of truth. If not accessible, STOP and ask for the exact snippet/repo path. Do not invent APIs.
- Stack APIs: the main repo README and https://cipherstash.com/docs are the source of truth (`Encryption({ schemas })`, `encryptedTable`, `encryptedColumn`). If not accessible, STOP and ask for the exact snippet/repo path. Do not invent APIs.
- `@cipherstash/protect-ffi` is a native Node-API module: examples that bundle (Next.js, SST) must externalize it. See https://cipherstash.com/docs/stack/deploy/bundling
- ORM/DB docs (pick per stack):
@ref https://www.prisma.io/docs
@ref https://typeorm.io
Expand All @@ -26,7 +27,7 @@ STACK MATRIX (generate now)
Optional (time-permitting): nextjs-prisma (App Router), fastify-knex.

NO-CHEESE RULES (hard requirements)
Goal: smallest possible working example that clearly demonstrates Protect.js. Clarity > patterns > abstractions.
Goal: smallest possible working example that clearly demonstrates CipherStash Stack. Clarity > patterns > abstractions.
DON'TS
- No Singletons/Factories/Service-Locators/DI frameworks.
- No ports & adapters/custom repo abstractions for tiny demos—call the ORM/client directly.
Expand All @@ -41,7 +42,7 @@ README tone
---
Simplicity budget (per example)
- ≤ 8 TS source files (excluding migrations).
- Deps: ORM/client + `@cipherstash/protect` + dev tooling (ts-node or tsx). Nothing else unless required by the stack.
- Deps: ORM/client + `@cipherstash/stack` + dev tooling (ts-node or tsx). Nothing else unless required by the stack.
- One `.env.example`; use `dotenv`. No layered config.

CODE STYLE
Expand All @@ -61,8 +62,8 @@ REQUIRED DX & SCRIPTS (per example)
- `seed` → seed sensible data
- `demo` → prints proof of encryption & queries
- `typecheck` → `tsc --noEmit`
- `.env.example` includes DB vars and **exact** Protect.js env names from the Protect README (do not invent):
{{PROTECT_ENV_VARS := "e.g., PROTECT_PROJECT_ID, PROTECT_CLIENT_KEY, PROTECT_SERVER_URL (replace with real names from README)"}}
- Local dev auth: prefer the CipherStash profile via `npx stash auth login` (no env vars needed). For CI/deployment, `.env.example` includes DB vars and the **exact** CipherStash env names (do not invent):
`CS_WORKSPACE_CRN`, `CS_CLIENT_ID`, `CS_CLIENT_KEY`, `CS_CLIENT_ACCESS_KEY`

PROJECT LAYOUT (monorepo, minimal)
- Root:
Expand All @@ -80,10 +81,10 @@ README REQUIREMENTS (every example)
- AI banner (exact text) at the very top with {{BOOK_CHAT_URL}}.
- 90-second Quickstart (copy/paste only).
- "What this shows" checklist (encrypted fields, CRUD, query).
- "How encryption works here" (short, accurate, tied to Protect.js).
- "How encryption works here" (short, accurate, tied to CipherStash Stack).
- Config notes for the stack (e.g., why CJS for TypeORM).
- Troubleshooting (ESM/CJS, ts-node/tsx, migration pitfalls).
- `@ref` links to stack docs + Protect README.
- Troubleshooting (ESM/CJS, ts-node/tsx, migration pitfalls, native module externalization).
- `@ref` links to https://cipherstash.com/docs + the repo README.

DELIVERABLES (return in one message/PR)
- Root `README.md` + `docker-compose.yml`.
Expand Down Expand Up @@ -118,4 +119,3 @@ OUTPUT FORMAT
VARIABLES TO FILL BEFORE RUN
- {{BOOK_CHAT_URL}} = your booking link
- {{STACKS}} = list of stacks to generate
- {{PROTECT_ENV_VARS}} = exact names from Protect.js README
50 changes: 0 additions & 50 deletions .cursorrules

This file was deleted.

2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/docs-feedback.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ body:
id: terms
attributes:
label: Code of conduct
description: By submitting this issue, you agree to follow our [Code of conduct](https://github.com/cipherstash/protectjs/blob/main/CODE_OF_CONDUCT.md).
description: By submitting this issue, you agree to follow our [Code of conduct](https://github.com/cipherstash/stack/blob/main/CODE_OF_CONDUCT.md).
options:
- label: I agree to follow this project's Code of conduct
required: true
62 changes: 33 additions & 29 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
This is the Protect.js repository - End-to-end, per-value encryption for JavaScript/TypeScript with zero‑knowledge key management (via CipherStash ZeroKMS). Encrypted data is stored as EQL JSON payloads; searchable encryption is currently supported for PostgreSQL.
This is the CipherStash Stack repository (`cipherstash/stack`) - End-to-end, per-value encryption for JavaScript/TypeScript with zero‑knowledge key management (via CipherStash ZeroKMS). Encrypted data is stored as EQL JSON payloads; searchable encryption is currently supported for PostgreSQL.

## Prerequisites

Expand Down Expand Up @@ -72,20 +72,26 @@ If these variables are missing, tests that require live encryption will fail or
## Repository Layout

- `packages/stack`: Main package (`@cipherstash/stack`) containing the encryption client and all integrations
- Subpath exports: `@cipherstash/stack`, `@cipherstash/stack/schema`, `@cipherstash/stack/identity`, `@cipherstash/stack/secrets`, `@cipherstash/stack/drizzle`, `@cipherstash/stack/supabase`, `@cipherstash/stack/dynamodb`, `@cipherstash/stack/client`, `@cipherstash/stack/types`
- Subpath exports: `@cipherstash/stack`, `@cipherstash/stack/client`, `@cipherstash/stack/identity`, `@cipherstash/stack/secrets`, `@cipherstash/stack/schema`, `@cipherstash/stack/types`, `@cipherstash/stack/drizzle`, `@cipherstash/stack/dynamodb`, `@cipherstash/stack/supabase`, `@cipherstash/stack/encryption`, `@cipherstash/stack/errors`, `@cipherstash/stack/wasm-inline`
- `packages/protect`: Core encryption library (internal, re-exported via `@cipherstash/stack`)
- `src/index.ts`: Public API (`Encryption`, exports)
- `src/ffi/index.ts`: `EncryptionClient` implementation, bridges to `@cipherstash/protect-ffi`
- `src/ffi/operations/*`: Encrypt/decrypt/model/bulk/query operations (thenable pattern with optional `.withLockContext()`)
- `__tests__/*`: End-to-end and API contract tests (Vitest)
- `packages/cli`: The `stash` CLI — auth, init, encryption schema, database setup (`stash eql install`), and secrets. Has its own `AGENTS.md`.
- `packages/wizard`: AI-powered encryption setup (`@cipherstash/wizard`)
- `packages/migrate`: Plaintext-to-encrypted column migration (`@cipherstash/migrate`) — resumable backfill, per-column state
- `packages/prisma-next`: Prisma Next integration (`@cipherstash/prisma-next`) — searchable field-level encryption for Postgres
- `packages/schema`: Schema builder utilities and types (`encryptedTable`, `encryptedColumn`, `encryptedField`)
- `packages/drizzle`: Drizzle ORM integration (`encryptedType`, `extractEncryptionSchema`, `createEncryptionOperators`)
- `packages/nextjs`: Next.js helpers and Clerk integration (`./clerk` export)
- `packages/protect-dynamodb`: DynamoDB helpers (`encryptedDynamoDB`)
- `packages/utils`: Shared config (`utils/config`) and logger (`utils/logger`)
- `examples/*`: Working apps (basic, drizzle, nextjs-clerk, next-drizzle-mysql, dynamo, hono-supabase)
- `docs/*`: Concepts, how-to guides (Next.js bundling, SST, npm lockfile v3), reference
- `skills/*`: Agent skills (`stash-encryption`, `stash-drizzle`, `stash-dynamodb`, `stash-secrets`, `stash-supabase`, `stash-supply-chain-security`)
- `packages/bench`: Performance / index-engagement benchmarks (private, not published)
- `e2e/*`: Cross-package end-to-end tests (package managers, supply chain, Prisma example README)
- `examples/*`: Working apps (basic, prisma, supabase-worker)
- `docs/plans/*`: Internal design plans. User-facing documentation lives at https://cipherstash.com/docs (not in this repo).
- `skills/*`: Agent skills (`stash-cli`, `stash-encryption`, `stash-drizzle`, `stash-dynamodb`, `stash-secrets`, `stash-supabase`, `stash-supply-chain-security`)

## Supply Chain Security

Expand Down Expand Up @@ -118,10 +124,7 @@ Three rules to remember when editing CI or pnpm config:

## Critical Gotchas (read before coding)

- **Native Node.js module**: `@cipherstash/stack` relies on `@cipherstash/protect-ffi` (Node-API). It must be loaded via native Node.js `require`. Do NOT bundle this module; configure bundlers to externalize it.
- Next.js: see `docs/how-to/nextjs-external-packages.md`
- SST/Serverless: see `docs/how-to/sst-external-packages.md`
- npm lockfile v3 on Linux: see `docs/how-to/npm-lockfile-v3.md`
- **Native module vs WASM entry**: The default `@cipherstash/stack` entry relies on `@cipherstash/protect-ffi` (Node-API) and must be loaded via native Node.js `require` — if your tooling bundles server code with it, externalize the module. For bundled or non-Node runtimes (Deno, Bun, Cloudflare Workers, Supabase Edge Functions), use `@cipherstash/stack/wasm-inline` instead: it inlines the WASM build into the JS bundle, so no externalization is needed. See the bundling guide: https://cipherstash.com/docs/stack/deploy/bundling
- **Do not log plaintext**: The library never logs plaintext by design. Don't add logs that risk leaking sensitive data.
- **Result shape is contract**: Operations return `{ data }` or `{ failure }`. Preserve this shape and error `type` values in `EncryptionErrorTypes`.
- **Encrypted payload shape is contract**: Keys like `c` in the EQL payload are validated by tests and downstream tools. Don't change them.
Expand Down Expand Up @@ -158,9 +161,10 @@ pnpm changeset:publish

## Bundling and Deployment Notes

- When integrating into frameworks/build tools, ensure native modules are externalized and loaded via Node's runtime require.
- For Next.js, configure `serverExternalPackages` as documented in `docs/how-to/nextjs-external-packages.md`.
- For serverless/Linux targets with npm lockfile v3, see `docs/how-to/npm-lockfile-v3.md` to avoid runtime load errors.
- Two deployment paths:
- **Native (default entry)**: keep `@cipherstash/protect-ffi` external and loaded via Node's runtime require — e.g. Next.js `serverExternalPackages`. Covers Node servers where native modules are fine.
- **WASM (`@cipherstash/stack/wasm-inline`)**: designed to be bundled — no native module, no externalization. Use for edge/serverless runtimes (Deno, Bun, Cloudflare Workers, Supabase Edge Functions) or wherever bundler externalization is awkward.
- For SST/serverless and npm-lockfile-v3 quirks on Linux, see the bundling guide: https://cipherstash.com/docs/stack/deploy/bundling

## Adding Features Safely (LLM checklist)

Expand All @@ -175,8 +179,13 @@ pnpm changeset:publish
- `pnpm run code:fix`
- `pnpm --filter <changed-pkg> build`
- `pnpm --filter <changed-pkg> test`
6. Update docs in `docs/*` and usage examples if APIs change.
7. **Add a changeset before opening or finalising the PR** when the
6. If APIs change, update usage examples in this repo and flag that the docs site (cipherstash.com/docs, maintained separately) needs a corresponding update.
7. **Keep the meta files honest.** If your change adds/removes/renames a
package, example, skill, or subpath export, update the Repository
Layout in this file and the package list in `SECURITY.md` in the
same PR. These files have drifted badly before; don't let them.

8. **Add a changeset before opening or finalising the PR** when the
change affects a published package's public behaviour or surface
(new feature, bug fix, breaking change, UX-visible tweak). Run
`pnpm changeset` (interactive) or hand-write a markdown file under
Expand All @@ -198,26 +207,21 @@ pnpm changeset:publish
`CHANGELOG.md` entries, so a missing changeset means the change
ships invisibly.

## Useful Links in this repo
## Useful Links

- `README.md` for quickstart and feature overview
- `docs/concepts/searchable-encryption.md`
- `docs/concepts/aws-kms-vs-cipherstash-comparison.md`
- `docs/reference/schema.md`
- `docs/reference/searchable-encryption-postgres.md`
- `docs/reference/configuration.md`
- `docs/reference/identity.md`
- `docs/reference/secrets.md`
- `docs/reference/dynamodb.md`
- `docs/reference/supabase-sdk.md`
- `docs/reference/drizzle/drizzle.md`
- `docs/how-to/nextjs-external-packages.md`
- `docs/how-to/sst-external-packages.md`
- `docs/how-to/npm-lockfile-v3.md`
- `packages/cli/AGENTS.md` for CLI-specific guidance
- `e2e/README.md` for the cross-package E2E suite
- `skills/*/SKILL.md` for per-integration agent guides
- User-facing docs (concepts, reference, how-to) live on the docs site:
- https://cipherstash.com/docs
- https://cipherstash.com/docs/stack/quickstart
- https://cipherstash.com/docs/stack/reference
- https://cipherstash.com/docs/stack/deploy/bundling

## Troubleshooting

- Module load errors on Linux/serverless: review the npm lockfile v3 guide.
- Module load errors on Linux/serverless: switch to `@cipherstash/stack/wasm-inline`, or review the bundling guide (https://cipherstash.com/docs/stack/deploy/bundling).
- Can't decrypt after encrypting with a lock context: ensure the exact same lock context is provided to decrypt.
- Tests failing due to missing credentials: provide `CS_*` env vars; lock-context tests are skipped without `USER_JWT`.
- Performance testing: prefer bulk operations (`bulkEncrypt*` / `bulkDecrypt*`) to exercise ZeroKMS bulk speed.
Loading
Loading