feat: migrate @cipherstash/cli to stash

[calvinbrewer]

Summary by CodeRabbit

• Package Updates
  • CLI package renamed from @cipherstash/cli to stash.
  • Updated all command invocations from npx @cipherstash/cli to npx stash.
  • Configuration imports now reference stash instead of @cipherstash/cli.
  • All documentation and examples updated accordingly.

[changeset-bot]

🦋 Changeset detected

Latest commit: db50f07

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
stash	Minor
@cipherstash/wizard	Patch
@cipherstash/e2e	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Warning

Rate limit exceeded

@calvinbrewer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 40 minutes and 42 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a14bca3d-0fdc-41bb-9bad-db950d645e7e

📥 Commits

Reviewing files that changed from the base of the PR and between de9c02c and db50f07.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (15)

• .changeset/cli-database-url-resolution.md
• AGENTS.md
• packages/cli/src/bin/stash.ts
• packages/cli/src/commands/db/config-scaffold.ts
• packages/cli/src/commands/db/install.ts
• packages/cli/src/commands/db/push.ts
• packages/cli/src/commands/db/status.ts
• packages/cli/src/commands/db/test-connection.ts
• packages/cli/src/commands/db/upgrade.ts
• packages/cli/src/commands/db/validate.ts
• packages/cli/src/config/database-url.ts
• packages/cli/src/config/index.ts
• packages/cli/src/index.ts
• packages/cli/src/messages.ts
• packages/cli/tests/e2e/database-url.e2e.test.ts

📝 Walkthrough

Walkthrough

This PR renames the CLI package from @cipherstash/cli to stash across the codebase, updating the package manifest, all command help text, error messages, configuration references, test expectations, documentation, and dependencies. The published commands and their flags remain unchanged.

Changes

Cohort / File(s)	Summary
Package Manifest & Deps packages/cli/package.json, e2e/package.json, examples/basic/package.json	CLI package name changed from @cipherstash/cli to stash in manifest; workspace dependencies updated to reference stash instead of scoped package name.
Configuration & Imports examples/basic/stash.config.ts, packages/cli/src/config/index.ts, packages/cli/src/index.ts	Import source and documentation updated from @cipherstash/cli to stash for defineConfig and related config utilities.
Scaffold & Templates packages/cli/src/commands/db/config-scaffold.ts	Generated stash.config.ts template updated to import from stash instead of @cipherstash/cli.
CLI Help & Messages packages/cli/src/bin/stash.ts, packages/cli/src/commands/auth/index.ts, packages/cli/src/commands/env/index.ts, packages/cli/src/messages.ts, packages/protect/src/bin/stash.ts	User-facing help text and example commands updated throughout to show npx stash ... instead of npx @cipherstash/cli ...; exported message constants updated.
DB Commands Output packages/cli/src/commands/db/install.ts, packages/cli/src/commands/db/push.ts, packages/cli/src/commands/db/upgrade.ts, packages/cli/src/commands/db/validate.ts, packages/cli/src/commands/db/test-connection.ts, packages/cli/src/commands/db/status.ts, packages/cli/src/commands/db/rewrite-migrations.ts, packages/cli/src/commands/db/supabase-migration.ts	Startup messages, guidance text, and generated migration comments updated to reference npx stash commands instead of npx @cipherstash/cli``.
Installer Messages packages/cli/src/installer/index.ts	Error recovery guidance text updated to suggest reinstalling stash instead of @cipherstash/cli.
Init Providers & Utils packages/cli/src/commands/init/providers/base.ts, packages/cli/src/commands/init/providers/drizzle.ts, packages/cli/src/commands/init/providers/supabase.ts, packages/cli/src/commands/init/steps/install-forge.ts, packages/cli/src/commands/init/utils.ts	runnerCommand calls and package references updated to use 'stash' instead of '@cipherstash/cli' for generating init next-step instructions; package detection logic updated.
Wizard Integration packages/wizard/src/agent/commandments.ts, packages/wizard/src/agent/errors.ts, packages/wizard/src/agent/interface.ts, packages/wizard/src/lib/post-agent.ts, packages/wizard/src/lib/prerequisites.ts, packages/wizard/src/lib/rewrite-migrations.ts	Agent prompts, error instructions, allowed commands, and post-agent step invocations updated to use stash instead of @cipherstash/cli; tool execution allowlist updated.
CLI Tests packages/cli/src/commands/init/__tests__/utils.test.ts, packages/cli/src/commands/init/providers/__tests__/base.test.ts, packages/cli/src/commands/init/providers/__tests__/drizzle.test.ts, packages/cli/src/commands/init/providers/__tests__/supabase.test.ts, packages/cli/tests/helpers/pty.ts	Test expectations for generated init commands and helper comments updated to expect stash instead of @cipherstash/cli in CLI invocations.
Wizard Tests packages/wizard/src/__tests__/errors-runner.test.ts, packages/wizard/src/__tests__/format.test.ts, packages/wizard/src/__tests__/gateway-messages.test.ts, packages/wizard/src/__tests__/interface.test.ts, packages/wizard/src/__tests__/post-agent.test.ts, packages/wizard/src/__tests__/prerequisites.test.ts	Expected command strings and remediation guidance in test fixtures updated to reference npx stash instead of npx @cipherstash/cli``.
E2E Tests e2e/tests/package-managers.e2e.test.ts	Expected "database install" command strings updated across package managers to use stash db install instead of @cipherstash/cli db install.
Documentation packages/cli/README.md, packages/cli/AGENTS.md, packages/stack/README.md, packages/wizard/README.md, docs/plans/cli-pty-integration-tests.md, skills/stash-cli/SKILL.md, skills/stash-secrets/SKILL.md	All CLI usage examples and references updated from @cipherstash/cli to stash; import statements and command examples updated throughout.
CI & Infrastructure .github/workflows/tests.yml, AGENTS.md, .changeset/breezy-cloths-wave.md	Workflow and documentation updated to filter on stash package instead of @cipherstash/cli; changeset documenting the coordinated release added.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: package manager aware commands #379: Both PRs modify the same init/wizard command-generation logic and runnerCommand usage patterns to control what CLI invocations are output in generated next-steps.
• test(cli): add node-pty E2E suite for the stash CLI #370: Both PRs modify CLI package metadata, CI/test scripts, and AGENTS.md documentation alongside updating references to the CLI binary identity.
• refactor(cli): route assertion-stable strings through messages.ts #371: Both PRs modify and update the centralized packages/cli/src/messages.ts file—the retrieved PR introduced the module while this PR updates the message constants to reference stash.

Suggested reviewers

• coderdan
• auxesis

---

🐰 A hop, skip, and a rebrand so fine,
From @cipherstash/cli to stash in perfect line,
With messages bright and examples new,
Your CLI's identity has gotten its due! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 44.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: renaming the CLI package from @cipherstash/cli to stash, which is the primary objective across all file modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stash-cli-rebrand

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 40 minutes and 42 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

examples/basic/package.json (1)

1-23: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit Node/pnpm constraints for the example package.

This touched example manifest still doesn’t declare the required runtime/tooling versions, which can cause inconsistent local behavior.

Proposed fix

 {
   "name": "@cipherstash/basic-example",
   "private": true,
   "version": "1.2.8",
   "type": "module",
+  "engines": {
+    "node": ">=22"
+  },
+  "packageManager": "pnpm@9",
   "scripts": {
     "start": "tsx index.ts"
   },

As per coding guidelines examples/**/package.json: Use Node.js >= 22 and pnpm 9.x for example apps.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/basic/package.json` around lines 1 - 23, Add explicit Node and pnpm
constraints to the package.json by adding an "engines" entry and a
"packageManager" field: set "engines.node" to ">=22" and "engines.pnpm" (or
"packageManager") to require pnpm 9.x (e.g., "pnpm": ">=9 <10" and
"packageManager": "pnpm@9"). Update the top-level manifest keys in this
package.json so tooling and runtime enforce Node.js >=22 and pnpm 9.x.

packages/stack/README.md (1)

497-497: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix stale auth command in Local Development section.

Line 497 still points to npx @cipherstash/stack auth login, which is not the CLI invocation used elsewhere in this rename and can mislead users.

📝 Proposed doc fix

-No environment variables or credentials are needed for local development. Run `npx `@cipherstash/stack` auth login` to authenticate via the device code flow, and the SDK and CLI will use the token saved to `~/.cipherstash/auth.json`.
+No environment variables or credentials are needed for local development. Run `npx stash auth login` to authenticate via the device code flow, and the SDK and CLI will use the token saved to `~/.cipherstash/auth.json`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/stack/README.md` at line 497, Update the stale CLI example: replace
the old invocation string "npx `@cipherstash/stack` auth login" in the Local
Development paragraph with the current CLI command used across the repository
(use the renamed invocation without the deprecated "auth" subcommand, e.g., "npx
`@cipherstash/stack` login"), ensuring the README's text and the saved token path
reference (~/.cipherstash/auth.json) remain accurate.

🧹 Nitpick comments (2)

packages/cli/src/installer/index.ts (1)

318-319: ⚡ Quick win

Deduplicate the bundled-script error copy

Both catch blocks now carry the same message literal. Extracting one shared formatter/constant will prevent future divergence.

♻️ Proposed cleanup

+const bundledSqlLoadError = (filename: string) =>
+  `Failed to load bundled EQL install script (${filename}). The package may be corrupted — try reinstalling stash.`
...
-      throw new Error(
-        `Failed to load bundled EQL install script (${filename}). The package may be corrupted — try reinstalling stash.`,
-        { cause: error },
-      )
+      throw new Error(bundledSqlLoadError(filename), { cause: error })
...
-    throw new Error(
-      `Failed to load bundled EQL install script (${filename}). The package may be corrupted — try reinstalling stash.`,
-      { cause: error },
-    )
+    throw new Error(bundledSqlLoadError(filename), { cause: error })

Based on learnings: "Update E2E tests when changing user-facing exit messages and strings; store assertion-stable strings in src/messages.ts as a typed const object grouped by area (cli, auth, db)."

Also applies to: 389-390

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/cli/src/installer/index.ts` around lines 318 - 319, The same error
message literal used in two catch blocks in installer/index.ts should be
extracted to a shared constant or formatter (e.g. export const
MESSAGES.cli.bundledEqlScriptLoadFailure = (filename) => `Failed to load bundled
EQL install script (${filename}). The package may be corrupted — try
reinstalling stash.`) and both error-handling sites should call that
constant/formatter and pass the same { cause: error } into processLogger.error /
exit so the message is not duplicated; update any tests that assert the literal
to reference the new constant if needed.

AGENTS.md (1)

144-147: ⚡ Quick win

Make the “requires a build” note more actionable (explicit build step or dependency).

Right now Line 145-147 says the E2E suite “requires a build”, but doesn’t spell out the recommended command sequence. Given the E2E suite typically asserts against the built CLI artifact, it would help to add one concrete line like:

• pnpm --filter stash build (or: “pnpm --filter stash test:e2e depends on build”)

This reduces contributor confusion and flakiness when dist/bin/stash.js is missing/outdated.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 144 - 147, Update the note in AGENTS.md about the
pty-driven E2E tests under packages/cli/tests/e2e/** to explicitly state the
required build step and give the concrete command to run before tests; e.g., say
that pnpm --filter stash test:e2e depends on the built CLI artifact and instruct
contributors to run pnpm --filter stash build (or run pnpm --filter stash build
&& pnpm --filter stash test:e2e) so dist/bin/stash.js is present and up to date
when running the E2E suite.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/protect/src/bin/stash.ts`:
- Around line 169-171: Replace all example CLI invocations that use the unscoped
"npx stash" with the scoped package invocation so users run
`@cipherstash/protect`; specifically update the example lines that show commands
like "npx stash secrets set ..." to use either "npx -p `@cipherstash/protect`
stash ..." or "npx `@cipherstash/protect` ..." instead. Locate the invocation
examples in this file (instances of the string "npx stash" around the examples
shown and other occurrences reported) and perform a global replace of those
example prefixes to the scoped form while preserving the rest of each example
command.

In `@packages/wizard/src/agent/interface.ts`:
- Around line 69-70: The allowlist currently uses startsWith so strings like
"npx stash db push && rm -rf /" bypass it; change the validation around the
entries 'npx stash db' and 'stash db' so you don't allow arbitrary shell
operators: instead of startsWith, split the user input into tokens (whitespace),
verify the first N tokens exactly match one of the allowed token sequences
(e.g., ['npx','stash','db'] or ['stash','db']), and then either require there
are no further tokens or validate remaining tokens only match known safe
subcommands; additionally reject any input containing shell metacharacters (&&,
||, ;, |, ``, $(), >, <) before accepting. Ensure you update the
startsWith-based check to use this tokenized exact-match plus metacharacter
rejection logic.

---

Outside diff comments:
In `@examples/basic/package.json`:
- Around line 1-23: Add explicit Node and pnpm constraints to the package.json
by adding an "engines" entry and a "packageManager" field: set "engines.node" to
">=22" and "engines.pnpm" (or "packageManager") to require pnpm 9.x (e.g.,
"pnpm": ">=9 <10" and "packageManager": "pnpm@9"). Update the top-level manifest
keys in this package.json so tooling and runtime enforce Node.js >=22 and pnpm
9.x.

In `@packages/stack/README.md`:
- Line 497: Update the stale CLI example: replace the old invocation string "npx
`@cipherstash/stack` auth login" in the Local Development paragraph with the
current CLI command used across the repository (use the renamed invocation
without the deprecated "auth" subcommand, e.g., "npx `@cipherstash/stack` login"),
ensuring the README's text and the saved token path reference
(~/.cipherstash/auth.json) remain accurate.

---

Nitpick comments:
In `@AGENTS.md`:
- Around line 144-147: Update the note in AGENTS.md about the pty-driven E2E
tests under packages/cli/tests/e2e/** to explicitly state the required build
step and give the concrete command to run before tests; e.g., say that pnpm
--filter stash test:e2e depends on the built CLI artifact and instruct
contributors to run pnpm --filter stash build (or run pnpm --filter stash build
&& pnpm --filter stash test:e2e) so dist/bin/stash.js is present and up to date
when running the E2E suite.

In `@packages/cli/src/installer/index.ts`:
- Around line 318-319: The same error message literal used in two catch blocks
in installer/index.ts should be extracted to a shared constant or formatter
(e.g. export const MESSAGES.cli.bundledEqlScriptLoadFailure = (filename) =>
`Failed to load bundled EQL install script (${filename}). The package may be
corrupted — try reinstalling stash.`) and both error-handling sites should call
that constant/formatter and pass the same { cause: error } into
processLogger.error / exit so the message is not duplicated; update any tests
that assert the literal to reference the new constant if needed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 317cd4e5-dbe7-410e-9d7d-53c304fae660

📥 Commits

Reviewing files that changed from the base of the PR and between bd77e01 and de9c02c.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (54)

• .changeset/breezy-cloths-wave.md
• .github/workflows/tests.yml
• AGENTS.md
• docs/plans/cli-pty-integration-tests.md
• e2e/package.json
• e2e/tests/package-managers.e2e.test.ts
• examples/basic/package.json
• examples/basic/stash.config.ts
• packages/cli/AGENTS.md
• packages/cli/README.md
• packages/cli/package.json
• packages/cli/src/bin/stash.ts
• packages/cli/src/commands/auth/index.ts
• packages/cli/src/commands/db/config-scaffold.ts
• packages/cli/src/commands/db/install.ts
• packages/cli/src/commands/db/push.ts
• packages/cli/src/commands/db/rewrite-migrations.ts
• packages/cli/src/commands/db/status.ts
• packages/cli/src/commands/db/supabase-migration.ts
• packages/cli/src/commands/db/test-connection.ts
• packages/cli/src/commands/db/upgrade.ts
• packages/cli/src/commands/db/validate.ts
• packages/cli/src/commands/env/index.ts
• packages/cli/src/commands/init/__tests__/utils.test.ts
• packages/cli/src/commands/init/providers/__tests__/base.test.ts
• packages/cli/src/commands/init/providers/__tests__/drizzle.test.ts
• packages/cli/src/commands/init/providers/__tests__/supabase.test.ts
• packages/cli/src/commands/init/providers/base.ts
• packages/cli/src/commands/init/providers/drizzle.ts
• packages/cli/src/commands/init/providers/supabase.ts
• packages/cli/src/commands/init/steps/install-forge.ts
• packages/cli/src/commands/init/utils.ts
• packages/cli/src/config/index.ts
• packages/cli/src/index.ts
• packages/cli/src/installer/index.ts
• packages/cli/src/messages.ts
• packages/cli/tests/helpers/pty.ts
• packages/protect/src/bin/stash.ts
• packages/stack/README.md
• packages/wizard/README.md
• packages/wizard/src/__tests__/errors-runner.test.ts
• packages/wizard/src/__tests__/format.test.ts
• packages/wizard/src/__tests__/gateway-messages.test.ts
• packages/wizard/src/__tests__/interface.test.ts
• packages/wizard/src/__tests__/post-agent.test.ts
• packages/wizard/src/__tests__/prerequisites.test.ts
• packages/wizard/src/agent/commandments.ts
• packages/wizard/src/agent/errors.ts
• packages/wizard/src/agent/interface.ts
• packages/wizard/src/lib/post-agent.ts
• packages/wizard/src/lib/prerequisites.ts
• packages/wizard/src/lib/rewrite-migrations.ts
• skills/stash-cli/SKILL.md
• skills/stash-secrets/SKILL.md