Merged
6 changes: 6 additions & 0 deletions .changeset/wide-pets-brush.md
@@ -0,0 +1,6 @@
---
"@cipherstash/stack": minor
"@cipherstash/cli": minor
---

Mark secrets as a coming soon feature and remove existing SDK integration.
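
Review bot: The one-line summary on line 6 is too thin for a removal shipped as `minor` on both `@cipherstash/stack` and `@cipherstash/cli`. Taking out the `secrets` CLI command breaks any script that calls it, so name what each package loses (for the CLI, the `secrets` subcommand; for the stack package, the exact exports that go away) and say what callers should do in the meantime. If either package is past 1.0, a removal like this belongs in a major bump rather than a minor one.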
Comment on lines +1 to +6
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for remaining secrets CLI command files
echo "=== Checking for secrets CLI command files ==="
fd -t f . packages/cli/src/commands/secrets/ 2>/dev/null || echo "Directory not found or empty"

echo -e "\n=== Checking for secrets route registration in CLI ==="
rg -n "secretsRouteMap|secrets:.*secretsRouteMap" packages/protect/src/bin/ packages/cli/src/

echo -e "\n=== Checking for Stash client exports ==="
rg -n "export.*class Stash|export.*interface.*Secret" packages/protect/src/stash/ packages/stack/src/

echo -e "\n=== Checking for secrets module in SDK exports ==="
rg -n "export.*from.*['\"].*secrets" packages/stack/src/index.ts 2>/dev/null || echo "File not found"

echo -e "\n=== Checking if secrets implementation directory exists ==="
fd -t d "^secrets$" packages/stack/src/ packages/cli/src/commands/

Repository: cipherstash/stack

Length of output: 878


Critical inconsistency: Changeset claims SDK integration removed, but secrets code remains active in the codebase.

The changeset states "remove existing SDK integration," but the evidence reveals incomplete removal:

  1. Route registration still active: packages/protect/src/bin/stash.ts (lines 398, 442) still defines and registers secretsRouteMap with all secrets commands in the route map.
  2. SDK exports still present: packages/protect/src/stash/index.ts still exports the Stash class and multiple secret-related interfaces (SecretMetadata, ListSecretsResponse, GetSecretResponse, DecryptedSecretResponse).

While CLI command files appear to have been removed, the route integration and SDK exports remain, making the changeset description misleading. Users reading "remove existing SDK integration" will expect secrets to be unavailable, but the Stash client still exposes full secrets management capabilities.

Either complete the removal by deleting the route registration and SDK exports, or update the changeset description to reflect the actual state.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.changeset/wide-pets-brush.md around lines 1 - 6, The changeset claims SDK
integration was removed but code still registers secretsRouteMap and exports
secret APIs; either fully remove the SDK parts or update the changeset. Option
A: delete the secrets route registration in stash.ts (remove references to
secretsRouteMap and its registration lines) and remove the exports of Stash and
secret interfaces (SecretMetadata, ListSecretsResponse, GetSecretResponse,
DecryptedSecretResponse) from packages/protect/src/stash/index.ts. Option B:
keep the code as-is and revise the changeset text to accurately state that CLI
commands were removed but SDK route registration and exports remain (e.g., "Mark
secrets as coming soon; CLI commands removed, SDK integration retained"). Ensure
only one of these paths is applied to make the changeset consistent with the
code.

21 changes: 1 addition & 20 deletions README.md
Expand Up @@ -14,7 +14,6 @@
## What is the stack?

- [Encryption](https://cipherstash.com/docs/stack/cipherstash/encryption): Field-level encryption for TypeScript apps with searchable encrypted queries, zero-knowledge key management, and first-class ORM support.
- [Secrets](https://cipherstash.com/docs/stack/cipherstash/secrets): Zero-trust secrets management with end-to-end encryption. Plaintext never leaves your application.

## Quick look at the stack in action

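Review bot: The Secrets bullet under "What is the stack?" is dropped outright, and README.md gains only one line in this PR, so nothing in the README marks secrets as coming soon, which is what the changeset says this change does. Keep the bullet as an unlinked entry such as "Secrets (coming soon)", or add a one-line note, so readers who followed the earlier `Secrets` example can tell the feature is deferred rather than silently gone.
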
Expand Down Expand Up @@ -48,21 +47,6 @@ if (decryptResult.failure) {
// decryptResult.data => "secret@example.com"
```

**Secrets**

```typescript
import { Secrets } from "@cipherstash/stack";

// 1. Initialize the secrets client
const secrets = new Secrets({ environment: "production" });

// 2. Set a secret with the SDK or the CLI
await secrets.set("DATABASE_URL", "postgres://user:pass@host:5432/db");

// 3. Consume the secret in your application
const secret = await secrets.get("DATABASE_URL");
```

## Install

```bash
Expand All @@ -86,7 +70,6 @@ bun add @cipherstash/stack
- **[Type-safe schema](https://cipherstash.com/docs/stack/cipherstash/encryption/schema)**: define encrypted tables and columns with `encryptedTable` / `encryptedColumn`
- **[Model & bulk operations](https://cipherstash.com/docs/stack/cipherstash/encryption/encrypt-decrypt#model-operations)**: encrypt and decrypt entire objects or batches with `encryptModel` / `bulkEncryptModels`.
- **[Identity-aware encryption](https://cipherstash.com/docs/stack/cipherstash/encryption/identity)**: bind encryption to user identity with lock contexts for policy-based access control.
- **[Secrets management](https://cipherstash.com/docs/stack/cipherstash/secrets)**: store and retrieve encrypted secrets via the Secrets SDK and CLI.

## Integrations

Expand All @@ -97,14 +80,12 @@ bun add @cipherstash/stack
## Use cases

- **Trusted data access**: ensure only your end-users can access their sensitive data using identity-bound encryption
- **Sensitive config management**: store API keys and database credentials with zero-trust encryption and full audit trails
- **Reduce breach impact**: limit the blast radius of exploited vulnerabilities to only the data the affected user can decrypt

## Documentation

- [Documentation](https://cipherstash.com/docs)
- [Encryption getting started guide](https://cipherstash.com/docs/stack/quickstart)
- [Secrets getting started guide](https://cipherstash.com/docs/stack/cipherstash/secrets/getting-started)
- [Quickstart](https://cipherstash.com/docs/stack/quickstart)
⚠️ Potential issue | 🟡 Minor

Documentation change depends on complete secrets removal.

The update to a unified "Quickstart" link is appropriate for removing secrets documentation. However, this change assumes secrets have been fully removed from the SDK and CLI, which may not be the case based on the critical inconsistency identified in the changeset (see comment on .changeset/wide-pets-brush.md).

Ensure secrets code is actually removed before merging documentation changes that eliminate references to the feature.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 88, You changed README.md to remove secrets docs
(replacing the previous link with a unified Quickstart) but the codebase may
still contain secrets-related functionality; before merging, confirm and remove
all secrets references: search the repo for "secrets", the "secrets" module, any
classes or functions named SecretManager/SecretClient, CLI commands like
"cipherstash secrets", tests that assert secrets behavior, and the
.changeset/wide-pets-brush.md entry to ensure it reflects the code removal; if
secrets code still exists, revert the README Quickstart change (or add a
conditional note) and finish deleting/renaming the secrets code and tests, then
update .changeset/wide-pets-brush.md and README.md together so docs only change
once the implementation is gone.

- [SDK and API reference](https://cipherstash.com/docs/stack/reference)

## Contributing
10 changes: 0 additions & 10 deletions packages/cli/src/bin/stash.ts
Expand Up @@ -53,7 +53,6 @@ Usage: npx @cipherstash/cli <command> [options]
Commands:
init Initialize CipherStash for your project
auth <subcommand> Authenticate with CipherStash
secrets <subcommand> Manage encrypted secrets
wizard AI-powered encryption setup (reads your codebase)

db install Install EQL extensions into your database
Expand Down Expand Up @@ -91,7 +90,6 @@ Examples:
npx @cipherstash/cli db setup
npx @cipherstash/cli db push
npx @cipherstash/cli schema build
npx @cipherstash/cli secrets set -n DATABASE_URL -V "postgres://..." -e production
`.trim()

interface ParsedArgs {
Expand Down Expand Up @@ -241,14 +239,6 @@ async function main() {
await authCommand(authArgs, flags)
break
}
case 'secrets': {
const { secretsCommand } = await requireStack(() => import('../commands/secrets/index.js'))
const secretsArgs = subcommand
? [subcommand, ...commandArgs]
: commandArgs
await secretsCommand(secretsArgs)
break
}
case 'wizard': {
// Lazy-load the wizard so the agent SDK is only imported when needed.
const { run } = await import('../commands/wizard/run.js')
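
Review bot: With `case 'secrets'` deleted from the switch in `main()`, `npx @cipherstash/cli secrets ...` now lands in whatever branch handles unrecognised commands, which is not shown in this hunk. The changeset describes secrets as coming soon, so consider keeping a small `case 'secrets'` that prints a coming-soon message and exits non-zero; scripts that still call `secrets set` or `secrets get` then fail with a stated reason instead of whatever the fallback prints.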
40 changes: 0 additions & 40 deletions packages/cli/src/commands/secrets/delete.ts

This file was deleted.

27 changes: 0 additions & 27 deletions packages/cli/src/commands/secrets/get-many.ts

This file was deleted.

24 changes: 0 additions & 24 deletions packages/cli/src/commands/secrets/get.ts

This file was deleted.

75 changes: 0 additions & 75 deletions packages/cli/src/commands/secrets/helpers.ts

This file was deleted.

137 changes: 0 additions & 137 deletions packages/cli/src/commands/secrets/index.ts

This file was deleted.
