CipherStash Forge
Dev-time CLI for managing EQL installation, encryption schemas, and database setup
CipherStash Forge
@cipherstash/cli is a dev-time CLI and library for managing CipherStash EQL (Encrypted Query Language) in PostgreSQL.
@cipherstash/stack is the runtime encryption SDK. It stays lean with no heavy dependencies like pg. @cipherstash/cli is a devDependency that handles database tooling: installing EQL extensions, checking permissions, validating schemas, and managing schema lifecycle.
Think of it like Prisma CLI or Drizzle Kit. It sets up the database while the main SDK handles runtime operations.
| Package | Role | Install as |
|---|---|---|
@cipherstash/stack | Runtime encryption and decryption | dependency |
@cipherstash/cli | Database setup and schema management | devDependency |
Quick start
Interactive (recommended)
Run the init wizard
The npx @cipherstash/cli init command authenticates you, generates your encryption schema, and installs dependencies.
npx @cipherstash/cli initSet up your database
Run the interactive setup to install EQL and configure your database:
npx @cipherstash/cli db setupEQL is now installed and your encryption schema is ready.
Build your schema with AI (optional)
Use the AI-powered wizard to generate an encryption schema from your database:
npx @cipherstash/cli wizardManual setup
Install the CLI
npm install -D @cipherstash/cliCreate stash.config.ts
Create stash.config.ts in your project root:
import { defineConfig } from '@cipherstash/cli'
export default defineConfig({
databaseUrl: process.env.DATABASE_URL!,
})Add your database URL
DATABASE_URL=postgresql://user:password@localhost:5432/mydbSet up your database
npx @cipherstash/cli db setupGood to know: Using Drizzle? Run npx @cipherstash/cli db install --drizzle to generate a migration directly, then npx drizzle-kit migrate to apply it.
Configuration
The stash.config.ts file is the single source of truth for Forge. Use defineConfig for type safety.
import { defineConfig } from '@cipherstash/cli'
export default defineConfig({
databaseUrl: process.env.DATABASE_URL!,
client: './src/encryption/index.ts',
})| Option | Required | Default | Description |
|---|---|---|---|
databaseUrl | Yes | PostgreSQL connection string | |
client | No | ./src/encryption/index.ts | Path to your encryption client file. Used by push and validate. |
The CLI automatically loads .env before evaluating the config, so process.env references work without any extra setup. The config file is resolved by walking up from the current working directory, similar to how tsconfig.json resolution works.
Next steps
Init wizard
Use the interactive wizard to set up Forge in your project.
Install and upgrade
Install or upgrade EQL in your database.
Schema validation
Validate your encryption schema for common misconfigurations.
Push to database
Push your encryption schema to the database for use with CipherStash Proxy.
Programmatic API
Use Forge as a library in your own scripts and tooling.