Interactive setup
Run stash init to authenticate, resolve your database, scaffold an encryption client, install dependencies, and add the EQL extension to CipherStash.
npx stash init is the first step in the CipherStash setup lifecycle. It authenticates you, resolves your database, scaffolds an encryption client, installs dependencies, installs the EQL extension, and writes a context file. When it finishes, it prompts you to continue to stash plan.
npx stash init
What init does
Init runs six steps with minimal prompts:
- Authenticates with CipherStash: If you are already authenticated, it logs Using workspace <id> (region) and moves on. No prompt. If you are not authenticated, it opens your browser for device-based authentication. Your token is saved to ~/.cipherstash/auth.json.
- Resolves the database: Reads your DATABASE_URL and verifies a connection can be made. Detects your Postgres provider (Supabase from the URL host, or generic Postgres).
- Generates the encryption client file: Auto-detects your integration (Drizzle from drizzle.config.* or drizzle-orm/drizzle-kit in package.json, Supabase from the DATABASE_URL host, or generic Postgres). Writes a placeholder client to ./src/encryption/index.ts silently. If that file already exists, it prompts you to keep it or overwrite it.
- Installs dependencies: Checks whether @cipherstash/stack and stash are already in node_modules. If both are present, skips silently. If either is missing, shows a single combined install prompt. Detects your package manager (npm, pnpm, yarn, bun) automatically.
- Installs EQL: Runs the same logic as stash db install. Scaffolds stash.config.ts if missing, detects your provider, and installs the EQL extension into your database. You do not need to run stash db install separately after init.
- Gathers context: Writes .cipherstash/context.json with the detected integration, package manager, schemas, environment keys, and available agents. This file is required by stash plan and stash impl.
Best case: 0 prompts (already authenticated, both packages installed, no existing client file, database reachable). Worst case: 2 prompts (region selection for first-time login, install confirmation for missing packages).
| Flag | Description |
|---|---|
| --supabase | Changes the intro message and next-steps output to the Supabase path. Detection handles file scaffolding regardless of this flag. |
| --drizzle | Changes the intro message and next-steps output to the Drizzle path. Detection handles file scaffolding regardless of this flag. |
Generated files
Init produces two files:
./src/encryption/index.ts: A placeholder encryption client. The template matches your detected integration. For a generic Postgres project it generates:
import { Encryption } from "@cipherstash/stack"
import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"
const users = encryptedTable("users", {
  email: encryptedColumn("email").equality().freeTextSearch(),
  name: encryptedColumn("name").equality().freeTextSearch(),
})
export default await Encryption({ schemas: [users] })
.cipherstash/context.json: Detected facts about your project. stash plan and stash impl read this file. It includes your integration type, package manager, detected schemas, environment keys, and available coding agents.
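A post-init check of the two files named above, the token file ~/.cipherstash/auth.json and .cipherstash/context.json, as an added example that is not part of the CipherStash CLI or its docs. The permission rule, the credential-URL pattern, and all function names are assumptions; nothing is assumed about the schema of context.json, and the sample object is constructed.

```javascript
// Added example: audit the files `stash init` writes before committing.
// File paths come from the page; every check here is an assumption.

// Constructed sample; the real context.json schema is not documented here.
const SAMPLE_CONTEXT = {
  integration: 'drizzle',
  envKeys: ['DATABASE_URL'],
  env: { DATABASE_URL: 'postgres://app:s3cret@db.example.internal:5432/app' },
};

// True when POSIX mode bits grant any access to group or others.
function isTooPermissive(mode) {
  return (mode & 0o077) !== 0;
}

// Walk any JSON value; return paths of strings shaped like
// scheme://user:password@host (a connection URL with an embedded secret).
function findCredentialUrls(value, path = '$') {
  if (typeof value === 'string') {
    const re = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/:@]+:[^\s\/@]+@/i;
    return re.test(value) ? [path] : [];
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) =>
    findCredentialUrls(v, Array.isArray(value) ? `${path}[${k}]` : `${path}.${k}`));
}

async function audit(projectDir, homeDir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const findings = [];
  const authFile = path.join(homeDir, '.cipherstash', 'auth.json');
  // Mode bits are not meaningful on Windows, so skip the check there.
  if (process.platform !== 'win32' && fs.existsSync(authFile) &&
      isTooPermissive(fs.statSync(authFile).mode)) {
    findings.push(`${authFile}: accessible to group/others, chmod 600 it`);
  }
  const ctxFile = path.join(projectDir, '.cipherstash', 'context.json');
  if (fs.existsSync(ctxFile)) {
    const ctx = JSON.parse(fs.readFileSync(ctxFile, 'utf8'));
    for (const p of findCredentialUrls(ctx)) {
      findings.push(`${ctxFile}: ${p} holds a URL with an embedded password`);
    }
  }
  return findings;
}

// Run as: node audit-init.js audit   (exits 1 when anything is found)
if (process.argv[2] === 'audit') {
  import('node:os').then((os) => audit(process.cwd(), os.homedir()))
    .then((f) => { f.forEach((l) => console.log(l)); process.exitCode = f.length ? 1 : 0; });
}
```

Running it in CI before a commit that adds .cipherstash/context.json catches a credential-bearing URL regardless of which key it sits under.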
After init
When init completes, it shows a summary panel:
Setup complete
✓ Authenticated to CipherStash
✓ Database connection verified
✓ Encryption client scaffolded
✓ `@cipherstash/stack` installed
✓ `stash` CLI installed
✓ EQL extension installed
Then it asks (default-yes):
Continue to `stash plan` now to draft your encryption plan? (Y/n)
Answering yes launches stash plan immediately. Answering no (or running non-interactively) prints:
Next: run `stash plan` to draft your encryption plan.
db install flags
If you need to run EQL installation with specific flags (for example, writing a Supabase migration file), use stash db install directly after init:
npx stash db install --supabase --migration
npx stash db install --drizzle
npx stash db install --drizzle --supabase
Good to know: You can pass --drizzle and --supabase together. The CLI combines both behaviors: Supabase-compatible SQL output as a Drizzle migration.
See Install and upgrade EQL for the full flag reference.
Next steps
CipherStash CLI
The stash dev-time CLI installs EQL in PostgreSQL, scaffolds an encryption client, and manages schemas with init, plan, and impl commands.
Draft an encryption plan
Run stash plan to hand off to a coding agent that drafts a reviewable encryption plan.md, with column paths, before any code changes are made.