cipherstash · calvinbrewer · Apr 30, 2026 · Apr 30, 2026 · coderabbitai · Apr 30, 2026
@@ -0,0 +1,12 @@
+---
+'@cipherstash/cli': minor
+---
+
+Reduce friction in `stash init`.
+
+- **No more "How will you connect to your database?" prompt.** Init now auto-detects Drizzle (from `drizzle.config.*` or `drizzle-orm`/`drizzle-kit` in `package.json`) and Supabase (from the host in `DATABASE_URL`), and silently picks the matching encryption client template. Falls back to a generic Postgres template otherwise.
+- **No more "Where should we create your encryption client?" prompt.** Init writes to `./src/encryption/index.ts` by default. The "file already exists, what would you like to do?" prompt still appears so existing client files aren't silently overwritten.
+- **Single combined dependency-install prompt.** Previously init asked twice (once for `@cipherstash/stack`, once for `@cipherstash/cli`). It now asks once, listing both, and runs the installs in sequence. When both packages are already in `node_modules`, no prompt appears at all.
+- **Already-authenticated users skip the "Continue with workspace X?" prompt.** Init logs `Using workspace X` and proceeds. Run `stash auth login` directly to switch workspaces.
+
+`stash db install` now also calls into the same encryption-client scaffolder as a safety net — users who run `db install` without `init` first still get a working client file generated at the path their `stash.config.ts` points to.
@@ -0,0 +1,9 @@
+---
+'@cipherstash/cli': minor
+---
+
+**Breaking:** the `stash wizard` command has been removed. The AI-guided encryption setup is now its own package — run it via `npx @cipherstash/wizard` (or `pnpm dlx`, `bunx`, `yarn dlx`).
+
+The wizard was pulling `@anthropic-ai/claude-agent-sdk` (47MB unpacked) into every `npx @cipherstash/cli` invocation, even for fast commands like `init`, `auth`, and `db install`. Splitting it out keeps cli's dependency tree small and lets each package manager handle the wizard's install natively — no more shelling out to `npm` from inside the cli, no Yarn PnP / Bun-only failure modes.
+
+The next-steps output from `init` and `db install` still recommends `npx @cipherstash/wizard` as the automated path. The `schema build` command no longer offers a wizard/builder selection prompt — it goes straight to the schema builder.
@@ -0,0 +1,16 @@
+---
+'@cipherstash/wizard': minor
+---
+
+Initial release of `@cipherstash/wizard` — AI-powered encryption setup for CipherStash, extracted from `@cipherstash/cli`.
+
+Run it once per project, after `stash init`:
+
+```bash
+npx @cipherstash/wizard
+pnpm dlx @cipherstash/wizard
+yarn dlx @cipherstash/wizard
+bunx @cipherstash/wizard
+```
+
+The wizard reads your codebase, asks which columns to encrypt, hands a surgical prompt to the Claude Agent SDK against the CipherStash-hosted LLM gateway, and runs deterministic post-agent steps (package install, `db install`, `db push`, framework migrations). Same behavior as the previous `stash wizard` command — just shipped as its own package so it doesn't bloat the cli's dependency tree.
@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/@cipherstash/cli.svg?style=for-the-badge&labelColor=000000)](https://www.npmjs.com/package/@cipherstash/cli)
 [![License: MIT](https://img.shields.io/npm/l/@cipherstash/cli.svg?style=for-the-badge&labelColor=000000)](https://github.com/cipherstash/protectjs/blob/main/LICENSE.md)
 
-The single CLI for CipherStash. It handles authentication, project initialization, AI-guided encryption setup, EQL database lifecycle (install, upgrade, validate, push, migrate), schema building, and encrypted secrets management. Install it as a devDependency alongside the runtime SDK `@cipherstash/stack`.
+The single CLI for CipherStash. It handles authentication, project initialization, EQL database lifecycle (install, upgrade, validate, push, migrate), schema building, and encrypted secrets management. Install it as a devDependency alongside the runtime SDK `@cipherstash/stack`.
 
 ---
 
@@ -14,29 +14,30 @@ npm install -D @cipherstash/cli
 npx @cipherstash/cli auth login    # authenticate with CipherStash
 npx @cipherstash/cli init          # scaffold encryption schema and install dependencies
 npx @cipherstash/cli db install    # scaffold stash.config.ts (if missing) and install EQL
-npx @cipherstash/cli wizard        # AI agent wires encryption into your codebase
 ```
 
 What each step does:
 
 - `auth login` — opens a browser-based device code flow and saves a token to `~/.cipherstash/auth.json`.
 - `init` — generates your encryption client file and installs `@cipherstash/cli` as a dev dependency. Pass `--supabase` or `--drizzle` for provider-specific setup.
 - `db install` — detects your encryption client, writes `stash.config.ts` if it's missing, and installs EQL extensions in a single step.
-- `wizard` — reads your codebase with an AI agent (uses the CipherStash-hosted LLM gateway, no Anthropic API key required) and modifies your schema files in place.
+
+After `db install`, declare which columns to encrypt — either run [`@cipherstash/wizard`](https://www.npmjs.com/package/@cipherstash/wizard) to do it automatically, or edit your encryption client file (default `./src/encryption/index.ts`) by hand.
 
 ---
 
 ## Recommended flow
 
 ```
-npx @cipherstash/cli init
-    └── npx @cipherstash/cli db install
-            └── npx @cipherstash/cli wizard        ← fast path: AI edits your files
-                    OR
-                Edit schema files by hand  ← escape hatch
+npx @cipherstash/cli auth login
+    └── npx @cipherstash/cli init
+            └── npx @cipherstash/cli db install
+                    └── npx @cipherstash/wizard       ← fast path: AI edits your files
+                            OR
+                        Edit schema files by hand     ← escape hatch
 ```
 
-`npx @cipherstash/cli wizard` is the recommended path after `db install`. It detects your framework (Drizzle, Supabase, Prisma, raw SQL), introspects your database, and integrates encryption directly into your existing schema definitions. If you prefer to write the schema by hand, skip the wizard and edit your encryption client file directly.
+`@cipherstash/cli` covers authentication, initialization, EQL install/upgrade/validate/push/migrate, and schema introspection. The wizard ([`@cipherstash/wizard`](https://www.npmjs.com/package/@cipherstash/wizard)) is a separate package that calls back into these cli commands after its AI agent finishes editing your schema files.
 
 ---
 
@@ -79,7 +80,7 @@ npx @cipherstash/cli init [--supabase] [--drizzle]
 | `--supabase` | Use the Supabase-specific setup flow |
 | `--drizzle` | Use the Drizzle-specific setup flow |
 
-After `init` completes, the Next Steps output tells you to run `npx @cipherstash/cli db install`, then either `npx @cipherstash/cli wizard` or edit the schema manually.
+After `init` completes, the Next Steps output tells you to run `npx @cipherstash/cli db install`, then edit your encryption client file directly.
 
 ---
 
@@ -91,25 +92,7 @@ Authenticate with CipherStash using a browser-based device code flow.
 npx @cipherstash/cli auth login
 ```
 
-Saves the token to `~/.cipherstash/auth.json`. The wizard checks for this file as a prerequisite before running.
-
----
-
-### `npx @cipherstash/cli wizard`
-
-AI-powered encryption setup. The wizard reads your codebase, detects your framework, introspects your database schema, and edits your existing schema files to add encrypted column definitions.
-
-```bash
-npx @cipherstash/cli wizard
-```
-
-Prerequisites:
-- Authenticated (`npx @cipherstash/cli auth login` completed).
-- `stash.config.ts` present (run `npx @cipherstash/cli db install` first; it will scaffold the config if missing).
-
-Supported integrations: Drizzle ORM, Supabase JS Client, Prisma (experimental), raw SQL / other.
-
-The wizard uses the CipherStash-hosted LLM gateway. No Anthropic API key is required.
+Saves the token to `~/.cipherstash/auth.json`. Database-touching commands check for this file before running.
 
 ---
 
@@ -286,7 +269,7 @@ Build an encryption client file from your database schema using DB introspection
 npx @cipherstash/cli schema build [--supabase]
 ```
 
-The first prompt offers `npx @cipherstash/cli wizard` as the recommended path. If you choose the manual builder, the command connects to your database, lets you select tables and columns to encrypt, asks about searchable indexes, and generates a typed encryption client file.
+Connects to your database, lets you select tables and columns to encrypt, asks about searchable indexes, and generates a typed encryption client file.
 
 Reads `databaseUrl` from `stash.config.ts`.
 
@@ -422,7 +405,7 @@ const sql = await downloadEqlSql(true)         // no operator family variant
 
 ## Relationship to `@cipherstash/stack`
 
-`@cipherstash/stack` is the runtime SDK. It stays lean with no heavy dependencies like `pg` and ships in your production bundle. `@cipherstash/cli` is a devDependency: it handles database tooling, AI-guided setup, and schema lifecycle at development time. Think of it like Drizzle Kit — a companion tool that prepares the database while the runtime SDK handles queries.
+`@cipherstash/stack` is the runtime SDK. It stays lean with no heavy dependencies like `pg` and ships in your production bundle. `@cipherstash/cli` is a devDependency: it handles database tooling and schema lifecycle at development time. Think of it like Drizzle Kit — a companion tool that prepares the database while the runtime SDK handles queries.
 
 ---
 

@@ -1,7 +1,7 @@
 {
 	"name": "@cipherstash/cli",
 	"version": "0.8.0",
-	"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, secrets, and the AI wizard.",
+	"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",
 	"files": [
@@ -40,7 +40,6 @@
 		"lint": "biome check ."
 	},
 	"dependencies": {
-		"@anthropic-ai/claude-agent-sdk": "^0.2.87",
 		"@cipherstash/auth": "catalog:repo",
 		"@clack/prompts": "0.10.1",
 		"dotenv": "16.4.7",

@@ -61,7 +61,6 @@ Usage: npx @cipherstash/cli <command> [options]
 Commands:
   init                 Initialize CipherStash for your project
   auth <subcommand>    Authenticate with CipherStash
-  wizard               AI-powered encryption setup (reads your codebase)
 
   db install           Scaffold stash.config.ts (if missing) and install EQL extensions
   db upgrade           Upgrade EQL extensions to the latest version
@@ -98,7 +97,6 @@ Examples:
   npx @cipherstash/cli init
   npx @cipherstash/cli init --supabase
   npx @cipherstash/cli auth login
-  npx @cipherstash/cli wizard
   npx @cipherstash/cli db install
   npx @cipherstash/cli db push
   npx @cipherstash/cli schema build
@@ -248,16 +246,6 @@ async function main() {
       await authCommand(authArgs, flags)
       break
     }
-    case 'wizard': {
-      // Lazy-load the wizard so the agent SDK is only imported when needed.
-      const { run } = await import('../commands/wizard/run.js')
-      await run({
-        cwd: process.cwd(),
-        debug: flags.debug,
-        cliVersion: pkg.version,
-      })
-      break
-    }
     case 'db':
       await runDbCommand(subcommand, flags, values)
       break

@@ -0,0 +1,52 @@
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs'
+import { dirname, resolve } from 'node:path'
+import * as p from '@clack/prompts'
+import type { Integration } from '../init/types.js'
+import { generatePlaceholderClient } from '../init/utils.js'
+import { detectDrizzle, detectSupabase } from './detect.js'
+
+/**
+ * Pick a placeholder template using the same signals `db install` already
+ * detects. Drizzle wins over Supabase when both look present (a Drizzle-on-
+ * Supabase project is more naturally scaffolded as Drizzle).
+ */
+function detectIntegration(
+  cwd: string,
+  databaseUrl: string | undefined,
+): Integration {
+  if (detectDrizzle(cwd)) return 'drizzle'
+  if (detectSupabase(databaseUrl)) return 'supabase'
+  return 'postgresql'
+}
+
+/**
+ * Scaffold an encryption client file at `clientPath` if one doesn't exist.
+ * No-op when the file is already present. Silent — never prompts.
+ *
+ * `init`'s `buildSchemaStep` is the primary path that creates this file
+ * (and handles the "file already exists" case interactively). This function
+ * exists as a safety net for users who run `db install` directly without
+ * `init` first — they still get a working client file rather than failing
+ * later when the config tries to load a non-existent path.
+ */
+export function ensureEncryptionClient(
+  clientPath: string,
+  cwd: string = process.cwd(),
+  databaseUrl: string | undefined = process.env.DATABASE_URL,
+): void {
+  const resolved = resolve(cwd, clientPath)
+  if (existsSync(resolved)) return
+
+  const integration = detectIntegration(cwd, databaseUrl)
+  const contents = generatePlaceholderClient(integration)
+
+  const dir = dirname(resolved)
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true })
+  }
+  writeFileSync(resolved, contents, 'utf-8')
+
+  p.log.success(
+    `Scaffolded encryption client at ${clientPath} (${integration} template)`,
+  )
+}
@@ -9,6 +9,7 @@ import {
   loadBundledEqlSql,
 } from '@/installer/index.js'
 import * as p from '@clack/prompts'
+import { ensureEncryptionClient } from './client-scaffold.js'
 import { ensureStashConfig } from './config-scaffold.js'
 import {
   type SupabaseProjectInfo,
@@ -86,6 +87,11 @@ export async function installCommand(options: InstallOptions) {
   const config = await loadStashConfig()
   s.stop('Configuration loaded.')
 
+  // Safety net: if the user ran `db install` without first running `init`,
+  // scaffold the encryption client file so config.client points somewhere
+  // real. No-op when the file already exists.
+  ensureEncryptionClient(config.client, process.cwd(), config.databaseUrl)
-  // Safety net: if the user ran `db install` without first running `init`,
-  // scaffold the encryption client file so config.client points somewhere
-  // real. No-op when the file already exists.
-  ensureEncryptionClient(config.client, process.cwd(), config.databaseUrl)
+  // Safety net: if the user ran `db install` without first running `init`,
+  // scaffold the encryption client file so config.client points somewhere
+  // real. No-op when the file already exists.
+  if (!options.dryRun) {
+    ensureEncryptionClient(config.client, process.cwd(), config.databaseUrl)
+  }
-  // Safety net: if the user ran `db install` without first running `init`,
-  // scaffold the encryption client file so config.client points somewhere
-  // real. No-op when the file already exists.
-  ensureEncryptionClient(config.client, process.cwd(), config.databaseUrl)
+  // Safety net: if the user ran `db install` without first running `init`,
+  // scaffold the encryption client file so config.client points somewhere
+  // real. No-op when the file already exists.
+  if (!options.dryRun) {
+    ensureEncryptionClient(config.client, process.cwd(), config.databaseUrl)
+  }
+
   // Auto-detect provider hints when the user didn't explicitly pass flags.
   // CIP-2985.
   const resolved = resolveProviderOptions(options, config.databaseUrl)
@@ -258,8 +264,8 @@ function printNextSteps(): void {
     [
       'Next steps:',
       '',
-      '  1. Wire up encrypt/decrypt with the wizard:',
-      '       npx @cipherstash/cli wizard',
+      '  1. Wire up encrypt/decrypt with the wizard (AI-guided, automated):',
+      '       npx @cipherstash/wizard',
       '',
       '  2. Or use the client directly from @cipherstash/stack:',
       "       import { Encryption } from '@cipherstash/stack'",

@@ -6,7 +6,6 @@ import { authenticateStep } from './steps/authenticate.js'
 import { buildSchemaStep } from './steps/build-schema.js'
 import { installForgeStep } from './steps/install-forge.js'
 import { nextStepsStep } from './steps/next-steps.js'
-import { selectConnectionStep } from './steps/select-connection.js'
 import type { InitProvider, InitState } from './types.js'
 import { CancelledError } from './types.js'
 
@@ -17,7 +16,6 @@ const PROVIDER_MAP: Record<string, () => InitProvider> = {
 
 const STEPS = [
   authenticateStep,
-  selectConnectionStep,
   buildSchemaStep,
   installForgeStep,
   nextStepsStep,

@@ -4,26 +4,16 @@ export function createBaseProvider(): InitProvider {
   return {
     name: 'base',
     introMessage: 'Setting up CipherStash for your project...',
-    connectionOptions: [
-      { value: 'drizzle', label: 'Drizzle ORM' },
-      { value: 'supabase-js', label: 'Supabase JS Client' },
-      { value: 'prisma', label: 'Prisma' },
-      { value: 'raw-sql', label: 'Raw SQL / pg' },
-    ],
     getNextSteps(state: InitState): string[] {
-      const steps = ['Set up your database: npx @cipherstash/cli db install']
-
       const manualEdit = state.clientFilePath
         ? `edit ${state.clientFilePath} directly`
         : 'edit your encryption schema directly'
-      steps.push(
-        `Customize your schema: npx @cipherstash/cli wizard (AI-guided, automated) — or ${manualEdit}`,
-      )
-
-      steps.push('Quickstart: https://cipherstash.com/docs/stack/quickstart')
-      steps.push('Dashboard: https://dashboard.cipherstash.com/workspaces')
-
-      return steps
+      return [
+        'Set up your database: npx @cipherstash/cli db install',
+        `Customize your schema: npx @cipherstash/wizard (AI-guided, automated) — or ${manualEdit}`,
+        'Quickstart: https://cipherstash.com/docs/stack/quickstart',
+        'Dashboard: https://dashboard.cipherstash.com/workspaces',
+      ]
     },
   }
 }
@@ -4,20 +4,14 @@ export function createDrizzleProvider(): InitProvider {
   return {
     name: 'drizzle',
     introMessage: 'Setting up CipherStash for your Drizzle project...',
-    connectionOptions: [
-      { value: 'drizzle', label: 'Drizzle ORM', hint: 'recommended' },
-      { value: 'supabase-js', label: 'Supabase JS Client' },
-      { value: 'prisma', label: 'Prisma' },
-      { value: 'raw-sql', label: 'Raw SQL / pg' },
-    ],
     getNextSteps(state: InitState): string[] {
       const steps = ['Set up your database: npx @cipherstash/cli db install --drizzle']
 
       const manualEdit = state.clientFilePath
         ? `edit ${state.clientFilePath} directly`
         : 'edit your encryption schema directly'
       steps.push(
-        `Customize your schema: npx @cipherstash/cli wizard (AI-guided, automated) — or ${manualEdit}`,
+        `Customize your schema: npx @cipherstash/wizard (AI-guided, automated) — or ${manualEdit}`,
       )
 
       steps.push(

@@ -4,16 +4,6 @@ export function createSupabaseProvider(): InitProvider {
   return {
     name: 'supabase',
     introMessage: 'Setting up CipherStash for your Supabase project...',
-    connectionOptions: [
-      {
-        value: 'supabase-js',
-        label: 'Supabase JS Client',
-        hint: 'recommended',
-      },
-      { value: 'drizzle', label: 'Drizzle ORM' },
-      { value: 'prisma', label: 'Prisma' },
-      { value: 'raw-sql', label: 'Raw SQL / pg' },
-    ],
     getNextSteps(state: InitState): string[] {
       const steps = [
         'Install EQL: npx @cipherstash/cli db install --supabase (prompts for migration vs direct)',
@@ -24,7 +14,7 @@ export function createSupabaseProvider(): InitProvider {
         ? `edit ${state.clientFilePath} directly`
         : 'edit your encryption schema directly'
       steps.push(
-        `Customize your schema: npx @cipherstash/cli wizard (AI-guided, automated) — or ${manualEdit}`,
+        `Customize your schema: npx @cipherstash/wizard (AI-guided, automated) — or ${manualEdit}`,
       )
 
       steps.push(