Background
stash init (and stash schema build) introspects the database and lets the user pick which columns to encrypt via a @clack/prompts multi-select. Three issues with the current flow:
1. Empty submission silently advances past the prompt
The multiselect is keyed on space-bar to toggle, enter to confirm. Users frequently hit enter expecting it to "select" the highlighted column — instead they're submitting with nothing toggled. clack's required: true should reject this, but on a re-run any pre-existing eql_v2_encrypted columns are pre-selected, so the user can press enter immediately and only that one column gets recorded — typically not what they meant.
There's no way to back out of the prompt once advanced.
2. eql_v2_configuration is offered as a candidate table
The introspection query returns every BASE TABLE in public, including EQL's own configuration store (eql_v2_configuration, and any future eql_v2_* tables EQL adds). Selecting it for encryption would break EQL itself — the table needs to be readable in plaintext for EQL to function.
3. Already-encrypted columns can be silently dropped
Columns whose Postgres type is eql_v2_encrypted are pre-selected in the multiselect, but nothing stops the user from deselecting them. Doing so drops the column from the regenerated schema even though it's still encrypted in the database — a footgun on re-runs.
Proposed fix (PR #TBD)
- Drop required: true. On empty submission: warn-and-reprompt if no other tables have been configured this run; otherwise offer "Skip encryption for the <x> table" as an explicit escape.
- Add an "Encrypt N columns in <x>: a, b, c — proceed?" confirmation summary after the multiselect so misclicks are recoverable.
- Lift eql_v2_encrypted columns out of the multiselect entirely. Display them as a "will be kept as-is" note above the prompt and merge them into the schema automatically. (clack has no disabled-row affordance, so this is the closest we can get to "shown but not toggleable".)
- Filter eql_v2_* tables out of introspection at the SQL level so EQL-managed tables never reach the picker.
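The proposed flow as an added example, not stash's own code: three pure functions covering the eql_v2_* table filter, the kept-as-is split of already-encrypted columns, and the empty-submission handling, written so they can be unit-tested without a TTY. The information_schema query, the row shape and the function names are assumptions.

```javascript
// Added example, not stash's own code: pure helpers modelling the proposed
// picker flow so it can be tested without a TTY. Assumed row shape is what
// information_schema.columns returns for a query like
//   SELECT table_name, column_name, udt_name FROM information_schema.columns
//   WHERE table_schema = 'public' AND table_name NOT LIKE 'eql\_v2\_%'
// (the NOT LIKE is the proposal's SQL-level filter; groupByTable repeats it).
const EQL_TABLE_PREFIX = "eql_v2_";
const EQL_ENCRYPTED_TYPE = "eql_v2_encrypted";
// Constructed sample rows, including an EQL-managed table that must be dropped.
const SAMPLE_ROWS = [
  { table_name: "users", column_name: "email", udt_name: "text" },
  { table_name: "users", column_name: "ssn", udt_name: EQL_ENCRYPTED_TYPE },
  { table_name: "eql_v2_configuration", column_name: "data", udt_name: "jsonb" },
  { table_name: "orders", column_name: "total", udt_name: "numeric" },
];
// Issue 2: group columns by table, dropping eql_v2_* tables entirely.
function groupByTable(rows) {
  const tables = new Map();
  for (const row of rows) {
    if (row.table_name.startsWith(EQL_TABLE_PREFIX)) continue;
    if (!tables.has(row.table_name)) tables.set(row.table_name, []);
    tables.get(row.table_name).push(row);
  }
  return tables;
}

// Issue 3: already-encrypted columns are kept as-is (never toggleable);
// only plaintext columns become multiselect candidates.
function partitionColumns(columns) {
  const kept = [], candidates = [];
  for (const c of columns) {
    (c.udt_name === EQL_ENCRYPTED_TYPE ? kept : candidates).push(c.column_name);
  }
  return { kept, candidates };
}

// Issue 1: handle the multiselect result. `selected` is what the prompt
// returned; `configuredSoFar` counts tables already configured this run.
function resolveSelection(table, kept, selected, configuredSoFar) {
  if (selected.length === 0) {
    return configuredSoFar === 0
      ? { action: "reprompt", message: `No columns selected in ${table}: space toggles, enter confirms.` }
      : { action: "offer-skip", message: `Skip encryption for the ${table} table` };
  }
  return {
    action: "confirm",
    message: `Encrypt ${selected.length} columns in ${table}: ${selected.join(", ")}. Proceed?`,
    columns: [...kept, ...selected], // kept columns are merged automatically
  };
}
```

Wiring these into the real @clack/prompts calls is the only interactive part left: the multiselect receives only `candidates`, and the returned action drives the reprompt, skip or confirm step.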