cipherstash · tobyhede · May 29, 2026 · May 21, 2026 · May 21, 2026 · May 25, 2026
diff --git a/.github/workflows/test-eql.yml b/.github/workflows/test-eql.yml
@@ -64,6 +64,10 @@ jobs:
 
     env:
       POSTGRES_VERSION: ${{ matrix.postgres-version }}
+      CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
+      CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
+      CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
+      CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
 
     steps:
       - uses: actions/checkout@v6
@@ -126,4 +130,3 @@ jobs:
           mise run --output prefix test:splinter --postgres ${POSTGRES_VERSION}
 
 
-
diff --git a/.gitignore b/.gitignore
@@ -123,6 +123,10 @@ web_modules/
 .env.local
 .envrc
 
+# Local mise overrides (CipherStash credentials, etc.)
+mise.local.toml
+.mise.local.toml
+
 # parcel-bundler cache (https://parceljs.org/)
 
 .parcel-cache
@@ -215,6 +219,10 @@ eql--*.sql
 # Generated SQLx migration (built from src/, never commit)
 tests/sqlx/migrations/001_install_eql.sql
 
+# Generated SQLx fixtures (regenerated via `mise run fixture:generate`,
+# never commit — stale fixtures hide bugs)
+tests/sqlx/fixtures/eql_v2_int4.sql
+
 # Large generated test data files
 tests/ste_vec_vast.sql
 tests/ste_vec_*M.sql*
@@ -225,6 +233,7 @@ tests/sqlx/target/
 # Work files (agent-generated, not for version control)
 .work/
 .serena/
+docs/superpowers/
 
 # Build variants - protect variant deps
 src/deps-protect.txt

diff --git a/mise.toml b/mise.toml
@@ -14,7 +14,7 @@
 "python" = "3.13"
 
 [task_config]
-includes = ["tasks", "tasks/postgres.toml"]
+includes = ["tasks", "tasks/postgres.toml", "tasks/fixtures.toml"]
 
 [env]
 POSTGRES_DB = "cipherstash"
@@ -34,6 +34,11 @@ run = """
 
 [tasks."test:sqlx"]
 description = "Run SQLx tests with hybrid migration approach"
+# `build` produces release/cipherstash-encrypt.sql, which is then cp'd into
+# tests/sqlx/migrations/001_install_eql.sql below. Without this dep, a stale
+# release artifact silently ships an old EQL extension into the test DB and
+# regression-guard migrations (e.g. 003_install_ste_vec_data.sql) fail.
+depends = ["build"]
 dir = "{{config_root}}"
 run = """
 # Copy built SQL to SQLx migrations (EQL install is generated, not static)
@@ -45,7 +50,18 @@ echo "Running SQLx migrations..."
 cd tests/sqlx
 sqlx migrate run
 
+# Regenerate fixtures every run — they are not committed (see .gitignore).
+# Generator encrypts via cipherstash-client directly, which needs BOTH a
+# ZeroKMS auth credential (CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN, via
+# AutoStrategy) AND a client key (CS_CLIENT_ID + CS_CLIENT_KEY, via
+# EnvKeyProvider) in the shell environment. Auth and key material are
+# separate roles — the two pairs are not alternatives.
+echo "Regenerating SQLx fixtures..."
+cd "{{config_root}}"
+mise run fixture:generate eql_v2_int4
+
 echo "Running Rust tests..."
+cd tests/sqlx
 cargo test
 """
 

diff --git a/tasks/fixtures.toml b/tasks/fixtures.toml
@@ -0,0 +1,25 @@
+["fixture:generate"]
+description = "Generate a SQLx fixture script via cipherstash-client"
+# Runs the gated generator for the named fixture. Writes
+# tests/sqlx/fixtures/<fixture>.sql. Must run inside the crate — there is no
+# root Cargo.toml — matching test:schema / test:sqlx:watch.
+#
+# Prerequisites:
+#   - mise run postgres:up   (Postgres with EQL installed)
+#   - CS_* credentials in the shell environment. The generator needs BOTH
+#     pairs — they are not alternatives:
+#       CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN  ZeroKMS auth (AutoStrategy)
+#       CS_CLIENT_ID + CS_CLIENT_KEY             client key (EnvKeyProvider)
+#
+# Usage: mise run fixture:generate eql_v2_int4
+dir = "{{config_root}}/tests/sqlx"
+run = """
+fixture="{{arg(name="fixture")}}"
+case "$fixture" in
+  (*[!a-z0-9_]*|'') echo "Invalid fixture name: $fixture (expected [a-z0-9_]+)" >&2; exit 1 ;;
+esac
+
+cargo test --features fixture-gen --lib \
+  "fixtures::${fixture}::generate" \
+  -- --ignored --exact --nocapture
+"""