Summary
cipherstash/stack#497 (protect-ffi 0.26 / auth 0.40) changes how identity-aware encryption is wired: it replaces the LockContext.identify(jwt) ceremony with a strategy-based model — authenticate the client as the user via config.strategy: OidcFederationStrategy.create(workspaceCrn, getJwt) and bind the data key with .withLockContext({ identityClaim }). LockContext.identify() / getLockContext() are now deprecated (kept for back-compat).
Our content/stack/** docs are written almost entirely around the deprecated ceremony and have zero coverage of the new strategy model. This issue tracks the docs work.
Sequencing: land these edits with the #497 release, not before. The deprecated model still ships today, so the current docs correctly describe the published version. The strategy model isn't released yet, so documenting it now would describe unreleased API.
Stale — built on the deprecated LockContext.identify(jwt) ceremony
| File |
What's there |
content/stack/cipherstash/encryption/identity.mdx |
The core doc. "How it works" (create → identify(jwt) → pass) + the Clerk getCtsToken / new LockContext({ ctsToken }) section. Needs to lead with the strategy model and mark identify()/getLockContext() deprecated. |
content/stack/cipherstash/encryption/supabase.mdx (~L326) |
new LockContext() + identify(userJwt). Edge = wasm-inline, so the ideal example is OidcFederationStrategy.create(workspaceCrn, getJwt, { store: cookieStore(...) }). |
content/stack/cipherstash/encryption/models.mdx (~L224) |
new LockContext() + identify(). |
content/stack/cipherstash/encryption/bulk-operations.mdx (~L168) |
new LockContext() + identify(). |
content/stack/reference/error-handling.mdx (L30, L127) |
Lists LockContext.identify() as a primary method + example. |
content/stack/reference/comparisons/aws-kms.mdx (~L132) |
new LockContext() + identify(). |
Gaps — new #497 features with no coverage
- No page documents
config.strategy / OidcFederationStrategy / AccessKeyStrategy — the headline of #497 (authenticate the client as the user; strategies re-exported from @cipherstash/stack and @cipherstash/stack/wasm-inline). Likely warrants a new "Authentication strategies" page, with the Clerk/Supabase/Auth0 federation flow.
- The plain
.withLockContext({ identityClaim }) form (no LockContext instance, no identify()) isn't shown anywhere.
Already correct — no change needed
- Config/env:
configuration.mdx + all deploy/* already use CS_WORKSPACE_CRN (CRN format), workspaceCrn, CS_CLIENT_ACCESS_KEY. The region→CRN migration is already reflected; no CS_REGION anywhere.
- No
serviceToken references (the field removed in protect-ffi 0.25+).
Bonus — pre-existing inaccuracies (not caused by #497, fix in the same pass)
content/stack/reference/use-cases/compliance.mdx and provable-access.mdx use .withLockContext({ identityToken: JWT }) — wrong arg shape (API takes { identityClaim: [...] }, not { identityToken }) and wrong chaining order (client.withLockContext(...).decrypt(...) instead of client.decrypt(...).withLockContext(...)). Already wrong against the shipped API; #497's { identityClaim } is what they were reaching for.
Source PR: cipherstash/stack#497
Summary
cipherstash/stack#497(protect-ffi 0.26 / auth 0.40) changes how identity-aware encryption is wired: it replaces theLockContext.identify(jwt)ceremony with a strategy-based model — authenticate the client as the user viaconfig.strategy: OidcFederationStrategy.create(workspaceCrn, getJwt)and bind the data key with.withLockContext({ identityClaim }).LockContext.identify()/getLockContext()are now deprecated (kept for back-compat).Our
content/stack/**docs are written almost entirely around the deprecated ceremony and have zero coverage of the new strategy model. This issue tracks the docs work.Stale — built on the deprecated
LockContext.identify(jwt)ceremonycontent/stack/cipherstash/encryption/identity.mdxidentify(jwt)→ pass) + the ClerkgetCtsToken/new LockContext({ ctsToken })section. Needs to lead with the strategy model and markidentify()/getLockContext()deprecated.content/stack/cipherstash/encryption/supabase.mdx(~L326)new LockContext()+identify(userJwt). Edge = wasm-inline, so the ideal example isOidcFederationStrategy.create(workspaceCrn, getJwt, { store: cookieStore(...) }).content/stack/cipherstash/encryption/models.mdx(~L224)new LockContext()+identify().content/stack/cipherstash/encryption/bulk-operations.mdx(~L168)new LockContext()+identify().content/stack/reference/error-handling.mdx(L30, L127)LockContext.identify()as a primary method + example.content/stack/reference/comparisons/aws-kms.mdx(~L132)new LockContext()+identify().Gaps — new #497 features with no coverage
config.strategy/OidcFederationStrategy/AccessKeyStrategy— the headline of #497 (authenticate the client as the user; strategies re-exported from@cipherstash/stackand@cipherstash/stack/wasm-inline). Likely warrants a new "Authentication strategies" page, with the Clerk/Supabase/Auth0 federation flow..withLockContext({ identityClaim })form (noLockContextinstance, noidentify()) isn't shown anywhere.Already correct — no change needed
configuration.mdx+ alldeploy/*already useCS_WORKSPACE_CRN(CRN format),workspaceCrn,CS_CLIENT_ACCESS_KEY. The region→CRN migration is already reflected; noCS_REGIONanywhere.serviceTokenreferences (the field removed in protect-ffi 0.25+).Bonus — pre-existing inaccuracies (not caused by #497, fix in the same pass)
content/stack/reference/use-cases/compliance.mdxandprovable-access.mdxuse.withLockContext({ identityToken: JWT })— wrong arg shape (API takes{ identityClaim: [...] }, not{ identityToken }) and wrong chaining order (client.withLockContext(...).decrypt(...)instead ofclient.decrypt(...).withLockContext(...)). Already wrong against the shipped API; #497's{ identityClaim }is what they were reaching for.Source PR: cipherstash/stack#497