feat(stack): protect-ffi 0.26.0 + auth 0.39 OidcFederationStrategy (stacked on #496) #497
Changeset detected. Latest commit: fa7b656. The changes in this PR will be included in the next version bump. This PR includes changesets to release 6 packages.
Pull request overview
This PR upgrades Stack’s Protect/Auth dependencies and updates the identity-bound encryption flow to match protect-ffi ≥0.25’s removal of per-operation serviceToken, moving authentication to a client-level config.strategy (notably via OidcFederationStrategy) while keeping lock context as a pure { identityClaim } value.
Changes:
- Bump `@cipherstash/protect-ffi` to `0.26.0` and `@cipherstash/auth` to `0.39.0`, updating workspace config to use `workspaceCrn` consistently (including `/wasm-inline`).
- Replace the lock-context “token ceremony” with a synchronous lock-context resolution (`.withLockContext({ identityClaim })` or `LockContext`), and stop forwarding `serviceToken` in all operations.
- Re-export auth strategies from `@cipherstash/stack` (and selected ones from `/wasm-inline`), add wiring tests to ensure `identityClaim` is forwarded and `serviceToken` is never sent.
Reviewed changes
Copilot reviewed 34 out of 35 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| README.md | Updates identity-aware encryption docs to the strategy-based approach. |
| pnpm-workspace.yaml | Bumps @cipherstash/auth* catalog versions to 0.39.0. |
| pnpm-lock.yaml | Regenerated lockfile reflecting new auth/protect versions and optional deps. |
| packages/stack/src/wasm-inline.ts | Switches WASM config to workspaceCrn, supports OIDC strategy, updates protect-ffi wasm newClient call shape, and re-exports strategies. |
| packages/stack/src/types.ts | Re-exports protect-ffi AuthStrategy type and adds ClientConfig.strategy. |
| packages/stack/src/types-public.ts | Exposes AuthStrategy in public type surface. |
| packages/stack/src/index.ts | Re-exports auth strategies from @cipherstash/auth in an ESM-compatible way. |
| packages/stack/src/identity/index.ts | Adds LockContextInput + resolveLockContext, deprecates old token ceremony methods, makes CTS token optional in response type. |
| packages/stack/src/encryption/operations/encrypt.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/operations/encrypt-query.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/operations/encrypt-model.ts | Uses synchronous lock-context resolution and passes Context through model helpers. |
| packages/stack/src/encryption/operations/decrypt.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/operations/decrypt-model.ts | Uses synchronous lock-context resolution and passes Context through model helpers. |
| packages/stack/src/encryption/operations/bulk-encrypt.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/operations/bulk-encrypt-models.ts | Uses synchronous lock-context resolution and passes Context through model helpers. |
| packages/stack/src/encryption/operations/bulk-decrypt.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/operations/bulk-decrypt-models.ts | Uses synchronous lock-context resolution and passes Context through model helpers. |
| packages/stack/src/encryption/operations/batch-encrypt-query.ts | Uses synchronous lock-context resolution; removes serviceToken forwarding. |
| packages/stack/src/encryption/index.ts | Plumbs optional config.strategy into protect-ffi newClient and documents identity-bound usage. |
| packages/stack/src/encryption/helpers/model-helpers.ts | Removes CTS token plumbing from model bulk encrypt/decrypt helpers. |
| packages/stack/package.json | Bumps protect-ffi and adds optionalDependencies for auth platform binaries. |
| packages/stack/tests/lock-context.test.ts | Rewrites live identity-bound tests to use OidcFederationStrategy + { identityClaim }. |
| packages/stack/tests/lock-context-wiring.test.ts | Adds offline mocks ensuring identityClaim is forwarded and serviceToken is never sent. |
| packages/stack/tests/init-strategy.test.ts | Adds tests verifying config.strategy is forwarded to protect-ffi newClient. |
| packages/stack/tests/fixtures/index.ts | Simplifies lock-context fixtures to a plain { identityClaim } input. |
| packages/stack/tests/encrypt-query.test.ts | Updates lock-context tests to use plain { identityClaim } input and removes CTS-token-failure cases. |
| packages/stack/tests/encrypt-query-searchable-json.test.ts | Updates lock-context tests to use plain { identityClaim } input and removes CTS-token-failure cases. |
| examples/supabase-worker/supabase/functions/cipherstash-roundtrip/index.ts | Updates example config to use CS_WORKSPACE_CRN (no CS_REGION). |
| examples/supabase-worker/README.md | Updates env setup instructions to include CS_WORKSPACE_CRN. |
| examples/supabase-worker/.env.example | Updates example env file to use CS_WORKSPACE_CRN and remove CS_REGION. |
| e2e/wasm/roundtrip.test.ts | Updates WASM e2e to require/use CS_WORKSPACE_CRN and drop explicit region. |
| e2e/wasm/deno.json | Pins protect/auth wasm-inline imports to 0.26.0 / 0.39.0. |
| AGENTS.md | Updates guidance to the strategy-based identity-aware encryption flow. |
| .github/workflows/tests.yml | Exposes CS_WORKSPACE_CRN to wasm e2e job and asserts it’s present. |
| .changeset/stack-protect-ffi-0-26-oidc-strategy.md | Adds release notes for the dependency bumps and new identity-bound strategy flow. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (1)
packages/stack/tests/lock-context.test.ts:145
- This test tries to assert that decrypting without the lock context fails, but `decryptModel()` returns a Result (it doesn’t throw). As written, the try/catch never runs and the test will pass without asserting anything. Assert on the returned Result’s `failure` instead.
```ts
try {
  await protectClient.decryptModel(encryptedModel.data)
} catch (error) {
  const e = error as Error
  expect(e.message.startsWith('Failed to retrieve key')).toEqual(true)
}
```
protect-ffi 0.25.0 is a breaking release for both entries:

WASM (@cipherstash/stack/wasm-inline):
- newClient(strategy, opts) -> newClient(opts) with strategy nested.
- Config takes a workspaceCrn instead of region; the AccessKeyStrategy region is derived from the CRN (crn:<region>:<workspace-id>). CS_REGION is no longer consulted; set CS_WORKSPACE_CRN.

Node:
- serviceToken removed from the encrypt/decrypt/query option types (and the CtsToken export). The per-operation CTS token is no longer forwarded; lock contexts still travel as lockContext.identityClaim. Public LockContext/identify() API is unchanged.

Adds offline lock-context wiring tests (mock protect-ffi) asserting every operation forwards identityClaim and never sends serviceToken, plus extractRegionFromCrn unit tests. Updates the Deno e2e test, Supabase example, and wasm-e2e CI job to CS_WORKSPACE_CRN.
protect-ffi 0.25 lets newClient take an AuthStrategy (any
{ getToken(): Promise<{ token }> } object). Expose it on the Node
Encryption client via config.strategy: when supplied, getToken() is
invoked on every ZeroKMS request, taking precedence over the
credentials-derived default (clientKey is still used for encryption).
Omitting it preserves existing credentials/env behaviour.
Kept on init (rather than a separate initWithStrategy) so a future
keyProvider option can land in the same config. AuthStrategy is
re-exported from @cipherstash/stack for consumers to type their own.
…lace lock-context ceremony
Supersedes the 0.25.0 bump with protect-ffi 0.26.0 (API-identical; internal
fixes only) and @cipherstash/auth 0.39.0, and uses the new
OidcFederationStrategy to replace the lock-context token ceremony with a
strategy-based approach for identity-bound encryption.
- bump @cipherstash/protect-ffi 0.25.0 -> 0.26.0; @cipherstash/auth catalog
(and platform entries) 0.38.0 -> 0.39.0; e2e/wasm/deno.json pins; lockfile
- .withLockContext() now accepts a plain { identityClaim } (or a LockContext)
and resolves the claim synchronously — no CTS token, no identify() call
- deprecate LockContext.identify() / getLockContext(); the client strategy
(OidcFederationStrategy) now handles user token acquisition
- re-export OidcFederationStrategy/AccessKeyStrategy/AutoStrategy/
DeviceSessionStrategy from @cipherstash/stack, and the strategies from
@cipherstash/stack/wasm-inline
- broaden the wasm-inline config strategy type to accept OidcFederationStrategy
- declare @cipherstash/auth platform optionalDependencies (auth ships them as
optional peer deps, not auto-installed) so the re-exported Node strategies
resolve their native binding for consumers
- update wiring/init/live tests, JSDoc, AGENTS.md, README, changeset
…Dependencies

The optionalDependencies block added to packages/stack/package.json was not reflected in pnpm-lock.yaml, breaking `pnpm install --frozen-lockfile` in CI.
@cipherstash/auth 0.39 changed AccessKeyStrategy.create(region, accessKey) to AccessKeyStrategy.create(workspaceCrn, accessKey) — it derives the region from the CRN itself. The wasm-inline resolveStrategy still passed a derived region, so the Deno WASM e2e failed with 'Invalid CRN: <region>'. Pass the CRN directly and drop the now-obsolete extractRegionFromCrn helper + tests. (OidcFederationStrategy.create still takes region + workspaceId.)
…ext tests
- index.ts: @cipherstash/auth's Node entry is CJS with `module.exports =
{ ...native }`; the spread defeats cjs-module-lexer so a static
`export { AccessKeyStrategy } from` throws 'Named export not found' under
real Node ESM (the E2E cli failure). Default-import the module (which is
module.exports at runtime, all names present) and re-export each binding
explicitly, with instance types for the strategy classes.
- encrypt-query / encrypt-query-searchable-json tests + fixtures: the ops no
longer call getLockContext(); .withLockContext() takes a plain
{ identityClaim }. createMockLockContext() now returns that shape; dropped
the getLockContext spy assertions and the obsolete failure / null-context
cases (resolveLockContext is synchronous and cannot fail).
1efdd03 to a23fe7e
Actionable comments posted: 3
Inline comments:
In `@packages/stack/src/encryption/operations/batch-encrypt-query.ts`:
- Around line 207-209: The resolveLockContext call is positioned outside the
withResult wrapper, which allows resolution errors to escape instead of being
caught and returned as a failure Result. Move the
resolveLockContext(this.lockContext) call from before the withResult statement
into the callback function that is passed to withResult, so that any errors
during lock context resolution are properly wrapped and returned as { failure }
according to the Result contract required by the encryption operations
guidelines.
In `@packages/stack/src/encryption/operations/encrypt-query.ts`:
- Around line 151-153: Move the resolveLockContext(this.lockContext) call inside
the withResult callback to ensure backward-compatible LockContext resolution
errors are properly caught and converted to the Result contract shape { failure
}. The context resolution should happen as the first step within the async
callback passed to withResult, matching the pattern used in other migrated
encryption operations in this codebase. This ensures all potential failures are
wrapped in the Result contract rather than rejecting before withResult can
handle them.
In `@packages/stack/src/identity/index.ts`:
- Around line 66-67: The OIDC example using OidcFederationStrategy.create() at
lines 66–67 uses the outdated signature with separate region and workspaceId
parameters. Update the example to use the current signature where workspaceCrn
is passed as the first parameter instead of region and workspaceId, while
keeping the callback function () => getJwt() as the second parameter to match
the `@cipherstash/auth` v0.39.0+ API.
auxesis left a comment
Test-coverage review — PR #497 (protect-ffi 0.26 / auth 0.39, strategy-based lock context)
Verdict: Strong test coverage for the core change. The new lock-context-wiring.test.ts exhaustively asserts that every operation forwards identityClaim and never re-introduces serviceToken, and init-strategy.test.ts covers config.strategy forwarding well. Two gaps are clearly worth closing: the PR's headline auth-strategy re-exports have no test guarding the deliberate ESM workaround, and the new central resolveLockContext branch has no direct unit test that distinguishes a constructed claim from the default.
No crypto/security concerns to flag — the change removes the per-operation CTS token entirely and moves auth onto the client strategy, which is a design decision reviewed elsewhere.
Additional coverage gaps not posted inline
- `packages/stack/src/identity/index.ts:187` — `getLockContext()`'s contract changed: the guard that threw when no CTS token was set has been removed, and `ctsToken` may now be `undefined`. No test asserts the new non-throwing behaviour. It's a deprecated method (low priority), but a cheap regression test would lock it down: `const r = await new LockContext().getLockContext(); expect(r.failure).toBeUndefined(); expect(r.data.ctsToken).toBeUndefined()` (with `CS_WORKSPACE_CRN` set).
- `packages/stack/src/wasm-inline.ts:374` — the WASM `Encryption` `accessKey` + `workspaceCrn` path now builds `AccessKeyStrategy.create(cfg.workspaceCrn, …)` (region derived from the CRN, replacing the old `region` field). This is only covered by the gated Deno e2e (`e2e/wasm/roundtrip.test.ts`), which skips without real `CS_*` secrets. There's no offline unit test — mirroring `wasm-inline-normalize.test.ts` — asserting the CRN reaches `AccessKeyStrategy.create` (or that `strategy` + `accessKey` together still throw).
- `packages/stack/__tests__/lock-context-wiring.test.ts` — the plain `{ identityClaim }` input (as opposed to a `LockContext` instance) is only asserted for `encrypt`/`decrypt`; the model/bulk/query operations are exercised only with a `LockContext`. Low risk since they all funnel through `resolveLockContext`, but the alternate-input axis is lopsided across the 11 operations.
…egy takes workspaceCrn

Picks up the CRN-based OidcFederationStrategy that shipped in @cipherstash/auth 0.40.0 (cipherstash-suite#2049, CIP-3201): create() now takes a single workspaceCrn instead of (region, workspaceId), matching AccessKeyStrategy. Simplifies the strategy wiring uniformly.
- catalog: @cipherstash/auth* 0.39.0 → 0.40.0 (+ lockfile)
- lock-context test passes the CRN straight through; drops the local region/workspace-id splitter
- update OidcFederationStrategy.create examples (node + wasm-inline) and the changeset to the workspaceCrn signature
Bumped

For context: the standalone CIP-3245 PR (#528) and a LockContext follow-up issue (#529) were opened against this work and then closed as redundant — this PR already covers both.
Code-review caught three trailing inconsistencies after the 0.39 → 0.40 catalog bump:
- e2e/wasm/deno.json: the Deno import map still pinned @cipherstash/auth@0.39.0/wasm-inline, so the WASM E2E job (the only CI that executes the auth WASM path) was resolving 0.39, not the 0.40 this PR ships. Bumped to 0.40.0.
- package.json: the duplicate `workspaces.catalogs.repo` block (read by npm/Bun, ignored by pnpm) still pinned @cipherstash/auth 0.35.0, contradicting pnpm-workspace.yaml. Synced the auth entry to 0.40.0. (The block's other entries are independently stale — pre-existing, left for a separate cleanup.)
- changeset: reworded "0.40 adds OidcFederationStrategy" — the strategy was added in 0.39; 0.40 reworked its constructor to take a workspaceCrn.
Add offline unit tests for the surfaces auxesis flagged as untested:
- auth-reexports.test.ts: assert the four strategy re-exports from
@cipherstash/stack resolve to the real @cipherstash/auth binding,
guarding the deliberate ESM default-import workaround in src/index.ts
(a naive `export { X } from` goes undefined under Node ESM).
- resolve-lock-context.test.ts: directly unit-test resolveLockContext
(the synchronous funnel that replaced the old getLockContext() flow) so
a regression returning the default ['sub'] instead of the constructed
claim is caught; plus a regression for getLockContext()'s now
non-throwing, ctsToken-optional contract.
- wasm-inline-strategy.test.ts: export resolveStrategy and assert the
workspace CRN reaches AccessKeyStrategy.create, an explicit strategy is
used verbatim, and strategy+accessKey still throw — the access-key path
was only covered by the gated Deno e2e.
- lock-context-wiring.test.ts: add plain { identityClaim } cases for the
per-payload and per-query placement shapes.
No production behaviour change (resolveStrategy gains an `export`).
Actionable comments posted: 1
Inline comments:
In `@packages/stack/__tests__/wasm-inline-strategy.test.ts`:
- Around line 61-70: The current test for resolveStrategy only asserts the
mutual-exclusion error, so it can still pass even if AccessKeyStrategy.create()
is invoked first. Update the test around resolveStrategy in
wasm-inline-strategy.test.ts to also assert that strategy construction is not
reached when both accessKey and strategy are present, using a spy/mock on
AccessKeyStrategy.create or an equivalent construction path and verifying it is
never called before the error is thrown.
…trategy

WasmClientConfig required workspaceCrn unconditionally, but the strategy path never reads it — resolveStrategy only consumes workspaceCrn on the access-key arm (to build AccessKeyStrategy), and a pre-built strategy (e.g. OidcFederationStrategy.create(workspaceCrn, …)) already encapsulates the CRN and region. Move workspaceCrn into the discriminated-union arms: required with accessKey, optional with strategy. This also makes the OIDC JSDoc example (which omits workspaceCrn) typecheck, resolving the Copilot review comment on the example. No runtime change.
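As an added example (not the project's code), a model of the WasmClientConfig union and the resolveStrategy guard the commit above and the wasm-inline-strategy tests describe. The AccessKeyStrategy.create factory is injected as a parameter (an assumption, so it can be spied on offline) and the CRN value is constructed:

```typescript
// Modelled after the PR's description; not the project's wasm-inline.ts.
// AuthStrategy is the shape the PR names: any object exposing getToken().
export interface AuthStrategy {
  getToken(): Promise<{ token: string }>;
}

// workspaceCrn is required on the access-key arm (the strategy is built from it)
// and optional on the strategy arm (a pre-built strategy already carries CRN + region).
export type WasmClientConfig =
  | { accessKey: string; workspaceCrn: string; strategy?: undefined }
  | { strategy: AuthStrategy; workspaceCrn?: string; accessKey?: undefined };

// Stand-in for AccessKeyStrategy.create(workspaceCrn, accessKey) from
// @cipherstash/auth 0.39+, injected so a test can observe whether it is reached.
export type AccessKeyFactory = (workspaceCrn: string, accessKey: string) => AuthStrategy;

export function resolveStrategy(
  cfg: WasmClientConfig,
  createAccessKeyStrategy: AccessKeyFactory,
): AuthStrategy {
  // Widen deliberately: JS callers can bypass the union, so the guard runs on the raw shape.
  const raw = cfg as { accessKey?: string; workspaceCrn?: string; strategy?: AuthStrategy };
  // Mutual exclusion is checked first, before any strategy construction.
  if (raw.strategy !== undefined && raw.accessKey !== undefined) {
    throw new Error('WasmClientConfig: provide either accessKey or strategy, not both');
  }
  if (raw.strategy !== undefined) return raw.strategy; // explicit strategy used verbatim
  if (raw.accessKey === undefined || raw.workspaceCrn === undefined) {
    throw new Error('WasmClientConfig: accessKey requires workspaceCrn');
  }
  return createAccessKeyStrategy(raw.workspaceCrn, raw.accessKey);
}

// Minimal spy factory: records each (crn, accessKey) pair it is asked to build.
export function makeSpyFactory() {
  const calls: Array<[string, string]> = [];
  const factory: AccessKeyFactory = (crn, key) => {
    calls.push([crn, key]);
    return { getToken: async () => ({ token: `access-key-token-for:${crn}` }) };
  };
  return { factory, calls };
}

// Exercises the three cases from the test plan: CRN reaches the factory,
// explicit strategy used verbatim, both present throws before construction.
export function runScenarios() {
  const spy = makeSpyFactory();
  const crn = 'crn:ap-southeast-2.aws:EXAMPLE-WORKSPACE-ID'; // constructed, crn:<region>:<workspace-id>
  resolveStrategy({ accessKey: 'ak-test', workspaceCrn: crn }, spy.factory);
  const explicit: AuthStrategy = { getToken: async () => ({ token: 'user-jwt-derived' }) };
  const viaStrategy = resolveStrategy({ strategy: explicit }, spy.factory);
  let threw = false;
  try {
    const both = { accessKey: 'ak-test', workspaceCrn: crn, strategy: explicit };
    resolveStrategy(both as unknown as WasmClientConfig, spy.factory);
  } catch {
    threw = true;
  }
  return {
    crnSeen: spy.calls[0]?.[0],
    factoryCalls: spy.calls.length, // 1: the guard short-circuits the "both" case
    usedVerbatim: viaStrategy === explicit,
    threw,
  };
}
```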
…ery ops
encrypt-query and batch-encrypt-query resolved the lock context before the
withResult wrapper, unlike the other 8 migrated operations which resolve it
inside the callback. Move the resolveLockContext call inside so any failure
is captured as a { failure } Result, matching the rest and the Result-contract
guideline. resolveLockContext is synchronous today so this is a no-op at
runtime — it's consistency + defense-in-depth.
Also strengthen the wasm-inline resolveStrategy mutual-exclusion test to assert
AccessKeyStrategy.create is never called, proving the guard short-circuits
before strategy construction.
Addresses the remaining CodeRabbit comments on #497.
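As an added example (not the project's code), a model of the Result contract and the resolveLockContext placement fix the commit above and the earlier CodeRabbit comments describe. withResult, the LockContext shape and the ffiEncrypt stand-in are assumptions, and the empty-claim validation is added only so the wrapper has something to catch:

```typescript
// Modelled after the PR's description; not the project's encryption operations.
export type Result<T> =
  | { data: T; failure?: undefined }
  | { data?: undefined; failure: { message: string } };

// A LockContext-shaped object, as opposed to the plain { identityClaim } input.
export interface LockContextLike {
  getIdentityClaim(): string[];
}
export type LockContextInput = { identityClaim: string[] } | LockContextLike;

// Default claim when no lock context is supplied (the PR names ['sub']).
export const DEFAULT_IDENTITY_CLAIM = ['sub'];

// Synchronous funnel that replaced the old getLockContext() flow. The empty-claim
// check is an added assumption; the real function is described as unable to fail.
export function resolveLockContext(input?: LockContextInput): { identityClaim: string[] } {
  if (input === undefined) return { identityClaim: DEFAULT_IDENTITY_CLAIM };
  const identityClaim = 'identityClaim' in input ? input.identityClaim : input.getIdentityClaim();
  if (identityClaim.length === 0) throw new Error('identityClaim must name at least one claim');
  return { identityClaim };
}

// Result wrapper: anything thrown inside the callback comes back as { failure }.
export async function withResult<T>(fn: () => Promise<T>): Promise<Result<T>> {
  try {
    return { data: await fn() };
  } catch (e) {
    return { failure: { message: e instanceof Error ? e.message : String(e) } };
  }
}

// Stand-in for the protect-ffi encrypt call. It records every option object it
// receives so a test can check identityClaim is forwarded and serviceToken absent.
export interface FfiEncryptOpts {
  plaintext: string;
  lockContext?: { identityClaim: string[] };
  serviceToken?: string; // removed from the real types in protect-ffi >= 0.25; kept only to assert absence
}
export const ffiCalls: FfiEncryptOpts[] = [];
async function ffiEncrypt(opts: FfiEncryptOpts): Promise<string> {
  ffiCalls.push(opts);
  return `enc(${opts.plaintext}|${opts.lockContext?.identityClaim.join(',') ?? ''})`;
}

// Before the fix: resolved outside withResult, so a throw rejects the promise
// and the caller never receives a { failure } Result.
export async function encryptBefore(plaintext: string, lc?: LockContextInput): Promise<Result<string>> {
  const lockContext = resolveLockContext(lc);
  return withResult(() => ffiEncrypt({ plaintext, lockContext }));
}

// After the fix: resolution is the first step inside the callback, matching the
// other migrated operations, so the same error is captured as { failure }.
export async function encryptAfter(plaintext: string, lc?: LockContextInput): Promise<Result<string>> {
  return withResult(async () => {
    const lockContext = resolveLockContext(lc);
    return ffiEncrypt({ plaintext, lockContext });
  });
}

// Drives both input shapes through the fixed path, and the bad input through both paths.
export async function demo() {
  const plain = await encryptAfter('hi', { identityClaim: ['email'] });
  const lockCtx = await encryptAfter('hi', { getIdentityClaim: () => ['sub', 'org'] });
  const bad = await encryptAfter('hi', { identityClaim: [] });
  const beforeRejected = await encryptBefore('hi', { identityClaim: [] }).then(() => false, () => true);
  return { plain, lockCtx, bad, beforeRejected };
}
```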
Reflects the auth changes in #497: replace the deprecated LockContext.identify() ceremony with client-level OidcFederationStrategy + .withLockContext({ identityClaim }), which makes every OIDC provider (Clerk, Supabase, Auth0, Okta) first-class.
Stacked on top of #496 (`feat/stack-wasm-inline`) — review/merge that first; this PR's base is the #496 branch, not `main`.

Supersedes the earlier 0.25.0 work: bumps to `@cipherstash/protect-ffi@0.26.0` and `@cipherstash/auth@0.39.0`, and uses the new `OidcFederationStrategy` to replace the lock-context token ceremony with a simpler, strategy-based approach for identity-bound encryption.

1. Version bumps

- `@cipherstash/protect-ffi` 0.25.0 → 0.26.0. The public TypeScript API is identical to 0.25.0 (verified by diffing the published `lib/index.d.cts`); 0.26.0 is internal fixes only (per-isolate Neon `Channel` cleanup, `try_catch` around the JS `getToken`).
- `@cipherstash/auth` catalog (and the six platform entries) 0.38.0 → 0.39.0, which adds `OidcFederationStrategy`.
- `e2e/wasm/deno.json` pins + `pnpm-lock.yaml` regenerated.

2. Strategy-based, identity-bound encryption (replaces the ceremony)

protect-ffi 0.25 removed the per-operation `serviceToken`, which left the old `LockContext` ceremony half-broken: `identify()` fetched a CTS token the operations no longer sent, so the request authenticated as the service while `identityClaim` asked ZeroKMS to bind to a user it couldn't verify.

- `OidcFederationStrategy` and `identityClaim` compose: the strategy federates the end user's OIDC JWT into a CTS token at the client level (so requests authenticate as the user), and `identityClaim` still selects which claim ZeroKMS bakes into the data-key tag.
- `.withLockContext()` now accepts a plain `{ identityClaim }` (or a `LockContext`) and resolves the claim synchronously — no CTS token, no `identify()` call.
- `LockContext.identify()` / `getLockContext()` are deprecated (kept for back-compat); the client strategy handles token acquisition.
- `config.strategy` and existing credential/env behaviour is unchanged; existing `.withLockContext(lockContext)` call sites still compile.

3. Strategy re-exports

- `OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy` re-exported from `@cipherstash/stack`; `OidcFederationStrategy`/`AccessKeyStrategy` from `@cipherstash/stack/wasm-inline` (+ the wasm `config.strategy` type broadened to accept either). Integrators no longer need a separate `@cipherstash/auth` install.
- `@cipherstash/stack` now declares the `@cipherstash/auth-<platform>` packages as `optionalDependencies` — `@cipherstash/auth` ships them as optional peer deps (not auto-installed), so this is required for the re-exported Node strategies to resolve their native binding for consumers.

Also updated

- `lock-context-wiring.test.ts` — asserts both a `LockContext` and a plain `{ identityClaim }` forward `identityClaim`, and `serviceToken` is still never sent.
- `init-strategy.test.ts` — adds an `OidcFederationStrategy`-shaped forwarding case.
- `lock-context.test.ts` — live (`USER_JWT`-gated) round-trip rewritten to use `OidcFederationStrategy` + `.withLockContext({ identityClaim })`, confirming per-user binding.
- JSDoc (`Encryption()`, `LockContext`, `ClientConfig.strategy`), `AGENTS.md`, `README.md`, changeset.

Summary by CodeRabbit
Release Notes

- New Features: `OidcFederationStrategy`; `config.strategy` to drive ZeroKMS authentication; `.withLockContext({ identityClaim })` (plain input or `LockContext`).
- Documentation: `CS_WORKSPACE_CRN` as the single source of truth (WASM/edge setup updated accordingly).
- Deprecations: `LockContext.identify()` and `LockContext.getLockContext()` remain deprecated.
- Chores / Tests: `CS_WORKSPACE_CRN`; minor auth/protect-ffi bumps.