9 changes: 0 additions & 9 deletions .changeset/native-binary-guards.md

This file was deleted.

32 changes: 0 additions & 32 deletions .changeset/stack-protect-ffi-0-26-oidc-strategy.md

This file was deleted.

7 changes: 7 additions & 0 deletions examples/basic/CHANGELOG.md
@@ -1,5 +1,12 @@
# @cipherstash/basic-example

## 1.2.13

### Patch Changes

- Updated dependencies [35b9ed6]
- @cipherstash/stack@0.19.0

## 1.2.12

### Patch Changes
2 changes: 1 addition & 1 deletion examples/basic/package.json
@@ -1,7 +1,7 @@
{
"name": "@cipherstash/basic-example",
"private": true,
"version": "1.2.12",
"version": "1.2.13",
"type": "module",
"scripts": {
"start": "tsx index.ts"
8 changes: 8 additions & 0 deletions examples/prisma/CHANGELOG.md
@@ -1,5 +1,13 @@
# @cipherstash/prisma-next-example

## 0.0.5

### Patch Changes

- Updated dependencies [35b9ed6]
- @cipherstash/stack@0.19.0
- @cipherstash/prisma-next@0.3.2

## 0.0.4

### Patch Changes
2 changes: 1 addition & 1 deletion examples/prisma/package.json
@@ -1,7 +1,7 @@
{
"name": "@cipherstash/prisma-next-example",
"private": true,
"version": "0.0.4",
"version": "0.0.5",
"description": "End-to-end example of @cipherstash/prisma-next: searchable application-layer encryption for Postgres with Prisma Next, using @cipherstash/stack as the SDK.",
"type": "module",
"scripts": {
7 changes: 7 additions & 0 deletions packages/bench/CHANGELOG.md
@@ -1,5 +1,12 @@
# @cipherstash/bench

## 0.0.4

### Patch Changes

- Updated dependencies [35b9ed6]
- @cipherstash/stack@0.19.0

## 0.0.3

### Patch Changes
2 changes: 1 addition & 1 deletion packages/bench/package.json
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/bench",
"version": "0.0.3",
"version": "0.0.4",
"private": true,
"description": "Performance / index-engagement benchmarks for stack integrations (Drizzle, encryptedSupabase, Prisma).",
"type": "module",
14 changes: 14 additions & 0 deletions packages/cli/CHANGELOG.md
@@ -1,5 +1,19 @@
# @cipherstash/cli

## 0.17.0

### Minor Changes

- eb94ac8: Add guards for missing native binaries. When npm skips the platform-specific
optional dependency (a known npm bug), stash now prints actionable fix
guidance instead of a raw `MODULE_NOT_FOUND` stack trace. Adds a new
`stash doctor` command that diagnoses the runtime and native modules and works
even when a binary is missing.

### Patch Changes

- @cipherstash/migrate@0.2.0

## 0.16.0

### Minor Changes
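
Review bot: In the 0.17.0 Patch Changes list, `@cipherstash/migrate@0.2.0` appears without the `Updated dependencies [...]` line and commit reference that the other changelogs in this release carry, so a reader cannot tell which change produced the new migrate version. If it is a linked or fixed-version release, say so in the entry, otherwise add the reference. Separately, the eb94ac8 entry cites "a known npm bug" without naming it; linking the upstream issue would let users check whether their npm version is affected.
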
2 changes: 1 addition & 1 deletion packages/cli/package.json
@@ -1,6 +1,6 @@
{
"name": "stash",
"version": "0.16.0",
"version": "0.17.0",
"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
"repository": {
"type": "git",
7 changes: 7 additions & 0 deletions packages/prisma-next/CHANGELOG.md
@@ -1,5 +1,12 @@
# @cipherstash/prisma-next

## 0.3.2

### Patch Changes

- Updated dependencies [35b9ed6]
- @cipherstash/stack@0.19.0

## 0.3.1

### Patch Changes
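
Review bot: The 0.3.2 entry records the move to `@cipherstash/stack@0.19.0` as a patch, but the stack 0.19.0 entry in this same release describes `serviceToken` as gone from the encrypt / decrypt / query option types and deprecates `LockContext.identify()` / `getLockContext()`. If `@cipherstash/prisma-next` exposes or forwards any of those, this should be a minor bump with a migration line; if it does not, a one-line statement here that its public surface is unaffected would make the patch classification verifiable.
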
2 changes: 1 addition & 1 deletion packages/prisma-next/package.json
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/prisma-next",
"version": "0.3.1",
"version": "0.3.2",
"license": "MIT",
"author": "CipherStash <support@cipherstash.com>",
"description": "CipherStash extension for Prisma Next: searchable application-layer field-level encryption for Postgres, with six encrypted column types, 17 query operators, bulk encrypt/decrypt middleware, and a baseline migration that installs the vendored EQL bundle SQL byte-for-byte.",
33 changes: 33 additions & 0 deletions packages/stack/CHANGELOG.md
@@ -1,5 +1,38 @@
# @cipherstash/stack

## 0.19.0

### Minor Changes

- 35b9ed6: Bump `@cipherstash/protect-ffi` to `0.26.0` and `@cipherstash/auth` to `0.40.0`, and replace the lock-context token ceremony with a strategy-based approach for identity-bound encryption.

**protect-ffi `0.26.0`** supersedes `0.25.0`. The public API is unchanged from `0.25` (internal fixes only). As in `0.25`, `serviceToken` is gone from the encrypt / decrypt / query option types; auth flows through the client's strategy / credentials, and lock contexts travel as `lockContext.identityClaim`. The WASM-inline path takes a single options object with the auth strategy nested under `strategy`, and `Encryption()` config uses **`workspaceCrn`** (`CS_WORKSPACE_CRN`) as the single source of truth — `CS_REGION` is no longer consulted. On that path `workspaceCrn` is required only alongside an `accessKey` (it derives the region); with a pre-built `strategy` it is **optional**, since the strategy already carries the CRN.

**Strategy-based, identity-bound encryption.** `OidcFederationStrategy` federates an end user's third-party OIDC JWT (Clerk, Supabase, Auth0, …) into a CTS service token. As of `@cipherstash/auth` `0.40` it takes a `workspaceCrn` (region derived from the CRN), matching `AccessKeyStrategy`. Pass it as `config.strategy` so every ZeroKMS request authenticates _as that user_, then bind the data key to a claim with `.withLockContext({ identityClaim })`:

```ts
import { Encryption, OidcFederationStrategy } from "@cipherstash/stack";

const client = await Encryption({
schemas: [users],
config: {
strategy: OidcFederationStrategy.create(workspaceCrn, () => getUserJwt()),
},
});

await client
.encrypt("alice@example.com", { column: users.email, table: users })
.withLockContext({ identityClaim: ["sub"] });
```

This replaces the old ceremony (`new LockContext()` → `await lc.identify(jwt)` → `.withLockContext(lc)`), which relied on a per-operation CTS token that protect-ffi removed in `0.25`.

- **`.withLockContext()`** now accepts a plain `{ identityClaim }` object (as well as a `LockContext`) and no longer requires a CTS token or an `identify()` call — it carries the identity claim only.
- **`LockContext.identify()` / `getLockContext()`** are **deprecated** (kept for backwards compatibility); the strategy handles token acquisition.
- **Strategies are re-exported** from `@cipherstash/stack` (`OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy`) and from `@cipherstash/stack/wasm-inline` (`OidcFederationStrategy`, `AccessKeyStrategy`) so integrators don't need a separate `@cipherstash/auth` install. `AuthStrategy` remains re-exported for the structural type.

Existing credential / env behaviour is preserved when `config.strategy` is omitted.

## 0.18.0

### Minor Changes
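
Review bot: The `.withLockContext()` bullet says it "no longer requires a CTS token or an `identify()` call" and "carries the identity claim only", but the entry never states what happens when `{ identityClaim }` is used on a client whose `config.strategy` is omitted or is an `AccessKeyStrategy`. Since the closing line says existing credential / env behaviour is preserved without a strategy, a caller migrating from the old ceremony could drop `identify(jwt)` and keep `.withLockContext(...)` on a client that does not authenticate as the end user. Please state whether that combination is rejected or silently accepted, and what the deprecated `LockContext.identify()` now does with the JWT it is given. Two smaller points: `CS_REGION` being "no longer consulted" deserves a migration line saying whether a set-but-ignored value is warned about, and the example uses `users`, `workspaceCrn` and `getUserJwt` without defining them, so a short comment on where each comes from would help.
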
2 changes: 1 addition & 1 deletion packages/stack/package.json
@@ -1,6 +1,6 @@
{
"name": "@cipherstash/stack",
"version": "0.18.0",
"version": "0.19.0",
"description": "CipherStash Stack for TypeScript and JavaScript",
"keywords": [
"encrypted",