feat(stack)!: wasm-inline takes workspaceCrn, not region (CIP-3245)#528

Closed
coderdan wants to merge 1 commit into main from dan/cip-3245-wasm-inline-support-cs_workspace_crn-derive-region-from
@coderdan coderdan commented Jun 29, 2026

Contributor

Summary

Closes #523. Brings @cipherstash/stack/wasm-inline to parity with the Node entry on workspace identity.

The WASM-inline path previously required an explicit region and ignored CS_WORKSPACE_CRN, because the underlying @cipherstash/auth/wasm-inline AccessKeyStrategy.create() took a region argument. That blocker is now resolved: @cipherstash/auth 0.39.0+ takes a workspaceCrn, derives the region from it, and asserts the bearer token's workspace against it (WORKSPACE_MISMATCH).

This PR bumps @cipherstash/auth 0.38.0 → 0.40.0 (catalog, in lockstep) and adopts the new signature:

  • WasmClientConfig.region (required, @deprecated) → workspaceCrn — single source of truth (crn:<region>:<workspace-id>); region is derived and the access-key token's workspace is asserted against the CRN.
  • resolveStrategy passes the CRN to AccessKeyStrategy.create(workspaceCrn, accessKey).
  • Re-add CS_WORKSPACE_CRN to the supabase-worker example (.env.example, function, README) and the wasm-e2e-tests CI job (env + secret-presence assertion); removed the "deliberately omitted" notes.
  • Update the Deno round-trip e2e test and the doc comments / deprecation note.

Breaking change for consumers of @cipherstash/stack/wasm-inline: replace config.region (e.g. "ap-southeast-2.aws") with config.workspaceCrn (e.g. "crn:ap-southeast-2.aws:<workspace-id>"). Changeset included (@cipherstash/stack, minor — pre-1.0).

The @cipherstash/auth bump is low-impact elsewhere: wizard/cli use AutoStrategy/device-flow/getToken(), whose signatures and TokenResult shape are unchanged across 0.38 → 0.40; the OAuthStrategy → DeviceSessionStrategy rename keeps a deprecated alias.

Summary by CodeRabbit

  • New Features

    • WASM inline clients now use workspaceCrn as the workspace identifier.
  • Breaking Changes

    • Replaced region with workspaceCrn in WASM client configuration.
    • Workspace identity is now validated against the access key, with mismatches returning WORKSPACE_MISMATCH.
  • Bug Fixes

    • Updated example apps, tests, and CI checks to require the new workspace identifier, reducing silent misconfiguration.

Bumps @cipherstash/auth 0.38.0 → 0.40.0 and adopts the new
AccessKeyStrategy.create(workspaceCrn, accessKey) signature. The
@cipherstash/stack/wasm-inline client now derives the region from the
workspace CRN and asserts the access-key token's workspace against it
(WORKSPACE_MISMATCH), making the CRN the single source of truth —
matching the Node entry.

- WasmClientConfig.region (required, @deprecated) → workspaceCrn
- resolveStrategy passes the CRN to AccessKeyStrategy.create
- re-add CS_WORKSPACE_CRN to the supabase-worker example + wasm-e2e CI
  job (and its secret-presence assertion), removing the
  "deliberately omitted" notes
- update the Deno round-trip e2e test + docs/comments

Closes #523
@coderdan coderdan requested a review from a team as a code owner June 29, 2026 11:41
@changeset-bot

changeset-bot Bot commented Jun 29, 2026


🦋 Changeset detected

Latest commit: b6c0e91

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

| Name | Type |
| --- | --- |
| @cipherstash/stack | Minor |
| @cipherstash/bench | Patch |
| @cipherstash/prisma-next | Patch |
| @cipherstash/basic-example | Patch |
| @cipherstash/prisma-next-example | Patch |
| @cipherstash/e2e | Patch |


@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Walkthrough

WasmClientConfig replaces region: string with workspaceCrn: string. The resolveStrategy runtime call to AccessKeyStrategy.create is updated accordingly. @cipherstash/auth is bumped to 0.40.0 across all platform catalog entries. The change propagates to the Supabase worker example, WASM e2e tests, CI secrets, and a breaking-change changeset.

Changes

workspaceCrn Migration

| Layer | File(s) | Summary |
| --- | --- | --- |
| WasmClientConfig type and resolveStrategy update | packages/stack/src/wasm-inline.ts | Removes region field; adds required workspaceCrn: string; updates resolveStrategy to pass cfg.workspaceCrn to AccessKeyStrategy.create; updates inline docs and examples. |
| @cipherstash/auth bump to 0.40.0 | pnpm-workspace.yaml | Bumps all platform-scoped @cipherstash/auth catalog entries from 0.38.0 to 0.40.0. |
| WASM e2e test update | e2e/wasm/roundtrip.test.ts | Adds CS_WORKSPACE_CRN to REQUIRED_ENV; switches Encryption client config from hard-coded region to workspaceCrn: env!.CS_WORKSPACE_CRN. |
| Supabase worker example update | examples/supabase-worker/supabase/functions/cipherstash-roundtrip/index.ts, examples/supabase-worker/.env.example, examples/supabase-worker/README.md | Reads CS_WORKSPACE_CRN from env, includes it in missing-var validation, switches Encryption config from region to workspaceCrn; updates .env.example and README. |
| CI secrets and changeset | .github/workflows/tests.yml, .changeset/wasm-inline-workspace-crn.md | Adds CS_WORKSPACE_CRN to CI env and secret-presence check; updates auth version comment; adds the breaking-change changeset entry. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • cipherstash/stack#350: Both PRs bump @cipherstash/auth via pnpm-workspace.yaml catalog entries.
  • cipherstash/stack#496: Introduced the WASM-inline entry with the region-based WasmClientConfig that this PR migrates to workspaceCrn.

Suggested reviewers

  • calvinbrewer
  • tobyhede

Poem

🐇 Hop, hop — no more region to find,
A CRN carries the workspace behind!
The token is checked, the mismatch is caught,
Auth bumped to forty, just as it ought.
New secrets in CI, examples all set —
The cleanest of configs the rabbit could get! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the breaking wasm-inline config change from region to workspaceCrn. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/stack/src/wasm-inline.ts (1)

318-330: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Fail fast when workspaceCrn is missing for JS callers.

The runtime already compensates for plain JS bypassing the accessKey/strategy union, but Lines 329-330 still pass cfg.workspaceCrn through unchecked. A caller that upgrades late and still sends region will now fall into the auth factory with undefined instead of getting a package-level error that points at the migration.

Suggested fix
   if (cfg.strategy) return cfg.strategy
-  if (cfg.accessKey)
-    return AccessKeyStrategy.create(cfg.workspaceCrn, cfg.accessKey)
+  if (cfg.accessKey) {
+    if (!cfg.workspaceCrn) {
+      throw new Error(
+        '[encryption]: `config.workspaceCrn` is required when using `config.accessKey`.',
+      )
+    }
+    return AccessKeyStrategy.create(cfg.workspaceCrn, cfg.accessKey)
+  }
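Review bot: The added guard `if (!cfg.workspaceCrn)` only rejects falsy values, so a plain-JS caller that passes a non-string still reaches `AccessKeyStrategy.create`, and the error text never mentions `region`, the field a late upgrader would still be sending. Consider testing `typeof cfg.workspaceCrn !== 'string'` and naming the `region` to `workspaceCrn` replacement in the message so the failure points at the migration. The guard sits only on the `accessKey` branch; that looks intentional because the `cfg.strategy` return above it does not use the CRN, but a short comment saying so would help.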
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack/src/wasm-inline.ts` around lines 318 - 330, `resolveStrategy`
currently guards the `strategy`/`accessKey` conflict, but it still forwards
`cfg.workspaceCrn` unchecked when creating the access key strategy. Add a
runtime validation in `resolveStrategy` so JS callers get a package-level error
if `workspaceCrn` is missing before calling `AccessKeyStrategy.create`, and keep
the failure message tied to the encryption config shape for easy migration
debugging.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5b83d6e6-bf4e-4ab4-a93e-7de82dc9bbee

📥 Commits

Reviewing files that changed from the base of the PR and between df9c8e3 and b6c0e91.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (8)
  • .changeset/wasm-inline-workspace-crn.md
  • .github/workflows/tests.yml
  • e2e/wasm/roundtrip.test.ts
  • examples/supabase-worker/.env.example
  • examples/supabase-worker/README.md
  • examples/supabase-worker/supabase/functions/cipherstash-roundtrip/index.ts
  • packages/stack/src/wasm-inline.ts
  • pnpm-workspace.yaml
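
The PR description (CRN as single source of truth, region derived, token workspace asserted) and the fail-fast review comment above can be illustrated together. This is an added sketch, not code from this PR, @cipherstash/stack or @cipherstash/auth: every function name and every error code except `WORKSPACE_MISMATCH` is hypothetical, and the token's workspace id is assumed to come from an already verified token.

```typescript
// Added example: hypothetical helpers, not @cipherstash/auth or @cipherstash/stack code.
type WorkspaceCrn = { region: string; workspaceId: string }

// Error codes other than WORKSPACE_MISMATCH are made up for this sketch.
function configError(code: string, message: string): Error & { code: string } {
  return Object.assign(new Error(`[encryption]: ${message}`), { code })
}

// Parse `crn:<region>:<workspace-id>`; the region is derived, never passed separately.
function parseWorkspaceCrn(crn: unknown): WorkspaceCrn {
  if (typeof crn !== 'string' || crn === '') {
    throw configError('MISSING_WORKSPACE_CRN',
      '`config.workspaceCrn` is required when using `config.accessKey`.')
  }
  const [scheme, region, workspaceId, ...rest] = crn.split(':')
  if (scheme !== 'crn' || !region || !workspaceId || rest.length > 0) {
    throw configError('INVALID_WORKSPACE_CRN', 'expected crn:<region>:<workspace-id>')
  }
  return { region, workspaceId }
}

// Fail fast for plain-JS callers that upgraded late and still send `region`.
function checkWasmConfig(cfg: Record<string, unknown>): WorkspaceCrn {
  if (cfg['workspaceCrn'] === undefined && cfg['region'] !== undefined) {
    throw configError('REGION_REPLACED',
      '`config.region` was replaced by `config.workspaceCrn`.')
  }
  return parseWorkspaceCrn(cfg['workspaceCrn'])
}

// Assumption: tokenWorkspaceId comes from an already verified access-key token.
function assertTokenWorkspace(crn: WorkspaceCrn, tokenWorkspaceId: string): void {
  if (tokenWorkspaceId !== crn.workspaceId) {
    throw configError('WORKSPACE_MISMATCH',
      'token workspace does not match the configured workspace CRN')
  }
}

// Run a check and report the error code it raised, or 'OK'.
function errorCode(check: () => unknown): string {
  try {
    check()
    return 'OK'
  } catch (e) {
    return (e as { code?: string }).code || 'UNEXPECTED'
  }
}
```

Rejecting a leftover `region` before the CRN is parsed gives the caller a migration-specific error instead of an opaque failure inside the auth factory.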

@coderdan

Contributor Author

Superseded by #497, which already implements this wasm-inline region → workspaceCrn change as part of the auth + protect-ffi bump. #497 was on hold pending stack-auth fixes and is the path forward, so this standalone PR is redundant. CIP-3245 is tracked on #497.

@coderdan coderdan closed this Jun 29, 2026
@coderdan coderdan deleted the dan/cip-3245-wasm-inline-support-cs_workspace_crn-derive-region-from branch June 29, 2026 12:03
Development

Successfully merging this pull request may close these issues.

WASM-inline: support CS_WORKSPACE_CRN / derive region from workspace CRN
