Skip to content

docs(stack): protect-ffi 0.26 changeset — region→workspaceCrn migration + server-side lock-context enforcement note#549

Merged
freshtonic merged 1 commit into
mainfrom
docs/protect-ffi-026-changeset-migration-notes
Jul 4, 2026
Merged

docs(stack): protect-ffi 0.26 changeset — region→workspaceCrn migration + server-side lock-context enforcement note#549
freshtonic merged 1 commit into
mainfrom
docs/protect-ffi-026-changeset-migration-notes

Conversation

@freshtonic

@freshtonic freshtonic commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Two wording additions to .changeset/stack-protect-ffi-0-26-oidc-strategy.md, flagged by the consolidated review on #547 (🟢 items — the review confirmed the minor bump is semver-correct pre-1.0, so this is documentation only):

  1. Explicit regionworkspaceCrn migration paragraph for the WASM-inline path: set workspaceCrn / CS_WORKSPACE_CRN to the dashboard CRN (crn:<region>.aws:<workspace-id>), the region is derived from it, and a passed region is ignored.
  2. Server-side-only lock-context enforcement spelled out: the client no longer resolves a per-user CTS token at withLockContext time, so a wrong/missing identity claim surfaces as a ZeroKMS decryption failure rather than a client-side throw. Guarantee unchanged (ZeroKMS enforces); early-feedback callers should assert on the operation's failure result.

No code changes.

Summary by CodeRabbit

  • Documentation
    • Added migration guidance for users upgrading to the latest encryption and auth packages.
    • Clarified the new configuration format for inline WASM encryption, including the switch from region-based settings to workspace CRN values.
    • Noted that region settings are now ignored if still provided.
  • Bug Fixes
    • Documented a change in lock-context error handling: identity-related issues may now appear during decryption instead of failing immediately, and callers should check operation results for failures.

…on + server-side lock-context note

Two additions flagged by the consolidated review on #547:

- an explicit region→workspaceCrn migration paragraph for the
  WASM-inline path (what to set, where the CRN comes from, that region
  is now ignored)
- a paragraph spelling out that lock-context enforcement is now
  server-side only: a wrong/missing identity claim surfaces as a
  ZeroKMS decryption failure rather than a client-side throw
@freshtonic freshtonic requested a review from a team as a code owner July 4, 2026 02:57
@changeset-bot

changeset-bot Bot commented Jul 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 08fbfc9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 6 packages
Name Type
@cipherstash/stack Minor
@cipherstash/bench Patch
@cipherstash/prisma-next Patch
@cipherstash/basic-example Patch
@cipherstash/prisma-next-example Patch
@cipherstash/e2e Patch

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68752880-45df-4ec1-8b94-bec83661c17f

📥 Commits

Reviewing files that changed from the base of the PR and between b650a8c and 08fbfc9.

📒 Files selected for processing (1)
  • .changeset/stack-protect-ffi-0-26-oidc-strategy.md

📝 Walkthrough

Walkthrough

This PR adds a changeset documenting migration guidance for @cipherstash/protect-ffi@0.26.0 and @cipherstash/auth@0.40.0, instructing use of workspaceCrn/CS_WORKSPACE_CRN in place of region/CS_REGION, and clarifying that lock-context claim failures now surface as ZeroKMS decryption failures rather than client-side errors.

Changes

Changeset Documentation Update

Layer / File(s) Summary
Migration guidance update
.changeset/stack-protect-ffi-0-26-oidc-strategy.md
Documents replacing region/CS_REGION with workspaceCrn/CS_WORKSPACE_CRN, notes that region is ignored, and clarifies that invalid/missing identity claims no longer fail client-side but surface as ZeroKMS decryption failures, requiring checks against the operation's failure result.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

  • cipherstash/stack#326: Shares the same protect-ffi workspace/env credential migration to workspaceCrn/CS_WORKSPACE_CRN.
  • cipherstash/stack#350: Overlaps in the @cipherstash/auth dependency upgrade path referenced in this changeset.
  • cipherstash/stack#497: Implements the OIDC/withLockContext lock-context resolution refactor documented in this changeset.

Suggested reviewers: auxesis

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two documentation changes: the region to workspaceCrn migration and the lock-context enforcement clarification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/protect-ffi-026-changeset-migration-notes

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@freshtonic freshtonic self-assigned this Jul 4, 2026
@freshtonic freshtonic requested review from coderdan and tobyhede July 4, 2026 03:41
@freshtonic freshtonic merged commit 195076c into main Jul 4, 2026
9 checks passed
@freshtonic freshtonic deleted the docs/protect-ffi-026-changeset-migration-notes branch July 4, 2026 03:53
@coderdan

coderdan commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

The CS_REGION only version was never published so this is a non-issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants