diff --git a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md b/.changeset/stack-protect-ffi-0-26-oidc-strategy.md index 0b86f49b..0e38ab81 100644 --- a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md +++ b/.changeset/stack-protect-ffi-0-26-oidc-strategy.md @@ -29,4 +29,8 @@ This replaces the old ceremony (`new LockContext()` → `await lc.identify(jwt)` - **`LockContext.identify()` / `getLockContext()`** are **deprecated** (kept for backwards compatibility); the strategy handles token acquisition. - **Strategies are re-exported** from `@cipherstash/stack` (`OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy`) and from `@cipherstash/stack/wasm-inline` (`OidcFederationStrategy`, `AccessKeyStrategy`) so integrators don't need a separate `@cipherstash/auth` install. `AuthStrategy` remains re-exported for the structural type. +**Migrating `region` → `workspaceCrn` (WASM-inline).** If you previously passed `region` (or relied on `CS_REGION`) to the WASM-inline `Encryption()` path, replace it with your workspace CRN: set `workspaceCrn` in config (or `CS_WORKSPACE_CRN` in the environment) to the value shown in the CipherStash dashboard (`crn:.aws:` — it embeds the region, which is now derived from it). `region` is ignored if passed. + +**Lock-context enforcement is now server-side only.** Because the client no longer resolves a per-user CTS token at `withLockContext` time, it also cannot fail fast there: a wrong or missing identity claim surfaces as a ZeroKMS **decryption failure** (the data key simply doesn't unlock), not as a client-side error before the request. The cryptographic guarantee is unchanged — enforcement happens in ZeroKMS — but anyone relying on the old client-side throw for early feedback should assert on the operation's `failure` result instead. + Existing credential / env behaviour is preserved when `config.strategy` is omitted.
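Review bot: The example CRN in the `region` → `workspaceCrn` paragraph (`crn:.aws:`) reads as a truncated placeholder rather than a real shape; either spell out the full expected format or drop the fragment and point only to the dashboard value, so nobody copies it literally. Since `region` (and `CS_REGION`) is now silently ignored, a stale setting can no longer signal a misconfiguration; if the library does not already emit a deprecation warning when `region` is passed, consider adding one or telling readers explicitly to remove `CS_REGION` from deployment config. The lock-context paragraph is the right caveat to surface, but "assert on the operation's `failure` result" would be easier to act on with a one-line before/after (the old client-side throw versus checking `failure` on the decrypt call) and a note that any tests which expected the throw need updating.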