From 08fbfc9249784b9e6c8f8ea7d889cb6ecabb4941 Mon Sep 17 00:00:00 2001
From: James Sadler
Date: Sat, 4 Jul 2026 12:57:43 +1000
Subject: [PATCH] docs(stack): protect-ffi 0.26 changeset — region→workspaceCrn migration + server-side lock-context note
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two additions flagged by the consolidated review on #547:

- an explicit region→workspaceCrn migration paragraph for the WASM-inline path (what to set, where the CRN comes from, that region is now ignored)
- a paragraph spelling out that lock-context enforcement is now server-side only: a wrong/missing identity claim surfaces as a ZeroKMS decryption failure rather than a client-side throw
---
 .changeset/stack-protect-ffi-0-26-oidc-strategy.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md b/.changeset/stack-protect-ffi-0-26-oidc-strategy.md
index 0b86f49b..0e38ab81 100644
--- a/.changeset/stack-protect-ffi-0-26-oidc-strategy.md
+++ b/.changeset/stack-protect-ffi-0-26-oidc-strategy.md
@@ -29,4 +29,8 @@ This replaces the old ceremony (`new LockContext()` → `await lc.identify(jwt)` - **`LockContext.identify()` / `getLockContext()`** are **deprecated** (kept for backwards compatibility); the strategy handles token acquisition. - **Strategies are re-exported** from `@cipherstash/stack` (`OidcFederationStrategy`, `AccessKeyStrategy`, `AutoStrategy`, `DeviceSessionStrategy`) and from `@cipherstash/stack/wasm-inline` (`OidcFederationStrategy`, `AccessKeyStrategy`) so integrators don't need a separate `@cipherstash/auth` install. `AuthStrategy` remains re-exported for the structural type. +**Migrating `region` → `workspaceCrn` (WASM-inline).** If you previously passed `region` (or relied on `CS_REGION`) to the WASM-inline `Encryption()` path, replace it with your workspace CRN: set `workspaceCrn` in config (or `CS_WORKSPACE_CRN` in the environment) to the value shown in the CipherStash dashboard (`crn:.aws:` — it embeds the region, which is now derived from it). `region` is ignored if passed. + +**Lock-context enforcement is now server-side only.** Because the client no longer resolves a per-user CTS token at `withLockContext` time, it also cannot fail fast there: a wrong or missing identity claim surfaces as a ZeroKMS **decryption failure** (the data key simply doesn't unlock), not as a client-side error before the request. The cryptographic guarantee is unchanged — enforcement happens in ZeroKMS — but anyone relying on the old client-side throw for early feedback should assert on the operation's `failure` result instead. + Existing credential / env behaviour is preserved when `config.strategy` is omitted.
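Review bot: the CRN example in the new migration paragraph reads `crn:.aws:` with nothing between the separators, so a reader cannot tell what the placeholder segments are or how to recognise the value in the dashboard; either write out the placeholder shape as the dashboard shows it or drop the parenthetical and keep only the statement that the CRN embeds the region. The clause "it embeds the region, which is now derived from it" is also circular; "the region is now derived from the CRN, so `region` is ignored if passed" says it once, and it would help to state whether passing `region` logs a deprecation warning or is silently dropped. In the lock-context paragraph, "assert on the operation's `failure` result instead" leaves integrators without a way to tell an identity-claim mismatch apart from any other ZeroKMS decryption failure; name the error code or message they can match on, or, if the failure is deliberately indistinguishable, say so explicitly, since the practical consequence is that these failures have to be logged and monitored rather than branched on, and the paragraph's own point is that the client no longer gives early feedback.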