Skip to content

Version Packages#551

Closed
github-actions[bot] wants to merge 0 commit into
mainfrom
changeset-release/main
Closed

Version Packages#551
github-actions[bot] wants to merge 0 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

stash@0.17.0

Minor Changes

  • eb94ac8: Add guards for missing native binaries. When npm skips the platform-specific
    optional dependency (a known npm bug), stash now prints actionable fix
    guidance instead of a raw MODULE_NOT_FOUND stack trace. Adds a new
    stash doctor command that diagnoses the runtime and native modules and works
    even when a binary is missing.
  • 64fdeb2: Rename stash db install, stash db upgrade, and stash db status to
    stash eql install, stash eql upgrade, and stash eql status. These
    commands manage the EQL extension itself, so they now live under a dedicated
    eql command group. The old db spellings keep working as deprecated
    aliases that print a warning pointing at the new names. All help text,
    hints, generated migration headers, and wizard steps now reference the
    eql commands.

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.
    • @cipherstash/migrate@0.2.0

@cipherstash/stack@0.19.0

Minor Changes

  • 35b9ed6: Bump @cipherstash/protect-ffi to 0.26.0 and @cipherstash/auth to 0.40.0, and replace the lock-context token ceremony with a strategy-based approach for identity-bound encryption.

    protect-ffi 0.26.0 supersedes 0.25.0. The public API is unchanged from 0.25 (internal fixes only). As in 0.25, serviceToken is gone from the encrypt / decrypt / query option types; auth flows through the client's strategy / credentials, and lock contexts travel as lockContext.identityClaim. The WASM-inline path takes a single options object with the auth strategy nested under strategy, and Encryption() config uses workspaceCrn (CS_WORKSPACE_CRN) as the single source of truth — CS_REGION is no longer consulted. On that path workspaceCrn is required only alongside an accessKey (it derives the region); with a pre-built strategy it is optional, since the strategy already carries the CRN.

    Strategy-based, identity-bound encryption. OidcFederationStrategy federates an end user's third-party OIDC JWT (Clerk, Supabase, Auth0, …) into a CTS service token. As of @cipherstash/auth 0.40 it takes a workspaceCrn (region derived from the CRN), matching AccessKeyStrategy. Pass it as config.strategy so every ZeroKMS request authenticates as that user, then bind the data key to a claim with .withLockContext({ identityClaim }):

    import { Encryption, OidcFederationStrategy } from "@cipherstash/stack";
    
    const client = await Encryption({
      schemas: [users],
      config: {
        strategy: OidcFederationStrategy.create(workspaceCrn, () => getUserJwt()),
      },
    });
    
    await client
      .encrypt("alice@example.com", { column: users.email, table: users })
      .withLockContext({ identityClaim: ["sub"] });

    This replaces the old ceremony (new LockContext()await lc.identify(jwt).withLockContext(lc)), which relied on a per-operation CTS token that protect-ffi removed in 0.25.

    • .withLockContext() now accepts a plain { identityClaim } object (as well as a LockContext) and no longer requires a CTS token or an identify() call — it carries the identity claim only.
    • LockContext.identify() / getLockContext() are deprecated (kept for backwards compatibility); the strategy handles token acquisition.
    • Strategies are re-exported from @cipherstash/stack (OidcFederationStrategy, AccessKeyStrategy, AutoStrategy, DeviceSessionStrategy) and from @cipherstash/stack/wasm-inline (OidcFederationStrategy, AccessKeyStrategy) so integrators don't need a separate @cipherstash/auth install. AuthStrategy remains re-exported for the structural type.

    Migrating regionworkspaceCrn (WASM-inline). If you previously passed region (or relied on CS_REGION) to the WASM-inline Encryption() path, replace it with your workspace CRN: set workspaceCrn in config (or CS_WORKSPACE_CRN in the environment) to the value shown in the CipherStash dashboard (crn:<region>.aws:<workspace-id> — it embeds the region, which is now derived from it). region is ignored if passed.

    Lock-context enforcement is now server-side only. Because the client no longer resolves a per-user CTS token at withLockContext time, it also cannot fail fast there: a wrong or missing identity claim surfaces as a ZeroKMS decryption failure (the data key simply doesn't unlock), not as a client-side error before the request. The cryptographic guarantee is unchanged — enforcement happens in ZeroKMS — but anyone relying on the old client-side throw for early feedback should assert on the operation's failure result instead.

    Existing credential / env behaviour is preserved when config.strategy is omitted.

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

@cipherstash/wizard@0.4.0

Minor Changes

  • 64fdeb2: Rename stash db install, stash db upgrade, and stash db status to
    stash eql install, stash eql upgrade, and stash eql status. These
    commands manage the EQL extension itself, so they now live under a dedicated
    eql command group. The old db spellings keep working as deprecated
    aliases that print a warning pointing at the new names. All help text,
    hints, generated migration headers, and wizard steps now reference the
    eql commands.

@cipherstash/drizzle@3.0.3

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

@cipherstash/nextjs@4.1.1

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

@cipherstash/prisma-next@0.3.2

Patch Changes

  • Updated dependencies [aa9c4b1]
  • Updated dependencies [35b9ed6]
    • @cipherstash/stack@0.19.0

@cipherstash/protect@12.0.1

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.
  • Updated dependencies [aa9c4b1]
    • @cipherstash/schema@3.0.1

@cipherstash/protect-dynamodb@12.0.1

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.
  • Updated dependencies [aa9c4b1]
    • @cipherstash/protect@12.0.1

@cipherstash/schema@3.0.1

Patch Changes

  • aa9c4b1: Documentation: refresh package READMEs after the protectjs → stack repository rename. Fixed repository and license links, replaced dead in-repo docs links with cipherstash.com/docs URLs, rewrote the incorrect @cipherstash/nextjs README, and added guidance pointing new projects to @cipherstash/stack.

@cipherstash/basic-example@1.2.13

Patch Changes

  • Updated dependencies [aa9c4b1]
  • Updated dependencies [35b9ed6]
    • @cipherstash/stack@0.19.0

@cipherstash/prisma-next-example@0.0.5

Patch Changes

  • Updated dependencies [aa9c4b1]
  • Updated dependencies [35b9ed6]
    • @cipherstash/stack@0.19.0
    • @cipherstash/prisma-next@0.3.2

@cipherstash/bench@0.0.4

Patch Changes

  • Updated dependencies [aa9c4b1]
  • Updated dependencies [35b9ed6]
    • @cipherstash/stack@0.19.0

@github-actions github-actions Bot requested a review from a team as a code owner July 4, 2026 03:55
@github-actions github-actions Bot closed this Jul 4, 2026
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 079eb1c to 7535a18 Compare July 4, 2026 04:55
@github-actions github-actions Bot reopened this Jul 4, 2026
@github-actions github-actions Bot closed this Jul 4, 2026
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 244b8b5 to 29eb0ee Compare July 4, 2026 08:53
@github-actions github-actions Bot reopened this Jul 4, 2026
@github-actions github-actions Bot closed this Jul 4, 2026
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 66eea4e to b405a54 Compare July 4, 2026 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants