Skip to content

feat(stack): rename config.strategy to authStrategy; document auth + keysets#562

Open
coderdan wants to merge 4 commits into
mainfrom
feat/encryption-auth-strategy-rename
Open

feat(stack): rename config.strategy to authStrategy; document auth + keysets#562
coderdan wants to merge 4 commits into
mainfrom
feat/encryption-auth-strategy-rename

Conversation

@coderdan

@coderdan coderdan commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Closes #563
Closes #564

What

Renames the encryption client's auth strategy field from strategy to authStrategy (to make its purpose clear), keeps strategy as a deprecated alias, and rewrites the Encryption() TypeDoc to actually walk developers through authentication and keysets.

Rename (backwards compatible)

  • ClientConfig.authStrategy is now the documented field; ClientConfig.strategy is retained with an @deprecated tag.
  • Passing strategy still forwards to the client but logs a one-time console.warn deprecation notice (deduped per process so repeated Encryption() calls don't spam). console.warn is used deliberately — the Stack logger.warn is sampled to 0 at the default error log level, so a logger-based notice would be invisible.
  • authStrategy takes precedence when both are set (the warning still fires whenever the deprecated field is present, so the leftover gets cleaned up).
  • EncryptionClient.init's internal config param is renamed to authStrategy accordingly; the FFI option name (strategy) is unchanged.

WASM entry kept in sync (@cipherstash/stack/wasm-inline)

The Deno / Edge / Workers / Bun entry gets the same rename so both interfaces match: WasmClientConfig.authStrategy is the documented field, strategy is a deprecated alias. resolveStrategy resolves authStrategy ?? strategy, keeps the auth-strategy-vs-accessKey mutual-exclusion guard (now covering both fields), and emits the same one-time runtime deprecation warning. (Closes #564.)

TypeDoc rewrite (Encryption())

Now covers:

  • Default auto strategy — tries the CS_* env vars first, then falls back to the local dev profile (which also supplies the client key).
  • Local dev: npx stash auth login.
  • Production / CI: table of CS_WORKSPACE_CRN, CS_CLIENT_ID, CS_CLIENT_KEY, CS_CLIENT_ACCESS_KEY with a dashboard link.
  • Custom strategies via authStrategy: AccessKeyStrategy (service/CI) and OidcFederationStrategy (per-user via your own IdP — Supabase/Clerk/Auth0/Okta, with the /workspaces/_/oidc-providers link).
  • Lock context as an identity-bound capability layered on OidcFederationStrategy (and why AccessKeyStrategy isn't valid for it).
  • Keysets (multi-tenant isolation) — name/UUID identification, dashboard link, workspace-default fallback, one client per tenant, orthogonal to authStrategy/lock context.

Stray config.strategy doc references (the AuthStrategy type doc, the re-export comment in index.ts, and the LockContext example/deprecation note in identity/index.ts) were updated to authStrategy.

Tests

__tests__/init-strategy.test.ts now covers the authStrategy field (forwarding, alongside clientOpts, OIDC-shaped, unset), plus a deprecated-alias suite asserting the legacy strategy path still forwards and warns, and that authStrategy beats strategy. lock-context.test.ts migrated to authStrategy. All pass (18 tests across the two files).

Verification

  • tsc -p tsconfig.typecheck.json --noEmit — clean.
  • Strategy + lock-context tests — green.
  • The pre-existing vitest-typecheck failures (EncryptedPayload/EncryptedV3Query in types.ts:4,6) and noNonNullAssertion lint warnings are unrelated (confirmed identical on a clean tree).

Follow-ups (issues opened from the same discussion)

Summary by CodeRabbit

  • New Features
    • Added authStrategy as the primary encryption authentication configuration option, with the same supported strategy types and default behavior as before.
  • Bug Fixes
    • Improved precedence handling: when both are provided, authStrategy takes precedence over the deprecated strategy alias.
    • Ensured deprecation warnings for strategy are emitted deterministically (one-time per process).
  • Documentation
    • Updated encryption, identity/lock context, and WASM-inline guidance and examples to use authStrategy.
  • Tests
    • Expanded coverage for deprecated alias behavior and warning/precedence scenarios.

…keysets

Rename the encryption client's auth strategy field from `strategy` to
`authStrategy`. The old `strategy` field is retained as a deprecated alias:
passing it still works and forwards to the client, but logs a one-time runtime
deprecation warning. `authStrategy` wins when both are set.

Also rewrites the `Encryption()` TypeDoc to walk through authentication:
- the default `auto` strategy (env vars, then local dev profile which also
  supplies the client key)
- `npx stash auth login` for local development
- the four `CS_*` env vars for production/CI (table + dashboard link)
- custom strategies via `authStrategy` (AccessKeyStrategy, OidcFederationStrategy)
- lock context as an identity-bound capability on top of OidcFederationStrategy
- keysets for multi-tenant isolation (one client per tenant)

Tests cover the new `authStrategy` field, the deprecated `strategy` alias
(forwarding + warning), and precedence when both are supplied.
@coderdan coderdan requested a review from a team as a code owner July 6, 2026 05:18
@changeset-bot

changeset-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 9e08252

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages
Name Type
@cipherstash/stack Minor
@cipherstash/bench Patch
@cipherstash/prisma-next Patch
@cipherstash/basic-example Patch
@cipherstash/prisma-next-example Patch
@cipherstash/e2e Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@coderdan, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 25 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ecaed0be-1921-4e13-b5fb-dfad4e9fd3c7

📥 Commits

Reviewing files that changed from the base of the PR and between db9a756 and 9e08252.

📒 Files selected for processing (2)
  • packages/stack/__tests__/wasm-inline-strategy.test.ts
  • packages/stack/src/wasm-inline.ts
📝 Walkthrough

Walkthrough

This PR renames the primary encryption auth config to authStrategy, keeps strategy as a deprecated alias with runtime warnings, updates wasm-inline strategy resolution, and revises tests, TSDoc, examples, and the changeset.

Changes

authStrategy rename and deprecation

Layer / File(s) Summary
EncryptionClient init and FFI wiring
packages/stack/src/encryption/index.ts
EncryptionClient.init() accepts authStrategy and forwards it to newClient as the FFI strategy option.
Encryption alias resolution and warning
packages/stack/src/encryption/index.ts
Encryption() warns once on legacy config.strategy, resolves authStrategy ?? strategy, and passes the resolved value into client.init().
Wasm-inline authStrategy and resolveStrategy
packages/stack/src/wasm-inline.ts, packages/stack/__tests__/wasm-inline-new-client.test.ts, packages/stack/__tests__/wasm-inline-strategy.test.ts
WasmClientConfig now centers authStrategy, keeps strategy as a deprecated alias, and updates resolveStrategy tests for warnings, precedence, and validation.
Tests and documentation updates
packages/stack/__tests__/init-strategy.test.ts, packages/stack/__tests__/lock-context.test.ts, packages/stack/src/types.ts, packages/stack/src/identity/index.ts, packages/stack/src/index.ts, .changeset/rename-strategy-to-auth-strategy.md
Tests, TSDoc, examples, and the changeset are updated to describe authStrategy, deprecated strategy, and the updated auth flow.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related issues

Possibly related PRs

  • cipherstash/stack#496: Updates the wasm-inline entry point and related auth wiring that this PR extends with authStrategy naming and deprecation handling.
  • cipherstash/stack#497: Touches the same encryption auth wiring path around strategy resolution and federation strategy handling.
  • cipherstash/stack#562: This PR.

Suggested reviewers: tobyhede, freshtonic

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The changes implement the backward-compatible authStrategy rename, deprecation warning, tests, and the requested Encryption TypeDoc updates.
Out of Scope Changes check ✅ Passed The modified WASM-inline code, tests, and docs all support the same authStrategy rename and deprecation work, with no clear unrelated additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main rename and documentation update in the stack package.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/encryption-auth-strategy-rename

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/stack/src/encryption/index.ts`:
- Around line 844-850: The deprecation warning in the auth strategy resolution
path is being skipped when both `strategy` and `authStrategy` are provided.
Update the logic in the `authStrategy` resolution block in `index.ts` so
`warnStrategyDeprecated()` runs whenever `clientConfig?.strategy` is present,
even if `clientConfig.authStrategy` also exists, while still keeping
`authStrategy` as the value that wins.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c280f4b-9cbc-49a8-a17d-92120b0969b2

📥 Commits

Reviewing files that changed from the base of the PR and between 7f67e11 and ac2a686.

📒 Files selected for processing (6)
  • packages/stack/__tests__/init-strategy.test.ts
  • packages/stack/__tests__/lock-context.test.ts
  • packages/stack/src/encryption/index.ts
  • packages/stack/src/identity/index.ts
  • packages/stack/src/index.ts
  • packages/stack/src/types.ts

Comment thread packages/stack/src/encryption/index.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Renames the Stack client configuration field for authentication from config.strategy to config.authStrategy (keeping strategy as a deprecated alias), and expands the Encryption() TypeDoc to document authentication flows and keysets more thoroughly.

Changes:

  • Add ClientConfig.authStrategy (documented) and retain ClientConfig.strategy as a deprecated alias.
  • Implement one-time runtime deprecation warning when config.strategy is used (and wire authStrategy through to the FFI opts.strategy).
  • Update docs/examples and tests to use authStrategy, and add coverage for the deprecated alias behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
packages/stack/src/types.ts Adds authStrategy to ClientConfig, deprecates strategy, and updates TSDoc references and keyset docs.
packages/stack/src/index.ts Updates the auth-strategy re-export comment to reference config.authStrategy.
packages/stack/src/identity/index.ts Updates identity docs/examples to use authStrategy.
packages/stack/src/encryption/index.ts Renames internal init config field to authStrategy, forwards to FFI strategy, adds one-time deprecation warning, and rewrites Encryption() TypeDoc (auth + keysets).
packages/stack/tests/lock-context.test.ts Migrates lock-context tests to configure OidcFederationStrategy via authStrategy.
packages/stack/tests/init-strategy.test.ts Adds/updates tests for authStrategy, deprecated alias behavior, and precedence rules.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/stack/src/encryption/index.ts
Comment thread packages/stack/src/encryption/index.ts
Comment thread packages/stack/src/encryption/index.ts
Comment thread packages/stack/__tests__/init-strategy.test.ts Outdated
coderdan added 2 commits July 6, 2026 16:14
- Warn whenever the deprecated `config.strategy` is present, even when
  `config.authStrategy` is also set (matches the ClientConfig TSDoc, which
  states passing `strategy` always warns). `authStrategy` still wins.
- Harden the deprecation test: reset the once-per-process warning latch and
  spy console.warn in beforeEach, restore in afterEach (no leak on assertion
  throw), drop the order-dependent guard comment, and add a negative test that
  authStrategy alone does not warn.
- Add an @internal reset hook (not re-exported from the package entry) so the
  test controls the warning latch deterministically.
- TypeDoc: note that the auth/keyset snippets reuse the `users` schema and
  placeholder workspaceCrn/accessKey credentials.
- Add changeset (minor).
Keep the Node and WASM interfaces in sync: the `@cipherstash/stack/wasm-inline`
entry now uses `config.authStrategy` as the documented field, with
`config.strategy` retained as a deprecated alias.

- `WasmClientConfig` gains an `authStrategy` arm; the deprecated `strategy` is
  kept as an alias (mutually exclusive with `accessKey`, as before).
- `resolveStrategy` resolves `authStrategy ?? strategy`, guards the auth-strategy
  vs `accessKey` mutual exclusion against both fields, and emits a one-time
  runtime deprecation warning when `strategy` is used (mirroring the Node entry,
  with its own `@internal` reset hook for deterministic tests).
- Update wasm-inline docs/examples and the offline resolveStrategy /
  new-client tests to cover authStrategy, the deprecated alias, and the warning.

Closes #564.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/stack/src/wasm-inline.ts`:
- Around line 442-451: The mutual-exclusion error in wasm-inline.ts is using the
resolved authStrategy value but always mentions config.authStrategy, which is
misleading when the deprecated config.strategy field triggered the conflict.
Update the guard around authStrategy and cfg.accessKey so the thrown message
names the actual field provided by the caller (authStrategy vs strategy), and
adjust the wasm-inline-strategy test to assert the precise message for the
deprecated strategy case.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 434ac99e-f512-4a62-9b97-3f8b64bfb1b2

📥 Commits

Reviewing files that changed from the base of the PR and between 90d19fb and db9a756.

📒 Files selected for processing (4)
  • .changeset/rename-strategy-to-auth-strategy.md
  • packages/stack/__tests__/wasm-inline-new-client.test.ts
  • packages/stack/__tests__/wasm-inline-strategy.test.ts
  • packages/stack/src/wasm-inline.ts
✅ Files skipped from review due to trivial changes (1)
  • .changeset/rename-strategy-to-auth-strategy.md

Comment thread packages/stack/src/wasm-inline.ts
When the deprecated `config.strategy` is set alongside `accessKey`, the
mutual-exclusion error now says `config.strategy` (not the resolved
`config.authStrategy`), so it names the field the caller actually set. Tests
assert the precise message for both the `authStrategy` and deprecated
`strategy` cases.

@coderdan coderdan left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test coverage review — PR #562 (config.strategyconfig.authStrategy)

The rename is well-covered: both entries (Node init-strategy.test.ts, WASM wasm-inline-strategy.test.ts) test forwarding of authStrategy, precedence of authStrategy over the deprecated strategy, the warn-vs-no-warn split, and the mutual-exclusion guard now naming the field the caller actually set. Good, symmetric coverage across the Node and WASM paths.

One genuine gap on both entries: the deprecation warning is guarded by an explicit once-per-process latch (if (warnedStrategyDeprecated) return), and a __resetStrategyDeprecationWarningForTests() hook was added specifically to make the warning deterministic — yet no test asserts the actual "at most once per process" contract. Every test resets the latch in beforeEach, so the short-circuit arm is exercised but never verified. Removing the guard (making it warn on every call) would pass the entire suite. Two inline comments below.

No crypto/security concerns noted; changes are config-plumbing and docs.

Comment thread packages/stack/src/encryption/index.ts
Comment thread packages/stack/src/wasm-inline.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

3 participants