chore: merge main into v2 (recover the identity-API fixes)#60
Merged
Conversation
…abase docs The v2 docs branch will host the Supabase page at /docs/integrations/supabase but isn't published yet. Add a temporary (307) redirect from that future URL to the current Supabase overview page (/stack/cipherstash/supabase) so external links resolve until v2 ships, at which point this entry should be removed.
…ons-supabase chore(redirects): temp redirect /integrations/supabase → current Supabase docs
… build The EQL reference generator fetches the latest release's API.md at build time and passes lowercase-led tags (e.g. `<tt>`) through as real HTML. MDX requires every tag to be balanced, so a mangled SQL-comment source that emits an unclosed `<tt>` fails the whole Vercel build — which is exactly what eql-3.0.0-alpha.3 did (index.mdx:2153, `Expected a closing tag for <tt>`). `<tt>` is Doxygen's teletype tag; MDX doesn't need it. Strip `<tt>`/`</tt>` (non-code text only) before escaping, so malformed upstream docs degrade gracefully instead of taking the deploy down. Verified: regenerated content/stack/reference/eql/index.mdx from the live eql-3.0.0-alpha.3 release and `next build` compiles all 329 pages.
fix(eql-docs): strip Doxygen <tt> tags so a stray one can't break the build
The live docs teach `new LockContext().identify(jwt)`. Per-operation CTS
tokens were removed in protect-ffi 0.25, so `identify()` is deprecated: it
still compiles and logs a warning, but the token it fetches is no longer
used by encryption operations. Readers copying these examples get code that
appears to bind an identity and does not.
Correct usage authenticates the client as the end user with
OidcFederationStrategy (config.authStrategy), then names the claim to bind:
const client = await Encryption({
schemas: [users],
config: { authStrategy: OidcFederationStrategy.create(crn, () => getJwt()) },
})
await client.encrypt(v, opts).withLockContext({ identityClaim: ["sub"] })
Two pages also used `client.withLockContext({ identityToken })`, a call shape
that never existed in any release.
Verified against the shipped type definitions of @cipherstash/stack 0.19.0
and @cipherstash/auth 0.42.0.
docs: update identity-aware encryption to the strategy-based API
Follow-up to #57, from review feedback on the v2 port (#56). The client setup blocks configure `authStrategy`, but the examples below them import an already-built client, so a reader skimming the encrypt and decrypt snippets sees `.withLockContext()` with no strategy in view and could reasonably conclude the claim binding stands alone. - Warn that OidcFederationStrategy is the only strategy supporting lock contexts. AccessKeyStrategy authenticates as the service, so there is no end-user identity for ZeroKMS to resolve the claim against. - State that the examples depend on the authStrategy-configured client. - Explain that `_` in the dashboard OIDC providers URL is the selected workspace. Dropped the "AccessKeyStrategy is also re-exported" aside from identity.mdx: naming it in a lock-context section was what invited the confusion.
…arifications docs: clarify that lock contexts require OidcFederationStrategy
Brings the identity-API fixes (#57, #59) and the EQL docs build fix (#58) into the v2 branch. Without this, merging v2 to main at launch would revert them: v2's copy of content/stack still taught LockContext.identify(), which is deprecated and no longer affects encryption. One conflict, in scripts/generate-eql-docs.ts. Both branches carry the same `<tt>`-stripping fix; they differ only in whether the .replace chain is wrapped in parentheses. Kept v2's formatting.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v2is 8 commits behindmainand its copy ofcontent/stackstill teaches the deprecated identity API. Mergingv2tomainat launch would revert #57 and #59.Why this matters now
#57 and #59 fixed the live docs on
main:LockContext.identify()is deprecated (per-operation CTS tokens were removed inprotect-ffi0.25 — it compiles, warns, and no longer affects encryption).v2never received those commits, so itscontent/stackstill contains the old flow across 8 files.content/stackis served at/stackuntil the launch merge deletes it, so this isn't only a future-revert problem: the v2 preview currently serves the broken examples.Same class of bug as the one I just fixed in #43. Two long-lived branches, one fix applied to only one of them.
What comes across
encryption/{identity,supabase,encrypt-decrypt,bulk-operations,models}.mdxreference/{error-handling,agent-skills}.mdx,reference/comparisons/aws-kms.mdxreference/use-cases/{provable-access,compliance}.mdxscripts/generate-eql-docs.ts<tt>strip (#58)next.config.mjsThe one conflict
scripts/generate-eql-docs.ts. Both branches carry the same<tt>-stripping fix, because #58 ported #52 across. They differ only in whether the.replacechain is wrapped in parentheses — a formatting artifact of how I resolved that cherry-pick. Keptv2's version. No semantic difference.Checks
bun run buildpasses, 714 pages.grep -rE "\.identify\(|identityToken|new LockContext\(\)" content/returns nothing outside generated TypeDoc and deliberate deprecation callouts. The whole tree is clean for the first time.bun run validate-redirectspasses.A CI guard so this can't recur is coming as a separate PR.