Follow-up from #496 / #522. The existing CRN tracking issue covers the Rust crate; this is the equivalent gap in @cipherstash/stack.
Problem
The WASM-inline entry (@cipherstash/stack/wasm-inline) currently:
- Ignores
CS_WORKSPACE_CRN — the WASM client derives workspace identity from the access-key token, not from the CRN. The Node entry consumes the CRN, so this is a parity gap. examples/supabase-worker/.env.example and the wasm-e2e-tests CI job both deliberately omit the var with a comment pointing here.
- Requires
region explicitly — WasmClientConfig.region is a required field, marked @deprecated in packages/stack/src/wasm-inline.ts, because the underlying @cipherstash/auth/wasm-inline AccessKeyStrategy.create() still takes a region argument.
Desired end state
Once @cipherstash/auth switches AccessKeyStrategy.create() to take a workspaceCrn and derive the region from it:
- Replace the required
region field with workspaceCrn on WasmClientConfig (single source of truth).
- Assert the bearer token's workspace against the CRN.
- Re-add
CS_WORKSPACE_CRN to the Supabase example .env.example + the wasm-e2e-tests job env, and remove the "deliberately omitted" comments.
- Update the
region deprecation note / docs accordingly.
Blocked on
A @cipherstash/auth/wasm-inline release whose AccessKeyStrategy.create() accepts a workspaceCrn.
See the region deprecation comment in packages/stack/src/wasm-inline.ts for context.
Follow-up from #496 / #522. The existing CRN tracking issue covers the Rust crate; this is the equivalent gap in
@cipherstash/stack.Problem
The WASM-inline entry (
@cipherstash/stack/wasm-inline) currently:CS_WORKSPACE_CRN— the WASM client derives workspace identity from the access-key token, not from the CRN. The Node entry consumes the CRN, so this is a parity gap.examples/supabase-worker/.env.exampleand thewasm-e2e-testsCI job both deliberately omit the var with a comment pointing here.regionexplicitly —WasmClientConfig.regionis a required field, marked@deprecatedinpackages/stack/src/wasm-inline.ts, because the underlying@cipherstash/auth/wasm-inlineAccessKeyStrategy.create()still takes a region argument.Desired end state
Once
@cipherstash/authswitchesAccessKeyStrategy.create()to take aworkspaceCrnand derive the region from it:regionfield withworkspaceCrnonWasmClientConfig(single source of truth).CS_WORKSPACE_CRNto the Supabase example.env.example+ thewasm-e2e-testsjob env, and remove the "deliberately omitted" comments.regiondeprecation note / docs accordingly.Blocked on
A
@cipherstash/auth/wasm-inlinerelease whoseAccessKeyStrategy.create()accepts aworkspaceCrn.See the
regiondeprecation comment inpackages/stack/src/wasm-inline.tsfor context.