Skip to content

feat: delegate credential loading to protect-ffi#326

Merged
coderdan merged 8 commits intomainfrom
feat/update-ffi
Mar 24, 2026
Merged

feat: delegate credential loading to protect-ffi#326
coderdan merged 8 commits intomainfrom
feat/update-ffi

Conversation

@coderdan
Copy link
Contributor

@coderdan coderdan commented Mar 21, 2026
edited by coderabbitai bot
Loading

Summary

  • Remove eager workspace CRN checks from ProtectClient and EncryptionClient constructors. Credential resolution (workspace CRN, access key, client key) is now fully handled by protect-ffi via stack-auth and the ~/.cipherstash profile — no env vars or cipherstash.toml required.
  • Use ensureKeyset from protect-ffi in keyset tests instead of hardcoded UUIDs, so tests create/find the keyset dynamically.
  • Upgrade EQL to 2.2.1 in the local Docker setup.

Dependency

This PR depends on a new version of @cipherstash/protect-ffi which has not yet been published. The pnpm override in package.json currently points to a local link. Before merging, protect-ffi must be published and the override replaced with the published version.

Summary by CodeRabbit

  • New Features

    • Credential resolution now delegated to underlying crypto library for improved environment-based handling.
    • Enhanced support for JSON array operations with complete indexing capabilities.

  • Improvements

    • Upgraded @cipherstash/protect-ffi to 0.21.0.
    • EQL SQL files now dynamically fetched at build/runtime instead of bundled versions.
    • Expanded ProtectClientConfig with optional credential fields for flexible multi-tenant scenarios.

coderdan added 2 commits March 21, 2026 20:18
@coderdan
feat: delegate credential loading to protect-ffi
81d304b 
Remove eager workspace CRN checks from ProtectClient and
EncryptionClient constructors — protect-ffi now handles credential
resolution internally via stack-auth and the cipherstash profile.

- Remove loadWorkSpaceId calls and unused clientInfo methods
- Override protect-ffi to use local linked build
- Use ensureKeyset in keyset tests instead of hardcoded UUIDs
@coderdan
chore: upgrade EQL to 2.2.1 in local Docker setup
60a3c3e
@changeset-bot
Copy link

changeset-bot bot commented Mar 21, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: d2a9c3b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link

coderabbitai bot commented Mar 21, 2026
edited
Loading

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR upgrades @cipherstash/protect-ffi to version 0.21.0 and refactors credential and EQL retrieval handling. It removes workspace ID state from client initialization, enables array_index_mode: 'all' for STE vector indexes on JSON columns, and switches from bundled SQL files to dynamic download of the latest EQL script at build time.

Changes

Cohort / File(s) Summary
Dependency & Package Configuration
.changeset/upgrade-protect-ffi.md, package.json, packages/protect/package.json, packages/stack/package.json		 Upgraded @cipherstash/protect-ffi to 0.21.0 across packages and added pnpm override; removed bundled SQL file from @cipherstash/schema published files.
EQL Retrieval & Build
local/Dockerfile, local/postgres-entrypoint.sh, packages/drizzle/src/bin/generate-eql-migration.ts		 Replaced static bundled SQL file approach with dynamic download from GitHub releases at build time; added fetch logic, environment-based URL constant, and improved error handling; updated initialization scripts to reference downloaded file.
Array Index Mode Configuration
packages/schema/src/index.ts, packages/stack/src/schema/index.ts, packages/stack/__tests__/schema-builders.test.ts		 Introduced arrayIndexModeSchema Zod validation and wired array_index_mode: 'all' into STE-Vec index configuration for JSON-searchable columns; updated test expectations to verify new index mode setting.
Client Initialization & Credential Handling
packages/protect/src/ffi/index.ts, packages/protect/src/index.ts, packages/stack/src/encryption/index.ts, packages/stack/src/types.ts		 Removed workspaceId state and constructor parameters from ProtectClient and EncryptionClient; eliminated clientInfo() method; expanded ProtectClientConfig with optional workspaceCrn, accessKey, clientId, and clientKey fields; delegated credential resolution to protect-ffi's environment variable handling.
Test Updates
packages/protect/__tests__/keysets.test.ts, packages/stack/__tests__/keysets.test.ts		 Updated keyset-id test scenarios to use dynamically provisioned keysets via ensureKeyset() in beforeAll hooks instead of hardcoded UUIDs, ensuring keyset existence before test execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • feat: add stash forge package #314: Both PRs shift EQL SQL retrieval from bundled static files to dynamic download at runtime/build, addressing the same distribution and version management challenge.
  • chore: usability improvements #317: Both PRs implement the same code-level change of replacing bundled EQL SQL files with runtime download logic and related installer/CLI wiring.
  • feat: stack usability and docs updates #306: Both PRs refactor client initialization surfaces—removing constructor-based workspace ID handling and reworking how credentials are delegated to the FFI layer.

Suggested reviewers

  • auxesis

🐰 With credentials now in paws of the FFI,
And EQL scripts freshly downloaded from the sky,
Array indexes bloom in their glorious 'all',
Our clients stand simpler, heeding no hall—
A cleaner refactor, both nimble and tall!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'feat: delegate credential loading to protect-ffi' accurately describes the main objective of removing credential resolution from ProtectClient/EncryptionClient constructors and delegating it to protect-ffi's credential handling.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/update-ffi

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

tobyhede
tobyhede approved these changes Mar 24, 2026
View reviewed changes
coderdan added 5 commits March 24, 2026 16:06
@coderdan
chore: upgrade protect-ffi to 0.21.0
40f708e 
Replace the local link override with the published 0.21.0 version
of @cipherstash/protect-ffi across all packages.
@coderdan
feat: enable array_index_mode for searchable JSON
2ba6702 
Set array_index_mode to 'all' on STE vec indexes so the FFI
correctly flags array entries and generates distinct hashes for
array element values. This fixes JSON array operations including
jsonb_array_elements, jsonb_array_length, and array containment
queries.
@coderdan
fix: remove redundant env var fallback and improve credential docs
edd5021 
newClient in protect-ffi already handles env var fallback via
withEnvCredentials, so remove the manual fallback from
EncryptionClient. Add typedocs to ProtectClientConfig fields
documenting env var fallbacks, and remove stale TOML config
reference from ClientConfig.
@coderdan
chore: download latest EQL instead of bundling hardcoded SQL files
afeb1e5 
Remove hardcoded EQL SQL files from local/ and packages/schema/.
The local Docker setup now downloads the latest EQL release at
build time, and the drizzle migration generator fetches it at
runtime. This matches the pattern already used in stack-forge.
@coderdan
fix: sync array_index_mode to stack schema and clean up code
d2a9c3b 
- Add array_index_mode support to packages/stack/src/schema (was
  only in packages/schema, causing silent divergence)
- Update stack schema builder tests for array_index_mode
- Remove empty constructors from ProtectClient and EncryptionClient
- Replace TOCTOU existsSync check with try/catch in drizzle migration generator
@coderdan coderdan mentioned this pull request Mar 24, 2026
Open
@coderdan coderdan marked this pull request as ready for review March 24, 2026 10:19
@coderdan coderdan merged commit 913dbbb into main Mar 24, 2026
5 of 6 checks passed
@coderdan coderdan deleted the feat/update-ffi branch March 24, 2026 10:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tobyhede tobyhede tobyhede approved these changes

@calvinbrewer calvinbrewer Awaiting requested review from calvinbrewer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@coderdan @tobyhede