chore: bump cipherstash-client and stack-auth to 0.37.0

[coderdan]

Summary

Updates cipherstash-client and stack-auth to 0.37.0. Also bumps the lockstep crates cts-common and stack-profile to 0.37.0 so the dependency tree doesn't end up with duplicate 0.36/0.37 copies (cipherstash-client 0.37 pulls in the 0.37 versions transitively).

Transitive bumps that came along: cipherstash-config, cipherstash-core → 0.37.0, zerokms-protocol → 0.12.17.

This branch also includes the OIDC federation test coverage from #101 (merged in): bumps @cipherstash/auth to ^0.39.0 and adds OidcFederationStrategy contract tests, plus the AccessKeyStrategy.create full-CRN update across the existing strategy suites.

Testing

• cargo test — 71 passed
• npm run build:wasm — clean build + inline shim generated
• Full integration suite is green in CI (see the Tests check) — including tests/keyset.test.ts.

Local-only keyset failures (these pass in CI)

Running mise run test:integration:all locally shows 2 failures in tests/keyset.test.ts (Failed to load keyset: NotFound). They reproduce only against local credentials — root cause is a workspace-permission gap, visible in beforeAll:

Warning: grant_keyset failed (may be already granted): Failed to send request: Forbidden: Request forbidden

The local credentials can't provision/grant the Test keyset. CI runs with workspace credentials that can, so those tests — and the whole suite — pass green in CI. Either way it's environment/access-control related and independent of the version bump.

Summary by CodeRabbit

• Chores
  • Bumped several internal dependency versions to current releases for compatibility and stability.
• Tests
  • Added integration coverage for OIDC federation auth and enhanced wasm/JS auth strategy tests.
  • Updated test fixtures to use the full workspace identifier when constructing auth strategies.

[coderabbitai]

Too many files changed? Review this PR in Change Stack to see how the pieces fit before you dive in.

Warning

Review limit reached

@coderdan, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 42 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b3438aaf-fa33-43df-a3b6-6be5f7049fb3

📥 Commits

Reviewing files that changed from the base of the PR and between a8535c9 and a37dd25.

📒 Files selected for processing (1)

• integration-tests/tests/oidc-federation.test.ts

📝 Walkthrough

Walkthrough

Pins protect-ffi Rust dependencies to =0.37.0, updates integration-tests to use @cipherstash/auth v0.39, changes AccessKeyStrategy construction to accept the full workspace CRN in fixtures and wasm/js tests, and adds OIDC federation contract tests validating the AuthStrategy shape and error propagation.

Changes

Dependency pins and integration-test updates

Layer / File(s)	Summary
Rust dependency bump to 0.37.0 crates/protect-ffi/Cargo.toml	cipherstash-client, cts-common, stack-auth and stack-profile pinned from =0.36.0 to =0.37.0, preserving feature flags and the non-wasm target config.
Auth package update and CRN wiring changes integration-tests/package.json, integration-tests/tests/fixtures/event-loop-exit-jsbacked.cjs, integration-tests/tests/js-strategy.test.ts, integration-tests/tests/wasm-round-trip.test.ts	integration-tests updates @cipherstash/auth from ^0.38.0 to ^0.39.0. Fixtures and tests now pass the full CS_WORKSPACE_CRN into AccessKeyStrategy.create(...) instead of extracting a <region>.<provider> segment.
Add OIDC federation contract tests integration-tests/tests/oidc-federation.test.ts	New tests assert OidcFederationStrategy satisfies the FFI AuthStrategy shape (including getToken) and that a rejecting getToken causes newClient(...) to throw the original error.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• cipherstash/protectjs-ffi#78: Overlaps with dependency version updates in crates/protect-ffi/Cargo.toml.
• cipherstash/protectjs-ffi#101: Related test additions and CRN wiring changes in integration-tests.
• cipherstash/protectjs-ffi#90: Similar changes touching wasm round-trip auth strategy construction.

Suggested reviewers

• calvinbrewer
• freshtonic
• auxesis

Poem

🐇 I hopped through Cargo.toml to find,
Versions aligned, neat and kind.
Tests rewired, CRNs no longer split,
OIDC checks added — a tidy little bit.
Cheers from the rabbit, code now fits!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'chore: bump cipherstash-client and stack-auth to 0.37.0' accurately summarizes the main change of updating dependency versions in the protect-ffi crate, though it does not explicitly mention the secondary dependency bumps (cts-common, stack-profile) or the integration-test package.json update to @cipherstash/auth 0.39.0.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-cipherstash-stack-0.37

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the Rust-side CipherStash client/auth crate versions to 0.37.0 (plus related lockstep crates) and updates the JS integration test harness to @cipherstash/auth@^0.39.0, including new contract coverage for the OIDC federation strategy and updating AccessKeyStrategy.create call sites to use the full workspace CRN.

Changes:

• Bump Rust dependencies (cipherstash-client, stack-auth, cts-common, stack-profile) to 0.37.0 and update Cargo.lock accordingly.
• Bump @cipherstash/auth to ^0.39.0 in integration-tests and adjust strategy construction to pass the full workspace CRN.
• Add OidcFederationStrategy contract tests to validate structural compatibility with the FFI strategy contract and error propagation behavior.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
integration-tests/tests/wasm-round-trip.test.ts	Update wasm round-trip test to use full workspace CRN with AccessKeyStrategy.create.
integration-tests/tests/oidc-federation.test.ts	Add OIDC federation strategy contract tests.
integration-tests/tests/js-strategy.test.ts	Update JsBacked strategy tests to use full workspace CRN with AccessKeyStrategy.create.
integration-tests/tests/fixtures/event-loop-exit-jsbacked.cjs	Update fixture to use full workspace CRN with AccessKeyStrategy.create.
integration-tests/package.json	Bump @cipherstash/auth dependency to ^0.39.0.
integration-tests/package-lock.json	Lockfile updates for @cipherstash/auth@0.39.0 and local package version.
crates/protect-ffi/Cargo.toml	Bump Rust crate dependencies to =0.37.0.
Cargo.lock	Lockfile updates for Rust crate bumps, including zerokms-protocol transitive update.

Files not reviewed (1)

• integration-tests/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderdan]

Good catch — confirmed and fixed in a37dd25.

You're right that clientOpts from process.env made this non-deterministic. Verified empirically: with the CS_ vars unset, newClient resolves and deserializes the client key into a ProxyKeySet before it ever calls getToken, so it fails with a key-provider error (Client key not configured / Invalid client key: … expected struct ProxyKeySet) rather than the strategy error being asserted. A fabricated dummy key can't get past that eager structural check, so the test can't be made hermetic by swapping in dummy creds.

That test also used a generic { getToken } stub rather than the real OidcFederationStrategy, which made it an exact duplicate of js-strategy.test.ts's propagates a rejected getToken Promise (already runs in CI with creds) — so it added no OIDC-specific coverage.

Fix: dropped it and kept only the genuinely hermetic, OIDC-specific contract test (the real published OidcFederationStrategy constructs via .create and is structurally assignable to the FFI AuthStrategy with a callable getToken). It now passes identically with CS_ vars set or unset — no credentials, no network, no env dependence. The header points at js-strategy.test.ts for the newClient-propagation coverage.