Summary
Rename the encryption client's auth strategy field from strategy to authStrategy to make its purpose clear, and document the client's authentication and keyset model properly in the Encryption() TypeDoc.
Scope
- Rename (backwards compatible):
ClientConfig.authStrategy becomes the documented field; ClientConfig.strategy is retained as a @deprecated alias that still works but logs a one-time runtime deprecation warning. authStrategy wins when both are set.
- TypeDoc rewrite for
Encryption():
- Default
auto strategy (env vars → local dev profile, which also supplies the client key).
npx stash auth login for local development.
- The four
CS_* env vars for production/CI (table + dashboard link).
- Custom strategies via
authStrategy — AccessKeyStrategy and OidcFederationStrategy.
- Lock context as an identity-bound capability on top of
OidcFederationStrategy.
- Keysets for multi-tenant isolation (one client per tenant).
- Tests for the
authStrategy field, the deprecated strategy alias (forwarding + warning), and precedence.
Resolved by
#562
Related follow-ups
Summary
Rename the encryption client's auth strategy field from
strategytoauthStrategyto make its purpose clear, and document the client's authentication and keyset model properly in theEncryption()TypeDoc.Scope
ClientConfig.authStrategybecomes the documented field;ClientConfig.strategyis retained as a@deprecatedalias that still works but logs a one-time runtime deprecation warning.authStrategywins when both are set.Encryption():autostrategy (env vars → local dev profile, which also supplies the client key).npx stash auth loginfor local development.CS_*env vars for production/CI (table + dashboard link).authStrategy—AccessKeyStrategyandOidcFederationStrategy.OidcFederationStrategy.authStrategyfield, the deprecatedstrategyalias (forwarding + warning), and precedence.Resolved by
#562
Related follow-ups