fix: backport stack-auth token-refresh fix (CIP-3159)

Access-key auth on 2.2.2 saw ZeroKMS "Request not authorized" begin ~15 min (the access-token lifetime) after startup. A get_token() future cancelled in the post-HTTP, pre-install window of stack-auth's AutoRefresh::refresh_non_blocking defused its CancelGuard too early, stranding refresh_in_progress = true. Every later refresh then wedged; once the cached token crossed real expiry, callers hung in wait_for_in_flight_refresh forever.

The upstream fix (move defuse() after the token install + flag clear) first ships in stack-auth >= 0.36.0, but bumping cipherstash-client to that line drags in an unrelated EQL API redesign. Instead, vendor the published stack-auth 0.34.1-alpha.4 source, apply the CancelGuard reordering, and override the transitive dependency via [patch.crates-io] (same version satisfies cipherstash-client's exact pin, so no republish). Includes a regression test that fails on the pre-fix ordering.

Remove the patch once Proxy moves to cipherstash-client built against stack-auth >= 0.36.0.

Author: freshtonic

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+### Fixed
+
+- **ZeroKMS authentication failures ~15 minutes after startup**: Fixed a token-refresh wedge in the access-key authentication path. When an in-flight request was cancelled at the wrong moment (for example, a client disconnecting mid-query), token refresh could permanently stall, causing `ZeroKMS error: Request not authorized` on all encrypt/decrypt operations roughly 15 minutes (the access-token lifetime) after connecting. Connections worked on startup and then began failing in lockstep. Backports the upstream `stack-auth` token-refresh fix (CIP-3159).
+
 ## [2.2.2] - 2026-06-01
 
 ### Fixed

Cargo.lock

@@ -1,6 +1,8 @@
 [workspace]
 resolver = "2"
 members = ["packages/*"]
+# Vendored crate is consumed only via [patch.crates-io] below, not as a member.
+exclude = ["vendor/stack-auth"]
 
 [workspace.package]
 version = "2.2.2"
@@ -56,3 +58,13 @@ tracing-subscriber = { version = "^0.3.20", features = [
   "env-filter",
   "std",
 ] }
+
+# HOTFIX (CIP-3159): backport the stack-auth token-refresh CancelGuard fix onto
+# the 0.34.1-alpha.4 source that cipherstash-client 0.34.1-alpha.4 pins. Without
+# this, a cancelled get_token() future could strand `refresh_in_progress = true`,
+# wedging all later refreshes and causing ZeroKMS "Request not authorized" exactly
+# ~15 min (token TTL) after startup. The patch keeps version 0.34.1-alpha.4 so it
+# satisfies cipherstash-client's exact pin while replacing the registry source.
+# Remove once Proxy moves to a cipherstash-client built against stack-auth >= 0.36.0.
+[patch.crates-io]
+stack-auth = { path = "vendor/stack-auth" }

Cargo.toml

@@ -0,0 +1 @@
+/target

vendor/stack-auth/.gitignore

@@ -0,0 +1,167 @@
+
+
+
+### Miscellaneous
+
+- release v0.34.1-alpha.2
+
+
+### Miscellaneous
+
+- release
+- use explicit versions for cipherstash-client and stack-auth
+
+
+### Miscellaneous
+
+- updated the following local packages: cts-common, cts-common, stack-profile, zerokms-protocol
+
+
+### Documentation
+
+- 📝 add TypeScript example for AutoStrategy usage
+- 📝 add CHANGELOG.md for @cipherstash/auth
+- 📝 add INVALID_CRN to changelog error codes
+- 📝 demonstrate whoami (subject/workspace) in examples
+- 📝 update CHANGELOG with whoami fields and security notes
+
+### Features
+
+- ✨ expose auth strategies in @cipherstash/auth Node bindings
+- ✨ add subject() and workspace_id() to ServiceToken
+- add multi-workspace profile support (CIP-2942)
+- require workspace to exist before switching
+
+### Fixes
+
+- 🩹 add INVALID_CRN error code and deduplicate zerokms_url
+- 🔒️ derive OpaqueDebug on TokenResult to prevent token leaks
+- 🔒️ derive OpaqueDebug on AutoStrategyOptions
+- update integration tests for workspace-scoped profiles
+- hard-error on token persistence failure, strengthen test assertions
+- use npm install instead of npm ci in integration test tasks
+
+### Miscellaneous
+
+- 🔖 bump @cipherstash/auth to 0.35.0
+- 🔧 regenerate index.d.ts from napi build
+- release
+
+### Refactoring
+
+- ♻️ restructure stack-auth-node tests to follow conventions
+- simplify workspace store usage
+
+### Testing
+
+- ✅ add unit tests for exposed auth strategies
+
+### Style
+
+- 💄 fix cargo fmt formatting
+- 🎨 remove redundant comments from examples
+
+
+### Documentation
+
+- 📝 add TypeScript example for AutoStrategy usage
+- 📝 add CHANGELOG.md for @cipherstash/auth
+- 📝 add INVALID_CRN to changelog error codes
+- 📝 demonstrate whoami (subject/workspace) in examples
+- 📝 update CHANGELOG with whoami fields and security notes
+
+### Features
+
+- ✨ expose auth strategies in @cipherstash/auth Node bindings
+- ✨ add subject() and workspace_id() to ServiceToken
+
+### Fixes
+
+- 🩹 add INVALID_CRN error code and deduplicate zerokms_url
+- 🔒️ derive OpaqueDebug on TokenResult to prevent token leaks
+- 🔒️ derive OpaqueDebug on AutoStrategyOptions
+
+### Miscellaneous
+
+- 🔖 bump @cipherstash/auth to 0.35.0
+- 🔧 regenerate index.d.ts from napi build
+
+### Refactoring
+
+- ♻️ restructure stack-auth-node tests to follow conventions
+
+### Testing
+
+- ✅ add unit tests for exposed auth strategies
+
+### Style
+
+- 💄 fix cargo fmt formatting
+- 🎨 remove redundant comments from examples
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+### Features
+
+- add provisionDeviceClient Node.js binding and tests
+
+### Fixes
+
+- lock file
+- add User-Agent header, rename to device_client, surface errors
+
+### Miscellaneous
+
+- clean up test imports and simplify mise task
+
+### Refactoring
+
+- extract device client provisioning from CLI into stack-auth
+- rename provisionDeviceClient to bindClientDevice
+
+
+### Documentation
+
+- add README for stack-auth and include it as module docs
+- add README for @cipherstash/auth npm package
+
+### Fixes
+
+- remove blank line to satisfy cargo fmt
+- update vitaminc imports for 0.1.0-pre4.2 module restructure
+
+
+### Documentation
+
+- 📝 move token refresh docs and mermaid diagram to public AuthStrategy trait
+
+### Fixes
+
+- 🐛 fix race condition in get_token() when token expires during refresh
+
+### Testing
+
+- ✅ restructure auto_refresh tests into nested scenario modules
+
+
+### Documentation
+
+- 📝 fix AutoStrategy docs to reference CS_WORKSPACE_CRN not CS_REGION
+
+### Features
+
+- add AutoStrategyBuilder, Option<T> KeyProvider, and SecretKey::from_hex
+
+### Fixes
+
+- 🔥 remove unreleased AutoStrategy::new() deprecated method
+- 🩹 remove unnecessary bytes.clone() and improve MissingWorkspaceCrn message
+- 🩹 address PR review feedback
+
+### Refactoring
+
+- ♻️ replace with_region with with_workspace_crn and add