cipherstash · freshtonic · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [2.2.3] - 2026-06-17
+
+### Fixed
+
+- **ZeroKMS authentication failures ~15 minutes after startup**: Fixed an issue in the access-key authentication path where, after an in-flight request was interrupted at the wrong moment (for example, a client disconnecting mid-query), access-token renewal could stall. This caused `ZeroKMS error: Request not authorized` on all encrypt/decrypt operations roughly 15 minutes (the access-token lifetime) after connecting — connections worked on startup and then began failing in lockstep.
+
 ## [2.2.2] - 2026-06-01
 
 ### Fixed
@@ -261,7 +267,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Integration with CipherStash ZeroKMS.
 - Encrypt Query Language (EQL) for indexing and searching encrypted data.
 
-[Unreleased]: https://github.com/cipherstash/proxy/compare/v2.2.2...HEAD
+[Unreleased]: https://github.com/cipherstash/proxy/compare/v2.2.3...HEAD
+[2.2.3]: https://github.com/cipherstash/proxy/compare/v2.2.2...v2.2.3
 [2.2.2]: https://github.com/cipherstash/proxy/compare/v2.2.1...v2.2.2
 [2.2.1]: https://github.com/cipherstash/proxy/compare/v2.2.0-alpha.1...v2.2.1
 [2.2.0-alpha.1]: https://github.com/cipherstash/proxy/compare/v2.1.22...v2.2.0-alpha.1

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,9 +1,11 @@
 [workspace]
 resolver = "2"
 members = ["packages/*"]
+# Vendored crate is consumed only via [patch.crates-io] below, not as a member.
+exclude = ["vendor/stack-auth"]
 
 [workspace.package]
-version = "2.2.2"
+version = "2.2.3"
 edition = "2021"
 
 [profile.dev]
@@ -56,3 +58,13 @@ tracing-subscriber = { version = "^0.3.20", features = [
   "env-filter",
   "std",
 ] }
+
+# HOTFIX (CIP-3159): backport the stack-auth token-refresh CancelGuard fix onto
+# the 0.34.1-alpha.4 source that cipherstash-client 0.34.1-alpha.4 pins. Without
+# this, a cancelled get_token() future could strand `refresh_in_progress = true`,
+# wedging all later refreshes and causing ZeroKMS "Request not authorized" exactly
+# ~15 min (token TTL) after startup. The patch keeps version 0.34.1-alpha.4 so it
+# satisfies cipherstash-client's exact pin while replacing the registry source.
+# Remove once Proxy moves to a cipherstash-client built against stack-auth >= 0.36.0.
+[patch.crates-io]
+stack-auth = { path = "vendor/stack-auth" }
diff --git a/vendor/stack-auth/.gitignore b/vendor/stack-auth/.gitignore
@@ -0,0 +1 @@
+/target