fix(config): restore development endpoint overrides for zerokms_host

The cipherstash-client 0.34 migration removed development.zerokms_host
and development.cts_host from DevelopmentConfig. Existing configs with
these keys were silently ignored, regressing local and non-prod setups.

- Restore zerokms_host and wire through to ZeroKMSBuilder::with_base_url()
- Restore cts_host field but warn at startup since the new client library
  resolves CTS endpoint from credentials automatically
- Add url crate dependency for Url::parse

Author: tobyhede

Cargo.lock

@@ -57,6 +57,7 @@ tracing-subscriber = { workspace = true }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
 vitaminc-protected = "0.1.0-pre4.2"
 x509-parser = "0.17.0"
+url = "2.5.8"
 
 
 [dev-dependencies]

packages/cipherstash-proxy/Cargo.toml

@@ -67,6 +67,12 @@ pub struct DevelopmentConfig {
 
     #[serde(default)]
     pub enable_mapping_errors: bool,
+
+    #[serde(default)]
+    pub zerokms_host: Option<String>,
+
+    #[serde(default)]
+    pub cts_host: Option<String>,
 }
 
 /// Config defaults to a file called `tandem` in the current directory.
@@ -252,6 +258,18 @@ impl TandemConfig {
         }
     }
 
+    pub fn zerokms_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.zerokms_host.clone())
+    }
+
+    pub fn cts_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.cts_host.clone())
+    }
+
     pub fn use_structured_logging(&self) -> bool {
         matches!(self.log.format, LogFormat::Structured)
     }

packages/cipherstash-proxy/src/config/tandem.rs

@@ -9,12 +9,22 @@ use cipherstash_client::{
     zerokms::{ClientKey, ZeroKMSBuilder},
     AutoStrategy, ZeroKMS,
 };
+use url::Url;
 
 pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher<AutoStrategy>;
 
 pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 
 pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result<ZerokmsClient, Error> {
+    if config.cts_host().is_some() {
+        tracing::warn!(
+            target: "config",
+            "development.cts_host is configured but no longer supported. \
+             CTS endpoint is now resolved automatically from credentials. \
+             Remove development.cts_host from your configuration."
+        );
+    }
+
     let strategy = AutoStrategy::builder()
         .with_access_key(&config.auth.client_access_key)
         .with_workspace_crn(config.auth.workspace_crn.clone())
@@ -26,6 +36,17 @@ pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result<ZerokmsClient
 
     let client_key = config.encrypt.build_client_key()?;
 
-    let builder = ZeroKMSBuilder::new(strategy);
+    let mut builder = ZeroKMSBuilder::new(strategy);
+
+    if let Some(zerokms_host) = config.zerokms_host() {
+        let url = Url::parse(&zerokms_host).map_err(|_| {
+            Error::from(crate::error::ConfigError::InvalidParameter {
+                name: "development.zerokms_host".to_string(),
+                value: zerokms_host,
+            })
+        })?;
+        builder = builder.with_base_url(url);
+    }
+
     Ok(builder.with_client_key(client_key).build()?)
 }