docs: sync documentation after cipherstash-client 0.34 upgrade

Fix stale references across project documentation identified by
dual-verification review:

- CLAUDE.md: fix non-existent directory refs (encrypt/ → proxy/zerokms/,
  eql/ → proxy/encrypt_config/), add [env] header to mise snippet,
  remove disabled Elixir from test list, clarify check description
- errors.md: fix ZeroKMS anchor mismatch (broken production help link),
  update UnsupportedParameterType message, fix TOC (duplicate entry,
  double-encrypt link, missing ZeroKMS entry), add MissingEncryptConfiguration
  and UnexpectedSetKeyset sections
- CHANGELOG.md: add missing v2.1.21/v2.1.22 link definitions, update
  Unreleased compare link, add cipherstash-client upgrade entry

Author: tobyhede

CHANGELOG.md

@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 
 - **Log target renamed**: `KEYSET` log target renamed to `ZEROKMS`. The environment variable `CS_LOG__KEYSET_LEVEL` is now `CS_LOG__ZEROKMS_LEVEL`.
+- **Dependency upgrade**: Updated `cipherstash-client` from 0.33.2 to 0.34.0-alpha.4 with new `ZeroKMSBuilder` API and `AutoStrategy` authentication.
 
 ### Removed
 
@@ -247,7 +248,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Integration with CipherStash ZeroKMS.
 - Encrypt Query Language (EQL) for indexing and searching encrypted data.
 
-[Unreleased]: https://github.com/cipherstash/proxy/compare/v2.1.20...HEAD
+[Unreleased]: https://github.com/cipherstash/proxy/compare/v2.1.22...HEAD
+[2.1.22]: https://github.com/cipherstash/proxy/releases/tag/v2.1.22
+[2.1.21]: https://github.com/cipherstash/proxy/releases/tag/v2.1.21
 [2.1.20]: https://github.com/cipherstash/proxy/releases/tag/v2.1.20
 [2.1.9]: https://github.com/cipherstash/proxy/releases/tag/v2.1.9
 [2.1.8]: https://github.com/cipherstash/proxy/releases/tag/v2.1.8

CLAUDE.md

@@ -18,9 +18,9 @@ Key capabilities:
 
 **Core Proxy (`packages/cipherstash-proxy/`):**
 - `postgresql/` - PostgreSQL wire protocol implementation, message parsing, and client handling
-- `encrypt/` - Integration with CipherStash ZeroKMS for key management and encryption operations
+- `proxy/zerokms/` - ZeroKMS client initialization and key management
 - `config/` - Configuration management for database connections, TLS, and encryption settings
-- `eql/` - EQL v2 types and encryption abstractions
+- `proxy/encrypt_config/` - Encryption configuration and schema management
 
 **EQL Mapper (`packages/eql-mapper/`):**
 - SQL parsing and type inference engine
@@ -29,7 +29,7 @@ Key capabilities:
 
 **Integration Tests (`packages/cipherstash-proxy-integration/`):**
 - Comprehensive test suite covering encryption scenarios
-- Language-specific integration tests (Python, Go, Elixir)
+- Language-specific integration tests (Python, Go)
 
 **Showcase (`packages/showcase/`):**
 - Healthcare data model demonstrating EQL v2 encryption
@@ -76,7 +76,7 @@ mise run reset
 # Full test suite (hygiene + unit + integration)
 mise run test
 
-# Hygiene checks only
+# Hygiene checks (compilation, formatting, clippy)
 mise run check
 
 # Unit tests only
@@ -111,6 +111,7 @@ mise run postgres:down
 ### Authentication & Encryption
 Proxy requires CipherStash credentials configured in `mise.local.toml`:
 ```toml
+[env]
 CS_WORKSPACE_CRN = "crn:region:workspace-id"
 CS_CLIENT_ACCESS_KEY = "your-access-key"
 CS_DEFAULT_KEYSET_ID = "your-keyset-id"

Cargo.lock

@@ -5,6 +5,7 @@
 - Authentication errors:
   - [Database](#authentication-failed-database)
   - [Client](#authentication-failed-client)
+  - [ZeroKMS](#zerokms-authentication-failed)
 
 - Mapping errors:
   - [Invalid parameter](#mapping-invalid-parameter)
@@ -15,8 +16,7 @@
 
 - Encrypt errors:
   - [Column could not be encrypted](#encrypt-column-could-not-be-encrypted)
-  - [Column could not be encrypted](#encrypt-column-could-not-be-encrypted)
-  - [Could not decrypt data for keyset](#encrypt-encrypt-could-not-decrypt-data-for-keyset)
+  - [Could not decrypt data for keyset](#encrypt-could-not-decrypt-data-for-keyset)
   - [KeysetId could not be parsed](#encrypt-keyset-id-could-not-be-parsed)
   - [KeysetId could not be set](#encrypt-keyset-id-could-not-be-set)
   - [KeysetName could not be set](#encrypt-keyset-name-could-not-be-set)
@@ -26,6 +26,8 @@
   - [Unknown table](#encrypt-unknown-table)
   - [Unknown index term](#encrypt-unknown-index-term)
   - [Column configuration mismatch](#encrypt-column-config-mismatch)
+  - [Missing encrypt configuration](#encrypt-missing-encrypt-configuration)
+  - [Unexpected SET keyset](#encrypt-unexpected-set-keyset)
 
 - Decrypt errors:
    - [Column could not be deserialised](#encrypt-column-could-not-be-deserialised)
@@ -91,7 +93,7 @@ Client authentication failed. Check username and password.
 <!-- ---------------------------------------------------------------------------------------------------- -->
 
 
-## ZeroKMS  <a id='authentication-failed-zerokms'></a>
+## ZeroKMS  <a id='zerokms-authentication-failed'></a>
 
 Authentication failed when connecting to ZeroKMS.
 
@@ -184,7 +186,7 @@ The parameter type is not supported.
 ### Error message
 
 ```
-Encryption of PostgreSQL {name} (OID {oid}) types is not currently supported.
+Encryption of EQL column {column_type} using strategy {eql_term} is not supported.
 ```
 
 ### How to fix
@@ -577,6 +579,41 @@ If the error persists, please contact CipherStash [support](https://cipherstash.
 <!-- ---------------------------------------------------------------------------------------------------- -->
 
 
+## Missing encrypt configuration <a id='encrypt-missing-encrypt-configuration'></a>
+
+The encrypted column type does not have a matching encrypt configuration.
+
+
+### Error message
+
+```
+Missing encrypt configuration for column type `{plaintext_type}`.
+```
+
+### How to fix
+
+1. Define the encrypted configuration for the column type using [EQL](https://github.com/cipherstash/encrypt-query-language).
+2. If this error persists, please contact CipherStash [support](https://cipherstash.com/support) as this may indicate a bug.
+
+
+<!-- ---------------------------------------------------------------------------------------------------- -->
+
+
+## Unexpected SET keyset <a id='encrypt-unexpected-set-keyset'></a>
+
+A `SET CIPHERSTASH.KEYSET` statement was used when a default keyset has already been configured.
+
+
+### Error message
+
+```
+Cannot SET CIPHERSTASH.KEYSET if a default keyset has been configured.
+```
+
+### How to fix
+
+1. Remove the `SET CIPHERSTASH.KEYSET` statement from your application code.
+2. Or remove the `default_keyset_id` from the proxy configuration to allow dynamic keyset selection.
 
 
 <!-- ---------------------------------------------------------------------------------------------------- -->

docs/errors.md

@@ -57,6 +57,7 @@ tracing-subscriber = { workspace = true }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
 vitaminc-protected = "0.1.0-pre4.2"
 x509-parser = "0.17.0"
+url = "2.5.8"
 
 
 [dev-dependencies]

packages/cipherstash-proxy/Cargo.toml

@@ -67,6 +67,12 @@ pub struct DevelopmentConfig {
 
     #[serde(default)]
     pub enable_mapping_errors: bool,
+
+    #[serde(default)]
+    pub zerokms_host: Option<String>,
+
+    #[serde(default)]
+    pub cts_host: Option<String>,
 }
 
 /// Config defaults to a file called `tandem` in the current directory.
@@ -252,6 +258,18 @@ impl TandemConfig {
         }
     }
 
+    pub fn zerokms_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.zerokms_host.clone())
+    }
+
+    pub fn cts_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.cts_host.clone())
+    }
+
     pub fn use_structured_logging(&self) -> bool {
         matches!(self.log.format, LogFormat::Structured)
     }

packages/cipherstash-proxy/src/config/tandem.rs

@@ -9,12 +9,22 @@ use cipherstash_client::{
     zerokms::{ClientKey, ZeroKMSBuilder},
     AutoStrategy, ZeroKMS,
 };
+use url::Url;
 
 pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher<AutoStrategy>;
 
 pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 
 pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result<ZerokmsClient, Error> {
+    if config.cts_host().is_some() {
+        tracing::warn!(
+            target: "config",
+            "development.cts_host is configured but no longer supported. \
+             CTS endpoint is now resolved automatically from credentials. \
+             Remove development.cts_host from your configuration."
+        );
+    }
+
     let strategy = AutoStrategy::builder()
         .with_access_key(&config.auth.client_access_key)
         .with_workspace_crn(config.auth.workspace_crn.clone())
@@ -26,6 +36,17 @@ pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result<ZerokmsClient
 
     let client_key = config.encrypt.build_client_key()?;
 
-    let builder = ZeroKMSBuilder::new(strategy);
+    let mut builder = ZeroKMSBuilder::new(strategy);
+
+    if let Some(zerokms_host) = config.zerokms_host() {
+        let url = Url::parse(&zerokms_host).map_err(|_| {
+            Error::from(crate::error::ConfigError::InvalidParameter {
+                name: "development.zerokms_host".to_string(),
+                value: zerokms_host,
+            })
+        })?;
+        builder = builder.with_base_url(url);
+    }
+
     Ok(builder.with_client_key(client_key).build()?)
 }