fix(deps): bump cipherstash-client from 0.33.2 to 0.34.0-alpha.2

Migrate ZeroKMS initialization from config-builder chain
(ConsoleConfig/CtsConfig/ZeroKMSConfig/EnvSource) to the new
ZeroKMSBuilder + AutoStrategy API.

- Replace AutoRefresh<ServiceCredentials> with AutoStrategy
- Use ClientKey::from_hex_v1 for client key construction
- Update error variant: zerokms::Error::Credentials -> Error::Auth
- Add ZeroKMSBuilderError variant to Error enum
- Remove build_zerokms_config (replaced by init_zerokms_client)
- Update cts-common to 0.34.0-alpha.3
- Pin vitaminc to 0.1.0-pre4.1 (pre4.2 broke backward compat)

Author: tobyhede

Cargo.lock

@@ -43,8 +43,8 @@ debug = true
 
 [workspace.dependencies]
 sqltk = { version = "0.10.0" }
-cipherstash-client = { version = "0.33.2" }
-cts-common = { version = "0.4.1" }
+cipherstash-client = { version = "0.34.0-alpha.2" }
+cts-common = { version = "0.34.0-alpha.3" }
 
 thiserror = "2.0.9"
 tokio = { version = "1.44.2", features = ["full"] }

Cargo.toml

@@ -1,14 +1,12 @@
 #[cfg(test)]
 mod tests {
     use crate::common::trace;
-    use cipherstash_client::config::EnvSource;
-    use cipherstash_client::credentials::auto_refresh::AutoRefresh;
     use cipherstash_client::encryption::{
         Encrypted, EncryptedSteVecTerm, JsonIndexer, JsonIndexerOptions, OreTerm, Plaintext,
         PlaintextTarget, ReferencedPendingPipeline,
     };
+    use cipherstash_client::zerokms::{ClientKey, ZeroKMSBuilder};
     use cipherstash_client::{encryption::ScopedCipher, zerokms::EncryptedRecord};
-    use cipherstash_client::{ConsoleConfig, CtsConfig, ZeroKMSConfig};
     use cipherstash_config::column::{ArrayIndexMode, Index, IndexType};
     use cipherstash_config::{ColumnConfig, ColumnType};
     use cipherstash_proxy::Identifier;
@@ -129,16 +127,19 @@ mod tests {
         // clear().await;
         // let client = connect_with_tls(PROXY).await;
 
-        let console_config = ConsoleConfig::builder().with_env().build().unwrap();
-        let cts_config = CtsConfig::builder().with_env().build().unwrap();
-        let zerokms_config = ZeroKMSConfig::builder()
-            .add_source(EnvSource::default())
-            .console_config(&console_config)
-            .cts_config(&cts_config)
-            .build_with_client_key()
+        let client_id: uuid::Uuid = std::env::var("CS_CLIENT_ID")
+            .expect("CS_CLIENT_ID must be set")
+            .parse()
+            .expect("CS_CLIENT_ID must be a valid UUID");
+        let client_key_hex =
+            std::env::var("CS_CLIENT_KEY").expect("CS_CLIENT_KEY must be set");
+        let client_key = ClientKey::from_hex_v1(client_id, &client_key_hex)
+            .expect("CS_CLIENT_KEY must be valid hex");
+        let zerokms_client = ZeroKMSBuilder::auto()
+            .unwrap()
+            .with_client_key(client_key)
+            .build()
             .unwrap();
-        let zerokms_client = zerokms_config
-            .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials()));
 
         let dataset_id = Uuid::parse_str("295504329cb045c398dc464c52a287a1").unwrap();
 

packages/cipherstash-proxy-integration/src/generate.rs

@@ -54,9 +54,15 @@ tokio-rustls = "0.26.0"
 tokio-util = { version = "0.7.13", features = ["rt"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
+url = "2"
+# Pin vitaminc to 0.1.0-pre4.1 — pre4.2 removed root-level re-exports breaking cts-common
+vitaminc = { version = "= 0.1.0-pre4.1", features = ["random", "protected", "encrypt"] }
+vitaminc-random = { version = "= 0.1.0-pre4.1" }
+vitaminc-protected = { version = "= 0.1.0-pre4.1" }
+vitaminc-encrypt = { version = "= 0.1.0-pre4.1" }
+vitaminc-traits = { version = "= 0.1.0-pre4.1" }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
 x509-parser = "0.17.0"
-vitaminc-protected = "0.1.0-pre2"
 
 
 [dev-dependencies]

packages/cipherstash-proxy/Cargo.toml

@@ -54,6 +54,9 @@ pub enum Error {
     #[error(transparent)]
     ZeroKMS(#[from] ZeroKMSError),
 
+    #[error(transparent)]
+    ZeroKMSBuilder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError),
+
     #[error("Unknown error")]
     Unknown,
 

packages/cipherstash-proxy/src/error.rs

@@ -166,57 +166,3 @@ pub trait EncryptionService: Send + Sync {
     ) -> Result<Vec<Option<Plaintext>>, Error>;
 }
 
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::config::TandemConfig;
-    use crate::test_helpers::with_no_cs_vars;
-    use cts_common::WorkspaceId;
-
-    fn build_tandem_config(env: Vec<(&str, Option<&str>)>) -> TandemConfig {
-        with_no_cs_vars(|| {
-            temp_env::with_vars(env, || {
-                TandemConfig::build_path("tests/config/unknown.toml").unwrap()
-            })
-        })
-    }
-
-    fn default_env_vars() -> Vec<(&'static str, Option<&'static str>)> {
-        vec![
-            ("CS_DATABASE__USERNAME", Some("postgres")),
-            ("CS_DATABASE__PASSWORD", Some("password")),
-            ("CS_DATABASE__NAME", Some("db")),
-            ("CS_DATABASE__HOST", Some("localhost")),
-            ("CS_DATABASE__PORT", Some("5432")),
-            ("CS_ENCRYPT__KEYSET_ID", Some("c50d8463-60e9-41a5-86cd-5782e03a503c")),
-            ("CS_ENCRYPT__CLIENT_ID", Some("e40f1692-6bb7-4bbd-a552-4c0f155be073")),
-            ("CS_ENCRYPT__CLIENT_KEY", Some("a4627031a16b7065726d75746174696f6e90090e0805000b0d0c0106040f0a0302076770325f66726f6da16b7065726d75746174696f6e9007060a0b02090d080c00040f0305010e6570325f746fa16b7065726d75746174696f6e900a0206090b04050c070f0e010d030800627033a16b7065726d75746174696f6e98210514181d0818200a18190b1112181809130f15181a0717181e000e0103181f0d181c1602040c181b1006")),
-        ]
-    }
-
-    #[test]
-    fn build_zerokms_config_with_crn() {
-        with_no_cs_vars(|| {
-            let mut env = default_env_vars();
-            env.push(("CS_CLIENT_ACCESS_KEY", Some("client-access-key")));
-            env.push((
-                "CS_WORKSPACE_CRN",
-                Some("crn:ap-southeast-2.aws:3KISDURL3ZCWYZ2O"),
-            ));
-
-            let tandem_config = build_tandem_config(env);
-
-            let zerokms_config = zerokms::build_zerokms_config(&tandem_config).unwrap();
-
-            assert_eq!(
-                WorkspaceId::try_from("3KISDURL3ZCWYZ2O").unwrap(),
-                zerokms_config.workspace_id()
-            );
-
-            assert!(zerokms_config
-                .base_url()
-                .to_string()
-                .contains("ap-southeast-2.aws"));
-        });
-    }
-}

packages/cipherstash-proxy/src/proxy/mod.rs

@@ -4,56 +4,43 @@ mod zerokms;
 pub use zerokms::ZeroKms;
 
 use crate::config::TandemConfig;
-use cipherstash_client::config::{ConfigError, ZeroKMSConfigWithClientKey};
 use cipherstash_client::{
-    config::EnvSource,
-    credentials::{auto_refresh::AutoRefresh, ServiceCredentials},
-    zerokms::ClientKey,
-    ConsoleConfig, CtsConfig, ZeroKMS, ZeroKMSConfig,
+    zerokms::{ClientKey, ZeroKMSBuilder, ZeroKMSBuilderError},
+    AutoStrategy, ZeroKMS,
 };
 
-pub type ScopedCipher =
-    cipherstash_client::encryption::ScopedCipher<AutoRefresh<ServiceCredentials>>;
+pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher<AutoStrategy>;
 
-pub type ZerokmsClient = ZeroKMS<AutoRefresh<ServiceCredentials>, ClientKey>;
+pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 
 pub(crate) fn init_zerokms_client(
     config: &TandemConfig,
-) -> Result<ZeroKMS<AutoRefresh<ServiceCredentials>, ClientKey>, ConfigError> {
-    let zerokms_config = build_zerokms_config(config)?;
-
-    Ok(zerokms_config
-        .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials())))
-}
-
-pub fn build_zerokms_config(
-    config: &TandemConfig,
-) -> Result<ZeroKMSConfigWithClientKey, ConfigError> {
-    let console_config = ConsoleConfig::builder().with_env().build()?;
-
-    let builder = CtsConfig::builder().with_env();
-    let builder = if let Some(cts_host) = config.cts_host() {
-        builder.base_url(&cts_host)
-    } else {
-        builder
-    };
-    let cts_config = builder.build()?;
-
-    // Not using with_env because the proxy config should take precedence
-    let builder = ZeroKMSConfig::builder()
-        .add_source(EnvSource::default())
-        .workspace_crn(config.auth.workspace_crn.clone())
-        .access_key(&config.auth.client_access_key)
-        .try_with_client_id(&config.encrypt.client_id)?
-        .try_with_client_key(&config.encrypt.client_key)?
-        .console_config(&console_config)
-        .cts_config(&cts_config);
-
-    let builder = if let Some(zerokms_host) = config.zerokms_host() {
-        builder.base_url(zerokms_host)
-    } else {
-        builder
-    };
-
-    builder.build_with_client_key()
+) -> Result<ZerokmsClient, ZeroKMSBuilderError> {
+    // 1. Build auth strategy from proxy config
+    let strategy = AutoStrategy::builder()
+        .with_access_key(&config.auth.client_access_key)
+        .with_workspace_crn(config.auth.workspace_crn.clone())
+        .detect()?;
+
+    // 2. Parse client key
+    let client_id: uuid::Uuid = config
+        .encrypt
+        .client_id
+        .parse()
+        .expect("client_id must be a valid UUID");
+    let client_key = ClientKey::from_hex_v1(client_id, &config.encrypt.client_key)
+        .expect("client_key must be valid hex");
+
+    // 3. Build ZeroKMS client (with_base_url must be called before with_client_key)
+    let mut builder = ZeroKMSBuilder::new(strategy);
+
+    // Optional: override ZeroKMS endpoint for development
+    if let Some(zerokms_host) = config.zerokms_host() {
+        let url: url::Url = zerokms_host
+            .parse()
+            .expect("zerokms_host must be a valid URL");
+        builder = builder.with_base_url(url);
+    }
+
+    builder.with_client_key(client_key).build()
 }

packages/cipherstash-proxy/src/proxy/zerokms/mod.rs

@@ -137,7 +137,7 @@ impl ZeroKms {
                         }
                         .into())
                     }
-                    cipherstash_client::zerokms::Error::Credentials(_) => {
+                    cipherstash_client::zerokms::Error::Auth(_) => {
                         Err(ZeroKMSError::AuthenticationFailed.into())
                     }
                     _ => Err(Error::ZeroKMS(err.into())),