refactor(config): move client_key validation to build() and remove dev endpoint config

Move ClientKey::from_hex_v1 validation from load() to build() so all
config validation happens in one place. This also ensures build_path()
callers get the same validation. Add EncryptConfig::client_key() accessor
that returns Result instead of requiring callers to validate manually.

Replace expect() with proper error propagation in init_zerokms_client.
Remove zerokms_host/cts_host dev config fields now handled directly by
cipherstash-client via CS_ZEROKMS_HOST/CS_CTS_HOST env vars.

Author: tobyhede

Cargo.lock

@@ -501,29 +501,14 @@ Certificates are generated by `mkcert`, and live in `tests/tls/`.
 
 #### Configuration: development endpoints
 
+ZeroKMS and CTS host endpoints can be configured for local development using environment variables.
 
-ZeroKMS and CTS host endpoints can be configured for local development.
+These are read directly by `cipherstash-client` and do not require proxy configuration:
 
-Env variables are `CS_DEVELOPMENT__ZEROKMS_HOST` and `CS_DEVELOPMENT__CTS_HOST`.
-
-
-```toml
-
-[development]
-# ZeroKMS host
-# Optional
-# Defaults to CipherStash Production ZeroKMS host
-# Env: CS_DEVELOPMENT__ZEROKMS_HOST
-zerokms_host = "1.1.1.1"
-
-
-# CTS host
-# Optional
-# Defaults to CipherStash Production CTS host
-# Env: CS_DEVELOPMENT__CTS_HOST
-cts_host = "1.1.1.1"
-
-```
+| Variable | Description |
+|---|---|
+| `CS_ZEROKMS_HOST` | Override ZeroKMS endpoint (default: resolved from JWT `services` claim) |
+| `CS_CTS_HOST` | Override CTS auth endpoint (default: resolved from workspace CRN region) |
 
 
 

DEVELOPMENT.md

@@ -54,7 +54,6 @@ tokio-rustls = "0.26.0"
 tokio-util = { version = "0.7.13", features = ["rt"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
-url = "2"
 # Pin vitaminc to 0.1.0-pre4.1 — pre4.2 removed root-level re-exports breaking cts-common
 vitaminc = { version = "= 0.1.0-pre4.1", features = ["random", "protected", "encrypt"] }
 vitaminc-random = { version = "= 0.1.0-pre4.1" }

packages/cipherstash-proxy/Cargo.toml

@@ -67,12 +67,6 @@ pub struct DevelopmentConfig {
 
     #[serde(default)]
     pub enable_mapping_errors: bool,
-
-    #[serde(default)]
-    pub zerokms_host: Option<url::Url>,
-
-    #[serde(default)]
-    pub cts_host: Option<String>,
 }
 
 /// Config defaults to a file called `tandem` in the current directory.
@@ -114,9 +108,6 @@ impl TandemConfig {
             config.log.format = args.log_format;
         }
 
-        ClientKey::from_hex_v1(config.encrypt.client_id, &config.encrypt.client_key)
-            .map_err(|e| ConfigError::InvalidClientKey(e.into()))?;
-
         Ok(config)
     }
 
@@ -226,6 +217,9 @@ impl TandemConfig {
                 }
             })?;
 
+        ClientKey::from_hex_v1(config.encrypt.client_id, &config.encrypt.client_key)
+            .map_err(|e| ConfigError::InvalidClientKey(e.into()))?;
+
         Ok(config)
     }
 
@@ -250,18 +244,6 @@ impl TandemConfig {
         }
     }
 
-    pub fn zerokms_host(&self) -> Option<url::Url> {
-        self.development
-            .as_ref()
-            .and_then(|dev| dev.zerokms_host.clone())
-    }
-
-    pub fn cts_host(&self) -> Option<String> {
-        self.development
-            .as_ref()
-            .and_then(|dev| dev.cts_host.clone())
-    }
-
     pub fn use_structured_logging(&self) -> bool {
         matches!(self.log.format, LogFormat::Structured)
     }
@@ -344,6 +326,13 @@ impl TandemConfig {
     }
 }
 
+impl EncryptConfig {
+    pub fn client_key(&self) -> Result<ClientKey, Error> {
+        ClientKey::from_hex_v1(self.client_id, &self.client_key)
+            .map_err(|e| ConfigError::InvalidClientKey(e.into()).into())
+    }
+}
+
 impl PrometheusConfig {
     pub fn default_port() -> u16 {
         9930
@@ -435,7 +424,7 @@ mod tests {
                         Some("11111111-1111-1111-1111-111111111111"),
                     ),
                     (CS_CLIENT_ID, Some("22222222-2222-2222-2222-222222222222")),
-                    (CS_CLIENT_KEY, Some("test_key")),
+                    (CS_CLIENT_KEY, Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")),
                     (
                         CS_DEFAULT_KEYSET_ID,
                         Some("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"),
@@ -594,7 +583,7 @@ mod tests {
     fn default_env_vars() -> Vec<(&'static str, Option<&'static str>)> {
         vec![
             ("CS_CLIENT_ID", Some("00000000-0000-0000-0000-000000000000")),
-            ("CS_CLIENT_KEY", Some("CS_CLIENT_KEY")),
+            ("CS_CLIENT_KEY", Some("a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14")),
             (
                 "CS_DEFAULT_KEYSET_ID",
                 Some("00000000-0000-0000-0000-000000000000"),

packages/cipherstash-proxy/src/config/tandem.rs

@@ -4,31 +4,25 @@ mod zerokms;
 pub use zerokms::ZeroKms;
 
 use crate::config::TandemConfig;
+use crate::error::{Error, ZeroKMSError};
 use cipherstash_client::{
-    zerokms::{ClientKey, ZeroKMSBuilder, ZeroKMSBuilderError},
+    zerokms::{ClientKey, ZeroKMSBuilder},
     AutoStrategy, ZeroKMS,
 };
 
 pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher<AutoStrategy>;
 
 pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 
-pub(crate) fn init_zerokms_client(
-    config: &TandemConfig,
-) -> Result<ZerokmsClient, ZeroKMSBuilderError> {
+pub(crate) fn init_zerokms_client(config: &TandemConfig) -> Result<ZerokmsClient, Error> {
     let strategy = AutoStrategy::builder()
         .with_access_key(&config.auth.client_access_key)
         .with_workspace_crn(config.auth.workspace_crn.clone())
-        .detect()?;
+        .detect()
+        .map_err(|_| ZeroKMSError::AuthenticationFailed)?;
 
-    let client_key = ClientKey::from_hex_v1(config.encrypt.client_id, &config.encrypt.client_key)
-        .expect("validated during config loading");
+    let client_key = config.encrypt.client_key()?;
 
-    let mut builder = ZeroKMSBuilder::new(strategy);
-
-    if let Some(url) = config.zerokms_host() {
-        builder = builder.with_base_url(url);
-    }
-
-    builder.with_client_key(client_key).build()
+    let builder = ZeroKMSBuilder::new(strategy);
+    Ok(builder.with_client_key(client_key).build()?)
 }

packages/cipherstash-proxy/src/proxy/zerokms/mod.rs

@@ -16,4 +16,4 @@ client_access_key = "client_access_key"
 [encrypt]
 default_keyset_id = "484cd205-99e8-41ca-acfe-55a7e25a8ec2" # generated guid for validation
 client_id = "5912717c-2c3b-4fb6-a051-0a8e71cd9e37"  # generated guid for validation
-client_key = "client_key"
+client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14"

packages/cipherstash-proxy/tests/config/cipherstash-proxy-test.toml

@@ -9,4 +9,4 @@ password = "password"
 
 [encrypt]
 client_id = "5912717c-2c3b-4fb6-a051-0a8e71cd9e37"  # generated guid for validation
-client_key = "client_key"
+client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14"