fix(deps): bump cipherstash-client from 0.33.2 to 0.34.0-alpha.2

Migrate ZeroKMS initialization from config-builder chain
(ConsoleConfig/CtsConfig/ZeroKMSConfig/EnvSource) to the new
ZeroKMSBuilder + AutoStrategy API.

- Replace AutoRefresh<ServiceCredentials> with AutoStrategy
- Use ClientKey::from_hex_v1 for client key construction
- Update error variant: zerokms::Error::Credentials -> Error::Auth
- Add ZeroKMSBuilderError variant to Error enum
- Remove build_zerokms_config (replaced by init_zerokms_client)
- Update cts-common to 0.34.0-alpha.3
- Pin vitaminc to 0.1.0-pre4.1 (pre4.2 broke backward compat)

Author: tobyhede

Cargo.lock

@@ -43,8 +43,8 @@ debug = true
 
 [workspace.dependencies]
 sqltk = { version = "0.10.0" }
-cipherstash-client = { version = "0.33.2" }
-cts-common = { version = "0.4.1" }
+cipherstash-client = { version = "0.34.0-alpha.2" }
+cts-common = { version = "0.34.0-alpha.3" }
 
 thiserror = "2.0.9"
 tokio = { version = "1.44.2", features = ["full"] }

Cargo.toml

@@ -43,6 +43,8 @@ services:
       - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true}
       - CS_DATABASE__INSTALL_EQL=true            # install EQL into the PostgreSQL database
       - CS_DATABASE__INSTALL_EXAMPLE_SCHEMA=true # install example schema into the PostgreSQL database
+      - CS_CTS_HOST=${CS_CTS_HOST:-}
+      - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-}
     networks:
       - cipherstash
 

docker-compose.yml

@@ -1,14 +1,12 @@
 #[cfg(test)]
 mod tests {
     use crate::common::trace;
-    use cipherstash_client::config::EnvSource;
-    use cipherstash_client::credentials::auto_refresh::AutoRefresh;
     use cipherstash_client::encryption::{
         Encrypted, EncryptedSteVecTerm, JsonIndexer, JsonIndexerOptions, OreTerm, Plaintext,
         PlaintextTarget, ReferencedPendingPipeline,
     };
+    use cipherstash_client::zerokms::{ClientKey, ZeroKMSBuilder};
     use cipherstash_client::{encryption::ScopedCipher, zerokms::EncryptedRecord};
-    use cipherstash_client::{ConsoleConfig, CtsConfig, ZeroKMSConfig};
     use cipherstash_config::column::{ArrayIndexMode, Index, IndexType};
     use cipherstash_config::{ColumnConfig, ColumnType};
     use cipherstash_proxy::Identifier;
@@ -129,16 +127,19 @@ mod tests {
         // clear().await;
         // let client = connect_with_tls(PROXY).await;
 
-        let console_config = ConsoleConfig::builder().with_env().build().unwrap();
-        let cts_config = CtsConfig::builder().with_env().build().unwrap();
-        let zerokms_config = ZeroKMSConfig::builder()
-            .add_source(EnvSource::default())
-            .console_config(&console_config)
-            .cts_config(&cts_config)
-            .build_with_client_key()
+        let client_id: uuid::Uuid = std::env::var("CS_CLIENT_ID")
+            .expect("CS_CLIENT_ID must be set")
+            .parse()
+            .expect("CS_CLIENT_ID must be a valid UUID");
+        let client_key_hex =
+            std::env::var("CS_CLIENT_KEY").expect("CS_CLIENT_KEY must be set");
+        let client_key = ClientKey::from_hex_v1(client_id, &client_key_hex)
+            .expect("CS_CLIENT_KEY must be valid hex");
+        let zerokms_client = ZeroKMSBuilder::auto()
+            .unwrap()
+            .with_client_key(client_key)
+            .build()
             .unwrap();
-        let zerokms_client = zerokms_config
-            .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials()));
 
         let dataset_id = Uuid::parse_str("295504329cb045c398dc464c52a287a1").unwrap();
 

packages/cipherstash-proxy-integration/src/generate.rs

@@ -54,9 +54,15 @@ tokio-rustls = "0.26.0"
 tokio-util = { version = "0.7.13", features = ["rt"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
+url = "2"
+# Pin vitaminc to 0.1.0-pre4.1 — pre4.2 removed root-level re-exports breaking cts-common
+vitaminc = { version = "= 0.1.0-pre4.1", features = ["random", "protected", "encrypt"] }
+vitaminc-random = { version = "= 0.1.0-pre4.1" }
+vitaminc-protected = { version = "= 0.1.0-pre4.1" }
+vitaminc-encrypt = { version = "= 0.1.0-pre4.1" }
+vitaminc-traits = { version = "= 0.1.0-pre4.1" }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
 x509-parser = "0.17.0"
-vitaminc-protected = "0.1.0-pre2"
 
 
 [dev-dependencies]

packages/cipherstash-proxy/Cargo.toml

@@ -54,6 +54,9 @@ pub enum Error {
     #[error(transparent)]
     ZeroKMS(#[from] ZeroKMSError),
 
+    #[error(transparent)]
+    ZeroKMSBuilder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError),
+
     #[error("Unknown error")]
     Unknown,
 

packages/cipherstash-proxy/src/error.rs

@@ -168,10 +168,10 @@ pub trait EncryptionService: Send + Sync {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
     use crate::config::TandemConfig;
     use crate::test_helpers::with_no_cs_vars;
-    use cts_common::WorkspaceId;
+
+    use super::zerokms;
 
     fn build_tandem_config(env: Vec<(&str, Option<&str>)>) -> TandemConfig {
         with_no_cs_vars(|| {
@@ -195,28 +195,23 @@ mod tests {
     }
 
     #[test]
-    fn build_zerokms_config_with_crn() {
+    fn init_zerokms_client_with_crn() {
         with_no_cs_vars(|| {
             let mut env = default_env_vars();
-            env.push(("CS_CLIENT_ACCESS_KEY", Some("client-access-key")));
+            env.push(("CS_CLIENT_ACCESS_KEY", Some("CSAKtestKeyId.testKeySecret")));
             env.push((
                 "CS_WORKSPACE_CRN",
                 Some("crn:ap-southeast-2.aws:3KISDURL3ZCWYZ2O"),
             ));
 
             let tandem_config = build_tandem_config(env);
 
-            let zerokms_config = zerokms::build_zerokms_config(&tandem_config).unwrap();
-
-            assert_eq!(
-                WorkspaceId::try_from("3KISDURL3ZCWYZ2O").unwrap(),
-                zerokms_config.workspace_id()
+            let result = zerokms::init_zerokms_client(&tandem_config);
+            assert!(
+                result.is_ok(),
+                "init_zerokms_client failed: {:?}",
+                result.err()
             );
-
-            assert!(zerokms_config
-                .base_url()
-                .to_string()
-                .contains("ap-southeast-2.aws"));
         });
     }
 }

packages/cipherstash-proxy/src/proxy/mod.rs

@@ -4,56 +4,43 @@ mod zerokms;
 pub use zerokms::ZeroKms;
 
 use crate::config::TandemConfig;
-use cipherstash_client::config::{ConfigError, ZeroKMSConfigWithClientKey};
 use cipherstash_client::{
-    config::EnvSource,
-    credentials::{auto_refresh::AutoRefresh, ServiceCredentials},
-    zerokms::ClientKey,
-    ConsoleConfig, CtsConfig, ZeroKMS, ZeroKMSConfig,
+    zerokms::{ClientKey, ZeroKMSBuilder, ZeroKMSBuilderError},
+    AutoStrategy, ZeroKMS,
 };
 
-pub type ScopedCipher =
-    cipherstash_client::encryption::ScopedCipher<AutoRefresh<ServiceCredentials>>;
+pub type ScopedCipher = cipherstash_client::encryption::ScopedCipher<AutoStrategy>;
 
-pub type ZerokmsClient = ZeroKMS<AutoRefresh<ServiceCredentials>, ClientKey>;
+pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 
 pub(crate) fn init_zerokms_client(
     config: &TandemConfig,
-) -> Result<ZeroKMS<AutoRefresh<ServiceCredentials>, ClientKey>, ConfigError> {
-    let zerokms_config = build_zerokms_config(config)?;
-
-    Ok(zerokms_config
-        .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials())))
-}
-
-pub fn build_zerokms_config(
-    config: &TandemConfig,
-) -> Result<ZeroKMSConfigWithClientKey, ConfigError> {
-    let console_config = ConsoleConfig::builder().with_env().build()?;
-
-    let builder = CtsConfig::builder().with_env();
-    let builder = if let Some(cts_host) = config.cts_host() {
-        builder.base_url(&cts_host)
-    } else {
-        builder
-    };
-    let cts_config = builder.build()?;
-
-    // Not using with_env because the proxy config should take precedence
-    let builder = ZeroKMSConfig::builder()
-        .add_source(EnvSource::default())
-        .workspace_crn(config.auth.workspace_crn.clone())
-        .access_key(&config.auth.client_access_key)
-        .try_with_client_id(&config.encrypt.client_id)?
-        .try_with_client_key(&config.encrypt.client_key)?
-        .console_config(&console_config)
-        .cts_config(&cts_config);
-
-    let builder = if let Some(zerokms_host) = config.zerokms_host() {
-        builder.base_url(zerokms_host)
-    } else {
-        builder
-    };
-
-    builder.build_with_client_key()
+) -> Result<ZerokmsClient, ZeroKMSBuilderError> {
+    // 1. Build auth strategy from proxy config
+    let strategy = AutoStrategy::builder()
+        .with_access_key(&config.auth.client_access_key)
+        .with_workspace_crn(config.auth.workspace_crn.clone())
+        .detect()?;
+
+    // 2. Parse client key
+    let client_id: uuid::Uuid = config
+        .encrypt
+        .client_id
+        .parse()
+        .expect("client_id must be a valid UUID");
+    let client_key = ClientKey::from_hex_v1(client_id, &config.encrypt.client_key)
+        .expect("client_key must be valid hex");
+
+    // 3. Build ZeroKMS client (with_base_url must be called before with_client_key)
+    let mut builder = ZeroKMSBuilder::new(strategy);
+
+    // Optional: override ZeroKMS endpoint for development
+    if let Some(zerokms_host) = config.zerokms_host() {
+        let url: url::Url = zerokms_host
+            .parse()
+            .expect("zerokms_host must be a valid URL");
+        builder = builder.with_base_url(url);
+    }
+
+    builder.with_client_key(client_key).build()
 }

packages/cipherstash-proxy/src/proxy/zerokms/mod.rs

@@ -137,7 +137,7 @@ impl ZeroKms {
                         }
                         .into())
                     }
-                    cipherstash_client::zerokms::Error::Credentials(_) => {
+                    cipherstash_client::zerokms::Error::Auth(_) => {
                         Err(ZeroKMSError::AuthenticationFailed.into())
                     }
                     _ => Err(Error::ZeroKMS(err.into())),

packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs

@@ -65,6 +65,8 @@ services:
       - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true}
       - CS_SERVER__WORKER_THREADS=${CS_SERVER__WORKER_THREADS:-4}
       - CS_WORKSPACE_CRN=${CS_WORKSPACE_CRN}
+      - CS_CTS_HOST=${CS_CTS_HOST:-}
+      - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-}
       - CS_LOG__FORMAT=${CS_LOG__FORMAT:-pretty}
       - CS_LOG__LEVEL=${CS_LOG__LEVEL:-debug}
       - CS_LOG__PROTOCOL_LEVEL=${CS_LOG__PROTOCOL_LEVEL:-debug}
@@ -109,6 +111,8 @@ services:
       - CS_SERVER__REQUIRE_TLS=true
       - CS_PROMETHEUS__ENABLED=${CS_PROMETHEUS__ENABLED:-true}
       - CS_WORKSPACE_CRN=${CS_WORKSPACE_CRN}
+      - CS_CTS_HOST=${CS_CTS_HOST:-}
+      - CS_ZEROKMS_HOST=${CS_ZEROKMS_HOST:-}
       - CS_LOG__FORMAT=${CS_LOG__FORMAT:-pretty}
       - CS_LOG__LEVEL=${CS_LOG__LEVEL:-debug}
       - CS_LOG__PROTOCOL_LEVEL=${CS_LOG__PROTOCOL_LEVEL:-debug}