refactor(config): validate client_id, client_key, and zerokms_host at config load

Push parsing errors into the config boundary instead of panicking at
construction time. EncryptConfig.client_id is now Uuid and
DevelopmentConfig.zerokms_host is now url::Url, so serde enforces
validity at deserialization. client_key hex is validated in load().

Folds Error::ZeroKMSBuilder into ZeroKMSError::Builder to maintain
domain-grouped error taxonomy.

Author: tobyhede

packages/cipherstash-proxy/src/config/tandem.rs

@@ -42,7 +42,7 @@ pub struct AuthConfig {
 
 #[derive(Debug, Deserialize, Clone, PartialEq)]
 pub struct EncryptConfig {
-    pub client_id: String,
+    pub client_id: Uuid,
     pub client_key: String,
     pub default_keyset_id: Option<Uuid>,
 }
@@ -68,7 +68,7 @@ pub struct DevelopmentConfig {
     pub enable_mapping_errors: bool,
 
     #[serde(default)]
-    pub zerokms_host: Option<String>,
+    pub zerokms_host: Option<url::Url>,
 
     #[serde(default)]
     pub cts_host: Option<String>,
@@ -113,6 +113,16 @@ impl TandemConfig {
             config.log.format = args.log_format;
         }
 
+        // Validate client_key is valid hex for the given client_id
+        cipherstash_client::zerokms::ClientKey::from_hex_v1(
+            config.encrypt.client_id,
+            &config.encrypt.client_key,
+        )
+        .map_err(|e| ConfigError::InvalidParameter {
+            name: "client_key".to_string(),
+            value: format!("{e}"),
+        })?;
+
         Ok(config)
     }
 
@@ -191,7 +201,7 @@ impl TandemConfig {
         }
 
         // Source order is important!
-        let config = Config::builder()
+        let config: TandemConfig = Config::builder()
             .add_source(config::File::with_name(&args.config_file_path).required(false))
             .add_source(cs_env_source)
             .add_source(stash_setup_source)
@@ -246,7 +256,7 @@ impl TandemConfig {
         }
     }
 
-    pub fn zerokms_host(&self) -> Option<String> {
+    pub fn zerokms_host(&self) -> Option<url::Url> {
         self.development
             .as_ref()
             .and_then(|dev| dev.zerokms_host.clone())
@@ -326,7 +336,7 @@ impl TandemConfig {
                 client_access_key: "test".to_string(),
             },
             encrypt: EncryptConfig {
-                client_id: "test".to_string(),
+                client_id: Uuid::parse_str("00000000-0000-0000-0000-000000000001").unwrap(),
                 client_key: "test".to_string(),
                 default_keyset_id: Some(
                     Uuid::parse_str("00000000-0000-0000-0000-000000000000").unwrap(),
@@ -426,9 +436,9 @@ mod tests {
             temp_env::with_vars(
                 [
                     // Orignal recipe ENV var
-                    ("CS_ENCRYPT__CLIENT_ID", Some("CS_ENCRYPT__CLIENT_ID")),
-                    (CS_CLIENT_ID, Some("CS_CLIENT_ID")),
-                    (CS_CLIENT_KEY, Some("CS_CLIENT_KEY")),
+                    ("CS_ENCRYPT__CLIENT_ID", Some("11111111-1111-1111-1111-111111111111")),
+                    (CS_CLIENT_ID, Some("22222222-2222-2222-2222-222222222222")),
+                    (CS_CLIENT_KEY, Some("test_key")),
                     (
                         CS_DEFAULT_KEYSET_ID,
                         Some("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"),
@@ -440,7 +450,10 @@ mod tests {
                         TandemConfig::build_path("tests/config/cipherstash-proxy-test.toml")
                             .unwrap();
 
-                    assert_eq!(config.encrypt.client_id, "CS_CLIENT_ID".to_string());
+                    assert_eq!(
+                        config.encrypt.client_id,
+                        Uuid::parse_str("22222222-2222-2222-2222-222222222222").unwrap()
+                    );
 
                     assert_eq!(
                         config.auth.client_access_key,
@@ -474,8 +487,8 @@ mod tests {
                             .unwrap();
 
                     assert_eq!(
-                        &config.encrypt.client_id,
-                        "dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac"
+                        config.encrypt.client_id,
+                        Uuid::parse_str("dd0a239f-02e2-4c8e-ba20-d9f0f85af9ac").unwrap()
                     );
                 },
             );

packages/cipherstash-proxy/src/error.rs

@@ -54,9 +54,6 @@ pub enum Error {
     #[error(transparent)]
     ZeroKMS(#[from] ZeroKMSError),
 
-    #[error(transparent)]
-    ZeroKMSBuilder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError),
-
     #[error("Unknown error")]
     Unknown,
 
@@ -75,6 +72,9 @@ pub enum ZeroKMSError {
     #[error("ZeroKMS authentication failed. Check the configured credentials. For help visit {}#zerokms-authentication-failed", ERROR_DOC_BASE_URL)]
     AuthenticationFailed,
 
+    #[error(transparent)]
+    Builder(#[from] cipherstash_client::zerokms::ZeroKMSBuilderError),
+
     #[error(transparent)]
     System(#[from] cipherstash_client::zerokms::Error),
 }
@@ -439,6 +439,12 @@ impl From<config::ConfigError> for Error {
     }
 }
 
+impl From<cipherstash_client::zerokms::ZeroKMSBuilderError> for Error {
+    fn from(e: cipherstash_client::zerokms::ZeroKMSBuilderError) -> Self {
+        Error::ZeroKMS(e.into())
+    }
+}
+
 impl From<cipherstash_client::encryption::TypeParseError> for Error {
     fn from(e: cipherstash_client::encryption::TypeParseError) -> Self {
         Error::Encrypt(e.into())

packages/cipherstash-proxy/src/proxy/zerokms/mod.rs

@@ -16,29 +16,25 @@ pub type ZerokmsClient = ZeroKMS<AutoStrategy, ClientKey>;
 pub(crate) fn init_zerokms_client(
     config: &TandemConfig,
 ) -> Result<ZerokmsClient, ZeroKMSBuilderError> {
-    // 1. Build auth strategy from proxy config
+    // Bridge development.cts_host from TOML config to CS_CTS_HOST env var
+    // so AutoStrategy picks it up. Env var takes precedence if already set.
+    if let Some(cts_host) = config.cts_host() {
+        if std::env::var("CS_CTS_HOST").is_err() {
+            std::env::set_var("CS_CTS_HOST", cts_host);
+        }
+    }
+
     let strategy = AutoStrategy::builder()
         .with_access_key(&config.auth.client_access_key)
         .with_workspace_crn(config.auth.workspace_crn.clone())
         .detect()?;
 
-    // 2. Parse client key
-    let client_id: uuid::Uuid = config
-        .encrypt
-        .client_id
-        .parse()
-        .expect("client_id must be a valid UUID");
-    let client_key = ClientKey::from_hex_v1(client_id, &config.encrypt.client_key)
-        .expect("client_key must be valid hex");
+    let client_key = ClientKey::from_hex_v1(config.encrypt.client_id, &config.encrypt.client_key)
+        .expect("validated during config loading");
 
-    // 3. Build ZeroKMS client (with_base_url must be called before with_client_key)
     let mut builder = ZeroKMSBuilder::new(strategy);
 
-    // Optional: override ZeroKMS endpoint for development
-    if let Some(zerokms_host) = config.zerokms_host() {
-        let url: url::Url = zerokms_host
-            .parse()
-            .expect("zerokms_host must be a valid URL");
+    if let Some(url) = config.zerokms_host() {
         builder = builder.with_base_url(url);
     }