Skip to content
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
2e11f69
chore(deps): upgrade cipherstash-client to 0.38.0 and drop vendored s…
calvinbrewer Jun 16, 2026
b38eeb0
chore: bump EQL to eql-2.3.1 for cipherstash-client 0.38.0 compatibility
freshtonic Jun 24, 2026
d1abdd2
feat(eql-mapper): route jsonb STE-vec range/order/projection for clie…
freshtonic Jun 25, 2026
1af9968
feat(eql-mapper): concrete-index-aware transformation + scalar OPE or…
freshtonic Jun 25, 2026
7248515
test(eql-mapper): pin scalar OPE ordering edge cases; tighten docs (C…
freshtonic Jun 25, 2026
df28b0f
feat(eql-mapper): jsonb STE-vec equality (=/<>) for client 0.38.0 (CI…
freshtonic Jun 25, 2026
1ad4c3f
test: bump cipherstash-client to 0.38.1-alpha.1 (op-store) for CI e2e
freshtonic Jun 25, 2026
4f3c2a4
fix(eql-mapper): cast to jsonb before ->>'op' in scalar OPE rewrite (…
freshtonic Jun 25, 2026
af5c963
fix: encrypt bare numeric sv-term literals as scalars (CIP-3233)
freshtonic Jun 25, 2026
93ac7b1
revert: drop temporary cipherstash-client 0.38.1-alpha.1 prerelease pin
freshtonic Jun 25, 2026
76a8bfc
fix(zerokms): fail fast on SteVecTerm without ste_vec index (CIP-3233)
freshtonic Jun 29, 2026
fd20bea
refactor: address PR #409 review feedback (CIP-3233)
freshtonic Jun 29, 2026
7b8500a
chore(deps): bump cipherstash-client to 0.38.1
freshtonic Jun 29, 2026
ed7d29e
ci: trigger Test + Benchmark on v3-targeting PRs (CIP-3233)
freshtonic Jun 29, 2026
10b06cf
test: fix jsonb bool-eq param binding (bind Value, not raw bool)
freshtonic Jun 29, 2026
717b960
revert: defer jsonb sv boolean-leaf equality (not wired e2e)
freshtonic Jun 29, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
337 changes: 163 additions & 174 deletions Cargo.lock

Large diffs are not rendered by default.

18 changes: 3 additions & 15 deletions Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
[workspace]
resolver = "2"
members = ["packages/*"]
# Vendored crate is consumed only via [patch.crates-io] below, not as a member.
exclude = ["vendor/stack-auth"]

[workspace.package]
version = "2.2.4"
Expand Down Expand Up @@ -45,9 +43,9 @@ debug = true

[workspace.dependencies]
sqltk = { version = "0.10.0" }
cipherstash-client = { version = "=0.34.1-alpha.4" }
cipherstash-config = { version = "=0.34.1-alpha.4" }
cts-common = { version = "=0.34.1-alpha.4" }
cipherstash-client = { version = "0.38.0" }
cipherstash-config = { version = "0.38.0" }
cts-common = { version = "0.38.0" }
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated

thiserror = "2.0.9"
tokio = { version = "1.44.2", features = ["full"] }
Expand All @@ -58,13 +56,3 @@ tracing-subscriber = { version = "^0.3.20", features = [
"env-filter",
"std",
] }

# HOTFIX (CIP-3159): backport the stack-auth token-refresh CancelGuard fix onto
# the 0.34.1-alpha.4 source that cipherstash-client 0.34.1-alpha.4 pins. Without
# this, a cancelled get_token() future could strand `refresh_in_progress = true`,
# wedging all later refreshes and causing ZeroKMS "Request not authorized" exactly
# ~15 min (token TTL) after startup. The patch keeps version 0.34.1-alpha.4 so it
# satisfies cipherstash-client's exact pin while replacing the registry source.
# Remove once Proxy moves to a cipherstash-client built against stack-auth >= 0.36.0.
[patch.crates-io]
stack-auth = { path = "vendor/stack-auth" }
2 changes: 1 addition & 1 deletion mise.local.example.toml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ CS_CLIENT_KEY = "client-key"
CS_CLIENT_ID = "client-id"

# The release of EQL that the proxy tests will use and releases will be built with
CS_EQL_VERSION = "eql-2.3.0-pre.3"
CS_EQL_VERSION = "eql-2.3.1"

# TLS variables are required for providing TLS to Proxy's clients.
# CS_TLS__TYPE can be either "Path" or "Pem" (case-sensitive).
Expand Down
2 changes: 1 addition & 1 deletion mise.toml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ CS_PROXY__HOST = "host.docker.internal"
# Misc
DOCKER_CLI_HINTS = "false" # Please don't show us What's Next.

CS_EQL_VERSION = "eql-2.3.0-pre.3"
CS_EQL_VERSION = "eql-2.3.1"


[tools]
Expand Down
6 changes: 3 additions & 3 deletions packages/cipherstash-proxy/src/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -340,9 +340,9 @@ impl From<cipherstash_client::eql::EqlError> for EncryptError {
cipherstash_client::eql::EqlError::ColumnConfigurationMismatch { table, column } => {
Self::ColumnConfigurationMismatch { table, column }
}
cipherstash_client::eql::EqlError::CouldNotDecryptDataForKeyset { keyset_id } => {
Self::CouldNotDecryptDataForKeyset { keyset_id }
}
cipherstash_client::eql::EqlError::CouldNotDecryptDataForKeyset {
keyset_id, ..
} => Self::CouldNotDecryptDataForKeyset { keyset_id },
cipherstash_client::eql::EqlError::InvalidIndexTerm => Self::InvalidIndexTerm,
cipherstash_client::eql::EqlError::MissingCiphertext(identifier) => {
Self::ColumnCouldNotBeDeserialised {
Expand Down
2 changes: 1 addition & 1 deletion packages/cipherstash-proxy/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ pub use crate::config::{DatabaseConfig, ServerConfig, TandemConfig, TlsConfig};
pub use crate::log::init;
pub use crate::proxy::Proxy;
pub use cipherstash_client::encryption::Plaintext;
pub use cipherstash_client::eql::{EqlCiphertext, Identifier};
pub use cipherstash_client::eql::{EqlCiphertext, EqlOutput, Identifier};

use std::mem;

Expand Down
8 changes: 4 additions & 4 deletions packages/cipherstash-proxy/src/postgresql/backend.rs
Original file line number Diff line number Diff line change
Expand Up @@ -538,7 +538,7 @@ where
for (col, ct) in projection_columns.iter().zip(ciphertexts) {
match (col, ct) {
(Some(col), Some(ct)) => {
if col.identifier != ct.identifier {
if &col.identifier != ct.identifier() {
return Err(EncryptError::ColumnConfigurationMismatch {
table: col.identifier.table.to_owned(),
column: col.identifier.column.to_owned(),
Expand All @@ -553,8 +553,8 @@ where
// ciphertext with no column configuration is bad
(None, Some(ct)) => {
return Err(EncryptError::ColumnConfigurationMismatch {
table: ct.identifier.table.to_owned(),
column: ct.identifier.column.to_owned(),
table: ct.identifier().table.to_owned(),
column: ct.identifier().column.to_owned(),
}
.into());
}
Expand Down Expand Up @@ -749,7 +749,7 @@ mod tests {
_keyset_id: Option<KeysetIdentifier>,
_plaintexts: Vec<Option<cipherstash_client::encryption::Plaintext>>,
_columns: &[Option<Column>],
) -> Result<Vec<Option<crate::EqlCiphertext>>, Error> {
) -> Result<Vec<Option<crate::EqlOutput>>, Error> {
Ok(vec![])
}

Expand Down
14 changes: 12 additions & 2 deletions packages/cipherstash-proxy/src/postgresql/context/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -578,6 +578,16 @@ where
self.table_resolver.clone()
}

/// Returns the per-context snapshot of the [`EncryptConfig`].
///
/// Used by the SQL transformation stage to resolve the concrete encrypted
/// index types of a column (see [`EncryptConfigIndexResolver`]).
///
/// [`EncryptConfigIndexResolver`]: crate::proxy::EncryptConfigIndexResolver
pub fn get_encrypt_config(&self) -> Arc<EncryptConfig> {
self.encrypt_config.clone()
}

/// Examines a [`sqltk::parser::ast::Statement`] and if it is precisely equal to `SET UNSAFE_DISABLE_MAPPING = {boolean};`
/// then it sets the flag [`Context::unsafe_disable_mapping`] to the provided `{boolean}`` value.
///
Expand Down Expand Up @@ -752,7 +762,7 @@ where
&self,
plaintexts: Vec<Option<cipherstash_client::encryption::Plaintext>>,
columns: &[Option<Column>],
) -> Result<Vec<Option<crate::EqlCiphertext>>, Error> {
) -> Result<Vec<Option<crate::EqlOutput>>, Error> {
let keyset_id = self.keyset_identifier();

self.encryption
Expand Down Expand Up @@ -1077,7 +1087,7 @@ mod tests {
_keyset_id: Option<KeysetIdentifier>,
_plaintexts: Vec<Option<cipherstash_client::encryption::Plaintext>>,
_columns: &[Option<Column>],
) -> Result<Vec<Option<crate::EqlCiphertext>>, Error> {
) -> Result<Vec<Option<crate::EqlOutput>>, Error> {
Ok(vec![])
}

Expand Down
Loading
Loading