feat: upgrade cipherstash-client to 0.37.0

[calvinbrewer]

Acknowledgment

By submitting this pull request, I confirm that CipherStash can use, modify, copy, and redistribute this contribution, under the terms of CipherStash's choice.

Summary by CodeRabbit

• Chores

  • Updated core dependencies to version 0.37.0, bringing latest improvements and bug fixes.

• Bug Fixes

  • Enhanced backward compatibility to support legacy data formats in database queries.

• Refactor

  • Improved internal encryption output handling for better consistency across the system.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f106f09-8da5-4136-bc7c-b4a15fca32e7

📥 Commits

Reviewing files that changed from the base of the PR and between bdeead3 and aaa7161.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (11)

• Cargo.toml
• packages/cipherstash-proxy/src/error.rs
• packages/cipherstash-proxy/src/lib.rs
• packages/cipherstash-proxy/src/postgresql/backend.rs
• packages/cipherstash-proxy/src/postgresql/context/mod.rs
• packages/cipherstash-proxy/src/postgresql/frontend.rs
• packages/cipherstash-proxy/src/postgresql/messages/bind.rs
• packages/cipherstash-proxy/src/postgresql/messages/data_row.rs
• packages/cipherstash-proxy/src/proxy/encrypt_config/manager.rs
• packages/cipherstash-proxy/src/proxy/mod.rs
• packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs

---

📝 Walkthrough

Walkthrough

Three workspace dependencies (cipherstash-client, cipherstash-config, cts-common) are bumped from =0.34.1-alpha.4 to 0.37.0. The proxy is adapted to the new API by replacing EqlCiphertext with EqlOutput across the entire encryption pipeline, adding a legacy EQL JSON deserialization helper, and updating identifier accessor call sites.

Changes

EqlOutput Migration and 0.37.0 Upgrade

Layer / File(s)	Summary
Dependency bump and EqlOutput re-export Cargo.toml, packages/cipherstash-proxy/src/lib.rs	Bumps cipherstash-client, cipherstash-config, and cts-common to 0.37.0 and adds a public re-export of EqlOutput from cipherstash_client::eql.
EncryptionService trait and ZeroKMS implementation packages/cipherstash-proxy/src/proxy/mod.rs, packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs	Changes EncryptionService::encrypt return type to Vec<Option<EqlOutput>> in the trait, and updates the ZeroKms impl with adjusted imports, an iterator-based all-None fast-path, and reworked result vector reconstruction.
Encryption pipeline: Context, Frontend, Bind packages/cipherstash-proxy/src/postgresql/context/mod.rs, packages/cipherstash-proxy/src/postgresql/frontend.rs, packages/cipherstash-proxy/src/postgresql/messages/bind.rs, packages/cipherstash-proxy/src/postgresql/backend.rs	Propagates EqlOutput through Context::encrypt, encrypt_literals, transform_statement, encrypt_params, and Bind::rewrite. Test EncryptionService mocks in backend, context, and frontend are updated to match.
Backend identifier accessor and legacy EQL deserialization packages/cipherstash-proxy/src/postgresql/backend.rs, packages/cipherstash-proxy/src/postgresql/messages/data_row.rs	Updates Backend::check_column_config to use ct.identifier() accessor. Introduces eql_ciphertext_from_json and legacy_to_current helpers for both current EQL v2.x tagged JSON and legacy flat JSON shapes; test assertions updated to use identifier().
Error pattern cleanup and config test fixture packages/cipherstash-proxy/src/error.rs, packages/cipherstash-proxy/src/proxy/encrypt_config/manager.rs	Rewrites CouldNotDecryptDataForKeyset match arm with struct-destructuring. Updates can_parse_ste_vec_index test to include mode: SteVecMode::default() in the IndexType::SteVec expectation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• cipherstash/proxy#370: Modifies the same ZeroKms::encrypt implementation in zerokms.rs, adding timing/metrics logging to the encrypt/decrypt paths that this PR updates for EqlOutput.

Suggested reviewers

• coderdan
• freshtonic

Poem

🐇 Hop hop, the versions leap ahead,
From alpha-four to thirty-seven instead!
EqlOutput hops through every lane,
Old legacy JSON? Remapped with care and plain.
The pipeline updated, the rabbit says "Done!"
A cleaner codebase, and the tests still run! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change: upgrading cipherstash-client to version 0.37.0, which is the main motivation for all downstream changes throughout the codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch version-bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR upgrades the workspace CipherStash Rust crates to cipherstash-client/config/cts-common 0.37.0 and updates the proxy to use the new EQL output types and ciphertext storage format handling introduced by that release.

Changes:

• Bump cipherstash-client, cipherstash-config, and cts-common to 0.37.0 (plus lockfile refresh).
• Update the encryption pipeline to return/propagate EqlOutput (instead of EqlCiphertext) for encrypted parameter rewriting.
• Add backwards-compatible deserialization in DataRow to read both legacy pre-v2.x ciphertext JSON and the current tagged ("k") format.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs	Updates encryption return type to EqlOutput and adjusts result reconstruction.
packages/cipherstash-proxy/src/proxy/mod.rs	Updates EncryptionService::encrypt trait signature to return EqlOutput.
packages/cipherstash-proxy/src/proxy/encrypt_config/manager.rs	Updates test config to include new SteVecMode field.
packages/cipherstash-proxy/src/postgresql/messages/data_row.rs	Adds legacy→current ciphertext JSON remapping and updates tests for new API.
packages/cipherstash-proxy/src/postgresql/messages/bind.rs	Updates bind rewriting to accept EqlOutput.
packages/cipherstash-proxy/src/postgresql/frontend.rs	Propagates EqlOutput through literal encryption and statement transformation.
packages/cipherstash-proxy/src/postgresql/context/mod.rs	Updates context encrypt API return type usages/mocks.
packages/cipherstash-proxy/src/postgresql/backend.rs	Updates ciphertext identifier access to the new identifier() accessor API.
packages/cipherstash-proxy/src/lib.rs	Re-exports EqlOutput.
packages/cipherstash-proxy/src/error.rs	Adjusts pattern matching for updated EqlError::CouldNotDecryptDataForKeyset shape.
Cargo.toml	Bumps workspace dependency versions to 0.37.0.
Cargo.lock	Lockfile updates for the dependency upgrade.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[freshtonic]

Closing in favour of #407