chore(deps): upgrade cipherstash-client to 0.38.0, drop vendored stack-auth patch (CIP-3233)

[freshtonic]

Summary

Moves Proxy off the vendor/stack-auth [patch.crates-io] workaround and onto the current released cipherstash-client group, built against the fixed stack-auth. This is the CIP-3233 follow-up cleanup.

Background: 2.2.4 (#408) shipped the CIP-3233 access-key token-refresh fix via a vendored stack-auth, patched on top of the 0.34.1-alpha.4 source that cipherstash-client 0.34.1-alpha.4 pinned. cipherstash-client 0.38.0 links stack-auth 0.38.0, which carries the same fix straight from crates.io — so the vendored copy and the patch are no longer needed.

Changes

• cipherstash-client / cipherstash-config / cts-common: 0.34.1-alpha.4 → 0.38.0 (the current published group). The API migration for the 0.34 → 0.37 jump is carried over from the (closed) feat: upgrade cipherstash-client to 0.37.0 #406 0.37.0 upgrade — same 10 source-file changes; 0.37 → 0.38 needed no further source changes.
• Removed [patch.crates-io] stack-auth = { path = "vendor/stack-auth" }, the exclude = ["vendor/stack-auth"] workspace entry, and the entire vendor/stack-auth/ tree.
• stack-auth now resolves from crates.io at 0.38.0 (registry source, verified in the lock). Single version of the whole cipherstash-client group; zerokms-protocol at 0.12.19.

Verification

• cargo check --workspace — clean
• cargo clippy --workspace --all-targets — clean
• cargo test --workspace --lib — 111 cipherstash-proxy unit tests pass
• Lock contains exactly one stack-auth (0.38.0, registry source); no vendor/ or patch.crates-io references remain

Not run: cipherstash-proxy-integration tests (need a live Postgres + ZeroKMS; they fail here only with ConnectionRefused). Please run the full integration suite in CI / with creds before merge.

Notes

• No behaviour change — the token fix already shipped in 2.2.4; this is dependency hygiene, so no version bump / changelog entry. Happy to add one if you'd prefer.
• Supersedes the closed feat: upgrade cipherstash-client to 0.37.0 #406 (which targeted 0.37.0 and predated the vendor patch) and the stale deps: upgrade cipherstash-client to 0.35.0 and EQL to 2.3.0 #394 (0.35.0).

Closes the cipherstash/proxy follow-up line item on CIP-3233.

Summary by CodeRabbit

• Bug Fixes

  • Improved compatibility when reading encrypted PostgreSQL rows, including support for older payload formats.
  • Fixed ciphertext/config checks so encryption behavior is more consistent across column metadata.
  • Adjusted encryption output handling to work with the latest EQL format.

• Chores

  • Updated EQL to version 2.3.1.
  • Refreshed workspace dependency versions to newer releases.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the proxy encryption path to use EqlOutput, adds legacy EQL ciphertext parsing, bumps related version pins, and removes the vendored stack-auth patch and example code.

Changes

Proxy EQL output migration

Layer / File(s)	Summary
Dependency and contract updates Cargo.toml, mise.toml, mise.local.example.toml, packages/cipherstash-proxy/src/lib.rs, packages/cipherstash-proxy/src/error.rs, packages/cipherstash-proxy/src/proxy/mod.rs	Workspace pins, EQL version settings, a public re-export, the EncryptError mapping, and the EncryptionService::encrypt contract all switch to EqlOutput-related shapes.
Encryption pipeline propagation packages/cipherstash-proxy/src/postgresql/frontend.rs, packages/cipherstash-proxy/src/postgresql/context/mod.rs, packages/cipherstash-proxy/src/postgresql/messages/bind.rs, packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs, packages/cipherstash-proxy/src/postgresql/backend.rs	Frontend helpers, context delegation, bind rewriting, ZeroKMS output reconstruction, and backend test-service signatures use EqlOutput through the encryption flow.
PostgreSQL ciphertext handling packages/cipherstash-proxy/src/postgresql/backend.rs, packages/cipherstash-proxy/src/postgresql/messages/data_row.rs, packages/cipherstash-proxy/src/proxy/encrypt_config/manager.rs	check_column_config uses accessors, legacy EQL JSON parsing is added for data rows, and config tests include the updated SteVecMode expectation.

Vendored stack-auth cleanup

Layer / File(s)	Summary
Workspace patch cleanup Cargo.toml	The workspace exclude entry and crates.io patch override for vendor/stack-auth are removed.
Vendored auth code removal vendor/stack-auth/examples/device_code.rs, vendor/stack-auth/src/auto_refresh.rs	The device-code example and AutoRefresh module are removed from vendor/stack-auth.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• cipherstash/stack issue 471: The EQL version bump and EqlOutput-related payload changes match the upgrade objective described there.

Possibly related PRs

• cipherstash/proxy#371: It changes the same workspace dependency family that this PR updates for the EqlOutput migration.
• cipherstash/proxy#407: It is directly connected to the vendored stack-auth patch that this PR removes.

Suggested reviewers

• tobyhede
• coderdan
• auxesis

Poem

A rabbit hopped through Cargo lanes,
where EqlOutput now flows in trains.
The stack-auth burrow turned to breeze,
and legacy bytes found newer trees. 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main dependency upgrade and removal of the vendored stack-auth patch.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch james/cip-3233-proxy-drop-vendor-patch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/cipherstash-proxy/src/postgresql/messages/bind.rs (1)

84-96: 🗄️ Data Integrity & Integration | 🟠 Major

Confirm EqlOutput serialization format mismatch for EQL 2.3.1

The workspace is pinned to cipherstash-client version 0.38.0, where EqlOutput serializes via serde_json::to_value into a JSON object containing a top-level c (ciphertext) field. The required EQL 2.3.1 format expects a structure without this top-level c wrapper. As written, rewrite() writes the legacy payload, which will fail or corrupt data in eql_v2_encrypted columns expecting the new format. Update the serialization logic to produce the schema-free format expected by the EQL 2.3.1 backend, likely requiring manual construction of the JSON payload from the EqlOutput components or updating the dependency if a fix is available.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cipherstash-proxy/src/postgresql/messages/bind.rs` around lines 84 -
96, The bind::rewrite method is serializing EqlOutput with serde_json::to_value,
which preserves the legacy top-level c wrapper and does not match the EQL 2.3.1
payload shape. Update rewrite() to emit the schema-free JSON expected by
eql_v2_encrypted columns, either by manually building the payload from
EqlOutput’s fields or by switching to a dependency/version that already produces
the new format. Keep the change localized to bind::rewrite and the EqlOutput
serialization path it uses.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Cargo.toml`:
- Around line 46-48: The Cargo.toml dependency update points cipherstash-client,
cipherstash-config, and cts-common at unpublished 0.38.0 versions, which will
break dependency resolution. Revert these entries to a published crates.io
version or restore the [patch.crates-io] override to a valid local/git source
for stack-auth until those crates are available. Keep the existing dependency
names and patch configuration aligned so Cargo can resolve them successfully.

---

Outside diff comments:
In `@packages/cipherstash-proxy/src/postgresql/messages/bind.rs`:
- Around line 84-96: The bind::rewrite method is serializing EqlOutput with
serde_json::to_value, which preserves the legacy top-level c wrapper and does
not match the EQL 2.3.1 payload shape. Update rewrite() to emit the schema-free
JSON expected by eql_v2_encrypted columns, either by manually building the
payload from EqlOutput’s fields or by switching to a dependency/version that
already produces the new format. Keep the change localized to bind::rewrite and
the EqlOutput serialization path it uses.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25c7c19a-7daf-43a1-9720-a75b783fae42

📥 Commits

Reviewing files that changed from the base of the PR and between 4facf29 and b38eeb0.

⛔ Files ignored due to path filters (2)

• Cargo.lock is excluded by !**/*.lock
• vendor/stack-auth/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (35)

• Cargo.toml
• mise.local.example.toml
• mise.toml
• packages/cipherstash-proxy/src/error.rs
• packages/cipherstash-proxy/src/lib.rs
• packages/cipherstash-proxy/src/postgresql/backend.rs
• packages/cipherstash-proxy/src/postgresql/context/mod.rs
• packages/cipherstash-proxy/src/postgresql/frontend.rs
• packages/cipherstash-proxy/src/postgresql/messages/bind.rs
• packages/cipherstash-proxy/src/postgresql/messages/data_row.rs
• packages/cipherstash-proxy/src/proxy/encrypt_config/manager.rs
• packages/cipherstash-proxy/src/proxy/mod.rs
• packages/cipherstash-proxy/src/proxy/zerokms/zerokms.rs
• vendor/stack-auth/.gitignore
• vendor/stack-auth/Cargo.toml
• vendor/stack-auth/LICENSE
• vendor/stack-auth/README.md
• vendor/stack-auth/examples/auto_strategy.rs
• vendor/stack-auth/examples/device_code.rs
• vendor/stack-auth/src/access_key.rs
• vendor/stack-auth/src/access_key_refresher.rs
• vendor/stack-auth/src/access_key_strategy.rs
• vendor/stack-auth/src/auto_refresh.rs
• vendor/stack-auth/src/auto_strategy.rs
• vendor/stack-auth/src/device_client.rs
• vendor/stack-auth/src/device_code/mod.rs
• vendor/stack-auth/src/device_code/protocol.rs
• vendor/stack-auth/src/device_code/tests.rs
• vendor/stack-auth/src/lib.rs
• vendor/stack-auth/src/oauth_refresher.rs
• vendor/stack-auth/src/oauth_strategy.rs
• vendor/stack-auth/src/refresher.rs
• vendor/stack-auth/src/service_token.rs
• vendor/stack-auth/src/static_token_strategy.rs
• vendor/stack-auth/src/token.rs

💤 Files with no reviewable changes (22)

• vendor/stack-auth/src/static_token_strategy.rs
• vendor/stack-auth/src/device_code/tests.rs
• vendor/stack-auth/README.md
• vendor/stack-auth/src/auto_strategy.rs
• vendor/stack-auth/src/oauth_refresher.rs
• vendor/stack-auth/.gitignore
• vendor/stack-auth/src/access_key.rs
• vendor/stack-auth/Cargo.toml
• vendor/stack-auth/src/device_client.rs
• vendor/stack-auth/src/device_code/protocol.rs
• vendor/stack-auth/src/device_code/mod.rs
• vendor/stack-auth/src/refresher.rs
• vendor/stack-auth/src/service_token.rs
• vendor/stack-auth/src/oauth_strategy.rs
• vendor/stack-auth/src/access_key_refresher.rs
• vendor/stack-auth/src/access_key_strategy.rs
• vendor/stack-auth/examples/auto_strategy.rs
• vendor/stack-auth/LICENSE
• vendor/stack-auth/src/token.rs
• vendor/stack-auth/src/lib.rs
• vendor/stack-auth/src/auto_refresh.rs
• vendor/stack-auth/examples/device_code.rs

[coderabbitai]

🩺 Stability & Availability | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm published versions and that no stale patch/exclude remains
for c in cipherstash-client cipherstash-config cts-common; do
  echo "== $c =="
  curl -s "https://crates.io/api/v1/crates/$c" | jq -r '.versions[].num' | rg -n '0\.38\.0' || echo "0.38.0 NOT found"
done
echo "== residual stack-auth references =="
rg -n 'stack-auth|vendor/stack-auth' Cargo.toml Cargo.lock 2>/dev/null

Repository: cipherstash/proxy

Length of output: 550

---

Critical Build Failure: Versions 0.38.0 are unpublished.

The versions 0.38.0 for cipherstash-client, cipherstash-config, and cts-common are not available on crates.io. Removing the [patch.crates-io] override with these versions will cause the build to fail immediately as the resolver cannot find these artifacts.

Required Action:

• Revert the Cargo.toml changes to use a published version or restore the [patch.crates-io] entry with a valid local or git source for stack-auth until the crates are published. Do not merge this PR in its current state.
  [dangerous_changes]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Cargo.toml` around lines 46 - 48, The Cargo.toml dependency update points
cipherstash-client, cipherstash-config, and cts-common at unpublished 0.38.0
versions, which will break dependency resolution. Revert these entries to a
published crates.io version or restore the [patch.crates-io] override to a valid
local/git source for stack-auth until those crates are available. Keep the
existing dependency names and patch configuration aligned so Cargo can resolve
them successfully.