feat(amazonq): hook up lsp payload encryption

Certain LSP messages require AES-256-GCM encryption packaged as JWE

Author: rli

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/AmazonQLspService.kt

@@ -28,6 +28,7 @@ import org.slf4j.event.Level
 import software.aws.toolkits.core.utils.getLogger
 import software.aws.toolkits.core.utils.warn
 import software.aws.toolkits.jetbrains.isDeveloperMode
+import software.aws.toolkits.jetbrains.services.amazonq.lsp.encryption.JwtEncryptionManager
 import java.io.IOException
 import java.io.OutputStreamWriter
 import java.io.PipedInputStream
@@ -98,6 +99,8 @@ class AmazonQLspService(private val project: Project, private val cs: CoroutineS
 }
 
 private class AmazonQServerInstance(private val project: Project, private val cs: CoroutineScope) : Disposable {
+    private val encryptionManager = JwtEncryptionManager()
+
     private val launcher: Launcher<AmazonQLanguageServer>
 
     private val languageServer: AmazonQLanguageServer
@@ -108,7 +111,11 @@ private class AmazonQServerInstance(private val project: Project, private val cs
     private val launcherHandler: KillableProcessHandler
 
     init {
-        val cmd = GeneralCommandLine("amazon-q-lsp")
+        val cmd = GeneralCommandLine(
+            "amazon-q-lsp",
+            "--stdio",
+            "--set-credentials-encryption-key",
+        )
 
         launcherHandler = KillableColoredProcessHandler.Silent(cmd)
         val inputWrapper = LSPProcessListener()
@@ -143,6 +150,9 @@ private class AmazonQServerInstance(private val project: Project, private val cs
         launcherFuture = launcher.startListening()
 
         cs.launch {
+            // encryption info must be sent within 5s or Flare process will exit
+            encryptionManager.writeInitializationPayload(launcherHandler.process.outputStream)
+
             val initializeResult = languageServer.initialize(
                 InitializeParams().apply {
                     // does this work on windows

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/encryption/JwtEncryptionManager.kt

@@ -0,0 +1,60 @@
+// Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.services.amazonq.lsp.encryption
+
+import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
+import com.nimbusds.jose.EncryptionMethod
+import com.nimbusds.jose.JWEAlgorithm
+import com.nimbusds.jose.JWEHeader
+import com.nimbusds.jose.JWEObject
+import com.nimbusds.jose.Payload
+import com.nimbusds.jose.crypto.DirectDecrypter
+import com.nimbusds.jose.crypto.DirectEncrypter
+import software.aws.toolkits.jetbrains.services.amazonq.lsp.model.EncryptionInitializationRequest
+import java.io.OutputStream
+import java.security.SecureRandom
+import java.util.Base64
+import javax.crypto.SecretKey
+import javax.crypto.spec.SecretKeySpec
+
+class JwtEncryptionManager(private val key: SecretKey) {
+    constructor() : this(generateHmacKey())
+
+    private val mapper = jacksonObjectMapper()
+
+    fun writeInitializationPayload(os: OutputStream) {
+        val payload = EncryptionInitializationRequest(
+            EncryptionInitializationRequest.Version.V1_0,
+            EncryptionInitializationRequest.Mode.JWT,
+            Base64.getUrlEncoder().withoutPadding().encodeToString(key.encoded)
+        )
+
+        // write directly to stream because utils are closing the underlying stream
+        os.write("${mapper.writeValueAsString(payload)}\n".toByteArray())
+    }
+
+    fun encrypt(data: Any): String {
+        val header = JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
+        val payload = Payload(mapper.writeValueAsBytes(data))
+        val jweObject = JWEObject(header, payload)
+        jweObject.encrypt(DirectEncrypter(key))
+
+        return jweObject.serialize()
+    }
+
+    fun decrypt(jwt: String): String {
+        val jweObject = JWEObject.parse(jwt)
+        jweObject.decrypt(DirectDecrypter(key))
+
+        return jweObject.payload.toString()
+    }
+
+    private companion object {
+        private fun generateHmacKey(): SecretKey {
+            val keyBytes = ByteArray(32)
+            SecureRandom().nextBytes(keyBytes)
+            return SecretKeySpec(keyBytes, "HmacSHA256")
+        }
+    }
+}

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/model/EncryptionInitializationRequest.kt

@@ -0,0 +1,20 @@
+// Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.services.amazonq.lsp.model
+
+import com.fasterxml.jackson.annotation.JsonValue
+
+data class EncryptionInitializationRequest(
+    val version: Version,
+    val mode: Mode,
+    val key: String,
+) {
+    enum class Version(@JsonValue val value: String) {
+        V1_0("1.0"),
+    }
+
+    enum class Mode(@JsonValue val value: String) {
+        JWT("JWT"),
+    }
+}

plugins/amazonq/shared/jetbrains-community/src/software/aws/toolkits/jetbrains/services/amazonq/lsp/model/aws/credentials/UpdateCredentialsPayload.kt

@@ -5,7 +5,7 @@ package software.aws.toolkits.jetbrains.services.amazonq.lsp.model.aws.credentia
 
 data class UpdateCredentialsPayload(
     val data: String,
-    val encrypted: String,
+    val encrypted: Boolean,
 )
 
 data class UpdateCredentialsPayloadData(