Merge pull request #304 from cipherstash/set-keyset-name

Handle SET KEYSET errors with grace and aplomb

Author: tobyhede

.claude/commands/commit.md

@@ -17,9 +17,7 @@ Or with options:
 ## What This Command Does
 
 1. Unless specified with `--no-verify`, automatically runs pre-commit checks:
-   - `cargo clippy` to ensure code quality
-   - `cargo check` to verify the build succeeds
-   - `cargo fmt --check` to ensure consistent code formatting
+   - `mise run check`
 2. Checks which files are staged with `git status`
 3. If 0 files are staged, automatically adds all modified and new files with `git add`
 4. Performs a `git diff` to understand what changes are being committed

.github/actions/setup-test/action.yml

@@ -7,16 +7,19 @@ runs:
   using: composite
   steps:
     - uses: actions/checkout@v4
+
     - name: Install rust
       shell: /bin/bash -l {0}
       run: rustup toolchain install stable --profile minimal --no-self-update
     - name: Setup Rust cache
       uses: Swatinem/rust-cache@v2
       with:
-        cache-provider: buildjet
+        cache-provider: ${{ inputs.provider }}
+        shared-key: ${{ inputs.key }}
         cache-all-crates: true
     - uses: jdx/mise-action@v2
       with:
         version: 2025.1.0 # [default: latest] mise version to install
         install: true # [default: true] run `mise install`
         cache: true # [default: true] cache mise using GitHub's cache
+

.github/workflows/test.yml

@@ -34,4 +34,4 @@ jobs:
 
           RUST_BACKTRACE: "1"
         run: |
-          mise run --output prefix test
+          mise run --output prefix test

CLAUDE.md

@@ -76,6 +76,9 @@ mise run reset
 # Full test suite (hygiene + unit + integration)
 mise run test
 
+# Hygiene checks only
+mise run check
+
 # Unit tests only
 mise run test:unit [test_name]
 
@@ -111,7 +114,7 @@ Proxy requires CipherStash credentials configured in `mise.local.toml`:
 CS_WORKSPACE_CRN = "crn:region:workspace-id"
 CS_CLIENT_ACCESS_KEY = "your-access-key"
 CS_DEFAULT_KEYSET_ID = "your-keyset-id"
-CS_CLIENT_ID = "your-client-id" 
+CS_CLIENT_ID = "your-client-id"
 CS_CLIENT_KEY = "your-client-key"
 ```
 
@@ -136,7 +139,7 @@ Available targets: `DEVELOPMENT`, `AUTHENTICATION`, `CONTEXT`, `ENCRYPT`, `KEYSE
 
 ### Error Handling
 - All errors defined in `packages/cipherstash-proxy/src/error.rs`
-- Errors grouped by problem domain (not module structure)  
+- Errors grouped by problem domain (not module structure)
 - Customer-facing errors include friendly messages and documentation links
 - Use descriptive variant names without "Error" suffix
 

Cargo.lock

@@ -43,7 +43,7 @@ debug = true
 
 [workspace.dependencies]
 sqltk = { version = "0.10.0" }
-cipherstash-client = "0.26.0"
+cipherstash-client = "0.27.0"
 cts-common = { version = "0.3.0" }
 thiserror = "2.0.9"
 tokio = { version = "1.44.2", features = ["full"] }

Cargo.toml

@@ -50,7 +50,7 @@ stash access-keys create proxy
 # add to CS_CLIENT_ACCESS_KEY
 
 # Create a dataset
-stash datasets create proxy
+stash keysets create proxy
 # add to CS_DEFAULT_KEYSET_ID
 
 # Create a client
@@ -409,6 +409,9 @@ The integration tests have several runtime dependencies:
 - Running PostgreSQL instances (that can be started with `mise run postgres:up`)
 - Credentials for CipherStash ZeroKMS (which can be found in the [quickstart](#developing) section)
 
+The `Multitenant` Integration tests require different configuration from the baseline.
+The `CS_DEFAULT_KEYSET_ID` value must not be set for the multitenant `SET KEYSET_*` commands to work.
+
 ##### Language-specific integration tests
 
 To run language-specific integration tests, call:

DEVELOPMENT.md

@@ -17,7 +17,9 @@
   - [Column could not be encrypted](#encrypt-column-could-not-be-encrypted)
   - [Column could not be encrypted](#encrypt-column-could-not-be-encrypted)
   - [Could not decrypt data for keyset](#encrypt-encrypt-could-not-decrypt-data-for-keyset)
+  - [KeysetId could not be parsed](#encrypt-keyset-id-could-not-be-parsed)
   - [KeysetId could not be set](#encrypt-keyset-id-could-not-be-set)
+  - [KeysetName could not be set](#encrypt-keyset-name-could-not-be-set)
   - [Plaintext could not be encoded](#encrypt-plaintext-could-not-be-encoded)
   - [Unknown column](#encrypt-unknown-column)
   - [Unknown table](#encrypt-unknown-table)
@@ -276,31 +278,81 @@ The most likely cause is network access to the ZeroKMS service.
 
 
 
+<!-- ---------------------------------------------------------------------------------------------------- -->
+
+
+## KeysetId could not be parsed <a id='encrypt-keyset-id-could-not-be-parsed'></a>
+
+A keyset_id could not be parsed using the `SET CIPHERSTASH.KEYSET_ID` command.
+
+### Error message
+
+```
+KeysetId `{id}` could not be parsed using `SET CIPHERSTASH.KEYSET_ID`. KeysetId should be a valid UUID.
+```
+
+### How to Fix
+
+1. Check that the `KeysetId` is a valid UUID.
+
+
+```
+   SET [ SESSION ] CIPHERSTASH.KEYSET_ID { TO | = } '{KeysetId}'
+```
+
 <!-- ---------------------------------------------------------------------------------------------------- -->
 
 
 ## KeysetId could not be set <a id='encrypt-keyset-id-could-not-be-set'></a>
 
-A keyset_id could not be set using the `SET CIPHERSTASH.KEYSET_ID` command.
+A KeysetId could not be set using the `SET CIPHERSTASH.KEYSET_ID` command.
 
 
 ### Error message
 
 ```
-A keyset_id could not be set using `SET CIPHERSTASH.KEYSET_ID`
+A KeysetId could not be set using `SET CIPHERSTASH.KEYSET_ID`
 ```
 
 ### How to Fix
 
-1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `keyset_id` value should be in single quotes.
-2. Check that the provided `keyset_id` is a valid UUID.
-2. Check that the value is being set as a literal. The PostgreSQL `SET` statement does not support parameterised querying.
+1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `KeysetId` value should be in single quotes.
+2. Check that the `KeysetId` is a valid UUID.
+3. Check that the value is being set as a literal. The PostgreSQL `SET` statement does not support parameterised querying.
 
 
 ```
    SET [ SESSION ] CIPHERSTASH.KEYSET_ID { TO | = } '{keyset_id}'
 ```
 
+
+<!-- ---------------------------------------------------------------------------------------------------- -->
+
+
+## KeysetName could not be set <a id='encrypt-keyset-name-could-not-be-set'></a>
+
+KeysetName could not be set using the `SET CIPHERSTASH.KEYSET_NAME` command.
+
+
+### Error message
+
+```
+A KeysetName could not be set using `SET CIPHERSTASH.KEYSET_NAME`
+```
+
+### How to Fix
+
+1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `KeysetName` value should be in single quotes.
+2. Check that the provided `KeysetName` is a valid UUID.
+2. Check that the value is being set as a literal. The PostgreSQL `SET` statement does not support parameterised querying.
+
+
+```
+   SET [ SESSION ] CIPHERSTASH.KEYSET_NAME { TO | = } '{KeysetName}'
+```
+
+
+
 <!-- ---------------------------------------------------------------------------------------------------- -->