Merge pull request #285 from cipherstash/test/walkthrough

feature(showcase): add comprehensive Proxy/EQL showcase crate

Author: freshtonic

.claude/commands/commit.md

@@ -0,0 +1,164 @@
+# Claude Command: Commit
+
+This command helps you create well-formatted commits with conventional commit messages and emoji.
+
+## Usage
+
+To create a commit, just type:
+```
+/commit
+```
+
+Or with options:
+```
+/commit --no-verify
+```
+
+## What This Command Does
+
+1. Unless specified with `--no-verify`, automatically runs pre-commit checks:
+   - `cargo clippy` to ensure code quality
+   - `cargo check` to verify the build succeeds
+   - `cargo fmt --check` to ensure consistent code formatting
+2. Checks which files are staged with `git status`
+3. If 0 files are staged, automatically adds all modified and new files with `git add`
+4. Performs a `git diff` to understand what changes are being committed
+5. Analyzes the diff to determine if multiple distinct logical changes are present
+6. If multiple distinct changes are detected, suggests breaking the commit into multiple smaller commits
+7. For each commit (or the single commit if not split), creates a commit message using emoji conventional commit format
+
+## Best Practices for Commits
+
+- **Verify before committing**: Ensure code is linted, builds correctly, and documentation is updated
+- **Atomic commits**: Each commit should contain related changes that serve a single purpose
+- **Split large changes**: If changes touch multiple concerns, split them into separate commits
+- **Conventional commit format**: Use the format `<type>: <description>` where type is one of:
+  - `feat`: A new feature
+  - `fix`: A bug fix
+  - `docs`: Documentation changes
+  - `style`: Code style changes (formatting, etc)
+  - `refactor`: Code changes that neither fix bugs nor add features
+  - `perf`: Performance improvements
+  - `test`: Adding or fixing tests
+  - `chore`: Changes to the build process, tools, etc.
+- **Present tense, imperative mood**: Write commit messages as commands (e.g., "add feature" not "added feature")
+- **Concise first line**: Keep the first line under 72 characters
+- **Emoji**: Each commit type is paired with an appropriate emoji:
+  - `feat`: ✨ New feature
+  - `fix`: 🐛 Bug fix
+  - `docs`: 📝 Documentation
+  - `style`: 💄 Formatting/style
+  - `refactor`: ♻️ Code refactoring
+  - `perf`: ⚡️ Performance improvements
+  - `test`: ✅ Tests
+  - `chore`: 🔧 Tooling, configuration
+  - `ci`: 🚀 CI/CD improvements
+  - `revert`: 🗑️ Reverting changes
+  - `test`: 🧪 Add a failing test
+  - `fix`: 🚨 Fix compiler/linter warnings
+  - `fix`: 🔒️ Fix security issues
+  - `chore`: 👥 Add or update contributors
+  - `refactor`: 🚚 Move or rename resources
+  - `refactor`: 🏗️ Make architectural changes
+  - `chore`: 🔀 Merge branches
+  - `chore`: 📦️ Add or update compiled files or packages
+  - `chore`: ➕ Add a dependency
+  - `chore`: ➖ Remove a dependency
+  - `chore`: 🌱 Add or update seed files
+  - `chore`: 🧑‍💻 Improve developer experience
+  - `feat`: 🧵 Add or update code related to multithreading or concurrency
+  - `feat`: 🔍️ Improve SEO
+  - `feat`: 🏷️ Add or update types
+  - `feat`: 💬 Add or update text and literals
+  - `feat`: 🌐 Internationalization and localization
+  - `feat`: 👔 Add or update business logic
+  - `feat`: 📱 Work on responsive design
+  - `feat`: 🚸 Improve user experience / usability
+  - `fix`: 🩹 Simple fix for a non-critical issue
+  - `fix`: 🥅 Catch errors
+  - `fix`: 👽️ Update code due to external API changes
+  - `fix`: 🔥 Remove code or files
+  - `style`: 🎨 Improve structure/format of the code
+  - `fix`: 🚑️ Critical hotfix
+  - `chore`: 🎉 Begin a project
+  - `chore`: 🔖 Release/Version tags
+  - `wip`: 🚧 Work in progress
+  - `fix`: 💚 Fix CI build
+  - `chore`: 📌 Pin dependencies to specific versions
+  - `ci`: 👷 Add or update CI build system
+  - `feat`: 📈 Add or update analytics or tracking code
+  - `fix`: ✏️ Fix typos
+  - `revert`: ⏪️ Revert changes
+  - `chore`: 📄 Add or update license
+  - `feat`: 💥 Introduce breaking changes
+  - `assets`: 🍱 Add or update assets
+  - `feat`: ♿️ Improve accessibility
+  - `docs`: 💡 Add or update comments in source code
+  - `db`: 🗃️ Perform database related changes
+  - `feat`: 🔊 Add or update logs
+  - `fix`: 🔇 Remove logs
+  - `test`: 🤡 Mock things
+  - `feat`: 🥚 Add or update an easter egg
+  - `chore`: 🙈 Add or update .gitignore file
+  - `test`: 📸 Add or update snapshots
+  - `experiment`: ⚗️ Perform experiments
+  - `feat`: 🚩 Add, update, or remove feature flags
+  - `ui`: 💫 Add or update animations and transitions
+  - `refactor`: ⚰️ Remove dead code
+  - `feat`: 🦺 Add or update code related to validation
+  - `feat`: ✈️ Improve offline support
+
+## Guidelines for Splitting Commits
+
+When analyzing the diff, consider splitting commits based on these criteria:
+
+1. **Different concerns**: Changes to unrelated parts of the codebase
+2. **Different types of changes**: Mixing features, fixes, refactoring, etc.
+3. **File patterns**: Changes to different types of files (e.g., source code vs documentation)
+4. **Logical grouping**: Changes that would be easier to understand or review separately
+5. **Size**: Very large changes that would be clearer if broken down
+
+## Examples
+
+Good commit messages:
+- feat: ✨ add user authentication system
+- fix: 🐛 resolve memory leak in rendering process
+- docs: 📝 update API documentation with new endpoints
+- refactor: ♻️ simplify error handling logic in parser
+- fix: 🚨 resolve linter warnings in component files
+- chore: 🧑‍💻 improve developer tooling setup process
+- feat: 👔 implement business logic for transaction validation
+- fix: 🩹 address minor styling inconsistency in header
+- fix: 🚑️ patch critical security vulnerability in auth flow
+- style: 🎨 reorganize component structure for better readability
+- fix: 🔥 remove deprecated legacy code
+- feat: 🦺 add input validation for user registration form
+- fix: 💚 resolve failing CI pipeline tests
+- feat: 📈 implement analytics tracking for user engagement
+- fix: 🔒️ strengthen authentication password requirements
+- feat: ♿️ improve form accessibility for screen readers
+
+Example of splitting commits:
+- First commit: ✨ feat: add new solc version type definitions
+- Second commit: 📝 docs: update documentation for new solc versions
+- Third commit: 🔧 chore: update package.json dependencies
+- Fourth commit: 🏷️ feat: add type definitions for new API endpoints
+- Fifth commit: 🧵 feat: improve concurrency handling in worker threads
+- Sixth commit: 🚨 fix: resolve linting issues in new code
+- Seventh commit: ✅ test: add unit tests for new solc version features
+- Eighth commit: 🔒️ fix: update dependencies with security vulnerabilities
+
+## Command Options
+
+- `--no-verify`: Skip running the pre-commit checks (`cargo check`, `cargo clippy`, `cargo fmt --check`)
+
+## Important Notes
+
+- By default, pre-commit checks (`cargo check`, `cargo clippy`, `cargo fmt --check`) will run to ensure code quality
+- If these checks fail, you'll be asked if you want to proceed with the commit anyway or fix the issues first
+- If specific files are already staged, the command will only commit those files
+- If no files are staged, it will automatically stage all modified and new files
+- The commit message will be constructed based on the changes detected
+- Before committing, the command will review the diff to identify if multiple commits would be more appropriate
+- If suggesting multiple commits, it will help you stage and commit the changes separately
+- Always reviews the commit diff to ensure the message matches the changes

CLAUDE.md

@@ -0,0 +1,178 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+CipherStash Proxy is a PostgreSQL proxy that provides **transparent, searchable encryption** for existing applications. It sits between applications and PostgreSQL databases, automatically encrypting sensitive data while preserving the ability to query encrypted values using equality, comparison, and ordering operations.
+
+Key capabilities:
+- Zero-change SQL queries - applications connect to Proxy instead of directly to PostgreSQL
+- EQL v2 (Encrypt Query Language) for searchable encryption using CipherStash ZeroKMS
+- Support for encrypted equality, comparison, ordering, and grouping operations
+- Written in Rust for performance with strongly-typed SQL statement mapping
+
+## Architecture
+
+### High-Level Components
+
+**Core Proxy (`packages/cipherstash-proxy/`):**
+- `postgresql/` - PostgreSQL wire protocol implementation, message parsing, and client handling
+- `encrypt/` - Integration with CipherStash ZeroKMS for key management and encryption operations
+- `config/` - Configuration management for database connections, TLS, and encryption settings
+- `eql/` - EQL v2 types and encryption abstractions
+
+**EQL Mapper (`packages/eql-mapper/`):**
+- SQL parsing and type inference engine
+- Transformation rules for converting plaintext SQL to encrypted operations
+- Schema analysis and column mapping for encryption
+
+**Integration Tests (`packages/cipherstash-proxy-integration/`):**
+- Comprehensive test suite covering encryption scenarios
+- Language-specific integration tests (Python, Go, Elixir)
+
+**Showcase (`packages/showcase/`):**
+- Healthcare data model demonstrating EQL v2 encryption
+- Example of realistic encrypted application with foreign keys and relationships
+
+### Request Flow
+
+1. Application connects to Proxy (port 6432) using standard PostgreSQL protocol
+2. Proxy intercepts SQL statements and uses EQL Mapper to analyze query structure
+3. For encrypted columns, Proxy transforms SQL using EQL v2 operations
+4. Encrypted queries are sent to actual PostgreSQL database
+5. Results are decrypted before returning to application
+
+## Development Commands
+
+### Prerequisites Setup
+```bash
+# Install mise (required for all development)
+brew install mise  # macOS
+mise trust --yes && mise install
+
+# Start PostgreSQL containers
+mise run postgres:up --extra-args "--detach --wait"
+mise run postgres:setup  # Install EQL and schema
+```
+
+### Core Development Workflow
+```bash
+# Build and run Proxy as a process (development)
+mise run proxy
+
+# Run Proxy in container (integration testing)
+mise run proxy:up --extra-args "--detach --wait"
+
+# Kill running processes
+mise run proxy:kill
+
+# Reset database state
+mise run reset
+```
+
+### Testing
+```bash
+# Full test suite (hygiene + unit + integration)
+mise run test
+
+# Unit tests only
+mise run test:unit [test_name]
+
+# Integration tests
+mise run test:integration
+
+# Language-specific integration tests
+mise run test:integration:lang:python
+mise run test:integration:lang:golang
+
+# Individual test packages
+mise run test:local:integration  # cipherstash-proxy-integration
+mise run test:local:mapper       # eql-mapper
+```
+
+### Database Management
+```bash
+# Connect to Proxy interactively
+mise run proxy:psql
+
+# Connect directly to PostgreSQL (bypassing Proxy)
+mise run postgres:psql
+
+# Clean shutdown
+mise run postgres:down
+```
+
+## Configuration
+
+### Authentication & Encryption
+Proxy requires CipherStash credentials configured in `mise.local.toml`:
+```toml
+CS_WORKSPACE_CRN = "crn:region:workspace-id"
+CS_CLIENT_ACCESS_KEY = "your-access-key"
+CS_DEFAULT_KEYSET_ID = "your-keyset-id"
+CS_CLIENT_ID = "your-client-id" 
+CS_CLIENT_KEY = "your-client-key"
+```
+
+### PostgreSQL Port Conventions
+- `5532` - PostgreSQL latest (non-TLS)
+- `5617` - PostgreSQL 17 (TLS)
+- `6432` - CipherStash Proxy
+
+Container names: `postgres`, `postgres-17-tls`, `proxy`, `proxy-tls`
+
+### Logging Configuration
+Set granular log levels by target:
+```bash
+CS_LOG__MAPPER_LEVEL=debug
+CS_LOG__AUTHENTICATION_LEVEL=debug
+CS_LOG__ENCRYPT_LEVEL=debug
+```
+
+Available targets: `DEVELOPMENT`, `AUTHENTICATION`, `CONTEXT`, `ENCRYPT`, `KEYSET`, `PROTOCOL`, `MAPPER`, `SCHEMA`
+
+## Key Development Patterns
+
+### Error Handling
+- All errors defined in `packages/cipherstash-proxy/src/error.rs`
+- Errors grouped by problem domain (not module structure)  
+- Customer-facing errors include friendly messages and documentation links
+- Use descriptive variant names without "Error" suffix
+
+### Testing Patterns
+- Use `unwrap()` instead of `expect()` unless providing meaningful context
+- Prefer `assert_eq!` over `assert!` for equality checks
+- Integration tests use Docker containers for reproducible environments
+
+### SQL Transformation
+- EQL Mapper handles SQL parsing and type inference
+- Transformation rules in `packages/eql-mapper/src/transformation_rules/`
+- Schema analysis determines which columns require encryption
+- Supports complex queries including JOINs, subqueries, and aggregations
+
+## EQL Integration
+
+CipherStash Proxy uses EQL v2 for searchable encryption. Key concepts:
+
+- **Plaintext columns** - standard PostgreSQL data types
+- **Encrypted columns** - use `eql_v2_encrypted` type in schema
+- **Searchable operations** - equality, comparison, ordering work on encrypted data
+- **Index support** - ORE (Order Revealing Encryption) and Match indexes for performance
+
+EQL is automatically downloaded and installed during setup. Use `CS_EQL_PATH` to point to local EQL development version.
+
+## Cross-Compilation & Building
+
+```bash
+# Build binary for current platform
+mise run build:binary
+
+# Cross-compile for Linux (from macOS)
+mise run build:binary --target aarch64-unknown-linux-gnu
+
+# Build Docker image
+mise run build:docker --platform linux/arm64
+```
+
+The build system supports cross-compilation from macOS to Linux using MaterializeInc/crosstools.

Cargo.lock

@@ -15,7 +15,7 @@ CS_CLIENT_KEY = "client-key"
 CS_CLIENT_ID = "client-id"
 
 # The release of EQL that the proxy tests will use and releases will be built with
-CS_EQL_VERSION="eql-1.0.0"
+CS_EQL_VERSION="eql-2.1.6"
 
 # TLS variables are required for providing TLS to Proxy's clients.
 # CS_TLS__TYPE can be either "Path" or "Pem" (case-sensitive).