cipherstash · tobyhede · Apr 14, 2025 · Apr 14, 2025
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -238,12 +238,26 @@ The possible values are:
 - `warn`
 - `error`
 
-A Proxy-wide default level is configured by setting the environment variable `RUST_LOG`.
-If this variable is not set, the default value set in the Proxy code will be used.
+The Proxy-wide default level can be configured by `CS_LOG__LEVEL`.
+Default level is `Info`.
+
+Proxy has multiple "log targets" corresponding to the internal domains.
+
+Set log levels for a specific log target to turn on or turn of more verbose logging:
+
+```
+Target          | ENV
+--------------- | -------------------------------------
+DEVELOPMENT     | CS_LOG__DEVELOPMENT_LEVEL
+AUTHENTICATION  | CS_LOG__AUTHENTICATION_LEVEL
+CONTEXT         | CS_LOG__CONTEXT_LEVEL
+ENCRYPT         | CS_LOG__ENCRYPT_LEVEL
+KEYSET          | CS_LOG__KEYSET_LEVEL
+PROTOCOL        | CS_LOG__PROTOCOL_LEVEL
+MAPPER          | CS_LOG__MAPPER_LEVEL
+SCHEMA          | CS_LOG__SCHEMA_LEVEL
+```
 
-There are different "log targets" in Proxy.
-They correspond to modules or functionalities.
-Set log levels for a specific log target to turn on or turn of more verbose logging.
 
 > [!IMPORTANT]
 > The application code must use the 'target' parameter for the per-target log level to work.
@@ -395,6 +409,8 @@ The integration tests have several runtime dependencies:
 - Credentials for CipherStash ZeroKMS (which can be found in the [quickstart](#developing) section)
 
 
+
+
 ### Working with Encrypt Query Language (EQL)
 
 The [Encrypt Query Language (EQL)](https://github.com/cipherstash/encrypt-query-language/) is a set of abstractions for transmitting, storing, and interacting with encrypted data and indexes in PostgreSQL.
@@ -481,6 +497,36 @@ If you ever get confused about where your configuration is coming from, run `mis
 Certificates are generated by `mkcert`, and live in `tests/tls/`.
 
 
+#### Configuration: development endpoints
+
+
+ZeroKMS and CTS host endpoints can be configured for local development.
+
+Env variables are `CS_DEVELOPMENT__ZEROKMS_HOST` and `CS_DEVELOPMENT__CTS_HOST`.
+
+
+```toml
+
+[development]
+# ZeroKMS host
+# Optional
+# Defaults to CipherStash Production ZeroKMS host
+# Env: CS_DEVELOPMENT__ZEROKMS_HOST
+zerokms_host = "1.1.1.1"
+
+
+# CTS host
+# Optional
+# Defaults to CipherStash Production CTS host
+# Env: CS_DEVELOPMENT__CTS_HOST
+cts_host = "1.1.1.1"
+
+```
+
+
+
+
+
 ## Logging
 
 - Use structured logging

diff --git a/packages/cipherstash-proxy/src/config/tandem.rs b/packages/cipherstash-proxy/src/config/tandem.rs
@@ -65,6 +65,12 @@ pub struct DevelopmentConfig {
 
     #[serde(default)]
     pub enable_mapping_errors: bool,
+
+    #[serde(default)]
+    pub zerokms_host: Option<String>,
+
+    #[serde(default)]
+    pub cts_host: Option<String>,
 }
 
 /// Config defaults to a file called `tandem` in the current directory.
@@ -198,6 +204,18 @@ impl TandemConfig {
         }
     }
 
+    pub fn zerokms_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.zerokms_host.clone())
+    }
+
+    pub fn cts_host(&self) -> Option<String> {
+        self.development
+            .as_ref()
+            .and_then(|dev| dev.cts_host.clone())
+    }
+
     pub fn use_structured_logging(&self) -> bool {
         matches!(self.log.format, LogFormat::Structured)
     }

diff --git a/packages/cipherstash-proxy/src/encrypt/mod.rs b/packages/cipherstash-proxy/src/encrypt/mod.rs
@@ -10,6 +10,7 @@ use crate::{
     Identifier,
 };
 use cipherstash_client::{
+    config::EnvSource,
     credentials::{auto_refresh::AutoRefresh, ServiceCredentials},
     encryption::{
         self, Encrypted, EncryptionError, IndexTerm, Plaintext, PlaintextTarget,
@@ -190,19 +191,32 @@ impl Encrypt {
 
 async fn init_cipher(config: &TandemConfig) -> Result<ScopedCipher, Error> {
     let console_config = ConsoleConfig::builder().with_env().build()?;
-    let cts_config = CtsConfig::builder().with_env().build()?;
 
-    // Not using with_env because the proxy config should take precedence
-    let builder = ZeroKMSConfig::builder(); //.with_env();
+    let builder = CtsConfig::builder().with_env();
+    let builder = if let Some(cts_host) = config.cts_host() {
+        builder.base_url(&cts_host)
+    } else {
+        builder
+    };
+    let cts_config = builder.build()?;
 
-    let zerokms_config = builder
+    // Not using with_env because the proxy config should take precedence
+    let builder = ZeroKMSConfig::builder()
+        .add_source(EnvSource::default())
         .workspace_id(&config.auth.workspace_id)
         .access_key(&config.auth.client_access_key)
         .try_with_client_id(&config.encrypt.client_id)?
         .try_with_client_key(&config.encrypt.client_key)?
         .console_config(&console_config)
-        .cts_config(&cts_config)
-        .build_with_client_key()?;
+        .cts_config(&cts_config);
+
+    let builder = if let Some(zerokms_host) = config.zerokms_host() {
+        builder.base_url(zerokms_host)
+    } else {
+        builder
+    };
+
+    let zerokms_config = builder.build_with_client_key()?;
 
     let zerokms_client = zerokms_config
         .create_client_with_credentials(AutoRefresh::new(zerokms_config.credentials()));