Skip to content

feat: support encrypted CDN resolver state#428

Draft
nicklasl wants to merge 20 commits into
mainfrom
nicklasl/encrypted-cdn-state
Draft

feat: support encrypted CDN resolver state#428
nicklasl wants to merge 20 commits into
mainfrom
nicklasl/encrypted-cdn-state

Conversation

@nicklasl

@nicklasl nicklasl commented May 29, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

  • Add AES-256-GCM decryption to the WASM guest layer so all providers can consume encrypted CDN state
  • Add encryption key configuration to all 4 WASM-based providers (JS, Java, Go, Python)
  • Detect encrypted responses via x-goog-meta-encrypted CDN header, with a clear error when no key is configured

Changes

WASM layer

  • New proto message SetEncryptedResolverStateRequest (encrypted blob + raw key + SDK metadata)
  • New guest export wasm_msg_guest_set_encrypted_resolver_state — decrypts AES-256-GCM (Tink NO_PREFIX: 12-byte nonce ∥ ciphertext+tag), then parses and sets state
  • aes-gcm crate added (~42K WASM binary increase)

JS provider

  • ProviderOptions.encryptionKey — hex-encoded AES-256 key
  • updateState() checks x-goog-meta-encrypted header and routes to the encrypted or plain path
  • Crash-recovery wrapper (WasmResolver) caches encrypted state for instance reload

Java provider

  • LocalProviderConfig.builder().encryptionKey() — hex-encoded AES-256 key
  • FlagsAdminStateFetcher detects encrypted responses and stores raw CDN bytes
  • setEncryptedResolverState propagated through all resolver layers (Pooled, Recovering, Materializing)

Go provider

  • ProviderConfig.EncryptionKey — hex-encoded AES-256 key
  • FlagsAdminStateFetcher detects encrypted responses and stores raw CDN bytes
  • SetEncryptedResolverState propagated through all resolver layers (Pool, Recovering, Materialization)

Python provider

  • ConfidenceProvider(encryption_key=...) — hex-encoded AES-256 key
  • StateFetcher detects encrypted responses and stores raw CDN bytes
  • set_encrypted_resolver_state propagated through resolver layers

Test plan

  • WASM builds, new export verified via wasm-objdump
  • Clippy clean
  • JS build + 150/150 tests pass
  • Java build passes
  • Go build + local_resolver tests pass
  • Python lint passes (ruff + format)
  • E2E: configure encryption key on a credential, verify providers decrypt and resolve flags

🤖 Generated with Claude Code

@nicklasl nicklasl changed the title feat(wasm,js): support encrypted CDN resolver state feat: support encrypted CDN resolver state Jun 1, 2026
@nicklasl nicklasl force-pushed the nicklasl/encrypted-cdn-state branch 3 times, most recently from c98377a to 99d4ff2 Compare June 1, 2026 06:44
nicklasl and others added 11 commits June 18, 2026 09:18
@nicklasl @claude
feat(wasm,js): support encrypted CDN resolver state
4929972 
Add AES-256-GCM decryption support for encrypted CDN state blobs.

WASM layer:
- New `set_encrypted_resolver_state` guest function
- Decrypts AES-256-GCM (Tink NO_PREFIX) and sets resolver state
- Uses `aes-gcm` crate (~42K binary increase)

JS provider:
- New `encryptionKey` option in `ProviderOptions`
- Detects encrypted responses via `x-goog-meta-encrypted` header
- Informative error when state is encrypted but no key is provided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
feat(java): support encrypted CDN resolver state
6bd443c 
- Add `encryptionKey` to `LocalProviderConfig` builder
- Detect encrypted CDN responses via `x-goog-meta-encrypted` header
- Add `setEncryptedResolverState` through all resolver layers
- Informative error when state is encrypted but no key is provided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
feat(go): support encrypted CDN resolver state
a948f88 
- Add `EncryptionKey` to `ProviderConfig`
- Detect encrypted CDN responses via `x-goog-meta-encrypted` header
- Add `SetEncryptedResolverState` through all resolver layers
- Informative error when state is encrypted but no key is provided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
feat(python): support encrypted CDN resolver state
99dc1e2 
- Add `encryption_key` parameter to `ConfidenceProvider`
- Detect encrypted CDN responses via `x-goog-meta-encrypted` header
- Add `set_encrypted_resolver_state` through resolver layers
- Informative error when state is encrypted but no key is provided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix(go): fix atomic.Value nil store panics
bcb5a2f 
Replace nil stores into atomic.Value with atomic.Bool flags in both
RecoveringResolver and FlagsAdminStateFetcher. atomic.Value panics
when storing nil after a typed value was previously stored.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix(go): fix atomic.Value nil store in state fetcher
cba8907 
Use atomic.Bool to track encrypted state instead of storing nil
into rawCdnBytes atomic.Value.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix(go): restore original error message for empty accountID
a380423 
Match the error string expected by TestLocalResolverProvider_Init_EmptyAccountID.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix(js): add setEncryptedResolverState to test mock
264fddb 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
chore: sync WASM module for Go provider
18f1691 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix(python): use relative import in generated messages_pb2.py
0dd2ad3 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
style(java): fix FlagsAdminStateFetcher formatting
280e9aa 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl nicklasl force-pushed the nicklasl/encrypted-cdn-state branch from 7285e4f to 280e9aa Compare June 18, 2026 07:21
nicklasl and others added 7 commits June 18, 2026 11:25
@nicklasl @claude
feat(cloudflare): decrypt encrypted CDN state before embedding
4458f63 
The deployer now detects encrypted CDN responses via the
x-goog-meta-encrypted header and decrypts using Node.js crypto
(already available for Wrangler) before embedding in the Worker.

Requires STATE_ENCRYPTION_KEY env var (hex-encoded AES-256 key)
when the CDN state is encrypted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
refactor(cloudflare): extract decrypt logic to standalone script
83c8156 
Move AES-256-GCM decryption to decrypt_state.js so it can be
called manually:
  node decrypt_state.js <file> <hex_key> [output_file]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
fix: use x-amz-meta-encrypted header for encryption detection
db1bc28 
The CDN serves GCS metadata with x-amz-meta-* prefix, not
x-goog-meta-*. Updated all providers and the deployer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
feat: add protobuf parse fallback for encrypted state detection
68ed4bd 
Check x-amz-meta-encrypted header first, then fall back to
protobuf decode — if parsing fails, treat the state as encrypted.
Covers CDN configurations that don't forward metadata headers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
test: add encrypted resolver state fixture for e2e tests
7a1d0f5 
Generated from wasm/resolver_state.pb wrapped as SetResolverStateRequest
with account_id "confidence-test", encrypted with AES-256-GCM.

Key is deterministic (sha256 of "confidence-test-encryption-key")
and stored alongside the fixture — not secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
test: add encrypted state e2e tests for all providers
fc7d27e 
Each provider loads the encrypted fixture from data/, decrypts via
the WASM set_encrypted_resolver_state function, and verifies flag
resolution works. Also tests wrong-key rejection.

- JS: 2 tests in WasmResolver.test.ts
- Java: 2 tests in EncryptedStateTest.java
- Go: 2 tests in encrypted_state_test.go
- Python: 3 tests in test_encrypted_state.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
feat(rust): support encrypted CDN resolver state
15629e8 
The Rust provider uses the native resolver (no WASM), so decryption
is implemented directly in StateFetcher::fetch().

- Add `encryption_key` to `ProviderOptions` with builder method
- Detect encrypted responses via x-amz-meta-encrypted header
- Fall back to protobuf parse failure detection
- 3 tests: decrypt+resolve, wrong key rejection, missing key

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 23, 2026
View reviewed changes
Comment thread openfeature-provider/rust/src/state.rs Fixed
@nicklasl @claude
fix(rust): avoid hardcoded key in test to satisfy CodeQL
30ddd76 
Derive the wrong key by flipping a bit of the real test key instead
of using a zero-filled byte array, which CodeQL flags as a hardcoded
cryptographic key.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 23, 2026
View reviewed changes
Comment thread openfeature-provider/rust/src/state.rs Fixed
@nicklasl @claude
fix(rust): use generated key for wrong-key test
a84dc59 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nicklasl @github-advanced-security