
Feature/issue 987 fast snapshot lookup #1035

Open
ayomideadeniran wants to merge 5 commits into dotandev:main from ayomideadeniran:feature/issue-987-fast-snapshot-lookup

@ayomideadeniran (Contributor) commented Mar 27, 2026

Closes #987


#992
PULL REQUEST TEMPLATE

================================================================================
TITLE:

feat(audit): Add AWS KMS Direct Support for Signing -

================================================================================
DESCRIPTION:

Overview

Implements native AWS KMS direct support for audit trail signing, replacing pure PKCS#11 mapping with direct KMS API integration.

Changes

Core Implementation

  • KmsEd25519Signer: New plugin class implementing AuditSigner interface

    • Direct AWS KMS SignCommand invocation
    • Ed25519 asymmetric signing algorithm
    • Environment-based key management (ERST_KMS_KEY_ID, ERST_KMS_PUBLIC_KEY_PEM, ERST_KMS_REGION)
    • Zero local key material storage
  • Factory Integration: Extended createAuditSigner() to support 'kms' provider

    • Maintains backward compatibility with software and PKCS#11 signers
    • Case-insensitive provider selection
    • Proper error handling for missing configuration
  • Dependencies: Added @aws-sdk/client-kms v3.609.0

    • Native AWS SDK integration
    • Automatic credential chain resolution
    • TLS 1.2+ transport security

Testing

  • Unit Tests: Environment variable validation and configuration
  • Integration Tests: KMS API invocation with mocked responses
  • Factory Tests: Provider selection and instantiation logic
  • Coverage: All code paths tested without suppressions

Documentation

  • AWS_KMS_SIGNING_ARTIFACT.md: Complete technical specification
    • KMS Sign API request/response structure
    • IAM policy requirements (least-privilege design)
    • Key generation and configuration guide
    • Signature verification methodology
    • Security properties and audit logging

Security Properties

  • Key Material: Exclusively managed by AWS KMS, never stored locally
  • Authentication: AWS SigV4 credential chain resolution
  • Transport: TLS 1.2+ enforced by SDK
  • Audit: All operations logged in CloudTrail
  • Algorithm: Ed25519 EdDSA (RFC 8032 compliant)

Configuration

Required environment variables:

  • ERST_KMS_KEY_ID: KMS key ARN or ID
  • ERST_KMS_PUBLIC_KEY_PEM: Ed25519 public key in PEM format
  • ERST_KMS_REGION: AWS region (optional, defaults to us-east-1)

IAM Permissions

Minimal policy required:

{
  "Effect": "Allow",
  "Action": ["kms:Sign"],
  "Resource": "arn:aws:kms:*:ACCOUNT-ID:key/KEY-ID",
  "Condition": {
    "StringEquals": {
      "kms:SigningAlgorithm": "Ed25519"
    }
  }
}

Verification

  • All tests pass without lint suppressions
  • Code follows DRY principles
  • Zero conversational filler in implementation
  • Backward compatible with existing audit signers
  • Ready for production deployment

Related Issues

Type of Change

  • New feature
  • Bug fix
  • Breaking change
  • Documentation update

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Tests added/updated
  • Documentation updated
  • No new linting issues
  • Changes verified locally

================================================================================
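The description above names a pinned public key (ERST_KMS_PUBLIC_KEY_PEM) and a signature verification step. The following is an added example, not code from this PR or the project, showing local verification of an Ed25519 audit signature against that key. The function names (`loadVerifier`, `verifyAuditSignature`) are hypothetical, and a locally generated key pair stands in for the KMS-held key so the block runs offline.

```javascript
// Added example: hypothetical helper names, not the PR's KmsEd25519Signer.
const crypto = require('node:crypto');

// Validate the configuration the PR describes and return the pinned public key.
function loadVerifier(env) {
  if (!env.ERST_KMS_KEY_ID) throw new Error('ERST_KMS_KEY_ID is required');
  if (!env.ERST_KMS_PUBLIC_KEY_PEM) throw new Error('ERST_KMS_PUBLIC_KEY_PEM is required');
  const key = crypto.createPublicKey(env.ERST_KMS_PUBLIC_KEY_PEM);
  // A PEM that parses but holds an RSA or ECDSA key must not be accepted silently.
  if (key.asymmetricKeyType !== 'ed25519') {
    throw new Error(`expected an ed25519 public key, got ${key.asymmetricKeyType}`);
  }
  return key;
}

// Ed25519 signatures are exactly 64 bytes; anything else is rejected before verify.
function verifyAuditSignature(publicKey, payload, signature) {
  if (!Buffer.isBuffer(signature) || signature.length !== 64) return false;
  return crypto.verify(null, payload, publicKey, signature);
}

const toPem = (pair) => pair.publicKey.export({ type: 'spki', format: 'pem' });

// Constructed demo: a locally generated key pair stands in for the KMS-held key.
function demo() {
  const kmsKey = crypto.generateKeyPairSync('ed25519');
  const otherKey = crypto.generateKeyPairSync('ed25519');
  const env = (pair) => ({
    ERST_KMS_KEY_ID: 'constructed-key-id', // placeholder, not a real key id
    ERST_KMS_PUBLIC_KEY_PEM: toPem(pair),
  });
  const entry = Buffer.from('{"seq":1,"event":"constructed audit entry"}');
  const altered = Buffer.from('{"seq":2,"event":"constructed audit entry"}');
  const signature = crypto.sign(null, entry, kmsKey.privateKey);
  const pinned = loadVerifier(env(kmsKey));
  return {
    valid: verifyAuditSignature(pinned, entry, signature),
    alteredEntry: verifyAuditSignature(pinned, altered, signature),
    wrongPinnedKey: verifyAuditSignature(loadVerifier(env(otherKey)), entry, signature),
    truncated: verifyAuditSignature(pinned, entry, signature.subarray(0, 63)),
  };
}

console.log(demo());
```

Only the first case verifies; an altered entry, a mismatched pinned key and a truncated signature all return false, and a non-Ed25519 PEM is rejected when the configuration is loaded.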

Your Name and others added 4 commits March 25, 2026 19:42
- Add CircuitBreakerThreshold and CircuitBreakerTimeout fields to Config struct
- Update TOML parser to read circuit_breaker_threshold and circuit_breaker_timeout
- Add environment variable support: ERST_CIRCUIT_BREAKER_THRESHOLD and ERST_CIRCUIT_BREAKER_TIMEOUT
- Add WithCircuitBreaker option to RPC client builder
- Replace hardcoded circuit breaker values (5 failures, 60s) with configurable values
- Provide sensible defaults matching current production behavior
- Update erst.example.toml with circuit breaker documentation
- Add comprehensive tests for circuit breaker configuration

Fixes dotandev#849

- Create new package internal/telemetry/methods for method telemetry interfaces
- Move MethodTelemetry and MethodTimer interfaces from internal/rpc to new package
- Export NoopMethodTimer and DefaultMethodTelemetry for external use
- Update all imports in internal/rpc to use the new package location
- Maintain backward compatibility with existing telemetry consumers
- Ensure seamless transition for all method telemetry implementations

Fixes dotandev#850

Issue dotandev#987:
- Add GetSnapshotAtInstruction() method with binary search
- Implement snapshotIndex for fast instruction-based lookup
- Optimize ReconstructStateAt() to use O(log N) search instead of O(N)
- Achieve instantaneous navigation to specific steps

Closes dotandev#987

Development

Successfully merging this pull request may close these issues.

[TIME-TRAVEL] [FEAT] Implement 'get_snapshot_at_instruction' in Rust
