DGS-21268 Add support for full payload encryption #347

Open
wants to merge 1 commit into
base: master

rayokota
Member

Please prefix all TypeScript pull-requests with [Typescript]

What

Add support for full payload encryption

Checklist

  • [Y] Contains customer facing changes? Including API/behavior changes
  • [Y] Did you add sufficient unit test and/or integration test coverage for this PR?
    • If not, please explain why it is not required

References

JIRA:

Test & Review

Open questions / Follow-ups

@Copilot Copilot AI review requested due to automatic review settings July 14, 2025 16:33
@rayokota rayokota requested review from a team as code owners July 14, 2025 16:33

@Copilot Copilot AI left a comment

Pull Request Overview

This PR introduces full payload encryption support across Protobuf, JSON, and Avro serializers/deserializers by adding a new encoding phase, implementing an EncryptionExecutor, and updating tests to cover payload‐level encryption.

  • Introduce RulePhase.ENCODING and executeRulesWithPhase in core Serde to apply encoding‐phase rules
  • Implement EncryptionExecutor for payload encryption and refactor FieldEncryptionExecutor to delegate
  • Update serializers and deserializers to invoke encoding‐phase transforms and extend tests for payload encryption

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| schemaregistry/test/serde/protobuf.spec.ts | Import EncryptionExecutor, switch to executor.client, add end‐to‐end payload encryption test |
| schemaregistry/test/serde/json.spec.ts | Same changes for JSON: import EncryptionExecutor, add payload encryption test, adjust client assignment |
| schemaregistry/test/serde/avro.spec.ts | Same changes for Avro, using registerWithClock and new payload encryption test |
| schemaregistry/serde/serde.ts | Add RulePhase enum, executeRulesWithPhase method, and wiring for encoding rules |
| schemaregistry/serde/protobuf.ts | Apply encoding‐phase rules around Protobuf payload before/after binary conversion |
| schemaregistry/serde/json.ts | Apply encoding‐phase rules around JSON serialization/deserialization |
| schemaregistry/serde/avro.ts | Apply encoding‐phase rules around Avro serialization/deserialization |
| schemaregistry/schemaregistry-client.ts | Define RulePhase enum and add encodingRules to RuleSet |
| schemaregistry/rules/encryption/encrypt-executor.ts | Implement EncryptionExecutor for full‐payload transform, refactor FieldEncryptionExecutor |

Comments suppressed due to low confidence (6)

schemaregistry/rules/encryption/encrypt-executor.ts:1

  • The file uses FieldRuleExecutor, FieldTransform, FieldContext, and FieldType but does not import them. Add missing imports from '../../serde/serde'.
import {

schemaregistry/test/serde/protobuf.spec.ts:322

  • This payload decryption rule uses EncryptionExecutor (type 'ENCRYPT_PAYLOAD'), but the client is set on FieldEncryptionExecutor. It should configure the EncryptionExecutor instance instead.
    fieldEncryptionExecutor.executor.client = dekClient

schemaregistry/test/serde/json.spec.ts:551

  • This payload decryption rule uses EncryptionExecutor (type 'ENCRYPT_PAYLOAD'), but the client is set on FieldEncryptionExecutor. It should configure the EncryptionExecutor instance instead.
    fieldEncryptionExecutor.executor.client = dekClient

schemaregistry/test/serde/protobuf.spec.ts:29

  • [nitpick] After importing clearKmsClients, call clearKmsClients() before registering KMS drivers to ensure a clean KMS state for each test.
const encryptionExecutor = EncryptionExecutor.register()

schemaregistry/test/serde/json.spec.ts:29

  • [nitpick] After importing clearKmsClients, call clearKmsClients() before registering drivers to avoid leaking KMS state between tests.
const encryptionExecutor = EncryptionExecutor.register()

schemaregistry/test/serde/avro.spec.ts:321

  • [nitpick] After importing clearKmsClients, call clearKmsClients() before registering executors to reset KMS registry for test isolation.
const encryptionExecutor = EncryptionExecutor.registerWithClock(new FakeClock())
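
The ordering that the overview above describes (encoding-phase rules run on the serialized bytes, after format encoding on write and before parsing on read), as an added sketch that is not code from this PR or from the project. Only the idea of an ENCODING phase comes from the page; the identifiers, the `'DOMAIN'` phase name, the AES-256-GCM cipher, the `nonce || ciphertext || tag` layout, and JSON as the format are assumptions.

```typescript
// Added illustration. Only the idea of an ENCODING phase comes from the PR summary;
// every identifier, the cipher and the wire layout here are hypothetical.
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

type RulePhase = 'DOMAIN' | 'ENCODING'; // 'DOMAIN' stands in for an object-level phase (assumed name)
type RuleMode = 'WRITE' | 'READ';
interface Rule {
  phase: RulePhase;
  transform(mode: RuleMode, payload: Buffer): Buffer;
}

// Whole-payload rule: AES-256-GCM, wire layout nonce(12) || ciphertext || tag(16).
function payloadEncryptionRule(dek: Buffer): Rule {
  return {
    phase: 'ENCODING',
    transform(mode: RuleMode, payload: Buffer): Buffer {
      if (mode === 'WRITE') {
        const nonce = randomBytes(12); // fresh nonce for every message
        const enc = createCipheriv('aes-256-gcm', dek, nonce);
        return Buffer.concat([nonce, enc.update(payload), enc.final(), enc.getAuthTag()]);
      }
      if (payload.length < 28) throw new Error('payload shorter than nonce + tag');
      const dec = createDecipheriv('aes-256-gcm', dek, payload.subarray(0, 12));
      dec.setAuthTag(payload.subarray(payload.length - 16));
      // final() throws if the tag does not verify, so tampered bytes never reach the parser
      return Buffer.concat([dec.update(payload.subarray(12, payload.length - 16)), dec.final()]);
    },
  };
}

// Encoding-phase rules see serialized bytes; reads undo the writes in reverse order.
function runEncodingRules(rules: Rule[], mode: RuleMode, payload: Buffer): Buffer {
  const active = rules.filter((r) => r.phase === 'ENCODING');
  const ordered = mode === 'WRITE' ? active : [...active].reverse();
  return ordered.reduce((buf, rule) => rule.transform(mode, buf), payload);
}

function serialize(rules: Rule[], value: unknown): Buffer {
  const encoded = Buffer.from(JSON.stringify(value), 'utf8'); // format encoding first
  return runEncodingRules(rules, 'WRITE', encoded); // then whole-payload transforms
}

function deserialize(rules: Rule[], wire: Buffer): unknown {
  const encoded = runEncodingRules(rules, 'READ', wire); // undo payload transforms first
  return JSON.parse(encoded.toString('utf8'));
}
```

Because the rule authenticates the whole serialized message, a reader holding the wrong key or a modified payload fails before any schema-aware parsing happens, unlike a field-level transform, which leaves the rest of the record readable.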
