Add dual-path EdgeZero entry point with feature flag (PR 14)

[prk-Jr]

Summary

• Adds a feature-flagged dual-path entry point: requests are dispatched through the new EdgeZero TrustedServerApp or the preserved legacy_main based on edgezero_enabled in the trusted_server_config Fastly ConfigStore, with false as the safe default on any read failure
• Implements TrustedServerApp via edgezero_core::app::Hooks with all routes, plus FinalizeResponseMiddleware and AuthMiddleware — matching legacy routing semantics without the compat conversion layer
• Upgrades edgezero workspace dependencies from a pinned revision to branch=main and uses dispatch_with_config (non-deprecated) to avoid the double set_logger panic that run_app/run_app_with_logging would cause

Changes

File	Change
Cargo.toml	Pin all four edgezero deps to branch=main; bump toml to "1.1"
Cargo.lock	Updated for edgezero and toml version changes
crates/trusted-server-adapter-fastly/src/main.rs	Add is_edgezero_enabled(), feature-flag dispatch block, extract legacy_main(), use dispatch_with_config
crates/trusted-server-adapter-fastly/src/app.rs	TrustedServerApp implementing Hooks with all 14 routes; explicit GET / and POST / to cover matchit root path gap
crates/trusted-server-adapter-fastly/src/middleware.rs	New file: FinalizeResponseMiddleware and AuthMiddleware with golden header-precedence test
fastly.toml	Add trusted_server_config config store for local dev with edgezero_enabled = "true"
crates/trusted-server-core/src/auction/orchestrator.rs	rustfmt: remove blank line
crates/trusted-server-core/src/integrations/google_tag_manager.rs	rustfmt: reorder imports, reformat long use lists
crates/trusted-server-core/src/integrations/lockr.rs	rustfmt: inline trailing-brace onto condition
crates/trusted-server-core/src/integrations/permutive.rs	rustfmt: inline trailing-brace onto condition
crates/trusted-server-core/src/integrations/prebid.rs	rustfmt: reorder imports
crates/trusted-server-core/src/integrations/testlight.rs	rustfmt: reformat long use list
.claude/settings.json	Remove trailing comma in allowed-tools array

Closes

Closes #495

Test plan

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• Manual testing via fastly compute serve — EdgeZero path routes all named routes and GET / correctly; legacy path reachable by setting edgezero_enabled = "false"

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses log macros (not println!)
• New code has tests
• No secrets or credentials committed

[aram356]

Summary

Reviewed the 13 files that PR 628 actually changes vs its base (feature/edgezero-pr13-...). The dual-path entry point is a sensible migration shape, and the explicit GET/POST "/" routes + the header-precedence middleware test are the kind of load-bearing details that prevent future outages. However, the EdgeZero path currently diverges from the legacy path in ways that are security- and reliability-relevant, and the branch = "main" pin on upstream deps makes builds non-deterministic. Blocking on those.

Blocking

🔧 wrench

• Forwarded-header sanitization missing on EdgeZero path — legacy strips Forwarded / X-Forwarded-* / Fastly-SSL before routing; EdgeZero hands the raw req to dispatch_with_config. With edgezero_enabled = "true" as the local-dev default, this is the default path. (main.rs:95)
• build_state() panics on misconfig — expect("should …") on settings / orchestrator / registry. Legacy returns a structured error response; EdgeZero now 5xx's with no detail. (app.rs:75)
• Docstring "built once at startup" is misleading — every request spins up a fresh Wasm instance, so build_state() runs per-request. Invites future false caching. (app.rs:61)
• Stale #[allow(dead_code)] on now-live middleware — five suppressions with "until Task 4 wires app.rs" comments. Task 4 is this PR. (middleware.rs:50,57,96,103,146)
• AuthMiddleware flattens Report<TrustedServerError> into EdgeError::internal(io::Error::other(...)) — loses per-variant status code and user message; generic 500 instead of the specific error. (middleware.rs:122)
• edgezero-* deps pinned to branch = "main" — non-deterministic builds; supply-chain path into prod via a moving upstream branch. Pin to a specific rev or fork tag. (Cargo.toml:59-62)

Non-blocking

🤔 thinking

• TLS metadata dropped on EdgeZero path — tls_protocol / tls_cipher hardcoded to None; legacy populates both. Low impact today (debug logging only), but a silent regression if any future signing/audit path reads them. (app.rs:123-124)

♻️ refactor

• 11 near-identical handler closures in routes() — a pair of file-local make_sync_handler / make_async_handler helpers would cut ~120 lines without harming auditability. (app.rs:175-301)
• FinalizeResponseMiddleware hardcodes FastlyPlatformGeo — take Arc<dyn PlatformGeo> instead so Middleware::handle can be unit-tested end-to-end. (middleware.rs:68)
• build_per_request_services duplicates platform::build_runtime_services — extract a shared helper that takes ClientInfo. (app.rs:111-127)

🌱 seedling

• fastly.toml flips local dev default to EdgeZero — combined with the blockers above, every fastly compute serve now exposes them. Consider defaulting to "false" until the blockers land. (fastly.toml:52)

⛏ nitpick

• AppState fields can be private (not pub(crate)). (app.rs:62-66)
• Root-route pairs clone closures four times — upstream RouterService::get_many would help. (app.rs:374-377)

📝 note

• The dispatch_with_config comment explaining the set_logger panic is excellent "why, not what" documentation. (main.rs:91-94)

👍 praise

• operator_response_headers_override_earlier_headers codifies a brittle precedence contract. (middleware.rs:217-233)
• Explicit GET "/" / POST "/" routes with the in-code explanation of matchit's wildcard gap prevent a future 404 outage. (app.rs:374-377)

CI Status

• browser integration tests: PASS
• integration tests: PASS
• prepare integration artifacts: PASS
• fmt / clippy / unit tests: not surfaced by gh pr checks — please confirm these ran.

[ChristianPavilonis]

Summary

Supplementary review — see aram356's review for the primary findings. This review covers additional items not raised there.

Non-blocking

🔧 wrench (cross-cutting, from earlier PRs in this stack)

• set_header drops multi-valued headers: edge_request_to_fastly in platform.rs:187 uses set_header instead of append_header, silently dropping duplicate headers. Pre-existing pattern (also in compat::to_fastly_request), but the EdgeZero path creates a new copy of the same bug.

🌱 seedling

• parse_edgezero_flag is case-sensitive: "TRUE" and "True" silently fall through to legacy path. Consider eq_ignore_ascii_case or logging unrecognized values.

📝 note (cross-cutting, from earlier PRs)

• Stale doc comment in platform/mod.rs:31: References fastly::Body in publisher.rs, but PR 11 already migrated to EdgeBody.

♻️ refactor (cross-cutting, from earlier PRs)

• Duplicated body_as_reader helper: Identical function in proxy.rs:24 and publisher.rs:23. Extract to shared utility.

⛏ nitpick (cross-cutting)

• Management API client re-created per write: Each put/delete in platform.rs constructs a new FastlyManagementApiClient. Fine for current usage, noted for future batch writes.

📌 out of scope

• compat.rs in core depends on fastly types: Already tracked as PR 15 removal target.

CI Status

• browser integration tests: PASS
• integration tests: PASS
• prepare integration artifacts: PASS

[ChristianPavilonis]

Summary

I found 5 issues to address before this dual-path entry-point rollout is ready. Three are functional regressions that can change request handling or response metadata, and two are documentation/configuration gaps that should be cleaned up before operators rely on the new path.

Findings folded into the review body

🤔 API/docs comments lag new proxy-rebuild and settings behavior: The latest reviewer findings also called out stale API/docs comments in crates/trusted-server-core/src/proxy.rs:989-997 and crates/trusted-server-core/src/settings.rs:476-480. Those files are not part of this PR's current diff, so I could not place them as inline comments on this review, but they should still be reconciled before the new proxy-rebuild and runtime-settings behavior is considered fully documented.

[aram356]

Summary

The previously blocking findings from the earlier review round are resolved: forwarded-header sanitization is now applied on the EdgeZero path, build_state() returns a Result with a startup_error_router fallback instead of panicking, AuthMiddleware preserves per-variant status codes via http_error, the "built once at startup" docstring is clarified, and edgezero deps are pinned to the full 40-char commit SHA 38198f9839b70aef03ab971ae5876982773fc2a1. parse_edgezero_flag is now case-insensitive with full test coverage.

Deep analysis surfaces two new blockers that share a single root cause: RouterService middleware in edgezero-core only runs on matched routes, and only GET/POST handlers are registered on this app. The combination produces two independent regressions on the EdgeZero path — non-GET/POST requests return 405 instead of being proxied to origin (legacy proxies every method), and router-level errors bypass FinalizeResponseMiddleware so responses miss X-Geo-*, X-TS-Version, X-TS-ENV, and operator-configured response_headers. Both can plausibly be fixed in one pass.

Inline comments cover the two blockers and the remaining non-blocking findings. CI locally: cargo fmt --check, cargo clippy --workspace --all-targets --all-features -- -D warnings, and cargo test --workspace all pass (821 tests).

Blocking

🔧 wrench

• Non-GET/POST methods regress to 405 — legacy route_request falls through to handle_publisher_request for every method; EdgeZero registers only GET and POST. RouterInner::dispatch returns Err(EdgeError::method_not_allowed) for HEAD / OPTIONS / PUT / DELETE / PATCH, which oneshot turns into a bare 405. See inline on crates/trusted-server-adapter-fastly/src/app.rs:422.
• TS response headers dropped on router-level errors and handler EdgeError paths — RouterService::oneshot handles Err(EdgeError) via err.into_response() outside the middleware chain, so 405/404/handler-error responses never reach FinalizeResponseMiddleware. Separately, next.run(ctx).await? in the middleware short-circuits on any inner Err. Both need changing so finalize always runs. See inline on crates/trusted-server-adapter-fastly/src/middleware.rs:69.

Non-blocking

🤔 thinking

• Geo lookup runs on auth-rejected responses — legacy skips geo on 401 and sets X-Geo-Info-Available: false; EdgeZero unconditionally attaches full geo headers to the 401. Inline on middleware.rs:71.
• Per-request double open of trusted_server_config — is_edgezero_enabled() and dispatch_with_config each open the store. Use dispatch_with_config_handle and reuse a single handle. Inline on main.rs:98.
• TLS metadata hardcoded to None on EdgeZero path — tls_protocol / tls_cipher are populated by legacy; the EdgeZero FastlyRequestContext only carries client_ip. Silent regression for any future signing/audit path. Previously flagged; still present. Inline on app.rs:126.

♻️ refactor

• Eleven near-identical handler closures — two small helpers collapse all of them. Previously flagged. Inline on app.rs:214.
• build_per_request_services duplicates platform::build_runtime_services — extract a shared helper parameterized by ClientInfo. Previously flagged. Inline on app.rs:129.
• Module docstring claims middleware is always attached — but startup_error_router skips it. Inline on app.rs:5.

🌱 seedling

• fastly.toml defaults local dev to EdgeZero — combined with the blockers above, every fastly compute serve reproduces them. Inline on fastly.toml:54.

📝 note

• No tests for AuthMiddleware::handle, FinalizeResponseMiddleware::handle, or startup_error_router — apply_finalize_headers is tested standalone, but the middleware handle methods and the degraded startup-error path have no coverage. Inline on middleware.rs:238.

CI Status

• browser integration tests: PASS
• integration tests: PASS
• prepare integration artifacts: PASS
• fmt / clippy / unit tests (local): PASS — 821 tests passing

[ChristianPavilonis]

superseded

[ChristianPavilonis]

Superseding note: I re-posted the line-specific findings as inline comments after switching to the single-comment review-comments API with the PR head commit SHA.

One additional high-priority finding is still not inline because the relevant code is outside this PR diff:

P1 — ProxyRequestConfig.allowed_domains is ignored, so integration proxies inherit the first-party allowlist unintentionally (crates/trusted-server-core/src/proxy.rs:432-458,573-579,694-700)

ProxyRequestConfig documents two modes: integrations should pass &[] for open mode, while the first-party proxy should pass &settings.proxy.allowed_domains. But proxy_request() currently destructures allowed_domains into _, and proxy_with_redirects() always checks settings.proxy.allowed_domains instead. That means enabling proxy.allowed_domains for /first-party/proxy can unexpectedly break unrelated integration proxy traffic.

Suggested fix: thread config.allowed_domains through to proxy_with_redirects() and use that slice for both the initial target check and redirect-hop checks. I’d also add a regression test where settings.proxy.allowed_domains is non-empty but proxy_request(... allowed_domains: &[]) still succeeds.

[prk-Jr]

@ChristianPavilonis Fixed the non-inline ProxyRequestConfig.allowed_domains item in eb6a9e9f. ProxyRequestConfig::allowed_domains is now threaded into ProxyRedirectPolicy and used for both the initial target check and redirect-hop checks. Added regressions for open mode with a non-empty settings.proxy.allowed_domains and open-mode redirect hops; cargo test -p trusted-server-core proxy_request_ passes.

[aram356]

Summary

Round-3 review. The previously blocking findings from round 2 are all resolved: forwarded-header sanitization runs on the EdgeZero path, build_state returns a Result with a startup_error_router fallback, AuthMiddleware preserves per-variant status codes via http_error, FinalizeResponseMiddleware absorbs handler errors via IntoResponse, the AppState docstring is corrected, workspace edgezero deps are pinned to the full 40-char commit SHA 38198f9839b70aef03ab971ae5876982773fc2a1, parse_edgezero_flag is case-insensitive with full test coverage, HEAD/OPTIONS/PUT/PATCH/DELETE catch-all routes are registered, and FinalizeResponseMiddleware now takes Arc<dyn PlatformGeo> for testability.

This round surfaces two new blockers and four non-blocking findings. Both blockers are scope/behavior issues, not implementation bugs:

• Silent behavior change in proxy.rs — integration-proxy redirect chains are no longer bounded by settings.proxy.allowed_domains, and nothing in the PR body documents it.
• Non-standard HTTP methods bypass the middleware chain — legacy route_request falls through to publisher origin for every method; this path 405/404s them without running FinalizeResponseMiddleware, dropping all TS/geo/operator headers. Contradicts the FinalizeResponseMiddleware doc contract.

Both are addressable in this PR without a large rework. Inline comments describe concrete fix options.

Local CI is green: cargo fmt --check, cargo clippy --workspace --all-targets --all-features -D warnings, and cargo test --workspace (867 tests).

Blocking

🔧 wrench

• Scope creep: silent integration-proxy allowlist semantics change — proxy.rs now lets integration proxies opt out of settings.proxy.allowed_domains for initial target and redirect hops. Not in PR description. See inline on crates/trusted-server-core/src/proxy.rs:446.
• Non-standard HTTP methods bypass middleware — TRACE/CONNECT/WebDAV verbs skip FinalizeResponseMiddleware; TS/geo/operator headers dropped. Contradicts the doc contract. See inline on crates/trusted-server-adapter-fastly/src/app.rs:149.

Non-blocking

🤔 thinking

• Per-request INFO-level routing log — noisy at production traffic; consider log::debug! or once-per-cold-start. Inline on main.rs:96.

📝 note

• No tests for FinalizeResponseMiddleware::handle / AuthMiddleware::handle — the code changed this round has no direct unit coverage. Inline on middleware.rs:130.
• No end-to-end test for the EdgeZero dispatch path — would catch the method-bypass regression directly. Inline on app.rs:392.

CI Status

• browser integration tests: PASS (GitHub)
• integration tests: PASS (GitHub)
• prepare integration artifacts: PASS (GitHub)
• fmt: PASS (local)
• clippy: PASS (local)
• rust tests: PASS (local, 867 tests)

[aram356]

🔧 wrench — Scope creep: silent behavior change to integration-proxy allowlist enforcement, not in PR description.

Before this PR, proxy_with_redirects accepted allowed_domains: _ (unused) and always enforced &settings.proxy.allowed_domains on the initial target and every redirect hop. After this PR, integration callers (gpt, google_tag_manager, permutive, etc.) pass allowed_domains: &[] → open mode (proxy.rs:519–524: empty slice permits all) → integration proxy redirect chains are no longer bounded by operator-configured allowed_domains. Only handle_first_party_proxy at proxy.rs:790 still enforces the settings allowlist.

This is security-relevant. Integration redirect hops can now follow Location to arbitrary hosts regardless of settings.proxy.allowed_domains. Likely intentional (integrations are operator-configured; first-party proxy handles untrusted creative-referenced URLs), but nothing in the PR body or the ## Changes table mentions it, and a reviewer reading git blame on the "dual-path entry point" PR will not expect this semantic shift.

Fix options (pick one, not all):

1. Split into a separate PR with its own description, tests, and reviewer sign-off on the security trade-off.
2. Update the PR body with an explicit "Proxy allowlist semantics" section explaining which callers opt into open mode and why.
3. Add a doc comment on ProxyRequestConfig::allowed_domains explaining the open-mode contract and the integration/first-party split, and update the PR body.

Blocking until the scope is explicit — the change may be fine to land, but not silently.

[aram356]

🔧 wrench — Non-standard HTTP methods bypass the middleware chain; TS/geo headers dropped.

publisher_fallback_methods() covers 7 methods (GET/POST/HEAD/OPTIONS/PUT/PATCH/DELETE). For any method outside that set (TRACE, CONNECT, WebDAV PROPFIND/PROPPATCH, LINK, UNLINK, custom verbs), RouterInner::dispatch (edgezero-core router.rs:260-271) returns Err(EdgeError::method_not_allowed) or Err(EdgeError::not_found). RouterService::oneshot (router.rs:234-240) converts that Err to a response via err.into_response() outside the middleware chain.

Consequence: 405/404 responses on those methods skip FinalizeResponseMiddleware — no X-Geo-*, X-TS-Version, X-TS-ENV, and no operator-configured response_headers. Legacy route_request falls through to handle_publisher_request for every method, so this is a silent legacy→EdgeZero semantic regression on the "unusual method" envelope, and it contradicts the FinalizeResponseMiddleware doc contract ("every outgoing response — including auth-rejected ones — carries a consistent set of headers").

Fix options:

1. Wrap the dispatch at the entry point so apply_finalize_headers runs on router-level errors too — call it on the FastlyResponse produced by dispatch_with_config before returning from fn main.
2. Add a top-level "always-apply-finalize" outer service that wraps the RouterService.
3. Expand the method list to cover everything the edge can deliver.

Option 1 or 2 is the robust fix — Option 3 is fragile (new methods added upstream would silently regress).

[aram356]

🤔 thinking — Per-request INFO-level routing log is noisy.

log::info!("routing request through EdgeZero path") at main.rs:85 and log::info!("routing request through legacy path") at main.rs:96 fire on every request. At production traffic rates this produces one INFO line per request with no actionable information — operators already know the flag value from config. Consider log::debug! for per-request, or use a OnceLock to log once per cold start so the signal is retained without the volume.

[aram356]

📝 note — Missing test coverage for FinalizeResponseMiddleware::handle and AuthMiddleware::handle.

apply_finalize_headers is tested directly (good), and startup_error_router / uses_dynamic_tsjs_fallback have focused tests. But the middleware handle methods themselves — the code that was changed this round — are not exercised:

• "Auth rejection bubbles through FinalizeResponseMiddleware and gets TS headers" contract.
• match next.run(ctx).await { Err(e) => e.into_response() } absorption path added this round.
• if response.status() != UNAUTHORIZED { geo.lookup(...) } branch.
• FastlyRequestContext::get(ctx.request()).and_then(|c| c.client_ip) extraction.

A couple of handle unit tests with a stub Next and a mock PlatformGeo would pin down the round-2 fixes and prevent regression.

[aram356]

📝 note — No end-to-end test exercises the full EdgeZero dispatch path.

None of the new tests drive TrustedServerApp::routes() → oneshot(request) end-to-end through the router + middleware + fallback chain. An E2E test would:

1. Catch the method-bypass regression directly (assert X-TS-Version present on a TRACE/CONNECT response).
2. Pin down the middleware ordering contract (FinalizeResponseMiddleware outermost).
3. Verify auth-rejected 401s still receive TS headers but skip geo lookup.

Given the size of this PR, an E2E test is high leverage.