Remove fastly dependency from trusted-server-core (PR 15)

[prk-Jr]

Summary

• Removes all fastly crate imports from trusted-server-core, keeping the shared crate platform-agnostic and enforcing that invariant with migration_guards.rs
• Moves Fastly-specific compatibility, backend, geo, config-store, secret-store, and KV-store wiring into trusted-server-adapter-fastly
• Uses the platform abstraction layer (RuntimeServices, PlatformBackendSpec, PlatformKvStore) for core request handling instead of Fastly SDK types
• Restores consent KV wiring on the EdgeZero entry path: configured consent stores are opened for /auction and publisher fallback routes, matching the legacy path's fail-closed 503 behavior when the store is unavailable

Changes

File	Change
crates/trusted-server-core/src/compat.rs	Deleted; Fastly request/response conversion lives in the adapter
crates/trusted-server-core/src/storage/	Removed Fastly config/secret store implementations from core; callers use platform traits
crates/trusted-server-core/src/geo.rs	Removed Fastly geo conversion from core; adapter owns Fastly-specific geo mapping
crates/trusted-server-core/src/storage/kv_store.rs	Consent KV persistence uses PlatformKvStore rather than Fastly KV types
crates/trusted-server-core/src/consent/mod.rs	ConsentPipelineInput accepts an optional PlatformKvStore reference for KV fallback/write-through
crates/trusted-server-core/src/platform/	Hosts the platform contracts, including the shared default backend first-byte timeout
crates/trusted-server-core/src/integrations/mod.rs	Adds platform-backend helpers for ensure/predict behavior without Fastly imports
crates/trusted-server-core/src/integrations/{aps,adserver_mock,prebid}.rs	Migrated from direct Fastly backend config to platform helpers
crates/trusted-server-core/src/publisher.rs	Uses RuntimeServices/PlatformKvStore for consent KV fallback and revocation deletion
crates/trusted-server-core/Cargo.toml	Removes the fastly dependency from core
crates/trusted-server-adapter-fastly/src/compat.rs	Owns Fastly/http compatibility conversion and forwarded-header sanitization tests
crates/trusted-server-adapter-fastly/src/backend.rs	Owns Fastly dynamic backend configuration and deterministic backend naming
crates/trusted-server-adapter-fastly/src/platform.rs	Implements Fastly platform services, including open_kv_store for PlatformKvStore
crates/trusted-server-adapter-fastly/src/app.rs	Wires EdgeZero routes through the shared consent-route KV helper and adds an EdgeZero regression test for missing configured consent stores
crates/trusted-server-adapter-fastly/src/main.rs	Legacy route path reuses the same consent-route KV helper
crates/trusted-server-adapter-fastly/Cargo.toml	Keeps adapter-only dependencies scoped to Fastly-specific code

Closes

Closes #496

Test plan

• cargo test -p trusted-server-adapter-fastly edgezero_missing_consent_store_breaks_only_consent_routes
• cargo test -p trusted-server-adapter-fastly configured_missing_consent_store_only_breaks_consent_routes
• cargo test -p trusted-server-core --lib
• cargo fmt --all -- --check
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo test --workspace
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
• Manual testing via fastly compute serve

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code; uses expect("should ...") where needed
• Uses log macros rather than println!
• New behavior has regression coverage
• No secrets or credentials committed

[aram356]

Summary

This PR delivers its stated goal — trusted-server-core is now fully fastly-free and the consent pipeline is abstracted behind a minimal ConsentKvOps trait. Local verification passes (fmt, clippy -D warnings, cargo test --workspace, wasm32-wasip1 release build).

Three concerns merit changes before merge: a diagnostic regression in predict_backend_name_for_url, duplication of the security-adjacent SPOOFABLE_FORWARDED_HEADERS list, and a test-coverage regression in the relocated adapter compat.rs. The remaining items are non-blocking observations and follow-up candidates.

Note: this PR targets feature/edgezero-pr14-entry-point-dual-path, not main; review scope is the 31-file PR-15-specific delta (+2230/-2165).

Blocking

🔧 wrench

• Diagnostic regression in predict_backend_name_for_url — inline comment at crates/trusted-server-core/src/integrations/mod.rs:135
• SPOOFABLE_FORWARDED_HEADERS duplicated across core and adapter — inline comment at crates/trusted-server-adapter-fastly/src/compat.rs:18
• Adapter compat.rs has zero tests after relocation (14 security-relevant tests dropped) — inline comment at crates/trusted-server-adapter-fastly/src/compat.rs:82

Non-blocking

🤔 thinking

• KV errors logged at debug level as "lookup miss" — inline comment at crates/trusted-server-adapter-fastly/src/platform.rs:420
• Backend-name compute logic duplicated between predict_backend_name_for_url (core) and BackendConfig::compute_name (adapter) — inline comment at crates/trusted-server-core/src/integrations/mod.rs:130

🌱 seedling

• Redundant KV read on fallback+save path — inline comment at crates/trusted-server-core/src/consent/kv.rs:267
• Hardcoded certificate_check: true in ensure_integration_backend (integrations/mod.rs:69) and ensure_integration_backend_with_timeout (integrations/mod.rs:114). No regression vs. pre-PR behaviour, but the sibling predict_backend_name_for_url does take certificate_check: bool — asymmetric. If any integration ever needs a self-signed upstream (test/on-prem), these helpers would need to grow that parameter.

📌 out of scope

• migration_guards.rs not extended — migration_guards.rs:27-46 only covers 12 files and a narrow regex (Request|Response|http::Method|StatusCode|mime::APPLICATION_JSON). With core's fastly dep now removed, this guard should either broaden to \bfastly:: across all core files, be replaced by a Cargo-metadata dependency-presence test (more robust, no false negatives), or be deleted as structurally redundant. Follow-up issue.
• FastlyConsentKvStore::open silent failure — inline comment at crates/trusted-server-adapter-fastly/src/platform.rs:409

📝 note

• Stale "PR 15" forward references:
  • adapter-fastly/src/app.rs:150: "will be removed when legacy_main is deleted in PR 15". This is PR 15 and legacy_main was not deleted.
  • adapter-fastly/src/main.rs:113: "compat.rs will be deleted in PR 15 once this legacy path is retired". This is PR 15; compat.rs was moved (not deleted) and the legacy path was not retired.
    Update comments to reference the actual future PR number or drop the promise.

⛏ nitpick

• Unnecessary u16 type suffix — inline comment at crates/trusted-server-core/src/integrations/mod.rs:140

CI Status

• fmt: PASS
• clippy (-D warnings): PASS
• rust tests (cargo test --workspace): PASS (800+ tests)
• wasm32-wasip1 release build: PASS
• PR-reported checks (browser integration, integration tests, prepare integration artifacts): PASS

[ChristianPavilonis]

Summary

• Submitted reviewer-approved findings for consent/KV handling, backend naming consistency, and Fastly wiring.
• Verdict: REQUEST_CHANGES (includes a P1 finding).

Findings moved to review body

The following approved findings were included in the review body because GitHub could not resolve their requested inline locations in the current diff:

• 🤔 Consent bootstrap logic is now duplicated across auction and publisher paths (crates/trusted-server-core/src/auction/endpoints.rs:61)
  Both handlers now repeat the same sequence: parse cookies, generate/read synthetic ID, geo lookup with identical error handling, and build ConsentPipelineInput with kv_ops. This duplication is likely to drift as the consent pipeline evolves; this PR already had to touch both call sites just to thread the new abstraction through.
  Suggestion: Extract a small shared helper that prepares request-scoped consent state once and returns the ConsentContext plus any reused intermediates such as synthetic_id, geo, and cookie_jar.

• ⛏ Public docs/comments still lag the new kv_ops contract (crates/trusted-server-core/src/auction/endpoints.rs:21)
  The new kv_ops parameter materially changes how consent persistence is enabled, but the public docs still describe these handlers mostly in their pre-PR form, and one consent comment still says fallback requires consent_store rather than kv_ops.
  Suggestion: Update the affected doc comments to explain that consent KV fallback/write-through occurs only when a concrete kv_ops implementation is supplied, and adjust the stale internal comment in consent/mod.rs.

[prk-Jr]

Fixed the two findings GitHub moved into the review body in 3a53f33.

• Extracted shared consent bootstrap into consent::prepare_request_consent_state(...), and both the auction and publisher handlers now use it instead of duplicating cookie parsing, synthetic-id setup, geo lookup, and consent-context construction.
• Updated the affected handler docs plus the stale internal comment so they describe the kv_ops contract correctly: KV fallback/write-through only happens when a concrete kv_ops implementation is supplied.

Fresh verification on this commit:

• cargo fmt --all -- --check
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo test --workspace

[ChristianPavilonis]

Summary

Approving this PR. The main refactor looks solid: trusted-server-core is decoupled from Fastly and the adapter now owns the Fastly-specific backend, KV, and compatibility wiring.

I left 2 non-blocking follow-up comments inline for logging/test coverage.

[aram356]

Summary

Re-review of PR 15 after the most recent commits (Apr 27). The core refactor goal is achieved — trusted-server-core no longer imports fastly, and the migration guard test (migration_guards.rs) durably enforces the invariant. Build, clippy, fmt, and the full Rust test suite (878 tests) pass locally; GitHub CI is green.

However, the merge with PR14 removed the ConsentKvOps / FastlyConsentKvStore abstraction without replacing the wiring on the EdgeZero entry path, leaving a privacy-sensitive gap: when edgezero_enabled = true and consent_store is configured, consent revocation deletes silently fail. The PR description still describes the pre-merge design and is now misleading.

Requesting changes to address (or explicitly accept and document) the EdgeZero consent-KV gap and to update the PR description before merge.

Blocking

❓ question

Consent KV is not opened on the EdgeZero entry path — crates/trusted-server-adapter-fastly/src/app.rs:92

build_state() constructs kv_store = Arc::new(UnavailableKvStore) unconditionally, and build_per_request_services (lines 111–127) hands that same store to every handler. The runtime_services_for_consent_route helper in crates/trusted-server-adapter-fastly/src/main.rs:307-323 (which actually opens the configured consent.consent_store) is only called from the legacy route_request.

Consequence: when edgezero_enabled = true and [consent] consent_store = "..." is configured, every services.kv_store() call in core returns KvError::Unavailable. In particular, the revocation delete in crates/trusted-server-core/src/publisher.rs:765 silently fails (Failed to delete consent KV entry … Unavailable) — the EC cookie expires, but the persisted consent data is not removed. KV-backed consent fallback also never engages on the EdgeZero path. This is a privacy/compliance concern (right-to-erasure).

This appears to be a regression from the merge resolution that removed FastlyConsentKvStore / open_consent_kv after merging PR14. Either (a) the EdgeZero path needs an equivalent of runtime_services_for_consent_route (open the consent store inside build_per_request_services or wrap the auction/publisher handlers), or (b) the EdgeZero path should fail loudly at startup when consent.consent_store is configured but cannot be opened.

Was this intentional, or did it slip through the merge?

🔧 wrench

PR description is stale and contradicts the merged code — The body still claims:

• "Introduces a sync ConsentKvOps trait in core"
• "FastlyConsentKvStore in the adapter implements the trait"
• "Threads kv_ops: Option<&dyn ConsentKvOps> through ConsentPipelineInput"

None of these exist after the PR14 merge — the actual code uses PlatformKvStore directly via RuntimeServices, and the consent KV is opened only on the legacy path. The "Changes" table for consent/kv.rs, consent/mod.rs, app.rs, main.rs, and platform.rs describes work that was reverted. Reviewers and git log consumers will be misled. Please update the PR description to reflect the post-PR14-merge reality before merging.

Non-blocking

🤔 thinking

UnavailableKvStore swallows configuration errors silently on the EdgeZero path — Combined with the question above, configuring consent_store = "missing-store" on the EdgeZero path produces no startup error and only per-request warn! lines. The legacy path correctly fails the auction/publisher routes with 503 (verified by route_tests.rs:184). Worth validating consent-store availability at startup so misconfiguration cannot silently disable revocation.

⛏ nitpick

Pre-existing: core is on edition = "2021" — CLAUDE.md mandates 2024 edition. Not introduced by this PR; flagged only for awareness/follow-up.

CI Status

• fmt: PASS (local + GitHub)
• clippy: PASS (local, -D warnings)
• rust tests: PASS (878 tests, local)
• GitHub CI: PASS (browser tests, integration tests, prepare integration artifacts)

[aram356]

Summary

Re-review of PR 15 against HEAD 725ccdc2. Local verification passes (fmt, clippy -D warnings, 878 + 45 unit tests across the changed crates) and GitHub CI is green.

The core refactor goal is achieved — trusted-server-core no longer imports fastly and the migration guard test enforces the invariant. However, the previously flagged EdgeZero consent-KV regression (Apr 30 review) is still present at the same line, and the PR description still describes the pre-PR14-merge design that was reverted. Requesting changes to address (or explicitly accept and document) those before merge.

Blocking

🔧 wrench

• EdgeZero path silently disables consent KV (privacy/compliance regression) — crates/trusted-server-adapter-fastly/src/app.rs:92 (line outside this PR's diff hunk, so flagging at body level).

  build_state() hardcodes Arc::new(UnavailableKvStore), and build_per_request_services (lines 111–127) hands that exact store to every route. There is no analogue of runtime_services_for_consent_route (main.rs:307-323) on this path.

  Concrete effect when edgezero_enabled = true AND [consent] consent_store = "..." is set:

  • crates/trusted-server-core/src/publisher.rs:765 calls delete_consent_from_kv(services.kv_store(), cookie_ec_id), which hits UnavailableKvStore.delete() → KvError::Unavailable. storage/kv_store.rs:323-332 swallows the error (warn-log only). The EC cookie expires but the persisted consent is not removed — right-to-erasure broken.
  • crates/trusted-server-core/src/auction/endpoints.rs:83-87 and publisher.rs:508-512 pass Some(services.kv_store()) to the consent pipeline, but it's the unavailable store, so consent persistence and KV-backed consent fallback never engage.

  Compare with the legacy path (correct): route_tests.rs:184-260 verifies that a missing consent.consent_store produces a fail-closed 503 on /auction and the publisher fallback via route_request. EdgeZero has no equivalent and silently degrades. Same blocking finding as the Apr 30 review, at the same line, still present at HEAD 725ccdc2.

  Fix options:

  1. Open consent.consent_store inside build_state() (or in build_per_request_services) using platform::open_kv_store, and either (a) fail startup if configured-but-unavailable or (b) wrap the consent-touching handlers (/auction, fallback) so they return 503 like the legacy path.
  2. Mirror runtime_services_for_consent_route at the EdgeZero handler boundaries.

  Either way, please add a counterpart of the existing configured_missing_consent_store_only_breaks_consent_routes test that drives TrustedServerApp::routes() so the regression cannot slip through another merge.

• PR description is stale and contradicts the merged code — the body still claims the PR introduces a sync ConsentKvOps trait, a FastlyConsentKvStore adapter implementation, and threads kv_ops: Option<&dyn ConsentKvOps> through ConsentPipelineInput. None of those exist after the PR14 merge — the actual code uses PlatformKvStore directly via RuntimeServices. The "Changes" table for consent/kv.rs, consent/mod.rs, app.rs, main.rs, and platform.rs describes work that was reverted. Please update the description to reflect the post-PR14-merge reality before merging so reviewers and git log consumers aren't misled.

Non-blocking

🤔 thinking

• No EdgeZero-side test for consent-store wiring — route_tests.rs:184 configured_missing_consent_store_only_breaks_consent_routes only exercises the legacy route_request. There is no analogous test that constructs TrustedServerApp::routes() with consent.consent_store configured. Combined with the blocking finding above, the regression slipped through the PR14 merge with no failing test to catch it.
• Both crates still on edition = "2021" — CLAUDE.md mandates 2024 edition. Pre-existing across the repo, not introduced by this PR; flagged for awareness/follow-up.

📌 out of scope

• UnavailableKvStore makes consent-store misconfiguration invisible at startup — even after the blocking finding is addressed, configured-but-unopenable stores will only surface as per-request warn! lines unless build_state() validates store availability at startup. Worth a follow-up to fail loudly when consent.consent_store is set but cannot be opened.

CI Status

• fmt: PASS (local)
• clippy: PASS (local, -D warnings)
• rust tests: PASS (878 + 45 in changed crates)
• GitHub CI: PASS (browser tests, integration tests, prepare integration artifacts)

[prk-Jr]

Addressed the body-level blocking findings from the Apr 30 and May 6 reviews in 50dc61f.

• EdgeZero /auction and publisher fallback now use the same consent-route KV helper as the legacy path, so configured-but-unavailable consent stores fail closed with 503 instead of silently using UnavailableKvStore.
• Added app::tests::edgezero_missing_consent_store_breaks_only_consent_routes, which drives TrustedServerApp::routes() with consent.consent_store configured.
• Updated the PR description to reflect the current RuntimeServices / PlatformKvStore design and removed the stale ConsentKvOps / FastlyConsentKvStore wording.
• Also handled the repeated inline cleanup comments for timeout placement, the core backend stub, the unused adapter dependency, and platform-backend wording.

Fresh verification before commit:

• cargo fmt --all -- --check
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo test --workspace