Merge feature/edgezero-pr17-cloudflare-adapter into PR18

Conflict resolutions:
- .github/workflows/test.yml: keep both PR18's benchmark smoke step and
  PR17's Fastly WASM release build verification step
- crates/integration-tests/Cargo.toml: union of PR18's parity test deps
  and lints with PR17's urlencoding; lock file regenerated
- crates/integration-tests/Cargo.lock: regenerated from merged manifest

Semantic fixes for the hardened get_settings() brought in by PR17:
- Add TrustedServerApp::routes_with_settings() to the Cloudflare
  adapter (mirroring the Axum seam) and split routes() into
  build_state_with_settings + build_router
- Parity tests build both routers from shared explicit test settings
  instead of routes(), which now returns the startup error router for
  the baked placeholder secrets. Previously seven parity tests passed
  vacuously by comparing identical 500s
- Axum and Cloudflare adapter route tests build through the settings
  seam; route-table introspection now inspects the real route table
  rather than the startup-error fallback table
- Test handler regex ^/(_ts/)?admin covers the adapter-level /admin
  routes asserted by the 401 tests and the /_ts/admin paths required
  by settings validation

Review follow-ups:
- Update stale 2x growth comment to match MAX_GROWTH_FACTOR = 1.1
- Document the dual-bump requirement for the edgezero git rev pinned
  in the workspace-excluded integration-tests manifest

Author: prk-Jr

.cargo/config.toml

@@ -21,7 +21,9 @@ check-cloudflare = ["check", "-p", "trusted-server-adapter-cloudflare", "--targe
 # Clippy — target-matched to avoid cross-target compile failures
 clippy-fastly = ["clippy", "--workspace", "--exclude", "trusted-server-adapter-axum", "--exclude", "trusted-server-adapter-cloudflare", "--all-targets", "--all-features", "--target", "wasm32-wasip1", "--", "-D", "warnings"]
 clippy-axum = ["clippy", "-p", "trusted-server-adapter-axum", "--all-targets", "--all-features", "--", "-D", "warnings"]
-clippy-cloudflare = ["clippy", "-p", "trusted-server-adapter-cloudflare", "--all-targets", "--all-features", "--", "-D", "warnings"]
+# No --all-features: the `cloudflare` feature has a compile_error! guard on
+# non-wasm32 targets. WASM-feature coverage comes from `cargo check-cloudflare`.
+clippy-cloudflare = ["clippy", "-p", "trusted-server-adapter-cloudflare", "--all-targets", "--", "-D", "warnings"]
 
 [target.'cfg(all(target_arch = "wasm32"))']
 runner = "viceroy run -C ../../fastly.toml -- "

.claude/settings.json

@@ -22,9 +22,31 @@
       "Bash(git branch:*)",
       "Bash(git diff:*)",
       "Bash(git log:*)",
+      "Bash(git show:*)",
       "Bash(git status:*)",
+      "Bash(gh pr view:*)",
+      "Bash(gh pr list:*)",
+      "Bash(gh pr diff:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh issue list:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh run list:*)",
+      "Bash(gh repo view:*)",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__new_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_pages",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__select_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__navigate_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__take_screenshot",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__take_snapshot",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_console_messages",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__get_console_message",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_network_requests",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__get_network_request",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__wait_for",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_start_trace",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_stop_trace",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_analyze_insight",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__evaluate_script"
     ]
   },

.github/actions/setup-integration-test-env/action.yml

@@ -88,7 +88,9 @@ runs:
       env:
         TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:${{ inputs.origin-port }}
         TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
-        TRUSTED_SERVER__EDGE_COOKIE__SECRET_KEY: integration-test-secret-key
+        TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
+        TRUSTED_SERVER__EC__PARTNERS: >-
+          [{"name":"Integration Test Partner","source_domain":"inttest.example.com","bidstream_enabled":true,"api_token":"integration-test-token-alpha-32-bytes-ok"},{"name":"Integration Test Partner 2","source_domain":"inttest2.example.com","bidstream_enabled":true,"api_token":"integration-test-token-bravo-32-bytes-ok"}]
         TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
       run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
 

.github/pull_request_template.md

@@ -23,8 +23,8 @@ Closes #
 
 <!-- How did you verify this works? Check all that apply -->
 
-- [ ] `cargo test --workspace`
-- [ ] `cargo clippy --workspace --all-targets --all-features -- -D warnings`
+- [ ] `cargo test-fastly && cargo test-axum`
+- [ ] `cargo clippy-fastly && cargo clippy-axum`
 - [ ] `cargo fmt --all -- --check`
 - [ ] JS tests: `cd crates/js/lib && npx vitest run`
 - [ ] JS format: `cd crates/js/lib && npm run format`

.github/workflows/test.yml

@@ -66,6 +66,9 @@ jobs:
         uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
           toolchain: ${{ steps.rust-version.outputs.rust-version }}
+          # wasm32-wasip1 is required by the "Verify Fastly WASM release
+          # build" step below; the axum build and tests are native.
+          target: wasm32-wasip1
           cache-shared-key: cargo-${{ runner.os }}
 
       - name: Build Axum adapter
@@ -78,6 +81,14 @@ jobs:
         # -- --test runs each benchmark as a regular test (no timing harness) so CI stays fast
         run: cargo bench -p trusted-server-core --bench html_processor_bench -- --test
 
+      - name: Verify Fastly WASM release build
+        env:
+          TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:8080
+          TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
+          TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
+          TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
+        run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
+
   test-cloudflare:
     name: cargo check (cloudflare native + wasm32-unknown-unknown)
     runs-on: ubuntu-latest

AGENTS.md

@@ -21,7 +21,7 @@ If you cannot read `CLAUDE.md`, follow these rules:
    - `cargo test-fastly` — Fastly adapter + core (wasm32-wasip1 via Viceroy)
    - `cargo test-axum` — Axum dev server adapter (native)
    Do NOT use bare `cargo test --workspace` — it will attempt to compile the Fastly adapter for the host target.
-4. Run `cargo fmt --all -- --check` and `cargo clippy --workspace --all-targets --all-features -- -D warnings`.
+4. Run `cargo fmt --all -- --check` and `cargo clippy-fastly && cargo clippy-axum`.
 5. Run JS tests with `cd crates/js/lib && npx vitest run` when touching JS/TS code.
 6. Use `error-stack` (`Report<E>`) for error handling — not anyhow, eyre, or thiserror.
 7. Use `log` macros (not `println!`) and `expect("should ...")` (not `unwrap()`).

CLAUDE.md

@@ -81,7 +81,7 @@ cargo test-cloudflare  # Cloudflare Workers adapter (native host)
 cargo fmt --all -- --check
 
 # Lint
-cargo clippy --workspace --all-targets --all-features -- -D warnings
+cargo clippy-fastly && cargo clippy-axum
 
 # Check compilation
 cargo check
@@ -229,6 +229,14 @@ impl core::error::Error for MyError {}
 - Format messages with present-tense verbs.
 - Use `log-fastly` as the backend for Fastly Compute.
 
+## Other guidelines
+
+- Use only example or fictional information in comments, tests, docs, examples,
+  and similar non-runtime materials. (eg. for urls use: example.com domains only)
+- Do not write or commit real domains, customer names, credentials,
+  configuration values, or other potentially sensitive real-world information in
+  comments, tests, docs, or examples.
+
 ---
 
 ## Git Commit Conventions
@@ -386,7 +394,7 @@ both runtime behavior and build/tooling changes.
 | `crates/trusted-server-core/src/tsjs.rs`                  | Script tag generation with module IDs             |
 | `crates/trusted-server-core/src/html_processor.rs`        | Injects `<script>` at `<head>` start              |
 | `crates/trusted-server-core/src/publisher.rs`             | `/static/tsjs=` handler, concatenates modules     |
-| `crates/trusted-server-core/src/edge_cookie.rs`           | Edge Cookie (EC) ID generation                    |
+| `crates/trusted-server-core/src/ec/`                      | EC identity subsystem (generation, consent, cookies) |
 | `crates/trusted-server-core/src/cookies.rs`               | Cookie handling                                   |
 | `crates/trusted-server-core/src/consent/mod.rs`           | GDPR and broader consent management               |
 | `crates/trusted-server-core/src/http_util.rs`             | HTTP abstractions and request utilities           |
@@ -402,6 +410,7 @@ both runtime behavior and build/tooling changes.
 - Do not use `unwrap()` in production code — use `expect("should ...")`.
 - Do not use thiserror — use `derive_more::Display` + `impl Error`.
 - Do not use wildcard imports (except `use super::*` in test modules).
-- Do not commit `.env` files or secrets.
+- Do not commit `.env` files, secrets, or potentially sensitive real-world
+  information in comments, tests, docs, examples, or configuration files.
 - Do not make large refactors without approval.
 - Always run tests and linting before committing.