Merge feature/edgezero-pr13-integration-provider-type-migration into PR14

Conflicts resolved:

- .claude/settings.json: take PR13's additional MCP allowlist entry
- main.rs (doc comment): merge AuthChallenge variant doc from PR13 into PR14's
  "legacy routes" wording
- main.rs (match arm): take PR13's Buffered | AuthChallenge combined arm;
  keep PR14's state.settings reference (legacy_main uses AppState)
- sourcepoint.rs: take PR13's collect_response_bounded fix; PR14 HEAD still
  had the old empty-body-on-stream bug that PR13 addressed

Author: prk-Jr

.claude/settings.json

@@ -22,9 +22,31 @@
       "Bash(git branch:*)",
       "Bash(git diff:*)",
       "Bash(git log:*)",
+      "Bash(git show:*)",
       "Bash(git status:*)",
+      "Bash(gh pr view:*)",
+      "Bash(gh pr list:*)",
+      "Bash(gh pr diff:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh issue list:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh run list:*)",
+      "Bash(gh repo view:*)",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__new_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_pages",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__select_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__navigate_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__take_screenshot",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__take_snapshot",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_console_messages",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__get_console_message",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_network_requests",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__get_network_request",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__wait_for",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_start_trace",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_stop_trace",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_analyze_insight",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__evaluate_script"
     ]
   },

CLAUDE.md

@@ -209,6 +209,14 @@ impl core::error::Error for MyError {}
 - Format messages with present-tense verbs.
 - Use `log-fastly` as the backend for Fastly Compute.
 
+## Other guidelines
+
+- Use only example or fictional information in comments, tests, docs, examples,
+  and similar non-runtime materials. (eg. for urls use: example.com domains only)
+- Do not write or commit real domains, customer names, credentials,
+  configuration values, or other potentially sensitive real-world information in
+  comments, tests, docs, or examples.
+
 ---
 
 ## Git Commit Conventions
@@ -382,6 +390,7 @@ both runtime behavior and build/tooling changes.
 - Do not use `unwrap()` in production code — use `expect("should ...")`.
 - Do not use thiserror — use `derive_more::Display` + `impl Error`.
 - Do not use wildcard imports (except `use super::*` in test modules).
-- Do not commit `.env` files or secrets.
+- Do not commit `.env` files, secrets, or potentially sensitive real-world
+  information in comments, tests, docs, examples, or configuration files.
 - Do not make large refactors without approval.
 - Always run tests and linting before committing.

crates/trusted-server-adapter-fastly/src/main.rs

@@ -58,8 +58,13 @@ const EDGEZERO_ENABLED_KEY: &str = "edgezero_enabled";
 ///
 /// The streaming arm keeps the publisher body out of WASM heap until it is written directly
 /// to the client via [`fastly::Response::stream_to_client`]. All other legacy routes are buffered.
+///
+/// [`AuthChallenge`](HandlerOutcome::AuthChallenge) marks responses produced by this server's
+/// own `enforce_basic_auth` so the geo-lookup gate can distinguish them from origin-forwarded
+/// 401s, which should still carry geo headers.
 enum HandlerOutcome {
     Buffered(HttpResponse),
+    AuthChallenge(HttpResponse),
     Streaming {
         response: HttpResponse,
         body: EdgeBody,
@@ -68,9 +73,10 @@ enum HandlerOutcome {
 }
 
 impl HandlerOutcome {
+    #[cfg(test)]
     fn status(&self) -> edgezero_core::http::StatusCode {
         match self {
-            HandlerOutcome::Buffered(resp) => resp.status(),
+            HandlerOutcome::Buffered(resp) | HandlerOutcome::AuthChallenge(resp) => resp.status(),
             HandlerOutcome::Streaming { response, .. } => response.status(),
         }
     }
@@ -296,8 +302,10 @@ fn legacy_main(mut req: FastlyRequest) {
     ))
     .unwrap_or_else(|e| HandlerOutcome::Buffered(http_error_response(&e)));
 
-    // Skip geo lookup for 401s: avoids exposing geo headers to unauthenticated callers.
-    let geo_info = if outcome.status() == edgezero_core::http::StatusCode::UNAUTHORIZED {
+    // Skip geo lookup for our own auth challenges: avoids exposing geo headers to
+    // unauthenticated callers.  Origin-forwarded 401s are not AuthChallenge and
+    // do receive geo headers — the client already reached the origin anyway.
+    let geo_info = if matches!(outcome, HandlerOutcome::AuthChallenge(_)) {
         None
     } else {
         runtime_services
@@ -310,7 +318,7 @@ fn legacy_main(mut req: FastlyRequest) {
     };
 
     match outcome {
-        HandlerOutcome::Buffered(mut response) => {
+        HandlerOutcome::Buffered(mut response) | HandlerOutcome::AuthChallenge(mut response) => {
             finalize_response(&state.settings, geo_info.as_ref(), &mut response);
             compat::to_fastly_response(response).send_to_client();
         }
@@ -336,9 +344,9 @@ fn legacy_main(mut req: FastlyRequest) {
                 }
                 Err(e) => {
                     log::error!("streaming processing failed: {e:?}");
-                    if let Err(finish_err) = streaming_body.finish() {
-                        log::error!("failed to finish streaming body after error: {finish_err}");
-                    }
+                    // Headers already committed. Drop the body so the client sees a
+                    // truncated response (EOF mid-stream) — standard proxy behavior.
+                    drop(streaming_body);
                 }
             }
         }
@@ -398,7 +406,7 @@ async fn route_request(
     // Keep this fallback so manually-constructed or otherwise unprepared
     // settings still become an error response instead of panicking.
     match enforce_basic_auth(settings, &req) {
-        Ok(Some(response)) => return Ok(HandlerOutcome::Buffered(response)),
+        Ok(Some(response)) => return Ok(HandlerOutcome::AuthChallenge(response)),
         Ok(None) => {}
         Err(e) => return Err(e),
     }

crates/trusted-server-core/src/auction/orchestrator.rs

@@ -434,9 +434,30 @@ impl AuctionOrchestrator {
                     }
                 }
                 Err(e) => {
-                    // When select() returns an error, we can't easily identify which
-                    // provider failed since the PendingRequest is consumed
-                    log::warn!("A provider request failed: {:?}", e);
+                    // Identify the failed provider by finding the backend_to_provider
+                    // entry whose backend name is no longer present in `remaining`
+                    // (select() consumed exactly one pending request — the failed one).
+                    let remaining_backends: std::collections::HashSet<&str> =
+                        remaining.iter().filter_map(|r| r.backend_name()).collect();
+                    let failed_backend = backend_to_provider
+                        .keys()
+                        .find(|name| !remaining_backends.contains(name.as_str()))
+                        .cloned();
+
+                    if let Some(ref backend_name) = failed_backend {
+                        if let Some((provider_name, start_time, _)) =
+                            backend_to_provider.remove(backend_name)
+                        {
+                            let response_time_ms = start_time.elapsed().as_millis() as u64;
+                            log::warn!("Provider '{}' request failed: {:?}", provider_name, e);
+                            responses.push(AuctionResponse::error(provider_name, response_time_ms));
+                        }
+                    } else {
+                        log::warn!(
+                            "A provider request failed (backend not identified): {:?}",
+                            e
+                        );
+                    }
                 }
             }
 

crates/trusted-server-core/src/compat.rs

@@ -93,7 +93,10 @@ pub fn to_fastly_request(req: http::Request<EdgeBody>) -> fastly::Request {
 
 /// Convert a borrowed `http::Request<EdgeBody>` into a `fastly::Request`.
 ///
-/// Headers, method, and URI are copied; the body is empty.
+/// Headers, method, and URI are copied; the body is always empty. This function
+/// requires that the caller has already consumed or discarded the body — passing
+/// a request with a non-empty body is a caller error: the body bytes will be
+/// silently lost with no warning or panic.
 ///
 /// # PR 15 removal target
 pub fn to_fastly_request_ref(req: &http::Request<EdgeBody>) -> fastly::Request {
@@ -640,6 +643,38 @@ mod tests {
         );
     }
 
+    #[test]
+    fn to_fastly_response_skeleton_copies_status_and_headers_discards_body() {
+        let http_resp = http::Response::builder()
+            .status(206)
+            .header("content-type", "text/html; charset=utf-8")
+            .header("x-custom", "value")
+            .body(EdgeBody::from(b"some body bytes".as_ref()))
+            .expect("should build response");
+
+        let fastly_resp = to_fastly_response_skeleton(http_resp);
+
+        assert_eq!(
+            fastly_resp.get_status().as_u16(),
+            206,
+            "should copy status code"
+        );
+        assert_eq!(
+            fastly_resp
+                .get_header("content-type")
+                .and_then(|v| v.to_str().ok()),
+            Some("text/html; charset=utf-8"),
+            "should copy content-type header"
+        );
+        assert_eq!(
+            fastly_resp
+                .get_header("x-custom")
+                .and_then(|v| v.to_str().ok()),
+            Some("value"),
+            "should copy custom header"
+        );
+    }
+
     #[test]
     fn to_fastly_request_with_streaming_body_produces_empty_body() {
         // Stream bodies cannot cross the compat boundary: the Fastly SDK has no

crates/trusted-server-core/src/http_util.rs

@@ -1,11 +1,13 @@
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
 use chacha20poly1305::{aead::Aead, aead::KeyInit, XChaCha20Poly1305, XNonce};
 use edgezero_core::body::Body as EdgeBody;
+use error_stack::Report;
 use http::{header, Request, Response, StatusCode};
 use sha2::{Digest, Sha256};
 use subtle::ConstantTimeEq as _;
 
 use crate::constants::INTERNAL_HEADERS;
+use crate::error::TrustedServerError;
 use crate::platform::ClientInfo;
 use crate::settings::Settings;
 
@@ -401,6 +403,27 @@ pub fn compute_encrypted_sha256_token(settings: &Settings, full_url: &str) -> St
     URL_SAFE_NO_PAD.encode(digest)
 }
 
+/// Return an error if `bytes` exceeds `limit`.
+///
+/// # Errors
+///
+/// Returns [`TrustedServerError::RequestTooLarge`] when `bytes.len() > limit`.
+pub fn enforce_max_body_size(
+    bytes: &[u8],
+    limit: usize,
+    what: &str,
+) -> Result<(), Report<TrustedServerError>> {
+    if bytes.len() > limit {
+        return Err(Report::new(TrustedServerError::RequestTooLarge {
+            message: format!(
+                "{what} payload {} exceeds limit of {limit} bytes",
+                bytes.len()
+            ),
+        }));
+    }
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

crates/trusted-server-core/src/integrations/adserver_mock.rs

@@ -22,7 +22,9 @@ use crate::auction::types::{
 };
 use crate::backend::BackendConfig;
 use crate::error::TrustedServerError;
-use crate::integrations::{collect_response_bounded, UPSTREAM_RTB_MAX_RESPONSE_BYTES};
+use crate::integrations::{
+    collect_response_bounded, ensure_integration_backend, UPSTREAM_RTB_MAX_RESPONSE_BYTES,
+};
 use crate::platform::{PlatformHttpRequest, PlatformPendingRequest, PlatformResponse};
 use crate::settings::{IntegrationConfig, Settings};
 
@@ -334,20 +336,12 @@ impl AuctionProvider for AdServerMockProvider {
             }
         }
 
-        // Uses context.timeout_ms (auction-scoped) rather than the 15 s fixed
-        // timeout in ensure_integration_backend, which is for proxy endpoints.
-        // Send async with auction-scoped timeout
-        let backend_name = BackendConfig::from_url_with_first_byte_timeout(
+        let backend_name = ensure_integration_backend(
+            context.services,
             &self.config.endpoint,
-            true,
-            Duration::from_millis(u64::from(context.timeout_ms)),
-        )
-        .change_context(TrustedServerError::Auction {
-            message: format!(
-                "Failed to resolve backend for mediation endpoint: {}",
-                self.config.endpoint
-            ),
-        })?;
+            "adserver_mock",
+            Some(Duration::from_millis(u64::from(context.timeout_ms))),
+        )?;
 
         let pending = context
             .services

crates/trusted-server-core/src/integrations/aps.rs

@@ -16,7 +16,9 @@ use crate::auction::provider::AuctionProvider;
 use crate::auction::types::{AuctionContext, AuctionRequest, AuctionResponse, Bid, MediaType};
 use crate::backend::BackendConfig;
 use crate::error::TrustedServerError;
-use crate::integrations::{collect_response_bounded, UPSTREAM_RTB_MAX_RESPONSE_BYTES};
+use crate::integrations::{
+    collect_response_bounded, ensure_integration_backend, UPSTREAM_RTB_MAX_RESPONSE_BYTES,
+};
 use crate::platform::{PlatformHttpRequest, PlatformPendingRequest, PlatformResponse};
 use crate::settings::IntegrationConfig;
 
@@ -513,20 +515,12 @@ impl AuctionProvider for ApsAuctionProvider {
                 message: "Failed to build APS request".to_string(),
             })?;
 
-        // Uses context.timeout_ms (auction-scoped) rather than the 15 s fixed
-        // timeout in ensure_integration_backend, which is for proxy endpoints.
-        // Send request asynchronously with auction-scoped timeout
-        let backend_name = BackendConfig::from_url_with_first_byte_timeout(
+        let backend_name = ensure_integration_backend(
+            context.services,
             &self.config.endpoint,
-            true,
-            Duration::from_millis(u64::from(context.timeout_ms)),
-        )
-        .change_context(TrustedServerError::Auction {
-            message: format!(
-                "Failed to resolve backend for APS endpoint: {}",
-                self.config.endpoint
-            ),
-        })?;
+            "aps",
+            Some(Duration::from_millis(u64::from(context.timeout_ms))),
+        )?;
 
         let pending = context
             .services

crates/trusted-server-core/src/integrations/datadome.rs

@@ -428,7 +428,7 @@ impl DataDomeIntegration {
         services: &RuntimeServices,
         target_url: &str,
     ) -> Result<String, Report<TrustedServerError>> {
-        ensure_integration_backend(services, target_url, DATADOME_INTEGRATION_ID)
+        ensure_integration_backend(services, target_url, DATADOME_INTEGRATION_ID, None)
     }
 }
 

crates/trusted-server-core/src/integrations/didomi.rs

@@ -172,7 +172,7 @@ impl DidomiIntegration {
         services: &RuntimeServices,
         origin: &str,
     ) -> Result<String, Report<TrustedServerError>> {
-        ensure_integration_backend(services, origin, DIDOMI_INTEGRATION_ID)
+        ensure_integration_backend(services, origin, DIDOMI_INTEGRATION_ID, None)
     }
 }