Wire request signing to RuntimeServices store primitives (PR 9) #609

Open
prk-Jr wants to merge 12 commits into feature/edgezero-pr8-content-rewriting from feature/edgezero-pr9-wire-signing-to-store-primitives

Conversation

Collaborator

@prk-Jr prk-Jr commented Apr 2, 2026

Summary

  • Replaces direct FastlyConfigStore/FastlySecretStore construction in request_signing/ with RuntimeServices platform traits, making the signing subsystem platform-agnostic
  • Moves management API write operations (config item / secret CRUD) out of trusted-server-core into an adapter-only FastlyManagementApiClient, enforcing the EdgeZero layering rule that only the adapter may call Fastly-specific APIs
  • Threads RuntimeServices into AuctionContext so PrebidAuctionProvider (and future providers) can call RequestSigner::from_services without a deprecated FastlyConfigStore shim

Changes

| File | Change |
| --- | --- |
| crates/trusted-server-adapter-fastly/src/management_api.rs | New: FastlyManagementApiClient with update_config_item, delete_config_item, create_secret, delete_secret via Fastly management API |
| crates/trusted-server-adapter-fastly/src/platform.rs | FastlyPlatformConfigStore::put/delete and FastlyPlatformSecretStore::create/delete delegate to FastlyManagementApiClient |
| crates/trusted-server-adapter-fastly/src/main.rs | Wire services into /verify-signature handler; add mod management_api |
| crates/trusted-server-core/src/request_signing/signing.rs | Rewrite — RequestSigner::from_services(&RuntimeServices) replaces from_config(); verify_signature accepts &RuntimeServices; deprecated shim removed |
| crates/trusted-server-core/src/request_signing/rotation.rs | Rewrite — KeyRotationManager::new() now infallible; all methods accept services: &RuntimeServices |
| crates/trusted-server-core/src/request_signing/endpoints.rs | All handlers accept services: &RuntimeServices; tests use in-memory stub stores |
| crates/trusted-server-core/src/auction/types.rs | AuctionContext gains pub services: &'a RuntimeServices |
| crates/trusted-server-core/src/auction/orchestrator.rs | Pass services through derived AuctionContext construction sites |
| crates/trusted-server-core/src/auction/endpoints.rs | Pass services when constructing AuctionContext |
| crates/trusted-server-core/src/integrations/prebid.rs | Use RequestSigner::from_services(context.services) — no more #[allow(deprecated)] |
| crates/trusted-server-core/src/platform/test_support.rs | Add build_services_with_config_and_secret test helper |
| crates/trusted-server-core/src/storage/api_client.rs | Deleted: FastlyApiClient moved to adapter-only management_api.rs |
| crates/trusted-server-core/src/storage/mod.rs | Remove api_client module and FastlyApiClient re-export |
| docs/superpowers/plans/2026-03-31-pr9-wire-signing-to-store-primitives.md | Implementation plan |

Closes

Closes #490

Test plan

  • cargo test --workspace
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo fmt --all -- --check
  • JS tests: cd crates/js/lib && npx vitest run
  • JS format: cd crates/js/lib && npm run format
  • Docs format: cd docs && npm run format
  • WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
  • Manual testing via fastly compute serve

Checklist

  • Changes follow CLAUDE.md conventions
  • No unwrap() in production code — use expect("should ...")
  • Uses tracing macros (not println!)
  • New code has tests
  • No secrets or credentials committed

prk-Jr added 11 commits March 31, 2026 18:47
…te methods via management API

Replace FastlyApiClient with FastlyManagementApiClient in the put/delete
methods of FastlyPlatformConfigStore and the create/delete methods of
FastlyPlatformSecretStore. Remove the now-unused FastlyApiClient import.
Thread RuntimeServices into AuctionContext so auction providers can
access platform stores directly. Update PrebidAuctionProvider to use
RequestSigner::from_services(context.services) instead of the now-
removed from_config() shim. All construction sites and test helpers
updated accordingly.

This satisfies the final acceptance criterion of #490: no
FastlyConfigStore/FastlySecretStore construction remains in the
request_signing/ modules.
@prk-Jr prk-Jr self-assigned this Apr 2, 2026
@prk-Jr prk-Jr changed the title from "(PR 9) Wire request signing to RuntimeServices store primitives" to "Wire request signing to RuntimeServices store primitives (PR 9)" Apr 2, 2026
@prk-Jr prk-Jr linked an issue Apr 2, 2026 that may be closed by this pull request
Collaborator

@aram356 aram356 left a comment

Summary

Solid architectural move — management API writes are cleanly extracted from trusted-server-core into the Fastly adapter, and request signing is now fully platform-agnostic via RuntimeServices. Tests migrated well with spy/stub stores exercising real crypto.

Two issues with HTTP status code handling in FastlyManagementApiClient that could cause silent failures in production.

Blocking

🔧 wrench

  • create_secret rejects HTTP 201 Created: Fastly secret store API returns 201 on creation, but only 200 is accepted — new secrets will be treated as failures (management_api.rs:221)
  • update_config_item may reject HTTP 201: Config store PUT may return 201 for new items — same risk as above (management_api.rs:139)

❓ question

  • Box::leak in test helpers: Intentional memory leak in orchestrator.rs:683 and prebid.rs:1290 — would LazyLock<RuntimeServices> be preferred?

Non-blocking

♻️ refactor

  • Duplicate JWKS_STORE_NAME LazyLock: Identical definition in both signing.rs:17 and rotation.rs:20 — could live in request_signing/mod.rs

🤔 thinking

  • api_key stored as Vec<u8> but used as string: Could be String directly, or a zeroizing type for security (management_api.rs:41)

⛏ nitpick

  • Response body read but discarded: buf is read in every method but never included in error messages, unlike the deleted FastlyApiClient which used it for debugging

👍 praise

  • KeyRotationManager::new() becoming infallible is a clean simplification
  • Spy store test pattern with Mutex<Vec<...>> is excellent — real crypto with in-memory stores

CI Status

  • integration tests: PASS
  • browser integration tests: PASS
  • prepare integration artifacts: PASS

@prk-Jr prk-Jr requested a review from aram356 April 6, 2026 09:58
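
The two blocking items and the nitpick in the review above concern how a management API client classifies response statuses and what it keeps from the body on failure. The sketch below is an added example, not code from this PR or from trusted-server: `ensure_accepted`, `ManagementApiError` and `MAX_BODY_EXCERPT` are hypothetical names, and the accepted-status lists follow only what the review states (201 on creation).

```rust
use std::fmt;

/// Longest response-body excerpt copied into an error message (hypothetical limit).
const MAX_BODY_EXCERPT: usize = 200;

#[derive(Debug, PartialEq)]
pub struct ManagementApiError {
    pub operation: &'static str,
    pub status: u16,
    pub body_excerpt: String,
}

impl fmt::Display for ManagementApiError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{} failed with HTTP {}: {}", self.operation, self.status, self.body_excerpt)
    }
}

/// Accepts `status` only if the caller listed it; otherwise returns an error
/// carrying a bounded, lossily decoded excerpt of the response body.
pub fn ensure_accepted(
    operation: &'static str,
    status: u16,
    accepted: &[u16],
    body: &[u8],
) -> Result<(), ManagementApiError> {
    if accepted.contains(&status) {
        return Ok(());
    }
    // Bound the excerpt so an oversized or binary body cannot flood the logs.
    let body_excerpt: String = String::from_utf8_lossy(body)
        .chars()
        .take(MAX_BODY_EXCERPT)
        .collect();
    Err(ManagementApiError { operation, status, body_excerpt })
}

fn main() {
    // Constructed sample bodies, not captured from the real API.
    let created = br#"{"name":"signing-key"}"#;
    // Behaviour the review flags: only 200 is accepted, so 201 Created is an error.
    println!("{:?}", ensure_accepted("create_secret", 201, &[200], created));
    // Allow-list widened to cover creation.
    println!("{:?}", ensure_accepted("create_secret", 201, &[200, 201], created));
    // A real failure keeps the body for debugging.
    if let Err(e) = ensure_accepted("create_secret", 403, &[200, 201], br#"{"msg":"forbidden"}"#) {
        println!("{e}");
    }
}
```
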
Development

Successfully merging this pull request may close these issues.

Wire signing to store write primitives

2 participants