Add dual-path EdgeZero entry point with feature flag (PR 14)

.github/workflows/integration-tests.yml

@@ -83,6 +83,50 @@ jobs:
           INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
           RUST_LOG: info
 
+  integration-tests-edgezero:
+    name: integration tests (EdgeZero entry point)
+    needs: prepare-artifacts
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up integration test runtime
+        id: shared-setup
+        uses: ./.github/actions/setup-integration-test-env
+        with:
+          origin-port: ${{ env.ORIGIN_PORT }}
+          check-dependency-versions: "false"
+          install-viceroy: "true"
+          build-wasm: "false"
+          build-test-images: "false"
+
+      - name: Download integration test artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: integration-test-artifacts
+          path: ${{ env.ARTIFACTS_DIR }}
+
+      # Exercises the EdgeZero entry point against the same WASM binary by
+      # pointing Viceroy at a config store with `edgezero_enabled = "true"`.
+      # Scoped to the container-free EC lifecycle suite (minimal TCP origin), a
+      # focused parity subset covering Fastly request conversion, config-store
+      # dispatch, publisher fallback proxying, and end-to-end EC/API wiring on
+      # the EdgeZero path. The legacy `integration-tests` job above still covers
+      # the full framework matrix.
+      - name: Run EdgeZero EC lifecycle tests
+        run: >-
+          cargo test
+          --manifest-path crates/integration-tests/Cargo.toml
+          --target x86_64-unknown-linux-gnu
+          test_ec_lifecycle_fastly
+          -- --include-ignored --test-threads=1
+        env:
+          WASM_BINARY_PATH: ${{ env.WASM_ARTIFACT_PATH }}
+          INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
+          VICEROY_CONFIG_PATH: ${{ github.workspace }}/crates/integration-tests/fixtures/configs/viceroy-template-edgezero.toml
+          RUST_LOG: info
+
   browser-tests:
     name: browser integration tests
     needs: prepare-artifacts

Cargo.toml

@@ -56,10 +56,10 @@ config = "0.15.19"
 cookie = "0.18.1"
 derive_more = { version = "2.0", features = ["display", "error"] }
 ed25519-dalek = { version = "2.2", features = ["rand_core"] }
-edgezero-adapter-axum = { git = "https://github.com/stackpop/edgezero", rev = "170b74b", default-features = false }
-edgezero-adapter-cloudflare = { git = "https://github.com/stackpop/edgezero", rev = "170b74b", default-features = false }
-edgezero-adapter-fastly = { git = "https://github.com/stackpop/edgezero", rev = "170b74b", default-features = false }
-edgezero-core = { git = "https://github.com/stackpop/edgezero", rev = "170b74b", default-features = false }
+edgezero-adapter-axum = { git = "https://github.com/stackpop/edgezero", rev = "38198f9839b70aef03ab971ae5876982773fc2a1", default-features = false }
+edgezero-adapter-cloudflare = { git = "https://github.com/stackpop/edgezero", rev = "38198f9839b70aef03ab971ae5876982773fc2a1", default-features = false }
+edgezero-adapter-fastly = { git = "https://github.com/stackpop/edgezero", rev = "38198f9839b70aef03ab971ae5876982773fc2a1", default-features = false }
+edgezero-core = { git = "https://github.com/stackpop/edgezero", rev = "38198f9839b70aef03ab971ae5876982773fc2a1", default-features = false }
 error-stack = "0.6"
 fastly = "0.11.12"
 fern = "0.7.1"
@@ -83,7 +83,7 @@ sha2 = "0.10.9"
 subtle = "2.6"
 temp-env = "0.3.6"
 tokio = { version = "1.49", features = ["sync", "macros", "io-util", "rt", "time"] }
-toml = "1.0"
+toml = "1.1"
 trusted-server-core = { path = "crates/trusted-server-core" }
 url = "2.5.8"
 urlencoding = "2.1"

crates/integration-tests/fixtures/configs/viceroy-template-edgezero.toml

@@ -0,0 +1,93 @@
+# Viceroy local server configuration template for integration tests —
+# EdgeZero entry-point variant.
+#
+# Identical to `viceroy-template.toml` but adds the `trusted_server_config`
+# config store with `edgezero_enabled = "true"`, so the same WASM binary routes
+# requests through the EdgeZero entry point instead of the legacy path. Used by
+# the `integration-tests-edgezero` CI job (via `VICEROY_CONFIG_PATH`) to exercise
+# Fastly request conversion, config-store dispatch, and end-to-end EC wiring on
+# the EdgeZero path. Keep the shared stores in sync with `viceroy-template.toml`.
+#
+# This configures the Viceroy runtime itself (backends, KV stores, etc.),
+# separate from the application config (trusted-server.toml).
+
+[local_server]
+
+    [local_server.backends]
+
+    [local_server.kv_stores]
+        # These inline placeholders satisfy Viceroy's local KV configuration
+        # requirements without exercising KV-backed application behavior.
+        [[local_server.kv_stores.counter_store]]
+            key = "placeholder"
+            data = "placeholder"
+
+        [[local_server.kv_stores.opid_store]]
+            key = "placeholder"
+            data = "placeholder"
+
+        [[local_server.kv_stores.creative_store]]
+            key = "placeholder"
+            data = "placeholder"
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "placeholder"
+            data = "placeholder"
+
+        # Pre-seeded EC rows for KV-backed EC lifecycle tests. Each scenario
+        # uses a separate row so withdrawal tombstones do not leak across
+        # sequential scenario execution in the same Viceroy instance.
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.test01"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.test02"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc.test03"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd.test04"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.test05"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_partner_store]]
+            key = "placeholder"
+            data = "placeholder"
+
+    # These are generated test-only key pairs, not production credentials.
+    # The Ed25519 private key (data) and its matching public key (x in jwks_store below)
+    # exist solely for signing and verifying tokens in the integration test environment.
+    # They were generated specifically for testing and are safe to commit — they
+    # have never been used in any production or staging environment.
+    [local_server.secret_stores]
+        [[local_server.secret_stores.signing_keys]]
+            key = "ts-2025-10-A"
+            data = "NVnTYrw5xoyTJDOwoUWoPJO3A6UCCXOJJUzgGTxxx7k="
+
+        [[local_server.secret_stores.api-keys]]
+            key = "api_key"
+            data = "test-api-key"
+
+    [local_server.config_stores]
+        # Routes requests through the EdgeZero entry point. `is_edgezero_enabled`
+        # in the Fastly adapter reads this key at runtime; `"true"` (or `"1"`)
+        # enables EdgeZero, anything else falls back to the legacy path.
+        [local_server.config_stores.trusted_server_config]
+            format = "inline-toml"
+        [local_server.config_stores.trusted_server_config.contents]
+            edgezero_enabled = "true"
+
+        [local_server.config_stores.jwks_store]
+            format = "inline-toml"
+        [local_server.config_stores.jwks_store.contents]
+            ts-2025-10-A = "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\"kid\":\"ts-2025-10-A\",\"use\":\"sig\",\"x\":\"UVTi04QLrIuB7jXpVfHjUTVN5aIdcbPNr50umTtN8pw\"}"
+            ts-2025-10-B = "{\"kty\":\"OKP\",\"crv\":\"Ed25519\",\"kid\":\"ts-2025-10-B\",\"use\":\"sig\",\"x\":\"HVTi04QLrIuB7jXpVfHjUTVN5aIdcbPNr50umTtN8pw\"}"
+            current-kid = "ts-2025-10-A"
+            active-kids = "ts-2025-10-A,ts-2025-10-B"

crates/integration-tests/tests/environments/fastly.rs

@@ -67,7 +67,19 @@ impl FastlyViceroy {
     ///
     /// This contains `[local_server]` configuration (backends, KV stores,
     /// secret stores) that Viceroy needs, separate from the application config.
+    ///
+    /// Honors the `VICEROY_CONFIG_PATH` environment variable so a CI job can
+    /// point the same WASM binary at an alternative config store — e.g. the
+    /// EdgeZero fixture that sets `trusted_server_config.edgezero_enabled =
+    /// "true"` to exercise the EdgeZero entry point. Mirrors the browser
+    /// harness's `global-setup.ts`, which reads the same variable. Falls back to
+    /// the default legacy template when unset.
     fn viceroy_config_path(&self) -> std::path::PathBuf {
+        if let Ok(path) = std::env::var("VICEROY_CONFIG_PATH") {
+            if !path.is_empty() {
+                return std::path::PathBuf::from(path);
+            }
+        }
         std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"))
             .join("fixtures/configs/viceroy-template.toml")
     }

crates/trusted-server-adapter-fastly/Cargo.toml

@@ -26,3 +26,4 @@ urlencoding = { workspace = true }
 
 [dev-dependencies]
 edgezero-core = { workspace = true, features = ["test-utils"] }
+trusted-server-core = { workspace = true, features = ["test-utils"] }