Add Fermyon Spin adapter (wasm32-wasip1)#735
Open
prk-Jr wants to merge 22 commits into
Open
Conversation
Adds trusted-server-adapter-spin: Spin entrypoint via edgezero_adapter_spin::run_app, EdgeZero and Spin runtime manifests, platform runtime services (null geo, sync Spin variable secret adapter, conservative buffered HTTP client with gzip/br decompression policy), route/auth smoke tests, and EdgeZero manifest validation test. Bumps EdgeZero deps to ce6bcf74b529d9066d08ba87b2971af8379eb29e to access edgezero-adapter-spin. The new rev requires fastly = "0.12" (edgezero-adapter-fastly workspace dependency) and worker = "0.8" (Cloudflare adapter type compatibility). Pins viceroy 0.16.5 to resolve the Fastly SDK 0.12 bot-analysis hostcall issue. Extends parity tests to include Spin as a third in-process adapter. Adds target-matched cargo aliases and CI jobs for Spin native and wasm32-wasip1 targets. Updates CLAUDE.md lint and build guidance for the mixed-runtime workspace. Known MVP limits: Spin component variables do not map cleanly to all Trusted Server config keys; authenticated key rotation success is not claimed. Spin KV TTL is unavailable in the current EdgeZero Spin KV adapter.
prk-Jr
requested review from
ChristianPavilonis and
aram356
and removed request for
aram356
KIDs starting with a digit would alias in the Spin variable encoder (both "1foo" and "n1foo" map to "v_n1foo"). Blocking them at validation eliminates the risk without changing the encoding scheme.
- Filter WASI HTTP P2 forbidden outbound headers (host, connection, keep-alive, transfer-encoding, upgrade, proxy-connection) before building the Spin outbound request; the host header caused every proxy request to fail with HeaderError::Forbidden - Fix push_spin_variable_escape to emit _xhh not _hh; corrects all variable names in spin.toml and encoded test expectations - Prepend n to digit-leading keys in spin_variable_name so Spin's letter-led segment requirement is met; aliasing now unreachable because validate_kid rejects digit-leading KIDs - Fix with_capacity to account for the optional n prefix - Remove redundant localhost entries from allowed_outbound_hosts (http://*:* already covers them) - Update spin.toml encoding comment: collision-free → collision-resistant
Resolve conflict in parity.rs: preserve axum_www_auth binding from base branch (required by assert_eq! below) and move spin WWW-Authenticate presence check to end of function, consistent with deactivate test pattern.
Spin's WASI HTTP bridge does not surface the incoming Host header via IncomingRequest::headers() — the authority is only accessible through Spin's spin-full-url synthetic header. EdgeZero's into_core_request forwards all headers including spin-full-url, but the Host header is absent. extract_request_host() returns "" which causes classify_response_route to fall back to BufferedUnmodified, skipping the HTML processor entirely: no TSJS injection, no URL rewriting, no GTM proxying. Inject Host from spin-full-url in dispatch before routing, via a simple host_from_spin_url helper that strips the scheme and path. The fix is Spin-specific and does not touch shared publisher code. Also addresses PR review findings: remove build_per_request_services passthrough wrapper, reduce MAX_DECOMPRESSED_SIZE to 8 MiB, annotate streaming body limitation, expand validate_kid digit test, upgrade parity WWW-Authenticate assertions from presence to value equality, and document the anyhow exception at the WASM FFI boundary.
aram356
requested changes
May 28, 2026
aram356
left a comment
aram356
left a comment
Collaborator
There was a problem hiding this comment.
Summary
Adds a Fermyon Spin entry-point crate (wasm32-wasip1 component) with an EdgeZero manifest, platform runtime services, conservative response policy (hop-by-hop sanitization, gzip/br decompression with a 64 MiB cap), route/auth smoke tests, and a three-way parity test extension. Bumps the EdgeZero rev plus fastly 0.12, worker 0.8, and Viceroy 0.16.5 to track the new SDK surface.
Overall the adapter is well-tested with documented MVP limits, but the Spin variable encoder makes safety claims it doesn't enforce, and outbound HTTP has no timeout. Requesting changes on those two items; the rest are non-blocking suggestions.
Blocking
🔧 wrench
spin_variable_namecontract is broader than its safety claim: the comment + test name anchor onvalidate_kid, but the encoder is called by config and secret stores with arbitrary keys. Two reachable foot-guns — digit-leading aliasing and adjacent-underscore invalidity for uppercase/_/-/./:-leading keys. Fix by rejecting at the encoder boundary. (crates/trusted-server-adapter-spin/src/platform.rs:138-176)- No outbound HTTP timeout on Spin:
spin_sdk::http::sendis called with no timeout;NoopBackenddiscardsPlatformBackendSpec::first_byte_timeout. Either honor it via a race-with-delay future or document the limitation explicitly. (crates/trusted-server-adapter-spin/src/platform.rs:399-444)
Non-blocking
♻️ refactor
startup_error_routerskipsAuthMiddlewareand methods beyondGET/POST— the fallback router leaks startup error text on admin routes without a 401 challenge, and non-GET/POSTmethods bypass the error message entirely. (crates/trusted-server-adapter-spin/src/app.rs:128-154)- Duplicate
/first-party/signhandlers —fp_sign_get_handlerandfp_sign_post_handlerare byte-identical closures. (crates/trusted-server-adapter-spin/src/app.rs:264-288)
🤔 thinking
- Multi-provider fan-out rejected at request time only —
selectreturns an error when 2+ providers are submitted, but operators won't discover this until/auctiontraffic hits. A startup-time warning when adapter + provider count are incompatible would surface the limit sooner. (crates/trusted-server-adapter-spin/src/platform.rs:507-547) SpinSecretStoreAdapterUTF-8 and plaintext constraints — Spin variables are UTF-8 strings and unencrypted in the manifest by default. Today's JSON-encoded signing keys work; binary secrets would silently break, and production deployments must back the variables with a real secret-provider source. Worth a# Limitationsrustdoc section. (crates/trusted-server-adapter-spin/src/platform.rs:570-598)
⛏ nitpick
with_capacityunder-allocates — escapes are 4 bytes per char; current bound assumes 1:1. (platform.rs:150)- Test name overpromises —
spin_variable_name_digit_prefix_aliasing_is_unreachable_for_valid_kidsis true only for callers that pre-validate. Pair with an encoder-level test or rename. (platform.rs:980)
🌱 seedling
- No live Spin-runtime CI gate — the PR test plan's
spin up --from ...is intentionally unchecked. Today's CI builds and runs native-host route tests; a follow-up could exercise the WASM artifact under a real Spin runtime (the analog of Viceroy for Fastly).
📌 out of scope
clippy-cloudflareadded toformat.yml— closes an existing gap but is orthogonal to the Spin adapter. Calling it out so it isn't lost.
CI Status
- fmt: PASS
- clippy (Fastly / Axum / Cloudflare / Spin native + wasm32-wasip1): PASS
- cargo test (Fastly via Viceroy): PASS
- cargo test (Axum native): PASS
- cargo test (Cloudflare native): PASS
- cargo check/build (Spin native + wasm32-wasip1): PASS
- cargo test (cross-adapter parity): PASS
- vitest: PASS
- format-docs / format-typescript: PASS
- integration + browser tests: PASS
ChristianPavilonis
left a comment
ChristianPavilonis
left a comment
Collaborator
There was a problem hiding this comment.
Summary
Submitting the review findings as a comment review. CI is passing. I did not duplicate the existing inline review comments for the Spin variable encoder, missing outbound timeout, or startup fallback because those are already covered by an existing changes-requested review on this PR.
The additional findings below are folded into the review body because their referenced lines are outside this stacked PR's current GitHub diff, so GitHub cannot attach them as inline comments on PR #735.
Additional findings
P1 — proxy-rebuild can mint valid click redirects without validating the original token
crates/trusted-server-core/src/proxy.rs:1107
handle_first_party_proxy_rebuild extracts tsurl, ignores any supplied tstoken, then signs a new /first-party/click URL. Because this route is public, an attacker can create valid click redirects to arbitrary URLs and, when a victim follows them, handle_first_party_click may append the victim's EC ID to the attacker-controlled redirect target.
Suggestion: Validate payload.tsclick with reconstruct_and_validate_signed_target before applying changes, reject missing/invalid tstoken, and enforce settings.proxy.allowed_domains in the click redirect path before returning Location.
P2 — Cloudflare integration build uses stale SYNTHETIC env var
.github/actions/setup-integration-test-env/action.yml:132
The Cloudflare build step sets TRUSTED_SERVER__SYNTHETIC__SECRET_KEY, but the current settings field is edge_cookie.secret_key. The override is ignored, so the Cloudflare integration artifact is built with the default config value instead of the intended integration-test secret.
Suggestion: Replace it with:
TRUSTED_SERVER__EDGE_COOKIE__SECRET_KEY: integration-test-secret-keyP3 — Public docs/README do not reflect Spin or target-matched commands
docs/guide/architecture.md:7, README.md:51
The public docs still describe only Fastly/Axum runtimes and recommend broad workspace clippy commands that the project now documents as problematic for mixed runtimes.
Suggestion: Update README and guide pages to include Spin commands (cargo test-spin, cargo check-spin, the Spin build command) and target-matched clippy aliases.
Existing findings already covered by prior review
- P1 — Spin variable encoder accepts unsafe key shapes (
crates/trusted-server-adapter-spin/src/platform.rs). - P1 — Spin outbound HTTP ignores configured timeouts (
crates/trusted-server-adapter-spin/src/platform.rs). - P2 — Spin startup fallback bypasses admin auth and only handles GET/POST (
crates/trusted-server-adapter-spin/src/app.rs).
Blocking: - Reject keys not starting with a lowercase ASCII letter at the spin_variable_name encoder boundary; removes the aliasing-prone digit-leading n-prefix branch and fixes with_capacity to worst-case (key.len() * 4 + 3). Updates affected tests to assert rejection. - Document the no-configurable-outbound-timeout limitation in SpinPlatformHttpClient rustdoc; PlatformBackendSpec::first_byte_timeout is ignored by NoopBackend and Spin's http::send has no per-request timeout API. Non-blocking: - startup_error_router now logs the error and returns a generic "Service Unavailable" body so deployment state is not leaked to anonymous callers; adds PUT/DELETE handlers for all catch-all routes. - Collapse duplicate fp_sign_get_handler/fp_sign_post_handler into one closure + clone, matching the get_fallback/post_fallback pattern. - Add # Limitations rustdoc section to SpinSecretStoreAdapter covering UTF-8-only variables and plaintext-at-rest in the default manifest. Security (P1 — proxy-rebuild): - handle_first_party_proxy_rebuild now validates the tstoken on the original tsclick URL via reconstruct_and_validate_signed_target before applying any parameter mutations. Without this an attacker could submit an unsigned tsclick and mint valid click redirects to arbitrary URLs. - Enforce settings.proxy.allowed_domains on tsurl before issuing the new signed redirect. CI fix (P2): - Replace stale TRUSTED_SERVER__SYNTHETIC__SECRET_KEY env var with TRUSTED_SERVER__EDGE_COOKIE__SECRET_KEY in the Cloudflare integration build step; the previous key was ignored, leaving the artifact built with the default config value.
- README Quick Start: add cargo test-spin - README Development: replace broad workspace clippy with target-matched aliases and note why; add cargo test-spin to test list - architecture.md: mention Cloudflare/Spin in the high-level overview; add trusted-server-adapter-spin section with build/test/lint commands and known MVP limits; expand Runtime Targets table to include all four adapters; add note on target-matched clippy requirement
Test was constructing a tsclick URL without a signature. Now that handle_first_party_proxy_rebuild validates the tstoken via reconstruct_and_validate_signed_target, the test must supply a properly signed click URL. Compute the token with compute_encrypted_sha256_token over tsurl + original params before building tsclick.
- Collapse nested if/if-let/if-let into a single let-chain condition (collapsible_if, Rust 2024 edition let chains) - Move host_from_spin_url test module to end of file so no items follow the test module (items_after_test_module)
Conflict resolutions: - .cargo/config.toml: keep PR18's clippy-cloudflare without --all-features (the cloudflare feature has a non-wasm32 compile_error! guard) alongside PR19's spin aliases - CLAUDE.md / README.md: keep PR19's per-adapter lint command list; drop the broad --all-features workspace clippy suggestion that the cloudflare guard would trip - cloudflare build.sh: keep PR19's worker-build ^0.8 (matches the worker 0.8 dependency bump) - integration-tests/Cargo.toml: keep PR19's edgezero rev ce6bcf74 (matches the bumped root workspace pin) with PR18's dual-bump warning comment, PR19's exact tokio pin, and PR18's urlencoding - core proxy.rs: keep PR18's #[test] + block_on style (core has no tokio, tests must run on wasm via Viceroy) with PR19's updated proxy_rebuild test body that signs the click URL for tstoken validation - parity.rs: keep PR19's three-way Spin coverage on top of PR18's routes_with_settings seams; spin_router() helper added; JSON key-set parity extended to Spin - Lock files regenerated from the merged manifests Semantic fixes for PR16-18 API changes in the Spin adapter: - handle_proxy now takes ProxyDispatchInput - handle_auction gained kv, partner registry, and EC context parameters - PlatformSelectResult gained failed_backend_name - supports_concurrent_fanout() reports false (send_async executes eagerly) so the orchestrator rejects multi-provider auctions before any request launches; select keeps its defense-in-depth rejection - resolve_publisher_response delegates to the shared buffer_publisher_response so the max_buffered_body_bytes cap applies on Spin too - TrustedServerApp::routes_with_settings() seam added; Spin middleware and route tests build explicit test settings instead of the baked placeholder secrets that get_settings() rejects Also adapt fastly main.rs TLS metadata calls to the fastly 0.12 API (get_tls_protocol / get_tls_cipher_openssl_name now return Result<Option<&str>>)
The merged [lints.clippy] block from PR18 now applies to this branch's pre-existing integration test files: - Collapse the nested if in is_ec_cookie_expired into a let-chain - Replace redundant closures with serde_json::Value::as_u64 - Replace the denied panic! in the EC scenario loop with an assert! carrying the same diagnostic message CI's freshly installed worker-build ^0.8 requires wasm-bindgen 0.2.123 or newer, but the lock files held worker 0.8.3 with wasm-bindgen 0.2.121 (js-sys exact-pins its companion wasm-bindgen, so only the worker 0.8.4 bump moves it). Update worker in both the workspace and integration-tests lock files.
ChristianPavilonis
requested changes
Jun 13, 2026
ChristianPavilonis
left a comment
ChristianPavilonis
left a comment
Collaborator
There was a problem hiding this comment.
Automated review: I reviewed PR #735 against feature/edgezero-pr18-phase5-verification, focusing on the new Spin adapter, the core proxy/signing deltas, and the adapter parity/CI changes. CI is green, and the earlier review items for the Spin variable encoder, outbound timeout documentation, startup fallback leak, and unsigned proxy-rebuild have been addressed.
I found several issues that should block merging: the Spin adapter does not preserve trusted request scheme/sanitize spoofable forwarded headers for publisher/integration rewriting, its route table does not match the Fastly/Axum publisher fallback methods for non-GET/POST requests, and proxy-rebuild can strip the tsexp replay bound from a signed click URL and re-sign it indefinitely. I also left one non-blocking compatibility note about digit-leading legacy KIDs.
CI / Existing Reviews:
gh pr checks 735: all reported checks pass (fmt, Rust tests, cross-adapter parity, Spin native+wasm build/check, Cloudflare checks, vitest, docs/TS formatting, integration/browser tests).- Existing reviews already covered and the current HEAD appears to have fixed the prior Spin variable encoder, timeout documentation, startup fallback, Cloudflare env var, docs, and initial proxy-rebuild validation findings.
Conflict resolutions: - CLAUDE.md / README.md: kept the spin-aware clippy aliases (clippy-spin-native, clippy-spin-wasm) and the build-alias note from the base. - integration.rs: both branches replaced the panic with an assert; kept the base's "should succeed" wording. - parity.rs: combined PR18's stronger assertions with PR19's three-adapter coverage — full parsed-body equality for the discovery JSON (incl. spin), /auction status equality plus non-404 across axum/cf/spin, and canonical /_ts/admin/keys/* paths for the admin auth parity tests. To make the merged admin-auth contract hold on Spin (which previously only registered legacy /admin/keys/*), registered the canonical /_ts/admin/keys/* routes on the Spin adapter and aligned its route tests to the production-shaped ^/_ts/admin handler regex, mirroring the PR18 fix for the Axum and Cloudflare adapters.
The Spin fallback dispatch reconstructed only the Host header from the trusted spin-full-url and left client-supplied Forwarded/X-Forwarded-* headers intact. Because build_runtime_services sets no TLS signal, detect_request_scheme had no trusted scheme source and fell back to http, or to a client-spoofed scheme/host, which publisher HTML rewriting, integration URL rewriting, and request-signing context then consumed. Strip the spoofable forwarded headers (mirroring the Fastly/Axum edge sanitization), then inject both the trusted Host and the trusted scheme parsed from spin-full-url. Extracted the logic into apply_trusted_host_and_scheme and added unit tests covering spoofed X-Forwarded-* headers and Host preservation.
The Spin route table only registered GET and POST for / and /{*rest} and only
each named route's primary method, so HEAD /, OPTIONS /page (CORS preflight),
HEAD /first-party/proxy, and similar requests returned a router-level 405
instead of reaching the publisher/integration fallback like Fastly and Axum.
Mirror the Fastly/Axum publisher_fallback_methods() pattern: register GET, POST,
HEAD, OPTIONS, PUT, PATCH, and DELETE for the catch-all and for every named
path's non-primary methods, all routed through the shared fallback. Dynamic
/static/tsjs= handling stays GET-only (now gated inside dispatch on the request
method). Added route tests for HEAD /, OPTIONS, and a non-primary method on a
named path; updated the PUT /verify-signature test to assert fall-through.
handle_first_party_proxy_rebuild validated the original tstoken but then let payload.del/add mutate any parameter, including the reserved tsexp replay bound that handle_first_party_proxy_sign attaches. A public rebuild request could take a still-valid expiring /first-party/click URL, delete tsexp, and receive a freshly signed click URL that reconstruct_and_validate_signed_target accepts indefinitely (expiration is optional). Treat tsexp, tstoken, and tsurl as reserved: reject del/add for them so the bounded expiration is preserved and re-signed. Added regression tests asserting deletion of tsexp is rejected and that a normal rebuild retains the tsexp bound.
The digit-leading KID rejection (added to block Spin variable-encoder aliasing) was applied through validate_kid to every caller, including handle_deactivate_key. Deployments that created operator-supplied digit-leading KIDs under the previous validation rules could no longer deactivate or delete them, since the request was rejected before storage was touched. Split validation: validate_kid_format enforces the structural constraints (length, charset) and validate_kid layers the digit-leading rejection on top for creation/rotation. Deactivation and deletion now use validate_kid_format so legacy digit-leading KIDs remain removable. Added tests covering both paths.
The Cloudflare build installed worker-build with a floating `^0.8`, which began resolving to worker-build 0.8.5. That release passes `--force-enable-abort-handler` to wasm-bindgen, but worker-build downloads the wasm-bindgen CLI matching the locked `wasm-bindgen` (0.2.123, pulled by worker 0.8.4), and that CLI does not recognise the flag — so the integration-test Cloudflare bundle build failed with "unexpected argument '--force-enable-abort-handler'". Derive the worker crate version from Cargo.lock and pin worker-build to it. worker-build is released in lockstep with worker, so this keeps the build tool and the wasm-bindgen CLI it drives compatible, and the pin advances automatically when the lockfile bumps worker. Verified locally: build.sh installs worker-build 0.8.4 and produces build/index.js without error.
ChristianPavilonis
requested changes
Jun 13, 2026
ChristianPavilonis
left a comment
ChristianPavilonis
left a comment
Collaborator
There was a problem hiding this comment.
Automated review: I reviewed PR #735 against feature/edgezero-pr18-phase5-verification, focusing on the current Spin adapter head, the prior review fixes, route/header behavior, request-signing/proxy changes, and CI/test coverage. CI is currently green and the earlier blocking review items appear to have been addressed, but I found one remaining blocking Spin correctness issue: the first-party proxy/click/sign path still receives path-only Spin URIs while the shared core handlers parse absolute URLs. That makes the creative first-party proxy flow fail on Spin. I also left two non-blocking compatibility findings for startup fallback method coverage and KID validation consistency.
CI / Existing Reviews:
gh pr checks 735: all reported checks pass (fmt, Rust tests, cross-adapter parity, Spin native + wasm32-wasip1 check/build, Cloudflare checks, vitest, docs/TS formatting, integration/browser tests).- Existing review feedback already covered the Spin variable encoder, outbound timeout docs, trusted scheme/header sanitization in publisher fallback, route fallback methods, proxy-rebuild signing controls, legacy digit-leading KID removal, Cloudflare worker-build pinning, docs, and startup error leak. I avoided duplicating resolved items except where the current code still leaves a distinct edge case.
Spin builds the core request URI from IncomingRequest::path_with_query(), so it is path-only (e.g. "/first-party/proxy?..."). The shared first-party proxy/click/sign handlers parse req.uri() with url::Url::parse, which rejected the relative path with "Invalid URL" — breaking the creative first-party proxy flow, click redirects, and GET sign query parsing on Spin. Rename apply_trusted_host_and_scheme to normalize_spin_request and have it rebuild an absolute URI from the trusted spin-full-url scheme+host, then apply it to every named first-party handler (proxy, click, sign GET+POST, proxy-rebuild) in addition to the publisher fallback. Also build the startup error router from the full publisher fallback method set so HEAD, OPTIONS, and PATCH on "/" and nested paths return the generic 503 instead of a router-level 405, matching the healthy router. Add regression tests: a signed proxy round-trip and GET sign query parse through the Spin router, plus a startup-fallback method-coverage unit test.
validate_kid now requires a lowercase ASCII leading character, matching the strictest platform key-name encoder (the Spin variable encoder, which rejects uppercase- and punctuation-leading KIDs and aliases digit-leading ones). A KID minted on any adapter must be storable on every backend, so create/rotate validates against the strictest common denominator and returns a client- correctable 400 instead of a runtime 5xx on Spin. Deactivation keeps the looser format check so legacy KIDs stay removable. Expose kid_is_creatable and add a Spin contract test asserting the encoder accepts every creatable KID, pinning core >= encoder strictness so the two lowercase-leading rules cannot silently drift.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
trusted-server-adapter-spin— the Fermyon Spin entry point (wasm32-wasip1component) usingedgezero_adapter_spin::run_appwith Spin-backedRuntimeServices(config store, KV, secrets, buffered proxy client with gzip/br decompression)ce6bcf74(addsedgezero-adapter-spin), Fastly SDK to0.12, Cloudflareworkerto0.8, and Viceroy to0.16.5to resolve bot-analysis hostcall breakage introduced by the SDK bumpChanges
crates/trusted-server-adapter-spin/edgezero.toml,spin.toml, platform runtime services, route/auth smoke tests, EdgeZero manifest validation testCargo.toml/Cargo.locktrusted-server-adapter-spin; bump EdgeZero rev,fastly 0.12,log-fastly 0.12,worker 0.8crates/integration-tests/Cargo.toml/tests/parity.rs.cargo/config.tomltest-spin,check-spin,clippy-spin-native,clippy-spin-wasmaliases.github/workflows/test.ymlwasm32-wasip1CI jobs.github/workflows/format.yml.github/actions/setup-integration-test-env/action.yml0.16.5.tool-versions0.16.5CLAUDE.mdcrates/trusted-server-adapter-fastly/src/{main,platform,route_tests}.rsfastly 0.12API surfacecrates/trusted-server-adapter-cloudflare/Cargo.tomlworkerto0.8docs/superpowers/specs/2026-03-19-edgezero-migration-design.mdCloses
Closes #732
Known MVP limits
cargo build --workspaceintentionally fails (mixedwasm32-wasip1/wasm32-unknown-unknowntargets); target-matched aliases are the correct verification pathTest plan
cargo fmt --all -- --checkcargo check(native)cargo check-spin(wasm32-wasip1)cargo build --package trusted-server-adapter-spin --target wasm32-wasip1 --features spin --releasecargo test-spin(route/auth smoke tests, native host)cargo test-fastly(Viceroy 0.16.5)cargo test-axumcargo test-cloudflarecargo test --manifest-path crates/integration-tests/Cargo.toml --test parity(Fastly + Cloudflare + Spin)cargo clippy-fastly,clippy-axum,clippy-cloudflare,clippy-spin-native,clippy-spin-wasmcargo clippy --manifest-path crates/integration-tests/Cargo.toml -- -D warningscargo check -p trusted-server-adapter-fastly --target wasm32-wasip1cargo check -p trusted-server-adapter-cloudflare --target wasm32-unknown-unknown --features cloudflaregit diff --checkspin up --from crates/trusted-server-adapter-spin(requires local Spin CLI install)Checklist
unwrap()in production code — useexpect("should ...")logmacros (notprintln!)