Merge branch 'main' into feature/edgezero-pr2-platform-traits

Author: prk-Jr

.claude/agents/pr-creator.md

@@ -49,6 +49,7 @@ Using the `.github/pull_request_template.md` structure, draft:
 - **Changes table**: list each file modified and what changed.
 - **Closes**: `Closes #<issue-number>` to auto-close the linked issue.
 - **Test plan**: check off which verification steps were run.
+- **Hardening note**: when config-derived regex or pattern compilation is touched, state how invalid enabled config fails startup and which regression tests cover that path.
 - **Checklist**: verify each item applies.
 
 ### 5. Create the PR
@@ -172,6 +173,7 @@ Do **not** use labels as a substitute for types.
 - Use sentence case for the title.
 - Use imperative mood (e.g., "Add caching to proxy" not "Added caching").
 - The summary should focus on _why_, not just _what_.
+- Do not describe config-derived regex/pattern compilation as safe unless invalid enabled config is handled without `panic!`, `unwrap()`, or `expect()`.
 - Always base PRs against `main` unless told otherwise.
 - Always assign the PR to the current user (`--assignee @me`).
 - Never force-push or rebase without explicit user approval.

.claude/agents/pr-reviewer.md

@@ -78,6 +78,8 @@ For each changed file, evaluate:
 - `expect("should ...")` instead of `unwrap()` in production code
 - `error-stack` (`Report<E>`) with `derive_more::Display` for errors (not thiserror/anyhow)
 - `log` macros (not `println!`)
+- Config-derived regex/pattern compilation must not use panic-prone `expect()`/`unwrap()`; invalid enabled config should surface as startup/config errors
+- Invalid enabled integrations/providers must not be silently logged-and-disabled during startup or registration
 - `vi.hoisted()` for mock definitions in JS tests
 - Integration IDs match JS directory names
 - Colocated tests with `#[cfg(test)]`
@@ -105,6 +107,7 @@ For each changed file, evaluate:
 
 - Are new code paths tested?
 - Are edge cases covered (empty input, max values, error paths)?
+- If config-derived regex/pattern compilation changed: are invalid enabled-config startup failures and explicit `enabled = false` bypass cases both covered?
 - Rust tests: `cargo test --workspace`
 - JS tests: `npx vitest run` in `crates/js/lib/`
 

.claude/settings.json

@@ -25,7 +25,11 @@
       "Bash(git status:*)",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__new_page",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_stop_trace",
-      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__evaluate_script"
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__evaluate_script",
     ]
+  },
+  "enabledPlugins": {
+    "chrome-devtools@claude-plugins-official": true,
+    "superpowers@claude-plugins-official": true
   }
 }

.env.dev

@@ -8,3 +8,11 @@ TRUSTED_SERVER__SYNTHETIC__OPID_STORE=opid_store
 # [proxy]
 # Disable TLS certificate verification for local dev with self-signed certs
 # TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK=false
+#
+# Restrict first-party proxy redirect targets to an allowlist (JSON array or indexed form).
+# Leave unset in local dev; configure in production to prevent SSRF via redirect chains
+# initiated by signed first-party proxy URLs.
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS='["*.doubleclick.net","*.googlesyndication.com"]'
+# Or using indexed form:
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__0='*.doubleclick.net'
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__1='*.googlesyndication.com'

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- Validate synthetic ID format on inbound values from the `x-synthetic-id` header and `synthetic_id` cookie; values that do not match the expected format (`64-hex-hmac.6-alphanumeric-suffix`) are discarded and a fresh ID is generated rather than forwarded to response headers, cookies, or third-party APIs
+
 ### Added
 
 - Implemented basic authentication for configurable endpoint paths (#73)

Cargo.lock

@@ -74,7 +74,6 @@ jose-jwk = "0.1.2"
 log = "0.4.29"
 log-fastly = "0.11.12"
 lol_html = "2.7.2"
-once_cell = "1.21"
 matchit = "0.9"
 pin-project-lite = "0.2"
 rand = "0.8"

Cargo.toml

@@ -53,7 +53,13 @@ fn main(req: Request) -> Result<Response, Error> {
     log::debug!("Settings {settings:?}");
 
     // Build the auction orchestrator once at startup
-    let orchestrator = build_orchestrator(&settings);
+    let orchestrator = match build_orchestrator(&settings) {
+        Ok(orchestrator) => orchestrator,
+        Err(e) => {
+            log::error!("Failed to build auction orchestrator: {:?}", e);
+            return Ok(to_error_response(&e));
+        }
+    };
 
     let integration_registry = match IntegrationRegistry::new(&settings) {
         Ok(r) => r,
@@ -111,9 +117,21 @@ async fn route_request(
             None
         });
 
-    if let Some(mut response) = enforce_basic_auth(settings, &req) {
-        finalize_response(settings, geo_info.as_ref(), &mut response);
-        return Ok(response);
+    // `get_settings()` should already have rejected invalid handler regexes.
+    // Keep this fallback so manually-constructed or otherwise unprepared
+    // settings still become an error response instead of panicking.
+    match enforce_basic_auth(settings, &req) {
+        Ok(Some(mut response)) => {
+            finalize_response(settings, geo_info.as_ref(), &mut response);
+            return Ok(response);
+        }
+        Ok(None) => {}
+        Err(e) => {
+            log::error!("Failed to evaluate basic auth: {:?}", e);
+            let mut response = to_error_response(&e);
+            finalize_response(settings, geo_info.as_ref(), &mut response);
+            return Ok(response);
+        }
     }
 
     // Get path and method for routing

crates/trusted-server-adapter-fastly/src/main.rs

@@ -52,7 +52,6 @@ uuid = { workspace = true }
 validator = { workspace = true }
 ed25519-dalek = { workspace = true }
 edgezero-core = { workspace = true }
-once_cell = { workspace = true }
 
 [build-dependencies]
 config = { workspace = true }

crates/trusted-server-core/Cargo.toml

@@ -38,11 +38,6 @@ fn main() {
 
     // Merge base TOML with environment variable overrides and write output.
     // Panics if admin endpoints are not covered by a handler.
-    // Note: placeholder secret rejection is intentionally NOT done here.
-    // The base trusted-server.toml ships with placeholder secrets that
-    // production deployments override via TRUSTED_SERVER__* env vars at
-    // build time. Runtime startup (get_settings) rejects any remaining
-    // placeholders so a misconfigured deployment fails fast.
     let settings = settings::Settings::from_toml_and_env(&toml_content)
         .expect("Failed to parse settings at build time");