Add config store support across all adapters

[prk-Jr]

Summary

• Introduces a portable ConfigStore abstraction in edgezero-core that lets handlers read key/value configuration at runtime without coupling to a specific platform
• Implements platform-native backing stores for Fastly (edge dictionary), Cloudflare (KV / env bindings), and Axum (in-memory map with env-var fallback), all sharing a common contract verified by shared test macros
• Wires config store injection through the #[app] macro and each adapter's request pipeline so handlers receive a ConfigStoreHandle via RequestContext with no boilerplate

Changes

Crate / File	Change
edgezero-core/src/config_store.rs	New ConfigStore trait, ConfigStoreHandle wrapper, and shared contract test macro
edgezero-core/src/manifest.rs	New manifest module with ConfigStore TOML binding and adapter name resolution
edgezero-core/src/context.rs	Added config_store() accessor and injection helpers to RequestContext
edgezero-core/src/app.rs	App::build hooks extended to accept config store configuration
edgezero-core/src/lib.rs	Re-exported manifest module
edgezero-adapter-axum/src/config_store.rs	New: in-memory + env-var AxumConfigStore with defaults support
edgezero-adapter-axum/src/service.rs	Inject ConfigStoreHandle into each request before routing
edgezero-adapter-axum/src/dev_server.rs	Accept optional config store handle in DevServerConfig
edgezero-adapter-axum/src/lib.rs	Re-exported config store types
edgezero-adapter-fastly/src/config_store.rs	New: FastlyConfigStore backed by Fastly edge dictionary
edgezero-adapter-fastly/src/lib.rs	Re-exported and wired config store into dispatch path
edgezero-adapter-fastly/src/request.rs	Inject config store handle during request conversion
edgezero-adapter-fastly/tests/contract.rs	Updated contract tests
edgezero-adapter-cloudflare/src/config_store.rs	New: CloudflareConfigStore backed by worker::Env bindings
edgezero-adapter-cloudflare/src/lib.rs	Re-exported and wired config store into dispatch path
edgezero-adapter-cloudflare/src/request.rs	Inject config store handle during request conversion
edgezero-adapter-cloudflare/tests/contract.rs	Updated contract tests
edgezero-macros/src/app.rs	#[app] macro generates config store setup from manifest
examples/app-demo/	Added config store usage in demo handlers and adapter wiring
docs/guide/	Added config store adapter docs and configuration guide
scripts/smoke_test_config.sh	New smoke test script for config store end-to-end verification
.gitignore	Excluded generated WASM artifacts

Closes

Closes #51

Test plan

• cargo test --workspace --all-targets
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo check --workspace --all-targets --features "fastly cloudflare"
• WASM builds: wasm32-wasip1 (Fastly) / wasm32-unknown-unknown (Cloudflare)
• Manual testing via edgezero-cli dev
• Other: shared contract test macro verified against all three adapter implementations

Checklist

• Changes follow CLAUDE.md conventions
• No Tokio deps added to core or adapter crates
• Route params use {id} syntax (not :id)
• Types imported from edgezero_core (not http crate)
• New code has tests
• No secrets or credentials committed

[ChristianPavilonis]

Thanks for the cross-adapter config store work — the overall direction looks good. I’m requesting changes for one high-severity issue plus follow-ups.

Findings

1. High — Axum config store can expose full process environment (secret leakage risk)

   • crates/edgezero-adapter-axum/src/config_store.rs:12
   • crates/edgezero-adapter-axum/src/config_store.rs:37
   • examples/app-demo/crates/app-demo-core/src/handlers.rs:119
   • AxumConfigStore::from_env snapshots all env vars, so any handler pattern that accepts user-controlled keys can accidentally expose unrelated secrets.
   • Requested fix: replace blanket std::env::vars() capture with an explicit allowlist (manifest-declared keys only), and avoid arbitrary key-lookup patterns in examples intended for production-like usage.

2. Medium — Adapter override key casing is inconsistent across resolution paths

   • crates/edgezero-core/src/manifest.rs:352
   • crates/edgezero-macros/src/app.rs:120
   • crates/edgezero-core/src/app.rs:59
   • Mixed-case adapter keys can work in one path and fail in another.
   • Requested fix: normalize keys at parse/finalize time (or enforce lowercase with validation) and add a mixed-case adapter-key test.

3. Low — Missing positive-path injection coverage in adapter tests

   • crates/edgezero-adapter-fastly/tests/contract.rs:17
   • crates/edgezero-adapter-cloudflare/tests/contract.rs:188
   • Please add success-path assertions that config store injection/retrieval works when bindings are present.

Once the high-severity item is addressed, this should be in good shape.

[aram356]

Review: Config Store Feature

Overall this is a well-structured feature that follows the existing adapter pattern cleanly. The core trait, contract test macro, per-adapter implementations, and manifest/macro integration are all thoughtfully designed. Test coverage is solid across all three adapters and the docs are thorough.

That said, I found issues across four areas that should be addressed before merge — one high-severity security concern, two medium design issues, and one CI coverage gap.

Summary

Severity	Finding
High	Axum config-store exposes entire process environment (secret leakage risk)
Medium	Case handling for adapter overrides is inconsistent between manifest and metadata paths
Medium	dispatch() bypasses config-store injection, diverging from run_app behavior
Medium-Low	New WASM adapter code paths are weakly exercised in CI

See inline comments for details and suggested improvements.

[ChristianPavilonis]

Follow-up review complete. No new issues were found in the current changeset, and previously noted concerns appear addressed.

[aram356]

PR Review

Summary

Solid config store abstraction with good test coverage across all three adapters. The contract test macro and error mapping are well-designed. Main concerns are around the public dispatch API silently dropping KV handles, and a dual config resolution path that needs clarification.

Findings

Blocking

• 🔧 dispatch_with_config / dispatch_with_config_handle silently drop KV: Both Fastly and Cloudflare versions pass None for KV. Users migrating from dispatch or dispatch_with_kv to a config-aware path will lose KV access with no warning. (cloudflare request.rs:106-130, fastly request.rs:78-103)
• ❓ Dual config name resolution in run_app: Both adapters check A::config_store() (compile-time) then fall back to runtime manifest parsing. Since both derive from the same edgezero.toml, when would these diverge? Needs documentation or removal of dead path. (cloudflare lib.rs:86-94, fastly lib.rs:97-107)

Non-blocking

• 🤔 CloudflareConfigStore::new() silent fallback: A binding typo gives an empty store with only a log::warn. Consider renaming to new_or_empty() or removing in favor of try_new only.
• ♻️ Duplicate bounded dedup caches: Fastly RecentStringSet and Cloudflare ConfigCache are structurally identical. Candidate for a shared core utility.
• ⛏ _ctx prefix on used variable: cloudflare/tests/contract.rs:55 — underscore implies unused but variable is read.
• 🏕 wasm-bindgen-test in [dependencies]: Pre-existing but file was touched — test-only crate shouldn't be in production deps.
• 🌱 Consider a ConfigStore extractor: Handlers call ctx.config_store() manually; a ConfigStore(store) extractor (like Kv) would complete the pattern.

📌 Out of Scope

• wasm-bindgen-test dep placement should be fixed in a separate cleanup PR
• Bounded cache dedup is a candidate for future core utility extraction

CI Status

• fmt: PASS
• clippy: PASS
• tests: PASS

[aram356]

❓ Dual config name resolution — when do paths diverge? This first checks A::config_store() (compile-time metadata from the #[app] macro), then falls back to parsing manifest.stores.config at runtime. Since both derive from the same edgezero.toml, these should always agree.

When would A::config_store() return None but the manifest has [stores.config]? Presumably when someone implements Hooks manually without the macro. If so, this should be documented. If not, the fallback is dead code.

Same pattern in edgezero-adapter-fastly/src/lib.rs:97-107.

[prk-Jr]

The fallback is not dead code: it fires when a caller implements Hooks manually without the #[app] macro, in which case A::config_store() returns None while [stores.config] may still be present in the manifest. Added a comment explaining this in both adapters.

[aram356]

PR Review

Summary

Well-structured, well-tested portable ConfigStore abstraction with implementations for Fastly, Cloudflare, and Axum. The contract test macro, security boundaries (env-var allowlisting, demo handler key allowlist), and deprecation strategy are all strong. CI passes cleanly. Two blocking issues around a silent behavioral change to ServiceUnavailable formatting and a logic bug in warning deduplication.

😃 Praise

• Contract test macro (config_store_contract_tests!) with configurable #[$test_attr] is excellent — enables wasm_bindgen_test for Cloudflare while others use #[test]
• AxumConfigStore::from_env only reads declared keys — strong security boundary preventing the config store from becoming an env-var oracle
• Demo handler allowlist (ALLOWED_CONFIG_KEYS) — great documentation-by-example of the recommended security practice
• Deprecation strategy — dispatch() deprecated with clear migration path via dispatch_raw and new dispatch variants
• CI additions — explicit cloudflare-wasm-tests and fastly-wasm-tests jobs with proper wasm-bindgen-cli version resolution

Findings

Blocking

• 🔧 ServiceUnavailable format string change: #[error("service unavailable: {message}")] → #[error("{message}")] removes the prefix for ALL callers, not just config store — silent behavioral change (crates/edgezero-core/src/error.rs:22)
• 🔧 RecentStringSet::insert logic bug: returns true without tracking the key when limit == 0, defeating dedup (crates/edgezero-adapter-fastly/src/request.rs:227)

Non-blocking

• 🤔 contract_empty_key_returns_none may not match real Fastly behavior — real try_get("") returns KeyInvalid error, not Ok(None) (crates/edgezero-core/src/config_store.rs:168)
• 🤔 Dispatch function proliferation — 7 dispatch-related functions per adapter; consider an options struct pattern as store types grow
• 🤔 Cloudflare ConfigCache caches None for invalid JSON permanently — correct but should document why caching failure is safe (isolate immutability)
• ♻️ Duplicated bounded LRU pattern — RecentStringSet (Fastly) and ConfigCache (Cloudflare) implement the same HashMap+VecDeque eviction; extract if it appears a third time
• ⛏ warned_store_cache() wrapper — function wrapping a static is unnecessary indirection; could inline in warn_missing_store_once

📌 Out of Scope

• ❓ Spin adapter missing — PR title says "across all adapters" but Spin is excluded from SUPPORTED_CONFIG_STORE_ADAPTERS. Consider adjusting title or creating a follow-up issue
• 🌱 Spin config store support — spin_sdk::variables::get() maps well to this abstraction; worth a follow-up issue
• 📝 Cloudflare JSON-in-TOML approach — creative workaround for platform binding-name limitations; DX could be smoothed by CLI tooling generating JSON from TOML defaults

CI Status

• fmt: ✅ PASS
• clippy: ✅ PASS
• tests: ✅ PASS

[aram356]

test review

[aram356]

test

[aram356]

test

[aram356]

test

[aram356]

test

[aram356]

test

[aram356]

test

[aram356]

PR Review

Summary

This PR introduces a well-designed portable ConfigStore abstraction with implementations across Axum, Fastly, and Cloudflare adapters. The overall architecture is clean, follows established project patterns, and has solid test coverage. However, it needs a rebase onto current main to pick up the Spin adapter (#166), and there are a few gaps in CI placement and test coverage.

Praise

• 😃 Synchronous ConfigStore trait is the right call for all current backends — avoids unnecessary async in WASM
• 😃 Contract test macro (config_store_contract_tests!) with configurable test attribute is a great reusable pattern
• 😃 Axum from_lookup dependency injection is textbook testability design
• 😃 Consistent resolve → inject → dispatch flow across all three adapters makes the codebase easy to navigate
• 😃 Cloudflare module-level docs excellently explain the JSON-in-string-binding approach with concrete examples
• 😃 Two-path config resolution comments in Fastly adapter prevent future confusion
• 😃 Feature gating (serde_json behind cloudflare feature) is correct
• 😃 Demo app handler with allowlist check, graceful degradation, and proper error propagation
• 😃 Smoke test script is well-structured with cleanup trap, readiness polling, and pass/fail summary

Findings

Blocking

• 🔧 Spin adapter missing throughout: SUPPORTED_CONFIG_STORE_ADAPTERS in manifest.rs:57 omits "spin", and SPIN_ADAPTER constant is missing from app.rs. Branch needs rebase onto main (#166). CI gate 4 (cargo check --features "fastly cloudflare spin") fails. (see inline comments)
• 🔧 Cloudflare wasm check misplaced in CI: .github/workflows/test.yml:170 — the step cargo check -p edgezero-adapter-cloudflare --features cloudflare --target wasm32-unknown-unknown is in the fastly-wasm-tests job instead of cloudflare-wasm-tests. If the Fastly job fails early, this check never runs. This also forces the Fastly job to install wasm32-unknown-unknown unnecessarily. Fix: Move this step to the cloudflare-wasm-tests job.
• 🔧 Missing test for store-level key miss: handlers.rs:458 — config_get_returns_404_when_key_missing tests the allowlist, not store.get() returning None. The store-miss code path (lines 162-165) has zero test coverage. (see inline comment)

Non-blocking

• ❓ Axum skips A::config_store() hooks path (dev_server.rs:219): Fastly and Cloudflare use two-path resolution (compile-time hooks → manifest fallback), Axum only reads the manifest. Cross-adapter behavioral inconsistency. (see inline comment)
• 🤔 contract_empty_key_returns_none may not hold on all backends (config_store.rs:168): Fastly Config Store SDK may error on empty keys rather than returning None. (see inline comment)
• 🤔 No convenience re-exports for config_store types (lib.rs:6): key_value_store gets pub use re-exports but config_store doesn't. (see inline comment)
• 🤔 new_or_empty silently swallows missing bindings (cloudflare/config_store.rs:37): Returns empty store with no warning when binding is missing. (see inline comment)
• ♻️ Unbounded BTreeSet in Fastly KV warn-once (fastly/request.rs:248): Config store warn-once uses bounded RecentStringSet (64 entries) but the pre-existing KV variant uses an unbounded BTreeSet. Unify on the bounded pattern.
• 🏕 Missing test for ConfigStoreError::Internal conversion (error.rs:120): Unavailable and InvalidKey covered, Internal not. (see inline comment)
• ⛏ Test name misleading (handlers.rs:458): config_get_returns_404_when_key_missing tests allowlist, not store miss. Consider renaming to config_get_returns_404_when_key_not_in_allowlist.

Out of Scope

• 📌 RecentStringSet duplicated across Fastly and Cloudflare adapters — future refactor to share in core
• 📌 serve_with_listener grew to 5 positional params — consider struct param if a third store type is added
• 📌 KV adapter keys lack the same validation as config store keys (pre-existing)
• 📌 Spin adapter config store implementation (separate PR after rebase)

CI Status

• fmt: PASS
• clippy: PASS
• tests: PASS (478 tests)
• feature check (spin): FAIL — branch needs rebase onto main

[aram356]

🔧 Missing "spin" in SUPPORTED_CONFIG_STORE_ADAPTERS

The Spin adapter was merged to main in #166. Once this branch is rebased, users configuring [stores.config.adapters.spin] will get a validation error because "spin" is not in this list.

Fix:

const SUPPORTED_CONFIG_STORE_ADAPTERS: &[&str] = &["axum", "cloudflare", "fastly", "spin"];

[aram356]

🔧 Missing SPIN_ADAPTER constant

The Spin adapter exists on main (#166) but there is no SPIN_ADAPTER constant here. When the branch is rebased, the #[app] macro will have no constant to reference for Spin config store metadata generation.

Fix:

pub const SPIN_ADAPTER: &str = "spin";

[aram356]

🔧 Missing test for store-level "key not found" path

This test uses "missing.key" which is NOT in ALLOWED_CONFIG_KEYS, so the 404 comes from the allowlist check (line 146), not from store.get() returning Ok(None) (lines 162-165). The store-miss code path has zero test coverage.

Fix: Add a test where the key IS in ALLOWED_CONFIG_KEYS but IS NOT in the store:

#[test]
fn config_get_returns_404_when_key_not_in_store() {
    let ctx = context_with_config_key("greeting", &[("other_key", "value")]);
    let response = block_on(config_get(ctx)).expect("handler ok");
    assert_eq!(response.status(), StatusCode::NOT_FOUND);
}

Also consider renaming this test to config_get_returns_404_when_key_not_in_allowlist to reflect what it actually tests.

[aram356]

❓ Axum run_app skips A::config_store() hooks path

Fastly and Cloudflare both implement two-path config resolution: check A::config_store() (compile-time metadata from #[app] macro) first, then fall back to the manifest. Axum only reads from the manifest.

This means if a user implements Hooks::config_store() manually but has no [stores.config] in the manifest, it works on Fastly/Cloudflare but is silently ignored on Axum.

Is this intentional because Axum needs defaults from the manifest? If so, a comment explaining the divergence would prevent future confusion.

[aram356]

🤔 contract_empty_key_returns_none may not hold on all backends

This contract test asserts that store.get("") returns Ok(None). However, Fastly's Config Store SDK may return an error for empty keys rather than None. If that's the case, the adapter would need to swallow a real error to satisfy this contract.

Consider either removing this from the contract or relaxing the assertion to allow Ok(None) OR Err(InvalidKey).

[aram356]

🤔 No convenience re-exports for config_store types

The key_value_store module gets re-exports at line 22:

pub use key_value_store::{KvError, KvHandle, KvPage, KvStore};

But config_store doesn't, so users must write edgezero_core::config_store::ConfigStore instead of edgezero_core::ConfigStore. Consider adding:

pub use config_store::{ConfigStore, ConfigStoreError, ConfigStoreHandle};

[aram356]

🤔 new_or_empty silently swallows missing bindings

This returns an empty store with no warning when the binding is missing, while try_new logs a warning. If a user misspells a binding name in wrangler.toml, this silently degrades.

Consider adding a doc comment on this method noting that missing bindings are silent, and suggesting try_new for debugging.

[aram356]

🏕 Missing test for ConfigStoreError::Internal → EdgeError conversion

Tests cover Unavailable and InvalidKey mappings but not Internal. Consider adding:

#[test]
fn config_store_error_internal_maps_to_internal_server_error() {
    let err = EdgeError::from(ConfigStoreError::internal(anyhow::anyhow!("boom")));
    assert_eq!(err.status(), StatusCode::INTERNAL_SERVER_ERROR);
}

[aram356]

😃 Synchronous ConfigStore trait is the right call

Making get() synchronous rather than async is correct for all current backends (Fastly Config Store, Cloudflare env bindings, and env vars are all sync). This avoids unnecessary async machinery and keeps WASM compatibility simple. The contract test macro with configurable #[$test_attr] is also a great pattern.

[aram356]

😃 Clean from_lookup test seam

Textbook dependency injection: production code calls from_env which delegates to from_lookup with std::env::var, and tests inject a closure. The security property of only reading env vars for declared keys is a nice touch.