Add config store read path and split storage module (PR3) (#548)

* Rename crates to trusted-server-core and trusted-server-adapter-fastly

Rename crates/common → crates/trusted-server-core and crates/fastly →
crates/trusted-server-adapter-fastly following the EdgeZero naming
convention. Add EdgeZero workspace dependencies pinned to rev 170b74b.
Update all references across docs, CI workflows, scripts, agent files,
and configuration.

* Add platform abstraction layer with traits and RuntimeServices

Introduces trusted-server-core::platform with PlatformConfigStore,
PlatformSecretStore, PlatformKvStore, PlatformBackend, PlatformHttpClient,
and PlatformGeo traits alongside ClientInfo, PlatformError, and
RuntimeServices. Wires the Fastly adapter implementations and threads
RuntimeServices into route_request. Moves GeoInfo to platform/types as
platform-neutral data and adds geo_from_fastly for field mapping.

- Defer KV store opening: replace early error return with a local
  UnavailableKvStore fallback so routes that do not need synthetic ID
  access succeed when the KV store is missing or temporarily unavailable
- Use ConfigStore::try_open + try_get and SecretStore::try_get throughout
  FastlyPlatformConfigStore and FastlyPlatformSecretStore to honour the
  Result contract instead of panicking on open/lookup failure
- Encapsulate RuntimeServices service fields as pub(crate) with public
  getter methods (config_store, secret_store, backend, http_client, geo)
  and a pub new() constructor; adapter updated to use new()
- Reference #487 in FastlyPlatformHttpClient stub (PR 6 implements it)
- Remove unused KvPage re-export from platform/mod.rs
- Use super::KvHandle shorthand in RuntimeServices::kv_handle()

* Reject host strings containing control characters in BackendConfig

* Validate scheme and host for control characters in BackendConfig

* Add config store read path and storage module split

- Split fastly_storage.rs into storage/{config_store,secret_store,api_client,mod}.rs
- Add PlatformConfigStore read path via FastlyPlatformConfigStore::get using ConfigStore::try_open/try_get
- Add PlatformError::NotImplemented variant; stub write methods on FastlyPlatformConfigStore and FastlyPlatformSecretStore
- Add StoreName/StoreId newtypes with From<String>, From<&str>, AsRef<str>
- Add UnavailableKvStore to core platform module
- Add RuntimeServicesBuilder replacing 7-arg constructor
- Migrate get_active_jwks and handle_trusted_server_discovery to use &RuntimeServices
- Update call sites in signing.rs, rotation.rs, main.rs
- Add success-path test for handle_trusted_server_discovery using StubJwksConfigStore
- Fix test_parse_cookies_to_jar_empty typo (was emtpy)

* Harden legacy config-store reads and align Fastly adapter stubs

- Make StoreName and StoreId inner fields private; From/AsRef provide all
  needed construction and access
- Add #[deprecated] to GeoInfo::from_request with #[allow(deprecated)] at
  the three legacy call sites to track migration progress
- Enumerate the six platform traits in the platform module doc comment
- Extract backend_config_from_spec helper to remove duplicate BackendConfig
  construction in predict_name and ensure
- Replace .into_iter().collect() with .to_vec() on secret plaintext bytes
- Remove unused bytes dependency from trusted-server-adapter-fastly
- Add comment on SecretStore::open clarifying it already returns Result
  (unlike ConfigStore::open which panics)

* Make client_info field pub(crate) and add a client_info() accessor

Author: prk-Jr

crates/trusted-server-adapter-fastly/src/main.rs

@@ -111,7 +111,7 @@ async fn route_request(
     // already captured in RuntimeServices at the entry point.
     let geo_info = runtime_services
         .geo()
-        .lookup(runtime_services.client_info.client_ip)
+        .lookup(runtime_services.client_info().client_ip)
         .unwrap_or_else(|e| {
             log::warn!("geo lookup failed: {e}");
             None
@@ -147,7 +147,7 @@ async fn route_request(
 
         // Discovery endpoint for trusted-server capabilities and JWKS
         (Method::GET, "/.well-known/trusted-server.json") => {
-            handle_trusted_server_discovery(settings, req)
+            handle_trusted_server_discovery(settings, runtime_services, req)
         }
 
         // Signature verification endpoint

crates/trusted-server-adapter-fastly/src/platform.rs

@@ -15,14 +15,14 @@ use fastly::geo::geo_lookup;
 use fastly::{ConfigStore, Request, SecretStore};
 
 use trusted_server_core::backend::BackendConfig;
-use trusted_server_core::fastly_storage::FastlyApiClient;
 use trusted_server_core::geo::geo_from_fastly;
 use trusted_server_core::platform::{
     ClientInfo, GeoInfo, PlatformBackend, PlatformBackendSpec, PlatformConfigStore, PlatformError,
     PlatformGeo, PlatformHttpClient, PlatformHttpRequest, PlatformKvStore, PlatformPendingRequest,
     PlatformResponse, PlatformSecretStore, PlatformSelectResult, RuntimeServices, StoreId,
     StoreName,
 };
+use trusted_server_core::storage::FastlyApiClient;
 
 pub(crate) use trusted_server_core::platform::UnavailableKvStore;
 
@@ -34,7 +34,7 @@ pub(crate) use trusted_server_core::platform::UnavailableKvStore;
 ///
 /// Stateless — the store name is supplied per call, matching the trait
 /// signature. This replaces the store-name-at-construction pattern of
-/// [`trusted_server_core::fastly_storage::FastlyConfigStore`].
+/// [`trusted_server_core::storage::FastlyConfigStore`].
 ///
 /// # Write cost
 ///
@@ -91,7 +91,7 @@ impl PlatformConfigStore for FastlyPlatformConfigStore {
 ///
 /// Stateless — the store name is supplied per call. This replaces the
 /// store-name-at-construction pattern of
-/// [`trusted_server_core::fastly_storage::FastlySecretStore`].
+/// [`trusted_server_core::storage::FastlySecretStore`].
 ///
 /// # Write cost
 ///
@@ -256,7 +256,7 @@ impl PlatformGeo for FastlyPlatformGeo {
 /// Call this once at the entry point before dispatching to handlers.
 /// `client_info` is populated from TLS and IP metadata available on the
 /// request; geo lookup is deferred to handler time via
-/// `services.geo.lookup(services.client_info.client_ip)`.
+/// `services.geo().lookup(services.client_info().client_ip)`.
 ///
 /// `kv_store` is an [`Arc<dyn PlatformKvStore>`] opened by the caller for
 /// the primary KV store. Use [`open_kv_store`] to construct it.
@@ -396,11 +396,11 @@ mod tests {
         let services = build_runtime_services(&req, noop_kv_store());
 
         assert!(
-            services.client_info.tls_protocol.is_none(),
+            services.client_info().tls_protocol.is_none(),
             "should have no tls_protocol on plain test request"
         );
         assert!(
-            services.client_info.tls_cipher.is_none(),
+            services.client_info().tls_cipher.is_none(),
             "should have no tls_cipher on plain test request"
         );
     }
@@ -412,7 +412,8 @@ mod tests {
         let cloned = services.clone();
 
         assert_eq!(
-            services.client_info.client_ip, cloned.client_info.client_ip,
+            services.client_info().client_ip,
+            cloned.client_info().client_ip,
             "should preserve client_ip through clone"
         );
     }