Harden edgezero #269 runtime config-store load (HTTP layer) #783

Open
prk-Jr wants to merge 4 commits into feature/ts-cli-audit from feature/edgezero-269-http

Conversation

@prk-Jr prk-Jr commented Jun 18, 2026

Collaborator

Summary

  • HTTP-layer (runtime) half of edgezero stackpop/edgezero#269. Stacked on feature/ts-cli-next (which carries the #269 repin, Body fixes, the Fastly adapter migration, and config-store-backed Settings load). Draft — base is unmerged; retarget to main once ts-cli-next lands.
  • Core change (spec "option Y"): a config-store read failure (store unseeded, transient backend, or a listed key missing) now maps to a new TrustedServerError::ConfigStoreUnavailable → 503, while a reconstruct/verify failure (settings_from_config_entries: hash mismatch / unparseable) stays 500. One new error variant; no platform-layer change.
  • Security-aware: the actionable hint (run `ts config push`) goes to server logs (error chain); the public 503 body stays generic by design.
  • Includes the design spec + implementation plan, and the upstream finding/plan docs for context.

Base note: diff is against feature/ts-cli-next, so it shows only this branch's work. Against main it would include all of ts-cli-next.

Changes

| File | Change |
| --- | --- |
| crates/trusted-server-core/src/error.rs | New ConfigStoreUnavailable { store_name, message } variant → 503 (+ exhaustiveness guard, unit test) |
| crates/trusted-server-core/src/settings_data.rs | read_config_entry read failures → ConfigStoreUnavailable; tests (unseeded→503, malformed-hash→500, missing-listed-key→503, hint-in-chain) |
| crates/trusted-server-adapter-fastly/src/error.rs | Test: ConfigStoreUnavailable renders 503 to client via to_error_response |
| crates/integration-tests/Cargo.lock | Reconciled to edgezero #269 |
| `docs/superpowers/specs plans/*` | |

Closes

n/a — issue linking skipped by request.

Test plan

  • cargo test --workspace (core 1376 / adapter 39, 0 fail)
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo fmt --all -- --check
  • cargo build -p trusted-server-adapter-fastly --release --target wasm32-wasip1
  • integration-tests workspace builds; docs format clean

Checklist

  • Changes follow CLAUDE.md conventions (error-stack, log, colocated tests)
  • No unwrap() in production code
  • No secrets committed
  • New code has tests
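
The 503/500 split and the log-only hint described in the summary above, as an added Rust sketch that is not code from this PR or the project. The variant names come from the PR text; the `Configuration` field, `public_parts`, `render`, the body strings and `example_store` are assumptions.

```rust
use std::fmt;

// Variant names are from the PR text; the `Configuration` field and all functions are assumed.
#[derive(Debug)]
enum TrustedServerError {
    // Store unseeded, transient backend failure, or a listed key missing.
    ConfigStoreUnavailable { store_name: String, message: String },
    // Entries were read but failed reconstruction or verification.
    Configuration { message: String },
}

impl fmt::Display for TrustedServerError {
    // Full detail, operator hint included: destined for server logs only.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::ConfigStoreUnavailable { store_name, message } => {
                write!(f, "config store `{store_name}` unavailable: {message}")
            }
            Self::Configuration { message } => write!(f, "configuration error: {message}"),
        }
    }
}

impl TrustedServerError {
    // Exhaustive match (no `_` arm): a new variant must pick a status and generic body.
    fn public_parts(&self) -> (u16, &'static str) {
        match self {
            Self::ConfigStoreUnavailable { .. } => (503, "Service Unavailable"),
            Self::Configuration { .. } => (500, "Internal Server Error"),
        }
    }
}

// Hypothetical response builder: detail goes to `log`, generic parts go out.
fn render(err: &TrustedServerError, log: &mut Vec<String>) -> (u16, String) {
    log.push(format!("ERROR {err}"));
    let (status, body) = err.public_parts();
    (status, body.to_string())
}

fn main() {
    let mut log = Vec::new();
    let err = TrustedServerError::ConfigStoreUnavailable {
        store_name: "example_store".into(), // constructed sample value
        message: "store is unseeded; run `ts config push`".into(),
    };
    let resp = render(&err, &mut log);
    println!("{resp:?} / {log:?}");
}
```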

@prk-Jr prk-Jr self-assigned this Jun 18, 2026
@prk-Jr prk-Jr changed the base branch from feature/ts-cli-next to feature/ts-cli-audit June 24, 2026 05:45
@prk-Jr prk-Jr force-pushed the feature/edgezero-269-http branch from 76031c1 to 84f35fe Compare June 24, 2026 06:38
prk-Jr added 4 commits June 27, 2026 22:18
Reads (blob key + each chunk) map to ConfigStoreUnavailable (503); envelope/
chunk verification and settings validation stay Configuration (500). Covers the
blob/chunk load model on the updated ts-cli-audit base.
@prk-Jr prk-Jr force-pushed the feature/edgezero-269-http branch from 84f35fe to 854edef Compare June 27, 2026 16:49
@aram356 aram356 marked this pull request as ready for review June 29, 2026 15:24

@ChristianPavilonis ChristianPavilonis left a comment

Collaborator

Automated review:

Review Summary

Reviewed PR #783 against feature/ts-cli-audit, focusing on the runtime config-store load path, error-stack context/status behavior, Fastly/EdgeZero HTTP error rendering, public error-body leakage, and the added regression tests. I did not find any blocking correctness, security, data-loss, authorization, or severe compatibility issues in the changed code.

Findings

No blocking findings.

CI / Existing Reviews

  • GitHub checks currently show prepare integration artifacts failing, with downstream jobs skipped. The failure is dependency-lock parity drift in crates/trusted-server-integration-tests/Cargo.lock (for example anyhow, cssparser, html5ever, scraper, uuid, and related transitive dependencies). This should be resolved or confirmed as inherited from the stacked/base branch before merge.
  • Existing PR reviews: none returned by the GitHub API. Existing inline review comments: none.
  • Local focused check passed: cargo test -p trusted-server-core settings_data --target wasm32-wasip1. A local Fastly adapter-focused test could not complete because this environment has viceroy 0.16.4 while the repo pins 0.17.0.
