Skip to content

Add Phase 5 cross-adapter verification suite (PR 18)#725

Open
prk-Jr wants to merge 28 commits into
feature/edgezero-pr17-cloudflare-adapterfrom
feature/edgezero-pr18-phase5-verification
Open

Add Phase 5 cross-adapter verification suite (PR 18)#725
prk-Jr wants to merge 28 commits into
feature/edgezero-pr17-cloudflare-adapterfrom
feature/edgezero-pr18-phase5-verification

Conversation

@prk-Jr
Copy link
Copy Markdown
Collaborator

@prk-Jr prk-Jr commented May 20, 2026
edited
Loading

Summary

  • Implements the Phase 5 verification gate suite from issue Verification gates #499: route parity, auth parity, cross-adapter behavior, auction error-correlation, HTML golden tests, and Criterion benchmarks
  • Adds a dedicated parity test binary in crates/integration-tests that drives the Axum and Cloudflare adapters with identical requests in-process, proving behavioral equivalence before cutover
  • Establishes CI gates for both the parity suite and a benchmark smoke-run so regressions are caught on every PR

Changes

File Change
crates/trusted-server-adapter-cloudflare/tests/routes.rs 10 route smoke tests + 5 basic-auth parity tests + 4 admin key path tests
crates/trusted-server-adapter-axum/tests/routes.rs 5 basic-auth parity tests + 3 admin key path tests
crates/trusted-server-adapter-cloudflare/Cargo.toml Added base64 dev-dependency
crates/trusted-server-adapter-axum/Cargo.toml Added base64 dev-dependency
crates/integration-tests/Cargo.toml New [[test]] parity binary + adapter path deps + edgezero git deps
crates/integration-tests/tests/parity.rs New — 8 cross-adapter in-process parity tests (Axum vs Cloudflare)
crates/trusted-server-core/src/platform/http.rs PlatformResponse::backend_name unit tests (error-correlation, pre-EdgeZero #213)
crates/trusted-server-core/src/html_processor.rs 4 golden regression tests: injection position, URL rewriting, no double-inject, size bounds
crates/trusted-server-core/Cargo.toml Added [[bench]] html_processor_bench entry
crates/trusted-server-core/benches/html_processor_bench.rs New — Criterion benchmarks for 10 KB and 100 KB HTML processing
.github/workflows/test.yml New test-parity CI job + benchmark smoke step in test-axum job
docs/superpowers/plans/2026-05-20-pr18-phase5-verification.md Implementation plan

Closes

Closes #499

Test plan

  • cargo fmt --all -- --check
  • cargo clippy-axum
  • cargo test-axum (16 tests pass)
  • cargo test-cloudflare (22 tests pass)
  • cargo test --manifest-path crates/integration-tests/Cargo.toml --test parity (8 tests pass)
  • cargo test --lib -p trusted-server-core (956 tests pass)
  • cargo bench -p trusted-server-core --bench html_processor_bench -- --test (smoke passes)
  • cargo test-fastly (Viceroy-based — not run locally; covered by existing CI job)
  • JS tests / JS format / Docs format (no JS or docs changes)

Checklist

  • Changes follow CLAUDE.md conventions
  • No unwrap() in production code — use expect("should ...")
  • Uses tracing macros (not println!)
  • New code has tests
  • No secrets or credentials committed

prk-Jr added 15 commits May 20, 2026 20:32
@prk-Jr
Add Phase 5 verification plan for PR-18
a499f93
@prk-Jr
Add route smoke tests for all Cloudflare adapter routes
ede4e81 
Adds 10 tests to tests/routes.rs covering every explicitly registered
route plus the tsjs catch-all wildcard. Assertions are scoped to routing
only (not 404) for handlers that require live settings or outbound
connections, matching the pattern established by the existing auction test.
@prk-Jr
Fix rustfmt formatting in Cloudflare route smoke tests
acd3f5d
@prk-Jr
Add basic-auth parity tests to Axum and Cloudflare adapters
7efa2ff 
Verifies that /admin/* routes return 401 without credentials, include
a WWW-Authenticate: Basic realm=... header, and reject wrong credentials;
also confirms /.well-known and /auction are not gated by admin auth.
@prk-Jr
Fix unwrap_or and comment inconsistency in basic-auth parity tests
69d3693
@prk-Jr
Add admin key route full path coverage to Axum and Cloudflare adapters
75fac49
@prk-Jr
Tighten storage-fail assertion and add duplicate context comments
e891f5e
@prk-Jr
Add cross-adapter in-process parity test suite (Axum vs Cloudflare)
72be307
@prk-Jr
Fix parity test review issues: expect messages, dead if guard, unused…
4f79021 
… base64 dep
@prk-Jr
Add error-correlation unit tests for PlatformResponse backend_name
040a77b
@prk-Jr
Add HTML rewriting golden tests, response size check, and Criterion b…
1e2979d 
…enchmarks

- Add golden_script_tag_injected_at_head_start: verifies script tag is
  the first child of <head> with nothing between the opening tag and the
  injected <script>.
- Add golden_url_rewriting_replaces_origin_in_href: verifies origin host
  is fully replaced by proxy host in href/src attributes.
- Add golden_integration_script_is_not_double_injected: verifies the
  /static/tsjs= script tag appears exactly once.
- Add response_size_does_not_grow_disproportionately: verifies processed
  HTML stays within 2× of input size to catch buffer/double-processing bugs.
- Add Criterion benchmark (html_processor_bench) for process_chunk at
  10 KB and 100 KB payload sizes.
@prk-Jr
Add criterion::black_box to benchmark input for measurement purity
0e4d2ea
@prk-Jr
Add cross-adapter parity and benchmark CI gates for Phase 5 verification
24f122f
@prk-Jr
Add inline comment explaining -- --test flag in benchmark CI step
99967c8
@prk-Jr
Update Cargo.lock files after adding parity test dependencies
8a509ac
@prk-Jr prk-Jr self-assigned this May 20, 2026
prk-Jr added 13 commits May 20, 2026 21:43
@prk-Jr
Pin axum/tower/tokio versions in integration-tests to match workspace
c114209
@prk-Jr
Pin tokio to exact workspace version =1.52.3 in integration-tests
84cbdfe
@prk-Jr
Create parent directory before writing build output config
95fde69 
The build script writes trusted-server-out.toml to ../../target/ relative
to crates/trusted-server-core/. When the test-parity CI job builds this
crate as a dependency from crates/integration-tests/ (workspace-excluded),
the workspace-root target/ directory may not yet exist, causing a panic.

Add fs::create_dir_all for the parent path before the write to handle
this case robustly.
@prk-Jr
Remove redundant wrong-credentials tests from admin key route coverage
0b2228c 
The renamed tests duplicated coverage already provided by
admin_route_with_wrong_credentials_returns_401. Auth middleware rejects
any wrong credentials with 401 regardless of body content, so the extra
variants added no unique signal.
@prk-Jr
Fix admin_rotate_unauthenticated_parity: assert both adapters return 401
fdef759 
The previous comment described the wrong divergence (authenticated path).
For unauthenticated requests both adapters return 401. Add the missing
assert_eq!(axum_status, 401) and assert_eq!(axum_status, cf_status) so
the parity claim is actually verified for both adapters.
@prk-Jr
Add clippy gate for integration-tests crate in test-parity CI job
5123bd4 
crates/integration-tests is workspace-excluded so cargo clippy --workspace
is blind to it. Add an explicit step so lint regressions in parity.rs
are caught on every PR.
@prk-Jr
Extract MAX_GROWTH_FACTOR constant in html_processor growth test
641bfde 
2.0 was a magic number. Named constant with comment makes the bound
self-documenting: 2× covers injected script tag plus URL rewrites.
@prk-Jr
Fix trailing blank line in Cloudflare routes test file
d7670aa
@prk-Jr
Add clippy component to test-parity toolchain setup
b6a8894 
The setup-rust-toolchain action does not guarantee clippy is installed
when restoring a shared cache. Explicitly request the component so the
Clippy (parity test crate) step can find cargo-clippy.
@prk-Jr
Use multi_thread tokio flavor for all CF adapter route tests
a521479 
Matches the convention used by the Axum adapter tests and parity tests.
Single-threaded tokio can miss races in middleware that spawns tasks.
@prk-Jr
Add first-party route smoke tests to Axum adapter
5f91da2 
Matches the five first-party route tests already present in the
Cloudflare adapter test suite. A silently removed route in the Axum
adapter now fails the test run instead of going undetected.
@prk-Jr
Strengthen parity test assertions for unauthenticated admin routes
c0f2eec 
- Assert Axum also returns WWW-Authenticate header on 401 (was CF-only)
- Add admin_deactivate_unauthenticated_parity covering the deactivate path
- Rename cookie_behavior_note → publisher_proxy_fallback_parity (name
  now reflects what the test actually verifies)
- Fix expect("collect body") → expect("should collect body") per style guide
@prk-Jr
Document tokio exact pin in integration-tests Cargo.toml
161c41e 
Adds inline comment so future maintainers know why the version is pinned
with `=` rather than a range constraint.
@prk-Jr prk-Jr requested a review from aram356 May 20, 2026 17:15
@prk-Jr prk-Jr requested a review from ChristianPavilonis May 20, 2026 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aram356 aram356 Awaiting requested review from aram356

@ChristianPavilonis ChristianPavilonis Awaiting requested review from ChristianPavilonis

Assignees

@prk-Jr prk-Jr

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@prk-Jr