Add ts cli

.cargo/config.toml

@@ -3,12 +3,18 @@
 #   trusted-server-adapter-axum      → native                (dev server)
 #   trusted-server-adapter-cloudflare → wasm32-unknown-unknown (Cloudflare Workers)
 #   trusted-server-adapter-spin      → wasm32-wasip1         (Fermyon Spin)
+#   trusted-server-cli               → native                (operator CLI)
 #
 # All adapters are workspace members so `-p` resolves each.
 # default-members = [fastly] — required so Viceroy can locate the binary via `cargo run --bin`.
 # Use the aliases below to target each adapter with the correct toolchain.
 
 [alias]
+test_details = ["test", "--target", "aarch64-apple-darwin"]
+test_cli_macos = ["test", "--package", "trusted-server-cli", "--target", "aarch64-apple-darwin"]
+build_cli_macos = ["build", "--package", "trusted-server-cli", "--target", "aarch64-apple-darwin"]
+test_cli_linux = ["test", "--package", "trusted-server-cli", "--target", "x86_64-unknown-linux-gnu"]
+build_cli_linux = ["build", "--package", "trusted-server-cli", "--target", "x86_64-unknown-linux-gnu"]
 # Fastly adapter + shared crates (wasm32-wasip1 via Viceroy)
 # Excludes Axum (native-only), Cloudflare (wasm32-unknown-unknown), and Spin (separate wasm32-wasip1 job)
 test-fastly = ["test", "--workspace", "--exclude", "trusted-server-adapter-axum", "--exclude", "trusted-server-adapter-cloudflare", "--exclude", "trusted-server-adapter-spin", "--target", "wasm32-wasip1"]

.github/workflows/format.yml

@@ -47,6 +47,9 @@ jobs:
       - name: Run cargo clippy (Spin — wasm32-wasip1)
         run: cargo clippy-spin-wasm
 
+      - name: Run host-target CLI clippy
+        run: cargo clippy --package trusted-server-cli --target x86_64-unknown-linux-gnu --all-targets --all-features -- -D warnings
+
   format-typescript:
     runs-on: ubuntu-latest
     defaults:

.github/workflows/integration-tests.yml

@@ -33,6 +33,11 @@ jobs:
           install-viceroy: "false"
           build-cloudflare: "true"
 
+      - name: Generate integration Viceroy configs
+        run: ./scripts/generate-integration-viceroy-configs.sh
+        env:
+          INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
+
       - name: Package integration test artifacts
         run: |
           mkdir -p "$(dirname "$WASM_ARTIFACT_PATH")" "$(dirname "$AXUM_ARTIFACT_PATH")" "$(dirname "$DOCKER_ARTIFACT_PATH")" "$CF_BUILD_ARTIFACT_PATH"
@@ -107,6 +112,7 @@ jobs:
           AXUM_BINARY_PATH: ${{ env.AXUM_ARTIFACT_PATH }}
           CLOUDFLARE_WRANGLER_DIR: ${{ github.workspace }}/crates/trusted-server-adapter-cloudflare
           INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
+          VICEROY_CONFIG_PATH: ${{ env.ARTIFACTS_DIR }}/configs/viceroy-legacy.toml
           RUST_LOG: info
 
   integration-tests-edgezero:
@@ -150,11 +156,7 @@ jobs:
         env:
           WASM_BINARY_PATH: ${{ env.WASM_ARTIFACT_PATH }}
           INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
-          VICEROY_CONFIG_PATH: ${{ github.workspace }}/crates/trusted-server-integration-tests/fixtures/configs/viceroy-template-edgezero.toml
-          # Opt into the EdgeZero entry-point canary in test_ec_lifecycle_fastly.
-          # Only set here, so the legacy integration-tests job runs the same
-          # scenarios through legacy_main without asserting the EdgeZero-only 405.
-          EXPECT_EDGEZERO_ENTRY_POINT: "true"
+          VICEROY_CONFIG_PATH: ${{ env.ARTIFACTS_DIR }}/configs/viceroy-edgezero.toml
           RUST_LOG: info
 
   browser-tests:
@@ -202,7 +204,7 @@ jobs:
         env:
           WASM_BINARY_PATH: ${{ env.WASM_ARTIFACT_PATH }}
           INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
-          VICEROY_CONFIG_PATH: ${{ github.workspace }}/crates/trusted-server-integration-tests/fixtures/configs/viceroy-template.toml
+          VICEROY_CONFIG_PATH: ${{ env.ARTIFACTS_DIR }}/configs/viceroy-legacy.toml
           TEST_FRAMEWORK: nextjs
           PLAYWRIGHT_HTML_REPORT: playwright-report-nextjs
         run: npx playwright test
@@ -221,7 +223,7 @@ jobs:
         env:
           WASM_BINARY_PATH: ${{ env.WASM_ARTIFACT_PATH }}
           INTEGRATION_ORIGIN_PORT: ${{ env.ORIGIN_PORT }}
-          VICEROY_CONFIG_PATH: ${{ github.workspace }}/crates/trusted-server-integration-tests/fixtures/configs/viceroy-template.toml
+          VICEROY_CONFIG_PATH: ${{ env.ARTIFACTS_DIR }}/configs/viceroy-legacy.toml
           TEST_FRAMEWORK: wordpress
           PLAYWRIGHT_HTML_REPORT: playwright-report-wordpress
         run: npx playwright test

.github/workflows/test.yml

@@ -79,12 +79,10 @@ jobs:
         # -- --test runs each benchmark as a regular test (no timing harness) so CI stays fast
         run: cargo bench -p trusted-server-core --bench html_processor_bench -- --test
 
+      - name: Run host-target CLI tests
+        run: cargo test --package trusted-server-cli --target x86_64-unknown-linux-gnu
+
       - name: Verify Fastly WASM release build
-        env:
-          TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:8080
-          TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
-          TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
-          TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
         run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
 
   test-cloudflare:

.gitignore

@@ -21,6 +21,7 @@
 
 # env
 .env*
+trusted-server.toml
 
 # backup
 **/*.rs.bk

CLAUDE.md

@@ -18,12 +18,14 @@ crates/
   trusted-server-adapter-axum/          # Axum dev server entry point (native binary)
   trusted-server-adapter-cloudflare/    # Cloudflare Workers entry point (wasm32-unknown-unknown binary)
   trusted-server-adapter-spin/          # Fermyon Spin entry point (wasm32-wasip1 component)
+  trusted-server-cli/                   # Host-target `ts` operator CLI
   trusted-server-js/                    # TypeScript/JS build — per-integration IIFE bundles
     lib/         # TS source, Vitest tests, esbuild pipeline
 ```
 
-Supporting files: `fastly.toml`, `trusted-server.toml`, `.env.dev`,
-`rust-toolchain.toml`, `CONTRIBUTING.md`.
+Supporting files: `edgezero.toml`, `fastly.toml`,
+`trusted-server.example.toml`, `.env.dev`, `rust-toolchain.toml`,
+`CONTRIBUTING.md`. Operator-owned `trusted-server.toml` files are gitignored.
 
 ## Toolchain
 
@@ -96,6 +98,11 @@ cargo test-axum        # Axum dev server adapter (native)
 cargo test-cloudflare  # Cloudflare Workers adapter (native host)
 cargo test-spin        # Spin adapter route tests (native host)
 
+# Run host-target CLI tests (workspace default target is wasm32-wasip1)
+# Use your host triple, for example x86_64-unknown-linux-gnu on CI/Linux
+# or aarch64-apple-darwin on Apple Silicon macOS.
+cargo test --package trusted-server-cli --target <host-triple>
+
 # Format
 cargo fmt --all -- --check
 
@@ -311,10 +318,12 @@ IntegrationRegistration::builder(ID)
 
 | File                  | Purpose                                                    |
 | --------------------- | ---------------------------------------------------------- |
-| `fastly.toml`         | Fastly service configuration and build settings            |
-| `trusted-server.toml` | Application settings (ad servers, KV stores, ID templates) |
-| `rust-toolchain.toml` | Pins Rust version to 1.95.0                                |
-| `.env.dev`            | Local development environment variables                    |
+| `edgezero.toml`                 | EdgeZero app/platform manifest and logical stores               |
+| `fastly.toml`                   | Fastly service configuration and build settings                 |
+| `trusted-server.example.toml`   | Source-controlled Trusted Server app-config template            |
+| `trusted-server.toml`           | Operator-owned app config; gitignored; `ts config push` publishes it as an EdgeZero blob envelope |
+| `rust-toolchain.toml`           | Pins Rust version to 1.95.0                                     |
+| `.env.dev`                      | Local development environment variables                         |
 
 ---