Add ts CLI ad-template config diagnostics and browser audit #823

Draft: prk-Jr wants to merge 33 commits into server-side-ad-templates-impl from feature/ts-cli-ad-templates

prk-Jr commented Jun 25, 2026

Collaborator

Summary

  • Adds operator tooling to verify server-side ad-template ([creative_opportunities]) configuration: static path/slot diagnostics via ts config ad-templates …, and browser-backed live verification via ts audit … (local Chrome/Chromium over CDP).
  • Lets publishers catch slot/config drift before deploy — match a path to configured slots, assert expected slots in CI, explain runtime ad-stack gating, and confirm configured slots actually render (DOM/GPT/APS evidence) on live pages.
  • Keeps the CLI host-only: browser deps (chromiumoxide) are excluded from the wasm32-wasip1 build, and the runtime ad-stack gate is shared with publisher.rs so the CLI cannot drift from server behavior.

Stacks on the EdgeZero CLI base (server-side-ad-templates-impl). The changes below are the server-side ad-template CLI feature; the rest of the diff is the inherited CLI base.

Changes

| Area | Change |
| --- | --- |
| trusted-server-core/src/creative_opportunities.rs | [creative_opportunities] config types, match_slots, and a shared evaluate_ad_stack_gate runtime gate |
| trusted-server-core/src/publisher.rs | Route should_run_server_side_ad_stack through the shared gate (behavior-preserving) |
| trusted-server-cli/src/config_ad_templates.rs | ts config ad-templates {lint,match,check,explain} static diagnostics |
| trusted-server-cli/src/app_config.rs | Shared effective app-config loader for the config + audit commands |
| trusted-server-cli/src/ad_templates/{expected,compare,output}.rs | Pure expected-slot projection, DOM/GPT/APS evidence comparison, and the stable JSON model |
| trusted-server-cli/src/audit/{mod,page,collector,browser,ad_templates}.rs, audit/ad_template_collector.js | ts audit page + ts audit ad-templates verify: chromiumoxide collector, read-only GPT/APS/DOM init script, verifier orchestration |
| trusted-server-cli/src/run.rs, src/lib.rs | Command wiring and parser tests for the audit namespace |
| Cargo.toml, trusted-server-cli/Cargo.toml | Host-only chromiumoxide/tokio/futures/which/tempfile deps, cfg-gated off wasm |
| trusted-server.example.toml | Example [creative_opportunities] block |
| docs/superpowers/{specs,plans}/2026-06-26-server-side-ad-template-cli* | Design spec and implementation plan |

Closes

Not yet linked to an issue.

Test plan

  • cargo test --workspace
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo fmt --all -- --check
  • JS tests: cd crates/trusted-server-js/lib && npx vitest run (393 passed)
  • JS format: cd crates/trusted-server-js/lib && npm run format
  • Docs format: cd docs && npm run format
  • WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1 (plus cargo build -p trusted-server-cli --target wasm32-wasip1 — browser deps stay out of wasm)
  • Other: host CLI tests cargo test -p trusted-server-cli --target <host-triple> (48, incl. a Chrome-gated browser fixture); manual ts audit ad-templates verify against a local fixture — confirmed (exit 0) and --strict on a missing slot (exit 2)

How to use

Static ts config ad-templates … commands only read local effective config (no browser). Browser-backed ts audit … commands launch a local Chrome/Chromium.

Configure slots

In your (gitignored) trusted-server.toml — fictional values shown:

[creative_opportunities]
gam_network_id = "123"

[[creative_opportunities.slot]]
id = "atf"
gam_unit_path = "/123/news/atf"
div_id = "ad-atf-"            # treated as a prefix; matches e.g. ad-atf-0
page_patterns = ["/news/*"]
formats = [{ width = 300, height = 250 }]

# optional provider hints
[creative_opportunities.slot.providers.aps]
slot_id = "atf"

Static diagnostics (no browser)

# Summarize config + deploy-time implications
ts config ad-templates lint

# Which configured slots match a path (or full URL)
ts config ad-templates match /news/story --details

# CI assertion: exact expected slot set
ts config ad-templates check /news/story --expected-slot atf
ts config ad-templates check /weather --expect-no-slots
ts config ad-templates check /news/story --expected-slot atf --allow-extra-slots

# Explain the runtime ad-stack gates for a modeled request
ts config ad-templates explain /news/story --bot --consent-denied --prefetch

Browser-backed audit (needs local Chrome/Chromium)

# Generic read-only page summary
ts audit page https://www.example.com/

# Verify configured slots render on live pages (DOM/GPT/APS evidence)
ts audit ad-templates verify https://www.example.com/news/story
ts audit ad-templates verify https://www.example.com/news/story --json
ts audit ad-templates verify https://www.example.com/ --strict --scroll

# Point at a specific browser / tune settle timing
ts audit ad-templates verify https://www.example.com/ \
  --chrome /path/to/chrome --settle-quiet-ms 1000 --settle-max-ms 15000

Shared config flags (all of the above)

--app-config <path>     # default: <app.name>.toml beside edgezero.toml
--manifest <path>       # default: edgezero.toml
--no-env                # skip the app-config environment overlay

Exit behavior

  • Default verify is auditor-assist: exits 0 even with missing/partial evidence.
  • --strict exits non-zero when a matched slot is missing or only partially confirmed (CI gate). A page-level navigation failure also exits non-zero.
  • Runtime gates (e.g. [auction].enabled = false) mark a page "skipped" so --strict does not fail it.

Local live test (deterministic, no external site)

Many large ad publishers block headless/non-evasive browsers, so verify against them sees a challenge page, not the article (this tool does not evade bot detection). To exercise the full pipeline reliably, serve a local fixture:

# 1. Fixture page that stubs just enough GPT (no network), served over HTTP
mkdir -p demo/news
cat > demo/news/story.html <<'HTML'
<!doctype html><html><head><meta charset="utf-8">
<div id="ad-atf-0"></div>
<script>
(function(){var s=[];var gt={cmd:[]};
gt.defineSlot=function(p,z,d){var o={getAdUnitPath:function(){return p},getSlotElementId:function(){return d},getSizes:function(){return z.map(function(x){return {getWidth:function(){return x[0]},getHeight:function(){return x[1]}}})}};s.push(o);return o};
gt.pubads=function(){return {getSlots:function(){return s}}};var op=gt.cmd.push.bind(gt.cmd);gt.cmd.push=function(c){op(c);c()};
window.googletag=gt;googletag.cmd.push(function(){googletag.defineSlot('/123/news/atf',[[300,250]],'ad-atf-0')});})();
</script></head><body></body></html>
HTML
(cd demo && python3 -m http.server 8771 &)

# 2. Verify against it (config from the example above, with page_patterns ["/news/*"])
ts audit ad-templates verify http://127.0.0.1:8771/news/story.html --json
#   => slots[0].status == "confirmed"

Checklist

  • Changes follow CLAUDE.md conventions
  • No unwrap() in production code — use expect("should ...")
  • No println!/eprintln! in library code (CLI output uses writeln!; errors use log)
  • New code has tests
  • No secrets or credentials committed
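
The slot matching and exit behavior described in the comment above, modeled as an added example; it is not code from this pull request or the project. `Slot`, `verify` and `exit_code` are hypothetical names, and the trailing-`*` pattern semantics, the definition of "partial" (DOM or GPT evidence but not both) and the use of exit code 2 for partial slots are assumptions.

```rust
// Added illustration; every type and function name here is hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Status { Confirmed, Partial, Missing, Skipped }
pub struct Slot<'a> {
    pub id: &'a str,
    pub gam_unit_path: &'a str,
    pub div_id: &'a str, // treated as a prefix, as in the config comment
    pub page_patterns: &'a [&'a str],
}

// Assumption: a trailing `*` matches any suffix; otherwise the match is exact.
fn pattern_matches(pattern: &str, path: &str) -> bool {
    pattern.strip_suffix('*').map_or(pattern == path, |pre| path.starts_with(pre))
}

/// Classify each slot whose page_patterns match `path` against page evidence:
/// DOM element ids and GPT (ad unit path, element id) pairs.
pub fn verify<'a>(
    slots: &'a [Slot<'a>], path: &str,
    dom_ids: &[&str], gpt_slots: &[(&str, &str)], gate_open: bool,
) -> Vec<(&'a str, Status)> {
    slots.iter()
        .filter(|s| s.page_patterns.iter().any(|p| pattern_matches(p, path)))
        .map(|s| {
            if !gate_open { return (s.id, Status::Skipped); } // runtime gate closed
            let dom = dom_ids.iter().any(|id| id.starts_with(s.div_id));
            let gpt = gpt_slots.iter()
                .any(|(unit, el)| *unit == s.gam_unit_path && el.starts_with(s.div_id));
            let status = match (dom, gpt) {
                (true, true) => Status::Confirmed,
                (false, false) => Status::Missing,
                _ => Status::Partial, // assumed meaning of "partially confirmed"
            };
            (s.id, status)
        })
        .collect()
}

/// 0 by default; under strict, 2 when any matched slot is missing or partial.
pub fn exit_code(results: &[(&str, Status)], strict: bool) -> i32 {
    let failed = results.iter().any(|(_, st)| matches!(st, Status::Missing | Status::Partial));
    if strict && failed { 2 } else { 0 }
}

fn main() {
    // Constructed sample using the fictional config values: DOM div present, no GPT slot.
    let slots = [Slot { id: "atf", gam_unit_path: "/123/news/atf", div_id: "ad-atf-", page_patterns: &["/news/*"] }];
    let r = verify(&slots, "/news/story", &["ad-atf-0"], &[], true);
    println!("{:?} default={} strict={}", r, exit_code(&r, false), exit_code(&r, true));
}
```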

ChristianPavilonis and others added 15 commits June 22, 2026 17:40
Replace the custom trusted-server CLI lifecycle and config payload plumbing with a thin EdgeZero delegation layer using typed config push/validate flows.

Add TrustedServerAppConfig wrapper in core with deploy-time validation and move blob reconstruction into runtime helpers.

Drop flattened config entry publishing and route app-config through EdgeZero blob envelope handling while keeping edgezero flag reads in trusted_server_config.

Update CLI and architecture docs for the new model and adjust fastly adapter store selection.
…e/ts-cli-ad-templates

# Conflicts:
#	Cargo.lock
#	crates/trusted-server-adapter-fastly/src/main.rs
#	crates/trusted-server-core/Cargo.toml
#	crates/trusted-server-core/build.rs
#	crates/trusted-server-core/src/publisher.rs
#	crates/trusted-server-integration-tests/Cargo.lock
#	trusted-server.toml
prk-Jr changed the title from "Add ts CLI diagnostics for server-side ad templates" to "Add ts CLI ad-template config diagnostics and browser audit" on Jun 27, 2026