Add config store read path and split storage module

CLAUDE.md

@@ -157,7 +157,7 @@ pub struct UserId(Uuid);
 - Use concrete error types with `Report<E>`.
 - Use `ensure!()` / `bail!()` macros for early returns.
 - Import `Error` from `core::error::` instead of `std::error::`.
-- Use `change_context()` to map error types, `attach()` / `attach_with()` for debug info.
+- Use `change_context()` to map error types, `attach()` for debug info.
 - Define errors with `derive_more::Display` (not thiserror):
 
 ```rust

crates/trusted-server-adapter-fastly/Cargo.toml

@@ -7,8 +7,11 @@ edition = "2021"
 workspace = true
 
 [dependencies]
+async-trait = { workspace = true }
+bytes = { workspace = true }
 chrono = { workspace = true }
-edgezero-adapter-fastly = { workspace = true }
+edgezero-adapter-fastly = { workspace = true, features = ["fastly"] }
+edgezero-core = { workspace = true }
 error-stack = { workspace = true }
 fastly = { workspace = true }
 fern = { workspace = true }
@@ -19,3 +22,6 @@ serde = { workspace = true }
 serde_json = { workspace = true }
 trusted-server-core = { path = "../trusted-server-core" }
 trusted-server-js = { path = "../js" }
+
+[dev-dependencies]
+edgezero-core = { workspace = true, features = ["test-utils"] }

crates/trusted-server-adapter-fastly/src/main.rs

@@ -14,6 +14,7 @@ use trusted_server_core::error::TrustedServerError;
 use trusted_server_core::geo::GeoInfo;
 use trusted_server_core::http_util::sanitize_forwarded_headers;
 use trusted_server_core::integrations::IntegrationRegistry;
+use trusted_server_core::platform::RuntimeServices;
 use trusted_server_core::proxy::{
     handle_first_party_click, handle_first_party_proxy, handle_first_party_proxy_rebuild,
     handle_first_party_proxy_sign,
@@ -27,7 +28,10 @@ use trusted_server_core::settings::Settings;
 use trusted_server_core::settings_data::get_settings;
 
 mod error;
+mod platform;
+
 use crate::error::to_error_response;
+use crate::platform::{build_runtime_services, open_kv_store, UnavailableKvStore};
 
 #[fastly::main]
 fn main(req: Request) -> Result<Response, Error> {
@@ -59,10 +63,28 @@ fn main(req: Request) -> Result<Response, Error> {
         }
     };
 
+    let kv_store = match open_kv_store(&settings.synthetic.opid_store) {
+        Ok(s) => s,
+        Err(e) => {
+            // Degrade gracefully: routes that do not touch synthetic IDs
+            // (e.g. /.well-known/, /verify-signature, /admin/keys/*) must
+            // still succeed even when the KV store is unavailable.
+            // Handlers that call kv_handle() will receive KvError::Unavailable.
+            log::warn!(
+                "KV store '{}' unavailable, synthetic ID routes will return errors: {e}",
+                settings.synthetic.opid_store
+            );
+            std::sync::Arc::new(UnavailableKvStore)
+                as std::sync::Arc<dyn trusted_server_core::platform::PlatformKvStore>
+        }
+    };
+    let runtime_services = build_runtime_services(&req, kv_store);
+
     futures::executor::block_on(route_request(
         &settings,
         &orchestrator,
         &integration_registry,
+        &runtime_services,
         req,
     ))
 }
@@ -71,15 +93,23 @@ async fn route_request(
     settings: &Settings,
     orchestrator: &AuctionOrchestrator,
     integration_registry: &IntegrationRegistry,
+    runtime_services: &RuntimeServices,
     mut req: Request,
 ) -> Result<Response, Error> {
     // Strip client-spoofable forwarded headers at the edge.
     // On Fastly this service IS the first proxy — these headers from
     // clients are untrusted and can hijack URL rewriting (see #409).
     sanitize_forwarded_headers(&mut req);
 
-    // Extract geo info before auth check or routing consumes the request
-    let geo_info = GeoInfo::from_request(&req);
+    // Look up geo info via the platform abstraction using the client IP
+    // already captured in RuntimeServices at the entry point.
+    let geo_info = runtime_services
+        .geo()
+        .lookup(runtime_services.client_info.client_ip)
+        .unwrap_or_else(|e| {
+            log::warn!("geo lookup failed: {e}");
+            None
+        });
 
     if let Some(mut response) = enforce_basic_auth(settings, &req) {
         finalize_response(settings, geo_info.as_ref(), &mut response);
@@ -99,7 +129,7 @@ async fn route_request(
 
         // Discovery endpoint for trusted-server capabilities and JWKS
         (Method::GET, "/.well-known/trusted-server.json") => {
-            handle_trusted_server_discovery(settings, req)
+            handle_trusted_server_discovery(settings, runtime_services, req)
         }
 
         // Signature verification endpoint