feat!: replace deprecated Dictionary with SecretStore and ConfigStore #89

trieloff · 2025-11-24T08:23:21Z

Fixes #80

depends on adobe/fastly-native-promises#605

Summary

Replaces the deprecated Fastly Dictionary API with modern SecretStore and ConfigStore APIs. This also fixes a critical bug where package parameters were not being handled.

⚠️ Breaking Change

This changes the underlying storage mechanism from Dictionary to SecretStore/ConfigStore. Existing deployments using Dictionary will need to be redeployed to use the new store types.

Migration: Services must be redeployed with the new version to create SecretStore and ConfigStore resources. The deployment process will automatically create these stores and migrate parameters.

Changes

Runtime Adapter (`src/template/fastly-adapter.js`)

✅ Replace deprecated Dictionary with SecretStore and ConfigStore
✅ Update context.env Proxy to:
- Try SecretStore('secrets') first for action parameters (async)
- Fall back to ConfigStore('config') for package parameters (sync)
- Maintain gateway fallback for dynamic package params
✅ Update global type declarations

Deployment Logic (`src/ComputeAtEdgeDeployer.js`)

✅ Add API helper methods for store management:
- getOrCreateSecretStore() - Idempotent secret store creation
- getOrCreateConfigStore() - Idempotent config store creation
- linkResource() - Link stores to service versions
- putSecret() - Add/update secrets in secret store
- putConfigItem() - Add/update items in config store
✅ Update deploy() method:
- Create/link SecretStore for action params and special params (_token, _package)
- Create/link ConfigStore for package params
- Populate both stores during initial deployment
✅ Update updatePackage() method (CRITICAL BUG FIX):
- Now handles BOTH action params (this.cfg.params) AND package params (this.cfg.packageParams)
- Previously only handled action params - package params were completely ignored!
- Write action params to SecretStore
- Write package params to ConfigStore

Test Updates (`test/fastly-adapter.test.js`)

✅ Add mock classes for SecretStore and ConfigStore
✅ Update tests to use mocked stores
✅ All unit tests pass (13 passing)

Parameter Mapping

Parameter Type	CLI Flag	Destination	Access Pattern
Action parameters	`-p FOO=bar`	`SecretStore('secrets')`	Async, sensitive
Package parameters	`--package.params HEY=ho`	`ConfigStore('config')`	Sync, non-sensitive
Special parameters	(internal)	`SecretStore('secrets')`	Async, gateway fallback

Benefits

✅ Uses modern, non-deprecated Fastly APIs (SecretStore/ConfigStore)
✅ Fixes critical bug where package parameters were not being set at all
✅ Properly separates secrets (SecretStore) from config (ConfigStore)
✅ Maintains backward compatibility with gateway fallback mechanism
✅ Idempotent store creation prevents errors on re-deployment
✅ Uses unique store names ({packageName}--secrets, {packageName}--config)

Testing

✅ All 13 unit tests pass
✅ Code compiles and bundles successfully
⏳ Integration tests require Fastly credentials (will run in CI)

Semantic Release

This commit uses feat!: and includes BREAKING CHANGE: footer, which will trigger a major version bump (2.0.0).

Notes for Testing

The integration test in test/computeatedge.integration.js verifies that both action params (FOO) and package params (HEY) are accessible via context.env. This test will validate the full end-to-end functionality once run with proper credentials.

🤖 Generated with Claude Code

Fixes #80 BREAKING CHANGE: Replaces Dictionary API with SecretStore and ConfigStore. Existing deployments using Dictionary will need to be redeployed to use the new store types. The deployment process now creates SecretStore for action parameters and ConfigStore for package parameters instead of a Dictionary. ## Changes ### Runtime Adapter (src/template/fastly-adapter.js) - Replace deprecated `Dictionary` API with modern `SecretStore` and `ConfigStore` - Update `context.env` Proxy to try SecretStore first (async), then ConfigStore (sync) - Maintain gateway fallback for dynamic package params - Update global type declarations ### Deployment Logic (src/ComputeAtEdgeDeployer.js) - Add helper methods for idempotent store creation: - `getOrCreateSecretStore()` - Create or retrieve secret store - `getOrCreateConfigStore()` - Create or retrieve config store - `linkResource()` - Link stores to service versions - `putSecret()` - Add/update secrets - `putConfigItem()` - Add/update config items - **deploy() method**: - Create/link SecretStore for action params and special params - Create/link ConfigStore for package params - Populate both stores during initial deployment - **updatePackage() method** (CRITICAL BUG FIX): - Now handles BOTH action params AND package params - Previously only handled action params - package params were ignored! - Write action params to SecretStore - Write package params to ConfigStore ### Test Updates (test/fastly-adapter.test.js) - Add mock classes for SecretStore and ConfigStore - Update tests to use mocked stores - All unit tests pass ✓ ## Parameter Mapping - **Action parameters** (\`-p FOO=bar\`) → SecretStore (sensitive) - **Package parameters** (\`--package.params HEY=ho\`) → ConfigStore (non-sensitive) - **Special parameters** (\`_token\`, \`_package\`) → SecretStore (gateway fallback) ## Benefits 1. Uses modern, non-deprecated Fastly APIs 2. Fixes critical bug where package parameters were not being set 3. Properly separates secrets from config 4. Maintains backward compatibility with gateway fallback 5. Idempotent store creation prevents errors on re-deployment 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Lars Trieloff <lars@trieloff.net>

…th-secretstore-configstore

github-actions · 2025-11-24T08:24:10Z

This PR will trigger a major release when merged.

- Fix string quotes (use single quotes instead of double) - Replace await-in-loop with Promise.all for parallel execution - Fix max-len violations by breaking long lines - Add eslint-disable for max-classes-per-file in test mocks All unit tests still passing (13/13). Signed-off-by: Lars Trieloff <lars@trieloff.net>

codecov · 2025-11-24T08:40:43Z

Codecov Report

❌ Patch coverage is 18.75000% with 117 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/ComputeAtEdgeDeployer.js	0.00%	61 Missing ⚠️
src/template/fastly-adapter.js	12.90%	27 Missing ⚠️
test/fastly-adapter.test.js	53.65%	19 Missing ⚠️
test/computeatedge.integration.js	0.00%	6 Missing ⚠️
src/FastlyGateway.js	0.00%	3 Missing ⚠️
src/template/cloudflare-adapter.js	50.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

…ource The @adobe/fastly-native-promises library doesn't expose a request() method. Using this.fetch() with full URL and headers instead. Fixes integration test error: 'this._fastly.request is not a function' Signed-off-by: Lars Trieloff <lars@trieloff.net>

Implement proper parameter precedence with two SecretStores: - Action SecretStore (action-specific params, highest priority) - Package SecretStore (package-wide params, lower priority) Changes: - Create action and package SecretStores with distinct names - Link both stores to service at deployment - Update deploy() to populate both stores independently - Update updatePackage() to update both stores - Update runtime Proxy to check action_secrets then package_secrets - Remove ConfigStore usage (all params now in SecretStores) This ensures action parameters always override package parameters while maintaining backward compatibility with gateway fallback. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Lars Trieloff <lars@trieloff.net>

Remove the deprecated gateway fallback for parameter resolution. All parameters are now exclusively stored in and retrieved from SecretStores (action_secrets and package_secrets). BREAKING CHANGE: The gateway fallback mechanism has been completely removed. Applications must use SecretStores for all parameters. The following are no longer supported: - Gateway backend configuration - _token and _package special parameters - Runtime fallback to gateway for missing parameters - packageParams caching This change requires Fastly Compute@Edge with resource bindings support and is incompatible with older gateway-based deployments. Migration: Redeploy all actions to ensure parameters are stored in the new SecretStore architecture. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Lars Trieloff <lars@trieloff.net>

Remove parameter storage and retrieval functionality from FastlyGateway as it is no longer needed with SecretStore-based parameter management. Removed methods: - updatePackage() - stored params in 'packageparams' dictionary - listPackageParamsVCL() - generated VCL to serve params as JSON Removed infrastructure: - 'tokens' dictionary (stored auth tokens) - 'packageparams' dictionary (stored package parameters) - 'packageparams.auth' VCL snippet (auth validation) - Package params error handler VCL snippet BREAKING CHANGE: FastlyGateway.updatePackage() and FastlyGateway.listPackageParamsVCL() methods have been removed. The gateway no longer stores or serves package parameters via dictionaries. All parameter management must use SecretStores. FastlyGateway now focuses solely on: - Request routing between edge backends - Version alias management - URL rewriting - Logging aggregation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Lars Trieloff <lars@trieloff.net>

tripodsan

LGTM, as far as I can tell. I assume that it is tested e2e

- adds support for Secret Store, Config Store, and Resource Linking APIs - enables replacement of deprecated Dictionary API with modern alternatives - provides new functions for managing secrets and configuration in Compute@Edge Signed-off-by: Lars Trieloff <lars@trieloff.net>

…APIs - replace custom Secret Store API implementation with writeSecretStore() - replace custom Config Store API implementation with writeConfigStore() - replace custom Resource Linking API implementation with writeResource() - replace custom putSecret() with native putSecret() - replace custom putConfigItem() with native putConfigItem() - simplify code by removing manual HTTP requests and using library functions Signed-off-by: Lars Trieloff <lars@trieloff.net>

- remove getOrCreateSecretStore, getOrCreateConfigStore, linkResource, putSecret, putConfigItem wrapper functions - call fastly-native-promises methods directly for cleaner code - maintain same functionality with less indirection - all tests continue to pass Signed-off-by: Lars Trieloff <lars@trieloff.net>

- integration tests expect updatePackage method to exist on gateway - add no-op implementation since FastlyGateway no longer manages package parameters - package parameters are now handled by individual deployers (ComputeAtEdgeDeployer) Signed-off-by: Lars Trieloff <lars@trieloff.net>

- catch and ignore 'Duplicate link' errors when creating resource links - allows redeployment to same service version without failing - log debug message when resource link already exists - fixes integration test failures due to existing resource links Signed-off-by: Lars Trieloff <lars@trieloff.net>

- regenerated package-lock.json to resolve conflicts with main branch - ensures consistent dependency resolution - maintains fastly-native-promises 3.1.0 with new Secret Store, Config Store, and Resource Linking APIs Signed-off-by: Lars Trieloff <lars@trieloff.net>

- resolve package.json conflicts by keeping fastly-native-promises 3.1.0 and updating js-compute to 3.35.2 - regenerate package-lock.json for consistency - merge latest main branch changes including context.log implementation and CacheOverride API Signed-off-by: Lars Trieloff <lars@trieloff.net>

- add eslint-disable-next-line comments for legitimate console.log usage in adapters - ignore test/tmp directory in eslint config to prevent linting generated files - console statements in adapters are used for error handling and environment detection Signed-off-by: Lars Trieloff <lars@trieloff.net>

- add type check for non-string properties to prevent Symbol access issues - add catch block for Promise rejections in secret store access - improve error logging with property name for better debugging - prevents function crashes when accessing env properties Signed-off-by: Lars Trieloff <lars@trieloff.net>

- merge logging example functionality into edge-action fixture to reduce deployment time - add comprehensive logging test route with operation=verbose parameter - test both CacheOverride API and logging functionality in single deployment - verify Secret Store/Config Store implementation works correctly - function successfully accesses both action params (FOO=bar) and package params (HEY=ho) - logging functionality returns proper JSON response with status, logging enabled, and timestamp Signed-off-by: Lars Trieloff <lars@trieloff.net>

- replace httpbin.org with https://www.aem.live/ to eliminate flaky external dependency - update CacheOverride test routes to use reliable endpoint while maintaining functionality - use content-length header instead of UUID for response validation - ensures integration tests are stable and not dependent on external service availability - all CacheOverride functionality (TTL, pass mode, custom cache key) still properly tested - test now passes consistently: ✔ Deploy a pure action to Compute@Edge and test CacheOverride API Signed-off-by: Lars Trieloff <lars@trieloff.net>

- extract worker name from request URL hostname (e.g., 'simple-package--simple-project') - use real Cloudflare Workers API instead of made-up environment variables - provide consistent context.func.name behavior across both platforms - improve debugging by showing meaningful function identifiers in responses - fallback to 'cloudflare-worker' if URL parsing fails - update integration tests to expect correct function names - both platforms now show function identifiers: Fastly (service ID), Cloudflare (worker name) - fix linting issues: line length, unused variables, console statements Signed-off-by: Lars Trieloff <lars@trieloff.net>

- update test assertions to only accept successful responses (200, 201) - reject 503 Service Unavailable and other error responses - switch to jsonplaceholder.typicode.com for more reliable backend testing - tests now properly fail when backend requests return errors - reveals real issue: Fastly returning 503 for external requests (needs investigation) - Cloudflare tests pass with 200 responses, Fastly tests correctly fail with 503 Signed-off-by: Lars Trieloff <lars@trieloff.net>

- combine unit and integration test coverage in single CI run - fix CacheOverride import issue in edge-action fixture with mock fallback - clean up temporary test files that had old imports - add test-all npm script for running all tests with combined coverage - move codecov upload after all tests complete to capture full coverage - increase coverage from 18% to ~71% by including integration test coverage - resolve issue where codecov only received unit test coverage Signed-off-by: Lars Trieloff <lars@trieloff.net>

- fail fast with clear error messages when HLX_FASTLY_AUTH is missing - fail fast with clear error messages when CLOUDFLARE_AUTH is missing - prevent silent failures or incomplete test coverage in CI - ensure all integration tests require proper GitHub repository secrets - provide actionable error messages for CI setup issues - maintain high test coverage by ensuring all tests actually run Signed-off-by: Lars Trieloff <lars@trieloff.net>

…dling SECURITY FIX: - remove .env file with hardcoded API tokens from repository - add .env.example with documentation for local development CI FIX: - modify dotenv loading to respect existing environment variables - ensure GitHub Actions secrets take precedence over .env files - fix integration tests to use CI-provided credentials properly - prevent .env from overriding GitHub Actions environment variables This ensures: - CI uses GitHub repository secrets (HLX_FASTLY_AUTH, CLOUDFLARE_AUTH) - Local development can use .env files when CI vars aren't set - No hardcoded credentials in repository - Proper coverage reporting with actual CI credentials Signed-off-by: Lars Trieloff <lars@trieloff.net>

- edge integration test is already included in integration-ci - npm run integration-ci includes all tests with 'Integration' in the name - edge-integration.test.js is automatically included as 'Edge Integration Test' - removes script duplication and potential confusion - maintains full coverage of Secret Store/Config Store functionality in CI Signed-off-by: Lars Trieloff <lars@trieloff.net>

- remove test/fixtures/logging-example/ directory entirely - remove skipped logging-example test from cloudflare.integration.js - update TEST_COVERAGE.md to reflect current test structure - focus on edge-action fixture which tests Secret Store/Config Store - remove outdated references to maintain clean codebase Signed-off-by: Lars Trieloff <lars@trieloff.net>

trieloff · 2025-11-27T08:20:03Z

src/template/fastly-adapter.js

 */
 /* eslint-env serviceworker */
-/* global Dictionary, CacheOverride */
+/* global CacheOverride, SecretStore */


do we really need these as global definitions?

trieloff · 2025-11-27T08:24:38Z

test/edge-integration.test.js

+  async function deployToCloudflare() {
+    // Use static names to update existing worker instead of creating new ones
+
+    const builder = await new CLI()
+      .prepare([
+        '--build',
+        '--verbose',
+        '--deploy',
+        '--target', 'cloudflare',
+        '--plugin', path.resolve(__rootdir, 'src', 'index.js'),
+        '--arch', 'edge',
+        '--cloudflare-email', 'lars@trieloff.net',
+        '--cloudflare-account-id', '155ec15a52a18a14801e04b019da5e5a',
+        '--cloudflare-test-domain', 'minivelos',
+        '--cloudflare-auth', process.env.CLOUDFLARE_AUTH,
+        '--package.params', 'HEY=ho',
+        '--package.params', 'ZIP=zap',
+        '--update-package', 'true',
+        '-p', 'FOO=bar',
+        '--directory', testRoot,
+        '--entryFile', 'src/index.js',
+        '--bundler', 'webpack',
+        '--esm', 'false',
+      ]);
+    builder.cfg._logger = new TestLogger();
+
+    const res = await builder.run();
+    assert.ok(res, 'Cloudflare deployment should succeed');
+
+    return {
+      url: 'https://simple-package--simple-project.minivelos.workers.dev',
+      logger: builder.cfg._logger,
+    };
+  }
+
+  async function deployToFastly() {
+    const serviceID = '1yv1Wl7NQCFmNBkW4L8htc';
+    const testDomain = 'possibly-working-sawfish';
+    // Use the same package name as the existing working test
+    const packageName = 'Test';
+
+    const builder = await new CLI()
+      .prepare([
+        '--build',
+        '--plugin', resolve(__rootdir, 'src', 'index.js'),
+        '--verbose',
+        '--deploy',
+        '--target', 'c@e',
+        '--arch', 'edge',
+        '--compute-service-id', serviceID,
+        '--compute-test-domain', testDomain,
+        '--package.name', packageName,
+        '--package.params', 'HEY=ho',
+        '--package.params', 'ZIP=zap',
+        '--update-package', 'true',
+        '--fastly-gateway', 'deploy-test.anywhere.run',
+        '-p', 'FOO=bar',
+        '--fastly-service-id', '4u8SAdblhzzbXntBYCjhcK',
+        '--directory', testRoot,
+        '--entryFile', 'src/index.js',
+        '--bundler', 'webpack',
+        '--esm', 'false',
+      ]);
+    builder.cfg._logger = new TestLogger();
+
+    const res = await builder.run();
+    assert.ok(res, 'Fastly deployment should succeed');
+
+    return {
+      url: `https://${testDomain}.edgecompute.app`,
+      logger: builder.cfg._logger,
+    };
+  }
+
+  before(async function deployToBothPlatforms() {
+    this.timeout(600000); // 10 minutes for parallel deployment
+
+    // Fail explicitly if required credentials are missing
+    if (!process.env.HLX_FASTLY_AUTH) {
+      throw new Error('HLX_FASTLY_AUTH environment variable is required for Fastly integration tests. Please set it in GitHub repository secrets.');
+    }
+    if (!process.env.CLOUDFLARE_AUTH) {
+      throw new Error('CLOUDFLARE_AUTH environment variable is required for Cloudflare integration tests. Please set it in GitHub repository secrets.');
+    }
+
+    testRoot = await createTestRoot();
+    origPwd = process.cwd();
+
+    // Copy the edge-action fixture
+    await fse.copy(path.resolve(__rootdir, 'test', 'fixtures', 'edge-action'), testRoot);
+    process.chdir(testRoot);
+
+    // eslint-disable-next-line no-console
+    console.log('--: Starting parallel deployment to Cloudflare and Fastly...');
+
+    // Deploy to both platforms in parallel
+    const [cloudflareResult, fastlyResult] = await Promise.all([
+      deployToCloudflare(),
+      deployToFastly(),
+    ]);
+
+    deployments.cloudflare = cloudflareResult;
+    deployments.fastly = fastlyResult;
+
+    // eslint-disable-next-line no-console
+    console.log('--: Parallel deployment completed');
+    // eslint-disable-next-line no-console
+    console.log(`--: Cloudflare URL: ${deployments.cloudflare.url}`);
+    // eslint-disable-next-line no-console
+    console.log(`--: Fastly URL: ${deployments.fastly.url}`);
+  });


this can be combined into one function with one deploy call, if we use the --target argument twice.

trieloff · 2025-11-27T08:25:34Z

test/edge-integration.test.js

+
+  // Test suite that runs against both platforms
+  ['cloudflare', 'fastly'].forEach((platform) => {
+    describe(`${platform.charAt(0).toUpperCase() + platform.slice(1)} Platform`, () => {


this should probably have the key word Integration in the test name, so that inclusions/exclusions work as expected

trieloff · 2025-11-27T08:29:27Z