Add DataDome server-side validation and multi-backend routing

.gitignore

@@ -36,3 +36,6 @@ src/*.html
 /crates/integration-tests/browser/test-results/
 /crates/integration-tests/browser/playwright-report/
 /crates/integration-tests/browser/.browser-test-state.json
+
+# Fastly VCL exports (reference snapshots, not source)
+*.vcl

crates/trusted-server-adapter-fastly/backends.toml

@@ -0,0 +1,176 @@
+# Arena Group / SayMedia backend routing configuration.
+#
+# This file is merged into the embedded binary config at build time by
+# crates/common/build.rs. It is separate from trusted-server.toml to keep
+# customer-specific configuration out of the shared application template.
+
+[[backends]]
+id = "raven"
+origin_url = "https://raven-public.prod.saymedia.com"
+certificate_check = true
+domains = [
+    "active.com",
+    "americansongwriter.com",
+    "athleticbusiness.com",
+    "athlonsports.com",
+    "autoblog.com",
+    "azbigmedia.com",
+    "benzinga.com",
+    "bestproducts.com",
+    "bicycling.com",
+    "biography.com",
+    "bizjournals.com",
+    "bleacherreport.com",
+    "blogher.com",
+    "carsdirect.com",
+    "catalog.thearenagroup.net",
+    "cbsnews.com",
+    "cheatsheet.com",
+    "chron.com",
+    "cinemablend.com",
+    "citybeatnews.com",
+    "coachmag.co.uk",
+    "coastalliving.com",
+    "collegehumor.com",
+    "countryliving.com",
+    "ctnewsonline.com",
+    "dailypress.com",
+    "delish.com",
+    "denofgeek.com",
+    "detroit.cbslocal.com",
+    "digg.com",
+    "digitalspy.com",
+    "diynetwork.com",
+    "dooyoo.co.uk",
+    "dualshockers.com",
+    "eater.com",
+    "elle.com",
+    "elledecor.com",
+    "esquire.com",
+    "eurweb.com",
+    "everydayhealth.com",
+    "fansided.com",
+    "fightful.com",
+    "filmschoolrejects.com",
+    "fitbit.com",
+    "foodandwine.com",
+    "fool.com",
+    "forbes.com",
+    "freep.com",
+    "gamerant.com",
+    "gizmodo.com",
+    "glam.com",
+    "goodhousekeeping.com",
+    "grunge.com",
+    "health.com",
+    "healthline.com",
+    "hercampus.com",
+    "hgtv.com",
+    "history.com",
+    "hollywoodreporter.com",
+    "housebeautiful.com",
+    "huffpost.com",
+    "ibtimes.com",
+    "ign.com",
+    "indiewire.com",
+    "insidehook.com",
+    "instyle.com",
+    "investopedia.com",
+    "io9.com",
+    "jezebel.com",
+    "kiplinger.com",
+    "kotaku.com",
+    "latimes.com",
+    "law.com",
+    "lifehacker.com",
+    "livestrong.com",
+    "livescience.com",
+    "localiq.com",
+    "looper.com",
+    "mashable.com",
+    "mayoclinic.org",
+    "medicalnewstoday.com",
+    "menshealth.com",
+    "mensjournal.com",
+    "meredith.com",
+    "metro.co.uk",
+    "military.com",
+    "militarytimes.com",
+    "mlb.com",
+    "mlive.com",
+    "mnn.com",
+    "motorcyclistonline.com",
+    "msn.com",
+    "narcity.com",
+    "nationalreview.com",
+    "nbcnews.com",
+    "nerdist.com",
+    "newsweek.com",
+    "nj.com",
+    "nola.com",
+    "npr.org",
+    "nypost.com",
+    "nytimes.com",
+    "observer.com",
+    "oregonlive.com",
+    "outsideonline.com",
+    "outsports.com",
+    "oxygen.com",
+    "parade.com",
+    "patch.com",
+    "pcgamer.com",
+    "pennlive.com",
+    "people.com",
+    "petmd.com",
+    "pgalinks.org",
+    "philly.com",
+    "polygon.com",
+    "popsugar.com",
+    "prevention.com",
+    "purewow.com",
+    "realclearpolitics.com",
+    "realsimple.com",
+    "realtor.com",
+    "refinery29.com",
+    "rollingstone.com",
+    "runnersworld.com",
+    "salon.com",
+    "scout.com",
+    "screenrant.com",
+    "sfgate.com",
+    "si.com",
+    "simplemost.com",
+    "slate.com",
+    "space.com",
+    "sporcle.com",
+    "sportingnews.com",
+    "sportskeeda.com",
+    "southernliving.com",
+    "stltoday.com",
+    "syracuse.com",
+    "tampabay.com",
+    "thedailybeast.com",
+    "thedailymeal.com",
+    "thedenverchannel.com",
+    "thegamer.com",
+    "thelist.com",
+    "thepioneerwoman.com",
+    "thestreet.com",
+    "thethings.com",
+    "time.com",
+    "tmz.com",
+    "today.com",
+    "townandcountrymag.com",
+    "travelandleisure.com",
+    "usatoday.com",
+    "variety.com",
+    "verywellhealth.com",
+    "vox.com",
+    "vulture.com",
+    "washingtonpost.com",
+    "webmd.com",
+    "wired.com",
+    "womansday.com",
+    "womenshealthmag.com",
+    "yahoo.com",
+]

crates/trusted-server-core/build.rs

@@ -18,19 +18,42 @@ mod consent_config;
 #[path = "src/settings.rs"]
 mod settings;
 
+use serde_json::Value;
+use std::collections::HashSet;
 use std::fs;
 use std::path::Path;
 
 const TRUSTED_SERVER_INIT_CONFIG_PATH: &str = "../../trusted-server.toml";
 const TRUSTED_SERVER_OUTPUT_CONFIG_PATH: &str = "../../target/trusted-server-out.toml";
+const BACKENDS_CONFIG_PATH: &str = "../../crates/trusted-server-adapter-fastly/backends.toml";
 
 fn main() {
-    // Always rerun build.rs: integration settings are stored in a flat
-    // HashMap<String, JsonValue>, so we cannot enumerate all possible env
-    // var keys ahead of time. Emitting rerun-if-changed for a nonexistent
-    // file forces cargo to always rerun the build script.
-    println!("cargo:rerun-if-changed=_always_rebuild_sentinel_");
+    merge_toml();
+    rerun_if_changed();
+}
+
+fn rerun_if_changed() {
+    // Watch the root trusted-server.toml file for changes
+    println!("cargo:rerun-if-changed={}", TRUSTED_SERVER_INIT_CONFIG_PATH);
+    println!("cargo:rerun-if-changed={}", BACKENDS_CONFIG_PATH);
+
+    // Create a default Settings instance and convert to JSON to discover all fields
+    let default_settings = settings::Settings::default();
+    let settings_json = serde_json::to_value(&default_settings).unwrap();
+
+    let mut env_vars = HashSet::new();
+    collect_env_vars(&settings_json, &mut env_vars, &[]);
+
+    // Print rerun-if-env-changed for each variable
+    let mut sorted_vars: Vec<_> = env_vars.into_iter().collect();
+    sorted_vars.sort();
 
+    for var in sorted_vars {
+        println!("cargo:rerun-if-env-changed={}", var);
+    }
+}
+
+fn merge_toml() {
     // Read init config
     let init_config_path = Path::new(TRUSTED_SERVER_INIT_CONFIG_PATH);
     let toml_content = fs::read_to_string(init_config_path)
@@ -43,17 +66,57 @@ fn main() {
     // production deployments override via TRUSTED_SERVER__* env vars at
     // build time. Runtime startup (get_settings) rejects any remaining
     // placeholders so a misconfigured deployment fails fast.
-    let settings = settings::Settings::from_toml_and_env(&toml_content)
+    let mut settings = settings::Settings::from_toml_and_env(&toml_content)
         .expect("Failed to parse settings at build time");
 
-    let merged_toml =
-        toml::to_string_pretty(&settings).expect("Failed to serialize settings to TOML");
+    // Merge customer-specific backends from crates/fastly/backends.toml, if present
+    let backends_path = Path::new(BACKENDS_CONFIG_PATH);
+    if backends_path.exists() {
+        #[derive(serde::Deserialize)]
+        struct BackendsFile {
+            backends: Vec<settings::BackendRoutingConfig>,
+        }
+        let backends_toml = fs::read_to_string(backends_path)
+            .unwrap_or_else(|_| panic!("Failed to read {:?}", backends_path));
+        let backends_file: BackendsFile =
+            toml::from_str(&backends_toml).expect("Failed to parse backends.toml");
+        settings.backends.extend(backends_file.backends);
+    }
 
     // Only write when content changes to avoid unnecessary recompilation.
+    let merged_toml =
+        toml::to_string_pretty(&settings).expect("Failed to serialize settings to TOML");
     let dest_path = Path::new(TRUSTED_SERVER_OUTPUT_CONFIG_PATH);
     let current = fs::read_to_string(dest_path).unwrap_or_default();
     if current != merged_toml {
         fs::write(dest_path, merged_toml)
             .unwrap_or_else(|_| panic!("Failed to write {dest_path:?}"));
     }
 }
+
+fn collect_env_vars(value: &Value, env_vars: &mut HashSet<String>, path: &[String]) {
+    if let Value::Object(map) = value {
+        for (key, val) in map {
+            let mut new_path = path.to_owned();
+            new_path.push(key.to_uppercase());
+
+            match val {
+                Value::String(_) | Value::Number(_) | Value::Bool(_) => {
+                    // Leaf node - create environment variable
+                    let env_var = format!(
+                        "{}{}{}",
+                        settings::ENVIRONMENT_VARIABLE_PREFIX,
+                        settings::ENVIRONMENT_VARIABLE_SEPARATOR,
+                        new_path.join(settings::ENVIRONMENT_VARIABLE_SEPARATOR)
+                    );
+                    env_vars.insert(env_var);
+                }
+                Value::Object(_) => {
+                    // Recurse into nested objects
+                    collect_env_vars(val, env_vars, &new_path);
+                }
+                _ => {}
+            }
+        }
+    }
+}