Add config store support across all adapters

[prk-Jr]

Summary

• Introduces a portable ConfigStore abstraction in edgezero-core that lets handlers read key/value configuration at runtime without coupling to a specific platform
• Implements platform-native backing stores for Fastly (edge dictionary), Cloudflare (KV / env bindings), and Axum (in-memory map with env-var fallback), all sharing a common contract verified by shared test macros
• Wires config store injection through the #[app] macro and each adapter's request pipeline so handlers receive a ConfigStoreHandle via RequestContext with no boilerplate

Changes

Crate / File	Change
edgezero-core/src/config_store.rs	New ConfigStore trait, ConfigStoreHandle wrapper, and shared contract test macro
edgezero-core/src/manifest.rs	New manifest module with ConfigStore TOML binding and adapter name resolution
edgezero-core/src/context.rs	Added config_store() accessor and injection helpers to RequestContext
edgezero-core/src/app.rs	App::build hooks extended to accept config store configuration
edgezero-core/src/lib.rs	Re-exported manifest module
edgezero-adapter-axum/src/config_store.rs	New: in-memory + env-var AxumConfigStore with defaults support
edgezero-adapter-axum/src/service.rs	Inject ConfigStoreHandle into each request before routing
edgezero-adapter-axum/src/dev_server.rs	Accept optional config store handle in DevServerConfig
edgezero-adapter-axum/src/lib.rs	Re-exported config store types
edgezero-adapter-fastly/src/config_store.rs	New: FastlyConfigStore backed by Fastly edge dictionary
edgezero-adapter-fastly/src/lib.rs	Re-exported and wired config store into dispatch path
edgezero-adapter-fastly/src/request.rs	Inject config store handle during request conversion
edgezero-adapter-fastly/tests/contract.rs	Updated contract tests
edgezero-adapter-cloudflare/src/config_store.rs	New: CloudflareConfigStore backed by worker::Env bindings
edgezero-adapter-cloudflare/src/lib.rs	Re-exported and wired config store into dispatch path
edgezero-adapter-cloudflare/src/request.rs	Inject config store handle during request conversion
edgezero-adapter-cloudflare/tests/contract.rs	Updated contract tests
edgezero-macros/src/app.rs	#[app] macro generates config store setup from manifest
examples/app-demo/	Added config store usage in demo handlers and adapter wiring
docs/guide/	Added config store adapter docs and configuration guide
scripts/smoke_test_config.sh	New smoke test script for config store end-to-end verification
.gitignore	Excluded generated WASM artifacts

Closes

Closes #51

Test plan

• cargo test --workspace --all-targets
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo check --workspace --all-targets --features "fastly cloudflare"
• WASM builds: wasm32-wasip1 (Fastly) / wasm32-unknown-unknown (Cloudflare)
• Manual testing via edgezero-cli dev
• Other: shared contract test macro verified against all three adapter implementations

Checklist

• Changes follow CLAUDE.md conventions
• No Tokio deps added to core or adapter crates
• Route params use {id} syntax (not :id)
• Types imported from edgezero_core (not http crate)
• New code has tests
• No secrets or credentials committed

[ChristianPavilonis]

Thanks for the cross-adapter config store work — the overall direction looks good. I’m requesting changes for one high-severity issue plus follow-ups.

Findings

1. High — Axum config store can expose full process environment (secret leakage risk)

   • crates/edgezero-adapter-axum/src/config_store.rs:12
   • crates/edgezero-adapter-axum/src/config_store.rs:37
   • examples/app-demo/crates/app-demo-core/src/handlers.rs:119
   • AxumConfigStore::from_env snapshots all env vars, so any handler pattern that accepts user-controlled keys can accidentally expose unrelated secrets.
   • Requested fix: replace blanket std::env::vars() capture with an explicit allowlist (manifest-declared keys only), and avoid arbitrary key-lookup patterns in examples intended for production-like usage.

2. Medium — Adapter override key casing is inconsistent across resolution paths

   • crates/edgezero-core/src/manifest.rs:352
   • crates/edgezero-macros/src/app.rs:120
   • crates/edgezero-core/src/app.rs:59
   • Mixed-case adapter keys can work in one path and fail in another.
   • Requested fix: normalize keys at parse/finalize time (or enforce lowercase with validation) and add a mixed-case adapter-key test.

3. Low — Missing positive-path injection coverage in adapter tests

   • crates/edgezero-adapter-fastly/tests/contract.rs:17
   • crates/edgezero-adapter-cloudflare/tests/contract.rs:188
   • Please add success-path assertions that config store injection/retrieval works when bindings are present.

Once the high-severity item is addressed, this should be in good shape.

[aram356]

Review: Config Store Feature

Overall this is a well-structured feature that follows the existing adapter pattern cleanly. The core trait, contract test macro, per-adapter implementations, and manifest/macro integration are all thoughtfully designed. Test coverage is solid across all three adapters and the docs are thorough.

That said, I found issues across four areas that should be addressed before merge — one high-severity security concern, two medium design issues, and one CI coverage gap.

Summary

Severity	Finding
High	Axum config-store exposes entire process environment (secret leakage risk)
Medium	Case handling for adapter overrides is inconsistent between manifest and metadata paths
Medium	dispatch() bypasses config-store injection, diverging from run_app behavior
Medium-Low	New WASM adapter code paths are weakly exercised in CI

See inline comments for details and suggested improvements.

[ChristianPavilonis]

Follow-up review complete. No new issues were found in the current changeset, and previously noted concerns appear addressed.