Adds trusted-server-adapter-spin: Spin entrypoint via
edgezero_adapter_spin::run_app, EdgeZero and Spin runtime manifests,
platform runtime services (null geo, sync Spin variable secret adapter,
conservative buffered HTTP client with gzip/br decompression policy),
route/auth smoke tests, and EdgeZero manifest validation test.

Bumps EdgeZero deps to ce6bcf74b529d9066d08ba87b2971af8379eb29e to
access edgezero-adapter-spin. The new rev requires fastly = "0.12"
(edgezero-adapter-fastly workspace dependency) and worker = "0.8"
(Cloudflare adapter type compatibility). Pins viceroy 0.16.5 to
resolve the Fastly SDK 0.12 bot-analysis hostcall issue.

Extends parity tests to include Spin as a third in-process adapter.
Adds target-matched cargo aliases and CI jobs for Spin native and
wasm32-wasip1 targets. Updates CLAUDE.md lint and build guidance for
the mixed-runtime workspace.

Known MVP limits: Spin component variables do not map cleanly to all
Trusted Server config keys; authenticated key rotation success is not
claimed. Spin KV TTL is unavailable in the current EdgeZero Spin KV
adapter.

- Filter WASI HTTP P2 forbidden outbound headers (host, connection,
  keep-alive, transfer-encoding, upgrade, proxy-connection) before
  building the Spin outbound request; the host header caused every
  proxy request to fail with HeaderError::Forbidden
- Fix push_spin_variable_escape to emit _xhh not _hh; corrects all
  variable names in spin.toml and encoded test expectations
- Prepend n to digit-leading keys in spin_variable_name so Spin's
  letter-led segment requirement is met; aliasing now unreachable
  because validate_kid rejects digit-leading KIDs
- Fix with_capacity to account for the optional n prefix
- Remove redundant localhost entries from allowed_outbound_hosts
  (http://*:* already covers them)
- Update spin.toml encoding comment: collision-free → collision-resistant

Resolve conflict in parity.rs: preserve axum_www_auth binding from base
branch (required by assert_eq! below) and move spin WWW-Authenticate
presence check to end of function, consistent with deactivate test pattern.

Spin's WASI HTTP bridge does not surface the incoming Host header via
IncomingRequest::headers() — the authority is only accessible through
Spin's spin-full-url synthetic header. EdgeZero's into_core_request
forwards all headers including spin-full-url, but the Host header is
absent. extract_request_host() returns "" which causes
classify_response_route to fall back to BufferedUnmodified, skipping
the HTML processor entirely: no TSJS injection, no URL rewriting, no
GTM proxying.

Inject Host from spin-full-url in dispatch before routing, via a
simple host_from_spin_url helper that strips the scheme and path. The
fix is Spin-specific and does not touch shared publisher code.

Also addresses PR review findings: remove build_per_request_services
passthrough wrapper, reduce MAX_DECOMPRESSED_SIZE to 8 MiB, annotate
streaming body limitation, expand validate_kid digit test, upgrade
parity WWW-Authenticate assertions from presence to value equality,
and document the anyhow exception at the WASM FFI boundary.

- README Quick Start: add cargo test-spin
- README Development: replace broad workspace clippy with target-matched
  aliases and note why; add cargo test-spin to test list
- architecture.md: mention Cloudflare/Spin in the high-level overview;
  add trusted-server-adapter-spin section with build/test/lint commands
  and known MVP limits; expand Runtime Targets table to include all four
  adapters; add note on target-matched clippy requirement

Test was constructing a tsclick URL without a signature. Now that
handle_first_party_proxy_rebuild validates the tstoken via
reconstruct_and_validate_signed_target, the test must supply a properly
signed click URL. Compute the token with compute_encrypted_sha256_token
over tsurl + original params before building tsclick.

- Collapse nested if/if-let/if-let into a single let-chain condition
  (collapsible_if, Rust 2024 edition let chains)
- Move host_from_spin_url test module to end of file so no items follow
  the test module (items_after_test_module)

Conflict resolutions:
- .cargo/config.toml: keep PR18's clippy-cloudflare without
  --all-features (the cloudflare feature has a non-wasm32
  compile_error! guard) alongside PR19's spin aliases
- CLAUDE.md / README.md: keep PR19's per-adapter lint command list;
  drop the broad --all-features workspace clippy suggestion that the
  cloudflare guard would trip
- cloudflare build.sh: keep PR19's worker-build ^0.8 (matches the
  worker 0.8 dependency bump)
- integration-tests/Cargo.toml: keep PR19's edgezero rev ce6bcf74
  (matches the bumped root workspace pin) with PR18's dual-bump
  warning comment, PR19's exact tokio pin, and PR18's urlencoding
- core proxy.rs: keep PR18's #[test] + block_on style (core has no
  tokio, tests must run on wasm via Viceroy) with PR19's updated
  proxy_rebuild test body that signs the click URL for tstoken
  validation
- parity.rs: keep PR19's three-way Spin coverage on top of PR18's
  routes_with_settings seams; spin_router() helper added; JSON
  key-set parity extended to Spin
- Lock files regenerated from the merged manifests

Semantic fixes for PR16-18 API changes in the Spin adapter:
- handle_proxy now takes ProxyDispatchInput
- handle_auction gained kv, partner registry, and EC context parameters
- PlatformSelectResult gained failed_backend_name
- supports_concurrent_fanout() reports false (send_async executes
  eagerly) so the orchestrator rejects multi-provider auctions before
  any request launches; select keeps its defense-in-depth rejection
- resolve_publisher_response delegates to the shared
  buffer_publisher_response so the max_buffered_body_bytes cap applies
  on Spin too
- TrustedServerApp::routes_with_settings() seam added; Spin middleware
  and route tests build explicit test settings instead of the baked
  placeholder secrets that get_settings() rejects

Also adapt fastly main.rs TLS metadata calls to the fastly 0.12 API
(get_tls_protocol / get_tls_cipher_openssl_name now return
Result<Option<&str>>)

The merged [lints.clippy] block from PR18 now applies to this branch's
pre-existing integration test files:
- Collapse the nested if in is_ec_cookie_expired into a let-chain
- Replace redundant closures with serde_json::Value::as_u64
- Replace the denied panic! in the EC scenario loop with an assert!
  carrying the same diagnostic message

CI's freshly installed worker-build ^0.8 requires wasm-bindgen 0.2.123
or newer, but the lock files held worker 0.8.3 with wasm-bindgen
0.2.121 (js-sys exact-pins its companion wasm-bindgen, so only the
worker 0.8.4 bump moves it). Update worker in both the workspace and
integration-tests lock files.

The Spin fallback dispatch reconstructed only the Host header from the trusted
spin-full-url and left client-supplied Forwarded/X-Forwarded-* headers intact.
Because build_runtime_services sets no TLS signal, detect_request_scheme had no
trusted scheme source and fell back to http, or to a client-spoofed scheme/host,
which publisher HTML rewriting, integration URL rewriting, and request-signing
context then consumed.

Strip the spoofable forwarded headers (mirroring the Fastly/Axum edge
sanitization), then inject both the trusted Host and the trusted scheme parsed
from spin-full-url. Extracted the logic into apply_trusted_host_and_scheme and
added unit tests covering spoofed X-Forwarded-* headers and Host preservation.

The Spin route table only registered GET and POST for / and /{*rest} and only
each named route's primary method, so HEAD /, OPTIONS /page (CORS preflight),
HEAD /first-party/proxy, and similar requests returned a router-level 405
instead of reaching the publisher/integration fallback like Fastly and Axum.

Mirror the Fastly/Axum publisher_fallback_methods() pattern: register GET, POST,
HEAD, OPTIONS, PUT, PATCH, and DELETE for the catch-all and for every named
path's non-primary methods, all routed through the shared fallback. Dynamic
/static/tsjs= handling stays GET-only (now gated inside dispatch on the request
method). Added route tests for HEAD /, OPTIONS, and a non-primary method on a
named path; updated the PUT /verify-signature test to assert fall-through.

handle_first_party_proxy_rebuild validated the original tstoken but then let
payload.del/add mutate any parameter, including the reserved tsexp replay bound
that handle_first_party_proxy_sign attaches. A public rebuild request could take
a still-valid expiring /first-party/click URL, delete tsexp, and receive a
freshly signed click URL that reconstruct_and_validate_signed_target accepts
indefinitely (expiration is optional).

Treat tsexp, tstoken, and tsurl as reserved: reject del/add for them so the
bounded expiration is preserved and re-signed. Added regression tests asserting
deletion of tsexp is rejected and that a normal rebuild retains the tsexp bound.

The digit-leading KID rejection (added to block Spin variable-encoder aliasing)
was applied through validate_kid to every caller, including
handle_deactivate_key. Deployments that created operator-supplied digit-leading
KIDs under the previous validation rules could no longer deactivate or delete
them, since the request was rejected before storage was touched.

Split validation: validate_kid_format enforces the structural constraints
(length, charset) and validate_kid layers the digit-leading rejection on top for
creation/rotation. Deactivation and deletion now use validate_kid_format so
legacy digit-leading KIDs remain removable. Added tests covering both paths.

The Cloudflare build installed worker-build with a floating `^0.8`, which began
resolving to worker-build 0.8.5. That release passes `--force-enable-abort-handler`
to wasm-bindgen, but worker-build downloads the wasm-bindgen CLI matching the
locked `wasm-bindgen` (0.2.123, pulled by worker 0.8.4), and that CLI does not
recognise the flag — so the integration-test Cloudflare bundle build failed with
"unexpected argument '--force-enable-abort-handler'".

Derive the worker crate version from Cargo.lock and pin worker-build to it.
worker-build is released in lockstep with worker, so this keeps the build tool
and the wasm-bindgen CLI it drives compatible, and the pin advances automatically
when the lockfile bumps worker. Verified locally: build.sh installs worker-build
0.8.4 and produces build/index.js without error.

validate_kid now requires a lowercase ASCII leading character, matching the
strictest platform key-name encoder (the Spin variable encoder, which rejects
uppercase- and punctuation-leading KIDs and aliases digit-leading ones). A KID
minted on any adapter must be storable on every backend, so create/rotate
validates against the strictest common denominator and returns a client-
correctable 400 instead of a runtime 5xx on Spin. Deactivation keeps the looser
format check so legacy KIDs stay removable.

Expose kid_is_creatable and add a Spin contract test asserting the encoder
accepts every creatable KID, pinning core >= encoder strictness so the two
lowercase-leading rules cannot silently drift.

normalize_spin_request now always sets Host from the trusted spin-full-url
host instead of preserving a client-supplied value. Keeping an incoming Host
while rebuilding req.uri() from the spin-full-url host left the shared
RequestInfo path (publisher HTML rewriting, integration URL rewriting, signing
context) reading one authority while handlers parsing req.uri() saw another.
Overriding from the single trusted authority keeps both consistent and drops a
client-spoofing vector. The unit test now asserts replacement.

Also add GET /health returning 200 "ok" to both the healthy router and the
startup-error fallback, matching the Fastly entry point and Axum adapter so
deployments can reuse the same liveness probe on Spin. Spin's platform-provided
/.well-known/spin/health is left untouched. Add route and startup-fallback
health tests.

These workspace aliases excluded only Axum and Cloudflare, so after adding
trusted-server-adapter-spin as a member they compiled the Spin adapter on
wasm32-wasip1 without the spin feature. Match the same split already used by
test-fastly and clippy-fastly and rely on the Spin-specific aliases/jobs for
Spin coverage.

…/edgezero-pr19-spin-adapter

# Conflicts:
#	crates/integration-tests/tests/parity.rs