Skip to content

Trusted Server CLI

The Trusted Server CLI binary is ts. It is a host-target operator tool for configuration, page audits, and EdgeZero-backed lifecycle commands.

Install from source

The workspace default target is wasm32-wasip1, so build or test the CLI with your host target:

bash
HOST_TARGET="$(rustc -vV | sed -n 's/^host: //p')"
cargo build --package trusted-server-cli --target "$HOST_TARGET"

Common workflow

bash
ts config init
# Edit trusted-server.toml
ts config validate
ts auth login --adapter fastly
ts provision --adapter fastly
ts config push --adapter fastly
ts serve --adapter fastly

Configuration commands

Create a starter Trusted Server config:

bash
ts config init

config init accepts --app-config <path> and the compatibility alias --config <path>.

Validate a local config before pushing it to platform storage:

bash
ts config validate

Push Trusted Server config through EdgeZero:

bash
ts config push --adapter fastly

config validate and config push use EdgeZero's typed app-config loader. By default that loader applies TRUSTED_SERVER__... environment overlays before validation and blob creation. Pass --no-env for file-only operation.

config push publishes a single EdgeZero BlobEnvelope containing the validated Trusted Server settings JSON. This blob model is intentional because full Trusted Server configs can exceed Fastly limits when split into one config-store entry per setting.

Lifecycle commands

Lifecycle commands delegate to the selected EdgeZero adapter:

bash
ts auth login --adapter fastly
ts build --adapter fastly
ts provision --adapter fastly
ts deploy --adapter fastly
ts serve --adapter fastly

Audit a public page

ts audit loads a public page in a fresh headless Chrome/Chromium session, collects rendered JavaScript asset evidence, detects known Trusted Server integrations, and writes local draft artifacts.

Chrome or Chromium must be installed locally. The command checks common PATH names and standard macOS/Linux install locations.

bash
ts audit https://publisher.example

By default, the command writes:

FilePurpose
js-assets.tomlJavaScript asset inventory, detected integrations, counts, and warnings.
trusted-server.tomlDraft Trusted Server config based on the starter template and final URL.

The generated config is a draft. Review it, replace placeholders/secrets, adjust publisher-specific settings, then run:

bash
ts config validate

If a config already exists, avoid overwriting it:

bash
ts audit https://publisher.example --no-config

Use custom output paths when reviewing artifacts first:

bash
ts audit https://publisher.example \
  --js-assets audit/js-assets.toml \
  --config audit/trusted-server.toml

Use --force only when replacing existing output files is intentional:

bash
ts audit https://publisher.example --force

ts audit is not an EdgeZero adapter command. It has no --adapter option and it does not provision resources, push config, build, deploy, or contact platform APIs.

Generate an external Prebid bundle

ts prebid bundle builds the local external Prebid browser bundle configured in trusted-server.toml.

toml
[integrations.prebid.bundle]
adapters = ["rubicon", "kargo"]
user_id_modules = ["sharedIdSystem"]

Run the command after installing JS dependencies:

bash
cd crates/trusted-server-js/lib && npm ci
cd ../../..
ts prebid bundle

By default, generated artifacts are written to dist/prebid/, and the command updates integrations.prebid.external_bundle_sha256 and integrations.prebid.external_bundle_sri in trusted-server.toml. Upload the generated JavaScript file yourself, set external_bundle_url to its HTTPS asset URL, and include that host (plus any redirect targets) in proxy.allowed_domains before running ts config validate or ts config push.

Use custom paths when needed:

bash
ts prebid bundle --config publisher-a.toml --out build/prebid

ts prebid bundle is local-only. It has no --adapter option and does not upload, provision, deploy, or push config.

Released under the Apache License 2.0.