Trusted Server CLI
The Trusted Server CLI binary is ts. It is a host-target operator tool for configuration, page audits, and EdgeZero-backed lifecycle commands.
Install from source
The workspace default target is wasm32-wasip1, so build or test the CLI with your host target:
HOST_TARGET="$(rustc -vV | sed -n 's/^host: //p')"
cargo build --package trusted-server-cli --target "$HOST_TARGET"Common workflow
ts config init
# Edit trusted-server.toml
ts config validate
ts auth login --adapter fastly
ts provision --adapter fastly
ts config push --adapter fastly
ts serve --adapter fastlyConfiguration commands
Create a starter Trusted Server config:
ts config initconfig init accepts --app-config <path> and the compatibility alias --config <path>.
Validate a local config before pushing it to platform storage:
ts config validatePush Trusted Server config through EdgeZero:
ts config push --adapter fastlyconfig validate and config push use EdgeZero's typed app-config loader. By default that loader applies TRUSTED_SERVER__... environment overlays before validation and blob creation. Pass --no-env for file-only operation.
config push publishes a single EdgeZero BlobEnvelope containing the validated Trusted Server settings JSON. This blob model is intentional because full Trusted Server configs can exceed Fastly limits when split into one config-store entry per setting.
Lifecycle commands
Lifecycle commands delegate to the selected EdgeZero adapter:
ts auth login --adapter fastly
ts build --adapter fastly
ts provision --adapter fastly
ts deploy --adapter fastly
ts serve --adapter fastlyAudit a public page
ts audit loads a public page in a fresh headless Chrome/Chromium session, collects rendered JavaScript asset evidence, detects known Trusted Server integrations, and writes local draft artifacts.
Chrome or Chromium must be installed locally. The command checks common PATH names and standard macOS/Linux install locations.
ts audit https://publisher.exampleBy default, the command writes:
| File | Purpose |
|---|---|
js-assets.toml | JavaScript asset inventory, detected integrations, counts, and warnings. |
trusted-server.toml | Draft Trusted Server config based on the starter template and final URL. |
The generated config is a draft. Review it, replace placeholders/secrets, adjust publisher-specific settings, then run:
ts config validateIf a config already exists, avoid overwriting it:
ts audit https://publisher.example --no-configUse custom output paths when reviewing artifacts first:
ts audit https://publisher.example \
--js-assets audit/js-assets.toml \
--config audit/trusted-server.tomlUse --force only when replacing existing output files is intentional:
ts audit https://publisher.example --forcets audit is not an EdgeZero adapter command. It has no --adapter option and it does not provision resources, push config, build, deploy, or contact platform APIs.
Generate an external Prebid bundle
ts prebid bundle builds the local external Prebid browser bundle configured in trusted-server.toml.
[integrations.prebid.bundle]
adapters = ["rubicon", "kargo"]
user_id_modules = ["sharedIdSystem"]Run the command after installing JS dependencies:
cd crates/trusted-server-js/lib && npm ci
cd ../../..
ts prebid bundleBy default, generated artifacts are written to dist/prebid/, and the command updates integrations.prebid.external_bundle_sha256 and integrations.prebid.external_bundle_sri in trusted-server.toml. Upload the generated JavaScript file yourself, set external_bundle_url to its HTTPS asset URL, and include that host (plus any redirect targets) in proxy.allowed_domains before running ts config validate or ts config push.
Use custom paths when needed:
ts prebid bundle --config publisher-a.toml --out build/prebidts prebid bundle is local-only. It has no --adapter option and does not upload, provision, deploy, or push config.