Add focused coverage for production readiness test gaps

[ChristianPavilonis]

Summary

• Add focused unit coverage for production-readiness backlog test gaps under Production readiness #396.
• Cover error status mapping, bare-host rewrite boundaries, TSJS script tag/source generation, and auction format conversion behavior.
• Document the current banner-only auction request conversion behavior without changing runtime behavior.
• Supersedes Add test coverage for error mapping and tsjs helpers #648 for the overlapping Add tests for TrustedServerError HTTP status mapping #448/Add unit tests for tsjs script source and tag generation #450 coverage.

Changes

File	Change
crates/trusted-server-core/src/error.rs	Added direct status-code mapping coverage for every current TrustedServerError variant, including a compile-time exhaustive match guard for new variants.
crates/trusted-server-core/src/host_rewrite.rs	Added direct boundary tests for exact hosts, paths, punctuation, multiple occurrences, subdomains, suffixes, empty inputs, and ports.
crates/trusted-server-core/src/tsjs.rs	Added tests for unified/deferred script source formatting, hash shape, script tag attributes, empty deferred output, and deferred order preservation.
crates/trusted-server-core/src/auction/formats.rs	Added request/response conversion tests for banner formats, bidder params, context allowlisting, malformed sizes, unsupported media skip behavior, OpenRTB response fields, mediation strategy, missing prices, and out-of-range dimensions.

Closes

Closes #448
Closes #449
Closes #450
Closes #453

Note: #455 references the old synthetic-template path, which no longer exists on current main after the EC ID migration. It should be triaged separately rather than auto-closed by this PR.

Test plan

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
• Manual testing via fastly compute serve
• Other: cargo test -p trusted-server-core status_code_maps_each_error_variant_to_expected_http_response -- --nocapture; cargo test -p trusted-server-core tsjs_ -- --nocapture; cargo test -p trusted-server-core rewrite -- --nocapture; cargo test -p trusted-server-core convert_tsjs_to_auction_request -- --nocapture; cargo test -p trusted-server-core convert_to_openrtb_response -- --nocapture

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses log macros (not println!)
• New code has tests
• No secrets or credentials committed

[prk-Jr]

Summary

Pure test additions across four files — error.rs, host_rewrite.rs, tsjs.rs, and auction/formats.rs. No production code changed. All CI checks pass. Test quality is high overall; a few missing edge cases and one misleading helper message noted inline.

Non-blocking

🏕 camp site

• Forbidden and AllowlistViolation user_message untested — Both variants fall into the _ catch-all in user_message and return "An internal error occurred" despite being 4xx responses. The existing server_errors_return_generic_message test does not include them. Worth adding both to explicitly document (and lock in) the intended behavior — or, if a more descriptive message is preferred for 403s, this is the place to catch it.

🌱 seedling

• Host-in-path-segment behavior unspecified (host_rewrite.rs) — Input https://cdn.example.com/assets/origin.example.com/image.png will be rewritten because / is not a is_host_char. This may be intentional for Next.js __next_f payloads but is undocumented and untested. A test explicitly asserting current behavior would prevent silent regressions.

• Empty module list edge case (tsjs.rs) — tsjs_script_src(&[]) behavior is unspecified. What does concatenated_hash(&[]) return? Low risk but a documentation test would lock in the contract.

CI Status

• cargo fmt: PASS
• cargo clippy: PASS
• cargo test: PASS
• vitest: PASS
• integration tests: PASS
• browser integration tests: PASS

[aram356]

Summary

Follow-up to the prior review on the same head commit — only new findings missed last pass. Still no blocking items; verdict is COMMENT.

• 3 🌱 seedling — coverage gaps: hash order/dedup invariants, empty winning_bids response, height out-of-range symmetry.
• 2 ⛏ nitpick — redundant use in the test module; mixed *.example / example.com test-fixture TLDs.
• 2 👍 praise — compile-time exhaustiveness guard pattern; banner-only behavior pinned by a test.

The prior review's findings remain open (no commits since 2a3edb77) — they're tracked there, not re-posted here.

CI Status

• cargo fmt: PASS
• cargo clippy: PASS
• cargo test: PASS
• vitest: PASS
• integration tests: PASS
• browser integration tests: PASS

[aram356]

Requesting changes to address the 5 non-praise findings (3 🌱 + 2 ⛏) in my prior review — and the 9 still-open items from the earlier review that haven't been addressed yet.