[codex] Fix product onboarding gaps

[albert-einshutoin]

Summary

Fixes the product review findings around first-run onboarding, documented CLI behavior, deploy guidance, and npm package examples.

Changes

• Adds cdn-security build --allow-placeholder-token to the CLI and programmatic compile path, matching existing compiler support.
• Adds regression coverage for CLI and API placeholder builds without auth env vars.
• Syncs Quick Start docs with README guidance for build-time secrets and local fixture secrets.
• Adds a clear recommended first deployment path: AWS + Terraform using spa-static-site.
• Reworks IaC WAF guidance toward a concrete Terraform root layout and Web ACL attachment flow.
• Includes example project docs/package/policy files in the npm package while excluding example node_modules and generated dist artifacts.

Validation

• node bin/cli.js build --help | rg -n "allow-placeholder|Usage|Options"
• node bin/cli.js build --allow-placeholder-token
• npm run test:api-contract
• npm run typecheck
• npm run test:unit
• EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy ORIGIN_SECRET=ci-origin-secret-not-for-deploy npm run build && EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy ORIGIN_SECRET=ci-origin-secret-not-for-deploy npm run test:runtime
• EDGE_ADMIN_TOKEN=ci-build-token-not-for-deploy ORIGIN_SECRET=ci-origin-secret-not-for-deploy npm run test:drift
• npm run test:package
• npm pack --dry-run 2>&1 | rg "examples/|node_modules|dist/edge|total files"

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 64b84073d8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Correct generated Web ACL reference

For users following this Terraform example with project: example-cdn-security, this reference points to a resource that the generator never creates. The infra compiler keeps hyphens in the sanitized project name and appends -waf-acl for the Web ACL label (webAclName = projectName + '-waf-acl' in scripts/compile-infra.js), so copying waf-rules.tf.json will define a differently named aws_wafv2_web_acl and terraform plan will fail with an undeclared resource when this snippet is used.

Useful? React with 👍 / 👎.