Update pr review findings

Author: prk-Jr

crates/trusted-server-adapter-fastly/src/app.rs

@@ -7,8 +7,9 @@
 //! Builds the [`AppState`] once per Wasm instance.
 //!
 //! `EdgeZero`'s current Fastly request context exposes client IP but not TLS
-//! protocol or cipher metadata. The `EdgeZero` path therefore preserves TLS
-//! metadata as `None` until the upstream adapter exposes those fields.
+//! protocol or cipher metadata. `edgezero_main` injects a trusted `fastly-ssl`
+//! header after stripping client-spoofable headers, so [`detect_request_scheme`]
+//! in `http_util` can still derive the correct scheme for HTTPS traffic.
 //!
 //! # Route inventory
 //!
@@ -149,7 +150,8 @@ pub(crate) fn runtime_services_for_consent_route(
 ///
 /// Extracts the client IP address from the [`FastlyRequestContext`] extension
 /// inserted by `edgezero_adapter_fastly::dispatch`. TLS metadata is not
-/// available through the `EdgeZero` context so those fields are left empty.
+/// available through the `EdgeZero` context; scheme detection relies on the
+/// trusted `fastly-ssl` header injected by `edgezero_main` after sanitization.
 fn build_per_request_services(state: &AppState, ctx: &RequestContext) -> RuntimeServices {
     let client_ip = FastlyRequestContext::get(ctx.request()).and_then(|c| c.client_ip);
 

crates/trusted-server-adapter-fastly/src/main.rs

@@ -160,12 +160,42 @@ fn main() {
 
 /// Handles a request through the `EdgeZero` router path.
 fn edgezero_main(mut req: FastlyRequest, config_store: ConfigStoreHandle) {
+    // Short-circuit the JA4 debug probe before app construction, mirroring
+    // legacy_main. Must run here because TLS/JA4 accessors are only available
+    // on FastlyRequest before conversion to edgezero types.
+    if req.get_method() == FastlyMethod::GET && req.get_path() == "/_ts/debug/ja4" {
+        match get_settings() {
+            Ok(settings) if settings.debug.ja4_endpoint_enabled => {
+                build_ja4_debug_response(&req).send_to_client();
+            }
+            Ok(_) => {
+                FastlyResponse::from_status(fastly::http::StatusCode::NOT_FOUND).send_to_client();
+            }
+            Err(e) => {
+                log::warn!("EdgeZero JA4 endpoint: failed to load settings: {e:?}");
+                FastlyResponse::from_status(fastly::http::StatusCode::INTERNAL_SERVER_ERROR)
+                    .with_body_text_plain("Internal Server Error")
+                    .send_to_client();
+            }
+        }
+        return;
+    }
+
     let app = TrustedServerApp::build_app();
 
     // Strip client-spoofable forwarded headers before handing off to the
     // EdgeZero dispatcher, mirroring the sanitization done in legacy_main.
     compat::sanitize_fastly_forwarded_headers(&mut req);
 
+    // Re-inject a trusted TLS scheme signal after sanitization has stripped any
+    // client-sent fastly-ssl header. Setting it from Fastly's native TLS
+    // metadata here is authoritative. detect_request_scheme in http_util
+    // checks this header so scheme-sensitive logic (publisher URL rewriting,
+    // etc.) produces https URLs on HTTPS traffic, matching legacy path parity.
+    if req.get_tls_protocol().is_some() || req.get_tls_cipher_openssl_name().is_some() {
+        req.set_header("fastly-ssl", "1");
+    }
+
     // Capture client IP before the request is consumed by dispatch.
     let client_ip = req.get_client_ip_addr();
 

crates/trusted-server-core/src/http_util.rs

@@ -169,7 +169,7 @@ fn normalize_scheme(value: &str) -> Option<String> {
 /// 1. `ClientInfo` TLS fields populated at the adapter entry point (most reliable)
 /// 2. Forwarded header (RFC 7239)
 /// 3. X-Forwarded-Proto header
-/// 4. Fastly-SSL header (least reliable, can be spoofed)
+/// 4. Fastly-SSL header (trusted on EdgeZero path; can be spoofed on legacy path)
 /// 5. Default to HTTP
 fn detect_request_scheme(
     req: &Request<EdgeBody>,
@@ -210,7 +210,9 @@ fn detect_request_scheme(
         }
     }
 
-    // 4. Check Fastly-SSL header (can be spoofed by clients, use as last resort)
+    // 4. Check Fastly-SSL header. On the EdgeZero path this is injected from
+    //    authoritative Fastly TLS metadata after spoofable headers are stripped,
+    //    so it is reliable. On direct or legacy paths it can be spoofed by clients.
     if let Some(ssl) = req.headers().get("fastly-ssl") {
         if let Ok(ssl_str) = ssl.to_str() {
             if ssl_str == "1" || ssl_str.to_lowercase() == "true" {