Honor publisher Host override and bypass IO for SVG assets

[ChristianPavilonis]

Summary

• Thread publisher origin Host header overrides through the platform backend abstraction.
• Ensure Fastly dynamic backends call override_host when publisher.origin_host_header_override is configured.
• Keep integration, asset, and generic proxy backend registrations unchanged by using no override.
• Bypass Fastly Image Optimizer for SVG asset requests when either the incoming path or rewritten target path ends in .svg/.svgz.

Changes

File	Change
crates/trusted-server-core/src/platform/types.rs	Added optional host_header_override to PlatformBackendSpec.
crates/trusted-server-core/src/publisher.rs	Passes publisher.origin_host_header_override when registering the publisher origin backend.
crates/trusted-server-adapter-fastly/src/platform.rs	Wires PlatformBackendSpec::host_header_override into BackendConfig::host_header_override; adds override-aware backend name test.
crates/trusted-server-core/src/integrations/mod.rs	Sets no host override for integration backends.
crates/trusted-server-core/src/integrations/datadome/protection.rs	Sets no host override for DataDome protection backend.
crates/trusted-server-core/src/proxy.rs	Sets no host override for asset and signed proxy backends; skips Image Optimizer for incoming SVG paths even when route rewrites remove the extension.
crates/trusted-server-core/src/platform/test_support.rs	Updates test backend spec construction for the new field.

Closes

Closes #786

Test plan

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
• Manual testing: verified deployed SVG logo loads after bypassing Image Optimizer
• Other: Not run; Rust-only change.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses logging macros (not println!)
• New code has tests
• No secrets or credentials committed

[ChristianPavilonis]

Follow-up after testing the deployed branch: the first patch deployed as x-ts-version: 281 still produced the origin 404. I found an additional Host handling issue in the Fastly request conversion path: edge_request_to_fastly() constructed a Fastly request from the absolute origin URL, then appended forwarded headers. If Fastly had already populated Host/authority from the URL, appending the configured Host could leave the backend host in effect. The latest commit replaces the URL-derived Host header instead of appending a duplicate and adds a targeted test for that conversion behavior. Please redeploy latest branch commit 65a475c9.

[aram356]

Summary

Correct, well-tested, and CI-green. The publisher Host-override is implemented through the right mechanism — origin_host_header_override → PlatformBackendSpec.host_header_override → BackendConfig::ensure() → Backend::override_host(...), which the Fastly SDK documents as forcing the outbound Host. The SVG Image Optimizer bypass is a genuine correctness fix with a focused regression test. No blocking issues; two non-blocking suggestions (inline) to make intent explicit and add the unit-testable half of the override coverage.

Non-blocking

♻️ refactor

• Document the Host set_header normalization — it's defensive only; the wire Host is forced by the backend's override_host, and it applies to every backend, not just the publisher origin. (crates/trusted-server-adapter-fastly/src/platform.rs:312 — suggestion inline)
• Add request-side override coverage — assert a configured origin_host_header_override reaches the outbound request's Host header via StubHttpClient. (crates/trusted-server-core/src/publisher.rs — suggested test inline)

👍 praise

• SVG bypass checks both incoming and rewritten paths with a targeted regression test. (crates/trusted-server-core/src/proxy.rs)
• Backend name encodes the override (_oh_ suffix) so different overrides don't collide or get poisoned by first-registration-wins, and the value is validated against control characters. (crates/trusted-server-core/src/backend.rs)

⛏ nitpick

• History includes "Load Prebid split bundle synchronously" and its immediate revert (net-zero in the diff) — consider squashing on merge.

CI Status

• fmt: PASS
• clippy: PASS
• rust tests: PASS
• js tests: PASS
• integration / browser tests: PASS

[aram356]

♻️ refactor — The override wiring is currently only covered indirectly (backend-name encoding). The request-side half is unit-testable with the existing StubHttpClient: assert that a configured origin_host_header_override reaches the outbound request's Host header. (The Fastly override_host forcing still needs manual verification — it only runs in the Fastly runtime.) Suggested test for the #[cfg(test)] mod tests block in this file:

#[tokio::test]
async fn publisher_request_sends_configured_host_header_override() {
    let mut settings = create_test_settings();
    settings.publisher.origin_host_header_override = Some("www.example.com".to_string());
    let registry =
        IntegrationRegistry::new(&settings).expect("should create integration registry");
    let stub = Arc::new(StubHttpClient::new());
    stub.push_response(200, b"origin response".to_vec());
    let services = build_services_with_http_client(
        Arc::clone(&stub) as Arc<dyn crate::platform::PlatformHttpClient>
    );
    let req = HttpRequest::builder()
        .method(Method::GET)
        .uri("https://publisher.example/page")
        .header(header::HOST, "publisher.example")
        .body(EdgeBody::empty())
        .expect("should build request");

    handle_publisher_request(&settings, &registry, &services, req)
        .await
        .expect("should proxy publisher request");

    let recorded_headers = stub.recorded_request_headers();
    let outbound = recorded_headers
        .first()
        .expect("should record one outbound origin request");
    let host_header = outbound
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case("host"))
        .map(|(_, value)| value.as_str());
    assert_eq!(
        host_header,
        Some("www.example.com"),
        "should send the configured origin host header override to the backend"
    );
}