Extract client IP and TLS info once at adapter boundary (PR7)

crates/trusted-server-adapter-fastly/src/main.rs

@@ -192,7 +192,7 @@ async fn route_request(
                 path
             );
 
-            match handle_publisher_request(settings, integration_registry, req) {
+            match handle_publisher_request(settings, integration_registry, runtime_services, req) {
                 Ok(response) => Ok(response),
                 Err(e) => {
                     log::error!("Failed to proxy to publisher origin: {:?}", e);

crates/trusted-server-core/src/auction/README.md

@@ -256,18 +256,18 @@ The trusted-server handles several types of routes defined in `crates/trusted-se
 
 | Route                     | Method | Handler                        | Purpose                                          | Line |
 |---------------------------|--------|--------------------------------|--------------------------------------------------|------|
-| `/auction`                | POST   | `handle_auction()`             | Main auction endpoint (Prebid.js/tsjs format)    | 84   |
-| `/first-party/proxy`      | GET    | `handle_first_party_proxy()`   | Proxy creatives through first-party domain       | 84   |
-| `/first-party/click`      | GET    | `handle_first_party_click()`   | Track clicks on ads                              | 85   |
-| `/first-party/sign`       | GET/POST | `handle_first_party_proxy_sign()` | Generate signed URLs for creatives            | 86   |
-| `/first-party/proxy-rebuild` | POST | `handle_first_party_proxy_rebuild()` | Rebuild creative HTML with new settings     | 89   |
-| `/static/tsjs=*`          | GET    | `handle_tsjs_dynamic()`        | Serve tsjs library (Prebid.js alternative)       | 66   |
-| `/.well-known/ts.jwks.json` | GET  | `handle_jwks_endpoint()`       | Public key distribution for request signing      | 71   |
-| `/verify-signature`       | POST   | `handle_verify_signature()`    | Verify signed requests                           | 74   |
-| `/admin/keys/rotate`      | POST   | `handle_rotate_key()`          | Rotate signing keys (admin only)                 | 77   |
-| `/admin/keys/deactivate`  | POST   | `handle_deactivate_key()`      | Deactivate signing keys (admin only)             | 78   |
-| `/integrations/*`         | *      | Integration Registry           | Provider-specific endpoints (Prebid, etc.)       | 92   |
-| `*` (fallback)            | *      | `handle_publisher_request()`   | Proxy to publisher origin                        | 108  |
+| `/auction`                | POST   | `handle_auction()`             | Main auction endpoint (Prebid.js/tsjs format)    | 162  |
+| `/first-party/proxy`      | GET    | `handle_first_party_proxy()`   | Proxy creatives through first-party domain       | 167  |
+| `/first-party/click`      | GET    | `handle_first_party_click()`   | Track clicks on ads                              | 170  |
+| `/first-party/sign`       | GET/POST | `handle_first_party_proxy_sign()` | Generate signed URLs for creatives            | 173  |
+| `/first-party/proxy-rebuild` | POST | `handle_first_party_proxy_rebuild()` | Rebuild creative HTML with new settings     | 176  |
+| `/static/tsjs=*`          | GET    | `handle_tsjs_dynamic()`        | Serve tsjs library (Prebid.js alternative)       | 145  |
+| `/.well-known/trusted-server.json` | GET  | `handle_trusted_server_discovery()` | Public key distribution for request signing | 149  |
+| `/verify-signature`       | POST   | `handle_verify_signature()`    | Verify signed requests                           | 154  |
+| `/admin/keys/rotate`      | POST   | `handle_rotate_key()`          | Rotate signing keys (admin only)                 | 158  |
+| `/admin/keys/deactivate`  | POST   | `handle_deactivate_key()`      | Deactivate signing keys (admin only)             | 159  |
+| `/integrations/*`         | *      | Integration Registry           | Provider-specific endpoints (Prebid, etc.)       | 179  |
+| `*` (fallback)            | *      | `handle_publisher_request()`   | Proxy to publisher origin                        | 195  |
 
 ### How Routing Works
 
@@ -276,20 +276,40 @@ The Fastly Compute entrypoint uses pattern matching on `(Method, path)` tuples:
 
 ```rust
 let result = match (method, path.as_str()) {
-    // Auction endpoint
-    (Method::POST, "/auction") => handle_auction(&settings, req).await,
-
-    // First-party endpoints
-    (Method::GET, "/first-party/proxy") => handle_first_party_proxy(&settings, req).await,
-
-    // Integration registry (dynamic routes)
-    (m, path) if integration_registry.has_route(&m, path) => {
-        integration_registry.handle_proxy(&m, path, &settings, req).await
-    },
-
-    // Fallback to publisher origin
-    _ => handle_publisher_request(&settings, &integration_registry, req),
-}
+    (Method::GET, path) if path.starts_with("/static/tsjs=") => {
+        handle_tsjs_dynamic(&req, integration_registry)
+    }
+    (Method::GET, "/.well-known/trusted-server.json") => {
+        handle_trusted_server_discovery(settings, runtime_services, req)
+    }
+    (Method::POST, "/verify-signature") => handle_verify_signature(settings, req),
+    (Method::POST, "/admin/keys/rotate") => handle_rotate_key(settings, req),
+    (Method::POST, "/admin/keys/deactivate") => handle_deactivate_key(settings, req),
+    (Method::POST, "/auction") => {
+        handle_auction(settings, orchestrator, runtime_services, req).await
+    }
+    (Method::GET, "/first-party/proxy") => {
+        handle_first_party_proxy(settings, runtime_services, req).await
+    }
+    (Method::GET, "/first-party/click") => {
+        handle_first_party_click(settings, runtime_services, req).await
+    }
+    (Method::GET, "/first-party/sign") | (Method::POST, "/first-party/sign") => {
+        handle_first_party_proxy_sign(settings, runtime_services, req).await
+    }
+    (Method::POST, "/first-party/proxy-rebuild") => {
+        handle_first_party_proxy_rebuild(settings, runtime_services, req).await
+    }
+    (m, path) if integration_registry.has_route(&m, path) => integration_registry
+        .handle_proxy(&m, path, settings, runtime_services, req)
+        .await
+        .unwrap_or_else(|| {
+            Err(Report::new(TrustedServerError::BadRequest {
+                message: format!("Unknown integration route: {path}"),
+            }))
+        }),
+    _ => handle_publisher_request(settings, integration_registry, runtime_services, req),
+};
 ```
 
 #### 2. Integration Registry (Dynamic Routes)

crates/trusted-server-core/src/auction/endpoints.rs

@@ -7,7 +7,6 @@ use crate::auction::formats::AdRequest;
 use crate::consent;
 use crate::cookies::handle_request_cookies;
 use crate::error::TrustedServerError;
-use crate::geo::GeoInfo;
 use crate::platform::RuntimeServices;
 use crate::settings::Settings;
 use crate::synthetic::get_or_generate_synthetic_id;
@@ -49,16 +48,21 @@ pub async fn handle_auction(
 
     // Generate synthetic ID early so the consent pipeline can use it for
     // KV Store fallback/write operations.
-    let synthetic_id = get_or_generate_synthetic_id(settings, &req).change_context(
+    let synthetic_id = get_or_generate_synthetic_id(settings, services, &req).change_context(
         TrustedServerError::Auction {
             message: "Failed to generate synthetic ID".to_string(),
         },
     )?;
 
     // Extract consent from request cookies, headers, and geo.
     let cookie_jar = handle_request_cookies(&req)?;
-    #[allow(deprecated)]
-    let geo = GeoInfo::from_request(&req);
+    let geo = services
+        .geo()
+        .lookup(services.client_info.client_ip)
+        .unwrap_or_else(|e| {
+            log::warn!("geo lookup failed: {e}");
+            None
+        });
     let consent_context = consent::build_consent_context(&consent::ConsentPipelineInput {
         jar: cookie_jar.as_ref(),
         req: &req,
@@ -68,13 +72,21 @@ pub async fn handle_auction(
     });
 
     // Convert tsjs request format to auction request
-    let auction_request =
-        convert_tsjs_to_auction_request(&body, settings, &req, consent_context, &synthetic_id)?;
+    let auction_request = convert_tsjs_to_auction_request(
+        &body,
+        settings,
+        services,
+        &req,
+        consent_context,
+        &synthetic_id,
+        geo,
+    )?;
 
     // Create auction context
     let context = AuctionContext {
         settings,
         request: &req,
+        client_info: &services.client_info,
         timeout_ms: settings.auction.timeout_ms,
         provider_responses: None,
     };

crates/trusted-server-core/src/auction/formats.rs

@@ -16,8 +16,8 @@ use crate::auction::context::ContextValue;
 use crate::consent::ConsentContext;
 use crate::creative;
 use crate::error::TrustedServerError;
-use crate::geo::GeoInfo;
 use crate::openrtb::{to_openrtb_i32, OpenRtbBid, OpenRtbResponse, ResponseExt, SeatBid, ToExt};
+use crate::platform::{GeoInfo, RuntimeServices};
 use crate::settings::Settings;
 use crate::synthetic::generate_synthetic_id;
 
@@ -82,15 +82,18 @@ pub struct BannerUnit {
 pub fn convert_tsjs_to_auction_request(
     body: &AdRequest,
     settings: &Settings,
+    services: &RuntimeServices,
     req: &Request,
     consent: ConsentContext,
     synthetic_id: &str,
+    geo: Option<GeoInfo>,
 ) -> Result<AuctionRequest, Report<TrustedServerError>> {
     let synthetic_id = synthetic_id.to_owned();
-    let fresh_id =
-        generate_synthetic_id(settings, req).change_context(TrustedServerError::Auction {
+    let fresh_id = generate_synthetic_id(settings, services, req).change_context(
+        TrustedServerError::Auction {
             message: "Failed to generate fresh ID".to_string(),
-        })?;
+        },
+    )?;
 
     // Convert ad units to slots
     let mut slots = Vec::new();
@@ -137,9 +140,8 @@ pub fn convert_tsjs_to_auction_request(
         user_agent: req
             .get_header_str("user-agent")
             .map(std::string::ToString::to_string),
-        ip: req.get_client_ip_addr().map(|ip| ip.to_string()),
-        #[allow(deprecated)]
-        geo: GeoInfo::from_request(req),
+        ip: services.client_info.client_ip.map(|ip| ip.to_string()),
+        geo,
     });
 
     // Forward allowed config entries from the JS request into the context map.

crates/trusted-server-core/src/auction/orchestrator.rs

@@ -145,6 +145,7 @@ impl AuctionOrchestrator {
             let mediator_context = AuctionContext {
                 settings: context.settings,
                 request: context.request,
+                client_info: context.client_info,
                 timeout_ms: remaining_ms,
                 provider_responses: Some(&provider_responses),
             };
@@ -321,6 +322,7 @@ impl AuctionOrchestrator {
             let provider_context = AuctionContext {
                 settings: context.settings,
                 request: context.request,
+                client_info: context.client_info,
                 timeout_ms: effective_timeout,
                 provider_responses: context.provider_responses,
             };
@@ -673,10 +675,12 @@ mod tests {
     fn create_test_context<'a>(
         settings: &'a crate::settings::Settings,
         req: &'a Request,
+        client_info: &'a crate::platform::ClientInfo,
     ) -> AuctionContext<'a> {
         AuctionContext {
             settings,
             request: req,
+            client_info,
             timeout_ms: 2000,
             provider_responses: None,
         }
@@ -769,7 +773,15 @@ mod tests {
         let request = create_test_auction_request();
         let settings = create_test_settings();
         let req = Request::get("https://test.com/test");
-        let context = create_test_context(&settings, &req);
+        let context = create_test_context(
+            &settings,
+            &req,
+            &crate::platform::ClientInfo {
+                client_ip: None,
+                tls_protocol: None,
+                tls_cipher: None,
+            },
+        );
 
         let result = orchestrator
             .run_auction(&request, &context, &noop_services())

crates/trusted-server-core/src/auction/types.rs

@@ -6,6 +6,7 @@ use std::collections::HashMap;
 
 use crate::auction::context::ContextValue;
 use crate::geo::GeoInfo;
+use crate::platform::ClientInfo;
 use crate::settings::Settings;
 
 /// Represents a unified auction request across all providers.
@@ -102,6 +103,7 @@ pub struct SiteInfo {
 pub struct AuctionContext<'a> {
     pub settings: &'a Settings,
     pub request: &'a Request,
+    pub client_info: &'a ClientInfo,
     pub timeout_ms: u32,
     /// Provider responses from the bidding phase, used by mediators.
     /// This is `None` for regular bidders and `Some` when calling a mediator.