From 240c37e944ade7482442aef13875acad4b240218 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Andr=C3=A9=20dos=20Santos=20Lopes?=
 <gustavo.lopes@datadoghq.com>
Date: Thu, 9 Apr 2026 15:11:58 +0100
Subject: [PATCH 1/3] Enable rust helper on PHP 8.5

---
 .gitlab/generate-appsec.php                   |  1 -
 appsec/src/extension/configuration.h          |  4 +++
 .../appsec/php/docker/AppSecContainer.groovy  |  5 ++++
 .../src/test/bin/enable_extensions.sh         |  5 ++++
 .../appsec/php/integration/CommonTests.groovy | 30 +++++++++++++++++++
 5 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index 62acc18ffc5..5f1021e9cbb 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -191,7 +191,6 @@
           - test8.1-release
           - test8.3-debug
           - test8.4-release-zts
-          - test8.5-release-musl
 
 "helper-rust build and test":
   stage: test
diff --git a/appsec/src/extension/configuration.h b/appsec/src/extension/configuration.h
index c1da7f40743..5ad968bf77b 100644
--- a/appsec/src/extension/configuration.h
+++ b/appsec/src/extension/configuration.h
@@ -28,7 +28,11 @@ extern bool runtime_config_first_init;
 
 #define DD_BASE(path) "/opt/datadog-php/" path
 
+#if PHP_VERSION_ID >= 80500
+#define DD_APPSEC_HELPER_RUST_REDIRECTION_DEFAULT "true"
+#else
 #define DD_APPSEC_HELPER_RUST_REDIRECTION_DEFAULT "false"
+#endif
 
 // clang-format off
 #define DD_CONFIGURATION_GENERAL \
diff --git a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy
index fc8b265321f..8df2a9c2a5d 100644
--- a/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy
+++ b/appsec/tests/integration/src/main/groovy/com/datadog/appsec/php/docker/AppSecContainer.groovy
@@ -491,6 +491,11 @@ class AppSecContainer<SELF extends AppSecContainer<SELF>> extends GenericContain
                 }
             }
             withEnv 'USE_HELPER_RUST', '1'
+        } else {
+            // Mount helper-rust volume so enable_extensions.sh can copy the binary
+            // for the redirection mechanism (DD_APPSEC_HELPER_RUST_REDIRECTION
+            // defaults to true on PHP 8.5+)
+            addVolumeMount('php-helper-rust', '/helper-rust')
         }
 
         String fullWorkVolume = "php-workvol-$workVolume-$phpVersion-$phpVariant"
diff --git a/appsec/tests/integration/src/test/bin/enable_extensions.sh b/appsec/tests/integration/src/test/bin/enable_extensions.sh
index a2ea5da0954..37870c251e8 100755
--- a/appsec/tests/integration/src/test/bin/enable_extensions.sh
+++ b/appsec/tests/integration/src/test/bin/enable_extensions.sh
@@ -11,6 +11,11 @@ HELPER_PATH=/appsec/libddappsec-helper.so
 if [[ -n $USE_HELPER_RUST ]]; then
   echo "Using Rust helper" >&2
   HELPER_PATH=/helper-rust/libddappsec-helper.so
+elif [[ -f /helper-rust/libddappsec-helper.so ]]; then
+  # Copy Rust helper for the redirection mechanism
+  # (DD_APPSEC_HELPER_RUST_REDIRECTION defaults to true on PHP >= 8.5)
+  ln -sf /helper-rust/libddappsec-helper.so \
+    "$(dirname "$HELPER_PATH")/libddappsec-helper-rust.so"
 fi
 
 if [[ -n $USE_SSI ]]; then
diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
index cfc0e2cd1a7..b8c4efd5b47 100644
--- a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
+++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
@@ -863,4 +863,34 @@ trait CommonTests {
         assert span.metrics."_dd.appsec.trace.integer" == 1729
         assert span.meta."_dd.appsec.trace.agent" == "TraceTagging/v4"
     }
+
+    @Test
+    void 'helper runtime default matches PHP version'() {
+        // This test verifies the default helper selection; skip when explicitly overridden
+        org.junit.jupiter.api.Assumptions.assumeTrue(
+            System.getProperty('USE_HELPER_RUST') == null,
+            'Skipped: helper explicitly overridden via -PuseHelperRust')
+
+        def trace = container.traceFromRequest('/phpinfo.php') { HttpResponse<InputStream> resp ->
+            assert resp.statusCode() == 200
+            def content = resp.body().text
+
+            if (TestParams.phpVersionAtLeast('8.5')) {
+                assert content.contains('Yes (Rust)') :
+                    "PHP >= 8.5 should use Rust helper by default"
+            } else {
+                assert content.contains('Yes (C++)') :
+                    "PHP < 8.5 should use C++ helper by default"
+            }
+        }
+
+        Span span = trace.first()
+        if (TestParams.phpVersionAtLeast('8.5')) {
+            assert span.meta."_dd.appsec.helper_runtime" == 'rust' :
+                "PHP >= 8.5 should report helper_runtime=rust in span"
+        } else {
+            assert span.meta."_dd.appsec.helper_runtime" == null :
+                "PHP < 8.5 should not set helper_runtime span tag"
+        }
+    }
 }

From ecbb9cb48e336f82d9035502ba4347b17faeae41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Andr=C3=A9=20dos=20Santos=20Lopes?=
 <gustavo.lopes@datadoghq.com>
Date: Thu, 9 Apr 2026 17:56:37 +0100
Subject: [PATCH 2/3] Fix missing buildHelperRust dependency for PHP 8.5 test
 tasks

PHP 8.5 now defaults to the Rust helper via DD_APPSEC_HELPER_RUST_REDIRECTION,
so the test tasks need to depend on buildHelperRust to ensure the volume is
populated before tests run in CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 appsec/tests/integration/build.gradle | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/appsec/tests/integration/build.gradle b/appsec/tests/integration/build.gradle
index cf973ee0186..9b5ec0977f0 100644
--- a/appsec/tests/integration/build.gradle
+++ b/appsec/tests/integration/build.gradle
@@ -639,6 +639,9 @@ def runMainTask = { String phpVersion, String variant ->
             dependsOn 'buildHelperRustWithCoverage'
         } else if (project.hasProperty('useHelperRust')) {
             dependsOn 'buildHelperRust'
+        } else if (phpVersion == '8.5') {
+            // PHP 8.5+ uses Rust helper by default via DD_APPSEC_HELPER_RUST_REDIRECTION
+            dependsOn 'buildHelperRust'
         }
     }
 }
@@ -710,6 +713,9 @@ def runMainTask = { String phpVersion, String variant ->
             dependsOn 'buildHelperRustWithCoverage'
         } else if (project.hasProperty('useHelperRust')) {
             dependsOn 'buildHelperRust'
+        } else if (phpVersion == '8.5') {
+            // PHP 8.5+ uses Rust helper by default via DD_APPSEC_HELPER_RUST_REDIRECTION
+            dependsOn 'buildHelperRust'
         }
 
         if (phpVersion in ['7.0', '7.1']) {

From 781d4191d3e5b474e15d7c1f04094cab6f872b29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20Andr=C3=A9=20dos=20Santos=20Lopes?=
 <gustavo.lopes@datadoghq.com>
Date: Fri, 10 Apr 2026 14:09:23 +0100
Subject: [PATCH 3/3] Try to satisfy Configuration Consistency

---
 metadata/supported-configurations.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/metadata/supported-configurations.json b/metadata/supported-configurations.json
index f4a3c4d0644..334fc3c0c8c 100644
--- a/metadata/supported-configurations.json
+++ b/metadata/supported-configurations.json
@@ -104,9 +104,9 @@
     ],
     "DD_APPSEC_HELPER_RUST_REDIRECTION": [
       {
-        "implementation": "A",
+        "implementation": "B",
         "type": "boolean",
-        "default": "false"
+        "default": "true"
       }
     ],
     "DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML": [