Running vcl_recv and vcl_deliver on shield seems redundant


So it’s kind of abstract question. I know that shield works exactly as any other node and runs same VCL and that’s why we need all these complex conditions " if (!req.http.fastly-ff) {…} ", don’t change headers if already set and so on.
The question is why was it designed this way? What’s the point of running same vcl_recv and getting invalid results because some headers already set, url already replaced, and even IP is changed, thus affecting geolocation conditions.

If i’d make it I’d pass req.hash as is to the shield and run there only bare minimum required to cache properly -
vcl_hit/miss and vcl_fetch (in case of miss).

This seems quite easy to implement with single Fastly-FF condition in the beginning of most subrutines, but I’m obviously missing something, otherwise it would already be done by Fastly team.