Add EC module with lifecycle management, consent gating, and config migration

- Add ec/ module with EcContext lifecycle, generation, cookies, and consent
- Compute cookie domain from publisher.domain, move EC cookie helpers
- Fix auction consent gating, restore cookie_domain for non-EC cookies
- Add integration proxy revocation, refactor EC parsing, clean up ec_hash
- Remove fresh_id and ec_fresh per EC spec §12.1
- Migrate [edge_cookie] config to [ec] per spec §14

Author: ChristianPavilonis

CLAUDE.md

@@ -366,7 +366,7 @@ both runtime behavior and build/tooling changes.
 | `crates/trusted-server-core/src/tsjs.rs`                  | Script tag generation with module IDs             |
 | `crates/trusted-server-core/src/html_processor.rs`        | Injects `<script>` at `<head>` start              |
 | `crates/trusted-server-core/src/publisher.rs`             | `/static/tsjs=` handler, concatenates modules     |
-| `crates/trusted-server-core/src/edge_cookie.rs`           | Edge Cookie (EC) ID generation                    |
+| `crates/trusted-server-core/src/ec/`                      | EC identity subsystem (generation, consent, cookies) |
 | `crates/trusted-server-core/src/cookies.rs`               | Cookie handling                                   |
 | `crates/trusted-server-core/src/consent/mod.rs`           | GDPR and broader consent management               |
 | `crates/trusted-server-core/src/http_util.rs`             | HTTP abstractions and request utilities           |

PUBLISHER_IDS_AUDIT.md

@@ -20,8 +20,9 @@ This document lists all publisher-specific IDs and configurations found in the c
 - `cookie_domain = ".test-publisher.com"` (line 3)
 - `origin_url = "https://origin.test-publisher.com"` (line 4)
 
-**KV Store Names:**
-*(Removed — `counter_store` and `opid_store` were removed in the EC rename; they were vestigial from the template-based SyntheticID generation.)*
+**KV Store Names (user-specific):**
+- `counter_store = "jevans_synth_id_counter"` (line 24)
+- `opid_store = "jevans_synth_id_opid"` (line 25)
 
 ## Hardcoded in Source Code
 

crates/integration-tests/fixtures/configs/viceroy-template.toml

@@ -7,7 +7,9 @@
     [local_server.backends]
 
     [local_server.kv_stores]
-        [[local_server.kv_stores.creative_store]]
+         # These inline placeholders satisfy Viceroy's local KV configuration
+         # requirements without exercising KV-backed application behavior.
+         [[local_server.kv_stores.creative_store]]
             key = "placeholder"
             data = "placeholder"
 

crates/js/lib/package-lock.json

@@ -26,7 +26,7 @@
     "eslint": "^9.10.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-jsdoc": "^62.8.0",
+    "eslint-plugin-jsdoc": "^62.5.4",
     "eslint-plugin-unicorn": "^62.0.0",
     "jsdom": "^28.0.0",
     "prettier": "^3.2.5",

crates/js/lib/package.json

@@ -7,16 +7,15 @@ import NORMALIZE_CSS from './styles/normalize.css?inline';
 import IFRAME_TEMPLATE from './templates/iframe.html?raw';
 
 // Sandbox permissions granted to creative iframes.
-// Ad creatives routinely contain scripts for tracking, click handling, and
-// viewability measurement, so allow-scripts and allow-same-origin are required
-// for creatives to render correctly. Server-side sanitization is the primary
-// defense against malicious markup; the sandbox provides defense-in-depth.
+// Notably absent:
+//   allow-scripts, allow-same-origin — prevent JS execution and same-origin
+//     access, which are the primary attack vectors for malicious creatives.
+//   allow-forms — server-side sanitization strips <form> elements, so form
+//     submission from creatives is not a supported use case. Omitting this token
+//     is consistent with that server-side policy and reduces the attack surface.
 const CREATIVE_SANDBOX_TOKENS = [
-  'allow-forms',
   'allow-popups',
   'allow-popups-to-escape-sandbox',
-  'allow-same-origin',
-  'allow-scripts',
   'allow-top-navigation-by-user-activation',
 ] as const;
 

crates/js/lib/src/core/render.ts

@@ -269,13 +269,6 @@ export function installPrebidNpm(config?: Partial<PrebidNpmConfig>): typeof pbjs
       } else {
         unit.bids.push({ bidder: ADAPTER_CODE, params: tsParams });
       }
-
-      // Remove server-side bidder entries — they are now handled via the
-      // trustedServer adapter. Only keep client-side bidders (which run via
-      // their native Prebid.js adapters) and the trustedServer bid itself.
-      unit.bids = unit.bids.filter(
-        (b) => b.bidder === ADAPTER_CODE || clientSideBidders.has(b.bidder ?? '')
-      );
     }
 
     // Ensure the trustedServer adapter is allowed to return bids under any

crates/js/lib/src/integrations/prebid/index.ts

@@ -27,12 +27,12 @@ describe('render', () => {
     expect(iframe.srcdoc).toContain('<span>ad</span>');
     expect(div.querySelector('iframe')).toBe(iframe);
     const sandbox = iframe.getAttribute('sandbox') ?? '';
-    expect(sandbox).toContain('allow-forms');
+    expect(sandbox).not.toContain('allow-forms');
     expect(sandbox).toContain('allow-popups');
     expect(sandbox).toContain('allow-popups-to-escape-sandbox');
     expect(sandbox).toContain('allow-top-navigation-by-user-activation');
-    expect(sandbox).toContain('allow-same-origin');
-    expect(sandbox).toContain('allow-scripts');
+    expect(sandbox).not.toContain('allow-same-origin');
+    expect(sandbox).not.toContain('allow-scripts');
   });
 
   it('preserves dollar sequences when building the creative document', async () => {

crates/js/lib/test/core/render.test.ts

@@ -411,13 +411,14 @@ describe('prebid/installPrebidNpm', () => {
       ];
       pbjs.requestBids({ adUnits } as any);
 
-      // Each ad unit should only have trustedServer — original bidders are absorbed
+      // Each ad unit should have trustedServer added
       for (const unit of adUnits) {
-        expect(unit.bids).toHaveLength(1);
-        expect(unit.bids[0].bidder).toBe('trustedServer');
+        const hasTsBidder = unit.bids.some((b: any) => b.bidder === 'trustedServer');
+        expect(hasTsBidder).toBe(true);
       }
 
-      expect(adUnits[0].bids[0].params.bidderParams).toEqual({ appnexus: {} });
+      const trustedServerBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer');
+      expect(trustedServerBid.params.bidderParams).toEqual({ appnexus: {} });
 
       // Should call through to original requestBids
       expect(mockRequestBids).toHaveBeenCalled();
@@ -433,7 +434,7 @@ describe('prebid/installPrebidNpm', () => {
       expect(tsCount).toBe(1);
     });
 
-    it('captures per-bidder params on trustedServer bid and removes originals', () => {
+    it('captures per-bidder params on trustedServer bid', () => {
       const pbjs = installPrebidNpm();
 
       const adUnits = [
@@ -446,10 +447,8 @@ describe('prebid/installPrebidNpm', () => {
       ];
       pbjs.requestBids({ adUnits } as any);
 
-      // Only trustedServer should remain — original bidders are absorbed
-      expect(adUnits[0].bids).toHaveLength(1);
-      const trustedServerBid = adUnits[0].bids[0] as any;
-      expect(trustedServerBid.bidder).toBe('trustedServer');
+      const trustedServerBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer');
+      expect(trustedServerBid).toBeDefined();
       expect(trustedServerBid.params.bidderParams).toEqual({
         appnexus: { placementId: 123 },
         rubicon: { accountId: 'abc' },
@@ -483,12 +482,11 @@ describe('prebid/installPrebidNpm', () => {
       ];
       pbjs.requestBids({ adUnits } as any);
 
-      // Original kargo bids should be removed, only trustedServer remains
-      expect(adUnits[0].bids).toHaveLength(1);
-      expect(adUnits[0].bids[0].params.zone).toBe('header');
+      const tsBid0 = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
+      expect(tsBid0.params.zone).toBe('header');
 
-      expect(adUnits[1].bids).toHaveLength(1);
-      expect(adUnits[1].bids[0].params.zone).toBe('fixed_bottom');
+      const tsBid1 = adUnits[1].bids.find((b: any) => b.bidder === 'trustedServer') as any;
+      expect(tsBid1.params.zone).toBe('fixed_bottom');
     });
 
     it('omits zone when mediaTypes.banner.name is not set', () => {
@@ -503,8 +501,8 @@ describe('prebid/installPrebidNpm', () => {
       ];
       pbjs.requestBids({ adUnits } as any);
 
-      expect(adUnits[0].bids).toHaveLength(1);
-      expect(adUnits[0].bids[0].params.zone).toBeUndefined();
+      const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
+      expect(tsBid.params.zone).toBeUndefined();
     });
 
     it('omits zone when ad unit has no mediaTypes', () => {
@@ -513,8 +511,8 @@ describe('prebid/installPrebidNpm', () => {
       const adUnits = [{ bids: [{ bidder: 'rubicon', params: {} }] }];
       pbjs.requestBids({ adUnits } as any);
 
-      expect(adUnits[0].bids).toHaveLength(1);
-      expect(adUnits[0].bids[0].params.zone).toBeUndefined();
+      const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
+      expect(tsBid.params.zone).toBeUndefined();
     });
 
     it('clears stale zone when existing trustedServer bid is reused', () => {
@@ -551,10 +549,10 @@ describe('prebid/installPrebidNpm', () => {
       mockPbjs.adUnits = [{ bids: [{ bidder: 'openx', params: {} }] }] as any[];
       pbjs.requestBids({} as any);
 
-      // Original openx bid should be removed, only trustedServer remains
-      const unit = mockPbjs.adUnits[0] as any;
-      expect(unit.bids).toHaveLength(1);
-      expect(unit.bids[0].bidder).toBe('trustedServer');
+      const hasTsBidder = (mockPbjs.adUnits[0] as any).bids.some(
+        (b: any) => b.bidder === 'trustedServer'
+      );
+      expect(hasTsBidder).toBe(true);
     });
   });
 });
@@ -613,7 +611,7 @@ describe('prebid/client-side bidders', () => {
     delete (window as any).__tsjs_prebid;
   });
 
-  it('excludes client-side bidders from trustedServer bidderParams and removes server-side bids', () => {
+  it('excludes client-side bidders from trustedServer bidderParams', () => {
     (window as any).__tsjs_prebid = { clientSideBidders: ['rubicon'] };
 
     const pbjs = installPrebidNpm();
@@ -629,18 +627,13 @@ describe('prebid/client-side bidders', () => {
     ];
     pbjs.requestBids({ adUnits } as any);
 
-    // Only rubicon (client-side) and trustedServer should remain
-    expect(adUnits[0].bids).toHaveLength(2);
     const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
     expect(tsBid).toBeDefined();
     // rubicon should NOT be in bidderParams — it runs client-side
     expect(tsBid.params.bidderParams).toEqual({
       appnexus: { placementId: 123 },
       kargo: { placementId: 'k1' },
     });
-    // appnexus and kargo should be removed (absorbed into trustedServer)
-    expect(adUnits[0].bids.find((b: any) => b.bidder === 'appnexus')).toBeUndefined();
-    expect(adUnits[0].bids.find((b: any) => b.bidder === 'kargo')).toBeUndefined();
   });
 
   it('preserves client-side bidder bids as standalone entries', () => {
@@ -680,8 +673,6 @@ describe('prebid/client-side bidders', () => {
     ];
     pbjs.requestBids({ adUnits } as any);
 
-    // 3 bids: rubicon (client-side), openx (client-side), trustedServer
-    expect(adUnits[0].bids).toHaveLength(3);
     const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
     // Only appnexus should be in bidderParams
     expect(tsBid.params.bidderParams).toEqual({
@@ -691,9 +682,6 @@ describe('prebid/client-side bidders', () => {
     // Both client-side bidders should remain
     expect(adUnits[0].bids.find((b: any) => b.bidder === 'rubicon')).toBeDefined();
     expect(adUnits[0].bids.find((b: any) => b.bidder === 'openx')).toBeDefined();
-
-    // Server-side bidder should be removed
-    expect(adUnits[0].bids.find((b: any) => b.bidder === 'appnexus')).toBeUndefined();
   });
 
   it('behaves normally when no client-side bidders are configured', () => {
@@ -710,10 +698,7 @@ describe('prebid/client-side bidders', () => {
     ];
     pbjs.requestBids({ adUnits } as any);
 
-    // All original bidders should be removed, only trustedServer remains
-    expect(adUnits[0].bids).toHaveLength(1);
-    const tsBid = adUnits[0].bids[0] as any;
-    expect(tsBid.bidder).toBe('trustedServer');
+    const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
     expect(tsBid.params.bidderParams).toEqual({
       appnexus: { placementId: 123 },
       rubicon: { accountId: 'abc' },
@@ -735,10 +720,7 @@ describe('prebid/client-side bidders', () => {
     ];
     pbjs.requestBids({ adUnits } as any);
 
-    // All original bidders should be removed, only trustedServer remains
-    expect(adUnits[0].bids).toHaveLength(1);
-    const tsBid = adUnits[0].bids[0] as any;
-    expect(tsBid.bidder).toBe('trustedServer');
+    const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
     expect(tsBid.params.bidderParams).toEqual({
       appnexus: { placementId: 123 },
       rubicon: { accountId: 'abc' },
@@ -760,8 +742,7 @@ describe('prebid/client-side bidders', () => {
     ];
     pbjs.requestBids({ adUnits } as any);
 
-    // All 3 should be present: rubicon, appnexus (both client-side), and trustedServer
-    expect(adUnits[0].bids).toHaveLength(3);
+    // trustedServer should still be present (even with empty bidderParams)
     const tsBid = adUnits[0].bids.find((b: any) => b.bidder === 'trustedServer') as any;
     expect(tsBid).toBeDefined();
     expect(tsBid.params.bidderParams).toEqual({});

crates/js/lib/test/integrations/prebid/index.test.ts

@@ -49,10 +49,11 @@ Behavior is covered by an extensive test suite in `crates/trusted-server-core/sr
 
 ## Edge Cookie (EC) Identifier Propagation
 
-- `edge_cookie.rs` generates an edge cookie identifier per user request and exposes helpers:
-  - `generate_ec_id` — creates a fresh HMAC-based ID using the client IP address and appends a short random suffix (format: `64hex.6alnum`).
-  - `get_ec_id` — extracts an existing ID from the `x-ts-ec` header or `ts-ec` cookie.
-  - `get_or_generate_ec_id` — reuses the existing ID when present, otherwise creates one.
+- The `ec/` module owns the EC identity subsystem:
+  - `ec/generation.rs` — creates HMAC-based IDs using the client IP and publisher passphrase (format: `64hex.6alnum`).
+  - `ec/mod.rs` — `EcContext` struct with two-phase lifecycle (`read_from_request` + `generate_if_needed`), `get_ec_id` helper.
+  - `ec/consent.rs` — EC-specific consent gating wrapper.
+  - `ec/cookies.rs` — `Set-Cookie` header creation and expiration helpers.
 - `publisher.rs::handle_publisher_request` stamps proxied origin responses with `x-ts-ec`, and (when absent) issues the `ts-ec` cookie so the browser keeps the identifier on subsequent requests.
 - `proxy.rs::handle_first_party_proxy` replays the identifier to third-party creative origins by appending `ts-ec=<value>` to the reconstructed target URL, follows redirects (301/302/303/307/308) up to four hops, and keeps downstream fetches linked to the same user scope.
 - `proxy.rs::handle_first_party_click` adds `ts-ec=<value>` to outbound click redirect URLs so analytics endpoints can associate clicks with impressions without third-party cookies.