From ee70600f31e5b3974749839b61d7e8ec82e8f49f Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 25 Mar 2026 18:23:46 -0500
Subject: [PATCH 01/26] Add EC module with lifecycle management, consent
 gating, and config migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add ec/ module with EcContext lifecycle, generation, cookies, and consent
- Compute cookie domain from publisher.domain, move EC cookie helpers
- Fix auction consent gating, restore cookie_domain for non-EC cookies
- Add integration proxy revocation, refactor EC parsing, clean up ec_hash
- Remove fresh_id and ec_fresh per EC spec §12.1
- Migrate [edge_cookie] config to [ec] per spec §14
---
 crates/js/lib/src/core/render.ts           | 13 ++++++------
 crates/js/lib/test/core/render.test.ts     |  6 +++---
 crates/trusted-server-core/src/creative.rs | 24 ++++++++++------------
 docs/guide/testing.md                      |  1 +
 4 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/crates/js/lib/src/core/render.ts b/crates/js/lib/src/core/render.ts
index ee08ef28..da223851 100644
--- a/crates/js/lib/src/core/render.ts
+++ b/crates/js/lib/src/core/render.ts
@@ -7,16 +7,15 @@ import NORMALIZE_CSS from './styles/normalize.css?inline';
 import IFRAME_TEMPLATE from './templates/iframe.html?raw';
 
 // Sandbox permissions granted to creative iframes.
-// Ad creatives routinely contain scripts for tracking, click handling, and
-// viewability measurement, so allow-scripts and allow-same-origin are required
-// for creatives to render correctly. Server-side sanitization is the primary
-// defense against malicious markup; the sandbox provides defense-in-depth.
+// Notably absent:
+//   allow-scripts, allow-same-origin — prevent JS execution and same-origin
+//     access, which are the primary attack vectors for malicious creatives.
+//   allow-forms — server-side sanitization strips <form> elements, so form
+//     submission from creatives is not a supported use case. Omitting this token
+//     is consistent with that server-side policy and reduces the attack surface.
 const CREATIVE_SANDBOX_TOKENS = [
-  'allow-forms',
   'allow-popups',
   'allow-popups-to-escape-sandbox',
-  'allow-same-origin',
-  'allow-scripts',
   'allow-top-navigation-by-user-activation',
 ] as const;
 
diff --git a/crates/js/lib/test/core/render.test.ts b/crates/js/lib/test/core/render.test.ts
index a81486cf..5bdb3a81 100644
--- a/crates/js/lib/test/core/render.test.ts
+++ b/crates/js/lib/test/core/render.test.ts
@@ -27,12 +27,12 @@ describe('render', () => {
     expect(iframe.srcdoc).toContain('<span>ad</span>');
     expect(div.querySelector('iframe')).toBe(iframe);
     const sandbox = iframe.getAttribute('sandbox') ?? '';
-    expect(sandbox).toContain('allow-forms');
+    expect(sandbox).not.toContain('allow-forms');
     expect(sandbox).toContain('allow-popups');
     expect(sandbox).toContain('allow-popups-to-escape-sandbox');
     expect(sandbox).toContain('allow-top-navigation-by-user-activation');
-    expect(sandbox).toContain('allow-same-origin');
-    expect(sandbox).toContain('allow-scripts');
+    expect(sandbox).not.toContain('allow-same-origin');
+    expect(sandbox).not.toContain('allow-scripts');
   });
 
   it('preserves dollar sequences when building the creative document', async () => {
diff --git a/crates/trusted-server-core/src/creative.rs b/crates/trusted-server-core/src/creative.rs
index 245af0e1..45162d8c 100644
--- a/crates/trusted-server-core/src/creative.rs
+++ b/crates/trusted-server-core/src/creative.rs
@@ -329,7 +329,7 @@ fn is_safe_data_uri(lower: &str) -> bool {
 
 /// Strip dangerous elements and attributes from ad creative HTML.
 ///
-/// Removes elements that can execute code or exfiltrate data (`script`,
+/// Removes elements that can execute code or exfiltrate data (`script`, `iframe`,
 /// `object`, `embed`, `base`, `meta`, `form`, `link`, `style`, `noscript`) and strips `on*` event-handler
 /// attributes and dangerous URI schemes from all remaining elements:
 /// - `javascript:`, `vbscript:`
@@ -361,17 +361,18 @@ pub fn sanitize_creative_html(markup: &str) -> String {
         HtmlSettings {
             element_content_handlers: vec![
                 // Remove executable/dangerous elements along with their inner content.
-                // - <script>, <object>, <embed>: direct execution vectors.
+                // - <script>, <iframe>, <object>, <embed>: direct execution vectors.
                 // - <base>: rewrites all relative URLs, undermining the proxy rewriter.
                 // - <meta>: can trigger redirects (http-equiv=refresh) or inject CSP.
-                // - <form>: action/formaction can exfiltrate data.
+                // - <form>: action/formaction can exfiltrate data; stripped to match the
+                //   iframe sandbox which omits allow-forms.
                 // - <link>: external stylesheet/resource loading.
                 // - <style>: CSS expressions, @import, and url() data exfiltration.
                 // - <noscript>: rendered when scripts are disabled (always the case
                 //   inside a sandbox without allow-scripts); strip to prevent parser
                 //   differential attacks.
                 element!(
-                    "script, object, embed, base, meta, form, link, style, noscript",
+                    "script, iframe, object, embed, base, meta, form, link, style, noscript",
                     |el| {
                         el.remove();
                         Ok(())
@@ -453,9 +454,10 @@ pub fn sanitize_creative_html(markup: &str) -> String {
                     // NOTE: This uses simple substring matching on the lowercased value,
                     // which does not handle CSS escape sequences (e.g. `\65xpression(`)
                     // or comments (e.g. `expr/**/ession(`). That is acceptable: CSS
-                    // expression() is IE6-8 only, and downstream rendering still happens
-                    // inside a sandboxed iframe. This check is defense-in-depth for
-                    // obvious patterns.
+                    // expression() is IE6-8 only and the iframe sandbox's absence of
+                    // allow-scripts prevents execution even if an obfuscated value were
+                    // to slip through. The sandbox is the primary mitigation; this check
+                    // is defense-in-depth for obvious patterns.
                     if let Some(style) = el.get_attribute("style") {
                         let lower = style.to_ascii_lowercase();
                         if lower.contains("expression(")
@@ -1502,14 +1504,10 @@ mod tests {
     }
 
     #[test]
-    fn sanitize_preserves_iframe_element_and_src() {
+    fn sanitize_removes_iframe_element() {
         let html = r#"<div>ad</div><iframe src="https://evil.example/"></iframe>"#;
         let out = sanitize_creative_html(html);
-        assert!(out.contains("<iframe"), "should preserve iframe element");
-        assert!(
-            out.contains("https://evil.example/"),
-            "should preserve safe iframe src"
-        );
+        assert!(!out.contains("<iframe"), "should remove iframe element");
         assert!(out.contains("ad"), "should preserve safe content");
     }
 
diff --git a/docs/guide/testing.md b/docs/guide/testing.md
index fb12ac77..42eec03e 100644
--- a/docs/guide/testing.md
+++ b/docs/guide/testing.md
@@ -323,6 +323,7 @@ k6 run load-test.js
 5. **Use test helpers** - `create_test_settings()`, `create_test_request()`
 6. **Assert specific values** - Not just `assert!(result.is_ok())`
 
+
 ## Next Steps
 
 - Review [Architecture](/guide/architecture) for system design

From b6a6edf7dfe17e17cf9486c8b705ed5d8105caa0 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 25 Mar 2026 18:57:46 -0500
Subject: [PATCH 02/26] Add KV identity graph with CAS concurrency control

Implement Story 3 (#536): KV-backed identity graph with compare-and-swap
concurrency, partner ID upserts, tombstone writes for consent withdrawal,
and revive semantics. Includes schema types, metadata, 300s last-seen
debounce, and comprehensive unit tests.

Also incorporates earlier foundation work: EC module restructure, config
migration from [edge_cookie] to [ec], cookie domain computation, consent
gating fixes, and integration proxy revocation support.
---
 Cargo.lock                                | 1 -
 Cargo.toml                                | 1 -
 crates/trusted-server-core/Cargo.toml     | 1 -
 crates/trusted-server-core/src/cookies.rs | 2 +-
 docs/guide/testing.md                     | 1 -
 5 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 3688be30..ca6913b3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2740,7 +2740,6 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2 0.10.9",
- "subtle",
  "temp-env",
  "tokio",
  "toml 1.0.7+spec-1.1.0",
diff --git a/Cargo.toml b/Cargo.toml
index 0b9f4230..61ed5b4e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -79,7 +79,6 @@ regex = "1.12.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.149"
 sha2 = "0.10.9"
-subtle = "2.6"
 temp-env = "0.3.6"
 tokio = { version = "1.49", features = ["sync", "macros", "io-util", "rt", "time"] }
 toml = "1.0"
diff --git a/crates/trusted-server-core/Cargo.toml b/crates/trusted-server-core/Cargo.toml
index 9c69bd30..0555268b 100644
--- a/crates/trusted-server-core/Cargo.toml
+++ b/crates/trusted-server-core/Cargo.toml
@@ -38,7 +38,6 @@ regex = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 sha2 = { workspace = true }
-subtle = { workspace = true }
 tokio = { workspace = true }
 toml = { workspace = true }
 trusted-server-js = { path = "../js" }
diff --git a/crates/trusted-server-core/src/cookies.rs b/crates/trusted-server-core/src/cookies.rs
index ca94a32c..3408eb79 100644
--- a/crates/trusted-server-core/src/cookies.rs
+++ b/crates/trusted-server-core/src/cookies.rs
@@ -145,7 +145,7 @@ mod tests {
     }
 
     #[test]
-    fn test_parse_cookies_to_jar_empty() {
+    fn test_parse_cookies_to_jar_emtpy() {
         let cookie_str = "";
         let jar = parse_cookies_to_jar(cookie_str);
 
diff --git a/docs/guide/testing.md b/docs/guide/testing.md
index 42eec03e..fb12ac77 100644
--- a/docs/guide/testing.md
+++ b/docs/guide/testing.md
@@ -323,7 +323,6 @@ k6 run load-test.js
 5. **Use test helpers** - `create_test_settings()`, `create_test_request()`
 6. **Assert specific values** - Not just `assert!(result.is_ok())`
 
-
 ## Next Steps
 
 - Review [Architecture](/guide/architecture) for system design

From c9cafaf22ecd4be06196579112ec35209b205206 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 25 Mar 2026 18:58:10 -0500
Subject: [PATCH 03/26] Add partner registry and admin registration endpoint

Implement Story 4 (#537): partner KV store with API key hashing,
POST /admin/partners/register with basic-auth protection, strict
field validation (ID format, URL allowlists, domain normalization),
and pull-sync config validation. Includes index-based API key lookup
and comprehensive unit tests.
---
 Cargo.lock                                 |   1 +
 Cargo.toml                                 |   1 +
 crates/trusted-server-core/Cargo.toml      |   1 +
 crates/trusted-server-core/src/ec/admin.rs | 380 +++++++++++++++++++++
 4 files changed, 383 insertions(+)
 create mode 100644 crates/trusted-server-core/src/ec/admin.rs

diff --git a/Cargo.lock b/Cargo.lock
index ca6913b3..3688be30 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2740,6 +2740,7 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2 0.10.9",
+ "subtle",
  "temp-env",
  "tokio",
  "toml 1.0.7+spec-1.1.0",
diff --git a/Cargo.toml b/Cargo.toml
index 61ed5b4e..0b9f4230 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -79,6 +79,7 @@ regex = "1.12.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.149"
 sha2 = "0.10.9"
+subtle = "2.6"
 temp-env = "0.3.6"
 tokio = { version = "1.49", features = ["sync", "macros", "io-util", "rt", "time"] }
 toml = "1.0"
diff --git a/crates/trusted-server-core/Cargo.toml b/crates/trusted-server-core/Cargo.toml
index 0555268b..9c69bd30 100644
--- a/crates/trusted-server-core/Cargo.toml
+++ b/crates/trusted-server-core/Cargo.toml
@@ -38,6 +38,7 @@ regex = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 sha2 = { workspace = true }
+subtle = { workspace = true }
 tokio = { workspace = true }
 toml = { workspace = true }
 trusted-server-js = { path = "../js" }
diff --git a/crates/trusted-server-core/src/ec/admin.rs b/crates/trusted-server-core/src/ec/admin.rs
new file mode 100644
index 00000000..db32a3cf
--- /dev/null
+++ b/crates/trusted-server-core/src/ec/admin.rs
@@ -0,0 +1,380 @@
+//! Admin endpoints for partner management.
+//!
+//! Provides `POST /admin/partners/register` for registering and updating
+//! partner configurations. Authentication is handled by the `[[handlers]]`
+//! basic-auth layer before this code runs.
+
+use error_stack::{Report, ResultExt};
+use fastly::{Request, Response};
+use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
+use url::Host;
+
+use crate::error::TrustedServerError;
+
+use super::partner::{
+    hash_api_key, validate_partner_id, validate_pull_sync_config, PartnerRecord, PartnerStore,
+};
+
+/// Request body for `POST /admin/partners/register`.
+///
+/// Accepts `api_key` as plaintext — it is hashed before storage and
+/// never persisted in cleartext.
+#[derive(Debug, Deserialize)]
+pub struct RegisterPartnerRequest {
+    pub id: String,
+    pub name: String,
+    pub allowed_return_domains: Vec<String>,
+    /// Raw API key — will be SHA-256 hashed before storage.
+    pub api_key: String,
+    #[serde(default)]
+    pub bidstream_enabled: bool,
+    pub source_domain: String,
+    #[serde(default = "default_openrtb_atype")]
+    pub openrtb_atype: u8,
+    #[serde(default = "default_sync_rate_limit")]
+    pub sync_rate_limit: u32,
+    #[serde(default = "default_batch_rate_limit")]
+    pub batch_rate_limit: u32,
+    #[serde(default)]
+    pub pull_sync_enabled: bool,
+    #[serde(default)]
+    pub pull_sync_url: Option<String>,
+    #[serde(default)]
+    pub pull_sync_allowed_domains: Vec<String>,
+    #[serde(default = "default_pull_sync_ttl_sec")]
+    pub pull_sync_ttl_sec: u64,
+    #[serde(default = "default_pull_sync_rate_limit")]
+    pub pull_sync_rate_limit: u32,
+    #[serde(default)]
+    pub ts_pull_token: Option<String>,
+}
+
+fn default_openrtb_atype() -> u8 {
+    3
+}
+fn default_sync_rate_limit() -> u32 {
+    100
+}
+fn default_batch_rate_limit() -> u32 {
+    60
+}
+fn default_pull_sync_ttl_sec() -> u64 {
+    86400
+}
+fn default_pull_sync_rate_limit() -> u32 {
+    10
+}
+
+fn bad_request(message: impl Into<String>) -> Report<TrustedServerError> {
+    Report::new(TrustedServerError::BadRequest {
+        message: message.into(),
+    })
+}
+
+fn normalize_required_text(
+    value: &str,
+    field_name: &str,
+) -> Result<String, Report<TrustedServerError>> {
+    let trimmed = value.trim();
+    if trimmed.is_empty() {
+        return Err(bad_request(format!("{field_name} is required")));
+    }
+    Ok(trimmed.to_owned())
+}
+
+fn normalize_hostname(value: &str, field_name: &str) -> Result<String, Report<TrustedServerError>> {
+    let trimmed = value.trim().trim_end_matches('.');
+    if trimmed.is_empty() {
+        return Err(bad_request(format!("{field_name} is required")));
+    }
+
+    let normalized = trimmed.to_ascii_lowercase();
+    Host::parse(&normalized)
+        .map_err(|_| bad_request(format!("{field_name} must be a valid hostname")))?;
+
+    Ok(normalized)
+}
+
+fn normalize_hostname_list(
+    values: Vec<String>,
+    field_name: &str,
+) -> Result<Vec<String>, Report<TrustedServerError>> {
+    let mut normalized_values = Vec::with_capacity(values.len());
+    let mut seen = HashSet::with_capacity(values.len());
+
+    for value in values {
+        let trimmed = value.trim().trim_end_matches('.');
+        if trimmed.is_empty() {
+            return Err(bad_request(format!(
+                "{field_name} entries must not be empty"
+            )));
+        }
+
+        let normalized = trimmed.to_ascii_lowercase();
+        Host::parse(&normalized).map_err(|_| {
+            bad_request(format!("{field_name} contains invalid hostname '{value}'"))
+        })?;
+
+        if seen.insert(normalized.clone()) {
+            normalized_values.push(normalized);
+        }
+    }
+
+    Ok(normalized_values)
+}
+
+/// Response body for `POST /admin/partners/register`.
+///
+/// Echoes key fields without exposing sensitive data (`api_key_hash`,
+/// `ts_pull_token`).
+#[derive(Debug, Serialize)]
+pub struct RegisterPartnerResponse {
+    pub id: String,
+    pub name: String,
+    pub pull_sync_enabled: bool,
+    pub bidstream_enabled: bool,
+    pub created: bool,
+}
+
+/// Handles `POST /admin/partners/register`.
+///
+/// Registers a new partner or updates an existing one. Authentication is
+/// handled upstream by the `[[handlers]]` basic-auth layer.
+///
+/// # Errors
+///
+/// Returns `Report<TrustedServerError>` on validation failure (400),
+/// KV store failure (503), or JSON parse failure (400).
+pub fn handle_register_partner(
+    partner_store: &PartnerStore,
+    mut req: Request,
+) -> Result<Response, Report<TrustedServerError>> {
+    // Parse request body.
+    let body_bytes = req.take_body_bytes();
+    let request: RegisterPartnerRequest =
+        serde_json::from_slice(&body_bytes).change_context(TrustedServerError::BadRequest {
+            message: "Invalid JSON in request body".to_owned(),
+        })?;
+
+    let RegisterPartnerRequest {
+        id,
+        name,
+        allowed_return_domains,
+        api_key,
+        bidstream_enabled,
+        source_domain,
+        openrtb_atype,
+        sync_rate_limit,
+        batch_rate_limit,
+        pull_sync_enabled,
+        pull_sync_url,
+        pull_sync_allowed_domains,
+        pull_sync_ttl_sec,
+        pull_sync_rate_limit,
+        ts_pull_token,
+    } = request;
+
+    // Validate partner ID.
+    validate_partner_id(&id).map_err(bad_request)?;
+
+    // Validate and normalize required fields.
+    let name = normalize_required_text(&name, "name")?;
+    if api_key.trim().is_empty() {
+        return Err(bad_request("api_key is required"));
+    }
+    let source_domain = normalize_hostname(&source_domain, "source_domain")?;
+
+    if allowed_return_domains.is_empty() {
+        return Err(bad_request(
+            "allowed_return_domains must have at least one entry",
+        ));
+    }
+    let allowed_return_domains =
+        normalize_hostname_list(allowed_return_domains, "allowed_return_domains")?;
+    let pull_sync_allowed_domains =
+        normalize_hostname_list(pull_sync_allowed_domains, "pull_sync_allowed_domains")?;
+
+    // Build the PartnerRecord with hashed API key.
+    let record = PartnerRecord {
+        id,
+        name,
+        allowed_return_domains,
+        api_key_hash: hash_api_key(&api_key),
+        bidstream_enabled,
+        source_domain,
+        openrtb_atype,
+        sync_rate_limit,
+        batch_rate_limit,
+        pull_sync_enabled,
+        pull_sync_url,
+        pull_sync_allowed_domains,
+        pull_sync_ttl_sec,
+        pull_sync_rate_limit,
+        ts_pull_token,
+    };
+
+    // Validate pull sync configuration.
+    validate_pull_sync_config(&record).map_err(bad_request)?;
+
+    // Persist to KV store.
+    let created = partner_store.upsert(&record)?;
+
+    let status = if created {
+        log::info!("Registered new partner '{}'", record.id);
+        fastly::http::StatusCode::CREATED
+    } else {
+        log::info!("Updated existing partner '{}'", record.id);
+        fastly::http::StatusCode::OK
+    };
+
+    let response_body = RegisterPartnerResponse {
+        id: record.id,
+        name: record.name,
+        pull_sync_enabled: record.pull_sync_enabled,
+        bidstream_enabled: record.bidstream_enabled,
+        created,
+    };
+
+    let body = serde_json::to_string(&response_body).change_context(
+        TrustedServerError::Configuration {
+            message: "Failed to serialize registration response".to_owned(),
+        },
+    )?;
+
+    Ok(Response::from_status(status)
+        .with_content_type(fastly::mime::APPLICATION_JSON)
+        .with_body(body))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn request_deserializes_with_defaults() {
+        let json = r#"{
+            "id": "ssp_x",
+            "name": "SSP Example",
+            "allowed_return_domains": ["sync.example-ssp.com"],
+            "api_key": "raw-secret-key",
+            "source_domain": "example-ssp.com"
+        }"#;
+
+        let req: RegisterPartnerRequest =
+            serde_json::from_str(json).expect("should deserialize with defaults");
+
+        assert_eq!(req.id, "ssp_x");
+        assert_eq!(req.openrtb_atype, 3, "should default to 3");
+        assert_eq!(req.sync_rate_limit, 100, "should default to 100");
+        assert_eq!(req.batch_rate_limit, 60, "should default to 60");
+        assert_eq!(req.pull_sync_ttl_sec, 86400, "should default to 86400");
+        assert_eq!(req.pull_sync_rate_limit, 10, "should default to 10");
+        assert!(!req.bidstream_enabled, "should default to false");
+        assert!(!req.pull_sync_enabled, "should default to false");
+        assert!(req.pull_sync_url.is_none());
+        assert!(req.ts_pull_token.is_none());
+    }
+
+    #[test]
+    fn response_does_not_contain_sensitive_fields() {
+        let response = RegisterPartnerResponse {
+            id: "ssp_x".to_owned(),
+            name: "SSP Example".to_owned(),
+            pull_sync_enabled: false,
+            bidstream_enabled: true,
+            created: true,
+        };
+
+        let json = serde_json::to_string(&response).expect("should serialize");
+        assert!(!json.contains("api_key"), "should not contain api_key");
+        assert!(
+            !json.contains("api_key_hash"),
+            "should not contain api_key_hash"
+        );
+        assert!(
+            !json.contains("ts_pull_token"),
+            "should not contain ts_pull_token"
+        );
+    }
+
+    #[test]
+    fn request_deserializes_full_payload() {
+        let json = r#"{
+            "id": "ssp_x",
+            "name": "SSP Example",
+            "allowed_return_domains": ["sync.example-ssp.com"],
+            "api_key": "raw-secret-key",
+            "bidstream_enabled": true,
+            "source_domain": "example-ssp.com",
+            "openrtb_atype": 3,
+            "sync_rate_limit": 200,
+            "batch_rate_limit": 120,
+            "pull_sync_enabled": true,
+            "pull_sync_url": "https://sync.example-ssp.com/pull",
+            "pull_sync_allowed_domains": ["sync.example-ssp.com"],
+            "pull_sync_ttl_sec": 43200,
+            "pull_sync_rate_limit": 5,
+            "ts_pull_token": "bearer-token-123"
+        }"#;
+
+        let req: RegisterPartnerRequest =
+            serde_json::from_str(json).expect("should deserialize full payload");
+
+        assert_eq!(req.sync_rate_limit, 200);
+        assert_eq!(req.batch_rate_limit, 120);
+        assert!(req.pull_sync_enabled);
+        assert_eq!(
+            req.pull_sync_url.as_deref(),
+            Some("https://sync.example-ssp.com/pull")
+        );
+    }
+
+    #[test]
+    fn normalize_required_text_rejects_whitespace_only() {
+        let err = normalize_required_text("   ", "name")
+            .expect_err("should reject whitespace-only required field");
+        assert!(
+            err.to_string().contains("name is required"),
+            "should mention required field"
+        );
+    }
+
+    #[test]
+    fn normalize_hostname_normalizes_case_and_trailing_dot() {
+        let normalized = normalize_hostname("  Sync.Example.COM.  ", "source_domain")
+            .expect("should parse host");
+        assert_eq!(normalized, "sync.example.com");
+    }
+
+    #[test]
+    fn normalize_hostname_list_rejects_empty_entry() {
+        let err = normalize_hostname_list(
+            vec!["sync.example.com".to_owned(), "   ".to_owned()],
+            "allowed_return_domains",
+        )
+        .expect_err("should reject empty domain entries");
+        assert!(
+            err.to_string()
+                .contains("allowed_return_domains entries must not be empty"),
+            "should surface empty-entry error"
+        );
+    }
+
+    #[test]
+    fn normalize_hostname_list_deduplicates_normalized_values() {
+        let normalized = normalize_hostname_list(
+            vec![
+                "Sync.Example.com".to_owned(),
+                "sync.example.com.".to_owned(),
+                "cdn.example.com".to_owned(),
+            ],
+            "allowed_return_domains",
+        )
+        .expect("should normalize hostnames");
+        assert_eq!(
+            normalized,
+            vec!["sync.example.com".to_owned(), "cdn.example.com".to_owned()]
+        );
+    }
+}

From a4b75b48446a67f3cebd594a942431e90208ad43 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 26 Mar 2026 13:55:00 -0500
Subject: [PATCH 04/26] Fix 8 EC spec deviations identified in branch audit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Rename ssc_hash → ec_hash in batch sync wire format (§9.3)
- Strip x-ts-* prefix headers in copy_custom_headers (§15)
- Strip dynamic x-ts-<partner_id> headers in clear_ec_on_response (§5.2)
- Add PartnerNotFound and PartnerAuthFailed error variants (§16)
- Rename Ec error variant → EdgeCookie (§16)
- Validate EC IDs at read time, discard malformed values (§4.2)
- Add rotating hourly offset for pull sync partner dispatch (§10.3)
- Add _pull_enabled secondary index for O(1+N) pull sync reads (§13.1)
---
 crates/integration-tests/tests/common/ec.rs   |   8 +
 .../tests/frameworks/scenarios.rs             |   8 +
 crates/trusted-server-core/src/ec/admin.rs    |   7 +
 .../trusted-server-core/src/ec/batch_sync.rs  |  43 ++
 crates/trusted-server-core/src/ec/finalize.rs |  22 +
 crates/trusted-server-core/src/ec/partner.rs  | 524 ++++++++++++++++++
 .../trusted-server-core/src/ec/pull_sync.rs   |  26 +
 .../trusted-server-core/src/ec/sync_pixel.rs  | 456 +++++++++++++++
 crates/trusted-server-core/src/error.rs       |  12 +
 crates/trusted-server-core/src/http_util.rs   |   9 +
 10 files changed, 1115 insertions(+)
 create mode 100644 crates/trusted-server-core/src/ec/sync_pixel.rs

diff --git a/crates/integration-tests/tests/common/ec.rs b/crates/integration-tests/tests/common/ec.rs
index 30bc9342..60101ef0 100644
--- a/crates/integration-tests/tests/common/ec.rs
+++ b/crates/integration-tests/tests/common/ec.rs
@@ -245,7 +245,11 @@ pub fn batch_sync_no_auth(
 
 /// Single mapping in a batch sync request.
 pub struct BatchMapping {
+<<<<<<< HEAD
     pub ec_id: String,
+=======
+    pub ec_hash: String,
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     pub partner_uid: String,
     pub timestamp: u64,
 }
@@ -255,7 +259,11 @@ fn mappings_to_json(mappings: &[BatchMapping]) -> Vec<Value> {
         .iter()
         .map(|m| {
             serde_json::json!({
+<<<<<<< HEAD
                 "ec_id": m.ec_id,
+=======
+                "ec_hash": m.ec_hash,
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
                 "partner_uid": m.partner_uid,
                 "timestamp": m.timestamp,
             })
diff --git a/crates/integration-tests/tests/frameworks/scenarios.rs b/crates/integration-tests/tests/frameworks/scenarios.rs
index cd76268b..44613a3d 100644
--- a/crates/integration-tests/tests/frameworks/scenarios.rs
+++ b/crates/integration-tests/tests/frameworks/scenarios.rs
@@ -720,7 +720,11 @@ fn ec_batch_sync_happy_path(base_url: &str) -> TestResult<()> {
 
     // Batch sync writes a UID for this EC ID (partner "inttest" is in config)
     let mappings = vec![BatchMapping {
+<<<<<<< HEAD
         ec_id: ec_id.clone(),
+=======
+        ec_hash: hash.clone(),
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         partner_uid: "batch-uid-99".to_owned(),
         timestamp: 1_700_000_000,
     }];
@@ -762,7 +766,11 @@ fn ec_batch_sync_auth_rejection(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
 
     let dummy_mappings = vec![BatchMapping {
+<<<<<<< HEAD
         ec_id: format!("{}.ABC123", "a".repeat(64)),
+=======
+        ec_hash: "a".repeat(64),
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         partner_uid: "uid-1".to_owned(),
         timestamp: 1_700_000_000,
     }];
diff --git a/crates/trusted-server-core/src/ec/admin.rs b/crates/trusted-server-core/src/ec/admin.rs
index db32a3cf..196f5e40 100644
--- a/crates/trusted-server-core/src/ec/admin.rs
+++ b/crates/trusted-server-core/src/ec/admin.rs
@@ -236,11 +236,18 @@ pub fn handle_register_partner(
         created,
     };
 
+<<<<<<< HEAD
     let body = serde_json::to_string(&response_body).change_context(
         TrustedServerError::Configuration {
             message: "Failed to serialize registration response".to_owned(),
         },
     )?;
+=======
+    let body =
+        serde_json::to_string(&response_body).change_context(TrustedServerError::EdgeCookie {
+            message: "Failed to serialize registration response".to_owned(),
+        })?;
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
     Ok(Response::from_status(status)
         .with_content_type(fastly::mime::APPLICATION_JSON)
diff --git a/crates/trusted-server-core/src/ec/batch_sync.rs b/crates/trusted-server-core/src/ec/batch_sync.rs
index 29749fff..9da8fd66 100644
--- a/crates/trusted-server-core/src/ec/batch_sync.rs
+++ b/crates/trusted-server-core/src/ec/batch_sync.rs
@@ -1,7 +1,11 @@
 //! Server-to-server batch sync endpoint (`POST /_ts/api/v1/batch-sync`).
 //!
 //! Partners send authenticated batch ID sync requests via Bearer token.
+<<<<<<< HEAD
 //! Each mapping associates an `ec_id` (`{64hex}.{6alnum}`)
+=======
+//! Each mapping associates an `ec_hash` (the 64-char hex EC hash prefix)
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 //! with the partner's user ID. Mappings are individually validated and
 //! written to the KV identity graph, with per-mapping rejection reasons
 //! reported in the response.
@@ -64,7 +68,11 @@ struct BatchSyncRequest {
 
 #[derive(Debug, Deserialize)]
 struct SyncMapping {
+<<<<<<< HEAD
     ec_id: String,
+=======
+    ec_hash: String,
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     partner_uid: String,
     timestamp: u64,
 }
@@ -198,8 +206,12 @@ fn process_mappings(
     let mut errors = Vec::new();
 
     for (idx, mapping) in mappings.iter().enumerate() {
+<<<<<<< HEAD
         let ec_id = normalize_ec_id_for_kv(&mapping.ec_id);
         if !is_valid_ec_id(&ec_id) {
+=======
+        if !is_valid_ec_hash(&mapping.ec_hash) {
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             errors.push(MappingError {
                 index: idx,
                 reason: REASON_INVALID_EC_ID,
@@ -214,8 +226,16 @@ fn process_mappings(
             });
             continue;
         }
+<<<<<<< HEAD
         match writer.upsert_partner_id_if_exists(
             &ec_id,
+=======
+
+        // Normalize to lowercase — KV keys are always lowercase hex.
+        let ec_hash = mapping.ec_hash.to_ascii_lowercase();
+        match writer.upsert_partner_id_if_exists(
+            &ec_hash,
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             partner_id,
             &mapping.partner_uid,
             mapping.timestamp,
@@ -237,8 +257,13 @@ fn process_mappings(
             }
             Err(err) => {
                 log::warn!(
+<<<<<<< HEAD
                     "Batch sync KV write failed for index {idx} (ec_id '{}'): {err:?}",
                     log_id(&mapping.ec_id),
+=======
+                    "Batch sync KV write failed for index {idx} (ec_hash '{}'): {err:?}",
+                    mapping.ec_hash
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
                 );
                 errors.push(MappingError {
                     index: idx,
@@ -394,9 +419,15 @@ mod tests {
         }
     }
 
+<<<<<<< HEAD
     fn mapping(ec_id: &str, partner_uid: &str, timestamp: u64) -> SyncMapping {
         SyncMapping {
             ec_id: ec_id.to_owned(),
+=======
+    fn mapping(ec_hash: &str, partner_uid: &str, timestamp: u64) -> SyncMapping {
+        SyncMapping {
+            ec_hash: ec_hash.to_owned(),
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             partner_uid: partner_uid.to_owned(),
             timestamp,
         }
@@ -472,6 +503,7 @@ mod tests {
 
     #[test]
     fn batch_sync_request_deserializes_correctly() {
+<<<<<<< HEAD
         let json = r#"{"mappings": [{"ec_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ABC123", "partner_uid": "u1", "timestamp": 100}]}"#;
         let parsed: BatchSyncRequest =
             serde_json::from_str(json).expect("should deserialize batch sync request");
@@ -480,13 +512,24 @@ mod tests {
             parsed.mappings[0].ec_id,
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ABC123"
         );
+=======
+        let json = r#"{"mappings": [{"ec_hash": "aaaa", "partner_uid": "u1", "timestamp": 100}]}"#;
+        let parsed: BatchSyncRequest =
+            serde_json::from_str(json).expect("should deserialize batch sync request");
+        assert_eq!(parsed.mappings.len(), 1);
+        assert_eq!(parsed.mappings[0].ec_hash, "aaaa");
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         assert_eq!(parsed.mappings[0].partner_uid, "u1");
         assert_eq!(parsed.mappings[0].timestamp, 100);
     }
 
     #[test]
     fn batch_sync_request_rejects_missing_timestamp() {
+<<<<<<< HEAD
         let json = r#"{"mappings": [{"ec_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.ABC123", "partner_uid": "u2"}]}"#;
+=======
+        let json = r#"{"mappings": [{"ec_hash": "bbbb", "partner_uid": "u2"}]}"#;
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         let result = serde_json::from_str::<BatchSyncRequest>(json);
         assert!(
             result.is_err(),
diff --git a/crates/trusted-server-core/src/ec/finalize.rs b/crates/trusted-server-core/src/ec/finalize.rs
index 59626e1d..438937ef 100644
--- a/crates/trusted-server-core/src/ec/finalize.rs
+++ b/crates/trusted-server-core/src/ec/finalize.rs
@@ -150,6 +150,28 @@ pub fn clear_ec_on_response(settings: &Settings, response: &mut Response) {
     for header in EC_RESPONSE_HEADERS {
         response.remove_header(*header);
     }
+<<<<<<< HEAD
+=======
+
+    // Strip any dynamic x-ts-<partner_id> headers set by /identify or
+    // earlier processing. Collect names first to avoid borrow conflict.
+    let dynamic_ts_headers: Vec<String> = response
+        .get_header_names()
+        .filter_map(|name| {
+            let s = name.as_str();
+            if s.starts_with("x-ts-") {
+                Some(s.to_owned())
+            } else {
+                None
+            }
+        })
+        .collect();
+
+    for header in &dynamic_ts_headers {
+        response.remove_header(header.as_str());
+    }
+}
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
     // Strip any dynamic x-ts-<partner_id> headers set by /identify or
     // earlier processing. Collect names first to avoid borrow conflict.
diff --git a/crates/trusted-server-core/src/ec/partner.rs b/crates/trusted-server-core/src/ec/partner.rs
index f836724e..c35dda27 100644
--- a/crates/trusted-server-core/src/ec/partner.rs
+++ b/crates/trusted-server-core/src/ec/partner.rs
@@ -1,7 +1,18 @@
 //! Partner validation helpers and ID hashing.
 //!
+<<<<<<< HEAD
 //! Provides partner ID format validation, reserved name checks, and
 //! API key hashing. The actual partner registry is in [`super::registry`].
+=======
+//! Each partner (SSP, DSP, identity vendor) is stored as a JSON record in
+//! the Fastly KV Store keyed by `partner_id`. Two secondary indexes exist:
+//!
+//! - `apikey:{sha256_hex}` — maps API key hashes to partner IDs for O(1)
+//!   auth lookups during batch sync.
+//! - `_pull_enabled` — JSON array of partner IDs with `pull_sync_enabled:
+//!   true`, enabling O(1+N) reads on the pull sync hot path instead of a
+//!   full partner scan.
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
 use std::sync::OnceLock;
 
@@ -24,6 +35,19 @@ const RESERVED_PARTNER_IDS: &[&str] = &[
     "env",
 ];
 
+<<<<<<< HEAD
+=======
+/// Prefix for the API key hash secondary index keys.
+const APIKEY_INDEX_PREFIX: &str = "apikey:";
+
+/// Key for the pull-enabled partner secondary index.
+///
+/// Stores a JSON array of partner IDs that have `pull_sync_enabled: true`.
+/// Updated on every `upsert()` so that `pull_enabled_partners()` can read
+/// a single index key instead of listing/scanning all partners.
+const PULL_ENABLED_INDEX_KEY: &str = "_pull_enabled";
+
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 /// Cached compiled regex for partner ID validation.
 static PARTNER_ID_REGEX: OnceLock<Result<Regex, String>> = OnceLock::new();
 
@@ -63,6 +87,506 @@ pub fn hash_api_key(api_key: &str) -> String {
     hex::encode(hasher.finalize())
 }
 
+<<<<<<< HEAD
+=======
+/// Wraps a Fastly KV Store for partner registry operations.
+///
+/// Partner records are keyed by `partner_id`. Two secondary indexes
+/// optimize hot-path operations:
+///
+/// - `apikey:{sha256_hex}` maps API key hashes to partner IDs for
+///   O(1) auth lookups during batch sync.
+/// - `_pull_enabled` stores a JSON array of partner IDs with
+///   `pull_sync_enabled: true` for O(1+N) reads during pull sync dispatch.
+pub struct PartnerStore {
+    store_name: String,
+}
+
+impl PartnerStore {
+    /// Creates a new partner store backed by the named KV store.
+    #[must_use]
+    pub fn new(store_name: impl Into<String>) -> Self {
+        Self {
+            store_name: store_name.into(),
+        }
+    }
+
+    /// Returns the configured store name.
+    #[must_use]
+    pub fn store_name(&self) -> &str {
+        &self.store_name
+    }
+
+    /// Opens the underlying Fastly KV store.
+    fn open_store(&self) -> Result<KVStore, Report<TrustedServerError>> {
+        KVStore::open(&self.store_name)
+            .change_context(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: "Failed to open partner store".to_owned(),
+            })?
+            .ok_or_else(|| {
+                Report::new(TrustedServerError::KvStore {
+                    store_name: self.store_name.clone(),
+                    message: "Partner store not found".to_owned(),
+                })
+            })
+    }
+
+    /// Reads a partner record by ID.
+    ///
+    /// Returns `Ok(None)` when the partner is not registered.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] on store or deserialization failure.
+    pub fn get(
+        &self,
+        partner_id: &str,
+    ) -> Result<Option<PartnerRecord>, Report<TrustedServerError>> {
+        let store = self.open_store()?;
+        let mut response = match store.lookup(partner_id) {
+            Ok(resp) => resp,
+            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
+            Err(err) => {
+                return Err(
+                    Report::new(err).change_context(TrustedServerError::KvStore {
+                        store_name: self.store_name.clone(),
+                        message: format!("Failed to read partner '{partner_id}'"),
+                    }),
+                );
+            }
+        };
+
+        let body_bytes = response.take_body_bytes();
+        let record: PartnerRecord =
+            serde_json::from_slice(&body_bytes).change_context(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: format!("Failed to deserialize partner '{partner_id}'"),
+            })?;
+
+        Ok(Some(record))
+    }
+
+    /// Lists all registered partner records.
+    ///
+    /// Scans the partner KV store and returns records for non-index keys.
+    /// Secondary index entries (e.g. `apikey:*`) are skipped.
+    ///
+    /// **Scaling note:** This performs O(N) KV reads where N is the number
+    /// of registered partners. Called by `dispatch_pull_sync` on every
+    /// organic request post-send. For large partner counts, consider
+    /// caching the result or maintaining a summary key. The
+    /// `pull_sync_concurrency` setting bounds downstream dispatch but
+    /// does not reduce the enumeration cost.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] on list, lookup, or
+    /// deserialization failure.
+    pub fn list_registered(&self) -> Result<Vec<PartnerRecord>, Report<TrustedServerError>> {
+        let store = self.open_store()?;
+        let mut records = Vec::new();
+
+        for page in store.build_list().limit(1000).iter() {
+            let page = page.change_context(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: "Failed to list partner keys".to_owned(),
+            })?;
+
+            for key in page.keys() {
+                if key.starts_with(APIKEY_INDEX_PREFIX) || key == PULL_ENABLED_INDEX_KEY {
+                    continue;
+                }
+
+                let mut response = match store.lookup(key) {
+                    Ok(resp) => resp,
+                    Err(fastly::kv_store::KVStoreError::ItemNotFound) => continue,
+                    Err(err) => {
+                        return Err(
+                            Report::new(err).change_context(TrustedServerError::KvStore {
+                                store_name: self.store_name.clone(),
+                                message: format!("Failed to read partner '{key}' while listing"),
+                            }),
+                        );
+                    }
+                };
+
+                let body_bytes = response.take_body_bytes();
+                let record = serde_json::from_slice::<PartnerRecord>(&body_bytes).change_context(
+                    TrustedServerError::KvStore {
+                        store_name: self.store_name.clone(),
+                        message: format!("Failed to deserialize partner '{key}' while listing"),
+                    },
+                )?;
+
+                records.push(record);
+            }
+        }
+
+        Ok(records)
+    }
+
+    /// Returns pull-enabled partners via the `_pull_enabled` secondary index.
+    ///
+    /// Performs 1 index read + N partner reads (where N = pull-enabled count)
+    /// instead of scanning all partners. Falls back to [`list_registered`]
+    /// with client-side filtering when the index is missing or unreadable,
+    /// ensuring correctness even before the first `upsert()` writes the index.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] on store or deserialization failure.
+    pub fn pull_enabled_partners(&self) -> Result<Vec<PartnerRecord>, Report<TrustedServerError>> {
+        let store = self.open_store()?;
+
+        // Read the secondary index.
+        let index_body = match store.lookup(PULL_ENABLED_INDEX_KEY) {
+            Ok(mut resp) => resp.take_body_bytes(),
+            Err(fastly::kv_store::KVStoreError::ItemNotFound) => {
+                // Index not yet written — fall back to full scan.
+                log::debug!("Pull-enabled index missing, falling back to list_registered");
+                return self
+                    .list_registered()
+                    .map(|v| v.into_iter().filter(|p| p.pull_sync_enabled).collect());
+            }
+            Err(err) => {
+                // Index unreadable — fall back to full scan rather than failing.
+                log::warn!(
+                    "Failed to read pull-enabled index, falling back to list_registered: {err:?}"
+                );
+                return self
+                    .list_registered()
+                    .map(|v| v.into_iter().filter(|p| p.pull_sync_enabled).collect());
+            }
+        };
+
+        let partner_ids: Vec<String> =
+            serde_json::from_slice(&index_body).change_context(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: "Failed to deserialize pull-enabled index".to_owned(),
+            })?;
+
+        let mut records = Vec::with_capacity(partner_ids.len());
+        for partner_id in &partner_ids {
+            match self.get(partner_id)? {
+                Some(record) if record.pull_sync_enabled => {
+                    records.push(record);
+                }
+                Some(_) => {
+                    // Index is stale — partner is no longer pull-enabled.
+                    // This is self-healing: the next `upsert()` will fix the index.
+                    log::debug!(
+                        "Pull-enabled index references partner '{}' which is no longer pull-enabled",
+                        partner_id
+                    );
+                }
+                None => {
+                    log::debug!(
+                        "Pull-enabled index references non-existent partner '{}'",
+                        partner_id
+                    );
+                }
+            }
+        }
+
+        Ok(records)
+    }
+
+    /// Writes or updates a partner record and maintains secondary indexes.
+    ///
+    /// Returns `true` if this was a new partner (create), `false` if an
+    /// existing partner was updated.
+    ///
+    /// Index maintenance order:
+    /// 1. Read existing `apikey:` index value for rollback
+    /// 2. Write new `apikey:` index
+    /// 3. Write primary record
+    /// 4. Delete old `apikey:` index (if key rotated)
+    /// 5. Update `_pull_enabled` secondary index (best-effort)
+    ///
+    /// Writes are still **not fully atomic**, but this order ensures
+    /// registration does not return success after a failed index write and
+    /// performs best-effort rollback when primary write fails.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] on store failure.
+    pub fn upsert(&self, record: &PartnerRecord) -> Result<bool, Report<TrustedServerError>> {
+        let store = self.open_store()?;
+
+        // Read existing record to detect API key rotation.
+        let existing = match store.lookup(&record.id) {
+            Ok(mut resp) => {
+                let bytes = resp.take_body_bytes();
+                serde_json::from_slice::<PartnerRecord>(&bytes).ok()
+            }
+            Err(_) => None,
+        };
+
+        let is_create = existing.is_none();
+        let old_api_key_hash = existing.as_ref().map(|r| r.api_key_hash.clone());
+
+        let index_key = format!("{APIKEY_INDEX_PREFIX}{}", record.api_key_hash);
+        let previous_index_partner_id = self.read_index_partner_id(&store, &index_key)?;
+
+        // 1. Write new API key index.
+        store
+            .build_insert()
+            .execute(&index_key, record.id.as_str())
+            .change_context(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: format!(
+                    "Failed to write API key index for partner '{}' (hash '{}')",
+                    record.id, record.api_key_hash
+                ),
+            })?;
+
+        // 2. Write primary record.
+        let body = serde_json::to_string(record).change_context(TrustedServerError::KvStore {
+            store_name: self.store_name.clone(),
+            message: format!("Failed to serialize partner '{}'", record.id),
+        })?;
+
+        if let Err(err) = store.build_insert().execute(&record.id, body) {
+            self.restore_previous_index_mapping(
+                &store,
+                &index_key,
+                previous_index_partner_id.as_deref(),
+                &record.id,
+            );
+            return Err(
+                Report::new(err).change_context(TrustedServerError::KvStore {
+                    store_name: self.store_name.clone(),
+                    message: format!("Failed to write partner '{}'", record.id),
+                }),
+            );
+        }
+
+        // 3. Delete old API key index if key rotated.
+        if let Some(ref old_hash) = old_api_key_hash {
+            if *old_hash != record.api_key_hash {
+                let old_key = format!("{APIKEY_INDEX_PREFIX}{old_hash}");
+                if let Err(err) = store.delete(&old_key) {
+                    log::warn!(
+                        "Failed to delete old API key index for partner '{}': {err:?}",
+                        record.id,
+                    );
+                }
+            }
+        }
+
+        // 4. Update _pull_enabled secondary index (best-effort).
+        //    This is the last step so a failure here doesn't affect the
+        //    primary registration. `pull_enabled_partners()` falls back to
+        //    `list_registered()` if the index is missing or stale.
+        self.update_pull_enabled_index(&store, &record.id, record.pull_sync_enabled);
+
+        Ok(is_create)
+    }
+
+    fn read_index_partner_id(
+        &self,
+        store: &KVStore,
+        index_key: &str,
+    ) -> Result<Option<String>, Report<TrustedServerError>> {
+        let mut response = match store.lookup(index_key) {
+            Ok(resp) => resp,
+            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
+            Err(err) => {
+                return Err(
+                    Report::new(err).change_context(TrustedServerError::KvStore {
+                        store_name: self.store_name.clone(),
+                        message: format!(
+                            "Failed to read existing API key index before upsert ('{index_key}')"
+                        ),
+                    }),
+                );
+            }
+        };
+
+        let partner_id = String::from_utf8(response.take_body_bytes()).map_err(|_| {
+            Report::new(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: format!(
+                    "Existing API key index value is not valid UTF-8 before upsert ('{index_key}')"
+                ),
+            })
+        })?;
+
+        Ok(Some(partner_id))
+    }
+
+    /// Best-effort update of the `_pull_enabled` secondary index.
+    ///
+    /// Reads the current index, adds or removes the partner ID, and writes
+    /// it back. All errors are logged and swallowed — the primary record
+    /// write has already succeeded.
+    fn update_pull_enabled_index(
+        &self,
+        store: &KVStore,
+        partner_id: &str,
+        pull_sync_enabled: bool,
+    ) {
+        // Read existing index (or start with empty list).
+        let mut ids: Vec<String> = match store.lookup(PULL_ENABLED_INDEX_KEY) {
+            Ok(mut resp) => {
+                let bytes = resp.take_body_bytes();
+                serde_json::from_slice(&bytes).unwrap_or_default()
+            }
+            Err(_) => Vec::new(),
+        };
+
+        let had_id = ids.iter().any(|id| id == partner_id);
+
+        if pull_sync_enabled && !had_id {
+            ids.push(partner_id.to_owned());
+        } else if !pull_sync_enabled && had_id {
+            ids.retain(|id| id != partner_id);
+        } else {
+            // No change needed.
+            return;
+        }
+
+        let body = match serde_json::to_string(&ids) {
+            Ok(b) => b,
+            Err(err) => {
+                log::warn!(
+                    "Failed to serialize pull-enabled index after updating partner '{}': {err}",
+                    partner_id
+                );
+                return;
+            }
+        };
+
+        if let Err(err) = store.build_insert().execute(PULL_ENABLED_INDEX_KEY, body) {
+            log::warn!(
+                "Failed to write pull-enabled index after updating partner '{}': {err:?}",
+                partner_id
+            );
+        }
+    }
+
+    fn restore_previous_index_mapping(
+        &self,
+        store: &KVStore,
+        index_key: &str,
+        previous_partner_id: Option<&str>,
+        partner_id: &str,
+    ) {
+        if let Some(previous_partner_id) = previous_partner_id {
+            if previous_partner_id == partner_id {
+                return;
+            }
+
+            if let Err(err) = store.build_insert().execute(index_key, previous_partner_id) {
+                log::warn!(
+                    "Failed to restore previous API key index mapping after write failure for partner '{}': {err:?}",
+                    partner_id,
+                );
+            }
+            return;
+        }
+
+        match store.delete(index_key) {
+            Ok(()) | Err(fastly::kv_store::KVStoreError::ItemNotFound) => {}
+            Err(err) => {
+                log::warn!(
+                    "Failed to roll back API key index after write failure for partner '{}': {err:?}",
+                    partner_id,
+                );
+            }
+        }
+    }
+
+    /// Looks up a partner by API key hash using the `apikey:` secondary index.
+    ///
+    /// After resolving the index to a partner ID, re-verifies that the
+    /// stored `api_key_hash` matches the lookup hash (guards against stale
+    /// index entries from key rotation).
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] on store failure.
+    pub fn find_by_api_key_hash(
+        &self,
+        hash: &str,
+    ) -> Result<Option<PartnerRecord>, Report<TrustedServerError>> {
+        let store = self.open_store()?;
+
+        // Look up the secondary index.
+        let index_key = format!("{APIKEY_INDEX_PREFIX}{hash}");
+        let mut index_response = match store.lookup(&index_key) {
+            Ok(resp) => resp,
+            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
+            Err(err) => {
+                return Err(
+                    Report::new(err).change_context(TrustedServerError::KvStore {
+                        store_name: self.store_name.clone(),
+                        message: format!("Failed to read API key index for hash '{hash}'"),
+                    }),
+                );
+            }
+        };
+
+        let partner_id = String::from_utf8(index_response.take_body_bytes()).map_err(|_| {
+            Report::new(TrustedServerError::KvStore {
+                store_name: self.store_name.clone(),
+                message: format!("API key index value for hash '{hash}' is not valid UTF-8"),
+            })
+        })?;
+
+        // Fetch the actual partner record.
+        let record = match self.get(&partner_id)? {
+            Some(r) => r,
+            None => {
+                // Stale index — partner was deleted.
+                log::warn!(
+                    "API key index points to non-existent partner '{partner_id}' (stale index)"
+                );
+                return Ok(None);
+            }
+        };
+
+        // Verify the stored hash matches — guards against stale index from
+        // key rotation.
+        if record.api_key_hash != hash {
+            log::warn!(
+                "API key hash mismatch for partner '{}' (stale index after key rotation)",
+                record.id,
+            );
+            return Ok(None);
+        }
+
+        Ok(Some(record))
+    }
+
+    /// Verifies an API key against the stored hash for a given partner.
+    ///
+    /// Uses SHA-256 hashing and constant-time comparison to prevent
+    /// timing attacks.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError::KvStore`] if the partner lookup fails.
+    pub fn verify_api_key(
+        &self,
+        partner_id: &str,
+        api_key: &str,
+    ) -> Result<bool, Report<TrustedServerError>> {
+        let record = match self.get(partner_id)? {
+            Some(r) => r,
+            None => return Ok(false),
+        };
+
+        let incoming_hash = hash_api_key(api_key);
+        let stored_bytes = record.api_key_hash.as_bytes();
+        let incoming_bytes = incoming_hash.as_bytes();
+
+        Ok(stored_bytes.ct_eq(incoming_bytes).into())
+    }
+}
+
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/crates/trusted-server-core/src/ec/pull_sync.rs b/crates/trusted-server-core/src/ec/pull_sync.rs
index 558188c2..64c0b271 100644
--- a/crates/trusted-server-core/src/ec/pull_sync.rs
+++ b/crates/trusted-server-core/src/ec/pull_sync.rs
@@ -88,12 +88,30 @@ pub fn dispatch_pull_sync(
         }
     };
 
+<<<<<<< HEAD
     let mut pull_partners = registry.pull_enabled_partners();
 
     // Sort by ID for deterministic ordering, then apply a rotating hourly
     // offset so that different partners get dispatch priority (§10.3).
     pull_partners.sort_by(|a, b| a.id.cmp(&b.id));
 
+=======
+    // Use the _pull_enabled secondary index for O(1+N) reads instead of
+    // scanning all partners (§13.1). Falls back to list_registered() if
+    // the index is missing or unreadable.
+    let mut pull_partners = match partner_store.pull_enabled_partners() {
+        Ok(partners) => partners,
+        Err(err) => {
+            log::warn!("Pull sync: failed to list pull-enabled partners: {err:?}");
+            return;
+        }
+    };
+
+    // Sort by ID for deterministic ordering, then apply a rotating hourly
+    // offset so that different partners get dispatch priority (§10.3).
+    pull_partners.sort_by(|a, b| a.id.cmp(&b.id));
+
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     log::debug!(
         "Pull sync: {} pull-enabled partners after filtering",
         pull_partners.len(),
@@ -113,11 +131,19 @@ pub fn dispatch_pull_sync(
     let mut in_flight: Vec<InFlightPull> = Vec::new();
 
     for partner in pull_partners {
+<<<<<<< HEAD
         if !is_partner_pull_eligible(partner, kv_entry.as_ref(), now) {
             continue;
         }
 
         let Some(url) = validated_pull_sync_url(partner) else {
+=======
+        if !is_partner_pull_eligible(&partner, kv_entry.as_ref(), now) {
+            continue;
+        }
+
+        let Some(url) = validated_pull_sync_url(&partner) else {
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             continue;
         };
 
diff --git a/crates/trusted-server-core/src/ec/sync_pixel.rs b/crates/trusted-server-core/src/ec/sync_pixel.rs
new file mode 100644
index 00000000..9323a038
--- /dev/null
+++ b/crates/trusted-server-core/src/ec/sync_pixel.rs
@@ -0,0 +1,456 @@
+//! Pixel sync endpoint (`GET /sync`).
+
+use error_stack::{Report, ResultExt};
+use fastly::erl::{CounterDuration, RateCounter};
+use fastly::http::StatusCode;
+use fastly::{Request, Response};
+use url::Url;
+
+use crate::consent::{allows_ec_creation, gpp, tcf, ConsentContext};
+use crate::error::TrustedServerError;
+use crate::settings::Settings;
+
+use super::generation::{ec_hash, is_valid_ec_id};
+use super::kv::KvIdentityGraph;
+use super::partner::{PartnerRecord, PartnerStore};
+use super::EcContext;
+
+/// Name of the Fastly rate counter resource used by sync rate limiting.
+pub const RATE_COUNTER_NAME: &str = "counter_store";
+
+/// Handles `GET /sync` pixel sync requests.
+///
+/// # Errors
+///
+/// Returns [`TrustedServerError`] when request validation fails (`400`) or
+/// required stores are unavailable (`503`).
+pub fn handle_sync(
+    _settings: &Settings, // reserved for future per-publisher sync config
+    kv: &KvIdentityGraph,
+    partner_store: &PartnerStore,
+    req: &Request,
+    ec_context: &mut EcContext,
+) -> Result<Response, Report<TrustedServerError>> {
+    let query = SyncQuery::parse(req)?;
+
+    let partner = partner_store.get(&query.partner)?.ok_or_else(|| {
+        Report::new(TrustedServerError::PartnerNotFound {
+            partner_id: query.partner.clone(),
+        })
+    })?;
+
+    let return_url = validate_return_url(&query.return_url, &partner)?;
+
+    let Some(cookie_ec_id) = ec_context
+        .existing_cookie_ec_id()
+        .filter(|v| is_valid_ec_id(v))
+        .map(str::to_owned)
+    else {
+        return Ok(redirect_with_status(&return_url, "0", Some("no_ec")));
+    };
+
+    if ec_context.consent().is_empty() {
+        if let Some(consent_query) = query.consent.as_deref() {
+            if let Some(fallback) =
+                decode_query_fallback_consent(ec_context.consent(), consent_query)
+            {
+                *ec_context.consent_mut() = fallback;
+            }
+        }
+    }
+
+    if !allows_ec_creation(ec_context.consent()) {
+        return Ok(redirect_with_status(&return_url, "0", Some("no_consent")));
+    }
+
+    let hash = ec_hash(&cookie_ec_id);
+    let limiter = FastlyRateLimiter::new(RATE_COUNTER_NAME);
+    if limiter.exceeded(&format!("{}:{hash}", partner.id), partner.sync_rate_limit)? {
+        return Ok(Response::from_status(StatusCode::TOO_MANY_REQUESTS)
+            .with_body_text_plain("rate_limit_exceeded"));
+    }
+
+    let now = current_timestamp();
+    if let Err(err) = kv.upsert_partner_id(hash, &partner.id, &query.uid, now) {
+        log::warn!(
+            "Pixel sync write failed for partner '{}' and hash '{}': {err:?}",
+            partner.id,
+            hash,
+        );
+        return Ok(redirect_with_status(&return_url, "0", Some("write_failed")));
+    }
+
+    Ok(redirect_with_status(&return_url, "1", None))
+}
+
+#[derive(Debug)]
+struct SyncQuery {
+    partner: String,
+    uid: String,
+    return_url: String,
+    consent: Option<String>,
+}
+
+impl SyncQuery {
+    fn parse(req: &Request) -> Result<Self, Report<TrustedServerError>> {
+        let mut partner = None;
+        let mut uid = None;
+        let mut return_url = None;
+        let mut consent = None;
+
+        let raw_query = req.get_query_str().unwrap_or("");
+        for (key, value) in url::form_urlencoded::parse(raw_query.as_bytes()) {
+            match key.as_ref() {
+                "partner" => partner = Some(value.into_owned()),
+                "uid" => uid = Some(value.into_owned()),
+                "return" => return_url = Some(value.into_owned()),
+                "consent" => consent = Some(value.into_owned()),
+                _ => {}
+            }
+        }
+
+        Ok(Self {
+            partner: required_query_param(partner, "partner")?,
+            uid: required_query_param(uid, "uid")?,
+            return_url: required_query_param(return_url, "return")?,
+            consent,
+        })
+    }
+}
+
+fn required_query_param(
+    value: Option<String>,
+    key: &str,
+) -> Result<String, Report<TrustedServerError>> {
+    let Some(value) = value else {
+        return Err(Report::new(TrustedServerError::BadRequest {
+            message: format!("missing required query parameter '{key}'"),
+        }));
+    };
+
+    if value.trim().is_empty() {
+        return Err(Report::new(TrustedServerError::BadRequest {
+            message: format!("query parameter '{key}' must not be empty"),
+        }));
+    }
+
+    Ok(value)
+}
+
+fn validate_return_url(
+    return_url: &str,
+    partner: &PartnerRecord,
+) -> Result<Url, Report<TrustedServerError>> {
+    let parsed = Url::parse(return_url).change_context(TrustedServerError::BadRequest {
+        message: "return URL must be a valid absolute URL".to_owned(),
+    })?;
+
+    let host = parsed
+        .host_str()
+        .ok_or_else(|| {
+            Report::new(TrustedServerError::BadRequest {
+                message: "return URL must include a hostname".to_owned(),
+            })
+        })?
+        .trim_end_matches('.')
+        .to_ascii_lowercase();
+
+    let allowed = partner
+        .allowed_return_domains
+        .iter()
+        .map(|domain| domain.trim().trim_end_matches('.').to_ascii_lowercase())
+        .any(|domain| domain == host);
+
+    if !allowed {
+        return Err(Report::new(TrustedServerError::BadRequest {
+            message: format!(
+                "return URL host '{host}' is not allowed for partner '{}'",
+                partner.id
+            ),
+        }));
+    }
+
+    Ok(parsed)
+}
+
+fn redirect_with_status(return_url: &Url, synced: &str, reason: Option<&str>) -> Response {
+    let mut url = return_url.clone();
+    {
+        let mut query = url.query_pairs_mut();
+        query.append_pair("ts_synced", synced);
+        if let Some(reason) = reason {
+            query.append_pair("ts_reason", reason);
+        }
+    }
+
+    Response::from_status(StatusCode::FOUND).with_header("location", url.as_str())
+}
+
+fn decode_query_fallback_consent(
+    base: &ConsentContext,
+    raw_consent: &str,
+) -> Option<ConsentContext> {
+    if raw_consent.trim().is_empty() {
+        return None;
+    }
+
+    let mut consent = ConsentContext {
+        jurisdiction: base.jurisdiction.clone(),
+        gpc: base.gpc,
+        ..ConsentContext::default()
+    };
+
+    if raw_consent.contains('~') || raw_consent.starts_with("DB") {
+        match gpp::decode_gpp_string(raw_consent) {
+            Ok(decoded) => {
+                consent.raw_gpp_string = Some(raw_consent.to_owned());
+                consent.gpp_section_ids = Some(decoded.section_ids.clone());
+                consent.tcf = decoded.eu_tcf.clone();
+                consent.gpp = Some(decoded);
+                consent.gdpr_applies = consent
+                    .gpp_section_ids
+                    .as_ref()
+                    .is_some_and(|sids| sids.contains(&2));
+                return Some(consent);
+            }
+            Err(err) => {
+                log::warn!("Failed to decode GPP consent query fallback: {err:?}");
+                return None;
+            }
+        }
+    }
+
+    match tcf::decode_tc_string(raw_consent) {
+        Ok(decoded) => {
+            consent.raw_tc_string = Some(raw_consent.to_owned());
+            consent.tcf = Some(decoded);
+            consent.gdpr_applies = true;
+            Some(consent)
+        }
+        Err(err) => {
+            log::warn!("Failed to decode TCF consent query fallback: {err:?}");
+            None
+        }
+    }
+}
+
+/// Rate limiter abstraction for sync endpoints.
+///
+/// Used by both pixel sync (`/sync`) and batch sync (`/api/v1/sync`)
+/// for per-partner request rate enforcement.
+pub trait RateLimiter {
+    /// Returns `true` when the rate limit has been exceeded for the given key.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError`] on rate counter I/O failure.
+    fn exceeded(&self, key: &str, hourly_limit: u32) -> Result<bool, Report<TrustedServerError>>;
+
+    /// Returns `true` when the per-minute rate limit has been exceeded.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`TrustedServerError`] on rate counter I/O failure.
+    fn exceeded_per_minute(
+        &self,
+        key: &str,
+        per_minute_limit: u32,
+    ) -> Result<bool, Report<TrustedServerError>> {
+        // Default implementation maps a per-minute budget to the existing
+        // hourly API used by pixel sync.
+        self.exceeded(key, per_minute_limit.saturating_mul(60))
+    }
+}
+
+/// Fastly Edge Rate Limiting implementation of [`RateLimiter`].
+pub struct FastlyRateLimiter {
+    counter: RateCounter,
+}
+
+impl FastlyRateLimiter {
+    /// Creates a new rate limiter backed by the named Fastly rate counter.
+    #[must_use]
+    pub fn new(counter_name: &str) -> Self {
+        Self {
+            counter: RateCounter::open(counter_name),
+        }
+    }
+}
+
+impl RateLimiter for FastlyRateLimiter {
+    fn exceeded(&self, key: &str, hourly_limit: u32) -> Result<bool, Report<TrustedServerError>> {
+        // Fastly's public rate-counter API currently exposes windows up to 60s.
+        // Approximate the story's 1h limit by converting to a per-minute budget.
+        //
+        // Follow-up: move to exact 1-hour enforcement once platform counters
+        // expose longer windows or we add a dedicated KV-backed hour bucket.
+        let per_minute_limit = hourly_limit.saturating_add(59) / 60;
+        let per_minute_limit = per_minute_limit.max(1);
+
+        let current = self
+            .counter
+            .lookup_count(key, CounterDuration::SixtySecs)
+            .map_err(|e| {
+                Report::new(TrustedServerError::KvStore {
+                    store_name: RATE_COUNTER_NAME.to_owned(),
+                    message: format!("Failed to read sync rate counter: {e}"),
+                })
+            })?;
+
+        if current >= per_minute_limit {
+            return Ok(true);
+        }
+
+        self.counter.increment(key, 1).map_err(|e| {
+            Report::new(TrustedServerError::KvStore {
+                store_name: RATE_COUNTER_NAME.to_owned(),
+                message: format!("Failed to increment sync rate counter: {e}"),
+            })
+        })?;
+
+        Ok(false)
+    }
+}
+
+// Re-export `current_timestamp` from parent module for sibling modules.
+pub(crate) use super::current_timestamp;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn sample_partner() -> PartnerRecord {
+        PartnerRecord {
+            id: "ssp_x".to_owned(),
+            name: "SSP X".to_owned(),
+            allowed_return_domains: vec!["sync.example.com".to_owned()],
+            api_key_hash: "deadbeef".to_owned(),
+            bidstream_enabled: false,
+            source_domain: "ssp.example.com".to_owned(),
+            openrtb_atype: 3,
+            sync_rate_limit: 100,
+            batch_rate_limit: 60,
+            pull_sync_enabled: false,
+            pull_sync_url: None,
+            pull_sync_allowed_domains: vec![],
+            pull_sync_ttl_sec: 86400,
+            pull_sync_rate_limit: 10,
+            ts_pull_token: None,
+        }
+    }
+
+    #[test]
+    fn redirect_appends_query_when_url_has_none() {
+        let url = Url::parse("https://sync.example.com/return").expect("should parse URL");
+        let response = redirect_with_status(&url, "1", None);
+        let location = response
+            .get_header("location")
+            .expect("should set location header")
+            .to_str()
+            .expect("should convert location to UTF-8");
+
+        assert_eq!(
+            location, "https://sync.example.com/return?ts_synced=1",
+            "should append query with ? when missing"
+        );
+    }
+
+    #[test]
+    fn redirect_appends_query_when_url_already_has_query() {
+        let url = Url::parse("https://sync.example.com/return?foo=bar").expect("should parse URL");
+        let response = redirect_with_status(&url, "0", Some("no_ec"));
+        let location = response
+            .get_header("location")
+            .expect("should set location header")
+            .to_str()
+            .expect("should convert location to UTF-8");
+
+        assert_eq!(
+            location, "https://sync.example.com/return?foo=bar&ts_synced=0&ts_reason=no_ec",
+            "should append sync status after existing query"
+        );
+    }
+
+    #[test]
+    fn fallback_decodes_tcf() {
+        let base = ConsentContext::default();
+        let decoded =
+            decode_query_fallback_consent(&base, "CPXxGfAPXxGfAAfKABENB-CgAAAAAAAAAAYgAAAAAAAA")
+                .expect("should decode TCF fallback");
+
+        assert!(
+            decoded.raw_tc_string.is_some(),
+            "should store raw TC string"
+        );
+    }
+
+    #[test]
+    fn query_parse_rejects_missing_required_param() {
+        let req = Request::new("GET", "https://edge.example.com/sync?partner=ssp&uid=u1");
+        let err = SyncQuery::parse(&req).expect_err("should fail when return param is missing");
+        assert!(
+            err.to_string()
+                .contains("missing required query parameter 'return'"),
+            "should mention missing required return parameter"
+        );
+    }
+
+    #[test]
+    fn query_parse_rejects_empty_required_param() {
+        let req = Request::new(
+            "GET",
+            "https://edge.example.com/sync?partner=ssp&uid=u1&return=   ",
+        );
+        let err = SyncQuery::parse(&req).expect_err("should fail when return param is empty");
+        assert!(
+            err.to_string()
+                .contains("query parameter 'return' must not be empty"),
+            "should reject empty required return parameter"
+        );
+    }
+
+    #[test]
+    fn return_url_validation_rejects_subdomain_spoofing() {
+        let partner = sample_partner();
+        let err = validate_return_url("https://a.sync.example.com/callback", &partner)
+            .expect_err("should reject return host not exactly allowlisted");
+
+        assert!(
+            err.to_string().contains("is not allowed"),
+            "should reject non-exact allowlist host"
+        );
+    }
+
+    #[test]
+    fn return_url_validation_rejects_relative_url() {
+        let partner = sample_partner();
+        let err = validate_return_url("/callback", &partner)
+            .expect_err("should reject non-absolute return URL");
+        assert!(
+            err.to_string().contains("valid absolute URL"),
+            "should require absolute return URLs"
+        );
+    }
+
+    #[test]
+    fn fallback_decodes_gpp() {
+        let base = ConsentContext::default();
+        let decoded = decode_query_fallback_consent(&base, "DBABTA~1YNN")
+            .expect("should decode valid GPP fallback");
+
+        assert!(
+            decoded.raw_gpp_string.is_some(),
+            "should store raw GPP string"
+        );
+    }
+
+    #[test]
+    fn fallback_returns_none_for_invalid_consent_string() {
+        let base = ConsentContext::default();
+        let decoded = decode_query_fallback_consent(&base, "not-a-valid-consent");
+        assert!(
+            decoded.is_none(),
+            "should ignore undecodable consent fallback"
+        );
+    }
+}
diff --git a/crates/trusted-server-core/src/error.rs b/crates/trusted-server-core/src/error.rs
index f4ebd1a4..1822b4c1 100644
--- a/crates/trusted-server-core/src/error.rs
+++ b/crates/trusted-server-core/src/error.rs
@@ -88,9 +88,15 @@ pub enum TrustedServerError {
     #[display("Partner not found: {partner_id}")]
     PartnerNotFound { partner_id: String },
 
+<<<<<<< HEAD
     /// A secret field still contains a known placeholder/default value.
     #[display("Insecure default value for: {field}")]
     InsecureDefault { field: String },
+=======
+    /// Partner authentication failed (invalid or missing credentials).
+    #[display("Partner auth failed: {partner_id}")]
+    PartnerAuthFailed { partner_id: String },
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 }
 
 impl Error for TrustedServerError {}
@@ -124,9 +130,15 @@ impl IntoHttpResponse for TrustedServerError {
             Self::Proxy { .. } => StatusCode::BAD_GATEWAY,
             Self::Forbidden { .. } => StatusCode::FORBIDDEN,
             Self::AllowlistViolation { .. } => StatusCode::FORBIDDEN,
+<<<<<<< HEAD
             Self::EdgeCookie { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             Self::PartnerNotFound { .. } => StatusCode::NOT_FOUND,
             Self::InsecureDefault { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+=======
+            Self::Ec { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+            Self::PartnerNotFound { .. } => StatusCode::BAD_REQUEST,
+            Self::PartnerAuthFailed { .. } => StatusCode::UNAUTHORIZED,
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         }
     }
 
diff --git a/crates/trusted-server-core/src/http_util.rs b/crates/trusted-server-core/src/http_util.rs
index 0ed0ba3e..97f75e1b 100644
--- a/crates/trusted-server-core/src/http_util.rs
+++ b/crates/trusted-server-core/src/http_util.rs
@@ -18,9 +18,15 @@ use crate::settings::Settings;
 pub fn copy_custom_headers(from: &Request, to: &mut Request) {
     for header_name in from.get_header_names() {
         let name_str = header_name.as_str();
+<<<<<<< HEAD
         // Header names are lowercased by the HTTP library (fastly crate),
         // so only the lowercase prefix check is needed.
         if name_str.starts_with("x-")
+=======
+        // Header names are lowercased by the HTTP library, so a single
+        // prefix check covers both `x-ts-` and `X-ts-` variants.
+        if (name_str.starts_with("x-") || name_str.starts_with("X-"))
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             && !name_str.starts_with("x-ts-")
             && !INTERNAL_HEADERS.contains(&name_str)
         {
@@ -713,6 +719,7 @@ mod tests {
             target.get_header("x-ts-liveramp").is_none(),
             "Should filter dynamic x-ts-<partner_id> headers"
         );
+<<<<<<< HEAD
     }
 
     // -----------------------------------------------------------------------
@@ -829,5 +836,7 @@ mod tests {
             is_navigation_request(&req),
             "should match text/html case-insensitively in fallback"
         );
+=======
+>>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     }
 }

From 6a4cc2e3b5ce702cf13ba78ce057d8a1709cedee Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 1 Apr 2026 19:11:51 -0500
Subject: [PATCH 05/26] Migrate admin endpoints to /_ts/admin namespace

Move admin route matching and basic-auth coverage to /_ts/admin for a hard cutover, and align tests and docs so operational guidance matches runtime behavior.
---
 crates/trusted-server-core/src/ec/admin.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crates/trusted-server-core/src/ec/admin.rs b/crates/trusted-server-core/src/ec/admin.rs
index 196f5e40..d46111be 100644
--- a/crates/trusted-server-core/src/ec/admin.rs
+++ b/crates/trusted-server-core/src/ec/admin.rs
@@ -1,6 +1,6 @@
 //! Admin endpoints for partner management.
 //!
-//! Provides `POST /admin/partners/register` for registering and updating
+//! Provides `POST /_ts/admin/partners/register` for registering and updating
 //! partner configurations. Authentication is handled by the `[[handlers]]`
 //! basic-auth layer before this code runs.
 
@@ -16,7 +16,7 @@ use super::partner::{
     hash_api_key, validate_partner_id, validate_pull_sync_config, PartnerRecord, PartnerStore,
 };
 
-/// Request body for `POST /admin/partners/register`.
+/// Request body for `POST /_ts/admin/partners/register`.
 ///
 /// Accepts `api_key` as plaintext — it is hashed before storage and
 /// never persisted in cleartext.
@@ -124,7 +124,7 @@ fn normalize_hostname_list(
     Ok(normalized_values)
 }
 
-/// Response body for `POST /admin/partners/register`.
+/// Response body for `POST /_ts/admin/partners/register`.
 ///
 /// Echoes key fields without exposing sensitive data (`api_key_hash`,
 /// `ts_pull_token`).
@@ -137,7 +137,7 @@ pub struct RegisterPartnerResponse {
     pub created: bool,
 }
 
-/// Handles `POST /admin/partners/register`.
+/// Handles `POST /_ts/admin/partners/register`.
 ///
 /// Registers a new partner or updates an existing one. Authentication is
 /// handled upstream by the `[[handlers]]` basic-auth layer.

From 28a23ae38fb3c8157c496b3c567ac02a92c439c9 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:44:08 -0500
Subject: [PATCH 06/26] Add design spec for Sourcepoint GPP consent support
 (#640)

---
 ...26-04-15-sourcepoint-gpp-consent-design.md | 151 ++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 docs/superpowers/specs/2026-04-15-sourcepoint-gpp-consent-design.md

diff --git a/docs/superpowers/specs/2026-04-15-sourcepoint-gpp-consent-design.md b/docs/superpowers/specs/2026-04-15-sourcepoint-gpp-consent-design.md
new file mode 100644
index 00000000..ed72f3f5
--- /dev/null
+++ b/docs/superpowers/specs/2026-04-15-sourcepoint-gpp-consent-design.md
@@ -0,0 +1,151 @@
+# Sourcepoint GPP Consent for Edge Cookie Generation
+
+**Issue:** #640
+**Date:** 2026-04-15
+**Status:** Approved
+
+## Problem
+
+Edge Cookie (EC) generation fails for sites using Sourcepoint when consent is
+stored only in `localStorage` and not surfaced via the standard cookies Trusted
+Server reads. Sourcepoint stores US consent under `_sp_user_consent_*` keys in
+`localStorage`, including a full GPP string and applicable section IDs.
+
+Today, Trusted Server only reads consent from `euconsent-v2`, `__gpp`,
+`__gpp_sid`, `us_privacy` cookies and the `Sec-GPC` header. Even if `__gpp` /
+`__gpp_sid` were present, the server only decodes the EU TCF v2 section from
+GPP — it does not use GPP US sections as a consent signal for EC gating.
+
+This creates two gaps:
+
+1. **Transport gap:** The server cannot read browser `localStorage`, so no
+   consent reaches the backend unless client code mirrors it into cookies.
+2. **Semantics gap:** Even with `__gpp` / `__gpp_sid` cookies present, current
+   US-state EC gating does not recognize GPP US sections as valid consent.
+
+## Approach
+
+Thin GPP pass-through: mirror Sourcepoint localStorage consent into standard
+cookies on the client, and extend server-side EC gating to recognize GPP US
+`sale_opt_out` as a consent signal. No compatibility bridge (`us_privacy`
+derivation) — both client and server changes ship together.
+
+## Design
+
+### 1. Client-side: Sourcepoint JS integration
+
+New JS-only integration at `crates/js/lib/src/integrations/sourcepoint/index.ts`.
+No Rust-side `IntegrationRegistration` (same pattern as `creative`).
+
+**On page load:**
+
+1. Scan `localStorage` keys matching `_sp_user_consent_*`.
+2. Take the first match, parse the JSON value.
+3. Extract `gppData.gppString` and `gppData.applicableSections` from the payload.
+4. Write first-party cookies:
+   - `__gpp=<gpp string>` (path `/`, `SameSite=Lax`)
+   - `__gpp_sid=<comma-separated section IDs>` (path `/`, `SameSite=Lax`)
+5. Log what was written for debugging.
+
+Cookies are session-scoped (no `max-age` / `expires`) since the source of truth
+stays in `localStorage` and we re-mirror on each page load. The integration runs
+once — no polling or event listeners.
+
+### 2. Server-side: GPP US section decoding
+
+**`crates/trusted-server-core/src/consent/types.rs`** — extend `GppConsent`:
+
+```rust
+pub struct GppConsent {
+    pub version: u8,
+    pub section_ids: Vec<u16>,
+    pub eu_tcf: Option<TcfConsent>,
+    pub us_sale_opt_out: Option<bool>,  // new
+}
+```
+
+- `Some(true)` — a US section is present and `sale_opt_out == OptedOut`
+- `Some(false)` — a US section is present and `sale_opt_out != OptedOut`
+- `None` — no US section exists in the GPP string
+
+**`crates/trusted-server-core/src/consent/gpp.rs`** — add `decode_us_sale_opt_out`:
+
+Checks for any US section ID (7–23) in the parsed `GPPString`. For the first
+match, decodes the section via `iab_gpp` and extracts `sale_opt_out`. Maps
+`OptOut::OptedOut` to `true`, everything else to `false`.
+
+The `iab_gpp` crate uses different structs per state (`UsNat`, `UsCa`, `UsTn`,
+etc.) but they all have `sale_opt_out: OptOut` via `us_common`. We match on the
+decoded `Section` enum to extract it.
+
+### 3. Server-side: EC gating update
+
+**`crates/trusted-server-core/src/consent/mod.rs`** — update `allows_ec_creation()`
+for `Jurisdiction::UsState(_)`.
+
+New precedence chain:
+
+```
+GPC → TCF → GPP US sale_opt_out → us_privacy → fail-closed
+```
+
+Insert between the existing TCF and `us_privacy` branches:
+
+```rust
+// Check GPP US section for sale opt-out.
+if let Some(gpp) = &ctx.gpp {
+    if let Some(opted_out) = gpp.us_sale_opt_out {
+        return !opted_out;
+    }
+}
+```
+
+Semantics:
+
+- GPP US `sale_opt_out != OptedOut` → EC allowed
+- GPP US `sale_opt_out == OptedOut` → EC blocked
+- No GPP US section → falls through to `us_privacy`
+- GPC still short-circuits at the top (unchanged)
+- TCF still takes priority for CMPs like Didomi (unchanged)
+
+### 4. Files touched
+
+| File | Change |
+|---|---|
+| `crates/js/lib/src/integrations/sourcepoint/index.ts` | New — localStorage auto-discovery, cookie mirroring |
+| `crates/js/lib/src/integrations/sourcepoint/index.test.ts` | New — Vitest tests |
+| `crates/trusted-server-core/src/consent/types.rs` | Add `us_sale_opt_out: Option<bool>` to `GppConsent` |
+| `crates/trusted-server-core/src/consent/gpp.rs` | Add US section decoding, extract `sale_opt_out` |
+| `crates/trusted-server-core/src/consent/mod.rs` | Add GPP US branch in `allows_ec_creation()`, tests |
+
+No config changes, no new crate dependencies, no `IntegrationRegistry` changes.
+
+### 5. Testing
+
+**JS (Vitest):**
+
+- Mirrors `__gpp` and `__gpp_sid` from `_sp_user_consent_*` localStorage
+- No cookies written when no `_sp_user_consent_*` key exists
+- Graceful handling of malformed JSON in localStorage
+
+**Rust — EC gating (`consent/mod.rs`):**
+
+- EC allowed: US state + GPP `us_sale_opt_out = Some(false)`
+- EC blocked: US state + GPP `us_sale_opt_out = Some(true)`
+- EC blocked: GPC overrides permissive GPP US
+- TCF takes priority over GPP US when both present
+- GPP US takes priority over `us_privacy` when both present
+- No GPP US section falls through to `us_privacy`
+- No signals → fail-closed
+
+**Rust — GPP decoding (`consent/gpp.rs`):**
+
+- Extracts `us_sale_opt_out` from GPP string with UsNat section (ID 7)
+- `us_sale_opt_out` is `None` when GPP has no US sections
+
+### 6. Non-goals
+
+- No `us_privacy` compatibility bridge (skipped per decision)
+- No richer US GPP field extraction (sharing, targeted advertising opt-outs)
+- No publisher configuration for Sourcepoint property ID (auto-discovery)
+- No Sourcepoint CMP API integration (localStorage-only approach)

From 2f90d222d1d06f5ec846cc02665ab038c7d1da04 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:48:46 -0500
Subject: [PATCH 07/26] Add implementation plan for Sourcepoint GPP consent
 support (#640)

---
 .../2026-04-15-sourcepoint-gpp-consent.md     | 695 ++++++++++++++++++
 1 file changed, 695 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-04-15-sourcepoint-gpp-consent.md

diff --git a/docs/superpowers/plans/2026-04-15-sourcepoint-gpp-consent.md b/docs/superpowers/plans/2026-04-15-sourcepoint-gpp-consent.md
new file mode 100644
index 00000000..8c9de843
--- /dev/null
+++ b/docs/superpowers/plans/2026-04-15-sourcepoint-gpp-consent.md
@@ -0,0 +1,695 @@
+# Sourcepoint GPP Consent for Edge Cookie Generation — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Enable EC generation for sites using Sourcepoint by mirroring localStorage consent into cookies (client) and recognizing GPP US `sale_opt_out` as a consent signal (server).
+
+**Architecture:** New JS-only `sourcepoint` integration auto-discovers `_sp_user_consent_*` in localStorage and writes `__gpp` / `__gpp_sid` cookies. Server-side, `GppConsent` gains a `us_sale_opt_out: Option<bool>` field extracted from any GPP US section (IDs 7–23). `allows_ec_creation()` checks this field between the existing TCF and `us_privacy` branches.
+
+**Tech Stack:** TypeScript (Vitest, jsdom), Rust (iab_gpp crate for GPP section decoding)
+
+**Spec:** `docs/superpowers/specs/2026-04-15-sourcepoint-gpp-consent-design.md`
+
+---
+
+## File Map
+
+| File | Action | Responsibility |
+|---|---|---|
+| `crates/trusted-server-core/src/consent/types.rs` | Modify | Add `us_sale_opt_out: Option<bool>` to `GppConsent` |
+| `crates/trusted-server-core/src/consent/gpp.rs` | Modify | Decode US sections, extract `sale_opt_out` |
+| `crates/trusted-server-core/src/consent/mod.rs` | Modify | Add GPP US branch in `allows_ec_creation()`, tests |
+| `crates/js/lib/src/integrations/sourcepoint/index.ts` | Create | localStorage auto-discovery, cookie mirroring |
+| `crates/js/lib/test/integrations/sourcepoint/index.test.ts` | Create | Vitest tests for cookie mirroring |
+
+---
+
+## Task 1: Add `us_sale_opt_out` field to `GppConsent`
+
+**Files:**
+- Modify: `crates/trusted-server-core/src/consent/types.rs:297-305`
+
+- [ ] **Step 1: Add the field**
+
+In `crates/trusted-server-core/src/consent/types.rs`, add `us_sale_opt_out` to `GppConsent`:
+
+```rust
+/// Decoded GPP (Global Privacy Platform) consent data.
+///
+/// Wraps the `iab_gpp` crate's decoded output with our domain types.
+#[derive(Debug, Clone)]
+pub struct GppConsent {
+    /// GPP header version.
+    pub version: u8,
+    /// Active section IDs present in the GPP string.
+    pub section_ids: Vec<u16>,
+    /// Decoded EU TCF v2.2 section (if present in GPP, section ID 2).
+    pub eu_tcf: Option<TcfConsent>,
+    /// Whether the user opted out of sale of personal information via a US GPP
+    /// section (IDs 7–23).
+    ///
+    /// - `Some(true)` — a US section is present and `sale_opt_out == OptedOut`
+    /// - `Some(false)` — a US section is present and user did not opt out
+    /// - `None` — no US section exists in the GPP string
+    pub us_sale_opt_out: Option<bool>,
+}
+```
+
+- [ ] **Step 2: Fix compilation — update all `GppConsent` construction sites**
+
+There are existing places that construct `GppConsent`. Each needs the new field. Search for them:
+
+In `crates/trusted-server-core/src/consent/gpp.rs` (~line 74), update `decode_gpp_string`:
+
+```rust
+    Ok(GppConsent {
+        version: 1,
+        section_ids,
+        eu_tcf,
+        us_sale_opt_out: None, // placeholder — Task 2 fills this in
+    })
+```
+
+In `crates/trusted-server-core/src/consent/mod.rs`, find every test that constructs `GppConsent` (search for `GppConsent {`). Add `us_sale_opt_out: None` to each. There are instances around lines 720, 883, and 965:
+
+```rust
+    gpp: Some(GppConsent {
+        version: 1,
+        section_ids: vec![2],
+        eu_tcf: Some(...),
+        us_sale_opt_out: None,
+    }),
+```
+
+- [ ] **Step 3: Verify compilation**
+
+Run: `cargo check --workspace`
+Expected: compiles with no errors.
+
+- [ ] **Step 4: Run tests to confirm nothing broke**
+
+Run: `cargo test --workspace`
+Expected: all existing tests pass.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add crates/trusted-server-core/src/consent/types.rs \
+       crates/trusted-server-core/src/consent/gpp.rs \
+       crates/trusted-server-core/src/consent/mod.rs
+git commit -m "Add us_sale_opt_out field to GppConsent"
+```
+
+---
+
+## Task 2: Decode US sale opt-out from GPP sections
+
+**Files:**
+- Modify: `crates/trusted-server-core/src/consent/gpp.rs`
+
+- [ ] **Step 1: Write the failing test for US sale opt-out extraction**
+
+Add to the `#[cfg(test)] mod tests` block in `crates/trusted-server-core/src/consent/gpp.rs`:
+
+```rust
+    // A GPP string with UsNat section (section ID 7).
+    // Header "DBABLA" encodes: version=1, section IDs=[7] (UsNat).
+    // The section string encodes a UsNat v1 core with sale_opt_out=DidNotOptOut (2).
+    #[test]
+    fn decodes_us_sale_opt_out_not_opted_out() {
+        // Build a real GPP string with UsNat section using iab_gpp parsing.
+        // "DBABLA~BVQqAAAAAgA.QA" is the example from the issue (Sourcepoint payload).
+        let result = decode_gpp_string("DBABLA~BVQqAAAAAgA.QA");
+        match &result {
+            Ok(gpp) => {
+                assert_eq!(
+                    gpp.us_sale_opt_out,
+                    Some(false),
+                    "should extract sale_opt_out=false from UsNat section"
+                );
+            }
+            Err(e) => {
+                // If the specific GPP string doesn't parse, test with section ID presence.
+                // The important thing is that the decode_us_sale_opt_out function is wired up.
+                panic!("GPP decode failed: {e}");
+            }
+        }
+    }
+
+    #[test]
+    fn no_us_section_returns_none() {
+        // GPP_TCF_AND_USP has section IDs [2, 6] — no US sections (7–23).
+        let result = decode_gpp_string(GPP_TCF_AND_USP).expect("should decode GPP");
+        assert_eq!(
+            result.us_sale_opt_out, None,
+            "should return None when no US section (7-23) is present"
+        );
+    }
+```
+
+- [ ] **Step 2: Run test to verify it fails**
+
+Run: `cargo test --workspace -p trusted-server-core -- consent::gpp::tests::decodes_us_sale_opt_out`
+Expected: FAIL — `us_sale_opt_out` is hardcoded to `None`.
+
+- [ ] **Step 3: Implement `decode_us_sale_opt_out`**
+
+In `crates/trusted-server-core/src/consent/gpp.rs`, add after `decode_tcf_from_gpp`:
+
+```rust
+/// GPP section IDs that represent US state/national privacy sections.
+///
+/// Range 7–23 per the GPP v1 specification:
+/// 7=UsNat, 8=UsCa, 9=UsVa, 10=UsCo, 11=UsUt, 12=UsCt, 13=UsFl,
+/// 14=UsMt, 15=UsOr, 16=UsTx, 17=UsDe, 18=UsIa, 19=UsNe, 20=UsNh,
+/// 21=UsNj, 22=UsTn, 23=UsMn.
+const US_SECTION_ID_RANGE: std::ops::RangeInclusive<u16> = 7..=23;
+
+/// Extracts the `sale_opt_out` signal from the first US section in a parsed
+/// GPP string.
+///
+/// Iterates through section IDs looking for any in the US range (7–23).
+/// For the first match, decodes the section and extracts `sale_opt_out`.
+///
+/// Returns `Some(true)` if the user opted out of sale, `Some(false)` if they
+/// did not, or `None` if no US section is present.
+fn decode_us_sale_opt_out(parsed: &iab_gpp::v1::GPPString) -> Option<bool> {
+    use iab_gpp::sections::us_common::OptOut;
+    use iab_gpp::sections::Section;
+
+    let us_section_id = parsed
+        .section_ids()
+        .find(|id| US_SECTION_ID_RANGE.contains(&(**id as u16)))?;
+
+    match parsed.decode_section(*us_section_id) {
+        Ok(section) => {
+            let sale_opt_out = match &section {
+                Section::UsNat(s) => match &s.core {
+                    iab_gpp::sections::usnat::Core::V1(c) => &c.sale_opt_out,
+                    iab_gpp::sections::usnat::Core::V2(c) => &c.sale_opt_out,
+                },
+                Section::UsCa(s) => &s.core.sale_opt_out,
+                Section::UsVa(s) => &s.core.sale_opt_out,
+                Section::UsCo(s) => &s.core.sale_opt_out,
+                Section::UsUt(s) => &s.core.sale_opt_out,
+                Section::UsCt(s) => &s.core.sale_opt_out,
+                Section::UsFl(s) => &s.core.sale_opt_out,
+                Section::UsMt(s) => &s.core.sale_opt_out,
+                Section::UsOr(s) => &s.core.sale_opt_out,
+                Section::UsTx(s) => &s.core.sale_opt_out,
+                Section::UsDe(s) => &s.core.sale_opt_out,
+                Section::UsIa(s) => &s.core.sale_opt_out,
+                Section::UsNe(s) => &s.core.sale_opt_out,
+                Section::UsNh(s) => &s.core.sale_opt_out,
+                Section::UsNj(s) => &s.core.sale_opt_out,
+                Section::UsTn(s) => &s.core.sale_opt_out,
+                Section::UsMn(s) => &s.core.sale_opt_out,
+                // Non-US sections — should not reach here given the ID filter.
+                _ => return None,
+            };
+            Some(*sale_opt_out == OptOut::OptedOut)
+        }
+        Err(e) => {
+            log::warn!("Failed to decode US GPP section {us_section_id}: {e}");
+            None
+        }
+    }
+}
+```
+
+- [ ] **Step 4: Wire it into `decode_gpp_string`**
+
+In the same file, replace the placeholder in `decode_gpp_string`:
+
+```rust
+    let us_sale_opt_out = decode_us_sale_opt_out(&parsed);
+
+    Ok(GppConsent {
+        version: 1,
+        section_ids,
+        eu_tcf,
+        us_sale_opt_out,
+    })
+```
+
+- [ ] **Step 5: Run tests**
+
+Run: `cargo test --workspace -p trusted-server-core -- consent::gpp::tests`
+Expected: all GPP tests pass, including the two new ones.
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add crates/trusted-server-core/src/consent/gpp.rs
+git commit -m "Decode US sale opt-out from GPP sections"
+```
+
+---
+
+## Task 3: Add GPP US branch to `allows_ec_creation()`
+
+**Files:**
+- Modify: `crates/trusted-server-core/src/consent/mod.rs`
+
+- [ ] **Step 1: Write failing tests**
+
+Add to the `#[cfg(test)] mod tests` block in `crates/trusted-server-core/src/consent/mod.rs`:
+
+```rust
+    #[test]
+    fn ec_allowed_us_state_gpp_no_sale_opt_out() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "US state + GPP US sale_opt_out=false should allow EC"
+        );
+    }
+
+    #[test]
+    fn ec_blocked_us_state_gpp_sale_opted_out() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(true),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            !allows_ec_creation(&ctx),
+            "US state + GPP US sale_opt_out=true should block EC"
+        );
+    }
+
+    #[test]
+    fn ec_blocked_us_state_gpc_overrides_gpp_us() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpc: true,
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            !allows_ec_creation(&ctx),
+            "GPC should block EC even when GPP US says no opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_tcf_takes_priority_over_gpp_us() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            tcf: Some(make_tcf_with_storage(true)),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(true),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "TCF consent should take priority over GPP US opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_gpp_us_takes_priority_over_us_privacy() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            us_privacy: Some(UsPrivacy {
+                version: 1,
+                notice_given: PrivacyFlag::Yes,
+                opt_out_sale: PrivacyFlag::Yes,
+                lspa_covered: PrivacyFlag::NotApplicable,
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "GPP US should take priority over us_privacy opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_gpp_no_us_section_falls_through_to_us_privacy() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("CA".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![2],
+                eu_tcf: None,
+                us_sale_opt_out: None,
+            }),
+            us_privacy: Some(UsPrivacy {
+                version: 1,
+                notice_given: PrivacyFlag::Yes,
+                opt_out_sale: PrivacyFlag::No,
+                lspa_covered: PrivacyFlag::NotApplicable,
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "GPP without US section should fall through to us_privacy"
+        );
+    }
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `cargo test --workspace -p trusted-server-core -- consent::tests::ec_allowed_us_state_gpp`
+Expected: FAIL — the GPP US branch doesn't exist yet, so `ec_allowed_us_state_gpp_no_sale_opt_out` fails (falls through to fail-closed).
+
+- [ ] **Step 3: Add the GPP US branch to `allows_ec_creation()`**
+
+In `crates/trusted-server-core/src/consent/mod.rs`, update `allows_ec_creation()`. The `UsState` arm currently reads:
+
+```rust
+        jurisdiction::Jurisdiction::UsState(_) => {
+            if ctx.gpc {
+                return false;
+            }
+            if let Some(tcf) = effective_tcf(ctx) {
+                return tcf.has_storage_consent();
+            }
+            if let Some(usp) = &ctx.us_privacy {
+                return usp.opt_out_sale != PrivacyFlag::Yes;
+            }
+            false
+        }
+```
+
+Insert the GPP US check between TCF and us_privacy:
+
+```rust
+        jurisdiction::Jurisdiction::UsState(_) => {
+            if ctx.gpc {
+                return false;
+            }
+            if let Some(tcf) = effective_tcf(ctx) {
+                return tcf.has_storage_consent();
+            }
+            // Check GPP US section for sale opt-out.
+            if let Some(gpp) = &ctx.gpp {
+                if let Some(opted_out) = gpp.us_sale_opt_out {
+                    return !opted_out;
+                }
+            }
+            if let Some(usp) = &ctx.us_privacy {
+                return usp.opt_out_sale != PrivacyFlag::Yes;
+            }
+            false
+        }
+```
+
+- [ ] **Step 4: Run all tests**
+
+Run: `cargo test --workspace`
+Expected: all tests pass, including the six new EC gating tests.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add crates/trusted-server-core/src/consent/mod.rs
+git commit -m "Recognize GPP US sale opt-out in EC consent gating"
+```
+
+---
+
+## Task 4: Create Sourcepoint JS integration
+
+**Files:**
+- Create: `crates/js/lib/src/integrations/sourcepoint/index.ts`
+
+- [ ] **Step 1: Write the test file first**
+
+Create `crates/js/lib/test/integrations/sourcepoint/index.test.ts`:
+
+```typescript
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+import { mirrorSourcepointConsent } from '../../../src/integrations/sourcepoint';
+
+describe('integrations/sourcepoint', () => {
+  beforeEach(() => {
+    // Clear cookies and localStorage before each test.
+    document.cookie.split(';').forEach((c) => {
+      const name = c.split('=')[0].trim();
+      if (name) document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
+    });
+    localStorage.clear();
+  });
+
+  afterEach(() => {
+    localStorage.clear();
+  });
+
+  it('mirrors __gpp and __gpp_sid from _sp_user_consent_* localStorage', () => {
+    const payload = {
+      gppData: {
+        gppString: 'DBABLA~BVQqAAAAAgA.QA',
+        applicableSections: [7],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_36026', JSON.stringify(payload));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(true);
+    expect(document.cookie).toContain('__gpp=DBABLA~BVQqAAAAAgA.QA');
+    expect(document.cookie).toContain('__gpp_sid=7');
+  });
+
+  it('handles multiple applicable sections', () => {
+    const payload = {
+      gppData: {
+        gppString: 'DBABLA~BVQqAAAAAgA.QA',
+        applicableSections: [7, 8],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_99999', JSON.stringify(payload));
+
+    mirrorSourcepointConsent();
+
+    expect(document.cookie).toContain('__gpp_sid=7,8');
+  });
+
+  it('returns false when no _sp_user_consent_* key exists', () => {
+    localStorage.setItem('unrelated_key', 'value');
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+    expect(document.cookie).not.toContain('__gpp_sid=');
+  });
+
+  it('returns false for malformed JSON in localStorage', () => {
+    localStorage.setItem('_sp_user_consent_12345', 'not-json!!!');
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+
+  it('returns false when gppData is missing from payload', () => {
+    localStorage.setItem('_sp_user_consent_12345', JSON.stringify({ otherField: true }));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+
+  it('returns false when gppString is empty', () => {
+    const payload = {
+      gppData: {
+        gppString: '',
+        applicableSections: [7],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_12345', JSON.stringify(payload));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+});
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/sourcepoint/index.test.ts`
+Expected: FAIL — module `../../../src/integrations/sourcepoint` does not exist.
+
+- [ ] **Step 3: Implement the integration**
+
+Create `crates/js/lib/src/integrations/sourcepoint/index.ts`:
+
+```typescript
+import { log } from '../../core/log';
+
+const SP_CONSENT_PREFIX = '_sp_user_consent_';
+
+interface SourcepointGppData {
+  gppString: string;
+  applicableSections: number[];
+}
+
+interface SourcepointConsentPayload {
+  gppData?: SourcepointGppData;
+}
+
+function findSourcepointConsent(): SourcepointConsentPayload | null {
+  for (let i = 0; i < localStorage.length; i++) {
+    const key = localStorage.key(i);
+    if (!key?.startsWith(SP_CONSENT_PREFIX)) continue;
+
+    const raw = localStorage.getItem(key);
+    if (!raw) continue;
+
+    try {
+      return JSON.parse(raw) as SourcepointConsentPayload;
+    } catch {
+      log.debug('sourcepoint: failed to parse localStorage value', { key });
+      return null;
+    }
+  }
+  return null;
+}
+
+function writeCookie(name: string, value: string): void {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`;
+}
+
+/// Reads Sourcepoint consent from localStorage and mirrors it into
+/// `__gpp` and `__gpp_sid` cookies for Trusted Server to read.
+///
+/// Returns `true` if cookies were written, `false` otherwise.
+export function mirrorSourcepointConsent(): boolean {
+  if (typeof localStorage === 'undefined' || typeof document === 'undefined') {
+    return false;
+  }
+
+  const payload = findSourcepointConsent();
+  if (!payload?.gppData) {
+    log.debug('sourcepoint: no GPP data found in localStorage');
+    return false;
+  }
+
+  const { gppString, applicableSections } = payload.gppData;
+  if (!gppString) {
+    log.debug('sourcepoint: gppString is empty');
+    return false;
+  }
+
+  writeCookie('__gpp', gppString);
+
+  if (Array.isArray(applicableSections) && applicableSections.length > 0) {
+    writeCookie('__gpp_sid', applicableSections.join(','));
+  }
+
+  log.info('sourcepoint: mirrored GPP consent to cookies', {
+    gppLength: gppString.length,
+    sections: applicableSections,
+  });
+
+  return true;
+}
+
+if (typeof window !== 'undefined') {
+  mirrorSourcepointConsent();
+}
+
+export default mirrorSourcepointConsent;
+```
+
+- [ ] **Step 4: Run tests**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/sourcepoint/index.test.ts`
+Expected: all 6 tests pass.
+
+- [ ] **Step 5: Run the full JS test suite**
+
+Run: `cd crates/js/lib && npx vitest run`
+Expected: all tests pass (existing + new).
+
+- [ ] **Step 6: Format**
+
+Run: `cd crates/js/lib && npm run format`
+Expected: no formatting issues.
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add crates/js/lib/src/integrations/sourcepoint/index.ts \
+       crates/js/lib/test/integrations/sourcepoint/index.test.ts
+git commit -m "Add Sourcepoint JS integration for GPP consent cookie mirroring"
+```
+
+---
+
+## Task 5: Final verification
+
+**Files:** None (verification only)
+
+- [ ] **Step 1: Build the JS bundles**
+
+Run: `cd crates/js/lib && node build-all.mjs`
+Expected: builds successfully, `dist/tsjs-sourcepoint.js` appears in the output.
+
+- [ ] **Step 2: Full Rust build**
+
+Run: `cargo build --workspace`
+Expected: compiles with no errors.
+
+- [ ] **Step 3: Full Rust test suite**
+
+Run: `cargo test --workspace`
+Expected: all tests pass.
+
+- [ ] **Step 4: Clippy**
+
+Run: `cargo clippy --workspace --all-targets --all-features -- -D warnings`
+Expected: no warnings.
+
+- [ ] **Step 5: Rust format check**
+
+Run: `cargo fmt --all -- --check`
+Expected: no formatting issues.
+
+- [ ] **Step 6: Full JS test suite**
+
+Run: `cd crates/js/lib && npx vitest run`
+Expected: all tests pass.
+
+- [ ] **Step 7: JS format check**
+
+Run: `cd crates/js/lib && npm run format`
+Expected: no formatting issues.

From d5797b56ad5c1f808d122448cc0bd2d21c834008 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:52:34 -0500
Subject: [PATCH 08/26] Add us_sale_opt_out field to GppConsent

---
 crates/trusted-server-core/src/consent/gpp.rs   | 1 +
 crates/trusted-server-core/src/consent/mod.rs   | 3 +++
 crates/trusted-server-core/src/consent/types.rs | 7 +++++++
 3 files changed, 11 insertions(+)

diff --git a/crates/trusted-server-core/src/consent/gpp.rs b/crates/trusted-server-core/src/consent/gpp.rs
index 9d0e5c81..76b69e08 100644
--- a/crates/trusted-server-core/src/consent/gpp.rs
+++ b/crates/trusted-server-core/src/consent/gpp.rs
@@ -76,6 +76,7 @@ pub fn decode_gpp_string(gpp_string: &str) -> Result<GppConsent, Report<ConsentD
         version: 1,
         section_ids,
         eu_tcf,
+        us_sale_opt_out: None,
     })
 }
 
diff --git a/crates/trusted-server-core/src/consent/mod.rs b/crates/trusted-server-core/src/consent/mod.rs
index aed71281..71db4036 100644
--- a/crates/trusted-server-core/src/consent/mod.rs
+++ b/crates/trusted-server-core/src/consent/mod.rs
@@ -721,6 +721,7 @@ mod tests {
                 version: 1,
                 section_ids: vec![2],
                 eu_tcf: Some(make_tcf(gpp_last_updated_ds, gpp_allows_eids)),
+                us_sale_opt_out: None,
             }),
             ..ConsentContext::default()
         }
@@ -884,6 +885,7 @@ mod tests {
                 version: 1,
                 section_ids: vec![2],
                 eu_tcf: Some(make_tcf(0, true)),
+                us_sale_opt_out: None,
             }),
             ..ConsentContext::default()
         };
@@ -966,6 +968,7 @@ mod tests {
                 version: 1,
                 section_ids: vec![2],
                 eu_tcf: Some(make_tcf_with_storage(true)),
+                us_sale_opt_out: None,
             }),
             gdpr_applies: true,
             ..ConsentContext::default()
diff --git a/crates/trusted-server-core/src/consent/types.rs b/crates/trusted-server-core/src/consent/types.rs
index a68eda9a..44f1a3df 100644
--- a/crates/trusted-server-core/src/consent/types.rs
+++ b/crates/trusted-server-core/src/consent/types.rs
@@ -302,6 +302,13 @@ pub struct GppConsent {
     pub section_ids: Vec<u16>,
     /// Decoded EU TCF v2.2 section (if present in GPP, section ID 2).
     pub eu_tcf: Option<TcfConsent>,
+    /// Whether the user opted out of sale of personal information via a US GPP
+    /// section (IDs 7–23).
+    ///
+    /// - `Some(true)` — a US section is present and `sale_opt_out == OptedOut`
+    /// - `Some(false)` — a US section is present and user did not opt out
+    /// - `None` — no US section exists in the GPP string
+    pub us_sale_opt_out: Option<bool>,
 }
 
 // ---------------------------------------------------------------------------

From f5475a03db9e798366366fba77947a45b0d05c3b Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:54:47 -0500
Subject: [PATCH 09/26] Decode US sale opt-out from GPP sections

---
 crates/trusted-server-core/src/consent/gpp.rs | 90 ++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)

diff --git a/crates/trusted-server-core/src/consent/gpp.rs b/crates/trusted-server-core/src/consent/gpp.rs
index 76b69e08..d6e8902e 100644
--- a/crates/trusted-server-core/src/consent/gpp.rs
+++ b/crates/trusted-server-core/src/consent/gpp.rs
@@ -72,11 +72,13 @@ pub fn decode_gpp_string(gpp_string: &str) -> Result<GppConsent, Report<ConsentD
     let eu_tcf = decode_tcf_from_gpp(&parsed);
 
     // The GPP header version is always 1 for current spec.
+    let us_sale_opt_out = decode_us_sale_opt_out(&parsed);
+
     Ok(GppConsent {
         version: 1,
         section_ids,
         eu_tcf,
-        us_sale_opt_out: None,
+        us_sale_opt_out,
     })
 }
 
@@ -101,6 +103,66 @@ fn decode_tcf_from_gpp(parsed: &iab_gpp::v1::GPPString) -> Option<TcfConsent> {
     }
 }
 
+/// GPP section IDs that represent US state/national privacy sections.
+///
+/// Range 7–23 per the GPP v1 specification:
+/// 7=UsNat, 8=UsCa, 9=UsVa, 10=UsCo, 11=UsUt, 12=UsCt, 13=UsFl,
+/// 14=UsMt, 15=UsOr, 16=UsTx, 17=UsDe, 18=UsIa, 19=UsNe, 20=UsNh,
+/// 21=UsNj, 22=UsTn, 23=UsMn.
+const US_SECTION_ID_RANGE: std::ops::RangeInclusive<u16> = 7..=23;
+
+/// Extracts the `sale_opt_out` signal from the first US section in a parsed
+/// GPP string.
+///
+/// Iterates through section IDs looking for any in the US range (7–23).
+/// For the first match, decodes the section and extracts `sale_opt_out`.
+///
+/// Returns `Some(true)` if the user opted out of sale, `Some(false)` if they
+/// did not, or `None` if no US section is present.
+fn decode_us_sale_opt_out(parsed: &iab_gpp::v1::GPPString) -> Option<bool> {
+    use iab_gpp::sections::us_common::OptOut;
+    use iab_gpp::sections::Section;
+
+    let us_section_id = parsed
+        .section_ids()
+        .find(|id| US_SECTION_ID_RANGE.contains(&(**id as u16)))?;
+
+    match parsed.decode_section(*us_section_id) {
+        Ok(section) => {
+            let sale_opt_out = match &section {
+                Section::UsNat(s) => match &s.core {
+                    iab_gpp::sections::usnat::Core::V1(c) => &c.sale_opt_out,
+                    iab_gpp::sections::usnat::Core::V2(c) => &c.sale_opt_out,
+                    _ => return None,
+                },
+                Section::UsCa(s) => &s.core.sale_opt_out,
+                Section::UsVa(s) => &s.core.sale_opt_out,
+                Section::UsCo(s) => &s.core.sale_opt_out,
+                Section::UsUt(s) => &s.core.sale_opt_out,
+                Section::UsCt(s) => &s.core.sale_opt_out,
+                Section::UsFl(s) => &s.core.sale_opt_out,
+                Section::UsMt(s) => &s.core.sale_opt_out,
+                Section::UsOr(s) => &s.core.sale_opt_out,
+                Section::UsTx(s) => &s.core.sale_opt_out,
+                Section::UsDe(s) => &s.core.sale_opt_out,
+                Section::UsIa(s) => &s.core.sale_opt_out,
+                Section::UsNe(s) => &s.core.sale_opt_out,
+                Section::UsNh(s) => &s.core.sale_opt_out,
+                Section::UsNj(s) => &s.core.sale_opt_out,
+                Section::UsTn(s) => &s.core.sale_opt_out,
+                Section::UsMn(s) => &s.core.sale_opt_out,
+                // Non-US sections — should not reach here given the ID filter.
+                _ => return None,
+            };
+            Some(*sale_opt_out == OptOut::OptedOut)
+        }
+        Err(e) => {
+            log::warn!("Failed to decode US GPP section {us_section_id}: {e}");
+            None
+        }
+    }
+}
+
 /// Parses a `__gpp_sid` cookie value into a vector of section IDs.
 ///
 /// The cookie is a comma-separated list of integer section IDs, e.g. `"2,6"`.
@@ -240,4 +302,30 @@ mod tests {
             "all-invalid should be None"
         );
     }
+
+    #[test]
+    fn decodes_us_sale_opt_out_not_opted_out() {
+        let result = decode_gpp_string("DBABLA~BVQqAAAAAgA.QA");
+        match &result {
+            Ok(gpp) => {
+                assert_eq!(
+                    gpp.us_sale_opt_out,
+                    Some(false),
+                    "should extract sale_opt_out=false from UsNat section"
+                );
+            }
+            Err(e) => {
+                panic!("GPP decode failed: {e}");
+            }
+        }
+    }
+
+    #[test]
+    fn no_us_section_returns_none() {
+        let result = decode_gpp_string(GPP_TCF_AND_USP).expect("should decode GPP");
+        assert_eq!(
+            result.us_sale_opt_out, None,
+            "should return None when no US section (7-23) is present"
+        );
+    }
 }

From e899df70d3a9feff3ee020e92e82105e06f97955 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:57:34 -0500
Subject: [PATCH 10/26] Recognize GPP US sale opt-out in EC consent gating

---
 crates/trusted-server-core/src/consent/mod.rs | 128 ++++++++++++++++++
 1 file changed, 128 insertions(+)

diff --git a/crates/trusted-server-core/src/consent/mod.rs b/crates/trusted-server-core/src/consent/mod.rs
index 71db4036..7f77deb3 100644
--- a/crates/trusted-server-core/src/consent/mod.rs
+++ b/crates/trusted-server-core/src/consent/mod.rs
@@ -507,6 +507,12 @@ pub fn allows_ec_creation(ctx: &ConsentContext) -> bool {
             if let Some(tcf) = effective_tcf(ctx) {
                 return tcf.has_storage_consent();
             }
+            // Check GPP US section for sale opt-out.
+            if let Some(gpp) = &ctx.gpp {
+                if let Some(opted_out) = gpp.us_sale_opt_out {
+                    return !opted_out;
+                }
+            }
             // Check US Privacy string for explicit opt-out.
             if let Some(usp) = &ctx.us_privacy {
                 return usp.opt_out_sale != PrivacyFlag::Yes;
@@ -1162,4 +1168,126 @@ mod tests {
             "TCF consent should take priority over US Privacy opt-out when both present"
         );
     }
+
+    #[test]
+    fn ec_allowed_us_state_gpp_no_sale_opt_out() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "US state + GPP US sale_opt_out=false should allow EC"
+        );
+    }
+
+    #[test]
+    fn ec_blocked_us_state_gpp_sale_opted_out() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(true),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            !allows_ec_creation(&ctx),
+            "US state + GPP US sale_opt_out=true should block EC"
+        );
+    }
+
+    #[test]
+    fn ec_blocked_us_state_gpc_overrides_gpp_us() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpc: true,
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            !allows_ec_creation(&ctx),
+            "GPC should block EC even when GPP US says no opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_tcf_takes_priority_over_gpp_us() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            tcf: Some(make_tcf_with_storage(true)),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(true),
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "TCF consent should take priority over GPP US opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_gpp_us_takes_priority_over_us_privacy() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("TN".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![7],
+                eu_tcf: None,
+                us_sale_opt_out: Some(false),
+            }),
+            us_privacy: Some(UsPrivacy {
+                version: 1,
+                notice_given: PrivacyFlag::Yes,
+                opt_out_sale: PrivacyFlag::Yes,
+                lspa_covered: PrivacyFlag::NotApplicable,
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "GPP US should take priority over us_privacy opt-out"
+        );
+    }
+
+    #[test]
+    fn ec_us_state_gpp_no_us_section_falls_through_to_us_privacy() {
+        let ctx = ConsentContext {
+            jurisdiction: Jurisdiction::UsState("CA".to_owned()),
+            gpp: Some(GppConsent {
+                version: 1,
+                section_ids: vec![2],
+                eu_tcf: None,
+                us_sale_opt_out: None,
+            }),
+            us_privacy: Some(UsPrivacy {
+                version: 1,
+                notice_given: PrivacyFlag::Yes,
+                opt_out_sale: PrivacyFlag::No,
+                lspa_covered: PrivacyFlag::NotApplicable,
+            }),
+            ..ConsentContext::default()
+        };
+        assert!(
+            allows_ec_creation(&ctx),
+            "GPP without US section should fall through to us_privacy"
+        );
+    }
 }

From 595b95ffe29c9b4ac9f04be0c9781412d9ab6e69 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Wed, 15 Apr 2026 15:58:57 -0500
Subject: [PATCH 11/26] Add Sourcepoint JS integration for GPP consent cookie
 mirroring

---
 .../lib/src/integrations/sourcepoint/index.ts | 77 ++++++++++++++++
 .../integrations/sourcepoint/index.test.ts    | 91 +++++++++++++++++++
 2 files changed, 168 insertions(+)
 create mode 100644 crates/js/lib/src/integrations/sourcepoint/index.ts
 create mode 100644 crates/js/lib/test/integrations/sourcepoint/index.test.ts

diff --git a/crates/js/lib/src/integrations/sourcepoint/index.ts b/crates/js/lib/src/integrations/sourcepoint/index.ts
new file mode 100644
index 00000000..850659dc
--- /dev/null
+++ b/crates/js/lib/src/integrations/sourcepoint/index.ts
@@ -0,0 +1,77 @@
+import { log } from '../../core/log';
+
+const SP_CONSENT_PREFIX = '_sp_user_consent_';
+
+interface SourcepointGppData {
+  gppString: string;
+  applicableSections: number[];
+}
+
+interface SourcepointConsentPayload {
+  gppData?: SourcepointGppData;
+}
+
+function findSourcepointConsent(): SourcepointConsentPayload | null {
+  for (let i = 0; i < localStorage.length; i++) {
+    const key = localStorage.key(i);
+    if (!key?.startsWith(SP_CONSENT_PREFIX)) continue;
+
+    const raw = localStorage.getItem(key);
+    if (!raw) continue;
+
+    try {
+      return JSON.parse(raw) as SourcepointConsentPayload;
+    } catch {
+      log.debug('sourcepoint: failed to parse localStorage value', { key });
+      return null;
+    }
+  }
+  return null;
+}
+
+function writeCookie(name: string, value: string): void {
+  document.cookie = `${name}=${value}; path=/; SameSite=Lax`;
+}
+
+/**
+ * Reads Sourcepoint consent from localStorage and mirrors it into
+ * `__gpp` and `__gpp_sid` cookies for Trusted Server to read.
+ *
+ * Returns `true` if cookies were written, `false` otherwise.
+ */
+export function mirrorSourcepointConsent(): boolean {
+  if (typeof localStorage === 'undefined' || typeof document === 'undefined') {
+    return false;
+  }
+
+  const payload = findSourcepointConsent();
+  if (!payload?.gppData) {
+    log.debug('sourcepoint: no GPP data found in localStorage');
+    return false;
+  }
+
+  const { gppString, applicableSections } = payload.gppData;
+  if (!gppString) {
+    log.debug('sourcepoint: gppString is empty');
+    return false;
+  }
+
+  writeCookie('__gpp', gppString);
+
+  if (Array.isArray(applicableSections) && applicableSections.length > 0) {
+    writeCookie('__gpp_sid', applicableSections.join(','));
+  }
+
+  log.info('sourcepoint: mirrored GPP consent to cookies', {
+    gppLength: gppString.length,
+    sections: applicableSections,
+  });
+
+  return true;
+}
+
+if (typeof window !== 'undefined') {
+  mirrorSourcepointConsent();
+}
+
+export default mirrorSourcepointConsent;
diff --git a/crates/js/lib/test/integrations/sourcepoint/index.test.ts b/crates/js/lib/test/integrations/sourcepoint/index.test.ts
new file mode 100644
index 00000000..4eaf763f
--- /dev/null
+++ b/crates/js/lib/test/integrations/sourcepoint/index.test.ts
@@ -0,0 +1,91 @@
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+import { mirrorSourcepointConsent } from '../../../src/integrations/sourcepoint';
+
+describe('integrations/sourcepoint', () => {
+  beforeEach(() => {
+    // Clear cookies and localStorage before each test.
+    document.cookie.split(';').forEach((c) => {
+      const name = c.split('=')[0].trim();
+      if (name) document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
+    });
+    localStorage.clear();
+  });
+
+  afterEach(() => {
+    localStorage.clear();
+  });
+
+  it('mirrors __gpp and __gpp_sid from _sp_user_consent_* localStorage', () => {
+    const payload = {
+      gppData: {
+        gppString: 'DBABLA~BVQqAAAAAgA.QA',
+        applicableSections: [7],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_36026', JSON.stringify(payload));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(true);
+    expect(document.cookie).toContain('__gpp=DBABLA~BVQqAAAAAgA.QA');
+    expect(document.cookie).toContain('__gpp_sid=7');
+  });
+
+  it('handles multiple applicable sections', () => {
+    const payload = {
+      gppData: {
+        gppString: 'DBABLA~BVQqAAAAAgA.QA',
+        applicableSections: [7, 8],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_99999', JSON.stringify(payload));
+
+    mirrorSourcepointConsent();
+
+    expect(document.cookie).toContain('__gpp_sid=7,8');
+  });
+
+  it('returns false when no _sp_user_consent_* key exists', () => {
+    localStorage.setItem('unrelated_key', 'value');
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+    expect(document.cookie).not.toContain('__gpp_sid=');
+  });
+
+  it('returns false for malformed JSON in localStorage', () => {
+    localStorage.setItem('_sp_user_consent_12345', 'not-json!!!');
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+
+  it('returns false when gppData is missing from payload', () => {
+    localStorage.setItem('_sp_user_consent_12345', JSON.stringify({ otherField: true }));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+
+  it('returns false when gppString is empty', () => {
+    const payload = {
+      gppData: {
+        gppString: '',
+        applicableSections: [7],
+      },
+    };
+    localStorage.setItem('_sp_user_consent_12345', JSON.stringify(payload));
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(document.cookie).not.toContain('__gpp=');
+  });
+});

From 413f7e31f00d4f98699af3eee1cfe7b86ffe84d3 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 10:25:05 -0500
Subject: [PATCH 12/26] tmp fix for toml

---
 trusted-server.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/trusted-server.toml b/trusted-server.toml
index c7c24370..cbbd0beb 100644
--- a/trusted-server.toml
+++ b/trusted-server.toml
@@ -15,7 +15,7 @@ origin_url = "https://origin.test-publisher.com"
 proxy_secret = "change-me-proxy-secret"
 
 [ec]
-passphrase = "trusted-server"
+passphrase = "trusted-server-yo"
 ec_store = "ec_identity_store"
 pull_sync_concurrency = 3
 # cluster_trust_threshold = 10   # Entries with cluster_size <= this are individual users

From 20dfa2e78eb983a41498d0b8797f9c0e11974362 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 11:55:16 -0500
Subject: [PATCH 13/26] Add design spec for Prebid User ID Module support

---
 ...2026-04-16-prebid-user-id-module-design.md | 198 ++++++++++++++++++
 1 file changed, 198 insertions(+)
 create mode 100644 docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md

diff --git a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
new file mode 100644
index 00000000..bc0f3f66
--- /dev/null
+++ b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
@@ -0,0 +1,198 @@
+# Prebid User ID Module support
+
+**Date:** 2026-04-16
+**Status:** Design
+**Scope:** JS bundle (`crates/js/lib/src/integrations/prebid/index.ts`)
+
+## Problem
+
+The Trusted Server Prebid integration strips each publisher's origin `prebid.js`
+and replaces it with a server-bundled build. That bundle imports the consent
+management modules but does **not** import Prebid's User ID core module or any
+ID submodules. As a result `pbjs.getUserIdsAsEids` is `undefined` at runtime,
+the `syncPrebidEidsCookie()` helper early-returns, and the `ts-eids` cookie is
+never written — even when the publisher's origin-side code has a fully
+configured `userSync.userIds` list.
+
+Downstream, `crates/trusted-server-core/src/ec/prebid_eids.rs` never receives a
+cookie to ingest, so matched partner UIDs never land in the KV identity graph.
+
+## Goal
+
+Bundle Prebid's User ID core module and a broad, widely-deployed set of ID
+submodules so publishers' existing `pbjs.setConfig({ userSync: { userIds: ... } })`
+calls activate real ID resolution. After first auction completes, `ts-eids`
+cookie is written and the backend ingestion path (already implemented) takes
+over.
+
+## Non-goals
+
+- No Rust changes. No new `trusted-server.toml` fields.
+- No runtime config injection from the server (`window.__tsjs_prebid.userIds`)
+  — deferred to a follow-up.
+- No build-time env-var toggle for the bundled set (e.g. `TSJS_PREBID_USER_IDS`
+  mirroring `TSJS_PREBID_ADAPTERS`) — deferred to a follow-up.
+- No automatic alignment between bundled ID submodules and configured
+  `[[ec.partners]]` — operators must keep those in sync themselves.
+
+## Design
+
+### Bundled modules
+
+Exactly one file changes: `crates/js/lib/src/integrations/prebid/index.ts`.
+Add static imports near the existing `consentManagement*.js` imports.
+
+**Core (required):**
+
+- `prebid.js/modules/userId.js`
+
+**Zero-config / auto-populating submodules** (resolve without publisher params):
+
+- `prebid.js/modules/sharedIdSystem.js`
+- `prebid.js/modules/criteoIdSystem.js`
+- `prebid.js/modules/33acrossIdSystem.js`
+- `prebid.js/modules/pubProvidedIdSystem.js`
+- `prebid.js/modules/quantcastIdSystem.js`
+
+**Param-based submodules** (inert until the publisher's `setConfig` supplies
+the relevant params):
+
+- `prebid.js/modules/id5IdSystem.js`
+- `prebid.js/modules/identityLinkIdSystem.js`
+- `prebid.js/modules/liveIntentIdSystem.js`
+- `prebid.js/modules/uid2IdSystem.js`
+- `prebid.js/modules/euidIdSystem.js`
+- `prebid.js/modules/intentIqIdSystem.js`
+- `prebid.js/modules/lotamePanoramaIdSystem.js`
+- `prebid.js/modules/connectIdSystem.js`
+- `prebid.js/modules/merkleIdSystem.js`
+
+**Legacy / compatibility:**
+
+- `prebid.js/modules/pubCommonIdSystem.js` — deprecated in favor of SharedID
+  but still present in some publisher configs.
+
+Total: 1 core + 15 submodules = 16 new imports.
+
+No changes to `installPrebidNpm`, no changes to the `bidsBackHandler` shim, no
+changes to `syncPrebidEidsCookie`. The existing cookie-writing path is already
+correct — it was only silent because `pbjs.getUserIdsAsEids` did not exist.
+
+### Runtime flow
+
+No new runtime logic. The sequence below is what will light up once the
+submodules are present:
+
+1. Rust `IntegrationHeadInjector` emits the `window.pbjs` / `window.pbjs.que`
+   / `window.__tsjs_prebid` bootstrap before any publisher-origin script runs.
+2. Publisher origin code queues its existing config:
+   `pbjs.que.push(() => pbjs.setConfig({ userSync: { userIds: [...] } }))`.
+3. Our bundle loads. `installPrebidNpm()` registers the `trustedServer`
+   adapter, shims `requestBids` (already appends a chained `bidsBackHandler`
+   calling `syncPrebidEidsCookie`), then calls `pbjs.processQueue()` — the
+   publisher's queued `setConfig` runs at this point and activates the
+   configured submodules (each self-registered at import time).
+4. User ID Module resolves IDs per its own rules (TCF/GPP/USP-gated, async).
+5. First `requestBids` fires. Auction completes. Chained `bidsBackHandler`
+   calls `syncPrebidEidsCookie()`.
+6. `syncPrebidEidsCookie` calls `pbjs.getUserIdsAsEids()` (now a real
+   function), flattens `[{source, id, atype}]`, base64-encodes JSON, writes
+   `document.cookie = "ts-eids=..."`.
+7. Subsequent `/auction` requests carry `Cookie: ts-eids=...`.
+8. Backend (`crates/trusted-server-core/src/ec/prebid_eids.rs`) parses the
+   cookie, matches `source` against `[[ec.partners]]`, syncs partner UIDs to
+   KV.
+
+The first `/auction` request after a cold page load still will not carry
+`ts-eids`, because the cookie is written in the post-auction handler. This
+matches preexisting behavior.
+
+### Error handling
+
+All failure modes are already covered by existing code. No new error paths.
+
+- **Publisher has no `userSync.userIds` configured** →
+  `pbjs.getUserIdsAsEids()` returns `[]` → early-return at `index.ts:380-382`.
+  No cookie written. Silent. Correct.
+- **Submodule fails to resolve** (no consent, no third-party ID, network
+  error) → handled inside Prebid; `getUserIdsAsEids()` returns only the
+  resolved subset. Cookie reflects what resolved.
+- **Cookie payload exceeds 3072 bytes** → existing trim-and-retry loop at
+  `index.ts:404-411` drops entries from the tail until it fits. If a single
+  entry alone exceeds the cap, no cookie is written.
+- **Unexpected exception in sync path** → caught by the existing `try/catch`
+  at `index.ts:417-419`, logged via `log.warn`, does not break the auction.
+- **Module import failure at build time** → esbuild fails the build. This
+  catches missing or renamed Prebid modules before they ship.
+
+### Known caveats
+
+- **Backend pairing** — an EID whose `source` has no matching `[[ec.partners]]`
+  entry is dropped at the backend (with a debug log). Bundling
+  `id5IdSystem.js` is inert for EC identity-graph purposes unless the
+  operator also adds an `[[ec.partners]]` entry with
+  `source_domain = "id5-sync.com"`. Operators must keep the two lists in
+  sync. Not a code change here; documented as an operator concern.
+- **Bundle size** — adding 15 modules increases the shipped `tsjs-prebid.js`
+  by an estimated ~100-150kb gzipped. Not gated on a build-time toggle in
+  this change.
+
+## Testing
+
+### Automated (Vitest)
+
+Add tests under `crates/js/lib/src/integrations/prebid/`:
+
+- **Import smoke test** — import `./index.ts` and assert
+  `typeof pbjs.getUserIdsAsEids === 'function'`. Guards against the exact
+  regression that motivated this work.
+- **`syncPrebidEidsCookie` unit tests** (new or expanded) — mock
+  `pbjs.getUserIdsAsEids` to return a fixed `[{source, uids: [{id, atype}]}]`
+  array and assert the cookie is written with base64-encoded
+  `[{source, id, atype}]`. Cover:
+  - empty array → no cookie written
+  - normal payload → cookie written with expected value
+  - oversize payload → trimmed to fit; partial entries persisted
+  - single oversize entry → no cookie written
+
+### Manual (after deploy to a dev publisher)
+
+- DevTools console: `typeof pbjs.getUserIdsAsEids === 'function'` returns
+  `true`.
+- `pbjs.getUserIdsAsEids()` returns a non-empty array for a publisher with
+  configured `userIds`.
+- After the first auction: `document.cookie` contains `ts-eids=...`. Decoded
+  payload (base64 → JSON) matches the raw EIDs.
+- Network tab: second `/auction` request carries `Cookie: ts-eids=...`.
+
+### Explicitly out of scope
+
+- Each individual ID submodule's resolution behavior — that is Prebid's
+  responsibility and covered by Prebid's own test suite.
+- Backend ingestion of `ts-eids` — already covered by `prebid_eids.rs`
+  tests; no new backend code.
+- Bundle-size regression gating — noted as a caveat, not enforced.
+
+## Rollout
+
+This is a bundle change only. No migration, no feature flag, no staged
+rollout beyond normal deploy.
+
+On first deploy, publishers with active origin-side `userSync.userIds`
+configuration will begin emitting `ts-eids` cookies after their first
+auction. Publishers without `userSync.userIds` configured see no change.
+
+## Follow-ups
+
+1. **Build-time configurability** — introduce `_user_ids.generated.ts`
+   driven by a `TSJS_PREBID_USER_IDS` env var, mirroring the existing
+   `TSJS_PREBID_ADAPTERS` / `_adapters.generated.ts` pattern. Allows
+   operators to slim the bundle per deployment.
+2. **Server-injected `userSync.userIds`** — extend `trusted-server.toml`
+   with a `[[integrations.prebid.user_ids]]` array. Rust serializes into
+   `window.__tsjs_prebid.userIds`. JS applies via `pbjs.setConfig` before
+   `processQueue()`. Supports publishers who do not run their own Prebid
+   config on origin.
+3. **Partner alignment tooling** — a startup-time check that warns when a
+   bundled ID submodule has no matching `[[ec.partners]]` entry, or vice
+   versa.

From a491610d252e3894a4b24d4d57e84507a58c1a8b Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:00:21 -0500
Subject: [PATCH 14/26] Add implementation plan for Prebid User ID Module
 support

---
 .../plans/2026-04-16-prebid-user-id-module.md | 575 ++++++++++++++++++
 1 file changed, 575 insertions(+)
 create mode 100644 docs/superpowers/plans/2026-04-16-prebid-user-id-module.md

diff --git a/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
new file mode 100644
index 00000000..534422fa
--- /dev/null
+++ b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
@@ -0,0 +1,575 @@
+# Prebid User ID Module — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Bundle Prebid's User ID core module and a broad set of ID submodules so publisher-side `pbjs.setConfig({ userSync: { userIds: [...] } })` calls activate real ID resolution and the existing `syncPrebidEidsCookie()` helper begins writing `ts-eids`.
+
+**Architecture:** JS-only change. Add 16 static imports (1 core + 15 submodules) to `crates/js/lib/src/integrations/prebid/index.ts`. No Rust changes, no TOML changes, no new runtime logic. Existing `bidsBackHandler` shim and cookie-sync path already handle the rest; they were silent only because `pbjs.getUserIdsAsEids` did not exist.
+
+**Tech Stack:** TypeScript, Vitest, esbuild (via `build-all.mjs`), Prebid.js 9.x (via npm)
+
+**Spec:** `docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md`
+
+---
+
+## File Map
+
+| File | Action | Responsibility |
+|---|---|---|
+| `crates/js/lib/src/integrations/prebid/index.ts` | Modify | Add 16 User ID Module imports alongside existing `consentManagement*` imports |
+| `crates/js/lib/test/integrations/prebid/index.test.ts` | Modify | Add `vi.mock` stubs for the 16 new modules, add `mockPbjs.getUserIdsAsEids`, add new tests for cookie-sync behavior and import regression guard |
+
+No other files change. `build.rs` picks up the rebuilt `dist/tsjs-prebid.js` automatically via `include_str!`.
+
+---
+
+## Task 1: Document existing `syncPrebidEidsCookie` behavior with tests
+
+The sync helper already exists but has no test coverage. Before changing anything, lock in its current contract so we can refactor or extend later without regressions. These tests exercise the `bidsBackHandler` shim path end-to-end using the existing mocks.
+
+**Files:**
+- Modify: `crates/js/lib/test/integrations/prebid/index.test.ts`
+
+- [ ] **Step 1: Add `getUserIdsAsEids` to the hoisted pbjs mock**
+
+In `crates/js/lib/test/integrations/prebid/index.test.ts` inside the existing `vi.hoisted(() => { ... })` block, add a new mock function and include it on `mockPbjs`. Replace the current block with:
+
+```ts
+const {
+  mockSetConfig,
+  mockProcessQueue,
+  mockRequestBids,
+  mockRegisterBidAdapter,
+  mockGetUserIdsAsEids,
+  mockPbjs,
+  mockGetBidAdapter,
+  mockAdapterManager,
+} = vi.hoisted(() => {
+  const mockSetConfig = vi.fn();
+  const mockProcessQueue = vi.fn();
+  const mockRequestBids = vi.fn();
+  const mockRegisterBidAdapter = vi.fn();
+  const mockGetBidAdapter = vi.fn();
+  const mockGetUserIdsAsEids = vi.fn(() => [] as Array<{ source: string; uids?: Array<{ id: string; atype?: number }> }>);
+  const mockPbjs = {
+    setConfig: mockSetConfig,
+    processQueue: mockProcessQueue,
+    requestBids: mockRequestBids,
+    registerBidAdapter: mockRegisterBidAdapter,
+    getUserIdsAsEids: mockGetUserIdsAsEids,
+    adUnits: [] as any[],
+  };
+  const mockAdapterManager = {
+    getBidAdapter: mockGetBidAdapter,
+  };
+  return {
+    mockSetConfig,
+    mockProcessQueue,
+    mockRequestBids,
+    mockRegisterBidAdapter,
+    mockGetUserIdsAsEids,
+    mockPbjs,
+    mockGetBidAdapter,
+    mockAdapterManager,
+  };
+});
+```
+
+- [ ] **Step 2: Write the failing test — empty EID array writes no cookie**
+
+Append this new `describe` block at the end of `crates/js/lib/test/integrations/prebid/index.test.ts`:
+
+```ts
+describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockPbjs.requestBids = mockRequestBids;
+    mockPbjs.adUnits = [];
+    mockGetUserIdsAsEids.mockReset();
+    mockGetUserIdsAsEids.mockReturnValue([]);
+    // Restore the pbjs→mock wiring in case a prior test blanked it out.
+    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
+    delete (window as any).__tsjs_prebid;
+    // Wipe any leftover ts-eids cookie from previous tests.
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
+  });
+
+  afterEach(() => {
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
+  });
+
+  /**
+   * Helper: make mockRequestBids actually invoke the injected bidsBackHandler
+   * so the shim's post-auction sync path runs.
+   */
+  function wireBidsBackHandler(): void {
+    mockRequestBids.mockImplementation((opts: any) => {
+      if (typeof opts?.bidsBackHandler === 'function') {
+        opts.bidsBackHandler();
+      }
+    });
+  }
+
+  function getTsEidsCookie(): string | undefined {
+    const match = document.cookie.split('; ').find((c) => c.startsWith('ts-eids='));
+    return match ? match.split('=').slice(1).join('=') : undefined;
+  }
+
+  it('writes no cookie when getUserIdsAsEids returns empty array', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+});
+```
+
+- [ ] **Step 3: Run the test — expect PASS (documents existing behavior)**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "writes no cookie when getUserIdsAsEids returns empty array"`
+
+Expected: PASS. The shim already calls `syncPrebidEidsCookie` which early-returns on empty input.
+
+- [ ] **Step 4: Add test — writes base64 cookie for a normal payload**
+
+Append inside the same `describe` block:
+
+```ts
+  it('writes ts-eids cookie with base64-encoded flat JSON for normal payload', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'sharedid.org', uids: [{ id: 'shared-abc', atype: 1 }] },
+      { source: 'id5-sync.com', uids: [{ id: 'id5-xyz', atype: 3 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const encoded = getTsEidsCookie();
+    expect(encoded).toBeDefined();
+    const decoded = JSON.parse(atob(encoded!));
+    expect(decoded).toEqual([
+      { source: 'sharedid.org', id: 'shared-abc', atype: 1 },
+      { source: 'id5-sync.com', id: 'id5-xyz', atype: 3 },
+    ]);
+  });
+```
+
+- [ ] **Step 5: Run and confirm PASS**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "writes ts-eids cookie with base64"`
+
+Expected: PASS.
+
+- [ ] **Step 6: Add test — defaults atype to 3 when missing**
+
+Append:
+
+```ts
+  it('defaults atype to 3 when the uid omits it', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'example.com', uids: [{ id: 'no-atype' }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'example.com', id: 'no-atype', atype: 3 }]);
+  });
+```
+
+- [ ] **Step 7: Add test — skips entries without an id or source**
+
+Append:
+
+```ts
+  it('skips EID entries that are missing id or source', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'good.example', uids: [{ id: 'keep', atype: 1 }] },
+      { source: 'empty-uids.example', uids: [] },
+      { source: '', uids: [{ id: 'no-source', atype: 1 }] },
+      { source: 'no-id.example', uids: [{ id: '', atype: 1 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'good.example', id: 'keep', atype: 1 }]);
+  });
+```
+
+- [ ] **Step 8: Add test — takes first uid when multiple are present**
+
+Append:
+
+```ts
+  it('takes the first uid per source when multiple are present', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      {
+        source: 'multi.example',
+        uids: [
+          { id: 'first', atype: 1 },
+          { id: 'second', atype: 2 },
+        ],
+      },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'multi.example', id: 'first', atype: 1 }]);
+  });
+```
+
+- [ ] **Step 9: Add test — trims tail when payload exceeds 3072 bytes**
+
+Append:
+
+```ts
+  it('trims EIDs from the tail when the cookie payload would exceed 3072 bytes', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+
+    // Build ~20 entries each ~200 bytes → definitely exceeds 3072-byte cap
+    // once base64-encoded.
+    const big = Array.from({ length: 20 }, (_, i) => ({
+      source: `source-${i}.example`,
+      uids: [{ id: 'x'.repeat(200) + String(i), atype: 3 }],
+    }));
+    mockGetUserIdsAsEids.mockReturnValue(big);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const encoded = getTsEidsCookie();
+    expect(encoded).toBeDefined();
+    expect(encoded!.length).toBeLessThanOrEqual(3072);
+
+    const decoded = JSON.parse(atob(encoded!));
+    // At least one entry kept, strictly fewer than original count.
+    expect(decoded.length).toBeGreaterThan(0);
+    expect(decoded.length).toBeLessThan(big.length);
+    // Head of the list is preserved (trimming happens from the tail).
+    expect(decoded[0].source).toBe('source-0.example');
+  });
+```
+
+- [ ] **Step 10: Add test — writes no cookie when a single entry alone exceeds the cap**
+
+Append:
+
+```ts
+  it('writes no cookie when a single entry alone exceeds the cap', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+
+    // Single entry large enough to blow past 3072 bytes after base64.
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'too-big.example', uids: [{ id: 'x'.repeat(4000), atype: 3 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+```
+
+- [ ] **Step 11: Add test — does not throw when getUserIdsAsEids is undefined**
+
+This mirrors the pre-fix production state and guards against regressions in the defensive check at `index.ts:375`. Append:
+
+```ts
+  it('does not throw when getUserIdsAsEids is undefined (pre-fix production state)', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    // Simulate a build that forgot the userId core module.
+    (mockPbjs as any).getUserIdsAsEids = undefined;
+
+    expect(() => pbjs.requestBids({ adUnits: [] } as any)).not.toThrow();
+    expect(getTsEidsCookie()).toBeUndefined();
+
+    // Restore for subsequent tests.
+    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
+  });
+```
+
+- [ ] **Step 12: Add test — calls the original bidsBackHandler when one was supplied**
+
+Append:
+
+```ts
+  it('calls the original bidsBackHandler after syncing EIDs', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    const originalHandler = vi.fn();
+
+    pbjs.requestBids({ adUnits: [], bidsBackHandler: originalHandler } as any);
+
+    expect(originalHandler).toHaveBeenCalledTimes(1);
+  });
+```
+
+- [ ] **Step 13: Run the full new block and confirm all pass**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "syncPrebidEidsCookie"`
+
+Expected: all 9 new tests PASS. If any fail, investigate before proceeding — the rest of the plan assumes this behavior is locked in.
+
+- [ ] **Step 14: Run the entire prebid test file to confirm no regressions**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts`
+
+Expected: all tests PASS (new + existing).
+
+- [ ] **Step 15: Commit**
+
+```bash
+git add crates/js/lib/test/integrations/prebid/index.test.ts
+git commit -m "Add Vitest coverage for Prebid ts-eids cookie sync"
+```
+
+---
+
+## Task 2: Add Prebid User ID core and submodule imports
+
+This is the substantive change. Add `vi.mock` stubs for the new modules first (so tests don't blow up when the imports are added), then add the imports.
+
+**Files:**
+- Modify: `crates/js/lib/test/integrations/prebid/index.test.ts:44-47`
+- Modify: `crates/js/lib/src/integrations/prebid/index.ts:16-18`
+
+- [ ] **Step 1: Add `vi.mock` stubs in the test file for all 16 new modules**
+
+In `crates/js/lib/test/integrations/prebid/index.test.ts`, locate the existing block (around line 44-47):
+
+```ts
+// Side-effect imports are no-ops in tests
+vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
+```
+
+Replace it with (consent management mocks stay; add 16 new ones):
+
+```ts
+// Side-effect imports are no-ops in tests
+vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
+
+// User ID Module core + submodules — no-op mocks so jsdom does not try to
+// execute the real Prebid code paths.
+vi.mock('prebid.js/modules/userId.js', () => ({}));
+vi.mock('prebid.js/modules/sharedIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/criteoIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/33acrossIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/liveIntentIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/lotamePanoramaIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/connectIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/merkleIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/pubCommonIdSystem.js', () => ({}));
+```
+
+- [ ] **Step 2: Write the failing regression-guard test**
+
+Append this `describe` block to `crates/js/lib/test/integrations/prebid/index.test.ts`:
+
+```ts
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+describe('prebid/index.ts User ID Module imports (regression guard)', () => {
+  const REQUIRED_IMPORTS = [
+    'prebid.js/modules/userId.js',
+    'prebid.js/modules/sharedIdSystem.js',
+    'prebid.js/modules/criteoIdSystem.js',
+    'prebid.js/modules/33acrossIdSystem.js',
+    'prebid.js/modules/pubProvidedIdSystem.js',
+    'prebid.js/modules/quantcastIdSystem.js',
+    'prebid.js/modules/id5IdSystem.js',
+    'prebid.js/modules/identityLinkIdSystem.js',
+    'prebid.js/modules/liveIntentIdSystem.js',
+    'prebid.js/modules/uid2IdSystem.js',
+    'prebid.js/modules/euidIdSystem.js',
+    'prebid.js/modules/intentIqIdSystem.js',
+    'prebid.js/modules/lotamePanoramaIdSystem.js',
+    'prebid.js/modules/connectIdSystem.js',
+    'prebid.js/modules/merkleIdSystem.js',
+    'prebid.js/modules/pubCommonIdSystem.js',
+  ];
+
+  // Source-text check: these mocks make the runtime pbjs mock a no-op for the
+  // User ID Module, so there is no way to assert `typeof getUserIdsAsEids ===
+  // 'function'` at import time from within Vitest. Reading the source file
+  // directly is the most reliable way to catch accidental removal of an
+  // import, which is the exact regression that motivated this work.
+  const SOURCE_PATH = resolve(__dirname, '../../../src/integrations/prebid/index.ts');
+  const source = readFileSync(SOURCE_PATH, 'utf8');
+
+  for (const module of REQUIRED_IMPORTS) {
+    it(`statically imports ${module}`, () => {
+      const pattern = new RegExp(`import\\s+['"]${module.replace(/\./g, '\\.')}['"]`);
+      expect(source).toMatch(pattern);
+    });
+  }
+});
+```
+
+- [ ] **Step 3: Run the new block — expect 16 failures**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "regression guard"`
+
+Expected: FAIL — 16 failing assertions, one per expected import. This confirms the regression guard actually reads the source.
+
+- [ ] **Step 4: Add the 16 imports to `index.ts`**
+
+In `crates/js/lib/src/integrations/prebid/index.ts`, locate lines 16-18:
+
+```ts
+import 'prebid.js/modules/consentManagementTcf.js';
+import 'prebid.js/modules/consentManagementGpp.js';
+import 'prebid.js/modules/consentManagementUsp.js';
+```
+
+Insert the User ID imports immediately after them, before the existing `// Client-side bid adapters` comment block. The resulting section must read:
+
+```ts
+import 'prebid.js/modules/consentManagementTcf.js';
+import 'prebid.js/modules/consentManagementGpp.js';
+import 'prebid.js/modules/consentManagementUsp.js';
+
+// Prebid User ID Module — core + submodules. The core module exposes
+// `pbjs.getUserIdsAsEids`; submodules self-register at import time and
+// activate when the publisher's origin-side `pbjs.setConfig({ userSync:
+// { userIds: [...] } })` call runs during `processQueue()`.
+import 'prebid.js/modules/userId.js';
+
+// Zero-config / auto-populating submodules (resolve without publisher params).
+import 'prebid.js/modules/sharedIdSystem.js';
+import 'prebid.js/modules/criteoIdSystem.js';
+import 'prebid.js/modules/33acrossIdSystem.js';
+import 'prebid.js/modules/pubProvidedIdSystem.js';
+import 'prebid.js/modules/quantcastIdSystem.js';
+
+// Param-based submodules — inert until publisher setConfig supplies params.
+import 'prebid.js/modules/id5IdSystem.js';
+import 'prebid.js/modules/identityLinkIdSystem.js';
+import 'prebid.js/modules/liveIntentIdSystem.js';
+import 'prebid.js/modules/uid2IdSystem.js';
+import 'prebid.js/modules/euidIdSystem.js';
+import 'prebid.js/modules/intentIqIdSystem.js';
+import 'prebid.js/modules/lotamePanoramaIdSystem.js';
+import 'prebid.js/modules/connectIdSystem.js';
+import 'prebid.js/modules/merkleIdSystem.js';
+
+// Legacy / deprecated but still present in some publisher configs.
+import 'prebid.js/modules/pubCommonIdSystem.js';
+```
+
+- [ ] **Step 5: Run the regression-guard block — expect PASS**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "regression guard"`
+
+Expected: all 16 tests PASS.
+
+- [ ] **Step 6: Run the full prebid test file — expect no regressions**
+
+Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts`
+
+Expected: all tests PASS (Task 1 tests + regression guards + all pre-existing tests).
+
+- [ ] **Step 7: Run the entire JS test suite**
+
+Run: `cd crates/js/lib && npx vitest run`
+
+Expected: all PASS. If any unrelated test fails because it imports `./index.ts` transitively and the real Prebid modules are not mocked there, add matching `vi.mock` stubs at the top of that test file (copy the same 16 lines). Common suspects: any test under `crates/js/lib/test/integrations/prebid/` you may have added, or tests that import core modules which in turn import the prebid integration. At the time of writing, no other test file imports the prebid integration.
+
+- [ ] **Step 8: Build the JS bundles**
+
+Run: `cd crates/js/lib && node build-all.mjs`
+
+Expected: build succeeds. `dist/tsjs-prebid.js` gets substantially larger (est. 100-150kb gzipped increase). No esbuild errors about missing modules — if there are, the module path in the new imports is wrong (check `crates/js/lib/node_modules/prebid.js/modules/` for the exact filename — note `33acrossIdSystem.js` really does start with a digit and is correct).
+
+- [ ] **Step 9: Format the JS**
+
+Run: `cd crates/js/lib && npm run format`
+
+Expected: prettier rewrites any formatting drift in the files you touched. No errors.
+
+- [ ] **Step 10: Verify the Rust build picks up the rebuilt bundle**
+
+Run: `cargo check --package trusted-server-core`
+
+Expected: PASS. `build.rs` re-runs because `dist/tsjs-prebid.js` changed; `include_str!` pulls in the new content.
+
+- [ ] **Step 11: Run full Rust test suite to confirm no downstream breakage**
+
+Run: `cargo test --workspace`
+
+Expected: PASS. The Rust side does not inspect bundle contents, only concatenates and hashes them, so tests should be unaffected.
+
+- [ ] **Step 12: Commit**
+
+```bash
+git add crates/js/lib/src/integrations/prebid/index.ts crates/js/lib/test/integrations/prebid/index.test.ts
+git commit -m "Bundle Prebid User ID core and submodules in Prebid integration"
+```
+
+---
+
+## Task 3: Final verification
+
+- [ ] **Step 1: Full CI-equivalent check**
+
+Run the same sequence CI runs:
+
+```bash
+cargo fmt --all -- --check
+cargo clippy --workspace --all-targets --all-features -- -D warnings
+cargo test --workspace
+cd crates/js/lib && npx vitest run && cd ../../..
+cd crates/js/lib && npm run format && cd ../../..
+```
+
+Expected: everything PASS / clean.
+
+- [ ] **Step 2: Manual verification note**
+
+Manual browser verification (cannot be automated here; run against a dev publisher environment that has origin-side `pbjs.setConfig({ userSync: { userIds: [...] } })`):
+
+1. Load a publisher page. In DevTools console: `typeof pbjs.getUserIdsAsEids` should return `'function'`.
+2. `pbjs.getUserIdsAsEids()` should return a non-empty array.
+3. After the first ad-slot auction completes: `document.cookie.match(/ts-eids=/)` should match.
+4. Decode the cookie: `JSON.parse(atob(document.cookie.match(/ts-eids=([^;]+)/)[1]))` should produce a `[{source, id, atype}]` array matching the raw EIDs.
+5. Network tab: the second `/auction` request should carry `Cookie: ts-eids=...`.
+
+These are documented in the spec; they are not blockers for the PR, but they should be run before closing out the work.
+
+- [ ] **Step 3: No follow-up commits required**
+
+The work is complete when Tasks 1 and 2 are committed. Do not create a third "chore" commit unless format/clippy asks for one.
+
+---
+
+## What this plan intentionally does NOT do
+
+- Does **not** add a build-time env-var toggle (`TSJS_PREBID_USER_IDS`) to mirror `TSJS_PREBID_ADAPTERS`. Deferred per spec.
+- Does **not** add `window.__tsjs_prebid.userIds` server-side injection. Deferred per spec.
+- Does **not** change `[[ec.partners]]` or `crates/trusted-server-core/src/ec/prebid_eids.rs`. Backend already handles received cookies correctly.
+- Does **not** add a bundle-size regression gate. Noted as a known cost in the spec.
+- Does **not** add tests for individual ID submodule resolution behavior. That is Prebid's own test surface, not ours.

From 5e654668aed19114a6a8595e533e6552964e007d Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:01:49 -0500
Subject: [PATCH 15/26] Fix ESM path resolution in Prebid User ID plan
 regression guard

---
 docs/superpowers/plans/2026-04-16-prebid-user-id-module.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
index 534422fa..9a1e3350 100644
--- a/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
+++ b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
@@ -391,6 +391,7 @@ Append this `describe` block to `crates/js/lib/test/integrations/prebid/index.te
 
 ```ts
 import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
 import { resolve } from 'node:path';
 
 describe('prebid/index.ts User ID Module imports (regression guard)', () => {
@@ -418,7 +419,10 @@ describe('prebid/index.ts User ID Module imports (regression guard)', () => {
   // 'function'` at import time from within Vitest. Reading the source file
   // directly is the most reliable way to catch accidental removal of an
   // import, which is the exact regression that motivated this work.
-  const SOURCE_PATH = resolve(__dirname, '../../../src/integrations/prebid/index.ts');
+  // The package is ESM (`"type": "module"`), so `__dirname` is not defined —
+  // resolve relative to this file via `import.meta.url`.
+  const THIS_DIR = fileURLToPath(new URL('.', import.meta.url));
+  const SOURCE_PATH = resolve(THIS_DIR, '../../../src/integrations/prebid/index.ts');
   const source = readFileSync(SOURCE_PATH, 'utf8');
 
   for (const module of REQUIRED_IMPORTS) {

From 34bb0266dc7f71a7d25914d0bc4b0d04d7500847 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:03:12 -0500
Subject: [PATCH 16/26] Add Vitest coverage for Prebid ts-eids cookie sync

---
 .../test/integrations/prebid/index.test.ts    | 182 ++++++++++++++++++
 1 file changed, 182 insertions(+)

diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
index 7f18148d..084524e4 100644
--- a/crates/js/lib/test/integrations/prebid/index.test.ts
+++ b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -6,6 +6,7 @@ const {
   mockProcessQueue,
   mockRequestBids,
   mockRegisterBidAdapter,
+  mockGetUserIdsAsEids,
   mockPbjs,
   mockGetBidAdapter,
   mockAdapterManager,
@@ -15,11 +16,15 @@ const {
   const mockRequestBids = vi.fn();
   const mockRegisterBidAdapter = vi.fn();
   const mockGetBidAdapter = vi.fn();
+  const mockGetUserIdsAsEids = vi.fn(
+    () => [] as Array<{ source: string; uids?: Array<{ id: string; atype?: number }> }>
+  );
   const mockPbjs = {
     setConfig: mockSetConfig,
     processQueue: mockProcessQueue,
     requestBids: mockRequestBids,
     registerBidAdapter: mockRegisterBidAdapter,
+    getUserIdsAsEids: mockGetUserIdsAsEids,
     adUnits: [] as any[],
   };
   const mockAdapterManager = {
@@ -30,6 +35,7 @@ const {
     mockProcessQueue,
     mockRequestBids,
     mockRegisterBidAdapter,
+    mockGetUserIdsAsEids,
     mockPbjs,
     mockGetBidAdapter,
     mockAdapterManager,
@@ -805,3 +811,179 @@ describe('prebid/client-side bidders', () => {
     errorSpy.mockRestore();
   });
 });
+
+describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockPbjs.requestBids = mockRequestBids;
+    mockPbjs.adUnits = [];
+    mockGetUserIdsAsEids.mockReset();
+    mockGetUserIdsAsEids.mockReturnValue([]);
+    // Restore the pbjs→mock wiring in case a prior test blanked it out.
+    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
+    delete (window as any).__tsjs_prebid;
+    // Wipe any leftover ts-eids cookie from previous tests.
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
+  });
+
+  afterEach(() => {
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
+  });
+
+  /**
+   * Helper: make mockRequestBids actually invoke the injected bidsBackHandler
+   * so the shim's post-auction sync path runs.
+   */
+  function wireBidsBackHandler(): void {
+    mockRequestBids.mockImplementation((opts: any) => {
+      if (typeof opts?.bidsBackHandler === 'function') {
+        opts.bidsBackHandler();
+      }
+    });
+  }
+
+  function getTsEidsCookie(): string | undefined {
+    const match = document.cookie.split('; ').find((c) => c.startsWith('ts-eids='));
+    return match ? match.split('=').slice(1).join('=') : undefined;
+  }
+
+  it('writes no cookie when getUserIdsAsEids returns empty array', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+
+  it('writes ts-eids cookie with base64-encoded flat JSON for normal payload', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'sharedid.org', uids: [{ id: 'shared-abc', atype: 1 }] },
+      { source: 'id5-sync.com', uids: [{ id: 'id5-xyz', atype: 3 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const encoded = getTsEidsCookie();
+    expect(encoded).toBeDefined();
+    const decoded = JSON.parse(atob(encoded!));
+    expect(decoded).toEqual([
+      { source: 'sharedid.org', id: 'shared-abc', atype: 1 },
+      { source: 'id5-sync.com', id: 'id5-xyz', atype: 3 },
+    ]);
+  });
+
+  it('defaults atype to 3 when the uid omits it', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'example.com', uids: [{ id: 'no-atype' }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'example.com', id: 'no-atype', atype: 3 }]);
+  });
+
+  it('skips EID entries that are missing id or source', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'good.example', uids: [{ id: 'keep', atype: 1 }] },
+      { source: 'empty-uids.example', uids: [] },
+      { source: '', uids: [{ id: 'no-source', atype: 1 }] },
+      { source: 'no-id.example', uids: [{ id: '', atype: 1 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'good.example', id: 'keep', atype: 1 }]);
+  });
+
+  it('takes the first uid per source when multiple are present', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    mockGetUserIdsAsEids.mockReturnValue([
+      {
+        source: 'multi.example',
+        uids: [
+          { id: 'first', atype: 1 },
+          { id: 'second', atype: 2 },
+        ],
+      },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const decoded = JSON.parse(atob(getTsEidsCookie()!));
+    expect(decoded).toEqual([{ source: 'multi.example', id: 'first', atype: 1 }]);
+  });
+
+  it('trims EIDs from the tail when the cookie payload would exceed 3072 bytes', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+
+    // Build ~20 entries each ~200 bytes → definitely exceeds 3072-byte cap
+    // once base64-encoded.
+    const big = Array.from({ length: 20 }, (_, i) => ({
+      source: `source-${i}.example`,
+      uids: [{ id: 'x'.repeat(200) + String(i), atype: 3 }],
+    }));
+    mockGetUserIdsAsEids.mockReturnValue(big);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    const encoded = getTsEidsCookie();
+    expect(encoded).toBeDefined();
+    expect(encoded!.length).toBeLessThanOrEqual(3072);
+
+    const decoded = JSON.parse(atob(encoded!));
+    // At least one entry kept, strictly fewer than original count.
+    expect(decoded.length).toBeGreaterThan(0);
+    expect(decoded.length).toBeLessThan(big.length);
+    // Head of the list is preserved (trimming happens from the tail).
+    expect(decoded[0].source).toBe('source-0.example');
+  });
+
+  it('writes no cookie when a single entry alone exceeds the cap', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+
+    // Single entry large enough to blow past 3072 bytes after base64.
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'too-big.example', uids: [{ id: 'x'.repeat(4000), atype: 3 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+
+  it('does not throw when getUserIdsAsEids is undefined (pre-fix production state)', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    // Simulate a build that forgot the userId core module.
+    (mockPbjs as any).getUserIdsAsEids = undefined;
+
+    expect(() => pbjs.requestBids({ adUnits: [] } as any)).not.toThrow();
+    expect(getTsEidsCookie()).toBeUndefined();
+
+    // Restore for subsequent tests.
+    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
+  });
+
+  it('calls the original bidsBackHandler after syncing EIDs', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    const originalHandler = vi.fn();
+
+    pbjs.requestBids({ adUnits: [], bidsBackHandler: originalHandler } as any);
+
+    expect(originalHandler).toHaveBeenCalledTimes(1);
+  });
+});

From 1947595b4a91526dc2bcb7eee91ad78c75baaf50 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:07:59 -0500
Subject: [PATCH 17/26] Bundle Prebid User ID core and submodules in Prebid
 integration

---
 .../js/lib/src/integrations/prebid/index.ts   | 27 +++++++-
 .../test/integrations/prebid/index.test.ts    | 62 ++++++++++++++++++-
 2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/crates/js/lib/src/integrations/prebid/index.ts b/crates/js/lib/src/integrations/prebid/index.ts
index fc976334..0fce811d 100644
--- a/crates/js/lib/src/integrations/prebid/index.ts
+++ b/crates/js/lib/src/integrations/prebid/index.ts
@@ -17,6 +17,30 @@ import 'prebid.js/modules/consentManagementTcf.js';
 import 'prebid.js/modules/consentManagementGpp.js';
 import 'prebid.js/modules/consentManagementUsp.js';
 
+// Prebid User ID Module — core + submodules. The core module exposes
+// `pbjs.getUserIdsAsEids`; submodules self-register at import time and
+// activate when the publisher's origin-side `pbjs.setConfig({ userSync:
+// { userIds: [...] } })` call runs during `processQueue()`.
+import 'prebid.js/modules/userId.js';
+
+// Zero-config / auto-populating submodules (resolve without publisher params).
+import 'prebid.js/modules/sharedIdSystem.js';
+import 'prebid.js/modules/criteoIdSystem.js';
+import 'prebid.js/modules/33acrossIdSystem.js';
+import 'prebid.js/modules/pubProvidedIdSystem.js';
+import 'prebid.js/modules/quantcastIdSystem.js';
+
+// Param-based submodules — inert until publisher setConfig supplies params.
+import 'prebid.js/modules/id5IdSystem.js';
+import 'prebid.js/modules/identityLinkIdSystem.js';
+import 'prebid.js/modules/liveIntentIdSystem.js';
+import 'prebid.js/modules/uid2IdSystem.js';
+import 'prebid.js/modules/euidIdSystem.js';
+import 'prebid.js/modules/intentIqIdSystem.js';
+import 'prebid.js/modules/lotamePanoramaIdSystem.js';
+import 'prebid.js/modules/connectIdSystem.js';
+import 'prebid.js/modules/merkleIdSystem.js';
+
 // Client-side bid adapters — self-register with prebid.js on import.
 // The set of adapters is controlled by the TSJS_PREBID_ADAPTERS env var at
 // build time. See _adapters.generated.ts (written by build-all.mjs).
@@ -410,8 +434,7 @@ function syncPrebidEidsCookie(): void {
       return; // Single EID too large — skip.
     }
 
-    document.cookie =
-      `${EID_COOKIE_NAME}=${encoded}; Path=/; Secure; SameSite=Lax; Max-Age=${EID_COOKIE_MAX_AGE}`;
+    document.cookie = `${EID_COOKIE_NAME}=${encoded}; Path=/; Secure; SameSite=Lax; Max-Age=${EID_COOKIE_MAX_AGE}`;
 
     log.debug(`[tsjs-prebid] synced ${payload.length} EIDs to cookie`);
   } catch (err) {
diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
index 084524e4..38e2f5b1 100644
--- a/crates/js/lib/test/integrations/prebid/index.test.ts
+++ b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -1,3 +1,6 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
 // Define mocks using vi.hoisted so they're available inside vi.mock factories
@@ -52,6 +55,24 @@ vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
 vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
 vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
 
+// User ID Module core + submodules — no-op mocks so jsdom does not try to
+// execute the real Prebid code paths.
+vi.mock('prebid.js/modules/userId.js', () => ({}));
+vi.mock('prebid.js/modules/sharedIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/criteoIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/33acrossIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/liveIntentIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/lotamePanoramaIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/connectIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/merkleIdSystem.js', () => ({}));
+
 // Mock the build-generated adapter imports (no-op in tests)
 vi.mock('../../../src/integrations/prebid/_adapters.generated', () => ({}));
 
@@ -879,9 +900,7 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
   it('defaults atype to 3 when the uid omits it', () => {
     wireBidsBackHandler();
     const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([
-      { source: 'example.com', uids: [{ id: 'no-atype' }] },
-    ]);
+    mockGetUserIdsAsEids.mockReturnValue([{ source: 'example.com', uids: [{ id: 'no-atype' }] }]);
 
     pbjs.requestBids({ adUnits: [] } as any);
 
@@ -987,3 +1006,40 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
     expect(originalHandler).toHaveBeenCalledTimes(1);
   });
 });
+
+describe('prebid/index.ts User ID Module imports (regression guard)', () => {
+  const REQUIRED_IMPORTS = [
+    'prebid.js/modules/userId.js',
+    'prebid.js/modules/sharedIdSystem.js',
+    'prebid.js/modules/criteoIdSystem.js',
+    'prebid.js/modules/33acrossIdSystem.js',
+    'prebid.js/modules/pubProvidedIdSystem.js',
+    'prebid.js/modules/quantcastIdSystem.js',
+    'prebid.js/modules/id5IdSystem.js',
+    'prebid.js/modules/identityLinkIdSystem.js',
+    'prebid.js/modules/liveIntentIdSystem.js',
+    'prebid.js/modules/uid2IdSystem.js',
+    'prebid.js/modules/euidIdSystem.js',
+    'prebid.js/modules/intentIqIdSystem.js',
+    'prebid.js/modules/lotamePanoramaIdSystem.js',
+    'prebid.js/modules/connectIdSystem.js',
+    'prebid.js/modules/merkleIdSystem.js',
+  ];
+
+  // Source-text check: these mocks make the runtime pbjs mock a no-op for the
+  // User ID Module, so there is no way to assert `typeof getUserIdsAsEids ===
+  // 'function'` at import time from within Vitest. Reading the source file
+  // directly is the most reliable way to catch accidental removal of an
+  // import, which is the exact regression that motivated this work.
+  // Vitest runs with `process.cwd()` set to the package root (`crates/js/lib`)
+  // where `package.json` lives.
+  const SOURCE_PATH = resolve(process.cwd(), 'src/integrations/prebid/index.ts');
+  const source = readFileSync(SOURCE_PATH, 'utf8');
+
+  for (const module of REQUIRED_IMPORTS) {
+    it(`statically imports ${module}`, () => {
+      const pattern = new RegExp(`import\\s+['"]${module.replace(/\./g, '\\.')}['"]`);
+      expect(source).toMatch(pattern);
+    });
+  }
+});

From 99b4e472d305bfe25cc00001b296b92bcc7fecb4 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:09:55 -0500
Subject: [PATCH 18/26] =?UTF-8?q?Correct=20Prebid=20User=20ID=20plan=20+?=
 =?UTF-8?q?=20spec=20=E2=80=94=20drop=20pubCommonIdSystem=20(removed=20in?=
 =?UTF-8?q?=20Prebid=2010)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../plans/2026-04-16-prebid-user-id-module.md | 452 +++++++++---------
 ...2026-04-16-prebid-user-id-module-design.md |  10 +-
 2 files changed, 241 insertions(+), 221 deletions(-)

diff --git a/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
index 9a1e3350..cbf3acaf 100644
--- a/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
+++ b/docs/superpowers/plans/2026-04-16-prebid-user-id-module.md
@@ -4,7 +4,12 @@
 
 **Goal:** Bundle Prebid's User ID core module and a broad set of ID submodules so publisher-side `pbjs.setConfig({ userSync: { userIds: [...] } })` calls activate real ID resolution and the existing `syncPrebidEidsCookie()` helper begins writing `ts-eids`.
 
-**Architecture:** JS-only change. Add 16 static imports (1 core + 15 submodules) to `crates/js/lib/src/integrations/prebid/index.ts`. No Rust changes, no TOML changes, no new runtime logic. Existing `bidsBackHandler` shim and cookie-sync path already handle the rest; they were silent only because `pbjs.getUserIdsAsEids` did not exist.
+**Architecture:** JS-only change. Add 15 static imports (1 core + 14 submodules) to `crates/js/lib/src/integrations/prebid/index.ts`. No Rust changes, no TOML changes, no new runtime logic. Existing `bidsBackHandler` shim and cookie-sync path already handle the rest; they were silent only because `pbjs.getUserIdsAsEids` did not exist.
+
+> **In-flight correction (2026-04-16):** `pubCommonIdSystem.js` was originally
+> included in the plan as a legacy/compatibility submodule. It does not exist
+> in Prebid 10.26.0 (consolidated into `sharedIdSystem`) and has been removed.
+> All downstream counts reflect 14 submodules instead of 15.
 
 **Tech Stack:** TypeScript, Vitest, esbuild (via `build-all.mjs`), Prebid.js 9.x (via npm)
 
@@ -14,10 +19,10 @@
 
 ## File Map
 
-| File | Action | Responsibility |
-|---|---|---|
-| `crates/js/lib/src/integrations/prebid/index.ts` | Modify | Add 16 User ID Module imports alongside existing `consentManagement*` imports |
-| `crates/js/lib/test/integrations/prebid/index.test.ts` | Modify | Add `vi.mock` stubs for the 16 new modules, add `mockPbjs.getUserIdsAsEids`, add new tests for cookie-sync behavior and import regression guard |
+| File                                                   | Action | Responsibility                                                                                                                                  |
+| ------------------------------------------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| `crates/js/lib/src/integrations/prebid/index.ts`       | Modify | Add 15 User ID Module imports alongside existing `consentManagement*` imports                                                                   |
+| `crates/js/lib/test/integrations/prebid/index.test.ts` | Modify | Add `vi.mock` stubs for the 15 new modules, add `mockPbjs.getUserIdsAsEids`, add new tests for cookie-sync behavior and import regression guard |
 
 No other files change. `build.rs` picks up the rebuilt `dist/tsjs-prebid.js` automatically via `include_str!`.
 
@@ -28,6 +33,7 @@ No other files change. `build.rs` picks up the rebuilt `dist/tsjs-prebid.js` aut
 The sync helper already exists but has no test coverage. Before changing anything, lock in its current contract so we can refactor or extend later without regressions. These tests exercise the `bidsBackHandler` shim path end-to-end using the existing mocks.
 
 **Files:**
+
 - Modify: `crates/js/lib/test/integrations/prebid/index.test.ts`
 
 - [ ] **Step 1: Add `getUserIdsAsEids` to the hoisted pbjs mock**
@@ -45,12 +51,18 @@ const {
   mockGetBidAdapter,
   mockAdapterManager,
 } = vi.hoisted(() => {
-  const mockSetConfig = vi.fn();
-  const mockProcessQueue = vi.fn();
-  const mockRequestBids = vi.fn();
-  const mockRegisterBidAdapter = vi.fn();
-  const mockGetBidAdapter = vi.fn();
-  const mockGetUserIdsAsEids = vi.fn(() => [] as Array<{ source: string; uids?: Array<{ id: string; atype?: number }> }>);
+  const mockSetConfig = vi.fn()
+  const mockProcessQueue = vi.fn()
+  const mockRequestBids = vi.fn()
+  const mockRegisterBidAdapter = vi.fn()
+  const mockGetBidAdapter = vi.fn()
+  const mockGetUserIdsAsEids = vi.fn(
+    () =>
+      [] as Array<{
+        source: string
+        uids?: Array<{ id: string; atype?: number }>
+      }>
+  )
   const mockPbjs = {
     setConfig: mockSetConfig,
     processQueue: mockProcessQueue,
@@ -58,10 +70,10 @@ const {
     registerBidAdapter: mockRegisterBidAdapter,
     getUserIdsAsEids: mockGetUserIdsAsEids,
     adUnits: [] as any[],
-  };
+  }
   const mockAdapterManager = {
     getBidAdapter: mockGetBidAdapter,
-  };
+  }
   return {
     mockSetConfig,
     mockProcessQueue,
@@ -71,8 +83,8 @@ const {
     mockPbjs,
     mockGetBidAdapter,
     mockAdapterManager,
-  };
-});
+  }
+})
 ```
 
 - [ ] **Step 2: Write the failing test — empty EID array writes no cookie**
@@ -82,21 +94,21 @@ Append this new `describe` block at the end of `crates/js/lib/test/integrations/
 ```ts
 describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
   beforeEach(() => {
-    vi.clearAllMocks();
-    mockPbjs.requestBids = mockRequestBids;
-    mockPbjs.adUnits = [];
-    mockGetUserIdsAsEids.mockReset();
-    mockGetUserIdsAsEids.mockReturnValue([]);
+    vi.clearAllMocks()
+    mockPbjs.requestBids = mockRequestBids
+    mockPbjs.adUnits = []
+    mockGetUserIdsAsEids.mockReset()
+    mockGetUserIdsAsEids.mockReturnValue([])
     // Restore the pbjs→mock wiring in case a prior test blanked it out.
-    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
-    delete (window as any).__tsjs_prebid;
+    ;(mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids
+    delete (window as any).__tsjs_prebid
     // Wipe any leftover ts-eids cookie from previous tests.
-    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
-  });
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0'
+  })
 
   afterEach(() => {
-    document.cookie = 'ts-eids=; Path=/; Max-Age=0';
-  });
+    document.cookie = 'ts-eids=; Path=/; Max-Age=0'
+  })
 
   /**
    * Helper: make mockRequestBids actually invoke the injected bidsBackHandler
@@ -105,26 +117,28 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
   function wireBidsBackHandler(): void {
     mockRequestBids.mockImplementation((opts: any) => {
       if (typeof opts?.bidsBackHandler === 'function') {
-        opts.bidsBackHandler();
+        opts.bidsBackHandler()
       }
-    });
+    })
   }
 
   function getTsEidsCookie(): string | undefined {
-    const match = document.cookie.split('; ').find((c) => c.startsWith('ts-eids='));
-    return match ? match.split('=').slice(1).join('=') : undefined;
+    const match = document.cookie
+      .split('; ')
+      .find((c) => c.startsWith('ts-eids='))
+    return match ? match.split('=').slice(1).join('=') : undefined
   }
 
   it('writes no cookie when getUserIdsAsEids returns empty array', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([]);
+    wireBidsBackHandler()
+    const pbjs = installPrebidNpm()
+    mockGetUserIdsAsEids.mockReturnValue([])
 
-    pbjs.requestBids({ adUnits: [] } as any);
+    pbjs.requestBids({ adUnits: [] } as any)
 
-    expect(getTsEidsCookie()).toBeUndefined();
-  });
-});
+    expect(getTsEidsCookie()).toBeUndefined()
+  })
+})
 ```
 
 - [ ] **Step 3: Run the test — expect PASS (documents existing behavior)**
@@ -138,24 +152,24 @@ Expected: PASS. The shim already calls `syncPrebidEidsCookie` which early-return
 Append inside the same `describe` block:
 
 ```ts
-  it('writes ts-eids cookie with base64-encoded flat JSON for normal payload', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([
-      { source: 'sharedid.org', uids: [{ id: 'shared-abc', atype: 1 }] },
-      { source: 'id5-sync.com', uids: [{ id: 'id5-xyz', atype: 3 }] },
-    ]);
-
-    pbjs.requestBids({ adUnits: [] } as any);
-
-    const encoded = getTsEidsCookie();
-    expect(encoded).toBeDefined();
-    const decoded = JSON.parse(atob(encoded!));
-    expect(decoded).toEqual([
-      { source: 'sharedid.org', id: 'shared-abc', atype: 1 },
-      { source: 'id5-sync.com', id: 'id5-xyz', atype: 3 },
-    ]);
-  });
+it('writes ts-eids cookie with base64-encoded flat JSON for normal payload', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  mockGetUserIdsAsEids.mockReturnValue([
+    { source: 'sharedid.org', uids: [{ id: 'shared-abc', atype: 1 }] },
+    { source: 'id5-sync.com', uids: [{ id: 'id5-xyz', atype: 3 }] },
+  ])
+
+  pbjs.requestBids({ adUnits: [] } as any)
+
+  const encoded = getTsEidsCookie()
+  expect(encoded).toBeDefined()
+  const decoded = JSON.parse(atob(encoded!))
+  expect(decoded).toEqual([
+    { source: 'sharedid.org', id: 'shared-abc', atype: 1 },
+    { source: 'id5-sync.com', id: 'id5-xyz', atype: 3 },
+  ])
+})
 ```
 
 - [ ] **Step 5: Run and confirm PASS**
@@ -169,18 +183,18 @@ Expected: PASS.
 Append:
 
 ```ts
-  it('defaults atype to 3 when the uid omits it', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([
-      { source: 'example.com', uids: [{ id: 'no-atype' }] },
-    ]);
-
-    pbjs.requestBids({ adUnits: [] } as any);
-
-    const decoded = JSON.parse(atob(getTsEidsCookie()!));
-    expect(decoded).toEqual([{ source: 'example.com', id: 'no-atype', atype: 3 }]);
-  });
+it('defaults atype to 3 when the uid omits it', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  mockGetUserIdsAsEids.mockReturnValue([
+    { source: 'example.com', uids: [{ id: 'no-atype' }] },
+  ])
+
+  pbjs.requestBids({ adUnits: [] } as any)
+
+  const decoded = JSON.parse(atob(getTsEidsCookie()!))
+  expect(decoded).toEqual([{ source: 'example.com', id: 'no-atype', atype: 3 }])
+})
 ```
 
 - [ ] **Step 7: Add test — skips entries without an id or source**
@@ -188,21 +202,21 @@ Append:
 Append:
 
 ```ts
-  it('skips EID entries that are missing id or source', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([
-      { source: 'good.example', uids: [{ id: 'keep', atype: 1 }] },
-      { source: 'empty-uids.example', uids: [] },
-      { source: '', uids: [{ id: 'no-source', atype: 1 }] },
-      { source: 'no-id.example', uids: [{ id: '', atype: 1 }] },
-    ]);
-
-    pbjs.requestBids({ adUnits: [] } as any);
-
-    const decoded = JSON.parse(atob(getTsEidsCookie()!));
-    expect(decoded).toEqual([{ source: 'good.example', id: 'keep', atype: 1 }]);
-  });
+it('skips EID entries that are missing id or source', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  mockGetUserIdsAsEids.mockReturnValue([
+    { source: 'good.example', uids: [{ id: 'keep', atype: 1 }] },
+    { source: 'empty-uids.example', uids: [] },
+    { source: '', uids: [{ id: 'no-source', atype: 1 }] },
+    { source: 'no-id.example', uids: [{ id: '', atype: 1 }] },
+  ])
+
+  pbjs.requestBids({ adUnits: [] } as any)
+
+  const decoded = JSON.parse(atob(getTsEidsCookie()!))
+  expect(decoded).toEqual([{ source: 'good.example', id: 'keep', atype: 1 }])
+})
 ```
 
 - [ ] **Step 8: Add test — takes first uid when multiple are present**
@@ -210,24 +224,24 @@ Append:
 Append:
 
 ```ts
-  it('takes the first uid per source when multiple are present', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    mockGetUserIdsAsEids.mockReturnValue([
-      {
-        source: 'multi.example',
-        uids: [
-          { id: 'first', atype: 1 },
-          { id: 'second', atype: 2 },
-        ],
-      },
-    ]);
-
-    pbjs.requestBids({ adUnits: [] } as any);
-
-    const decoded = JSON.parse(atob(getTsEidsCookie()!));
-    expect(decoded).toEqual([{ source: 'multi.example', id: 'first', atype: 1 }]);
-  });
+it('takes the first uid per source when multiple are present', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  mockGetUserIdsAsEids.mockReturnValue([
+    {
+      source: 'multi.example',
+      uids: [
+        { id: 'first', atype: 1 },
+        { id: 'second', atype: 2 },
+      ],
+    },
+  ])
+
+  pbjs.requestBids({ adUnits: [] } as any)
+
+  const decoded = JSON.parse(atob(getTsEidsCookie()!))
+  expect(decoded).toEqual([{ source: 'multi.example', id: 'first', atype: 1 }])
+})
 ```
 
 - [ ] **Step 9: Add test — trims tail when payload exceeds 3072 bytes**
@@ -235,31 +249,31 @@ Append:
 Append:
 
 ```ts
-  it('trims EIDs from the tail when the cookie payload would exceed 3072 bytes', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-
-    // Build ~20 entries each ~200 bytes → definitely exceeds 3072-byte cap
-    // once base64-encoded.
-    const big = Array.from({ length: 20 }, (_, i) => ({
-      source: `source-${i}.example`,
-      uids: [{ id: 'x'.repeat(200) + String(i), atype: 3 }],
-    }));
-    mockGetUserIdsAsEids.mockReturnValue(big);
-
-    pbjs.requestBids({ adUnits: [] } as any);
-
-    const encoded = getTsEidsCookie();
-    expect(encoded).toBeDefined();
-    expect(encoded!.length).toBeLessThanOrEqual(3072);
-
-    const decoded = JSON.parse(atob(encoded!));
-    // At least one entry kept, strictly fewer than original count.
-    expect(decoded.length).toBeGreaterThan(0);
-    expect(decoded.length).toBeLessThan(big.length);
-    // Head of the list is preserved (trimming happens from the tail).
-    expect(decoded[0].source).toBe('source-0.example');
-  });
+it('trims EIDs from the tail when the cookie payload would exceed 3072 bytes', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+
+  // Build ~20 entries each ~200 bytes → definitely exceeds 3072-byte cap
+  // once base64-encoded.
+  const big = Array.from({ length: 20 }, (_, i) => ({
+    source: `source-${i}.example`,
+    uids: [{ id: 'x'.repeat(200) + String(i), atype: 3 }],
+  }))
+  mockGetUserIdsAsEids.mockReturnValue(big)
+
+  pbjs.requestBids({ adUnits: [] } as any)
+
+  const encoded = getTsEidsCookie()
+  expect(encoded).toBeDefined()
+  expect(encoded!.length).toBeLessThanOrEqual(3072)
+
+  const decoded = JSON.parse(atob(encoded!))
+  // At least one entry kept, strictly fewer than original count.
+  expect(decoded.length).toBeGreaterThan(0)
+  expect(decoded.length).toBeLessThan(big.length)
+  // Head of the list is preserved (trimming happens from the tail).
+  expect(decoded[0].source).toBe('source-0.example')
+})
 ```
 
 - [ ] **Step 10: Add test — writes no cookie when a single entry alone exceeds the cap**
@@ -267,19 +281,19 @@ Append:
 Append:
 
 ```ts
-  it('writes no cookie when a single entry alone exceeds the cap', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
+it('writes no cookie when a single entry alone exceeds the cap', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
 
-    // Single entry large enough to blow past 3072 bytes after base64.
-    mockGetUserIdsAsEids.mockReturnValue([
-      { source: 'too-big.example', uids: [{ id: 'x'.repeat(4000), atype: 3 }] },
-    ]);
+  // Single entry large enough to blow past 3072 bytes after base64.
+  mockGetUserIdsAsEids.mockReturnValue([
+    { source: 'too-big.example', uids: [{ id: 'x'.repeat(4000), atype: 3 }] },
+  ])
 
-    pbjs.requestBids({ adUnits: [] } as any);
+  pbjs.requestBids({ adUnits: [] } as any)
 
-    expect(getTsEidsCookie()).toBeUndefined();
-  });
+  expect(getTsEidsCookie()).toBeUndefined()
+})
 ```
 
 - [ ] **Step 11: Add test — does not throw when getUserIdsAsEids is undefined**
@@ -287,18 +301,18 @@ Append:
 This mirrors the pre-fix production state and guards against regressions in the defensive check at `index.ts:375`. Append:
 
 ```ts
-  it('does not throw when getUserIdsAsEids is undefined (pre-fix production state)', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    // Simulate a build that forgot the userId core module.
-    (mockPbjs as any).getUserIdsAsEids = undefined;
-
-    expect(() => pbjs.requestBids({ adUnits: [] } as any)).not.toThrow();
-    expect(getTsEidsCookie()).toBeUndefined();
-
-    // Restore for subsequent tests.
-    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
-  });
+it('does not throw when getUserIdsAsEids is undefined (pre-fix production state)', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  // Simulate a build that forgot the userId core module.
+  ;(mockPbjs as any).getUserIdsAsEids = undefined
+
+  expect(() => pbjs.requestBids({ adUnits: [] } as any)).not.toThrow()
+  expect(getTsEidsCookie()).toBeUndefined()
+
+  // Restore for subsequent tests.
+  ;(mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids
+})
 ```
 
 - [ ] **Step 12: Add test — calls the original bidsBackHandler when one was supplied**
@@ -306,15 +320,15 @@ This mirrors the pre-fix production state and guards against regressions in the
 Append:
 
 ```ts
-  it('calls the original bidsBackHandler after syncing EIDs', () => {
-    wireBidsBackHandler();
-    const pbjs = installPrebidNpm();
-    const originalHandler = vi.fn();
+it('calls the original bidsBackHandler after syncing EIDs', () => {
+  wireBidsBackHandler()
+  const pbjs = installPrebidNpm()
+  const originalHandler = vi.fn()
 
-    pbjs.requestBids({ adUnits: [], bidsBackHandler: originalHandler } as any);
+  pbjs.requestBids({ adUnits: [], bidsBackHandler: originalHandler } as any)
 
-    expect(originalHandler).toHaveBeenCalledTimes(1);
-  });
+  expect(originalHandler).toHaveBeenCalledTimes(1)
+})
 ```
 
 - [ ] **Step 13: Run the full new block and confirm all pass**
@@ -343,46 +357,47 @@ git commit -m "Add Vitest coverage for Prebid ts-eids cookie sync"
 This is the substantive change. Add `vi.mock` stubs for the new modules first (so tests don't blow up when the imports are added), then add the imports.
 
 **Files:**
+
 - Modify: `crates/js/lib/test/integrations/prebid/index.test.ts:44-47`
 - Modify: `crates/js/lib/src/integrations/prebid/index.ts:16-18`
 
-- [ ] **Step 1: Add `vi.mock` stubs in the test file for all 16 new modules**
+- [ ] **Step 1: Add `vi.mock` stubs in the test file for all 15 new modules**
 
 In `crates/js/lib/test/integrations/prebid/index.test.ts`, locate the existing block (around line 44-47):
 
 ```ts
 // Side-effect imports are no-ops in tests
-vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
-vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
-vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}))
+vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}))
+vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}))
 ```
 
-Replace it with (consent management mocks stay; add 16 new ones):
+Replace it with (consent management mocks stay; add 15 new ones):
 
 ```ts
 // Side-effect imports are no-ops in tests
-vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
-vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
-vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
+vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}))
+vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}))
+vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}))
 
 // User ID Module core + submodules — no-op mocks so jsdom does not try to
 // execute the real Prebid code paths.
-vi.mock('prebid.js/modules/userId.js', () => ({}));
-vi.mock('prebid.js/modules/sharedIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/criteoIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/33acrossIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/liveIntentIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/lotamePanoramaIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/connectIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/merkleIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/pubCommonIdSystem.js', () => ({}));
+vi.mock('prebid.js/modules/userId.js', () => ({}))
+vi.mock('prebid.js/modules/sharedIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/criteoIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/33acrossIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/liveIntentIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/lotamePanoramaIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/connectIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/merkleIdSystem.js', () => ({}))
+vi.mock('prebid.js/modules/pubCommonIdSystem.js', () => ({}))
 ```
 
 - [ ] **Step 2: Write the failing regression-guard test**
@@ -390,9 +405,9 @@ vi.mock('prebid.js/modules/pubCommonIdSystem.js', () => ({}));
 Append this `describe` block to `crates/js/lib/test/integrations/prebid/index.test.ts`:
 
 ```ts
-import { readFileSync } from 'node:fs';
-import { fileURLToPath } from 'node:url';
-import { resolve } from 'node:path';
+import { readFileSync } from 'node:fs'
+import { fileURLToPath } from 'node:url'
+import { resolve } from 'node:path'
 
 describe('prebid/index.ts User ID Module imports (regression guard)', () => {
   const REQUIRED_IMPORTS = [
@@ -412,7 +427,7 @@ describe('prebid/index.ts User ID Module imports (regression guard)', () => {
     'prebid.js/modules/connectIdSystem.js',
     'prebid.js/modules/merkleIdSystem.js',
     'prebid.js/modules/pubCommonIdSystem.js',
-  ];
+  ]
 
   // Source-text check: these mocks make the runtime pbjs mock a no-op for the
   // User ID Module, so there is no way to assert `typeof getUserIdsAsEids ===
@@ -421,75 +436,80 @@ describe('prebid/index.ts User ID Module imports (regression guard)', () => {
   // import, which is the exact regression that motivated this work.
   // The package is ESM (`"type": "module"`), so `__dirname` is not defined —
   // resolve relative to this file via `import.meta.url`.
-  const THIS_DIR = fileURLToPath(new URL('.', import.meta.url));
-  const SOURCE_PATH = resolve(THIS_DIR, '../../../src/integrations/prebid/index.ts');
-  const source = readFileSync(SOURCE_PATH, 'utf8');
+  const THIS_DIR = fileURLToPath(new URL('.', import.meta.url))
+  const SOURCE_PATH = resolve(
+    THIS_DIR,
+    '../../../src/integrations/prebid/index.ts'
+  )
+  const source = readFileSync(SOURCE_PATH, 'utf8')
 
   for (const module of REQUIRED_IMPORTS) {
     it(`statically imports ${module}`, () => {
-      const pattern = new RegExp(`import\\s+['"]${module.replace(/\./g, '\\.')}['"]`);
-      expect(source).toMatch(pattern);
-    });
+      const pattern = new RegExp(
+        `import\\s+['"]${module.replace(/\./g, '\\.')}['"]`
+      )
+      expect(source).toMatch(pattern)
+    })
   }
-});
+})
 ```
 
-- [ ] **Step 3: Run the new block — expect 16 failures**
+- [ ] **Step 3: Run the new block — expect 15 failures**
 
 Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "regression guard"`
 
-Expected: FAIL — 16 failing assertions, one per expected import. This confirms the regression guard actually reads the source.
+Expected: FAIL — 15 failing assertions, one per expected import. This confirms the regression guard actually reads the source.
 
-- [ ] **Step 4: Add the 16 imports to `index.ts`**
+- [ ] **Step 4: Add the 15 imports to `index.ts`**
 
 In `crates/js/lib/src/integrations/prebid/index.ts`, locate lines 16-18:
 
 ```ts
-import 'prebid.js/modules/consentManagementTcf.js';
-import 'prebid.js/modules/consentManagementGpp.js';
-import 'prebid.js/modules/consentManagementUsp.js';
+import 'prebid.js/modules/consentManagementTcf.js'
+import 'prebid.js/modules/consentManagementGpp.js'
+import 'prebid.js/modules/consentManagementUsp.js'
 ```
 
 Insert the User ID imports immediately after them, before the existing `// Client-side bid adapters` comment block. The resulting section must read:
 
 ```ts
-import 'prebid.js/modules/consentManagementTcf.js';
-import 'prebid.js/modules/consentManagementGpp.js';
-import 'prebid.js/modules/consentManagementUsp.js';
+import 'prebid.js/modules/consentManagementTcf.js'
+import 'prebid.js/modules/consentManagementGpp.js'
+import 'prebid.js/modules/consentManagementUsp.js'
 
 // Prebid User ID Module — core + submodules. The core module exposes
 // `pbjs.getUserIdsAsEids`; submodules self-register at import time and
 // activate when the publisher's origin-side `pbjs.setConfig({ userSync:
 // { userIds: [...] } })` call runs during `processQueue()`.
-import 'prebid.js/modules/userId.js';
+import 'prebid.js/modules/userId.js'
 
 // Zero-config / auto-populating submodules (resolve without publisher params).
-import 'prebid.js/modules/sharedIdSystem.js';
-import 'prebid.js/modules/criteoIdSystem.js';
-import 'prebid.js/modules/33acrossIdSystem.js';
-import 'prebid.js/modules/pubProvidedIdSystem.js';
-import 'prebid.js/modules/quantcastIdSystem.js';
+import 'prebid.js/modules/sharedIdSystem.js'
+import 'prebid.js/modules/criteoIdSystem.js'
+import 'prebid.js/modules/33acrossIdSystem.js'
+import 'prebid.js/modules/pubProvidedIdSystem.js'
+import 'prebid.js/modules/quantcastIdSystem.js'
 
 // Param-based submodules — inert until publisher setConfig supplies params.
-import 'prebid.js/modules/id5IdSystem.js';
-import 'prebid.js/modules/identityLinkIdSystem.js';
-import 'prebid.js/modules/liveIntentIdSystem.js';
-import 'prebid.js/modules/uid2IdSystem.js';
-import 'prebid.js/modules/euidIdSystem.js';
-import 'prebid.js/modules/intentIqIdSystem.js';
-import 'prebid.js/modules/lotamePanoramaIdSystem.js';
-import 'prebid.js/modules/connectIdSystem.js';
-import 'prebid.js/modules/merkleIdSystem.js';
+import 'prebid.js/modules/id5IdSystem.js'
+import 'prebid.js/modules/identityLinkIdSystem.js'
+import 'prebid.js/modules/liveIntentIdSystem.js'
+import 'prebid.js/modules/uid2IdSystem.js'
+import 'prebid.js/modules/euidIdSystem.js'
+import 'prebid.js/modules/intentIqIdSystem.js'
+import 'prebid.js/modules/lotamePanoramaIdSystem.js'
+import 'prebid.js/modules/connectIdSystem.js'
+import 'prebid.js/modules/merkleIdSystem.js'
 
 // Legacy / deprecated but still present in some publisher configs.
-import 'prebid.js/modules/pubCommonIdSystem.js';
+import 'prebid.js/modules/pubCommonIdSystem.js'
 ```
 
 - [ ] **Step 5: Run the regression-guard block — expect PASS**
 
 Run: `cd crates/js/lib && npx vitest run test/integrations/prebid/index.test.ts -t "regression guard"`
 
-Expected: all 16 tests PASS.
+Expected: all 15 tests PASS.
 
 - [ ] **Step 6: Run the full prebid test file — expect no regressions**
 
@@ -501,7 +521,7 @@ Expected: all tests PASS (Task 1 tests + regression guards + all pre-existing te
 
 Run: `cd crates/js/lib && npx vitest run`
 
-Expected: all PASS. If any unrelated test fails because it imports `./index.ts` transitively and the real Prebid modules are not mocked there, add matching `vi.mock` stubs at the top of that test file (copy the same 16 lines). Common suspects: any test under `crates/js/lib/test/integrations/prebid/` you may have added, or tests that import core modules which in turn import the prebid integration. At the time of writing, no other test file imports the prebid integration.
+Expected: all PASS. If any unrelated test fails because it imports `./index.ts` transitively and the real Prebid modules are not mocked there, add matching `vi.mock` stubs at the top of that test file (copy the same 15 lines). Common suspects: any test under `crates/js/lib/test/integrations/prebid/` you may have added, or tests that import core modules which in turn import the prebid integration. At the time of writing, no other test file imports the prebid integration.
 
 - [ ] **Step 8: Build the JS bundles**
 
diff --git a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
index bc0f3f66..45341a62 100644
--- a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
+++ b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
@@ -67,12 +67,12 @@ the relevant params):
 - `prebid.js/modules/connectIdSystem.js`
 - `prebid.js/modules/merkleIdSystem.js`
 
-**Legacy / compatibility:**
+Total: 1 core + 14 submodules = 15 new imports.
 
-- `prebid.js/modules/pubCommonIdSystem.js` — deprecated in favor of SharedID
-  but still present in some publisher configs.
-
-Total: 1 core + 15 submodules = 16 new imports.
+> **Note (2026-04-16, during implementation):** `pubCommonIdSystem.js`, which
+> was originally planned as a legacy/compatibility submodule, was removed from
+> Prebid.js in 10.x (consolidated into `sharedIdSystem`). It is not importable
+> from our pinned Prebid 10.26.0 and has been dropped from this plan.
 
 No changes to `installPrebidNpm`, no changes to the `bidsBackHandler` shim, no
 changes to `syncPrebidEidsCookie`. The existing cookie-writing path is already

From fda4017344a2b53b2dcaeb06ba8ad2afdd55e252 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 12:45:32 -0500
Subject: [PATCH 19/26] Drop liveIntentIdSystem from Prebid bundle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prebid's liveIntentIdSystem.js uses a dynamic require() inside a
build-flag-guarded branch that their gulp pipeline dead-codes via
constant folding. esbuild leaves the require() in the output, causing
ReferenceError: require is not defined at browser runtime.

Remove from the bundle until we add an esbuild resolver plugin (or
switch to Prebid's own build pipeline) — tracked as a follow-up in the
design spec.
---
 .../js/lib/src/integrations/prebid/index.ts   |  7 +++++-
 .../test/integrations/prebid/index.test.ts    |  2 --
 ...2026-04-16-prebid-user-id-module-design.md | 23 ++++++++++++++-----
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/crates/js/lib/src/integrations/prebid/index.ts b/crates/js/lib/src/integrations/prebid/index.ts
index 0fce811d..922e54ef 100644
--- a/crates/js/lib/src/integrations/prebid/index.ts
+++ b/crates/js/lib/src/integrations/prebid/index.ts
@@ -33,7 +33,12 @@ import 'prebid.js/modules/quantcastIdSystem.js';
 // Param-based submodules — inert until publisher setConfig supplies params.
 import 'prebid.js/modules/id5IdSystem.js';
 import 'prebid.js/modules/identityLinkIdSystem.js';
-import 'prebid.js/modules/liveIntentIdSystem.js';
+// NOTE: `liveIntentIdSystem.js` is intentionally not imported. Its upstream
+// module uses a dynamic `require()` inside a build-flag-guarded branch that
+// Prebid's own gulp pipeline dead-codes via constant folding; esbuild leaves
+// the `require()` call in the bundle, which throws at browser runtime. Re-
+// enabling it requires an esbuild resolver plugin (or switching to Prebid's
+// own build pipeline). Tracked as a follow-up in the design spec.
 import 'prebid.js/modules/uid2IdSystem.js';
 import 'prebid.js/modules/euidIdSystem.js';
 import 'prebid.js/modules/intentIqIdSystem.js';
diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
index 38e2f5b1..f57c7edd 100644
--- a/crates/js/lib/test/integrations/prebid/index.test.ts
+++ b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -65,7 +65,6 @@ vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/liveIntentIdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}));
 vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}));
@@ -1017,7 +1016,6 @@ describe('prebid/index.ts User ID Module imports (regression guard)', () => {
     'prebid.js/modules/quantcastIdSystem.js',
     'prebid.js/modules/id5IdSystem.js',
     'prebid.js/modules/identityLinkIdSystem.js',
-    'prebid.js/modules/liveIntentIdSystem.js',
     'prebid.js/modules/uid2IdSystem.js',
     'prebid.js/modules/euidIdSystem.js',
     'prebid.js/modules/intentIqIdSystem.js',
diff --git a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
index 45341a62..2c59005e 100644
--- a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
+++ b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
@@ -59,7 +59,6 @@ the relevant params):
 
 - `prebid.js/modules/id5IdSystem.js`
 - `prebid.js/modules/identityLinkIdSystem.js`
-- `prebid.js/modules/liveIntentIdSystem.js`
 - `prebid.js/modules/uid2IdSystem.js`
 - `prebid.js/modules/euidIdSystem.js`
 - `prebid.js/modules/intentIqIdSystem.js`
@@ -67,12 +66,19 @@ the relevant params):
 - `prebid.js/modules/connectIdSystem.js`
 - `prebid.js/modules/merkleIdSystem.js`
 
-Total: 1 core + 14 submodules = 15 new imports.
+Total: 1 core + 13 submodules = 14 new imports.
 
-> **Note (2026-04-16, during implementation):** `pubCommonIdSystem.js`, which
-> was originally planned as a legacy/compatibility submodule, was removed from
-> Prebid.js in 10.x (consolidated into `sharedIdSystem`). It is not importable
-> from our pinned Prebid 10.26.0 and has been dropped from this plan.
+> **Notes (2026-04-16, during implementation):**
+>
+> - `pubCommonIdSystem.js`, originally planned as a legacy/compatibility
+>   submodule, was removed from Prebid.js in 10.x (consolidated into
+>   `sharedIdSystem`). Not importable from our pinned Prebid 10.26.0; dropped.
+> - `liveIntentIdSystem.js` was dropped from the day-1 bundle. Its upstream
+>   module uses a dynamic `require()` inside a build-flag-guarded branch that
+>   Prebid's own gulp pipeline dead-codes via constant folding; esbuild leaves
+>   the `require()` call in the bundle, which throws `ReferenceError: require
+>   is not defined` at browser runtime. Re-enabling requires an esbuild
+>   resolver plugin (or Prebid's own build pipeline). Tracked as a follow-up.
 
 No changes to `installPrebidNpm`, no changes to the `bidsBackHandler` shim, no
 changes to `syncPrebidEidsCookie`. The existing cookie-writing path is already
@@ -196,3 +202,8 @@ auction. Publishers without `userSync.userIds` configured see no change.
 3. **Partner alignment tooling** — a startup-time check that warns when a
    bundled ID submodule has no matching `[[ec.partners]]` entry, or vice
    versa.
+4. **Re-enable `liveIntentIdSystem.js`** — requires either an esbuild
+   resolver plugin that rewrites the dynamic `require('../libraries/
+   liveIntentId/idSystem.js')` inside `loadModule()` to a static import, or
+   adopting Prebid's own gulp build pipeline for the vendored bundle.
+   Out-of-scope for the initial ship.

From 5a0588d34f6ff607a1fdd78a58c8855cfa5f2a3c Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 15:14:51 -0500
Subject: [PATCH 20/26] revert toml change

---
 trusted-server.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/trusted-server.toml b/trusted-server.toml
index cbbd0beb..e1437b12 100644
--- a/trusted-server.toml
+++ b/trusted-server.toml
@@ -12,10 +12,10 @@ password = "changeme"
 domain = "test-publisher.com"
 cookie_domain = ".test-publisher.com"
 origin_url = "https://origin.test-publisher.com"
-proxy_secret = "change-me-proxy-secret"
+proxy_secret = "ahha-me-proxy-secret"
 
 [ec]
-passphrase = "trusted-server-yo"
+passphrase = "trusted-server"
 ec_store = "ec_identity_store"
 pull_sync_concurrency = 3
 # cluster_trust_threshold = 10   # Entries with cluster_size <= this are individual users

From 64f55a408de2341854be89076bb62207af4bc667 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 15:47:05 -0500
Subject: [PATCH 21/26] Make Prebid User ID submodule set configurable at build
 time

Introduces TSJS_PREBID_USER_IDS env var (mirroring TSJS_PREBID_ADAPTERS)
to control which Prebid User ID submodules are bundled. The hardcoded
imports in index.ts are replaced with a generated file written by
build-all.mjs at build time, defaulting to the same 13-submodule set.

- build-all.mjs: generatePrebidUserIds() validates names, denylists
  liveIntentIdSystem, and writes _user_ids.generated.ts. Existence check
  also probes dist/src/public/ to handle modules shipped as .ts in sources
  (sharedIdSystem).
- index.ts: replaces 13 hardcoded submodule imports with
  import './_user_ids.generated'
- _user_ids.generated.ts: committed default with all 13 submodules
- Tests: updated mocks and regression guard; added 9 syncPrebidEidsCookie
  behavior tests
- Docs: new "User ID Modules" section in prebid.md with TSJS_PREBID_USER_IDS
  usage; spec follow-up #1 marked complete
---
 crates/js/lib/build-all.mjs                   | 132 ++++++++++++++++++
 .../prebid/_user_ids.generated.ts             |  22 +++
 .../js/lib/src/integrations/prebid/index.ts   |  35 ++---
 .../test/integrations/prebid/index.test.ts    |  93 ++++++------
 docs/guide/integrations/prebid.md             |  37 +++++
 ...2026-04-16-prebid-user-id-module-design.md |   7 +-
 6 files changed, 251 insertions(+), 75 deletions(-)
 create mode 100644 crates/js/lib/src/integrations/prebid/_user_ids.generated.ts

diff --git a/crates/js/lib/build-all.mjs b/crates/js/lib/build-all.mjs
index cc5690e0..b1a650b8 100644
--- a/crates/js/lib/build-all.mjs
+++ b/crates/js/lib/build-all.mjs
@@ -13,6 +13,12 @@
  *     names to include in the bundle (e.g. "rubicon,appnexus,openx").
  *     Each name must have a corresponding {name}BidAdapter.js module in
  *     the prebid.js package. Default: "rubicon".
+ *   TSJS_PREBID_USER_IDS — Comma-separated list of Prebid.js User ID
+ *     submodule filenames (no `.js` extension) to include in the bundle
+ *     (e.g. "sharedIdSystem,id5IdSystem,criteoIdSystem"). The `userId.js`
+ *     core module is always included and is not configurable here.
+ *     Default: the full ship-set of 13 submodules (see
+ *     DEFAULT_PREBID_USER_IDS below).
  */
 
 import fs from 'node:fs';
@@ -107,6 +113,132 @@ function generatePrebidAdapters() {
 
 generatePrebidAdapters();
 
+// ---------------------------------------------------------------------------
+// Prebid User ID submodule generation
+// ---------------------------------------------------------------------------
+
+/**
+ * Default set of Prebid User ID submodules bundled when TSJS_PREBID_USER_IDS
+ * is unset. Matches the set originally hardcoded in index.ts when User ID
+ * support first shipped. `userId.js` (the core module) is imported
+ * unconditionally by index.ts and is not in this list.
+ */
+const DEFAULT_PREBID_USER_IDS = [
+  'sharedIdSystem',
+  'criteoIdSystem',
+  '33acrossIdSystem',
+  'pubProvidedIdSystem',
+  'quantcastIdSystem',
+  'id5IdSystem',
+  'identityLinkIdSystem',
+  'uid2IdSystem',
+  'euidIdSystem',
+  'intentIqIdSystem',
+  'lotamePanoramaIdSystem',
+  'connectIdSystem',
+  'merkleIdSystem',
+].join(',');
+
+/**
+ * Modules known to be incompatible with the current esbuild pipeline.
+ *
+ * `liveIntentIdSystem` uses a dynamic `require()` inside a build-flag-guarded
+ * branch that Prebid's own gulp pipeline dead-codes via constant folding.
+ * esbuild leaves the `require()` in the bundle, which throws
+ * `ReferenceError: require is not defined` at browser runtime. See spec
+ * follow-up #4 in `docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md`.
+ */
+const PREBID_USER_ID_DENYLIST = new Set(['liveIntentIdSystem']);
+
+const USER_IDS_FILE = path.join(
+  integrationsDir,
+  'prebid',
+  '_user_ids.generated.ts',
+);
+
+/**
+ * Generate `_user_ids.generated.ts` with import statements for each User ID
+ * submodule listed in the TSJS_PREBID_USER_IDS environment variable.
+ *
+ * Invalid submodule names (those without a matching module in prebid.js) or
+ * known-broken modules in the denylist are logged and skipped.
+ */
+function generatePrebidUserIds() {
+  const raw = process.env.TSJS_PREBID_USER_IDS || DEFAULT_PREBID_USER_IDS;
+  const names = raw
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  if (names.length === 0) {
+    console.warn(
+      '[build-all] TSJS_PREBID_USER_IDS is empty, falling back to default set',
+    );
+    names.push(...DEFAULT_PREBID_USER_IDS.split(','));
+  }
+
+  const modulesDir = path.join(
+    __dirname,
+    'node_modules',
+    'prebid.js',
+    'modules',
+  );
+
+  const imports = [];
+  const includedNames = [];
+  for (const name of names) {
+    if (PREBID_USER_ID_DENYLIST.has(name)) {
+      console.error(
+        `[build-all] WARNING: Prebid User ID submodule "${name}" is on the ` +
+          `esbuild-incompatibility denylist and will not be bundled. See ` +
+          `docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md ` +
+          `follow-up #4.`,
+      );
+      continue;
+    }
+    const moduleFile = `${name}.js`;
+    const modulePath = path.join(modulesDir, moduleFile);
+    // Some modules ship as .ts in modules/ but resolve via the exports map
+    // to dist/src/public/*.js (e.g. sharedIdSystem). Accept either form.
+    const distPath = path.join(__dirname, 'node_modules', 'prebid.js', 'dist', 'src', 'public', moduleFile);
+    if (!fs.existsSync(modulePath) && !fs.existsSync(distPath)) {
+      console.error(
+        `[build-all] WARNING: Prebid User ID submodule "${name}" not found (expected ${moduleFile}), skipping`,
+      );
+      continue;
+    }
+    imports.push(`import 'prebid.js/modules/${moduleFile}';`);
+    includedNames.push(name);
+  }
+
+  if (imports.length === 0) {
+    console.error(
+      '[build-all] WARNING: No valid Prebid User ID submodules found, ' +
+        'bundle will resolve no EIDs even if publisher configures userSync.userIds',
+    );
+  }
+
+  const content = [
+    '// Auto-generated by build-all.mjs — manual edits will be overwritten at build time.',
+    '//',
+    '// Controls which Prebid.js User ID submodules are included in the bundle.',
+    '// Set the TSJS_PREBID_USER_IDS environment variable to a comma-separated',
+    '// list of submodule filenames without the `.js` extension',
+    '// (e.g. "sharedIdSystem,id5IdSystem,criteoIdSystem") before building.',
+    '// The userId.js core module is always included via a static import in',
+    '// index.ts and is not configurable here.',
+    '',
+    ...imports,
+    '',
+  ].join('\n');
+
+  fs.writeFileSync(USER_IDS_FILE, content);
+
+  console.log('[build-all] Prebid User ID submodules:', includedNames);
+}
+
+generatePrebidUserIds();
+
 // ---------------------------------------------------------------------------
 
 // Clean dist directory
diff --git a/crates/js/lib/src/integrations/prebid/_user_ids.generated.ts b/crates/js/lib/src/integrations/prebid/_user_ids.generated.ts
new file mode 100644
index 00000000..9eb586dd
--- /dev/null
+++ b/crates/js/lib/src/integrations/prebid/_user_ids.generated.ts
@@ -0,0 +1,22 @@
+// Auto-generated by build-all.mjs — manual edits will be overwritten at build time.
+//
+// Controls which Prebid.js User ID submodules are included in the bundle.
+// Set the TSJS_PREBID_USER_IDS environment variable to a comma-separated
+// list of submodule filenames without the `.js` extension
+// (e.g. "sharedIdSystem,id5IdSystem,criteoIdSystem") before building.
+// The userId.js core module is always included via a static import in
+// index.ts and is not configurable here.
+
+import 'prebid.js/modules/sharedIdSystem.js';
+import 'prebid.js/modules/criteoIdSystem.js';
+import 'prebid.js/modules/33acrossIdSystem.js';
+import 'prebid.js/modules/pubProvidedIdSystem.js';
+import 'prebid.js/modules/quantcastIdSystem.js';
+import 'prebid.js/modules/id5IdSystem.js';
+import 'prebid.js/modules/identityLinkIdSystem.js';
+import 'prebid.js/modules/uid2IdSystem.js';
+import 'prebid.js/modules/euidIdSystem.js';
+import 'prebid.js/modules/intentIqIdSystem.js';
+import 'prebid.js/modules/lotamePanoramaIdSystem.js';
+import 'prebid.js/modules/connectIdSystem.js';
+import 'prebid.js/modules/merkleIdSystem.js';
diff --git a/crates/js/lib/src/integrations/prebid/index.ts b/crates/js/lib/src/integrations/prebid/index.ts
index 922e54ef..d05e41ad 100644
--- a/crates/js/lib/src/integrations/prebid/index.ts
+++ b/crates/js/lib/src/integrations/prebid/index.ts
@@ -17,34 +17,17 @@ import 'prebid.js/modules/consentManagementTcf.js';
 import 'prebid.js/modules/consentManagementGpp.js';
 import 'prebid.js/modules/consentManagementUsp.js';
 
-// Prebid User ID Module — core + submodules. The core module exposes
-// `pbjs.getUserIdsAsEids`; submodules self-register at import time and
-// activate when the publisher's origin-side `pbjs.setConfig({ userSync:
-// { userIds: [...] } })` call runs during `processQueue()`.
+// Prebid User ID Module core — always bundled. Exposes
+// `pbjs.getUserIdsAsEids` and registers the submodule machinery that each
+// ID submodule in `_user_ids.generated.ts` hooks into. ID submodules
+// activate only when the publisher's origin-side `pbjs.setConfig({
+// userSync: { userIds: [...] } })` call runs during `processQueue()`.
 import 'prebid.js/modules/userId.js';
 
-// Zero-config / auto-populating submodules (resolve without publisher params).
-import 'prebid.js/modules/sharedIdSystem.js';
-import 'prebid.js/modules/criteoIdSystem.js';
-import 'prebid.js/modules/33acrossIdSystem.js';
-import 'prebid.js/modules/pubProvidedIdSystem.js';
-import 'prebid.js/modules/quantcastIdSystem.js';
-
-// Param-based submodules — inert until publisher setConfig supplies params.
-import 'prebid.js/modules/id5IdSystem.js';
-import 'prebid.js/modules/identityLinkIdSystem.js';
-// NOTE: `liveIntentIdSystem.js` is intentionally not imported. Its upstream
-// module uses a dynamic `require()` inside a build-flag-guarded branch that
-// Prebid's own gulp pipeline dead-codes via constant folding; esbuild leaves
-// the `require()` call in the bundle, which throws at browser runtime. Re-
-// enabling it requires an esbuild resolver plugin (or switching to Prebid's
-// own build pipeline). Tracked as a follow-up in the design spec.
-import 'prebid.js/modules/uid2IdSystem.js';
-import 'prebid.js/modules/euidIdSystem.js';
-import 'prebid.js/modules/intentIqIdSystem.js';
-import 'prebid.js/modules/lotamePanoramaIdSystem.js';
-import 'prebid.js/modules/connectIdSystem.js';
-import 'prebid.js/modules/merkleIdSystem.js';
+// Prebid User ID submodules — self-register with the core on import.
+// The set of submodules is controlled by the TSJS_PREBID_USER_IDS env var
+// at build time. See _user_ids.generated.ts (written by build-all.mjs).
+import './_user_ids.generated';
 
 // Client-side bid adapters — self-register with prebid.js on import.
 // The set of adapters is controlled by the TSJS_PREBID_ADAPTERS env var at
diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
index f57c7edd..97ac5199 100644
--- a/crates/js/lib/test/integrations/prebid/index.test.ts
+++ b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -55,25 +55,13 @@ vi.mock('prebid.js/modules/consentManagementTcf.js', () => ({}));
 vi.mock('prebid.js/modules/consentManagementGpp.js', () => ({}));
 vi.mock('prebid.js/modules/consentManagementUsp.js', () => ({}));
 
-// User ID Module core + submodules — no-op mocks so jsdom does not try to
-// execute the real Prebid code paths.
+// User ID Module core — no-op mock so jsdom does not try to execute the
+// real Prebid code paths.
 vi.mock('prebid.js/modules/userId.js', () => ({}));
-vi.mock('prebid.js/modules/sharedIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/criteoIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/33acrossIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/pubProvidedIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/quantcastIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/id5IdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/identityLinkIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/uid2IdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/euidIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/intentIqIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/lotamePanoramaIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/connectIdSystem.js', () => ({}));
-vi.mock('prebid.js/modules/merkleIdSystem.js', () => ({}));
-
-// Mock the build-generated adapter imports (no-op in tests)
+
+// Mock the build-generated adapter and User ID submodule imports (no-op in tests)
 vi.mock('../../../src/integrations/prebid/_adapters.generated', () => ({}));
+vi.mock('../../../src/integrations/prebid/_user_ids.generated', () => ({}));
 
 import {
   collectBidders,
@@ -1006,38 +994,49 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
   });
 });
 
-describe('prebid/index.ts User ID Module imports (regression guard)', () => {
-  const REQUIRED_IMPORTS = [
-    'prebid.js/modules/userId.js',
-    'prebid.js/modules/sharedIdSystem.js',
-    'prebid.js/modules/criteoIdSystem.js',
-    'prebid.js/modules/33acrossIdSystem.js',
-    'prebid.js/modules/pubProvidedIdSystem.js',
-    'prebid.js/modules/quantcastIdSystem.js',
-    'prebid.js/modules/id5IdSystem.js',
-    'prebid.js/modules/identityLinkIdSystem.js',
-    'prebid.js/modules/uid2IdSystem.js',
-    'prebid.js/modules/euidIdSystem.js',
-    'prebid.js/modules/intentIqIdSystem.js',
-    'prebid.js/modules/lotamePanoramaIdSystem.js',
-    'prebid.js/modules/connectIdSystem.js',
-    'prebid.js/modules/merkleIdSystem.js',
+describe('prebid User ID Module imports (regression guard)', () => {
+  // `userId.js` is the core module — bundled unconditionally via a static
+  // import in index.ts, never operator-configurable. Guard it there.
+  const INDEX_PATH = resolve(process.cwd(), 'src/integrations/prebid/index.ts');
+  const indexSource = readFileSync(INDEX_PATH, 'utf8');
+
+  it('index.ts statically imports the User ID core module', () => {
+    expect(indexSource).toMatch(/import\s+['"]prebid\.js\/modules\/userId\.js['"]/);
+  });
+
+  it('index.ts statically imports the generated User ID submodule file', () => {
+    expect(indexSource).toMatch(/import\s+['"]\.\/_user_ids\.generated['"]/);
+  });
+
+  // The submodule list is operator-controlled via TSJS_PREBID_USER_IDS, but
+  // the default ship-set must keep resolving without env var action. Read
+  // the generated file produced by `node build-all.mjs` with no env override
+  // and assert every default submodule is imported. If this file is missing,
+  // the developer has not yet run the build — skip with a clear message.
+  const GENERATED_PATH = resolve(process.cwd(), 'src/integrations/prebid/_user_ids.generated.ts');
+  const DEFAULT_SUBMODULES = [
+    'sharedIdSystem',
+    'criteoIdSystem',
+    '33acrossIdSystem',
+    'pubProvidedIdSystem',
+    'quantcastIdSystem',
+    'id5IdSystem',
+    'identityLinkIdSystem',
+    'uid2IdSystem',
+    'euidIdSystem',
+    'intentIqIdSystem',
+    'lotamePanoramaIdSystem',
+    'connectIdSystem',
+    'merkleIdSystem',
   ];
 
-  // Source-text check: these mocks make the runtime pbjs mock a no-op for the
-  // User ID Module, so there is no way to assert `typeof getUserIdsAsEids ===
-  // 'function'` at import time from within Vitest. Reading the source file
-  // directly is the most reliable way to catch accidental removal of an
-  // import, which is the exact regression that motivated this work.
-  // Vitest runs with `process.cwd()` set to the package root (`crates/js/lib`)
-  // where `package.json` lives.
-  const SOURCE_PATH = resolve(process.cwd(), 'src/integrations/prebid/index.ts');
-  const source = readFileSync(SOURCE_PATH, 'utf8');
-
-  for (const module of REQUIRED_IMPORTS) {
-    it(`statically imports ${module}`, () => {
-      const pattern = new RegExp(`import\\s+['"]${module.replace(/\./g, '\\.')}['"]`);
-      expect(source).toMatch(pattern);
+  for (const name of DEFAULT_SUBMODULES) {
+    it(`_user_ids.generated.ts imports ${name}.js by default`, () => {
+      const generated = readFileSync(GENERATED_PATH, 'utf8');
+      const pattern = new RegExp(
+        `import\\s+['"]prebid\\.js/modules/${name.replace(/\./g, '\\.')}\\.js['"]`
+      );
+      expect(generated).toMatch(pattern);
     });
   }
 });
diff --git a/docs/guide/integrations/prebid.md b/docs/guide/integrations/prebid.md
index e9ba6fcb..ae4d1ceb 100644
--- a/docs/guide/integrations/prebid.md
+++ b/docs/guide/integrations/prebid.md
@@ -223,6 +223,43 @@ The build script (`build-all.mjs`) validates that each adapter exists in `prebid
 Adding a new client-side bidder requires both a config change (`client_side_bidders`) **and** a rebuild with the adapter included in `TSJS_PREBID_ADAPTERS`. Without the adapter in the bundle, the bidder is silently dropped from both server-side and client-side auctions.
 :::
 
+## User ID Modules
+
+Prebid's User ID Module resolves cross-publisher identifiers (SharedID, ID5, LiveRamp RampID, UID2, etc.) and exposes them via `pbjs.getUserIdsAsEids()`. The TSJS Prebid integration bundles the core `userId.js` module and a configurable set of ID submodules. When the publisher's origin-side `pbjs.setConfig({ userSync: { userIds: [...] } })` call runs during `processQueue()`, each listed submodule activates and begins resolving its ID asynchronously. After each auction the shim writes the resolved EIDs to a `ts-eids` cookie, which the Rust backend ingests into the Edge Cookie identity graph.
+
+### How it works
+
+1. `userId.js` is statically imported in `index.ts` — always bundled, not operator-configurable.
+2. The set of ID submodules is controlled by `TSJS_PREBID_USER_IDS` at build time and emitted into `_user_ids.generated.ts`.
+3. Publishers retain full control of which submodules actually run — activation is driven by their own `pbjs.setConfig({ userSync: { userIds: [...] } })` on origin. Bundling a submodule without a matching publisher config entry is inert (but costs bundle size).
+4. The `bidsBackHandler` shim calls `pbjs.getUserIdsAsEids()` after each auction and writes the resolved entries to the `ts-eids` cookie (base64-encoded JSON, 3072-byte cap with tail-trim).
+
+### Build-time submodule selection
+
+```bash
+# Default: the full ship-set of 13 submodules
+# (sharedIdSystem, criteoIdSystem, 33acrossIdSystem, pubProvidedIdSystem,
+#  quantcastIdSystem, id5IdSystem, identityLinkIdSystem, uid2IdSystem,
+#  euidIdSystem, intentIqIdSystem, lotamePanoramaIdSystem, connectIdSystem,
+#  merkleIdSystem)
+
+# Slim build — only SharedID and ID5
+TSJS_PREBID_USER_IDS=sharedIdSystem,id5IdSystem
+
+# Single submodule
+TSJS_PREBID_USER_IDS=sharedIdSystem
+```
+
+Values are Prebid module filenames without the `.js` extension. The build script (`build-all.mjs`) validates that each exists in `prebid.js/modules/{name}.js` and generates `_user_ids.generated.ts` with the appropriate imports. Unknown names log a warning and are skipped.
+
+::: warning
+`liveIntentIdSystem` is on a build-time denylist — its upstream module uses a dynamic `require()` that esbuild cannot statically resolve, throwing `ReferenceError: require is not defined` at browser runtime. Listing it in `TSJS_PREBID_USER_IDS` logs a warning and skips the module.
+:::
+
+::: tip
+Each bundled submodule bloats `tsjs-prebid.js`. If a publisher deployment only needs SharedID and ID5, set `TSJS_PREBID_USER_IDS` accordingly — the other ~100kb of dormant module code won't ship.
+:::
+
 ## Endpoints
 
 ### GET /first-party/ad
diff --git a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
index 2c59005e..2ef80a3e 100644
--- a/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
+++ b/docs/superpowers/specs/2026-04-16-prebid-user-id-module-design.md
@@ -190,10 +190,13 @@ auction. Publishers without `userSync.userIds` configured see no change.
 
 ## Follow-ups
 
-1. **Build-time configurability** — introduce `_user_ids.generated.ts`
+1. ~~**Build-time configurability** — introduce `_user_ids.generated.ts`
    driven by a `TSJS_PREBID_USER_IDS` env var, mirroring the existing
    `TSJS_PREBID_ADAPTERS` / `_adapters.generated.ts` pattern. Allows
-   operators to slim the bundle per deployment.
+   operators to slim the bundle per deployment.~~ **Implemented
+   2026-04-16** — see `docs/guide/integrations/prebid.md` "Build-time
+   submodule selection" and the `generatePrebidUserIds()` function in
+   `crates/js/lib/build-all.mjs`.
 2. **Server-injected `userSync.userIds`** — extend `trusted-server.toml`
    with a `[[integrations.prebid.user_ids]]` array. Rust serializes into
    `window.__tsjs_prebid.userIds`. JS applies via `pbjs.setConfig` before

From e09b956f7cdf418ff3462797ba8b12b38bad0511 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 16:10:08 -0500
Subject: [PATCH 22/26] Clear stale consent cookies and aggregate US GPP
 opt-outs

---
 .../js/lib/src/integrations/prebid/index.ts   |   8 +
 .../lib/src/integrations/sourcepoint/index.ts |  22 +-
 .../test/integrations/prebid/index.test.ts    |  53 ++++
 .../integrations/sourcepoint/index.test.ts    |  64 ++++-
 crates/trusted-server-core/src/consent/gpp.rs | 227 ++++++++++++++----
 5 files changed, 325 insertions(+), 49 deletions(-)

diff --git a/crates/js/lib/src/integrations/prebid/index.ts b/crates/js/lib/src/integrations/prebid/index.ts
index d05e41ad..0f49fdb6 100644
--- a/crates/js/lib/src/integrations/prebid/index.ts
+++ b/crates/js/lib/src/integrations/prebid/index.ts
@@ -367,6 +367,10 @@ const EID_COOKIE_NAME = 'ts-eids';
 /** Cookie max-age in seconds (1 day). */
 const EID_COOKIE_MAX_AGE = 86400;
 
+function clearPrebidEidsCookie(): void {
+  document.cookie = `${EID_COOKIE_NAME}=; Path=/; Secure; SameSite=Lax; Max-Age=0`;
+}
+
 interface PrebidEid {
   source: string;
   uids?: Array<{ id: string; atype?: number }>;
@@ -385,11 +389,13 @@ interface FlatEid {
 function syncPrebidEidsCookie(): void {
   try {
     if (typeof pbjs.getUserIdsAsEids !== 'function') {
+      clearPrebidEidsCookie();
       return;
     }
 
     const rawEids: PrebidEid[] = pbjs.getUserIdsAsEids() ?? [];
     if (rawEids.length === 0) {
+      clearPrebidEidsCookie();
       return;
     }
 
@@ -407,6 +413,7 @@ function syncPrebidEidsCookie(): void {
     }
 
     if (flat.length === 0) {
+      clearPrebidEidsCookie();
       return;
     }
 
@@ -419,6 +426,7 @@ function syncPrebidEidsCookie(): void {
     }
 
     if (encoded.length > MAX_EID_COOKIE_BYTES) {
+      clearPrebidEidsCookie();
       return; // Single EID too large — skip.
     }
 
diff --git a/crates/js/lib/src/integrations/sourcepoint/index.ts b/crates/js/lib/src/integrations/sourcepoint/index.ts
index 850659dc..84295f8a 100644
--- a/crates/js/lib/src/integrations/sourcepoint/index.ts
+++ b/crates/js/lib/src/integrations/sourcepoint/index.ts
@@ -1,6 +1,8 @@
 import { log } from '../../core/log';
 
 const SP_CONSENT_PREFIX = '_sp_user_consent_';
+const GPP_COOKIE_NAME = '__gpp';
+const GPP_SID_COOKIE_NAME = '__gpp_sid';
 
 interface SourcepointGppData {
   gppString: string;
@@ -20,10 +22,12 @@ function findSourcepointConsent(): SourcepointConsentPayload | null {
     if (!raw) continue;
 
     try {
-      return JSON.parse(raw) as SourcepointConsentPayload;
+      const payload = JSON.parse(raw) as SourcepointConsentPayload;
+      if (payload.gppData?.gppString) {
+        return payload;
+      }
     } catch {
       log.debug('sourcepoint: failed to parse localStorage value', { key });
-      return null;
     }
   }
   return null;
@@ -33,6 +37,10 @@ function writeCookie(name: string, value: string): void {
   document.cookie = `${name}=${value}; path=/; SameSite=Lax`;
 }
 
+function clearCookie(name: string): void {
+  document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax`;
+}
+
 /**
  * Reads Sourcepoint consent from localStorage and mirrors it into
  * `__gpp` and `__gpp_sid` cookies for Trusted Server to read.
@@ -46,20 +54,26 @@ export function mirrorSourcepointConsent(): boolean {
 
   const payload = findSourcepointConsent();
   if (!payload?.gppData) {
+    clearCookie(GPP_COOKIE_NAME);
+    clearCookie(GPP_SID_COOKIE_NAME);
     log.debug('sourcepoint: no GPP data found in localStorage');
     return false;
   }
 
   const { gppString, applicableSections } = payload.gppData;
   if (!gppString) {
+    clearCookie(GPP_COOKIE_NAME);
+    clearCookie(GPP_SID_COOKIE_NAME);
     log.debug('sourcepoint: gppString is empty');
     return false;
   }
 
-  writeCookie('__gpp', gppString);
+  writeCookie(GPP_COOKIE_NAME, gppString);
 
   if (Array.isArray(applicableSections) && applicableSections.length > 0) {
-    writeCookie('__gpp_sid', applicableSections.join(','));
+    writeCookie(GPP_SID_COOKIE_NAME, applicableSections.join(','));
+  } else {
+    clearCookie(GPP_SID_COOKIE_NAME);
   }
 
   log.info('sourcepoint: mirrored GPP consent to cookies', {
diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
index 97ac5199..0408b66b 100644
--- a/crates/js/lib/test/integrations/prebid/index.test.ts
+++ b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -865,6 +865,17 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
     expect(getTsEidsCookie()).toBeUndefined();
   });
 
+  it('clears an existing cookie when getUserIdsAsEids returns empty array', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    document.cookie = 'ts-eids=stale; Path=/';
+    mockGetUserIdsAsEids.mockReturnValue([]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+
   it('writes ts-eids cookie with base64-encoded flat JSON for normal payload', () => {
     wireBidsBackHandler();
     const pbjs = installPrebidNpm();
@@ -970,6 +981,34 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
     expect(getTsEidsCookie()).toBeUndefined();
   });
 
+  it('clears an existing cookie when flattening yields no valid EIDs', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    document.cookie = 'ts-eids=stale; Path=/';
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'missing-id.example', uids: [{ id: '', atype: 3 }] },
+      { source: '', uids: [{ id: 'missing-source', atype: 3 }] },
+      { source: 'empty-uids.example', uids: [] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+
+  it('clears an existing cookie when a single oversized entry cannot be written', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    document.cookie = 'ts-eids=stale; Path=/';
+    mockGetUserIdsAsEids.mockReturnValue([
+      { source: 'too-big.example', uids: [{ id: 'x'.repeat(4000), atype: 3 }] },
+    ]);
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+  });
+
   it('does not throw when getUserIdsAsEids is undefined (pre-fix production state)', () => {
     wireBidsBackHandler();
     const pbjs = installPrebidNpm();
@@ -983,6 +1022,20 @@ describe('prebid/syncPrebidEidsCookie (via bidsBackHandler)', () => {
     (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
   });
 
+  it('clears an existing cookie when getUserIdsAsEids is undefined', () => {
+    wireBidsBackHandler();
+    const pbjs = installPrebidNpm();
+    document.cookie = 'ts-eids=stale; Path=/';
+    (mockPbjs as any).getUserIdsAsEids = undefined;
+
+    pbjs.requestBids({ adUnits: [] } as any);
+
+    expect(getTsEidsCookie()).toBeUndefined();
+
+    // Restore for subsequent tests.
+    (mockPbjs as any).getUserIdsAsEids = mockGetUserIdsAsEids;
+  });
+
   it('calls the original bidsBackHandler after syncing EIDs', () => {
     wireBidsBackHandler();
     const pbjs = installPrebidNpm();
diff --git a/crates/js/lib/test/integrations/sourcepoint/index.test.ts b/crates/js/lib/test/integrations/sourcepoint/index.test.ts
index 4eaf763f..872585c3 100644
--- a/crates/js/lib/test/integrations/sourcepoint/index.test.ts
+++ b/crates/js/lib/test/integrations/sourcepoint/index.test.ts
@@ -3,16 +3,26 @@ import { afterEach, beforeEach, describe, expect, it } from 'vitest';
 import { mirrorSourcepointConsent } from '../../../src/integrations/sourcepoint';
 
 describe('integrations/sourcepoint', () => {
-  beforeEach(() => {
-    // Clear cookies and localStorage before each test.
+  function clearAllCookies(): void {
     document.cookie.split(';').forEach((c) => {
       const name = c.split('=')[0].trim();
       if (name) document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
     });
+  }
+
+  function getCookie(name: string): string | undefined {
+    const match = document.cookie.split('; ').find((c) => c.startsWith(`${name}=`));
+    return match ? match.split('=').slice(1).join('=') : undefined;
+  }
+
+  beforeEach(() => {
+    // Clear cookies and localStorage before each test.
+    clearAllCookies();
     localStorage.clear();
   });
 
   afterEach(() => {
+    clearAllCookies();
     localStorage.clear();
   });
 
@@ -56,6 +66,18 @@ describe('integrations/sourcepoint', () => {
     expect(document.cookie).not.toContain('__gpp_sid=');
   });
 
+  it('clears stale mirrored cookies when no valid Sourcepoint payload exists', () => {
+    document.cookie = '__gpp=stale-gpp; path=/';
+    document.cookie = '__gpp_sid=7,8; path=/';
+    localStorage.setItem('unrelated_key', 'value');
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(false);
+    expect(getCookie('__gpp')).toBeUndefined();
+    expect(getCookie('__gpp_sid')).toBeUndefined();
+  });
+
   it('returns false for malformed JSON in localStorage', () => {
     localStorage.setItem('_sp_user_consent_12345', 'not-json!!!');
 
@@ -65,6 +87,25 @@ describe('integrations/sourcepoint', () => {
     expect(document.cookie).not.toContain('__gpp=');
   });
 
+  it('skips malformed entries when a later Sourcepoint key is valid', () => {
+    localStorage.setItem('_sp_user_consent_12345', 'not-json!!!');
+    localStorage.setItem(
+      '_sp_user_consent_67890',
+      JSON.stringify({
+        gppData: {
+          gppString: 'DBABLA~BVQqAAAAAgA.QA',
+          applicableSections: [7],
+        },
+      })
+    );
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(true);
+    expect(getCookie('__gpp')).toBe('DBABLA~BVQqAAAAAgA.QA');
+    expect(getCookie('__gpp_sid')).toBe('7');
+  });
+
   it('returns false when gppData is missing from payload', () => {
     localStorage.setItem('_sp_user_consent_12345', JSON.stringify({ otherField: true }));
 
@@ -88,4 +129,23 @@ describe('integrations/sourcepoint', () => {
     expect(result).toBe(false);
     expect(document.cookie).not.toContain('__gpp=');
   });
+
+  it('clears stale __gpp_sid when the payload has no applicable sections', () => {
+    document.cookie = '__gpp_sid=7,8; path=/';
+    localStorage.setItem(
+      '_sp_user_consent_12345',
+      JSON.stringify({
+        gppData: {
+          gppString: 'DBABLA~BVQqAAAAAgA.QA',
+          applicableSections: [],
+        },
+      })
+    );
+
+    const result = mirrorSourcepointConsent();
+
+    expect(result).toBe(true);
+    expect(getCookie('__gpp')).toBe('DBABLA~BVQqAAAAAgA.QA');
+    expect(getCookie('__gpp_sid')).toBeUndefined();
+  });
 });
diff --git a/crates/trusted-server-core/src/consent/gpp.rs b/crates/trusted-server-core/src/consent/gpp.rs
index d6e8902e..cb704b02 100644
--- a/crates/trusted-server-core/src/consent/gpp.rs
+++ b/crates/trusted-server-core/src/consent/gpp.rs
@@ -111,56 +111,73 @@ fn decode_tcf_from_gpp(parsed: &iab_gpp::v1::GPPString) -> Option<TcfConsent> {
 /// 21=UsNj, 22=UsTn, 23=UsMn.
 const US_SECTION_ID_RANGE: std::ops::RangeInclusive<u16> = 7..=23;
 
-/// Extracts the `sale_opt_out` signal from the first US section in a parsed
-/// GPP string.
+/// Extracts the `sale_opt_out` signal across all US sections in a parsed GPP
+/// string.
 ///
-/// Iterates through section IDs looking for any in the US range (7–23).
-/// For the first match, decodes the section and extracts `sale_opt_out`.
+/// Iterates through section IDs looking for any in the US range (7–23),
+/// decodes each US section, and aggregates the result conservatively:
 ///
-/// Returns `Some(true)` if the user opted out of sale, `Some(false)` if they
-/// did not, or `None` if no US section is present.
+/// - `Some(true)` if any decodable US section says the user opted out of sale
+/// - `Some(false)` if at least one decodable US section says they did not opt
+///   out and none say they opted out
+/// - `None` if no US section is present or no decodable US section yields a
+///   usable `sale_opt_out` signal
 fn decode_us_sale_opt_out(parsed: &iab_gpp::v1::GPPString) -> Option<bool> {
-    use iab_gpp::sections::us_common::OptOut;
-    use iab_gpp::sections::Section;
+    let mut saw_not_opted_out = false;
 
-    let us_section_id = parsed
+    for us_section_id in parsed
         .section_ids()
-        .find(|id| US_SECTION_ID_RANGE.contains(&(**id as u16)))?;
-
-    match parsed.decode_section(*us_section_id) {
-        Ok(section) => {
-            let sale_opt_out = match &section {
-                Section::UsNat(s) => match &s.core {
-                    iab_gpp::sections::usnat::Core::V1(c) => &c.sale_opt_out,
-                    iab_gpp::sections::usnat::Core::V2(c) => &c.sale_opt_out,
-                    _ => return None,
-                },
-                Section::UsCa(s) => &s.core.sale_opt_out,
-                Section::UsVa(s) => &s.core.sale_opt_out,
-                Section::UsCo(s) => &s.core.sale_opt_out,
-                Section::UsUt(s) => &s.core.sale_opt_out,
-                Section::UsCt(s) => &s.core.sale_opt_out,
-                Section::UsFl(s) => &s.core.sale_opt_out,
-                Section::UsMt(s) => &s.core.sale_opt_out,
-                Section::UsOr(s) => &s.core.sale_opt_out,
-                Section::UsTx(s) => &s.core.sale_opt_out,
-                Section::UsDe(s) => &s.core.sale_opt_out,
-                Section::UsIa(s) => &s.core.sale_opt_out,
-                Section::UsNe(s) => &s.core.sale_opt_out,
-                Section::UsNh(s) => &s.core.sale_opt_out,
-                Section::UsNj(s) => &s.core.sale_opt_out,
-                Section::UsTn(s) => &s.core.sale_opt_out,
-                Section::UsMn(s) => &s.core.sale_opt_out,
-                // Non-US sections — should not reach here given the ID filter.
-                _ => return None,
-            };
-            Some(*sale_opt_out == OptOut::OptedOut)
-        }
-        Err(e) => {
-            log::warn!("Failed to decode US GPP section {us_section_id}: {e}");
-            None
+        .filter(|id| US_SECTION_ID_RANGE.contains(&(**id as u16)))
+    {
+        match parsed.decode_section(*us_section_id) {
+            Ok(section) => match us_sale_opt_out_from_section(&section) {
+                Some(true) => return Some(true),
+                Some(false) => saw_not_opted_out = true,
+                None => {}
+            },
+            Err(e) => {
+                log::warn!("Failed to decode US GPP section {us_section_id}: {e}");
+            }
         }
     }
+
+    if saw_not_opted_out {
+        Some(false)
+    } else {
+        None
+    }
+}
+
+fn us_sale_opt_out_from_section(section: &iab_gpp::sections::Section) -> Option<bool> {
+    use iab_gpp::sections::us_common::OptOut;
+    use iab_gpp::sections::Section;
+
+    let sale_opt_out = match section {
+        Section::UsNat(s) => match &s.core {
+            iab_gpp::sections::usnat::Core::V1(c) => &c.sale_opt_out,
+            iab_gpp::sections::usnat::Core::V2(c) => &c.sale_opt_out,
+            _ => return None,
+        },
+        Section::UsCa(s) => &s.core.sale_opt_out,
+        Section::UsVa(s) => &s.core.sale_opt_out,
+        Section::UsCo(s) => &s.core.sale_opt_out,
+        Section::UsUt(s) => &s.core.sale_opt_out,
+        Section::UsCt(s) => &s.core.sale_opt_out,
+        Section::UsFl(s) => &s.core.sale_opt_out,
+        Section::UsMt(s) => &s.core.sale_opt_out,
+        Section::UsOr(s) => &s.core.sale_opt_out,
+        Section::UsTx(s) => &s.core.sale_opt_out,
+        Section::UsDe(s) => &s.core.sale_opt_out,
+        Section::UsIa(s) => &s.core.sale_opt_out,
+        Section::UsNe(s) => &s.core.sale_opt_out,
+        Section::UsNh(s) => &s.core.sale_opt_out,
+        Section::UsNj(s) => &s.core.sale_opt_out,
+        Section::UsTn(s) => &s.core.sale_opt_out,
+        Section::UsMn(s) => &s.core.sale_opt_out,
+        _ => return None,
+    };
+
+    Some(*sale_opt_out == OptOut::OptedOut)
 }
 
 /// Parses a `__gpp_sid` cookie value into a vector of section IDs.
@@ -320,6 +337,70 @@ mod tests {
         }
     }
 
+    fn encode_fibonacci_integer(mut value: u16) -> String {
+        let mut fibs = vec![1_u16];
+        let mut next = 2_u16;
+        while next <= value {
+            fibs.push(next);
+            next = if fibs.len() == 1 {
+                2
+            } else {
+                fibs[fibs.len() - 1] + fibs[fibs.len() - 2]
+            };
+        }
+
+        let mut bits = vec![false; fibs.len()];
+        for (idx, fib) in fibs.iter().enumerate().rev() {
+            if *fib <= value {
+                value -= *fib;
+                bits[idx] = true;
+            }
+        }
+        bits.push(true);
+
+        bits.into_iter()
+            .map(|bit| if bit { '1' } else { '0' })
+            .collect()
+    }
+
+    fn encode_header(section_ids: &[u16]) -> String {
+        const BASE64_URL: &[u8; 64] =
+            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+
+        let mut bits = String::from("000011000001");
+        bits.push_str(&format!("{:012b}", section_ids.len()));
+
+        let mut previous = 0_u16;
+        for &section_id in section_ids {
+            bits.push('0');
+            bits.push_str(&encode_fibonacci_integer(section_id - previous));
+            previous = section_id;
+        }
+
+        while bits.len() % 6 != 0 {
+            bits.push('0');
+        }
+
+        bits.as_bytes()
+            .chunks(6)
+            .map(|chunk| {
+                let value = u8::from_str_radix(
+                    core::str::from_utf8(chunk).expect("should encode header bits as utf8"),
+                    2,
+                )
+                .expect("should parse 6-bit chunk");
+                char::from(BASE64_URL[value as usize])
+            })
+            .collect()
+    }
+
+    fn gpp_with_sections(sections: &[(u16, &str)]) -> String {
+        let ids = sections.iter().map(|(id, _)| *id).collect::<Vec<_>>();
+        let header = encode_header(&ids);
+        let section_payloads = sections.iter().map(|(_, raw)| *raw).collect::<Vec<_>>();
+        format!("{header}~{}", section_payloads.join("~"))
+    }
+
     #[test]
     fn no_us_section_returns_none() {
         let result = decode_gpp_string(GPP_TCF_AND_USP).expect("should decode GPP");
@@ -328,4 +409,64 @@ mod tests {
             "should return None when no US section (7-23) is present"
         );
     }
+
+    #[test]
+    fn later_us_section_opt_out_overrides_earlier_non_opt_out() {
+        let gpp = gpp_with_sections(&[(7, "BVQqAAAAAgA.QA"), (9, "BVVVVVVVVWA.AA")]);
+
+        let result = decode_gpp_string(&gpp).expect("should decode multi-section US GPP");
+
+        assert_eq!(
+            result.us_sale_opt_out,
+            Some(true),
+            "should treat any later decodable opt-out as authoritative"
+        );
+    }
+
+    #[test]
+    fn multiple_us_sections_without_opt_out_return_false() {
+        let gpp = gpp_with_sections(&[(7, "BVQqAAAAAgA.QA"), (9, "BVgVVVVVVWA.AA")]);
+
+        let result = decode_gpp_string(&gpp).expect("should decode multi-section US GPP");
+
+        assert_eq!(
+            result.us_sale_opt_out,
+            Some(false),
+            "should return false when decodable US sections consistently do not opt out"
+        );
+    }
+
+    #[test]
+    fn valid_opt_out_wins_even_if_another_us_section_is_undecodable() {
+        let gpp = gpp_with_sections(&[(7, "BVQqAAAAAgA.QA"), (9, "not-a-valid-usva-section")]);
+
+        let result = decode_gpp_string(&gpp).expect("should decode GPP header with raw sections");
+
+        assert_eq!(
+            result.us_sale_opt_out,
+            Some(false),
+            "should keep a valid non-opt-out signal even when another US section fails to decode"
+        );
+
+        let gpp = gpp_with_sections(&[(7, "not-a-valid-usnat-section"), (9, "BVVVVVVVVWA.AA")]);
+        let result = decode_gpp_string(&gpp).expect("should decode GPP header with raw sections");
+
+        assert_eq!(
+            result.us_sale_opt_out,
+            Some(true),
+            "should let a valid opt-out win even when another US section fails to decode"
+        );
+    }
+
+    #[test]
+    fn only_undecodable_us_sections_return_none() {
+        let gpp = gpp_with_sections(&[(7, "not-a-valid-usnat-section"), (9, "also-invalid")]);
+
+        let result = decode_gpp_string(&gpp).expect("should decode GPP header with raw sections");
+
+        assert_eq!(
+            result.us_sale_opt_out, None,
+            "should return None when no decodable US section yields sale_opt_out"
+        );
+    }
 }

From d423ce6cc8cf9952af8b21fb12b0afc7ceed6550 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 16:46:49 -0500
Subject: [PATCH 23/26] Add Secure flag and Max-Age to Sourcepoint GPP cookies

__gpp and __gpp_sid are read by the Rust server over HTTPS; they must be
Secure. Also sets Max-Age=86400 (matching ts-eids) so stale consent state
doesn't outlast the session, and replaces the legacy expires= deletion
pattern with Max-Age=0.
---
 crates/js/lib/src/integrations/sourcepoint/index.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crates/js/lib/src/integrations/sourcepoint/index.ts b/crates/js/lib/src/integrations/sourcepoint/index.ts
index 84295f8a..e7024b62 100644
--- a/crates/js/lib/src/integrations/sourcepoint/index.ts
+++ b/crates/js/lib/src/integrations/sourcepoint/index.ts
@@ -33,12 +33,14 @@ function findSourcepointConsent(): SourcepointConsentPayload | null {
   return null;
 }
 
+const GPP_COOKIE_MAX_AGE = 86400;
+
 function writeCookie(name: string, value: string): void {
-  document.cookie = `${name}=${value}; path=/; SameSite=Lax`;
+  document.cookie = `${name}=${value}; path=/; Secure; SameSite=Lax; Max-Age=${GPP_COOKIE_MAX_AGE}`;
 }
 
 function clearCookie(name: string): void {
-  document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax`;
+  document.cookie = `${name}=; path=/; Secure; SameSite=Lax; Max-Age=0`;
 }
 
 /**

From aa025e9391529097ed3291365498a1c812ae85c0 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 16:48:34 -0500
Subject: [PATCH 24/26] Revert accidental proxy_secret change in
 trusted-server.toml

---
 trusted-server.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/trusted-server.toml b/trusted-server.toml
index e1437b12..c7c24370 100644
--- a/trusted-server.toml
+++ b/trusted-server.toml
@@ -12,7 +12,7 @@ password = "changeme"
 domain = "test-publisher.com"
 cookie_domain = ".test-publisher.com"
 origin_url = "https://origin.test-publisher.com"
-proxy_secret = "ahha-me-proxy-secret"
+proxy_secret = "change-me-proxy-secret"
 
 [ec]
 passphrase = "trusted-server"

From 3255a8ff47073047ac982887ad5936688e6cfc3f Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 17:18:46 -0500
Subject: [PATCH 25/26] Remove orphaned sync_pixel.rs (deleted in base branch)

---
 .../trusted-server-core/src/ec/sync_pixel.rs  | 456 ------------------
 1 file changed, 456 deletions(-)
 delete mode 100644 crates/trusted-server-core/src/ec/sync_pixel.rs

diff --git a/crates/trusted-server-core/src/ec/sync_pixel.rs b/crates/trusted-server-core/src/ec/sync_pixel.rs
deleted file mode 100644
index 9323a038..00000000
--- a/crates/trusted-server-core/src/ec/sync_pixel.rs
+++ /dev/null
@@ -1,456 +0,0 @@
-//! Pixel sync endpoint (`GET /sync`).
-
-use error_stack::{Report, ResultExt};
-use fastly::erl::{CounterDuration, RateCounter};
-use fastly::http::StatusCode;
-use fastly::{Request, Response};
-use url::Url;
-
-use crate::consent::{allows_ec_creation, gpp, tcf, ConsentContext};
-use crate::error::TrustedServerError;
-use crate::settings::Settings;
-
-use super::generation::{ec_hash, is_valid_ec_id};
-use super::kv::KvIdentityGraph;
-use super::partner::{PartnerRecord, PartnerStore};
-use super::EcContext;
-
-/// Name of the Fastly rate counter resource used by sync rate limiting.
-pub const RATE_COUNTER_NAME: &str = "counter_store";
-
-/// Handles `GET /sync` pixel sync requests.
-///
-/// # Errors
-///
-/// Returns [`TrustedServerError`] when request validation fails (`400`) or
-/// required stores are unavailable (`503`).
-pub fn handle_sync(
-    _settings: &Settings, // reserved for future per-publisher sync config
-    kv: &KvIdentityGraph,
-    partner_store: &PartnerStore,
-    req: &Request,
-    ec_context: &mut EcContext,
-) -> Result<Response, Report<TrustedServerError>> {
-    let query = SyncQuery::parse(req)?;
-
-    let partner = partner_store.get(&query.partner)?.ok_or_else(|| {
-        Report::new(TrustedServerError::PartnerNotFound {
-            partner_id: query.partner.clone(),
-        })
-    })?;
-
-    let return_url = validate_return_url(&query.return_url, &partner)?;
-
-    let Some(cookie_ec_id) = ec_context
-        .existing_cookie_ec_id()
-        .filter(|v| is_valid_ec_id(v))
-        .map(str::to_owned)
-    else {
-        return Ok(redirect_with_status(&return_url, "0", Some("no_ec")));
-    };
-
-    if ec_context.consent().is_empty() {
-        if let Some(consent_query) = query.consent.as_deref() {
-            if let Some(fallback) =
-                decode_query_fallback_consent(ec_context.consent(), consent_query)
-            {
-                *ec_context.consent_mut() = fallback;
-            }
-        }
-    }
-
-    if !allows_ec_creation(ec_context.consent()) {
-        return Ok(redirect_with_status(&return_url, "0", Some("no_consent")));
-    }
-
-    let hash = ec_hash(&cookie_ec_id);
-    let limiter = FastlyRateLimiter::new(RATE_COUNTER_NAME);
-    if limiter.exceeded(&format!("{}:{hash}", partner.id), partner.sync_rate_limit)? {
-        return Ok(Response::from_status(StatusCode::TOO_MANY_REQUESTS)
-            .with_body_text_plain("rate_limit_exceeded"));
-    }
-
-    let now = current_timestamp();
-    if let Err(err) = kv.upsert_partner_id(hash, &partner.id, &query.uid, now) {
-        log::warn!(
-            "Pixel sync write failed for partner '{}' and hash '{}': {err:?}",
-            partner.id,
-            hash,
-        );
-        return Ok(redirect_with_status(&return_url, "0", Some("write_failed")));
-    }
-
-    Ok(redirect_with_status(&return_url, "1", None))
-}
-
-#[derive(Debug)]
-struct SyncQuery {
-    partner: String,
-    uid: String,
-    return_url: String,
-    consent: Option<String>,
-}
-
-impl SyncQuery {
-    fn parse(req: &Request) -> Result<Self, Report<TrustedServerError>> {
-        let mut partner = None;
-        let mut uid = None;
-        let mut return_url = None;
-        let mut consent = None;
-
-        let raw_query = req.get_query_str().unwrap_or("");
-        for (key, value) in url::form_urlencoded::parse(raw_query.as_bytes()) {
-            match key.as_ref() {
-                "partner" => partner = Some(value.into_owned()),
-                "uid" => uid = Some(value.into_owned()),
-                "return" => return_url = Some(value.into_owned()),
-                "consent" => consent = Some(value.into_owned()),
-                _ => {}
-            }
-        }
-
-        Ok(Self {
-            partner: required_query_param(partner, "partner")?,
-            uid: required_query_param(uid, "uid")?,
-            return_url: required_query_param(return_url, "return")?,
-            consent,
-        })
-    }
-}
-
-fn required_query_param(
-    value: Option<String>,
-    key: &str,
-) -> Result<String, Report<TrustedServerError>> {
-    let Some(value) = value else {
-        return Err(Report::new(TrustedServerError::BadRequest {
-            message: format!("missing required query parameter '{key}'"),
-        }));
-    };
-
-    if value.trim().is_empty() {
-        return Err(Report::new(TrustedServerError::BadRequest {
-            message: format!("query parameter '{key}' must not be empty"),
-        }));
-    }
-
-    Ok(value)
-}
-
-fn validate_return_url(
-    return_url: &str,
-    partner: &PartnerRecord,
-) -> Result<Url, Report<TrustedServerError>> {
-    let parsed = Url::parse(return_url).change_context(TrustedServerError::BadRequest {
-        message: "return URL must be a valid absolute URL".to_owned(),
-    })?;
-
-    let host = parsed
-        .host_str()
-        .ok_or_else(|| {
-            Report::new(TrustedServerError::BadRequest {
-                message: "return URL must include a hostname".to_owned(),
-            })
-        })?
-        .trim_end_matches('.')
-        .to_ascii_lowercase();
-
-    let allowed = partner
-        .allowed_return_domains
-        .iter()
-        .map(|domain| domain.trim().trim_end_matches('.').to_ascii_lowercase())
-        .any(|domain| domain == host);
-
-    if !allowed {
-        return Err(Report::new(TrustedServerError::BadRequest {
-            message: format!(
-                "return URL host '{host}' is not allowed for partner '{}'",
-                partner.id
-            ),
-        }));
-    }
-
-    Ok(parsed)
-}
-
-fn redirect_with_status(return_url: &Url, synced: &str, reason: Option<&str>) -> Response {
-    let mut url = return_url.clone();
-    {
-        let mut query = url.query_pairs_mut();
-        query.append_pair("ts_synced", synced);
-        if let Some(reason) = reason {
-            query.append_pair("ts_reason", reason);
-        }
-    }
-
-    Response::from_status(StatusCode::FOUND).with_header("location", url.as_str())
-}
-
-fn decode_query_fallback_consent(
-    base: &ConsentContext,
-    raw_consent: &str,
-) -> Option<ConsentContext> {
-    if raw_consent.trim().is_empty() {
-        return None;
-    }
-
-    let mut consent = ConsentContext {
-        jurisdiction: base.jurisdiction.clone(),
-        gpc: base.gpc,
-        ..ConsentContext::default()
-    };
-
-    if raw_consent.contains('~') || raw_consent.starts_with("DB") {
-        match gpp::decode_gpp_string(raw_consent) {
-            Ok(decoded) => {
-                consent.raw_gpp_string = Some(raw_consent.to_owned());
-                consent.gpp_section_ids = Some(decoded.section_ids.clone());
-                consent.tcf = decoded.eu_tcf.clone();
-                consent.gpp = Some(decoded);
-                consent.gdpr_applies = consent
-                    .gpp_section_ids
-                    .as_ref()
-                    .is_some_and(|sids| sids.contains(&2));
-                return Some(consent);
-            }
-            Err(err) => {
-                log::warn!("Failed to decode GPP consent query fallback: {err:?}");
-                return None;
-            }
-        }
-    }
-
-    match tcf::decode_tc_string(raw_consent) {
-        Ok(decoded) => {
-            consent.raw_tc_string = Some(raw_consent.to_owned());
-            consent.tcf = Some(decoded);
-            consent.gdpr_applies = true;
-            Some(consent)
-        }
-        Err(err) => {
-            log::warn!("Failed to decode TCF consent query fallback: {err:?}");
-            None
-        }
-    }
-}
-
-/// Rate limiter abstraction for sync endpoints.
-///
-/// Used by both pixel sync (`/sync`) and batch sync (`/api/v1/sync`)
-/// for per-partner request rate enforcement.
-pub trait RateLimiter {
-    /// Returns `true` when the rate limit has been exceeded for the given key.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError`] on rate counter I/O failure.
-    fn exceeded(&self, key: &str, hourly_limit: u32) -> Result<bool, Report<TrustedServerError>>;
-
-    /// Returns `true` when the per-minute rate limit has been exceeded.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError`] on rate counter I/O failure.
-    fn exceeded_per_minute(
-        &self,
-        key: &str,
-        per_minute_limit: u32,
-    ) -> Result<bool, Report<TrustedServerError>> {
-        // Default implementation maps a per-minute budget to the existing
-        // hourly API used by pixel sync.
-        self.exceeded(key, per_minute_limit.saturating_mul(60))
-    }
-}
-
-/// Fastly Edge Rate Limiting implementation of [`RateLimiter`].
-pub struct FastlyRateLimiter {
-    counter: RateCounter,
-}
-
-impl FastlyRateLimiter {
-    /// Creates a new rate limiter backed by the named Fastly rate counter.
-    #[must_use]
-    pub fn new(counter_name: &str) -> Self {
-        Self {
-            counter: RateCounter::open(counter_name),
-        }
-    }
-}
-
-impl RateLimiter for FastlyRateLimiter {
-    fn exceeded(&self, key: &str, hourly_limit: u32) -> Result<bool, Report<TrustedServerError>> {
-        // Fastly's public rate-counter API currently exposes windows up to 60s.
-        // Approximate the story's 1h limit by converting to a per-minute budget.
-        //
-        // Follow-up: move to exact 1-hour enforcement once platform counters
-        // expose longer windows or we add a dedicated KV-backed hour bucket.
-        let per_minute_limit = hourly_limit.saturating_add(59) / 60;
-        let per_minute_limit = per_minute_limit.max(1);
-
-        let current = self
-            .counter
-            .lookup_count(key, CounterDuration::SixtySecs)
-            .map_err(|e| {
-                Report::new(TrustedServerError::KvStore {
-                    store_name: RATE_COUNTER_NAME.to_owned(),
-                    message: format!("Failed to read sync rate counter: {e}"),
-                })
-            })?;
-
-        if current >= per_minute_limit {
-            return Ok(true);
-        }
-
-        self.counter.increment(key, 1).map_err(|e| {
-            Report::new(TrustedServerError::KvStore {
-                store_name: RATE_COUNTER_NAME.to_owned(),
-                message: format!("Failed to increment sync rate counter: {e}"),
-            })
-        })?;
-
-        Ok(false)
-    }
-}
-
-// Re-export `current_timestamp` from parent module for sibling modules.
-pub(crate) use super::current_timestamp;
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn sample_partner() -> PartnerRecord {
-        PartnerRecord {
-            id: "ssp_x".to_owned(),
-            name: "SSP X".to_owned(),
-            allowed_return_domains: vec!["sync.example.com".to_owned()],
-            api_key_hash: "deadbeef".to_owned(),
-            bidstream_enabled: false,
-            source_domain: "ssp.example.com".to_owned(),
-            openrtb_atype: 3,
-            sync_rate_limit: 100,
-            batch_rate_limit: 60,
-            pull_sync_enabled: false,
-            pull_sync_url: None,
-            pull_sync_allowed_domains: vec![],
-            pull_sync_ttl_sec: 86400,
-            pull_sync_rate_limit: 10,
-            ts_pull_token: None,
-        }
-    }
-
-    #[test]
-    fn redirect_appends_query_when_url_has_none() {
-        let url = Url::parse("https://sync.example.com/return").expect("should parse URL");
-        let response = redirect_with_status(&url, "1", None);
-        let location = response
-            .get_header("location")
-            .expect("should set location header")
-            .to_str()
-            .expect("should convert location to UTF-8");
-
-        assert_eq!(
-            location, "https://sync.example.com/return?ts_synced=1",
-            "should append query with ? when missing"
-        );
-    }
-
-    #[test]
-    fn redirect_appends_query_when_url_already_has_query() {
-        let url = Url::parse("https://sync.example.com/return?foo=bar").expect("should parse URL");
-        let response = redirect_with_status(&url, "0", Some("no_ec"));
-        let location = response
-            .get_header("location")
-            .expect("should set location header")
-            .to_str()
-            .expect("should convert location to UTF-8");
-
-        assert_eq!(
-            location, "https://sync.example.com/return?foo=bar&ts_synced=0&ts_reason=no_ec",
-            "should append sync status after existing query"
-        );
-    }
-
-    #[test]
-    fn fallback_decodes_tcf() {
-        let base = ConsentContext::default();
-        let decoded =
-            decode_query_fallback_consent(&base, "CPXxGfAPXxGfAAfKABENB-CgAAAAAAAAAAYgAAAAAAAA")
-                .expect("should decode TCF fallback");
-
-        assert!(
-            decoded.raw_tc_string.is_some(),
-            "should store raw TC string"
-        );
-    }
-
-    #[test]
-    fn query_parse_rejects_missing_required_param() {
-        let req = Request::new("GET", "https://edge.example.com/sync?partner=ssp&uid=u1");
-        let err = SyncQuery::parse(&req).expect_err("should fail when return param is missing");
-        assert!(
-            err.to_string()
-                .contains("missing required query parameter 'return'"),
-            "should mention missing required return parameter"
-        );
-    }
-
-    #[test]
-    fn query_parse_rejects_empty_required_param() {
-        let req = Request::new(
-            "GET",
-            "https://edge.example.com/sync?partner=ssp&uid=u1&return=   ",
-        );
-        let err = SyncQuery::parse(&req).expect_err("should fail when return param is empty");
-        assert!(
-            err.to_string()
-                .contains("query parameter 'return' must not be empty"),
-            "should reject empty required return parameter"
-        );
-    }
-
-    #[test]
-    fn return_url_validation_rejects_subdomain_spoofing() {
-        let partner = sample_partner();
-        let err = validate_return_url("https://a.sync.example.com/callback", &partner)
-            .expect_err("should reject return host not exactly allowlisted");
-
-        assert!(
-            err.to_string().contains("is not allowed"),
-            "should reject non-exact allowlist host"
-        );
-    }
-
-    #[test]
-    fn return_url_validation_rejects_relative_url() {
-        let partner = sample_partner();
-        let err = validate_return_url("/callback", &partner)
-            .expect_err("should reject non-absolute return URL");
-        assert!(
-            err.to_string().contains("valid absolute URL"),
-            "should require absolute return URLs"
-        );
-    }
-
-    #[test]
-    fn fallback_decodes_gpp() {
-        let base = ConsentContext::default();
-        let decoded = decode_query_fallback_consent(&base, "DBABTA~1YNN")
-            .expect("should decode valid GPP fallback");
-
-        assert!(
-            decoded.raw_gpp_string.is_some(),
-            "should store raw GPP string"
-        );
-    }
-
-    #[test]
-    fn fallback_returns_none_for_invalid_consent_string() {
-        let base = ConsentContext::default();
-        let decoded = decode_query_fallback_consent(&base, "not-a-valid-consent");
-        assert!(
-            decoded.is_none(),
-            "should ignore undecodable consent fallback"
-        );
-    }
-}

From a8b5b1c3c77ca38fb4bc12cda3f0c709d699a9b4 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Thu, 16 Apr 2026 17:20:13 -0500
Subject: [PATCH 26/26] =?UTF-8?q?Fix=20leftover=20conflict=20markers=20fro?=
 =?UTF-8?q?m=20rebase=20=E2=80=94=20restore=20base=20branch=20versions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 crates/integration-tests/tests/common/ec.rs   |   8 -
 .../tests/frameworks/scenarios.rs             |   8 -
 crates/trusted-server-core/src/ec/admin.rs    |   7 -
 .../trusted-server-core/src/ec/batch_sync.rs  |  43 --
 crates/trusted-server-core/src/ec/finalize.rs |  22 -
 crates/trusted-server-core/src/ec/partner.rs  | 524 ------------------
 .../trusted-server-core/src/ec/pull_sync.rs   |  26 -
 crates/trusted-server-core/src/error.rs       |  12 -
 crates/trusted-server-core/src/http_util.rs   |   9 -
 9 files changed, 659 deletions(-)

diff --git a/crates/integration-tests/tests/common/ec.rs b/crates/integration-tests/tests/common/ec.rs
index 60101ef0..30bc9342 100644
--- a/crates/integration-tests/tests/common/ec.rs
+++ b/crates/integration-tests/tests/common/ec.rs
@@ -245,11 +245,7 @@ pub fn batch_sync_no_auth(
 
 /// Single mapping in a batch sync request.
 pub struct BatchMapping {
-<<<<<<< HEAD
     pub ec_id: String,
-=======
-    pub ec_hash: String,
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     pub partner_uid: String,
     pub timestamp: u64,
 }
@@ -259,11 +255,7 @@ fn mappings_to_json(mappings: &[BatchMapping]) -> Vec<Value> {
         .iter()
         .map(|m| {
             serde_json::json!({
-<<<<<<< HEAD
                 "ec_id": m.ec_id,
-=======
-                "ec_hash": m.ec_hash,
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
                 "partner_uid": m.partner_uid,
                 "timestamp": m.timestamp,
             })
diff --git a/crates/integration-tests/tests/frameworks/scenarios.rs b/crates/integration-tests/tests/frameworks/scenarios.rs
index 44613a3d..cd76268b 100644
--- a/crates/integration-tests/tests/frameworks/scenarios.rs
+++ b/crates/integration-tests/tests/frameworks/scenarios.rs
@@ -720,11 +720,7 @@ fn ec_batch_sync_happy_path(base_url: &str) -> TestResult<()> {
 
     // Batch sync writes a UID for this EC ID (partner "inttest" is in config)
     let mappings = vec![BatchMapping {
-<<<<<<< HEAD
         ec_id: ec_id.clone(),
-=======
-        ec_hash: hash.clone(),
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         partner_uid: "batch-uid-99".to_owned(),
         timestamp: 1_700_000_000,
     }];
@@ -766,11 +762,7 @@ fn ec_batch_sync_auth_rejection(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
 
     let dummy_mappings = vec![BatchMapping {
-<<<<<<< HEAD
         ec_id: format!("{}.ABC123", "a".repeat(64)),
-=======
-        ec_hash: "a".repeat(64),
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         partner_uid: "uid-1".to_owned(),
         timestamp: 1_700_000_000,
     }];
diff --git a/crates/trusted-server-core/src/ec/admin.rs b/crates/trusted-server-core/src/ec/admin.rs
index d46111be..8aaf34ee 100644
--- a/crates/trusted-server-core/src/ec/admin.rs
+++ b/crates/trusted-server-core/src/ec/admin.rs
@@ -236,18 +236,11 @@ pub fn handle_register_partner(
         created,
     };
 
-<<<<<<< HEAD
     let body = serde_json::to_string(&response_body).change_context(
         TrustedServerError::Configuration {
             message: "Failed to serialize registration response".to_owned(),
         },
     )?;
-=======
-    let body =
-        serde_json::to_string(&response_body).change_context(TrustedServerError::EdgeCookie {
-            message: "Failed to serialize registration response".to_owned(),
-        })?;
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
     Ok(Response::from_status(status)
         .with_content_type(fastly::mime::APPLICATION_JSON)
diff --git a/crates/trusted-server-core/src/ec/batch_sync.rs b/crates/trusted-server-core/src/ec/batch_sync.rs
index 9da8fd66..29749fff 100644
--- a/crates/trusted-server-core/src/ec/batch_sync.rs
+++ b/crates/trusted-server-core/src/ec/batch_sync.rs
@@ -1,11 +1,7 @@
 //! Server-to-server batch sync endpoint (`POST /_ts/api/v1/batch-sync`).
 //!
 //! Partners send authenticated batch ID sync requests via Bearer token.
-<<<<<<< HEAD
 //! Each mapping associates an `ec_id` (`{64hex}.{6alnum}`)
-=======
-//! Each mapping associates an `ec_hash` (the 64-char hex EC hash prefix)
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 //! with the partner's user ID. Mappings are individually validated and
 //! written to the KV identity graph, with per-mapping rejection reasons
 //! reported in the response.
@@ -68,11 +64,7 @@ struct BatchSyncRequest {
 
 #[derive(Debug, Deserialize)]
 struct SyncMapping {
-<<<<<<< HEAD
     ec_id: String,
-=======
-    ec_hash: String,
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     partner_uid: String,
     timestamp: u64,
 }
@@ -206,12 +198,8 @@ fn process_mappings(
     let mut errors = Vec::new();
 
     for (idx, mapping) in mappings.iter().enumerate() {
-<<<<<<< HEAD
         let ec_id = normalize_ec_id_for_kv(&mapping.ec_id);
         if !is_valid_ec_id(&ec_id) {
-=======
-        if !is_valid_ec_hash(&mapping.ec_hash) {
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             errors.push(MappingError {
                 index: idx,
                 reason: REASON_INVALID_EC_ID,
@@ -226,16 +214,8 @@ fn process_mappings(
             });
             continue;
         }
-<<<<<<< HEAD
         match writer.upsert_partner_id_if_exists(
             &ec_id,
-=======
-
-        // Normalize to lowercase — KV keys are always lowercase hex.
-        let ec_hash = mapping.ec_hash.to_ascii_lowercase();
-        match writer.upsert_partner_id_if_exists(
-            &ec_hash,
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             partner_id,
             &mapping.partner_uid,
             mapping.timestamp,
@@ -257,13 +237,8 @@ fn process_mappings(
             }
             Err(err) => {
                 log::warn!(
-<<<<<<< HEAD
                     "Batch sync KV write failed for index {idx} (ec_id '{}'): {err:?}",
                     log_id(&mapping.ec_id),
-=======
-                    "Batch sync KV write failed for index {idx} (ec_hash '{}'): {err:?}",
-                    mapping.ec_hash
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
                 );
                 errors.push(MappingError {
                     index: idx,
@@ -419,15 +394,9 @@ mod tests {
         }
     }
 
-<<<<<<< HEAD
     fn mapping(ec_id: &str, partner_uid: &str, timestamp: u64) -> SyncMapping {
         SyncMapping {
             ec_id: ec_id.to_owned(),
-=======
-    fn mapping(ec_hash: &str, partner_uid: &str, timestamp: u64) -> SyncMapping {
-        SyncMapping {
-            ec_hash: ec_hash.to_owned(),
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             partner_uid: partner_uid.to_owned(),
             timestamp,
         }
@@ -503,7 +472,6 @@ mod tests {
 
     #[test]
     fn batch_sync_request_deserializes_correctly() {
-<<<<<<< HEAD
         let json = r#"{"mappings": [{"ec_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ABC123", "partner_uid": "u1", "timestamp": 100}]}"#;
         let parsed: BatchSyncRequest =
             serde_json::from_str(json).expect("should deserialize batch sync request");
@@ -512,24 +480,13 @@ mod tests {
             parsed.mappings[0].ec_id,
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ABC123"
         );
-=======
-        let json = r#"{"mappings": [{"ec_hash": "aaaa", "partner_uid": "u1", "timestamp": 100}]}"#;
-        let parsed: BatchSyncRequest =
-            serde_json::from_str(json).expect("should deserialize batch sync request");
-        assert_eq!(parsed.mappings.len(), 1);
-        assert_eq!(parsed.mappings[0].ec_hash, "aaaa");
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         assert_eq!(parsed.mappings[0].partner_uid, "u1");
         assert_eq!(parsed.mappings[0].timestamp, 100);
     }
 
     #[test]
     fn batch_sync_request_rejects_missing_timestamp() {
-<<<<<<< HEAD
         let json = r#"{"mappings": [{"ec_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.ABC123", "partner_uid": "u2"}]}"#;
-=======
-        let json = r#"{"mappings": [{"ec_hash": "bbbb", "partner_uid": "u2"}]}"#;
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         let result = serde_json::from_str::<BatchSyncRequest>(json);
         assert!(
             result.is_err(),
diff --git a/crates/trusted-server-core/src/ec/finalize.rs b/crates/trusted-server-core/src/ec/finalize.rs
index 438937ef..59626e1d 100644
--- a/crates/trusted-server-core/src/ec/finalize.rs
+++ b/crates/trusted-server-core/src/ec/finalize.rs
@@ -150,28 +150,6 @@ pub fn clear_ec_on_response(settings: &Settings, response: &mut Response) {
     for header in EC_RESPONSE_HEADERS {
         response.remove_header(*header);
     }
-<<<<<<< HEAD
-=======
-
-    // Strip any dynamic x-ts-<partner_id> headers set by /identify or
-    // earlier processing. Collect names first to avoid borrow conflict.
-    let dynamic_ts_headers: Vec<String> = response
-        .get_header_names()
-        .filter_map(|name| {
-            let s = name.as_str();
-            if s.starts_with("x-ts-") {
-                Some(s.to_owned())
-            } else {
-                None
-            }
-        })
-        .collect();
-
-    for header in &dynamic_ts_headers {
-        response.remove_header(header.as_str());
-    }
-}
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
     // Strip any dynamic x-ts-<partner_id> headers set by /identify or
     // earlier processing. Collect names first to avoid borrow conflict.
diff --git a/crates/trusted-server-core/src/ec/partner.rs b/crates/trusted-server-core/src/ec/partner.rs
index c35dda27..f836724e 100644
--- a/crates/trusted-server-core/src/ec/partner.rs
+++ b/crates/trusted-server-core/src/ec/partner.rs
@@ -1,18 +1,7 @@
 //! Partner validation helpers and ID hashing.
 //!
-<<<<<<< HEAD
 //! Provides partner ID format validation, reserved name checks, and
 //! API key hashing. The actual partner registry is in [`super::registry`].
-=======
-//! Each partner (SSP, DSP, identity vendor) is stored as a JSON record in
-//! the Fastly KV Store keyed by `partner_id`. Two secondary indexes exist:
-//!
-//! - `apikey:{sha256_hex}` — maps API key hashes to partner IDs for O(1)
-//!   auth lookups during batch sync.
-//! - `_pull_enabled` — JSON array of partner IDs with `pull_sync_enabled:
-//!   true`, enabling O(1+N) reads on the pull sync hot path instead of a
-//!   full partner scan.
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 
 use std::sync::OnceLock;
 
@@ -35,19 +24,6 @@ const RESERVED_PARTNER_IDS: &[&str] = &[
     "env",
 ];
 
-<<<<<<< HEAD
-=======
-/// Prefix for the API key hash secondary index keys.
-const APIKEY_INDEX_PREFIX: &str = "apikey:";
-
-/// Key for the pull-enabled partner secondary index.
-///
-/// Stores a JSON array of partner IDs that have `pull_sync_enabled: true`.
-/// Updated on every `upsert()` so that `pull_enabled_partners()` can read
-/// a single index key instead of listing/scanning all partners.
-const PULL_ENABLED_INDEX_KEY: &str = "_pull_enabled";
-
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 /// Cached compiled regex for partner ID validation.
 static PARTNER_ID_REGEX: OnceLock<Result<Regex, String>> = OnceLock::new();
 
@@ -87,506 +63,6 @@ pub fn hash_api_key(api_key: &str) -> String {
     hex::encode(hasher.finalize())
 }
 
-<<<<<<< HEAD
-=======
-/// Wraps a Fastly KV Store for partner registry operations.
-///
-/// Partner records are keyed by `partner_id`. Two secondary indexes
-/// optimize hot-path operations:
-///
-/// - `apikey:{sha256_hex}` maps API key hashes to partner IDs for
-///   O(1) auth lookups during batch sync.
-/// - `_pull_enabled` stores a JSON array of partner IDs with
-///   `pull_sync_enabled: true` for O(1+N) reads during pull sync dispatch.
-pub struct PartnerStore {
-    store_name: String,
-}
-
-impl PartnerStore {
-    /// Creates a new partner store backed by the named KV store.
-    #[must_use]
-    pub fn new(store_name: impl Into<String>) -> Self {
-        Self {
-            store_name: store_name.into(),
-        }
-    }
-
-    /// Returns the configured store name.
-    #[must_use]
-    pub fn store_name(&self) -> &str {
-        &self.store_name
-    }
-
-    /// Opens the underlying Fastly KV store.
-    fn open_store(&self) -> Result<KVStore, Report<TrustedServerError>> {
-        KVStore::open(&self.store_name)
-            .change_context(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: "Failed to open partner store".to_owned(),
-            })?
-            .ok_or_else(|| {
-                Report::new(TrustedServerError::KvStore {
-                    store_name: self.store_name.clone(),
-                    message: "Partner store not found".to_owned(),
-                })
-            })
-    }
-
-    /// Reads a partner record by ID.
-    ///
-    /// Returns `Ok(None)` when the partner is not registered.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] on store or deserialization failure.
-    pub fn get(
-        &self,
-        partner_id: &str,
-    ) -> Result<Option<PartnerRecord>, Report<TrustedServerError>> {
-        let store = self.open_store()?;
-        let mut response = match store.lookup(partner_id) {
-            Ok(resp) => resp,
-            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
-            Err(err) => {
-                return Err(
-                    Report::new(err).change_context(TrustedServerError::KvStore {
-                        store_name: self.store_name.clone(),
-                        message: format!("Failed to read partner '{partner_id}'"),
-                    }),
-                );
-            }
-        };
-
-        let body_bytes = response.take_body_bytes();
-        let record: PartnerRecord =
-            serde_json::from_slice(&body_bytes).change_context(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: format!("Failed to deserialize partner '{partner_id}'"),
-            })?;
-
-        Ok(Some(record))
-    }
-
-    /// Lists all registered partner records.
-    ///
-    /// Scans the partner KV store and returns records for non-index keys.
-    /// Secondary index entries (e.g. `apikey:*`) are skipped.
-    ///
-    /// **Scaling note:** This performs O(N) KV reads where N is the number
-    /// of registered partners. Called by `dispatch_pull_sync` on every
-    /// organic request post-send. For large partner counts, consider
-    /// caching the result or maintaining a summary key. The
-    /// `pull_sync_concurrency` setting bounds downstream dispatch but
-    /// does not reduce the enumeration cost.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] on list, lookup, or
-    /// deserialization failure.
-    pub fn list_registered(&self) -> Result<Vec<PartnerRecord>, Report<TrustedServerError>> {
-        let store = self.open_store()?;
-        let mut records = Vec::new();
-
-        for page in store.build_list().limit(1000).iter() {
-            let page = page.change_context(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: "Failed to list partner keys".to_owned(),
-            })?;
-
-            for key in page.keys() {
-                if key.starts_with(APIKEY_INDEX_PREFIX) || key == PULL_ENABLED_INDEX_KEY {
-                    continue;
-                }
-
-                let mut response = match store.lookup(key) {
-                    Ok(resp) => resp,
-                    Err(fastly::kv_store::KVStoreError::ItemNotFound) => continue,
-                    Err(err) => {
-                        return Err(
-                            Report::new(err).change_context(TrustedServerError::KvStore {
-                                store_name: self.store_name.clone(),
-                                message: format!("Failed to read partner '{key}' while listing"),
-                            }),
-                        );
-                    }
-                };
-
-                let body_bytes = response.take_body_bytes();
-                let record = serde_json::from_slice::<PartnerRecord>(&body_bytes).change_context(
-                    TrustedServerError::KvStore {
-                        store_name: self.store_name.clone(),
-                        message: format!("Failed to deserialize partner '{key}' while listing"),
-                    },
-                )?;
-
-                records.push(record);
-            }
-        }
-
-        Ok(records)
-    }
-
-    /// Returns pull-enabled partners via the `_pull_enabled` secondary index.
-    ///
-    /// Performs 1 index read + N partner reads (where N = pull-enabled count)
-    /// instead of scanning all partners. Falls back to [`list_registered`]
-    /// with client-side filtering when the index is missing or unreadable,
-    /// ensuring correctness even before the first `upsert()` writes the index.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] on store or deserialization failure.
-    pub fn pull_enabled_partners(&self) -> Result<Vec<PartnerRecord>, Report<TrustedServerError>> {
-        let store = self.open_store()?;
-
-        // Read the secondary index.
-        let index_body = match store.lookup(PULL_ENABLED_INDEX_KEY) {
-            Ok(mut resp) => resp.take_body_bytes(),
-            Err(fastly::kv_store::KVStoreError::ItemNotFound) => {
-                // Index not yet written — fall back to full scan.
-                log::debug!("Pull-enabled index missing, falling back to list_registered");
-                return self
-                    .list_registered()
-                    .map(|v| v.into_iter().filter(|p| p.pull_sync_enabled).collect());
-            }
-            Err(err) => {
-                // Index unreadable — fall back to full scan rather than failing.
-                log::warn!(
-                    "Failed to read pull-enabled index, falling back to list_registered: {err:?}"
-                );
-                return self
-                    .list_registered()
-                    .map(|v| v.into_iter().filter(|p| p.pull_sync_enabled).collect());
-            }
-        };
-
-        let partner_ids: Vec<String> =
-            serde_json::from_slice(&index_body).change_context(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: "Failed to deserialize pull-enabled index".to_owned(),
-            })?;
-
-        let mut records = Vec::with_capacity(partner_ids.len());
-        for partner_id in &partner_ids {
-            match self.get(partner_id)? {
-                Some(record) if record.pull_sync_enabled => {
-                    records.push(record);
-                }
-                Some(_) => {
-                    // Index is stale — partner is no longer pull-enabled.
-                    // This is self-healing: the next `upsert()` will fix the index.
-                    log::debug!(
-                        "Pull-enabled index references partner '{}' which is no longer pull-enabled",
-                        partner_id
-                    );
-                }
-                None => {
-                    log::debug!(
-                        "Pull-enabled index references non-existent partner '{}'",
-                        partner_id
-                    );
-                }
-            }
-        }
-
-        Ok(records)
-    }
-
-    /// Writes or updates a partner record and maintains secondary indexes.
-    ///
-    /// Returns `true` if this was a new partner (create), `false` if an
-    /// existing partner was updated.
-    ///
-    /// Index maintenance order:
-    /// 1. Read existing `apikey:` index value for rollback
-    /// 2. Write new `apikey:` index
-    /// 3. Write primary record
-    /// 4. Delete old `apikey:` index (if key rotated)
-    /// 5. Update `_pull_enabled` secondary index (best-effort)
-    ///
-    /// Writes are still **not fully atomic**, but this order ensures
-    /// registration does not return success after a failed index write and
-    /// performs best-effort rollback when primary write fails.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] on store failure.
-    pub fn upsert(&self, record: &PartnerRecord) -> Result<bool, Report<TrustedServerError>> {
-        let store = self.open_store()?;
-
-        // Read existing record to detect API key rotation.
-        let existing = match store.lookup(&record.id) {
-            Ok(mut resp) => {
-                let bytes = resp.take_body_bytes();
-                serde_json::from_slice::<PartnerRecord>(&bytes).ok()
-            }
-            Err(_) => None,
-        };
-
-        let is_create = existing.is_none();
-        let old_api_key_hash = existing.as_ref().map(|r| r.api_key_hash.clone());
-
-        let index_key = format!("{APIKEY_INDEX_PREFIX}{}", record.api_key_hash);
-        let previous_index_partner_id = self.read_index_partner_id(&store, &index_key)?;
-
-        // 1. Write new API key index.
-        store
-            .build_insert()
-            .execute(&index_key, record.id.as_str())
-            .change_context(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: format!(
-                    "Failed to write API key index for partner '{}' (hash '{}')",
-                    record.id, record.api_key_hash
-                ),
-            })?;
-
-        // 2. Write primary record.
-        let body = serde_json::to_string(record).change_context(TrustedServerError::KvStore {
-            store_name: self.store_name.clone(),
-            message: format!("Failed to serialize partner '{}'", record.id),
-        })?;
-
-        if let Err(err) = store.build_insert().execute(&record.id, body) {
-            self.restore_previous_index_mapping(
-                &store,
-                &index_key,
-                previous_index_partner_id.as_deref(),
-                &record.id,
-            );
-            return Err(
-                Report::new(err).change_context(TrustedServerError::KvStore {
-                    store_name: self.store_name.clone(),
-                    message: format!("Failed to write partner '{}'", record.id),
-                }),
-            );
-        }
-
-        // 3. Delete old API key index if key rotated.
-        if let Some(ref old_hash) = old_api_key_hash {
-            if *old_hash != record.api_key_hash {
-                let old_key = format!("{APIKEY_INDEX_PREFIX}{old_hash}");
-                if let Err(err) = store.delete(&old_key) {
-                    log::warn!(
-                        "Failed to delete old API key index for partner '{}': {err:?}",
-                        record.id,
-                    );
-                }
-            }
-        }
-
-        // 4. Update _pull_enabled secondary index (best-effort).
-        //    This is the last step so a failure here doesn't affect the
-        //    primary registration. `pull_enabled_partners()` falls back to
-        //    `list_registered()` if the index is missing or stale.
-        self.update_pull_enabled_index(&store, &record.id, record.pull_sync_enabled);
-
-        Ok(is_create)
-    }
-
-    fn read_index_partner_id(
-        &self,
-        store: &KVStore,
-        index_key: &str,
-    ) -> Result<Option<String>, Report<TrustedServerError>> {
-        let mut response = match store.lookup(index_key) {
-            Ok(resp) => resp,
-            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
-            Err(err) => {
-                return Err(
-                    Report::new(err).change_context(TrustedServerError::KvStore {
-                        store_name: self.store_name.clone(),
-                        message: format!(
-                            "Failed to read existing API key index before upsert ('{index_key}')"
-                        ),
-                    }),
-                );
-            }
-        };
-
-        let partner_id = String::from_utf8(response.take_body_bytes()).map_err(|_| {
-            Report::new(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: format!(
-                    "Existing API key index value is not valid UTF-8 before upsert ('{index_key}')"
-                ),
-            })
-        })?;
-
-        Ok(Some(partner_id))
-    }
-
-    /// Best-effort update of the `_pull_enabled` secondary index.
-    ///
-    /// Reads the current index, adds or removes the partner ID, and writes
-    /// it back. All errors are logged and swallowed — the primary record
-    /// write has already succeeded.
-    fn update_pull_enabled_index(
-        &self,
-        store: &KVStore,
-        partner_id: &str,
-        pull_sync_enabled: bool,
-    ) {
-        // Read existing index (or start with empty list).
-        let mut ids: Vec<String> = match store.lookup(PULL_ENABLED_INDEX_KEY) {
-            Ok(mut resp) => {
-                let bytes = resp.take_body_bytes();
-                serde_json::from_slice(&bytes).unwrap_or_default()
-            }
-            Err(_) => Vec::new(),
-        };
-
-        let had_id = ids.iter().any(|id| id == partner_id);
-
-        if pull_sync_enabled && !had_id {
-            ids.push(partner_id.to_owned());
-        } else if !pull_sync_enabled && had_id {
-            ids.retain(|id| id != partner_id);
-        } else {
-            // No change needed.
-            return;
-        }
-
-        let body = match serde_json::to_string(&ids) {
-            Ok(b) => b,
-            Err(err) => {
-                log::warn!(
-                    "Failed to serialize pull-enabled index after updating partner '{}': {err}",
-                    partner_id
-                );
-                return;
-            }
-        };
-
-        if let Err(err) = store.build_insert().execute(PULL_ENABLED_INDEX_KEY, body) {
-            log::warn!(
-                "Failed to write pull-enabled index after updating partner '{}': {err:?}",
-                partner_id
-            );
-        }
-    }
-
-    fn restore_previous_index_mapping(
-        &self,
-        store: &KVStore,
-        index_key: &str,
-        previous_partner_id: Option<&str>,
-        partner_id: &str,
-    ) {
-        if let Some(previous_partner_id) = previous_partner_id {
-            if previous_partner_id == partner_id {
-                return;
-            }
-
-            if let Err(err) = store.build_insert().execute(index_key, previous_partner_id) {
-                log::warn!(
-                    "Failed to restore previous API key index mapping after write failure for partner '{}': {err:?}",
-                    partner_id,
-                );
-            }
-            return;
-        }
-
-        match store.delete(index_key) {
-            Ok(()) | Err(fastly::kv_store::KVStoreError::ItemNotFound) => {}
-            Err(err) => {
-                log::warn!(
-                    "Failed to roll back API key index after write failure for partner '{}': {err:?}",
-                    partner_id,
-                );
-            }
-        }
-    }
-
-    /// Looks up a partner by API key hash using the `apikey:` secondary index.
-    ///
-    /// After resolving the index to a partner ID, re-verifies that the
-    /// stored `api_key_hash` matches the lookup hash (guards against stale
-    /// index entries from key rotation).
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] on store failure.
-    pub fn find_by_api_key_hash(
-        &self,
-        hash: &str,
-    ) -> Result<Option<PartnerRecord>, Report<TrustedServerError>> {
-        let store = self.open_store()?;
-
-        // Look up the secondary index.
-        let index_key = format!("{APIKEY_INDEX_PREFIX}{hash}");
-        let mut index_response = match store.lookup(&index_key) {
-            Ok(resp) => resp,
-            Err(fastly::kv_store::KVStoreError::ItemNotFound) => return Ok(None),
-            Err(err) => {
-                return Err(
-                    Report::new(err).change_context(TrustedServerError::KvStore {
-                        store_name: self.store_name.clone(),
-                        message: format!("Failed to read API key index for hash '{hash}'"),
-                    }),
-                );
-            }
-        };
-
-        let partner_id = String::from_utf8(index_response.take_body_bytes()).map_err(|_| {
-            Report::new(TrustedServerError::KvStore {
-                store_name: self.store_name.clone(),
-                message: format!("API key index value for hash '{hash}' is not valid UTF-8"),
-            })
-        })?;
-
-        // Fetch the actual partner record.
-        let record = match self.get(&partner_id)? {
-            Some(r) => r,
-            None => {
-                // Stale index — partner was deleted.
-                log::warn!(
-                    "API key index points to non-existent partner '{partner_id}' (stale index)"
-                );
-                return Ok(None);
-            }
-        };
-
-        // Verify the stored hash matches — guards against stale index from
-        // key rotation.
-        if record.api_key_hash != hash {
-            log::warn!(
-                "API key hash mismatch for partner '{}' (stale index after key rotation)",
-                record.id,
-            );
-            return Ok(None);
-        }
-
-        Ok(Some(record))
-    }
-
-    /// Verifies an API key against the stored hash for a given partner.
-    ///
-    /// Uses SHA-256 hashing and constant-time comparison to prevent
-    /// timing attacks.
-    ///
-    /// # Errors
-    ///
-    /// Returns [`TrustedServerError::KvStore`] if the partner lookup fails.
-    pub fn verify_api_key(
-        &self,
-        partner_id: &str,
-        api_key: &str,
-    ) -> Result<bool, Report<TrustedServerError>> {
-        let record = match self.get(partner_id)? {
-            Some(r) => r,
-            None => return Ok(false),
-        };
-
-        let incoming_hash = hash_api_key(api_key);
-        let stored_bytes = record.api_key_hash.as_bytes();
-        let incoming_bytes = incoming_hash.as_bytes();
-
-        Ok(stored_bytes.ct_eq(incoming_bytes).into())
-    }
-}
-
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/crates/trusted-server-core/src/ec/pull_sync.rs b/crates/trusted-server-core/src/ec/pull_sync.rs
index 64c0b271..558188c2 100644
--- a/crates/trusted-server-core/src/ec/pull_sync.rs
+++ b/crates/trusted-server-core/src/ec/pull_sync.rs
@@ -88,30 +88,12 @@ pub fn dispatch_pull_sync(
         }
     };
 
-<<<<<<< HEAD
     let mut pull_partners = registry.pull_enabled_partners();
 
     // Sort by ID for deterministic ordering, then apply a rotating hourly
     // offset so that different partners get dispatch priority (§10.3).
     pull_partners.sort_by(|a, b| a.id.cmp(&b.id));
 
-=======
-    // Use the _pull_enabled secondary index for O(1+N) reads instead of
-    // scanning all partners (§13.1). Falls back to list_registered() if
-    // the index is missing or unreadable.
-    let mut pull_partners = match partner_store.pull_enabled_partners() {
-        Ok(partners) => partners,
-        Err(err) => {
-            log::warn!("Pull sync: failed to list pull-enabled partners: {err:?}");
-            return;
-        }
-    };
-
-    // Sort by ID for deterministic ordering, then apply a rotating hourly
-    // offset so that different partners get dispatch priority (§10.3).
-    pull_partners.sort_by(|a, b| a.id.cmp(&b.id));
-
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     log::debug!(
         "Pull sync: {} pull-enabled partners after filtering",
         pull_partners.len(),
@@ -131,19 +113,11 @@ pub fn dispatch_pull_sync(
     let mut in_flight: Vec<InFlightPull> = Vec::new();
 
     for partner in pull_partners {
-<<<<<<< HEAD
         if !is_partner_pull_eligible(partner, kv_entry.as_ref(), now) {
             continue;
         }
 
         let Some(url) = validated_pull_sync_url(partner) else {
-=======
-        if !is_partner_pull_eligible(&partner, kv_entry.as_ref(), now) {
-            continue;
-        }
-
-        let Some(url) = validated_pull_sync_url(&partner) else {
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             continue;
         };
 
diff --git a/crates/trusted-server-core/src/error.rs b/crates/trusted-server-core/src/error.rs
index 1822b4c1..f4ebd1a4 100644
--- a/crates/trusted-server-core/src/error.rs
+++ b/crates/trusted-server-core/src/error.rs
@@ -88,15 +88,9 @@ pub enum TrustedServerError {
     #[display("Partner not found: {partner_id}")]
     PartnerNotFound { partner_id: String },
 
-<<<<<<< HEAD
     /// A secret field still contains a known placeholder/default value.
     #[display("Insecure default value for: {field}")]
     InsecureDefault { field: String },
-=======
-    /// Partner authentication failed (invalid or missing credentials).
-    #[display("Partner auth failed: {partner_id}")]
-    PartnerAuthFailed { partner_id: String },
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
 }
 
 impl Error for TrustedServerError {}
@@ -130,15 +124,9 @@ impl IntoHttpResponse for TrustedServerError {
             Self::Proxy { .. } => StatusCode::BAD_GATEWAY,
             Self::Forbidden { .. } => StatusCode::FORBIDDEN,
             Self::AllowlistViolation { .. } => StatusCode::FORBIDDEN,
-<<<<<<< HEAD
             Self::EdgeCookie { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             Self::PartnerNotFound { .. } => StatusCode::NOT_FOUND,
             Self::InsecureDefault { .. } => StatusCode::INTERNAL_SERVER_ERROR,
-=======
-            Self::Ec { .. } => StatusCode::INTERNAL_SERVER_ERROR,
-            Self::PartnerNotFound { .. } => StatusCode::BAD_REQUEST,
-            Self::PartnerAuthFailed { .. } => StatusCode::UNAUTHORIZED,
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
         }
     }
 
diff --git a/crates/trusted-server-core/src/http_util.rs b/crates/trusted-server-core/src/http_util.rs
index 97f75e1b..0ed0ba3e 100644
--- a/crates/trusted-server-core/src/http_util.rs
+++ b/crates/trusted-server-core/src/http_util.rs
@@ -18,15 +18,9 @@ use crate::settings::Settings;
 pub fn copy_custom_headers(from: &Request, to: &mut Request) {
     for header_name in from.get_header_names() {
         let name_str = header_name.as_str();
-<<<<<<< HEAD
         // Header names are lowercased by the HTTP library (fastly crate),
         // so only the lowercase prefix check is needed.
         if name_str.starts_with("x-")
-=======
-        // Header names are lowercased by the HTTP library, so a single
-        // prefix check covers both `x-ts-` and `X-ts-` variants.
-        if (name_str.starts_with("x-") || name_str.starts_with("X-"))
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
             && !name_str.starts_with("x-ts-")
             && !INTERNAL_HEADERS.contains(&name_str)
         {
@@ -719,7 +713,6 @@ mod tests {
             target.get_header("x-ts-liveramp").is_none(),
             "Should filter dynamic x-ts-<partner_id> headers"
         );
-<<<<<<< HEAD
     }
 
     // -----------------------------------------------------------------------
@@ -836,7 +829,5 @@ mod tests {
             is_navigation_request(&req),
             "should match text/html case-insensitively in fallback"
         );
-=======
->>>>>>> da7782c (Fix 8 EC spec deviations identified in branch audit)
     }
 }