Implement server-side ad slot templates with PBS and APS auction

[prk-Jr]

Summary

• Adds server-side ad slot templates under [creative_opportunities] in trusted-server.toml. Matching slots are selected from the incoming document URL at the edge, and window.tsjs.adSlots is injected at <head> open so initial GPT setup does not need a separate slot-discovery request.
• Runs the server-side auction in parallel with the origin fetch for eligible document navigations. Configured providers such as Prebid Server and APS race under the creative-opportunity auction deadline; winning bids are price-bucketed and injected as window.tsjs.bids before </body>.
• Adds the window.tsjs.adInit GPT runtime path. It reads window.tsjs.adSlots and window.tsjs.bids synchronously, defines or reuses GPT slots, applies slot-level and hb_* targeting, sets ts_initial=1, refreshes the initial slots, and fires nurl/burl only after slotRenderEnded confirms the TS bid won via hb_adid.
• Adds PBS stored-request fallback keyed by slot ID when no inline PBS bidder params are present, filters non-PBS provider keys from PBS requests, and keeps bidder-param override rules for per-bidder/zone params.
• Adds per-bidder PBS win/billing suppression with [integrations.prebid].suppress_nurl_bidders, while retaining the deployment-wide [integrations.prebid].suppress_nurl compatibility switch.
• Improves the deferred slim-Prebid refresh path so GPT refresh auctions derive ad unit sizes and zone from injected window.tsjs.adSlots / GPT metadata instead of placeholder refresh sizes.
• Implements EID forwarding for the server-side auction path: reads the ts-eids cookie written by TSJS, gates EIDs by consent, and forwards them as OpenRTB user.ext.eids to PBS.
• Forwards real client IP and geo from Fastly ClientInfo into the server-side PBS request so bidders see the browser client context rather than the Fastly edge context.
• Keeps SPA/CSR route changes covered by the existing GET /__ts/page-bids hook, which updates window.tsjs.adSlots / window.tsjs.bids and re-runs window.tsjs.adInit() after pushState, replaceState, or popstate navigations.

What the server-side auction sends to PBS

Field	Value	Source
user.id	EC ID	ts-ec cookie or generated EC identity
user.consent / user.ext.consent	TCF v2 string when available	consent cookies / request consent extraction
user.ext.eids	EID array, consent-gated	ts-eids cookie plus EC identity resolution
user.ext.ec_fresh	fresh EC flag	EC context
device.ua	user agent	User-Agent header
device.ip	real client IP	Fastly ClientInfo.client_ip
device.geo	city/country/region/lat/lon/metro/asn	Fastly geo lookup
device.dnt	true if set	DNT: 1 header
device.language	primary language tag	Accept-Language header
site.domain / site.page	publisher domain + full URL	request host/path/scheme
site.ref	referrer	Referer header
regs.gdpr / regs.us_privacy / regs.gpp	privacy signals	consent extraction
imp.*	slots, formats, bidder params, floors	[creative_opportunities] slot templates and Prebid config
tmax	auction timeout ms	[creative_opportunities].auction_timeout_ms, falling back to [auction].timeout_ms

Changes

File / area	Change
trusted-server.toml	Adds [creative_opportunities] slot templates and documents Prebid nurl suppression knobs.
.env.example / docs	Documents Prebid bidder override env vars and SUPPRESS_NURL_BIDDERS.
crates/trusted-server-core/src/creative_opportunities.rs	Defines slot-template config, URL glob matching, slot-to-auction conversion, provider params, and slot ID validation helpers.
crates/trusted-server-core/src/settings.rs / build.rs	Wires creative opportunities into settings and build-time slot ID validation from trusted-server.toml.
crates/trusted-server-core/src/publisher.rs	Matches slots, dispatches server-side auctions, injects window.tsjs.adSlots and window.tsjs.bids, applies cache-control safeguards, handles page-bids responses, and forwards client context.
crates/trusted-server-core/src/html_processor.rs	Adds head-open and bounded body-close injection points with a guard against duplicate tsjs.bids injection.
crates/trusted-server-core/src/auction/*	Extends auction types, request parsing, provider orchestration, floor filtering, diagnostics, and provider response handling.
crates/trusted-server-core/src/integrations/prebid.rs	Adds OpenRTB enrichment, stored-request fallback, EID forwarding, bidder override rules, PBS cache fields, nurl/burl propagation, and per-bidder suppression.
crates/trusted-server-core/src/integrations/aps.rs	Adds APS/TAM provider support.
crates/trusted-server-core/src/integrations/adserver_mock.rs	Adds mock mediation support with decoded provider prices.
crates/trusted-server-core/src/integrations/gpt.rs / gpt_bootstrap.js	Adds the head-injected window.tsjs.adInit bootstrap path.
crates/js/lib/src/integrations/gpt/index.ts	Implements the browser GPT path for window.tsjs.adSlots, window.tsjs.bids, render-confirmed beacon firing, SPA updates, slim-Prebid loading, and Prebid creative rendering bridge.
crates/js/lib/src/integrations/prebid/index.ts	Adds deferred Prebid integration, user ID module/EID cookie sync, client-side bidder support, and metadata-derived refresh auctions.
crates/trusted-server-adapter-fastly/src/main.rs	Wires auction/page-bids routes and publisher handler inputs into the Fastly adapter.

Closes

Closes #677
Closes #697
Closes #698
Closes #699
Closes #700
Closes #702

Test plan

Automated

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• git diff --check
• JS build: cd crates/js/lib && node build-all.mjs
• JS lint: cd crates/js/lib && npm run lint
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• GitHub Vitest check passes on the current PR head
• Local cd crates/js/lib && npx vitest run currently fails before test discovery in this workspace with ERR_REQUIRE_ESM from html-encoding-sniffer requiring @exodus/bytes/encoding-lite.js; no local JS test assertions execute under that failure mode.

Manual end-to-end (browser DevTools console)

The steps below build on each other. Use a URL whose path matches one of the configured [[creative_opportunities.slot]] page_patterns.

Step 1 - Verify slot config is injected at <head> open

window.tsjs?.adSlots

Expected: an array of slot objects. Each entry has id, gam_unit_path, div_id, formats, and targeting. Note the div_id value from one matching slot for step 3.

Step 2 - Verify server-side auction results are injected before </body>

window.tsjs?.bids

Expected: an object keyed by slot ID. Winning slots include hb_bidder, hb_pb, and, for Prebid cache-backed bids, hb_adid / cache fields.

Step 3 - Verify window.tsjs.adInit wired GPT targeting

Replace SLOT_DIV_ID with the div_id from step 1.

googletag
  .pubads()
  .getSlots()
  .filter((slot) => slot.getSlotElementId() === 'SLOT_DIV_ID')
  .map((slot) => ({
    path: slot.getAdUnitPath(),
    targeting: slot.getTargetingMap(),
  }))

Expected: the slot has the configured GAM unit path and targeting includes hb_pb, hb_bidder, any slot-level keys such as pos / zone, and ts_initial: ["1"].

Step 4 - Verify slot matching is page-pattern-aware

Navigate to a different configured path, for example / when homepage slots are configured, and repeat step 2.

Expected: window.tsjs.bids is keyed by the slots matching that page, not by slots from the previous page type.

Step 5 - Confirm no duplicate bids injection

View page source and search for .bids=JSON.parse.

Expected: exactly one window.tsjs.bids assignment before </body> on pages where an auction ran.

Pending (GAM line items required)

Creative delivery requires standard GAM line items targeting hb_pb, hb_bidder, and related Prebid keys. That setup is outside this PR.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code
• Uses log macros instead of println!
• New code paths have Rust and/or TS test coverage
• No secrets or credentials intentionally committed

[ChristianPavilonis]

Automated review: I reviewed PR #680 at def951a against main. CI is green, but I found blocking privacy/security and correctness issues in the new server-side ad-template paths. In particular, the publisher/page-bids auction paths can forward persistent identifiers after EC consent is denied, the default config now enables automatic outbound ad calls to real endpoints, and the GPT/Prebid refresh paths can duplicate requests or reuse stale targeting. Details are inline.

[ChristianPavilonis]

Summary

Reviewed the current branch PR #680 at 80fe39220 against main. I found several remaining issues that should be addressed in this PR because they affect the new server-side ad-template auction behavior: consent gating, the auction kill switch, PBS URL compatibility, SPA refresh flow, timeout budgets, and stale GPT targeting.

Per discussion, the raw browser-cookie forwarding concern is not included in this PR review and is tracked separately in #763.

Findings submitted inline: 0 P0, 4 P1, 1 P2, 1 P3. One additional P2 is included below because the affected provider timeout lines are not part of the final PR diff.

P2 — Provider payload timeouts ignore the effective auction budget

crates/trusted-server-core/src/integrations/prebid.rs:1171 and crates/trusted-server-core/src/integrations/aps.rs:367 still use provider config timeouts in the payload (tmax / APS timeout), while the Fastly backend timeout is capped to context.timeout_ms. When creative_opportunities.auction_timeout_ms is lower than the provider timeout, providers are told they have more time than the edge will actually wait, which can turn useful partial bids into edge timeouts. Please use the effective context.timeout_ms in provider payloads and add tests where provider config is 1000ms but auction context is 500ms.

[aram356]

Summary

Server-side ad slot templates with PBS/APS auction — a large, well-tested feature (44 files, +12,746/−395). The XSS escaping, single-injection guard, consent gating, and price-bucket math are solid. Findings cluster around win/billing beacon correctness (the headline issue), a runtime slot-id validation gap, and JS test hygiene. Inline comments carry most findings; cross-cutting items are below.

Blocking

🔧 wrench

• Win/billing beacons over-fire / double-fire — gpt_bootstrap.js:95 and gpt/index.ts:440 (inline).
• validate_slot_id dead at runtime — env-injected slot ids unvalidated, creative_opportunities.rs:270 (inline).
• JS test file leaks global addEventListener; suites duplicated across two dirs — gpt/index.test.ts:10 (inline).
• installSpaAuctionHook has zero coverage — gpt/index.ts:475 (inline).

❓ question

• Prebid stored-request fan-out behavioral change — prebid.rs:974 (inline).
• page-bids path query param not normalized before glob match — publisher.rs:1584 (inline).
• Cache-Control max-age=0 vs claimed no-store — publisher.rs:1214 (inline).

Non-blocking (not pinnable to a single diff line)

🤔 thinking

• collect vs parallel auction paths may diverge — auction/orchestrator.rs collect path calls provider.parse_response(...) while run_providers_parallel calls parse_response_with_context(...). If any provider's context-aware parse does extra work (consent/settings-driven), the async and parallel paths produce different bids for the same upstream response. Confirm the plain parse_response is an equivalent superset, or thread context through the collect loop too.

🌱 seedling

• No per-iteration deadline check in the collect select-loop — auction/orchestrator.rs collect_dispatched_auction relies entirely on each backend's dispatch-time timeout cap, whereas run_providers_parallel re-checks elapsed >= deadline after each select(). The invariant holds today (dispatch caps each provider at the remaining budget), but the two paths diverge silently; mirror the guard for defense-in-depth.

♻️ refactor

• adserver_mock.rs:101 carries request-scoped bid_index via Mutex on a shared Arc provider — same pattern flagged inline on aps.rs:289; migrate to parse_response_with_context.

⛏ nitpick

• platform_response_to_fastly is infallible but returns Result — auction/orchestrator.rs:497; every call site handles an Err that can never fire. Return fastly::Response directly or document the forward-compat intent.
• Redundant constructors — PriceGranularity::dense() (returns Self::Dense, and the enum already Defaults to Dense) and MediaType::banner() add public API surface over the variant literals for no benefit.

CI Status

• cargo fmt: PASS
• cargo clippy: PASS
• cargo test: PASS
• vitest (JS): PASS
• CodeQL / integration / browser-integration: PASS

[prk-Jr]

All findings from the two latest reviews are addressed in d3d43bc, 0f4dd86, and aa43944. Inline threads have individual replies; the items below had no inline thread.

@ChristianPavilonis — P2 provider payload timeouts (review body): Fixed in d3d43bc. PBS tmax and the APS payload timeout now use the effective context.timeout_ms — the orchestrator already caps each provider's context at min(remaining auction budget, provider config), so payloads now advertise exactly the deadline the edge backend enforces. Tests added for both providers with provider config 1000ms / auction context 500ms asserting the payload says 500.

@aram356 — blocking:

• Win/billing beacons over-fire / double-fire — fixed in 0f4dd86. Unified ourBidWon (hb_adid confirmation, hb_bidder fallback for APS bids which carry no hb_adid) across bootstrap and bundle, plus a once-per-bid dedupe keyed by slot + bid identity in shared tsjs.firedBeacons state — GAM re-renders and publisher refreshes can't re-bill, and the two listeners can't double-fire the same bid. Tests cover first-fire, repeat-render suppression, and the APS fallback.
• validate_slot_id dead at runtime — fixed in 0f4dd86. Wired into Settings::prepare_runtime, so every load path (including env-injected slots) rejects invalid IDs; build.rs keeps its raw-TOML check for build-time failures. Rejection test added.
• JS test addEventListener leak + suites in two dirs — fixed in 0f4dd86. The gpt adInit suite moved to test/integrations/gpt/ad_init.test.ts; the module-scope patch is now a plain wrapper restored in afterAll (deliberately not vi.spyOn — the render-bridge suite spies the same method, and a spy-on-spy aliases implementations and recurses).
• installSpaAuctionHook zero coverage — fixed in 0f4dd86. New spa_hook.test.ts: pushState fetch + adInit application, same-path no-op, replaceState/popstate, stale-response guard, non-OK response, install idempotence.

@aram356 — questions:

• Prebid stored-request fan-out — no behavioral change for existing flows: the JS adapter injects a trustedServer entry into every /auction ad unit, so the empty-bidder branch only fires for server-side creative-opportunity slots (new in this PR). Documented at the branch in 0f4dd86.
• page-bids path normalization — fixed in 0f4dd86: query/fragment stripped, leading slash forced before glob matching, with tests.
• Cache-Control max-age=0 vs no-store — deliberate per design spec §4.7: no-store was rejected to preserve BFCache eligibility; private plus Surrogate-Control stripping handles shared caches. The code comment now states this instead of implying no-store.

@aram356 — non-blocking:

• collect vs parallel parse divergence — fixed in 0f4dd86: the collect path (providers and mediator) now calls parse_response_with_context, matching the parallel path.
• collect-loop deadline check — mirrored in 0f4dd86 as defense-in-depth.
• adserver_mock bid_index Mutex — migrated in 0f4dd86: the index is rebuilt in parse_response_with_context from context.provider_responses. The APS slot_id_map cannot follow the same recipe — it derives from the AuctionRequest, which AuctionContext doesn't carry — so it keeps the Mutex with a doc comment stating the constraint; threading the request through the context is a follow-up.
• platform_response_to_fastly Result — now returns fastly::Response directly; dead error arms removed.
• Redundant constructors — removed; they existed only as serde default hooks, replaced with #[serde(default)] + Default impls.

Deliberately deferred: gating /auction on [auction].enabled (the "ideally" part of the kill-switch P1) — the client-side /auction path is scoped to a separate branch per earlier discussion.

aa43944 additionally defaults tsjs.adSlots/tsjs.bids in core init so pages reading them never throw when the ad stack is gated off, and flips the committed [auction].enabled default to true (inert in the checked-in config: no providers enabled, no slot templates — the integration flags remain the safe-by-default guard).

CI: cargo fmt / clippy -D warnings / cargo test --workspace (1310 core) / vitest 351 all green locally.

[ChristianPavilonis]

Automated review: I reviewed PR #680 at d1cd3d8 against origin/main. CI is currently green, but I found one blocking cache/privacy issue and two additional correctness/security hardening issues in the new server-side ad-template paths. Details are inline.

[ChristianPavilonis]

Automated review: P1 — operator response headers can re-enable shared caching for per-user HTML

handle_publisher_request strips Surrogate-Control / Fastly-Surrogate-Control when it marks assembled HTML as Cache-Control: private, max-age=0, because the body can now contain per-user window.tsjs.bids and targeting state. However, finalize_response later reapplies every configured [response_headers] entry and only protects Cache-Control. If an operator has a global Surrogate-Control = "max-age=..." or Fastly-Surrogate-Control, this line re-adds it after the publisher path removed it, making a bid-injected HTML response eligible for shared surrogate caching.

Please treat surrogate cache headers like Cache-Control when the response already has a private cache directive: skip/remove Surrogate-Control and Fastly-Surrogate-Control in this loop, and add a route test showing private HTML/page-bids responses cannot regain those headers from settings.response_headers.

[ChristianPavilonis]

Automated review: P2 — /__ts/page-bids is a side-effecting GET with no same-origin gate

Once these conditions pass, this public GET endpoint runs real PBS/APS auctions and forwards request-derived data (IP/UA/geo, consent signals, and any cookies browser policy permits) to partners. The TS client fetch does not send a custom header, and the server does not check Fetch Metadata, so a third-party page can trigger this endpoint from the user's browser even though it cannot read the JSON response. That still burns SSP quota and causes outbound partner calls unrelated to a real same-origin SPA navigation.

Please add a same-origin/CSRF-style gate before dispatching the auction, e.g. require Sec-Fetch-Site to be same-origin/same-site (or absent only for known legacy clients) and/or have the TS client send a non-simple X-TSJS-Page-Bids: 1 header. Requests failing the gate should return 403 or at least skip run_auction; add tests for missing/cross-site metadata.

[ChristianPavilonis]

Automated review: P2 — build-time validation no longer checks the runtime slot schema

The build script deserializes creative-opportunity slots as raw JSON and then validates only id presence/shape. That means cargo build can succeed and write target/trusted-server-out.toml for slots that the runtime schema will reject later (for example missing formats, malformed page_patterns, wrong provider field types). The deployed WASM would then fail settings load at request time instead of failing in CI/build.

Please validate slot_raw against a build-time schema that mirrors CreativeOpportunitySlot's required fields/types, or restructure the build script stubs so it can reuse the real runtime deserializer for creative-opportunity slots, while still preserving the env-var JSON blob support.