Implement server-side ad slot templates with PBS and APS auction

[prk-Jr]

Summary

• Adds server-side ad slot templates under [creative_opportunities] in trusted-server.toml. Matching slots are selected from the incoming document URL at the edge, and window.tsjs.adSlots is injected at <head> open so initial GPT setup does not need a separate slot-discovery request.
• Runs the server-side auction in parallel with the origin fetch for eligible document navigations. Configured providers such as Prebid Server and APS race under the creative-opportunity auction deadline; winning bids are price-bucketed and injected as window.tsjs.bids before </body>.
• Adds the window.tsjs.adInit GPT runtime path. It reads window.tsjs.adSlots and window.tsjs.bids synchronously, defines or reuses GPT slots, applies slot-level and hb_* targeting, sets ts_initial=1, refreshes the initial slots, and fires nurl/burl only after slotRenderEnded confirms the TS bid won via hb_adid.
• Adds PBS stored-request fallback keyed by slot ID when no inline PBS bidder params are present, filters non-PBS provider keys from PBS requests, and keeps bidder-param override rules for per-bidder/zone params.
• Adds per-bidder PBS win/billing suppression with [integrations.prebid].suppress_nurl_bidders, while retaining the deployment-wide [integrations.prebid].suppress_nurl compatibility switch.
• Improves the deferred slim-Prebid refresh path so GPT refresh auctions derive ad unit sizes and zone from injected window.tsjs.adSlots / GPT metadata instead of placeholder refresh sizes.
• Implements EID forwarding for the server-side auction path: reads the ts-eids cookie written by TSJS, gates EIDs by consent, and forwards them as OpenRTB user.ext.eids to PBS.
• Forwards real client IP and geo from Fastly ClientInfo into the server-side PBS request so bidders see the browser client context rather than the Fastly edge context.
• Keeps SPA/CSR route changes covered by the existing GET /__ts/page-bids hook, which updates window.tsjs.adSlots / window.tsjs.bids and re-runs window.tsjs.adInit() after pushState, replaceState, or popstate navigations.

What the server-side auction sends to PBS

Field	Value	Source
user.id	EC ID	ts-ec cookie or generated EC identity
user.consent / user.ext.consent	TCF v2 string when available	consent cookies / request consent extraction
user.ext.eids	EID array, consent-gated	ts-eids cookie plus EC identity resolution
user.ext.ec_fresh	fresh EC flag	EC context
device.ua	user agent	User-Agent header
device.ip	real client IP	Fastly ClientInfo.client_ip
device.geo	city/country/region/lat/lon/metro/asn	Fastly geo lookup
device.dnt	true if set	DNT: 1 header
device.language	primary language tag	Accept-Language header
site.domain / site.page	publisher domain + full URL	request host/path/scheme
site.ref	referrer	Referer header
regs.gdpr / regs.us_privacy / regs.gpp	privacy signals	consent extraction
imp.*	slots, formats, bidder params, floors	[creative_opportunities] slot templates and Prebid config
tmax	auction timeout ms	[creative_opportunities].auction_timeout_ms, falling back to [auction].timeout_ms

Changes

File / area	Change
trusted-server.toml	Adds [creative_opportunities] slot templates and documents Prebid nurl suppression knobs.
.env.example / docs	Documents Prebid bidder override env vars and SUPPRESS_NURL_BIDDERS.
crates/trusted-server-core/src/creative_opportunities.rs	Defines slot-template config, URL glob matching, slot-to-auction conversion, provider params, and slot ID validation helpers.
crates/trusted-server-core/src/settings.rs / build.rs	Wires creative opportunities into settings and build-time slot ID validation from trusted-server.toml.
crates/trusted-server-core/src/publisher.rs	Matches slots, dispatches server-side auctions, injects window.tsjs.adSlots and window.tsjs.bids, applies cache-control safeguards, handles page-bids responses, and forwards client context.
crates/trusted-server-core/src/html_processor.rs	Adds head-open and bounded body-close injection points with a guard against duplicate tsjs.bids injection.
crates/trusted-server-core/src/auction/*	Extends auction types, request parsing, provider orchestration, floor filtering, diagnostics, and provider response handling.
crates/trusted-server-core/src/integrations/prebid.rs	Adds OpenRTB enrichment, stored-request fallback, EID forwarding, bidder override rules, PBS cache fields, nurl/burl propagation, and per-bidder suppression.
crates/trusted-server-core/src/integrations/aps.rs	Adds APS/TAM provider support.
crates/trusted-server-core/src/integrations/adserver_mock.rs	Adds mock mediation support with decoded provider prices.
crates/trusted-server-core/src/integrations/gpt.rs / gpt_bootstrap.js	Adds the head-injected window.tsjs.adInit bootstrap path.
crates/js/lib/src/integrations/gpt/index.ts	Implements the browser GPT path for window.tsjs.adSlots, window.tsjs.bids, render-confirmed beacon firing, SPA updates, slim-Prebid loading, and Prebid creative rendering bridge.
crates/js/lib/src/integrations/prebid/index.ts	Adds deferred Prebid integration, user ID module/EID cookie sync, client-side bidder support, and metadata-derived refresh auctions.
crates/trusted-server-adapter-fastly/src/main.rs	Wires auction/page-bids routes and publisher handler inputs into the Fastly adapter.

Closes

Closes #677
Closes #697
Closes #698
Closes #699
Closes #700
Closes #702

Test plan

Automated

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• git diff --check
• JS build: cd crates/js/lib && node build-all.mjs
• JS lint: cd crates/js/lib && npm run lint
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• GitHub Vitest check passes on the current PR head
• Local cd crates/js/lib && npx vitest run currently fails before test discovery in this workspace with ERR_REQUIRE_ESM from html-encoding-sniffer requiring @exodus/bytes/encoding-lite.js; no local JS test assertions execute under that failure mode.

Manual end-to-end (browser DevTools console)

The steps below build on each other. Use a URL whose path matches one of the configured [[creative_opportunities.slot]] page_patterns.

Step 1 - Verify slot config is injected at <head> open

window.tsjs?.adSlots

Expected: an array of slot objects. Each entry has id, gam_unit_path, div_id, formats, and targeting. Note the div_id value from one matching slot for step 3.

Step 2 - Verify server-side auction results are injected before </body>

window.tsjs?.bids

Expected: an object keyed by slot ID. Winning slots include hb_bidder, hb_pb, and, for Prebid cache-backed bids, hb_adid / cache fields.

Step 3 - Verify window.tsjs.adInit wired GPT targeting

Replace SLOT_DIV_ID with the div_id from step 1.

googletag
  .pubads()
  .getSlots()
  .filter((slot) => slot.getSlotElementId() === 'SLOT_DIV_ID')
  .map((slot) => ({
    path: slot.getAdUnitPath(),
    targeting: slot.getTargetingMap(),
  }))

Expected: the slot has the configured GAM unit path and targeting includes hb_pb, hb_bidder, any slot-level keys such as pos / zone, and ts_initial: ["1"].

Step 4 - Verify slot matching is page-pattern-aware

Navigate to a different configured path, for example / when homepage slots are configured, and repeat step 2.

Expected: window.tsjs.bids is keyed by the slots matching that page, not by slots from the previous page type.

Step 5 - Confirm no duplicate bids injection

View page source and search for .bids=JSON.parse.

Expected: exactly one window.tsjs.bids assignment before </body> on pages where an auction ran.

Pending (GAM line items required)

Creative delivery requires standard GAM line items targeting hb_pb, hb_bidder, and related Prebid keys. That setup is outside this PR.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code
• Uses log macros instead of println!
• New code paths have Rust and/or TS test coverage
• No secrets or credentials intentionally committed

[prk-Jr]

Re: review pullrequestreview-4499471630 — blocking body finding.

P1 — synchronous mediated auctions lose restored render/accounting fields. Fixed in c99bac8.

run_parallel_mediation now calls mediator.parse_response_with_context(platform_resp, response_time_ms, &mediator_context).await, matching the dispatched collect path, so nurl/burl/ad_id and PBS cache fields are restored on the synchronous POST /auction and /__ts/page-bids paths (the mediator context already carries the collected SSP provider_responses). Added a regression test, mediated_bid_preserves_restored_fields_through_run_auction, that registers a context-restoring mediator and asserts the winning bid keeps its nurl/ad_id through run_auction. The four inline findings (GPT display, build-time glob validation, case-insensitive Cache-Control, creative timeout default) are answered on their threads.

[prk-Jr]

Re: review pullrequestreview-4500409866 (second pass) — all items addressed.

Blocking

• price_bucket under-buckets via float truncation — 3a5c4b4. 0.29 * 100.0 is 28.999…, so flooring truncated to "0.28". CPM→cents now goes through a helper that corrects the binary-float representation error before flooring, so 0.29→"0.29" and 1.15→"1.15" while genuinely sub-cent values still floor (0.015→"0.01", 0.289→"0.28"). Pure round-half was avoided because it would break Prebid floor semantics. Regression test added.
• Sync mediation drops bid metadata — c99bac8 (details in the reply on the other review). The adserver_mock::parse_response comment is now accurate since both mediator paths use parse_response_with_context.

Non-blocking

• Dispatched auction dropped on Buffered/PassThrough — 64ecc74. Added log::warn! on both arms when dispatched_auction.is_some(). Kept it to a warning (not await-and-discard): the SSP requests are already dispatched so the quota is spent, and those routes have no </body> to inject bids into, so awaiting only adds latency to non-HTML responses.
• Sync mediator timeout cap — 0f241ca. Now remaining_ms.min(mediator.timeout_ms()), matching the collect path.
• Env-injected slot-id rejection test — ac0add3. Asserts TRUSTED_SERVER__CREATIVE_OPPORTUNITIES__SLOT with an invalid id is rejected via from_toml_and_env; the build-time path uses the same validate_creative_slot.
• /20** doc example — c324e09. Now /2024/*, with the normalization note kept as the edge-case caveat.

Inline / cleanup

• parse_ts_eids_cookie dead code — bdb00f5. Removed the #[cfg(test)]-only function, its tests, and orphaned imports. Production parses the cookie through resolve_client_auction_eids → parse_cookie_auction_eids → parse_prebid_eids_cookie, which enforces its own size/length caps, so no behavior or hardening is lost.
• APS provider Mutex state — deferred. Unlike adserver_mock (which derives its bid index from context.provider_responses), APS's slot_id_map derives from the AuctionRequest, which AuctionContext does not carry; the existing code comment documents this. It is single-threaded-safe (one request per Wasm instance), and migrating it cleanly needs an AuctionProvider/AuctionContext change to thread the request through — out of scope for this PR. Happy to track it as a follow-up.

CI: cargo fmt / clippy -D warnings / cargo test --workspace (1558) / vitest / wasm release all green.

[ChristianPavilonis]

Automated review: I reviewed PR #680 at bdb00f5 against main. CI is green, but I found one blocking privacy/cacheability issue that should be fixed before merge: EC cookie writes happen after the cache-safety finalizer, so first-visit cookie-bearing responses can retain shared-cache headers. I also found two non-blocking but important issues around refresh bidder params and build-time/runtime config validation. Details are inline.

[ChristianPavilonis]

Automated review: Reviewed PR #680 at 32de4aa against main, focusing on the current server-side ad-template, page-bids, consent/identity, and config paths. CI is green, but I found remaining blocking correctness/privacy issues in the publisher/page-bids flow: EC generation can bypass the adapter's real-browser gate, and /__ts/page-bids can still drive GPT slot creation/refresh when the kill switch or consent gate disables the server-side ad stack. I also left one medium config-safety comment.

CI checked: gh pr checks reports all current checks passing (fmt, clippy/analyze, cargo test, vitest, format docs/typescript, browser/integration tests, CodeQL). I reviewed existing comments and avoided re-reporting resolved historical findings; the page-bids finding is a remaining/incomplete edge of the earlier kill-switch/consent fixes.

[ChristianPavilonis]

Automated review: reviewed PR #680 at f456b50 against main. CI is currently green, but I found blocking cache/privacy regressions around late Set-Cookie response effects and surrogate-cache headers, plus one medium refresh-demand correctness issue. Details are inline.

[ChristianPavilonis]

Review Summary

🔧 Requesting changes on PR #680 at f456b506. CI is green, but I found two high-priority correctness/security issues and one medium config-safety issue in the server-side ad-template flow.

I avoided duplicating the latest existing inline comments on request-filter Set-Cookie cache privacy, no-store surrogate headers, and container-backed Prebid refresh recovery.

Findings submitted inline: 0 P0, 2 P1, 1 P2, 0 P3.

[ChristianPavilonis]

Automated review: I reviewed PR #680 at a3160d5 against main. CI is currently green, and many prior review issues have been fixed, but I found two remaining high-impact issues that should be addressed before merge: /auction can still forward client-provided EIDs when the current consent context forbids EC identity use, and TS-owned GPT slots can stay blank on pages that use GPT disableInitialLoad(). Details are inline.

Review Summary

Reviewed the current server-side ad templates implementation, focusing on consent/privacy, the /auction and /__ts/page-bids paths, GPT/Prebid client behavior, and existing review context. Overall risk is reduced compared with earlier revisions, but these two issues affect privacy/compliance and first-impression serving compatibility.

Findings

P0 / Blockers

None.

P1 / High

1. /auction resolves and forwards client EIDs even when EC identity is not allowed — see inline.
2. TS-owned GPT slots are only displayed, not refreshed, so pages using GPT disableInitialLoad() can get blank first impressions — see inline.

P2 / Medium

None included.

P3 / Low

None included.

CI / Existing Reviews

All current GitHub checks pass (cargo fmt/test, clippy/Analyze, vitest, integration/browser tests, CodeQL, docs/TS format). I checked prior review threads and avoided re-reporting issues that were already fixed or explicitly deferred.

[ChristianPavilonis]

Automated review: I reviewed PR #680 at bf76d41 against origin/main, including the Rust publisher/page-bids auction path, the GPT/Prebid browser code, config/build validation, CI status, and existing review threads. I did not find any new blocking correctness/security/data-loss issues. I left two non-blocking findings inline: one concrete build-time validation gap for creative-opportunity slot config, and one stale code-doc contract around SPA navigation ownership. CI is currently green across the reported PR checks.

[ChristianPavilonis]

Automated review: P2 — Build-time slot-pattern validation is ineffective in the build.rs context.

The new creative_slot_build_check::validate_creative_slot() path says it rejects invalid page_patterns before embedding config, but in build.rs the local glob::Pattern::new stub unconditionally returns Ok. That means a private/env slot such as page_patterns = ["["] passes the build-time check and is serialized into target/trusted-server-out.toml; the real runtime loader later uses the actual glob crate, drops/rejects the pattern during Settings::from_toml, and can fail service startup/request settings load instead of failing the build. This also makes the build-time tests misleading because they run against the real crate dependency, not this stub.

Suggested fix: avoid stubbing glob for this path (depend on the real glob crate from the build script, or move the pattern-validity check into a small helper that build.rs can compile with the real dependency). Add a build-context regression test or an integration-style check that an invalid env-injected slot pattern fails during build-time validation.

[ChristianPavilonis]

Automated review: P3 — This handoff comment no longer matches the implemented SPA flow.

The PR now installs installSpaAuctionHook() from the GPT bundle and GET /__ts/page-bids handles pushState / replaceState / popstate route changes. Saying that SPA pushState navigation is slim-Prebid's domain contradicts auction/endpoints.rs and the actual client code, and can mislead future maintainers about which component owns route-level server-side auctions.

Suggested fix: update this paragraph to say slim-Prebid owns scroll/GPT refresh, while SPA navigation is handled by installSpaAuctionHook() + /__ts/page-bids.