Implement server-side ad slot templates with PBS and APS auction

[prk-Jr]

Summary

• Adds server-side ad slot templates under [creative_opportunities] in trusted-server.toml. Matching slots are selected from the incoming document URL at the edge, and window.tsjs.adSlots is injected at <head> open so initial GPT setup does not need a separate slot-discovery request.
• Runs the server-side auction in parallel with the origin fetch for eligible document navigations. Configured providers such as Prebid Server and APS race under the creative-opportunity auction deadline; winning bids are price-bucketed and injected as window.tsjs.bids before </body>.
• Adds the window.tsjs.adInit GPT runtime path. It reads window.tsjs.adSlots and window.tsjs.bids synchronously, defines or reuses GPT slots, applies slot-level and hb_* targeting, sets ts_initial=1, refreshes the initial slots, and fires nurl/burl only after slotRenderEnded confirms the TS bid won via hb_adid.
• Adds PBS stored-request fallback keyed by slot ID when no inline PBS bidder params are present, filters non-PBS provider keys from PBS requests, and keeps bidder-param override rules for per-bidder/zone params.
• Adds per-bidder PBS win/billing suppression with [integrations.prebid].suppress_nurl_bidders, while retaining the deployment-wide [integrations.prebid].suppress_nurl compatibility switch.
• Improves the deferred slim-Prebid refresh path so GPT refresh auctions derive ad unit sizes and zone from injected window.tsjs.adSlots / GPT metadata instead of placeholder refresh sizes.
• Implements EID forwarding for the server-side auction path: reads the ts-eids cookie written by TSJS, gates EIDs by consent, and forwards them as OpenRTB user.ext.eids to PBS.
• Forwards real client IP and geo from Fastly ClientInfo into the server-side PBS request so bidders see the browser client context rather than the Fastly edge context.
• Keeps SPA/CSR route changes covered by the existing GET /__ts/page-bids hook, which updates window.tsjs.adSlots / window.tsjs.bids and re-runs window.tsjs.adInit() after pushState, replaceState, or popstate navigations.

What the server-side auction sends to PBS

Field	Value	Source
user.id	EC ID	ts-ec cookie or generated EC identity
user.consent / user.ext.consent	TCF v2 string when available	consent cookies / request consent extraction
user.ext.eids	EID array, consent-gated	ts-eids cookie plus EC identity resolution
user.ext.ec_fresh	fresh EC flag	EC context
device.ua	user agent	User-Agent header
device.ip	real client IP	Fastly ClientInfo.client_ip
device.geo	city/country/region/lat/lon/metro/asn	Fastly geo lookup
device.dnt	true if set	DNT: 1 header
device.language	primary language tag	Accept-Language header
site.domain / site.page	publisher domain + full URL	request host/path/scheme
site.ref	referrer	Referer header
regs.gdpr / regs.us_privacy / regs.gpp	privacy signals	consent extraction
imp.*	slots, formats, bidder params, floors	[creative_opportunities] slot templates and Prebid config
tmax	auction timeout ms	[creative_opportunities].auction_timeout_ms, falling back to [auction].timeout_ms

Changes

File / area	Change
trusted-server.toml	Adds [creative_opportunities] slot templates and documents Prebid nurl suppression knobs.
.env.example / docs	Documents Prebid bidder override env vars and SUPPRESS_NURL_BIDDERS.
crates/trusted-server-core/src/creative_opportunities.rs	Defines slot-template config, URL glob matching, slot-to-auction conversion, provider params, and slot ID validation helpers.
crates/trusted-server-core/src/settings.rs / build.rs	Wires creative opportunities into settings and build-time slot ID validation from trusted-server.toml.
crates/trusted-server-core/src/publisher.rs	Matches slots, dispatches server-side auctions, injects window.tsjs.adSlots and window.tsjs.bids, applies cache-control safeguards, handles page-bids responses, and forwards client context.
crates/trusted-server-core/src/html_processor.rs	Adds head-open and bounded body-close injection points with a guard against duplicate tsjs.bids injection.
crates/trusted-server-core/src/auction/*	Extends auction types, request parsing, provider orchestration, floor filtering, diagnostics, and provider response handling.
crates/trusted-server-core/src/integrations/prebid.rs	Adds OpenRTB enrichment, stored-request fallback, EID forwarding, bidder override rules, PBS cache fields, nurl/burl propagation, and per-bidder suppression.
crates/trusted-server-core/src/integrations/aps.rs	Adds APS/TAM provider support.
crates/trusted-server-core/src/integrations/adserver_mock.rs	Adds mock mediation support with decoded provider prices.
crates/trusted-server-core/src/integrations/gpt.rs / gpt_bootstrap.js	Adds the head-injected window.tsjs.adInit bootstrap path.
crates/js/lib/src/integrations/gpt/index.ts	Implements the browser GPT path for window.tsjs.adSlots, window.tsjs.bids, render-confirmed beacon firing, SPA updates, slim-Prebid loading, and Prebid creative rendering bridge.
crates/js/lib/src/integrations/prebid/index.ts	Adds deferred Prebid integration, user ID module/EID cookie sync, client-side bidder support, and metadata-derived refresh auctions.
crates/trusted-server-adapter-fastly/src/main.rs	Wires auction/page-bids routes and publisher handler inputs into the Fastly adapter.

Closes

Closes #677
Closes #697
Closes #698
Closes #699
Closes #700
Closes #702

Test plan

Automated

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• git diff --check
• JS build: cd crates/js/lib && node build-all.mjs
• JS lint: cd crates/js/lib && npm run lint
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• GitHub Vitest check passes on the current PR head
• Local cd crates/js/lib && npx vitest run currently fails before test discovery in this workspace with ERR_REQUIRE_ESM from html-encoding-sniffer requiring @exodus/bytes/encoding-lite.js; no local JS test assertions execute under that failure mode.

Manual end-to-end (browser DevTools console)

The steps below build on each other. Use a URL whose path matches one of the configured [[creative_opportunities.slot]] page_patterns.

Step 1 - Verify slot config is injected at <head> open

window.tsjs?.adSlots

Expected: an array of slot objects. Each entry has id, gam_unit_path, div_id, formats, and targeting. Note the div_id value from one matching slot for step 3.

Step 2 - Verify server-side auction results are injected before </body>

window.tsjs?.bids

Expected: an object keyed by slot ID. Winning slots include hb_bidder, hb_pb, and, for Prebid cache-backed bids, hb_adid / cache fields.

Step 3 - Verify window.tsjs.adInit wired GPT targeting

Replace SLOT_DIV_ID with the div_id from step 1.

googletag
  .pubads()
  .getSlots()
  .filter((slot) => slot.getSlotElementId() === 'SLOT_DIV_ID')
  .map((slot) => ({
    path: slot.getAdUnitPath(),
    targeting: slot.getTargetingMap(),
  }))

Expected: the slot has the configured GAM unit path and targeting includes hb_pb, hb_bidder, any slot-level keys such as pos / zone, and ts_initial: ["1"].

Step 4 - Verify slot matching is page-pattern-aware

Navigate to a different configured path, for example / when homepage slots are configured, and repeat step 2.

Expected: window.tsjs.bids is keyed by the slots matching that page, not by slots from the previous page type.

Step 5 - Confirm no duplicate bids injection

View page source and search for .bids=JSON.parse.

Expected: exactly one window.tsjs.bids assignment before </body> on pages where an auction ran.

Pending (GAM line items required)

Creative delivery requires standard GAM line items targeting hb_pb, hb_bidder, and related Prebid keys. That setup is outside this PR.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code
• Uses log macros instead of println!
• New code paths have Rust and/or TS test coverage
• No secrets or credentials intentionally committed

[ChristianPavilonis]

Review Summary

CI is green. I found one high-priority timing/initialization issue and two low-priority follow-ups.

Findings submitted inline: 0 P0, 1 P1, 0 P2, 2 P3.

[aram356]

Summary

Pass-4 review at fcb04d29 (latest head). Verified all prior-review fixes (passes 1–3 + Christian's comments) landed correctly; identified one trivial blocker (test-fixture typo), one open question on SPA-navigation race, and a handful of hardening seedlings. CI all green.

Blocking

🔧 wrench

• examnple.com typo in sourcepoint.rs test fixture (sourcepoint.rs:1076, 1078) — see inline.

❓ question

• SPA navigation race on rapid back-and-forth (gpt/index.ts:331) — see inline.

Non-blocking

🤔 thinking

• prepend_auction_debug_comment None branch unreachable (publisher.rs:653) — see inline.

♻️ refactor

• Empty-bids <script> fallback duplicated. build_bids_script (publisher.rs:1346–1353) and the no-bids fallback in html_processor.rs (~line 340) both emit the same window.__ts_bids=JSON.parse("{}");if(typeof window.__tsAdInit==="function")window.__tsAdInit();. Export a build_empty_bids_script() helper so the script shape can change in one place.

🌱 seedling

• parse_ts_eids_cookie hardening — deny_unknown_fields + length cap (cookies.rs:143) — see inline.
• CreativeOpportunitiesFile + CreativeOpportunitySlot lack deny_unknown_fields (creative_opportunities.rs:227) — see inline.
• adserver_mock crid parsing silently strips bid metadata (adserver_mock.rs:253–256) — see inline.
• adserver_mock accepts zero-dimension bids silently (adserver_mock.rs:263–264) — see inline.
• APS parse_aps_slot defaults to 0×0 on bad size string (aps.rs:409, not in diff hunk so flagging here). Self::parse_size(&slot.size).unwrap_or((0, 0)) produces an invalid 0×0 bid when the APS response carries a malformed size. Fail closed by logging and skipping the bid, mirroring the adserver_mock seedling above.
• No MediaType::Native or MediaType::Video slot-conversion test in creative_opportunities.rs — only Banner is exercised. Re-flag from pass-2; still applicable.
• No negative-CPM test in price_bucket (price_bucket.rs:133–157). The early if !cpm.is_finite() || cpm <= 0.0 correctly returns the zero bucket, but the test matrix only pins NaN/Inf. One-line assert_eq!(price_bucket(-1.5, Dense), "0.00");.

⛏ nitpick

• is_processable_content_type uses contains rather than parsing the MIME (publisher.rs:1401, not in diff hunk). Content-Type: text/notthml from a misbehaving origin would match text/. Best-effort and current callers are safe; flag for future hardening.

📌 out of scope

• /__ts/page-bids accepts client-supplied ?path= and forwards to PBS as site.page (publisher.rs:1480–1488) — see inline.

CI status

All 13 GitHub checks pass at fcb04d29 — fmt, clippy, cargo test, vitest, format-docs, format-typescript, browser integration tests, integration tests, CodeQL, Analyze (rust + javascript-typescript + actions).

[ChristianPavilonis]

Automated review: I reviewed PR #680 at def951a against main. CI is green, but I found blocking privacy/security and correctness issues in the new server-side ad-template paths. In particular, the publisher/page-bids auction paths can forward persistent identifiers after EC consent is denied, the default config now enables automatic outbound ad calls to real endpoints, and the GPT/Prebid refresh paths can duplicate requests or reuse stale targeting. Details are inline.

[ChristianPavilonis]

Summary

Reviewed the current branch PR #680 at 80fe39220 against main. I found several remaining issues that should be addressed in this PR because they affect the new server-side ad-template auction behavior: consent gating, the auction kill switch, PBS URL compatibility, SPA refresh flow, timeout budgets, and stale GPT targeting.

Per discussion, the raw browser-cookie forwarding concern is not included in this PR review and is tracked separately in #763.

Findings submitted inline: 0 P0, 4 P1, 1 P2, 1 P3. One additional P2 is included below because the affected provider timeout lines are not part of the final PR diff.

P2 — Provider payload timeouts ignore the effective auction budget

crates/trusted-server-core/src/integrations/prebid.rs:1171 and crates/trusted-server-core/src/integrations/aps.rs:367 still use provider config timeouts in the payload (tmax / APS timeout), while the Fastly backend timeout is capped to context.timeout_ms. When creative_opportunities.auction_timeout_ms is lower than the provider timeout, providers are told they have more time than the edge will actually wait, which can turn useful partial bids into edge timeouts. Please use the effective context.timeout_ms in provider payloads and add tests where provider config is 1000ms but auction context is 500ms.

[ChristianPavilonis]

P1 — GDPR/no-consent requests can still run server-side auctions

gdpr_applies is derived from TCF/GPP signal presence, not from geo jurisdiction. That means a GDPR-region request with no TC/GPP signal yet is treated as !gdpr_applies and can dispatch PBS/APS auctions. For this server-side ad stack, please fail closed for GDPR/unknown jurisdiction unless effective TCF/GPP Purpose 1 is granted.

Suggested fix: centralize this eligibility check in a helper and use it for both publisher navigation auctions and /__ts/page-bids. Also make page-bids use the adapter's geo-aware EcContext or pass geo into read_from_request_with_geo, so jurisdiction is available for this decision.

[ChristianPavilonis]

P1 — Documented Prebid URL shape is double-appended by the provider

The committed config now shows server_url = "https://prebid-server.example.com/openrtb2/auction", but the provider constructs requests with format!("{}/openrtb2/auction", self.config.server_url). Operators copying this config/docs will request /openrtb2/auction/openrtb2/auction and get no PBS bids.

Suggested fix: normalize backward-compatibly: if server_url already ends with /openrtb2/auction, use it as-is; otherwise append the path. Alternatively, redefine the config field as a base origin and update all examples/docs to match.

[ChristianPavilonis]

P1 — [auction].enabled is ignored by the new automatic auction paths

should_run_auction is derived from slots/navigation/consent, but not from settings.auction.enabled or orchestrator.is_enabled(). A deployment with [auction].enabled = false can still dispatch automatic publisher/page-bids server-side auctions when creative-opportunity slots are configured.

Suggested fix: make the global auction flag a real kill switch for publisher navigation auctions, /__ts/page-bids, and ideally /auction for consistency. When disabled, skip the server-side ad stack behavior that would dispatch auctions or call adInit() from injected empty bids.

[ChristianPavilonis]

P1 — SPA adInit() refreshes can be intercepted by slim-Prebid and clear server-side bids

After /__ts/page-bids returns, adInit() applies the server-side hb_* targeting and then calls pubads.refresh(slotsToRefresh). Once slim-Prebid has wrapped refresh, that internal TS refresh is intercepted, clears the just-applied TS targeting, and starts a client-side Prebid auction instead. This defeats the SPA server-side bid path and adds duplicate auction/GAM latency.

Suggested fix: add a one-shot internal refresh bypass around this adInit() refresh (for example ts.adInitRefreshInProgress) and have the Prebid refresh wrapper call originalRefresh directly only for that internal refresh. Do not key this off ts_initial, because later publisher-initiated refreshes of these slots should still run fresh client-side auctions.

[ChristianPavilonis]

P2 — Stale TS targeting can remain when the next SPA route has no TS slots

The cleanup of prior hb_*, ts_initial, and route-specific targeting only runs inside the loop over the new ts.adSlots. If navigation moves to a route with no matching TS slots, or a previously TS-touched publisher-owned GPT slot is absent from the new slot list, old targeting can remain and later publisher refreshes can reuse it.

Suggested fix: before applying the current route, clear TS-managed keys and previously tracked slot-targeting keys from all previously TS-touched GPT slots/div IDs, then replace prevSlotTargetingKeys / divToSlotId and apply current slots.

[ChristianPavilonis]

P3 — Inline GPT bootstrap misses container slot IDs for beacon lookup

When the bootstrap defines a slot on ${actualDivId}-container, slotRenderEnded reports the GPT slot element ID, but divToSlotId only maps actualDivId. In that fallback path, container-backed slots can miss nurl/burl firing.

Suggested fix: mirror the TS implementation: after defining/reusing the slot, read s.getSlotElementId() and map both actualDivId and the GPT slot element ID to slot.id.