IABTechLab · ChristianPavilonis · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.github/actions/setup-integration-test-env/action.yml b/.github/actions/setup-integration-test-env/action.yml
@@ -80,7 +80,7 @@ runs:
       env:
         TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:${{ inputs.origin-port }}
         TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
-        TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret
+        TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
         TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
       run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -55,7 +55,7 @@ jobs:
         env:
           TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:8080
           TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
-          TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret
+          TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
           TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
         run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
 

diff --git a/crates/integration-tests/fixtures/configs/viceroy-template.toml b/crates/integration-tests/fixtures/configs/viceroy-template.toml
@@ -25,11 +25,29 @@
             key = "placeholder"
             data = "placeholder"
 
-        # Pre-seeded EC row for KV-backed EC lifecycle tests.
+        # Pre-seeded EC rows for KV-backed EC lifecycle tests. Each scenario
+        # uses a separate row so withdrawal tombstones do not leak across
+        # sequential scenario execution in the same Viceroy instance.
         [[local_server.kv_stores.ec_identity_store]]
             key = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.test01"
             data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
 
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.test02"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc.test03"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd.test04"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
+        [[local_server.kv_stores.ec_identity_store]]
+            key = "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.test05"
+            data = '{"v":1,"created":1700000000,"consent":{"ok":true,"updated":1700000000},"geo":{"country":"US","region":"CA"}}'
+
         [[local_server.kv_stores.ec_partner_store]]
             key = "placeholder"
             data = "placeholder"

diff --git a/crates/integration-tests/tests/frameworks/scenarios.rs b/crates/integration-tests/tests/frameworks/scenarios.rs
@@ -500,16 +500,17 @@ impl EcScenario {
 /// US Privacy signal that explicitly allows storage in the default Viceroy
 /// integration-test geo (US-CA).
 const ALLOW_US_PRIVACY_COOKIE: &str = "1YNN";
-const SEEDED_EC_ID: &str =
-    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.test01";
-
 fn allow_ec_generation(client: &EcTestClient) {
     client.set_cookie("us_privacy", ALLOW_US_PRIVACY_COOKIE);
 }
 
-fn use_seeded_ec(client: &EcTestClient) -> String {
-    client.set_cookie("ts-ec", SEEDED_EC_ID);
-    normalize_ec_id(SEEDED_EC_ID)
+fn seeded_ec_id(hex_digit: char, suffix: &str) -> String {
+    format!("{}.{suffix}", hex_digit.to_string().repeat(64))
+}
+
+fn use_seeded_ec(client: &EcTestClient, ec_id: &str) -> String {
+    client.set_cookie("ts-ec", ec_id);
+    normalize_ec_id(ec_id)
 }
 
 /// Full lifecycle: seeded EC → batch sync → identify (Bearer auth) with scoped UID.
@@ -518,7 +519,8 @@ fn use_seeded_ec(client: &EcTestClient) -> String {
 fn ec_full_lifecycle(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
-    let ec_id = use_seeded_ec(&client);
+    let seeded_ec_id = seeded_ec_id('a', "test01");
+    let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC full lifecycle: using seeded EC ID = {ec_id}");
 
     // 2. Batch sync writes partner UID (partner "inttest" is in config)
@@ -576,7 +578,8 @@ fn ec_full_lifecycle(base_url: &str) -> TestResult<()> {
 fn ec_consent_withdrawal(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
-    let ec_id = use_seeded_ec(&client);
+    let seeded_ec_id = seeded_ec_id('b', "test02");
+    let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC consent withdrawal: using seeded EC = {ec_id}");
 
     // GPC overrides the allow cookie in US-CA, so this is an explicit
@@ -623,7 +626,8 @@ fn ec_identify_without_ec(base_url: &str) -> TestResult<()> {
 fn ec_identify_consent_denied(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
-    let _ec_id = use_seeded_ec(&client);
+    let seeded_ec_id = seeded_ec_id('c', "test03");
+    let _ec_id = use_seeded_ec(&client, &seeded_ec_id);
 
     // Identify with GPC=1 — in the default US-CA test geo, GPC is an explicit
     // denial that must override the allow cookie. Per spec §11.4, consent is
@@ -647,7 +651,8 @@ fn ec_identify_consent_denied(base_url: &str) -> TestResult<()> {
 fn ec_concurrent_partner_syncs(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
-    let ec_id = use_seeded_ec(&client);
+    let seeded_ec_id = seeded_ec_id('d', "test04");
+    let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC concurrent syncs: using seeded EC = {ec_id}");
 
     // Batch sync both partners (both are pre-configured in trusted-server.toml)
@@ -705,7 +710,8 @@ fn ec_concurrent_partner_syncs(base_url: &str) -> TestResult<()> {
 fn ec_batch_sync_happy_path(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
-    let ec_id = use_seeded_ec(&client);
+    let seeded_ec_id = seeded_ec_id('e', "test05");
+    let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC batch sync happy path: using seeded ec_id = {ec_id}");
 
     // Batch sync writes a UID for this EC ID (partner "inttest" is in config)

diff --git a/crates/js/lib/src/integrations/prebid/index.ts b/crates/js/lib/src/integrations/prebid/index.ts
@@ -451,6 +451,8 @@ function fitAuctionEidsToCookie(eids: AuctionEid[]): AuctionEid[] | undefined {
 function syncPrebidEidsCookie(): void {
   try {
     if (typeof pbjs.getUserIdsAsEids !== 'function') {
+      // Without Prebid EIDs to forward, stale auction fallback IDs must not persist.
+      clearPrebidEidsCookie();
       return;
     }
 

diff --git a/crates/js/lib/src/integrations/sourcepoint/index.ts b/crates/js/lib/src/integrations/sourcepoint/index.ts
@@ -0,0 +1,181 @@
+import { log } from '../../core/log';
+
+const SP_CONSENT_PREFIX = '_sp_user_consent_';
+const GPP_COOKIE_NAME = '__gpp';
+const GPP_SID_COOKIE_NAME = '__gpp_sid';
+const GPP_SOURCE_COOKIE_NAME = '_ts_gpp_src';
+const GPP_SOURCE_SOURCEPOINT = 'sp';
+const INITIAL_RETRY_DELAY_MS = 500;
+
+interface SourcepointGppData {
+  gppString: string;
+  applicableSections: number[];
+}
+
+interface SourcepointConsentPayload {
+  gppData?: SourcepointGppData;
+}
+
+let initialized = false;
+let initialRetryDone = false;
+let retryTimer: ReturnType<typeof window.setTimeout> | undefined;
+
+function findSourcepointConsent(): SourcepointConsentPayload | null {
+  // Sourcepoint stores one consent payload per property under `_sp_user_consent_*`.
+  // We intentionally take the first valid match and mirror that origin-scoped payload.
+  for (let i = 0; i < localStorage.length; i++) {
+    const key = localStorage.key(i);
+    if (!key?.startsWith(SP_CONSENT_PREFIX)) continue;
+
+    const raw = localStorage.getItem(key);
+    if (!raw) continue;
+
+    try {
+      const payload = JSON.parse(raw) as SourcepointConsentPayload;
+      if (payload.gppData?.gppString) {
+        return payload;
+      }
+    } catch {
+      log.debug('sourcepoint: failed to parse localStorage value', { key });
+    }
+  }
+  return null;
+}
+
+function readCookie(name: string): string | undefined {
+  const prefix = `${name}=`;
+  const cookie = document.cookie.split('; ').find((entry) => entry.startsWith(prefix));
+  return cookie?.slice(prefix.length);
+}
+
+function hasSourcepointMarker(): boolean {
+  return readCookie(GPP_SOURCE_COOKIE_NAME) === GPP_SOURCE_SOURCEPOINT;
+}
+
+function writeCookie(name: string, value: string): void {
+  document.cookie = `${name}=${value}; path=/; Secure; SameSite=Lax`;
+}
+
+function clearCookie(name: string): void {
+  document.cookie = `${name}=; path=/; Secure; SameSite=Lax; Max-Age=0`;
+}
+
+function clearSourcepointCookies(): void {
+  if (!hasSourcepointMarker()) {
+    return;
+  }
+
+  clearCookie(GPP_COOKIE_NAME);
+  clearCookie(GPP_SID_COOKIE_NAME);
+  clearCookie(GPP_SOURCE_COOKIE_NAME);
+}
+
+function mirrorOnVisible(): void {
+  if (document.visibilityState === 'visible') {
+    mirrorSourcepointConsent();
+  }
+}
+
+function clearInitialRetryTimer(): void {
+  if (retryTimer === undefined) {
+    return;
+  }
+
+  window.clearTimeout(retryTimer);
+  retryTimer = undefined;
+}
+
+function scheduleInitialRetry(): void {
+  if (initialRetryDone || retryTimer !== undefined) {
+    return;
+  }
+
+  const retry = (): void => {
+    if (initialRetryDone) {
+      return;
+    }
+
+    initialRetryDone = true;
+    clearInitialRetryTimer();
+    mirrorSourcepointConsent();
+  };
+
+  if (document.readyState === 'loading') {
+    document.addEventListener('DOMContentLoaded', retry, { once: true });
+  }
+
+  retryTimer = window.setTimeout(retry, INITIAL_RETRY_DELAY_MS);
+}
+
+/**
+ * Reads Sourcepoint consent from localStorage and mirrors it into
+ * `__gpp` and `__gpp_sid` cookies for Trusted Server to read.
+ *
+ * Returns `true` if cookies were written, `false` otherwise.
+ */
+export function mirrorSourcepointConsent(): boolean {
+  if (typeof localStorage === 'undefined' || typeof document === 'undefined') {
+    return false;
+  }
+
+  const payload = findSourcepointConsent();
+  if (!payload?.gppData) {
+    clearSourcepointCookies();
+    log.debug('sourcepoint: no GPP data found in localStorage');
+    return false;
+  }
+
+  const { gppString, applicableSections } = payload.gppData;
+  if (!gppString) {
+    clearSourcepointCookies();
+    log.debug('sourcepoint: gppString is empty');
+    return false;
+  }
+
+  const existingGppCookie = readCookie(GPP_COOKIE_NAME);
+  if (existingGppCookie && existingGppCookie !== gppString && !hasSourcepointMarker()) {
+    log.debug('sourcepoint: preserving existing __gpp cookie from another writer');
+    return false;
+  }
+
+  writeCookie(GPP_SOURCE_COOKIE_NAME, GPP_SOURCE_SOURCEPOINT);
+  writeCookie(GPP_COOKIE_NAME, gppString);
+
+  if (Array.isArray(applicableSections) && applicableSections.length > 0) {
+    writeCookie(GPP_SID_COOKIE_NAME, applicableSections.join(','));
+  } else {
+    clearCookie(GPP_SID_COOKIE_NAME);
+  }
+
+  initialRetryDone = true;
+  clearInitialRetryTimer();
+
+  log.info('sourcepoint: mirrored GPP consent to cookies', {
+    gppLength: gppString.length,
+    sections: applicableSections,
+  });
+
+  return true;
+}
+
+/**
+ * Initializes Sourcepoint consent mirroring and bounded refresh hooks.
+ */
+export function initializeSourcepointConsentMirror(): void {
+  if (initialized || typeof window === 'undefined' || typeof document === 'undefined') {
+    return;
+  }
+
+  initialized = true;
+
+  if (!mirrorSourcepointConsent()) {
+    scheduleInitialRetry();
+  }
+
+  // Sourcepoint persists consent changes to localStorage. Re-mirror when a
+  // user returns to the page so session cookies do not remain stale.
+  document.addEventListener('visibilitychange', mirrorOnVisible);
+  window.addEventListener('focus', mirrorSourcepointConsent);
+}
+
+initializeSourcepointConsentMirror();
diff --git a/crates/js/lib/test/integrations/prebid/index.test.ts b/crates/js/lib/test/integrations/prebid/index.test.ts
@@ -6,17 +6,19 @@ const {
   mockProcessQueue,
   mockRequestBids,
   mockRegisterBidAdapter,
+  mockGetUserIdsAsEids,
   mockPbjs,
   mockGetBidAdapter,
-  mockGetUserIdsAsEids,
   mockAdapterManager,
 } = vi.hoisted(() => {
   const mockSetConfig = vi.fn();
   const mockProcessQueue = vi.fn();
   const mockRequestBids = vi.fn();
   const mockRegisterBidAdapter = vi.fn();
   const mockGetBidAdapter = vi.fn();
-  const mockGetUserIdsAsEids = vi.fn();
+  const mockGetUserIdsAsEids = vi.fn(
+    () => [] as Array<{ source: string; uids?: Array<{ id: string; atype?: number }> }>
+  );
   const mockPbjs = {
     setConfig: mockSetConfig,
     processQueue: mockProcessQueue,
@@ -33,9 +35,9 @@ const {
     mockProcessQueue,
     mockRequestBids,
     mockRegisterBidAdapter,
+    mockGetUserIdsAsEids,
     mockPbjs,
     mockGetBidAdapter,
-    mockGetUserIdsAsEids,
     mockAdapterManager,
   };
 });