Migrate [edge_cookie] config to [ec] per spec §14

Rename EdgeCookie struct to Ec, secret_key field to passphrase,
and the TOML section from [edge_cookie] to [ec] to align with the
spec's configuration schema.

Add optional ec_store and partner_store fields to the Ec struct
in preparation for Story 3 (KV identity graph) and Story 4
(partner registry).

Remove the edge_cookie.rs legacy re-export shim — no consumers
remain after the ec/ module migration.

Author: ChristianPavilonis

CLAUDE.md

@@ -366,7 +366,7 @@ both runtime behavior and build/tooling changes.
 | `crates/trusted-server-core/src/tsjs.rs`                  | Script tag generation with module IDs             |
 | `crates/trusted-server-core/src/html_processor.rs`        | Injects `<script>` at `<head>` start              |
 | `crates/trusted-server-core/src/publisher.rs`             | `/static/tsjs=` handler, concatenates modules     |
-| `crates/trusted-server-core/src/edge_cookie.rs`           | Edge Cookie (EC) ID generation                    |
+| `crates/trusted-server-core/src/ec/`                      | EC identity subsystem (generation, consent, cookies) |
 | `crates/trusted-server-core/src/cookies.rs`               | Cookie handling                                   |
 | `crates/trusted-server-core/src/consent/mod.rs`           | GDPR and broader consent management               |
 | `crates/trusted-server-core/src/http_util.rs`             | HTTP abstractions and request utilities           |

crates/trusted-server-core/README.md

@@ -49,10 +49,11 @@ Behavior is covered by an extensive test suite in `crates/trusted-server-core/sr
 
 ## Edge Cookie (EC) Identifier Propagation
 
-- `edge_cookie.rs` generates an edge cookie identifier per user request and exposes helpers:
-  - `generate_ec_id` — creates a fresh HMAC-based ID using the client IP address and appends a short random suffix (format: `64hex.6alnum`).
-  - `get_ec_id` — extracts an existing ID from the `x-ts-ec` header or `ts-ec` cookie.
-  - `get_or_generate_ec_id` — reuses the existing ID when present, otherwise creates one.
+- The `ec/` module owns the EC identity subsystem:
+  - `ec/generation.rs` — creates HMAC-based IDs using the client IP and publisher passphrase (format: `64hex.6alnum`).
+  - `ec/mod.rs` — `EcContext` struct with two-phase lifecycle (`read_from_request` + `generate_if_needed`), `get_ec_id` helper.
+  - `ec/consent.rs` — EC-specific consent gating wrapper.
+  - `ec/cookies.rs` — `Set-Cookie` header creation and expiration helpers.
 - `publisher.rs::handle_publisher_request` stamps proxied origin responses with `x-ts-ec`, and (when absent) issues the `ts-ec` cookie so the browser keeps the identifier on subsequent requests.
 - `proxy.rs::handle_first_party_proxy` replays the identifier to third-party creative origins by appending `ts-ec=<value>` to the reconstructed target URL, follows redirects (301/302/303/307/308) up to four hops, and keeps downstream fetches linked to the same user scope.
 - `proxy.rs::handle_first_party_click` adds `ts-ec=<value>` to outbound click redirect URLs so analytics endpoints can associate clicks with impressions without third-party cookies.

crates/trusted-server-core/src/ec/generation.rs

@@ -70,10 +70,10 @@ pub fn generate_ec_id(
 ) -> Result<String, Report<TrustedServerError>> {
     log::trace!("Input for fresh EC ID: client_ip={client_ip}");
 
-    let mut mac = HmacSha256::new_from_slice(settings.edge_cookie.secret_key.expose().as_bytes())
+    let mut mac = HmacSha256::new_from_slice(settings.ec.passphrase.expose().as_bytes())
         .change_context(TrustedServerError::Ec {
-        message: "Failed to create HMAC instance".to_string(),
-    })?;
+            message: "Failed to create HMAC instance".to_string(),
+        })?;
     mac.update(client_ip.as_bytes());
     let hmac_hash = hex::encode(mac.finalize().into_bytes());
 

crates/trusted-server-core/src/edge_cookie.rs

@@ -1308,8 +1308,8 @@ cookie_domain = ".test-publisher.com"
 origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
-[edge_cookie]
-secret_key = "test-secret-key"
+[ec]
+passphrase = "test-secret-key"
 
 [integrations.google_tag_manager]
 enabled = true
@@ -1341,8 +1341,8 @@ cookie_domain = ".test-publisher.com"
 origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
-[edge_cookie]
-secret_key = "test-secret-key"
+[ec]
+passphrase = "test-secret-key"
 
 [integrations.google_tag_manager]
 container_id = "GTM-DEFAULT"

crates/trusted-server-core/src/integrations/google_tag_manager.rs

@@ -1307,8 +1307,8 @@ cookie_domain = ".test-publisher.com"
 origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
-[edge_cookie]
-secret_key = "test-secret-key"
+[ec]
+passphrase = "test-secret-key"
 "#;
 
     /// Parse a TOML string containing only the `[integrations.prebid]` section

crates/trusted-server-core/src/integrations/prebid.rs

@@ -17,7 +17,6 @@
 //! - [`settings`]: Configuration management and validation
 //! - [`streaming_replacer`]: Streaming URL replacement for large responses
 //! - [`ec`]: Edge Cookie (EC) identity subsystem — ID generation, consent gating, lifecycle
-//! - [`edge_cookie`]: Legacy re-exports from [`ec`]
 //! - [`test_support`]: Testing utilities and mocks
 //! - [`why`]: Debugging and introspection utilities
 
@@ -42,7 +41,6 @@ pub mod constants;
 pub mod cookies;
 pub mod creative;
 pub mod ec;
-pub mod edge_cookie;
 pub mod error;
 pub mod fastly_storage;
 pub mod geo;

crates/trusted-server-core/src/lib.rs

@@ -192,28 +192,42 @@ impl DerefMut for IntegrationSettings {
     }
 }
 
-/// Edge Cookie configuration.
+/// Edge Cookie (EC) configuration.
+///
+/// Mapped from the `[ec]` TOML section. Controls EC identity generation,
+/// KV store names, and partner registry.
 #[allow(unused)]
 #[derive(Debug, Default, Clone, Deserialize, Serialize, Validate)]
-pub struct EdgeCookie {
-    #[validate(custom(function = EdgeCookie::validate_secret_key))]
-    pub secret_key: Redacted<String>,
+pub struct Ec {
+    /// Publisher passphrase used as HMAC key for EC generation.
+    #[validate(custom(function = Ec::validate_passphrase))]
+    pub passphrase: Redacted<String>,
+
+    /// Fastly KV store name for the EC identity graph.
+    /// Required for Stories 3+ (KV identity graph).
+    #[serde(default)]
+    pub ec_store: Option<String>,
+
+    /// Fastly KV store name for the partner registry.
+    /// Required for Story 4+ (partner registry).
+    #[serde(default)]
+    pub partner_store: Option<String>,
 }
 
-impl EdgeCookie {
+impl Ec {
     /// Known placeholder values that must not be used in production.
-    pub const SECRET_KEY_PLACEHOLDERS: &[&str] = &["secret-key", "secret_key", "trusted-server"];
+    pub const PASSPHRASE_PLACEHOLDERS: &[&str] = &["secret-key", "secret_key", "trusted-server"];
 
-    /// Returns `true` if `secret_key` matches a known placeholder value
+    /// Returns `true` if `passphrase` matches a known placeholder value
     /// (case-insensitive).
     #[must_use]
-    pub fn is_placeholder_secret_key(secret_key: &str) -> bool {
-        Self::SECRET_KEY_PLACEHOLDERS
+    pub fn is_placeholder_passphrase(passphrase: &str) -> bool {
+        Self::PASSPHRASE_PLACEHOLDERS
             .iter()
-            .any(|p| p.eq_ignore_ascii_case(secret_key))
+            .any(|p| p.eq_ignore_ascii_case(passphrase))
     }
 
-    /// Validates that the secret key is not empty.
+    /// Validates that the passphrase is not empty.
     ///
     /// Placeholder detection is intentionally **not** performed here because
     /// this validator runs at build time (via `from_toml_and_env`) when the
@@ -222,10 +236,10 @@ impl EdgeCookie {
     ///
     /// # Errors
     ///
-    /// Returns a validation error if the secret key is empty.
-    pub fn validate_secret_key(secret_key: &Redacted<String>) -> Result<(), ValidationError> {
-        if secret_key.expose().is_empty() {
-            return Err(ValidationError::new("empty_secret_key"));
+    /// Returns a validation error if the passphrase is empty.
+    pub fn validate_passphrase(passphrase: &Redacted<String>) -> Result<(), ValidationError> {
+        if passphrase.expose().is_empty() {
+            return Err(ValidationError::new("empty_passphrase"));
         }
         Ok(())
     }
@@ -331,7 +345,7 @@ pub struct Settings {
     pub publisher: Publisher,
     #[serde(default)]
     #[validate(nested)]
-    pub edge_cookie: EdgeCookie,
+    pub ec: Ec,
     #[serde(default)]
     pub integrations: IntegrationSettings,
     #[serde(default, deserialize_with = "vec_from_seq_or_map")]
@@ -427,8 +441,8 @@ impl Settings {
     pub fn reject_placeholder_secrets(&self) -> Result<(), Report<TrustedServerError>> {
         let mut insecure_fields: Vec<&str> = Vec::new();
 
-        if EdgeCookie::is_placeholder_secret_key(self.edge_cookie.secret_key.expose()) {
-            insecure_fields.push("edge_cookie.secret_key");
+        if Ec::is_placeholder_passphrase(self.ec.passphrase.expose()) {
+            insecure_fields.push("ec.passphrase");
         }
         if Publisher::is_placeholder_proxy_secret(self.publisher.proxy_secret.expose()) {
             insecure_fields.push("publisher.proxy_secret");
@@ -717,7 +731,7 @@ mod tests {
             settings.publisher.origin_url,
             "https://origin.test-publisher.com"
         );
-        assert_eq!(settings.edge_cookie.secret_key.expose(), "test-secret-key");
+        assert_eq!(settings.ec.passphrase.expose(), "test-secret-key");
 
         settings.validate().expect("Failed to validate settings");
     }
@@ -752,32 +766,32 @@ mod tests {
     }
 
     #[test]
-    fn is_placeholder_secret_key_rejects_all_known_placeholders() {
-        for placeholder in EdgeCookie::SECRET_KEY_PLACEHOLDERS {
+    fn is_placeholder_passphrase_rejects_all_known_placeholders() {
+        for placeholder in Ec::PASSPHRASE_PLACEHOLDERS {
             assert!(
-                EdgeCookie::is_placeholder_secret_key(placeholder),
-                "should detect placeholder secret_key '{placeholder}'"
+                Ec::is_placeholder_passphrase(placeholder),
+                "should detect placeholder passphrase '{placeholder}'"
             );
         }
     }
 
     #[test]
-    fn is_placeholder_secret_key_is_case_insensitive() {
+    fn is_placeholder_passphrase_is_case_insensitive() {
         assert!(
-            EdgeCookie::is_placeholder_secret_key("SECRET-KEY"),
-            "should detect case-insensitive placeholder secret_key"
+            Ec::is_placeholder_passphrase("SECRET-KEY"),
+            "should detect case-insensitive placeholder passphrase"
         );
         assert!(
-            EdgeCookie::is_placeholder_secret_key("Trusted-Server"),
-            "should detect mixed-case placeholder secret_key"
+            Ec::is_placeholder_passphrase("Trusted-Server"),
+            "should detect mixed-case placeholder passphrase"
         );
     }
 
     #[test]
-    fn is_placeholder_secret_key_accepts_non_placeholder() {
+    fn is_placeholder_passphrase_accepts_non_placeholder() {
         assert!(
-            !EdgeCookie::is_placeholder_secret_key("test-secret-key"),
-            "should accept non-placeholder secret_key"
+            !Ec::is_placeholder_passphrase("test-secret-key"),
+            "should accept non-placeholder passphrase"
         );
     }
 
@@ -1419,8 +1433,8 @@ mod tests {
             origin_url = "https://origin.test-publisher.com"
             proxy_secret = "unit-test-proxy-secret"
 
-            [edge_cookie]
-            secret_key = "test-secret-key"
+            [ec]
+            passphrase = "test-secret-key"
 
             [request_signing]
             config_store_id = "test-config-store-id"

crates/trusted-server-core/src/settings.rs

@@ -58,22 +58,22 @@ mod tests {
     ///
     /// Panics if the replacement patterns no longer match the test TOML,
     /// which would cause the substitution to silently no-op.
-    fn toml_with_secrets(secret_key: &str, proxy_secret: &str) -> String {
+    fn toml_with_secrets(passphrase: &str, proxy_secret: &str) -> String {
         let original = crate_test_settings_str();
-        let after_secret_key = original.replace(
-            r#"secret_key = "test-secret-key""#,
-            &format!(r#"secret_key = "{secret_key}""#),
+        let after_passphrase = original.replace(
+            r#"passphrase = "test-secret-key""#,
+            &format!(r#"passphrase = "{passphrase}""#),
         );
         assert_ne!(
-            after_secret_key, original,
-            "should have replaced secret_key value"
+            after_passphrase, original,
+            "should have replaced passphrase value"
         );
-        let result = after_secret_key.replace(
+        let result = after_passphrase.replace(
             r#"proxy_secret = "unit-test-proxy-secret""#,
             &format!(r#"proxy_secret = "{proxy_secret}""#),
         );
         assert_ne!(
-            result, after_secret_key,
+            result, after_passphrase,
             "should have replaced proxy_secret value"
         );
         result
@@ -88,8 +88,8 @@ mod tests {
             .expect_err("should reject placeholder secret_key");
         let root = err.current_context();
         assert!(
-            matches!(root, TrustedServerError::InsecureDefault { field } if field.contains("edge_cookie.secret_key")),
-            "error should mention edge_cookie.secret_key, got: {root}"
+            matches!(root, TrustedServerError::InsecureDefault { field } if field.contains("ec.passphrase")),
+            "error should mention ec.passphrase, got: {root}"
         );
     }
 
@@ -118,8 +118,8 @@ mod tests {
         match root {
             TrustedServerError::InsecureDefault { field } => {
                 assert!(
-                    field.contains("edge_cookie.secret_key"),
-                    "error should mention edge_cookie.secret_key, got: {field}"
+                    field.contains("ec.passphrase"),
+                    "error should mention ec.passphrase, got: {field}"
                 );
                 assert!(
                     field.contains("publisher.proxy_secret"),

crates/trusted-server-core/src/settings_data.rs

@@ -30,8 +30,8 @@ pub mod tests {
             enabled = false
             rewrite_attributes = ["href", "link", "url"]
 
-            [edge_cookie]
-            secret_key = "test-secret-key"
+            [ec]
+            passphrase = "test-secret-key"
             [request_signing]
             config_store_id = "test-config-store-id"
             secret_store_id = "test-secret-store-id"