Implement server-side ad slot templates with PBS and APS auction

[prk-Jr]

Summary

• Adds server-side ad slot templates under [creative_opportunities] in trusted-server.toml. Matching slots are selected from the incoming document URL at the edge, and window.tsjs.adSlots is injected at <head> open so initial GPT setup does not need a separate slot-discovery request.
• Runs the server-side auction in parallel with the origin fetch for eligible document navigations. Configured providers such as Prebid Server and APS race under the creative-opportunity auction deadline; winning bids are price-bucketed and injected as window.tsjs.bids before </body>.
• Adds the window.tsjs.adInit GPT runtime path. It reads window.tsjs.adSlots and window.tsjs.bids synchronously, defines or reuses GPT slots, applies slot-level and hb_* targeting, sets ts_initial=1, refreshes the initial slots, and fires nurl/burl only after slotRenderEnded confirms the TS bid won via hb_adid.
• Adds PBS stored-request fallback keyed by slot ID when no inline PBS bidder params are present, filters non-PBS provider keys from PBS requests, and keeps bidder-param override rules for per-bidder/zone params.
• Adds per-bidder PBS win/billing suppression with [integrations.prebid].suppress_nurl_bidders, while retaining the deployment-wide [integrations.prebid].suppress_nurl compatibility switch.
• Improves the deferred slim-Prebid refresh path so GPT refresh auctions derive ad unit sizes and zone from injected window.tsjs.adSlots / GPT metadata instead of placeholder refresh sizes.
• Implements EID forwarding for the server-side auction path: reads the ts-eids cookie written by TSJS, gates EIDs by consent, and forwards them as OpenRTB user.ext.eids to PBS.
• Forwards real client IP and geo from Fastly ClientInfo into the server-side PBS request so bidders see the browser client context rather than the Fastly edge context.
• Keeps SPA/CSR route changes covered by the existing GET /__ts/page-bids hook, which updates window.tsjs.adSlots / window.tsjs.bids and re-runs window.tsjs.adInit() after pushState, replaceState, or popstate navigations.

What the server-side auction sends to PBS

Field	Value	Source
user.id	EC ID	ts-ec cookie or generated EC identity
user.consent / user.ext.consent	TCF v2 string when available	consent cookies / request consent extraction
user.ext.eids	EID array, consent-gated	ts-eids cookie plus EC identity resolution
user.ext.ec_fresh	fresh EC flag	EC context
device.ua	user agent	User-Agent header
device.ip	real client IP	Fastly ClientInfo.client_ip
device.geo	city/country/region/lat/lon/metro/asn	Fastly geo lookup
device.dnt	true if set	DNT: 1 header
device.language	primary language tag	Accept-Language header
site.domain / site.page	publisher domain + full URL	request host/path/scheme
site.ref	referrer	Referer header
regs.gdpr / regs.us_privacy / regs.gpp	privacy signals	consent extraction
imp.*	slots, formats, bidder params, floors	[creative_opportunities] slot templates and Prebid config
tmax	auction timeout ms	[creative_opportunities].auction_timeout_ms, falling back to [auction].timeout_ms

Changes

File / area	Change
trusted-server.toml	Adds [creative_opportunities] slot templates and documents Prebid nurl suppression knobs.
.env.example / docs	Documents Prebid bidder override env vars and SUPPRESS_NURL_BIDDERS.
crates/trusted-server-core/src/creative_opportunities.rs	Defines slot-template config, URL glob matching, slot-to-auction conversion, provider params, and slot ID validation helpers.
crates/trusted-server-core/src/settings.rs / build.rs	Wires creative opportunities into settings and build-time slot ID validation from trusted-server.toml.
crates/trusted-server-core/src/publisher.rs	Matches slots, dispatches server-side auctions, injects window.tsjs.adSlots and window.tsjs.bids, applies cache-control safeguards, handles page-bids responses, and forwards client context.
crates/trusted-server-core/src/html_processor.rs	Adds head-open and bounded body-close injection points with a guard against duplicate tsjs.bids injection.
crates/trusted-server-core/src/auction/*	Extends auction types, request parsing, provider orchestration, floor filtering, diagnostics, and provider response handling.
crates/trusted-server-core/src/integrations/prebid.rs	Adds OpenRTB enrichment, stored-request fallback, EID forwarding, bidder override rules, PBS cache fields, nurl/burl propagation, and per-bidder suppression.
crates/trusted-server-core/src/integrations/aps.rs	Adds APS/TAM provider support.
crates/trusted-server-core/src/integrations/adserver_mock.rs	Adds mock mediation support with decoded provider prices.
crates/trusted-server-core/src/integrations/gpt.rs / gpt_bootstrap.js	Adds the head-injected window.tsjs.adInit bootstrap path.
crates/js/lib/src/integrations/gpt/index.ts	Implements the browser GPT path for window.tsjs.adSlots, window.tsjs.bids, render-confirmed beacon firing, SPA updates, slim-Prebid loading, and Prebid creative rendering bridge.
crates/js/lib/src/integrations/prebid/index.ts	Adds deferred Prebid integration, user ID module/EID cookie sync, client-side bidder support, and metadata-derived refresh auctions.
crates/trusted-server-adapter-fastly/src/main.rs	Wires auction/page-bids routes and publisher handler inputs into the Fastly adapter.

Closes

Closes #677
Closes #697
Closes #698
Closes #699
Closes #700
Closes #702

Test plan

Automated

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• git diff --check
• JS build: cd crates/js/lib && node build-all.mjs
• JS lint: cd crates/js/lib && npm run lint
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• GitHub Vitest check passes on the current PR head
• Local cd crates/js/lib && npx vitest run currently fails before test discovery in this workspace with ERR_REQUIRE_ESM from html-encoding-sniffer requiring @exodus/bytes/encoding-lite.js; no local JS test assertions execute under that failure mode.

Manual end-to-end (browser DevTools console)

The steps below build on each other. Use a URL whose path matches one of the configured [[creative_opportunities.slot]] page_patterns.

Step 1 - Verify slot config is injected at <head> open

window.tsjs?.adSlots

Expected: an array of slot objects. Each entry has id, gam_unit_path, div_id, formats, and targeting. Note the div_id value from one matching slot for step 3.

Step 2 - Verify server-side auction results are injected before </body>

window.tsjs?.bids

Expected: an object keyed by slot ID. Winning slots include hb_bidder, hb_pb, and, for Prebid cache-backed bids, hb_adid / cache fields.

Step 3 - Verify window.tsjs.adInit wired GPT targeting

Replace SLOT_DIV_ID with the div_id from step 1.

googletag
  .pubads()
  .getSlots()
  .filter((slot) => slot.getSlotElementId() === 'SLOT_DIV_ID')
  .map((slot) => ({
    path: slot.getAdUnitPath(),
    targeting: slot.getTargetingMap(),
  }))

Expected: the slot has the configured GAM unit path and targeting includes hb_pb, hb_bidder, any slot-level keys such as pos / zone, and ts_initial: ["1"].

Step 4 - Verify slot matching is page-pattern-aware

Navigate to a different configured path, for example / when homepage slots are configured, and repeat step 2.

Expected: window.tsjs.bids is keyed by the slots matching that page, not by slots from the previous page type.

Step 5 - Confirm no duplicate bids injection

View page source and search for .bids=JSON.parse.

Expected: exactly one window.tsjs.bids assignment before </body> on pages where an auction ran.

Pending (GAM line items required)

Creative delivery requires standard GAM line items targeting hb_pb, hb_bidder, and related Prebid keys. That setup is outside this PR.

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code
• Uses log macros instead of println!
• New code paths have Rust and/or TS test coverage
• No secrets or credentials intentionally committed

[ChristianPavilonis]

Automated review: I reviewed PR #680 at def951a against main. CI is green, but I found blocking privacy/security and correctness issues in the new server-side ad-template paths. In particular, the publisher/page-bids auction paths can forward persistent identifiers after EC consent is denied, the default config now enables automatic outbound ad calls to real endpoints, and the GPT/Prebid refresh paths can duplicate requests or reuse stale targeting. Details are inline.

[ChristianPavilonis]

Summary

Reviewed the current branch PR #680 at 80fe39220 against main. I found several remaining issues that should be addressed in this PR because they affect the new server-side ad-template auction behavior: consent gating, the auction kill switch, PBS URL compatibility, SPA refresh flow, timeout budgets, and stale GPT targeting.

Per discussion, the raw browser-cookie forwarding concern is not included in this PR review and is tracked separately in #763.

Findings submitted inline: 0 P0, 4 P1, 1 P2, 1 P3. One additional P2 is included below because the affected provider timeout lines are not part of the final PR diff.

P2 — Provider payload timeouts ignore the effective auction budget

crates/trusted-server-core/src/integrations/prebid.rs:1171 and crates/trusted-server-core/src/integrations/aps.rs:367 still use provider config timeouts in the payload (tmax / APS timeout), while the Fastly backend timeout is capped to context.timeout_ms. When creative_opportunities.auction_timeout_ms is lower than the provider timeout, providers are told they have more time than the edge will actually wait, which can turn useful partial bids into edge timeouts. Please use the effective context.timeout_ms in provider payloads and add tests where provider config is 1000ms but auction context is 500ms.

[aram356]

Summary

Server-side ad slot templates with PBS/APS auction — a large, well-tested feature (44 files, +12,746/−395). The XSS escaping, single-injection guard, consent gating, and price-bucket math are solid. Findings cluster around win/billing beacon correctness (the headline issue), a runtime slot-id validation gap, and JS test hygiene. Inline comments carry most findings; cross-cutting items are below.

Blocking

🔧 wrench

• Win/billing beacons over-fire / double-fire — gpt_bootstrap.js:95 and gpt/index.ts:440 (inline).
• validate_slot_id dead at runtime — env-injected slot ids unvalidated, creative_opportunities.rs:270 (inline).
• JS test file leaks global addEventListener; suites duplicated across two dirs — gpt/index.test.ts:10 (inline).
• installSpaAuctionHook has zero coverage — gpt/index.ts:475 (inline).

❓ question

• Prebid stored-request fan-out behavioral change — prebid.rs:974 (inline).
• page-bids path query param not normalized before glob match — publisher.rs:1584 (inline).
• Cache-Control max-age=0 vs claimed no-store — publisher.rs:1214 (inline).

Non-blocking (not pinnable to a single diff line)

🤔 thinking

• collect vs parallel auction paths may diverge — auction/orchestrator.rs collect path calls provider.parse_response(...) while run_providers_parallel calls parse_response_with_context(...). If any provider's context-aware parse does extra work (consent/settings-driven), the async and parallel paths produce different bids for the same upstream response. Confirm the plain parse_response is an equivalent superset, or thread context through the collect loop too.

🌱 seedling

• No per-iteration deadline check in the collect select-loop — auction/orchestrator.rs collect_dispatched_auction relies entirely on each backend's dispatch-time timeout cap, whereas run_providers_parallel re-checks elapsed >= deadline after each select(). The invariant holds today (dispatch caps each provider at the remaining budget), but the two paths diverge silently; mirror the guard for defense-in-depth.

♻️ refactor

• adserver_mock.rs:101 carries request-scoped bid_index via Mutex on a shared Arc provider — same pattern flagged inline on aps.rs:289; migrate to parse_response_with_context.

⛏ nitpick

• platform_response_to_fastly is infallible but returns Result — auction/orchestrator.rs:497; every call site handles an Err that can never fire. Return fastly::Response directly or document the forward-compat intent.
• Redundant constructors — PriceGranularity::dense() (returns Self::Dense, and the enum already Defaults to Dense) and MediaType::banner() add public API surface over the variant literals for no benefit.

CI Status

• cargo fmt: PASS
• cargo clippy: PASS
• cargo test: PASS
• vitest (JS): PASS
• CodeQL / integration / browser-integration: PASS

[prk-Jr]

All findings from the two latest reviews are addressed in d3d43bc, 0f4dd86, and aa43944. Inline threads have individual replies; the items below had no inline thread.

@ChristianPavilonis — P2 provider payload timeouts (review body): Fixed in d3d43bc. PBS tmax and the APS payload timeout now use the effective context.timeout_ms — the orchestrator already caps each provider's context at min(remaining auction budget, provider config), so payloads now advertise exactly the deadline the edge backend enforces. Tests added for both providers with provider config 1000ms / auction context 500ms asserting the payload says 500.

@aram356 — blocking:

• Win/billing beacons over-fire / double-fire — fixed in 0f4dd86. Unified ourBidWon (hb_adid confirmation, hb_bidder fallback for APS bids which carry no hb_adid) across bootstrap and bundle, plus a once-per-bid dedupe keyed by slot + bid identity in shared tsjs.firedBeacons state — GAM re-renders and publisher refreshes can't re-bill, and the two listeners can't double-fire the same bid. Tests cover first-fire, repeat-render suppression, and the APS fallback.
• validate_slot_id dead at runtime — fixed in 0f4dd86. Wired into Settings::prepare_runtime, so every load path (including env-injected slots) rejects invalid IDs; build.rs keeps its raw-TOML check for build-time failures. Rejection test added.
• JS test addEventListener leak + suites in two dirs — fixed in 0f4dd86. The gpt adInit suite moved to test/integrations/gpt/ad_init.test.ts; the module-scope patch is now a plain wrapper restored in afterAll (deliberately not vi.spyOn — the render-bridge suite spies the same method, and a spy-on-spy aliases implementations and recurses).
• installSpaAuctionHook zero coverage — fixed in 0f4dd86. New spa_hook.test.ts: pushState fetch + adInit application, same-path no-op, replaceState/popstate, stale-response guard, non-OK response, install idempotence.

@aram356 — questions:

• Prebid stored-request fan-out — no behavioral change for existing flows: the JS adapter injects a trustedServer entry into every /auction ad unit, so the empty-bidder branch only fires for server-side creative-opportunity slots (new in this PR). Documented at the branch in 0f4dd86.
• page-bids path normalization — fixed in 0f4dd86: query/fragment stripped, leading slash forced before glob matching, with tests.
• Cache-Control max-age=0 vs no-store — deliberate per design spec §4.7: no-store was rejected to preserve BFCache eligibility; private plus Surrogate-Control stripping handles shared caches. The code comment now states this instead of implying no-store.

@aram356 — non-blocking:

• collect vs parallel parse divergence — fixed in 0f4dd86: the collect path (providers and mediator) now calls parse_response_with_context, matching the parallel path.
• collect-loop deadline check — mirrored in 0f4dd86 as defense-in-depth.
• adserver_mock bid_index Mutex — migrated in 0f4dd86: the index is rebuilt in parse_response_with_context from context.provider_responses. The APS slot_id_map cannot follow the same recipe — it derives from the AuctionRequest, which AuctionContext doesn't carry — so it keeps the Mutex with a doc comment stating the constraint; threading the request through the context is a follow-up.
• platform_response_to_fastly Result — now returns fastly::Response directly; dead error arms removed.
• Redundant constructors — removed; they existed only as serde default hooks, replaced with #[serde(default)] + Default impls.

Deliberately deferred: gating /auction on [auction].enabled (the "ideally" part of the kill-switch P1) — the client-side /auction path is scoped to a separate branch per earlier discussion.

aa43944 additionally defaults tsjs.adSlots/tsjs.bids in core init so pages reading them never throw when the ad stack is gated off, and flips the committed [auction].enabled default to true (inert in the checked-in config: no providers enabled, no slot templates — the integration flags remain the safe-by-default guard).

CI: cargo fmt / clippy -D warnings / cargo test --workspace (1310 core) / vitest 351 all green locally.

[ChristianPavilonis]

Automated review: I reviewed PR #680 at d1cd3d8 against origin/main. CI is currently green, but I found one blocking cache/privacy issue and two additional correctness/security hardening issues in the new server-side ad-template paths. Details are inline.

[ChristianPavilonis]

Automated review:

Review Summary

Reviewed PR #680 at 9613aff against origin/main, including current CI/review context and focused passes over Rust auction/publisher paths, GPT/Prebid JS, config/build validation, and caching/security behavior. CI is currently green, and many prior review findings have been fixed. I still found blocking correctness/compatibility issues in the server-side ad-template flow, especially around win/billing beacons and cache behavior.

Findings

P0 / Blockers

None.

P1 / High

1. Win and billing beacons can fire for non-Trusted-Server winners — crates/js/lib/src/integrations/gpt/index.ts:463

   • Issue: The slotRenderEnded handler treats retained GPT slot targeting as proof that the TS bid won. PBS bids compare hb_adid against slot.getTargeting('hb_adid'), and APS bids only require !!bid.hb_bidder. Slot targeting is request state, not proof of the winning GAM line item; direct/sponsorship/house line items can render non-empty while TS targeting remains on the slot.
   • Why it matters: nurl/burl are win/billing notifications. False positives can over-report wins and trigger billing for impressions won by other GAM demand. APS is especially exposed because the fallback has no event/creative identity check.
   • Suggested fix: Fire beacons only from a positive TS creative signal, such as a TS/Prebid creative callback carrying the expected ad/cache id, or a configured line-item/creative-id allowlist checked against slotRenderEnded event fields. Add a test where a non-empty non-TS line item renders while TS targeting remains on the slot.

2. Ad-template cache policy is applied to every HTML response, even when the stack is disabled/no-op — crates/trusted-server-core/src/publisher.rs:1219

   • Issue: All proxied text/html responses are rewritten to Cache-Control: private, max-age=0 and have surrogate headers stripped whenever this path handles HTML, regardless of whether any creative-opportunity slot matched or whether the checked-in/default config has zero slots.
   • Why it matters: Deploying with the current default/empty slot config can silently remove public/shared cacheability from all publisher HTML even though no per-user tsjs.adSlots/tsjs.bids data was injected. That is a severe compatibility/performance regression and undermines the empty-slot kill-switch behavior.
   • Suggested fix: Only force private/no-surrogate for responses that actually need per-user protection (for example when matched slots/ad scripts/bids are injected, or another per-user response mutation requires it). Add tests for zero-slot and non-matching-slot configs preserving origin cache headers unless per-user data is injected.

P2 / Medium

1. /__ts/page-bids accepts same-site cross-origin callers — crates/trusted-server-core/src/publisher.rs:1580

   • Issue: Sec-Fetch-Site: same-site includes sibling origins under the same registrable domain. This endpoint is side-effecting and can dispatch real PBS/APS auctions while forwarding request-derived signals to partners.
   • Why it matters: An untrusted same-site sibling origin cannot read the JSON without CORS, but it can still trigger partner calls and burn SSP quota from the visitor's browser context.
   • Suggested fix: Require Sec-Fetch-Site: same-origin for Fetch-Metadata-capable browsers. Keep the legacy fallback only when Sec-Fetch-Site is absent and the non-simple X-TSJS-Page-Bids header is present.

2. Repeated requestBids() calls can drop inline server-side bidder params — crates/js/lib/src/integrations/prebid/index.ts:496

   • Issue: The shim mutates unit.bids in-place to keep only trustedServer and client-side bidders. On the next requestBids() call with the same Prebid ad unit object, the original server-side bidder entries are gone, so bidderParams is rebuilt as {} and overwrites the existing trustedServer bidder params.
   • Why it matters: Publishers that supplied inline PBS params on the initial ad unit can lose them on refresh/re-auction and fall back to empty params/stored-request behavior instead.
   • Suggested fix: Preserve original server-side bids in a side table/non-destructive clone, or retain existing trustedServer.params.bidderParams when no new server-side bids are found. Add a test that calls requestBids() twice with the same ad unit.

3. SPA auctions can apply before the new route's ad containers exist — crates/js/lib/src/integrations/gpt/index.ts:548

   • Issue: After the page-bids fetch resolves, the SPA hook immediately writes ts.adSlots/ts.bids and calls ts.adInit(). adInit() looks up each slot element once and silently skips missing elements. Many SPA routers update history before the new route DOM has committed.
   • Why it matters: A fast edge response can run before the ad container exists, dropping server-side bids for that route with no retry and no beacon path.
   • Suggested fix: Defer route application until the next render tick and/or retry missing slots for a bounded window (for example requestAnimationFrame plus MutationObserver/timeout). Add a test where the page-bids response resolves before the slot element is inserted.

4. Build-time creative-opportunity validation only checks slot IDs — crates/trusted-server-core/build.rs:131

   • Issue: The build script deserializes creative-opportunity slots as raw JSON and validates only id, while the runtime schema requires fields like page_patterns and formats and denies unknown fields.
   • Why it matters: Bad slot config can pass cargo build and only fail later when the embedded settings are loaded at runtime/deploy.
   • Suggested fix: Validate slot_raw against a build-time schema that mirrors the runtime required fields/types, or reuse the real runtime deserializer in build context.

P3 / Low

None.

CI / Existing Reviews

Current GitHub checks are passing (cargo fmt/test, clippy/Analyze, vitest, browser and integration tests, CodeQL, docs/TS formatting). Existing review threads show multiple prior blocking findings have been addressed; the findings above are based on current head behavior. Inline comments were attempted first, but GitHub rejected the batch as line-unresolvable, so findings are consolidated in this review body.

[prk-Jr]

Thanks for the pass — addressed the five behavioral findings across two commits (065cea6, 5b225ae). Summary of how each was resolved:

P1.1 — win/billing beacons could fire for non-TS winners (5b225ae)
Dropped the !!bid.hb_bidder fallback that fired a beacon for any non-empty render whenever an APS bid existed for the slot. Beacons now require an hb_adid match (event.slot.getTargeting('hb_adid')[0] === bid.hb_adid), applied in both the bundle listener (gpt/index.ts) and the inline bootstrap (gpt_bootstrap.js). As you note, slot targeting is request state rather than proof of the winning GAM line item, so this removes the unconditional false positive but is not fully airtight — a creative/line-item allowlist keyed on slotRenderEnded fields is the airtight fix and needs config that does not exist yet; tracking that separately. Test updated to assert an APS-style bid with no hb_adid fires no beacon.

P1.2 — cache policy applied to all HTML even when the stack is no-op (5b225ae)
One correction on the suggested fix: ec_finalize_response sets the first-visit EC identity Set-Cookie without a cache directive of its own, so the blanket text/html → private rewrite was the only thing keeping that per-user cookie out of shared caches. Gating purely on "ad data injected" would have reopened a Set-Cookie cache leak. Resolved in two parts:

• The publisher-path rewrite is now gated on should_run_ad_stack (still applies regardless of auction outcome, per §8), so zero-slot / non-matching / feature-off navigations keep their origin cache headers.
• finalize_response now downgrades any Set-Cookie response to private, max-age=0 and strips surrogate headers, so first-visit identity responses stay private. Returning-visitor, cookieless, non-ad HTML is now shared-cacheable again.
  Added finalize_response tests for: plain cookieless HTML preserved, cookie-bearing HTML → private + surrogate stripped, stricter no-store left untouched, and operator surrogate headers cannot re-enable caching once private.

P2.1 — page-bids accepted same-site cross-origin callers (065cea6)
Gate now requires Sec-Fetch-Site: same-origin; same-site is rejected. The absent-metadata legacy fallback (non-simple X-TSJS-Page-Bids header) is unchanged. Updated the prior same-site test to assert 403.

P2.2 — repeated requestBids() dropped inline server-side bidder params (065cea6)
The shim now retains the bidderParams captured on the first call when a later call surfaces no server-side bidders (because they were already pruned from unit.bids), instead of overwriting with {}. Added a test that calls requestBids() twice on the same ad unit and asserts params survive.

P2.3 — SPA auctions could apply before the route's containers exist (065cea6)
The SPA hook now defers applying bids until at least one slot container is present, via MutationObserver bounded by a 2s timeout, then calls adInit() once (no re-run, to avoid re-refresh/re-bill). Added a test where the response resolves before the container is inserted and bids apply only after insertion.

P2.4 — build-time validation only checks slot IDs
Same as the prior review: build.rs intentionally validates only id shape; full slot-schema validation against the real runtime deserializer is moving to the dedicated creative-opportunities CLI that will run in CI, rather than duplicating the schema in build-script stubs.

CI green locally: cargo fmt/clippy, full workspace tests (1391 core + 45 adapter), and vitest (353).

[ChristianPavilonis]

Automated review: Reviewed PR #680 at 0283b13 against main. CI is green, but I found blocking correctness issues in the server-side ad-template runtime: win/billing beacons can still fire without proof that the TS bid actually won, and SPA navigation can drop later-mounted slots on multi-slot routes. I also found a medium compatibility issue in the new content-type gates.

Summary of findings:

• P1: Win/billing beacons still use GPT slot targeting as winner proof (bundle and inline bootstrap).
• P1: SPA page-bids DOM wait resolves when any slot appears, so later-rendered slots are skipped permanently.
• P2: Case-sensitive Content-Type checks can bypass processing after dispatching auctions. The inline diff comment did not attach cleanly; the affected checks are crates/trusted-server-core/src/publisher.rs around origin_content_type.contains("text/html"), params.content_type.contains("text/html"), and is_processable_content_type. MIME types are case-insensitive, so normalize the header value (or parse MIME types case-insensitively) and add coverage for Text/HTML; charset=utf-8.

CI / existing reviews: all current GitHub checks pass at this head. I reviewed the prior feedback and focused on issues still present after the latest fixes.