Address review feedback: fix logging, cleanup dead config, improve docs

- Downgrade EC ID/IP log statements from debug to trace to prevent
  sensitive data appearing in production logs (edge_cookie.rs)
- Fix .change_context indentation in HMAC error handling
- Remove unused counter_store and opid_store fields from EdgeCookie
  config struct, all test fixtures, TOML configs, and documentation
- Add serialization test asserting ec_fresh wire field name
- Fix edge-cookies.md config section reference and consent language
- Update error-reference.md to reflect HMAC-based generation
- Update configuration.md to remove dead KV store field docs

Author: ChristianPavilonis

Cargo.lock

@@ -76,7 +76,7 @@ pub fn generate_ec_id(
         .map(normalize_ip)
         .unwrap_or_else(|| "unknown".to_string());
 
-    log::debug!("Input for fresh EC ID: client_ip={}", client_ip);
+    log::trace!("Input for fresh EC ID: client_ip={}", client_ip);
 
     let mut mac = HmacSha256::new_from_slice(settings.edge_cookie.secret_key.expose().as_bytes())
         .change_context(TrustedServerError::Ec {
@@ -89,7 +89,7 @@ pub fn generate_ec_id(
     let random_suffix = generate_random_suffix(6);
     let ec_id = format!("{hmac_hash}.{random_suffix}");
 
-    log::debug!("Generated fresh EC ID: {}", ec_id);
+    log::trace!("Generated fresh EC ID: {}", ec_id);
 
     Ok(ec_id)
 }
@@ -108,15 +108,15 @@ pub fn generate_ec_id(
 pub fn get_ec_id(req: &Request) -> Result<Option<String>, Report<TrustedServerError>> {
     if let Some(ec_id) = req.get_header(HEADER_X_TS_EC).and_then(|h| h.to_str().ok()) {
         let id = ec_id.to_string();
-        log::debug!("Using existing EC ID from header: {}", id);
+        log::trace!("Using existing EC ID from header: {}", id);
         return Ok(Some(id));
     }
 
     match handle_request_cookies(req)? {
         Some(jar) => {
             if let Some(cookie) = jar.get(COOKIE_TS_EC) {
                 let id = cookie.value().to_string();
-                log::debug!("Using existing EC ID from cookie: {}", id);
+                log::trace!("Using existing EC ID from cookie: {}", id);
                 return Ok(Some(id));
             }
         }
@@ -149,7 +149,7 @@ pub fn get_or_generate_ec_id(
 
     // If no existing EC ID found, generate a fresh one
     let ec_id = generate_ec_id(settings, req)?;
-    log::debug!("No existing EC ID, generated: {}", ec_id);
+    log::trace!("No existing EC ID, generated: {}", ec_id);
     Ok(ec_id)
 }
 

crates/trusted-server-core/src/edge_cookie.rs

@@ -1309,8 +1309,6 @@ origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
 [edge_cookie]
-counter_store = "test-counter-store"
-opid_store = "test-opid-store"
 secret_key = "test-secret-key"
 
 [integrations.google_tag_manager]
@@ -1344,8 +1342,6 @@ origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
 [edge_cookie]
-counter_store = "test-counter-store"
-opid_store = "test-opid-store"
 secret_key = "test-secret-key"
 
 [integrations.google_tag_manager]

crates/trusted-server-core/src/integrations/google_tag_manager.rs

@@ -1309,8 +1309,6 @@ origin_url = "https://origin.test-publisher.com"
 proxy_secret = "test-secret"
 
 [edge_cookie]
-counter_store = "test-counter-store"
-opid_store = "test-opid-store"
 secret_key = "test-secret-key"
 "#;
 

crates/trusted-server-core/src/integrations/prebid.rs

@@ -397,4 +397,24 @@ mod tests {
             "ext should be omitted when None"
         );
     }
+
+    #[test]
+    fn user_ext_serializes_ec_fresh_not_synthetic_fresh() {
+        let ext = UserExt {
+            consent: None,
+            consented_providers_settings: None,
+            eids: None,
+            ec_fresh: Some("true".to_string()),
+        };
+
+        let serialized = serde_json::to_value(&ext).expect("should serialize UserExt");
+        assert_eq!(
+            serialized["ec_fresh"], "true",
+            "ec_fresh should be present in serialized output"
+        );
+        assert!(
+            serialized.get("synthetic_fresh").is_none(),
+            "synthetic_fresh should not appear — field was renamed to ec_fresh"
+        );
+    }
 }

crates/trusted-server-core/src/openrtb.rs

@@ -196,8 +196,6 @@ impl DerefMut for IntegrationSettings {
 #[allow(unused)]
 #[derive(Debug, Default, Clone, Deserialize, Serialize, Validate)]
 pub struct EdgeCookie {
-    pub counter_store: String,
-    pub opid_store: String,
     #[validate(custom(function = EdgeCookie::validate_secret_key))]
     pub secret_key: Redacted<String>,
 }
@@ -719,8 +717,6 @@ mod tests {
             settings.publisher.origin_url,
             "https://origin.test-publisher.com"
         );
-        assert_eq!(settings.edge_cookie.counter_store, "test-counter-store");
-        assert_eq!(settings.edge_cookie.opid_store, "test-opid-store");
         assert_eq!(settings.edge_cookie.secret_key.expose(), "test-secret-key");
 
         settings.validate().expect("Failed to validate settings");
@@ -1424,8 +1420,6 @@ mod tests {
             proxy_secret = "unit-test-proxy-secret"
 
             [edge_cookie]
-            counter_store = "test-counter-store"
-            opid_store = "test-opid-store"
             secret_key = "test-secret-key"
 
             [request_signing]

crates/trusted-server-core/src/settings.rs

@@ -31,8 +31,6 @@ pub mod tests {
             rewrite_attributes = ["href", "link", "url"]
 
             [edge_cookie]
-            counter_store = "test-counter-store"
-            opid_store = "test-opid-store"
             secret_key = "test-secret-key"
             [request_signing]
             config_store_id = "test-config-store-id"

crates/trusted-server-core/src/test_support.rs

@@ -24,8 +24,6 @@ origin_url = "https://origin.publisher.com"
 proxy_secret = "your-secure-secret-here"
 
 [edge_cookie]
-counter_store = "counter_store"
-opid_store = "opid_store"
 secret_key = "your-hmac-secret"
 ```
 
@@ -77,8 +75,6 @@ origin_url = "https://origin.publisher.com"
 proxy_secret = "change-me-to-secure-value"
 
 [edge_cookie]
-counter_store = "counter_store"
-opid_store = "opid_store"
 secret_key = "your-hmac-secret-key"
 
 [request_signing]
@@ -271,83 +267,25 @@ Settings for generating privacy-preserving Edge Cookie identifiers.
 
 ### `[edge_cookie]`
 
-| Field           | Type   | Required | Description                                    |
-| --------------- | ------ | -------- | ---------------------------------------------- |
-| `counter_store` | String | Yes      | Fastly KV store name for counters              |
-| `opid_store`    | String | Yes      | Fastly KV store name for publisher ID mappings |
-| `secret_key`    | String | Yes      | HMAC secret for ID generation                  |
+| Field        | Type   | Required | Description                   |
+| ------------ | ------ | -------- | ----------------------------- |
+| `secret_key` | String | Yes      | HMAC secret for ID generation |
 
 **Example**:
 
 ```toml
 [edge_cookie]
-counter_store = "counter_store"
-opid_store = "opid_store"
 secret_key = "your-secure-hmac-secret"
 ```
 
 **Environment Override**:
 
 ```bash
-TRUSTED_SERVER__EDGE_COOKIE__COUNTER_STORE=counter_store
-TRUSTED_SERVER__EDGE_COOKIE__OPID_STORE=opid_store
 TRUSTED_SERVER__EDGE_COOKIE__SECRET_KEY=your-secret
 ```
 
 ### Field Details
 
-#### `counter_store`
-
-**Purpose**: Fastly KV store for EC ID counters.
-
-**Usage**:
-
-- Stores incrementing counters per domain
-- Ensures ID uniqueness
-- Accessed via Fastly KV Store API
-
-**Setup**:
-
-```bash
-# Create KV store
-fastly kv-store create --name=counter_store
-```
-
-**Data Format**:
-
-```json
-{
-  "publisher.com": 12345,
-  "another.com": 67890
-}
-```
-
-#### `opid_store`
-
-**Purpose**: Fastly KV store for publisher-provided ID mappings.
-
-**Usage**:
-
-- Maps publisher IDs to EC IDs
-- Enables first-party ID integration
-- Optional (used if publisher provides IDs)
-
-**Setup**:
-
-```bash
-# Create KV store
-fastly kv-store create --name=opid_store
-```
-
-**Data Format**:
-
-```json
-{
-  "publisher-id-123": "ec-abc",
-  "publisher-id-456": "ec-def"
-}
-```
-
 #### `secret_key`
 
 **Purpose**: HMAC secret for EC ID base generation.

docs/guide/configuration.md

@@ -20,14 +20,14 @@ EC IDs use HMAC (Hash-based Message Authentication Code) to generate a determini
 
 ## Configuration
 
-Configure EC secrets in `trusted-server.toml`. See the full [Configuration Reference](/guide/configuration) for the `ec` section and environment variable overrides.
+Configure EC secrets in `trusted-server.toml`. See the full [Configuration Reference](/guide/configuration) for the `[edge_cookie]` section and environment variable overrides.
 
 ## Privacy Considerations
 
-- IDs are only generated with explicit user consent
-- No personally identifiable information (PII) is included
+- EC IDs are generated deterministically from the client IP, but the cookie is only set when storage consent is present
+- No personally identifiable information (PII) is stored in the ID
 - The hash input is the client IP address only
-- IDs can be rotated on schedule
+- IDs can be rotated by changing the secret key
 
 ## Best Practices
 

docs/guide/edge-cookies.md

@@ -134,30 +134,24 @@ See [Configuration Reference](./configuration.md) for complete patterns.
 **Error Message:**
 
 ```
-Failed to generate EC ID: KV store not available
+Failed to generate EC ID: HMAC error
 ```
 
-**Cause:** KV store (counter_store or opid_store) not configured in Fastly
+**Cause:** HMAC secret key is missing or invalid in the Edge Cookie configuration.
 
 **Solution:**
 
-1. Create KV stores in Fastly dashboard
-2. Link them to your Compute service
-3. Update `trusted-server.toml`:
+1. Ensure `secret_key` is set in `trusted-server.toml`:
 
 ```toml
 [edge_cookie]
-counter_store = "counter_store"  # Must match Fastly KV store name
-opid_store = "opid_store"
+secret_key = "your-secure-hmac-secret"
 ```
 
-4. For local development, configure in `fastly.toml`:
+2. Or set via environment variable:
 
-```toml
-[local_server.kv_stores]
-    [[local_server.kv_stores.counter_store]]
-        key = "placeholder"
-        data = "placeholder"
+```bash
+TRUSTED_SERVER__EDGE_COOKIE__SECRET_KEY=your-secure-hmac-secret
 ```
 
 ---