Implement Edge Cookie (EC) identity system

[aram356]

Description

Enable the trusted server to generate, persist, and serve a publisher-owned, privacy-safe Edge Cookie (EC) that can be used for ID sync, identity lookup, and auction decoration — without relying on third-party cookies.

EC replaces SyntheticID as the primary user identity mechanism. It uses IP address + publisher passphrase for HMAC-SHA256 generation, adds consent enforcement via the existing allows_ec_creation() gate, and backs identity with a server-side KV graph that accumulates partner IDs over time.

Prerequisites

• PR Rename Synthetic ID to Edge Cookie (EC) and simplify generation #479 merged — SyntheticID removal, consent pipeline rekeyed to identity_key
• Consent pipeline — build_consent_context(), ConsentContext, allows_ec_creation() available (PR Implement consent forwarding pipeline #380)

Scope

• EC generation (HMAC-SHA256, IP normalization)
• Two-phase middleware (read_from_request pre-routing, generate_if_needed in organic handlers)
• ec_finalize_response() on every route (cookie write/delete, tombstone, last_seen, mismatch reconciliation)
• KV identity graph with CAS, tombstones, partner ID accumulation
• Partner registry with admin endpoint, secondary indexes
• Pixel sync (GET /sync), batch sync (POST /api/v1/sync), pull sync (background)
• Identity lookup (GET /identify) with CORS
• Auction bidstream decoration (user.id, user.eids, user.consent)
• Jurisdiction::Unknown → false (fail-closed) change to allows_ec_creation()
• Fastly entrypoint refactor (send_to_client() + background pull sync)

Technical Spec

docs/internal/ssc_technical_spec.md

Done when

All 12 stories are complete and cargo test --workspace passes with no regressions.