Add EC module with EcContext lifecycle and cookie domain computation

[ChristianPavilonis]

Summary

• Implements Story 1 (EC generation and request context #533) and Story 2a (EC cookie helpers #535) of the Edge Cookie epic (Implement Edge Cookie (EC) identity system #532): introduces a new ec/ module with two-phase EcContext lifecycle (read_from_request + generate_if_needed), fixes consent gating to fail-closed for unknown jurisdictions and GPC in US states, and removes the "unknown" client IP fallback.
• EC cookies derive their domain as .{publisher.domain} per spec §5.2. The cookie_domain config field is retained for non-EC cookies. EC cookie helpers moved from cookies.rs to ec/cookies.rs.
• Removes fresh_id / ec_fresh / X-ts-ec-fresh per spec §12.1 — this was a SyntheticID artifact not carried forward in the EC spec.
• Updates all call sites, TOML fixtures, integration test configs, and documentation.

Closes #533, Closes #535

Changes

File	Change
ec/mod.rs	New. EcContext struct with read_from_request() and generate_if_needed(), shared parse_ec_from_request() helper, get_ec_id() public API
ec/generation.rs	New. HMAC-based ID generation, IPv4/v6 normalization, ec_hash(), is_valid_ec_id(), extract_client_ip()
ec/consent.rs	New. ec_consent_granted() wrapper delegating to consent module
ec/cookies.rs	New. create_ec_cookie, set_ec_cookie, expire_ec_cookie — uses ec_cookie_domain() per spec §5.2
edge_cookie.rs	Reduced to thin re-export shim for backward compat
consent/mod.rs	Jurisdiction::Unknown now blocks EC (fail-closed); GPC independently blocks in US states
cookies.rs	Removed EC-specific cookie helpers (moved to ec/cookies.rs)
settings.rs	Added ec_cookie_domain() method (computed .{domain} for EC); cookie_domain field retained for non-EC use
publisher.rs	Migrated to EcContext API with full consent-gated revocation
integrations/registry.rs	Migrated to EcContext; added consent-gated cookie setting AND revocation on withdrawal
auction/endpoints.rs	Migrated to EcContext; EC value gated behind ec_allowed() before forwarding to bidders
auction/formats.rs	Removed fresh_id generation; removed X-ts-ec-fresh response header
auction/types.rs	Removed fresh_id from UserInfo struct
openrtb.rs	Removed ec_fresh field from UserExt
constants.rs	Removed HEADER_X_TS_EC_FRESH constant and internal header entry
integrations/prebid.rs	Removed ec_fresh population in Prebid adapter
proxy.rs, testlight.rs	Import updated from edge_cookie → ec
Docs	Updated configuration.md, first-party-proxy.md, error-reference.md, PUBLISHER_IDS_AUDIT.md

Breaking changes

1. Missing client IP now errors — generate_ec_id() takes a &str client IP; no "unknown" fallback
2. Jurisdiction::Unknown blocks EC creation — fail-closed when geo unavailable
3. GPC independently blocks in US states — even if us_privacy string allows
4. IPv6 normalization format change — "2001:db8:85a3:0::" → "20010db885a30000" (existing IPv6 EC IDs invalidated)
5. Integration proxy now consent-gates cookie setting — was unconditional (bug fix)
6. Integration proxy now expires cookie on consent withdrawal — matches publisher proxy behavior
7. EC cookie domain computed from publisher.domain — cookie_domain config retained for non-EC cookies only
8. fresh_id / ec_fresh / X-ts-ec-fresh removed — SyntheticID artifact not in EC spec (§12.1)
9. Auction strips revoked EC IDs — user.id is empty when consent denied, preventing leaked identifiers to bidders

Verification

• cargo fmt --all -- --check — clean
• cargo clippy --workspace --all-targets --all-features -- -D warnings — zero warnings
• cargo test --workspace — 715 tests passed, 0 failed