EC finalize response

[aram356]

Parent epic

#532

Description

Implement ec_finalize_response() — the post-routing function that enforces cookie writes, deletions, tombstones, and last-seen updates on every response.

Scope: ec/finalize.rs (new file)

Acceptance criteria

• ec_finalize_response(settings, geo, ec_context, kv, response) runs on every route.
• Consent gating uses the existing allows_ec_creation() — no new gating function.
• When !allows_ec_creation(&consent) && cookie_was_present: calls clear_ec_on_response() (deletes cookie and strips all EC response headers) and writes tombstone for each valid EC hash available. When the cookie is malformed and no valid header exists, no tombstone is written — cookie deletion alone enforces withdrawal.
• When ec_was_present && !ec_generated && allows_ec_creation(&consent): calls kv.update_last_seen(ec_hash, now()) (debounced at 300s). If cookie_ec_value is set (header/cookie mismatch), also calls set_ec_on_response() to reconcile the browser cookie.
• When ec_generated == true: calls set_ec_on_response().
• Unit tests cover all four branches: withdrawal (with and without valid hash), returning-user last_seen + mismatch reconciliation, and new-EC generation.

Spec ref

docs/internal/ssc_technical_spec.md §5.4, §6.2