Pixel sync (GET /sync)

[aram356]

Parent epic

#532

Description

Implement the pixel-based ID sync endpoint that partners use to write their user ID against an EC hash.

Scope: ec/sync_pixel.rs, router update

Acceptance criteria

• Missing required query params (partner, uid, return) → 400.
• No valid ts-ec cookie → redirect to {return}?ts_synced=0&ts_reason=no_ec.
• Unknown partner ID → 400.
• return URL hostname not in partner.allowed_return_domains → 400.
• Consent uses ec_context.consent. Optional consent query param is fallback only — used when ec_context.consent.is_empty() returns true. Use ConsentContext::is_empty() directly. When fallback applies, decode locally and assign into ec_context.consent. Do NOT re-call build_consent_context(). Denied/absent → redirect {return}?ts_synced=0&ts_reason=no_consent.
• Rate limit exceeded → 429 Too Many Requests (no redirect).
• KV write failure → redirect {return}?ts_synced=0&ts_reason=write_failed.
• kv.upsert_partner_id() creates minimal live root entry when EC exists in cookie but KV entry missing.
• Success → redirect {return}?ts_synced=1.
• Return URL construction correctly appends & or ?.
• Rate counter key: {partner_id}:{ec_hash}, 1-hour window, fastly::erl::RateCounter.
• Unit tests cover all redirect/response codes and return URL construction.

Spec ref

docs/internal/ssc_technical_spec.md §8