Identity lookup (GET /identify)

[aram356]

Parent epic

#532

Description

Implement the browser-facing endpoint that publishers call to retrieve the EC hash and synced partner UIDs.

Scope: ec/identify.rs, router update

Acceptance criteria

• !allows_ec_creation(consent) (consent denied, regardless of EC presence) → 403 Forbidden. Consent evaluated before EC presence.
• No EC present, consent not denied → 204 No Content.
• Valid EC, consent granted, KV entry found → 200 with ec, consent, uids, eids.
• Valid EC, consent granted, no KV entry (never synced / create failed) → 200 with degraded: false, empty uids/eids.
• uids filtered to bidstream_enabled = true partners.
• KV read error → 200 with degraded: true, empty uids/eids.
• No Origin header → no CORS headers, no 403.
• Origin matches publisher.domain or subdomain → reflect in Access-Control-Allow-Origin + Vary: Origin.
• Origin mismatch → 403.
• OPTIONS /identify → 200 with CORS headers, no body.
• generate_if_needed() never called. Handler does not write cookies; ec_finalize_response() handles withdrawal/reconciliation.
• Response time target: 30ms p95 (documented, not gate).
• Unit tests cover all response codes, degraded flag, uids filtering, CORS origin validation.

Spec ref

docs/internal/ssc_technical_spec.md §11