Add Osano consent mirror integration

[ChristianPavilonis]

Summary

• Adds an explicitly-enabled Osano consent mirror that copies Osano IAB API output into the standard consent cookies Trusted Server already reads.
• Refactors CMP mirror module inclusion so Sourcepoint and Osano are loaded through normal integration configuration instead of unconditional JS inclusion.
• Documents the implemented design and adds Rust/Vitest coverage for registration, module selection, ownership, retries, and failure handling.

Changes

File	Change
crates/js/lib/src/integrations/osano/index.ts	New Osano browser consent mirror for us_privacy, __gpp, __gpp_sid, and euconsent-v2 with _ts_consent_src=osano ownership.
crates/js/lib/test/integrations/osano/index.test.ts	Vitest coverage for mirroring behavior, ownership preservation, stale-cookie clearing, failures, timeouts, retries, and initialization.
crates/trusted-server-core/src/integrations/osano.rs	Minimal enabled/disabled integration registration for the JS-only Osano module.
crates/trusted-server-core/src/integrations/mod.rs	Adds Osano to the integration builder list.
crates/trusted-server-core/src/integrations/registry.rs	Tracks enabled integration IDs so opt-in JS-only registrations can be included; removes Sourcepoint from unconditional JS inclusion.
trusted-server.toml	Adds disabled-by-default [integrations.osano] config block.
docs/superpowers/specs/2026-06-17-osano-consent-mirror-design.md	Captures the implemented design.

Closes

Closes #772

Test plan

• cargo test --workspace
• cargo clippy --workspace --all-targets --all-features -- -D warnings
• cargo fmt --all -- --check
• JS tests: cd crates/js/lib && npx vitest run
• JS format: cd crates/js/lib && npm run format
• Docs format: cd docs && npm run format
• WASM build: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
• Manual testing via fastly compute serve
• Other: cd crates/js/lib && node build-all.mjs
• Other: cd docs && npx prettier --check .

Checklist

• Changes follow CLAUDE.md conventions
• No unwrap() in production code — use expect("should ...")
• Uses project logging helpers/macros (not println!)
• New code has tests
• No secrets or credentials committed

[aram356]

Summary

The Osano mirror is a good direction and the PR has solid CI coverage, but I found two consent-state correctness issues that should be fixed before merge. I also included a small registry refactor request and two non-blocking follow-ups around migration/docs.

Blocking

🔧 wrench

• Overlapping mirror attempts can apply stale consent: mirrorOsanoConsent() awaits async IAB API reads without guarding against older attempts completing after newer consent events, so a delayed callback can overwrite the current consent state. (crates/js/lib/src/integrations/osano/index.ts:394)
• GPP empty-value clearing bypasses the Osano readiness guard: USP and TCF empty values wait for Osano readiness before clearing stale cookies, but GPP ready-with-empty clears immediately. (crates/js/lib/src/integrations/osano/index.ts:290)

Non-blocking

♻️ refactor

• Derive JS module availability instead of hardcoding integration IDs: JS_EXCLUDED has to stay in sync with Rust registrations and generated TSJS modules. Prefer checking whether trusted_server_js::module_bundle(id) exists for each enabled integration. (crates/trusted-server-core/src/integrations/registry.rs:1144)

🤔 thinking

• Sourcepoint mirror is now opt-in, which is a behavior change: existing deployments that relied on the unconditional Sourcepoint GPP mirror will stop shipping that JS unless they explicitly enable [integrations.sourcepoint]. This likely deserves a migration note. (crates/trusted-server-core/src/integrations/registry.rs:1146)

🌱 seedling

• Public integration docs should mention Osano enablement: the design spec is useful, but operators will likely look in public guide/configuration docs for [integrations.osano] enabled = true and the first-request/next-request limitation.

CI Status

• Analyze (actions): PASS
• Analyze (javascript-typescript): PASS
• Analyze (rust): PASS
• CodeQL: PASS
• browser integration tests: PASS
• cargo fmt: PASS
• cargo test: PASS
• format-docs: PASS
• format-typescript: PASS
• integration tests: PASS
• prepare integration artifacts: PASS
• vitest: PASS

[ChristianPavilonis]

Also addressed the non-inline docs feedback in e62f8e0 by adding public Osano enablement docs, linking the Osano guide from the sidebar and integrations overview, and documenting the first-request/subsequent-request limitation.