diff --git a/docs/.vitepress/config.mts b/docs/.vitepress/config.mts
index 36f8188..b9c2516 100644
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@@ -10,6 +10,8 @@ export default defineConfig({
nav: [
{ text: 'Home', link: '/' },
{ text: 'Guide', link: '/guide/getting-started' },
+ { text: 'Business Value', link: '/business-use-cases' },
+ { text: 'Roadmap', link: '/roadmap' },
],
sidebar: [
@@ -61,6 +63,33 @@ export default defineConfig({
{ text: 'Environment Variables', link: '/guide/environment-variables' },
{ text: 'Error Reference', link: '/guide/error-reference' }
]
+ },
+ {
+ text: 'Partner Integrations',
+ items: [
+ { text: 'Identity', items: [
+ { text: 'Lockr', link: '/guide/integrations/lockr' }
+ ]},
+ { text: 'CMP', items: [
+ { text: 'Didomi', link: '/guide/integrations/didomi' }
+ ]},
+ { text: 'Data', items: [
+ { text: 'Permutive', link: '/guide/integrations/permutive' }
+ ]},
+ { text: 'Ad Serving', items: [
+ { text: 'GAM', link: '/guide/integrations/gam' }
+ ]},
+ { text: 'Demand Wrapper', items: [
+ { text: 'Prebid', link: '/guide/integrations/prebid' },
+ { text: 'APS', link: '/guide/integrations/aps' }
+ ]},
+ { text: 'SSP', items: [
+ { text: 'Kargo', link: '/guide/integrations/kargo' }
+ ]},
+ { text: 'Framework Support', items: [
+ { text: 'Next.js', link: '/guide/integrations/nextjs' }
+ ]}
+ ]
}
],
diff --git a/docs/business-use-cases.md b/docs/business-use-cases.md
new file mode 100644
index 0000000..a9a3741
--- /dev/null
+++ b/docs/business-use-cases.md
@@ -0,0 +1,333 @@
+# Business Use Cases
+
+Trusted Server delivers measurable business value across revenue generation, compliance, performance, and user experience. This page outlines real-world scenarios where Trusted Server provides significant ROI.
+
+---
+
+## Revenue & Monetization
+
+### 1. Increased Ad Revenue in Cookieless Environments
+
+**Problem**: Safari and Firefox block third-party cookies, fragmenting user identity and reducing addressable inventory CPMs by 30-50%.
+
+**Solution**: Trusted Server's synthetic ID system maintains user recognition across cookieless browsers through first-party identifiers.
+
+**Business Impact**:
+- **Revenue Recovery**: Restore 30-40% of lost Safari/Firefox CPM
+- **Addressable Inventory**: Increase addressable inventory from 60% to 95%
+- **Annual Value**: $500K+ for mid-sized publisher (10M monthly visits)
+
+**Metrics**:
+- CPM lift: +35% in Safari
+- Fill rate increase: +25% in cookieless browsers
+- Identity resolution rate: 90%+ vs 40% with third-party cookies
+
+---
+
+### 2. Premium Audience Data Monetization
+
+**Problem**: Publishers collect valuable first-party data but struggle to monetize it while maintaining user privacy and compliance.
+
+**Solution**: Trusted Server enables controlled, granular sharing of audience segments with buyer partners through secure, consent-based mechanisms.
+
+**Business Impact**:
+- **Higher CPMs**: Premium segments command 2-5x higher CPMs
+- **Data Scarcity Value**: Limited sharing increases data value
+- **New Revenue Stream**: Audience data licensing opportunities
+
+**Example ROI**:
+- Publisher with 5M monthly users
+- 20% consented users in premium segments
+- Average CPM lift: +$3.50
+- **Annual Revenue Increase**: $840K
+
+**Key Differentiators**:
+- Granular consent controls (GDPR compliant)
+- Real-time segment activation
+- First-party data ownership
+- Privacy-preserving sharing
+
+---
+
+### 3. Server-Side Header Bidding Performance
+
+**Problem**: Client-side header bidding slows page loads by 1-3 seconds, reducing user engagement and ad viewability.
+
+**Solution**: Trusted Server moves header bidding server-side, eliminating browser JavaScript overhead.
+
+**Business Impact**:
+- **Faster Page Loads**: 1.5-2s improvement
+- **Higher Viewability**: +15% viewable impressions
+- **Better UX**: Reduced bounce rate = more pageviews = more ad impressions
+
+**Revenue Math**:
+- 10M monthly pageviews
+- 15% viewability improvement = 1.5M additional viewable impressions
+- Average CPM: $2.50
+- **Monthly Revenue Increase**: $45K ($540K annually)
+
+**Performance Metrics**:
+- Time to First Byte: -200ms
+- Largest Contentful Paint: -1.2s
+- Cumulative Layout Shift: -0.15 (better Core Web Vitals)
+
+---
+
+### 4. Reduced Bid Manipulation & Auction Fraud
+
+**Problem**: Fraudulent bid requests and auction manipulation cost publishers $400K-$1M+ annually in lost revenue.
+
+**Solution**: Trusted Server's request signing (Ed25519) cryptographically authenticates all bid requests, preventing spoofing and manipulation.
+
+**Business Impact**:
+- **Revenue Protection**: Prevent $400K+ annual loss from bid manipulation
+- **Demand Quality**: Higher-quality demand partners trust authenticated requests
+- **Premium CPMs**: Verified inventory commands higher prices
+
+**Fraud Prevention**:
+- Cryptographic proof of origin (JWKS)
+- Tamper-proof bid requests
+- Real-time verification at DSP/SSP
+- Audit trail for compliance
+
+---
+
+## Compliance & Risk Mitigation
+
+### 5. GDPR Fine Prevention
+
+**Problem**: Third-party ad tech vendors inject non-compliant tracking scripts, exposing publishers to multi-million dollar GDPR fines.
+
+**Solution**: Trusted Server's Creative Forensics Engine detects and blocks GDPR violations before they reach users.
+
+**Business Impact**:
+- **Fine Avoidance**: Prevent €2.3M+ fines (4% of global revenue)
+- **Regulatory Risk Reduction**: Automated compliance monitoring
+- **Brand Protection**: Avoid public regulatory actions
+
+**Real-World Example**:
+- Publisher with €50M annual revenue
+- GDPR fine risk: 4% = €2M
+- Trusted Server cost: €100K annually
+- **ROI**: 20:1 (risk mitigation value)
+
+**Compliance Features**:
+- Real-time creative scanning
+- Unauthorized pixel detection
+- GDPR consent validation
+- Automated blocking of violations
+
+---
+
+### 6. Brand Safety & Malvertising Protection
+
+**Problem**: Malicious ads damage publisher reputation, causing user exodus and advertiser boycotts.
+
+**Solution**: Trusted Server's headless browser inspection detects malvertising, redirect chains, and malicious scripts before serving.
+
+**Business Impact**:
+- **User Retention**: Prevent 100K+ user loss from malvertising incidents
+- **Advertiser Confidence**: Maintain premium advertiser relationships
+- **Revenue Protection**: Avoid 10-15% revenue drop from brand safety incidents
+
+**User Retention Math**:
+- 100K users retained
+- Average lifetime value: $12 per user
+- **Value Protected**: $1.2M
+
+**Detection Capabilities**:
+- Malicious JavaScript detection
+- Unauthorized redirects
+- Data exfiltration attempts
+- Phishing/scam ads
+
+---
+
+## Performance & User Experience
+
+### 7. Page Speed Improvement & User Engagement
+
+**Problem**: Slow-loading pages increase bounce rates, reduce engagement, and hurt SEO rankings.
+
+**Solution**: Trusted Server's edge computing and optimized ad delivery improve page load times by 40-60%.
+
+**Business Impact**:
+- **Lower Bounce Rate**: -25% bounce rate improvement
+- **Higher Engagement**: +2 pageviews per session
+- **SEO Boost**: Better Core Web Vitals = higher search rankings
+
+**Engagement Math**:
+- 5M monthly sessions
+- Bounce rate improvement: 40% → 30%
+- Additional engaged sessions: 500K
+- Average pageviews per engaged session: 3.5
+- Additional pageviews: 1.75M monthly
+- CPM: $2.00
+- **Monthly Ad Revenue Increase**: $14K ($168K annually)
+
+**Performance Gains**:
+- Time to Interactive: -1.8s
+- First Input Delay: -50ms
+- Page abandonment: -30%
+
+---
+
+### 8. Mobile Optimization & App-Like Experience
+
+**Problem**: Mobile web experiences lag native apps, driving users to closed ecosystems where publishers lose control.
+
+**Solution**: Trusted Server's WASM-based edge computing delivers near-native performance on mobile web.
+
+**Business Impact**:
+- **Mobile Revenue**: Increase mobile CPMs by 40%
+- **User Retention**: Keep users on open web vs app ecosystems
+- **Inventory Value**: Mobile inventory becomes as valuable as desktop
+
+**Mobile Math**:
+- 60% mobile traffic (6M monthly mobile visits)
+- Current mobile CPM: $1.50
+- Improved mobile CPM: $2.10 (+40%)
+- Monthly impressions: 18M (assuming 3 ads per visit)
+- **Monthly Revenue Increase**: $10.8K ($129.6K annually)
+
+---
+
+## Operational Efficiency
+
+### 9. Real-Time Data Insights & Faster Decision-Making
+
+**Problem**: Publishers wait days for reporting data, missing optimization opportunities and revenue.
+
+**Solution**: Trusted Server provides real-time metrics and observability, enabling immediate optimization.
+
+**Business Impact**:
+- **Faster Optimization**: Identify and fix issues in minutes vs days
+- **Revenue Recovery**: Reduce downtime and revenue loss
+- **Better Forecasting**: Real-time data improves yield predictions
+
+**Example Scenario**:
+- Ad unit underperforms (low fill rate)
+- Traditional reporting: Identified after 48 hours, fixed in 72 hours
+- Trusted Server: Identified in 5 minutes, fixed in 30 minutes
+- Revenue loss prevented: $5K per incident (10 incidents/month = $50K monthly)
+
+**Real-Time Capabilities**:
+- Bid request monitoring
+- Creative rendering diagnostics
+- Consent rate tracking
+- Identity resolution metrics
+- Performance dashboards
+
+---
+
+### 10. Reduced Third-Party Dependencies
+
+**Problem**: Reliance on 10+ third-party vendors creates operational complexity, security risks, and hidden costs.
+
+**Solution**: Trusted Server consolidates identity, ad serving, privacy, and analytics into a single edge platform.
+
+**Business Impact**:
+- **Cost Savings**: Reduce vendor fees by $200K-$500K annually
+- **Operational Efficiency**: Single platform vs fragmented stack
+- **Security**: Fewer integration points = reduced attack surface
+
+**Vendor Consolidation**:
+- Identity vendors: 3 → 1 (Lockr + synthetic IDs)
+- Ad tech vendors: 5 → 2 (Prebid + Trusted Server)
+- CMP vendors: Integrated (Didomi first-party)
+- Analytics: Built-in observability
+
+---
+
+## Competitive Differentiation
+
+### 11. Privacy-First Publisher Positioning
+
+**Problem**: Users increasingly distrust ad-supported content due to invasive tracking.
+
+**Solution**: Trusted Server enables transparent, consent-based advertising that rebuilds user trust.
+
+**Business Impact**:
+- **User Loyalty**: Privacy-conscious users stay engaged
+- **Premium Positioning**: Differentiate from surveillance-based competitors
+- **Regulatory Advantage**: Early GDPR/CCPA compliance = competitive moat
+
+**Brand Value**:
+- Position as privacy leader in industry
+- Attract privacy-conscious advertisers
+- Build long-term user relationships
+
+---
+
+### 12. Future-Proof Infrastructure
+
+**Problem**: Privacy regulations (GDPR, CCPA, etc.) and browser changes (cookie deprecation) create constant technical debt.
+
+**Solution**: Trusted Server's architecture is built for a cookieless, privacy-first future.
+
+**Business Impact**:
+- **Reduced Technical Debt**: No emergency migrations when browsers change
+- **Regulatory Readiness**: Built-in compliance for new regulations
+- **Competitive Advantage**: Move faster than competitors stuck on legacy tech
+
+**Long-Term Value**:
+- Avoid $1M+ emergency rewrites
+- Stay ahead of regulatory changes
+- Maintain revenue during industry transitions
+
+---
+
+## Total Economic Impact
+
+### ROI Summary (Mid-Sized Publisher)
+
+**Assumptions**:
+- 10M monthly visits
+- $5M annual ad revenue (baseline)
+- Trusted Server implementation cost: $200K annually (setup + operations)
+
+**Revenue Gains**:
+1. Cookieless revenue recovery: +$500K
+2. Premium audience data: +$840K
+3. Server-side header bidding: +$540K
+4. Mobile optimization: +$129.6K
+5. Page speed engagement: +$168K
+6. Real-time optimization: +$600K (reduced downtime)
+
+**Total Revenue Increase**: +$2.78M
+
+**Cost Savings**:
+1. Fraud prevention: +$400K
+2. Vendor consolidation: +$300K
+3. Future-proofing (avoid rewrites): +$200K
+
+**Total Cost Savings**: +$900K
+
+**Risk Mitigation**:
+1. GDPR fine avoidance: +$2.3M (risk value)
+2. Malvertising prevention: +$1.2M (user retention)
+
+**Net Impact**: +$3.68M annually
+**ROI**: 18.4x (1,840% return)
+
+---
+
+## Getting Started
+
+Ready to realize these business outcomes? Here's how to get started:
+
+1. **Assessment**: Review current tech stack and identify gaps
+2. **Pilot**: Start with single use case (e.g., cookieless recovery)
+3. **Measurement**: Establish baseline metrics before implementation
+4. **Scale**: Expand to additional use cases based on results
+
+**Contact**: [GitHub Discussions](https://github.com/IABTechLab/trusted-server/discussions) for implementation guidance.
+
+---
+
+## Next Steps
+
+- Review [What is Trusted Server](/guide/what-is-trusted-server) for technical overview
+- Check [Getting Started](/guide/getting-started) for implementation guide
+- Explore [Roadmap](/roadmap) for upcoming features
+- See [Partner Integrations](/guide/integrations/lockr) for ecosystem support
diff --git a/docs/guide/integrations/aps.md b/docs/guide/integrations/aps.md
new file mode 100644
index 0000000..8601971
--- /dev/null
+++ b/docs/guide/integrations/aps.md
@@ -0,0 +1,75 @@
+# Amazon Publisher Services (APS) Integration
+
+**Category**: Demand Wrapper
+**Status**: Planned for 2026
+**Type**: Header Bidding / Transparent Ad Marketplace
+
+## Overview
+
+The Amazon Publisher Services (APS) integration will enable direct integration with Amazon's Transparent Ad Marketplace (TAM) and A9 bidding engine.
+
+## What is APS?
+
+Amazon Publisher Services provides publishers with access to Amazon's advertising demand through:
+- **Transparent Ad Marketplace (TAM)**: Server-to-server header bidding
+- **A9 Bidding**: Amazon's proprietary bidding algorithm
+- **Unified Ad Marketplace (UAM)**: Client-side header bidding wrapper
+
+## Planned Features
+
+- **TAM Integration**: Server-side A9 bid requests
+- **First-Party Context**: All requests through publisher domain
+- **Privacy-Safe IDs**: Synthetic ID integration for user recognition
+- **Dynamic Pricing**: Real-time floor price optimization
+- **Creative Proxying**: First-party creative delivery
+- **Reporting Integration**: Performance metrics and analytics
+
+## Expected Configuration
+
+```toml
+[integrations.aps]
+enabled = true
+publisher_id = "your-amazon-publisher-id"
+endpoint = "https://aax.amazon-adsystem.com"
+timeout_ms = 1000
+price_floors = true
+```
+
+## Use Cases
+
+### Amazon Demand Access
+
+Tap into Amazon's unique shopping and behavioral data for better targeting and higher CPMs.
+
+### Server-Side TAM
+
+Move APS bidding server-side to reduce client-side latency and improve page performance.
+
+### Hybrid Wrapper
+
+Combine APS with Prebid for comprehensive demand access.
+
+## Status
+
+This integration is in the planning phase. Development will begin in Q2 2026.
+
+**Target Release**: Q2 2026
+
+## Comparison: APS vs Prebid
+
+| Feature | APS | Prebid |
+|---------|-----|--------|
+| Demand Source | Amazon exclusive | 300+ bidders |
+| Integration | Proprietary | Open-source |
+| Data Advantage | Amazon shopping data | Neutral |
+| Setup Complexity | Medium | Low |
+
+## Get Involved
+
+Want to contribute to the APS integration? Check the [GitHub Issues](https://github.com/IABTechLab/trusted-server/issues) for details.
+
+## Next Steps
+
+- Review [Roadmap](/roadmap) for development timeline
+- Check [Prebid Integration](/guide/integrations/prebid) for current header bidding
+- Learn about [Ad Serving](/guide/ad-serving) concepts
diff --git a/docs/guide/integrations/didomi.md b/docs/guide/integrations/didomi.md
new file mode 100644
index 0000000..4ae56e3
--- /dev/null
+++ b/docs/guide/integrations/didomi.md
@@ -0,0 +1,347 @@
+# Didomi Integration
+
+**Category**: CMP (Consent Management Platform)
+**Status**: Production
+**Type**: Reverse Proxy for Consent Management
+
+## Overview
+
+The Didomi integration enables first-party serving of Didomi's consent management platform (CMP) through Trusted Server. By proxying Didomi's SDK and API through your domain, you maintain first-party context while ensuring GDPR/TCF 2.2 compliance.
+
+## What is Didomi?
+
+Didomi is a Consent Management Platform that helps publishers comply with GDPR, CCPA, and other privacy regulations by managing user consent for data collection and processing.
+
+**Key Capabilities**:
+- TCF 2.2 (Transparency & Consent Framework) compliance
+- Custom consent notices and preferences
+- Vendor management
+- Consent analytics and reporting
+- Multi-regulation support (GDPR, CCPA, LGPD)
+
+## How It Works
+
+```
+┌──────────────────────────────────────────────────┐
+│ Browser Request │
+│ GET /integrations/didomi/consent/loader.js │
+│ ↓ │
+│ Trusted Server (First-Party Domain) │
+│ ↓ │
+│ Proxy to Didomi SDK Origin │
+│ https://sdk.privacy-center.org/loader.js │
+│ ↓ │
+│ Return SDK (appears first-party to browser) │
+└──────────────────────────────────────────────────┘
+```
+
+**Benefits**:
+- Didomi SDK loads from your domain (not `privacy-center.org`)
+- First-party cookies for consent storage
+- Improved tracking prevention compatibility
+- Better page load performance
+
+## Configuration
+
+Add Didomi configuration to `trusted-server.toml`:
+
+```toml
+[integrations.didomi]
+enabled = true
+sdk_origin = "https://sdk.privacy-center.org"
+api_origin = "https://api.privacy-center.org"
+```
+
+### Configuration Options
+
+| Field | Type | Required | Default | Description |
+|-------|------|----------|---------|-------------|
+| `enabled` | boolean | No | `false` | Enable/disable integration |
+| `sdk_origin` | string | Yes | `https://sdk.privacy-center.org` | Didomi SDK backend URL |
+| `api_origin` | string | Yes | `https://api.privacy-center.org` | Didomi API backend URL |
+
+### Environment Variables
+
+```bash
+TRUSTED_SERVER__INTEGRATIONS__DIDOMI__ENABLED=true
+TRUSTED_SERVER__INTEGRATIONS__DIDOMI__SDK_ORIGIN=https://sdk.privacy-center.org
+TRUSTED_SERVER__INTEGRATIONS__DIDOMI__API_ORIGIN=https://api.privacy-center.org
+```
+
+## Endpoints
+
+### SDK Proxy
+
+**Pattern**: `/integrations/didomi/consent/*` (except `/api/*`)
+
+Proxies Didomi SDK resources through first-party domain.
+
+**Example**:
+```
+Original: https://sdk.privacy-center.org/24cd1234/loader.js
+Proxied: https://your-domain.com/integrations/didomi/consent/24cd1234/loader.js
+```
+
+**Headers Forwarded**:
+- `User-Agent`
+- `Accept`
+- `Accept-Language`
+- `Accept-Encoding`
+- `Referer`
+- `Origin`
+- `Authorization`
+
+**Geo Headers** (SDK only):
+- `X-Geo-Country` ← `FastlyGeo-CountryCode`
+- `X-Geo-Region` ← `FastlyGeo-Region`
+- `CloudFront-Viewer-Country` ← `FastlyGeo-CountryCode`
+
+**CORS Headers** (added to SDK responses):
+```http
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
+Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
+```
+
+### API Proxy
+
+**Pattern**: `/integrations/didomi/consent/api/*`
+
+Proxies Didomi API requests (consent events, user preferences, etc.).
+
+**Example**:
+```
+Original: https://api.privacy-center.org/v1/events
+Proxied: https://your-domain.com/integrations/didomi/consent/api/v1/events
+```
+
+**Methods**: GET, POST, PUT, DELETE, OPTIONS
+
+**Note**: API requests do NOT receive CORS headers (handled by Didomi API).
+
+## Integration with Trusted Server
+
+### Consent Validation
+
+Didomi consent status is checked before:
+- Generating synthetic IDs
+- Syncing with identity partners (Lockr)
+- Activating tracking pixels
+- Sharing data with third parties
+
+```rust
+// Example consent check
+if !has_didomi_consent(&request, Purpose::Tracking) {
+ return reject_tracking();
+}
+```
+
+### TCF 2.2 Support
+
+Didomi integration supports IAB's Transparency & Consent Framework 2.2:
+- TCF consent strings (TC strings)
+- Vendor consent validation
+- Purpose consent enforcement
+- Special feature consent
+
+## Use Cases
+
+### 1. First-Party Consent Management
+
+**Problem**: Third-party consent scripts blocked by tracking prevention.
+
+**Solution**: Serve Didomi SDK from your domain via Trusted Server proxy.
+
+**Benefit**: Consent notice loads reliably, compliance maintained.
+
+### 2. Regional Consent Enforcement
+
+**Problem**: Different consent requirements per region (GDPR, CCPA, LGPD).
+
+**Solution**: Didomi provides region-specific consent flows, Trusted Server forwards geo data.
+
+**Benefit**: Automatic compliance with regional privacy laws.
+
+### 3. Consent-Based Data Activation
+
+**Problem**: Need to enforce consent before activating analytics/advertising.
+
+**Solution**: Check Didomi consent status in Trusted Server before data processing.
+
+**Benefit**: Provable compliance, reduced regulatory risk.
+
+## Implementation
+
+The Didomi integration is implemented in [crates/common/src/integrations/didomi.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/didomi.rs).
+
+### Key Components
+
+**Backend Selection** (line 74-80):
+```rust
+fn backend_for_path(&self, consent_path: &str) -> DidomiBackend {
+ if consent_path.starts_with("/api/") {
+ DidomiBackend::Api // Route to API origin
+ } else {
+ DidomiBackend::Sdk // Route to SDK origin
+ }
+}
+```
+
+**Header Forwarding** (line 100-127):
+- Forwards standard HTTP headers
+- Adds geo headers for SDK requests
+- Preserves client IP via `X-Forwarded-For`
+
+**CORS Management** (line 143-153):
+- Adds CORS headers to SDK responses
+- Skips CORS for API requests (Didomi API handles it)
+
+## Frontend Integration
+
+### Load Didomi SDK
+
+Replace your direct Didomi SDK reference with the proxied version:
+
+```html
+
+
+
+
+
+```
+
+### Access Consent Status
+
+Use Didomi's standard JavaScript API:
+
+```javascript
+// Wait for Didomi to load
+window.didomiOnReady = window.didomiOnReady || [];
+window.didomiOnReady.push(function (Didomi) {
+
+ // Check consent for specific purpose
+ if (Didomi.getUserStatus().purposes.consent.enabled.includes('cookies')) {
+ // User consented to cookies
+ initializeAnalytics();
+ }
+
+ // Listen for consent changes
+ Didomi.on('consent.changed', function() {
+ console.log('Consent status changed');
+ });
+});
+```
+
+## Best Practices
+
+### 1. Configure Didomi ID
+
+Ensure your Didomi organization ID is in the SDK path:
+
+```html
+
+```
+
+### 2. Preconnect to Proxy
+
+Add DNS preconnect for faster loading:
+
+```html
+
+
+```
+
+### 3. Cache SDK Responses
+
+Configure caching headers for Didomi SDK:
+
+```http
+Cache-Control: public, max-age=3600
+```
+
+### 4. Monitor Consent Rate
+
+Track consent acceptance/rejection rates:
+- Low acceptance → Review consent notice clarity
+- Regional variations → Adjust messaging
+- Trend analysis → Optimize user experience
+
+## Troubleshooting
+
+### Didomi SDK Not Loading
+
+**Symptoms**:
+- Consent notice doesn't appear
+- Console errors about missing Didomi
+
+**Solutions**:
+- Verify `/integrations/didomi/consent/` path is correct
+- Check `sdk_origin` configuration
+- Ensure Didomi ID in script path is valid
+- Inspect network tab for 404/403 errors
+
+### CORS Errors
+
+**Symptoms**:
+- Browser console shows CORS errors
+- SDK requests blocked
+
+**Solutions**:
+- Verify integration adds CORS headers for SDK requests
+- Check `Access-Control-Allow-Origin` is present
+- Ensure requests go through proxy (not directly to Didomi)
+
+### API Requests Failing
+
+**Symptoms**:
+- Consent events not recording
+- Preference updates failing
+
+**Solutions**:
+- Check `/integrations/didomi/consent/api/*` routing
+- Verify `api_origin` configuration
+- Review Authorization headers are forwarded
+- Inspect Didomi API credentials
+
+## Performance
+
+### Typical Latency
+
+- SDK load: 100-200ms (first load)
+- Cached SDK: <50ms
+- API calls: 50-150ms
+- Total overhead: ~20ms (proxy layer)
+
+### Optimization
+
+- Enable HTTP/2 for multiplexing
+- Use CDN caching for SDK files
+- Implement service worker for offline consent
+- Lazy-load consent notice
+
+## Security
+
+### Content Security Policy
+
+Add Didomi to your CSP:
+
+```http
+Content-Security-Policy:
+ script-src 'self' /integrations/didomi/;
+ connect-src 'self' /integrations/didomi/;
+ frame-src 'self' /integrations/didomi/;
+```
+
+### Data Privacy
+
+- Didomi consent data stays first-party
+- No PII shared without consent
+- Consent strings stored locally
+- User can withdraw consent anytime
+
+## Next Steps
+
+- Review [GDPR Compliance](/guide/gdpr-compliance) for consent enforcement
+- Explore [Lockr Integration](/guide/integrations/lockr) for consent-based identity
+- Check [Configuration](/guide/configuration) for advanced setup
+- Read [First-Party Proxy](/guide/first-party-proxy) for proxy architecture
diff --git a/docs/guide/integrations/gam.md b/docs/guide/integrations/gam.md
new file mode 100644
index 0000000..94bc30d
--- /dev/null
+++ b/docs/guide/integrations/gam.md
@@ -0,0 +1,58 @@
+# Google Ad Manager (GAM) Integration
+
+**Category**: Ad Serving
+**Status**: Planned for 2026
+**Type**: Ad Server
+
+## Overview
+
+The Google Ad Manager (GAM) integration will enable direct integration with Google's ad serving platform, providing first-party ad delivery and reporting.
+
+## Planned Features
+
+- **Direct GAM Integration**: Native support for GAM ad requests
+- **Dynamic Ad Slots**: Programmatic slot management
+- **Programmatic Guaranteed**: Direct deals and PG support
+- **First-Party Reporting**: Ad performance metrics
+- **Secure Signals**: Privacy-preserving audience signals
+- **Creative Rendering**: First-party creative delivery
+
+## Expected Configuration
+
+```toml
+[integrations.gam]
+enabled = true
+publisher_id = "your-publisher-id"
+network_code = "your-network-code"
+endpoint = "https://securepubads.g.doubleclick.net"
+```
+
+## Use Cases
+
+### Header Bidding + Direct
+
+Combine header bidding (Prebid) with GAM direct campaigns for optimal yield.
+
+### Programmatic Guaranteed
+
+Manage PG deals with deterministic delivery.
+
+### Unified Reporting
+
+Consolidated reporting across all monetization channels.
+
+## Status
+
+This integration is currently in the planning phase. See the [Roadmap](/roadmap) for timeline and progress updates.
+
+**Target Release**: Q1 2026
+
+## Get Involved
+
+Interested in contributing to the GAM integration? Check out the [GitHub issue](https://github.com/IABTechLab/trusted-server/issues) or join the discussion.
+
+## Next Steps
+
+- Review [Roadmap](/roadmap) for latest status
+- Check [Prebid Integration](/guide/integrations/prebid) for current header bidding support
+- Explore [Ad Serving Guide](/guide/ad-serving) for general ad serving concepts
diff --git a/docs/guide/integrations/kargo.md b/docs/guide/integrations/kargo.md
new file mode 100644
index 0000000..d63cac1
--- /dev/null
+++ b/docs/guide/integrations/kargo.md
@@ -0,0 +1,65 @@
+# Kargo SSP Integration
+
+**Category**: SSP (Supply-Side Platform)
+**Status**: In Development
+**Type**: Direct SSP Integration
+
+## Overview
+
+The Kargo integration provides direct access to Kargo's supply-side platform for premium programmatic demand.
+
+## What is Kargo?
+
+Kargo is a mobile-first SSP specializing in high-impact, brand-safe advertising with:
+- Premium brand demand
+- Advanced creative formats
+- Viewability optimization
+- First-party data activation
+
+## Planned Features
+
+- **Direct Kargo Bidding**: Native Kargo bid adapter
+- **First-Party Creative Rendering**: All creatives served through publisher domain
+- **Enhanced Viewability Tracking**: Real-time viewability metrics
+- **Brand Safety**: Pre-bid brand safety validation
+- **Custom Creative Formats**: Support for Kargo's rich media units
+
+## Expected Configuration
+
+```toml
+[integrations.kargo]
+enabled = true
+publisher_id = "your-kargo-publisher-id"
+endpoint = "https://krk.kargo.com"
+timeout_ms = 1000
+```
+
+## Use Cases
+
+### Premium Brand Campaigns
+
+Access to Kargo's premium brand advertisers for higher CPMs.
+
+### Mobile Optimization
+
+Kargo's mobile-first approach optimizes for mobile inventory.
+
+### High-Impact Formats
+
+Leverage Kargo's proprietary creative formats for better engagement.
+
+## Status
+
+This integration is currently being developed on a separate branch. Check with the team for the latest status.
+
+**Expected Release**: Q1-Q2 2026
+
+## Get Involved
+
+Interested in beta testing the Kargo integration? Reach out via [GitHub Discussions](https://github.com/IABTechLab/trusted-server/discussions).
+
+## Next Steps
+
+- Review [Roadmap](/roadmap) for SSP integration plans
+- Check [Prebid Integration](/guide/integrations/prebid) for current demand access
+- Explore [Ad Serving](/guide/ad-serving) for general concepts
diff --git a/docs/guide/integrations/lockr.md b/docs/guide/integrations/lockr.md
new file mode 100644
index 0000000..33f9925
--- /dev/null
+++ b/docs/guide/integrations/lockr.md
@@ -0,0 +1,254 @@
+# Lockr Integration
+
+**Category**: Identity
+**Status**: Production
+**Type**: Identity Management & Privacy Vault
+
+## Overview
+
+The Lockr integration enables first-party identity resolution and privacy-compliant data management through Lockr's identity vault platform. This integration provides secure, consented identity synchronization while maintaining GDPR compliance.
+
+## What is Lockr?
+
+Lockr is an identity resolution and privacy platform that helps publishers manage user identities across fragmented environments (cookieless browsers, multiple devices, etc.) while respecting user privacy and consent.
+
+**Key Capabilities**:
+- Privacy-preserving identity graphs
+- Consent-based data sharing
+- Secure identity vault
+- Cross-device user recognition
+- Publisher-owned identity infrastructure
+
+## How It Works
+
+```
+┌──────────────────────────────────────────────────┐
+│ User Visit │
+│ ↓ │
+│ Trusted Server generates Synthetic ID │
+│ ↓ │
+│ Lockr Integration maps to Lockr Identity │
+│ ↓ │
+│ Identity synchronized (with consent) │
+│ ↓ │
+│ Lockr ID added to bid requests (user.ext.eids) │
+└──────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Add Lockr configuration to `trusted-server.toml`:
+
+```toml
+[integrations.lockr]
+enabled = true
+api_endpoint = "https://api.lockr.io"
+organization_id = "your-org-id"
+project_id = "your-project-id"
+```
+
+### Configuration Options
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `enabled` | boolean | No | Enable/disable integration (default: `false`) |
+| `api_endpoint` | string | Yes | Lockr API endpoint URL |
+| `organization_id` | string | Yes | Your Lockr organization ID |
+| `project_id` | string | Yes | Your Lockr project ID |
+
+### Environment Variables
+
+```bash
+TRUSTED_SERVER__INTEGRATIONS__LOCKR__ENABLED=true
+TRUSTED_SERVER__INTEGRATIONS__LOCKR__API_ENDPOINT=https://api.lockr.io
+TRUSTED_SERVER__INTEGRATIONS__LOCKR__ORGANIZATION_ID=your-org-id
+TRUSTED_SERVER__INTEGRATIONS__LOCKR__PROJECT_ID=your-project-id
+```
+
+## Features
+
+### Identity Synchronization
+
+Lockr integration automatically syncs Trusted Server synthetic IDs with Lockr's identity vault:
+
+1. User visits site (Trusted Server generates synthetic ID)
+2. If GDPR consent granted, sync with Lockr
+3. Lockr returns unified identity
+4. Identity available for bid requests and analytics
+
+### Privacy Vault
+
+User data is stored securely in Lockr's privacy vault:
+- Encrypted at rest
+- Consent-based access
+- User right to erasure
+- Data portability support
+
+### Extended ID (EID) Support
+
+Lockr identities are injected into OpenRTB bid requests as Extended Identifiers:
+
+```json
+{
+ "user": {
+ "ext": {
+ "eids": [
+ {
+ "source": "lockr.io",
+ "uids": [
+ {
+ "id": "lockr-user-id-123",
+ "atype": 1
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
+```
+
+## Use Cases
+
+### 1. Cookieless Identity Resolution
+
+**Problem**: Safari and Firefox block third-party cookies, fragmenting user identity.
+
+**Solution**: Lockr provides first-party identity resolution that works across cookieless environments.
+
+**Benefit**: Maintain user recognition and monetization in privacy-focused browsers.
+
+### 2. Cross-Device User Recognition
+
+**Problem**: Users access content from multiple devices, appearing as different users.
+
+**Solution**: Lockr's identity graph links devices to a unified user profile.
+
+**Benefit**: Better audience targeting and frequency capping across devices.
+
+### 3. Privacy-Compliant Data Sharing
+
+**Problem**: Sharing user data with partners raises GDPR/CCPA compliance risks.
+
+**Solution**: Lockr enforces consent-based access to identity data.
+
+**Benefit**: Compliant data monetization without regulatory risk.
+
+## Implementation Details
+
+The Lockr integration is implemented in [crates/common/src/integrations/lockr.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/lockr.rs).
+
+### Key Components
+
+**Identity Sync Endpoint**:
+- Route: `/integrations/lockr/sync`
+- Method: POST
+- Purpose: Synchronize synthetic ID with Lockr vault
+
+**ID Mapping**:
+- Maps Trusted Server synthetic ID → Lockr unified ID
+- Cached for performance
+- Respects consent status
+
+**Consent Validation**:
+- Checks GDPR consent before syncing
+- Integrates with CMP (e.g., Didomi)
+- Respects user withdrawal of consent
+
+## Best Practices
+
+### 1. Consent First
+
+Always validate consent before initiating Lockr sync:
+```rust
+if !has_gdpr_consent() {
+ return; // Skip Lockr sync
+}
+```
+
+### 2. Cache Lockr IDs
+
+Cache Lockr identity mappings to reduce API calls:
+- TTL: 24 hours recommended
+- Invalidate on consent withdrawal
+- Use KV store for persistence
+
+### 3. Monitor Sync Rate
+
+Track Lockr sync success/failure rates:
+- Alert on elevated failures
+- Monitor API latency
+- Track consent decline impact
+
+### 4. Test Identity Flow
+
+Validate end-to-end identity flow:
+```bash
+# 1. Generate synthetic ID
+curl https://edge.example.com/
+
+# 2. Verify Lockr sync (check logs)
+# 3. Validate EID in bid request
+```
+
+## Troubleshooting
+
+### Lockr Sync Fails
+
+**Symptoms**:
+- No Lockr ID in bid requests
+- Sync endpoint returns errors
+
+**Solutions**:
+- Verify `organization_id` and `project_id` are correct
+- Check Lockr API endpoint is reachable
+- Ensure GDPR consent is granted
+- Review Lockr API credentials
+
+### Missing EID in Bid Requests
+
+**Symptoms**:
+- Lockr sync succeeds but EID missing from OpenRTB
+
+**Solutions**:
+- Verify OpenRTB request builder includes `user.ext.eids`
+- Check integration is registered in IntegrationRegistry
+- Ensure `contribute_eids()` method is implemented
+
+## Performance
+
+### Typical Latency
+
+- Identity sync: 50-100ms
+- Cached lookup: <5ms
+- API timeout: 500ms (configurable)
+
+### Optimization Tips
+
+- Enable caching for repeat visitors
+- Batch sync operations when possible
+- Use async/non-blocking sync
+- Monitor API quota usage
+
+## Security Considerations
+
+### API Credentials
+
+- Store Lockr credentials in secret management system
+- Rotate credentials periodically
+- Never commit credentials to git
+- Use environment variables in production
+
+### Data Privacy
+
+- Only sync with explicit user consent
+- Implement right to erasure
+- Audit data access logs
+- Encrypt data in transit (HTTPS)
+
+## Next Steps
+
+- Learn about [Synthetic IDs](/guide/synthetic-ids) for identity generation
+- Review [GDPR Compliance](/guide/gdpr-compliance) for consent management
+- Explore [Didomi Integration](/guide/integrations/didomi) for CMP integration
+- Check [Configuration Reference](/guide/configuration-reference) for advanced options
diff --git a/docs/guide/integrations/nextjs.md b/docs/guide/integrations/nextjs.md
new file mode 100644
index 0000000..d275b7d
--- /dev/null
+++ b/docs/guide/integrations/nextjs.md
@@ -0,0 +1,217 @@
+# Next.js Integration
+
+**Category**: Framework Support
+**Status**: Production
+**Type**: HTML/Script Rewriter
+
+## Overview
+
+The Next.js integration enables seamless integration between Trusted Server and Next.js applications by rewriting Next.js-specific data structures to route traffic through first-party proxying.
+
+## What It Does
+
+Next.js applications generate framework-specific JSON data (`__NEXT_DATA__`) and API routes that need special handling. This integration:
+
+- Rewrites Next.js App Router (RSC) streaming responses
+- Processes Pages Router static data payloads
+- Modifies Next.js internal URLs to use first-party proxy
+- Preserves React Server Component hydration
+
+## Supported Next.js Versions
+
+- **Next.js 13+**: App Router with React Server Components (RSC)
+- **Next.js 12+**: Pages Router with static generation
+- **Next.js 11**: Pages Router (basic support)
+
+## Configuration
+
+```toml
+[integrations.nextjs]
+enabled = false
+rewrite_attributes = ["href", "link", "url"]
+```
+
+### Configuration Options
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `enabled` | boolean | `false` | Enable Next.js integration |
+| `rewrite_attributes` | array | `["href", "link", "url"]` | Attributes to rewrite in Next.js data |
+
+## How It Works
+
+### App Router (RSC Streaming)
+
+Next.js 13+ App Router uses React Server Components with streaming:
+
+```
+┌─────────────────────────────────────────┐
+│ Next.js App Router │
+│ Streams: 0:{...} 1:{...} 2:{...} │
+│ ↓ │
+│ Trusted Server Next.js Integration │
+│ ↓ │
+│ Rewrites URLs in RSC payload │
+│ - /_next/image → /first-party/proxy │
+│ - /api/data → /first-party/proxy │
+│ ↓ │
+│ Browser hydrates with first-party URLs │
+└─────────────────────────────────────────┘
+```
+
+### Pages Router
+
+Next.js Pages Router embeds data in `__NEXT_DATA__` script:
+
+```html
+
+
+
+
+
+```
+
+## Implementation Details
+
+The Next.js integration is implemented across multiple files:
+
+- [crates/common/src/integrations/nextjs/mod.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/nextjs/mod.rs) - Main integration
+- [crates/common/src/integrations/nextjs/rsc.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/nextjs/rsc.rs) - RSC parsing
+- [crates/common/src/integrations/nextjs/script_rewriter.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/nextjs/script_rewriter.rs) - Script rewriting
+
+### Key Components
+
+**Script Selector**: `script#__NEXT_DATA__`
+
+Targets the Next.js data script for rewriting.
+
+**Attribute Rewriting**:
+- `href` - Link URLs
+- `link` - Preload/prefetch URLs
+- `url` - Image and asset URLs
+
+**RSC Stream Processing**:
+- Parses React Server Component streaming format
+- Rewrites URLs in streaming chunks
+- Preserves component structure
+
+## Use Cases
+
+### Next.js + Trusted Server
+
+Run your Next.js application behind Trusted Server for:
+- First-party asset loading
+- Synthetic ID injection
+- Privacy-compliant tracking
+- Ad serving integration
+
+### Static Site with Dynamic Ads
+
+Use Next.js for content, Trusted Server for monetization.
+
+### Hybrid Rendering
+
+Combine Next.js SSR/SSG with Trusted Server edge logic.
+
+## Best Practices
+
+### 1. Enable Only When Needed
+
+Only enable if you're using Next.js:
+
+```toml
+[integrations.nextjs]
+enabled = true # Only if using Next.js
+```
+
+### 2. Configure Rewrite Attributes
+
+Add custom attributes if your Next.js app uses non-standard fields:
+
+```toml
+[integrations.nextjs]
+rewrite_attributes = ["href", "link", "url", "customImageUrl"]
+```
+
+### 3. Test RSC Hydration
+
+Verify React Server Components hydrate correctly:
+
+```bash
+# Check browser console for hydration errors
+# Verify interactive elements work
+```
+
+### 4. Monitor Performance
+
+Next.js integration adds minimal overhead (<10ms), but monitor:
+- Time to First Byte (TTFB)
+- First Contentful Paint (FCP)
+- Largest Contentful Paint (LCP)
+
+## Troubleshooting
+
+### Hydration Mismatch Errors
+
+**Symptoms**: React hydration errors in browser console
+
+**Solutions**:
+- Ensure rewrite attributes match your Next.js data structure
+- Check URLs are properly signed
+- Verify origin URLs are accessible
+
+### Images Not Loading
+
+**Symptoms**: Next.js `` components show broken images
+
+**Solutions**:
+- Verify `_next/image` URLs are proxied
+- Check image domains are allowed
+- Ensure proxy signatures are valid
+
+### API Routes Failing
+
+**Symptoms**: Next.js API routes return 404/500
+
+**Solutions**:
+- Check `/api/*` routes are not being over-proxied
+- Verify Next.js origin URL is correct
+- Review proxy exclusion rules
+
+## Performance
+
+### Overhead
+
+- RSC parsing: ~5-10ms
+- URL rewriting: ~2-5ms
+- Total: <15ms per request
+
+### Optimization
+
+- Enable HTTP/2 for streaming
+- Use CDN for static assets
+- Cache `__NEXT_DATA__` when possible
+- Minimize rewrite attributes
+
+## Next Steps
+
+- Review [First-Party Proxy](/guide/first-party-proxy) for URL rewriting
+- Check [Creative Processing](/guide/creative-processing) for HTML processing
+- Explore [Configuration](/guide/configuration) for setup details
+- Learn about [Integrations Overview](/guide/integrations-overview)
diff --git a/docs/guide/integrations/permutive.md b/docs/guide/integrations/permutive.md
new file mode 100644
index 0000000..f0a7218
--- /dev/null
+++ b/docs/guide/integrations/permutive.md
@@ -0,0 +1,68 @@
+# Permutive Integration
+
+**Category**: Data
+**Status**: Production
+**Type**: Audience Data Platform
+
+## Overview
+
+The Permutive integration enables first-party audience segmentation and data collection by proxying Permutive's SDK and API endpoints through your domain.
+
+## What is Permutive?
+
+Permutive is a real-time data platform that helps publishers build and activate audience segments for advertising without relying on third-party cookies.
+
+## Configuration
+
+```toml
+[integrations.permutive]
+enabled = true
+organization_id = "your-org-id"
+workspace_id = "your-workspace-id"
+project_id = "your-project-id"
+api_endpoint = "https://api.permutive.com"
+secure_signals_endpoint = "https://secure-signals.permutive.app"
+cache_ttl_seconds = 3600
+rewrite_sdk = true
+```
+
+## Endpoints
+
+- `GET /integrations/permutive/sdk` - SDK serving
+- `GET/POST /integrations/permutive/api/*` - API proxy
+- `GET/POST /integrations/permutive/secure-signal/*` - Secure Signals (GAM integration)
+- `GET/POST /integrations/permutive/events/*` - Event tracking
+- `GET/POST /integrations/permutive/sync/*` - ID synchronization
+- `GET /integrations/permutive/cdn/*` - CDN proxy
+
+## Features
+
+- **Real-time segmentation**: Build audience cohorts in real-time
+- **First-party data**: All data collection through your domain
+- **Secure Signals**: Integrate with Google Ad Manager
+- **SDK caching**: Performance optimization (1 hour TTL)
+- **Privacy compliance**: Consent-based activation
+
+## Use Cases
+
+### Publisher Audience Monetization
+
+Collect first-party data, build segments, activate in programmatic auctions to increase CPMs.
+
+### Contextual Targeting
+
+Combine page context with user behavior for privacy-safe targeting.
+
+### Cross-Site Insights
+
+Aggregate audience data across your property portfolio.
+
+## Implementation
+
+See [crates/common/src/integrations/permutive.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/permutive.rs) for implementation details.
+
+## Next Steps
+
+- Review [Integrations Overview](/guide/integrations-overview) for comparison
+- Check [Configuration Reference](/guide/configuration-reference) for options
+- Learn about [First-Party Proxy](/guide/first-party-proxy) architecture
diff --git a/docs/guide/integrations/prebid.md b/docs/guide/integrations/prebid.md
new file mode 100644
index 0000000..d4a5cc5
--- /dev/null
+++ b/docs/guide/integrations/prebid.md
@@ -0,0 +1,115 @@
+# Prebid Integration
+
+**Category**: Demand Wrapper
+**Status**: Production
+**Type**: Header Bidding
+
+## Overview
+
+The Prebid integration enables server-side header bidding through Prebid Server while maintaining first-party context and privacy compliance.
+
+## What is Prebid?
+
+Prebid is the leading open-source header bidding solution that allows publishers to offer ad inventory to multiple demand sources simultaneously, maximizing revenue through competition.
+
+## Configuration
+
+```toml
+[integrations.prebid]
+enabled = true
+server_url = "https://prebid-server.example.com/openrtb2/auction"
+timeout_ms = 1200
+bidders = ["kargo", "rubicon", "appnexus"]
+auto_configure = true
+debug = false
+```
+
+## Features
+
+### Server-Side Header Bidding
+
+Move header bidding to the server for:
+- Faster page loads (reduce browser JavaScript)
+- Better mobile performance
+- Reduced client-side latency
+- Improved user experience
+
+### OpenRTB 2.x Support
+
+Full OpenRTB protocol conversion:
+- Converts ad units to OpenRTB `imp` objects
+- Injects publisher domain and page URL
+- Adds synthetic ID for privacy-safe tracking
+- Supports banner, video, and native formats
+
+### Synthetic ID Injection
+
+Automatically injects privacy-preserving synthetic ID into bid requests for user recognition without cookies.
+
+### Request Signing
+
+Optional Ed25519 request signing for bid request authentication and fraud prevention.
+
+## Endpoints
+
+### GET /first-party/ad
+
+Server-side ad rendering for single ad slot.
+
+**Query Parameters**:
+- `slot` - Ad unit code
+- `w` - Width in pixels
+- `h` - Height in pixels
+
+**Response**: Complete HTML creative with first-party proxying.
+
+### POST /third-party/ad
+
+Client-side auction endpoint for TSJS library.
+
+**Request Body**: Ad units configuration
+**Response**: OpenRTB bid response with creatives
+
+### GET /prebid.js (Optional)
+
+Empty script override to prevent client-side Prebid.js loading when using server-side bidding.
+
+## Use Cases
+
+### Pure Server-Side Header Bidding
+
+Replace client-side Prebid.js entirely with server-side auctions for maximum performance.
+
+### Hybrid Client + Server
+
+Use server-side for primary demand, client-side for niche bidders.
+
+### Mobile-First Monetization
+
+Optimize mobile ad serving with reduced JavaScript overhead.
+
+## Implementation
+
+See [crates/common/src/integrations/prebid.rs](https://github.com/IABTechLab/trusted-server/blob/main/crates/common/src/integrations/prebid.rs) for full implementation.
+
+### OpenRTB Request Construction
+
+Located in `build_openrtb_from_ts()` function (line 335):
+- Converts ad units to impressions
+- Adds site metadata
+- Injects bidder parameters
+- Generates unique request ID
+
+## Best Practices
+
+1. **Configure Timeouts**: Set `timeout_ms` based on your latency requirements
+2. **Select Bidders**: Enable only bidders you have direct relationships with
+3. **Monitor Performance**: Track bid response times and fill rates
+4. **Test Thoroughly**: Validate bid requests in debug mode before production
+
+## Next Steps
+
+- Review [Ad Serving Guide](/guide/ad-serving) for general concepts
+- Check [OpenRTB Support](/roadmap) on the roadmap for enhancements
+- Explore [Request Signing](/guide/request-signing) for authentication
+- Learn about [Synthetic IDs](/guide/synthetic-ids) for privacy-safe tracking
diff --git a/docs/roadmap.md b/docs/roadmap.md
new file mode 100644
index 0000000..694b1e1
--- /dev/null
+++ b/docs/roadmap.md
@@ -0,0 +1,242 @@
+# Roadmap
+
+The Trusted Server roadmap is organized around three strategic initiatives aligned with our GitHub project structure. This page outlines features currently in development and planned for 2026.
+
+## Overview
+
+Our development is focused on three key areas:
+
+1. **Edge Platform** - Code execution, proxy capabilities, and runtime support
+2. **Monetization** - Ad serving, identity, and bidstream integration
+3. **Transaction Trust** - Attestation, measurement, and fraud prevention
+
+---
+
+## 🚀 Edge Platform: Code Execution, Proxy, and Runtime
+
+### In-Flight
+
+**Cloudflare Workers Support**
+- Adapt `/common/` crate for Cloudflare Workers runtime
+- Create platform-specific adapter in `/cloudflare/` crate
+- Maintain feature parity with Fastly Compute
+- Enable multi-platform publisher deployments
+
+**Next.js RSC (React Server Components) Enhancements**
+- Improved streaming support for App Router
+- Better hydration data parsing
+- Enhanced origin URL rewriting
+
+### Planned for 2026
+
+**SPIN + Akamai EdgeWorkers Support**
+- Port Trusted Server to Fermyon SPIN runtime
+- Enable deployment on Akamai's edge platform
+- WebAssembly Component Model adoption
+- Cross-platform WASI compatibility
+
+**Encoding/Decoding Streaming Improvements**
+- Enhanced Gzip, Brotli, Deflate streaming support
+- Memory-efficient large file processing
+- Improved compression passthrough modes
+
+**WebSockets Support**
+- Real-time bidirectional communication at the edge
+- Server-sent events (SSE) for live updates
+- Enhanced streaming auction support
+
+**Header Configuration Enhancements**
+- Advanced CORS policy management
+- Content Security Policy (CSP) templating
+- X-Frame-Options and crossorigin attribute control
+- Security header automation
+
+---
+
+## 💰 Monetization: SSPs, DSPs, PBS, Ad-Servers, ID Providers
+
+### In-Flight
+
+**Prebid Server Integration Enhancements**
+- Improved OpenRTB 2.x support
+- Enhanced bidder configuration
+- Better timeout management
+
+**Permutive Audience Data**
+- First-party audience segmentation
+- Real-time cohort updates
+- Secure Signals integration
+
+### Planned for 2026
+
+**Full Google Ad Manager (GAM) Support**
+- Complete GAM publisher integration
+- Dynamic ad slot management
+- Programmatic guaranteed support
+- First-party GAM reporting
+
+**Amazon Publisher Services (APS) Integration**
+- Transparent Ad Marketplace (TAM) support
+- A9 bidding integration
+- First-party APS header bidding
+
+**Kargo SSP Integration**
+- Native Kargo bid adapter
+- First-party creative rendering
+- Enhanced viewability tracking
+
+**Additional SSP Integrations**
+- Index Exchange
+- OpenX
+- PubMatic
+- Other major SSPs
+
+**Prebid Server Rust Port**
+- Native Rust implementation of Prebid Server
+- Embedded WASM-based bidder adapters
+- Zero-cold-start header bidding
+- Reduce external dependencies
+
+**Better Synthetic ID Syncing**
+- Enhanced ID sync with downstream partners
+- Batch sync optimization
+- Partner ID mapping tables
+- Sync status monitoring
+
+**Standalone Synthetic ID Service**
+- Dedicated ID generation microservice
+- Cross-publisher ID graph support
+- Privacy-preserving ID resolution
+- API-first architecture
+
+**OpenRTB Geo Signal Enrichment**
+- Push X-Geo signals into bidstream
+- City, continent, coordinates, metro-code (DMA)
+- Country and region data
+- IP geolocation integration
+
+**Agentic Frameworks for Dynamic Ad Optimization**
+- LLM-powered ad relevance scoring
+- Context-aware creative selection
+- Real-time optimization agents
+
+**Content Protection & RSL Protocol**
+- Really Simple Licensing (RSL) integration
+- AI crawler detection and blocking
+- Content usage attribution
+- Licensing metadata injection
+
+---
+
+## 🛡️ Transaction Trust: Attestation, Measurement, IVT & Fraud Prevention
+
+### In-Flight
+
+**Request Signing & JWKS**
+- Ed25519 cryptographic signing
+- JSON Web Key Set (JWKS) discovery
+- Key rotation automation
+
+### Planned for 2026
+
+**Advanced Observability and Security Tooling**
+
+A comprehensive creative forensics engine for ad behavior monitoring and fraud prevention:
+
+**Capabilities:**
+- Real-time creative behavior analysis using headless browser automation
+- Network traffic interception and validation
+- DOM manipulation detection
+- Unauthorized data exfiltration prevention
+- Malvertising and malicious script identification
+
+**Business Impact:**
+- **Compliance Protection**: Prevent GDPR violations from third-party creatives (potential $2.3M+ fine avoidance)
+- **Revenue Protection**: Detect bid manipulation and auction fraud ($400K+ annual recovery potential)
+- **User Trust**: Block malvertising before it reaches users (prevent user exodus, retain 100K+ users)
+- **Brand Safety**: Real-time creative quality assurance
+
+**Technical Implementation:**
+- Headless browser integration (Playwright/Puppeteer)
+- Chrome DevTools Protocol (CDP) for network inspection
+- Edge + backend hybrid architecture
+- Real-time alerting and blocking
+
+**LLM-Crawler Detection & .md Versions**
+- Detect AI training crawlers (GPTBot, Claude-Web, etc.)
+- Serve markdown versions for authorized AI consumption
+- Track AI content usage with RSL metadata
+- Content attribution and licensing
+
+**JavaScript Parsing/Evaluation Engine**
+- Safe JS execution sandbox at the edge
+- Creative script analysis before rendering
+- Malicious code detection
+- Dynamic creative validation
+
+**Verified Builds & Attestation**
+- Reproducible WASM builds
+- Cryptographic build verification
+- Transparency logs for deployed code
+- Publisher trust attestation
+
+**Invalid Traffic (IVT) Detection**
+- Bot traffic identification
+- Sophisticated invalid traffic (SIVT) detection
+- Fraud score attribution
+- Real-time traffic filtering
+
+**Consent Management Platform (CMP) Enhancements**
+- Deeper Didomi integration
+- OneTrust support
+- Quantcast CMP integration
+- TCF 2.2 full compliance
+
+---
+
+## Timeline & Priorities
+
+### Q1 2026
+- Cloudflare Workers Support (production ready)
+- Full GAM Integration
+- Advanced Observability tooling (beta)
+
+### Q2 2026
+- SPIN + Akamai Support
+- Prebid Server Rust Port (alpha)
+- Standalone Synthetic ID Service
+
+### Q3 2026
+- Additional SSP Integrations (Index, OpenX, PubMatic)
+- LLM-Crawler Detection
+- Verified Builds
+
+### Q4 2026
+- Agentic frameworks for ad optimization
+- IVT detection (production)
+- WebSockets support
+
+---
+
+## Contributing
+
+Interested in contributing to these initiatives? Check out our [GitHub Issues](https://github.com/IABTechLab/trusted-server/issues) for specific tasks and discussions.
+
+### How to Contribute
+
+1. **Pick an Initiative**: Choose from the roadmap above
+2. **Check Issues**: Look for existing issues or create a new one
+3. **Discuss Design**: Propose your approach in the issue
+4. **Submit PR**: Follow our [contribution guidelines](https://github.com/IABTechLab/trusted-server/blob/main/CONTRIBUTING.md)
+
+---
+
+## Feedback
+
+Have ideas for the roadmap? [Open an issue](https://github.com/IABTechLab/trusted-server/issues/new) or join the discussion in our community channels.
+
+## Next Steps
+
+- Review [Architecture](/guide/architecture) to understand the system
+- Explore [Integration Guide](/guide/integration-guide) to build custom integrations
+- Check [Configuration](/guide/configuration) for deployment options