Decode TCF and GPP consent strings on every incoming request

[ChristianPavilonis]

User story

As a publisher, I want the system to decode the IAB TCF and GPP consent strings on every incoming request, so that consent status (including withdrawals) is always current and never stale.

Acceptance criteria

• TCF v2 string is parsed and vendor/purpose consent extracted per request
• GPP string is parsed and US section consent signals extracted per request
• Decoded consent result is available to SSC gating and revocation logic
• Handles missing or malformed strings gracefully (treat as no-consent)

Affected area

Core (synthetic IDs, cookies, GDPR), Fastly runtime

Proposed approach

1. Extract TCF (euconsent-v2) and GPP (gpp / gpp_sid) values from the incoming request (cookie or query param, depending on CMP integration).
2. Decode TCF v2 string per the IAB TCF spec — extract purpose consents and vendor consents relevant to our vendor ID.
3. Decode GPP string per the IAB GPP spec — identify applicable US section and extract opt-out signals.
4. Produce a unified consent result (e.g., ConsentStatus { has_consent: bool, jurisdiction: EU | UK | US | Unknown }) for downstream use.
5. If no string is present or decoding fails, default to has_consent: false.

Additional context

Sub-issue of #54. Related to #312, PR #380.
TCF = IAB Transparency & Consent Framework (EU).
GPP = Global Privacy Platform (US + multi-jurisdiction).