Evaluate allowedAlternateBidderCodes strategy for prebid-npm integration

[aram356]

Context

Related to #250 / PR #242.

The trustedServer Prebid adapter returns bids under alternate bidder codes (e.g. mocktioneer, appnexus) from the server-side seat. Prebid.js validates these against allowedAlternateBidderCodes in bidderSettings and rejects bids from unrecognized codes.

We currently set allowedAlternateBidderCodes: ['*'] (wildcard) inside the requestBids shim to allow any seat code from the orchestrator response.

Decision needed

Should we:

1. Keep ['*'] wildcard — simplest, works with any bidder the orchestrator returns, no config wiring needed
2. Use explicit list from trusted-server.toml — use the bidders array already injected via window.__tsjs_prebid.bidders to restrict which alternate codes are accepted. Tighter control but requires wiring the injected config into bidderSettings

Additional work

• Add test coverage for bidderSettings behavior (currently zero tests for this path)
• Verify the requestBids shim placement is sufficient to prevent publisher overwrites from dropping the setting
• Document the expected Prebid.js behavior for allowAlternateBidderCodes + allowedAlternateBidderCodes in the integration

References

• Prebid docs: https://docs.prebid.org/dev-docs/publisher-api-reference/bidderSettings.html
• Prebid source validation: prebid.js/src/adapters/bidderFactory.ts → isInvalidAlternateBidder()
• Fix commit: 1001892