@c15t/backend 2.0.0-rc.0 → 2.0.0-rc.10

package/dist/router.cjs

@@ -22,7 +22,7 @@ var __webpack_require__ = {};
 })();
 (()=>{
     __webpack_require__.r = (exports1)=>{
-        if ('undefined' != typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
             value: 'Module'
         });
         Object.defineProperty(exports1, '__esModule', {
@@ -42,7 +42,7 @@ const schema_namespaceObject = require("@c15t/schema");
 const external_hono_namespaceObject = require("hono");
 const external_hono_openapi_namespaceObject = require("hono-openapi");
 const http_exception_namespaceObject = require("hono/http-exception");
-function extractErrorMessage(error) {
+function extract_error_message_extractErrorMessage(error) {
     if (error instanceof AggregateError && error.errors?.length > 0) {
         const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
         return `AggregateError: ${inner}`;
@@ -54,18 +54,18 @@ const api_namespaceObject = require("@opentelemetry/api");
 let cachedConfig = null;
 let cachedDefaultAttributes = {};
 function create_telemetry_options_isTelemetryEnabled(options) {
-    if (options) return options.advanced?.telemetry?.enabled === true;
+    if (options) return options.telemetry?.enabled === true;
     return cachedConfig?.enabled === true;
 }
 const create_telemetry_options_getTracer = (options)=>{
     if (!create_telemetry_options_isTelemetryEnabled(options)) return api_namespaceObject.trace.getTracer('c15t-noop');
-    const tracer = options?.advanced?.telemetry?.tracer ?? cachedConfig?.tracer;
+    const tracer = options?.telemetry?.tracer ?? cachedConfig?.tracer;
     if (tracer) return tracer;
     return api_namespaceObject.trace.getTracer(options?.appName ?? 'c15t');
 };
 const getMeter = (options)=>{
     if (!create_telemetry_options_isTelemetryEnabled(options)) return api_namespaceObject.metrics.getMeter('c15t-noop');
-    const meter = options?.advanced?.telemetry?.meter ?? cachedConfig?.meter;
+    const meter = options?.telemetry?.meter ?? cachedConfig?.meter;
     if (meter) return meter;
     return api_namespaceObject.metrics.getMeter(options?.appName ?? 'c15t');
 };
@@ -75,7 +75,7 @@ function getDefaultAttributes() {
 const handleSpanError = (span, error)=>{
     span.setStatus({
         code: api_namespaceObject.SpanStatusCode.ERROR,
-        message: extractErrorMessage(error)
+        message: extract_error_message_extractErrorMessage(error)
     });
     if (error instanceof Error) span.setAttribute('error.type', error.name);
 };
@@ -244,7 +244,7 @@ function createMetrics(meter) {
     };
 }
 let metricsInstance = null;
-function getMetrics(options) {
+function metrics_getMetrics(options) {
     if (metricsInstance) return metricsInstance;
     if (!create_telemetry_options_isTelemetryEnabled(options)) return null;
     metricsInstance = createMetrics(getMeter(options));
@@ -270,7 +270,7 @@ async function batchLoadPolicies(policyIds, ctx) {
     for (const p of policyMap.values())uniqueTypes.add(p.type);
     const latestPolicyByType = new Map();
     for (const type of uniqueTypes){
-        const latest = await registry.findOrCreatePolicy(type);
+        const latest = await registry.findLatestPolicyByType(type);
         if (latest) latestPolicyByType.set(type, latest.id);
     }
     return {
@@ -296,11 +296,17 @@ async function enrichConsents(consents, ctx) {
     }
     return consents.map((consent)=>{
         let policyType = 'unknown';
+        let policyVersion;
+        let policyHash;
+        let policyEffectiveDate;
         let isLatestPolicy = false;
         if (consent.policyId) {
             const policy = policyMap.get(consent.policyId);
             if (policy) {
                 policyType = policy.type;
+                policyVersion = policy.version;
+                policyHash = policy.hash ?? void 0;
+                policyEffectiveDate = policy.effectiveDate;
                 isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
             }
         }
@@ -317,6 +323,9 @@ async function enrichConsents(consents, ctx) {
             id: consent.id,
             type: policyType,
             policyId: consent.policyId ?? void 0,
+            policyVersion,
+            policyHash,
+            policyEffectiveDate,
             isLatestPolicy,
             preferences,
             givenAt: consent.givenAt
@@ -408,14 +417,14 @@ const checkConsentHandler = async (c)=>{
             externalId,
             results
         });
-        const metrics = getMetrics();
+        const metrics = metrics_getMetrics();
         if (metrics) for (const [type, result] of Object.entries(results))metrics.recordConsentCheck(type, result.hasConsent);
         return c.json({
             results
         });
     } catch (error) {
         logger.error('Error in GET /consents/check handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -431,11 +440,7 @@ const createConsentRoutes = ()=>{
     const app = new external_hono_namespaceObject.Hono();
     app.get('/check', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Check consent by external user ID',
-        description: `Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.
-
-**Query parameters:**
-- \`externalId\` – External user ID to check
-- \`type\` – Consent type(s) to check (comma-separated)`,
+        description: "Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.\n\n**Query parameters:**\n- `externalId` – External user ID to check\n- `type` – Consent type(s) to check (comma-separated)",
         tags: [
             'Consent'
         ],
@@ -470,7 +475,7 @@ async function executeWithSpan(span, operation) {
     }
 }
 function resolveDefaultAttributes(options) {
-    return options?.advanced?.telemetry?.defaultAttributes || getDefaultAttributes();
+    return options?.telemetry?.defaultAttributes || getDefaultAttributes();
 }
 async function withExternalSpan(attributes, operation, options) {
     if (!create_telemetry_options_isTelemetryEnabled(options)) return operation();
@@ -596,14 +601,14 @@ async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT
                 if (!parsed.vendorListVersion || !parsed.purposes || !parsed.vendors) throw new Error('Invalid GVL response: missing required fields');
                 return parsed;
             });
-            getMetrics()?.recordGvlFetch({
+            metrics_getMetrics()?.recordGvlFetch({
                 language,
                 source: 'fetch',
                 status: 200
             }, Date.now() - fetchStart);
             return gvl;
         } catch (error) {
-            getMetrics()?.recordGvlError({
+            metrics_getMetrics()?.recordGvlError({
                 language,
                 errorType: error instanceof Error ? error.name : 'UnknownError'
             });
@@ -624,18 +629,18 @@ function createGVLResolver(options) {
             if (bundled?.[language]) return bundled[language];
             const memoryHit = await withCacheSpan('get', 'memory', ()=>memoryCache.get(cacheKey));
             if (memoryHit) {
-                getMetrics()?.recordCacheHit('memory');
+                metrics_getMetrics()?.recordCacheHit('memory');
                 return memoryHit;
             }
-            getMetrics()?.recordCacheMiss('memory');
+            metrics_getMetrics()?.recordCacheMiss('memory');
             if (cacheAdapter) {
                 const externalHit = await withCacheSpan('get', 'external', ()=>cacheAdapter.get(cacheKey));
                 if (externalHit) {
-                    getMetrics()?.recordCacheHit('external');
+                    metrics_getMetrics()?.recordCacheHit('external');
                     await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, externalHit, 300000));
                     return externalHit;
                 }
-                getMetrics()?.recordCacheMiss('external');
+                metrics_getMetrics()?.recordCacheMiss('external');
             }
             const gvl = await fetchGVLWithLanguage(language, vendorIds, endpoint);
             if (gvl) {
@@ -646,6 +651,124 @@ function createGVLResolver(options) {
         }
     };
 }
+const external_jose_namespaceObject = require("jose");
+const POLICY_SNAPSHOT_JWT_HEADER = {
+    alg: 'HS256',
+    typ: 'JWT'
+};
+const DEFAULT_POLICY_SNAPSHOT_ISSUER = 'c15t';
+const DEFAULT_POLICY_SNAPSHOT_AUDIENCE = 'c15t-policy-snapshot';
+function resolveSnapshotIssuer(options) {
+    return options?.issuer?.trim() || DEFAULT_POLICY_SNAPSHOT_ISSUER;
+}
+function resolveSnapshotAudience(params) {
+    const configuredAudience = params.options?.audience?.trim();
+    if (configuredAudience) return configuredAudience;
+    return params.tenantId ? `${DEFAULT_POLICY_SNAPSHOT_AUDIENCE}:${params.tenantId}` : DEFAULT_POLICY_SNAPSHOT_AUDIENCE;
+}
+function getSigningKey(secret) {
+    return new TextEncoder().encode(secret);
+}
+function isPolicySnapshotPayload(payload) {
+    return 'string' == typeof payload.policyId && 'string' == typeof payload.fingerprint && 'string' == typeof payload.matchedBy && 'string' == typeof payload.jurisdiction && 'string' == typeof payload.model && 'string' == typeof payload.iss && 'string' == typeof payload.aud && 'string' == typeof payload.sub && 'number' == typeof payload.iat && 'number' == typeof payload.exp;
+}
+async function createPolicySnapshotToken(params) {
+    const { options } = params;
+    if (!options?.signingKey) return;
+    const iat = Math.floor(Date.now() / 1000);
+    const ttlSeconds = options.ttlSeconds ?? 1800;
+    const exp = iat + ttlSeconds;
+    const iss = resolveSnapshotIssuer(options);
+    const aud = resolveSnapshotAudience({
+        options,
+        tenantId: params.tenantId
+    });
+    const payload = {
+        iss,
+        aud,
+        sub: params.policyId,
+        tenantId: params.tenantId,
+        policyId: params.policyId,
+        fingerprint: params.fingerprint,
+        matchedBy: params.matchedBy,
+        country: params.country,
+        region: params.region,
+        jurisdiction: params.jurisdiction,
+        language: params.language,
+        model: params.model,
+        policyI18n: params.policyI18n,
+        expiryDays: params.expiryDays,
+        scopeMode: params.scopeMode,
+        uiMode: params.uiMode,
+        bannerUi: params.bannerUi,
+        dialogUi: params.dialogUi,
+        categories: params.categories,
+        preselectedCategories: params.preselectedCategories,
+        gpc: params.gpc,
+        proofConfig: params.proofConfig,
+        iat,
+        exp
+    };
+    const token = await new external_jose_namespaceObject.SignJWT(payload).setProtectedHeader(POLICY_SNAPSHOT_JWT_HEADER).setIssuedAt(iat).setExpirationTime(exp).sign(getSigningKey(options.signingKey));
+    return {
+        token,
+        payload
+    };
+}
+async function verifyPolicySnapshotToken(params) {
+    const { token, options, tenantId } = params;
+    if (!options?.signingKey) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (!token) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (3 !== token.split('.').length) return {
+        valid: false,
+        reason: 'malformed'
+    };
+    try {
+        const { payload, protectedHeader } = await (0, external_jose_namespaceObject.jwtVerify)(token, getSigningKey(options.signingKey), {
+            issuer: resolveSnapshotIssuer(options),
+            audience: resolveSnapshotAudience({
+                options,
+                tenantId
+            })
+        });
+        const header = protectedHeader;
+        if ('HS256' !== header.alg || 'JWT' !== header.typ) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (!isPolicySnapshotPayload(payload)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (payload.sub !== payload.policyId) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if ((tenantId ?? void 0) !== (payload.tenantId ?? void 0)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        return {
+            valid: true,
+            payload
+        };
+    } catch (error) {
+        if (error instanceof external_jose_namespaceObject.errors.JWTExpired) return {
+            valid: false,
+            reason: 'expired'
+        };
+        return {
+            valid: false,
+            reason: 'invalid'
+        };
+    }
+}
 function geo_normalizeHeader(value) {
     if (!value) return null;
     return Array.isArray(value) ? value[0] ?? null : value;
@@ -787,7 +910,7 @@ function checkJurisdiction(countryCode, regionCode) {
     return jurisdiction;
 }
 async function getLocation(request, options) {
-    if (options.advanced?.disableGeoLocation) return {
+    if (options.disableGeoLocation) return {
         countryCode: null,
         regionCode: null
     };
@@ -798,30 +921,253 @@ async function getLocation(request, options) {
     };
 }
 function getJurisdiction(location, options) {
-    if (options.advanced?.disableGeoLocation) return 'GDPR';
+    if (options.disableGeoLocation) return 'GDPR';
     return checkJurisdiction(location.countryCode, location.regionCode);
 }
+const schema_types_namespaceObject = require("@c15t/schema/types");
+async function resolvePolicyDecision(params) {
+    return (0, schema_types_namespaceObject.resolvePolicyDecision)({
+        policies: params.policies,
+        countryCode: params.countryCode,
+        regionCode: params.regionCode,
+        jurisdiction: params.jurisdiction,
+        iabEnabled: params.iabEnabled
+    });
+}
 const translations_namespaceObject = require("@c15t/translations");
+const all_namespaceObject = require("@c15t/translations/all");
+const DEFAULT_PROFILE = 'default';
+const warnedKeys = new Set();
 function isSupportedBaseLanguage(lang) {
-    return lang in translations_namespaceObject.baseTranslations;
+    return lang in all_namespaceObject.baseTranslations;
+}
+function warnOnce(logger, key, message, metadata) {
+    if (!logger || warnedKeys.has(key)) return;
+    warnedKeys.add(key);
+    logger.warn(message, metadata);
+}
+function normalizeLanguage(value) {
+    if (!value) return;
+    const normalized = value.split(',')[0]?.split(';')[0]?.trim().toLowerCase();
+    if (!normalized) return;
+    return normalized.split('-')[0] ?? void 0;
+}
+function normalizeProfiles(params) {
+    const profiles = params.i18n?.messages;
+    const legacy = params.customTranslations;
+    if (profiles && Object.keys(profiles).length > 0) {
+        if (legacy && Object.keys(legacy).length > 0) warnOnce(params.logger, 'i18n.customTranslations.ignored', '`customTranslations` is deprecated and ignored when `i18n.messages` is configured.');
+        return profiles;
+    }
+    if (legacy && Object.keys(legacy).length > 0) {
+        warnOnce(params.logger, 'i18n.customTranslations.deprecated', '`customTranslations` is deprecated. Use `i18n.messages` instead.');
+        return {
+            [DEFAULT_PROFILE]: {
+                translations: legacy
+            }
+        };
+    }
+    return {};
 }
-function translations_getTranslationsData(acceptLanguage, customTranslations) {
-    const supportedDefaultLanguages = Object.keys(translations_namespaceObject.baseTranslations);
-    const supportedCustomLanguages = Object.keys(customTranslations || {});
-    const supportedLanguages = [
-        ...supportedDefaultLanguages,
-        ...supportedCustomLanguages
+function buildCandidates(input) {
+    const raw = [
+        {
+            language: input.language,
+            reason: 'profile_language'
+        },
+        {
+            language: input.fallbackLanguage,
+            reason: 'profile_fallback'
+        }
     ];
-    const preferredLanguage = (0, translations_namespaceObject.selectLanguage)(supportedLanguages, {
+    const dedupe = new Set();
+    return raw.filter((candidate)=>{
+        const key = candidate.language;
+        if (dedupe.has(key)) return false;
+        dedupe.add(key);
+        return true;
+    });
+}
+function getProfileLanguages(profiles, profile) {
+    return Object.keys(profiles[profile]?.translations ?? {}).sort();
+}
+function getSelectableLanguages(input) {
+    return getProfileLanguages(input.profiles, input.profile);
+}
+function resolveFallbackLanguage(input) {
+    const configuredFallbackLanguage = normalizeLanguage(input.profile?.fallbackLanguage) ?? 'en';
+    const profileLanguages = Object.keys(input.profile?.translations ?? {}).sort();
+    if (profileLanguages.includes(configuredFallbackLanguage)) return configuredFallbackLanguage;
+    if (profileLanguages.includes('en')) return 'en';
+    return profileLanguages[0] ?? configuredFallbackLanguage;
+}
+function resolveActiveProfile(input) {
+    const requestedProfile = input.policyProfile ?? input.defaultProfile;
+    if (input.profiles[requestedProfile]) return requestedProfile;
+    if (input.policyProfile) warnOnce(input.logger, `i18n.profile.missing:${requestedProfile}`, `Policy i18n profile '${requestedProfile}' does not exist. Falling back to default profile '${input.defaultProfile}'.`);
+    return input.defaultProfile;
+}
+function translations_getTranslationsData(acceptLanguage, customTranslations, options) {
+    const profiles = normalizeProfiles({
+        customTranslations,
+        i18n: options?.i18n,
+        logger: options?.logger
+    });
+    const defaultProfile = options?.i18n?.defaultProfile ?? DEFAULT_PROFILE;
+    const profile = resolveActiveProfile({
+        profiles,
+        defaultProfile,
+        policyProfile: options?.policyI18n?.messageProfile,
+        logger: options?.logger
+    });
+    const configuredLanguages = Object.keys(profiles).length > 0 ? getSelectableLanguages({
+        profiles,
+        profile
+    }) : Object.keys(all_namespaceObject.baseTranslations);
+    const fallbackLanguage = Object.keys(profiles).length > 0 ? resolveFallbackLanguage({
+        profile: profiles[profile]
+    }) : 'en';
+    const policyLanguage = normalizeLanguage(options?.policyI18n?.language);
+    const requestedLanguage = policyLanguage ?? (0, translations_namespaceObject.selectLanguage)(configuredLanguages, {
         header: acceptLanguage,
-        fallback: 'en'
+        fallback: fallbackLanguage
+    });
+    const candidates = buildCandidates({
+        language: requestedLanguage,
+        fallbackLanguage
+    });
+    const selectedCandidate = candidates.find((candidate)=>!!profiles[profile]?.translations[candidate.language]);
+    if (selectedCandidate && 'profile_language' !== selectedCandidate.reason) warnOnce(options?.logger, `i18n.fallback:${profile}:${requestedLanguage}:${selectedCandidate.language}`, `Policy translation fallback used (${selectedCandidate.reason}).`, {
+        requestedProfile: profile,
+        requestedLanguage,
+        resolvedProfile: profile,
+        resolvedLanguage: selectedCandidate.language
     });
-    const base = isSupportedBaseLanguage(preferredLanguage) ? translations_namespaceObject.baseTranslations[preferredLanguage] : translations_namespaceObject.baseTranslations.en;
-    const custom = supportedCustomLanguages.includes(preferredLanguage) ? customTranslations?.[preferredLanguage] : {};
+    let language = selectedCandidate?.language ?? requestedLanguage;
+    if (!selectedCandidate && !isSupportedBaseLanguage(language)) {
+        warnOnce(options?.logger, `i18n.base-fallback:${language}`, `No translation found for '${language}'. Falling back to base English translations.`);
+        language = 'en';
+    }
+    const base = isSupportedBaseLanguage(language) ? all_namespaceObject.baseTranslations[language] : all_namespaceObject.baseTranslations.en;
+    const custom = selectedCandidate ? profiles[profile]?.translations[selectedCandidate.language] : void 0;
     const translations = custom ? (0, translations_namespaceObject.deepMergeTranslations)(base, custom) : base;
     return {
         translations: translations,
-        language: preferredLanguage
+        language
+    };
+}
+function stripIabTranslations(translations) {
+    const { iab: _iab, ...rest } = translations;
+    return rest;
+}
+function resolveNoPolicyFallback() {
+    return {
+        id: 'no_banner',
+        model: 'none',
+        ui: {
+            mode: 'none'
+        }
+    };
+}
+async function resolveInitPayload(request, options, logger) {
+    const acceptLanguage = request.headers.get('accept-language') || 'en';
+    const location = await getLocation(request, options);
+    const jurisdiction = getJurisdiction(location, options);
+    const hasExplicitPolicyPack = void 0 !== options.policyPacks;
+    const isExplicitEmptyPolicyPack = hasExplicitPolicyPack && (options.policyPacks?.length ?? 0) === 0;
+    const policyDecision = isExplicitEmptyPolicyPack ? void 0 : await resolvePolicyDecision({
+        policies: options.policyPacks,
+        countryCode: location.countryCode,
+        regionCode: location.regionCode,
+        jurisdiction,
+        iabEnabled: options.iab?.enabled === true
+    });
+    if (hasExplicitPolicyPack && !isExplicitEmptyPolicyPack && !policyDecision) logger?.warn('Policy packs configured but no policy matched', {
+        country: location.countryCode,
+        region: location.regionCode
+    });
+    const resolvedPolicy = hasExplicitPolicyPack ? policyDecision?.policy ?? resolveNoPolicyFallback() : void 0;
+    const iabOptions = options.iab;
+    const shouldIncludeIabPayload = iabOptions?.enabled === true && (!hasExplicitPolicyPack || resolvedPolicy?.model === 'iab');
+    const translationsResult = translations_getTranslationsData(acceptLanguage, options.customTranslations, {
+        i18n: options.i18n,
+        policyI18n: resolvedPolicy?.i18n,
+        logger
+    });
+    const responseTranslations = shouldIncludeIabPayload ? translationsResult : {
+        ...translationsResult,
+        translations: stripIabTranslations(translationsResult.translations)
+    };
+    let gvl = null;
+    if (shouldIncludeIabPayload && iabOptions) {
+        const language = translationsResult.language.split('-')[0] || 'en';
+        const gvlResolver = createGVLResolver({
+            appName: options.appName || 'c15t',
+            bundled: iabOptions.bundled,
+            cacheAdapter: options.cache?.adapter,
+            vendorIds: iabOptions.vendorIds,
+            endpoint: iabOptions.endpoint
+        });
+        gvl = await gvlResolver.get(language);
+    }
+    const customVendors = shouldIncludeIabPayload ? iabOptions?.customVendors : void 0;
+    const snapshot = policyDecision ? await createPolicySnapshotToken({
+        options: options.policySnapshot,
+        tenantId: options.tenantId,
+        policyId: policyDecision.policy.id,
+        fingerprint: policyDecision.fingerprint,
+        matchedBy: policyDecision.matchedBy,
+        country: location?.countryCode ?? null,
+        region: location?.regionCode ?? null,
+        jurisdiction,
+        language: translationsResult.language,
+        model: policyDecision.policy.model,
+        policyI18n: policyDecision.policy.i18n,
+        expiryDays: policyDecision.policy.consent?.expiryDays,
+        scopeMode: policyDecision.policy.consent?.scopeMode,
+        uiMode: policyDecision.policy.ui?.mode,
+        bannerUi: policyDecision.policy.ui?.banner,
+        dialogUi: policyDecision.policy.ui?.dialog,
+        categories: policyDecision.policy.consent?.categories,
+        preselectedCategories: policyDecision.policy.consent?.preselectedCategories,
+        gpc: policyDecision.policy.consent?.gpc,
+        proofConfig: policyDecision.policy.proof
+    }) : void 0;
+    const gpc = '1' === request.headers.get('sec-gpc');
+    metrics_getMetrics()?.recordInit({
+        jurisdiction,
+        country: location?.countryCode ?? void 0,
+        region: location?.regionCode ?? void 0,
+        gpc
+    });
+    return {
+        jurisdiction,
+        location,
+        translations: responseTranslations,
+        branding: options.branding || 'c15t',
+        ...shouldIncludeIabPayload && {
+            gvl,
+            customVendors
+        },
+        ...resolvedPolicy && {
+            policy: resolvedPolicy
+        },
+        ...policyDecision && {
+            policyDecision: {
+                policyId: policyDecision.policy.id,
+                fingerprint: policyDecision.fingerprint,
+                matchedBy: policyDecision.matchedBy,
+                country: location.countryCode,
+                region: location.regionCode,
+                jurisdiction
+            }
+        },
+        ...snapshot?.token && {
+            policySnapshotToken: snapshot.token
+        },
+        ...shouldIncludeIabPayload && iabOptions?.cmpId != null && {
+            cmpId: iabOptions.cmpId
+        }
     };
 }
 const createInitRoute = (options)=>{
@@ -834,7 +1180,7 @@ const createInitRoute = (options)=>{
 - **Location** – User's location (null if geo-location is disabled)
 - **Translations** – Consent manager copy (from \`Accept-Language\` header)
 - **Branding** – Configured branding key
-- **GVL** – Global Vendor List when enabled
+- **GVL** – Global Vendor List when IAB is active for the request
 
 Use for geo-targeted consent banners and regional compliance.`,
         tags: [
@@ -851,43 +1197,22 @@ Use for geo-targeted consent banners and regional compliance.`,
             }
         }
     }), async (c)=>{
-        const request = c.req.raw;
-        const acceptLanguage = request.headers.get('accept-language') || 'en';
-        const location = await getLocation(request, options);
-        const jurisdiction = getJurisdiction(location, options);
-        const translationsResult = translations_getTranslationsData(acceptLanguage, options.advanced?.customTranslations);
-        let gvl = null;
-        if (options.advanced?.gvl?.enabled) {
-            const language = translationsResult.language.split('-')[0] || 'en';
-            const gvlResolver = createGVLResolver({
-                appName: options.appName || 'c15t',
-                bundled: options.advanced.gvl.bundled,
-                cacheAdapter: options.advanced.cache?.adapter,
-                vendorIds: options.advanced.gvl.vendorIds,
-                endpoint: options.advanced.gvl.endpoint
-            });
-            gvl = await gvlResolver.get(language);
-        }
-        const customVendors = options.advanced?.gvl?.customVendors;
-        const gpc = '1' === request.headers.get('sec-gpc');
-        getMetrics()?.recordInit({
-            jurisdiction,
-            country: location?.countryCode ?? void 0,
-            region: location?.regionCode ?? void 0,
-            gpc
-        });
-        return c.json({
-            jurisdiction,
-            location,
-            translations: translationsResult,
-            branding: options.advanced?.branding || 'c15t',
-            gvl,
-            customVendors
-        });
+        const ctx = c.get('c15tContext');
+        const payload = await resolveInitPayload(c.req.raw, options, ctx?.logger);
+        return c.json(payload);
     });
     return app;
 };
-const version_version = '2.0.0-rc.0';
+const external_base_x_namespaceObject = require("base-x");
+var external_base_x_default = /*#__PURE__*/ __webpack_require__.n(external_base_x_namespaceObject);
+external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
+class consent_policy_LegalDocumentPolicyConflictError extends Error {
+    constructor(message){
+        super(message);
+        this.name = 'LegalDocumentPolicyConflictError';
+    }
+}
+const version_version = '2.0.0-rc.10';
 function getHeaders(headers) {
     if (!headers) return {
         countryCode: null,
@@ -974,6 +1299,12 @@ const getSubjectHandler = async (c)=>{
     const subjectId = c.req.param('id');
     const type = c.req.query('type');
     const typeFilter = type?.split(',').map((t)=>t.trim()) || [];
+    if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+        message: 'Subject ID is required',
+        cause: {
+            code: 'SUBJECT_ID_REQUIRED'
+        }
+    });
     logger.debug('Request parameters', {
         subjectId,
         typeFilter
@@ -1002,7 +1333,6 @@ const getSubjectHandler = async (c)=>{
             subject: {
                 id: subject.id,
                 externalId: subject.externalId ?? void 0,
-                isIdentified: subject.isIdentified,
                 createdAt: subject.createdAt
             },
             consents: filteredConsents,
@@ -1010,7 +1340,7 @@ const getSubjectHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in GET /subjects/:id handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1058,7 +1388,6 @@ const listSubjectsHandler = async (c)=>{
             return {
                 id: subject.id,
                 externalId: subject.externalId ?? externalId,
-                isIdentified: subject.isIdentified,
                 createdAt: subject.createdAt,
                 consents: consentItems
             };
@@ -1072,7 +1401,7 @@ const listSubjectsHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in GET /subjects handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1084,9 +1413,7 @@ const listSubjectsHandler = async (c)=>{
         });
     }
 };
-const external_base_x_namespaceObject = require("base-x");
-var external_base_x_default = /*#__PURE__*/ __webpack_require__.n(external_base_x_namespaceObject);
-const prefixes = {
+const utils_prefixes = {
     auditLog: 'log',
     consent: 'cns',
     consentPolicy: 'pol',
@@ -1094,10 +1421,10 @@ const prefixes = {
     domain: 'dom',
     subject: 'sub'
 };
-const b58 = external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
-function generateId(model) {
+const utils_b58 = external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
+function utils_generateId(model) {
     const buf = crypto.getRandomValues(new Uint8Array(20));
-    const prefix = prefixes[model];
+    const prefix = utils_prefixes[model];
     const EPOCH_TIMESTAMP = 1700000000000;
     const t = Date.now() - EPOCH_TIMESTAMP;
     const high = Math.floor(t / 0x100000000);
@@ -1110,9 +1437,9 @@ function generateId(model) {
     buf[5] = low >>> 16 & 255;
     buf[6] = low >>> 8 & 255;
     buf[7] = 255 & low;
-    return `${prefix}_${b58.encode(buf)}`;
+    return `${prefix}_${utils_b58.encode(buf)}`;
 }
-async function generateUniqueId(db, model, ctx, options = {}) {
+async function utils_generateUniqueId(db, model, ctx, options = {}) {
     const { maxRetries = 10, attempt = 0, baseDelay = 5 } = options;
     if (attempt >= maxRetries) {
         const error = new Error(`Failed to generate unique ID for ${model} after ${maxRetries} attempts`);
@@ -1122,7 +1449,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
         });
         throw error;
     }
-    const id = generateId(model);
+    const id = utils_generateId(model);
     try {
         const existing = await db.findFirst(model, {
             where: (b)=>b('id', '=', id)
@@ -1136,7 +1463,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
             });
             const delay = Math.min(baseDelay * 2 ** attempt, 1000);
             await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
+            return utils_generateUniqueId(db, model, ctx, {
                 maxRetries,
                 attempt: attempt + 1,
                 baseDelay
@@ -1152,7 +1479,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
         if (attempt < maxRetries - 1) {
             const delay = Math.min(baseDelay * 2 ** attempt, 2000);
             await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
+            return utils_generateUniqueId(db, model, ctx, {
                 maxRetries,
                 attempt: attempt + 1,
                 baseDelay
@@ -1169,6 +1496,12 @@ const patchSubjectHandler = async (c)=>{
     const subjectId = c.req.param('id');
     const body = await c.req.json();
     const { externalId, identityProvider = 'external' } = body;
+    if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+        message: 'Subject ID is required',
+        cause: {
+            code: 'SUBJECT_ID_REQUIRED'
+        }
+    });
     logger.debug('Request parameters', {
         subjectId,
         externalId,
@@ -1191,12 +1524,11 @@ const patchSubjectHandler = async (c)=>{
                 set: {
                     externalId,
                     identityProvider,
-                    isIdentified: true,
                     updatedAt: new Date()
                 }
             });
             await tx.create('auditLog', {
-                id: await generateUniqueId(tx, 'auditLog', ctx),
+                id: await utils_generateUniqueId(tx, 'auditLog', ctx),
                 subjectId,
                 entityType: 'subject',
                 entityId: subjectId,
@@ -1211,10 +1543,6 @@ const patchSubjectHandler = async (c)=>{
                     identityProvider: {
                         from: subject.identityProvider,
                         to: identityProvider
-                    },
-                    isIdentified: {
-                        from: subject.isIdentified,
-                        to: true
                     }
                 },
                 metadata: {
@@ -1228,18 +1556,17 @@ const patchSubjectHandler = async (c)=>{
             externalId,
             identityProvider
         });
-        getMetrics()?.recordSubjectLinked(identityProvider);
+        metrics_getMetrics()?.recordSubjectLinked(identityProvider);
         return c.json({
             success: true,
             subject: {
                 id: subjectId,
-                externalId,
-                isIdentified: true
+                externalId
             }
         });
     } catch (error) {
         logger.error('Error in PATCH /subjects/:id handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1251,6 +1578,234 @@ const patchSubjectHandler = async (c)=>{
         });
     }
 };
+const DEFAULT_ISSUER = 'c15t';
+const DEFAULT_AUDIENCE = 'c15t-legal-document-snapshot';
+function isLegalDocumentPolicyType(type) {
+    return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+}
+function snapshot_resolveSnapshotIssuer(options) {
+    return options?.issuer?.trim() || DEFAULT_ISSUER;
+}
+function snapshot_resolveSnapshotAudience(params) {
+    const configuredAudience = params.options?.audience?.trim();
+    if (configuredAudience) return configuredAudience;
+    return params.tenantId ? `${DEFAULT_AUDIENCE}:${params.tenantId}` : DEFAULT_AUDIENCE;
+}
+function snapshot_getSigningKey(secret) {
+    return new TextEncoder().encode(secret);
+}
+function isLegalDocumentSnapshotPayload(payload) {
+    return 'string' == typeof payload.iss && 'string' == typeof payload.aud && 'string' == typeof payload.sub && isLegalDocumentPolicyType(payload.type) && 'string' == typeof payload.version && 'string' == typeof payload.hash && 'string' == typeof payload.effectiveDate && 'number' == typeof payload.iat && 'number' == typeof payload.exp;
+}
+async function verifyLegalDocumentSnapshotToken(params) {
+    const { token, options, tenantId } = params;
+    if (!options?.signingKey) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (!token) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (3 !== token.split('.').length) return {
+        valid: false,
+        reason: 'malformed'
+    };
+    try {
+        const { payload, protectedHeader } = await (0, external_jose_namespaceObject.jwtVerify)(token, snapshot_getSigningKey(options.signingKey), {
+            issuer: snapshot_resolveSnapshotIssuer(options),
+            audience: snapshot_resolveSnapshotAudience({
+                options,
+                tenantId
+            })
+        });
+        const header = protectedHeader;
+        if ('HS256' !== header.alg || 'JWT' !== header.typ) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (!isLegalDocumentSnapshotPayload(payload)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (payload.sub !== payload.hash) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if ((tenantId ?? void 0) !== (payload.tenantId ?? void 0)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        return {
+            valid: true,
+            payload
+        };
+    } catch (error) {
+        if (error instanceof external_jose_namespaceObject.errors.JWTExpired) return {
+            valid: false,
+            reason: 'expired'
+        };
+        return {
+            valid: false,
+            reason: 'invalid'
+        };
+    }
+}
+function buildRuntimeDecisionDedupeKey(input) {
+    return [
+        input.tenantId ?? 'default',
+        input.fingerprint,
+        input.matchedBy,
+        input.countryCode ?? 'none',
+        input.regionCode ?? 'none',
+        input.jurisdiction,
+        input.language ?? 'none'
+    ].join('|');
+}
+function buildDecisionPayload(params) {
+    const { tenantId, snapshot, decision, location, jurisdiction, language, proofConfig } = params;
+    if (snapshot?.valid && snapshot.payload) {
+        const sp = snapshot.payload;
+        return {
+            tenantId,
+            policyId: sp.policyId,
+            fingerprint: sp.fingerprint,
+            matchedBy: sp.matchedBy,
+            countryCode: sp.country,
+            regionCode: sp.region,
+            jurisdiction: sp.jurisdiction,
+            language: sp.language,
+            model: sp.model,
+            policyI18n: sp.policyI18n,
+            uiMode: sp.uiMode,
+            bannerUi: sp.bannerUi,
+            dialogUi: sp.dialogUi,
+            categories: sp.categories,
+            preselectedCategories: sp.preselectedCategories,
+            proofConfig: sp.proofConfig,
+            dedupeKey: buildRuntimeDecisionDedupeKey({
+                tenantId,
+                fingerprint: sp.fingerprint,
+                matchedBy: sp.matchedBy,
+                countryCode: sp.country,
+                regionCode: sp.region,
+                jurisdiction: sp.jurisdiction,
+                language: sp.language
+            }),
+            source: 'snapshot_token'
+        };
+    }
+    if (decision) return {
+        tenantId,
+        policyId: decision.policy.id,
+        fingerprint: decision.fingerprint,
+        matchedBy: decision.matchedBy,
+        countryCode: location.countryCode,
+        regionCode: location.regionCode,
+        jurisdiction,
+        language,
+        model: decision.policy.model,
+        policyI18n: decision.policy.i18n,
+        uiMode: decision.policy.ui?.mode,
+        bannerUi: decision.policy.ui?.banner,
+        dialogUi: decision.policy.ui?.dialog,
+        categories: decision.policy.consent?.categories,
+        preselectedCategories: decision.policy.consent?.preselectedCategories,
+        proofConfig,
+        dedupeKey: buildRuntimeDecisionDedupeKey({
+            tenantId,
+            fingerprint: decision.fingerprint,
+            matchedBy: decision.matchedBy,
+            countryCode: location.countryCode,
+            regionCode: location.regionCode,
+            jurisdiction,
+            language
+        }),
+        source: 'write_time_fallback'
+    };
+}
+function parseLanguageFromHeader(header) {
+    if (!header) return;
+    const firstLanguage = header.split(',')[0]?.split(';')[0]?.trim();
+    if (!firstLanguage) return;
+    return firstLanguage.split('-')[0]?.toLowerCase();
+}
+function isLegalDocumentType(type) {
+    return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+}
+function resolveSnapshotFailureMode(ctx) {
+    return ctx.policySnapshot?.onValidationFailure ?? 'reject';
+}
+function buildSnapshotHttpException(reason) {
+    switch(reason){
+        case 'missing':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Policy snapshot token is required',
+                cause: {
+                    code: 'POLICY_SNAPSHOT_REQUIRED'
+                }
+            });
+        case 'expired':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Policy snapshot token has expired',
+                cause: {
+                    code: 'POLICY_SNAPSHOT_EXPIRED'
+                }
+            });
+        case 'malformed':
+        case 'invalid':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Policy snapshot token is invalid',
+                cause: {
+                    code: 'POLICY_SNAPSHOT_INVALID'
+                }
+            });
+        default:
+            {
+                const _exhaustive = reason;
+                throw new Error(`Unhandled policy snapshot verification failure reason: ${_exhaustive}`);
+            }
+    }
+}
+function buildLegalDocumentSnapshotHttpException(reason) {
+    switch(reason){
+        case 'missing':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token is required',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_REQUIRED'
+                }
+            });
+        case 'expired':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token has expired',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_EXPIRED'
+                }
+            });
+        case 'malformed':
+        case 'invalid':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token is invalid',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_INVALID'
+                }
+            });
+        default:
+            {
+                const _exhaustive = reason;
+                throw new Error(`Unhandled legal document snapshot verification failure reason: ${_exhaustive}`);
+            }
+    }
+}
+function buildLegalDocumentProofHttpException(message) {
+    return new http_exception_namespaceObject.HTTPException(409, {
+        message,
+        cause: {
+            code: 'LEGAL_DOCUMENT_PROOF_REQUIRED'
+        }
+    });
+}
 const postSubjectHandler = async (c)=>{
     const ctx = c.get('c15tContext');
     const logger = ctx.logger;
@@ -1260,6 +1815,8 @@ const postSubjectHandler = async (c)=>{
     const { type, subjectId, identityProvider, externalSubjectId, domain, metadata, givenAt: givenAtEpoch } = input;
     const preferences = 'preferences' in input ? input.preferences : void 0;
     const givenAt = new Date(givenAtEpoch);
+    const rawConsentAction = 'consentAction' in input ? input.consentAction : void 0;
+    let derivedConsentAction;
     logger.debug('Request parameters', {
         type,
         subjectId,
@@ -1268,6 +1825,64 @@ const postSubjectHandler = async (c)=>{
         domain
     });
     try {
+        if ('cookie_banner' === type) logger.warn('`cookie_banner` policy type is deprecated in 2.0 RC and will be removed in 2.0 GA. Use backend runtime `policyPacks` for banner behavior.');
+        const request = c.req.raw ?? new Request('https://c15t.local/subjects');
+        const acceptLanguage = request.headers.get('accept-language');
+        const requestLanguage = parseLanguageFromHeader(acceptLanguage);
+        const location = await getLocation(request, ctx);
+        const resolvedJurisdiction = getJurisdiction(location, ctx);
+        const legalDocumentConsent = isLegalDocumentType(type);
+        const runtimeSnapshotVerification = legalDocumentConsent ? {
+            valid: false,
+            reason: 'missing'
+        } : await verifyPolicySnapshotToken({
+            token: input.policySnapshotToken,
+            options: ctx.policySnapshot,
+            tenantId: ctx.tenantId
+        });
+        const legalDocumentSnapshotVerification = legalDocumentConsent ? await verifyLegalDocumentSnapshotToken({
+            token: input.documentSnapshotToken,
+            options: ctx.legalDocumentSnapshot,
+            tenantId: ctx.tenantId
+        }) : {
+            valid: false,
+            reason: 'missing'
+        };
+        const hasValidSnapshot = runtimeSnapshotVerification.valid;
+        const snapshotPayload = runtimeSnapshotVerification.valid ? runtimeSnapshotVerification.payload : null;
+        const shouldRequireSnapshot = !legalDocumentConsent && !!ctx.policySnapshot?.signingKey && 'reject' === resolveSnapshotFailureMode(ctx);
+        if (!hasValidSnapshot && shouldRequireSnapshot) throw buildSnapshotHttpException(runtimeSnapshotVerification.reason);
+        const shouldRequireLegalDocumentSnapshot = legalDocumentConsent && !!ctx.legalDocumentSnapshot?.signingKey;
+        if (shouldRequireLegalDocumentSnapshot && !legalDocumentSnapshotVerification.valid) throw buildLegalDocumentSnapshotHttpException(legalDocumentSnapshotVerification.reason);
+        const resolvedPolicyDecision = hasValidSnapshot ? void 0 : legalDocumentConsent ? void 0 : await resolvePolicyDecision({
+            policies: ctx.policyPacks,
+            countryCode: location.countryCode,
+            regionCode: location.regionCode,
+            jurisdiction: resolvedJurisdiction,
+            iabEnabled: ctx.iab?.enabled === true
+        });
+        const effectivePolicy = hasValidSnapshot && snapshotPayload ? {
+            id: snapshotPayload.policyId,
+            model: snapshotPayload.model,
+            i18n: snapshotPayload.policyI18n,
+            consent: {
+                expiryDays: snapshotPayload.expiryDays,
+                scopeMode: snapshotPayload.scopeMode,
+                categories: snapshotPayload.categories,
+                preselectedCategories: snapshotPayload.preselectedCategories,
+                gpc: snapshotPayload.gpc
+            },
+            ui: {
+                mode: snapshotPayload.uiMode,
+                banner: snapshotPayload.bannerUi,
+                dialog: snapshotPayload.dialogUi
+            },
+            proof: snapshotPayload.proofConfig
+        } : resolvedPolicyDecision?.policy;
+        const effectiveModel = effectivePolicy?.model ?? ('opt-in' === input.jurisdictionModel || 'opt-out' === input.jurisdictionModel || 'iab' === input.jurisdictionModel ? input.jurisdictionModel : void 0);
+        if ('all' === rawConsentAction) derivedConsentAction = 'accept_all';
+        else if ('necessary' === rawConsentAction) derivedConsentAction = 'opt-out' === effectiveModel ? 'opt_out' : 'reject_all';
+        else if ('custom' === rawConsentAction) derivedConsentAction = 'custom';
         const subject = await registry.findOrCreateSubject({
             subjectId,
             externalSubjectId,
@@ -1294,8 +1909,63 @@ const postSubjectHandler = async (c)=>{
         });
         let policyId;
         let purposeIds = [];
+        let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
-        if (inputPolicyId) {
+        const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
+        if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
+            if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
+            const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
+            if (Number.isNaN(effectiveDate.getTime())) throw buildLegalDocumentSnapshotHttpException('invalid');
+            const documentPolicy = await registry.findOrCreateLegalDocumentPolicy({
+                type,
+                version: legalDocumentSnapshotVerification.payload.version,
+                hash: legalDocumentSnapshotVerification.payload.hash,
+                effectiveDate
+            });
+            policyId = documentPolicy.id;
+        } else if (legalDocumentConsent) {
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+            if (inputPolicyId) {
+                policyId = inputPolicyId;
+                const policy = await registry.findConsentPolicyById(inputPolicyId);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        policyId,
+                        type
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId,
+                        type
+                    }
+                });
+            } else if (inputPolicyHash) {
+                const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId: policy.id,
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                policyId = policy.id;
+            }
+        } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
             if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
@@ -1326,20 +1996,73 @@ const postSubjectHandler = async (c)=>{
             policyId = policy.id;
         }
         if (preferences) {
-            const consentedPurposes = Object.entries(preferences).filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
+            const allowedCategories = effectivePolicy?.consent?.categories;
+            const effectiveScopeMode = effectivePolicy?.consent?.scopeMode ?? 'permissive';
+            const hasWildcardCategoryScope = allowedCategories?.includes('*') === true;
+            const appliedPreferenceEntries = Object.entries(preferences);
+            let filteredAppliedPreferenceEntries = appliedPreferenceEntries;
+            if (allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
+                const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!allowedCategories.includes(purpose));
+                filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>allowedCategories.includes(purpose));
+                if (disallowed.length > 0 && 'strict' === effectiveScopeMode) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Preferences include categories not allowed by policy',
+                    cause: {
+                        code: 'PURPOSE_NOT_ALLOWED',
+                        disallowed
+                    }
+                });
+            }
+            appliedPreferences = Object.fromEntries(filteredAppliedPreferenceEntries);
+            const filteredConsentedPurposeCodes = filteredAppliedPreferenceEntries.filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
             logger.debug('Consented purposes', {
-                consentedPurposes
+                consentedPurposes: filteredConsentedPurposeCodes
             });
-            const purposesRaw = await Promise.all(consentedPurposes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
+            const purposesRaw = await Promise.all(filteredConsentedPurposeCodes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
             const purposes = purposesRaw.map((purpose)=>purpose?.id ?? null).filter((id)=>Boolean(id));
             logger.debug('Filtered purposes', {
                 purposes
             });
             if (0 === purposes.length) logger.warn('No valid purpose IDs found after filtering. Using empty list.', {
-                consentedPurposes
+                consentedPurposes: filteredConsentedPurposeCodes
             });
             purposeIds = purposes;
         }
+        if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+            message: 'Failed to resolve policy',
+            cause: {
+                code: 'POLICY_RESOLUTION_FAILED',
+                type
+            }
+        });
+        const expiryDays = effectivePolicy?.consent?.expiryDays;
+        const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
+        const proofConfig = effectivePolicy?.proof;
+        const shouldStoreIp = proofConfig?.storeIp ?? true;
+        const shouldStoreUserAgent = proofConfig?.storeUserAgent ?? true;
+        const shouldStoreLanguage = proofConfig?.storeLanguage ?? false;
+        const effectiveLanguage = (snapshotPayload?.language && hasValidSnapshot ? snapshotPayload.language : requestLanguage) ?? void 0;
+        const metadataWithPolicy = {
+            ...metadata ?? {},
+            ...shouldStoreLanguage && effectiveLanguage ? {
+                policyLanguage: effectiveLanguage
+            } : {}
+        };
+        const effectiveJurisdiction = hasValidSnapshot && snapshotPayload ? snapshotPayload.jurisdiction : resolvedJurisdiction;
+        const decisionPayload = buildDecisionPayload({
+            tenantId: ctx.tenantId,
+            snapshot: hasValidSnapshot && snapshotPayload ? {
+                valid: true,
+                payload: snapshotPayload
+            } : null,
+            decision: resolvedPolicyDecision,
+            location: {
+                countryCode: location.countryCode,
+                regionCode: location.regionCode
+            },
+            jurisdiction: resolvedJurisdiction,
+            language: effectiveLanguage,
+            proofConfig
+        });
         const existingConsent = await db.findFirst('consent', {
             where: (b)=>b.and(b('subjectId', '=', subject.id), b('domainId', '=', domainRecord.id), b('policyId', '=', policyId), b('givenAt', '=', givenAt))
         });
@@ -1354,6 +2077,7 @@ const postSubjectHandler = async (c)=>{
                 domain: domainRecord.name,
                 type,
                 metadata,
+                appliedPreferences,
                 uiSource: input.uiSource,
                 givenAt: existingConsent.givenAt
             });
@@ -1365,24 +2089,64 @@ const postSubjectHandler = async (c)=>{
                 policyId,
                 purposeIds
             });
+            const runtimePolicyDecision = decisionPayload ? await tx.findFirst('runtimePolicyDecision', {
+                where: (b)=>b('dedupeKey', '=', decisionPayload.dedupeKey)
+            }) ?? await tx.create('runtimePolicyDecision', {
+                id: `rpd_${crypto.randomUUID().replaceAll('-', '')}`,
+                tenantId: decisionPayload.tenantId,
+                policyId: decisionPayload.policyId,
+                fingerprint: decisionPayload.fingerprint,
+                matchedBy: decisionPayload.matchedBy,
+                countryCode: decisionPayload.countryCode,
+                regionCode: decisionPayload.regionCode,
+                jurisdiction: decisionPayload.jurisdiction,
+                language: decisionPayload.language,
+                model: decisionPayload.model,
+                policyI18n: decisionPayload.policyI18n ? {
+                    json: decisionPayload.policyI18n
+                } : void 0,
+                uiMode: decisionPayload.uiMode,
+                bannerUi: decisionPayload.bannerUi ? {
+                    json: decisionPayload.bannerUi
+                } : void 0,
+                dialogUi: decisionPayload.dialogUi ? {
+                    json: decisionPayload.dialogUi
+                } : void 0,
+                categories: decisionPayload.categories ? {
+                    json: decisionPayload.categories
+                } : void 0,
+                preselectedCategories: decisionPayload.preselectedCategories ? {
+                    json: decisionPayload.preselectedCategories
+                } : void 0,
+                proofConfig: decisionPayload.proofConfig ? {
+                    json: decisionPayload.proofConfig
+                } : void 0,
+                dedupeKey: decisionPayload.dedupeKey
+            }).catch(async ()=>tx.findFirst('runtimePolicyDecision', {
+                    where: (b)=>b('dedupeKey', '=', decisionPayload.dedupeKey)
+                })) : void 0;
             const consentRecord = await tx.create('consent', {
-                id: await generateUniqueId(tx, 'consent', ctx),
+                id: await utils_generateUniqueId(tx, 'consent', ctx),
                 subjectId: subject.id,
                 domainId: domainRecord.id,
                 policyId,
                 purposeIds: {
                     json: purposeIds
                 },
-                metadata: metadata ? {
-                    json: metadata
+                metadata: Object.keys(metadataWithPolicy).length > 0 ? {
+                    json: metadataWithPolicy
                 } : void 0,
-                ipAddress: ctx.ipAddress,
-                userAgent: ctx.userAgent,
-                jurisdiction: input.jurisdiction,
-                jurisdictionModel: input.jurisdictionModel,
+                ipAddress: shouldStoreIp ? ctx.ipAddress : null,
+                userAgent: shouldStoreUserAgent ? ctx.userAgent : null,
+                jurisdiction: effectiveJurisdiction,
+                jurisdictionModel: effectiveModel,
                 tcString: input.tcString,
                 uiSource: input.uiSource,
-                givenAt
+                consentAction: derivedConsentAction,
+                givenAt,
+                validUntil,
+                runtimePolicyDecisionId: runtimePolicyDecision?.id,
+                runtimePolicySource: decisionPayload?.source
             });
             logger.debug('Created consent', {
                 consentRecord: consentRecord.id
@@ -1399,9 +2163,9 @@ const postSubjectHandler = async (c)=>{
                 consent: consentRecord
             };
         });
-        const metrics = getMetrics();
+        const metrics = metrics_getMetrics();
         if (metrics) {
-            const jurisdiction = input.jurisdiction;
+            const jurisdiction = effectiveJurisdiction;
             metrics.recordConsentCreated({
                 type,
                 jurisdiction
@@ -1423,15 +2187,22 @@ const postSubjectHandler = async (c)=>{
             domain: domainRecord.name,
             type,
             metadata,
+            appliedPreferences,
             uiSource: input.uiSource,
             givenAt: result.consent.givenAt
         });
     } catch (error) {
         logger.error('Error in POST /subjects handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
+        if (error instanceof consent_policy_LegalDocumentPolicyConflictError) throw new http_exception_namespaceObject.HTTPException(409, {
+            message: error.message,
+            cause: {
+                code: 'LEGAL_DOCUMENT_RELEASE_CONFLICT'
+            }
+        });
         throw new http_exception_namespaceObject.HTTPException(500, {
             message: 'Internal server error',
             cause: {
@@ -1444,11 +2215,7 @@ const createSubjectRoutes = ()=>{
     const app = new external_hono_namespaceObject.Hono();
     app.get('/:id', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Get subject consent status',
-        description: `Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.
-
-**Query:** \`type\` – Filter by consent type(s), comma-separated (e.g. \`privacy_policy,cookie_banner\`).
-
-**Response:** \`subject\`, \`consents\` (matching filter), \`isValid\` (valid consent for requested type(s)).`,
+        description: "Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.\n\n**Query:** `type` – Filter by consent type(s), comma-separated (e.g. `privacy_policy,cookie_banner`).\n\n**Response:** `subject`, `consents` (matching filter), `isValid` (valid consent for requested type(s)).",
         tags: [
             'Subject',
             'Consent'
@@ -1469,12 +2236,7 @@ const createSubjectRoutes = ()=>{
     }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_namespaceObject.getSubjectInputSchema), getSubjectHandler);
     app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Record consent for a subject',
-        description: `Creates a new consent record (append-only). Creates the subject if it does not exist.
-
-**Request body by \`type\`:**
-- \`cookie_banner\` – Requires \`preferences\` object
-- \`privacy_policy\`, \`dpa\`, \`terms_and_conditions\` – Optional \`policyId\`
-- \`marketing_communications\`, \`age_verification\`, \`other\` – Optional \`preferences\``,
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'