@c15t/backend 2.0.0-rc.1 → 2.0.0-rc.10

package/dist/core.cjs

@@ -1,6 +1,6 @@
 "use strict";
 var __webpack_modules__ = {
-    "./src/db/schema/index.ts" (__unused_webpack_module, __webpack_exports__, __webpack_require__) {
+    "./src/db/schema/index.ts" (__unused_rspack_module, __webpack_exports__, __webpack_require__) {
         __webpack_require__.d(__webpack_exports__, {
             DB: ()=>DB
         });
@@ -79,7 +79,6 @@ var __webpack_modules__ = {
         });
         const subjectTable = (0, schema_namespaceObject.table)('subject', {
             id: (0, schema_namespaceObject.idColumn)('id', 'varchar(255)'),
-            isIdentified: (0, schema_namespaceObject.column)('isIdentified', 'bool').defaultTo$(()=>false),
             externalId: (0, schema_namespaceObject.column)('externalId', 'string').nullable(),
             identityProvider: (0, schema_namespaceObject.column)('identityProvider', 'string').nullable(),
             lastIpAddress: (0, schema_namespaceObject.column)('lastIpAddress', 'string').nullable(),
@@ -172,12 +171,16 @@ var __webpack_modules__ = {
             jurisdictionModel: (0, schema_namespaceObject.column)('jurisdictionModel', 'string').nullable(),
             tcString: (0, schema_namespaceObject.column)('tcString', 'string').nullable(),
             uiSource: (0, schema_namespaceObject.column)('uiSource', 'string').nullable(),
+            consentAction: (0, schema_namespaceObject.column)('consentAction', 'string').nullable(),
+            runtimePolicyDecisionId: (0, schema_namespaceObject.column)('runtimePolicyDecisionId', 'string').nullable(),
+            runtimePolicySource: (0, schema_namespaceObject.column)('runtimePolicySource', 'string').nullable(),
             tenantId: (0, schema_namespaceObject.column)('tenantId', 'string').nullable()
         });
         const consent_policy_consentPolicyTable = (0, schema_namespaceObject.table)('consentPolicy', {
             id: (0, schema_namespaceObject.idColumn)('id', 'varchar(255)'),
             version: (0, schema_namespaceObject.column)('version', 'string'),
             type: (0, schema_namespaceObject.column)('type', 'string'),
+            hash: (0, schema_namespaceObject.column)('hash', 'string').nullable(),
             effectiveDate: (0, schema_namespaceObject.column)('effectiveDate', 'timestamp'),
             isActive: (0, schema_namespaceObject.column)('isActive', 'bool').defaultTo$(()=>true),
             createdAt: (0, schema_namespaceObject.column)('createdAt', 'timestamp').defaultTo$('now'),
@@ -197,9 +200,29 @@ var __webpack_modules__ = {
             updatedAt: (0, schema_namespaceObject.column)('updatedAt', 'timestamp').defaultTo$('now'),
             tenantId: (0, schema_namespaceObject.column)('tenantId', 'string').nullable()
         });
+        const runtimePolicyDecisionTable = (0, schema_namespaceObject.table)('runtimePolicyDecision', {
+            id: (0, schema_namespaceObject.idColumn)('id', 'varchar(255)'),
+            tenantId: (0, schema_namespaceObject.column)('tenantId', 'string').nullable(),
+            policyId: (0, schema_namespaceObject.column)('policyId', 'string'),
+            fingerprint: (0, schema_namespaceObject.column)('fingerprint', 'string'),
+            matchedBy: (0, schema_namespaceObject.column)('matchedBy', 'string'),
+            countryCode: (0, schema_namespaceObject.column)('countryCode', 'string').nullable(),
+            regionCode: (0, schema_namespaceObject.column)('regionCode', 'string').nullable(),
+            jurisdiction: (0, schema_namespaceObject.column)('jurisdiction', 'string'),
+            language: (0, schema_namespaceObject.column)('language', 'string').nullable(),
+            model: (0, schema_namespaceObject.column)('model', 'string'),
+            policyI18n: (0, schema_namespaceObject.column)('policyI18n', 'json').nullable(),
+            uiMode: (0, schema_namespaceObject.column)('uiMode', 'string').nullable(),
+            bannerUi: (0, schema_namespaceObject.column)('bannerUi', 'json').nullable(),
+            dialogUi: (0, schema_namespaceObject.column)('dialogUi', 'json').nullable(),
+            categories: (0, schema_namespaceObject.column)('categories', 'json').nullable(),
+            preselectedCategories: (0, schema_namespaceObject.column)('preselectedCategories', 'json').nullable(),
+            proofConfig: (0, schema_namespaceObject.column)('proofConfig', 'json').nullable(),
+            dedupeKey: (0, schema_namespaceObject.column)('dedupeKey', 'string').unique(),
+            createdAt: (0, schema_namespaceObject.column)('createdAt', 'timestamp').defaultTo$('now')
+        });
         const subject_subjectTable = (0, schema_namespaceObject.table)('subject', {
             id: (0, schema_namespaceObject.idColumn)('id', 'varchar(255)'),
-            isIdentified: (0, schema_namespaceObject.column)('isIdentified', 'bool').defaultTo$(()=>false),
             externalId: (0, schema_namespaceObject.column)('externalId', 'string').nullable(),
             identityProvider: (0, schema_namespaceObject.column)('identityProvider', 'string').nullable(),
             createdAt: (0, schema_namespaceObject.column)('createdAt', 'timestamp').defaultTo$('now'),
@@ -212,6 +235,7 @@ var __webpack_modules__ = {
                 subject: subject_subjectTable,
                 domain: domain_domainTable,
                 consentPolicy: consent_policy_consentPolicyTable,
+                runtimePolicyDecision: runtimePolicyDecisionTable,
                 consentPurpose: consent_purpose_consentPurposeTable,
                 consent: consent_consentTable,
                 auditLog: audit_log_auditLogTable
@@ -227,6 +251,9 @@ var __webpack_modules__ = {
                 consentPolicy: ({ many })=>({
                         consents: many('consent')
                     }),
+                runtimePolicyDecision: ({ many })=>({
+                        consents: many('consent')
+                    }),
                 consentPurpose: ()=>({}),
                 consent: ({ one })=>({
                         subject: one('subject', [
@@ -240,6 +267,10 @@ var __webpack_modules__ = {
                         policy: one('consentPolicy', [
                             'policyId',
                             'id'
+                        ]).foreignKey(),
+                        runtimePolicyDecision: one('runtimePolicyDecision', [
+                            'runtimePolicyDecisionId',
+                            'id'
                         ]).foreignKey()
                     }),
                 auditLog: ({ one })=>({
@@ -264,7 +295,7 @@ var __webpack_modules__ = {
             ]
         });
     },
-    "./src/define-config.ts" (__unused_webpack_module, __webpack_exports__, __webpack_require__) {
+    "./src/define-config.ts" (__unused_rspack_module, __webpack_exports__, __webpack_require__) {
         __webpack_require__.d(__webpack_exports__, {
             defineConfig: ()=>defineConfig
         });
@@ -306,7 +337,7 @@ function __webpack_require__(moduleId) {
 })();
 (()=>{
     __webpack_require__.r = (exports1)=>{
-        if ('undefined' != typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
             value: 'Module'
         });
         Object.defineProperty(exports1, '__esModule', {
@@ -320,7 +351,15 @@ var __webpack_exports__ = {};
     __webpack_require__.d(__webpack_exports__, {
         version: ()=>version_version,
         c15tInstance: ()=>c15tInstance,
-        defineConfig: ()=>define_config.defineConfig
+        EEA_COUNTRY_CODES: ()=>types_namespaceObject.EEA_COUNTRY_CODES,
+        EU_COUNTRY_CODES: ()=>types_namespaceObject.EU_COUNTRY_CODES,
+        UK_COUNTRY_CODES: ()=>types_namespaceObject.UK_COUNTRY_CODES,
+        policyMatchers: ()=>types_namespaceObject.policyMatchers,
+        policyBuilder: ()=>policyBuilder,
+        policyPackPresets: ()=>schema_.policyPackPresets,
+        inspectPolicies: ()=>inspectPolicies,
+        defineConfig: ()=>define_config.defineConfig,
+        POLICY_MATCH_DATASET_VERSION: ()=>types_namespaceObject.POLICY_MATCH_DATASET_VERSION
     });
     const logger_namespaceObject = require("@c15t/logger");
     const api_namespaceObject = require("@opentelemetry/api");
@@ -455,10 +494,10 @@ var __webpack_exports__ = {};
         };
     }
     const createOpenAPIConfig = (options)=>({
-            enabled: options.advanced?.openapi?.enabled !== false,
+            enabled: options.openapi?.enabled !== false,
             specPath: '/spec.json',
             docsPath: '/docs',
-            ...options.advanced?.openapi || {}
+            ...options.openapi || {}
         });
     const DEFAULT_IP_HEADERS = [
         'x-client-ip',
@@ -553,7 +592,7 @@ var __webpack_exports__ = {};
         return ip;
     }
     function getIpAddress(req, options) {
-        const ipAddressConfig = options.advanced?.ipAddress;
+        const ipAddressConfig = options.ipAddress;
         if (ipAddressConfig?.tracking === false) return null;
         const ipHeaders = ipAddressConfig?.ipAddressHeaders || DEFAULT_IP_HEADERS;
         const headers = req instanceof Request ? req.headers : req;
@@ -569,7 +608,137 @@ var __webpack_exports__ = {};
         }
         return null;
     }
-    const version_version = '2.0.0-rc.1';
+    const types_namespaceObject = require("@c15t/schema/types");
+    const translations_namespaceObject = require("@c15t/translations");
+    const all_namespaceObject = require("@c15t/translations/all");
+    const DEFAULT_PROFILE = 'default';
+    const warnedKeys = new Set();
+    function isSupportedBaseLanguage(lang) {
+        return lang in all_namespaceObject.baseTranslations;
+    }
+    function warnOnce(logger, key, message, metadata) {
+        if (!logger || warnedKeys.has(key)) return;
+        warnedKeys.add(key);
+        logger.warn(message, metadata);
+    }
+    function normalizeLanguage(value) {
+        if (!value) return;
+        const normalized = value.split(',')[0]?.split(';')[0]?.trim().toLowerCase();
+        if (!normalized) return;
+        return normalized.split('-')[0] ?? void 0;
+    }
+    function normalizeProfiles(params) {
+        const profiles = params.i18n?.messages;
+        const legacy = params.customTranslations;
+        if (profiles && Object.keys(profiles).length > 0) {
+            if (legacy && Object.keys(legacy).length > 0) warnOnce(params.logger, 'i18n.customTranslations.ignored', '`customTranslations` is deprecated and ignored when `i18n.messages` is configured.');
+            return profiles;
+        }
+        if (legacy && Object.keys(legacy).length > 0) {
+            warnOnce(params.logger, 'i18n.customTranslations.deprecated', '`customTranslations` is deprecated. Use `i18n.messages` instead.');
+            return {
+                [DEFAULT_PROFILE]: {
+                    translations: legacy
+                }
+            };
+        }
+        return {};
+    }
+    function buildCandidates(input) {
+        const raw = [
+            {
+                language: input.language,
+                reason: 'profile_language'
+            },
+            {
+                language: input.fallbackLanguage,
+                reason: 'profile_fallback'
+            }
+        ];
+        const dedupe = new Set();
+        return raw.filter((candidate)=>{
+            const key = candidate.language;
+            if (dedupe.has(key)) return false;
+            dedupe.add(key);
+            return true;
+        });
+    }
+    function getProfileLanguages(profiles, profile) {
+        return Object.keys(profiles[profile]?.translations ?? {}).sort();
+    }
+    function getSelectableLanguages(input) {
+        return getProfileLanguages(input.profiles, input.profile);
+    }
+    function resolveFallbackLanguage(input) {
+        const configuredFallbackLanguage = normalizeLanguage(input.profile?.fallbackLanguage) ?? 'en';
+        const profileLanguages = Object.keys(input.profile?.translations ?? {}).sort();
+        if (profileLanguages.includes(configuredFallbackLanguage)) return configuredFallbackLanguage;
+        if (profileLanguages.includes('en')) return 'en';
+        return profileLanguages[0] ?? configuredFallbackLanguage;
+    }
+    function resolveActiveProfile(input) {
+        const requestedProfile = input.policyProfile ?? input.defaultProfile;
+        if (input.profiles[requestedProfile]) return requestedProfile;
+        if (input.policyProfile) warnOnce(input.logger, `i18n.profile.missing:${requestedProfile}`, `Policy i18n profile '${requestedProfile}' does not exist. Falling back to default profile '${input.defaultProfile}'.`);
+        return input.defaultProfile;
+    }
+    function validateMessages(options) {
+        return (0, types_namespaceObject.validatePolicyI18nConfig)({
+            customTranslations: options.customTranslations,
+            i18n: options.i18n,
+            policies: options.policies
+        });
+    }
+    function translations_getTranslationsData(acceptLanguage, customTranslations, options) {
+        const profiles = normalizeProfiles({
+            customTranslations,
+            i18n: options?.i18n,
+            logger: options?.logger
+        });
+        const defaultProfile = options?.i18n?.defaultProfile ?? DEFAULT_PROFILE;
+        const profile = resolveActiveProfile({
+            profiles,
+            defaultProfile,
+            policyProfile: options?.policyI18n?.messageProfile,
+            logger: options?.logger
+        });
+        const configuredLanguages = Object.keys(profiles).length > 0 ? getSelectableLanguages({
+            profiles,
+            profile
+        }) : Object.keys(all_namespaceObject.baseTranslations);
+        const fallbackLanguage = Object.keys(profiles).length > 0 ? resolveFallbackLanguage({
+            profile: profiles[profile]
+        }) : 'en';
+        const policyLanguage = normalizeLanguage(options?.policyI18n?.language);
+        const requestedLanguage = policyLanguage ?? (0, translations_namespaceObject.selectLanguage)(configuredLanguages, {
+            header: acceptLanguage,
+            fallback: fallbackLanguage
+        });
+        const candidates = buildCandidates({
+            language: requestedLanguage,
+            fallbackLanguage
+        });
+        const selectedCandidate = candidates.find((candidate)=>!!profiles[profile]?.translations[candidate.language]);
+        if (selectedCandidate && 'profile_language' !== selectedCandidate.reason) warnOnce(options?.logger, `i18n.fallback:${profile}:${requestedLanguage}:${selectedCandidate.language}`, `Policy translation fallback used (${selectedCandidate.reason}).`, {
+            requestedProfile: profile,
+            requestedLanguage,
+            resolvedProfile: profile,
+            resolvedLanguage: selectedCandidate.language
+        });
+        let language = selectedCandidate?.language ?? requestedLanguage;
+        if (!selectedCandidate && !isSupportedBaseLanguage(language)) {
+            warnOnce(options?.logger, `i18n.base-fallback:${language}`, `No translation found for '${language}'. Falling back to base English translations.`);
+            language = 'en';
+        }
+        const base = isSupportedBaseLanguage(language) ? all_namespaceObject.baseTranslations[language] : all_namespaceObject.baseTranslations.en;
+        const custom = selectedCandidate ? profiles[profile]?.translations[selectedCandidate.language] : void 0;
+        const translations = custom ? (0, translations_namespaceObject.deepMergeTranslations)(base, custom) : base;
+        return {
+            translations: translations,
+            language
+        };
+    }
+    const version_version = '2.0.0-rc.10';
     function extractErrorMessage(error) {
         if (error instanceof AggregateError && error.errors?.length > 0) {
             const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
@@ -598,18 +767,18 @@ var __webpack_exports__ = {};
         return config;
     }
     function isTelemetryEnabled(options) {
-        if (options) return options.advanced?.telemetry?.enabled === true;
+        if (options) return options.telemetry?.enabled === true;
         return cachedConfig?.enabled === true;
     }
     const getTracer = (options)=>{
         if (!isTelemetryEnabled(options)) return api_namespaceObject.trace.getTracer('c15t-noop');
-        const tracer = options?.advanced?.telemetry?.tracer ?? cachedConfig?.tracer;
+        const tracer = options?.telemetry?.tracer ?? cachedConfig?.tracer;
         if (tracer) return tracer;
         return api_namespaceObject.trace.getTracer(options?.appName ?? 'c15t');
     };
     const getMeter = (options)=>{
         if (!isTelemetryEnabled(options)) return api_namespaceObject.metrics.getMeter('c15t-noop');
-        const meter = options?.advanced?.telemetry?.meter ?? cachedConfig?.meter;
+        const meter = options?.telemetry?.meter ?? cachedConfig?.meter;
         if (meter) return meter;
         return api_namespaceObject.metrics.getMeter(options?.appName ?? 'c15t');
     };
@@ -619,7 +788,7 @@ var __webpack_exports__ = {};
     const createRequestSpan = (method, path, options)=>{
         if (!isTelemetryEnabled(options)) return null;
         const tracer = getTracer(options);
-        const defaultAttrs = options?.advanced?.telemetry?.defaultAttributes || getDefaultAttributes();
+        const defaultAttrs = options?.telemetry?.defaultAttributes || getDefaultAttributes();
         const span = tracer.startSpan(`${method} ${path}`, {
             attributes: {
                 'http.method': method,
@@ -661,7 +830,7 @@ var __webpack_exports__ = {};
         }
     }
     function resolveDefaultAttributes(options) {
-        return options?.advanced?.telemetry?.defaultAttributes || getDefaultAttributes();
+        return options?.telemetry?.defaultAttributes || getDefaultAttributes();
     }
     async function withDatabaseSpan(attributes, operation, options) {
         if (!isTelemetryEnabled(options)) return operation();
@@ -894,6 +1063,7 @@ var __webpack_exports__ = {};
         consentPolicy: 'pol',
         consentPurpose: 'pur',
         domain: 'dom',
+        runtimePolicyDecision: 'rpd',
         subject: 'sub'
     };
     const b58 = external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
@@ -963,6 +1133,23 @@ var __webpack_exports__ = {};
             throw error;
         }
     }
+    class LegalDocumentPolicyConflictError extends Error {
+        constructor(message){
+            super(message);
+            this.name = 'LegalDocumentPolicyConflictError';
+        }
+    }
+    async function buildLegalDocumentPolicyId(input) {
+        const digest = await (0, types_namespaceObject.hashSha256Hex)([
+            input.tenantId ?? 'default',
+            input.type,
+            input.hash
+        ].join('|'));
+        return `pol_${digest}`;
+    }
+    function hasLegalDocumentPolicyConflict(policy, input) {
+        return policy.version !== input.version || policy.hash !== input.hash || policy.effectiveDate.getTime() !== input.effectiveDate.getTime();
+    }
     function policyRegistry({ db, ctx }) {
         const { logger } = ctx;
         return {
@@ -991,6 +1178,176 @@ var __webpack_exports__ = {};
                     throw error;
                 }
             },
+            findLatestPolicyByType: async (type)=>{
+                const start = Date.now();
+                try {
+                    const result = await withDatabaseSpan({
+                        operation: 'findLatest',
+                        entity: 'consentPolicy'
+                    }, async ()=>db.findFirst('consentPolicy', {
+                            where: (b)=>b.and(b('isActive', '=', true), b('type', '=', type)),
+                            orderBy: [
+                                'effectiveDate',
+                                'desc'
+                            ]
+                        }));
+                    getMetrics()?.recordDbQuery({
+                        operation: 'findLatest',
+                        entity: 'consentPolicy'
+                    }, Date.now() - start);
+                    return result;
+                } catch (error) {
+                    getMetrics()?.recordDbError({
+                        operation: 'findLatest',
+                        entity: 'consentPolicy'
+                    });
+                    throw error;
+                }
+            },
+            findLegalDocumentPolicyByHash: async (type, hash)=>{
+                const start = Date.now();
+                try {
+                    const policyId = await buildLegalDocumentPolicyId({
+                        tenantId: ctx.tenantId,
+                        type,
+                        hash
+                    });
+                    const result = await withDatabaseSpan({
+                        operation: 'findByHash',
+                        entity: 'consentPolicy'
+                    }, async ()=>db.findFirst('consentPolicy', {
+                            where: (b)=>b('id', '=', policyId)
+                        }));
+                    getMetrics()?.recordDbQuery({
+                        operation: 'findByHash',
+                        entity: 'consentPolicy'
+                    }, Date.now() - start);
+                    return result;
+                } catch (error) {
+                    getMetrics()?.recordDbError({
+                        operation: 'findByHash',
+                        entity: 'consentPolicy'
+                    });
+                    throw error;
+                }
+            },
+            syncCurrentLegalDocumentPolicy: async (input)=>{
+                const start = Date.now();
+                try {
+                    const result = await withDatabaseSpan({
+                        operation: 'syncCurrent',
+                        entity: 'consentPolicy'
+                    }, async ()=>{
+                        const policyId = await buildLegalDocumentPolicyId({
+                            tenantId: ctx.tenantId,
+                            type: input.type,
+                            hash: input.hash
+                        });
+                        return db.transaction(async (tx)=>{
+                            const existing = await tx.findFirst('consentPolicy', {
+                                where: (b)=>b('id', '=', policyId)
+                            });
+                            if (existing) {
+                                if (hasLegalDocumentPolicyConflict(existing, input)) throw new LegalDocumentPolicyConflictError('Release metadata conflicts with existing consent policy');
+                                await tx.updateMany('consentPolicy', {
+                                    where: (b)=>b.and(b('type', '=', input.type), b('isActive', '=', true), b('id', '!=', existing.id)),
+                                    set: {
+                                        isActive: false
+                                    }
+                                });
+                                if (!existing.isActive) {
+                                    await tx.updateMany('consentPolicy', {
+                                        where: (b)=>b('id', '=', existing.id),
+                                        set: {
+                                            isActive: true
+                                        }
+                                    });
+                                    return {
+                                        ...existing,
+                                        isActive: true
+                                    };
+                                }
+                                return existing;
+                            }
+                            await tx.updateMany('consentPolicy', {
+                                where: (b)=>b.and(b('type', '=', input.type), b('isActive', '=', true)),
+                                set: {
+                                    isActive: false
+                                }
+                            });
+                            const policy = await tx.create('consentPolicy', {
+                                id: policyId,
+                                version: input.version,
+                                type: input.type,
+                                hash: input.hash,
+                                effectiveDate: input.effectiveDate,
+                                isActive: true
+                            });
+                            return policy;
+                        });
+                    });
+                    getMetrics()?.recordDbQuery({
+                        operation: 'syncCurrent',
+                        entity: 'consentPolicy'
+                    }, Date.now() - start);
+                    return result;
+                } catch (error) {
+                    getMetrics()?.recordDbError({
+                        operation: 'syncCurrent',
+                        entity: 'consentPolicy'
+                    });
+                    throw error;
+                }
+            },
+            findOrCreateLegalDocumentPolicy: async (input)=>{
+                const start = Date.now();
+                try {
+                    const result = await withDatabaseSpan({
+                        operation: 'findOrCreateLegalDocument',
+                        entity: 'consentPolicy'
+                    }, async ()=>{
+                        const policyId = await buildLegalDocumentPolicyId({
+                            tenantId: ctx.tenantId,
+                            type: input.type,
+                            hash: input.hash
+                        });
+                        const existing = await db.findFirst('consentPolicy', {
+                            where: (b)=>b('id', '=', policyId)
+                        });
+                        if (existing) {
+                            if (hasLegalDocumentPolicyConflict(existing, input)) throw new LegalDocumentPolicyConflictError('Release metadata conflicts with existing consent policy');
+                            return existing;
+                        }
+                        const policy = await db.create('consentPolicy', {
+                            id: policyId,
+                            version: input.version,
+                            type: input.type,
+                            hash: input.hash,
+                            effectiveDate: input.effectiveDate,
+                            isActive: false
+                        }).catch(async ()=>{
+                            const concurrent = await db.findFirst('consentPolicy', {
+                                where: (b)=>b('id', '=', policyId)
+                            });
+                            if (!concurrent) throw new LegalDocumentPolicyConflictError('Failed to create legal document consent policy');
+                            if (hasLegalDocumentPolicyConflict(concurrent, input)) throw new LegalDocumentPolicyConflictError('Release metadata conflicts with existing consent policy');
+                            return concurrent;
+                        });
+                        return policy;
+                    });
+                    getMetrics()?.recordDbQuery({
+                        operation: 'findOrCreateLegalDocument',
+                        entity: 'consentPolicy'
+                    }, Date.now() - start);
+                    return result;
+                } catch (error) {
+                    getMetrics()?.recordDbError({
+                        operation: 'findOrCreateLegalDocument',
+                        entity: 'consentPolicy'
+                    });
+                    throw error;
+                }
+            },
             findOrCreatePolicy: async (type)=>{
                 const start = Date.now();
                 try {
@@ -1165,6 +1522,54 @@ var __webpack_exports__ = {};
             }
         };
     }
+    function runtimePolicyDecisionRegistry({ db, ctx }) {
+        const { logger } = ctx;
+        return {
+            findOrCreateRuntimePolicyDecision: async (input)=>{
+                const existing = await db.findFirst('runtimePolicyDecision', {
+                    where: (b)=>b('dedupeKey', '=', input.dedupeKey)
+                });
+                if (existing) return existing;
+                logger.debug('Creating runtime policy decision', {
+                    policyId: input.policyId,
+                    fingerprint: input.fingerprint,
+                    matchedBy: input.matchedBy
+                });
+                return db.create('runtimePolicyDecision', {
+                    id: `rpd_${crypto.randomUUID().replaceAll('-', '')}`,
+                    tenantId: input.tenantId,
+                    policyId: input.policyId,
+                    fingerprint: input.fingerprint,
+                    matchedBy: input.matchedBy,
+                    countryCode: input.countryCode,
+                    regionCode: input.regionCode,
+                    jurisdiction: input.jurisdiction,
+                    language: input.language,
+                    model: input.model,
+                    policyI18n: input.policyI18n ? {
+                        json: input.policyI18n
+                    } : void 0,
+                    uiMode: input.uiMode,
+                    bannerUi: input.bannerUi ? {
+                        json: input.bannerUi
+                    } : void 0,
+                    dialogUi: input.dialogUi ? {
+                        json: input.dialogUi
+                    } : void 0,
+                    categories: input.categories ? {
+                        json: input.categories
+                    } : void 0,
+                    preselectedCategories: input.preselectedCategories ? {
+                        json: input.preselectedCategories
+                    } : void 0,
+                    proofConfig: input.proofConfig ? {
+                        json: input.proofConfig
+                    } : void 0,
+                    dedupeKey: input.dedupeKey
+                });
+            }
+        };
+    }
     function subjectRegistry({ db, ctx }) {
         const { logger } = ctx;
         return {
@@ -1194,8 +1599,7 @@ var __webpack_exports__ = {};
                             const newSubject = await db.create('subject', {
                                 id: subjectId,
                                 externalId: externalSubjectId ?? null,
-                                identityProvider: externalSubjectId ? identityProvider ?? 'external' : 'anonymous',
-                                isIdentified: !!externalSubjectId
+                                identityProvider: externalSubjectId ? identityProvider ?? 'external' : 'anonymous'
                             });
                             logger.debug('Created new subject', {
                                 subject: newSubject
@@ -1209,8 +1613,7 @@ var __webpack_exports__ = {};
                             const subject = await db.create('subject', {
                                 id: await generateUniqueId(db, 'subject', ctx),
                                 externalId: externalSubjectId,
-                                identityProvider: identityProvider ?? 'external',
-                                isIdentified: true
+                                identityProvider: identityProvider ?? 'external'
                             });
                             return subject;
                         }
@@ -1218,8 +1621,7 @@ var __webpack_exports__ = {};
                         const subject = await db.create('subject', {
                             id: await generateUniqueId(db, 'subject', ctx),
                             externalId: null,
-                            identityProvider: 'anonymous',
-                            isIdentified: false
+                            identityProvider: 'anonymous'
                         });
                         logger.debug('Created new anonymous subject', {
                             subject
@@ -1245,7 +1647,8 @@ var __webpack_exports__ = {};
             ...subjectRegistry(ctx),
             ...consentPurposeRegistry(ctx),
             ...policyRegistry(ctx),
-            ...domainRegistry(ctx)
+            ...domainRegistry(ctx),
+            ...runtimePolicyDecisionRegistry(ctx)
         });
     var schema = __webpack_require__("./src/db/schema/index.ts");
     const SCOPED_METHODS = new Set([
@@ -1311,6 +1714,18 @@ var __webpack_exports__ = {};
             }
         });
     }
+    function inspectPolicies(policies, options) {
+        return (0, types_namespaceObject.inspectPolicies)(policies, options);
+    }
+    async function resolvePolicyDecision(params) {
+        return (0, types_namespaceObject.resolvePolicyDecision)({
+            policies: params.policies,
+            countryCode: params.countryCode,
+            regionCode: params.regionCode,
+            jurisdiction: params.jurisdiction,
+            iabEnabled: params.iabEnabled
+        });
+    }
     let globalLogger;
     function initLogger(options) {
         globalLogger = (0, logger_namespaceObject.createLogger)({
@@ -1325,7 +1740,7 @@ var __webpack_exports__ = {};
             ...options.logger,
             appName: String(appName)
         });
-        const telemetryOptions = createTelemetryOptions(String(appName), options.advanced?.telemetry, options.tenantId);
+        const telemetryOptions = createTelemetryOptions(String(appName), options.telemetry, options.tenantId);
         if (isTelemetryEnabled(options)) logger.debug('Telemetry is enabled', {
             hasTracer: !!telemetryOptions?.tracer,
             hasMeter: !!telemetryOptions?.meter,
@@ -1336,15 +1751,29 @@ var __webpack_exports__ = {};
         const client = db.client(options.adapter);
         const rawOrm = client.orm('2.0.0');
         const orm = options.tenantId ? withTenantScope(rawOrm, options.tenantId) : rawOrm;
+        const { ipAddress: _ipAddressConfig, ...baseOptions } = options;
+        const i18nValidation = validateMessages({
+            i18n: options.i18n,
+            customTranslations: options.customTranslations,
+            policies: options.policyPacks
+        });
+        for (const warning of i18nValidation.warnings)logger.warn(`i18n: ${warning}`);
+        if (i18nValidation.errors.length > 0) throw new Error(`Invalid i18n configuration:\n${i18nValidation.errors.map((error)=>`- ${error}`).join('\n')}`);
+        const policyValidation = inspectPolicies(options.policyPacks ?? [], {
+            iabEnabled: options.iab?.enabled === true
+        });
+        for (const warning of policyValidation.warnings)logger.warn(`policyPacks: ${warning}`);
+        if (policyValidation.errors.length > 0) throw new Error(policyValidation.errors[0]);
         const context = {
-            ...options,
+            ...baseOptions,
             appName,
             logger,
             db: orm,
             registry: createRegistry({
                 db: orm,
                 ctx: {
-                    logger
+                    logger,
+                    tenantId: options.tenantId
                 }
             })
         };
@@ -1371,7 +1800,7 @@ var __webpack_exports__ = {};
         for (const p of policyMap.values())uniqueTypes.add(p.type);
         const latestPolicyByType = new Map();
         for (const type of uniqueTypes){
-            const latest = await registry.findOrCreatePolicy(type);
+            const latest = await registry.findLatestPolicyByType(type);
             if (latest) latestPolicyByType.set(type, latest.id);
         }
         return {
@@ -1397,11 +1826,17 @@ var __webpack_exports__ = {};
         }
         return consents.map((consent)=>{
             let policyType = 'unknown';
+            let policyVersion;
+            let policyHash;
+            let policyEffectiveDate;
             let isLatestPolicy = false;
             if (consent.policyId) {
                 const policy = policyMap.get(consent.policyId);
                 if (policy) {
                     policyType = policy.type;
+                    policyVersion = policy.version;
+                    policyHash = policy.hash ?? void 0;
+                    policyEffectiveDate = policy.effectiveDate;
                     isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
                 }
             }
@@ -1418,6 +1853,9 @@ var __webpack_exports__ = {};
                 id: consent.id,
                 type: policyType,
                 policyId: consent.policyId ?? void 0,
+                policyVersion,
+                policyHash,
+                policyEffectiveDate,
                 isLatestPolicy,
                 preferences,
                 givenAt: consent.givenAt
@@ -1532,11 +1970,7 @@ var __webpack_exports__ = {};
         const app = new external_hono_namespaceObject.Hono();
         app.get('/check', (0, external_hono_openapi_namespaceObject.describeRoute)({
             summary: 'Check consent by external user ID',
-            description: `Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.
-
-**Query parameters:**
-- \`externalId\` – External user ID to check
-- \`type\` – Consent type(s) to check (comma-separated)`,
+            description: "Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.\n\n**Query parameters:**\n- `externalId` – External user ID to check\n- `type` – Consent type(s) to check (comma-separated)",
             tags: [
                 'Consent'
             ],
@@ -1696,6 +2130,124 @@ var __webpack_exports__ = {};
             }
         };
     }
+    const external_jose_namespaceObject = require("jose");
+    const POLICY_SNAPSHOT_JWT_HEADER = {
+        alg: 'HS256',
+        typ: 'JWT'
+    };
+    const DEFAULT_POLICY_SNAPSHOT_ISSUER = 'c15t';
+    const DEFAULT_POLICY_SNAPSHOT_AUDIENCE = 'c15t-policy-snapshot';
+    function resolveSnapshotIssuer(options) {
+        return options?.issuer?.trim() || DEFAULT_POLICY_SNAPSHOT_ISSUER;
+    }
+    function resolveSnapshotAudience(params) {
+        const configuredAudience = params.options?.audience?.trim();
+        if (configuredAudience) return configuredAudience;
+        return params.tenantId ? `${DEFAULT_POLICY_SNAPSHOT_AUDIENCE}:${params.tenantId}` : DEFAULT_POLICY_SNAPSHOT_AUDIENCE;
+    }
+    function getSigningKey(secret) {
+        return new TextEncoder().encode(secret);
+    }
+    function isPolicySnapshotPayload(payload) {
+        return 'string' == typeof payload.policyId && 'string' == typeof payload.fingerprint && 'string' == typeof payload.matchedBy && 'string' == typeof payload.jurisdiction && 'string' == typeof payload.model && 'string' == typeof payload.iss && 'string' == typeof payload.aud && 'string' == typeof payload.sub && 'number' == typeof payload.iat && 'number' == typeof payload.exp;
+    }
+    async function createPolicySnapshotToken(params) {
+        const { options } = params;
+        if (!options?.signingKey) return;
+        const iat = Math.floor(Date.now() / 1000);
+        const ttlSeconds = options.ttlSeconds ?? 1800;
+        const exp = iat + ttlSeconds;
+        const iss = resolveSnapshotIssuer(options);
+        const aud = resolveSnapshotAudience({
+            options,
+            tenantId: params.tenantId
+        });
+        const payload = {
+            iss,
+            aud,
+            sub: params.policyId,
+            tenantId: params.tenantId,
+            policyId: params.policyId,
+            fingerprint: params.fingerprint,
+            matchedBy: params.matchedBy,
+            country: params.country,
+            region: params.region,
+            jurisdiction: params.jurisdiction,
+            language: params.language,
+            model: params.model,
+            policyI18n: params.policyI18n,
+            expiryDays: params.expiryDays,
+            scopeMode: params.scopeMode,
+            uiMode: params.uiMode,
+            bannerUi: params.bannerUi,
+            dialogUi: params.dialogUi,
+            categories: params.categories,
+            preselectedCategories: params.preselectedCategories,
+            gpc: params.gpc,
+            proofConfig: params.proofConfig,
+            iat,
+            exp
+        };
+        const token = await new external_jose_namespaceObject.SignJWT(payload).setProtectedHeader(POLICY_SNAPSHOT_JWT_HEADER).setIssuedAt(iat).setExpirationTime(exp).sign(getSigningKey(options.signingKey));
+        return {
+            token,
+            payload
+        };
+    }
+    async function verifyPolicySnapshotToken(params) {
+        const { token, options, tenantId } = params;
+        if (!options?.signingKey) return {
+            valid: false,
+            reason: 'missing'
+        };
+        if (!token) return {
+            valid: false,
+            reason: 'missing'
+        };
+        if (3 !== token.split('.').length) return {
+            valid: false,
+            reason: 'malformed'
+        };
+        try {
+            const { payload, protectedHeader } = await (0, external_jose_namespaceObject.jwtVerify)(token, getSigningKey(options.signingKey), {
+                issuer: resolveSnapshotIssuer(options),
+                audience: resolveSnapshotAudience({
+                    options,
+                    tenantId
+                })
+            });
+            const header = protectedHeader;
+            if ('HS256' !== header.alg || 'JWT' !== header.typ) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if (!isPolicySnapshotPayload(payload)) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if (payload.sub !== payload.policyId) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if ((tenantId ?? void 0) !== (payload.tenantId ?? void 0)) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            return {
+                valid: true,
+                payload
+            };
+        } catch (error) {
+            if (error instanceof external_jose_namespaceObject.errors.JWTExpired) return {
+                valid: false,
+                reason: 'expired'
+            };
+            return {
+                valid: false,
+                reason: 'invalid'
+            };
+        }
+    }
     function geo_normalizeHeader(value) {
         if (!value) return null;
         return Array.isArray(value) ? value[0] ?? null : value;
@@ -1837,7 +2389,7 @@ var __webpack_exports__ = {};
         return jurisdiction;
     }
     async function getLocation(request, options) {
-        if (options.advanced?.disableGeoLocation) return {
+        if (options.disableGeoLocation) return {
             countryCode: null,
             regionCode: null
         };
@@ -1848,30 +2400,121 @@ var __webpack_exports__ = {};
         };
     }
     function getJurisdiction(location, options) {
-        if (options.advanced?.disableGeoLocation) return 'GDPR';
+        if (options.disableGeoLocation) return 'GDPR';
         return checkJurisdiction(location.countryCode, location.regionCode);
     }
-    const translations_namespaceObject = require("@c15t/translations");
-    function isSupportedBaseLanguage(lang) {
-        return lang in translations_namespaceObject.baseTranslations;
-    }
-    function translations_getTranslationsData(acceptLanguage, customTranslations) {
-        const supportedDefaultLanguages = Object.keys(translations_namespaceObject.baseTranslations);
-        const supportedCustomLanguages = Object.keys(customTranslations || {});
-        const supportedLanguages = [
-            ...supportedDefaultLanguages,
-            ...supportedCustomLanguages
-        ];
-        const preferredLanguage = (0, translations_namespaceObject.selectLanguage)(supportedLanguages, {
-            header: acceptLanguage,
-            fallback: 'en'
+    function stripIabTranslations(translations) {
+        const { iab: _iab, ...rest } = translations;
+        return rest;
+    }
+    function resolveNoPolicyFallback() {
+        return {
+            id: 'no_banner',
+            model: 'none',
+            ui: {
+                mode: 'none'
+            }
+        };
+    }
+    async function resolveInitPayload(request, options, logger) {
+        const acceptLanguage = request.headers.get('accept-language') || 'en';
+        const location = await getLocation(request, options);
+        const jurisdiction = getJurisdiction(location, options);
+        const hasExplicitPolicyPack = void 0 !== options.policyPacks;
+        const isExplicitEmptyPolicyPack = hasExplicitPolicyPack && (options.policyPacks?.length ?? 0) === 0;
+        const policyDecision = isExplicitEmptyPolicyPack ? void 0 : await resolvePolicyDecision({
+            policies: options.policyPacks,
+            countryCode: location.countryCode,
+            regionCode: location.regionCode,
+            jurisdiction,
+            iabEnabled: options.iab?.enabled === true
+        });
+        if (hasExplicitPolicyPack && !isExplicitEmptyPolicyPack && !policyDecision) logger?.warn('Policy packs configured but no policy matched', {
+            country: location.countryCode,
+            region: location.regionCode
+        });
+        const resolvedPolicy = hasExplicitPolicyPack ? policyDecision?.policy ?? resolveNoPolicyFallback() : void 0;
+        const iabOptions = options.iab;
+        const shouldIncludeIabPayload = iabOptions?.enabled === true && (!hasExplicitPolicyPack || resolvedPolicy?.model === 'iab');
+        const translationsResult = translations_getTranslationsData(acceptLanguage, options.customTranslations, {
+            i18n: options.i18n,
+            policyI18n: resolvedPolicy?.i18n,
+            logger
+        });
+        const responseTranslations = shouldIncludeIabPayload ? translationsResult : {
+            ...translationsResult,
+            translations: stripIabTranslations(translationsResult.translations)
+        };
+        let gvl = null;
+        if (shouldIncludeIabPayload && iabOptions) {
+            const language = translationsResult.language.split('-')[0] || 'en';
+            const gvlResolver = createGVLResolver({
+                appName: options.appName || 'c15t',
+                bundled: iabOptions.bundled,
+                cacheAdapter: options.cache?.adapter,
+                vendorIds: iabOptions.vendorIds,
+                endpoint: iabOptions.endpoint
+            });
+            gvl = await gvlResolver.get(language);
+        }
+        const customVendors = shouldIncludeIabPayload ? iabOptions?.customVendors : void 0;
+        const snapshot = policyDecision ? await createPolicySnapshotToken({
+            options: options.policySnapshot,
+            tenantId: options.tenantId,
+            policyId: policyDecision.policy.id,
+            fingerprint: policyDecision.fingerprint,
+            matchedBy: policyDecision.matchedBy,
+            country: location?.countryCode ?? null,
+            region: location?.regionCode ?? null,
+            jurisdiction,
+            language: translationsResult.language,
+            model: policyDecision.policy.model,
+            policyI18n: policyDecision.policy.i18n,
+            expiryDays: policyDecision.policy.consent?.expiryDays,
+            scopeMode: policyDecision.policy.consent?.scopeMode,
+            uiMode: policyDecision.policy.ui?.mode,
+            bannerUi: policyDecision.policy.ui?.banner,
+            dialogUi: policyDecision.policy.ui?.dialog,
+            categories: policyDecision.policy.consent?.categories,
+            preselectedCategories: policyDecision.policy.consent?.preselectedCategories,
+            gpc: policyDecision.policy.consent?.gpc,
+            proofConfig: policyDecision.policy.proof
+        }) : void 0;
+        const gpc = '1' === request.headers.get('sec-gpc');
+        getMetrics()?.recordInit({
+            jurisdiction,
+            country: location?.countryCode ?? void 0,
+            region: location?.regionCode ?? void 0,
+            gpc
         });
-        const base = isSupportedBaseLanguage(preferredLanguage) ? translations_namespaceObject.baseTranslations[preferredLanguage] : translations_namespaceObject.baseTranslations.en;
-        const custom = supportedCustomLanguages.includes(preferredLanguage) ? customTranslations?.[preferredLanguage] : {};
-        const translations = custom ? (0, translations_namespaceObject.deepMergeTranslations)(base, custom) : base;
         return {
-            translations: translations,
-            language: preferredLanguage
+            jurisdiction,
+            location,
+            translations: responseTranslations,
+            branding: options.branding || 'c15t',
+            ...shouldIncludeIabPayload && {
+                gvl,
+                customVendors
+            },
+            ...resolvedPolicy && {
+                policy: resolvedPolicy
+            },
+            ...policyDecision && {
+                policyDecision: {
+                    policyId: policyDecision.policy.id,
+                    fingerprint: policyDecision.fingerprint,
+                    matchedBy: policyDecision.matchedBy,
+                    country: location.countryCode,
+                    region: location.regionCode,
+                    jurisdiction
+                }
+            },
+            ...snapshot?.token && {
+                policySnapshotToken: snapshot.token
+            },
+            ...shouldIncludeIabPayload && iabOptions?.cmpId != null && {
+                cmpId: iabOptions.cmpId
+            }
         };
     }
     const createInitRoute = (options)=>{
@@ -1884,7 +2527,7 @@ var __webpack_exports__ = {};
 - **Location** – User's location (null if geo-location is disabled)
 - **Translations** – Consent manager copy (from \`Accept-Language\` header)
 - **Branding** – Configured branding key
-- **GVL** – Global Vendor List when enabled
+- **GVL** – Global Vendor List when IAB is active for the request
 
 Use for geo-targeted consent banners and regional compliance.`,
             tags: [
@@ -1901,40 +2544,98 @@ Use for geo-targeted consent banners and regional compliance.`,
                 }
             }
         }), async (c)=>{
-            const request = c.req.raw;
-            const acceptLanguage = request.headers.get('accept-language') || 'en';
-            const location = await getLocation(request, options);
-            const jurisdiction = getJurisdiction(location, options);
-            const translationsResult = translations_getTranslationsData(acceptLanguage, options.advanced?.customTranslations);
-            let gvl = null;
-            if (options.advanced?.gvl?.enabled) {
-                const language = translationsResult.language.split('-')[0] || 'en';
-                const gvlResolver = createGVLResolver({
-                    appName: options.appName || 'c15t',
-                    bundled: options.advanced.gvl.bundled,
-                    cacheAdapter: options.advanced.cache?.adapter,
-                    vendorIds: options.advanced.gvl.vendorIds,
-                    endpoint: options.advanced.gvl.endpoint
-                });
-                gvl = await gvlResolver.get(language);
+            const ctx = c.get('c15tContext');
+            const payload = await resolveInitPayload(c.req.raw, options, ctx?.logger);
+            return c.json(payload);
+        });
+        return app;
+    };
+    const syncCurrentLegalDocumentHandler = async (c)=>{
+        const ctx = c.get('c15tContext');
+        const logger = ctx.logger;
+        logger.info('Handling PUT /legal-documents/:type/current request');
+        if (!ctx.apiKeyAuthenticated) throw new http_exception_namespaceObject.HTTPException(401, {
+            message: 'API key required. Use Authorization: Bearer <api_key>',
+            cause: {
+                code: 'UNAUTHORIZED'
             }
-            const customVendors = options.advanced?.gvl?.customVendors;
-            const gpc = '1' === request.headers.get('sec-gpc');
-            getMetrics()?.recordInit({
-                jurisdiction,
-                country: location?.countryCode ?? void 0,
-                region: location?.regionCode ?? void 0,
-                gpc
+        });
+        const type = c.req.param('type');
+        const body = await c.req.json();
+        const effectiveDate = new Date(body.effectiveDate);
+        if (Number.isNaN(effectiveDate.getTime())) throw new http_exception_namespaceObject.HTTPException(422, {
+            message: 'effectiveDate must be a valid ISO-8601 string',
+            cause: {
+                code: 'INPUT_VALIDATION_FAILED'
+            }
+        });
+        try {
+            const policy = await ctx.registry.syncCurrentLegalDocumentPolicy({
+                type,
+                version: body.version,
+                hash: body.hash,
+                effectiveDate
             });
             return c.json({
-                jurisdiction,
-                location,
-                translations: translationsResult,
-                branding: options.advanced?.branding || 'c15t',
-                gvl,
-                customVendors
+                policy: {
+                    id: policy.id,
+                    type: policy.type,
+                    version: policy.version,
+                    hash: policy.hash,
+                    effectiveDate: policy.effectiveDate,
+                    isActive: policy.isActive
+                }
             });
-        });
+        } catch (error) {
+            logger.error('Error in PUT /legal-documents/:type/current handler', {
+                error: extractErrorMessage(error),
+                errorType: error instanceof Error ? error.constructor.name : typeof error
+            });
+            if (error instanceof LegalDocumentPolicyConflictError) throw new http_exception_namespaceObject.HTTPException(409, {
+                message: error.message,
+                cause: {
+                    code: 'LEGAL_DOCUMENT_RELEASE_CONFLICT'
+                }
+            });
+            if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
+            throw new http_exception_namespaceObject.HTTPException(500, {
+                message: 'Internal server error',
+                cause: {
+                    code: 'INTERNAL_SERVER_ERROR'
+                }
+            });
+        }
+    };
+    const createLegalDocumentRoutes = ()=>{
+        const app = new external_hono_namespaceObject.Hono();
+        app.put('/:type/current', (0, external_hono_openapi_namespaceObject.describeRoute)({
+            summary: 'Sync the current legal document release (API key required)',
+            description: 'Marks a legal document release as the latest known version for its type. Requires a Bearer API key.',
+            tags: [
+                'LegalDocument'
+            ],
+            security: [
+                {
+                    bearerAuth: []
+                }
+            ],
+            responses: {
+                200: {
+                    description: 'Current legal document release synced successfully',
+                    content: {
+                        'application/json': {
+                            schema: (0, external_hono_openapi_namespaceObject.resolver)(schema_.legalDocumentCurrentOutputSchema)
+                        }
+                    }
+                },
+                401: {
+                    description: 'Missing or invalid API key'
+                },
+                409: {
+                    description: 'Release metadata conflicts with an existing release'
+                }
+            }
+        }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_.legalDocumentCurrentParamsSchema), (0, external_hono_openapi_namespaceObject.validator)('json', schema_.legalDocumentCurrentInputSchema), syncCurrentLegalDocumentHandler);
         return app;
     };
     function getHeaders(headers) {
@@ -2023,6 +2724,12 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         const subjectId = c.req.param('id');
         const type = c.req.query('type');
         const typeFilter = type?.split(',').map((t)=>t.trim()) || [];
+        if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+            message: 'Subject ID is required',
+            cause: {
+                code: 'SUBJECT_ID_REQUIRED'
+            }
+        });
         logger.debug('Request parameters', {
             subjectId,
             typeFilter
@@ -2051,7 +2758,6 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 subject: {
                     id: subject.id,
                     externalId: subject.externalId ?? void 0,
-                    isIdentified: subject.isIdentified,
                     createdAt: subject.createdAt
                 },
                 consents: filteredConsents,
@@ -2107,7 +2813,6 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 return {
                     id: subject.id,
                     externalId: subject.externalId ?? externalId,
-                    isIdentified: subject.isIdentified,
                     createdAt: subject.createdAt,
                     consents: consentItems
                 };
@@ -2216,6 +2921,12 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         const subjectId = c.req.param('id');
         const body = await c.req.json();
         const { externalId, identityProvider = 'external' } = body;
+        if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+            message: 'Subject ID is required',
+            cause: {
+                code: 'SUBJECT_ID_REQUIRED'
+            }
+        });
         logger.debug('Request parameters', {
             subjectId,
             externalId,
@@ -2238,7 +2949,6 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     set: {
                         externalId,
                         identityProvider,
-                        isIdentified: true,
                         updatedAt: new Date()
                     }
                 });
@@ -2258,10 +2968,6 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                         identityProvider: {
                             from: subject.identityProvider,
                             to: identityProvider
-                        },
-                        isIdentified: {
-                            from: subject.isIdentified,
-                            to: true
                         }
                     },
                     metadata: {
@@ -2280,8 +2986,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 success: true,
                 subject: {
                     id: subjectId,
-                    externalId,
-                    isIdentified: true
+                    externalId
                 }
             });
         } catch (error) {
@@ -2298,6 +3003,234 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             });
         }
     };
+    const DEFAULT_ISSUER = 'c15t';
+    const DEFAULT_AUDIENCE = 'c15t-legal-document-snapshot';
+    function isLegalDocumentPolicyType(type) {
+        return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+    }
+    function snapshot_resolveSnapshotIssuer(options) {
+        return options?.issuer?.trim() || DEFAULT_ISSUER;
+    }
+    function snapshot_resolveSnapshotAudience(params) {
+        const configuredAudience = params.options?.audience?.trim();
+        if (configuredAudience) return configuredAudience;
+        return params.tenantId ? `${DEFAULT_AUDIENCE}:${params.tenantId}` : DEFAULT_AUDIENCE;
+    }
+    function snapshot_getSigningKey(secret) {
+        return new TextEncoder().encode(secret);
+    }
+    function isLegalDocumentSnapshotPayload(payload) {
+        return 'string' == typeof payload.iss && 'string' == typeof payload.aud && 'string' == typeof payload.sub && isLegalDocumentPolicyType(payload.type) && 'string' == typeof payload.version && 'string' == typeof payload.hash && 'string' == typeof payload.effectiveDate && 'number' == typeof payload.iat && 'number' == typeof payload.exp;
+    }
+    async function verifyLegalDocumentSnapshotToken(params) {
+        const { token, options, tenantId } = params;
+        if (!options?.signingKey) return {
+            valid: false,
+            reason: 'missing'
+        };
+        if (!token) return {
+            valid: false,
+            reason: 'missing'
+        };
+        if (3 !== token.split('.').length) return {
+            valid: false,
+            reason: 'malformed'
+        };
+        try {
+            const { payload, protectedHeader } = await (0, external_jose_namespaceObject.jwtVerify)(token, snapshot_getSigningKey(options.signingKey), {
+                issuer: snapshot_resolveSnapshotIssuer(options),
+                audience: snapshot_resolveSnapshotAudience({
+                    options,
+                    tenantId
+                })
+            });
+            const header = protectedHeader;
+            if ('HS256' !== header.alg || 'JWT' !== header.typ) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if (!isLegalDocumentSnapshotPayload(payload)) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if (payload.sub !== payload.hash) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            if ((tenantId ?? void 0) !== (payload.tenantId ?? void 0)) return {
+                valid: false,
+                reason: 'invalid'
+            };
+            return {
+                valid: true,
+                payload
+            };
+        } catch (error) {
+            if (error instanceof external_jose_namespaceObject.errors.JWTExpired) return {
+                valid: false,
+                reason: 'expired'
+            };
+            return {
+                valid: false,
+                reason: 'invalid'
+            };
+        }
+    }
+    function buildRuntimeDecisionDedupeKey(input) {
+        return [
+            input.tenantId ?? 'default',
+            input.fingerprint,
+            input.matchedBy,
+            input.countryCode ?? 'none',
+            input.regionCode ?? 'none',
+            input.jurisdiction,
+            input.language ?? 'none'
+        ].join('|');
+    }
+    function buildDecisionPayload(params) {
+        const { tenantId, snapshot, decision, location, jurisdiction, language, proofConfig } = params;
+        if (snapshot?.valid && snapshot.payload) {
+            const sp = snapshot.payload;
+            return {
+                tenantId,
+                policyId: sp.policyId,
+                fingerprint: sp.fingerprint,
+                matchedBy: sp.matchedBy,
+                countryCode: sp.country,
+                regionCode: sp.region,
+                jurisdiction: sp.jurisdiction,
+                language: sp.language,
+                model: sp.model,
+                policyI18n: sp.policyI18n,
+                uiMode: sp.uiMode,
+                bannerUi: sp.bannerUi,
+                dialogUi: sp.dialogUi,
+                categories: sp.categories,
+                preselectedCategories: sp.preselectedCategories,
+                proofConfig: sp.proofConfig,
+                dedupeKey: buildRuntimeDecisionDedupeKey({
+                    tenantId,
+                    fingerprint: sp.fingerprint,
+                    matchedBy: sp.matchedBy,
+                    countryCode: sp.country,
+                    regionCode: sp.region,
+                    jurisdiction: sp.jurisdiction,
+                    language: sp.language
+                }),
+                source: 'snapshot_token'
+            };
+        }
+        if (decision) return {
+            tenantId,
+            policyId: decision.policy.id,
+            fingerprint: decision.fingerprint,
+            matchedBy: decision.matchedBy,
+            countryCode: location.countryCode,
+            regionCode: location.regionCode,
+            jurisdiction,
+            language,
+            model: decision.policy.model,
+            policyI18n: decision.policy.i18n,
+            uiMode: decision.policy.ui?.mode,
+            bannerUi: decision.policy.ui?.banner,
+            dialogUi: decision.policy.ui?.dialog,
+            categories: decision.policy.consent?.categories,
+            preselectedCategories: decision.policy.consent?.preselectedCategories,
+            proofConfig,
+            dedupeKey: buildRuntimeDecisionDedupeKey({
+                tenantId,
+                fingerprint: decision.fingerprint,
+                matchedBy: decision.matchedBy,
+                countryCode: location.countryCode,
+                regionCode: location.regionCode,
+                jurisdiction,
+                language
+            }),
+            source: 'write_time_fallback'
+        };
+    }
+    function parseLanguageFromHeader(header) {
+        if (!header) return;
+        const firstLanguage = header.split(',')[0]?.split(';')[0]?.trim();
+        if (!firstLanguage) return;
+        return firstLanguage.split('-')[0]?.toLowerCase();
+    }
+    function isLegalDocumentType(type) {
+        return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+    }
+    function resolveSnapshotFailureMode(ctx) {
+        return ctx.policySnapshot?.onValidationFailure ?? 'reject';
+    }
+    function buildSnapshotHttpException(reason) {
+        switch(reason){
+            case 'missing':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Policy snapshot token is required',
+                    cause: {
+                        code: 'POLICY_SNAPSHOT_REQUIRED'
+                    }
+                });
+            case 'expired':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Policy snapshot token has expired',
+                    cause: {
+                        code: 'POLICY_SNAPSHOT_EXPIRED'
+                    }
+                });
+            case 'malformed':
+            case 'invalid':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Policy snapshot token is invalid',
+                    cause: {
+                        code: 'POLICY_SNAPSHOT_INVALID'
+                    }
+                });
+            default:
+                {
+                    const _exhaustive = reason;
+                    throw new Error(`Unhandled policy snapshot verification failure reason: ${_exhaustive}`);
+                }
+        }
+    }
+    function buildLegalDocumentSnapshotHttpException(reason) {
+        switch(reason){
+            case 'missing':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Legal document snapshot token is required',
+                    cause: {
+                        code: 'LEGAL_DOCUMENT_SNAPSHOT_REQUIRED'
+                    }
+                });
+            case 'expired':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Legal document snapshot token has expired',
+                    cause: {
+                        code: 'LEGAL_DOCUMENT_SNAPSHOT_EXPIRED'
+                    }
+                });
+            case 'malformed':
+            case 'invalid':
+                return new http_exception_namespaceObject.HTTPException(409, {
+                    message: 'Legal document snapshot token is invalid',
+                    cause: {
+                        code: 'LEGAL_DOCUMENT_SNAPSHOT_INVALID'
+                    }
+                });
+            default:
+                {
+                    const _exhaustive = reason;
+                    throw new Error(`Unhandled legal document snapshot verification failure reason: ${_exhaustive}`);
+                }
+        }
+    }
+    function buildLegalDocumentProofHttpException(message) {
+        return new http_exception_namespaceObject.HTTPException(409, {
+            message,
+            cause: {
+                code: 'LEGAL_DOCUMENT_PROOF_REQUIRED'
+            }
+        });
+    }
     const postSubjectHandler = async (c)=>{
         const ctx = c.get('c15tContext');
         const logger = ctx.logger;
@@ -2307,6 +3240,8 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         const { type, subjectId, identityProvider, externalSubjectId, domain, metadata, givenAt: givenAtEpoch } = input;
         const preferences = 'preferences' in input ? input.preferences : void 0;
         const givenAt = new Date(givenAtEpoch);
+        const rawConsentAction = 'consentAction' in input ? input.consentAction : void 0;
+        let derivedConsentAction;
         logger.debug('Request parameters', {
             type,
             subjectId,
@@ -2315,6 +3250,64 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             domain
         });
         try {
+            if ('cookie_banner' === type) logger.warn('`cookie_banner` policy type is deprecated in 2.0 RC and will be removed in 2.0 GA. Use backend runtime `policyPacks` for banner behavior.');
+            const request = c.req.raw ?? new Request('https://c15t.local/subjects');
+            const acceptLanguage = request.headers.get('accept-language');
+            const requestLanguage = parseLanguageFromHeader(acceptLanguage);
+            const location = await getLocation(request, ctx);
+            const resolvedJurisdiction = getJurisdiction(location, ctx);
+            const legalDocumentConsent = isLegalDocumentType(type);
+            const runtimeSnapshotVerification = legalDocumentConsent ? {
+                valid: false,
+                reason: 'missing'
+            } : await verifyPolicySnapshotToken({
+                token: input.policySnapshotToken,
+                options: ctx.policySnapshot,
+                tenantId: ctx.tenantId
+            });
+            const legalDocumentSnapshotVerification = legalDocumentConsent ? await verifyLegalDocumentSnapshotToken({
+                token: input.documentSnapshotToken,
+                options: ctx.legalDocumentSnapshot,
+                tenantId: ctx.tenantId
+            }) : {
+                valid: false,
+                reason: 'missing'
+            };
+            const hasValidSnapshot = runtimeSnapshotVerification.valid;
+            const snapshotPayload = runtimeSnapshotVerification.valid ? runtimeSnapshotVerification.payload : null;
+            const shouldRequireSnapshot = !legalDocumentConsent && !!ctx.policySnapshot?.signingKey && 'reject' === resolveSnapshotFailureMode(ctx);
+            if (!hasValidSnapshot && shouldRequireSnapshot) throw buildSnapshotHttpException(runtimeSnapshotVerification.reason);
+            const shouldRequireLegalDocumentSnapshot = legalDocumentConsent && !!ctx.legalDocumentSnapshot?.signingKey;
+            if (shouldRequireLegalDocumentSnapshot && !legalDocumentSnapshotVerification.valid) throw buildLegalDocumentSnapshotHttpException(legalDocumentSnapshotVerification.reason);
+            const resolvedPolicyDecision = hasValidSnapshot ? void 0 : legalDocumentConsent ? void 0 : await resolvePolicyDecision({
+                policies: ctx.policyPacks,
+                countryCode: location.countryCode,
+                regionCode: location.regionCode,
+                jurisdiction: resolvedJurisdiction,
+                iabEnabled: ctx.iab?.enabled === true
+            });
+            const effectivePolicy = hasValidSnapshot && snapshotPayload ? {
+                id: snapshotPayload.policyId,
+                model: snapshotPayload.model,
+                i18n: snapshotPayload.policyI18n,
+                consent: {
+                    expiryDays: snapshotPayload.expiryDays,
+                    scopeMode: snapshotPayload.scopeMode,
+                    categories: snapshotPayload.categories,
+                    preselectedCategories: snapshotPayload.preselectedCategories,
+                    gpc: snapshotPayload.gpc
+                },
+                ui: {
+                    mode: snapshotPayload.uiMode,
+                    banner: snapshotPayload.bannerUi,
+                    dialog: snapshotPayload.dialogUi
+                },
+                proof: snapshotPayload.proofConfig
+            } : resolvedPolicyDecision?.policy;
+            const effectiveModel = effectivePolicy?.model ?? ('opt-in' === input.jurisdictionModel || 'opt-out' === input.jurisdictionModel || 'iab' === input.jurisdictionModel ? input.jurisdictionModel : void 0);
+            if ('all' === rawConsentAction) derivedConsentAction = 'accept_all';
+            else if ('necessary' === rawConsentAction) derivedConsentAction = 'opt-out' === effectiveModel ? 'opt_out' : 'reject_all';
+            else if ('custom' === rawConsentAction) derivedConsentAction = 'custom';
             const subject = await registry.findOrCreateSubject({
                 subjectId,
                 externalSubjectId,
@@ -2341,8 +3334,63 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             });
             let policyId;
             let purposeIds = [];
+            let appliedPreferences;
             const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
-            if (inputPolicyId) {
+            const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
+            if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
+                if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
+                const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
+                if (Number.isNaN(effectiveDate.getTime())) throw buildLegalDocumentSnapshotHttpException('invalid');
+                const documentPolicy = await registry.findOrCreateLegalDocumentPolicy({
+                    type,
+                    version: legalDocumentSnapshotVerification.payload.version,
+                    hash: legalDocumentSnapshotVerification.payload.hash,
+                    effectiveDate
+                });
+                policyId = documentPolicy.id;
+            } else if (legalDocumentConsent) {
+                if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+                if (inputPolicyId) {
+                    policyId = inputPolicyId;
+                    const policy = await registry.findConsentPolicyById(inputPolicyId);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            policyId,
+                            type
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId,
+                            type
+                        }
+                    });
+                } else if (inputPolicyHash) {
+                    const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId: policy.id,
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    policyId = policy.id;
+                }
+            } else if (inputPolicyId) {
                 policyId = inputPolicyId;
                 const policy = await registry.findConsentPolicyById(inputPolicyId);
                 if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
@@ -2373,20 +3421,73 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 policyId = policy.id;
             }
             if (preferences) {
-                const consentedPurposes = Object.entries(preferences).filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
+                const allowedCategories = effectivePolicy?.consent?.categories;
+                const effectiveScopeMode = effectivePolicy?.consent?.scopeMode ?? 'permissive';
+                const hasWildcardCategoryScope = allowedCategories?.includes('*') === true;
+                const appliedPreferenceEntries = Object.entries(preferences);
+                let filteredAppliedPreferenceEntries = appliedPreferenceEntries;
+                if (allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
+                    const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!allowedCategories.includes(purpose));
+                    filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>allowedCategories.includes(purpose));
+                    if (disallowed.length > 0 && 'strict' === effectiveScopeMode) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Preferences include categories not allowed by policy',
+                        cause: {
+                            code: 'PURPOSE_NOT_ALLOWED',
+                            disallowed
+                        }
+                    });
+                }
+                appliedPreferences = Object.fromEntries(filteredAppliedPreferenceEntries);
+                const filteredConsentedPurposeCodes = filteredAppliedPreferenceEntries.filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
                 logger.debug('Consented purposes', {
-                    consentedPurposes
+                    consentedPurposes: filteredConsentedPurposeCodes
                 });
-                const purposesRaw = await Promise.all(consentedPurposes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
+                const purposesRaw = await Promise.all(filteredConsentedPurposeCodes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
                 const purposes = purposesRaw.map((purpose)=>purpose?.id ?? null).filter((id)=>Boolean(id));
                 logger.debug('Filtered purposes', {
                     purposes
                 });
                 if (0 === purposes.length) logger.warn('No valid purpose IDs found after filtering. Using empty list.', {
-                    consentedPurposes
+                    consentedPurposes: filteredConsentedPurposeCodes
                 });
                 purposeIds = purposes;
             }
+            if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+                message: 'Failed to resolve policy',
+                cause: {
+                    code: 'POLICY_RESOLUTION_FAILED',
+                    type
+                }
+            });
+            const expiryDays = effectivePolicy?.consent?.expiryDays;
+            const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
+            const proofConfig = effectivePolicy?.proof;
+            const shouldStoreIp = proofConfig?.storeIp ?? true;
+            const shouldStoreUserAgent = proofConfig?.storeUserAgent ?? true;
+            const shouldStoreLanguage = proofConfig?.storeLanguage ?? false;
+            const effectiveLanguage = (snapshotPayload?.language && hasValidSnapshot ? snapshotPayload.language : requestLanguage) ?? void 0;
+            const metadataWithPolicy = {
+                ...metadata ?? {},
+                ...shouldStoreLanguage && effectiveLanguage ? {
+                    policyLanguage: effectiveLanguage
+                } : {}
+            };
+            const effectiveJurisdiction = hasValidSnapshot && snapshotPayload ? snapshotPayload.jurisdiction : resolvedJurisdiction;
+            const decisionPayload = buildDecisionPayload({
+                tenantId: ctx.tenantId,
+                snapshot: hasValidSnapshot && snapshotPayload ? {
+                    valid: true,
+                    payload: snapshotPayload
+                } : null,
+                decision: resolvedPolicyDecision,
+                location: {
+                    countryCode: location.countryCode,
+                    regionCode: location.regionCode
+                },
+                jurisdiction: resolvedJurisdiction,
+                language: effectiveLanguage,
+                proofConfig
+            });
             const existingConsent = await db.findFirst('consent', {
                 where: (b)=>b.and(b('subjectId', '=', subject.id), b('domainId', '=', domainRecord.id), b('policyId', '=', policyId), b('givenAt', '=', givenAt))
             });
@@ -2401,6 +3502,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     domain: domainRecord.name,
                     type,
                     metadata,
+                    appliedPreferences,
                     uiSource: input.uiSource,
                     givenAt: existingConsent.givenAt
                 });
@@ -2412,6 +3514,42 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     policyId,
                     purposeIds
                 });
+                const runtimePolicyDecision = decisionPayload ? await tx.findFirst('runtimePolicyDecision', {
+                    where: (b)=>b('dedupeKey', '=', decisionPayload.dedupeKey)
+                }) ?? await tx.create('runtimePolicyDecision', {
+                    id: `rpd_${crypto.randomUUID().replaceAll('-', '')}`,
+                    tenantId: decisionPayload.tenantId,
+                    policyId: decisionPayload.policyId,
+                    fingerprint: decisionPayload.fingerprint,
+                    matchedBy: decisionPayload.matchedBy,
+                    countryCode: decisionPayload.countryCode,
+                    regionCode: decisionPayload.regionCode,
+                    jurisdiction: decisionPayload.jurisdiction,
+                    language: decisionPayload.language,
+                    model: decisionPayload.model,
+                    policyI18n: decisionPayload.policyI18n ? {
+                        json: decisionPayload.policyI18n
+                    } : void 0,
+                    uiMode: decisionPayload.uiMode,
+                    bannerUi: decisionPayload.bannerUi ? {
+                        json: decisionPayload.bannerUi
+                    } : void 0,
+                    dialogUi: decisionPayload.dialogUi ? {
+                        json: decisionPayload.dialogUi
+                    } : void 0,
+                    categories: decisionPayload.categories ? {
+                        json: decisionPayload.categories
+                    } : void 0,
+                    preselectedCategories: decisionPayload.preselectedCategories ? {
+                        json: decisionPayload.preselectedCategories
+                    } : void 0,
+                    proofConfig: decisionPayload.proofConfig ? {
+                        json: decisionPayload.proofConfig
+                    } : void 0,
+                    dedupeKey: decisionPayload.dedupeKey
+                }).catch(async ()=>tx.findFirst('runtimePolicyDecision', {
+                        where: (b)=>b('dedupeKey', '=', decisionPayload.dedupeKey)
+                    })) : void 0;
                 const consentRecord = await tx.create('consent', {
                     id: await utils_generateUniqueId(tx, 'consent', ctx),
                     subjectId: subject.id,
@@ -2420,16 +3558,20 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     purposeIds: {
                         json: purposeIds
                     },
-                    metadata: metadata ? {
-                        json: metadata
+                    metadata: Object.keys(metadataWithPolicy).length > 0 ? {
+                        json: metadataWithPolicy
                     } : void 0,
-                    ipAddress: ctx.ipAddress,
-                    userAgent: ctx.userAgent,
-                    jurisdiction: input.jurisdiction,
-                    jurisdictionModel: input.jurisdictionModel,
+                    ipAddress: shouldStoreIp ? ctx.ipAddress : null,
+                    userAgent: shouldStoreUserAgent ? ctx.userAgent : null,
+                    jurisdiction: effectiveJurisdiction,
+                    jurisdictionModel: effectiveModel,
                     tcString: input.tcString,
                     uiSource: input.uiSource,
-                    givenAt
+                    consentAction: derivedConsentAction,
+                    givenAt,
+                    validUntil,
+                    runtimePolicyDecisionId: runtimePolicyDecision?.id,
+                    runtimePolicySource: decisionPayload?.source
                 });
                 logger.debug('Created consent', {
                     consentRecord: consentRecord.id
@@ -2448,7 +3590,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             });
             const metrics = getMetrics();
             if (metrics) {
-                const jurisdiction = input.jurisdiction;
+                const jurisdiction = effectiveJurisdiction;
                 metrics.recordConsentCreated({
                     type,
                     jurisdiction
@@ -2470,6 +3612,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 domain: domainRecord.name,
                 type,
                 metadata,
+                appliedPreferences,
                 uiSource: input.uiSource,
                 givenAt: result.consent.givenAt
             });
@@ -2479,6 +3622,12 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 errorType: error instanceof Error ? error.constructor.name : typeof error
             });
             if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
+            if (error instanceof LegalDocumentPolicyConflictError) throw new http_exception_namespaceObject.HTTPException(409, {
+                message: error.message,
+                cause: {
+                    code: 'LEGAL_DOCUMENT_RELEASE_CONFLICT'
+                }
+            });
             throw new http_exception_namespaceObject.HTTPException(500, {
                 message: 'Internal server error',
                 cause: {
@@ -2491,11 +3640,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         const app = new external_hono_namespaceObject.Hono();
         app.get('/:id', (0, external_hono_openapi_namespaceObject.describeRoute)({
             summary: 'Get subject consent status',
-            description: `Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.
-
-**Query:** \`type\` – Filter by consent type(s), comma-separated (e.g. \`privacy_policy,cookie_banner\`).
-
-**Response:** \`subject\`, \`consents\` (matching filter), \`isValid\` (valid consent for requested type(s)).`,
+            description: "Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.\n\n**Query:** `type` – Filter by consent type(s), comma-separated (e.g. `privacy_policy,cookie_banner`).\n\n**Response:** `subject`, `consents` (matching filter), `isValid` (valid consent for requested type(s)).",
             tags: [
                 'Subject',
                 'Consent'
@@ -2516,12 +3661,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_.getSubjectInputSchema), getSubjectHandler);
         app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
             summary: 'Record consent for a subject',
-            description: `Creates a new consent record (append-only). Creates the subject if it does not exist.
-
-**Request body by \`type\`:**
-- \`cookie_banner\` – Requires \`preferences\` object
-- \`privacy_policy\`, \`dpa\`, \`terms_and_conditions\` – Optional \`policyId\`
-- \`marketing_communications\`, \`age_verification\`, \`other\` – Optional \`preferences\``,
+            description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
             tags: [
                 'Subject',
                 'Consent'
@@ -2593,6 +3733,86 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         return app;
     };
     var define_config = __webpack_require__("./src/define-config.ts");
+    const DEFAULT_FALLBACK_POLICY_INPUT = {
+        id: 'world_no_banner',
+        isDefault: true,
+        model: 'none',
+        uiMode: 'none'
+    };
+    function mergeMatch(input) {
+        return types_namespaceObject.policyMatchers.merge(input.countries?.length ? types_namespaceObject.policyMatchers.countries(input.countries) : {}, input.regions?.length ? types_namespaceObject.policyMatchers.regions(input.regions) : {}, input.isDefault ? types_namespaceObject.policyMatchers["default"]() : {});
+    }
+    function compactUiSurface(value) {
+        if (!value) return;
+        return (0, schema_.compactDefined)({
+            allowedActions: (0, schema_.dedupeTrimmedStrings)(value.allowedActions),
+            primaryActions: value.primaryActions,
+            layout: value.layout,
+            direction: value.direction,
+            uiProfile: value.uiProfile,
+            scrollLock: value.scrollLock
+        });
+    }
+    function buildPolicyConfig(input) {
+        const categories = (0, schema_.dedupeTrimmedStrings)(input.categories);
+        const preselectedCategories = (0, schema_.dedupeTrimmedStrings)(input.preselectedCategories);
+        return {
+            id: input.id,
+            match: mergeMatch(input),
+            i18n: input.i18n,
+            consent: (0, schema_.compactDefined)({
+                model: input.model,
+                expiryDays: input.expiryDays,
+                scopeMode: input.scopeMode,
+                categories,
+                preselectedCategories,
+                gpc: input.gpc
+            }),
+            ui: (0, schema_.compactDefined)({
+                mode: input.uiMode,
+                banner: compactUiSurface(input.banner),
+                dialog: compactUiSurface(input.dialog)
+            }),
+            proof: (0, schema_.compactDefined)({
+                storeIp: input.proof?.storeIp,
+                storeUserAgent: input.proof?.storeUserAgent,
+                storeLanguage: input.proof?.storeLanguage
+            })
+        };
+    }
+    function buildPolicyPack(inputs) {
+        return inputs.map((input)=>buildPolicyConfig(input));
+    }
+    function buildPolicyPackWithDefault(inputs, defaultPolicy) {
+        const pack = buildPolicyPack(inputs);
+        const hasDefault = pack.some((policy)=>policy.match.isDefault);
+        if (hasDefault) return pack;
+        const fallbackInput = defaultPolicy ? {
+            ...defaultPolicy,
+            isDefault: true,
+            countries: void 0,
+            regions: void 0
+        } : DEFAULT_FALLBACK_POLICY_INPUT;
+        return [
+            ...pack,
+            buildPolicyConfig(fallbackInput)
+        ];
+    }
+    function composePacks(...packs) {
+        const seen = new Set();
+        const result = [];
+        for (const pack of packs)for (const policy of pack)if (!seen.has(policy.id)) {
+            seen.add(policy.id);
+            result.push(policy);
+        }
+        return result;
+    }
+    const policyBuilder = {
+        create: buildPolicyConfig,
+        createPack: buildPolicyPack,
+        createPackWithDefault: buildPolicyPackWithDefault,
+        composePacks
+    };
     const c15tInstance = (options)=>{
         const context = init(options);
         const logger = (0, logger_namespaceObject.createLogger)(options.logger);
@@ -2605,7 +3825,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         app.use('*', async (c, next)=>{
             const request = c.req.raw;
             const startTime = Date.now();
-            const apiKeyAuthenticated = validateRequestAuth(request.headers, options.advanced?.apiKeys);
+            const apiKeyAuthenticated = validateRequestAuth(request.headers, options.apiKeys);
             const enrichedContext = {
                 ...context,
                 ipAddress: getIpAddress(request, options),
@@ -2674,16 +3894,16 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             }));
             const publicSpecUrl = `${basePath}${openApiConfig.specPath}`.replace(/\/+/g, '/');
             app.get(openApiConfig.docsPath, (0, hono_api_reference_namespaceObject.apiReference)({
-                spec: {
-                    url: publicSpecUrl
-                },
+                url: publicSpecUrl,
                 pageTitle: `${options.appName || 'c15t API'} Documentation`
             }));
         }
         app.route('/init', createInitRoute(options));
+        app.route('/legal-documents', createLegalDocumentRoutes());
         app.route('/subjects', createSubjectRoutes());
         app.route('/consents', createConsentRoutes());
         app.route('/status', createStatusRoute());
+        app.route('/', createStatusRoute());
         app.onError((err, c)=>{
             const ctx = c.get('c15tContext');
             const log = ctx?.logger || logger;
@@ -2769,12 +3989,28 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         };
     };
 })();
+exports.EEA_COUNTRY_CODES = __webpack_exports__.EEA_COUNTRY_CODES;
+exports.EU_COUNTRY_CODES = __webpack_exports__.EU_COUNTRY_CODES;
+exports.POLICY_MATCH_DATASET_VERSION = __webpack_exports__.POLICY_MATCH_DATASET_VERSION;
+exports.UK_COUNTRY_CODES = __webpack_exports__.UK_COUNTRY_CODES;
 exports.c15tInstance = __webpack_exports__.c15tInstance;
 exports.defineConfig = __webpack_exports__.defineConfig;
+exports.inspectPolicies = __webpack_exports__.inspectPolicies;
+exports.policyBuilder = __webpack_exports__.policyBuilder;
+exports.policyMatchers = __webpack_exports__.policyMatchers;
+exports.policyPackPresets = __webpack_exports__.policyPackPresets;
 exports.version = __webpack_exports__.version;
 for(var __rspack_i in __webpack_exports__)if (-1 === [
+    "EEA_COUNTRY_CODES",
+    "EU_COUNTRY_CODES",
+    "POLICY_MATCH_DATASET_VERSION",
+    "UK_COUNTRY_CODES",
     "c15tInstance",
     "defineConfig",
+    "inspectPolicies",
+    "policyBuilder",
+    "policyMatchers",
+    "policyPackPresets",
     "version"
 ].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
 Object.defineProperty(exports, '__esModule', {