@c15t/backend 2.0.0-rc.4 → 2.0.0-rc.6

package/dist/router.js

@@ -1,1509 +1 @@
-import { checkConsentOutputSchema, checkConsentQuerySchema, getSubjectInputSchema, getSubjectOutputSchema, initOutputSchema, listSubjectsOutputSchema, listSubjectsQuerySchema, patchSubjectOutputSchema, postSubjectInputSchema, postSubjectOutputSchema, statusOutputSchema, subjectIdSchema } from "@c15t/schema";
-import { Hono } from "hono";
-import { describeRoute, resolver, validator } from "hono-openapi";
-import { HTTPException } from "hono/http-exception";
-import { SpanKind as api_SpanKind, SpanStatusCode as api_SpanStatusCode, context, metrics as api_metrics, trace as api_trace } from "@opentelemetry/api";
-import { deepMergeTranslations, selectLanguage } from "@c15t/translations";
-import { baseTranslations } from "@c15t/translations/all";
-import { object, optional, string } from "valibot";
-import base_x from "base-x";
-function extractErrorMessage(error) {
-    if (error instanceof AggregateError && error.errors?.length > 0) {
-        const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
-        return `AggregateError: ${inner}`;
-    }
-    if (error instanceof Error) return error.message || error.name;
-    return String(error);
-}
-const version_version = '2.0.0-rc.4';
-let cachedConfig = null;
-let cachedDefaultAttributes = {};
-function create_telemetry_options_isTelemetryEnabled(options) {
-    if (options) return options.telemetry?.enabled === true;
-    return cachedConfig?.enabled === true;
-}
-const create_telemetry_options_getTracer = (options)=>{
-    if (!create_telemetry_options_isTelemetryEnabled(options)) return api_trace.getTracer('c15t-noop');
-    const tracer = options?.telemetry?.tracer ?? cachedConfig?.tracer;
-    if (tracer) return tracer;
-    return api_trace.getTracer(options?.appName ?? 'c15t');
-};
-const getMeter = (options)=>{
-    if (!create_telemetry_options_isTelemetryEnabled(options)) return api_metrics.getMeter('c15t-noop');
-    const meter = options?.telemetry?.meter ?? cachedConfig?.meter;
-    if (meter) return meter;
-    return api_metrics.getMeter(options?.appName ?? 'c15t');
-};
-function getDefaultAttributes() {
-    return cachedDefaultAttributes;
-}
-const handleSpanError = (span, error)=>{
-    span.setStatus({
-        code: api_SpanStatusCode.ERROR,
-        message: extractErrorMessage(error)
-    });
-    if (error instanceof Error) span.setAttribute('error.type', error.name);
-};
-const withSpanContext = async (span, operation)=>context["with"](api_trace.setSpan(context.active(), span), operation);
-function sanitizeAttributes(attrs) {
-    return Object.fromEntries(Object.entries(attrs).filter(([_, v])=>null != v));
-}
-function createMetrics(meter) {
-    const consentCreated = meter.createCounter('c15t.consent.created', {
-        description: 'Number of consent submissions',
-        unit: '1'
-    });
-    const consentAccepted = meter.createCounter('c15t.consent.accepted', {
-        description: 'Number of consents accepted',
-        unit: '1'
-    });
-    const consentRejected = meter.createCounter('c15t.consent.rejected', {
-        description: 'Number of consents rejected',
-        unit: '1'
-    });
-    const subjectCreated = meter.createCounter('c15t.subject.created', {
-        description: 'Number of new subjects created',
-        unit: '1'
-    });
-    const subjectLinked = meter.createCounter('c15t.subject.linked', {
-        description: 'Number of subjects linked to external ID',
-        unit: '1'
-    });
-    const consentCheckCount = meter.createCounter('c15t.consent_check.count', {
-        description: 'Number of cross-device consent checks',
-        unit: '1'
-    });
-    const initCount = meter.createCounter('c15t.init.count', {
-        description: 'Number of init endpoint calls',
-        unit: '1'
-    });
-    const httpRequestDuration = meter.createHistogram('c15t.http.request.duration', {
-        description: 'HTTP request latency',
-        unit: 'ms'
-    });
-    const httpRequestCount = meter.createCounter('c15t.http.request.count', {
-        description: 'Number of HTTP requests',
-        unit: '1'
-    });
-    const httpErrorCount = meter.createCounter('c15t.http.error.count', {
-        description: 'Number of HTTP errors',
-        unit: '1'
-    });
-    const dbQueryDuration = meter.createHistogram('c15t.db.query.duration', {
-        description: 'Database query latency',
-        unit: 'ms'
-    });
-    const dbQueryCount = meter.createCounter('c15t.db.query.count', {
-        description: 'Number of database queries',
-        unit: '1'
-    });
-    const dbErrorCount = meter.createCounter('c15t.db.error.count', {
-        description: 'Number of database errors',
-        unit: '1'
-    });
-    const cacheHit = meter.createCounter('c15t.cache.hit', {
-        description: 'Number of cache hits',
-        unit: '1'
-    });
-    const cacheMiss = meter.createCounter('c15t.cache.miss', {
-        description: 'Number of cache misses',
-        unit: '1'
-    });
-    const cacheLatency = meter.createHistogram('c15t.cache.latency', {
-        description: 'Cache operation latency',
-        unit: 'ms'
-    });
-    const gvlFetchDuration = meter.createHistogram('c15t.gvl.fetch.duration', {
-        description: 'GVL fetch latency',
-        unit: 'ms'
-    });
-    const gvlFetchCount = meter.createCounter('c15t.gvl.fetch.count', {
-        description: 'Number of GVL fetches',
-        unit: '1'
-    });
-    const gvlFetchError = meter.createCounter('c15t.gvl.fetch.error', {
-        description: 'Number of GVL fetch errors',
-        unit: '1'
-    });
-    return {
-        consentCreated,
-        consentAccepted,
-        consentRejected,
-        subjectCreated,
-        subjectLinked,
-        consentCheckCount,
-        initCount,
-        httpRequestDuration,
-        httpRequestCount,
-        httpErrorCount,
-        dbQueryDuration,
-        dbQueryCount,
-        dbErrorCount,
-        cacheHit,
-        cacheMiss,
-        cacheLatency,
-        gvlFetchDuration,
-        gvlFetchCount,
-        gvlFetchError,
-        recordConsentCreated (attributes) {
-            consentCreated.add(1, sanitizeAttributes(attributes));
-        },
-        recordConsentAccepted (attributes) {
-            consentAccepted.add(1, sanitizeAttributes(attributes));
-        },
-        recordConsentRejected (attributes) {
-            consentRejected.add(1, sanitizeAttributes(attributes));
-        },
-        recordSubjectCreated (attributes) {
-            subjectCreated.add(1, sanitizeAttributes(attributes));
-        },
-        recordSubjectLinked (identityProvider) {
-            subjectLinked.add(1, {
-                identityProvider: identityProvider || 'unknown'
-            });
-        },
-        recordConsentCheck (type, found) {
-            consentCheckCount.add(1, {
-                type,
-                found: String(found)
-            });
-        },
-        recordInit (attributes) {
-            initCount.add(1, sanitizeAttributes(attributes));
-        },
-        recordHttpRequest (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            httpRequestCount.add(1, attrs);
-            httpRequestDuration.record(durationMs, attrs);
-            if (attributes.status >= 400) httpErrorCount.add(1, attrs);
-        },
-        recordDbQuery (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            dbQueryCount.add(1, attrs);
-            dbQueryDuration.record(durationMs, attrs);
-        },
-        recordDbError (attributes) {
-            dbErrorCount.add(1, sanitizeAttributes(attributes));
-        },
-        recordCacheHit (layer) {
-            cacheHit.add(1, {
-                layer
-            });
-        },
-        recordCacheMiss (layer) {
-            cacheMiss.add(1, {
-                layer
-            });
-        },
-        recordCacheLatency (attributes, durationMs) {
-            cacheLatency.record(durationMs, sanitizeAttributes(attributes));
-        },
-        recordGvlFetch (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            gvlFetchCount.add(1, attrs);
-            gvlFetchDuration.record(durationMs, attrs);
-        },
-        recordGvlError (attributes) {
-            gvlFetchError.add(1, sanitizeAttributes(attributes));
-        }
-    };
-}
-let metricsInstance = null;
-function getMetrics(options) {
-    if (metricsInstance) return metricsInstance;
-    if (!create_telemetry_options_isTelemetryEnabled(options)) return null;
-    metricsInstance = createMetrics(getMeter(options));
-    return metricsInstance;
-}
-function parsePurposeIds(purposeIds) {
-    if (null == purposeIds) return [];
-    const ids = 'object' == typeof purposeIds && 'json' in purposeIds ? purposeIds.json : purposeIds;
-    return Array.isArray(ids) ? ids : [];
-}
-async function batchLoadPolicies(policyIds, ctx) {
-    const { db, registry } = ctx;
-    const policyMap = new Map();
-    if (policyIds.size > 0) {
-        const policies = await db.findMany('consentPolicy', {
-            where: (b)=>b('id', 'in', [
-                    ...policyIds
-                ])
-        });
-        for (const p of policies)policyMap.set(p.id, p);
-    }
-    const uniqueTypes = new Set();
-    for (const p of policyMap.values())uniqueTypes.add(p.type);
-    const latestPolicyByType = new Map();
-    for (const type of uniqueTypes){
-        const latest = await registry.findOrCreatePolicy(type);
-        if (latest) latestPolicyByType.set(type, latest.id);
-    }
-    return {
-        policyMap,
-        latestPolicyByType
-    };
-}
-async function enrichConsents(consents, ctx) {
-    if (0 === consents.length) return [];
-    const policyIds = new Set();
-    for (const c of consents)if (c.policyId) policyIds.add(c.policyId);
-    const { policyMap, latestPolicyByType } = await batchLoadPolicies(policyIds, ctx);
-    const allPurposeIds = new Set();
-    for (const c of consents)for (const id of parsePurposeIds(c.purposeIds))allPurposeIds.add(id);
-    const purposeMap = new Map();
-    if (allPurposeIds.size > 0) {
-        const purposes = await ctx.db.findMany('consentPurpose', {
-            where: (b)=>b('id', 'in', [
-                    ...allPurposeIds
-                ])
-        });
-        for (const p of purposes)purposeMap.set(p.id, p.code);
-    }
-    return consents.map((consent)=>{
-        let policyType = 'unknown';
-        let isLatestPolicy = false;
-        if (consent.policyId) {
-            const policy = policyMap.get(consent.policyId);
-            if (policy) {
-                policyType = policy.type;
-                isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
-            }
-        }
-        let preferences;
-        const ids = parsePurposeIds(consent.purposeIds);
-        if (ids.length > 0) {
-            preferences = {};
-            for (const purposeId of ids){
-                const code = purposeMap.get(purposeId);
-                if (code) preferences[code] = true;
-            }
-        }
-        return {
-            id: consent.id,
-            type: policyType,
-            policyId: consent.policyId ?? void 0,
-            isLatestPolicy,
-            preferences,
-            givenAt: consent.givenAt
-        };
-    });
-}
-async function resolveConsentPolicies(consents, ctx) {
-    if (0 === consents.length) return [];
-    const policyIds = new Set();
-    for (const c of consents)if (c.policyId) policyIds.add(c.policyId);
-    const { policyMap, latestPolicyByType } = await batchLoadPolicies(policyIds, ctx);
-    return consents.map((consent)=>{
-        let policyType = 'unknown';
-        let isLatestPolicy = false;
-        if (consent.policyId) {
-            const policy = policyMap.get(consent.policyId);
-            if (policy) {
-                policyType = policy.type;
-                isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
-            }
-        }
-        return {
-            consentId: consent.id,
-            policyType,
-            policyId: consent.policyId ?? void 0,
-            isLatestPolicy
-        };
-    });
-}
-const checkConsentHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /consents/check request');
-    const { db, registry } = ctx;
-    const externalId = c.req.query('externalId');
-    const type = c.req.query('type');
-    if (!externalId) throw new HTTPException(422, {
-        message: 'externalId query parameter is required',
-        cause: {
-            code: 'EXTERNAL_ID_REQUIRED'
-        }
-    });
-    if (!type) throw new HTTPException(422, {
-        message: 'type query parameter is required',
-        cause: {
-            code: 'TYPE_REQUIRED'
-        }
-    });
-    const types = type.split(',').map((t)=>t.trim());
-    logger.debug('Request parameters', {
-        externalId,
-        types
-    });
-    try {
-        const subjects = await db.findMany('subject', {
-            where: (b)=>b('externalId', '=', externalId)
-        });
-        const subjectIds = subjects.map((s)=>s.id);
-        const results = {};
-        for (const t of types)results[t] = {
-            hasConsent: false,
-            isLatestPolicy: false
-        };
-        if (0 === subjectIds.length) {
-            logger.debug('No subjects found for externalId', {
-                externalId
-            });
-            return c.json({
-                results
-            });
-        }
-        const allConsents = await Promise.all(subjectIds.map((subjectId)=>db.findMany('consent', {
-                where: (b)=>b('subjectId', '=', subjectId)
-            })));
-        const consents = allConsents.flat();
-        const policyInfos = await resolveConsentPolicies(consents, {
-            db,
-            registry
-        });
-        for (const info of policyInfos){
-            if (!types.includes(info.policyType)) continue;
-            const entry = results[info.policyType];
-            if (entry) {
-                entry.hasConsent = true;
-                if (info.isLatestPolicy) entry.isLatestPolicy = true;
-            }
-        }
-        logger.debug('Consent check results', {
-            externalId,
-            results
-        });
-        const metrics = getMetrics();
-        if (metrics) for (const [type, result] of Object.entries(results))metrics.recordConsentCheck(type, result.hasConsent);
-        return c.json({
-            results
-        });
-    } catch (error) {
-        logger.error('Error in GET /consents/check handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const createConsentRoutes = ()=>{
-    const app = new Hono();
-    app.get('/check', describeRoute({
-        summary: 'Check consent by external user ID',
-        description: `Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.
-
-**Query parameters:**
-- \`externalId\` – External user ID to check
-- \`type\` – Consent type(s) to check (comma-separated)`,
-        tags: [
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Consent check result per requested type(s)',
-                content: {
-                    'application/json': {
-                        schema: resolver(checkConsentOutputSchema)
-                    }
-                }
-            },
-            422: {
-                description: 'Invalid or missing query parameters'
-            }
-        }
-    }), validator('query', checkConsentQuerySchema), checkConsentHandler);
-    return app;
-};
-async function executeWithSpan(span, operation) {
-    try {
-        const result = await withSpanContext(span, operation);
-        span.setStatus({
-            code: api_SpanStatusCode.OK
-        });
-        return result;
-    } catch (error) {
-        handleSpanError(span, error);
-        throw error;
-    } finally{
-        span.end();
-    }
-}
-function resolveDefaultAttributes(options) {
-    return options?.telemetry?.defaultAttributes || getDefaultAttributes();
-}
-async function withExternalSpan(attributes, operation, options) {
-    if (!create_telemetry_options_isTelemetryEnabled(options)) return operation();
-    const tracer = create_telemetry_options_getTracer(options);
-    const url = new URL(attributes.url);
-    const spanName = `HTTP ${attributes.method} ${url.hostname}`;
-    const span = tracer.startSpan(spanName, {
-        kind: api_SpanKind.CLIENT,
-        attributes: {
-            'http.method': attributes.method,
-            'http.url': `${url.origin}${url.pathname}`,
-            'http.host': url.hostname,
-            ...resolveDefaultAttributes(options),
-            ...Object.fromEntries(Object.entries(attributes).filter(([key])=>![
-                    'url',
-                    'method'
-                ].includes(key)))
-        }
-    });
-    return executeWithSpan(span, operation);
-}
-async function withCacheSpan(operation, layer, fn, options) {
-    if (!create_telemetry_options_isTelemetryEnabled(options)) return fn();
-    const tracer = create_telemetry_options_getTracer(options);
-    const spanName = `cache.${layer}.${operation}`;
-    const span = tracer.startSpan(spanName, {
-        kind: api_SpanKind.CLIENT,
-        attributes: {
-            'cache.operation': operation,
-            'cache.layer': layer,
-            ...resolveDefaultAttributes(options)
-        }
-    });
-    return executeWithSpan(span, fn);
-}
-const GVL_TTL_MS = 259200000;
-const memory_memoryCache = new Map();
-function createMemoryCacheAdapter() {
-    return {
-        async get (key) {
-            const entry = memory_memoryCache.get(key);
-            if (!entry) return null;
-            if (Date.now() > entry.expiresAt) {
-                memory_memoryCache.delete(key);
-                return null;
-            }
-            return entry.value;
-        },
-        async set (key, value, ttlMs = 300000) {
-            memory_memoryCache.set(key, {
-                value,
-                expiresAt: Date.now() + ttlMs
-            });
-        },
-        async delete (key) {
-            memory_memoryCache.delete(key);
-        },
-        async has (key) {
-            const entry = memory_memoryCache.get(key);
-            if (!entry) return false;
-            if (Date.now() > entry.expiresAt) {
-                memory_memoryCache.delete(key);
-                return false;
-            }
-            return true;
-        }
-    };
-}
-function createGVLCacheKey(appName, language, vendorIds) {
-    const sortedIds = vendorIds ? [
-        ...vendorIds
-    ].sort((a, b)=>a - b).join(',') : 'all';
-    return `${appName}:gvl:${language}:${sortedIds}`;
-}
-const GVL_ENDPOINT = 'https://gvl.consent.io';
-const inflightRequests = new Map();
-async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
-    const sortedVendorIds = vendorIds ? [
-        ...vendorIds
-    ].sort((a, b)=>a - b) : [];
-    const dedupeKey = `${endpoint}|${language}|${sortedVendorIds.join(',')}`;
-    const existingRequest = inflightRequests.get(dedupeKey);
-    if (existingRequest) return existingRequest;
-    const url = new URL(endpoint);
-    if (sortedVendorIds.length > 0) url.searchParams.set('vendorIds', sortedVendorIds.join(','));
-    const promise = (async ()=>{
-        const fetchStart = Date.now();
-        try {
-            const gvl = await withExternalSpan({
-                url: url.toString(),
-                method: 'GET'
-            }, async ()=>{
-                const response = await fetch(url.toString(), {
-                    headers: {
-                        'Accept-Language': language
-                    }
-                });
-                if (204 === response.status) return null;
-                if (!response.ok) throw new Error(`Failed to fetch GVL: ${response.status} ${response.statusText}`);
-                const text = await response.text();
-                const trimmed = text.trim().replace(/^\uFEFF/, '');
-                let parsed;
-                try {
-                    parsed = JSON.parse(trimmed);
-                } catch  {
-                    let depth = 0;
-                    let end = -1;
-                    const start = trimmed.indexOf('{');
-                    if (start >= 0) for(let i = start; i < trimmed.length; i++){
-                        const c = trimmed[i];
-                        if ('{' === c) depth++;
-                        else if ('}' === c) {
-                            depth--;
-                            if (0 === depth) {
-                                end = i + 1;
-                                break;
-                            }
-                        }
-                    }
-                    if (end > 0) parsed = JSON.parse(trimmed.slice(0, end));
-                    else throw new SyntaxError('Invalid GVL response: not valid JSON');
-                }
-                if (!parsed.vendorListVersion || !parsed.purposes || !parsed.vendors) throw new Error('Invalid GVL response: missing required fields');
-                return parsed;
-            });
-            getMetrics()?.recordGvlFetch({
-                language,
-                source: 'fetch',
-                status: 200
-            }, Date.now() - fetchStart);
-            return gvl;
-        } catch (error) {
-            getMetrics()?.recordGvlError({
-                language,
-                errorType: error instanceof Error ? error.name : 'UnknownError'
-            });
-            throw error;
-        } finally{
-            inflightRequests.delete(dedupeKey);
-        }
-    })();
-    inflightRequests.set(dedupeKey, promise);
-    return promise;
-}
-function createGVLResolver(options) {
-    const { appName, bundled, cacheAdapter, vendorIds, endpoint } = options;
-    const memoryCache = createMemoryCacheAdapter();
-    return {
-        async get (language) {
-            const cacheKey = createGVLCacheKey(appName, language, vendorIds);
-            if (bundled?.[language]) return bundled[language];
-            const memoryHit = await withCacheSpan('get', 'memory', ()=>memoryCache.get(cacheKey));
-            if (memoryHit) {
-                getMetrics()?.recordCacheHit('memory');
-                return memoryHit;
-            }
-            getMetrics()?.recordCacheMiss('memory');
-            if (cacheAdapter) {
-                const externalHit = await withCacheSpan('get', 'external', ()=>cacheAdapter.get(cacheKey));
-                if (externalHit) {
-                    getMetrics()?.recordCacheHit('external');
-                    await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, externalHit, 300000));
-                    return externalHit;
-                }
-                getMetrics()?.recordCacheMiss('external');
-            }
-            const gvl = await fetchGVLWithLanguage(language, vendorIds, endpoint);
-            if (gvl) {
-                await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, gvl, 300000));
-                if (cacheAdapter) await withCacheSpan('set', 'external', ()=>cacheAdapter.set(cacheKey, gvl, GVL_TTL_MS));
-            }
-            return gvl;
-        }
-    };
-}
-function geo_normalizeHeader(value) {
-    if (!value) return null;
-    return Array.isArray(value) ? value[0] ?? null : value;
-}
-function getGeoHeaders(headers) {
-    const countryCode = geo_normalizeHeader(headers.get('x-c15t-country')) ?? geo_normalizeHeader(headers.get('cf-ipcountry')) ?? geo_normalizeHeader(headers.get('x-vercel-ip-country')) ?? geo_normalizeHeader(headers.get('x-amz-cf-ipcountry')) ?? geo_normalizeHeader(headers.get('x-country-code'));
-    const regionCode = geo_normalizeHeader(headers.get('x-c15t-region')) ?? geo_normalizeHeader(headers.get('x-vercel-ip-country-region')) ?? geo_normalizeHeader(headers.get('x-region-code'));
-    return {
-        countryCode,
-        regionCode
-    };
-}
-function checkJurisdiction(countryCode, regionCode) {
-    const jurisdictions = {
-        EU: new Set([
-            'AT',
-            'BE',
-            'BG',
-            'HR',
-            'CY',
-            'CZ',
-            'DK',
-            'EE',
-            'FI',
-            'FR',
-            'DE',
-            'GR',
-            'HU',
-            'IE',
-            'IT',
-            'LV',
-            'LT',
-            'LU',
-            'MT',
-            'NL',
-            'PL',
-            'PT',
-            'RO',
-            'SK',
-            'SI',
-            'ES',
-            'SE'
-        ]),
-        EEA: new Set([
-            'IS',
-            'NO',
-            'LI'
-        ]),
-        UK: new Set([
-            'GB'
-        ]),
-        CH: new Set([
-            'CH'
-        ]),
-        BR: new Set([
-            'BR'
-        ]),
-        CA: new Set([
-            'CA'
-        ]),
-        AU: new Set([
-            'AU'
-        ]),
-        JP: new Set([
-            'JP'
-        ]),
-        KR: new Set([
-            'KR'
-        ]),
-        US_CCPA_REGIONS: new Set([
-            'CA'
-        ]),
-        CA_QC_REGIONS: new Set([
-            'QC'
-        ])
-    };
-    let jurisdiction = 'NONE';
-    if (countryCode) {
-        const normalizedCountryCode = countryCode.toUpperCase();
-        const normalizedRegionCode = regionCode && 'string' == typeof regionCode ? (regionCode.includes('-') ? regionCode.split('-').pop() : regionCode).toUpperCase() : null;
-        if ('US' === normalizedCountryCode && normalizedRegionCode && jurisdictions.US_CCPA_REGIONS.has(normalizedRegionCode)) return 'CCPA';
-        if ('CA' === normalizedCountryCode && normalizedRegionCode && jurisdictions.CA_QC_REGIONS.has(normalizedRegionCode)) return 'QC_LAW25';
-        const jurisdictionMap = [
-            {
-                sets: [
-                    jurisdictions.UK
-                ],
-                code: 'UK_GDPR'
-            },
-            {
-                sets: [
-                    jurisdictions.EU,
-                    jurisdictions.EEA
-                ],
-                code: 'GDPR'
-            },
-            {
-                sets: [
-                    jurisdictions.CH
-                ],
-                code: 'CH'
-            },
-            {
-                sets: [
-                    jurisdictions.BR
-                ],
-                code: 'BR'
-            },
-            {
-                sets: [
-                    jurisdictions.CA
-                ],
-                code: 'PIPEDA'
-            },
-            {
-                sets: [
-                    jurisdictions.AU
-                ],
-                code: 'AU'
-            },
-            {
-                sets: [
-                    jurisdictions.JP
-                ],
-                code: 'APPI'
-            },
-            {
-                sets: [
-                    jurisdictions.KR
-                ],
-                code: 'PIPA'
-            }
-        ];
-        for (const { sets, code } of jurisdictionMap)if (sets.some((set)=>set.has(normalizedCountryCode))) {
-            jurisdiction = code;
-            break;
-        }
-    }
-    return jurisdiction;
-}
-async function getLocation(request, options) {
-    if (options.disableGeoLocation) return {
-        countryCode: null,
-        regionCode: null
-    };
-    const { countryCode, regionCode } = getGeoHeaders(request.headers);
-    return {
-        countryCode,
-        regionCode
-    };
-}
-function getJurisdiction(location, options) {
-    if (options.disableGeoLocation) return 'GDPR';
-    return checkJurisdiction(location.countryCode, location.regionCode);
-}
-function isSupportedBaseLanguage(lang) {
-    return lang in baseTranslations;
-}
-function translations_getTranslationsData(acceptLanguage, customTranslations) {
-    const supportedDefaultLanguages = Object.keys(baseTranslations);
-    const supportedCustomLanguages = Object.keys(customTranslations || {});
-    const supportedLanguages = [
-        ...supportedDefaultLanguages,
-        ...supportedCustomLanguages
-    ];
-    const preferredLanguage = selectLanguage(supportedLanguages, {
-        header: acceptLanguage,
-        fallback: 'en'
-    });
-    const base = isSupportedBaseLanguage(preferredLanguage) ? baseTranslations[preferredLanguage] : baseTranslations.en;
-    const custom = supportedCustomLanguages.includes(preferredLanguage) ? customTranslations?.[preferredLanguage] : {};
-    const translations = custom ? deepMergeTranslations(base, custom) : base;
-    return {
-        translations: translations,
-        language: preferredLanguage
-    };
-}
-const createInitRoute = (options)=>{
-    const app = new Hono();
-    app.get('/', describeRoute({
-        summary: 'Get initial consent manager state',
-        description: `Returns the initial state required to render the consent manager.
-
-- **Jurisdiction** – User's jurisdiction (defaults to GDPR if geo-location is disabled)
-- **Location** – User's location (null if geo-location is disabled)
-- **Translations** – Consent manager copy (from \`Accept-Language\` header)
-- **Branding** – Configured branding key
-- **GVL** – Global Vendor List when enabled
-
-Use for geo-targeted consent banners and regional compliance.`,
-        tags: [
-            'Init'
-        ],
-        responses: {
-            200: {
-                description: 'Initialization payload (jurisdiction, location, translations, branding, GVL)',
-                content: {
-                    'application/json': {
-                        schema: resolver(initOutputSchema)
-                    }
-                }
-            }
-        }
-    }), async (c)=>{
-        const request = c.req.raw;
-        const acceptLanguage = request.headers.get('accept-language') || 'en';
-        const location = await getLocation(request, options);
-        const jurisdiction = getJurisdiction(location, options);
-        const translationsResult = translations_getTranslationsData(acceptLanguage, options.customTranslations);
-        let gvl = null;
-        if (options.iab?.enabled) {
-            const language = translationsResult.language.split('-')[0] || 'en';
-            const gvlResolver = createGVLResolver({
-                appName: options.appName || 'c15t',
-                bundled: options.iab.bundled,
-                cacheAdapter: options.cache?.adapter,
-                vendorIds: options.iab.vendorIds,
-                endpoint: options.iab.endpoint
-            });
-            gvl = await gvlResolver.get(language);
-        }
-        const customVendors = options.iab?.customVendors;
-        const gpc = '1' === request.headers.get('sec-gpc');
-        getMetrics()?.recordInit({
-            jurisdiction,
-            country: location?.countryCode ?? void 0,
-            region: location?.regionCode ?? void 0,
-            gpc
-        });
-        return c.json({
-            jurisdiction,
-            location,
-            translations: translationsResult,
-            branding: options.branding || 'c15t',
-            gvl,
-            customVendors,
-            ...options.iab?.cmpId != null && {
-                cmpId: options.iab.cmpId
-            }
-        });
-    });
-    return app;
-};
-function getHeaders(headers) {
-    if (!headers) return {
-        countryCode: null,
-        regionCode: null,
-        acceptLanguage: null
-    };
-    const normalizeHeader = (value)=>{
-        if (!value) return null;
-        return Array.isArray(value) ? value[0] ?? null : value;
-    };
-    const countryCode = normalizeHeader(headers.get('x-c15t-country')) ?? normalizeHeader(headers.get('cf-ipcountry')) ?? normalizeHeader(headers.get('x-vercel-ip-country')) ?? normalizeHeader(headers.get('x-amz-cf-ipcountry')) ?? normalizeHeader(headers.get('x-country-code'));
-    const regionCode = normalizeHeader(headers.get('x-c15t-region')) ?? normalizeHeader(headers.get('x-vercel-ip-country-region')) ?? normalizeHeader(headers.get('x-region-code'));
-    const acceptLanguage = normalizeHeader(headers.get('accept-language'));
-    return {
-        countryCode,
-        regionCode,
-        acceptLanguage
-    };
-}
-const statusHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const { countryCode, regionCode, acceptLanguage } = getHeaders(ctx.headers);
-    const clientInfo = {
-        ip: ctx.ipAddress ?? null,
-        acceptLanguage,
-        userAgent: ctx.userAgent ?? null,
-        region: {
-            countryCode,
-            regionCode
-        }
-    };
-    try {
-        await ctx.db.findFirst('subject', {});
-        return c.json({
-            version: version_version,
-            timestamp: new Date(),
-            client: clientInfo
-        });
-    } catch (error) {
-        ctx.logger.error('Database health check failed', {
-            error
-        });
-        throw new HTTPException(503, {
-            message: 'Database health check failed',
-            cause: {
-                code: 'SERVICE_UNAVAILABLE',
-                error
-            }
-        });
-    }
-};
-const createStatusRoute = ()=>{
-    const app = new Hono();
-    app.get('/', describeRoute({
-        summary: 'Health check and API status',
-        description: `Returns API version, timestamp, and client info (IP, region, user agent).
-
-Use for health checks, load balancer probes, and debugging. Performs a lightweight DB check; returns 503 if the database is unreachable.`,
-        tags: [
-            'Status'
-        ],
-        responses: {
-            200: {
-                description: 'API is healthy (version, timestamp, client info)',
-                content: {
-                    'application/json': {
-                        schema: resolver(statusOutputSchema)
-                    }
-                }
-            },
-            503: {
-                description: 'Service unavailable (e.g. database unreachable)'
-            }
-        }
-    }), statusHandler);
-    return app;
-};
-const getSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /subjects/:id request');
-    const { db, registry } = ctx;
-    const subjectId = c.req.param('id');
-    const type = c.req.query('type');
-    const typeFilter = type?.split(',').map((t)=>t.trim()) || [];
-    logger.debug('Request parameters', {
-        subjectId,
-        typeFilter
-    });
-    try {
-        const subject = await db.findFirst('subject', {
-            where: (b)=>b('id', '=', subjectId)
-        });
-        if (!subject) throw new HTTPException(404, {
-            message: 'Subject not found',
-            cause: {
-                code: 'SUBJECT_NOT_FOUND',
-                subjectId
-            }
-        });
-        const consents = await db.findMany('consent', {
-            where: (b)=>b('subjectId', '=', subjectId)
-        });
-        const consentItems = await enrichConsents(consents, {
-            db,
-            registry
-        });
-        const filteredConsents = typeFilter.length > 0 ? consentItems.filter((consent)=>typeFilter.includes(consent.type)) : consentItems;
-        const isValid = 0 === typeFilter.length || typeFilter.every((t)=>filteredConsents.some((consent)=>consent.type === t && consent.isLatestPolicy));
-        return c.json({
-            subject: {
-                id: subject.id,
-                externalId: subject.externalId ?? void 0,
-                createdAt: subject.createdAt
-            },
-            consents: filteredConsents,
-            isValid
-        });
-    } catch (error) {
-        logger.error('Error in GET /subjects/:id handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const listSubjectsHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /subjects request');
-    const { db, registry } = ctx;
-    if (!ctx.apiKeyAuthenticated) throw new HTTPException(401, {
-        message: 'API key required. Use Authorization: Bearer <api_key>',
-        cause: {
-            code: 'UNAUTHORIZED'
-        }
-    });
-    const externalId = c.req.query('externalId');
-    if (!externalId) throw new HTTPException(422, {
-        message: 'externalId query parameter is required',
-        cause: {
-            code: 'EXTERNAL_ID_REQUIRED'
-        }
-    });
-    logger.debug('Request parameters', {
-        externalId
-    });
-    try {
-        const subjects = await db.findMany('subject', {
-            where: (b)=>b('externalId', '=', externalId)
-        });
-        const subjectItems = await Promise.all(subjects.map(async (subject)=>{
-            const consents = await db.findMany('consent', {
-                where: (b)=>b('subjectId', '=', subject.id)
-            });
-            const consentItems = await enrichConsents(consents, {
-                db,
-                registry
-            });
-            return {
-                id: subject.id,
-                externalId: subject.externalId ?? externalId,
-                createdAt: subject.createdAt,
-                consents: consentItems
-            };
-        }));
-        logger.info('Found subjects for externalId', {
-            externalId,
-            count: subjectItems.length
-        });
-        return c.json({
-            subjects: subjectItems
-        });
-    } catch (error) {
-        logger.error('Error in GET /subjects handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const prefixes = {
-    auditLog: 'log',
-    consent: 'cns',
-    consentPolicy: 'pol',
-    consentPurpose: 'pur',
-    domain: 'dom',
-    subject: 'sub'
-};
-const b58 = base_x('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
-function generateId(model) {
-    const buf = crypto.getRandomValues(new Uint8Array(20));
-    const prefix = prefixes[model];
-    const EPOCH_TIMESTAMP = 1700000000000;
-    const t = Date.now() - EPOCH_TIMESTAMP;
-    const high = Math.floor(t / 0x100000000);
-    const low = t >>> 0;
-    buf[0] = high >>> 24 & 255;
-    buf[1] = high >>> 16 & 255;
-    buf[2] = high >>> 8 & 255;
-    buf[3] = 255 & high;
-    buf[4] = low >>> 24 & 255;
-    buf[5] = low >>> 16 & 255;
-    buf[6] = low >>> 8 & 255;
-    buf[7] = 255 & low;
-    return `${prefix}_${b58.encode(buf)}`;
-}
-async function generateUniqueId(db, model, ctx, options = {}) {
-    const { maxRetries = 10, attempt = 0, baseDelay = 5 } = options;
-    if (attempt >= maxRetries) {
-        const error = new Error(`Failed to generate unique ID for ${model} after ${maxRetries} attempts`);
-        ctx?.logger?.error?.('ID generation failed', {
-            model,
-            maxRetries
-        });
-        throw error;
-    }
-    const id = generateId(model);
-    try {
-        const existing = await db.findFirst(model, {
-            where: (b)=>b('id', '=', id)
-        });
-        if (existing) {
-            ctx?.logger?.debug?.('ID conflict detected', {
-                id,
-                model,
-                attempt: attempt + 1,
-                maxRetries
-            });
-            const delay = Math.min(baseDelay * 2 ** attempt, 1000);
-            await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
-                maxRetries,
-                attempt: attempt + 1,
-                baseDelay
-            });
-        }
-        return id;
-    } catch (error) {
-        ctx?.logger?.error?.('Error checking ID uniqueness', {
-            error: error.message,
-            model,
-            attempt
-        });
-        if (attempt < maxRetries - 1) {
-            const delay = Math.min(baseDelay * 2 ** attempt, 2000);
-            await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
-                maxRetries,
-                attempt: attempt + 1,
-                baseDelay
-            });
-        }
-        throw error;
-    }
-}
-const patchSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling PATCH /subjects/:id request');
-    const { db } = ctx;
-    const subjectId = c.req.param('id');
-    const body = await c.req.json();
-    const { externalId, identityProvider = 'external' } = body;
-    logger.debug('Request parameters', {
-        subjectId,
-        externalId,
-        identityProvider
-    });
-    try {
-        const subject = await db.findFirst('subject', {
-            where: (b)=>b('id', '=', subjectId)
-        });
-        if (!subject) throw new HTTPException(404, {
-            message: 'Subject not found',
-            cause: {
-                code: 'SUBJECT_NOT_FOUND',
-                subjectId
-            }
-        });
-        await db.transaction(async (tx)=>{
-            await tx.updateMany('subject', {
-                where: (b)=>b('id', '=', subjectId),
-                set: {
-                    externalId,
-                    identityProvider,
-                    updatedAt: new Date()
-                }
-            });
-            await tx.create('auditLog', {
-                id: await generateUniqueId(tx, 'auditLog', ctx),
-                subjectId,
-                entityType: 'subject',
-                entityId: subjectId,
-                actionType: 'identify_user',
-                ipAddress: ctx.ipAddress || null,
-                userAgent: ctx.userAgent || null,
-                changes: {
-                    externalId: {
-                        from: subject.externalId,
-                        to: externalId
-                    },
-                    identityProvider: {
-                        from: subject.identityProvider,
-                        to: identityProvider
-                    }
-                },
-                metadata: {
-                    externalId,
-                    identityProvider
-                }
-            });
-        });
-        logger.info('Subject linked to external ID', {
-            subjectId,
-            externalId,
-            identityProvider
-        });
-        getMetrics()?.recordSubjectLinked(identityProvider);
-        return c.json({
-            success: true,
-            subject: {
-                id: subjectId,
-                externalId
-            }
-        });
-    } catch (error) {
-        logger.error('Error in PATCH /subjects/:id handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const postSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling POST /subjects request');
-    const { db, registry } = ctx;
-    const input = await c.req.json();
-    const { type, subjectId, identityProvider, externalSubjectId, domain, metadata, givenAt: givenAtEpoch } = input;
-    const preferences = 'preferences' in input ? input.preferences : void 0;
-    const givenAt = new Date(givenAtEpoch);
-    const rawConsentAction = 'consentAction' in input ? input.consentAction : void 0;
-    let derivedConsentAction;
-    if ('all' === rawConsentAction) derivedConsentAction = 'accept_all';
-    else if ('necessary' === rawConsentAction) derivedConsentAction = 'opt-out' === input.jurisdictionModel ? 'opt_out' : 'reject_all';
-    else if ('custom' === rawConsentAction) derivedConsentAction = 'custom';
-    logger.debug('Request parameters', {
-        type,
-        subjectId,
-        identityProvider,
-        externalSubjectId,
-        domain
-    });
-    try {
-        const subject = await registry.findOrCreateSubject({
-            subjectId,
-            externalSubjectId,
-            identityProvider,
-            ipAddress: ctx.ipAddress
-        });
-        if (!subject) throw new HTTPException(500, {
-            message: 'Failed to create subject',
-            cause: {
-                code: 'SUBJECT_CREATION_FAILED',
-                subjectId
-            }
-        });
-        logger.debug('Subject found/created', {
-            subjectId: subject.id
-        });
-        const domainRecord = await registry.findOrCreateDomain(domain);
-        if (!domainRecord) throw new HTTPException(500, {
-            message: 'Failed to create domain',
-            cause: {
-                code: 'DOMAIN_CREATION_FAILED',
-                domain
-            }
-        });
-        let policyId;
-        let purposeIds = [];
-        const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
-        if (inputPolicyId) {
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
-        } else {
-            const policy = await registry.findOrCreatePolicy(type);
-            if (!policy) throw new HTTPException(500, {
-                message: 'Failed to create policy',
-                cause: {
-                    code: 'POLICY_CREATION_FAILED',
-                    type
-                }
-            });
-            policyId = policy.id;
-        }
-        if (preferences) {
-            const consentedPurposes = Object.entries(preferences).filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
-            logger.debug('Consented purposes', {
-                consentedPurposes
-            });
-            const purposesRaw = await Promise.all(consentedPurposes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
-            const purposes = purposesRaw.map((purpose)=>purpose?.id ?? null).filter((id)=>Boolean(id));
-            logger.debug('Filtered purposes', {
-                purposes
-            });
-            if (0 === purposes.length) logger.warn('No valid purpose IDs found after filtering. Using empty list.', {
-                consentedPurposes
-            });
-            purposeIds = purposes;
-        }
-        const existingConsent = await db.findFirst('consent', {
-            where: (b)=>b.and(b('subjectId', '=', subject.id), b('domainId', '=', domainRecord.id), b('policyId', '=', policyId), b('givenAt', '=', givenAt))
-        });
-        if (existingConsent) {
-            logger.debug('Duplicate consent detected, returning existing record', {
-                consentId: existingConsent.id
-            });
-            return c.json({
-                subjectId: subject.id,
-                consentId: existingConsent.id,
-                domainId: domainRecord.id,
-                domain: domainRecord.name,
-                type,
-                metadata,
-                uiSource: input.uiSource,
-                givenAt: existingConsent.givenAt
-            });
-        }
-        const result = await db.transaction(async (tx)=>{
-            logger.debug('Creating consent record', {
-                subjectId: subject.id,
-                domainId: domainRecord.id,
-                policyId,
-                purposeIds
-            });
-            const consentRecord = await tx.create('consent', {
-                id: await generateUniqueId(tx, 'consent', ctx),
-                subjectId: subject.id,
-                domainId: domainRecord.id,
-                policyId,
-                purposeIds: {
-                    json: purposeIds
-                },
-                metadata: metadata ? {
-                    json: metadata
-                } : void 0,
-                ipAddress: ctx.ipAddress,
-                userAgent: ctx.userAgent,
-                jurisdiction: input.jurisdiction,
-                jurisdictionModel: input.jurisdictionModel,
-                tcString: input.tcString,
-                uiSource: input.uiSource,
-                consentAction: derivedConsentAction,
-                givenAt
-            });
-            logger.debug('Created consent', {
-                consentRecord: consentRecord.id
-            });
-            if (!consentRecord) throw new HTTPException(500, {
-                message: 'Failed to create consent',
-                cause: {
-                    code: 'CONSENT_CREATION_FAILED',
-                    subjectId: subject.id,
-                    domain
-                }
-            });
-            return {
-                consent: consentRecord
-            };
-        });
-        const metrics = getMetrics();
-        if (metrics) {
-            const jurisdiction = input.jurisdiction;
-            metrics.recordConsentCreated({
-                type,
-                jurisdiction
-            });
-            const hasAccepted = preferences && Object.values(preferences).some(Boolean);
-            if (hasAccepted) metrics.recordConsentAccepted({
-                type,
-                jurisdiction
-            });
-            else metrics.recordConsentRejected({
-                type,
-                jurisdiction
-            });
-        }
-        return c.json({
-            subjectId: subject.id,
-            consentId: result.consent.id,
-            domainId: domainRecord.id,
-            domain: domainRecord.name,
-            type,
-            metadata,
-            uiSource: input.uiSource,
-            givenAt: result.consent.givenAt
-        });
-    } catch (error) {
-        logger.error('Error in POST /subjects handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const createSubjectRoutes = ()=>{
-    const app = new Hono();
-    app.get('/:id', describeRoute({
-        summary: 'Get subject consent status',
-        description: `Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.
-
-**Query:** \`type\` – Filter by consent type(s), comma-separated (e.g. \`privacy_policy,cookie_banner\`).
-
-**Response:** \`subject\`, \`consents\` (matching filter), \`isValid\` (valid consent for requested type(s)).`,
-        tags: [
-            'Subject',
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Subject and consent records for the requested type(s)',
-                content: {
-                    'application/json': {
-                        schema: resolver(getSubjectOutputSchema)
-                    }
-                }
-            },
-            404: {
-                description: 'Subject not found for the given ID'
-            }
-        }
-    }), validator('param', getSubjectInputSchema), getSubjectHandler);
-    app.post('/', describeRoute({
-        summary: 'Record consent for a subject',
-        description: `Creates a new consent record (append-only). Creates the subject if it does not exist.
-
-**Request body by \`type\`:**
-- \`cookie_banner\` – Requires \`preferences\` object
-- \`privacy_policy\`, \`dpa\`, \`terms_and_conditions\` – Optional \`policyId\`
-- \`marketing_communications\`, \`age_verification\`, \`other\` – Optional \`preferences\``,
-        tags: [
-            'Subject',
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Consent recorded; subject and consent in response',
-                content: {
-                    'application/json': {
-                        schema: resolver(postSubjectOutputSchema)
-                    }
-                }
-            },
-            422: {
-                description: 'Invalid request body (schema or validation failed)'
-            }
-        }
-    }), validator('json', postSubjectInputSchema), postSubjectHandler);
-    app.patch('/:id', describeRoute({
-        summary: 'Link external ID to subject',
-        description: 'Associates an external user ID with an existing subject (e.g. after login). Enables cross-device consent sync.',
-        tags: [
-            'Subject'
-        ],
-        responses: {
-            200: {
-                description: 'Subject updated with external ID',
-                content: {
-                    'application/json': {
-                        schema: resolver(patchSubjectOutputSchema)
-                    }
-                }
-            },
-            404: {
-                description: 'Subject not found for the given ID'
-            }
-        }
-    }), validator('param', object({
-        id: subjectIdSchema
-    })), validator('json', object({
-        externalId: string(),
-        identityProvider: optional(string())
-    })), patchSubjectHandler);
-    app.get('/', describeRoute({
-        summary: 'List subjects by external ID (API key required)',
-        description: 'Returns all subjects linked to the given external ID. Requires Bearer token (API key). Use for server-side consent lookups.',
-        tags: [
-            'Subject'
-        ],
-        security: [
-            {
-                bearerAuth: []
-            }
-        ],
-        responses: {
-            200: {
-                description: 'List of subjects for the external ID',
-                content: {
-                    'application/json': {
-                        schema: resolver(listSubjectsOutputSchema)
-                    }
-                }
-            },
-            401: {
-                description: 'Missing or invalid API key'
-            }
-        }
-    }), validator('query', listSubjectsQuerySchema), listSubjectsHandler);
-    return app;
-};
-export { createConsentRoutes, createInitRoute, createStatusRoute, createSubjectRoutes };
+export { createConsentRoutes, createInitRoute, createStatusRoute, createSubjectRoutes } from "./364.js";