@c15t/backend 2.0.0-rc.4 → 2.0.0-rc.6

package/dist/core.js

@@ -1,17 +1,17 @@
 import { createLogger as logger_createLogger } from "@c15t/logger";
-import { SpanKind, SpanStatusCode as api_SpanStatusCode, context as api_context, metrics as api_metrics, trace } from "@opentelemetry/api";
+import { SpanStatusCode } from "@opentelemetry/api";
 import { apiReference } from "@scalar/hono-api-reference";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { HTTPException } from "hono/http-exception";
-import { describeRoute, openAPIRouteHandler, resolver, validator } from "hono-openapi";
+import { openAPIRouteHandler } from "hono-openapi";
 import base_x from "base-x";
-import { fumadb } from "fumadb";
-import { column, idColumn, schema, table as schema_table } from "fumadb/schema";
-import { checkConsentOutputSchema, checkConsentQuerySchema, getSubjectInputSchema, getSubjectOutputSchema, initOutputSchema, listSubjectsOutputSchema, listSubjectsQuerySchema, patchSubjectOutputSchema, postSubjectInputSchema, postSubjectOutputSchema, statusOutputSchema, subjectIdSchema } from "@c15t/schema";
-import { deepMergeTranslations, selectLanguage } from "@c15t/translations";
-import { baseTranslations } from "@c15t/translations/all";
-import { object, optional, string } from "valibot";
+import { compactDefined, dedupeTrimmedStrings, policyPackPresets } from "@c15t/schema";
+import { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, policyMatchers } from "@c15t/schema/types";
+import { version as version_version, extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
+import { validateMessages, inspectPolicies as policy_inspectPolicies } from "./583.js";
+import { DB } from "./db/schema.js";
+import { createStatusRoute, createInitRoute, createConsentRoutes, createSubjectRoutes } from "./364.js";
 function extractBearerToken(authHeader) {
     if (!authHeader) return null;
     const parts = authHeader.split(' ');
@@ -137,8 +137,7 @@ function createCORSOptions(trustedOrigins) {
         ]
     };
 }
-const version_version = '2.0.0-rc.4';
-const config_createOpenAPIConfig = (options)=>({
+const createOpenAPIConfig = (options)=>({
         enabled: options.openapi?.enabled !== false,
         specPath: '/spec.json',
         docsPath: '/docs',
@@ -253,328 +252,13 @@ function getIpAddress(req, options) {
     }
     return null;
 }
-function extractErrorMessage(error) {
-    if (error instanceof AggregateError && error.errors?.length > 0) {
-        const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
-        return `AggregateError: ${inner}`;
-    }
-    if (error instanceof Error) return error.message || error.name;
-    return String(error);
-}
-let cachedConfig = null;
-let cachedDefaultAttributes = {};
-function createTelemetryOptions(appName = 'c15t', telemetryConfig, tenantId) {
-    const defaultAttributes = {
-        ...telemetryConfig?.defaultAttributes || {},
-        'service.name': String(appName),
-        'service.version': version_version
-    };
-    if (tenantId) defaultAttributes['tenant.id'] = tenantId;
-    const config = {
-        enabled: telemetryConfig?.enabled ?? false,
-        tracer: telemetryConfig?.tracer,
-        meter: telemetryConfig?.meter,
-        defaultAttributes
-    };
-    cachedConfig = config;
-    cachedDefaultAttributes = defaultAttributes;
-    return config;
-}
-function isTelemetryEnabled(options) {
-    if (options) return options.telemetry?.enabled === true;
-    return cachedConfig?.enabled === true;
-}
-const getTracer = (options)=>{
-    if (!isTelemetryEnabled(options)) return trace.getTracer('c15t-noop');
-    const tracer = options?.telemetry?.tracer ?? cachedConfig?.tracer;
-    if (tracer) return tracer;
-    return trace.getTracer(options?.appName ?? 'c15t');
-};
-const getMeter = (options)=>{
-    if (!isTelemetryEnabled(options)) return api_metrics.getMeter('c15t-noop');
-    const meter = options?.telemetry?.meter ?? cachedConfig?.meter;
-    if (meter) return meter;
-    return api_metrics.getMeter(options?.appName ?? 'c15t');
-};
-function getDefaultAttributes() {
-    return cachedDefaultAttributes;
-}
-const createRequestSpan = (method, path, options)=>{
-    if (!isTelemetryEnabled(options)) return null;
-    const tracer = getTracer(options);
-    const defaultAttrs = options?.telemetry?.defaultAttributes || getDefaultAttributes();
-    const span = tracer.startSpan(`${method} ${path}`, {
-        attributes: {
-            'http.method': method,
-            ...defaultAttrs
-        }
-    });
-    return span;
-};
-const handleSpanError = (span, error)=>{
-    span.setStatus({
-        code: api_SpanStatusCode.ERROR,
-        message: extractErrorMessage(error)
-    });
-    if (error instanceof Error) span.setAttribute('error.type', error.name);
-};
-function create_telemetry_options_getTraceContext() {
-    const activeSpan = trace.getActiveSpan();
-    if (!activeSpan) return null;
-    const spanContext = activeSpan.spanContext();
-    if (!spanContext) return null;
-    return {
-        traceId: spanContext.traceId,
-        spanId: spanContext.spanId
-    };
-}
-const withSpanContext = async (span, operation)=>api_context["with"](trace.setSpan(api_context.active(), span), operation);
-async function executeWithSpan(span, operation) {
-    try {
-        const result = await withSpanContext(span, operation);
-        span.setStatus({
-            code: api_SpanStatusCode.OK
-        });
-        return result;
-    } catch (error) {
-        handleSpanError(span, error);
-        throw error;
-    } finally{
-        span.end();
-    }
-}
-function resolveDefaultAttributes(options) {
-    return options?.telemetry?.defaultAttributes || getDefaultAttributes();
-}
-async function withDatabaseSpan(attributes, operation, options) {
-    if (!isTelemetryEnabled(options)) return operation();
-    const tracer = getTracer(options);
-    const spanName = `db.${attributes.entity}.${attributes.operation}`;
-    const span = tracer.startSpan(spanName, {
-        kind: SpanKind.CLIENT,
-        attributes: {
-            'db.system': 'c15t',
-            'db.operation': attributes.operation,
-            'db.entity': attributes.entity,
-            ...resolveDefaultAttributes(options),
-            ...Object.fromEntries(Object.entries(attributes).filter(([key])=>![
-                    'operation',
-                    'entity'
-                ].includes(key)))
-        }
-    });
-    return executeWithSpan(span, operation);
-}
-async function withExternalSpan(attributes, operation, options) {
-    if (!isTelemetryEnabled(options)) return operation();
-    const tracer = getTracer(options);
-    const url = new URL(attributes.url);
-    const spanName = `HTTP ${attributes.method} ${url.hostname}`;
-    const span = tracer.startSpan(spanName, {
-        kind: SpanKind.CLIENT,
-        attributes: {
-            'http.method': attributes.method,
-            'http.url': `${url.origin}${url.pathname}`,
-            'http.host': url.hostname,
-            ...resolveDefaultAttributes(options),
-            ...Object.fromEntries(Object.entries(attributes).filter(([key])=>![
-                    'url',
-                    'method'
-                ].includes(key)))
-        }
-    });
-    return executeWithSpan(span, operation);
-}
-async function withCacheSpan(operation, layer, fn, options) {
-    if (!isTelemetryEnabled(options)) return fn();
-    const tracer = getTracer(options);
-    const spanName = `cache.${layer}.${operation}`;
-    const span = tracer.startSpan(spanName, {
-        kind: SpanKind.CLIENT,
-        attributes: {
-            'cache.operation': operation,
-            'cache.layer': layer,
-            ...resolveDefaultAttributes(options)
-        }
-    });
-    return executeWithSpan(span, fn);
-}
-function sanitizeAttributes(attrs) {
-    return Object.fromEntries(Object.entries(attrs).filter(([_, v])=>null != v));
-}
-function createMetrics(meter) {
-    const consentCreated = meter.createCounter('c15t.consent.created', {
-        description: 'Number of consent submissions',
-        unit: '1'
-    });
-    const consentAccepted = meter.createCounter('c15t.consent.accepted', {
-        description: 'Number of consents accepted',
-        unit: '1'
-    });
-    const consentRejected = meter.createCounter('c15t.consent.rejected', {
-        description: 'Number of consents rejected',
-        unit: '1'
-    });
-    const subjectCreated = meter.createCounter('c15t.subject.created', {
-        description: 'Number of new subjects created',
-        unit: '1'
-    });
-    const subjectLinked = meter.createCounter('c15t.subject.linked', {
-        description: 'Number of subjects linked to external ID',
-        unit: '1'
-    });
-    const consentCheckCount = meter.createCounter('c15t.consent_check.count', {
-        description: 'Number of cross-device consent checks',
-        unit: '1'
-    });
-    const initCount = meter.createCounter('c15t.init.count', {
-        description: 'Number of init endpoint calls',
-        unit: '1'
-    });
-    const httpRequestDuration = meter.createHistogram('c15t.http.request.duration', {
-        description: 'HTTP request latency',
-        unit: 'ms'
-    });
-    const httpRequestCount = meter.createCounter('c15t.http.request.count', {
-        description: 'Number of HTTP requests',
-        unit: '1'
-    });
-    const httpErrorCount = meter.createCounter('c15t.http.error.count', {
-        description: 'Number of HTTP errors',
-        unit: '1'
-    });
-    const dbQueryDuration = meter.createHistogram('c15t.db.query.duration', {
-        description: 'Database query latency',
-        unit: 'ms'
-    });
-    const dbQueryCount = meter.createCounter('c15t.db.query.count', {
-        description: 'Number of database queries',
-        unit: '1'
-    });
-    const dbErrorCount = meter.createCounter('c15t.db.error.count', {
-        description: 'Number of database errors',
-        unit: '1'
-    });
-    const cacheHit = meter.createCounter('c15t.cache.hit', {
-        description: 'Number of cache hits',
-        unit: '1'
-    });
-    const cacheMiss = meter.createCounter('c15t.cache.miss', {
-        description: 'Number of cache misses',
-        unit: '1'
-    });
-    const cacheLatency = meter.createHistogram('c15t.cache.latency', {
-        description: 'Cache operation latency',
-        unit: 'ms'
-    });
-    const gvlFetchDuration = meter.createHistogram('c15t.gvl.fetch.duration', {
-        description: 'GVL fetch latency',
-        unit: 'ms'
-    });
-    const gvlFetchCount = meter.createCounter('c15t.gvl.fetch.count', {
-        description: 'Number of GVL fetches',
-        unit: '1'
-    });
-    const gvlFetchError = meter.createCounter('c15t.gvl.fetch.error', {
-        description: 'Number of GVL fetch errors',
-        unit: '1'
-    });
-    return {
-        consentCreated,
-        consentAccepted,
-        consentRejected,
-        subjectCreated,
-        subjectLinked,
-        consentCheckCount,
-        initCount,
-        httpRequestDuration,
-        httpRequestCount,
-        httpErrorCount,
-        dbQueryDuration,
-        dbQueryCount,
-        dbErrorCount,
-        cacheHit,
-        cacheMiss,
-        cacheLatency,
-        gvlFetchDuration,
-        gvlFetchCount,
-        gvlFetchError,
-        recordConsentCreated (attributes) {
-            consentCreated.add(1, sanitizeAttributes(attributes));
-        },
-        recordConsentAccepted (attributes) {
-            consentAccepted.add(1, sanitizeAttributes(attributes));
-        },
-        recordConsentRejected (attributes) {
-            consentRejected.add(1, sanitizeAttributes(attributes));
-        },
-        recordSubjectCreated (attributes) {
-            subjectCreated.add(1, sanitizeAttributes(attributes));
-        },
-        recordSubjectLinked (identityProvider) {
-            subjectLinked.add(1, {
-                identityProvider: identityProvider || 'unknown'
-            });
-        },
-        recordConsentCheck (type, found) {
-            consentCheckCount.add(1, {
-                type,
-                found: String(found)
-            });
-        },
-        recordInit (attributes) {
-            initCount.add(1, sanitizeAttributes(attributes));
-        },
-        recordHttpRequest (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            httpRequestCount.add(1, attrs);
-            httpRequestDuration.record(durationMs, attrs);
-            if (attributes.status >= 400) httpErrorCount.add(1, attrs);
-        },
-        recordDbQuery (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            dbQueryCount.add(1, attrs);
-            dbQueryDuration.record(durationMs, attrs);
-        },
-        recordDbError (attributes) {
-            dbErrorCount.add(1, sanitizeAttributes(attributes));
-        },
-        recordCacheHit (layer) {
-            cacheHit.add(1, {
-                layer
-            });
-        },
-        recordCacheMiss (layer) {
-            cacheMiss.add(1, {
-                layer
-            });
-        },
-        recordCacheLatency (attributes, durationMs) {
-            cacheLatency.record(durationMs, sanitizeAttributes(attributes));
-        },
-        recordGvlFetch (attributes, durationMs) {
-            const attrs = sanitizeAttributes(attributes);
-            gvlFetchCount.add(1, attrs);
-            gvlFetchDuration.record(durationMs, attrs);
-        },
-        recordGvlError (attributes) {
-            gvlFetchError.add(1, sanitizeAttributes(attributes));
-        }
-    };
-}
-let metricsInstance = null;
-function getMetrics(options) {
-    if (metricsInstance) return metricsInstance;
-    if (!isTelemetryEnabled(options)) return null;
-    metricsInstance = createMetrics(getMeter(options));
-    return metricsInstance;
-}
 const prefixes = {
     auditLog: 'log',
     consent: 'cns',
     consentPolicy: 'pol',
     consentPurpose: 'pur',
     domain: 'dom',
+    runtimePolicyDecision: 'rpd',
     subject: 'sub'
 };
 const b58 = base_x('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
@@ -846,6 +530,54 @@ function domainRegistry({ db, ctx }) {
         }
     };
 }
+function runtimePolicyDecisionRegistry({ db, ctx }) {
+    const { logger } = ctx;
+    return {
+        findOrCreateRuntimePolicyDecision: async (input)=>{
+            const existing = await db.findFirst('runtimePolicyDecision', {
+                where: (b)=>b('dedupeKey', '=', input.dedupeKey)
+            });
+            if (existing) return existing;
+            logger.debug('Creating runtime policy decision', {
+                policyId: input.policyId,
+                fingerprint: input.fingerprint,
+                matchedBy: input.matchedBy
+            });
+            return db.create('runtimePolicyDecision', {
+                id: `rpd_${crypto.randomUUID().replaceAll('-', '')}`,
+                tenantId: input.tenantId,
+                policyId: input.policyId,
+                fingerprint: input.fingerprint,
+                matchedBy: input.matchedBy,
+                countryCode: input.countryCode,
+                regionCode: input.regionCode,
+                jurisdiction: input.jurisdiction,
+                language: input.language,
+                model: input.model,
+                policyI18n: input.policyI18n ? {
+                    json: input.policyI18n
+                } : void 0,
+                uiMode: input.uiMode,
+                bannerUi: input.bannerUi ? {
+                    json: input.bannerUi
+                } : void 0,
+                dialogUi: input.dialogUi ? {
+                    json: input.dialogUi
+                } : void 0,
+                categories: input.categories ? {
+                    json: input.categories
+                } : void 0,
+                preselectedCategories: input.preselectedCategories ? {
+                    json: input.preselectedCategories
+                } : void 0,
+                proofConfig: input.proofConfig ? {
+                    json: input.proofConfig
+                } : void 0,
+                dedupeKey: input.dedupeKey
+            });
+        }
+    };
+}
 function subjectRegistry({ db, ctx }) {
     const { logger } = ctx;
     return {
@@ -923,263 +655,9 @@ const createRegistry = (ctx)=>({
         ...subjectRegistry(ctx),
         ...consentPurposeRegistry(ctx),
         ...policyRegistry(ctx),
-        ...domainRegistry(ctx)
+        ...domainRegistry(ctx),
+        ...runtimePolicyDecisionRegistry(ctx)
     });
-const auditLogTable = schema_table('auditLog', {
-    id: idColumn('id', 'varchar(255)'),
-    entityType: column('entityType', 'string'),
-    entityId: column('entityId', 'string'),
-    actionType: column('actionType', 'string'),
-    subjectId: column('subjectId', 'string').nullable(),
-    ipAddress: column('ipAddress', 'string').nullable(),
-    userAgent: column('userAgent', 'string').nullable(),
-    changes: column('changes', 'json').nullable(),
-    metadata: column('metadata', 'json').nullable(),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    eventTimezone: column('eventTimezone', 'string').defaultTo$(()=>'UTC')
-});
-const consentTable = schema_table('consent', {
-    id: idColumn('id', 'varchar(255)'),
-    subjectId: column('subjectId', 'string'),
-    domainId: column('domainId', 'string'),
-    policyId: column('policyId', 'string').nullable(),
-    purposeIds: column('purposeIds', 'json'),
-    metadata: column('metadata', 'json').nullable(),
-    ipAddress: column('ipAddress', 'string').nullable(),
-    userAgent: column('userAgent', 'string').nullable(),
-    status: column('status', 'string').defaultTo$(()=>'active'),
-    withdrawalReason: column('withdrawalReason', 'string').nullable(),
-    givenAt: column('givenAt', 'timestamp').defaultTo$('now'),
-    validUntil: column('validUntil', 'timestamp').nullable(),
-    isActive: column('isActive', 'bool').defaultTo$(()=>true)
-});
-const consentPolicyTable = schema_table('consentPolicy', {
-    id: idColumn('id', 'varchar(255)'),
-    version: column('version', 'string'),
-    type: column('type', 'string'),
-    name: column('name', 'string'),
-    effectiveDate: column('effectiveDate', 'timestamp'),
-    expirationDate: column('expirationDate', 'timestamp').nullable(),
-    content: column('content', 'string'),
-    contentHash: column('contentHash', 'string'),
-    isActive: column('isActive', 'bool').defaultTo$(()=>true),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now')
-});
-const consentPurposeTable = schema_table('consentPurpose', {
-    id: idColumn('id', 'varchar(255)'),
-    code: column('code', 'string'),
-    name: column('name', 'string'),
-    description: column("description", 'string'),
-    isEssential: column('isEssential', 'bool'),
-    dataCategory: column('dataCategory', 'string').nullable(),
-    legalBasis: column('legalBasis', 'string').nullable(),
-    isActive: column('isActive', 'bool').defaultTo$(()=>true),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now')
-});
-const consentRecordTable = schema_table('consentRecord', {
-    id: idColumn('id', 'varchar(255)'),
-    subjectId: column('subjectId', 'string'),
-    consentId: column('consentId', 'string').nullable(),
-    actionType: column('actionType', 'string'),
-    details: column('details', 'json').nullable(),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now')
-});
-const domainTable = schema_table('domain', {
-    id: idColumn('id', 'varchar(255)'),
-    name: column('name', 'string').unique(),
-    description: column("description", 'string').nullable(),
-    allowedOrigins: column('allowedOrigins', 'json').nullable(),
-    isVerified: column('isVerified', 'bool').defaultTo$(()=>true),
-    isActive: column('isActive', 'bool').defaultTo$(()=>true),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now')
-});
-const subjectTable = schema_table('subject', {
-    id: idColumn('id', 'varchar(255)'),
-    externalId: column('externalId', 'string').nullable(),
-    identityProvider: column('identityProvider', 'string').nullable(),
-    lastIpAddress: column('lastIpAddress', 'string').nullable(),
-    subjectTimezone: column('subjectTimezone', 'string').nullable(),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now')
-});
-const v1 = schema({
-    version: '1.0.0',
-    tables: {
-        subject: subjectTable,
-        domain: domainTable,
-        consentPolicy: consentPolicyTable,
-        consentPurpose: consentPurposeTable,
-        consent: consentTable,
-        auditLog: auditLogTable,
-        consentRecord: consentRecordTable
-    },
-    relations: {
-        subject: ({ many })=>({
-                consents: many('consent'),
-                consentRecords: many('consentRecord'),
-                auditLogs: many('auditLog')
-            }),
-        domain: ({ many })=>({
-                consents: many('consent')
-            }),
-        consentPolicy: ({ many })=>({
-                consents: many('consent')
-            }),
-        consentPurpose: ()=>({}),
-        consent: ({ one, many })=>({
-                subject: one('subject', [
-                    'subjectId',
-                    'id'
-                ]).foreignKey(),
-                domain: one('domain', [
-                    'domainId',
-                    'id'
-                ]).foreignKey(),
-                policy: one('consentPolicy', [
-                    'policyId',
-                    'id'
-                ]).foreignKey(),
-                consentRecords: many('consentRecord')
-            }),
-        consentRecord: ({ one })=>({
-                subject: one('subject', [
-                    'subjectId',
-                    'id'
-                ]).foreignKey(),
-                consent: one('consent', [
-                    'consentId',
-                    'id'
-                ]).foreignKey()
-            }),
-        auditLog: ({ one })=>({
-                subject: one('subject', [
-                    'subjectId',
-                    'id'
-                ]).foreignKey()
-            })
-    }
-});
-const audit_log_auditLogTable = schema_table('auditLog', {
-    id: idColumn('id', 'varchar(255)'),
-    entityType: column('entityType', 'string'),
-    entityId: column('entityId', 'string'),
-    actionType: column('actionType', 'string'),
-    subjectId: column('subjectId', 'string').nullable(),
-    ipAddress: column('ipAddress', 'string').nullable(),
-    userAgent: column('userAgent', 'string').nullable(),
-    changes: column('changes', 'json').nullable(),
-    metadata: column('metadata', 'json').nullable(),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const consent_consentTable = schema_table('consent', {
-    id: idColumn('id', 'varchar(255)'),
-    subjectId: column('subjectId', 'string'),
-    domainId: column('domainId', 'string'),
-    policyId: column('policyId', 'string').nullable(),
-    purposeIds: column('purposeIds', 'json'),
-    metadata: column('metadata', 'json').nullable(),
-    ipAddress: column('ipAddress', 'string').nullable(),
-    userAgent: column('userAgent', 'string').nullable(),
-    givenAt: column('givenAt', 'timestamp').defaultTo$('now'),
-    validUntil: column('validUntil', 'timestamp').nullable(),
-    jurisdiction: column('jurisdiction', 'string').nullable(),
-    jurisdictionModel: column('jurisdictionModel', 'string').nullable(),
-    tcString: column('tcString', 'string').nullable(),
-    uiSource: column('uiSource', 'string').nullable(),
-    consentAction: column('consentAction', 'string').nullable(),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const consent_policy_consentPolicyTable = schema_table('consentPolicy', {
-    id: idColumn('id', 'varchar(255)'),
-    version: column('version', 'string'),
-    type: column('type', 'string'),
-    effectiveDate: column('effectiveDate', 'timestamp'),
-    isActive: column('isActive', 'bool').defaultTo$(()=>true),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const consent_purpose_consentPurposeTable = schema_table('consentPurpose', {
-    id: idColumn('id', 'varchar(255)'),
-    code: column('code', 'string'),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now'),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const domain_domainTable = schema_table('domain', {
-    id: idColumn('id', 'varchar(255)'),
-    name: column('name', 'string'),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now'),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const subject_subjectTable = schema_table('subject', {
-    id: idColumn('id', 'varchar(255)'),
-    externalId: column('externalId', 'string').nullable(),
-    identityProvider: column('identityProvider', 'string').nullable(),
-    createdAt: column('createdAt', 'timestamp').defaultTo$('now'),
-    updatedAt: column('updatedAt', 'timestamp').defaultTo$('now'),
-    tenantId: column('tenantId', 'string').nullable()
-});
-const v2 = schema({
-    version: '2.0.0',
-    tables: {
-        subject: subject_subjectTable,
-        domain: domain_domainTable,
-        consentPolicy: consent_policy_consentPolicyTable,
-        consentPurpose: consent_purpose_consentPurposeTable,
-        consent: consent_consentTable,
-        auditLog: audit_log_auditLogTable
-    },
-    relations: {
-        subject: ({ many })=>({
-                consents: many('consent'),
-                auditLogs: many('auditLog')
-            }),
-        domain: ({ many })=>({
-                consents: many('consent')
-            }),
-        consentPolicy: ({ many })=>({
-                consents: many('consent')
-            }),
-        consentPurpose: ()=>({}),
-        consent: ({ one })=>({
-                subject: one('subject', [
-                    'subjectId',
-                    'id'
-                ]).foreignKey(),
-                domain: one('domain', [
-                    'domainId',
-                    'id'
-                ]).foreignKey(),
-                policy: one('consentPolicy', [
-                    'policyId',
-                    'id'
-                ]).foreignKey()
-            }),
-        auditLog: ({ one })=>({
-                subject: one('subject', [
-                    'subjectId',
-                    'id'
-                ]).foreignKey()
-            })
-    }
-});
-const DB = fumadb({
-    namespace: 'c15t',
-    schemas: [
-        v1,
-        v2
-    ]
-});
-fumadb({
-    namespace: 'c15t',
-    schemas: [
-        v2
-    ]
-});
 const SCOPED_METHODS = new Set([
     'create',
     'createMany',
@@ -1269,6 +747,18 @@ const init = (options)=>{
     const rawOrm = client.orm('2.0.0');
     const orm = options.tenantId ? withTenantScope(rawOrm, options.tenantId) : rawOrm;
     const { ipAddress: _ipAddressConfig, ...baseOptions } = options;
+    const i18nValidation = validateMessages({
+        i18n: options.i18n,
+        customTranslations: options.customTranslations,
+        policies: options.policyPacks
+    });
+    for (const warning of i18nValidation.warnings)logger.warn(`i18n: ${warning}`);
+    if (i18nValidation.errors.length > 0) throw new Error(`Invalid i18n configuration:\n${i18nValidation.errors.map((error)=>`- ${error}`).join('\n')}`);
+    const policyValidation = policy_inspectPolicies(options.policyPacks ?? [], {
+        iabEnabled: options.iab?.enabled === true
+    });
+    for (const warning of policyValidation.warnings)logger.warn(`policyPacks: ${warning}`);
+    if (policyValidation.errors.length > 0) throw new Error(policyValidation.errors[0]);
     const context = {
         ...baseOptions,
         appName,
@@ -1283,1252 +773,91 @@ const init = (options)=>{
     };
     return context;
 };
-function parsePurposeIds(purposeIds) {
-    if (null == purposeIds) return [];
-    const ids = 'object' == typeof purposeIds && 'json' in purposeIds ? purposeIds.json : purposeIds;
-    return Array.isArray(ids) ? ids : [];
-}
-async function batchLoadPolicies(policyIds, ctx) {
-    const { db, registry } = ctx;
-    const policyMap = new Map();
-    if (policyIds.size > 0) {
-        const policies = await db.findMany('consentPolicy', {
-            where: (b)=>b('id', 'in', [
-                    ...policyIds
-                ])
-        });
-        for (const p of policies)policyMap.set(p.id, p);
-    }
-    const uniqueTypes = new Set();
-    for (const p of policyMap.values())uniqueTypes.add(p.type);
-    const latestPolicyByType = new Map();
-    for (const type of uniqueTypes){
-        const latest = await registry.findOrCreatePolicy(type);
-        if (latest) latestPolicyByType.set(type, latest.id);
-    }
-    return {
-        policyMap,
-        latestPolicyByType
-    };
-}
-async function enrichConsents(consents, ctx) {
-    if (0 === consents.length) return [];
-    const policyIds = new Set();
-    for (const c of consents)if (c.policyId) policyIds.add(c.policyId);
-    const { policyMap, latestPolicyByType } = await batchLoadPolicies(policyIds, ctx);
-    const allPurposeIds = new Set();
-    for (const c of consents)for (const id of parsePurposeIds(c.purposeIds))allPurposeIds.add(id);
-    const purposeMap = new Map();
-    if (allPurposeIds.size > 0) {
-        const purposes = await ctx.db.findMany('consentPurpose', {
-            where: (b)=>b('id', 'in', [
-                    ...allPurposeIds
-                ])
-        });
-        for (const p of purposes)purposeMap.set(p.id, p.code);
-    }
-    return consents.map((consent)=>{
-        let policyType = 'unknown';
-        let isLatestPolicy = false;
-        if (consent.policyId) {
-            const policy = policyMap.get(consent.policyId);
-            if (policy) {
-                policyType = policy.type;
-                isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
-            }
-        }
-        let preferences;
-        const ids = parsePurposeIds(consent.purposeIds);
-        if (ids.length > 0) {
-            preferences = {};
-            for (const purposeId of ids){
-                const code = purposeMap.get(purposeId);
-                if (code) preferences[code] = true;
-            }
-        }
-        return {
-            id: consent.id,
-            type: policyType,
-            policyId: consent.policyId ?? void 0,
-            isLatestPolicy,
-            preferences,
-            givenAt: consent.givenAt
-        };
-    });
-}
-async function resolveConsentPolicies(consents, ctx) {
-    if (0 === consents.length) return [];
-    const policyIds = new Set();
-    for (const c of consents)if (c.policyId) policyIds.add(c.policyId);
-    const { policyMap, latestPolicyByType } = await batchLoadPolicies(policyIds, ctx);
-    return consents.map((consent)=>{
-        let policyType = 'unknown';
-        let isLatestPolicy = false;
-        if (consent.policyId) {
-            const policy = policyMap.get(consent.policyId);
-            if (policy) {
-                policyType = policy.type;
-                isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
-            }
-        }
-        return {
-            consentId: consent.id,
-            policyType,
-            policyId: consent.policyId ?? void 0,
-            isLatestPolicy
-        };
-    });
-}
-const checkConsentHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /consents/check request');
-    const { db, registry } = ctx;
-    const externalId = c.req.query('externalId');
-    const type = c.req.query('type');
-    if (!externalId) throw new HTTPException(422, {
-        message: 'externalId query parameter is required',
-        cause: {
-            code: 'EXTERNAL_ID_REQUIRED'
-        }
-    });
-    if (!type) throw new HTTPException(422, {
-        message: 'type query parameter is required',
-        cause: {
-            code: 'TYPE_REQUIRED'
-        }
-    });
-    const types = type.split(',').map((t)=>t.trim());
-    logger.debug('Request parameters', {
-        externalId,
-        types
-    });
-    try {
-        const subjects = await db.findMany('subject', {
-            where: (b)=>b('externalId', '=', externalId)
-        });
-        const subjectIds = subjects.map((s)=>s.id);
-        const results = {};
-        for (const t of types)results[t] = {
-            hasConsent: false,
-            isLatestPolicy: false
-        };
-        if (0 === subjectIds.length) {
-            logger.debug('No subjects found for externalId', {
-                externalId
-            });
-            return c.json({
-                results
-            });
-        }
-        const allConsents = await Promise.all(subjectIds.map((subjectId)=>db.findMany('consent', {
-                where: (b)=>b('subjectId', '=', subjectId)
-            })));
-        const consents = allConsents.flat();
-        const policyInfos = await resolveConsentPolicies(consents, {
-            db,
-            registry
-        });
-        for (const info of policyInfos){
-            if (!types.includes(info.policyType)) continue;
-            const entry = results[info.policyType];
-            if (entry) {
-                entry.hasConsent = true;
-                if (info.isLatestPolicy) entry.isLatestPolicy = true;
-            }
-        }
-        logger.debug('Consent check results', {
-            externalId,
-            results
-        });
-        const metrics = getMetrics();
-        if (metrics) for (const [type, result] of Object.entries(results))metrics.recordConsentCheck(type, result.hasConsent);
-        return c.json({
-            results
-        });
-    } catch (error) {
-        logger.error('Error in GET /consents/check handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
+const DEFAULT_FALLBACK_POLICY_INPUT = {
+    id: 'world_no_banner',
+    isDefault: true,
+    model: 'none',
+    uiMode: 'none'
 };
-const createConsentRoutes = ()=>{
-    const app = new Hono();
-    app.get('/check', describeRoute({
-        summary: 'Check consent by external user ID',
-        description: `Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.
-
-**Query parameters:**
-- \`externalId\` – External user ID to check
-- \`type\` – Consent type(s) to check (comma-separated)`,
-        tags: [
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Consent check result per requested type(s)',
-                content: {
-                    'application/json': {
-                        schema: resolver(checkConsentOutputSchema)
-                    }
-                }
-            },
-            422: {
-                description: 'Invalid or missing query parameters'
-            }
-        }
-    }), validator('query', checkConsentQuerySchema), checkConsentHandler);
-    return app;
-};
-const GVL_TTL_MS = 259200000;
-const memory_memoryCache = new Map();
-function createMemoryCacheAdapter() {
-    return {
-        async get (key) {
-            const entry = memory_memoryCache.get(key);
-            if (!entry) return null;
-            if (Date.now() > entry.expiresAt) {
-                memory_memoryCache.delete(key);
-                return null;
-            }
-            return entry.value;
-        },
-        async set (key, value, ttlMs = 300000) {
-            memory_memoryCache.set(key, {
-                value,
-                expiresAt: Date.now() + ttlMs
-            });
-        },
-        async delete (key) {
-            memory_memoryCache.delete(key);
-        },
-        async has (key) {
-            const entry = memory_memoryCache.get(key);
-            if (!entry) return false;
-            if (Date.now() > entry.expiresAt) {
-                memory_memoryCache.delete(key);
-                return false;
-            }
-            return true;
-        }
-    };
-}
-function createGVLCacheKey(appName, language, vendorIds) {
-    const sortedIds = vendorIds ? [
-        ...vendorIds
-    ].sort((a, b)=>a - b).join(',') : 'all';
-    return `${appName}:gvl:${language}:${sortedIds}`;
+function mergeMatch(input) {
+    return policyMatchers.merge(input.countries?.length ? policyMatchers.countries(input.countries) : {}, input.regions?.length ? policyMatchers.regions(input.regions) : {}, input.isDefault ? policyMatchers["default"]() : {});
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
-const inflightRequests = new Map();
-async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
-    const sortedVendorIds = vendorIds ? [
-        ...vendorIds
-    ].sort((a, b)=>a - b) : [];
-    const dedupeKey = `${endpoint}|${language}|${sortedVendorIds.join(',')}`;
-    const existingRequest = inflightRequests.get(dedupeKey);
-    if (existingRequest) return existingRequest;
-    const url = new URL(endpoint);
-    if (sortedVendorIds.length > 0) url.searchParams.set('vendorIds', sortedVendorIds.join(','));
-    const promise = (async ()=>{
-        const fetchStart = Date.now();
-        try {
-            const gvl = await withExternalSpan({
-                url: url.toString(),
-                method: 'GET'
-            }, async ()=>{
-                const response = await fetch(url.toString(), {
-                    headers: {
-                        'Accept-Language': language
-                    }
-                });
-                if (204 === response.status) return null;
-                if (!response.ok) throw new Error(`Failed to fetch GVL: ${response.status} ${response.statusText}`);
-                const text = await response.text();
-                const trimmed = text.trim().replace(/^\uFEFF/, '');
-                let parsed;
-                try {
-                    parsed = JSON.parse(trimmed);
-                } catch  {
-                    let depth = 0;
-                    let end = -1;
-                    const start = trimmed.indexOf('{');
-                    if (start >= 0) for(let i = start; i < trimmed.length; i++){
-                        const c = trimmed[i];
-                        if ('{' === c) depth++;
-                        else if ('}' === c) {
-                            depth--;
-                            if (0 === depth) {
-                                end = i + 1;
-                                break;
-                            }
-                        }
-                    }
-                    if (end > 0) parsed = JSON.parse(trimmed.slice(0, end));
-                    else throw new SyntaxError('Invalid GVL response: not valid JSON');
-                }
-                if (!parsed.vendorListVersion || !parsed.purposes || !parsed.vendors) throw new Error('Invalid GVL response: missing required fields');
-                return parsed;
-            });
-            getMetrics()?.recordGvlFetch({
-                language,
-                source: 'fetch',
-                status: 200
-            }, Date.now() - fetchStart);
-            return gvl;
-        } catch (error) {
-            getMetrics()?.recordGvlError({
-                language,
-                errorType: error instanceof Error ? error.name : 'UnknownError'
-            });
-            throw error;
-        } finally{
-            inflightRequests.delete(dedupeKey);
-        }
-    })();
-    inflightRequests.set(dedupeKey, promise);
-    return promise;
-}
-function createGVLResolver(options) {
-    const { appName, bundled, cacheAdapter, vendorIds, endpoint } = options;
-    const memoryCache = createMemoryCacheAdapter();
-    return {
-        async get (language) {
-            const cacheKey = createGVLCacheKey(appName, language, vendorIds);
-            if (bundled?.[language]) return bundled[language];
-            const memoryHit = await withCacheSpan('get', 'memory', ()=>memoryCache.get(cacheKey));
-            if (memoryHit) {
-                getMetrics()?.recordCacheHit('memory');
-                return memoryHit;
-            }
-            getMetrics()?.recordCacheMiss('memory');
-            if (cacheAdapter) {
-                const externalHit = await withCacheSpan('get', 'external', ()=>cacheAdapter.get(cacheKey));
-                if (externalHit) {
-                    getMetrics()?.recordCacheHit('external');
-                    await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, externalHit, 300000));
-                    return externalHit;
-                }
-                getMetrics()?.recordCacheMiss('external');
-            }
-            const gvl = await fetchGVLWithLanguage(language, vendorIds, endpoint);
-            if (gvl) {
-                await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, gvl, 300000));
-                if (cacheAdapter) await withCacheSpan('set', 'external', ()=>cacheAdapter.set(cacheKey, gvl, GVL_TTL_MS));
-            }
-            return gvl;
-        }
-    };
-}
-function geo_normalizeHeader(value) {
-    if (!value) return null;
-    return Array.isArray(value) ? value[0] ?? null : value;
-}
-function getGeoHeaders(headers) {
-    const countryCode = geo_normalizeHeader(headers.get('x-c15t-country')) ?? geo_normalizeHeader(headers.get('cf-ipcountry')) ?? geo_normalizeHeader(headers.get('x-vercel-ip-country')) ?? geo_normalizeHeader(headers.get('x-amz-cf-ipcountry')) ?? geo_normalizeHeader(headers.get('x-country-code'));
-    const regionCode = geo_normalizeHeader(headers.get('x-c15t-region')) ?? geo_normalizeHeader(headers.get('x-vercel-ip-country-region')) ?? geo_normalizeHeader(headers.get('x-region-code'));
-    return {
-        countryCode,
-        regionCode
-    };
-}
-function checkJurisdiction(countryCode, regionCode) {
-    const jurisdictions = {
-        EU: new Set([
-            'AT',
-            'BE',
-            'BG',
-            'HR',
-            'CY',
-            'CZ',
-            'DK',
-            'EE',
-            'FI',
-            'FR',
-            'DE',
-            'GR',
-            'HU',
-            'IE',
-            'IT',
-            'LV',
-            'LT',
-            'LU',
-            'MT',
-            'NL',
-            'PL',
-            'PT',
-            'RO',
-            'SK',
-            'SI',
-            'ES',
-            'SE'
-        ]),
-        EEA: new Set([
-            'IS',
-            'NO',
-            'LI'
-        ]),
-        UK: new Set([
-            'GB'
-        ]),
-        CH: new Set([
-            'CH'
-        ]),
-        BR: new Set([
-            'BR'
-        ]),
-        CA: new Set([
-            'CA'
-        ]),
-        AU: new Set([
-            'AU'
-        ]),
-        JP: new Set([
-            'JP'
-        ]),
-        KR: new Set([
-            'KR'
-        ]),
-        US_CCPA_REGIONS: new Set([
-            'CA'
-        ]),
-        CA_QC_REGIONS: new Set([
-            'QC'
-        ])
-    };
-    let jurisdiction = 'NONE';
-    if (countryCode) {
-        const normalizedCountryCode = countryCode.toUpperCase();
-        const normalizedRegionCode = regionCode && 'string' == typeof regionCode ? (regionCode.includes('-') ? regionCode.split('-').pop() : regionCode).toUpperCase() : null;
-        if ('US' === normalizedCountryCode && normalizedRegionCode && jurisdictions.US_CCPA_REGIONS.has(normalizedRegionCode)) return 'CCPA';
-        if ('CA' === normalizedCountryCode && normalizedRegionCode && jurisdictions.CA_QC_REGIONS.has(normalizedRegionCode)) return 'QC_LAW25';
-        const jurisdictionMap = [
-            {
-                sets: [
-                    jurisdictions.UK
-                ],
-                code: 'UK_GDPR'
-            },
-            {
-                sets: [
-                    jurisdictions.EU,
-                    jurisdictions.EEA
-                ],
-                code: 'GDPR'
-            },
-            {
-                sets: [
-                    jurisdictions.CH
-                ],
-                code: 'CH'
-            },
-            {
-                sets: [
-                    jurisdictions.BR
-                ],
-                code: 'BR'
-            },
-            {
-                sets: [
-                    jurisdictions.CA
-                ],
-                code: 'PIPEDA'
-            },
-            {
-                sets: [
-                    jurisdictions.AU
-                ],
-                code: 'AU'
-            },
-            {
-                sets: [
-                    jurisdictions.JP
-                ],
-                code: 'APPI'
-            },
-            {
-                sets: [
-                    jurisdictions.KR
-                ],
-                code: 'PIPA'
-            }
-        ];
-        for (const { sets, code } of jurisdictionMap)if (sets.some((set)=>set.has(normalizedCountryCode))) {
-            jurisdiction = code;
-            break;
-        }
-    }
-    return jurisdiction;
+function compactUiSurface(value) {
+    if (!value) return;
+    return compactDefined({
+        allowedActions: dedupeTrimmedStrings(value.allowedActions),
+        primaryActions: value.primaryActions,
+        layout: value.layout,
+        direction: value.direction,
+        uiProfile: value.uiProfile,
+        scrollLock: value.scrollLock
+    });
 }
-async function getLocation(request, options) {
-    if (options.disableGeoLocation) return {
-        countryCode: null,
-        regionCode: null
-    };
-    const { countryCode, regionCode } = getGeoHeaders(request.headers);
+function buildPolicyConfig(input) {
+    const categories = dedupeTrimmedStrings(input.categories);
+    const preselectedCategories = dedupeTrimmedStrings(input.preselectedCategories);
     return {
-        countryCode,
-        regionCode
+        id: input.id,
+        match: mergeMatch(input),
+        i18n: input.i18n,
+        consent: compactDefined({
+            model: input.model,
+            expiryDays: input.expiryDays,
+            scopeMode: input.scopeMode,
+            categories,
+            preselectedCategories,
+            gpc: input.gpc
+        }),
+        ui: compactDefined({
+            mode: input.uiMode,
+            banner: compactUiSurface(input.banner),
+            dialog: compactUiSurface(input.dialog)
+        }),
+        proof: compactDefined({
+            storeIp: input.proof?.storeIp,
+            storeUserAgent: input.proof?.storeUserAgent,
+            storeLanguage: input.proof?.storeLanguage
+        })
     };
 }
-function getJurisdiction(location, options) {
-    if (options.disableGeoLocation) return 'GDPR';
-    return checkJurisdiction(location.countryCode, location.regionCode);
-}
-function isSupportedBaseLanguage(lang) {
-    return lang in baseTranslations;
+function buildPolicyPack(inputs) {
+    return inputs.map((input)=>buildPolicyConfig(input));
 }
-function translations_getTranslationsData(acceptLanguage, customTranslations) {
-    const supportedDefaultLanguages = Object.keys(baseTranslations);
-    const supportedCustomLanguages = Object.keys(customTranslations || {});
-    const supportedLanguages = [
-        ...supportedDefaultLanguages,
-        ...supportedCustomLanguages
+function buildPolicyPackWithDefault(inputs, defaultPolicy) {
+    const pack = buildPolicyPack(inputs);
+    const hasDefault = pack.some((policy)=>policy.match.isDefault);
+    if (hasDefault) return pack;
+    const fallbackInput = defaultPolicy ? {
+        ...defaultPolicy,
+        isDefault: true,
+        countries: void 0,
+        regions: void 0
+    } : DEFAULT_FALLBACK_POLICY_INPUT;
+    return [
+        ...pack,
+        buildPolicyConfig(fallbackInput)
     ];
-    const preferredLanguage = selectLanguage(supportedLanguages, {
-        header: acceptLanguage,
-        fallback: 'en'
-    });
-    const base = isSupportedBaseLanguage(preferredLanguage) ? baseTranslations[preferredLanguage] : baseTranslations.en;
-    const custom = supportedCustomLanguages.includes(preferredLanguage) ? customTranslations?.[preferredLanguage] : {};
-    const translations = custom ? deepMergeTranslations(base, custom) : base;
-    return {
-        translations: translations,
-        language: preferredLanguage
-    };
-}
-const createInitRoute = (options)=>{
-    const app = new Hono();
-    app.get('/', describeRoute({
-        summary: 'Get initial consent manager state',
-        description: `Returns the initial state required to render the consent manager.
-
-- **Jurisdiction** – User's jurisdiction (defaults to GDPR if geo-location is disabled)
-- **Location** – User's location (null if geo-location is disabled)
-- **Translations** – Consent manager copy (from \`Accept-Language\` header)
-- **Branding** – Configured branding key
-- **GVL** – Global Vendor List when enabled
-
-Use for geo-targeted consent banners and regional compliance.`,
-        tags: [
-            'Init'
-        ],
-        responses: {
-            200: {
-                description: 'Initialization payload (jurisdiction, location, translations, branding, GVL)',
-                content: {
-                    'application/json': {
-                        schema: resolver(initOutputSchema)
-                    }
-                }
-            }
-        }
-    }), async (c)=>{
-        const request = c.req.raw;
-        const acceptLanguage = request.headers.get('accept-language') || 'en';
-        const location = await getLocation(request, options);
-        const jurisdiction = getJurisdiction(location, options);
-        const translationsResult = translations_getTranslationsData(acceptLanguage, options.customTranslations);
-        let gvl = null;
-        if (options.iab?.enabled) {
-            const language = translationsResult.language.split('-')[0] || 'en';
-            const gvlResolver = createGVLResolver({
-                appName: options.appName || 'c15t',
-                bundled: options.iab.bundled,
-                cacheAdapter: options.cache?.adapter,
-                vendorIds: options.iab.vendorIds,
-                endpoint: options.iab.endpoint
-            });
-            gvl = await gvlResolver.get(language);
-        }
-        const customVendors = options.iab?.customVendors;
-        const gpc = '1' === request.headers.get('sec-gpc');
-        getMetrics()?.recordInit({
-            jurisdiction,
-            country: location?.countryCode ?? void 0,
-            region: location?.regionCode ?? void 0,
-            gpc
-        });
-        return c.json({
-            jurisdiction,
-            location,
-            translations: translationsResult,
-            branding: options.branding || 'c15t',
-            gvl,
-            customVendors,
-            ...options.iab?.cmpId != null && {
-                cmpId: options.iab.cmpId
-            }
-        });
-    });
-    return app;
-};
-function getHeaders(headers) {
-    if (!headers) return {
-        countryCode: null,
-        regionCode: null,
-        acceptLanguage: null
-    };
-    const normalizeHeader = (value)=>{
-        if (!value) return null;
-        return Array.isArray(value) ? value[0] ?? null : value;
-    };
-    const countryCode = normalizeHeader(headers.get('x-c15t-country')) ?? normalizeHeader(headers.get('cf-ipcountry')) ?? normalizeHeader(headers.get('x-vercel-ip-country')) ?? normalizeHeader(headers.get('x-amz-cf-ipcountry')) ?? normalizeHeader(headers.get('x-country-code'));
-    const regionCode = normalizeHeader(headers.get('x-c15t-region')) ?? normalizeHeader(headers.get('x-vercel-ip-country-region')) ?? normalizeHeader(headers.get('x-region-code'));
-    const acceptLanguage = normalizeHeader(headers.get('accept-language'));
-    return {
-        countryCode,
-        regionCode,
-        acceptLanguage
-    };
 }
-const statusHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const { countryCode, regionCode, acceptLanguage } = getHeaders(ctx.headers);
-    const clientInfo = {
-        ip: ctx.ipAddress ?? null,
-        acceptLanguage,
-        userAgent: ctx.userAgent ?? null,
-        region: {
-            countryCode,
-            regionCode
-        }
-    };
-    try {
-        await ctx.db.findFirst('subject', {});
-        return c.json({
-            version: version_version,
-            timestamp: new Date(),
-            client: clientInfo
-        });
-    } catch (error) {
-        ctx.logger.error('Database health check failed', {
-            error
-        });
-        throw new HTTPException(503, {
-            message: 'Database health check failed',
-            cause: {
-                code: 'SERVICE_UNAVAILABLE',
-                error
-            }
-        });
-    }
-};
-const createStatusRoute = ()=>{
-    const app = new Hono();
-    app.get('/', describeRoute({
-        summary: 'Health check and API status',
-        description: `Returns API version, timestamp, and client info (IP, region, user agent).
-
-Use for health checks, load balancer probes, and debugging. Performs a lightweight DB check; returns 503 if the database is unreachable.`,
-        tags: [
-            'Status'
-        ],
-        responses: {
-            200: {
-                description: 'API is healthy (version, timestamp, client info)',
-                content: {
-                    'application/json': {
-                        schema: resolver(statusOutputSchema)
-                    }
-                }
-            },
-            503: {
-                description: 'Service unavailable (e.g. database unreachable)'
-            }
-        }
-    }), statusHandler);
-    return app;
-};
-const getSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /subjects/:id request');
-    const { db, registry } = ctx;
-    const subjectId = c.req.param('id');
-    const type = c.req.query('type');
-    const typeFilter = type?.split(',').map((t)=>t.trim()) || [];
-    logger.debug('Request parameters', {
-        subjectId,
-        typeFilter
-    });
-    try {
-        const subject = await db.findFirst('subject', {
-            where: (b)=>b('id', '=', subjectId)
-        });
-        if (!subject) throw new HTTPException(404, {
-            message: 'Subject not found',
-            cause: {
-                code: 'SUBJECT_NOT_FOUND',
-                subjectId
-            }
-        });
-        const consents = await db.findMany('consent', {
-            where: (b)=>b('subjectId', '=', subjectId)
-        });
-        const consentItems = await enrichConsents(consents, {
-            db,
-            registry
-        });
-        const filteredConsents = typeFilter.length > 0 ? consentItems.filter((consent)=>typeFilter.includes(consent.type)) : consentItems;
-        const isValid = 0 === typeFilter.length || typeFilter.every((t)=>filteredConsents.some((consent)=>consent.type === t && consent.isLatestPolicy));
-        return c.json({
-            subject: {
-                id: subject.id,
-                externalId: subject.externalId ?? void 0,
-                createdAt: subject.createdAt
-            },
-            consents: filteredConsents,
-            isValid
-        });
-    } catch (error) {
-        logger.error('Error in GET /subjects/:id handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
+function composePacks(...packs) {
+    const seen = new Set();
+    const result = [];
+    for (const pack of packs)for (const policy of pack)if (!seen.has(policy.id)) {
+        seen.add(policy.id);
+        result.push(policy);
     }
-};
-const listSubjectsHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling GET /subjects request');
-    const { db, registry } = ctx;
-    if (!ctx.apiKeyAuthenticated) throw new HTTPException(401, {
-        message: 'API key required. Use Authorization: Bearer <api_key>',
-        cause: {
-            code: 'UNAUTHORIZED'
-        }
-    });
-    const externalId = c.req.query('externalId');
-    if (!externalId) throw new HTTPException(422, {
-        message: 'externalId query parameter is required',
-        cause: {
-            code: 'EXTERNAL_ID_REQUIRED'
-        }
-    });
-    logger.debug('Request parameters', {
-        externalId
-    });
-    try {
-        const subjects = await db.findMany('subject', {
-            where: (b)=>b('externalId', '=', externalId)
-        });
-        const subjectItems = await Promise.all(subjects.map(async (subject)=>{
-            const consents = await db.findMany('consent', {
-                where: (b)=>b('subjectId', '=', subject.id)
-            });
-            const consentItems = await enrichConsents(consents, {
-                db,
-                registry
-            });
-            return {
-                id: subject.id,
-                externalId: subject.externalId ?? externalId,
-                createdAt: subject.createdAt,
-                consents: consentItems
-            };
-        }));
-        logger.info('Found subjects for externalId', {
-            externalId,
-            count: subjectItems.length
-        });
-        return c.json({
-            subjects: subjectItems
-        });
-    } catch (error) {
-        logger.error('Error in GET /subjects handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const utils_prefixes = {
-    auditLog: 'log',
-    consent: 'cns',
-    consentPolicy: 'pol',
-    consentPurpose: 'pur',
-    domain: 'dom',
-    subject: 'sub'
-};
-const utils_b58 = base_x('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
-function utils_generateId(model) {
-    const buf = crypto.getRandomValues(new Uint8Array(20));
-    const prefix = utils_prefixes[model];
-    const EPOCH_TIMESTAMP = 1700000000000;
-    const t = Date.now() - EPOCH_TIMESTAMP;
-    const high = Math.floor(t / 0x100000000);
-    const low = t >>> 0;
-    buf[0] = high >>> 24 & 255;
-    buf[1] = high >>> 16 & 255;
-    buf[2] = high >>> 8 & 255;
-    buf[3] = 255 & high;
-    buf[4] = low >>> 24 & 255;
-    buf[5] = low >>> 16 & 255;
-    buf[6] = low >>> 8 & 255;
-    buf[7] = 255 & low;
-    return `${prefix}_${utils_b58.encode(buf)}`;
+    return result;
 }
-async function utils_generateUniqueId(db, model, ctx, options = {}) {
-    const { maxRetries = 10, attempt = 0, baseDelay = 5 } = options;
-    if (attempt >= maxRetries) {
-        const error = new Error(`Failed to generate unique ID for ${model} after ${maxRetries} attempts`);
-        ctx?.logger?.error?.('ID generation failed', {
-            model,
-            maxRetries
-        });
-        throw error;
-    }
-    const id = utils_generateId(model);
-    try {
-        const existing = await db.findFirst(model, {
-            where: (b)=>b('id', '=', id)
-        });
-        if (existing) {
-            ctx?.logger?.debug?.('ID conflict detected', {
-                id,
-                model,
-                attempt: attempt + 1,
-                maxRetries
-            });
-            const delay = Math.min(baseDelay * 2 ** attempt, 1000);
-            await new Promise((resolve)=>setTimeout(resolve, delay));
-            return utils_generateUniqueId(db, model, ctx, {
-                maxRetries,
-                attempt: attempt + 1,
-                baseDelay
-            });
-        }
-        return id;
-    } catch (error) {
-        ctx?.logger?.error?.('Error checking ID uniqueness', {
-            error: error.message,
-            model,
-            attempt
-        });
-        if (attempt < maxRetries - 1) {
-            const delay = Math.min(baseDelay * 2 ** attempt, 2000);
-            await new Promise((resolve)=>setTimeout(resolve, delay));
-            return utils_generateUniqueId(db, model, ctx, {
-                maxRetries,
-                attempt: attempt + 1,
-                baseDelay
-            });
-        }
-        throw error;
-    }
-}
-const patchSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling PATCH /subjects/:id request');
-    const { db } = ctx;
-    const subjectId = c.req.param('id');
-    const body = await c.req.json();
-    const { externalId, identityProvider = 'external' } = body;
-    logger.debug('Request parameters', {
-        subjectId,
-        externalId,
-        identityProvider
-    });
-    try {
-        const subject = await db.findFirst('subject', {
-            where: (b)=>b('id', '=', subjectId)
-        });
-        if (!subject) throw new HTTPException(404, {
-            message: 'Subject not found',
-            cause: {
-                code: 'SUBJECT_NOT_FOUND',
-                subjectId
-            }
-        });
-        await db.transaction(async (tx)=>{
-            await tx.updateMany('subject', {
-                where: (b)=>b('id', '=', subjectId),
-                set: {
-                    externalId,
-                    identityProvider,
-                    updatedAt: new Date()
-                }
-            });
-            await tx.create('auditLog', {
-                id: await utils_generateUniqueId(tx, 'auditLog', ctx),
-                subjectId,
-                entityType: 'subject',
-                entityId: subjectId,
-                actionType: 'identify_user',
-                ipAddress: ctx.ipAddress || null,
-                userAgent: ctx.userAgent || null,
-                changes: {
-                    externalId: {
-                        from: subject.externalId,
-                        to: externalId
-                    },
-                    identityProvider: {
-                        from: subject.identityProvider,
-                        to: identityProvider
-                    }
-                },
-                metadata: {
-                    externalId,
-                    identityProvider
-                }
-            });
-        });
-        logger.info('Subject linked to external ID', {
-            subjectId,
-            externalId,
-            identityProvider
-        });
-        getMetrics()?.recordSubjectLinked(identityProvider);
-        return c.json({
-            success: true,
-            subject: {
-                id: subjectId,
-                externalId
-            }
-        });
-    } catch (error) {
-        logger.error('Error in PATCH /subjects/:id handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const postSubjectHandler = async (c)=>{
-    const ctx = c.get('c15tContext');
-    const logger = ctx.logger;
-    logger.info('Handling POST /subjects request');
-    const { db, registry } = ctx;
-    const input = await c.req.json();
-    const { type, subjectId, identityProvider, externalSubjectId, domain, metadata, givenAt: givenAtEpoch } = input;
-    const preferences = 'preferences' in input ? input.preferences : void 0;
-    const givenAt = new Date(givenAtEpoch);
-    const rawConsentAction = 'consentAction' in input ? input.consentAction : void 0;
-    let derivedConsentAction;
-    if ('all' === rawConsentAction) derivedConsentAction = 'accept_all';
-    else if ('necessary' === rawConsentAction) derivedConsentAction = 'opt-out' === input.jurisdictionModel ? 'opt_out' : 'reject_all';
-    else if ('custom' === rawConsentAction) derivedConsentAction = 'custom';
-    logger.debug('Request parameters', {
-        type,
-        subjectId,
-        identityProvider,
-        externalSubjectId,
-        domain
-    });
-    try {
-        const subject = await registry.findOrCreateSubject({
-            subjectId,
-            externalSubjectId,
-            identityProvider,
-            ipAddress: ctx.ipAddress
-        });
-        if (!subject) throw new HTTPException(500, {
-            message: 'Failed to create subject',
-            cause: {
-                code: 'SUBJECT_CREATION_FAILED',
-                subjectId
-            }
-        });
-        logger.debug('Subject found/created', {
-            subjectId: subject.id
-        });
-        const domainRecord = await registry.findOrCreateDomain(domain);
-        if (!domainRecord) throw new HTTPException(500, {
-            message: 'Failed to create domain',
-            cause: {
-                code: 'DOMAIN_CREATION_FAILED',
-                domain
-            }
-        });
-        let policyId;
-        let purposeIds = [];
-        const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
-        if (inputPolicyId) {
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
-        } else {
-            const policy = await registry.findOrCreatePolicy(type);
-            if (!policy) throw new HTTPException(500, {
-                message: 'Failed to create policy',
-                cause: {
-                    code: 'POLICY_CREATION_FAILED',
-                    type
-                }
-            });
-            policyId = policy.id;
-        }
-        if (preferences) {
-            const consentedPurposes = Object.entries(preferences).filter(([_, isConsented])=>isConsented).map(([purposeCode])=>purposeCode);
-            logger.debug('Consented purposes', {
-                consentedPurposes
-            });
-            const purposesRaw = await Promise.all(consentedPurposes.map((purposeCode)=>registry.findOrCreateConsentPurposeByCode(purposeCode)));
-            const purposes = purposesRaw.map((purpose)=>purpose?.id ?? null).filter((id)=>Boolean(id));
-            logger.debug('Filtered purposes', {
-                purposes
-            });
-            if (0 === purposes.length) logger.warn('No valid purpose IDs found after filtering. Using empty list.', {
-                consentedPurposes
-            });
-            purposeIds = purposes;
-        }
-        const existingConsent = await db.findFirst('consent', {
-            where: (b)=>b.and(b('subjectId', '=', subject.id), b('domainId', '=', domainRecord.id), b('policyId', '=', policyId), b('givenAt', '=', givenAt))
-        });
-        if (existingConsent) {
-            logger.debug('Duplicate consent detected, returning existing record', {
-                consentId: existingConsent.id
-            });
-            return c.json({
-                subjectId: subject.id,
-                consentId: existingConsent.id,
-                domainId: domainRecord.id,
-                domain: domainRecord.name,
-                type,
-                metadata,
-                uiSource: input.uiSource,
-                givenAt: existingConsent.givenAt
-            });
-        }
-        const result = await db.transaction(async (tx)=>{
-            logger.debug('Creating consent record', {
-                subjectId: subject.id,
-                domainId: domainRecord.id,
-                policyId,
-                purposeIds
-            });
-            const consentRecord = await tx.create('consent', {
-                id: await utils_generateUniqueId(tx, 'consent', ctx),
-                subjectId: subject.id,
-                domainId: domainRecord.id,
-                policyId,
-                purposeIds: {
-                    json: purposeIds
-                },
-                metadata: metadata ? {
-                    json: metadata
-                } : void 0,
-                ipAddress: ctx.ipAddress,
-                userAgent: ctx.userAgent,
-                jurisdiction: input.jurisdiction,
-                jurisdictionModel: input.jurisdictionModel,
-                tcString: input.tcString,
-                uiSource: input.uiSource,
-                consentAction: derivedConsentAction,
-                givenAt
-            });
-            logger.debug('Created consent', {
-                consentRecord: consentRecord.id
-            });
-            if (!consentRecord) throw new HTTPException(500, {
-                message: 'Failed to create consent',
-                cause: {
-                    code: 'CONSENT_CREATION_FAILED',
-                    subjectId: subject.id,
-                    domain
-                }
-            });
-            return {
-                consent: consentRecord
-            };
-        });
-        const metrics = getMetrics();
-        if (metrics) {
-            const jurisdiction = input.jurisdiction;
-            metrics.recordConsentCreated({
-                type,
-                jurisdiction
-            });
-            const hasAccepted = preferences && Object.values(preferences).some(Boolean);
-            if (hasAccepted) metrics.recordConsentAccepted({
-                type,
-                jurisdiction
-            });
-            else metrics.recordConsentRejected({
-                type,
-                jurisdiction
-            });
-        }
-        return c.json({
-            subjectId: subject.id,
-            consentId: result.consent.id,
-            domainId: domainRecord.id,
-            domain: domainRecord.name,
-            type,
-            metadata,
-            uiSource: input.uiSource,
-            givenAt: result.consent.givenAt
-        });
-    } catch (error) {
-        logger.error('Error in POST /subjects handler', {
-            error: extractErrorMessage(error),
-            errorType: error instanceof Error ? error.constructor.name : typeof error
-        });
-        if (error instanceof HTTPException) throw error;
-        throw new HTTPException(500, {
-            message: 'Internal server error',
-            cause: {
-                code: 'INTERNAL_SERVER_ERROR'
-            }
-        });
-    }
-};
-const createSubjectRoutes = ()=>{
-    const app = new Hono();
-    app.get('/:id', describeRoute({
-        summary: 'Get subject consent status',
-        description: `Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.
-
-**Query:** \`type\` – Filter by consent type(s), comma-separated (e.g. \`privacy_policy,cookie_banner\`).
-
-**Response:** \`subject\`, \`consents\` (matching filter), \`isValid\` (valid consent for requested type(s)).`,
-        tags: [
-            'Subject',
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Subject and consent records for the requested type(s)',
-                content: {
-                    'application/json': {
-                        schema: resolver(getSubjectOutputSchema)
-                    }
-                }
-            },
-            404: {
-                description: 'Subject not found for the given ID'
-            }
-        }
-    }), validator('param', getSubjectInputSchema), getSubjectHandler);
-    app.post('/', describeRoute({
-        summary: 'Record consent for a subject',
-        description: `Creates a new consent record (append-only). Creates the subject if it does not exist.
-
-**Request body by \`type\`:**
-- \`cookie_banner\` – Requires \`preferences\` object
-- \`privacy_policy\`, \`dpa\`, \`terms_and_conditions\` – Optional \`policyId\`
-- \`marketing_communications\`, \`age_verification\`, \`other\` – Optional \`preferences\``,
-        tags: [
-            'Subject',
-            'Consent'
-        ],
-        responses: {
-            200: {
-                description: 'Consent recorded; subject and consent in response',
-                content: {
-                    'application/json': {
-                        schema: resolver(postSubjectOutputSchema)
-                    }
-                }
-            },
-            422: {
-                description: 'Invalid request body (schema or validation failed)'
-            }
-        }
-    }), validator('json', postSubjectInputSchema), postSubjectHandler);
-    app.patch('/:id', describeRoute({
-        summary: 'Link external ID to subject',
-        description: 'Associates an external user ID with an existing subject (e.g. after login). Enables cross-device consent sync.',
-        tags: [
-            'Subject'
-        ],
-        responses: {
-            200: {
-                description: 'Subject updated with external ID',
-                content: {
-                    'application/json': {
-                        schema: resolver(patchSubjectOutputSchema)
-                    }
-                }
-            },
-            404: {
-                description: 'Subject not found for the given ID'
-            }
-        }
-    }), validator('param', object({
-        id: subjectIdSchema
-    })), validator('json', object({
-        externalId: string(),
-        identityProvider: optional(string())
-    })), patchSubjectHandler);
-    app.get('/', describeRoute({
-        summary: 'List subjects by external ID (API key required)',
-        description: 'Returns all subjects linked to the given external ID. Requires Bearer token (API key). Use for server-side consent lookups.',
-        tags: [
-            'Subject'
-        ],
-        security: [
-            {
-                bearerAuth: []
-            }
-        ],
-        responses: {
-            200: {
-                description: 'List of subjects for the external ID',
-                content: {
-                    'application/json': {
-                        schema: resolver(listSubjectsOutputSchema)
-                    }
-                }
-            },
-            401: {
-                description: 'Missing or invalid API key'
-            }
-        }
-    }), validator('query', listSubjectsQuerySchema), listSubjectsHandler);
-    return app;
+const policyBuilder = {
+    create: buildPolicyConfig,
+    createPack: buildPolicyPack,
+    createPackWithDefault: buildPolicyPackWithDefault,
+    composePacks: composePacks
 };
-const defineConfig = (config)=>config;
 const c15tInstance = (options)=>{
     const context = init(options);
     const logger = logger_createLogger(options.logger);
     const app = new Hono();
-    const openApiConfig = config_createOpenAPIConfig(options);
+    const openApiConfig = createOpenAPIConfig(options);
     const basePath = options.basePath || '/';
     const corsOptions = createCORSOptions(options.trustedOrigins);
     app.use('*', cors(corsOptions));
@@ -2559,7 +888,7 @@ const c15tInstance = (options)=>{
                 span.updateName(`${c.req.method} ${routePattern}`);
                 span.setAttribute('http.route', routePattern);
                 span.setStatus({
-                    code: api_SpanStatusCode.OK
+                    code: SpanStatusCode.OK
                 });
             } else await runNext();
         } catch (error) {
@@ -2605,9 +934,7 @@ const c15tInstance = (options)=>{
         }));
         const publicSpecUrl = `${basePath}${openApiConfig.specPath}`.replace(/\/+/g, '/');
         app.get(openApiConfig.docsPath, apiReference({
-            spec: {
-                url: publicSpecUrl
-            },
+            url: publicSpecUrl,
             pageTitle: `${options.appName || 'c15t API'} Documentation`
         }));
     }
@@ -2700,4 +1027,7 @@ const c15tInstance = (options)=>{
         getDocsUI
     };
 };
-export { c15tInstance, defineConfig, version_version as version };
+export { defineConfig } from "./define-config.js";
+export { inspectPolicies } from "./583.js";
+export { version } from "./302.js";
+export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, policyBuilder, policyMatchers, policyPackPresets };