@c15t/backend 2.0.0-rc.5 → 2.0.0-rc.8

package/dist/router.cjs

@@ -22,7 +22,7 @@ var __webpack_require__ = {};
 })();
 (()=>{
     __webpack_require__.r = (exports1)=>{
-        if ('undefined' != typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
             value: 'Module'
         });
         Object.defineProperty(exports1, '__esModule', {
@@ -42,7 +42,7 @@ const schema_namespaceObject = require("@c15t/schema");
 const external_hono_namespaceObject = require("hono");
 const external_hono_openapi_namespaceObject = require("hono-openapi");
 const http_exception_namespaceObject = require("hono/http-exception");
-function extractErrorMessage(error) {
+function extract_error_message_extractErrorMessage(error) {
     if (error instanceof AggregateError && error.errors?.length > 0) {
         const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
         return `AggregateError: ${inner}`;
@@ -75,7 +75,7 @@ function getDefaultAttributes() {
 const handleSpanError = (span, error)=>{
     span.setStatus({
         code: api_namespaceObject.SpanStatusCode.ERROR,
-        message: extractErrorMessage(error)
+        message: extract_error_message_extractErrorMessage(error)
     });
     if (error instanceof Error) span.setAttribute('error.type', error.name);
 };
@@ -244,7 +244,7 @@ function createMetrics(meter) {
     };
 }
 let metricsInstance = null;
-function getMetrics(options) {
+function metrics_getMetrics(options) {
     if (metricsInstance) return metricsInstance;
     if (!create_telemetry_options_isTelemetryEnabled(options)) return null;
     metricsInstance = createMetrics(getMeter(options));
@@ -270,7 +270,7 @@ async function batchLoadPolicies(policyIds, ctx) {
     for (const p of policyMap.values())uniqueTypes.add(p.type);
     const latestPolicyByType = new Map();
     for (const type of uniqueTypes){
-        const latest = await registry.findOrCreatePolicy(type);
+        const latest = await registry.findLatestPolicyByType(type);
         if (latest) latestPolicyByType.set(type, latest.id);
     }
     return {
@@ -296,11 +296,17 @@ async function enrichConsents(consents, ctx) {
     }
     return consents.map((consent)=>{
         let policyType = 'unknown';
+        let policyVersion;
+        let policyHash;
+        let policyEffectiveDate;
         let isLatestPolicy = false;
         if (consent.policyId) {
             const policy = policyMap.get(consent.policyId);
             if (policy) {
                 policyType = policy.type;
+                policyVersion = policy.version;
+                policyHash = policy.hash ?? void 0;
+                policyEffectiveDate = policy.effectiveDate;
                 isLatestPolicy = latestPolicyByType.get(policyType) === consent.policyId;
             }
         }
@@ -317,6 +323,9 @@ async function enrichConsents(consents, ctx) {
             id: consent.id,
             type: policyType,
             policyId: consent.policyId ?? void 0,
+            policyVersion,
+            policyHash,
+            policyEffectiveDate,
             isLatestPolicy,
             preferences,
             givenAt: consent.givenAt
@@ -408,14 +417,14 @@ const checkConsentHandler = async (c)=>{
             externalId,
             results
         });
-        const metrics = getMetrics();
+        const metrics = metrics_getMetrics();
         if (metrics) for (const [type, result] of Object.entries(results))metrics.recordConsentCheck(type, result.hasConsent);
         return c.json({
             results
         });
     } catch (error) {
         logger.error('Error in GET /consents/check handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -431,11 +440,7 @@ const createConsentRoutes = ()=>{
     const app = new external_hono_namespaceObject.Hono();
     app.get('/check', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Check consent by external user ID',
-        description: `Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.
-
-**Query parameters:**
-- \`externalId\` – External user ID to check
-- \`type\` – Consent type(s) to check (comma-separated)`,
+        description: "Pre-banner cross-device consent check. Use to avoid showing the banner when the user has already consented on another device.\n\n**Query parameters:**\n- `externalId` – External user ID to check\n- `type` – Consent type(s) to check (comma-separated)",
         tags: [
             'Consent'
         ],
@@ -596,14 +601,14 @@ async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT
                 if (!parsed.vendorListVersion || !parsed.purposes || !parsed.vendors) throw new Error('Invalid GVL response: missing required fields');
                 return parsed;
             });
-            getMetrics()?.recordGvlFetch({
+            metrics_getMetrics()?.recordGvlFetch({
                 language,
                 source: 'fetch',
                 status: 200
             }, Date.now() - fetchStart);
             return gvl;
         } catch (error) {
-            getMetrics()?.recordGvlError({
+            metrics_getMetrics()?.recordGvlError({
                 language,
                 errorType: error instanceof Error ? error.name : 'UnknownError'
             });
@@ -624,18 +629,18 @@ function createGVLResolver(options) {
             if (bundled?.[language]) return bundled[language];
             const memoryHit = await withCacheSpan('get', 'memory', ()=>memoryCache.get(cacheKey));
             if (memoryHit) {
-                getMetrics()?.recordCacheHit('memory');
+                metrics_getMetrics()?.recordCacheHit('memory');
                 return memoryHit;
             }
-            getMetrics()?.recordCacheMiss('memory');
+            metrics_getMetrics()?.recordCacheMiss('memory');
             if (cacheAdapter) {
                 const externalHit = await withCacheSpan('get', 'external', ()=>cacheAdapter.get(cacheKey));
                 if (externalHit) {
-                    getMetrics()?.recordCacheHit('external');
+                    metrics_getMetrics()?.recordCacheHit('external');
                     await withCacheSpan('set', 'memory', ()=>memoryCache.set(cacheKey, externalHit, 300000));
                     return externalHit;
                 }
-                getMetrics()?.recordCacheMiss('external');
+                metrics_getMetrics()?.recordCacheMiss('external');
             }
             const gvl = await fetchGVLWithLanguage(language, vendorIds, endpoint);
             if (gvl) {
@@ -1129,7 +1134,7 @@ async function resolveInitPayload(request, options, logger) {
         proofConfig: policyDecision.policy.proof
     }) : void 0;
     const gpc = '1' === request.headers.get('sec-gpc');
-    getMetrics()?.recordInit({
+    metrics_getMetrics()?.recordInit({
         jurisdiction,
         country: location?.countryCode ?? void 0,
         region: location?.regionCode ?? void 0,
@@ -1198,7 +1203,16 @@ Use for geo-targeted consent banners and regional compliance.`,
     });
     return app;
 };
-const version_version = '2.0.0-rc.5';
+const external_base_x_namespaceObject = require("base-x");
+var external_base_x_default = /*#__PURE__*/ __webpack_require__.n(external_base_x_namespaceObject);
+external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
+class consent_policy_LegalDocumentPolicyConflictError extends Error {
+    constructor(message){
+        super(message);
+        this.name = 'LegalDocumentPolicyConflictError';
+    }
+}
+const version_version = '2.0.0-rc.8';
 function getHeaders(headers) {
     if (!headers) return {
         countryCode: null,
@@ -1285,6 +1299,12 @@ const getSubjectHandler = async (c)=>{
     const subjectId = c.req.param('id');
     const type = c.req.query('type');
     const typeFilter = type?.split(',').map((t)=>t.trim()) || [];
+    if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+        message: 'Subject ID is required',
+        cause: {
+            code: 'SUBJECT_ID_REQUIRED'
+        }
+    });
     logger.debug('Request parameters', {
         subjectId,
         typeFilter
@@ -1320,7 +1340,7 @@ const getSubjectHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in GET /subjects/:id handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1381,7 +1401,7 @@ const listSubjectsHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in GET /subjects handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1393,9 +1413,7 @@ const listSubjectsHandler = async (c)=>{
         });
     }
 };
-const external_base_x_namespaceObject = require("base-x");
-var external_base_x_default = /*#__PURE__*/ __webpack_require__.n(external_base_x_namespaceObject);
-const prefixes = {
+const utils_prefixes = {
     auditLog: 'log',
     consent: 'cns',
     consentPolicy: 'pol',
@@ -1403,10 +1421,10 @@ const prefixes = {
     domain: 'dom',
     subject: 'sub'
 };
-const b58 = external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
-function generateId(model) {
+const utils_b58 = external_base_x_default()('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
+function utils_generateId(model) {
     const buf = crypto.getRandomValues(new Uint8Array(20));
-    const prefix = prefixes[model];
+    const prefix = utils_prefixes[model];
     const EPOCH_TIMESTAMP = 1700000000000;
     const t = Date.now() - EPOCH_TIMESTAMP;
     const high = Math.floor(t / 0x100000000);
@@ -1419,9 +1437,9 @@ function generateId(model) {
     buf[5] = low >>> 16 & 255;
     buf[6] = low >>> 8 & 255;
     buf[7] = 255 & low;
-    return `${prefix}_${b58.encode(buf)}`;
+    return `${prefix}_${utils_b58.encode(buf)}`;
 }
-async function generateUniqueId(db, model, ctx, options = {}) {
+async function utils_generateUniqueId(db, model, ctx, options = {}) {
     const { maxRetries = 10, attempt = 0, baseDelay = 5 } = options;
     if (attempt >= maxRetries) {
         const error = new Error(`Failed to generate unique ID for ${model} after ${maxRetries} attempts`);
@@ -1431,7 +1449,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
         });
         throw error;
     }
-    const id = generateId(model);
+    const id = utils_generateId(model);
     try {
         const existing = await db.findFirst(model, {
             where: (b)=>b('id', '=', id)
@@ -1445,7 +1463,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
             });
             const delay = Math.min(baseDelay * 2 ** attempt, 1000);
             await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
+            return utils_generateUniqueId(db, model, ctx, {
                 maxRetries,
                 attempt: attempt + 1,
                 baseDelay
@@ -1461,7 +1479,7 @@ async function generateUniqueId(db, model, ctx, options = {}) {
         if (attempt < maxRetries - 1) {
             const delay = Math.min(baseDelay * 2 ** attempt, 2000);
             await new Promise((resolve)=>setTimeout(resolve, delay));
-            return generateUniqueId(db, model, ctx, {
+            return utils_generateUniqueId(db, model, ctx, {
                 maxRetries,
                 attempt: attempt + 1,
                 baseDelay
@@ -1478,6 +1496,12 @@ const patchSubjectHandler = async (c)=>{
     const subjectId = c.req.param('id');
     const body = await c.req.json();
     const { externalId, identityProvider = 'external' } = body;
+    if (!subjectId) throw new http_exception_namespaceObject.HTTPException(400, {
+        message: 'Subject ID is required',
+        cause: {
+            code: 'SUBJECT_ID_REQUIRED'
+        }
+    });
     logger.debug('Request parameters', {
         subjectId,
         externalId,
@@ -1504,7 +1528,7 @@ const patchSubjectHandler = async (c)=>{
                 }
             });
             await tx.create('auditLog', {
-                id: await generateUniqueId(tx, 'auditLog', ctx),
+                id: await utils_generateUniqueId(tx, 'auditLog', ctx),
                 subjectId,
                 entityType: 'subject',
                 entityId: subjectId,
@@ -1532,7 +1556,7 @@ const patchSubjectHandler = async (c)=>{
             externalId,
             identityProvider
         });
-        getMetrics()?.recordSubjectLinked(identityProvider);
+        metrics_getMetrics()?.recordSubjectLinked(identityProvider);
         return c.json({
             success: true,
             subject: {
@@ -1542,7 +1566,7 @@ const patchSubjectHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in PATCH /subjects/:id handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
@@ -1554,6 +1578,79 @@ const patchSubjectHandler = async (c)=>{
         });
     }
 };
+const DEFAULT_ISSUER = 'c15t';
+const DEFAULT_AUDIENCE = 'c15t-legal-document-snapshot';
+function isLegalDocumentPolicyType(type) {
+    return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+}
+function snapshot_resolveSnapshotIssuer(options) {
+    return options?.issuer?.trim() || DEFAULT_ISSUER;
+}
+function snapshot_resolveSnapshotAudience(params) {
+    const configuredAudience = params.options?.audience?.trim();
+    if (configuredAudience) return configuredAudience;
+    return params.tenantId ? `${DEFAULT_AUDIENCE}:${params.tenantId}` : DEFAULT_AUDIENCE;
+}
+function snapshot_getSigningKey(secret) {
+    return new TextEncoder().encode(secret);
+}
+function isLegalDocumentSnapshotPayload(payload) {
+    return 'string' == typeof payload.iss && 'string' == typeof payload.aud && 'string' == typeof payload.sub && isLegalDocumentPolicyType(payload.type) && 'string' == typeof payload.version && 'string' == typeof payload.hash && 'string' == typeof payload.effectiveDate && 'number' == typeof payload.iat && 'number' == typeof payload.exp;
+}
+async function verifyLegalDocumentSnapshotToken(params) {
+    const { token, options, tenantId } = params;
+    if (!options?.signingKey) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (!token) return {
+        valid: false,
+        reason: 'missing'
+    };
+    if (3 !== token.split('.').length) return {
+        valid: false,
+        reason: 'malformed'
+    };
+    try {
+        const { payload, protectedHeader } = await (0, external_jose_namespaceObject.jwtVerify)(token, snapshot_getSigningKey(options.signingKey), {
+            issuer: snapshot_resolveSnapshotIssuer(options),
+            audience: snapshot_resolveSnapshotAudience({
+                options,
+                tenantId
+            })
+        });
+        const header = protectedHeader;
+        if ('HS256' !== header.alg || 'JWT' !== header.typ) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (!isLegalDocumentSnapshotPayload(payload)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if (payload.sub !== payload.hash) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        if ((tenantId ?? void 0) !== (payload.tenantId ?? void 0)) return {
+            valid: false,
+            reason: 'invalid'
+        };
+        return {
+            valid: true,
+            payload
+        };
+    } catch (error) {
+        if (error instanceof external_jose_namespaceObject.errors.JWTExpired) return {
+            valid: false,
+            reason: 'expired'
+        };
+        return {
+            valid: false,
+            reason: 'invalid'
+        };
+    }
+}
 function buildRuntimeDecisionDedupeKey(input) {
     return [
         input.tenantId ?? 'default',
@@ -1633,6 +1730,9 @@ function parseLanguageFromHeader(header) {
     if (!firstLanguage) return;
     return firstLanguage.split('-')[0]?.toLowerCase();
 }
+function isLegalDocumentType(type) {
+    return 'privacy_policy' === type || 'terms_and_conditions' === type || 'dpa' === type;
+}
 function resolveSnapshotFailureMode(ctx) {
     return ctx.policySnapshot?.onValidationFailure ?? 'reject';
 }
@@ -1667,6 +1767,45 @@ function buildSnapshotHttpException(reason) {
             }
     }
 }
+function buildLegalDocumentSnapshotHttpException(reason) {
+    switch(reason){
+        case 'missing':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token is required',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_REQUIRED'
+                }
+            });
+        case 'expired':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token has expired',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_EXPIRED'
+                }
+            });
+        case 'malformed':
+        case 'invalid':
+            return new http_exception_namespaceObject.HTTPException(409, {
+                message: 'Legal document snapshot token is invalid',
+                cause: {
+                    code: 'LEGAL_DOCUMENT_SNAPSHOT_INVALID'
+                }
+            });
+        default:
+            {
+                const _exhaustive = reason;
+                throw new Error(`Unhandled legal document snapshot verification failure reason: ${_exhaustive}`);
+            }
+    }
+}
+function buildLegalDocumentProofHttpException(message) {
+    return new http_exception_namespaceObject.HTTPException(409, {
+        message,
+        cause: {
+            code: 'LEGAL_DOCUMENT_PROOF_REQUIRED'
+        }
+    });
+}
 const postSubjectHandler = async (c)=>{
     const ctx = c.get('c15tContext');
     const logger = ctx.logger;
@@ -1692,16 +1831,30 @@ const postSubjectHandler = async (c)=>{
         const requestLanguage = parseLanguageFromHeader(acceptLanguage);
         const location = await getLocation(request, ctx);
         const resolvedJurisdiction = getJurisdiction(location, ctx);
-        const snapshotVerification = await verifyPolicySnapshotToken({
+        const legalDocumentConsent = isLegalDocumentType(type);
+        const runtimeSnapshotVerification = legalDocumentConsent ? {
+            valid: false,
+            reason: 'missing'
+        } : await verifyPolicySnapshotToken({
             token: input.policySnapshotToken,
             options: ctx.policySnapshot,
             tenantId: ctx.tenantId
         });
-        const hasValidSnapshot = snapshotVerification.valid;
-        const snapshotPayload = snapshotVerification.valid ? snapshotVerification.payload : null;
-        const shouldRequireSnapshot = !!ctx.policySnapshot?.signingKey && 'reject' === resolveSnapshotFailureMode(ctx);
-        if (!hasValidSnapshot && shouldRequireSnapshot) throw buildSnapshotHttpException(snapshotVerification.reason);
-        const resolvedPolicyDecision = hasValidSnapshot ? void 0 : await resolvePolicyDecision({
+        const legalDocumentSnapshotVerification = legalDocumentConsent ? await verifyLegalDocumentSnapshotToken({
+            token: input.documentSnapshotToken,
+            options: ctx.legalDocumentSnapshot,
+            tenantId: ctx.tenantId
+        }) : {
+            valid: false,
+            reason: 'missing'
+        };
+        const hasValidSnapshot = runtimeSnapshotVerification.valid;
+        const snapshotPayload = runtimeSnapshotVerification.valid ? runtimeSnapshotVerification.payload : null;
+        const shouldRequireSnapshot = !legalDocumentConsent && !!ctx.policySnapshot?.signingKey && 'reject' === resolveSnapshotFailureMode(ctx);
+        if (!hasValidSnapshot && shouldRequireSnapshot) throw buildSnapshotHttpException(runtimeSnapshotVerification.reason);
+        const shouldRequireLegalDocumentSnapshot = legalDocumentConsent && !!ctx.legalDocumentSnapshot?.signingKey;
+        if (shouldRequireLegalDocumentSnapshot && !legalDocumentSnapshotVerification.valid) throw buildLegalDocumentSnapshotHttpException(legalDocumentSnapshotVerification.reason);
+        const resolvedPolicyDecision = hasValidSnapshot ? void 0 : legalDocumentConsent ? void 0 : await resolvePolicyDecision({
             policies: ctx.policyPacks,
             countryCode: location.countryCode,
             regionCode: location.regionCode,
@@ -1758,7 +1911,39 @@ const postSubjectHandler = async (c)=>{
         let purposeIds = [];
         let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
-        if (inputPolicyId) {
+        if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
+            if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
+            const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
+            if (Number.isNaN(effectiveDate.getTime())) throw buildLegalDocumentSnapshotHttpException('invalid');
+            const documentPolicy = await registry.findOrCreateLegalDocumentPolicy({
+                type,
+                version: legalDocumentSnapshotVerification.payload.version,
+                hash: legalDocumentSnapshotVerification.payload.hash,
+                effectiveDate
+            });
+            policyId = documentPolicy.id;
+        } else if (legalDocumentConsent) {
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
+            if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
+            policyId = inputPolicyId;
+            const policy = await registry.findConsentPolicyById(inputPolicyId);
+            if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                message: 'Policy not found',
+                cause: {
+                    code: 'POLICY_NOT_FOUND',
+                    policyId,
+                    type
+                }
+            });
+            if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                message: 'Policy is inactive',
+                cause: {
+                    code: 'POLICY_INACTIVE',
+                    policyId,
+                    type
+                }
+            });
+        } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
             if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
@@ -1912,7 +2097,7 @@ const postSubjectHandler = async (c)=>{
                     where: (b)=>b('dedupeKey', '=', decisionPayload.dedupeKey)
                 })) : void 0;
             const consentRecord = await tx.create('consent', {
-                id: await generateUniqueId(tx, 'consent', ctx),
+                id: await utils_generateUniqueId(tx, 'consent', ctx),
                 subjectId: subject.id,
                 domainId: domainRecord.id,
                 policyId,
@@ -1949,7 +2134,7 @@ const postSubjectHandler = async (c)=>{
                 consent: consentRecord
             };
         });
-        const metrics = getMetrics();
+        const metrics = metrics_getMetrics();
         if (metrics) {
             const jurisdiction = effectiveJurisdiction;
             metrics.recordConsentCreated({
@@ -1979,10 +2164,16 @@ const postSubjectHandler = async (c)=>{
         });
     } catch (error) {
         logger.error('Error in POST /subjects handler', {
-            error: extractErrorMessage(error),
+            error: extract_error_message_extractErrorMessage(error),
             errorType: error instanceof Error ? error.constructor.name : typeof error
         });
         if (error instanceof http_exception_namespaceObject.HTTPException) throw error;
+        if (error instanceof consent_policy_LegalDocumentPolicyConflictError) throw new http_exception_namespaceObject.HTTPException(409, {
+            message: error.message,
+            cause: {
+                code: 'LEGAL_DOCUMENT_RELEASE_CONFLICT'
+            }
+        });
         throw new http_exception_namespaceObject.HTTPException(500, {
             message: 'Internal server error',
             cause: {
@@ -1995,11 +2186,7 @@ const createSubjectRoutes = ()=>{
     const app = new external_hono_namespaceObject.Hono();
     app.get('/:id', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Get subject consent status',
-        description: `Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.
-
-**Query:** \`type\` – Filter by consent type(s), comma-separated (e.g. \`privacy_policy,cookie_banner\`).
-
-**Response:** \`subject\`, \`consents\` (matching filter), \`isValid\` (valid consent for requested type(s)).`,
+        description: "Returns the subject's consent status for this device. Use to check if the subject has valid consent for given policy types.\n\n**Query:** `type` – Filter by consent type(s), comma-separated (e.g. `privacy_policy,cookie_banner`).\n\n**Response:** `subject`, `consents` (matching filter), `isValid` (valid consent for requested type(s)).",
         tags: [
             'Subject',
             'Consent'
@@ -2020,12 +2207,7 @@ const createSubjectRoutes = ()=>{
     }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_namespaceObject.getSubjectInputSchema), getSubjectHandler);
     app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Record consent for a subject',
-        description: `Creates a new consent record (append-only). Creates the subject if it does not exist.
-
-**Request body by \`type\`:**
-- \`cookie_banner\` – Requires \`preferences\` object
-- \`privacy_policy\`, \`dpa\`, \`terms_and_conditions\` – Optional \`policyId\`
-- \`marketing_communications\`, \`age_verification\`, \`other\` – Optional \`preferences\``,
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'