@c15t/backend 2.0.0-rc.8 → 2.0.0

package/README.md

@@ -11,7 +11,7 @@
 
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
-[![License](https://img.shields.io/badge/license-GPL--3.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 [![Discord](https://img.shields.io/discord/1312171102268690493?style=flat-square)](https://c15t.link/discord)
 [![npm version](https://img.shields.io/npm/v/%40c15t%2Fbackend?style=flat-square)](https://www.npmjs.com/package/@c15t/backend)
 [![Top Language](https://img.shields.io/github/languages/top/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
@@ -82,8 +82,8 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ## License
 
-[GNU General Public License v3.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[Apache License 2.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 
 ---
 
-**Built with ❤️ by the [consent.io](https://www.consent.io?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend) team**
+**Built by [Inth](https://inth.com?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend)**

package/dist/302.js

@@ -1,5 +1,4 @@
 import { SpanKind, SpanStatusCode as api_SpanStatusCode, context, metrics, trace } from "@opentelemetry/api";
-const version = '2.0.0-rc.8';
 function extractErrorMessage(error) {
     if (error instanceof AggregateError && error.errors?.length > 0) {
         const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
@@ -14,7 +13,7 @@ function createTelemetryOptions(appName = 'c15t', telemetryConfig, tenantId) {
     const defaultAttributes = {
         ...telemetryConfig?.defaultAttributes || {},
         'service.name': String(appName),
-        'service.version': version
+        'service.version': "2.0.0"
     };
     if (tenantId) defaultAttributes['tenant.id'] = tenantId;
     const config = {
@@ -470,4 +469,4 @@ function createGVLResolver(options) {
         }
     };
 }
-export { GVL_TTL_MS, clearMemoryCache, createCacheKey, createGVLCacheKey, createGVLResolver, createMemoryCacheAdapter, createRequestSpan, createTelemetryOptions, extractErrorMessage, getMemoryCacheSize, getMetrics, getTraceContext, handleSpanError, isTelemetryEnabled, version, withDatabaseSpan, withSpanContext };
+export { GVL_TTL_MS, clearMemoryCache, createCacheKey, createGVLCacheKey, createGVLResolver, createMemoryCacheAdapter, createRequestSpan, createTelemetryOptions, extractErrorMessage, getMemoryCacheSize, getMetrics, getTraceContext, handleSpanError, isTelemetryEnabled, withDatabaseSpan, withSpanContext };

package/dist/915.js

@@ -5,7 +5,7 @@ import { Hono } from "hono";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { HTTPException } from "hono/http-exception";
 import { errors, jwtVerify } from "jose";
-import { version, getMetrics, withDatabaseSpan, extractErrorMessage } from "./302.js";
+import { extractErrorMessage, getMetrics, withDatabaseSpan } from "./302.js";
 import { getLocation, resolveInitPayload, policy_resolvePolicyDecision, verifyPolicySnapshotToken, getJurisdiction } from "./583.js";
 import * as __rspack_external_valibot from "valibot";
 const prefixes = {
@@ -709,7 +709,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: version,
+            version: "2.0.0",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -1372,6 +1372,7 @@ const postSubjectHandler = async (c)=>{
         let purposeIds = [];
         let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+        const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
         if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
             if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
             const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -1384,26 +1385,47 @@ const postSubjectHandler = async (c)=>{
             });
             policyId = documentPolicy.id;
         } else if (legalDocumentConsent) {
-            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-            if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+            if (inputPolicyId) {
+                policyId = inputPolicyId;
+                const policy = await registry.findConsentPolicyById(inputPolicyId);
+                if (!policy) throw new HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        policyId,
+                        type
+                    }
+                });
+                if (!policy.isActive) throw new HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId,
+                        type
+                    }
+                });
+            } else if (inputPolicyHash) {
+                const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                if (!policy) throw new HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                if (!policy.isActive) throw new HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId: policy.id,
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                policyId = policy.id;
+            }
         } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -1466,6 +1488,13 @@ const postSubjectHandler = async (c)=>{
             });
             purposeIds = purposes;
         }
+        if (!policyId) throw new HTTPException(500, {
+            message: 'Failed to resolve policy',
+            cause: {
+                code: 'POLICY_RESOLUTION_FAILED',
+                type
+            }
+        });
         const expiryDays = effectivePolicy?.consent?.expiryDays;
         const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
         const proofConfig = effectivePolicy?.proof;
@@ -1668,7 +1697,7 @@ const createSubjectRoutes = ()=>{
     }), validator('param', getSubjectInputSchema), getSubjectHandler);
     app.post('/', describeRoute({
         summary: 'Record consent for a subject',
-        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'

package/dist/core.cjs

@@ -349,7 +349,7 @@ var __webpack_exports__ = {};
 (()=>{
     __webpack_require__.r(__webpack_exports__);
     __webpack_require__.d(__webpack_exports__, {
-        version: ()=>version_version,
+        version: ()=>"2.0.0",
         c15tInstance: ()=>c15tInstance,
         EEA_COUNTRY_CODES: ()=>types_namespaceObject.EEA_COUNTRY_CODES,
         EU_COUNTRY_CODES: ()=>types_namespaceObject.EU_COUNTRY_CODES,
@@ -738,7 +738,6 @@ var __webpack_exports__ = {};
             language
         };
     }
-    const version_version = '2.0.0-rc.8';
     function extractErrorMessage(error) {
         if (error instanceof AggregateError && error.errors?.length > 0) {
             const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
@@ -753,7 +752,7 @@ var __webpack_exports__ = {};
         const defaultAttributes = {
             ...telemetryConfig?.defaultAttributes || {},
             'service.name': String(appName),
-            'service.version': version_version
+            'service.version': "2.0.0"
         };
         if (tenantId) defaultAttributes['tenant.id'] = tenantId;
         const config = {
@@ -2672,7 +2671,7 @@ Use for geo-targeted consent banners and regional compliance.`,
         try {
             await ctx.db.findFirst('subject', {});
             return c.json({
-                version: version_version,
+                version: "2.0.0",
                 timestamp: new Date(),
                 client: clientInfo
             });
@@ -3336,6 +3335,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             let purposeIds = [];
             let appliedPreferences;
             const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+            const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
             if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
                 if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
                 const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -3348,26 +3348,47 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 });
                 policyId = documentPolicy.id;
             } else if (legalDocumentConsent) {
-                if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-                if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-                policyId = inputPolicyId;
-                const policy = await registry.findConsentPolicyById(inputPolicyId);
-                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
-                    message: 'Policy not found',
-                    cause: {
-                        code: 'POLICY_NOT_FOUND',
-                        policyId,
-                        type
-                    }
-                });
-                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
-                    message: 'Policy is inactive',
-                    cause: {
-                        code: 'POLICY_INACTIVE',
-                        policyId,
-                        type
-                    }
-                });
+                if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+                if (inputPolicyId) {
+                    policyId = inputPolicyId;
+                    const policy = await registry.findConsentPolicyById(inputPolicyId);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            policyId,
+                            type
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId,
+                            type
+                        }
+                    });
+                } else if (inputPolicyHash) {
+                    const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId: policy.id,
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    policyId = policy.id;
+                }
             } else if (inputPolicyId) {
                 policyId = inputPolicyId;
                 const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -3430,6 +3451,13 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 });
                 purposeIds = purposes;
             }
+            if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+                message: 'Failed to resolve policy',
+                cause: {
+                    code: 'POLICY_RESOLUTION_FAILED',
+                    type
+                }
+            });
             const expiryDays = effectivePolicy?.consent?.expiryDays;
             const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
             const proofConfig = effectivePolicy?.proof;
@@ -3632,7 +3660,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_.getSubjectInputSchema), getSubjectHandler);
         app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
             summary: 'Record consent for a subject',
-            description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+            description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
             tags: [
                 'Subject',
                 'Consent'
@@ -3845,7 +3873,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     openapi: '3.1.0',
                     info: {
                         title: options.appName || 'c15t API',
-                        version: version_version,
+                        version: "2.0.0",
                         description: 'API for consent management'
                     },
                     servers: [

package/dist/core.js

@@ -7,7 +7,7 @@ import { HTTPException } from "hono/http-exception";
 import { openAPIRouteHandler } from "hono-openapi";
 import { compactDefined, dedupeTrimmedStrings, policyPackPresets } from "@c15t/schema";
 import { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, policyMatchers } from "@c15t/schema/types";
-import { version as version_version, extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
+import { extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
 import { createLegalDocumentRoutes, createSubjectRoutes, generateUniqueId, createStatusRoute, createInitRoute, createConsentRoutes, policyRegistry } from "./915.js";
 import { validateMessages, inspectPolicies as policy_inspectPolicies } from "./583.js";
 import { DB } from "./db/schema.js";
@@ -765,7 +765,7 @@ const c15tInstance = (options)=>{
                 openapi: '3.1.0',
                 info: {
                     title: options.appName || 'c15t API',
-                    version: version_version,
+                    version: "2.0.0",
                     description: 'API for consent management'
                 },
                 servers: [
@@ -879,7 +879,7 @@ const c15tInstance = (options)=>{
         getDocsUI
     };
 };
+var core_version = "2.0.0";
 export { defineConfig } from "./define-config.js";
 export { inspectPolicies } from "./583.js";
-export { version } from "./302.js";
-export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, policyBuilder, policyMatchers, policyPackPresets };
+export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, core_version as version, policyBuilder, policyMatchers, policyPackPresets };

package/dist/router.cjs

@@ -1212,7 +1212,6 @@ class consent_policy_LegalDocumentPolicyConflictError extends Error {
         this.name = 'LegalDocumentPolicyConflictError';
     }
 }
-const version_version = '2.0.0-rc.8';
 function getHeaders(headers) {
     if (!headers) return {
         countryCode: null,
@@ -1247,7 +1246,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: version_version,
+            version: "2.0.0",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -1911,6 +1910,7 @@ const postSubjectHandler = async (c)=>{
         let purposeIds = [];
         let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+        const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
         if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
             if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
             const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -1923,26 +1923,47 @@ const postSubjectHandler = async (c)=>{
             });
             policyId = documentPolicy.id;
         } else if (legalDocumentConsent) {
-            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-            if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+            if (inputPolicyId) {
+                policyId = inputPolicyId;
+                const policy = await registry.findConsentPolicyById(inputPolicyId);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        policyId,
+                        type
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId,
+                        type
+                    }
+                });
+            } else if (inputPolicyHash) {
+                const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId: policy.id,
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                policyId = policy.id;
+            }
         } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -2005,6 +2026,13 @@ const postSubjectHandler = async (c)=>{
             });
             purposeIds = purposes;
         }
+        if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+            message: 'Failed to resolve policy',
+            cause: {
+                code: 'POLICY_RESOLUTION_FAILED',
+                type
+            }
+        });
         const expiryDays = effectivePolicy?.consent?.expiryDays;
         const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
         const proofConfig = effectivePolicy?.proof;
@@ -2207,7 +2235,7 @@ const createSubjectRoutes = ()=>{
     }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_namespaceObject.getSubjectInputSchema), getSubjectHandler);
     app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Record consent for a subject',
-        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'

package/dist-types/policies/builder.d.ts

@@ -8,8 +8,8 @@ import type { PolicyConfig, PolicyModel, PolicyScopeMode, PolicyUiMode, PolicyUi
  * Use the builder helpers to normalize this input into runtime-ready policy
  * configs.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
- * @see {@link https://v2.c15t.com/docs/frameworks/react/concepts/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/react/concepts/policy-packs}
  */
 export interface PolicyBuilderInput {
     id: string;
@@ -57,7 +57,7 @@ export interface PolicyBuilderInput {
  * Empty optional fields are removed from the final output, matcher input is
  * merged into `match`, and duplicate string arrays are deduplicated.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyConfig(input: PolicyBuilderInput): PolicyConfig;
 /**
@@ -68,7 +68,7 @@ export declare function buildPolicyConfig(input: PolicyBuilderInput): PolicyConf
  * duplicate region/country matchers use first-match-wins semantics within the
  * same matcher type.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyPack(inputs: PolicyBuilderInput[]): PolicyConfig[];
 /**
@@ -84,7 +84,7 @@ export declare function buildPolicyPack(inputs: PolicyBuilderInput[]): PolicyCon
  * When `defaultPolicy` is provided, its `countries` and `regions` fields are
  * stripped and replaced with `match.isDefault = true`.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyPackWithDefault(inputs: PolicyBuilderInput[], defaultPolicy?: PolicyBuilderInput): PolicyConfig[];
 /**
@@ -107,7 +107,7 @@ export declare function buildPolicyPackWithDefault(inputs: PolicyBuilderInput[],
  * );
  * ```
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function composePacks(...packs: PolicyConfig[][]): PolicyConfig[];
 /**
@@ -117,7 +117,7 @@ export declare function composePacks(...packs: PolicyConfig[][]): PolicyConfig[]
  * Useful when you prefer a grouped API such as `policyBuilder.createPack()`
  * inside backend config files.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare const policyBuilder: {
     create: typeof buildPolicyConfig;

package/dist-types/types/index.d.ts

@@ -13,7 +13,7 @@ export interface DatabaseOptions {
     /**
      * The database adapter to use.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     adapter: FumaDB<FumaDBSchema>['adapter'];
     /**
@@ -26,7 +26,7 @@ export interface DatabaseOptions {
      * Useful when sharing a database with other applications to avoid naming conflicts.
      *
      * @example 'c15t_' // tables become: c15t_subject, c15t_consent, etc.
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     tablePrefix?: string;
 }
@@ -297,7 +297,7 @@ export interface C15TOptions {
     /**
      * The database adapter to use.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     adapter: FumaDB<FumaDBSchema>['adapter'];
     /**
@@ -310,7 +310,7 @@ export interface C15TOptions {
      * Useful when sharing a database with other applications to avoid naming conflicts.
      *
      * @example 'c15t_' // tables become: c15t_subject, c15t_consent, etc.
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     tablePrefix?: string;
     /**
@@ -319,13 +319,13 @@ export interface C15TOptions {
      * and cache key prefixing.
      *
      * @default "c15t"
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     appName?: string;
     /**
      * Base path prefix for all API routes (e.g. `/api/self-host`).
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/endpoints}
+     * @see {@link https://c15t.com/docs/self-host/api/endpoints}
      */
     basePath?: string;
     /**
@@ -333,7 +333,7 @@ export interface C15TOptions {
      * Protocol is optional; matching is protocol-agnostic and normalized.
      *
      * @example ['example.com', 'app.example.com', 'localhost:3000']
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     trustedOrigins: string[];
     /** Logger configuration. */
@@ -373,7 +373,7 @@ export interface C15TOptions {
      * explicit no-banner mode. In production, prefer including a default policy
      * so unmatched traffic still resolves deterministically.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+     * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
      */
     policyPacks?: PolicyConfig[];
     /**
@@ -386,7 +386,7 @@ export interface C15TOptions {
     /**
      * OpenAPI spec generation and documentation UI options.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/endpoints}
+     * @see {@link https://c15t.com/docs/self-host/api/endpoints}
      */
     openapi?: OpenAPIOptions;
     /**
@@ -394,20 +394,20 @@ export interface C15TOptions {
      * Telemetry is opt-in and disabled by default.
      * Users must provide their own SDK setup (Node, Bun, edge, etc.).
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/observability}
+     * @see {@link https://c15t.com/docs/self-host/guides/observability}
      */
     telemetry?: TelemetryOptions;
     /**
      * IP address tracking and masking options.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     ipAddress?: IPAddressOptions;
     /**
      * Cache configuration for external persistent storage.
      * Used for caching GVL and other data.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/caching}
+     * @see {@link https://c15t.com/docs/self-host/guides/caching}
      */
     cache?: CacheOptions;
     /**
@@ -425,7 +425,7 @@ export interface C15TOptions {
      * Disabled by default - most users don't need IAB TCF.
      * Set enabled: true to activate IAB support.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/iab-tcf}
+     * @see {@link https://c15t.com/docs/self-host/guides/iab-tcf}
      */
     iab?: IABOptions;
     /**

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0-rc.8";
+export declare const version = "2.0.0";

package/docs/api/configuration.md

@@ -10,24 +10,24 @@ All options are passed to `c15tInstance()`. Only `adapter` and `trustedOrigins`
 
 |Property|Type|Description|Default|Required|
 |:--|:--|:--|:--|:--:|
-|adapter|[FumaDBAdapter](https://v2.c15t.com/docs/self-host/guides/database-setup)|The database adapter to use.|-|✅ Required|
+|adapter|[FumaDBAdapter](https://c15t.com/docs/self-host/guides/database-setup)|The database adapter to use.|-|✅ Required|
 |tenantId|string \|undefined|Tenant ID for multi-tenant deployments. When set, all database queries are automatically scoped to this tenant.|-|Optional|
-|tablePrefix|[string \|undefined](https://v2.c15t.com/docs/self-host/guides/database-setup)|Optional prefix for all database table names. Useful when sharing a database with other applications to avoid naming conflicts.|-|Optional|
-|appName|[string \|undefined](https://v2.c15t.com/docs/self-host/api/configuration)|Application name used as backend metadata and identity. Returned by \`/init\` (\`appName\`), used in logs, telemetry defaults (\`service.name\`), and cache key prefixing.|"c15t"|Optional|
-|basePath|[string \|undefined](https://v2.c15t.com/docs/self-host/api/endpoints)|Base path prefix for all API routes (e.g. \`/api/self-host\`).|-|Optional|
-|trustedOrigins|[string\[\]](https://v2.c15t.com/docs/self-host/api/configuration)|Allowed origins for CORS. Required for browser-based consent collection. Protocol is optional; matching is protocol-agnostic and normalized.|-|✅ Required|
+|tablePrefix|[string \|undefined](https://c15t.com/docs/self-host/guides/database-setup)|Optional prefix for all database table names. Useful when sharing a database with other applications to avoid naming conflicts.|-|Optional|
+|appName|[string \|undefined](https://c15t.com/docs/self-host/api/configuration)|Application name used as backend metadata and identity. Returned by \`/init\` (\`appName\`), used in logs, telemetry defaults (\`service.name\`), and cache key prefixing.|"c15t"|Optional|
+|basePath|[string \|undefined](https://c15t.com/docs/self-host/api/endpoints)|Base path prefix for all API routes (e.g. \`/api/self-host\`).|-|Optional|
+|trustedOrigins|[string\[\]](https://c15t.com/docs/self-host/api/configuration)|Allowed origins for CORS. Required for browser-based consent collection. Protocol is optional; matching is protocol-agnostic and normalized.|-|✅ Required|
 |logger|LoggerOptions \|undefined|Logger configuration.|-|Optional|
 |disableGeoLocation|boolean \|undefined|Disables the use of Geo Location to determine the jurisdiction. When enabled, the jurisdiction will be set to "GDPR" to show the strictest version of the banner as we don't know the jurisdiction in this case.|false|Optional|
 |customTranslations|Record\<string, Partial\<Translations>> \|undefined|Override base translations.|-|Optional|
 |i18n|I18nOptions \|undefined|Internationalization message profiles used by runtime policies.|-|Optional|
-|policyPacks|[PolicyConfig \|undefined](https://v2.c15t.com/docs/self-host/guides/policy-packs)|Runtime regional policy pack resolved per request.|-|Optional|
+|policyPacks|[PolicyConfig \|undefined](https://c15t.com/docs/self-host/guides/policy-packs)|Runtime regional policy pack resolved per request.|-|Optional|
 |branding|"c15t" \|"consent" \|"none" \|"inth" \|undefined|Select which branding to show in the consent banner. Use "inth" for the INTH brand. "consent" is a deprecated alias for "inth". Use "none" to hide branding.|"c15t"|Optional|
-|openapi|[OpenAPIOptions \|undefined](https://v2.c15t.com/docs/self-host/api/endpoints)|OpenAPI spec generation and documentation UI options.|-|Optional|
-|telemetry|[TelemetryOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/observability)|OpenTelemetry configuration for tracing and metrics. Telemetry is opt-in and disabled by default. Users must provide their own SDK setup (Node, Bun, edge, etc.).|-|Optional|
-|ipAddress|[IPAddressOptions \|undefined](https://v2.c15t.com/docs/self-host/api/configuration)|IP address tracking and masking options.|-|Optional|
-|cache|[CacheOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/caching)|Cache configuration for external persistent storage. Used for caching GVL and other data.|-|Optional|
+|openapi|[OpenAPIOptions \|undefined](https://c15t.com/docs/self-host/api/endpoints)|OpenAPI spec generation and documentation UI options.|-|Optional|
+|telemetry|[TelemetryOptions \|undefined](https://c15t.com/docs/self-host/guides/observability)|OpenTelemetry configuration for tracing and metrics. Telemetry is opt-in and disabled by default. Users must provide their own SDK setup (Node, Bun, edge, etc.).|-|Optional|
+|ipAddress|[IPAddressOptions \|undefined](https://c15t.com/docs/self-host/api/configuration)|IP address tracking and masking options.|-|Optional|
+|cache|[CacheOptions \|undefined](https://c15t.com/docs/self-host/guides/caching)|Cache configuration for external persistent storage. Used for caching GVL and other data.|-|Optional|
 |apiKeys|string\[] \|undefined|API keys for authenticated endpoints. Used for server-side endpoints like GET /subjects.|-|Optional|
-|iab|[IABOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/iab-tcf)|IAB TCF configuration including GVL, CMP registration, and custom vendors. Disabled by default - most users don't need IAB TCF. Set enabled: true to activate IAB support.|-|Optional|
+|iab|[IABOptions \|undefined](https://c15t.com/docs/self-host/guides/iab-tcf)|IAB TCF configuration including GVL, CMP registration, and custom vendors. Disabled by default - most users don't need IAB TCF. Set enabled: true to activate IAB support.|-|Optional|
 |policySnapshot|PolicySnapshotOptions \|undefined|Optional signed policy snapshots used to keep /init and /subjects consistent.|-|Optional|
 |legalDocumentSnapshot|LegalDocumentSnapshotOptions \|undefined|Optional signed legal-document snapshots issued by external document renderers.|-|Optional|
 |background|BackgroundOptions \|undefined|Optional background task runner for non-critical side effects.|-|Optional|

package/docs/guides/database-setup.md

@@ -95,10 +95,10 @@ To create & update the database you can use the migrator which is included in th
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc`|
-|pnpm|`pnpm dlx @c15t/cli@rc`|
-|yarn|`yarn dlx @c15t/cli@rc`|
-|bun|`bunx @c15t/cli@rc`|
+|npm|`npx @c15t/cli`|
+|pnpm|`pnpm dlx @c15t/cli`|
+|yarn|`yarn dlx @c15t/cli`|
+|bun|`bunx @c15t/cli`|
 
 ## Table Prefix
 

package/docs/guides/iab-tcf.md

@@ -6,7 +6,7 @@ The c15t backend optionally supports [IAB TCF v2.3](https://iabeurope.eu/transpa
 
 ## CMP Registration
 
-[consent.io](https://consent.io) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when using consent.io as your hosted backend, the CMP ID will be automatically provided to clients — no additional configuration needed.
+[inth.com](https://inth.com) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when using inth.com as your hosted backend, the CMP ID will be automatically provided to clients — no additional configuration needed.
 
 If you self-host and have your own CMP registration with IAB Europe, configure your CMP ID via `iab.cmpId`. This value is returned to clients in the `/init` response so they use the correct CMP identity in TC Strings.
 
@@ -14,7 +14,7 @@ If you self-host and have your own CMP registration with IAB Europe, configure y
 > A valid (non-zero) CMP ID is required for IAB TCF compliance. If neither the backend nor the client provides a CMP ID, IAB initialization will fail with an error.
 >
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components provided by c15t), you cannot use consent.io's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
+> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components provided by c15t), you cannot use inth.com's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
 
 ## Enable IAB
 
@@ -25,13 +25,13 @@ export const c15t = c15tInstance({
   // ...
   iab: {
     enabled: true,
-    cmpId: 10,                  // your registered CMP ID (consent.io provides this automatically)
+    cmpId: 10,                  // your registered CMP ID (inth.com provides this automatically)
     vendorIds: [755, 52, 69],   // only include vendors you use
   },
 });
 ```
 
-The backend fetches the GVL from `https://gvl.consent.io` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend.
+The backend fetches the GVL from `https://gvl.inth.com` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend.
 
 ## Custom GVL Endpoint
 

package/docs/quickstart.md

@@ -6,7 +6,7 @@ The `@c15t/backend` package gives you a fully self-hosted consent management API
 
 The backend exposes a standard `(request: Request) => Promise<Response>` handler, so it works with any JavaScript runtime (Node.js, Bun, Deno, Cloudflare Workers) and any HTTP framework.
 
-If you want a fully managed experience we recommend using [consent.io](https://consent.io).
+If you want a fully managed experience we recommend using [inth.com](https://inth.com).
 
 ## Installation
 
@@ -76,10 +76,10 @@ If you want a fully managed experience we recommend using [consent.io](https://c
 
    |Package manager|Command|
    |:--|:--|
-   |npm|`npx @c15t/cli@rc`|
-   |pnpm|`pnpm dlx @c15t/cli@rc`|
-   |yarn|`yarn dlx @c15t/cli@rc`|
-   |bun|`bunx @c15t/cli@rc`|
+   |npm|`npx @c15t/cli`|
+   |pnpm|`pnpm dlx @c15t/cli`|
+   |yarn|`yarn dlx @c15t/cli`|
+   |bun|`bunx @c15t/cli`|
 
    See Database Setup for adapter-specific migration guides. If you plan to use policy packs with runtime audit storage, also apply the runtime policy decision migration from the Policy Packs guide.
 
@@ -119,10 +119,10 @@ Install c15t agent skills to let AI agents help with styling, i18n, scripts & ot
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc skills`|
-|pnpm|`pnpm dlx @c15t/cli@rc skills`|
-|yarn|`yarn dlx @c15t/cli@rc skills`|
-|bun|`bunx @c15t/cli@rc skills`|
+|npm|`npx @c15t/cli skills`|
+|pnpm|`pnpm dlx @c15t/cli skills`|
+|yarn|`yarn dlx @c15t/cli skills`|
+|bun|`bunx @c15t/cli skills`|
 
 See [AI Agents](/docs/ai-agents) for bundled package docs and agent skills.
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@c15t/backend",
-	"version": "2.0.0-rc.8",
+	"version": "2.0.0",
 	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io",
 	"keywords": [
 		"consent",
@@ -25,7 +25,7 @@
 		"url": "https://github.com/c15t/c15t.git",
 		"directory": "packages/backend"
 	},
-	"license": "GPL-3.0-only",
+	"license": "Apache-2.0",
 	"type": "module",
 	"exports": {
 		".": {
@@ -123,9 +123,9 @@
 		"test:watch": "bun prebuild && vitest"
 	},
 	"dependencies": {
-		"@c15t/logger": "1.0.2-rc.1",
-		"@c15t/schema": "2.0.0-rc.5",
-		"@c15t/translations": "2.0.0-rc.8",
+		"@c15t/logger": "2.0.0",
+		"@c15t/schema": "2.0.0",
+		"@c15t/translations": "2.0.0",
 		"@hono/standard-validator": "^0.2.2",
 		"@hono/valibot-validator": "0.6.1",
 		"@opentelemetry/api": "1.9.1",
@@ -141,7 +141,7 @@
 		"valibot": "1.3.1"
 	},
 	"devDependencies": {
-		"@c15t/typescript-config": "0.0.1-beta.1",
+		"@c15t/typescript-config": "0.0.1",
 		"@c15t/vitest-config": "1.0.0",
 		"@opentelemetry/sdk-trace-base": "^2.6.1",
 		"@types/node": "25.5.0",