@c15t/backend 2.0.0-rc.8 → 2.0.2

package/README.md

@@ -1,24 +1,24 @@
 <p align="center">
-  <a href="https://c15t.com?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend" target="_blank" rel="noopener noreferrer">
+  <a href="https://c15t.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=%40c15t%2Fbackend" target="_blank" rel="noopener noreferrer">
     <picture>
       <source media="(prefers-color-scheme: dark)" srcset="../../docs/assets/c15t-banner-readme-dark.svg" type="image/svg+xml">
       <img src="../../docs/assets/c15t-banner-readme-light.svg" alt="c15t Banner" type="image/svg+xml">
     </picture>
   </a>
-  <br />
-  <h1 align="center">@c15t/backend: Consent Management Backend</h1>
 </p>
 
+# @c15t/backend: Consent Management Backend
+
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
-[![License](https://img.shields.io/badge/license-GPL--3.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 [![Discord](https://img.shields.io/discord/1312171102268690493?style=flat-square)](https://c15t.link/discord)
 [![npm version](https://img.shields.io/npm/v/%40c15t%2Fbackend?style=flat-square)](https://www.npmjs.com/package/@c15t/backend)
 [![Top Language](https://img.shields.io/github/languages/top/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![Last Commit](https://img.shields.io/github/last-commit/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/commits/main)
 [![Open Issues](https://img.shields.io/github/issues/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/issues)
 
-Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io
+Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com
 
 ## Key Features
 
@@ -54,24 +54,24 @@ For further information, guides, and examples visit the [reference documentation
 
 - Join our [Discord community](https://c15t.link/discord)
 - Open an issue on our [GitHub repository](https://github.com/c15t/c15t/issues)
-- Visit [consent.io](https://consent.io) and use the chat widget
-- Contact our support team via email [support@consent.io](mailto:support@consent.io)
+- Visit [inth.com](https://inth.com) and use the chat widget
+- Contact our support team via email [support@inth.com](mailto:support@inth.com)
 
 ## Contributing
 
-- We're open to all community contributions!
+- We're open to all community contributions.
 - Read our [Contribution Guidelines](https://c15t.com/docs/oss/contributing)
 - Review our [Code of Conduct](https://c15t.com/docs/oss/code-of-conduct)
 - Fork the repository
 - Create a new branch for your feature
 - Submit a pull request
-- **All contributions, big or small, are welcome and appreciated!**
+- **All contributions, big or small, are welcome and appreciated.**
 
 ## Security
 
 If you believe you have found a security vulnerability in c15t, we encourage you to **_responsibly disclose this and NOT open a public issue_**. We will investigate all legitimate reports.
 
-Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
+Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our open-source software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
 
 ### Security Policy
 
@@ -82,8 +82,8 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ## License
 
-[GNU General Public License v3.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[Apache License 2.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 
 ---
 
-**Built with ❤️ by the [consent.io](https://www.consent.io?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend) team**
+**Built by [Inth](https://inth.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=%40c15t%2Fbackend)**

package/dist/302.js

@@ -1,5 +1,4 @@
 import { SpanKind, SpanStatusCode as api_SpanStatusCode, context, metrics, trace } from "@opentelemetry/api";
-const version = '2.0.0-rc.8';
 function extractErrorMessage(error) {
     if (error instanceof AggregateError && error.errors?.length > 0) {
         const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
@@ -14,7 +13,7 @@ function createTelemetryOptions(appName = 'c15t', telemetryConfig, tenantId) {
     const defaultAttributes = {
         ...telemetryConfig?.defaultAttributes || {},
         'service.name': String(appName),
-        'service.version': version
+        'service.version': "2.0.2"
     };
     if (tenantId) defaultAttributes['tenant.id'] = tenantId;
     const config = {
@@ -369,7 +368,7 @@ function createCacheKey(appName, namespace, ...parts) {
     ];
     return allParts.join(':');
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [
@@ -470,4 +469,4 @@ function createGVLResolver(options) {
         }
     };
 }
-export { GVL_TTL_MS, clearMemoryCache, createCacheKey, createGVLCacheKey, createGVLResolver, createMemoryCacheAdapter, createRequestSpan, createTelemetryOptions, extractErrorMessage, getMemoryCacheSize, getMetrics, getTraceContext, handleSpanError, isTelemetryEnabled, version, withDatabaseSpan, withSpanContext };
+export { GVL_TTL_MS, clearMemoryCache, createCacheKey, createGVLCacheKey, createGVLResolver, createMemoryCacheAdapter, createRequestSpan, createTelemetryOptions, extractErrorMessage, getMemoryCacheSize, getMetrics, getTraceContext, handleSpanError, isTelemetryEnabled, withDatabaseSpan, withSpanContext };

package/dist/915.js

@@ -5,7 +5,7 @@ import { Hono } from "hono";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { HTTPException } from "hono/http-exception";
 import { errors, jwtVerify } from "jose";
-import { version, getMetrics, withDatabaseSpan, extractErrorMessage } from "./302.js";
+import { extractErrorMessage, getMetrics, withDatabaseSpan } from "./302.js";
 import { getLocation, resolveInitPayload, policy_resolvePolicyDecision, verifyPolicySnapshotToken, getJurisdiction } from "./583.js";
 import * as __rspack_external_valibot from "valibot";
 const prefixes = {
@@ -709,7 +709,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: version,
+            version: "2.0.2",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -1372,6 +1372,7 @@ const postSubjectHandler = async (c)=>{
         let purposeIds = [];
         let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+        const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
         if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
             if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
             const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -1384,26 +1385,47 @@ const postSubjectHandler = async (c)=>{
             });
             policyId = documentPolicy.id;
         } else if (legalDocumentConsent) {
-            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-            if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+            if (inputPolicyId) {
+                policyId = inputPolicyId;
+                const policy = await registry.findConsentPolicyById(inputPolicyId);
+                if (!policy) throw new HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        policyId,
+                        type
+                    }
+                });
+                if (!policy.isActive) throw new HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId,
+                        type
+                    }
+                });
+            } else if (inputPolicyHash) {
+                const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                if (!policy) throw new HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                if (!policy.isActive) throw new HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId: policy.id,
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                policyId = policy.id;
+            }
         } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -1466,6 +1488,13 @@ const postSubjectHandler = async (c)=>{
             });
             purposeIds = purposes;
         }
+        if (!policyId) throw new HTTPException(500, {
+            message: 'Failed to resolve policy',
+            cause: {
+                code: 'POLICY_RESOLUTION_FAILED',
+                type
+            }
+        });
         const expiryDays = effectivePolicy?.consent?.expiryDays;
         const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
         const proofConfig = effectivePolicy?.proof;
@@ -1668,7 +1697,7 @@ const createSubjectRoutes = ()=>{
     }), validator('param', getSubjectInputSchema), getSubjectHandler);
     app.post('/', describeRoute({
         summary: 'Record consent for a subject',
-        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'

package/dist/942.js

@@ -0,0 +1,5 @@
+function matchesWildcard(origin, wildcardPattern) {
+    const wildcardDomain = wildcardPattern.slice(2);
+    return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
+}
+export { matchesWildcard };

package/dist/cache.cjs

@@ -400,7 +400,7 @@ function createCacheKey(appName, namespace, ...parts) {
     ];
     return allParts.join(':');
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [

package/dist/core.cjs

@@ -349,7 +349,7 @@ var __webpack_exports__ = {};
 (()=>{
     __webpack_require__.r(__webpack_exports__);
     __webpack_require__.d(__webpack_exports__, {
-        version: ()=>version_version,
+        version: ()=>"2.0.2",
         c15tInstance: ()=>c15tInstance,
         EEA_COUNTRY_CODES: ()=>types_namespaceObject.EEA_COUNTRY_CODES,
         EU_COUNTRY_CODES: ()=>types_namespaceObject.EU_COUNTRY_CODES,
@@ -393,6 +393,10 @@ var __webpack_exports__ = {};
         const token = extractBearerToken(authHeader);
         return validateApiKey(token, validKeys);
     }
+    function matchesWildcard(origin, wildcardPattern) {
+        const wildcardDomain = wildcardPattern.slice(2);
+        return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
+    }
     const WWW_REGEX = /^www\./;
     const PROTOCOL_WWW_REGEX = /^https?:\/\/(www\.)?/;
     const SUPPORTED_METHODS = [
@@ -476,6 +480,7 @@ var __webpack_exports__ = {};
                 const isTrusted = expandedTrusted.some((trusted)=>{
                     const normalizedTrusted = normalizeOrigin(trusted);
                     if ('localhost' === normalizedTrusted) return 'localhost' === normalizedOrigin || normalizedOrigin.startsWith('localhost:') || '127.0.0.1' === normalizedOrigin || normalizedOrigin.startsWith('127.0.0.1:') || '[::1]' === normalizedOrigin || normalizedOrigin.startsWith('[::1]:');
+                    if (normalizedTrusted.startsWith('*.')) return matchesWildcard(normalizedOrigin, normalizedTrusted);
                     return normalizedTrusted === normalizedOrigin;
                 });
                 return isTrusted ? origin : null;
@@ -738,7 +743,6 @@ var __webpack_exports__ = {};
             language
         };
     }
-    const version_version = '2.0.0-rc.8';
     function extractErrorMessage(error) {
         if (error instanceof AggregateError && error.errors?.length > 0) {
             const inner = error.errors.map((e)=>e instanceof Error ? e.message : String(e)).join('; ');
@@ -753,7 +757,7 @@ var __webpack_exports__ = {};
         const defaultAttributes = {
             ...telemetryConfig?.defaultAttributes || {},
             'service.name': String(appName),
-            'service.version': version_version
+            'service.version': "2.0.2"
         };
         if (tenantId) defaultAttributes['tenant.id'] = tenantId;
         const config = {
@@ -2029,7 +2033,7 @@ var __webpack_exports__ = {};
         ].sort((a, b)=>a - b).join(',') : 'all';
         return `${appName}:gvl:${language}:${sortedIds}`;
     }
-    const GVL_ENDPOINT = 'https://gvl.consent.io';
+    const GVL_ENDPOINT = 'https://gvl.inth.app';
     const inflightRequests = new Map();
     async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
         const sortedVendorIds = vendorIds ? [
@@ -2672,7 +2676,7 @@ Use for geo-targeted consent banners and regional compliance.`,
         try {
             await ctx.db.findFirst('subject', {});
             return c.json({
-                version: version_version,
+                version: "2.0.2",
                 timestamp: new Date(),
                 client: clientInfo
             });
@@ -3336,6 +3340,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
             let purposeIds = [];
             let appliedPreferences;
             const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+            const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
             if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
                 if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
                 const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -3348,26 +3353,47 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 });
                 policyId = documentPolicy.id;
             } else if (legalDocumentConsent) {
-                if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-                if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-                policyId = inputPolicyId;
-                const policy = await registry.findConsentPolicyById(inputPolicyId);
-                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
-                    message: 'Policy not found',
-                    cause: {
-                        code: 'POLICY_NOT_FOUND',
-                        policyId,
-                        type
-                    }
-                });
-                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
-                    message: 'Policy is inactive',
-                    cause: {
-                        code: 'POLICY_INACTIVE',
-                        policyId,
-                        type
-                    }
-                });
+                if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+                if (inputPolicyId) {
+                    policyId = inputPolicyId;
+                    const policy = await registry.findConsentPolicyById(inputPolicyId);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            policyId,
+                            type
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId,
+                            type
+                        }
+                    });
+                } else if (inputPolicyHash) {
+                    const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                    if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                        message: 'Policy not found',
+                        cause: {
+                            code: 'POLICY_NOT_FOUND',
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                        message: 'Policy is inactive',
+                        cause: {
+                            code: 'POLICY_INACTIVE',
+                            policyId: policy.id,
+                            type,
+                            policyHash: inputPolicyHash
+                        }
+                    });
+                    policyId = policy.id;
+                }
             } else if (inputPolicyId) {
                 policyId = inputPolicyId;
                 const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -3430,6 +3456,13 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 });
                 purposeIds = purposes;
             }
+            if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+                message: 'Failed to resolve policy',
+                cause: {
+                    code: 'POLICY_RESOLUTION_FAILED',
+                    type
+                }
+            });
             const expiryDays = effectivePolicy?.consent?.expiryDays;
             const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
             const proofConfig = effectivePolicy?.proof;
@@ -3632,7 +3665,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
         }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_.getSubjectInputSchema), getSubjectHandler);
         app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
             summary: 'Record consent for a subject',
-            description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+            description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
             tags: [
                 'Subject',
                 'Consent'
@@ -3845,7 +3878,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     openapi: '3.1.0',
                     info: {
                         title: options.appName || 'c15t API',
-                        version: version_version,
+                        version: "2.0.2",
                         description: 'API for consent management'
                     },
                     servers: [

package/dist/core.js

@@ -7,7 +7,8 @@ import { HTTPException } from "hono/http-exception";
 import { openAPIRouteHandler } from "hono-openapi";
 import { compactDefined, dedupeTrimmedStrings, policyPackPresets } from "@c15t/schema";
 import { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, policyMatchers } from "@c15t/schema/types";
-import { version as version_version, extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
+import { matchesWildcard } from "./942.js";
+import { extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
 import { createLegalDocumentRoutes, createSubjectRoutes, generateUniqueId, createStatusRoute, createInitRoute, createConsentRoutes, policyRegistry } from "./915.js";
 import { validateMessages, inspectPolicies as policy_inspectPolicies } from "./583.js";
 import { DB } from "./db/schema.js";
@@ -119,6 +120,7 @@ function createCORSOptions(trustedOrigins) {
             const isTrusted = expandedTrusted.some((trusted)=>{
                 const normalizedTrusted = normalizeOrigin(trusted);
                 if ('localhost' === normalizedTrusted) return 'localhost' === normalizedOrigin || normalizedOrigin.startsWith('localhost:') || '127.0.0.1' === normalizedOrigin || normalizedOrigin.startsWith('127.0.0.1:') || '[::1]' === normalizedOrigin || normalizedOrigin.startsWith('[::1]:');
+                if (normalizedTrusted.startsWith('*.')) return matchesWildcard(normalizedOrigin, normalizedTrusted);
                 return normalizedTrusted === normalizedOrigin;
             });
             return isTrusted ? origin : null;
@@ -765,7 +767,7 @@ const c15tInstance = (options)=>{
                 openapi: '3.1.0',
                 info: {
                     title: options.appName || 'c15t API',
-                    version: version_version,
+                    version: "2.0.2",
                     description: 'API for consent management'
                 },
                 servers: [
@@ -879,7 +881,7 @@ const c15tInstance = (options)=>{
         getDocsUI
     };
 };
+var core_version = "2.0.2";
 export { defineConfig } from "./define-config.js";
 export { inspectPolicies } from "./583.js";
-export { version } from "./302.js";
-export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, policyBuilder, policyMatchers, policyPackPresets };
+export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, core_version as version, policyBuilder, policyMatchers, policyPackPresets };

package/dist/edge.cjs

@@ -348,7 +348,7 @@ function createGVLCacheKey(appName, language, vendorIds) {
     ].sort((a, b)=>a - b).join(',') : 'all';
     return `${appName}:gvl:${language}:${sortedIds}`;
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [
@@ -908,13 +908,12 @@ async function resolveInitPayload(request, options, logger) {
         }
     };
 }
-const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
-function matchesWildcard(hostname, wildcardPattern, logger) {
+function matchesWildcard(origin, wildcardPattern) {
     const wildcardDomain = wildcardPattern.slice(2);
-    const isValid = hostname !== wildcardDomain && hostname.endsWith(`.${wildcardDomain}`);
-    logger?.debug(`Wildcard match result: ${isValid} ${hostname} ends with .${wildcardDomain}`);
-    return isValid;
+    return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
 }
+const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
+const WWW_REGEX = /^www\./;
 function isOriginTrusted(origin, trustedDomains, logger) {
     try {
         if (0 === trustedDomains.length) throw new Error('No trusted domains');
@@ -933,9 +932,15 @@ function isOriginTrusted(origin, trustedDomains, logger) {
             }
             const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
             logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
-            if (strippedDomain.startsWith('*.')) return matchesWildcard(originHostname, strippedDomain, logger);
-            const isMatch = originHostname === strippedDomain;
-            logger?.debug(`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`);
+            if (strippedDomain.startsWith('*.')) {
+                const isMatch = matchesWildcard(originHostname, strippedDomain);
+                logger?.debug(`Wildcard match result: ${isMatch} ${originHostname} matches ${strippedDomain}`);
+                return isMatch;
+            }
+            const normalizedOriginHostname = originHostname.replace(WWW_REGEX, '');
+            const normalizedDomain = strippedDomain.replace(WWW_REGEX, '');
+            const isMatch = normalizedOriginHostname === normalizedDomain;
+            logger?.debug(`Exact match result: ${isMatch} ${normalizedOriginHostname} === ${normalizedDomain}`);
             return isMatch;
         });
     } catch (error) {

package/dist/edge.js

@@ -1,12 +1,8 @@
 import { createLogger } from "@c15t/logger";
+import { matchesWildcard } from "./942.js";
 import { inspectPolicies as policy_inspectPolicies, policy_resolvePolicySync, resolveInitPayload, validateMessages, checkJurisdiction } from "./583.js";
 const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
-function matchesWildcard(hostname, wildcardPattern, logger) {
-    const wildcardDomain = wildcardPattern.slice(2);
-    const isValid = hostname !== wildcardDomain && hostname.endsWith(`.${wildcardDomain}`);
-    logger?.debug(`Wildcard match result: ${isValid} ${hostname} ends with .${wildcardDomain}`);
-    return isValid;
-}
+const WWW_REGEX = /^www\./;
 function isOriginTrusted(origin, trustedDomains, logger) {
     try {
         if (0 === trustedDomains.length) throw new Error('No trusted domains');
@@ -25,9 +21,15 @@ function isOriginTrusted(origin, trustedDomains, logger) {
             }
             const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
             logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
-            if (strippedDomain.startsWith('*.')) return matchesWildcard(originHostname, strippedDomain, logger);
-            const isMatch = originHostname === strippedDomain;
-            logger?.debug(`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`);
+            if (strippedDomain.startsWith('*.')) {
+                const isMatch = matchesWildcard(originHostname, strippedDomain);
+                logger?.debug(`Wildcard match result: ${isMatch} ${originHostname} matches ${strippedDomain}`);
+                return isMatch;
+            }
+            const normalizedOriginHostname = originHostname.replace(WWW_REGEX, '');
+            const normalizedDomain = strippedDomain.replace(WWW_REGEX, '');
+            const isMatch = normalizedOriginHostname === normalizedDomain;
+            logger?.debug(`Exact match result: ${isMatch} ${normalizedOriginHostname} === ${normalizedDomain}`);
             return isMatch;
         });
     } catch (error) {

package/dist/router.cjs

@@ -550,7 +550,7 @@ function createGVLCacheKey(appName, language, vendorIds) {
     ].sort((a, b)=>a - b).join(',') : 'all';
     return `${appName}:gvl:${language}:${sortedIds}`;
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [
@@ -1212,7 +1212,6 @@ class consent_policy_LegalDocumentPolicyConflictError extends Error {
         this.name = 'LegalDocumentPolicyConflictError';
     }
 }
-const version_version = '2.0.0-rc.8';
 function getHeaders(headers) {
     if (!headers) return {
         countryCode: null,
@@ -1247,7 +1246,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: version_version,
+            version: "2.0.2",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -1911,6 +1910,7 @@ const postSubjectHandler = async (c)=>{
         let purposeIds = [];
         let appliedPreferences;
         const inputPolicyId = 'policyId' in input ? input.policyId : void 0;
+        const inputPolicyHash = 'policyHash' in input ? input.policyHash : void 0;
         if (legalDocumentConsent && legalDocumentSnapshotVerification.valid) {
             if (legalDocumentSnapshotVerification.payload.type !== type) throw buildLegalDocumentSnapshotHttpException('invalid');
             const effectiveDate = new Date(legalDocumentSnapshotVerification.payload.effectiveDate);
@@ -1923,26 +1923,47 @@ const postSubjectHandler = async (c)=>{
             });
             policyId = documentPolicy.id;
         } else if (legalDocumentConsent) {
-            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId when snapshot verification is disabled');
-            if (!inputPolicyId) throw buildLegalDocumentProofHttpException('Legal document consent requires a valid document snapshot token or policyId');
-            policyId = inputPolicyId;
-            const policy = await registry.findConsentPolicyById(inputPolicyId);
-            if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
-                message: 'Policy not found',
-                cause: {
-                    code: 'POLICY_NOT_FOUND',
-                    policyId,
-                    type
-                }
-            });
-            if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
-                message: 'Policy is inactive',
-                cause: {
-                    code: 'POLICY_INACTIVE',
-                    policyId,
-                    type
-                }
-            });
+            if (!ctx.legalDocumentSnapshot?.signingKey && !inputPolicyId && !inputPolicyHash) throw buildLegalDocumentProofHttpException('Legal document consent requires policyId or policyHash when snapshot verification is disabled');
+            if (inputPolicyId) {
+                policyId = inputPolicyId;
+                const policy = await registry.findConsentPolicyById(inputPolicyId);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        policyId,
+                        type
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId,
+                        type
+                    }
+                });
+            } else if (inputPolicyHash) {
+                const policy = await registry.findLegalDocumentPolicyByHash(type, inputPolicyHash);
+                if (!policy) throw new http_exception_namespaceObject.HTTPException(404, {
+                    message: 'Policy not found',
+                    cause: {
+                        code: 'POLICY_NOT_FOUND',
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                if (!policy.isActive) throw new http_exception_namespaceObject.HTTPException(400, {
+                    message: 'Policy is inactive',
+                    cause: {
+                        code: 'POLICY_INACTIVE',
+                        policyId: policy.id,
+                        type,
+                        policyHash: inputPolicyHash
+                    }
+                });
+                policyId = policy.id;
+            }
         } else if (inputPolicyId) {
             policyId = inputPolicyId;
             const policy = await registry.findConsentPolicyById(inputPolicyId);
@@ -2005,6 +2026,13 @@ const postSubjectHandler = async (c)=>{
             });
             purposeIds = purposes;
         }
+        if (!policyId) throw new http_exception_namespaceObject.HTTPException(500, {
+            message: 'Failed to resolve policy',
+            cause: {
+                code: 'POLICY_RESOLUTION_FAILED',
+                type
+            }
+        });
         const expiryDays = effectivePolicy?.consent?.expiryDays;
         const validUntil = 'number' == typeof expiryDays && Number.isFinite(expiryDays) ? new Date(givenAt.getTime() + 86400000 * Math.max(0, expiryDays)) : void 0;
         const proofConfig = effectivePolicy?.proof;
@@ -2207,7 +2235,7 @@ const createSubjectRoutes = ()=>{
     }), (0, external_hono_openapi_namespaceObject.validator)('param', schema_namespaceObject.getSubjectInputSchema), getSubjectHandler);
     app.post('/', (0, external_hono_openapi_namespaceObject.describeRoute)({
         summary: 'Record consent for a subject',
-        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Requires a valid `documentSnapshotToken` when legal-document verification is enabled, otherwise an explicit `policyId`\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
+        description: "Creates a new consent record (append-only). Creates the subject if it does not exist.\n\n**Request body by `type`:**\n- `cookie_banner` – Requires `preferences` object\n- `privacy_policy`, `dpa`, `terms_and_conditions` – Prefer a signed `documentSnapshotToken`; otherwise use a release `policyHash`, with `policyId` kept only for compatibility\n- `marketing_communications`, `age_verification`, `other` – Optional `preferences`",
         tags: [
             'Subject',
             'Consent'

package/dist-types/cache/gvl-resolver.d.ts

@@ -5,7 +5,7 @@
  * 1. Bundled translations (checked first)
  * 2. In-memory cache
  * 3. External cache (Redis/KV)
- * 4. Fetch from gvl.consent.io
+ * 4. Fetch from gvl.inth.app
  *
  * @packageDocumentation
  */
@@ -38,7 +38,7 @@ export interface GVLResolverOptions {
     vendorIds?: number[];
     /**
      * Override the default GVL endpoint.
-     * @default 'https://gvl.consent.io'
+     * @default 'https://gvl.inth.app'
      */
     endpoint?: string;
 }
@@ -63,7 +63,7 @@ export interface GVLResolver {
  * 1. **Bundled** - Check bundled translations (0ms)
  * 2. **In-Memory** - Check worker/process memory cache (0ms)
  * 3. **External Cache** - Check Redis/KV if configured (20-40ms)
- * 4. **Fetch** - Fetch from gvl.consent.io with Accept-Language (100-300ms)
+ * 4. **Fetch** - Fetch from gvl.inth.app with Accept-Language (100-300ms)
  *
  * @param options - Resolver configuration
  * @returns A GVL resolver instance

package/dist-types/middleware/cors/matches-wildcard.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared wildcard matching utilities for CORS origin checks.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Checks if an origin matches a wildcard domain pattern.
+ *
+ * @param origin - Hostname or normalized origin to check
+ * @param wildcardPattern - Wildcard pattern (e.g. *.example.com)
+ * @returns true if the origin is a subdomain of the wildcard pattern
+ */
+export declare function matchesWildcard(origin: string, wildcardPattern: string): boolean;

package/dist-types/policies/builder.d.ts

@@ -8,8 +8,8 @@ import type { PolicyConfig, PolicyModel, PolicyScopeMode, PolicyUiMode, PolicyUi
  * Use the builder helpers to normalize this input into runtime-ready policy
  * configs.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
- * @see {@link https://v2.c15t.com/docs/frameworks/react/concepts/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/react/concepts/policy-packs}
  */
 export interface PolicyBuilderInput {
     id: string;
@@ -57,7 +57,7 @@ export interface PolicyBuilderInput {
  * Empty optional fields are removed from the final output, matcher input is
  * merged into `match`, and duplicate string arrays are deduplicated.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyConfig(input: PolicyBuilderInput): PolicyConfig;
 /**
@@ -68,7 +68,7 @@ export declare function buildPolicyConfig(input: PolicyBuilderInput): PolicyConf
  * duplicate region/country matchers use first-match-wins semantics within the
  * same matcher type.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyPack(inputs: PolicyBuilderInput[]): PolicyConfig[];
 /**
@@ -84,7 +84,7 @@ export declare function buildPolicyPack(inputs: PolicyBuilderInput[]): PolicyCon
  * When `defaultPolicy` is provided, its `countries` and `regions` fields are
  * stripped and replaced with `match.isDefault = true`.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function buildPolicyPackWithDefault(inputs: PolicyBuilderInput[], defaultPolicy?: PolicyBuilderInput): PolicyConfig[];
 /**
@@ -107,7 +107,7 @@ export declare function buildPolicyPackWithDefault(inputs: PolicyBuilderInput[],
  * );
  * ```
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare function composePacks(...packs: PolicyConfig[][]): PolicyConfig[];
 /**
@@ -117,7 +117,7 @@ export declare function composePacks(...packs: PolicyConfig[][]): PolicyConfig[]
  * Useful when you prefer a grouped API such as `policyBuilder.createPack()`
  * inside backend config files.
  *
- * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+ * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
  */
 export declare const policyBuilder: {
     create: typeof buildPolicyConfig;

package/dist-types/types/index.d.ts

@@ -13,7 +13,7 @@ export interface DatabaseOptions {
     /**
      * The database adapter to use.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     adapter: FumaDB<FumaDBSchema>['adapter'];
     /**
@@ -26,7 +26,7 @@ export interface DatabaseOptions {
      * Useful when sharing a database with other applications to avoid naming conflicts.
      *
      * @example 'c15t_' // tables become: c15t_subject, c15t_consent, etc.
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     tablePrefix?: string;
 }
@@ -177,7 +177,7 @@ export interface IABOptions {
     vendorIds?: number[];
     /**
      * Override the default GVL endpoint.
-     * @default 'https://gvl.consent.io'
+     * @default 'https://gvl.inth.app'
      */
     endpoint?: string;
     /**
@@ -297,7 +297,7 @@ export interface C15TOptions {
     /**
      * The database adapter to use.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     adapter: FumaDB<FumaDBSchema>['adapter'];
     /**
@@ -310,7 +310,7 @@ export interface C15TOptions {
      * Useful when sharing a database with other applications to avoid naming conflicts.
      *
      * @example 'c15t_' // tables become: c15t_subject, c15t_consent, etc.
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/database-setup}
+     * @see {@link https://c15t.com/docs/self-host/guides/database-setup}
      */
     tablePrefix?: string;
     /**
@@ -319,13 +319,13 @@ export interface C15TOptions {
      * and cache key prefixing.
      *
      * @default "c15t"
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     appName?: string;
     /**
      * Base path prefix for all API routes (e.g. `/api/self-host`).
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/endpoints}
+     * @see {@link https://c15t.com/docs/self-host/api/endpoints}
      */
     basePath?: string;
     /**
@@ -333,7 +333,7 @@ export interface C15TOptions {
      * Protocol is optional; matching is protocol-agnostic and normalized.
      *
      * @example ['example.com', 'app.example.com', 'localhost:3000']
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     trustedOrigins: string[];
     /** Logger configuration. */
@@ -373,7 +373,7 @@ export interface C15TOptions {
      * explicit no-banner mode. In production, prefer including a default policy
      * so unmatched traffic still resolves deterministically.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/policy-packs}
+     * @see {@link https://c15t.com/docs/self-host/guides/policy-packs}
      */
     policyPacks?: PolicyConfig[];
     /**
@@ -386,7 +386,7 @@ export interface C15TOptions {
     /**
      * OpenAPI spec generation and documentation UI options.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/endpoints}
+     * @see {@link https://c15t.com/docs/self-host/api/endpoints}
      */
     openapi?: OpenAPIOptions;
     /**
@@ -394,20 +394,20 @@ export interface C15TOptions {
      * Telemetry is opt-in and disabled by default.
      * Users must provide their own SDK setup (Node, Bun, edge, etc.).
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/observability}
+     * @see {@link https://c15t.com/docs/self-host/guides/observability}
      */
     telemetry?: TelemetryOptions;
     /**
      * IP address tracking and masking options.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/api/configuration}
+     * @see {@link https://c15t.com/docs/self-host/api/configuration}
      */
     ipAddress?: IPAddressOptions;
     /**
      * Cache configuration for external persistent storage.
      * Used for caching GVL and other data.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/caching}
+     * @see {@link https://c15t.com/docs/self-host/guides/caching}
      */
     cache?: CacheOptions;
     /**
@@ -425,7 +425,7 @@ export interface C15TOptions {
      * Disabled by default - most users don't need IAB TCF.
      * Set enabled: true to activate IAB support.
      *
-     * @see {@link https://v2.c15t.com/docs/self-host/guides/iab-tcf}
+     * @see {@link https://c15t.com/docs/self-host/guides/iab-tcf}
      */
     iab?: IABOptions;
     /**

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0-rc.8";
+export declare const version = "2.0.2";

package/docs/api/configuration.md

@@ -10,24 +10,24 @@ All options are passed to `c15tInstance()`. Only `adapter` and `trustedOrigins`
 
 |Property|Type|Description|Default|Required|
 |:--|:--|:--|:--|:--:|
-|adapter|[FumaDBAdapter](https://v2.c15t.com/docs/self-host/guides/database-setup)|The database adapter to use.|-|✅ Required|
+|adapter|[FumaDBAdapter](https://c15t.com/docs/self-host/guides/database-setup)|The database adapter to use.|-|✅ Required|
 |tenantId|string \|undefined|Tenant ID for multi-tenant deployments. When set, all database queries are automatically scoped to this tenant.|-|Optional|
-|tablePrefix|[string \|undefined](https://v2.c15t.com/docs/self-host/guides/database-setup)|Optional prefix for all database table names. Useful when sharing a database with other applications to avoid naming conflicts.|-|Optional|
-|appName|[string \|undefined](https://v2.c15t.com/docs/self-host/api/configuration)|Application name used as backend metadata and identity. Returned by \`/init\` (\`appName\`), used in logs, telemetry defaults (\`service.name\`), and cache key prefixing.|"c15t"|Optional|
-|basePath|[string \|undefined](https://v2.c15t.com/docs/self-host/api/endpoints)|Base path prefix for all API routes (e.g. \`/api/self-host\`).|-|Optional|
-|trustedOrigins|[string\[\]](https://v2.c15t.com/docs/self-host/api/configuration)|Allowed origins for CORS. Required for browser-based consent collection. Protocol is optional; matching is protocol-agnostic and normalized.|-|✅ Required|
+|tablePrefix|[string \|undefined](https://c15t.com/docs/self-host/guides/database-setup)|Optional prefix for all database table names. Useful when sharing a database with other applications to avoid naming conflicts.|-|Optional|
+|appName|[string \|undefined](https://c15t.com/docs/self-host/api/configuration)|Application name used as backend metadata and identity. Returned by \`/init\` (\`appName\`), used in logs, telemetry defaults (\`service.name\`), and cache key prefixing.|"c15t"|Optional|
+|basePath|[string \|undefined](https://c15t.com/docs/self-host/api/endpoints)|Base path prefix for all API routes (e.g. \`/api/self-host\`).|-|Optional|
+|trustedOrigins|[string\[\]](https://c15t.com/docs/self-host/api/configuration)|Allowed origins for CORS. Required for browser-based consent collection. Protocol is optional; matching is protocol-agnostic and normalized.|-|✅ Required|
 |logger|LoggerOptions \|undefined|Logger configuration.|-|Optional|
 |disableGeoLocation|boolean \|undefined|Disables the use of Geo Location to determine the jurisdiction. When enabled, the jurisdiction will be set to "GDPR" to show the strictest version of the banner as we don't know the jurisdiction in this case.|false|Optional|
 |customTranslations|Record\<string, Partial\<Translations>> \|undefined|Override base translations.|-|Optional|
 |i18n|I18nOptions \|undefined|Internationalization message profiles used by runtime policies.|-|Optional|
-|policyPacks|[PolicyConfig \|undefined](https://v2.c15t.com/docs/self-host/guides/policy-packs)|Runtime regional policy pack resolved per request.|-|Optional|
+|policyPacks|[PolicyConfig \|undefined](https://c15t.com/docs/self-host/guides/policy-packs)|Runtime regional policy pack resolved per request.|-|Optional|
 |branding|"c15t" \|"consent" \|"none" \|"inth" \|undefined|Select which branding to show in the consent banner. Use "inth" for the INTH brand. "consent" is a deprecated alias for "inth". Use "none" to hide branding.|"c15t"|Optional|
-|openapi|[OpenAPIOptions \|undefined](https://v2.c15t.com/docs/self-host/api/endpoints)|OpenAPI spec generation and documentation UI options.|-|Optional|
-|telemetry|[TelemetryOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/observability)|OpenTelemetry configuration for tracing and metrics. Telemetry is opt-in and disabled by default. Users must provide their own SDK setup (Node, Bun, edge, etc.).|-|Optional|
-|ipAddress|[IPAddressOptions \|undefined](https://v2.c15t.com/docs/self-host/api/configuration)|IP address tracking and masking options.|-|Optional|
-|cache|[CacheOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/caching)|Cache configuration for external persistent storage. Used for caching GVL and other data.|-|Optional|
+|openapi|[OpenAPIOptions \|undefined](https://c15t.com/docs/self-host/api/endpoints)|OpenAPI spec generation and documentation UI options.|-|Optional|
+|telemetry|[TelemetryOptions \|undefined](https://c15t.com/docs/self-host/guides/observability)|OpenTelemetry configuration for tracing and metrics. Telemetry is opt-in and disabled by default. Users must provide their own SDK setup (Node, Bun, edge, etc.).|-|Optional|
+|ipAddress|[IPAddressOptions \|undefined](https://c15t.com/docs/self-host/api/configuration)|IP address tracking and masking options.|-|Optional|
+|cache|[CacheOptions \|undefined](https://c15t.com/docs/self-host/guides/caching)|Cache configuration for external persistent storage. Used for caching GVL and other data.|-|Optional|
 |apiKeys|string\[] \|undefined|API keys for authenticated endpoints. Used for server-side endpoints like GET /subjects.|-|Optional|
-|iab|[IABOptions \|undefined](https://v2.c15t.com/docs/self-host/guides/iab-tcf)|IAB TCF configuration including GVL, CMP registration, and custom vendors. Disabled by default - most users don't need IAB TCF. Set enabled: true to activate IAB support.|-|Optional|
+|iab|[IABOptions \|undefined](https://c15t.com/docs/self-host/guides/iab-tcf)|IAB TCF configuration including GVL, CMP registration, and custom vendors. Disabled by default - most users don't need IAB TCF. Set enabled: true to activate IAB support.|-|Optional|
 |policySnapshot|PolicySnapshotOptions \|undefined|Optional signed policy snapshots used to keep /init and /subjects consistent.|-|Optional|
 |legalDocumentSnapshot|LegalDocumentSnapshotOptions \|undefined|Optional signed legal-document snapshots issued by external document renderers.|-|Optional|
 |background|BackgroundOptions \|undefined|Optional background task runner for non-critical side effects.|-|Optional|
@@ -157,7 +157,7 @@ OpenAPI specification options
 |cmpId|number \|undefined|CMP ID registered with IAB Europe. This is returned to clients via the /init endpoint so they can use the correct CMP identity in TC Strings. See List of registered CMPs: https\://iabeurope.eu/cmp-list/|-|Optional|
 |bundled|Object \|undefined \|null|Bundled GVL translations by language code. These are checked first before any cache or fetch.|-|Optional|
 |vendorIds|number\[] \|undefined|Vendor IDs to filter when fetching non-bundled languages. Reduces payload size.|-|Optional|
-|endpoint|string \|undefined|Override the default GVL endpoint.|'https\://gvl.consent.io'|Optional|
+|endpoint|string \|undefined|Override the default GVL endpoint.|'https\://gvl.inth.app'|Optional|
 |customVendors|Array\<Object> \|undefined|Custom vendors not registered with IAB. These are synced to the frontend via the /init endpoint.|-|Optional|
 
 ## Return Value

package/docs/guides/database-setup.md

@@ -95,10 +95,10 @@ To create & update the database you can use the migrator which is included in th
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc`|
-|pnpm|`pnpm dlx @c15t/cli@rc`|
-|yarn|`yarn dlx @c15t/cli@rc`|
-|bun|`bunx @c15t/cli@rc`|
+|npm|`npx @c15t/cli`|
+|pnpm|`pnpm dlx @c15t/cli`|
+|yarn|`yarn dlx @c15t/cli`|
+|bun|`bunx @c15t/cli`|
 
 ## Table Prefix
 

package/docs/guides/iab-tcf.md

@@ -6,15 +6,15 @@ The c15t backend optionally supports [IAB TCF v2.3](https://iabeurope.eu/transpa
 
 ## CMP Registration
 
-[consent.io](https://consent.io) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when using consent.io as your hosted backend, the CMP ID will be automatically provided to clients — no additional configuration needed.
+[Inth](https://inth.com), c15t's hosted platform, is IAB TCF certified. If you use Inth instead of self-hosting, the CMP ID is automatically provided to clients — no additional configuration needed.
 
-If you self-host and have your own CMP registration with IAB Europe, configure your CMP ID via `iab.cmpId`. This value is returned to clients in the `/init` response so they use the correct CMP identity in TC Strings.
+If you self-host, you need your own CMP registration with IAB Europe and must configure your CMP ID via `iab.cmpId`. Registering your own CMP may also involve IAB Europe fees, so check IAB Europe's current CMP registration terms and pricing before choosing this route. The backend returns this value in the `/init` response so clients use the correct CMP identity in TC Strings.
 
 > ℹ️ **Info:**
 > A valid (non-zero) CMP ID is required for IAB TCF compliance. If neither the backend nor the client provides a CMP ID, IAB initialization will fail with an error.
 >
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components provided by c15t), you cannot use consent.io's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
+> If you heavily customize or build your own IAB banner or dialog instead of using the default IABConsentBanner and IABConsentDialog components provided by c15t, you cannot use Inth's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
 
 ## Enable IAB
 
@@ -25,13 +25,13 @@ export const c15t = c15tInstance({
   // ...
   iab: {
     enabled: true,
-    cmpId: 10,                  // your registered CMP ID (consent.io provides this automatically)
+    cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
     vendorIds: [755, 52, 69],   // only include vendors you use
   },
 });
 ```
 
-The backend fetches the GVL from `https://gvl.consent.io` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend.
+The backend fetches the GVL from `https://gvl.inth.com` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend, so use the same `iab.cmpId` pattern in every self-hosted configuration.
 
 ## Custom GVL Endpoint
 
@@ -40,6 +40,7 @@ Point to your own GVL mirror:
 ```ts
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   endpoint: 'https://your-gvl-mirror.com',
   vendorIds: [755, 52, 69],
 },
@@ -55,6 +56,7 @@ import gvlDe from './gvl/de.json';
 
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   bundled: {
     en: gvlEn,
     de: gvlDe,
@@ -72,6 +74,7 @@ Add your own vendors alongside IAB-registered ones:
 ```ts
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   vendorIds: [755],
   customVendors: [
     {

package/docs/quickstart.md

@@ -6,7 +6,7 @@ The `@c15t/backend` package gives you a fully self-hosted consent management API
 
 The backend exposes a standard `(request: Request) => Promise<Response>` handler, so it works with any JavaScript runtime (Node.js, Bun, Deno, Cloudflare Workers) and any HTTP framework.
 
-If you want a fully managed experience we recommend using [consent.io](https://consent.io).
+If you want a fully managed experience we recommend using [inth.com](https://inth.com).
 
 ## Installation
 
@@ -76,10 +76,10 @@ If you want a fully managed experience we recommend using [consent.io](https://c
 
    |Package manager|Command|
    |:--|:--|
-   |npm|`npx @c15t/cli@rc`|
-   |pnpm|`pnpm dlx @c15t/cli@rc`|
-   |yarn|`yarn dlx @c15t/cli@rc`|
-   |bun|`bunx @c15t/cli@rc`|
+   |npm|`npx @c15t/cli`|
+   |pnpm|`pnpm dlx @c15t/cli`|
+   |yarn|`yarn dlx @c15t/cli`|
+   |bun|`bunx @c15t/cli`|
 
    See Database Setup for adapter-specific migration guides. If you plan to use policy packs with runtime audit storage, also apply the runtime policy decision migration from the Policy Packs guide.
 
@@ -119,10 +119,10 @@ Install c15t agent skills to let AI agents help with styling, i18n, scripts & ot
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc skills`|
-|pnpm|`pnpm dlx @c15t/cli@rc skills`|
-|yarn|`yarn dlx @c15t/cli@rc skills`|
-|bun|`bunx @c15t/cli@rc skills`|
+|npm|`npx @c15t/cli skills`|
+|pnpm|`pnpm dlx @c15t/cli skills`|
+|yarn|`yarn dlx @c15t/cli skills`|
+|bun|`bunx @c15t/cli skills`|
 
 See [AI Agents](/docs/ai-agents) for bundled package docs and agent skills.
 

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@c15t/backend",
-	"version": "2.0.0-rc.8",
-	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io",
+	"version": "2.0.2",
+	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com",
 	"keywords": [
 		"consent",
 		"privacy",
@@ -20,12 +20,15 @@
 		"consent-banner"
 	],
 	"homepage": "https://c15t.com/docs/self-host/v2",
+	"bugs": {
+		"url": "https://github.com/c15t/c15t/issues"
+	},
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/c15t/c15t.git",
 		"directory": "packages/backend"
 	},
-	"license": "GPL-3.0-only",
+	"license": "Apache-2.0",
 	"type": "module",
 	"exports": {
 		".": {
@@ -113,19 +116,19 @@
 		"build": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs && bun ../../scripts/agent-docs/generate-package-docs.ts @c15t/backend",
 		"build:agent-docs": "bun ../../scripts/agent-docs/generate-package-docs.ts @c15t/backend",
 		"check-types": "bun prebuild && tsc --noEmit",
-		"dev": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs",
+		"dev": "sh -c 'bun prebuild && rslib build --no-dts --no-clean && rslib build --watch --no-dts --no-clean'",
 		"fmt": "bun biome format --write . && bun biome check --formatter-enabled=false --linter-enabled=false --write",
 		"knip": "knip",
 		"lint": "bun biome lint ./src",
-		"prepack": "cd ../.. && bunx turbo run build --filter=@c15t/backend",
+		"prepack": "bun run build",
 		"start": "node dist/server.cjs",
 		"test": "bun prebuild && vitest run",
 		"test:watch": "bun prebuild && vitest"
 	},
 	"dependencies": {
-		"@c15t/logger": "1.0.2-rc.1",
-		"@c15t/schema": "2.0.0-rc.5",
-		"@c15t/translations": "2.0.0-rc.8",
+		"@c15t/logger": "2.0.0",
+		"@c15t/schema": "2.0.0",
+		"@c15t/translations": "2.0.0",
 		"@hono/standard-validator": "^0.2.2",
 		"@hono/valibot-validator": "0.6.1",
 		"@opentelemetry/api": "1.9.1",
@@ -141,7 +144,7 @@
 		"valibot": "1.3.1"
 	},
 	"devDependencies": {
-		"@c15t/typescript-config": "0.0.1-beta.1",
+		"@c15t/typescript-config": "0.0.1",
 		"@c15t/vitest-config": "1.0.0",
 		"@opentelemetry/sdk-trace-base": "^2.6.1",
 		"@types/node": "25.5.0",

package/readme.json

@@ -1,6 +1,6 @@
 {
 	"title": "@c15t/backend: Consent Management Backend",
-	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io",
+	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com",
 	"features": [
 		"Consent Management: Track and manage user consent preferences",
 		"Geo-Location: Identify user's location to show relevant consent preferences",