@c15t/backend 2.0.0 → 2.0.4

package/README.md

@@ -1,14 +1,14 @@
 <p align="center">
-  <a href="https://c15t.com?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend" target="_blank" rel="noopener noreferrer">
+  <a href="https://c15t.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=%40c15t%2Fbackend" target="_blank" rel="noopener noreferrer">
     <picture>
       <source media="(prefers-color-scheme: dark)" srcset="../../docs/assets/c15t-banner-readme-dark.svg" type="image/svg+xml">
       <img src="../../docs/assets/c15t-banner-readme-light.svg" alt="c15t Banner" type="image/svg+xml">
     </picture>
   </a>
-  <br />
-  <h1 align="center">@c15t/backend: Consent Management Backend</h1>
 </p>
 
+# @c15t/backend: Consent Management Backend
+
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
@@ -18,7 +18,7 @@
 [![Last Commit](https://img.shields.io/github/last-commit/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/commits/main)
 [![Open Issues](https://img.shields.io/github/issues/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/issues)
 
-Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io
+Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com
 
 ## Key Features
 
@@ -54,24 +54,24 @@ For further information, guides, and examples visit the [reference documentation
 
 - Join our [Discord community](https://c15t.link/discord)
 - Open an issue on our [GitHub repository](https://github.com/c15t/c15t/issues)
-- Visit [consent.io](https://consent.io) and use the chat widget
-- Contact our support team via email [support@consent.io](mailto:support@consent.io)
+- Visit [inth.com](https://inth.com) and use the chat widget
+- Contact our support team via email [support@inth.com](mailto:support@inth.com)
 
 ## Contributing
 
-- We're open to all community contributions!
+- We're open to all community contributions.
 - Read our [Contribution Guidelines](https://c15t.com/docs/oss/contributing)
 - Review our [Code of Conduct](https://c15t.com/docs/oss/code-of-conduct)
 - Fork the repository
 - Create a new branch for your feature
 - Submit a pull request
-- **All contributions, big or small, are welcome and appreciated!**
+- **All contributions, big or small, are welcome and appreciated.**
 
 ## Security
 
 If you believe you have found a security vulnerability in c15t, we encourage you to **_responsibly disclose this and NOT open a public issue_**. We will investigate all legitimate reports.
 
-Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
+Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our open-source software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
 
 ### Security Policy
 
@@ -86,4 +86,4 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ---
 
-**Built by [Inth](https://inth.com?utm_source=github&utm_medium=repopage_%40c15t%2Fbackend)**
+**Built by [Inth](https://inth.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=%40c15t%2Fbackend)**

package/dist/302.js

@@ -13,7 +13,7 @@ function createTelemetryOptions(appName = 'c15t', telemetryConfig, tenantId) {
     const defaultAttributes = {
         ...telemetryConfig?.defaultAttributes || {},
         'service.name': String(appName),
-        'service.version': "2.0.0"
+        'service.version': "2.0.4"
     };
     if (tenantId) defaultAttributes['tenant.id'] = tenantId;
     const config = {
@@ -368,7 +368,7 @@ function createCacheKey(appName, namespace, ...parts) {
     ];
     return allParts.join(':');
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [

package/dist/915.js

@@ -709,7 +709,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: "2.0.0",
+            version: "2.0.4",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -1462,10 +1462,14 @@ const postSubjectHandler = async (c)=>{
             const hasWildcardCategoryScope = allowedCategories?.includes('*') === true;
             const appliedPreferenceEntries = Object.entries(preferences);
             let filteredAppliedPreferenceEntries = appliedPreferenceEntries;
-            if (allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
-                const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!allowedCategories.includes(purpose));
-                filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>allowedCategories.includes(purpose));
-                if (disallowed.length > 0 && 'strict' === effectiveScopeMode) throw new HTTPException(400, {
+            if ('strict' === effectiveScopeMode && allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
+                const strictAllowedCategories = new Set([
+                    'necessary',
+                    ...allowedCategories
+                ]);
+                const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!strictAllowedCategories.has(purpose));
+                filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>strictAllowedCategories.has(purpose));
+                if (disallowed.length > 0) throw new HTTPException(400, {
                     message: 'Preferences include categories not allowed by policy',
                     cause: {
                         code: 'PURPOSE_NOT_ALLOWED',

package/dist/942.js

@@ -0,0 +1,5 @@
+function matchesWildcard(origin, wildcardPattern) {
+    const wildcardDomain = wildcardPattern.slice(2);
+    return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
+}
+export { matchesWildcard };

package/dist/cache.cjs

@@ -400,7 +400,7 @@ function createCacheKey(appName, namespace, ...parts) {
     ];
     return allParts.join(':');
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [

package/dist/core.cjs

@@ -349,7 +349,7 @@ var __webpack_exports__ = {};
 (()=>{
     __webpack_require__.r(__webpack_exports__);
     __webpack_require__.d(__webpack_exports__, {
-        version: ()=>"2.0.0",
+        version: ()=>"2.0.4",
         c15tInstance: ()=>c15tInstance,
         EEA_COUNTRY_CODES: ()=>types_namespaceObject.EEA_COUNTRY_CODES,
         EU_COUNTRY_CODES: ()=>types_namespaceObject.EU_COUNTRY_CODES,
@@ -393,6 +393,10 @@ var __webpack_exports__ = {};
         const token = extractBearerToken(authHeader);
         return validateApiKey(token, validKeys);
     }
+    function matchesWildcard(origin, wildcardPattern) {
+        const wildcardDomain = wildcardPattern.slice(2);
+        return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
+    }
     const WWW_REGEX = /^www\./;
     const PROTOCOL_WWW_REGEX = /^https?:\/\/(www\.)?/;
     const SUPPORTED_METHODS = [
@@ -476,6 +480,7 @@ var __webpack_exports__ = {};
                 const isTrusted = expandedTrusted.some((trusted)=>{
                     const normalizedTrusted = normalizeOrigin(trusted);
                     if ('localhost' === normalizedTrusted) return 'localhost' === normalizedOrigin || normalizedOrigin.startsWith('localhost:') || '127.0.0.1' === normalizedOrigin || normalizedOrigin.startsWith('127.0.0.1:') || '[::1]' === normalizedOrigin || normalizedOrigin.startsWith('[::1]:');
+                    if (normalizedTrusted.startsWith('*.')) return matchesWildcard(normalizedOrigin, normalizedTrusted);
                     return normalizedTrusted === normalizedOrigin;
                 });
                 return isTrusted ? origin : null;
@@ -752,7 +757,7 @@ var __webpack_exports__ = {};
         const defaultAttributes = {
             ...telemetryConfig?.defaultAttributes || {},
             'service.name': String(appName),
-            'service.version': "2.0.0"
+            'service.version': "2.0.4"
         };
         if (tenantId) defaultAttributes['tenant.id'] = tenantId;
         const config = {
@@ -2028,7 +2033,7 @@ var __webpack_exports__ = {};
         ].sort((a, b)=>a - b).join(',') : 'all';
         return `${appName}:gvl:${language}:${sortedIds}`;
     }
-    const GVL_ENDPOINT = 'https://gvl.consent.io';
+    const GVL_ENDPOINT = 'https://gvl.inth.app';
     const inflightRequests = new Map();
     async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
         const sortedVendorIds = vendorIds ? [
@@ -2671,7 +2676,7 @@ Use for geo-targeted consent banners and regional compliance.`,
         try {
             await ctx.db.findFirst('subject', {});
             return c.json({
-                version: "2.0.0",
+                version: "2.0.4",
                 timestamp: new Date(),
                 client: clientInfo
             });
@@ -3425,10 +3430,14 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                 const hasWildcardCategoryScope = allowedCategories?.includes('*') === true;
                 const appliedPreferenceEntries = Object.entries(preferences);
                 let filteredAppliedPreferenceEntries = appliedPreferenceEntries;
-                if (allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
-                    const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!allowedCategories.includes(purpose));
-                    filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>allowedCategories.includes(purpose));
-                    if (disallowed.length > 0 && 'strict' === effectiveScopeMode) throw new http_exception_namespaceObject.HTTPException(400, {
+                if ('strict' === effectiveScopeMode && allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
+                    const strictAllowedCategories = new Set([
+                        'necessary',
+                        ...allowedCategories
+                    ]);
+                    const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!strictAllowedCategories.has(purpose));
+                    filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>strictAllowedCategories.has(purpose));
+                    if (disallowed.length > 0) throw new http_exception_namespaceObject.HTTPException(400, {
                         message: 'Preferences include categories not allowed by policy',
                         cause: {
                             code: 'PURPOSE_NOT_ALLOWED',
@@ -3873,7 +3882,7 @@ Use for health checks, load balancer probes, and debugging. Performs a lightweig
                     openapi: '3.1.0',
                     info: {
                         title: options.appName || 'c15t API',
-                        version: "2.0.0",
+                        version: "2.0.4",
                         description: 'API for consent management'
                     },
                     servers: [

package/dist/core.js

@@ -7,6 +7,7 @@ import { HTTPException } from "hono/http-exception";
 import { openAPIRouteHandler } from "hono-openapi";
 import { compactDefined, dedupeTrimmedStrings, policyPackPresets } from "@c15t/schema";
 import { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, policyMatchers } from "@c15t/schema/types";
+import { matchesWildcard } from "./942.js";
 import { extractErrorMessage, withDatabaseSpan, getTraceContext as create_telemetry_options_getTraceContext, createRequestSpan, handleSpanError, createTelemetryOptions, getMetrics, isTelemetryEnabled, withSpanContext } from "./302.js";
 import { createLegalDocumentRoutes, createSubjectRoutes, generateUniqueId, createStatusRoute, createInitRoute, createConsentRoutes, policyRegistry } from "./915.js";
 import { validateMessages, inspectPolicies as policy_inspectPolicies } from "./583.js";
@@ -119,6 +120,7 @@ function createCORSOptions(trustedOrigins) {
             const isTrusted = expandedTrusted.some((trusted)=>{
                 const normalizedTrusted = normalizeOrigin(trusted);
                 if ('localhost' === normalizedTrusted) return 'localhost' === normalizedOrigin || normalizedOrigin.startsWith('localhost:') || '127.0.0.1' === normalizedOrigin || normalizedOrigin.startsWith('127.0.0.1:') || '[::1]' === normalizedOrigin || normalizedOrigin.startsWith('[::1]:');
+                if (normalizedTrusted.startsWith('*.')) return matchesWildcard(normalizedOrigin, normalizedTrusted);
                 return normalizedTrusted === normalizedOrigin;
             });
             return isTrusted ? origin : null;
@@ -765,7 +767,7 @@ const c15tInstance = (options)=>{
                 openapi: '3.1.0',
                 info: {
                     title: options.appName || 'c15t API',
-                    version: "2.0.0",
+                    version: "2.0.4",
                     description: 'API for consent management'
                 },
                 servers: [
@@ -879,7 +881,7 @@ const c15tInstance = (options)=>{
         getDocsUI
     };
 };
-var core_version = "2.0.0";
+var core_version = "2.0.4";
 export { defineConfig } from "./define-config.js";
 export { inspectPolicies } from "./583.js";
 export { EEA_COUNTRY_CODES, EU_COUNTRY_CODES, POLICY_MATCH_DATASET_VERSION, UK_COUNTRY_CODES, c15tInstance, core_version as version, policyBuilder, policyMatchers, policyPackPresets };

package/dist/edge.cjs

@@ -348,7 +348,7 @@ function createGVLCacheKey(appName, language, vendorIds) {
     ].sort((a, b)=>a - b).join(',') : 'all';
     return `${appName}:gvl:${language}:${sortedIds}`;
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [
@@ -908,13 +908,12 @@ async function resolveInitPayload(request, options, logger) {
         }
     };
 }
-const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
-function matchesWildcard(hostname, wildcardPattern, logger) {
+function matchesWildcard(origin, wildcardPattern) {
     const wildcardDomain = wildcardPattern.slice(2);
-    const isValid = hostname !== wildcardDomain && hostname.endsWith(`.${wildcardDomain}`);
-    logger?.debug(`Wildcard match result: ${isValid} ${hostname} ends with .${wildcardDomain}`);
-    return isValid;
+    return origin !== wildcardDomain && origin.endsWith(`.${wildcardDomain}`);
 }
+const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
+const WWW_REGEX = /^www\./;
 function isOriginTrusted(origin, trustedDomains, logger) {
     try {
         if (0 === trustedDomains.length) throw new Error('No trusted domains');
@@ -933,9 +932,15 @@ function isOriginTrusted(origin, trustedDomains, logger) {
             }
             const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
             logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
-            if (strippedDomain.startsWith('*.')) return matchesWildcard(originHostname, strippedDomain, logger);
-            const isMatch = originHostname === strippedDomain;
-            logger?.debug(`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`);
+            if (strippedDomain.startsWith('*.')) {
+                const isMatch = matchesWildcard(originHostname, strippedDomain);
+                logger?.debug(`Wildcard match result: ${isMatch} ${originHostname} matches ${strippedDomain}`);
+                return isMatch;
+            }
+            const normalizedOriginHostname = originHostname.replace(WWW_REGEX, '');
+            const normalizedDomain = strippedDomain.replace(WWW_REGEX, '');
+            const isMatch = normalizedOriginHostname === normalizedDomain;
+            logger?.debug(`Exact match result: ${isMatch} ${normalizedOriginHostname} === ${normalizedDomain}`);
             return isMatch;
         });
     } catch (error) {

package/dist/edge.js

@@ -1,12 +1,8 @@
 import { createLogger } from "@c15t/logger";
+import { matchesWildcard } from "./942.js";
 import { inspectPolicies as policy_inspectPolicies, policy_resolvePolicySync, resolveInitPayload, validateMessages, checkJurisdiction } from "./583.js";
 const STRIP_REGEX = /^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
-function matchesWildcard(hostname, wildcardPattern, logger) {
-    const wildcardDomain = wildcardPattern.slice(2);
-    const isValid = hostname !== wildcardDomain && hostname.endsWith(`.${wildcardDomain}`);
-    logger?.debug(`Wildcard match result: ${isValid} ${hostname} ends with .${wildcardDomain}`);
-    return isValid;
-}
+const WWW_REGEX = /^www\./;
 function isOriginTrusted(origin, trustedDomains, logger) {
     try {
         if (0 === trustedDomains.length) throw new Error('No trusted domains');
@@ -25,9 +21,15 @@ function isOriginTrusted(origin, trustedDomains, logger) {
             }
             const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
             logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
-            if (strippedDomain.startsWith('*.')) return matchesWildcard(originHostname, strippedDomain, logger);
-            const isMatch = originHostname === strippedDomain;
-            logger?.debug(`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`);
+            if (strippedDomain.startsWith('*.')) {
+                const isMatch = matchesWildcard(originHostname, strippedDomain);
+                logger?.debug(`Wildcard match result: ${isMatch} ${originHostname} matches ${strippedDomain}`);
+                return isMatch;
+            }
+            const normalizedOriginHostname = originHostname.replace(WWW_REGEX, '');
+            const normalizedDomain = strippedDomain.replace(WWW_REGEX, '');
+            const isMatch = normalizedOriginHostname === normalizedDomain;
+            logger?.debug(`Exact match result: ${isMatch} ${normalizedOriginHostname} === ${normalizedDomain}`);
             return isMatch;
         });
     } catch (error) {

package/dist/router.cjs

@@ -550,7 +550,7 @@ function createGVLCacheKey(appName, language, vendorIds) {
     ].sort((a, b)=>a - b).join(',') : 'all';
     return `${appName}:gvl:${language}:${sortedIds}`;
 }
-const GVL_ENDPOINT = 'https://gvl.consent.io';
+const GVL_ENDPOINT = 'https://gvl.inth.app';
 const inflightRequests = new Map();
 async function fetchGVLWithLanguage(language, vendorIds, endpoint = GVL_ENDPOINT) {
     const sortedVendorIds = vendorIds ? [
@@ -1246,7 +1246,7 @@ const statusHandler = async (c)=>{
     try {
         await ctx.db.findFirst('subject', {});
         return c.json({
-            version: "2.0.0",
+            version: "2.0.4",
             timestamp: new Date(),
             client: clientInfo
         });
@@ -2000,10 +2000,14 @@ const postSubjectHandler = async (c)=>{
             const hasWildcardCategoryScope = allowedCategories?.includes('*') === true;
             const appliedPreferenceEntries = Object.entries(preferences);
             let filteredAppliedPreferenceEntries = appliedPreferenceEntries;
-            if (allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
-                const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!allowedCategories.includes(purpose));
-                filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>allowedCategories.includes(purpose));
-                if (disallowed.length > 0 && 'strict' === effectiveScopeMode) throw new http_exception_namespaceObject.HTTPException(400, {
+            if ('strict' === effectiveScopeMode && allowedCategories && allowedCategories.length > 0 && !hasWildcardCategoryScope) {
+                const strictAllowedCategories = new Set([
+                    'necessary',
+                    ...allowedCategories
+                ]);
+                const disallowed = appliedPreferenceEntries.map(([purpose])=>purpose).filter((purpose)=>!strictAllowedCategories.has(purpose));
+                filteredAppliedPreferenceEntries = appliedPreferenceEntries.filter(([purpose])=>strictAllowedCategories.has(purpose));
+                if (disallowed.length > 0) throw new http_exception_namespaceObject.HTTPException(400, {
                     message: 'Preferences include categories not allowed by policy',
                     cause: {
                         code: 'PURPOSE_NOT_ALLOWED',

package/dist-types/cache/gvl-resolver.d.ts

@@ -5,7 +5,7 @@
  * 1. Bundled translations (checked first)
  * 2. In-memory cache
  * 3. External cache (Redis/KV)
- * 4. Fetch from gvl.consent.io
+ * 4. Fetch from gvl.inth.app
  *
  * @packageDocumentation
  */
@@ -38,7 +38,7 @@ export interface GVLResolverOptions {
     vendorIds?: number[];
     /**
      * Override the default GVL endpoint.
-     * @default 'https://gvl.consent.io'
+     * @default 'https://gvl.inth.app'
      */
     endpoint?: string;
 }
@@ -63,7 +63,7 @@ export interface GVLResolver {
  * 1. **Bundled** - Check bundled translations (0ms)
  * 2. **In-Memory** - Check worker/process memory cache (0ms)
  * 3. **External Cache** - Check Redis/KV if configured (20-40ms)
- * 4. **Fetch** - Fetch from gvl.consent.io with Accept-Language (100-300ms)
+ * 4. **Fetch** - Fetch from gvl.inth.app with Accept-Language (100-300ms)
  *
  * @param options - Resolver configuration
  * @returns A GVL resolver instance

package/dist-types/middleware/cors/matches-wildcard.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared wildcard matching utilities for CORS origin checks.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Checks if an origin matches a wildcard domain pattern.
+ *
+ * @param origin - Hostname or normalized origin to check
+ * @param wildcardPattern - Wildcard pattern (e.g. *.example.com)
+ * @returns true if the origin is a subdomain of the wildcard pattern
+ */
+export declare function matchesWildcard(origin: string, wildcardPattern: string): boolean;

package/dist-types/types/index.d.ts

@@ -177,7 +177,7 @@ export interface IABOptions {
     vendorIds?: number[];
     /**
      * Override the default GVL endpoint.
-     * @default 'https://gvl.consent.io'
+     * @default 'https://gvl.inth.app'
      */
     endpoint?: string;
     /**

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0";
+export declare const version = "2.0.4";

package/docs/api/configuration.md

@@ -157,7 +157,7 @@ OpenAPI specification options
 |cmpId|number \|undefined|CMP ID registered with IAB Europe. This is returned to clients via the /init endpoint so they can use the correct CMP identity in TC Strings. See List of registered CMPs: https\://iabeurope.eu/cmp-list/|-|Optional|
 |bundled|Object \|undefined \|null|Bundled GVL translations by language code. These are checked first before any cache or fetch.|-|Optional|
 |vendorIds|number\[] \|undefined|Vendor IDs to filter when fetching non-bundled languages. Reduces payload size.|-|Optional|
-|endpoint|string \|undefined|Override the default GVL endpoint.|'https\://gvl.consent.io'|Optional|
+|endpoint|string \|undefined|Override the default GVL endpoint.|'https\://gvl.inth.app'|Optional|
 |customVendors|Array\<Object> \|undefined|Custom vendors not registered with IAB. These are synced to the frontend via the /init endpoint.|-|Optional|
 
 ## Return Value

package/docs/guides/iab-tcf.md

@@ -6,15 +6,15 @@ The c15t backend optionally supports [IAB TCF v2.3](https://iabeurope.eu/transpa
 
 ## CMP Registration
 
-[inth.com](https://inth.com) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when using inth.com as your hosted backend, the CMP ID will be automatically provided to clients — no additional configuration needed.
+[Inth](https://inth.com), c15t's hosted platform, is IAB TCF certified. If you use Inth instead of self-hosting, the CMP ID is automatically provided to clients — no additional configuration needed.
 
-If you self-host and have your own CMP registration with IAB Europe, configure your CMP ID via `iab.cmpId`. This value is returned to clients in the `/init` response so they use the correct CMP identity in TC Strings.
+If you self-host, you need your own CMP registration with IAB Europe and must configure your CMP ID via `iab.cmpId`. Registering your own CMP may also involve IAB Europe fees, so check IAB Europe's current CMP registration terms and pricing before choosing this route. The backend returns this value in the `/init` response so clients use the correct CMP identity in TC Strings.
 
 > ℹ️ **Info:**
 > A valid (non-zero) CMP ID is required for IAB TCF compliance. If neither the backend nor the client provides a CMP ID, IAB initialization will fail with an error.
 >
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components provided by c15t), you cannot use inth.com's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
+> If you heavily customize or build your own IAB banner or dialog instead of using the default IABConsentBanner and IABConsentDialog components provided by c15t, you cannot use Inth's CMP ID. You must register your own CMP with IAB Europe and configure your CMP ID via iab.cmpId.
 
 ## Enable IAB
 
@@ -25,13 +25,13 @@ export const c15t = c15tInstance({
   // ...
   iab: {
     enabled: true,
-    cmpId: 10,                  // your registered CMP ID (inth.com provides this automatically)
+    cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
     vendorIds: [755, 52, 69],   // only include vendors you use
   },
 });
 ```
 
-The backend fetches the GVL from `https://gvl.inth.com` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend.
+The backend fetches the GVL from `https://gvl.inth.com` by default and caches it. The `/init` endpoint returns the filtered GVL and your CMP ID to the frontend, so use the same `iab.cmpId` pattern in every self-hosted configuration.
 
 ## Custom GVL Endpoint
 
@@ -40,6 +40,7 @@ Point to your own GVL mirror:
 ```ts
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   endpoint: 'https://your-gvl-mirror.com',
   vendorIds: [755, 52, 69],
 },
@@ -55,6 +56,7 @@ import gvlDe from './gvl/de.json';
 
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   bundled: {
     en: gvlEn,
     de: gvlDe,
@@ -72,6 +74,7 @@ Add your own vendors alongside IAB-registered ones:
 ```ts
 iab: {
   enabled: true,
+  cmpId: Number('<YOUR_CMP_ID>'), // replace with your registered CMP ID
   vendorIds: [755],
   customVendors: [
     {

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@c15t/backend",
-	"version": "2.0.0",
-	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io",
+	"version": "2.0.4",
+	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com",
 	"keywords": [
 		"consent",
 		"privacy",
@@ -20,6 +20,9 @@
 		"consent-banner"
 	],
 	"homepage": "https://c15t.com/docs/self-host/v2",
+	"bugs": {
+		"url": "https://github.com/c15t/c15t/issues"
+	},
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/c15t/c15t.git",
@@ -113,18 +116,18 @@
 		"build": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs && bun ../../scripts/agent-docs/generate-package-docs.ts @c15t/backend",
 		"build:agent-docs": "bun ../../scripts/agent-docs/generate-package-docs.ts @c15t/backend",
 		"check-types": "bun prebuild && tsc --noEmit",
-		"dev": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs",
+		"dev": "sh -c 'bun prebuild && rslib build --no-dts --no-clean && rslib build --watch --no-dts --no-clean'",
 		"fmt": "bun biome format --write . && bun biome check --formatter-enabled=false --linter-enabled=false --write",
 		"knip": "knip",
 		"lint": "bun biome lint ./src",
-		"prepack": "cd ../.. && bunx turbo run build --filter=@c15t/backend",
+		"prepack": "bun ../../scripts/verify-package-artifacts.ts",
 		"start": "node dist/server.cjs",
 		"test": "bun prebuild && vitest run",
 		"test:watch": "bun prebuild && vitest"
 	},
 	"dependencies": {
 		"@c15t/logger": "2.0.0",
-		"@c15t/schema": "2.0.0",
+		"@c15t/schema": "2.0.1",
 		"@c15t/translations": "2.0.0",
 		"@hono/standard-validator": "^0.2.2",
 		"@hono/valibot-validator": "0.6.1",
@@ -133,9 +136,9 @@
 		"@scalar/hono-api-reference": "0.10.5",
 		"@valibot/to-json-schema": "1.6.0",
 		"base-x": "5.0.1",
-		"defu": "6.1.4",
+		"defu": "6.1.5",
 		"fumadb": "0.2.2",
-		"hono": "4.12.9",
+		"hono": "4.12.14",
 		"hono-openapi": "1.3.0",
 		"jose": "6.2.2",
 		"valibot": "1.3.1"

package/readme.json

@@ -1,6 +1,6 @@
 {
 	"title": "@c15t/backend: Consent Management Backend",
-	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preferences centre. Webhooks, audit logs, storage adapters. Self host or use consent.io",
+	"description": "Consent policy engine and API for c15t. Powers the cookie banner, consent manager, and preference center. Webhooks, audit logs, storage adapters. Self-host or use inth.com",
 	"features": [
 		"Consent Management: Track and manage user consent preferences",
 		"Geo-Location: Identify user's location to show relevant consent preferences",