@c15t/nextjs 2.0.0-rc.0 → 2.0.0-rc.10

package/docs/iab/overview.md

@@ -0,0 +1,126 @@
+---
+title: IAB TCF 2.3
+description: Implement IAB Transparency & Consent Framework 2.3 compliance for programmatic advertising in EU/EEA jurisdictions.
+---
+## What is IAB TCF?
+
+The [IAB Transparency & Consent Framework (TCF)](https://iabeurope.eu/tcf-2-0/) is a standardized protocol for communicating user consent choices to ad tech vendors in the programmatic advertising ecosystem. TCF 2.3 is the current version and is widely adopted across the EU/EEA.
+
+When your site participates in the IAB ecosystem (ad exchanges, SSPs, DSPs, DMPs), you need to:
+
+* Disclose which vendors process user data and for what purposes
+* Collect granular consent for each IAB-defined purpose
+* Generate a **TC String** — a standardized encoding of consent choices that ad tech vendors can read
+* Expose the `__tcfapi` CMP stub for vendor scripts to query consent status
+
+## CMP Registration
+
+[inth.com](https://inth.com) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when you use inth.com as your backend, the correct CMP ID will be automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
+
+If you self-host the c15t backend and have your own CMP registration with IAB Europe, you can configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. A valid (non-zero) CMP ID is required for IAB TCF compliance.
+
+> ℹ️ **Info:**
+> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components), you cannot use inth.com's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
+
+## How c15t Implements TCF
+
+c15t provides a complete IAB TCF 2.3 CMP (Consent Management Platform) implementation:
+
+1. **Global Vendor List (GVL)** — Automatically fetched from the c15t backend. Contains the official IAB vendor registry with purposes, features, and stacks.
+2. **IABConsentBanner** — A pre-built banner showing partner count, purpose summaries, and legitimate interest notices.
+3. **IABConsentDialog** — A tabbed preference center for granular purpose and vendor consent management.
+4. **TC String generation** — Consent choices are encoded into the standard TC String format.
+5. **`__tcfapi` stub** — The standard CMP API is exposed on `window` so vendor scripts can query consent.
+
+If you use the prebuilt styled IAB UI, add your framework's `iab/styles.css` entrypoint alongside the base c15t stylesheet. IAB CSS is published separately so apps that do not render IAB surfaces do not ship those component rules.
+
+## Quick Setup
+
+If you use the prebuilt styled IAB UI, import the IAB stylesheet alongside the base stylesheet in your global CSS entrypoint:
+
+```css title="src/app/globals.css"
+@import "@c15t/nextjs/styles.css";
+@import "@c15t/nextjs/iab/styles.css";
+```
+
+```tsx
+import { type ReactNode } from 'react';
+import { iab } from '@c15t/iab';
+import { ConsentManagerProvider } from '@c15t/nextjs';
+import { IABConsentBanner, IABConsentDialog } from '@c15t/react/iab';
+
+export default function ConsentManager({ children }: { children: ReactNode }) {
+  return (
+    <ConsentManagerProvider
+      options={{
+        mode: 'hosted',
+        backendURL: '/api/c15t',
+        iab: iab({
+          vendors: [1, 2, 10, 25],  // IAB vendor IDs you work with
+          // cmpId is automatically provided by the backend (inth.com).
+          // Only set this if you have your own CMP registration with IAB Europe.
+          // cmpId: 123,
+        }),
+      }}
+    >
+      <IABConsentBanner />
+      <IABConsentDialog showTrigger />
+      {children}
+    </ConsentManagerProvider>
+  );
+}
+```
+
+## IAB Configuration Options
+
+Configure IAB mode with `iab({ ... })` from `@c15t/iab`. The factory enables the addon and injects the runtime module automatically. The user-facing options are:
+
+|Option|Type|Description|
+|--|--|--|
+|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using inth.com. Only set this if you have your own CMP registration.|
+|`vendors`|`number[]`|IAB vendor IDs that your site works with|
+|`customVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
+
+## Key Concepts
+
+### Purposes
+
+IAB defines 11 standard purposes for data processing (e.g., "Store and/or access information on a device", "Select basic ads", "Measure ad performance"). Each purpose can be consented to individually.
+
+### Stacks
+
+Purposes are grouped into **stacks** by the GVL for a simplified UI presentation. For example, "Advertising based on limited data" might group purposes 2, 7, and 10 together.
+
+### Special Features
+
+Features like precise geolocation or device scanning that require explicit opt-in beyond standard consent.
+
+### Legitimate Interest
+
+Some purposes can be processed under legitimate interest rather than consent. Users can object to legitimate interest processing per-vendor.
+
+### Vendors
+
+Each vendor in the GVL declares which purposes it uses, whether via consent or legitimate interest. The preference center lets users toggle consent per-vendor.
+
+## Standard vs IAB Components
+
+|Feature|ConsentBanner / ConsentDialog|IABConsentBanner / IABConsentDialog|
+|--|--|--|
+|Consent model|opt-in / opt-out|IAB TCF 2.3|
+|Granularity|Category-level (measurement, marketing, etc.)|Purpose-level + vendor-level|
+|Vendor management|No|Yes (full GVL integration)|
+|TC String|No|Yes|
+|`__tcfapi`|No|Yes|
+|Legitimate interest|No|Yes|
+|Use when|General GDPR/CCPA compliance|Programmatic advertising in EU/EEA|
+
+## Components
+
+|Component|Description|
+|--|--|
+|[IABConsentBanner](/docs/frameworks/next/iab/consent-banner)|TCF-compliant banner with partner disclosure|
+|[IABConsentDialog](/docs/frameworks/next/iab/consent-dialog)|Tabbed preference center for purposes and vendors|
+
+> ℹ️ **Info:**
+> For lower-level custom IAB flows, use useHeadlessIABConsentUI() from @c15t/react/iab. useGVLData() is currently internal and is not part of the public package surface.

package/docs/iab/use-gvl-data.md

@@ -0,0 +1,20 @@
+---
+title: useGVLData (Internal)
+description: Status note for the internal GVL hook used by the built-in IAB dialog.
+---
+> ❌ **Error:**
+> c15t is not yet IAB certified. The IAB TCF components are under active development and should not be used in production. APIs and behavior may change before certification is achieved.
+
+`useGVLData()` currently powers the built-in `IABConsentDialog`, but it is **not part of the public package surface**.
+
+Older docs showed it as a public hook. That is no longer accurate.
+
+If you need supported customization points today:
+
+* Use `IABConsentBanner` and `IABConsentDialog` from `@c15t/react/iab` for the supported prebuilt UI
+* Use `useHeadlessIABConsentUI()` from `@c15t/react/iab` when you need lower-level control over banner/dialog state and actions
+
+> ℹ️ **Info:**
+> Until useGVLData() is exported as public API, avoid importing it from deep internal paths. Those paths are not covered by semver guarantees and can change without notice.
+
+When a public GVL-focused hook becomes part of the supported API, this page should document that public surface instead of the internal dialog hook.

package/docs/iframe-blocking.md

@@ -0,0 +1,107 @@
+---
+title: Iframe Blocking
+description: Block embedded content (YouTube, social widgets, maps) until users grant consent for the appropriate category.
+---
+Embedded iframes from third parties (YouTube, Google Maps, social media widgets) can set cookies and track users without their consent. c15t provides two approaches to gate iframes behind consent:
+
+1. **`<Frame>` component** - A React component that conditionally renders children based on consent
+2. **HTML `data-category` attribute** - For raw `<iframe>` elements outside of React
+
+## Frame Component
+
+The `<Frame>` component wraps content that requires consent. Children are only mounted when the specified category has consent. When consent is not granted, a placeholder is shown instead.
+
+```tsx
+import { Frame } from '@c15t/nextjs';
+
+function YouTubeEmbed() {
+  return (
+    <Frame category="marketing">
+      <iframe
+        src="https://www.youtube.com/embed/dQw4w9WgXcQ"
+        width="560"
+        height="315"
+        allowFullScreen
+      />
+    </Frame>
+  );
+}
+```
+
+### Custom Placeholder
+
+Replace the default placeholder with your own UI:
+
+```tsx
+<Frame
+  category="marketing"
+  placeholder={
+    <div className="flex items-center justify-center h-64 bg-gray-100 rounded">
+      <p>Enable marketing cookies to watch this video.</p>
+    </div>
+  }
+>
+  <iframe src="https://www.youtube.com/embed/..." />
+</Frame>
+```
+
+### Compound Components
+
+Build custom placeholder layouts using compound components:
+
+```tsx
+<Frame.Root category="marketing">
+  <Frame.Title category="marketing" />
+  <Frame.Button category="marketing" />
+</Frame.Root>
+```
+
+## HTML Attribute Approach
+
+For iframes outside of React (e.g., CMS content, server-rendered HTML), add `data-category` and use `data-src` instead of `src`:
+
+```html
+<iframe
+  data-src="https://www.youtube.com/embed/dQw4w9WgXcQ"
+  data-category="marketing"
+  width="560"
+  height="315"
+></iframe>
+```
+
+When consent for the specified category is granted, c15t automatically swaps `data-src` to `src`, loading the iframe. When consent is revoked, `src` is moved back to `data-src`.
+
+### Dynamic Iframes
+
+c15t uses a `MutationObserver` to watch for dynamically added iframes. Any iframe with `data-category` added to the DOM after initialization is automatically processed.
+
+## Initializing the Iframe Blocker
+
+The iframe blocker for HTML attributes needs to be initialized separately from the Frame component:
+
+```tsx
+import { useConsentManager } from '@c15t/nextjs';
+import { useEffect } from 'react';
+
+function IframeBlockerInit() {
+  const { initializeIframeBlocker } = useConsentManager();
+
+  useEffect(() => {
+    initializeIframeBlocker();
+  }, [initializeIframeBlocker]);
+
+  return null;
+}
+```
+
+## API Reference
+
+### FrameProps
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|children|ReactNode|Content rendered when consent is granted. Children are not mounted until consent is given, preventing unnecessary network requests.|-|✅ Required|
+|category|AllConsentNames|Consent category required to render children.|-|✅ Required|
+|placeholder|ReactNode|A custom placeholder component to display when consent is not met. If not provided, a default placeholder will be displayed.|-|Optional|
+|noStyle|boolean \|undefined|When true, removes all default styling from the component|false|Optional|
+|theme|any|Custom theme to override default styles while maintaining structure and accessibility. Merges with defaults. Ignored when \`noStyle=\{true}\`.|undefined|Optional|

package/docs/integrations/building-integrations.md

@@ -0,0 +1,405 @@
+---
+title: Build a Custom Script Integration
+description: Learn when to use a raw Script, when to build a reusable manifest-backed integration, and how to debug and test custom consent-aware scripts in c15t.
+lastModified: 2026-04-10
+---
+If you cannot find a prebuilt integration in [`@c15t/scripts`](/docs/integrations), you have two good options:
+
+1. Build a one-off `Script` object directly in your app.
+2. Build a reusable manifest-backed integration helper.
+
+Use the first option for app-specific scripts. Use the second option when you want something reusable, testable, and aligned with c15t's manifest system.
+
+## Choose the Right Level
+
+### One-off app script
+
+Use a raw `Script` when:
+
+* the integration is only used in one app
+* the vendor setup is small
+* you do not need to publish or share the helper
+
+```ts
+import type { Script } from 'c15t';
+
+export function acmeAnalytics(siteId: string): Script {
+  return {
+    id: 'acme-analytics',
+    src: `https://cdn.acme.com/analytics.js?site=${siteId}`,
+    category: 'measurement',
+    onBeforeLoad: () => {
+      window.acmeQueue = window.acmeQueue || [];
+    },
+    onConsentChange: ({ hasConsent }) => {
+      window.acme?.setConsent(hasConsent);
+    },
+  };
+}
+```
+
+### Reusable manifest-backed integration
+
+Use a manifest-backed helper when:
+
+* you want to contribute to `@c15t/scripts`
+* you want the integration to be reusable across apps
+* you need structured startup/setup phases
+* you want compatibility with c15t's server-side support for script loading
+
+Manifest integrations should be declarative, serializable, and built from structured steps rather than raw inline JavaScript strings.
+
+## Manifest Contract
+
+Every reusable manifest carries two contract fields:
+
+* `kind`: identifies the payload as a c15t vendor manifest
+* `schemaVersion`: identifies which manifest schema the runtime should compile
+
+Use `vendorManifestContract` so helpers stay aligned with the runtime's current contract:
+
+```ts
+const acmeManifest = {
+  ...vendorManifestContract,
+  vendor: 'acme-analytics',
+  // ...
+} as const satisfies VendorManifest;
+```
+
+If manifests are sent from a server later, these fields are how the client can validate that it knows how to interpret the payload before executing anything.
+
+## Manifest Mental Model
+
+The manifest runtime executes a script in ordered phases:
+
+* `bootstrap`: globals or stubs that must exist before anything else
+* `install`: startup steps plus a single `loadScript`
+* `afterLoad`: work that should run after the external script loads
+* `onBeforeLoadGranted` / `onBeforeLoadDenied`: initial consent-specific setup
+* `onLoadGranted` / `onLoadDenied`: post-load consent-specific setup
+* `onConsentChange`: runs on every consent update
+* `onConsentGranted` / `onConsentDenied`: branch-specific consent updates
+
+For vendors with explicit consent APIs, you can also use:
+
+* `consentMapping`
+* `consentSignal`
+* `consentSignalTarget`
+
+That is how the Google integrations map c15t consent categories to Consent Mode v2 and inject `default` and `update` signals in the correct phase order.
+
+`category` supports the same consent condition model as a plain `Script`, so manifests can represent simple or nested rules such as:
+
+```ts
+category: { and: ['measurement', { not: 'marketing' }] }
+```
+
+## Structured Steps
+
+Prefer structured steps over raw script text. The current manifest DSL supports patterns like:
+
+* `setGlobal`
+* `setGlobalPath`
+* `defineQueueFunction`
+* `defineStubFunction`
+* `pushToQueue`
+* `callGlobal`
+* `defineQueueMethods`
+* `defineGlobalMethods`
+* `constructGlobal`
+* `loadScript`
+
+These steps are easier to validate, test, debug, and eventually transport from the server.
+
+## Example Manifest Integration
+
+If you are building a reusable helper, the pattern looks like this:
+
+```ts
+import type { Script } from 'c15t';
+import { resolveManifest } from '@c15t/scripts/resolve';
+import {
+  vendorManifestContract,
+  type VendorManifest,
+} from '@c15t/scripts/types';
+
+const acmeManifest = {
+  ...vendorManifestContract,
+  vendor: 'acme-analytics',
+  category: 'measurement',
+  bootstrap: [
+    {
+      type: 'setGlobal',
+      name: 'acmeQueue',
+      value: [],
+      ifUndefined: true,
+    },
+    {
+      type: 'defineQueueFunction',
+      name: 'acme',
+      queue: 'acmeQueue',
+      ifUndefined: true,
+    },
+  ],
+  install: [
+    {
+      type: 'callGlobal',
+      global: 'acme',
+      args: ['init', '{{siteId}}'],
+    },
+    {
+      type: 'loadScript',
+      src: 'https://cdn.acme.com/analytics.js?site={{siteId}}',
+      async: true,
+    },
+  ],
+  onConsentGranted: [
+    {
+      type: 'callGlobal',
+      global: 'acme',
+      args: ['consent', true],
+    },
+  ],
+  onConsentDenied: [
+    {
+      type: 'callGlobal',
+      global: 'acme',
+      args: ['consent', false],
+    },
+  ],
+} as const satisfies VendorManifest;
+
+export function acmeAnalytics(siteId: string): Script {
+  return resolveManifest(acmeManifest, { siteId });
+}
+```
+
+## Design Guidelines
+
+When building an integration, prefer these rules:
+
+* Keep helper logic thin. Put behavior in the manifest, not in post-resolution callback mutation.
+* Keep manifests serializable. Avoid helper-only runtime branches where possible.
+* Use explicit config inputs. Avoid generic override bags when a named option is clearer.
+* Use `alwaysLoad` only when the vendor truly manages its own consent correctly.
+* Use `persistAfterConsentRevoked` only when the vendor exposes a real consent toggle and does not need a full reload.
+* Keep vendor-specific naming out of the core DSL when a generic step can express it.
+
+## Testing Checklist
+
+At minimum, test these flows:
+
+1. Initial page load with consent denied.
+2. Initial page load with consent granted.
+3. Consent granted after the script was previously denied.
+4. Consent revoked after the script was previously active.
+5. Existing script element reuse if the script persists after revocation.
+6. Error handling if the vendor global or loader is missing.
+
+If you are contributing to `@c15t/scripts`, add focused engine/helper tests similar to the existing tests in `packages/scripts/src/engine.test.ts` and `packages/scripts/src/helpers.test.ts`.
+
+## Debugging
+
+Use `@c15t/dev-tools` while implementing and testing integrations.
+
+The scripts panel now shows:
+
+* whether a script is loaded, pending, or blocked
+* grouped activity for `onBeforeLoad`, `onLoad`, and `onConsentChange`
+* manifest phase activity such as `bootstrap`, `consent-default`, `setup`, and `afterLoad`
+
+The events panel also records script lifecycle and manifest step events, which is useful when a vendor reads consent too early or a startup step runs in the wrong order.
+
+## When to Stop and Use a Plain Script
+
+Not every integration needs a reusable manifest helper.
+
+If the vendor snippet is tiny, unique to one app, or mostly static, a plain `Script` object in your runtime options is usually the simpler choice. Reach for the manifest system when you need reuse, consistency, structured startup behavior, or a path to server-driven manifests.
+
+## Reference Types
+
+### Script
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|Unique identifier for the script|-|✅ Required|
+|src|string \|undefined|URL of the script to load|-|Optional|
+|textContent|string \|undefined|Inline JavaScript code to execute|-|Optional|
+|category|HasCondition\<AllConsentNames>|Consent category or condition required to load this script|-|✅ Required|
+|callbackOnly|boolean \|undefined|Whether this is a callback-only script that doesn't need to load an external resource. When true, no script tag will be added to the DOM, only callbacks will be executed.|false|Optional|
+|persistAfterConsentRevoked|boolean \|undefined|Whether the script should persist after consent is revoked.|false|Optional|
+|alwaysLoad|boolean \|undefined|Whether the script should always load regardless of consent state. This is useful for scripts like Google Tag Manager or PostHog that manage their own consent state internally. The script will load immediately and never be unloaded based on consent changes. Note: When using this option, you are responsible for ensuring the script itself respects user consent preferences through its own consent management.|false|Optional|
+|fetchPriority|"high" \|"low" \|"auto" \|undefined|Priority hint for browser resource loading|-|Optional|
+|attributes|Record\<string, string> \|undefined|Additional attributes to add to the script element|-|Optional|
+|async|boolean \|undefined|Whether to use async loading|-|Optional|
+|defer|boolean \|undefined|Whether to defer script loading|-|Optional|
+|nonce|string \|undefined|Content Security Policy nonce|-|Optional|
+|anonymizeId|boolean \|undefined|Whether to use an anonymized ID for the script element, this helps ensure the script is not blocked by ad blockers|true|Optional|
+|target|"head" \|"body" \|undefined|Where to inject the script element in the DOM. Options: \`'head'\`: Scripts are appended to \`\<head>\` (default); \`'body'\`: Scripts are appended to \`\<body>\`|'head'|Optional|
+|onBeforeLoad|Object \|undefined|Callback executed before the script is loaded|-|Optional|
+|onLoad|Object \|undefined|Callback executed when the script loads successfully|-|Optional|
+|onError|Object \|undefined|Callback executed if the script fails to load|-|Optional|
+|onConsentChange|Object \|undefined|Callback executed whenever the consent store is changed. This callback only applies to scripts already loaded.|-|Optional|
+|vendorId|string \|number \|undefined|IAB TCF vendor ID - links script to a registered vendor. When in IAB mode, the script will only load if this vendor has consent. Takes precedence over \`category\` when in IAB mode. Use custom vendor IDs (string or number) to gate non-IAB vendors too.|-|Optional|
+|iabPurposes|number\[] \|undefined|IAB TCF purpose IDs this script requires consent for. When in IAB mode and no vendorId is set, the script will only load if ALL specified purposes have consent.|-|Optional|
+|iabLegIntPurposes|number\[] \|undefined|IAB TCF legitimate interest purpose IDs. These purposes can operate under legitimate interest instead of consent. The script loads if all iabPurposes have consent OR all iabLegIntPurposes have legitimate interest established.|-|Optional|
+|iabSpecialFeatures|number\[] \|undefined|IAB TCF special feature IDs this script requires. Options: 1: Use precise geolocation data; 2: Actively scan device characteristics for identification|-|Optional|
+
+#### `onBeforeLoad`
+
+Callback executed before the script is loaded
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onLoad`
+
+Callback executed when the script loads successfully
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onError`
+
+Callback executed if the script fails to load
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onConsentChange`
+
+Callback executed whenever the consent store is changed. This callback only applies to scripts already loaded.
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+### VendorManifest
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|kind|"c15t.vendor-manifest"|Manifest contract identifier.|-|✅ Required|
+|schemaVersion|1|Manifest schema version.|-|✅ Required|
+|vendor|string|Unique vendor identifier (used as Script.id)|-|✅ Required|
+|category|ManifestCategoryCondition|Consent category or condition required to load this vendor|-|✅ Required|
+|alwaysLoad|string \|boolean \|undefined|Load regardless of consent state (vendor manages its own consent internally)|-|Optional|
+|persistAfterConsentRevoked|string \|boolean \|undefined|Keep script in DOM after consent revocation (vendor has a consent API)|-|Optional|
+|bootstrap|ManifestStep \|undefined|Steps that must execute before default consent signaling. This is primarily used for integrations such as Google tags where a stub global must exist before calling the vendor's consent API.|-|Optional|
+|install|ManifestStep|Steps to execute when installing the vendor.|-|✅ Required|
+|afterLoad|ManifestStep \|undefined|Steps to execute after the main script loads|-|Optional|
+|onBeforeLoadGranted|ManifestStep \|undefined|Steps to execute before load when the vendor has consent|-|Optional|
+|onBeforeLoadDenied|ManifestStep \|undefined|Steps to execute before load when the vendor does not have consent|-|Optional|
+|onLoadGranted|ManifestStep \|undefined|Steps to execute after load when the vendor has consent|-|Optional|
+|onLoadDenied|ManifestStep \|undefined|Steps to execute after load when the vendor does not have consent|-|Optional|
+|onConsentChange|ManifestStep \|undefined|Steps to run on any consent state change|-|Optional|
+|onConsentGranted|ManifestStep \|undefined|Steps to run when this vendor's category consent is granted|-|Optional|
+|onConsentDenied|ManifestStep \|undefined|Steps to run when this vendor's category consent is denied|-|Optional|
+|consentMapping|Record\<string, string\[]> \|undefined|Maps c15t consent categories to vendor-specific consent type names. Used with \`consentSignal\` to translate c15t consent state into the vendor's consent API format.|-|Optional|
+|consentSignal|"gtag" \|undefined|How to signal consent state to the vendor|-|Optional|
+|consentSignalTarget|string \|undefined|Target global for consent signaling (defaults based on signal type)|-|Optional|
+
+#### `bootstrap` ManifestStep
+
+Steps that must execute before default consent signaling. This is primarily used for integrations such as Google tags where a stub global must exist before calling the vendor's consent API.
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `install` ManifestStep
+
+Steps to execute when installing the vendor.
+
+* If a \`loadScript\` step exists, its \`src\` becomes \`Script.src\`
+* All non-\`loadScript\` steps run as part of \`onBeforeLoad\`
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `afterLoad` ManifestStep
+
+Steps to execute after the main script loads
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onBeforeLoadGranted` ManifestStep
+
+Steps to execute before load when the vendor has consent
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onBeforeLoadDenied` ManifestStep
+
+Steps to execute before load when the vendor does not have consent
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onLoadGranted` ManifestStep
+
+Steps to execute after load when the vendor has consent
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onLoadDenied` ManifestStep
+
+Steps to execute after load when the vendor does not have consent
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onConsentChange` ManifestStep
+
+Steps to run on any consent state change
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onConsentGranted` ManifestStep
+
+Steps to run when this vendor's category consent is granted
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|
+
+#### `onConsentDenied` ManifestStep
+
+Steps to run when this vendor's category consent is denied
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|type|Object|-|-|✅ Required|