@crelora/mark 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +25 -9
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -2,6 +2,13 @@
2
2
 
3
3
  Mark is Crelora's lightweight attribution SDK for capturing user journeys, conversions, and consent across browsers and server-side runtimes. The npm package includes both browser and Node entry points so you can send consistent data from any surface.
4
4
 
5
+ Use it to feed **OneLence** with first‑party behavioral and conversion data so you can build **analytics**, **insights**, **signals**, and **decisions** on top of a unified event stream.
6
+
7
+ ### API keys and documentation
8
+
9
+ - **Keys:** Publishable keys (`pk_…`) for browser and secret keys (`sk_…`) for server-side use are available in the OneLence dashboard: [API keys](https://onelence.com/dash/settings/api-keys).
10
+ - **Guides:** For integration patterns, alternative integration types (e.g. server-only, tag managers), and deeper technical documentation, see the [Integrations overview](https://onelence.com/docs/integrations/overview).
11
+
5
12
  ## Installation
6
13
 
7
14
  ```bash
@@ -136,7 +143,7 @@ All config options use snake_case. Stored event payloads and database columns ma
136
143
 
137
144
  | Option | Type | Description |
138
145
  | --- | --- | --- |
139
- | `key` | `string` | Publishable (browser) or secret (server) key issued in the Crelora dashboard. |
146
+ | `key` | `string` | Publishable (browser) or secret (server) key from [OneLence API keys](https://onelence.com/dash/settings/api-keys). |
140
147
  | `debug` | `boolean` | Enables verbose console logging to help with integration tests. |
141
148
  | `before_send` | `(event) => event \| null` | Mutate/redact payloads before send, or return `null` to drop events. |
142
149
  | `on_error` | `(error, event?) => void` | Hook for transport and queue failures. |
@@ -147,6 +154,7 @@ All config options use snake_case. Stored event payloads and database columns ma
147
154
  | `rotate_visitor_on_consent_change` | `boolean` | Rotate `visitor_id` after denied -> granted transition. |
148
155
  | `batching` | `{ enabled?: boolean, max_size?: number, flush_interval_ms?: number, endpoint_path?: string }` | Optional batch mode (`/events` by default). |
149
156
  | `require_consent` | `boolean \| 'auto'` | `true` blocks tracking until consent is granted, `'auto'` requires stored granted consent and treats missing consent as denied, default `false` (`'auto'` recommended for production). |
157
+ | `consent_source` | `{ type: 'tcf', purposes: number[] }` | Optional **IAB TCF v2** integration: the SDK listens for CMP updates and only allows tracking when the listed numeric purpose IDs are consented. Combine with `require_consent` and `setConsent` as your legal team requires. |
150
158
  | `autocapture` | `{ pageview?: boolean, click?: boolean \| { selector?: string }, form_submit?: boolean, outbound_link?: boolean, scroll_depth?: boolean, web_vitals?: boolean }` | Auto-capture toggles for page views and optional interaction/perf signals. |
151
159
  | `track_route_changes` | `boolean` | When `autocapture.pageview` is true, also emits on SPA route changes (pushState/replaceState/popstate); defaults to `true`. |
152
160
  | `include_page_context` | `boolean` | When true (default), enriches events with `page`, `title`, `referrer`, `site` (full `url` is only sent if you pass it explicitly in payload). |
@@ -163,13 +171,21 @@ Server runtimes can also pass `storage`, `storageDefaults`, or `transport` via `
163
171
 
164
172
  ## Consent & Privacy
165
173
 
166
- - Call `setConsent('denied')` to immediately halt tracking when visitors opt out and clear stored attribution/cookie identity state.
167
- - Use `require_consent: true` (or `'auto'`) to make the SDK wait until a positive consent signal is received.
168
- - In `'auto'` mode, missing consent is treated as denied until consent is explicitly granted.
169
- - Event payloads cannot bypass consent checks.
170
- - Attribution parameters are not persisted pre-consent; they are held in runtime memory until consent is granted.
171
- - Cross-domain mode supports first-party iframe bridges so identifiers remain in your control.
172
- - IP/Geo: IP is never taken from the browser; it is captured server-side, hashed, and used to derive coarse geo (country/region/city, coarse lat/lon) when allowed by consent/tenant settings.
174
+ These behaviors matter for **compliance-sensitive** setups (GDPR-style consent, CMPs, enterprise security reviews):
175
+
176
+ - **Consent gating:** Use `require_consent: true` or `'auto'` so events and `identify` only run after a positive consent signal. In `'auto'` mode, missing consent is treated as denied until `setConsent('granted')`.
177
+ - **TCF v2:** Set `consent_source: { type: 'tcf', purposes: [/* IAB purpose IDs */] }` so tracking follows your CMP’s current purpose consents (the SDK subscribes to CMP updates rather than relying on a one-time read).
178
+ - **Withdrawal:** `setConsent('denied')` stops tracking and clears stored attribution plus cookie-backed visitor identity where applicable.
179
+ - **Stricter identity hygiene:** Enable `rotate_visitor_on_consent_change` if you want a fresh `visitor_id` after a denied → granted transition.
180
+ - **DNT / GPC:** `honor_dnt: true` blocks tracking when the browser reports Do Not Track or Global Privacy Control.
181
+ - **Data minimization:** Use `before_send` to strip or redact fields before they leave the client; use `on_error` for observability without logging raw payloads.
182
+ - **Payloads cannot bypass consent** via event properties; reserved fields are sanitized.
183
+ - **Pre-consent attribution:** URL attribution is held in memory only until consent is granted, then persisted.
184
+ - **Cross-domain:** First-party iframe bridges keep identifiers under your control.
185
+ - **Delivery without long-lived local queues:** Failed sends can be retried from a browser outbox with a **48-hour TTL**; on tab hide / unload, pending items are flushed with **`sendBeacon`** where possible to improve delivery without weakening consent checks.
186
+ - **IP / geo:** IP is not read in the browser; it is taken server-side, hashed, and used for coarse geo only when allowed by consent and tenant settings.
187
+
188
+ For product-level privacy commitments and processor terms, rely on your OneLence agreement and [documentation](https://onelence.com/docs/integrations/overview); this README describes SDK behavior only.
173
189
 
174
190
  ## Visitor ID for server attribution
175
191
 
@@ -209,5 +225,5 @@ Mark.identify('user_123', {
209
225
 
210
226
  ## Support
211
227
 
212
- Need help? Reach out through your Crelora account team or file a ticket via the dashboard. Please include the SDK version, runtime (browser or Node), and any reproduction steps so we can assist quickly.
228
+ Need help? Reach out through your account team or file a ticket via the OneLence dashboard. Please include the SDK version, runtime (browser or Node), and any reproduction steps so we can assist quickly.
213
229
 
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@crelora/mark",
3
3
  "private": false,
4
- "version": "0.1.0",
4
+ "version": "0.1.1",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "type": "module",
7
7
  "main": "./dist/browser.umd.js",