@freshjuice/zest 1.0.0 → 2.1.0

package/dist/zest.headless.esm.js

@@ -0,0 +1,2299 @@
+/**
+ * Security utilities - escaping, validation, and safe parsing helpers
+ *
+ * These helpers are used across UI components, URL/CSS validation, and
+ * consent-cookie parsing to provide defense-in-depth against untrusted
+ * config (CMS-driven, i18n-loaded, or attacker-supplied).
+ */
+
+
+/**
+ * Validate a regex pattern string. Rejects patterns that contain known
+ * catastrophic-backtracking shapes (nested quantifiers). Compiles with
+ * try/catch.
+ *
+ * Returns a RegExp on success, null on failure.
+ */
+const REDOS_PATTERNS = [
+  /(\([^)]*[+*][^)]*\)|\[[^\]]*\]|\\w|\\d|\\s)\s*[+*]/, // nested quantifier
+  /\(\?[=!][^)]*[+*][^)]*\)[+*]/, // lookahead with quantifier, then quantifier
+];
+
+function safeRegExp(pattern, flags) {
+  if (pattern instanceof RegExp) return pattern;
+  if (typeof pattern !== 'string') return null;
+
+  // Cap pattern length to limit compiled-regex state
+  if (pattern.length > 500) return null;
+
+  // Heuristic: reject obviously dangerous patterns
+  for (const bad of REDOS_PATTERNS) {
+    if (bad.test(pattern)) return null;
+  }
+
+  try {
+    return new RegExp(pattern, flags);
+  } catch (e) {
+    return null;
+  }
+}
+
+/**
+ * Sanitize a consent-cookie payload. Only known category keys with
+ * boolean values survive; prototype-polluting keys are stripped.
+ */
+const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
+function sanitizeConsentPayload(raw, knownCategoryIds) {
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) return null;
+
+  const result = {
+    version: typeof raw.version === 'string' ? raw.version : null,
+    timestamp: typeof raw.timestamp === 'number' && Number.isFinite(raw.timestamp) ? raw.timestamp : null,
+    categories: {}
+  };
+
+  const cats = raw.categories;
+  if (!cats || typeof cats !== 'object' || Array.isArray(cats)) return null;
+
+  for (const key of knownCategoryIds) {
+    if (FORBIDDEN_KEYS.has(key)) continue;
+    if (Object.prototype.hasOwnProperty.call(cats, key)) {
+      result.categories[key] = cats[key] === true;
+    }
+  }
+
+  // essential is always true regardless of stored value
+  if (knownCategoryIds.includes('essential')) {
+    result.categories.essential = true;
+  }
+
+  return result;
+}
+
+/**
+ * Invoke a user-supplied callback, swallowing and logging exceptions so
+ * a misbehaving callback can't break the consent flow.
+ */
+function safeInvoke(fn, ...args) {
+  if (typeof fn !== 'function') return undefined;
+  try {
+    return fn(...args);
+  } catch (e) {
+    try {
+      console.error('[Zest] User callback threw:', e);
+    } catch (_) {
+      /* no-op */
+    }
+    return undefined;
+  }
+}
+
+/**
+ * Pattern Matcher - Categorizes cookies and storage keys by pattern
+ */
+
+
+/**
+ * Default patterns for each category
+ */
+const DEFAULT_PATTERNS = {
+  essential: [
+    /^zest_/,
+    /^csrf/i,
+    /^xsrf/i,
+    /^session/i,
+    /^__host-/i,
+    /^__secure-/i
+  ],
+  functional: [
+    /^lang/i,
+    /^locale/i,
+    /^theme/i,
+    /^preferences/i,
+    /^ui_/i
+  ],
+  analytics: [
+    /^_ga/,
+    /^_gid/,
+    /^_gat/,
+    /^_utm/,
+    /^__utm/,
+    /^plausible/i,
+    /^_pk_/,
+    /^matomo/i,
+    /^_hj/,
+    /^ajs_/
+  ],
+  marketing: [
+    /^_fbp/,
+    /^_fbc/,
+    /^_gcl/,
+    /^_ttp/,
+    /^ads/i,
+    /^doubleclick/i,
+    /^__gads/,
+    /^__gpi/,
+    /^_pin_/,
+    /^li_/
+  ]
+};
+
+let patterns = { ...DEFAULT_PATTERNS };
+
+/**
+ * Set custom patterns. User-supplied strings are validated with safeRegExp,
+ * which rejects catastrophic-backtracking shapes and syntax errors.
+ * Invalid patterns are silently dropped with a console warning.
+ */
+function setPatterns(customPatterns) {
+  patterns = { ...DEFAULT_PATTERNS };
+  if (!customPatterns || typeof customPatterns !== 'object') return;
+
+  for (const [category, regexList] of Object.entries(customPatterns)) {
+    if (!Array.isArray(regexList)) continue;
+
+    const compiled = [];
+    for (const p of regexList) {
+      const re = safeRegExp(p);
+      if (re) {
+        compiled.push(re);
+      } else {
+        try {
+          console.warn('[Zest] Rejected unsafe pattern:', p);
+        } catch (_) { /* no-op */ }
+      }
+    }
+    patterns[category] = compiled;
+  }
+}
+
+/**
+ * Determine category for a cookie/storage key name
+ * @param {string} name - Cookie or storage key name
+ * @returns {string} Category ID (defaults to 'marketing' for unknown)
+ */
+function getCategoryForName(name) {
+  for (const [category, regexList] of Object.entries(patterns)) {
+    if (regexList.some(regex => regex.test(name))) {
+      return category;
+    }
+  }
+  // Unknown items default to marketing (strictest)
+  return 'marketing';
+}
+
+/**
+ * Parse cookie string to extract name
+ * @param {string} cookieString - Full cookie string (e.g., "name=value; path=/")
+ * @returns {string|null} Cookie name or null
+ */
+function parseCookieName(cookieString) {
+  const match = cookieString.match(/^([^=]+)/);
+  return match ? match[1].trim() : null;
+}
+
+/**
+ * Cookie Interceptor - Intercepts document.cookie operations
+ */
+
+
+// Store original descriptor
+let originalCookieDescriptor = null;
+
+// Upper bound on the number of queued cookies awaiting consent replay.
+// An unbounded queue is a memory-exhaustion DoS vector — a hostile
+// script could flood it with document.cookie writes.
+const MAX_QUEUE_SIZE$2 = 100;
+
+// Queue for blocked cookies
+const cookieQueue = [];
+
+// Reference to consent checker function
+let checkConsent$3 = () => false;
+
+/**
+ * Set the consent checker function
+ */
+function setConsentChecker$2(fn) {
+  checkConsent$3 = fn;
+}
+
+/**
+ * Get the original cookie descriptor
+ */
+function getOriginalCookieDescriptor() {
+  return originalCookieDescriptor;
+}
+
+/**
+ * Replay queued cookies for allowed categories
+ */
+function replayCookies(allowedCategories) {
+  const remaining = [];
+
+  for (const item of cookieQueue) {
+    if (allowedCategories.includes(item.category)) {
+      // Set the cookie using original setter
+      if (originalCookieDescriptor?.set) {
+        originalCookieDescriptor.set.call(document, item.value);
+      }
+    } else {
+      remaining.push(item);
+    }
+  }
+
+  cookieQueue.length = 0;
+  cookieQueue.push(...remaining);
+}
+
+/**
+ * Start intercepting cookies
+ */
+function interceptCookies() {
+  // Store original
+  originalCookieDescriptor = Object.getOwnPropertyDescriptor(Document.prototype, 'cookie');
+
+  if (!originalCookieDescriptor) {
+    console.warn('[Zest] Could not get cookie descriptor');
+    return false;
+  }
+
+  Object.defineProperty(document, 'cookie', {
+    get() {
+      // Always allow reading
+      return originalCookieDescriptor.get.call(document);
+    },
+    set(value) {
+      const name = parseCookieName(value);
+      if (!name) {
+        return;
+      }
+
+      const category = getCategoryForName(name);
+
+      if (checkConsent$3(category)) {
+        // Consent given - set cookie
+        originalCookieDescriptor.set.call(document, value);
+      } else if (cookieQueue.length < MAX_QUEUE_SIZE$2) {
+        // No consent - queue for later (capped to prevent DoS)
+        cookieQueue.push({
+          value,
+          name,
+          category,
+          timestamp: Date.now()
+        });
+      }
+    },
+    // configurable: false prevents a later-loaded script from
+    // overriding our descriptor and bypassing the interceptor.
+    configurable: false
+  });
+
+  return true;
+}
+
+/**
+ * Storage Interceptor - Intercepts localStorage and sessionStorage operations
+ */
+
+
+// Upper bound on queued operations awaiting consent replay — unbounded
+// growth would be a memory-exhaustion DoS vector.
+const MAX_QUEUE_SIZE$1 = 200;
+
+// Store originals
+let originalLocalStorage = null;
+let originalSessionStorage = null;
+
+// Queues for blocked operations
+const localStorageQueue = [];
+const sessionStorageQueue = [];
+
+// Reference to consent checker function
+let checkConsent$2 = () => false;
+
+/**
+ * Set the consent checker function
+ */
+function setConsentChecker$1(fn) {
+  checkConsent$2 = fn;
+}
+
+/**
+ * Create a proxy for storage API
+ */
+function createStorageProxy(storage, queue, storageName) {
+  return new Proxy(storage, {
+    get(target, prop) {
+      if (prop === 'setItem') {
+        return (key, value) => {
+          const category = getCategoryForName(key);
+
+          if (checkConsent$2(category)) {
+            target.setItem(key, value);
+          } else if (queue.length < MAX_QUEUE_SIZE$1) {
+            queue.push({
+              key,
+              value,
+              category,
+              timestamp: Date.now()
+            });
+          }
+        };
+      }
+
+      // Allow all other operations
+      const val = target[prop];
+      return typeof val === 'function' ? val.bind(target) : val;
+    }
+  });
+}
+
+/**
+ * Replay queued storage operations for allowed categories
+ */
+function replayStorage(allowedCategories) {
+  // Replay localStorage
+  const remainingLocal = [];
+  for (const item of localStorageQueue) {
+    if (allowedCategories.includes(item.category)) {
+      originalLocalStorage?.setItem(item.key, item.value);
+    } else {
+      remainingLocal.push(item);
+    }
+  }
+  localStorageQueue.length = 0;
+  localStorageQueue.push(...remainingLocal);
+
+  // Replay sessionStorage
+  const remainingSession = [];
+  for (const item of sessionStorageQueue) {
+    if (allowedCategories.includes(item.category)) {
+      originalSessionStorage?.setItem(item.key, item.value);
+    } else {
+      remainingSession.push(item);
+    }
+  }
+  sessionStorageQueue.length = 0;
+  sessionStorageQueue.push(...remainingSession);
+}
+
+/**
+ * Start intercepting storage APIs
+ */
+function interceptStorage() {
+  try {
+    originalLocalStorage = window.localStorage;
+    originalSessionStorage = window.sessionStorage;
+
+    Object.defineProperty(window, 'localStorage', {
+      value: createStorageProxy(originalLocalStorage, localStorageQueue, 'localStorage'),
+      configurable: true,
+      writable: false
+    });
+
+    Object.defineProperty(window, 'sessionStorage', {
+      value: createStorageProxy(originalSessionStorage, sessionStorageQueue, 'sessionStorage'),
+      configurable: true,
+      writable: false
+    });
+
+    return true;
+  } catch (e) {
+    console.warn('[Zest] Could not intercept storage APIs:', e);
+    return false;
+  }
+}
+
+/**
+ * Known Trackers - Lists of known tracking script domains by category
+ */
+
+/**
+ * Safe mode - Major, well-known trackers only
+ */
+const SAFE_TRACKERS = {
+  analytics: [
+    'google-analytics.com',
+    'www.google-analytics.com',
+    'analytics.google.com',
+    'googletagmanager.com',
+    'www.googletagmanager.com',
+    'plausible.io',
+    'cloudflareinsights.com',
+    'static.cloudflareinsights.com'
+  ],
+  marketing: [
+    'connect.facebook.net',
+    'www.facebook.com/tr',
+    'ads.google.com',
+    'www.googleadservices.com',
+    'googleads.g.doubleclick.net',
+    'pagead2.googlesyndication.com'
+  ]
+};
+
+/**
+ * Strict mode - Extended list including less common trackers
+ */
+const STRICT_TRACKERS = {
+  analytics: [
+    ...SAFE_TRACKERS.analytics,
+    'analytics.tiktok.com',
+    'matomo.', // partial match
+    'hotjar.com',
+    'static.hotjar.com',
+    'script.hotjar.com',
+    'clarity.ms',
+    'www.clarity.ms',
+    'heapanalytics.com',
+    'cdn.heapanalytics.com',
+    'mixpanel.com',
+    'cdn.mxpnl.com',
+    'segment.com',
+    'cdn.segment.com',
+    'api.segment.io',
+    'fullstory.com',
+    'rs.fullstory.com',
+    'amplitude.com',
+    'cdn.amplitude.com',
+    'mouseflow.com',
+    'cdn.mouseflow.com',
+    'luckyorange.com',
+    'cdn.luckyorange.net',
+    'crazyegg.com',
+    'script.crazyegg.com'
+  ],
+  marketing: [
+    ...SAFE_TRACKERS.marketing,
+    'snap.licdn.com',
+    'px.ads.linkedin.com',
+    'ads.linkedin.com',
+    'analytics.twitter.com',
+    'static.ads-twitter.com',
+    't.co',
+    'analytics.tiktok.com',
+    'ads.tiktok.com',
+    'sc-static.net', // Snapchat
+    'tr.snapchat.com',
+    'ct.pinterest.com',
+    'pintrk.com',
+    's.pinimg.com',
+    'widgets.pinterest.com',
+    'bat.bing.com',
+    'ads.yahoo.com',
+    'sp.analytics.yahoo.com',
+    'amazon-adsystem.com',
+    'z-na.amazon-adsystem.com',
+    'criteo.com',
+    'static.criteo.net',
+    'dis.criteo.com',
+    'taboola.com',
+    'cdn.taboola.com',
+    'trc.taboola.com',
+    'outbrain.com',
+    'widgets.outbrain.com',
+    'adroll.com',
+    's.adroll.com'
+  ],
+  functional: [
+    'cdn.onesignal.com',
+    'onesignal.com',
+    'pusher.com',
+    'js.pusher.com',
+    'intercom.io',
+    'widget.intercom.io',
+    'js.intercomcdn.com',
+    'crisp.chat',
+    'client.crisp.chat',
+    'cdn.livechatinc.com',
+    'livechatinc.com',
+    'tawk.to',
+    'embed.tawk.to',
+    'zendesk.com',
+    'static.zdassets.com'
+  ]
+};
+
+/**
+ * Check if a URL matches any tracker in the list.
+ *
+ * Matching is restricted to hostname (and, when the list entry contains
+ * a path, the URL path prefix). A naive `fullUrl.includes(domain)` was
+ * previously used, which would false-positive on e.g.
+ *   https://mysite.com/page?ref=google-analytics.com
+ */
+function matchesTrackerList(url, trackerList) {
+  let urlObj;
+  try {
+    urlObj = new URL(url);
+  } catch (e) {
+    return false;
+  }
+  const hostname = urlObj.hostname.toLowerCase();
+  const path = urlObj.pathname.toLowerCase();
+
+  for (const rawEntry of trackerList) {
+    if (typeof rawEntry !== 'string') continue;
+    const entry = rawEntry.toLowerCase();
+
+    // Partial-prefix match on hostname (entry ends with a dot),
+    // e.g. "matomo." matches "analytics.matomo.cloud"
+    if (entry.endsWith('.')) {
+      const needle = entry.slice(0, -1);
+      const segments = hostname.split('.');
+      if (segments.some(seg => seg === needle) || hostname.startsWith(entry)) {
+        return true;
+      }
+      continue;
+    }
+
+    // Entries containing a slash specify hostname + path prefix
+    const slashIdx = entry.indexOf('/');
+    if (slashIdx !== -1) {
+      const entryHost = entry.slice(0, slashIdx);
+      const entryPath = entry.slice(slashIdx);
+      if ((hostname === entryHost || hostname.endsWith('.' + entryHost)) &&
+          path.startsWith(entryPath)) {
+        return true;
+      }
+      continue;
+    }
+
+    // Plain hostname: exact or subdomain match only
+    if (hostname === entry || hostname.endsWith('.' + entry)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Get category for a script URL based on tracker lists
+ */
+function getCategoryForScript(url, mode = 'safe') {
+  const trackers = mode === 'strict' ? STRICT_TRACKERS : SAFE_TRACKERS;
+
+  for (const [category, domains] of Object.entries(trackers)) {
+    if (matchesTrackerList(url, domains)) {
+      return category;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Check if URL is third-party (different domain)
+ */
+function isThirdParty(url) {
+  try {
+    const scriptHost = new URL(url).hostname;
+    const pageHost = window.location.hostname;
+
+    // Remove www. for comparison
+    const normalizeHost = (h) => h.replace(/^www\./, '');
+
+    return normalizeHost(scriptHost) !== normalizeHost(pageHost);
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Script Blocker - Blocks and manages consent-gated scripts
+ *
+ * Modes:
+ * - manual: Only blocks scripts with data-consent-category attribute
+ * - safe: Manual + known major trackers (Google, Facebook, etc.)
+ * - strict: Safe + extended tracker list (Hotjar, Mixpanel, etc.)
+ * - doomsday: Block ALL third-party scripts
+ */
+
+
+// Categories the author has declared blockable. A script can self-label
+// into one of these, but not into 'essential' (a common bypass).
+const BLOCKABLE_CATEGORIES = new Set(['functional', 'analytics', 'marketing']);
+
+// Upper bound on queued scripts awaiting consent replay — prevents a
+// hostile page from flooding the queue with <script> nodes.
+const MAX_QUEUE_SIZE = 500;
+
+// Queue for blocked scripts — the authoritative source for replay,
+// snapshotting src/inline BEFORE any DOM mutation so later tampering
+// cannot hijack what gets executed.
+const scriptQueue = [];
+
+// MutationObserver instance
+let observer = null;
+
+// Current blocking mode
+let blockingMode = 'safe';
+
+// Custom blocked domains (user-defined)
+let customBlockedDomains = [];
+
+// Reference to consent checker function
+let checkConsent$1 = () => false;
+
+/**
+ * Set the consent checker function
+ */
+function setConsentChecker(fn) {
+  checkConsent$1 = fn;
+}
+
+/**
+ * Check if script URL matches custom blocked domains
+ */
+function matchesCustomDomains(url) {
+  if (!url || customBlockedDomains.length === 0) return null;
+
+  try {
+    const hostname = new URL(url).hostname.toLowerCase();
+
+    for (const entry of customBlockedDomains) {
+      const domain = typeof entry === 'string' ? entry : entry.domain;
+      const category = typeof entry === 'string' ? 'marketing' : (entry.category || 'marketing');
+
+      if (hostname === domain || hostname.endsWith('.' + domain)) {
+        return category;
+      }
+    }
+  } catch (e) {
+    // Invalid URL
+  }
+
+  return null;
+}
+
+/**
+ * Determine if a script should be blocked and get its category.
+ *
+ * A self-applied 'essential' label is ignored — only explicit blockable
+ * categories are accepted. That prevents a third-party script from
+ * stamping itself with data-consent-category="essential" to slip past
+ * mode-based blocking.
+ */
+function getScriptBlockCategory(script) {
+  // Skip if script has data-zest-allow attribute (opt-out)
+  if (script.hasAttribute('data-zest-allow')) {
+    return null;
+  }
+
+  // 1. Check for explicit data-consent-category attribute.
+  // Only honor values from the blockable set; 'essential' and unknown
+  // values fall through to the other checks.
+  const explicitCategory = script.getAttribute('data-consent-category');
+  const explicitBlockable = explicitCategory && BLOCKABLE_CATEGORIES.has(explicitCategory)
+    ? explicitCategory
+    : null;
+
+  const src = script.src;
+
+  // No src = inline script, only block if explicitly tagged (blockable only)
+  if (!src) {
+    return explicitBlockable;
+  }
+
+  // 2. Check custom blocked domains
+  const customCategory = matchesCustomDomains(src);
+
+  // 3. Mode-based blocking
+  let modeCategory = null;
+  switch (blockingMode) {
+    case 'manual':
+      break;
+
+    case 'safe':
+    case 'strict':
+      modeCategory = getCategoryForScript(src, blockingMode);
+      break;
+
+    case 'doomsday':
+      if (isThirdParty(src)) {
+        modeCategory = getCategoryForScript(src, 'strict') || 'marketing';
+      }
+      break;
+  }
+
+  // Use the strictest category among explicit/custom/mode decisions.
+  // We collect all categories the script matches and pick the first
+  // that appears in the blockable set (any match wins — but we prefer
+  // the mode-assigned one since it's authoritative for third-party
+  // trackers that try to self-label as 'functional').
+  return modeCategory || customCategory || explicitBlockable;
+}
+
+/**
+ * Block a script element
+ */
+function blockScript(script) {
+  // Skip already processed scripts
+  if (script.hasAttribute('data-zest-processed')) {
+    return false;
+  }
+
+  const category = getScriptBlockCategory(script);
+
+  if (!category) {
+    script.setAttribute('data-zest-processed', 'allowed');
+    return false;
+  }
+
+  if (checkConsent$1(category)) {
+    // Consent already given - allow script
+    script.setAttribute('data-zest-processed', 'allowed');
+    return false;
+  }
+
+  // Store script info for later execution. Snapshot the src/text BEFORE
+  // mutating the DOM — this snapshot is the authoritative replay source
+  // so later DOM tampering cannot hijack the replayed script URL.
+  const scriptInfo = {
+    category,
+    src: script.src || '',
+    inline: script.textContent,
+    type: script.type,
+    async: script.async,
+    defer: script.defer,
+    element: script,
+    timestamp: Date.now()
+  };
+
+  // Mark as processed
+  script.setAttribute('data-zest-processed', 'blocked');
+  script.setAttribute('data-consent-category', category);
+
+  // Disable the script
+  script.type = 'text/plain';
+
+  // Remove src to prevent loading. We no longer stash it on the element
+  // (data-blocked-src was a tampering vector); scriptQueue is the single
+  // source of truth for replay.
+  if (script.src) {
+    script.removeAttribute('src');
+  }
+
+  if (scriptQueue.length < MAX_QUEUE_SIZE) {
+    scriptQueue.push(scriptInfo);
+  }
+  return true;
+}
+
+/**
+ * Replay queued scripts for allowed categories.
+ *
+ * scriptQueue is the single source of truth for src and inline body —
+ * we never re-read data-* attributes from the DOM (which an attacker
+ * could have rewritten in the intervening time).
+ */
+function replayScripts(allowedCategories) {
+  const remaining = [];
+
+  for (const scriptInfo of scriptQueue) {
+    if (!allowedCategories.includes(scriptInfo.category)) {
+      remaining.push(scriptInfo);
+      continue;
+    }
+
+    const newScript = document.createElement('script');
+    if (scriptInfo.src) {
+      newScript.src = scriptInfo.src;
+    } else if (scriptInfo.inline) {
+      newScript.textContent = scriptInfo.inline;
+    }
+    if (scriptInfo.async) newScript.async = true;
+    if (scriptInfo.defer) newScript.defer = true;
+    if (scriptInfo.type && scriptInfo.type !== 'text/plain') {
+      newScript.type = scriptInfo.type;
+    }
+    newScript.setAttribute('data-zest-processed', 'executed');
+    newScript.setAttribute('data-consent-executed', 'true');
+
+    // If the original element is still in the DOM, replace it in place
+    // so execution order is preserved. Otherwise append to <head>.
+    const original = scriptInfo.element;
+    if (original && original.isConnected && original.parentNode) {
+      original.parentNode.replaceChild(newScript, original);
+    } else {
+      document.head.appendChild(newScript);
+    }
+  }
+
+  scriptQueue.length = 0;
+  scriptQueue.push(...remaining);
+}
+
+/**
+ * Process existing scripts in the DOM
+ */
+function processExistingScripts() {
+  const scripts = document.querySelectorAll('script:not([data-zest-processed])');
+  scripts.forEach(blockScript);
+}
+
+/**
+ * Handle mutations (new scripts added to DOM)
+ */
+function handleMutations(mutations) {
+  for (const mutation of mutations) {
+    for (const node of mutation.addedNodes) {
+      if (node.nodeName === 'SCRIPT' && !node.hasAttribute('data-zest-processed')) {
+        blockScript(node);
+      }
+
+      // Check child scripts
+      if (node.querySelectorAll) {
+        const scripts = node.querySelectorAll('script:not([data-zest-processed])');
+        scripts.forEach(blockScript);
+      }
+    }
+  }
+}
+
+/**
+ * Start observing for new scripts
+ */
+function startScriptBlocking(mode = 'safe', customDomains = []) {
+  blockingMode = mode;
+  customBlockedDomains = customDomains;
+
+  // Process existing scripts
+  processExistingScripts();
+
+  // Watch for new scripts
+  observer = new MutationObserver(handleMutations);
+
+  observer.observe(document.documentElement, {
+    childList: true,
+    subtree: true
+  });
+
+  return true;
+}
+
+/**
+ * Default consent categories
+ */
+const DEFAULT_CATEGORIES = {
+  essential: {
+    id: 'essential',
+    label: 'Essential',
+    description: 'Required for the website to function properly. Cannot be disabled.',
+    required: true,
+    default: true
+  },
+  functional: {
+    id: 'functional',
+    label: 'Functional',
+    description: 'Enable personalized features like language preferences and themes.',
+    required: false,
+    default: false
+  },
+  analytics: {
+    id: 'analytics',
+    label: 'Analytics',
+    description: 'Help us understand how visitors interact with our website.',
+    required: false,
+    default: false
+  },
+  marketing: {
+    id: 'marketing',
+    label: 'Marketing',
+    description: 'Used to deliver relevant advertisements and track campaign performance.',
+    required: false,
+    default: false
+  }
+};
+
+/**
+ * Default consent state
+ */
+function getDefaultConsent() {
+  return {
+    essential: true,
+    functional: false,
+    analytics: false,
+    marketing: false
+  };
+}
+
+/**
+ * Get all category IDs
+ */
+function getCategoryIds() {
+  return Object.keys(DEFAULT_CATEGORIES);
+}
+
+/**
+ * Do Not Track (DNT) Detection
+ *
+ * Detects browser DNT/GPC signals for privacy compliance
+ */
+
+/**
+ * Check if Do Not Track is enabled
+ * Checks both DNT header and Global Privacy Control (GPC)
+ */
+function isDoNotTrackEnabled() {
+  if (typeof navigator === 'undefined') {
+    return false;
+  }
+
+  // Check DNT (Do Not Track)
+  // Values: "1" = enabled, "0" = disabled, null/undefined = not set
+  const dnt = navigator.doNotTrack ||
+              window.doNotTrack ||
+              navigator.msDoNotTrack;
+
+  if (dnt === '1' || dnt === 'yes' || dnt === true) {
+    return true;
+  }
+
+  // Check GPC (Global Privacy Control) - newer standard
+  // https://globalprivacycontrol.org/
+  if (navigator.globalPrivacyControl === true) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Get DNT signal details for logging/debugging
+ */
+function getDNTDetails() {
+  if (typeof navigator === 'undefined') {
+    return { enabled: false, source: null };
+  }
+
+  const dnt = navigator.doNotTrack ||
+              window.doNotTrack ||
+              navigator.msDoNotTrack;
+
+  if (dnt === '1' || dnt === 'yes' || dnt === true) {
+    return { enabled: true, source: 'dnt' };
+  }
+
+  if (navigator.globalPrivacyControl === true) {
+    return { enabled: true, source: 'gpc' };
+  }
+
+  return { enabled: false, source: null };
+}
+
+/**
+ * Consent Signals - Optional vendor consent mode integrations
+ *
+ * Pushes consent state to Google Consent Mode v2 and/or Microsoft UET
+ * Consent Mode when enabled via config.
+ */
+
+/**
+ * Map Zest consent state to Google Consent Mode v2 signals
+ */
+function toGoogleSignals(consent) {
+  const g = (val) => val ? 'granted' : 'denied';
+  return {
+    ad_storage: g(consent.marketing),
+    ad_user_data: g(consent.marketing),
+    ad_personalization: g(consent.marketing),
+    analytics_storage: g(consent.analytics),
+    functionality_storage: 'granted', // essential is always true
+    personalization_storage: g(consent.functional)
+  };
+}
+
+/**
+ * Push consent signal to Google via gtag or dataLayer fallback.
+ * Uses a local function to preserve the `arguments` object shape
+ * that gtag/dataLayer expects (not an array).
+ */
+function pushGoogle(type, signals) {
+  window.dataLayer = window.dataLayer || [];
+  if (typeof window.gtag === 'function') {
+    window.gtag('consent', type, signals);
+  } else {
+    function gtagFallback() { window.dataLayer.push(arguments); }
+    gtagFallback('consent', type, signals);
+  }
+}
+
+/**
+ * Map Zest consent state to Microsoft UET signal.
+ * Microsoft UET only exposes ad_storage.
+ */
+function toMicrosoftSignals(consent) {
+  return { ad_storage: consent.marketing ? 'granted' : 'denied' };
+}
+
+/**
+ * Push consent signal to Microsoft UET
+ */
+function pushMicrosoft(type, signals) {
+  window.uetq = window.uetq || [];
+  window.uetq.push('consent', type, signals);
+}
+
+/**
+ * Apply consent signals to enabled vendor integrations.
+ *
+ * @param {Object} consent    Current Zest consent state
+ * @param {Object} config     Merged Zest config
+ * @param {boolean} isDefault true on first call (pushes 'default'), false for updates
+ */
+function applyConsentSignals(consent, config, isDefault) {
+  const type = isDefault ? 'default' : 'update';
+
+  if (config.consentModeGoogle) {
+    pushGoogle(type, toGoogleSignals(consent));
+  }
+
+  if (config.consentModeMicrosoft) {
+    pushMicrosoft(type, toMicrosoftSignals(consent));
+  }
+}
+
+/**
+ * Built-in translations for Zest
+ * Language is auto-detected from <html lang=""> or navigator.language
+ */
+
+const translations = {
+  en: {
+    labels: {
+      banner: {
+        title: 'We value your privacy',
+        description: 'We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.',
+        acceptAll: 'Accept All',
+        rejectAll: 'Reject All',
+        settings: 'Settings'
+      },
+      modal: {
+        title: 'Privacy Settings',
+        description: 'Manage your cookie preferences. You can enable or disable different types of cookies below.',
+        save: 'Save Preferences',
+        acceptAll: 'Accept All',
+        rejectAll: 'Reject All'
+      },
+      widget: {
+        label: 'Cookie Settings'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Essential',
+        description: 'Required for the website to function properly. Cannot be disabled.'
+      },
+      functional: {
+        label: 'Functional',
+        description: 'Enable personalized features like language preferences and themes.'
+      },
+      analytics: {
+        label: 'Analytics',
+        description: 'Help us understand how visitors interact with our website.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Used to deliver relevant advertisements and track campaign performance.'
+      }
+    }
+  },
+
+  de: {
+    labels: {
+      banner: {
+        title: 'Wir respektieren Ihre Privatsphäre',
+        description: 'Wir verwenden Cookies, um Ihr Surferlebnis zu verbessern, personalisierte Inhalte bereitzustellen und unseren Datenverkehr zu analysieren. Mit einem Klick auf „Alle akzeptieren" stimmen Sie der Verwendung von Cookies zu.',
+        acceptAll: 'Alle akzeptieren',
+        rejectAll: 'Alle ablehnen',
+        settings: 'Einstellungen'
+      },
+      modal: {
+        title: 'Datenschutzeinstellungen',
+        description: 'Verwalten Sie Ihre Cookie-Einstellungen. Sie können verschiedene Arten von Cookies unten aktivieren oder deaktivieren.',
+        save: 'Einstellungen speichern',
+        acceptAll: 'Alle akzeptieren',
+        rejectAll: 'Alle ablehnen'
+      },
+      widget: {
+        label: 'Cookie-Einstellungen'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Notwendig',
+        description: 'Erforderlich für die ordnungsgemäße Funktion der Website. Können nicht deaktiviert werden.'
+      },
+      functional: {
+        label: 'Funktional',
+        description: 'Ermöglichen personalisierte Funktionen wie Spracheinstellungen und Designs.'
+      },
+      analytics: {
+        label: 'Analytisch',
+        description: 'Helfen uns zu verstehen, wie Besucher mit unserer Website interagieren.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Werden verwendet, um relevante Werbung anzuzeigen und die Kampagnenleistung zu messen.'
+      }
+    }
+  },
+
+  es: {
+    labels: {
+      banner: {
+        title: 'Valoramos tu privacidad',
+        description: 'Utilizamos cookies para mejorar tu experiencia de navegación, ofrecer contenido personalizado y analizar nuestro tráfico. Al hacer clic en "Aceptar todo", consientes el uso de cookies.',
+        acceptAll: 'Aceptar todo',
+        rejectAll: 'Rechazar todo',
+        settings: 'Configuración'
+      },
+      modal: {
+        title: 'Configuración de privacidad',
+        description: 'Gestiona tus preferencias de cookies. Puedes activar o desactivar diferentes tipos de cookies a continuación.',
+        save: 'Guardar preferencias',
+        acceptAll: 'Aceptar todo',
+        rejectAll: 'Rechazar todo'
+      },
+      widget: {
+        label: 'Configuración de cookies'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Esenciales',
+        description: 'Necesarias para el funcionamiento del sitio web. No se pueden desactivar.'
+      },
+      functional: {
+        label: 'Funcionales',
+        description: 'Permiten funciones personalizadas como preferencias de idioma y temas.'
+      },
+      analytics: {
+        label: 'Analíticas',
+        description: 'Nos ayudan a entender cómo los visitantes interactúan con nuestro sitio web.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Se utilizan para mostrar anuncios relevantes y medir el rendimiento de las campañas.'
+      }
+    }
+  },
+
+  fr: {
+    labels: {
+      banner: {
+        title: 'Nous respectons votre vie privée',
+        description: 'Nous utilisons des cookies pour améliorer votre expérience de navigation, proposer du contenu personnalisé et analyser notre trafic. En cliquant sur « Tout accepter », vous consentez à l\'utilisation de cookies.',
+        acceptAll: 'Tout accepter',
+        rejectAll: 'Tout refuser',
+        settings: 'Paramètres'
+      },
+      modal: {
+        title: 'Paramètres de confidentialité',
+        description: 'Gérez vos préférences en matière de cookies. Vous pouvez activer ou désactiver différents types de cookies ci-dessous.',
+        save: 'Enregistrer les préférences',
+        acceptAll: 'Tout accepter',
+        rejectAll: 'Tout refuser'
+      },
+      widget: {
+        label: 'Paramètres des cookies'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Essentiels',
+        description: 'Nécessaires au bon fonctionnement du site. Ne peuvent pas être désactivés.'
+      },
+      functional: {
+        label: 'Fonctionnels',
+        description: 'Permettent des fonctionnalités personnalisées comme les préférences de langue et de thème.'
+      },
+      analytics: {
+        label: 'Analytiques',
+        description: 'Nous aident à comprendre comment les visiteurs interagissent avec notre site.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Utilisés pour afficher des publicités pertinentes et mesurer les performances des campagnes.'
+      }
+    }
+  },
+
+  it: {
+    labels: {
+      banner: {
+        title: 'Rispettiamo la tua privacy',
+        description: 'Utilizziamo i cookie per migliorare la tua esperienza di navigazione, fornire contenuti personalizzati e analizzare il nostro traffico. Cliccando su "Accetta tutto", acconsenti all\'uso dei cookie.',
+        acceptAll: 'Accetta tutto',
+        rejectAll: 'Rifiuta tutto',
+        settings: 'Impostazioni'
+      },
+      modal: {
+        title: 'Impostazioni privacy',
+        description: 'Gestisci le tue preferenze sui cookie. Puoi attivare o disattivare diversi tipi di cookie qui sotto.',
+        save: 'Salva preferenze',
+        acceptAll: 'Accetta tutto',
+        rejectAll: 'Rifiuta tutto'
+      },
+      widget: {
+        label: 'Impostazioni cookie'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Essenziali',
+        description: 'Necessari per il corretto funzionamento del sito. Non possono essere disattivati.'
+      },
+      functional: {
+        label: 'Funzionali',
+        description: 'Abilitano funzionalità personalizzate come preferenze di lingua e tema.'
+      },
+      analytics: {
+        label: 'Analitici',
+        description: 'Ci aiutano a capire come i visitatori interagiscono con il nostro sito.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Utilizzati per mostrare annunci pertinenti e misurare le prestazioni delle campagne.'
+      }
+    }
+  },
+
+  pt: {
+    labels: {
+      banner: {
+        title: 'Valorizamos sua privacidade',
+        description: 'Usamos cookies para melhorar sua experiência de navegação, fornecer conteúdo personalizado e analisar nosso tráfego. Ao clicar em "Aceitar tudo", você consente com o uso de cookies.',
+        acceptAll: 'Aceitar tudo',
+        rejectAll: 'Rejeitar tudo',
+        settings: 'Configurações'
+      },
+      modal: {
+        title: 'Configurações de privacidade',
+        description: 'Gerencie suas preferências de cookies. Você pode ativar ou desativar diferentes tipos de cookies abaixo.',
+        save: 'Salvar preferências',
+        acceptAll: 'Aceitar tudo',
+        rejectAll: 'Rejeitar tudo'
+      },
+      widget: {
+        label: 'Configurações de cookies'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Essenciais',
+        description: 'Necessários para o funcionamento do site. Não podem ser desativados.'
+      },
+      functional: {
+        label: 'Funcionais',
+        description: 'Permitem recursos personalizados como preferências de idioma e tema.'
+      },
+      analytics: {
+        label: 'Analíticos',
+        description: 'Nos ajudam a entender como os visitantes interagem com nosso site.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Usados para exibir anúncios relevantes e medir o desempenho de campanhas.'
+      }
+    }
+  },
+
+  nl: {
+    labels: {
+      banner: {
+        title: 'Wij respecteren uw privacy',
+        description: 'Wij gebruiken cookies om uw browse-ervaring te verbeteren, gepersonaliseerde inhoud aan te bieden en ons verkeer te analyseren. Door op "Alles accepteren" te klikken, stemt u in met het gebruik van cookies.',
+        acceptAll: 'Alles accepteren',
+        rejectAll: 'Alles weigeren',
+        settings: 'Instellingen'
+      },
+      modal: {
+        title: 'Privacy-instellingen',
+        description: 'Beheer uw cookievoorkeuren. U kunt hieronder verschillende soorten cookies in- of uitschakelen.',
+        save: 'Voorkeuren opslaan',
+        acceptAll: 'Alles accepteren',
+        rejectAll: 'Alles weigeren'
+      },
+      widget: {
+        label: 'Cookie-instellingen'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Essentieel',
+        description: 'Noodzakelijk voor de goede werking van de website. Kunnen niet worden uitgeschakeld.'
+      },
+      functional: {
+        label: 'Functioneel',
+        description: 'Maken gepersonaliseerde functies mogelijk zoals taal- en themavoorkeuren.'
+      },
+      analytics: {
+        label: 'Analytisch',
+        description: 'Helpen ons te begrijpen hoe bezoekers onze website gebruiken.'
+      },
+      marketing: {
+        label: 'Marketing',
+        description: 'Worden gebruikt om relevante advertenties te tonen en campagneprestaties te meten.'
+      }
+    }
+  },
+
+  pl: {
+    labels: {
+      banner: {
+        title: 'Szanujemy Twoją prywatność',
+        description: 'Używamy plików cookie, aby poprawić Twoje wrażenia z przeglądania, dostarczać spersonalizowane treści i analizować nasz ruch. Klikając „Zaakceptuj wszystko", wyrażasz zgodę na używanie plików cookie.',
+        acceptAll: 'Zaakceptuj wszystko',
+        rejectAll: 'Odrzuć wszystko',
+        settings: 'Ustawienia'
+      },
+      modal: {
+        title: 'Ustawienia prywatności',
+        description: 'Zarządzaj swoimi preferencjami dotyczącymi plików cookie. Możesz włączyć lub wyłączyć różne typy plików cookie poniżej.',
+        save: 'Zapisz preferencje',
+        acceptAll: 'Zaakceptuj wszystko',
+        rejectAll: 'Odrzuć wszystko'
+      },
+      widget: {
+        label: 'Ustawienia plików cookie'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Niezbędne',
+        description: 'Wymagane do prawidłowego działania strony. Nie można ich wyłączyć.'
+      },
+      functional: {
+        label: 'Funkcjonalne',
+        description: 'Umożliwiają spersonalizowane funkcje, takie jak preferencje językowe i motywy.'
+      },
+      analytics: {
+        label: 'Analityczne',
+        description: 'Pomagają nam zrozumieć, jak odwiedzający korzystają z naszej strony.'
+      },
+      marketing: {
+        label: 'Marketingowe',
+        description: 'Służą do wyświetlania odpowiednich reklam i mierzenia skuteczności kampanii.'
+      }
+    }
+  },
+
+  uk: {
+    labels: {
+      banner: {
+        title: 'Ми цінуємо вашу конфіденційність',
+        description: 'Ми використовуємо файли cookie для покращення вашого досвіду перегляду, надання персоналізованого контенту та аналізу нашого трафіку. Натискаючи «Прийняти все», ви погоджуєтесь на використання файлів cookie.',
+        acceptAll: 'Прийняти все',
+        rejectAll: 'Відхилити все',
+        settings: 'Налаштування'
+      },
+      modal: {
+        title: 'Налаштування конфіденційності',
+        description: 'Керуйте своїми налаштуваннями файлів cookie. Ви можете ввімкнути або вимкнути різні типи файлів cookie нижче.',
+        save: 'Зберегти налаштування',
+        acceptAll: 'Прийняти все',
+        rejectAll: 'Відхилити все'
+      },
+      widget: {
+        label: 'Налаштування cookie'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Необхідні',
+        description: 'Потрібні для правильної роботи сайту. Не можуть бути вимкнені.'
+      },
+      functional: {
+        label: 'Функціональні',
+        description: 'Дозволяють персоналізовані функції, такі як мовні налаштування та теми.'
+      },
+      analytics: {
+        label: 'Аналітичні',
+        description: 'Допомагають нам зрозуміти, як відвідувачі взаємодіють з нашим сайтом.'
+      },
+      marketing: {
+        label: 'Маркетингові',
+        description: 'Використовуються для показу релевантної реклами та вимірювання ефективності кампаній.'
+      }
+    }
+  },
+
+  ru: {
+    labels: {
+      banner: {
+        title: 'Мы ценим вашу конфиденциальность',
+        description: 'Мы используем файлы cookie для улучшения вашего опыта просмотра, предоставления персонализированного контента и анализа нашего трафика. Нажимая «Принять все», вы соглашаетесь на использование файлов cookie.',
+        acceptAll: 'Принять все',
+        rejectAll: 'Отклонить все',
+        settings: 'Настройки'
+      },
+      modal: {
+        title: 'Настройки конфиденциальности',
+        description: 'Управляйте своими настройками файлов cookie. Вы можете включить или отключить различные типы файлов cookie ниже.',
+        save: 'Сохранить настройки',
+        acceptAll: 'Принять все',
+        rejectAll: 'Отклонить все'
+      },
+      widget: {
+        label: 'Настройки cookie'
+      }
+    },
+    categories: {
+      essential: {
+        label: 'Необходимые',
+        description: 'Требуются для правильной работы сайта. Не могут быть отключены.'
+      },
+      functional: {
+        label: 'Функциональные',
+        description: 'Позволяют использовать персонализированные функции, такие как языковые настройки и темы.'
+      },
+      analytics: {
+        label: 'Аналитические',
+        description: 'Помогают нам понять, как посетители взаимодействуют с нашим сайтом.'
+      },
+      marketing: {
+        label: 'Маркетинговые',
+        description: 'Используются для показа релевантной рекламы и измерения эффективности кампаний.'
+      }
+    }
+  },
+
+  ja: {
+    labels: {
+      banner: {
+        title: 'プライバシーを尊重します',
+        description: '当サイトでは、ブラウジング体験の向上、パーソナライズされたコンテンツの提供、トラフィックの分析のためにCookieを使用しています。「すべて同意」をクリックすると、Cookieの使用に同意したことになります。',
+        acceptAll: 'すべて同意',
+        rejectAll: 'すべて拒否',
+        settings: '設定'
+      },
+      modal: {
+        title: 'プライバシー設定',
+        description: 'Cookieの設定を管理できます。以下で各種Cookieを有効または無効にできます。',
+        save: '設定を保存',
+        acceptAll: 'すべて同意',
+        rejectAll: 'すべて拒否'
+      },
+      widget: {
+        label: 'Cookie設定'
+      }
+    },
+    categories: {
+      essential: {
+        label: '必須',
+        description: 'サイトの正常な動作に必要です。無効にすることはできません。'
+      },
+      functional: {
+        label: '機能性',
+        description: '言語設定やテーマなどのパーソナライズ機能を有効にします。'
+      },
+      analytics: {
+        label: '分析',
+        description: '訪問者がサイトをどのように利用しているかを理解するのに役立ちます。'
+      },
+      marketing: {
+        label: 'マーケティング',
+        description: '関連性の高い広告を表示し、キャンペーンの効果を測定するために使用されます。'
+      }
+    }
+  },
+
+  zh: {
+    labels: {
+      banner: {
+        title: '我们重视您的隐私',
+        description: '我们使用Cookie来改善您的浏览体验、提供个性化内容并分析我们的流量。点击"全部接受"即表示您同意我们使用Cookie。',
+        acceptAll: '全部接受',
+        rejectAll: '全部拒绝',
+        settings: '设置'
+      },
+      modal: {
+        title: '隐私设置',
+        description: '管理您的Cookie偏好设置。您可以在下方启用或禁用不同类型的Cookie。',
+        save: '保存设置',
+        acceptAll: '全部接受',
+        rejectAll: '全部拒绝'
+      },
+      widget: {
+        label: 'Cookie设置'
+      }
+    },
+    categories: {
+      essential: {
+        label: '必要',
+        description: '网站正常运行所必需的。无法禁用。'
+      },
+      functional: {
+        label: '功能性',
+        description: '启用个性化功能，如语言偏好和主题设置。'
+      },
+      analytics: {
+        label: '分析',
+        description: '帮助我们了解访问者如何与网站互动。'
+      },
+      marketing: {
+        label: '营销',
+        description: '用于展示相关广告并衡量营销活动效果。'
+      }
+    }
+  }
+};
+
+/**
+ * Detect language from various sources
+ * Priority: config.lang > <html lang=""> > navigator.language > 'en'
+ */
+function detectLanguage(configLang) {
+  // 1. Explicit config
+  if (configLang && configLang !== 'auto') {
+    return normalizeLanguage(configLang);
+  }
+
+  // 2. HTML lang attribute
+  const htmlLang = document.documentElement.lang;
+  if (htmlLang) {
+    const normalized = normalizeLanguage(htmlLang);
+    if (translations[normalized]) {
+      return normalized;
+    }
+  }
+
+  // 3. Browser language
+  if (typeof navigator !== 'undefined' && navigator.language) {
+    const normalized = normalizeLanguage(navigator.language);
+    if (translations[normalized]) {
+      return normalized;
+    }
+  }
+
+  // 4. Default to English
+  return 'en';
+}
+
+/**
+ * Normalize language code (e.g., 'en-US' -> 'en', 'es_MX' -> 'es')
+ */
+function normalizeLanguage(lang) {
+  if (!lang) return 'en';
+
+  // ISO 639-1 language codes are always 2 characters
+  const base = lang.slice(0, 2).toLowerCase();
+
+  // Check if we support it
+  if (translations[base]) {
+    return base;
+  }
+
+  return 'en';
+}
+
+/**
+ * Get translation for a language
+ */
+function getTranslation(lang) {
+  return translations[lang] || translations.en;
+}
+
+/**
+ * Default configuration values
+ */
+
+
+const DEFAULTS = {
+  // Language: 'auto' | 'en' | 'de' | 'es' | 'fr' | 'it' | 'pt' | 'nl' | 'pl' | 'uk' | 'ru' | 'ja' | 'zh'
+  lang: 'auto',
+
+  // UI positioning
+  position: 'bottom', // 'bottom' | 'bottom-left' | 'bottom-right' | 'top'
+
+  // Theming
+  theme: 'auto', // 'light' | 'dark' | 'auto'
+  accentColor: '#0071e3',
+
+  // Categories
+  categories: DEFAULT_CATEGORIES,
+
+  // UI Labels
+  labels: {
+    banner: {
+      title: 'We value your privacy',
+      description: 'We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.',
+      acceptAll: 'Accept All',
+      rejectAll: 'Reject All',
+      settings: 'Settings'
+    },
+    modal: {
+      title: 'Privacy Settings',
+      description: 'Manage your cookie preferences. You can enable or disable different types of cookies below.',
+      save: 'Save Preferences',
+      acceptAll: 'Accept All',
+      rejectAll: 'Reject All'
+    },
+    widget: {
+      label: 'Cookie Settings'
+    }
+  },
+
+  // Behavior
+  autoInit: true,
+  showWidget: true,
+  expiration: 365,
+
+  // Do Not Track / Global Privacy Control
+  // respectDNT: true = respect DNT/GPC signals
+  // dntBehavior: 'reject' | 'preselect' | 'ignore'
+  //   - 'reject': auto-reject non-essential, don't show banner
+  //   - 'preselect': show banner with non-essential unchecked (same as normal)
+  //   - 'ignore': ignore DNT completely
+  respectDNT: true,
+  dntBehavior: 'reject',
+
+  // Custom styles to inject into Shadow DOM
+  customStyles: '',
+
+  // Vendor consent mode integrations (optional)
+  consentModeGoogle: false,
+  consentModeMicrosoft: false,
+
+  // Blocking mode: 'manual' | 'safe' | 'strict' | 'doomsday'
+  mode: 'safe',
+
+  // Custom domains to block (in addition to mode-based blocking)
+  blockedDomains: [], // days
+
+  // Links
+  policyUrl: null,
+  imprintUrl: null,
+
+  // Callbacks
+  callbacks: {
+    onAccept: null,
+    onReject: null,
+    onChange: null,
+    onReady: null
+  }
+};
+
+/**
+ * Merge user config with defaults (deep merge)
+ */
+function mergeConfig(userConfig) {
+  const config = { ...DEFAULTS };
+
+  if (!userConfig) {
+    userConfig = {};
+  }
+
+  // Simple properties
+  const simpleKeys = ['lang', 'position', 'theme', 'accentColor', 'autoInit', 'showWidget', 'expiration', 'policyUrl', 'imprintUrl', 'customStyles', 'mode', 'blockedDomains', 'respectDNT', 'dntBehavior', 'consentModeGoogle', 'consentModeMicrosoft'];
+  for (const key of simpleKeys) {
+    if (userConfig[key] !== undefined) {
+      config[key] = userConfig[key];
+    }
+  }
+
+  // Detect language and get translations
+  const detectedLang = detectLanguage(config.lang);
+  config.lang = detectedLang;
+  const translation = getTranslation(detectedLang);
+
+  // Deep merge labels (translation < user config)
+  const translationLabels = translation.labels || {};
+  const userLabels = userConfig.labels || {};
+  config.labels = {
+    banner: {
+      ...DEFAULTS.labels.banner,
+      ...translationLabels.banner,
+      ...userLabels.banner
+    },
+    modal: {
+      ...DEFAULTS.labels.modal,
+      ...translationLabels.modal,
+      ...userLabels.modal
+    },
+    widget: {
+      ...DEFAULTS.labels.widget,
+      ...translationLabels.widget,
+      ...userLabels.widget
+    }
+  };
+
+  // Deep merge categories (translation < user config)
+  const translationCategories = translation.categories || {};
+  const userCategories = userConfig.categories || {};
+  config.categories = { ...DEFAULTS.categories };
+  for (const key of Object.keys(DEFAULTS.categories)) {
+    config.categories[key] = {
+      ...DEFAULTS.categories[key],
+      ...translationCategories[key],
+      ...userCategories[key]
+    };
+  }
+
+  // Merge callbacks
+  if (userConfig.callbacks) {
+    config.callbacks = { ...DEFAULTS.callbacks, ...userConfig.callbacks };
+  }
+
+  // Patterns (for pattern matcher)
+  if (userConfig.patterns) {
+    config.patterns = userConfig.patterns;
+  }
+
+  return config;
+}
+
+/**
+ * Configuration Parser - Reads config from various sources
+ */
+
+
+/**
+ * Update configuration at runtime
+ */
+let currentConfig$1 = null;
+
+function setConfig(config) {
+  currentConfig$1 = mergeConfig(config);
+  return currentConfig$1;
+}
+
+/**
+ * Consent Store - Manages consent state persistence
+ */
+
+
+const COOKIE_NAME = 'zest_consent';
+const CONSENT_VERSION = '1.0';
+
+/**
+ * Return the Secure flag fragment when running over HTTPS, empty otherwise.
+ * On HTTPS sites, omitting Secure lets the cookie leak over plain HTTP.
+ */
+function secureAttribute() {
+  try {
+    return typeof location !== 'undefined' && location.protocol === 'https:'
+      ? '; Secure'
+      : '';
+  } catch (_) {
+    return '';
+  }
+}
+
+// Current consent state
+let consent = null;
+
+/**
+ * Get the original cookie setter (bypasses interception)
+ */
+function setRawCookie(value) {
+  const descriptor = getOriginalCookieDescriptor();
+  if (descriptor?.set) {
+    descriptor.set.call(document, value);
+  } else {
+    // Fallback if interceptor not initialized yet
+    document.cookie = value;
+  }
+}
+
+/**
+ * Get the original cookie getter
+ */
+function getRawCookie() {
+  const descriptor = getOriginalCookieDescriptor();
+  if (descriptor?.get) {
+    return descriptor.get.call(document);
+  }
+  return document.cookie;
+}
+
+/**
+ * Load consent from cookie.
+ *
+ * The parsed cookie is validated against the expected schema via
+ * sanitizeConsentPayload — only known category keys with boolean values
+ * survive, so a tampered cookie can't inject prototype-polluting props
+ * or unexpected category shapes.
+ */
+function loadConsent() {
+  try {
+    const cookies = getRawCookie();
+    const match = cookies.match(new RegExp(`${COOKIE_NAME}=([^;]+)`));
+
+    if (match) {
+      const raw = JSON.parse(decodeURIComponent(match[1]));
+      const clean = sanitizeConsentPayload(raw, getCategoryIds());
+      if (clean && clean.categories) {
+        consent = { ...getDefaultConsent(), ...clean.categories };
+        return { ...consent };
+      }
+    }
+  } catch (e) {
+    // Invalid or missing cookie
+  }
+
+  consent = getDefaultConsent();
+  return { ...consent };
+}
+
+/**
+ * Save consent to cookie
+ */
+function saveConsent(expirationDays = 365) {
+  if (!consent) {
+    consent = getDefaultConsent();
+  }
+
+  const data = {
+    version: CONSENT_VERSION,
+    timestamp: Date.now(),
+    categories: consent
+  };
+
+  const expires = new Date(Date.now() + expirationDays * 24 * 60 * 60 * 1000).toUTCString();
+  const cookieValue = `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(data))}; expires=${expires}; path=/; SameSite=Lax${secureAttribute()}`;
+
+  setRawCookie(cookieValue);
+}
+
+/**
+ * Get current consent state
+ */
+function getConsent() {
+  if (!consent) {
+    consent = loadConsent();
+  }
+  return { ...consent };
+}
+
+/**
+ * Update consent state
+ */
+function updateConsent$1(newConsent, expirationDays = 365) {
+  const previous = consent ? { ...consent } : getDefaultConsent();
+
+  consent = {
+    essential: true, // Always true
+    functional: !!newConsent.functional,
+    analytics: !!newConsent.analytics,
+    marketing: !!newConsent.marketing
+  };
+
+  saveConsent(expirationDays);
+
+  return { current: { ...consent }, previous };
+}
+
+/**
+ * Check if specific category is allowed
+ */
+function hasConsent(category) {
+  if (!consent) {
+    consent = loadConsent();
+  }
+  return consent[category] === true;
+}
+
+/**
+ * Accept all categories
+ */
+function acceptAll$1(expirationDays = 365) {
+  return updateConsent$1({
+    functional: true,
+    analytics: true,
+    marketing: true
+  }, expirationDays);
+}
+
+/**
+ * Reject all (except essential)
+ */
+function rejectAll$1(expirationDays = 365) {
+  return updateConsent$1({
+    functional: false,
+    analytics: false,
+    marketing: false
+  }, expirationDays);
+}
+
+/**
+ * Reset consent (clear cookie)
+ */
+function resetConsent() {
+  setRawCookie(`${COOKIE_NAME}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax${secureAttribute()}`);
+  consent = null;
+}
+
+/**
+ * Check if consent has been given (any decision made)
+ */
+function hasConsentDecision() {
+  try {
+    const cookies = getRawCookie();
+    return cookies.includes(COOKIE_NAME);
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Get consent proof for compliance
+ */
+function getConsentProof() {
+  try {
+    const cookies = getRawCookie();
+    const match = cookies.match(new RegExp(`${COOKIE_NAME}=([^;]+)`));
+
+    if (match) {
+      const raw = JSON.parse(decodeURIComponent(match[1]));
+      return sanitizeConsentPayload(raw, getCategoryIds());
+    }
+  } catch (e) {
+    // Invalid cookie
+  }
+
+  return null;
+}
+
+/**
+ * Events - Custom event dispatching for consent changes
+ */
+
+// Event names
+const EVENTS = {
+  READY: 'zest:ready',
+  CONSENT: 'zest:consent',
+  REJECT: 'zest:reject',
+  CHANGE: 'zest:change',
+  SHOW: 'zest:show',
+  HIDE: 'zest:hide'
+};
+
+/**
+ * Dispatch a custom event
+ */
+function emit(eventName, detail = {}) {
+  const event = new CustomEvent(eventName, {
+    detail,
+    bubbles: true,
+    cancelable: true
+  });
+
+  document.dispatchEvent(event);
+  return event;
+}
+
+/**
+ * Emit ready event
+ */
+function emitReady(consent) {
+  return emit(EVENTS.READY, { consent });
+}
+
+/**
+ * Emit consent event (user accepted)
+ */
+function emitConsent(consent, previous) {
+  return emit(EVENTS.CONSENT, { consent, previous });
+}
+
+/**
+ * Emit reject event (user rejected all)
+ */
+function emitReject(consent) {
+  return emit(EVENTS.REJECT, { consent });
+}
+
+/**
+ * Emit change event (any consent change)
+ */
+function emitChange(consent, previous) {
+  return emit(EVENTS.CHANGE, { consent, previous });
+}
+
+/**
+ * Subscribe to an event
+ */
+function on(eventName, callback) {
+  document.addEventListener(eventName, callback);
+  return () => document.removeEventListener(eventName, callback);
+}
+
+/**
+ * Subscribe to an event once
+ */
+function once(eventName, callback) {
+  document.addEventListener(eventName, callback, { once: true });
+}
+
+/**
+ * Core lifecycle - UI-agnostic initialization and consent actions.
+ *
+ * This module contains everything the main entry (with UI) and the
+ * headless entry (no UI) share: interceptor setup, consent load/save,
+ * replay, DNT handling, and the events/callbacks fan-out. It intentionally
+ * does NOT import anything from `./ui/*` so tree-shakers can drop the UI
+ * bundle entirely when only the headless API is used.
+ */
+
+
+let initialized = false;
+let currentConfig = null;
+
+function checkConsent(category) {
+  return hasConsent(category);
+}
+
+function replayAll(categories) {
+  replayCookies(categories);
+  replayStorage(categories);
+  replayScripts(categories);
+}
+
+/**
+ * Run the non-UI half of init. Returns a snapshot the caller (UI or
+ * headless) can use to decide what to do next.
+ */
+function coreInit(userConfig = {}) {
+  if (initialized) {
+    return {
+      alreadyInitialized: true,
+      config: currentConfig,
+      consent: loadConsent(),
+      hasDecision: hasConsentDecision(),
+      dntApplied: false
+    };
+  }
+
+  currentConfig = setConfig(userConfig);
+
+  // Push default-denied state to vendor consent mode APIs BEFORE any
+  // third-party script has a chance to fire.
+  applyConsentSignals(
+    { functional: false, analytics: false, marketing: false },
+    currentConfig,
+    true
+  );
+
+  if (currentConfig.patterns) {
+    setPatterns(currentConfig.patterns);
+  }
+
+  setConsentChecker$2(checkConsent);
+  setConsentChecker$1(checkConsent);
+  setConsentChecker(checkConsent);
+
+  interceptCookies();
+  interceptStorage();
+  startScriptBlocking(currentConfig.mode, currentConfig.blockedDomains);
+
+  const consent = loadConsent();
+  initialized = true;
+
+  if (hasConsentDecision()) {
+    applyConsentSignals(consent, currentConfig, false);
+  }
+
+  // DNT / GPC handling — if the user signalled opt-out at the browser
+  // level and the site opts to respect it, auto-reject before the UI
+  // layer ever runs.
+  const dntEnabled = isDoNotTrackEnabled();
+  let dntApplied = false;
+
+  if (dntEnabled && currentConfig.respectDNT && currentConfig.dntBehavior !== 'ignore') {
+    if (currentConfig.dntBehavior === 'reject' && !hasConsentDecision()) {
+      const result = rejectAll$1(currentConfig.expiration);
+      dntApplied = true;
+      applyConsentSignals(result.current, currentConfig, false);
+      emitReject(result.current);
+      emitChange(result.current, result.previous);
+      safeInvoke(currentConfig.callbacks?.onReject);
+      safeInvoke(currentConfig.callbacks?.onChange, result.current);
+    }
+  }
+
+  emitReady(consent);
+  safeInvoke(currentConfig.callbacks?.onReady, consent);
+
+  return {
+    alreadyInitialized: false,
+    config: currentConfig,
+    consent,
+    hasDecision: hasConsentDecision(),
+    dntApplied
+  };
+}
+
+/**
+ * Accept all categories, replay queued items, fire events + callbacks.
+ * Returns { current, previous } or null if not yet initialized.
+ */
+function coreAcceptAll() {
+  if (!initialized) return null;
+  const result = acceptAll$1(currentConfig.expiration);
+  applyConsentSignals(result.current, currentConfig, false);
+  replayAll(getCategoryIds());
+  emitConsent(result.current, result.previous);
+  emitChange(result.current, result.previous);
+  safeInvoke(currentConfig.callbacks?.onAccept, result.current);
+  safeInvoke(currentConfig.callbacks?.onChange, result.current);
+  return result;
+}
+
+/**
+ * Reject all non-essential categories, fire events + callbacks.
+ */
+function coreRejectAll() {
+  if (!initialized) return null;
+  const result = rejectAll$1(currentConfig.expiration);
+  applyConsentSignals(result.current, currentConfig, false);
+  emitReject(result.current);
+  emitChange(result.current, result.previous);
+  safeInvoke(currentConfig.callbacks?.onReject);
+  safeInvoke(currentConfig.callbacks?.onChange, result.current);
+  return result;
+}
+
+/**
+ * Save custom selections and replay only the newly-allowed categories.
+ */
+function coreUpdateConsent(selections) {
+  if (!initialized) return null;
+  const result = updateConsent$1(selections, currentConfig.expiration);
+  applyConsentSignals(result.current, currentConfig, false);
+
+  const newlyAllowed = Object.keys(result.current).filter(
+    (cat) => result.current[cat] && !result.previous[cat]
+  );
+  if (newlyAllowed.length > 0) {
+    replayAll(newlyAllowed);
+  }
+
+  const hasNonEssential = Object.entries(selections || {}).some(
+    ([cat, val]) => cat !== 'essential' && val
+  );
+  if (hasNonEssential) {
+    emitConsent(result.current, result.previous);
+  } else {
+    emitReject(result.current);
+  }
+  emitChange(result.current, result.previous);
+  safeInvoke(currentConfig.callbacks?.onChange, result.current);
+  return result;
+}
+
+/**
+ * Clear the consent cookie. The caller is responsible for any UI reset.
+ */
+function coreReset() {
+  resetConsent();
+}
+
+function isInitialized() {
+  return initialized;
+}
+
+function getActiveConfig() {
+  return currentConfig;
+}
+
+/**
+ * Zest Headless - consent logic only, zero UI.
+ *
+ * Use this entry when you want to bring your own banner / modal / settings
+ * markup and style it with your own CSS. No Shadow DOM is mounted, no
+ * inline stylesheet is injected, and nothing is attached to `window`.
+ *
+ * Everything you need to wire a custom UI is here:
+ *
+ *   import Zest from '@freshjuice/zest/headless';
+ *
+ *   Zest.init({ mode: 'safe', respectDNT: true });
+ *
+ *   if (!Zest.hasConsentDecision()) {
+ *     myBanner.show();
+ *   }
+ *
+ *   myAcceptBtn.addEventListener('click', () => Zest.acceptAll());
+ *   myRejectBtn.addEventListener('click', () => Zest.rejectAll());
+ *   mySaveBtn.addEventListener('click', () => {
+ *     Zest.updateConsent({ analytics: true, marketing: false });
+ *   });
+ *
+ *   Zest.on(Zest.EVENTS.CHANGE, (e) => console.log(e.detail.consent));
+ *
+ * The headless build does NOT auto-initialize. You must call `init()`
+ * yourself, so you control exactly when interceptors come online.
+ */
+
+
+function init(userConfig = {}) {
+  const snapshot = coreInit(userConfig);
+  // Headless returns the snapshot so callers can decide whether to
+  // render their banner / settings UI based on hasDecision / dntApplied.
+  return snapshot;
+}
+
+function acceptAll() {
+  if (!isInitialized()) {
+    console.warn('[Zest] Not initialized. Call Zest.init() first.');
+    return null;
+  }
+  return coreAcceptAll();
+}
+
+function rejectAll() {
+  if (!isInitialized()) {
+    console.warn('[Zest] Not initialized. Call Zest.init() first.');
+    return null;
+  }
+  return coreRejectAll();
+}
+
+function updateConsent(selections) {
+  if (!isInitialized()) {
+    console.warn('[Zest] Not initialized. Call Zest.init() first.');
+    return null;
+  }
+  return coreUpdateConsent(selections);
+}
+
+function reset() {
+  coreReset();
+}
+
+const Zest = {
+  init,
+
+  // Consent state
+  getConsent,
+  hasConsent,
+  hasConsentDecision,
+  getConsentProof,
+
+  // Actions
+  acceptAll,
+  rejectAll,
+  updateConsent,
+  reset,
+
+  // DNT introspection
+  isDoNotTrackEnabled,
+  getDNTDetails,
+
+  // Events
+  on,
+  once,
+  EVENTS,
+
+  // Config introspection
+  getConfig: getActiveConfig
+};
+
+export { EVENTS, acceptAll, Zest as default, getActiveConfig as getConfig, getConsent, getConsentProof, getDNTDetails, hasConsent, hasConsentDecision, init, isDoNotTrackEnabled, on, once, rejectAll, reset, updateConsent };
+//# sourceMappingURL=zest.headless.esm.js.map