npm - @openpolicy/sdk - Versions diffs - 0.0.19 → 0.0.20 - Mend

@openpolicy/sdk 0.0.19 → 0.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +10 -0
package/dist/index.d.ts +0 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.js +0 -3
package/dist/index.js.map +1 -1
package/package.json +9 -4
package/skills/annotate-data-collection/SKILL.md +240 -0
package/skills/annotate-third-parties/SKILL.md +237 -0
package/skills/annotate-third-parties/references/known-packages.md +37 -0
package/skills/define-config/SKILL.md +286 -0
package/skills/define-config/references/privacy-config.md +153 -0
package/skills/define-config/references/terms-config.md +130 -0
package/skills/getting-started/SKILL.md +251 -0
package/skills/migrate/SKILL.md +360 -0

package/README.md CHANGED Viewed

@@ -88,6 +88,16 @@ The SDK exports types and helper functions for _defining_ policies. To compile t
 Full field reference and guides: [openpolicy.sh/docs](https://openpolicy.sh/docs)
+## AI Agents
+If you use an AI coding agent (Claude Code, Cursor, Copilot, etc.), run:
+```sh
+npx @tanstack/intent@latest install
+```
+This installs skill files that give your agent accurate, up-to-date guidance for OpenPolicy APIs.
 ## Links
 - [GitHub](https://github.com/jamiedavenport/openpolicy)

package/dist/index.d.ts CHANGED Viewed

@@ -334,9 +334,6 @@ declare const Providers: {
 };
 //#endregion
 //#region src/third-parties.d.ts
-/**
- * TODO
- */
 declare function thirdParty(_name: string, _purpose: string, _policyUrl: string): void;
 //#endregion
 //#region src/index.d.ts

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":["OutputFormat","CompileOptions","formats","Jurisdiction","UserRight","LegalBasis","CompanyConfig","name","legalName","address","contact","PrivacyPolicyConfig","Record","effectiveDate","company","dataCollected","legalBasis","retention","cookies","essential","analytics","marketing","thirdParties","purpose","policyUrl","userRights","jurisdictions","children","underAge","noticeUrl","DisputeResolutionMethod","TermsOfServiceConfig","acceptance","methods","eligibility","minimumAge","jurisdictionRestrictions","accounts","registrationRequired","userResponsibleForCredentials","companyCanTerminate","prohibitedUses","userContent","usersOwnContent","licenseGrantedToCompany","licenseDescription","companyCanRemoveContent","intellectualProperty","companyOwnsService","usersMayNotCopy","payments","hasPaidFeatures","refundPolicy","priceChangesNotice","availability","noUptimeGuarantee","maintenanceWindows","termination","userCanTerminate","effectOfTermination","disclaimers","serviceProvidedAsIs","noWarranties","limitationOfLiability","excludesIndirectDamages","liabilityCap","indemnification","userIndemnifiesCompany","scope","thirdPartyServices","disputeResolution","method","venue","classActionWaiver","governingLaw","jurisdiction","changesPolicy","noticeMethod","noticePeriodDays","privacyPolicyUrl","CookiePolicyCookies","key","CookiePolicyConfig","trackingTechnologies","consentMechanism","hasBanner","hasPreferencePanel","canWithdraw","PolicyInput","type","OpenPolicyConfig","Omit","privacy","terms","cookie","isOpenPolicyConfig","value","ValidationIssue","level","message","CookieConsent","CookieConsentStatus","acceptAll","config","rejectAll","NodeContext","reason","TextNode","context","BoldNode","ItalicNode","LinkNode","href","InlineNode","HeadingNode","ParagraphNode","ListItemNode","ListNode","ordered","items","ContentNode","DocumentSection","id","content","PolicyType","Document","policyType","sections","Node","heading","levelOrContext","text","bold","italic","link","p","li","ul","ol","section","compile","input","validatePrivacyPolicy","validateCookiePolicy","validateTermsOfService","expandOpenPolicyConfig"],"sources":["../../core/dist/index.d.ts","../src/collecting.ts","../src/compliance.ts","../src/data.ts","../src/providers.ts","../src/third-parties.ts","../src/index.ts"],"mappings":";;;KAKKG,YAAAA;AAAAA,KACAC,SAAAA;AAAAA,KACAC,UAAAA;AAAAA,KACAC,aAAAA;EACHC,IAAAA;EACAC,SAAAA;EACAC,OAAAA;EACAC,OAAAA;AAAAA;AAAAA,KAEGC,mBAAAA;EACHE,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACTS,aAAAA,EAAeH,MAAAA;EACfI,UAAAA,EAAYX,UAAAA,GAAaA,UAAAA;EACzBY,SAAAA,EAAWL,MAAAA;EACXM,OAAAA;IACEC,SAAAA;IACAC,SAAAA;IACAC,SAAAA;EAAAA;EAEFC,YAAAA;IACEf,IAAAA;IACAgB,OAAAA;IACAC,SAAAA;EAAAA;EAEFC,UAAAA,EAAYrB,SAAAA;EACZsB,aAAAA,EAAevB,YAAAA;EACfwB,QAAAA;IACEC,QAAAA;IACAC,SAAAA;EAAAA;AAAAA;AAAAA,KAGCC,uBAAAA;AAAAA,KACAC,oBAAAA;EACHlB,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACT0B,UAAAA;IACEC,OAAAA;EAAAA;EAEFC,WAAAA;IACEC,UAAAA;IACAC,wBAAAA;EAAAA;EAEFC,QAAAA;IACEC,oBAAAA;IACAC,6BAAAA;IACAC,mBAAAA;EAAAA;EAEFC,cAAAA;EACAC,WAAAA;IACEC,eAAAA;IACAC,uBAAAA;IACAC,kBAAAA;IACAC,uBAAAA;EAAAA;EAEFC,oBAAAA;IACEC,kBAAAA;IACAC,eAAAA;EAAAA;EAEFC,QAAAA;IACEC,eAAAA;IACAC,YAAAA;IACAC,kBAAAA;EAAAA;EAEFC,YAAAA;IACEC,iBAAAA;IACAC,kBAAAA;EAAAA;EAEFC,WAAAA;IACEjB,mBAAAA;IACAkB,gBAAAA;IACAC,mBAAAA;EAAAA;EAEFC,WAAAA;IACEC,mBAAAA;IACAC,YAAAA;EAAAA;EAEFC,qBAAAA;IACEC,uBAAAA;IACAC,YAAAA;EAAAA;EAEFC,eAAAA;IACEC,sBAAAA;IACAC,KAAAA;EAAAA;EAEFC,kBAAAA;IACE9D,IAAAA;IACAgB,OAAAA;EAAAA;EAEF+C,iBAAAA;IACEC,MAAAA,EAAQzC,uBAAAA;IACR0C,KAAAA;IACAC,iBAAAA;EAAAA;EAEFC,YAAAA;IACEC,YAAAA;EAAAA;EAEFC,aAAAA;IACEC,YAAAA;IACAC,gBAAAA;EAAAA;EAEFC,gBAAAA;AAAAA;AAAAA,KAEGC,mBAAAA;EACH7D,SAAAA;EAAAA,CACC8D,GAAAA;AAAAA;AAAAA,KAEEC,kBAAAA;EACHrE,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACTY,OAAAA,EAAS8D,mBAAAA;EACT1D,YAAAA;IACEf,IAAAA;IACAgB,OAAAA;IACAC,SAAAA;EAAAA;EAEF2D,oBAAAA;EACAC,gBAAAA;IACEC,SAAAA;IACAC,kBAAAA;IACAC,WAAAA;EAAAA;EAEF7D,aAAAA,EAAevB,YAAAA;AAAAA;AAAAA,KASZuF,gBAAAA;EACH5E,OAAAA,EAASR,aAAAA;EACTsF,OAAAA,GAAUD,IAAAA,CAAKhF,mBAAAA;EACfkF,KAAAA,GAAQF,IAAAA,CAAK5D,oBAAAA;EACb+D,MAAAA,GAASH,IAAAA,CAAKT,kBAAAA;AAAAA;;;;;;AAzIO;;;;;AAEN;;;;;AACH;;;;;AACC;;;;;;;;;;AAKN;;;;;;iBCsBO,UAAA,GAAA,CACf,SAAA,UACA,KAAA,EAAO,CAAA,EACP,MAAA,EAAQ,OAAA,CAAQ,MAAA,OAAa,CAAA,aAC3B,CAAA;;;cCpCU,UAAA;EAAA;4BAEc,YAAA;IAAA,qBACe,UAAA;IAAA,qBAQnC,SAAA;EAAA;EAAA;4BAGoB,YAAA;IAAA,qBAMpB,SAAA;EAAA;AAAA;;;cCpBM,cAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;cA4BA,SAAA;EAAA;;;;;;;;cAUA,MAAA;EAAA;;;;;;;;;cAWA,UAAA;EAAA;;;;;;;;;cCjDA,SAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBCCG~~,UAAA,CACf,KAAA,UACA,QAAA,UACA,UAAA;;;~~iBCYe~~,YAAA,CAAa,MAAA,EAAQ,gBAAA,GAAmB,gBAAA"}
1	+ {"version":3,"file":"index.d.ts","names":["OutputFormat","CompileOptions","formats","Jurisdiction","UserRight","LegalBasis","CompanyConfig","name","legalName","address","contact","PrivacyPolicyConfig","Record","effectiveDate","company","dataCollected","legalBasis","retention","cookies","essential","analytics","marketing","thirdParties","purpose","policyUrl","userRights","jurisdictions","children","underAge","noticeUrl","DisputeResolutionMethod","TermsOfServiceConfig","acceptance","methods","eligibility","minimumAge","jurisdictionRestrictions","accounts","registrationRequired","userResponsibleForCredentials","companyCanTerminate","prohibitedUses","userContent","usersOwnContent","licenseGrantedToCompany","licenseDescription","companyCanRemoveContent","intellectualProperty","companyOwnsService","usersMayNotCopy","payments","hasPaidFeatures","refundPolicy","priceChangesNotice","availability","noUptimeGuarantee","maintenanceWindows","termination","userCanTerminate","effectOfTermination","disclaimers","serviceProvidedAsIs","noWarranties","limitationOfLiability","excludesIndirectDamages","liabilityCap","indemnification","userIndemnifiesCompany","scope","thirdPartyServices","disputeResolution","method","venue","classActionWaiver","governingLaw","jurisdiction","changesPolicy","noticeMethod","noticePeriodDays","privacyPolicyUrl","CookiePolicyCookies","key","CookiePolicyConfig","trackingTechnologies","consentMechanism","hasBanner","hasPreferencePanel","canWithdraw","PolicyInput","type","OpenPolicyConfig","Omit","privacy","terms","cookie","isOpenPolicyConfig","value","ValidationIssue","level","message","CookieConsent","CookieConsentStatus","acceptAll","config","rejectAll","NodeContext","reason","TextNode","context","BoldNode","ItalicNode","LinkNode","href","InlineNode","HeadingNode","ParagraphNode","ListItemNode","ListNode","ordered","items","ContentNode","DocumentSection","id","content","PolicyType","Document","policyType","sections","Node","heading","levelOrContext","text","bold","italic","link","p","li","ul","ol","section","compile","input","validatePrivacyPolicy","validateCookiePolicy","validateTermsOfService","expandOpenPolicyConfig"],"sources":["../../core/dist/index.d.ts","../src/collecting.ts","../src/compliance.ts","../src/data.ts","../src/providers.ts","../src/third-parties.ts","../src/index.ts"],"mappings":";;;KAKKG,YAAAA;AAAAA,KACAC,SAAAA;AAAAA,KACAC,UAAAA;AAAAA,KACAC,aAAAA;EACHC,IAAAA;EACAC,SAAAA;EACAC,OAAAA;EACAC,OAAAA;AAAAA;AAAAA,KAEGC,mBAAAA;EACHE,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACTS,aAAAA,EAAeH,MAAAA;EACfI,UAAAA,EAAYX,UAAAA,GAAaA,UAAAA;EACzBY,SAAAA,EAAWL,MAAAA;EACXM,OAAAA;IACEC,SAAAA;IACAC,SAAAA;IACAC,SAAAA;EAAAA;EAEFC,YAAAA;IACEf,IAAAA;IACAgB,OAAAA;IACAC,SAAAA;EAAAA;EAEFC,UAAAA,EAAYrB,SAAAA;EACZsB,aAAAA,EAAevB,YAAAA;EACfwB,QAAAA;IACEC,QAAAA;IACAC,SAAAA;EAAAA;AAAAA;AAAAA,KAGCC,uBAAAA;AAAAA,KACAC,oBAAAA;EACHlB,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACT0B,UAAAA;IACEC,OAAAA;EAAAA;EAEFC,WAAAA;IACEC,UAAAA;IACAC,wBAAAA;EAAAA;EAEFC,QAAAA;IACEC,oBAAAA;IACAC,6BAAAA;IACAC,mBAAAA;EAAAA;EAEFC,cAAAA;EACAC,WAAAA;IACEC,eAAAA;IACAC,uBAAAA;IACAC,kBAAAA;IACAC,uBAAAA;EAAAA;EAEFC,oBAAAA;IACEC,kBAAAA;IACAC,eAAAA;EAAAA;EAEFC,QAAAA;IACEC,eAAAA;IACAC,YAAAA;IACAC,kBAAAA;EAAAA;EAEFC,YAAAA;IACEC,iBAAAA;IACAC,kBAAAA;EAAAA;EAEFC,WAAAA;IACEjB,mBAAAA;IACAkB,gBAAAA;IACAC,mBAAAA;EAAAA;EAEFC,WAAAA;IACEC,mBAAAA;IACAC,YAAAA;EAAAA;EAEFC,qBAAAA;IACEC,uBAAAA;IACAC,YAAAA;EAAAA;EAEFC,eAAAA;IACEC,sBAAAA;IACAC,KAAAA;EAAAA;EAEFC,kBAAAA;IACE9D,IAAAA;IACAgB,OAAAA;EAAAA;EAEF+C,iBAAAA;IACEC,MAAAA,EAAQzC,uBAAAA;IACR0C,KAAAA;IACAC,iBAAAA;EAAAA;EAEFC,YAAAA;IACEC,YAAAA;EAAAA;EAEFC,aAAAA;IACEC,YAAAA;IACAC,gBAAAA;EAAAA;EAEFC,gBAAAA;AAAAA;AAAAA,KAEGC,mBAAAA;EACH7D,SAAAA;EAAAA,CACC8D,GAAAA;AAAAA;AAAAA,KAEEC,kBAAAA;EACHrE,aAAAA;EACAC,OAAAA,EAASR,aAAAA;EACTY,OAAAA,EAAS8D,mBAAAA;EACT1D,YAAAA;IACEf,IAAAA;IACAgB,OAAAA;IACAC,SAAAA;EAAAA;EAEF2D,oBAAAA;EACAC,gBAAAA;IACEC,SAAAA;IACAC,kBAAAA;IACAC,WAAAA;EAAAA;EAEF7D,aAAAA,EAAevB,YAAAA;AAAAA;AAAAA,KASZuF,gBAAAA;EACH5E,OAAAA,EAASR,aAAAA;EACTsF,OAAAA,GAAUD,IAAAA,CAAKhF,mBAAAA;EACfkF,KAAAA,GAAQF,IAAAA,CAAK5D,oBAAAA;EACb+D,MAAAA,GAASH,IAAAA,CAAKT,kBAAAA;AAAAA;;;;;;AAzIO;;;;;AAEN;;;;;AACH;;;;;AACC;;;;;;;;;;AAKN;;;;;;iBCsBO,UAAA,GAAA,CACf,SAAA,UACA,KAAA,EAAO,CAAA,EACP,MAAA,EAAQ,OAAA,CAAQ,MAAA,OAAa,CAAA,aAC3B,CAAA;;;cCpCU,UAAA;EAAA;4BAEc,YAAA;IAAA,qBACe,UAAA;IAAA,qBAQnC,SAAA;EAAA;EAAA;4BAGoB,YAAA;IAAA,qBAMpB,SAAA;EAAA;AAAA;;;cCpBM,cAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;cA4BA,SAAA;EAAA;;;;;;;;cAUA,MAAA;EAAA;;;;;;;;;cAWA,UAAA;EAAA;;;;;;;;;cCjDA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBCFG,UAAA,CACf,KAAA,UACA,QAAA,UACA,UAAA;;;iBCee,YAAA,CAAa,MAAA,EAAQ,gBAAA,GAAmB,gBAAA"}

package/dist/index.js CHANGED Viewed

@@ -221,9 +221,6 @@ const Providers = {
 };
 //#endregion
 //#region src/third-parties.ts
-/**
-* TODO
-*/
 function thirdParty(_name, _purpose, _policyUrl) {}
 //#endregion
 //#region src/index.ts

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":[],"sources":["../src/collecting.ts","../src/compliance.ts","../src/data.ts","../src/providers.ts","../src/third-parties.ts","../src/index.ts"],"sourcesContent":["/*\n Declares data collected at the point of storage. Returns `value` unchanged\n * at runtime — the Vite plugin / CLI static analyser (OP-152) will scan calls\n * to `collecting()` at build time and merge the declarations into the\n * compiled privacy policy.\n \n The third argument is a plain object literal whose keys are field names\n * matching your stored value (for convenient access without a typed callback)\n * and whose values are the human-readable labels used in the compiled\n * policy. Only the string values are used by the analyser; the object is\n * never evaluated at runtime. This shape lets you:\n * - keep `value` matching your ORM/table schema exactly,\n * - describe fields with friendly labels for the policy,\n * - omit fields from the policy by leaving them out of the label record\n * (e.g. `hashedPassword`).\n \n The category argument and the string values of the label record must be\n * string literals — dynamic values are silently skipped by the analyser.\n \n @example\n * ```ts\n * import { collecting } from \"@openpolicy/sdk\";\n \n export async function createUser(name: string, email: string) {\n * return db.insert(users).values(\n * collecting(\n * \"Account Information\",\n * { name, email }, // real ORM columns — returned unchanged\n * { name: \"Name\", email: \"Email address\" },\n * ),\n * );\n * }\n * ```\n /\nexport function collecting<T>(\n\t_category: string,\n\tvalue: T,\n\t_label: Partial<Record<keyof T, string>>,\n): T {\n\treturn value;\n}\n","import type { Jurisdiction, LegalBasis, UserRight } from \"@openpolicy/core\";\n\nexport const Compliance = {\n\tGDPR: {\n\t\tjurisdictions: [\"eu\"] as Jurisdiction[],\n\t\tlegalBasis: [\"legitimate_interests\"] as LegalBasis[],\n\t\tuserRights: [\n\t\t\t\"access\",\n\t\t\t\"rectification\",\n\t\t\t\"erasure\",\n\t\t\t\"portability\",\n\t\t\t\"restriction\",\n\t\t\t\"objection\",\n\t\t] as UserRight[],\n\t},\n\tCCPA: {\n\t\tjurisdictions: [\"ca\"] as Jurisdiction[],\n\t\tuserRights: [\n\t\t\t\"access\",\n\t\t\t\"erasure\",\n\t\t\t\"opt_out_sale\",\n\t\t\t\"non_discrimination\",\n\t\t] as UserRight[],\n\t},\n} as const;\n","import type { LegalBasis, UserRight } from \"@openpolicy/core\";\n\nexport const DataCategories = {\n\tAccountInfo: { \"Account Information\": [\"Name\", \"Email address\"] },\n\tSessionData: {\n\t\t\"Session Data\": [\"IP address\", \"User agent\", \"Browser type\"],\n\t},\n\tPaymentInfo: {\n\t\t\"Payment Information\": [\n\t\t\t\"Card last 4 digits\",\n\t\t\t\"Billing name\",\n\t\t\t\"Billing address\",\n\t\t],\n\t},\n\tUsageData: {\n\t\t\"Usage Data\": [\"Pages visited\", \"Features used\", \"Time spent\"],\n\t},\n\tDeviceInfo: {\n\t\t\"Device Information\": [\n\t\t\t\"Device type\",\n\t\t\t\"Operating system\",\n\t\t\t\"Browser version\",\n\t\t],\n\t},\n\tLocationData: { \"Location Data\": [\"Country\", \"City\", \"Timezone\"] },\n\tCommunications: {\n\t\tCommunications: [\"Email content\", \"Support tickets\"],\n\t},\n} as const;\n\nexport const Retention = {\n\tUntilAccountDeletion: \"Until account deletion\",\n\tUntilSessionExpiry: \"Until session expiry\",\n\tThirtyDays: \"30 days\",\n\tNinetyDays: \"90 days\",\n\tOneYear: \"1 year\",\n\tThreeYears: \"3 years\",\n\tAsRequiredByLaw: \"As required by applicable law\",\n} as const;\n\nexport const Rights = {\n\tAccess: \"access\",\n\tRectification: \"rectification\",\n\tErasure: \"erasure\",\n\tPortability: \"portability\",\n\tRestriction: \"restriction\",\n\tObjection: \"objection\",\n\tOptOutSale: \"opt_out_sale\",\n\tNonDiscrimination: \"non_discrimination\",\n} as const satisfies Record<string, UserRight>;\n\nexport const LegalBases = {\n\tConsent: \"consent\",\n\tContract: \"contract\",\n\tLegalObligation: \"legal_obligation\",\n\tVitalInterests: \"vital_interests\",\n\tPublicTask: \"public_task\",\n\tLegitimateInterests: \"legitimate_interests\",\n} as const satisfies Record<string, LegalBasis>;\n","type Provider = { name: string; purpose: string; policyUrl?: string };\n\nexport const Providers = {\n\t// Payments\n\tStripe: {\n\t\tname: \"Stripe\",\n\t\tpurpose: \"Payment processing\",\n\t\tpolicyUrl: \"https://stripe.com/privacy\",\n\t},\n\tPaddle: {\n\t\tname: \"Paddle\",\n\t\tpurpose: \"Payment processing and subscription management\",\n\t\tpolicyUrl: \"https://www.paddle.com/legal/privacy\",\n\t},\n\tLemonSqueezy: {\n\t\tname: \"Lemon Squeezy\",\n\t\tpurpose: \"Payment processing and subscription management\",\n\t\tpolicyUrl: \"https://www.lemonsqueezy.com/privacy\",\n\t},\n\tPayPal: {\n\t\tname: \"PayPal\",\n\t\tpurpose: \"Payment processing\",\n\t\tpolicyUrl: \"https://www.paypal.com/webapps/mpp/ua/privacy-full\",\n\t},\n\n\t// Analytics\n\tGoogleAnalytics: {\n\t\tname: \"Google Analytics\",\n\t\tpurpose: \"Usage analytics\",\n\t\tpolicyUrl: \"https://policies.google.com/privacy\",\n\t},\n\tPostHog: {\n\t\tname: \"PostHog\",\n\t\tpurpose: \"Product analytics and session recording\",\n\t\tpolicyUrl: \"https://posthog.com/privacy\",\n\t},\n\tPlausible: {\n\t\tname: \"Plausible Analytics\",\n\t\tpurpose: \"Privacy-friendly usage analytics\",\n\t\tpolicyUrl: \"https://plausible.io/privacy\",\n\t},\n\tMixpanel: {\n\t\tname: \"Mixpanel\",\n\t\tpurpose: \"Product analytics and event tracking\",\n\t\tpolicyUrl: \"https://mixpanel.com/legal/privacy-policy\",\n\t},\n\n\t// Infrastructure\n\tVercel: {\n\t\tname: \"Vercel\",\n\t\tpurpose: \"Hosting and deployment infrastructure\",\n\t\tpolicyUrl: \"https://vercel.com/legal/privacy-policy\",\n\t},\n\tCloudflare: {\n\t\tname: \"Cloudflare\",\n\t\tpurpose: \"CDN, DNS, and security services\",\n\t\tpolicyUrl: \"https://www.cloudflare.com/privacypolicy/\",\n\t},\n\tAWS: {\n\t\tname: \"Amazon Web Services\",\n\t\tpurpose: \"Cloud infrastructure and hosting\",\n\t\tpolicyUrl: \"https://aws.amazon.com/privacy/\",\n\t},\n\n\t// Auth\n\tAuth0: {\n\t\tname: \"Auth0\",\n\t\tpurpose: \"Authentication and identity management\",\n\t\tpolicyUrl: \"https://auth0.com/privacy\",\n\t},\n\tClerk: {\n\t\tname: \"Clerk\",\n\t\tpurpose: \"Authentication and user management\",\n\t\tpolicyUrl: \"https://clerk.com/privacy\",\n\t},\n\n\t// Email\n\tResend: {\n\t\tname: \"Resend\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://resend.com/legal/privacy-policy\",\n\t},\n\tPostmark: {\n\t\tname: \"Postmark\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://wildbit.com/privacy-policy\",\n\t},\n\tSendGrid: {\n\t\tname: \"SendGrid\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://www.twilio.com/en-us/legal/privacy\",\n\t},\n\tLoops: {\n\t\tname: \"Loops\",\n\t\tpurpose: \"Email marketing and automation\",\n\t\tpolicyUrl: \"https://loops.so/privacy\",\n\t},\n\n\t// Monitoring\n\tSentry: {\n\t\tname: \"Sentry\",\n\t\tpurpose: \"Error monitoring and performance tracking\",\n\t\tpolicyUrl: \"https://sentry.io/privacy/\",\n\t},\n\tDatadog: {\n\t\tname: \"Datadog\",\n\t\tpurpose: \"Infrastructure monitoring and observability\",\n\t\tpolicyUrl: \"https://www.datadoghq.com/legal/privacy/\",\n\t},\n} satisfies Record<string, Provider>;\n","/\n TODO\n */\nexport function thirdParty(\n\t_name: string,\n\t_purpose: string,\n\t_policyUrl: string,\n): void {\n\treturn;\n}\n","import type { OpenPolicyConfig } from \"@openpolicy/core\";\n\nexport type {\n\tCookiePolicyConfig,\n\tLegalBasis,\n\tOpenPolicyConfig,\n\tPrivacyPolicyConfig,\n\tTermsOfServiceConfig,\n\tUserRight,\n} from \"@openpolicy/core\";\n\nexport { dataCollected, thirdParties } from \"./auto-collected\";\nexport { collecting } from \"./collecting\";\nexport { Compliance } from \"./compliance\";\nexport { DataCategories, LegalBases, Retention, Rights } from \"./data\";\nexport { Providers } from \"./providers\";\nexport { thirdParty } from \"./third-parties\";\n\nexport function defineConfig(config: OpenPolicyConfig): OpenPolicyConfig {\n\treturn config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,SAAgB,WACf,WACA,OACA,QACI;AACJ,QAAO;;;;ACrCR,MAAa,aAAa;CACzB,MAAM;EACL,eAAe,CAAC,KAAK;EACrB,YAAY,CAAC,uBAAuB;EACpC,YAAY;GACX;GACA;GACA;GACA;GACA;GACA;GACA;EACD;CACD,MAAM;EACL,eAAe,CAAC,KAAK;EACrB,YAAY;GACX;GACA;GACA;GACA;GACA;EACD;CACD;;;ACtBD,MAAa,iBAAiB;CAC7B,aAAa,EAAE,uBAAuB,CAAC,QAAQ,gBAAgB,EAAE;CACjE,aAAa,EACZ,gBAAgB;EAAC;EAAc;EAAc;EAAe,EAC5D;CACD,aAAa,EACZ,uBAAuB;EACtB;EACA;EACA;EACA,EACD;CACD,WAAW,EACV,cAAc;EAAC;EAAiB;EAAiB;EAAa,EAC9D;CACD,YAAY,EACX,sBAAsB;EACrB;EACA;EACA;EACA,EACD;CACD,cAAc,EAAE,iBAAiB;EAAC;EAAW;EAAQ;EAAW,EAAE;CAClE,gBAAgB,EACf,gBAAgB,CAAC,iBAAiB,kBAAkB,EACpD;CACD;AAED,MAAa,YAAY;CACxB,sBAAsB;CACtB,oBAAoB;CACpB,YAAY;CACZ,YAAY;CACZ,SAAS;CACT,YAAY;CACZ,iBAAiB;CACjB;AAED,MAAa,SAAS;CACrB,QAAQ;CACR,eAAe;CACf,SAAS;CACT,aAAa;CACb,aAAa;CACb,WAAW;CACX,YAAY;CACZ,mBAAmB;CACnB;AAED,MAAa,aAAa;CACzB,SAAS;CACT,UAAU;CACV,iBAAiB;CACjB,gBAAgB;CAChB,YAAY;CACZ,qBAAqB;CACrB;;;ACxDD,MAAa,YAAY;CAExB,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,cAAc;EACb,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,iBAAiB;EAChB,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,SAAS;EACR,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,WAAW;EACV,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,YAAY;EACX,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,KAAK;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,SAAS;EACR,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD;;;;;;AC1GD,SAAgB,WACf,OACA,UACA,YACO;;;ACWR,SAAgB,aAAa,QAA4C;AACxE,QAAO"}
1	+ {"version":3,"file":"index.js","names":[],"sources":["../src/collecting.ts","../src/compliance.ts","../src/data.ts","../src/providers.ts","../src/third-parties.ts","../src/index.ts"],"sourcesContent":["/*\n Declares data collected at the point of storage. Returns `value` unchanged\n * at runtime — the Vite plugin / CLI static analyser (OP-152) will scan calls\n * to `collecting()` at build time and merge the declarations into the\n * compiled privacy policy.\n \n The third argument is a plain object literal whose keys are field names\n * matching your stored value (for convenient access without a typed callback)\n * and whose values are the human-readable labels used in the compiled\n * policy. Only the string values are used by the analyser; the object is\n * never evaluated at runtime. This shape lets you:\n * - keep `value` matching your ORM/table schema exactly,\n * - describe fields with friendly labels for the policy,\n * - omit fields from the policy by leaving them out of the label record\n * (e.g. `hashedPassword`).\n \n The category argument and the string values of the label record must be\n * string literals — dynamic values are silently skipped by the analyser.\n \n @example\n * ```ts\n * import { collecting } from \"@openpolicy/sdk\";\n \n export async function createUser(name: string, email: string) {\n * return db.insert(users).values(\n * collecting(\n * \"Account Information\",\n * { name, email }, // real ORM columns — returned unchanged\n * { name: \"Name\", email: \"Email address\" },\n * ),\n * );\n * }\n * ```\n */\nexport function collecting<T>(\n\t_category: string,\n\tvalue: T,\n\t_label: Partial<Record<keyof T, string>>,\n): T {\n\treturn value;\n}\n","import type { Jurisdiction, LegalBasis, UserRight } from \"@openpolicy/core\";\n\nexport const Compliance = {\n\tGDPR: {\n\t\tjurisdictions: [\"eu\"] as Jurisdiction[],\n\t\tlegalBasis: [\"legitimate_interests\"] as LegalBasis[],\n\t\tuserRights: [\n\t\t\t\"access\",\n\t\t\t\"rectification\",\n\t\t\t\"erasure\",\n\t\t\t\"portability\",\n\t\t\t\"restriction\",\n\t\t\t\"objection\",\n\t\t] as UserRight[],\n\t},\n\tCCPA: {\n\t\tjurisdictions: [\"ca\"] as Jurisdiction[],\n\t\tuserRights: [\n\t\t\t\"access\",\n\t\t\t\"erasure\",\n\t\t\t\"opt_out_sale\",\n\t\t\t\"non_discrimination\",\n\t\t] as UserRight[],\n\t},\n} as const;\n","import type { LegalBasis, UserRight } from \"@openpolicy/core\";\n\nexport const DataCategories = {\n\tAccountInfo: { \"Account Information\": [\"Name\", \"Email address\"] },\n\tSessionData: {\n\t\t\"Session Data\": [\"IP address\", \"User agent\", \"Browser type\"],\n\t},\n\tPaymentInfo: {\n\t\t\"Payment Information\": [\n\t\t\t\"Card last 4 digits\",\n\t\t\t\"Billing name\",\n\t\t\t\"Billing address\",\n\t\t],\n\t},\n\tUsageData: {\n\t\t\"Usage Data\": [\"Pages visited\", \"Features used\", \"Time spent\"],\n\t},\n\tDeviceInfo: {\n\t\t\"Device Information\": [\n\t\t\t\"Device type\",\n\t\t\t\"Operating system\",\n\t\t\t\"Browser version\",\n\t\t],\n\t},\n\tLocationData: { \"Location Data\": [\"Country\", \"City\", \"Timezone\"] },\n\tCommunications: {\n\t\tCommunications: [\"Email content\", \"Support tickets\"],\n\t},\n} as const;\n\nexport const Retention = {\n\tUntilAccountDeletion: \"Until account deletion\",\n\tUntilSessionExpiry: \"Until session expiry\",\n\tThirtyDays: \"30 days\",\n\tNinetyDays: \"90 days\",\n\tOneYear: \"1 year\",\n\tThreeYears: \"3 years\",\n\tAsRequiredByLaw: \"As required by applicable law\",\n} as const;\n\nexport const Rights = {\n\tAccess: \"access\",\n\tRectification: \"rectification\",\n\tErasure: \"erasure\",\n\tPortability: \"portability\",\n\tRestriction: \"restriction\",\n\tObjection: \"objection\",\n\tOptOutSale: \"opt_out_sale\",\n\tNonDiscrimination: \"non_discrimination\",\n} as const satisfies Record<string, UserRight>;\n\nexport const LegalBases = {\n\tConsent: \"consent\",\n\tContract: \"contract\",\n\tLegalObligation: \"legal_obligation\",\n\tVitalInterests: \"vital_interests\",\n\tPublicTask: \"public_task\",\n\tLegitimateInterests: \"legitimate_interests\",\n} as const satisfies Record<string, LegalBasis>;\n","type Provider = { name: string; purpose: string; policyUrl?: string };\n\nexport const Providers = {\n\t// Payments\n\tStripe: {\n\t\tname: \"Stripe\",\n\t\tpurpose: \"Payment processing\",\n\t\tpolicyUrl: \"https://stripe.com/privacy\",\n\t},\n\tPaddle: {\n\t\tname: \"Paddle\",\n\t\tpurpose: \"Payment processing and subscription management\",\n\t\tpolicyUrl: \"https://www.paddle.com/legal/privacy\",\n\t},\n\tLemonSqueezy: {\n\t\tname: \"Lemon Squeezy\",\n\t\tpurpose: \"Payment processing and subscription management\",\n\t\tpolicyUrl: \"https://www.lemonsqueezy.com/privacy\",\n\t},\n\tPayPal: {\n\t\tname: \"PayPal\",\n\t\tpurpose: \"Payment processing\",\n\t\tpolicyUrl: \"https://www.paypal.com/webapps/mpp/ua/privacy-full\",\n\t},\n\n\t// Analytics\n\tGoogleAnalytics: {\n\t\tname: \"Google Analytics\",\n\t\tpurpose: \"Usage analytics\",\n\t\tpolicyUrl: \"https://policies.google.com/privacy\",\n\t},\n\tPostHog: {\n\t\tname: \"PostHog\",\n\t\tpurpose: \"Product analytics and session recording\",\n\t\tpolicyUrl: \"https://posthog.com/privacy\",\n\t},\n\tPlausible: {\n\t\tname: \"Plausible Analytics\",\n\t\tpurpose: \"Privacy-friendly usage analytics\",\n\t\tpolicyUrl: \"https://plausible.io/privacy\",\n\t},\n\tMixpanel: {\n\t\tname: \"Mixpanel\",\n\t\tpurpose: \"Product analytics and event tracking\",\n\t\tpolicyUrl: \"https://mixpanel.com/legal/privacy-policy\",\n\t},\n\n\t// Infrastructure\n\tVercel: {\n\t\tname: \"Vercel\",\n\t\tpurpose: \"Hosting and deployment infrastructure\",\n\t\tpolicyUrl: \"https://vercel.com/legal/privacy-policy\",\n\t},\n\tCloudflare: {\n\t\tname: \"Cloudflare\",\n\t\tpurpose: \"CDN, DNS, and security services\",\n\t\tpolicyUrl: \"https://www.cloudflare.com/privacypolicy/\",\n\t},\n\tAWS: {\n\t\tname: \"Amazon Web Services\",\n\t\tpurpose: \"Cloud infrastructure and hosting\",\n\t\tpolicyUrl: \"https://aws.amazon.com/privacy/\",\n\t},\n\n\t// Auth\n\tAuth0: {\n\t\tname: \"Auth0\",\n\t\tpurpose: \"Authentication and identity management\",\n\t\tpolicyUrl: \"https://auth0.com/privacy\",\n\t},\n\tClerk: {\n\t\tname: \"Clerk\",\n\t\tpurpose: \"Authentication and user management\",\n\t\tpolicyUrl: \"https://clerk.com/privacy\",\n\t},\n\n\t// Email\n\tResend: {\n\t\tname: \"Resend\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://resend.com/legal/privacy-policy\",\n\t},\n\tPostmark: {\n\t\tname: \"Postmark\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://wildbit.com/privacy-policy\",\n\t},\n\tSendGrid: {\n\t\tname: \"SendGrid\",\n\t\tpurpose: \"Transactional email delivery\",\n\t\tpolicyUrl: \"https://www.twilio.com/en-us/legal/privacy\",\n\t},\n\tLoops: {\n\t\tname: \"Loops\",\n\t\tpurpose: \"Email marketing and automation\",\n\t\tpolicyUrl: \"https://loops.so/privacy\",\n\t},\n\n\t// Monitoring\n\tSentry: {\n\t\tname: \"Sentry\",\n\t\tpurpose: \"Error monitoring and performance tracking\",\n\t\tpolicyUrl: \"https://sentry.io/privacy/\",\n\t},\n\tDatadog: {\n\t\tname: \"Datadog\",\n\t\tpurpose: \"Infrastructure monitoring and observability\",\n\t\tpolicyUrl: \"https://www.datadoghq.com/legal/privacy/\",\n\t},\n} satisfies Record<string, Provider>;\n","export function thirdParty(\n\t_name: string,\n\t_purpose: string,\n\t_policyUrl: string,\n): void {\n\treturn;\n}\n","import type { OpenPolicyConfig } from \"@openpolicy/core\";\n\nexport type {\n\tCookiePolicyConfig,\n\tLegalBasis,\n\tOpenPolicyConfig,\n\tPrivacyPolicyConfig,\n\tTermsOfServiceConfig,\n\tUserRight,\n} from \"@openpolicy/core\";\n\nexport { dataCollected, thirdParties } from \"./auto-collected\";\nexport { collecting } from \"./collecting\";\nexport { Compliance } from \"./compliance\";\nexport { DataCategories, LegalBases, Retention, Rights } from \"./data\";\nexport { Providers } from \"./providers\";\nexport { thirdParty } from \"./third-parties\";\n\nexport function defineConfig(config: OpenPolicyConfig): OpenPolicyConfig {\n\treturn config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,SAAgB,WACf,WACA,OACA,QACI;AACJ,QAAO;;;;ACrCR,MAAa,aAAa;CACzB,MAAM;EACL,eAAe,CAAC,KAAK;EACrB,YAAY,CAAC,uBAAuB;EACpC,YAAY;GACX;GACA;GACA;GACA;GACA;GACA;GACA;EACD;CACD,MAAM;EACL,eAAe,CAAC,KAAK;EACrB,YAAY;GACX;GACA;GACA;GACA;GACA;EACD;CACD;;;ACtBD,MAAa,iBAAiB;CAC7B,aAAa,EAAE,uBAAuB,CAAC,QAAQ,gBAAgB,EAAE;CACjE,aAAa,EACZ,gBAAgB;EAAC;EAAc;EAAc;EAAe,EAC5D;CACD,aAAa,EACZ,uBAAuB;EACtB;EACA;EACA;EACA,EACD;CACD,WAAW,EACV,cAAc;EAAC;EAAiB;EAAiB;EAAa,EAC9D;CACD,YAAY,EACX,sBAAsB;EACrB;EACA;EACA;EACA,EACD;CACD,cAAc,EAAE,iBAAiB;EAAC;EAAW;EAAQ;EAAW,EAAE;CAClE,gBAAgB,EACf,gBAAgB,CAAC,iBAAiB,kBAAkB,EACpD;CACD;AAED,MAAa,YAAY;CACxB,sBAAsB;CACtB,oBAAoB;CACpB,YAAY;CACZ,YAAY;CACZ,SAAS;CACT,YAAY;CACZ,iBAAiB;CACjB;AAED,MAAa,SAAS;CACrB,QAAQ;CACR,eAAe;CACf,SAAS;CACT,aAAa;CACb,aAAa;CACb,WAAW;CACX,YAAY;CACZ,mBAAmB;CACnB;AAED,MAAa,aAAa;CACzB,SAAS;CACT,UAAU;CACV,iBAAiB;CACjB,gBAAgB;CAChB,YAAY;CACZ,qBAAqB;CACrB;;;ACxDD,MAAa,YAAY;CAExB,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,cAAc;EACb,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,iBAAiB;EAChB,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,SAAS;EACR,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,WAAW;EACV,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,YAAY;EACX,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,KAAK;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,UAAU;EACT,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,OAAO;EACN,MAAM;EACN,SAAS;EACT,WAAW;EACX;CAGD,QAAQ;EACP,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD,SAAS;EACR,MAAM;EACN,SAAS;EACT,WAAW;EACX;CACD;;;AC7GD,SAAgB,WACf,OACA,UACA,YACO;;;ACcR,SAAgB,aAAa,QAA4C;AACxE,QAAO"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@openpolicy/sdk",
-	"version": "0.0.19",
+	"version": "0.0.20",
 	"type": "module",
 	"description": "Public API for defining privacy policies with OpenPolicy",
 	"license": "GPL-3.0-only",
@@ -11,7 +11,8 @@
 	},
 	"files": [
 		"dist",
-		"README.md"
+		"README.md",
+		"skills"
 	],
 	"exports": {
 		".": {
@@ -28,6 +29,10 @@
 	"dependencies": {},
 	"devDependencies": {
 		"@openpolicy/core": "workspace:*",
-		"@openpolicy/tooling": "workspace:*"
-	}
+		"@openpolicy/tooling": "workspace:*",
+		"@tanstack/intent": "^0.0.29"
+	},
+	"keywords": [
+		"tanstack-intent"
+	]
 }

package/skills/annotate-data-collection/SKILL.md ADDED Viewed

@@ -0,0 +1,240 @@
+---
+name: annotate-data-collection
+description: >
+  Mark data collection points in source code with collecting(category, value,
+  labels) so the autoCollect() Vite plugin can populate privacy.dataCollected
+  automatically at build time via static AST analysis. All arguments must be
+  string literals. Spread the dataCollected sentinel from @openpolicy/sdk into
+  the config for plugin output to take effect.
+type: core
+library: openpolicy
+library_version: "0.0.19"
+requires:
+  - openpolicy/vite-setup
+sources:
+  - jamiedavenport/openpolicy:packages/sdk/src/auto-collected.ts
+  - jamiedavenport/openpolicy:packages/vite-auto-collect/src/analyse.ts
+---
+This skill builds on openpolicy/vite-setup. Read it first.
+## How it works
+`collecting(category, value, labels)` is a **pass-through at runtime** — it returns `value` unchanged. Its purpose is to serve as a static marker. During a Vite build, `autoCollect()` scans your source files using oxc-parser, finds every `collecting()` call, and merges the extracted category/label data into the `dataCollected` virtual module exported from `@openpolicy/sdk`.
+The scanned data only reaches your policy config if you import the `dataCollected` sentinel and spread it into `privacy.dataCollected`. Without the spread, all collected annotations are silently discarded.
+**Critical constraint: every argument that the plugin reads must be a string literal.** The AST scanner does not evaluate expressions. Variables, template literals, and computed values are silently skipped with no warning.
+## Setup
+Install and wire `autoCollect()` first (see openpolicy/vite-setup). Then follow these three steps:
+**Step 1 — Annotate a data collection point in your app code:**
+```ts
+// src/users/create.ts
+import { collecting } from "@openpolicy/sdk";
+export async function createUser(name: string, email: string) {
+  return db.insert(users).values(
+    collecting(
+      "Account Information",          // category — must be a string literal
+      { name, email },                // value — returned unchanged at runtime
+      { name: "Name", email: "Email address" }, // labels — values must be string literals
+    ),
+  );
+}
+```
+**Step 2 — Spread the sentinel into your config:**
+```ts
+// openpolicy.ts
+import { defineConfig, dataCollected } from "@openpolicy/sdk";
+export default defineConfig({
+  company: {
+    name: "Acme",
+    legalName: "Acme, Inc.",
+    address: "123 Main St, San Francisco, CA 94105",
+    contact: "privacy@acme.com",
+  },
+  privacy: {
+    effectiveDate: "2026-01-01",
+    dataCollected: {
+      ...dataCollected,              // populated by autoCollect() at build time
+      // add manually-tracked categories here if needed
+    },
+  },
+});
+```
+**Step 3 — Verify the plugin is active in vite.config.ts:**
+```ts
+// vite.config.ts
+import { defineConfig } from "vite";
+import { autoCollect } from "@openpolicy/vite-auto-collect";
+export default defineConfig({
+  plugins: [autoCollect()],
+});
+```
+At build time, `autoCollect()` scans `src/` for `collecting()` calls and injects the result into the `dataCollected` sentinel before your config module is evaluated.
+## Core Patterns
+### 1. Basic annotation
+Wrap the value you are storing at any data collection point. The third argument maps your field names to human-readable policy labels. Fields you omit from the label record are not included in the policy.
+```ts
+import { collecting } from "@openpolicy/sdk";
+// Database insert
+const row = collecting(
+  "Contact Information",
+  { email, phone },
+  { email: "Email address", phone: "Phone number" },
+);
+await db.insert(contacts).values(row);
+// Form submission
+const payload = collecting(
+  "Support Request",
+  { subject, body, userId },
+  { subject: "Subject line", body: "Message content" },
+  // userId omitted — not included in the policy
+);
+```
+### 2. Using DataCategories presets
+`DataCategories` provides preset category names and label arrays aligned with common GDPR/CCPA categories. Use these to keep your annotations consistent with the generated policy text.
+```ts
+import { collecting, DataCategories } from "@openpolicy/sdk";
+// DataCategories.AccountInfo = { "Account Information": ["Name", "Email address"] }
+// Use the category string from the preset key
+const user = collecting(
+  "Account Information",
+  { name, email },
+  { name: "Name", email: "Email address" },
+);
+// DataCategories.SessionData = { "Session Data": ["IP address", "User agent", "Browser type"] }
+const session = collecting(
+  "Session Data",
+  { ip, userAgent },
+  { ip: "IP address", userAgent: "User agent" },
+);
+```
+Available presets: `AccountInfo`, `SessionData`, `PaymentInfo`, `UsageData`, `DeviceInfo`, `LocationData`, `Communications`.
+Note: `DataCategories` values are objects for spreading into `dataCollected` manually; the string keys are the category names to use in `collecting()` calls.
+### 3. Spreading the sentinel into config
+The sentinel must be spread with `...dataCollected` — not assigned directly. You can add manually-tracked categories alongside the auto-collected ones.
+```ts
+import { defineConfig, dataCollected } from "@openpolicy/sdk";
+export default defineConfig({
+  company: { /* ... */ },
+  privacy: {
+    effectiveDate: "2026-01-01",
+    dataCollected: {
+      ...dataCollected,                              // auto-collected at build time
+      "Analytics": ["Page views", "Click events"],  // manually declared
+    },
+    jurisdictions: ["eu", "us"],
+    legalBasis: "legitimate_interests",
+    userRights: ["access", "erasure", "portability"],
+  },
+});
+```
+## Common Mistakes
+### MISTAKE 1 (HIGH) — Dynamic values in `collecting()` arguments
+The plugin uses static AST analysis and only recognises string literal nodes. Any non-literal — a variable, template literal, or computed expression — causes the entire call to be silently skipped. No warning is emitted.
+```ts
+// WRONG: variable in category position — silently skipped
+const category = "Account Information";
+collecting(category, { name, email }, { name: "Name", email: "Email address" });
+// WRONG: template literal — silently skipped
+collecting(`${"Account"} Information`, { name, email }, { name: "Name", email: "Email address" });
+// WRONG: dynamic label value — silently skipped
+const label = "Email address";
+collecting("Account Information", { name, email }, { name: "Name", email: label });
+```
+```ts
+// CORRECT: every argument the plugin reads is a string literal
+collecting(
+  "Account Information",
+  { name, email },
+  { name: "Name", email: "Email address" },
+);
+```
+The `value` argument (second position) is never read by the scanner and can be any expression.
+### MISTAKE 2 (HIGH) — Not spreading `dataCollected` into the config
+Even with `collecting()` calls throughout your codebase and `autoCollect()` wired up in Vite, the plugin output has no effect unless you import `dataCollected` from `@openpolicy/sdk` and spread it into `privacy.dataCollected`. Without the spread the sentinel is an empty object `{}` and the policy compiles with no auto-collected data.
+```ts
+// WRONG: sentinel not imported or spread
+export default defineConfig({
+  privacy: {
+    dataCollected: {
+      "Account Information": ["Email"],  // only manually-declared items appear
+    },
+  },
+});
+```
+```ts
+// CORRECT: sentinel imported and spread
+import { defineConfig, dataCollected } from "@openpolicy/sdk";
+export default defineConfig({
+  privacy: {
+    dataCollected: {
+      ...dataCollected,                  // auto-collected entries merged here
+      "Account Information": ["Email"],  // any manual additions
+    },
+  },
+});
+```
+### MISTAKE 3 (MEDIUM) — Calling `collecting()` with fewer than 3 arguments
+The plugin requires all three positional arguments: `category`, `value`, and `labels`. Calls with fewer than 3 arguments are silently skipped by the scanner. There is no runtime error because `collecting()` is a pass-through — it still returns `value` — but the call is never recorded in the policy.
+```ts
+// WRONG: missing labels argument — silently skipped by plugin
+collecting("Account Information", { name, email });
+// WRONG: only one argument — silently skipped
+collecting("Account Information");
+```
+```ts
+// CORRECT: all three arguments present
+collecting(
+  "Account Information",
+  { name, email },
+  { name: "Name", email: "Email address" },
+);
+```

package/skills/annotate-third-parties/SKILL.md ADDED Viewed

@@ -0,0 +1,237 @@
+---
+name: annotate-third-parties
+description: >
+  Mark third-party service dependencies in source code using thirdParty() so
+  the autoCollect() Vite plugin can populate the thirdParties sentinel for the
+  privacy policy config. Covers manual annotation, usePackageJson auto-detection
+  from the KNOWN_PACKAGES registry, combining both approaches, and the Providers
+  preset as a static alternative.
+type: core
+library: openpolicy
+library_version: "0.0.19"
+requires:
+  - openpolicy/vite-setup
+sources:
+  - jamiedavenport/openpolicy:packages/sdk/src/third-parties.ts
+  - jamiedavenport/openpolicy:packages/vite-auto-collect/src/known-packages.ts
+---
+This skill builds on openpolicy/vite-setup. Read it first.
+## How It Works
+`thirdParty()` is a **runtime no-op**. It is a build-time marker — `autoCollect()` scans source files statically via `oxc-parser` and extracts the three string literal arguments. The plugin then populates the `thirdParties` sentinel exported from `@openpolicy/sdk`. Without the plugin, `thirdParty()` calls have no effect whatsoever.
+The populated sentinel must be spread into `privacy.thirdParties` in the config file. Without the spread, the plugin output is discarded and the policy renders with no third parties listed.
+## Setup
+Three moving parts must all be in place:
+**1. `vite.config.ts` — enable the plugin**
+```ts
+import { defineConfig } from "vite";
+import { autoCollect } from "@openpolicy/vite-auto-collect";
+export default defineConfig({
+  plugins: [
+    autoCollect({
+      thirdParties: { usePackageJson: true }, // optional — see below
+    }),
+  ],
+});
+```
+**2. Source file — annotate next to the usage**
+```ts
+import { thirdParty } from "@openpolicy/sdk";
+// Place next to where you initialise or use the third-party SDK
+thirdParty("Stripe", "Payment processing", "https://stripe.com/privacy");
+// ... rest of your Stripe integration
+```
+**3. `openpolicy.ts` — spread the sentinel into config**
+```ts
+import { defineConfig, thirdParties } from "@openpolicy/sdk";
+export default defineConfig({
+  company: {
+    name: "Acme",
+    legalName: "Acme, Inc.",
+    address: "123 Main St, San Francisco, CA 94105",
+    contact: "privacy@acme.com",
+  },
+  privacy: {
+    effectiveDate: "2026-01-01",
+    thirdParties: [...thirdParties],
+  },
+});
+```
+## Core Patterns
+### 1. Manual thirdParty() annotation
+Call `thirdParty(name, purpose, policyUrl)` with three string literals next to wherever you initialise the third-party integration. All three arguments must be string literals — dynamic values are silently skipped by the static analyser.
+```ts
+import { thirdParty } from "@openpolicy/sdk";
+// Correct: all string literals
+thirdParty("Intercom", "Customer messaging", "https://www.intercom.com/legal/privacy");
+// Wrong: variable — silently skipped at build time
+const name = "Intercom";
+thirdParty(name, "Customer messaging", "https://www.intercom.com/legal/privacy");
+```
+Deduplication is by `name` — the first occurrence wins when files are walked in sorted alphabetical order. Calling `thirdParty()` with the same name from multiple files is safe.
+### 2. usePackageJson auto-detection
+`autoCollect({ thirdParties: { usePackageJson: true } })` reads `package.json` at build time and cross-references every entry in `dependencies` and `devDependencies` against the built-in KNOWN_PACKAGES registry. Matched packages are merged into `thirdParties` automatically, with deduplication by service name.
+This is the fastest way to cover common services (Stripe, Sentry, PostHog, Vercel, etc.) without any source annotations.
+```ts
+// vite.config.ts
+autoCollect({ thirdParties: { usePackageJson: true } })
+```
+See [references/known-packages.md](references/known-packages.md) for the full list of ~30 auto-detected packages.
+### 3. Combining both approaches
+`thirdParty()` annotations and `usePackageJson` are merged at build time. The plugin deduplicates by service name — `thirdParty()` entries from source files are added first (sorted file order), then package.json detections fill in any remaining services not already seen.
+Use this combination when:
+- Most services are covered by the KNOWN_PACKAGES registry (`usePackageJson: true`)
+- A few services are not in the registry and need explicit `thirdParty()` calls
+```ts
+// vite.config.ts
+autoCollect({ thirdParties: { usePackageJson: true } })
+// src/lib/custom-analytics.ts
+import { thirdParty } from "@openpolicy/sdk";
+thirdParty("Fathom Analytics", "Privacy-friendly web analytics", "https://usefathom.com/privacy");
+```
+```ts
+// openpolicy.ts — one spread covers both sources
+import { defineConfig, thirdParties } from "@openpolicy/sdk";
+export default defineConfig({
+  privacy: {
+    thirdParties: [...thirdParties],
+  },
+});
+```
+### 4. Providers presets as a static alternative
+`Providers` from `@openpolicy/sdk` is a collection of pre-filled third-party objects for common services. Use this when you want to declare third parties statically in `openpolicy.ts` without any source annotations or plugin scanning.
+```ts
+import { defineConfig, Providers } from "@openpolicy/sdk";
+export default defineConfig({
+  privacy: {
+    thirdParties: [
+      Providers.Stripe,
+      Providers.Sentry,
+      Providers.Vercel,
+      { name: "Custom Service", purpose: "Internal logging", policyUrl: "https://example.com/privacy" },
+    ],
+  },
+});
+```
+Available presets: `Stripe`, `Paddle`, `LemonSqueezy`, `PayPal`, `GoogleAnalytics`, `PostHog`, `Plausible`, `Mixpanel`, `Vercel`, `Cloudflare`, `AWS`, `Auth0`, `Clerk`, `Resend`, `Postmark`, `SendGrid`, `Loops`, `Sentry`, `Datadog`.
+Note: when using `Providers` statically, you can still spread `thirdParties` alongside it to capture any additional auto-collected services:
+```ts
+privacy: {
+  thirdParties: [...thirdParties, Providers.Cloudflare],
+}
+```
+## Common Mistakes
+### HIGH — Using thirdParty() without the autoCollect() plugin and expecting a runtime effect
+`thirdParty()` is defined as a no-op function that immediately returns `undefined`. It has no runtime behaviour. The only way it produces output in the policy is when `autoCollect()` is present in `vite.config.ts` and scans the file at build time.
+```ts
+// WRONG: calling thirdParty() and expecting it to affect the policy at runtime
+import { thirdParty } from "@openpolicy/sdk";
+thirdParty("Stripe", "Payment processing", "https://stripe.com/privacy");
+// Without autoCollect() in vite.config.ts, this does nothing
+```
+```ts
+// Correct: autoCollect() in vite.config.ts is the required prerequisite
+// vite.config.ts
+import { autoCollect } from "@openpolicy/vite-auto-collect";
+export default defineConfig({ plugins: [autoCollect()] });
+// src/lib/stripe.ts — scanned at build time by the plugin
+import { thirdParty } from "@openpolicy/sdk";
+thirdParty("Stripe", "Payment processing", "https://stripe.com/privacy");
+```
+### HIGH — Not spreading thirdParties sentinel into privacy.thirdParties
+Even when `autoCollect()` scans the source and populates the sentinel, the populated value is discarded unless it is imported and spread into `privacy.thirdParties` in the config. The privacy policy then renders with an empty third-party section, which may be legally invalid.
+```ts
+// WRONG: thirdParties not imported or spread
+export default defineConfig({
+  privacy: {
+    thirdParties: [], // static empty array, discards plugin output
+  },
+});
+```
+```ts
+// Correct
+import { defineConfig, thirdParties } from "@openpolicy/sdk";
+export default defineConfig({
+  privacy: {
+    thirdParties: [...thirdParties],
+    // or combine with static entries:
+    // thirdParties: [...thirdParties, Providers.Cloudflare],
+  },
+});
+```
+### MEDIUM — Not enabling usePackageJson when known packages are used
+The KNOWN_PACKAGES registry covers ~30 common npm packages. Without `usePackageJson: true`, packages like `@sentry/browser`, `posthog-js`, or `@stripe/stripe-js` are not auto-detected and must each be annotated manually with `thirdParty()`. Enabling the option costs nothing and eliminates this annotation burden for any covered package.
+```ts
+// WRONG: usePackageJson not enabled — known packages not auto-detected
+autoCollect()
+```
+```ts
+// Correct
+autoCollect({ thirdParties: { usePackageJson: true } })
+```
+## References
+- [Known packages registry](references/known-packages.md) — full table of npm packages auto-detected by `usePackageJson: true`
+- `packages/sdk/src/third-parties.ts` — thirdParty() implementation (runtime no-op)
+- `packages/sdk/src/providers.ts` — Providers preset objects
+- `packages/sdk/src/auto-collected.ts` — thirdParties sentinel definition
+- `packages/vite-auto-collect/src/index.ts` — autoCollect() plugin, AutoCollectOptions type
+- `packages/vite-auto-collect/src/analyse.ts` — static AST extraction logic
+- `packages/vite-auto-collect/src/known-packages.ts` — KNOWN_PACKAGES registry source

package/skills/annotate-third-parties/references/known-packages.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Known Packages Registry
+These npm package names are auto-detected when `usePackageJson: true` is set in `autoCollect()`. The plugin reads `dependencies` and `devDependencies` from the project root `package.json` and matches entries against this registry. Multiple package names can map to the same service — deduplication is by service name, first match wins.
+| npm package | Service name | Purpose |
+|---|---|---|
+| `stripe` | Stripe | Payment processing |
+| `@stripe/stripe-js` | Stripe | Payment processing |
+| `braintree` | Braintree | Payment processing |
+| `@braintree/browser-drop-in` | Braintree | Payment processing |
+| `@sentry/browser` | Sentry | Error tracking |
+| `@sentry/node` | Sentry | Error tracking |
+| `@sentry/nextjs` | Sentry | Error tracking |
+| `@sentry/react` | Sentry | Error tracking |
+| `@sentry/vue` | Sentry | Error tracking |
+| `@datadog/browser-rum` | Datadog | Monitoring |
+| `dd-trace` | Datadog | Monitoring |
+| `posthog-js` | PostHog | Product analytics |
+| `posthog-node` | PostHog | Product analytics |
+| `mixpanel-browser` | Mixpanel | Product analytics |
+| `@segment/analytics-next` | Segment | Customer data platform |
+| `@amplitude/analytics-browser` | Amplitude | Product analytics |
+| `amplitude-js` | Amplitude | Product analytics |
+| `@vercel/analytics` | Vercel Analytics | Web analytics |
+| `plausible-tracker` | Plausible | Web analytics |
+| `logrocket` | LogRocket | Session recording |
+| `@hotjar/browser` | Hotjar | Session recording |
+| `resend` | Resend | Transactional email |
+| `@sendgrid/mail` | SendGrid | Transactional email |
+| `intercom-client` | Intercom | Customer messaging |
+| `@intercom/messenger-js-sdk` | Intercom | Customer messaging |
+## Services not in the registry
+For services not listed here, use `thirdParty()` source annotations or the `Providers` preset constants from `@openpolicy/sdk`. See the main skill file for examples.
+The registry source is at `packages/vite-auto-collect/src/known-packages.ts`.