@tickboxhq/core 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Tiny Systems Limited
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index-D_Xt5NFB.d.ts

@@ -0,0 +1,155 @@
+/**
+ * How a category should be treated for a given jurisdiction.
+ *
+ * - `consent`  — must opt-in. Block tags until granted. (e.g. marketing under GDPR/PECR)
+ * - `notice`   — show info + easy opt-out, but don't block tags. (e.g. UK DUAA "statistical" analytics)
+ * - `always`   — no consent or notice required. (e.g. necessary cookies)
+ */
+type ConsentMode = 'consent' | 'notice' | 'always';
+type CategoryId = string;
+type CategoryDefinition = {
+    /** True for strictly necessary categories that the user cannot deny. */
+    required?: boolean;
+    /** Pre-toggled state when the user hasn't chosen yet. Ignored when `required` is true. */
+    default?: boolean;
+    /** Vendor identifiers (e.g. 'plausible', 'google-ads') used for jurisdiction classification. */
+    vendors?: string[];
+    /** Human-readable description shown in the banner / preference centre. */
+    description?: string;
+    /**
+     * Override the inferred mode for this category. Normally not needed —
+     * the jurisdiction + vendor list determines the mode.
+     */
+    mode?: ConsentMode;
+};
+type JurisdictionId = 'UK_DUAA' | 'EU_GDPR' | 'US_CA' | 'CCPA' | (string & {});
+type Jurisdiction = {
+    id: JurisdictionId;
+    name: string;
+    /**
+     * Per-vendor classification: which vendors require full consent vs. notice-only
+     * vs. always-allowed under this jurisdiction.
+     */
+    vendorRules: Record<string, ConsentMode>;
+    /** Default mode applied to vendors not in `vendorRules`. */
+    defaultMode: ConsentMode;
+    /** UI requirements imposed by the jurisdiction. */
+    ui: {
+        /** Whether a "Reject All" button is required on the first banner layer. */
+        rejectButtonOnFirstLayer: boolean;
+        /** Whether Accept/Reject must have equal visual prominence. */
+        equalProminence: boolean;
+        /** Whether Global Privacy Control (Sec-GPC) signals must be honoured as opt-out. */
+        honorGPC: boolean;
+    };
+    /** Optional ISO 3166-1 alpha-2 country codes that map to this jurisdiction (used by 'auto' mode). */
+    countries?: readonly string[];
+};
+type ConsentConfig = {
+    /**
+     * The jurisdiction governing this site, or `'auto'` to detect by visitor country.
+     * 'auto' falls back to the strictest available match.
+     */
+    jurisdiction: Jurisdiction | 'auto';
+    /** Map of category ID to definition. The keys are arbitrary (e.g. 'analytics', 'marketing'). */
+    categories: Record<CategoryId, CategoryDefinition>;
+    /** Versioned policy reference. Audit log entries are tied to a policy version. */
+    policy?: {
+        version: string;
+        url?: string;
+    };
+    /** Cloud configuration. If omitted, the SDK runs entirely client-side with no telemetry. */
+    cloud?: {
+        apiKey?: string;
+        /** Override the default ingest endpoint. Useful for self-hosting. */
+        endpoint?: string;
+    };
+    /** Cookie storage options. */
+    storage?: StorageOptions;
+};
+type StorageOptions = {
+    /** Cookie name. Defaults to `__tb_consent`. */
+    cookieName?: string;
+    /** Optional Domain attribute (e.g. '.example.com' to share across subdomains). */
+    domain?: string;
+    /** Cookie max-age in days. Defaults to 365. */
+    maxAgeDays?: number;
+};
+/**
+ * The serialised consent record stored in the browser cookie.
+ * Schema is versioned via `v` so future migrations don't break readers.
+ */
+type StoredConsent = {
+    /** Schema version. */
+    v: 1;
+    /** Map of category ID to granted/denied. */
+    c: Record<CategoryId, boolean>;
+    /** Policy version at the time of choice. */
+    pv: string;
+    /** Unix epoch milliseconds when the choice was made. */
+    ts: number;
+    /** Jurisdiction ID at the time of choice. */
+    j: JurisdictionId;
+};
+/**
+ * A category resolved against the active jurisdiction — what the SDK actually
+ * needs to know to render UI and gate scripts.
+ */
+type ResolvedCategory = {
+    id: CategoryId;
+    required: boolean;
+    mode: ConsentMode;
+    default: boolean;
+    vendors: string[];
+    description?: string;
+};
+
+/**
+ * United Kingdom — Data (Use and Access) Act 2025 (DUAA).
+ *
+ * In force from 5 February 2026. Amends PECR to introduce new exemptions for
+ * cookies/storage used solely for statistical, security, authentication, and
+ * appearance purposes. Advertising and individual-level tracking still require
+ * full opt-in consent.
+ *
+ * UI requirements (ICO):
+ *  - "Reject All" must be on the first banner layer
+ *  - "Accept All" and "Reject All" must have equal visual prominence
+ *  - GPC is not (yet) mandatory in UK guidance; default off.
+ *
+ * @see https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/
+ */
+declare const UK_DUAA: Jurisdiction;
+
+/**
+ * European Union — GDPR + ePrivacy Directive ("Cookie Law").
+ *
+ * EU rules don't have the DUAA "statistical exemption" — analytics that
+ * involve client-side storage on a user's device generally require opt-in
+ * consent, even for first-party privacy-friendly tools (positions vary by
+ * DPA; CNIL has been more permissive than others). This preset takes the
+ * conservative position: treat all tracking categories as consent-required.
+ *
+ * UI requirements (EDPB / national DPAs):
+ *  - "Reject All" on first banner layer with equal prominence
+ *  - GPC: not yet mandatory but increasingly recognised
+ */
+declare const EU_GDPR: Jurisdiction;
+
+/**
+ * Map of all built-in jurisdiction presets, keyed by their ID for ergonomic
+ * lookup: `jurisdictions.UK_DUAA`.
+ */
+declare const jurisdictions: {
+    readonly UK_DUAA: Jurisdiction;
+    readonly EU_GDPR: Jurisdiction;
+};
+/**
+ * Resolve a jurisdiction from an ISO 3166-1 alpha-2 country code (e.g. 'GB').
+ * Falls back to `EU_GDPR` for any country not explicitly mapped — the safer
+ * default for an unknown EEA visitor. Returns `null` when the code is unknown
+ * and no fallback is requested.
+ */
+declare function resolveJurisdictionByCountry(country: string | undefined, fallback?: Jurisdiction | null): Jurisdiction | null;
+
+export { type ConsentConfig as C, EU_GDPR as E, type Jurisdiction as J, type ResolvedCategory as R, type StorageOptions as S, UK_DUAA as U, type StoredConsent as a, type CategoryDefinition as b, type CategoryId as c, type ConsentMode as d, type JurisdictionId as e, jurisdictions as j, resolveJurisdictionByCountry as r };

package/dist/index.d.ts

@@ -0,0 +1,151 @@
+import { R as ResolvedCategory, C as ConsentConfig, S as StorageOptions, J as Jurisdiction, a as StoredConsent } from './index-D_Xt5NFB.js';
+export { b as CategoryDefinition, c as CategoryId, d as ConsentMode, e as JurisdictionId, j as jurisdictions, r as resolveJurisdictionByCountry } from './index-D_Xt5NFB.js';
+
+type ConsentState = {
+    /** True after the store has hydrated from the cookie (client-only). */
+    ready: boolean;
+    /** True when the banner / preference centre should be visible. */
+    isOpen: boolean;
+    /** Map of category ID → granted (true) / denied (false). */
+    decisions: Record<string, boolean>;
+    /** Resolved categories for the active jurisdiction. */
+    resolved: ResolvedCategory[];
+    /** Timestamp of the most-recent stored decision, if any. */
+    storedAt: number | null;
+};
+type Listener = (state: ConsentState) => void;
+type StoreOptions = {
+    /** Storage options forwarded to the cookie reader/writer. */
+    storage?: StorageOptions;
+    /** When `true`, side-effects like script rewriting fire on state changes. Defaults to true. */
+    applyEffects?: boolean;
+    /** Custom side-effect handler. Receives `(state, resolved)` whenever decisions change. */
+    onApply?: (state: ConsentState) => void;
+    /** Active jurisdiction. Required — pass `config.jurisdiction` after resolving 'auto'. */
+    jurisdiction: Jurisdiction;
+};
+/**
+ * Framework-agnostic consent state machine.
+ *
+ * The store hydrates from the cookie on first read, keeps decisions in memory,
+ * and broadcasts changes to subscribers. Adapters (`@tickboxhq/react`,
+ * `@tickboxhq/vue`) bind to it via their idiomatic reactivity primitive.
+ */
+declare class ConsentStore {
+    private state;
+    private readonly listeners;
+    private readonly config;
+    private readonly options;
+    constructor(config: ConsentConfig, options: StoreOptions);
+    /**
+     * Read the stored cookie and update state. Safe to call on the server
+     * (no-op when `document` is unavailable). Call from a mount effect.
+     */
+    hydrate(): void;
+    /**
+     * Hydrate from a raw Cookie header — for server-side rendering.
+     * Pass the value of the request's `cookie` header (or `undefined` if absent).
+     */
+    hydrateFromHeader(cookieHeader: string | undefined): void;
+    private applyHydration;
+    getState(): ConsentState;
+    subscribe(fn: Listener): () => void;
+    grant(id: string): void;
+    deny(id: string): void;
+    grantAll(): void;
+    denyAll(): void;
+    /** Persist the current decisions and close the banner. */
+    save(): void;
+    open(): void;
+    close(): void;
+    /** Wipe stored consent and reopen the banner. */
+    reset(): void;
+    isRequired(id: string): boolean;
+    private update;
+    private persist;
+    private emit;
+}
+
+/**
+ * Element attribute used by Tickbox-aware scripts to declare their category.
+ *
+ * @example
+ * ```html
+ * <script type="text/plain" data-tb-category="analytics" src="plausible.js"></script>
+ * ```
+ *
+ * On grant, the SDK rewrites `type` to `text/javascript` so the browser executes the script.
+ * On deny, the script is left as `text/plain` (browser ignores it).
+ */
+declare const TAG_ATTRIBUTE = "data-tb-category";
+/**
+ * Apply a consent state to the document by:
+ *  1. Activating any `<script type="text/plain" data-tb-category="X">` whose category was granted
+ *  2. Calling `gtag('consent', 'update', ...)` if `gtag` is on the global scope
+ *  3. Dispatching a `tickbox:consent-changed` CustomEvent for any custom integrations
+ *
+ * No-op on the server.
+ */
+declare function applyConsent(state: ConsentState): void;
+
+/**
+ * Identity helper that narrows the type of a consent config so users get
+ * full autocomplete + type-checking in their `consent.config.ts`.
+ *
+ * @example
+ * ```ts
+ * import { defineConsent, jurisdictions } from '@tickboxhq/core'
+ *
+ * export default defineConsent({
+ *   jurisdiction: jurisdictions.UK_DUAA,
+ *   categories: {
+ *     necessary: { required: true },
+ *     analytics: { vendors: ['plausible'] },
+ *   },
+ * })
+ * ```
+ */
+declare function defineConsent<const T extends ConsentConfig>(config: T): T;
+
+/**
+ * Detect a Global Privacy Control signal from the visitor's browser.
+ *
+ * GPC is exposed as `navigator.globalPrivacyControl` (boolean) and the
+ * `Sec-GPC: 1` HTTP header. The header is server-side only; this helper
+ * covers the client-side property.
+ *
+ * @see https://globalprivacycontrol.org/
+ */
+declare function isGPCSignaled(): boolean;
+
+/**
+ * Resolve each declared category against the active jurisdiction's vendor rules.
+ *
+ * For each category, the most-restrictive vendor mode wins:
+ *   `consent` > `notice` > `always`
+ *
+ * Categories with no vendors fall back to the jurisdiction's default mode,
+ * unless `required: true` (always allowed) or an explicit `mode` override is set.
+ */
+declare function resolveCategories(config: ConsentConfig, jurisdiction: Jurisdiction): ResolvedCategory[];
+
+/**
+ * Read the stored consent record from `document.cookie`.
+ * Returns `null` on the server, when no cookie is set, or when the cookie is malformed.
+ */
+declare function readConsent(options?: StorageOptions): StoredConsent | null;
+/**
+ * Parse a stored consent record from a raw `Cookie` header string.
+ * Useful on the server: pass the request's `cookie` header.
+ * Returns `null` when the cookie isn't present or is malformed.
+ */
+declare function parseConsentFromHeader(cookieHeader: string | undefined, options?: StorageOptions): StoredConsent | null;
+/**
+ * Persist a consent record to `document.cookie`.
+ * No-op on the server.
+ */
+declare function writeConsent(value: StoredConsent, options?: StorageOptions): void;
+/** Clear the stored consent cookie. */
+declare function clearConsent(options?: StorageOptions): void;
+
+export { ConsentConfig, type ConsentState, ConsentStore, Jurisdiction, ResolvedCategory, StorageOptions, type StoreOptions, StoredConsent, TAG_ATTRIBUTE, applyConsent, clearConsent, defineConsent, isGPCSignaled, parseConsentFromHeader, readConsent, resolveCategories, writeConsent };

package/dist/index.js

@@ -0,0 +1,425 @@
+// src/apply.ts
+var TAG_ATTRIBUTE = "data-tb-category";
+function applyConsent(state) {
+  if (typeof document === "undefined") return;
+  activateScripts(state.decisions);
+  updateConsentMode(state.decisions);
+  dispatchEvent(state);
+}
+function activateScripts(decisions) {
+  const blocked = document.querySelectorAll(`script[type="text/plain"][${TAG_ATTRIBUTE}]`);
+  for (const node of Array.from(blocked)) {
+    const category = node.getAttribute(TAG_ATTRIBUTE);
+    if (!category || !decisions[category]) continue;
+    const replacement = document.createElement("script");
+    for (const attr of Array.from(node.attributes)) {
+      if (attr.name === "type") continue;
+      replacement.setAttribute(attr.name, attr.value);
+    }
+    replacement.text = node.textContent ?? "";
+    node.parentNode?.replaceChild(replacement, node);
+  }
+}
+function updateConsentMode(decisions) {
+  const win = globalThis;
+  if (typeof win.gtag !== "function") return;
+  win.gtag("consent", "update", {
+    ad_storage: gv(decisions, "marketing"),
+    ad_user_data: gv(decisions, "marketing"),
+    ad_personalization: gv(decisions, "marketing"),
+    analytics_storage: gv(decisions, "analytics"),
+    functionality_storage: gv(decisions, "functional", true),
+    personalization_storage: gv(decisions, "preferences", true),
+    security_storage: "granted"
+  });
+}
+function gv(decisions, id, defaultGranted = false) {
+  const value = decisions[id];
+  if (value === void 0) return defaultGranted ? "granted" : "denied";
+  return value ? "granted" : "denied";
+}
+function dispatchEvent(state) {
+  document.dispatchEvent(
+    new CustomEvent("tickbox:consent-changed", {
+      detail: { decisions: state.decisions, ts: state.storedAt }
+    })
+  );
+}
+
+// src/define-consent.ts
+function defineConsent(config) {
+  return config;
+}
+
+// src/gpc.ts
+function isGPCSignaled() {
+  if (typeof navigator === "undefined") return false;
+  return navigator.globalPrivacyControl === true;
+}
+
+// src/jurisdictions/eu-gdpr.ts
+var EU_GDPR = {
+  id: "EU_GDPR",
+  name: "European Union (GDPR / ePrivacy)",
+  vendorRules: {},
+  defaultMode: "consent",
+  ui: {
+    rejectButtonOnFirstLayer: true,
+    equalProminence: true,
+    honorGPC: false
+  },
+  countries: [
+    "AT",
+    "BE",
+    "BG",
+    "HR",
+    "CY",
+    "CZ",
+    "DK",
+    "EE",
+    "FI",
+    "FR",
+    "DE",
+    "GR",
+    "HU",
+    "IE",
+    "IT",
+    "LV",
+    "LT",
+    "LU",
+    "MT",
+    "NL",
+    "PL",
+    "PT",
+    "RO",
+    "SK",
+    "SI",
+    "ES",
+    "SE",
+    // EEA additions
+    "IS",
+    "LI",
+    "NO"
+  ]
+};
+
+// src/jurisdictions/uk-duaa.ts
+var DUAA_STATISTICAL_VENDORS = [
+  "plausible",
+  "fathom",
+  "simpleanalytics",
+  "pirsch",
+  "goatcounter",
+  "umami",
+  "tinybird-analytics",
+  "cloudflare-web-analytics"
+];
+var DUAA_CONSENT_REQUIRED_VENDORS = [
+  // Advertising
+  "google-ads",
+  "google-analytics",
+  "ga4",
+  "meta-pixel",
+  "facebook-pixel",
+  "tiktok-pixel",
+  "linkedin-insight",
+  "twitter-pixel",
+  "pinterest-tag",
+  "reddit-pixel",
+  // Session replay / individual tracking
+  "hotjar",
+  "fullstory",
+  "microsoft-clarity",
+  "mouseflow",
+  "logrocket",
+  // CDPs / marketing automation
+  "segment",
+  "rudderstack",
+  "hubspot",
+  "mixpanel",
+  "amplitude",
+  // AI training crawlers (always require explicit opt-in/out)
+  "gptbot",
+  "claudebot",
+  "anthropic-ai",
+  "google-extended",
+  "perplexitybot",
+  "ccbot",
+  "bytespider",
+  "applebot-extended"
+];
+var UK_DUAA = {
+  id: "UK_DUAA",
+  name: "United Kingdom (Data (Use and Access) Act 2025)",
+  vendorRules: {
+    ...Object.fromEntries(DUAA_STATISTICAL_VENDORS.map((v) => [v, "notice"])),
+    ...Object.fromEntries(DUAA_CONSENT_REQUIRED_VENDORS.map((v) => [v, "consent"]))
+  },
+  defaultMode: "consent",
+  ui: {
+    rejectButtonOnFirstLayer: true,
+    equalProminence: true,
+    honorGPC: false
+  },
+  countries: ["GB"]
+};
+
+// src/jurisdictions/index.ts
+var jurisdictions = {
+  UK_DUAA,
+  EU_GDPR
+};
+function resolveJurisdictionByCountry(country, fallback = EU_GDPR) {
+  if (!country) return fallback;
+  const upper = country.toUpperCase();
+  for (const j of Object.values(jurisdictions)) {
+    if (j.countries?.includes(upper)) return j;
+  }
+  return fallback;
+}
+
+// src/resolve.ts
+function resolveCategories(config, jurisdiction) {
+  return Object.entries(config.categories).map(([id, def]) => {
+    const required = def.required === true;
+    const explicit = def.mode;
+    const vendors = def.vendors ?? [];
+    let mode;
+    if (required) {
+      mode = "always";
+    } else if (explicit) {
+      mode = explicit;
+    } else if (vendors.length === 0) {
+      mode = jurisdiction.defaultMode;
+    } else {
+      mode = mostRestrictive(
+        vendors.map((v) => jurisdiction.vendorRules[v] ?? jurisdiction.defaultMode)
+      );
+    }
+    return {
+      id,
+      required,
+      mode,
+      default: required ? true : def.default ?? false,
+      vendors,
+      description: def.description
+    };
+  });
+}
+var ORDER = { always: 0, notice: 1, consent: 2 };
+function mostRestrictive(modes) {
+  let winner = "always";
+  for (const m of modes) {
+    if (ORDER[m] > ORDER[winner]) winner = m;
+  }
+  return winner;
+}
+
+// src/storage.ts
+var DEFAULT_COOKIE_NAME = "__tb_consent";
+var DEFAULT_MAX_AGE_DAYS = 365;
+function readConsent(options = {}) {
+  if (typeof document === "undefined") return null;
+  return parseConsentFromHeader(document.cookie, options);
+}
+function parseConsentFromHeader(cookieHeader, options = {}) {
+  if (!cookieHeader) return null;
+  const name = options.cookieName ?? DEFAULT_COOKIE_NAME;
+  const match = cookieHeader.match(new RegExp(`(?:^|; )${name}=([^;]+)`));
+  if (!match) return null;
+  try {
+    const parsed = JSON.parse(decodeURIComponent(match[1]));
+    if (isStoredConsent(parsed)) return parsed;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function writeConsent(value, options = {}) {
+  if (typeof document === "undefined") return;
+  const name = options.cookieName ?? DEFAULT_COOKIE_NAME;
+  const maxAge = (options.maxAgeDays ?? DEFAULT_MAX_AGE_DAYS) * 86400;
+  const domain = options.domain ? `; Domain=${options.domain}` : "";
+  const secure = typeof location !== "undefined" && location.protocol === "https:" ? "; Secure" : "";
+  const encoded = encodeURIComponent(JSON.stringify(value));
+  document.cookie = `${name}=${encoded}; Path=/; Max-Age=${maxAge}; SameSite=Lax${secure}${domain}`;
+}
+function clearConsent(options = {}) {
+  if (typeof document === "undefined") return;
+  const name = options.cookieName ?? DEFAULT_COOKIE_NAME;
+  const domain = options.domain ? `; Domain=${options.domain}` : "";
+  document.cookie = `${name}=; Path=/; Max-Age=0${domain}`;
+}
+function isStoredConsent(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const v = value;
+  return v.v === 1 && typeof v.c === "object" && v.c !== null && typeof v.pv === "string" && typeof v.ts === "number" && typeof v.j === "string";
+}
+
+// src/store.ts
+var ConsentStore = class {
+  state;
+  listeners = /* @__PURE__ */ new Set();
+  config;
+  options;
+  constructor(config, options) {
+    this.config = config;
+    this.options = options;
+    const resolved = resolveCategories(config, options.jurisdiction);
+    this.state = {
+      ready: false,
+      isOpen: false,
+      decisions: defaultDecisions(resolved),
+      resolved,
+      storedAt: null
+    };
+  }
+  /**
+   * Read the stored cookie and update state. Safe to call on the server
+   * (no-op when `document` is unavailable). Call from a mount effect.
+   */
+  hydrate() {
+    const stored = readConsent(this.options.storage);
+    this.applyHydration(stored);
+  }
+  /**
+   * Hydrate from a raw Cookie header — for server-side rendering.
+   * Pass the value of the request's `cookie` header (or `undefined` if absent).
+   */
+  hydrateFromHeader(cookieHeader) {
+    const stored = parseConsentFromHeader(cookieHeader, this.options.storage);
+    this.applyHydration(stored);
+  }
+  applyHydration(stored) {
+    if (stored) {
+      this.state = {
+        ...this.state,
+        ready: true,
+        isOpen: needsRefresh(stored, this.config),
+        decisions: mergeDecisions(this.state.resolved, stored.c),
+        storedAt: stored.ts
+      };
+    } else {
+      this.state = {
+        ...this.state,
+        ready: true,
+        isOpen: shouldShowBanner(this.state.resolved)
+      };
+    }
+    this.emit();
+  }
+  getState() {
+    return this.state;
+  }
+  subscribe(fn) {
+    this.listeners.add(fn);
+    return () => {
+      this.listeners.delete(fn);
+    };
+  }
+  grant(id) {
+    this.update({ [id]: true });
+  }
+  deny(id) {
+    if (this.isRequired(id)) return;
+    this.update({ [id]: false });
+  }
+  grantAll() {
+    const next = {};
+    for (const r of this.state.resolved) next[r.id] = true;
+    this.update(next, { close: true });
+  }
+  denyAll() {
+    const next = {};
+    for (const r of this.state.resolved) next[r.id] = r.required;
+    this.update(next, { close: true });
+  }
+  /** Persist the current decisions and close the banner. */
+  save() {
+    const ts = this.persist(this.state.decisions);
+    this.state = { ...this.state, isOpen: false, storedAt: ts };
+    this.emit();
+  }
+  open() {
+    if (this.state.isOpen) return;
+    this.state = { ...this.state, isOpen: true };
+    this.emit();
+  }
+  close() {
+    if (!this.state.isOpen) return;
+    this.state = { ...this.state, isOpen: false };
+    this.emit();
+  }
+  /** Wipe stored consent and reopen the banner. */
+  reset() {
+    this.state = {
+      ...this.state,
+      decisions: defaultDecisions(this.state.resolved),
+      isOpen: true,
+      storedAt: null
+    };
+    this.emit();
+  }
+  isRequired(id) {
+    return this.state.resolved.find((r) => r.id === id)?.required === true;
+  }
+  update(partial, opts = {}) {
+    const next = { ...this.state.decisions, ...partial };
+    const ts = this.persist(next);
+    this.state = {
+      ...this.state,
+      decisions: next,
+      isOpen: opts.close ? false : this.state.isOpen,
+      storedAt: ts
+    };
+    this.emit();
+  }
+  persist(decisions) {
+    const ts = Date.now();
+    const stored = {
+      v: 1,
+      c: decisions,
+      pv: this.config.policy?.version ?? "0",
+      ts,
+      j: this.options.jurisdiction.id
+    };
+    writeConsent(stored, this.options.storage);
+    return ts;
+  }
+  emit() {
+    if (this.options.applyEffects !== false) {
+      this.options.onApply?.(this.state);
+    }
+    for (const fn of this.listeners) fn(this.state);
+  }
+};
+function defaultDecisions(resolved) {
+  const out = {};
+  for (const r of resolved) out[r.id] = r.required ? true : r.default;
+  return out;
+}
+function mergeDecisions(resolved, stored) {
+  const out = {};
+  for (const r of resolved) {
+    if (r.required) {
+      out[r.id] = true;
+    } else if (stored[r.id] !== void 0) {
+      out[r.id] = stored[r.id];
+    } else {
+      out[r.id] = r.default;
+    }
+  }
+  return out;
+}
+function needsRefresh(stored, config) {
+  const declared = config.policy?.version;
+  if (!declared) return false;
+  return stored.pv !== declared;
+}
+function shouldShowBanner(resolved) {
+  return resolved.some((r) => r.mode === "consent" && !r.required);
+}
+
+export { ConsentStore, TAG_ATTRIBUTE, applyConsent, clearConsent, defineConsent, isGPCSignaled, jurisdictions, parseConsentFromHeader, readConsent, resolveCategories, resolveJurisdictionByCountry, writeConsent };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/apply.ts","../src/define-consent.ts","../src/gpc.ts","../src/jurisdictions/eu-gdpr.ts","../src/jurisdictions/uk-duaa.ts","../src/jurisdictions/index.ts","../src/resolve.ts","../src/storage.ts","../src/store.ts"],"names":[],"mappings":";AAaO,IAAM,aAAA,GAAgB;AAUtB,SAAS,aAAa,KAAA,EAA2B;AACtD,EAAA,IAAI,OAAO,aAAa,WAAA,EAAa;AACrC,EAAA,eAAA,CAAgB,MAAM,SAAS,CAAA;AAC/B,EAAA,iBAAA,CAAkB,MAAM,SAAS,CAAA;AACjC,EAAA,aAAA,CAAc,KAAK,CAAA;AACrB;AAEA,SAAS,gBAAgB,SAAA,EAA0C;AACjE,EAAA,MAAM,OAAA,GAAU,QAAA,CAAS,gBAAA,CAAiB,CAAA,0BAAA,EAA6B,aAAa,CAAA,CAAA,CAAG,CAAA;AACvF,EAAA,KAAA,MAAW,IAAA,IAAQ,KAAA,CAAM,IAAA,CAAK,OAAO,CAAA,EAAG;AACtC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,YAAA,CAAa,aAAa,CAAA;AAChD,IAAA,IAAI,CAAC,QAAA,IAAY,CAAC,SAAA,CAAU,QAAQ,CAAA,EAAG;AACvC,IAAA,MAAM,WAAA,GAAc,QAAA,CAAS,aAAA,CAAc,QAAQ,CAAA;AACnD,IAAA,KAAA,MAAW,IAAA,IAAQ,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,UAAU,CAAA,EAAG;AAC9C,MAAA,IAAI,IAAA,CAAK,SAAS,MAAA,EAAQ;AAC1B,MAAA,WAAA,CAAY,YAAA,CAAa,IAAA,CAAK,IAAA,EAAM,IAAA,CAAK,KAAK,CAAA;AAAA,IAChD;AACA,IAAA,WAAA,CAAY,IAAA,GAAO,KAAK,WAAA,IAAe,EAAA;AACvC,IAAA,IAAA,CAAK,UAAA,EAAY,YAAA,CAAa,WAAA,EAAa,IAAI,CAAA;AAAA,EACjD;AACF;AAIA,SAAS,kBAAkB,SAAA,EAA0C;AACnE,EAAA,MAAM,GAAA,GAAM,UAAA;AACZ,EAAA,IAAI,OAAO,GAAA,CAAI,IAAA,KAAS,UAAA,EAAY;AACpC,EAAA,GAAA,CAAI,IAAA,CAAK,WAAW,QAAA,EAAU;AAAA,IAC5B,UAAA,EAAY,EAAA,CAAG,SAAA,EAAW,WAAW,CAAA;AAAA,IACrC,YAAA,EAAc,EAAA,CAAG,SAAA,EAAW,WAAW,CAAA;AAAA,IACvC,kBAAA,EAAoB,EAAA,CAAG,SAAA,EAAW,WAAW,CAAA;AAAA,IAC7C,iBAAA,EAAmB,EAAA,CAAG,SAAA,EAAW,WAAW,CAAA;AAAA,IAC5C,qBAAA,EAAuB,EAAA,CAAG,SAAA,EAAW,YAAA,EAAc,IAAI,CAAA;AAAA,IACvD,uBAAA,EAAyB,EAAA,CAAG,SAAA,EAAW,aAAA,EAAe,IAAI,CAAA;AAAA,IAC1D,gBAAA,EAAkB;AAAA,GACnB,CAAA;AACH;AAEA,SAAS,EAAA,CACP,SAAA,EACA,EAAA,EACA,cAAA,GAAiB,KAAA,EACK;AACtB,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,KAAA,KAAU,MAAA,EAAW,OAAO,cAAA,GAAiB,SAAA,GAAY,QAAA;AAC7D,EAAA,OAAO,QAAQ,SAAA,GAAY,QAAA;AAC7B;AAEA,SAAS,cAAc,KAAA,EAA2B;AAChD,EAAA,QAAA,CAAS,aAAA;AAAA,IACP,IAAI,YAAY,yBAAA,EAA2B;AAAA,MACzC,QAAQ,EAAE,SAAA,EAAW,MAAM,SAAA,EAAW,EAAA,EAAI,MAAM,QAAA;AAAS,KAC1D;AAAA,GACH;AACF;;;AC1DO,SAAS,cAA6C,MAAA,EAAc;AACzE,EAAA,OAAO,MAAA;AACT;;;ACZO,SAAS,aAAA,GAAyB;AACvC,EAAA,IAAI,OAAO,SAAA,KAAc,WAAA,EAAa,OAAO,KAAA;AAC7C,EAAA,OAAQ,UAA6D,oBAAA,KAAyB,IAAA;AAChG;;;ACGO,IAAM,OAAA,GAAwB;AAAA,EACnC,EAAA,EAAI,SAAA;AAAA,EACJ,IAAA,EAAM,kCAAA;AAAA,EACN,aAAa,EAAC;AAAA,EACd,WAAA,EAAa,SAAA;AAAA,EACb,EAAA,EAAI;AAAA,IACF,wBAAA,EAA0B,IAAA;AAAA,IAC1B,eAAA,EAAiB,IAAA;AAAA,IACjB,QAAA,EAAU;AAAA,GACZ;AAAA,EACA,SAAA,EAAW;AAAA,IACT,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA;AAAA,IAEA,IAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA;AAEJ,CAAA;;;AC9CA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,WAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,aAAA;AAAA,EACA,OAAA;AAAA,EACA,oBAAA;AAAA,EACA;AACF,CAAA;AAMA,IAAM,6BAAA,GAAgC;AAAA;AAAA,EAEpC,YAAA;AAAA,EACA,kBAAA;AAAA,EACA,KAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,cAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,mBAAA;AAAA,EACA,WAAA;AAAA,EACA,WAAA;AAAA;AAAA,EAEA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA;AAAA,EAEA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAiBO,IAAM,OAAA,GAAwB;AAAA,EACnC,EAAA,EAAI,SAAA;AAAA,EACJ,IAAA,EAAM,iDAAA;AAAA,EACN,WAAA,EAAa;AAAA,IACX,GAAG,MAAA,CAAO,WAAA,CAAY,wBAAA,CAAyB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,EAAG,QAAiB,CAAC,CAAC,CAAA;AAAA,IACjF,GAAG,MAAA,CAAO,WAAA,CAAY,6BAAA,CAA8B,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,EAAG,SAAkB,CAAC,CAAC;AAAA,GACzF;AAAA,EACA,WAAA,EAAa,SAAA;AAAA,EACb,EAAA,EAAI;AAAA,IACF,wBAAA,EAA0B,IAAA;AAAA,IAC1B,eAAA,EAAiB,IAAA;AAAA,IACjB,QAAA,EAAU;AAAA,GACZ;AAAA,EACA,SAAA,EAAW,CAAC,IAAI;AAClB,CAAA;;;AChFO,IAAM,aAAA,GAAgB;AAAA,EAC3B,OAAA;AAAA,EACA;AACF;AAQO,SAAS,4BAAA,CACd,OAAA,EACA,QAAA,GAAgC,OAAA,EACX;AACrB,EAAA,IAAI,CAAC,SAAS,OAAO,QAAA;AACrB,EAAA,MAAM,KAAA,GAAQ,QAAQ,WAAA,EAAY;AAClC,EAAA,KAAA,MAAW,CAAA,IAAK,MAAA,CAAO,MAAA,CAAO,aAAa,CAAA,EAAG;AAC5C,IAAA,IAAI,CAAA,CAAE,SAAA,EAAW,QAAA,CAAS,KAAK,GAAG,OAAO,CAAA;AAAA,EAC3C;AACA,EAAA,OAAO,QAAA;AACT;;;ACrBO,SAAS,iBAAA,CACd,QACA,YAAA,EACoB;AACpB,EAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,MAAA,CAAO,UAAU,CAAA,CAAE,IAAI,CAAC,CAAC,EAAA,EAAI,GAAG,CAAA,KAAM;AAC1D,IAAA,MAAM,QAAA,GAAW,IAAI,QAAA,KAAa,IAAA;AAClC,IAAA,MAAM,WAAW,GAAA,CAAI,IAAA;AACrB,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,IAAW,EAAC;AAEhC,IAAA,IAAI,IAAA;AACJ,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,IAAA,GAAO,QAAA;AAAA,IACT,WAAW,QAAA,EAAU;AACnB,MAAA,IAAA,GAAO,QAAA;AAAA,IACT,CAAA,MAAA,IAAW,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG;AAC/B,MAAA,IAAA,GAAO,YAAA,CAAa,WAAA;AAAA,IACtB,CAAA,MAAO;AACL,MAAA,IAAA,GAAO,eAAA;AAAA,QACL,OAAA,CAAQ,IAAI,CAAC,CAAA,KAAM,aAAa,WAAA,CAAY,CAAC,CAAA,IAAK,YAAA,CAAa,WAAW;AAAA,OAC5E;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,EAAA;AAAA,MACA,QAAA;AAAA,MACA,IAAA;AAAA,MACA,OAAA,EAAS,QAAA,GAAW,IAAA,GAAQ,GAAA,CAAI,OAAA,IAAW,KAAA;AAAA,MAC3C,OAAA;AAAA,MACA,aAAa,GAAA,CAAI;AAAA,KACnB;AAAA,EACF,CAAC,CAAA;AACH;AAEA,IAAM,QAAqC,EAAE,MAAA,EAAQ,GAAG,MAAA,EAAQ,CAAA,EAAG,SAAS,CAAA,EAAE;AAE9E,SAAS,gBAAgB,KAAA,EAAmC;AAC1D,EAAA,IAAI,MAAA,GAAsB,QAAA;AAC1B,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,IAAI,MAAM,CAAC,CAAA,GAAI,KAAA,CAAM,MAAM,GAAG,MAAA,GAAS,CAAA;AAAA,EACzC;AACA,EAAA,OAAO,MAAA;AACT;;;AClDA,IAAM,mBAAA,GAAsB,cAAA;AAC5B,IAAM,oBAAA,GAAuB,GAAA;AAMtB,SAAS,WAAA,CAAY,OAAA,GAA0B,EAAC,EAAyB;AAC9E,EAAA,IAAI,OAAO,QAAA,KAAa,WAAA,EAAa,OAAO,IAAA;AAC5C,EAAA,OAAO,sBAAA,CAAuB,QAAA,CAAS,MAAA,EAAQ,OAAO,CAAA;AACxD;AAOO,SAAS,sBAAA,CACd,YAAA,EACA,OAAA,GAA0B,EAAC,EACL;AACtB,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,IAAA,GAAO,QAAQ,UAAA,IAAc,mBAAA;AACnC,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,QAAA,EAAW,IAAI,UAAU,CAAC,CAAA;AACtE,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,IAAI;AACF,IAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAM,mBAAmB,KAAA,CAAM,CAAC,CAAE,CAAC,CAAA;AACvD,IAAA,IAAI,eAAA,CAAgB,MAAM,CAAA,EAAG,OAAO,MAAA;AACpC,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,YAAA,CAAa,KAAA,EAAsB,OAAA,GAA0B,EAAC,EAAS;AACrF,EAAA,IAAI,OAAO,aAAa,WAAA,EAAa;AACrC,EAAA,MAAM,IAAA,GAAO,QAAQ,UAAA,IAAc,mBAAA;AACnC,EAAA,MAAM,MAAA,GAAA,CAAU,OAAA,CAAQ,UAAA,IAAc,oBAAA,IAAwB,KAAA;AAC9D,EAAA,MAAM,SAAS,OAAA,CAAQ,MAAA,GAAS,CAAA,SAAA,EAAY,OAAA,CAAQ,MAAM,CAAA,CAAA,GAAK,EAAA;AAC/D,EAAA,MAAM,SAAS,OAAO,QAAA,KAAa,eAAe,QAAA,CAAS,QAAA,KAAa,WAAW,UAAA,GAAa,EAAA;AAChG,EAAA,MAAM,OAAA,GAAU,kBAAA,CAAmB,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACxD,EAAA,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,OAAO,qBAAqB,MAAM,CAAA,cAAA,EAAiB,MAAM,CAAA,EAAG,MAAM,CAAA,CAAA;AACjG;AAGO,SAAS,YAAA,CAAa,OAAA,GAA0B,EAAC,EAAS;AAC/D,EAAA,IAAI,OAAO,aAAa,WAAA,EAAa;AACrC,EAAA,MAAM,IAAA,GAAO,QAAQ,UAAA,IAAc,mBAAA;AACnC,EAAA,MAAM,SAAS,OAAA,CAAQ,MAAA,GAAS,CAAA,SAAA,EAAY,OAAA,CAAQ,MAAM,CAAA,CAAA,GAAK,EAAA;AAC/D,EAAA,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG,IAAI,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAA;AACxD;AAEA,SAAS,gBAAgB,KAAA,EAAwC;AAC/D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,MAAM,OAAO,KAAA;AACxD,EAAA,MAAM,CAAA,GAAI,KAAA;AACV,EAAA,OACE,CAAA,CAAE,MAAM,CAAA,IACR,OAAO,EAAE,CAAA,KAAM,QAAA,IACf,EAAE,CAAA,KAAM,IAAA,IACR,OAAO,CAAA,CAAE,EAAA,KAAO,YAChB,OAAO,CAAA,CAAE,OAAO,QAAA,IAChB,OAAO,EAAE,CAAA,KAAM,QAAA;AAEnB;;;AC1BO,IAAM,eAAN,MAAmB;AAAA,EAChB,KAAA;AAAA,EACS,SAAA,uBAAgB,GAAA,EAAc;AAAA,EAC9B,MAAA;AAAA,EACA,OAAA;AAAA,EAEjB,WAAA,CAAY,QAAuB,OAAA,EAAuB;AACxD,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,MAAM,QAAA,GAAW,iBAAA,CAAkB,MAAA,EAAQ,OAAA,CAAQ,YAAY,CAAA;AAC/D,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ,KAAA;AAAA,MACR,SAAA,EAAW,iBAAiB,QAAQ,CAAA;AAAA,MACpC,QAAA;AAAA,MACA,QAAA,EAAU;AAAA,KACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAgB;AACd,IAAA,MAAM,MAAA,GAAS,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AAC/C,IAAA,IAAA,CAAK,eAAe,MAAM,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,YAAA,EAAwC;AACxD,IAAA,MAAM,MAAA,GAAS,sBAAA,CAAuB,YAAA,EAAc,IAAA,CAAK,QAAQ,OAAO,CAAA;AACxE,IAAA,IAAA,CAAK,eAAe,MAAM,CAAA;AAAA,EAC5B;AAAA,EAEQ,eAAe,MAAA,EAAoC;AACzD,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,QACX,GAAG,IAAA,CAAK,KAAA;AAAA,QACR,KAAA,EAAO,IAAA;AAAA,QACP,MAAA,EAAQ,YAAA,CAAa,MAAA,EAAQ,IAAA,CAAK,MAAM,CAAA;AAAA,QACxC,WAAW,cAAA,CAAe,IAAA,CAAK,KAAA,CAAM,QAAA,EAAU,OAAO,CAAC,CAAA;AAAA,QACvD,UAAU,MAAA,CAAO;AAAA,OACnB;AAAA,IACF,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,QACX,GAAG,IAAA,CAAK,KAAA;AAAA,QACR,KAAA,EAAO,IAAA;AAAA,QACP,MAAA,EAAQ,gBAAA,CAAiB,IAAA,CAAK,KAAA,CAAM,QAAQ;AAAA,OAC9C;AAAA,IACF;AACA,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA,EAEA,QAAA,GAAyB;AACvB,IAAA,OAAO,IAAA,CAAK,KAAA;AAAA,EACd;AAAA,EAEA,UAAU,EAAA,EAA0B;AAClC,IAAA,IAAA,CAAK,SAAA,CAAU,IAAI,EAAE,CAAA;AACrB,IAAA,OAAO,MAAM;AACX,MAAA,IAAA,CAAK,SAAA,CAAU,OAAO,EAAE,CAAA;AAAA,IAC1B,CAAA;AAAA,EACF;AAAA,EAEA,MAAM,EAAA,EAAkB;AACtB,IAAA,IAAA,CAAK,OAAO,EAAE,CAAC,EAAE,GAAG,MAAM,CAAA;AAAA,EAC5B;AAAA,EAEA,KAAK,EAAA,EAAkB;AACrB,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,EAAE,CAAA,EAAG;AACzB,IAAA,IAAA,CAAK,OAAO,EAAE,CAAC,EAAE,GAAG,OAAO,CAAA;AAAA,EAC7B;AAAA,EAEA,QAAA,GAAiB;AACf,IAAA,MAAM,OAAgC,EAAC;AACvC,IAAA,KAAA,MAAW,KAAK,IAAA,CAAK,KAAA,CAAM,UAAU,IAAA,CAAK,CAAA,CAAE,EAAE,CAAA,GAAI,IAAA;AAClD,IAAA,IAAA,CAAK,MAAA,CAAO,IAAA,EAAM,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,EACnC;AAAA,EAEA,OAAA,GAAgB;AACd,IAAA,MAAM,OAAgC,EAAC;AACvC,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,KAAA,CAAM,QAAA,OAAe,CAAA,CAAE,EAAE,IAAI,CAAA,CAAE,QAAA;AACpD,IAAA,IAAA,CAAK,MAAA,CAAO,IAAA,EAAM,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,EACnC;AAAA;AAAA,EAGA,IAAA,GAAa;AACX,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,MAAM,SAAS,CAAA;AAC5C,IAAA,IAAA,CAAK,KAAA,GAAQ,EAAE,GAAG,IAAA,CAAK,OAAO,MAAA,EAAQ,KAAA,EAAO,UAAU,EAAA,EAAG;AAC1D,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA,EAEA,IAAA,GAAa;AACX,IAAA,IAAI,IAAA,CAAK,MAAM,MAAA,EAAQ;AACvB,IAAA,IAAA,CAAK,QAAQ,EAAE,GAAG,IAAA,CAAK,KAAA,EAAO,QAAQ,IAAA,EAAK;AAC3C,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA,EAEA,KAAA,GAAc;AACZ,IAAA,IAAI,CAAC,IAAA,CAAK,KAAA,CAAM,MAAA,EAAQ;AACxB,IAAA,IAAA,CAAK,QAAQ,EAAE,GAAG,IAAA,CAAK,KAAA,EAAO,QAAQ,KAAA,EAAM;AAC5C,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA;AAAA,EAGA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,GAAG,IAAA,CAAK,KAAA;AAAA,MACR,SAAA,EAAW,gBAAA,CAAiB,IAAA,CAAK,KAAA,CAAM,QAAQ,CAAA;AAAA,MAC/C,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU;AAAA,KACZ;AACA,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA,EAEA,WAAW,EAAA,EAAqB;AAC9B,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,QAAA,CAAS,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,EAAA,KAAO,EAAE,CAAA,EAAG,QAAA,KAAa,IAAA;AAAA,EACpE;AAAA,EAEQ,MAAA,CAAO,OAAA,EAAkC,IAAA,GAA4B,EAAC,EAAS;AACrF,IAAA,MAAM,OAAO,EAAE,GAAG,KAAK,KAAA,CAAM,SAAA,EAAW,GAAG,OAAA,EAAQ;AACnD,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,OAAA,CAAQ,IAAI,CAAA;AAC5B,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,GAAG,IAAA,CAAK,KAAA;AAAA,MACR,SAAA,EAAW,IAAA;AAAA,MACX,MAAA,EAAQ,IAAA,CAAK,KAAA,GAAQ,KAAA,GAAQ,KAAK,KAAA,CAAM,MAAA;AAAA,MACxC,QAAA,EAAU;AAAA,KACZ;AACA,IAAA,IAAA,CAAK,IAAA,EAAK;AAAA,EACZ;AAAA,EAEQ,QAAQ,SAAA,EAA4C;AAC1D,IAAA,MAAM,EAAA,GAAK,KAAK,GAAA,EAAI;AACpB,IAAA,MAAM,MAAA,GAAwB;AAAA,MAC5B,CAAA,EAAG,CAAA;AAAA,MACH,CAAA,EAAG,SAAA;AAAA,MACH,EAAA,EAAI,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,OAAA,IAAW,GAAA;AAAA,MACnC,EAAA;AAAA,MACA,CAAA,EAAG,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa;AAAA,KAC/B;AACA,IAAA,YAAA,CAAa,MAAA,EAAQ,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AACzC,IAAA,OAAO,EAAA;AAAA,EACT;AAAA,EAEQ,IAAA,GAAa;AACnB,IAAA,IAAI,IAAA,CAAK,OAAA,CAAQ,YAAA,KAAiB,KAAA,EAAO;AACvC,MAAA,IAAA,CAAK,OAAA,CAAQ,OAAA,GAAU,IAAA,CAAK,KAAK,CAAA;AAAA,IACnC;AACA,IAAA,KAAA,MAAW,EAAA,IAAM,IAAA,CAAK,SAAA,EAAW,EAAA,CAAG,KAAK,KAAK,CAAA;AAAA,EAChD;AACF;AAEA,SAAS,iBAAiB,QAAA,EAAuD;AAC/E,EAAA,MAAM,MAA+B,EAAC;AACtC,EAAA,KAAA,MAAW,CAAA,IAAK,UAAU,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA,CAAE,QAAA,GAAW,IAAA,GAAO,CAAA,CAAE,OAAA;AAC5D,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,cAAA,CACP,UACA,MAAA,EACyB;AACzB,EAAA,MAAM,MAA+B,EAAC;AACtC,EAAA,KAAA,MAAW,KAAK,QAAA,EAAU;AACxB,IAAA,IAAI,EAAE,QAAA,EAAU;AACd,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,IAAA;AAAA,IACd,CAAA,MAAA,IAAW,MAAA,CAAO,CAAA,CAAE,EAAE,MAAM,MAAA,EAAW;AACrC,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,MAAA,CAAO,EAAE,EAAE,CAAA;AAAA,IACzB,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,CAAA,CAAE,EAAE,CAAA,GAAI,CAAA,CAAE,OAAA;AAAA,IAChB;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,YAAA,CAAa,QAAuB,MAAA,EAAgC;AAC3E,EAAA,MAAM,QAAA,GAAW,OAAO,MAAA,EAAQ,OAAA;AAChC,EAAA,IAAI,CAAC,UAAU,OAAO,KAAA;AACtB,EAAA,OAAO,OAAO,EAAA,KAAO,QAAA;AACvB;AAEA,SAAS,iBAAiB,QAAA,EAAuC;AAC/D,EAAA,OAAO,QAAA,CAAS,KAAK,CAAC,CAAA,KAAM,EAAE,IAAA,KAAS,SAAA,IAAa,CAAC,CAAA,CAAE,QAAQ,CAAA;AACjE","file":"index.js","sourcesContent":["import type { ConsentState } from './store.js'\n\n/**\n * Element attribute used by Tickbox-aware scripts to declare their category.\n *\n * @example\n * ```html\n * <script type=\"text/plain\" data-tb-category=\"analytics\" src=\"plausible.js\"></script>\n * ```\n *\n * On grant, the SDK rewrites `type` to `text/javascript` so the browser executes the script.\n * On deny, the script is left as `text/plain` (browser ignores it).\n */\nexport const TAG_ATTRIBUTE = 'data-tb-category'\n\n/**\n * Apply a consent state to the document by:\n *  1. Activating any `<script type=\"text/plain\" data-tb-category=\"X\">` whose category was granted\n *  2. Calling `gtag('consent', 'update', ...)` if `gtag` is on the global scope\n *  3. Dispatching a `tickbox:consent-changed` CustomEvent for any custom integrations\n *\n * No-op on the server.\n */\nexport function applyConsent(state: ConsentState): void {\n  if (typeof document === 'undefined') return\n  activateScripts(state.decisions)\n  updateConsentMode(state.decisions)\n  dispatchEvent(state)\n}\n\nfunction activateScripts(decisions: Record<string, boolean>): void {\n  const blocked = document.querySelectorAll(`script[type=\"text/plain\"][${TAG_ATTRIBUTE}]`)\n  for (const node of Array.from(blocked)) {\n    const category = node.getAttribute(TAG_ATTRIBUTE)\n    if (!category || !decisions[category]) continue\n    const replacement = document.createElement('script')\n    for (const attr of Array.from(node.attributes)) {\n      if (attr.name === 'type') continue\n      replacement.setAttribute(attr.name, attr.value)\n    }\n    replacement.text = node.textContent ?? ''\n    node.parentNode?.replaceChild(replacement, node)\n  }\n}\n\ntype Gtag = (cmd: 'consent', action: 'update', params: Record<string, 'granted' | 'denied'>) => void\n\nfunction updateConsentMode(decisions: Record<string, boolean>): void {\n  const win = globalThis as unknown as { gtag?: Gtag }\n  if (typeof win.gtag !== 'function') return\n  win.gtag('consent', 'update', {\n    ad_storage: gv(decisions, 'marketing'),\n    ad_user_data: gv(decisions, 'marketing'),\n    ad_personalization: gv(decisions, 'marketing'),\n    analytics_storage: gv(decisions, 'analytics'),\n    functionality_storage: gv(decisions, 'functional', true),\n    personalization_storage: gv(decisions, 'preferences', true),\n    security_storage: 'granted',\n  })\n}\n\nfunction gv(\n  decisions: Record<string, boolean>,\n  id: string,\n  defaultGranted = false,\n): 'granted' | 'denied' {\n  const value = decisions[id]\n  if (value === undefined) return defaultGranted ? 'granted' : 'denied'\n  return value ? 'granted' : 'denied'\n}\n\nfunction dispatchEvent(state: ConsentState): void {\n  document.dispatchEvent(\n    new CustomEvent('tickbox:consent-changed', {\n      detail: { decisions: state.decisions, ts: state.storedAt },\n    }),\n  )\n}\n","import type { ConsentConfig } from './types.js'\n\n/**\n * Identity helper that narrows the type of a consent config so users get\n * full autocomplete + type-checking in their `consent.config.ts`.\n *\n * @example\n * ```ts\n * import { defineConsent, jurisdictions } from '@tickboxhq/core'\n *\n * export default defineConsent({\n *   jurisdiction: jurisdictions.UK_DUAA,\n *   categories: {\n *     necessary: { required: true },\n *     analytics: { vendors: ['plausible'] },\n *   },\n * })\n * ```\n */\nexport function defineConsent<const T extends ConsentConfig>(config: T): T {\n  return config\n}\n","/**\n * Detect a Global Privacy Control signal from the visitor's browser.\n *\n * GPC is exposed as `navigator.globalPrivacyControl` (boolean) and the\n * `Sec-GPC: 1` HTTP header. The header is server-side only; this helper\n * covers the client-side property.\n *\n * @see https://globalprivacycontrol.org/\n */\nexport function isGPCSignaled(): boolean {\n  if (typeof navigator === 'undefined') return false\n  return (navigator as Navigator & { globalPrivacyControl?: boolean }).globalPrivacyControl === true\n}\n","import type { Jurisdiction } from '../types.js'\n\n/**\n * European Union — GDPR + ePrivacy Directive (\"Cookie Law\").\n *\n * EU rules don't have the DUAA \"statistical exemption\" — analytics that\n * involve client-side storage on a user's device generally require opt-in\n * consent, even for first-party privacy-friendly tools (positions vary by\n * DPA; CNIL has been more permissive than others). This preset takes the\n * conservative position: treat all tracking categories as consent-required.\n *\n * UI requirements (EDPB / national DPAs):\n *  - \"Reject All\" on first banner layer with equal prominence\n *  - GPC: not yet mandatory but increasingly recognised\n */\nexport const EU_GDPR: Jurisdiction = {\n  id: 'EU_GDPR',\n  name: 'European Union (GDPR / ePrivacy)',\n  vendorRules: {},\n  defaultMode: 'consent',\n  ui: {\n    rejectButtonOnFirstLayer: true,\n    equalProminence: true,\n    honorGPC: false,\n  },\n  countries: [\n    'AT',\n    'BE',\n    'BG',\n    'HR',\n    'CY',\n    'CZ',\n    'DK',\n    'EE',\n    'FI',\n    'FR',\n    'DE',\n    'GR',\n    'HU',\n    'IE',\n    'IT',\n    'LV',\n    'LT',\n    'LU',\n    'MT',\n    'NL',\n    'PL',\n    'PT',\n    'RO',\n    'SK',\n    'SI',\n    'ES',\n    'SE',\n    // EEA additions\n    'IS',\n    'LI',\n    'NO',\n  ],\n}\n","import type { Jurisdiction } from '../types.js'\n\n/**\n * Vendors classified as eligible for the DUAA \"statistical purposes\" exemption:\n * privacy-first analytics with aggregated, non-identifying data and no ad features.\n *\n * These do **not** require consent under the UK Data (Use and Access) Act 2025\n * but still require clear notice and an easy way to object.\n *\n * Treat the list as a starting position; specific deployments may still need\n * consent depending on configuration (e.g. session replay, cross-domain tracking).\n */\nconst DUAA_STATISTICAL_VENDORS = [\n  'plausible',\n  'fathom',\n  'simpleanalytics',\n  'pirsch',\n  'goatcounter',\n  'umami',\n  'tinybird-analytics',\n  'cloudflare-web-analytics',\n] as const\n\n/**\n * Vendors that require full opt-in consent under DUAA — anything that touches\n * advertising, individual-level tracking, session replay, or cross-site profiles.\n */\nconst DUAA_CONSENT_REQUIRED_VENDORS = [\n  // Advertising\n  'google-ads',\n  'google-analytics',\n  'ga4',\n  'meta-pixel',\n  'facebook-pixel',\n  'tiktok-pixel',\n  'linkedin-insight',\n  'twitter-pixel',\n  'pinterest-tag',\n  'reddit-pixel',\n  // Session replay / individual tracking\n  'hotjar',\n  'fullstory',\n  'microsoft-clarity',\n  'mouseflow',\n  'logrocket',\n  // CDPs / marketing automation\n  'segment',\n  'rudderstack',\n  'hubspot',\n  'mixpanel',\n  'amplitude',\n  // AI training crawlers (always require explicit opt-in/out)\n  'gptbot',\n  'claudebot',\n  'anthropic-ai',\n  'google-extended',\n  'perplexitybot',\n  'ccbot',\n  'bytespider',\n  'applebot-extended',\n] as const\n\n/**\n * United Kingdom — Data (Use and Access) Act 2025 (DUAA).\n *\n * In force from 5 February 2026. Amends PECR to introduce new exemptions for\n * cookies/storage used solely for statistical, security, authentication, and\n * appearance purposes. Advertising and individual-level tracking still require\n * full opt-in consent.\n *\n * UI requirements (ICO):\n *  - \"Reject All\" must be on the first banner layer\n *  - \"Accept All\" and \"Reject All\" must have equal visual prominence\n *  - GPC is not (yet) mandatory in UK guidance; default off.\n *\n * @see https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/\n */\nexport const UK_DUAA: Jurisdiction = {\n  id: 'UK_DUAA',\n  name: 'United Kingdom (Data (Use and Access) Act 2025)',\n  vendorRules: {\n    ...Object.fromEntries(DUAA_STATISTICAL_VENDORS.map((v) => [v, 'notice' as const])),\n    ...Object.fromEntries(DUAA_CONSENT_REQUIRED_VENDORS.map((v) => [v, 'consent' as const])),\n  },\n  defaultMode: 'consent',\n  ui: {\n    rejectButtonOnFirstLayer: true,\n    equalProminence: true,\n    honorGPC: false,\n  },\n  countries: ['GB'],\n}\n","import type { Jurisdiction } from '../types.js'\nimport { EU_GDPR } from './eu-gdpr.js'\nimport { UK_DUAA } from './uk-duaa.js'\n\nexport { UK_DUAA } from './uk-duaa.js'\nexport { EU_GDPR } from './eu-gdpr.js'\n\n/**\n * Map of all built-in jurisdiction presets, keyed by their ID for ergonomic\n * lookup: `jurisdictions.UK_DUAA`.\n */\nexport const jurisdictions = {\n  UK_DUAA,\n  EU_GDPR,\n} as const\n\n/**\n * Resolve a jurisdiction from an ISO 3166-1 alpha-2 country code (e.g. 'GB').\n * Falls back to `EU_GDPR` for any country not explicitly mapped — the safer\n * default for an unknown EEA visitor. Returns `null` when the code is unknown\n * and no fallback is requested.\n */\nexport function resolveJurisdictionByCountry(\n  country: string | undefined,\n  fallback: Jurisdiction | null = EU_GDPR,\n): Jurisdiction | null {\n  if (!country) return fallback\n  const upper = country.toUpperCase()\n  for (const j of Object.values(jurisdictions)) {\n    if (j.countries?.includes(upper)) return j\n  }\n  return fallback\n}\n","import type { ConsentConfig, ConsentMode, Jurisdiction, ResolvedCategory } from './types.js'\n\n/**\n * Resolve each declared category against the active jurisdiction's vendor rules.\n *\n * For each category, the most-restrictive vendor mode wins:\n *   `consent` > `notice` > `always`\n *\n * Categories with no vendors fall back to the jurisdiction's default mode,\n * unless `required: true` (always allowed) or an explicit `mode` override is set.\n */\nexport function resolveCategories(\n  config: ConsentConfig,\n  jurisdiction: Jurisdiction,\n): ResolvedCategory[] {\n  return Object.entries(config.categories).map(([id, def]) => {\n    const required = def.required === true\n    const explicit = def.mode\n    const vendors = def.vendors ?? []\n\n    let mode: ConsentMode\n    if (required) {\n      mode = 'always'\n    } else if (explicit) {\n      mode = explicit\n    } else if (vendors.length === 0) {\n      mode = jurisdiction.defaultMode\n    } else {\n      mode = mostRestrictive(\n        vendors.map((v) => jurisdiction.vendorRules[v] ?? jurisdiction.defaultMode),\n      )\n    }\n\n    return {\n      id,\n      required,\n      mode,\n      default: required ? true : (def.default ?? false),\n      vendors,\n      description: def.description,\n    }\n  })\n}\n\nconst ORDER: Record<ConsentMode, number> = { always: 0, notice: 1, consent: 2 }\n\nfunction mostRestrictive(modes: ConsentMode[]): ConsentMode {\n  let winner: ConsentMode = 'always'\n  for (const m of modes) {\n    if (ORDER[m] > ORDER[winner]) winner = m\n  }\n  return winner\n}\n","import type { StorageOptions, StoredConsent } from './types.js'\n\nconst DEFAULT_COOKIE_NAME = '__tb_consent'\nconst DEFAULT_MAX_AGE_DAYS = 365\n\n/**\n * Read the stored consent record from `document.cookie`.\n * Returns `null` on the server, when no cookie is set, or when the cookie is malformed.\n */\nexport function readConsent(options: StorageOptions = {}): StoredConsent | null {\n  if (typeof document === 'undefined') return null\n  return parseConsentFromHeader(document.cookie, options)\n}\n\n/**\n * Parse a stored consent record from a raw `Cookie` header string.\n * Useful on the server: pass the request's `cookie` header.\n * Returns `null` when the cookie isn't present or is malformed.\n */\nexport function parseConsentFromHeader(\n  cookieHeader: string | undefined,\n  options: StorageOptions = {},\n): StoredConsent | null {\n  if (!cookieHeader) return null\n  const name = options.cookieName ?? DEFAULT_COOKIE_NAME\n  const match = cookieHeader.match(new RegExp(`(?:^|; )${name}=([^;]+)`))\n  if (!match) return null\n  try {\n    const parsed = JSON.parse(decodeURIComponent(match[1]!)) as unknown\n    if (isStoredConsent(parsed)) return parsed\n    return null\n  } catch {\n    return null\n  }\n}\n\n/**\n * Persist a consent record to `document.cookie`.\n * No-op on the server.\n */\nexport function writeConsent(value: StoredConsent, options: StorageOptions = {}): void {\n  if (typeof document === 'undefined') return\n  const name = options.cookieName ?? DEFAULT_COOKIE_NAME\n  const maxAge = (options.maxAgeDays ?? DEFAULT_MAX_AGE_DAYS) * 86_400\n  const domain = options.domain ? `; Domain=${options.domain}` : ''\n  const secure = typeof location !== 'undefined' && location.protocol === 'https:' ? '; Secure' : ''\n  const encoded = encodeURIComponent(JSON.stringify(value))\n  document.cookie = `${name}=${encoded}; Path=/; Max-Age=${maxAge}; SameSite=Lax${secure}${domain}`\n}\n\n/** Clear the stored consent cookie. */\nexport function clearConsent(options: StorageOptions = {}): void {\n  if (typeof document === 'undefined') return\n  const name = options.cookieName ?? DEFAULT_COOKIE_NAME\n  const domain = options.domain ? `; Domain=${options.domain}` : ''\n  document.cookie = `${name}=; Path=/; Max-Age=0${domain}`\n}\n\nfunction isStoredConsent(value: unknown): value is StoredConsent {\n  if (typeof value !== 'object' || value === null) return false\n  const v = value as Record<string, unknown>\n  return (\n    v.v === 1 &&\n    typeof v.c === 'object' &&\n    v.c !== null &&\n    typeof v.pv === 'string' &&\n    typeof v.ts === 'number' &&\n    typeof v.j === 'string'\n  )\n}\n","import { resolveCategories } from './resolve.js'\nimport { parseConsentFromHeader, readConsent, writeConsent } from './storage.js'\nimport type {\n  ConsentConfig,\n  Jurisdiction,\n  ResolvedCategory,\n  StorageOptions,\n  StoredConsent,\n} from './types.js'\n\nexport type ConsentState = {\n  /** True after the store has hydrated from the cookie (client-only). */\n  ready: boolean\n  /** True when the banner / preference centre should be visible. */\n  isOpen: boolean\n  /** Map of category ID → granted (true) / denied (false). */\n  decisions: Record<string, boolean>\n  /** Resolved categories for the active jurisdiction. */\n  resolved: ResolvedCategory[]\n  /** Timestamp of the most-recent stored decision, if any. */\n  storedAt: number | null\n}\n\ntype Listener = (state: ConsentState) => void\n\nexport type StoreOptions = {\n  /** Storage options forwarded to the cookie reader/writer. */\n  storage?: StorageOptions\n  /** When `true`, side-effects like script rewriting fire on state changes. Defaults to true. */\n  applyEffects?: boolean\n  /** Custom side-effect handler. Receives `(state, resolved)` whenever decisions change. */\n  onApply?: (state: ConsentState) => void\n  /** Active jurisdiction. Required — pass `config.jurisdiction` after resolving 'auto'. */\n  jurisdiction: Jurisdiction\n}\n\n/**\n * Framework-agnostic consent state machine.\n *\n * The store hydrates from the cookie on first read, keeps decisions in memory,\n * and broadcasts changes to subscribers. Adapters (`@tickboxhq/react`,\n * `@tickboxhq/vue`) bind to it via their idiomatic reactivity primitive.\n */\nexport class ConsentStore {\n  private state: ConsentState\n  private readonly listeners = new Set<Listener>()\n  private readonly config: ConsentConfig\n  private readonly options: StoreOptions\n\n  constructor(config: ConsentConfig, options: StoreOptions) {\n    this.config = config\n    this.options = options\n    const resolved = resolveCategories(config, options.jurisdiction)\n    this.state = {\n      ready: false,\n      isOpen: false,\n      decisions: defaultDecisions(resolved),\n      resolved,\n      storedAt: null,\n    }\n  }\n\n  /**\n   * Read the stored cookie and update state. Safe to call on the server\n   * (no-op when `document` is unavailable). Call from a mount effect.\n   */\n  hydrate(): void {\n    const stored = readConsent(this.options.storage)\n    this.applyHydration(stored)\n  }\n\n  /**\n   * Hydrate from a raw Cookie header — for server-side rendering.\n   * Pass the value of the request's `cookie` header (or `undefined` if absent).\n   */\n  hydrateFromHeader(cookieHeader: string | undefined): void {\n    const stored = parseConsentFromHeader(cookieHeader, this.options.storage)\n    this.applyHydration(stored)\n  }\n\n  private applyHydration(stored: StoredConsent | null): void {\n    if (stored) {\n      this.state = {\n        ...this.state,\n        ready: true,\n        isOpen: needsRefresh(stored, this.config),\n        decisions: mergeDecisions(this.state.resolved, stored.c),\n        storedAt: stored.ts,\n      }\n    } else {\n      this.state = {\n        ...this.state,\n        ready: true,\n        isOpen: shouldShowBanner(this.state.resolved),\n      }\n    }\n    this.emit()\n  }\n\n  getState(): ConsentState {\n    return this.state\n  }\n\n  subscribe(fn: Listener): () => void {\n    this.listeners.add(fn)\n    return () => {\n      this.listeners.delete(fn)\n    }\n  }\n\n  grant(id: string): void {\n    this.update({ [id]: true })\n  }\n\n  deny(id: string): void {\n    if (this.isRequired(id)) return\n    this.update({ [id]: false })\n  }\n\n  grantAll(): void {\n    const next: Record<string, boolean> = {}\n    for (const r of this.state.resolved) next[r.id] = true\n    this.update(next, { close: true })\n  }\n\n  denyAll(): void {\n    const next: Record<string, boolean> = {}\n    for (const r of this.state.resolved) next[r.id] = r.required\n    this.update(next, { close: true })\n  }\n\n  /** Persist the current decisions and close the banner. */\n  save(): void {\n    const ts = this.persist(this.state.decisions)\n    this.state = { ...this.state, isOpen: false, storedAt: ts }\n    this.emit()\n  }\n\n  open(): void {\n    if (this.state.isOpen) return\n    this.state = { ...this.state, isOpen: true }\n    this.emit()\n  }\n\n  close(): void {\n    if (!this.state.isOpen) return\n    this.state = { ...this.state, isOpen: false }\n    this.emit()\n  }\n\n  /** Wipe stored consent and reopen the banner. */\n  reset(): void {\n    this.state = {\n      ...this.state,\n      decisions: defaultDecisions(this.state.resolved),\n      isOpen: true,\n      storedAt: null,\n    }\n    this.emit()\n  }\n\n  isRequired(id: string): boolean {\n    return this.state.resolved.find((r) => r.id === id)?.required === true\n  }\n\n  private update(partial: Record<string, boolean>, opts: { close?: boolean } = {}): void {\n    const next = { ...this.state.decisions, ...partial }\n    const ts = this.persist(next)\n    this.state = {\n      ...this.state,\n      decisions: next,\n      isOpen: opts.close ? false : this.state.isOpen,\n      storedAt: ts,\n    }\n    this.emit()\n  }\n\n  private persist(decisions: Record<string, boolean>): number {\n    const ts = Date.now()\n    const stored: StoredConsent = {\n      v: 1,\n      c: decisions,\n      pv: this.config.policy?.version ?? '0',\n      ts,\n      j: this.options.jurisdiction.id,\n    }\n    writeConsent(stored, this.options.storage)\n    return ts\n  }\n\n  private emit(): void {\n    if (this.options.applyEffects !== false) {\n      this.options.onApply?.(this.state)\n    }\n    for (const fn of this.listeners) fn(this.state)\n  }\n}\n\nfunction defaultDecisions(resolved: ResolvedCategory[]): Record<string, boolean> {\n  const out: Record<string, boolean> = {}\n  for (const r of resolved) out[r.id] = r.required ? true : r.default\n  return out\n}\n\nfunction mergeDecisions(\n  resolved: ResolvedCategory[],\n  stored: Record<string, boolean>,\n): Record<string, boolean> {\n  const out: Record<string, boolean> = {}\n  for (const r of resolved) {\n    if (r.required) {\n      out[r.id] = true\n    } else if (stored[r.id] !== undefined) {\n      out[r.id] = stored[r.id]!\n    } else {\n      out[r.id] = r.default\n    }\n  }\n  return out\n}\n\nfunction needsRefresh(stored: StoredConsent, config: ConsentConfig): boolean {\n  const declared = config.policy?.version\n  if (!declared) return false\n  return stored.pv !== declared\n}\n\nfunction shouldShowBanner(resolved: ResolvedCategory[]): boolean {\n  return resolved.some((r) => r.mode === 'consent' && !r.required)\n}\n"]}

package/dist/jurisdictions/index.d.ts

@@ -0,0 +1 @@
+export { E as EU_GDPR, U as UK_DUAA, j as jurisdictions, r as resolveJurisdictionByCountry } from '../index-D_Xt5NFB.js';

package/dist/jurisdictions/index.js

@@ -0,0 +1,124 @@
+// src/jurisdictions/eu-gdpr.ts
+var EU_GDPR = {
+  id: "EU_GDPR",
+  name: "European Union (GDPR / ePrivacy)",
+  vendorRules: {},
+  defaultMode: "consent",
+  ui: {
+    rejectButtonOnFirstLayer: true,
+    equalProminence: true,
+    honorGPC: false
+  },
+  countries: [
+    "AT",
+    "BE",
+    "BG",
+    "HR",
+    "CY",
+    "CZ",
+    "DK",
+    "EE",
+    "FI",
+    "FR",
+    "DE",
+    "GR",
+    "HU",
+    "IE",
+    "IT",
+    "LV",
+    "LT",
+    "LU",
+    "MT",
+    "NL",
+    "PL",
+    "PT",
+    "RO",
+    "SK",
+    "SI",
+    "ES",
+    "SE",
+    // EEA additions
+    "IS",
+    "LI",
+    "NO"
+  ]
+};
+
+// src/jurisdictions/uk-duaa.ts
+var DUAA_STATISTICAL_VENDORS = [
+  "plausible",
+  "fathom",
+  "simpleanalytics",
+  "pirsch",
+  "goatcounter",
+  "umami",
+  "tinybird-analytics",
+  "cloudflare-web-analytics"
+];
+var DUAA_CONSENT_REQUIRED_VENDORS = [
+  // Advertising
+  "google-ads",
+  "google-analytics",
+  "ga4",
+  "meta-pixel",
+  "facebook-pixel",
+  "tiktok-pixel",
+  "linkedin-insight",
+  "twitter-pixel",
+  "pinterest-tag",
+  "reddit-pixel",
+  // Session replay / individual tracking
+  "hotjar",
+  "fullstory",
+  "microsoft-clarity",
+  "mouseflow",
+  "logrocket",
+  // CDPs / marketing automation
+  "segment",
+  "rudderstack",
+  "hubspot",
+  "mixpanel",
+  "amplitude",
+  // AI training crawlers (always require explicit opt-in/out)
+  "gptbot",
+  "claudebot",
+  "anthropic-ai",
+  "google-extended",
+  "perplexitybot",
+  "ccbot",
+  "bytespider",
+  "applebot-extended"
+];
+var UK_DUAA = {
+  id: "UK_DUAA",
+  name: "United Kingdom (Data (Use and Access) Act 2025)",
+  vendorRules: {
+    ...Object.fromEntries(DUAA_STATISTICAL_VENDORS.map((v) => [v, "notice"])),
+    ...Object.fromEntries(DUAA_CONSENT_REQUIRED_VENDORS.map((v) => [v, "consent"]))
+  },
+  defaultMode: "consent",
+  ui: {
+    rejectButtonOnFirstLayer: true,
+    equalProminence: true,
+    honorGPC: false
+  },
+  countries: ["GB"]
+};
+
+// src/jurisdictions/index.ts
+var jurisdictions = {
+  UK_DUAA,
+  EU_GDPR
+};
+function resolveJurisdictionByCountry(country, fallback = EU_GDPR) {
+  if (!country) return fallback;
+  const upper = country.toUpperCase();
+  for (const j of Object.values(jurisdictions)) {
+    if (j.countries?.includes(upper)) return j;
+  }
+  return fallback;
+}
+
+export { EU_GDPR, UK_DUAA, jurisdictions, resolveJurisdictionByCountry };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/jurisdictions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/jurisdictions/eu-gdpr.ts","../../src/jurisdictions/uk-duaa.ts","../../src/jurisdictions/index.ts"],"names":[],"mappings":";AAeO,IAAM,OAAA,GAAwB;AAAA,EACnC,EAAA,EAAI,SAAA;AAAA,EACJ,IAAA,EAAM,kCAAA;AAAA,EACN,aAAa,EAAC;AAAA,EACd,WAAA,EAAa,SAAA;AAAA,EACb,EAAA,EAAI;AAAA,IACF,wBAAA,EAA0B,IAAA;AAAA,IAC1B,eAAA,EAAiB,IAAA;AAAA,IACjB,QAAA,EAAU;AAAA,GACZ;AAAA,EACA,SAAA,EAAW;AAAA,IACT,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA,IACA,IAAA;AAAA;AAAA,IAEA,IAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA;AAEJ;;;AC9CA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,WAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,aAAA;AAAA,EACA,OAAA;AAAA,EACA,oBAAA;AAAA,EACA;AACF,CAAA;AAMA,IAAM,6BAAA,GAAgC;AAAA;AAAA,EAEpC,YAAA;AAAA,EACA,kBAAA;AAAA,EACA,KAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,cAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,mBAAA;AAAA,EACA,WAAA;AAAA,EACA,WAAA;AAAA;AAAA,EAEA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA;AAAA,EAEA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAiBO,IAAM,OAAA,GAAwB;AAAA,EACnC,EAAA,EAAI,SAAA;AAAA,EACJ,IAAA,EAAM,iDAAA;AAAA,EACN,WAAA,EAAa;AAAA,IACX,GAAG,MAAA,CAAO,WAAA,CAAY,wBAAA,CAAyB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,EAAG,QAAiB,CAAC,CAAC,CAAA;AAAA,IACjF,GAAG,MAAA,CAAO,WAAA,CAAY,6BAAA,CAA8B,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,EAAG,SAAkB,CAAC,CAAC;AAAA,GACzF;AAAA,EACA,WAAA,EAAa,SAAA;AAAA,EACb,EAAA,EAAI;AAAA,IACF,wBAAA,EAA0B,IAAA;AAAA,IAC1B,eAAA,EAAiB,IAAA;AAAA,IACjB,QAAA,EAAU;AAAA,GACZ;AAAA,EACA,SAAA,EAAW,CAAC,IAAI;AAClB;;;AChFO,IAAM,aAAA,GAAgB;AAAA,EAC3B,OAAA;AAAA,EACA;AACF;AAQO,SAAS,4BAAA,CACd,OAAA,EACA,QAAA,GAAgC,OAAA,EACX;AACrB,EAAA,IAAI,CAAC,SAAS,OAAO,QAAA;AACrB,EAAA,MAAM,KAAA,GAAQ,QAAQ,WAAA,EAAY;AAClC,EAAA,KAAA,MAAW,CAAA,IAAK,MAAA,CAAO,MAAA,CAAO,aAAa,CAAA,EAAG;AAC5C,IAAA,IAAI,CAAA,CAAE,SAAA,EAAW,QAAA,CAAS,KAAK,GAAG,OAAO,CAAA;AAAA,EAC3C;AACA,EAAA,OAAO,QAAA;AACT","file":"index.js","sourcesContent":["import type { Jurisdiction } from '../types.js'\n\n/**\n * European Union — GDPR + ePrivacy Directive (\"Cookie Law\").\n *\n * EU rules don't have the DUAA \"statistical exemption\" — analytics that\n * involve client-side storage on a user's device generally require opt-in\n * consent, even for first-party privacy-friendly tools (positions vary by\n * DPA; CNIL has been more permissive than others). This preset takes the\n * conservative position: treat all tracking categories as consent-required.\n *\n * UI requirements (EDPB / national DPAs):\n *  - \"Reject All\" on first banner layer with equal prominence\n *  - GPC: not yet mandatory but increasingly recognised\n */\nexport const EU_GDPR: Jurisdiction = {\n  id: 'EU_GDPR',\n  name: 'European Union (GDPR / ePrivacy)',\n  vendorRules: {},\n  defaultMode: 'consent',\n  ui: {\n    rejectButtonOnFirstLayer: true,\n    equalProminence: true,\n    honorGPC: false,\n  },\n  countries: [\n    'AT',\n    'BE',\n    'BG',\n    'HR',\n    'CY',\n    'CZ',\n    'DK',\n    'EE',\n    'FI',\n    'FR',\n    'DE',\n    'GR',\n    'HU',\n    'IE',\n    'IT',\n    'LV',\n    'LT',\n    'LU',\n    'MT',\n    'NL',\n    'PL',\n    'PT',\n    'RO',\n    'SK',\n    'SI',\n    'ES',\n    'SE',\n    // EEA additions\n    'IS',\n    'LI',\n    'NO',\n  ],\n}\n","import type { Jurisdiction } from '../types.js'\n\n/**\n * Vendors classified as eligible for the DUAA \"statistical purposes\" exemption:\n * privacy-first analytics with aggregated, non-identifying data and no ad features.\n *\n * These do **not** require consent under the UK Data (Use and Access) Act 2025\n * but still require clear notice and an easy way to object.\n *\n * Treat the list as a starting position; specific deployments may still need\n * consent depending on configuration (e.g. session replay, cross-domain tracking).\n */\nconst DUAA_STATISTICAL_VENDORS = [\n  'plausible',\n  'fathom',\n  'simpleanalytics',\n  'pirsch',\n  'goatcounter',\n  'umami',\n  'tinybird-analytics',\n  'cloudflare-web-analytics',\n] as const\n\n/**\n * Vendors that require full opt-in consent under DUAA — anything that touches\n * advertising, individual-level tracking, session replay, or cross-site profiles.\n */\nconst DUAA_CONSENT_REQUIRED_VENDORS = [\n  // Advertising\n  'google-ads',\n  'google-analytics',\n  'ga4',\n  'meta-pixel',\n  'facebook-pixel',\n  'tiktok-pixel',\n  'linkedin-insight',\n  'twitter-pixel',\n  'pinterest-tag',\n  'reddit-pixel',\n  // Session replay / individual tracking\n  'hotjar',\n  'fullstory',\n  'microsoft-clarity',\n  'mouseflow',\n  'logrocket',\n  // CDPs / marketing automation\n  'segment',\n  'rudderstack',\n  'hubspot',\n  'mixpanel',\n  'amplitude',\n  // AI training crawlers (always require explicit opt-in/out)\n  'gptbot',\n  'claudebot',\n  'anthropic-ai',\n  'google-extended',\n  'perplexitybot',\n  'ccbot',\n  'bytespider',\n  'applebot-extended',\n] as const\n\n/**\n * United Kingdom — Data (Use and Access) Act 2025 (DUAA).\n *\n * In force from 5 February 2026. Amends PECR to introduce new exemptions for\n * cookies/storage used solely for statistical, security, authentication, and\n * appearance purposes. Advertising and individual-level tracking still require\n * full opt-in consent.\n *\n * UI requirements (ICO):\n *  - \"Reject All\" must be on the first banner layer\n *  - \"Accept All\" and \"Reject All\" must have equal visual prominence\n *  - GPC is not (yet) mandatory in UK guidance; default off.\n *\n * @see https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/\n */\nexport const UK_DUAA: Jurisdiction = {\n  id: 'UK_DUAA',\n  name: 'United Kingdom (Data (Use and Access) Act 2025)',\n  vendorRules: {\n    ...Object.fromEntries(DUAA_STATISTICAL_VENDORS.map((v) => [v, 'notice' as const])),\n    ...Object.fromEntries(DUAA_CONSENT_REQUIRED_VENDORS.map((v) => [v, 'consent' as const])),\n  },\n  defaultMode: 'consent',\n  ui: {\n    rejectButtonOnFirstLayer: true,\n    equalProminence: true,\n    honorGPC: false,\n  },\n  countries: ['GB'],\n}\n","import type { Jurisdiction } from '../types.js'\nimport { EU_GDPR } from './eu-gdpr.js'\nimport { UK_DUAA } from './uk-duaa.js'\n\nexport { UK_DUAA } from './uk-duaa.js'\nexport { EU_GDPR } from './eu-gdpr.js'\n\n/**\n * Map of all built-in jurisdiction presets, keyed by their ID for ergonomic\n * lookup: `jurisdictions.UK_DUAA`.\n */\nexport const jurisdictions = {\n  UK_DUAA,\n  EU_GDPR,\n} as const\n\n/**\n * Resolve a jurisdiction from an ISO 3166-1 alpha-2 country code (e.g. 'GB').\n * Falls back to `EU_GDPR` for any country not explicitly mapped — the safer\n * default for an unknown EEA visitor. Returns `null` when the code is unknown\n * and no fallback is requested.\n */\nexport function resolveJurisdictionByCountry(\n  country: string | undefined,\n  fallback: Jurisdiction | null = EU_GDPR,\n): Jurisdiction | null {\n  if (!country) return fallback\n  const upper = country.toUpperCase()\n  for (const j of Object.values(jurisdictions)) {\n    if (j.countries?.includes(upper)) return j\n  }\n  return fallback\n}\n"]}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@tickboxhq/core",
+  "version": "0.0.1",
+  "description": "Core types, jurisdictions, and storage primitives for Tickbox consent management",
+  "license": "MIT",
+  "homepage": "https://tickbox.dev",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tickboxhq/tickbox.git",
+    "directory": "packages/core"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./jurisdictions": {
+      "types": "./dist/jurisdictions/index.d.ts",
+      "import": "./dist/jurisdictions/index.js"
+    }
+  },
+  "sideEffects": false,
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^2.1.8"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  }
+}