c15t 2.0.0-rc.8 → 2.0.4

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # c15t
 
+## 2.0.4
+
+### Patch Changes
+
+- 748536a: Refine policy category scope handling.
+- Updated dependencies [748536a]
+  - @c15t/schema@2.0.1
+
+## 2.0.0
+
+### Major Changes
+
+- 32617c9: Changelog available at https://c15t.com/changelog/2026-04-14-v2.0.0
+
+### Patch Changes
+
+- Updated dependencies [32617c9]
+- Updated dependencies [32617c9]
+  - @c15t/schema@2.0.0
+  - @c15t/translations@2.0.0
+
+## 2.0.0-rc.10
+
+### Patch Changes
+
+- 9579b62: Add token-first legal-document consent groundwork for `2.0`.
+
+  - `c15t`: expand the unstable policy-consent input types so legal-document writes can prefer `documentSnapshotToken`, fall back to `policyHash`, and keep `policyId` only as a compatibility path.
+  - `@c15t/backend`: update legal-document consent writes to resolve append-only consent against a verified document snapshot token when configured, or against a provided document hash when only lighter-weight release proof is available.
+  - `@c15t/schema`: extend the subject consent schema and error shapes for legal-document snapshot tokens and hash-based legal-document resolution.
+
+- Updated dependencies [9579b62]
+  - @c15t/schema@2.0.0-rc.6
+
 ## 2.0.0-rc.8
 
 ### Minor Changes
@@ -171,7 +205,7 @@
 
 ### Major Changes
 
-- 126a78b: https://v2.c15t.com/changelog/2026-02-12-v2.0.0-rc.0
+- 126a78b: https://c15t.com/changelog/2026-02-12-v2.0.0-rc.0
 
 ### Patch Changes
 

package/README.md

@@ -1,24 +1,24 @@
 <p align="center">
-  <a href="https://c15t.com?utm_source=github&utm_medium=repopage_c15t" target="_blank" rel="noopener noreferrer">
+  <a href="https://c15t.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=c15t" target="_blank" rel="noopener noreferrer">
     <picture>
       <source media="(prefers-color-scheme: dark)" srcset="../../docs/assets/c15t-banner-readme-dark.svg" type="image/svg+xml">
       <img src="../../docs/assets/c15t-banner-readme-light.svg" alt="c15t Banner" type="image/svg+xml">
     </picture>
   </a>
-  <br />
-  <h1 align="center">c15t: Developer-First Consent Management Platform</h1>
 </p>
 
+# c15t: Developer-First Consent Management Platform
+
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
-[![License](https://img.shields.io/badge/license-GPL--3.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 [![Discord](https://img.shields.io/discord/1312171102268690493?style=flat-square)](https://c15t.link/discord)
 [![npm version](https://img.shields.io/npm/v/c15t?style=flat-square)](https://www.npmjs.com/package/c15t)
 [![Top Language](https://img.shields.io/github/languages/top/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![Last Commit](https://img.shields.io/github/last-commit/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/commits/main)
 [![Open Issues](https://img.shields.io/github/issues/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/issues)
 
-Developer-first CMP for JavaScript: cookie banner, consent manager, preferences centre. GDPR ready with minimal setup and rich customization
+Headless cookie banner, consent manager & preference center for JavaScript / TypeScript. GDPR, CCPA, LGPD and IAB TCF compliant.
 
 ## Key Features
 
@@ -34,18 +34,18 @@ Developer-first CMP for JavaScript: cookie banner, consent manager, preferences
 - JavaScript or TypeScript project
 - Node.js 18.17.0 or later
 - npm, pnpm, or yarn package manager
-- A hosted [c15t instance](https://consent.io) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)
+- A hosted [c15t instance](https://inth.com) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)
 
 ## Quick Start
 
 Easiest setup with @c15t/cli:
 
 ```bash
-# Generate schema and code
-pnpm dlx @c15t/cli generate
+# Set up c15t in your project
+pnpm dlx @c15t/cli setup
 # Alternatives:
-# npx @c15t/cli generate
-# bunx --bun @c15t/cli generate
+# npx @c15t/cli setup
+# bunx --bun @c15t/cli setup
 ```
 
 The CLI will:
@@ -88,24 +88,24 @@ For further information, guides, and examples visit the [reference documentation
 
 - Join our [Discord community](https://c15t.link/discord)
 - Open an issue on our [GitHub repository](https://github.com/c15t/c15t/issues)
-- Visit [consent.io](https://consent.io) and use the chat widget
-- Contact our support team via email [support@consent.io](mailto:support@consent.io)
+- Visit [inth.com](https://inth.com) and use the chat widget
+- Contact our support team via email [support@inth.com](mailto:support@inth.com)
 
 ## Contributing
 
-- We're open to all community contributions!
+- We're open to all community contributions.
 - Read our [Contribution Guidelines](https://c15t.com/docs/oss/contributing)
 - Review our [Code of Conduct](https://c15t.com/docs/oss/code-of-conduct)
 - Fork the repository
 - Create a new branch for your feature
 - Submit a pull request
-- **All contributions, big or small, are welcome and appreciated!**
+- **All contributions, big or small, are welcome and appreciated.**
 
 ## Security
 
 If you believe you have found a security vulnerability in c15t, we encourage you to **_responsibly disclose this and NOT open a public issue_**. We will investigate all legitimate reports.
 
-Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
+Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our open-source software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
 
 ### Security Policy
 
@@ -116,8 +116,8 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ## License
 
-[GNU General Public License v3.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[Apache License 2.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 
 ---
 
-**Built with ❤️ by the [consent.io](https://www.consent.io?utm_source=github&utm_medium=repopage_c15t) team**
+**Built by [Inth](https://inth.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=c15t)**

package/dist/index.cjs

@@ -601,14 +601,13 @@ const consent_types_consentTypes = [
     }
 ];
 const allConsentNames = consent_types_consentTypes.map((consent)=>consent.name);
-const version = '2.0.0-rc.8';
 const STORAGE_KEY_V2 = 'c15t';
 const STORAGE_KEY = 'privacy-consent-storage';
 const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: version,
+        version: "2.0.4",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1768,11 +1767,24 @@ function flattenLayout(layout) {
 }
 function applyPolicyPurposeAllowlist(preferences, allowedPurposeIds) {
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
-    const allowed = new Set(allowedPurposeIds);
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
     const next = {};
     for (const [key, value] of Object.entries(preferences))next[key] = allowed.has(key) ? value : false;
     return next;
 }
+function stripDisallowedPreferenceKeys(preferences, allowedPurposeIds) {
+    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
+    const next = {};
+    for (const [key, value] of Object.entries(preferences))if (allowed.has(key)) next[key] = value;
+    return next;
+}
 function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     const uniqueCategories = Array.from(new Set(categories));
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return uniqueCategories;
@@ -1784,19 +1796,11 @@ function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     if (!filtered.includes('necessary')) filtered.unshift('necessary');
     return filtered;
 }
-function applyPolicyScopeForRuntimeGating(consents, allowedPurposeIds, scopeMode = 'permissive') {
-    if ('strict' === scopeMode) return consents;
-    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return consents;
-    const allowedCategories = new Set([
-        'necessary',
-        ...allowedPurposeIds.filter(isConsentCategory)
-    ]);
-    const next = {
-        ...consents
-    };
-    for (const category of allConsentNames)if (!allowedCategories.has(category)) next[category] = true;
-    next.necessary = true;
-    return next;
+function shouldEnforcePolicyCategoryScope(allowedPurposeIds, scopeMode = 'permissive') {
+    return 'strict' === scopeMode && Array.isArray(allowedPurposeIds) && allowedPurposeIds.length > 0 && !allowedPurposeIds.includes('*');
+}
+function applyPolicyScopeForRuntimeGating(consents, _allowedPurposeIds, _scopeMode = 'permissive') {
+    return consents;
 }
 function getEffectivePolicy(initData) {
     return initData?.policy;
@@ -2799,8 +2803,11 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     if ('all' === type) {
         for (const consent of consentTypes)if (consentCategories.includes(consent.name)) newConsents[consent.name] = true;
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
-    const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
-    const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
+    const effectivePolicy = getEffectivePolicy(lastBannerFetchData);
+    const policyCategories = effectivePolicy?.consent?.categories;
+    const shouldEnforcePolicyScope = shouldEnforcePolicyCategoryScope(policyCategories, effectivePolicy?.consent?.scopeMode ?? null);
+    const effectiveConsents = shouldEnforcePolicyScope ? applyPolicyPurposeAllowlist(newConsents, policyCategories) : newConsents;
+    const requestPreferences = shouldEnforcePolicyScope ? stripDisallowedPreferenceKeys(effectiveConsents, policyCategories) : effectiveConsents;
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -2851,7 +2858,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         const pendingSync = {
             type,
             subjectId,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             givenAt,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model,
@@ -2890,7 +2897,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         body: {
             type: 'cookie_banner',
             domain: window.location.hostname,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             subjectId,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model ?? void 0,
@@ -3001,8 +3008,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
         update.selectedConsents = autoGrantedConsents;
     }
     const policyCategories = data.policy?.consent?.categories;
-    const hasPolicyCategoryAllowlist = Array.isArray(policyCategories) && policyCategories.length > 0 && !policyCategories.includes('*');
-    if (hasPolicyCategoryAllowlist) {
+    const hasStrictPolicyCategoryAllowlist = shouldEnforcePolicyCategoryScope(policyCategories, data.policy?.consent?.scopeMode ?? null);
+    if (hasStrictPolicyCategoryAllowlist) {
         const uniqueAllowedCategories = filterConsentCategoriesByPolicy(allConsentNames, policyCategories);
         update.consentCategories = uniqueAllowedCategories;
         update.consents = applyPolicyPurposeAllowlist(update.consents ?? get().consents, uniqueAllowedCategories);
@@ -3011,7 +3018,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
     const preselectedCategories = data.policy?.consent?.preselectedCategories;
     const shouldApplyPreselectedCategories = null === consentInfo && !autoGrantedConsents && Array.isArray(preselectedCategories) && preselectedCategories.length > 0;
     if (shouldApplyPreselectedCategories) {
-        const preselectedScope = hasPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(allConsentNames, policyCategories) : allConsentNames;
+        const displayedConsentNames = update.consentCategories ?? get().consentCategories;
+        const preselectedScope = hasStrictPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(displayedConsentNames, policyCategories) : displayedConsentNames;
         const allowedPreselectedCategories = filterConsentCategoriesByPolicy(preselectedScope, preselectedCategories);
         const preselectedSet = new Set(allowedPreselectedCategories);
         const selectedConsentBaseline = update.selectedConsents ?? get().selectedConsents;
@@ -3724,8 +3732,14 @@ const createConsentManagerStore = (manager, options = {})=>{
                     return resetState;
                 });
             },
-            setConsentCategories: (types)=>set({
-                    consentCategories: filterConsentCategoriesByPolicy(types, get().policyCategories)
+            setConsentCategories: (types)=>set(()=>{
+                    const { policyCategories, policyScopeMode } = get();
+                    if (shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode)) return {
+                        consentCategories: filterConsentCategoriesByPolicy(types, policyCategories)
+                    };
+                    return {
+                        consentCategories: Array.from(new Set(types))
+                    };
                 }),
             setCallback: (name, callback)=>{
                 const currentState = get();
@@ -3797,13 +3811,15 @@ const createConsentManagerStore = (manager, options = {})=>{
                 });
             },
             updateConsentCategories: (newCategories)=>{
+                const { consentCategories: currentConsentCategories, policyCategories, policyScopeMode } = get();
                 const allCategoriesSet = new Set([
-                    ...get().consentCategories,
+                    ...currentConsentCategories,
                     ...newCategories
                 ]);
-                const allCategories = filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), get().policyCategories);
+                let consentCategories;
+                consentCategories = shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode) ? filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), policyCategories) : Array.from(allCategoriesSet);
                 set({
-                    consentCategories: allCategories
+                    consentCategories
                 });
             },
             identifyUser: async (user)=>{
@@ -3831,6 +3847,103 @@ const createConsentManagerStore = (manager, options = {})=>{
                     }
                 });
             },
+            unstable_acceptPolicyConsent: async (input)=>{
+                const currentState = get();
+                const currentInfo = currentState.consentInfo;
+                const subjectId = currentInfo?.subjectId ?? generateSubjectId();
+                const storedIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentInfo?.externalId,
+                    identityProvider: currentInfo?.identityProvider
+                });
+                const userIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentState.user?.id,
+                    identityProvider: currentState.user?.identityProvider
+                });
+                const inputIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: input.externalId,
+                    identityProvider: input.identityProvider
+                });
+                const externalId = inputIdentifiers.externalId ?? storedIdentifiers.externalId ?? userIdentifiers.externalId;
+                const identityProvider = inputIdentifiers.identityProvider ?? storedIdentifiers.identityProvider ?? userIdentifiers.identityProvider;
+                const givenAt = input.givenAt ?? Date.now();
+                const domain = input.domain ?? ("u" > typeof window ? window.location.hostname : 'localhost');
+                const isLegalDocumentType = 'privacy_policy' === input.type || 'terms_and_conditions' === input.type || 'dpa' === input.type;
+                let legalDocumentFields = {};
+                if (isLegalDocumentType) if (input.documentSnapshotToken) legalDocumentFields = {
+                    documentSnapshotToken: input.documentSnapshotToken
+                };
+                else if (input.policyHash) legalDocumentFields = {
+                    policyHash: input.policyHash
+                };
+                else if (input.policyId) legalDocumentFields = {
+                    policyId: input.policyId
+                };
+                else throw new Error('Legal document consent requires documentSnapshotToken, policyHash, or policyId.');
+                const response = await manager.setConsent({
+                    body: {
+                        type: input.type,
+                        subjectId,
+                        domain,
+                        givenAt,
+                        uiSource: input.uiSource ?? 'api',
+                        ...legalDocumentFields,
+                        ...input.metadata ? {
+                            metadata: input.metadata
+                        } : {},
+                        ...input.preferences ? {
+                            preferences: input.preferences
+                        } : {},
+                        ...externalId ? {
+                            externalSubjectId: externalId
+                        } : {},
+                        ...identityProvider ? {
+                            identityProvider
+                        } : {}
+                    }
+                });
+                if (!response.ok || !response.data) {
+                    const errorMsg = response.error?.message ?? 'Failed to accept policy consent';
+                    get().callbacks.onError?.({
+                        error: errorMsg
+                    });
+                    const error = new Error(errorMsg);
+                    error.code = response.error?.code;
+                    error.details = response.error?.details ?? null;
+                    error.status = response.error?.status;
+                    throw error;
+                }
+                const consent = {
+                    ...response.data,
+                    givenAt: response.data.givenAt instanceof Date ? response.data.givenAt : new Date(response.data.givenAt)
+                };
+                const latestState = get();
+                const latestInfo = latestState.consentInfo;
+                const nextConsentInfo = {
+                    ...latestInfo,
+                    time: givenAt,
+                    subjectId,
+                    ...externalId ? {
+                        externalId
+                    } : {},
+                    ...identityProvider ? {
+                        identityProvider
+                    } : {}
+                };
+                set({
+                    consentInfo: nextConsentInfo,
+                    ...externalId ? {
+                        user: {
+                            id: externalId,
+                            identityProvider
+                        }
+                    } : {}
+                });
+                saveConsentToStorage({
+                    consents: latestState.consents,
+                    consentInfo: nextConsentInfo
+                }, void 0, latestState.storageConfig);
+                return consent;
+            },
             setOverrides: async (overrides)=>{
                 set({
                     overrides: {
@@ -3960,7 +4073,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || version,
+                version: pkgInfo?.version || "2.0.4",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist/index.js

@@ -525,14 +525,13 @@ const consent_types_consentTypes = [
     }
 ];
 const allConsentNames = consent_types_consentTypes.map((consent)=>consent.name);
-const version = '2.0.0-rc.8';
 const STORAGE_KEY_V2 = 'c15t';
 const STORAGE_KEY = 'privacy-consent-storage';
 const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: version,
+        version: "2.0.4",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1692,11 +1691,24 @@ function flattenLayout(layout) {
 }
 function applyPolicyPurposeAllowlist(preferences, allowedPurposeIds) {
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
-    const allowed = new Set(allowedPurposeIds);
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
     const next = {};
     for (const [key, value] of Object.entries(preferences))next[key] = allowed.has(key) ? value : false;
     return next;
 }
+function stripDisallowedPreferenceKeys(preferences, allowedPurposeIds) {
+    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
+    const next = {};
+    for (const [key, value] of Object.entries(preferences))if (allowed.has(key)) next[key] = value;
+    return next;
+}
 function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     const uniqueCategories = Array.from(new Set(categories));
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return uniqueCategories;
@@ -1708,19 +1720,11 @@ function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     if (!filtered.includes('necessary')) filtered.unshift('necessary');
     return filtered;
 }
-function applyPolicyScopeForRuntimeGating(consents, allowedPurposeIds, scopeMode = 'permissive') {
-    if ('strict' === scopeMode) return consents;
-    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return consents;
-    const allowedCategories = new Set([
-        'necessary',
-        ...allowedPurposeIds.filter(isConsentCategory)
-    ]);
-    const next = {
-        ...consents
-    };
-    for (const category of allConsentNames)if (!allowedCategories.has(category)) next[category] = true;
-    next.necessary = true;
-    return next;
+function shouldEnforcePolicyCategoryScope(allowedPurposeIds, scopeMode = 'permissive') {
+    return 'strict' === scopeMode && Array.isArray(allowedPurposeIds) && allowedPurposeIds.length > 0 && !allowedPurposeIds.includes('*');
+}
+function applyPolicyScopeForRuntimeGating(consents, _allowedPurposeIds, _scopeMode = 'permissive') {
+    return consents;
 }
 function getEffectivePolicy(initData) {
     return initData?.policy;
@@ -2722,8 +2726,11 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     if ('all' === type) {
         for (const consent of consentTypes)if (consentCategories.includes(consent.name)) newConsents[consent.name] = true;
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
-    const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
-    const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
+    const effectivePolicy = getEffectivePolicy(lastBannerFetchData);
+    const policyCategories = effectivePolicy?.consent?.categories;
+    const shouldEnforcePolicyScope = shouldEnforcePolicyCategoryScope(policyCategories, effectivePolicy?.consent?.scopeMode ?? null);
+    const effectiveConsents = shouldEnforcePolicyScope ? applyPolicyPurposeAllowlist(newConsents, policyCategories) : newConsents;
+    const requestPreferences = shouldEnforcePolicyScope ? stripDisallowedPreferenceKeys(effectiveConsents, policyCategories) : effectiveConsents;
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -2774,7 +2781,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         const pendingSync = {
             type,
             subjectId,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             givenAt,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model,
@@ -2813,7 +2820,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         body: {
             type: 'cookie_banner',
             domain: window.location.hostname,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             subjectId,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model ?? void 0,
@@ -2924,8 +2931,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
         update.selectedConsents = autoGrantedConsents;
     }
     const policyCategories = data.policy?.consent?.categories;
-    const hasPolicyCategoryAllowlist = Array.isArray(policyCategories) && policyCategories.length > 0 && !policyCategories.includes('*');
-    if (hasPolicyCategoryAllowlist) {
+    const hasStrictPolicyCategoryAllowlist = shouldEnforcePolicyCategoryScope(policyCategories, data.policy?.consent?.scopeMode ?? null);
+    if (hasStrictPolicyCategoryAllowlist) {
         const uniqueAllowedCategories = filterConsentCategoriesByPolicy(allConsentNames, policyCategories);
         update.consentCategories = uniqueAllowedCategories;
         update.consents = applyPolicyPurposeAllowlist(update.consents ?? get().consents, uniqueAllowedCategories);
@@ -2934,7 +2941,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
     const preselectedCategories = data.policy?.consent?.preselectedCategories;
     const shouldApplyPreselectedCategories = null === consentInfo && !autoGrantedConsents && Array.isArray(preselectedCategories) && preselectedCategories.length > 0;
     if (shouldApplyPreselectedCategories) {
-        const preselectedScope = hasPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(allConsentNames, policyCategories) : allConsentNames;
+        const displayedConsentNames = update.consentCategories ?? get().consentCategories;
+        const preselectedScope = hasStrictPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(displayedConsentNames, policyCategories) : displayedConsentNames;
         const allowedPreselectedCategories = filterConsentCategoriesByPolicy(preselectedScope, preselectedCategories);
         const preselectedSet = new Set(allowedPreselectedCategories);
         const selectedConsentBaseline = update.selectedConsents ?? get().selectedConsents;
@@ -3647,8 +3655,14 @@ const createConsentManagerStore = (manager, options = {})=>{
                     return resetState;
                 });
             },
-            setConsentCategories: (types)=>set({
-                    consentCategories: filterConsentCategoriesByPolicy(types, get().policyCategories)
+            setConsentCategories: (types)=>set(()=>{
+                    const { policyCategories, policyScopeMode } = get();
+                    if (shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode)) return {
+                        consentCategories: filterConsentCategoriesByPolicy(types, policyCategories)
+                    };
+                    return {
+                        consentCategories: Array.from(new Set(types))
+                    };
                 }),
             setCallback: (name, callback)=>{
                 const currentState = get();
@@ -3720,13 +3734,15 @@ const createConsentManagerStore = (manager, options = {})=>{
                 });
             },
             updateConsentCategories: (newCategories)=>{
+                const { consentCategories: currentConsentCategories, policyCategories, policyScopeMode } = get();
                 const allCategoriesSet = new Set([
-                    ...get().consentCategories,
+                    ...currentConsentCategories,
                     ...newCategories
                 ]);
-                const allCategories = filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), get().policyCategories);
+                let consentCategories;
+                consentCategories = shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode) ? filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), policyCategories) : Array.from(allCategoriesSet);
                 set({
-                    consentCategories: allCategories
+                    consentCategories
                 });
             },
             identifyUser: async (user)=>{
@@ -3754,6 +3770,103 @@ const createConsentManagerStore = (manager, options = {})=>{
                     }
                 });
             },
+            unstable_acceptPolicyConsent: async (input)=>{
+                const currentState = get();
+                const currentInfo = currentState.consentInfo;
+                const subjectId = currentInfo?.subjectId ?? generateSubjectId();
+                const storedIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentInfo?.externalId,
+                    identityProvider: currentInfo?.identityProvider
+                });
+                const userIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentState.user?.id,
+                    identityProvider: currentState.user?.identityProvider
+                });
+                const inputIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: input.externalId,
+                    identityProvider: input.identityProvider
+                });
+                const externalId = inputIdentifiers.externalId ?? storedIdentifiers.externalId ?? userIdentifiers.externalId;
+                const identityProvider = inputIdentifiers.identityProvider ?? storedIdentifiers.identityProvider ?? userIdentifiers.identityProvider;
+                const givenAt = input.givenAt ?? Date.now();
+                const domain = input.domain ?? ("u" > typeof window ? window.location.hostname : 'localhost');
+                const isLegalDocumentType = 'privacy_policy' === input.type || 'terms_and_conditions' === input.type || 'dpa' === input.type;
+                let legalDocumentFields = {};
+                if (isLegalDocumentType) if (input.documentSnapshotToken) legalDocumentFields = {
+                    documentSnapshotToken: input.documentSnapshotToken
+                };
+                else if (input.policyHash) legalDocumentFields = {
+                    policyHash: input.policyHash
+                };
+                else if (input.policyId) legalDocumentFields = {
+                    policyId: input.policyId
+                };
+                else throw new Error('Legal document consent requires documentSnapshotToken, policyHash, or policyId.');
+                const response = await manager.setConsent({
+                    body: {
+                        type: input.type,
+                        subjectId,
+                        domain,
+                        givenAt,
+                        uiSource: input.uiSource ?? 'api',
+                        ...legalDocumentFields,
+                        ...input.metadata ? {
+                            metadata: input.metadata
+                        } : {},
+                        ...input.preferences ? {
+                            preferences: input.preferences
+                        } : {},
+                        ...externalId ? {
+                            externalSubjectId: externalId
+                        } : {},
+                        ...identityProvider ? {
+                            identityProvider
+                        } : {}
+                    }
+                });
+                if (!response.ok || !response.data) {
+                    const errorMsg = response.error?.message ?? 'Failed to accept policy consent';
+                    get().callbacks.onError?.({
+                        error: errorMsg
+                    });
+                    const error = new Error(errorMsg);
+                    error.code = response.error?.code;
+                    error.details = response.error?.details ?? null;
+                    error.status = response.error?.status;
+                    throw error;
+                }
+                const consent = {
+                    ...response.data,
+                    givenAt: response.data.givenAt instanceof Date ? response.data.givenAt : new Date(response.data.givenAt)
+                };
+                const latestState = get();
+                const latestInfo = latestState.consentInfo;
+                const nextConsentInfo = {
+                    ...latestInfo,
+                    time: givenAt,
+                    subjectId,
+                    ...externalId ? {
+                        externalId
+                    } : {},
+                    ...identityProvider ? {
+                        identityProvider
+                    } : {}
+                };
+                set({
+                    consentInfo: nextConsentInfo,
+                    ...externalId ? {
+                        user: {
+                            id: externalId,
+                            identityProvider
+                        }
+                    } : {}
+                });
+                saveConsentToStorage({
+                    consents: latestState.consents,
+                    consentInfo: nextConsentInfo
+                }, void 0, latestState.storageConfig);
+                return consent;
+            },
             setOverrides: async (overrides)=>{
                 set({
                     overrides: {
@@ -3883,7 +3996,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || version,
+                version: pkgInfo?.version || "2.0.4",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist-types/client/client-factory.d.ts

@@ -82,7 +82,7 @@ export type ConsentManagerOptions = {
      * @remarks
      * When provided, this takes precedence over `store.offlinePolicy`.
      *
-     * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
+     * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
      */
     offlinePolicy?: StoreOptions['offlinePolicy'];
     /**

package/dist-types/client/hosted/init.d.ts

@@ -5,7 +5,7 @@ import type { IABFallbackConfig } from './types';
 /**
  * Provides offline mode fallback for showConsentBanner API.
  * Simulates the behavior of OfflineClient when API requests fail.
- * In fallback mode, fetches GVL from gvl.consent.io when IAB is enabled.
+ * In fallback mode, fetches GVL from gvl.inth.app when IAB is enabled.
  * @internal
  */
 export declare function offlineFallbackForConsentBanner(options?: FetchOptions<InitResponse>, iabConfig?: IABFallbackConfig): Promise<ResponseContext<InitResponse>>;

package/dist-types/client/hosted/types.d.ts

@@ -59,7 +59,7 @@ export interface C15tInternalClientOptions {
     /**
      * IAB configuration for offline/fallback mode.
      * When the backend is unavailable and IAB is enabled,
-     * the client will fetch GVL from gvl.consent.io with these settings.
+     * the client will fetch GVL from gvl.inth.app with these settings.
      */
     iabConfig?: IABFallbackConfig;
 }

package/dist-types/client/offline/types.d.ts

@@ -6,7 +6,7 @@ import type { IABFallbackConfig } from '../hosted/types';
 export interface OfflineClientOptions {
     /**
      * IAB configuration for offline mode.
-     * When IAB is enabled, the client will fetch GVL from gvl.consent.io.
+     * When IAB is enabled, the client will fetch GVL from gvl.inth.app.
      */
     iabConfig?: IABFallbackConfig;
     /**

package/dist-types/index.d.ts

@@ -27,7 +27,7 @@ export { buildPrefetchScript } from './libs/prefetch';
 export { emitScriptDebugEvent, getLoadedScriptIds, isScriptLoaded, loadScripts, type Script, type ScriptDebugAction, type ScriptDebugEvent, type ScriptDebugEventInput, type ScriptDebugListener, type ScriptDebugScope, type ScriptDebugSource, type ScriptLifecycleCallback, subscribeToScriptDebugEvents, unloadScripts, updateScripts, } from './libs/script-loader';
 export { type ConsentRuntimeOptions, type ConsentRuntimePkgInfo, type ConsentRuntimeResult, clearConsentRuntimeCache, getOrCreateConsentRuntime, } from './runtime';
 export { createConsentManagerStore } from './store';
-export type { ActiveUI, ConsentStoreState, InitDataSource, OfflinePolicyConfig, PolicyScopeMode, PolicySurfaceState, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, SSRInitialData, SSRInitRequestContext, SSRInitRequestMetadata, SSRSkippedReason, StoreOptions, } from './store/type';
+export type { ActiveUI, ConsentStoreState, InitDataSource, OfflinePolicyConfig, PolicyScopeMode, PolicySurfaceState, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, SSRInitialData, SSRInitRequestContext, SSRInitRequestMetadata, SSRSkippedReason, StoreOptions, UnstableGenericPolicyConsentInput, UnstableLegalDocumentConsentInput, UnstablePolicyConsentInput, } from './store/type';
 export { defaultTranslationConfig } from './translations';
 export type { Callback, Callbacks, OnBannerFetchedPayload, OnConsentChangedPayload, OnConsentSetPayload, OnErrorPayload, } from './types/callbacks';
 export type { ConsentBannerResponse, ConsentState, LocationInfo, NamespaceProps, } from './types/compliance';

package/dist-types/libs/iab-tcf/types.d.ts

@@ -137,7 +137,7 @@ export type IABManager = IABState & IABActions;
  * @internal
  */
 export interface CMPApiConfig {
-    /** CMP ID registered with IAB Europe. Provided by the backend (consent.io) or client config. */
+    /** CMP ID registered with IAB Europe. Provided by the backend (inth.com) or client config. */
     cmpId?: number;
     /** CMP version (default: package version from ~/cmp-defaults) */
     cmpVersion?: number | string;
@@ -216,7 +216,7 @@ export interface IABConfig {
      * Enable IAB TCF 2.3 mode.
      *
      * When enabled, c15t will:
-     * - Fetch GVL from gvl.consent.io
+     * - Fetch GVL from gvl.inth.app
      * - Initialize __tcfapi CMP API
      * - Generate TC Strings for IAB compliance
      *
@@ -236,7 +236,7 @@ export interface IABConfig {
     /**
      * CMP ID registered with IAB Europe.
      *
-     * When using consent.io as the backend, this is automatically provided
+     * When using inth.com as the backend, this is automatically provided
      * via the `/init` endpoint — no client-side configuration needed.
      *
      * Only set this if you self-host and have your own CMP registration.
@@ -325,4 +325,4 @@ export declare const IAB_STORAGE_KEYS: {
  *
  * @internal
  */
-export declare const GVL_ENDPOINT = "https://gvl.consent.io";
+export declare const GVL_ENDPOINT = "https://gvl.inth.app";

package/dist-types/libs/policy.d.ts

@@ -20,9 +20,18 @@ export interface PolicyValidationIssue {
  * Any preference key not in `allowedPurposeIds` is forced to `false`.
  * This prevents backend allowlist enforcement errors when clients hold
  * additional consent keys (for example from IAB category mapping).
- * When `allowedPurposeIds` contains `*`, no filtering is applied.
+ * When `allowedPurposeIds` contains `*`, no filtering is applied. `necessary`
+ * is always retained.
  */
 export declare function applyPolicyPurposeAllowlist<T extends Record<string, boolean>>(preferences: T, allowedPurposeIds?: string[]): T;
+/**
+ * Strips preference keys that are outside the active policy allowlist.
+ *
+ * Use this for API payloads when the backend enforces strict purpose scope and
+ * rejects unknown preference keys entirely. `necessary` is always retained to
+ * stay aligned with `applyPolicyPurposeAllowlist()`.
+ */
+export declare function stripDisallowedPreferenceKeys<T extends Record<string, boolean>>(preferences: T, allowedPurposeIds?: string[]): Partial<T>;
 /**
  * Filters consent categories against a policy purpose allowlist.
  *
@@ -31,12 +40,15 @@ export declare function applyPolicyPurposeAllowlist<T extends Record<string, boo
  */
 export declare function filterConsentCategoriesByPolicy(categories: AllConsentNames[], allowedPurposeIds?: string[] | null): AllConsentNames[];
 /**
- * Applies policy scope to runtime gating behavior.
- *
- * Out-of-policy categories are treated as permissive by c15t runtime and are
- * therefore granted for gating decisions (scripts/iframes load normally).
+ * Returns whether policy category scope should be enforced as a hard allowlist.
+ */
+export declare function shouldEnforcePolicyCategoryScope(allowedPurposeIds?: string[] | null, scopeMode?: 'strict' | 'permissive' | null): boolean;
+/**
+ * @deprecated No-op retained for API compatibility. Runtime gating respects
+ * the current consent state directly; policy scope is enforced at category
+ * discovery, render, and save time instead.
  */
-export declare function applyPolicyScopeForRuntimeGating(consents: ConsentState, allowedPurposeIds?: string[] | null, scopeMode?: 'strict' | 'permissive' | null): ConsentState;
+export declare function applyPolicyScopeForRuntimeGating(consents: ConsentState, _allowedPurposeIds?: string[] | null, _scopeMode?: 'strict' | 'permissive' | null): ConsentState;
 /**
  * Gets the runtime policy returned by /init, if present.
  */

package/dist-types/libs/save-consents.d.ts

@@ -15,7 +15,7 @@ export interface PendingConsentSync {
     subjectId: string;
     externalId?: string;
     identityProvider?: string;
-    preferences: ConsentState;
+    preferences: Partial<ConsentState>;
     givenAt: number;
     jurisdiction?: string;
     jurisdictionModel?: string | null;

package/dist-types/store/type.d.ts

@@ -2,7 +2,7 @@
  * @packageDocumentation
  * Defines the core types and interfaces for the consent management store.
  */
-import type { Branding, InitOutput, PolicyConfig, PolicyScopeMode, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig } from '@c15t/schema/types';
+import type { Branding, InitOutput, PolicyConfig, PolicyScopeMode, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, PostSubjectOutput } from '@c15t/schema/types';
 import type { Model } from '../libs/determine-model';
 import type { StorageConfig } from '../libs/cookie';
 import type { HasCondition } from '../libs/has';
@@ -48,6 +48,53 @@ export interface PolicySurfaceState {
     /** Scroll lock hint from backend runtime policy. */
     scrollLock?: boolean;
 }
+type RequireAtLeastOne<T, Keys extends keyof T = keyof T> = Keys extends keyof T ? Required<Pick<T, Keys>> & Partial<Omit<T, Keys>> : never;
+/**
+ * Experimental input for legal-document consent writes.
+ *
+ * @remarks
+ * Preferred identifier flow:
+ * - `documentSnapshotToken` for authoritative, signed release metadata
+ * - `policyHash` when the caller only knows the rendered document hash
+ * - `policyId` only as a compatibility fallback for older backends
+ *
+ * @experimental
+ */
+type UnstableLegalDocumentConsentInputBase = {
+    type: 'privacy_policy' | 'terms_and_conditions' | 'dpa';
+    policyId?: string;
+    policyHash?: string;
+    documentSnapshotToken?: string;
+    domain?: string;
+    givenAt?: number;
+    metadata?: Record<string, unknown>;
+    preferences?: Record<string, boolean>;
+    uiSource?: string;
+    externalId?: string;
+    identityProvider?: string;
+};
+export type UnstableLegalDocumentConsentInput = UnstableLegalDocumentConsentInputBase & RequireAtLeastOne<Pick<UnstableLegalDocumentConsentInputBase, 'policyId' | 'policyHash' | 'documentSnapshotToken'>>;
+/**
+ * Experimental input for non-legal policy consent writes.
+ *
+ * @experimental
+ */
+export interface UnstableGenericPolicyConsentInput {
+    type: 'marketing_communications' | 'age_verification' | 'other';
+    domain?: string;
+    givenAt?: number;
+    metadata?: Record<string, unknown>;
+    preferences?: Record<string, boolean>;
+    uiSource?: string;
+    externalId?: string;
+    identityProvider?: string;
+}
+/**
+ * Experimental input for policy-based consent writes.
+ *
+ * @experimental
+ */
+export type UnstablePolicyConsentInput = UnstableLegalDocumentConsentInput | UnstableGenericPolicyConsentInput;
 /**
  * Offline policy preview payload for the headless runtime.
  *
@@ -61,8 +108,8 @@ export interface PolicySurfaceState {
  *   resolve it locally
  * - `policy` / `policyDecision`: inject a fully synthetic resolved result
  *
- * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
- * @see {@link https://v2.c15t.com/docs/frameworks/react/concepts/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/react/concepts/policy-packs}
  */
 export type OfflinePolicyConfig = {
     /**
@@ -198,7 +245,7 @@ export interface SSRInitialData {
     /**
      * Global Vendor List data for IAB TCF mode.
      * - `undefined` means IAB is not active for the request or not enabled on server
-     * - `null` means the user is in a non-IAB region (204 response from gvl.consent.io)
+     * - `null` means the user is in a non-IAB region (204 response from gvl.inth.app)
      * - `GlobalVendorList` contains the vendor list data from init response
      *
      * Note: When init returns 200 without gvl, client IAB settings are overridden to disabled.
@@ -422,7 +469,7 @@ export interface StoreOptions extends Partial<StoreConfig> {
      * Note: If the server returns 200 without GVL, client IAB settings are
      * automatically overridden to disabled (server takes precedence).
      *
-     * In offline/fallback mode, GVL is fetched from gvl.consent.io.
+     * In offline/fallback mode, GVL is fetched from gvl.inth.app.
      *
      * This is an opt-in feature with zero bundle impact when not enabled.
      *
@@ -440,7 +487,7 @@ export interface StoreOptions extends Partial<StoreConfig> {
      *
      * Ignored in hosted/custom modes.
      *
-     * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
+     * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
      */
     offlinePolicy?: OfflinePolicyConfig;
     /**
@@ -646,6 +693,12 @@ export interface StoreActions {
      * @throws {Error} When the underlying identify-user request fails
      */
     identifyUser: (user: User) => Promise<void>;
+    /**
+     * Writes a policy-based consent such as terms and conditions.
+     *
+     * @experimental
+     */
+    unstable_acceptPolicyConsent: (input: UnstablePolicyConsentInput) => Promise<PostSubjectOutput>;
     /**
      * Updates the selected consent state for a specific consent type.
      *

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0-rc.8";
+export declare const version = "2.0.4";

package/docs/ai-agents.md

@@ -0,0 +1,111 @@
+---
+title: AI Agents
+description: Integrate c15t with AI coding assistants using the docs bundled in each package and c15t agent skills. Give agents version-matched local docs for consent management, banners, script loading, callbacks, and integrations.
+lastModified: 2026-03-24
+---
+## Bundled Docs
+
+Every supported c15t package now ships docs inside the installed package itself.
+
+### Where to find them
+
+* `node_modules/c15t/docs/README.md`
+* `node_modules/@c15t/react/docs/README.md`
+* `node_modules/@c15t/nextjs/docs/README.md`
+* `node_modules/@c15t/backend/docs/README.md`
+
+Start with the package `README.md`, then follow its linked pages for the relevant workflow.
+
+These docs are version-matched to the exact c15t package version in your project, including generated reference content like prop and type tables.
+
+### Why use them
+
+If your app uses multiple c15t packages, use the docs from each relevant installed package instead of relying on stale model knowledge.
+
+### Agent philosophy
+
+When an AI tool is helping with c15t behavior, it should read the installed c15t docs first and use model knowledge second. That keeps consent flows, script gating, banner behavior, and integrations aligned with the exact version you have installed.
+
+### Customization ladder for agents
+
+When an agent is working on consent UI, it should choose the lowest-power tool that solves the task:
+
+1. Start with the pre-built component and its existing props or provider options
+2. Use `theme` tokens for semantic visual changes
+3. Use `theme.slots` for targeted styling of specific parts
+4. Use CSS variables or className-level overrides only when integrating with external styles
+5. Use compound components only when the markup order must change
+6. Use `noStyle` only when c15t structure is still correct but all styling must be replaced
+7. Use headless hooks only when markup and behavior both need to be rebuilt
+
+For common tasks:
+
+* Banner footer background -> `theme.colors.surfaceHover`
+* Banner card background -> `theme.colors.surface`
+* Banner card/footer/title tweaks -> banner slots
+* Stock action styling -> `theme.consentActions`
+* Copy changes -> `ConsentManagerProvider.options.i18n`
+
+If a token appears not to work, the agent should verify the token-to-component mapping before suggesting CSS overrides, `!important`, `noStyle`, or headless mode.
+
+***
+
+## Agent Skills
+
+c15t publishes agent skills that give AI coding assistants deep knowledge of c15t's APIs, components, and configuration. Skills are reusable workflows and tool-specific guidance, not version-matched local docs.
+
+### Installation
+
+Via the c15t CLI:
+
+|Package manager|Command|
+|:--|:--|
+|npm|`npx @c15t/cli install-skills`|
+|pnpm|`pnpm dlx @c15t/cli install-skills`|
+|yarn|`yarn dlx @c15t/cli install-skills`|
+|bun|`bunx @c15t/cli install-skills`|
+
+Or directly:
+
+|Package manager|Command|
+|:--|:--|
+|npm|`npx skills add c15t/skills`|
+|pnpm|`pnpm dlx skills add c15t/skills`|
+|yarn|`yarn dlx skills add c15t/skills`|
+|bun|`bunx skills add c15t/skills`|
+
+### What skills provide
+
+* **Styling customization** — strict escalation guidance across props, tokens, slots, CSS variables, compound components, `noStyle`, and headless
+* **Internationalization** — translation setup, locale routing integration
+* **Script management** — configuring third-party scripts with consent categories
+* **Component setup** — ConsentBanner, ConsentDialog, provider configuration
+
+### Supported tools
+
+* Claude Code
+* Cursor
+* GitHub Copilot (via `.github/skills`)
+* Any agent that supports the skills format
+
+***
+
+## When to use which
+
+Use bundled docs when:
+
+* Your agent can read files in the local project
+* You want version-matched docs from the installed c15t packages
+* You want a package-local README that tells the agent which detailed docs to read first
+* You want concrete guidance for consent management, cookie banners, consent dialogs, preference centers, script loading, callbacks, and integrations
+
+Use agent skills when:
+
+* Your tool supports the skills ecosystem
+* You want reusable workflows and tool-specific guidance that can point back to the installed package README files
+
+Use both when:
+
+* Your tool supports both local file context and skills
+* You want local package docs plus reusable setup and configuration help
+* You want the bundled package docs as the source of truth plus a reusable decision tree for customization

package/docs/concepts/client-modes.md

@@ -15,7 +15,7 @@ c15t supports three client modes that determine how consent data is stored and s
 
 ## Hosted Mode (Recommended)
 
-The default mode. Connects to a c15t backend for full consent lifecycle management. We recommend using [consent.io](https://consent.io) for a fully managed experience, but you can [self-host](/docs/self-host) as well.
+The default mode. Connects to a c15t backend for full consent lifecycle management. We recommend using [inth.com](https://inth.com) for a fully managed experience, but you can [self-host](/docs/self-host) as well.
 
 > ℹ️ **Info:**
 > mode: 'hosted' is the preferred value. The legacy alias mode: 'c15t' is still supported for backward compatibility.

package/docs/concepts/policy-packs.md

@@ -8,7 +8,7 @@ A policy pack is an ordered array of policies. Each policy targets a region or c
 
 There are three ways to configure policy packs:
 
-1. **consent.io (recommended)** — use [consent.io](https://consent.io) as your hosted backend. Configure packs visually in the dashboard or via API — no code changes required. Works with any frontend, including static sites.
+1. **inth.com (recommended)** — use [inth.com](https://inth.com) as your hosted backend. Configure packs visually in the dashboard or via API — no code changes required. Works with any frontend, including static sites.
 2. **Self-hosted backend** — define packs in code via `policyPacks` and resolve them from real request geo data. Full control over policy logic and storage.
 3. **Offline fallback** — pass the same policy shapes to the frontend via `offlinePolicy.policyPacks`. Use this mainly for local development, demos, deterministic testing, or resilience when the backend is temporarily unreachable. If you omit `offlinePolicy.policyPacks`, c15t falls back to a synthetic worldwide opt-in banner instead of no-banner mode.
 

package/docs/iab/overview.md

@@ -15,12 +15,12 @@ When your site participates in the IAB ecosystem (ad exchanges, SSPs, DSPs, DMPs
 
 ## CMP Registration
 
-[consent.io](https://consent.io) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when you use consent.io as your backend, the correct CMP ID will be automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
+[Inth](https://inth.com), c15t's hosted platform, is IAB TCF certified. When you use Inth as your backend with c15t's prebuilt IAB UI, the correct CMP ID is automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
 
-If you self-host the c15t backend and have your own CMP registration with IAB Europe, you can configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. A valid (non-zero) CMP ID is required for IAB TCF compliance.
+If you self-host the c15t backend or want to operate as your own CMP, register your own CMP with IAB Europe and configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. Registering your own CMP may also involve IAB Europe fees, so check IAB Europe's current CMP registration terms and pricing before choosing this route. A valid (non-zero) CMP ID is required for IAB TCF compliance.
 
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components), you cannot use consent.io's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
+> If you heavily customize or build your own IAB banner or dialog instead of using the default IABConsentBanner and IABConsentDialog components, you cannot use Inth's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
 
 ## How c15t Implements TCF
 
@@ -40,17 +40,17 @@ Enable IAB TCF in the runtime options:
 
 ```ts
 import { getOrCreateConsentRuntime } from 'c15t';
+import { iab } from '@c15t/iab';
 
 const { consentStore } = getOrCreateConsentRuntime({
   mode: 'hosted',
   backendURL: 'https://your-instance.c15t.dev',
-  iab: {
-    enabled: true,
+  iab: iab({
     vendors: [1, 2, 10, 25],  // IAB vendor IDs you work with
-    // cmpId is automatically provided by the backend (consent.io).
+    // cmpId is automatically provided by the backend (inth.com).
     // Only set this if you have your own CMP registration with IAB Europe.
     // cmpId: 123,
-  },
+  }),
 });
 ```
 
@@ -91,14 +91,13 @@ window.__tcfapi('getTCData', 2, (tcData, success) => {
 
 ## IAB Configuration Options
 
-The `iab` option on the provider accepts:
+Configure IAB mode with `iab({ ... })` from `@c15t/iab`. The factory enables the addon and injects the runtime module automatically. The user-facing options are:
 
 |Option|Type|Description|
 |--|--|--|
-|`enabled`|`boolean`|Enable IAB TCF mode|
-|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using consent.io. Only set this if you have your own CMP registration.|
+|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using Inth with the prebuilt IAB UI. Only set this if you have your own CMP registration.|
 |`vendors`|`number[]`|IAB vendor IDs that your site works with|
-|`nonIABVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
+|`customVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
 
 ## Key Concepts
 

package/docs/internationalization.md

@@ -10,7 +10,7 @@ There are two ways c15t can load translations: client-side or server-side.
 
 |Server-side|Client-side|
 |--|--|
-|The best way to reduce bundle size and improve performance. We can detect the user's language based on the browser's language settings, allowing for the most accurate translations. By default, when using a [consent.io](https://consent.io) hosted instance, [these languages](https://github.com/c15t/c15t/tree/main/packages/translations/src/translations) are supported.|Bundled with the application allowing for multiple languages to be supported without the need for a backend. The more translations you have, the larger the bundle size will be, which may impact the performance of your application.|
+|The best way to reduce bundle size and improve performance. We can detect the user's language based on the browser's language settings, allowing for the most accurate translations. By default, when using a [inth.com](https://inth.com) hosted instance, [these languages](https://github.com/c15t/c15t/tree/main/packages/translations/src/translations) are supported.|Bundled with the application allowing for multiple languages to be supported without the need for a backend. The more translations you have, the larger the bundle size will be, which may impact the performance of your application.|
 
 ## Basic Configuration
 

package/docs/quickstart.md

@@ -126,10 +126,10 @@ Install c15t agent skills to let AI agents help with styling, i18n, scripts & ot
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc skills`|
-|pnpm|`pnpm dlx @c15t/cli@rc skills`|
-|yarn|`yarn dlx @c15t/cli@rc skills`|
-|bun|`bunx @c15t/cli@rc skills`|
+|npm|`npx @c15t/cli skills`|
+|pnpm|`pnpm dlx @c15t/cli skills`|
+|yarn|`yarn dlx @c15t/cli skills`|
+|bun|`bunx @c15t/cli skills`|
 
 See [AI Agents](/docs/ai-agents) for bundled package docs and agent skills.
 

package/package.json

@@ -1,32 +1,42 @@
 {
 	"name": "c15t",
-	"version": "2.0.0-rc.8",
-	"description": "Developer-first CMP for JavaScript: cookie banner, consent manager, preferences centre. GDPR ready with minimal setup and rich customization",
+	"version": "2.0.4",
+	"description": "Headless cookie banner, consent manager & preference center for JavaScript / TypeScript. GDPR, CCPA, LGPD and IAB TCF compliant.",
 	"keywords": [
-		"nextjs",
 		"consent",
 		"privacy",
 		"gdpr",
 		"ccpa",
 		"lgpd",
-		"server-side rendering",
-		"react",
-		"typescript",
-		"cookie-banner",
-		"consent-management-platform",
+		"tcf",
+		"iab",
 		"cmp",
+		"consent-management",
+		"consent-management-platform",
+		"cookie-banner",
+		"cookie-consent",
+		"cookies",
 		"consent-banner",
-		"user-consent",
-		"privacy-compliance",
-		"web-privacy"
+		"consent-manager",
+		"preference-center",
+		"headless",
+		"javascript",
+		"typescript",
+		"ssr",
+		"server-side-rendering",
+		"tracking-consent",
+		"eu-cookie-law"
 	],
 	"homepage": "https://c15t.com/docs/frameworks/javascript/quickstart",
+	"bugs": {
+		"url": "https://github.com/c15t/c15t/issues"
+	},
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/c15t/c15t.git",
 		"directory": "packages/core"
 	},
-	"license": "GPL-3.0-only",
+	"license": "Apache-2.0",
 	"type": "module",
 	"exports": {
 		".": {
@@ -51,10 +61,10 @@
 		"build:agent-docs": "bun ../../scripts/agent-docs/generate-package-docs.ts c15t",
 		"check-types": "bun prebuild && tsc --noEmit",
 		"check-types:test": "tsc -p tsconfig.test.json",
-		"dev": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs",
+		"dev": "sh -c 'bun prebuild && rslib build --no-dts --no-clean && rslib build --watch --no-dts --no-clean'",
 		"fmt": "bun biome format --write . && bun biome check --formatter-enabled=false --linter-enabled=false --write",
 		"lint": "bun biome lint ./src",
-		"prepack": "cd ../.. && bunx turbo run build --filter=c15t",
+		"prepack": "bun ../../scripts/verify-package-artifacts.ts",
 		"test": "bun prebuild && vitest run",
 		"test:watch": "bun prebuild && vitest"
 	},
@@ -64,12 +74,12 @@
 		"not op_mini all"
 	],
 	"dependencies": {
-		"@c15t/schema": "2.0.0-rc.5",
-		"@c15t/translations": "2.0.0-rc.8",
+		"@c15t/schema": "2.0.1",
+		"@c15t/translations": "2.0.0",
 		"zustand": "5.0.12"
 	},
 	"devDependencies": {
-		"@c15t/typescript-config": "0.0.1-beta.1",
+		"@c15t/typescript-config": "0.0.1",
 		"@c15t/vitest-config": "1.0.0",
 		"genversion": "3.2.0",
 		"vitest-localstorage-mock": "0.1.2"

package/readme.json

@@ -12,7 +12,7 @@
 		"JavaScript or TypeScript project",
 		"Node.js 18.17.0 or later",
 		"npm, pnpm, or yarn package manager",
-		"A hosted [c15t instance](https://consent.io) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)"
+		"A hosted [c15t instance](https://inth.com) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)"
 	],
 	"manualInstallation": [
 		"",