c15t 2.0.0 → 2.0.4

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # c15t
 
+## 2.0.4
+
+### Patch Changes
+
+- 748536a: Refine policy category scope handling.
+- Updated dependencies [748536a]
+  - @c15t/schema@2.0.1
+
 ## 2.0.0
 
 ### Major Changes

package/README.md

@@ -1,14 +1,14 @@
 <p align="center">
-  <a href="https://c15t.com?utm_source=github&utm_medium=repopage_c15t" target="_blank" rel="noopener noreferrer">
+  <a href="https://c15t.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=c15t" target="_blank" rel="noopener noreferrer">
     <picture>
       <source media="(prefers-color-scheme: dark)" srcset="../../docs/assets/c15t-banner-readme-dark.svg" type="image/svg+xml">
       <img src="../../docs/assets/c15t-banner-readme-light.svg" alt="c15t Banner" type="image/svg+xml">
     </picture>
   </a>
-  <br />
-  <h1 align="center">c15t: Developer-First Consent Management Platform</h1>
 </p>
 
+# c15t: Developer-First Consent Management Platform
+
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
@@ -18,7 +18,7 @@
 [![Last Commit](https://img.shields.io/github/last-commit/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/commits/main)
 [![Open Issues](https://img.shields.io/github/issues/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t/issues)
 
-Developer-first CMP for JavaScript: cookie banner, consent manager, preferences centre. GDPR ready with minimal setup and rich customization
+Headless cookie banner, consent manager & preference center for JavaScript / TypeScript. GDPR, CCPA, LGPD and IAB TCF compliant.
 
 ## Key Features
 
@@ -34,18 +34,18 @@ Developer-first CMP for JavaScript: cookie banner, consent manager, preferences
 - JavaScript or TypeScript project
 - Node.js 18.17.0 or later
 - npm, pnpm, or yarn package manager
-- A hosted [c15t instance](https://consent.io) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)
+- A hosted [c15t instance](https://inth.com) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)
 
 ## Quick Start
 
 Easiest setup with @c15t/cli:
 
 ```bash
-# Generate schema and code
-pnpm dlx @c15t/cli generate
+# Set up c15t in your project
+pnpm dlx @c15t/cli setup
 # Alternatives:
-# npx @c15t/cli generate
-# bunx --bun @c15t/cli generate
+# npx @c15t/cli setup
+# bunx --bun @c15t/cli setup
 ```
 
 The CLI will:
@@ -88,24 +88,24 @@ For further information, guides, and examples visit the [reference documentation
 
 - Join our [Discord community](https://c15t.link/discord)
 - Open an issue on our [GitHub repository](https://github.com/c15t/c15t/issues)
-- Visit [consent.io](https://consent.io) and use the chat widget
-- Contact our support team via email [support@consent.io](mailto:support@consent.io)
+- Visit [inth.com](https://inth.com) and use the chat widget
+- Contact our support team via email [support@inth.com](mailto:support@inth.com)
 
 ## Contributing
 
-- We're open to all community contributions!
+- We're open to all community contributions.
 - Read our [Contribution Guidelines](https://c15t.com/docs/oss/contributing)
 - Review our [Code of Conduct](https://c15t.com/docs/oss/code-of-conduct)
 - Fork the repository
 - Create a new branch for your feature
 - Submit a pull request
-- **All contributions, big or small, are welcome and appreciated!**
+- **All contributions, big or small, are welcome and appreciated.**
 
 ## Security
 
 If you believe you have found a security vulnerability in c15t, we encourage you to **_responsibly disclose this and NOT open a public issue_**. We will investigate all legitimate reports.
 
-Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
+Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our open-source software. To do this, please visit [https://github.com/c15t/c15t/security](https://github.com/c15t/c15t/security) and click the "Report a vulnerability" button.
 
 ### Security Policy
 
@@ -120,4 +120,4 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ---
 
-**Built by [Inth](https://inth.com?utm_source=github&utm_medium=repopage_c15t)**
+**Built by [Inth](https://inth.com?utm_source=npm&utm_medium=readme&utm_campaign=oss_readme&utm_content=c15t)**

package/dist/index.cjs

@@ -607,7 +607,7 @@ const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: "2.0.0",
+        version: "2.0.4",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1796,19 +1796,11 @@ function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     if (!filtered.includes('necessary')) filtered.unshift('necessary');
     return filtered;
 }
-function applyPolicyScopeForRuntimeGating(consents, allowedPurposeIds, scopeMode = 'permissive') {
-    if ('strict' === scopeMode) return consents;
-    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return consents;
-    const allowedCategories = new Set([
-        'necessary',
-        ...allowedPurposeIds.filter(isConsentCategory)
-    ]);
-    const next = {
-        ...consents
-    };
-    for (const category of allConsentNames)if (!allowedCategories.has(category)) next[category] = true;
-    next.necessary = true;
-    return next;
+function shouldEnforcePolicyCategoryScope(allowedPurposeIds, scopeMode = 'permissive') {
+    return 'strict' === scopeMode && Array.isArray(allowedPurposeIds) && allowedPurposeIds.length > 0 && !allowedPurposeIds.includes('*');
+}
+function applyPolicyScopeForRuntimeGating(consents, _allowedPurposeIds, _scopeMode = 'permissive') {
+    return consents;
 }
 function getEffectivePolicy(initData) {
     return initData?.policy;
@@ -2811,9 +2803,11 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     if ('all' === type) {
         for (const consent of consentTypes)if (consentCategories.includes(consent.name)) newConsents[consent.name] = true;
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
-    const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
-    const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
-    const requestPreferences = stripDisallowedPreferenceKeys(effectiveConsents, policyCategories);
+    const effectivePolicy = getEffectivePolicy(lastBannerFetchData);
+    const policyCategories = effectivePolicy?.consent?.categories;
+    const shouldEnforcePolicyScope = shouldEnforcePolicyCategoryScope(policyCategories, effectivePolicy?.consent?.scopeMode ?? null);
+    const effectiveConsents = shouldEnforcePolicyScope ? applyPolicyPurposeAllowlist(newConsents, policyCategories) : newConsents;
+    const requestPreferences = shouldEnforcePolicyScope ? stripDisallowedPreferenceKeys(effectiveConsents, policyCategories) : effectiveConsents;
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -3014,8 +3008,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
         update.selectedConsents = autoGrantedConsents;
     }
     const policyCategories = data.policy?.consent?.categories;
-    const hasPolicyCategoryAllowlist = Array.isArray(policyCategories) && policyCategories.length > 0 && !policyCategories.includes('*');
-    if (hasPolicyCategoryAllowlist) {
+    const hasStrictPolicyCategoryAllowlist = shouldEnforcePolicyCategoryScope(policyCategories, data.policy?.consent?.scopeMode ?? null);
+    if (hasStrictPolicyCategoryAllowlist) {
         const uniqueAllowedCategories = filterConsentCategoriesByPolicy(allConsentNames, policyCategories);
         update.consentCategories = uniqueAllowedCategories;
         update.consents = applyPolicyPurposeAllowlist(update.consents ?? get().consents, uniqueAllowedCategories);
@@ -3024,7 +3018,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
     const preselectedCategories = data.policy?.consent?.preselectedCategories;
     const shouldApplyPreselectedCategories = null === consentInfo && !autoGrantedConsents && Array.isArray(preselectedCategories) && preselectedCategories.length > 0;
     if (shouldApplyPreselectedCategories) {
-        const preselectedScope = hasPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(allConsentNames, policyCategories) : allConsentNames;
+        const displayedConsentNames = update.consentCategories ?? get().consentCategories;
+        const preselectedScope = hasStrictPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(displayedConsentNames, policyCategories) : displayedConsentNames;
         const allowedPreselectedCategories = filterConsentCategoriesByPolicy(preselectedScope, preselectedCategories);
         const preselectedSet = new Set(allowedPreselectedCategories);
         const selectedConsentBaseline = update.selectedConsents ?? get().selectedConsents;
@@ -3737,8 +3732,14 @@ const createConsentManagerStore = (manager, options = {})=>{
                     return resetState;
                 });
             },
-            setConsentCategories: (types)=>set({
-                    consentCategories: filterConsentCategoriesByPolicy(types, get().policyCategories)
+            setConsentCategories: (types)=>set(()=>{
+                    const { policyCategories, policyScopeMode } = get();
+                    if (shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode)) return {
+                        consentCategories: filterConsentCategoriesByPolicy(types, policyCategories)
+                    };
+                    return {
+                        consentCategories: Array.from(new Set(types))
+                    };
                 }),
             setCallback: (name, callback)=>{
                 const currentState = get();
@@ -3810,13 +3811,15 @@ const createConsentManagerStore = (manager, options = {})=>{
                 });
             },
             updateConsentCategories: (newCategories)=>{
+                const { consentCategories: currentConsentCategories, policyCategories, policyScopeMode } = get();
                 const allCategoriesSet = new Set([
-                    ...get().consentCategories,
+                    ...currentConsentCategories,
                     ...newCategories
                 ]);
-                const allCategories = filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), get().policyCategories);
+                let consentCategories;
+                consentCategories = shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode) ? filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), policyCategories) : Array.from(allCategoriesSet);
                 set({
-                    consentCategories: allCategories
+                    consentCategories
                 });
             },
             identifyUser: async (user)=>{
@@ -4070,7 +4073,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || "2.0.0",
+                version: pkgInfo?.version || "2.0.4",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist/index.js

@@ -531,7 +531,7 @@ const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: "2.0.0",
+        version: "2.0.4",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1720,19 +1720,11 @@ function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     if (!filtered.includes('necessary')) filtered.unshift('necessary');
     return filtered;
 }
-function applyPolicyScopeForRuntimeGating(consents, allowedPurposeIds, scopeMode = 'permissive') {
-    if ('strict' === scopeMode) return consents;
-    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return consents;
-    const allowedCategories = new Set([
-        'necessary',
-        ...allowedPurposeIds.filter(isConsentCategory)
-    ]);
-    const next = {
-        ...consents
-    };
-    for (const category of allConsentNames)if (!allowedCategories.has(category)) next[category] = true;
-    next.necessary = true;
-    return next;
+function shouldEnforcePolicyCategoryScope(allowedPurposeIds, scopeMode = 'permissive') {
+    return 'strict' === scopeMode && Array.isArray(allowedPurposeIds) && allowedPurposeIds.length > 0 && !allowedPurposeIds.includes('*');
+}
+function applyPolicyScopeForRuntimeGating(consents, _allowedPurposeIds, _scopeMode = 'permissive') {
+    return consents;
 }
 function getEffectivePolicy(initData) {
     return initData?.policy;
@@ -2734,9 +2726,11 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     if ('all' === type) {
         for (const consent of consentTypes)if (consentCategories.includes(consent.name)) newConsents[consent.name] = true;
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
-    const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
-    const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
-    const requestPreferences = stripDisallowedPreferenceKeys(effectiveConsents, policyCategories);
+    const effectivePolicy = getEffectivePolicy(lastBannerFetchData);
+    const policyCategories = effectivePolicy?.consent?.categories;
+    const shouldEnforcePolicyScope = shouldEnforcePolicyCategoryScope(policyCategories, effectivePolicy?.consent?.scopeMode ?? null);
+    const effectiveConsents = shouldEnforcePolicyScope ? applyPolicyPurposeAllowlist(newConsents, policyCategories) : newConsents;
+    const requestPreferences = shouldEnforcePolicyScope ? stripDisallowedPreferenceKeys(effectiveConsents, policyCategories) : effectiveConsents;
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -2937,8 +2931,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
         update.selectedConsents = autoGrantedConsents;
     }
     const policyCategories = data.policy?.consent?.categories;
-    const hasPolicyCategoryAllowlist = Array.isArray(policyCategories) && policyCategories.length > 0 && !policyCategories.includes('*');
-    if (hasPolicyCategoryAllowlist) {
+    const hasStrictPolicyCategoryAllowlist = shouldEnforcePolicyCategoryScope(policyCategories, data.policy?.consent?.scopeMode ?? null);
+    if (hasStrictPolicyCategoryAllowlist) {
         const uniqueAllowedCategories = filterConsentCategoriesByPolicy(allConsentNames, policyCategories);
         update.consentCategories = uniqueAllowedCategories;
         update.consents = applyPolicyPurposeAllowlist(update.consents ?? get().consents, uniqueAllowedCategories);
@@ -2947,7 +2941,8 @@ function buildStoreUpdate(data, config, effectiveIABEnabled, initSourceMetadata)
     const preselectedCategories = data.policy?.consent?.preselectedCategories;
     const shouldApplyPreselectedCategories = null === consentInfo && !autoGrantedConsents && Array.isArray(preselectedCategories) && preselectedCategories.length > 0;
     if (shouldApplyPreselectedCategories) {
-        const preselectedScope = hasPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(allConsentNames, policyCategories) : allConsentNames;
+        const displayedConsentNames = update.consentCategories ?? get().consentCategories;
+        const preselectedScope = hasStrictPolicyCategoryAllowlist ? filterConsentCategoriesByPolicy(displayedConsentNames, policyCategories) : displayedConsentNames;
         const allowedPreselectedCategories = filterConsentCategoriesByPolicy(preselectedScope, preselectedCategories);
         const preselectedSet = new Set(allowedPreselectedCategories);
         const selectedConsentBaseline = update.selectedConsents ?? get().selectedConsents;
@@ -3660,8 +3655,14 @@ const createConsentManagerStore = (manager, options = {})=>{
                     return resetState;
                 });
             },
-            setConsentCategories: (types)=>set({
-                    consentCategories: filterConsentCategoriesByPolicy(types, get().policyCategories)
+            setConsentCategories: (types)=>set(()=>{
+                    const { policyCategories, policyScopeMode } = get();
+                    if (shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode)) return {
+                        consentCategories: filterConsentCategoriesByPolicy(types, policyCategories)
+                    };
+                    return {
+                        consentCategories: Array.from(new Set(types))
+                    };
                 }),
             setCallback: (name, callback)=>{
                 const currentState = get();
@@ -3733,13 +3734,15 @@ const createConsentManagerStore = (manager, options = {})=>{
                 });
             },
             updateConsentCategories: (newCategories)=>{
+                const { consentCategories: currentConsentCategories, policyCategories, policyScopeMode } = get();
                 const allCategoriesSet = new Set([
-                    ...get().consentCategories,
+                    ...currentConsentCategories,
                     ...newCategories
                 ]);
-                const allCategories = filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), get().policyCategories);
+                let consentCategories;
+                consentCategories = shouldEnforcePolicyCategoryScope(policyCategories, policyScopeMode) ? filterConsentCategoriesByPolicy(Array.from(allCategoriesSet), policyCategories) : Array.from(allCategoriesSet);
                 set({
-                    consentCategories: allCategories
+                    consentCategories
                 });
             },
             identifyUser: async (user)=>{
@@ -3993,7 +3996,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || "2.0.0",
+                version: pkgInfo?.version || "2.0.4",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist-types/client/hosted/init.d.ts

@@ -5,7 +5,7 @@ import type { IABFallbackConfig } from './types';
 /**
  * Provides offline mode fallback for showConsentBanner API.
  * Simulates the behavior of OfflineClient when API requests fail.
- * In fallback mode, fetches GVL from gvl.consent.io when IAB is enabled.
+ * In fallback mode, fetches GVL from gvl.inth.app when IAB is enabled.
  * @internal
  */
 export declare function offlineFallbackForConsentBanner(options?: FetchOptions<InitResponse>, iabConfig?: IABFallbackConfig): Promise<ResponseContext<InitResponse>>;

package/dist-types/client/hosted/types.d.ts

@@ -59,7 +59,7 @@ export interface C15tInternalClientOptions {
     /**
      * IAB configuration for offline/fallback mode.
      * When the backend is unavailable and IAB is enabled,
-     * the client will fetch GVL from gvl.consent.io with these settings.
+     * the client will fetch GVL from gvl.inth.app with these settings.
      */
     iabConfig?: IABFallbackConfig;
 }

package/dist-types/client/offline/types.d.ts

@@ -6,7 +6,7 @@ import type { IABFallbackConfig } from '../hosted/types';
 export interface OfflineClientOptions {
     /**
      * IAB configuration for offline mode.
-     * When IAB is enabled, the client will fetch GVL from gvl.consent.io.
+     * When IAB is enabled, the client will fetch GVL from gvl.inth.app.
      */
     iabConfig?: IABFallbackConfig;
     /**

package/dist-types/libs/iab-tcf/types.d.ts

@@ -137,7 +137,7 @@ export type IABManager = IABState & IABActions;
  * @internal
  */
 export interface CMPApiConfig {
-    /** CMP ID registered with IAB Europe. Provided by the backend (consent.io) or client config. */
+    /** CMP ID registered with IAB Europe. Provided by the backend (inth.com) or client config. */
     cmpId?: number;
     /** CMP version (default: package version from ~/cmp-defaults) */
     cmpVersion?: number | string;
@@ -216,7 +216,7 @@ export interface IABConfig {
      * Enable IAB TCF 2.3 mode.
      *
      * When enabled, c15t will:
-     * - Fetch GVL from gvl.consent.io
+     * - Fetch GVL from gvl.inth.app
      * - Initialize __tcfapi CMP API
      * - Generate TC Strings for IAB compliance
      *
@@ -236,7 +236,7 @@ export interface IABConfig {
     /**
      * CMP ID registered with IAB Europe.
      *
-     * When using consent.io as the backend, this is automatically provided
+     * When using inth.com as the backend, this is automatically provided
      * via the `/init` endpoint — no client-side configuration needed.
      *
      * Only set this if you self-host and have your own CMP registration.
@@ -325,4 +325,4 @@ export declare const IAB_STORAGE_KEYS: {
  *
  * @internal
  */
-export declare const GVL_ENDPOINT = "https://gvl.consent.io";
+export declare const GVL_ENDPOINT = "https://gvl.inth.app";

package/dist-types/libs/policy.d.ts

@@ -40,12 +40,15 @@ export declare function stripDisallowedPreferenceKeys<T extends Record<string, b
  */
 export declare function filterConsentCategoriesByPolicy(categories: AllConsentNames[], allowedPurposeIds?: string[] | null): AllConsentNames[];
 /**
- * Applies policy scope to runtime gating behavior.
- *
- * Out-of-policy categories are treated as permissive by c15t runtime and are
- * therefore granted for gating decisions (scripts/iframes load normally).
+ * Returns whether policy category scope should be enforced as a hard allowlist.
+ */
+export declare function shouldEnforcePolicyCategoryScope(allowedPurposeIds?: string[] | null, scopeMode?: 'strict' | 'permissive' | null): boolean;
+/**
+ * @deprecated No-op retained for API compatibility. Runtime gating respects
+ * the current consent state directly; policy scope is enforced at category
+ * discovery, render, and save time instead.
  */
-export declare function applyPolicyScopeForRuntimeGating(consents: ConsentState, allowedPurposeIds?: string[] | null, scopeMode?: 'strict' | 'permissive' | null): ConsentState;
+export declare function applyPolicyScopeForRuntimeGating(consents: ConsentState, _allowedPurposeIds?: string[] | null, _scopeMode?: 'strict' | 'permissive' | null): ConsentState;
 /**
  * Gets the runtime policy returned by /init, if present.
  */

package/dist-types/store/type.d.ts

@@ -245,7 +245,7 @@ export interface SSRInitialData {
     /**
      * Global Vendor List data for IAB TCF mode.
      * - `undefined` means IAB is not active for the request or not enabled on server
-     * - `null` means the user is in a non-IAB region (204 response from gvl.consent.io)
+     * - `null` means the user is in a non-IAB region (204 response from gvl.inth.app)
      * - `GlobalVendorList` contains the vendor list data from init response
      *
      * Note: When init returns 200 without gvl, client IAB settings are overridden to disabled.
@@ -469,7 +469,7 @@ export interface StoreOptions extends Partial<StoreConfig> {
      * Note: If the server returns 200 without GVL, client IAB settings are
      * automatically overridden to disabled (server takes precedence).
      *
-     * In offline/fallback mode, GVL is fetched from gvl.consent.io.
+     * In offline/fallback mode, GVL is fetched from gvl.inth.app.
      *
      * This is an opt-in feature with zero bundle impact when not enabled.
      *

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0";
+export declare const version = "2.0.4";

package/docs/ai-agents.md

@@ -0,0 +1,111 @@
+---
+title: AI Agents
+description: Integrate c15t with AI coding assistants using the docs bundled in each package and c15t agent skills. Give agents version-matched local docs for consent management, banners, script loading, callbacks, and integrations.
+lastModified: 2026-03-24
+---
+## Bundled Docs
+
+Every supported c15t package now ships docs inside the installed package itself.
+
+### Where to find them
+
+* `node_modules/c15t/docs/README.md`
+* `node_modules/@c15t/react/docs/README.md`
+* `node_modules/@c15t/nextjs/docs/README.md`
+* `node_modules/@c15t/backend/docs/README.md`
+
+Start with the package `README.md`, then follow its linked pages for the relevant workflow.
+
+These docs are version-matched to the exact c15t package version in your project, including generated reference content like prop and type tables.
+
+### Why use them
+
+If your app uses multiple c15t packages, use the docs from each relevant installed package instead of relying on stale model knowledge.
+
+### Agent philosophy
+
+When an AI tool is helping with c15t behavior, it should read the installed c15t docs first and use model knowledge second. That keeps consent flows, script gating, banner behavior, and integrations aligned with the exact version you have installed.
+
+### Customization ladder for agents
+
+When an agent is working on consent UI, it should choose the lowest-power tool that solves the task:
+
+1. Start with the pre-built component and its existing props or provider options
+2. Use `theme` tokens for semantic visual changes
+3. Use `theme.slots` for targeted styling of specific parts
+4. Use CSS variables or className-level overrides only when integrating with external styles
+5. Use compound components only when the markup order must change
+6. Use `noStyle` only when c15t structure is still correct but all styling must be replaced
+7. Use headless hooks only when markup and behavior both need to be rebuilt
+
+For common tasks:
+
+* Banner footer background -> `theme.colors.surfaceHover`
+* Banner card background -> `theme.colors.surface`
+* Banner card/footer/title tweaks -> banner slots
+* Stock action styling -> `theme.consentActions`
+* Copy changes -> `ConsentManagerProvider.options.i18n`
+
+If a token appears not to work, the agent should verify the token-to-component mapping before suggesting CSS overrides, `!important`, `noStyle`, or headless mode.
+
+***
+
+## Agent Skills
+
+c15t publishes agent skills that give AI coding assistants deep knowledge of c15t's APIs, components, and configuration. Skills are reusable workflows and tool-specific guidance, not version-matched local docs.
+
+### Installation
+
+Via the c15t CLI:
+
+|Package manager|Command|
+|:--|:--|
+|npm|`npx @c15t/cli install-skills`|
+|pnpm|`pnpm dlx @c15t/cli install-skills`|
+|yarn|`yarn dlx @c15t/cli install-skills`|
+|bun|`bunx @c15t/cli install-skills`|
+
+Or directly:
+
+|Package manager|Command|
+|:--|:--|
+|npm|`npx skills add c15t/skills`|
+|pnpm|`pnpm dlx skills add c15t/skills`|
+|yarn|`yarn dlx skills add c15t/skills`|
+|bun|`bunx skills add c15t/skills`|
+
+### What skills provide
+
+* **Styling customization** — strict escalation guidance across props, tokens, slots, CSS variables, compound components, `noStyle`, and headless
+* **Internationalization** — translation setup, locale routing integration
+* **Script management** — configuring third-party scripts with consent categories
+* **Component setup** — ConsentBanner, ConsentDialog, provider configuration
+
+### Supported tools
+
+* Claude Code
+* Cursor
+* GitHub Copilot (via `.github/skills`)
+* Any agent that supports the skills format
+
+***
+
+## When to use which
+
+Use bundled docs when:
+
+* Your agent can read files in the local project
+* You want version-matched docs from the installed c15t packages
+* You want a package-local README that tells the agent which detailed docs to read first
+* You want concrete guidance for consent management, cookie banners, consent dialogs, preference centers, script loading, callbacks, and integrations
+
+Use agent skills when:
+
+* Your tool supports the skills ecosystem
+* You want reusable workflows and tool-specific guidance that can point back to the installed package README files
+
+Use both when:
+
+* Your tool supports both local file context and skills
+* You want local package docs plus reusable setup and configuration help
+* You want the bundled package docs as the source of truth plus a reusable decision tree for customization

package/docs/iab/overview.md

@@ -15,12 +15,12 @@ When your site participates in the IAB ecosystem (ad exchanges, SSPs, DSPs, DMPs
 
 ## CMP Registration
 
-[inth.com](https://inth.com) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when you use inth.com as your backend, the correct CMP ID will be automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
+[Inth](https://inth.com), c15t's hosted platform, is IAB TCF certified. When you use Inth as your backend with c15t's prebuilt IAB UI, the correct CMP ID is automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
 
-If you self-host the c15t backend and have your own CMP registration with IAB Europe, you can configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. A valid (non-zero) CMP ID is required for IAB TCF compliance.
+If you self-host the c15t backend or want to operate as your own CMP, register your own CMP with IAB Europe and configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. Registering your own CMP may also involve IAB Europe fees, so check IAB Europe's current CMP registration terms and pricing before choosing this route. A valid (non-zero) CMP ID is required for IAB TCF compliance.
 
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components), you cannot use inth.com's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
+> If you heavily customize or build your own IAB banner or dialog instead of using the default IABConsentBanner and IABConsentDialog components, you cannot use Inth's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
 
 ## How c15t Implements TCF
 
@@ -95,7 +95,7 @@ Configure IAB mode with `iab({ ... })` from `@c15t/iab`. The factory enables the
 
 |Option|Type|Description|
 |--|--|--|
-|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using inth.com. Only set this if you have your own CMP registration.|
+|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using Inth with the prebuilt IAB UI. Only set this if you have your own CMP registration.|
 |`vendors`|`number[]`|IAB vendor IDs that your site works with|
 |`customVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
 

package/package.json

@@ -1,26 +1,36 @@
 {
 	"name": "c15t",
-	"version": "2.0.0",
-	"description": "Developer-first CMP for JavaScript: cookie banner, consent manager, preferences centre. GDPR ready with minimal setup and rich customization",
+	"version": "2.0.4",
+	"description": "Headless cookie banner, consent manager & preference center for JavaScript / TypeScript. GDPR, CCPA, LGPD and IAB TCF compliant.",
 	"keywords": [
-		"nextjs",
 		"consent",
 		"privacy",
 		"gdpr",
 		"ccpa",
 		"lgpd",
-		"server-side rendering",
-		"react",
-		"typescript",
-		"cookie-banner",
-		"consent-management-platform",
+		"tcf",
+		"iab",
 		"cmp",
+		"consent-management",
+		"consent-management-platform",
+		"cookie-banner",
+		"cookie-consent",
+		"cookies",
 		"consent-banner",
-		"user-consent",
-		"privacy-compliance",
-		"web-privacy"
+		"consent-manager",
+		"preference-center",
+		"headless",
+		"javascript",
+		"typescript",
+		"ssr",
+		"server-side-rendering",
+		"tracking-consent",
+		"eu-cookie-law"
 	],
 	"homepage": "https://c15t.com/docs/frameworks/javascript/quickstart",
+	"bugs": {
+		"url": "https://github.com/c15t/c15t/issues"
+	},
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/c15t/c15t.git",
@@ -51,10 +61,10 @@
 		"build:agent-docs": "bun ../../scripts/agent-docs/generate-package-docs.ts c15t",
 		"check-types": "bun prebuild && tsc --noEmit",
 		"check-types:test": "tsc -p tsconfig.test.json",
-		"dev": "bun prebuild && rslib build && bun ../../scripts/normalize-dist-types.mjs",
+		"dev": "sh -c 'bun prebuild && rslib build --no-dts --no-clean && rslib build --watch --no-dts --no-clean'",
 		"fmt": "bun biome format --write . && bun biome check --formatter-enabled=false --linter-enabled=false --write",
 		"lint": "bun biome lint ./src",
-		"prepack": "cd ../.. && bunx turbo run build --filter=c15t",
+		"prepack": "bun ../../scripts/verify-package-artifacts.ts",
 		"test": "bun prebuild && vitest run",
 		"test:watch": "bun prebuild && vitest"
 	},
@@ -64,7 +74,7 @@
 		"not op_mini all"
 	],
 	"dependencies": {
-		"@c15t/schema": "2.0.0",
+		"@c15t/schema": "2.0.1",
 		"@c15t/translations": "2.0.0",
 		"zustand": "5.0.12"
 	},

package/readme.json

@@ -12,7 +12,7 @@
 		"JavaScript or TypeScript project",
 		"Node.js 18.17.0 or later",
 		"npm, pnpm, or yarn package manager",
-		"A hosted [c15t instance](https://consent.io) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)"
+		"A hosted [c15t instance](https://inth.com) (free sign-up) or [self-hosted deployment](https://c15t.com/docs/self-host/v2)"
 	],
 	"manualInstallation": [
 		"",