c15t 2.0.0 → 2.1.0

package/docs/integrations/overview.md

@@ -1,105 +1,100 @@
 ---
 title: Integrations
-description: "Many of your tools may require consent to be given before they can be used. This is especially true for analytics and marketing tools. \nc15t has various ways to integrate with your tools, depending on the tool you are using."
-lastModified: 2026-04-10
+description: "Load analytics, pixels, tag managers, and widgets through c15t so consent state controls when they run, update, and appear in your consent UI."
+lastModified: 2026-05-12
 
 ---
-c15t supports two integration styles:
+Third-party tools are easy to paste into app code, but consent makes them part
+of your privacy runtime. Analytics SDKs, ad pixels, tag managers, and chat
+widgets can load remote code, store identifiers, send events, and keep running
+after the first page view.
 
-* use a prebuilt helper from `@c15t/scripts`
-* build your own script or manifest-backed helper
+> ℹ️ **Info:**
+> Put consent-sensitive vendor tools in c15t instead of scattering script tags across your codebase. c15t becomes the place that decides when they can load, when they must stop, and which consent categories your UI needs to show.
 
-If you are building something reusable or contributing to `@c15t/scripts`, start with the [custom integration guide](/docs/integrations/building-integrations).
+## Why Manage Tools In c15t
 
-## General Pattern
+When you install a vendor directly in your app, your consent logic has to chase
+that vendor everywhere it appears: page layouts, route handlers, event helpers,
+tag-manager snippets, and cleanup code.
 
-Every integration provides a script configuration function. Pass it to your framework's setup:
+Register the vendor with c15t instead. The integration becomes a declarative
+`Script` that the consent runtime can reason about:
 
-**JavaScript**
+* c15t registers the tool with the runtime and evaluates it against the current
+  consent state;
+* c15t automatically adds the tool's consent category to the active categories,
+  so GDPR-style consent UIs include `measurement`, `marketing`, or
+  `functionality` when an enabled integration needs them;
+* c15t blocks the script until consent is granted, or loads it with denied
+  defaults when the vendor has its own consent mode;
+* c15t handles revocation by unloading the script or calling the vendor's
+  consent API;
+* c15t runs vendor setup in the right order, including queue stubs, global
+  functions, data attributes, default page-view events, and consent updates.
 
-```ts
-import { getOrCreateConsentRuntime } from 'c15t';
-import { yourScript } from '@c15t/scripts/your-script';
+That gives your app one consent lifecycle instead of many scattered vendor
+lifecycles.
 
-getOrCreateConsentRuntime({
-  mode: 'hosted',
-  scripts: [
-    yourScript({ /* options */ }),
-  ],
-});
-```
+## Built-In Helpers
 
-**React**
+c15t ships prebuilt helpers in
+[`@c15t/scripts`](https://www.npmjs.com/package/@c15t/scripts) for the
+third-party tools developers integrate most often. Prefer them over copied
+vendor snippets whenever c15t already supports the vendor.
 
-```tsx
-import { yourScript } from '@c15t/scripts/your-script';
-import { ConsentManagerProvider } from '@c15t/react';
+Every helper returns a regular `Script` object, so it works anywhere the c15t
+[script loader](/docs/frameworks/javascript/script-loader) accepts scripts. You
+usually choose the helper, provide the vendor ID, and pass the result to your
+provider's `scripts` option. The vendor page explains anything else that still
+matters, such as custom events, region settings, privacy modes, or ecommerce
+payloads.
 
-export function App({ children }: { children: React.ReactNode }) {
-  return (
-    <ConsentManagerProvider
-      options={{
-        scripts: [
-          yourScript({ /* options */ }),
-        ],
-      }}
-    >
-      {children}
-    </ConsentManagerProvider>
-  );
-}
-```
+## Choose An Integration Style
 
-**Next.js**
+Most apps mix more than one style. Pick the smallest one that keeps consent behavior obvious.
 
-```tsx
-import { yourScript } from '@c15t/scripts/your-script';
-import { ConsentManagerProvider } from '@c15t/nextjs';
+|Style|Use when|
+|--|--|
+|**Built-in helper** from `@c15t/scripts`|The vendor is listed below — start here.|
+|**Plain `Script`**|One-off app code with simple load and callback behavior.|
+|**Manifest-backed helper**|Reusable vendor integration with structured setup phases, queues, stubs, or a vendor consent API.|
+|**Iframe / renderable integration**|Vendor exposes an iframe or React component, not just a script tag.|
 
-export function App({ children }: { children: React.ReactNode }) {
-  return (
-    <ConsentManagerProvider
-      options={{
-        scripts: [
-          yourScript({ /* options */ }),
-        ],
-      }}
-    >
-      {children}
-    </ConsentManagerProvider>
-  );
-}
-```
+Setup is the same shape in every framework: import the helper, call it with vendor options, and pass the result to the consent runtime through your provider's `scripts` option. See the framework guides for end-to-end snippets — [JavaScript](/docs/frameworks/javascript/script-loader), [React](/docs/frameworks/react/script-loader), [Next.js](/docs/frameworks/next/script-loader).
 
-## Script Loader
+## Analytics
 
-Many marketing and analytics tools are commonly loaded using a script tag, such as Google Tag Manager (GTM), Google Tag (gtag.js), Meta Pixel and TikTok Pixel.
+Analytics integrations usually require `measurement` consent. Some vendors can run in a consent-aware or cookieless mode; others should stay fully blocked until measurement consent is granted.
 
-c15t's script loader allows you to easily integrate your tools that require consent with c15t. The prebuilt integrations in `@c15t/scripts` are the recommended starting point, and the custom integration guide explains how to build your own when you need something more specialized.
+## Functional
 
-* [JavaScript](/docs/frameworks/javascript/script-loader)
-* [React](/docs/frameworks/react/script-loader)
-* [Next.js](/docs/frameworks/next/script-loader)
+Functional integrations usually require `functionality` consent. They add optional user-facing capabilities, such as chat widgets, that should only run after the user allows them.
 
-## Building Your Own
+## Ads & Pixels
 
-If you need a vendor we do not ship yet:
+Advertising pixels usually require `marketing` consent. Many of them need startup stubs so events can be queued safely before the remote SDK loads — built-in helpers handle this for you.
 
-* build a one-off `Script` directly in your app for simple cases
-* build a reusable manifest-backed helper for shared or package-level integrations
+## Tag Managers
 
-Read the [custom integration guide](/docs/integrations/building-integrations) for the manifest phases, structured step model, testing checklist, and devtools debugging flow.
+Tag managers can load other scripts, so they deserve extra care. Prefer vendor consent modes and denied defaults before any tags are allowed to run.
 
-## has() method
+## Build Your Own
 
-The `has()` method allows you to check if the user has given consent for a specific purpose. You can learn more about the `has()` method [here](/docs/frameworks/javascript/store/checking-consent).
+If c15t does not ship the vendor you need, drop down a level:
 
-```ts
+* build a one-off `Script` directly in your app for simple cases,
+* build a reusable manifest-backed helper for shared or package-level integrations,
+* or combine the script loader with iframe gating for visible media and widget integrations.
 
+### Build a Custom Integration
 
-const hasAnalytics = has('measurement');
+Learn when to use a raw `Script`, when to use a manifest, and how to debug and test custom integrations.
 
-if (hasAnalytics) {
-  myAnalyticsLibrary.track('checkout_completed');
-}
-```
+[Read the guide →](/docs/integrations/building-integrations)
+
+## Where To Next
+
+* Read the script loader guide for your framework: [JavaScript](/docs/frameworks/javascript/script-loader), [React](/docs/frameworks/react/script-loader), [Next.js](/docs/frameworks/next/script-loader).
+* See the [iframe blocking](/docs/frameworks/react/iframe-blocking) pattern for visible embeds (YouTube, maps, calendars).
+* Use [`has()`](/docs/frameworks/javascript/store/checking-consent) to conditionally run app code based on consent state.

package/docs/integrations/plausible-analytics.md

@@ -0,0 +1,237 @@
+---
+title: Plausible Analytics
+description: Privacy-friendly cookieless analytics with a prebuilt helper that preserves Plausible's queue bootstrap and loader attributes.
+lastModified: 2026-05-10
+icon: plausible
+---
+Plausible Analytics is a privacy-friendly, cookieless analytics product with a lightweight script loader. The `plausibleAnalytics()` helper models Plausible's queue bootstrap and script attributes as a c15t-managed script so early `window.plausible(...)` calls are buffered safely until the tracker loads.
+
+## Integrate with c15t
+
+**React**
+
+```tsx
+import { type ReactNode } from 'react';
+import { ConsentManagerProvider } from '@c15t/react';
+import { plausibleAnalytics } from '@c15t/scripts/plausible-analytics';
+
+const scripts = [plausibleAnalytics({ domain: 'example.com' })];
+
+export function ConsentProvider({ children }: { children: ReactNode }) {
+  return (
+    <ConsentManagerProvider
+      options={{
+        mode: 'hosted',
+        backendURL: 'https://your-instance.c15t.dev',
+        scripts,
+      }}
+    >
+      {children}
+    </ConsentManagerProvider>
+  );
+}
+```
+
+**Next.js**
+
+```tsx
+'use client';
+
+import { type ReactNode } from 'react';
+import { ConsentManagerProvider } from '@c15t/nextjs';
+import { plausibleAnalytics } from '@c15t/scripts/plausible-analytics';
+
+const scripts = [plausibleAnalytics({ domain: 'example.com' })];
+
+export function ConsentProvider({ children }: { children: ReactNode }) {
+  return (
+    <ConsentManagerProvider
+      options={{
+        mode: 'hosted',
+        backendURL: '/api/c15t',
+        scripts,
+      }}
+    >
+      {children}
+    </ConsentManagerProvider>
+  );
+}
+```
+
+**JavaScript**
+
+```ts
+import { getOrCreateConsentRuntime } from 'c15t';
+import { plausibleAnalytics } from '@c15t/scripts/plausible-analytics';
+
+getOrCreateConsentRuntime({
+  mode: 'hosted',
+  backendURL: 'https://your-instance.c15t.dev',
+  scripts: [plausibleAnalytics({ domain: 'example.com' })],
+});
+```
+
+## How c15t loads it
+
+* **Category:** `measurement` (Analytics)
+* **Loads when:** measurement consent is granted
+* **On revocation:** unloaded — c15t removes the script element from the DOM. Plausible is cookieless, so no client-side state needs clearing.
+
+If you need script extensions or hash-based routing support, pass them through the helper:
+
+```ts
+plausibleAnalytics({
+  domain: 'example.com',
+  extension: ['file-downloads', 'outbound-links'],
+  hashBasedRouting: true,
+})
+```
+
+The helper seeds a `window.plausible` queue stub during `onBeforeLoad`, so any calls made between the consent grant and the real script attaching get buffered into `plausible.q` and replayed. It also maps the legacy `data-domain` / `data-api` attributes and the new `scriptId`-based loader URL automatically.
+
+## Tracking events in your app
+
+c15t gates the Plausible script from loading until `measurement` consent is granted. Your application code that calls Plausible is **not** automatically gated — `window.plausible` does not exist until the script is loaded, so unguarded calls before consent throw.
+
+Guard event calls by checking consent state. From React:
+
+```tsx
+import { useCallback } from 'react';
+import { useConsentManager } from '@c15t/react';
+
+function useTrackSignup() {
+  const { has } = useConsentManager();
+
+  return useCallback(() => {
+    if (has('measurement')) {
+      window.plausible?.('Signup');
+    }
+  }, [has]);
+}
+
+function SignupButton() {
+  const trackSignup = useTrackSignup();
+
+  return (
+    <button type="button" onClick={trackSignup}>
+      Sign up
+    </button>
+  );
+}
+```
+
+From plain JavaScript:
+
+```ts
+import { getOrCreateConsentRuntime } from 'c15t';
+
+const { consentStore } = getOrCreateConsentRuntime();
+
+if (consentStore.getState().has('measurement')) {
+  window.plausible?.('Signup');
+}
+```
+
+## Types
+
+### PlausibleAnalyticsOptions
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|scriptId|string \|undefined|Unique Plausible script ID for the new script format.|-|Optional|
+|domain|string \|undefined|Legacy domain-based site identifier.|-|Optional|
+|extension|PlausibleExtension \|undefined|Legacy script extensions.|-|Optional|
+|customProperties|Record\<string, unknown> \|undefined|Properties tracked with each pageview.|-|Optional|
+|endpoint|string \|undefined|Custom tracking endpoint.|-|Optional|
+|fileDownloads|Object \|undefined|File download tracking configuration.|-|Optional|
+|hashBasedRouting|boolean \|undefined|Enable hash-based routing support.|-|Optional|
+|autoCapturePageviews|boolean \|undefined|Disable automatic pageview capture when set to \`false\`.|-|Optional|
+|captureOnLocalhost|boolean \|undefined|Enable tracking on localhost.|-|Optional|
+|scriptUrl|string \|undefined|Custom loader URL.|-|Optional|
+
+#### `fileDownloads`
+
+File download tracking configuration.
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|fileExtensions|string\[] \|undefined|-|-|Optional|
+
+### Script
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|Unique identifier for the script|-|✅ Required|
+|src|string \|undefined|URL of the script to load|-|Optional|
+|textContent|string \|undefined|Inline JavaScript code to execute|-|Optional|
+|category|HasCondition\<AllConsentNames>|Consent category or condition required to load this script|-|✅ Required|
+|callbackOnly|boolean \|undefined|Whether this is a callback-only script that doesn't need to load an external resource. When true, no script tag will be added to the DOM, only callbacks will be executed.|false|Optional|
+|persistAfterConsentRevoked|boolean \|undefined|Whether the script should persist after consent is revoked.|false|Optional|
+|alwaysLoad|boolean \|undefined|Whether the script should always load regardless of consent state. This is useful for scripts like Google Tag Manager or PostHog that manage their own consent state internally. The script will load immediately and never be unloaded based on consent changes. Note: When using this option, you are responsible for ensuring the script itself respects user consent preferences through its own consent management.|false|Optional|
+|fetchPriority|"high" \|"low" \|"auto" \|undefined|Priority hint for browser resource loading|-|Optional|
+|attributes|Record\<string, string> \|undefined|Additional attributes to add to the script element|-|Optional|
+|async|boolean \|undefined|Whether to use async loading|-|Optional|
+|defer|boolean \|undefined|Whether to defer script loading|-|Optional|
+|nonce|string \|undefined|Content Security Policy nonce|-|Optional|
+|anonymizeId|boolean \|undefined|Whether to use an anonymized ID for the script element, this helps ensure the script is not blocked by ad blockers|true|Optional|
+|target|"head" \|"body" \|undefined|Where to inject the script element in the DOM. Options: \`'head'\`: Scripts are appended to \`\<head>\` (default); \`'body'\`: Scripts are appended to \`\<body>\`|'head'|Optional|
+|onBeforeLoad|Object \|undefined|Callback executed before the script is loaded|-|Optional|
+|onLoad|Object \|undefined|Callback executed when the script loads successfully|-|Optional|
+|onError|Object \|undefined|Callback executed if the script fails to load|-|Optional|
+|onConsentChange|Object \|undefined|Callback executed whenever the consent store is changed. This callback only applies to scripts already loaded.|-|Optional|
+|vendorId|string \|number \|undefined|IAB TCF vendor ID - links script to a registered vendor. When in IAB mode, the script will only load if this vendor has consent. Takes precedence over \`category\` when in IAB mode. Use custom vendor IDs (string or number) to gate non-IAB vendors too.|-|Optional|
+|iabPurposes|number\[] \|undefined|IAB TCF purpose IDs this script requires consent for. When in IAB mode and no vendorId is set, the script will only load if ALL specified purposes have consent.|-|Optional|
+|iabLegIntPurposes|number\[] \|undefined|IAB TCF legitimate interest purpose IDs. These purposes can operate under legitimate interest instead of consent. The script loads if all iabPurposes have consent OR all iabLegIntPurposes have legitimate interest established.|-|Optional|
+|iabSpecialFeatures|number\[] \|undefined|IAB TCF special feature IDs this script requires. Options: 1: Use precise geolocation data; 2: Actively scan device characteristics for identification|-|Optional|
+
+#### `onBeforeLoad`
+
+Callback executed before the script is loaded
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onLoad`
+
+Callback executed when the script loads successfully
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onError`
+
+Callback executed if the script fails to load
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|
+
+#### `onConsentChange`
+
+Callback executed whenever the consent store is changed. This callback only applies to scripts already loaded.
+
+|Property|Type|Description|Default|Required|
+|:--|:--|:--|:--|:--:|
+|id|string|The original script ID|-|✅ Required|
+|elementId|string|The actual DOM element ID used (anonymized if enabled)|-|✅ Required|
+|hasConsent|boolean|Has consent|-|✅ Required|
+|consents|ConsentState|The current consent state|-|✅ Required|
+|element|HTMLScriptElement \|undefined|The script element (for load/error callbacks) Will be undefined for callback-only scripts|-|Optional|
+|error|Error \|undefined|Error information (for error callbacks)|-|Optional|