ultimate-jekyll-manager 1.2.3 → 1.3.1

package/CHANGELOG.md

@@ -14,6 +14,34 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+---
+## [1.3.1] - 2026-05-21
+
+### Changed
+
+- **`ENFORCE_CONSENT_GUARD` flipped to `true`** in `src/assets/js/core/auth.js`. The page-load consent guard now silently signs out any authenticated user whose doc has `consent.legal.status !== 'granted'`. Caveat: any pre-consent-system user doc (missing the field, or defaulted to `'revoked'`) will be signed out on page load — run the legacy-user migration first, or live-test against fresh signups.
+
+---
+## [1.3.0] - 2026-05-21
+
+### Added
+
+- **Marketing consent capture on the signup form.** Frontend half of `backend-manager` v5.2.0's consent system. `src/defaults/dist/_layouts/themes/classy/frontend/pages/auth/signup.html` replaces the legal-copy line with two real checkboxes (`consent-legal`, `consent-marketing`) wrapped in a `#consent-group` so validation can highlight the pair as a unit. `consent-legal` is required to submit.
+- **`captureSignupConsent()` + `validateConsent()` in `src/assets/js/libs/auth.js`.** Pulls checkbox state + label text from the FormManager-collected data and writes it to `webManager.storage()` under key `consent` BEFORE Firebase auth fires — survives the post-signup redirect the same way `attribution` does. `validateConsent()` blocks submit via a phantom `__consent` field name and surfaces feedback via the wrapper outline + an inline error message instead of red-X-ing the single legal checkbox.
+- **`reverseAccidentalSignup()` for the Google quirk.** Landing on `/signin` with an unknown Google account auto-creates the Firebase auth user; this reverses that path — deletes the user, signs out, strips `authReturnUrl`, and surfaces an inline form error. Best-effort delete; the page-load consent guard (below, currently OFF) is the backstop if delete fails.
+- **`ENFORCE_CONSENT_GUARD` in `src/assets/js/core/auth.js`.** Page-load guard that silently signs out any authenticated user whose doc has `consent.legal.status !== 'granted'`. Default **FALSE** until the legacy-user migration runs (which sets all existing docs to `granted` + `source: 'imported'`); flipping it on before then would lock every existing user out.
+- **`consent` field on the `sendUserSignupMetadata` payload.** Forwards the storage-survived consent blob to BEM's `/user/signup` route so it can write the canonical `consent.{legal,marketing}` sub-tree on the new user doc.
+- **Marketing-emails toggle on the account page.** `src/defaults/dist/_layouts/themes/classy/frontend/pages/account/index.html` + `src/assets/js/pages/account/sections/notifications.js` reworked to read `account.consent.marketing.status` (not the old `preferences.notifications.marketing`) and POST to `/backend-manager/marketing/email-preferences` on change. Shows the original grant date below the toggle.
+
+### Changed
+
+- **`web-manager` bumped to `^4.2.0`** (was `file:../web-manager` from local dev). Locks in `DEFAULT_ACCOUNT.consent.{legal,marketing}` so `resolveAccount()` always returns a defined consent shape for legacy users.
+- Minor template touchups on `oauth2.html`, `reset.html`, `signin.html`, `token.html`, `signup.html` — heading casing, `filter-adaptive` class on the brandmark logo so it inverts in dark mode.
+
+### Fixed
+
+- **`_team` seed authors** — corrected LinkedIn/Twitter handles in `christina-hill.md`, `james-oconnor.md`, `marcus-johnson.md`, `priya-sharma.md`, `sarah-rodriguez.md` so the default scaffolded `/team/` page links don't 404.
+
 ---
 ## [1.2.3] - 2026-05-19
 

package/dist/assets/js/core/auth.js

@@ -4,6 +4,12 @@ import webManager from 'web-manager';
 // Constants
 const SIGNUP_MAX_AGE = 5 * 60 * 1000;
 
+// Enforce page-load consent guard. When true, any authenticated user whose doc has
+// consent.legal.status !== 'granted' is silently signed out. Keep FALSE until the
+// legacy user migration runs (sets all existing docs to status='granted',
+// source='imported'). Otherwise every existing user gets locked out on signin.
+const ENFORCE_CONSENT_GUARD = true;
+
 // Auth Module
 export default function () {
   // Get auth policy
@@ -59,6 +65,25 @@ export default function () {
       if (user) {
         // User is authenticated
 
+        // Consent guard: if the user is authenticated but their account doc shows
+        // no legal consent on record, they're an orphan from a reversed Google signup
+        // that failed to delete cleanly. Sign them out and surface a toast so the
+        // user knows what happened (especially if they just clicked Google and saw
+        // a success message before this fired).
+        // Gated by ENFORCE_CONSENT_GUARD (off until the legacy-user migration runs).
+        if (ENFORCE_CONSENT_GUARD) {
+          const legalStatus = state.account?.consent?.legal?.status;
+          if (legalStatus && legalStatus !== 'granted') {
+            console.warn('[Auth] Signing out user with no legal consent on record');
+            await webManager.auth().signOut();
+            webManager.utilities().showNotification(
+              `This account hasn't completed setup. Please sign up first.`,
+              { type: 'danger', timeout: 8000 }
+            );
+            return;
+          }
+        }
+
         // Send user signup metadata if account is new
         await sendUserSignupMetadata(user);
 
@@ -241,12 +266,14 @@ async function sendUserSignupMetadata(user) {
 
     // Get attribution data from storage
     const attribution = webManager.storage().get('attribution', {});
+    const consent = webManager.storage().get('consent', {});
 
     // Build the payload
     const payload = {
       // New structure
       attribution: attribution,
       context: webManager.utilities().getContext(),
+      consent: consent,
     };
 
     // Get server API URL

package/dist/assets/js/libs/auth.js

@@ -104,6 +104,13 @@ export default function () {
     return async ({ data, $submitButton }) => {
       const provider = $submitButton?.getAttribute('data-provider');
 
+      // Capture consent BEFORE any Firebase call. On signup pages the checkbox state
+      // must survive any post-auth redirect so BEM's /user/signup can write it to the doc.
+      // Read from FormManager-collected data on signup; ignored on signin (no checkboxes there).
+      if (action === 'signup') {
+        captureSignupConsent(data);
+      }
+
       if (provider === 'email') {
         await emailHandler(data);
       } else if (provider) {
@@ -112,6 +119,101 @@ export default function () {
     };
   }
 
+  // Google's signInWithPopup/Redirect auto-creates accounts. If a user lands on /signin
+  // with a Google account that doesn't exist yet, Firebase creates one before we can stop it.
+  // This reverses that: delete the auth user, sign out, surface an inline error.
+  async function reverseAccidentalSignup(newUser) {
+    console.warn('[Auth] Reversing accidental signup from /signin (new Google account created with no consent on record)');
+
+    try {
+      await newUser.delete();
+    } catch (e) {
+      // Best-effort. If delete fails (network/token issue), the page-load consent guard
+      // is the backstop — the orphan account will be signed out on every future visit.
+      console.error('[Auth] Failed to delete accidental account:', e);
+      webManager.sentry().captureException(new Error('Failed to reverse accidental signup', { cause: e }));
+    }
+
+    try {
+      const { getAuth, signOut } = await import('@firebase/auth');
+      await signOut(getAuth());
+    } catch (e) {
+      console.error('[Auth] Failed to sign out after accidental signup:', e);
+    }
+
+    // Strip authReturnUrl so the next attempt doesn't redirect them away from /signin
+    const url = new URL(window.location.href);
+    if (url.searchParams.has('authReturnUrl')) {
+      url.searchParams.delete('authReturnUrl');
+      window.history.replaceState({}, document.title, url.toString());
+    }
+
+    if (formManager) {
+      formManager.showError(`This account doesn't exist. Try signing up first or use a different account.`);
+      formManager.ready();
+    }
+  }
+
+  // Validate that the user has agreed to the legal terms. Instead of highlighting the
+  // single legal checkbox in red (which subtly frames it as "the one that matters"),
+  // we surround BOTH checkboxes with a red outline and surface a top-level banner.
+  // This frames consent as a unit the user is confirming, not a hurdle to clear.
+  function validateConsent({ data, setError }) {
+    if (data?.consentLegal === true) {
+      return;
+    }
+
+    // Phantom field name — blocks submit (FormManager checks errorCount > 0) but
+    // skips rendering since no DOM field matches '__consent'. The visual treatment
+    // is the wrapper outline + inline error message below.
+    setError('__consent', 'Agreement to Terms required');
+
+    const $group = document.getElementById('consent-group');
+    if ($group) {
+      // Match the same border color the email/password fields show when invalid.
+      // The HTML baseline is 'border: 1px solid transparent' so we only swap the color.
+      $group.style.borderColor = 'var(--bs-form-invalid-border-color, var(--bs-danger, #dc3545))';
+    }
+
+    const $err = document.getElementById('consent-error');
+    if ($err) {
+      $err.textContent = `Please select "I agree" to the Terms of Service and Privacy Policy.`;
+      $err.classList.remove('d-none');
+    }
+  }
+
+  // Clear the consent error styling once the user starts interacting with the boxes.
+  // Runs on every change to either checkbox. We only restore borderColor since the
+  // HTML baseline keeps 'border: 1px solid transparent' to reserve the layout space.
+  function clearConsentError() {
+    const $group = document.getElementById('consent-group');
+    if ($group) {
+      $group.style.borderColor = 'transparent';
+    }
+    const $err = document.getElementById('consent-error');
+    if ($err) {
+      $err.classList.add('d-none');
+    }
+  }
+
+  // Read the consent checkboxes and stash to storage. Survives the post-signup redirect
+  // the same way attribution does. BEM's /user/signup route picks it up via sendUserSignupMetadata.
+  function captureSignupConsent(data) {
+    const legalLabel = document.querySelector('label[for="consent-legal"]')?.innerText?.trim() || null;
+    const marketingLabel = document.querySelector('label[for="consent-marketing"]')?.innerText?.trim() || null;
+
+    webManager.storage().set('consent', {
+      legal: {
+        granted: data?.consentLegal === true || data?.consentLegal === 'on',
+        text: legalLabel,
+      },
+      marketing: {
+        granted: data?.consentMarketing === true || data?.consentMarketing === 'on',
+        text: marketingLabel,
+      },
+    });
+  }
+
   // Initialize signin form
   function initializeSigninForm() {
     formManager = new FormManager('#auth-form', {
@@ -139,7 +241,12 @@ export default function () {
 
     formManager.on('statechange', stateChangeHandler);
     formManager.on('validation', validateEmailProvider);
+    formManager.on('validation', validateConsent);
     formManager.on('submit', createAuthSubmitHandler('signup', handleEmailSignup));
+
+    // Clear consent error styling when either checkbox is toggled
+    document.getElementById('consent-legal')?.addEventListener('change', clearConsentError);
+    document.getElementById('consent-marketing')?.addEventListener('change', clearConsentError);
   }
 
   // Initialize reset form
@@ -183,6 +290,14 @@ export default function () {
       const pagePath = document.documentElement.getAttribute('data-page-path');
       const isSignupPage = pagePath === '/signup';
 
+      // Google quirk: if a new account was auto-created during a signin attempt
+      // (user came back from OAuth via the redirect path on /signin, not /signup),
+      // reverse it — they have no consent on record.
+      if (isNewUser && !isSignupPage) {
+        await reverseAccidentalSignup(result.user);
+        return true;
+      }
+
       if (isNewUser || isSignupPage) {
         trackSignup(providerId, result.user);
         formManager.showSuccess('Account created successfully!');
@@ -525,6 +640,15 @@ export default function () {
 
           // Track based on whether this is a new user
           const isNewUser = result.additionalUserInfo?.isNewUser;
+
+          // Google quirk: signInWithPopup auto-creates accounts. If a brand-new visitor
+          // clicks "Sign in with Google" on the SIGNIN page (not signup), reverse the
+          // auto-creation — they have no consent on record and never asked to create one.
+          if (isNewUser && action === 'signin') {
+            await reverseAccidentalSignup(result.user);
+            return;
+          }
+
           if (isNewUser || action === 'signup') {
             trackSignup(providerName, result.user);
             // Show success message

package/dist/assets/js/pages/account/sections/notifications.js

@@ -1,145 +1,95 @@
-// Notifications section module
+/**
+ * Notifications section — marketing email consent toggle.
+ *
+ * Reads consent.marketing.status from the user doc for the toggle's initial state.
+ * On toggle, POSTs to /backend-manager/marketing/email-preferences with subscribe|unsubscribe.
+ * The server writes consent.marketing to the user doc + syncs SendGrid + Beehiiv.
+ */
+import authorizedFetch from '__main_assets__/js/libs/authorized-fetch.js';
 import webManager from 'web-manager';
 
-// Initialize notifications section
+const TOGGLE_ID = 'marketing-emails';
+const GRANT_DATE_ID = 'marketing-emails-grant-date';
+
 export function init() {
-  setupNotificationToggles();
+  const $toggle = document.getElementById(TOGGLE_ID);
+  if (!$toggle) {
+    return;
+  }
+  $toggle.addEventListener('change', handleToggleChange);
 }
 
-// Load notifications data
 export function loadData(account) {
-  if (!account) return;
-
-  // Load notification preferences from account
-  const preferences = account.preferences?.notifications || {};
-
-  // Set toggle states
-  setToggleState('marketing-emails', preferences.marketing !== false);
-  setToggleState('security-emails', preferences.security !== false);
-  setToggleState('product-emails', preferences.product === true);
-}
-
-// Setup notification toggles
-function setupNotificationToggles() {
-  const toggles = [
-    'marketing-emails',
-    'security-emails',
-    'product-emails'
-  ];
-
-  toggles.forEach(toggleId => {
-    const $toggle = document.getElementById(toggleId);
-    if ($toggle) {
-      $toggle.addEventListener('change', handleToggleChange);
-    }
-  });
-}
-
-// Handle toggle change
-async function handleToggleChange(event) {
-  const toggleId = event.target.id;
-  const isEnabled = event.target.checked;
-
-  try {
-    // Map toggle ID to preference key
-    const preferenceKey = toggleId.replace('-emails', '');
-
-    // Update preferences
-    await updateNotificationPreference(preferenceKey, isEnabled);
-
-    // Show feedback
-    const actionText = isEnabled ? 'enabled' : 'disabled';
-    showToast(`${getToggleLabel(toggleId)} ${actionText}`, 'success');
-
-  } catch (error) {
-    console.error('Failed to update notification preference:', error);
-
-    // Revert toggle state
-    event.target.checked = !isEnabled;
-
-    showToast('Failed to update notification preferences. Please try again.', 'danger');
+  if (!account) {
+    return;
   }
-}
-
-// Update notification preference
-async function updateNotificationPreference(key, value) {
-  // This would call the appropriate API endpoint
-  // For now, just update locally
-  const preferences = {
-    notifications: {
-      [key]: value
-    }
-  };
 
-  // await webManager.auth().updatePreferences(preferences);
-  console.log('Updating notification preference:', key, value);
-}
-
-// Set toggle state
-function setToggleState(toggleId, isEnabled) {
-  const $toggle = document.getElementById(toggleId);
-  if ($toggle) {
-    $toggle.checked = isEnabled;
+  const $toggle = document.getElementById(TOGGLE_ID);
+  if (!$toggle) {
+    return;
   }
-}
 
-// Get toggle label for feedback
-function getToggleLabel(toggleId) {
-  switch(toggleId) {
-    case 'marketing-emails':
-      return 'Marketing emails';
-    case 'security-emails':
-      return 'Security alerts';
-    case 'product-emails':
-      return 'Product updates';
-    default:
-      return 'Notifications';
+  const isGranted = account.consent?.marketing?.status === 'granted';
+  $toggle.checked = isGranted;
+
+  // Show the original grant date if known — gives the user context on what they agreed to.
+  const grantTimestamp = account.consent?.marketing?.grantedAt?.timestamp;
+  if (isGranted && grantTimestamp) {
+    const $date = document.getElementById(GRANT_DATE_ID);
+    if ($date) {
+      const date = new Date(grantTimestamp);
+      $date.textContent = `Subscribed ${date.toLocaleDateString(undefined, { year: 'numeric', month: 'long', day: 'numeric' })}.`;
+      $date.classList.remove('d-none');
+    }
   }
 }
 
-// Show toast notification
-function showToast(message, type = 'info') {
-  // Create toast element
-  const $toast = document.createElement('div');
-  $toast.className = `toast align-items-center text-bg-${type} border-0 position-fixed bottom-0 end-0 m-3`;
-  $toast.setAttribute('role', 'alert');
-  $toast.setAttribute('aria-live', 'assertive');
-  $toast.setAttribute('aria-atomic', 'true');
-  $toast.style.zIndex = '9999';
-
-  const $inner = document.createElement('div');
-  $inner.className = 'd-flex';
+async function handleToggleChange(event) {
+  const $toggle = event.target;
+  const wasChecked = !$toggle.checked; // checkbox already flipped at this point
+  const isEnabled = $toggle.checked;
+  const action = isEnabled ? 'subscribe' : 'unsubscribe';
 
-  const $body = document.createElement('div');
-  $body.className = 'toast-body';
-  $body.textContent = message;
+  // Disable while in-flight so rapid clicks don't fire multiple requests
+  $toggle.disabled = true;
 
-  const $closeBtn = document.createElement('button');
-  $closeBtn.type = 'button';
-  $closeBtn.className = 'btn-close btn-close-white me-2 m-auto';
-  $closeBtn.setAttribute('data-bs-dismiss', 'toast');
-  $closeBtn.setAttribute('aria-label', 'Close');
+  try {
+    const response = await authorizedFetch(`${webManager.getApiUrl()}/backend-manager/marketing/email-preferences`, {
+      method: 'POST',
+      timeout: 15000,
+      response: 'json',
+      tries: 2,
+      body: { action },
+    });
 
-  $inner.appendChild($body);
-  $inner.appendChild($closeBtn);
-  $toast.appendChild($inner);
+    if (response.error || response.data?.success !== true) {
+      throw new Error(response.message || response.error || 'Failed to update email preferences.');
+    }
 
-  // Add to page
-  document.body.appendChild($toast);
+    webManager.utilities().showNotification(
+      isEnabled ? 'Subscribed to email updates.' : 'Unsubscribed from email updates.',
+      { type: 'success' }
+    );
+
+    // Hide the grant-date line on unsubscribe (it was the OLD grant date — informational only).
+    // It'll get repopulated the next time loadData runs if the user re-subscribes.
+    if (!isEnabled) {
+      const $date = document.getElementById(GRANT_DATE_ID);
+      if ($date) {
+        $date.classList.add('d-none');
+      }
+    }
+  } catch (error) {
+    console.error('Failed to update marketing consent:', error);
 
-  // Initialize and show toast
-  if (window.bootstrap && window.bootstrap.Toast) {
-    const toast = new window.bootstrap.Toast($toast);
-    toast.show();
+    // Revert toggle on failure so UI matches server state
+    $toggle.checked = wasChecked;
 
-    // Remove after hidden
-    $toast.addEventListener('hidden.bs.toast', () => {
-      $toast.remove();
-    });
-  } else {
-    // Fallback if Bootstrap JS not available
-    setTimeout(() => {
-      $toast.remove();
-    }, 3000);
+    webManager.utilities().showNotification(
+      'Failed to update email preferences. Please try again.',
+      { type: 'danger' }
+    );
+  } finally {
+    $toggle.disabled = false;
   }
 }

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/account/index.html

@@ -36,8 +36,8 @@ sections:
   - id: "profile"
     name: "Profile"
     icon: "user-circle"
-  # - id: "notifications"
-  #   name: "Notifications"
+  - id: "notifications"
+    name: "Notifications"
     icon: "bell"
   - id: "security"
     name: "Security"
@@ -777,29 +777,14 @@ badges:
 
         <div class="card">
           <div class="card-body">
-            <h5 class="card-title">Email notifications</h5>
-
-            <div class="form-check form-switch mb-3">
-              <input class="form-check-input" type="checkbox" id="marketing-emails" checked>
-              <label class="form-check-label" for="marketing-emails">
-                Marketing emails
-                <small class="d-block text-muted">Receive emails about new features and updates</small>
-              </label>
-            </div>
-
-            <div class="form-check form-switch mb-3">
-              <input class="form-check-input" type="checkbox" id="security-emails" checked>
-              <label class="form-check-label" for="security-emails">
-                Security alerts
-                <small class="d-block text-muted">Get notified about important security updates</small>
-              </label>
-            </div>
+            <h5 class="card-title">Email preferences</h5>
 
             <div class="form-check form-switch">
-              <input class="form-check-input" type="checkbox" id="product-emails">
-              <label class="form-check-label" for="product-emails">
-                Product updates
-                <small class="d-block text-muted">Receive updates about your products and services</small>
+              <input class="form-check-input" type="checkbox" id="marketing-emails">
+              <label class="form-check-label" for="marketing-emails">
+                Product updates, newsletters, and marketing communications
+                <small class="d-block text-muted">You can withdraw consent at any time.</small>
+                <small id="marketing-emails-grant-date" class="d-block text-muted d-none"></small>
               </label>
             </div>
           </div>

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/auth/oauth2.html

@@ -11,7 +11,7 @@ layout: themes/[ site.theme.id ]/frontend/core/cover
       <!-- Logo -->
       <div class="text-center mb-3">
         <div class="avatar avatar-xl">
-          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" alt="{{ site.brand.name }} Logo"/>
+          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" class="filter-adaptive" alt="{{ site.brand.name }} Logo"/>
         </div>
       </div>
 

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/auth/reset.html

@@ -11,13 +11,13 @@ layout: themes/[ site.theme.id ]/frontend/core/cover
       <!-- Logo -->
       <div class="text-center mb-3">
         <div class="avatar avatar-xl">
-          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" alt="{{ site.brand.name }} Logo"/>
+          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" class="filter-adaptive" alt="{{ site.brand.name }} Logo"/>
         </div>
       </div>
 
       <!-- Header -->
       <div class="text-center mb-4">
-        <h1 class="h3 mb-2">Reset Your Password</h1>
+        <h1 class="h3 mb-2">Reset password</h1>
         <p class="text-muted">Enter your email address and we'll send you a link to reset your password.</p>
       </div>
 

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/auth/signin.html

@@ -26,13 +26,13 @@ social_signin:
       <!-- Logo -->
       <div class="text-center mb-3">
         <div class="avatar avatar-xl">
-          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" alt="{{ site.brand.name }} Logo"/>
+          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" class="filter-adaptive" alt="{{ site.brand.name }} Logo"/>
         </div>
       </div>
 
       <!-- Header -->
       <div class="text-center mb-4">
-        <h1 class="h3 mb-2">Welcome Back!</h1>
+        <h1 class="h3 mb-2">Welcome back!</h1>
         <p class="text-muted">Sign in to your {{ site.brand.name }} account</p>
       </div>
 

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/auth/signup.html

@@ -26,13 +26,13 @@ social_signup:
       <!-- Logo -->
       <div class="text-center mb-3">
         <div class="avatar avatar-xl">
-          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" alt="{{ site.brand.name }} Logo"/>
+          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" class="filter-adaptive" alt="{{ site.brand.name }} Logo"/>
         </div>
       </div>
 
       <!-- Header -->
       <div class="text-center mb-4">
-        <h1 class="h3 mb-2">Create Your Account</h1>
+        <h1 class="h3 mb-2">Create your account</h1>
         <p class="text-muted">Get started with {{ site.brand.name }} in seconds</p>
       </div>
 
@@ -94,10 +94,24 @@ social_signup:
           <!-- <div class="form-text">Must be at least 8 characters with letters and numbers</div> -->
         </div>
 
-        <div class="mb-3 text-center">
-          <p class="text-muted small">
-            By signing up, you agree to {{ site.brand.name }}'s <a href="/terms" class="text-decoration-none" target="_blank">Terms of Service</a> and <a href="/privacy" class="text-decoration-none" target="_blank">Privacy Policy</a>.
-          </p>
+        {% comment %} TODO: in regions that allow pre-checked consent (e.g. US), default both to checked. {% endcomment %}
+        <div id="consent-group" class="mb-3 text-start p-2 rounded" style="border: 1px solid transparent;">
+          <div class="form-check mb-2">
+            <input class="form-check-input" type="checkbox" id="consent-legal" name="consentLegal">
+            <label class="form-check-label small" for="consent-legal">
+              I agree to {{ site.brand.name }}'s
+              <a href="/terms" class="text-decoration-none" target="_blank">Terms of Service</a>
+              and
+              <a href="/privacy" class="text-decoration-none" target="_blank">Privacy Policy</a>.
+            </label>
+          </div>
+          <div class="form-check">
+            <input class="form-check-input" type="checkbox" id="consent-marketing" name="consentMarketing">
+            <label class="form-check-label small" for="consent-marketing">
+              I agree to receive product updates, newsletters, and marketing communications from {{ site.brand.name }}. You can unsubscribe anytime.
+            </label>
+          </div>
+          <div id="consent-error" class="small mt-2 d-none" style="color: var(--bs-form-invalid-color, var(--bs-danger, #dc3545));"></div>
         </div>
 
         <button type="submit" class="btn btn-success _btn-lg w-100 mb-3" data-provider="email" disabled>

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/auth/token.html

@@ -9,7 +9,7 @@ layout: themes/[ site.theme.id ]/frontend/core/cover
       <!-- Logo -->
       <div class="text-center mb-3">
         <div class="avatar avatar-xl">
-          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" alt="{{ site.brand.name }} Logo"/>
+          <img src="{{ site.brand.images.brandmark }}?cb={{ site.uj.cache_breaker }}" class="filter-adaptive" alt="{{ site.brand.name }} Logo"/>
         </div>
       </div>
 

package/dist/defaults/dist/_team/christina-hill.md

@@ -24,10 +24,10 @@ member:
   links:
     - id: "linkedin"
       title: "LinkedIn"
-      url: "https://www.linkedin.com/in/christina-hill"
+      url: "https://www.linkedin.com/in/christina-hill-23487"
     - id: "twitter"
       title: "Twitter"
-      url: "https://twitter.com/christina-hill"
+      url: "https://twitter.com/christina-hill-23487"
 ---
 
 Hey there, I'm Christina!

package/dist/defaults/dist/_team/james-oconnor.md

@@ -25,7 +25,7 @@ member:
   links:
     - id: "linkedin"
       title: "LinkedIn"
-      url: "https://www.linkedin.com/in/james-oconnor"
+      url: "https://www.linkedin.com/in/james-oconnor-88559"
 ---
 
 Hey! I'm James.

package/dist/defaults/dist/_team/marcus-johnson.md

@@ -25,13 +25,13 @@ member:
   links:
     - id: "linkedin"
       title: "LinkedIn"
-      url: "https://www.linkedin.com/in/marcus-johnson"
+      url: "https://www.linkedin.com/in/marcus-johnson-381958"
     - id: "dribbble"
       title: "Dribbble"
-      url: "https://dribbble.com/marcus-johnson"
+      url: "https://dribbble.com/marcus-johnson-381958"
     - id: "instagram"
       title: "Instagram"
-      url: "https://www.instagram.com/marcus-johnson"
+      url: "https://www.instagram.com/marcus-johnson-381958"
 ---
 
 Hey there, I'm Marcus!

package/dist/defaults/dist/_team/priya-sharma.md

@@ -25,10 +25,10 @@ member:
   links:
     - id: "linkedin"
       title: "LinkedIn"
-      url: "https://www.linkedin.com/in/priya-sharma"
+      url: "https://www.linkedin.com/in/priya-sharma-5829947"
     - id: "twitter"
       title: "Twitter"
-      url: "https://twitter.com/priya-sharma"
+      url: "https://twitter.com/priya-sharma-5829947"
 ---
 
 Hi there, I'm Priya!

package/dist/defaults/dist/_team/sarah-rodriguez.md

@@ -25,13 +25,13 @@ member:
   links:
     - id: "linkedin"
       title: "LinkedIn"
-      url: "https://www.linkedin.com/in/sarah-rodriguez"
+      url: "https://www.linkedin.com/in/sarah-rodriguez-103863"
     - id: "twitter"
       title: "Twitter"
-      url: "https://twitter.com/sarah-rodriguez"
+      url: "https://twitter.com/sarah-rodriguez-103863"
     - id: "instagram"
       title: "Instagram"
-      url: "https://www.instagram.com/sarahrodriguez"
+      url: "https://www.instagram.com/sarah-rodriguez-103863"
 ---
 
 Hola! I'm Sarah.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.2.3",
+  "version": "1.3.1",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {
@@ -107,7 +107,7 @@
     "prettier": "^3.8.3",
     "sass": "^1.99.0",
     "spellchecker": "^3.7.1",
-    "web-manager": "^4.1.42",
+    "web-manager": "^4.2.0",
     "webpack": "^5.106.2",
     "wonderful-fetch": "^2.0.5",
     "wonderful-version": "^1.3.2",