At a Glance:
PolicyStack provides open-source, AI-first primitives for embedding privacy policies and cookie consent directly into React, Vue, Svelte, Solid, or Angular apps using a typed configuration, with a Vite plugin that enforces consent at build time.
Overview:
PolicyStack is an open-source toolkit for developers who need to add privacy policies and consent management to their web applications without relying on third-party iframes. It uses a single typed configuration to define both policy content and cookie consent logic, which is then rendered natively into the application through framework-specific adapters. The project covers two main areas: a policy layer that compiles privacy and cookie policies into components or Markdown, and a headless consent state machine that gates cookie execution. A Vite plugin handles build-time compilation and can scan for undeclared third-party resources. An optional cloud service exists for versioning and analytics, but the core open-source pieces function independently. It is designed for frontend applications built with React, Vue, Svelte, Solid, or Angular.
Key Decision Points:
Native UI rendering: Consent banners and policy pages are built with your own components and rendered directly into the application, not loaded through a third-party iframe.
Build-time enforcement: The Vite plugin can fail the build if it detects an ungated cookie, making consent compliance a CI-checkable rule.
Framework support: Dedicated adapters are available for React, Vue, Svelte, Solid, and Angular, each exposing policy and consent subpaths.
Headless consent core: The consent runtime is a sub-4kb state machine that manages consent logic without imposing any specific UI, leaving banner design to the developer.
Optional cloud dependency: A hosted control plane for audit trails and analytics is available but is not required to use the open-source policy and consent layers.
Core Features:
Typed policy configuration: A single defineConfig() call defines both the privacy policy and cookie policy, driving all downstream rendering.
Framework-specific adapters: Packages for React, Vue, Svelte, Solid, and Angular allow the consent state machine and policy content to be wired into existing component trees.
Vite build plugin: Compiles policies at build time and optionally scans for third-party scripts that have not been declared in the policy config.
Headless consent runtime: A framework-agnostic consent engine that manages cookie consent state and exposes it to UI adapters.
Consent-gated script loaders: @policystack/scripts provides utilities for loading third-party scripts that are blocked until appropriate consent is given.
Multi-format policy rendering: A shared render layer can output policies as Markdown, HTML, or PDF.
Use Cases:
Frontend developers adding a consent banner and privacy policy to a React, Vue, Svelte, Solid, or Angular application without introducing a third-party iframe.
Build engineers incorporating consent enforcement into a CI pipeline by using the Vite plugin to fail builds on undeclared cookie usage.
Teams maintaining a single typed configuration as the source of truth for both policy text and cookie consent behavior across a frontend codebase.
Open-Source Alternative Value:
PolicyStack’s core policy and consent layers are open-source and designed to run entirely within your own application and build process, avoiding reliance on external consent management platforms. Developers retain control over the UI and the enforcement logic because consent banners are built with native components and cookie compliance is validated at build time through the Vite plugin. The optional cloud service remains separate from the open-source packages, meaning the core workflow of defining, rendering, and enforcing consent does not depend on any hosted service.




