ENG-2895: Add attribution link options to fides-js config

[gilluminate]

Ticket ENG-2895

Description Of Changes

Add server-configurable attribution link options to the fides-js bundle. When enabled via FIDES_PRIVACY_CENTER__ATTRIBUTION_ENABLED=true, an attribution object is included in the FidesConfig.options payload with configurable anchor text, destination URL, and nofollow behavior. When disabled (default), the field is omitted entirely from the serialized config.

This is separate from the existing SHOW_BRAND_LINK setting - both can be controlled independently.

New Environment Variables

Variable	Type	Default	Description
FIDES_PRIVACY_CENTER__ATTRIBUTION_ENABLED	boolean	false	Whether the attribution link is included in the fides-js config
FIDES_PRIVACY_CENTER__ATTRIBUTION_ANCHOR_TEXT	string	"Consent powered by Ethyca"	Anchor text for the attribution link
FIDES_PRIVACY_CENTER__ATTRIBUTION_DESTINATION_URL	string	"https://ethyca.com/consent"	Destination URL for the attribution link
FIDES_PRIVACY_CENTER__ATTRIBUTION_NOFOLLOW	boolean	false	Whether the attribution link should have rel="nofollow"

Code Changes

• clients/fides-js/src/lib/consent-types.ts - Add AttributionOptions interface and optional attribution field on FidesInitOptions
• clients/privacy-center/app/server-utils/PrivacyCenterSettings.ts - Add 4 new settings: ATTRIBUTION_ENABLED, ATTRIBUTION_ANCHOR_TEXT, ATTRIBUTION_DESTINATION_URL, ATTRIBUTION_NOFOLLOW
• clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts - Read 4 FIDES_PRIVACY_CENTER__ATTRIBUTION_* env vars with sensible defaults; export default constants
• clients/privacy-center/app/server-environment.ts - Add attribution fields to PrivacyCenterClientSettings Pick type and getClientSettings() return
• clients/privacy-center/pages/api/fides-js.ts - Conditional inclusion of attribution object in FidesConfig options (undefined when disabled)
• clients/privacy-center/__tests__/app/fides-js-attribution.test.ts - Tests for client settings and config-building logic (9 tests)
• clients/privacy-center/__tests__/server-utils/loadEnvironmentVariables.test.ts - Tests for env var parsing and defaults (10 tests)

Steps to Confirm

1. Verify default behavior (attribution disabled):

   • Start Privacy Center without setting any ATTRIBUTION_* env vars
   • Visit the fides.js demo page and inspect the window.Fides.config JSON value
   • Confirm options.attribution is not present in the config

2. Verify enabled behavior:

   • Set FIDES_PRIVACY_CENTER__ATTRIBUTION_ENABLED=true
   • Visit the fides.js demo page and inspect the config JSON
   • Confirm options.attribution is present with default values:
     • anchorText: "Consent powered by Ethyca"
     • destinationUrl: "https://ethyca.com/consent"
     • nofollow: false

3. Verify custom overrides:

   • Set all 4 env vars with custom values
   • Confirm the config reflects the custom values

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • Documentation issue created in fidesdocs

Summary by CodeRabbit

• New Features

  • Added configurable attribution link options to the Fides JS bundle: enable/disable attribution, customizable anchor text, destination URL, and nofollow setting; defaults provided.

• Tests

  • Added end-to-end tests validating enablement, default values, overrides, and serialization behavior for attribution settings.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Mar 6, 2026 11:16pm
fides-privacy-center	Ignored		Mar 6, 2026 11:16pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds configurable attribution link options exposed from environment through server settings into the fides-js client bundle: ATTRIBUTION_ENABLED, ATTRIBUTION_ANCHOR_TEXT, ATTRIBUTION_DESTINATION_URL, and ATTRIBUTION_NOFOLLOW, plus types, loaders, API payload inclusion, and tests.

Changes

Cohort / File(s)	Summary
Type Definitions clients/fides-js/src/lib/consent-types.ts	Add AttributionOptions interface and optional attribution property on FidesInitOptions.
Server Settings & Loader clients/privacy-center/app/server-utils/PrivacyCenterSettings.ts, clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts	Add four new attribution settings to PrivacyCenterSettings; introduce DEFAULT_ATTRIBUTION_ANCHOR_TEXT, DEFAULT_ATTRIBUTION_DESTINATION_URL, and parsing/validation logic for env vars (enabled, anchor text, destination URL, nofollow).
Server→Client Bridge clients/privacy-center/app/server-environment.ts	Expose attribution fields on PrivacyCenterClientSettings, map server settings into client settings, and add buildAttributionOptions(settings) helper returning `AttributionOptions
API Payload clients/privacy-center/pages/api/fides-js.ts	Include attribution: buildAttributionOptions(environment.settings) in the fidesConfig payload returned to the client.
Tests clients/privacy-center/__tests__/app/fides-js-attribution.test.ts, clients/privacy-center/__tests__/server-utils/loadEnvironmentVariables.test.ts	Add tests covering env parsing, defaults, overrides, buildAttributionOptions behavior, and JSON serialization with/without attribution.
Changelog changelog/7590-attribution-link-options.yaml	Add changelog entry documenting the new attribution link options feature.

Sequence Diagram(s)

sequenceDiagram
  participant Env as Environment Variables
  participant Loader as loadEnvironmentVariables()
  participant Server as Server Settings
  participant API as /api/fides-js
  participant Client as Browser / fides-js

  Env->>Loader: ATTRIBUTION_* vars
  Loader->>Server: returns PrivacyCenterSettings (with attribution fields)
  Server->>API: getClientSettings() (maps attribution fields)
  API->>API: buildAttributionOptions(settings)
  API->>Client: fidesConfig (includes attribution when enabled)
  Client->>Client: fides-js reads `fidesConfig.attribution`

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through env and server logs bright,
I stitched anchor text and links just right.
Defaults snug, overrides take flight,
A tiny hop for SEO delight —
Puff of code, and attribution's in sight! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding attribution link options to the fides-js configuration.
Description check	✅ Passed	The description follows the template structure with all major sections completed: ticket reference, detailed description of changes, comprehensive code changes list, validation steps, and pre-merge checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch gill/ENG-2895/attribution-env-var-support

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds the server-side config plumbing to deliver a new attribution link object (anchor text, destination URL, and nofollow flag) from the Privacy Center to the fides-js bundle via four new FIDES_PRIVACY_CENTER__ATTRIBUTION_* env vars. When disabled (the default), the field is correctly omitted from the serialized JSON config.

Key findings:

• The attribution field is wired end-to-end from env var → PrivacyCenterSettings → PrivacyCenterClientSettings → FidesConfig.options, but no rendering code exists in the fides-js bundle that consumes options.attribution. The showFidesBrandLink equivalent in ConsentButtons.tsx has no counterpart for attribution. If the rendering is deferred to a follow-up, that should be made explicit.
• The second describe block in fides-js-attribution.test.ts tests a local copy of the handler ternary rather than the actual pages/api/fides-js.ts production path, reducing confidence that the real handler is covered.
• ATTRIBUTION_DESTINATION_URL accepts any arbitrary string without URL validation; adding a protocol check (https:// / http://) before it is used as an href would be a good defensive practice.

Confidence Score: 4/5

• Safe to merge with minor follow-up items; the attribution config is delivered but silently unused until rendering code is added to fides-js.
• The changes are well-scoped and the new fields are correctly optional/gated behind ATTRIBUTION_ENABLED. The main concern is that the attribution field has no consuming rendering code yet in fides-js, and one test suite mirrors rather than tests the real handler logic. No regressions to existing functionality are introduced.
• clients/fides-js/src/lib/consent-types.ts – the new attribution field has no corresponding rendering usage in the bundle; clients/privacy-center/__tests__/app/fides-js-attribution.test.ts – second describe block tests a copy of the handler logic, not the handler itself.

Important Files Changed

Filename	Overview
clients/fides-js/src/lib/consent-types.ts	Adds AttributionOptions interface and optional attribution field to FidesInitOptions. The type definitions are clean and well-structured, but there is no corresponding rendering code anywhere in fides-js that consumes this new attribution field.
clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts	Adds parsing of 4 new FIDES_PRIVACY_CENTER__ATTRIBUTION_* env vars with sensible defaults. Exports the two string defaults as named constants. Logic is consistent with patterns used elsewhere in the file.
clients/privacy-center/pages/api/fides-js.ts	Conditionally includes the attribution object in the FidesConfig.options payload. When disabled, the value is undefined which is correctly omitted by JSON.stringify. Logic is straightforward.
clients/privacy-center/tests/app/fides-js-attribution.test.ts	First describe block tests getClientSettings() directly (good). Second describe block defines a local function that duplicates the handler's ternary rather than testing the actual fides-js.ts handler, reducing test value if the handler logic diverges.

_{Last reviewed commit: f81479c}

[coderabbitai]

🧹 Nitpick comments (2)

clients/privacy-center/__tests__/app/fides-js-attribution.test.ts (1)

82-90: Exercise the real handler mapping instead of a mirrored helper. buildAttributionFromSettings() duplicates the production ternary from clients/privacy-center/pages/api/fides-js.ts, so these tests can stay green even if the handler drifts. I’d rather extract a shared helper or assert against the actual handler response.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/privacy-center/__tests__/app/fides-js-attribution.test.ts` around
lines 82 - 90, The test helper buildAttributionFromSettings() duplicates the
production mapping; replace it by invoking the real handler mapping (or
extracting and importing the shared helper used by
clients/privacy-center/pages/api/fides-js.ts) so tests assert the actual handler
output instead of a mirrored ternary. Locate buildAttributionFromSettings and
getClientSettings in the test, remove the duplicated logic, and either import
the exported handler/mapping function from
clients/privacy-center/pages/api/fides-js.ts (or move the mapping into a new
shared function and import it into both the handler and the test), then call
that real function and assert its returned AttributionOptions.

clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts (1)

200-202: Validate the attribution URL before exposing it to the bundle. This value currently passes straight from env to client-visible config. A typo or non-HTTP(S) scheme will produce a broken or unsafe href in every rendered footer, so it should fail fast during env loading.

Suggested hardening

+const normalizeAttributionDestinationUrl = (value?: string): string => {
+  const parsed = new URL(value || DEFAULT_ATTRIBUTION_DESTINATION_URL);
+  if (!["http:", "https:"].includes(parsed.protocol)) {
+    throw new Error(
+      "FIDES_PRIVACY_CENTER__ATTRIBUTION_DESTINATION_URL must use http or https",
+    );
+  }
+  return parsed.toString();
+};
+
 const loadEnvironmentVariables = () => {
   // Load environment variables
   const settings: PrivacyCenterSettings = {
@@
-    ATTRIBUTION_DESTINATION_URL:
-      process.env.FIDES_PRIVACY_CENTER__ATTRIBUTION_DESTINATION_URL ||
-      DEFAULT_ATTRIBUTION_DESTINATION_URL,
+    ATTRIBUTION_DESTINATION_URL: normalizeAttributionDestinationUrl(
+      process.env.FIDES_PRIVACY_CENTER__ATTRIBUTION_DESTINATION_URL,
+    ),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts` around
lines 200 - 202, The exported ATTRIBUTION_DESTINATION_URL value is taken
directly from process.env and may contain invalid or unsafe schemes; update the
environment-loading logic in loadEnvironmentVariables.ts to validate
ATTRIBUTION_DESTINATION_URL (falling back to
DEFAULT_ATTRIBUTION_DESTINATION_URL) using the URL constructor and ensure the
protocol is "http:" or "https:"; if validation fails, throw an error (or exit)
during load so the bundle never receives an invalid/unsafe href.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@clients/privacy-center/__tests__/app/fides-js-attribution.test.ts`:
- Around line 82-90: The test helper buildAttributionFromSettings() duplicates
the production mapping; replace it by invoking the real handler mapping (or
extracting and importing the shared helper used by
clients/privacy-center/pages/api/fides-js.ts) so tests assert the actual handler
output instead of a mirrored ternary. Locate buildAttributionFromSettings and
getClientSettings in the test, remove the duplicated logic, and either import
the exported handler/mapping function from
clients/privacy-center/pages/api/fides-js.ts (or move the mapping into a new
shared function and import it into both the handler and the test), then call
that real function and assert its returned AttributionOptions.

In `@clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts`:
- Around line 200-202: The exported ATTRIBUTION_DESTINATION_URL value is taken
directly from process.env and may contain invalid or unsafe schemes; update the
environment-loading logic in loadEnvironmentVariables.ts to validate
ATTRIBUTION_DESTINATION_URL (falling back to
DEFAULT_ATTRIBUTION_DESTINATION_URL) using the URL constructor and ensure the
protocol is "http:" or "https:"; if validation fails, throw an error (or exit)
during load so the bundle never receives an invalid/unsafe href.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6efc97ce-a285-4835-8715-f637d97e9d55

📥 Commits

Reviewing files that changed from the base of the PR and between 8e40b98 and f81479c.

📒 Files selected for processing (8)

• changelog/7590-attribution-link-options.yaml
• clients/fides-js/src/lib/consent-types.ts
• clients/privacy-center/__tests__/app/fides-js-attribution.test.ts
• clients/privacy-center/__tests__/server-utils/loadEnvironmentVariables.test.ts
• clients/privacy-center/app/server-environment.ts
• clients/privacy-center/app/server-utils/PrivacyCenterSettings.ts
• clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts
• clients/privacy-center/pages/api/fides-js.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/privacy-center/app/server-environment.ts`:
- Around line 77-80: The client settings surface is exposing raw ATTRIBUTION_*
env keys; update getClientSettings() (and the similar export around lines
356-359) to stop including "ATTRIBUTION_ENABLED", "ATTRIBUTION_ANCHOR_TEXT",
"ATTRIBUTION_DESTINATION_URL", and "ATTRIBUTION_NOFOLLOW" as top-level
client-facing fields. Instead, inside getClientSettings() build an optional
attribution object server-side only when ATTRIBUTION_ENABLED is truthy (e.g., {
anchorText, destinationUrl, nofollow } sourced from the env) and attach that
object to the returned client settings; omit the attribution field entirely when
disabled. Ensure the raw ATTRIBUTION_* names are removed from the client
contract/type so they are not forwarded to /api/fides-js.

In `@clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts`:
- Around line 58-59: The defaults DEFAULT_ATTRIBUTION_ANCHOR_TEXT and
DEFAULT_ATTRIBUTION_DESTINATION_URL currently contain Ethyca branding; replace
those hard-coded values with generic placeholders (e.g., "Consent powered by
example_org" and "https://example.com/consent" or similar) and ensure any
deployment-specific branding/URL comes from environment variables (retain
existing env var usage around attribution anchor and destination URL so callers
can override at runtime); update DEFAULT_ATTRIBUTION_ANCHOR_TEXT and
DEFAULT_ATTRIBUTION_DESTINATION_URL constants accordingly and keep references to
these symbols (and the env var reads) intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de9a789d-c2fb-4de5-a940-24f63d2bfc38

📥 Commits

Reviewing files that changed from the base of the PR and between f81479c and 66fb2db.

📒 Files selected for processing (4)

• clients/privacy-center/__tests__/app/fides-js-attribution.test.ts
• clients/privacy-center/app/server-environment.ts
• clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts
• clients/privacy-center/pages/api/fides-js.ts