Include vendors disclosed segment in TC string for __tcfapi

[gilluminate]

Ticket ENG-2460

Description Of Changes

Fixed the TC string passed to the CMP API so that it includes the full TC string (including the vendors disclosed segment) instead of only the first segment. Previously extractTCStringForCmpApi stripped the string at the first ., which removed the disclosed vendors portion. Integrations using __tcfapi(\"getTCData\", ...) now receive a tcString that matches the TC portion of Fides.fides_string and includes the disclosed vendors segment.

Code Changes

• Updated extractTCStringForCmpApi in tcf/events.ts to use decodeFidesString and return the full tc value instead of splitting and taking only the first segment
• Added Cypress test to assert that TC string from __tcfapi getTCData matches the TC portion of Fides.fides_string and that both include the disclosed vendors segment (.)

Steps to Confirm

1. Load a TCF experience and opt in to all (eg. /fides-js-demo.html?geolocation=eea)
2. In the browser console, paste the following and validate that both strings are identical

__tcfapi("getTCData", 2, (tcData) => {
  console.log("Checking TC string for disclosed vendors (v2.3)...");
  console.log("from fides_string:", window.Fides.fides_string.split(",")[0]);
  console.log("from __tcfapi str:", tcData.tcString);
  console.log("strings are identical:", window.Fides.fides_string.split(",")[0] === tcData.tcString);
}) 

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 28, 2026 9:29pm
fides-privacy-center	Ignored		Jan 28, 2026 9:29pm

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes a bug in the TC string extraction logic for the __tcfapi CMP API. Previously, extractTCStringForCmpApi was manually splitting the TC string at the first . character, which incorrectly removed the vendors disclosed segment introduced in TCF 2.3. The fix refactors the function to use the existing decodeFidesString utility, which properly parses the full Fides string format and returns the complete TC string including all segments (core string + vendors disclosed).

Key changes:

• Replaced manual string splitting logic with decodeFidesString utility
• Updated function documentation to remove outdated comments about stripping segments
• Added Cypress test to verify TC string from __tcfapi matches the TC portion of Fides.fides_string and includes the disclosed vendors segment (indicated by .)

The change ensures integrations using __tcfapi("getTCData", ...) receive a complete TC string that matches what's stored in the Fides cookie, maintaining consistency across the consent management system.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The change is well-contained, fixes a clear bug by using existing utility functions instead of manual string manipulation, and includes comprehensive test coverage to verify the fix works correctly
• No files require special attention

Important Files Changed

Filename	Overview
clients/fides-js/src/lib/tcf/events.ts	Updated extractTCStringForCmpApi to return full TC string including vendors disclosed segment by using decodeFidesString instead of manual string splitting
clients/privacy-center/cypress/e2e/fides-js/consent-banner-tcf.cy.ts	Added test to verify TC string from __tcfapi getTCData matches Fides.fides_string and includes disclosed vendors segment

[greptile-apps]

_{2 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[speaker-ender]

Tested locally and looks good!