Add GPP/TCF cmpapi integration to respect device access in EU/CA/US

[zapo]

In optable-web-sdk we currently defer the responsibility of detecting regulations and handling consent to the user which usually results in gating the load of the SDK which is not ideal.

In this PR we propose to detect regulation that should apply and integrate directly with CMP APIs (namely TCF and GPP) to gather visitor consent. Based on the detected regulation and consent, device access may be granted.

To do so, this PR introduces a new "consent" config property holding either a static consent object passed by the user, or automatically inferred:

 type Consent = { 
  // Whether localStorage read/writes are granted
  deviceAccess: boolean; 
  
  // Regulation that applies
  reg: "us" | "can" | "gdpr" | null;
  
  // GPP string when applicable
  gpp?: string;
  
  // TCF string when applicable
  tcf?: string;
  
  // GPP section IDs when applicable
  gppSectionIDs?: number[];
 }

This also updates the config object passed to instanciate the SDK to accept an optional consent retrieval configuration:

{
  // A "static" consent object already built by the publisher
  static?: Consent;
  // A "cmpapi" configuration indicating that consent should be gathered from CMP apis.
  cmpapi?: { 
    // An optional vendor ID from global vendor list when interpretting TCF/GPP EU consent,
    // when not passed, defaults to publisher consent.
    tcfeuVendorID?: string;
  }
}

• Passing directly the static consent object allows the user to control device access and passing consent strings to the DCN based on their own integration with CMPs.
• Passing "cmpapi" let the SDK automatically detect the regulation that should apply and infer device access based on the preferred CMP API for this regulation.

When absent, consent is granted for device access to preserve existing behavior. Eventually this may be changed to "cmpapi". Users should start passing consent: { static: { deviceAccess: true, reg: null } } if they want to preserve the existing behavior.

Regulation Detection & device access

Regulation detection is currently implemented by looking up the timezone of the device and the languages supported.
When no regulation is detected, device access is automatically granted.

regulation	cmp api	detection	device access
TCF CA V1 ("can")	gpp	QC timezone and french browser language	always granted
TCF EU V2 ("gdpr")	tcfapi if available, otherwise gpp	EU country timezone	purpose 1 pub or vendor consent (when tcfeuVendorID is passed) when gdpr applies
US ("us")	gpp (usnat + states)	US time zone	always granted

Signals passing to the DCN

Additionally to gating device access, the regulation and corresponding consent strings are passed to any DCN call as query strings as soon as they are available and set. This allows the DCN to degrade behavior based on applicable regulation, consent vs those APIs purpose