feat: Phase 11 — granular cookie category testing

Tests each consent category in isolation:
- Phase D: Only "Statistics" enabled → checks if only analytics loads
- Phase E: Only "Marketing" enabled → checks if only ads load
- Phase F: Only "Functional" enabled → checks no tracking loads

CMP-specific category selectors for Cookiebot, OneTrust, Usercentrics,
Didomi. Generic fallback via toggle/checkbox keyword detection.

SERVICE_CATEGORY_MAP maps 35+ services to expected categories.
Violations: "Facebook Pixel loads with only Statistics enabled" = miscategorization.

Frontend: category test results shown below Phase A-C with
per-category violation cards.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

consent-tester/main.py

@@ -41,6 +41,7 @@ class ScanResponse(BaseModel):
     phases: dict
     summary: dict
     scanned_at: str
+    category_tests: list = []
 
 
 @app.get("/health")
@@ -83,8 +84,16 @@ async def scan_consent(req: ScanRequest):
             "high": len(result.before_violations),
             "undocumented": len(result.accept_undocumented),
             "total_violations": len(result.before_violations) + len(result.reject_violations),
+            "category_violations": sum(len(ct.violations) for ct in result.category_tests),
+            "categories_tested": len(result.category_tests),
         },
         scanned_at=datetime.now(timezone.utc).isoformat(),
+        category_tests=[{
+            "category": ct.category,
+            "category_label": ct.category_label,
+            "tracking_services": ct.tracking_services,
+            "violations": ct.violations,
+        } for ct in result.category_tests] if result.category_tests else [],
     )