feat(cookie): präfix-bewusster Library-Match (Runtime-Suffixe)

load_big_library matchte nur EXAKT → nur ~27% der BMW-Cookies trafen die
Open-Cookie-DB, weil Per-Instanz-Suffixe abweichen (_ga_GTM-XYZ, AMCVS_###@
AdobeOrg, _pk_id.5.7d8). Jetzt: Library einmal laden, Namen entwildcarden,
über _candidate_keys (exact + Präfix an Trennzeichen, Mindestlänge 3 gegen
Über-Match) matchen. Reuse der bewährten _strip_wildcards-Logik.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/compliance/tests/test_cookie_library_check.py

@@ -2,7 +2,27 @@
 
 from __future__ import annotations
 
-from compliance.services.cookie_library_check import analyze_cookies
+from compliance.services.cookie_library_check import (
+    _candidate_keys,
+    _match_lib,
+    analyze_cookies,
+)
+
+
+def test_candidate_keys_strips_runtime_suffix():
+    assert "_ga" in _candidate_keys("_ga_GTM-ABC123")
+    assert "amcvs" in _candidate_keys("AMCVS_1234@AdobeOrg")
+    assert "_pk_id" in _candidate_keys("_pk_id.5.7d8f")
+
+
+def test_match_lib_prefix_and_exact():
+    lib = {"_ga": {"actual_category": "statistics"},
+           "phpsessid": {"actual_category": "essential"}}
+    assert _match_lib("_ga_GTM-XYZ", lib)["actual_category"] == "statistics"
+    assert _match_lib("PHPSESSID".lower(), lib)["actual_category"] == "essential"
+    assert _match_lib("totally_unknown_xyz", lib) is None
+    # kurze generische Basis darf NICHT über-matchen
+    assert _match_lib("id_charger", {"id": {"x": 1}}) is None
 
 
 def test_tracker_declared_necessary_is_high_finding():