Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
982 Commits 5 Branches 1 Tag
1bd892afbff00e094e5dbae117894ffb81b8a4c0
Commit Graph

4 Commits

Author SHA1 Message Date
Benjamin Admin c867478791 feat(tcf-vendors): GVL cache + vendor extraction + VVT mapping
CI / loc-budget (push) Failing after 16s
Details
Build + Deploy / build-admin-compliance (push) Successful in 14s
Details
Build + Deploy / build-backend-compliance (push) Successful in 16s
Details
Build + Deploy / build-ai-sdk (push) Successful in 20s
Details
Build + Deploy / build-developer-portal (push) Successful in 12s
Details
Build + Deploy / build-tts (push) Successful in 15s
Details
Build + Deploy / build-document-crawler (push) Successful in 13s
Details
Build + Deploy / build-dsms-gateway (push) Successful in 13s
Details
Build + Deploy / build-dsms-node (push) Successful in 12s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / test-python-document-crawler (push) Successful in 26s
Details
CI / secret-scan (push) Has been skipped
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m49s
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / test-go (push) Successful in 45s
Details
CI / test-python-backend (push) Successful in 38s
Details
CI / test-python-dsms-gateway (push) Successful in 23s
Details
CI / validate-canonical-controls (push) Successful in 15s
Details
Build + Deploy / trigger-orca (push) Successful in 2m23s
Details 
Phase 1-2 of the closed quality loop:
- GVL cache (consent-tester/services/gvl_cache.py): downloads and caches
  IAB Global Vendor List with 24h TTL, resolves vendor IDs to names,
  purposes, policy URLs, retention, country
- Vendor extraction (consent_interceptor.py): extract_tcf_vendors()
  reads __tcfapi after accept phase, resolves via GVL
- Scan response: tcf_vendors field added to /scan endpoint
- VVT mapper (vendor_vvt_mapper.py): maps TCF vendors to VVT format
  with purpose labels, Rechtsgrundlage, Drittland detection
- Vendor cross-check (banner_cookie_cross_check.py): checks all TCF
  vendors against DSI text — missing vendors, undocumented transfers
- Compliance check integrates Step 3d: TCF vendors vs DSI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-12 18:18:50 +02:00
Benjamin Admin d2dc0c9fe4 feat: Deep consent verification — DataLayer, Storage, GCM, TCF 
5 verification layers added to the 3-phase banner test:

1. DataLayer/GTM Interception: Proxy on window.dataLayer captures
   all push() events. Distinguishes safe lifecycle events (gtm.js,
   gtm.dom) from tracking events (page_view, conversion, purchase).
   Flags tracking events before consent as violations.

2. localStorage/sessionStorage Monitoring: Intercepts setItem() to
   detect tracking keys (_ga, _fbp, amplitude, mixpanel, etc.)
   written before consent.

3. Google Consent Mode v2 Runtime Verification: Reads actual GCM
   state (analytics_storage, ad_storage) per phase. Verifies
   default=denied before consent, stays denied after reject,
   switches to granted after accept.

4. TCF v2.2 State: Reads __tcfapi('getTCData') if available.
   Verifies consent purpose states match user choice.

5. Cookie Attribute Analysis: Domain (1st vs 3rd party), expires
   (>13 months), secure flag for tracking cookies.

10 new L2 checks with expert hints (EDPB, CNIL, §25 TDDDG).
All interceptor calls wrapped in try/except for graceful fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-10 08:58:44 +02:00
Benjamin Admin 4bfb438c92 feat: 4 banner check upgrades — 30 CMPs, stealth, Shadow DOM, categories
Build + Deploy / build-admin-compliance (push) Successful in 2m17s
Details
Build + Deploy / build-backend-compliance (push) Successful in 3m17s
Details
Build + Deploy / build-ai-sdk (push) Successful in 56s
Details
Build + Deploy / build-developer-portal (push) Successful in 1m37s
Details
Build + Deploy / build-tts (push) Successful in 1m33s
Details
Build + Deploy / build-document-crawler (push) Successful in 42s
Details
Build + Deploy / build-dsms-gateway (push) Successful in 33s
Details
Build + Deploy / build-dsms-node (push) Successful in 16s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / loc-budget (push) Failing after 25s
Details
CI / secret-scan (push) Has been skipped
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 3m33s
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / test-go (push) Failing after 1m18s
Details
CI / test-python-backend (push) Successful in 53s
Details
CI / test-python-document-crawler (push) Successful in 36s
Details
CI / test-python-dsms-gateway (push) Successful in 33s
Details
CI / validate-canonical-controls (push) Successful in 24s
Details
Build + Deploy / trigger-orca (push) Successful in 3m19s
Details 
1. 30 CMP selectors (was 10): Added Sourcepoint, Iubenda, Complianz,
   CookieFirst, HubSpot, Osano, Piwik PRO, Cookie Consent (Insites),
   Axeptio, Termly, CookieScript, Civic UK, GDPR Cookie Compliance,
   CookieHub, Ketch, Admiral, Sibbo, Evidon, LiveRamp, Adsimple.
   Plus improved generic fallback: role=dialog, aria-label, data-* attrs.

2. Playwright stealth mode: playwright-stealth against bot detection.
   Removes WebDriver flag, simulates plugins, realistic viewport/locale.
   Launch args: --disable-blink-features=AutomationControlled.

3. Shadow DOM: Recursive JS-based search through shadowRoot elements
   for consent banners. Fallback click via page.evaluate() when
   normal Playwright selectors can't penetrate Shadow DOM.

4. Category selection UI: User can choose which cookie categories to
   test (Notwendig, Statistik, Marketing, Funktional, Praeferenzen).
   Pill-style checkboxes in BannerCheckTab, forwarded through API chain.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-09 08:42:30 +02:00
Benjamin Admin 5d138f265b feat: 3 new banner legal checks (11 total) + extract banner_text_checker 
New checks (from EUIPO reference case):
- Check 9: Third-party DSE link — detects when consent dialog links to
  external domain's privacy policy instead of own DSE (Art. 13 DSGVO)
- Check 10: Dark-pattern language — detects "muessen/erforderlich" for
  non-essential cookies suggesting false technical necessity (EDPB Rn. 70)
- Check 11: Non-modal dismiss = consent — detects when clicking outside
  dialog closes it (possibly treating as consent, Planet49 violation)

Refactor: extracted _check_banner_text (375 LOC) from consent_scanner.py
into services/banner_text_checker.py to keep both files under 500 LOC.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-04 08:02:46 +02:00