Commit Graph

3 Commits

Author SHA1 Message Date
Benjamin Admin d2dc0c9fe4 feat: Deep consent verification — DataLayer, Storage, GCM, TCF
5 verification layers added to the 3-phase banner test:

1. DataLayer/GTM Interception: Proxy on window.dataLayer captures
   all push() events. Distinguishes safe lifecycle events (gtm.js,
   gtm.dom) from tracking events (page_view, conversion, purchase).
   Flags tracking events before consent as violations.

2. localStorage/sessionStorage Monitoring: Intercepts setItem() to
   detect tracking keys (_ga, _fbp, amplitude, mixpanel, etc.)
   written before consent.

3. Google Consent Mode v2 Runtime Verification: Reads actual GCM
   state (analytics_storage, ad_storage) per phase. Verifies
   default=denied before consent, stays denied after reject,
   switches to granted after accept.

4. TCF v2.2 State: Reads __tcfapi('getTCData') if available.
   Verifies consent purpose states match user choice.

5. Cookie Attribute Analysis: Domain (1st vs 3rd party), expires
   (>13 months), secure flag for tracking cookies.

10 new L2 checks with expert hints (EDPB, CNIL, §25 TDDDG).
All interceptor calls wrapped in try/except for graceful fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-10 08:58:44 +02:00
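
The DataLayer interception described as layer 1 of commit d2dc0c9fe4, sketched as an added example (not code from this repository). Function names and phase labels are assumptions; the event names are the ones listed in the commit message.

```javascript
// Added example: function names and phase labels are hypothetical.
const SAFE_EVENTS = new Set(["gtm.js", "gtm.dom"]);
const TRACKING_EVENTS = new Set(["page_view", "conversion", "purchase"]);
// GTM pushes objects like {event: "x"}; gtag() pushes its Arguments
// object, which looks like ["event", "x", {...}].
function classify(entry) {
  let name = null;
  if (entry && typeof entry === "object") {
    if (typeof entry.event === "string") name = entry.event;
    else if (entry[0] === "event" && typeof entry[1] === "string") name = entry[1];
  }
  const kind = name === null ? "other"
    : SAFE_EVENTS.has(name) ? "lifecycle"
    : TRACKING_EVENTS.has(name) ? "tracking" : "unknown";
  return { name, kind };
}
function installDataLayerInterceptor(win) {
  const log = [];
  const state = { phase: "before_consent" };
  const record = (entry) => log.push({ phase: state.phase, ...classify(entry) });
  const target = Array.isArray(win.dataLayer) ? win.dataLayer : [];
  target.forEach(record); // entries queued before the interceptor was installed
  win.dataLayer = new Proxy(target, {
    get(arr, prop, receiver) {
      if (prop !== "push") return Reflect.get(arr, prop, receiver);
      return (...entries) => {
        try { entries.forEach(record); } catch (_) { /* never break the page */ }
        return arr.push(...entries); // forward, including a push GTM has replaced
      };
    },
  });
  return {
    log,
    setPhase: (phase) => { state.phase = phase; },
    violations: () => log.filter((e) => e.phase === "before_consent" && e.kind === "tracking"),
  };
}
// Constructed sample run against a stand-in for window (no browser needed).
function demo() {
  const win = { dataLayer: [{ event: "gtm.js" }] };
  const probe = installDataLayerInterceptor(win);
  function gtag() { win.dataLayer.push(arguments); }
  win.dataLayer.push({ event: "page_view" });  // tracking before consent
  gtag("event", "purchase", { value: 1 });     // tracking before consent
  probe.setPhase("after_accept");
  win.dataLayer.push({ event: "conversion" }); // allowed after accept
  return { probe, win };
}
```

Installed before any page script runs, the proxy still sees pushes after GTM replaces `dataLayer.push`, because that assignment lands on the underlying array. A page that assigns a fresh array to `window.dataLayer` bypasses it.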
Benjamin Admin 4bfb438c92 feat: 4 banner check upgrades — 30 CMPs, stealth, Shadow DOM, categories
1. 30 CMP selectors (was 10): Added Sourcepoint, Iubenda, Complianz,
   CookieFirst, HubSpot, Osano, Piwik PRO, Cookie Consent (Insites),
   Axeptio, Termly, CookieScript, Civic UK, GDPR Cookie Compliance,
   CookieHub, Ketch, Admiral, Sibbo, Evidon, LiveRamp, Adsimple.
   Plus improved generic fallback: role=dialog, aria-label, data-* attrs.

2. Playwright stealth mode: playwright-stealth against bot detection.
   Removes WebDriver flag, simulates plugins, realistic viewport/locale.
   Launch args: --disable-blink-features=AutomationControlled.

3. Shadow DOM: Recursive JS-based search through shadowRoot elements
   for consent banners. Fallback click via page.evaluate() when
   normal Playwright selectors can't penetrate Shadow DOM.

4. Category selection UI: User can choose which cookie categories to
   test (Notwendig, Statistik, Marketing, Funktional, Praeferenzen).
   Pill-style checkboxes in BannerCheckTab, forwarded through API chain.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-09 08:42:30 +02:00
Benjamin Admin 5d138f265b feat: 3 new banner legal checks (11 total) + extract banner_text_checker
New checks (from EUIPO reference case):
- Check 9: Third-party DSE link — detects when consent dialog links to
  external domain's privacy policy instead of own DSE (Art. 13 DSGVO)
- Check 10: Dark-pattern language — detects "muessen/erforderlich" for
  non-essential cookies suggesting false technical necessity (EDPB Rn. 70)
- Check 11: Non-modal dismiss = consent — detects when clicking outside
  dialog closes it (possibly treating as consent, Planet49 violation)

Refactor: extracted _check_banner_text (375 LOC) from consent_scanner.py
into services/banner_text_checker.py to keep both files under 500 LOC.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-04 08:02:46 +02:00