consent-engine v0.6.3

@github-actions github-actions released this 29 May 04:18
· 16 commits to main since this release

feat: v0.6.3 — full scan in production + jurisdiction-aware exposure

Repositioned from outreach lead-magnet (fast scan) to give-away/portfolio tool.

Full scan is now production:

  • run_audit -> scan_page (_scan_s3) for opt-out + GPC passes (was scan_page_fast).
    Brings per-CMP injection (build_injection_plan) + banner-click reject + a 150s
    per-pass timeout (also fixes the fast path's hang on slow sites). Non-OneTrust
    CMPs are now actually injected against instead of returned inconclusive.
  • Ported CMP runtime introspection + consent-event capture into _scan_s3, and the
    Camoufox stealthy WAF retry into the scan_page wrapper.

Accuracy:

  • Geo-override gated to cmp_method == "banner_click" only. Under cookie_injection
    the denial cookie is one WE inject (circular -> fabricated "denied" -> false
    CONFIRMED); same bug class fixed in the fast path for v0.6.2.
  • Jurisdiction detection prefers the CMP's own geolocation as ground truth
    (country_to_jurisdiction) over the HTML/TLD heuristic.
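The circular-evidence trap behind the two accuracy fixes above, as an added example that is not consent-engine's own code: a denial cookie is evidence about the site only when the site's CMP wrote it after a banner click; when the scanner injected it, reading it back proves nothing, so it must not drive the geo-override, and the CMP's own geolocation wins when it is present. `PassResult`, the verdict labels, the cookie name and the small `country_to_jurisdiction` table are all assumptions made for the example.

```python
"""Added example, not consent-engine's code: gate the geo-override on the
provenance of the denial state so an injected cookie cannot fabricate a
CONFIRMED verdict. All names and the jurisdiction table are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

CONFIRMED = "CONFIRMED"        # trackers fired after an opt-out the site itself recorded
INCONCLUSIVE = "INCONCLUSIVE"  # trackers fired, but the opt-out cannot be shown to be in scope
CLEAN = "CLEAN"                # no third-party tracker requests after the opt-out pass

# Assumed ISO-3166 country -> jurisdiction bucket (the project's real table is larger).
_JURISDICTIONS = {"US": "us", "CA": "ca", "GB": "uk",
                  "DE": "eu", "FR": "eu", "IE": "eu", "NL": "eu"}


def country_to_jurisdiction(country: str) -> Optional[str]:
    return _JURISDICTIONS.get(country.upper())


@dataclass
class PassResult:
    cmp_method: str                                        # "banner_click" or "cookie_injection"
    observed_cookies: dict = field(default_factory=dict)   # cookie jar after the pass
    injected_cookies: dict = field(default_factory=dict)   # cookies the scanner set itself
    tracker_requests: list = field(default_factory=list)   # ad-tech hosts seen after opt-out
    cmp_geo_country: Optional[str] = None                  # CMP's own geolocation, if exposed
    denial_cookie: str = "OptanonConsent"                  # assumed consent-state cookie name


def _has_denial_state(r: PassResult) -> bool:
    return "denied" in r.observed_cookies.get(r.denial_cookie, "")


def geo_override(r: PassResult) -> Optional[bool]:
    """Did the site treat this visitor as being in an opt-out jurisdiction?

    1. The CMP's own geolocation is ground truth when present.
    2. Otherwise a denial state the site's CMP wrote after a banner click means
       the banner was shown, i.e. the site considered the visitor in scope.
    3. Under cookie_injection the denial cookie is ours, so it is not evidence.
    """
    if r.cmp_geo_country:
        return country_to_jurisdiction(r.cmp_geo_country) is not None
    if r.cmp_method == "banner_click" and _has_denial_state(r):
        return True
    return None  # unknown


def geo_override_unguarded(r: PassResult) -> Optional[bool]:
    """The bug class: any denial state counts, including one we injected."""
    if r.cmp_geo_country:
        return country_to_jurisdiction(r.cmp_geo_country) is not None
    return True if _has_denial_state(r) else None


def classify(r: PassResult, override=geo_override) -> str:
    """Verdict for one opt-out pass: CONFIRMED needs trackers AND an in-scope opt-out."""
    if not r.tracker_requests:
        return CLEAN
    return CONFIRMED if override(r) is True else INCONCLUSIVE


def demo() -> dict:
    """Constructed passes: identical cookie jar and trackers, different provenance."""
    jar = {"OptanonConsent": "groups=C0001:1,C0002:0,C0004:0;state=denied"}
    trackers = ["ads.example-adtech.invalid", "px.example-pixel.invalid"]
    clicked = PassResult("banner_click", observed_cookies=dict(jar),
                         tracker_requests=trackers)
    injected = PassResult("cookie_injection", observed_cookies=dict(jar),
                          injected_cookies=dict(jar), tracker_requests=trackers)
    injected_geo = PassResult("cookie_injection", observed_cookies=dict(jar),
                              injected_cookies=dict(jar), tracker_requests=trackers,
                              cmp_geo_country="FR")
    return {
        "banner_click": classify(clicked),                                  # CONFIRMED
        "injected": classify(injected),                                     # INCONCLUSIVE
        "injected_unguarded": classify(injected, geo_override_unguarded),   # false CONFIRMED
        "injected_with_cmp_geo": classify(injected_geo),                    # CONFIRMED (CMP geo)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The unguarded variant is kept beside the gated one only to make the false positive visible: with the same cookie jar and the same tracker requests, the only difference between a real CONFIRMED and a fabricated one is who wrote the denial state.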

Jurisdiction-aware financial exposure (deck + report):

  • A Canadian or EU site no longer shows US statutes (CCPA/CIPA) or US precedents
    (Sephora/Disney). US = per-consumer multiplier; EU/UK/Quebec = turnover-% caps
    (different structure, not just different numbers).
    • Canada: Quebec Law 25 (CAD $25M/4% penal, $10M/2% admin, $1,000 private floor)
      • PIPEDA + honesty note (no flagship cookie fine yet; Tim Hortons precedent).
    • EU: GDPR Art. 83 (€20M/4%) + ePrivacy/CNIL, anchored to real cookie fines
      (Google €325M, SHEIN €150M Sep 2025; Amazon €35M). UK-GDPR/PECR noted.
    • Figures verified against primary regulator sources. Applicable-law slide,
      per-pixel callout, and statute kicker are jurisdiction-branched too.

Deck:

  • CMP self-report slide: generic theme table -> on-brand navy spec grid; values
    html.escape()d (deck f-strings have no autoescape).
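The escaping point above, as an added example that is not the project's deck code: the spec-grid cells are built with f-strings, which have no autoescape, so every value that originates from the scanned site (CMP vendor strings, script URLs, geolocation labels) has to pass through `html.escape()` before interpolation. The row labels and the sample value are constructed for the example.

```python
"""Added example, not consent-engine's deck code: escape site-derived values
before interpolating them into an f-string HTML table. Rows are constructed."""
import html


def render_spec_grid(rows: list) -> str:
    """On-brand spec grid; every cell value is html.escape()d (quote=True is the
    default, so double and single quotes are escaped as well as & < >)."""
    cells = "".join(
        f"<tr><th>{html.escape(label)}</th><td>{html.escape(value)}</td></tr>"
        for label, value in rows
    )
    return f'<table class="spec-grid">{cells}</table>'


def render_spec_grid_unescaped(rows: list) -> str:
    """The pattern the fix replaces: raw interpolation of site-derived values."""
    cells = "".join(f"<tr><th>{label}</th><td>{value}</td></tr>" for label, value in rows)
    return f'<table class="spec-grid">{cells}</table>'


# Constructed CMP self-report: the script src is the kind of value a scanned
# page controls, here carrying markup it should never be allowed to inject.
SAMPLE_ROWS = [
    ("CMP vendor", "OneTrust"),
    ("Script src", 'https://cdn.example.invalid/otSDKStub.js?v="<script>alert(1)</script>"'),
]

if __name__ == "__main__":
    print(render_spec_grid(SAMPLE_ROWS))
```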

113 tests pass (9 new jurisdiction-exposure), ruff + mypy strict clean. Live
full-scan sweep across US/CA/UK validated: nytimes 39 confirmed = all real
ad-tech (true positives), no false-positive explosion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>