consent-engine v0.6.4

feat: v0.6.4 — Sourcepoint reject-click reliability + no-GCS methodology

Sourcepoint banner-click now genuinely rejects (4 compounding bugs fixed), and
sites that emit no Google Consent Mode signal get an honest methodology instead
of a false "wiring broken" / "unknown CMP" label.

Clicker (cmp_clicker.py):

• _banner_present no longer false-positives on [class*='banner'] promo/ad
  banners (e.g. the Guardian's subscription promo), which had been reporting
  successful rejects as banner_click_failed. Banner detection is now
  consent-specific (explicit CMP containers + cookie/consent selectors). This
  is an accuracy win across all CMPs.
• Enter any CMP message iframe (Sourcepoint sp_message_iframe), not just
  TrustArc, and no longer gated on dom_type (Sourcepoint reports "standard").
• Use the real sp reject API (usnat.postRejectAll / ccpa.rejectAll); the flat
  sp.rejectAll() does not exist on modern builds.
• Recognise "No, thank you" / "Do not consent" / "Continue without accepting".

Methodology:

• New S3_NO_GOOGLE_CONSENT_MODE: known CMP + reject applied + zero gcs= observed
  -> the GCS signal-chain audit is not applicable (non-definitive). Replaces the
  false s3_consent_wiring_broken (cnn) and s3_inconclusive_unknown_cmp
  (theguardian). Report + deck render a neutral verdict, never a false-green pass.
• Decision extracted to the pure, unit-tested classify_s3_methodology().

Live-verified on theguardian.com, bbc.com, cnn.com (all now
s3_no_google_consent_mode). 131 tests pass, ruff + mypy strict clean.

Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com