@consenttheater/playbill 0.1.0

package/dist/actors/tag_manager.json

@@ -0,0 +1,52 @@
+{
+    "category": "tag_manager",
+    "description": "Tag management systems — container scripts that load other trackers",
+    "stats": { "cookies": 10, "domains": 33, "companies": 25 },
+    "cookies": {
+        "_dc_gtm_*": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "description": "Throttles request rate for Google Tag Manager container loading", "severity": "medium", "pattern": true, "lifetime": "1 minute", "docs_url": "https://developers.google.com/tag-platform/tag-manager/web" },
+        "_zaius_*": { "company": "Optimizely (Zaius)", "service": "Zaius CDP", "category": "tag_manager", "description": "Zaius/Optimizely Data Platform cookie for B2C customer data collection and tag management", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
+        "ensighten_*": { "company": "Ensighten", "service": "Ensighten Manage", "category": "tag_manager", "description": "Ensighten tag management cookie for controlling tag firing rules and visitor segmentation", "severity": "medium", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "lytics_*": { "company": "Lytics", "service": "Lytics CDP", "category": "tag_manager", "description": "Lytics CDP tag management cookie for real-time audience decisioning and tag orchestration", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.lytics.com/privacy/" },
+        "mp_*_api_host_override": { "company": "mParticle", "service": "mParticle SDK", "category": "tag_manager", "description": "mParticle API host override cookie for routing SDK calls through custom proxy endpoints", "severity": "medium", "pattern": true, "lifetime": "session", "docs_url": "https://docs.mparticle.com/developers/sdk/web/configuration/" },
+        "rl_*": { "company": "RudderStack", "service": "RudderStack SDK", "category": "tag_manager", "description": "RudderStack open-source CDP cookie storing anonymous ID, user traits, and session data for tag routing", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
+        "tdjs_*": { "company": "Treasure Data", "service": "Treasure Data JS SDK", "category": "tag_manager", "description": "Treasure Data CDP JavaScript SDK cookie for event collection and visitor identification", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.treasuredata.com/privacy/" },
+        "tt_tealium_ct": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Tealium connection type cookie for tag management load rules", "severity": "medium", "lifetime": "session", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
+        "utag_main": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Primary Tealium visitor session cookie containing session ID and visit count", "severity": "high", "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
+        "utag_main_*": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Extended Tealium session data used for tag firing conditions and visitor stitching", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" }
+    },
+    "domains": {
+        "api.lytics.io": { "company": "Lytics", "service": "Lytics API", "category": "tag_manager", "severity": "high", "docs_url": "https://www.lytics.com/privacy/" },
+        "assets.adobedtm.com": { "company": "Adobe", "service": "Adobe Launch (DTM)", "category": "tag_manager", "severity": "medium", "docs_url": "https://experienceleague.adobe.com/docs/experience-platform/tags/home.html" },
+        "cdn.actioniq.com": { "company": "ActionIQ", "service": "ActionIQ CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.actioniq.com/privacy-policy/" },
+        "cdn.amperity.com": { "company": "Amperity", "service": "Amperity CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://amperity.com/privacy/" },
+        "cdn.blueshift.com": { "company": "Blueshift", "service": "Blueshift CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://blueshift.com/privacy-policy/" },
+        "cdn.census.com": { "company": "Census", "service": "Census Reverse ETL CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.getcensus.com/privacy" },
+        "cdn.commandersact.com/js": { "company": "Commanders Act", "service": "Commanders Act TagCommander", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.commandersact.com/en/privacy/" },
+        "cdn.exponea.com": { "company": "Bloomreach (Exponea)", "service": "Bloomreach CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.bloomreach.com/en/legal/privacy-policy" },
+        "cdn.freshpaint.io": { "company": "Freshpaint", "service": "Freshpaint Tag CDN", "category": "tag_manager", "severity": "high", "note": "Healthcare-compliant analytics proxy that replaces direct third-party tag loading", "docs_url": "https://www.freshpaint.io/privacy-policy" },
+        "cdn.hightouch.io": { "company": "Hightouch", "service": "Hightouch Events CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://hightouch.com/privacy-policy/" },
+        "cdn.lytics.io": { "company": "Lytics", "service": "Lytics CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.lytics.com/privacy/" },
+        "cdn.mparticle.com": { "company": "mParticle", "service": "mParticle SDK CDN", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
+        "cdn.ometria.com": { "company": "Ometria", "service": "Ometria CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://ometria.com/privacy-policy/" },
+        "cdn.piwikpro.com": { "company": "Piwik PRO", "service": "Piwik PRO Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://piwik.pro/privacy-policy/" },
+        "cdn.qubit.com": { "company": "Coveo/Qubit", "service": "Qubit Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.coveo.com/en/trust-center/privacy/privacy-notice" },
+        "cdn.rudderlabs.com": { "company": "RudderStack", "service": "RudderStack SDK CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
+        "cdn.segment.com": { "company": "Twilio", "service": "Segment Tag Manager", "category": "tag_manager", "severity": "high", "docs_url": "https://segment.com/legal/privacy/" },
+        "cdn.signal.co": { "company": "Signal (BrightTag)", "service": "Signal Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.signal.co/privacy-policy/" },
+        "cdn.simondata.com": { "company": "Simon Data", "service": "Simon Data CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.simondata.com/privacy-policy/" },
+        "cdn.tagcommander.com": { "company": "Commanders Act", "service": "TagCommander", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.commandersact.com/en/privacy/" },
+        "cdn.treasuredata.com": { "company": "Treasure Data", "service": "Treasure Data CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.treasuredata.com/privacy/" },
+        "cdn.zaius.com": { "company": "Optimizely (Zaius)", "service": "Zaius CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
+        "collect.tealiumiq.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "severity": "high", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
+        "ensighten.com": { "company": "Ensighten", "service": "Ensighten Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "note": "Container script host; severity depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
+        "identity.mparticle.com": { "company": "mParticle", "service": "mParticle Identity API", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
+        "js.hs-scripts.com": { "company": "HubSpot", "service": "HubSpot Tracking Code (Tag)", "category": "tag_manager", "severity": "high", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
+        "jssdks.mparticle.com": { "company": "mParticle", "service": "mParticle JS SDK", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
+        "matomo.cloud": { "company": "Matomo", "service": "Matomo Tag Manager", "category": "tag_manager", "severity": "low", "docs_url": "https://matomo.org/docs/tag-manager/" },
+        "nexus.ensighten.com": { "company": "Ensighten", "service": "Ensighten Nexus", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "tagmanager.google.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
+        "tags.tiqcdn.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "severity": "medium", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
+        "www.googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "note": "Container script host; severity depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" }
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @consenttheater/playbill
+ *
+ * The world's largest open-source GDPR tracker knowledge base.
+ * Every cookie, every domain, every actor on the web stage —
+ * identified, categorized, and scored.
+ *
+ * @example
+ * ```ts
+ * import { loadPlaybill, matchCookie, computeScore } from '@consenttheater/playbill';
+ *
+ * const playbill = await loadPlaybill('core');
+ * const actor = matchCookie(playbill, '_ga');
+ * ```
+ */
+export type { Playbill, CookieActor, DomainActor, CookieMatch, DomainMatch, Tier, Severity, Category, BandKey, Band, Violation, ScoreResult } from './types.js';
+export { matchCookie, matchDomain, isSameOrSubdomain, listCompanies, listCategories } from './matcher.js';
+export { computeScore, bandForScore, SEVERITY_WEIGHTS, BANDS } from './scorer.js';
+export type { ScoreInput, ObservedItem, ObservedBanner } from './scorer.js';
+import type { Playbill, Tier } from './types.js';
+/**
+ * Load a playbill tier by merging actor category files and filtering by severity.
+ *
+ * @param tier - 'mini' (~50 top companies, critical+high only),
+ *               'core' (all critical+high+medium),
+ *               'full' (everything)
+ */
+export declare function loadPlaybill(tier?: Tier): Playbill;
+/**
+ * Load only specific actor categories (e.g. just advertising + analytics).
+ *
+ * @example
+ * ```ts
+ * const db = loadActors(['advertising', 'analytics']);
+ * ```
+ */
+export declare function loadActors(categories: string[]): Playbill;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChK,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1G,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAClF,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE5E,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAA4B,MAAM,YAAY,CAAC;AAgF3E;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,IAAa,GAAG,QAAQ,CAoB1D;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,QAAQ,CAgBzD"}

package/dist/index.js

@@ -0,0 +1,123 @@
+/**
+ * @consenttheater/playbill
+ *
+ * The world's largest open-source GDPR tracker knowledge base.
+ * Every cookie, every domain, every actor on the web stage —
+ * identified, categorized, and scored.
+ *
+ * @example
+ * ```ts
+ * import { loadPlaybill, matchCookie, computeScore } from '@consenttheater/playbill';
+ *
+ * const playbill = await loadPlaybill('core');
+ * const actor = matchCookie(playbill, '_ga');
+ * ```
+ */
+export { matchCookie, matchDomain, isSameOrSubdomain, listCompanies, listCategories } from './matcher.js';
+export { computeScore, bandForScore, SEVERITY_WEIGHTS, BANDS } from './scorer.js';
+// All actor category files
+import advertising from './actors/advertising.json' with { type: 'json' };
+import analytics from './actors/analytics.json' with { type: 'json' };
+import consent from './actors/consent.json' with { type: 'json' };
+import dataLeak from './actors/data_leak.json' with { type: 'json' };
+import fingerprinting from './actors/fingerprinting.json' with { type: 'json' };
+import functional from './actors/functional.json' with { type: 'json' };
+import marketing from './actors/marketing.json' with { type: 'json' };
+import security from './actors/security.json' with { type: 'json' };
+import sessionRecording from './actors/session_recording.json' with { type: 'json' };
+import social from './actors/social.json' with { type: 'json' };
+import tagManager from './actors/tag_manager.json' with { type: 'json' };
+const ALL_ACTORS = [
+    advertising, analytics, consent, dataLeak, fingerprinting,
+    functional, marketing, security, sessionRecording, social, tagManager
+];
+const TOP_N_COMPANIES = 50;
+function mergeActors(actors) {
+    const cookies = {};
+    const domains = {};
+    for (const actor of actors) {
+        Object.assign(cookies, actor.cookies);
+        Object.assign(domains, actor.domains);
+    }
+    return { cookies, domains };
+}
+function getTopCompanies(cookies, domains, n) {
+    const counts = {};
+    for (const e of [...Object.values(cookies), ...Object.values(domains)]) {
+        counts[e.company] = (counts[e.company] || 0) + 1;
+    }
+    return new Set(Object.entries(counts)
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, n)
+        .map(([company]) => company));
+}
+function uniqueCompanyCount(cookies, domains) {
+    const set = new Set();
+    for (const e of [...Object.values(cookies), ...Object.values(domains)])
+        set.add(e.company);
+    return set.size;
+}
+function filterEntries(entries, filterFn, topCompanies) {
+    const result = {};
+    for (const [key, entry] of Object.entries(entries)) {
+        if (filterFn(entry, topCompanies))
+            result[key] = entry;
+    }
+    return result;
+}
+const TIER_FILTERS = {
+    mini: (entry, topCompanies) => (entry.severity === 'critical' || entry.severity === 'high') &&
+        topCompanies.has(entry.company),
+    core: (entry) => entry.severity === 'critical' || entry.severity === 'high' || entry.severity === 'medium',
+    full: () => true
+};
+/**
+ * Load a playbill tier by merging actor category files and filtering by severity.
+ *
+ * @param tier - 'mini' (~50 top companies, critical+high only),
+ *               'core' (all critical+high+medium),
+ *               'full' (everything)
+ */
+export function loadPlaybill(tier = 'full') {
+    const { cookies: allCookies, domains: allDomains } = mergeActors(ALL_ACTORS);
+    const topCompanies = getTopCompanies(allCookies, allDomains, TOP_N_COMPANIES);
+    const filter = TIER_FILTERS[tier];
+    const cookies = filterEntries(allCookies, filter, topCompanies);
+    const domains = filterEntries(allDomains, filter, topCompanies);
+    return {
+        version: 2,
+        tier,
+        generated: new Date().toISOString(),
+        stats: {
+            cookies: Object.keys(cookies).length,
+            domains: Object.keys(domains).length,
+            companies: uniqueCompanyCount(cookies, domains)
+        },
+        cookies,
+        domains
+    };
+}
+/**
+ * Load only specific actor categories (e.g. just advertising + analytics).
+ *
+ * @example
+ * ```ts
+ * const db = loadActors(['advertising', 'analytics']);
+ * ```
+ */
+export function loadActors(categories) {
+    const selected = ALL_ACTORS.filter(a => categories.includes(a.category));
+    const { cookies, domains } = mergeActors(selected);
+    return {
+        version: 2,
+        tier: 'full',
+        generated: new Date().toISOString(),
+        stats: {
+            cookies: Object.keys(cookies).length,
+            domains: Object.keys(domains).length,
+            companies: uniqueCompanyCount(cookies, domains)
+        },
+        cookies,
+        domains
+    };
+}

package/dist/matcher.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @consenttheater/playbill — Matcher
+ *
+ * Pure functions to identify actors (trackers) from the playbill by cookie name
+ * or domain hostname. No side effects, no browser API access.
+ */
+import type { Playbill, CookieMatch, DomainMatch } from './types.js';
+/**
+ * Match a cookie name against the playbill. Checks exact names first,
+ * then pattern entries (e.g. `_ga_*` matches `_ga_ABC123`).
+ */
+export declare function matchCookie(playbill: Playbill | null | undefined, cookieName: string): CookieMatch | null;
+/**
+ * Match a hostname against the playbill. Checks exact domain first,
+ * then subdomain matches (e.g. `www.google-analytics.com` matches `google-analytics.com`).
+ */
+export declare function matchDomain(playbill: Playbill | null | undefined, hostname: string): DomainMatch | null;
+/**
+ * Check if two hostnames are the same domain or subdomains of each other.
+ */
+export declare function isSameOrSubdomain(hostname: string, baseHost: string): boolean;
+/**
+ * List all unique companies in the playbill.
+ */
+export declare function listCompanies(playbill: Playbill): string[];
+/**
+ * List all unique categories in the playbill.
+ */
+export declare function listCategories(playbill: Playbill): string[];
+//# sourceMappingURL=matcher.d.ts.map

package/dist/matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"matcher.d.ts","sourceRoot":"","sources":["../src/matcher.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAErE;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAezG;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,GAAG,SAAS,EAAE,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAavG;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAK7E;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,EAAE,CAK1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,EAAE,CAK3D"}

package/dist/matcher.js

@@ -0,0 +1,71 @@
+/**
+ * Match a cookie name against the playbill. Checks exact names first,
+ * then pattern entries (e.g. `_ga_*` matches `_ga_ABC123`).
+ */
+export function matchCookie(playbill, cookieName) {
+    if (!playbill?.cookies || !cookieName)
+        return null;
+    const exact = playbill.cookies[cookieName];
+    if (exact)
+        return { ...exact, name: cookieName };
+    for (const key of Object.keys(playbill.cookies)) {
+        const entry = playbill.cookies[key];
+        if (!entry.pattern || !key.includes('*'))
+            continue;
+        const prefix = key.replace(/\*.*$/, '');
+        if (prefix && cookieName.startsWith(prefix)) {
+            return { ...entry, name: cookieName, matchedPattern: key };
+        }
+    }
+    return null;
+}
+/**
+ * Match a hostname against the playbill. Checks exact domain first,
+ * then subdomain matches (e.g. `www.google-analytics.com` matches `google-analytics.com`).
+ */
+export function matchDomain(playbill, hostname) {
+    if (!playbill?.domains || !hostname)
+        return null;
+    const host = hostname.toLowerCase();
+    const exact = playbill.domains[host];
+    if (exact)
+        return { ...exact, hostname: host };
+    for (const key of Object.keys(playbill.domains)) {
+        if (host === key || host.endsWith('.' + key)) {
+            return { ...playbill.domains[key], hostname: host, matchedDomain: key };
+        }
+    }
+    return null;
+}
+/**
+ * Check if two hostnames are the same domain or subdomains of each other.
+ */
+export function isSameOrSubdomain(hostname, baseHost) {
+    if (!hostname || !baseHost)
+        return false;
+    const h = hostname.toLowerCase();
+    const b = baseHost.toLowerCase();
+    return h === b || h.endsWith('.' + b) || b.endsWith('.' + h);
+}
+/**
+ * List all unique companies in the playbill.
+ */
+export function listCompanies(playbill) {
+    const set = new Set();
+    for (const entry of Object.values(playbill.cookies))
+        set.add(entry.company);
+    for (const entry of Object.values(playbill.domains))
+        set.add(entry.company);
+    return [...set].sort();
+}
+/**
+ * List all unique categories in the playbill.
+ */
+export function listCategories(playbill) {
+    const set = new Set();
+    for (const entry of Object.values(playbill.cookies))
+        set.add(entry.category);
+    for (const entry of Object.values(playbill.domains))
+        set.add(entry.category);
+    return [...set].sort();
+}

package/dist/scorer.d.ts

@@ -0,0 +1,42 @@
+/**
+ * @consenttheater/playbill — Scorer
+ *
+ * Risk scoring — pure functions. Given observations (cookies, requests, banner),
+ * produce a compliance score with risk band and violation list.
+ *
+ * Bands: >= 90 Compliant, 70-89 At Risk, 40-69 Non-Compliant, < 40 Violating
+ * Weights: critical -25, high -15, medium -10, low -5
+ */
+import type { Severity, Band, BandKey, ScoreResult } from './types.js';
+export declare const SEVERITY_WEIGHTS: Record<Severity, number>;
+export declare const BANDS: readonly {
+    min: number;
+    key: BandKey;
+    label: string;
+}[];
+export declare function bandForScore(score: number): Band;
+export interface ObservedItem {
+    name?: string;
+    hostname?: string;
+    company?: string;
+    service?: string;
+    severity: Severity;
+    category?: string;
+    note?: string;
+}
+export interface ObservedBanner {
+    detected: boolean;
+    hasAcceptButton?: boolean;
+    hasRejectButton?: boolean;
+    hasManageButton?: boolean;
+    buttonCount?: number;
+    textPreview?: string;
+}
+export interface ScoreInput {
+    preConsentCookies?: ObservedItem[];
+    preConsentRequests?: ObservedItem[];
+    dataLeakRequests?: ObservedItem[];
+    banner?: ObservedBanner | null;
+}
+export declare function computeScore(input: ScoreInput): ScoreResult;
+//# sourceMappingURL=scorer.d.ts.map

package/dist/scorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scorer.d.ts","sourceRoot":"","sources":["../src/scorer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAa,MAAM,YAAY,CAAC;AAElF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAKrD,CAAC;AAEF,eAAO,MAAM,KAAK,EAAE,SAAS;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAKxE,CAAC;AAEF,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAKhD;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,CAAC,EAAE,YAAY,EAAE,CAAC;IACnC,kBAAkB,CAAC,EAAE,YAAY,EAAE,CAAC;IACpC,gBAAgB,CAAC,EAAE,YAAY,EAAE,CAAC;IAClC,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;CAChC;AAUD,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW,CAwE3D"}

package/dist/scorer.js

@@ -0,0 +1,97 @@
+export const SEVERITY_WEIGHTS = {
+    critical: 25,
+    high: 15,
+    medium: 10,
+    low: 5
+};
+export const BANDS = [
+    { min: 90, key: 'compliant', label: 'Compliant' },
+    { min: 70, key: 'at_risk', label: 'At Risk' },
+    { min: 40, key: 'non_compliant', label: 'Non-Compliant' },
+    { min: 0, key: 'violating', label: 'Violating' }
+];
+export function bandForScore(score) {
+    for (const b of BANDS) {
+        if (score >= b.min)
+            return { key: b.key, label: b.label };
+    }
+    return { key: 'violating', label: 'Violating' };
+}
+function bucketBySeverity(items) {
+    const out = { critical: [], high: [], medium: [], low: [] };
+    for (const it of items || []) {
+        if (out[it.severity])
+            out[it.severity].push(it);
+    }
+    return out;
+}
+export function computeScore(input) {
+    const violations = [];
+    const cookies = bucketBySeverity(input.preConsentCookies);
+    const reqs = bucketBySeverity(input.preConsentRequests);
+    if (cookies.critical.length) {
+        violations.push({
+            type: 'critical_cookies_before_consent', severity: 'critical', count: cookies.critical.length,
+            description: `${cookies.critical.length} advertising/tracking cookie(s) set before consent`,
+            items: cookies.critical.map(c => ({ name: c.name, company: c.company }))
+        });
+    }
+    if (cookies.high.length) {
+        violations.push({
+            type: 'high_cookies_before_consent', severity: 'high', count: cookies.high.length,
+            description: `${cookies.high.length} analytics cookie(s) set before consent`,
+            items: cookies.high.map(c => ({ name: c.name, company: c.company }))
+        });
+    }
+    if (cookies.medium.length) {
+        violations.push({
+            type: 'medium_cookies_before_consent', severity: 'medium', count: cookies.medium.length,
+            description: `${cookies.medium.length} tracking cookie(s) set before consent`,
+            items: cookies.medium.map(c => ({ name: c.name, company: c.company }))
+        });
+    }
+    if (reqs.critical.length) {
+        violations.push({
+            type: 'critical_requests_before_consent', severity: 'critical', count: reqs.critical.length,
+            description: `${reqs.critical.length} advertising request(s) fired before consent`,
+            items: reqs.critical.map(r => ({ hostname: r.hostname, company: r.company }))
+        });
+    }
+    if (reqs.high.length) {
+        violations.push({
+            type: 'high_requests_before_consent', severity: 'high', count: reqs.high.length,
+            description: `${reqs.high.length} analytics request(s) fired before consent`,
+            items: reqs.high.map(r => ({ hostname: r.hostname, company: r.company }))
+        });
+    }
+    const leaks = (input.dataLeakRequests || []).filter(r => r.category === 'data_leak');
+    if (leaks.length) {
+        violations.push({
+            type: 'data_leaks', severity: 'medium', count: leaks.length,
+            description: `${leaks.length} data-leak request(s) (IP exposure to third parties)`,
+            items: leaks.map(r => ({ hostname: r.hostname, company: r.company, note: r.note }))
+        });
+    }
+    const banner = input.banner;
+    if (banner?.detected) {
+        if (banner.hasAcceptButton && !banner.hasRejectButton) {
+            violations.push({
+                type: 'banner_missing_reject', severity: 'high', count: 1,
+                description: 'Consent banner has Accept but no Reject/Decline option'
+            });
+        }
+    }
+    else if (banner === null || (banner && !banner.detected)) {
+        if ((input.preConsentCookies || []).length || (input.preConsentRequests || []).length) {
+            violations.push({
+                type: 'no_banner_with_trackers', severity: 'high', count: 1,
+                description: 'No consent banner detected but trackers are present'
+            });
+        }
+    }
+    let score = 100;
+    for (const v of violations)
+        score -= (SEVERITY_WEIGHTS[v.severity] || 0);
+    score = Math.max(0, Math.min(100, score));
+    return { score, band: bandForScore(score), violations };
+}

package/dist/types.d.ts

@@ -0,0 +1,78 @@
+/**
+ * @consenttheater/playbill — Type definitions
+ *
+ * The Playbill is a theater program that lists every actor (tracker) and their role
+ * (category/severity) on the web stage (website). These types define the shape of
+ * that program.
+ */
+export type Severity = 'critical' | 'high' | 'medium' | 'low';
+export type Category = 'advertising' | 'analytics' | 'marketing' | 'functional' | 'tag_manager' | 'data_leak' | 'social' | 'session_recording' | 'security' | 'consent' | 'fingerprinting';
+export type Tier = 'mini' | 'core' | 'full';
+/** A cookie actor in the playbill — a known tracking cookie signature. */
+export interface CookieActor {
+    company: string;
+    service: string;
+    category: Category;
+    description?: string;
+    severity: Severity;
+    pattern?: boolean;
+    note?: string;
+    lifetime?: string;
+    docs_url?: string;
+}
+/** A domain actor in the playbill — a known tracking domain. */
+export interface DomainActor {
+    company: string;
+    service: string;
+    category: Category;
+    severity: Severity;
+    note?: string;
+    docs_url?: string;
+}
+/** The Playbill — the complete cast of known trackers. */
+export interface Playbill {
+    version: number;
+    tier: Tier;
+    generated: string;
+    stats: {
+        cookies: number;
+        domains: number;
+        companies: number;
+    };
+    cookies: Record<string, CookieActor>;
+    domains: Record<string, DomainActor>;
+}
+/** Result of matching a cookie name against the playbill. */
+export interface CookieMatch extends CookieActor {
+    name: string;
+    matchedPattern?: string;
+}
+/** Result of matching a domain against the playbill. */
+export interface DomainMatch extends DomainActor {
+    hostname: string;
+    matchedDomain?: string;
+}
+/** Risk band derived from the compliance score. */
+export type BandKey = 'compliant' | 'at_risk' | 'non_compliant' | 'violating';
+export interface Band {
+    key: BandKey;
+    label: string;
+}
+export interface Violation {
+    type: string;
+    severity: Severity;
+    count: number;
+    description: string;
+    items?: Array<{
+        name?: string;
+        hostname?: string;
+        company?: string;
+        note?: string;
+    }>;
+}
+export interface ScoreResult {
+    score: number;
+    band: Band;
+    violations: Violation[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9D,MAAM,MAAM,QAAQ,GAChB,aAAa,GAAG,WAAW,GAAG,WAAW,GAAG,YAAY,GACxD,aAAa,GAAG,WAAW,GAAG,QAAQ,GAAG,mBAAmB,GAC5D,UAAU,GAAG,SAAS,GAAG,gBAAgB,CAAC;AAE9C,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5C,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gEAAgE;AAChE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,0DAA0D;AAC1D,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACtC;AAED,6DAA6D;AAC7D,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wDAAwD;AACxD,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,mDAAmD;AACnD,MAAM,MAAM,OAAO,GAAG,WAAW,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,CAAC;AAE9E,MAAM,WAAW,IAAI;IACnB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACtF;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,EAAE,SAAS,EAAE,CAAC;CACzB"}

package/dist/types.js

@@ -0,0 +1,8 @@
+/**
+ * @consenttheater/playbill — Type definitions
+ *
+ * The Playbill is a theater program that lists every actor (tracker) and their role
+ * (category/severity) on the web stage (website). These types define the shape of
+ * that program.
+ */
+export {};