@consenttheater/playbill 0.1.1 → 0.1.2

package/dist/actors/advertising.json

@@ -1,7 +1,7 @@
 {
     "category": "advertising",
     "description": "Ad targeting, retargeting, DSPs, SSPs, ad exchanges, conversion tracking, programmatic advertising",
-    "stats": { "cookies": 675, "domains": 1736, "companies": 1173 },
+    "stats": { "cookies": 675, "domains": 1737, "companies": 1174 },
     "cookies": {
         "1P_JAR": { "company": "Google", "service": "Google", "category": "advertising", "description": "Gathers site statistics and tracks conversion rates for Google advertising campaigns", "severity": "critical", "lifetime": "30 days", "docs_url": "https://policies.google.com/technologies/cookies" },
         "33x_*": { "company": "33Across", "service": "33Across", "category": "advertising", "description": "33Across attention-based advertising identifier for viewability targeting", "severity": "critical", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.33across.com/privacy-policy/" },
@@ -2063,6 +2063,7 @@
         "t.stroeerdigitalmedia.de": { "company": "Ströer", "service": "Ströer Digital", "category": "advertising", "severity": "critical", "docs_url": "https://www.stroeer.de/en/privacy-policy" },
         "t.teads.tv": { "company": "Teads", "service": "Teads", "category": "advertising", "severity": "critical", "docs_url": "https://www.teads.com/privacy-policy/" },
         "t.unruly.co": { "company": "Unruly (Tremor International)", "service": "Unruly Video Ads", "category": "advertising", "severity": "high", "docs_url": "https://unruly.co/legal/privacy/" },
+        "t.vibe.co": { "company": "Vibe", "service": "Vibe CTV Ad Tracking", "category": "advertising", "severity": "critical", "note": "Connected TV (streaming) advertising telemetry — tracks ad exposure and attribution across CTV and web for cross-device profiling", "docs_url": "https://www.vibe.co/privacy-policy" },
         "t.viralga.com": { "company": "ViralGains", "service": "ViralGains Video Advertising", "category": "advertising", "severity": "high", "docs_url": "https://www.viralgains.com/privacy-policy/" },
         "t.vlyby.com": { "company": "Vlyby", "service": "Vlyby Interactive Video", "category": "advertising", "severity": "medium", "docs_url": "https://www.vlyby.com/privacy-policy" },
         "t.wizaly.com": { "company": "Wizaly", "service": "Wizaly Tracking", "category": "advertising", "severity": "high", "docs_url": "https://www.wizaly.com/privacy-policy/" },

package/dist/actors/analytics.json

@@ -1,7 +1,7 @@
 {
     "category": "analytics",
     "description": "Usage measurement, audience insights, A/B testing, monitoring, CDP, attribution",
-    "stats": { "cookies": 730, "domains": 1917, "companies": 1338 },
+    "stats": { "cookies": 730, "domains": 1921, "companies": 1338 },
     "cookies": {
         "888_analytics_*": { "company": "888 Holdings", "service": "888 Analytics", "category": "analytics", "description": "888 Holdings gambling analytics for casino and sports betting player behavior measurement", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.888.com/security-and-privacy/privacy-policy/" },
         "ABTasty": { "company": "AB Tasty", "service": "AB Tasty", "category": "analytics", "description": "AB Tasty main visitor cookie storing A/B test assignments and personalization segment data", "severity": "high", "lifetime": "13 months", "docs_url": "https://www.abtasty.com/privacy-policy/" },
@@ -1373,7 +1373,9 @@
         "api.writesonic.com": { "company": "Writesonic", "service": "Writesonic AI Writing API", "category": "analytics", "severity": "high", "docs_url": "https://writesonic.com/privacy-policy" },
         "api.zendesk.com": { "company": "Zendesk", "service": "Zendesk API", "category": "analytics", "severity": "high", "docs_url": "https://www.zendesk.com/company/privacy-and-data-protection/" },
         "api2.amplitude.com": { "company": "Amplitude", "service": "Amplitude API", "category": "analytics", "severity": "high", "docs_url": "https://amplitude.com/privacy" },
+        "aplo-evnt.com": { "company": "Apollo.io", "service": "Apollo Event Tracking", "category": "analytics", "severity": "high", "note": "Apollo.io event collector backend — feeds the B2B sales-intelligence database that identifies visiting companies and individuals", "docs_url": "https://www.apollo.io/privacy-policy" },
         "apnews.com": { "company": "Associated Press", "service": "AP News", "category": "analytics", "severity": "high", "docs_url": "https://apnews.com/privacystatement" },
+        "apollo.io": { "company": "Apollo.io", "service": "Apollo B2B Intelligence", "category": "analytics", "severity": "high", "note": "Umbrella catches assets.apollo.io, app.apollo.io, and other subdomains. Apollo deanonymises B2B website visitors and scrapes public profiles for its sales prospecting database", "docs_url": "https://www.apollo.io/privacy-policy" },
         "app-analytics-services.com": { "company": "Apple", "service": "Apple App Analytics", "category": "analytics", "severity": "medium", "note": "Apple App Analytics collection domain for app install attribution and engagement measurement", "docs_url": "https://www.apple.com/legal/privacy/" },
         "app-measurement.com": { "company": "Google", "service": "Firebase Analytics (App Measurement)", "category": "analytics", "severity": "high", "note": "Firebase Analytics data collection endpoint — receives all app events, user properties, and audience data", "docs_url": "https://firebase.google.com/support/privacy" },
         "app.1inch.io": { "company": "1inch Network", "service": "1inch DEX Aggregator", "category": "analytics", "severity": "medium", "docs_url": "https://1inch.io/assets/1inch_network_privacy_policy.pdf" },
@@ -1914,6 +1916,7 @@
         "gemius.pl": { "company": "Gemius", "service": "Gemius Analytics", "category": "analytics", "severity": "high", "docs_url": "https://www.gemius.com/privacy-policy" },
         "generativelanguage.googleapis.com": { "company": "Google", "service": "Google Gemini/PaLM API", "category": "analytics", "severity": "high", "note": "Google generative AI API endpoint for Gemini and PaLM models — inputs may be used for product improvement", "docs_url": "https://ai.google.dev/gemini-api/terms" },
         "getcensus.com": { "company": "Census", "service": "Census Reverse ETL", "category": "analytics", "severity": "medium", "docs_url": "https://www.getcensus.com/legal/privacy-policy" },
+        "getwarmly.com": { "company": "Warmly", "service": "Warmly De-anonymization", "category": "analytics", "severity": "critical", "note": "Reverse-IP B2B deanonymization — identifies visiting companies and individuals in real time and pipes them to sales. Matches cookies warmly_visitor_id / warmly_session_id", "docs_url": "https://www.warmly.ai/privacy" },
         "gfk.com": { "company": "GfK", "service": "GfK Market Research", "category": "analytics", "severity": "high", "docs_url": "https://www.gfk.com/privacy" },
         "ghost.io": { "company": "Ghost", "service": "Ghost Pro Hosting", "category": "analytics", "severity": "medium", "docs_url": "https://ghost.org/privacy/" },
         "giffgaff.com": { "company": "giffgaff", "service": "giffgaff MVNO", "category": "analytics", "severity": "medium", "docs_url": "https://www.giffgaff.com/privacy-policy" },
@@ -1952,6 +1955,7 @@
         "hinge.co": { "company": "Match Group", "service": "Hinge Web", "category": "analytics", "severity": "high", "docs_url": "https://hinge.co/privacy" },
         "hit.gemius.pl": { "company": "Gemius", "service": "Gemius Analytics", "category": "analytics", "severity": "high", "docs_url": "https://www.gemius.com/privacy-policy" },
         "hm.baidu.com": { "company": "Baidu", "service": "Baidu Tongji (Analytics)", "category": "analytics", "severity": "high", "docs_url": "https://tongji.baidu.com/web/help/article?id=330&type=0" },
+        "hs-analytics.net": { "company": "HubSpot", "service": "HubSpot Analytics (Regional CDN)", "category": "analytics", "severity": "high", "note": "Umbrella catches regional variants (js-eu1, js-na1, etc.) of the HubSpot analytics.js loader", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
         "hs.fi": { "company": "Sanoma", "service": "Helsingin Sanomat", "category": "analytics", "severity": "high", "docs_url": "https://www.sanoma.com/en/privacy/" },
         "hubilo.com": { "company": "Hubilo", "service": "Hubilo Virtual Events", "category": "analytics", "severity": "medium", "docs_url": "https://hubilo.com/privacy-policy/" },
         "hubspot.com": { "company": "HubSpot", "service": "HubSpot Platform (Umbrella)", "category": "analytics", "severity": "high", "note": "Umbrella catches regional variants including track-eu1 / track-na1 (ptq.gif tracking pixel), api-eu1, etc.", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },

package/dist/actors/data_leak.json

@@ -1,7 +1,7 @@
 {
     "category": "data_leak",
     "description": "Third-party resources that expose visitor IP addresses — fonts, embeds, CDNs, maps",
-    "stats": { "cookies": 0, "domains": 818, "companies": 566 },
+    "stats": { "cookies": 0, "domains": 819, "companies": 566 },
     "cookies": {},
     "domains": {
         "*.b-cdn.net": { "company": "BunnyCDN", "service": "BunnyCDN CDN", "category": "data_leak", "severity": "medium", "pattern": true, "docs_url": "https://bunny.net/privacy" },
@@ -795,6 +795,7 @@
         "www.elster.de": { "company": "German Tax Authority", "service": "ELSTER", "category": "data_leak", "severity": "high", "docs_url": "https://www.elster.de/eportal/datenschutz" },
         "www.figma.com": { "company": "Figma", "service": "Figma Embed", "category": "data_leak", "severity": "medium", "docs_url": "https://www.figma.com/privacy/" },
         "www.gofundme.com/f": { "company": "GoFundMe", "service": "GoFundMe Campaign Embed", "category": "data_leak", "severity": "medium", "docs_url": "https://www.gofundme.com/privacy" },
+        "www.google.com": { "company": "Google", "service": "Google Cross-Site Endpoint", "category": "data_leak", "severity": "medium", "note": "Cross-origin requests to www.google.com on a non-Google site are almost always reCAPTCHA (/recaptcha/api.js), Google Fonts CSS, OAuth/Login, or Maps — all leak visitor IP to Google regardless of consent", "docs_url": "https://policies.google.com/privacy" },
         "www.gov.uk": { "company": "UK Government", "service": "GOV.UK", "category": "data_leak", "severity": "medium", "note": "UK government services portal — browsing patterns reveal benefit claims, visa applications, tax filings, and health needs", "docs_url": "https://www.gov.uk/help/privacy-notice" },
         "www.gov.uk/dwp": { "company": "DWP (UK)", "service": "UK Department for Work and Pensions", "category": "data_leak", "severity": "high", "note": "UK benefits and social security portal — browsing reveals claimant status and benefit types", "docs_url": "https://www.gov.uk/government/organisations/department-for-work-pensions/about/personal-information-charter" },
         "www.gstatic.com": { "company": "Google", "service": "Google Static Content", "category": "data_leak", "severity": "low", "note": "Google static asset CDN — leaks visitor IP to Google on every page load", "docs_url": "https://policies.google.com/technologies/cookies" },

package/dist/actors/functional.json

@@ -1,7 +1,7 @@
 {
     "category": "functional",
     "description": "Chat widgets, forms, payments, CMS features, support tools, loyalty programs, accessibility",
-    "stats": { "cookies": 419, "domains": 672, "companies": 522 },
+    "stats": { "cookies": 419, "domains": 673, "companies": 522 },
     "cookies": {
         ".AspNetCore.Antiforgery.*": { "company": "Microsoft", "service": "ASP.NET Core", "category": "functional", "description": "ASP.NET Core anti-forgery system cookie for cross-site request forgery prevention", "severity": "low", "pattern": true, "lifetime": "session", "docs_url": "https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery" },
         ".AspNetCore.Identity.Application": { "company": "Microsoft", "service": "ASP.NET Core Identity", "category": "functional", "description": "ASP.NET Core Identity authentication cookie for maintaining user login state", "severity": "low", "lifetime": "14 days", "docs_url": "https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity" },
@@ -827,6 +827,7 @@
         "honors.hilton.com": { "company": "Hilton", "service": "Hilton Honors Loyalty", "category": "functional", "severity": "medium", "docs_url": "https://www.hilton.com/en/corporate/privacy/" },
         "hub.docker.com": { "company": "Docker", "service": "Docker Hub", "category": "functional", "severity": "low", "docs_url": "https://www.docker.com/legal/privacy/" },
         "hub.loginradius.com": { "company": "LoginRadius", "service": "LoginRadius Identity Hub", "category": "functional", "severity": "medium", "docs_url": "https://www.loginradius.com/privacy-policy/" },
+        "hubspotusercontent-na1.net": { "company": "HubSpot", "service": "HubSpot CMS User Content CDN", "category": "functional", "severity": "low", "note": "HubSpot customer-hosted static assets (images, downloads, CMS files) served from the NA1 region. Pure CDN, but cross-origin load still reveals visitor IP to HubSpot", "docs_url": "https://knowledge.hubspot.com/content-hub/the-difference-between-your-hubl-cms-domains" },
         "icomoon.io": { "company": "IcoMoon", "service": "IcoMoon Icon CDN", "category": "functional", "severity": "low", "docs_url": "https://icomoon.io/" },
         "icons.getbootstrap.com": { "company": "Bootstrap", "service": "Bootstrap Icons CDN", "category": "functional", "severity": "low", "docs_url": "https://icons.getbootstrap.com/" },
         "identitytoolkit.googleapis.com": { "company": "Google", "service": "Firebase Auth API", "category": "functional", "severity": "medium", "docs_url": "https://firebase.google.com/docs/auth/" },

package/dist/actors/marketing.json

@@ -1,7 +1,7 @@
 {
     "category": "marketing",
     "description": "Email marketing, SMS, push notifications, CRM tracking, marketing automation, lead capture",
-    "stats": { "cookies": 182, "domains": 544, "companies": 373 },
+    "stats": { "cookies": 182, "domains": 545, "companies": 373 },
     "cookies": {
         "MCPopupClosed": { "company": "Mailchimp (Intuit)", "service": "Mailchimp", "category": "marketing", "description": "Mailchimp popup closed cookie preventing dismissed subscription popups from re-appearing", "severity": "low", "lifetime": "1 year", "docs_url": "https://mailchimp.com/legal/cookies/" },
         "MCPopupSubscribed": { "company": "Mailchimp (Intuit)", "service": "Mailchimp", "category": "marketing", "description": "Mailchimp subscription state cookie hiding signup popups for already-subscribed visitors", "severity": "low", "lifetime": "1 year", "docs_url": "https://mailchimp.com/legal/cookies/" },
@@ -567,6 +567,7 @@
         "hashnode.com/api": { "company": "Hashnode", "service": "Hashnode API", "category": "marketing", "severity": "medium", "docs_url": "https://hashnode.com/privacy" },
         "hopin.com": { "company": "Hopin", "service": "Hopin Virtual Events", "category": "marketing", "severity": "medium", "docs_url": "https://hopin.com/privacy" },
         "hs-banner.com": { "company": "HubSpot", "service": "HubSpot Cookie Banner", "category": "marketing", "severity": "high", "note": "Banner loader fingerprints the visitor (viewport, language, referrer) before the UI renders — occurs pre-consent", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
+        "hsforms.com": { "company": "HubSpot", "service": "HubSpot Forms (Regional CDN)", "category": "marketing", "severity": "high", "note": "Umbrella catches regional variants (forms-na1, forms-eu1, perf-na1, etc.) of the HubSpot Forms embed and performance-tracking endpoints", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
         "imgn.constantcontact.com": { "company": "Constant Contact", "service": "Constant Contact Tracking", "category": "marketing", "severity": "high", "docs_url": "https://www.constantcontact.com/legal/privacy-statement" },
         "imgssl.constantcontact.com": { "company": "Constant Contact", "service": "Constant Contact Image Tracking", "category": "marketing", "severity": "high", "note": "Constant Contact SSL image hosting used for email open tracking pixels", "docs_url": "https://www.constantcontact.com/legal/privacy-statement" },
         "impressions.onelink.me": { "company": "AppsFlyer", "service": "OneLink Impressions", "category": "marketing", "severity": "high", "docs_url": "https://www.appsflyer.com/legal/privacy-policy/" },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@consenttheater/playbill",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "An open-source, tiered knowledge base of GDPR-relevant web trackers (cookies, domains, companies) with pure-function matching and risk-scoring utilities. Standalone library for privacy auditors, compliance scanners, consent platforms, browser extensions, and research tools.",
   "author": {
     "name": "ConsentTheater",