@consenttheater/playbill 0.1.1 → 0.2.0

package/dist/actors/tag_manager.json

@@ -3,51 +3,51 @@
     "description": "Tag management systems — container scripts that load other trackers",
     "stats": { "cookies": 10, "domains": 34, "companies": 25 },
     "cookies": {
-        "_dc_gtm_*": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "description": "Throttles request rate for Google Tag Manager container loading", "severity": "medium", "pattern": true, "lifetime": "1 minute", "docs_url": "https://developers.google.com/tag-platform/tag-manager/web" },
-        "_zaius_*": { "company": "Optimizely (Zaius)", "service": "Zaius CDP", "category": "tag_manager", "description": "Zaius/Optimizely Data Platform cookie for B2C customer data collection and tag management", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
-        "ensighten_*": { "company": "Ensighten", "service": "Ensighten Manage", "category": "tag_manager", "description": "Ensighten tag management cookie for controlling tag firing rules and visitor segmentation", "severity": "medium", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.ensighten.com/privacy-policy/" },
-        "lytics_*": { "company": "Lytics", "service": "Lytics CDP", "category": "tag_manager", "description": "Lytics CDP tag management cookie for real-time audience decisioning and tag orchestration", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.lytics.com/privacy/" },
-        "mp_*_api_host_override": { "company": "mParticle", "service": "mParticle SDK", "category": "tag_manager", "description": "mParticle API host override cookie for routing SDK calls through custom proxy endpoints", "severity": "medium", "pattern": true, "lifetime": "session", "docs_url": "https://docs.mparticle.com/developers/sdk/web/configuration/" },
-        "rl_*": { "company": "RudderStack", "service": "RudderStack SDK", "category": "tag_manager", "description": "RudderStack open-source CDP cookie storing anonymous ID, user traits, and session data for tag routing", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
-        "tdjs_*": { "company": "Treasure Data", "service": "Treasure Data JS SDK", "category": "tag_manager", "description": "Treasure Data CDP JavaScript SDK cookie for event collection and visitor identification", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.treasuredata.com/privacy/" },
-        "tt_tealium_ct": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Tealium connection type cookie for tag management load rules", "severity": "medium", "lifetime": "session", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
-        "utag_main": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Primary Tealium visitor session cookie containing session ID and visit count", "severity": "high", "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
-        "utag_main_*": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Extended Tealium session data used for tag firing conditions and visitor stitching", "severity": "high", "pattern": true, "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" }
+        "_dc_gtm_*": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "description": "Throttles request rate for Google Tag Manager container loading", "consent_burden": "contested", "pattern": true, "lifetime": "1 minute", "docs_url": "https://developers.google.com/tag-platform/tag-manager/web" },
+        "_zaius_*": { "company": "Optimizely (Zaius)", "service": "Zaius CDP", "category": "tag_manager", "description": "Zaius/Optimizely Data Platform cookie for B2C customer data collection and tag management", "consent_burden": "required", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
+        "ensighten_*": { "company": "Ensighten", "service": "Ensighten Manage", "category": "tag_manager", "description": "Ensighten tag management cookie for controlling tag firing rules and visitor segmentation", "consent_burden": "contested", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "lytics_*": { "company": "Lytics", "service": "Lytics CDP", "category": "tag_manager", "description": "Lytics CDP tag management cookie for real-time audience decisioning and tag orchestration", "consent_burden": "required", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.lytics.com/privacy/" },
+        "mp_*_api_host_override": { "company": "mParticle", "service": "mParticle SDK", "category": "tag_manager", "description": "mParticle API host override cookie for routing SDK calls through custom proxy endpoints", "consent_burden": "contested", "pattern": true, "lifetime": "session", "docs_url": "https://docs.mparticle.com/developers/sdk/web/configuration/" },
+        "rl_*": { "company": "RudderStack", "service": "RudderStack SDK", "category": "tag_manager", "description": "RudderStack open-source CDP cookie storing anonymous ID, user traits, and session data for tag routing", "consent_burden": "required", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
+        "tdjs_*": { "company": "Treasure Data", "service": "Treasure Data JS SDK", "category": "tag_manager", "description": "Treasure Data CDP JavaScript SDK cookie for event collection and visitor identification", "consent_burden": "required", "pattern": true, "lifetime": "1 year", "docs_url": "https://www.treasuredata.com/privacy/" },
+        "tt_tealium_ct": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Tealium connection type cookie for tag management load rules", "consent_burden": "contested", "lifetime": "session", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
+        "utag_main": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Primary Tealium visitor session cookie containing session ID and visit count", "consent_burden": "required", "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" },
+        "utag_main_*": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "description": "Extended Tealium session data used for tag firing conditions and visitor stitching", "consent_burden": "required", "pattern": true, "lifetime": "1 year", "docs_url": "https://docs.tealium.com/platforms/javascript/cookie-definitions/" }
     },
     "domains": {
-        "api.lytics.io": { "company": "Lytics", "service": "Lytics API", "category": "tag_manager", "severity": "high", "docs_url": "https://www.lytics.com/privacy/" },
-        "assets.adobedtm.com": { "company": "Adobe", "service": "Adobe Launch (DTM)", "category": "tag_manager", "severity": "medium", "docs_url": "https://experienceleague.adobe.com/docs/experience-platform/tags/home.html" },
-        "cdn.actioniq.com": { "company": "ActionIQ", "service": "ActionIQ CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.actioniq.com/privacy-policy/" },
-        "cdn.amperity.com": { "company": "Amperity", "service": "Amperity CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://amperity.com/privacy/" },
-        "cdn.blueshift.com": { "company": "Blueshift", "service": "Blueshift CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://blueshift.com/privacy-policy/" },
-        "cdn.census.com": { "company": "Census", "service": "Census Reverse ETL CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.getcensus.com/privacy" },
-        "cdn.commandersact.com/js": { "company": "Commanders Act", "service": "Commanders Act TagCommander", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.commandersact.com/en/privacy/" },
-        "cdn.exponea.com": { "company": "Bloomreach (Exponea)", "service": "Bloomreach CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.bloomreach.com/en/legal/privacy-policy" },
-        "cdn.freshpaint.io": { "company": "Freshpaint", "service": "Freshpaint Tag CDN", "category": "tag_manager", "severity": "high", "note": "Healthcare-compliant analytics proxy that replaces direct third-party tag loading", "docs_url": "https://www.freshpaint.io/privacy-policy" },
-        "cdn.hightouch.io": { "company": "Hightouch", "service": "Hightouch Events CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://hightouch.com/privacy-policy/" },
-        "cdn.lytics.io": { "company": "Lytics", "service": "Lytics CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.lytics.com/privacy/" },
-        "cdn.mparticle.com": { "company": "mParticle", "service": "mParticle SDK CDN", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
-        "cdn.ometria.com": { "company": "Ometria", "service": "Ometria CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://ometria.com/privacy-policy/" },
-        "cdn.piwikpro.com": { "company": "Piwik PRO", "service": "Piwik PRO Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://piwik.pro/privacy-policy/" },
-        "cdn.qubit.com": { "company": "Coveo/Qubit", "service": "Qubit Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.coveo.com/en/trust-center/privacy/privacy-notice" },
-        "cdn.rudderlabs.com": { "company": "RudderStack", "service": "RudderStack SDK CDN", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
-        "cdn.segment.com": { "company": "Twilio", "service": "Segment Tag Manager", "category": "tag_manager", "severity": "high", "docs_url": "https://segment.com/legal/privacy/" },
-        "cdn.signal.co": { "company": "Signal (BrightTag)", "service": "Signal Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.signal.co/privacy-policy/" },
-        "cdn.simondata.com": { "company": "Simon Data", "service": "Simon Data CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.simondata.com/privacy-policy/" },
-        "cdn.tagcommander.com": { "company": "Commanders Act", "service": "TagCommander", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.commandersact.com/en/privacy/" },
-        "cdn.treasuredata.com": { "company": "Treasure Data", "service": "Treasure Data CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.treasuredata.com/privacy/" },
-        "cdn.zaius.com": { "company": "Optimizely (Zaius)", "service": "Zaius CDP Tag", "category": "tag_manager", "severity": "high", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
-        "collect.tealiumiq.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "severity": "high", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
-        "ensighten.com": { "company": "Ensighten", "service": "Ensighten Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.ensighten.com/privacy-policy/" },
-        "googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "note": "Container script host; severity depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
-        "hs-scripts.com": { "company": "HubSpot", "service": "HubSpot Tracking Code (Regional CDN)", "category": "tag_manager", "severity": "high", "note": "Umbrella catches regional variants (js-eu1, js-na1, js-au1, etc.)", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
-        "identity.mparticle.com": { "company": "mParticle", "service": "mParticle Identity API", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
-        "js.hs-scripts.com": { "company": "HubSpot", "service": "HubSpot Tracking Code (Tag)", "category": "tag_manager", "severity": "high", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
-        "jssdks.mparticle.com": { "company": "mParticle", "service": "mParticle JS SDK", "category": "tag_manager", "severity": "high", "docs_url": "https://www.mparticle.com/privacy/" },
-        "matomo.cloud": { "company": "Matomo", "service": "Matomo Tag Manager", "category": "tag_manager", "severity": "low", "docs_url": "https://matomo.org/docs/tag-manager/" },
-        "nexus.ensighten.com": { "company": "Ensighten", "service": "Ensighten Nexus", "category": "tag_manager", "severity": "medium", "docs_url": "https://www.ensighten.com/privacy-policy/" },
-        "tagmanager.google.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
-        "tags.tiqcdn.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "severity": "medium", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
-        "www.googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "severity": "medium", "note": "Container script host; severity depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" }
+        "api.lytics.io": { "company": "Lytics", "service": "Lytics API", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.lytics.com/privacy/" },
+        "assets.adobedtm.com": { "company": "Adobe", "service": "Adobe Launch (DTM)", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://experienceleague.adobe.com/docs/experience-platform/tags/home.html" },
+        "cdn.actioniq.com": { "company": "ActionIQ", "service": "ActionIQ CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.actioniq.com/privacy-policy/" },
+        "cdn.amperity.com": { "company": "Amperity", "service": "Amperity CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://amperity.com/privacy/" },
+        "cdn.blueshift.com": { "company": "Blueshift", "service": "Blueshift CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://blueshift.com/privacy-policy/" },
+        "cdn.census.com": { "company": "Census", "service": "Census Reverse ETL CDN", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.getcensus.com/privacy" },
+        "cdn.commandersact.com/js": { "company": "Commanders Act", "service": "Commanders Act TagCommander", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.commandersact.com/en/privacy/" },
+        "cdn.exponea.com": { "company": "Bloomreach (Exponea)", "service": "Bloomreach CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.bloomreach.com/en/legal/privacy-policy" },
+        "cdn.freshpaint.io": { "company": "Freshpaint", "service": "Freshpaint Tag CDN", "category": "tag_manager", "consent_burden": "required", "note": "Healthcare-compliant analytics proxy that replaces direct third-party tag loading", "docs_url": "https://www.freshpaint.io/privacy-policy" },
+        "cdn.hightouch.io": { "company": "Hightouch", "service": "Hightouch Events CDN", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://hightouch.com/privacy-policy/" },
+        "cdn.lytics.io": { "company": "Lytics", "service": "Lytics CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.lytics.com/privacy/" },
+        "cdn.mparticle.com": { "company": "mParticle", "service": "mParticle SDK CDN", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.mparticle.com/privacy/" },
+        "cdn.ometria.com": { "company": "Ometria", "service": "Ometria CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://ometria.com/privacy-policy/" },
+        "cdn.piwikpro.com": { "company": "Piwik PRO", "service": "Piwik PRO Tag Manager", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://piwik.pro/privacy-policy/" },
+        "cdn.qubit.com": { "company": "Coveo/Qubit", "service": "Qubit Tag Manager", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.coveo.com/en/trust-center/privacy/privacy-notice" },
+        "cdn.rudderlabs.com": { "company": "RudderStack", "service": "RudderStack SDK CDN", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.rudderstack.com/privacy-policy/" },
+        "cdn.segment.com": { "company": "Twilio", "service": "Segment Tag Manager", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://segment.com/legal/privacy/" },
+        "cdn.signal.co": { "company": "Signal (BrightTag)", "service": "Signal Tag Manager", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.signal.co/privacy-policy/" },
+        "cdn.simondata.com": { "company": "Simon Data", "service": "Simon Data CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.simondata.com/privacy-policy/" },
+        "cdn.tagcommander.com": { "company": "Commanders Act", "service": "TagCommander", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.commandersact.com/en/privacy/" },
+        "cdn.treasuredata.com": { "company": "Treasure Data", "service": "Treasure Data CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.treasuredata.com/privacy/" },
+        "cdn.zaius.com": { "company": "Optimizely (Zaius)", "service": "Zaius CDP Tag", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.optimizely.com/legal/privacy-policy/" },
+        "collect.tealiumiq.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
+        "ensighten.com": { "company": "Ensighten", "service": "Ensighten Tag Manager", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "consent_burden": "contested", "note": "Container script host; consent burden depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
+        "hs-scripts.com": { "company": "HubSpot", "service": "HubSpot Tracking Code (Regional CDN)", "category": "tag_manager", "consent_burden": "required", "note": "Umbrella catches regional variants (js-eu1, js-na1, js-au1, etc.)", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
+        "identity.mparticle.com": { "company": "mParticle", "service": "mParticle Identity API", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.mparticle.com/privacy/" },
+        "js.hs-scripts.com": { "company": "HubSpot", "service": "HubSpot Tracking Code (Tag)", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser" },
+        "jssdks.mparticle.com": { "company": "mParticle", "service": "mParticle JS SDK", "category": "tag_manager", "consent_burden": "required", "docs_url": "https://www.mparticle.com/privacy/" },
+        "matomo.cloud": { "company": "Matomo", "service": "Matomo Tag Manager", "category": "tag_manager", "consent_burden": "minimal", "docs_url": "https://matomo.org/docs/tag-manager/" },
+        "nexus.ensighten.com": { "company": "Ensighten", "service": "Ensighten Nexus", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://www.ensighten.com/privacy-policy/" },
+        "tagmanager.google.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://developers.google.com/tag-platform/tag-manager" },
+        "tags.tiqcdn.com": { "company": "Tealium", "service": "Tealium iQ", "category": "tag_manager", "consent_burden": "contested", "docs_url": "https://docs.tealium.com/platforms/javascript/" },
+        "www.googletagmanager.com": { "company": "Google", "service": "Google Tag Manager", "category": "tag_manager", "consent_burden": "contested", "note": "Container script host; consent burden depends on tags loaded inside the container", "docs_url": "https://developers.google.com/tag-platform/tag-manager" }
     }
 }

package/dist/index.d.ts

@@ -3,27 +3,33 @@
  *
  * The world's largest open-source GDPR tracker knowledge base.
  * Every cookie, every domain, every actor on the web stage —
- * identified, categorized, and scored.
+ * identified, categorised, and tagged with its consent burden.
+ *
+ * This library deliberately does **not** assign verdicts or scores. It
+ * gives you the facts about each tracker; what (if anything) you do with
+ * those facts is up to you. Consumers needing visualisation hierarchies
+ * (red / amber / green, "high risk", etc.) compute them in their own UI
+ * layer from the `consent_burden` and `category` fields.
  *
  * @example
  * ```ts
- * import { loadPlaybill, matchCookie, computeScore } from '@consenttheater/playbill';
+ * import { loadPlaybill, matchCookie } from '@consenttheater/playbill';
  *
- * const playbill = await loadPlaybill('core');
+ * const playbill = loadPlaybill('core');
  * const actor = matchCookie(playbill, '_ga');
+ * // actor?.consent_burden === 'required'
  * ```
  */
-export type { Playbill, CookieActor, DomainActor, CookieMatch, DomainMatch, Tier, Severity, Category, BandKey, Band, Violation, ScoreResult } from './types.js';
+export type { Playbill, CookieActor, DomainActor, CookieMatch, DomainMatch, Tier, ConsentBurden, Category } from './types.js';
 export { matchCookie, matchDomain, isSameOrSubdomain, listCompanies, listCategories } from './matcher.js';
-export { computeScore, bandForScore, SEVERITY_WEIGHTS, BANDS } from './scorer.js';
-export type { ScoreInput, ObservedItem, ObservedBanner } from './scorer.js';
 import type { Playbill, Tier } from './types.js';
 /**
- * Load a playbill tier by merging actor category files and filtering by severity.
+ * Load a playbill tier by merging actor category files and filtering by
+ * consent burden.
  *
- * @param tier - 'mini' (~50 top companies, critical+high only),
- *               'core' (all critical+high+medium),
- *               'full' (everything)
+ * @param tier - 'mini' (~50 top companies, required_strict + required only),
+ *               'core' (all entries that require or might require consent),
+ *               'full' (everything, including minimal-burden entries)
  */
 export declare function loadPlaybill(tier?: Tier): Playbill;
 /**

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChK,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1G,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAClF,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE5E,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAA4B,MAAM,YAAY,CAAC;AAgF3E;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,IAAa,GAAG,QAAQ,CAoB1D;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,QAAQ,CAgBzD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,YAAY,EACV,QAAQ,EACR,WAAW,EACX,WAAW,EACX,WAAW,EACX,WAAW,EACX,IAAI,EACJ,aAAa,EACb,QAAQ,EACT,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,iBAAiB,EACjB,aAAa,EACb,cAAc,EACf,MAAM,cAAc,CAAC;AAEtB,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAA2C,MAAM,YAAY,CAAC;AAiF1F;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,IAAa,GAAG,QAAQ,CAoB1D;AAED;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,QAAQ,CAgBzD"}

package/dist/index.js

@@ -3,18 +3,24 @@
  *
  * The world's largest open-source GDPR tracker knowledge base.
  * Every cookie, every domain, every actor on the web stage —
- * identified, categorized, and scored.
+ * identified, categorised, and tagged with its consent burden.
+ *
+ * This library deliberately does **not** assign verdicts or scores. It
+ * gives you the facts about each tracker; what (if anything) you do with
+ * those facts is up to you. Consumers needing visualisation hierarchies
+ * (red / amber / green, "high risk", etc.) compute them in their own UI
+ * layer from the `consent_burden` and `category` fields.
  *
  * @example
  * ```ts
- * import { loadPlaybill, matchCookie, computeScore } from '@consenttheater/playbill';
+ * import { loadPlaybill, matchCookie } from '@consenttheater/playbill';
  *
- * const playbill = await loadPlaybill('core');
+ * const playbill = loadPlaybill('core');
  * const actor = matchCookie(playbill, '_ga');
+ * // actor?.consent_burden === 'required'
  * ```
  */
 export { matchCookie, matchDomain, isSameOrSubdomain, listCompanies, listCategories } from './matcher.js';
-export { computeScore, bandForScore, SEVERITY_WEIGHTS, BANDS } from './scorer.js';
 // All actor category files
 import advertising from './actors/advertising.json' with { type: 'json' };
 import analytics from './actors/analytics.json' with { type: 'json' };
@@ -65,18 +71,20 @@ function filterEntries(entries, filterFn, topCompanies) {
     }
     return result;
 }
+const CONSENT_REQUIRED = ['required_strict', 'required', 'contested'];
 const TIER_FILTERS = {
-    mini: (entry, topCompanies) => (entry.severity === 'critical' || entry.severity === 'high') &&
+    mini: (entry, topCompanies) => (entry.consent_burden === 'required_strict' || entry.consent_burden === 'required') &&
         topCompanies.has(entry.company),
-    core: (entry) => entry.severity === 'critical' || entry.severity === 'high' || entry.severity === 'medium',
+    core: (entry) => CONSENT_REQUIRED.includes(entry.consent_burden),
     full: () => true
 };
 /**
- * Load a playbill tier by merging actor category files and filtering by severity.
+ * Load a playbill tier by merging actor category files and filtering by
+ * consent burden.
  *
- * @param tier - 'mini' (~50 top companies, critical+high only),
- *               'core' (all critical+high+medium),
- *               'full' (everything)
+ * @param tier - 'mini' (~50 top companies, required_strict + required only),
+ *               'core' (all entries that require or might require consent),
+ *               'full' (everything, including minimal-burden entries)
  */
 export function loadPlaybill(tier = 'full') {
     const { cookies: allCookies, domains: allDomains } = mergeActors(ALL_ACTORS);
@@ -85,7 +93,7 @@ export function loadPlaybill(tier = 'full') {
     const cookies = filterEntries(allCookies, filter, topCompanies);
     const domains = filterEntries(allDomains, filter, topCompanies);
     return {
-        version: 2,
+        version: 3,
         tier,
         generated: new Date().toISOString(),
         stats: {
@@ -109,7 +117,7 @@ export function loadActors(categories) {
     const selected = ALL_ACTORS.filter(a => categories.includes(a.category));
     const { cookies, domains } = mergeActors(selected);
     return {
-        version: 2,
+        version: 3,
         tier: 'full',
         generated: new Date().toISOString(),
         stats: {

package/dist/types.d.ts

@@ -1,11 +1,30 @@
 /**
  * @consenttheater/playbill — Type definitions
  *
- * The Playbill is a theater program that lists every actor (tracker) and their role
- * (category/severity) on the web stage (website). These types define the shape of
- * that program.
+ * The Playbill is a theater program that lists every actor (tracker) and
+ * its role on the web stage. These types define the shape of that program.
+ *
+ * The library deliberately does **not** assign verdicts to whole websites
+ * or carry school-grade severity labels. It classifies trackers by the
+ * consent burden each one creates under EU/GDPR rules, leaves judgement
+ * to supervisory authorities and courts, and lets downstream consumers
+ * present the data however they like.
+ */
+/**
+ * How much explicit consent the tracker requires under GDPR / ePrivacy.
+ *
+ * - `required_strict` — Cross-site profiling, ad-tech retargeting,
+ *   fingerprinting, session recording. Always needs prior, informed,
+ *   freely-given consent.
+ * - `required`        — Standard analytics and marketing tracking.
+ *   Consent required in nearly all interpretations.
+ * - `contested`       — Tracking-adjacent or jurisdiction-dependent.
+ *   Some authorities allow under legitimate interest, others require
+ *   consent. Treat as consent-required by default.
+ * - `minimal`         — Functional, security, or strictly-necessary in
+ *   most interpretations. Often exempt from consent requirements.
  */
-export type Severity = 'critical' | 'high' | 'medium' | 'low';
+export type ConsentBurden = 'required_strict' | 'required' | 'contested' | 'minimal';
 export type Category = 'advertising' | 'analytics' | 'marketing' | 'functional' | 'tag_manager' | 'data_leak' | 'social' | 'session_recording' | 'security' | 'consent' | 'fingerprinting';
 export type Tier = 'mini' | 'core' | 'full';
 /** A cookie actor in the playbill — a known tracking cookie signature. */
@@ -14,7 +33,7 @@ export interface CookieActor {
     service: string;
     category: Category;
     description?: string;
-    severity: Severity;
+    consent_burden: ConsentBurden;
     pattern?: boolean;
     note?: string;
     lifetime?: string;
@@ -25,7 +44,7 @@ export interface DomainActor {
     company: string;
     service: string;
     category: Category;
-    severity: Severity;
+    consent_burden: ConsentBurden;
     note?: string;
     docs_url?: string;
 }
@@ -52,27 +71,4 @@ export interface DomainMatch extends DomainActor {
     hostname: string;
     matchedDomain?: string;
 }
-/** Risk band derived from the compliance score. */
-export type BandKey = 'compliant' | 'at_risk' | 'non_compliant' | 'violating';
-export interface Band {
-    key: BandKey;
-    label: string;
-}
-export interface Violation {
-    type: string;
-    severity: Severity;
-    count: number;
-    description: string;
-    items?: Array<{
-        name?: string;
-        hostname?: string;
-        company?: string;
-        note?: string;
-    }>;
-}
-export interface ScoreResult {
-    score: number;
-    band: Band;
-    violations: Violation[];
-}
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9D,MAAM,MAAM,QAAQ,GAChB,aAAa,GAAG,WAAW,GAAG,WAAW,GAAG,YAAY,GACxD,aAAa,GAAG,WAAW,GAAG,QAAQ,GAAG,mBAAmB,GAC5D,UAAU,GAAG,SAAS,GAAG,gBAAgB,CAAC;AAE9C,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5C,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gEAAgE;AAChE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,0DAA0D;AAC1D,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACtC;AAED,6DAA6D;AAC7D,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wDAAwD;AACxD,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,mDAAmD;AACnD,MAAM,MAAM,OAAO,GAAG,WAAW,GAAG,SAAS,GAAG,eAAe,GAAG,WAAW,CAAC;AAE9E,MAAM,WAAW,IAAI;IACnB,GAAG,EAAE,OAAO,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACtF;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,EAAE,SAAS,EAAE,CAAC;CACzB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GACrB,iBAAiB,GACjB,UAAU,GACV,WAAW,GACX,SAAS,CAAC;AAEd,MAAM,MAAM,QAAQ,GAChB,aAAa,GAAG,WAAW,GAAG,WAAW,GAAG,YAAY,GACxD,aAAa,GAAG,WAAW,GAAG,QAAQ,GAAG,mBAAmB,GAC5D,UAAU,GAAG,SAAS,GAAG,gBAAgB,CAAC;AAE9C,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5C,0EAA0E;AAC1E,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,aAAa,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gEAAgE;AAChE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,cAAc,EAAE,aAAa,CAAC;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,0DAA0D;AAC1D,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACtC;AAED,6DAA6D;AAC7D,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wDAAwD;AACxD,MAAM,WAAW,WAAY,SAAQ,WAAW;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB"}

package/dist/types.js

@@ -1,8 +1,13 @@
 /**
  * @consenttheater/playbill — Type definitions
  *
- * The Playbill is a theater program that lists every actor (tracker) and their role
- * (category/severity) on the web stage (website). These types define the shape of
- * that program.
+ * The Playbill is a theater program that lists every actor (tracker) and
+ * its role on the web stage. These types define the shape of that program.
+ *
+ * The library deliberately does **not** assign verdicts to whole websites
+ * or carry school-grade severity labels. It classifies trackers by the
+ * consent burden each one creates under EU/GDPR rules, leaves judgement
+ * to supervisory authorities and courts, and lets downstream consumers
+ * present the data however they like.
  */
 export {};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@consenttheater/playbill",
-  "version": "0.1.1",
-  "description": "An open-source, tiered knowledge base of GDPR-relevant web trackers (cookies, domains, companies) with pure-function matching and risk-scoring utilities. Standalone library for privacy auditors, compliance scanners, consent platforms, browser extensions, and research tools.",
+  "version": "0.2.0",
+  "description": "An open-source, tiered knowledge base of GDPR-relevant web trackers (cookies, domains, companies) with pure-function matching helpers. Each entry is tagged with the consent burden it creates under EU/GDPR rules — no verdicts, no risk scores. Standalone library for privacy auditors, compliance scanners, consent platforms, browser extensions, and research tools.",
   "author": {
     "name": "ConsentTheater",
     "email": "developer@consenttheater.org",
@@ -50,10 +50,6 @@
       "import": "./dist/matcher.js",
       "types": "./dist/matcher.d.ts"
     },
-    "./scorer": {
-      "import": "./dist/scorer.js",
-      "types": "./dist/scorer.d.ts"
-    },
     "./types": {
       "types": "./dist/types.d.ts"
     }
@@ -71,7 +67,7 @@
   },
   "devDependencies": {
     "typescript": "^5.9.3",
-    "vitest": "^4.1.4"
+    "vitest": "^4.1.5"
   },
   "engines": {
     "node": ">=22.0.0"

package/dist/scorer.d.ts

@@ -1,42 +0,0 @@
-/**
- * @consenttheater/playbill — Scorer
- *
- * Risk scoring — pure functions. Given observations (cookies, requests, banner),
- * produce a compliance score with risk band and violation list.
- *
- * Bands: >= 90 Compliant, 70-89 At Risk, 40-69 Non-Compliant, < 40 Violating
- * Weights: critical -25, high -15, medium -10, low -5
- */
-import type { Severity, Band, BandKey, ScoreResult } from './types.js';
-export declare const SEVERITY_WEIGHTS: Record<Severity, number>;
-export declare const BANDS: readonly {
-    min: number;
-    key: BandKey;
-    label: string;
-}[];
-export declare function bandForScore(score: number): Band;
-export interface ObservedItem {
-    name?: string;
-    hostname?: string;
-    company?: string;
-    service?: string;
-    severity: Severity;
-    category?: string;
-    note?: string;
-}
-export interface ObservedBanner {
-    detected: boolean;
-    hasAcceptButton?: boolean;
-    hasRejectButton?: boolean;
-    hasManageButton?: boolean;
-    buttonCount?: number;
-    textPreview?: string;
-}
-export interface ScoreInput {
-    preConsentCookies?: ObservedItem[];
-    preConsentRequests?: ObservedItem[];
-    dataLeakRequests?: ObservedItem[];
-    banner?: ObservedBanner | null;
-}
-export declare function computeScore(input: ScoreInput): ScoreResult;
-//# sourceMappingURL=scorer.d.ts.map

package/dist/scorer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"scorer.d.ts","sourceRoot":"","sources":["../src/scorer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAa,MAAM,YAAY,CAAC;AAElF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAKrD,CAAC;AAEF,eAAO,MAAM,KAAK,EAAE,SAAS;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAKxE,CAAC;AAEF,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAKhD;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,iBAAiB,CAAC,EAAE,YAAY,EAAE,CAAC;IACnC,kBAAkB,CAAC,EAAE,YAAY,EAAE,CAAC;IACpC,gBAAgB,CAAC,EAAE,YAAY,EAAE,CAAC;IAClC,MAAM,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;CAChC;AAUD,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW,CAwE3D"}

package/dist/scorer.js

@@ -1,97 +0,0 @@
-export const SEVERITY_WEIGHTS = {
-    critical: 25,
-    high: 15,
-    medium: 10,
-    low: 5
-};
-export const BANDS = [
-    { min: 90, key: 'compliant', label: 'Compliant' },
-    { min: 70, key: 'at_risk', label: 'At Risk' },
-    { min: 40, key: 'non_compliant', label: 'Non-Compliant' },
-    { min: 0, key: 'violating', label: 'Violating' }
-];
-export function bandForScore(score) {
-    for (const b of BANDS) {
-        if (score >= b.min)
-            return { key: b.key, label: b.label };
-    }
-    return { key: 'violating', label: 'Violating' };
-}
-function bucketBySeverity(items) {
-    const out = { critical: [], high: [], medium: [], low: [] };
-    for (const it of items || []) {
-        if (out[it.severity])
-            out[it.severity].push(it);
-    }
-    return out;
-}
-export function computeScore(input) {
-    const violations = [];
-    const cookies = bucketBySeverity(input.preConsentCookies);
-    const reqs = bucketBySeverity(input.preConsentRequests);
-    if (cookies.critical.length) {
-        violations.push({
-            type: 'critical_cookies_before_consent', severity: 'critical', count: cookies.critical.length,
-            description: `${cookies.critical.length} advertising/tracking cookie(s) set before consent`,
-            items: cookies.critical.map(c => ({ name: c.name, company: c.company }))
-        });
-    }
-    if (cookies.high.length) {
-        violations.push({
-            type: 'high_cookies_before_consent', severity: 'high', count: cookies.high.length,
-            description: `${cookies.high.length} analytics cookie(s) set before consent`,
-            items: cookies.high.map(c => ({ name: c.name, company: c.company }))
-        });
-    }
-    if (cookies.medium.length) {
-        violations.push({
-            type: 'medium_cookies_before_consent', severity: 'medium', count: cookies.medium.length,
-            description: `${cookies.medium.length} tracking cookie(s) set before consent`,
-            items: cookies.medium.map(c => ({ name: c.name, company: c.company }))
-        });
-    }
-    if (reqs.critical.length) {
-        violations.push({
-            type: 'critical_requests_before_consent', severity: 'critical', count: reqs.critical.length,
-            description: `${reqs.critical.length} advertising request(s) fired before consent`,
-            items: reqs.critical.map(r => ({ hostname: r.hostname, company: r.company }))
-        });
-    }
-    if (reqs.high.length) {
-        violations.push({
-            type: 'high_requests_before_consent', severity: 'high', count: reqs.high.length,
-            description: `${reqs.high.length} analytics request(s) fired before consent`,
-            items: reqs.high.map(r => ({ hostname: r.hostname, company: r.company }))
-        });
-    }
-    const leaks = (input.dataLeakRequests || []).filter(r => r.category === 'data_leak');
-    if (leaks.length) {
-        violations.push({
-            type: 'data_leaks', severity: 'medium', count: leaks.length,
-            description: `${leaks.length} data-leak request(s) (IP exposure to third parties)`,
-            items: leaks.map(r => ({ hostname: r.hostname, company: r.company, note: r.note }))
-        });
-    }
-    const banner = input.banner;
-    if (banner?.detected) {
-        if (banner.hasAcceptButton && !banner.hasRejectButton) {
-            violations.push({
-                type: 'banner_missing_reject', severity: 'high', count: 1,
-                description: 'Consent banner has Accept but no Reject/Decline option'
-            });
-        }
-    }
-    else if (banner === null || (banner && !banner.detected)) {
-        if ((input.preConsentCookies || []).length || (input.preConsentRequests || []).length) {
-            violations.push({
-                type: 'no_banner_with_trackers', severity: 'high', count: 1,
-                description: 'No consent banner detected but trackers are present'
-            });
-        }
-    }
-    let score = 100;
-    for (const v of violations)
-        score -= (SEVERITY_WEIGHTS[v.severity] || 0);
-    score = Math.max(0, Math.min(100, score));
-    return { score, band: bandForScore(score), violations };
-}