@etalon/cli 1.0.0

package/README.md

@@ -0,0 +1,61 @@
+# ETALON Scanner CLI
+
+**Scan websites for third-party trackers and GDPR compliance.**
+
+## Installation
+
+```bash
+npm install -g etalon
+```
+
+## Usage
+
+```bash
+# Scan a website
+optic scan https://example.com
+
+# JSON output
+optic scan https://example.com --format json
+
+# SARIF for CI/CD (GitHub Code Scanning)
+optic scan https://example.com --format sarif
+
+# Deep scan — scroll page, click consent dialogs
+optic scan https://example.com --deep
+
+# Look up a single domain
+optic lookup google-analytics.com
+
+# Registry stats
+optic info
+```
+
+## Options
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `-f, --format` | `text`, `json`, `sarif` | `text` |
+| `-d, --deep` | Scroll + consent interaction | `false` |
+| `-t, --timeout` | Nav timeout in ms | `30000` |
+| `--no-idle` | Skip network idle wait | `false` |
+| `--config` | Path to `etalon.yaml` | auto-detect |
+
+## CI/CD
+
+The `scan` command exits with code **1** if high-risk trackers are found.
+
+```yaml
+# GitHub Actions
+- run: npx etalon scan https://your-site.com --format sarif > results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+## Configuration
+
+See the root [etalon.yaml](../../etalon.yaml.example) for a complete config example.
+
+## License
+
+MIT

package/dist/chunk-Z6ZQZ5HI.js

@@ -0,0 +1,189 @@
+#!/usr/bin/env node
+
+// src/scanner.ts
+import { chromium } from "playwright";
+import {
+  VendorRegistry,
+  extractDomain,
+  isFirstParty
+} from "@etalon/core";
+var ETALON_VERSION = "1.0.0";
+var DEFAULT_OPTIONS = {
+  deep: false,
+  timeout: 3e4,
+  waitForNetworkIdle: true,
+  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
+  viewport: { width: 1920, height: 1080 },
+  vendorDbPath: ""
+};
+async function scanSite(url, options = {}) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  const startTime = Date.now();
+  const registry = opts.vendorDbPath ? VendorRegistry.load(opts.vendorDbPath) : VendorRegistry.load();
+  const siteDomain = extractDomain(url);
+  if (!siteDomain) {
+    throw new Error(`Invalid URL: ${url}`);
+  }
+  const capturedRequests = [];
+  let browser = null;
+  try {
+    browser = await chromium.launch({ headless: true });
+    const context = await browser.newContext({
+      userAgent: opts.userAgent,
+      viewport: opts.viewport,
+      ignoreHTTPSErrors: true
+    });
+    const page = await context.newPage();
+    page.on("request", (request) => {
+      const reqUrl = request.url();
+      const domain = extractDomain(reqUrl);
+      if (!domain) return;
+      capturedRequests.push({
+        url: reqUrl,
+        domain,
+        method: request.method(),
+        type: request.resourceType(),
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    });
+    await page.goto(url, {
+      waitUntil: opts.waitForNetworkIdle ? "networkidle" : "domcontentloaded",
+      timeout: opts.timeout
+    });
+    if (opts.deep) {
+      await performDeepScan(page, opts.timeout);
+    }
+    await page.waitForTimeout(1e3);
+    await context.close();
+  } finally {
+    if (browser) {
+      await browser.close();
+    }
+  }
+  const scanDurationMs = Date.now() - startTime;
+  const thirdPartyRequests = capturedRequests.filter(
+    (req) => !isFirstParty(req.domain, siteDomain)
+  );
+  const vendorMap = /* @__PURE__ */ new Map();
+  const unknownMap = /* @__PURE__ */ new Map();
+  for (const req of thirdPartyRequests) {
+    const vendor = registry.lookupDomain(req.domain);
+    if (vendor) {
+      const existing = vendorMap.get(vendor.id);
+      if (existing) {
+        existing.requests.push(req);
+      } else {
+        vendorMap.set(vendor.id, { vendor, requests: [req] });
+      }
+    } else {
+      const existing = unknownMap.get(req.domain);
+      if (existing) {
+        existing.requests.push(req);
+      } else {
+        unknownMap.set(req.domain, {
+          domain: req.domain,
+          requests: [req],
+          suggestedAction: "submit_for_review"
+        });
+      }
+    }
+  }
+  const vendors = Array.from(vendorMap.values());
+  const unknown = Array.from(unknownMap.values());
+  vendors.sort((a, b) => b.vendor.risk_score - a.vendor.risk_score);
+  const recommendations = generateRecommendations(vendors, unknown);
+  const highRisk = vendors.filter((v) => v.vendor.risk_score >= 6).length;
+  const mediumRisk = vendors.filter((v) => v.vendor.risk_score >= 3 && v.vendor.risk_score < 6).length;
+  const lowRisk = vendors.filter((v) => v.vendor.risk_score < 3).length;
+  return {
+    meta: {
+      etalonVersion: ETALON_VERSION,
+      scanDate: (/* @__PURE__ */ new Date()).toISOString(),
+      scanDurationMs,
+      url,
+      deep: opts.deep ?? false
+    },
+    summary: {
+      totalRequests: capturedRequests.length,
+      thirdPartyRequests: thirdPartyRequests.length,
+      knownVendors: vendors.length,
+      unknownDomains: unknown.length,
+      highRisk,
+      mediumRisk,
+      lowRisk
+    },
+    vendors,
+    unknown,
+    recommendations
+  };
+}
+async function performDeepScan(page, _timeout) {
+  const scrollDelay = 500;
+  const maxScrolls = 10;
+  for (let i = 0; i < maxScrolls; i++) {
+    await page.evaluate(() => {
+      window.scrollBy(0, window.innerHeight);
+    });
+    await page.waitForTimeout(scrollDelay);
+  }
+  await page.evaluate(() => window.scrollTo(0, 0));
+  await page.waitForTimeout(2e3);
+  const consentSelectors = [
+    'button[id*="accept"]',
+    'button[id*="consent"]',
+    'button[class*="accept"]',
+    'button[class*="consent"]',
+    'a[id*="accept"]',
+    '[data-testid*="accept"]',
+    '[data-testid*="consent"]'
+  ];
+  for (const selector of consentSelectors) {
+    try {
+      const button = page.locator(selector).first();
+      if (await button.isVisible({ timeout: 500 })) {
+        await button.click();
+        await page.waitForTimeout(1e3);
+        break;
+      }
+    } catch {
+    }
+  }
+}
+function generateRecommendations(vendors, unknown) {
+  const recs = [];
+  for (const v of vendors) {
+    if (v.vendor.risk_score >= 6) {
+      const altText = v.vendor.alternatives?.length ? ` Consider alternatives: ${v.vendor.alternatives.join(", ")}` : "";
+      recs.push({
+        type: "high_risk_vendor",
+        vendorId: v.vendor.id,
+        message: `${v.vendor.name} is a high-risk tracker (score: ${v.vendor.risk_score}/10).${altText}`
+      });
+    }
+    if (v.vendor.gdpr_compliant && !v.vendor.dpa_url && v.vendor.risk_score >= 3) {
+      recs.push({
+        type: "missing_dpa",
+        vendorId: v.vendor.id,
+        message: `${v.vendor.name} is GDPR-compliant but no DPA URL is documented. Verify your Data Processing Agreement.`
+      });
+    }
+    if (v.vendor.risk_score >= 4 && v.vendor.alternatives?.length) {
+      recs.push({
+        type: "consider_alternative",
+        vendorId: v.vendor.id,
+        message: `Consider privacy-friendly alternatives to ${v.vendor.name}: ${v.vendor.alternatives.join(", ")}`
+      });
+    }
+  }
+  if (unknown.length > 0) {
+    recs.push({
+      type: "unknown_tracker",
+      message: `${unknown.length} unknown domain(s) detected. Review and submit to the ETALON registry if they are trackers.`
+    });
+  }
+  return recs;
+}
+
+export {
+  scanSite
+};

package/dist/consent-checker-B6J7GESG.js

@@ -0,0 +1,199 @@
+#!/usr/bin/env node
+
+// src/consent-checker.ts
+import { chromium } from "playwright";
+import {
+  VendorRegistry,
+  extractDomain,
+  isFirstParty
+} from "@etalon/core";
+var CMP_SELECTORS = [
+  // CookieBot
+  { name: "Cookiebot", banner: "#CybotCookiebotDialog", reject: '#CybotCookiebotDialogBodyButtonDecline, .CybotCookiebotDialogBodyButton[id*="decline"]' },
+  // OneTrust
+  { name: "OneTrust", banner: "#onetrust-consent-sdk, .onetrust-pc-dark-filter", reject: "#onetrust-reject-all-handler, .ot-pc-refuse-all-handler" },
+  // Didomi
+  { name: "Didomi", banner: "#didomi-popup, .didomi-popup-container", reject: "#didomi-notice-disagree-button, .didomi-components-button--disagree" },
+  // Quantcast
+  { name: "Quantcast", banner: ".qc-cmp2-container, #qcCmpUi", reject: '.qc-cmp2-summary-buttons button[mode="secondary"], .qc-cmp2-footer button:first-child' },
+  // Klaro
+  { name: "Klaro", banner: ".klaro .cookie-notice, .klaro .cm-app", reject: ".klaro .cn-decline, .klaro .cm-btn-decline" },
+  // TrustArc
+  { name: "TrustArc", banner: "#truste-consent-track", reject: "#truste-consent-required" },
+  // Generic selectors
+  { name: "Generic", banner: '[class*="cookie-banner"], [class*="cookie-consent"], [id*="cookie-banner"], [id*="cookie-consent"], [class*="gdpr"], [id*="gdpr"]', reject: 'button[class*="reject"], button[class*="decline"], button[class*="deny"], a[class*="reject"], a[class*="decline"]' },
+  // Text-based (last resort)
+  { name: "Text-based", banner: "", reject: "" }
+];
+var REJECT_TEXT_PATTERNS = [
+  /reject\s*all/i,
+  /decline\s*all/i,
+  /refuse\s*all/i,
+  /deny\s*all/i,
+  /reject/i,
+  /decline/i,
+  /refuse/i,
+  /nur\s*notwendige/i,
+  // German: "only necessary"
+  /refuser/i,
+  // French
+  /rifiuta/i,
+  // Italian
+  /rechazar/i
+  // Spanish
+];
+async function checkConsent(url, options = {}) {
+  const timeout = options.timeout ?? 15e3;
+  const registry = VendorRegistry.load();
+  const siteDomain = extractDomain(url);
+  if (!siteDomain) throw new Error(`Invalid URL: ${url}`);
+  const preConsentRequests = [];
+  const postRejectRequests = [];
+  let phase = "pre-consent";
+  let browser = null;
+  try {
+    browser = await chromium.launch({ headless: true });
+    const context = await browser.newContext({
+      userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
+      viewport: { width: 1920, height: 1080 }
+    });
+    const page = await context.newPage();
+    page.on("request", (request) => {
+      const reqUrl = request.url();
+      const domain = extractDomain(reqUrl);
+      if (!domain || isFirstParty(domain, siteDomain)) return;
+      const req = {
+        url: reqUrl,
+        method: request.method(),
+        resourceType: request.resourceType(),
+        domain
+      };
+      if (phase === "pre-consent") {
+        preConsentRequests.push(req);
+      } else {
+        postRejectRequests.push(req);
+      }
+    });
+    await page.goto(url, { waitUntil: "networkidle", timeout });
+    await page.waitForTimeout(2e3);
+    const { bannerDetected, bannerType, rejectSelector } = await detectBanner(page);
+    let rejectButtonFound = false;
+    let rejectClicked = false;
+    if (bannerDetected && rejectSelector) {
+      rejectButtonFound = true;
+      try {
+        await page.click(rejectSelector, { timeout: 5e3 });
+        rejectClicked = true;
+      } catch {
+        rejectClicked = false;
+      }
+    }
+    if (bannerDetected && !rejectClicked) {
+      const result = await tryTextBasedReject(page);
+      rejectButtonFound = rejectButtonFound || result.found;
+      rejectClicked = result.clicked;
+    }
+    if (rejectClicked) {
+      phase = "post-reject";
+      await page.waitForTimeout(3e3);
+    }
+    const preConsentTrackers = classifyTrackers(preConsentRequests, registry);
+    const postRejectTrackers = classifyTrackers(postRejectRequests, registry);
+    const violations = [];
+    for (const tracker of preConsentTrackers) {
+      if (tracker.category === "analytics" || tracker.category === "advertising") {
+        violations.push({
+          vendor: tracker.name,
+          vendorId: tracker.id,
+          domain: tracker.matchedDomain,
+          phase: "before-interaction",
+          message: `${tracker.name} loaded BEFORE any consent interaction \u2014 violates GDPR Art. 6(1)(a)`
+        });
+      }
+    }
+    for (const tracker of postRejectTrackers) {
+      if (tracker.category === "analytics" || tracker.category === "advertising") {
+        violations.push({
+          vendor: tracker.name,
+          vendorId: tracker.id,
+          domain: tracker.matchedDomain,
+          phase: "after-reject",
+          message: `${tracker.name} still active AFTER consent rejection \u2014 consent mechanism is broken`
+        });
+      }
+    }
+    return {
+      url,
+      bannerDetected,
+      bannerType,
+      rejectButtonFound,
+      rejectClicked,
+      preConsentTrackers,
+      postRejectTrackers,
+      violations,
+      pass: violations.length === 0
+    };
+  } finally {
+    await browser?.close();
+  }
+}
+async function detectBanner(page) {
+  for (const cmp of CMP_SELECTORS) {
+    if (!cmp.banner) continue;
+    try {
+      const banner = await page.$(cmp.banner);
+      if (banner) {
+        const isVisible = await banner.isVisible();
+        if (isVisible) {
+          let rejectSelector = null;
+          if (cmp.reject) {
+            const reject = await page.$(cmp.reject);
+            if (reject && await reject.isVisible()) {
+              rejectSelector = cmp.reject;
+            }
+          }
+          return { bannerDetected: true, bannerType: cmp.name, rejectSelector };
+        }
+      }
+    } catch {
+    }
+  }
+  return { bannerDetected: false, bannerType: null, rejectSelector: null };
+}
+async function tryTextBasedReject(page) {
+  try {
+    const buttons = await page.$$('button, a[role="button"], [class*="btn"]');
+    for (const button of buttons) {
+      const text = await button.textContent();
+      if (!text) continue;
+      const matches = REJECT_TEXT_PATTERNS.some((p) => p.test(text.trim()));
+      if (matches && await button.isVisible()) {
+        await button.click();
+        return { found: true, clicked: true };
+      }
+    }
+  } catch {
+  }
+  return { found: false, clicked: false };
+}
+function classifyTrackers(requests, registry) {
+  const seen = /* @__PURE__ */ new Set();
+  const trackers = [];
+  for (const req of requests) {
+    const vendor = registry.lookupDomain(req.domain);
+    if (vendor && !seen.has(vendor.id)) {
+      seen.add(vendor.id);
+      trackers.push({
+        id: vendor.id,
+        name: vendor.name,
+        category: vendor.category,
+        matchedDomain: req.domain,
+        firstSeenUrl: req.url
+      });
+    }
+  }
+  return trackers;
+}
+export {
+  checkConsent
+};