npm - @etalon/cli - Versions diffs - 1.0.0 - Mend

@etalon/cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +61 -0
package/dist/chunk-Z6ZQZ5HI.js +189 -0
package/dist/consent-checker-B6J7GESG.js +199 -0
package/dist/index.js +1190 -0
package/dist/policy-checker-J2WPHGU3.js +294 -0
package/package.json +43 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1190 @@
+#!/usr/bin/env node
+import {
+  scanSite
+} from "./chunk-Z6ZQZ5HI.js";
+// src/index.ts
+import { Command } from "commander";
+import ora from "ora";
+import chalk4 from "chalk";
+import { writeFileSync as writeFileSync2 } from "fs";
+import {
+  normalizeUrl,
+  VendorRegistry,
+  auditProject,
+  formatAuditSarif,
+  generateBadgeSvg,
+  calculateScore,
+  generatePatches,
+  applyPatches,
+  analyzeDataFlow,
+  toMermaid,
+  toTextSummary,
+  generatePolicy
+} from "@etalon/core";
+// src/formatters/text.ts
+import chalk from "chalk";
+function formatText(report) {
+  const lines = [];
+  lines.push("");
+  lines.push(chalk.bold.cyan("ETALON Privacy Audit"));
+  lines.push(chalk.dim("\u2550".repeat(55)));
+  lines.push(`${chalk.dim("Site:")}       ${report.meta.url}`);
+  lines.push(`${chalk.dim("Scanned:")}    ${new Date(report.meta.scanDate).toLocaleString()}`);
+  lines.push(`${chalk.dim("Duration:")}   ${(report.meta.scanDurationMs / 1e3).toFixed(1)} seconds`);
+  if (report.meta.deep) {
+    lines.push(`${chalk.dim("Mode:")}       ${chalk.yellow("Deep scan")}`);
+  }
+  lines.push("");
+  lines.push(chalk.bold("\u{1F4CA} Summary"));
+  lines.push(chalk.dim("\u2500".repeat(55)));
+  const { summary } = report;
+  lines.push(`${chalk.green("\u2713")} ${summary.thirdPartyRequests} third-party requests`);
+  lines.push(`${chalk.green("\u2713")} ${summary.knownVendors} matched to known vendors`);
+  if (summary.unknownDomains > 0) {
+    lines.push(`${chalk.yellow("\u26A0")} ${summary.unknownDomains} unknown domain${summary.unknownDomains !== 1 ? "s" : ""}`);
+  }
+  if (summary.highRisk > 0) {
+    lines.push(`${chalk.red("\u2717")} ${summary.highRisk} high-risk tracker${summary.highRisk !== 1 ? "s" : ""} detected`);
+  }
+  const highRisk = report.vendors.filter((v) => v.vendor.risk_score >= 6);
+  if (highRisk.length > 0) {
+    lines.push("");
+    lines.push(chalk.bold.red(`\u{1F534} High Risk (${highRisk.length})`));
+    lines.push(chalk.dim("\u2500".repeat(55)));
+    for (const dv of highRisk) {
+      lines.push(...formatVendorEntry(dv));
+      lines.push("");
+    }
+  }
+  const mediumRisk = report.vendors.filter((v) => v.vendor.risk_score >= 3 && v.vendor.risk_score < 6);
+  if (mediumRisk.length > 0) {
+    lines.push("");
+    lines.push(chalk.bold.yellow(`\u{1F7E1} Medium Risk (${mediumRisk.length})`));
+    lines.push(chalk.dim("\u2500".repeat(55)));
+    for (const dv of mediumRisk) {
+      lines.push(...formatVendorEntry(dv));
+      lines.push("");
+    }
+  }
+  const lowRisk = report.vendors.filter((v) => v.vendor.risk_score < 3);
+  if (lowRisk.length > 0) {
+    lines.push("");
+    lines.push(chalk.bold.green(`\u{1F7E2} Low Risk (${lowRisk.length})`));
+    lines.push(chalk.dim("\u2500".repeat(55)));
+    for (const dv of lowRisk) {
+      lines.push(...formatVendorEntry(dv, true));
+      lines.push("");
+    }
+  }
+  if (report.unknown.length > 0) {
+    lines.push("");
+    lines.push(chalk.bold.gray(`\u2753 Unknown (${report.unknown.length})`));
+    lines.push(chalk.dim("\u2500".repeat(55)));
+    for (const u of report.unknown) {
+      lines.push(...formatUnknownEntry(u));
+    }
+  }
+  if (report.recommendations.length > 0) {
+    lines.push("");
+    lines.push(chalk.bold("\u{1F4A1} Recommendations"));
+    lines.push(chalk.dim("\u2500".repeat(55)));
+    report.recommendations.forEach((rec, i) => {
+      lines.push(`${i + 1}. ${rec.message}`);
+    });
+  }
+  lines.push("");
+  lines.push(chalk.dim("Run with --format json for machine-readable output"));
+  lines.push(chalk.dim("Report issues: github.com/NMA-vc/etalon/issues"));
+  lines.push("");
+  return lines.join("\n");
+}
+function formatVendorEntry(dv, compact = false) {
+  const { vendor } = dv;
+  const lines = [];
+  const riskColor = vendor.risk_score >= 6 ? chalk.red : vendor.risk_score >= 3 ? chalk.yellow : chalk.green;
+  lines.push(
+    `${riskColor(vendor.domains[0].padEnd(35))} ${chalk.bold(vendor.name)}`
+  );
+  lines.push(`\u251C\u2500 ${chalk.dim("Category:")}   ${vendor.category}`);
+  if (!compact) {
+    const gdprStatus = vendor.gdpr_compliant ? chalk.green("Compliant") + (vendor.dpa_url ? chalk.dim(" (with DPA)") : "") : chalk.red("Non-compliant");
+    lines.push(`\u251C\u2500 ${chalk.dim("GDPR:")}       ${gdprStatus}`);
+    if (vendor.data_collected.length > 0) {
+      lines.push(`\u251C\u2500 ${chalk.dim("Data:")}       ${vendor.data_collected.join(", ")}`);
+    }
+    if (vendor.dpa_url) {
+      lines.push(`\u251C\u2500 ${chalk.dim("DPA:")}        ${chalk.underline(vendor.dpa_url)}`);
+    }
+    if (vendor.alternatives?.length) {
+      lines.push(`\u2514\u2500 ${chalk.dim("Alt:")}        Consider ${vendor.alternatives.join(", ")}`);
+    } else {
+      lines.push(`\u2514\u2500 ${chalk.dim("Requests:")}   ${dv.requests.length}`);
+    }
+  } else {
+    lines.push(`\u2514\u2500 ${chalk.dim("Requests:")}   ${dv.requests.length}`);
+  }
+  return lines;
+}
+function formatUnknownEntry(u) {
+  return [
+    `${chalk.gray(u.domain)}`,
+    `\u251C\u2500 ${chalk.dim("Requests:")}   ${u.requests.length}`,
+    `\u2514\u2500 ${chalk.dim("Action:")}     Submit to ETALON registry`,
+    ""
+  ];
+}
+// src/formatters/json.ts
+function formatJson(report) {
+  const output = {
+    meta: {
+      etalon_version: report.meta.etalonVersion,
+      scan_date: report.meta.scanDate,
+      scan_duration_ms: report.meta.scanDurationMs,
+      url: report.meta.url
+    },
+    summary: {
+      total_requests: report.summary.totalRequests,
+      third_party_requests: report.summary.thirdPartyRequests,
+      known_vendors: report.summary.knownVendors,
+      unknown_domains: report.summary.unknownDomains,
+      high_risk: report.summary.highRisk,
+      medium_risk: report.summary.mediumRisk,
+      low_risk: report.summary.lowRisk
+    },
+    vendors: report.vendors.map((dv) => ({
+      domain: dv.vendor.domains[0],
+      vendor_id: dv.vendor.id,
+      name: dv.vendor.name,
+      category: dv.vendor.category,
+      risk_level: dv.vendor.risk_score >= 6 ? "high" : dv.vendor.risk_score >= 3 ? "medium" : "low",
+      risk_score: dv.vendor.risk_score,
+      gdpr_compliant: dv.vendor.gdpr_compliant,
+      dpa_url: dv.vendor.dpa_url,
+      data_collected: dv.vendor.data_collected,
+      requests: dv.requests.map((r) => ({
+        url: r.url,
+        method: r.method,
+        type: r.type,
+        timestamp: r.timestamp
+      }))
+    })),
+    unknown: report.unknown.map((u) => ({
+      domain: u.domain,
+      requests: u.requests.map((r) => ({
+        url: r.url,
+        method: r.method,
+        type: r.type
+      })),
+      suggested_action: u.suggestedAction
+    })),
+    recommendations: report.recommendations.map((r) => ({
+      type: r.type,
+      vendor_id: r.vendorId,
+      message: r.message
+    }))
+  };
+  return JSON.stringify(output, null, 2);
+}
+// src/formatters/sarif.ts
+function formatSarif(report) {
+  const results = [];
+  for (const dv of report.vendors) {
+    if (dv.vendor.risk_score >= 6) {
+      results.push({
+        ruleId: "high-risk-tracker",
+        level: "warning",
+        message: {
+          text: `${dv.vendor.name} detected (risk score: ${dv.vendor.risk_score}/10). Category: ${dv.vendor.category}. ${dv.vendor.gdpr_compliant ? "GDPR compliant" : "Not GDPR compliant"}.`
+        },
+        locations: [
+          {
+            physicalLocation: {
+              artifactLocation: { uri: report.meta.url }
+            }
+          }
+        ],
+        properties: {
+          vendorId: dv.vendor.id,
+          category: dv.vendor.category,
+          riskScore: dv.vendor.risk_score,
+          requestCount: dv.requests.length
+        }
+      });
+    }
+  }
+  for (const dv of report.vendors) {
+    if (dv.vendor.risk_score >= 3 && dv.vendor.risk_score < 6) {
+      results.push({
+        ruleId: "medium-risk-tracker",
+        level: "note",
+        message: {
+          text: `${dv.vendor.name} detected (risk score: ${dv.vendor.risk_score}/10). Category: ${dv.vendor.category}.`
+        },
+        locations: [
+          {
+            physicalLocation: {
+              artifactLocation: { uri: report.meta.url }
+            }
+          }
+        ],
+        properties: {
+          vendorId: dv.vendor.id,
+          category: dv.vendor.category,
+          riskScore: dv.vendor.risk_score
+        }
+      });
+    }
+  }
+  for (const u of report.unknown) {
+    results.push({
+      ruleId: "unknown-tracker",
+      level: "note",
+      message: {
+        text: `Unknown third-party domain: ${u.domain} (${u.requests.length} request${u.requests.length !== 1 ? "s" : ""})`
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: report.meta.url }
+          }
+        }
+      ]
+    });
+  }
+  const sarif = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "ETALON",
+            version: report.meta.etalonVersion,
+            informationUri: "https://github.com/NMA-vc/etalon",
+            rules: [
+              {
+                id: "high-risk-tracker",
+                shortDescription: { text: "High-risk tracker detected" },
+                helpUri: "https://github.com/NMA-vc/etalon#risk-levels"
+              },
+              {
+                id: "medium-risk-tracker",
+                shortDescription: { text: "Medium-risk tracker detected" },
+                helpUri: "https://github.com/NMA-vc/etalon#risk-levels"
+              },
+              {
+                id: "unknown-tracker",
+                shortDescription: { text: "Unknown third-party domain" },
+                helpUri: "https://github.com/NMA-vc/etalon#unknown-domains"
+              }
+            ]
+          }
+        },
+        results
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+// src/formatters/audit-text.ts
+import chalk2 from "chalk";
+var SEVERITY_ICONS = {
+  critical: "\u{1F534}",
+  high: "\u{1F534}",
+  medium: "\u{1F7E1}",
+  low: "\u{1F7E2}",
+  info: "\u2139\uFE0F "
+};
+var SEVERITY_COLORS = {
+  critical: chalk2.red.bold,
+  high: chalk2.red,
+  medium: chalk2.yellow,
+  low: chalk2.green,
+  info: chalk2.gray
+};
+var CATEGORY_LABELS = {
+  code: "\u{1F4E6} Code",
+  schema: "\u{1F5C4}\uFE0F  Schema",
+  config: "\u2699\uFE0F  Config"
+};
+function formatAuditText(report) {
+  const lines = [];
+  lines.push("");
+  lines.push(chalk2.bold("ETALON Code Audit"));
+  lines.push(chalk2.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  lines.push(`Directory:  ${chalk2.cyan(report.meta.directory)}`);
+  lines.push(`Scanned:    ${new Date(report.meta.auditDate).toLocaleString()}`);
+  lines.push(`Duration:   ${(report.meta.auditDurationMs / 1e3).toFixed(1)} seconds`);
+  lines.push("");
+  lines.push(chalk2.bold("\u{1F50D} Detected Stack"));
+  lines.push(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  lines.push(`Languages:  ${report.meta.stack.languages.join(", ")}`);
+  lines.push(`Framework:  ${report.meta.stack.framework}`);
+  lines.push(`ORM:        ${report.meta.stack.orm}`);
+  lines.push(`Pkg Mgr:    ${report.meta.stack.packageManager}`);
+  lines.push("");
+  lines.push(chalk2.bold("\u{1F4CA} Summary"));
+  lines.push(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  const s = report.summary;
+  if (s.totalFindings === 0) {
+    lines.push(chalk2.green("\u2713 No findings!"));
+  } else {
+    if (s.critical > 0) lines.push(chalk2.red.bold(`  \u{1F534} ${s.critical} critical`));
+    if (s.high > 0) lines.push(chalk2.red(`  \u{1F534} ${s.high} high`));
+    if (s.medium > 0) lines.push(chalk2.yellow(`  \u{1F7E1} ${s.medium} medium`));
+    if (s.low > 0) lines.push(chalk2.green(`  \u{1F7E2} ${s.low} low`));
+    if (s.info > 0) lines.push(chalk2.gray(`  \u2139\uFE0F  ${s.info} info`));
+    lines.push("");
+    lines.push(`  Tracker SDKs:    ${s.trackerSdksFound}`);
+    lines.push(`  PII columns:     ${s.piiColumnsFound}`);
+    lines.push(`  Config issues:   ${s.configIssues}`);
+  }
+  lines.push("");
+  if (report.score) {
+    const gradeColors = {
+      A: chalk2.green.bold,
+      B: chalk2.green,
+      C: chalk2.yellow,
+      D: chalk2.red,
+      F: chalk2.red.bold
+    };
+    const colorFn = gradeColors[report.score.grade];
+    lines.push(chalk2.bold("\u{1F6E1}\uFE0F  Compliance Score"));
+    lines.push(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    lines.push(`  Grade: ${colorFn(report.score.grade)}  Score: ${colorFn(String(report.score.score))}/100`);
+    lines.push("");
+  }
+  if (report.findings.length > 0) {
+    const grouped = groupByCategory(report.findings);
+    for (const [category, findings] of Object.entries(grouped)) {
+      lines.push(chalk2.bold(`${CATEGORY_LABELS[category] ?? category} Findings (${findings.length})`));
+      lines.push(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+      for (const finding of findings) {
+        const icon = SEVERITY_ICONS[finding.severity] ?? "?";
+        const colorFn = SEVERITY_COLORS[finding.severity] ?? chalk2.white;
+        lines.push(`${icon} ${colorFn(finding.title)}`);
+        lines.push(`\u251C\u2500 ${chalk2.dim("File:")}    ${finding.file}${finding.line ? `:${finding.line}` : ""}`);
+        if (finding.blame) {
+          const date = new Date(finding.blame.date).toLocaleDateString();
+          lines.push(`\u251C\u2500 ${chalk2.dim("Blame:")}   ${finding.blame.author} on ${date} (${finding.blame.commit.substring(0, 8)})`);
+        }
+        lines.push(`\u251C\u2500 ${chalk2.dim("Rule:")}    ${finding.rule}`);
+        lines.push(`\u251C\u2500 ${chalk2.dim("Message:")} ${finding.message}`);
+        if (finding.gdprArticles && finding.gdprArticles.length > 0) {
+          const arts = finding.gdprArticles.map((a) => `Art. ${a.article}`).join(", ");
+          lines.push(`\u251C\u2500 ${chalk2.dim("GDPR:")}    \u2696\uFE0F  ${chalk2.magenta(arts)}`);
+        }
+        if (finding.fix) {
+          lines.push(`\u2514\u2500 ${chalk2.dim("Fix:")}     ${chalk2.cyan(finding.fix)}`);
+        } else {
+          lines.push("");
+        }
+      }
+      lines.push("");
+    }
+  }
+  if (report.recommendations.length > 0) {
+    lines.push(chalk2.bold("\u{1F4A1} Recommendations"));
+    lines.push(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    for (let i = 0; i < report.recommendations.length; i++) {
+      lines.push(`${i + 1}. ${report.recommendations[i]}`);
+    }
+    lines.push("");
+  }
+  lines.push(chalk2.dim("Run with --format json for machine-readable output"));
+  lines.push(chalk2.dim("Report issues: github.com/NMA-vc/etalon/issues"));
+  return lines.join("\n");
+}
+function groupByCategory(findings) {
+  const groups = {};
+  for (const finding of findings) {
+    if (!groups[finding.category]) groups[finding.category] = [];
+    groups[finding.category].push(finding);
+  }
+  return groups;
+}
+// src/formatters/html-report.ts
+var GRADE_COLORS = {
+  A: "#4caf50",
+  B: "#8bc34a",
+  C: "#ff9800",
+  D: "#ff5722",
+  F: "#f44336"
+};
+var SEV_COLORS = {
+  critical: "#f44336",
+  high: "#ff5722",
+  medium: "#ff9800",
+  low: "#4caf50",
+  info: "#90a4ae"
+};
+function generateHtmlReport(report) {
+  const score = report.score;
+  const grade = score?.grade ?? "F";
+  const gradeColor = GRADE_COLORS[grade];
+  const scoreNum = score?.score ?? 0;
+  const findingRows = report.findings.map((f) => {
+    const gdpr = f.gdprArticles?.map((a) => `<a href="${a.url}" target="_blank" title="${a.title}">Art. ${a.article}</a>`).join(", ") ?? "";
+    return `<tr data-severity="${f.severity}" data-category="${f.category}">
+            <td><span class="sev-badge" style="background:${SEV_COLORS[f.severity]}">${f.severity}</span></td>
+            <td>${esc(f.title)}</td>
+            <td><code>${esc(f.file)}${f.line ? `:${f.line}` : ""}</code></td>
+            <td>${esc(f.rule)}</td>
+            <td class="gdpr-col">${gdpr}</td>
+            <td>${f.fix ? esc(f.fix) : ""}</td>
+        </tr>`;
+  }).join("\n");
+  const sevChart = ["critical", "high", "medium", "low", "info"].map((s) => {
+    const count = report.summary[s];
+    return count > 0 ? `<div class="bar" style="flex:${count};background:${SEV_COLORS[s]}" title="${s}: ${count}">${count}</div>` : "";
+  }).join("");
+  return `<!DOCTYPE html>
+<html lang="en" data-theme="dark">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>ETALON Privacy Audit Report</title>
+<style>
+:root { --bg: #0d1117; --card: #161b22; --border: #30363d; --text: #c9d1d9; --text-dim: #8b949e; }
+* { margin:0; padding:0; box-sizing:border-box; }
+body { font-family: -apple-system,BlinkMacSystemFont,'Segoe UI',Helvetica,Arial,sans-serif; background:var(--bg); color:var(--text); padding:2rem; line-height:1.6; }
+.container { max-width:1200px; margin:0 auto; }
+h1 { font-size:1.8rem; margin-bottom:.5rem; }
+h2 { font-size:1.2rem; margin:1.5rem 0 .75rem; color:var(--text); }
+.subtitle { color:var(--text-dim); margin-bottom:2rem; }
+.grid { display:grid; grid-template-columns:200px 1fr; gap:1.5rem; margin-bottom:2rem; }
+.score-ring { width:180px; height:180px; position:relative; margin:0 auto; }
+.score-ring svg { transform:rotate(-90deg); }
+.score-ring .label { position:absolute; top:50%; left:50%; transform:translate(-50%,-50%); text-align:center; }
+.score-ring .grade { font-size:3rem; font-weight:700; color:${gradeColor}; }
+.score-ring .num { font-size:1rem; color:var(--text-dim); }
+.card { background:var(--card); border:1px solid var(--border); border-radius:8px; padding:1.25rem; }
+.meta-grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(180px,1fr)); gap:.75rem; }
+.meta-item { font-size:.85rem; }
+.meta-item span { display:block; color:var(--text-dim); font-size:.75rem; }
+.bar-chart { display:flex; border-radius:4px; overflow:hidden; height:28px; margin:1rem 0; }
+.bar { color:#fff; font-size:.75rem; display:flex; align-items:center; justify-content:center; font-weight:600; min-width:28px; }
+table { width:100%; border-collapse:collapse; font-size:.85rem; }
+th { text-align:left; padding:.6rem .75rem; border-bottom:2px solid var(--border); color:var(--text-dim); font-weight:600; position:sticky; top:0; background:var(--card); }
+td { padding:.5rem .75rem; border-bottom:1px solid var(--border); vertical-align:top; }
+tr:hover { background:#1c2128; }
+code { background:#1c2128; padding:.15rem .4rem; border-radius:3px; font-size:.8rem; }
+a { color:#58a6ff; text-decoration:none; }
+a:hover { text-decoration:underline; }
+.sev-badge { color:#fff; padding:2px 8px; border-radius:3px; font-size:.75rem; font-weight:600; text-transform:uppercase; }
+.filters { display:flex; gap:.5rem; margin-bottom:1rem; flex-wrap:wrap; }
+.filters button { background:var(--card); border:1px solid var(--border); color:var(--text); padding:.35rem .75rem; border-radius:4px; cursor:pointer; font-size:.8rem; }
+.filters button.active { background:#1f6feb; border-color:#1f6feb; color:#fff; }
+.gdpr-col { font-size:.8rem; }
+.footer { text-align:center; color:var(--text-dim); font-size:.8rem; margin-top:2rem; padding-top:1rem; border-top:1px solid var(--border); }
+@media print { body { background:#fff; color:#000; } .card { border-color:#ddd; } }
+@media (max-width:768px) { .grid { grid-template-columns:1fr; } }
+</style>
+</head>
+<body>
+<div class="container">
+<h1>\u{1F6E1}\uFE0F ETALON Privacy Audit Report</h1>
+<p class="subtitle">Generated ${new Date(report.meta.auditDate).toLocaleString()} \u2022 ${report.meta.directory}</p>
+<div class="grid">
+  <div class="card" style="display:flex;align-items:center;justify-content:center">
+    <div class="score-ring">
+      <svg width="180" height="180" viewBox="0 0 180 180">
+        <circle cx="90" cy="90" r="78" stroke="var(--border)" stroke-width="12" fill="none"/>
+        <circle cx="90" cy="90" r="78" stroke="${gradeColor}" stroke-width="12" fill="none"
+          stroke-dasharray="${scoreNum / 100 * 490} 490" stroke-linecap="round"/>
+      </svg>
+      <div class="label">
+        <div class="grade">${grade}</div>
+        <div class="num">${scoreNum}/100</div>
+      </div>
+    </div>
+  </div>
+  <div class="card">
+    <h2 style="margin-top:0">Summary</h2>
+    <div class="meta-grid">
+      <div class="meta-item"><span>Total Findings</span>${report.summary.totalFindings}</div>
+      <div class="meta-item"><span>Tracker SDKs</span>${report.summary.trackerSdksFound}</div>
+      <div class="meta-item"><span>PII Columns</span>${report.summary.piiColumnsFound}</div>
+      <div class="meta-item"><span>Config Issues</span>${report.summary.configIssues}</div>
+      <div class="meta-item"><span>Stack</span>${report.meta.stack.languages.join(", ")} / ${report.meta.stack.framework}</div>
+      <div class="meta-item"><span>Duration</span>${(report.meta.auditDurationMs / 1e3).toFixed(1)}s</div>
+    </div>
+    <div class="bar-chart">${sevChart || '<div style="flex:1;background:var(--border);display:flex;align-items:center;justify-content:center;color:var(--text-dim);font-size:.8rem">No findings</div>'}</div>
+  </div>
+</div>
+${report.findings.length > 0 ? `
+<div class="card">
+<h2 style="margin-top:0">Findings (${report.findings.length})</h2>
+<div class="filters">
+  <button class="active" onclick="filterTable('all')">All</button>
+  <button onclick="filterTable('critical')">Critical</button>
+  <button onclick="filterTable('high')">High</button>
+  <button onclick="filterTable('medium')">Medium</button>
+  <button onclick="filterTable('low')">Low</button>
+</div>
+<div style="overflow-x:auto">
+<table id="findings-table">
+<thead><tr><th>Severity</th><th>Title</th><th>File</th><th>Rule</th><th>GDPR</th><th>Fix</th></tr></thead>
+<tbody>${findingRows}</tbody>
+</table>
+</div>
+</div>` : ""}
+${report.recommendations.length > 0 ? `
+<div class="card" style="margin-top:1.5rem">
+<h2 style="margin-top:0">\u{1F4A1} Recommendations</h2>
+<ol style="padding-left:1.25rem">${report.recommendations.map((r) => `<li>${esc(r)}</li>`).join("")}</ol>
+</div>` : ""}
+<div class="footer">
+  Generated by <a href="https://etalon.nma.vc">ETALON</a> v${report.meta.etalonVersion} \u2022
+  <a href="https://etalon.nma.vc/docs">Documentation</a>
+</div>
+</div>
+<script>
+function filterTable(sev) {
+  document.querySelectorAll('.filters button').forEach(b => b.classList.remove('active'));
+  event.target.classList.add('active');
+  document.querySelectorAll('#findings-table tbody tr').forEach(row => {
+    row.style.display = (sev === 'all' || row.dataset.severity === sev) ? '' : 'none';
+  });
+}
+</script>
+</body>
+</html>`;
+}
+function esc(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+// src/config.ts
+import { readFileSync, existsSync } from "fs";
+import { join } from "path";
+import { parse as parseYaml } from "yaml";
+var CONFIG_FILENAMES = ["etalon.yaml", "etalon.yml", ".etalon.yaml", ".etalon.yml"];
+function loadConfig(startDir) {
+  const dir = startDir ?? process.cwd();
+  for (const filename of CONFIG_FILENAMES) {
+    const filePath = join(dir, filename);
+    if (existsSync(filePath)) {
+      try {
+        const raw = readFileSync(filePath, "utf-8");
+        return parseYaml(raw);
+      } catch (err) {
+        console.error(`Warning: Failed to parse ${filePath}: ${err}`);
+        return null;
+      }
+    }
+  }
+  return null;
+}
+// src/commands/init.ts
+import { writeFileSync, existsSync as existsSync2, mkdirSync } from "fs";
+import { join as join2 } from "path";
+import chalk3 from "chalk";
+var ETALON_YAML = `# ETALON Configuration
+# https://etalon.nma.vc/docs/config
+version: "1.0"
+# Vendors/domains you've reviewed and approved
+allowlist: []
+  # - vendor_id: google-analytics
+  #   reason: "Required for analytics \u2014 consent collected via CMP"
+  #   approved_by: "privacy@company.com"
+  #   approved_date: "2025-01-15"
+# Audit settings
+audit:
+  severity: low          # minimum severity to report
+  include_blame: false   # enrich with git blame info
+# Scan settings (runtime)
+scan:
+  timeout: 30000
+  wait_for_network_idle: true
+`;
+var GITHUB_ACTION = `name: ETALON Privacy Audit
+on:
+  pull_request:
+    branches: [main, master]
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+jobs:
+  etalon:
+    name: Privacy Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Install ETALON
+        run: npm install -g etalon
+      - name: Run audit
+        run: etalon audit ./ --format sarif > etalon-results.sarif
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: etalon-results.sarif
+          category: etalon-privacy
+`;
+var PRECOMMIT_HOOK = `#!/bin/sh
+# ETALON pre-commit hook \u2014 blocks commits with critical/high privacy issues
+# Installed by 'etalon init'
+# Get staged files
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+# Run audit silently
+echo "\u{1F50D} ETALON: checking for privacy issues..."
+npx etalon audit ./ --format json --severity high 2>/dev/null | node -e "
+  const data = require('fs').readFileSync('/dev/stdin', 'utf8');
+  try {
+    const report = JSON.parse(data);
+    const staged = process.argv.slice(1);
+    const issues = report.findings.filter(f => staged.some(s => f.file.includes(s)));
+    if (issues.length > 0) {
+      console.error('\\n\u{1F534} ETALON: Found ' + issues.length + ' high/critical privacy issue(s):');
+      issues.forEach(f => console.error('  \u2022 ' + f.severity.toUpperCase() + ': ' + f.title + ' (' + f.file + ')'));
+      console.error('\\nFix these issues or use --no-verify to skip.\\n');
+      process.exit(1);
+    }
+  } catch(e) { /* audit not available, allow commit */ }
+" $STAGED_FILES
+`;
+var GITIGNORE_ADDITIONS = `
+# ETALON
+etalon-report.html
+etalon-badge.svg
+etalon-results.sarif
+`;
+async function runInit(dir, options = {}) {
+  const ci = options.ci ?? "github";
+  const precommit = options.precommit ?? true;
+  const force = options.force ?? false;
+  console.log("");
+  console.log(chalk3.bold("\u{1F527} ETALON Project Setup"));
+  console.log(chalk3.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+  console.log("");
+  const yamlPath = join2(dir, "etalon.yaml");
+  if (!existsSync2(yamlPath) || force) {
+    writeFileSync(yamlPath, ETALON_YAML, "utf-8");
+    console.log(chalk3.green("\u2713") + ` Created ${chalk3.cyan("etalon.yaml")}`);
+  } else {
+    console.log(chalk3.yellow("\u2298") + ` ${chalk3.cyan("etalon.yaml")} already exists (use --force to overwrite)`);
+  }
+  if (ci === "github") {
+    const workflowDir = join2(dir, ".github", "workflows");
+    const workflowPath = join2(workflowDir, "etalon.yml");
+    if (!existsSync2(workflowPath) || force) {
+      mkdirSync(workflowDir, { recursive: true });
+      writeFileSync(workflowPath, GITHUB_ACTION, "utf-8");
+      console.log(chalk3.green("\u2713") + ` Created ${chalk3.cyan(".github/workflows/etalon.yml")}`);
+    } else {
+      console.log(chalk3.yellow("\u2298") + ` ${chalk3.cyan(".github/workflows/etalon.yml")} already exists`);
+    }
+  }
+  if (precommit) {
+    const hooksDir = join2(dir, ".git", "hooks");
+    const hookPath = join2(hooksDir, "pre-commit");
+    const etalonDir = join2(dir, ".etalon");
+    const standalonePath = join2(etalonDir, "pre-commit.sh");
+    mkdirSync(etalonDir, { recursive: true });
+    if (!existsSync2(standalonePath) || force) {
+      writeFileSync(standalonePath, PRECOMMIT_HOOK, { mode: 493 });
+      console.log(chalk3.green("\u2713") + ` Created ${chalk3.cyan(".etalon/pre-commit.sh")}`);
+    }
+    if (existsSync2(join2(dir, ".git"))) {
+      mkdirSync(hooksDir, { recursive: true });
+      if (!existsSync2(hookPath) || force) {
+        writeFileSync(hookPath, PRECOMMIT_HOOK, { mode: 493 });
+        console.log(chalk3.green("\u2713") + ` Installed ${chalk3.cyan("pre-commit hook")}`);
+      } else {
+        console.log(chalk3.yellow("\u2298") + ` pre-commit hook already exists (see ${chalk3.cyan(".etalon/pre-commit.sh")})`);
+      }
+    } else {
+      console.log(chalk3.dim("  (no .git directory \u2014 hook saved to .etalon/pre-commit.sh)"));
+    }
+  }
+  const rulesDir = join2(dir, ".etalon", "rules");
+  if (!existsSync2(rulesDir)) {
+    mkdirSync(rulesDir, { recursive: true });
+    writeFileSync(join2(rulesDir, ".gitkeep"), "", "utf-8");
+    console.log(chalk3.green("\u2713") + ` Created ${chalk3.cyan(".etalon/rules/")} for custom rules`);
+  }
+  const gitignorePath = join2(dir, ".gitignore");
+  if (existsSync2(gitignorePath)) {
+    const content = await import("fs").then((fs) => fs.readFileSync(gitignorePath, "utf-8"));
+    if (!content.includes("etalon-report.html")) {
+      writeFileSync(gitignorePath, content + GITIGNORE_ADDITIONS, "utf-8");
+      console.log(chalk3.green("\u2713") + ` Updated ${chalk3.cyan(".gitignore")}`);
+    }
+  }
+  console.log("");
+  console.log(chalk3.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk3.bold("Next steps:"));
+  console.log(`  1. Review ${chalk3.cyan("etalon.yaml")} and add approved vendors`);
+  console.log(`  2. Run ${chalk3.cyan("etalon audit ./")} to scan your codebase`);
+  if (ci === "github") {
+    console.log(`  3. Push to trigger the GitHub Action`);
+  }
+  console.log(`  4. Visit ${chalk3.cyan("https://etalon.nma.vc/docs")} for full documentation`);
+  console.log("");
+}
+// src/index.ts
+var VERSION = "1.0.0";
+function showBanner() {
+  const blue = chalk4.hex("#3B82F6");
+  const dim = chalk4.hex("#64748B");
+  const cyan = chalk4.hex("#06B6D4");
+  console.log("");
+  console.log(blue.bold("  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557"));
+  console.log(blue.bold("  \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551"));
+  console.log(cyan.bold("  \u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551"));
+  console.log(cyan.bold("  \u2588\u2588\u2554\u2550\u2550\u255D     \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551"));
+  console.log(blue.bold("  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551"));
+  console.log(blue.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D"));
+  console.log("");
+  console.log(dim(`  v${VERSION}  `) + chalk4.white("Privacy audit tool for AI coding agents"));
+  console.log(dim("  Open-source GDPR compliance scanner  ") + cyan("etalon.nma.vc"));
+  console.log("");
+}
+var program = new Command();
+program.name("etalon").description("ETALON \u2014 Open-source privacy auditor. Scan websites for trackers and GDPR compliance.").version(VERSION).hook("preAction", () => {
+  showBanner();
+});
+program.command("scan").description("Scan a website for third-party trackers").argument("<url>", "URL to scan").option("-f, --format <format>", "Output format: text, json, sarif", "text").option("-d, --deep", "Deep scan: scroll page, interact with consent dialogs", false).option("-t, --timeout <ms>", "Navigation timeout in milliseconds", "30000").option("--no-idle", "Do not wait for network idle").option("--config <path>", "Path to etalon.yaml config file").action(async (url, options) => {
+  const normalizedUrl = normalizeUrl(url);
+  const format = options.format ?? "text";
+  const config = loadConfig(options.config);
+  const scanOptions = {
+    deep: options.deep,
+    timeout: parseInt(options.timeout, 10),
+    waitForNetworkIdle: options.idle !== false
+  };
+  if (config?.scan) {
+    if (config.scan.timeout && !options.timeout) scanOptions.timeout = config.scan.timeout;
+    if (config.scan.user_agent) scanOptions.userAgent = config.scan.user_agent;
+    if (config.scan.viewport) scanOptions.viewport = config.scan.viewport;
+    if (config.scan.wait_for_network_idle !== void 0 && options.idle === void 0) {
+      scanOptions.waitForNetworkIdle = config.scan.wait_for_network_idle;
+    }
+  }
+  const showSpinner = format === "text";
+  const spinner = showSpinner ? ora(`Scanning ${normalizedUrl}...`).start() : null;
+  try {
+    const report = await scanSite(normalizedUrl, scanOptions);
+    spinner?.stop();
+    switch (format) {
+      case "json":
+        console.log(formatJson(report));
+        break;
+      case "sarif":
+        console.log(formatSarif(report));
+        break;
+      case "text":
+      default:
+        console.log(formatText(report));
+        break;
+    }
+    if (report.summary.highRisk > 0) {
+      process.exit(1);
+    }
+  } catch (error) {
+    spinner?.fail("Scan failed");
+    if (error instanceof Error) {
+      console.error(`
+Error: ${error.message}`);
+      if (error.message.includes("Executable doesn't exist")) {
+        console.error("\nPlaywright browsers not installed. Run:");
+        console.error("  npx playwright install chromium");
+      }
+    } else {
+      console.error("\nAn unexpected error occurred.");
+    }
+    process.exit(2);
+  }
+});
+program.command("audit").description("Scan a codebase for GDPR compliance (tracker SDKs, PII in schemas, config issues)").argument("[dir]", "Directory to audit", "./").option("-f, --format <format>", "Output format: text, json, sarif, html", "text").option("-s, --severity <level>", "Minimum severity: info, low, medium, high, critical").option("--include-blame", "Include git blame information for each finding", false).option("--fix", "Auto-fix simple issues (preview before applying)", false).action(async (dir, options) => {
+  const format = options.format ?? "text";
+  const includeBlame = options.includeBlame;
+  const autoFix = options.fix;
+  const showSpinner = format === "text";
+  const spinner = showSpinner ? ora(`Auditing ${dir}...`).start() : null;
+  try {
+    const report = await auditProject(dir, {
+      severity: options.severity,
+      includeBlame
+    });
+    spinner?.stop();
+    if (autoFix) {
+      const patches = generatePatches(report.findings, dir);
+      if (patches.length === 0) {
+        console.log(chalk4.yellow("\nNo auto-fixable issues found."));
+      } else {
+        console.log(chalk4.bold(`
+\u{1F527} ${patches.length} auto-fixable issue(s):`));
+        for (const p of patches) {
+          console.log(`  ${chalk4.dim(p.file)}:${p.line} \u2014 ${p.description}`);
+          console.log(`    ${chalk4.red("- " + p.oldContent.trim())}`);
+          console.log(`    ${chalk4.green("+ " + p.newContent.trim())}`);
+        }
+        const applied = applyPatches(patches, dir);
+        console.log(chalk4.green(`
+\u2713 Applied ${applied} fix(es).`));
+      }
+    }
+    switch (format) {
+      case "json":
+        console.log(JSON.stringify(report, null, 2));
+        break;
+      case "sarif":
+        console.log(formatAuditSarif(report));
+        break;
+      case "html": {
+        const html = generateHtmlReport(report);
+        const outPath = "etalon-report.html";
+        writeFileSync2(outPath, html, "utf-8");
+        console.log(chalk4.green(`\u2713 Report written to ${chalk4.cyan(outPath)}`));
+        break;
+      }
+      case "text":
+      default:
+        console.log(formatAuditText(report));
+        break;
+    }
+    if (report.summary.critical > 0 || report.summary.high > 0) {
+      process.exit(1);
+    }
+  } catch (error) {
+    spinner?.fail("Audit failed");
+    if (error instanceof Error) {
+      console.error(`
+Error: ${error.message}`);
+    } else {
+      console.error("\nAn unexpected error occurred.");
+    }
+    process.exit(2);
+  }
+});
+program.command("lookup").description("Look up a domain in the vendor registry").argument("<domain>", "Domain to look up").action((domain) => {
+  const registry = VendorRegistry.load();
+  const vendor = registry.lookupDomain(domain);
+  if (vendor) {
+    console.log(JSON.stringify(vendor, null, 2));
+  } else {
+    console.log(`Domain "${domain}" is not in the ETALON vendor registry.`);
+    process.exit(1);
+  }
+});
+program.command("info").description("Show ETALON registry information").action(() => {
+  const registry = VendorRegistry.load();
+  const meta = registry.getMetadata();
+  console.log(`ETALON Registry v${meta.version}`);
+  console.log(`Last updated: ${meta.lastUpdated}`);
+  console.log(`Vendors: ${meta.vendorCount}`);
+  console.log(`Domains tracked: ${meta.domainCount}`);
+  console.log(`Categories: ${meta.categoryCount}`);
+});
+program.command("init").description("Set up ETALON in your project (config, CI, pre-commit hook)").argument("[dir]", "Project directory", "./").option("--ci <provider>", "CI provider: github, gitlab, none", "github").option("--no-precommit", "Skip pre-commit hook installation").option("--force", "Overwrite existing files", false).action(async (dir, options) => {
+  await runInit(dir, {
+    ci: options.ci,
+    precommit: options.precommit !== false,
+    force: options.force
+  });
+});
+program.command("consent-check").description("Test if trackers fire before/after rejecting cookies on a website").argument("<url>", "URL to check").option("-f, --format <format>", "Output format: text, json", "text").option("-t, --timeout <ms>", "Navigation timeout", "15000").action(async (url, options) => {
+  const normalizedUrl = normalizeUrl(url);
+  const format = options.format ?? "text";
+  const spinner = format === "text" ? ora(`Checking consent on ${normalizedUrl}...`).start() : null;
+  try {
+    const { checkConsent } = await import("./consent-checker-B6J7GESG.js");
+    const result = await checkConsent(normalizedUrl, {
+      timeout: parseInt(options.timeout ?? "15000", 10)
+    });
+    spinner?.stop();
+    if (format === "json") {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log("");
+      console.log(chalk4.bold("ETALON Consent Verification"));
+      console.log(chalk4.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+      console.log(`URL:       ${chalk4.cyan(result.url)}`);
+      console.log(`Banner:    ${result.bannerDetected ? chalk4.green("\u2713 Detected") : chalk4.red("\u2717 Not found")}${result.bannerType ? ` (${result.bannerType})` : ""}`);
+      console.log(`Reject:    ${result.rejectClicked ? chalk4.green("\u2713 Clicked") : chalk4.yellow("\u2717 Could not reject")}`);
+      console.log("");
+      if (result.preConsentTrackers.length > 0) {
+        console.log(chalk4.bold("\u{1F50D} Trackers before consent:"));
+        for (const t of result.preConsentTrackers) {
+          console.log(`  \u2022 ${t.name} (${chalk4.dim(t.matchedDomain)})`);
+        }
+        console.log("");
+      }
+      if (result.postRejectTrackers.length > 0) {
+        console.log(chalk4.bold("\u26A0\uFE0F  Trackers after rejection:"));
+        for (const t of result.postRejectTrackers) {
+          console.log(`  \u2022 ${chalk4.red(t.name)} (${chalk4.dim(t.matchedDomain)})`);
+        }
+        console.log("");
+      }
+      if (result.violations.length > 0) {
+        console.log(chalk4.red.bold(`\u{1F534} ${result.violations.length} consent violation(s)`));
+        for (const v of result.violations) {
+          console.log(`  ${v.phase === "before-interaction" ? "\u23F1" : "\u{1F534}"} ${v.message}`);
+        }
+      } else {
+        console.log(chalk4.green.bold("\u2713 No consent violations detected"));
+      }
+      console.log("");
+    }
+    if (!result.pass) process.exit(1);
+  } catch (error) {
+    spinner?.fail("Consent check failed");
+    if (error instanceof Error) {
+      console.error(`
+Error: ${error.message}`);
+    }
+    process.exit(2);
+  }
+});
+program.command("policy-check").description("Cross-reference privacy policy text against actual detected trackers").argument("<url>", "URL to check").option("-f, --format <format>", "Output format: text, json", "text").option("-t, --timeout <ms>", "Navigation timeout", "30000").option("--policy-url <url>", "Directly specify the privacy policy URL").action(async (url, options) => {
+  const normalizedUrl = normalizeUrl(url);
+  const format = options.format ?? "text";
+  const spinner = format === "text" ? ora(`Analyzing privacy policy for ${normalizedUrl}...`).start() : null;
+  try {
+    const { checkPolicy } = await import("./policy-checker-J2WPHGU3.js");
+    const result = await checkPolicy(normalizedUrl, {
+      timeout: parseInt(options.timeout ?? "30000", 10),
+      policyUrl: options.policyUrl
+    });
+    spinner?.stop();
+    if (format === "json") {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log("");
+      console.log(chalk4.bold("ETALON Policy vs. Reality Audit"));
+      console.log(chalk4.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+      console.log(`URL:           ${chalk4.cyan(result.url)}`);
+      console.log(`Policy page:   ${result.policyFound ? chalk4.green(result.policyUrl) : chalk4.red("\u2717 Not found")}`);
+      console.log("");
+      console.log(`\u{1F4CB} Vendors mentioned in policy:  ${chalk4.bold(String(result.mentionedVendors.length))}`);
+      console.log(`\u{1F50D} Vendors detected by scan:     ${chalk4.bold(String(result.detectedVendors.length))}`);
+      console.log("");
+      if (!result.policyFound) {
+        console.log(chalk4.red.bold("\u26A0  No privacy policy page found \u2014 all detected trackers are undisclosed"));
+        console.log("");
+      }
+      if (result.undisclosed.length > 0) {
+        console.log(chalk4.red.bold(`\u{1F534} ${result.undisclosed.length} UNDISCLOSED (detected on site, not in policy):`));
+        for (const m of result.undisclosed) {
+          const icon = m.severity === "critical" ? chalk4.red("\u2717 CRITICAL") : m.severity === "high" ? chalk4.yellow("\u2717 HIGH") : m.severity === "medium" ? chalk4.yellow("\u2717 MEDIUM") : chalk4.dim("\u2717 LOW");
+          console.log(`  ${icon}  ${m.vendorName} \u2014 ${m.message}`);
+        }
+        console.log("");
+      }
+      if (result.disclosed.length > 0) {
+        console.log(chalk4.green.bold(`\u2713 ${result.disclosed.length} DISCLOSED (in both policy and scan):`));
+        for (const m of result.disclosed) {
+          console.log(`  ${chalk4.green("\u2713")} ${m.vendorName}`);
+        }
+        console.log("");
+      }
+      if (result.overclaimed.length > 0) {
+        console.log(chalk4.dim(`\u2139  ${result.overclaimed.length} OVERCLAIMED (in policy, not detected):`));
+        for (const m of result.overclaimed) {
+          console.log(`  ${chalk4.dim("\u2013")} ${m.vendorName}`);
+        }
+        console.log("");
+      }
+      if (result.pass) {
+        console.log(chalk4.green.bold("\u2713 All detected trackers are disclosed in the privacy policy"));
+      } else {
+        console.log(chalk4.red.bold(`\u2717 ${result.undisclosed.length} tracker(s) not disclosed in privacy policy`));
+      }
+      console.log("");
+      if (result.disclosures.length > 0) {
+        console.log(chalk4.bold.cyan("\u{1F4DD} Add this to your privacy policy:"));
+        console.log(chalk4.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+        for (const d of result.disclosures) {
+          console.log("");
+          console.log(chalk4.bold(`  ${d.vendorName}`));
+          console.log(`  ${d.snippet}`);
+          if (d.dpaUrl) {
+            console.log(chalk4.dim(`  DPA: ${d.dpaUrl}`));
+          }
+        }
+        console.log("");
+        console.log(chalk4.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+        console.log(chalk4.dim("Copy the text above into your privacy policy or CMS."));
+        console.log("");
+      }
+    }
+    if (!result.pass) process.exit(1);
+  } catch (error) {
+    spinner?.fail("Policy check failed");
+    if (error instanceof Error) {
+      console.error(`
+Error: ${error.message}`);
+    }
+    process.exit(2);
+  }
+});
+program.command("generate-policy").description("Generate a GDPR privacy policy from code audit + network scan").argument("[dir]", "Project directory to audit", "./").requiredOption("--company <name>", "Your company/organization name").requiredOption("--email <email>", "Privacy contact / DPO email").option("--url <url>", "Also scan a live URL for network trackers").option("--country <country>", 'Jurisdiction (e.g. "EU", "Germany")').option("-o, --output <file>", "Output file", "privacy-policy.md").option("-f, --format <format>", "Output format: md, html, txt", "md").action(async (dir, options) => {
+  const spinner = ora("Generating privacy policy...").start();
+  try {
+    spinner.text = "Running code audit...";
+    const audit = await auditProject(dir);
+    spinner.text = "Analyzing data flows...";
+    const { collectFiles } = await import("@etalon/core");
+    let dataFlow;
+    try {
+      const files = collectFiles?.(dir) ?? [];
+      if (files.length > 0) {
+        dataFlow = analyzeDataFlow(files, dir);
+      }
+    } catch {
+    }
+    let networkVendorIds;
+    if (options.url) {
+      spinner.text = `Scanning ${options.url} for trackers...`;
+      const scanResult = await scanSite(normalizeUrl(options.url), { timeout: 3e4, deep: false });
+      networkVendorIds = new Set(scanResult.vendors.map((v) => v.vendor.id));
+    }
+    spinner.text = "Assembling privacy policy...";
+    const policy = generatePolicy({
+      input: {
+        companyName: options.company,
+        companyEmail: options.email,
+        companyCountry: options.country,
+        siteUrl: options.url,
+        projectDir: dir
+      },
+      audit,
+      networkVendorIds,
+      dataFlow
+    });
+    const outputFile = options.output ?? "privacy-policy.md";
+    writeFileSync2(outputFile, policy.fullText, "utf-8");
+    spinner.succeed(`Privacy policy generated!`);
+    console.log("");
+    console.log(chalk4.bold("ETALON Privacy Policy Generator"));
+    console.log(chalk4.dim("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550"));
+    console.log(`Company:       ${chalk4.cyan(options.company)}`);
+    console.log(`Contact:       ${chalk4.cyan(options.email)}`);
+    if (options.url) {
+      console.log(`Site scanned:  ${chalk4.cyan(options.url)}`);
+    }
+    console.log(`Sources:       ${chalk4.dim(policy.meta.sources.join(", "))}`);
+    console.log("");
+    console.log(`\u{1F4CB} Sections:   ${chalk4.bold(String(policy.sections.length))}`);
+    console.log(`\u{1F50D} Vendors:    ${chalk4.bold(String(policy.vendors.length))}`);
+    console.log(`\u{1F6E1}\uFE0F  PII types:  ${chalk4.bold(String(policy.piiTypes.length))}`);
+    console.log("");
+    if (policy.vendors.length > 0) {
+      console.log(chalk4.dim("Third-party vendors included:"));
+      for (const v of policy.vendors) {
+        const src = v.source === "both" ? chalk4.magenta("code+network") : v.source === "code" ? chalk4.blue("code") : chalk4.green("network");
+        console.log(`  ${chalk4.bold(v.vendorName)} ${chalk4.dim(`(${v.category})`)} \u2014 ${src}`);
+      }
+      console.log("");
+    }
+    console.log(chalk4.green(`\u2713 Written to ${chalk4.bold(outputFile)}`));
+    console.log(chalk4.dim("\u26A0 Review with a legal professional before publishing."));
+    console.log("");
+  } catch (error) {
+    spinner.fail("Policy generation failed");
+    if (error instanceof Error) {
+      console.error(`
+Error: ${error.message}`);
+    }
+    process.exit(2);
+  }
+});
+program.command("badge").description("Generate a compliance badge SVG for your README").argument("[dir]", "Directory to audit", "./").option("-o, --output <file>", "Output file", "etalon-badge.svg").action(async (dir, options) => {
+  const spinner = ora("Generating badge...").start();
+  try {
+    const report = await auditProject(dir);
+    const score = report.score ?? calculateScore(report);
+    const svg = generateBadgeSvg(score);
+    writeFileSync2(options.output, svg, "utf-8");
+    spinner.succeed(`Badge written to ${chalk4.cyan(options.output)} \u2014 Grade: ${score.grade} (${score.score}/100)`);
+    console.log("");
+    console.log(chalk4.bold("Shields.io badge for your README:"));
+    console.log(chalk4.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    const { badgeMarkdown: toBadgeMd } = await import("@etalon/core");
+    console.log(toBadgeMd(score.grade, score.score));
+    console.log("");
+  } catch (error) {
+    spinner.fail("Badge generation failed");
+    if (error instanceof Error) console.error(`
+Error: ${error.message}`);
+    process.exit(2);
+  }
+});
+program.command("data-flow").description("Map PII data flows through your codebase").argument("[dir]", "Directory to analyze", "./").option("-f, --format <format>", "Output format: text, mermaid, json", "text").action(async (dir, options) => {
+  const spinner = ora("Analyzing data flows...").start();
+  try {
+    let walk2 = function(d) {
+      for (const entry of readdirSync(d, { withFileTypes: true })) {
+        const full = join3(d, entry.name);
+        if (entry.isDirectory()) {
+          if (!["node_modules", ".git", "dist", "build", ".next", "__pycache__"].includes(entry.name)) {
+            walk2(full);
+          }
+        } else {
+          files.push(relative(dir, full));
+        }
+      }
+    };
+    var walk = walk2;
+    const { readdirSync, statSync } = await import("fs");
+    const { join: join3, relative } = await import("path");
+    const files = [];
+    walk2(dir);
+    const flow = analyzeDataFlow(files, dir);
+    spinner.stop();
+    switch (options.format) {
+      case "json":
+        console.log(JSON.stringify(flow, null, 2));
+        break;
+      case "mermaid":
+        console.log(toMermaid(flow));
+        break;
+      case "text":
+      default:
+        console.log(toTextSummary(flow));
+        break;
+    }
+  } catch (error) {
+    spinner.fail("Data flow analysis failed");
+    if (error instanceof Error) console.error(`
+Error: ${error.message}`);
+    process.exit(2);
+  }
+});
+program.parse();