@slashgear/gdpr-cookie-scanner 1.0.0 → 1.2.0

package/.github/workflows/release.yml

@@ -10,8 +10,6 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
-      packages: write
-      id-token: write # required for npm trusted publishing (OIDC)
 
     steps:
       - uses: actions/checkout@v4
@@ -33,25 +31,12 @@ jobs:
         run: pnpm build
 
       - name: Create release PR or publish to npm
-        id: changesets
         uses: changesets/action@v1
         with:
           publish: pnpm changeset publish
           title: "chore: release new version"
           commit: "chore: release new version"
+          createGithubReleases: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: "true"
-
-      - name: Configure registry for GitHub Packages
-        if: steps.changesets.outputs.published == 'true'
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          registry-url: https://npm.pkg.github.com
-
-      - name: Publish to GitHub Packages
-        if: steps.changesets.outputs.published == 'true'
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.prettierignore

@@ -0,0 +1,3 @@
+# Files excluded from oxfmt formatting
+.changeset/
+CLAUDE.md

package/CHANGELOG.md

@@ -1,5 +1,43 @@
 # @slashgear/gdpr-cookie-scanner
 
+## 1.2.0
+
+### Minor Changes
+
+- 15deb9e: chore: simplify npm publishing — token-based auth, no GitHub Packages
+
+  The release pipeline now publishes exclusively to npmjs.org using a classic
+  NPM_TOKEN secret. GitHub Packages publishing and GitHub Releases creation have
+  been removed to reduce complexity. OIDC trusted publishing has been dropped in
+  favour of the more straightforward token approach.
+
+## 1.1.0
+
+### Minor Changes
+
+- 730e4d2: feat: generate a merged PDF report alongside the Markdown files
+
+  A single `gdpr-report-{hostname}-{date}.pdf` is now produced at the end of
+  each scan, combining the main compliance report, the checklist, and the cookie
+  inventory into one A4 document. The PDF is rendered via the Playwright browser
+  already installed as a dependency. The CLI prints the PDF path on completion.
+
+## 1.0.1
+
+### Patch Changes
+
+- 56bfed3: fix: isolate navigation timeout in accept phase so cookies are captured even when networkidle times out
+
+  The accept phase (phase 4) previously wrapped navigation and cookie capture in a single try/catch, causing the entire phase to be skipped when `networkidle` timed out on heavy sites. The navigation timeout is now isolated so detection and capture proceed regardless.
+
+  feat: add cookie inventory report (`gdpr-cookies-*.md`)
+
+  A new per-scan file lists all unique cookies detected across all three phases (before consent, after acceptance, after rejection) with their category, phases of presence, expiry, consent requirement, and an empty "Description / Purpose" column for the DPO or technical owner to fill in.
+
+  feat: add hyperlinks to legal references in checklist
+
+  Every reference in the compliance checklist (GDPR Art. 7, EDPB Guidelines 03/2022, CNIL Recommendation 2022, etc.) now links to the official source document.
+
 ## 1.0.0
 
 ### Major Changes

package/CLAUDE.md

@@ -21,15 +21,27 @@ node dist/cli.js list-trackers
 
 There are no tests currently.
 
+## Commit checklist
+
+Before every commit, always run in order:
+
+```bash
+pnpm lint        # must show 0 errors (warnings tolerated if pre-existing)
+pnpm format      # auto-fix formatting — never commit with format issues
+pnpm typecheck   # must pass with 0 errors
+```
+
+Then create a changeset (see below) and commit everything together.
+
+Commits must follow [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `docs:`, etc.).
+
 ## Release process
 
 This project uses [Changesets](https://github.com/changesets/changesets).
 
-- **Contributors**: run `pnpm changeset` before opening a PR to document the change (patch/minor/major + summary). Commit the generated `.changeset/*.md` file with your PR. Skip for docs/CI-only changes.
+- **Contributors**: write a `.changeset/<slug>.md` file manually (the interactive CLI doesn't work in non-TTY environments) before every meaningful commit. Use `patch` for bug fixes, `minor` for new features, `major` for breaking changes. The summary should explain *what* changed and *why* — not just restate the diff. Skip for docs/CI-only changes.
 - **Maintainers**: merging changesets into `main` triggers the release workflow, which opens a "chore: release new version" PR (bumps version + updates `CHANGELOG.md`). Merging that PR publishes to GitHub Packages and creates the GitHub Release automatically.
 
-Commits must follow [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `docs:`, etc.).
-
 ## Architecture
 
 This is a TypeScript CLI tool (`gdpr-scan`) that audits websites for GDPR/RGPD cookie consent compliance using Playwright. It produces a Markdown report in French.
@@ -56,7 +68,7 @@ Phase 3 and 4 require two separate browser sessions so cookie state is fully iso
 - **`src/classifiers/tracker-list.ts`** — Static database of tracker domains by category
 - **`src/analyzers/compliance.ts`** — Scores 4 dimensions (0–25 each) and surfaces `DarkPatternIssue` objects: consent validity, easy refusal, transparency, cookie behavior
 - **`src/analyzers/wording.ts`** — Text analysis of button labels and modal copy
-- **`src/report/generator.ts`** — Renders a Markdown report and checklist from `ScanResult`; runs `oxfmt` on generated files
+- **`src/report/generator.ts`** — Renders 3 Markdown files from `ScanResult`: the main compliance report (`gdpr-report-*.md`), the checklist (`gdpr-checklist-*.md`), and the cookie inventory (`gdpr-cookies-*.md`); runs `oxfmt` on all generated files
 - **`src/types.ts`** — All shared TypeScript interfaces (`ScanResult`, `ScanOptions`, `ComplianceScore`, `ConsentModal`, etc.)
 
 ### Compliance scoring

package/dist/cli.js

@@ -47,7 +47,7 @@ program
         spinner.succeed("Scan complete");
         console.log();
         const generator = new ReportGenerator(options);
-        const reportPath = await generator.generate(result);
+        const { reportPath, pdfPath } = await generator.generate(result);
         console.log(chalk.bold(`  Compliance score: ${formatScore(result.compliance.total)} ${result.compliance.grade}`));
         console.log();
         if (result.compliance.issues.length > 0) {
@@ -62,6 +62,7 @@ program
             console.log();
         }
         console.log(chalk.green(`  Report saved: ${reportPath}`));
+        console.log(chalk.green(`  PDF saved:    ${pdfPath}`));
         console.log();
         process.exit(result.compliance.grade === "F" ? 1 : 0);
     }

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGxD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,mDAAmD,CAAC;KAChE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,sDAAsD,CAAC;KACnE,QAAQ,CAAC,OAAO,EAAE,4BAA4B,CAAC;KAC/C,MAAM,CAAC,oBAAoB,EAAE,iCAAiC,EAAE,gBAAgB,CAAC;KACjF,MAAM,CAAC,oBAAoB,EAAE,oCAAoC,EAAE,OAAO,CAAC;KAC3E,MAAM,CAAC,kBAAkB,EAAE,4BAA4B,CAAC;KACxD,MAAM,CAAC,uBAAuB,EAAE,uCAAuC,EAAE,OAAO,CAAC;KACjF,MAAM,CAAC,eAAe,EAAE,sBAAsB,EAAE,KAAK,CAAC;KACtD,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,IAAI,EAAE,EAAE;IAClC,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC,CAAC;IACnE,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;IAEvD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,MAAM,OAAO,GAAgB;QAC3B,GAAG,EAAE,aAAa;QAClB,SAAS;QACT,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnC,WAAW,EAAE,IAAI,CAAC,WAAW,KAAK,KAAK;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;IAEF,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,OAAO,CAAC,IAAI,GAAG,sCAAsC,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,OAAO,CAAC,IAAI,GAAG,KAAK,CAAC;QACvB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEpD,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CACR,uBAAuB,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,CACzF,CACF,CAAC;QACF,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,qBAAqB,CAAC,CAAC,CAAC;YACrF,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChF,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,oBAAoB,CAAC,CACnF,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3F,IAAI,IAAI,CAAC,OAAO,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACtD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC7C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC;QAC3B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,CAAC;IAC1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,oBAAoB,CAAC,CAAC;AAChF,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5B,SAAS,YAAY,CAAC,GAAW;IAC/B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,OAAO,WAAW,GAAG,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,OAAO,GACX,KAAK,IAAI,EAAE;QACT,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;QACpB,CAAC,CAAC,KAAK,IAAI,EAAE;YACX,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC;YACrB,CAAC,CAAC,KAAK,IAAI,EAAE;gBACX,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC;gBAC7B,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3B,OAAO,GAAG,OAAO,MAAM,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGxD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,mDAAmD,CAAC;KAChE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,sDAAsD,CAAC;KACnE,QAAQ,CAAC,OAAO,EAAE,4BAA4B,CAAC;KAC/C,MAAM,CAAC,oBAAoB,EAAE,iCAAiC,EAAE,gBAAgB,CAAC;KACjF,MAAM,CAAC,oBAAoB,EAAE,oCAAoC,EAAE,OAAO,CAAC;KAC3E,MAAM,CAAC,kBAAkB,EAAE,4BAA4B,CAAC;KACxD,MAAM,CAAC,uBAAuB,EAAE,uCAAuC,EAAE,OAAO,CAAC;KACjF,MAAM,CAAC,eAAe,EAAE,sBAAsB,EAAE,KAAK,CAAC;KACtD,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,IAAI,EAAE,EAAE;IAClC,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC,CAAC;IACnE,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;IAEvD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,MAAM,OAAO,GAAgB;QAC3B,GAAG,EAAE,aAAa;QAClB,SAAS;QACT,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnC,WAAW,EAAE,IAAI,CAAC,WAAW,KAAK,KAAK;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;IAEF,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QAErC,OAAO,CAAC,IAAI,GAAG,sCAAsC,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,OAAO,CAAC,IAAI,GAAG,KAAK,CAAC;QACvB,CAAC,CAAC,CAAC;QAEH,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEjE,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CACR,uBAAuB,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,CACzF,CACF,CAAC;QACF,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,qBAAqB,CAAC,CAAC,CAAC;YACrF,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChF,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,oBAAoB,CAAC,CACnF,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3F,IAAI,IAAI,CAAC,OAAO,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACtD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC7C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC;QAC3B,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,CAAC;IAC1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,oBAAoB,CAAC,CAAC;AAChF,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAE5B,SAAS,YAAY,CAAC,GAAW;IAC/B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,OAAO,WAAW,GAAG,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,OAAO,GACX,KAAK,IAAI,EAAE;QACT,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;QACpB,CAAC,CAAC,KAAK,IAAI,EAAE;YACX,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC;YACrB,CAAC,CAAC,KAAK,IAAI,EAAE;gBACX,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC;gBAC7B,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3B,OAAO,GAAG,OAAO,MAAM,CAAC;AAC1B,CAAC"}

package/dist/report/generator.d.ts

@@ -3,7 +3,13 @@ import type { ScanOptions } from "../types.js";
 export declare class ReportGenerator {
     private readonly options;
     constructor(options: ScanOptions);
-    generate(result: ScanResult): Promise<string>;
+    generate(result: ScanResult): Promise<{
+        reportPath: string;
+        pdfPath: string;
+    }>;
+    private buildHtmlBody;
+    private inlineImages;
+    private wrapHtml;
     private buildMarkdown;
     private buildScoreTable;
     private buildExecutiveSummary;
@@ -14,6 +20,7 @@ export declare class ReportGenerator {
     private buildCookiesAfterRejectSection;
     private buildNetworkSection;
     private buildRecommendations;
+    private buildCookiesInventory;
     private buildChecklist;
 }
 //# sourceMappingURL=generator.d.ts.map

package/dist/report/generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EACV,UAAU,EAKX,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW;IAE3C,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAqBnD,OAAO,CAAC,aAAa;IA6ErB,OAAO,CAAC,eAAe;IAmBvB,OAAO,CAAC,qBAAqB;IAkD7B,OAAO,CAAC,iBAAiB;IAwEzB,OAAO,CAAC,cAAc;IActB,OAAO,CAAC,kBAAkB;IAqC1B,OAAO,CAAC,iBAAiB;IA4BzB,OAAO,CAAC,8BAA8B;IAiBtC,OAAO,CAAC,mBAAmB;IAgD3B,OAAO,CAAC,oBAAoB;IA2D5B,OAAO,CAAC,cAAc;CAgPvB"}
+{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EACV,UAAU,EAKX,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW;IAE3C,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;YAmCtE,aAAa;YAkDb,YAAY;IAmC1B,OAAO,CAAC,QAAQ;IAgDhB,OAAO,CAAC,aAAa;IA6ErB,OAAO,CAAC,eAAe;IAmBvB,OAAO,CAAC,qBAAqB;IAkD7B,OAAO,CAAC,iBAAiB;IAwEzB,OAAO,CAAC,cAAc;IActB,OAAO,CAAC,kBAAkB;IAqC1B,OAAO,CAAC,iBAAiB;IA4BzB,OAAO,CAAC,8BAA8B;IAiBtC,OAAO,CAAC,mBAAmB;IAgD3B,OAAO,CAAC,oBAAoB;IA2D5B,OAAO,CAAC,qBAAqB;IA6H7B,OAAO,CAAC,cAAc;CA6PvB"}

package/dist/report/generator.js

@@ -1,8 +1,10 @@
 import { execFile } from "child_process";
-import { writeFile, mkdir } from "fs/promises";
-import { basename, dirname, join } from "path";
+import { writeFile, mkdir, readFile } from "fs/promises";
+import { basename, dirname, extname, join } from "path";
 import { promisify } from "util";
 import { fileURLToPath } from "url";
+import { Marked } from "marked";
+import { generatePdf } from "./pdf.js";
 const execFileAsync = promisify(execFile);
 const oxfmtBin = join(dirname(fileURLToPath(import.meta.url)), "../../node_modules/.bin/oxfmt");
 export class ReportGenerator {
@@ -24,7 +26,138 @@ export class ReportGenerator {
         const checklist = this.buildChecklist(result);
         await writeFile(checklistPath, checklist, "utf-8");
         await execFileAsync(oxfmtBin, [checklistPath]).catch(() => { });
-        return outputPath;
+        const cookiesFilename = `gdpr-cookies-${hostname}-${date}.md`;
+        const cookiesPath = join(this.options.outputDir, cookiesFilename);
+        const cookiesInventory = this.buildCookiesInventory(result);
+        await writeFile(cookiesPath, cookiesInventory, "utf-8");
+        await execFileAsync(oxfmtBin, [cookiesPath]).catch(() => { });
+        const combined = [markdown, checklist, cookiesInventory].join("\n\n---\n\n");
+        const rawBody = await this.buildHtmlBody(combined);
+        const body = await this.inlineImages(rawBody, this.options.outputDir);
+        const html = this.wrapHtml(body, hostname);
+        const pdfFilename = `gdpr-report-${hostname}-${date}.pdf`;
+        const pdfPath = join(this.options.outputDir, pdfFilename);
+        await generatePdf(html, pdfPath);
+        return { reportPath: outputPath, pdfPath };
+    }
+    async buildHtmlBody(markdown) {
+        const entries = [];
+        const idCounts = new Map();
+        const slugify = (text) => {
+            const base = text
+                .replace(/[^\p{L}\p{N}\s-]/gu, "")
+                .trim()
+                .toLowerCase()
+                .replace(/\s+/g, "-")
+                .replace(/-+/g, "-") || "section";
+            const count = idCounts.get(base) ?? 0;
+            idCounts.set(base, count + 1);
+            return count === 0 ? base : `${base}-${count}`;
+        };
+        const localMarked = new Marked();
+        localMarked.use({
+            renderer: {
+                heading({ text, depth }) {
+                    const id = slugify(text);
+                    if (depth <= 2)
+                        entries.push({ level: depth, text, id });
+                    return `<h${depth} id="${id}">${text}</h${depth}>\n`;
+                },
+            },
+        });
+        const body = await localMarked.parse(markdown);
+        if (entries.length === 0)
+            return body;
+        const tocItems = entries
+            .map(({ level, text, id }) => {
+            const cls = level === 1 ? "toc-h1" : "toc-h2";
+            return `<li class="${cls}"><a href="#${id}">${text}</a></li>`;
+        })
+            .join("\n");
+        const toc = `<nav class="toc">
+<p class="toc-title">Table of Contents</p>
+<ul>
+${tocItems}
+</ul>
+</nav>`;
+        return toc + "\n" + body;
+    }
+    async inlineImages(html, outputDir) {
+        const mimeTypes = {
+            ".png": "image/png",
+            ".jpg": "image/jpeg",
+            ".jpeg": "image/jpeg",
+            ".gif": "image/gif",
+            ".webp": "image/webp",
+        };
+        const imgRegex = /<img([^>]*)\ssrc="([^"#][^"]*)"([^>]*)>/gi;
+        const replacements = [];
+        for (const match of html.matchAll(imgRegex)) {
+            const [full, before, src, after] = match;
+            if (src.startsWith("data:") || src.startsWith("http://") || src.startsWith("https://"))
+                continue;
+            const mime = mimeTypes[extname(src).toLowerCase()];
+            if (!mime)
+                continue;
+            try {
+                const buf = await readFile(join(outputDir, src));
+                replacements.push({
+                    original: full,
+                    replacement: `<img${before} src="data:${mime};base64,${buf.toString("base64")}"${after}>`,
+                });
+            }
+            catch {
+                // file not found — leave the tag as-is
+            }
+        }
+        return replacements.reduce((acc, { original, replacement }) => acc.replace(original, replacement), html);
+    }
+    wrapHtml(body, hostname) {
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>GDPR Report — ${hostname}</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+           font-size: 11pt; line-height: 1.6; color: #1a1a1a; max-width: 900px;
+           margin: 0 auto; padding: 0 8px; }
+    h1 { font-size: 18pt; border-bottom: 2px solid #1a1a2e; padding-bottom: 6px;
+         color: #1a1a2e; margin-top: 2em; }
+    h2 { font-size: 14pt; color: #1a1a2e; margin-top: 1.5em; }
+    h3 { font-size: 12pt; margin-top: 1.2em; }
+    table { width: 100%; border-collapse: collapse; font-size: 9.5pt;
+            margin: 1em 0; page-break-inside: auto; }
+    th { background: #f0f0f4; padding: 6px 10px; text-align: left;
+         border-bottom: 2px solid #ccc; }
+    td { padding: 5px 10px; border-bottom: 1px solid #eee; vertical-align: top; }
+    tr { page-break-inside: avoid; }
+    code { font-family: "SFMono-Regular", Consolas, monospace; background: #f4f4f4;
+           padding: 1px 5px; border-radius: 3px; font-size: 9pt; }
+    pre { background: #f4f4f4; padding: 12px; border-radius: 4px;
+          overflow-x: auto; font-size: 9pt; }
+    blockquote { border-left: 3px solid #ccc; margin: 0.5em 0;
+                 padding: 0.5em 1em; color: #555; }
+    hr { border: none; border-top: 1px solid #ddd; margin: 2em 0;
+         page-break-after: always; }
+    a { color: #0066cc; }
+    img { max-width: 100%; height: auto; border: 1px solid #ddd; border-radius: 4px; }
+    nav.toc { background: #f4f5f8; border-left: 4px solid #1a1a2e; border-radius: 4px;
+              padding: 14px 20px; margin: 0 0 2.5em 0; page-break-inside: avoid; }
+    .toc-title { font-weight: 700; font-size: 11pt; margin: 0 0 10px 0; color: #1a1a2e; }
+    nav.toc ul { list-style: none; margin: 0; padding: 0; }
+    nav.toc li { margin: 3px 0; line-height: 1.4; }
+    .toc-h1 { font-weight: 600; margin-top: 6px; }
+    .toc-h2 { padding-left: 1.2em; font-size: 9.5pt; }
+    nav.toc a { color: #0055aa; text-decoration: none; }
+    @media print {
+      h1 { page-break-before: always; }
+      h1:first-child { page-break-before: avoid; }
+    }
+  </style>
+</head>
+<body>${body}</body>
+</html>`;
     }
     buildMarkdown(r) {
         const hostname = new URL(r.url).hostname;
@@ -145,7 +278,7 @@ ${row("Cookie behavior", breakdown.cookieBehavior, 25)}
         const { modal } = r;
         const acceptBtn = modal.buttons.find((b) => b.type === "accept");
         const rejectBtn = modal.buttons.find((b) => b.type === "reject");
-        const prefBtn = modal.buttons.find((b) => b.type === "preferences");
+        const _prefBtn = modal.buttons.find((b) => b.type === "preferences");
         const preTicked = modal.checkboxes.filter((c) => c.isCheckedByDefault);
         const lines = [
             `**CSS selector:** \`${modal.selector}\``,
@@ -348,6 +481,101 @@ ${rows.join("\n")}
         }
         return recs.join("\n\n");
     }
+    buildCookiesInventory(r) {
+        const hostname = new URL(r.url).hostname;
+        const scanDate = new Date(r.scanDate).toLocaleString("en-GB");
+        const cookieMap = new Map();
+        const phaseLabel = {
+            "before-interaction": "before consent",
+            "after-accept": "after acceptance",
+            "after-reject": "after rejection",
+        };
+        const allCookies = [
+            ...r.cookiesBeforeInteraction,
+            ...r.cookiesAfterAccept,
+            ...r.cookiesAfterReject,
+        ];
+        for (const c of allCookies) {
+            const key = `${c.name}||${c.domain}`;
+            if (!cookieMap.has(key)) {
+                cookieMap.set(key, {
+                    name: c.name,
+                    domain: c.domain,
+                    category: c.category,
+                    phases: new Set(),
+                    expires: c.expires,
+                    httpOnly: c.httpOnly,
+                    secure: c.secure,
+                    requiresConsent: c.requiresConsent,
+                });
+            }
+            cookieMap.get(key).phases.add(phaseLabel[c.capturedAt]);
+        }
+        const expires = (entry) => {
+            if (entry.expires === null)
+                return "Session";
+            const days = Math.round((entry.expires * 1000 - Date.now()) / 86400000);
+            if (days < 0)
+                return "Expired";
+            if (days === 0)
+                return "< 1 day";
+            if (days < 30)
+                return `${days} days`;
+            return `${Math.round(days / 30)} months`;
+        };
+        const categoryLabel = {
+            "strictly-necessary": "Strictly necessary",
+            analytics: "Analytics",
+            advertising: "Advertising",
+            social: "Social",
+            personalization: "Personalization",
+            unknown: "Unknown",
+        };
+        const entries = [...cookieMap.values()].sort((a, b) => {
+            // Sort: strictly-necessary first, then by category, then by name
+            const order = [
+                "strictly-necessary",
+                "analytics",
+                "advertising",
+                "social",
+                "personalization",
+                "unknown",
+            ];
+            const oa = order.indexOf(a.category);
+            const ob = order.indexOf(b.category);
+            if (oa !== ob)
+                return oa - ob;
+            return a.name.localeCompare(b.name);
+        });
+        const lines = [];
+        lines.push(`# Cookie Inventory — ${hostname}`);
+        lines.push(`
+> **Scan date:** ${scanDate}
+> **Scanned URL:** ${r.url}
+> **Unique cookies detected:** ${entries.length}
+`);
+        lines.push(`## Instructions`);
+        lines.push(`
+This table lists all cookies detected during the scan, across all phases.
+The **Description / Purpose** column is to be filled in by the DPO or technical owner.
+
+- **Before consent** — cookie present from page load, before any interaction
+- **After acceptance** — cookie set or persisting after clicking "Accept all"
+- **After rejection** — cookie present after clicking "Reject all"
+`);
+        lines.push(`## Cookie table\n`);
+        lines.push(`| Cookie | Domain | Category | Phases | Expiry | Consent required | Description / Purpose |`);
+        lines.push(`|--------|--------|----------|--------|--------|------------------|-----------------------|`);
+        for (const entry of entries) {
+            const phases = [...entry.phases].join(", ");
+            const consent = entry.requiresConsent ? "⚠️ Yes" : "✅ No";
+            const cat = categoryLabel[entry.category] ?? entry.category;
+            lines.push(`| \`${entry.name}\` | ${entry.domain} | ${cat} | ${phases} | ${expires(entry)} | ${consent} | <!-- fill in --> |`);
+        }
+        lines.push(`\n---`);
+        lines.push(`\n_Automatically generated by gdpr-cookie-scanner. Categories marked "Unknown" could not be identified automatically and should be verified manually._\n`);
+        return lines.join("\n") + "\n";
+    }
     buildChecklist(r) {
         const hostname = new URL(r.url).hostname;
         const scanDate = new Date(r.scanDate).toLocaleString("en-GB");
@@ -362,7 +590,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Consent",
             rule: "Consent modal detected",
-            reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+            reference: "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
             status: r.modal.detected ? ok : ko,
             detail: r.modal.detected
                 ? `Detected (\`${r.modal.selector}\`)`
@@ -372,7 +600,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Consent",
             rule: "No pre-ticked checkboxes",
-            reference: "RGPD Recital 32",
+            reference: "[GDPR Recital 32](https://gdpr-info.eu/recitals/no-32/)",
             status: preTicked.length === 0 ? ok : ko,
             detail: preTicked.length === 0
                 ? "No pre-ticked checkbox detected"
@@ -383,7 +611,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Consent",
             rule: "Accept button label is unambiguous",
-            reference: "RGPD Art. 4(11)",
+            reference: "[GDPR Art. 4(11)](https://gdpr-info.eu/art-4-gdpr/)",
             status: !r.modal.detected || !misleadingAccept
                 ? ok
                 : misleadingAccept.severity === "critical"
@@ -403,7 +631,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Easy refusal",
             rule: "Reject button present at first layer",
-            reference: "CNIL Recommendation 2022",
+            reference: "[CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
             status: !r.modal.detected ? ko : noReject ? ko : ok,
             detail: !r.modal.detected
                 ? "Modal not detected"
@@ -415,7 +643,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Easy refusal",
             rule: "Rejecting requires no more clicks than accepting",
-            reference: "CNIL Recommendation 2022",
+            reference: "[CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
             status: !r.modal.detected ? ko : clickIssue ? ko : ok,
             detail: !r.modal.detected
                 ? "Modal not detected"
@@ -429,7 +657,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Easy refusal",
             rule: "Size symmetry between Accept and Reject",
-            reference: "CEPD Guidelines 03/2022",
+            reference: "[EDPB Guidelines 03/2022](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform_en)",
             status: !r.modal.detected ? ko : sizeIssue ? warn : ok,
             detail: !r.modal.detected
                 ? "Modal not detected"
@@ -441,7 +669,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Easy refusal",
             rule: "Font symmetry between Accept and Reject",
-            reference: "CEPD Guidelines 03/2022",
+            reference: "[EDPB Guidelines 03/2022](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform_en)",
             status: !r.modal.detected ? ko : nudgeIssue ? warn : ok,
             detail: !r.modal.detected
                 ? "Modal not detected"
@@ -453,7 +681,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Transparency",
             rule: "Granular controls available",
-            reference: "CEPD Guidelines 05/2020",
+            reference: "[EDPB Guidelines 05/2020](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en)",
             status: !r.modal.detected ? ko : r.modal.hasGranularControls ? ok : warn,
             detail: !r.modal.detected
                 ? "Modal not detected"
@@ -462,21 +690,25 @@ ${rows.join("\n")}
                     : "No granular controls (checkboxes or panel) detected",
         });
         const infoChecks = [
-            { key: "purposes", label: "Processing purposes mentioned", ref: "RGPD Art. 13-14" },
+            {
+                key: "purposes",
+                label: "Processing purposes mentioned",
+                ref: "[GDPR Art. 13-14](https://gdpr-info.eu/art-13-gdpr/)",
+            },
             {
                 key: "third-parties",
                 label: "Sub-processors / third parties mentioned",
-                ref: "RGPD Art. 13-14",
+                ref: "[GDPR Art. 13-14](https://gdpr-info.eu/art-13-gdpr/)",
             },
             {
                 key: "duration",
                 label: "Retention period mentioned",
-                ref: "RGPD Art. 13(2)(a)",
+                ref: "[GDPR Art. 13(2)(a)](https://gdpr-info.eu/art-13-gdpr/)",
             },
             {
                 key: "withdrawal",
                 label: "Right to withdraw consent mentioned",
-                ref: "RGPD Art. 7(3)",
+                ref: "[GDPR Art. 7(3)](https://gdpr-info.eu/art-7-gdpr/)",
             },
         ];
         for (const { key, label, ref } of infoChecks) {
@@ -498,7 +730,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Cookie behavior",
             rule: "No non-essential cookie before consent",
-            reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+            reference: "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
             status: illegalPre.length === 0 ? ok : ko,
             detail: illegalPre.length === 0
                 ? "No non-essential cookie set before interaction"
@@ -508,7 +740,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Cookie behavior",
             rule: "Non-essential cookies removed after rejection",
-            reference: "RGPD Art. 7 · CNIL Recommendation 2022",
+            reference: "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
             status: persistAfterReject.length === 0 ? ok : ko,
             detail: persistAfterReject.length === 0
                 ? "No non-essential cookie persisting after rejection"
@@ -518,7 +750,7 @@ ${rows.join("\n")}
         rows.push({
             category: "Cookie behavior",
             rule: "No network tracker before consent",
-            reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+            reference: "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
             status: preTrackers.length === 0 ? ok : ko,
             detail: preTrackers.length === 0
                 ? "No tracker request fired before interaction"