@slashgear/gdpr-cookie-scanner 1.0.0

package/dist/types.d.ts

@@ -0,0 +1,105 @@
+export type CookieCategory = "strictly-necessary" | "analytics" | "advertising" | "social" | "personalization" | "unknown";
+export type ConsentButtonType = "accept" | "reject" | "preferences" | "close" | "unknown";
+export interface ScannedCookie {
+    name: string;
+    domain: string;
+    path: string;
+    value: string;
+    expires: number | null;
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: string | null;
+    category: CookieCategory;
+    requiresConsent: boolean;
+    capturedAt: "before-interaction" | "after-accept" | "after-reject";
+}
+export interface NetworkRequest {
+    url: string;
+    method: string;
+    resourceType: string;
+    initiator: string | null;
+    isThirdParty: boolean;
+    trackerCategory: TrackerCategory | null;
+    trackerName: string | null;
+    capturedAt: "before-interaction" | "after-accept" | "after-reject";
+    responseStatus: number | null;
+    contentType: string | null;
+}
+export type TrackerCategory = "analytics" | "advertising" | "social" | "fingerprinting" | "pixel" | "cdn" | "unknown";
+export interface ConsentButton {
+    type: ConsentButtonType;
+    text: string;
+    selector: string;
+    isVisible: boolean;
+    boundingBox: {
+        x: number;
+        y: number;
+        width: number;
+        height: number;
+    } | null;
+    fontSize: number | null;
+    backgroundColor: string | null;
+    textColor: string | null;
+    contrastRatio: number | null;
+    clickDepth: number;
+}
+export interface ConsentCheckbox {
+    name: string;
+    label: string;
+    isCheckedByDefault: boolean;
+    category: CookieCategory;
+    selector: string;
+}
+export interface ConsentModal {
+    detected: boolean;
+    selector: string | null;
+    text: string;
+    buttons: ConsentButton[];
+    checkboxes: ConsentCheckbox[];
+    hasGranularControls: boolean;
+    layerCount: number;
+    screenshotPath: string | null;
+}
+export interface DarkPatternIssue {
+    type: DarkPatternType;
+    severity: "critical" | "warning" | "info";
+    description: string;
+    evidence: string;
+}
+export type DarkPatternType = "asymmetric-prominence" | "click-asymmetry" | "pre-ticked" | "misleading-wording" | "cookie-wall" | "nudging" | "no-reject-button" | "buried-reject" | "auto-consent" | "missing-info";
+export interface ComplianceScore {
+    total: number;
+    breakdown: {
+        consentValidity: number;
+        easyRefusal: number;
+        transparency: number;
+        cookieBehavior: number;
+    };
+    issues: DarkPatternIssue[];
+    grade: "A" | "B" | "C" | "D" | "F";
+}
+export interface ScanOptions {
+    url: string;
+    outputDir: string;
+    timeout: number;
+    screenshots: boolean;
+    locale: string;
+    verbose: boolean;
+    userAgent?: string;
+}
+export interface ScanResult {
+    url: string;
+    scanDate: string;
+    duration: number;
+    modal: ConsentModal;
+    cookiesBeforeInteraction: ScannedCookie[];
+    cookiesAfterAccept: ScannedCookie[];
+    cookiesAfterReject: ScannedCookie[];
+    networkBeforeInteraction: NetworkRequest[];
+    networkAfterAccept: NetworkRequest[];
+    networkAfterReject: NetworkRequest[];
+    compliance: ComplianceScore;
+    screenshotPaths: string[];
+    errors: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,iBAAiB,GACjB,SAAS,CAAC;AAEd,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1F,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;CACpE;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,GAAG,IAAI,CAAC;IACxC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;IACnE,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,MAAM,eAAe,GACvB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,gBAAgB,GAChB,OAAO,GACP,KAAK,GACL,SAAS,CAAC;AAEd,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE;QAAE,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,EAAE,OAAO,CAAC;IAC5B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,eAAe,CAAC;IACtB,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,eAAe,GACvB,uBAAuB,GACvB,iBAAiB,GACjB,YAAY,GACZ,oBAAoB,GACpB,aAAa,GACb,SAAS,GACT,kBAAkB,GAClB,eAAe,GACf,cAAc,GACd,cAAc,CAAC;AAEnB,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE;QACT,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;CACpC;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,YAAY,CAAC;IACpB,wBAAwB,EAAE,aAAa,EAAE,CAAC;IAC1C,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,wBAAwB,EAAE,cAAc,EAAE,CAAC;IAC3C,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,UAAU,EAAE,eAAe,CAAC;IAC5B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@slashgear/gdpr-cookie-scanner",
+  "version": "1.0.0",
+  "description": "CLI tool to scan websites for GDPR cookie consent compliance",
+  "keywords": [
+    "compliance",
+    "consent",
+    "cookie",
+    "gdpr",
+    "playwright",
+    "privacy",
+    "rgpd",
+    "scanner"
+  ],
+  "license": "MIT",
+  "bin": {
+    "gdpr-scan": "dist/cli.js"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/cli.js",
+    "lint": "oxlint .",
+    "lint:fix": "oxlint --fix .",
+    "format": "oxfmt .",
+    "format:check": "oxfmt --check .",
+    "typecheck": "tsc --noEmit",
+    "changeset": "changeset"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "ora": "^8.1.0",
+    "playwright": "^1.49.0"
+  },
+  "devDependencies": {
+    "@changesets/cli": "^2.29.8",
+    "@types/node": "^22.0.0",
+    "oxfmt": "^0.33.0",
+    "oxlint": "^1.48.0",
+    "typescript": "^5.5.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}

package/renovate.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "schedule": ["every weekend"],
+  "packageRules": [
+    {
+      "matchDepTypes": ["devDependencies"],
+      "automerge": true,
+      "automergeType": "squash"
+    },
+    {
+      "matchPackageNames": ["playwright"],
+      "reviewers": ["Slashgear"],
+      "automerge": false
+    }
+  ]
+}

package/src/analyzers/compliance.ts

@@ -0,0 +1,203 @@
+import type {
+  ComplianceScore,
+  ConsentModal,
+  DarkPatternIssue,
+  ScannedCookie,
+  NetworkRequest,
+} from "../types.js";
+import { analyzeButtonWording, analyzeModalText } from "./wording.js";
+
+interface ComplianceInput {
+  modal: ConsentModal;
+  cookiesBeforeInteraction: ScannedCookie[];
+  cookiesAfterAccept: ScannedCookie[];
+  cookiesAfterReject: ScannedCookie[];
+  networkBeforeInteraction: NetworkRequest[];
+  networkAfterAccept: NetworkRequest[];
+  networkAfterReject: NetworkRequest[];
+}
+
+export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
+  const issues: DarkPatternIssue[] = [];
+
+  // ── A. Consent validity (0-25) ────────────────────────────────
+  let consentValidity = 25;
+
+  if (!input.modal.detected) {
+    issues.push({
+      type: "no-reject-button",
+      severity: "critical",
+      description: "No cookie consent modal detected",
+      evidence: "A consent mechanism is required before depositing non-essential cookies",
+    });
+    consentValidity = 0;
+  } else {
+    // Wording analysis
+    const wordingResult = analyzeButtonWording(input.modal.buttons);
+    const textResult = analyzeModalText(input.modal.text);
+    issues.push(...wordingResult.issues, ...textResult.issues);
+
+    // Pre-ticked checkboxes
+    const preTicked = input.modal.checkboxes.filter((c) => c.isCheckedByDefault);
+    if (preTicked.length > 0) {
+      issues.push({
+        type: "pre-ticked",
+        severity: "critical",
+        description: `${preTicked.length} checkbox(es) pre-ticked by default`,
+        evidence: `Pre-ticked boxes are invalid consent under RGPD Recital 32. Affected: ${preTicked.map((c) => c.label || c.name).join(", ")}`,
+      });
+      consentValidity -= 10;
+    }
+
+    // Missing info deductions
+    if (textResult.missingInfo.includes("purposes")) consentValidity -= 5;
+    if (textResult.missingInfo.includes("third-parties")) consentValidity -= 5;
+    if (textResult.missingInfo.length >= 3) consentValidity -= 5;
+  }
+
+  // ── B. Easy refusal (0-25) ────────────────────────────────────
+  let easyRefusal = 25;
+
+  if (!input.modal.detected) {
+    easyRefusal = 0;
+  } else {
+    const acceptButton = input.modal.buttons.find((b) => b.type === "accept");
+    const rejectButton = input.modal.buttons.find((b) => b.type === "reject");
+
+    if (!rejectButton) {
+      issues.push({
+        type: "buried-reject",
+        severity: "critical",
+        description: "No reject button on first layer",
+        evidence: "CNIL (2022) requires reject to require no more clicks than accept",
+      });
+      easyRefusal -= 15;
+    } else if (rejectButton.clickDepth > (acceptButton?.clickDepth ?? 1)) {
+      issues.push({
+        type: "click-asymmetry",
+        severity: "critical",
+        description: "Reject requires more clicks than accept",
+        evidence: `Accept: ${acceptButton?.clickDepth ?? 1} click(s), Reject: ${rejectButton.clickDepth} click(s)`,
+      });
+      easyRefusal -= 15;
+    }
+
+    // Visual asymmetry: if accept button is significantly larger/more prominent
+    if (acceptButton && rejectButton && acceptButton.boundingBox && rejectButton.boundingBox) {
+      const acceptArea = acceptButton.boundingBox.width * acceptButton.boundingBox.height;
+      const rejectArea = rejectButton.boundingBox.width * rejectButton.boundingBox.height;
+      if (acceptArea > rejectArea * 3) {
+        issues.push({
+          type: "asymmetric-prominence",
+          severity: "warning",
+          description: "Accept button is significantly larger than reject button",
+          evidence: `Accept area: ${Math.round(acceptArea)}px², Reject area: ${Math.round(rejectArea)}px²`,
+        });
+        easyRefusal -= 5;
+      }
+    }
+
+    // Font size asymmetry
+    if (acceptButton?.fontSize && rejectButton?.fontSize) {
+      if (acceptButton.fontSize > rejectButton.fontSize * 1.3) {
+        issues.push({
+          type: "nudging",
+          severity: "warning",
+          description: "Accept button font is significantly larger than reject button",
+          evidence: `Accept: ${acceptButton.fontSize}px, Reject: ${rejectButton.fontSize}px`,
+        });
+        easyRefusal -= 5;
+      }
+    }
+  }
+
+  // ── C. Transparency (0-25) ────────────────────────────────────
+  let transparency = 25;
+
+  if (!input.modal.detected) {
+    transparency = 0;
+  } else {
+    if (!input.modal.hasGranularControls) {
+      transparency -= 10;
+    }
+    // Already deducted in consentValidity for missing info
+    const wordingResult = analyzeModalText(input.modal.text);
+    if (wordingResult.missingInfo.length > 0) {
+      transparency -= wordingResult.missingInfo.length * 3;
+    }
+  }
+
+  // ── D. Cookie behavior (0-25) ─────────────────────────────────
+  let cookieBehavior = 25;
+
+  // Cookies deposited before any interaction that require consent
+  const illegalPreConsentCookies = input.cookiesBeforeInteraction.filter((c) => c.requiresConsent);
+
+  if (illegalPreConsentCookies.length > 0) {
+    issues.push({
+      type: "auto-consent",
+      severity: "critical",
+      description: `${illegalPreConsentCookies.length} non-essential cookie(s) deposited before any interaction`,
+      evidence: illegalPreConsentCookies.map((c) => `${c.name} (${c.category})`).join(", "),
+    });
+    cookieBehavior -= Math.min(20, illegalPreConsentCookies.length * 4);
+  }
+
+  // Non-essential cookies persisting after reject
+  const consentCookiesAfterReject = input.cookiesAfterReject.filter(
+    (c) => c.requiresConsent && c.capturedAt === "after-reject",
+  );
+
+  if (consentCookiesAfterReject.length > 0) {
+    issues.push({
+      type: "auto-consent",
+      severity: "critical",
+      description: `${consentCookiesAfterReject.length} non-essential cookie(s) persist after rejection`,
+      evidence: consentCookiesAfterReject.map((c) => `${c.name} (${c.category})`).join(", "),
+    });
+    cookieBehavior -= Math.min(15, consentCookiesAfterReject.length * 3);
+  }
+
+  // Network trackers firing before interaction
+  const preInteractionTrackers = input.networkBeforeInteraction.filter(
+    (r) => r.trackerCategory !== null && r.trackerCategory !== "cdn",
+  );
+
+  if (preInteractionTrackers.length > 0) {
+    issues.push({
+      type: "auto-consent",
+      severity: "critical",
+      description: `${preInteractionTrackers.length} tracker request(s) fired before any consent`,
+      evidence: [...new Set(preInteractionTrackers.map((r) => r.trackerName ?? r.url))]
+        .slice(0, 5)
+        .join(", "),
+    });
+    cookieBehavior -= Math.min(10, preInteractionTrackers.length * 2);
+  }
+
+  // Clamp all scores
+  const clamp = (v: number) => Math.max(0, Math.min(25, v));
+  const breakdown = {
+    consentValidity: clamp(consentValidity),
+    easyRefusal: clamp(easyRefusal),
+    transparency: clamp(transparency),
+    cookieBehavior: clamp(cookieBehavior),
+  };
+
+  const total = Object.values(breakdown).reduce((a, b) => a + b, 0);
+
+  return {
+    total,
+    breakdown,
+    issues,
+    grade: scoreToGrade(total),
+  };
+}
+
+function scoreToGrade(score: number): "A" | "B" | "C" | "D" | "F" {
+  if (score >= 90) return "A";
+  if (score >= 75) return "B";
+  if (score >= 55) return "C";
+  if (score >= 35) return "D";
+  return "F";
+}

package/src/analyzers/wording.ts

@@ -0,0 +1,112 @@
+import type { ConsentButton, DarkPatternIssue } from "../types.js";
+
+/**
+ * Ambiguous button labels that don't clearly express consent.
+ * These are used as "accept" but don't say "accept" — a dark pattern.
+ */
+const MISLEADING_ACCEPT_LABELS = [
+  /^(ok|okay|got it|understood|d'accord|compris|j'ai compris|c'est ok|continuer|continue|proceed|go ahead|next|suivant|proceed)$/i,
+  /^(i agree|i understand|i consent)$/i, // acceptable but worth flagging as borderline
+];
+
+/**
+ * Labels that suggest rejection but are actually just "close" or navigate away.
+ */
+const FAKE_REJECT_LABELS = [/^(×|✕|✖|close|fermer|dismiss|ignorer|skip|passer)$/i];
+
+/**
+ * Required informational elements in consent text (RGPD Art. 13-14).
+ */
+const REQUIRED_INFO_PATTERNS = [
+  { key: "purposes", patterns: [/finalit[eé]|purpose|objectif|utilisation/i] },
+  { key: "third-parties", patterns: [/partenaire|tiers|third.part|sous.traitant|vendor/i] },
+  {
+    key: "duration",
+    patterns: [/dur[eé]e|expir|conservation|validit[eé]|period|month|year|mois|an(s)?/i],
+  },
+  { key: "withdrawal", patterns: [/retrait|retirer|withdraw|revok|modif|changer|chang/i] },
+];
+
+export interface WordingAnalysis {
+  issues: DarkPatternIssue[];
+  missingInfo: string[];
+  hasPositiveActionForAccept: boolean;
+  hasExplicitRejectOption: boolean;
+}
+
+export function analyzeButtonWording(buttons: ConsentButton[]): WordingAnalysis {
+  const issues: DarkPatternIssue[] = [];
+  const acceptButton = buttons.find((b) => b.type === "accept");
+  const rejectButton = buttons.find((b) => b.type === "reject");
+  const prefButton = buttons.find((b) => b.type === "preferences");
+
+  // ── Misleading "accept" wording ──────────────────────────────
+  if (acceptButton) {
+    for (const pattern of MISLEADING_ACCEPT_LABELS) {
+      if (pattern.test(acceptButton.text.trim())) {
+        issues.push({
+          type: "misleading-wording",
+          severity: "warning",
+          description: `Accept button has ambiguous label: "${acceptButton.text}"`,
+          evidence: `Button text "${acceptButton.text}" does not clearly express consent`,
+        });
+        break;
+      }
+    }
+  }
+
+  // ── No reject button at all ───────────────────────────────────
+  if (!rejectButton && !prefButton) {
+    issues.push({
+      type: "no-reject-button",
+      severity: "critical",
+      description: "No reject/decline option found in the consent modal",
+      evidence: "RGPD requires refusal to be as easy as acceptance (CNIL 2022)",
+    });
+  }
+
+  // ── Fake reject (close button instead) ───────────────────────
+  if (rejectButton) {
+    for (const pattern of FAKE_REJECT_LABELS) {
+      if (pattern.test(rejectButton.text.trim())) {
+        issues.push({
+          type: "misleading-wording",
+          severity: "critical",
+          description: `Reject button has misleading label: "${rejectButton.text}"`,
+          evidence: "A close/dismiss button is not a valid rejection mechanism",
+        });
+        break;
+      }
+    }
+  }
+
+  return {
+    issues,
+    missingInfo: [], // filled in by analyzeModalText
+    hasPositiveActionForAccept: !!acceptButton,
+    hasExplicitRejectOption: !!rejectButton,
+  };
+}
+
+export function analyzeModalText(text: string): {
+  missingInfo: string[];
+  issues: DarkPatternIssue[];
+} {
+  const missingInfo: string[] = [];
+  const issues: DarkPatternIssue[] = [];
+
+  for (const { key, patterns } of REQUIRED_INFO_PATTERNS) {
+    const found = patterns.some((p) => p.test(text));
+    if (!found) {
+      missingInfo.push(key);
+      issues.push({
+        type: "missing-info",
+        severity: "warning",
+        description: `Missing required information: "${key}"`,
+        evidence: `The consent text does not mention ${key}`,
+      });
+    }
+  }
+
+  return { missingInfo, issues };
+}

package/src/classifiers/cookie-classifier.ts

@@ -0,0 +1,125 @@
+import type { CookieCategory } from "../types.js";
+
+interface CookieClassification {
+  category: CookieCategory;
+  requiresConsent: boolean;
+}
+
+/**
+ * Cookie name patterns mapped to categories.
+ * Patterns are checked against the cookie name (case-insensitive).
+ */
+const COOKIE_PATTERNS: Array<{
+  pattern: RegExp;
+  category: CookieCategory;
+  requiresConsent: boolean;
+}> = [
+  // ── Strictly necessary ────────────────────────────────────────
+  {
+    pattern: /^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|__session)$/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  { pattern: /^sess(ion)?[-_]?id$/i, category: "strictly-necessary", requiresConsent: false },
+  {
+    pattern: /^(csrf|xsrf|_token|authenticity_token)[-_]?/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  {
+    pattern: /^(auth|authenticated|login|logged[-_]in)[-_]?/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  {
+    pattern: /^(cart|basket|bag|checkout)[-_]?/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  {
+    pattern: /^(lang|locale|language|country|currency)$/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  {
+    pattern: /^(consent|cookie[-_]consent|cc[-_]cookie|cookieconsent)[-_]?/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+  {
+    pattern: /^(axeptio|didomi|cookiebot|onetrust|tarteaucitron)[-_]?/i,
+    category: "strictly-necessary",
+    requiresConsent: false,
+  },
+
+  // ── Analytics ──────────────────────────────────────────────────
+  { pattern: /^_ga$/i, category: "analytics", requiresConsent: true },
+  { pattern: /^_ga_/i, category: "analytics", requiresConsent: true },
+  { pattern: /^_gid$/i, category: "analytics", requiresConsent: true },
+  { pattern: /^_gat/i, category: "analytics", requiresConsent: true },
+  { pattern: /^_utm/i, category: "analytics", requiresConsent: true },
+  { pattern: /^__utm/i, category: "analytics", requiresConsent: true },
+  { pattern: /^_pk_/i, category: "analytics", requiresConsent: true }, // Matomo/Piwik
+  { pattern: /^pk_/i, category: "analytics", requiresConsent: true },
+  { pattern: /^amp_/i, category: "analytics", requiresConsent: true }, // Amplitude
+  { pattern: /^(ajs_|segment_)/i, category: "analytics", requiresConsent: true }, // Segment
+  { pattern: /^_hjSessionUser/i, category: "analytics", requiresConsent: true }, // Hotjar
+  { pattern: /^_hj/i, category: "analytics", requiresConsent: true },
+  { pattern: /^mixpanel/i, category: "analytics", requiresConsent: true },
+  { pattern: /^(heap_|heap\.)/i, category: "analytics", requiresConsent: true },
+  { pattern: /^(clarity_|clid|CLID)$/i, category: "analytics", requiresConsent: true }, // Microsoft Clarity
+
+  // ── Advertising ────────────────────────────────────────────────
+  { pattern: /^(_fbp|_fbc|fb_)/, category: "advertising", requiresConsent: true }, // Meta/Facebook
+  {
+    pattern: /^(IDE|NID|DSID|ANID|__gads|__gpi|FCNEC)$/i,
+    category: "advertising",
+    requiresConsent: true,
+  }, // Google Ads
+  {
+    pattern: /^(muid|MUID|at_check|atidvisitor)$/i,
+    category: "advertising",
+    requiresConsent: true,
+  }, // Microsoft
+  { pattern: /^(li_|linkedin_|bcookie|bscookie)/, category: "advertising", requiresConsent: true }, // LinkedIn
+  {
+    pattern: /^(twitter|_twitter_sess|personalization_id|guest_id)$/i,
+    category: "advertising",
+    requiresConsent: true,
+  },
+  { pattern: /^(criteo_|cto_|uid)$/i, category: "advertising", requiresConsent: true }, // Criteo
+  { pattern: /^(tapad|tapid)$/i, category: "advertising", requiresConsent: true },
+  { pattern: /^(DoubleClick|DCLK)$/i, category: "advertising", requiresConsent: true },
+  { pattern: /^_ttp$/i, category: "advertising", requiresConsent: true }, // TikTok
+
+  // ── Social ─────────────────────────────────────────────────────
+  { pattern: /^(fbsr_|fbm_)/, category: "social", requiresConsent: true }, // Facebook login
+  { pattern: /^(yt-|VISITOR_INFO|YSC|GPS)$/i, category: "social", requiresConsent: true }, // YouTube
+
+  // ── Personalization ────────────────────────────────────────────
+  {
+    pattern: /^(ab_|abt_|abtest|experiment|variant|split[-_]test)/i,
+    category: "personalization",
+    requiresConsent: true,
+  },
+  {
+    pattern: /^(optimizely|vwo_|convert_|cxense)/i,
+    category: "personalization",
+    requiresConsent: true,
+  },
+];
+
+export function classifyCookie(name: string, domain: string, value: string): CookieClassification {
+  for (const { pattern, category, requiresConsent } of COOKIE_PATTERNS) {
+    if (pattern.test(name)) {
+      return { category, requiresConsent };
+    }
+  }
+
+  // Heuristic: very short session cookie with no clear purpose
+  if (name.length <= 4 && !value.includes("=")) {
+    return { category: "unknown", requiresConsent: true };
+  }
+
+  return { category: "unknown", requiresConsent: false };
+}