@slashgear/gdpr-cookie-scanner 1.2.1 → 1.4.0

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,iBAAiB,GACjB,SAAS,CAAC;AAEd,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1F,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;CACpE;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,GAAG,IAAI,CAAC;IACxC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;IACnE,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,MAAM,eAAe,GACvB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,gBAAgB,GAChB,OAAO,GACP,KAAK,GACL,SAAS,CAAC;AAEd,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE;QAAE,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,EAAE,OAAO,CAAC;IAC5B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,eAAe,CAAC;IACtB,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,eAAe,GACvB,uBAAuB,GACvB,iBAAiB,GACjB,YAAY,GACZ,oBAAoB,GACpB,aAAa,GACb,SAAS,GACT,kBAAkB,GAClB,eAAe,GACf,cAAc,GACd,cAAc,CAAC;AAEnB,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE;QACT,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;CACpC;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,YAAY,CAAC;IACpB,wBAAwB,EAAE,aAAa,EAAE,CAAC;IAC1C,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,wBAAwB,EAAE,cAAc,EAAE,CAAC;IAC3C,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,UAAU,EAAE,eAAe,CAAC;IAC5B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,iBAAiB,GACjB,SAAS,CAAC;AAEd,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1F,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;CACpE;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,GAAG,IAAI,CAAC;IACxC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,oBAAoB,GAAG,cAAc,GAAG,cAAc,CAAC;IACnE,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,MAAM,eAAe,GACvB,WAAW,GACX,aAAa,GACb,QAAQ,GACR,gBAAgB,GAChB,OAAO,GACP,KAAK,GACL,SAAS,CAAC;AAEd,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE;QAAE,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,EAAE,OAAO,CAAC;IAC5B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,eAAe,CAAC;IACtB,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,eAAe,GACvB,uBAAuB,GACvB,iBAAiB,GACjB,YAAY,GACZ,oBAAoB,GACpB,aAAa,GACb,SAAS,GACT,kBAAkB,GAClB,eAAe,GACf,cAAc,GACd,cAAc,CAAC;AAEnB,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE;QACT,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;CACpC;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,YAAY,CAAC;IACpB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,wBAAwB,EAAE,aAAa,EAAE,CAAC;IAC1C,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,kBAAkB,EAAE,aAAa,EAAE,CAAC;IACpC,wBAAwB,EAAE,cAAc,EAAE,CAAC;IAC3C,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,kBAAkB,EAAE,cAAc,EAAE,CAAC;IACrC,UAAU,EAAE,eAAe,CAAC;IAC5B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slashgear/gdpr-cookie-scanner",
-  "version": "1.2.1",
+  "version": "1.4.0",
   "description": "CLI tool to scan websites for GDPR cookie consent compliance",
   "keywords": [
     "compliance",
@@ -43,7 +43,8 @@
     "@types/node": "^22.0.0",
     "oxfmt": "^0.33.0",
     "oxlint": "^1.48.0",
-    "typescript": "^5.5.0"
+    "typescript": "^5.5.0",
+    "vitest": "^4.0.18"
   },
   "engines": {
     "node": ">=20.0.0"
@@ -57,6 +58,8 @@
     "format": "oxfmt .",
     "format:check": "oxfmt --check .",
     "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "changeset": "changeset"
   }
 }

package/src/analyzers/compliance.ts

@@ -9,6 +9,7 @@ import { analyzeButtonWording, analyzeModalText } from "./wording.js";
 
 interface ComplianceInput {
   modal: ConsentModal;
+  privacyPolicyUrl: string | null;
   cookiesBeforeInteraction: ScannedCookie[];
   cookiesAfterAccept: ScannedCookie[];
   cookiesAfterReject: ScannedCookie[];
@@ -125,6 +126,28 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
     if (wordingResult.missingInfo.length > 0) {
       transparency -= wordingResult.missingInfo.length * 3;
     }
+    // No privacy policy link in the modal
+    if (!input.modal.privacyPolicyUrl) {
+      issues.push({
+        type: "missing-info",
+        severity: "warning",
+        description: "No privacy policy link found in the consent modal",
+        evidence:
+          "GDPR Art. 13 requires the privacy policy to be accessible from the consent interface",
+      });
+      transparency -= 5;
+    }
+  }
+
+  // No privacy policy link anywhere on the page
+  if (!input.privacyPolicyUrl) {
+    issues.push({
+      type: "missing-info",
+      severity: "warning",
+      description: "No privacy policy link found on the page",
+      evidence: "A privacy policy must be accessible from every page (GDPR Art. 13)",
+    });
+    transparency -= 3;
   }
 
   // ── D. Cookie behavior (0-25) ─────────────────────────────────

package/src/report/generator.ts

@@ -350,6 +350,9 @@ ${row("Cookie behavior", breakdown.cookieBehavior, 25)}
       `**CSS selector:** \`${modal.selector}\``,
       `**Granular controls:** ${modal.hasGranularControls ? "✅ Yes" : "❌ No"}`,
       `**Layer count:** ${modal.layerCount}`,
+      modal.privacyPolicyUrl
+        ? `**Privacy policy link:** ✅ [${modal.privacyPolicyUrl}](${modal.privacyPolicyUrl})`
+        : `**Privacy policy link:** ⚠️ Not found in the modal`,
       "",
       "### Detected buttons",
       "",
@@ -914,6 +917,28 @@ The **Description / Purpose** column is to be filled in by the DPO or technical
       });
     }
 
+    rows.push({
+      category: "Transparency",
+      rule: "Privacy policy link present in the consent modal",
+      reference: "[GDPR Art. 13](https://gdpr-info.eu/art-13-gdpr/)",
+      status: !r.modal.detected ? ko : r.modal.privacyPolicyUrl ? ok : warn,
+      detail: !r.modal.detected
+        ? "Modal not detected"
+        : r.modal.privacyPolicyUrl
+          ? `Link found: ${r.modal.privacyPolicyUrl}`
+          : "No privacy policy link found inside the consent modal",
+    });
+
+    rows.push({
+      category: "Transparency",
+      rule: "Privacy policy accessible from the main page",
+      reference: "[GDPR Art. 13](https://gdpr-info.eu/art-13-gdpr/)",
+      status: r.privacyPolicyUrl ? ok : warn,
+      detail: r.privacyPolicyUrl
+        ? `Link found: ${r.privacyPolicyUrl}`
+        : "No privacy policy link found on the main page",
+    });
+
     // ── D. Cookie behavior ────────────────────────────────────────
     const illegalPre = r.cookiesBeforeInteraction.filter((c) => c.requiresConsent);
     rows.push({

package/src/scanner/consent-modal.ts

@@ -45,6 +45,65 @@ const MODAL_SELECTORS = [
   "[role='alertdialog']",
 ];
 
+const PRIVACY_POLICY_URL_PATTERNS = [
+  "privacy[_-]?polic",
+  "politique[_-]?(de[_-])?confidentialit",
+  "politique[_-]?(de[_-])?vie[_-]?priv",
+  "confidentialit",
+  "vie[_-]?priv",
+  "mentions[_-]?l.gales",
+  "datenschutz",
+  "privacidad",
+  "data[_-]?protection",
+  "data[_-]?privacy",
+];
+
+const PRIVACY_POLICY_TEXT_PATTERNS = [
+  "privacy\\s+polic",
+  "politique\\s+(de\\s+)?confidentialit",
+  "politique\\s+(de\\s+)?vie\\s+priv",
+  "confidentialit",
+  "vie\\s+priv",
+  "mentions?\\s+l.gales?",
+  "datenschutz",
+  "privacidad",
+  "data\\s+protection",
+];
+
+/**
+ * Find a privacy policy link within a given scope (modal selector) or the full page.
+ * Returns the absolute URL of the first matching link, or null.
+ */
+export async function findPrivacyPolicyUrl(
+  page: Page,
+  scopeSelector?: string,
+): Promise<string | null> {
+  return page
+    .evaluate(
+      ({ scope, urlPats, textPats }) => {
+        const root: Element | Document = scope
+          ? (document.querySelector(scope) ?? document)
+          : document;
+        const links = root.querySelectorAll("a[href]");
+        for (const link of links) {
+          const href = (link as HTMLAnchorElement).href ?? "";
+          const text = (link.textContent ?? "").trim();
+          if (!href || href.startsWith("javascript:") || href === "#") continue;
+          const matchUrl = urlPats.some((p) => new RegExp(p, "i").test(href));
+          const matchText = textPats.some((p) => new RegExp(p, "i").test(text));
+          if (matchUrl || matchText) return href;
+        }
+        return null;
+      },
+      {
+        scope: scopeSelector ?? null,
+        urlPats: PRIVACY_POLICY_URL_PATTERNS,
+        textPats: PRIVACY_POLICY_TEXT_PATTERNS,
+      },
+    )
+    .catch(() => null);
+}
+
 const ACCEPT_PATTERNS = [
   /\b(accept|accepter|acceptez|tout accepter|accept all|j'accepte|i accept|agree|ok\b|d'accord|continuer|continue|valider|confirmer)\b/i,
 ];
@@ -109,6 +168,7 @@ export async function detectConsentModal(page: Page, options: ScanOptions): Prom
       hasGranularControls: false,
       layerCount: 0,
       screenshotPath: null,
+      privacyPolicyUrl: null,
     };
   }
 
@@ -125,6 +185,9 @@ export async function detectConsentModal(page: Page, options: ScanOptions): Prom
   const hasGranularControls =
     checkboxes.length > 0 || buttons.some((b) => b.type === "preferences");
 
+  // Look for a privacy policy link inside the modal
+  const privacyPolicyUrl = await findPrivacyPolicyUrl(page, foundSelector);
+
   return {
     detected: true,
     selector: foundSelector,
@@ -134,6 +197,7 @@ export async function detectConsentModal(page: Page, options: ScanOptions): Prom
     hasGranularControls,
     layerCount: hasGranularControls ? 2 : 1,
     screenshotPath: null,
+    privacyPolicyUrl,
   };
 }
 

package/src/scanner/index.ts

@@ -4,7 +4,7 @@ import type { ScanOptions, ScanResult } from "../types.js";
 import { createBrowser, clearState, closeBrowser } from "./browser.js";
 import { captureCookies } from "./cookies.js";
 import { createNetworkInterceptor } from "./network.js";
-import { detectConsentModal } from "./consent-modal.js";
+import { detectConsentModal, findPrivacyPolicyUrl } from "./consent-modal.js";
 import { analyzeCompliance } from "../analyzers/compliance.js";
 
 type PhaseCallback = (message: string) => void;
@@ -44,6 +44,9 @@ export class Scanner {
     const networkBeforeInteraction = interceptor1.getRequests();
     interceptor1.stop();
 
+    // Look for a privacy policy link anywhere on the page (typically footer/nav)
+    const privacyPolicyUrl = await findPrivacyPolicyUrl(session1.page);
+
     // ────────────────────────────────────────────────────────────
     // Phase 2 — Detect and analyze the consent modal
     // ────────────────────────────────────────────────────────────
@@ -142,6 +145,7 @@ export class Scanner {
     // ────────────────────────────────────────────────────────────
     const compliance = analyzeCompliance({
       modal,
+      privacyPolicyUrl,
       cookiesBeforeInteraction,
       cookiesAfterAccept,
       cookiesAfterReject,
@@ -155,6 +159,7 @@ export class Scanner {
       scanDate: new Date().toISOString(),
       duration: Date.now() - startTime,
       modal,
+      privacyPolicyUrl,
       cookiesBeforeInteraction,
       cookiesAfterAccept,
       cookiesAfterReject,

package/src/types.ts

@@ -74,6 +74,7 @@ export interface ConsentModal {
   hasGranularControls: boolean;
   layerCount: number; // number of clicks to reach full options
   screenshotPath: string | null;
+  privacyPolicyUrl: string | null; // link to the privacy policy found inside the modal
 }
 
 export interface DarkPatternIssue {
@@ -122,6 +123,7 @@ export interface ScanResult {
   scanDate: string;
   duration: number; // ms
   modal: ConsentModal;
+  privacyPolicyUrl: string | null; // link to the privacy policy found anywhere on the page
   cookiesBeforeInteraction: ScannedCookie[];
   cookiesAfterAccept: ScannedCookie[];
   cookiesAfterReject: ScannedCookie[];

package/tests/e2e/fixtures/compliant-site.html

@@ -0,0 +1,80 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>Compliant Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome to our website</h1>
+      <p>This is a test page with a GDPR-compliant cookie banner.</p>
+    </main>
+
+    <footer>
+      <a href="/privacy-policy">Privacy Policy</a>
+      <a href="/terms">Terms of Service</a>
+    </footer>
+
+    <!-- GDPR-compliant cookie banner -->
+    <div
+      id="cookie-banner"
+      style="
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        background: #1a1a2e;
+        color: #fff;
+        padding: 20px;
+        z-index: 9999;
+        display: flex;
+        align-items: center;
+        gap: 16px;
+      "
+    >
+      <p style="flex: 1; margin: 0">
+        We use cookies for analytics purposes with <strong>third-party vendors</strong>. Cookies
+        expire after <strong>13 months</strong>. You may <strong>withdraw your consent</strong> at
+        any time. See our <a href="/privacy-policy" style="color: #90e0ef">Privacy Policy</a>.
+      </p>
+      <button
+        id="reject-btn"
+        style="
+          padding: 10px 20px;
+          background: transparent;
+          color: #fff;
+          border: 1px solid #fff;
+          cursor: pointer;
+          font-size: 14px;
+        "
+      >
+        Reject all
+      </button>
+      <button
+        id="accept-btn"
+        style="
+          padding: 10px 20px;
+          background: #4caf50;
+          color: #fff;
+          border: none;
+          cursor: pointer;
+          font-size: 14px;
+        "
+      >
+        Accept all
+      </button>
+    </div>
+
+    <script>
+      document.getElementById("accept-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+        document.cookie = "consent=accepted; path=/; max-age=31536000";
+      });
+
+      document.getElementById("reject-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+        document.cookie = "consent=rejected; path=/; max-age=31536000";
+      });
+    </script>
+  </body>
+</html>

package/tests/e2e/fixtures/no-modal-site.html

@@ -0,0 +1,17 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>No Modal Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome</h1>
+      <p>This page has no cookie consent modal at all.</p>
+    </main>
+
+    <footer>
+      <a href="/privacy-policy">Privacy Policy</a>
+    </footer>
+  </body>
+</html>

package/tests/e2e/fixtures/non-compliant-site.html

@@ -0,0 +1,54 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <title>Non-Compliant Test Site</title>
+  </head>
+  <body>
+    <main>
+      <h1>Welcome</h1>
+      <p>This page has no reject button and sets analytics cookies immediately.</p>
+    </main>
+
+    <!-- Non-compliant: no reject button, no privacy policy link, cookie set before interaction -->
+    <div
+      id="cookie-banner"
+      style="
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        background: #333;
+        color: #fff;
+        padding: 20px;
+        z-index: 9999;
+      "
+    >
+      <p style="margin: 0 0 10px 0">
+        By continuing to browse this site, you accept the use of cookies.
+      </p>
+      <button
+        id="accept-btn"
+        style="
+          padding: 10px 24px;
+          background: #e53935;
+          color: #fff;
+          border: none;
+          cursor: pointer;
+          font-size: 16px;
+        "
+      >
+        OK
+      </button>
+    </div>
+
+    <script>
+      // Set analytics cookie before any interaction (non-compliant)
+      document.cookie = "_ga=GA1.2.123456789.1234567890; path=/; max-age=34560000";
+
+      document.getElementById("accept-btn").addEventListener("click", function () {
+        document.getElementById("cookie-banner").style.display = "none";
+      });
+    </script>
+  </body>
+</html>

package/tests/e2e/scanner.test.ts

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { Scanner } from "../../src/scanner/index.js";
+import { startTestServer, type TestServer } from "../helpers/test-server.js";
+
+// E2E tests spin up real Playwright browsers — allow generous timeouts
+const E2E_TIMEOUT = 60_000;
+
+describe("Scanner E2E", { timeout: E2E_TIMEOUT }, () => {
+  let server: TestServer;
+  let outputDir: string;
+
+  beforeAll(async () => {
+    server = await startTestServer();
+    outputDir = await mkdtemp(join(tmpdir(), "gdpr-test-"));
+  });
+
+  afterAll(async () => {
+    await server.close();
+    await rm(outputDir, { recursive: true, force: true });
+  });
+
+  function makeOptions(fixture: string) {
+    return {
+      url: `${server.url}/${fixture}`,
+      outputDir: join(outputDir, fixture.replace(".html", "")),
+      timeout: 30_000,
+      screenshots: false,
+      locale: "en-US",
+      verbose: false,
+    };
+  }
+
+  describe("compliant-site.html", () => {
+    it("detects the consent modal", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(true);
+    });
+
+    it("finds both accept and reject buttons", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      const types = result.modal.buttons.map((b) => b.type);
+      expect(types).toContain("accept");
+      expect(types).toContain("reject");
+    });
+
+    it("finds the privacy policy link in the modal", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("finds a privacy policy link on the page", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("assigns a passing compliance grade (A or B)", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      expect(["A", "B"]).toContain(result.compliance.grade);
+    });
+
+    it("does not flag pre-consent cookies", async () => {
+      const scanner = new Scanner(makeOptions("compliant-site.html"));
+      const result = await scanner.run();
+      const illegalPreConsent = result.cookiesBeforeInteraction.filter((c) => c.requiresConsent);
+      expect(illegalPreConsent).toHaveLength(0);
+    });
+  });
+
+  describe("non-compliant-site.html", () => {
+    it("detects the consent modal", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(true);
+    });
+
+    it("detects _ga cookie set before any interaction", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      const gaBeforeInteraction = result.cookiesBeforeInteraction.some(
+        (c) => c.name === "_ga" && c.requiresConsent,
+      );
+      expect(gaBeforeInteraction).toBe(true);
+    });
+
+    it("raises an auto-consent issue for pre-interaction cookies", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      const issue = result.compliance.issues.find((i) => i.type === "auto-consent");
+      expect(issue).toBeDefined();
+    });
+
+    it("assigns a failing grade (C, D, or F)", async () => {
+      const scanner = new Scanner(makeOptions("non-compliant-site.html"));
+      const result = await scanner.run();
+      expect(["C", "D", "F"]).toContain(result.compliance.grade);
+    });
+  });
+
+  describe("no-modal-site.html", () => {
+    it("reports modal as not detected", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.modal.detected).toBe(false);
+    });
+
+    it("still finds the page-level privacy policy link", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.privacyPolicyUrl).toBeTruthy();
+    });
+
+    it("assigns grade F when no modal is detected", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      expect(result.compliance.grade).toBe("F");
+    });
+
+    it("raises a critical no-reject-button issue", async () => {
+      const scanner = new Scanner(makeOptions("no-modal-site.html"));
+      const result = await scanner.run();
+      const issue = result.compliance.issues.find(
+        (i) => i.type === "no-reject-button" && i.severity === "critical",
+      );
+      expect(issue).toBeDefined();
+    });
+  });
+});

package/tests/helpers/test-server.ts

@@ -0,0 +1,57 @@
+import { createServer } from "http";
+import { readFile } from "fs/promises";
+import { join, extname } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const FIXTURES_DIR = join(__dirname, "../e2e/fixtures");
+
+const MIME_TYPES: Record<string, string> = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+};
+
+export interface TestServer {
+  url: string;
+  close(): Promise<void>;
+}
+
+/**
+ * Starts a minimal HTTP server serving static HTML fixtures.
+ * Returns the base URL and a close() function.
+ */
+export async function startTestServer(port = 0): Promise<TestServer> {
+  const server = createServer(async (req, res) => {
+    const urlPath = req.url === "/" ? "/index.html" : (req.url ?? "/");
+    // Map /privacy-policy → privacy-policy.html or return a stub
+    const filePath = urlPath.endsWith(".html")
+      ? join(FIXTURES_DIR, urlPath)
+      : join(FIXTURES_DIR, `${urlPath.slice(1)}.html`);
+
+    try {
+      const content = await readFile(filePath);
+      const ext = extname(filePath) || ".html";
+      res.writeHead(200, { "Content-Type": MIME_TYPES[ext] ?? "text/plain" });
+      res.end(content);
+    } catch {
+      // Return a minimal stub for unknown paths (e.g., /privacy-policy)
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end("<!DOCTYPE html><html><body><h1>Privacy Policy</h1></body></html>");
+    }
+  });
+
+  await new Promise<void>((resolve) => server.listen(port, "127.0.0.1", resolve));
+
+  const address = server.address();
+  if (!address || typeof address === "string") {
+    throw new Error("Unexpected server address type");
+  }
+
+  return {
+    url: `http://127.0.0.1:${address.port}`,
+    close: () =>
+      new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve()))),
+  };
+}