npm - @slashgear/gdpr-cookie-scanner - Versions diffs - 3.5.1 → 3.7.0 - Mend

@slashgear/gdpr-cookie-scanner 3.5.1 → 3.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/CHANGELOG.md +106 -0
package/CLAUDE.md +12 -1
package/NEXT_STEPS.md +37 -3
package/README.md +23 -0
package/dist/analyzers/colour.d.ts +36 -0
package/dist/analyzers/colour.d.ts.map +1 -0
package/dist/analyzers/colour.js +75 -0
package/dist/analyzers/colour.js.map +1 -0
package/dist/analyzers/compliance.d.ts.map +1 -1
package/dist/analyzers/compliance.js +24 -6
package/dist/analyzers/compliance.js.map +1 -1
package/dist/analyzers/tcf-decoder.d.ts +9 -0
package/dist/analyzers/tcf-decoder.d.ts.map +1 -0
package/dist/analyzers/tcf-decoder.js +123 -0
package/dist/analyzers/tcf-decoder.js.map +1 -0
package/dist/analyzers/wording.d.ts +1 -0
package/dist/analyzers/wording.d.ts.map +1 -1
package/dist/analyzers/wording.js +39 -0
package/dist/analyzers/wording.js.map +1 -1
package/dist/report/generator.d.ts +1 -2
package/dist/report/generator.d.ts.map +1 -1
package/dist/report/generator.js +80 -108
package/dist/report/generator.js.map +1 -1
package/dist/report/html.d.ts.map +1 -1
package/dist/report/html.js +173 -4
package/dist/report/html.js.map +1 -1
package/dist/scanner/consent-modal.d.ts.map +1 -1
package/dist/scanner/consent-modal.js +57 -39
package/dist/scanner/consent-modal.js.map +1 -1
package/dist/scanner/index.d.ts.map +1 -1
package/dist/scanner/index.js +4 -0
package/dist/scanner/index.js.map +1 -1
package/dist/scanner/tcf.d.ts +9 -0
package/dist/scanner/tcf.d.ts.map +1 -0
package/dist/scanner/tcf.js +72 -0
package/dist/scanner/tcf.js.map +1 -0
package/dist/types.d.ts +26 -0
package/dist/types.d.ts.map +1 -1
package/docs/index.html +37 -49
package/docs/reports/www.arte.tv/after-accept.png +0 -0
package/docs/reports/www.arte.tv/after-reject.png +0 -0
package/docs/reports/www.arte.tv/gdpr-report-arte.tv-2026-02-24.html +997 -0
package/docs/reports/www.deezer.com/after-accept.png +0 -0
package/docs/reports/www.deezer.com/after-reject.png +0 -0
package/docs/reports/www.deezer.com/gdpr-report-deezer.com-2026-02-22.html +1667 -0
package/docs/reports/www.impots.gouv.fr/after-accept.png +0 -0
package/docs/reports/www.impots.gouv.fr/after-reject.png +0 -0
package/docs/reports/www.impots.gouv.fr/gdpr-report-impots.gouv.fr-2026-02-22.html +751 -0
package/docs/reports/www.leboncoin.fr/after-accept.png +0 -0
package/docs/reports/www.leboncoin.fr/after-reject.png +0 -0
package/docs/reports/www.leboncoin.fr/gdpr-report-leboncoin.fr-2026-02-22.html +764 -0
package/docs/reports/www.netflix.com/after-accept.png +0 -0
package/docs/reports/www.netflix.com/after-reject.png +0 -0
package/docs/reports/www.netflix.com/gdpr-report-netflix.com-2026-02-23.html +1050 -0
package/docs/reports/www.radiofrance.fr/after-accept.png +0 -0
package/docs/reports/www.radiofrance.fr/after-reject.png +0 -0
package/docs/reports/www.radiofrance.fr/gdpr-report-radiofrance.fr-2026-02-24.html +1145 -0
package/package.json +1 -2
package/src/analyzers/colour.ts +89 -0
package/src/analyzers/compliance.ts +35 -10
package/src/analyzers/tcf-decoder.ts +130 -0
package/src/analyzers/wording.ts +44 -0
package/src/report/generator.ts +92 -119
package/src/report/html.ts +197 -4
package/src/scanner/consent-modal.ts +64 -38
package/src/scanner/index.ts +5 -0
package/src/scanner/tcf.ts +80 -0
package/src/types.ts +29 -0
package/tests/analyzers/colour.test.ts +187 -0
package/tests/analyzers/compliance.test.ts +102 -0
package/tests/analyzers/tcf-decoder.test.ts +292 -0
package/tests/analyzers/wording.test.ts +38 -0
package/tests/scanner/button-classification.test.ts +32 -0
package/docs/reports/github.com/after-accept.png +0 -0
package/docs/reports/github.com/after-reject.png +0 -0
package/docs/reports/github.com/gdpr-checklist-github.com-2026-02-22.md +0 -44
package/docs/reports/github.com/gdpr-cookies-github.com-2026-02-22.md +0 -29
package/docs/reports/github.com/gdpr-report-github.com-2026-02-22.md +0 -102
package/docs/reports/github.com/gdpr-report-github.com-2026-02-22.pdf +0 -0
package/docs/reports/gitlab.com/after-accept.png +0 -0
package/docs/reports/gitlab.com/after-reject.png +0 -0
package/docs/reports/gitlab.com/gdpr-checklist-gitlab.com-2026-02-22.md +0 -44
package/docs/reports/gitlab.com/gdpr-cookies-gitlab.com-2026-02-22.md +0 -55
package/docs/reports/gitlab.com/gdpr-report-gitlab.com-2026-02-22.md +0 -200
package/docs/reports/gitlab.com/gdpr-report-gitlab.com-2026-02-22.pdf +0 -0
package/docs/reports/gitlab.com/modal-initial.png +0 -0
package/docs/reports/npmjs.com/after-accept.png +0 -0
package/docs/reports/npmjs.com/after-reject.png +0 -0
package/docs/reports/npmjs.com/gdpr-checklist-npmjs.com-2026-02-22.md +0 -44
package/docs/reports/npmjs.com/gdpr-cookies-npmjs.com-2026-02-22.md +0 -25
package/docs/reports/npmjs.com/gdpr-report-npmjs.com-2026-02-22.md +0 -88
package/docs/reports/npmjs.com/gdpr-report-npmjs.com-2026-02-22.pdf +0 -0
package/docs/reports/reddit.com/after-accept.png +0 -0
package/docs/reports/reddit.com/after-reject.png +0 -0
package/docs/reports/reddit.com/gdpr-checklist-reddit.com-2026-02-22.md +0 -44
package/docs/reports/reddit.com/gdpr-cookies-reddit.com-2026-02-22.md +0 -33
package/docs/reports/reddit.com/gdpr-report-reddit.com-2026-02-22.md +0 -148
package/docs/reports/reddit.com/gdpr-report-reddit.com-2026-02-22.pdf +0 -0
package/docs/reports/reddit.com/modal-initial.png +0 -0
package/docs/reports/stackoverflow.com/after-accept.png +0 -0
package/docs/reports/stackoverflow.com/after-reject.png +0 -0
package/docs/reports/stackoverflow.com/gdpr-checklist-stackoverflow.com-2026-02-22.md +0 -44
package/docs/reports/stackoverflow.com/gdpr-cookies-stackoverflow.com-2026-02-22.md +0 -67
package/docs/reports/stackoverflow.com/gdpr-report-stackoverflow.com-2026-02-22.md +0 -206
package/docs/reports/stackoverflow.com/gdpr-report-stackoverflow.com-2026-02-22.pdf +0 -0
package/docs/reports/stackoverflow.com/modal-initial.png +0 -0
package/docs/reports/www.afp.com/after-accept.png +0 -0
package/docs/reports/www.afp.com/after-reject.png +0 -0
package/docs/reports/www.afp.com/gdpr-checklist-afp.com-2026-02-22.md +0 -44
package/docs/reports/www.afp.com/gdpr-cookies-afp.com-2026-02-22.md +0 -42
package/docs/reports/www.afp.com/gdpr-report-afp.com-2026-02-22.md +0 -202
package/docs/reports/www.afp.com/gdpr-report-afp.com-2026-02-22.pdf +0 -0
package/docs/reports/www.afp.com/modal-initial.png +0 -0

package/tests/analyzers/colour.test.ts ADDED Viewed

@@ -0,0 +1,187 @@
+import { describe, it, expect } from "vitest";
+import { rgbToHsl, classifyHue, detectColourNudging } from "../../src/analyzers/colour.js";
+// ── rgbToHsl ──────────────────────────────────────────────────────────────────
+describe("rgbToHsl", () => {
+  it("converts pure red", () => {
+    const [h, s, l] = rgbToHsl(255, 0, 0);
+    expect(h).toBe(0);
+    expect(s).toBe(100);
+    expect(l).toBe(50);
+  });
+  it("converts pure green", () => {
+    const [h, s, l] = rgbToHsl(0, 255, 0);
+    expect(h).toBe(120);
+    expect(s).toBe(100);
+    expect(l).toBe(50);
+  });
+  it("converts pure blue", () => {
+    const [h, s, l] = rgbToHsl(0, 0, 255);
+    expect(h).toBe(240);
+    expect(s).toBe(100);
+    expect(l).toBe(50);
+  });
+  it("converts white", () => {
+    const [_h, s, l] = rgbToHsl(255, 255, 255);
+    expect(s).toBe(0);
+    expect(l).toBe(100);
+  });
+  it("converts black", () => {
+    const [_h, s, l] = rgbToHsl(0, 0, 0);
+    expect(s).toBe(0);
+    expect(l).toBe(0);
+  });
+  it("converts medium grey", () => {
+    const [, s, l] = rgbToHsl(128, 128, 128);
+    expect(s).toBe(0);
+    expect(l).toBeCloseTo(50, 0);
+  });
+});
+// ── classifyHue ───────────────────────────────────────────────────────────────
+describe("classifyHue", () => {
+  describe("green", () => {
+    it("classifies a vivid green accept button colour", () => {
+      // rgb(34, 197, 94) — typical Tailwind green-500
+      expect(classifyHue(34, 197, 94)).toBe("green");
+    });
+    it("classifies a darker CMP green", () => {
+      // rgb(22, 163, 74) — green-600
+      expect(classifyHue(22, 163, 74)).toBe("green");
+    });
+    it("classifies a yellow-green as green", () => {
+      // h ≈ 100 — still in the green range
+      expect(classifyHue(100, 200, 50)).toBe("green");
+    });
+  });
+  describe("grey", () => {
+    it("classifies a mid-grey reject button", () => {
+      expect(classifyHue(160, 160, 160)).toBe("grey");
+    });
+    it("classifies a light grey (s very low)", () => {
+      expect(classifyHue(220, 222, 220)).toBe("grey");
+    });
+    it("classifies a dark grey", () => {
+      // l ≈ 25%, s ≈ 0
+      expect(classifyHue(60, 60, 60)).toBe("grey");
+    });
+  });
+  describe("red", () => {
+    it("classifies pure red", () => {
+      expect(classifyHue(255, 0, 0)).toBe("red");
+    });
+    it("classifies a muted red / crimson", () => {
+      // rgb(185, 28, 28) — red-700
+      expect(classifyHue(185, 28, 28)).toBe("red");
+    });
+    it("classifies a high-hue pink/magenta near 340° as red", () => {
+      // h ≈ 348
+      expect(classifyHue(220, 38, 100)).toBe("red");
+    });
+  });
+  describe("blue", () => {
+    it("classifies a standard blue CTA button", () => {
+      // rgb(59, 130, 246) — blue-500
+      expect(classifyHue(59, 130, 246)).toBe("blue");
+    });
+    it("classifies a darker navy blue", () => {
+      expect(classifyHue(30, 64, 175)).toBe("blue");
+    });
+  });
+  describe("neutral", () => {
+    it("returns neutral for white (l > 93)", () => {
+      expect(classifyHue(255, 255, 255)).toBe("neutral");
+    });
+    it("returns neutral for near-black (l < 10)", () => {
+      expect(classifyHue(10, 10, 10)).toBe("neutral");
+    });
+    it("returns neutral for an orange hue (not a defined category)", () => {
+      // h ≈ 30, s ≈ 90% — orange
+      expect(classifyHue(255, 140, 0)).toBe("neutral");
+    });
+  });
+});
+// ── detectColourNudging ───────────────────────────────────────────────────────
+describe("detectColourNudging", () => {
+  const GREEN = "rgb(34, 197, 94)";
+  const GREY = "rgb(160, 160, 160)";
+  const RED = "rgb(185, 28, 28)";
+  const BLUE = "rgb(59, 130, 246)";
+  describe("nudging detected", () => {
+    it("flags green accept + grey reject", () => {
+      const { isNudging, acceptHue, rejectHue } = detectColourNudging(GREEN, GREY);
+      expect(isNudging).toBe(true);
+      expect(acceptHue).toBe("green");
+      expect(rejectHue).toBe("grey");
+    });
+    it("flags green accept + red reject", () => {
+      const { isNudging, acceptHue, rejectHue } = detectColourNudging(GREEN, RED);
+      expect(isNudging).toBe(true);
+      expect(acceptHue).toBe("green");
+      expect(rejectHue).toBe("red");
+    });
+  });
+  describe("no nudging", () => {
+    it("does not flag blue accept + grey reject (blue ≠ green)", () => {
+      const { isNudging } = detectColourNudging(BLUE, GREY);
+      expect(isNudging).toBe(false);
+    });
+    it("does not flag green accept + green reject (same hue, no asymmetry)", () => {
+      const { isNudging } = detectColourNudging(GREEN, GREEN);
+      expect(isNudging).toBe(false);
+    });
+    it("does not flag green accept + blue reject", () => {
+      const { isNudging } = detectColourNudging(GREEN, BLUE);
+      expect(isNudging).toBe(false);
+    });
+    it("returns isNudging false when acceptBg is null", () => {
+      const { isNudging, acceptHue } = detectColourNudging(null, GREY);
+      expect(isNudging).toBe(false);
+      expect(acceptHue).toBeNull();
+    });
+    it("returns isNudging false when rejectBg is null", () => {
+      const { isNudging, rejectHue } = detectColourNudging(GREEN, null);
+      expect(isNudging).toBe(false);
+      expect(rejectHue).toBeNull();
+    });
+    it("returns isNudging false when both are null", () => {
+      const { isNudging } = detectColourNudging(null, null);
+      expect(isNudging).toBe(false);
+    });
+    it("does not flag unparseable CSS strings", () => {
+      const { isNudging } = detectColourNudging("transparent", "inherit");
+      expect(isNudging).toBe(false);
+    });
+  });
+});

package/tests/analyzers/compliance.test.ts CHANGED Viewed

@@ -287,6 +287,108 @@ describe("easyRefusal dimension", () => {
     });
     expect(result.issues.some((i) => i.type === "nudging")).toBe(true);
   });
+  it("deducts 5 for indirect reject label ('continuer sans accepter' dark pattern)", () => {
+    const modal = makeModal({
+      buttons: [
+        makeButton("accept", "Tout accepter", 1),
+        makeButton("reject", "Continuer sans accepter", 1),
+      ],
+    });
+    const result = analyzeCompliance({
+      modal,
+      privacyPolicyUrl: "https://example.com/privacy",
+      cookiesBeforeInteraction: [],
+      cookiesAfterAccept: [makeCookie("_ga", true, "after-accept")],
+      cookiesAfterReject: [],
+      networkBeforeInteraction: [],
+      networkAfterAccept: [],
+      networkAfterReject: [],
+    });
+    expect(result.breakdown.easyRefusal).toBeLessThanOrEqual(20);
+    expect(
+      result.issues.some((i) => i.type === "misleading-wording" && i.severity === "warning"),
+    ).toBe(true);
+  });
+  it("does NOT deduct for an explicit reject label", () => {
+    const modal = makeModal({
+      buttons: [makeButton("accept", "Tout accepter", 1), makeButton("reject", "Tout refuser", 1)],
+    });
+    const result = analyzeCompliance({
+      modal,
+      privacyPolicyUrl: "https://example.com/privacy",
+      cookiesBeforeInteraction: [],
+      cookiesAfterAccept: [makeCookie("_ga", true, "after-accept")],
+      cookiesAfterReject: [],
+      networkBeforeInteraction: [],
+      networkAfterAccept: [],
+      networkAfterReject: [],
+    });
+    expect(result.breakdown.easyRefusal).toBe(25);
+  });
+  it("deducts 5 for colour nudging (green accept + grey reject)", () => {
+    const modal = makeModal({
+      buttons: [
+        makeButton("accept", "Accept all", 1, { backgroundColor: "rgb(34, 197, 94)" }),
+        makeButton("reject", "Reject all", 1, { backgroundColor: "rgb(160, 160, 160)" }),
+      ],
+    });
+    const result = analyzeCompliance({
+      modal,
+      privacyPolicyUrl: "https://example.com/privacy",
+      cookiesBeforeInteraction: [],
+      cookiesAfterAccept: [makeCookie("_ga", true, "after-accept")],
+      cookiesAfterReject: [],
+      networkBeforeInteraction: [],
+      networkAfterAccept: [],
+      networkAfterReject: [],
+    });
+    expect(result.breakdown.easyRefusal).toBeLessThanOrEqual(20);
+    expect(result.issues.some((i) => i.type === "nudging" && i.severity === "warning")).toBe(true);
+  });
+  it("deducts 5 for colour nudging (green accept + red reject)", () => {
+    const modal = makeModal({
+      buttons: [
+        makeButton("accept", "Accept all", 1, { backgroundColor: "rgb(34, 197, 94)" }),
+        makeButton("reject", "Reject all", 1, { backgroundColor: "rgb(185, 28, 28)" }),
+      ],
+    });
+    const result = analyzeCompliance({
+      modal,
+      privacyPolicyUrl: "https://example.com/privacy",
+      cookiesBeforeInteraction: [],
+      cookiesAfterAccept: [makeCookie("_ga", true, "after-accept")],
+      cookiesAfterReject: [],
+      networkBeforeInteraction: [],
+      networkAfterAccept: [],
+      networkAfterReject: [],
+    });
+    expect(result.breakdown.easyRefusal).toBeLessThanOrEqual(20);
+    expect(result.issues.some((i) => i.type === "nudging")).toBe(true);
+  });
+  it("does NOT flag colour nudging when accept is blue (not green)", () => {
+    const modal = makeModal({
+      buttons: [
+        makeButton("accept", "Accept all", 1, { backgroundColor: "rgb(59, 130, 246)" }),
+        makeButton("reject", "Reject all", 1, { backgroundColor: "rgb(160, 160, 160)" }),
+      ],
+    });
+    const result = analyzeCompliance({
+      modal,
+      privacyPolicyUrl: "https://example.com/privacy",
+      cookiesBeforeInteraction: [],
+      cookiesAfterAccept: [makeCookie("_ga", true, "after-accept")],
+      cookiesAfterReject: [],
+      networkBeforeInteraction: [],
+      networkAfterAccept: [],
+      networkAfterReject: [],
+    });
+    expect(result.breakdown.easyRefusal).toBe(25);
+  });
 });
 // ── C. Transparency ───────────────────────────────────────────────────────────

package/tests/analyzers/tcf-decoder.test.ts ADDED Viewed

@@ -0,0 +1,292 @@
+import { describe, it, expect } from "vitest";
+import {
+  decodeTcfConsentString,
+  IAB_PURPOSES,
+  IAB_SPECIAL_FEATURES,
+} from "../../src/analyzers/tcf-decoder.js";
+// ── Fixture builder ───────────────────────────────────────────────────────────
+//
+// Encodes an array of [bitCount, value] pairs into a base64url string
+// suitable for passing to decodeTcfConsentString().
+// Uses modulo + Math.floor to avoid 32-bit overflow on large timestamps.
+function makeTcfString(fields: Array<[bits: number, value: number]>): string {
+  const totalBits = fields.reduce((s, [b]) => s + b, 0);
+  const buf = Buffer.alloc(Math.ceil(totalBits / 8), 0);
+  let pos = 0;
+  for (const [bits, value] of fields) {
+    const arr: number[] = [];
+    let v = value;
+    for (let i = 0; i < bits; i++) {
+      arr.unshift(v % 2);
+      v = Math.floor(v / 2);
+    }
+    for (const bit of arr) {
+      if (bit) buf[Math.floor(pos / 8)] |= 1 << (7 - (pos % 8));
+      pos++;
+    }
+  }
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+/** Encode a 2-char ISO language/country code into 12 bits (A=0). */
+function langBits(code: string): number {
+  return ((code.charCodeAt(0) - 65) << 6) | (code.charCodeAt(1) - 65);
+}
+/** Encode a list of purpose IDs (1-based) into a 24-bit bitfield. */
+function purposeBits(ids: number[]): number {
+  return ids.reduce((acc, id) => acc | (1 << (24 - id)), 0);
+}
+/** Encode a list of special feature IDs (1-based) into a 12-bit bitfield. */
+function specialFeatureBits(ids: number[]): number {
+  return ids.reduce((acc, id) => acc | (1 << (12 - id)), 0);
+}
+// 2020-01-01T00:00:00.000Z in deciseconds
+const EPOCH_2020_DS = 15778368000;
+function makeTcfV2(
+  opts: {
+    cmpId?: number;
+    cmpVersion?: number;
+    consentLanguage?: string;
+    vendorListVersion?: number;
+    tcfPolicyVersion?: number;
+    isServiceSpecific?: boolean;
+    specialFeatures?: number[];
+    purposesConsent?: number[];
+    purposesLI?: number[];
+    publisherCC?: string;
+  } = {},
+): string {
+  const {
+    cmpId = 28,
+    cmpVersion = 1,
+    consentLanguage = "EN",
+    vendorListVersion = 65,
+    tcfPolicyVersion = 2,
+    isServiceSpecific = false,
+    specialFeatures = [],
+    purposesConsent = [],
+    purposesLI = [],
+    publisherCC = "DE",
+  } = opts;
+  return makeTcfString([
+    [6, 2], // version = 2
+    [36, EPOCH_2020_DS], // created
+    [36, EPOCH_2020_DS], // lastUpdated
+    [12, cmpId],
+    [12, cmpVersion],
+    [6, 0], // consentScreen
+    [12, langBits(consentLanguage)],
+    [12, vendorListVersion],
+    [6, tcfPolicyVersion],
+    [1, isServiceSpecific ? 1 : 0],
+    [1, 0], // useNonStandardStacks
+    [12, specialFeatureBits(specialFeatures)],
+    [24, purposeBits(purposesConsent)],
+    [24, purposeBits(purposesLI)],
+    [1, 0], // purposeOneTreatment
+    [12, langBits(publisherCC)],
+  ]);
+}
+function makeTcfV1(
+  opts: {
+    cmpId?: number;
+    cmpVersion?: number;
+    consentLanguage?: string;
+    vendorListVersion?: number;
+    purposesAllowed?: number[];
+  } = {},
+): string {
+  const {
+    cmpId = 10,
+    cmpVersion = 1,
+    consentLanguage = "FR",
+    vendorListVersion = 12,
+    purposesAllowed = [],
+  } = opts;
+  return makeTcfString([
+    [6, 1], // version = 1
+    [36, EPOCH_2020_DS], // created
+    [36, EPOCH_2020_DS], // lastUpdated
+    [12, cmpId],
+    [12, cmpVersion],
+    [6, 0], // consentScreen
+    [12, langBits(consentLanguage)],
+    [12, vendorListVersion],
+    [24, purposeBits(purposesAllowed)],
+  ]);
+}
+// ── TCF v2 ────────────────────────────────────────────────────────────────────
+describe("decodeTcfConsentString — TCF v2", () => {
+  it("decodes version 2", () => {
+    expect(decodeTcfConsentString(makeTcfV2())?.version).toBe(2);
+  });
+  it("decodes CMP ID and version", () => {
+    const result = decodeTcfConsentString(makeTcfV2({ cmpId: 28, cmpVersion: 3 }));
+    expect(result?.cmpId).toBe(28);
+    expect(result?.cmpVersion).toBe(3);
+  });
+  it("decodes consent language", () => {
+    expect(decodeTcfConsentString(makeTcfV2({ consentLanguage: "FR" }))?.consentLanguage).toBe(
+      "FR",
+    );
+  });
+  it("decodes timestamps as Date objects", () => {
+    const result = decodeTcfConsentString(makeTcfV2());
+    expect(result?.created).toEqual(new Date(EPOCH_2020_DS * 100));
+    expect(result?.lastUpdated).toEqual(new Date(EPOCH_2020_DS * 100));
+  });
+  it("decodes purposesConsent", () => {
+    const result = decodeTcfConsentString(makeTcfV2({ purposesConsent: [1, 2, 7] }));
+    expect(result?.purposesConsent).toEqual([1, 2, 7]);
+  });
+  it("decodes purposesLegitimateInterest", () => {
+    const result = decodeTcfConsentString(makeTcfV2({ purposesLI: [2, 4, 9] }));
+    expect(result?.purposesLegitimateInterest).toEqual([2, 4, 9]);
+  });
+  it("decodes specialFeatureOptins", () => {
+    const result = decodeTcfConsentString(makeTcfV2({ specialFeatures: [1, 2] }));
+    expect(result?.specialFeatureOptins).toEqual([1, 2]);
+  });
+  it("returns empty arrays when nothing is set", () => {
+    const result = decodeTcfConsentString(
+      makeTcfV2({ purposesConsent: [], purposesLI: [], specialFeatures: [] }),
+    );
+    expect(result?.purposesConsent).toEqual([]);
+    expect(result?.purposesLegitimateInterest).toEqual([]);
+    expect(result?.specialFeatureOptins).toEqual([]);
+  });
+  it("decodes publisherCC", () => {
+    expect(decodeTcfConsentString(makeTcfV2({ publisherCC: "FR" }))?.publisherCC).toBe("FR");
+  });
+  it("decodes isServiceSpecific", () => {
+    expect(decodeTcfConsentString(makeTcfV2({ isServiceSpecific: true }))?.isServiceSpecific).toBe(
+      true,
+    );
+  });
+  it("decodes tcfPolicyVersion", () => {
+    expect(decodeTcfConsentString(makeTcfV2({ tcfPolicyVersion: 4 }))?.tcfPolicyVersion).toBe(4);
+  });
+  it("decodes vendorListVersion", () => {
+    expect(decodeTcfConsentString(makeTcfV2({ vendorListVersion: 130 }))?.vendorListVersion).toBe(
+      130,
+    );
+  });
+  it("preserves the raw string", () => {
+    const str = makeTcfV2();
+    expect(decodeTcfConsentString(str)?.raw).toBe(str);
+  });
+  it("ignores vendor segments after '~'", () => {
+    const str = makeTcfV2({ cmpId: 5 });
+    const result = decodeTcfConsentString(`${str}~someVendorSegment~anotherSegment`);
+    expect(result?.version).toBe(2);
+    expect(result?.cmpId).toBe(5);
+  });
+});
+// ── TCF v1 ────────────────────────────────────────────────────────────────────
+describe("decodeTcfConsentString — TCF v1", () => {
+  it("decodes version 1", () => {
+    expect(decodeTcfConsentString(makeTcfV1())?.version).toBe(1);
+  });
+  it("decodes purposesAllowed as purposesConsent", () => {
+    const result = decodeTcfConsentString(makeTcfV1({ purposesAllowed: [1, 3, 5] }));
+    expect(result?.purposesConsent).toEqual([1, 3, 5]);
+  });
+  it("returns empty legitimateInterest and specialFeatures for v1", () => {
+    const result = decodeTcfConsentString(makeTcfV1());
+    expect(result?.purposesLegitimateInterest).toEqual([]);
+    expect(result?.specialFeatureOptins).toEqual([]);
+  });
+  it("decodes CMP ID", () => {
+    expect(decodeTcfConsentString(makeTcfV1({ cmpId: 42 }))?.cmpId).toBe(42);
+  });
+  it("decodes consent language", () => {
+    expect(decodeTcfConsentString(makeTcfV1({ consentLanguage: "DE" }))?.consentLanguage).toBe(
+      "DE",
+    );
+  });
+  it("decodes timestamps as Date objects", () => {
+    const result = decodeTcfConsentString(makeTcfV1());
+    expect(result?.created).toEqual(new Date(EPOCH_2020_DS * 100));
+  });
+});
+// ── Edge cases ────────────────────────────────────────────────────────────────
+describe("decodeTcfConsentString — edge cases", () => {
+  it("returns null for an empty string", () => {
+    expect(decodeTcfConsentString("")).toBeNull();
+  });
+  it("returns null for a garbage base64 string", () => {
+    expect(decodeTcfConsentString("aaaa")).toBeNull();
+  });
+  it("returns null for an unsupported version (v3)", () => {
+    const str = makeTcfString([
+      [6, 3], // version = 3, unsupported
+      [36, 0],
+      [36, 0],
+      [12, 1],
+      [12, 1],
+      [6, 0],
+      [12, langBits("EN")],
+      [12, 1],
+    ]);
+    expect(decodeTcfConsentString(str)).toBeNull();
+  });
+});
+// ── IAB constants ─────────────────────────────────────────────────────────────
+describe("IAB_PURPOSES", () => {
+  it("contains all 11 standard purposes", () => {
+    for (let i = 1; i <= 11; i++) {
+      expect(IAB_PURPOSES[i], `purpose ${i}`).toBeDefined();
+    }
+  });
+  it("purpose 1 is about device storage", () => {
+    expect(IAB_PURPOSES[1]).toMatch(/store/i);
+  });
+});
+describe("IAB_SPECIAL_FEATURES", () => {
+  it("contains exactly 2 special features", () => {
+    expect(Object.keys(IAB_SPECIAL_FEATURES)).toHaveLength(2);
+  });
+  it("feature 1 is about geolocation", () => {
+    expect(IAB_SPECIAL_FEATURES[1]).toMatch(/geolocation/i);
+  });
+});

package/tests/analyzers/wording.test.ts CHANGED Viewed

@@ -84,6 +84,44 @@ describe("analyzeButtonWording", () => {
     });
   });
+  describe("indirect reject — refusal implied, not stated", () => {
+    it.each([
+      "Continuer sans accepter",
+      "Continue without accepting",
+      "Continue without consent",
+      "Proceed without accepting",
+      "Continuar sin aceptar",
+      "Continua senza accettare",
+      "Weiter ohne akzeptieren",
+    ])('flags "%s" as indirect reject (warning)', (text) => {
+      const buttons = [makeButton("accept", "Accept all"), makeButton("reject", text)];
+      const result = analyzeButtonWording(buttons);
+      expect(result.hasIndirectRejectLabel).toBe(true);
+      const issue = result.issues.find(
+        (i) => i.type === "misleading-wording" && i.severity === "warning",
+      );
+      expect(issue).toBeDefined();
+    });
+    it("does NOT flag an explicit Reject button as indirect", () => {
+      const buttons = [makeButton("accept", "Accept all"), makeButton("reject", "Reject all")];
+      const result = analyzeButtonWording(buttons);
+      expect(result.hasIndirectRejectLabel).toBe(false);
+    });
+    it("does NOT flag 'Tout refuser' as indirect", () => {
+      const buttons = [makeButton("accept", "Tout accepter"), makeButton("reject", "Tout refuser")];
+      const result = analyzeButtonWording(buttons);
+      expect(result.hasIndirectRejectLabel).toBe(false);
+    });
+    it("returns hasIndirectRejectLabel: false when there is no reject button", () => {
+      const buttons = [makeButton("accept", "Accept all")];
+      const result = analyzeButtonWording(buttons);
+      expect(result.hasIndirectRejectLabel).toBe(false);
+    });
+  });
   describe("fake reject — close/dismiss button disguised as reject", () => {
     it.each(["×", "✕", "close", "Fermer", "dismiss", "skip"])(
       'flags "%s" reject button as misleading (fake reject)',

package/tests/scanner/button-classification.test.ts CHANGED Viewed

@@ -191,6 +191,38 @@ describe("classifyButtonText — null (unknown language)", () => {
   });
 });
+// ── "Continue without accepting" dark pattern ─────────────────────────────────
+//
+// Some sites hide their reject action behind a phrase that contains the word
+// "accept" or an equivalent, making automated classifiers misread it as an
+// accept button. These must be classified as "reject".
+describe('classifyButtonText — "continue without accepting" dark pattern', () => {
+  it('FR: "Continuer sans accepter" → reject', () => {
+    expect(classifyButtonText("Continuer sans accepter", "fr")).toBe("reject");
+  });
+  it('EN: "Continue without accepting" → reject', () => {
+    expect(classifyButtonText("Continue without accepting", "en")).toBe("reject");
+  });
+  it('EN: "Continue without consent" → reject', () => {
+    expect(classifyButtonText("Continue without consent", "en")).toBe("reject");
+  });
+  it('ES: "Continuar sin aceptar" → reject', () => {
+    expect(classifyButtonText("Continuar sin aceptar", "es")).toBe("reject");
+  });
+  it('FR: "Accepter" alone → still accept (no regression)', () => {
+    expect(classifyButtonText("Accepter", "fr")).toBe("accept");
+  });
+  it('FR: "Tout accepter" → still accept (no regression)', () => {
+    expect(classifyButtonText("Tout accepter", "fr")).toBe("accept");
+  });
+});
 // ── BCP 47 subtag normalisation (sanity) ─────────────────────────────────────
 describe("classifyButtonText — full BCP 47 tags should be pre-normalised", () => {

package/docs/reports/github.com/after-accept.png DELETED Viewed

Binary file

package/docs/reports/github.com/after-reject.png DELETED Viewed

Binary file