@tantainnovative/ndpr-toolkit 5.5.1 → 5.6.0

package/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [5.6.0](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.5.1...v5.6.0) (2026-06-01)
+
+
+### Features
+
+* **consent:** add cookie scanner (declared vs present audit) ([d74366f](https://github.com/mr-tanta/ndpr-toolkit/commit/d74366f8356857621a94729eb79225cdfbef2024))
+* **packages:** refresh create-ndpr and ndpr-recipes for GAID 2025 ([bf709cf](https://github.com/mr-tanta/ndpr-toolkit/commit/bf709cf4f40176e65f21f2db61a946542fac7479))
+* **site:** make the /score audit a full-screen cinematic experience ([52cc0e8](https://github.com/mr-tanta/ndpr-toolkit/commit/52cc0e8b6b889df0ca6c1842a71d25029f4e4aaa))
+* **site:** turn the /score audit into a guided step-by-step wizard ([18f26ad](https://github.com/mr-tanta/ndpr-toolkit/commit/18f26ad36726f4b3ef9228e032e3d60eb4de1786))
+
+
+### Bug Fixes
+
+* **packages:** use canonical bin path (no ./ prefix) in create-ndpr manifests ([600d989](https://github.com/mr-tanta/ndpr-toolkit/commit/600d989f1f73fe5174f4d3fc035980bfa6c8fa27))
+
+
+### Documentation
+
+* **marketing:** refresh the X thread + LinkedIn post for current state ([58c6fca](https://github.com/mr-tanta/ndpr-toolkit/commit/58c6fca46899765bf3a09eee5cc0fca387f6cd99))
+* **site:** add Cookie Scanner guide page ([5813686](https://github.com/mr-tanta/ndpr-toolkit/commit/58136865de16e9f1f8b74c7918294fdcd0c5b78f))
+
 ## [5.5.1](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.5.0...v5.5.1) (2026-05-31)
 
 

package/README.md

@@ -536,6 +536,31 @@ The content checklist (`notificationToCommission`) maps each item to its source
 
 ---
 
+## Cookie Scanner
+
+`scanCookies()` audits the cookies **actually present** against the cookies you've **declared**, surfacing undeclared cookies that put you out of step with your cookie notice (**NDPA 2023 S.25–26** / **NDPC GAID 2025** — consent must be specific and informed). It's pure and DOM-optional: pass a `cookieString` (a `Cookie:` header server-side, or a fixture) or let it read `document.cookie` in the browser.
+
+```ts
+import { scanCookies } from '@tantainnovative/ndpr-toolkit/core'; // or /server
+
+const scan = scanCookies(
+  [{ name: 'sid', category: 'necessary', provider: 'App', purpose: 'Login session' }],
+  { cookieString: document.cookie }, // omit in the browser to read it automatically
+);
+
+scan.complete;     // false while any undeclared cookie is present
+scan.undeclared;   // cookies on the page you didn't declare — the compliance gap
+scan.identified;   // undeclared, but the built-in registry knows them (_ga → Google Analytics, …)
+scan.unknown;      // undeclared and unidentifiable
+scan.byCategory;   // present cookies grouped by resolved category
+```
+
+A built-in `KNOWN_COOKIES` registry recognises common third-party cookies (Google Analytics/Ads, Meta, Hotjar, Microsoft Clarity, LinkedIn, Stripe, HubSpot, TikTok, Intercom, …) so even undeclared cookies are usually identified with a provider and likely category; extend it via `knownCookies` or disable it with `useKnownRegistry: false`. Your own declarations always take precedence. Also available as the client-side `useCookieScan(declared?, options?)` hook from `/hooks`, which scans on mount and returns a stable `rescan()`.
+
+> A compliance-discovery aid, not legal advice — verify against current NDPC guidance.
+
+---
+
 ## Compliance Audit CLI
 
 The package ships an `ndpr` binary. `ndpr audit` scores a compliance config against the toolkit's engine — the compliance score plus the GAID 2025 DCPMI, CAR, and breach-notification checks — and **exits non-zero when the audit fails**, so you can drop it into CI as a compliance gate.

package/dist/chunk-675DXBED.mjs

@@ -0,0 +1 @@
+function S(r){let e=[];if((!r.consents||Object.keys(r.consents).length===0)&&e.push({field:"consents",code:"consents_required",message:"Consent settings must include at least one consent option"}),r.timestamp?(typeof r.timestamp!="number"||isNaN(r.timestamp))&&e.push({field:"timestamp",code:"timestamp_invalid",message:"Consent timestamp must be a valid number"}):e.push({field:"timestamp",code:"timestamp_required",message:"Consent timestamp is required"}),r.version||e.push({field:"version",code:"version_required",message:"Consent version is required"}),r.method||e.push({field:"method",code:"method_required",message:"Consent collection method is required"}),r.hasInteracted===void 0&&e.push({field:"hasInteracted",code:"has_interacted_required",message:"User interaction status is required"}),r.timestamp){let o=new Date;o.setMonth(o.getMonth()-13);let n=o.getTime();r.timestamp<n&&e.push({field:"timestamp",code:"consent_stale",message:"Consent is older than 13 months and should be refreshed"});}return e.length>0?{valid:false,errors:e}:{valid:true,errors:[],data:r}}function b(r){let e=[];return (!r||r.length===0)&&e.push({field:"options",code:"options_required",message:"At least one consent option is required"}),r==null||r.forEach((o,n)=>{(!o.purpose||o.purpose.trim()==="")&&e.push({field:`options[${n}].purpose`,code:"purpose_required",message:`Consent option "${o.id}" is missing a purpose. NDPA Section 26 requires consent to be specific to a stated purpose.`});}),e.length>0?{valid:false,errors:e}:{valid:true,errors:[],data:r}}var v=[{name:"_ga",category:"analytics",provider:"Google Analytics",purpose:"Distinguishes users"},{name:"_ga_",prefix:true,category:"analytics",provider:"Google Analytics (GA4)",purpose:"Persists session state"},{name:"_gid",category:"analytics",provider:"Google Analytics",purpose:"Distinguishes users"},{name:"_gat",prefix:true,category:"analytics",provider:"Google Analytics",purpose:"Throttles request rate"},{name:"_dc_gtm_",prefix:true,category:"analytics",provider:"Google Tag Manager",purpose:"Throttles request rate"},{name:"_gcl_",prefix:true,category:"marketing",provider:"Google Ads",purpose:"Conversion tracking"},{name:"IDE",category:"marketing",provider:"Google DoubleClick",purpose:"Ad targeting"},{name:"test_cookie",category:"marketing",provider:"Google DoubleClick",purpose:"Checks cookie support"},{name:"_fbp",category:"marketing",provider:"Meta (Facebook)",purpose:"Ad delivery and measurement"},{name:"_fbc",category:"marketing",provider:"Meta (Facebook)",purpose:"Click attribution"},{name:"fr",category:"marketing",provider:"Meta (Facebook)",purpose:"Ad delivery and measurement"},{name:"_clck",category:"analytics",provider:"Microsoft Clarity",purpose:"Session analytics"},{name:"_clsk",category:"analytics",provider:"Microsoft Clarity",purpose:"Session analytics"},{name:"_hj",prefix:true,category:"analytics",provider:"Hotjar",purpose:"Behaviour analytics"},{name:"bcookie",category:"marketing",provider:"LinkedIn",purpose:"Browser identification"},{name:"lidc",category:"marketing",provider:"LinkedIn",purpose:"Routing / ad delivery"},{name:"li_",prefix:true,category:"marketing",provider:"LinkedIn",purpose:"Ad delivery"},{name:"_ttp",category:"marketing",provider:"TikTok",purpose:"Ad measurement"},{name:"personalization_id",category:"marketing",provider:"X (Twitter)",purpose:"Ad personalisation"},{name:"guest_id",category:"marketing",provider:"X (Twitter)",purpose:"Identifies the browser"},{name:"hubspotutk",category:"marketing",provider:"HubSpot",purpose:"Visitor identification"},{name:"__hs",prefix:true,category:"analytics",provider:"HubSpot",purpose:"Analytics / session"},{name:"__stripe_mid",category:"necessary",provider:"Stripe",purpose:"Fraud prevention"},{name:"__stripe_sid",category:"necessary",provider:"Stripe",purpose:"Fraud prevention"},{name:"intercom-",prefix:true,category:"functional",provider:"Intercom",purpose:"Live chat / messaging"},{name:"ndpr_consent",category:"necessary",provider:"NDPR Toolkit",purpose:"Stores the consent decision"}];function k(r,e){return e.name instanceof RegExp?e.name.test(r):e.prefix?r.startsWith(e.name):r===e.name}function C(r){return r.split(";").map(e=>{let o=e.trim(),n=o.indexOf("=");return (n===-1?o:o.slice(0,n)).trim()}).filter(e=>e.length>0)}function A(r=[],e={}){var u,l,m,g,f,y;let o=(u=e.cookieString)!=null?u:typeof document!="undefined"?document.cookie:"",n=(l=e.asOf)!=null?l:Date.now(),h=((m=e.useKnownRegistry)!=null?m:true)?[...(g=e.knownCookies)!=null?g:[],...v]:[],a=C(o).map(t=>{let i=r.find(d=>k(t,d));if(i)return {name:t,category:i.category,matchedBy:"declared",provider:i.provider,purpose:i.purpose};let c=h.find(d=>k(t,d));return c?{name:t,category:c.category,matchedBy:"known",provider:c.provider,purpose:c.purpose}:{name:t,category:null,matchedBy:"none"}}),s={};for(let t of a){let i=(f=t.category)!=null?f:"uncategorized";((y=s[i])!=null?y:s[i]=[]).push(t);}let p=a.filter(t=>t.matchedBy!=="declared");return {scannedAt:n,total:a.length,cookies:a,declared:a.filter(t=>t.matchedBy==="declared"),undeclared:p,identified:a.filter(t=>t.matchedBy==="known"),unknown:a.filter(t=>t.matchedBy==="none"),byCategory:s,complete:p.length===0}}export{S as a,b,v as c,A as d};

package/dist/{chunk-QKXGVT2Q.js → chunk-GJH7YFBO.js}

@@ -1 +1 @@
-'use strict';var chunkC2KEXHRX_js=require('./chunk-C2KEXHRX.js'),chunkDKLJ5DYN_js=require('./chunk-DKLJ5DYN.js'),chunkVWED6UTN_js=require('./chunk-VWED6UTN.js'),react=require('react');function F(o){if(!o)return chunkVWED6UTN_js.a("ndpr_consent");let{storageKey:n="ndpr_consent",storageType:i="localStorage"}=o;return i==="sessionStorage"?chunkC2KEXHRX_js.a(n):i==="cookie"?chunkC2KEXHRX_js.b(n,o.cookieOptions):chunkVWED6UTN_js.a(n)}function V(o,n,i,r,a,p,l){if(o){i(o);let{valid:s,errors:c}=chunkDKLJ5DYN_js.a(o);r(s),a(c),p(!(s&&o.version===n));}else p(true);l(false);}function z({options:o,adapter:n,storageOptions:i,version:r="1.0",onChange:a}){let p=n!=null?n:F(i),l=react.useRef(p);l.current=p;let[s,c]=react.useState(null),[y,d]=react.useState(false),[O,S]=react.useState(false),[k,C]=react.useState([]),[w,v]=react.useState(true);react.useEffect(()=>{let t=false;try{let e=l.current.load();e instanceof Promise?e.then(m=>{t||V(m,r,c,S,C,d,v);},()=>{t||(d(!0),v(!1));}):V(e,r,c,S,C,d,v);}catch(e){t||(d(true),v(false));}return ()=>{t=true;}},[r]);let h=react.useCallback(t=>{let{valid:e,errors:m}=chunkDKLJ5DYN_js.a(t);S(e),C(m),a==null||a(t),Promise.resolve(l.current.save(t)).catch(j=>{console.warn("[ndpr-toolkit] Failed to save consent:",j);});},[a]),f=react.useCallback(t=>{let e={consents:t,timestamp:Date.now(),version:r,method:"explicit",hasInteracted:true};c(e),h(e),d(false);},[r,h]),x=react.useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=true;}),f(t);},[o,f]),I=react.useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=e.required||false;}),f(t);},[o,f]),L=react.useCallback(t=>!!(s!=null&&s.consents[t]),[s]),U=react.useCallback(()=>{c(null),d(true),S(false),C([]),Promise.resolve(l.current.remove()).catch(t=>{console.warn("[ndpr-toolkit] Failed to remove consent:",t);});},[]);return {settings:s,hasConsent:L,updateConsent:f,acceptAll:x,rejectAll:I,shouldShowBanner:y,isValid:O,validationErrors:k,resetConsent:U,isLoading:w}}exports.a=z;
+'use strict';var chunkC2KEXHRX_js=require('./chunk-C2KEXHRX.js'),chunkZVWSSXV2_js=require('./chunk-ZVWSSXV2.js'),chunkVWED6UTN_js=require('./chunk-VWED6UTN.js'),react=require('react');function F(o){if(!o)return chunkVWED6UTN_js.a("ndpr_consent");let{storageKey:n="ndpr_consent",storageType:i="localStorage"}=o;return i==="sessionStorage"?chunkC2KEXHRX_js.a(n):i==="cookie"?chunkC2KEXHRX_js.b(n,o.cookieOptions):chunkVWED6UTN_js.a(n)}function V(o,n,i,r,a,p,l){if(o){i(o);let{valid:s,errors:c}=chunkZVWSSXV2_js.a(o);r(s),a(c),p(!(s&&o.version===n));}else p(true);l(false);}function z({options:o,adapter:n,storageOptions:i,version:r="1.0",onChange:a}){let p=n!=null?n:F(i),l=react.useRef(p);l.current=p;let[s,c]=react.useState(null),[y,d]=react.useState(false),[O,S]=react.useState(false),[k,C]=react.useState([]),[w,v]=react.useState(true);react.useEffect(()=>{let t=false;try{let e=l.current.load();e instanceof Promise?e.then(m=>{t||V(m,r,c,S,C,d,v);},()=>{t||(d(!0),v(!1));}):V(e,r,c,S,C,d,v);}catch(e){t||(d(true),v(false));}return ()=>{t=true;}},[r]);let h=react.useCallback(t=>{let{valid:e,errors:m}=chunkZVWSSXV2_js.a(t);S(e),C(m),a==null||a(t),Promise.resolve(l.current.save(t)).catch(j=>{console.warn("[ndpr-toolkit] Failed to save consent:",j);});},[a]),f=react.useCallback(t=>{let e={consents:t,timestamp:Date.now(),version:r,method:"explicit",hasInteracted:true};c(e),h(e),d(false);},[r,h]),x=react.useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=true;}),f(t);},[o,f]),I=react.useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=e.required||false;}),f(t);},[o,f]),L=react.useCallback(t=>!!(s!=null&&s.consents[t]),[s]),U=react.useCallback(()=>{c(null),d(true),S(false),C([]),Promise.resolve(l.current.remove()).catch(t=>{console.warn("[ndpr-toolkit] Failed to remove consent:",t);});},[]);return {settings:s,hasConsent:L,updateConsent:f,acceptAll:x,rejectAll:I,shouldShowBanner:y,isValid:O,validationErrors:k,resetConsent:U,isLoading:w}}exports.a=z;

package/dist/chunk-H3Q3I6XC.js

@@ -0,0 +1 @@
+'use strict';var chunkVFRGCBJY_js=require('./chunk-VFRGCBJY.js'),chunk7TTXS7JX_js=require('./chunk-7TTXS7JX.js'),chunkY346CURW_js=require('./chunk-Y346CURW.js'),chunkZVWSSXV2_js=require('./chunk-ZVWSSXV2.js'),react=require('react');function h(e,o){return react.useMemo(()=>chunkY346CURW_js.a(e,o),[e,o])}function x({input:e}){let o=JSON.stringify(e);return react.useMemo(()=>chunk7TTXS7JX_js.a(e),[o])}function b(e,o){return react.useMemo(()=>chunkVFRGCBJY_js.c(e,o),[e.dataSubjectsInSixMonths,e.isDesignated,o])}function v(e,o){let[u,f]=react.useState(null),i=react.useRef(e),r=react.useRef(o);i.current=e,r.current=o;let t=react.useCallback(()=>{f(chunkZVWSSXV2_js.d(i.current,r.current));},[]);return react.useEffect(()=>{t();},[t]),{result:u,rescan:t}}function q(e,o){return react.useMemo(()=>chunkVFRGCBJY_js.d(e,o),[e.commencementDate,e.asOf,e.tier,o])}exports.a=h;exports.b=x;exports.c=b;exports.d=v;exports.e=q;

package/dist/chunk-LAAJVTUV.mjs

@@ -0,0 +1 @@
+import {c,d as d$1}from'./chunk-MGXWQW5I.mjs';import {a as a$1}from'./chunk-6A7M4CGJ.mjs';import {a}from'./chunk-WJSUVPYX.mjs';import {d}from'./chunk-675DXBED.mjs';import {useMemo,useState,useRef,useCallback,useEffect}from'react';function h(e,o){return useMemo(()=>a(e,o),[e,o])}function x({input:e}){let o=JSON.stringify(e);return useMemo(()=>a$1(e),[o])}function b(e,o){return useMemo(()=>c(e,o),[e.dataSubjectsInSixMonths,e.isDesignated,o])}function v(e,o){let[u,f]=useState(null),i=useRef(e),r=useRef(o);i.current=e,r.current=o;let t=useCallback(()=>{f(d(i.current,r.current));},[]);return useEffect(()=>{t();},[t]),{result:u,rescan:t}}function q(e,o){return useMemo(()=>d$1(e,o),[e.commencementDate,e.asOf,e.tier,o])}export{h as a,x as b,b as c,v as d,q as e};

package/dist/{chunk-PQ5IPUJN.mjs → chunk-VXLOPB33.mjs}

@@ -1 +1 @@
-import {a as a$2,b}from'./chunk-XC3DLYEG.mjs';import {a}from'./chunk-R3ZKV2J7.mjs';import {a as a$1}from'./chunk-DBZSN4WP.mjs';import {useRef,useState,useEffect,useCallback}from'react';function F(o){if(!o)return a$1("ndpr_consent");let{storageKey:n="ndpr_consent",storageType:i="localStorage"}=o;return i==="sessionStorage"?a$2(n):i==="cookie"?b(n,o.cookieOptions):a$1(n)}function V(o,n,i,r,a$1,p,l){if(o){i(o);let{valid:s,errors:c}=a(o);r(s),a$1(c),p(!(s&&o.version===n));}else p(true);l(false);}function z({options:o,adapter:n,storageOptions:i,version:r="1.0",onChange:a$1}){let p=n!=null?n:F(i),l=useRef(p);l.current=p;let[s,c]=useState(null),[y,d]=useState(false),[O,S]=useState(false),[k,C]=useState([]),[w,v]=useState(true);useEffect(()=>{let t=false;try{let e=l.current.load();e instanceof Promise?e.then(m=>{t||V(m,r,c,S,C,d,v);},()=>{t||(d(!0),v(!1));}):V(e,r,c,S,C,d,v);}catch(e){t||(d(true),v(false));}return ()=>{t=true;}},[r]);let h=useCallback(t=>{let{valid:e,errors:m}=a(t);S(e),C(m),a$1==null||a$1(t),Promise.resolve(l.current.save(t)).catch(j=>{console.warn("[ndpr-toolkit] Failed to save consent:",j);});},[a$1]),f=useCallback(t=>{let e={consents:t,timestamp:Date.now(),version:r,method:"explicit",hasInteracted:true};c(e),h(e),d(false);},[r,h]),x=useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=true;}),f(t);},[o,f]),I=useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=e.required||false;}),f(t);},[o,f]),L=useCallback(t=>!!(s!=null&&s.consents[t]),[s]),U=useCallback(()=>{c(null),d(true),S(false),C([]),Promise.resolve(l.current.remove()).catch(t=>{console.warn("[ndpr-toolkit] Failed to remove consent:",t);});},[]);return {settings:s,hasConsent:L,updateConsent:f,acceptAll:x,rejectAll:I,shouldShowBanner:y,isValid:O,validationErrors:k,resetConsent:U,isLoading:w}}export{z as a};
+import {a as a$2,b}from'./chunk-XC3DLYEG.mjs';import {a}from'./chunk-675DXBED.mjs';import {a as a$1}from'./chunk-DBZSN4WP.mjs';import {useRef,useState,useEffect,useCallback}from'react';function F(o){if(!o)return a$1("ndpr_consent");let{storageKey:n="ndpr_consent",storageType:i="localStorage"}=o;return i==="sessionStorage"?a$2(n):i==="cookie"?b(n,o.cookieOptions):a$1(n)}function V(o,n,i,r,a$1,p,l){if(o){i(o);let{valid:s,errors:c}=a(o);r(s),a$1(c),p(!(s&&o.version===n));}else p(true);l(false);}function z({options:o,adapter:n,storageOptions:i,version:r="1.0",onChange:a$1}){let p=n!=null?n:F(i),l=useRef(p);l.current=p;let[s,c]=useState(null),[y,d]=useState(false),[O,S]=useState(false),[k,C]=useState([]),[w,v]=useState(true);useEffect(()=>{let t=false;try{let e=l.current.load();e instanceof Promise?e.then(m=>{t||V(m,r,c,S,C,d,v);},()=>{t||(d(!0),v(!1));}):V(e,r,c,S,C,d,v);}catch(e){t||(d(true),v(false));}return ()=>{t=true;}},[r]);let h=useCallback(t=>{let{valid:e,errors:m}=a(t);S(e),C(m),a$1==null||a$1(t),Promise.resolve(l.current.save(t)).catch(j=>{console.warn("[ndpr-toolkit] Failed to save consent:",j);});},[a$1]),f=useCallback(t=>{let e={consents:t,timestamp:Date.now(),version:r,method:"explicit",hasInteracted:true};c(e),h(e),d(false);},[r,h]),x=useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=true;}),f(t);},[o,f]),I=useCallback(()=>{let t={};o.forEach(e=>{t[e.id]=e.required||false;}),f(t);},[o,f]),L=useCallback(t=>!!(s!=null&&s.consents[t]),[s]),U=useCallback(()=>{c(null),d(true),S(false),C([]),Promise.resolve(l.current.remove()).catch(t=>{console.warn("[ndpr-toolkit] Failed to remove consent:",t);});},[]);return {settings:s,hasConsent:L,updateConsent:f,acceptAll:x,rejectAll:I,shouldShowBanner:y,isValid:O,validationErrors:k,resetConsent:U,isLoading:w}}export{z as a};

package/dist/chunk-ZVWSSXV2.js

@@ -0,0 +1 @@
+'use strict';function S(r){let e=[];if((!r.consents||Object.keys(r.consents).length===0)&&e.push({field:"consents",code:"consents_required",message:"Consent settings must include at least one consent option"}),r.timestamp?(typeof r.timestamp!="number"||isNaN(r.timestamp))&&e.push({field:"timestamp",code:"timestamp_invalid",message:"Consent timestamp must be a valid number"}):e.push({field:"timestamp",code:"timestamp_required",message:"Consent timestamp is required"}),r.version||e.push({field:"version",code:"version_required",message:"Consent version is required"}),r.method||e.push({field:"method",code:"method_required",message:"Consent collection method is required"}),r.hasInteracted===void 0&&e.push({field:"hasInteracted",code:"has_interacted_required",message:"User interaction status is required"}),r.timestamp){let o=new Date;o.setMonth(o.getMonth()-13);let n=o.getTime();r.timestamp<n&&e.push({field:"timestamp",code:"consent_stale",message:"Consent is older than 13 months and should be refreshed"});}return e.length>0?{valid:false,errors:e}:{valid:true,errors:[],data:r}}function b(r){let e=[];return (!r||r.length===0)&&e.push({field:"options",code:"options_required",message:"At least one consent option is required"}),r==null||r.forEach((o,n)=>{(!o.purpose||o.purpose.trim()==="")&&e.push({field:`options[${n}].purpose`,code:"purpose_required",message:`Consent option "${o.id}" is missing a purpose. NDPA Section 26 requires consent to be specific to a stated purpose.`});}),e.length>0?{valid:false,errors:e}:{valid:true,errors:[],data:r}}var v=[{name:"_ga",category:"analytics",provider:"Google Analytics",purpose:"Distinguishes users"},{name:"_ga_",prefix:true,category:"analytics",provider:"Google Analytics (GA4)",purpose:"Persists session state"},{name:"_gid",category:"analytics",provider:"Google Analytics",purpose:"Distinguishes users"},{name:"_gat",prefix:true,category:"analytics",provider:"Google Analytics",purpose:"Throttles request rate"},{name:"_dc_gtm_",prefix:true,category:"analytics",provider:"Google Tag Manager",purpose:"Throttles request rate"},{name:"_gcl_",prefix:true,category:"marketing",provider:"Google Ads",purpose:"Conversion tracking"},{name:"IDE",category:"marketing",provider:"Google DoubleClick",purpose:"Ad targeting"},{name:"test_cookie",category:"marketing",provider:"Google DoubleClick",purpose:"Checks cookie support"},{name:"_fbp",category:"marketing",provider:"Meta (Facebook)",purpose:"Ad delivery and measurement"},{name:"_fbc",category:"marketing",provider:"Meta (Facebook)",purpose:"Click attribution"},{name:"fr",category:"marketing",provider:"Meta (Facebook)",purpose:"Ad delivery and measurement"},{name:"_clck",category:"analytics",provider:"Microsoft Clarity",purpose:"Session analytics"},{name:"_clsk",category:"analytics",provider:"Microsoft Clarity",purpose:"Session analytics"},{name:"_hj",prefix:true,category:"analytics",provider:"Hotjar",purpose:"Behaviour analytics"},{name:"bcookie",category:"marketing",provider:"LinkedIn",purpose:"Browser identification"},{name:"lidc",category:"marketing",provider:"LinkedIn",purpose:"Routing / ad delivery"},{name:"li_",prefix:true,category:"marketing",provider:"LinkedIn",purpose:"Ad delivery"},{name:"_ttp",category:"marketing",provider:"TikTok",purpose:"Ad measurement"},{name:"personalization_id",category:"marketing",provider:"X (Twitter)",purpose:"Ad personalisation"},{name:"guest_id",category:"marketing",provider:"X (Twitter)",purpose:"Identifies the browser"},{name:"hubspotutk",category:"marketing",provider:"HubSpot",purpose:"Visitor identification"},{name:"__hs",prefix:true,category:"analytics",provider:"HubSpot",purpose:"Analytics / session"},{name:"__stripe_mid",category:"necessary",provider:"Stripe",purpose:"Fraud prevention"},{name:"__stripe_sid",category:"necessary",provider:"Stripe",purpose:"Fraud prevention"},{name:"intercom-",prefix:true,category:"functional",provider:"Intercom",purpose:"Live chat / messaging"},{name:"ndpr_consent",category:"necessary",provider:"NDPR Toolkit",purpose:"Stores the consent decision"}];function k(r,e){return e.name instanceof RegExp?e.name.test(r):e.prefix?r.startsWith(e.name):r===e.name}function C(r){return r.split(";").map(e=>{let o=e.trim(),n=o.indexOf("=");return (n===-1?o:o.slice(0,n)).trim()}).filter(e=>e.length>0)}function A(r=[],e={}){var u,l,m,g,f,y;let o=(u=e.cookieString)!=null?u:typeof document!="undefined"?document.cookie:"",n=(l=e.asOf)!=null?l:Date.now(),h=((m=e.useKnownRegistry)!=null?m:true)?[...(g=e.knownCookies)!=null?g:[],...v]:[],a=C(o).map(t=>{let i=r.find(d=>k(t,d));if(i)return {name:t,category:i.category,matchedBy:"declared",provider:i.provider,purpose:i.purpose};let c=h.find(d=>k(t,d));return c?{name:t,category:c.category,matchedBy:"known",provider:c.provider,purpose:c.purpose}:{name:t,category:null,matchedBy:"none"}}),s={};for(let t of a){let i=(f=t.category)!=null?f:"uncategorized";((y=s[i])!=null?y:s[i]=[]).push(t);}let p=a.filter(t=>t.matchedBy!=="declared");return {scannedAt:n,total:a.length,cookies:a,declared:a.filter(t=>t.matchedBy==="declared"),undeclared:p,identified:a.filter(t=>t.matchedBy==="known"),unknown:a.filter(t=>t.matchedBy==="none"),byCategory:s,complete:p.length===0}}exports.a=S;exports.b=b;exports.c=v;exports.d=A;

package/dist/consent.d.mts

@@ -487,6 +487,44 @@ declare interface ConsentStorageProps {
     }) => React__default.ReactNode);
 }
 
+/** How a present cookie was classified. */
+export declare type CookieMatchSource = 'declared' | 'known' | 'none';
+
+export declare interface CookieScanOptions {
+    /**
+     * The cookie string to scan, in `document.cookie` form (`a=1; b=2`).
+     * Defaults to `document.cookie` in the browser, or `''` on the server.
+     */
+    cookieString?: string;
+    /** Reference timestamp (epoch ms) recorded on the result. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Extra known cookies, checked before the built-in registry (so they can override it). */
+    knownCookies?: DeclaredCookie[];
+    /** Whether to fall back to the built-in known-cookie registry for undeclared cookies. @default true */
+    useKnownRegistry?: boolean;
+}
+
+export declare interface CookieScanResult {
+    /** When the scan ran (epoch ms). */
+    scannedAt: number;
+    /** Number of cookies present. */
+    total: number;
+    /** Every present cookie, classified. */
+    cookies: ScannedCookie[];
+    /** Cookies that matched one of your declared cookies. */
+    declared: ScannedCookie[];
+    /** Cookies present but NOT in your declaration — the compliance gap. */
+    undeclared: ScannedCookie[];
+    /** Undeclared cookies the built-in registry could still identify. */
+    identified: ScannedCookie[];
+    /** Undeclared cookies that could not be identified at all. */
+    unknown: ScannedCookie[];
+    /** Present cookies grouped by resolved category; unclassified cookies go under `uncategorized`. */
+    byCategory: Record<string, ScannedCookie[]>;
+    /** True when there are no undeclared cookies. */
+    complete: boolean;
+}
+
 /**
  * Creates a new audit entry from consent settings. If `previousSettings` is
  * provided, the action is automatically determined by comparing old and new
@@ -494,6 +532,30 @@ declare interface ConsentStorageProps {
  */
 export declare function createAuditEntry(settings: ConsentSettings, previousSettings?: ConsentSettings | null, actionOverride?: ConsentAuditEntry['action']): ConsentAuditEntry;
 
+/**
+ * Cookie scanner — audits the cookies actually present in the browser against
+ * the cookies you have declared, surfacing undeclared cookies that put you out
+ * of step with your cookie notice (NDPA 2023 S.25-26 / NDPC GAID 2025 on
+ * specific, informed consent).
+ *
+ * Pure and DOM-optional: pass `cookieString` to scan an arbitrary value (a
+ * `Cookie:` header on the server, a test fixture), or call it in the browser
+ * and it reads `document.cookie`. Safe to import from a server bundle.
+ */
+/** A cookie you declare against a consent category. */
+export declare interface DeclaredCookie {
+    /** Exact cookie name, a prefix (with `prefix: true`), or a RegExp matched against the name. */
+    name: string | RegExp;
+    /** Consent category this cookie belongs to (e.g. 'necessary', 'analytics', 'marketing'). */
+    category: string;
+    /** Who sets the cookie (e.g. 'Google Analytics'). */
+    provider?: string;
+    /** What the cookie is used for — surfaced in your cookie policy. */
+    purpose?: string;
+    /** Treat a string `name` as a prefix match instead of an exact match. Ignored for RegExp names. */
+    prefix?: boolean;
+}
+
 /**
  * Retrieves the full consent audit log from localStorage.
  * Returns an empty array if no log exists or parsing fails.
@@ -502,6 +564,14 @@ export declare function createAuditEntry(settings: ConsentSettings, previousSett
  */
 export declare function getAuditLog(storageKey?: string): ConsentAuditEntry[];
 
+/**
+ * Built-in registry of widely deployed third-party cookies, so an undeclared
+ * cookie can often still be identified (provider + likely category). Override
+ * or extend via {@link CookieScanOptions.knownCookies}; categories follow the
+ * common necessary / functional / analytics / marketing taxonomy.
+ */
+export declare const KNOWN_COOKIES: DeclaredCookie[];
+
 /**
  * Lawful basis for processing personal data per NDPA Section 25(1)
  */
@@ -539,6 +609,24 @@ declare interface SaveButtonProps {
     consents?: Record<string, boolean>;
 }
 
+/**
+ * Scan the cookies present against your declared cookies and a registry of
+ * well-known third-party cookies. Returns which cookies are declared, which are
+ * undeclared (and whether they can still be identified), and a per-category view.
+ */
+export declare function scanCookies(declared?: DeclaredCookie[], options?: CookieScanOptions): CookieScanResult;
+
+export declare interface ScannedCookie {
+    /** The cookie name as found in the cookie string. */
+    name: string;
+    /** Resolved consent category, or `null` when it could not be classified. */
+    category: string | null;
+    /** Whether it matched your declaration, only the known registry, or nothing. */
+    matchedBy: CookieMatchSource;
+    provider?: string;
+    purpose?: string;
+}
+
 export declare interface StorageAdapter<T = unknown> {
     /** Load persisted data. Called once on hook mount. */
     load(): T | null | Promise<T | null>;

package/dist/consent.d.ts

@@ -487,6 +487,44 @@ declare interface ConsentStorageProps {
     }) => React__default.ReactNode);
 }
 
+/** How a present cookie was classified. */
+export declare type CookieMatchSource = 'declared' | 'known' | 'none';
+
+export declare interface CookieScanOptions {
+    /**
+     * The cookie string to scan, in `document.cookie` form (`a=1; b=2`).
+     * Defaults to `document.cookie` in the browser, or `''` on the server.
+     */
+    cookieString?: string;
+    /** Reference timestamp (epoch ms) recorded on the result. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Extra known cookies, checked before the built-in registry (so they can override it). */
+    knownCookies?: DeclaredCookie[];
+    /** Whether to fall back to the built-in known-cookie registry for undeclared cookies. @default true */
+    useKnownRegistry?: boolean;
+}
+
+export declare interface CookieScanResult {
+    /** When the scan ran (epoch ms). */
+    scannedAt: number;
+    /** Number of cookies present. */
+    total: number;
+    /** Every present cookie, classified. */
+    cookies: ScannedCookie[];
+    /** Cookies that matched one of your declared cookies. */
+    declared: ScannedCookie[];
+    /** Cookies present but NOT in your declaration — the compliance gap. */
+    undeclared: ScannedCookie[];
+    /** Undeclared cookies the built-in registry could still identify. */
+    identified: ScannedCookie[];
+    /** Undeclared cookies that could not be identified at all. */
+    unknown: ScannedCookie[];
+    /** Present cookies grouped by resolved category; unclassified cookies go under `uncategorized`. */
+    byCategory: Record<string, ScannedCookie[]>;
+    /** True when there are no undeclared cookies. */
+    complete: boolean;
+}
+
 /**
  * Creates a new audit entry from consent settings. If `previousSettings` is
  * provided, the action is automatically determined by comparing old and new
@@ -494,6 +532,30 @@ declare interface ConsentStorageProps {
  */
 export declare function createAuditEntry(settings: ConsentSettings, previousSettings?: ConsentSettings | null, actionOverride?: ConsentAuditEntry['action']): ConsentAuditEntry;
 
+/**
+ * Cookie scanner — audits the cookies actually present in the browser against
+ * the cookies you have declared, surfacing undeclared cookies that put you out
+ * of step with your cookie notice (NDPA 2023 S.25-26 / NDPC GAID 2025 on
+ * specific, informed consent).
+ *
+ * Pure and DOM-optional: pass `cookieString` to scan an arbitrary value (a
+ * `Cookie:` header on the server, a test fixture), or call it in the browser
+ * and it reads `document.cookie`. Safe to import from a server bundle.
+ */
+/** A cookie you declare against a consent category. */
+export declare interface DeclaredCookie {
+    /** Exact cookie name, a prefix (with `prefix: true`), or a RegExp matched against the name. */
+    name: string | RegExp;
+    /** Consent category this cookie belongs to (e.g. 'necessary', 'analytics', 'marketing'). */
+    category: string;
+    /** Who sets the cookie (e.g. 'Google Analytics'). */
+    provider?: string;
+    /** What the cookie is used for — surfaced in your cookie policy. */
+    purpose?: string;
+    /** Treat a string `name` as a prefix match instead of an exact match. Ignored for RegExp names. */
+    prefix?: boolean;
+}
+
 /**
  * Retrieves the full consent audit log from localStorage.
  * Returns an empty array if no log exists or parsing fails.
@@ -502,6 +564,14 @@ export declare function createAuditEntry(settings: ConsentSettings, previousSett
  */
 export declare function getAuditLog(storageKey?: string): ConsentAuditEntry[];
 
+/**
+ * Built-in registry of widely deployed third-party cookies, so an undeclared
+ * cookie can often still be identified (provider + likely category). Override
+ * or extend via {@link CookieScanOptions.knownCookies}; categories follow the
+ * common necessary / functional / analytics / marketing taxonomy.
+ */
+export declare const KNOWN_COOKIES: DeclaredCookie[];
+
 /**
  * Lawful basis for processing personal data per NDPA Section 25(1)
  */
@@ -539,6 +609,24 @@ declare interface SaveButtonProps {
     consents?: Record<string, boolean>;
 }
 
+/**
+ * Scan the cookies present against your declared cookies and a registry of
+ * well-known third-party cookies. Returns which cookies are declared, which are
+ * undeclared (and whether they can still be identified), and a per-category view.
+ */
+export declare function scanCookies(declared?: DeclaredCookie[], options?: CookieScanOptions): CookieScanResult;
+
+export declare interface ScannedCookie {
+    /** The cookie name as found in the cookie string. */
+    name: string;
+    /** Resolved consent category, or `null` when it could not be classified. */
+    category: string | null;
+    /** Whether it matched your declaration, only the known registry, or nothing. */
+    matchedBy: CookieMatchSource;
+    provider?: string;
+    purpose?: string;
+}
+
 export declare interface StorageAdapter<T = unknown> {
     /** Load persisted data. Called once on hook mount. */
     load(): T | null | Promise<T | null>;

package/dist/consent.js

@@ -1,2 +1,2 @@
 "use client";
-'use strict';var chunkSJDDNB6M_js=require('./chunk-SJDDNB6M.js'),chunkC32TMS75_js=require('./chunk-C32TMS75.js'),chunkPXUX4FYM_js=require('./chunk-PXUX4FYM.js'),chunk3IA3KDII_js=require('./chunk-3IA3KDII.js'),chunkQKXGVT2Q_js=require('./chunk-QKXGVT2Q.js');require('./chunk-L2VO3MEJ.js'),require('./chunk-C2KEXHRX.js');var chunkDKLJ5DYN_js=require('./chunk-DKLJ5DYN.js'),chunkAME4HJR4_js=require('./chunk-AME4HJR4.js');require('./chunk-I5ZDNSX5.js'),require('./chunk-7563FVMY.js'),require('./chunk-VWED6UTN.js');var chunkRFPLZDIO_js=require('./chunk-RFPLZDIO.js'),react=require('react'),jsxRuntime=require('react/jsx-runtime');var v=react.createContext(null);function p(){let t=react.useContext(v);if(!t)throw new Error("Consent compound components must be wrapped in <Consent.Provider>. Example: <Consent.Provider options={...}><Consent.Banner /></Consent.Provider>");return t}var g=({options:t,adapter:n,version:s,onChange:r,children:c})=>{let d=chunkQKXGVT2Q_js.a({options:t,adapter:n,version:s,onChange:r}),o=chunkRFPLZDIO_js.b(chunkRFPLZDIO_js.a({},d),{options:t});return jsxRuntime.jsx(v.Provider,{value:o,children:c})};var S=({classNames:t,unstyled:n})=>{let{options:s,settings:r}=p(),[c,d]=react.useState(()=>{let o={};return s.forEach(i=>{var a,_;o[i.id]=(_=(a=r==null?void 0:r.consents[i.id])!=null?a:i.defaultValue)!=null?_:false;}),o});return jsxRuntime.jsx("div",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__options-list",t==null?void 0:t.root,n),"data-ndpr-component":"consent-option-list",children:s.map(o=>jsxRuntime.jsxs("div",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__option",t==null?void 0:t.optionItem,n),children:[jsxRuntime.jsx("input",{id:`consent-${o.id}`,type:"checkbox",checked:c[o.id]||false,onChange:i=>d(a=>chunkRFPLZDIO_js.b(chunkRFPLZDIO_js.a({},a),{[o.id]:i.target.checked})),disabled:o.required,className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-checkbox",t==null?void 0:t.optionCheckbox,n),"aria-label":o.label}),jsxRuntime.jsxs("div",{className:n?"":"ndpr-consent-banner__option-text",children:[jsxRuntime.jsxs("label",{htmlFor:`consent-${o.id}`,className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-label",t==null?void 0:t.optionLabel,n),children:[o.label,o.required&&jsxRuntime.jsx("span",{className:n?"":"ndpr-consent-banner__required-marker",children:" *"})]}),jsxRuntime.jsx("p",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-description",t==null?void 0:t.optionDescription,n),children:o.description})]})]},o.id))})};var P=({children:t,className:n,unstyled:s})=>{let{acceptAll:r}=p();return jsxRuntime.jsx("button",{onClick:r,className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-accept-button",children:t!=null?t:"Accept All"})};var R=({children:t,className:n,unstyled:s})=>{let{rejectAll:r}=p();return jsxRuntime.jsx("button",{onClick:r,className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--secondary",n,s),"data-ndpr-component":"consent-reject-button",children:t!=null?t:"Reject All"})};var y=({children:t,className:n,unstyled:s,consents:r})=>{let{updateConsent:c,options:d}=p();return jsxRuntime.jsx("button",{onClick:()=>{if(r)c(r);else {let i={};d.forEach(a=>{i[a.id]=a.required||false;}),c(i);}},className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-save-button",children:t!=null?t:"Save Preferences"})};var I={Provider:g,OptionList:S,AcceptButton:P,RejectButton:R,SaveButton:y,Banner:chunkPXUX4FYM_js.a,Settings:chunkC32TMS75_js.a,Storage:chunkSJDDNB6M_js.a};Object.defineProperty(exports,"ConsentStorage",{enumerable:true,get:function(){return chunkSJDDNB6M_js.a}});Object.defineProperty(exports,"ConsentManager",{enumerable:true,get:function(){return chunkC32TMS75_js.a}});Object.defineProperty(exports,"ConsentBanner",{enumerable:true,get:function(){return chunkPXUX4FYM_js.a}});Object.defineProperty(exports,"appendAuditEntry",{enumerable:true,get:function(){return chunk3IA3KDII_js.c}});Object.defineProperty(exports,"createAuditEntry",{enumerable:true,get:function(){return chunk3IA3KDII_js.a}});Object.defineProperty(exports,"getAuditLog",{enumerable:true,get:function(){return chunk3IA3KDII_js.b}});Object.defineProperty(exports,"useConsent",{enumerable:true,get:function(){return chunkQKXGVT2Q_js.a}});Object.defineProperty(exports,"validateConsentOptionsStructured",{enumerable:true,get:function(){return chunkDKLJ5DYN_js.b}});Object.defineProperty(exports,"validateConsentStructured",{enumerable:true,get:function(){return chunkDKLJ5DYN_js.a}});Object.defineProperty(exports,"resolveClass",{enumerable:true,get:function(){return chunkAME4HJR4_js.a}});exports.Consent=I;exports.ConsentAcceptButton=P;exports.ConsentOptionList=S;exports.ConsentProvider=g;exports.ConsentRejectButton=R;exports.ConsentSaveButton=y;exports.useConsentCompound=p;
+'use strict';var chunkSJDDNB6M_js=require('./chunk-SJDDNB6M.js'),chunkC32TMS75_js=require('./chunk-C32TMS75.js'),chunkPXUX4FYM_js=require('./chunk-PXUX4FYM.js'),chunk3IA3KDII_js=require('./chunk-3IA3KDII.js'),chunkGJH7YFBO_js=require('./chunk-GJH7YFBO.js');require('./chunk-L2VO3MEJ.js'),require('./chunk-C2KEXHRX.js');var chunkZVWSSXV2_js=require('./chunk-ZVWSSXV2.js'),chunkAME4HJR4_js=require('./chunk-AME4HJR4.js');require('./chunk-I5ZDNSX5.js'),require('./chunk-7563FVMY.js'),require('./chunk-VWED6UTN.js');var chunkRFPLZDIO_js=require('./chunk-RFPLZDIO.js'),react=require('react'),jsxRuntime=require('react/jsx-runtime');var v=react.createContext(null);function p(){let t=react.useContext(v);if(!t)throw new Error("Consent compound components must be wrapped in <Consent.Provider>. Example: <Consent.Provider options={...}><Consent.Banner /></Consent.Provider>");return t}var g=({options:t,adapter:n,version:s,onChange:r,children:c})=>{let d=chunkGJH7YFBO_js.a({options:t,adapter:n,version:s,onChange:r}),o=chunkRFPLZDIO_js.b(chunkRFPLZDIO_js.a({},d),{options:t});return jsxRuntime.jsx(v.Provider,{value:o,children:c})};var B=({classNames:t,unstyled:n})=>{let{options:s,settings:r}=p(),[c,d]=react.useState(()=>{let o={};return s.forEach(i=>{var a,_;o[i.id]=(_=(a=r==null?void 0:r.consents[i.id])!=null?a:i.defaultValue)!=null?_:false;}),o});return jsxRuntime.jsx("div",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__options-list",t==null?void 0:t.root,n),"data-ndpr-component":"consent-option-list",children:s.map(o=>jsxRuntime.jsxs("div",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__option",t==null?void 0:t.optionItem,n),children:[jsxRuntime.jsx("input",{id:`consent-${o.id}`,type:"checkbox",checked:c[o.id]||false,onChange:i=>d(a=>chunkRFPLZDIO_js.b(chunkRFPLZDIO_js.a({},a),{[o.id]:i.target.checked})),disabled:o.required,className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-checkbox",t==null?void 0:t.optionCheckbox,n),"aria-label":o.label}),jsxRuntime.jsxs("div",{className:n?"":"ndpr-consent-banner__option-text",children:[jsxRuntime.jsxs("label",{htmlFor:`consent-${o.id}`,className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-label",t==null?void 0:t.optionLabel,n),children:[o.label,o.required&&jsxRuntime.jsx("span",{className:n?"":"ndpr-consent-banner__required-marker",children:" *"})]}),jsxRuntime.jsx("p",{className:chunkAME4HJR4_js.a("ndpr-consent-banner__option-description",t==null?void 0:t.optionDescription,n),children:o.description})]})]},o.id))})};var R=({children:t,className:n,unstyled:s})=>{let{acceptAll:r}=p();return jsxRuntime.jsx("button",{onClick:r,className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-accept-button",children:t!=null?t:"Accept All"})};var P=({children:t,className:n,unstyled:s})=>{let{rejectAll:r}=p();return jsxRuntime.jsx("button",{onClick:r,className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--secondary",n,s),"data-ndpr-component":"consent-reject-button",children:t!=null?t:"Reject All"})};var y=({children:t,className:n,unstyled:s,consents:r})=>{let{updateConsent:c,options:d}=p();return jsxRuntime.jsx("button",{onClick:()=>{if(r)c(r);else {let i={};d.forEach(a=>{i[a.id]=a.required||false;}),c(i);}},className:chunkAME4HJR4_js.a("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-save-button",children:t!=null?t:"Save Preferences"})};var K={Provider:g,OptionList:B,AcceptButton:R,RejectButton:P,SaveButton:y,Banner:chunkPXUX4FYM_js.a,Settings:chunkC32TMS75_js.a,Storage:chunkSJDDNB6M_js.a};Object.defineProperty(exports,"ConsentStorage",{enumerable:true,get:function(){return chunkSJDDNB6M_js.a}});Object.defineProperty(exports,"ConsentManager",{enumerable:true,get:function(){return chunkC32TMS75_js.a}});Object.defineProperty(exports,"ConsentBanner",{enumerable:true,get:function(){return chunkPXUX4FYM_js.a}});Object.defineProperty(exports,"appendAuditEntry",{enumerable:true,get:function(){return chunk3IA3KDII_js.c}});Object.defineProperty(exports,"createAuditEntry",{enumerable:true,get:function(){return chunk3IA3KDII_js.a}});Object.defineProperty(exports,"getAuditLog",{enumerable:true,get:function(){return chunk3IA3KDII_js.b}});Object.defineProperty(exports,"useConsent",{enumerable:true,get:function(){return chunkGJH7YFBO_js.a}});Object.defineProperty(exports,"KNOWN_COOKIES",{enumerable:true,get:function(){return chunkZVWSSXV2_js.c}});Object.defineProperty(exports,"scanCookies",{enumerable:true,get:function(){return chunkZVWSSXV2_js.d}});Object.defineProperty(exports,"validateConsentOptionsStructured",{enumerable:true,get:function(){return chunkZVWSSXV2_js.b}});Object.defineProperty(exports,"validateConsentStructured",{enumerable:true,get:function(){return chunkZVWSSXV2_js.a}});Object.defineProperty(exports,"resolveClass",{enumerable:true,get:function(){return chunkAME4HJR4_js.a}});exports.Consent=K;exports.ConsentAcceptButton=R;exports.ConsentOptionList=B;exports.ConsentProvider=g;exports.ConsentRejectButton=P;exports.ConsentSaveButton=y;exports.useConsentCompound=p;

package/dist/consent.mjs

@@ -1,2 +1,2 @@
 "use client";
-import {a}from'./chunk-XOH4WXOZ.mjs';export{a as ConsentStorage}from'./chunk-XOH4WXOZ.mjs';import {a as a$1}from'./chunk-CNCEP66F.mjs';export{a as ConsentManager}from'./chunk-CNCEP66F.mjs';import {a as a$2}from'./chunk-HMKXK23C.mjs';export{a as ConsentBanner}from'./chunk-HMKXK23C.mjs';export{c as appendAuditEntry,a as createAuditEntry,b as getAuditLog}from'./chunk-V7UFP6QU.mjs';import {a as a$3}from'./chunk-PQ5IPUJN.mjs';export{a as useConsent}from'./chunk-PQ5IPUJN.mjs';import'./chunk-YTU4FNM2.mjs';import'./chunk-XC3DLYEG.mjs';export{b as validateConsentOptionsStructured,a as validateConsentStructured}from'./chunk-R3ZKV2J7.mjs';import {a as a$5}from'./chunk-SFGW37LE.mjs';export{a as resolveClass}from'./chunk-SFGW37LE.mjs';import'./chunk-PHA3YMFO.mjs';import'./chunk-5LJ652AH.mjs';import'./chunk-DBZSN4WP.mjs';import {b,a as a$4}from'./chunk-ZJYULEER.mjs';import {createContext,useContext,useState}from'react';import {jsx,jsxs}from'react/jsx-runtime';var v=createContext(null);function p(){let t=useContext(v);if(!t)throw new Error("Consent compound components must be wrapped in <Consent.Provider>. Example: <Consent.Provider options={...}><Consent.Banner /></Consent.Provider>");return t}var g=({options:t,adapter:n,version:s,onChange:r,children:c})=>{let d=a$3({options:t,adapter:n,version:s,onChange:r}),o=b(a$4({},d),{options:t});return jsx(v.Provider,{value:o,children:c})};var S=({classNames:t,unstyled:n})=>{let{options:s,settings:r}=p(),[c,d]=useState(()=>{let o={};return s.forEach(i=>{var a,_;o[i.id]=(_=(a=r==null?void 0:r.consents[i.id])!=null?a:i.defaultValue)!=null?_:false;}),o});return jsx("div",{className:a$5("ndpr-consent-banner__options-list",t==null?void 0:t.root,n),"data-ndpr-component":"consent-option-list",children:s.map(o=>jsxs("div",{className:a$5("ndpr-consent-banner__option",t==null?void 0:t.optionItem,n),children:[jsx("input",{id:`consent-${o.id}`,type:"checkbox",checked:c[o.id]||false,onChange:i=>d(a=>b(a$4({},a),{[o.id]:i.target.checked})),disabled:o.required,className:a$5("ndpr-consent-banner__option-checkbox",t==null?void 0:t.optionCheckbox,n),"aria-label":o.label}),jsxs("div",{className:n?"":"ndpr-consent-banner__option-text",children:[jsxs("label",{htmlFor:`consent-${o.id}`,className:a$5("ndpr-consent-banner__option-label",t==null?void 0:t.optionLabel,n),children:[o.label,o.required&&jsx("span",{className:n?"":"ndpr-consent-banner__required-marker",children:" *"})]}),jsx("p",{className:a$5("ndpr-consent-banner__option-description",t==null?void 0:t.optionDescription,n),children:o.description})]})]},o.id))})};var P=({children:t,className:n,unstyled:s})=>{let{acceptAll:r}=p();return jsx("button",{onClick:r,className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-accept-button",children:t!=null?t:"Accept All"})};var R=({children:t,className:n,unstyled:s})=>{let{rejectAll:r}=p();return jsx("button",{onClick:r,className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--secondary",n,s),"data-ndpr-component":"consent-reject-button",children:t!=null?t:"Reject All"})};var y=({children:t,className:n,unstyled:s,consents:r})=>{let{updateConsent:c,options:d}=p();return jsx("button",{onClick:()=>{if(r)c(r);else {let i={};d.forEach(a=>{i[a.id]=a.required||false;}),c(i);}},className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-save-button",children:t!=null?t:"Save Preferences"})};var I={Provider:g,OptionList:S,AcceptButton:P,RejectButton:R,SaveButton:y,Banner:a$2,Settings:a$1,Storage:a};export{I as Consent,P as ConsentAcceptButton,S as ConsentOptionList,g as ConsentProvider,R as ConsentRejectButton,y as ConsentSaveButton,p as useConsentCompound};
+import {a}from'./chunk-XOH4WXOZ.mjs';export{a as ConsentStorage}from'./chunk-XOH4WXOZ.mjs';import {a as a$1}from'./chunk-CNCEP66F.mjs';export{a as ConsentManager}from'./chunk-CNCEP66F.mjs';import {a as a$2}from'./chunk-HMKXK23C.mjs';export{a as ConsentBanner}from'./chunk-HMKXK23C.mjs';export{c as appendAuditEntry,a as createAuditEntry,b as getAuditLog}from'./chunk-V7UFP6QU.mjs';import {a as a$3}from'./chunk-VXLOPB33.mjs';export{a as useConsent}from'./chunk-VXLOPB33.mjs';import'./chunk-YTU4FNM2.mjs';import'./chunk-XC3DLYEG.mjs';export{c as KNOWN_COOKIES,d as scanCookies,b as validateConsentOptionsStructured,a as validateConsentStructured}from'./chunk-675DXBED.mjs';import {a as a$5}from'./chunk-SFGW37LE.mjs';export{a as resolveClass}from'./chunk-SFGW37LE.mjs';import'./chunk-PHA3YMFO.mjs';import'./chunk-5LJ652AH.mjs';import'./chunk-DBZSN4WP.mjs';import {b,a as a$4}from'./chunk-ZJYULEER.mjs';import {createContext,useContext,useState}from'react';import {jsx,jsxs}from'react/jsx-runtime';var v=createContext(null);function p(){let t=useContext(v);if(!t)throw new Error("Consent compound components must be wrapped in <Consent.Provider>. Example: <Consent.Provider options={...}><Consent.Banner /></Consent.Provider>");return t}var g=({options:t,adapter:n,version:s,onChange:r,children:c})=>{let d=a$3({options:t,adapter:n,version:s,onChange:r}),o=b(a$4({},d),{options:t});return jsx(v.Provider,{value:o,children:c})};var B=({classNames:t,unstyled:n})=>{let{options:s,settings:r}=p(),[c,d]=useState(()=>{let o={};return s.forEach(i=>{var a,_;o[i.id]=(_=(a=r==null?void 0:r.consents[i.id])!=null?a:i.defaultValue)!=null?_:false;}),o});return jsx("div",{className:a$5("ndpr-consent-banner__options-list",t==null?void 0:t.root,n),"data-ndpr-component":"consent-option-list",children:s.map(o=>jsxs("div",{className:a$5("ndpr-consent-banner__option",t==null?void 0:t.optionItem,n),children:[jsx("input",{id:`consent-${o.id}`,type:"checkbox",checked:c[o.id]||false,onChange:i=>d(a=>b(a$4({},a),{[o.id]:i.target.checked})),disabled:o.required,className:a$5("ndpr-consent-banner__option-checkbox",t==null?void 0:t.optionCheckbox,n),"aria-label":o.label}),jsxs("div",{className:n?"":"ndpr-consent-banner__option-text",children:[jsxs("label",{htmlFor:`consent-${o.id}`,className:a$5("ndpr-consent-banner__option-label",t==null?void 0:t.optionLabel,n),children:[o.label,o.required&&jsx("span",{className:n?"":"ndpr-consent-banner__required-marker",children:" *"})]}),jsx("p",{className:a$5("ndpr-consent-banner__option-description",t==null?void 0:t.optionDescription,n),children:o.description})]})]},o.id))})};var R=({children:t,className:n,unstyled:s})=>{let{acceptAll:r}=p();return jsx("button",{onClick:r,className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-accept-button",children:t!=null?t:"Accept All"})};var P=({children:t,className:n,unstyled:s})=>{let{rejectAll:r}=p();return jsx("button",{onClick:r,className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--secondary",n,s),"data-ndpr-component":"consent-reject-button",children:t!=null?t:"Reject All"})};var y=({children:t,className:n,unstyled:s,consents:r})=>{let{updateConsent:c,options:d}=p();return jsx("button",{onClick:()=>{if(r)c(r);else {let i={};d.forEach(a=>{i[a.id]=a.required||false;}),c(i);}},className:a$5("ndpr-consent-banner__button ndpr-consent-banner__button--primary",n,s),"data-ndpr-component":"consent-save-button",children:t!=null?t:"Save Preferences"})};var K={Provider:g,OptionList:B,AcceptButton:R,RejectButton:P,SaveButton:y,Banner:a$2,Settings:a$1,Storage:a};export{K as Consent,R as ConsentAcceptButton,B as ConsentOptionList,g as ConsentProvider,P as ConsentRejectButton,y as ConsentSaveButton,p as useConsentCompound};

package/dist/core.d.mts

@@ -615,6 +615,44 @@ export declare interface ConsentStorageOptions {
     };
 }
 
+/** How a present cookie was classified. */
+export declare type CookieMatchSource = 'declared' | 'known' | 'none';
+
+export declare interface CookieScanOptions {
+    /**
+     * The cookie string to scan, in `document.cookie` form (`a=1; b=2`).
+     * Defaults to `document.cookie` in the browser, or `''` on the server.
+     */
+    cookieString?: string;
+    /** Reference timestamp (epoch ms) recorded on the result. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Extra known cookies, checked before the built-in registry (so they can override it). */
+    knownCookies?: DeclaredCookie[];
+    /** Whether to fall back to the built-in known-cookie registry for undeclared cookies. @default true */
+    useKnownRegistry?: boolean;
+}
+
+export declare interface CookieScanResult {
+    /** When the scan ran (epoch ms). */
+    scannedAt: number;
+    /** Number of cookies present. */
+    total: number;
+    /** Every present cookie, classified. */
+    cookies: ScannedCookie[];
+    /** Cookies that matched one of your declared cookies. */
+    declared: ScannedCookie[];
+    /** Cookies present but NOT in your declaration — the compliance gap. */
+    undeclared: ScannedCookie[];
+    /** Undeclared cookies the built-in registry could still identify. */
+    identified: ScannedCookie[];
+    /** Undeclared cookies that could not be identified at all. */
+    unknown: ScannedCookie[];
+    /** Present cookies grouped by resolved category; unclassified cookies go under `uncategorized`. */
+    byCategory: Record<string, ScannedCookie[]>;
+    /** True when there are no undeclared cookies. */
+    complete: boolean;
+}
+
 /**
  * Creates a new audit entry from consent settings. If `previousSettings` is
  * provided, the action is automatically determined by comparing old and new
@@ -828,6 +866,30 @@ export declare interface DCPMIThresholds {
  */
 export declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
 
+/**
+ * Cookie scanner — audits the cookies actually present in the browser against
+ * the cookies you have declared, surfacing undeclared cookies that put you out
+ * of step with your cookie notice (NDPA 2023 S.25-26 / NDPC GAID 2025 on
+ * specific, informed consent).
+ *
+ * Pure and DOM-optional: pass `cookieString` to scan an arbitrary value (a
+ * `Cookie:` header on the server, a test fixture), or call it in the browser
+ * and it reads `document.cookie`. Safe to import from a server bundle.
+ */
+/** A cookie you declare against a consent category. */
+export declare interface DeclaredCookie {
+    /** Exact cookie name, a prefix (with `prefix: true`), or a RegExp matched against the name. */
+    name: string | RegExp;
+    /** Consent category this cookie belongs to (e.g. 'necessary', 'analytics', 'marketing'). */
+    category: string;
+    /** Who sets the cookie (e.g. 'Google Analytics'). */
+    provider?: string;
+    /** What the cookie is used for — surfaced in your cookie policy. */
+    purpose?: string;
+    /** Treat a string `name` as a prefix match instead of an exact match. Ignored for RegExp names. */
+    prefix?: boolean;
+}
+
 /** September 2025 GAID baseline annual fees (NGN). */
 export declare const DEFAULT_DCPMI_FEES_NGN: DCPMIFees;
 
@@ -1323,6 +1385,14 @@ declare type Industry = 'fintech' | 'healthcare' | 'ecommerce' | 'saas' | 'educa
  */
 export declare function isNDPCApprovalRequired(mechanism: TransferMechanism): boolean;
 
+/**
+ * Built-in registry of widely deployed third-party cookies, so an undeclared
+ * cookie can often still be identified (provider + likely category). Override
+ * or extend via {@link CookieScanOptions.knownCookies}; categories follow the
+ * common necessary / functional / analytics / marketing taxonomy.
+ */
+export declare const KNOWN_COOKIES: DeclaredCookie[];
+
 /**
  * Lawful Basis types aligned with NDPA 2023 Part III (Sections 24-28)
  * Every processing activity must have a documented lawful basis
@@ -2330,6 +2400,24 @@ export declare function runNdprAudit(input: NdprAuditInput, options?: NdprAuditO
  */
 export declare function sanitizeInput(input: string): string;
 
+/**
+ * Scan the cookies present against your declared cookies and a registry of
+ * well-known third-party cookies. Returns which cookies are declared, which are
+ * undeclared (and whether they can still be identified), and a per-category view.
+ */
+export declare function scanCookies(declared?: DeclaredCookie[], options?: CookieScanOptions): CookieScanResult;
+
+export declare interface ScannedCookie {
+    /** The cookie name as found in the cookie string. */
+    name: string;
+    /** Resolved consent category, or `null` when it could not be classified. */
+    category: string | null;
+    /** Whether it matched your declaration, only the known registry, or nothing. */
+    matchedBy: CookieMatchSource;
+    provider?: string;
+    purpose?: string;
+}
+
 /**
  * Additional conditions required for processing sensitive personal data
  * per NDPA Section 30

package/dist/core.d.ts

@@ -615,6 +615,44 @@ export declare interface ConsentStorageOptions {
     };
 }
 
+/** How a present cookie was classified. */
+export declare type CookieMatchSource = 'declared' | 'known' | 'none';
+
+export declare interface CookieScanOptions {
+    /**
+     * The cookie string to scan, in `document.cookie` form (`a=1; b=2`).
+     * Defaults to `document.cookie` in the browser, or `''` on the server.
+     */
+    cookieString?: string;
+    /** Reference timestamp (epoch ms) recorded on the result. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Extra known cookies, checked before the built-in registry (so they can override it). */
+    knownCookies?: DeclaredCookie[];
+    /** Whether to fall back to the built-in known-cookie registry for undeclared cookies. @default true */
+    useKnownRegistry?: boolean;
+}
+
+export declare interface CookieScanResult {
+    /** When the scan ran (epoch ms). */
+    scannedAt: number;
+    /** Number of cookies present. */
+    total: number;
+    /** Every present cookie, classified. */
+    cookies: ScannedCookie[];
+    /** Cookies that matched one of your declared cookies. */
+    declared: ScannedCookie[];
+    /** Cookies present but NOT in your declaration — the compliance gap. */
+    undeclared: ScannedCookie[];
+    /** Undeclared cookies the built-in registry could still identify. */
+    identified: ScannedCookie[];
+    /** Undeclared cookies that could not be identified at all. */
+    unknown: ScannedCookie[];
+    /** Present cookies grouped by resolved category; unclassified cookies go under `uncategorized`. */
+    byCategory: Record<string, ScannedCookie[]>;
+    /** True when there are no undeclared cookies. */
+    complete: boolean;
+}
+
 /**
  * Creates a new audit entry from consent settings. If `previousSettings` is
  * provided, the action is automatically determined by comparing old and new
@@ -828,6 +866,30 @@ export declare interface DCPMIThresholds {
  */
 export declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
 
+/**
+ * Cookie scanner — audits the cookies actually present in the browser against
+ * the cookies you have declared, surfacing undeclared cookies that put you out
+ * of step with your cookie notice (NDPA 2023 S.25-26 / NDPC GAID 2025 on
+ * specific, informed consent).
+ *
+ * Pure and DOM-optional: pass `cookieString` to scan an arbitrary value (a
+ * `Cookie:` header on the server, a test fixture), or call it in the browser
+ * and it reads `document.cookie`. Safe to import from a server bundle.
+ */
+/** A cookie you declare against a consent category. */
+export declare interface DeclaredCookie {
+    /** Exact cookie name, a prefix (with `prefix: true`), or a RegExp matched against the name. */
+    name: string | RegExp;
+    /** Consent category this cookie belongs to (e.g. 'necessary', 'analytics', 'marketing'). */
+    category: string;
+    /** Who sets the cookie (e.g. 'Google Analytics'). */
+    provider?: string;
+    /** What the cookie is used for — surfaced in your cookie policy. */
+    purpose?: string;
+    /** Treat a string `name` as a prefix match instead of an exact match. Ignored for RegExp names. */
+    prefix?: boolean;
+}
+
 /** September 2025 GAID baseline annual fees (NGN). */
 export declare const DEFAULT_DCPMI_FEES_NGN: DCPMIFees;
 
@@ -1323,6 +1385,14 @@ declare type Industry = 'fintech' | 'healthcare' | 'ecommerce' | 'saas' | 'educa
  */
 export declare function isNDPCApprovalRequired(mechanism: TransferMechanism): boolean;
 
+/**
+ * Built-in registry of widely deployed third-party cookies, so an undeclared
+ * cookie can often still be identified (provider + likely category). Override
+ * or extend via {@link CookieScanOptions.knownCookies}; categories follow the
+ * common necessary / functional / analytics / marketing taxonomy.
+ */
+export declare const KNOWN_COOKIES: DeclaredCookie[];
+
 /**
  * Lawful Basis types aligned with NDPA 2023 Part III (Sections 24-28)
  * Every processing activity must have a documented lawful basis
@@ -2330,6 +2400,24 @@ export declare function runNdprAudit(input: NdprAuditInput, options?: NdprAuditO
  */
 export declare function sanitizeInput(input: string): string;
 
+/**
+ * Scan the cookies present against your declared cookies and a registry of
+ * well-known third-party cookies. Returns which cookies are declared, which are
+ * undeclared (and whether they can still be identified), and a per-category view.
+ */
+export declare function scanCookies(declared?: DeclaredCookie[], options?: CookieScanOptions): CookieScanResult;
+
+export declare interface ScannedCookie {
+    /** The cookie name as found in the cookie string. */
+    name: string;
+    /** Resolved consent category, or `null` when it could not be classified. */
+    category: string | null;
+    /** Whether it matched your declaration, only the known registry, or nothing. */
+    matchedBy: CookieMatchSource;
+    provider?: string;
+    purpose?: string;
+}
+
 /**
  * Additional conditions required for processing sensitive personal data
  * per NDPA Section 30