consent-engine 0.1.0__py3-none-any.whl

consent_engine/__init__.py

@@ -0,0 +1,11 @@
+"""consent-engine — forensic consent compliance audit engine.
+
+Public package surface:
+- consent_engine.cli            CLI entrypoint (`consent-engine audit ...`)
+- consent_engine.mcp_server     MCP server entrypoint (`consent-engine-mcp`)
+- consent_engine.tools.*        Eight deterministic audit tools
+- consent_engine.models.*       Pydantic models (AuditResult, ScanResult, ...)
+- consent_engine.llm.client     LiteLLM-wrapped chat surface (agentic layer)
+"""
+
+__version__ = "0.1.0"

consent_engine/api.py

@@ -0,0 +1,83 @@
+"""Stripped FastAPI surface for the public consent-engine.
+
+Single endpoint: POST /audit
+  - Accepts { "url": "https://example.com" }
+  - Returns the audit_result.json contents inline + a link to the report
+    bundle on disk (relative path).
+
+For the full async / job-queue flow the private business app uses, fork this
+file. This public version is deliberately small and synchronous so it's easy
+to read.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+from fastapi import FastAPI, HTTPException
+from pydantic import BaseModel, HttpUrl
+
+from consent_engine import __version__
+
+app = FastAPI(
+    title="consent-engine",
+    version=__version__,
+    description="Forensic consent compliance audit engine.",
+)
+
+
+class AuditRequest(BaseModel):
+    url: HttpUrl
+
+
+@app.get("/healthz")
+def healthz() -> dict[str, str]:
+    return {"status": "ok", "version": __version__}
+
+
+@app.post("/audit")
+async def audit(req: AuditRequest) -> dict:
+    """Run a full audit and return the structured result inline.
+
+    For long-running jobs swap this for an async job-queue (BackgroundTasks
+    or a real queue like Celery/Arq).
+    """
+    from consent_engine.tools.tool_02_violation_classifier import classify
+    from consent_engine.tools.tool_03_browser_scanner import scan_page
+    from consent_engine.tools.tool_08_report_generator import generate_report
+
+    try:
+        scan = await scan_page(url=str(req.url))
+    except Exception as e:                                       # noqa: BLE001
+        raise HTTPException(status_code=502, detail=f"scan failed: {e}") from e
+
+    audit_result = classify(scan)
+
+    out_dir = Path("./out") / audit_result.audit_id
+    out_dir.mkdir(parents=True, exist_ok=True)
+    with (out_dir / "evidence.jsonl").open("w") as f:
+        for r in scan.network_requests:
+            f.write(json.dumps(r.model_dump(mode="json"), default=str) + "\n")
+    report_html, deck_md = generate_report(audit_result)
+    (out_dir / "report.html").write_text(report_html)
+    (out_dir / "deck.marp.md").write_text(deck_md)
+    (out_dir / "audit_result.json").write_text(
+        json.dumps(audit_result.model_dump(mode="json"), indent=2, default=str)
+    )
+
+    return {
+        "audit_id": audit_result.audit_id,
+        "bundle": str(out_dir),
+        "result": audit_result.model_dump(mode="json"),
+    }
+
+
+def cli() -> None:
+    """`uvicorn` entrypoint for the FastAPI surface."""
+    import uvicorn
+    uvicorn.run("consent_engine.api:app", host="0.0.0.0", port=8080, reload=False)
+
+
+if __name__ == "__main__":                                        # pragma: no cover
+    cli()

consent_engine/cli.py

@@ -0,0 +1,133 @@
+"""consent-engine CLI.
+
+Usage:
+    consent-engine audit <url> [--output-dir DIR] [--gtm-json PATH] [--har PATH]
+    consent-engine chat <audit_id>
+    consent-engine version
+
+The `audit` command writes a full audit bundle (report.html, audit_result.json,
+evidence.jsonl, deck.marp.md) to ./out/<audit_id>/.
+
+The `chat` command opens a per-audit Claude conversation grounded in the
+captured evidence + audit result + wiki context cited by the audit. Closing
+the loop on Fred Pike's glass-box principle.
+"""
+
+from __future__ import annotations
+
+import argparse
+import asyncio
+import json
+import sys
+from pathlib import Path
+
+from consent_engine import __version__
+
+
+def _audit_command(args: argparse.Namespace) -> int:
+    """Run an audit against a URL. Writes the bundle to out/<audit_id>/."""
+    # Lazy imports so `--help` doesn't trigger Playwright load.
+    from consent_engine.tools.tool_02_violation_classifier import classify
+    from consent_engine.tools.tool_03_browser_scanner import scan_page
+    from consent_engine.tools.tool_08_report_generator import generate_report
+
+    url = args.url
+    out_dir = Path(args.output_dir or "./out")
+    out_dir.mkdir(parents=True, exist_ok=True)
+
+    print(f"[1/4] Scanning {url} …", flush=True)
+    scan_result = asyncio.run(scan_page(url=url))
+
+    print("[2/4] Classifying violations …", flush=True)
+    audit_result = classify(scan_result)
+
+    audit_dir = out_dir / audit_result.audit_id
+    audit_dir.mkdir(parents=True, exist_ok=True)
+
+    # Persist the network evidence per Fred Pike's "glass box" pattern —
+    # every captured request goes to evidence.jsonl, audit-scoped.
+    print("[3/4] Writing evidence log …", flush=True)
+    with (audit_dir / "evidence.jsonl").open("w") as f:
+        for req in scan_result.network_requests:
+            f.write(json.dumps(req.model_dump(mode="json"), default=str) + "\n")
+
+    print("[4/4] Generating report + deck …", flush=True)
+    report_html, deck_md = generate_report(audit_result)
+    (audit_dir / "report.html").write_text(report_html)
+    (audit_dir / "deck.marp.md").write_text(deck_md)
+    (audit_dir / "audit_result.json").write_text(
+        json.dumps(audit_result.model_dump(mode="json"), indent=2, default=str)
+    )
+
+    print()
+    print(f"Audit complete: {audit_dir}")
+    print(f"  Report:    {audit_dir / 'report.html'}")
+    print(f"  Deck:      {audit_dir / 'deck.marp.md'}")
+    print(f"  Evidence:  {audit_dir / 'evidence.jsonl'}")
+    print(f"  Findings:  {len(audit_result.violations)} violation(s), "
+          f"{len(audit_result.warnings)} warning(s)")
+    return 0
+
+
+def _chat_command(args: argparse.Namespace) -> int:
+    """Open a Claude conversation grounded in a completed audit."""
+    audit_dir = Path("./out") / args.audit_id
+    if not audit_dir.exists():
+        print(f"error: no audit bundle at {audit_dir}", file=sys.stderr)
+        return 1
+
+    try:
+        from consent_engine.llm.client import chat_with_context
+    except ImportError:
+        print("error: chat requires `pip install consent-engine[chat]`", file=sys.stderr)
+        return 1
+
+    audit = json.loads((audit_dir / "audit_result.json").read_text())
+    evidence_lines = (audit_dir / "evidence.jsonl").read_text().splitlines()
+
+    print(f"Loaded audit {args.audit_id}. {len(evidence_lines)} network "
+          f"events captured. Type 'exit' to quit.\n")
+
+    while True:
+        try:
+            question = input("you> ").strip()
+        except (EOFError, KeyboardInterrupt):
+            print()
+            return 0
+        if not question or question.lower() in {"exit", "quit"}:
+            return 0
+        answer = chat_with_context(
+            question=question,
+            audit_result=audit,
+            evidence=evidence_lines,
+        )
+        print(f"claude> {answer}\n")
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(
+        prog="consent-engine",
+        description="Forensic consent compliance audit engine.",
+    )
+    sub = parser.add_subparsers(dest="command", required=True)
+
+    p_audit = sub.add_parser("audit", help="Run an audit against a URL.")
+    p_audit.add_argument("url", help="The URL to audit.")
+    p_audit.add_argument("--output-dir", help="Output directory (default: ./out).")
+    p_audit.add_argument("--gtm-json", help="Optional GTM container JSON export.")
+    p_audit.add_argument("--har", help="Optional HAR file.")
+    p_audit.set_defaults(func=_audit_command)
+
+    p_chat = sub.add_parser("chat", help="Chat over a completed audit.")
+    p_chat.add_argument("audit_id", help="Audit ID (the directory name under ./out/).")
+    p_chat.set_defaults(func=_chat_command)
+
+    p_ver = sub.add_parser("version", help="Print version + exit.")
+    p_ver.set_defaults(func=lambda _: (print(f"consent-engine {__version__}"), 0)[1])
+
+    args = parser.parse_args(argv)
+    return args.func(args)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

consent_engine/config.py

@@ -0,0 +1,37 @@
+from functools import lru_cache
+
+from pydantic import field_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class Settings(BaseSettings):
+    model_config = SettingsConfigDict(env_file=".env", env_file_encoding="utf-8", extra="ignore")
+
+    # LLM
+    anthropic_api_key: str | None = None
+    default_audit_model: str = "vertex_ai/gemini-2.5-pro"
+    default_classify_model: str = "vertex_ai/gemini-2.5-flash"
+
+    # Gemini / Vertex AI
+    gemini_api_key: str | None = None
+    vertex_project: str | None = None  # GCP project ID for Vertex AI
+    vertex_location: str = "us-central1"
+
+    # App
+    environment: str = "development"
+    log_level: str = "INFO"
+
+    # Playwright proxy (optional — empty string treated as None)
+    playwright_proxy_url: str | None = None
+
+    @field_validator("playwright_proxy_url", mode="before")
+    @classmethod
+    def empty_str_to_none(cls, v: object) -> object:
+        if isinstance(v, str) and (not v.strip() or v.strip() == "placeholder"):
+            return None
+        return v
+
+
+@lru_cache(maxsize=1)
+def get_settings() -> Settings:
+    return Settings()  # type: ignore[call-arg,unused-ignore]

consent_engine/llm/client.py

@@ -0,0 +1,50 @@
+from __future__ import annotations
+
+import os
+from typing import Any
+
+import litellm
+
+
+def _propagate_api_keys() -> None:
+    """Propagate API keys from pydantic-settings into os.environ for LiteLLM.
+
+    pydantic-settings reads .env into a Python object but does NOT set OS env
+    vars. LiteLLM reads provider keys directly from os.environ, so we bridge
+    the gap here without overwriting keys that were already set at process start.
+    """
+    try:
+        from consent_engine.config import get_settings  # local import to avoid circular
+
+        settings = get_settings()
+        pairs = [
+            ("GEMINI_API_KEY", settings.gemini_api_key),
+            ("ANTHROPIC_API_KEY", settings.anthropic_api_key),
+        ]
+        for env_var, value in pairs:
+            if value and not os.environ.get(env_var):
+                os.environ[env_var] = value
+    except Exception:  # noqa: BLE001
+        pass
+
+
+class LLMClient:
+    """Thin LiteLLM wrapper. Swap `model` string to change LLM providers."""
+
+    def __init__(self, model: str) -> None:
+        self.model = model
+        _propagate_api_keys()
+
+    async def complete(
+        self,
+        messages: list[dict[str, Any]],
+        tools: list[dict[str, Any]] | None = None,
+        system: str | None = None,
+    ) -> dict[str, Any]:
+        kwargs: dict[str, Any] = {"model": self.model, "messages": messages}
+        if tools:
+            kwargs["tools"] = tools
+        if system:
+            kwargs["messages"] = [{"role": "system", "content": system}] + messages
+        response = await litellm.acompletion(**kwargs)
+        return dict(response)

consent_engine/mcp_server.py

@@ -0,0 +1,185 @@
+"""MCP server wrapper for consent-engine.
+
+Exposes the audit pipeline as Model Context Protocol tools so Claude Desktop
+(and any other MCP host) can run an audit, read the result, and query the
+captured evidence from a conversation.
+
+Run standalone:
+    uvx consent-engine-mcp
+
+Register in Claude Desktop config:
+    {
+      "mcpServers": {
+        "consent-engine": {
+          "command": "uvx",
+          "args": ["consent-engine-mcp"]
+        }
+      }
+    }
+"""
+
+from __future__ import annotations
+
+import asyncio
+import json
+from pathlib import Path
+from typing import Any
+
+# `mcp` is an optional dependency. If the user installed
+# `pip install consent-engine[mcp]` we get it; otherwise we surface a clear
+# error rather than failing on import.
+try:
+    from mcp.server import Server
+    from mcp.server.stdio import stdio_server
+    from mcp.types import TextContent, Tool
+except ImportError as e:                                          # pragma: no cover
+    raise SystemExit(
+        "MCP support requires the optional [mcp] extra:\n"
+        "  pip install 'consent-engine[mcp]'\n"
+    ) from e
+
+
+server: Server = Server("consent-engine")
+
+
+@server.list_tools()
+async def list_tools() -> list[Tool]:
+    return [
+        Tool(
+            name="audit_url",
+            description=(
+                "Run a forensic consent-compliance audit against a URL. "
+                "Returns the audit_id, a one-paragraph executive summary, "
+                "and a violations count. Use read_audit_result / "
+                "query_evidence to drill into specifics."
+            ),
+            inputSchema={
+                "type": "object",
+                "properties": {"url": {"type": "string"}},
+                "required": ["url"],
+            },
+        ),
+        Tool(
+            name="read_audit_result",
+            description=(
+                "Load the structured audit_result.json for a prior audit. "
+                "Returns the full Pydantic model as JSON."
+            ),
+            inputSchema={
+                "type": "object",
+                "properties": {"audit_id": {"type": "string"}},
+                "required": ["audit_id"],
+            },
+        ),
+        Tool(
+            name="query_evidence",
+            description=(
+                "Filter the captured network evidence for a prior audit. "
+                "Use this when the user asks 'why did X fire' or 'what was "
+                "happening at time T'. Filter by url substring, "
+                "host substring, or time window."
+            ),
+            inputSchema={
+                "type": "object",
+                "properties": {
+                    "audit_id": {"type": "string"},
+                    "url_contains": {"type": "string"},
+                    "host_contains": {"type": "string"},
+                    "max_results": {"type": "integer", "default": 20},
+                },
+                "required": ["audit_id"],
+            },
+        ),
+    ]
+
+
+@server.call_tool()
+async def call_tool(name: str, arguments: dict[str, Any]) -> list[TextContent]:
+    if name == "audit_url":
+        return await _audit_url(arguments["url"])
+    if name == "read_audit_result":
+        return _read_audit_result(arguments["audit_id"])
+    if name == "query_evidence":
+        return _query_evidence(arguments)
+    raise ValueError(f"Unknown tool: {name}")
+
+
+async def _audit_url(url: str) -> list[TextContent]:
+    # Lazy import — avoids pulling Playwright at MCP server start
+    from consent_engine.tools.tool_02_violation_classifier import classify
+    from consent_engine.tools.tool_03_browser_scanner import scan_page
+    from consent_engine.tools.tool_08_report_generator import generate_executive_summary
+
+    scan = await scan_page(url=url)
+    audit = classify(scan)
+    audit_dir = Path("./out") / audit.audit_id
+    audit_dir.mkdir(parents=True, exist_ok=True)
+    (audit_dir / "audit_result.json").write_text(
+        json.dumps(audit.model_dump(mode="json"), indent=2, default=str)
+    )
+    with (audit_dir / "evidence.jsonl").open("w") as f:
+        for req in scan.network_requests:
+            f.write(json.dumps(req.model_dump(mode="json"), default=str) + "\n")
+    summary = generate_executive_summary(audit)
+    return [TextContent(
+        type="text",
+        text=(
+            f"Audit complete: {audit.audit_id}\n"
+            f"  URL: {url}\n"
+            f"  Violations: {len(audit.violations)}\n"
+            f"  Warnings: {len(audit.warnings)}\n\n"
+            f"Summary:\n{summary}"
+        ),
+    )]
+
+
+def _read_audit_result(audit_id: str) -> list[TextContent]:
+    path = Path("./out") / audit_id / "audit_result.json"
+    if not path.exists():
+        return [TextContent(type="text", text=f"No audit bundle at {path}")]
+    return [TextContent(type="text", text=path.read_text())]
+
+
+def _query_evidence(args: dict[str, Any]) -> list[TextContent]:
+    audit_id = args["audit_id"]
+    max_results = args.get("max_results", 20)
+    url_contains = (args.get("url_contains") or "").lower()
+    host_contains = (args.get("host_contains") or "").lower()
+
+    path = Path("./out") / audit_id / "evidence.jsonl"
+    if not path.exists():
+        return [TextContent(type="text", text=f"No evidence at {path}")]
+
+    matches: list[dict[str, Any]] = []
+    for line in path.read_text().splitlines():
+        try:
+            evt = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+        u = (evt.get("url") or "").lower()
+        if url_contains and url_contains not in u:
+            continue
+        if host_contains and host_contains not in u:
+            continue
+        matches.append(evt)
+        if len(matches) >= max_results:
+            break
+
+    return [TextContent(
+        type="text",
+        text=f"{len(matches)} match(es):\n" + json.dumps(matches, indent=2, default=str),
+    )]
+
+
+def cli() -> None:
+    """Entrypoint registered as `consent-engine-mcp` in pyproject.toml."""
+    asyncio.run(_run())
+
+
+async def _run() -> None:
+    async with stdio_server() as (read_stream, write_stream):
+        await server.run(read_stream, write_stream, server.create_initialization_options())
+
+
+if __name__ == "__main__":                                            # pragma: no cover
+    cli()

consent_engine/models/audit_request.py

@@ -0,0 +1,23 @@
+from enum import StrEnum
+from typing import Literal
+
+from pydantic import BaseModel
+
+
+class CMPProvider(StrEnum):
+    ONETRUST = "onetrust"
+
+
+class ConsentState(StrEnum):
+    OPTED_IN = "opted_in"
+    OPTED_OUT = "opted_out"
+    GPC_OPTED_OUT = "gpc_opted_out"
+
+
+class AuditRequest(BaseModel):
+    url: str
+    cmp_provider: Literal[CMPProvider.ONETRUST] = CMPProvider.ONETRUST
+    consent_state: ConsentState = ConsentState.OPTED_OUT
+    gtm_container_json: str | None = None
+    onetrust_receipt_jwt: str | None = None
+    har_file_path: str | None = None

consent_engine/models/audit_result.py

@@ -0,0 +1,152 @@
+from datetime import datetime
+from enum import StrEnum
+from typing import Literal
+
+from pydantic import BaseModel
+
+from .vendor import Vendor
+
+
+class GTMExtractionMethod(StrEnum):
+    LIVE = "live"  # Intercepted from gtm.js during scan — strongest evidence
+    PROVIDED = "provided"  # User-supplied JSON export
+    NONE = "none"  # No container data available
+
+
+class ViolationStatus(StrEnum):
+    CONFIRMED = "confirmed_violation"
+    LIKELY = "likely_violation"
+    REQUIRES_INVESTIGATION = "requires_further_investigation"
+    NO_EVIDENCE = "no_evidence_of_violation"
+    ACM_COMPLIANT = "acm_cookieless_ping"  # Google tag firing cookieless (correct ACM behaviour)
+
+
+class MethodologyFlag(StrEnum):
+    S1 = "s1_baseline"
+    S2 = "s2_post_optout_no_reload"
+    S3 = "s3_fresh_load_optout_preset"
+    # S3 run completed, but consent injection could not be verified against
+    # a denied post-injection Consent Mode signal (e.g. unknown CMP, or
+    # injection silently did not suppress tracking). Treat as non-definitive.
+    INCONCLUSIVE_UNKNOWN_CMP = "s3_inconclusive_unknown_cmp"
+    # S3 run completed with a recognised CMP and a matching injection plan,
+    # but Google Consent Mode beacons continued firing with GCS=G111
+    # throughout the scan. This is definitive evidence that the site's tag
+    # wiring fires before or regardless of the consent state the CMP stores
+    # — the CMP is working; the integration is broken. Findings are legally
+    # defensible.
+    S3_CONSENT_WIRING_BROKEN = "s3_consent_wiring_broken"
+
+
+class GCSValue(BaseModel):
+    raw: str
+    ad_storage: str
+    analytics_storage: str
+
+
+class TagConsentEntry(BaseModel):
+    """Per-tag GTM consent configuration extracted by Tool 1."""
+
+    tag_id: int
+    tag_name: str
+    tag_type: str  # GTM function code, e.g. "__html", "__ua", "__ga4"
+    is_google_tag: bool
+    consent_types: list[str] = []  # e.g. ["ad_storage", "analytics_storage"]
+    requirement: Literal[
+        "required",  # explicit consent settings present, enforced
+        "optional",  # explicit consent settings, default_value=1
+        "acm_managed",  # Google tag — ACM handles consent via cookieless ping
+        "missing",  # NON-Google tag with no consent settings — VIOLATION
+    ]
+
+
+class GCSHit(BaseModel):
+    """A single GCS signal observation from HAR analysis (Tool 4)."""
+
+    url: str
+    gcs_value: GCSValue
+    gcd_raw: str | None = None
+    timestamp_ms: float  # milliseconds from first HAR entry
+
+
+class HarAnalysis(BaseModel):
+    """Output of Tool 4 HAR file analysis."""
+
+    gcs_timeline: list[GCSHit] = []
+    post_payloads: list[str] = []  # raw POST bodies (beacons, dataLayer pushes)
+    consent_api_responses: list[str] = []  # response bodies from consent endpoints
+
+
+class PixelFiring(BaseModel):
+    """A tracking pixel endpoint observed firing in network traffic post-consent-denial.
+
+    This is the primary evidence method used by plaintiff attorneys — detecting
+    known ad/analytics pixel endpoints in HAR/network traffic regardless of cookies.
+    """
+
+    vendor_name: str  # e.g. "Meta Pixel", "TikTok Pixel", "LinkedIn Insight Tag"
+    url: str  # full request URL observed
+    category: str  # "advertising" | "analytics" | "session_recording"
+    legal_exposure: str  # "high" | "medium"
+    matched_pattern: str  # the pattern that triggered this match
+    is_acm_ping: bool = (
+        False  # True = Google ACM cookieless ping (G100+npa=1) — expected behavior, not a violation
+    )
+
+
+class VendorFinding(BaseModel):
+    vendor: Vendor
+    status: ViolationStatus
+    methodology: MethodologyFlag
+    cookies_observed: list[str] = []
+    gcs_value: GCSValue | None = None
+    gpc_honored: bool | None = None
+    evidence: list[str] = []
+    notes: str = ""
+
+
+class AuditResult(BaseModel):
+    audit_id: str
+    url: str
+    timestamp: datetime
+    methodology: MethodologyFlag
+    gtm_extraction_method: GTMExtractionMethod = GTMExtractionMethod.NONE
+    gtm_container_id: str | None = None  # e.g. "GTM-XXXXXX"
+    ssgtm_detected: bool = False
+    ssgtm_domain: str | None = None
+    gpc_tested: bool = False
+    # GPC signal test — populated when a dedicated GPC scan is run alongside
+    # the primary S3 scan. Lets the report show a clear pass/fail on whether
+    # the site respected the Global Privacy Control opt-out signal.
+    gpc_header_sent: bool = False  # Sec-GPC: 1 HTTP header on all requests
+    gpc_navigator_api_set: bool = False  # navigator.globalPrivacyControl = true injected
+    gpc_signal_respected: bool | None = None  # True = pixel count dropped; None = not tested
+    gpc_vendors_after_signal: int = 0  # vendors still firing after GPC asserted
+    gpc_pixel_count_baseline: int = 0  # pixel firings during primary S3 opt-out scan
+    gpc_pixel_count_with_gpc: int = 0  # pixel firings during GPC scan
+    # Scan-level consent signals from primary scan network traffic
+    gcs_value: GCSValue | None = None
+    gcd_raw: str | None = None
+    cmp_interaction_method: str | None = (
+        None  # "cookie_injection" | "banner_click" | "banner_click_inconclusive" | "banner_click_failed" | "banner_click_reverted"
+    )
+    detected_cmp: str | None = None
+    cmp_detection_confidence: str | None = None
+    bot_detection_encountered: bool = False
+    scan_mode_used: Literal["playwright", "stealthy"] = "playwright"
+    # Records whether the primary Chromium scan succeeded ("playwright") or the
+    # Scrapling/Camoufox stealthy fallback had to be engaged ("stealthy") — set
+    # when the primary scan hit a WAF/bot challenge.
+    detected_jurisdiction: str | None = (
+        None  # "EU" | "US" | "CA"; str (not Literal) to allow extension without schema migration
+    )
+    tag_consent_map: list[TagConsentEntry] = []
+    gcs_timeline: list[GCSHit] = []
+    post_payloads: list[str] = []
+    consent_api_responses: list[str] = []
+    findings: list[VendorFinding] = []
+    pixel_firings: list[
+        PixelFiring
+    ] = []  # Network-level pixel endpoint detections (plaintiff evidence)
+    open_gaps: list[str] = []
+    remediation: list[str] = []