consent-engine 0.3.0__tar.gz → 0.3.2__tar.gz

{consent_engine-0.3.0 → consent_engine-0.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: consent-engine
-Version: 0.3.0
+Version: 0.3.2
 Summary: Forensic consent-compliance audit engine. Deterministic by design.
 Project-URL: Homepage, https://github.com/kb223/consent-engine
 Project-URL: Repository, https://github.com/kb223/consent-engine

{consent_engine-0.3.0 → consent_engine-0.3.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "consent-engine"
-version = "0.3.0"
+version = "0.3.2"
 description = "Forensic consent-compliance audit engine. Deterministic by design."
 readme = "README.md"
 license = { text = "MIT" }

{consent_engine-0.3.0 → consent_engine-0.3.2}/src/consent_engine/__init__.py

@@ -8,4 +8,4 @@ Public package surface:
 - consent_engine.llm.client     LiteLLM-wrapped chat surface (agentic layer)
 """
 
-__version__ = "0.3.0"
+__version__ = "0.3.2"

{consent_engine-0.3.0 → consent_engine-0.3.2}/src/consent_engine/data/wiki/concepts/consent-mode-v2.md

@@ -124,3 +124,70 @@ Non-compliant advertisers face:
 Sending any network request (which exposes IP addresses) before explicit consent may carry legal risk under strict interpretations of GDPR and Quebec Law 25. The transmission of cookieless pings requires a defensible legal basis — typically documented legitimate interest for aggregate modeling.
 
 An audit finding of `gcs=G100` with conversion events = data flowing to Google for modeling. This is not a clean pass — it requires documentation of the legal basis used.
+
+## Source Verification — Google's Official Documentation (re-verified 2026-05-18)
+
+The "no cookies written when consent denied" rule is the load-bearing claim
+behind the scanner's `_ga`+`GCS=G100` = ACM-misconfiguration classification.
+Re-verified against Google's official docs:
+
+| Claim | Google source | Direct evidence |
+|---|---|---|
+| `_ga` / `_ga_<id>` cookies are not written when `analytics_storage` is denied | [Consent mode reference](https://support.google.com/analytics/answer/13802165) + [About consent mode](https://support.google.com/analytics/answer/10000067) | "When visitors deny consent, consent-aware tags do not store cookies. Instead, tags communicate consent state and user activity by sending measurements without cookies (web), or signals (apps)" |
+| Advanced Mode sends cookieless pings, not cookies | [Consent mode overview](https://developers.google.com/tag-platform/security/concepts/consent-mode) | "tags load with default settings and adjust behavior based on consent... If consent is denied, Google receives cookieless pings" |
+| `_gcl_au` is not written when `ad_storage` is denied | [Set up consent mode](https://developers.google.com/tag-platform/security/guides/consent) | "If ad_storage is denied, Google tags won't save this information locally. Existing first-party advertising cookies won't be read." |
+| `ads_data_redaction` deletes stored info on top of the cookie-write block | [Consent mode reference (Google Ads)](https://support.google.com/google-ads/answer/13802165) | "If you enable ads_data_redaction, when the user denies consent, Google Ads will delete the stored information" |
+| URL passthrough is the cookieless alternative for cross-page analytics | [Set up consent mode](https://developers.google.com/tag-platform/security/guides/consent) | "If analytics_storage is set to denied, URL passthrough can be used to send event and session-based analytics (including key events) without cookies across pages" |
+
+### Scanner classifier implication (load-bearing)
+
+The above is what makes `_ga` (or `_ga_<id>`) **+** `GCS=G100` on a fresh-context
+scan a real config error and not "ACM working as designed":
+
+- `GCS=G100` in the request payload proves the cookieless-ping layer is
+  active (Google's server sees a denied state).
+- A fresh browser context has no pre-existing `_ga` cookies.
+- If `_ga` appears after the scan, GA4 wrote it during this denied-consent
+  visit. Per the Google sources above, that is **not** ACM-compliant behavior.
+
+The scanner classifies this as `confirmed_violation` with notes that frame
+it as **"Advanced Consent Mode misconfiguration — cookieless-ping layer
+firing correctly, cookie-suppression layer broken."** This is technically
+distinct from a non-Google vendor firing without consent (no ACM equivalent
+exists for Meta, TikTok, LinkedIn, etc.) — both are violations under denied
+consent, but the fix paths differ and the report copy reflects that.
+
+### What this rule does NOT say
+
+- It does **not** say `_ga_<id>` (the GA4-property-specific session cookie)
+  is always blocked. Some non-ACM implementations may set it; the audit
+  flags those.
+- It does **not** apply to non-Google vendors. Meta, TikTok, LinkedIn, etc.
+  must be fully blocked when consent is denied — no cookieless-ping
+  equivalent exists for them.
+- It does **not** mean GCS=G100 is itself a "clean pass." See the
+  *Regulatory Gray Area* section above on EU/Quebec exposure from any
+  pre-consent network request.
+
+### Session-continuity (consent revocation) — separate methodology
+
+Two distinct cookie-behavior questions exist under ACM with denied consent:
+
+1. **Fresh-context denied — "should cookies be SET?"**
+   *Answer per Google: no.* Tested by this scanner via the S3 methodology
+   (fresh browser context, denial pre-injected, page loaded). `_ga` + GCS=G100
+   here = the cookie-suppression layer of ACM is broken.
+
+2. **Session-continuity withdrawal — "should previously-granted cookies be CLEARED when the user revokes?"**
+   *Answer per Google:* (a) **Not read** — "existing first-party advertising
+   cookies won't be read" once `ad_storage` is denied. (b) **Deleted** if and
+   only if `ads_data_redaction=true` is set on the page — "Google Ads will
+   delete the stored information." Without `ads_data_redaction`, prior cookies
+   persist on disk but are not used.
+
+The current scanner tests question #1 only (fresh-context S3). Question #2
+requires a session-continuity scan mode — granted → revoked mid-session —
+that has not been built yet. Per the project's `concepts/consent-mode-v2.md`,
+this distinction is recorded so buyers can interpret the scope correctly:
+this audit confirms compliant cookie-write behavior under denied consent at
+page load, not compliant cookie-clearance behavior on consent withdrawal.

{consent_engine-0.3.0 → consent_engine-0.3.2}/src/consent_engine/data/wiki/log.md

@@ -4,6 +4,29 @@ Format: `## [YYYY-MM-DD] operation | description`
 
 ---
 
+## [2026-05-18] verify | ACM cookie behavior re-checked against Google official docs
+
+Triggered by Kenneth's pushback on whether cookies-in-anonymous-state under
+Advanced Consent Mode count as a violation. Fact-checked via WebSearch
+against the official Google sources listed below; all five confirmed the
+"no cookies written when consent denied" rule that the scanner's classifier
+relies on.
+
+Sources cross-checked (all from official Google domains):
+- https://developers.google.com/tag-platform/security/concepts/consent-mode
+- https://developers.google.com/tag-platform/security/guides/consent
+- https://support.google.com/analytics/answer/13802165 (Consent mode reference)
+- https://support.google.com/analytics/answer/10000067 (About consent mode)
+- https://support.google.com/google-ads/answer/13802165 (Consent mode reference – Ads)
+
+Page updated: `concepts/consent-mode-v2.md` — added a *Source Verification*
+section with direct quotes mapped to each load-bearing claim, and a
+*Scanner classifier implication* paragraph explaining why `_ga` + GCS=G100
+on a fresh-context scan is a real config error (not "ACM working as
+designed").
+
+Outcome: scanner classification stands. Wiki is now the auditable record.
+
 ## [2026-04-08] ingest | Initial wiki build — 9 regulatory source docs
 
 Sources ingested from `data/regulatory/`:

{consent_engine-0.3.0 → consent_engine-0.3.2}/src/consent_engine/tools/tool_08_report_generator.py

@@ -1183,7 +1183,11 @@ def generate_marp_slides(
         else "None detected",
         _SVG_CROSS if pixel_violations else _SVG_CHECK,
     )
-    _gcs_code = f"<code style='background:#1f2937;padding:2px 6px;border-radius:3px;font-size:0.9em;'>{gcs_state}</code>"
+    _gcs_code = (
+        f"<code style='background:#faf8f2;color:#14182b;border:1px solid #e7e3d8;"
+        f"padding:2px 8px;border-radius:3px;font-size:0.9em;"
+        f"font-family:\"SF Mono\",Menlo,monospace;font-weight:600;'>{gcs_state}</code>"
+    )
     if _gcs_full_denial:
         _gcs_display = f"{_gcs_code} — ACM implemented correctly (cookieless pings only)"
         _gcs_icon = _SVG_CHECK
@@ -1445,21 +1449,21 @@ def generate_marp_slides(
         )
 
         _gpc_footer = (
-            '<div style="margin-top:14px;background:#ffffff;border-radius:8px;padding:12px 16px;'
+            '<div style="margin-top:10px;background:#faf8f2;border-radius:6px;padding:10px 14px;'
             f'border-left:3px solid {_gpc_verdict_color};">'
-            '<div style="font-size:0.68em;color:#9ca3af;line-height:1.6;">'
-            "Under CCPA/CPRA, GPC (Global Privacy Control) is a legally binding opt-out signal. "
+            '<div style="font-size:0.62em;color:#6b7794;line-height:1.5;">'
+            "Under CCPA/CPRA, GPC is a legally binding opt-out signal. "
             "California's CPPA has stated GPC non-compliance is enforceable without prior notice."
             "</div></div>"
         )
 
         _gpc_slide_md = (
             "---\n\n"
+            "<!-- _class: compact -->\n\n"
             "### GPC COMPLIANCE TEST\n\n"
             f"# GPC Compliance {_gpc_tag_html}\n\n"
-            '<p style="font-size:0.75em;color:#9ca3af;margin-bottom:4px;">'
-            "Global Privacy Control signal test — Sec-GPC: 1 HTTP header plus "
-            "navigator.globalPrivacyControl = true injected on every request.</p>"
+            '<p style="font-size:0.72em;color:#6b7794;margin:0 0 10px;line-height:1.5;">'
+            "Sec-GPC: 1 header + navigator.globalPrivacyControl asserted on every request.</p>"
             f"{_gpc_rows}"
             f"{_gpc_footer}\n"
         )
@@ -1714,6 +1718,10 @@ style: |
     font-size: 0.82em; font-family: 'SF Mono', Menlo, monospace;
   }}
   section.lead {{ display: flex; flex-direction: column; justify-content: center; align-items: center; text-align: center; }}
+  section.compact {{ padding: 56px 96px 56px; }}
+  section.compact h1 {{ font-size: 2.1em; margin-bottom: 8px; }}
+  section.compact h2 {{ font-size: 1em; margin-bottom: 18px; }}
+  section.compact p {{ font-size: 0.78em; }}
   section.cover {{ padding: 110px 96px; background: var(--bg); }}
   section.cover h1 {{
     font-size: 3.2em; border-left: 3px solid var(--a);
@@ -1843,11 +1851,11 @@ style: |
 
 ---
 
-### {_closing_kicker}
+### PREPARED BY
 
 # Kenneth Buchanan
 
-## Consent Compliance Intelligence
+## kennethjbuchanan.com
 
 <div style="display:flex;gap:10px;margin-top:28px;">
   <div style="flex:1;background:var(--s);border-radius:10px;padding:20px;border-top:2px solid var(--a);">