consentos

kunthawat/consentos

Fork 0

Commit Graph

Author	SHA1	Message	Date
James Cottrill	bd465008e5	fix(banner): bridge blocker state loader↔bundle and sweep stale cookies on consent change (#4 ) * fix(banner): bridge blocker state between loader and bundle ``consent-loader.js`` and ``consent-bundle.js`` are built as two separate rollup IIFEs, so each inlines a private copy of ``blocker.ts``. The loader's copy is the one that actually matters — it installs the ``document.cookie`` / ``Storage.prototype.setItem`` / ``MutationObserver`` proxies, and those proxies close over the loader's private ``acceptedCategories`` set and its ``blockedScripts`` queue. The bundle used to ``import { updateAcceptedCategories } from './blocker'`` and call it from ``handleConsent``. That updated the bundle's dead-end copy of the blocker module — a different ``Set`` object in a different scope from the one the proxies read — so after the user granted consent the loader's proxies stayed stuck on ``Set(['necessary'])``, any non-necessary cookie write kept being silently dropped, and the loader's queue of blocked scripts was never released. Fix by exposing the loader's live ``updateAcceptedCategories`` on ``window.__consentos._updateBlocker`` right after ``installBlocker()``, and replacing the bundle's dead-end import with a helper that calls through the bridge. The bundle no longer imports from ``./blocker`` at all; rollup tree-shakes the bundle's copy out, so ``consent-bundle.js`` gets slightly smaller. Tests (``__tests__/blocker-bridge.test.ts``) cover: * Bridge is called with the exact accepted list. * Bridge is forwarded verbatim (no slug filtering). * Missing bridge logs a warning and doesn't throw. * Missing ``window.__consentos`` logs a warning and doesn't throw. ``vi.hoisted`` seeds ``window.__consentos`` before banner.ts's module-level ``init()`` runs so the import-time IIFE doesn't throw on the empty global. * fix(banner): sweep disallowed cookies + storage on consent update When the loader runs it now proactively deletes any pre-existing cookies (and localStorage / sessionStorage keys) that classify into a category the visitor hasn't consented to. Fixes the common case of an ``_ga`` that slipped through before the loader was installed — e.g. on a host page that loads the loader with ``async`` or places another tracker above it in ``<head>`` — sitting there forever because the blocker's only defence was a setter proxy on future writes. Sweep semantics: - Runs on every ``updateAcceptedCategories`` call (consent narrowed → the just-revoked categories' cookies are wiped) plus an explicit call from the loader's "no consent yet" branch (initial visit with pre-existing trackers from elsewhere). - Only deletes cookies / keys whose classifier hits a known pattern (``_ga``, ``_fbp``, ``intercom-`` etc. — same lists as the proxied setters). Unknown / unclassified cookies are left alone: we can't attribute them and won't risk clobbering first-party session state. - ``_consentos_`` is always preserved. - For cookies, we don't know the original ``domain`` / ``path`` (``document.cookie`` doesn't expose them), so we fire deletes against every plausible domain variant — bare hostname, leading ``.``, and every parent domain walked up from the left. Covers the GA "set on ``.example.com`` from a subdomain page" case without over-deleting. - Deletions bypass the proxied setter and go directly through the cached ``originalCookieDescriptor`` captured before the proxy was installed, so the blocker doesn't eat its own expiry writes. - Storage access is wrapped in ``safeStorage`` — sandboxed / cross-origin iframes that throw on ``window.localStorage`` are skipped rather than crashing the loader. Tests in ``__tests__/blocker.test.ts`` cover: non-consented analytics cookies are deleted, consented ones are preserved, unknown cookies survive, ``_consentos_*`` is untouched, revoking a category after seeding new cookies triggers a follow-up sweep, and localStorage cleanup follows the same rules. 6 new cases, 373 passing total in the banner suite.	2026-04-14 17:30:02 +01:00
James Cottrill	8d15ec4398	Per-site configurable cookie categories (#3 ) * feat: per-site configurable cookie categories Operators can now choose which cookie categories the banner displays for a given site — useful for sites that genuinely don't use e.g. marketing cookies and shouldn't be forced to show the toggle. Backend * New ``enabled_categories`` JSONB column on ``site_configs``, ``site_group_configs``, and ``org_configs`` (migration 0003). NULL at a level means "inherit"; an explicit list overrides. * ``config_resolver`` merges ``enabled_categories`` through the existing cascade (system → org → group → site) and normalises the result via ``_normalise_enabled_categories``: - Unknown slugs stripped. - ``necessary`` is forced in regardless of the operator's input — it's never optional. - Empty / invalid values fall back to the full five-category default so a cleared field doesn't silently hide the banner. - Output is returned in canonical display order so insertion order from the cascade doesn't leak into the UI. * ``build_public_config`` surfaces ``enabled_categories`` to the banner-facing public config endpoint. * Schemas for site/group/org config create + update + response all include the new field. Banner * ``apps/banner/src/banner.ts`` replaces the hard-coded ``ALL_CATEGORIES`` / ``NON_ESSENTIAL`` constants with a runtime ``resolveEnabledCategories(config)`` helper. ``renderCategories`` takes the enabled list and only renders toggles for those categories; ``nonEssentialFor(enabled)`` derives the user-toggleable subset. Falls back to all five when the field is missing in the config payload so older banner bundles against newer APIs (and vice versa) don't break. * ``SiteConfig`` type in ``apps/banner/src/types.ts`` has ``enabled_categories?: CategorySlug[]`` to match. Admin UI * New ``SiteCategoriesTab`` component — five checkboxes, ``necessary`` locked on, with "Reset to inherited" to clear the site override. Wired in as a new core tab on ``SiteDetailPage`` between Configuration and Cookies. * ``SiteConfig`` type in ``types/api.ts`` declares ``enabled_categories`` and a new ``ALL_COOKIE_CATEGORIES`` constant exposing label/description metadata shared between the tab component and any future display of the list. Semantics of a disabled category When the operator unticks e.g. ``marketing`` for a site: * The toggle is not rendered in the banner. * A visitor can never grant consent for ``marketing``. * Any cookie or script that classifies into ``marketing`` stays blocked permanently by the auto-blocker. That's the correct behaviour for sites that genuinely don't use a category: declare it, hide it from the visitor, have the blocker enforce it. Tests * ``test_config_resolver.py`` — 13 new cases covering the full cascade, ``necessary`` forcing, unknown-slug stripping, empty / non-list values, canonical display order, and the public-config surface. 37 passed total. * ``test_SiteCategoriesTab.test.tsx`` — renders all five, locks ``necessary``, pre-fills from an override, saves the explicit list, and resets to inherited by sending NULL. 6 cases. * Full API suite (610) and admin-ui suite (139) both green; banner bundle builds cleanly with 363 tests passing. * style: ruff format config_resolver.py	2026-04-14 14:05:31 +01:00
James Cottrill	fbf26453f2	feat: initial public release ConsentOS — a privacy-first cookie consent management platform. Self-hosted, source-available alternative to OneTrust, Cookiebot, and CookieYes. Full standards coverage (IAB TCF v2.2, GPP v1, Google Consent Mode v2, GPC, Shopify Customer Privacy API), multi-tenant architecture with role-based access, configuration cascade (system → org → group → site → region), dark-pattern detection in the scanner, and a tamper-evident consent record audit trail. This is the initial public release. Prior development history is retained internally. See README.md for the feature list, architecture overview, and quick-start instructions. Licensed under the Elastic Licence 2.0 — self-host freely; do not resell as a managed service.	2026-04-14 09:18:18 +00:00

Author

SHA1

Message

Date

James Cottrill

bd465008e5

fix(banner): bridge blocker state loader↔bundle and sweep stale cookies on consent change (#4 )

* fix(banner): bridge blocker state between loader and bundle

``consent-loader.js`` and ``consent-bundle.js`` are built as two
separate rollup IIFEs, so each inlines a private copy of
``blocker.ts``. The loader's copy is the one that actually matters
— it installs the ``document.cookie`` / ``Storage.prototype.setItem``
/ ``MutationObserver`` proxies, and those proxies close over the
loader's private ``acceptedCategories`` set and its
``blockedScripts`` queue.

The bundle used to ``import { updateAcceptedCategories } from './blocker'``
and call it from ``handleConsent``. That updated the **bundle's**
dead-end copy of the blocker module — a different ``Set`` object in
a different scope from the one the proxies read — so after the user
granted consent the loader's proxies stayed stuck on
``Set(['necessary'])``, any non-necessary cookie write kept being
silently dropped, and the loader's queue of blocked scripts was
never released.

Fix by exposing the loader's live ``updateAcceptedCategories`` on
``window.__consentos._updateBlocker`` right after
``installBlocker()``, and replacing the bundle's dead-end import
with a helper that calls through the bridge. The bundle no longer
imports from ``./blocker`` at all; rollup tree-shakes the bundle's
copy out, so ``consent-bundle.js`` gets slightly smaller.

Tests (``__tests__/blocker-bridge.test.ts``) cover:
* Bridge is called with the exact accepted list.
* Bridge is forwarded verbatim (no slug filtering).
* Missing bridge logs a warning and doesn't throw.
* Missing ``window.__consentos`` logs a warning and doesn't throw.

``vi.hoisted`` seeds ``window.__consentos`` before banner.ts's
module-level ``init()`` runs so the import-time IIFE doesn't throw
on the empty global.

* fix(banner): sweep disallowed cookies + storage on consent update

When the loader runs it now proactively deletes any pre-existing
cookies (and localStorage / sessionStorage keys) that classify into
a category the visitor hasn't consented to. Fixes the common case
of an ``_ga`` that slipped through before the loader was installed
— e.g. on a host page that loads the loader with ``async`` or
places another tracker above it in ``<head>`` — sitting there
forever because the blocker's only defence was a setter proxy on
future writes.

Sweep semantics:

- Runs on every ``updateAcceptedCategories`` call (consent narrowed
  → the just-revoked categories' cookies are wiped) plus an
  explicit call from the loader's "no consent yet" branch (initial
  visit with pre-existing trackers from elsewhere).
- Only deletes cookies / keys whose classifier hits a known
  pattern (``_ga``, ``_fbp``, ``intercom-*`` etc. — same lists as
  the proxied setters). Unknown / unclassified cookies are left
  alone: we can't attribute them and won't risk clobbering
  first-party session state.
- ``_consentos_*`` is always preserved.
- For cookies, we don't know the original ``domain`` / ``path``
  (``document.cookie`` doesn't expose them), so we fire deletes
  against every plausible domain variant — bare hostname, leading
  ``.``, and every parent domain walked up from the left. Covers
  the GA "set on ``.example.com`` from a subdomain page" case
  without over-deleting.
- Deletions bypass the proxied setter and go directly through the
  cached ``originalCookieDescriptor`` captured before the proxy was
  installed, so the blocker doesn't eat its own expiry writes.
- Storage access is wrapped in ``safeStorage`` — sandboxed /
  cross-origin iframes that throw on ``window.localStorage`` are
  skipped rather than crashing the loader.

Tests in ``__tests__/blocker.test.ts`` cover: non-consented analytics
cookies are deleted, consented ones are preserved, unknown cookies
survive, ``_consentos_*`` is untouched, revoking a category after
seeding new cookies triggers a follow-up sweep, and localStorage
cleanup follows the same rules. 6 new cases, 373 passing total in
the banner suite.

2026-04-14 17:30:02 +01:00

James Cottrill

8d15ec4398

Per-site configurable cookie categories (#3 )

* feat: per-site configurable cookie categories

Operators can now choose which cookie categories the banner displays
for a given site — useful for sites that genuinely don't use
e.g. marketing cookies and shouldn't be forced to show the toggle.

**Backend**

* New ``enabled_categories`` JSONB column on ``site_configs``,
  ``site_group_configs``, and ``org_configs`` (migration 0003).
  NULL at a level means "inherit"; an explicit list overrides.
* ``config_resolver`` merges ``enabled_categories`` through the
  existing cascade (system → org → group → site) and normalises
  the result via ``_normalise_enabled_categories``:
  - Unknown slugs stripped.
  - ``necessary`` is forced in regardless of the operator's input
    — it's never optional.
  - Empty / invalid values fall back to the full five-category
    default so a cleared field doesn't silently hide the banner.
  - Output is returned in canonical display order so insertion
    order from the cascade doesn't leak into the UI.
* ``build_public_config`` surfaces ``enabled_categories`` to the
  banner-facing public config endpoint.
* Schemas for site/group/org config create + update + response all
  include the new field.

**Banner**

* ``apps/banner/src/banner.ts`` replaces the hard-coded
  ``ALL_CATEGORIES`` / ``NON_ESSENTIAL`` constants with a runtime
  ``resolveEnabledCategories(config)`` helper. ``renderCategories``
  takes the enabled list and only renders toggles for those
  categories; ``nonEssentialFor(enabled)`` derives the user-toggleable
  subset. Falls back to all five when the field is missing in the
  config payload so older banner bundles against newer APIs (and
  vice versa) don't break.
* ``SiteConfig`` type in ``apps/banner/src/types.ts`` has
  ``enabled_categories?: CategorySlug[]`` to match.

**Admin UI**

* New ``SiteCategoriesTab`` component — five checkboxes, ``necessary``
  locked on, with "Reset to inherited" to clear the site override.
  Wired in as a new core tab on ``SiteDetailPage`` between
  Configuration and Cookies.
* ``SiteConfig`` type in ``types/api.ts`` declares ``enabled_categories``
  and a new ``ALL_COOKIE_CATEGORIES`` constant exposing label/description
  metadata shared between the tab component and any future display of
  the list.

**Semantics of a disabled category**

When the operator unticks e.g. ``marketing`` for a site:

* The toggle is not rendered in the banner.
* A visitor can never grant consent for ``marketing``.
* Any cookie or script that classifies into ``marketing`` stays
  blocked permanently by the auto-blocker.

That's the correct behaviour for sites that genuinely don't use a
category: declare it, hide it from the visitor, have the blocker
enforce it.

**Tests**

* ``test_config_resolver.py`` — 13 new cases covering the full
  cascade, ``necessary`` forcing, unknown-slug stripping, empty /
  non-list values, canonical display order, and the public-config
  surface. 37 passed total.
* ``test_SiteCategoriesTab.test.tsx`` — renders all five, locks
  ``necessary``, pre-fills from an override, saves the explicit
  list, and resets to inherited by sending NULL. 6 cases.
* Full API suite (610) and admin-ui suite (139) both green;
  banner bundle builds cleanly with 363 tests passing.

* style: ruff format config_resolver.py

2026-04-14 14:05:31 +01:00

James Cottrill

fbf26453f2

feat: initial public release

ConsentOS — a privacy-first cookie consent management platform.

Self-hosted, source-available alternative to OneTrust, Cookiebot, and
CookieYes. Full standards coverage (IAB TCF v2.2, GPP v1, Google
Consent Mode v2, GPC, Shopify Customer Privacy API), multi-tenant
architecture with role-based access, configuration cascade
(system → org → group → site → region), dark-pattern detection in
the scanner, and a tamper-evident consent record audit trail.

This is the initial public release. Prior development history is
retained internally.

See README.md for the feature list, architecture overview, and
quick-start instructions. Licensed under the Elastic Licence 2.0 —
self-host freely; do not resell as a managed service.

2026-04-14 09:18:18 +00:00

3 Commits