CMP Changelog

All notable changes scoped to the CMP (Consent SDKs, Registry, Portal, Scanner, Helm) in the DigiWedge hub.

2026-01-09

  • fix(registry): enforce cryptographic JWT verification for /consent/v1/append (issuer/audience checks plus HS256 or JWKS signature verification), and require exp on tokens.

2025-09-23

  • chore(monorepo): regroup CMP packages beneath libs/cmp/* (consent-core, consent-react, datasets, registry-types, sdk-web) so shared tooling and docs resolve a single workspace segment.
  • docs: refreshed README quick-links and datasets guide references to the new libs/cmp/* layout.

2025-09-15

  • feat(registry): tenant enforcement for admin endpoints (cookies analytics/export, exports list/download/delete, scans baseline, sites domains, classifier overrides, audit logs). Toggle with CMP_ENFORCE_TENANT=1; tenant resolved from token claims (tenant_id|tenantId|org_id|orgId|tid) or x-tenant-id header in dev.
  • feat(registry): Admin Audit Log — AdminAuditLog model, AuditService, and endpoints:
    • GET /api/admin/audit/logs?siteKey=&action=&range=Nd|Nh&from=&to=&limit=&offset= (JSON)
    • GET /api/admin/audit/logs/export?... (CSV)
    • Logged actions include: cookies.definitions.batch, cookies.overrides.upsert|delete|import|export, scans.baseline.promote, exports.consents.start|job, sites.domains.add|remove|copy-primary, exports.artifact.delete
    • Retention via AUDIT_RETENTION_DAYS added to retention job
  • feat(portal): Analytics → Audit tab with quick action chips, date range filter, details drawer, and CSV export button
  • feat(portal): Artifacts tab pagination (limit/offset) and bulk delete; per-row delete wired to DELETE /api/admin/exports/:id
  • feat(registry): admin rate limits for analytics (/api/admin/analytics/*) and exports (/api/admin/exports/*) with configurable windows/max; 429s counted in cmp_rate_limited_total{route}
  • chore(registry): exclude src/app/__tests__/** from production tsc build; added smoke tests for analytics, public scans, and tenant enforcement
  • docs: updated docs/cmp/registry.md (tenant scoping, audit endpoints, curl examples), and docs/cmp/portal.md (Artifacts pagination/bulk delete, Audit tab)

2025-09-14

  • docs(datasets): add Datasets & Sync guide with AdGuard‑maintained defaults (dist/whotracksme.json, dist/companies.json), IAB GVL source, K8s Secret example, and progress/logging expectations
  • feat(cmp-datasets): support AdGuard companiesdb export shape for WTM (trackers + trackerDomains), fallback to legacy WTM shape when present; add constant progress logging and graceful handling when sources unavailable
  • fix(cmp-datasets): correct build output import paths for dataset runners; datasets job resolves module paths via import.meta.url for robust dist execution
  • docs(registry): link Classifier section to Datasets & Sync; add “Run datasets now” snippet in curl examples; clarify dataset defaults under Environment
  • docs(nav): add “Datasets & Sync” to navbar (under Demos); README quick actions to run datasets and stream logs
  • docs(scanner): avoid route collision by renaming React page to /scanner‑tool and updating navbar link
  • feat(scan-api): auto‑pick free port if 3005 is busy; CommonJS build for Nx node executor; lint/TS cleanups
  • docs(registry): comprehensive Swagger coverage and rich examples across Admin Analytics, Admin Classifier, Admin Sites (listing + domains), Config, Consent, Classifier, and Health endpoints
  • feat(registry): enable global ValidationPipe (whitelist + transform) to standardize 4xx validation; unify error semantics on admin Domains and Classifier (400/404 instead of ok=false); add typed DTOs for queries/responses
  • feat(registry): pagination for Admin Sites listing (limit/offset), documented in Swagger and portal docs
  • docs(registry): document JSONL streaming export (format=jsonl) and query validation rules (format, range Nd/Nh, from/to ISO, gpc) for consent exports
  • docs(portal): reflect CSV/JSON/JSONL export and sites pagination; align examples
  • docs: fix CMP docs navbar/home links to Swagger (use 3318) and add Swagger 404 troubleshooting; clarify portal VITE_REGISTRY_URL default vs recommended
  • chore(registry): centralize Swagger examples; typed responses for /v1/config, /v1/consent, /v1/classify
  • breaking(registry): Admin Site Domains GET now returns 404 when siteKey is unknown (previously returned 200 with empty list)

2025-09-13

  • feat(registry): consent analytics summary and CSV/JSON export by site & date range
  • feat(registry): JSONL (NDJSON) streaming export for large windows (format=jsonl)
  • feat(portal): consent analytics widget (7/30d) and Export consents UI (CSV/JSON/JSONL, filters)
  • feat(ci): add scanner CI gate (baseline + GPC) with artifact reports
  • feat(react): axe-core a11y harness stabilized (DOM-based); CI workflow
  • docs: updated Registry/Portal/Consent/Scanner guides and Operator Checklist; added CMP docs index and Quickstart
  • ops: example prod values for tight egress NetPol and metrics basic auth
  • chore: AGENTS.md playbooks added for cmp-registry, cmp-portal, cmp-consent-core, cmp-consent-react, cmp-datasets, dw-cmp-dropin, cmp-scanner

2025-09-12

  • feat: CORS-by-site enforcement and rate limiting for /v1/config and /v1/consent
  • feat: GPC support end‑to‑end (client default‑deny; server metrics + event flag)
  • feat: per‑site i18n strings and Policy Block generator
  • feat: datasets nightly + consent retention CronJobs; Prometheus metrics and Grafana dashboard
  • feat: Helm ops guards (resources, HPA, PDB, NetworkPolicy)
  • feat(registry): global API base path /api; Swagger served at /api/docs with relative server base
  • fix(registry): switch build to TypeScript @nx/js:tsc to emit DI metadata (Nest)
  • docs: update CMP docs to use /api/v1/* endpoints and correct portal VITE_REGISTRY_URL

Contributors

  • DigiWedge Engineering

2025-09-19

  • sdk(web): official GPP header (Range/Fibonacci); US‑CA (Sec‑8) real bitfield; US‑National (Sec‑7) v2 schema (12 sensitive, 3 child) with toggle
  • sdk(web): real bit‑encoded TCF v2.2 Core segment (flag‑gated via TCF_ENABLE), vendor cap via setTcfVendorCap (Portal loads pinned GVL)
  • portal: Diagnostics adds Google Consent Mode v2 checklist, “Latest Consent Events” table, and one‑click exports (CSV/JSON/JSONL) with optional Authorization
  • portal: dev‑only Flags banner (TCF_ENABLE, GPP_USNAT_VERSION, VITE_TCF_GVL_URL)
  • portal: consent emitter posts { gppString, applicableSections, tcfString, gpc, region } to the registry on consent changes
  • registry: ConsentEvent now stores gppString, sections:int[], tcfString; export endpoints include these fields in CSV/JSON/JSONL
  • docs: refreshed SDK/Portal/Consent docs (flags, theming & IDs, SSR, vendor cap)

2025-09-19 (v1+)

  • sdk(web): GPP state sections VA(9)/CO(10)/CT(11)/UT(12) live by region; decoded sections are attached to __gpp('getGPPData') response
  • sdk(web): state bitfields locked to MSPA v2 (12 sensitive, 3 child) with vector round‑trips
  • sdk(web): TCF Core tcString exposed; Publisher segment joined as multi‑segment when TCF_PUB_ENABLE=1; vendor cap pinned from GVL
  • portal: Diagnostics tiles (snapshots) for exports/receipts/scans/appends with SLO hints; scanner details render blocked‑until‑consent, cookie deltas, and new 3P hosts
  • portal: Receipts tab with inline chain verify; Latest events list; Exports (CSV/JSON/JSONL) with Authorization; dev flags banner remains
  • registry: DB queue gains retries/backoff (attempts/nextAttemptAt/lastError/maxAttempts) and DLQ counters; SKIP LOCKED worker loop remains available
  • registry: BullMQ scans queue added (flag‑gated via SCANS_USE_BULL=1, REDIS_URL), with enqueue/status/requeue endpoints and metrics
  • registry: metrics summary JSON for portal tiles; CSV export guardrails (pagesize cap + date window clamp with signaling headers)
  • templates: importable GTM containers added under templates/gtm/ (GA4 Consent Mode + Floodlight)
  • docs: README/AGENTS updated (flags: GPP_US_STATES_ENABLE, SCANS_USE_BULL, REDIS_URL; metrics and GTM import notes)
  • portal: Failed scans table with precise pagination (server total) and per‑row Requeue; status modal shows attemptsMade and errors
  • sdk(react): shared Banner component with variants MB1/CC1/SP1/HB1/FS1/TS1; a11y‑first (role=dialog, focus trap, keyboard loop); Storybook stories added
  • portal: Banner A/B demo (Diagnostics) — assign variant (sticky), show/reset assignment, emit metrics; Experiments card shows views/accept%/adjust%
  • registry: analytics endpoints — GET /api/admin/analytics/consent (coverage series) and POST/GET /api/admin/analytics/experiments* (in‑memory counters for demo)
  • sdk(react): Banner variants push cmp_accept / cmp_reject to window.dataLayer ahead of callbacks; focused MB1/CC1 stories exercise the flow.
  • portal: /analytics dashboard adds consent funnel + experiment charts with CSV export and the health page surfaces an Access Control latency badge.