Add GDPR compliance: cookie consent banner, privacy checkbox, reCAPTCHA v3 #265

Draft
Copilot wants to merge 3 commits into main from copilot/update-contact-form-gdpr-compliance

Copilot AI commented Mar 26, 2026

Three GDPR elements were absent: no cookie consent mechanism, no explicit privacy checkbox on the contact form (despite backend requiring consent_given), and no reCAPTCHA integration anywhere in the stack.

Privacy consent checkbox

Added required privacyConsent field to both ContactForm.tsx and index.html, wired to consent_given in the submission payload. Validation fails client-side if unchecked; contact_handler.py already enforced this server-side.

<input
  type="checkbox"
  id="privacyConsent"
  aria-required="true"
  aria-invalid={!!errors.privacyConsent}
  aria-describedby={errors.privacyConsent ? 'privacyConsent-error' : 'privacyConsent-help'}
/>
<label htmlFor="privacyConsent">
  I agree to the <a href="/privacy-policy">privacy policy</a> *
</label>

Cookie consent banner

New src/components/CookieConsent.tsx with three categories (necessary/analytics/marketing), preferences persisted to localStorage as gdpr_cookie_consent. Vanilla JS equivalent rendered into #cookie-consent-banner via main.js on first visit, with acceptAllCookies() / acceptNecessaryCookiesOnly() exposed globally.

reCAPTCHA v3

  • src/hooks/useRecaptcha.ts — wraps window.grecaptcha.execute(); returns '' gracefully when unavailable (test/dev environments)
  • index.html — reCAPTCHA script added async defer, keyed off YOUR_RECAPTCHA_SITE_KEY placeholder (replace with VITE_RECAPTCHA_SITE_KEY env var)
  • ContactForm.tsx — token obtained pre-submission and included in payload as recaptchaToken
  • server/contact_handler.py — verify_recaptcha_token() calls Google's siteverify API; fails closed on malformed token responses, fails open on network errors (with audit log warnings); skips entirely when RECAPTCHA_SECRET_KEY is unset

API contract update

ContactFormData in src/api/contact.ts now includes consent_given: boolean and recaptchaToken: string. Consent is validated before the fetch.

Test infrastructure

ContactForm.tsx now imports submitContactForm / logAuditEvent from ../api/contact (replacing internal stubs), making the existing vi.mock interception work correctly. Added tests/setup.ts for @testing-library/jest-dom, configured vite.config.js with jsdom environment, jsxInject, and jest-dom setupFiles.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • googlechromelabs.github.io
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node install.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:



Copilot AI and others added 2 commits March 26, 2026 10:36
… open for network errors

Agent-Logs-Url: https://github.com/danielmeppiel/corporate-website/sessions/cfcdab62-12a6-4cea-9f8b-641a6bfcc485

Co-authored-by: danielmeppiel <51440732+danielmeppiel@users.noreply.github.com>
Copilot AI changed the title [WIP] Update contact form for full GDPR compliance Add GDPR compliance: cookie consent banner, privacy checkbox, reCAPTCHA v3 Mar 26, 2026
Copilot AI requested a review from danielmeppiel March 26, 2026 10:41
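
The server-side policy from the reCAPTCHA v3 section of the PR description (skip when RECAPTCHA_SECRET_KEY is unset, fail open on network errors with an audit warning, fail closed on malformed responses), written out as an added example; this is not the PR's contact_handler.py. The injectable `post` transport, the 0.5 `min_score` threshold, the `audit` logger name, rejecting an empty token, and the reason strings are assumptions.

```python
import json
import logging
import os
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
audit_log = logging.getLogger("audit")  # assumed logger name


def _post_siteverify(secret, token, timeout=5.0):
    """Default transport: form-encoded POST, returns the raw response body."""
    form = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=form, timeout=timeout) as resp:
        return resp.read()


def verify_recaptcha_token(token, secret=None, min_score=0.5, post=_post_siteverify):
    """Return (allowed, reason). min_score is an assumed threshold."""
    if secret is None:
        secret = os.environ.get("RECAPTCHA_SECRET_KEY", "")
    if not secret:
        return True, "skipped: RECAPTCHA_SECRET_KEY unset"
    if not token:
        # Assumption: once a secret is configured, an empty token is rejected.
        return False, "rejected: missing token"
    try:
        raw = post(secret, token)
    except OSError as exc:  # URLError, timeouts and socket errors derive from OSError
        audit_log.warning("recaptcha: siteverify unreachable, failing open: %s", exc)
        return True, "fail-open: network error"
    try:
        body = json.loads(raw)
        success, score = body["success"], body.get("score")
        if not isinstance(success, bool):
            raise TypeError("success is not a boolean")
    except (ValueError, KeyError, TypeError):
        # Not JSON, not an object, or no boolean verdict: do not trust it.
        return False, "fail-closed: malformed response"
    if not success:
        return False, "rejected: success=false"
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "fail-closed: malformed response"  # v3 verdict without a score
    if score < min_score:
        return False, "rejected: score %.1f below threshold" % score
    return True, "verified"
```

Returning the reason alongside the decision lets the handler record how many submissions were accepted through the skip and fail-open paths.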

Development

Successfully merging this pull request may close these issues.

Update contact form for full GDPR compliance (cookie consent, privacy checkbox, reCAPTCHA).
