diff --git a/pkg/verify/consent_test.go b/pkg/verify/consent_test.go
new file mode 100644
index 0000000..1fc0962
--- /dev/null
+++ b/pkg/verify/consent_test.go
@@ -0,0 +1,118 @@
+package verify
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/salvacybersec/keyhunter/pkg/storage"
+)
+
+func newTestDB(t *testing.T) *storage.DB {
+	t.Helper()
+	db, err := storage.Open(":memory:")
+	if err != nil {
+		t.Fatalf("storage.Open(:memory:): %v", err)
+	}
+	t.Cleanup(func() { _ = db.Close() })
+	return db
+}
+
+func TestEnsureConsent_GrantedPrevious(t *testing.T) {
+	db := newTestDB(t)
+	if err := db.SetSetting(ConsentSettingKey, ConsentGranted); err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader(""), &out)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Errorf("want true, got false")
+	}
+	if out.Len() != 0 {
+		t.Errorf("expected no prompt when previously granted, got %q", out.String())
+	}
+}
+
+func TestEnsureConsent_TypeYes(t *testing.T) {
+	db := newTestDB(t)
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader("yes\n"), &out)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Errorf("want true, got false")
+	}
+	if !strings.Contains(out.String(), "legal implications") {
+		t.Errorf("prompt missing 'legal implications': %q", out.String())
+	}
+	if !strings.Contains(out.String(), "keyhunter legal") {
+		t.Errorf("prompt missing 'keyhunter legal': %q", out.String())
+	}
+	val, found, err := db.GetSetting(ConsentSettingKey)
+	if err != nil || !found || val != ConsentGranted {
+		t.Errorf("setting not persisted: val=%q found=%v err=%v", val, found, err)
+	}
+}
+
+func TestEnsureConsent_TypeYesUppercase(t *testing.T) {
+	db := newTestDB(t)
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader("YES\n"), &out)
+	if err != nil || !ok {
+		t.Fatalf("want (true,nil), got (%v,%v)", ok, err)
+	}
+}
+
+func TestEnsureConsent_TypeNo(t *testing.T) {
+	db := newTestDB(t)
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader("no\n"), &out)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if ok {
+		t.Errorf("want false, got true")
+	}
+	val, _, _ := db.GetSetting(ConsentSettingKey)
+	if val != ConsentDeclined {
+		t.Errorf("want declined, got %q", val)
+	}
+}
+
+func TestEnsureConsent_Empty(t *testing.T) {
+	db := newTestDB(t)
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader("\n"), &out)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if ok {
+		t.Errorf("want false, got true")
+	}
+}
+
+func TestEnsureConsent_DeclinedNotSticky(t *testing.T) {
+	db := newTestDB(t)
+	if err := db.SetSetting(ConsentSettingKey, ConsentDeclined); err != nil {
+		t.Fatalf("seed: %v", err)
+	}
+	var out bytes.Buffer
+	ok, err := EnsureConsent(db, strings.NewReader("yes\n"), &out)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Errorf("want true (re-prompted & granted), got false")
+	}
+	if out.Len() == 0 {
+		t.Errorf("expected re-prompt after declined, got no output")
+	}
+	val, _, _ := db.GetSetting(ConsentSettingKey)
+	if val != ConsentGranted {
+		t.Errorf("want granted after re-prompt, got %q", val)
+	}
+}