v0.1 · MIT licensed · Open source

Infrastructure-as-code for Google Tag Manager.

One command installs a complete vendor pixel. One command audits your container for the Consent Mode v2 misconfigs that silently cost accounts up to 90% of their EEA conversions. One command snapshots everything for Git.

Star on GitHub See the 30-second demo

Why this exists

On July 21, 2025, Google quietly started breaking accounts.

That's when Consent Mode v2 enforcement went live for EEA and UK traffic. No banner. No email. No grace period. Accounts that hadn't wired ad_user_data and ad_personalization through their GTM layer saw observed Google Ads conversions drop up to 90% overnight.

"Our client's consent banner was collecting user preferences but not transmitting signals to Google's tag infrastructure. After diagnosis and remediation, approximately 40% of attribution data was recovered through behavioral modeling; the remainder was permanently lost."
— field report in ppc.land, Matomo observed 90–95% EEA drops at affected sites

None of this is visible in the GTM UI. There is no "Consent Mode v2 Compliance" tab. There's only the silent revenue drop.

TagOps is the CLI that finds these misconfigurations, fixes them, and keeps them from coming back. Plus everything else you wish GTM had.

The 30-second demo

One command. A full container audited.

Given a Google service account with Edit on your container:

tagops-demo — zsh

$ npm install -g tagops $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa.json $ tagops init --import \ --account-id 123 --container-id 456 --workspace-id 1 \ --monthly-conversions 1000 --avg-value 85 ✔ Container imported Config: .gtmrc.json Snapshot: gtm-snapshot.json Report: consent-report-2026-04-16.md What's inside 71 tags · 32 triggers · 69 variables · 0 folders Consent Mode v2 compliance 76% (71 tags audited) ✖ 0 non-compliant · ⚠ 11 unconfigured EU data-loss exposure estimate Inputs: 1000 conversions/mo · 30% EEA share · $85 avg value Non-compliant tag share: 18% Affected conversions/mo: ~54 Gross monthly exposure: ~$4,598 Permanent loss/mo (est.): ~$2,759 Yearly permanent loss: ~$33,108

In under a minute: a tracked .gtmrc.json, a full Git-ready snapshot, a shareable Markdown compliance report, and a CFO-grade dollar exposure estimate. Output above is a real run against a live 71-tag container.

What it does

Three capabilities. Tightly scoped.

32 vendor pixel templates

Not empty tag shells. Each installs tags + triggers + consent + data-layer variables. Meta (base + advanced with Event Match Quality), GA4, Google Ads, TikTok, LinkedIn, Microsoft Clarity, Hotjar, Mixpanel, PostHog, HubSpot, Intercom, Yandex Metrica — and 20 more.

tagops templates install meta-pixel

Consent Mode v2 audit

Names which tags are missing which signals. --fix writes the corrections back via the GTM API with an auto-snapshot first. --score-only is your CI gate.

tagops consent-audit --report

IaC for your container

Snapshot, diff, plan, restore, promote between environments. Promotion enforces dev → staging → production. Stage-skipping rejected.

tagops snapshot && tagops diff

Compared to what's out there

The moat is the governance layer.

Other GTM CLIs and MCPs are CRUD wrappers. TagOps is an opinionated control plane on top of them.

Tool	Type	Misses
owntag/gtm-cli	CLI	Templates, consent audit, IaC, policies
Stape GTM MCP	MCP	Templates, consent audit, IaC, policies, CLI
Google GA4 MCP	MCP	Read-only; doesn't touch GTM
Google Community Template Gallery	UI	Triggers, consent, data layer mapping
GTM 360 (paid)	UI	Only for Google Marketing Platform customers
TagOps	CLI + MCP	Templates + consent audit + IaC + policy gate

MCP integration

The MCP with guardrails.

Other GTM MCP servers let an agent create, update, and delete tags via the API. TagOps's MCP server routes every mutation through a safety layer:

Pre-fix snapshot before any mutation — reversible via tagops restore
Policy gates block non-compliant writes (gdpr-strict, ccpa-baseline, agency-standard)
Production promotion enforces dev → staging → production
Read-only by default. Flip the flag when you're ready.

Claude Desktop config:

claude_desktop_config.json

{ "mcpServers": { "tagops": { "command": "tagops-mcp", "args": ["--read-only"], "env": { "GOOGLE_APPLICATION_CREDENTIALS": "/path/to/sa.json" } } } }

Giving an AI agent production write access to a GTM container is how you break tracking for a million-dollar campaign at 2am. Every other GTM MCP is one prompt away from that outcome. TagOps says no before the agent does something it shouldn't.

Status

Early — v0.1.

32 vendor templates · 332 tests · MCP server · MIT licensed
Browser OAuth login requires your own client (bring-your-own-client model). Service-account auth is the supported path and works out of the box.
Two templates (GA4 event tags, Google Ads Enhanced Conversions) are preview-only pending native tag-creation support; both are v0.2 priorities.
Aggressive PR-merge during launch: reasonable vendor-template PRs merged within 48 hours.

Star on GitHub Read the docs