feat: Package 4 Rechtliche Texte — DB-Persistenz fuer Legal Documents, Einwilligungen und Cookie Banner

- Migration 007: compliance_legal_documents, _versions, _approvals (Approval-Workflow)
- Migration 008: compliance_einwilligungen_catalog, _company, _cookies, _consents
- Backend: legal_document_routes.py (11 Endpoints + draft→review→approved→published Workflow)
- Backend: einwilligungen_routes.py (10 Endpoints inkl. Stats, Pagination, Revoke)
- Frontend: /api/admin/consent/[[...path]] Catch-All-Proxy fuer Legal Documents
- Frontend: catalog/consent/cookie-banner routes von In-Memory auf DB-Proxy umgestellt
- Frontend: einwilligungen/page.tsx + cookie-banner/page.tsx laden jetzt via API (kein Mock)
- Tests: 44/44 pass (test_legal_document_routes.py + test_einwilligungen_routes.py)
- Deploy-Scripts: apply_legal_docs_migration.sh + apply_einwilligungen_migration.sh

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

admin-compliance/app/api/sdk/v1/einwilligungen/consent/route.ts

@@ -1,51 +1,38 @@
 /**
  * API Route: Consent Management
  *
+ * Proxies to backend-compliance for DB persistence.
  * POST - Consent erfassen
- * GET  - Consent-Status abrufen
+ * GET  - Consent-Status und Statistiken abrufen
+ * PUT  - Batch-Update von Consents
  */
 
 import { NextRequest, NextResponse } from 'next/server'
-import {
-  ConsentEntry,
-  ConsentStatistics,
-  DataPointCategory,
-  LegalBasis,
-} from '@/lib/sdk/einwilligungen/types'
-import { PREDEFINED_DATA_POINTS } from '@/lib/sdk/einwilligungen/catalog/loader'
 
-// In-Memory Storage fuer Consents
-const consentStorage = new Map<string, ConsentEntry[]>() // tenantId -> consents
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
-// Hilfsfunktion: Generiere eindeutige ID
-function generateId(): string {
-  return `consent-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`
+function getHeaders(request: NextRequest): HeadersInit {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+  const clientTenantId = request.headers.get('x-tenant-id') || request.headers.get('X-Tenant-ID')
+  const tenantId = (clientTenantId && uuidRegex.test(clientTenantId))
+    ? clientTenantId
+    : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+  return {
+    'Content-Type': 'application/json',
+    'X-Tenant-ID': tenantId,
+  }
 }
 
 /**
  * POST /api/sdk/v1/einwilligungen/consent
- *
  * Erfasst eine neue Einwilligung
- *
- * Body:
- * - userId: string - Benutzer-ID
- * - dataPointId: string - ID des Datenpunkts
- * - granted: boolean - Einwilligung erteilt?
- * - consentVersion?: string - Version der Einwilligung
  */
 export async function POST(request: NextRequest) {
   try {
-    const tenantId = request.headers.get('X-Tenant-ID')
-
-    if (!tenantId) {
-      return NextResponse.json(
-        { error: 'Tenant ID required' },
-        { status: 400 }
-      )
-    }
-
+    const headers = getHeaders(request)
     const body = await request.json()
-    const { userId, dataPointId, granted, consentVersion = '1.0.0' } = body
+    const { userId, dataPointId, granted, consentVersion = '1.0.0', source } = body
 
     if (!userId || !dataPointId || typeof granted !== 'boolean') {
       return NextResponse.json(
@@ -54,316 +41,159 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    // Hole IP und User-Agent
     const ipAddress = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || null
     const userAgent = request.headers.get('user-agent') || null
 
-    // Erstelle Consent-Eintrag
-    const consent: ConsentEntry = {
-      id: generateId(),
-      userId,
-      dataPointId,
-      granted,
-      grantedAt: new Date(),
-      revokedAt: undefined,
-      ipAddress: ipAddress || undefined,
-      userAgent: userAgent || undefined,
-      consentVersion,
-    }
-
-    // Hole bestehende Consents
-    const tenantConsents = consentStorage.get(tenantId) || []
-
-    // Pruefe auf bestehende Einwilligung fuer diesen Datenpunkt
-    const existingIndex = tenantConsents.findIndex(
-      (c) => c.userId === userId && c.dataPointId === dataPointId && !c.revokedAt
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/einwilligungen/consents`,
+      {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          user_id: userId,
+          data_point_id: dataPointId,
+          granted,
+          consent_version: consentVersion,
+          source: source || null,
+          ip_address: ipAddress,
+          user_agent: userAgent,
+        }),
+        signal: AbortSignal.timeout(30000),
+      }
     )
 
-    if (existingIndex !== -1) {
-      if (!granted) {
-        // Widerruf: Setze revokedAt
-        tenantConsents[existingIndex].revokedAt = new Date()
-      }
-      // Bei granted=true: Keine Aenderung noetig, Consent existiert bereits
-    } else if (granted) {
-      // Neuer Consent
-      tenantConsents.push(consent)
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: errorText }, { status: response.status })
     }
 
-    consentStorage.set(tenantId, tenantConsents)
-
+    const data = await response.json()
     return NextResponse.json({
       success: true,
       consent: {
-        id: consent.id,
-        dataPointId: consent.dataPointId,
-        granted: consent.granted,
-        grantedAt: consent.grantedAt,
+        id: data.id,
+        dataPointId: data.data_point_id,
+        granted: data.granted,
+        grantedAt: data.granted_at,
       },
     })
   } catch (error) {
     console.error('Error recording consent:', error)
-    return NextResponse.json(
-      { error: 'Failed to record consent' },
-      { status: 500 }
-    )
+    return NextResponse.json({ error: 'Failed to record consent' }, { status: 500 })
   }
 }
 
 /**
  * GET /api/sdk/v1/einwilligungen/consent
- *
  * Ruft Consent-Status und Statistiken ab
- *
- * Query Parameters:
- * - userId?: string - Fuer spezifischen Benutzer
- * - stats?: boolean - Statistiken inkludieren
  */
 export async function GET(request: NextRequest) {
   try {
-    const tenantId = request.headers.get('X-Tenant-ID')
-
-    if (!tenantId) {
-      return NextResponse.json(
-        { error: 'Tenant ID required' },
-        { status: 400 }
-      )
-    }
-
+    const headers = getHeaders(request)
     const { searchParams } = new URL(request.url)
     const userId = searchParams.get('userId')
     const includeStats = searchParams.get('stats') === 'true'
 
-    const tenantConsents = consentStorage.get(tenantId) || []
-
-    if (userId) {
-      // Spezifischer Benutzer
-      const userConsents = tenantConsents.filter((c) => c.userId === userId)
-
-      // Gruppiere nach Datenpunkt
-      const consentMap: Record<string, { granted: boolean; grantedAt: Date; revokedAt?: Date }> = {}
-      for (const consent of userConsents) {
-        consentMap[consent.dataPointId] = {
-          granted: consent.granted && !consent.revokedAt,
-          grantedAt: consent.grantedAt,
-          revokedAt: consent.revokedAt,
-        }
-      }
-
-      return NextResponse.json({
-        userId,
-        consents: consentMap,
-        totalConsents: Object.keys(consentMap).length,
-        activeConsents: Object.values(consentMap).filter((c) => c.granted).length,
-      })
-    }
-
-    // Statistiken fuer alle Consents
     if (includeStats) {
-      const stats = calculateStatistics(tenantConsents)
-      return NextResponse.json({
-        statistics: stats,
-        recentConsents: tenantConsents
-          .sort((a, b) => new Date(b.grantedAt).getTime() - new Date(a.grantedAt).getTime())
-          .slice(0, 10)
-          .map((c) => ({
-            id: c.id,
-            userId: c.userId.substring(0, 8) + '...', // Anonymisiert
-            dataPointId: c.dataPointId,
-            granted: c.granted,
-            grantedAt: c.grantedAt,
-          })),
-      })
+      const statsResponse = await fetch(
+        `${BACKEND_URL}/api/compliance/einwilligungen/consents/stats`,
+        { method: 'GET', headers, signal: AbortSignal.timeout(30000) }
+      )
+      if (!statsResponse.ok) {
+        return NextResponse.json({ error: 'Failed to fetch stats' }, { status: statsResponse.status })
+      }
+      const stats = await statsResponse.json()
+      return NextResponse.json({ statistics: stats })
     }
 
-    // Standard: Alle Consents (anonymisiert)
+    // Fetch consents with optional user filter
+    const queryParams = new URLSearchParams()
+    if (userId) queryParams.set('user_id', userId)
+    queryParams.set('limit', '50')
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/einwilligungen/consents?${queryParams.toString()}`,
+      { method: 'GET', headers, signal: AbortSignal.timeout(30000) }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: errorText }, { status: response.status })
+    }
+
+    const data = await response.json()
     return NextResponse.json({
-      totalConsents: tenantConsents.length,
-      activeConsents: tenantConsents.filter((c) => c.granted && !c.revokedAt).length,
-      revokedConsents: tenantConsents.filter((c) => c.revokedAt).length,
+      totalConsents: data.total || 0,
+      activeConsents: (data.consents || []).filter((c: { granted: boolean; revoked_at: string | null }) => c.granted && !c.revoked_at).length,
+      revokedConsents: (data.consents || []).filter((c: { revoked_at: string | null }) => c.revoked_at).length,
+      consents: data.consents || [],
     })
   } catch (error) {
     console.error('Error fetching consents:', error)
-    return NextResponse.json(
-      { error: 'Failed to fetch consents' },
-      { status: 500 }
-    )
+    return NextResponse.json({ error: 'Failed to fetch consents' }, { status: 500 })
   }
 }
 
 /**
  * PUT /api/sdk/v1/einwilligungen/consent
- *
- * Batch-Update von Consents (z.B. Cookie-Banner)
+ * Batch-Update oder Revoke einzelner Consents
  */
 export async function PUT(request: NextRequest) {
   try {
-    const tenantId = request.headers.get('X-Tenant-ID')
-
-    if (!tenantId) {
-      return NextResponse.json(
-        { error: 'Tenant ID required' },
-        { status: 400 }
-      )
-    }
-
+    const headers = getHeaders(request)
     const body = await request.json()
-    const { userId, consents, consentVersion = '1.0.0' } = body
+    const { consentId, action } = body
 
-    if (!userId || !consents || typeof consents !== 'object') {
-      return NextResponse.json(
-        { error: 'userId and consents object required' },
-        { status: 400 }
+    // Single consent revoke
+    if (consentId && action === 'revoke') {
+      const response = await fetch(
+        `${BACKEND_URL}/api/compliance/einwilligungen/consents/${consentId}/revoke`,
+        { method: 'PUT', headers, body: '{}', signal: AbortSignal.timeout(30000) }
       )
+      if (!response.ok) {
+        const errorText = await response.text()
+        return NextResponse.json({ error: errorText }, { status: response.status })
+      }
+      const data = await response.json()
+      return NextResponse.json({ success: true, ...data })
     }
 
-    const ipAddress = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || null
+    // Batch update: { userId, consents: { dataPointId: boolean } }
+    const { userId, consents, consentVersion = '1.0.0' } = body
+    if (!userId || !consents) {
+      return NextResponse.json({ error: 'userId and consents required' }, { status: 400 })
+    }
+
+    const ipAddress = request.headers.get('x-forwarded-for') || null
     const userAgent = request.headers.get('user-agent') || null
+    const results = []
 
-    const tenantConsents = consentStorage.get(tenantId) || []
-    const now = new Date()
-
-    // Verarbeite jeden Consent
     for (const [dataPointId, granted] of Object.entries(consents)) {
       if (typeof granted !== 'boolean') continue
-
-      const existingIndex = tenantConsents.findIndex(
-        (c) => c.userId === userId && c.dataPointId === dataPointId && !c.revokedAt
-      )
-
-      if (existingIndex !== -1) {
-        const existing = tenantConsents[existingIndex]
-        if (existing.granted !== granted) {
-          if (!granted) {
-            // Widerruf
-            tenantConsents[existingIndex].revokedAt = now
-          } else {
-            // Neuer Consent nach Widerruf
-            tenantConsents.push({
-              id: generateId(),
-              userId,
-              dataPointId,
-              granted: true,
-              grantedAt: now,
-              ipAddress: ipAddress || undefined,
-              userAgent: userAgent || undefined,
-              consentVersion,
-            })
-          }
+      const resp = await fetch(
+        `${BACKEND_URL}/api/compliance/einwilligungen/consents`,
+        {
+          method: 'POST',
+          headers,
+          body: JSON.stringify({
+            user_id: userId,
+            data_point_id: dataPointId,
+            granted,
+            consent_version: consentVersion,
+            ip_address: ipAddress,
+            user_agent: userAgent,
+          }),
+          signal: AbortSignal.timeout(30000),
         }
-      } else if (granted) {
-        // Neuer Consent
-        tenantConsents.push({
-          id: generateId(),
-          userId,
-          dataPointId,
-          granted: true,
-          grantedAt: now,
-          ipAddress: ipAddress || undefined,
-          userAgent: userAgent || undefined,
-          consentVersion,
-        })
+      )
+      if (resp.ok) {
+        results.push(await resp.json())
       }
     }
 
-    consentStorage.set(tenantId, tenantConsents)
-
-    // Zaehle aktive Consents fuer diesen User
-    const activeConsents = tenantConsents.filter(
-      (c) => c.userId === userId && c.granted && !c.revokedAt
-    ).length
-
-    return NextResponse.json({
-      success: true,
-      userId,
-      activeConsents,
-      updatedAt: now,
-    })
+    return NextResponse.json({ success: true, userId, updated: results.length })
   } catch (error) {
     console.error('Error updating consents:', error)
-    return NextResponse.json(
-      { error: 'Failed to update consents' },
-      { status: 500 }
-    )
-  }
-}
-
-/**
- * Berechnet Consent-Statistiken
- */
-function calculateStatistics(consents: ConsentEntry[]): ConsentStatistics {
-  const activeConsents = consents.filter((c) => c.granted && !c.revokedAt)
-  const revokedConsents = consents.filter((c) => c.revokedAt)
-
-  // Gruppiere nach Kategorie (18 Kategorien A-R)
-  const byCategory: Record<DataPointCategory, { total: number; active: number; revoked: number }> = {
-    MASTER_DATA: { total: 0, active: 0, revoked: 0 },
-    CONTACT_DATA: { total: 0, active: 0, revoked: 0 },
-    AUTHENTICATION: { total: 0, active: 0, revoked: 0 },
-    CONSENT: { total: 0, active: 0, revoked: 0 },
-    COMMUNICATION: { total: 0, active: 0, revoked: 0 },
-    PAYMENT: { total: 0, active: 0, revoked: 0 },
-    USAGE_DATA: { total: 0, active: 0, revoked: 0 },
-    LOCATION: { total: 0, active: 0, revoked: 0 },
-    DEVICE_DATA: { total: 0, active: 0, revoked: 0 },
-    MARKETING: { total: 0, active: 0, revoked: 0 },
-    ANALYTICS: { total: 0, active: 0, revoked: 0 },
-    SOCIAL_MEDIA: { total: 0, active: 0, revoked: 0 },
-    HEALTH_DATA: { total: 0, active: 0, revoked: 0 },
-    EMPLOYEE_DATA: { total: 0, active: 0, revoked: 0 },
-    CONTRACT_DATA: { total: 0, active: 0, revoked: 0 },
-    LOG_DATA: { total: 0, active: 0, revoked: 0 },
-    AI_DATA: { total: 0, active: 0, revoked: 0 },
-    SECURITY: { total: 0, active: 0, revoked: 0 },
-  }
-
-  for (const consent of consents) {
-    const dataPoint = PREDEFINED_DATA_POINTS.find((dp) => dp.id === consent.dataPointId)
-    if (dataPoint) {
-      byCategory[dataPoint.category].total++
-      if (consent.granted && !consent.revokedAt) {
-        byCategory[dataPoint.category].active++
-      }
-      if (consent.revokedAt) {
-        byCategory[dataPoint.category].revoked++
-      }
-    }
-  }
-
-  // Gruppiere nach Rechtsgrundlage (7 Rechtsgrundlagen)
-  const byLegalBasis: Record<LegalBasis, { total: number; active: number }> = {
-    CONTRACT: { total: 0, active: 0 },
-    CONSENT: { total: 0, active: 0 },
-    EXPLICIT_CONSENT: { total: 0, active: 0 },
-    LEGITIMATE_INTEREST: { total: 0, active: 0 },
-    LEGAL_OBLIGATION: { total: 0, active: 0 },
-    VITAL_INTERESTS: { total: 0, active: 0 },
-    PUBLIC_INTEREST: { total: 0, active: 0 },
-  }
-
-  for (const consent of consents) {
-    const dataPoint = PREDEFINED_DATA_POINTS.find((dp) => dp.id === consent.dataPointId)
-    if (dataPoint) {
-      byLegalBasis[dataPoint.legalBasis].total++
-      if (consent.granted && !consent.revokedAt) {
-        byLegalBasis[dataPoint.legalBasis].active++
-      }
-    }
-  }
-
-  // Berechne Conversion Rate (Unique Users mit mindestens einem Consent)
-  const uniqueUsers = new Set(consents.map((c) => c.userId))
-  const usersWithActiveConsent = new Set(activeConsents.map((c) => c.userId))
-  const conversionRate = uniqueUsers.size > 0
-    ? (usersWithActiveConsent.size / uniqueUsers.size) * 100
-    : 0
-
-  return {
-    totalConsents: consents.length,
-    activeConsents: activeConsents.length,
-    revokedConsents: revokedConsents.length,
-    byCategory,
-    byLegalBasis,
-    conversionRate: Math.round(conversionRate * 10) / 10,
+    return NextResponse.json({ error: 'Failed to update consents' }, { status: 500 })
   }
 }