Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features
CI / nodejs-build (push) Successful in 2m47s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / detect-changes (push) Successful in 10s
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / validate-canonical-controls (push) Successful in 16s
Details
CI / loc-budget (push) Failing after 17s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / test-python-backend (push) Successful in 42s
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-go (push) Has been skipped
Details
CI / iace-gt-coverage (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details

Browse Source 
Massiv-Update auf Basis BMW-Test-Iterationen (v1→v9):

Core Compliance-Check
- Sonnet check_type Klassifikation: text/process/review fuer alle 1874 MCs
  in compliance.doc_check_controls (script + Sidecar /data/mc_classification.db).
  rag_document_checker filtert auf check_type='text' fuer doc_check.
  Plus fits_doc_type-Audit (v2) + ui_only-Audit fuer DSA/E-Commerce-MCs in
  falscher doc_type-Schublade.
- scope_requires-Filter: biometric/ai_decision/child_targeting MCs werden
  per business_profile gefiltert (FRT skipped fuer BMW etc.).
- Embedding-Match (BGE-M3) als Phase-3 nach Regex-Match:
  Per-doc_type-Threshold-Override (impressum 0.50, dse/cookie 0.60),
  Short-Field-Rescue (15-Wort-Chunks) fuer Pflichtfelder im Impressum.
  Title+check_question als Embedding-Input fuer mehr Kontext.
- Cookie-Text-Routing: consent-tester gibt cmp_cookie_text aus dem
  CMP-Reconstruct zurueck, Backend bevorzugt das gegen DOM-Extraction
  wenn richer (BMW 1824 vs 600 Worte).

Vendor-Redundanz + EU-Alternativen + Cost-Saving
- vendor_redundancy.analyze() — funktionale Kategorisierung der CMP-Vendors,
  Detektion von Mehrfach-Anbietern pro Kategorie, EU-Alternative-Lookup
  (Matomo, IONOS, HERE, Friendly Captcha, Smart AdServer, ...).
- vendor_cost_estimator: Tier-Inferenz aus Cookie-Footprint (Cookie-Anzahl
  + Premium-Feature-Cookies + Third-Party-Quote → starter/professional/
  enterprise/premier).
- Self-Service-Werbung (Google/Meta/Pinterest/...) = 0 Lizenz-Kosten
  (nur Media-Spend, separat). DSP-Plattformen behalten enge Range.
- Tier-aware Saving-Range: bei Enterprise/Premier nutzen wir den
  oberen 40-100%-Band der Listpreise, nicht starter→premier.
- Multi-Function-Tools (Matomo Pro, SAP CX, IONOS Cloud, Userlike, Smart
  AdServer, HERE Maps, Vimeo Pro, LamaPoll) — ein Tool ersetzt mehrere
  Kategorien gleichzeitig.

Cookie-Wissens-DB + Funktionale Klassifikation
- cookie_knowledge_db: 50 kuratierte Top-Cookies (Google/Meta/Adobe/MS/...)
  mit vendor, exact_purpose, data_collected, IAB-TCF-IDs, reid_risk,
  schrems_ii_status, EuGH-Urteile, EU-Alternative.
- cookie_function_classifier: pro Cookie funktionale Rolle (tracking_id,
  ad_pixel, session_id, ab_test, csrf, ...) + blocking_impact.

Country-Inferenz aus Rechtsform
- cookie_link_validator: Country-Field wird aus Vendor-Name abgeleitet
  (A/S=DK, GmbH=DE, Inc=US, B.V.=NL, ...) plus Vendor-Lookup-Table.
  Reduziert false-positive no_country-Flags bei eindeutig-EU-Vendors
  (Adform DK, Pinterest IE).

Action-Recipes + Doc-Anchor-Locator
- finding_action_recipes: pro Finding-Typ (no_cookies_listed, no_country,
  broken_opt_out, "Auftragsverarbeiter erwaehnen", "Art. 22 Profiling",
  ...) eine strukturierte Anweisung mit what/why/fix_text/where/example.
  Zum 1:1-Einfuegen in Kunden-Dokumente.
- doc_anchor_locator: Embedding-basiert (BGE-M3 cosine) — sucht den
  passenden Absatz im existierenden Kundendokument fuer jeden Finding.
  Per-Run Thread-Local-Cache. Fallback: keyword-Match.
- Email-Rendering integriert Recipe + Anchor pro Doc-Pruefungs-Fail
  + Vendor-Flag-Liste mit aufklappbarer Action-Liste.
- Score-Erklaerung pro Vendor-Zeile (3/5-Untertitel + Tooltip).

Migration-Pipeline (Compliance-Check -> Customer Banner/Documents)
- migration_to_banner.py: Vendor-Liste -> CookieBannerConfig mit
  4 Kategorien + Review-Flags.
- migration_to_document.py: Vendor-Liste -> Cookie-Policy + VVT-Register
  + Privacy-Policy-Pre-Fills.
- agent_migration_routes: 3 Preview-Endpoints (banner-preview,
  document-preview, summary). Persistierung der cmp_vendors in
  /data/compliance_audits.db check_payloads-Tabelle.

Borlabs-Parity Cookie-Banner-Features
- Consent-Historie im Banner: window.bpShowConsentHistory() + localStorage.
- Content-Blocker: cookie-banner-content-blocker.ts — YouTube/Maps/Video
  Placeholder bis Einwilligung.
- Google Consent Mode v2 erweitert: wait_for_update + region=EEA/CH/GB.
- Consent-Log Export (CSV/JSON) per einwilligungen_export_routes.

Bug-Fixes
- canonical_control_routes: _jsonish-Helper fuer string-typed jsonb,
  similar-controls-Endpoint mit _has_embedding_col()-Cache (kein 500 mehr).
- Control-Library Frontend: defensive .map-Coercer in 2 Detail-Views.
- Embedding-Service-Batching (32er Batches statt 165 in einem Call).
- KeyError 'control_id' in MC-Result-Aggregation (defensive .get).
- Master-Controls-Klick-Through von /sdk/master-controls auf
  /sdk/control-library?control=<id> mit URL-Param-Auto-Open.
- Dockerfile: /data pre-chowned auf appuser (Audit-DB-Schreibrecht).
- Cookie-Text-Routing-Bug (cmp_reconstructed > DOM-extraction).
- doc_type-aware MC-Filter (statt all-text-MCs).
- Master-Contract-Dedup (60 BMW-Internal-Eintraege = 1 Adobe-Vertrag).
- A3-v2-Audit hat 24 UI-Sprache-MCs als 'process' reklassifiziert.

Tests
- test_migration_mappers.py (9 Tests)
- test_migration_endpoints.py (4 Tests)

Skripte (one-shot)
- classify_mc_check_type.py (v1) + _v2 (PK=control_id,doc_type)
- audit_mc_doctype_fit.py (v1 fits) + _v2 (ui_only + scope_requires)

BMW-Run-Bilanz v1 (broken) -> v9 (alle Fixes):
  DSE     7,5% -> 81-83%
  Impressum 4%   -> 100% (6 echte MCs alle erfuellt)
  Cookie  0%    -> 79-83% (CMP-Text-Routing + Embedding)
  Plus: 10 Konsolidierungs-Kategorien, geschaetzte Saving 200k-3M / Jahr
  Plus: Action-Recipes + Doc-Anchors fuer jeden Fail

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-05-18 18:30:08 +02:00
parent 52fb8b91e7
commit 662327e8b4
31 changed files with 5214 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-compliance/lib/sdk/einwilligungen/generator/cookie-banner-content-blocker.ts
+156
View File
@@ -0,0 +1,156 @@
/**
* Content-Blocker Generator (Borlabs-Parity).
*
* Returns a small JS snippet that scans the page for blockable third-party
* embeds (YouTube, Vimeo, Google Maps, Spotify, Twitter, Facebook) and
* replaces them with a click-to-consent placeholder until the user agrees
* to the relevant cookie category.
*
* The customer drops a SECOND script tag next to the banner:
* <script src="/cookie-banner.js"></script>
* <script src="/cookie-content-blocker.js"></script>
*
* Author writes content as either:
* <bp-consent-block category="EXTERNAL_MEDIA"
* provider="YouTube"
* src="https://www.youtube.com/embed/...">
* <!-- the original iframe / embed code -->
* </bp-consent-block>
*
* OR auto-detect: any <iframe src="https://www.youtube.com/...">
* gets wrapped on page load.
*/
const KNOWN_EMBEDS: Array<{ host: string; provider: string; category: string }> = [
{ host: 'youtube.com', provider: 'YouTube', category: 'EXTERNAL_MEDIA' },
{ host: 'youtu.be', provider: 'YouTube', category: 'EXTERNAL_MEDIA' },
{ host: 'vimeo.com', provider: 'Vimeo', category: 'EXTERNAL_MEDIA' },
{ host: 'google.com/maps', provider: 'Google Maps', category: 'EXTERNAL_MEDIA' },
{ host: 'maps.googleapis.com', provider: 'Google Maps', category: 'EXTERNAL_MEDIA' },
{ host: 'spotify.com', provider: 'Spotify', category: 'EXTERNAL_MEDIA' },
{ host: 'soundcloud.com', provider: 'SoundCloud', category: 'EXTERNAL_MEDIA' },
{ host: 'twitter.com', provider: 'Twitter / X', category: 'PERSONALIZATION' },
{ host: 'facebook.com', provider: 'Facebook', category: 'PERSONALIZATION' },
{ host: 'instagram.com', provider: 'Instagram', category: 'PERSONALIZATION' },
]
export function generateContentBlockerJS(cookieName: string = 'cookie_consent'): string {
return `(function () {
'use strict';
var COOKIE_NAME = ${JSON.stringify(cookieName)};
var KNOWN_EMBEDS = ${JSON.stringify(KNOWN_EMBEDS)};
function getConsent() {
var c = document.cookie.split('; ').find(function (r) {
return r.indexOf(COOKIE_NAME + '=') === 0;
});
if (!c) return null;
try { return JSON.parse(decodeURIComponent(c.split('=')[1])); } catch (e) { return null; }
}
function categoryGranted(cat) {
var c = getConsent();
if (!c) return false;
var k = String(cat).toLowerCase();
return c[cat] === true || c[k] === true;
}
function classifyByHost(src) {
if (!src) return null;
for (var i = 0; i < KNOWN_EMBEDS.length; i++) {
if (src.indexOf(KNOWN_EMBEDS[i].host) > -1) return KNOWN_EMBEDS[i];
}
return null;
}
function makePlaceholder(provider, category, originalHTML, parent) {
var ph = document.createElement('div');
ph.className = 'bp-consent-placeholder';
ph.style.cssText = 'border:2px dashed #cbd5e1;background:#f8fafc;padding:24px;' +
'border-radius:8px;text-align:center;font-family:-apple-system,sans-serif;color:#475569';
ph.innerHTML =
'<div style="font-size:14px;font-weight:600;color:#1e293b;margin-bottom:8px">' +
'Inhalt von ' + provider + ' blockiert</div>' +
'<div style="font-size:12px;margin-bottom:12px">' +
'Zum Anzeigen dieses Inhalts wird Ihre Einwilligung fuer die Kategorie ' +
'<strong>' + category + '</strong> benoetigt. ' +
'Beim Akzeptieren werden Cookies von ' + provider + ' gesetzt.</div>' +
'<button class="bp-consent-load-btn" ' +
'style="background:#7c3aed;color:white;border:none;padding:8px 16px;' +
'border-radius:6px;font-size:13px;cursor:pointer;margin-right:6px">' +
'Inhalt einmalig laden</button>' +
'<button class="bp-consent-accept-btn" ' +
'style="background:#16a34a;color:white;border:none;padding:8px 16px;' +
'border-radius:6px;font-size:13px;cursor:pointer">' +
category + ' akzeptieren</button>';
ph.querySelector('.bp-consent-load-btn').addEventListener('click', function () {
var div = document.createElement('div');
div.innerHTML = originalHTML;
while (div.firstChild) parent.insertBefore(div.firstChild, ph);
ph.remove();
});
ph.querySelector('.bp-consent-accept-btn').addEventListener('click', function () {
var c = getConsent() || {};
c[category] = true;
var date = new Date();
date.setTime(date.getTime() + 180 * 86400000);
document.cookie = COOKIE_NAME + '=' + encodeURIComponent(JSON.stringify(c)) +
';expires=' + date.toUTCString() + ';path=/;SameSite=Lax';
window.dispatchEvent(new CustomEvent('cookieConsentUpdated', { detail: c }));
// Re-scan: placeholders for THIS category get replaced now
processAll();
});
return ph;
}
function processWrapped() {
var wrapped = document.querySelectorAll('bp-consent-block, [data-bp-consent-block]');
wrapped.forEach(function (el) {
var cat = el.getAttribute('category') || el.getAttribute('data-category') || 'EXTERNAL_MEDIA';
var prov = el.getAttribute('provider') || el.getAttribute('data-provider') || 'Drittanbieter';
if (categoryGranted(cat)) {
// Already consented: unwrap the inner content
var html = el.innerHTML;
var tmp = document.createElement('div');
tmp.innerHTML = html;
var parent = el.parentNode;
while (tmp.firstChild) parent.insertBefore(tmp.firstChild, el);
el.remove();
} else {
var parent = el.parentNode;
var inner = el.innerHTML;
var ph = makePlaceholder(prov, cat, inner, parent);
parent.insertBefore(ph, el);
el.remove();
}
});
}
function processBareIframes() {
var iframes = document.querySelectorAll('iframe[src]:not([data-bp-processed])');
iframes.forEach(function (f) {
var match = classifyByHost(f.getAttribute('src') || '');
if (!match) return;
f.setAttribute('data-bp-processed', '1');
if (categoryGranted(match.category)) return;
var html = f.outerHTML;
var parent = f.parentNode;
var ph = makePlaceholder(match.provider, match.category, html, parent);
parent.replaceChild(ph, f);
});
}
function processAll() {
processWrapped();
processBareIframes();
}
if (document.readyState === 'loading') {
document.addEventListener('DOMContentLoaded', processAll);
} else {
processAll();
}
// Re-process when consent updates
window.addEventListener('cookieConsentUpdated', processAll);
})();`
}
admin-compliance/lib/sdk/einwilligungen/generator/cookie-banner-embed.ts
+69 -11
View File
@@ -325,18 +325,25 @@ function generateJS(config: CookieBannerConfig): string {
const CATEGORIES = ${JSON.stringify(categoryIds)};
const REQUIRED_CATEGORIES = ${JSON.stringify(requiredCategories)};
// Google Consent Mode v2 — PFLICHT seit Maerz 2024 fuer Google Services in EEA
// Sets default consent state to "denied" BEFORE any Google tags fire
if (typeof gtag === 'function') {
gtag('consent', 'default', {
analytics_storage: 'denied',
ad_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
functionality_storage: 'granted',
security_storage: 'granted',
});
// Google Consent Mode v2 — PFLICHT seit Maerz 2024 fuer Google Services
// in EEA. Shim gtag/dataLayer falls Google Tag noch nicht initialisiert
// wurde, dann sofort den default consent state setzen (DENIED).
window.dataLayer = window.dataLayer || [];
if (typeof gtag !== 'function') {
window.gtag = function () { window.dataLayer.push(arguments); };
}
// wait_for_update gibt dem Banner 500ms Zeit, damit der Nutzer
// entscheiden kann bevor Tags feuern. Empfehlung von Google fuer GCM v2.
gtag('consent', 'default', {
analytics_storage: 'denied',
ad_storage: 'denied',
ad_user_data: 'denied',
ad_personalization: 'denied',
functionality_storage: 'granted',
security_storage: 'granted',
wait_for_update: 500,
region: ['EEA', 'CH', 'GB'],
});
function updateGoogleConsentMode(consent) {
if (typeof gtag !== 'function') return;
@@ -364,10 +371,61 @@ function generateJS(config: CookieBannerConfig): string {
document.cookie = COOKIE_NAME + '=' + encodeURIComponent(JSON.stringify(consent)) +
';expires=' + date.toUTCString() +
';path=/;SameSite=Lax';
// Append to local history (Art. 7(3) DSGVO Best-Practice + Borlabs-Parity).
// Server-seitiges Logging laeuft separat via consent-service.
try {
const HKEY = COOKIE_NAME + '_history';
const hist = JSON.parse(localStorage.getItem(HKEY) || '[]');
hist.push({
ts: new Date().toISOString(),
choices: consent,
});
if (hist.length > 50) hist.splice(0, hist.length - 50);
localStorage.setItem(HKEY, JSON.stringify(hist));
} catch (e) { /* localStorage blocked */ }
window.dispatchEvent(new CustomEvent('cookieConsentUpdated', { detail: consent }));
updateGoogleConsentMode(consent);
}
// Borlabs-Parity: zeigt dem Nutzer alle seine bisherigen Einwilligungen.
// Aufruf via window.bpShowConsentHistory() oder Klick auf den Link im Banner-Footer.
window.bpShowConsentHistory = function () {
var existing = document.getElementById('bpConsentHistoryModal');
if (existing) { existing.remove(); return; }
var hist = [];
try { hist = JSON.parse(localStorage.getItem(COOKIE_NAME + '_history') || '[]'); } catch (e) {}
var rows = hist.length === 0
? '<p style="color:#94a3b8;font-style:italic">Noch keine Einwilligungen gespeichert.</p>'
: hist.slice().reverse().map(function (h) {
var d = new Date(h.ts);
var parts = Object.keys(h.choices).map(function (k) {
return '<span style="margin-right:8px;font-size:11px;color:' +
(h.choices[k] ? '#16a34a' : '#dc2626') + '">' +
(h.choices[k] ? '✓ ' : '✗ ') + k + '</span>';
}).join('');
return '<div style="border-bottom:1px solid #e5e7eb;padding:8px 0">' +
'<div style="font-size:12px;color:#64748b;margin-bottom:4px">' +
d.toLocaleString('de-DE') + '</div>' +
'<div>' + parts + '</div></div>';
}).join('');
var modal = document.createElement('div');
modal.id = 'bpConsentHistoryModal';
modal.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.5);' +
'z-index:999999;display:flex;align-items:center;justify-content:center;padding:20px';
modal.innerHTML = '<div style="background:white;border-radius:8px;max-width:500px;' +
'width:100%;max-height:80vh;overflow:auto;padding:20px;font-family:-apple-system,sans-serif">' +
'<div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:12px">' +
'<h3 style="margin:0;font-size:16px">Ihre Einwilligungs-Historie</h3>' +
'<button onclick="document.getElementById(\\'bpConsentHistoryModal\\').remove()" ' +
'style="background:none;border:none;font-size:24px;cursor:pointer;color:#94a3b8">×</button>' +
'</div>' +
'<p style="font-size:12px;color:#64748b;margin:0 0 12px">' +
'Lokal in Ihrem Browser gespeichert. Server-seitig laufen Audit-Logs gemaess Art. 7(1) DSGVO.</p>' +
rows + '</div>';
modal.addEventListener('click', function (e) { if (e.target === modal) modal.remove(); });
document.body.appendChild(modal);
};
function hasConsent(category) {
const consent = getConsent();
if (!consent) return REQUIRED_CATEGORIES.includes(category);