feat(compliance-check): exec-summary + voll-audit + TDM-respect + cookie-KB-extended + saving-scan-funnel

P1 — Exec-Summary oben im Email-Report (4 KPIs + 2 CTAs, dunkler Gradient)
P3 — no_direct_sales-Flag fuer OEM-Konfigurator-Sites; AGB/Widerruf/AGB als
     "NICHT ANWENDBAR" (grau) statt "NICHT GEFUNDEN" (rot)
P5 — Voll-Audit Unification: alle Findings (MC + Pflichtangaben + Vendor +
     Redundanz) in /data/compliance_audits.db.unified_findings; neuer
     /api/compliance/agent/findings/<id> Endpoint + FindingsTab im Audit-UI
     mit Filter + CSV-Export
P7 — Crawl-Hardening: TDM-Reservation-Check (robots.txt / ai.txt / Header /
     Meta) vor jedem Run mit 24h-Cache; HeadlessChrome-UA (Firma noch nicht
     gegruendet — Switch via BREAKPILOT_BRANDED_UA env); per-Domain
     Rate-Limit 1 req/s + max 2 concurrent
P2 — Cookie-Knowledge-DB additiv erweitert (35 -> 74 Cookies): Adobe, Meta,
     Microsoft, LinkedIn, TikTok, HubSpot, Marketo, Salesforce, Hotjar,
     FullStory, Mouseflow, Intercom, Drift, Zendesk, Cloudflare, Stripe,
     OneTrust/Cookiebot/Usercentrics, Matomo, Pinterest, Snapchat, X/Twitter,
     YouTube, Vimeo, Klaviyo, Mailchimp, Mixpanel, Segment, Amplitude,
     Optimizely, Datadog; Wire-in in cookie_function_classifier liefert
     compliance_risk-Label (kritisch/hoch/mittel/gering) pro Vendor
A  — k-Anonymitaets-Helper (benchmark_k_anonymity) fuer P6-Vorbereitung
B  — Cross-Tenant-Domain-Assertion im /findings-Endpoint (expected_domain
     Query-Param -> 403 bei Mismatch)
C  — Saving-Scan-Funnel: /api/compliance/agent/saving-scan/start mit
     Validierung + 24h-Rate-Limit pro Domain + Lead-Persistenz in
     saving_scan_leads + Auto-Discovery via _run_compliance_check; 6 Tests
D  — Risk-Badge im Email-Vendor-Row

Rechtliche Leitplanken (Memory feedback_oem_data_legal.md): nur eigene
Knapp-Bewertungen + Source-Pointer, keine 1:1-Kopien fremder CMP-Texte.
TDM-Opt-Out-Respect nach § 44b UrhG. KEINE Schema-Aenderungen — alles in
Sidecar-SQLite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/api/agent_compliance_check_routes.py

@@ -166,6 +166,33 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
         except Exception:
             pass
 
+        # P7: TDM-Reservation-Check der Base-Domain (§ 44b UrhG).
+        # Bei reserved/denied: Run sofort beenden, kein Crawl.
+        try:
+            from compliance.services.tdm_reservation_check import (
+                check_tdm_reservation, is_crawl_allowed,
+            )
+            first_url = next(
+                (d.url for d in req.documents if d.url), "",
+            )
+            if first_url:
+                tdm = await check_tdm_reservation(first_url)
+                _compliance_check_jobs[check_id]["tdm"] = tdm
+                if not is_crawl_allowed(tdm):
+                    _compliance_check_jobs[check_id]["status"] = "skipped_tdm"
+                    _compliance_check_jobs[check_id]["error"] = (
+                        f"TDM-Vorbehalt fuer {tdm.get('domain')} erkannt "
+                        f"(status={tdm.get('status')}) — Crawl nach § 44b "
+                        f"UrhG nicht zulaessig. Signals: "
+                        f"{[s.get('src') for s in tdm.get('signals', [])]}"
+                    )
+                    _compliance_check_jobs[check_id]["progress_pct"] = 100
+                    logger.info("TDM-skip check_id=%s domain=%s status=%s",
+                                check_id, tdm.get("domain"), tdm.get("status"))
+                    return
+        except Exception as e:
+            logger.warning("TDM-check failed (proceeding): %s", e)
+
         # Step 1: Resolve texts (fetch from URL if needed) — 0-30%
         _update(check_id, "Texte werden geladen...", 1)
         doc_texts: dict[str, str] = {}
@@ -526,15 +553,37 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
         report_html = build_html_report(results, None, doc_texts)
         profile_html = _build_profile_html(profile)
 
-        # O4: Vendor-Redundanz / EU-Alternativen + Cost-Savings-Block —
-        # zwischen VVT und Doc-Report einsortiert, damit Geschaeftsfuehrung
-        # die Einsparung sieht bevor sie in die Detail-Pruefung geht.
+        # O4: Vendor-Redundanz / EU-Alternativen + Cost-Savings-Block
         from .agent_doc_check_redundancy import build_redundancy_html
         redundancy_html = build_redundancy_html(redundancy_report)
 
+        # P1: Executive-Summary GANZ oben — CFO/GF sieht 4 KPIs + 2 CTAs.
+        from .agent_doc_check_exec_summary import build_exec_summary_html
+        # Site-Name fuer Header bestimmen (gleiche Logik wie Email-Subject)
+        url_company_for_exec = _company_name_from_url(doc_entries)
+        domain_for_exec = _extract_domain(doc_entries)
+        site_name_for_exec = url_company_for_exec or domain_for_exec or ""
+        exec_summary_html = build_exec_summary_html(
+            scorecard=scorecard,
+            previous_scorecard=prev_scorecard,
+            cmp_vendors=cmp_vendors,
+            redundancy_report=redundancy_report,
+            site_name=site_name_for_exec,
+        )
+
+        # Reihenfolge — Sales-optimiert:
+        #   1) Exec-Summary (KPIs + Saving + CTAs)
+        #   2) summary_html (Konkrete Aufgaben fuer die Geschaeftsfuehrung)
+        #   3) scanned_urls (Quellen-Transparenz)
+        #   4) profile_html (Erkanntes Geschaeftsmodell)
+        #   5) scorecard_html (MC-Scorecard)
+        #   6) redundancy_html (Optimierungspotenzial — direkt nach Compliance-Score)
+        #   7) providers_html + vvt_html (Vendor-Liste)
+        #   8) report_html (Doc-Pruefung Details)
         full_html = (
-            summary_html + scanned_html + profile_html + scorecard_html
-            + providers_html + vvt_html + redundancy_html + report_html
+            exec_summary_html + summary_html + scanned_html + profile_html
+            + scorecard_html + redundancy_html
+            + providers_html + vvt_html + report_html
         )
 
         # Step 6: Send email — derive site name primarily from entered URL.
@@ -619,6 +668,21 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
                 vendors=cmp_vendors,
                 profile=extracted_profile,
             )
+            # Unified findings (P5): bundle MC + Pflichtangaben + Vendor +
+            # Redundanz in one searchable table behind /agent/findings/<id>.
+            try:
+                from compliance.services.unified_findings_collector import collect
+                from compliance.services.unified_findings_store import record_findings
+                unified = collect(
+                    check_id=check_id,
+                    results=results,
+                    cmp_vendors=cmp_vendors,
+                    redundancy_report=redundancy_report,
+                    doc_texts=doc_texts,
+                )
+                record_findings(check_id, unified)
+            except Exception as e:
+                logger.warning("Unified findings collect failed: %s", e)
         except Exception as e:
             logger.warning("Audit persistence skipped: %s", e)
 
@@ -696,11 +760,19 @@ async def _fetch_text(url: str, doc_type: str = "") -> tuple[str, list[dict]]:
     except Exception as e:
         logger.warning("Consent-tester fetch failed for %s: %s", url, e)
 
-    # 2. Fallback: direct HTTP fetch (works for SSR pages like BMW)
+    # 2. Fallback: direct HTTP fetch (works for SSR pages like BMW).
+    # P7: kenntlicher UA + per-Domain Rate-Limit.
     try:
         import re as _re
-        async with httpx.AsyncClient(timeout=30.0, follow_redirects=True) as client:
-            resp = await client.get(url)
+        from compliance.services.compliance_user_agent import (
+            default_request_headers, DomainRateLimiter,
+        )
+        async with httpx.AsyncClient(
+            timeout=30.0, follow_redirects=True,
+            headers=default_request_headers(),
+        ) as client:
+            async with DomainRateLimiter(url):
+                resp = await client.get(url)
             if resp.status_code == 200 and "text/html" in resp.headers.get("content-type", ""):
                 html = resp.text
                 # Strip HTML tags, decode entities
@@ -1135,8 +1207,25 @@ def _company_name_from_url(doc_entries: list[dict]) -> str | None:
 
 
 def _get_skip_types(profile) -> dict[str, str]:
-    """Doc_types to skip entirely. Currently empty — we check everything
-    and flag irrelevant items as INFO instead of skipping."""
+    """Doc_types to skip entirely with a per-type reason message.
+
+    Heute primaer fuer OEM-Konfigurator-Pattern (BMW/Audi/Mercedes):
+    wenn die Site kein Direkt-Vertrieb macht, sind AGB/Widerruf/
+    Nutzungsbedingungen nicht Pflicht auf der Website — sie werden
+    beim Vertragshaendler ausgehaendigt.
+    """
+    if getattr(profile, "no_direct_sales", False):
+        msg = (
+            "Nicht anwendbar — die Webseite schliesst keinen Direkt-"
+            "Kaufvertrag (OEM-Konfigurator-Pattern, Vertrag laeuft "
+            "ueber Vertragshaendler). AGB/Widerruf werden beim "
+            "Haendler ausgehaendigt."
+        )
+        return {
+            "agb": msg,
+            "widerruf": msg,
+            "nutzungsbedingungen": msg,
+        }
     return {}