feat(banner): P19 + P20 — Per-Category-Click-Test + Frontend-Drilldown

P19 (consent-tester):
- dp-cookieconsent (TYPO3, Safetykon-Pattern) als CMP-Profil hinzu —
  Selektoren #dp--cookie-statistics/marketing + a.cc-allow Save-Button
- Neues Signal provider_details_visible: nach Kategorie-Toggle prueft
  Playwright ob im Banner sichtbare Provider-/Cookie-Detail-Elemente
  erscheinen. Bei dp-cookieconsent (Banner ohne Listing) immer False
  -> HIGH-Violation "Kategorie zeigt keine Provider-/Cookie-Details —
  Nutzer kann nicht informiert einwilligen (Art. 7 Abs. 1 DSGVO)"
- main.py serialisiert provider_details_visible + cookies_set pro Kategorie

P20 (Frontend-Drilldown):
- Backend: check_payloads-Tabelle um Spalte 'banner' (JSON) — voller
  banner_result persistiert (vorher nur in-memory). ALTER TABLE
  Migration idempotent.
- Neuer Endpoint GET /api/compliance/agent/banner/<check_id> — liefert
  Quality-Score, Phases, Category-Tests, Banner-Checks, alle 46
  structured_checks.
- Frontend: BannerTab im /sdk/agent/audit/<id> mit Quality-Cards,
  3-Phasen-Cookie-Tabelle, Per-Category-Listing (mit P19-Signal
  rot/gruen), Banner-Verstoesse + Rechtsgrundlagen, 46-Check-Drilldown
  filterbar nach Severity.
- Tab-Switcher in page.tsx um "Cookie-Banner-Analyse" erweitert.
- Bonus: 2 alte route.ts auf Next.js 15 Promise-params umgestellt
  (Build-Fix).

Plus: Critical-Findings-Block nutzt provider_details_visible als
primaeres Signal statt nur tracking_services-Anzahl.

Smoke-Test Safetykon: 4 Critical Findings im Mail, banner-Endpoint
liefert 46 checks + 3 phases + 2 categories mit provider_details_visible=False.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/api/agent_compliance_check_routes.py

@@ -841,6 +841,7 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
                 check_id=check_id,
                 vendors=cmp_vendors,
                 profile=extracted_profile,
+                banner=banner_result,
             )
             # Unified findings (P5): bundle MC + Pflichtangaben + Vendor +
             # Redundanz in one searchable table behind /agent/findings/<id>.

backend-compliance/compliance/api/agent_doc_check_banner.py

@@ -158,13 +158,18 @@ def build_banner_deep_html(banner_result: dict | None) -> str:
             for c in non_essential:
                 n = len(c.get("tracking_services") or [])
                 label = c.get("category_label") or c.get("category", "?")
-                if n == 0:
-                    color = "#dc2626"
-                    hint = ("Keine Anbieter sichtbar — Nutzer kann nicht "
-                            "informiert einwilligen (Art. 7 DSGVO)")
+                pdv = c.get("provider_details_visible")
+                # P19: echtes Signal aus Click-Through-Test
+                if pdv is False:
+                    color, hint = "#dc2626", ("Banner zeigt KEINE Provider-"
+                                              "Details — keine informierte Einwilligung")
+                elif pdv is True:
+                    color, hint = "#16a34a", ""
+                elif n == 0:
+                    color, hint = "#d97706", ("Keine Anbieter erkannt (vermutlich "
+                                               "kein Provider-Listing im Banner)")
                 else:
-                    color = "#16a34a"
-                    hint = ""
+                    color, hint = "#16a34a", ""
                 parts.append(
                     f'<tr style="border-top:1px solid #e2e8f0">'
                     f'<td style="padding:5px 8px">{label}</td>'

backend-compliance/compliance/api/agent_doc_check_critical.py

@@ -49,23 +49,32 @@ def _detect_critical_issues(
                             else _BUSSGELD_REFS.get("dark_pattern_reject"),
             })
 
-    # 2) Category-Tests: leere Vendor-Liste pro Kategorie (Safetykon-Pattern)
+    # 2) Category-Tests: Banner zeigt keine Provider-Details pro Kategorie.
+    # Bevorzugt das echte Signal aus dem Click-Through-Test (P19):
+    # provider_details_visible. Fallback: leere tracking_services.
     cat_tests = br.get("category_tests") or []
-    empty_cats = [c for c in cat_tests
-                  if not c.get("tracking_services")
-                  and c.get("category") != "necessary"]
-    if empty_cats and len(cat_tests) >= 2:
+    cats_without_details = [
+        c for c in cat_tests
+        if c.get("category") != "necessary"
+        and (c.get("provider_details_visible") is False
+             or (c.get("provider_details_visible") is None
+                 and not c.get("tracking_services")))
+    ]
+    if cats_without_details and len(cat_tests) >= 2:
         cats = ", ".join(c.get("category_label", c.get("category", "?"))
-                         for c in empty_cats)
+                         for c in cats_without_details)
         issues.append({
             "key": "no_provider_per_category",
-            "title": f"Cookie-Banner Kategorien ({cats}) ohne Provider-Listing",
+            "title": f"Cookie-Banner: Kategorien ({cats}) zeigen keine "
+                     f"Provider-/Cookie-Details",
             "severity": "HIGH",
             "action": ("Pro Banner-Kategorie eine Liste der eingebundenen "
                        "Anbieter + Cookie-Details (Name, Zweck, Speicherdauer, "
-                       "Drittlandtransfer) ergaenzen. Sonst ist die "
-                       "Einwilligung nicht 'informiert' nach Art. 7 DSGVO."),
-            "source": "Art. 7 DSGVO, EDPB Guidelines 2/2023, DSK 2024",
+                       "Drittlandtransfer) sichtbar machen — am besten als "
+                       "ausklappbares Detail-Panel. Sonst ist die "
+                       "Einwilligung nicht 'informiert' nach Art. 7 DSGVO "
+                       "und gilt als unwirksam."),
+            "source": "Art. 7 Abs. 1 DSGVO, EDPB Guidelines 2/2023, DSK 2024",
             "bussgeld": _BUSSGELD_REFS["no_provider_per_category"],
         })
 

backend-compliance/compliance/api/agent_findings_routes.py

@@ -24,7 +24,7 @@ from compliance.services.unified_findings_store import (
     findings_summary,
     list_findings,
 )
-from compliance.services.compliance_audit_log import get_check_run
+from compliance.services.compliance_audit_log import get_check_run, get_check_payload
 
 logger = logging.getLogger(__name__)
 
@@ -102,3 +102,18 @@ def get_findings(
             "count": 0,
             "findings": [],
         }
+
+
+@router.get("/banner/{check_id}")
+def get_banner_payload(check_id: str) -> dict:
+    """P20: full banner_result (phases, structured_checks, category_tests,
+    banner_checks.violations) fuer das Voll-Audit-Frontend.
+    """
+    try:
+        payload = get_check_payload(check_id) or {}
+        banner = payload.get("banner") or {}
+        return {"found": bool(banner), "check_id": check_id, "banner": banner}
+    except Exception as e:
+        logger.exception("get_banner_payload failed for %s", check_id)
+        return {"found": False, "check_id": check_id,
+                "error": str(e)[:200], "banner": {}}

backend-compliance/compliance/services/compliance_audit_log.py

@@ -66,27 +66,35 @@ def _ensure_db() -> None:
             CREATE TABLE IF NOT EXISTS check_payloads (
                 check_id   TEXT PRIMARY KEY,
                 vendors    TEXT,    -- JSON list[dict]
-                profile    TEXT     -- JSON dict
+                profile    TEXT,    -- JSON dict
+                banner     TEXT     -- P20: JSON dict — full banner_result
             );
         """)
+        # P20 migration: spalte 'banner' nachtraeglich anlegen wenn alt
+        try:
+            conn.execute("ALTER TABLE check_payloads ADD COLUMN banner TEXT")
+        except sqlite3.OperationalError:
+            pass
 
 
 def record_check_payload(
     check_id: str,
     vendors: list[dict] | None,
     profile: dict | None,
+    banner: dict | None = None,
 ) -> None:
-    """Persist cmp_vendors + extracted_profile for later migration use."""
+    """Persist cmp_vendors + extracted_profile + banner_result (P20)."""
     try:
         _ensure_db()
         with sqlite3.connect(DB_PATH) as conn:
             conn.execute(
                 "INSERT OR REPLACE INTO check_payloads "
-                "(check_id, vendors, profile) VALUES (?, ?, ?)",
+                "(check_id, vendors, profile, banner) VALUES (?, ?, ?, ?)",
                 (
                     check_id,
                     json.dumps(vendors or [], ensure_ascii=False),
                     json.dumps(profile or {}, ensure_ascii=False),
+                    json.dumps(banner or {}, ensure_ascii=False) if banner else None,
                 ),
             )
             conn.commit()
@@ -95,13 +103,13 @@ def record_check_payload(
 
 
 def get_check_payload(check_id: str) -> dict | None:
-    """Load cmp_vendors + extracted_profile for a previous check."""
+    """Load cmp_vendors + extracted_profile + banner_result for a previous check."""
     try:
         _ensure_db()
         with sqlite3.connect(DB_PATH) as conn:
             conn.row_factory = sqlite3.Row
             row = conn.execute(
-                "SELECT vendors, profile FROM check_payloads WHERE check_id=?",
+                "SELECT vendors, profile, banner FROM check_payloads WHERE check_id=?",
                 (check_id,),
             ).fetchone()
             if not row:
@@ -109,6 +117,7 @@ def get_check_payload(check_id: str) -> dict | None:
             return {
                 "vendors": json.loads(row["vendors"] or "[]"),
                 "profile": json.loads(row["profile"] or "{}"),
+                "banner": json.loads(row["banner"]) if row["banner"] else None,
             }
     except Exception as e:
         logger.warning("get_check_payload failed: %s", e)