refactor(admin): split lib document generators and data catalogs into domain barrels

obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 00:07:03 +02:00
parent b00fe6cb73
commit 91063f09b8
65 changed files with 9514 additions and 9544 deletions
--- a/admin-compliance/lib/sdk/demo-data/demo-state.ts
+++ b/admin-compliance/lib/sdk/demo-data/demo-state.ts
@@ -0,0 +1,217 @@
+/**
+ * Demo State Generator
+ *
+ * Generates a complete demo SDKState object for seeding.
+ * Barrel-split from index.ts. Do NOT import directly; use index.ts.
+ */
+
+import { SDKState } from '../types'
+import { getDemoUseCases } from './use-cases'
+import { getDemoRisks } from './risks'
+import { getDemoControls } from './controls'
+import { getDemoDSFA } from './dsfa'
+import { getDemoTOMs } from './toms'
+import { getDemoProcessingActivities, getDemoRetentionPolicies } from './vvt'
+
+/**
+ * Generate a complete demo state object
+ * This is used as seed data for the API, not as runtime data
+ */
+export function generateDemoState(tenantId: string, userId: string): Partial<SDKState> {
+  const now = new Date()
+
+  return {
+    // Metadata
+    version: '1.0.0',
+    projectVersion: 1,
+    lastModified: now,
+
+    // Tenant & User
+    tenantId,
+    userId,
+    subscription: 'PROFESSIONAL',
+
+    // Customer Type
+    customerType: 'new',
+
+    // Company Profile (Demo: TechStart GmbH - SaaS-Startup aus Berlin)
+    companyProfile: {
+      companyName: 'TechStart GmbH',
+      legalForm: 'gmbh',
+      industry: ['Technologie / IT'],
+      industryOther: '',
+      foundedYear: 2022,
+      businessModel: 'B2B_B2C',
+      offerings: ['app_web', 'software_saas', 'services_consulting'],
+      companySize: 'small',
+      employeeCount: '10-49',
+      annualRevenue: '2-10 Mio',
+      headquartersCountry: 'DE',
+      headquartersCity: 'Berlin',
+      hasInternationalLocations: false,
+      internationalCountries: [],
+      targetMarkets: ['germany_only', 'dach'],
+      primaryJurisdiction: 'DE',
+      isDataController: true,
+      isDataProcessor: true,
+      dpoName: 'Max Mustermann',
+      dpoEmail: 'dsb@techstart.de',
+      legalContactName: null,
+      legalContactEmail: null,
+      isComplete: true,
+      completedAt: new Date('2026-01-14'),
+    },
+
+    // Progress - showing a realistic partially completed workflow
+    currentPhase: 2,
+    currentStep: 'tom',
+    completedSteps: [
+      'company-profile',
+      'use-case-assessment',
+      'screening',
+      'modules',
+      'requirements',
+      'controls',
+      'evidence',
+      'audit-checklist',
+      'risks',
+      'ai-act',
+      'obligations',
+      'dsfa',
+    ],
+    checkpoints: {
+      'CP-PROF': { checkpointId: 'CP-PROF', passed: true, validatedAt: new Date('2026-01-14'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-UC': { checkpointId: 'CP-UC', passed: true, validatedAt: new Date('2026-01-15'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-SCAN': { checkpointId: 'CP-SCAN', passed: true, validatedAt: new Date('2026-01-16'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-MOD': { checkpointId: 'CP-MOD', passed: true, validatedAt: new Date('2026-01-17'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-REQ': { checkpointId: 'CP-REQ', passed: true, validatedAt: new Date('2026-01-18'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-CTRL': { checkpointId: 'CP-CTRL', passed: true, validatedAt: new Date('2026-01-19'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-EVI': { checkpointId: 'CP-EVI', passed: true, validatedAt: new Date('2026-01-20'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-CHK': { checkpointId: 'CP-CHK', passed: true, validatedAt: new Date('2026-01-21'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-RISK': { checkpointId: 'CP-RISK', passed: true, validatedAt: new Date('2026-01-22'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-AI': { checkpointId: 'CP-AI', passed: true, validatedAt: new Date('2026-01-25'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-OBL': { checkpointId: 'CP-OBL', passed: true, validatedAt: new Date('2026-01-27'), validatedBy: 'demo-user', errors: [], warnings: [] },
+      'CP-DSFA': { checkpointId: 'CP-DSFA', passed: true, validatedAt: new Date('2026-01-30'), validatedBy: 'DSB', errors: [], warnings: [] },
+    },
+
+    // Phase 1 Data
+    useCases: getDemoUseCases(),
+    activeUseCase: 'demo-uc-1',
+    screening: {
+      id: 'demo-scan-1',
+      status: 'COMPLETED',
+      startedAt: new Date('2026-01-16T09:00:00'),
+      completedAt: new Date('2026-01-16T09:15:00'),
+      sbom: {
+        format: 'CycloneDX',
+        version: '1.4',
+        components: [
+          { name: 'tensorflow', version: '2.15.0', type: 'library', purl: 'pkg:pypi/tensorflow@2.15.0', licenses: ['Apache-2.0'], vulnerabilities: [] },
+          { name: 'scikit-learn', version: '1.4.0', type: 'library', purl: 'pkg:pypi/scikit-learn@1.4.0', licenses: ['BSD-3-Clause'], vulnerabilities: [] },
+          { name: 'pandas', version: '2.2.0', type: 'library', purl: 'pkg:pypi/pandas@2.2.0', licenses: ['BSD-3-Clause'], vulnerabilities: [] },
+        ],
+        dependencies: [],
+        generatedAt: new Date('2026-01-16T09:10:00'),
+      },
+      securityScan: {
+        totalIssues: 3,
+        critical: 0,
+        high: 1,
+        medium: 1,
+        low: 1,
+        issues: [
+          {
+            id: 'sec-issue-1', severity: 'HIGH', title: 'Outdated cryptography library',
+            description: 'The cryptography library version 41.0.0 has known vulnerabilities',
+            cve: 'CVE-2024-1234', cvss: 7.5, affectedComponent: 'cryptography',
+            remediation: 'Upgrade to cryptography >= 42.0.0', status: 'RESOLVED',
+          },
+          {
+            id: 'sec-issue-2', severity: 'MEDIUM', title: 'Insecure default configuration',
+            description: 'Debug mode enabled in production configuration',
+            cve: null, cvss: 5.3, affectedComponent: 'app-config',
+            remediation: 'Set DEBUG=false in production', status: 'RESOLVED',
+          },
+          {
+            id: 'sec-issue-3', severity: 'LOW', title: 'Missing security headers',
+            description: 'X-Content-Type-Options header not set',
+            cve: null, cvss: 3.1, affectedComponent: 'web-server',
+            remediation: 'Add security headers middleware', status: 'RESOLVED',
+          },
+        ],
+      },
+      error: null,
+    },
+    modules: [
+      { id: 'demo-mod-1', name: 'Kundendaten-Modul', description: 'Verarbeitung von Kundendaten für Marketing und Analyse', regulations: ['DSGVO', 'TTDSG'], criticality: 'HIGH', processesPersonalData: true, hasAIComponents: true },
+      { id: 'demo-mod-2', name: 'HR-Modul', description: 'Bewerbermanagement und Personalverwaltung', regulations: ['DSGVO', 'AGG', 'AI Act'], criticality: 'HIGH', processesPersonalData: true, hasAIComponents: true },
+      { id: 'demo-mod-3', name: 'Support-Modul', description: 'Kundenservice und Chatbot-System', regulations: ['DSGVO', 'AI Act'], criticality: 'MEDIUM', processesPersonalData: true, hasAIComponents: true },
+    ],
+    requirements: [
+      { id: 'demo-req-1', regulation: 'DSGVO', article: 'Art. 5', title: 'Grundsätze der Verarbeitung', description: 'Einhaltung der Grundsätze für die Verarbeitung personenbezogener Daten', criticality: 'CRITICAL', applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'], status: 'IMPLEMENTED', controls: ['demo-ctrl-1', 'demo-ctrl-2', 'demo-ctrl-9'] },
+      { id: 'demo-req-2', regulation: 'DSGVO', article: 'Art. 32', title: 'Sicherheit der Verarbeitung', description: 'Geeignete technische und organisatorische Maßnahmen', criticality: 'CRITICAL', applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'], status: 'IMPLEMENTED', controls: ['demo-ctrl-1', 'demo-ctrl-3', 'demo-ctrl-4'] },
+      { id: 'demo-req-3', regulation: 'DSGVO', article: 'Art. 25', title: 'Datenschutz durch Technikgestaltung', description: 'Privacy by Design und Privacy by Default', criticality: 'HIGH', applicableModules: ['demo-mod-1', 'demo-mod-2'], status: 'IMPLEMENTED', controls: ['demo-ctrl-9', 'demo-ctrl-10'] },
+      { id: 'demo-req-4', regulation: 'AI Act', article: 'Art. 13', title: 'Transparenz', description: 'Transparenzanforderungen für KI-Systeme', criticality: 'HIGH', applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'], status: 'IMPLEMENTED', controls: ['demo-ctrl-7', 'demo-ctrl-8'] },
+      { id: 'demo-req-5', regulation: 'AI Act', article: 'Art. 9', title: 'Risikomanagement', description: 'Risikomanagementsystem für Hochrisiko-KI', criticality: 'HIGH', applicableModules: ['demo-mod-2'], status: 'IMPLEMENTED', controls: ['demo-ctrl-5', 'demo-ctrl-6', 'demo-ctrl-11', 'demo-ctrl-12'] },
+    ],
+    controls: getDemoControls(),
+    evidence: [
+      { id: 'demo-evi-1', controlId: 'demo-ctrl-1', type: 'SCREENSHOT', name: 'MFA-Konfiguration Azure AD', description: 'Screenshot der MFA-Einstellungen im Azure AD Admin Portal', fileUrl: null, validFrom: new Date('2026-01-01'), validUntil: new Date('2027-01-01'), uploadedBy: 'IT-Security', uploadedAt: new Date('2026-01-10') },
+      { id: 'demo-evi-2', controlId: 'demo-ctrl-2', type: 'DOCUMENT', name: 'Berechtigungskonzept v2.1', description: 'Dokumentiertes Berechtigungskonzept mit Rollenmatrix', fileUrl: null, validFrom: new Date('2026-01-01'), validUntil: null, uploadedBy: 'IT-Security', uploadedAt: new Date('2026-01-05') },
+      { id: 'demo-evi-5', controlId: 'demo-ctrl-5', type: 'AUDIT_REPORT', name: 'Bias-Audit Q1/2026', description: 'Externer Audit-Bericht zur Fairness des KI-Modells', fileUrl: null, validFrom: new Date('2026-01-15'), validUntil: new Date('2026-04-15'), uploadedBy: 'Data Science Lead', uploadedAt: new Date('2026-01-20') },
+    ],
+    checklist: [
+      { id: 'demo-chk-1', requirementId: 'demo-req-1', title: 'Rechtmäßigkeit der Verarbeitung geprüft', description: 'Dokumentierte Prüfung der Rechtsgrundlagen', status: 'PASSED', notes: 'Geprüft durch DSB', verifiedBy: 'DSB', verifiedAt: new Date('2026-01-20') },
+      { id: 'demo-chk-2', requirementId: 'demo-req-2', title: 'TOMs dokumentiert und umgesetzt', description: 'Technische und organisatorische Maßnahmen', status: 'PASSED', notes: 'Alle TOMs implementiert', verifiedBy: 'CISO', verifiedAt: new Date('2026-01-21') },
+    ],
+    risks: getDemoRisks(),
+
+    // Phase 2 Data
+    aiActClassification: {
+      riskCategory: 'HIGH',
+      systemType: 'Beschäftigungsbezogenes KI-System (Art. 6 Abs. 2 AI Act)',
+      obligations: [
+        { id: 'demo-ai-obl-1', article: 'Art. 9', title: 'Risikomanagementsystem', description: 'Einrichtung eines KI-Risikomanagementsystems', deadline: new Date('2026-08-01'), status: 'IN_PROGRESS' },
+        { id: 'demo-ai-obl-2', article: 'Art. 10', title: 'Daten-Governance', description: 'Anforderungen an Trainingsdaten', deadline: new Date('2026-08-01'), status: 'COMPLETED' },
+        { id: 'demo-ai-obl-3', article: 'Art. 13', title: 'Transparenz', description: 'Dokumentation für Nutzer', deadline: new Date('2026-08-01'), status: 'COMPLETED' },
+      ],
+      assessmentDate: new Date('2026-01-25'),
+      assessedBy: 'Compliance Team',
+      justification: 'Das System fällt unter Art. 6 Abs. 2 lit. a AI Act (Einstellung und Auswahl von Personen).',
+    },
+    obligations: [
+      { id: 'demo-obl-1', regulation: 'DSGVO', article: 'Art. 30', title: 'Verarbeitungsverzeichnis', description: 'Führung eines Verzeichnisses der Verarbeitungstätigkeiten', deadline: null, penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes', status: 'COMPLETED', responsible: 'DSB' },
+      { id: 'demo-obl-2', regulation: 'DSGVO', article: 'Art. 35', title: 'Datenschutz-Folgenabschätzung', description: 'Durchführung einer DSFA für Hochrisiko-Verarbeitungen', deadline: null, penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes', status: 'COMPLETED', responsible: 'DSB' },
+      { id: 'demo-obl-3', regulation: 'AI Act', article: 'Art. 49', title: 'CE-Kennzeichnung', description: 'CE-Kennzeichnung für Hochrisiko-KI-Systeme', deadline: new Date('2026-08-01'), penalty: 'Bis zu 35 Mio. EUR oder 7% des Jahresumsatzes', status: 'PENDING', responsible: 'Compliance' },
+    ],
+    dsfa: getDemoDSFA(),
+    toms: getDemoTOMs(),
+    retentionPolicies: getDemoRetentionPolicies(),
+    vvt: getDemoProcessingActivities(),
+
+    // Documents, Cookie Banner, etc. - partially filled
+    documents: [],
+    cookieBanner: null,
+    consents: [],
+    dsrConfig: null,
+    escalationWorkflows: [],
+
+    // Security
+    sbom: null,
+    securityIssues: [],
+    securityBacklog: [],
+
+    // UI State
+    commandBarHistory: [],
+    recentSearches: ['DSGVO Art. 5', 'Bias-Monitoring', 'TOM Verschlüsselung'],
+    preferences: {
+      language: 'de',
+      theme: 'light',
+      compactMode: false,
+      showHints: true,
+      autoSave: true,
+      autoValidate: true,
+      allowParallelWork: true,
+    },
+  }
+}