refactor(admin): split lib document generators and data catalogs into domain barrels

obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 00:07:03 +02:00
parent b00fe6cb73
commit 91063f09b8
65 changed files with 9514 additions and 9544 deletions
--- a/admin-compliance/lib/sdk/demo-data/index.ts
+++ b/admin-compliance/lib/sdk/demo-data/index.ts
@@ -7,6 +7,8 @@
 *
 * The seedDemoData() function writes data through the API,
 * and the data is then loaded from the database like any other data.
+ *
+ * generateDemoState lives in ./demo-state.ts (barrel split).
 */

 import { SDKState } from '../types'
@@ -39,420 +41,9 @@ export {
  DEMO_RETENTION_POLICIES,
 }

-/**
- * Generate a complete demo state object
- * This is used as seed data for the API, not as runtime data
- */
-export function generateDemoState(tenantId: string, userId: string): Partial<SDKState> {
-  const now = new Date()
-
-  return {
-    // Metadata
-    version: '1.0.0',
-    projectVersion: 1,
-    lastModified: now,
-
-    // Tenant & User
-    tenantId,
-    userId,
-    subscription: 'PROFESSIONAL',
-
-    // Customer Type
-    customerType: 'new',
-
-    // Company Profile (Demo: TechStart GmbH - SaaS-Startup aus Berlin)
-    companyProfile: {
-      companyName: 'TechStart GmbH',
-      legalForm: 'gmbh',
-      industry: ['Technologie / IT'],
-      industryOther: '',
-      foundedYear: 2022,
-      businessModel: 'B2B_B2C',
-      offerings: ['app_web', 'software_saas', 'services_consulting'],
-      companySize: 'small',
-      employeeCount: '10-49',
-      annualRevenue: '2-10 Mio',
-      headquartersCountry: 'DE',
-      headquartersCity: 'Berlin',
-      hasInternationalLocations: false,
-      internationalCountries: [],
-      targetMarkets: ['germany_only', 'dach'],
-      primaryJurisdiction: 'DE',
-      isDataController: true,
-      isDataProcessor: true,
-      dpoName: 'Max Mustermann',
-      dpoEmail: 'dsb@techstart.de',
-      legalContactName: null,
-      legalContactEmail: null,
-      isComplete: true,
-      completedAt: new Date('2026-01-14'),
-    },
-
-    // Progress - showing a realistic partially completed workflow
-    currentPhase: 2,
-    currentStep: 'tom',
-    completedSteps: [
-      'company-profile',
-      'use-case-assessment',
-      'screening',
-      'modules',
-      'requirements',
-      'controls',
-      'evidence',
-      'audit-checklist',
-      'risks',
-      'ai-act',
-      'obligations',
-      'dsfa',
-    ],
-    checkpoints: {
-      'CP-PROF': { checkpointId: 'CP-PROF', passed: true, validatedAt: new Date('2026-01-14'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-UC': { checkpointId: 'CP-UC', passed: true, validatedAt: new Date('2026-01-15'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-SCAN': { checkpointId: 'CP-SCAN', passed: true, validatedAt: new Date('2026-01-16'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-MOD': { checkpointId: 'CP-MOD', passed: true, validatedAt: new Date('2026-01-17'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-REQ': { checkpointId: 'CP-REQ', passed: true, validatedAt: new Date('2026-01-18'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-CTRL': { checkpointId: 'CP-CTRL', passed: true, validatedAt: new Date('2026-01-19'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-EVI': { checkpointId: 'CP-EVI', passed: true, validatedAt: new Date('2026-01-20'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-CHK': { checkpointId: 'CP-CHK', passed: true, validatedAt: new Date('2026-01-21'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-RISK': { checkpointId: 'CP-RISK', passed: true, validatedAt: new Date('2026-01-22'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-AI': { checkpointId: 'CP-AI', passed: true, validatedAt: new Date('2026-01-25'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-OBL': { checkpointId: 'CP-OBL', passed: true, validatedAt: new Date('2026-01-27'), validatedBy: 'demo-user', errors: [], warnings: [] },
-      'CP-DSFA': { checkpointId: 'CP-DSFA', passed: true, validatedAt: new Date('2026-01-30'), validatedBy: 'DSB', errors: [], warnings: [] },
-    },
-
-    // Phase 1 Data
-    useCases: getDemoUseCases(),
-    activeUseCase: 'demo-uc-1',
-    screening: {
-      id: 'demo-scan-1',
-      status: 'COMPLETED',
-      startedAt: new Date('2026-01-16T09:00:00'),
-      completedAt: new Date('2026-01-16T09:15:00'),
-      sbom: {
-        format: 'CycloneDX',
-        version: '1.4',
-        components: [
-          {
-            name: 'tensorflow',
-            version: '2.15.0',
-            type: 'library',
-            purl: 'pkg:pypi/tensorflow@2.15.0',
-            licenses: ['Apache-2.0'],
-            vulnerabilities: [],
-          },
-          {
-            name: 'scikit-learn',
-            version: '1.4.0',
-            type: 'library',
-            purl: 'pkg:pypi/scikit-learn@1.4.0',
-            licenses: ['BSD-3-Clause'],
-            vulnerabilities: [],
-          },
-          {
-            name: 'pandas',
-            version: '2.2.0',
-            type: 'library',
-            purl: 'pkg:pypi/pandas@2.2.0',
-            licenses: ['BSD-3-Clause'],
-            vulnerabilities: [],
-          },
-        ],
-        dependencies: [],
-        generatedAt: new Date('2026-01-16T09:10:00'),
-      },
-      securityScan: {
-        totalIssues: 3,
-        critical: 0,
-        high: 1,
-        medium: 1,
-        low: 1,
-        issues: [
-          {
-            id: 'sec-issue-1',
-            severity: 'HIGH',
-            title: 'Outdated cryptography library',
-            description: 'The cryptography library version 41.0.0 has known vulnerabilities',
-            cve: 'CVE-2024-1234',
-            cvss: 7.5,
-            affectedComponent: 'cryptography',
-            remediation: 'Upgrade to cryptography >= 42.0.0',
-            status: 'RESOLVED',
-          },
-          {
-            id: 'sec-issue-2',
-            severity: 'MEDIUM',
-            title: 'Insecure default configuration',
-            description: 'Debug mode enabled in production configuration',
-            cve: null,
-            cvss: 5.3,
-            affectedComponent: 'app-config',
-            remediation: 'Set DEBUG=false in production',
-            status: 'RESOLVED',
-          },
-          {
-            id: 'sec-issue-3',
-            severity: 'LOW',
-            title: 'Missing security headers',
-            description: 'X-Content-Type-Options header not set',
-            cve: null,
-            cvss: 3.1,
-            affectedComponent: 'web-server',
-            remediation: 'Add security headers middleware',
-            status: 'RESOLVED',
-          },
-        ],
-      },
-      error: null,
-    },
-    modules: [
-      {
-        id: 'demo-mod-1',
-        name: 'Kundendaten-Modul',
-        description: 'Verarbeitung von Kundendaten für Marketing und Analyse',
-        regulations: ['DSGVO', 'TTDSG'],
-        criticality: 'HIGH',
-        processesPersonalData: true,
-        hasAIComponents: true,
-      },
-      {
-        id: 'demo-mod-2',
-        name: 'HR-Modul',
-        description: 'Bewerbermanagement und Personalverwaltung',
-        regulations: ['DSGVO', 'AGG', 'AI Act'],
-        criticality: 'HIGH',
-        processesPersonalData: true,
-        hasAIComponents: true,
-      },
-      {
-        id: 'demo-mod-3',
-        name: 'Support-Modul',
-        description: 'Kundenservice und Chatbot-System',
-        regulations: ['DSGVO', 'AI Act'],
-        criticality: 'MEDIUM',
-        processesPersonalData: true,
-        hasAIComponents: true,
-      },
-    ],
-    requirements: [
-      {
-        id: 'demo-req-1',
-        regulation: 'DSGVO',
-        article: 'Art. 5',
-        title: 'Grundsätze der Verarbeitung',
-        description: 'Einhaltung der Grundsätze für die Verarbeitung personenbezogener Daten',
-        criticality: 'CRITICAL',
-        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
-        status: 'IMPLEMENTED',
-        controls: ['demo-ctrl-1', 'demo-ctrl-2', 'demo-ctrl-9'],
-      },
-      {
-        id: 'demo-req-2',
-        regulation: 'DSGVO',
-        article: 'Art. 32',
-        title: 'Sicherheit der Verarbeitung',
-        description: 'Geeignete technische und organisatorische Maßnahmen',
-        criticality: 'CRITICAL',
-        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
-        status: 'IMPLEMENTED',
-        controls: ['demo-ctrl-1', 'demo-ctrl-3', 'demo-ctrl-4'],
-      },
-      {
-        id: 'demo-req-3',
-        regulation: 'DSGVO',
-        article: 'Art. 25',
-        title: 'Datenschutz durch Technikgestaltung',
-        description: 'Privacy by Design und Privacy by Default',
-        criticality: 'HIGH',
-        applicableModules: ['demo-mod-1', 'demo-mod-2'],
-        status: 'IMPLEMENTED',
-        controls: ['demo-ctrl-9', 'demo-ctrl-10'],
-      },
-      {
-        id: 'demo-req-4',
-        regulation: 'AI Act',
-        article: 'Art. 13',
-        title: 'Transparenz',
-        description: 'Transparenzanforderungen für KI-Systeme',
-        criticality: 'HIGH',
-        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
-        status: 'IMPLEMENTED',
-        controls: ['demo-ctrl-7', 'demo-ctrl-8'],
-      },
-      {
-        id: 'demo-req-5',
-        regulation: 'AI Act',
-        article: 'Art. 9',
-        title: 'Risikomanagement',
-        description: 'Risikomanagementsystem für Hochrisiko-KI',
-        criticality: 'HIGH',
-        applicableModules: ['demo-mod-2'],
-        status: 'IMPLEMENTED',
-        controls: ['demo-ctrl-5', 'demo-ctrl-6', 'demo-ctrl-11', 'demo-ctrl-12'],
-      },
-    ],
-    controls: getDemoControls(),
-    evidence: [
-      {
-        id: 'demo-evi-1',
-        controlId: 'demo-ctrl-1',
-        type: 'SCREENSHOT',
-        name: 'MFA-Konfiguration Azure AD',
-        description: 'Screenshot der MFA-Einstellungen im Azure AD Admin Portal',
-        fileUrl: null,
-        validFrom: new Date('2026-01-01'),
-        validUntil: new Date('2027-01-01'),
-        uploadedBy: 'IT-Security',
-        uploadedAt: new Date('2026-01-10'),
-      },
-      {
-        id: 'demo-evi-2',
-        controlId: 'demo-ctrl-2',
-        type: 'DOCUMENT',
-        name: 'Berechtigungskonzept v2.1',
-        description: 'Dokumentiertes Berechtigungskonzept mit Rollenmatrix',
-        fileUrl: null,
-        validFrom: new Date('2026-01-01'),
-        validUntil: null,
-        uploadedBy: 'IT-Security',
-        uploadedAt: new Date('2026-01-05'),
-      },
-      {
-        id: 'demo-evi-5',
-        controlId: 'demo-ctrl-5',
-        type: 'AUDIT_REPORT',
-        name: 'Bias-Audit Q1/2026',
-        description: 'Externer Audit-Bericht zur Fairness des KI-Modells',
-        fileUrl: null,
-        validFrom: new Date('2026-01-15'),
-        validUntil: new Date('2026-04-15'),
-        uploadedBy: 'Data Science Lead',
-        uploadedAt: new Date('2026-01-20'),
-      },
-    ],
-    checklist: [
-      {
-        id: 'demo-chk-1',
-        requirementId: 'demo-req-1',
-        title: 'Rechtmäßigkeit der Verarbeitung geprüft',
-        description: 'Dokumentierte Prüfung der Rechtsgrundlagen',
-        status: 'PASSED',
-        notes: 'Geprüft durch DSB',
-        verifiedBy: 'DSB',
-        verifiedAt: new Date('2026-01-20'),
-      },
-      {
-        id: 'demo-chk-2',
-        requirementId: 'demo-req-2',
-        title: 'TOMs dokumentiert und umgesetzt',
-        description: 'Technische und organisatorische Maßnahmen',
-        status: 'PASSED',
-        notes: 'Alle TOMs implementiert',
-        verifiedBy: 'CISO',
-        verifiedAt: new Date('2026-01-21'),
-      },
-    ],
-    risks: getDemoRisks(),
-
-    // Phase 2 Data
-    aiActClassification: {
-      riskCategory: 'HIGH',
-      systemType: 'Beschäftigungsbezogenes KI-System (Art. 6 Abs. 2 AI Act)',
-      obligations: [
-        {
-          id: 'demo-ai-obl-1',
-          article: 'Art. 9',
-          title: 'Risikomanagementsystem',
-          description: 'Einrichtung eines KI-Risikomanagementsystems',
-          deadline: new Date('2026-08-01'),
-          status: 'IN_PROGRESS',
-        },
-        {
-          id: 'demo-ai-obl-2',
-          article: 'Art. 10',
-          title: 'Daten-Governance',
-          description: 'Anforderungen an Trainingsdaten',
-          deadline: new Date('2026-08-01'),
-          status: 'COMPLETED',
-        },
-        {
-          id: 'demo-ai-obl-3',
-          article: 'Art. 13',
-          title: 'Transparenz',
-          description: 'Dokumentation für Nutzer',
-          deadline: new Date('2026-08-01'),
-          status: 'COMPLETED',
-        },
-      ],
-      assessmentDate: new Date('2026-01-25'),
-      assessedBy: 'Compliance Team',
-      justification: 'Das System fällt unter Art. 6 Abs. 2 lit. a AI Act (Einstellung und Auswahl von Personen).',
-    },
-    obligations: [
-      {
-        id: 'demo-obl-1',
-        regulation: 'DSGVO',
-        article: 'Art. 30',
-        title: 'Verarbeitungsverzeichnis',
-        description: 'Führung eines Verzeichnisses der Verarbeitungstätigkeiten',
-        deadline: null,
-        penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes',
-        status: 'COMPLETED',
-        responsible: 'DSB',
-      },
-      {
-        id: 'demo-obl-2',
-        regulation: 'DSGVO',
-        article: 'Art. 35',
-        title: 'Datenschutz-Folgenabschätzung',
-        description: 'Durchführung einer DSFA für Hochrisiko-Verarbeitungen',
-        deadline: null,
-        penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes',
-        status: 'COMPLETED',
-        responsible: 'DSB',
-      },
-      {
-        id: 'demo-obl-3',
-        regulation: 'AI Act',
-        article: 'Art. 49',
-        title: 'CE-Kennzeichnung',
-        description: 'CE-Kennzeichnung für Hochrisiko-KI-Systeme',
-        deadline: new Date('2026-08-01'),
-        penalty: 'Bis zu 35 Mio. EUR oder 7% des Jahresumsatzes',
-        status: 'PENDING',
-        responsible: 'Compliance',
-      },
-    ],
-    dsfa: getDemoDSFA(),
-    toms: getDemoTOMs(),
-    retentionPolicies: getDemoRetentionPolicies(),
-    vvt: getDemoProcessingActivities(),
-
-    // Documents, Cookie Banner, etc. - partially filled
-    documents: [],
-    cookieBanner: null,
-    consents: [],
-    dsrConfig: null,
-    escalationWorkflows: [],
-
-    // Security
-    sbom: null,
-    securityIssues: [],
-    securityBacklog: [],
-
-    // UI State
-    commandBarHistory: [],
-    recentSearches: ['DSGVO Art. 5', 'Bias-Monitoring', 'TOM Verschlüsselung'],
-    preferences: {
-      language: 'de',
-      theme: 'light',
-      compactMode: false,
-      showHints: true,
-      autoSave: true,
-      autoValidate: true,
-      allowParallelWork: true,
-    },
-  }
-}
+// Re-export generateDemoState from its own module
+export { generateDemoState } from './demo-state'
+import { generateDemoState } from './demo-state'

 /**
 * Seed demo data into the database via API