feat(email): P18 — Critical-Findings-Box + Banner-Deep-Block

Backend wirft 90% der consent-tester-Daten weg — nur 4 Felder von einem
vollen Banner-Scan landeten im Email. Phases (before_consent / after_reject
/ after_accept), banner_checks.violations mit Rechtsgrundlagen,
category_tests, 46 structured_checks, completeness/correctness-Scores
waren alle nicht sichtbar.

Backend: agent_compliance_check_routes leitet jetzt das volle banner_result
durch (15 Felder statt 4).

Renderer (2 neue Module):
1) agent_doc_check_critical.build_critical_findings_html
   - ROTER Sofortmassnahmen-Block GANZ OBEN in der Email
   - Erkennt: banner-violations (HIGH/CRITICAL), leere Per-Category-Lists,
     DSE-Score <30%, fehlende Cookie-Richtlinie, US-Tracker ohne SCC/DPF
   - Pro Issue: konkrete Sofortmassnahme + Rechtsgrundlage + Bussgeld-
     Praezedenz (CNIL TikTok 5 Mio, LfDI BW 30k, EuGH Schrems II, ...)
   - Wird nur gerendert wenn echte Issues vorliegen

2) agent_doc_check_banner.build_banner_deep_html
   - Banner-Quality-Score-Cards (Vollstaendigkeit / Korrektheit / Verstoesse)
   - 3-Phasen-Cookie-Tabelle: vor Consent / nach Ablehnung / nach Annahme
     mit Cookie-Count, Tracker-Count, Auffaelligkeiten
   - Per-Category-Tracker-Listing (Statistik/Marketing) — zeigt explizit
     wenn eine Kategorie keine Provider listet (Safetykon-Pattern)
   - Violations-Liste mit Severity-Badge + Quellen-Hint (LG Rostock, EDPB)

Smoke-Test Safetykon: alle 6 neuen Blocks rendern, kein Regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/api/agent_compliance_check_routes.py

@@ -614,6 +614,9 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
         summary_html = build_management_summary(results)
         scanned_html = build_scanned_urls_html(doc_entries)
         providers_html = build_provider_list_html(banner_result, vvt_entries)
+        # P18: Deep-Block mit Phases + Quality-Score + Per-Category-Tracker
+        from .agent_doc_check_banner import build_banner_deep_html
+        banner_deep_html = build_banner_deep_html(banner_result)
         vvt_html = build_vvt_table_html(cmp_vendors)
 
         # MC scorecard aggregated across ALL docs in this run (DSGVO/TDDDG/
@@ -676,6 +679,20 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
             site_name=site_name_for_exec,
         )
 
+        # P18: Critical-Findings-Block (rot oben, mit Sofortmassnahmen +
+        # Quellen + Bussgeld-Praezedenz). Wird nur gerendert wenn echte
+        # kritische Verstoesse vorliegen.
+        critical_html = ""
+        try:
+            from .agent_doc_check_critical import build_critical_findings_html
+            critical_html = build_critical_findings_html(
+                banner_result=banner_result,
+                scorecard=scorecard,
+                results=results,
+            )
+        except Exception as e:
+            logger.warning("Critical-findings block skipped: %s", e)
+
         # P10: Cookie-Policy-Architecture-Detection (BMW-Pattern erkennen)
         cookie_arch_html = ""
         try:
@@ -726,10 +743,10 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
         #   7) providers_html + vvt_html (Vendor-Liste)
         #   8) report_html (Doc-Pruefung Details)
         full_html = (
-            exec_summary_html + cookie_arch_html + summary_html
-            + scanned_html + profile_html
+            critical_html + exec_summary_html + cookie_arch_html
+            + summary_html + scanned_html + profile_html
             + scorecard_html + redundancy_html
-            + providers_html + vvt_html + report_html
+            + providers_html + banner_deep_html + vvt_html + report_html
         )
 
         # Step 6: Send email — derive site name primarily from entered URL.
@@ -753,12 +770,23 @@ async def _run_compliance_check(check_id: str, req: ComplianceCheckRequest):
             "results": [_result_to_dict(r) for r in results],
             "business_profile": profile_dict,
             "extracted_profile": extracted_profile,
-            "banner_result": {
-                "detected": banner_result.get("banner_detected", False) if banner_result else False,
-                "provider": banner_result.get("banner_provider", "") if banner_result else "",
-                "violations": len(banner_result.get("banner_checks", {}).get("violations", [])) if banner_result else 0,
+            # P18: vollen consent-tester-Output durchreichen statt nur 4 Felder.
+            # phases (before/after-accept/reject) + banner_checks.violations +
+            # category_tests werden vom Renderer + Critical-Findings-Block genutzt.
+            "banner_result": ({
+                "detected": banner_result.get("banner_detected", False),
+                "provider": banner_result.get("banner_provider", ""),
+                "violations": len((banner_result.get("banner_checks") or {})
+                                  .get("violations", [])),
                 "tcf_vendor_count": len(tcf_vendors),
-            } if banner_result else None,
+                "completeness_pct": banner_result.get("completeness_pct"),
+                "correctness_pct": banner_result.get("correctness_pct"),
+                "phases": banner_result.get("phases", {}),
+                "banner_checks": banner_result.get("banner_checks", {}),
+                "category_tests": banner_result.get("category_tests", []),
+                "structured_checks": banner_result.get("structured_checks", []),
+                "summary": banner_result.get("summary", {}),
+            } if banner_result else None),
             "tcf_vendors": vvt_entries if tcf_vendors else [],
             "cmp_vendors": cmp_vendors,
             "total_documents": len(results),