- DSRExportService: aggregates all CMP data about a user from
Banner Consents, Einwilligungen, Audit Trail, DSR History
- GET /dsr/{id}/export-user-data?format=json|csv|pdf endpoint
- PDF: A4 reportlab with 4 sections (Consents, Einwilligungen,
Audit-Trail, DSR-Anfragen) + cover page
- CSV: BOM-encoded for Excel with flattened data rows
- JSON: structured export with all data categories
- ActionButtons.tsx: PDF/JSON/CSV export buttons now functional
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Migration 115: compliance_role_training_mapping table (org roles → training codes)
- TrainingLinkService: queries training_modules/matrix/assignments to find gaps
per person and role. Gracefully degrades when Go training tables don't exist yet.
- document_review_routes: 2 new endpoints (training-requirements, training-gaps)
- _notify_approval() now checks training gaps and sends emails to persons
with outstanding modules, linking to /sdk/training/learner
[migration-approved]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New /sdk/rollenkonzept/ module with 3 tabs (Rollen, Zuordnung, Reviews)
- 7 standard compliance roles (DSB, GF, IT-Leiter, HR, Marketing, Compliance, Einkauf)
- Inline role editing with test email via Mailpit
- Document-to-role mapping table (editable per tenant)
- Review list with status filters and approve/reject workflow
- ReviewAssignmentPanel in Document Generator preview tab
- "Zur Pruefung senden" button creates reviews + sends notification emails
- Approval notification sent to all affected roles after document sign-off
- Sidebar navigation link added
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Migration 111: 3 new tables (org_roles, document_reviews, document_role_mapping)
with seed data mapping all 71 doc types to 7 compliance roles
- org_role_routes.py: CRUD for roles, seed defaults, test email, mapping API
- document_review_routes.py: Review lifecycle (create→send→approve/reject)
with approval notification to all affected roles
- Migration 112: SOP template (ISO 9001 structure, 21 placeholders)
- Added standard_operating_procedure to TemplateType, doc-labels, presets
[migration-approved]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Split presets into interface + data files (500-line budget)
- Extract DOC_LABELS into doc-labels.ts with all 71 template types
- Add 3 new presets: Cloud/SaaS-Anbieter, Finanzdienstleister, Plattform
- Expand Enterprise preset to 48 docs (full ISMS + BCM + DSR)
- Every template type appears in at least one preset
- ISO references verified: citations only, no copyrighted standard text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every preset now includes DSGVO-mandatory docs (TOM, VVT, Löschkonzept)
plus Cookie-Banner/Policy, Mitarbeiter-DSI, Bewerber-DSI, and
industry-specific extras (DSFA, Whistleblower, ISMS, TIA, etc.).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- X button to close banner (SDK admin context only)
- Overlay leaves sidebar area accessible (ml-16/ml-64)
- Click overlay backdrop to dismiss
- Preview page: close banner on API error (don't trap user)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Presets were only visible after entering a project. Now they appear
on the /sdk landing page where users first see their project list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Browser blocks direct calls to backend-compliance:8093 due to
self-signed SSL certificate. All banner API calls now go through
Next.js API proxy at /api/sdk/v1/banner/* which runs server-side.
- New catch-all proxy: /api/sdk/v1/banner/[[...path]]/route.ts
Maps to backend-compliance:8002/api/compliance/banner/*
- Preview page: uses /api/sdk/v1/banner/ instead of https://macmini:8093
- CMP Dashboard: uses proxy for banner stats + compliance proxy for DSR/einwilligungen
- Fixes: banner not closeable due to API errors, consent not saving
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New route /sdk/cmp with full CMP dashboard
- 4 KPI cards: total consents, active consents, open DSR requests, configured sites
- Cookie category acceptance bars (necessary/statistics/marketing/functional)
- DSR breakdown: by status, by type (Art. 15-21), avg processing time, overdue count
- 9-point compliance checklist (banner, DSE, impressum, Art.7 proof, DSR, loeschfristen,
vendor AVV, email templates, EWR-only mode) — each links to relevant module
- 8 module cards with icons linking to all CMP sub-modules
- Real API integration: /banner/admin/stats, /einwilligungen/consents/stats, /dsr/stats
- Dashboard link added as first entry in CMP sidebar section
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previously hidden when a company profile existed, but users with
existing test projects couldn't see the feature.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When selecting an industry preset on the SDK dashboard, a categorized
document preview panel now appears showing which documents will be
generated (Website, Vertraege, HR, Compliance, etc.).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CMP Section in Sidebar:
- New "CMP" group with purple accent, above other module sections
- Links: Cookie-Banner, Live-Vorschau, Consent-Records, Consent-Verwaltung,
Vendor-Compliance, DSR Portal, Loeschfristen, E-Mail-Templates
Live Preview (/sdk/cookie-banner/preview):
- Simulated "MusterShop GmbH" website with full cookie banner
- Real API calls to POST /banner/consent (saves to DB)
- EWR-Only toggle functional in preview
- API Debug panel shows fingerprint, consent status, blocked vendors
- Response JSON viewer for API debugging
- Links to verify in Consent-Verwaltung, Consent-Records, DSR Portal
- "Consent zuruecksetzen" button to re-test
- Footer "Cookie-Einstellungen" link to reopen banner
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Presets now shown on the SDK start page (/sdk) as a card grid
between header and stats — only when companyName is empty.
Click navigates to /sdk/company-profile?preset={id}.
Reverted company-profile/page.tsx to original state (no preset
logic there — the dashboard is the right place for discovery).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows preset cards before the wizard when the profile is empty:
- 10 industry presets (SaaS, Consumer App, E-Commerce, IT-Agentur,
Maschinenbau, Rechtsanwalt, Arztpraxis, Handwerk, Bildung, Enterprise)
- Each with icon, label, and description
- Click prefills: legalForm, industry, businessModel, companySize,
employeeCount, country, targetMarkets, dataController/Processor
- "Manuell ausfuellen" skip option
- Only shown when companyName is empty (fresh start)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Deleted 6 unused components from /sdk/einwilligungen/cookie-banner/_components/
- Replaced page.tsx with Next.js redirect() to /sdk/cookie-banner
- Updated EinwilligungenNavTabs link to /sdk/cookie-banner
- Updated catalog page link to /sdk/cookie-banner
- Single source of truth: /sdk/cookie-banner (Step in "Rechtliche Texte")
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migration 110: Updated descriptions and version for 12 previously
unreviewed templates (asset_management, backup, change_management,
cloud_security, devsecops, incident_response, logging, patch_management,
secrets_management, vulnerability_management, informationspflichten,
verpflichtungserklaerung).
All templates assessed as "Very Good" quality — only incremental
updates needed (AI Act, CRA, NIS2UmsuCG references in descriptions).
informationspflichten: Kept as separate compact checklist (distinct
from the full privacy_policy DSI template).
verpflichtungserklaerung: Kept as standalone HR document (employee
signs at onboarding). Added to HR & Mitarbeiter category.
Result: 88 templates, 44 at v1.1+, 0 unreviewed remaining.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 108: Remove DSI duplicate (023 + 093 both wrote privacy_policy DE),
remove outdated EN v1, create English Privacy Notice v2 with all
modular sections (data categories table, retention periods, processor
vs. controller guidance, Art. 21 right to object highlighted)
DB now has exactly 2 privacy_policy templates: DE + EN, both v2.0.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 106: Remove AGB duplicates and obsolete templates (terms_of_service
DE/EN v1.0, liability clause) — replaced by agb v2.0
- 107: English Terms and Conditions v2 (EU-compliant, same structure
as DE version with all IF-blocks)
DB now has exactly 2 AGB templates: DE + EN, both v2.0.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- All 4 categories with toggles visible on first layer (no "Einstellungen" step)
- Removed showSettings state — single-view banner
- EWR toggle + info button in header, always visible
- Two equal-weight buttons: "Alle akzeptieren" + "Auswahl speichern"
- "Nur notwendige" as text link below (not hidden, but less prominent)
- Vendor tables expandable per category via chevron
- DSK OH Telemedien 2022 + CNIL 2020 compliant layout
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Game-changing CMP feature: Users accept a category (e.g. Marketing) but
can restrict data processing to EU/EWR-only vendors. Non-EWR vendors are
blocked even when the category is accepted.
- Toggle "Nur EU/EWR-Anbieter" with globe icon in blue gradient bar
- Blocked vendors shown as red pills with strikethrough icon
- Per-vendor status icons: green checkmark (active), red slash (blocked),
gray dash (category disabled)
- Country column: green circle+check for EWR, amber warning for non-EWR
- EWR = EU27 + IS/LI/NO + CH (Angemessenheitsbeschluss)
- Vendor data extracted to cookie-banner-vendors.ts (under 500 LOC)
- Consent state includes ewrOnly flag + blockedVendors list
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend: _ensure_list() converts null/string/malformed JSONB to []
for requirements, test_procedure, evidence, open_anchors, tags.
Frontend: defensive Array.isArray() check on ControlDetail.tsx.
Fixes: TypeError: A.requirements.map is not a function
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- CookieBannerOverlay: shows vendors per category with expandable tables
(Verarbeiter, Cookies, Dauer, Land) for full transparency
- Demo vendors: 4 necessary, 3 statistics, 3 marketing, 3 functional
- cookie_table_generator.py: renders {{COOKIE_TABLE}} Markdown tables
from vendor configs (DB) or service registry (fallback)
- SERVICE_COOKIES: 16 known vendor-to-cookie mappings with provider + country
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link mandatory in banner (§5 TMG)
2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49)
3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent)
4. Script-Blocking: data-cookie-category + type="text/plain" pattern
Scripts only execute AFTER user consents to that category
5. Buttons already equal size (flex:1) — verified correct
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows: Impressum link ✓/✗, DSE link ✓/✗, plus violation cards for
wrong DSE consent wording, pre-ticked checkboxes, dark patterns,
missing reject button, no settings re-access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link accessible from banner (§5 TMG, LG Rostock)
2. DSE link in banner (Art. 13 DSGVO, informierte Einwilligung)
3. Wrong wording: "Zustimmung zur DSE" — DSE is Art. 13 obligation,
not consent. Correct: "zur Kenntnis genommen"
4. Reject button visible (§25 TDDDG, no hidden reject)
5. Pre-ticked checkboxes detected (EuGH C-673/17 Planet49)
6. Dark Pattern: button size comparison — accept vs reject area
ratio >2.5x or font size ratio >1.5x = dark pattern
7. Cookie Wall detection (Phase B — site blocked after reject)
8. Re-access to settings (Art. 7(3) — revocation as easy as consent)
All checks run via Playwright on the actual rendered banner.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fundamental architecture fix: data processing happens through APIs/scripts/
cookies — NOT through visible page text. A news site about healthcare does
NOT process health data.
Before: Qwen reads website text → guesses "health_data: true" (WRONG)
After: Google Analytics detected → tracking: true (CORRECT, deterministic)
New flow: detect services from HTML → map service categories to flags →
feed flags into UCCA assessment. No LLM needed for flag extraction.
SERVICE_TO_FLAGS maps categories: tracking→tracking, marketing→marketing+
third_party_sharing, payment→payment_data, heatmap→profiling, etc.
SPECIFIC_SERVICE_FLAGS for Klarna (Art.22), Stripe (US transfer), etc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tests each consent category in isolation:
- Phase D: Only "Statistics" enabled → checks if only analytics loads
- Phase E: Only "Marketing" enabled → checks if only ads load
- Phase F: Only "Functional" enabled → checks no tracking loads
CMP-specific category selectors for Cookiebot, OneTrust, Usercentrics,
Didomi. Generic fallback via toggle/checkbox keyword detection.
SERVICE_CATEGORY_MAP maps 35+ services to expected categories.
Violations: "Facebook Pixel loads with only Statistics enabled" = miscategorization.
Frontend: category test results shown below Phase A-C with
per-category violation cards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
legalHolds can be a JSONB object {} instead of an array [], so
the || [] fallback wasn't sufficient. Array.isArray handles all
edge cases (null, undefined, object, string).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getActiveLegalHolds() crashed with "e.legalHolds.filter is not a
function" when legalHolds was null/undefined (e.g. old DB entries
without the JSONB field). Added fallback to empty array.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VVT and Loeschfristen pages imported STEP_EXPLANATIONS as a named
export from StepHeader.tsx, but it was only imported (not re-exported).
This caused "Cannot read properties of undefined (reading 'vvt')"
at runtime. Adding the re-export fixes both pages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Results (https://macmini:3007):
- sdk-module-reachability: 40/42 (loeschfristen+vvt pre-existing bugs)
- vendor-transfers: 4/4
- isms-assets: 3/3
- document-generator: 3/4 (category label mismatch)
Added: playwright-live.config.ts (no webServer, live instance testing)
Test data NOT cleaned up — profiles persist for manual review.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New E2E test specs:
- sdk-module-reachability: Tests 40+ SDK routes for 404/crash
- scope-profiling: Three customer profiles (Startup/KMU/Enterprise)
with screenshots at each step — data NOT cleaned up
- document-generator: Template library, categories, recommendations
- vendor-transfers: Transfer tab, explanations, adequacy list
- isms-assets: Asset register tab, form, CRUD
All tests configured to run against https://macmini:3007
Screenshots saved to e2e/test-results/ for manual review
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The SECTION_FIELDS object was prematurely closed before the TOM and DPA
sections, causing a build-time syntax error. Removed the extra closing
brace so TOM and DPA fields are correctly inside the object.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New: adequacy-decisions.ts
- Complete list of 15 countries with EU adequacy decisions (Art. 45)
- EU/EEA country set (30 countries)
- getTransferRequirement() — determines SCC/TIA/certification needs
per country code with human-readable explanations
- US special handling: DPF certification required, check URL included
Updated: transfers/page.tsx
- "Was muss ich tun?" explanation section with 3 options:
1. Adequacy decision (green) — no action needed
2. DPF certification (blue, US only) — check dataprivacyframework.gov
3. SCC + TIA required (amber) — link to Document Generator
- Collapsible adequacy countries table (15 countries with restrictions)
- Schrems II background explanation for customers
- Customer guidance written for non-experts who never heard of TIA/SCC
Updated: templateRecommendations.ts
- SCC+TIA rules now consider DPF certification and adequacy status
- us_dpf_only → SCC/TIA optional (not required)
- adequate_only → SCC/TIA not recommended
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Assets" tab in the ISMS module for information asset management:
- CRUD for information assets (hardware, software, data, services,
people, facilities)
- CIA protection need matrix (confidentiality, integrity, availability)
with normal/high/very_high levels
- Information classification (public, internal, confidential,
strictly confidential) with color-coded badges
- Category filter (all/hardware/software/data/service/people/facility)
- Stats cards (total, by category, high protection need count)
- CSV export for ISO 27001 audits
- Edit/delete per asset
- localStorage persistence (same pattern as compliance_scope)
Types: InformationAsset, AssetCategory, AssetClassification,
ProtectionLevel interfaces + label/color maps
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Drittlandtransfers" tab in the Vendor Compliance sidebar:
- Aggregates all vendor processing locations with non-EU countries
- Traffic light system: green (EU/adequacy), yellow (SCC exists),
red (no transfer mechanism)
- Stats cards: total, EU+adequate, third-country, action required
- Filter by status (all/OK/review/action required)
- Table with vendor name, country, mechanism, SCC status, TIA status
- "TIA erstellen" link to Document Generator for third-country vendors
- Help text explaining Schrems II / Art. 46 DSGVO requirements
Uses existing data model — no new API endpoints or DB tables needed:
- vendor_vendors.processingLocations (isEU, isAdequate)
- vendor_vendors.transferMechanisms
- vendor_contracts.documentType = 'SCC'
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Benjamin Admin