breakpilot-compliance

Author	SHA1	Message	Date
Benjamin Admin	1e5aaf7103	feat(advisor): Authority Router — Advisor collection-agnostisch, KB-2026.1-Gewinn im Produktpfad CI / detect-changes (pull_request) Successful in 13s Details CI / branch-name (pull_request) Successful in 2s Details CI / guardrail-integrity (pull_request) Successful in 5s Details CI / secret-scan (pull_request) Successful in 11s Details CI / dep-audit (pull_request) Failing after 54s Details CI / sbom-scan (pull_request) Failing after 1m1s Details CI / build-sha-integrity (pull_request) Successful in 11s Details CI / validate-canonical-controls (pull_request) Successful in 7s Details CI / loc-budget (pull_request) Successful in 23s Details CI / go-lint (pull_request) Successful in 53s Details CI / python-lint (pull_request) Failing after 17s Details CI / nodejs-lint (pull_request) Failing after 1m6s Details CI / nodejs-build (pull_request) Successful in 2m59s Details CI / test-go (pull_request) Successful in 1m0s Details CI / iace-gt-coverage (pull_request) Successful in 17s Details CI / test-python-backend (pull_request) Successful in 26s Details CI / test-python-document-crawler (pull_request) Successful in 12s Details CI / test-python-dsms-gateway (pull_request) Successful in 8s Details Der Advisor fan-outete bisher selbst ueber eine feste Liste expliziter Collections (advisor-rag.ts) und umging damit das #61-Scope-Routing (das nur den Default-Pfad routet) → der gemessene +28-Retrieval-Gewinn (CB-100: 53→81, 0 Regr) kam nie beim Antwort-LLM an. Dieser Router zieht den Fan-out in die Retriever-Schicht: - SDK: LegalRAGClient.Retrieve() + POST /sdk/v1/rag/retrieve {query, top_k} — fan-outet server-seitig ueber die Broad-Authority-Base + die KB-2026.1-Slice bei inKBScope, merge+dedup, sortiert nach Authority-Score (rerankByAuthority je Collection), top-K. Index-Warmup vor dem nebenlaeufigen Fan-out (Map-Race-frei). Per-Env via RAG_ROUTER_COLLECTIONS. - admin: advisor-rag.ts ruft EINMAL /retrieve statt 6-fach expliziter Collections. Advisor ist collection-agnostisch (Vertrag Compiler→Collections→Retriever→Advisor); COMPLIANCE_COLLECTIONS/searchCollection entfernt. Validierung: Go-Unit (Router-Selektion, dedup); e2e gegen dev-Qdrant (echter Retrieve(), CB-100-Stichprobe stride 5): OLD-hit 11/20 → NEW-hit 15/20, GAIN 4 (alle DS-Guidance), REGR 0 — reproduziert den +28/0-Regr durch den Produktionscode. TS-Tests auf den Single-/retrieve-Call angepasst. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-30 14:13:09 +02:00
Benjamin Admin	6b9c7984b4	fix(ci): regulatory_news Zeitbomben-Test entschaerfen — test-go + Deploy entsperren CI / detect-changes (push) Successful in 8s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 18s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m2s Details CI / test-go (push) Successful in 1m8s Details CI / iace-gt-coverage (push) Successful in 19s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details test-go failte seit 2026-06-19: VBR-OBL-001 ("Widerrufsbutton ab 19.06.2026") ist seit dem Stichtag abgelaufen und faellt aus dem Zukunfts-Horizont von GetRegulatoryNews, wodurch TestGetRegulatoryNews_FromRealFiles bricht. Fix: now-Referenz injizierbar (GetRegulatoryNewsAt), Test nutzt fixes Datum -> deterministisch. Produktions-Caller unveraendert (Wrapper). admin rag-query Marker, damit detect-changes admin mitbaut (article_label-Rendering). go vet + alle ai-sdk-Tests lokal gruen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 00:51:47 +02:00
Benjamin Admin	e646091ba2	chore(deploy): ai-sdk + admin neu bauen — Legal-Zitatfelder (article_label) nach Prod-Re-Ingest aktiv CI / detect-changes (push) Successful in 8s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 6s Details CI / loc-budget (push) Successful in 20s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m3s Details CI / test-go (push) Failing after 57s Details CI / iace-gt-coverage (push) Successful in 16s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Triggert CI + detect-changes fuer ai-compliance-sdk + admin-compliance, nachdem der vorige Deploy am last-build/main Tag-Bug haengenblieb (Builds uebersprungen). Nur Doku-Kommentare, Logik unveraendert. Daten-Merge (Qdrant) ist bereits live. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 00:15:48 +02:00
Benjamin Admin	017c9b3c12	feat(advisor): Legal-RAG Zitier-Metadaten — ai-sdk + Advisor/Drafting lesen article_label ai-sdk (legal_rag_client/scroll/types) liest die gepinnten Spec-Felder article_label/regulation_code/article/paragraph/sub/citation_style/is_recital mit Fallback auf alt-ingestierte Chunks (regulation_id, section); neuer getBool-Helfer. Advisor + Drafting-Engine bilden die Quellenzeile primaer aus article_label ("BDSG § 38 Abs. 1"), sonst aus den strukturierten Feldern. 17 Tests gruen, tsc sauber. Vertrag: docs-src/development/rag_reingest_spec.md (§2/§7). Deploy an den Re-Ingest gekoppelt — neue Felder sind bis dahin leer (graceful Fallback). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-20 14:34:15 +02:00
Benjamin Admin	90a70c8404	fix(drafting): Drafting-Engine auf prod reparieren — RAG via ai-sdk + OVH-LLM-Kaskade CI / detect-changes (push) Successful in 7s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 5s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 17s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m2s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Die Drafting-Engine (Dokument-Entwurf, v2-Pipeline, Validierung, Drafting-Chat, Vendor-Vertragspruefung) war auf prod doppelt tot: - RAG ueber bp-core-rag-service:8097 (existiert auf prod nicht) - LLM ueber OLLAMA_URL/api/chat mit qwen2.5vl (prod = ollama-embed, kein Chat-Modell) Fix (analog zum Compliance-Advisor): - rag-query.ts -> ai-compliance-sdk /sdk/v1/rag/search (bge-m3, prod-erreichbar). - Neue lib/sdk/drafting-engine/llm-cascade.ts: OVH/LiteLLM (gpt-oss-120b) zuerst, Ollama als Dev-Fallback; cascadeComplete (JSON) + cascadeStream. Das Backend nutzt OVH+JSON bereits erfolgreich auf prod (extract-datasheet). - 5 Aufrufstellen (draft-helpers, draft-helpers-v2, validate, chat, vendor-review) auf die Kaskade umgestellt; keine direkten Ollama-Calls mehr. - Tests: llm-cascade + rag-query aktualisiert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 10:02:06 +02:00
Benjamin Admin	cd3e0b15ad	fix(advisor): Compliance-Advisor auf prod reparieren — RAG via ai-sdk (bge-m3) + OVH-LLM CI / detect-changes (push) Successful in 6s Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 6s Details CI / loc-budget (push) Successful in 19s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m4s Details CI / test-go (push) Successful in 58s Details CI / iace-gt-coverage (push) Successful in 16s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Der Floating-Compliance-Advisor war auf prod kaputt (502): RAG ging ueber rag-service:8097 (auf prod nicht vorhanden) und der Chat ueber OLLAMA_URL=ollama-embed (embedding-only, kein qwen2.5vl). - RAG laeuft jetzt ueber die ai-compliance-sdk /sdk/v1/rag/search (bge-m3, prod-erreichbar) statt rag-service -> profitiert vom reicheren Embedding. (lib/sdk/agents/advisor-rag.ts) - LLM-Kaskade: OVH/LiteLLM (gpt-oss-120b) zuerst, Ollama als Dev-Fallback. (lib/sdk/agents/advisor-llm.ts; OVH-Env via orca-infra admin-Block) - ai-sdk: bp_compliance_recht in AllowedCollections ergaenzt (Whitelist war inkonsistent — die Fehlermeldung listete es bereits als erlaubt). - Route auf die Module umgestellt (duenn); Controls-Augmentation unveraendert. - Tests: advisor-rag + advisor-llm. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 09:22:44 +02:00
Benjamin Bönisch	8f21650d74	feat(sdk): Kunden-Dokumente + CRA-Meldewesen, Screening aus Frontend genommen CI / detect-changes (push) Successful in 16s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 15s Details CI / validate-canonical-controls (push) Successful in 13s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m9s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 31s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details - /sdk/dokumente: Kundensicht nur auf veroeffentlichte Rechtsdokumente (Ansehen + Download); Proxy mit Allow-List nur /public — Templates/Drafts/ Generator bleiben unerreichbar. - /sdk/cra-meldewesen: CRA Art. 14 Meldewesen (24h/72h/14d-Kaskade) mit Fristen-Tracking + ENISA-SRP-Export-Entwurf (kein Live-API). Backend: cra_meldewesen (pure, getestet) + cra_incident_store (schema-neutral ueber compliance_cra_documents) + /api/v1/cra/incidents (additiv, contract-safe). - Screening (Self-Scan) aus dem Frontend genommen: Flow-Stepper-Eintrag ausgeblendet (visibleWhen), Dashboard-Kachel + Import-Button entfernt. Repo-Scanning laeuft extern im Compliance-Scanner; Backend-Router bleibt vorerst gemountet (Contract-Stabilitaet). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 21:21:28 +02:00
Benjamin Admin	f8b45dd3d1	feat(sdk): Sidebar neu gruppieren + Kunde/Intern-Trennung Die vier Kern-Module in eine Gruppe "Produkt-Compliance (CE & Cyber)" (Gap-Analyse, Maschinensicherheit/CE, Cyber Resilience/CRA) — iace+cra benachbart, KI-Compliance nicht mehr dazwischen gekeilt. Labels entschaerft (kein "IACE"-Codename, keine doppelten Header). Interne/Entwickler-Module (Kataloge/Templates, Korpus/coverage, Quellen, Engine-Internals, Admin) in eine per useInternalUI() gegatete Sektion "Intern · Entwicklung" — Kunden sehen sie nie (Default versteckt; intern = macmini/localhost o. Browser-Opt-in). coverage erstmals erreichbar (war verwaist). Toter SidebarModuleNav.tsx geloescht. Alle bestehenden Routen erhalten. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 13:27:38 +02:00
Benjamin Admin	05bd0418f8	feat(advisor): atom-grain controls in agent context controls-augmentation now renders control_id + sub_topic + source_regulation (handles both atom-grain and master-grain API shapes). The compliance-advisor answers from atom_classification (precise, sub-topic-organized, framework- traceable) via the shared get_controls_for_use_case API. 100% local at runtime. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-14 09:52:50 +02:00
Benjamin Admin	7f03ffadcc	feat(advisor): wire structured controls into compliance-advisor (HELD, not deployed) Prompt-augments the RAG-only advisor with the shared use-case->controls API: deterministic topic detection -> local controls API -> context block, so the agent can answer from real Control-IDs. 100% local at runtime (no Anthropic). NOT pushed/deployed: the shared API currently returns MASTER-grain controls, whose composition is broken (gpre2 object-only clustering -> mega-clusters). Pending the atom-grain rework of the API. tsc + vitest green. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-13 22:55:14 +02:00
Benjamin Admin	19786c96f8	test(admin): fix 3 stale vitest logic assumptions These were pre-existing failures (stale tests, not source bugs): - getNextStep walks steps ordered by `seq`, not array order (ai-act seq 350 sits before import 400). The tests assumed array order; derive the expectations from the seq-sorted sequence instead. - buildDocumentScope: a document required only by the level matrix is `mandatory` but may be `medium` priority — only trigger-mandated docs (and the high-priority doc types) are forced to high. The test wrongly asserted ALL mandatory docs are high; now it checks the trigger-mandated ones. Full vitest suite: 414/414 green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-11 08:08:23 +02:00
Benjamin Admin	a28db8f8f0	fix(admin): resolve all 266 TypeScript errors, enable strict build Eliminate the pre-existing TS errors that were masked by next.config.js `typescript.ignoreBuildErrors: true`, then turn the flag OFF so the compiler is a real safety net for future changes. `next build` and `tsc --noEmit` now pass with 0 errors. The errors were not cosmetic — several exposed real latent bugs hidden by the flag, e.g. the drafting-engine ConstraintEnforcer read non-existent fields (`t.rule.dsfaRequired`, `d.required`, `r.title`), so its DSFA hard gate and risk-flag checks were silently no-ops; scopeDefaults read snake_case CompanyProfile fields that never matched the camelCase type (generator defaults never populated). Both fixed by aligning code to the current types. Highlights: - Vitest globals: add vitest-globals.d.ts (config already had globals:true) so the test files type-check; exclude Playwright specs from vitest. - Add a minimal ambient `pg` module declaration (no @types/pg installed). - Fix Next 15 route handlers to await Promise params. - Reconcile drifted types across loeschfristen, compliance-scope, document- generator, drafting-engine, vendor-compliance, agent and more. Pre-existing (NOT caused here, proven by stashing the diff): 3 vitest logic tests still fail — getNextStep (2) and buildDocumentScope priority (1). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-11 00:42:44 +02:00
Benjamin Admin	663a1c3e38	feat(document-library): zentrale Doc-Übersicht + Workflow-Auto-Select (Phase 3) CI / detect-changes (push) Successful in 9s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Failing after 4s Details CI / validate-canonical-controls (push) Successful in 11s Details CI / loc-budget (push) Failing after 12s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m16s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 30s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Neue Compliance-Admin-Seite /sdk/document-library: zeigt alle compliance_ legal_documents mit aktueller Version, gruppiert nach Empfehlungs-Klassi- fikation, filterbar nach Status + Volltextsuche. Backend (Service + Routes): - LegalDocumentService.list_documents_with_versions() — JOIN über docs + latest/published version in einem Roundtrip statt N+1 - GET /api/v1/compliance/legal-documents/documents-with-versions liefert {documents:[{...doc, latest_version, published_version}]} Admin-Frontend: - app/sdk/document-library/page.tsx (350 LOC) - Lädt Docs + Recommend parallel - Mapped jedes Doc per .type → Recommend-Item (klassifiziert in required/recommended/optional/uncategorized) - 4 Sektionen mit Klassifikations-Chip + Anzahl-Badge - Tabelle pro Sektion: Titel · Type · Status · Version · Geändert · Override - Status-Filter (alle / draft / review_internal / review_client / approved / published / archived / rejected) - Klick auf Zeile → /sdk/workflow?doc=<uuid> - Empty state mit Link zum Generator (Bulk-Modus) - workflow/page.tsx: auto-select bei ?doc=<uuid> URL-Param - lib/sdk/types/sdk-steps.ts: 'document-library' bei seq=2500 im Paket 'dokumentation' registriert (sichtbar in der SDK-Sidebar) Workflow-Hookup vervollständigt: Library → click → Workflow öffnet direkt das gewünschte Dokument im SplitViewEditor, keine manuelle Selektion über DocumentSelectorBar mehr nötig. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-08 09:32:25 +02:00
Benjamin Admin	02879a2c3a	refactor: split cookie_screenshot_ocr.py (642 → 290 + 353 LOC) CI / build-sha-integrity (push) Failing after 4s Details CI / validate-canonical-controls (push) Successful in 11s Details CI / nodejs-lint (push) Has been skipped Details CI / detect-changes (push) Successful in 7s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / loc-budget (push) Failing after 14s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m19s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 29s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI hard-cap 500 LOC. cookie_screenshot_ocr.py war auf 642 gewachsen, also gesplittet: - cookie_screenshot_ocr_engines.py (353 LOC, NEU) OCR-Engine-Funktionen: _slice_screenshot, Vision-LLM (qwen2.5vl), PaddleOCR, Tesseract, parse_ocr_cookie_table, parse_vision_response, Konstanten VISION_MODEL/OLLAMA_URL/VISION_PROMPT. - cookie_screenshot_ocr.py (290 LOC, REWRITE) Orchestration: capture_cookie_evidence_slices, _ocr_one_slice, ocr_slices_extract_cookies, capture_cookie_screenshot, extract_cookies_via_vision, cookies_to_vendor_records. Re-Exports der Engine-Funktionen für Backward-Kompat. Einziger externer Importer (_phase_d1_vendors_raw.py) braucht keinen Code-Change — Public-API stabil. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 23:35:33 +02:00
Benjamin Admin	7335f64f4f	feat(founding-wizard): Per-Person IP-Assignment + Prefill + E2E-Tests CI / detect-changes (push) Successful in 12s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / validate-canonical-controls (push) Successful in 19s Details CI / loc-budget (push) Failing after 20s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m17s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 43s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Wizard unterstuetzt jetzt 2-4 Gesellschafter mit individuellem IP-Bereich: - Pro Gruender ein IP-Assignment-Vertrag (z.B. Benjamin: Compliance+RAG; Sharang: Security+Infrastruktur). Pro GF ein eigener Dienstvertrag. - Step 1: Prefill-Button aus Unternehmensprofil + Felder Registergericht und HRB-Nr. - Step 2: Rollen-Dropdown (CEO/CTO/CFO/COO/CPO/GF/Sonstige) statt freie Texteingabe, IP-Bereiche-Textarea pro Person. Backend: - generate_documents() iteriert pro Person fuer PER_PERSON_DOCS. - _build_person_context() injiziert ASSIGNOR_, GF_, IP_LIST_DETAILS aus person.ip_areas. - base_context() propagiert basics.register_court und basics.hrb_number. Tests: - 30/30 Pytest gruen (6 neue: Per-Person-Context, Slug-Helper, Registergericht-Propagation). - 4 neue Playwright-E2E-Specs (hermetisch via route.fulfill, mit Console-/Page-Error-Traps): kompletter 8-Step-Flow, Prefill-Fehlerpfad, Step-Navigation/Reset, Rollen-Dropdown + IP-Areas. - Spec setzt 'bp-sdk-cookie-consent' im addInitScript damit der CookieBannerOverlay nicht die Wizard-Buttons ueberlagert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 18:49:10 +02:00
Benjamin Admin	7a5f1e48dd	feat(founding-wizard): Gründungs-Wizard für 2-Mann GmbH + 14 Notar-Templates [migration-approved] Templates (Migrations 123-136): - 123 GO-GF (Geschäftsordnung Geschäftsführung) - 124 SHA (Shareholders' Agreement, 56 Platzhalter) - 125 Satzung (Articles of Association mit UG-Variante) - 126 GF-Dienstvertrag (Trennungsprinzip Organ/Anstellung) - 127 Arbeitsvertrag (AGG-neutral, NachwG, eAU) - 128 Gesellschafterliste (§ 40 GmbHG) - 129 GF-Bestellungsbeschluss (mit § 6 Abs. 2 Versicherung) - 130 HRB-Anmeldung (§§ 7, 8, 39 GmbHG, § 12 HGB) - 131 IP-Assignment Agreement (Gründer→GmbH) - 132 Term Sheet (Pre-Seed/Seed VC-Standard) - 133 Wandeldarlehensvertrag (Convertible Loan) - 134 Beteiligungsvertrag (Subscription Agreement) - 135 ESOP/VSOP-Plan (3 Varianten) - 136 Cap Table Kategorisierung (Migrations 137-138): - ALTER TABLE compliance_legal_templates ADD lifecycle_stage TEXT[], functional_category TEXT (mit CHECK Constraints + GIN-Index) - Backfill aller 105 Templates: lifecycle_stage (pre_founding\|founding\| startup\|kmu\|konzern) + functional_category (founding_legal\|employment\| investor_funding\|...) Backend Founding-Wizard Service: - template_renderer.py: Handlebars-light ({{VAR}}, {{#IF FLAG}}...{{/IF}}) - wizard_to_context.py: Mapping Wizard-State → SCREAMING_SNAKE_CASE Vars - markdown_to_docx.py: Markdown → DOCX via python-docx - founding_wizard_routes.py: POST /v1/founding-wizard/generate → liefert base64-DOCX-Files für ausgewählte Templates Frontend Founding-Wizard (/sdk/founding-wizard): - 8-Step Wizard (Basics, Gesellschafter, GF, Kapital, Notar, SHA, GF-Verträge, Generate) - useFoundingWizardForm Hook mit localStorage-Persistenz - TypeScript Code-Registry (template-categories.ts) als Backup zur DB - Word-Download via data:URLs (base64) Tests: - 20 Unit-Tests grün (Renderer, Context-Mapping, DOCX-Conversion) - Playwright E2E-Test mit 2-Mann GmbH (Benjamin + Sharang) Test-Daten	2026-05-20 09:30:51 +02:00
Benjamin Admin	662327e8b4	feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features CI / detect-changes (push) Successful in 10s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / validate-canonical-controls (push) Successful in 16s Details CI / loc-budget (push) Failing after 17s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m47s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 42s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Massiv-Update auf Basis BMW-Test-Iterationen (v1→v9): Core Compliance-Check - Sonnet check_type Klassifikation: text/process/review fuer alle 1874 MCs in compliance.doc_check_controls (script + Sidecar /data/mc_classification.db). rag_document_checker filtert auf check_type='text' fuer doc_check. Plus fits_doc_type-Audit (v2) + ui_only-Audit fuer DSA/E-Commerce-MCs in falscher doc_type-Schublade. - scope_requires-Filter: biometric/ai_decision/child_targeting MCs werden per business_profile gefiltert (FRT skipped fuer BMW etc.). - Embedding-Match (BGE-M3) als Phase-3 nach Regex-Match: Per-doc_type-Threshold-Override (impressum 0.50, dse/cookie 0.60), Short-Field-Rescue (15-Wort-Chunks) fuer Pflichtfelder im Impressum. Title+check_question als Embedding-Input fuer mehr Kontext. - Cookie-Text-Routing: consent-tester gibt cmp_cookie_text aus dem CMP-Reconstruct zurueck, Backend bevorzugt das gegen DOM-Extraction wenn richer (BMW 1824 vs 600 Worte). Vendor-Redundanz + EU-Alternativen + Cost-Saving - vendor_redundancy.analyze() — funktionale Kategorisierung der CMP-Vendors, Detektion von Mehrfach-Anbietern pro Kategorie, EU-Alternative-Lookup (Matomo, IONOS, HERE, Friendly Captcha, Smart AdServer, ...). - vendor_cost_estimator: Tier-Inferenz aus Cookie-Footprint (Cookie-Anzahl + Premium-Feature-Cookies + Third-Party-Quote → starter/professional/ enterprise/premier). - Self-Service-Werbung (Google/Meta/Pinterest/...) = 0 Lizenz-Kosten (nur Media-Spend, separat). DSP-Plattformen behalten enge Range. - Tier-aware Saving-Range: bei Enterprise/Premier nutzen wir den oberen 40-100%-Band der Listpreise, nicht starter→premier. - Multi-Function-Tools (Matomo Pro, SAP CX, IONOS Cloud, Userlike, Smart AdServer, HERE Maps, Vimeo Pro, LamaPoll) — ein Tool ersetzt mehrere Kategorien gleichzeitig. Cookie-Wissens-DB + Funktionale Klassifikation - cookie_knowledge_db: 50 kuratierte Top-Cookies (Google/Meta/Adobe/MS/...) mit vendor, exact_purpose, data_collected, IAB-TCF-IDs, reid_risk, schrems_ii_status, EuGH-Urteile, EU-Alternative. - cookie_function_classifier: pro Cookie funktionale Rolle (tracking_id, ad_pixel, session_id, ab_test, csrf, ...) + blocking_impact. Country-Inferenz aus Rechtsform - cookie_link_validator: Country-Field wird aus Vendor-Name abgeleitet (A/S=DK, GmbH=DE, Inc=US, B.V.=NL, ...) plus Vendor-Lookup-Table. Reduziert false-positive no_country-Flags bei eindeutig-EU-Vendors (Adform DK, Pinterest IE). Action-Recipes + Doc-Anchor-Locator - finding_action_recipes: pro Finding-Typ (no_cookies_listed, no_country, broken_opt_out, "Auftragsverarbeiter erwaehnen", "Art. 22 Profiling", ...) eine strukturierte Anweisung mit what/why/fix_text/where/example. Zum 1:1-Einfuegen in Kunden-Dokumente. - doc_anchor_locator: Embedding-basiert (BGE-M3 cosine) — sucht den passenden Absatz im existierenden Kundendokument fuer jeden Finding. Per-Run Thread-Local-Cache. Fallback: keyword-Match. - Email-Rendering integriert Recipe + Anchor pro Doc-Pruefungs-Fail + Vendor-Flag-Liste mit aufklappbarer Action-Liste. - Score-Erklaerung pro Vendor-Zeile (3/5-Untertitel + Tooltip). Migration-Pipeline (Compliance-Check -> Customer Banner/Documents) - migration_to_banner.py: Vendor-Liste -> CookieBannerConfig mit 4 Kategorien + Review-Flags. - migration_to_document.py: Vendor-Liste -> Cookie-Policy + VVT-Register + Privacy-Policy-Pre-Fills. - agent_migration_routes: 3 Preview-Endpoints (banner-preview, document-preview, summary). Persistierung der cmp_vendors in /data/compliance_audits.db check_payloads-Tabelle. Borlabs-Parity Cookie-Banner-Features - Consent-Historie im Banner: window.bpShowConsentHistory() + localStorage. - Content-Blocker: cookie-banner-content-blocker.ts — YouTube/Maps/Video Placeholder bis Einwilligung. - Google Consent Mode v2 erweitert: wait_for_update + region=EEA/CH/GB. - Consent-Log Export (CSV/JSON) per einwilligungen_export_routes. Bug-Fixes - canonical_control_routes: _jsonish-Helper fuer string-typed jsonb, similar-controls-Endpoint mit _has_embedding_col()-Cache (kein 500 mehr). - Control-Library Frontend: defensive .map-Coercer in 2 Detail-Views. - Embedding-Service-Batching (32er Batches statt 165 in einem Call). - KeyError 'control_id' in MC-Result-Aggregation (defensive .get). - Master-Controls-Klick-Through von /sdk/master-controls auf /sdk/control-library?control=<id> mit URL-Param-Auto-Open. - Dockerfile: /data pre-chowned auf appuser (Audit-DB-Schreibrecht). - Cookie-Text-Routing-Bug (cmp_reconstructed > DOM-extraction). - doc_type-aware MC-Filter (statt all-text-MCs). - Master-Contract-Dedup (60 BMW-Internal-Eintraege = 1 Adobe-Vertrag). - A3-v2-Audit hat 24 UI-Sprache-MCs als 'process' reklassifiziert. Tests - test_migration_mappers.py (9 Tests) - test_migration_endpoints.py (4 Tests) Skripte (one-shot) - classify_mc_check_type.py (v1) + _v2 (PK=control_id,doc_type) - audit_mc_doctype_fit.py (v1 fits) + _v2 (ui_only + scope_requires) BMW-Run-Bilanz v1 (broken) -> v9 (alle Fixes): DSE 7,5% -> 81-83% Impressum 4% -> 100% (6 echte MCs alle erfuellt) Cookie 0% -> 79-83% (CMP-Text-Routing + Embedding) Plus: 10 Konsolidierungs-Kategorien, geschaetzte Saving 200k-3M / Jahr Plus: Action-Recipes + Doc-Anchors fuer jeden Fail Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:30:08 +02:00
Benjamin Admin	6af9353bad	feat(sidebar): add Master Controls between Control Library and Provenance Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 18:04:57 +02:00
Benjamin Admin	36c6101b91	Merge feat/zeroclaw-compliance-agent into main Brings all compliance doc-check features: - 162 regex checks + 1874 Master Controls - LLM-agnostic agent with tool calling - Banner check (46 checks, 30 CMPs, stealth, Shadow DOM) - Impressum check (24 checks) - Deep consent verification (DataLayer, GCM, TCF) - CMP E2E tests (39 tests) - HTML email reports, FAQ, persistent history Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 11:44:20 +02:00
Benjamin Admin	2e29b611c9	feat(iace): Phase 1 — Haftungs-Fixes, Massnahmen-Verkabelung, Explainability Engine Phase 1A — Haftungs-kritische Fixes: - SIL/PL-Badges als "Vorab-Einschaetzung" mit Tooltip gekennzeichnet - Coverage-Disclaimer in CE-Akte, Projekt-Uebersicht und Print-Export - Norm-Referenzen: 42 Kapitelverweise durch Themen-Deskriptoren ersetzt Phase 1B — Massnahmen-Verkabelung: - 16 neue Massnahmen (M201-M216) fuer bisher unabgedeckte Kategorien (communication_failure, hmi_error, firmware_corruption, maintenance, sensor_fault, mode_confusion) - Kategorie-Fallback im Initialize-Endpoint: ordnet Massnahmen aus der Bibliothek automatisch per HazardCategory zu (max 8 pro Kategorie) - Total: 225 → 241 Massnahmen, 0 Kategorien ohne Massnahmen Phase 1C — Explainability Engine: - MatchReason Struct in PatternMatch (type, tag, met) - Pattern Engine schreibt fuer jeden Match strukturierte Begruendungen - Frontend zeigt "Erkannt weil: Komponente X, Energie Y, Kein Ausschluss Z" Weitere Aenderungen: - BAuA/OSHA Regulatory Hints: 3 Enrich-Endpoints (per Hazard, per Measure, Batch) - Dokumente-Tab in IACE-Bibliothek (36.708 Chunks aus Qdrant) - Varianten-UX: Basis-Projekt-Summary auf Varianten-Seite - Projekt-Initialisierung: POST /initialize kettet Parse→Komponenten→Patterns→Hazards→Massnahmen→Normen - 18 pre-existing TS-Fehler gefixt, Route-Konflikt behoben - Component-Library + Measures-Library Tests aktualisiert Tests: Go alle bestanden, TS 0 Fehler, Playwright 141+ bestanden Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-09 21:32:23 +02:00
Benjamin Admin	c284cefada	refactor: Remove Modules step, add Regulations card to Dashboard - Modules step deleted from sdk-steps.ts and SDK Flow (regulations are now shown in Scope-Decision tab with toggles) - Dashboard: "Erkannte Regulierungen" card shows which regulations apply based on Scope-Profiling (DSGVO, AI Act, NIS2, HinSchG) - Dashboard: Amber warning if Scope-Profiling not yet completed - Link to Scope-Decision tab for details & customization Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 22:21:12 +02:00
Benjamin Admin	2b4ff9f422	feat: DSFA — VVT-Verknüpfung + Residual Risk + Bundesland-Blacklists 1. VVT-Verknüpfung: Dropdown "Verknüpfte VVT-Aktivität" in Step 1, lädt Aktivitäten via API, auto-fills Verarbeitungstätigkeit bei Auswahl 2. Residual Risk: Neuer Step 5 im Wizard — Bewertung des Restrisikos nach Maßnahmen. Bei hoch/kritisch → Art. 36 Vorabkonsultation Warnung 3. Bundesland-Blacklists (Art. 35 Abs. 4): 16 Landesbehörden mit DSK-Muss-Liste (10 gemeinsame Kriterien) + länderspezifische Ergänzungen (Bayern: Whistleblower/Drohnen, NRW: Social-Media- Monitoring, Berlin: Mieterbonitätsprüfung). Automatische Prüfung gegen Scope-Antworten. Blacklist-Matches im DSFA-Banner angezeigt. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 21:48:59 +02:00
Benjamin Admin	84b21cad08	feat: DSFA pre-fill from Company Profile + Scope answers - New prefill-from-scope.ts utility: - headquartersState → federal_state (Bundesland for authority lookup) - data_art9 → special data categories (Gesundheit, Biometrie, etc.) - data_minors → adds "Minderjährige" to data subjects + raises risk - proc_adm_scoring → Art. 22 affected rights + measures - proc_ai_usage → involves_ai flag + AI measures - proc_video_surveillance → video data categories - industry/businessModel → processing purpose + legal basis - isDSFARequired() check: shows red banner when Art. 35 triggers detected - GeneratorWizard accepts prefill prop, initializes all fields - Passes federal_state, involves_ai, legal_basis to backend POST Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 19:36:13 +02:00
Benjamin Admin	95baf60da3	refactor: Paket 2 Analyse umstrukturiert + AI Act/Evidence verschoben Paket 2 Analyse (vorher 7 Steps → jetzt 5): 1. Requirements — Pruefaspekte aus Regulierungen 2. Controls — Technische & organisatorische Massnahmen 3. Risk Matrix — Risikobewertung (vorher #4, jetzt #3) 4. Audit Checklist — Pruefbare Checkliste (vorher #6) 5. Audit Report — Zusammenfassender Report (vorher #7) Verschoben: - AI Act → Paket 1 Vorbereitung (optional, nur bei KI-Einsatz) - Evidence → Paket 5 Betrieb (Nachweise laufend sammeln, nicht einmalig) SDK Flow (steps-*.ts) synchronisiert mit neuer Reihenfolge. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 16:40:10 +02:00
Benjamin Admin	f737bfc4db	refactor: Integrate Modules into Scope-Decision (Option C) - RegulationsPanel: added enable/disable toggles per regulation - ScopeDecisionTab: passes enabledModules + onToggleModule - Scope page: auto-enables all applicable regulations when loaded - Modules step: isOptional=true, moved to Zusatzmodule - Requirements: now depends on compliance-scope, not modules - Source-policy: now depends on use-case-assessment, not modules Flow: Profile → Scope → Scope-Decision shows applicable regulations with toggles → Requirements derived from enabled regulations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 14:29:53 +02:00
Benjamin Admin	7ab1476d8f	refactor: Move Screening to Zusatzmodule (optional) - Screening step: isOptional=true - Compliance Modules no longer depends on Screening - Description updated to "SBOM + Vulnerability Scan (OSV.dev)" Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 13:55:09 +02:00
Benjamin Admin	225456ec14	refactor: Source Policy — strip PII/Audit/Blocked, move to Zusatzmodule - Removed: PII-Regeln tab (→ Core Service, other repo) - Removed: Audit tab (→ redundant with Document Workflow + RBAC) - Removed: Blockierte Inhalte tab (→ belongs to PII) - Kept: Quellen-Whitelist + Berechtigungen (Operations Matrix) - Renamed: "Source Policy" → "Quellen-Verwaltung" - Moved: From Paket 1 (Pflicht) to Zusatzmodule (optional) - sdk-steps.ts: isOptional=true, requirements no longer depends on it - Sidebar: Added under Zusatzmodule section - Page reduced from 365 → 130 lines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 11:36:20 +02:00
Benjamin Admin	e0f59cdf82	feat: IAB TCF 2.2 + sidebar naming consistency (Option C) TCF/IAB 2.2: - TCFEncoderService: base64url TC String generation per IAB spec - 12 IAB purposes mapped to banner categories - tcf_routes: 5 endpoints (purposes, features, mapping, encode) - Auto-generate TC String on consent when tcf_enabled=true - TCFSettings.tsx: enable/disable, purpose grid, test encoder - New "TCF/IAB" tab in cookie-banner (7 tabs total) Sidebar naming (Option C): - SDK step "Einwilligungen" renamed to "Consent-Records" to match CMP sidebar label — consistent across both navigations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 07:10:53 +02:00
Benjamin Admin	c89a68e59e	feat: Whistleblower backend + Scanner banner-check (last 2 gaps) Whistleblower (HinSchG): - Migration 118: 3 tables (reports, messages, measures) with HinSchG deadlines (7d acknowledgment, 3mo feedback) - whistleblower_routes.py: 14 endpoints (CRUD, acknowledge, close, messages, measures, public submit, anonymous status check) - Frontend api-operations.ts rewired from Go SDK to compliance proxy - Access key format XXXX-XXXX-XXXX for anonymous reporters Scanner banner-check (TTDSG § 25): - CMP Dashboard: green "Kein Cookie-Banner erforderlich" when no trackers detected + no banner configured - Red warning "Cookie-Banner fehlt!" when trackers found but no banner - Mandatory note: Impressum (DDG § 5) + DSE (DSGVO Art. 13) still required [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 00:22:18 +02:00
Benjamin Admin	9b4be663f7	feat: Rollenkonzept backend + SOP template (Phase 1-3) - Migration 111: 3 new tables (org_roles, document_reviews, document_role_mapping) with seed data mapping all 71 doc types to 7 compliance roles - org_role_routes.py: CRUD for roles, seed defaults, test email, mapping API - document_review_routes.py: Review lifecycle (create→send→approve/reject) with approval notification to all affected roles - Migration 112: SOP template (ISO 9001 structure, 21 placeholders) - Added standard_operating_procedure to TemplateType, doc-labels, presets [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 13:03:38 +02:00
Benjamin Admin	ce52dd153e	feat: Complete template coverage — 13 presets, 71 doc types, 100% mapped - Split presets into interface + data files (500-line budget) - Extract DOC_LABELS into doc-labels.ts with all 71 template types - Add 3 new presets: Cloud/SaaS-Anbieter, Finanzdienstleister, Plattform - Expand Enterprise preset to 48 docs (full ISMS + BCM + DSR) - Every template type appears in at least one preset - ISO references verified: citations only, no copyrighted standard text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 10:59:58 +02:00
Benjamin Admin	3aff80fb0c	fix: Complete recommended docs for all 10 industry presets Every preset now includes DSGVO-mandatory docs (TOM, VVT, Löschkonzept) plus Cookie-Banner/Policy, Mitarbeiter-DSI, Bewerber-DSI, and industry-specific extras (DSFA, Whistleblower, ISMS, TIA, etc.). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 10:07:30 +02:00
Benjamin Admin	a56ea2c843	feat: A4 preview + example data + company profile presets Feature 1: DIN A4 Preview - Markdown→HTML renderer (inline, no dependency) - A4 page container (210mm × 297mm) with print styling - Toggle between "Vorschau" (rendered A4) and "Markdown" (raw) - Print button opens new window with @page A4 CSS - Purple theme for headings, styled tables Feature 2: Example Data Button - "Beispieldaten" button in Generator header - Loads examples/{templateType}_{lang}.json - Prefills all context fields for instant full preview Feature 3: Company Profile Presets - 10 industry presets: SaaS Startup, Consumer App, E-Commerce, IT-Agentur, Maschinenbau, Rechtsanwalt, Arztpraxis, Handwerk, Bildung, Enterprise - Each with pre-filled CompanyProfile + scope hints + recommended docs - PresetSelector component (card grid with icons) - "Manuell ausfuellen" skip option Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 07:38:18 +02:00
Benjamin Admin	cb2d503e84	feat: Google Consent Mode v2 + Developer Portal cookie banner docs Phase A: Google Consent Mode v2 in cookie-banner-embed.ts - gtag('consent', 'default', {...denied}) before banner loads - gtag('consent', 'update', {...}) after user decision - Automatic mapping: statistics→analytics_storage, marketing→ad_storage Phase B: 5 Developer Portal pages at /sdk/consent/cookie-banner/ - Overview page with 4 cards - Integration Guide: 3-step setup, script-tag, categories - Google Consent Mode: automatic integration, parameter mapping - Script Blocking: type=text/plain pattern, GA/FB/Hotjar examples - Compliance Checklist: 12 points, 9 automatic Sidebar navigation extended with Cookie-Banner section. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-02 17:13:34 +02:00
Benjamin Admin	dccd9d09e5	feat: cookie banner compliance hardening — 5 legal requirements 1. Impressum link mandatory in banner (§5 TMG) 2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49) 3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent) 4. Script-Blocking: data-cookie-category + type="text/plain" pattern Scripts only execute AFTER user consents to that category 5. Buttons already equal size (flex:1) — verified correct Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-02 15:50:54 +02:00
Benjamin Admin	f6536e8d08	fix: Use Array.isArray for legalHolds check legalHolds can be a JSONB object {} instead of an array [], so the \|\| [] fallback wasn't sufficient. Array.isArray handles all edge cases (null, undefined, object, string). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 21:12:28 +02:00
Benjamin Admin	e3f26d7572	fix: Defensive legalHolds check in Loeschfristen getActiveLegalHolds() crashed with "e.legalHolds.filter is not a function" when legalHolds was null/undefined (e.g. old DB entries without the JSONB field). Added fallback to empty array. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 21:06:24 +02:00
Benjamin Admin	062d607da9	feat: Scope questions, placeholder mappings, example contexts Scope questions (compliance-scope-data.ts): - 7 new questions: org_has_employees, org_has_social_media, org_has_video_conferencing, proc_uses_ai_tools, proc_byod_allowed, prod_ugc_platform, org_cert_iso27001 Template recommendations updated: - employee_dsi/applicant_dsi now triggered by org_has_employees - ai_usage_policy triggered by proc_uses_ai_tools - byod_policy triggered by proc_byod_allowed (required when yes) - social_media_dsi triggered by org_has_social_media - video_conference_dsi triggered by org_has_video_conferencing - community_guidelines/terms_of_use triggered by prod_ugc_platform Placeholder mappings (contextBridge-helpers.ts): - 30+ new mappings for: whistleblower, video conference, AI policy, BYOD, consent, social media, transfer/SCC, DSI fields - SECTION_COVERS updated for template relevance detection Example contexts: ai_usage_policy_de, employee_dsi_de, social_media_dsi_de, tia_de Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 13:43:09 +02:00
Benjamin Admin	ef8eead513	feat: Adequacy decisions, DPF check, customer guidance for transfers New: adequacy-decisions.ts - Complete list of 15 countries with EU adequacy decisions (Art. 45) - EU/EEA country set (30 countries) - getTransferRequirement() — determines SCC/TIA/certification needs per country code with human-readable explanations - US special handling: DPF certification required, check URL included Updated: transfers/page.tsx - "Was muss ich tun?" explanation section with 3 options: 1. Adequacy decision (green) — no action needed 2. DPF certification (blue, US only) — check dataprivacyframework.gov 3. SCC + TIA required (amber) — link to Document Generator - Collapsible adequacy countries table (15 countries with restrictions) - Schrems II background explanation for customers - Customer guidance written for non-experts who never heard of TIA/SCC Updated: templateRecommendations.ts - SCC+TIA rules now consider DPF certification and adequacy status - us_dpf_only → SCC/TIA optional (not required) - adequate_only → SCC/TIA not recommended Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 12:57:54 +02:00
Benjamin Admin	b2a28eb4cd	feat: DSR Prozessbeschreibungen Art. 15-21 mit Swim-Lane-Diagrammen Build + Deploy / build-admin-compliance (push) Successful in 10s Details Build + Deploy / build-backend-compliance (push) Successful in 9s Details Build + Deploy / build-ai-sdk (push) Successful in 8s Details Build + Deploy / build-developer-portal (push) Successful in 7s Details Build + Deploy / build-tts (push) Successful in 7s Details Build + Deploy / build-document-crawler (push) Successful in 7s Details Build + Deploy / build-dsms-gateway (push) Successful in 7s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go (push) Failing after 41s Details CI / test-python-backend (push) Successful in 35s Details CI / test-python-document-crawler (push) Successful in 25s Details CI / test-python-dsms-gateway (push) Successful in 21s Details CI / loc-budget (push) Failing after 13s Details CI / secret-scan (push) Has been skipped Details CI / go-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m29s Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / validate-canonical-controls (push) Successful in 13s Details Build + Deploy / trigger-orca (push) Successful in 1m53s Details 7 vollstaendige Prozessbeschreibungen fuer den Document Generator: - Art. 15: Auskunftsrecht (30 Tage, 6 Schritte, Informationskatalog) - Art. 16: Berichtigungsrecht (14 Tage, inkl. Art. 19 Mitteilung) - Art. 17: Loeschungsrecht (14 Tage, Art. 17(3) Ausnahmen-Checkliste) - Art. 18: Einschraenkungsrecht (14 Tage, erlaubte Verarbeitung) - Art. 19: Mitteilungspflicht (automatisch bei Art. 16/17/18) - Art. 20: Datenuebertragbarkeit (30 Tage, JSON/CSV/XML Export) - Art. 21: Widerspruchsrecht (30 Tage, Sonderfall Direktwerbung) Jede Beschreibung enthaelt: - Mermaid Swim-Lane-Diagramm (Betroffener/Sachbearbeitung/Fachabteilung/DSB) - Detaillierte Schritt-Tabelle mit Verantwortlichkeiten und Fristen - Rechtsgrundlagen-Verweise - Firmen-Platzhalter (FIRMENNAME, VERSION, DATUM, DSB_NAME) Integration: - 7 neue Typen in VALID_DOCUMENT_TYPES (legal_template_routes.py) - Neue Kategorie "DSR-Prozesse" im Document Generator Frontend - DSR types-core.ts: templateType Feld verknuepft DSR → Document Generator - Migration 085 seeded die Templates in die legal_templates Tabelle [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-28 19:25:38 +02:00
Benjamin Admin	b39c1d5dce	feat: DSR Prozessbeschreibungen Art. 15-21 mit Swim-Lane-Diagrammen Build + Deploy / build-admin-compliance (push) Successful in 1m56s Details Build + Deploy / build-backend-compliance (push) Successful in 3m5s Details Build + Deploy / build-ai-sdk (push) Successful in 47s Details Build + Deploy / build-developer-portal (push) Successful in 1m5s Details Build + Deploy / build-tts (push) Successful in 1m23s Details Build + Deploy / build-document-crawler (push) Successful in 33s Details Build + Deploy / build-dsms-gateway (push) Successful in 23s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / loc-budget (push) Failing after 17s Details CI / secret-scan (push) Has been skipped Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m40s Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / test-go (push) Successful in 42s Details CI / test-python-backend (push) Successful in 47s Details CI / test-python-document-crawler (push) Successful in 33s Details CI / test-python-dsms-gateway (push) Successful in 22s Details CI / validate-canonical-controls (push) Successful in 18s Details Build + Deploy / trigger-orca (push) Successful in 2m53s Details 7 vollstaendige Prozessbeschreibungen fuer den Document Generator: - Art. 15: Auskunftsrecht (30 Tage, 6 Schritte, Informationskatalog) - Art. 16: Berichtigungsrecht (14 Tage, inkl. Art. 19 Mitteilung) - Art. 17: Loeschungsrecht (14 Tage, Art. 17(3) Ausnahmen-Checkliste) - Art. 18: Einschraenkungsrecht (14 Tage, erlaubte Verarbeitung) - Art. 19: Mitteilungspflicht (automatisch bei Art. 16/17/18) - Art. 20: Datenuebertragbarkeit (30 Tage, JSON/CSV/XML Export) - Art. 21: Widerspruchsrecht (30 Tage, Sonderfall Direktwerbung) Jede Beschreibung enthaelt: - Mermaid Swim-Lane-Diagramm (Betroffener/Sachbearbeitung/Fachabteilung/DSB) - Detaillierte Schritt-Tabelle mit Verantwortlichkeiten und Fristen - Rechtsgrundlagen-Verweise - Firmen-Platzhalter (FIRMENNAME, VERSION, DATUM, DSB_NAME) Integration: - 7 neue Typen in VALID_DOCUMENT_TYPES (legal_template_routes.py) - Neue Kategorie "DSR-Prozesse" im Document Generator Frontend - DSR types-core.ts: templateType Feld verknuepft DSR → Document Generator - Migration 085 seeded die Templates in die legal_templates Tabelle [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-28 17:53:44 +02:00
Benjamin Admin	55a2cd4a3d	feat: Verbraucherrecht-Obligations + Widerrufsbutton-Pflicht ab 19.06.2026 Build + Deploy / build-admin-compliance (push) Successful in 1m51s Details Build + Deploy / build-backend-compliance (push) Successful in 2m48s Details Build + Deploy / build-ai-sdk (push) Successful in 43s Details Build + Deploy / build-developer-portal (push) Successful in 1m2s Details Build + Deploy / build-tts (push) Successful in 1m12s Details Build + Deploy / build-document-crawler (push) Successful in 30s Details CI / loc-budget (push) Failing after 15s Details CI / secret-scan (push) Has been skipped Details CI / test-python-backend (push) Successful in 35s Details CI / test-python-dsms-gateway (push) Successful in 19s Details CI / validate-canonical-controls (push) Successful in 12s Details Build + Deploy / build-dsms-gateway (push) Successful in 20s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 2m16s Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / test-go (push) Successful in 38s Details CI / test-python-document-crawler (push) Successful in 21s Details Build + Deploy / trigger-orca (push) Successful in 3m12s Details Neue Regulierung: EU-Richtlinie 2023/2673, §356a BGB 3 Obligations: - VBR-OBL-001: Digitaler Widerrufsbutton (Frist: 19.06.2026, Bussgeld: 50k EUR) - VBR-OBL-002: Widerrufsbelehrung bei Fernabsatz - VBR-OBL-003: Button-Loesung "zahlungspflichtig bestellen" Scope Engine: 3 neue Hard-Trigger-Rules (HT-N01..N03) fuer B2C, Online-Shop und Abo-Modelle. Total Obligations: 370 → 373 (12 Regulierungen) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-25 16:24:07 +02:00
Sharang Parnerkar	c05a71163b	fix: resolve CI failures in Python tests and admin-compliance build Build + Deploy / build-admin-compliance (push) Successful in 1m37s Details Build + Deploy / build-backend-compliance (push) Successful in 12s Details Build + Deploy / build-ai-sdk (push) Successful in 10s Details Build + Deploy / build-developer-portal (push) Successful in 12s Details Build + Deploy / build-tts (push) Successful in 12s Details Build + Deploy / build-document-crawler (push) Successful in 11s Details Build + Deploy / build-dsms-gateway (push) Successful in 12s Details CI/CD / loc-budget (push) Successful in 21s Details CI/CD / guardrail-integrity (push) Has been skipped Details CI/CD / go-lint (push) Has been skipped Details CI/CD / python-lint (push) Has been skipped Details CI/CD / nodejs-lint (push) Has been skipped Details CI/CD / test-go-ai-compliance (push) Successful in 42s Details CI/CD / test-python-backend-compliance (push) Has started running Details CI/CD / test-python-document-crawler (push) Has been cancelled Details CI/CD / test-python-dsms-gateway (push) Has been cancelled Details CI/CD / sbom-scan (push) Has been cancelled Details CI/CD / validate-canonical-controls (push) Has been cancelled Details Build + Deploy / trigger-orca (push) Successful in 2m19s Details Python: add missing 'import enum' to compliance/db/models.py shim. TypeScript: remove duplicate export of useVendorCompliance from vendor-compliance/context.tsx (already exported from ./hooks). Docs: add mandatory pre-push checklist (lint + test + build) to AGENTS.python.md and AGENTS.go.md. [guardrail-change] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-19 16:41:39 +02:00
Sharang Parnerkar	19d6437161	refactor(admin): split vvt-baseline-catalog into domain barrel Extracted 630-LOC monolith into 6 domain files (all <200 LOC) plus a 29-line barrel re-exporting everything for zero breaking-change impact. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:46:31 +02:00
Sharang Parnerkar	7d8e5667c9	refactor(admin-compliance): split 7 oversized files under 500 LOC hard cap (batch 3) - tom-generator/export/zip.ts: extract private helpers to zip-helpers.ts (544→342 LOC) - tom-generator/export/docx.ts: extract private helpers to docx-helpers.ts (525→378 LOC) - tom-generator/export/pdf.ts: extract private helpers to pdf-helpers.ts (517→446 LOC) - tom-generator/demo-data/index.ts: extract DEMO_RISK_PROFILES + DEMO_EVIDENCE_DOCUMENTS to demo-data-part2.ts (518→360 LOC) - einwilligungen/generator/privacy-policy-sections.ts: extract sections 5-7 to part2 (559→313 LOC) - einwilligungen/export/pdf.ts: extract HTML/CSS helpers to pdf-helpers.ts (505→296 LOC) - vendor-compliance/context.tsx: extract API action hooks to context-actions.tsx (509→286 LOC) All originals re-export from sibling files — zero consumer import changes needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:43:41 +02:00
Sharang Parnerkar	feedeb052f	refactor(admin-compliance): split 11 oversized files under 500 LOC hard cap (batch 2) Barrel-split pattern: each original becomes a thin re-export barrel; logic moved to sibling files so no consumer imports need updating. Files split: - loeschfristen-profiling.ts → profiling-data.ts + profiling-generator.ts - vendor-compliance/catalog/vendor-templates.ts → vendor-country-profiles.ts - vendor-compliance/catalog/legal-basis.ts → legal-basis-retention.ts - dsfa/eu-legal-frameworks.ts → eu-legal-frameworks-national.ts - compliance-scope-types/document-scope-matrix-core.ts → core-part2.ts - compliance-scope-types/document-scope-matrix-extended.ts → extended-part2.ts - app/sdk/document-generator/contextBridge.ts → contextBridge-helpers.ts - app/api/sdk/drafting-engine/draft/route.ts → draft-helpers.ts + draft-helpers-v2.ts All files ≤ 500 LOC. Zero behavior changes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:32:08 +02:00
Sharang Parnerkar	92a47bf6f9	refactor: split oversized html-builder files under 500 LOC hard cap obligations-document/html-builder.ts (620→304 LOC): extract sections 6-11 and footer into html-builder-sections-6-11.ts (339 LOC). loeschfristen-document/html-builder.ts (603→353 LOC): extract sections 6-12 into html-builder-sections-6-12.ts (259 LOC). Both orchestrators re-export from siblings; zero behavior change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:12:01 +02:00
Sharang Parnerkar	91063f09b8	refactor(admin): split lib document generators and data catalogs into domain barrels obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:07:03 +02:00
Sharang Parnerkar	e58af8aa30	refactor(admin): split tom-generator controls loader and vendor risk controls-library Split loader.ts (3163 LOC) into categories/ subdir (8 files, each <500 LOC): - access.ts (ACCESS_CONTROL + ADMISSION_CONTROL + ACCESS_AUTHORIZATION) - transfer-input.ts (TRANSFER_CONTROL + INPUT_CONTROL) - order-availability.ts (ORDER_CONTROL + AVAILABILITY) - separation-encryption.ts (SEPARATION incl. DL-* + ENCRYPTION) - pseudonymization.ts (PSEUDONYMIZATION) - resilience-recovery.ts (RESILIENCE + RECOVERY) - review.ts (REVIEW + training/TR-* controls) - category-map.ts (category metadata Map) Split controls-library.ts (943 LOC) into domain files: - transfer-audit.ts (TRANSFER + AUDIT) - deletion-incident.ts (DELETION + INCIDENT) - subprocessor-tom.ts (SUBPROCESSOR + TOM) - contract-data-subject.ts (CONTRACT + DATA_SUBJECT) - security-governance.ts (SECURITY + GOVERNANCE) Both barrel files preserved their full public API. No consumer imports changed. Zero new TypeScript errors introduced (305 pre-existing errors unchanged). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 09:20:22 +02:00
Sharang Parnerkar	535d3d8c20	refactor(admin): split lib/sdk/types.ts and vendor-compliance/types.ts into domain barrels Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 09:05:19 +02:00

1 2 3

140 Commits