- Migration 111: 3 new tables (org_roles, document_reviews, document_role_mapping)
with seed data mapping all 71 doc types to 7 compliance roles
- org_role_routes.py: CRUD for roles, seed defaults, test email, mapping API
- document_review_routes.py: Review lifecycle (create→send→approve/reject)
with approval notification to all affected roles
- Migration 112: SOP template (ISO 9001 structure, 21 placeholders)
- Added standard_operating_procedure to TemplateType, doc-labels, presets
[migration-approved]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Split presets into interface + data files (500-line budget)
- Extract DOC_LABELS into doc-labels.ts with all 71 template types
- Add 3 new presets: Cloud/SaaS-Anbieter, Finanzdienstleister, Plattform
- Expand Enterprise preset to 48 docs (full ISMS + BCM + DSR)
- Every template type appears in at least one preset
- ISO references verified: citations only, no copyrighted standard text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every preset now includes DSGVO-mandatory docs (TOM, VVT, Löschkonzept)
plus Cookie-Banner/Policy, Mitarbeiter-DSI, Bewerber-DSI, and
industry-specific extras (DSFA, Whistleblower, ISMS, TIA, etc.).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link mandatory in banner (§5 TMG)
2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49)
3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent)
4. Script-Blocking: data-cookie-category + type="text/plain" pattern
Scripts only execute AFTER user consents to that category
5. Buttons already equal size (flex:1) — verified correct
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
legalHolds can be a JSONB object {} instead of an array [], so
the || [] fallback wasn't sufficient. Array.isArray handles all
edge cases (null, undefined, object, string).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getActiveLegalHolds() crashed with "e.legalHolds.filter is not a
function" when legalHolds was null/undefined (e.g. old DB entries
without the JSONB field). Added fallback to empty array.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New: adequacy-decisions.ts
- Complete list of 15 countries with EU adequacy decisions (Art. 45)
- EU/EEA country set (30 countries)
- getTransferRequirement() — determines SCC/TIA/certification needs
per country code with human-readable explanations
- US special handling: DPF certification required, check URL included
Updated: transfers/page.tsx
- "Was muss ich tun?" explanation section with 3 options:
1. Adequacy decision (green) — no action needed
2. DPF certification (blue, US only) — check dataprivacyframework.gov
3. SCC + TIA required (amber) — link to Document Generator
- Collapsible adequacy countries table (15 countries with restrictions)
- Schrems II background explanation for customers
- Customer guidance written for non-experts who never heard of TIA/SCC
Updated: templateRecommendations.ts
- SCC+TIA rules now consider DPF certification and adequacy status
- us_dpf_only → SCC/TIA optional (not required)
- adequate_only → SCC/TIA not recommended
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Python: add missing 'import enum' to compliance/db/models.py shim.
TypeScript: remove duplicate export of useVendorCompliance from
vendor-compliance/context.tsx (already exported from ./hooks).
Docs: add mandatory pre-push checklist (lint + test + build) to
AGENTS.python.md and AGENTS.go.md. [guardrail-change]
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extracted 630-LOC monolith into 6 domain files (all <200 LOC) plus a
29-line barrel re-exporting everything for zero breaking-change impact.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
obligations-document/html-builder.ts (620→304 LOC): extract sections 6-11
and footer into html-builder-sections-6-11.ts (339 LOC).
loeschfristen-document/html-builder.ts (603→353 LOC): extract sections 6-12
into html-builder-sections-6-12.ts (259 LOC). Both orchestrators re-export
from siblings; zero behavior change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Whistleblower (1220 -> 349 LOC) split into 6 colocated components:
TabNavigation, StatCard, FilterBar, ReportCard, WhistleblowerCreateModal,
CaseDetailPanel. All under the 300 LOC soft target.
Drive-by fix: the earlier fc6a330 split of compliance-scope-types.ts
dropped several helper exports that downstream consumers still import
(lib/sdk/index.ts, compliance-scope-engine.ts, obligations page,
compliance-scope page, constraint-enforcer, drafting-engine validate).
Restored them in the appropriate domain modules:
- core-levels.ts: maxDepthLevel, getDepthLevelNumeric, depthLevelFromNumeric
- state.ts: createEmptyScopeState
- decisions.ts: createEmptyScopeDecision + ApplicableRegulation,
RegulationObligation, RegulationAssessmentResult, SupervisoryAuthorityInfo
Verification: next build clean (142 pages generated), /sdk/whistleblower
still builds at ~11.5 kB.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Types and PROFILING_STEPS data (242 LOC) extracted to
loeschfristen-profiling-data.ts. Functions remain in
loeschfristen-profiling.ts (306 LOC). Both under 500.
Barrel re-exports in the logic file so existing imports work unchanged.
next build passes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
api-client.ts is now a thin delegating class (263 LOC) backed by:
- api-client-types.ts (84) — shared types, config, FetchContext
- api-client-state.ts (120) — state CRUD + export
- api-client-projects.ts (160) — project management
- api-client-wiki.ts (116) — wiki knowledge base
- api-client-operations.ts (299) — checkpoints, flow, modules, UCCA, import, screening
endpoints.ts is now a barrel (25 LOC) aggregating the 4 existing domain files
(endpoints-python-core, endpoints-python-gdpr, endpoints-python-ops, endpoints-go).
All files stay under the 500-line hard cap. Build verified with `npx next build`.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split the monolithic file into three content modules plus a barrel re-export:
- compliance-scope-profiling-blocks.ts (489 LOC): blocks 1-7, hidden questions, autofill IDs
- compliance-scope-profiling-vvt-blocks.ts (274 LOC): blocks 8-9, SCOPE_QUESTION_BLOCKS aggregate
- compliance-scope-profiling-helpers.ts (359 LOC): all prefill/export/progress functions
- compliance-scope-profiling.ts (41 LOC): barrel re-export preserving existing import paths
All files under the 500 LOC hard cap. No consumer changes needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split vendor-compliance/types.ts (1217 LOC), dsfa/types.ts (1082 LOC),
tom-generator/types.ts (963 LOC), and einwilligungen/types.ts (838 LOC)
into types/ directories with per-section domain files and barrel-export
index.ts files, matching the pattern in lib/sdk/types/index.ts.
All files are under 500 LOC. Build verified with npx next build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract data constants and document-scope logic from the monolithic engine:
- compliance-scope-data.ts (133 LOC): score weights + answer multipliers
- compliance-scope-triggers.ts (823 LOC): 50 hard trigger rules (data table)
- compliance-scope-documents.ts (497 LOC): document scope, risk flags, gaps, actions, reasoning
- compliance-scope-engine.ts (406 LOC): core class with scoring + trigger evaluation
All logic files stay under the 500 LOC cap. The triggers file exceeds it
as a pure declarative data table with no logic.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
compliance-scope-types.ts decomposed into 9 files under
compliance-scope-types/ with a barrel index.ts:
core-levels.ts (29) — ComplianceDepthLevel enum
constants.ts (83) — label mappings + defaults
questions.ts (77) — ComplianceScopeQuestion types
hard-triggers.ts (77) — HardTrigger rule types
documents.ts (84) — ScopeDocumentType + document definitions
decisions.ts (111) — Decision model types
document-scope-matrix-core.ts (551) — core document scope matrix data
document-scope-matrix-extended.ts (565) — extended document scope data
state.ts (22) — ComplianceScopeState
Note: the two document-scope-matrix files at 551/565 LOC are data tables
(static configuration arrays). They exceed the 500-line soft cap but are
a legitimate data-table exception — splitting them would fragment the
matrix lookup logic without improving readability.
next build passes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the monolithic types.ts with 11 focused modules:
- enums.ts, company-profile.ts, sdk-flow.ts, sdk-steps.ts, assessment.ts,
compliance.ts, sdk-state.ts, iace.ts, helpers.ts, document-generator.ts
- Barrel index.ts re-exports everything so existing imports work unchanged
All files under 500 LOC hard cap. tsc error count unchanged (185), next build passes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend: provenance endpoint (obligations, doc refs, merged duplicates,
regulations summary) + atomic-stats aggregation endpoint.
Frontend: ControlDetail mit Provenance-Sektionen, klickbare Navigation,
neue /sdk/atomic-controls Seite mit Stats-Bar und gefilterer Liste.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The HTML document builder was missing linked_vendor_ids in the detailed
obligation cards. Art. 28 obligations with linked vendors now display
them in the audit-ready PDF/HTML output.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Critical bug fix: mandatoryDocuments in Hard-Trigger-Rules used UPPERCASE
names (VVT, TOM, DSE) that never matched lowercase ScopeDocumentType keys
(vvt, tom, dsi). This meant no trigger documents were ever recognized as
mandatory in buildDocumentScope().
- Add normalizeDocType() mapping function with alias support
(DSE→dsi, LOESCHKONZEPT→lf, DSR_PROZESS→betroffenenrechte, etc.)
- Fix buildDocumentScope() to use normalized doc types
- Fix estimateEffort() to use lowercase keys matching ScopeDocumentType
- Add 2 tests for UPPERCASE normalization and alias resolution
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Split HT-H01 into HT-H01a (B2C/Hybrid mit Verbraucherschutzpflichten) und
HT-H01b (reiner B2B mit Basis-Pflichten). B2B-Webshops bekommen keine
Widerrufsbelehrung/Preisangaben/Fernabsatz mehr.
- Add excludeWhen/requireWhen to HardTriggerRule for conditional trigger logic
- Register 6 neue ScopeDocumentType: widerrufsbelehrung, preisangaben,
fernabsatz_info, streitbeilegung, produktsicherheit, ai_act_doku
- Full DOCUMENT_SCOPE_MATRIX L1-L4 for all new types
- Align HardTriggerRule interface with actual engine field names
- Add Phase H (Verbraucherschutz) to RAG ingestion script:
10 deutsche Gesetze + 4 EU-Verordnungen + HLEG Ethics Guidelines
- Add scripts/rag-sources.md with license documentation
- 9 new tests for B2B/B2C trigger split, all 326 tests pass
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Type alignment (root cause of client-side crash):
- RiskFlag: id/title/description → severity/category/message/recommendation
- ScopeGap: id/title/recommendation/relatedDocuments → gapType/currentState/targetState/effort
- NextAction: id/priority:number/effortDays → actionType/priority:string/estimatedEffort
- ScopeReasoning: details → factors + impact
- TriggeredHardTrigger: {rule: HardTriggerRule} → flat fields (ruleId, description, etc.)
- All UI components updated to match engine output shape
Project isolation:
- Scope localStorage key now includes projectId (prevents data leak between projects)
Optional block progress:
- Blocks with only optional questions now show green checkmark when any question answered
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The engine used short property names (risk, complexity, assurance, composite) while
the ComplianceScores interface defined (risk_score, complexity_score, assurance_need,
composite_score). Components used yet another convention (riskScore, level, hardTriggers).
The main crash was DEPTH_LEVEL_COLORS[decision.level] where decision.level was undefined
(correct property: decision.determinedLevel).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Step 2 im VVT-Generator: Ja/Nein-Buttons durch expandierbare Kacheln ersetzt.
Pro Abteilung werden typische Datenkategorien als Checkboxen angezeigt (isTypical
vorausgefuellt), Art. 9 Kategorien orange hervorgehoben mit DSGVO-Warnung.
7 neue Wiki-Artikel fuer Datenkategorien pro Geschaeftsbereich (HR, Finanzen,
Vertrieb, Marketing, Support, IT, Produktion).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Benjamin Admin