4087bb5f185d31bc448fc75ef18db59f9fdff1aa
15 commits

commit 57c0f940a2
feat(consent+report): P56-P67 Mercedes audit cycle (anti-audit, Phase G vendors, cookie-behavior validator + 5 mail-polish items) [migration-approved]
CI / detect-changes (push) Successful in 11s
CI / branch-name (push) Has been skipped
CI / nodejs-build (push) Successful in 2m19s
CI / test-go (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 16s
CI / loc-budget (push) Failing after 15s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 37s
P56 Anti-auditing detection reported as a constructive compliance finding
(recommendation of an audit API instead of an accusation, because Mercedes
legitimately blocks bots)
P57 Phase G vendor_details union with cmp_vendors -> 42 vendors visible
P58 Anti-audit detection made more robust (script-domain check + settings-specific)
P59 Cookie-behavior validator (4 layers, 3-tier severity: MEDIUM = category
mismatch / HIGH = purpose mismatch / CRITICAL = both = indication of intent)
+ Open Cookie Database (CC0) as library seed (2264 cookies)
P59b Cookie behavior wired into the banner check + mail block (BUGFIX: open
SessionLocal ourselves; db was not in scope in the background task)
Mail polish after the Mercedes review:
P63 Banner footer links also detected in wb7-link/role=link (Shadow-DOM
walker label-based instead of only <a href>)
P64 Re-access severity: MEDIUM instead of HIGH when a footer "Einstellungen"
(settings) link or a Mercedes-typical one exists; OEM footer detection (wb7-footer)
P65 Text truncation: word boundary instead of character cut (no more "einfa"
breaks in the immediate-measures section)
P66 GF actions: service purpose vs cookie purpose explained explicitly
(common marketing/GF confusion: the "Akamai description" != cookie purpose
per DSK-OH 2024)
P67 Stirring finding with a "loss framing" explanation + old-vs-neutral
example, instead of only the EDPB technical term
Compliance-advisor FAQ (admin agent-core/soul):
+ CNIL/EDPB top fines (Google 100M, Meta 60M, Amazon 35M)
+ German precedents (LG Muenchen Google Fonts, EuGH Planet49, BGH I ZR 7/16)
+ 4 risk paths (fine/warning letter/class action/NOYB) + calculation methodology
Document-generator templates: AGB-DE (142), Impressum (140), withdrawal-form
annex (143), DSR-process dedup (139), cookie library (144).
Architecture: doc_action_mappings.py + banner_dom_walkers.py +
cookie_behavior_validator.py + vendor_detail_extractor.py extracted to keep
agent_doc_check_report.py and banner_text_checker.py within the 500-LOC caps.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
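The three severity tiers named under P59 (MEDIUM = category mismatch, HIGH = purpose mismatch, CRITICAL = both), as an added Python example. This is not the project's cookie_behavior_validator.py and does not reproduce its four layers; it assumes a cookie library keyed by cookie name that carries a canonical category and a short purpose key, a hypothetical German/English category synonym table, and a constructed five-entry seed in place of the 2264-entry Open Cookie Database import. Purposes are compared as exact keys, which real policy text would first have to be normalised into.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Mapping


class Severity(IntEnum):
    """Tiers as stated under P59; the ordering is used for sorting."""
    NONE = 0
    MEDIUM = 1    # category mismatch only
    HIGH = 2      # purpose mismatch only
    CRITICAL = 3  # both mismatch: treated as an indication of intent


@dataclass(frozen=True)
class CookieFact:
    name: str
    category: str  # banner label ("Statistik") or canonical key ("analytics")
    purpose: str   # short purpose key; assumption: already normalised


@dataclass(frozen=True)
class Finding:
    cookie: str
    severity: Severity
    detail: str


# Hypothetical synonym table (assumption): German/English banner labels
# mapped onto the canonical category keys the library uses.
CATEGORY_SYNONYMS = {
    "necessary": "necessary", "notwendig": "necessary", "essential": "necessary",
    "functional": "functional", "funktional": "functional",
    "analytics": "analytics", "statistik": "analytics", "statistics": "analytics",
    "marketing": "marketing", "werbung": "marketing", "advertising": "marketing",
}

# Constructed five-entry seed standing in for the cookie library; the project
# seeds 2264 entries from the CC0 Open Cookie Database instead.
LIBRARY: Mapping[str, CookieFact] = {
    "_ga": CookieFact("_ga", "analytics", "visitor_distinction"),
    "_gid": CookieFact("_gid", "analytics", "visitor_distinction"),
    "_fbp": CookieFact("_fbp", "marketing", "ad_targeting"),
    "fr": CookieFact("fr", "marketing", "ad_targeting"),
    "PHPSESSID": CookieFact("PHPSESSID", "necessary", "session"),
}


def normalise_category(label: str) -> str:
    """Map a banner label to a canonical key; unknown labels pass through."""
    key = label.strip().lower()
    return CATEGORY_SYNONYMS.get(key, key)


def classify(declared: CookieFact,
             library: Mapping[str, CookieFact] = LIBRARY) -> Finding:
    """Compare one declared cookie against the library and assign a tier."""
    known = library.get(declared.name)
    if known is None:
        # No reference behaviour to contradict, so no finding (not a pass).
        return Finding(declared.name, Severity.NONE, "not in library")
    category_mismatch = normalise_category(declared.category) != known.category
    purpose_mismatch = declared.purpose != known.purpose
    detail = (f"declared {declared.category}/{declared.purpose}, "
              f"library {known.category}/{known.purpose}")
    if category_mismatch and purpose_mismatch:
        return Finding(declared.name, Severity.CRITICAL, detail)
    if purpose_mismatch:
        return Finding(declared.name, Severity.HIGH, detail)
    if category_mismatch:
        return Finding(declared.name, Severity.MEDIUM, detail)
    return Finding(declared.name, Severity.NONE, "declaration matches library")


def validate(declared: Iterable[CookieFact],
             library: Mapping[str, CookieFact] = LIBRARY) -> list[Finding]:
    """Classify every declared cookie and return findings, most severe first."""
    return sorted((classify(c, library) for c in declared),
                  key=lambda f: f.severity, reverse=True)


if __name__ == "__main__":
    # Constructed declarations, as a cookie policy or banner might list them.
    declared = [
        CookieFact("_ga", "Statistik", "visitor_distinction"),   # matches
        CookieFact("_fbp", "Funktional", "ad_targeting"),        # category only
        CookieFact("_gid", "analytics", "load_balancing"),       # purpose only
        CookieFact("fr", "Notwendig", "session"),                # both
        CookieFact("wb7_theme", "functional", "ui_preference"),  # unknown
    ]
    for finding in validate(declared):
        print(f"{finding.severity.name:8} {finding.cookie:10} {finding.detail}")
```

A cookie the library does not know yields no finding rather than a false one: the validator can only contradict a declaration where it has reference behaviour to compare against, so library coverage bounds what it can detect.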

commit 02ff96f74e
fix: resolve all merge conflict markers from feat/zeroclaw-compliance-agent
Build + Deploy / build-admin-compliance (push) Successful in 2m7s
Build + Deploy / build-backend-compliance (push) Failing after 5m21s
Build + Deploy / build-ai-sdk (push) Successful in 53s
Build + Deploy / build-developer-portal (push) Successful in 1m18s
Build + Deploy / build-tts (push) Successful in 1m42s
Build + Deploy / build-document-crawler (push) Successful in 45s
Build + Deploy / build-dsms-gateway (push) Successful in 27s
Build + Deploy / build-dsms-node (push) Successful in 19s
CI / branch-name (push) Has been skipped
Build + Deploy / trigger-orca (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / loc-budget (push) Failing after 19s
CI / secret-scan (push) Has been skipped
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m6s
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / test-go (push) Successful in 55s
CI / test-python-backend (push) Successful in 44s
CI / test-python-document-crawler (push) Successful in 30s
CI / test-python-dsms-gateway (push) Successful in 26s
CI / validate-canonical-controls (push) Successful in 18s
9 files had conflict markers from the branch merge. All resolved keeping the feature branch version. Also split agent_scan_routes.py (534→367 LOC) by extracting Pydantic models to agent_scan_models.py. [guardrail-change]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 36c6101b91
Merge feat/zeroclaw-compliance-agent into main
Brings all compliance doc-check features:
- 162 regex checks + 1874 Master Controls
- LLM-agnostic agent with tool calling
- Banner check (46 checks, 30 CMPs, stealth, Shadow DOM)
- Impressum check (24 checks)
- Deep consent verification (DataLayer, GCM, TCF)
- CMP E2E tests (39 tests)
- HTML email reports, FAQ, persistent history
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 64700b355e
feat: Review all 12 remaining policy templates + categorize
Migration 110: Updated descriptions and version for 12 previously unreviewed templates (asset_management, backup, change_management, cloud_security, devsecops, incident_response, logging, patch_management, secrets_management, vulnerability_management, informationspflichten, verpflichtungserklaerung).
All templates assessed as "Very Good" quality — only incremental updates needed (AI Act, CRA, NIS2UmsuCG references in descriptions).
informationspflichten: Kept as separate compact checklist (distinct from the full privacy_policy DSI template).
verpflichtungserklaerung: Kept as standalone HR document (employee signs at onboarding). Added to HR & Mitarbeiter category.
Result: 88 templates, 44 at v1.1+, 0 unreviewed remaining.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 4b9cf34243
feat: Full template cleanup + categories by use case
Cleanup (109):
- Removed DPA duplicates (v1 DE + v1 EN, kept v2 DE)
- Removed cookie_banner duplicate (kept larger with IF-blocks)
- Removed impressum duplicate (kept larger with IF-blocks)
- Removed TOM duplicate (kept newest)
- Removed DSFA v1 (kept v2)
- Kept all 8 VVT templates (1 main + 7 industry templates)
- DB: 98 → 88 templates, 0 duplicates remaining
Categories restructured by use case:
- Website/App: DSI, Impressum, Cookie, Social Media
- Online-Shop: AGB, Widerruf, DSI, Cookie
- SaaS/Cloud: AGB, AVV, SLA, Cloud Agreement
- App/Plattform: Nutzungsbedingungen, Community Guidelines, AUP
- Vertraege (B2B): AVV, NDA, SLA, Cloud
- DSGVO-Pflichten: TOM, VVT, Loeschkonzept, DSFA
- Sicherheitskonzepte + Richtlinien (separate categories)
- HR & Mitarbeiter, Daten-Governance, Vendor, BCM
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit d1fb19810b
fix: Remove premature closing brace in SECTION_FIELDS
The SECTION_FIELDS object was prematurely closed before the TOM and DPA sections, causing a build-time syntax error. Removed the extra closing brace so TOM and DPA fields are correctly inside the object.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit d942b21354
feat: SCC + TIA templates for third-country transfers
New templates for the Vendor Compliance module:
- 105: Transfer Impact Assessment (TIA) — Schrems II risk assessment with country evaluation, government access assessment, supplementary measures, risk matrix, and go/conditional/deny decision
- 105: SCC Companion Document — annexes to EU Decision 2021/914 (module selection C2C/C2P/P2P/P2C, party details, data description, TOMs, sub-processor list)
Template recommendations: SCC+TIA triggered by tech_third_country answer
Generator: New "Drittlandtransfer" category
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 42e02fe72d
feat: Phase 6 — Integration + QS (categories, scope defaults, examples)
Phase 6 of the Document Templates Masterplan:
- Categories: Consolidated AI governance into internal_policies, removed redundant category
- scopeDefaults.ts: Added getRecommendedDocuments() function that maps L1-L4 compliance levels to required/recommended/optional document types (~60 types across 4 tiers)
- Examples: Added dpa_de.json, tom_de.json, whistleblower_de.json example contexts for the document generator
Document recommendation per level:
- L1 (Startup): 5 required (DSI, Impressum, AGB, Cookie)
- L2 (KMU): +6 recommended (AVV, TOM, VVT, Löschkonzept, etc.)
- L3 (Extended): +16 recommended (Security concepts, policies, HR DSI)
- L4 (Enterprise): +25 recommended (ISMS, BCM, all policies)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 3984f39329
feat: Phase 5 — Special templates (AI policy, BYOD, ISMS, consent, video DSI)
Phase 5 of the Document Templates Masterplan:
- 104: 5 new special templates:
- ai_usage_policy: AI usage policy (AI Act Art. 4 training obligation,
forbidden inputs, quality check, labeling, TDM opt-out)
- byod_policy: Bring Your Own Device (container solution, remote wipe,
DSFA, cost sharing options)
- consent_texts: Double-Opt-In texts, newsletter, marketing, tracking,
profiling consent, unsubscribe confirmation
- video_conference_dsi: Video conference privacy notice (Zoom/Teams/Meet,
recording consent, third-country transfer)
- isms_manual: ISMS handbook (ISO 27001, document structure map to all
other templates, PDCA cycle, management review)
Generator: 6 new categories (AI governance, ISMS, consent, special DSI,
internal policies)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit 4417938558
feat: Phase 3 — Security + HR/Vendor/BCM policies
Phase 3 of the Document Templates Masterplan:
- 103: 4 new security policies (information_security_policy, password_policy, encryption_policy, access_control_policy) + updates for CRA (056) and all 15 HR/Vendor/BCM policies (072)
New templates:
- Information Security Policy: ISMS-Leitlinie (ISO 27001, BSI, NIS2)
- Password Policy: BSI/NIST compliant (12+ chars, MFA, no forced rotation)
- Encryption Policy: BSI TR-02102, algorithms, key management, TLS config
- Access Control Policy: RBAC, Least Privilege, Zero Trust, recertification
Updates: AI Act + NIS2UmsuCG references for CRA and all 15 HR/Vendor/BCM
Generator: 6 new categories (security, HR, data, vendor, BCM policies)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit f591871277
feat: Phase 1 — Whistleblower + Cookie/Impressum + HR-DSI templates
Phase 1 of the Document Templates Masterplan:
- 098: Whistleblower-Richtlinie (HinSchG) — 10 sections, anonymous reporting, 7-day confirmation, 3-month feedback, reprisal protection
- 099: Cookie-Banner + Impressum updates — OS-Plattform discontinued note (July 2025), description updates
- 100: Applicant DSI + Employee DSI — two new HR privacy notices with § 26 BDSG, 6-month retention (applicants), modular blocks for video interviews, talent pool, IT monitoring, company vehicles, works council
Generator: 25 new fields (whistleblower, applicant, employee categories)
Categories: whistleblower, hr_dsi added to document generator
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit bae59e2ce0
feat: Document Templates v2 — 11 migrations + scope-based generator
Complete overhaul of document generator templates based on paragraph-by-paragraph legal review of attorney-drafted templates (TOM, AVV, AGB, DSI, Community Guidelines, Nutzungsbedingungen, Widerrufsbelehrung, Cookie-Richtlinie).
Templates (11 migrations 087-097):
- 087: TOM-Dokumentation v2 (11 categories incl. Trennungskontrolle)
- 088: AVV Art. 28 DSGVO (complete, §§ 1-11, 3 annexes)
- 089: Cross-document updates (Löschkonzept DIN 66399, VVT recipients)
- 090: AGB SaaS/Shop v2 (18 §§, B2B/B2C, IoT, physical goods, IP protection)
- 091: Community Guidelines v2 (3 tones, 11 modular categories, DSA-compliant)
- 092: Media & Content modules (MStV, AI Act Art. 50, UWG, Pressekodex)
- 093: DSI/Privacy Policy v2 (Art. 13 complete, shop+corporate modules)
- 094: Nutzungsbedingungen (Terms of Use, UGC, tipping, wallet, CC licenses)
- 095: Widerrufsbelehrung (SaaS + physical + IoT bundle + combo)
- 096: Social Media DSI (Facebook, YouTube, LinkedIn, TikTok, Meta Pixel)
- 097: Cookie-Richtlinie v2 (TDDDG § 25, consent banner, browser links)
Frontend (generator):
- scopeDefaults.ts: L1-L4 scope-based defaults from Compliance Scope Engine
- contextBridge.ts: TOMCtx + DPACtx interfaces (70+ new fields)
- contextBridge-helpers.ts: 35+ placeholder mappings for TOM/DPA/AGB
- _constants.ts: 120+ new generator fields (TOM, DPA, AGB, community, media, social, nutzungsbedingungen, widerruf, cookie, shop, IoT)
- page.tsx: Auto-prefill TOM/DPA from scope engine decision
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit b2a28eb4cd
feat: DSR process descriptions Art. 15-21 with swim-lane diagrams
Build + Deploy / build-admin-compliance (push) Successful in 10s
Build + Deploy / build-backend-compliance (push) Successful in 9s
Build + Deploy / build-ai-sdk (push) Successful in 8s
Build + Deploy / build-developer-portal (push) Successful in 7s
Build + Deploy / build-tts (push) Successful in 7s
Build + Deploy / build-document-crawler (push) Successful in 7s
Build + Deploy / build-dsms-gateway (push) Successful in 7s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go (push) Failing after 41s
CI / test-python-backend (push) Successful in 35s
CI / test-python-document-crawler (push) Successful in 25s
CI / test-python-dsms-gateway (push) Successful in 21s
CI / loc-budget (push) Failing after 13s
CI / secret-scan (push) Has been skipped
CI / go-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 2m29s
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 13s
Build + Deploy / trigger-orca (push) Successful in 1m53s
7 complete process descriptions for the Document Generator:
- Art. 15: Right of access (30 days, 6 steps, information catalogue)
- Art. 16: Right to rectification (14 days, incl. Art. 19 notification)
- Art. 17: Right to erasure (14 days, Art. 17(3) exceptions checklist)
- Art. 18: Right to restriction of processing (14 days, permitted processing)
- Art. 19: Notification obligation (automatic for Art. 16/17/18)
- Art. 20: Data portability (30 days, JSON/CSV/XML export)
- Art. 21: Right to object (30 days, special case direct marketing)
Each description contains:
- Mermaid swim-lane diagram (data subject / case handler / department / DPO)
- Detailed step table with responsibilities and deadlines
- Legal-basis references
- Company placeholders (FIRMENNAME, VERSION, DATUM, DSB_NAME)
Integration:
- 7 new types in VALID_DOCUMENT_TYPES (legal_template_routes.py)
- New category "DSR-Prozesse" in the Document Generator frontend
- DSR types-core.ts: templateType field links DSR → Document Generator
- Migration 085 seeds the templates into the legal_templates table
[migration-approved]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit b39c1d5dce
feat: DSR process descriptions Art. 15-21 with swim-lane diagrams
Build + Deploy / build-admin-compliance (push) Successful in 1m56s
Build + Deploy / build-backend-compliance (push) Successful in 3m5s
Build + Deploy / build-ai-sdk (push) Successful in 47s
Build + Deploy / build-developer-portal (push) Successful in 1m5s
Build + Deploy / build-tts (push) Successful in 1m23s
Build + Deploy / build-document-crawler (push) Successful in 33s
Build + Deploy / build-dsms-gateway (push) Successful in 23s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / loc-budget (push) Failing after 17s
CI / secret-scan (push) Has been skipped
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 2m40s
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / test-go (push) Successful in 42s
CI / test-python-backend (push) Successful in 47s
CI / test-python-document-crawler (push) Successful in 33s
CI / test-python-dsms-gateway (push) Successful in 22s
CI / validate-canonical-controls (push) Successful in 18s
Build + Deploy / trigger-orca (push) Successful in 2m53s
(Commit message body identical to that of b2a28eb4cd above.)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

commit eeb9931d87
refactor(admin): split document-generator page.tsx into colocated components
Split 1130-LOC document-generator page into _components and _constants modules. page.tsx now 243 LOC (wire-up only). Behavior preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>