126 Commits

Author	SHA1	Message	Date
Benjamin Admin	7335f64f4f	feat(founding-wizard): Per-Person IP-Assignment + Prefill + E2E-Tests ... Wizard unterstuetzt jetzt 2-4 Gesellschafter mit individuellem IP-Bereich: - Pro Gruender ein IP-Assignment-Vertrag (z.B. Benjamin: Compliance+RAG; Sharang: Security+Infrastruktur). Pro GF ein eigener Dienstvertrag. - Step 1: Prefill-Button aus Unternehmensprofil + Felder Registergericht und HRB-Nr. - Step 2: Rollen-Dropdown (CEO/CTO/CFO/COO/CPO/GF/Sonstige) statt freie Texteingabe, IP-Bereiche-Textarea pro Person. Backend: - generate_documents() iteriert pro Person fuer PER_PERSON_DOCS. - _build_person_context() injiziert ASSIGNOR_*, GF_*, IP_LIST_DETAILS aus person.ip_areas. - base_context() propagiert basics.register_court und basics.hrb_number. Tests: - 30/30 Pytest gruen (6 neue: Per-Person-Context, Slug-Helper, Registergericht-Propagation). - 4 neue Playwright-E2E-Specs (hermetisch via route.fulfill, mit Console-/Page-Error-Traps): kompletter 8-Step-Flow, Prefill-Fehlerpfad, Step-Navigation/Reset, Rollen-Dropdown + IP-Areas. - Spec setzt 'bp-sdk-cookie-consent' im addInitScript damit der CookieBannerOverlay nicht die Wizard-Buttons ueberlagert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 18:49:10 +02:00
Benjamin Admin	7a5f1e48dd	feat(founding-wizard): Gründungs-Wizard für 2-Mann GmbH + 14 Notar-Templates ... [migration-approved] Templates (Migrations 123-136): - 123 GO-GF (Geschäftsordnung Geschäftsführung) - 124 SHA (Shareholders' Agreement, 56 Platzhalter) - 125 Satzung (Articles of Association mit UG-Variante) - 126 GF-Dienstvertrag (Trennungsprinzip Organ/Anstellung) - 127 Arbeitsvertrag (AGG-neutral, NachwG, eAU) - 128 Gesellschafterliste (§ 40 GmbHG) - 129 GF-Bestellungsbeschluss (mit § 6 Abs. 2 Versicherung) - 130 HRB-Anmeldung (§§ 7, 8, 39 GmbHG, § 12 HGB) - 131 IP-Assignment Agreement (Gründer→GmbH) - 132 Term Sheet (Pre-Seed/Seed VC-Standard) - 133 Wandeldarlehensvertrag (Convertible Loan) - 134 Beteiligungsvertrag (Subscription Agreement) - 135 ESOP/VSOP-Plan (3 Varianten) - 136 Cap Table Kategorisierung (Migrations 137-138): - ALTER TABLE compliance_legal_templates ADD lifecycle_stage TEXT[], functional_category TEXT (mit CHECK Constraints + GIN-Index) - Backfill aller 105 Templates: lifecycle_stage (pre_founding|founding| startup|kmu|konzern) + functional_category (founding_legal|employment| investor_funding|...) Backend Founding-Wizard Service: - template_renderer.py: Handlebars-light ({{VAR}}, {{#IF FLAG}}...{{/IF}}) - wizard_to_context.py: Mapping Wizard-State → SCREAMING_SNAKE_CASE Vars - markdown_to_docx.py: Markdown → DOCX via python-docx - founding_wizard_routes.py: POST /v1/founding-wizard/generate → liefert base64-DOCX-Files für ausgewählte Templates Frontend Founding-Wizard (/sdk/founding-wizard): - 8-Step Wizard (Basics, Gesellschafter, GF, Kapital, Notar, SHA, GF-Verträge, Generate) - useFoundingWizardForm Hook mit localStorage-Persistenz - TypeScript Code-Registry (template-categories.ts) als Backup zur DB - Word-Download via data:URLs (base64) Tests: - 20 Unit-Tests grün (Renderer, Context-Mapping, DOCX-Conversion) - Playwright E2E-Test mit 2-Mann GmbH (Benjamin + Sharang) Test-Daten	2026-05-20 09:30:51 +02:00
Benjamin Admin	662327e8b4	feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features ... Massiv-Update auf Basis BMW-Test-Iterationen (v1→v9): Core Compliance-Check - Sonnet check_type Klassifikation: text/process/review fuer alle 1874 MCs in compliance.doc_check_controls (script + Sidecar /data/mc_classification.db). rag_document_checker filtert auf check_type='text' fuer doc_check. Plus fits_doc_type-Audit (v2) + ui_only-Audit fuer DSA/E-Commerce-MCs in falscher doc_type-Schublade. - scope_requires-Filter: biometric/ai_decision/child_targeting MCs werden per business_profile gefiltert (FRT skipped fuer BMW etc.). - Embedding-Match (BGE-M3) als Phase-3 nach Regex-Match: Per-doc_type-Threshold-Override (impressum 0.50, dse/cookie 0.60), Short-Field-Rescue (15-Wort-Chunks) fuer Pflichtfelder im Impressum. Title+check_question als Embedding-Input fuer mehr Kontext. - Cookie-Text-Routing: consent-tester gibt cmp_cookie_text aus dem CMP-Reconstruct zurueck, Backend bevorzugt das gegen DOM-Extraction wenn richer (BMW 1824 vs 600 Worte). Vendor-Redundanz + EU-Alternativen + Cost-Saving - vendor_redundancy.analyze() — funktionale Kategorisierung der CMP-Vendors, Detektion von Mehrfach-Anbietern pro Kategorie, EU-Alternative-Lookup (Matomo, IONOS, HERE, Friendly Captcha, Smart AdServer, ...). - vendor_cost_estimator: Tier-Inferenz aus Cookie-Footprint (Cookie-Anzahl + Premium-Feature-Cookies + Third-Party-Quote → starter/professional/ enterprise/premier). - Self-Service-Werbung (Google/Meta/Pinterest/...) = 0 Lizenz-Kosten (nur Media-Spend, separat). DSP-Plattformen behalten enge Range. - Tier-aware Saving-Range: bei Enterprise/Premier nutzen wir den oberen 40-100%-Band der Listpreise, nicht starter→premier. - Multi-Function-Tools (Matomo Pro, SAP CX, IONOS Cloud, Userlike, Smart AdServer, HERE Maps, Vimeo Pro, LamaPoll) — ein Tool ersetzt mehrere Kategorien gleichzeitig. Cookie-Wissens-DB + Funktionale Klassifikation - cookie_knowledge_db: 50 kuratierte Top-Cookies (Google/Meta/Adobe/MS/...) mit vendor, exact_purpose, data_collected, IAB-TCF-IDs, reid_risk, schrems_ii_status, EuGH-Urteile, EU-Alternative. - cookie_function_classifier: pro Cookie funktionale Rolle (tracking_id, ad_pixel, session_id, ab_test, csrf, ...) + blocking_impact. Country-Inferenz aus Rechtsform - cookie_link_validator: Country-Field wird aus Vendor-Name abgeleitet (A/S=DK, GmbH=DE, Inc=US, B.V.=NL, ...) plus Vendor-Lookup-Table. Reduziert false-positive no_country-Flags bei eindeutig-EU-Vendors (Adform DK, Pinterest IE). Action-Recipes + Doc-Anchor-Locator - finding_action_recipes: pro Finding-Typ (no_cookies_listed, no_country, broken_opt_out, "Auftragsverarbeiter erwaehnen", "Art. 22 Profiling", ...) eine strukturierte Anweisung mit what/why/fix_text/where/example. Zum 1:1-Einfuegen in Kunden-Dokumente. - doc_anchor_locator: Embedding-basiert (BGE-M3 cosine) — sucht den passenden Absatz im existierenden Kundendokument fuer jeden Finding. Per-Run Thread-Local-Cache. Fallback: keyword-Match. - Email-Rendering integriert Recipe + Anchor pro Doc-Pruefungs-Fail + Vendor-Flag-Liste mit aufklappbarer Action-Liste. - Score-Erklaerung pro Vendor-Zeile (3/5-Untertitel + Tooltip). Migration-Pipeline (Compliance-Check -> Customer Banner/Documents) - migration_to_banner.py: Vendor-Liste -> CookieBannerConfig mit 4 Kategorien + Review-Flags. - migration_to_document.py: Vendor-Liste -> Cookie-Policy + VVT-Register + Privacy-Policy-Pre-Fills. - agent_migration_routes: 3 Preview-Endpoints (banner-preview, document-preview, summary). Persistierung der cmp_vendors in /data/compliance_audits.db check_payloads-Tabelle. Borlabs-Parity Cookie-Banner-Features - Consent-Historie im Banner: window.bpShowConsentHistory() + localStorage. - Content-Blocker: cookie-banner-content-blocker.ts — YouTube/Maps/Video Placeholder bis Einwilligung. - Google Consent Mode v2 erweitert: wait_for_update + region=EEA/CH/GB. - Consent-Log Export (CSV/JSON) per einwilligungen_export_routes. Bug-Fixes - canonical_control_routes: _jsonish-Helper fuer string-typed jsonb, similar-controls-Endpoint mit _has_embedding_col()-Cache (kein 500 mehr). - Control-Library Frontend: defensive .map-Coercer in 2 Detail-Views. - Embedding-Service-Batching (32er Batches statt 165 in einem Call). - KeyError 'control_id' in MC-Result-Aggregation (defensive .get). - Master-Controls-Klick-Through von /sdk/master-controls auf /sdk/control-library?control=<id> mit URL-Param-Auto-Open. - Dockerfile: /data pre-chowned auf appuser (Audit-DB-Schreibrecht). - Cookie-Text-Routing-Bug (cmp_reconstructed > DOM-extraction). - doc_type-aware MC-Filter (statt all-text-MCs). - Master-Contract-Dedup (60 BMW-Internal-Eintraege = 1 Adobe-Vertrag). - A3-v2-Audit hat 24 UI-Sprache-MCs als 'process' reklassifiziert. Tests - test_migration_mappers.py (9 Tests) - test_migration_endpoints.py (4 Tests) Skripte (one-shot) - classify_mc_check_type.py (v1) + _v2 (PK=control_id,doc_type) - audit_mc_doctype_fit.py (v1 fits) + _v2 (ui_only + scope_requires) BMW-Run-Bilanz v1 (broken) -> v9 (alle Fixes): DSE 7,5% -> 81-83% Impressum 4% -> 100% (6 echte MCs alle erfuellt) Cookie 0% -> 79-83% (CMP-Text-Routing + Embedding) Plus: 10 Konsolidierungs-Kategorien, geschaetzte Saving 200k-3M / Jahr Plus: Action-Recipes + Doc-Anchors fuer jeden Fail Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:30:08 +02:00
Benjamin Admin	6af9353bad	feat(sidebar): add Master Controls between Control Library and Provenance ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 18:04:57 +02:00
Benjamin Admin	36c6101b91	Merge feat/zeroclaw-compliance-agent into main ... Brings all compliance doc-check features: - 162 regex checks + 1874 Master Controls - LLM-agnostic agent with tool calling - Banner check (46 checks, 30 CMPs, stealth, Shadow DOM) - Impressum check (24 checks) - Deep consent verification (DataLayer, GCM, TCF) - CMP E2E tests (39 tests) - HTML email reports, FAQ, persistent history Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 11:44:20 +02:00
Benjamin Admin	2e29b611c9	feat(iace): Phase 1 — Haftungs-Fixes, Massnahmen-Verkabelung, Explainability Engine ... Phase 1A — Haftungs-kritische Fixes: - SIL/PL-Badges als "Vorab-Einschaetzung" mit Tooltip gekennzeichnet - Coverage-Disclaimer in CE-Akte, Projekt-Uebersicht und Print-Export - Norm-Referenzen: 42 Kapitelverweise durch Themen-Deskriptoren ersetzt Phase 1B — Massnahmen-Verkabelung: - 16 neue Massnahmen (M201-M216) fuer bisher unabgedeckte Kategorien (communication_failure, hmi_error, firmware_corruption, maintenance, sensor_fault, mode_confusion) - Kategorie-Fallback im Initialize-Endpoint: ordnet Massnahmen aus der Bibliothek automatisch per HazardCategory zu (max 8 pro Kategorie) - Total: 225 → 241 Massnahmen, 0 Kategorien ohne Massnahmen Phase 1C — Explainability Engine: - MatchReason Struct in PatternMatch (type, tag, met) - Pattern Engine schreibt fuer jeden Match strukturierte Begruendungen - Frontend zeigt "Erkannt weil: Komponente X, Energie Y, Kein Ausschluss Z" Weitere Aenderungen: - BAuA/OSHA Regulatory Hints: 3 Enrich-Endpoints (per Hazard, per Measure, Batch) - Dokumente-Tab in IACE-Bibliothek (36.708 Chunks aus Qdrant) - Varianten-UX: Basis-Projekt-Summary auf Varianten-Seite - Projekt-Initialisierung: POST /initialize kettet Parse→Komponenten→Patterns→Hazards→Massnahmen→Normen - 18 pre-existing TS-Fehler gefixt, Route-Konflikt behoben - Component-Library + Measures-Library Tests aktualisiert Tests: Go alle bestanden, TS 0 Fehler, Playwright 141+ bestanden Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-09 21:32:23 +02:00
Benjamin Admin	c284cefada	refactor: Remove Modules step, add Regulations card to Dashboard ... - Modules step deleted from sdk-steps.ts and SDK Flow (regulations are now shown in Scope-Decision tab with toggles) - Dashboard: "Erkannte Regulierungen" card shows which regulations apply based on Scope-Profiling (DSGVO, AI Act, NIS2, HinSchG) - Dashboard: Amber warning if Scope-Profiling not yet completed - Link to Scope-Decision tab for details & customization Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 22:21:12 +02:00
Benjamin Admin	2b4ff9f422	feat: DSFA — VVT-Verknüpfung + Residual Risk + Bundesland-Blacklists ... 1. VVT-Verknüpfung: Dropdown "Verknüpfte VVT-Aktivität" in Step 1, lädt Aktivitäten via API, auto-fills Verarbeitungstätigkeit bei Auswahl 2. Residual Risk: Neuer Step 5 im Wizard — Bewertung des Restrisikos nach Maßnahmen. Bei hoch/kritisch → Art. 36 Vorabkonsultation Warnung 3. Bundesland-Blacklists (Art. 35 Abs. 4): 16 Landesbehörden mit DSK-Muss-Liste (10 gemeinsame Kriterien) + länderspezifische Ergänzungen (Bayern: Whistleblower/Drohnen, NRW: Social-Media- Monitoring, Berlin: Mieterbonitätsprüfung). Automatische Prüfung gegen Scope-Antworten. Blacklist-Matches im DSFA-Banner angezeigt. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 21:48:59 +02:00
Benjamin Admin	84b21cad08	feat: DSFA pre-fill from Company Profile + Scope answers ... - New prefill-from-scope.ts utility: - headquartersState → federal_state (Bundesland for authority lookup) - data_art9 → special data categories (Gesundheit, Biometrie, etc.) - data_minors → adds "Minderjährige" to data subjects + raises risk - proc_adm_scoring → Art. 22 affected rights + measures - proc_ai_usage → involves_ai flag + AI measures - proc_video_surveillance → video data categories - industry/businessModel → processing purpose + legal basis - isDSFARequired() check: shows red banner when Art. 35 triggers detected - GeneratorWizard accepts prefill prop, initializes all fields - Passes federal_state, involves_ai, legal_basis to backend POST Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 19:36:13 +02:00
Benjamin Admin	95baf60da3	refactor: Paket 2 Analyse umstrukturiert + AI Act/Evidence verschoben ... Paket 2 Analyse (vorher 7 Steps → jetzt 5): 1. Requirements — Pruefaspekte aus Regulierungen 2. Controls — Technische & organisatorische Massnahmen 3. Risk Matrix — Risikobewertung (vorher #4, jetzt #3) 4. Audit Checklist — Pruefbare Checkliste (vorher #6) 5. Audit Report — Zusammenfassender Report (vorher #7) Verschoben: - AI Act → Paket 1 Vorbereitung (optional, nur bei KI-Einsatz) - Evidence → Paket 5 Betrieb (Nachweise laufend sammeln, nicht einmalig) SDK Flow (steps-*.ts) synchronisiert mit neuer Reihenfolge. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 16:40:10 +02:00
Benjamin Admin	f737bfc4db	refactor: Integrate Modules into Scope-Decision (Option C) ... - RegulationsPanel: added enable/disable toggles per regulation - ScopeDecisionTab: passes enabledModules + onToggleModule - Scope page: auto-enables all applicable regulations when loaded - Modules step: isOptional=true, moved to Zusatzmodule - Requirements: now depends on compliance-scope, not modules - Source-policy: now depends on use-case-assessment, not modules Flow: Profile → Scope → Scope-Decision shows applicable regulations with toggles → Requirements derived from enabled regulations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 14:29:53 +02:00
Benjamin Admin	7ab1476d8f	refactor: Move Screening to Zusatzmodule (optional) ... - Screening step: isOptional=true - Compliance Modules no longer depends on Screening - Description updated to "SBOM + Vulnerability Scan (OSV.dev)" Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 13:55:09 +02:00
Benjamin Admin	225456ec14	refactor: Source Policy — strip PII/Audit/Blocked, move to Zusatzmodule ... - Removed: PII-Regeln tab (→ Core Service, other repo) - Removed: Audit tab (→ redundant with Document Workflow + RBAC) - Removed: Blockierte Inhalte tab (→ belongs to PII) - Kept: Quellen-Whitelist + Berechtigungen (Operations Matrix) - Renamed: "Source Policy" → "Quellen-Verwaltung" - Moved: From Paket 1 (Pflicht) to Zusatzmodule (optional) - sdk-steps.ts: isOptional=true, requirements no longer depends on it - Sidebar: Added under Zusatzmodule section - Page reduced from 365 → 130 lines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 11:36:20 +02:00
Benjamin Admin	e0f59cdf82	feat: IAB TCF 2.2 + sidebar naming consistency (Option C) ... TCF/IAB 2.2: - TCFEncoderService: base64url TC String generation per IAB spec - 12 IAB purposes mapped to banner categories - tcf_routes: 5 endpoints (purposes, features, mapping, encode) - Auto-generate TC String on consent when tcf_enabled=true - TCFSettings.tsx: enable/disable, purpose grid, test encoder - New "TCF/IAB" tab in cookie-banner (7 tabs total) Sidebar naming (Option C): - SDK step "Einwilligungen" renamed to "Consent-Records" to match CMP sidebar label — consistent across both navigations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 07:10:53 +02:00
Benjamin Admin	c89a68e59e	feat: Whistleblower backend + Scanner banner-check (last 2 gaps) ... Whistleblower (HinSchG): - Migration 118: 3 tables (reports, messages, measures) with HinSchG deadlines (7d acknowledgment, 3mo feedback) - whistleblower_routes.py: 14 endpoints (CRUD, acknowledge, close, messages, measures, public submit, anonymous status check) - Frontend api-operations.ts rewired from Go SDK to compliance proxy - Access key format XXXX-XXXX-XXXX for anonymous reporters Scanner banner-check (TTDSG § 25): - CMP Dashboard: green "Kein Cookie-Banner erforderlich" when no trackers detected + no banner configured - Red warning "Cookie-Banner fehlt!" when trackers found but no banner - Mandatory note: Impressum (DDG § 5) + DSE (DSGVO Art. 13) still required [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-04 00:22:18 +02:00
Benjamin Admin	9b4be663f7	feat: Rollenkonzept backend + SOP template (Phase 1-3) ... - Migration 111: 3 new tables (org_roles, document_reviews, document_role_mapping) with seed data mapping all 71 doc types to 7 compliance roles - org_role_routes.py: CRUD for roles, seed defaults, test email, mapping API - document_review_routes.py: Review lifecycle (create→send→approve/reject) with approval notification to all affected roles - Migration 112: SOP template (ISO 9001 structure, 21 placeholders) - Added standard_operating_procedure to TemplateType, doc-labels, presets [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 13:03:38 +02:00
Benjamin Admin	ce52dd153e	feat: Complete template coverage — 13 presets, 71 doc types, 100% mapped ... - Split presets into interface + data files (500-line budget) - Extract DOC_LABELS into doc-labels.ts with all 71 template types - Add 3 new presets: Cloud/SaaS-Anbieter, Finanzdienstleister, Plattform - Expand Enterprise preset to 48 docs (full ISMS + BCM + DSR) - Every template type appears in at least one preset - ISO references verified: citations only, no copyrighted standard text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 10:59:58 +02:00
Benjamin Admin	3aff80fb0c	fix: Complete recommended docs for all 10 industry presets ... Every preset now includes DSGVO-mandatory docs (TOM, VVT, Löschkonzept) plus Cookie-Banner/Policy, Mitarbeiter-DSI, Bewerber-DSI, and industry-specific extras (DSFA, Whistleblower, ISMS, TIA, etc.). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 10:07:30 +02:00
Benjamin Admin	a56ea2c843	feat: A4 preview + example data + company profile presets ... Feature 1: DIN A4 Preview - Markdown→HTML renderer (inline, no dependency) - A4 page container (210mm × 297mm) with print styling - Toggle between "Vorschau" (rendered A4) and "Markdown" (raw) - Print button opens new window with @page A4 CSS - Purple theme for headings, styled tables Feature 2: Example Data Button - "Beispieldaten" button in Generator header - Loads examples/{templateType}_{lang}.json - Prefills all context fields for instant full preview Feature 3: Company Profile Presets - 10 industry presets: SaaS Startup, Consumer App, E-Commerce, IT-Agentur, Maschinenbau, Rechtsanwalt, Arztpraxis, Handwerk, Bildung, Enterprise - Each with pre-filled CompanyProfile + scope hints + recommended docs - PresetSelector component (card grid with icons) - "Manuell ausfuellen" skip option Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-03 07:38:18 +02:00
Benjamin Admin	cb2d503e84	feat: Google Consent Mode v2 + Developer Portal cookie banner docs ... Phase A: Google Consent Mode v2 in cookie-banner-embed.ts - gtag('consent', 'default', {...denied}) before banner loads - gtag('consent', 'update', {...}) after user decision - Automatic mapping: statistics→analytics_storage, marketing→ad_storage Phase B: 5 Developer Portal pages at /sdk/consent/cookie-banner/ - Overview page with 4 cards - Integration Guide: 3-step setup, script-tag, categories - Google Consent Mode: automatic integration, parameter mapping - Script Blocking: type=text/plain pattern, GA/FB/Hotjar examples - Compliance Checklist: 12 points, 9 automatic Sidebar navigation extended with Cookie-Banner section. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-02 17:13:34 +02:00
Benjamin Admin	dccd9d09e5	feat: cookie banner compliance hardening — 5 legal requirements ... 1. Impressum link mandatory in banner (§5 TMG) 2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49) 3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent) 4. Script-Blocking: data-cookie-category + type="text/plain" pattern Scripts only execute AFTER user consents to that category 5. Buttons already equal size (flex:1) — verified correct Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-02 15:50:54 +02:00
Benjamin Admin	f6536e8d08	fix: Use Array.isArray for legalHolds check ... legalHolds can be a JSONB object {} instead of an array [], so the || [] fallback wasn't sufficient. Array.isArray handles all edge cases (null, undefined, object, string). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 21:12:28 +02:00
Benjamin Admin	e3f26d7572	fix: Defensive legalHolds check in Loeschfristen ... getActiveLegalHolds() crashed with "e.legalHolds.filter is not a function" when legalHolds was null/undefined (e.g. old DB entries without the JSONB field). Added fallback to empty array. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 21:06:24 +02:00
Benjamin Admin	062d607da9	feat: Scope questions, placeholder mappings, example contexts ... Scope questions (compliance-scope-data.ts): - 7 new questions: org_has_employees, org_has_social_media, org_has_video_conferencing, proc_uses_ai_tools, proc_byod_allowed, prod_ugc_platform, org_cert_iso27001 Template recommendations updated: - employee_dsi/applicant_dsi now triggered by org_has_employees - ai_usage_policy triggered by proc_uses_ai_tools - byod_policy triggered by proc_byod_allowed (required when yes) - social_media_dsi triggered by org_has_social_media - video_conference_dsi triggered by org_has_video_conferencing - community_guidelines/terms_of_use triggered by prod_ugc_platform Placeholder mappings (contextBridge-helpers.ts): - 30+ new mappings for: whistleblower, video conference, AI policy, BYOD, consent, social media, transfer/SCC, DSI fields - SECTION_COVERS updated for template relevance detection Example contexts: ai_usage_policy_de, employee_dsi_de, social_media_dsi_de, tia_de Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 13:43:09 +02:00
Benjamin Admin	ef8eead513	feat: Adequacy decisions, DPF check, customer guidance for transfers ... New: adequacy-decisions.ts - Complete list of 15 countries with EU adequacy decisions (Art. 45) - EU/EEA country set (30 countries) - getTransferRequirement() — determines SCC/TIA/certification needs per country code with human-readable explanations - US special handling: DPF certification required, check URL included Updated: transfers/page.tsx - "Was muss ich tun?" explanation section with 3 options: 1. Adequacy decision (green) — no action needed 2. DPF certification (blue, US only) — check dataprivacyframework.gov 3. SCC + TIA required (amber) — link to Document Generator - Collapsible adequacy countries table (15 countries with restrictions) - Schrems II background explanation for customers - Customer guidance written for non-experts who never heard of TIA/SCC Updated: templateRecommendations.ts - SCC+TIA rules now consider DPF certification and adequacy status - us_dpf_only → SCC/TIA optional (not required) - adequate_only → SCC/TIA not recommended Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-01 12:57:54 +02:00
Benjamin Admin	b2a28eb4cd	feat: DSR Prozessbeschreibungen Art. 15-21 mit Swim-Lane-Diagrammen ... 7 vollstaendige Prozessbeschreibungen fuer den Document Generator: - Art. 15: Auskunftsrecht (30 Tage, 6 Schritte, Informationskatalog) - Art. 16: Berichtigungsrecht (14 Tage, inkl. Art. 19 Mitteilung) - Art. 17: Loeschungsrecht (14 Tage, Art. 17(3) Ausnahmen-Checkliste) - Art. 18: Einschraenkungsrecht (14 Tage, erlaubte Verarbeitung) - Art. 19: Mitteilungspflicht (automatisch bei Art. 16/17/18) - Art. 20: Datenuebertragbarkeit (30 Tage, JSON/CSV/XML Export) - Art. 21: Widerspruchsrecht (30 Tage, Sonderfall Direktwerbung) Jede Beschreibung enthaelt: - Mermaid Swim-Lane-Diagramm (Betroffener/Sachbearbeitung/Fachabteilung/DSB) - Detaillierte Schritt-Tabelle mit Verantwortlichkeiten und Fristen - Rechtsgrundlagen-Verweise - Firmen-Platzhalter (FIRMENNAME, VERSION, DATUM, DSB_NAME) Integration: - 7 neue Typen in VALID_DOCUMENT_TYPES (legal_template_routes.py) - Neue Kategorie "DSR-Prozesse" im Document Generator Frontend - DSR types-core.ts: templateType Feld verknuepft DSR → Document Generator - Migration 085 seeded die Templates in die legal_templates Tabelle [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-28 19:25:38 +02:00
Benjamin Admin	b39c1d5dce	feat: DSR Prozessbeschreibungen Art. 15-21 mit Swim-Lane-Diagrammen ... 7 vollstaendige Prozessbeschreibungen fuer den Document Generator: - Art. 15: Auskunftsrecht (30 Tage, 6 Schritte, Informationskatalog) - Art. 16: Berichtigungsrecht (14 Tage, inkl. Art. 19 Mitteilung) - Art. 17: Loeschungsrecht (14 Tage, Art. 17(3) Ausnahmen-Checkliste) - Art. 18: Einschraenkungsrecht (14 Tage, erlaubte Verarbeitung) - Art. 19: Mitteilungspflicht (automatisch bei Art. 16/17/18) - Art. 20: Datenuebertragbarkeit (30 Tage, JSON/CSV/XML Export) - Art. 21: Widerspruchsrecht (30 Tage, Sonderfall Direktwerbung) Jede Beschreibung enthaelt: - Mermaid Swim-Lane-Diagramm (Betroffener/Sachbearbeitung/Fachabteilung/DSB) - Detaillierte Schritt-Tabelle mit Verantwortlichkeiten und Fristen - Rechtsgrundlagen-Verweise - Firmen-Platzhalter (FIRMENNAME, VERSION, DATUM, DSB_NAME) Integration: - 7 neue Typen in VALID_DOCUMENT_TYPES (legal_template_routes.py) - Neue Kategorie "DSR-Prozesse" im Document Generator Frontend - DSR types-core.ts: templateType Feld verknuepft DSR → Document Generator - Migration 085 seeded die Templates in die legal_templates Tabelle [migration-approved] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-28 17:53:44 +02:00
Benjamin Admin	55a2cd4a3d	feat: Verbraucherrecht-Obligations + Widerrufsbutton-Pflicht ab 19.06.2026 ... Neue Regulierung: EU-Richtlinie 2023/2673, §356a BGB 3 Obligations: - VBR-OBL-001: Digitaler Widerrufsbutton (Frist: 19.06.2026, Bussgeld: 50k EUR) - VBR-OBL-002: Widerrufsbelehrung bei Fernabsatz - VBR-OBL-003: Button-Loesung "zahlungspflichtig bestellen" Scope Engine: 3 neue Hard-Trigger-Rules (HT-N01..N03) fuer B2C, Online-Shop und Abo-Modelle. Total Obligations: 370 → 373 (12 Regulierungen) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-25 16:24:07 +02:00
Sharang Parnerkar	c05a71163b	fix: resolve CI failures in Python tests and admin-compliance build ... Python: add missing 'import enum' to compliance/db/models.py shim. TypeScript: remove duplicate export of useVendorCompliance from vendor-compliance/context.tsx (already exported from ./hooks). Docs: add mandatory pre-push checklist (lint + test + build) to AGENTS.python.md and AGENTS.go.md. [guardrail-change] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-19 16:41:39 +02:00
Sharang Parnerkar	19d6437161	refactor(admin): split vvt-baseline-catalog into domain barrel ... Extracted 630-LOC monolith into 6 domain files (all <200 LOC) plus a 29-line barrel re-exporting everything for zero breaking-change impact. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:46:31 +02:00
Sharang Parnerkar	7d8e5667c9	refactor(admin-compliance): split 7 oversized files under 500 LOC hard cap (batch 3) ... - tom-generator/export/zip.ts: extract private helpers to zip-helpers.ts (544→342 LOC) - tom-generator/export/docx.ts: extract private helpers to docx-helpers.ts (525→378 LOC) - tom-generator/export/pdf.ts: extract private helpers to pdf-helpers.ts (517→446 LOC) - tom-generator/demo-data/index.ts: extract DEMO_RISK_PROFILES + DEMO_EVIDENCE_DOCUMENTS to demo-data-part2.ts (518→360 LOC) - einwilligungen/generator/privacy-policy-sections.ts: extract sections 5-7 to part2 (559→313 LOC) - einwilligungen/export/pdf.ts: extract HTML/CSS helpers to pdf-helpers.ts (505→296 LOC) - vendor-compliance/context.tsx: extract API action hooks to context-actions.tsx (509→286 LOC) All originals re-export from sibling files — zero consumer import changes needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:43:41 +02:00
Sharang Parnerkar	feedeb052f	refactor(admin-compliance): split 11 oversized files under 500 LOC hard cap (batch 2) ... Barrel-split pattern: each original becomes a thin re-export barrel; logic moved to sibling files so no consumer imports need updating. Files split: - loeschfristen-profiling.ts → profiling-data.ts + profiling-generator.ts - vendor-compliance/catalog/vendor-templates.ts → vendor-country-profiles.ts - vendor-compliance/catalog/legal-basis.ts → legal-basis-retention.ts - dsfa/eu-legal-frameworks.ts → eu-legal-frameworks-national.ts - compliance-scope-types/document-scope-matrix-core.ts → core-part2.ts - compliance-scope-types/document-scope-matrix-extended.ts → extended-part2.ts - app/sdk/document-generator/contextBridge.ts → contextBridge-helpers.ts - app/api/sdk/drafting-engine/draft/route.ts → draft-helpers.ts + draft-helpers-v2.ts All files ≤ 500 LOC. Zero behavior changes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:32:08 +02:00
Sharang Parnerkar	92a47bf6f9	refactor: split oversized html-builder files under 500 LOC hard cap ... obligations-document/html-builder.ts (620→304 LOC): extract sections 6-11 and footer into html-builder-sections-6-11.ts (339 LOC). loeschfristen-document/html-builder.ts (603→353 LOC): extract sections 6-12 into html-builder-sections-6-12.ts (259 LOC). Both orchestrators re-export from siblings; zero behavior change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:12:01 +02:00
Sharang Parnerkar	91063f09b8	refactor(admin): split lib document generators and data catalogs into domain barrels ... obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-18 00:07:03 +02:00
Sharang Parnerkar	e58af8aa30	refactor(admin): split tom-generator controls loader and vendor risk controls-library ... Split loader.ts (3163 LOC) into categories/ subdir (8 files, each <500 LOC): - access.ts (ACCESS_CONTROL + ADMISSION_CONTROL + ACCESS_AUTHORIZATION) - transfer-input.ts (TRANSFER_CONTROL + INPUT_CONTROL) - order-availability.ts (ORDER_CONTROL + AVAILABILITY) - separation-encryption.ts (SEPARATION incl. DL-* + ENCRYPTION) - pseudonymization.ts (PSEUDONYMIZATION) - resilience-recovery.ts (RESILIENCE + RECOVERY) - review.ts (REVIEW + training/TR-* controls) - category-map.ts (category metadata Map) Split controls-library.ts (943 LOC) into domain files: - transfer-audit.ts (TRANSFER + AUDIT) - deletion-incident.ts (DELETION + INCIDENT) - subprocessor-tom.ts (SUBPROCESSOR + TOM) - contract-data-subject.ts (CONTRACT + DATA_SUBJECT) - security-governance.ts (SECURITY + GOVERNANCE) Both barrel files preserved their full public API. No consumer imports changed. Zero new TypeScript errors introduced (305 pre-existing errors unchanged). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 09:20:22 +02:00
Sharang Parnerkar	535d3d8c20	refactor(admin): split lib/sdk/types.ts and vendor-compliance/types.ts into domain barrels ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 09:05:19 +02:00
Sharang Parnerkar	c43d9da6d0	merge: sync with origin/main, take upstream on conflicts ... # Conflicts: # admin-compliance/lib/sdk/types.ts # admin-compliance/lib/sdk/vendor-compliance/types.ts	2026-04-16 16:26:48 +02:00
Sharang Parnerkar	1f45d6cca8	refactor(admin): split whistleblower page.tsx + restore scope helpers ... Whistleblower (1220 -> 349 LOC) split into 6 colocated components: TabNavigation, StatCard, FilterBar, ReportCard, WhistleblowerCreateModal, CaseDetailPanel. All under the 300 LOC soft target. Drive-by fix: the earlier fc6a330 split of compliance-scope-types.ts dropped several helper exports that downstream consumers still import (lib/sdk/index.ts, compliance-scope-engine.ts, obligations page, compliance-scope page, constraint-enforcer, drafting-engine validate). Restored them in the appropriate domain modules: - core-levels.ts: maxDepthLevel, getDepthLevelNumeric, depthLevelFromNumeric - state.ts: createEmptyScopeState - decisions.ts: createEmptyScopeDecision + ApplicableRegulation, RegulationObligation, RegulationAssessmentResult, SupervisoryAuthorityInfo Verification: next build clean (142 pages generated), /sdk/whistleblower still builds at ~11.5 kB. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-11 22:50:25 +02:00
Sharang Parnerkar	ff775517a2	refactor(admin): split loeschfristen-profiling.ts (538 LOC) into data + logic ... Types and PROFILING_STEPS data (242 LOC) extracted to loeschfristen-profiling-data.ts. Functions remain in loeschfristen-profiling.ts (306 LOC). Both under 500. Barrel re-exports in the logic file so existing imports work unchanged. next build passes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 21:09:58 +02:00
Sharang Parnerkar	528abc86ab	refactor(admin): split 8 oversized lib/ files into focused modules under 500 LOC ... Split these files that exceeded the 500-line hard cap: - privacy-policy.ts (965 LOC) -> sections + renderers - academy/api.ts (787 LOC) -> courses + mock-data - whistleblower/api.ts (755 LOC) -> operations + mock-data - vvt-profiling.ts (659 LOC) -> data + logic - cookie-banner.ts (595 LOC) -> config + embed - dsr/types.ts (581 LOC) -> core + api types - tom-generator/rules-engine.ts (560 LOC) -> evaluator + gap-analysis - datapoint-helpers.ts (548 LOC) -> generators + validators Each original file becomes a barrel re-export for backward compatibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 21:05:59 +02:00
Sharang Parnerkar	e07e1de6c9	refactor(admin): split api-client.ts (885 LOC) and endpoints.ts (1262 LOC) into focused modules ... api-client.ts is now a thin delegating class (263 LOC) backed by: - api-client-types.ts (84) — shared types, config, FetchContext - api-client-state.ts (120) — state CRUD + export - api-client-projects.ts (160) — project management - api-client-wiki.ts (116) — wiki knowledge base - api-client-operations.ts (299) — checkpoints, flow, modules, UCCA, import, screening endpoints.ts is now a barrel (25 LOC) aggregating the 4 existing domain files (endpoints-python-core, endpoints-python-gdpr, endpoints-python-ops, endpoints-go). All files stay under the 500-line hard cap. Build verified with `npx next build`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 19:17:38 +02:00
Sharang Parnerkar	58e95d5e8e	refactor(admin): split 9 more oversized lib/ files into focused modules ... Files split by agents before rate limit: - dsr/api.ts (669 → barrel + helpers) - einwilligungen/context.tsx (669 → barrel + hooks/reducer) - export.ts (753 → barrel + domain exporters) - incidents/api.ts (845 → barrel + api-helpers) - tom-generator/context.tsx (720 → barrel + hooks/reducer) - vendor-compliance/context.tsx (1010 → 234 provider + hooks/reducer) - api-docs/endpoints.ts — partially split (3 domain files created) - academy/api.ts — partially split (helpers extracted) - whistleblower/api.ts — partially split (helpers extracted) next build passes. api-client.ts (885) deferred to next session. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 19:12:09 +02:00
Sharang Parnerkar	786bb409e4	refactor(admin): split lib/sdk/context.tsx (1280 LOC) into focused modules ... Extract the monolithic SDK context provider into seven focused modules: - context-types.ts (203 LOC): SDKContextValue interface, initialState, ExtendedSDKAction - context-reducer.ts (353 LOC): sdkReducer with all action handlers - context-provider.tsx (495 LOC): SDKProvider component + SDKContext - context-hooks.ts (17 LOC): useSDK hook - context-validators.ts (94 LOC): local checkpoint validation logic - context-projects.ts (67 LOC): project management API helpers - context-sync-helpers.ts (145 LOC): sync infrastructure init/cleanup/callbacks - context.tsx (23 LOC): barrel re-export preserving existing import paths All files under the 500-line hard cap. Build verified with `npx next build`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 13:55:42 +02:00
Sharang Parnerkar	3c4f7d900d	refactor(admin): split compliance-scope-profiling.ts (1171 LOC) into focused modules ... Split the monolithic file into three content modules plus a barrel re-export: - compliance-scope-profiling-blocks.ts (489 LOC): blocks 1-7, hidden questions, autofill IDs - compliance-scope-profiling-vvt-blocks.ts (274 LOC): blocks 8-9, SCOPE_QUESTION_BLOCKS aggregate - compliance-scope-profiling-helpers.ts (359 LOC): all prefill/export/progress functions - compliance-scope-profiling.ts (41 LOC): barrel re-export preserving existing import paths All files under the 500 LOC hard cap. No consumer changes needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 13:54:29 +02:00
Sharang Parnerkar	aae07b7a9b	refactor(admin): split 4 large type-definition files into per-section modules ... Split vendor-compliance/types.ts (1217 LOC), dsfa/types.ts (1082 LOC), tom-generator/types.ts (963 LOC), and einwilligungen/types.ts (838 LOC) into types/ directories with per-section domain files and barrel-export index.ts files, matching the pattern in lib/sdk/types/index.ts. All files are under 500 LOC. Build verified with npx next build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 13:42:27 +02:00
Sharang Parnerkar	911d872178	refactor(admin): split compliance-scope-engine.ts (1811 LOC) into focused modules ... Extract data constants and document-scope logic from the monolithic engine: - compliance-scope-data.ts (133 LOC): score weights + answer multipliers - compliance-scope-triggers.ts (823 LOC): 50 hard trigger rules (data table) - compliance-scope-documents.ts (497 LOC): document scope, risk flags, gaps, actions, reasoning - compliance-scope-engine.ts (406 LOC): core class with scoring + trigger evaluation All logic files stay under the 500 LOC cap. The triggers file exceeds it as a pure declarative data table with no logic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 13:33:51 +02:00
Sharang Parnerkar	fc6a3306d4	refactor(admin): split compliance-scope-types.ts (1738 LOC) into domain modules ... compliance-scope-types.ts decomposed into 9 files under compliance-scope-types/ with a barrel index.ts: core-levels.ts (29) — ComplianceDepthLevel enum constants.ts (83) — label mappings + defaults questions.ts (77) — ComplianceScopeQuestion types hard-triggers.ts (77) — HardTrigger rule types documents.ts (84) — ScopeDocumentType + document definitions decisions.ts (111) — Decision model types document-scope-matrix-core.ts (551) — core document scope matrix data document-scope-matrix-extended.ts (565) — extended document scope data state.ts (22) — ComplianceScopeState Note: the two document-scope-matrix files at 551/565 LOC are data tables (static configuration arrays). They exceed the 500-line soft cap but are a legitimate data-table exception — splitting them would fragment the matrix lookup logic without improving readability. next build passes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 13:24:07 +02:00
Sharang Parnerkar	ab6ba63108	refactor(admin): split lib/sdk/types.ts (2511 LOC) into per-domain modules under types/ ... Replace the monolithic types.ts with 11 focused modules: - enums.ts, company-profile.ts, sdk-flow.ts, sdk-steps.ts, assessment.ts, compliance.ts, sdk-state.ts, iace.ts, helpers.ts, document-generator.ts - Barrel index.ts re-exports everything so existing imports work unchanged All files under 500 LOC hard cap. tsc error count unchanged (185), next build passes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 11:39:32 +02:00
Benjamin Admin	6d3bdf8e74	feat: Control-Detail Provenance + Atomare Controls Seite ... Backend: provenance endpoint (obligations, doc refs, merged duplicates, regulations summary) + atomic-stats aggregation endpoint. Frontend: ControlDetail mit Provenance-Sektionen, klickbare Navigation, neue /sdk/atomic-controls Seite mit Stats-Bar und gefilterer Liste. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-24 10:38:34 +01:00
Benjamin Admin	b1627252ee	fix(obligations): show linked vendor IDs in Pflichtenregister document ... The HTML document builder was missing linked_vendor_ids in the detailed obligation cards. Art. 28 obligations with linked vendors now display them in the audit-ready PDF/HTML output. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-20 08:55:01 +01:00