Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
1,222 Commits 12 Branches 1 Tag
65e8bb9d42596ce89e347a32167a8dd82f534686
Commit Graph

8 Commits

Author SHA1 Message Date
Benjamin Admin d0e3621192 feat(audit): V2 mail render + 5 new findings (B4/B5/B6/B7/B8) + LLM-Plausibility-Phase 
Mail Render V2 (compliance/services/mail_render_v2/) — 11-Modul-Subpackage
das einen einheitlichen Audit-Mail-Output erzeugt mit:
  - Header + KPI-Kacheln (Score / Findings / Docs / Vendors)
  - TOC + Sprung-Links
  - 3-Bucket-Trennung: Kritische Befunde / Manuelle Prüfung / Interne Reminder
  - Cookie-Inventar (Name·Vendor·Kategorie·Speicherdauer·Löschfrist·Sitzland·Quelle·Status)
  - Sofortmaßnahmen-Aggregator ("Sitzland ergänzen für 11 Cookies")
  - 24 Legacy-Wrappers — alle alten build_*_html in V2-Sections
  - Scope-Filter: FIN/GOV/MED/INS/EDU/LEG aus Berichten wenn nicht relevant
  - Hint/Action-Dedup: keine doppelten Sätze pro Card mehr
Aktiviert via env MAIL_RENDER_V2=true (Default: legacy renderer).

5 neue deterministische Findings als Phase D-2b/B4/B5/B6/B7/B8:

  B4 vendor_consistency_check — Cross-Doc-Provider-Widerspruch
     (Elli: DSE nennt Vertex AI für Chatbot, /de/cookies nennt Iadvize → HIGH).
     6 Service-Types: chatbot/analytics/tag_manager/pixel/cdn/cmp.

  B5 ai_act_transparency_check — AI Act Art. 50 Transparenzpflicht
     (Elli: Vertex AI vorhanden ohne Pre-Chat-Disclosure → HIGH).
     Plus B5-Erweiterung: Rechtsgrundlage Art-6-Abs-1-lit-f bei AI → MED
     (Einwilligung empfehlen).

  B6 cross_doc_dpo_check — DPO in DSE genannt, nicht im Impressum (LOW).

  B7 doc_staleness_check — Datum-Extraktion aus DSE/AGB/Nutzungsbedingungen.
     Cap: AGB/NB 3y, DSE 2y. Älter → MEDIUM (Elli NB Stand 2018 → HIGH).

  B8 cmp_fingerprint_check — Banner detected, aber CMP-Provider generic
     (kein Usercentrics/OneTrust/Cookiebot/etc → MED).

  B3-Erweiterung detect_intra_doc_contradictions — Widersprüchliche
     Speicherdauer im SELBEN Doc (Elli: Logfile 7d vs 30d → HIGH).

LLM-Plausibility-Phase (Phase D-2b, finding_plausibility_check.py):
  - Läuft AFTER MC pipeline, BEFORE D3 render
  - Prompt mit Beispiel-IDs + 3-Phase-Mapping: exact-ID / position-fallback /
    fuzzy-tail-match
  - Stempelt llm_title / llm_severity / llm_recommendation / llm_drop auf
    jeden FAIL CheckItem
  - V2-Render zeigt "🤖 LLM-Plausibility:" Box pro Finding wenn gestempelt
  - KNOWN ISSUE: qwen3:30b-a3b liefert oft empty content auf format='json' +
    8000-char-excerpt prompts. Pipeline läuft mit stamped=0 weiter. Task #16.

Coverage gegen Elli Ground Truth (zeroclaw/docs/ground-truth/elli_eco_2026-06-06.json,
13 expected findings via WebFetch-Agent-Crawl):
  - 4/4 HIGH-Findings ✓ (COOKIE-CONSENT-UX-001 + WIDERRUFSBELEHRUNG-001 +
    VENDOR-CONSISTENCY-001 + AI-ACT-TRANSPARENCY-001)
  - 4/6 MEDIUM ✓
  - 2/3 LOW ✓
  - Total: 10/13 = 77% (Sprung von 4/13 = 31%)

Restliche 3 Gaps als Task #17: IMPRESSUM-001 (multi-entity USt-IdNr),
TRANSFER-001 (Vendor-Mechanismus DPF/SCC), TH-RETENTION-002 (AI-Retention
pro Datenkategorie).

V2-Mail-Preview in Mailpit: 'v2all@local.test' Subject '[V2 ALL] ELLI'.
Backend healthy, B1+B3+B4+B5+B6+B7+B8 alle live im Orchestrator.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-06-06 21:19:49 +02:00
Benjamin Admin 70af018da5 docs(gt): BMW cross-domain finding — 3 domains, no AGB, Social Media on jobs portal 2026-05-15 13:21:27 +02:00
Benjamin Admin 0182c91ef9 docs(gt): BMW fully verified — URLs, DSB, Impressum, Social Media data 2026-05-15 12:01:20 +02:00
Benjamin Admin a67cfa7c4a fix(gt): update BMW URLs (all old URLs are 404 since 2026) 2026-05-15 10:38:07 +02:00
Benjamin Admin b175212516 docs(gt): update Spiegel GT with verified 2026-05-14 results
CI / detect-changes (push) Successful in 5m10s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / validate-canonical-controls (push) Successful in 5m1s
Details
CI / loc-budget (push) Successful in 17s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m15s
Details
CI / test-go (push) Failing after 46s
Details
CI / test-python-backend (push) Has been skipped
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details 
DSI: 9/9 L1 (was 6/9), 13698 words (was 6461), all FNs resolved.
Social Media: 10/10 L1 (was 9/10). Services: 31 detected (was 5).
Impressum: 9/13 (USt-IdNr + V.i.S.d.P. fixed).
Widerruf: NOT correctly tested (wrong text assigned, needs Cross-Doc Intelligence).

Full service list (31 providers) documented with country + EU status.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-14 23:07:42 +02:00
Benjamin Admin 5e317d2f0f fix: text extraction 50k char limit was root cause of all Spiegel FNs
Build + Deploy / build-admin-compliance (push) Successful in 18s
Details
Build + Deploy / build-backend-compliance (push) Successful in 12s
Details
Build + Deploy / build-ai-sdk (push) Successful in 10s
Details
Build + Deploy / build-developer-portal (push) Successful in 10s
Details
Build + Deploy / build-tts (push) Successful in 10s
Details
Build + Deploy / build-document-crawler (push) Successful in 9s
Details
Build + Deploy / build-dsms-gateway (push) Successful in 10s
Details
Build + Deploy / build-dsms-node (push) Successful in 15s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / loc-budget (push) Failing after 17s
Details
CI / secret-scan (push) Has been skipped
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m46s
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / test-go (push) Failing after 41s
Details
CI / test-python-backend (push) Successful in 37s
Details
CI / test-python-document-crawler (push) Successful in 27s
Details
CI / test-python-dsms-gateway (push) Successful in 22s
Details
CI / validate-canonical-controls (push) Successful in 13s
Details
Build + Deploy / trigger-orca (push) Successful in 2m13s
Details 
ROOT CAUSE: main.py line 338 truncated full_text at 50,000 chars.
Spiegel DSI has 107,720 chars (13,705 words) — only 47% was extracted.
DSB, Art. 77, Betroffenenrechte were all in the truncated portion.

Fixes:
1. Raise text limit from 50k to 200k chars in API response + discovery
2. click_button(): add iframe fallback for Sourcepoint/Quantcast
3. dsi_helpers: iterate ALL page.frames for consent buttons
4. Profiler: only check impressum (not full text) for regulated professions,
   and "rechtsanwalt" must be in first 500 chars (company description)
5. GT: save full Spiegel DSI text (13,705 words) as reference

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-13 15:22:38 +02:00
Benjamin Admin c702260ec1 fix: 5 regex bugs + text extraction scroll + GT update
Build + Deploy / build-admin-compliance (push) Successful in 13s
Details
Build + Deploy / build-backend-compliance (push) Successful in 23s
Details
Build + Deploy / build-ai-sdk (push) Successful in 13s
Details
Build + Deploy / build-developer-portal (push) Successful in 14s
Details
Build + Deploy / build-tts (push) Successful in 15s
Details
Build + Deploy / build-document-crawler (push) Successful in 13s
Details
Build + Deploy / build-dsms-gateway (push) Successful in 15s
Details
Build + Deploy / build-dsms-node (push) Successful in 14s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / loc-budget (push) Failing after 15s
Details
CI / secret-scan (push) Has been skipped
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m26s
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / test-go (push) Successful in 39s
Details
CI / test-python-backend (push) Successful in 39s
Details
CI / test-python-document-crawler (push) Successful in 25s
Details
CI / test-python-dsms-gateway (push) Successful in 22s
Details
CI / validate-canonical-controls (push) Successful in 15s
Details
Build + Deploy / trigger-orca (push) Successful in 2m28s
Details 
Root cause: Spiegel DSI text was truncated (lazy-loading) — the
rights/DSB/complaints sections at the bottom were never extracted.

Fixes:
1. Text extraction: scroll to bottom before innerText (dsi_discovery.py)
2. V.i.S.d.P.: add "verantwortlicher i.s.v." + "§18 Abs. N MStV" pattern
3. USt-IdNr: add "umsatzsteuer-id" + "DE 212 442 423" (with spaces)
4. Profiler: remove generic "anwalt"/"praxis" (false positive on Spiegel
   "Redaktionsanwalt"), keep only "rechtsanwalt", "kanzlei" etc.
5. Section splitter: auto_fill_from_dsi() fills empty Cookie/Social-Media
   rows from sections found in the DSI text

Ground Truth 06-spiegel.md fully rewritten with verified data from
live website — 3 L1 False Negatives identified (DSB, Beschwerderecht,
Betroffenenrechte all present on website but not in extracted text).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-13 01:20:55 +02:00
Benjamin Admin 407a9503e4 fix(profiler): fix B2G false positive + add consulting/manufacturing
Build + Deploy / build-admin-compliance (push) Successful in 2m27s
Details
Build + Deploy / build-backend-compliance (push) Successful in 3m40s
Details
Build + Deploy / build-ai-sdk (push) Successful in 1m0s
Details
Build + Deploy / build-developer-portal (push) Successful in 1m16s
Details
Build + Deploy / build-tts (push) Successful in 1m54s
Details
Build + Deploy / build-document-crawler (push) Successful in 1m2s
Details
Build + Deploy / build-dsms-gateway (push) Successful in 31s
Details
Build + Deploy / build-dsms-node (push) Successful in 20s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / loc-budget (push) Failing after 17s
Details
CI / secret-scan (push) Has been skipped
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m44s
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / test-go (push) Successful in 49s
Details
CI / test-python-backend (push) Successful in 36s
Details
CI / test-python-document-crawler (push) Successful in 25s
Details
CI / test-python-dsms-gateway (push) Successful in 21s
Details
CI / validate-canonical-controls (push) Successful in 14s
Details
Build + Deploy / trigger-orca (push) Successful in 3m23s
Details 
- Remove generic B2G keywords (behörde, amt, öffentlich) that match in
  every DSI due to "Aufsichtsbehörde", "Amtsgericht", "veröffentlichen"
- Remove "server" from it_services (too generic, appears in every DSI)
- Add consulting, manufacturing, media industries
- Add B2B fallback for GmbH/AG without B2C signals
- Add 10 ground truth files for unified compliance check

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-12 12:20:44 +02:00