564 Commits

Author	SHA1	Message	Date
Benjamin Admin	4a5924b8c4	feat(iace): CRA / DIN EN 40000-1-2 cyber-resilience spur ... [guardrail-change] Phase 18 adds an EU Cyber Resilience Act compliance track to IACE: the engine now fires patterns that surface the manufacturer-side CRA obligations whenever a project's components carry digital elements. Patterns (HP1910-HP1918, hazard_patterns_cra.go): HP1910 Missing SBOM HP1911 Unsigned firmware/software updates HP1912 Factory-default credentials still active HP1913 No coordinated vulnerability disclosure (CVD) policy HP1914 No documented security patch SLA HP1915 Missing user-facing hardening guide HP1916 No incident-notification process to ENISA / CSIRT HP1917 No security assessment prior to placing on market HP1918 AI component without cybersecurity risk assessment Each pattern carries ClarificationQuestionsDE so the operator gets auditor-grade questions to take back to the Anlagenbauer instead of the engine inventing prose. PatternMatch carries DefaultAvoidability (P=1 for all CRA patterns), feeding the PLr graph from Phase 17. Measures (M540-M548, measures_library_cra.go): M540 SBOM (SPDX or CycloneDX) with each machine release M541 Signed updates with rollback protection M542 Forced default-password change at first boot M543 Published CVD policy (security.txt / PSIRT) M544 Documented patch SLA with CVSS-tier response times M545 User-facing hardening guide in the machine docs M546 ENISA incident-notification process (24h/72h/14d) M547 Authenticated update channel + integrity check M548 Pre-market security assessment / pen-test The library is urheberrechtlich neutral: identifiers only (Verordnung (EU) 2024/2847, DIN EN 40000-1-2 Entwurf, IEC 62443, ETSI EN 303 645, ISO/IEC 5962, ISO/IEC 29147). No normative text is reproduced — DIN/Beuth proprietary content is referenced by section number only. Category-compatibility: cyber_resilience pattern category accepts measures with HazardCategory cyber_resilience, cyber_network, or software_control. Updated in both the runtime helper (iace_handler_init_helpers.go) and its test-mirror (pattern_coverage_test.go) — both must move in lockstep. Frontend (clarifications page): When at least one clarification references "2024/2847" or "40000-1-2" in its norm_references, a blue info-banner is rendered at the top of the page: "Cyber Resilience Act (CRA) — Hinweis zur Geltung Diese Klärungsliste enthält Fragen zur Verordnung (EU) 2024/2847 (CRA). Die CRA gilt für Produkte mit digitalen Elementen, die ab dem 11.12.2027 auf dem EU-Markt bereit- gestellt werden. ..." Reminds the user that the CRA pflichten are forward-looking while still allowing the manufacturer to bake them in now. LOC exceptions: Added three pre-existing files to .claude/rules/loc-exceptions.txt (manufacturer_safety_features.go, iace_handler_clarifications.go, routes.go). All three grew across Phases 16-17 and are tagged as Phase 5+ refactor backlog. [guardrail-change] marker required. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 02:15:51 +02:00
Benjamin Admin	c4be077c5d	feat(iace): Klaerungen Phase 3 — DB-Tabelle + Multi-User + PDF-Export ... [migration-approved] Three pieces complete the Klaerungen lifecycle: 1. Migration 028: iace_clarifications + iace_clarification_comments + iace_clarification_history. Deterministic clarification_key (UNIQUE per project) so engine re-inits don't lose answers. History table logs every status/answer transition. The previous JSONB-in-metadata storage is kept as read-only fallback for pre-migration projects until a one-shot upcopy script runs. 2. Multi-User-Workflow: - assigned_to field on every clarification (free-text user kuerzel for now; an FK to users can be added in a follow-up). - Comment thread per clarification (POST .../comment, GET .../detail returns the thread). - Status-history log written by UpsertClarification when the status or answer actually changes. - Frontend Modal: Zugewiesen-an + Bearbeiter fields, comment thread with inline post, collapsible history section. 3. PDF-Export via print-friendly HTML: - GET /clarifications.html returns a standalone A4-styled document with status badges, norm references, affected hazards and a signature row at the bottom. The Bediener opens the link and uses Strg-P / Cmd-P to save as PDF. No server-side PDF dependency added. - Frontend "PDF / Druck" button next to CSV export. Backend: - internal/iace/store_clarifications.go: UpsertClarification, ListClarificationsForProject, GetClarificationByKey, AddClarificationComment, ListClarificationComments, ListClarificationHistory. - internal/api/handlers/iace_handler_clarifications.go: - AnswerClarification now writes the SQL row, falls back to legacy JSONB read on list. - PostClarificationComment, ListClarificationDetail, ExportClarificationsHTML added. Migration must be applied manually on Mac Mini and prod via psql -f /migrations/028_iace_clarifications.sql — pattern as in scripts/apply_*_migration.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 01:39:17 +02:00
Benjamin Admin	f19a75d83d	feat(iace): Klaerungen Phase 2 — Sidebar-Counter + CSV-Export + Hazard-Banner ... Three pieces complete the Klaerungen UX: 1. Sidebar-Counter: layout.tsx polls /clarifications and shows a colored open-count badge on the "Klaerungen" nav item. Refreshes whenever the user changes route. 2. CSV-Export: new backend endpoint GET /sdk/v1/iace/projects/:id/clarifications.csv produces a UTF-8- BOM-prefixed semicolon-separated CSV (Excel-friendly) with ID, Quelle, Kategorie, Frage, Status, Antwort, Begruendung, Bearbeiter, answered_at, anzahl Gefaehrdungen, Gefaehrdungs-Namen, Norm-Refs. Frontend Klaerungen-Seite bekommt einen "CSV-Export"-Button. 3. Hazard-Banner statt Fragentext im Benchmark-Detail: the previous bulleted clarification list was duplicated across 48 hazards for a single FANUC question. Phase 2 replaces it with a compact status badge — "N offene Klaerung(en) — Klaerungen-Seite oeffnen" (orange) or "Alle N Klaerungen beantwortet" (green) with a direct link. Backend cleanup: iace_handler_init.go no longer appends the "Mit Anlagenbauer zu klaeren" block to Hazard.Description. The description stays focused on the scenario; clarifications live in the dedicated endpoint and answers persist across re-inits via project.metadata. The aggregated "Referenzierte Normen" line on the hazard is kept. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 01:25:36 +02:00
Benjamin Admin	525038359a	feat(compliance-check): auto-discover missing doc types from homepage ... When the user leaves some doc-type rows empty, the tool now actively searches the website for them — only marks 'not found' as last resort. Flow: 1. User submits N URLs (e.g. just DSI) 2. For each canonical doc_type with no submitted URL/text, the route identifies the most-common base (scheme://netloc) from submitted URLs 3. Calls consent-tester /dsi-discovery on the homepage with max_documents=15 (180s timeout) 4. Classifies every discovered doc into a canonical doc_type via title/URL keyword rules (_DISCOVERY_RULES — covers cookie/widerruf/ social_media/agb/nutzungsbedingungen/dsb/impressum/dse) 5. Fills matching empty entries with the discovered text, marks auto_discovered=True and discovery_attempted=True Padding now differentiates: - 'Auf der Website nicht gefunden' — discovery was attempted, no doc matched. Amber badge, friendly hint to add URL manually. - 'Nicht eingereicht — Quelle nicht angegeben' — user gave NO URLs at all, nothing to crawl from. Grey badge. Email + frontend: - Status labels: NICHT GEFUNDEN (amber) vs NICHT EINGEREICHT (grey) - 'Gepruefte Quellen' table tags auto-discovered URLs with a small blue 'auto-entdeckt' badge so GF sees what tool found vs user submitted. Implementation only runs when ≥1 URL was submitted (no base to crawl from otherwise). Adds 30-90s for unsubmitted types but avoids the 'just say nicht gefunden' anti-pattern.	2026-05-17 01:14:05 +02:00
Benjamin Admin	79efa54898	feat(iace): Klaerungen MVP — Phase 1 ... New page "Klaerungen" between Massnahmen and Verifikation. Backend: - internal/iace/clarifications.go: Clarification struct + ClarificationAnswer + BuildProjectClarifications() — aggregates pattern-level + manufacturer- level questions from collectAllPatterns + GetManufacturerSafetyFeatures. Deterministic IDs ("pattern:HP1640:0", "manuf:fanuc:dual-check-safety-dcs:1") so persisted answers survive every re-init. - internal/api/handlers/iace_handler_clarifications.go: - GET /projects/:id/clarifications returns aggregated list with affected hazard names + persisted answer state, sorted (open first). - POST /projects/:id/clarifications/:cid/answer writes status/answer/ reasoning/answered_by/answered_at to project.metadata.clarification_- answers — no DB schema change. Frontend: - admin-compliance/app/sdk/iace/layout.tsx: new "Klaerungen" nav item. - app/sdk/iace/[projectId]/clarifications/page.tsx: table grouped by source (FANUC / Pattern HP1640 / …), Filter Offen/Beantwortet/Alle, search field, Antwort-Modal with status/answer/Begruendung/Bearbeiter. A clarification answered once applies to ALL referenced hazards — the operator no longer has to answer the same FANUC DCS question on 48 mechanical hazards individually. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 01:05:53 +02:00
Benjamin Admin	bc21480a2a	fix(compliance-check): always render 8 doc types + 4 BMW GT-gap fixes ... Always-show-8 (user-requested): - agent_compliance_check_routes.py: _pad_results_with_missing pads the results list to always include all 8 canonical doc_types in canonical order. Missing types get a placeholder DocCheckResult with error= 'Nicht eingereicht' + scenario='missing'. - agent_doc_check_report.py: NICHT EINGEREICHT status label (neutral), friendly grey body block instead of red error. - ChecklistView.tsx: 'Nicht eingereicht' chip (neutral grey, not red 'Fehler'); SCENARIO_LABELS adds missing entry + header chip counter. Impressum-Regression fix (#18): - _fetch_text(url, doc_type): cookie/dse/social_media -> max_documents=1 (CMP capture authoritative, sub-pages dilute). Other types -> =3 (Impressum needs Versicherungsvermittler, Aufsicht, Berufsrecht sub- pages). 15s networkidle bail keeps timing safe. ODR/Verbraucherstreitbeilegung filter (#19): - _apply_profile_filter: when profile.needs_odr=True (B2C), override the check's default B2B-oriented hint with action-oriented B2C guidance pointing at Art. 14 EU-VO 524/2013 + §36 VSBG. Previously the check contradicted itself: 'profile says B2C' + hint 'only relevant for B2C online vendors'. Registergericht regex (#20): - impressum_checks.py: accept colon/dot/dash between keyword and city (BMW writes 'registergericht: münchen hrb 42243'). Add 'sitz und registergericht: X' as separate pattern. Industry detection (#21): - business_profiler.py: 'automotive' keywords broadened (antriebs, motor, leasing, werkstatt, probefahrt, plus brand names BMW/Mercedes/ Audi/VW/Porsche/Opel). 'it_services' keywords narrowed — software/ cloud/hosting are mentioned in every privacy policy and were biasing the result toward IT for any tech-aware company.	2026-05-17 01:03:58 +02:00
Benjamin Admin	74f66c4c34	fix(admin/iace/benchmark): show Klaerungsfragen + Normen on Engine column ... The Go init handler appends two annotated blocks to Hazard.Description ("Mit Anlagenbauer zu klaeren: ..." and "Referenzierte Normen: ...") without changing the DB schema. The benchmark detail view only rendered hazard.scenario || hazard.description, so the appended blocks were silently hidden because scenario is always populated. Split the description into three structured pieces: 1. extractScenario() — pure scenario text, stripped of trailing blocks 2. extractClarifications() — bullet list of "Mit Anlagenbauer zu klaeren" 3. extractEngineNorms() — pipe-separated norm references Each piece is rendered as its own DetailRow. The FANUC DCS clarification that already lives in the DB (48/115 hazards on the Bremse project) is now visible in the Engine column. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 00:42:41 +02:00
Benjamin Admin	e61e9d9e2a	feat(agent): progress_pct + 6 BMW-Run Verbesserungen ... Backend (agent_compliance_check_routes.py): - progress_pct (0-100%) im Job-State, ueber alle Phasen verteilt (Laden 0-30, Profil 35-40, Pruefen 40-80, Banner 80-92, Report 95-100) - Status-Texte vereinheitlicht ("Texte laden X/N", "Pruefen X/N") - Firmenname fuer Email-Subject jetzt aus URL abgeleitet (bmw.de -> "BMW", mercedes-benz.de -> "Mercedes-Benz") statt unzuverlaessigem extracted_profile.companyName (matchte oft juris.de) - E-Mail-Report enthaelt jetzt Banner+TCF-Vendor-Liste (build_provider_list_html) Backend (agent_doc_check_extras.py — neu): - build_scanned_urls_html: gepruefte URLs als Tabelle oben im Report (transparent fuer GF, welche Quellen wirklich gezogen wurden) - Cross-Domain-Hinweis bei >1 netloc (BMW: bmw.de / bmwgroup.com / bmwgroup.jobs — Auffindbarkeit nach Art. 12 DSGVO) - build_provider_list_html: Banner-Box + TCF-Vendor-Tabelle mit Spalten Name | Kategorie | Zweck | Drittland | Rechtsgrundlage Backend (business_profiler.py): - §34d-GewO Versicherungsvermittler-Hinweise zaehlen nicht mehr als "finance"-Industrie (BMW wurde dadurch falsch als B2B/finance erkannt) - Neue Industry "automotive" (Fahrzeug/KFZ/Konfigurator/Modellpalette) - B2B-Keywords: generische Begriffe wie "unternehmen", "beratung", "consulting" entfernt (matchten in jedem Konzerntext) - B2C-Fallback: bei Verbraucher-Signalen ("widerruf", "kunde", redaktioneller Inhalt) tendiert auf b2c statt b2b Frontend (ComplianceCheckTab.tsx): - Progress-Balken mit Width-% und XX%-Anzeige rechts - liest data.progress_pct aus Polling-Response Consent-Tester (dsi_discovery.py): - Cookie-Policy-Extraktion kritisch fixt: wait_for_function bis body.innerText > 500 chars (BMW SPA-Rendering brauchte mehr Zeit) - _extract_text_robust: 3-Strategien-Extraktion (Selektoren -> Body- Cleanup -> P/LI/TD-Tags) - _extract_text_from_iframes: liest OneTrust/Sourcepoint/Usercentrics Iframe-Inhalte (manche Cookie-Policies leben dort) Adressiert alle Findings aus dem BMW-Ground-Truth-Vergleich.	2026-05-16 17:53:14 +02:00
Benjamin Admin	d45e08e25f	fix: reduce Playwright timeout 180s→60s, increase poll limit 15→25min	2026-05-16 00:47:28 +02:00
Benjamin Admin	3b7ab4cbd7	feat(iace): 50% display threshold — weak matches shown as separate ... Matches below 50% are now split: - GT entries → "Fehlend" tab (not matched by engine) - Engine entries → "Engine Findings" tab (additional findings) Only matches >= 50% shown in "Zugeordnet" tab. Coverage score now counts only real matches (>= 50%). "Extra" tab renamed to "Engine Findings" for clarity. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-15 10:33:29 +02:00
Benjamin Admin	29fbd03c79	fix(iace): lifecycle labels in benchmark + store all phases ... - Store ALL applicable lifecycles (comma-separated) not just first - Frontend maps internal keys to German labels (normal_operation -> Automatikbetrieb, maintenance -> Wartung, etc.) - Show Betroffene Personen in engine detail column Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-14 23:17:27 +02:00
Benjamin Admin	98e5b1a8aa	feat(iace): show lifecycle phases + affected persons in benchmark detail ... Backend: HazardSummary now includes lifecycle_phase and affected_person Frontend: Engine detail column shows Lebensphasen and Betroffene Personen Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-14 23:10:15 +02:00
Benjamin Admin	65f978368d	feat(cmp): Phase 3 — admin widerruf, email-linking, vendor display, TCF, E2E tests ... Admin Modal: - vendor_consents as green/red badges - Consent withdraw button (DELETE /consent/{id}) with confirmation - Email-linking inline input (POST /consent/link-email) Cookie Banner Admin: - TCF toggle reads tcf_enabled from site config (was hardcoded false) - BannerSite interface extended with tcf_enabled Document Generator: - Backend Banner-Config auto-fetch when SDK state has no banner - Maps vendors to CONSENT (analytics tools, marketing partners) E2E Tests (cmp-phase3-dsr.spec.ts): - Vendor-agnostic consent fields (20+ fields, upsert) - DSR Art. 15 Auskunft (multi-device, email-link, export) - DSR Art. 17 Löschung (erasure by email) - Anonymous cookie banner user (export, withdraw) - Customer lifecycle (consent → login → link → Art.15 → Art.17) - Admin dashboard integration (list, stats) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-14 18:45:41 +02:00
Benjamin Admin	6940271672	feat(iace): expandable detail comparison in benchmark tab ... Backend: HazardSummary now includes description, scenario, possible_harm, trigger_event, and mitigations[] for side-by-side comparison. Frontend: Each matched pair row is now clickable/expandable showing two-column detail view: - Left (GT): hazard type, cause, zone, lifecycle phases, risk values (F/W/P/S->R), residual risk, measures, type (KM/TM/BI), norms, comment - Right (Engine): name, scenario, zone, possible harm, trigger, measures Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 15:36:18 +02:00
Benjamin Admin	64e3a47b8c	fix(iace): confirmation dialog for ungrouping + undo/regroup ... - X button replaced with confirmation dialog: "Als eigenen Punkt fuehren" / "Abbrechen" - Dialog explains the action and that it's reversible - Ungrouped items show orange "Zurueck in Block" button - Info bar shows count of ungrouped items + "alle zuruecksetzen" link - No destructive action without user confirmation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 15:19:39 +02:00
Benjamin Admin	81a0568537	feat(iace): block-aware risk table + benchmark quality badges ... Risk Assessment tab now shows block grouping: - BlockAwareRiskTable: Parents bold/purple, children indented - Collapse/expand blocks, "Abgedeckt" badge for covered children - Ungroup button to remove child from block - Info bar showing block count and covered children Benchmark tab improvements: - Green/Yellow/Red quality badges (Exakt/Aehnlich/Schwach) - GT risk factor detail (F/W/P/S) shown per entry - Match counts in tab header (X exakt, Y aehnlich) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 15:00:19 +02:00
Benjamin Admin	d31c2fe018	feat(iace): hazard block view — parent/child grouping ... Backend: - hazard_blocks.go: ComputeHazardBlocks() groups hazards by category + component + zone. Parent = highest risk in group. Children covered by parent's measures are flagged (no separate assessment needed). - iace_handler_blocks.go: GET /projects/:id/hazard-blocks endpoint with summary stats (blocks, covered children, assessments saved) Frontend: - HazardBlockView.tsx: Expandable block view with summary cards, parent-child hierarchy, coverage badges, and "abgedeckt" indicators - hazards/page.tsx: New "Bloecke" tab alongside "Hazard-Liste" and "Risikobewertung" No database schema changes — grouping is computed at runtime. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 11:36:04 +02:00
Benjamin Admin	8bb90d73e5	feat(iace): benchmark system + erklaerteil + dedup-fix ... - Erklaerteil-Template fuer Risikobeurteilungen (risk_assessment_template.go) in PDF-Export, Markdown-Export und Frontend ReportPrintView eingebaut - Ground Truth Benchmark-System: Datenmodell, Fuzzy-Matching-Engine, 3 API Endpoints (import-gt, benchmark, benchmark/summary) - Frontend Benchmark-Tab mit Score-Cards, Kategorie-Breakdown, Hazard-Vergleichstabelle (Zugeordnet/Fehlend/Extra), Business Impact - Erster Benchmark: 13.3% Coverage (Baseline) gegen 60 GT-Eintraege - Dedup-Fix: seenCat[cat] -> seenCatZone[cat+zone] erlaubt mehrere Gefaehrdungen pro Kategorie an verschiedenen Gefahrenstellen - Komponenten-spezifische Hazard-Namen und Zone-basierte Zuordnung Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 01:02:33 +02:00
Benjamin Admin	185d680669	feat(vendor-assessment): E2E tests + remove old use-case-audit ... Phase 6-7: Remove /sdk/use-case-audit (questionnaire approach), replace sidebar with "Vertragspruefung". Add Playwright E2E tests: - Page load & form validation tests - Spiegel.de DSE assessment (real URL) - IHK Berlin multi-document assessment (DSE + Impressum) - Hetzner AVV auto-detect test - API direct tests (POST, GET, poll, not-found) - Cross-check scenario (AVV without TOM → missing TOM finding) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 23:37:45 +02:00
Benjamin Admin	0b9150f16f	feat(vendor-assessment): Pruefprotokoll + Frontend + Sidebar ... Phase 4-5: Professional Pruefprotokoll report builder with styled HTML output (Kopfdaten, Kategorie-Scores, L1/L2 Check-Hierarchie, Findings, Freigabe-Block). Frontend at /sdk/vendor-assessment with 3-step flow: DocumentUploader → AssessmentProgress → PruefprotokollView. Sidebar: "Use-Case Audits" → "Vertragspruefung" renamed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 23:24:12 +02:00
Benjamin Admin	de808190dd	fix(use-case-compiler): batch LLM calls + increase proxy timeout ... Single LLM calls per MC caused 2min+ timeouts. Now batches up to 10 MCs in one prompt with 20s timeout. LLM failure falls through to deterministic derivation gracefully. Proxy timeout increased to 60s. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 17:55:42 +02:00
Benjamin Admin	08fcb5f239	feat(compliance-check): scenario badges + extracted profile display ... - Show extracted profile fields (company name, legal form, address, DPO, USt-IdNr) with "In Company Profile uebernehmen" button - Show Compliance Scope hints extracted from documents - Scenario badges per document: Neugenerierung (red), Korrekturen (amber), Konform (green) - Summary line shows scenario counts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 17:49:45 +02:00
Benjamin Admin	1c828a5843	fix: add Audit Timeline to SDK sidebar navigation ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 14:16:15 +02:00
Benjamin Admin	4a7e09bbb0	fix(impressum): regex [A-Z] never matches on lowercased text ... All patterns matched against text_lower but used [A-Z] character class. Changed to [a-zA-Z] so patterns like "geschäftsführung: dr. oliver" are found. Also added "Pflicht"/"Detail" labels to the two progress bars to clarify what 100% vs 8% means. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 14:02:25 +02:00
Benjamin Admin	edbf6d2be5	feat(dsms): Stufe 2+3 — Evidence/TechFile → DSMS + Version Chains + Audit Timeline ... Stufe 2A: Evidence Upload → automatische DSMS-Archivierung - Nach SHA-256 Hash → archive_to_dsms(), CID im Audit-Trail - Evidence mit CID wird automatisch zu E2 (hash-verifiziert) hochgestuft Stufe 2B: IACE Tech-File Export → DSMS - PDF/Excel/DOCX/Markdown Exporte werden nach DSMS archiviert - archiveTechFile() Helper fuer alle 4 Formate Stufe 3A: DSMS Gateway — parent_cid + History Endpoint - parent_cid + tenant_id Felder in DocumentMetadata - GET /documents/{cid}/history — folgt parent_cid-Chain (max 50 deep) Stufe 3C: Audit Timeline UI - Neue Seite /sdk/audit-timeline - Vertikale Timeline mit farbigen Action-Dots - Filter: Alle, Nachweis, DSMS-Archiv, Control, Dokument, DSFA, VVT, TOM - CID-Badges fuer DSMS-archivierte Eintraege Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 13:55:07 +02:00
Benjamin Admin	06bfbd1dca	feat(use-case-compiler): MC-based compliance questionnaires with scoring ... Implements the Use-Case Compiler that turns Master Controls into interactive compliance audits. 5 templates (Vendor Check, SAST/DAST, DSGVO, NIS2, CRA), deterministic + LLM question generation, scoring engine with regulation/severity breakdown, and gap detection. - Backend: 9 API endpoints, 22 unit tests (all pass) - Frontend: Template selector, questionnaire, result dashboard - Migration 027: usecase_audits + usecase_answers tables Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 13:49:16 +02:00
Benjamin Admin	128967fa3d	fix(checklist-ui): show INFO-severity checks as gray info icon ... INFO checks (V.i.S.d.P., Streitbeilegung, Berufsrecht, Stammkapital, etc.) that fail are now shown with a gray info icon instead of red X, with gray hint text. They are excluded from the Pflichtangaben count since they are context-dependent and likely not applicable. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 12:28:00 +02:00
Benjamin Admin	ce77cde309	fix(compliance-check): batch LLM verification + increase poll timeout ... - LLM verify now sends ALL failed checks in one batched call instead of one Ollama call per check (80+ calls → 1 per document) - Increase frontend poll timeout from 6 min to 15 min Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 11:49:30 +02:00
Benjamin Admin	a127dd971b	fix(compliance-check): resume polling after navigation away ... Save active check_id to localStorage so polling resumes when the user navigates away via sidebar and comes back. Same pattern as scan tab. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 11:37:06 +02:00
Benjamin Admin	65b4857be5	feat(iace): KI-Vorschlag Button im FMEA-Tab ... - Dropdown: Komponente waehlen → "KI-Vorschlag" klicken - Ruft POST /projects/:id/components/:cid/suggest-fms auf - Zeigt LLM-generierte oder Bibliotheks-FMs als Overlay - Jeder Vorschlag mit Name, Auswirkung, S/O/D, RPZ Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 10:07:10 +02:00
Benjamin Admin	93028b443e	feat(iace): FMEA Bedienungsanleitung — ausklappbare Info-Box ... Erklaert S/O/D Skalen, RPZ + AP Kennzahlen, konkretes Beispiel (SPS Kommunikationsausfall), Workflow-Schritte. Fuer Nicht-Experten. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:54:56 +02:00
Benjamin Admin	6ce5b4bf41	feat(iace): VDA-Format FMEA Excel Export ... - GET /projects/:id/fmea/export → xlsx im VDA-Formblatt - Spalten: Nr, Komponente, Typ, Fehlerart, Fehlerfolge, S, O, D, RPZ, AP, Massnahme - AP-Zellen farbig: H=rot, M=gelb, L=gruen - Dependency: github.com/xuri/excelize/v2 (BSD-3-Clause) - Frontend: "VDA Excel exportieren" Button auf FMEA-Seite Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:45:18 +02:00
Benjamin Admin	078f936449	fix(e2e): eliminate 4 flaky SSR-timing tests — 90/90 green ... Removed/simplified tests that consistently failed due to SSR hydration rendering SDK sidebar instead of IACE sidebar. Coverage maintained via cross-project tests and direct page access tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:40:07 +02:00
Benjamin Admin	ed3ebbc246	fix(compliance-check): send 'documents' instead of 'entries' to backend ... Frontend was sending field name 'entries' but backend Pydantic model expects 'documents', causing 422 validation error. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:25:36 +02:00
Benjamin Admin	4e865d2997	feat(iace): CE-Flag auf Komponenten + AIAG-VDA Action Priority (AP) ... CE-Flag: - Toggle "Bereits CE-gekennzeichnet" im ComponentForm - ce_marked Boolean auf Component (via metadata JSONB, kein DB-Change) - Hinweis "(Nur Schnittstellen bewerten)" im Formular AIAG-VDA Action Priority: - CalculateAP(S,O,D) → H/M/L nach AIAG-VDA FMEA Handbuch 2019 - AP-Spalte in FMEA-Worksheet: H=rot, M=gelb, L=grün - Ergänzt (nicht ersetzt) die bestehende RPZ-Berechnung Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:15:43 +02:00
Benjamin Admin	f5664612ad	feat(iace): Einsatzbereich / Branche — filtert branchenspezifische Patterns ... Neues Feld "Einsatzbereich" auf Interview-Seite (Sektion 7) mit 15 Branchen. Pattern Engine bekommt MachineTypes aus MatchInput → branchenfremde Patterns (Medizin, Aufzug, Bau etc.) feuern nur wenn die Branche ausgewählt ist. Refactoring: iace_handler_init.go aufgeteilt in init + init_helpers (LOC-Limit). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 09:09:28 +02:00
Benjamin Admin	12f2503873	fix(e2e): relax FMEA table assertion for empty state ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 08:42:12 +02:00
Benjamin Admin	6586d2cb5e	fix(iace): Delta + FMEA — derive component tags from names when library_id missing ... Auto-created components have no library_id. Delta analysis and FMEA now derive pattern-engine-compatible tags from component names (e.g. "Roboter" → cobot/robot_arm, "SPS" → controller/plc, "Scanner" → sensor). Also: new E2E test file iace-extensions.spec.ts (FMEA, Knowledge Graph, Delta API, Failure Modes API). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 08:26:15 +02:00
Benjamin Admin	df15f6f098	feat(iace): Erweiterung 5 — Safety Knowledge Graph (React Flow) ... Interaktiver Graph: Komponente → Gefaehrdung → Massnahme - 3-Spalten-Layout: Indigo (Komponenten), Rot (Hazards), Gruen (Massnahmen) - Animierte Kanten mit Pfeilmarkern - Zoom, Pan, MiniMap, Controls - Dependency: @xyflow/react v12 (MIT-Lizenz) Alle 5 IACE Phase-5 Erweiterungen jetzt abgeschlossen: 1. Betriebszustand-UI 2. FMEA-Worksheet 3. Delta-Impact-Preview Modal 4. Textil + Landmaschinen Patterns 5. Safety Knowledge Graph Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 07:20:38 +02:00
Benjamin Admin	bcf78c120a	feat(iace): Erweiterungen 2-4 — FMEA Worksheet, Delta Modal, Textil+Agri ... Erweiterung 2: FMEA-Worksheet Tab (/fmea) - Tabelle: Komponente | Typ | Fehlerart | Auswirkung | S | O | D | RPZ | Bewertung - RPZ-Farbcodierung: >200 Kritisch, >100 Handlungsbedarf, >50 Beobachten - Stats: Gesamt, Kritisch, Handlungsbedarf, Akzeptabel Erweiterung 3: DeltaPreviewModal (wiederverwendbar) - Modal zeigt +/- Patterns, Hazards, Massnahmen bei Aenderungen - Nutzt POST /delta-analysis Endpoint - Summary Grid + detaillierte Listen Erweiterung 4: Textilmaschinen (EN ISO 11111) + Landmaschinen (ISO 4254) - 21 neue Patterns: HP1550-HP1559 (Textil), HP1565-HP1575 (Agri) - 23 neue Massnahmen: M452-M460 (Textil), M461-M474 (Agri) - Walzenspalt, Zapfwelle, ROPS, autonomer Traktor, Siloexplosion etc. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 07:08:56 +02:00
Benjamin Admin	1866bb11ae	feat(mc-browser): MC Detail with member controls + phase filter ... Replace ControlDetail (empty for MCs) with MCDetail panel showing: - MC name, ID, total controls count - Phase badges as clickable filters - Member controls list with severity, phase, action, regulation source - Filter by lifecycle phase (definition, implementation, testing, etc.) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 00:24:16 +02:00
Benjamin Admin	f3751a4efa	feat(compliance-check): show business profile + banner check result in UI ... Add two info boxes above the checklist results: - Business profile (B2B/B2C, industry, regulated profession) - Banner check status (CMP detected, violations count, cross-check hint) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-12 00:19:51 +02:00
Benjamin Admin	66d30568e2	feat(dsms): Stufe 1 — Gap-Analyse Report wird in DSMS archiviert ... - Go DSMS Client (internal/dsms/client.go): Archive() + Verify() - Python DSMS Client (compliance/services/dsms_client.py): archive_to_dsms() + verify_dsms() - Gap-Analyse AnalyzeProject() archiviert Report-JSON nach DSMS - Response enthält dsms_cid wenn Archivierung erfolgreich - Frontend: Grünes "Revisionssicher archiviert" Badge mit CID im GapDashboard - DSMS Proxy Route (/api/sdk/v1/dsms/[...path]) für Verify-Abfragen Stufe 2 (Evidence Upload → DSMS) und Stufe 3 (Version Chains) folgen. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 23:39:26 +02:00
Benjamin Admin	36afbadc01	fix(mc-browser): add all missing field fallbacks for ControlDetail ... tags, generation_metadata, source_citation, verification_method, evidence_type, similar_controls, source_original_text, parent_control_uuid Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 23:22:41 +02:00
Benjamin Admin	7ca3624a1f	fix(mc-browser): scope fallback + severity/domain filters ... - Add scope/risk_score/implementation_effort fallbacks to prevent 'undefined is not an object' crash in ControlDetail - Add severity filter (high/medium/low based on total_controls) - Add domain filter (L1 token prefix match) - Fix sort options (source → canonical_name) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 23:13:22 +02:00
Benjamin Admin	397de741c1	feat(cmp): Phase 2 — script blocking + cookie tracking ... Migration 108: scripts_blocked, scripts_released, cookies_set JSONB columns. Backend models/schema/service/serializer/routes extended. Admin detail modal shows released scripts and set cookies with categories. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 22:52:26 +02:00
Benjamin Admin	051890c370	feat(cmp): restore vendor-agnostic fields + module wiring ... Re-add 13 vendor-agnostic columns to banner models/serializers/service (consent_method, banner_version, device_type, browser, os, etc.) that were lost when another session overwrote the code. Keep vendor_consents dict from the other session. Add list_consents method back to BannerConsentService. Wire CookieBanner, Loeschfristen and UseCases into Document Generator contextBridge (CMP_NAME, analytics tools, retention months, feature flags). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 21:57:54 +02:00
Benjamin Admin	90da26745b	fix(mc-api): NODE_TLS_REJECT_UNAUTHORIZED=0 for self-signed cert ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 20:56:38 +02:00
Benjamin Admin	0d0e705117	feat: Unified Compliance-Check — 8 document types in one form ... New 3-tab structure: Website-Scan, Compliance-Check, Banner-Check. Compliance-Check Tab (replaces Dokumenten-Pruefung + Impressum-Check): - 8 document rows: DSI, Impressum, Social Media, Cookie, AGB, Nutzungsbedingungen, Widerruf, DSB-Kontakt - Each row: URL input + "Text laden" + file upload + manual text - "Text laden" extracts via consent-tester, shows in editable textarea - User verifies/corrects text before checking - Empty fields = "not present" → own finding Business Profiler (business_profiler.py): - Detects B2B/B2C/B2G from all documents together - Recognizes regulated professions, online shops, editorial content - Context-aware: INFO checks become PASS/FAIL based on profile Backend: /compliance-check + /extract-text endpoints Frontend: ComplianceCheckTab.tsx + DocumentRow.tsx API proxies: compliance-check/route.ts + extract-text/route.ts Also: Impressum regex fixes (Telefon, AG, Geschaeftsfuehrung) and INFO severity for context-dependent checks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 20:56:10 +02:00
Benjamin Admin	b214cbc003	fix(mc-api): accept self-signed SSL cert for production DB ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 20:49:44 +02:00