Presets now shown on the SDK start page (/sdk) as a card grid
between header and stats — only when companyName is empty.
Click navigates to /sdk/company-profile?preset={id}.
Reverted company-profile/page.tsx to original state (no preset
logic there — the dashboard is the right place for discovery).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows preset cards before the wizard when the profile is empty:
- 10 industry presets (SaaS, Consumer App, E-Commerce, IT-Agentur,
Maschinenbau, Rechtsanwalt, Arztpraxis, Handwerk, Bildung, Enterprise)
- Each with icon, label, and description
- Click prefills: legalForm, industry, businessModel, companySize,
employeeCount, country, targetMarkets, dataController/Processor
- "Manuell ausfuellen" skip option
- Only shown when companyName is empty (fresh start)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Deleted 6 unused components from /sdk/einwilligungen/cookie-banner/_components/
- Replaced page.tsx with Next.js redirect() to /sdk/cookie-banner
- Updated EinwilligungenNavTabs link to /sdk/cookie-banner
- Updated catalog page link to /sdk/cookie-banner
- Single source of truth: /sdk/cookie-banner (Step in "Rechtliche Texte")
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migration 110: Updated descriptions and version for 12 previously
unreviewed templates (asset_management, backup, change_management,
cloud_security, devsecops, incident_response, logging, patch_management,
secrets_management, vulnerability_management, informationspflichten,
verpflichtungserklaerung).
All templates assessed as "Very Good" quality — only incremental
updates needed (AI Act, CRA, NIS2UmsuCG references in descriptions).
informationspflichten: Kept as separate compact checklist (distinct
from the full privacy_policy DSI template).
verpflichtungserklaerung: Kept as standalone HR document (employee
signs at onboarding). Added to HR & Mitarbeiter category.
Result: 88 templates, 44 at v1.1+, 0 unreviewed remaining.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 108: Remove DSI duplicate (023 + 093 both wrote privacy_policy DE),
remove outdated EN v1, create English Privacy Notice v2 with all
modular sections (data categories table, retention periods, processor
vs. controller guidance, Art. 21 right to object highlighted)
DB now has exactly 2 privacy_policy templates: DE + EN, both v2.0.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 106: Remove AGB duplicates and obsolete templates (terms_of_service
DE/EN v1.0, liability clause) — replaced by agb v2.0
- 107: English Terms and Conditions v2 (EU-compliant, same structure
as DE version with all IF-blocks)
DB now has exactly 2 AGB templates: DE + EN, both v2.0.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- All 4 categories with toggles visible on first layer (no "Einstellungen" step)
- Removed showSettings state — single-view banner
- EWR toggle + info button in header, always visible
- Two equal-weight buttons: "Alle akzeptieren" + "Auswahl speichern"
- "Nur notwendige" as text link below (not hidden, but less prominent)
- Vendor tables expandable per category via chevron
- DSK OH Telemedien 2022 + CNIL 2020 compliant layout
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Game-changing CMP feature: Users accept a category (e.g. Marketing) but
can restrict data processing to EU/EWR-only vendors. Non-EWR vendors are
blocked even when the category is accepted.
- Toggle "Nur EU/EWR-Anbieter" with globe icon in blue gradient bar
- Blocked vendors shown as red pills with strikethrough icon
- Per-vendor status icons: green checkmark (active), red slash (blocked),
gray dash (category disabled)
- Country column: green circle+check for EWR, amber warning for non-EWR
- EWR = EU27 + IS/LI/NO + CH (Angemessenheitsbeschluss)
- Vendor data extracted to cookie-banner-vendors.ts (under 500 LOC)
- Consent state includes ewrOnly flag + blockedVendors list
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend: _ensure_list() converts null/string/malformed JSONB to []
for requirements, test_procedure, evidence, open_anchors, tags.
Frontend: defensive Array.isArray() check on ControlDetail.tsx.
Fixes: TypeError: A.requirements.map is not a function
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- CookieBannerOverlay: shows vendors per category with expandable tables
(Verarbeiter, Cookies, Dauer, Land) for full transparency
- Demo vendors: 4 necessary, 3 statistics, 3 marketing, 3 functional
- cookie_table_generator.py: renders {{COOKIE_TABLE}} Markdown tables
from vendor configs (DB) or service registry (fallback)
- SERVICE_COOKIES: 16 known vendor-to-cookie mappings with provider + country
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link mandatory in banner (§5 TMG)
2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49)
3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent)
4. Script-Blocking: data-cookie-category + type="text/plain" pattern
Scripts only execute AFTER user consents to that category
5. Buttons already equal size (flex:1) — verified correct
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows: Impressum link ✓/✗, DSE link ✓/✗, plus violation cards for
wrong DSE consent wording, pre-ticked checkboxes, dark patterns,
missing reject button, no settings re-access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link accessible from banner (§5 TMG, LG Rostock)
2. DSE link in banner (Art. 13 DSGVO, informierte Einwilligung)
3. Wrong wording: "Zustimmung zur DSE" — DSE is Art. 13 obligation,
not consent. Correct: "zur Kenntnis genommen"
4. Reject button visible (§25 TDDDG, no hidden reject)
5. Pre-ticked checkboxes detected (EuGH C-673/17 Planet49)
6. Dark Pattern: button size comparison — accept vs reject area
ratio >2.5x or font size ratio >1.5x = dark pattern
7. Cookie Wall detection (Phase B — site blocked after reject)
8. Re-access to settings (Art. 7(3) — revocation as easy as consent)
All checks run via Playwright on the actual rendered banner.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fundamental architecture fix: data processing happens through APIs/scripts/
cookies — NOT through visible page text. A news site about healthcare does
NOT process health data.
Before: Qwen reads website text → guesses "health_data: true" (WRONG)
After: Google Analytics detected → tracking: true (CORRECT, deterministic)
New flow: detect services from HTML → map service categories to flags →
feed flags into UCCA assessment. No LLM needed for flag extraction.
SERVICE_TO_FLAGS maps categories: tracking→tracking, marketing→marketing+
third_party_sharing, payment→payment_data, heatmap→profiling, etc.
SPECIFIC_SERVICE_FLAGS for Klarna (Art.22), Stripe (US transfer), etc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tests each consent category in isolation:
- Phase D: Only "Statistics" enabled → checks if only analytics loads
- Phase E: Only "Marketing" enabled → checks if only ads load
- Phase F: Only "Functional" enabled → checks no tracking loads
CMP-specific category selectors for Cookiebot, OneTrust, Usercentrics,
Didomi. Generic fallback via toggle/checkbox keyword detection.
SERVICE_CATEGORY_MAP maps 35+ services to expected categories.
Violations: "Facebook Pixel loads with only Statistics enabled" = miscategorization.
Frontend: category test results shown below Phase A-C with
per-category violation cards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
legalHolds can be a JSONB object {} instead of an array [], so
the || [] fallback wasn't sufficient. Array.isArray handles all
edge cases (null, undefined, object, string).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getActiveLegalHolds() crashed with "e.legalHolds.filter is not a
function" when legalHolds was null/undefined (e.g. old DB entries
without the JSONB field). Added fallback to empty array.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VVT and Loeschfristen pages imported STEP_EXPLANATIONS as a named
export from StepHeader.tsx, but it was only imported (not re-exported).
This caused "Cannot read properties of undefined (reading 'vvt')"
at runtime. Adding the re-export fixes both pages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Results (https://macmini:3007):
- sdk-module-reachability: 40/42 (loeschfristen+vvt pre-existing bugs)
- vendor-transfers: 4/4
- isms-assets: 3/3
- document-generator: 3/4 (category label mismatch)
Added: playwright-live.config.ts (no webServer, live instance testing)
Test data NOT cleaned up — profiles persist for manual review.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New E2E test specs:
- sdk-module-reachability: Tests 40+ SDK routes for 404/crash
- scope-profiling: Three customer profiles (Startup/KMU/Enterprise)
with screenshots at each step — data NOT cleaned up
- document-generator: Template library, categories, recommendations
- vendor-transfers: Transfer tab, explanations, adequacy list
- isms-assets: Asset register tab, form, CRUD
All tests configured to run against https://macmini:3007
Screenshots saved to e2e/test-results/ for manual review
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The SECTION_FIELDS object was prematurely closed before the TOM and DPA
sections, causing a build-time syntax error. Removed the extra closing
brace so TOM and DPA fields are correctly inside the object.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New: adequacy-decisions.ts
- Complete list of 15 countries with EU adequacy decisions (Art. 45)
- EU/EEA country set (30 countries)
- getTransferRequirement() — determines SCC/TIA/certification needs
per country code with human-readable explanations
- US special handling: DPF certification required, check URL included
Updated: transfers/page.tsx
- "Was muss ich tun?" explanation section with 3 options:
1. Adequacy decision (green) — no action needed
2. DPF certification (blue, US only) — check dataprivacyframework.gov
3. SCC + TIA required (amber) — link to Document Generator
- Collapsible adequacy countries table (15 countries with restrictions)
- Schrems II background explanation for customers
- Customer guidance written for non-experts who never heard of TIA/SCC
Updated: templateRecommendations.ts
- SCC+TIA rules now consider DPF certification and adequacy status
- us_dpf_only → SCC/TIA optional (not required)
- adequate_only → SCC/TIA not recommended
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Assets" tab in the ISMS module for information asset management:
- CRUD for information assets (hardware, software, data, services,
people, facilities)
- CIA protection need matrix (confidentiality, integrity, availability)
with normal/high/very_high levels
- Information classification (public, internal, confidential,
strictly confidential) with color-coded badges
- Category filter (all/hardware/software/data/service/people/facility)
- Stats cards (total, by category, high protection need count)
- CSV export for ISO 27001 audits
- Edit/delete per asset
- localStorage persistence (same pattern as compliance_scope)
Types: InformationAsset, AssetCategory, AssetClassification,
ProtectionLevel interfaces + label/color maps
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Drittlandtransfers" tab in the Vendor Compliance sidebar:
- Aggregates all vendor processing locations with non-EU countries
- Traffic light system: green (EU/adequacy), yellow (SCC exists),
red (no transfer mechanism)
- Stats cards: total, EU+adequate, third-country, action required
- Filter by status (all/OK/review/action required)
- Table with vendor name, country, mechanism, SCC status, TIA status
- "TIA erstellen" link to Document Generator for third-country vendors
- Help text explaining Schrems II / Art. 46 DSGVO requirements
Uses existing data model — no new API endpoints or DB tables needed:
- vendor_vendors.processingLocations (isEU, isAdequate)
- vendor_vendors.transferMechanisms
- vendor_contracts.documentType = 'SCC'
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New RecommendedDocuments component shown above the template library:
- Evaluates scope answers + compliance level (L1-L4)
- Groups templates into required/recommended/optional
- Shows profile label (Startup/KMU/Extended/Enterprise)
- Cards link to actual templates — click opens in generator
- Optional section collapsed by default
- Only visible when scope has been completed
Renders as purple gradient panel with grid cards, each showing
template name and availability status.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New templates for the Vendor Compliance module:
- 105: Transfer Impact Assessment (TIA) — Schrems II risk assessment
with country evaluation, government access assessment, supplementary
measures, risk matrix, and go/conditional/deny decision
- 105: SCC Companion Document — annexes to EU Decision 2021/914
(module selection C2C/C2P/P2P/P2C, party details, data description,
TOMs, sub-processor list)
Template recommendations: SCC+TIA triggered by tech_third_country answer
Generator: New "Drittlandtransfer" category
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Phase 3 of the Document Templates Masterplan:
- 103: 4 new security policies (information_security_policy, password_policy,
encryption_policy, access_control_policy) + updates for CRA (056) and
all 15 HR/Vendor/BCM policies (072)
New templates:
- Information Security Policy: ISMS-Leitlinie (ISO 27001, BSI, NIS2)
- Password Policy: BSI/NIST compliant (12+ chars, MFA, no forced rotation)
- Encryption Policy: BSI TR-02102, algorithms, key management, TLS config
- Access Control Policy: RBAC, Least Privilege, Zero Trust, rezertification
Updates: AI Act + NIS2UmsuCG references for CRA and all 15 HR/Vendor/BCM
Generator: 6 new categories (security, HR, data, vendor, BCM policies)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Dockerfile: install Playwright AS appuser (not root) so chromium
binary is accessible at runtime. Was causing 500 error.
2. DSE service matching: text-search fallback when LLM extraction fails.
If "etracker" appears in DSE text, mark as documented even without
LLM parsing the service list.
3. CMP skip: consent managers in category "cmp" skipped (not just "other"
with id "cmp").
NOT DEPLOYED — RAG pipeline is running.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New /website-scan endpoint in consent-tester service:
- Real browser renders JavaScript (finds dynamic content)
- Clicks navigation menus (discovers hidden sub-pages like IHK DSB page)
- Follows links within DSE to find regional privacy policies
- Collects rendered HTML for each page (after JS execution)
Backend integration:
- agent_scan_routes tries Playwright first, falls back to httpx
- DSE text and HTML extracted from Playwright-rendered pages
- Service detection runs on rendered HTML (catches JS-loaded scripts)
Also fixes:
- GA regex: G-[A-Z0-9]{8,12} prevents CSS class false positives
- etracker added to service registry
- External page scanning blocked (same-domain only)
- CSS/JS/image files excluded from page list
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. GA regex: G-\w{5,} matched CSS classes (g-7031048). Now requires
G-[A-Z0-9]{8,12} (uppercase after G-, 8-12 chars = real GA4 ID)
2. External page scanning: DSE-internal links now SAME DOMAIN only.
Previously followed links to etracker.com, google.de/policies etc.
and detected services on THOSE sites as IHK services.
3. Added etracker to service registry (DE, ePrivacy-certified)
4. CSS/JS/image files excluded from page scanning
5. Navigation-pattern links for deeper DSE sub-pages
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mandatory_content_checker.py keywords break with alternative formulations.
Solution: LLM-based check per mandatory field (9 calls, parallelizable).
For other session to implement alongside Dict→Control migration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. DSE-Matcher: Google/YouTube false match — now requires 2+ word match
for provider-name fallback, not just "Google" matching YouTube section
2. AGB/Widerrufsbelehrung: only_ecommerce flag — skips for non-shop
websites (detected via payment providers, cart keywords)
3. DSE-internal link following — scanner now discovers links WITHIN the
privacy policy and scans those too (finds regional DSE sub-pages)
4. Expanded keyword synonyms for DSE mandatory checks:
- "Zweck und Rechtsgrundlage" now matches "zwecke"
- "behoerdlichen datenschutzbeauftragt" matches DSB
- "aufsichtsbehörde" with umlaut matches
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8 test cases with deliberately wrong legal basis assignments:
- Cookie tracking on lit. f (should be lit. a)
- Analytics on lit. b (should be lit. a)
- Newsletter on lit. f (should be lit. a)
- Klarna without Art. 22
- Session recording on lit. f
- 2 correct cases (should NOT trigger findings)
Runs both hardcoded dict AND Control Library query, compares results.
If Control Library passes all → dict can be removed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Benjamin Admin