Deterministic pass/fail stays unchanged. After keyword checking,
ONE batched LLM call enriches the top 10 severity FAILs with
context-specific recommendations based on the actual document.
Example: If document uses Google Analytics but lacks transfer
mechanism → LLM generates: "Sie nutzen Google Analytics (USA).
Ergaenzen Sie einen Verweis auf das EU-US Data Privacy Framework
und pruefen Sie die DPF-Zertifizierung unter dataprivacyframework.gov."
- Pass/fail: deterministic (keyword matching, reproducible)
- Hint enrichment: LLM (contextual, one call for all fails)
- Temperature 0.3 for consistency
- Graceful fallback if Ollama unavailable
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaced LLM-based MC verification with deterministic keyword matching:
- Extracts keywords from pass_criteria/fail_criteria
- Matches against document text via regex (case-insensitive)
- PASS if >= 60% of criteria keywords found AND no fail_criteria triggered
- Same text + same MCs = same result every time
Checks ALL MCs for the doc_type (max_controls=0):
- DSE: all 571 controls checked in <1 second
- Impressum: all 75 controls
- Cookie: all 381 controls
No LLM calls needed — purely deterministic keyword matching.
Bigram extraction for compound terms (e.g. "standardvertragsklauseln").
Stop word filtering for German legal text.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewritten rag_document_checker.py to use doc_check_controls table
instead of generic canonical_controls. Each MC has:
- check_question: binary YES/NO for LLM
- pass_criteria: JSONB list of concrete requirements
- fail_criteria: JSONB list of common mistakes
Flow: Regex checks (fast) → LLM verify FAILs → MC deep check (15 per doc)
MC results appear as additional L2 checks in the report.
Coverage: 571 DSE, 381 Cookie, 309 Loeschkonzept, 153 Widerruf,
147 DSFA, 125 AVV, 113 AGB, 75 Impressum = 1.874 total.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All elements exist twice on the preview page (desktop + mobile or
banner + page content). Using .first() avoids strict mode violations.
Also extracted goToPreview() and acceptAll() helpers for DRY.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extra waitForTimeout(3000) pro Test verdoppelte Laufzeit und verursachte
mehr Timeouts. Zurueck zum funktionierenden Ansatz: goTo wartet auf h1
+ 2s, dann 20s toBeVisible Timeout pro Assertion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Die letzten 3 Schwingarm-Failures kommen weil die Overview-Seite 2
parallele API-Fetches (project + risk-summary) braucht bevor der
Content rendert. goTo wartet auf h1, aber die h2-Sektionen
(Risikozusammenfassung, Schnellzugriff) rendern erst danach.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause der 16 overview-Failures: goTo kehrte zu frueh zurueck weil
nav sofort sichtbar ist (SSR), aber der Main-Content (Projektstatus etc.)
erst nach API-Fetch rendert. Jetzt wartet goTo auf h1 (das erst nach
dem project-Fetch erscheint) + 1s Buffer.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
networkidle times out on CMP pages that poll API endpoints.
domcontentloaded + 1s wait is sufficient for page rendering.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
"impressum" was missing from DSI_KEYWORDS despite being listed in
the docstring. This caused /impressum URLs to skip self-extraction
and return linked datenschutz text instead.
Added: DE: impressum, anbieterkennzeichnung, kontakt
EN: imprint, legal notice, site notice, legal information
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When checking impressum/agb/widerruf, the DSI discovery would follow
links away from the page and return the wrong document (e.g.
/impressum → finds link to /datenschutz → returns datenschutz text).
Now: for non-DSE doc_types, prefer the html_full_page document
(self-extracted from the actual URL the user provided) over linked
pages found by the crawler.
Fixes safetykon.de/impressum returning datenschutz text.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5 verification layers added to the 3-phase banner test:
1. DataLayer/GTM Interception: Proxy on window.dataLayer captures
all push() events. Distinguishes safe lifecycle events (gtm.js,
gtm.dom) from tracking events (page_view, conversion, purchase).
Flags tracking events before consent as violations.
2. localStorage/sessionStorage Monitoring: Intercepts setItem() to
detect tracking keys (_ga, _fbp, amplitude, mixpanel, etc.)
written before consent.
3. Google Consent Mode v2 Runtime Verification: Reads actual GCM
state (analytics_storage, ad_storage) per phase. Verifies
default=denied before consent, stays denied after reject,
switches to granted after accept.
4. TCF v2.2 State: Reads __tcfapi('getTCData') if available.
Verifies consent purpose states match user choice.
5. Cookie Attribute Analysis: Domain (1st vs 3rd party), expires
(>13 months), secure flag for tracking cookies.
10 new L2 checks with expert hints (EDPB, CNIL, §25 TDDDG).
All interceptor calls wrapped in try/except for graceful fallback.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
20 checks were defaulting to PASS when no violation was found,
even if the scanner couldn't actually test them. Now:
- Phase-based checks (tracking/cookies): absence = PASS (correct)
- UI checks: only PASS if banner_checks actually ran
- If banner not detected: everything except banner_detected = FAIL
This prevents false 100% scores when violations exist but the
text→code mapping doesn't cover them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The consent-tester produces violations without a 'code' field — only
text, severity, service. The runner now infers check_keys from the
violation text content (36 text→code mappings). This fixes the 100%
false-pass for safetykon.de which had 3 real violations (impressum,
re-access, color contrast dark pattern) that were silently ignored.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both DocCheckTab and BannerCheckTab now:
- Store full scan results per history entry in localStorage
- History entries are clickable — loads the saved result immediately
- No need to re-scan to see old results
- Fallback to last result if specific entry not found
- Banner-Check sends HTML email report to mailpit
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. localStorage Persistenz: URL, letztes Ergebnis, Historie (30 Eintraege)
2. Historie: Zeigt URL, Datum, Provider, Violations, Prozent
3. Letztes Ergebnis bleibt nach Tab-Wechsel/Reload sichtbar
4. E-Mail-Report: HTML-formatiert mit Violations + Hints an mailpit
5. Email-Status Anzeige im Frontend
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add OSHA 29 CFR 1910 Subpart O and harmonised norms to competence area
- Soften escalation rule: harmless info questions get a short answer
instead of full rejection. Only sensitive/legal-advice questions
get declined with referral to lawyer.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Explains why companies must buy norms their own employees wrote,
and the 2024 EuGH ruling that harmonised standards are EU law
and must be freely accessible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add withdrawn/valid_until/replaced_by to Norm interface
- Add Status filter (Aktiv/Zurueckgezogen) — defaults to "Aktiv"
- Withdrawn norms hidden by default, viewable via filter
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PROBLEM: Cobot-Projekt hatte 52 Pressen-Hazards weil Keywords wie
"stempel" und "stoessel" ohne Maschinentyp-Kontext matchten.
FIX an 3 Stellen:
1. KeywordEntry.MachineTypes — Pressen-Keywords nur fuer press/*_press
2. ParseNarrative(text, machineType) — Parser laedt Maschinentyp aus Projekt
3. HazardPattern.MachineTypes — Pressen-Patterns (HP045-HP058) nur fuer Pressen
Verhindert zukuenftig falsche Zuordnungen bei neuen Kundenprojekten.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The /banner-check endpoint is synchronous (Playwright completes in
<30s and returns result directly). Removed unused async polling loop
that would never match since no scan_id is returned.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Explains current status: no harmonised standards published under
(EU) 2023/1230 yet, ~800 from old directive still valid. Timeline
from June 2023 to January 2027 full application.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GetLineDashboard called GetLatestAssessment per hazard (N+1 queries).
Replaced with GetLatestAssessmentsByProject — one batch query per
station instead of one per hazard. With 50+ hazards across multiple
stations, this reduces hundreds of DB queries to ~5.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Benjamin Admin