Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
1,178 Commits 11 Branches 1 Tag
c771d8ecb94d0e9792777040733b78af2b2f546c
Commit Graph

5 Commits

Author SHA1 Message Date
Benjamin Admin 57c0f940a2 feat(consent+report): P56-P67 Mercedes-Audit-Cycle (Anti-Audit, Phase G Vendors, Cookie-Behavior-Validator + 5 Mail-Polish-Items) [migration-approved]
CI / detect-changes (push) Successful in 11s
Details
CI / branch-name (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m19s
Details
CI / test-go (push) Has been skipped
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / validate-canonical-controls (push) Successful in 16s
Details
CI / loc-budget (push) Failing after 15s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / iace-gt-coverage (push) Has been skipped
Details
CI / test-python-backend (push) Successful in 37s
Details 
P56  Anti-Auditing-Detection als constructive Compliance-Finding (Audit-API-
     Empfehlung statt Anklage, weil Mercedes berechtigt Bots blockiert)
P57  Phase G vendor_details Union mit cmp_vendors -> 42 Anbieter sichtbar
P58  Anti-Audit-Detection robuster (Script-Domain-Check + Settings-spezifisch)
P59  Cookie-Behavior-Validator (4 Layer, 3-Tier-Severity: MEDIUM=Kategorie-
     Mismatch / HIGH=Zweck-Mismatch / CRITICAL=beide=Vorsatz-Indiz)
     + Open Cookie Database (CC0) als Library-Seed (2264 Cookies)
P59b Cookie-Behavior in Banner-Check verdrahtet + Mail-Block (BUGFIX:
     SessionLocal selbst oeffnen, db war im Background-Task nicht im Scope)

Mail-Polish nach Mercedes-Review:
P63  Banner-Footer-Links auch im wb7-link/role=link erkennen (Shadow-DOM-
     Walker label-based statt nur <a href>)
P64  Re-Access-Severity: MEDIUM statt HIGH, wenn Footer "Einstellungen" oder
     Mercedes-typisch existiert; OEM-Footer-Detection (wb7-footer)
P65  Text-Truncation: Word-Boundary statt Zeichen-Cut (kein "einfa"-Bruch
     mehr in Sofortmassnahmen)
P66  GF-Aktionen: Service-Zweck vs Cookie-Zweck explizit erklaert
     (haeufige Verwechslung Marketing/GF: "Akamai-Beschreibung" != Cookie-
     Zweck pro DSK-OH 2024)
P67  Stirring-Finding mit "Verlust-Framing"-Erklaerung + Alt-vs-Neutral-
     Beispiel, statt nur EDPB-Fachbegriff

Compliance-Advisor FAQ (admin agent-core/soul):
  + CNIL/EDPB Top-Bussgelder (Google 100M, Meta 60M, Amazon 35M)
  + Deutsche Praezedenz (LG Muenchen Google Fonts, EuGH Planet49, BGH I ZR 7/16)
  + 4 Risiko-Pfade (Bussgeld/Abmahnung/Sammelklage/NOYB) + Berechnungs-Methodik

Document-Generator Templates: AGB-DE (142), Impressum (140), Widerrufs-
formular-Anlage (143), DSR-Process-Dedup (139), Cookie-Library (144).

Architektur: doc_action_mappings.py + banner_dom_walkers.py +
cookie_behavior_validator.py + vendor_detail_extractor.py rausgezogen,
um die 500-LOC-Caps in agent_doc_check_report.py und
banner_text_checker.py einzuhalten.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-21 06:28:25 +02:00
Benjamin Admin 062d607da9 feat: Scope questions, placeholder mappings, example contexts 
Scope questions (compliance-scope-data.ts):
- 7 new questions: org_has_employees, org_has_social_media,
  org_has_video_conferencing, proc_uses_ai_tools, proc_byod_allowed,
  prod_ugc_platform, org_cert_iso27001

Template recommendations updated:
- employee_dsi/applicant_dsi now triggered by org_has_employees
- ai_usage_policy triggered by proc_uses_ai_tools
- byod_policy triggered by proc_byod_allowed (required when yes)
- social_media_dsi triggered by org_has_social_media
- video_conference_dsi triggered by org_has_video_conferencing
- community_guidelines/terms_of_use triggered by prod_ugc_platform

Placeholder mappings (contextBridge-helpers.ts):
- 30+ new mappings for: whistleblower, video conference, AI policy,
  BYOD, consent, social media, transfer/SCC, DSI fields
- SECTION_COVERS updated for template relevance detection

Example contexts: ai_usage_policy_de, employee_dsi_de,
social_media_dsi_de, tia_de

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-01 13:43:09 +02:00
Benjamin Admin ef8eead513 feat: Adequacy decisions, DPF check, customer guidance for transfers 
New: adequacy-decisions.ts
- Complete list of 15 countries with EU adequacy decisions (Art. 45)
- EU/EEA country set (30 countries)
- getTransferRequirement() — determines SCC/TIA/certification needs
  per country code with human-readable explanations
- US special handling: DPF certification required, check URL included

Updated: transfers/page.tsx
- "Was muss ich tun?" explanation section with 3 options:
  1. Adequacy decision (green) — no action needed
  2. DPF certification (blue, US only) — check dataprivacyframework.gov
  3. SCC + TIA required (amber) — link to Document Generator
- Collapsible adequacy countries table (15 countries with restrictions)
- Schrems II background explanation for customers
- Customer guidance written for non-experts who never heard of TIA/SCC

Updated: templateRecommendations.ts
- SCC+TIA rules now consider DPF certification and adequacy status
- us_dpf_only → SCC/TIA optional (not required)
- adequate_only → SCC/TIA not recommended

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-01 12:57:54 +02:00
Benjamin Admin d942b21354 feat: SCC + TIA templates for third-country transfers 
New templates for the Vendor Compliance module:
- 105: Transfer Impact Assessment (TIA) — Schrems II risk assessment
  with country evaluation, government access assessment, supplementary
  measures, risk matrix, and go/conditional/deny decision
- 105: SCC Companion Document — annexes to EU Decision 2021/914
  (module selection C2C/C2P/P2P/P2C, party details, data description,
  TOMs, sub-processor list)

Template recommendations: SCC+TIA triggered by tech_third_country answer
Generator: New "Drittlandtransfer" category

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-01 10:19:56 +02:00
Benjamin Admin 4ff6050f43 feat: Template recommendation engine — bridges scope to document generator 
Fixes critical gap: 50+ templates were unreachable because the Compliance
Scope Engine only outputs 23 document types, while the database has 70+.

New: templateRecommendations.ts
- 25 template rules that map scope answers to specific templates
- Covers ALL previously orphaned templates (HR-DSI, whistleblower,
  AI policy, BYOD, security policies, community guidelines, etc.)
- Each rule evaluates scope answers + compliance level to determine
  required/recommended/optional status
- Key triggers:
  - employee_count > 0 → employee_dsi, applicant_dsi
  - employee_count >= 50 → whistleblower_policy (HinSchG Pflicht!)
  - ai_usage != none → ai_usage_policy
  - business_model = platform → community_guidelines, terms_of_use
  - cert_target = iso27001 → isms_manual
  - webshop = yes → widerruf

Updated: scopeDefaults.ts
- getRecommendedDocuments() expanded with all 60+ document types
- L1→L4 graduated recommendation (required/recommended/optional)

Updated: _constants.ts
- Consolidated AI governance into internal_policies category

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-05-01 10:12:15 +02:00