- RegulationsPanel: added enable/disable toggles per regulation
- ScopeDecisionTab: passes enabledModules + onToggleModule
- Scope page: auto-enables all applicable regulations when loaded
- Modules step: isOptional=true, moved to Zusatzmodule
- Requirements: now depends on compliance-scope, not modules
- Source-policy: now depends on use-case-assessment, not modules
Flow: Profile → Scope → Scope-Decision shows applicable regulations
with toggles → Requirements derived from enabled regulations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document Workflow:
- "Als Version speichern" button in Document Generator preview
- Creates document + version via /legal-documents/documents API
- Saved documents appear in /sdk/workflow module
- Status indicator (saving/saved/error) in toolbar
Email Consolidation:
- consent-management Emails tab now redirects to /sdk/email-templates
- Single source of truth for all email templates
- Old tab replaced with redirect card explaining the change
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New DSRArt11Service: handles rejection with proper legal basis,
automated email notification to requester explaining Art. 11
- POST /dsr/{id}/reject-art11 endpoint
- ActionButtons.tsx: "Nicht identifizierbar (Art. 11)" button
shown when identity is not yet verified
- Also fixes: DSR export type-cast rollback handling
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- DSRExportService: aggregates all CMP data about a user from
Banner Consents, Einwilligungen, Audit Trail, DSR History
- GET /dsr/{id}/export-user-data?format=json|csv|pdf endpoint
- PDF: A4 reportlab with 4 sections (Consents, Einwilligungen,
Audit-Trail, DSR-Anfragen) + cover page
- CSV: BOM-encoded for Excel with flattened data rows
- JSON: structured export with all data categories
- ActionButtons.tsx: PDF/JSON/CSV export buttons now functional
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New /sdk/rollenkonzept/ module with 3 tabs (Rollen, Zuordnung, Reviews)
- 7 standard compliance roles (DSB, GF, IT-Leiter, HR, Marketing, Compliance, Einkauf)
- Inline role editing with test email via Mailpit
- Document-to-role mapping table (editable per tenant)
- Review list with status filters and approve/reject workflow
- ReviewAssignmentPanel in Document Generator preview tab
- "Zur Pruefung senden" button creates reviews + sends notification emails
- Approval notification sent to all affected roles after document sign-off
- Sidebar navigation link added
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Migration 111: 3 new tables (org_roles, document_reviews, document_role_mapping)
with seed data mapping all 71 doc types to 7 compliance roles
- org_role_routes.py: CRUD for roles, seed defaults, test email, mapping API
- document_review_routes.py: Review lifecycle (create→send→approve/reject)
with approval notification to all affected roles
- Migration 112: SOP template (ISO 9001 structure, 21 placeholders)
- Added standard_operating_procedure to TemplateType, doc-labels, presets
[migration-approved]
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Split presets into interface + data files (500-line budget)
- Extract DOC_LABELS into doc-labels.ts with all 71 template types
- Add 3 new presets: Cloud/SaaS-Anbieter, Finanzdienstleister, Plattform
- Expand Enterprise preset to 48 docs (full ISMS + BCM + DSR)
- Every template type appears in at least one preset
- ISO references verified: citations only, no copyrighted standard text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every preset now includes DSGVO-mandatory docs (TOM, VVT, Löschkonzept)
plus Cookie-Banner/Policy, Mitarbeiter-DSI, Bewerber-DSI, and
industry-specific extras (DSFA, Whistleblower, ISMS, TIA, etc.).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- X button to close banner (SDK admin context only)
- Overlay leaves sidebar area accessible (ml-16/ml-64)
- Click overlay backdrop to dismiss
- Preview page: close banner on API error (don't trap user)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Presets were only visible after entering a project. Now they appear
on the /sdk landing page where users first see their project list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Browser blocks direct calls to backend-compliance:8093 due to
self-signed SSL certificate. All banner API calls now go through
Next.js API proxy at /api/sdk/v1/banner/* which runs server-side.
- New catch-all proxy: /api/sdk/v1/banner/[[...path]]/route.ts
Maps to backend-compliance:8002/api/compliance/banner/*
- Preview page: uses /api/sdk/v1/banner/ instead of https://macmini:8093
- CMP Dashboard: uses proxy for banner stats + compliance proxy for DSR/einwilligungen
- Fixes: banner not closeable due to API errors, consent not saving
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New route /sdk/cmp with full CMP dashboard
- 4 KPI cards: total consents, active consents, open DSR requests, configured sites
- Cookie category acceptance bars (necessary/statistics/marketing/functional)
- DSR breakdown: by status, by type (Art. 15-21), avg processing time, overdue count
- 9-point compliance checklist (banner, DSE, impressum, Art.7 proof, DSR, loeschfristen,
vendor AVV, email templates, EWR-only mode) — each links to relevant module
- 8 module cards with icons linking to all CMP sub-modules
- Real API integration: /banner/admin/stats, /einwilligungen/consents/stats, /dsr/stats
- Dashboard link added as first entry in CMP sidebar section
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previously hidden when a company profile existed, but users with
existing test projects couldn't see the feature.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When selecting an industry preset on the SDK dashboard, a categorized
document preview panel now appears showing which documents will be
generated (Website, Vertraege, HR, Compliance, etc.).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CMP Section in Sidebar:
- New "CMP" group with purple accent, above other module sections
- Links: Cookie-Banner, Live-Vorschau, Consent-Records, Consent-Verwaltung,
Vendor-Compliance, DSR Portal, Loeschfristen, E-Mail-Templates
Live Preview (/sdk/cookie-banner/preview):
- Simulated "MusterShop GmbH" website with full cookie banner
- Real API calls to POST /banner/consent (saves to DB)
- EWR-Only toggle functional in preview
- API Debug panel shows fingerprint, consent status, blocked vendors
- Response JSON viewer for API debugging
- Links to verify in Consent-Verwaltung, Consent-Records, DSR Portal
- "Consent zuruecksetzen" button to re-test
- Footer "Cookie-Einstellungen" link to reopen banner
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Presets now shown on the SDK start page (/sdk) as a card grid
between header and stats — only when companyName is empty.
Click navigates to /sdk/company-profile?preset={id}.
Reverted company-profile/page.tsx to original state (no preset
logic there — the dashboard is the right place for discovery).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows preset cards before the wizard when the profile is empty:
- 10 industry presets (SaaS, Consumer App, E-Commerce, IT-Agentur,
Maschinenbau, Rechtsanwalt, Arztpraxis, Handwerk, Bildung, Enterprise)
- Each with icon, label, and description
- Click prefills: legalForm, industry, businessModel, companySize,
employeeCount, country, targetMarkets, dataController/Processor
- "Manuell ausfuellen" skip option
- Only shown when companyName is empty (fresh start)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Deleted 6 unused components from /sdk/einwilligungen/cookie-banner/_components/
- Replaced page.tsx with Next.js redirect() to /sdk/cookie-banner
- Updated EinwilligungenNavTabs link to /sdk/cookie-banner
- Updated catalog page link to /sdk/cookie-banner
- Single source of truth: /sdk/cookie-banner (Step in "Rechtliche Texte")
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migration 110: Updated descriptions and version for 12 previously
unreviewed templates (asset_management, backup, change_management,
cloud_security, devsecops, incident_response, logging, patch_management,
secrets_management, vulnerability_management, informationspflichten,
verpflichtungserklaerung).
All templates assessed as "Very Good" quality — only incremental
updates needed (AI Act, CRA, NIS2UmsuCG references in descriptions).
informationspflichten: Kept as separate compact checklist (distinct
from the full privacy_policy DSI template).
verpflichtungserklaerung: Kept as standalone HR document (employee
signs at onboarding). Added to HR & Mitarbeiter category.
Result: 88 templates, 44 at v1.1+, 0 unreviewed remaining.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- All 4 categories with toggles visible on first layer (no "Einstellungen" step)
- Removed showSettings state — single-view banner
- EWR toggle + info button in header, always visible
- Two equal-weight buttons: "Alle akzeptieren" + "Auswahl speichern"
- "Nur notwendige" as text link below (not hidden, but less prominent)
- Vendor tables expandable per category via chevron
- DSK OH Telemedien 2022 + CNIL 2020 compliant layout
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Game-changing CMP feature: Users accept a category (e.g. Marketing) but
can restrict data processing to EU/EWR-only vendors. Non-EWR vendors are
blocked even when the category is accepted.
- Toggle "Nur EU/EWR-Anbieter" with globe icon in blue gradient bar
- Blocked vendors shown as red pills with strikethrough icon
- Per-vendor status icons: green checkmark (active), red slash (blocked),
gray dash (category disabled)
- Country column: green circle+check for EWR, amber warning for non-EWR
- EWR = EU27 + IS/LI/NO + CH (Angemessenheitsbeschluss)
- Vendor data extracted to cookie-banner-vendors.ts (under 500 LOC)
- Consent state includes ewrOnly flag + blockedVendors list
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend: _ensure_list() converts null/string/malformed JSONB to []
for requirements, test_procedure, evidence, open_anchors, tags.
Frontend: defensive Array.isArray() check on ControlDetail.tsx.
Fixes: TypeError: A.requirements.map is not a function
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- CookieBannerOverlay: shows vendors per category with expandable tables
(Verarbeiter, Cookies, Dauer, Land) for full transparency
- Demo vendors: 4 necessary, 3 statistics, 3 marketing, 3 functional
- cookie_table_generator.py: renders {{COOKIE_TABLE}} Markdown tables
from vendor configs (DB) or service registry (fallback)
- SERVICE_COOKIES: 16 known vendor-to-cookie mappings with provider + country
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Impressum link mandatory in banner (§5 TMG)
2. Pre-ticked prevention: only "required" categories pre-enabled (Planet49)
3. Cookie-Settings reopen link (§7(3) DSGVO — revocation as easy as consent)
4. Script-Blocking: data-cookie-category + type="text/plain" pattern
Scripts only execute AFTER user consents to that category
5. Buttons already equal size (flex:1) — verified correct
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows: Impressum link ✓/✗, DSE link ✓/✗, plus violation cards for
wrong DSE consent wording, pre-ticked checkboxes, dark patterns,
missing reject button, no settings re-access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tests each consent category in isolation:
- Phase D: Only "Statistics" enabled → checks if only analytics loads
- Phase E: Only "Marketing" enabled → checks if only ads load
- Phase F: Only "Functional" enabled → checks no tracking loads
CMP-specific category selectors for Cookiebot, OneTrust, Usercentrics,
Didomi. Generic fallback via toggle/checkbox keyword detection.
SERVICE_CATEGORY_MAP maps 35+ services to expected categories.
Violations: "Facebook Pixel loads with only Statistics enabled" = miscategorization.
Frontend: category test results shown below Phase A-C with
per-category violation cards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
legalHolds can be a JSONB object {} instead of an array [], so
the || [] fallback wasn't sufficient. Array.isArray handles all
edge cases (null, undefined, object, string).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getActiveLegalHolds() crashed with "e.legalHolds.filter is not a
function" when legalHolds was null/undefined (e.g. old DB entries
without the JSONB field). Added fallback to empty array.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VVT and Loeschfristen pages imported STEP_EXPLANATIONS as a named
export from StepHeader.tsx, but it was only imported (not re-exported).
This caused "Cannot read properties of undefined (reading 'vvt')"
at runtime. Adding the re-export fixes both pages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Results (https://macmini:3007):
- sdk-module-reachability: 40/42 (loeschfristen+vvt pre-existing bugs)
- vendor-transfers: 4/4
- isms-assets: 3/3
- document-generator: 3/4 (category label mismatch)
Added: playwright-live.config.ts (no webServer, live instance testing)
Test data NOT cleaned up — profiles persist for manual review.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New E2E test specs:
- sdk-module-reachability: Tests 40+ SDK routes for 404/crash
- scope-profiling: Three customer profiles (Startup/KMU/Enterprise)
with screenshots at each step — data NOT cleaned up
- document-generator: Template library, categories, recommendations
- vendor-transfers: Transfer tab, explanations, adequacy list
- isms-assets: Asset register tab, form, CRUD
All tests configured to run against https://macmini:3007
Screenshots saved to e2e/test-results/ for manual review
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The SECTION_FIELDS object was prematurely closed before the TOM and DPA
sections, causing a build-time syntax error. Removed the extra closing
brace so TOM and DPA fields are correctly inside the object.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Benjamin Admin