/**
 * VVT baseline catalogue — Support & IT Operations.
 *
 * Each entry is a `BaselineTemplate` that seeds one record of processing
 * activities (VVT) for a business function: purposes, legal bases, data and
 * recipient categories, a retention rule and the technical/organisational
 * measures (TOMs). The values are starting points for the controller to
 * adapt, not a legal assessment.
 */
import type { BaselineTemplate } from './types'

/** Art. 6(1)(b) GDPR — processing necessary for performance of a contract. */
const ART_6_1_B = 'Art. 6 Abs. 1 lit. b DSGVO'

/** Art. 6(1)(f) GDPR — legitimate interest of the controller. */
const ART_6_1_F = 'Art. 6 Abs. 1 lit. f DSGVO'

/**
 * Customer service / ticketing: handling of customer requests and
 * support tickets. This is the only template in this file that also records a
 * statutory basis (`legalBasis`) for the retention period itself; the IT
 * templates leave that field unset, so it is presumably optional — confirm
 * against `BaselineTemplate`.
 */
const supportTicketsystem: BaselineTemplate = {
  templateId: 'support-ticketsystem',
  businessFunction: 'support',
  name: 'Kundenservice / Ticketsystem',
  description: 'Bearbeitung von Kundenanfragen und Support-Tickets',
  purposes: ['Kundenservice', 'Reklamationsbearbeitung', 'Vertragserfuellung'],
  legalBases: [
    { type: 'CONTRACT', description: 'Kundenvertrag', reference: ART_6_1_B },
  ],
  dataSubjectCategories: ['CUSTOMERS', 'APP_USERS'],
  personalDataCategories: ['NAME', 'CONTACT', 'CONTRACT_DATA', 'COMMUNICATION_DATA'],
  recipientCategories: [
    { type: 'INTERNAL', name: 'Support-Team' },
    { type: 'PROCESSOR', name: 'Helpdesk-Software-Anbieter' },
  ],
  retentionPeriod: {
    duration: 3,
    durationUnit: 'YEARS',
    description: '3 Jahre nach Ticketschliessung',
    legalBasis: 'BGB § 195',
    deletionProcedure: 'Automatische Loeschung geschlossener Tickets',
  },
  tomDescription: 'Zugriffskontrolle nach Ticket-Owner, Verschluesselung, Audit-Trail',
  structuredToms: {
    accessControl: ['Ticket-basierte Zugriffskontrolle', 'Agent-Rollen'],
    confidentiality: ['TLS', 'Verschluesselung'],
    integrity: ['Ticket-Historie unveraenderbar'],
    availability: ['Hochverfuegbarer Helpdesk'],
    separation: ['Mandantentrennung'],
  },
  typicalSystems: ['Helpdesk-Software', 'E-Mail', 'Chat'],
  protectionLevel: 'MEDIUM',
  dpiaRequired: false,
  tags: ['support', 'kundenservice', 'tickets'],
}

/** Baseline templates for the `support` business function. */
export const SUPPORT_VVT_TEMPLATES: BaselineTemplate[] = [supportTicketsystem]

/**
 * System administration: management of IT systems, user accounts and access
 * rights. Retention is tied to account deactivation rather than to a fixed
 * calendar period.
 */
const itSystemadministration: BaselineTemplate = {
  templateId: 'it-systemadministration',
  businessFunction: 'it_operations',
  name: 'Systemadministration',
  description: 'Verwaltung von IT-Systemen, Benutzerkonten und Zugriffsrechten',
  purposes: ['IT-Betrieb', 'Benutzerverwaltung', 'Sicherheitsueberwachung'],
  legalBases: [
    { type: 'LEGITIMATE_INTEREST', description: 'IT-Sicherheit', reference: ART_6_1_F },
    { type: 'CONTRACT', description: 'Bereitstellung IT-Dienste', reference: ART_6_1_B },
  ],
  dataSubjectCategories: ['EMPLOYEES', 'APP_USERS'],
  personalDataCategories: ['NAME', 'CONTACT', 'LOGIN_DATA', 'IP_ADDRESS', 'DEVICE_ID'],
  recipientCategories: [
    { type: 'INTERNAL', name: 'IT-Abteilung' },
    { type: 'PROCESSOR', name: 'IT-Dienstleister' },
  ],
  retentionPeriod: {
    duration: 1,
    durationUnit: 'YEARS',
    description: '1 Jahr nach Kontodeaktivierung',
    deletionProcedure: 'Automatische Loeschung deaktivierter Konten',
  },
  tomDescription: 'PAM, MFA, Protokollierung, regelmaessige Rechtereviews',
  structuredToms: {
    accessControl: ['PAM (Privileged Access Management)', 'MFA', 'Regelmaessige Rechtereviews'],
    confidentiality: ['Verschluesselung', 'Passwort-Policies'],
    integrity: ['Change Management', 'Konfigurationsmanagement'],
    availability: ['Redundanz', 'Monitoring', 'Alerting'],
    separation: ['Prod/Dev/Staging getrennt', 'Admin-Netze isoliert'],
  },
  typicalSystems: ['Active Directory / IAM', 'Monitoring', 'ITSM'],
  protectionLevel: 'MEDIUM',
  dpiaRequired: false,
  tags: ['it', 'admin', 'benutzerverwaltung'],
}

/**
 * Backup & recovery: backup and restoration of data and systems. The legal
 * basis additionally cites Art. 32 GDPR (security of processing), since
 * backups are themselves a security measure.
 */
const itBackup: BaselineTemplate = {
  templateId: 'it-backup',
  businessFunction: 'it_operations',
  name: 'Backup & Recovery',
  description: 'Sicherung und Wiederherstellung von Daten und Systemen',
  purposes: ['Datensicherung', 'Disaster Recovery', 'Geschaeftskontinuitaet'],
  legalBases: [
    {
      type: 'LEGITIMATE_INTEREST',
      description: 'Datensicherheit',
      reference: `${ART_6_1_F}, Art. 32 DSGVO`,
    },
  ],
  dataSubjectCategories: ['EMPLOYEES', 'CUSTOMERS'],
  personalDataCategories: ['NAME', 'CONTACT', 'CONTRACT_DATA'],
  recipientCategories: [
    { type: 'PROCESSOR', name: 'Backup-Dienstleister' },
    { type: 'INTERNAL', name: 'IT-Abteilung' },
  ],
  retentionPeriod: {
    duration: 90,
    durationUnit: 'DAYS',
    description: '90 Tage Aufbewahrung der Backups',
    deletionProcedure: 'Automatische Rotation und Loeschung',
  },
  tomDescription: 'Verschluesselung, Zugriffskontrolle, regelmaessige Wiederherstellungstests',
  structuredToms: {
    accessControl: ['Nur Backup-Admins', 'Separater Encryption Key'],
    confidentiality: ['AES-256-Verschluesselung', 'Verschluesselter Transport'],
    integrity: ['Checksummen-Pruefung', 'Regelmaessige Restore-Tests'],
    availability: ['3-2-1-Backup-Regel', 'Georedundanz'],
    separation: ['Backup-Netzwerk isoliert'],
  },
  typicalSystems: ['Backup-Software', 'Cloud-Storage'],
  protectionLevel: 'MEDIUM',
  dpiaRequired: false,
  tags: ['it', 'backup', 'recovery'],
}

/**
 * Logging: collection of system and security logs for troubleshooting and
 * attack detection.
 *
 * NOTE(review): only the 90-day default is machine-readable in
 * `retentionPeriod`; the 1-year period for security logs exists solely in the
 * free-text description, so any consumer that reads `duration` will see 90
 * days for both — confirm whether a separate entry is intended.
 */
const itLogging: BaselineTemplate = {
  templateId: 'it-logging',
  businessFunction: 'it_operations',
  name: 'Protokollierung & Logging',
  description: 'Erfassung von System- und Sicherheitslogs zur Fehlerbehebung und Angriffserkennung',
  purposes: ['IT-Sicherheit', 'Fehlerbehebung', 'Angriffserkennung'],
  legalBases: [
    { type: 'LEGITIMATE_INTEREST', description: 'IT-Sicherheit und Betrieb', reference: ART_6_1_F },
  ],
  dataSubjectCategories: ['EMPLOYEES', 'APP_USERS', 'WEBSITE_USERS'],
  personalDataCategories: ['IP_ADDRESS', 'LOGIN_DATA', 'USAGE_DATA', 'DEVICE_ID'],
  recipientCategories: [
    { type: 'INTERNAL', name: 'IT-Sicherheit' },
    { type: 'PROCESSOR', name: 'SIEM-Anbieter' },
  ],
  retentionPeriod: {
    duration: 90,
    durationUnit: 'DAYS',
    description: '90 Tage (Standard) / 1 Jahr (Security-Logs)',
    deletionProcedure: 'Automatische Rotation',
  },
  tomDescription: 'SIEM, Integritaetsschutz der Logs, Zugriffskontrolle, Pseudonymisierung',
  structuredToms: {
    accessControl: ['Nur Security-Team', 'Read-Only fuer Auditoren'],
    confidentiality: ['Pseudonymisierung wo moeglich'],
    integrity: ['WORM-Storage fuer Security-Logs', 'Hashketten'],
    availability: ['Redundante Log-Speicherung'],
    separation: ['Zentrale Log-Infrastruktur getrennt'],
  },
  typicalSystems: ['SIEM', 'ELK Stack', 'Syslog'],
  protectionLevel: 'MEDIUM',
  dpiaRequired: false,
  tags: ['it', 'logging', 'sicherheit'],
}

/**
 * Identity & access management: identities, authentication and authorisation.
 * This is the only template here rated `HIGH`, while `dpiaRequired` stays
 * false — presumably because login data alone is not on the organisation's
 * DPIA threshold list; verify that assumption when adopting the template.
 */
const itIam: BaselineTemplate = {
  templateId: 'it-iam',
  businessFunction: 'it_operations',
  name: 'Identity & Access Management',
  description: 'Verwaltung von Identitaeten, Authentifizierung und Autorisierung',
  purposes: ['Zugriffskontrolle', 'Identitaetsverwaltung', 'Compliance'],
  legalBases: [
    { type: 'LEGITIMATE_INTEREST', description: 'IT-Sicherheit', reference: ART_6_1_F },
    { type: 'CONTRACT', description: 'Bereitstellung IT-Dienste', reference: ART_6_1_B },
  ],
  dataSubjectCategories: ['EMPLOYEES', 'APP_USERS'],
  personalDataCategories: ['NAME', 'CONTACT', 'LOGIN_DATA'],
  recipientCategories: [
    { type: 'INTERNAL', name: 'IT-Abteilung' },
    { type: 'PROCESSOR', name: 'IAM-Anbieter' },
  ],
  retentionPeriod: {
    duration: 6,
    durationUnit: 'MONTHS',
    description: '6 Monate nach Kontodeaktivierung',
    deletionProcedure: 'Automatische Deprovisionierung',
  },
  tomDescription: 'MFA, SSO, regelmaessige Access Reviews, Least-Privilege-Prinzip',
  structuredToms: {
    accessControl: ['MFA', 'SSO', 'Least Privilege', 'Regelmaessige Reviews'],
    confidentiality: ['Passwort-Hashing (bcrypt)', 'Token-basierte Auth'],
    integrity: ['Audit-Trail aller Aenderungen'],
    availability: ['Hochverfuegbarer IdP'],
    separation: ['Identitaeten pro Mandant'],
  },
  typicalSystems: ['IAM-System', 'SSO Provider', 'MFA'],
  protectionLevel: 'HIGH',
  dpiaRequired: false,
  tags: ['it', 'iam', 'zugriffskontrolle'],
}

/** Baseline templates for the `it_operations` business function, in catalogue order. */
export const IT_OPERATIONS_VVT_TEMPLATES: BaselineTemplate[] = [
  itSystemadministration,
  itBackup,
  itLogging,
  itIam,
]