Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2677bca9ca4879bee5eb2f01c28dfc477a9dbd7f
breakpilot-compliance/consent-tester/routes_audit_walk.py
T
Benjamin Admin b16130369a feat(b17): Stufe 4 banner-tour + Stufe 5 annotierte Screenshots + V2-default 
Stufe 4 — Cookie-Banner-Tour vor dem Accept-Klick:
  - audit_walk_banner_tour.tour_cookie_banner(): öffnet Settings
    (16 Phrase-Varianten), scrollt vertikal, aktiviert jedes
    [role=tab], expandet jedes [aria-expanded=false] / details /
    summary + 14 CMP-spezifische Selektoren. Max 35 Klicks,
    Best-Effort.
  - audit_walk_recorder ruft tour_cookie_banner() VOR
    _try_accept_banner auf — Reviewer sieht den vollen Consent-
    Katalog im Video (Vendor-Liste, Kategorien, Zwecke).
  - Recorder unter 500 LOC (412+155 split).

Stufe 5 — Annotierte Screenshots pro Finding:
  - finding_annotator.annotate_url(): WebKit headless, JS-Inject
    eines rot-banner-Labels oben + roter Outline um das Element
    (Selector oder Text-Match).
  - finding_annotator.annotate_findings(): dispatched 3 Cases —
    B1 Tap-Target (Anchor markiert mit "Tap-Target X×Y px"),
    B16 URL-Slug-Drift (404-Seite mit "/<slug> 404"),
    B13 Widerruf (Footer markiert "Widerruf-Link fehlt").
  - routes_audit_walk.POST /annotate-findings (consent-tester).
  - _b17_wiring ruft annotate-findings nach record_audit_walk und
    speichert annotations in walk.annotations.
  - audit_walk_zip_builder packt PNGs nach findings/<name>.png ins
    ZIP — Reviewer hat Beweis-Bilder im Postfach.

Plausibility Circuit-Breaker:
  - Nach 6 consecutive empty batches (PLAUSIBILITY_EMPTY_BUDGET=6)
    bricht die ganze Phase ab statt 200 Calls zu warten. Fix für
    qwen3-down + große DSE-Sites (BMW: ohne Breaker 21min, mit
    Breaker ~3min).

audit_walk_zip_builder fängt walk.annotations ab und legt sie unter
  findings/<fname>.png im ZIP-Anhang ab.

V2-Default:
  - docker-compose.yml backend-compliance.environment.MAIL_RENDER_V2:
    default 'true'. Ohne diesen Override liefert die Engine
    weiterhin das alte Legacy-Mail-Layout, in dem die B-Wiring-
    Blöcke nicht sichtbar sind.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-07 20:44:42 +02:00

69 lines
2.1 KiB
Python
Raw Blame History

"""Routes für Audit-Walk-Recorder (POST /scan-audit-walk + Video-Serve)."""
from __future__ import annotations
import os
from pathlib import Path
from fastapi import APIRouter, HTTPException
from fastapi.responses import FileResponse
from pydantic import BaseModel
from services.audit_walk_recorder import WALK_ROOT, record_audit_walk
from services.finding_annotator import annotate_findings
router = APIRouter()
class AuditWalkReq(BaseModel):
url: str
dwell_s: float = 5.0
max_links: int = 8
class AnnotateReq(BaseModel):
findings: list[dict]
home_url: str
@router.post("/scan-audit-walk")
async def scan_audit_walk(req: AuditWalkReq) -> dict:
if not req.url or not req.url.startswith(("http://", "https://")):
raise HTTPException(400, "invalid url")
walk = await record_audit_walk(
req.url,
dwell_s=max(1.0, min(req.dwell_s, 10.0)),
max_links=max(1, min(req.max_links, 12)),
)
return walk
@router.get("/audit-walks/{walk_id}/video.webm")
async def serve_walk_video(walk_id: str):
# Basic path-traversal guard
if not walk_id.isalnum() or len(walk_id) > 32:
raise HTTPException(400, "invalid walk_id")
path = Path(WALK_ROOT) / walk_id / "video.webm"
if not path.exists():
raise HTTPException(404, "walk video not found")
return FileResponse(str(path), media_type="video/webm")
@router.get("/audit-walks/{walk_id}/walk.json")
async def serve_walk_meta(walk_id: str):
if not walk_id.isalnum() or len(walk_id) > 32:
raise HTTPException(400, "invalid walk_id")
path = Path(WALK_ROOT) / walk_id / "walk.json"
if not path.exists():
raise HTTPException(404, "walk.json not found")
return FileResponse(str(path), media_type="application/json")
@router.post("/annotate-findings")
async def annotate_findings_route(req: AnnotateReq) -> dict:
"""Produce annotated screenshots per finding."""
if not req.home_url.startswith(("http://", "https://")):
raise HTTPException(400, "invalid home_url")
out = await annotate_findings(req.findings, req.home_url)
return {"annotations": out, "count": len(out)}
Reference in New Issue View Git Blame Copy Permalink