Benjamin Admin
57c0f940a2
CI / detect-changes (push) Successful in 11s
CI / branch-name (push) Has been skipped
CI / nodejs-build (push) Successful in 2m19s
CI / test-go (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 16s
CI / loc-budget (push) Failing after 15s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 37s
P56 Anti-Auditing-Detection als constructive Compliance-Finding (Audit-API-
Empfehlung statt Anklage, weil Mercedes berechtigt Bots blockiert)
P57 Phase G vendor_details Union mit cmp_vendors -> 42 Anbieter sichtbar
P58 Anti-Audit-Detection robuster (Script-Domain-Check + Settings-spezifisch)
P59 Cookie-Behavior-Validator (4 Layer, 3-Tier-Severity: MEDIUM=Kategorie-
Mismatch / HIGH=Zweck-Mismatch / CRITICAL=beide=Vorsatz-Indiz)
+ Open Cookie Database (CC0) als Library-Seed (2264 Cookies)
P59b Cookie-Behavior in Banner-Check verdrahtet + Mail-Block (BUGFIX:
SessionLocal selbst oeffnen, db war im Background-Task nicht im Scope)
Mail-Polish nach Mercedes-Review:
P63 Banner-Footer-Links auch im wb7-link/role=link erkennen (Shadow-DOM-
Walker label-based statt nur <a href>)
P64 Re-Access-Severity: MEDIUM statt HIGH, wenn Footer "Einstellungen" oder
Mercedes-typisch existiert; OEM-Footer-Detection (wb7-footer)
P65 Text-Truncation: Word-Boundary statt Zeichen-Cut (kein "einfa"-Bruch
mehr in Sofortmassnahmen)
P66 GF-Aktionen: Service-Zweck vs Cookie-Zweck explizit erklaert
(haeufige Verwechslung Marketing/GF: "Akamai-Beschreibung" != Cookie-
Zweck pro DSK-OH 2024)
P67 Stirring-Finding mit "Verlust-Framing"-Erklaerung + Alt-vs-Neutral-
Beispiel, statt nur EDPB-Fachbegriff
Compliance-Advisor FAQ (admin agent-core/soul):
+ CNIL/EDPB Top-Bussgelder (Google 100M, Meta 60M, Amazon 35M)
+ Deutsche Praezedenz (LG Muenchen Google Fonts, EuGH Planet49, BGH I ZR 7/16)
+ 4 Risiko-Pfade (Bussgeld/Abmahnung/Sammelklage/NOYB) + Berechnungs-Methodik
Document-Generator Templates: AGB-DE (142), Impressum (140), Widerrufs-
formular-Anlage (143), DSR-Process-Dedup (139), Cookie-Library (144).
Architektur: doc_action_mappings.py + banner_dom_walkers.py +
cookie_behavior_validator.py + vendor_detail_extractor.py rausgezogen,
um die 500-LOC-Caps in agent_doc_check_report.py und
banner_text_checker.py einzuhalten.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
372 lines
14 KiB
TypeScript
372 lines
14 KiB
TypeScript
/**
|
|
* Template Recommendations — Maps scope answers to document templates
|
|
*
|
|
* Bridges the gap between the Compliance Scope Engine (23 ScopeDocumentTypes)
|
|
* and the Document Generator (70+ database templates).
|
|
*
|
|
* The scope engine recommends high-level document categories (vvt, tom, dsfa...).
|
|
* This module recommends SPECIFIC templates based on additional context from
|
|
* the CompanyProfile and scope answers.
|
|
*/
|
|
|
|
import type { ComplianceDepthLevel } from '../../lib/sdk/compliance-scope-types/core-levels'
|
|
import type { ScopeProfilingAnswer } from '../../lib/sdk/compliance-scope-types/state'
|
|
|
|
// ============================================================================
|
|
// Template recommendation rules
|
|
// ============================================================================
|
|
|
|
interface TemplateRule {
|
|
/** Database document_type */
|
|
templateType: string
|
|
/** Human-readable label */
|
|
label: string
|
|
/** When to recommend this template */
|
|
condition: (answers: Map<string, string>, level: ComplianceDepthLevel, profile: Record<string, unknown>) => 'required' | 'recommended' | 'optional' | null
|
|
}
|
|
|
|
/**
|
|
* Rules that map scope answers + profile to specific template recommendations.
|
|
* These cover templates NOT directly output by the scope engine.
|
|
*/
|
|
const TEMPLATE_RULES: TemplateRule[] = [
|
|
// ── HR-DSI ──────────────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'employee_dsi',
|
|
label: 'Mitarbeiter-Datenschutzinformation',
|
|
condition: (answers, level) => {
|
|
const hasEmployees = answers.get('org_has_employees')
|
|
const empCount = answers.get('org_employee_count')
|
|
if (hasEmployees === 'yes' || (empCount && empCount !== 'none' && empCount !== '0')) {
|
|
return level >= 'L2' ? 'required' : 'recommended'
|
|
}
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'applicant_dsi',
|
|
label: 'Bewerber-Datenschutzinformation',
|
|
condition: (answers, level) => {
|
|
const hasEmployees = answers.get('org_has_employees')
|
|
const empCount = answers.get('org_employee_count')
|
|
if (hasEmployees === 'yes' || (empCount && empCount !== 'none' && empCount !== '0')) {
|
|
return level >= 'L2' ? 'recommended' : 'optional'
|
|
}
|
|
return null
|
|
},
|
|
},
|
|
|
|
// ── Whistleblower ───────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'whistleblower_policy',
|
|
label: 'Hinweisgeberrichtlinie (HinSchG)',
|
|
condition: (answers) => {
|
|
const empCount = answers.get('org_employee_count')
|
|
// HinSchG Pflicht ab 50 MA
|
|
if (empCount === '50_249' || empCount === '250_999' || empCount === '1000_plus') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
|
|
// ── KI ──────────────────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'ai_usage_policy',
|
|
label: 'KI-Nutzungsrichtlinie',
|
|
condition: (answers) => {
|
|
const aiUsage = answers.get('proc_ai_usage') || answers.get('proc_uses_ai_tools')
|
|
if (aiUsage && aiUsage !== 'none' && aiUsage !== 'no') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
|
|
// ── BYOD ────────────────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'byod_policy',
|
|
label: 'BYOD-Richtlinie',
|
|
condition: (answers, level) => {
|
|
const byod = answers.get('proc_byod_allowed')
|
|
if (byod === 'yes') return 'required'
|
|
if (level >= 'L3') return 'recommended'
|
|
return 'optional'
|
|
},
|
|
},
|
|
|
|
// ── Social Media ────────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'social_media_dsi',
|
|
label: 'Social-Media-Datenschutzinformation',
|
|
condition: (answers, level) => {
|
|
const sm = answers.get('org_has_social_media')
|
|
if (sm === 'yes') return 'required'
|
|
return level >= 'L2' ? 'recommended' : 'optional'
|
|
},
|
|
},
|
|
|
|
// ── Videokonferenzen ────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'video_conference_dsi',
|
|
label: 'Videokonferenz-Datenschutzinformation',
|
|
condition: (answers, level) => {
|
|
const video = answers.get('org_has_video_conferencing')
|
|
if (video === 'yes') return 'recommended'
|
|
if (level >= 'L3') return 'recommended'
|
|
return 'optional'
|
|
},
|
|
},
|
|
|
|
// ── Security Policies (nur ab L3/L4) ───────────────────────────────────
|
|
{
|
|
templateType: 'information_security_policy',
|
|
label: 'Informationssicherheitsrichtlinie',
|
|
condition: (_answers, level) => {
|
|
if (level >= 'L3') return 'required'
|
|
if (level === 'L2') return 'recommended'
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'password_policy',
|
|
label: 'Passwortrichtlinie',
|
|
condition: (_answers, level) => level >= 'L2' ? 'recommended' : 'optional',
|
|
},
|
|
{
|
|
templateType: 'encryption_policy',
|
|
label: 'Verschluesselungsrichtlinie',
|
|
condition: (_answers, level) => level >= 'L3' ? 'recommended' : 'optional',
|
|
},
|
|
{
|
|
templateType: 'access_control_policy',
|
|
label: 'Zugriffskontrollrichtlinie',
|
|
condition: (_answers, level) => level >= 'L3' ? 'recommended' : 'optional',
|
|
},
|
|
|
|
// ── Security Concepts (nur ab L3) ──────────────────────────────────────
|
|
{
|
|
templateType: 'it_security_concept',
|
|
label: 'IT-Sicherheitskonzept',
|
|
condition: (_answers, level) => level >= 'L3' ? 'required' : 'optional',
|
|
},
|
|
{
|
|
templateType: 'backup_recovery_concept',
|
|
label: 'Backup-Recovery-Konzept',
|
|
condition: (_answers, level) => level >= 'L3' ? 'recommended' : 'optional',
|
|
},
|
|
{
|
|
templateType: 'logging_concept',
|
|
label: 'Logging-Konzept',
|
|
condition: (_answers, level) => level >= 'L3' ? 'recommended' : 'optional',
|
|
},
|
|
{
|
|
templateType: 'access_control_concept',
|
|
label: 'Zugriffskonzept',
|
|
condition: (_answers, level) => level >= 'L3' ? 'recommended' : 'optional',
|
|
},
|
|
|
|
// ── Plattform/UGC ──────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'community_guidelines',
|
|
label: 'Gemeinschaftsrichtlinien',
|
|
condition: (answers) => {
|
|
const model = answers.get('org_business_model')
|
|
const ugc = answers.get('prod_ugc_platform')
|
|
if (ugc === 'yes' || model === 'platform' || model === 'marketplace' || model === 'social') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'terms_of_use',
|
|
label: 'Nutzungsbedingungen',
|
|
condition: (answers) => {
|
|
const model = answers.get('org_business_model')
|
|
const ugc = answers.get('prod_ugc_platform')
|
|
if (ugc === 'yes' || model === 'platform' || model === 'marketplace' || model === 'social' || model === 'saas') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'media_content_policy',
|
|
label: 'Medien- und Inhalte-Richtlinie',
|
|
condition: (answers) => {
|
|
const model = answers.get('org_business_model')
|
|
if (model === 'platform' || model === 'media') return 'recommended'
|
|
return null
|
|
},
|
|
},
|
|
|
|
// ── E-Commerce ─────────────────────────────────────────────────────────
|
|
{
|
|
templateType: 'widerruf',
|
|
label: 'Widerrufsbelehrung',
|
|
condition: (answers) => {
|
|
const shop = answers.get('prod_webshop')
|
|
if (shop && shop !== 'no') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'consent_texts',
|
|
label: 'Einwilligungstexte (Double-Opt-In)',
|
|
condition: (answers) => {
|
|
const consent = answers.get('prod_consent_management')
|
|
if (consent && consent !== 'no') return 'recommended'
|
|
return 'optional'
|
|
},
|
|
},
|
|
|
|
// ── Impressum + Cookie ─────────────────────────────────────────────────
|
|
{
|
|
templateType: 'impressum',
|
|
label: 'Impressum',
|
|
condition: () => 'required', // Immer Pflicht
|
|
},
|
|
{
|
|
templateType: 'cookie_policy',
|
|
label: 'Cookie-Richtlinie',
|
|
condition: () => 'required', // Immer Pflicht bei Websites
|
|
},
|
|
|
|
// ── DSE & Datenschutz-Kerndokumente (P38) ──────────────────────────────
|
|
{
|
|
templateType: 'privacy_policy',
|
|
label: 'Datenschutzerklaerung (Website)',
|
|
condition: () => 'required', // Art. 13 DSGVO — bei jeder Website Pflicht
|
|
},
|
|
{
|
|
templateType: 'data_protection_policy',
|
|
label: 'Datenschutzrichtlinie (intern)',
|
|
condition: (_answers, level) => level >= 'L2' ? 'required' : 'recommended',
|
|
},
|
|
{
|
|
templateType: 'dsfa',
|
|
label: 'DSFA-Vorlage',
|
|
condition: (answers) => {
|
|
const dsfa = answers.get('proc_dsfa_required') || answers.get('comp_dsfa_processes')
|
|
if (dsfa === 'yes' || dsfa === 'required') return 'required'
|
|
return 'optional'
|
|
},
|
|
},
|
|
{
|
|
templateType: 'dpa',
|
|
label: 'Auftragsverarbeitungsvertrag (AVV)',
|
|
condition: (answers) => {
|
|
const vendors = answers.get('comp_has_processors') || answers.get('comp_vendor_management')
|
|
if (vendors && vendors !== 'no') return 'required'
|
|
return 'recommended'
|
|
},
|
|
},
|
|
{
|
|
templateType: 'vvt_register',
|
|
label: 'Verzeichnis von Verarbeitungstaetigkeiten (VVT)',
|
|
condition: (_answers, level) => level >= 'L2' ? 'required' : 'recommended',
|
|
},
|
|
{
|
|
templateType: 'tom_documentation',
|
|
label: 'TOM-Dokumentation',
|
|
condition: (_answers, level) => level >= 'L2' ? 'required' : 'recommended',
|
|
},
|
|
{
|
|
templateType: 'loeschkonzept',
|
|
label: 'Loeschkonzept',
|
|
condition: (_answers, level) => level >= 'L2' ? 'required' : 'recommended',
|
|
},
|
|
|
|
// ── Drittlandtransfer (SCC + TIA) ───────────────────────────────────────
|
|
// SCC+TIA nur erforderlich wenn Drittlandtransfer OHNE Angemessenheitsbeschluss/DPF
|
|
{
|
|
templateType: 'transfer_impact_assessment',
|
|
label: 'Transfer Impact Assessment (TIA)',
|
|
condition: (answers) => {
|
|
const thirdCountry = answers.get('tech_third_country')
|
|
if (!thirdCountry || thirdCountry === 'no') return null
|
|
// Wenn nur DPF-zertifizierte US-Anbieter: empfohlen statt pflicht
|
|
if (thirdCountry === 'us_dpf_only') return 'optional'
|
|
// Wenn nur Laender mit Angemessenheitsbeschluss: nicht noetig
|
|
if (thirdCountry === 'adequate_only') return null
|
|
return 'required'
|
|
},
|
|
},
|
|
{
|
|
templateType: 'scc_companion',
|
|
label: 'Standardvertragsklauseln (SCC) — Anhaenge',
|
|
condition: (answers) => {
|
|
const thirdCountry = answers.get('tech_third_country')
|
|
if (!thirdCountry || thirdCountry === 'no') return null
|
|
if (thirdCountry === 'us_dpf_only') return 'optional'
|
|
if (thirdCountry === 'adequate_only') return null
|
|
return 'required'
|
|
},
|
|
},
|
|
|
|
// ── ISMS (nur bei Zertifizierungsziel) ─────────────────────────────────
|
|
{
|
|
templateType: 'isms_manual',
|
|
label: 'ISMS-Handbuch',
|
|
condition: (answers) => {
|
|
const cert = answers.get('org_cert_target')
|
|
if (cert === 'iso27001' || cert === 'iso27701' || cert === 'tisax') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
|
|
// ── Vendor/BCM (nur ab L4 oder bei Vendor-Management) ─────────────────
|
|
{
|
|
templateType: 'vendor_risk_management_policy',
|
|
label: 'Vendor-Risikomanagement',
|
|
condition: (answers, level) => {
|
|
const vendor = answers.get('comp_vendor_management')
|
|
if (vendor && vendor !== 'no') return 'recommended'
|
|
if (level === 'L4') return 'required'
|
|
return null
|
|
},
|
|
},
|
|
{
|
|
templateType: 'business_continuity_policy',
|
|
label: 'Business-Continuity-Richtlinie',
|
|
condition: (_answers, level) => level === 'L4' ? 'required' : 'optional',
|
|
},
|
|
]
|
|
|
|
// ============================================================================
|
|
// Public API
|
|
// ============================================================================
|
|
|
|
export interface TemplateRecommendation {
|
|
templateType: string
|
|
label: string
|
|
requirement: 'required' | 'recommended' | 'optional'
|
|
}
|
|
|
|
/**
|
|
* Evaluates all template rules against the user's scope answers and profile.
|
|
* Returns a prioritized list of template recommendations.
|
|
*/
|
|
export function evaluateTemplateRecommendations(
|
|
scopeAnswers: ScopeProfilingAnswer[],
|
|
level: ComplianceDepthLevel,
|
|
profile: Record<string, unknown> = {},
|
|
): TemplateRecommendation[] {
|
|
const answerMap = new Map<string, string>()
|
|
for (const a of scopeAnswers) {
|
|
answerMap.set(a.questionId, String(a.value))
|
|
}
|
|
|
|
const results: TemplateRecommendation[] = []
|
|
|
|
for (const rule of TEMPLATE_RULES) {
|
|
const requirement = rule.condition(answerMap, level, profile)
|
|
if (requirement) {
|
|
results.push({
|
|
templateType: rule.templateType,
|
|
label: rule.label,
|
|
requirement,
|
|
})
|
|
}
|
|
}
|
|
|
|
// Sort: required first, then recommended, then optional
|
|
const order = { required: 0, recommended: 1, optional: 2 }
|
|
results.sort((a, b) => order[a.requirement] - order[b.requirement])
|
|
|
|
return results
|
|
}
|