breakpilot-compliance/backend-compliance/compliance/services/cookie_knowledge_extended.py
Benjamin Admin 6c223c7c9b
feat(compliance-check): exec-summary + voll-audit + TDM-respect + cookie-KB-extended + saving-scan-funnel
P1 — Exec-Summary oben im Email-Report (4 KPIs + 2 CTAs, dunkler Gradient)
P3 — no_direct_sales-Flag fuer OEM-Konfigurator-Sites; AGB/Widerruf/AGB als
     "NICHT ANWENDBAR" (grau) statt "NICHT GEFUNDEN" (rot)
P5 — Voll-Audit Unification: alle Findings (MC + Pflichtangaben + Vendor +
     Redundanz) in /data/compliance_audits.db.unified_findings; neuer
     /api/compliance/agent/findings/<id> Endpoint + FindingsTab im Audit-UI
     mit Filter + CSV-Export
P7 — Crawl-Hardening: TDM-Reservation-Check (robots.txt / ai.txt / Header /
     Meta) vor jedem Run mit 24h-Cache; HeadlessChrome-UA (Firma noch nicht
     gegruendet — Switch via BREAKPILOT_BRANDED_UA env); per-Domain
     Rate-Limit 1 req/s + max 2 concurrent
P2 — Cookie-Knowledge-DB additiv erweitert (35 -> 74 Cookies): Adobe, Meta,
     Microsoft, LinkedIn, TikTok, HubSpot, Marketo, Salesforce, Hotjar,
     FullStory, Mouseflow, Intercom, Drift, Zendesk, Cloudflare, Stripe,
     OneTrust/Cookiebot/Usercentrics, Matomo, Pinterest, Snapchat, X/Twitter,
     YouTube, Vimeo, Klaviyo, Mailchimp, Mixpanel, Segment, Amplitude,
     Optimizely, Datadog; Wire-in in cookie_function_classifier liefert
     compliance_risk-Label (kritisch/hoch/mittel/gering) pro Vendor
A  — k-Anonymitaets-Helper (benchmark_k_anonymity) fuer P6-Vorbereitung
B  — Cross-Tenant-Domain-Assertion im /findings-Endpoint (expected_domain
     Query-Param -> 403 bei Mismatch)
C  — Saving-Scan-Funnel: /api/compliance/agent/saving-scan/start mit
     Validierung + 24h-Rate-Limit pro Domain + Lead-Persistenz in
     saving_scan_leads + Auto-Discovery via _run_compliance_check; 6 Tests
D  — Risk-Badge im Email-Vendor-Row

Rechtliche Leitplanken (Memory feedback_oem_data_legal.md): nur eigene
Knapp-Bewertungen + Source-Pointer, keine 1:1-Kopien fremder CMP-Texte.
TDM-Opt-Out-Respect nach § 44b UrhG. KEINE Schema-Aenderungen — alles in
Sidecar-SQLite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 23:48:34 +02:00


"""
Cookie-Knowledge Erweiterung — Adobe, Meta erweitert, Microsoft, LinkedIn,
TikTok, Salesforce/HubSpot/Marketo, Hotjar/Mouseflow/FullStory, Live-Chat,
Cloudflare/Akamai, Payment, CMP-eigene Cookies, EU-Analytics.
Hinweis zu Rechten: Eintraege enthalten ausschliesslich Identitaetsfelder
(Cookie-Name, Anbieter, Sitzland) + EIGENE Knappformulierungen + Verweise
auf oeffentliche EuGH-/CNIL-/EDPB-Quellen. KEINE 1:1-Kopien aus OneTrust,
Cookiepedia oder Vendor-eigenen Beschreibungstexten.
Quellen-Pointer: IAB TCF v2.2 Vendor List, CNIL Cookies & Trackers
Guidelines 2024, EDPB Guidelines 2/2023, EuGH-Rechtsprechung (Schrems II,
Planet49), DSK-Orientierungshilfen 2021/2024.
"""
from __future__ import annotations
from compliance.services.cookie_knowledge_db import CookieKnowledge
# Shared per-vendor defaults. Entries in KB_EXT spread one of these with ``**``
# and then add or override cookie-specific fields.

# Adobe Inc. (vendor_country "US").
_ADOBE_BASE = dict(
    vendor="Adobe Inc.",
    vendor_country="US",
    schrems_ii_status=(
        "Drittlandtransfer US. Mit DPF (2023) wieder "
        "zulaessig; EU-Datenresidenz-Option in Adobe "
        "Experience Platform verfuegbar."
    ),
    eugh_rulings=[
        "EuGH C-311/18 (Schrems II)",
        "EDPB Recommendations 01/2020 — Supplementary Measures",
    ],
)

# Meta Platforms Ireland Ltd. (vendor_country "IE").
_META_BASE = dict(
    vendor="Meta Platforms Ireland Ltd.",
    vendor_country="IE",
    schrems_ii_status=(
        "Verarbeitung in IE + US-Transfer. DPC Ireland "
        "Bussgeld 2023 (€1,2 Mrd) wegen unzureichender "
        "Schutzmassnahmen — DPF deckt seit 2023."
    ),
    eugh_rulings=[
        "EuGH C-311/18 (Schrems II)",
        "DPC Ireland 2023 — Meta 1,2 Mrd. EUR",
    ],
)

# Microsoft Corp. (vendor_country "US").
_MICROSOFT_BASE = dict(
    vendor="Microsoft Corp.",
    vendor_country="US",
    schrems_ii_status=(
        "DPF-zertifiziert; EU Data Boundary fuer Azure/365 "
        "seit 2024 verfuegbar."
    ),
    eugh_rulings=["EuGH C-311/18 (Schrems II)"],
)

# LinkedIn Ireland Unlimited Co. (vendor_country "IE").
_LINKEDIN_BASE = dict(
    vendor="LinkedIn Ireland Unlimited Co.",
    vendor_country="IE",
    schrems_ii_status="Microsoft-Konzern, EU-Hauptsitz IE, Transfer US.",
    eugh_rulings=["EuGH C-311/18 (Schrems II)"],
)
# Extension knowledge base: cookie name -> CookieKnowledge entry.
# The keys "_hjSessionUser_", "_hjSession_", "intercom-id-", "mp_" and "AMP_"
# are name prefixes for cookies with a dynamic suffix; _EXT_PATTERNS maps
# observed names onto them.
# Vendor entries spread a shared *_BASE dict first and then override fields, so
# the order of items inside an entry matters.
# NOTE(review): entries are keyed by cookie name only. Generic names (e.g.
# "guest_id", "CookieConsent") may also be set first-party by unrelated
# software — consider confirming the cookie domain before a vendor and risk
# label are attributed in a report.
KB_EXT: dict[str, CookieKnowledge] = {
    # --- Adobe Experience Cloud --------------------------------------
    # AMCV_, s_cc, s_sq live in the base KB.
    "demdex": {
        **_ADOBE_BASE,
        "vendor": "Adobe Inc. (Audience Manager)",
        "exact_purpose": "Adobe Audience Manager DMP — Cross-Site-Profil "
                         "fuer Zielgruppen-Segmentierung.",
        "data_collected": ["dpuuid", "segments"],
        "ip_relevant": True,
        "tcf_purpose_ids": [4, 9, 10],
        "typical_lifetime": "180 Tage",
        "reid_risk": "high", "technical_necessity": "none",
    },
    # --- Meta (extended) ----------------------------------------------
    # fr, _fbc live in the base KB.
    "datr": {
        **_META_BASE,
        "exact_purpose": "Facebook Browser-Identifier — Anti-Abuse/Bot-Schutz.",
        "data_collected": ["browser_fingerprint_id"],
        "ip_relevant": True,
        "typical_lifetime": "2 Jahre",
        "reid_risk": "high", "technical_necessity": "partial",
        "notes": "Wird auch ohne Consent gesetzt; Meta argumentiert "
                 "Sicherheit. Trotzdem von DSK 2024 kritisch bewertet.",
    },
    # --- Microsoft / Bing ---------------------------------------------
    # MUID lives in the base KB.
    "MSCC": {
        **_MICROSOFT_BASE,
        "exact_purpose": "Microsoft Site Consent — Consent-Status-Speicherung "
                         "fuer Microsoft-eigene Properties.",
        "data_collected": ["consent_string"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
        "notes": "Strictly necessary nach §25(2) TDDDG.",
    },
    "ai_session": {
        **_MICROSOFT_BASE,
        "vendor": "Microsoft Corp. (Application Insights)",
        "exact_purpose": "Azure Application Insights — Session-Tracking fuer "
                         "Telemetry.",
        "data_collected": ["session_id"],
        "typical_lifetime": "30 Minuten",
        "reid_risk": "medium", "technical_necessity": "partial",
    },
    # --- LinkedIn ------------------------------------------------------
    # NOTE(review): li_at is described below as the login session token. A
    # scanner should record only the cookie name, never its value — confirm
    # against the crawler and the findings store.
    "li_at": {
        **_LINKEDIN_BASE,
        "exact_purpose": "LinkedIn-Authentifizierung — Login-Session.",
        "data_collected": ["auth_token"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "full",
        "notes": "Nur fuer eingeloggte Nutzer; auf externer Site = "
                 "Insight Tag (siehe li_sugr).",
    },
    "li_sugr": {
        **_LINKEDIN_BASE,
        "exact_purpose": "LinkedIn Insight Tag — Browser-ID fuer "
                         "Conversion-Tracking + Werbe-Targeting.",
        "data_collected": ["browser_id"],
        "ip_relevant": True,
        "tcf_purpose_ids": [7, 9, 10],
        "typical_lifetime": "90 Tage",
        "reid_risk": "high", "technical_necessity": "none",
    },
    # bcookie, lidc live in the base KB.
    # --- TikTok --------------------------------------------------------
    # NOTE(review): despite the field name, the "eugh_rulings" items below are
    # supervisory-authority decisions, not CJEU rulings. Confirm the issuing
    # authority and case reference of the 2024 Italian decision before this
    # text is shown in a customer report.
    "_ttp": {
        "vendor": "TikTok Pte. Ltd.", "vendor_country": "SG/CN",
        "exact_purpose": "TikTok Pixel — User-ID fuer Conversion-Tracking + "
                         "Werbeoptimierung.",
        "data_collected": ["pixel_id", "browser_id"],
        "ip_relevant": True,
        "tcf_purpose_ids": [7, 9, 10],
        "typical_lifetime": "13 Monate",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "Drittlandtransfer in Drittstaaten ohne "
                             "Angemessenheitsbeschluss. CNIL 2023 — "
                             "TikTok 5 Mio EUR Bussgeld.",
        "eugh_rulings": [
            "CNIL SAN-2022-027 — TikTok 5 Mio EUR",
            "Italienische DPA 2024 — TikTok 10 Mio EUR",
        ],
    },
    "ttwid": {
        "vendor": "TikTok Pte. Ltd.", "vendor_country": "SG/CN",
        "exact_purpose": "TikTok Web-Identifier — eindeutige Browser-ID auch "
                         "ohne Login.",
        "data_collected": ["ttwid"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "Wie _ttp.",
    },
    # --- HubSpot / Marketo / Salesforce ------------------------------
    "hubspotutk": {
        "vendor": "HubSpot Inc.", "vendor_country": "US",
        "exact_purpose": "HubSpot User-Token — Cross-Visit-Identitaet fuer "
                         "Lead-Tracking.",
        "data_collected": ["user_token"],
        "ip_relevant": True,
        "tcf_purpose_ids": [7, 8],
        "typical_lifetime": "6 Monate",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    "__hssc": {
        "vendor": "HubSpot Inc.", "vendor_country": "US",
        "exact_purpose": "HubSpot Session-Tracking — Pageviews innerhalb "
                         "einer Session.",
        "data_collected": ["session_count"],
        "typical_lifetime": "30 Minuten",
        "reid_risk": "low", "technical_necessity": "none",
    },
    "_mkto_trk": {
        "vendor": "Adobe Inc. (Marketo)", "vendor_country": "US",
        "exact_purpose": "Marketo Munchkin-Tracker — Lead-Identifikation "
                         "fuer Marketing-Automation.",
        "data_collected": ["munchkin_id", "session_id"],
        "ip_relevant": True,
        "typical_lifetime": "2 Jahre",
        "reid_risk": "high", "technical_necessity": "none",
        # Reuses only the transfer assessment from the Adobe defaults; the
        # other Adobe base fields are not spread into this entry.
        "schrems_ii_status": _ADOBE_BASE["schrems_ii_status"],
    },
    "BrowserId_sec": {
        "vendor": "Salesforce.com Inc.", "vendor_country": "US",
        "exact_purpose": "Salesforce Marketing Cloud Browser-Token — "
                         "Cross-Visit-Identifikation.",
        "data_collected": ["browser_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "medium", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    # --- Session-Recording / Heatmaps ---------------------------------
    # Prefix key: observed names carry a site-id suffix (see "notes").
    "_hjSessionUser_": {
        "vendor": "Hotjar Ltd.", "vendor_country": "MT",
        "exact_purpose": "Hotjar User-ID — Cross-Visit-Identifikation fuer "
                         "Session-Recording + Heatmaps.",
        "data_collected": ["user_id"],
        "ip_relevant": True,
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "EU (Malta) — kein Drittland. Aber: parent "
                             "Contentsquare (FR) hostet teilweise in US.",
        "notes": "Suffix `<site_id>`. Pattern-Match noetig. "
                 "DSGVO-Aufzeichnung = Einwilligung pflichtig.",
        "eu_alternative_vendor": "Mouseflow / Smartlook (CZ)",
    },
    # Prefix key, resolved through _EXT_PATTERNS.
    "_hjSession_": {
        "vendor": "Hotjar Ltd.", "vendor_country": "MT",
        "exact_purpose": "Hotjar Session-Token — eindeutige Session-ID "
                         "innerhalb 30min Inaktivitaet.",
        "data_collected": ["session_id"],
        "typical_lifetime": "30 Minuten",
        "reid_risk": "medium", "technical_necessity": "none",
    },
    "fs_uid": {
        "vendor": "FullStory Inc.", "vendor_country": "US",
        "exact_purpose": "FullStory User-ID — Cross-Visit-Identifikation "
                         "fuer Session-Replay.",
        "data_collected": ["user_id"],
        "ip_relevant": True,
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert. EU-Region verfuegbar (opt-in).",
    },
    "mf_user": {
        "vendor": "Mouseflow Aps", "vendor_country": "DK",
        "exact_purpose": "Mouseflow User-ID — Cross-Visit-Identifikation fuer "
                         "Heatmap + Recording.",
        "data_collected": ["user_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "medium", "technical_necessity": "none",
        "schrems_ii_status": "EU (DK) — kein Drittland.",
    },
    # --- Live-Chat ----------------------------------------------------
    # Prefix key: observed names carry an app-id suffix (see "notes").
    "intercom-id-": {
        "vendor": "Intercom Inc.", "vendor_country": "US",
        "exact_purpose": "Intercom Visitor-ID — Wiedererkennung anonymer "
                         "Besucher fuer Chat-History.",
        "data_collected": ["visitor_id"],
        "typical_lifetime": "9 Monate",
        "reid_risk": "medium", "technical_necessity": "partial",
        "schrems_ii_status": "DPF-zertifiziert; EU-Datenresidenz optional.",
        "notes": "Suffix `<app_id>`. Pattern-Match noetig.",
    },
    "driftt_aid": {
        "vendor": "Salesforce.com Inc. (Drift)", "vendor_country": "US",
        "exact_purpose": "Drift Anonymous-Visitor-ID fuer Chat-Personalisierung.",
        "data_collected": ["visitor_id"],
        "typical_lifetime": "2 Jahre",
        "reid_risk": "medium", "technical_necessity": "partial",
    },
    "__zlcmid": {
        "vendor": "Zendesk Inc.", "vendor_country": "US",
        "exact_purpose": "Zendesk Chat Visitor-ID fuer Session-Tracking.",
        "data_collected": ["chat_visitor_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "medium", "technical_necessity": "partial",
        "schrems_ii_status": "DPF-zertifiziert; EU-Datacenter optional.",
    },
    # --- CDN / security (strictly necessary) -------------------------
    # __cf_bm, cf_clearance live in the base KB.
    "AKA_A2": {
        "vendor": "Akamai Technologies Inc.", "vendor_country": "US",
        "exact_purpose": "Akamai Adaptive Acceleration — geroutete Best-Path-"
                         "Optimierung.",
        "data_collected": ["a2_route"],
        "typical_lifetime": "1 Stunde",
        "reid_risk": "low", "technical_necessity": "full",
    },
    # --- Payment (strictly necessary for checkout) -------------------
    "__stripe_mid": {
        "vendor": "Stripe Payments Europe Ltd.", "vendor_country": "IE",
        "exact_purpose": "Stripe Fraud-Detection Merchant-ID — Risiko-Scoring "
                         "fuer Zahlungs-Authentifizierung.",
        "data_collected": ["merchant_visitor_id"],
        "ip_relevant": True,
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
        "schrems_ii_status": "EU (IE) — kein Drittland.",
        "notes": "Strictly necessary nach §25(2) TDDDG fuer Zahlungsabwicklung.",
    },
    "__stripe_sid": {
        "vendor": "Stripe Payments Europe Ltd.", "vendor_country": "IE",
        "exact_purpose": "Stripe Session-ID — temporaere Zahlungs-Session.",
        "data_collected": ["session_id"],
        "typical_lifetime": "30 Minuten",
        "reid_risk": "low", "technical_necessity": "full",
    },
    # --- CMP-owned cookies (strictly necessary) ----------------------
    "CookieConsent": {
        "vendor": "Cybot A/S (Cookiebot)", "vendor_country": "DK",
        "exact_purpose": "Cookiebot Consent-Speicherung — gewaehlte "
                         "Kategorien + Zeitstempel.",
        "data_collected": ["consent_categories", "consent_timestamp"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
        "schrems_ii_status": "EU (DK). Wenn EU-Cloud, kein Drittland.",
    },
    "OptanonConsent": {
        "vendor": "OneTrust LLC", "vendor_country": "US",
        "exact_purpose": "OneTrust Consent-Speicherung — Kategorien + "
                         "Vendor-Liste + Zeitstempel.",
        "data_collected": ["consent_categories", "consent_string"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
        "schrems_ii_status": "DPF-zertifiziert; EU-Cloud optional.",
    },
    "OptanonAlertBoxClosed": {
        "vendor": "OneTrust LLC", "vendor_country": "US",
        "exact_purpose": "OneTrust UI-Flag — verhindert Re-Display des "
                         "Banners nach Schliessung.",
        "data_collected": ["closed_timestamp"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
    },
    "usercentrics-uuid": {
        "vendor": "Usercentrics GmbH", "vendor_country": "DE",
        "exact_purpose": "Usercentrics Consent-Speicherung — UUID-basiert.",
        "data_collected": ["consent_uuid", "consent_settings"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "low", "technical_necessity": "full",
        "schrems_ii_status": "DE — kein Drittland.",
    },
    # --- Further social / advertising platforms ----------------------
    # _pin_unauth lives in the base KB.
    "_scid": {
        "vendor": "Snap Group Ltd.", "vendor_country": "GB/US",
        "exact_purpose": "Snapchat Pixel — Conversion-Tracking fuer "
                         "Snap Ads.",
        "data_collected": ["snap_visitor_id"],
        "ip_relevant": True,
        "tcf_purpose_ids": [7, 9, 10],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "Drittlandtransfer; UK seit 2021 mit "
                             "Angemessenheitsbeschluss.",
    },
    "guest_id": {
        "vendor": "X Corp. (Twitter)", "vendor_country": "US",
        "exact_purpose": "X/Twitter Guest-Identifier — Tracking nicht "
                         "eingeloggter Besucher inkl. Embeds.",
        "data_collected": ["guest_id"],
        "ip_relevant": True,
        "tcf_purpose_ids": [4, 9, 10],
        "typical_lifetime": "2 Jahre",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-Status unklar seit Eigentuemerwechsel 2022. "
                             "Erhoehtes Risiko, EDPB beobachtet.",
    },
    "VISITOR_INFO1_LIVE": {
        "vendor": "Google Ireland Ltd. (YouTube)", "vendor_country": "IE",
        "exact_purpose": "YouTube Embed Visitor-ID — Bandbreiten-Optimierung "
                         "+ Empfehlungsalgorithmus.",
        "data_collected": ["youtube_visitor_id"],
        "ip_relevant": True,
        "tcf_purpose_ids": [8, 10],
        "typical_lifetime": "6 Monate",
        "reid_risk": "high", "technical_necessity": "none",
        "notes": "YouTube-NoCookie-Domain (youtube-nocookie.com) reduziert "
                 "Tracking — DSGVO-konformer.",
    },
    "vuid": {
        "vendor": "Vimeo Inc.", "vendor_country": "US",
        "exact_purpose": "Vimeo User-Identifier — Wiedererkennung "
                         "wiederkehrender Besucher fuer Statistik.",
        "data_collected": ["vimeo_user_id"],
        "typical_lifetime": "2 Jahre",
        "reid_risk": "medium", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    # --- Marketing-Automation / Email --------------------------------
    "__kla_id": {
        "vendor": "Klaviyo Inc.", "vendor_country": "US",
        "exact_purpose": "Klaviyo Visitor-Tracking — fuer E-Mail-Marketing-"
                         "Attribution.",
        "data_collected": ["klaviyo_id"],
        "ip_relevant": True,
        "typical_lifetime": "2 Jahre",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    "_mcid": {
        "vendor": "Intuit Mailchimp", "vendor_country": "US",
        "exact_purpose": "Mailchimp Email-Click-Tracking — Verknuepft "
                         "Pageviews mit gesendeter Kampagne.",
        "data_collected": ["mc_email_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    # --- Product-Analytics / CDP -------------------------------------
    # Prefix key: "notes" documents the full shape `mp_<token>_mixpanel`.
    "mp_": {
        "vendor": "Mixpanel Inc.", "vendor_country": "US",
        "exact_purpose": "Mixpanel Distinct-ID + Properties — "
                         "Pseudonyme Event-Analytics.",
        "data_collected": ["distinct_id", "properties"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert; EU-Residency optional.",
        "notes": "Suffix `<token>_mixpanel`. Pattern-Match noetig.",
    },
    "ajs_anonymous_id": {
        "vendor": "Twilio Inc. (Segment)", "vendor_country": "US",
        "exact_purpose": "Segment Anonymous-ID — Cross-Device-Identitaet "
                         "vor Login.",
        "data_collected": ["anonymous_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert; EU-Datenresidenz optional.",
    },
    # Prefix key: observed names carry an api-key suffix (see "notes").
    "AMP_": {
        "vendor": "Amplitude Inc.", "vendor_country": "US",
        "exact_purpose": "Amplitude Device-ID — Cross-Session-Identitaet "
                         "fuer Product-Analytics.",
        "data_collected": ["device_id", "session_id"],
        "typical_lifetime": "1 Jahr",
        "reid_risk": "high", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
        "notes": "Suffix `<api_key>`. Pattern-Match noetig.",
    },
    # --- A/B-Testing -------------------------------------------------
    "optimizelyEndUserId": {
        "vendor": "Optimizely Inc.", "vendor_country": "US",
        "exact_purpose": "Optimizely End-User-ID — konsistente "
                         "Experiment-Zuteilung pro Besucher.",
        "data_collected": ["end_user_id", "variation_assignments"],
        "typical_lifetime": "6 Monate",
        "reid_risk": "medium", "technical_necessity": "none",
        "schrems_ii_status": "DPF-zertifiziert.",
    },
    # --- RUM / Monitoring (often argued to be strictly necessary) ----
    "_dd_s": {
        "vendor": "Datadog Inc.", "vendor_country": "US",
        "exact_purpose": "Datadog RUM Session-Tracking — Performance- "
                         "Monitoring + Fehler-Telemetrie.",
        "data_collected": ["session_id", "session_type"],
        "typical_lifetime": "15 Minuten",
        "reid_risk": "low", "technical_necessity": "partial",
        "schrems_ii_status": "EU-Region (Frankfurt) verfuegbar.",
        "notes": "Bei reiner Server-/Fehler-Telemetrie ohne Cross-Site-"
                 "Tracking Argument fuer berechtigtes Interesse moeglich.",
    },
    # --- EU analytics alternatives -----------------------------------
    "_pk_ref": {
        "vendor": "InnoCraft Ltd. (Matomo)", "vendor_country": "NZ",
        "exact_purpose": "Matomo Referrer-Tracking — Quelle des Besuchs.",
        "data_collected": ["referrer", "campaign"],
        "typical_lifetime": "6 Monate",
        "reid_risk": "low", "technical_necessity": "none",
        "schrems_ii_status": "NZ hat Angemessenheitsbeschluss (2012). "
                             "Bei On-Premise-Hosting kein Transfer.",
        "notes": "Self-Hosting empfohlen — dann zeroes Drittland.",
    },
    "_pk_cvar": {
        "vendor": "InnoCraft Ltd. (Matomo)", "vendor_country": "NZ",
        "exact_purpose": "Matomo Custom-Variables — pro Visit konfigurierbar.",
        "data_collected": ["custom_vars"],
        "typical_lifetime": "30 Minuten",
        "reid_risk": "low", "technical_necessity": "none",
    },
}
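# Pattern lookups for cookies whose names carry a dynamic, per-site part.
# Each tuple is (regex applied to the observed cookie name, KB_EXT key).
# Keep every pattern as narrow as the vendor's naming scheme allows: a pattern
# that is too broad attributes unrelated cookies to a vendor and yields a wrong
# vendor and risk label in the compliance report.
_EXT_PATTERNS: list[tuple[str, str]] = [
    (r"^_hjSessionUser_", "_hjSessionUser_"),
    (r"^_hjSession_", "_hjSession_"),
    (r"^intercom-id-", "intercom-id-"),
    # The KB_EXT note for "mp_" documents the shape `mp_<token>_mixpanel`.
    # A bare `^mp_` prefix would also claim unrelated cookies such as
    # "mp_lang", so the documented suffix is required here.
    (r"^mp_.+_mixpanel$", "mp_"),
    # NOTE(review): plain prefix match. Other vendors also use AMP_-prefixed
    # names (e.g. Google Analytics' AMP_TOKEN) — confirm the base KB is
    # consulted before this table, or narrow the pattern.
    (r"^AMP_", "AMP_"),
]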
def lookup_cookie_extended(name: str) -> CookieKnowledge | None:
    """Resolve a cookie name against the extension knowledge base ``KB_EXT``.

    Resolution order:
      1. exact key match;
      2. the first regex in ``_EXT_PATTERNS`` that matches the name
         (cookies with a dynamic suffix);
      3. the part of the name before the first ``.``, if it is an exact key.

    Returns the matching entry, or ``None`` for an empty name or no match.
    Matching is by name only; the cookie's domain is not considered here.
    """
    import re

    if not name:
        return None

    if name in KB_EXT:
        return KB_EXT[name]

    # The first matching pattern wins, even if its key is missing from KB_EXT
    # (in which case the result is None and no further fallback is tried).
    matched_key = next(
        (key for pattern, key in _EXT_PATTERNS if re.search(pattern, name)),
        None,
    )
    if matched_key is not None:
        return KB_EXT.get(matched_key)

    # Fallback for dotted names: retry with the segment before the first dot.
    prefix, dot, _rest = name.partition(".")
    if dot and prefix in KB_EXT:
        return KB_EXT[prefix]
    return None