breakpilot-compliance/backend-compliance/migrations/144_cookie_library.sql

-- Migration 144: Cookie-Library für P59 — Behavior-Validator
--
-- Eigene Cookie-Wissensbasis: Name+Domain → tatsächliche Kategorie,
-- Zweck, typische Werte-Patterns, Datenempfänger. Basis für Findings
-- "Cookie als X deklariert, tatsächlich Y" nach Art. 5(1)(b) DSGVO.
--
-- Quellen:
--   - Open Cookie Database (CC0, github.com/jkwakman/Open-Cookie-Database)
--   - Cookiepedia (kommerziell, nur Referenz nicht ingestiert)
--   - Manuelle BreakPilot-Recherche (OEM-Cookies)

BEGIN;

CREATE TABLE IF NOT EXISTS compliance.cookie_library (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    cookie_name TEXT NOT NULL,
    -- Domain pattern: exact ".example.com" or wildcard "*.googletagmanager.com"
    domain_pattern TEXT NOT NULL,
    -- Vendor / processing company
    vendor_name TEXT NOT NULL,
    vendor_country TEXT,                       -- ISO-2 (DE/IE/US)
    vendor_privacy_url TEXT,
    vendor_opt_out_url TEXT,
    -- Behavioural classification (truth, not declaration)
    actual_category TEXT NOT NULL CHECK (actual_category IN
        ('essential', 'functional', 'statistics', 'marketing',
         'social_media', 'unknown')),
    purpose_de TEXT,                           -- "Cross-Site-Tracking ueber 80% der dt. Sites"
    purpose_en TEXT,
    -- Typical value pattern (regex) — used for value-mismatch findings
    value_pattern TEXT,                        -- e.g. ^[a-f0-9]{32}$ (Hash-ID)
    typical_max_age_seconds BIGINT,            -- Lebensdauer typ. Wert
    -- Receiver-domains (XHR/img to which the cookie value flows)
    data_receivers TEXT[],                     -- ["google-analytics.com", "doubleclick.net"]
    -- Cross-site usage signal (~ how widespread)
    cross_site_count INTEGER,                  -- ca. wie viele Sites verwenden ihn
    is_pii BOOLEAN DEFAULT FALSE,              -- enthält Personenbezug direkt
    -- Provenance + trust
    source_name TEXT NOT NULL,                 -- "Open Cookie Database" / "BreakPilot Research"
    source_url TEXT,
    source_license TEXT,                       -- "CC0", "MIT" — was wir nutzen duerfen
    confidence NUMERIC(3,2) DEFAULT 0.80,      -- 0..1
    last_verified TIMESTAMPTZ DEFAULT now(),
    notes TEXT,
    created_at TIMESTAMPTZ DEFAULT now(),
    updated_at TIMESTAMPTZ DEFAULT now()
);

-- Index for fast lookup by name + domain
CREATE INDEX IF NOT EXISTS idx_cookie_lib_name
    ON compliance.cookie_library (cookie_name);
CREATE INDEX IF NOT EXISTS idx_cookie_lib_domain
    ON compliance.cookie_library (domain_pattern);

-- Cookie behavior audit log — was haben wir bei welcher Site beobachtet
CREATE TABLE IF NOT EXISTS compliance.cookie_behavior_audits (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    check_id TEXT,                             -- compliance-check ID
    site_url TEXT NOT NULL,
    cookie_name TEXT NOT NULL,
    cookie_domain TEXT,
    -- Observed
    observed_value_sample TEXT,                -- truncated 200 chars
    observed_max_age_seconds BIGINT,
    declared_category TEXT,                    -- was die Site behauptet
    -- Library match
    library_id UUID REFERENCES compliance.cookie_library(id),
    matched_actual_category TEXT,
    mismatch_severity TEXT,                    -- "HIGH" / "MEDIUM" / "LOW" / NULL
    mismatch_reason TEXT,
    -- Network observations
    observed_receivers TEXT[],
    third_party_transfer BOOLEAN DEFAULT FALSE,
    created_at TIMESTAMPTZ DEFAULT now()
);

CREATE INDEX IF NOT EXISTS idx_cba_check
    ON compliance.cookie_behavior_audits (check_id);
CREATE INDEX IF NOT EXISTS idx_cba_site
    ON compliance.cookie_behavior_audits (site_url);

COMMIT;