breakpilot-compliance/admin-compliance/lib/sdk/demo-data/index.ts

/**
 * Demo Data Seeding for AI Compliance SDK
 *
 * IMPORTANT: Demo data is NOT hardcoded in the frontend.
 * This module provides seed data that gets stored via the API,
 * exactly like real customer data would be stored.
 *
 * The seedDemoData() function writes data through the API,
 * and the data is then loaded from the database like any other data.
 */

import { SDKState } from '../types'
import { getSDKApiClient } from '../api-client'

// Seed data imports (these are templates, not runtime data)
import { getDemoUseCases, DEMO_USE_CASES } from './use-cases'
import { getDemoRisks, DEMO_RISKS } from './risks'
import { getDemoControls, DEMO_CONTROLS } from './controls'
import { getDemoDSFA, DEMO_DSFA } from './dsfa'
import { getDemoTOMs, DEMO_TOMS } from './toms'
import { getDemoProcessingActivities, getDemoRetentionPolicies, DEMO_PROCESSING_ACTIVITIES, DEMO_RETENTION_POLICIES } from './vvt'

// Re-export for direct access to seed templates (for testing/development)
export {
  getDemoUseCases,
  getDemoRisks,
  getDemoControls,
  getDemoDSFA,
  getDemoTOMs,
  getDemoProcessingActivities,
  getDemoRetentionPolicies,
  // Raw data exports
  DEMO_USE_CASES,
  DEMO_RISKS,
  DEMO_CONTROLS,
  DEMO_DSFA,
  DEMO_TOMS,
  DEMO_PROCESSING_ACTIVITIES,
  DEMO_RETENTION_POLICIES,
}

/**
 * Generate a complete demo state object
 * This is used as seed data for the API, not as runtime data
 */
export function generateDemoState(tenantId: string, userId: string): Partial<SDKState> {
  const now = new Date()

  return {
    // Metadata
    version: '1.0.0',
    projectVersion: 1,
    lastModified: now,

    // Tenant & User
    tenantId,
    userId,
    subscription: 'PROFESSIONAL',

    // Customer Type
    customerType: 'new',

    // Company Profile (Demo: TechStart GmbH - SaaS-Startup aus Berlin)
    companyProfile: {
      companyName: 'TechStart GmbH',
      legalForm: 'gmbh',
      industry: 'Technologie / IT',
      foundedYear: 2022,
      businessModel: 'B2B_B2C',
      offerings: ['app_web', 'software_saas', 'services_consulting'],
      companySize: 'small',
      employeeCount: '10-49',
      annualRevenue: '2-10 Mio',
      headquartersCountry: 'DE',
      headquartersCity: 'Berlin',
      hasInternationalLocations: false,
      internationalCountries: [],
      targetMarkets: ['germany_only', 'dach'],
      primaryJurisdiction: 'DE',
      isDataController: true,
      isDataProcessor: true,
      usesAI: true,
      aiUseCases: ['KI-gestützte Kundenberatung', 'Automatisierte Dokumentenanalyse'],
      dpoName: 'Max Mustermann',
      dpoEmail: 'dsb@techstart.de',
      legalContactName: null,
      legalContactEmail: null,
      isComplete: true,
      completedAt: new Date('2026-01-14'),
    },

    // Progress - showing a realistic partially completed workflow
    currentPhase: 2,
    currentStep: 'tom',
    completedSteps: [
      'company-profile',
      'use-case-assessment',
      'screening',
      'modules',
      'requirements',
      'controls',
      'evidence',
      'audit-checklist',
      'risks',
      'ai-act',
      'obligations',
      'dsfa',
    ],
    checkpoints: {
      'CP-PROF': { checkpointId: 'CP-PROF', passed: true, validatedAt: new Date('2026-01-14'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-UC': { checkpointId: 'CP-UC', passed: true, validatedAt: new Date('2026-01-15'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-SCAN': { checkpointId: 'CP-SCAN', passed: true, validatedAt: new Date('2026-01-16'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-MOD': { checkpointId: 'CP-MOD', passed: true, validatedAt: new Date('2026-01-17'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-REQ': { checkpointId: 'CP-REQ', passed: true, validatedAt: new Date('2026-01-18'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-CTRL': { checkpointId: 'CP-CTRL', passed: true, validatedAt: new Date('2026-01-19'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-EVI': { checkpointId: 'CP-EVI', passed: true, validatedAt: new Date('2026-01-20'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-CHK': { checkpointId: 'CP-CHK', passed: true, validatedAt: new Date('2026-01-21'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-RISK': { checkpointId: 'CP-RISK', passed: true, validatedAt: new Date('2026-01-22'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-AI': { checkpointId: 'CP-AI', passed: true, validatedAt: new Date('2026-01-25'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-OBL': { checkpointId: 'CP-OBL', passed: true, validatedAt: new Date('2026-01-27'), validatedBy: 'demo-user', errors: [], warnings: [] },
      'CP-DSFA': { checkpointId: 'CP-DSFA', passed: true, validatedAt: new Date('2026-01-30'), validatedBy: 'DSB', errors: [], warnings: [] },
    },

    // Phase 1 Data
    useCases: getDemoUseCases(),
    activeUseCase: 'demo-uc-1',
    screening: {
      id: 'demo-scan-1',
      status: 'COMPLETED',
      startedAt: new Date('2026-01-16T09:00:00'),
      completedAt: new Date('2026-01-16T09:15:00'),
      sbom: {
        format: 'CycloneDX',
        version: '1.4',
        components: [
          {
            name: 'tensorflow',
            version: '2.15.0',
            type: 'library',
            purl: 'pkg:pypi/tensorflow@2.15.0',
            licenses: ['Apache-2.0'],
            vulnerabilities: [],
          },
          {
            name: 'scikit-learn',
            version: '1.4.0',
            type: 'library',
            purl: 'pkg:pypi/scikit-learn@1.4.0',
            licenses: ['BSD-3-Clause'],
            vulnerabilities: [],
          },
          {
            name: 'pandas',
            version: '2.2.0',
            type: 'library',
            purl: 'pkg:pypi/pandas@2.2.0',
            licenses: ['BSD-3-Clause'],
            vulnerabilities: [],
          },
        ],
        dependencies: [],
        generatedAt: new Date('2026-01-16T09:10:00'),
      },
      securityScan: {
        totalIssues: 3,
        critical: 0,
        high: 1,
        medium: 1,
        low: 1,
        issues: [
          {
            id: 'sec-issue-1',
            severity: 'HIGH',
            title: 'Outdated cryptography library',
            description: 'The cryptography library version 41.0.0 has known vulnerabilities',
            cve: 'CVE-2024-1234',
            cvss: 7.5,
            affectedComponent: 'cryptography',
            remediation: 'Upgrade to cryptography >= 42.0.0',
            status: 'RESOLVED',
          },
          {
            id: 'sec-issue-2',
            severity: 'MEDIUM',
            title: 'Insecure default configuration',
            description: 'Debug mode enabled in production configuration',
            cve: null,
            cvss: 5.3,
            affectedComponent: 'app-config',
            remediation: 'Set DEBUG=false in production',
            status: 'RESOLVED',
          },
          {
            id: 'sec-issue-3',
            severity: 'LOW',
            title: 'Missing security headers',
            description: 'X-Content-Type-Options header not set',
            cve: null,
            cvss: 3.1,
            affectedComponent: 'web-server',
            remediation: 'Add security headers middleware',
            status: 'RESOLVED',
          },
        ],
      },
      error: null,
    },
    modules: [
      {
        id: 'demo-mod-1',
        name: 'Kundendaten-Modul',
        description: 'Verarbeitung von Kundendaten für Marketing und Analyse',
        regulations: ['DSGVO', 'TTDSG'],
        criticality: 'HIGH',
        processesPersonalData: true,
        hasAIComponents: true,
      },
      {
        id: 'demo-mod-2',
        name: 'HR-Modul',
        description: 'Bewerbermanagement und Personalverwaltung',
        regulations: ['DSGVO', 'AGG', 'AI Act'],
        criticality: 'HIGH',
        processesPersonalData: true,
        hasAIComponents: true,
      },
      {
        id: 'demo-mod-3',
        name: 'Support-Modul',
        description: 'Kundenservice und Chatbot-System',
        regulations: ['DSGVO', 'AI Act'],
        criticality: 'MEDIUM',
        processesPersonalData: true,
        hasAIComponents: true,
      },
    ],
    requirements: [
      {
        id: 'demo-req-1',
        regulation: 'DSGVO',
        article: 'Art. 5',
        title: 'Grundsätze der Verarbeitung',
        description: 'Einhaltung der Grundsätze für die Verarbeitung personenbezogener Daten',
        criticality: 'CRITICAL',
        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
        status: 'IMPLEMENTED',
        controls: ['demo-ctrl-1', 'demo-ctrl-2', 'demo-ctrl-9'],
      },
      {
        id: 'demo-req-2',
        regulation: 'DSGVO',
        article: 'Art. 32',
        title: 'Sicherheit der Verarbeitung',
        description: 'Geeignete technische und organisatorische Maßnahmen',
        criticality: 'CRITICAL',
        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
        status: 'IMPLEMENTED',
        controls: ['demo-ctrl-1', 'demo-ctrl-3', 'demo-ctrl-4'],
      },
      {
        id: 'demo-req-3',
        regulation: 'DSGVO',
        article: 'Art. 25',
        title: 'Datenschutz durch Technikgestaltung',
        description: 'Privacy by Design und Privacy by Default',
        criticality: 'HIGH',
        applicableModules: ['demo-mod-1', 'demo-mod-2'],
        status: 'IMPLEMENTED',
        controls: ['demo-ctrl-9', 'demo-ctrl-10'],
      },
      {
        id: 'demo-req-4',
        regulation: 'AI Act',
        article: 'Art. 13',
        title: 'Transparenz',
        description: 'Transparenzanforderungen für KI-Systeme',
        criticality: 'HIGH',
        applicableModules: ['demo-mod-1', 'demo-mod-2', 'demo-mod-3'],
        status: 'IMPLEMENTED',
        controls: ['demo-ctrl-7', 'demo-ctrl-8'],
      },
      {
        id: 'demo-req-5',
        regulation: 'AI Act',
        article: 'Art. 9',
        title: 'Risikomanagement',
        description: 'Risikomanagementsystem für Hochrisiko-KI',
        criticality: 'HIGH',
        applicableModules: ['demo-mod-2'],
        status: 'IMPLEMENTED',
        controls: ['demo-ctrl-5', 'demo-ctrl-6', 'demo-ctrl-11', 'demo-ctrl-12'],
      },
    ],
    controls: getDemoControls(),
    evidence: [
      {
        id: 'demo-evi-1',
        controlId: 'demo-ctrl-1',
        type: 'SCREENSHOT',
        name: 'MFA-Konfiguration Azure AD',
        description: 'Screenshot der MFA-Einstellungen im Azure AD Admin Portal',
        fileUrl: null,
        validFrom: new Date('2026-01-01'),
        validUntil: new Date('2027-01-01'),
        uploadedBy: 'IT-Security',
        uploadedAt: new Date('2026-01-10'),
      },
      {
        id: 'demo-evi-2',
        controlId: 'demo-ctrl-2',
        type: 'DOCUMENT',
        name: 'Berechtigungskonzept v2.1',
        description: 'Dokumentiertes Berechtigungskonzept mit Rollenmatrix',
        fileUrl: null,
        validFrom: new Date('2026-01-01'),
        validUntil: null,
        uploadedBy: 'IT-Security',
        uploadedAt: new Date('2026-01-05'),
      },
      {
        id: 'demo-evi-5',
        controlId: 'demo-ctrl-5',
        type: 'AUDIT_REPORT',
        name: 'Bias-Audit Q1/2026',
        description: 'Externer Audit-Bericht zur Fairness des KI-Modells',
        fileUrl: null,
        validFrom: new Date('2026-01-15'),
        validUntil: new Date('2026-04-15'),
        uploadedBy: 'Data Science Lead',
        uploadedAt: new Date('2026-01-20'),
      },
    ],
    checklist: [
      {
        id: 'demo-chk-1',
        requirementId: 'demo-req-1',
        title: 'Rechtmäßigkeit der Verarbeitung geprüft',
        description: 'Dokumentierte Prüfung der Rechtsgrundlagen',
        status: 'PASSED',
        notes: 'Geprüft durch DSB',
        verifiedBy: 'DSB',
        verifiedAt: new Date('2026-01-20'),
      },
      {
        id: 'demo-chk-2',
        requirementId: 'demo-req-2',
        title: 'TOMs dokumentiert und umgesetzt',
        description: 'Technische und organisatorische Maßnahmen',
        status: 'PASSED',
        notes: 'Alle TOMs implementiert',
        verifiedBy: 'CISO',
        verifiedAt: new Date('2026-01-21'),
      },
    ],
    risks: getDemoRisks(),

    // Phase 2 Data
    aiActClassification: {
      riskCategory: 'HIGH',
      systemType: 'Beschäftigungsbezogenes KI-System (Art. 6 Abs. 2 AI Act)',
      obligations: [
        {
          id: 'demo-ai-obl-1',
          article: 'Art. 9',
          title: 'Risikomanagementsystem',
          description: 'Einrichtung eines KI-Risikomanagementsystems',
          deadline: new Date('2026-08-01'),
          status: 'IN_PROGRESS',
        },
        {
          id: 'demo-ai-obl-2',
          article: 'Art. 10',
          title: 'Daten-Governance',
          description: 'Anforderungen an Trainingsdaten',
          deadline: new Date('2026-08-01'),
          status: 'COMPLETED',
        },
        {
          id: 'demo-ai-obl-3',
          article: 'Art. 13',
          title: 'Transparenz',
          description: 'Dokumentation für Nutzer',
          deadline: new Date('2026-08-01'),
          status: 'COMPLETED',
        },
      ],
      assessmentDate: new Date('2026-01-25'),
      assessedBy: 'Compliance Team',
      justification: 'Das System fällt unter Art. 6 Abs. 2 lit. a AI Act (Einstellung und Auswahl von Personen).',
    },
    obligations: [
      {
        id: 'demo-obl-1',
        regulation: 'DSGVO',
        article: 'Art. 30',
        title: 'Verarbeitungsverzeichnis',
        description: 'Führung eines Verzeichnisses der Verarbeitungstätigkeiten',
        deadline: null,
        penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes',
        status: 'COMPLETED',
        responsible: 'DSB',
      },
      {
        id: 'demo-obl-2',
        regulation: 'DSGVO',
        article: 'Art. 35',
        title: 'Datenschutz-Folgenabschätzung',
        description: 'Durchführung einer DSFA für Hochrisiko-Verarbeitungen',
        deadline: null,
        penalty: 'Bis zu 10 Mio. EUR oder 2% des Jahresumsatzes',
        status: 'COMPLETED',
        responsible: 'DSB',
      },
      {
        id: 'demo-obl-3',
        regulation: 'AI Act',
        article: 'Art. 49',
        title: 'CE-Kennzeichnung',
        description: 'CE-Kennzeichnung für Hochrisiko-KI-Systeme',
        deadline: new Date('2026-08-01'),
        penalty: 'Bis zu 35 Mio. EUR oder 7% des Jahresumsatzes',
        status: 'PENDING',
        responsible: 'Compliance',
      },
    ],
    dsfa: getDemoDSFA(),
    toms: getDemoTOMs(),
    retentionPolicies: getDemoRetentionPolicies(),
    vvt: getDemoProcessingActivities(),

    // Documents, Cookie Banner, etc. - partially filled
    documents: [],
    cookieBanner: null,
    consents: [],
    dsrConfig: null,
    escalationWorkflows: [],

    // Security
    sbom: null,
    securityIssues: [],
    securityBacklog: [],

    // UI State
    commandBarHistory: [],
    recentSearches: ['DSGVO Art. 5', 'Bias-Monitoring', 'TOM Verschlüsselung'],
    preferences: {
      language: 'de',
      theme: 'light',
      compactMode: false,
      showHints: true,
      autoSave: true,
      autoValidate: true,
      allowParallelWork: true,
    },
  }
}

/**
 * Seed demo data into the database via API
 * This ensures demo data is stored exactly like real customer data
 */
export async function seedDemoData(
  tenantId: string = 'demo-tenant',
  userId: string = 'demo-user',
  apiBaseUrl?: string
): Promise<{ success: boolean; message: string }> {
  try {
    const apiClient = getSDKApiClient(tenantId)

    // Generate the demo state
    const demoState = generateDemoState(tenantId, userId) as SDKState

    // Save via the same API that real data uses
    await apiClient.saveState(demoState)

    return {
      success: true,
      message: `Demo data successfully seeded for tenant ${tenantId}`,
    }
  } catch (error) {
    console.error('Failed to seed demo data:', error)
    return {
      success: false,
      message: error instanceof Error ? error.message : 'Unknown error during seeding',
    }
  }
}

/**
 * Check if demo data exists for a tenant
 */
export async function hasDemoData(tenantId: string = 'demo-tenant'): Promise<boolean> {
  try {
    const apiClient = getSDKApiClient(tenantId)
    const response = await apiClient.getState()

    // Check if we have any use cases (indicating data exists)
    return response !== null && response.state && Array.isArray(response.state.useCases) && response.state.useCases.length > 0
  } catch {
    return false
  }
}

/**
 * Clear demo data for a tenant
 */
export async function clearDemoData(tenantId: string = 'demo-tenant'): Promise<boolean> {
  try {
    const apiClient = getSDKApiClient(tenantId)
    await apiClient.deleteState()
    return true
  } catch {
    return false
  }
}

/**
 * Seed demo data via direct API call (for use outside of React context)
 * This is useful for server-side seeding or CLI tools
 */
export async function seedDemoDataDirect(
  baseUrl: string,
  tenantId: string = 'demo-tenant',
  userId: string = 'demo-user'
): Promise<{ success: boolean; message: string }> {
  try {
    const demoState = generateDemoState(tenantId, userId)

    const response = await fetch(`${baseUrl}/api/sdk/v1/state`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        tenantId,
        userId,
        state: demoState,
      }),
    })

    if (!response.ok) {
      const error = await response.json().catch(() => ({ message: 'Unknown error' }))
      throw new Error(error.message || `HTTP ${response.status}`)
    }

    return {
      success: true,
      message: `Demo data successfully seeded for tenant ${tenantId}`,
    }
  } catch (error) {
    console.error('Failed to seed demo data:', error)
    return {
      success: false,
      message: error instanceof Error ? error.message : 'Unknown error during seeding',
    }
  }
}