feat(cmp): Phase 2 complete — self-hosted fonts, ScriptManager, GeoIP, vendor UI

- Session ID via sessionStorage UUID
- Self-host Google Fonts (Inter, Plus Jakarta Sans, JetBrains Mono) — eliminates
  third-party transfer to Google, no more DSGVO violation
- ScriptManager component: consent-change listener for future analytics/marketing scripts
- GeoIP via browser timezone (Intl.DateTimeFormat) + IP injection in proxy
- Vendor-level consent UI: loads vendor config from backend, shows per-vendor
  toggles under each category, sends vendor_consents dict
- DSE updated: Google Fonts section now says "lokal gehostet"
- Config proxy route: GET /api/consent/config

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

marketing-website/app/api/consent/config/route.ts

@@ -0,0 +1,21 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.CONSENT_BACKEND_URL || 'https://macmini:3007/api/sdk/v1/banner'
+const TENANT_ID = process.env.CONSENT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const SITE_ID = process.env.NEXT_PUBLIC_CONSENT_SITE_ID || 'breakpilot-marketing'
+
+export async function GET(req: NextRequest) {
+  try {
+    const siteId = req.nextUrl.searchParams.get('site_id') || SITE_ID
+    const res = await fetch(`${BACKEND_URL}/config/${siteId}`, {
+      headers: { 'X-Tenant-ID': TENANT_ID },
+    })
+    const data = await res.text()
+    return new NextResponse(data, {
+      status: res.status,
+      headers: { 'Content-Type': 'application/json' },
+    })
+  } catch {
+    return NextResponse.json({ categories: [], vendors: [] }, { status: 200 })
+  }
+}

marketing-website/app/api/consent/route.ts

@@ -5,7 +5,13 @@ const TENANT_ID = process.env.CONSENT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc
 
 export async function POST(req: NextRequest) {
   try {
-    const body = await req.text()
+    const data = await req.json()
+
+    // Inject client IP for backend GeoIP resolution
+    const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+      || req.headers.get('x-real-ip')
+      || null
+    if (ip) data.ip_address = ip
 
     const res = await fetch(`${BACKEND_URL}/consent`, {
       method: 'POST',
@@ -13,13 +19,11 @@ export async function POST(req: NextRequest) {
         'Content-Type': 'application/json',
         'X-Tenant-ID': TENANT_ID,
       },
-      body,
-      // Accept self-signed certs on internal network
-      ...(process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0' ? {} : {}),
+      body: JSON.stringify(data),
     })
 
-    const data = await res.text()
-    return new NextResponse(data, {
+    const resBody = await res.text()
+    return new NextResponse(resBody, {
       status: res.status,
       headers: { 'Content-Type': 'application/json' },
     })

marketing-website/app/datenschutz/page.tsx

@@ -87,19 +87,12 @@ export default function DatenschutzPage() {
           </div>
 
           <div>
-            <h2 className="text-lg font-semibold text-white mb-2">6. Externe Schriften</h2>
+            <h2 className="text-lg font-semibold text-white mb-2">6. Schriften</h2>
             <p>
-              Diese Website laedt Schriftarten von Google Fonts. Dabei wird Ihre IP-Adresse an Google LLC,
-              1600 Amphitheatre Parkway, Mountain View, CA 94043, USA uebermittelt.
-              Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO.
-              Google ist unter dem EU-US Data Privacy Framework (DPF) zertifiziert (Angemessenheitsbeschluss
-              der EU-Kommission vom 10. Juli 2023).
-            </p>
-            <p className="mt-1">
-              Weitere Informationen:{' '}
-              <a href="https://policies.google.com/privacy" className="text-accent-electric hover:underline" target="_blank" rel="noopener noreferrer">
-                policies.google.com/privacy
-              </a>
+              Diese Website verwendet die Schriftarten Inter, Plus Jakarta Sans und JetBrains Mono.
+              Die Schriften werden lokal auf unserem Server gehostet — es findet kein Abruf von
+              externen Servern (z.B. Google Fonts) statt. Es werden keine personenbezogenen Daten
+              an Dritte uebermittelt.
             </p>
           </div>
 
@@ -116,8 +109,8 @@ export default function DatenschutzPage() {
             <h2 className="text-lg font-semibold text-white mb-2">8. Empfaenger und Auftragsverarbeiter</h2>
             <ul className="list-disc list-inside space-y-1">
               <li>Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen — Hosting (AVV nach Art. 28 DSGVO)</li>
-              <li>Google LLC — Schriftarten (Google Fonts CDN, EU-US DPF)</li>
             </ul>
+            <p className="mt-1">Schriftarten werden lokal gehostet — kein Drittanbieter-Transfer.</p>
           </div>
 
           <div>

marketing-website/app/globals.css

@@ -1,6 +1,28 @@
-@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700;800;900&display=swap');
-@import url('https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@400;500;600;700;800&display=swap');
-@import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600&display=swap');
+/* Self-hosted fonts — kein Drittlandtransfer zu Google */
+@font-face {
+  font-family: 'Inter';
+  font-style: normal;
+  font-weight: 300 900;
+  font-display: swap;
+  src: url('/fonts/Inter-Latin.woff2') format('woff2');
+  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
+@font-face {
+  font-family: 'Plus Jakarta Sans';
+  font-style: normal;
+  font-weight: 400 800;
+  font-display: swap;
+  src: url('/fonts/PlusJakartaSans-Latin.woff2') format('woff2');
+  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
+@font-face {
+  font-family: 'JetBrains Mono';
+  font-style: normal;
+  font-weight: 400 600;
+  font-display: swap;
+  src: url('/fonts/JetBrainsMono-Latin.woff2') format('woff2');
+  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
 
 @tailwind base;
 @tailwind components;

marketing-website/app/layout.tsx

@@ -1,6 +1,7 @@
 import type { Metadata } from 'next'
 import { AppProvider } from '@/lib/context'
 import ConsentBanner from '@/components/layout/ConsentBanner'
+import ScriptManager from '@/components/layout/ScriptManager'
 import './globals.css'
 
 export const metadata: Metadata = {
@@ -27,6 +28,7 @@ export default function RootLayout({
         <AppProvider>
           {children}
           <ConsentBanner />
+          <ScriptManager />
         </AppProvider>
       </body>
     </html>