npm - @aegis-scan/skills - Versions diffs - 0.2.0 → 0.4.0 - Mend

@aegis-scan/skills 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/skills/foundation/aegis-native/aegis-audit/references/layer-2-html.md ADDED Viewed

@@ -0,0 +1,153 @@
+# Layer 2 Reference — HTML-Live-Probe
+Layer 2 fetches the rendered HTML and analyzes structural + content patterns. Catches: missing alt-texts, broken meta-tags, SSR-skeleton-only pages, inline-script-leaks, missing footer/legal links. **Time:** ~3-5 min per target.
+---
+## Probe Pattern
+```bash
+# Static fetch (curl)
+curl -sL -A "Mozilla/5.0 (compatible; aegis-audit/1.0)" "$TARGET" > /tmp/audit-html-static.html
+# Dynamic fetch (Playwright — captures JS-rendered content)
+npx -y playwright-core@latest <<EOF
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const ctx = await b.newContext({ userAgent: 'aegis-audit/1.0' });
+  const p = await ctx.newPage();
+  await p.goto('$TARGET', { waitUntil: 'networkidle', timeout: 30000 });
+  console.log(await p.content());
+  await b.close();
+})();
+EOF > /tmp/audit-html-dynamic.html
+# Diff — large diff = heavy client-rendering (SSR/CSR balance check)
+wc -l /tmp/audit-html-*.html
+```
+---
+## Structural Checklist
+| Check | How | Severity |
+|---|---|---|
+| `<!doctype html>` present | `head -1 audit-html-static.html` | HOCH (missing) |
+| `<html lang="...">` set | `grep -oE '<html[^>]*lang=' audit-html-static.html` | MITTEL (missing) |
+| `<title>` present + non-empty + < 60 chars | `grep -oE '<title>[^<]*</title>'` | HOCH (missing or empty) |
+| `<meta charset="utf-8">` | `grep -oE '<meta[^>]*charset=' audit-html-static.html \| head -1` | MITTEL (missing) |
+| `<meta name="viewport">` | `grep -oE '<meta[^>]*viewport='` | HOCH (missing — mobile broken) |
+| `<meta name="description">` | `grep -oE '<meta[^>]*description='` | HOCH (missing) |
+| Heading-hierarchy (one h1, h2 → h3 ordering) | parse + check | MITTEL (multiple h1) / LOW (skip h2 → h3) |
+| Open-Graph tags (og:title, og:description, og:image, og:url) | `grep -E 'og:(title\|description\|image\|url)'` | MITTEL (missing) |
+| Twitter card tags | `grep -E 'twitter:card'` | LOW (missing) |
+| Schema.org JSON-LD | `grep -oE 'application/ld\+json'` | LOW (missing) |
+| Canonical link | `grep -oE 'rel="canonical"'` | MITTEL (missing) |
+---
+## Image Checks (alt-text, lazy-load, dimensions)
+```bash
+# Find all img tags
+grep -oE '<img[^>]*>' /tmp/audit-html-static.html > /tmp/audit-imgs.txt
+# Count
+total=$(wc -l < /tmp/audit-imgs.txt)
+# Missing alt-text
+missing_alt=$(grep -cv 'alt=' /tmp/audit-imgs.txt)
+empty_alt=$(grep -c 'alt=""' /tmp/audit-imgs.txt)
+# Missing dimensions (CLS issue)
+missing_dim=$(grep -cE 'width=' /tmp/audit-imgs.txt | head -1)
+echo "Images: $total, missing alt: $missing_alt, empty alt: $empty_alt"
+```
+| Check | Severity |
+|---|---|
+| Image without `alt=` | HOCH (A11y violation) |
+| Image with `alt=""` (and not decorative-only) | MITTEL (A11y) |
+| Image without `width` + `height` (causes CLS) | MITTEL |
+| Image without `loading="lazy"` (below fold) | LOW (perf) |
+| Image larger than render-size (e.g., 4000px-image rendered at 800px) | MITTEL (perf) |
+---
+## SSR-Skeleton Detection
+```bash
+# Static HTML body length vs dynamic
+static_body_len=$(grep -oE '<body[^>]*>.*</body>' /tmp/audit-html-static.html | wc -c)
+dynamic_body_len=$(grep -oE '<body[^>]*>.*</body>' /tmp/audit-html-dynamic.html | wc -c)
+# If static body is < 20% of dynamic body — SSR-skeleton (SEO-bad)
+ratio=$(echo "scale=2; $static_body_len / $dynamic_body_len" | bc)
+[ $(echo "$ratio < 0.2" | bc) = 1 ] && echo "L2-SSR-SKELETON-ONLY: HOCH"
+```
+For Next.js App Router: SSR-skeleton + heavy client-side rendering = SEO penalty. Phase 2 architecture decisions should favor RSC.
+---
+## Inline-Script Detection (CSP cross-check)
+```bash
+# Count inline scripts (no src attr)
+inline_count=$(grep -oE '<script[^s]*>' /tmp/audit-html-static.html | wc -l)
+# Big inline scripts may indicate injected analytics or unsafe-inline patterns
+grep -oE '<script[^s][^>]*>[^<]{100,}' /tmp/audit-html-static.html | head -5
+```
+If inline-scripts found AND Layer 1 CSP allows `'unsafe-inline'` on `script-src` → composite HOCH.
+---
+## Footer-Link Resolution (feeds Layer 3)
+Layer 3 (Impressum) needs the footer-link to /impressum. Resolve via:
+```bash
+# Find footer
+footer=$(grep -oE '<footer[^>]*>.*</footer>' /tmp/audit-html-static.html | head -1)
+# Find links in footer
+echo "$footer" | grep -oE '<a[^>]*href="[^"]*"[^>]*>[^<]*</a>'
+# Extract the impressum-href
+echo "$footer" | grep -oE 'href="[^"]*impressum[^"]*"' | head -1
+```
+If no `/impressum` link in footer or in main-nav — Layer 3 reports L3-IMPRESSUM-NO-FOOTER-LINK: HOCH.
+If link exists but points to 404 — Layer 3 reports L3-IMPRESSUM-LINK-BROKEN: KRITISCH.
+---
+## Findings Format
+```yaml
+- id: L2-IMG-MISSING-ALT
+  layer: 2
+  severity: HOCH
+  evidence:
+    url: <target>
+    img_count: 14
+    missing_alt: 3
+    affected: ["img[1]", "img[7]", "img[12]"]  # XPath-ish
+  recommendation: "Add meaningful alt-text to each img per WCAG 2.1 1.1.1"
+  citation: "WCAG 2.1 1.1.1, BFSG §3"
+```
+---
+## Anti-Patterns specific to Layer 2
+- ❌ Skipping Playwright fetch "because curl is faster" — JS-rendered content invisible to curl-only.
+- ❌ Reporting "no h1" without parsing — DOM-order matters; first h1 might be inside a `<header role="banner">`.
+- ❌ Marking `alt=""` as KRITISCH — empty alt is correct for purely-decorative images per WCAG; downgrade.
+- ❌ Reporting "missing OG-tags" for an internal admin-page — admin-pages don't need OG.
+- ❌ Inferring SSR-skeleton from static-body length alone — also check if `<noscript>` content fills the gap.

package/skills/foundation/aegis-native/aegis-audit/references/layer-3-impressum.md ADDED Viewed

@@ -0,0 +1,159 @@
+# Layer 3 Reference — Impressum (DDG §5)
+Layer 3 verifies the Impressum (legal notice) per DDG §5 (formerly TMG §5, renamed 2024-05-14 with TDDDG enactment). Catches: missing pflichtangaben, broken links, browser-vs-bot-walled pages. **Time:** ~3-5 min per target.
+---
+## Pflichtangaben Checklist (DDG §5)
+| # | Pflichtangabe | Field-name | Required when |
+|---|---|---|---|
+| 1 | Name + Anschrift | Geschäftsbezeichnung + Straße + PLZ + Ort | always (geschäftsmäßig) |
+| 2 | Vertretungsberechtigter | Geschäftsführer (bei juristischen Personen) | for GmbH/AG/UG/etc. |
+| 3 | Kontakt: E-Mail + Telefon | E-Mail + Tel. | always |
+| 4 | Handelsregister | HRB-Nummer + Registergericht | for handelsregister-pflichtige Rechtsformen |
+| 5 | Umsatzsteuer-ID | USt-IdNr. (`DE...`) | when § 27a UStG applies |
+| 6 | Wirtschafts-ID | W-IdNr. | when applicable |
+| 7 | Aufsichtsbehörde | Name + Adresse | for state-licensed industries (Anwalt, Arzt, Architekt, Steuerberater, ...) |
+| 8 | Berufsbezeichnung + Kammer | Bezeichnung + verleihender Staat + Kammer | for regulated professions |
+| 9 | Berufshaftpflicht | Versicherer + räumlicher Geltungsbereich | for regulated professions (Anwalt, Arzt, ...) |
+| 10 | Online-Streitbeilegung Hinweis | Link zu ec.europa.eu/consumers/odr | for B2C with online-business |
+| 11 | Verbraucherstreitbeilegung Hinweis | Bereit-/Nicht-Bereit-Erklärung | for B2C |
+| 12 | Inhaltlich Verantwortlicher (§ 18 Abs. 2 MStV) | Name + Anschrift | for journalistic-redaktional Angebote |
+---
+## Probe Pattern
+```bash
+# Resolve impressum-URL
+IMPRESSUM_URL=$(node -e "
+  const html = require('fs').readFileSync('/tmp/audit-html-static.html', 'utf-8');
+  const match = html.match(/href=['\"]([^'\"]*impressum[^'\"]*)['\"]/i);
+  console.log(match ? new URL(match[1], '$TARGET').href : '');
+")
+if [ -z "$IMPRESSUM_URL" ]; then
+  echo "L3-IMPRESSUM-NO-FOOTER-LINK: KRITISCH"
+  exit 1
+fi
+# Fetch with browser-UA (some sites bot-wall)
+curl -sL -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "$IMPRESSUM_URL" > /tmp/audit-impressum.html
+# Or fall-back to Playwright
+[ "$(wc -c < /tmp/audit-impressum.html)" -lt 1000 ] && {
+  npx -y playwright-core@latest <<EOF | tee /tmp/audit-impressum.html
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const p = await (await b.newContext()).newPage();
+  await p.goto('$IMPRESSUM_URL', { waitUntil: 'networkidle' });
+  console.log(await p.content());
+  await b.close();
+})();
+EOF
+}
+```
+---
+## Per-Field Detection Patterns
+```bash
+# Geschäftsbezeichnung + Anschrift (presence check)
+grep -E '(GmbH|UG|AG|e\.K\.|[A-ZÄÖÜ][a-zäöü]+ [A-ZÄÖÜ][a-zäöü]+)' /tmp/audit-impressum.html | head -3
+grep -E '\b[0-9]{5}\b' /tmp/audit-impressum.html  # German postal code
+# E-Mail + Telefon
+grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' /tmp/audit-impressum.html | head -3
+grep -oE '\+?49[ /-]?[0-9 /-]{7,}' /tmp/audit-impressum.html | head -3
+# USt-IdNr.
+grep -oE 'DE[ ]?[0-9]{9}' /tmp/audit-impressum.html
+# Handelsregister
+grep -oE 'HRB[ ]?[0-9]+' /tmp/audit-impressum.html
+grep -oE 'Amtsgericht [A-ZÄÖÜ][a-zäöü]+' /tmp/audit-impressum.html
+# OS-Streitbeilegung Link
+grep -E 'ec\.europa\.eu/consumers/odr' /tmp/audit-impressum.html
+# Verbraucherstreitbeilegung Hinweis
+grep -E '(Verbraucherstreitbeilegung|Streitbeilegungsverfahren)' /tmp/audit-impressum.html
+```
+---
+## Severity Matrix
+| Missing field | Severity |
+|---|---|
+| Geschäftsbezeichnung + Anschrift | KRITISCH |
+| Vertretungsberechtigter (when GmbH/AG/UG) | KRITISCH |
+| E-Mail | KRITISCH |
+| Telefon | HOCH (some courts accept E-Mail-only; abmahn-risk) |
+| HRB + Registergericht (when handelsregister-pflichtig) | KRITISCH |
+| USt-IdNr. (when § 27a UStG applies) | KRITISCH |
+| Aufsichtsbehörde (for regulated industries) | KRITISCH |
+| Berufshaftpflicht (for regulated professions) | KRITISCH |
+| OS-Streitbeilegung Link (when B2C online) | HOCH |
+| Verbraucherstreitbeilegung Hinweis (B2C) | MITTEL |
+| Inhaltlich Verantwortlicher (when journalistic) | KRITISCH |
+---
+## Cross-Check: Code-Repo (when Layer 7 enabled)
+If aegis-audit runs against a local repo (Layer 7 enabled), cross-check:
+```bash
+# Find impressum data in code
+find . -path ./node_modules -prune -o -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.json' -o -name '*.md' \) -print | xargs grep -lE 'impressum|HRB|USt-IdNr' 2>/dev/null
+# Verify code-data matches rendered-data
+# E.g., site says HRB 12345 but code has HRB 67890 — drift
+```
+If drift detected → L3-IMPRESSUM-CODE-DRIFT: HOCH (data inconsistency).
+---
+## Court-Decision References
+For findings, cite court-decisions where applicable:
+- KG Berlin 2010-04-21 (5 W 39/10) — vollständiger Name + Anschrift Pflicht
+- LG Düsseldorf 2008-05-21 (12 O 250/07) — Telefon Pflicht für unmittelbare Kontaktaufnahme
+- EuGH 2008-10-16 (C-298/07) — § 5 TMG (= jetzt DDG §5) ist Verbraucherinformations-Pflicht; B2B + B2C
+- BGH 2007-09-20 (I ZR 88/05) — Impressum 2-clicks-rule (vom Footer aus erreichbar)
+- LG München I 2022-01-20 (3 O 17493/20) — Google-Fonts (cross-layer with L4 + L5)
+---
+## Findings Format
+```yaml
+- id: L3-IMPRESSUM-VAT-MISSING
+  layer: 3
+  severity: KRITISCH
+  evidence:
+    url: <impressum-url>
+    field: USt-IdNr.
+    matches: []
+    detection: "no DE-prefixed VAT-ID found in /impressum HTML"
+  recommendation: "Add 'Umsatzsteuer-Identifikationsnummer: DE123456789' under § 27a UStG section"
+  citation: "DDG § 5 Abs. 1 Nr. 6, § 27a UStG"
+  abmahn_risk: "€500-2000 per finding (industry × visibility-dependent)"
+```
+---
+## Anti-Patterns specific to Layer 3
+- ❌ Reporting "USt-IdNr. missing" for a Kleinunternehmer (§ 19 UStG) — only § 27a UStG businesses need to publish.
+- ❌ Reporting "OS-Streitbeilegung missing" for B2B-only sites — only B2C requires this.
+- ❌ Skipping browser-UA fallback — many sites bot-wall scanners; without browser-UA the impressum returns 403.
+- ❌ Inferring "Aufsichtsbehörde missing" without first detecting industry — non-regulated industries don't need this.
+- ❌ Reporting on Inhaltlich-Verantwortlicher (§ 18 MStV) for non-journalistic sites — pure commercial sites don't need.
+- ❌ Reporting "missing Berufshaftpflicht" for unregulated professions — pflicht only for Anwalt / Arzt / Steuerberater / Architekt.

package/skills/foundation/aegis-native/aegis-audit/references/layer-4-dse.md ADDED Viewed

@@ -0,0 +1,178 @@
+# Layer 4 Reference — DSE (Datenschutzerklärung, DSGVO Art. 13/14)
+Layer 4 verifies the Datenschutzerklärung against DSGVO Art. 13 (Informationspflicht bei Erhebung beim Betroffenen) + Art. 14 (Erhebung bei Dritten) + Drittlandtransfer-Konformität (Schrems-II / SCC). **Time:** ~5-10 min per target.
+---
+## Art. 13 Pflichtangaben Checklist
+| # | Field | Severity if missing |
+|---|---|---|
+| 1 | Verantwortlicher (Name + Anschrift) | KRITISCH |
+| 2 | Vertreter in der EU (when applicable) | HOCH |
+| 3 | Datenschutzbeauftragter (when applicable per Art. 37) | HOCH (when pflicht) |
+| 4 | Verarbeitungszwecke + Rechtsgrundlage (Art. 6 / Art. 9) | KRITISCH |
+| 5 | Berechtigte Interessen (when Art. 6 Abs. 1 lit. f) | HOCH |
+| 6 | Empfänger / Empfängerkategorien | HOCH |
+| 7 | Drittlandtransfer + Schutzgarantien | KRITISCH (when transfer happens but DSE absent) |
+| 8 | Speicherdauer / Löschkonzept | HOCH |
+| 9 | Betroffenenrechte (Art. 15-22) | KRITISCH |
+| 10 | Beschwerderecht bei Aufsichtsbehörde | HOCH |
+| 11 | Pflicht zur Bereitstellung + Folgen | MITTEL |
+| 12 | Automatisierte Entscheidung / Profiling | HOCH (when applicable) |
+---
+## Probe Pattern
+```bash
+# Resolve DSE-URL (often /datenschutz, /privacy, /datenschutzerklaerung)
+DSE_URL=$(node -e "
+  const html = require('fs').readFileSync('/tmp/audit-html-static.html', 'utf-8');
+  const match = html.match(/href=['\"]([^'\"]*(datenschutz|privacy)[^'\"]*)['\"]/i);
+  console.log(match ? new URL(match[1], '$TARGET').href : '');
+")
+curl -sL -A "Mozilla/5.0" "$DSE_URL" > /tmp/audit-dse.html
+```
+---
+## Per-Field Detection Patterns
+```bash
+# Verantwortlicher (matches typical phrasing)
+grep -E 'Verantwortliche[r]?\s+i[mn]?\s+Sinne' /tmp/audit-dse.html
+# Datenschutzbeauftragter
+grep -iE '(Datenschutzbeauftragte[rn]|Data Protection Officer|DSB)' /tmp/audit-dse.html
+# Verarbeitungszwecke (look for Art. 6 references)
+grep -E 'Art\.\s*6\s*Abs\.\s*1\s*lit\.\s*[abcdef]' /tmp/audit-dse.html
+# Drittlandtransfer (US, GB post-Brexit)
+grep -iE '(Drittland|USA|United States|Standardvertragsklauseln|SCC|Privacy Shield|TIA)' /tmp/audit-dse.html
+# Speicherdauer
+grep -iE '(Speicherdauer|Löschkonzept|Aufbewahrungsfrist)' /tmp/audit-dse.html
+# Betroffenenrechte (Art. 15-22)
+grep -E 'Art\.\s*1[5-9]|Art\.\s*2[0-2]' /tmp/audit-dse.html
+grep -iE '(Auskunftsrecht|Berichtigung|Löschung|Einschränkung|Datenübertragbarkeit|Widerspruch)' /tmp/audit-dse.html
+# Beschwerderecht
+grep -iE '(Beschwerderecht|Aufsichtsbehörde|Datenschutzbeauftragte des Landes)' /tmp/audit-dse.html
+```
+---
+## Drittland-Transfer Detection (cross-check Layer 1 + Layer 5)
+Layer 4 cross-references with Layer 1 (CDN / 3rd-party domains in HTTP-headers) + Layer 5 (cookies set by 3rd-party trackers) to detect:
+```bash
+# 3rd-party domains active on the page (from Layer 1 / Layer 5)
+3p_domains=$(grep -oE 'https?://[^/]+' /tmp/audit-html-dynamic.html | sort -u | grep -v "$TARGET_DOMAIN")
+# For each 3rd-party, check if DSE mentions it
+for domain in $3p_domains; do
+  if grep -q "$domain" /tmp/audit-dse.html; then
+    echo "L4-DSE-MENTIONS: $domain ✓"
+  else
+    echo "L4-DSE-3P-NOT-MENTIONED: $domain (HOCH)"
+  fi
+done
+```
+US-headquartered 3rd-parties (Google, Meta, Cloudflare, AWS) trigger Drittlandtransfer concerns. DSE MUST mention:
+- The 3rd-party (by name or category)
+- The country of transfer
+- The schutzgarantien (SCC + TIA per Schrems-II requirements post-2020-07-16 EuGH C-311/18)
+If 3rd-party transfer happens AND DSE doesn't address it → KRITISCH (Schrems-II).
+---
+## Common Schrems-II Findings
+| 3rd-party | DSE-required addressing |
+|---|---|
+| Google Fonts (when loaded from fonts.googleapis.com) | KRITISCH if not local-bundled (LG München I 2022-01-20 3 O 17493/20) |
+| Google Analytics (without IP-anonymization + consent) | KRITISCH |
+| Google Maps embed (without consent OR static-image-fallback) | HOCH |
+| reCAPTCHA v3 (silent tracking) | KRITISCH |
+| Cloudflare (when used as CDN with EU-traffic) | MITTEL (DPA exists; SCC referenced) |
+| AWS / Azure / GCP (US-region) | HOCH (require SCC-DPA) |
+| Vercel (US-hosted) | MITTEL (Vercel offers DPA) |
+| Mailchimp / Sendinblue / Brevo | HOCH (US/EU split, requires SCC) |
+For each, check if DSE has the required transfer-section AND processor-AVV (Auftragsverarbeitung) listing.
+---
+## AVV-List Detection
+DSGVO Art. 28 requires AVV (Auftragsverarbeitung-Vertrag) for every processor handling personal data. DSE should reference:
+```bash
+grep -iE '(Auftragsverarbeitung|Art\.\s*28|AVV)' /tmp/audit-dse.html
+```
+For each 3rd-party from Layer 1 + 5: AVV must exist (signed contract); DSE should mention by name.
+---
+## Severity Matrix
+| Missing | Severity |
+|---|---|
+| Verantwortlicher (Art. 13 Abs. 1 lit. a) | KRITISCH |
+| Verarbeitungszwecke + Rechtsgrundlage (Art. 13 Abs. 1 lit. c-d) | KRITISCH |
+| Betroffenenrechte (Art. 15-22) | KRITISCH |
+| Drittlandtransfer + SCC + TIA (when transfer happens) | KRITISCH |
+| Speicherdauer (Art. 13 Abs. 2 lit. a) | HOCH |
+| Empfänger (Art. 13 Abs. 1 lit. e) | HOCH |
+| Beschwerderecht (Art. 13 Abs. 2 lit. d) | HOCH |
+| Datenschutzbeauftragter (when pflicht per Art. 37) | HOCH |
+| Vertreter in der EU (when ext.-EU controller) | HOCH |
+| Automatisierte Entscheidung (when applicable) | HOCH |
+| Pflicht zur Bereitstellung (Art. 13 Abs. 2 lit. e) | MITTEL |
+---
+## Court-Decision References
+- EuGH 2020-07-16 (C-311/18) — Schrems-II — invalidation of Privacy Shield; SCC + TIA required
+- LG München I 2022-01-20 (3 O 17493/20) — Google-Fonts via Google CDN = Drittlandtransfer ohne Rechtsgrundlage; 100€ Schadensersatz pro Betroffenem
+- BGH 2020-05-28 (I ZR 7/16) — Cookie-Banner BGB
+- OLG Düsseldorf 2019-03-26 (I-20 U 75/18) — DSE als wettbewerbsrechtliche Pflicht (UWG abmahnbar)
+- EDSA Recommendations 01/2020 — Schutzgarantien-Beurteilung TIA-Methodik
+---
+## Findings Format
+```yaml
+- id: L4-DSE-DRITTLAND-MISSING
+  layer: 4
+  severity: KRITISCH
+  evidence:
+    dse_url: <dse-url>
+    detected_3p: ["fonts.googleapis.com", "www.google-analytics.com"]
+    dse_mentions_drittland: false
+    dse_mentions_scc: false
+  recommendation: "Add Drittlandtransfer-section listing US-3rd-parties (Google Fonts, GA), reference SCC + TIA per Schrems-II"
+  citation: "DSGVO Art. 13 Abs. 1 lit. f, Art. 46; EuGH C-311/18 (Schrems-II); LG München I 3 O 17493/20"
+  abmahn_risk: "€2000-15000 per Betroffenem (LG München-Linie); aggregated risk per visitor-month"
+```
+---
+## Anti-Patterns specific to Layer 4
+- ❌ Reporting "Drittlandtransfer missing" without verifying transfer actually happens — first detect 3rd-parties via Layer 1 + 5.
+- ❌ Skipping AVV-cross-check — Art. 28 AVV is separate from Art. 13 DSE.
+- ❌ Reporting "DSB missing" for small businesses (< 20 employees handling personal data routinely) — Art. 37 thresholds apply.
+- ❌ Inferring DSE-completeness from word-count — short DSE can be complete; long DSE can miss fields.
+- ❌ Reporting on automatisierte Entscheidung when site has no profiling — only applies when profiling/decisions actually happen.

package/skills/foundation/aegis-native/aegis-audit/references/layer-5-cookie.md ADDED Viewed

@@ -0,0 +1,180 @@
+# Layer 5 Reference — Cookie + Consent (TTDSG/TDDDG §25)
+Layer 5 verifies cookie-banner + consent-flow against TTDSG/TDDDG §25 (formerly TTDSG, renamed 2024-05-14 with TDDDG enactment) + BGH cookie-decision (2020-05-28) + EU-Cookie-Banner-Guidelines. **Time:** ~5-10 min per target.
+---
+## Probe Pattern
+```bash
+# Fresh page-load (no prior consent-cookies)
+mkdir -p /tmp/audit-cookie-jar
+rm -f /tmp/audit-cookie-jar/*
+curl -sL -A "Mozilla/5.0" -c /tmp/audit-cookie-jar/cookies.txt "$TARGET" > /tmp/audit-fresh.html
+# What cookies were set BEFORE consent?
+cat /tmp/audit-cookie-jar/cookies.txt
+```
+Then a Playwright-based probe to detect dynamic cookies (set by JS) AND verify the consent-banner appears + works:
+```bash
+npx -y playwright-core@latest <<EOF
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const ctx = await b.newContext();
+  const p = await ctx.newPage();
+  // Capture all requests + responses
+  const requests = [];
+  p.on('request', r => requests.push({ url: r.url(), type: r.resourceType() }));
+  // Navigate
+  await p.goto('$TARGET', { waitUntil: 'networkidle' });
+  // Capture cookies pre-consent
+  const preConsentCookies = await ctx.cookies();
+  // Check for consent-banner
+  const bannerSelector = 'div[id*="cookie"], div[class*="cookie"], div[class*="consent"]';
+  const banner = await p.$(bannerSelector);
+  const bannerHasBoth = banner ? await banner.evaluate(el => {
+    const text = el.innerText.toLowerCase();
+    return text.includes('akzeptieren') && (text.includes('ablehnen') || text.includes('reject'));
+  }) : false;
+  console.log(JSON.stringify({
+    preConsentCookies,
+    requests: requests.length,
+    bannerPresent: !!banner,
+    bannerHasBoth,
+  }, null, 2));
+  await b.close();
+})();
+EOF > /tmp/audit-cookie-probe.json
+```
+---
+## TTDSG/TDDDG §25 Pre-Consent-Tracker Detection
+```bash
+# Pre-consent cookies (any technically-non-required cookie set before consent = §25 violation)
+pre_count=$(jq -r '.preConsentCookies | length' /tmp/audit-cookie-probe.json)
+# Filter for tracking-cookies (heuristic: 3rd-party domain or known-tracking-pattern)
+tracking_pre=$(jq -r '.preConsentCookies[] | select(.domain | test("google|facebook|meta|doubleclick|hotjar|matomo|fathom|plausible|gtag|gads|fb_pixel|tiktok"))' /tmp/audit-cookie-probe.json)
+[ -n "$tracking_pre" ] && echo "L5-PRE-CONSENT-TRACKER: KRITISCH"
+```
+---
+## Banner-Pattern Compliance
+| Check | Severity if violated |
+|---|---|
+| Banner appears on first page-load | KRITISCH (no banner = no consent collected) |
+| Banner has equal-prominence "Accept" + "Reject all" | KRITISCH (BGH I ZR 7/16 — dark-pattern) |
+| Banner is granular (per-vendor opt-in for non-essential) | HOCH (BGH 2020-05-28 — global-opt-in invalid) |
+| Banner appears BEFORE any tracking-cookie set | KRITISCH (TTDSG §25) |
+| User can opt-out at any time (e.g., footer-link to /cookies/einstellungen) | HOCH |
+| Pre-checked checkboxes for opt-in | KRITISCH (DSGVO Art. 7 Abs. 2 — explicit consent required) |
+| Bundling consent (e.g., AGB + Cookie consent in one checkbox) | HOCH |
+| Continuing-to-use-site interpreted as consent | KRITISCH (BGH 2020-05-28 — mere browsing ≠ consent) |
+| Re-prompt period reasonable (≥ 6 months between prompts unless settings changed) | LOW |
+---
+## Granular vs Global
+| Pattern | Compliance |
+|---|---|
+| "Akzeptieren" + "Ablehnen" only (no granular) | HOCH (BGH-line — granular better) |
+| "Akzeptieren" + "Ablehnen" + per-vendor toggle | OK (granular) |
+| "Akzeptieren" + "Einstellungen" (where settings = granular) | OK if reachable in 1 click |
+| "Akzeptieren" + tiny "Ablehnen" (visual asymmetry) | KRITISCH (dark-pattern, BGH-line) |
+| "Akzeptieren" only (no reject-button on first banner) | KRITISCH |
+---
+## Consent-Mode-v2 (Google) Detection
+If site uses Google products (Analytics, Ads, Tag Manager), check for Consent-Mode-v2:
+```bash
+grep -E 'gtag\(.consent.,\s*.default.|consentDefault' /tmp/audit-fresh.html
+# default state should be 'denied' for ad_storage, ad_user_data, ad_personalization, analytics_storage
+```
+Default-`granted` for analytics_storage = pre-consent-tracking even with Consent-Mode = KRITISCH.
+---
+## Cookie-Categories Mapping
+For each cookie set on the site, classify:
+| Category | Consent-required | Examples |
+|---|---|---|
+| Strictly necessary | NO | session-id, csrf-token, cookie-consent-state |
+| Functional | Implicitly OK | language-preference, theme |
+| Analytics (anonymized) | YES (per §25) | matomo (with anonymize_ip), google-analytics-with-anonymize |
+| Marketing / Advertising | YES (explicit, granular) | _ga, _gid (without anonymize_ip), _fbp, fr, doubleclick |
+| Third-party content | YES (depending on data) | YouTube embed, Google Maps with API-key |
+If a cookie is "Strictly necessary" — must be on a justified business-need; not just "we want it".
+---
+## Cookie-Banner-Library Detection
+```bash
+# Common libraries used on DACH sites
+grep -iE '(usercentrics|cookiefirst|cookieyes|borlabs|webcm|consent-manager|onetrust|cookiepro|privacymanager|cookieinformation|complianz|iubenda)' /tmp/audit-fresh.html | head -3
+```
+If a recognized library is used — check its current-version compliance (via library-CHANGELOG cross-reference; e.g., Borlabs Cookie ≥ 2.2.0 is compliant; older versions had known dark-pattern bugs).
+---
+## CMP IAB-Framework Detection
+```bash
+# IAB-TCF-API presence
+grep -E '__tcfapi\(|TCF_API|cmp\.openWindow' /tmp/audit-fresh.html
+```
+If TCF-v2 used — verify Vendor-List up-to-date + Purposes match what's actually loaded.
+---
+## Findings Format
+```yaml
+- id: L5-PRE-CONSENT-TRACKER
+  layer: 5
+  severity: KRITISCH
+  evidence:
+    target: <target>
+    pre_consent_cookies: ["_ga", "_gid", "_fbp"]
+    banner_present: true
+    banner_appears_after_load: true  # but cookies were already set
+  recommendation: "Move all tracking-cookies behind cookie-banner consent. Use Google Consent-Mode-v2 with default='denied'. Verify with fresh page-load + cookies.txt empty."
+  citation: "TTDSG/TDDDG §25 Abs. 1; DSGVO Art. 7 Abs. 1; BGH I ZR 7/16 (2020-05-28); EuGH C-673/17 (Planet49)"
+  abmahn_risk: "€500-5000 per finding (industry × visibility); composite with L4-DSE-DRITTLAND-MISSING bumps to €5000-15000"
+```
+---
+## Anti-Patterns specific to Layer 5
+- ❌ Probing with stale cookie-jar — always use fresh /tmp/audit-cookie-jar.
+- ❌ Skipping Playwright probe "because curl is enough" — JS-set cookies invisible to curl.
+- ❌ Reporting "no banner" for sites with technically-only cookies (no consent-required) — first verify what cookies are actually set.
+- ❌ Marking "_ga" as KRITISCH if site uses Consent-Mode-v2 with default-denied — first check the consent-default-state.
+- ❌ Reporting "global opt-in invalid" without checking BGH-line context — granular is preferred but global-only is HOCH not KRITISCH per current BGH-Linie.
+- ❌ Inferring tracking-cookie from name alone — verify domain + actual purpose; some "_ga"-prefixed cookies are 1st-party-only.