@aegis-scan/skills 0.2.0 → 0.4.0

package/skills/foundation/aegis-native/aegis-customer-build/references/phase-3-component-build.md

@@ -0,0 +1,231 @@
+# Phase 3 Reference — Component-Build (Library-Binding + Per-Page Iteration)
+
+Phase 3 is the longest phase (60-90 min). Outputs: a working `app/` (or framework-equivalent) directory with one file per page, each page binding library-components + page-level components per the architecture.md.
+
+**Subagent dispatch:** strongly recommended. One Executor-subagent (model: sonnet) per page-batch.
+
+---
+
+## Library-Binding Workflow
+
+Before iterating pages, scan the project's component-library inventory:
+
+```
+1. Read library-inventory: <library-root>/components/*.tsx (or framework-equivalent)
+2. Build map: { component-name: { props-shape, suggested-use-cases, dependencies } }
+3. Cross-check each briefing page's sections against library-components
+4. For each section in each page, choose: library-bound vs custom page-level
+```
+
+**Heuristic for library-vs-custom:**
+
+| Section type | Default |
+|---|---|
+| Hero with image + headline + CTA | library-bound (HeroBlock) |
+| Logo-bar / press-mentions | library-bound (LogoBar) |
+| Feature-grid (3-6 features) | library-bound (FeatureGrid) |
+| Testimonials carousel | library-bound (Testimonials) |
+| Pricing-table (≥ 2 tiers) | library-bound (PricingTable) |
+| FAQ accordion | library-bound (FaqAccordion) |
+| CTA banner | library-bound (CtaBanner) |
+| Founder-story / origin-narrative | page-level (custom prose) |
+| Industry-specific module (e.g., scanner-widget for security business) | page-level (project-specific) |
+| Custom data-visualization | page-level |
+
+**Rule:** ≥ 60% of sections per page should be library-bound. Higher = better (consistent quality-bar). If a page is < 60% library-bound, flag for operator review.
+
+---
+
+## Per-Page Iteration Pattern
+
+For each page in `briefing.pages[]`:
+
+```
+1. Create file at app/<slug>/page.tsx (or root for slug == "home")
+2. Pull metadata from briefing-parsed.json[<slug>]
+3. Generate metadata export: { title, description, canonical }
+4. Compose JSX:
+   a. Import library-bound components for sections marked library
+   b. Define page-level components for sections marked custom
+   c. Order sections per briefing's page.sections[]
+5. Apply props per briefing-parsed.json (headlines, copy stubs from Phase 1)
+6. Verify file compiles: tsc --noEmit on the single file
+7. Checkpoint: .aegis/state.json `pages_built: [<slug>]` updated
+```
+
+Repeat for every page. Use TaskCreate per page to track progress; mark each page completed as soon as the file compiles.
+
+---
+
+## Component-File Template (page-level)
+
+For a page-level (custom) component, the canonical shape:
+
+```tsx
+// app/<slug>/components/UniqueSection.tsx
+'use client';  // omit if pure RSC
+
+import { cn } from '@/lib/utils';
+import type { ComponentProps } from 'react';
+
+interface Props extends ComponentProps<'section'> {
+  headline: string;
+  subline?: string;
+  // ... other props per briefing
+}
+
+export function UniqueSection({ headline, subline, className, ...rest }: Props) {
+  return (
+    <section className={cn('py-16 md:py-24', className)} {...rest}>
+      <div className="container mx-auto max-w-7xl px-4">
+        <h2 className="text-3xl font-bold md:text-5xl">{headline}</h2>
+        {subline && <p className="mt-4 text-lg text-muted-foreground">{subline}</p>}
+        {/* ... */}
+      </div>
+    </section>
+  );
+}
+```
+
+**Discipline:**
+- Always typed props (no `any`).
+- Always `cn()` for className composition.
+- Always responsive (`md:`, `lg:` breakpoints).
+- Always semantic HTML (`section`, `article`, `nav`, `header`, `footer`).
+- Never mutate the imported library-component's internals — extend by composition, not inheritance.
+
+---
+
+## Common Library-Component Shapes
+
+The project's component-library typically exposes these well-known shapes. The actual implementation depends on the bound library; here's the **conceptual contract** the customer-build expects:
+
+```tsx
+// Hero
+<HeroBlock
+  variant="image-left" | "image-right" | "centered" | "split"
+  headline={string}
+  subline={string}
+  primaryCta={{ label, href }}
+  secondaryCta?={{ label, href }}
+  imageSrc={string}
+  imageAlt={string}
+/>
+
+// FeatureGrid
+<FeatureGrid
+  variant="3-col" | "2-col" | "asymmetric"
+  features={Array<{ icon, title, description }>}
+/>
+
+// Testimonials
+<Testimonials
+  variant="carousel" | "grid" | "single"
+  items={Array<{ quote, name, role, avatarSrc? }>}
+/>
+
+// PricingTable
+<PricingTable
+  tiers={Array<{ name, price, description, features[], cta }>}
+  highlightTier?={string}
+/>
+
+// CtaBanner
+<CtaBanner
+  headline={string}
+  subline?={string}
+  cta={{ label, href }}
+/>
+```
+
+If the bound library uses different prop-names — read the library's component-inventory in pre-build, then map briefing-shape to library-shape per a `references/library-mapping.md` (extension-point).
+
+---
+
+## Page-Level Composition Example
+
+```tsx
+// app/page.tsx (home page)
+import { HeroBlock, FeatureGrid, Testimonials, CtaBanner } from '@/components/library';
+import { OriginStory } from './components/OriginStory';
+
+export const metadata = {
+  title: '...',
+  description: '...',
+};
+
+export default function HomePage() {
+  return (
+    <>
+      <HeroBlock
+        variant="image-right"
+        headline="..."
+        subline="..."
+        primaryCta={{ label: 'Jetzt anfragen', href: '/kontakt' }}
+        imageSrc="/images/hero.webp"
+        imageAlt="..."
+      />
+      <FeatureGrid
+        variant="3-col"
+        features={[/* per briefing */]}
+      />
+      <OriginStory />
+      <Testimonials variant="carousel" items={[/* per briefing */]} />
+      <CtaBanner
+        headline="Bereit für den nächsten Schritt?"
+        cta={{ label: 'Kontakt aufnehmen', href: '/kontakt' }}
+      />
+    </>
+  );
+}
+```
+
+---
+
+## Quality-Gate Per Page
+
+Before marking a page complete:
+
+- [ ] File compiles (`tsc --noEmit` clean for that page's tree)
+- [ ] Page renders without runtime errors (smoke-test via dev-server: `curl -s localhost:3000/<slug> | head -50` returns HTML, not 500)
+- [ ] All briefing.sections[] are present in the JSX (count match)
+- [ ] All required props are filled (no `headline=""` placeholders left)
+- [ ] Image-paths point to actual files (not 404s) — placeholders for Phase 4 are OK if explicitly marked
+
+If any unmet → page is incomplete; checkpoint stays `pages_built: [...without this page]`.
+
+---
+
+## Subagent-Dispatch Pattern
+
+For builds with > 5 pages, dispatch parallel Executor-subagents:
+
+```
+Master-agent:
+  for each batch in chunked(pages, 3):
+    dispatch Executor-subagent with prompt:
+      "Build pages [a, b, c] per architecture.md + briefing-parsed.json.
+       Library-mapping: <map>. Output: 3 page.tsx files.
+       Verify: tsc + curl smoke-test. Return checkpoint."
+
+  await all Executor-subagents
+  aggregate checkpoints into .aegis/state.json
+```
+
+Subagent-prompt MUST include:
+- The architecture.md path
+- The briefing-parsed.json path
+- The component-library mapping
+- The verification-checklist (tsc + curl + sections-count)
+
+Don't dispatch without these — subagents shouldn't have to rediscover them from chat-context.
+
+---
+
+## Anti-Patterns specific to Phase 3
+
+- ❌ Hand-cobbling a section that has a library-component for it — drift from quality-bar.
+- ❌ Skipping the per-page tsc + curl smoke-test "because the page looks fine" — page-renders-without-runtime-errors is gate-critical.
+- ❌ Marking pages_built[<slug>] without actually verifying — checkpoints are honest, not optimistic.
+- ❌ Building all pages in one Master-agent monologue when parallel Executor-subagents are available — wastes wall-clock time.
+- ❌ Forgetting to copy library-component CSS / dependencies — verify the imports compile + the runtime CSS bundle includes the components.

package/skills/foundation/aegis-native/aegis-customer-build/references/phase-4-content.md

@@ -0,0 +1,196 @@
+# Phase 4 Reference — Content (Copy + Images + SEO)
+
+Phase 4 fills the page-shells from Phase 3 with real content: copy in the briefing's tone, images placed per the design-prefs, SEO-meta + Open-Graph + Schema.org structured data. **Time budget:** 30-45 min.
+
+---
+
+## Copy-Writing — Tone-Match per Page
+
+For each page, follow the brand-essence captured in `briefing-parsed.json.brand_identity`:
+
+```
+Essence: <target_audience> looking for <value_proposition>; differentiated by <differentiators>, speaking in a <tone> voice with <voice>.
+```
+
+**Example tone-matrices:**
+
+| Tone | Voice | Lexical pattern |
+|---|---|---|
+| Vertraut, professionell | Sie + Plural-Wir | "Wir liefern Ihnen..." |
+| Locker, modern | Du | "Du bekommst..." |
+| Premium, gehoben | Sie + reduzierte Adjektive | "Unsere Manufaktur..." |
+| Tech, präzise | Wir + Fachbegriffe | "Unsere Engine berechnet..." |
+
+**Hard rules:**
+- Don't mix Sie / Du within one site. Pick one per the briefing.
+- Avoid Anglizisms unless the briefing uses them. "kostenlos" not "free", "Anmeldung" not "Sign-up".
+- Avoid Marketing-Phrasen-Müll ("revolutionär", "einzigartig", "innovativ" without a concrete claim) — concrete > superlative.
+- Avoid passive-voice when active works ("Wir bauen" > "Es wird gebaut").
+
+---
+
+## Per-Section Copy-Slot Workflow
+
+For each page section that needs copy:
+
+```
+1. Read briefing-parsed.json.pages[<slug>].sections[<section>] for any provided copy
+2. If briefing has copy: use it verbatim
+3. If briefing has bullets but no prose: expand bullets into prose matching brand-essence
+4. If briefing has only intent ("hero CTA pointing at /kontakt"): generate per intent + tone-match
+5. Write copy into the JSX — no placeholder strings left
+```
+
+**LLM-assist pattern** (for prose generation):
+
+```
+System: <brand-essence-paragraph>
+User: Generate hero subline for the home page.
+Constraints: 1-2 sentences, ≤ 160 characters, mentions <key-differentiator>, ends with action-verb.
+```
+
+Always operator-review LLM-generated copy. The briefing is the contract; LLM-fill is a placeholder until operator confirms in mid-audit.
+
+---
+
+## Image-Placement Workflow
+
+The image-pipeline follows the operator's existing convention:
+
+```
+1. Read briefing.assets[] for image-references
+2. For each referenced image:
+   a. If a local file exists at briefing.assets[*].src: copy to public/images/<slug>-<section>.webp
+   b. If a placeholder is needed: generate via the operator's image-pipeline (e.g., Midjourney + cwebp-conversion to WebP)
+   c. Always WebP at quality 88 (cwebp -q 88) — saves ~40% bytes vs PNG/JPG
+   d. Always responsive sources at 1920w + 1280w + 640w breakpoints
+3. Update JSX: <Image src="/images/<file>.webp" alt="<alt-text>" width={...} height={...} quality={95} />
+```
+
+**Hard rules:**
+- Always `quality={95}` prop on `next/image` — default 75 re-compresses operator-uploaded high-quality images poorly.
+- Always WebP for raster (PNG/JPG only for legacy logos that need transparency in browsers without WebP fallback — rare).
+- Always alt-text — write meaningful alt-text per image-content, not "image.webp" or empty.
+
+---
+
+## Alt-Text Generation
+
+For each image, alt-text MUST:
+
+1. Describe what's in the image (factual, concrete).
+2. Be ≤ 120 characters.
+3. Not start with "Image of..." or "Picture showing..." — redundant; screenreaders announce "image" already.
+4. Match the image-context (e.g., for a hero-image, the alt-text relates to the hero-headline).
+5. Be unique across the page (no two images with identical alt-text).
+
+**Example:**
+
+- ❌ "image.webp"
+- ❌ "Picture of a person"
+- ✅ "Frau am Laptop, fokussiert beim Coden im hellen Atelier"
+
+---
+
+## SEO-Meta per Page
+
+Every page exports `metadata` (App Router) or sets `<head>` (Pages Router) with:
+
+```tsx
+export const metadata: Metadata = {
+  title: '<unique-per-page>',           // 50-60 chars, includes brand at end
+  description: '<unique-per-page>',     // 120-160 chars, includes target_keyword
+  alternates: {
+    canonical: '/<slug>',
+  },
+  openGraph: {
+    title: '<og-title>',
+    description: '<og-description>',
+    images: ['/images/og-<slug>.webp'],
+    type: 'website',
+  },
+  twitter: {
+    card: 'summary_large_image',
+    title: '<twitter-title>',
+    description: '<twitter-description>',
+    images: ['/images/og-<slug>.webp'],
+  },
+};
+```
+
+**Per-page-uniqueness check:** every page's `title` is unique (no duplicates). Same for `description`. Phase 7 briefing-coverage gate verifies this.
+
+---
+
+## Schema.org Structured Data
+
+Inject JSON-LD per page-type:
+
+| Page-type | Schema |
+|---|---|
+| Home (organization) | `Organization` + `LocalBusiness` (if local biz) |
+| Service-page | `Service` |
+| Blog-post | `BlogPosting` |
+| FAQ-page | `FAQPage` |
+| Product | `Product` |
+| Contact | `ContactPage` |
+| About | `AboutPage` |
+
+Render via a `JsonLdScript` component:
+
+```tsx
+<JsonLdScript
+  schema={{
+    '@context': 'https://schema.org',
+    '@type': 'Organization',
+    name: '<brand>',
+    url: '<canonical-url>',
+    logo: '<logo-url>',
+    sameAs: [/* social-links from briefing */],
+  }}
+/>
+```
+
+Use a Next.js Script component (strategy="beforeInteractive") to ensure Google sees the schema before user-interaction.
+
+---
+
+## Open-Graph Images
+
+Generate one OG-image per page (or share a default for sub-pages):
+
+```
+1. Use a generator (e.g., next/og or Vercel OG) at /api/og?page=<slug>
+2. Or pre-generate static .webp/.png at public/images/og-<slug>.webp
+3. 1200x630 for Facebook/LinkedIn; 1200x675 for Twitter (use 1200x630 for both, slight crop OK)
+```
+
+If briefing doesn't specify per-page OG-images, reuse the home-page OG for sub-pages.
+
+---
+
+## Content-Completion Checklist
+
+Before marking Phase 4 complete:
+
+- [ ] Every page has copy in every section (no `Lorem ipsum` or `<placeholder>` left)
+- [ ] Every image is placed (no `<img src="">` or 404 paths)
+- [ ] Every image has meaningful alt-text
+- [ ] Every page has unique SEO-meta title + description
+- [ ] Every page has canonical URL set
+- [ ] Every page has OG + Twitter card meta
+- [ ] Every applicable page-type has Schema.org JSON-LD
+- [ ] No anglicisms / marketing-müll / placeholder-prose
+
+If any unmet → Phase 4 is incomplete. List failing items in `.aegis/state.json.phase_4_open[]`.
+
+---
+
+## Anti-Patterns specific to Phase 4
+
+- ❌ Leaving "Lorem ipsum" or "<placeholder>" strings — they survive into production. Grep before commit.
+- ❌ Using `<Image quality={75}>` (default) — re-compresses high-quality uploads poorly.
+- ❌ Same SEO-title across pages — Google will deduplicate and one page wins.
+- ❌ Empty or duplicate alt-texts — fails A11y.
+- ❌ Schema.org JSON-LD with placeholder URLs — Google flags "Site doesn't match schema."
+- ❌ Mixing Sie/Du within one page — operator-confirms one or the other in Phase 1.

package/skills/foundation/aegis-native/aegis-customer-build/references/phase-5-integration.md

@@ -0,0 +1,273 @@
+# Phase 5 Reference — Integration (API-Routes + Forms + Chatbot + Scanner)
+
+Phase 5 wires up the dynamic backends. Outputs: API-routes under `app/api/`, form-submission handlers, chatbot mount in `app/layout.tsx`, scanner mount under `app/scan/`. **Time budget:** 30-45 min.
+
+---
+
+## API-Route Template (canonical)
+
+Every API-route uses the `secureApiRoute` wrapper. Canonical shape:
+
+```ts
+// app/api/<endpoint>/route.ts
+import { secureApiRoute } from '@/lib/api/secure-route';
+import { z } from 'zod';
+
+const requestSchema = z.object({
+  name: z.string().min(1).max(100),
+  email: z.string().email().max(254),
+  message: z.string().min(10).max(5000),
+});
+
+export const POST = secureApiRoute({
+  schema: requestSchema,
+  rateLimit: { perIpPerHour: 30 },
+  origins: ['https://<production-domain>', 'http://localhost:3000'],
+  handler: async ({ body, req }) => {
+    // body is typed + validated per requestSchema
+    const result = await processSubmission(body);
+    return Response.json({ success: true, id: result.id });
+  },
+});
+```
+
+**`secureApiRoute` wraps:**
+
+1. Origin-check (allow-list per `origins[]`; rejects cross-origin POST).
+2. Rate-limit (Redis-backed or in-memory per IP).
+3. Body-parse + Zod validation (returns 400 on validation-fail).
+4. Honeypot field check (rejects if `_honey` field non-empty).
+5. Handler invocation (passes typed body + raw req).
+6. Error-mapping (maps thrown errors to clean JSON responses).
+
+The wrapper itself lives in `lib/api/secure-route.ts` — copy from foundation template.
+
+---
+
+## Form-Pattern (Contact Form)
+
+Canonical contact-form with double-opt-in:
+
+```tsx
+// components/forms/ContactForm.tsx
+'use client';
+
+import { useForm } from 'react-hook-form';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { contactSchema } from '@/lib/schemas/contact';
+
+export function ContactForm() {
+  const { register, handleSubmit, formState } = useForm({
+    resolver: zodResolver(contactSchema),
+  });
+
+  const onSubmit = async (data) => {
+    const res = await fetch('/api/contact', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data),
+    });
+    if (!res.ok) throw new Error(await res.text());
+    // Show "We sent you a confirmation email" UI
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)} noValidate>
+      <input type="text" {...register('name')} aria-invalid={!!formState.errors.name} />
+      <input type="email" {...register('email')} />
+      <textarea {...register('message')} />
+      {/* Honeypot — bots fill, humans don't */}
+      <input type="text" name="_honey" style={{ position: 'absolute', left: '-9999px' }} tabIndex={-1} aria-hidden="true" />
+      {/* DSGVO-consent */}
+      <label>
+        <input type="checkbox" {...register('consent')} />
+        Ich willige in die Verarbeitung meiner Daten ein. <a href="/datenschutz">Datenschutz</a>
+      </label>
+      <button type="submit" disabled={formState.isSubmitting}>
+        {formState.isSubmitting ? 'Wird gesendet...' : 'Senden'}
+      </button>
+    </form>
+  );
+}
+```
+
+**DSGVO-Discipline:**
+
+- Consent-checkbox required before submit (no pre-checked checkbox — must be explicit user-action).
+- "Datenschutz" link visible next to consent-text.
+- Server-side: store consent-timestamp + IP-hash for audit trail (Art. 7 Abs. 1 DSGVO).
+- Double-opt-in: send confirmation email; don't store final submission until user clicks the email link.
+
+---
+
+## Chatbot Mount Pattern
+
+If `briefing.integrations` includes `chatbot.public-llm`:
+
+```tsx
+// app/layout.tsx
+import { ChatWidget } from '@/components/chat/ChatWidget';
+
+export default function RootLayout({ children }) {
+  return (
+    <html lang="de">
+      <body>
+        {children}
+        <ChatWidget endpoint="/api/chat" persona={chatPersona} />
+      </body>
+    </html>
+  );
+}
+```
+
+```ts
+// app/api/chat/route.ts
+import { secureApiRoute } from '@/lib/api/secure-route';
+import { z } from 'zod';
+import { chatPersona } from '@/lib/chat/persona';
+
+const messageSchema = z.object({
+  message: z.string().min(1).max(2000),
+  history: z.array(z.object({ role: z.enum(['user', 'assistant']), content: z.string() })).max(10),
+});
+
+export const POST = secureApiRoute({
+  schema: messageSchema,
+  rateLimit: { perIpPerHour: 60 },
+  handler: async ({ body }) => {
+    // Sanitize user input (anti-prompt-injection)
+    const sanitized = sanitizeInput(body.message);
+    // Redact PII before sending to LLM
+    const redacted = redactPii(sanitized);
+    // Stream response via SSE
+    const stream = await callLlm({
+      systemPrompt: chatPersona.systemPrompt,
+      messages: [...body.history, { role: 'user', content: redacted }],
+    });
+    return new Response(stream, {
+      headers: { 'Content-Type': 'text/event-stream' },
+    });
+  },
+});
+```
+
+**Anti-Injection-Defense-Layer:**
+
+- Sanitize user input (strip suspicious patterns: `system:`, `assistant:`, `<|im_start|>`, base64-blobs > 100 chars).
+- PII-redact before LLM-call (regex + named-entity).
+- Persona system-prompt with explicit "stay in role" rules.
+- Output-filter (strip any "I cannot..." that leaks training-data; strip markdown-headers from responses).
+- Rate-limit + per-IP cooldown.
+
+The detailed defense-layer-list is in `compliance/aegis-native/brutaler-anwalt/references/audit-patterns.md` (cross-skill reference).
+
+---
+
+## Scanner Mount Pattern
+
+If `briefing.integrations` includes `scanner.aegis`:
+
+```tsx
+// app/scan/page.tsx
+import { ScannerWidget } from '@aegis-scan/react';
+
+export default function ScanPage() {
+  return (
+    <main>
+      <h1>Site-Compliance-Check</h1>
+      <ScannerWidget />
+    </main>
+  );
+}
+```
+
+```ts
+// app/api/scan/route.ts
+import { secureApiRoute } from '@/lib/api/secure-route';
+import { runScan } from '@aegis-scan/runner';
+import { z } from 'zod';
+
+const scanSchema = z.object({
+  url: z.string().url(),
+  depth: z.enum(['quick', 'full']).default('quick'),
+});
+
+export const POST = secureApiRoute({
+  schema: scanSchema,
+  rateLimit: { perIpPerHour: 5 },
+  handler: async ({ body }) => {
+    const result = await runScan(body.url, { depth: body.depth });
+    return Response.json(result);
+  },
+});
+```
+
+Scanner has tighter rate-limit (5/hr) — scans are expensive + can be abused for reconnaissance.
+
+---
+
+## Cookie-Banner Mount
+
+If `briefing.legal.cookie_strategy != 'none'` (i.e., the site uses cookies that need consent):
+
+```tsx
+// app/layout.tsx
+import { CookieBanner } from '@/components/layout/CookieBanner';
+
+<CookieBanner
+  strategy={briefing.legal.cookie_strategy}  // 'granular' | 'global'
+  vendors={[/* per briefing.legal.vendors */]}
+/>
+```
+
+**TTDSG/TDDDG §25 compliance:**
+
+- No technically-non-required cookie set before user consent.
+- Granular > global (per BGH). Each vendor gets its own opt-in checkbox.
+- Banner has equal-prominence "Accept" / "Reject all" buttons (no dark-pattern of small "reject" link).
+- Re-consent UI at `/cookies/einstellungen` (or footer-link).
+
+Cookie-banner pattern detail belongs in `dsgvo-compliance/references/cookie-pattern.md` (cross-skill reference).
+
+---
+
+## Analytics Mount
+
+If `briefing.integrations.analytics` is set:
+
+| Provider | Consent-required | Mount |
+|---|---|---|
+| Plausible | No (anonymous, no cookies) | `<script defer src="https://plausible.io/js/script.js" />` in layout.tsx |
+| Matomo (self-hosted) | Depends on config | Behind cookie-banner if cookies enabled |
+| Google Analytics 4 | Yes | Behind cookie-banner; load only after consent |
+| Fathom | No | Anonymous mode default; `<script async src="https://cdn.usefathom.com/script.js" />` |
+
+Default to Plausible for new builds (privacy-friendly + DSGVO-clean by design).
+
+---
+
+## Integration-Completion Checklist
+
+Before marking Phase 5 complete:
+
+- [ ] Every API-route uses `secureApiRoute` wrapper (no raw `export const POST` without wrapper)
+- [ ] Every form has DSGVO-consent + honeypot + double-opt-in flow
+- [ ] Chatbot (if enabled) has anti-injection defense-layers active
+- [ ] Scanner (if enabled) has tight rate-limit (5/hr)
+- [ ] Cookie-banner (if needed) is granular per BGH + has equal-prominence accept/reject
+- [ ] Analytics (if enabled) is consent-aware per provider
+- [ ] All API-routes return JSON (no HTML / unstructured text)
+- [ ] All API-routes have unit tests for happy + sad paths
+
+---
+
+## Anti-Patterns specific to Phase 5
+
+- ❌ Skipping `secureApiRoute` wrapper "because the route is internal" — all routes get the wrapper.
+- ❌ Forms without honeypot — bots will spam.
+- ❌ Forms without double-opt-in — single-opt-in is no longer valid for newsletter under DSGVO + UWG.
+- ❌ Chatbot without anti-injection-layer — first jailbreak attempt will leak.
+- ❌ Cookie-banner with pre-checked checkboxes — illegal under TTDSG §25.
+- ❌ Cookie-banner with prominent "Accept" + tiny "Reject" link — dark-pattern, BGH explicitly disallows.
+- ❌ Loading Google Analytics before consent — DSGVO violation.
+- ❌ Pre-loading any tracker before consent — TTDSG §25 violation.