@aegis-scan/skills 0.2.1 → 0.5.0

package/skills/foundation/_INDEX.md

@@ -0,0 +1,73 @@
+# foundation/_INDEX.md — Foundation Skill Trigger-Table
+
+Routes the Foundation's own skills (orchestrator, customer-build, audit, etc.) based on user intent + keyword triggers. Loaded on-demand by the master `AGENTS.md` router when a Foundation-related request arrives.
+
+---
+
+## Skills in this category
+
+| Trigger keywords | → Skill | Frontmatter `model` | Loaded path |
+|---|---|---|---|
+| start, session, bootstrap, phase, handover, weiter, weitermachen, übergabe, recap | `aegis-orchestrator` | opus | `foundation/aegis-native/aegis-orchestrator/SKILL.md` |
+| handover, übergabe, session-ende, fertig, recap, abschluss | `aegis-handover-writer` | sonnet | `foundation/aegis-native/aegis-handover-writer/SKILL.md` |
+| verify, check all gates, quality-gates, audit-gate, pre-commit-check | `aegis-quality-gates` | sonnet | `foundation/aegis-native/aegis-quality-gates/SKILL.md` |
+| build customer, kundenseite, neue site, konfigurator-briefing, autonomous-build, 3h-build | `aegis-customer-build` | opus | `foundation/aegis-native/aegis-customer-build/SKILL.md` |
+| module, feature, db-migration, api-route, refactor, neue funktion, neue api, neues modul | `aegis-module-builder` | sonnet | `foundation/aegis-native/aegis-module-builder/SKILL.md` |
+| audit, paranoid-audit, AAA+++ check, 8-layer, security-audit, full-audit | `aegis-audit` | opus | `foundation/aegis-native/aegis-audit/SKILL.md` |
+| neuer skill, skill erstellen, skill verbessern, skill audit, meta-skill, skillforge | `aegis-skill-creator` | opus | `foundation/aegis-native/aegis-skill-creator/SKILL.md` |
+| consent, retention, art-13, art-15, art-33, datenpanne, drittland, dsgvo-baseline, schrems | `dsgvo-compliance` | opus | `foundation/aegis-native/dsgvo-compliance/SKILL.md` |
+
+---
+
+## Slash-Commands
+
+- `/start` / `/session` / `/bootstrap` — invoke aegis-orchestrator
+- `/verify` / `/check all gates` — invoke aegis-quality-gates
+- `/handover` / `/übergabe` / `/session-ende` — invoke aegis-handover-writer
+- `/build` / `/customer-build` / `/agentur-build` — invoke aegis-customer-build
+- `/module` / `/feature` / `/refactor` — invoke aegis-module-builder
+- `/audit` / `/paranoid-audit` / `/8-layer` — invoke aegis-audit
+- `/skill-creator` / `/new-skill` / `/skill-audit` — invoke aegis-skill-creator
+- `/dsgvo` / `/art-13` / `/art-15` / `/datenpanne` / `/schrems` — invoke dsgvo-compliance
+
+---
+
+## Rules for foundation skills
+
+- Each skill MUST have `metadata.required_tools`, `metadata.pre_done_audit`, `model`, `license` populated per the v0.3.0+ HARD-CONSTRAINT-frontmatter format.
+- Each skill MUST validate `python3 /tmp/SkillForge/scripts/validate-skill.py <skill>` at 16/17 or higher (the 1-warning ceiling allows for "5 phases recommend 1-3" advisories on intentionally-multi-phase skills).
+- Multi-file skills (SKILL.md + sibling `references/`) are auto-installed; references kept under `<skill>/references/`.
+- The master `AGENTS.md` tool-mapping table is canonical — skills reference tool-categories (`shell-ops`, `file-ops`, etc.), the AGENTS.md tells the agent which actual harness-tool to use.
+
+---
+
+## Bootstrap-checklist (called by master AGENTS.md)
+
+When this category is loaded:
+
+1. Verify the matched skill's SKILL.md is in context (read it, don't just assume).
+2. Check the skill's `metadata.required_tools` — confirm those tool-categories are available in the harness (per AGENTS.md tool-mapping table).
+3. If `metadata.pre_done_audit: "true"` — note it; the skill will not be allowed to declare DONE without explicit pre-done-audit completion.
+4. Print: `Loaded foundation skill: <name>, model: <opus|sonnet|haiku>, audit-passes: <N>, gates: <N>`.
+
+---
+
+## Cluster Composition Patterns
+
+The 8 foundation skills compose into use-case clusters per master `AGENTS.md` Use-Case Routing:
+
+| Use-case | Cluster |
+|---|---|
+| customer-build | aegis-orchestrator → aegis-customer-build (multi-agent) → aegis-quality-gates → aegis-handover-writer |
+| compliance-audit | aegis-orchestrator → aegis-audit + brutaler-anwalt (cross-validate) → dsgvo-compliance (fix-templates) → aegis-handover-writer |
+| dev-feature | aegis-orchestrator → aegis-module-builder (TDD) → aegis-quality-gates → aegis-handover-writer |
+| aegis-self-test | aegis-orchestrator → aegis-quality-gates → aegis-audit → aegis-handover-writer |
+| skill-authoring | aegis-orchestrator → aegis-skill-creator → aegis-quality-gates → aegis-handover-writer |
+
+Each cluster ends with `aegis-handover-writer` to ensure the next session starts with full context.
+
+---
+
+## Forward-compat note
+
+`foundation/_INDEX.md` at v0.4.0+ routes the full 8-skill foundation cluster. Future foundation-additions (e.g., `aegis-deploy` for Hetzner-Dokploy automation, `aegis-monitoring` for post-deploy observability) get rows added here + corresponding SKILL.md folders under `foundation/aegis-native/`.

package/skills/foundation/aegis-native/aegis-audit/SKILL.md

@@ -0,0 +1,194 @@
+<!-- aegis-local: AEGIS-native skill, MIT-licensed; 8-Layer paranoid-audit skill. Headers / HTML / Impressum / DSE / Cookie / Branche / Code-Cross-Check / Schadens-Diagnose. Runs against built customer-site, gegen Live-URL, oder gegen lokales Repo. Output 4-section format (Schadens-Diagnose / Findings-Tabelle / Anwalts-Anhang / Abmahn-Simulation). Pattern ported from a private operational reference; this is the public OSS variant. -->
+---
+name: aegis-audit
+description: 8-Layer paranoid-audit skill. Headers / HTML / Impressum / DSE / Cookie / Branche / Code-Cross-Check / Schadens-Diagnose. Runs against built site, live URL, or local repo. Output 4-section - Schadens-Diagnose / Findings-Tabelle / Anwalts-Anhang / Abmahn-Simulation. Trigger keywords - audit, paranoid-audit, AAA+++ check, 8-layer, security-audit, full-audit.
+model: opus
+license: MIT
+metadata:
+  required_tools: "shell-ops,file-ops,curl,playwright,aegis-scan"
+  required_audit_passes: "1"
+  enforced_quality_gates: "0"
+  pre_done_audit: "true"
+---
+
+# aegis-audit — 8-Layer Paranoid Audit
+
+The Foundation's audit skill. Runs an 8-layer audit against a target (customer-site / live URL / local repo), produces a 4-section structured report, classifies findings by severity (KRITISCH / HOCH / MITTEL / LOW), estimates €-risk per finding via the industry × visibility × competitor formula. Used by customer-build's Phase 6 (mid-audit, topic-scoped) and Phase 7 (final, full-pass).
+
+---
+
+## HARD-CONSTRAINT — Layer-Order, Reference-Loading, No Mocks
+
+This skill MUST:
+
+1. **Load all 8 layer-references** in `references/layer-1-headers.md` through `references/layer-8-schadens-diagnose.md` BEFORE producing any finding. Skipping a layer-reference = guaranteed false-negatives or false-positives.
+2. **Execute layers in fixed order** (1 → 8). Earlier layers feed later ones (e.g., Layer 1 HTTP-headers feed Layer 5 cookie-detection). Out-of-order execution skips signal.
+3. **No mocks.** Every layer hits the real target via real HTTP / curl / Playwright. If the target is unreachable — report NO-RESPONSE; never infer findings from chat-context.
+4. **Cross-check with brutaler-anwalt** (`compliance/aegis-native/brutaler-anwalt/SKILL.md`). aegis-audit is the technical pass; brutaler-anwalt is the legal pass. They share Layer 3 (Impressum) + Layer 4 (DSE) + Layer 5 (Cookie). Findings get cross-validated.
+5. **Output the canonical 4-section format.** Schadens-Diagnose / Findings-Tabelle / Anwalts-Anhang / Abmahn-Simulation. No deviation; downstream tooling parses this format.
+6. **Include €-range estimates** per Layer 8 formula (industry × visibility × competitor-pressure). Estimates are advisory, not legal advice — disclaimer required.
+
+If any layer cannot run (e.g., Playwright not installed) — STOP, report which layer + why. Don't silent-skip.
+
+---
+
+## Mission
+
+Eliminate the failure-mode where "the site looks fine" turns into a €15k abmahnung 3 weeks after launch. Catch the legal + technical regressions that scanners-alone miss because they don't cross-correlate (e.g., a tracker loaded before consent + impressum missing VAT-ID + cookie-banner with no equal-prominence reject = composite finding worth €5-15k).
+
+Be the audit that:
+
+- Hits every layer that abmahnanwalts inspect.
+- Cross-correlates findings (a single scanner-hit might be 0 €; a 3-finding-cluster might be €15k).
+- Estimates €-risk (operator can prioritize).
+- Produces a 4-section report that operator + legal + dev can all consume.
+- Distinguishes between "fix-now KRITISCH" and "fix-this-quarter MITTEL".
+
+Production-bar reference: a previous full-audit on a 13-page site (private operational reference) returned 0 KRITISCH / 0 HOCH / 3 MITTEL / 8 LOW with €-range 200-800 €/quarter (very low) — the bar this skill targets.
+
+---
+
+## Triggers
+
+### Slash-commands
+
+- `/audit` — run full 8-layer audit on the configured target
+- `/paranoid-audit` — alias
+- `/8-layer` — alias
+
+### Auto-trigger keywords
+
+- audit, paranoid-audit, AAA+++ check, 8-layer, security-audit, full-audit, abmahn-prevention
+
+### Programmatic invocation
+
+Customer-build Phase 6 invokes via:
+
+```
+Skill: aegis-native/aegis-audit
+Args: --mode=mid --topics=impressum,cookie,dse --target=http://localhost:3000
+```
+
+Phase 7 invokes via:
+
+```
+Skill: aegis-native/aegis-audit
+Args: --mode=full --target=http://localhost:3000 --output=audits/final.md
+```
+
+---
+
+## Process
+
+The 8 layers run in fixed order. Each layer has a dedicated reference under `references/`.
+
+### Layer Summary Table
+
+| # | Layer | Mid-mode | Full-mode | Reference |
+|---|---|---|---|---|
+| 1 | HTTP-Headers | optional | always | layer-1-headers.md |
+| 2 | HTML-Live-Probe | always | always | layer-2-html.md |
+| 3 | Impressum | always | always | layer-3-impressum.md |
+| 4 | DSE (Datenschutzerklärung) | always | always | layer-4-dse.md |
+| 5 | Cookie + Consent | always | always | layer-5-cookie.md |
+| 6 | Branche-Specific | optional | always | layer-6-branche.md |
+| 7 | Code-Cross-Check (when local repo) | full only | always | layer-7-code-cross-check.md |
+| 8 | Schadens-Diagnose (Synthesizer) | always | always | layer-8-schadens-diagnose.md |
+
+### Phase 1: Pre-Audit Setup
+
+```bash
+# Verify target is reachable
+curl -sf -o /dev/null -w "%{http_code}\n" "$TARGET"
+# Expected: 200 / 301 / 302; otherwise abort with NO-RESPONSE finding
+
+# Verify Playwright is available (for Layer 2 + Layer 5 deeper probes)
+npx playwright --version
+# If missing: STOP, ask operator to `npx playwright install chromium`
+```
+
+### Phase 2: Layer Execution (1 → 8)
+
+For each enabled layer (per --mode):
+
+1. Read the layer-reference for the patterns + thresholds.
+2. Execute the probe(s).
+3. Capture findings into the structured findings-list with:
+   - `id`: stable identifier (e.g., `L3-IMPRESSUM-VAT-MISSING`)
+   - `severity`: KRITISCH | HOCH | MITTEL | LOW
+   - `evidence`: the raw observation (URL + HTTP status + HTML snippet + curl output)
+   - `recommendation`: the fix
+   - `citation`: legal-source (Art. paragraph + court-decision when available)
+
+### Phase 3: Cross-Correlation
+
+After all layers run, run the cross-correlation pass:
+
+- Layer 3 + Layer 5 cluster: Impressum-incomplete + cookie-pre-consent → composite KRITISCH (€5-15k abmahn)
+- Layer 4 + Layer 5 cluster: DSE-incomplete + tracker-active → composite KRITISCH
+- Layer 1 + Layer 7 cluster: missing CSP + unsafe-eval in code → composite HOCH
+- Layer 6 + Layer 3 cluster: industry-specific pflichtangabe + impressum-missing → composite KRITISCH
+
+Cross-correlation often elevates 3 individual MITTEL findings to a single composite KRITISCH — the actual abmahn-target.
+
+### Phase 4: Report Generation (Layer 8 — Schadens-Diagnose)
+
+Produce the 4-section report per the canonical template (see `references/layer-8-schadens-diagnose.md`):
+
+1. **Schadens-Diagnose** — top-level summary + €-range estimate
+2. **Findings-Tabelle** — detailed per-finding (severity / layer / evidence / fix / citation)
+3. **Anwalts-Anhang** — legal citations (Art. paragraph + court-decisions)
+4. **Abmahn-Simulation** — likelihood × industry × visibility = probable cost-range
+
+### Phase 5: Output
+
+Write the report to:
+
+- `customers/<slug>/audits/<mode>-<date>.md` (when invoked from customer-build)
+- `audits/<mode>-<date>.md` (when invoked standalone)
+- stdout summary (1-line per finding) + path to full report
+
+---
+
+## Verification / Success Criteria
+
+Before declaring the audit complete:
+
+- [ ] All enabled layers executed (no silent-skip)
+- [ ] Each layer's findings captured with full evidence (no hand-wavy "looks bad")
+- [ ] Cross-correlation pass run after all layers
+- [ ] Schadens-Diagnose €-range computed via Layer 8 formula
+- [ ] 4-section report written + stdout summary printed
+- [ ] No KRITISCH finding without a citation
+- [ ] No HOCH finding without a fix-recommendation
+- [ ] No "TODO" or placeholder text in the final report
+
+If any unmet → audit is incomplete. Re-run failing layers + regenerate report.
+
+---
+
+## Anti-Patterns
+
+- ❌ Skipping a layer "because it doesn't apply to this target" — every layer applies; if none apply, report NOT-APPLICABLE in the layer-section, don't omit.
+- ❌ Mocking HTTP-responses — every probe hits real target.
+- ❌ Inferring findings from chat-context — read the raw output, cite line/byte.
+- ❌ Hand-wavy severities — every severity has a defined criteria (per layer-reference); apply consistently.
+- ❌ Composite findings without explicit cross-correlation logic — Phase 3 is mandatory.
+- ❌ €-range without disclaimer — "Estimates are advisory; not legal advice. Verify with a Fachanwalt."
+- ❌ Skipping Layer 8 (Schadens-Diagnose) "because no findings exist" — Layer 8 still produces a report stating "0 findings, low €-risk".
+- ❌ Out-of-order layer execution — Layer 5 (cookie) needs Layer 1 (headers) data; running L5 before L1 misses signals.
+- ❌ False-positive on a 3rd-party-CDN that's actually 1st-party-CNAME-aliased — verify via `dig CNAME` before reporting.
+- ❌ Missing citation for KRITISCH — no Art./§/court-decision = downgrade to HOCH at most.
+
+---
+
+## Extension Points
+
+- **New layer**: add `references/layer-9-<name>.md` + add to the Layer Summary Table here. Phase 2 reads the layer-references list dynamically.
+- **Industry-specific Layer 6**: per industry (legal, medical, financial, ...) extend `references/layer-6-branche.md` with industry-section. Phase 2 detects industry from the target's NAICS/WZ-code (or briefing.industry field).
+- **Custom severity thresholds**: a project might want stricter KRITISCH thresholds. Override in `aegis.config.json` `audit.severities.kritisch.threshold` per layer.
+- **Different target-types**: this skill audits a URL by default. Extend with `--mode=local-repo` (audits source-code without running build) or `--mode=tarball` (audits a published artifact) by adding probe-implementations per layer.
+- **Multi-language support**: for non-DE/EU jurisdictions, add `references/layer-<N>-<jurisdiction>.md` (e.g., layer-3-impressum-uk.md for UK pflichtangaben). Layer 2 (HTML), Layer 1 (Headers), Layer 7 (Code) are jurisdiction-agnostic and reused.
+- **Output format**: the 4-section format is canonical. Extension-formats (HTML / SARIF / JSON) live in `packages/reporters` and consume the audit's structured findings-list.
+- **Continuous audit**: a project can run aegis-audit on every commit (CI integration) or on every URL-change (production-watch). Add `--mode=ci` (fast, layer 1+2+3+5 only) and `--mode=watch` (Layer 1+2+5).
+- **Whitelisted-finding suppression**: some findings are project-accepted (e.g., a CSP `unsafe-inline` for a specific 3rd-party script). Add to `aegis.config.json` `audit.suppressions[]` with `id` + `rationale` + `expiry-date`. Suppressions expire by default (no permanent suppressions).

package/skills/foundation/aegis-native/aegis-audit/references/layer-1-headers.md

@@ -0,0 +1,138 @@
+# Layer 1 Reference — HTTP-Headers
+
+Layer 1 probes HTTP response-headers for security + privacy + caching headers. Findings here often feed Layer 5 (Cookie) + Layer 7 (Code-Cross-Check). **Time:** ~2-5 min per target.
+
+---
+
+## Probe Pattern
+
+```bash
+# Capture headers (HEAD + GET; some servers strip security headers on HEAD)
+curl -sI "$TARGET" > /tmp/audit-headers-head.txt
+curl -s -I -X GET "$TARGET" > /tmp/audit-headers-get.txt
+
+# Compare (some sites send different headers per method)
+diff /tmp/audit-headers-head.txt /tmp/audit-headers-get.txt
+```
+
+Then check each canonical header per the table below.
+
+---
+
+## Canonical Header Checklist
+
+| Header | Expected | Severity if missing/weak |
+|---|---|---|
+| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` | HOCH (missing) / MITTEL (max-age < 31536000) |
+| `Content-Security-Policy` | strict (no `unsafe-inline` on `script-src`, no `*` on `frame-ancestors`) | KRITISCH (missing) / HOCH (`unsafe-inline`) |
+| `X-Frame-Options` | `DENY` or `SAMEORIGIN` (or via CSP `frame-ancestors`) | HOCH (missing — clickjacking) |
+| `X-Content-Type-Options` | `nosniff` | MITTEL (missing — MIME-sniffing) |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` or stricter | MITTEL (missing) / LOW (`unsafe-url`) |
+| `Permissions-Policy` | scoped (no `*` defaults) | MITTEL (missing) |
+| `Cross-Origin-Opener-Policy` | `same-origin` | LOW (missing) |
+| `Cross-Origin-Embedder-Policy` | `require-corp` (when applicable) | LOW (missing — only for sensitive sites) |
+| `Cross-Origin-Resource-Policy` | `same-origin` or `same-site` | LOW (missing) |
+| `Cache-Control` (HTML) | `no-store, no-cache, must-revalidate` for auth-pages; `public, max-age=...` for static | MITTEL (auth-page cached) |
+| `Set-Cookie` (auth) | `Secure; HttpOnly; SameSite=Lax` (or `Strict`) | KRITISCH (auth-cookie without HttpOnly) |
+| `Server` | absent or generic (no version-disclosure) | LOW (verbose server-header) |
+| `X-Powered-By` | absent | LOW (verbose framework-disclosure) |
+
+---
+
+## CSP Strictness Check
+
+```bash
+csp=$(grep -i "content-security-policy" /tmp/audit-headers-get.txt | cut -d: -f2-)
+echo "$csp"
+
+# Check for KRITISCH/HOCH patterns
+grep -q "unsafe-inline" <<<"$csp" && echo "L1-CSP-UNSAFE-INLINE: HOCH"
+grep -q "unsafe-eval" <<<"$csp" && echo "L1-CSP-UNSAFE-EVAL: HOCH"
+grep -q "frame-ancestors[^;]*\*" <<<"$csp" && echo "L1-CSP-FRAME-ANCESTORS-WILDCARD: KRITISCH"
+grep -q "default-src[^;]*\*" <<<"$csp" && echo "L1-CSP-DEFAULT-SRC-WILDCARD: KRITISCH"
+```
+
+Strictest CSP pattern (next.js with strict-dynamic + nonce):
+
+```
+default-src 'self'; 
+script-src 'self' 'nonce-<hash>' 'strict-dynamic' https:; 
+style-src 'self' 'unsafe-inline'; 
+img-src 'self' data: https:; 
+connect-src 'self'; 
+frame-ancestors 'none';
+```
+
+`style-src 'unsafe-inline'` is acceptable (CSS injection has lower exploitation impact than JS injection); `script-src 'unsafe-inline'` is not.
+
+---
+
+## HSTS Preload Check
+
+```bash
+# If max-age < 31536000 OR missing includeSubDomains OR missing preload — not preload-eligible
+hsts=$(grep -i "strict-transport-security" /tmp/audit-headers-get.txt | cut -d: -f2-)
+max_age=$(grep -oE "max-age=[0-9]+" <<<"$hsts" | cut -d= -f2)
+[ -z "$max_age" ] && echo "L1-HSTS-MISSING: HOCH"
+[ -n "$max_age" ] && [ "$max_age" -lt 31536000 ] && echo "L1-HSTS-TOO-SHORT: MITTEL"
+grep -qi "includesubdomains" <<<"$hsts" || echo "L1-HSTS-NO-SUBDOMAINS: MITTEL"
+grep -qi "preload" <<<"$hsts" || echo "L1-HSTS-NO-PRELOAD: LOW"
+```
+
+For preload-list eligibility, also verify:
+
+```bash
+# At https://hstspreload.org/ — site must:
+# - Serve HSTS header on root domain + all subdomains
+# - max-age >= 31536000 (1 year)
+# - includeSubDomains
+# - preload
+# - Redirect HTTP to HTTPS on root + subdomains
+```
+
+---
+
+## Cookie Header Cross-Check (feeds Layer 5)
+
+```bash
+# Capture all Set-Cookie lines
+grep -i "^set-cookie:" /tmp/audit-headers-get.txt
+```
+
+For each cookie, check:
+
+- `Secure` flag set (only sent over HTTPS)
+- `HttpOnly` flag set (no JS-access; KRITISCH if missing on auth-cookie)
+- `SameSite` set (`Lax` or `Strict`; `None` requires `Secure`)
+- `Path=/` reasonable scope
+- `Max-Age` or `Expires` set (no session-cookies for tracking that should be persistent)
+
+Layer 5 (Cookie + Consent) cross-references each cookie against the consent-status: any tracking-cookie set BEFORE consent is a TTDSG/TDDDG §25 violation.
+
+---
+
+## Findings Format
+
+Each Layer 1 finding writes to the structured findings-list:
+
+```yaml
+- id: L1-CSP-UNSAFE-INLINE
+  layer: 1
+  severity: HOCH
+  evidence:
+    url: <target>
+    header_name: Content-Security-Policy
+    header_value: "default-src 'self'; script-src 'self' 'unsafe-inline' ..."
+  recommendation: "Replace 'unsafe-inline' with nonce-based CSP per OWASP CSP-3 cheatsheet"
+  citation: "OWASP CSP-3, BSI TR-03116-4 §4.2"
+```
+
+---
+
+## Anti-Patterns specific to Layer 1
+
+- ❌ Reporting "HSTS missing" when site is HTTP-only — first fix HTTP-to-HTTPS redirect; HSTS is moot otherwise.
+- ❌ Reporting "CSP unsafe-inline" without checking if the inline is `style-src` — script-src is the dangerous one; style-src is acceptable.
+- ❌ Skipping cookie-headers — they feed Layer 5; Layer 5 then fails to detect pre-consent trackers.
+- ❌ HEAD-only probe — some sites strip security-headers on HEAD; always run GET too.
+- ❌ Reporting "X-XSS-Protection missing" — that header is deprecated (no longer recommended; modern CSP supersedes).

package/skills/foundation/aegis-native/aegis-audit/references/layer-2-html.md

@@ -0,0 +1,153 @@
+# Layer 2 Reference — HTML-Live-Probe
+
+Layer 2 fetches the rendered HTML and analyzes structural + content patterns. Catches: missing alt-texts, broken meta-tags, SSR-skeleton-only pages, inline-script-leaks, missing footer/legal links. **Time:** ~3-5 min per target.
+
+---
+
+## Probe Pattern
+
+```bash
+# Static fetch (curl)
+curl -sL -A "Mozilla/5.0 (compatible; aegis-audit/1.0)" "$TARGET" > /tmp/audit-html-static.html
+
+# Dynamic fetch (Playwright — captures JS-rendered content)
+npx -y playwright-core@latest <<EOF
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const ctx = await b.newContext({ userAgent: 'aegis-audit/1.0' });
+  const p = await ctx.newPage();
+  await p.goto('$TARGET', { waitUntil: 'networkidle', timeout: 30000 });
+  console.log(await p.content());
+  await b.close();
+})();
+EOF > /tmp/audit-html-dynamic.html
+
+# Diff — large diff = heavy client-rendering (SSR/CSR balance check)
+wc -l /tmp/audit-html-*.html
+```
+
+---
+
+## Structural Checklist
+
+| Check | How | Severity |
+|---|---|---|
+| `<!doctype html>` present | `head -1 audit-html-static.html` | HOCH (missing) |
+| `<html lang="...">` set | `grep -oE '<html[^>]*lang=' audit-html-static.html` | MITTEL (missing) |
+| `<title>` present + non-empty + < 60 chars | `grep -oE '<title>[^<]*</title>'` | HOCH (missing or empty) |
+| `<meta charset="utf-8">` | `grep -oE '<meta[^>]*charset=' audit-html-static.html \| head -1` | MITTEL (missing) |
+| `<meta name="viewport">` | `grep -oE '<meta[^>]*viewport='` | HOCH (missing — mobile broken) |
+| `<meta name="description">` | `grep -oE '<meta[^>]*description='` | HOCH (missing) |
+| Heading-hierarchy (one h1, h2 → h3 ordering) | parse + check | MITTEL (multiple h1) / LOW (skip h2 → h3) |
+| Open-Graph tags (og:title, og:description, og:image, og:url) | `grep -E 'og:(title\|description\|image\|url)'` | MITTEL (missing) |
+| Twitter card tags | `grep -E 'twitter:card'` | LOW (missing) |
+| Schema.org JSON-LD | `grep -oE 'application/ld\+json'` | LOW (missing) |
+| Canonical link | `grep -oE 'rel="canonical"'` | MITTEL (missing) |
+
+---
+
+## Image Checks (alt-text, lazy-load, dimensions)
+
+```bash
+# Find all img tags
+grep -oE '<img[^>]*>' /tmp/audit-html-static.html > /tmp/audit-imgs.txt
+
+# Count
+total=$(wc -l < /tmp/audit-imgs.txt)
+
+# Missing alt-text
+missing_alt=$(grep -cv 'alt=' /tmp/audit-imgs.txt)
+empty_alt=$(grep -c 'alt=""' /tmp/audit-imgs.txt)
+
+# Missing dimensions (CLS issue)
+missing_dim=$(grep -cE 'width=' /tmp/audit-imgs.txt | head -1)
+
+echo "Images: $total, missing alt: $missing_alt, empty alt: $empty_alt"
+```
+
+| Check | Severity |
+|---|---|
+| Image without `alt=` | HOCH (A11y violation) |
+| Image with `alt=""` (and not decorative-only) | MITTEL (A11y) |
+| Image without `width` + `height` (causes CLS) | MITTEL |
+| Image without `loading="lazy"` (below fold) | LOW (perf) |
+| Image larger than render-size (e.g., 4000px-image rendered at 800px) | MITTEL (perf) |
+
+---
+
+## SSR-Skeleton Detection
+
+```bash
+# Static HTML body length vs dynamic
+static_body_len=$(grep -oE '<body[^>]*>.*</body>' /tmp/audit-html-static.html | wc -c)
+dynamic_body_len=$(grep -oE '<body[^>]*>.*</body>' /tmp/audit-html-dynamic.html | wc -c)
+
+# If static body is < 20% of dynamic body — SSR-skeleton (SEO-bad)
+ratio=$(echo "scale=2; $static_body_len / $dynamic_body_len" | bc)
+[ $(echo "$ratio < 0.2" | bc) = 1 ] && echo "L2-SSR-SKELETON-ONLY: HOCH"
+```
+
+For Next.js App Router: SSR-skeleton + heavy client-side rendering = SEO penalty. Phase 2 architecture decisions should favor RSC.
+
+---
+
+## Inline-Script Detection (CSP cross-check)
+
+```bash
+# Count inline scripts (no src attr)
+inline_count=$(grep -oE '<script[^s]*>' /tmp/audit-html-static.html | wc -l)
+
+# Big inline scripts may indicate injected analytics or unsafe-inline patterns
+grep -oE '<script[^s][^>]*>[^<]{100,}' /tmp/audit-html-static.html | head -5
+```
+
+If inline-scripts found AND Layer 1 CSP allows `'unsafe-inline'` on `script-src` → composite HOCH.
+
+---
+
+## Footer-Link Resolution (feeds Layer 3)
+
+Layer 3 (Impressum) needs the footer-link to /impressum. Resolve via:
+
+```bash
+# Find footer
+footer=$(grep -oE '<footer[^>]*>.*</footer>' /tmp/audit-html-static.html | head -1)
+
+# Find links in footer
+echo "$footer" | grep -oE '<a[^>]*href="[^"]*"[^>]*>[^<]*</a>'
+
+# Extract the impressum-href
+echo "$footer" | grep -oE 'href="[^"]*impressum[^"]*"' | head -1
+```
+
+If no `/impressum` link in footer or in main-nav — Layer 3 reports L3-IMPRESSUM-NO-FOOTER-LINK: HOCH.
+
+If link exists but points to 404 — Layer 3 reports L3-IMPRESSUM-LINK-BROKEN: KRITISCH.
+
+---
+
+## Findings Format
+
+```yaml
+- id: L2-IMG-MISSING-ALT
+  layer: 2
+  severity: HOCH
+  evidence:
+    url: <target>
+    img_count: 14
+    missing_alt: 3
+    affected: ["img[1]", "img[7]", "img[12]"]  # XPath-ish
+  recommendation: "Add meaningful alt-text to each img per WCAG 2.1 1.1.1"
+  citation: "WCAG 2.1 1.1.1, BFSG §3"
+```
+
+---
+
+## Anti-Patterns specific to Layer 2
+
+- ❌ Skipping Playwright fetch "because curl is faster" — JS-rendered content invisible to curl-only.
+- ❌ Reporting "no h1" without parsing — DOM-order matters; first h1 might be inside a `<header role="banner">`.
+- ❌ Marking `alt=""` as KRITISCH — empty alt is correct for purely-decorative images per WCAG; downgrade.
+- ❌ Reporting "missing OG-tags" for an internal admin-page — admin-pages don't need OG.
+- ❌ Inferring SSR-skeleton from static-body length alone — also check if `<noscript>` content fills the gap.