@aegis-scan/skills 0.2.1 → 0.5.0

package/skills/foundation/aegis-native/aegis-audit/references/layer-3-impressum.md

@@ -0,0 +1,159 @@
+# Layer 3 Reference — Impressum (DDG §5)
+
+Layer 3 verifies the Impressum (legal notice) per DDG §5 (formerly TMG §5, renamed 2024-05-14 with TDDDG enactment). Catches: missing pflichtangaben, broken links, browser-vs-bot-walled pages. **Time:** ~3-5 min per target.
+
+---
+
+## Pflichtangaben Checklist (DDG §5)
+
+| # | Pflichtangabe | Field-name | Required when |
+|---|---|---|---|
+| 1 | Name + Anschrift | Geschäftsbezeichnung + Straße + PLZ + Ort | always (geschäftsmäßig) |
+| 2 | Vertretungsberechtigter | Geschäftsführer (bei juristischen Personen) | for GmbH/AG/UG/etc. |
+| 3 | Kontakt: E-Mail + Telefon | E-Mail + Tel. | always |
+| 4 | Handelsregister | HRB-Nummer + Registergericht | for handelsregister-pflichtige Rechtsformen |
+| 5 | Umsatzsteuer-ID | USt-IdNr. (`DE...`) | when § 27a UStG applies |
+| 6 | Wirtschafts-ID | W-IdNr. | when applicable |
+| 7 | Aufsichtsbehörde | Name + Adresse | for state-licensed industries (Anwalt, Arzt, Architekt, Steuerberater, ...) |
+| 8 | Berufsbezeichnung + Kammer | Bezeichnung + verleihender Staat + Kammer | for regulated professions |
+| 9 | Berufshaftpflicht | Versicherer + räumlicher Geltungsbereich | for regulated professions (Anwalt, Arzt, ...) |
+| 10 | Online-Streitbeilegung Hinweis | Link zu ec.europa.eu/consumers/odr | for B2C with online-business |
+| 11 | Verbraucherstreitbeilegung Hinweis | Bereit-/Nicht-Bereit-Erklärung | for B2C |
+| 12 | Inhaltlich Verantwortlicher (§ 18 Abs. 2 MStV) | Name + Anschrift | for journalistic-redaktional Angebote |
+
+---
+
+## Probe Pattern
+
+```bash
+# Resolve impressum-URL
+IMPRESSUM_URL=$(node -e "
+  const html = require('fs').readFileSync('/tmp/audit-html-static.html', 'utf-8');
+  const match = html.match(/href=['\"]([^'\"]*impressum[^'\"]*)['\"]/i);
+  console.log(match ? new URL(match[1], '$TARGET').href : '');
+")
+
+if [ -z "$IMPRESSUM_URL" ]; then
+  echo "L3-IMPRESSUM-NO-FOOTER-LINK: KRITISCH"
+  exit 1
+fi
+
+# Fetch with browser-UA (some sites bot-wall)
+curl -sL -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "$IMPRESSUM_URL" > /tmp/audit-impressum.html
+
+# Or fall-back to Playwright
+[ "$(wc -c < /tmp/audit-impressum.html)" -lt 1000 ] && {
+  npx -y playwright-core@latest <<EOF | tee /tmp/audit-impressum.html
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const p = await (await b.newContext()).newPage();
+  await p.goto('$IMPRESSUM_URL', { waitUntil: 'networkidle' });
+  console.log(await p.content());
+  await b.close();
+})();
+EOF
+}
+```
+
+---
+
+## Per-Field Detection Patterns
+
+```bash
+# Geschäftsbezeichnung + Anschrift (presence check)
+grep -E '(GmbH|UG|AG|e\.K\.|[A-ZÄÖÜ][a-zäöü]+ [A-ZÄÖÜ][a-zäöü]+)' /tmp/audit-impressum.html | head -3
+grep -E '\b[0-9]{5}\b' /tmp/audit-impressum.html  # German postal code
+
+# E-Mail + Telefon
+grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' /tmp/audit-impressum.html | head -3
+grep -oE '\+?49[ /-]?[0-9 /-]{7,}' /tmp/audit-impressum.html | head -3
+
+# USt-IdNr.
+grep -oE 'DE[ ]?[0-9]{9}' /tmp/audit-impressum.html
+
+# Handelsregister
+grep -oE 'HRB[ ]?[0-9]+' /tmp/audit-impressum.html
+grep -oE 'Amtsgericht [A-ZÄÖÜ][a-zäöü]+' /tmp/audit-impressum.html
+
+# OS-Streitbeilegung Link
+grep -E 'ec\.europa\.eu/consumers/odr' /tmp/audit-impressum.html
+
+# Verbraucherstreitbeilegung Hinweis
+grep -E '(Verbraucherstreitbeilegung|Streitbeilegungsverfahren)' /tmp/audit-impressum.html
+```
+
+---
+
+## Severity Matrix
+
+| Missing field | Severity |
+|---|---|
+| Geschäftsbezeichnung + Anschrift | KRITISCH |
+| Vertretungsberechtigter (when GmbH/AG/UG) | KRITISCH |
+| E-Mail | KRITISCH |
+| Telefon | HOCH (some courts accept E-Mail-only; abmahn-risk) |
+| HRB + Registergericht (when handelsregister-pflichtig) | KRITISCH |
+| USt-IdNr. (when § 27a UStG applies) | KRITISCH |
+| Aufsichtsbehörde (for regulated industries) | KRITISCH |
+| Berufshaftpflicht (for regulated professions) | KRITISCH |
+| OS-Streitbeilegung Link (when B2C online) | HOCH |
+| Verbraucherstreitbeilegung Hinweis (B2C) | MITTEL |
+| Inhaltlich Verantwortlicher (when journalistic) | KRITISCH |
+
+---
+
+## Cross-Check: Code-Repo (when Layer 7 enabled)
+
+If aegis-audit runs against a local repo (Layer 7 enabled), cross-check:
+
+```bash
+# Find impressum data in code
+find . -path ./node_modules -prune -o -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.json' -o -name '*.md' \) -print | xargs grep -lE 'impressum|HRB|USt-IdNr' 2>/dev/null
+
+# Verify code-data matches rendered-data
+# E.g., site says HRB 12345 but code has HRB 67890 — drift
+```
+
+If drift detected → L3-IMPRESSUM-CODE-DRIFT: HOCH (data inconsistency).
+
+---
+
+## Court-Decision References
+
+For findings, cite court-decisions where applicable:
+
+- KG Berlin 2010-04-21 (5 W 39/10) — vollständiger Name + Anschrift Pflicht
+- LG Düsseldorf 2008-05-21 (12 O 250/07) — Telefon Pflicht für unmittelbare Kontaktaufnahme
+- EuGH 2008-10-16 (C-298/07) — § 5 TMG (= jetzt DDG §5) ist Verbraucherinformations-Pflicht; B2B + B2C
+- BGH 2007-09-20 (I ZR 88/05) — Impressum 2-clicks-rule (vom Footer aus erreichbar)
+- LG München I 2022-01-20 (3 O 17493/20) — Google-Fonts (cross-layer with L4 + L5)
+
+---
+
+## Findings Format
+
+```yaml
+- id: L3-IMPRESSUM-VAT-MISSING
+  layer: 3
+  severity: KRITISCH
+  evidence:
+    url: <impressum-url>
+    field: USt-IdNr.
+    matches: []
+    detection: "no DE-prefixed VAT-ID found in /impressum HTML"
+  recommendation: "Add 'Umsatzsteuer-Identifikationsnummer: DE123456789' under § 27a UStG section"
+  citation: "DDG § 5 Abs. 1 Nr. 6, § 27a UStG"
+  abmahn_risk: "€500-2000 per finding (industry × visibility-dependent)"
+```
+
+---
+
+## Anti-Patterns specific to Layer 3
+
+- ❌ Reporting "USt-IdNr. missing" for a Kleinunternehmer (§ 19 UStG) — only § 27a UStG businesses need to publish.
+- ❌ Reporting "OS-Streitbeilegung missing" for B2B-only sites — only B2C requires this.
+- ❌ Skipping browser-UA fallback — many sites bot-wall scanners; without browser-UA the impressum returns 403.
+- ❌ Inferring "Aufsichtsbehörde missing" without first detecting industry — non-regulated industries don't need this.
+- ❌ Reporting on Inhaltlich-Verantwortlicher (§ 18 MStV) for non-journalistic sites — pure commercial sites don't need.
+- ❌ Reporting "missing Berufshaftpflicht" for unregulated professions — pflicht only for Anwalt / Arzt / Steuerberater / Architekt.

package/skills/foundation/aegis-native/aegis-audit/references/layer-4-dse.md

@@ -0,0 +1,178 @@
+# Layer 4 Reference — DSE (Datenschutzerklärung, DSGVO Art. 13/14)
+
+Layer 4 verifies the Datenschutzerklärung against DSGVO Art. 13 (Informationspflicht bei Erhebung beim Betroffenen) + Art. 14 (Erhebung bei Dritten) + Drittlandtransfer-Konformität (Schrems-II / SCC). **Time:** ~5-10 min per target.
+
+---
+
+## Art. 13 Pflichtangaben Checklist
+
+| # | Field | Severity if missing |
+|---|---|---|
+| 1 | Verantwortlicher (Name + Anschrift) | KRITISCH |
+| 2 | Vertreter in der EU (when applicable) | HOCH |
+| 3 | Datenschutzbeauftragter (when applicable per Art. 37) | HOCH (when pflicht) |
+| 4 | Verarbeitungszwecke + Rechtsgrundlage (Art. 6 / Art. 9) | KRITISCH |
+| 5 | Berechtigte Interessen (when Art. 6 Abs. 1 lit. f) | HOCH |
+| 6 | Empfänger / Empfängerkategorien | HOCH |
+| 7 | Drittlandtransfer + Schutzgarantien | KRITISCH (when transfer happens but DSE absent) |
+| 8 | Speicherdauer / Löschkonzept | HOCH |
+| 9 | Betroffenenrechte (Art. 15-22) | KRITISCH |
+| 10 | Beschwerderecht bei Aufsichtsbehörde | HOCH |
+| 11 | Pflicht zur Bereitstellung + Folgen | MITTEL |
+| 12 | Automatisierte Entscheidung / Profiling | HOCH (when applicable) |
+
+---
+
+## Probe Pattern
+
+```bash
+# Resolve DSE-URL (often /datenschutz, /privacy, /datenschutzerklaerung)
+DSE_URL=$(node -e "
+  const html = require('fs').readFileSync('/tmp/audit-html-static.html', 'utf-8');
+  const match = html.match(/href=['\"]([^'\"]*(datenschutz|privacy)[^'\"]*)['\"]/i);
+  console.log(match ? new URL(match[1], '$TARGET').href : '');
+")
+
+curl -sL -A "Mozilla/5.0" "$DSE_URL" > /tmp/audit-dse.html
+```
+
+---
+
+## Per-Field Detection Patterns
+
+```bash
+# Verantwortlicher (matches typical phrasing)
+grep -E 'Verantwortliche[r]?\s+i[mn]?\s+Sinne' /tmp/audit-dse.html
+
+# Datenschutzbeauftragter
+grep -iE '(Datenschutzbeauftragte[rn]|Data Protection Officer|DSB)' /tmp/audit-dse.html
+
+# Verarbeitungszwecke (look for Art. 6 references)
+grep -E 'Art\.\s*6\s*Abs\.\s*1\s*lit\.\s*[abcdef]' /tmp/audit-dse.html
+
+# Drittlandtransfer (US, GB post-Brexit)
+grep -iE '(Drittland|USA|United States|Standardvertragsklauseln|SCC|Privacy Shield|TIA)' /tmp/audit-dse.html
+
+# Speicherdauer
+grep -iE '(Speicherdauer|Löschkonzept|Aufbewahrungsfrist)' /tmp/audit-dse.html
+
+# Betroffenenrechte (Art. 15-22)
+grep -E 'Art\.\s*1[5-9]|Art\.\s*2[0-2]' /tmp/audit-dse.html
+grep -iE '(Auskunftsrecht|Berichtigung|Löschung|Einschränkung|Datenübertragbarkeit|Widerspruch)' /tmp/audit-dse.html
+
+# Beschwerderecht
+grep -iE '(Beschwerderecht|Aufsichtsbehörde|Datenschutzbeauftragte des Landes)' /tmp/audit-dse.html
+```
+
+---
+
+## Drittland-Transfer Detection (cross-check Layer 1 + Layer 5)
+
+Layer 4 cross-references with Layer 1 (CDN / 3rd-party domains in HTTP-headers) + Layer 5 (cookies set by 3rd-party trackers) to detect:
+
+```bash
+# 3rd-party domains active on the page (from Layer 1 / Layer 5)
+3p_domains=$(grep -oE 'https?://[^/]+' /tmp/audit-html-dynamic.html | sort -u | grep -v "$TARGET_DOMAIN")
+
+# For each 3rd-party, check if DSE mentions it
+for domain in $3p_domains; do
+  if grep -q "$domain" /tmp/audit-dse.html; then
+    echo "L4-DSE-MENTIONS: $domain ✓"
+  else
+    echo "L4-DSE-3P-NOT-MENTIONED: $domain (HOCH)"
+  fi
+done
+```
+
+US-headquartered 3rd-parties (Google, Meta, Cloudflare, AWS) trigger Drittlandtransfer concerns. DSE MUST mention:
+
+- The 3rd-party (by name or category)
+- The country of transfer
+- The schutzgarantien (SCC + TIA per Schrems-II requirements post-2020-07-16 EuGH C-311/18)
+
+If 3rd-party transfer happens AND DSE doesn't address it → KRITISCH (Schrems-II).
+
+---
+
+## Common Schrems-II Findings
+
+| 3rd-party | DSE-required addressing |
+|---|---|
+| Google Fonts (when loaded from fonts.googleapis.com) | KRITISCH if not local-bundled (LG München I 2022-01-20 3 O 17493/20) |
+| Google Analytics (without IP-anonymization + consent) | KRITISCH |
+| Google Maps embed (without consent OR static-image-fallback) | HOCH |
+| reCAPTCHA v3 (silent tracking) | KRITISCH |
+| Cloudflare (when used as CDN with EU-traffic) | MITTEL (DPA exists; SCC referenced) |
+| AWS / Azure / GCP (US-region) | HOCH (require SCC-DPA) |
+| Vercel (US-hosted) | MITTEL (Vercel offers DPA) |
+| Mailchimp / Sendinblue / Brevo | HOCH (US/EU split, requires SCC) |
+
+For each, check if DSE has the required transfer-section AND processor-AVV (Auftragsverarbeitung) listing.
+
+---
+
+## AVV-List Detection
+
+DSGVO Art. 28 requires AVV (Auftragsverarbeitung-Vertrag) for every processor handling personal data. DSE should reference:
+
+```bash
+grep -iE '(Auftragsverarbeitung|Art\.\s*28|AVV)' /tmp/audit-dse.html
+```
+
+For each 3rd-party from Layer 1 + 5: AVV must exist (signed contract); DSE should mention by name.
+
+---
+
+## Severity Matrix
+
+| Missing | Severity |
+|---|---|
+| Verantwortlicher (Art. 13 Abs. 1 lit. a) | KRITISCH |
+| Verarbeitungszwecke + Rechtsgrundlage (Art. 13 Abs. 1 lit. c-d) | KRITISCH |
+| Betroffenenrechte (Art. 15-22) | KRITISCH |
+| Drittlandtransfer + SCC + TIA (when transfer happens) | KRITISCH |
+| Speicherdauer (Art. 13 Abs. 2 lit. a) | HOCH |
+| Empfänger (Art. 13 Abs. 1 lit. e) | HOCH |
+| Beschwerderecht (Art. 13 Abs. 2 lit. d) | HOCH |
+| Datenschutzbeauftragter (when pflicht per Art. 37) | HOCH |
+| Vertreter in der EU (when ext.-EU controller) | HOCH |
+| Automatisierte Entscheidung (when applicable) | HOCH |
+| Pflicht zur Bereitstellung (Art. 13 Abs. 2 lit. e) | MITTEL |
+
+---
+
+## Court-Decision References
+
+- EuGH 2020-07-16 (C-311/18) — Schrems-II — invalidation of Privacy Shield; SCC + TIA required
+- LG München I 2022-01-20 (3 O 17493/20) — Google-Fonts via Google CDN = Drittlandtransfer ohne Rechtsgrundlage; 100€ Schadensersatz pro Betroffenem
+- BGH 2020-05-28 (I ZR 7/16) — Cookie-Banner BGB
+- OLG Düsseldorf 2019-03-26 (I-20 U 75/18) — DSE als wettbewerbsrechtliche Pflicht (UWG abmahnbar)
+- EDSA Recommendations 01/2020 — Schutzgarantien-Beurteilung TIA-Methodik
+
+---
+
+## Findings Format
+
+```yaml
+- id: L4-DSE-DRITTLAND-MISSING
+  layer: 4
+  severity: KRITISCH
+  evidence:
+    dse_url: <dse-url>
+    detected_3p: ["fonts.googleapis.com", "www.google-analytics.com"]
+    dse_mentions_drittland: false
+    dse_mentions_scc: false
+  recommendation: "Add Drittlandtransfer-section listing US-3rd-parties (Google Fonts, GA), reference SCC + TIA per Schrems-II"
+  citation: "DSGVO Art. 13 Abs. 1 lit. f, Art. 46; EuGH C-311/18 (Schrems-II); LG München I 3 O 17493/20"
+  abmahn_risk: "€2000-15000 per Betroffenem (LG München-Linie); aggregated risk per visitor-month"
+```
+
+---
+
+## Anti-Patterns specific to Layer 4
+
+- ❌ Reporting "Drittlandtransfer missing" without verifying transfer actually happens — first detect 3rd-parties via Layer 1 + 5.
+- ❌ Skipping AVV-cross-check — Art. 28 AVV is separate from Art. 13 DSE.
+- ❌ Reporting "DSB missing" for small businesses (< 20 employees handling personal data routinely) — Art. 37 thresholds apply.
+- ❌ Inferring DSE-completeness from word-count — short DSE can be complete; long DSE can miss fields.
+- ❌ Reporting on automatisierte Entscheidung when site has no profiling — only applies when profiling/decisions actually happen.

package/skills/foundation/aegis-native/aegis-audit/references/layer-5-cookie.md

@@ -0,0 +1,180 @@
+# Layer 5 Reference — Cookie + Consent (TTDSG/TDDDG §25)
+
+Layer 5 verifies cookie-banner + consent-flow against TTDSG/TDDDG §25 (formerly TTDSG, renamed 2024-05-14 with TDDDG enactment) + BGH cookie-decision (2020-05-28) + EU-Cookie-Banner-Guidelines. **Time:** ~5-10 min per target.
+
+---
+
+## Probe Pattern
+
+```bash
+# Fresh page-load (no prior consent-cookies)
+mkdir -p /tmp/audit-cookie-jar
+rm -f /tmp/audit-cookie-jar/*
+curl -sL -A "Mozilla/5.0" -c /tmp/audit-cookie-jar/cookies.txt "$TARGET" > /tmp/audit-fresh.html
+
+# What cookies were set BEFORE consent?
+cat /tmp/audit-cookie-jar/cookies.txt
+```
+
+Then a Playwright-based probe to detect dynamic cookies (set by JS) AND verify the consent-banner appears + works:
+
+```bash
+npx -y playwright-core@latest <<EOF
+const { chromium } = require('playwright-core');
+(async () => {
+  const b = await chromium.launch();
+  const ctx = await b.newContext();
+  const p = await ctx.newPage();
+  
+  // Capture all requests + responses
+  const requests = [];
+  p.on('request', r => requests.push({ url: r.url(), type: r.resourceType() }));
+  
+  // Navigate
+  await p.goto('$TARGET', { waitUntil: 'networkidle' });
+  
+  // Capture cookies pre-consent
+  const preConsentCookies = await ctx.cookies();
+  
+  // Check for consent-banner
+  const bannerSelector = 'div[id*="cookie"], div[class*="cookie"], div[class*="consent"]';
+  const banner = await p.$(bannerSelector);
+  const bannerHasBoth = banner ? await banner.evaluate(el => {
+    const text = el.innerText.toLowerCase();
+    return text.includes('akzeptieren') && (text.includes('ablehnen') || text.includes('reject'));
+  }) : false;
+  
+  console.log(JSON.stringify({
+    preConsentCookies,
+    requests: requests.length,
+    bannerPresent: !!banner,
+    bannerHasBoth,
+  }, null, 2));
+  
+  await b.close();
+})();
+EOF > /tmp/audit-cookie-probe.json
+```
+
+---
+
+## TTDSG/TDDDG §25 Pre-Consent-Tracker Detection
+
+```bash
+# Pre-consent cookies (any technically-non-required cookie set before consent = §25 violation)
+pre_count=$(jq -r '.preConsentCookies | length' /tmp/audit-cookie-probe.json)
+
+# Filter for tracking-cookies (heuristic: 3rd-party domain or known-tracking-pattern)
+tracking_pre=$(jq -r '.preConsentCookies[] | select(.domain | test("google|facebook|meta|doubleclick|hotjar|matomo|fathom|plausible|gtag|gads|fb_pixel|tiktok"))' /tmp/audit-cookie-probe.json)
+
+[ -n "$tracking_pre" ] && echo "L5-PRE-CONSENT-TRACKER: KRITISCH"
+```
+
+---
+
+## Banner-Pattern Compliance
+
+| Check | Severity if violated |
+|---|---|
+| Banner appears on first page-load | KRITISCH (no banner = no consent collected) |
+| Banner has equal-prominence "Accept" + "Reject all" | KRITISCH (BGH I ZR 7/16 — dark-pattern) |
+| Banner is granular (per-vendor opt-in for non-essential) | HOCH (BGH 2020-05-28 — global-opt-in invalid) |
+| Banner appears BEFORE any tracking-cookie set | KRITISCH (TTDSG §25) |
+| User can opt-out at any time (e.g., footer-link to /cookies/einstellungen) | HOCH |
+| Pre-checked checkboxes for opt-in | KRITISCH (DSGVO Art. 7 Abs. 2 — explicit consent required) |
+| Bundling consent (e.g., AGB + Cookie consent in one checkbox) | HOCH |
+| Continuing-to-use-site interpreted as consent | KRITISCH (BGH 2020-05-28 — mere browsing ≠ consent) |
+| Re-prompt period reasonable (≥ 6 months between prompts unless settings changed) | LOW |
+
+---
+
+## Granular vs Global
+
+| Pattern | Compliance |
+|---|---|
+| "Akzeptieren" + "Ablehnen" only (no granular) | HOCH (BGH-line — granular better) |
+| "Akzeptieren" + "Ablehnen" + per-vendor toggle | OK (granular) |
+| "Akzeptieren" + "Einstellungen" (where settings = granular) | OK if reachable in 1 click |
+| "Akzeptieren" + tiny "Ablehnen" (visual asymmetry) | KRITISCH (dark-pattern, BGH-line) |
+| "Akzeptieren" only (no reject-button on first banner) | KRITISCH |
+
+---
+
+## Consent-Mode-v2 (Google) Detection
+
+If site uses Google products (Analytics, Ads, Tag Manager), check for Consent-Mode-v2:
+
+```bash
+grep -E 'gtag\(.consent.,\s*.default.|consentDefault' /tmp/audit-fresh.html
+
+# default state should be 'denied' for ad_storage, ad_user_data, ad_personalization, analytics_storage
+```
+
+Default-`granted` for analytics_storage = pre-consent-tracking even with Consent-Mode = KRITISCH.
+
+---
+
+## Cookie-Categories Mapping
+
+For each cookie set on the site, classify:
+
+| Category | Consent-required | Examples |
+|---|---|---|
+| Strictly necessary | NO | session-id, csrf-token, cookie-consent-state |
+| Functional | Implicitly OK | language-preference, theme |
+| Analytics (anonymized) | YES (per §25) | matomo (with anonymize_ip), google-analytics-with-anonymize |
+| Marketing / Advertising | YES (explicit, granular) | _ga, _gid (without anonymize_ip), _fbp, fr, doubleclick |
+| Third-party content | YES (depending on data) | YouTube embed, Google Maps with API-key |
+
+If a cookie is "Strictly necessary" — must be on a justified business-need; not just "we want it".
+
+---
+
+## Cookie-Banner-Library Detection
+
+```bash
+# Common libraries used on DACH sites
+grep -iE '(usercentrics|cookiefirst|cookieyes|borlabs|webcm|consent-manager|onetrust|cookiepro|privacymanager|cookieinformation|complianz|iubenda)' /tmp/audit-fresh.html | head -3
+```
+
+If a recognized library is used — check its current-version compliance (via library-CHANGELOG cross-reference; e.g., Borlabs Cookie ≥ 2.2.0 is compliant; older versions had known dark-pattern bugs).
+
+---
+
+## CMP IAB-Framework Detection
+
+```bash
+# IAB-TCF-API presence
+grep -E '__tcfapi\(|TCF_API|cmp\.openWindow' /tmp/audit-fresh.html
+```
+
+If TCF-v2 used — verify Vendor-List up-to-date + Purposes match what's actually loaded.
+
+---
+
+## Findings Format
+
+```yaml
+- id: L5-PRE-CONSENT-TRACKER
+  layer: 5
+  severity: KRITISCH
+  evidence:
+    target: <target>
+    pre_consent_cookies: ["_ga", "_gid", "_fbp"]
+    banner_present: true
+    banner_appears_after_load: true  # but cookies were already set
+  recommendation: "Move all tracking-cookies behind cookie-banner consent. Use Google Consent-Mode-v2 with default='denied'. Verify with fresh page-load + cookies.txt empty."
+  citation: "TTDSG/TDDDG §25 Abs. 1; DSGVO Art. 7 Abs. 1; BGH I ZR 7/16 (2020-05-28); EuGH C-673/17 (Planet49)"
+  abmahn_risk: "€500-5000 per finding (industry × visibility); composite with L4-DSE-DRITTLAND-MISSING bumps to €5000-15000"
+```
+
+---
+
+## Anti-Patterns specific to Layer 5
+
+- ❌ Probing with stale cookie-jar — always use fresh /tmp/audit-cookie-jar.
+- ❌ Skipping Playwright probe "because curl is enough" — JS-set cookies invisible to curl.
+- ❌ Reporting "no banner" for sites with technically-only cookies (no consent-required) — first verify what cookies are actually set.
+- ❌ Marking "_ga" as KRITISCH if site uses Consent-Mode-v2 with default-denied — first check the consent-default-state.
+- ❌ Reporting "global opt-in invalid" without checking BGH-line context — granular is preferred but global-only is HOCH not KRITISCH per current BGH-Linie.
+- ❌ Inferring tracking-cookie from name alone — verify domain + actual purpose; some "_ga"-prefixed cookies are 1st-party-only.