npm - @aegis-scan/skills - Versions diffs - 0.2.1 → 0.5.0 - Mend

@aegis-scan/skills 0.2.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/skills/foundation/aegis-native/aegis-audit/references/layer-6-branche.md ADDED Viewed

@@ -0,0 +1,204 @@
+# Layer 6 Reference — Branche-Specific (Industry Compliance)
+Layer 6 applies industry-specific pflichtangaben + werbevorschriften per the target's branch. Industries handled: BORA (Anwalt), HWG (Heilwesen), LMIV (Lebensmittel), MPDG (Medizinprodukte), GlüStV (Glücksspiel), FernUSG (Fernunterricht), HWO/HwO (Handwerk), GewO (Gewerbeordnung). **Time:** ~5-10 min per target after industry-detection.
+---
+## Industry Detection
+Industry is detected from:
+1. The briefing's `industry` field (if customer-build invocation)
+2. The target's NAICS / WZ-Code (if available)
+3. Heuristic from page-content (keyword-density)
+Detection-fallback (heuristic):
+```bash
+# Anwaltskanzlei
+grep -iqE '(Rechtsanwalt|Kanzlei|Fachanwalt|BORA|RVG)' /tmp/audit-html-static.html && industry="anwalt"
+# Heilwesen (Arzt, Psychotherapie, Heilpraktiker)
+grep -iqE '(Arzt|Ärztin|Praxis|Heilpraktiker|Psychotherapie|Diagnose|Therapie)' /tmp/audit-html-static.html && industry="heilwesen"
+# Lebensmittel (Online-Shop)
+grep -iqE '(Lebensmittel|Bio-|Allergene|Nährwert|LMIV)' /tmp/audit-html-static.html && industry="lebensmittel"
+# Medizinprodukte
+grep -iqE '(MPDG|CE-Kennzeichen|Medizinprodukt|UDI|EUDAMED)' /tmp/audit-html-static.html && industry="medizinprodukte"
+# Steuerberater
+grep -iqE '(Steuerberater|StBerG|StBVV|Steuerkanzlei)' /tmp/audit-html-static.html && industry="steuerberater"
+# Architekt
+grep -iqE '(Architekt|Architektenkammer|HOAI)' /tmp/audit-html-static.html && industry="architekt"
+# Handwerk
+grep -iqE '(HwO|Handwerk|Meisterprüfung|Innung)' /tmp/audit-html-static.html && industry="handwerk"
+# Default
+[ -z "$industry" ] && industry="generic"
+```
+If detection ambiguous — ask operator. Don't apply Branchen-checks based on weak signal.
+---
+## BORA — Anwaltskanzlei
+| # | Pflichtangabe | Severity if missing |
+|---|---|---|
+| 1 | Berufsbezeichnung "Rechtsanwalt"/"Rechtsanwältin" + verleihender Staat | KRITISCH |
+| 2 | Zuständige Rechtsanwaltskammer | KRITISCH |
+| 3 | Berufshaftpflichtversicherung (Versicherer + räumlicher Geltungsbereich) | KRITISCH |
+| 4 | Berufsrechtliche Regelungen + zugängliche Quelle (BORA, BRAK, RVG) | HOCH |
+| 5 | Fachanwaltsbezeichnungen (when used) — verleihender Staat | HOCH |
+| 6 | Hinweis Streitbeilegung (RVG, ZAR) | MITTEL |
+**Werbevorschriften (BORA + UWG):**
+- Keine reißerische Werbung (BORA § 6)
+- Keine vergleichende Werbung mit Mitbewerbern (BORA + UWG)
+- Erfolgshonorar-Hinweis (BORA + RVG-Reform 2021) — only when applicable
+```bash
+# Detection patterns
+grep -iE '(garantiere(n)?\s+(Erfolg|Sieg)|100%\s+Erfolg|absolute\s+Sicherheit)' /tmp/audit-html-static.html | head -3
+# If matches → L6-BORA-ERFOLGSREKLAME: KRITISCH
+```
+---
+## HWG — Heilwesen (Arzt, Psychotherapie, Heilpraktiker)
+| # | Pflichtangabe | Severity |
+|---|---|---|
+| 1 | Berufsbezeichnung "Arzt"/"Ärztin"/"Heilpraktiker" + verleihender Staat | KRITISCH |
+| 2 | Zuständige Aufsichtsbehörde (Landesärztekammer / Gesundheitsamt) | KRITISCH |
+| 3 | Berufshaftpflicht | KRITISCH |
+| 4 | Approbationsstaat | HOCH |
+| 5 | Schwerpunkte / Zusatzbezeichnungen (when used) | HOCH |
+| 6 | Berufsordnung-Verweis | MITTEL |
+**HWG-Werbevorschriften (Heilmittelwerbegesetz):**
+- Kein Werbung mit "neu", "garantiert wirksam", "vollständig heilbar"
+- Keine Patientenfotos / -berichte ohne Einwilligung + Datenschutz-Hinweis
+- Keine vergleichende Werbung gegenüber anderen Methoden
+- Hinweis "Zu Risiken und Nebenwirkungen..." bei Medikamenten
+```bash
+# Common HWG-Verstöße
+grep -iE '(garantierte\s+Heilung|100%\s+wirksam|vollständig\s+heilbar|nebenwirkungs\s*frei)' /tmp/audit-html-static.html
+```
+---
+## LMIV — Lebensmittel-Online-Shop
+| Pflicht | Severity if missing |
+|---|---|
+| Bezeichnung des Lebensmittels (specific, not just brand) | KRITISCH |
+| Zutatenliste (in absteigender Mengenreihenfolge) | KRITISCH |
+| Allergene (Hervorhebung) | KRITISCH |
+| Nettomenge / Gewicht | HOCH |
+| Mindestens-Haltbar-Datum / Verbrauchsdatum | HOCH |
+| Hersteller / Inverkehrbringer + Anschrift | KRITISCH |
+| Ursprungsland (when applicable) | HOCH |
+| Nährwertdeklaration (per 100g/100ml) | KRITISCH |
+| Anweisungen zur sachgerechten Aufbewahrung | MITTEL |
+---
+## MPDG — Medizinprodukte
+| Pflicht | Severity |
+|---|---|
+| CE-Kennzeichnung (mit Notified-Body-Nummer für Klasse Is/IIa+) | KRITISCH |
+| UDI-DI / UDI-PI (per EU-Verordnung 2017/745) | HOCH |
+| EUDAMED-Eintrag (when produced/imported in EU) | HOCH |
+| Hersteller + Adresse | KRITISCH |
+| Klassifikation (Klasse I/IIa/IIb/III) | HOCH |
+| Bevollmächtigter EU (when ext.-EU manufacturer) | KRITISCH |
+| Gebrauchsanweisung (PDF-Link or paper) | KRITISCH |
+---
+## StBerG — Steuerberater
+| Pflicht | Severity |
+|---|---|
+| Berufsbezeichnung "Steuerberater"/"Steuerbevollmächtigter" + verleihender Staat | KRITISCH |
+| Zuständige Steuerberaterkammer | KRITISCH |
+| StBVV-Hinweis (Vergütung) | HOCH |
+| Berufshaftpflicht | KRITISCH |
+| Eintragung Berufsregister | HOCH |
+---
+## HOAI — Architekt
+| Pflicht | Severity |
+|---|---|
+| Berufsbezeichnung "Architekt"/"Architektin" + verleihender Staat | KRITISCH |
+| Architektenkammer (Bundesland) | KRITISCH |
+| Eintragsnummer | HOCH |
+| HOAI-Hinweis (Vergütung) | MITTEL |
+| Berufshaftpflicht | KRITISCH |
+---
+## HwO — Handwerk
+| Pflicht | Severity |
+|---|---|
+| Handwerksrolle + Eintragsnummer (when zulassungspflichtiges Handwerk) | KRITISCH |
+| Meisterprüfung-Nachweis (when rolle-pflichtig) | HOCH |
+| Zuständige Handwerkskammer | HOCH |
+| Innung-Mitgliedschaft (when applicable) | LOW |
+---
+## GlüStV — Glücksspiel
+For online-Glücksspiel: Stricter regime + license-display per GlüStV-2021. Out-of-scope unless target is licensed gambling.
+---
+## FernUSG — Fernunterricht
+If site sells distance-learning (online-courses with Lehrpersonen + Prüfung):
+- Zulassung-Nummer FernUSG (ZFU)
+- Vertragsbedingungen klar getrennt von Marketing
+- Widerrufsbelehrung verlängert (FernUSG)
+---
+## Findings Format
+```yaml
+- id: L6-BORA-NO-VERSICHERER
+  layer: 6
+  industry: anwalt
+  severity: KRITISCH
+  evidence:
+    detected_industry: anwalt
+    detection_signal: "Fachanwalt (line 23), BORA (line 47)"
+    impressum_url: <url>
+    versicherer_present: false
+  recommendation: "Add Berufshaftpflichtversicherung (Versicherer + räumlicher Geltungsbereich) per BORA § 7 + DDG § 5 Abs. 1 Nr. 8"
+  citation: "BORA § 7, DDG § 5 Abs. 1 Nr. 8, BRAO § 51"
+  abmahn_risk: "€2000-7000 (Kammern + Konkurrenz-Anwalt-Abmahnung)"
+```
+---
+## Anti-Patterns specific to Layer 6
+- ❌ Applying BORA-checks to a marketing-website that mentions "Rechtsanwalt" as a stock-image alt-text — verify the site is actually offering legal services.
+- ❌ Reporting LMIV-violations on a non-online-shop site (e.g., a restaurant blog without ordering) — LMIV applies to commercial offer of food, not editorial.
+- ❌ Reporting HWG on a private-blog about wellness — HWG applies to advertising of medicinal products / treatments by professionals.
+- ❌ Skipping Layer 6 for "generic" industry — even generic businesses have GewO basics (Gewerbeschein, GewSt-Nummer when applicable).
+- ❌ Inferring industry from a single keyword — require multiple signals (e.g., 2+ industry-specific terms before classification).
+- ❌ Hard-coding industry-list — the catalog should grow with operator-feedback; new industries added per `references/layer-6-branche-<industry>.md` extension.

package/skills/foundation/aegis-native/aegis-audit/references/layer-7-code-cross-check.md ADDED Viewed

@@ -0,0 +1,212 @@
+# Layer 7 Reference — Code-Cross-Check
+Layer 7 runs ONLY when aegis-audit has access to the source-code (local repo / customer-build artifact). Catches: hardcoded secrets, unsafe-eval / unsafe-inline patterns, missing CSP-headers in middleware, env-vars-leak in public builds, bug-bounty-known-bad-patterns. **Time:** ~5-15 min per target.
+---
+## Activation Conditions
+Layer 7 runs when:
+- Target is a local repo (`--target=./` or `--target=customers/<slug>/`)
+- Target is a built artifact with source-maps (`<target>/.next/server/chunks/`)
+- Operator passes `--enable-layer-7`
+Layer 7 does NOT run on a deployed-only URL — there's no source to inspect.
+---
+## Hardcoded Secrets Detection
+```bash
+# Common secret-patterns
+TARGETS="src/ app/ pages/ lib/ scripts/ next.config.js next.config.ts middleware.ts"
+# API keys
+grep -rEn '(api[_-]?key|secret[_-]?key|password|access[_-]?token)\s*[=:]\s*["\x27][^"\x27]{20,}' $TARGETS --include="*.{ts,tsx,js,jsx,json,env*}" 2>/dev/null
+# AWS-style
+grep -rEn 'AKIA[0-9A-Z]{16}' $TARGETS 2>/dev/null
+# JWT-like tokens
+grep -rEn 'eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*' $TARGETS 2>/dev/null
+# Private keys
+grep -rEn -- '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' $TARGETS 2>/dev/null
+```
+| Match | Severity |
+|---|---|
+| API-key / token in source | KRITISCH |
+| Database connection string | KRITISCH |
+| JWT-secret in source | KRITISCH |
+| Private key in source | KRITISCH |
+| `.env` file committed | KRITISCH |
+| `.env.local` file committed | HOCH |
+| Hardcoded test-credential (e.g., test-stripe-key) | LOW (intentional) |
+---
+## Public-Build Env-Vars-Leak
+Next.js: only `NEXT_PUBLIC_*` env-vars are exposed to client-bundles. Anything else exposed = leak.
+```bash
+# Find env-vars used on client
+grep -rEn 'process\.env\.[A-Z_]+' src/components/ src/app/*/page.tsx src/lib/client/ 2>/dev/null
+# For each, verify it's prefixed NEXT_PUBLIC_
+# If not — leak
+```
+| Pattern | Severity |
+|---|---|
+| `process.env.SECRET_KEY` in 'use client' component | KRITISCH |
+| `process.env.STRIPE_SECRET` in client-component | KRITISCH |
+| `NEXT_PUBLIC_*` used in server-only context | LOW (just bad style) |
+---
+## CSP Cross-Check
+Layer 1 reports the actual served CSP. Layer 7 reads `next.config.js` / `middleware.ts` to verify CSP-source.
+```bash
+# Find CSP-source
+grep -rEn 'Content-Security-Policy' next.config.* middleware.* src/middleware.* 2>/dev/null
+# Verify against served (Layer 1 finding)
+diff <(grep -oE "Content-Security-Policy.*" /tmp/audit-headers-get.txt) \
+     <(grep -oE "Content-Security-Policy.*" middleware.ts | head -1)
+```
+| Drift | Severity |
+|---|---|
+| CSP in middleware but not in served headers | HOCH (proxy stripping it) |
+| CSP in next.config but not in served | MITTEL (build-config not active) |
+| CSP differs between source + served | HOCH (drift / proxy-rewrite) |
+---
+## Unsafe Patterns
+```bash
+# eval / Function-constructor
+grep -rEn '\beval\(|new Function\(' src/ 2>/dev/null
+# Set innerHTML / dangerouslySetInnerHTML without sanitization
+grep -rEn 'dangerouslySetInnerHTML' src/ | xargs -I{} grep -L 'sanitize\|DOMPurify' {} 2>/dev/null
+# document.write
+grep -rEn 'document\.write\(' src/ 2>/dev/null
+# raw HTML construction
+grep -rEn 'innerHTML\s*=' src/ 2>/dev/null
+```
+| Pattern | Severity |
+|---|---|
+| `eval()` in production code | HOCH (CSP-cross-check: needs `unsafe-eval`) |
+| `dangerouslySetInnerHTML` without DOMPurify-or-equivalent | HOCH |
+| `document.write` | MITTEL |
+| `innerHTML =` with untrusted input | KRITISCH |
+| `target="_blank"` without `rel="noopener noreferrer"` | MITTEL (window-opener attack) |
+---
+## API-Route Wrapper Coverage
+Verify every API-route uses `secureApiRoute`:
+```bash
+# Find all api routes
+find app/api -name "route.ts" -o -name "route.tsx" 2>/dev/null
+# For each, verify wrapper used
+for f in $(find app/api -name "route.ts" 2>/dev/null); do
+  if ! grep -q "secureApiRoute\|requireRole\|withAuth" "$f"; then
+    echo "L7-API-ROUTE-NO-WRAPPER: $f (HOCH)"
+  fi
+done
+```
+Routes without wrapper bypass: rate-limit + Origin-check + body-validation. KRITISCH for state-mutating routes (POST/PUT/DELETE).
+---
+## Form Honeypot + DSGVO-Consent Coverage
+```bash
+# Find form components
+grep -rln '<form' src/components/forms/ src/components/ 2>/dev/null
+# Verify honeypot present
+for f in $(grep -rln '<form' src/components/ 2>/dev/null); do
+  if ! grep -qE '_honey|honeypot|hidden\s+input' "$f"; then
+    echo "L7-FORM-NO-HONEYPOT: $f (MITTEL)"
+  fi
+  if ! grep -qE 'consent\|dsgvo\|datenschutz' "$f"; then
+    echo "L7-FORM-NO-CONSENT: $f (HOCH)"
+  fi
+done
+```
+---
+## Dependency Vulnerability Scan
+```bash
+# pnpm audit (or npm audit)
+pnpm audit --json > /tmp/audit-deps.json 2>/dev/null
+# Parse high/critical
+high_count=$(jq -r '.metadata.vulnerabilities.high // 0' /tmp/audit-deps.json)
+crit_count=$(jq -r '.metadata.vulnerabilities.critical // 0' /tmp/audit-deps.json)
+[ $crit_count -gt 0 ] && echo "L7-DEPS-CRITICAL: $crit_count (KRITISCH)"
+[ $high_count -gt 0 ] && echo "L7-DEPS-HIGH: $high_count (HOCH)"
+```
+---
+## License-Cross-Check (compliance-relevant)
+```bash
+# Find dependencies with non-permissive licenses (GPL, AGPL)
+npx license-checker --json 2>/dev/null | jq -r 'to_entries[] | select(.value.licenses | tostring | test("GPL|AGPL")) | "\(.key): \(.value.licenses)"'
+```
+| Issue | Severity |
+|---|---|
+| AGPL dep in proprietary build | KRITISCH (license-incompatible) |
+| GPL dep in proprietary build | HOCH |
+| Unknown license | MITTEL |
+---
+## Findings Format
+```yaml
+- id: L7-API-ROUTE-NO-WRAPPER
+  layer: 7
+  severity: HOCH
+  evidence:
+    file: app/api/contact/route.ts
+    line_range: [1, 30]
+    detected_pattern: "export const POST = async (req) => { ... }"
+    expected_pattern: "export const POST = secureApiRoute({...})"
+  recommendation: "Wrap POST handler in secureApiRoute (rate-limit + Origin-check + Zod-validation)"
+  citation: "BSI TR-03116-4 §4.5; OWASP API Top-10 #4 (Lack of Resources & Rate Limiting)"
+  abmahn_risk: "Indirect — facilitates DoS / spam / credential-stuffing; €0 direct, escalates incident-cost when exploited"
+```
+---
+## Anti-Patterns specific to Layer 7
+- ❌ Running Layer 7 on a deployed-only URL — needs source-code.
+- ❌ Reporting "secret in source" for a `.env.example` template file — verify it's a real env-file.
+- ❌ Marking `dangerouslySetInnerHTML` as KRITISCH without checking for sanitization — DOMPurify or equivalent makes it acceptable.
+- ❌ Skipping `pnpm audit` because "deps look fine" — CVE-database changes daily.
+- ❌ Reporting "GPL dep" when project is also GPL — license-conflict only when target's license differs.
+- ❌ Inferring CSP-drift without serving the build first — middleware might be overridden by reverse-proxy in production.

package/skills/foundation/aegis-native/aegis-audit/references/layer-8-schadens-diagnose.md ADDED Viewed

@@ -0,0 +1,232 @@
+# Layer 8 Reference — Schadens-Diagnose (SYNTHESIZER + €-Range)
+Layer 8 is the consolidator. Reads Layer 1-7 findings, produces the 4-section report, computes €-range estimates via the industry × visibility × competitor formula. **Time:** ~5-10 min after Layer 7 completes.
+---
+## 4-Section Report Structure
+```markdown
+# Audit Report — <project_slug | target>
+**Date:** YYYY-MM-DD
+**Mode:** mid | full
+**Target:** <url | repo-path>
+---
+## 1. Schadens-Diagnose
+(Top-level summary, ≤ 200 words. €-range estimate. Status DONE | INCOMPLETE.)
+---
+## 2. Findings-Tabelle
+(Detailed per-finding. Severity + layer + ID + evidence + recommendation + citation. Ordered KRITISCH → HOCH → MITTEL → LOW.)
+---
+## 3. Anwalts-Anhang
+(Legal citations + court-decisions referenced. Per finding, the source-of-law that justifies the severity-classification.)
+---
+## 4. Abmahn-Simulation
+(Probability-weighted cost model. Industry × Visibility × Competitor-Pressure → € range over 12 months.)
+---
+**Disclaimer:** Estimates are advisory; not legal advice. Verify with a Fachanwalt für IT-Recht / Wettbewerbsrecht / Gewerblichen Rechtsschutz before relying on them.
+```
+---
+## Section 1: Schadens-Diagnose
+```markdown
+## 1. Schadens-Diagnose
+**Status:** DONE | INCOMPLETE
+**AEGIS-Score (when scan-mode):** N/1000 / Grade <S|A|B|C|D|F> / Bracket <FORTRESS|HARDENED|...>
+**Findings-Total:** K KRITISCH / H HOCH / M MITTEL / L LOW
+**€-Range (12 months):** €<low> - €<high>
+**Top-3-Risks:**
+1. <ID>: <one-sentence-summary>. Risk: €<low>-<high>.
+2. <ID>: ...
+3. <ID>: ...
+**Composite-Findings (cross-correlation pass):**
+- <ID-A> + <ID-B> + <ID-C> → composite KRITISCH (€<low>-<high>)
+```
+---
+## Section 2: Findings-Tabelle
+```markdown
+## 2. Findings-Tabelle
+| Severity | Layer | ID | Title | €-Range | Citation |
+|---|---|---|---|---|---|
+| KRITISCH | 4 | L4-DSE-DRITTLAND-MISSING | DSE fehlt Drittlandtransfer-Section | €2000-15000 | DSGVO Art. 13/46; EuGH C-311/18 |
+| KRITISCH | 5 | L5-PRE-CONSENT-TRACKER | _ga + _fbp set before banner-acceptance | €500-5000 | TTDSG §25; BGH I ZR 7/16 |
+| HOCH | 1 | L1-CSP-UNSAFE-INLINE | CSP allows unsafe-inline on script-src | €0 (no direct abmahn) | OWASP CSP-3 |
+| HOCH | 3 | L3-IMPRESSUM-VAT-MISSING | Impressum fehlt USt-IdNr | €500-2000 | DDG §5 Abs. 1 Nr. 6 |
+| ... | ... | ... | ... | ... | ... |
+(Then per finding, expand with Evidence + Recommendation block.)
+### KRITISCH 1: L4-DSE-DRITTLAND-MISSING
+**Severity:** KRITISCH
+**Layer:** 4
+**Found at:** /datenschutz (line 47)
+**Evidence:**
+- 3rd-parties detected: fonts.googleapis.com, www.google-analytics.com, connect.facebook.net
+- DSE-mentions-Drittland: false
+- DSE-mentions-SCC: false
+**Recommendation:**
+Add Drittlandtransfer-section listing US-3rd-parties (Google Fonts, Google Analytics, Facebook Pixel), reference SCC + TIA per Schrems-II EuGH C-311/18, Art. 46 DSGVO Schutzgarantien.
+**Citation:** DSGVO Art. 13 Abs. 1 lit. f; Art. 46; EuGH C-311/18 (Schrems-II); LG München I 3 O 17493/20 (Google Fonts).
+**€-Range:** €2000-15000 over 12 months (industry × visibility-dependent).
+```
+---
+## Section 3: Anwalts-Anhang
+```markdown
+## 3. Anwalts-Anhang
+### DSGVO (Verordnung (EU) 2016/679)
+- **Art. 13** — Informationspflicht bei Erhebung beim Betroffenen (referenced by L4-DSE-*)
+- **Art. 46** — Übermittlung vorbehaltlich geeigneter Garantien (referenced by L4-DSE-DRITTLAND-MISSING)
+- **Art. 7 Abs. 1** — Einwilligung nachweisen (referenced by L5-PRE-CONSENT-*)
+- **Art. 28** — Auftragsverarbeitung (referenced by L4-DSE-AVV-MISSING)
+### TTDSG / TDDDG
+- **§ 25 Abs. 1** — Einwilligung erforderlich für Speicherung von Informationen / Zugriff darauf (Cookies, fingerprinting)
+### DDG (vormals TMG)
+- **§ 5 Abs. 1** — Allgemeine Informationspflichten (Impressum)
+- **§ 5 Abs. 1 Nr. 6** — USt-IdNr. (when § 27a UStG applies)
+### Court Decisions
+- **EuGH 2020-07-16 C-311/18 (Schrems-II)** — Privacy-Shield invalid; SCC + TIA required for US-Drittlandtransfer
+- **BGH 2020-05-28 I ZR 7/16** — Cookie-Banner: einseitige Klick-Lösung unzulässig
+- **LG München I 2022-01-20 3 O 17493/20** — Google Fonts via Google CDN = Drittlandtransfer ohne Rechtsgrundlage; €100 Schadensersatz pro Betroffenem
+- **EuGH 2008-10-16 C-298/07** — § 5 TMG (= jetzt DDG §5) ist auch B2B-Pflicht
+- **OLG Düsseldorf 2019-03-26 I-20 U 75/18** — DSE als wettbewerbsrechtlich relevante Pflicht (UWG-Abmahnung möglich)
+### Industry-specific (Layer 6)
+(Listed per industry detected — BORA / HWG / LMIV / etc.)
+```
+---
+## Section 4: Abmahn-Simulation
+```markdown
+## 4. Abmahn-Simulation
+### Methodology
+For each KRITISCH/HOCH finding, the €-range is computed as:
+```
+€-range = Base × Industry-Multiplier × Visibility-Multiplier × Competitor-Pressure
+```
+| Variable | Range |
+|---|---|
+| Base (per finding-class) | €100-2000 |
+| Industry-Multiplier | 0.5 (private blog) - 2.5 (regulated industry: Anwalt, Arzt, Steuerberater) |
+| Visibility-Multiplier | 0.3 (Alexa > 1M) - 2.0 (Top-10000) |
+| Competitor-Pressure | 0.5 (uncommon abmahn-target) - 2.0 (active abmahn-anwalt watching industry) |
+### Example Calculation: L4-DSE-DRITTLAND-MISSING
+- Base: €1500 (DSGVO Drittlandtransfer cluster)
+- Industry: 1.0 (generic web-business)
+- Visibility: 1.5 (Top-100k DACH-traffic)
+- Competitor: 1.5 (Google Fonts = active abmahn-anwalt-Linie)
+- **Total: €1500 × 1.0 × 1.5 × 1.5 = €3375 mid-estimate**
+- Range: €2000-€5000 (varying competitor + industry factors)
+### Composite-Findings (cross-correlation)
+Composite findings (≥ 2 KRITISCH from related layers) get aggregated:
+- DSE incomplete + Pre-consent tracker + Impressum incomplete = **abmahn-cluster** (likely Konkurrenz-Anwalt or Verbraucherschutzverband target).
+- Aggregated: €5000-€15000 over 12 months.
+### Probability-Weighted Estimate
+| Scenario | Probability | Cost |
+|---|---|---|
+| No abmahnung | 60% | €0 |
+| 1 individual abmahnung (Verbraucher) | 25% | €1500-3500 |
+| 1 Konkurrenz-Abmahnung | 12% | €5000-10000 |
+| Multi-finding abmahn-cluster | 3% | €10000-25000 |
+**Expected value:** 0.6 × 0 + 0.25 × 2500 + 0.12 × 7500 + 0.03 × 17500 = **~€2050 over 12 months**.
+(Recompute per project. The probabilities shift with industry, visibility, competitor-pressure.)
+---
+**Disclaimer:** This is a probabilistic risk-model, not legal advice. Actual abmahnungen depend on case-specific factors (timing, abmahn-anwalt activity, court-Linie). For anything ≥ €5000 estimated risk, consult a Fachanwalt für IT-Recht.
+```
+---
+## Computation Algorithm
+```ts
+// Pseudo-code for €-range computation
+function computeEuroRange(finding, context) {
+  const base = SEVERITY_BASE[finding.severity]; // KRITISCH: 1000-3000, HOCH: 200-1000, MITTEL: 50-200, LOW: 0-50
+  const industry = INDUSTRY_MULTIPLIER[context.industry] ?? 1.0;
+  const visibility = visibilityMultiplier(context.alexa_rank ?? 1_000_000);
+  const competitor = competitorPressure(context.industry, finding.id);
+  const low = base.low * industry * visibility * competitor;
+  const high = base.high * industry * visibility * competitor;
+  return { low, high };
+}
+function aggregateComposites(findings) {
+  // Find clusters of related KRITISCH findings (cross-correlation pass already classified them)
+  const clusters = groupByCluster(findings);
+  return clusters.map(cluster => ({
+    ids: cluster.map(f => f.id),
+    severity: 'COMPOSITE-KRITISCH',
+    range: cluster.reduce((acc, f) => ({
+      low: acc.low + f.range.low * 0.7,  // 30% discount for composite (single abmahn-letter for multiple findings)
+      high: acc.high + f.range.high * 0.85,
+    }), { low: 0, high: 0 }),
+  }));
+}
+```
+---
+## Anti-Patterns specific to Layer 8
+- ❌ Reporting €-range without disclaimer — always note "advisory; not legal advice".
+- ❌ Hardcoding base-amounts — use a configurable table per `aegis.config.json` `audit.severity_base[]`.
+- ❌ Skipping composite-findings cross-correlation — single findings are often €0; clusters are where the abmahn-risk lives.
+- ❌ Using Alexa-rank only for visibility — also factor: industry-specific visibility (Top-10 in Anwalt-Verzeichnis = high visibility even at Alexa > 1M).
+- ❌ Ignoring competitor-pressure for non-DACH — Layer 8 is calibrated for DACH abmahn-Linien; for US/UK markets, recalibrate.
+- ❌ Promising precise €-amount — always range. "€3375 exact" gives false confidence; "€2000-5000" reflects uncertainty.
+- ❌ Skipping disclaimer in stdout-summary — every output includes the advisory-not-legal-advice note.