@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/gdpr-cleanup-cron.md

@@ -0,0 +1,244 @@
+---
+license: MIT (snippet)
+provider: NestJS + @nestjs/schedule (Open-Source)
+last-checked: 2026-05-05
+purpose: NestJS Schedule-Module + Soft-Delete + Anonymisierungs-Cron fuer DSGVO-Loeschpflichten.
+---
+
+# NestJS — GDPR-Cleanup-Cron Pattern
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `@nestjs/schedule` in Dependencies
+- `@Cron(...)` Decorator-Verwendung
+- `ScheduleModule.forRoot()` in `AppModule`
+- Optional: Soft-Delete-Patterns (`deletedAt: Date | null`)
+- Optional: Anonymisierungs-Service
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Soft-Deletes bleiben unbegrenzt → DSGVO Art. 5 lit. e Verstoss (Speicherbegrenzung)
+- Inaktive User-Accounts bleiben → uebermaessige Speicherung
+- Analytics-Events ohne Loeschfrist → Profil-Bildung trotz Widerruf
+- Backup-Files ohne Rotation → DSE-Drift gegenueber Realitaet
+- Kein Cron-Watchdog → silent failure bei Job-Crash
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Soft-Deletes nie hard-deleted | Art. 5 lit. e DSGVO | KRITISCH | Cron `0 3 * * *` mit Hard-Delete |
+| Inaktive Accounts unbegrenzt | Art. 5 lit. e | HOCH | Inaktivitaets-Cleanup nach <placeholder-days> Tagen |
+| Analytics-Events nie geloescht | Art. 5 lit. e | HOCH | Tabellen-Truncate-Cron |
+| Cron-Crash unbemerkt | Art. 5 Abs. 2 (Rechenschaft) | KRITISCH | Health-Endpoint + Last-Run-Tabelle |
+| Concurrent-Cron-Runs | Datenintegritaet | MITTEL | Distributed-Lock (Redis SETNX) |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/gdpr/gdpr-cleanup.service.ts
+import { Injectable, Logger } from '@nestjs/common';
+import { Cron, CronExpression } from '@nestjs/schedule';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository, LessThan } from 'typeorm';
+import { User } from '../users/user.entity';
+import { ConsentLog } from '../consent/consent-log.entity';
+import { AnalyticsEvent } from '../analytics/analytics-event.entity';
+import { CronRun } from './cron-run.entity';
+
+@Injectable()
+export class GdprCleanupService {
+  private readonly logger = new Logger(GdprCleanupService.name);
+
+  constructor(
+    @InjectRepository(User) private readonly users: Repository<User>,
+    @InjectRepository(ConsentLog) private readonly consentLogs: Repository<ConsentLog>,
+    @InjectRepository(AnalyticsEvent) private readonly events: Repository<AnalyticsEvent>,
+    @InjectRepository(CronRun) private readonly runs: Repository<CronRun>,
+  ) {}
+
+  @Cron('0 3 * * *', { name: 'gdpr-hard-delete' })  // Taeglich 3 Uhr UTC
+  async hardDeleteSoftDeleted() {
+    const start = Date.now();
+    const cutoff = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);  // 30 Tage Widerruf-Frist
+
+    try {
+      const result = await this.users.delete({
+        deletedAt: LessThan(cutoff),
+      });
+
+      await this.runs.save({
+        jobName: 'gdpr-hard-delete',
+        startedAt: new Date(start),
+        finishedAt: new Date(),
+        status: 'SUCCESS',
+        deletedCount: result.affected ?? 0,
+      });
+
+      this.logger.log(`Hard-deleted ${result.affected} users (cutoff ${cutoff.toISOString()})`);
+    } catch (err: any) {
+      await this.runs.save({
+        jobName: 'gdpr-hard-delete',
+        startedAt: new Date(start),
+        finishedAt: new Date(),
+        status: 'FAILED',
+        error: err.message,
+      });
+      this.logger.error(`Cron failed: ${err.message}`);
+      throw err;
+    }
+  }
+
+  @Cron('0 4 * * 0', { name: 'inactive-user-cleanup' })  // Sonntag 4 Uhr UTC
+  async deleteInactiveUsers() {
+    const cutoff = new Date(Date.now() - 365 * 2 * 24 * 60 * 60 * 1000);  // 2 Jahre inaktiv
+
+    const inactive = await this.users.find({
+      where: { lastLoginAt: LessThan(cutoff), deletedAt: null },
+      take: 1000,  // Batch-Limit
+    });
+
+    for (const user of inactive) {
+      await this.users.update(user.id, {
+        deletedAt: new Date(),
+        deletionReason: 'INACTIVITY_TIMEOUT_2_YEARS',
+        email: `inactive-${user.id}@<placeholder-domain>`,
+        name: 'GELOESCHT',
+      });
+    }
+
+    this.logger.log(`Soft-deleted ${inactive.length} inactive users`);
+  }
+
+  @Cron('0 5 * * *', { name: 'analytics-events-cleanup' })  // Taeglich 5 Uhr UTC
+  async deleteOldAnalyticsEvents() {
+    const cutoff = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);  // 90 Tage Speicherfrist
+
+    const result = await this.events.delete({
+      timestamp: LessThan(cutoff),
+    });
+
+    this.logger.log(`Deleted ${result.affected} old analytics events`);
+  }
+
+  @Cron('0 6 * * 0', { name: 'consent-log-rotation' })  // Sonntag 6 Uhr UTC
+  async rotateConsentLogs() {
+    // 6 Jahre Aufbewahrung (Verjaehrungsfrist Schadensersatz DSGVO)
+    const cutoff = new Date(Date.now() - 6 * 365 * 24 * 60 * 60 * 1000);
+
+    const result = await this.consentLogs.delete({
+      timestamp: LessThan(cutoff),
+    });
+
+    this.logger.log(`Rotated ${result.affected} old consent logs`);
+  }
+}
+```
+
+```typescript
+// File: src/gdpr/health.controller.ts
+import { Controller, Get } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository, MoreThan } from 'typeorm';
+import { CronRun } from './cron-run.entity';
+
+@Controller('health')
+export class HealthController {
+  constructor(
+    @InjectRepository(CronRun) private readonly runs: Repository<CronRun>,
+  ) {}
+
+  @Get('cron')
+  async cronHealth() {
+    const last24h = new Date(Date.now() - 24 * 60 * 60 * 1000);
+
+    const recentRuns = await this.runs.find({
+      where: { startedAt: MoreThan(last24h) },
+      order: { startedAt: 'DESC' },
+    });
+
+    const failed = recentRuns.filter(r => r.status === 'FAILED');
+    const expectedJobs = ['gdpr-hard-delete', 'analytics-events-cleanup'];
+    const missingJobs = expectedJobs.filter(
+      j => !recentRuns.some(r => r.jobName === j && r.status === 'SUCCESS')
+    );
+
+    return {
+      healthy: failed.length === 0 && missingJobs.length === 0,
+      recentRuns: recentRuns.length,
+      failedRuns: failed.length,
+      missingJobs,
+    };
+  }
+}
+```
+
+```typescript
+// File: src/app.module.ts (Auszug)
+import { Module } from '@nestjs/common';
+import { ScheduleModule } from '@nestjs/schedule';
+import { GdprCleanupService } from './gdpr/gdpr-cleanup.service';
+
+@Module({
+  imports: [ScheduleModule.forRoot()],
+  providers: [GdprCleanupService],
+})
+export class AppModule {}
+```
+
+## AVV / DPA
+
+- Datenbank — AVV (Hard-Delete-Wirksamkeit muss garantiert sein)
+- Backup-Provider — AVV mit Rotation-Garantie (sonst Hard-Delete in Backup nicht wirksam)
+- Cron-Watchdog (UptimeRobot / better-stack EU) — optional, AVV bei Health-Pings
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Loeschfristen und automatisierte Datenbereinigung
+
+Wir loeschen Ihre Daten automatisch nach folgenden Fristen:
+
+| Datenkategorie | Frist | Ausloeser |
+|---|---|---|
+| User-Account (aktiv) | bis Loeschungs-Anfrage | Manuell |
+| User-Account (inaktiv) | 2 Jahre nach letztem Login | Automatisch (taeglich) |
+| Analytics-Events | 90 Tage nach Erfassung | Automatisch (taeglich) |
+| Consent-Logs | 6 Jahre | Automatisch (woechentlich) |
+| Server-Logs | 14 Tage | Automatisch |
+| Backups | 90 Tage Rotation | Provider-seitig |
+
+**Soft-Delete + Hard-Delete:**
+Bei manueller Loeschung wird Ihr Account zunaechst soft-geloescht (PII
+ueberschrieben, Account deaktiviert). Nach 30 Tagen Widerruf-Frist erfolgt
+das endgueltige Hard-Delete in allen Systemen.
+
+**Rechtsgrundlage:** Art. 5 lit. e DSGVO (Speicherbegrenzung).
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Cron-Health-Endpoint
+curl https://<placeholder-domain>/health/cron
+# Erwartung: { "healthy": true, "missingJobs": [] }
+
+# 2. Bei fehlendem Job: missingJobs gefuellt
+# (Test: stoppe Cron-Service, warte 25h, prufe Endpoint)
+
+# 3. Soft-Delete-Wirkung
+# DB-Query: SELECT email, deleted_at FROM users WHERE deleted_at IS NOT NULL LIMIT 5;
+# Erwartung: email-Feld ueberschrieben, deleted_at gesetzt
+
+# 4. Hard-Delete nach 30 Tagen
+# DB-Query: SELECT COUNT(*) FROM users WHERE deleted_at < now() - interval '30 days';
+# Erwartung: 0
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `data-retention-checker.ts`, `cron-coverage-checker.ts`, `soft-delete-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 5 lit. e (Speicherbegrenzung), Art. 17 (Loeschung)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 4 (DSE-Drift Style 2 / Cron-Coverage)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/tracking-interceptor.md

@@ -0,0 +1,239 @@
+---
+license: MIT (snippet)
+provider: NestJS (Open-Source)
+last-checked: 2026-05-05
+purpose: NestJS Interceptor-Pattern fuer Tracker-Calls + Consent-Check + Anonymisierung.
+---
+
+# NestJS — Tracking-Interceptor (Pattern)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `@Injectable()` Klassen die `NestInterceptor` implementieren
+- `@UseInterceptors(...)` Decorator-Verwendung
+- HTTP-Outbound-Calls in Service-Methoden (Tracker-Forwards)
+- Optional: `rxjs` `tap()` / `mergeMap()` Operators
+
+Pattern: zentraler Interceptor wrapped Tracker-Outbound-Calls. Vor dem Send wird Consent geprueft, IP gehasht, PII entfernt.
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Tracker-Calls in Services direkt → schwer zu auditieren
+- Kein zentraler PII-Filter → Email/Name leakt in Tracker-Payloads
+- Kein Backpressure → bei Tracker-Overload blockiert Hauptrequest
+- `console.log`-Debugging belaesst Klartext-Daten in stdout
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| PII (Email/Name) in Tracker-Payload | Art. 5 lit. c DSGVO | KRITISCH | Interceptor whitelistet Felder |
+| Klartext-IP in Tracker-Forward | Art. 5 lit. f | HOCH | IP-Hash im Interceptor |
+| Tracker-Crash blockiert Hauptrequest | Art. 32 DSGVO | MITTEL | `catchError` + Fire-and-Forget |
+| Drittland-Forward ohne Allowlist | Art. 44 DSGVO | KRITISCH | Allowlist in Interceptor-Config |
+| Console-Log mit PII | Art. 5 lit. f | HOCH | Pino-Redact + Logger-Service |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/tracking/tracking.interceptor.ts
+import {
+  CallHandler, ExecutionContext, Injectable, NestInterceptor, Logger,
+} from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { tap, catchError } from 'rxjs/operators';
+import { of } from 'rxjs';
+import * as crypto from 'crypto';
+import { ConfigService } from '@nestjs/config';
+
+const ALLOWED_FIELDS = new Set([
+  'event', 'path', 'referrer', 'screen', 'language', 'timestamp',
+]);
+
+const ALLOWED_HOSTS = new Set([
+  '<placeholder-eu-analytics-host>',
+  '<placeholder-eu-error-tracking-host>',
+]);
+
+@Injectable()
+export class TrackingInterceptor implements NestInterceptor {
+  private readonly logger = new Logger(TrackingInterceptor.name);
+
+  constructor(private readonly config: ConfigService) {}
+
+  intercept(ctx: ExecutionContext, next: CallHandler): Observable<any> {
+    const req = ctx.switchToHttp().getRequest();
+    const consentRaw = req.cookies?.['cookie-consent'];
+    let consent = { necessary: true, analytics: false, marketing: false };
+    try {
+      if (consentRaw) consent = { ...consent, ...JSON.parse(consentRaw) };
+    } catch {}
+
+    return next.handle().pipe(
+      tap(async (data) => {
+        if (!consent.analytics) return;
+        if (!data?.trackingEvent) return;
+
+        const event = data.trackingEvent;
+        const safe = this.sanitize(event);
+        const ipHash = this.ipHash(req);
+
+        // Fire-and-Forget: Tracker-Crash darf Hauptrequest nicht beeinflussen
+        this.forward(safe, ipHash).catch((err) => {
+          this.logger.warn(`tracking-forward-failed: ${err.message}`);
+        });
+      }),
+      catchError((err) => {
+        // Hauptrequest-Errors propagieren, Tracker-Errors swallowen
+        throw err;
+      }),
+    );
+  }
+
+  private sanitize(event: any): Record<string, unknown> {
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(event)) {
+      if (ALLOWED_FIELDS.has(k) && (typeof v === 'string' || typeof v === 'number')) {
+        out[k] = typeof v === 'string' ? v.slice(0, 500) : v;
+      }
+    }
+    return out;
+  }
+
+  private ipHash(req: any): string {
+    const ip = req.headers['x-forwarded-for']?.toString().split(',')[0]?.trim()
+      ?? req.socket?.remoteAddress
+      ?? '';
+    return crypto
+      .createHash('sha256')
+      .update(ip + this.config.get('IP_HASH_SALT', ''))
+      .digest('hex')
+      .slice(0, 16);
+  }
+
+  private async forward(payload: Record<string, unknown>, visitorHash: string): Promise<void> {
+    const endpoint = this.config.get<string>('ANALYTICS_ENDPOINT', '');
+    if (!endpoint) return;
+
+    const host = new URL(endpoint).host;
+    if (!ALLOWED_HOSTS.has(host)) {
+      this.logger.error(`Tracker-Host ${host} nicht in Allowlist — Forward abgebrochen`);
+      return;
+    }
+
+    await fetch(endpoint, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${this.config.get('ANALYTICS_TOKEN', '')}`,
+      },
+      body: JSON.stringify({ ...payload, visitorHash }),
+      signal: AbortSignal.timeout(2000),
+    });
+  }
+}
+```
+
+```typescript
+// File: src/tracking/tracking.module.ts
+import { Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
+import { APP_INTERCEPTOR } from '@nestjs/core';
+import { TrackingInterceptor } from './tracking.interceptor';
+
+@Module({
+  imports: [ConfigModule],
+  providers: [
+    { provide: APP_INTERCEPTOR, useClass: TrackingInterceptor },
+  ],
+})
+export class TrackingModule {}
+```
+
+```typescript
+// File: src/example/example.controller.ts (Beispiel-Verwendung)
+import { Body, Controller, Post } from '@nestjs/common';
+
+@Controller('api/example')
+export class ExampleController {
+  @Post('action')
+  async doAction(@Body() body: any) {
+    // Geschaeftslogik
+    const result = await this.businessLogic(body);
+
+    // Tracker-Event ZUSAMMEN mit Response zurueckgeben
+    // Interceptor fired das Event nach Response-Send
+    return {
+      ...result,
+      trackingEvent: {
+        event: 'action_completed',
+        path: '/api/example/action',
+        timestamp: new Date().toISOString(),
+      },
+    };
+  }
+
+  private async businessLogic(_body: any) {
+    return { ok: true };
+  }
+}
+```
+
+## AVV / DPA
+
+- Tracker-Forward-Provider — AVV Pflicht (Allowlist-Hosts)
+- Logging-Service (NestJS-Logger / Pino-Cloud / Datadog EU) — AVV
+- Hosting-Provider — Art. 28 DSGVO
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Webanalyse-Forwards
+
+Mit Ihrer Einwilligung leiten wir anonymisierte Tracker-Events an unseren
+Analytics-Provider weiter. Vor Versand erfolgt eine zwei-stufige Pruefung:
+
+1. **PII-Filter:** Nur folgende Felder werden uebertragen:
+   - Event-Name (z.B. `pageview`, `click`)
+   - URL-Pfad (ohne Query-String)
+   - Referrer-Domain (ohne Pfad)
+   - Bildschirm-Aufloesung
+   - Sprach-Code
+   - Zeitstempel
+
+2. **IP-Anonymisierung:** Statt Ihrer IP-Adresse uebertragen wir einen
+   gesalzenen Hash (SHA-256, 16 Zeichen), der nicht reversibel ist.
+
+**Anbieter:** <placeholder-analytics-provider>, EU-Hosting.
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. a DSGVO i.V.m. § 25 Abs. 1 TDDDG.
+**Widerruf:** [Cookie-Einstellungen](#cookie-settings) im Footer.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Tracker-Endpoint Allowlist enforced (Unit-Test)
+# Setze ANALYTICS_ENDPOINT auf nicht-allowlisted Host und triggere Action
+# Erwartung: Log "Tracker-Host X nicht in Allowlist"
+
+# 2. PII NICHT im Tracker-Payload
+# Mock fetch und logge Payload bei Provider-Call
+# Erwartung: kein "email", "name", "phone" Feld
+
+# 3. Tracker-Crash blockt Hauptrequest nicht
+# Mock fetch mit Error
+curl -X POST https://<placeholder-domain>/api/example/action -d '{}' -i
+# Erwartung: 200/204 trotz Tracker-Fehler
+
+# 4. Timeout funktioniert
+# Mock fetch mit 5s-delay
+# Erwartung: AbortError nach 2s, Hauptrequest fertig
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `tracking-scan.ts`, `pii-flow-tracker.ts`, `cors-allowlist-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 5 (Daten-Min), Art. 44 (Drittland)
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- Audit-Pattern: `references/audit-patterns.md` Phase 3 (Drittland-Audit), Phase 6 (Server-Logs)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/api-route-bearer-auth.md

@@ -0,0 +1,103 @@
+---
+license: MIT (snippet)
+provider: Next.js (Vercel) — Framework
+last-checked: 2026-05-02
+purpose: Pattern fuer Cron-Routes mit Bearer-Auth (Data-Retention, Cleanup, Newsletter-Send).
+---
+
+# Next.js — API-Route Bearer-Auth (Pattern)
+
+## 1. Use-Case
+
+Cron-getriggerte API-Routes (typisch fuer):
+- Data-Retention-Cleanup (DSGVO Art. 5 lit. e)
+- Newsletter-DOI-Token-Cleanup
+- Audit-Log-Rotation
+- Zombie-Account-Loeschung
+
+## 2. Compliance-Risiken
+
+| Risiko | Wirkung | Fix |
+|---|---|---|
+| Cron-Endpoint oeffentlich erreichbar | DDoS-Vektor / Daten-Manipulation | Bearer-Token Pflicht |
+| Token in Code hardcoded | Code-Leak = Bypass | env-driven |
+| Schwacher Token | Brute-Force | mind. 32 random Bytes |
+| Cron-Job laeuft nicht | DSE-Drift Style 2 | Verify-Cron |
+
+## 3. Code-Pattern
+
+```ts
+// File: src/app/api/cron/data-retention/route.ts
+import { NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+
+export const dynamic = 'force-dynamic';
+
+export async function POST(req: Request) {
+  // Bearer-Auth (Pflicht)
+  const auth = req.headers.get('authorization');
+  if (auth !== `Bearer ${process.env.CRON_SECRET}`) {
+    return new NextResponse('Unauthorized', { status: 401 });
+  }
+
+  // Data-Retention Logic
+  const cutoff = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);  // 90 Tage
+
+  const result = await db.subscriber.deleteMany({
+    where: { confirmedAt: null, createdAt: { lt: cutoff } },
+  });
+
+  return NextResponse.json({
+    deletedCount: result.count,
+    cutoffDate: cutoff.toISOString(),
+  });
+}
+```
+
+```yaml
+# .github/workflows/data-retention.yml (oder vergleichbares CI-System)
+on:
+  schedule:
+    - cron: '0 3 * * 0'  # Sonntag 3 Uhr UTC
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          curl -X POST https://example.com/api/cron/data-retention \
+            -H "Authorization: Bearer ${{ secrets.CRON_SECRET }}" \
+            -f
+```
+
+## 4. Token-Generierung
+
+```bash
+# Pflicht: mind. 32 random bytes
+openssl rand -hex 32 > /tmp/cron-secret
+# Setze als ENV-Var in Hosting-Tool + GitHub Secret
+```
+
+## 5. Verify-Commands
+
+```bash
+# 1. Endpoint-Auth-Pruefung
+curl -X POST https://example.com/api/cron/data-retention -i
+# Erwartung: 401 Unauthorized
+
+curl -X POST https://example.com/api/cron/data-retention \
+  -H "Authorization: Bearer wrong-token" -i
+# Erwartung: 401
+
+curl -X POST https://example.com/api/cron/data-retention \
+  -H "Authorization: Bearer $CRON_SECRET" -i
+# Erwartung: 200 mit deletedCount
+
+# 2. Cron-Job laeuft tatsaechlich (Drift-Style-2-Check)
+# Bei GitHub Actions: gh workflow view data-retention --json
+# Bei Dokploy: SSH + crontab -l
+```
+
+## 6. Cross-Reference
+
+- DSGVO Art. 5 lit. e: `gesetze/DSGVO/articles.md`
+- Audit-Pattern Phase 4 DSE-Drift Style 2: `audit-patterns.md`

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/dynamic-rendering-headers.md

@@ -0,0 +1,83 @@
+---
+license: MIT (snippet)
+provider: Next.js (Vercel) — Framework
+last-checked: 2026-05-02
+purpose: Pattern fuer korrekt-konfigurierte Dynamic-Rendering + Cookie/Headers-Read.
+---
+
+# Next.js — Dynamic-Rendering + Headers (Pattern)
+
+## 1. Default-Verhalten
+
+Next.js (App-Router) versucht **Static-Rendering** wo moeglich. Wenn Component `cookies()`, `headers()`, `searchParams` liest, wird automatisch dynamic.
+
+## 2. Compliance-Risiken
+
+| Risiko | Wirkung | Fix |
+|---|---|---|
+| Static-Render mit Veraltetem Stand-Datum | DSE Z. 1 zeigt 2024 obwohl Code 2026 | `force-dynamic` oder ISR |
+| Cookie-Read in Static-Path | Funktion-Aufruf-Fehler in Build | `dynamic = 'force-dynamic'` |
+| GET-Form ohne Headers-Read | CSRF-Anfaelligkeit | `cookies()` auslesen |
+
+## 3. Code-Pattern
+
+```ts
+// File: src/app/datenschutz/page.tsx
+export const dynamic = 'force-dynamic';  // Pflicht wenn DSE Stand-Datum aktuell sein muss
+
+export default async function DSE() {
+  const dseStand = new Date().toLocaleDateString('de-DE', { month: 'long', year: 'numeric' });
+  return (
+    <main>
+      <h1>Datenschutzerklaerung</h1>
+      <p>Stand: {dseStand}</p>
+      ...
+    </main>
+  );
+}
+```
+
+```ts
+// File: src/app/api/csrf/route.ts (CSRF-Token-Handler)
+import { cookies } from 'next/headers';
+import { randomBytes } from 'crypto';
+
+export const dynamic = 'force-dynamic';
+
+export async function GET() {
+  const token = randomBytes(32).toString('hex');
+  cookies().set({
+    name: 'csrf-token',
+    value: token,
+    httpOnly: true,
+    secure: true,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: 60 * 60,
+  });
+  return Response.json({ token });
+}
+```
+
+## 4. Anti-Pattern (NICHT)
+
+```ts
+// ❌ NICHT — Static-Render mit hardcoded Datum
+export default function DSE() {
+  return <p>Stand: 25.04.2024</p>;
+  // Drift-Style 2 (Falschangabe)
+}
+```
+
+## 5. Verify
+
+```bash
+# Verify dass DSE Stand-Datum aktuell ist
+curl -s https://example.com/datenschutz | grep -oE "Stand:[^<]{0,30}"
+# Erwartung: aktueller Monat
+```
+
+## 6. Cross-Reference
+
+- Audit-Pattern Phase 4 (DSE-Drift-Audit, Stand-Datum-Hygiene)
+- audit-patterns.md Phase 4