@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/env-driven-tracking.md

@@ -0,0 +1,135 @@
+---
+license: MIT (snippet)
+provider: Next.js (Vercel) — Framework
+last-checked: 2026-05-02
+purpose: Pattern fuer ENV-Driven Tracking-Loading mit Build-Arg-Pitfall-Schutz.
+---
+
+# Next.js — ENV-Driven Tracking (Pattern)
+
+## 1. Default-Verhalten / Pitfalls
+
+`NEXT_PUBLIC_*`-ENV-Vars werden zur **Build-Zeit** im Client-Bundle eingelogged (string-replace).
+Wenn das Deployment-Tool (Dokploy / Coolify / Nixpacks / Railway) die ENV nur als
+**Runtime-ENV** durchreicht aber nicht als `--build-arg` weitergibt, landet `undefined` im Bundle.
+
+## 2. Compliance-Risiken
+
+| Risiko | Wirkung | Fix |
+|---|---|---|
+| Build-Arg-Pitfall | Tracker-URL leer → Tracker laeuft nicht | Build-Arg-Konfiguration |
+| Tracker laedt vor Consent | § 25 TDDDG-Verstoss | ConsentGate |
+| Tracker-URL hardcoded | Drift bei Subdomain-Wechsel | env-driven mit Default |
+| Bundle leakt Brand-Codename | Public-OPSec-Issue | env-driven mit Brand-eigener Subdomain |
+
+## 3. Code-Pattern (sanitized)
+
+```ts
+// File: src/components/analytics/UmamiScript.tsx
+'use client';
+
+import Script from 'next/script';
+import { useConsent } from '@/lib/consent';
+
+const ANALYTICS_HOST = (
+  process.env.UMAMI_HOST ||
+  process.env.NEXT_PUBLIC_ANALYTICS_HOST ||
+  'https://metrics.example.com'  // Default = Brand-eigene Subdomain
+).replace(/\/+$/, '');
+
+const WEBSITE_ID = process.env.NEXT_PUBLIC_UMAMI_WEBSITE_ID;
+
+export default function UmamiScript() {
+  const { hasConsented } = useConsent();
+
+  if (!hasConsented('analytics') || !WEBSITE_ID) {
+    return null;
+  }
+
+  return (
+    <Script
+      defer
+      src={`${ANALYTICS_HOST}/script.js`}
+      data-website-id={WEBSITE_ID}
+      strategy="afterInteractive"
+    />
+  );
+}
+```
+
+```dockerfile
+# Dockerfile (builder-Stage)
+FROM node:22-alpine AS builder
+
+# Pflicht: NEXT_PUBLIC_*-Vars muessen ARG + ENV im Build-Stage sein
+ARG NEXT_PUBLIC_UMAMI_WEBSITE_ID
+ARG NEXT_PUBLIC_ANALYTICS_HOST
+ENV NEXT_PUBLIC_UMAMI_WEBSITE_ID=$NEXT_PUBLIC_UMAMI_WEBSITE_ID
+ENV NEXT_PUBLIC_ANALYTICS_HOST=$NEXT_PUBLIC_ANALYTICS_HOST
+
+# ... rest
+```
+
+```yaml
+# Dokploy Build-Args (oder vergleichbares Tool)
+buildArgs:
+  NEXT_PUBLIC_UMAMI_WEBSITE_ID: "abc-123"
+  NEXT_PUBLIC_ANALYTICS_HOST: "https://metrics.example.com"
+```
+
+## 4. Server-Component-Variante (besser, kein Bundle-Leak)
+
+```ts
+// File: src/app/layout.tsx (Server-Component)
+import { headers } from 'next/headers';
+
+export default async function RootLayout({ children }) {
+  const analyticsHost = process.env.UMAMI_HOST;  // server-only, kein NEXT_PUBLIC_
+
+  return (
+    <html>
+      <head>
+        {analyticsHost && (
+          <script
+            defer
+            src={`${analyticsHost}/script.js`}
+            data-website-id={process.env.UMAMI_WEBSITE_ID}
+          />
+        )}
+      </head>
+      <body>{children}</body>
+    </html>
+  );
+}
+```
+
+Server-Component-Variante:
+- Keine NEXT_PUBLIC_-Pflicht (server-only env)
+- Container-Runtime-ENV reicht (kein Build-Arg)
+- Kein Code-Var-Leak im Public-Bundle
+
+## 5. DSE-Wording-Vorlage
+
+> Wir verwenden Umami (selbst-gehostete Webanalyse) auf `metrics.example.com`. Daten
+> werden ohne Cookies erhoben + ohne Personenbezug ueber DAU-Hash. Erhebung erfolgt
+> mit Ihrer Einwilligung (Art. 6 Abs. 1 lit. a DSGVO + § 25 Abs. 1 TDDDG).
+
+## 6. Verify-Commands
+
+```bash
+# 1. Bundle-Check (NEXT_PUBLIC_-Pfad)
+docker exec <container> grep -rE "metrics.example.com|UMAMI_WEBSITE_ID" \
+  /app/.next/server/chunks/ /app/.next/static/ 2>&1 | head -3
+
+# 2. SSR-Render-Check (Server-Component-Pfad)
+curl -s https://example.com | grep -oE 'metrics.example.com'
+
+# 3. Pre-Consent-Loading-Pruefung
+curl -s https://example.com | grep -oE '<script[^>]*metrics.example.com[^>]*>'
+# Erwartung: kein direkter Script-Tag ohne ConsentGate-Wrapper
+```
+
+## 7. Az.-Anker
+
+- EuGH C-673/17 Planet49 (Cookie-Einwilligung)
+- BGH I ZR 7/16 (DSGVO-Pflichtinformation als UWG-Schutzgesetz)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/proxy-csp-pattern.md

@@ -0,0 +1,93 @@
+---
+license: MIT (snippet)
+purpose: Next.js (App Router 14+) Strict-Dynamic-CSP via middleware/proxy.ts
+references: audit-patterns.md HIGH-RISK-CSP-Migration, references/templates/proxy-strict-dynamic.ts.example
+last-checked: 2026-05-01
+---
+
+# Next.js — Strict-Dynamic-CSP via middleware/proxy
+
+## Anlass
+
+`script-src 'unsafe-inline'` ist die häufigste CSP-Schwäche in Next.js-Sites. Strict-Dynamic + nonce ersetzt das ohne legitime inline-Scripts zu brechen.
+
+## Pflicht-Migration-Strategy (HIGH-RISK)
+
+Diese Migration darf NIE direct-push sein:
+1. Feature-Branch erstellen
+2. middleware.ts mit nonce-Generation + CSP-Header
+3. layout.tsx liest `headers().get('x-nonce')` und gibt es an inline-Scripts
+4. Stripe-Elements + Supabase-OAuth + Google-Maps + GA-Snippets jeweils mit `nonce={nonce}`-Prop
+5. Intensive Tests aller Interaktiv-Features
+6. Stakeholder-Review
+7. Merge nur nach Approval
+
+## Code-Pattern
+
+Siehe vollständiges Snippet: `references/templates/proxy-strict-dynamic.ts.example`
+
+Kern-Idee:
+```ts
+// middleware.ts (Next.js 14+)
+const nonce = btoa(crypto.getRandomValues(new Uint8Array(16)).join(''));
+response.headers.set('Content-Security-Policy',
+  `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https:`);
+response.headers.set('x-nonce', nonce);
+```
+
+```tsx
+// layout.tsx
+import { headers } from 'next/headers';
+const nonce = headers().get('x-nonce') ?? '';
+return <Script id="bootstrap" nonce={nonce}>...</Script>;
+```
+
+## CSP-Direktiven-Checkliste
+
+| Direktive | Empfehlung | Warum |
+|-----------|------------|-------|
+| `default-src 'self'` | Pflicht | Restriktiver Default |
+| `script-src 'self' 'nonce-XXX' 'strict-dynamic' https:` | Pflicht | XSS-Schutz |
+| `style-src 'self' 'nonce-XXX'` | Empfohlen | inline-Style nur mit Nonce |
+| `img-src 'self' data: https://<your-cdn>` | Pflicht | Bild-Quellen begrenzt |
+| `connect-src 'self' https://<api> https://<analytics>` | Pflicht | API-Whitelist |
+| `frame-src 'self' https://<embed>` | Pflicht | iFrame-Whitelist |
+| `frame-ancestors 'none'` | Pflicht | Clickjacking-Schutz |
+| `object-src 'none'` | Pflicht | Flash-Disable |
+| `base-uri 'self'` | Pflicht | Base-Tag-Hijack-Schutz |
+| `form-action 'self'` | Pflicht | Form-Action-Beschränkung |
+| `upgrade-insecure-requests` | Empfohlen | HTTPS-Auto-Upgrade |
+
+## Defense-in-Depth Headers (zusätzlich zur CSP)
+
+```ts
+response.headers.set('X-Frame-Options', 'DENY');
+response.headers.set('X-Content-Type-Options', 'nosniff');
+response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+response.headers.set('Strict-Transport-Security',
+  'max-age=63072000; includeSubDomains; preload');
+response.headers.set('Permissions-Policy',
+  'camera=(), microphone=(), geolocation=(self), interest-cohort=()');
+```
+
+## Verify-Commands
+
+```bash
+# CSP-Header prüfen
+curl -sIS https://<your-domain> | grep -i 'content-security-policy'
+# erwarte: 'nonce-...' + 'strict-dynamic'; KEIN 'unsafe-inline'
+
+# Mozilla Observatory-Score
+curl -s "https://http-observatory.security.mozilla.org/api/v1/analyze?host=<your-domain>" \
+  -X POST | jq .grade
+# erwarte: A oder A+
+
+# CSP-Reporting (optional, für Drift-Detection)
+# response.headers.set('Content-Security-Policy-Report-Only', '...; report-uri /api/csp-report');
+```
+
+## Az.-Anker (CSP allgemein)
+
+- DSGVO Art. 32 — TOMs (CSP ist anerkannte TOM)
+- ENISA + BSI-Empfehlungen für moderne Web-Sicherheit
+- OWASP Top 10 2023 — A03:2021 Injection

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/payment/stripe-pci-tom.md

@@ -0,0 +1,121 @@
+---
+license: MIT (snippet)
+provider: Stripe Inc. (USA)
+provider-AVV-status: Standardvertrag verfügbar (Stripe DPA + SCC)
+last-checked: 2026-05-01
+---
+
+# Stripe — PCI-DSS-konformer Checkout + DSE-Wording
+
+## 1. PCI-DSS-Strategie: Stripe-hosted Checkout (Pflicht für KMU)
+
+Pflicht-Strategy: **Stripe Elements oder Stripe Checkout** — Karten-Daten passieren **nie** den eigenen Server.
+
+- ✅ `stripe-js` mit `<CardElement />`: Karten-Daten gehen direkt vom Browser zu Stripe
+- ✅ `Stripe.redirectToCheckout()`: hosted-Page bei Stripe
+- ❌ NICHT: Karten-Daten über eigenen Server entgegennehmen — würde PCI-DSS-Audit-Pflicht triggern (Self-Audit oder QSA)
+
+## 2. Compliance-Risiken
+
+| Risiko | Wirkung | Fix |
+|--------|---------|-----|
+| Sub-Processor in USA | Drittland-Transfer | DPA + SCC + DSE-Erwähnung |
+| Risiko-Score-Cookies | TDDDG § 25 | Pre-Consent: kein Stripe-Skript |
+| Webhook-Signatur-Prüfung fehlt | Unauthorized Charge / IDOR | `stripe.webhooks.constructEvent()` Pflicht |
+| `card.number` im Server-Log | PCI-DSS-Verstoss + Datenschutz | Logger sanitisieren |
+
+## 3. Code-Pattern (sanitized)
+
+```ts
+// File: src/app/api/stripe/webhook/route.ts
+// Webhook-Signatur-Verifikation (CWE-345 Schutz)
+import Stripe from 'stripe';
+import { NextRequest, NextResponse } from 'next/server';
+
+export const runtime = 'nodejs';
+
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, { apiVersion: '2025-06-30.basil' });
+
+export async function POST(req: NextRequest) {
+  const sig = req.headers.get('stripe-signature');
+  if (!sig) return NextResponse.json({ error: 'missing signature' }, { status: 400 });
+
+  const buf = await req.text(); // raw body Pflicht für Signatur
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(buf, sig, process.env.STRIPE_WEBHOOK_SECRET!);
+  } catch (err) {
+    return NextResponse.json({ error: `Webhook signature mismatch: ${err}` }, { status: 400 });
+  }
+
+  // Idempotency: bei replay-Webhook keine doppelte Aktion
+  // ... handle event types ...
+
+  return NextResponse.json({ received: true });
+}
+```
+
+```tsx
+// File: src/components/checkout/StripeButton.tsx
+// Pre-consent OHNE Stripe-Skript-Load
+'use client';
+import { useEffect, useState } from 'react';
+import { loadStripe } from '@stripe/stripe-js';
+
+export function StripeButton({ priceId }: { priceId: string }) {
+  const [stripe, setStripe] = useState<any>(null);
+
+  useEffect(() => {
+    // Erst nach Consent (oder hier explizit beim Klick erst loadStripe rufen)
+    loadStripe(process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY!).then(setStripe);
+  }, []);
+
+  async function handleCheckout() {
+    if (!stripe) return;
+    const res = await fetch('/api/stripe/checkout-session', { method: 'POST', body: JSON.stringify({ priceId }) });
+    const { sessionId } = await res.json();
+    await stripe.redirectToCheckout({ sessionId });
+  }
+
+  return <button onClick={handleCheckout}>Zahlungspflichtig bestellen</button>;
+  //                                       ^^^ Pflicht-Wording § 312j Abs. 3 BGB
+}
+```
+
+## 4. AVV / DPA
+
+- **DPA-Link**: https://stripe.com/legal/dpa
+- **SCC**: Modul 2 + 3 (Stripe als Processor + Sub-Processor-Liste)
+- **Sub-Processors**: https://stripe.com/legal/data-processing-providers
+
+## 5. DSE-Wording-Vorlage
+
+> **Zahlungsabwicklung (Stripe).** Für Zahlungen nutzen wir den Service von
+> Stripe Payments Europe Limited (1 Grand Canal Street Lower, Grand Canal
+> Dock, Dublin, Irland) sowie Stripe Inc. (354 Oyster Point Boulevard,
+> South San Francisco, CA 94080, USA) als Auftragsverarbeiter im Sinne
+> von Art. 28 DSGVO. Karten-Daten werden direkt von Ihrem Browser an
+> Stripe übermittelt — wir verarbeiten diese nicht selbst. Für die
+> Datenübermittlung in die USA gelten die EU-Standardvertragsklauseln
+> (Modul 2 + 3) sowie das EU-US Data Privacy Framework (Stripe Inc. ist
+> DPF-zertifiziert). Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
+> (Vertragserfüllung). Datenschutz Stripe: https://stripe.com/de/privacy.
+
+## 6. Verify-Commands
+
+```bash
+# Webhook-Konfiguration
+stripe webhooks list
+
+# Test-Webhook lokal
+stripe listen --forward-to https://<your-domain>/api/stripe/webhook
+
+# Verify Pflicht-Header an Webhook-Endpoint
+curl -X POST https://<your-domain>/api/stripe/webhook -H "stripe-signature: invalid"
+# erwarte: 400 mit "signature mismatch"
+```
+
+## 7. Az.-Anker
+
+- BGH I ZR 161/24 (Kuendigungsbutton, 22.05.2025) — § 312k betrifft Stripe-Subscription-Modelle
+- BGH VIII ZR 70/08 (Widerrufsbelehrung) — Pflicht-Belehrung vor Zahlung

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/cookie-banner-pattern.md

@@ -0,0 +1,294 @@
+---
+license: MIT (snippet)
+provider: Ruby on Rails (Open-Source)
+last-checked: 2026-05-05
+purpose: Rails Cookies-Helper + Concern-Pattern fuer Tracker-Authorization.
+---
+
+# Rails — Cookie-Banner (Pattern)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `rails` in `Gemfile` (Version >= 7.x empfohlen)
+- `app/controllers/application_controller.rb`
+- `app/views/layouts/application.html.erb`
+- Optional: `app/javascript/` (Hotwire/Stimulus) oder Webpacker
+- Optional: `config/initializers/cookies_serializer.rb`
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Default `cookies` Helper signiert/verschluesselt Cookies → Banner-JS kann nicht lesen
+- Tracker-Tags in `application.html.erb` `<head>` direkt eingebunden
+- Session-Cookie ohne explizite `same_site` Setzung
+- Cookies ohne `secure: true` Default in Development → Drift zu Prod
+- Default-Logger schreibt Klartext-IP
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker-Tag in Layout-`<head>` | § 25 TDDDG | KRITISCH | Conditional `if cookies[:consent]&.dig('analytics')` |
+| Encrypted Consent-Cookie unleserlich fuer JS | UX/DSGVO | MITTEL | Plain `cookies[:cookie_consent]` (nicht signed) |
+| Session-Cookie ohne SameSite | Art. 32 DSGVO | HOCH | `config.action_dispatch.cookies_same_site_protection = :lax` |
+| Klartext-IP in Production-Log | Art. 5 lit. f | HOCH | Custom `Rails.logger` Filter |
+| `protect_from_forgery` nicht erzwungen | Art. 32 DSGVO | KRITISCH | nicht `with: :null_session` global |
+
+## Code-Pattern (sanitized)
+
+```ruby
+# File: config/initializers/cookies.rb
+Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
+Rails.application.config.action_dispatch.use_cookies_with_metadata = true
+```
+
+```ruby
+# File: app/controllers/concerns/consent_concern.rb
+module ConsentConcern
+  extend ActiveSupport::Concern
+
+  CONSENT_DEFAULT = {
+    'necessary' => true,
+    'analytics' => false,
+    'marketing' => false
+  }.freeze
+
+  included do
+    helper_method :user_consent, :analytics_consented?, :marketing_consented?
+    before_action :load_consent
+  end
+
+  def user_consent
+    @user_consent ||= CONSENT_DEFAULT
+  end
+
+  def analytics_consented?
+    user_consent['analytics'] == true
+  end
+
+  def marketing_consented?
+    user_consent['marketing'] == true
+  end
+
+  private
+
+  def load_consent
+    raw = cookies[:cookie_consent]
+    return unless raw
+
+    parsed = JSON.parse(raw) rescue nil
+    return unless parsed.is_a?(Hash)
+
+    @user_consent = CONSENT_DEFAULT.merge(parsed)
+  end
+end
+```
+
+```ruby
+# File: app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include ConsentConcern
+
+  protect_from_forgery with: :exception
+
+  before_action :set_security_headers
+
+  private
+
+  def set_security_headers
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+    response.headers['Permissions-Policy'] = 'geolocation=(), camera=(), microphone=()'
+  end
+end
+```
+
+```ruby
+# File: app/controllers/consent_controller.rb
+class ConsentController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: [:create], if: -> { csrf_token_via_header? }
+
+  def create
+    consent = consent_params.merge(
+      'necessary' => true,
+      'version' => '1.0',
+      'timestamp' => Time.current.iso8601
+    )
+
+    # Server-Log fuer Nachweispflicht
+    ConsentLog.create!(
+      ip_hash: ip_hash(request.remote_ip),
+      user_agent: (request.user_agent || '').first(200),
+      consent: consent.to_json
+    )
+
+    cookies[:cookie_consent] = {
+      value: consent.to_json,
+      expires: 12.months.from_now,
+      secure: Rails.env.production?,
+      httponly: false,  # Banner-JS muss lesen
+      same_site: :lax,
+      path: '/'
+    }
+
+    head :no_content
+  end
+
+  private
+
+  def consent_params
+    params.require(:consent).permit(:analytics, :marketing).to_h.transform_values { |v| v == true || v == 'true' }
+  end
+
+  def ip_hash(ip)
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    Digest::SHA256.hexdigest(ip + salt)[0...16]
+  end
+
+  def csrf_token_via_header?
+    request.headers['X-CSRF-Token'].present?
+  end
+end
+```
+
+```ruby
+# File: config/routes.rb (Auszug)
+Rails.application.routes.draw do
+  resource :consent, only: [:create]
+  # ...
+end
+```
+
+```erb
+<%# File: app/views/layouts/_cookie_banner.html.erb %>
+<% unless cookies[:cookie_consent] %>
+  <aside id="cookie-banner" role="dialog" aria-label="Cookie-Einwilligung" class="cookie-banner">
+    <p>
+      Wir nutzen Cookies fuer notwendige Funktionen. Mit Ihrer Einwilligung
+      zusaetzlich fuer Webanalyse. Details:
+      <%= link_to 'Datenschutzerklaerung', privacy_path %>.
+    </p>
+    <div class="cookie-actions">
+      <button type="button" data-action="reject-all" class="btn-secondary">
+        Nur Notwendige
+      </button>
+      <button type="button" data-action="accept-all" class="btn-primary">
+        Alle akzeptieren
+      </button>
+    </div>
+  </aside>
+
+  <script>
+    (() => {
+      const csrf = document.querySelector('meta[name="csrf-token"]')?.content;
+      const submit = (analytics, marketing) => {
+        fetch('<%= consent_path %>', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': csrf,
+            Accept: 'application/json'
+          },
+          body: JSON.stringify({ consent: { analytics, marketing } })
+        }).then(() => {
+          document.getElementById('cookie-banner').remove();
+          if (analytics) {
+            const s = document.createElement('script');
+            s.src = 'https://<placeholder-eu-analytics-host>/script.js';
+            s.async = true;
+            document.head.appendChild(s);
+          }
+        });
+      };
+
+      document.querySelector('[data-action="reject-all"]').onclick = () => submit(false, false);
+      document.querySelector('[data-action="accept-all"]').onclick = () => submit(true, true);
+    })();
+  </script>
+<% end %>
+```
+
+```erb
+<%# File: app/views/layouts/application.html.erb %>
+<!DOCTYPE html>
+<html lang="de">
+  <head>
+    <meta charset="utf-8">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+    <title><%= content_for?(:title) ? yield(:title) : '<placeholder-site-name>' %></title>
+
+    <%# Tracker NUR conditional %>
+    <% if analytics_consented? %>
+      <script src="https://<placeholder-eu-analytics-host>/script.js" async></script>
+    <% end %>
+  </head>
+  <body>
+    <%= yield %>
+    <%= render 'layouts/cookie_banner' %>
+  </body>
+</html>
+```
+
+## AVV / DPA
+
+- Hosting-Provider (Heroku EU / Fly.io / Render) — Art. 28 DSGVO
+- Datenbank (Postgres EU / RDS Frankfurt) — AVV
+- Analytics-Provider (Plausible EU / Matomo) — AVV
+- Mailer (SES EU / Postmark) — AVV
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Cookies (Rails-Anwendung)
+
+Diese Webseite verwendet folgende Cookies:
+
+**Notwendige Cookies:**
+- `_<placeholder-app>_session` — Session-Verwaltung, Session-Dauer (signed/encrypted)
+- `_csrf_token` — CSRF-Schutz, Session-Dauer
+- `cookie_consent` — Speicherung Ihrer Einwilligung, 12 Monate (Klartext-JSON, damit JS lesen kann)
+
+**Analyse-Cookies (Opt-In, mit Einwilligung):**
+- gesetzt durch <placeholder-analytics-provider>
+- Speicherdauer: <placeholder-days> Tage
+- EU-Hosting: <placeholder-eu-country>
+
+**Rechtsgrundlage:** § 25 TDDDG i.V.m. Art. 6 Abs. 1 lit. a DSGVO
+(fuer Opt-In-Cookies) bzw. lit. f DSGVO (fuer notwendige Cookies).
+**Widerruf:** [Cookie-Einstellungen](#cookie-settings) im Footer.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Banner sichtbar bei Erstbesuch
+curl -sS https://<placeholder-domain>/ | grep -ic "cookie-banner"
+
+# 2. cookie_consent NICHT signed (JS-readable)
+curl -X POST https://<placeholder-domain>/consent \
+  -H "Content-Type: application/json" \
+  -H "X-CSRF-Token: <placeholder-csrf>" \
+  -d '{"consent":{"analytics":false,"marketing":false}}' -i \
+  | grep -i "set-cookie:.*cookie_consent"
+# Erwartung: JSON-String, NICHT base64-encrypted
+
+# 3. Tracker erst nach Consent
+curl -sS https://<placeholder-domain>/ | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: 0
+
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Atrue%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: >=1
+
+# 4. Security-Headers
+curl -sI https://<placeholder-domain>/ | grep -iE "x-content-type-options|referrer-policy"
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `cookie-flags-checker.ts`, `consent-flow-checker.ts`, `csrf-config-checker.ts`
+- Skill-Reference: `references/dsgvo.md` § 25 TDDDG, Art. 7 DSGVO
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- OLG Koeln 6 U 80/23 (Button-Gleichwertigkeit)
+- Audit-Pattern: `references/audit-patterns.md` Phase 2 (Cookie-Audit)