@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/devise-dsgvo-pattern.md

@@ -0,0 +1,262 @@
+---
+license: MIT (snippet)
+provider: Ruby on Rails + Devise (Open-Source)
+last-checked: 2026-05-05
+purpose: Devise + § 26 BDSG-konforme User-Verwaltung mit Audit-Trail.
+---
+
+# Rails + Devise — DSGVO-Pattern
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `gem 'devise'` in `Gemfile`
+- `app/models/user.rb` mit `devise :database_authenticatable, ...`
+- `config/initializers/devise.rb`
+- Migration mit `:lockable, :trackable, :timeoutable` Feldern
+- Optional: `gem 'pundit'` / `gem 'cancancan'` fuer Authorization
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Devise loggt `last_sign_in_ip`, `current_sign_in_ip` als Klartext → Art. 5 lit. f Verstoss
+- Default-Confirmable-Token-Lifetime ungesetzt → unbegrenzte Confirmation-Tokens
+- Failed-Login-Errors leaken User-Existence ("Email not found")
+- Default-Password-Length 6 Zeichen → zu schwach
+- `:rememberable` ohne Expiration → Permanent-Sessions
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| `last_sign_in_ip` Klartext | Art. 5 lit. f DSGVO | KRITISCH | Custom-Setter mit Hash |
+| User-Enumeration via Devise-Errors | Art. 32 DSGVO | HOCH | `paranoid: true` setzen |
+| Password-Length 6 | Art. 32 DSGVO | HOCH | `password_length: 12..128` |
+| Remember-Me unbegrenzt | Art. 32 DSGVO | MITTEL | `remember_for: 14.days` |
+| Audit-Log fuer Account-aenderungen fehlt | Art. 5 Abs. 2 | HOCH | `audited` Gem oder Custom |
+| `current_password`-Check fuer kritische Aktionen | Art. 32 DSGVO | HOCH | `before_action :require_recent_auth` |
+
+## Code-Pattern (sanitized)
+
+```ruby
+# File: config/initializers/devise.rb
+Devise.setup do |config|
+  config.mailer_sender = '<placeholder-noreply-email>'
+
+  config.password_length = 12..128
+
+  # Bestaetigungs-Token: 7 Tage, danach abgelaufen
+  config.confirm_within = 7.days
+
+  # Lockable: 5 Versuche, 30 Minuten Lock
+  config.maximum_attempts = 5
+  config.unlock_in = 30.minutes
+  config.unlock_strategy = :time
+
+  # Timeoutable: Auto-Logout nach 60 min Inaktivitaet
+  config.timeout_in = 60.minutes
+
+  # Rememberable: max. 14 Tage
+  config.remember_for = 14.days
+  config.expire_all_remember_me_on_sign_out = true
+
+  # paranoid: kein User-Enumeration via Reset-Password-Form
+  config.paranoid = true
+
+  # Argon2 / bcrypt-Cost auf >= 12
+  config.stretches = Rails.env.test? ? 1 : 12
+
+  # Reset-Password-Token: 6 Stunden
+  config.reset_password_within = 6.hours
+end
+```
+
+```ruby
+# File: app/models/user.rb
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable,
+         :confirmable, :lockable, :timeoutable, :trackable
+
+  has_many :user_audit_logs, dependent: :destroy
+  has_many :user_legal_acceptances, dependent: :destroy
+
+  validates :name, length: { maximum: 100 }, allow_blank: true
+
+  # Anonymisierungs-Felder ueberschreiben statt loeschen
+  def anonymize!
+    update!(
+      email: "deleted-#{id}@<placeholder-domain>",
+      name: 'GELOESCHT',
+      phone: nil,
+      last_sign_in_ip_hash: nil,
+      current_sign_in_ip_hash: nil,
+      sign_in_count: 0
+    )
+  end
+
+  # Hash IP statt Klartext (override Devise-Default)
+  def update_tracked_fields!(request)
+    super
+    self.current_sign_in_ip = nil  # explicit nil
+    self.last_sign_in_ip = nil
+    self.current_sign_in_ip_hash = ip_hash(request.remote_ip)
+    save(validate: false)
+  end
+
+  private
+
+  def ip_hash(ip)
+    return nil if ip.blank?
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    Digest::SHA256.hexdigest(ip + salt)[0...16]
+  end
+end
+```
+
+```ruby
+# File: db/migrate/2026_05_05_add_dsgvo_fields_to_users.rb
+class AddDsgvoFieldsToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :current_sign_in_ip_hash, :string, limit: 16
+    add_column :users, :last_sign_in_ip_hash, :string, limit: 16
+    add_column :users, :anonymized_at, :datetime
+    add_index :users, :anonymized_at
+
+    # Loesche Klartext-IP-Felder (oder lasse sie als deprecated)
+    # remove_column :users, :current_sign_in_ip, :inet  # vorsichtig!
+  end
+end
+```
+
+```ruby
+# File: app/models/user_audit_log.rb
+class UserAuditLog < ApplicationRecord
+  belongs_to :user
+
+  validates :action, presence: true, inclusion: {
+    in: %w[
+      sign_in sign_out registration confirmation password_change
+      email_change profile_update consent_change account_deletion
+    ]
+  }
+
+  before_destroy { raise 'Audit-Log ist append-only' }
+
+  def self.log!(user, action, ip:, user_agent:)
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    create!(
+      user: user,
+      action: action,
+      ip_hash: Digest::SHA256.hexdigest((ip || '') + salt)[0...16],
+      user_agent: (user_agent || '').first(200),
+      occurred_at: Time.current
+    )
+  end
+end
+```
+
+```ruby
+# File: app/controllers/users/sessions_controller.rb
+class Users::SessionsController < Devise::SessionsController
+  def create
+    super do |user|
+      UserAuditLog.log!(user, 'sign_in', ip: request.remote_ip, user_agent: request.user_agent)
+    end
+  end
+
+  def destroy
+    user = current_user
+    super do
+      UserAuditLog.log!(user, 'sign_out', ip: request.remote_ip, user_agent: request.user_agent) if user
+    end
+  end
+end
+```
+
+```ruby
+# File: app/controllers/concerns/recent_auth_concern.rb
+module RecentAuthConcern
+  extend ActiveSupport::Concern
+
+  RECENT_AUTH_WINDOW = 5.minutes
+
+  def require_recent_auth
+    return if recent_auth?
+    session[:return_to] = request.fullpath
+    redirect_to new_user_confirm_password_path,
+                alert: 'Bitte bestaetigen Sie Ihr Passwort erneut'
+  end
+
+  def recent_auth?
+    session[:recent_auth_at].present? &&
+      Time.zone.at(session[:recent_auth_at]) > RECENT_AUTH_WINDOW.ago
+  end
+end
+```
+
+## AVV / DPA
+
+- Datenbank (Postgres EU) — AVV mit IP-Hash-Garantie
+- Mailer (SES EU / Postmark / Mailgun EU) — AVV
+- Optional: SSO-Provider (Auth0 EU / Keycloak self-host) — AVV mit Drittland-TIA
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Account-Anlage und Anmeldung
+
+Bei Registrierung und Anmeldung verarbeiten wir folgende Daten:
+
+- E-Mail-Adresse (Pflichtfeld, zur Identifizierung)
+- Name (optional)
+- Passwort (gespeichert als bcrypt-Hash mit Cost-Faktor 12)
+- Hash der IP-Adresse (zur Brute-Force-Erkennung; SHA-256 mit Salt, 16 Zeichen)
+- Anzahl Anmeldungen
+- Letzter Anmelde-Zeitpunkt
+- User-Agent (max. 200 Zeichen)
+
+**Audit-Log:** Wir protokollieren Anmeldungen, Passwort-aenderungen,
+Profil-aenderungen und Account-Loeschungen mit anonymisierter IP zur
+Sicherheits-Auswertung.
+
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. b DSGVO (Vertrag) +
+Art. 6 Abs. 1 lit. f DSGVO (Sicherheit).
+**Speicherdauer:**
+- Account: bis Loeschung (manuell oder via Inaktivitaets-Cleanup nach 2 Jahren)
+- Audit-Log: 90 Tage
+- Failed-Login-Counter: 30 Minuten (Lockout-Window)
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. paranoid-Mode aktiv (kein User-Enumeration)
+curl -X POST https://<placeholder-domain>/users/password \
+  -H "Content-Type: application/json" \
+  -d '{"user":{"email":"nonexistent@example.com"}}' -i
+# Erwartung: 200 mit "If your email exists..." (statt "Email not found")
+
+# 2. Account-Lockout nach 5 Versuchen
+for i in {1..6}; do
+  curl -X POST https://<placeholder-domain>/users/sign_in \
+    -d 'user[email]=<placeholder-user-email>&user[password]=wrong' -s -o /dev/null -w "%{http_code}\n"
+done
+# Erwartung: letzter Code zeigt Account-Lockout
+
+# 3. IP-Hash statt Klartext
+# DB-Query: SELECT current_sign_in_ip_hash, current_sign_in_ip FROM users WHERE id = '<test>';
+# Erwartung: ip_hash gefuellt, ip-Feld NULL/leer
+
+# 4. Password-Length-Enforcement
+curl -X POST https://<placeholder-domain>/users \
+  -d 'user[email]=test@test.com&user[password]=short' -i
+# Erwartung: 422 mit "Password is too short (minimum is 12 characters)"
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `auth-flow-checker.ts`, `password-policy-checker.ts`, `audit-trail-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 32 (Sicherheit), Art. 5 lit. f (Vertraulichkeit)
+- BDSG: § 26 Abs. 8 (Beschaeftigtendaten — bei Mitarbeiter-Accounts)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 9 (Auth-Audit)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/gdpr-anonymization-pattern.md

@@ -0,0 +1,283 @@
+---
+license: MIT (snippet)
+provider: Ruby on Rails + Sidekiq (Open-Source)
+last-checked: 2026-05-05
+purpose: Sidekiq-Worker-Pattern fuer asynchrone Anonymisierung + Hard-Delete-Cron.
+---
+
+# Rails — GDPR-Anonymisierungs-Worker (Sidekiq-Pattern)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `gem 'sidekiq'` in `Gemfile`
+- `app/workers/` oder `app/jobs/` Verzeichnis
+- `Sidekiq::Worker` / `ActiveJob::Base` Subclasses
+- Optional: `gem 'sidekiq-cron'` / `gem 'whenever'` fuer Cron-Scheduling
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Account-Loeschung erfolgt synchron im Request → Timeout-Risiko
+- Anonymisierung uebersieht abhaengige Records (Activity, Comments, Uploads)
+- Search-Index (Elasticsearch / Algolia) wird nicht synchron mit DB-Loeschung geupdatet
+- Soft-Deletes haeufen sich → Storage-Kosten + DSGVO-Drift
+- Sidekiq-Logs enthalten Klartext-PII bei Job-Args
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Search-Index nicht ge-updated | Art. 17 DSGVO | KRITISCH | Worker triggert `unsearchable!` |
+| Sidekiq-Args mit User-PII (Email/Name) | Art. 5 lit. c | HOCH | Nur User-ID als Arg, Lookup im Worker |
+| Hard-Delete-Cron fehlt | Art. 5 lit. e | KRITISCH | `sidekiq-cron` mit taeglicher Schedule |
+| Job-Failure unbemerkt | Art. 5 Abs. 2 | HOCH | Sidekiq-Web + Alert-Hook |
+| Backup-Files nicht rotated | Art. 5 lit. e | HOCH | Backup-Provider-Policy + Doku |
+
+## Code-Pattern (sanitized)
+
+```ruby
+# File: app/workers/gdpr/anonymize_user_worker.rb
+module Gdpr
+  class AnonymizeUserWorker
+    include Sidekiq::Worker
+
+    sidekiq_options queue: 'gdpr', retry: 3, backtrace: true
+
+    def perform(user_id, reason = nil)
+      user = User.with_deleted.find_by(id: user_id)
+      return unless user
+
+      ActiveRecord::Base.transaction do
+        # 1. PII anonymisieren
+        user.anonymize!
+
+        # 2. Audit-Log
+        UserAuditLog.create!(
+          user: user,
+          action: 'account_deletion',
+          ip_hash: nil,
+          user_agent: 'GDPR-Worker',
+          occurred_at: Time.current,
+          metadata: { reason: reason }.to_json
+        )
+
+        # 3. Search-Index entfernen
+        user.unsearchable! if user.respond_to?(:unsearchable!)
+
+        # 4. Cascade-Anonymisierung auf abhaengige Records
+        user.comments.update_all(author_name: 'GELOESCHT')
+        user.uploads.find_each(&:purge)
+
+        # 5. Soft-Delete setzen (falls noch nicht)
+        user.update!(deleted_at: Time.current) unless user.deleted_at
+
+        # 6. Hard-Delete via separatem Cron in 30 Tagen
+      end
+
+      Rails.logger.info "[GDPR] User #{user_id} anonymized"
+    rescue => e
+      Rails.logger.error "[GDPR] Anonymization failed for #{user_id}: #{e.message}"
+      raise  # Sidekiq retry
+    end
+  end
+end
+```
+
+```ruby
+# File: app/workers/gdpr/hard_delete_worker.rb
+module Gdpr
+  class HardDeleteWorker
+    include Sidekiq::Worker
+
+    sidekiq_options queue: 'gdpr', retry: 3
+
+    HARD_DELETE_GRACE_PERIOD = 30.days
+
+    def perform
+      cutoff = HARD_DELETE_GRACE_PERIOD.ago
+
+      User.with_deleted.where('deleted_at < ?', cutoff).find_each do |user|
+        ActiveRecord::Base.transaction do
+          # Cascade-Loeschung
+          user.user_audit_logs.delete_all  # Audit-Log raus
+          user.comments.delete_all
+          user.uploads.find_each(&:destroy!)
+          user.user_legal_acceptances.delete_all
+
+          # Hard-Delete
+          user.really_destroy!  # paranoia-gem
+        end
+
+        Rails.logger.info "[GDPR] User #{user.id} hard-deleted"
+      end
+
+      # Cron-Run-Tracking
+      CronRun.create!(
+        job_name: 'gdpr-hard-delete',
+        finished_at: Time.current,
+        status: 'success'
+      )
+    rescue => e
+      CronRun.create!(
+        job_name: 'gdpr-hard-delete',
+        finished_at: Time.current,
+        status: 'failed',
+        error: e.message
+      )
+      raise
+    end
+  end
+end
+```
+
+```ruby
+# File: app/workers/gdpr/inactive_user_cleanup_worker.rb
+module Gdpr
+  class InactiveUserCleanupWorker
+    include Sidekiq::Worker
+
+    sidekiq_options queue: 'gdpr', retry: 3
+
+    INACTIVITY_PERIOD = 2.years
+
+    def perform
+      cutoff = INACTIVITY_PERIOD.ago
+
+      User.where('current_sign_in_at < ? AND deleted_at IS NULL', cutoff)
+          .where(consent_inactivity_warning_sent_at: nil)
+          .find_each(batch_size: 100) do |user|
+        # Erste Stufe: Warning-Mail
+        UserMailer.inactivity_warning(user).deliver_later
+        user.update!(consent_inactivity_warning_sent_at: Time.current)
+      end
+
+      # Zweite Stufe: User die bereits gewarnt + 30 Tage spaeter immer noch inaktiv
+      User.where('consent_inactivity_warning_sent_at < ?', 30.days.ago)
+          .where('current_sign_in_at < ?', cutoff)
+          .where(deleted_at: nil)
+          .find_each do |user|
+        Gdpr::AnonymizeUserWorker.perform_async(user.id, 'inactivity_2_years')
+        user.update!(deleted_at: Time.current)
+      end
+    end
+  end
+end
+```
+
+```ruby
+# File: config/sidekiq_cron.yml
+gdpr_hard_delete:
+  cron: '0 3 * * *'  # Taeglich 3 Uhr UTC
+  class: 'Gdpr::HardDeleteWorker'
+
+gdpr_inactive_cleanup:
+  cron: '0 4 * * 0'  # Sonntag 4 Uhr UTC
+  class: 'Gdpr::InactiveUserCleanupWorker'
+
+analytics_events_cleanup:
+  cron: '0 5 * * *'
+  class: 'AnalyticsEventCleanupWorker'
+```
+
+```ruby
+# File: config/initializers/sidekiq.rb
+Sidekiq.configure_server do |config|
+  config.redis = { url: ENV.fetch('REDIS_URL') }
+
+  # Sidekiq-Cron-Schedule laden
+  if File.exist?(Rails.root.join('config/sidekiq_cron.yml'))
+    schedule = YAML.load_file(Rails.root.join('config/sidekiq_cron.yml'))
+    Sidekiq::Cron::Job.load_from_hash(schedule)
+  end
+
+  # Args-Filtering: PII niemals in Logs
+  config.logger.formatter = lambda do |severity, time, prog, msg|
+    # Strip Email-Patterns
+    safe_msg = msg.to_s.gsub(/[\w.+-]+@[\w-]+\.[\w-]+/, '[EMAIL_REDACTED]')
+    "#{time.iso8601} [#{severity}] #{safe_msg}\n"
+  end
+end
+```
+
+```ruby
+# File: app/controllers/gdpr_controller.rb
+class GdprController < ApplicationController
+  before_action :authenticate_user!
+
+  def destroy_account
+    reason = params[:reason]&.first(500)
+
+    # Synchron: nur Soft-Delete + Logout
+    current_user.update!(deleted_at: Time.current, deletion_reason: reason)
+
+    # Async: Anonymisierung
+    Gdpr::AnonymizeUserWorker.perform_async(current_user.id, reason)
+
+    sign_out current_user
+    render json: {
+      status: 'PENDING_HARD_DELETE',
+      soft_deleted_at: Time.current.iso8601,
+      hard_delete_scheduled: '30 Tage'
+    }, status: :accepted
+  end
+end
+```
+
+## AVV / DPA
+
+- Datenbank — AVV mit Hard-Delete-Wirksamkeit
+- Sidekiq-Redis (Upstash EU / Redis Cloud EU) — AVV
+- Search-Index (Algolia / Meilisearch) — AVV + Index-Sync-Garantie
+- Mailer fuer Warning-Mails — AVV
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Loesch-Workflow und Inaktivitaets-Cleanup
+
+**Bei Loesch-Antrag (manuell):**
+
+1. Sofort: Account deaktiviert, ausgeloggt
+2. Sofort (asynchron): PII anonymisiert, Search-Index entfernt, Comments
+   anonymisiert, Uploads geloescht
+3. Nach 30 Tagen: Endgueltige Loeschung aus Datenbank
+
+**Bei Inaktivitaet (automatisch):**
+
+1. Nach 2 Jahren ohne Login: Erinnerungs-Mail
+2. 30 Tage nach Erinnerungs-Mail (immer noch keine Aktivitaet):
+   automatischer Loesch-Workflow
+3. Hard-Delete folgt nach weiteren 30 Tagen
+
+**Rechtsgrundlage:** Art. 5 lit. e DSGVO (Speicherbegrenzung), Art. 17 DSGVO
+(Recht auf Loeschung).
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Sidekiq-Web-Health
+curl https://<placeholder-domain>/sidekiq/cron
+# Erwartung: aktivitaet aller Cron-Jobs sichtbar
+
+# 2. Anonymize-Worker manuell anstossen
+bundle exec rails console
+# > Gdpr::AnonymizeUserWorker.perform_async(<test-user-id>, 'test')
+# > Sidekiq::Queue.new('gdpr').size  # Erwartung: 1, dann 0 nach Verarbeitung
+
+# 3. Job-Logs ohne PII
+tail -100 log/sidekiq.log | grep -E '[\w.+-]+@[\w-]+\.[\w-]+' | head -5
+# Erwartung: 0 Treffer oder ausschliesslich [EMAIL_REDACTED]
+
+# 4. Hard-Delete nach 30 Tagen wirksam
+# DB-Query: SELECT COUNT(*) FROM users WHERE deleted_at < now() - interval '30 days';
+# Erwartung: 0
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `data-retention-checker.ts`, `cron-coverage-checker.ts`, `pii-anonymization-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 17, Art. 5 lit. e
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- EuGH: `references/eu-eugh-dsgvo-schadensersatz.md` (Loesch-Anspruch)
+- Audit-Pattern: `references/audit-patterns.md` Phase 4 (DSE-Drift / Cron-Coverage)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/react/consent-gate-pattern.md

@@ -0,0 +1,99 @@
+---
+license: MIT (snippet)
+provider: React (Open-Source)
+last-checked: 2026-05-02
+purpose: React useConsent Hook fuer ConsentGate-Pattern.
+---
+
+# React — useConsent Hook + ConsentGate (Pattern)
+
+## 1. Use-Case
+
+Tracker / Embeds / Drittanbieter sollen NUR nach User-Consent geladen werden.
+
+## 2. Code-Pattern
+
+```tsx
+// File: src/lib/consent.ts
+import { useState, useEffect } from 'react';
+
+type ConsentCategory = 'necessary' | 'analytics' | 'marketing';
+
+type ConsentState = Record<ConsentCategory, boolean>;
+
+const STORAGE_KEY = 'cookie-consent';
+
+export function useConsent() {
+  const [consent, setConsent] = useState<ConsentState>({
+    necessary: true,
+    analytics: false,
+    marketing: false,
+  });
+
+  useEffect(() => {
+    const stored = localStorage.getItem(STORAGE_KEY);
+    if (stored) {
+      setConsent(JSON.parse(stored));
+    }
+    // Listen fuer Consent-Aenderungen
+    const handler = () => {
+      const updated = localStorage.getItem(STORAGE_KEY);
+      if (updated) setConsent(JSON.parse(updated));
+    };
+    window.addEventListener('storage', handler);
+    return () => window.removeEventListener('storage', handler);
+  }, []);
+
+  const hasConsented = (category: ConsentCategory) => consent[category];
+
+  return { consent, hasConsented };
+}
+```
+
+```tsx
+// File: src/components/ConsentGate.tsx
+'use client';
+
+import { ReactNode } from 'react';
+import { useConsent } from '@/lib/consent';
+
+type Props = {
+  category: 'analytics' | 'marketing';
+  children: ReactNode;
+  fallback?: ReactNode;
+};
+
+export default function ConsentGate({ category, children, fallback }: Props) {
+  const { hasConsented } = useConsent();
+
+  if (!hasConsented(category)) {
+    return fallback ? <>{fallback}</> : null;
+  }
+
+  return <>{children}</>;
+}
+```
+
+```tsx
+// Verwendung: YouTube-Embed nur nach Consent
+import ConsentGate from '@/components/ConsentGate';
+
+<ConsentGate category="marketing" fallback={
+  <div className="consent-fallback">
+    <p>YouTube-Video benoetigt Ihre Einwilligung.</p>
+    <button onClick={() => /* Banner re-open */}>Cookies aendern</button>
+  </div>
+}>
+  <iframe src="https://www.youtube-nocookie.com/embed/..." />
+</ConsentGate>
+```
+
+## 3. Az.-Anker
+
+- EuGH C-40/17 Fashion-ID (Mit-Verantwortlichkeit)
+- LG Muenchen I 3 O 17493/20 (Google Fonts ohne Consent)
+
+## 4. Cross-Reference
+
+- Cookie-Banner: `cookie-banner-pattern.md`
+- Audit-Pattern Phase 5: `audit-patterns.md`