@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/react/cookie-banner-pattern.md

@@ -0,0 +1,204 @@
+---
+license: MIT (snippet)
+provider: React (Open-Source)
+last-checked: 2026-05-02
+purpose: React Cookie-Banner Pattern mit Accept/Reject/Settings + Dokumentation.
+---
+
+# React — Cookie-Banner (Pattern)
+
+## 1. DSGVO/TDDDG-Pflicht-Eigenschaften
+
+| Pflicht | Quelle |
+|---|---|
+| Banner sichtbar bei Erstbesuch | EuGH C-673/17 Planet49 |
+| Akzeptieren + Ablehnen gleichwertig | OLG Koeln 6 U 80/23 |
+| Keine Pre-Tick-Boxen | EuGH C-673/17 |
+| Granulare Kategorien | EDPB Guidelines 03/2022 |
+| Widerruf jederzeit (Footer-Link) | DSGVO Art. 7 Abs. 3 |
+| Consent-Log mit Timestamp | DSGVO Art. 7 Abs. 1 (Nachweis) |
+
+## 2. Code-Pattern (sanitized)
+
+```tsx
+// File: src/components/CookieBanner.tsx
+'use client';
+
+import { useState, useEffect } from 'react';
+
+type ConsentState = {
+  necessary: true;       // Default true (immer erlaubt)
+  analytics: boolean;
+  marketing: boolean;
+  timestamp?: string;
+  version: '1.0';
+};
+
+const STORAGE_KEY = 'cookie-consent';
+
+export default function CookieBanner() {
+  const [showBanner, setShowBanner] = useState(false);
+  const [showSettings, setShowSettings] = useState(false);
+  const [consent, setConsent] = useState<ConsentState>({
+    necessary: true,
+    analytics: false,  // Default false (Opt-In)
+    marketing: false,  // Default false (Opt-In)
+    version: '1.0',
+  });
+
+  useEffect(() => {
+    const stored = localStorage.getItem(STORAGE_KEY);
+    if (!stored) {
+      setShowBanner(true);
+    }
+  }, []);
+
+  const persistConsent = (state: ConsentState) => {
+    const final = { ...state, timestamp: new Date().toISOString() };
+    localStorage.setItem(STORAGE_KEY, JSON.stringify(final));
+    // Server-side log fuer Beweis Pflicht
+    fetch('/api/consent-log', {
+      method: 'POST',
+      body: JSON.stringify(final),
+      headers: { 'Content-Type': 'application/json' },
+    });
+    setShowBanner(false);
+  };
+
+  const acceptAll = () => persistConsent({
+    ...consent,
+    analytics: true,
+    marketing: true,
+    version: '1.0',
+  });
+
+  const rejectAll = () => persistConsent({
+    necessary: true,
+    analytics: false,
+    marketing: false,
+    version: '1.0',
+  });
+
+  if (!showBanner) return null;
+
+  return (
+    <aside role="dialog" aria-label="Cookie-Einwilligung" className="cookie-banner">
+      <p>
+        Wir nutzen Cookies fuer notwendige Funktionen und (mit Ihrer Einwilligung)
+        fuer Webanalyse. Details in <a href="/datenschutz">Datenschutzerklaerung</a>.
+      </p>
+      <div className="cookie-banner-buttons">
+        {/* Beide Buttons gleichwertig (OLG Koeln 6 U 80/23) */}
+        <button onClick={rejectAll} className="btn-secondary">
+          Nur Notwendige
+        </button>
+        <button onClick={() => setShowSettings(true)} className="btn-secondary">
+          Einstellungen
+        </button>
+        <button onClick={acceptAll} className="btn-primary">
+          Alle akzeptieren
+        </button>
+      </div>
+      {showSettings && (
+        <CookieSettings
+          consent={consent}
+          onSave={persistConsent}
+          onChange={setConsent}
+        />
+      )}
+    </aside>
+  );
+}
+
+function CookieSettings({ consent, onSave, onChange }: any) {
+  return (
+    <div className="cookie-settings">
+      <label>
+        <input type="checkbox" checked disabled />
+        <strong>Notwendig</strong> (Session-Login, CSRF, Cookie-Consent — kein Opt-Out)
+      </label>
+      <label>
+        <input
+          type="checkbox"
+          checked={consent.analytics}
+          onChange={(e) => onChange({ ...consent, analytics: e.target.checked })}
+        />
+        <strong>Analytics</strong> (Webseiten-Statistiken, Datenerhebung anonym)
+      </label>
+      <label>
+        <input
+          type="checkbox"
+          checked={consent.marketing}
+          onChange={(e) => onChange({ ...consent, marketing: e.target.checked })}
+        />
+        <strong>Marketing</strong> (Werbung, Tracking ueber Drittanbieter)
+      </label>
+      <button onClick={() => onSave(consent)}>Auswahl speichern</button>
+    </div>
+  );
+}
+```
+
+## 3. Footer-Link fuer Widerruf
+
+```tsx
+// File: src/components/Footer.tsx
+export default function Footer() {
+  const reopenBanner = () => {
+    localStorage.removeItem('cookie-consent');
+    window.location.reload();
+  };
+
+  return (
+    <footer>
+      <button onClick={reopenBanner}>
+        Cookie-Einstellungen aendern
+      </button>
+    </footer>
+  );
+}
+```
+
+## 4. Server-Side Consent-Log
+
+```ts
+// File: src/app/api/consent-log/route.ts
+import { db } from '@/lib/db';
+
+export async function POST(req: Request) {
+  const consent = await req.json();
+  await db.consentLog.create({
+    data: {
+      ip: hashIp(req.headers.get('x-forwarded-for') ?? ''),
+      userAgent: req.headers.get('user-agent') ?? '',
+      consent: JSON.stringify(consent),
+      timestamp: new Date(),
+    },
+  });
+  return new Response(null, { status: 204 });
+}
+
+function hashIp(ip: string): string {
+  return require('crypto').createHash('sha256').update(ip).digest('hex');
+}
+```
+
+## 5. Az.-Anker
+
+- EuGH C-673/17 Planet49 (01.10.2019)
+- BGH I ZR 7/16 (28.05.2020)
+- OLG Koeln 6 U 80/23 (19.01.2024)
+- LG Berlin 16 O 252/22 (28.06.2023)
+
+## 6. Verify
+
+```bash
+# 1. Banner laedt bei Erstbesuch (no consent set)
+curl -sS https://example.com -H "Cookie: " | grep -ic "cookie-banner\|akzeptieren\|ablehnen"
+
+# 2. Reject = Akzeptieren gleichwertig
+# (manuell: pruefe CSS dass beide Buttons gleiche Klasse / Groesse haben)
+
+# 3. Settings-Link im Footer
+curl -sS https://example.com | grep -ic "cookie.einstell\|cookie-settings"
+```

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/strapi/cms-pii-pattern.md

@@ -0,0 +1,301 @@
+---
+license: MIT (snippet)
+provider: Strapi v4 / v5 (Open-Source)
+last-checked: 2026-05-05
+purpose: Strapi User-Submission Lifecycle-Hook Pattern fuer PII-Filtering + Robots-Meta + DSE-Erinnerung.
+---
+
+# Strapi — CMS-PII Pattern
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `@strapi/strapi` in `package.json`
+- `src/api/*/content-types/` Schema-Files
+- `src/api/*/controllers/*.js` / `services/*.js` / `routes/*.js`
+- Optional: `src/api/*/lifecycles.js` Hook-Files
+- Optional: `config/admin.js`, `config/server.js`
+
+Pattern: Strapi haelt User-generated-Content (Comments, Submissions, Form-Eintraege). Lifecycle-Hooks koennen PII-Felder filtern, Crawler-Indexing verhindern, DSE-Verweise erzwingen.
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Strapi-Admin-Panel laed Tracker-Pixel von `<placeholder-strapi-marketplace-host>` → DSGVO-Verstoss bei aktivierten Telemetry-Settings
+- User-Submissions speichern alles was im Schema definiert ist — keine Auto-PII-Filterung
+- Keine `robots: noindex` auf User-Content-Pages → Suchmaschinen indizieren PII
+- Webhooks senden Klartext-Daten an externe Endpoints
+- Default-Server-Logs enthalten Klartext-IP
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Strapi-Telemetry leakt Repo-Metadata an Drittland | Art. 44 DSGVO | KRITISCH | `telemetryDisabled: true` in `config/server.js` |
+| User-Submission ohne PII-Filter | Art. 5 lit. c DSGVO | HOCH | Lifecycle-Hook `beforeCreate` |
+| Robots-Meta fehlt fuer User-Content | Art. 5 lit. f DSGVO | HOCH | `noindex,nofollow` in CMS-Frontend |
+| Webhook mit Klartext-PII | Art. 5 lit. f | HOCH | Webhook-Payload-Filter im Hook |
+| Admin-Panel ueber HTTP zugaenglich | Art. 32 DSGVO | KRITISCH | `admin.url` mit HTTPS + IP-Allowlist |
+| Default-Email-Templates mit Brand-Tracker | § 25 TDDDG | MITTEL | Custom Templates |
+
+## Code-Pattern (sanitized)
+
+```javascript
+// File: config/server.js
+module.exports = ({ env }) => ({
+  host: env('HOST', '0.0.0.0'),
+  port: env.int('PORT', 1337),
+  app: {
+    keys: env.array('APP_KEYS'),
+  },
+  webhooks: {
+    populateRelations: env.bool('WEBHOOKS_POPULATE_RELATIONS', false),
+  },
+  // KRITISCH: Strapi-Telemetry deaktivieren
+  telemetryDisabled: true,
+});
+```
+
+```javascript
+// File: config/admin.js
+module.exports = ({ env }) => ({
+  auth: {
+    secret: env('ADMIN_JWT_SECRET'),
+  },
+  apiToken: {
+    salt: env('API_TOKEN_SALT'),
+  },
+  transfer: {
+    token: {
+      salt: env('TRANSFER_TOKEN_SALT'),
+    },
+  },
+  flags: {
+    nps: false,                  // Net-Promoter-Score-Tracker AUS
+    promoteEE: false,            // Marketing-Promo AUS
+  },
+});
+```
+
+```javascript
+// File: src/api/comment/content-types/comment/schema.json
+{
+  "kind": "collectionType",
+  "collectionName": "comments",
+  "info": {
+    "singularName": "comment",
+    "pluralName": "comments",
+    "displayName": "Comment"
+  },
+  "options": {
+    "draftAndPublish": true
+  },
+  "attributes": {
+    "body": {
+      "type": "text",
+      "required": true,
+      "maxLength": 5000
+    },
+    "authorName": {
+      "type": "string",
+      "maxLength": 100
+    },
+    "authorEmail": {
+      "type": "email",
+      "private": true
+    },
+    "ipHash": {
+      "type": "string",
+      "maxLength": 16,
+      "private": true
+    },
+    "consentVersion": {
+      "type": "string",
+      "maxLength": 16
+    }
+  }
+}
+```
+
+```javascript
+// File: src/api/comment/content-types/comment/lifecycles.js
+const crypto = require('crypto');
+
+const PII_FIELDS = ['authorEmail', 'ipHash'];
+const FORBIDDEN_PATTERNS = [
+  /[\w.+-]+@[\w-]+\.[\w-]+/g,                       // Email-Pattern im body
+  /\bDE\d{2}[\d\s]{18,22}\b/g,                       // IBAN
+  /\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g,     // Credit-Card
+];
+
+module.exports = {
+  async beforeCreate(event) {
+    const { data, params } = event;
+
+    // 1. PII im Body herausfiltern
+    if (typeof data.body === 'string') {
+      for (const pattern of FORBIDDEN_PATTERNS) {
+        data.body = data.body.replace(pattern, '[REDACTED]');
+      }
+    }
+
+    // 2. IP-Hash setzen (statt Klartext)
+    const requestState = strapi.requestContext.get();
+    const ip = requestState?.request?.ip
+      ?? requestState?.request?.header?.['x-forwarded-for']?.split(',')[0]
+      ?? '';
+
+    const salt = strapi.config.get('server.ipHashSalt', '');
+    data.ipHash = crypto
+      .createHash('sha256')
+      .update(`${ip}${salt}`)
+      .digest('hex')
+      .slice(0, 16);
+
+    // 3. Consent-Pflicht: erfordere consentVersion
+    if (!data.consentVersion) {
+      throw new Error('Consent-Version Pflicht — User muss DSE bestaetigt haben');
+    }
+  },
+
+  async beforeUpdate(event) {
+    // PII-Felder duerfen nicht via Public-API ge-updated werden
+    const { data } = event;
+    for (const field of PII_FIELDS) {
+      if (field in data) {
+        delete data[field];
+      }
+    }
+  },
+
+  async afterDelete(event) {
+    // Cascade auf abhaengige Records (Mentions, Replies)
+    const { result } = event;
+    await strapi.db.query('api::reply.reply').deleteMany({
+      where: { parentComment: result.id },
+    });
+  },
+};
+```
+
+```javascript
+// File: src/api/comment/controllers/comment.js
+'use strict';
+
+const { createCoreController } = require('@strapi/strapi').factories;
+
+module.exports = createCoreController('api::comment.comment', ({ strapi }) => ({
+  async findOne(ctx) {
+    const { id } = ctx.params;
+    const entity = await strapi.entityService.findOne('api::comment.comment', id, {
+      // Niemals authorEmail / ipHash in API-Response
+      fields: ['body', 'authorName', 'createdAt', 'consentVersion'],
+    });
+
+    if (!entity) {
+      return ctx.notFound();
+    }
+
+    // Robots-Meta-Header fuer User-Content-Page
+    ctx.set('X-Robots-Tag', 'noindex, nofollow');
+
+    return { data: entity };
+  },
+}));
+```
+
+```javascript
+// File: src/middlewares/robots-noindex.js
+module.exports = (config, { strapi }) => {
+  return async (ctx, next) => {
+    await next();
+
+    // User-generated-Content-Routes: kein Indexing
+    if (ctx.request.url.startsWith('/api/comments/')
+        || ctx.request.url.startsWith('/api/submissions/')) {
+      ctx.set('X-Robots-Tag', 'noindex, nofollow');
+    }
+  };
+};
+```
+
+```javascript
+// File: config/middlewares.js
+module.exports = [
+  'strapi::errors',
+  'strapi::security',
+  'strapi::cors',
+  'strapi::poweredBy',  // Sicherstellen: poweredBy=false (siehe unten)
+  'strapi::logger',
+  'strapi::query',
+  'strapi::body',
+  'strapi::session',
+  'strapi::favicon',
+  'strapi::public',
+  { resolve: './src/middlewares/robots-noindex' },
+];
+```
+
+## AVV / DPA
+
+- Strapi-Hosting (self-host EU / Strapi Cloud EU) — Art. 28 DSGVO
+- Datenbank (Postgres EU / SQLite local) — AVV
+- Media-Storage (S3 EU / Cloudinary EU) — AVV
+- Webhook-Empfaenger — pro externes System AVV
+- Telemetry MUSS aus sein (siehe `config/server.js`)
+
+## DSE-Wording-Vorlage
+
+```markdown
+### User-generierter Content (Kommentare, Formulare)
+
+Wenn Sie auf unserer Webseite Inhalte einreichen (z.B. Kommentare, Formulare),
+verarbeiten wir folgende Daten:
+
+| Feld | Verarbeitung | Speicherung |
+|---|---|---|
+| Inhalt (Body) | PII automatisch entfernt (E-Mail/IBAN/CC-Patterns redacted) | Bis Loeschung |
+| Name (optional) | wird mit Inhalt veroeffentlicht | Bis Loeschung |
+| E-Mail | nur intern (private), nicht oeffentlich | Bis Loeschung |
+| IP-Hash | SHA-256 mit Salt, gekuerzt (Spam-Schutz) | 90 Tage |
+
+**Veroeffentlichung:** Inhalte werden mit `noindex,nofollow` markiert,
+sodass Suchmaschinen sie nicht indizieren.
+
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. b DSGVO (Vertrag) +
+Art. 6 Abs. 1 lit. f DSGVO (Spam-Schutz).
+**Loeschung:** auf Anfrage via [Account-Dashboard](#account) oder
+E-Mail an <placeholder-email>.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Telemetry deaktiviert
+grep -r "telemetryDisabled" config/
+# Erwartung: telemetryDisabled: true
+
+# 2. PII-Filter wirkt (Test-Submission)
+curl -X POST https://<placeholder-domain>/api/comments \
+  -H "Content-Type: application/json" \
+  -d '{"data":{"body":"Mein Kontakt: test@example.com","consentVersion":"1.0"}}' \
+  -H "Authorization: Bearer <placeholder-token>" -i
+# Erwartung: 200, Body in DB enthaelt "[REDACTED]" statt Email
+
+# 3. authorEmail nicht in API-Response
+curl https://<placeholder-domain>/api/comments/<id> | jq .
+# Erwartung: kein "authorEmail"-Feld
+
+# 4. Robots-Meta-Header gesetzt
+curl -sI https://<placeholder-domain>/api/comments/<id> | grep -i "x-robots-tag"
+# Erwartung: X-Robots-Tag: noindex, nofollow
+
+# 5. Strapi-Admin telemetry blockiert
+# DevTools-Network-Tab beim Admin-Login: kein Call zu Strapi-Marketplace
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `cms-pii-checker.ts`, `tracking-scan.ts`, `data-transfer-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 5 (Min), Art. 32 (Sicherheit)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 5 (CMS-Audit), Phase 3 (Drittland)