@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/strapi/notice-and-action-plugin.md

@@ -0,0 +1,371 @@
+---
+license: MIT (snippet)
+provider: Strapi v4 / v5 (Open-Source)
+last-checked: 2026-05-05
+purpose: Strapi Plugin Pattern fuer DSA Art. 16 Notice-and-Action Compliance.
+---
+
+# Strapi — Notice-and-Action Plugin Pattern (DSA Art. 16)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `@strapi/strapi` mit User-Generated-Content (Comments, Submissions, Reviews)
+- Optional: `src/plugins/notice-and-action/` Custom-Plugin
+- Service-Provider faellt unter DSA (Digital Services Act EU 2022/2065)
+- Optional: `src/api/dsa-report/` Content-Type fuer Reports
+
+DSA Art. 16: Hosting-Provider muessen einen Mechanismus zur Meldung rechtswidriger Inhalte bereitstellen ("Notice-and-Action"). Pflicht seit 17. Februar 2024 fuer alle Hosting-Provider (auch kleine).
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- Strapi hat keinen Built-in DSA-Report-Mechanismus
+- User koennen Inhalte nicht strukturiert melden → manuelle E-Mail-Bearbeitung
+- Keine Transparenz-Berichte → DSA Art. 15 Verstoss bei aktiveren Diensten
+- Kein Audit-Trail fuer Moderations-Entscheidungen
+- Keine Begruendung-Pflicht-Antwort an Reporter
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Kein Notice-and-Action-Mechanismus | DSA Art. 16 | KRITISCH | Plugin mit Report-Endpoint |
+| Reporter erhaelt keine Bestaetigung | DSA Art. 16 Abs. 5 | HOCH | Auto-Confirmation-Mail |
+| Keine Begruendung an Uploader bei Removal | DSA Art. 17 | HOCH | Statement-of-Reasons-Workflow |
+| Keine Transparenz-Reports | DSA Art. 15/24 | MITTEL (HOCH bei VLOP) | Annual-Report-Worker |
+| Trusted-Flagger-Privileg fehlt | DSA Art. 22 | NIEDRIG (Optional) | Role-based Priority |
+| Kein Beschwerde-System | DSA Art. 20 | HOCH | Internal-Complaint-Endpoint |
+
+## Code-Pattern (sanitized)
+
+```javascript
+// File: src/api/dsa-report/content-types/dsa-report/schema.json
+{
+  "kind": "collectionType",
+  "collectionName": "dsa_reports",
+  "info": {
+    "singularName": "dsa-report",
+    "pluralName": "dsa-reports",
+    "displayName": "DSA Report"
+  },
+  "options": {
+    "draftAndPublish": false
+  },
+  "attributes": {
+    "reportedContentType": {
+      "type": "enumeration",
+      "enum": ["comment", "submission", "upload", "review"],
+      "required": true
+    },
+    "reportedContentId": {
+      "type": "string",
+      "required": true
+    },
+    "category": {
+      "type": "enumeration",
+      "enum": [
+        "illegal_hate_speech",
+        "terrorism_extremism",
+        "child_sexual_abuse_material",
+        "intellectual_property_violation",
+        "data_protection_violation",
+        "consumer_protection_violation",
+        "other_illegal"
+      ],
+      "required": true
+    },
+    "explanation": {
+      "type": "text",
+      "required": true,
+      "maxLength": 5000
+    },
+    "reporterEmail": {
+      "type": "email",
+      "required": true,
+      "private": true
+    },
+    "reporterIpHash": {
+      "type": "string",
+      "maxLength": 16,
+      "private": true
+    },
+    "isTrustedFlagger": {
+      "type": "boolean",
+      "default": false
+    },
+    "status": {
+      "type": "enumeration",
+      "enum": ["received", "in_review", "actioned", "rejected", "appealed"],
+      "default": "received"
+    },
+    "actionTaken": {
+      "type": "enumeration",
+      "enum": ["none", "removed", "demoted", "warning", "account_suspended"]
+    },
+    "statementOfReasons": {
+      "type": "text",
+      "maxLength": 5000
+    },
+    "submittedAt": {
+      "type": "datetime",
+      "required": true
+    },
+    "actionedAt": {
+      "type": "datetime"
+    }
+  }
+}
+```
+
+```javascript
+// File: src/api/dsa-report/controllers/dsa-report.js
+'use strict';
+
+const crypto = require('crypto');
+
+module.exports = ({ strapi }) => ({
+  async create(ctx) {
+    const {
+      reportedContentType,
+      reportedContentId,
+      category,
+      explanation,
+      reporterEmail,
+    } = ctx.request.body.data ?? {};
+
+    // Validation
+    if (!reportedContentType || !reportedContentId || !category || !explanation || !reporterEmail) {
+      return ctx.badRequest('Pflichtfelder fehlen');
+    }
+    if (typeof explanation !== 'string' || explanation.length < 50) {
+      return ctx.badRequest('Begruendung mindestens 50 Zeichen');
+    }
+
+    // IP-Hash
+    const ip = ctx.request.ip
+      ?? ctx.request.header['x-forwarded-for']?.split(',')[0]
+      ?? '';
+    const salt = strapi.config.get('server.ipHashSalt', '');
+    const ipHash = crypto.createHash('sha256').update(`${ip}${salt}`).digest('hex').slice(0, 16);
+
+    // Trusted-Flagger-Check (sofern Email auf Allowlist)
+    const trustedList = strapi.config.get('server.trustedFlaggers', []);
+    const isTrusted = trustedList.includes(reporterEmail.toLowerCase());
+
+    const report = await strapi.entityService.create('api::dsa-report.dsa-report', {
+      data: {
+        reportedContentType,
+        reportedContentId,
+        category,
+        explanation: explanation.slice(0, 5000),
+        reporterEmail,
+        reporterIpHash: ipHash,
+        isTrustedFlagger: isTrusted,
+        status: 'received',
+        submittedAt: new Date(),
+      },
+    });
+
+    // Auto-Confirmation an Reporter (DSA Art. 16 Abs. 5)
+    await strapi.plugins.email.services.email.send({
+      to: reporterEmail,
+      subject: `Bestaetigung Ihrer Meldung [Ref: ${report.id}]`,
+      text: buildConfirmationMail(report),
+    });
+
+    // Optional: Trusted-Flagger gehen sofort in Priority-Queue
+    if (isTrusted) {
+      await strapi.service('api::dsa-report.dsa-report').prioritize(report.id);
+    }
+
+    return {
+      data: {
+        id: report.id,
+        status: 'received',
+        submittedAt: report.submittedAt,
+      },
+    };
+  },
+
+  async findOne(ctx) {
+    // Reporter darf nur eigene Reports sehen
+    const { id } = ctx.params;
+    const report = await strapi.entityService.findOne('api::dsa-report.dsa-report', id, {
+      fields: ['status', 'category', 'submittedAt', 'actionedAt', 'statementOfReasons', 'actionTaken'],
+    });
+    if (!report) return ctx.notFound();
+    return { data: report };
+  },
+});
+
+function buildConfirmationMail(report) {
+  return `
+Wir haben Ihre Meldung erhalten.
+
+Referenz: ${report.id}
+Eingegangen am: ${report.submittedAt}
+Kategorie: ${report.category}
+
+Wir werden Ihre Meldung gemaess DSA Art. 16 unverzueglich pruefen und Ihnen
+das Ergebnis mit Begruendung mitteilen.
+
+Bei Fragen: <placeholder-email>
+  `.trim();
+}
+```
+
+```javascript
+// File: src/api/dsa-report/services/dsa-report.js
+'use strict';
+
+const { createCoreService } = require('@strapi/strapi').factories;
+
+module.exports = createCoreService('api::dsa-report.dsa-report', ({ strapi }) => ({
+  async actionReport(reportId, action, statementOfReasons) {
+    const report = await strapi.entityService.findOne('api::dsa-report.dsa-report', reportId);
+    if (!report) throw new Error('Report not found');
+
+    // 1. Action ausfuehren
+    if (action === 'removed') {
+      await strapi.entityService.delete(
+        `api::${report.reportedContentType}.${report.reportedContentType}`,
+        report.reportedContentId,
+      );
+    }
+
+    // 2. Report-Status aktualisieren
+    await strapi.entityService.update('api::dsa-report.dsa-report', reportId, {
+      data: {
+        status: 'actioned',
+        actionTaken: action,
+        statementOfReasons,
+        actionedAt: new Date(),
+      },
+    });
+
+    // 3. Reporter informieren
+    await strapi.plugins.email.services.email.send({
+      to: report.reporterEmail,
+      subject: `Ihre Meldung wurde bearbeitet [Ref: ${reportId}]`,
+      text: `Status: ${action}\n\nBegruendung:\n${statementOfReasons}`,
+    });
+
+    // 4. Uploader informieren (DSA Art. 17 Statement of Reasons)
+    if (action === 'removed') {
+      await this.notifyUploader(report.reportedContentType, report.reportedContentId, statementOfReasons);
+    }
+  },
+
+  async prioritize(reportId) {
+    // Trusted-Flagger-Reports priorisieren in Moderations-Queue
+    await strapi.entityService.update('api::dsa-report.dsa-report', reportId, {
+      data: { status: 'in_review' },
+    });
+  },
+
+  async notifyUploader(contentType, contentId, reason) {
+    const content = await strapi.entityService.findOne(`api::${contentType}.${contentType}`, contentId, {
+      populate: ['author'],
+    });
+    if (!content?.author?.email) return;
+
+    await strapi.plugins.email.services.email.send({
+      to: content.author.email,
+      subject: 'Ihr Inhalt wurde wegen einer Meldung entfernt',
+      text: `
+Ihr Inhalt (${contentType} #${contentId}) wurde aufgrund einer Meldung entfernt.
+
+Begruendung:
+${reason}
+
+Sie haben das Recht zur Beschwerde gemaess DSA Art. 20 binnen 6 Monaten.
+Beschwerde-Endpoint: <placeholder-domain>/api/dsa-complaints
+      `.trim(),
+    });
+  },
+}));
+```
+
+```javascript
+// File: src/api/dsa-report/routes/dsa-report.js
+module.exports = {
+  routes: [
+    {
+      method: 'POST',
+      path: '/dsa-reports',
+      handler: 'dsa-report.create',
+      config: { auth: false },  // Auch Nicht-User koennen melden
+    },
+    {
+      method: 'GET',
+      path: '/dsa-reports/:id',
+      handler: 'dsa-report.findOne',
+      config: { auth: false },  // Nur via Reference-ID + Email-Match
+    },
+  ],
+};
+```
+
+## AVV / DPA
+
+- Strapi-Hosting — Art. 28 DSGVO
+- Datenbank fuer Reports — AVV mit Backup-Rotation
+- Mailer fuer Bestaetigungen + Statement-of-Reasons — AVV mit EU-Hosting
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Meldung rechtswidriger Inhalte (DSA Art. 16)
+
+Sie koennen rechtswidrige Inhalte auf dieser Plattform jederzeit melden.
+
+**Meldekanal:** [Inhalt melden](https://<placeholder-domain>/report) oder
+E-Mail an <placeholder-email>.
+
+**Was geschieht mit Ihrer Meldung:**
+
+1. **Bestaetigung** binnen 24 Stunden mit Referenz-Nummer
+2. **Pruefung** durch unser Moderations-Team (Trusted-Flagger werden priorisiert)
+3. **Entscheidung** mit Begruendung an Sie und ggf. an den Uploader
+4. **Beschwerde-Recht** binnen 6 Monaten gemaess DSA Art. 20
+
+**Verarbeitete Daten Ihrer Meldung:**
+- E-Mail-Adresse (zur Antwort)
+- IP-Hash (Anti-Spam)
+- Beschreibung der gemeldeten Verletzung
+- Referenz auf gemeldeten Inhalt
+
+**Speicherdauer:** 5 Jahre nach Abschluss (Beweisfunktion bei Rechtsstreit).
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. c DSGVO (gesetzliche Verpflichtung
+DSA Art. 16) + lit. f (berechtigtes Interesse Plattform-Sicherheit).
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Report-Endpoint erreichbar
+curl -X POST https://<placeholder-domain>/api/dsa-reports \
+  -H "Content-Type: application/json" \
+  -d '{"data":{"reportedContentType":"comment","reportedContentId":"42","category":"illegal_hate_speech","explanation":"<placeholder-min-50-chars-explanation-text>","reporterEmail":"reporter@example.com"}}' -i
+# Erwartung: 200 mit { id, status: "received" }
+
+# 2. Bestaetigungs-Mail wird gesendet
+# (Mail-Provider-Logs pruefen)
+
+# 3. Validation: zu kurze Begruendung blockt
+curl -X POST https://<placeholder-domain>/api/dsa-reports \
+  -d '{"data":{"category":"other_illegal","explanation":"kurz","reporterEmail":"x@x.de"}}' -i
+# Erwartung: 400
+
+# 4. Trusted-Flagger-Privileg
+# Setze Email auf trusted-flaggers-Allowlist und sende Report
+# Erwartung: status sofort "in_review"
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `dsa-compliance-checker.ts`, `cms-pii-checker.ts`, `audit-trail-checker.ts`
+- Skill-Reference: `references/dsgvo.md` (Datenschutz-Aspekt)
+- DSA: VO (EU) 2022/2065 Art. 14, 16, 17, 20, 22 (Notice-and-Action, Statement of Reasons, Beschwerde, Trusted Flagger)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 5 (CMS-Audit), Phase 8 (DSA-Compliance)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/svelte/cookie-banner-pattern.md

@@ -0,0 +1,234 @@
+---
+license: MIT (snippet)
+provider: Svelte / SvelteKit (Open-Source)
+last-checked: 2026-05-05
+purpose: SvelteKit Cookie-Banner mit Stores fuer Consent-State + global +layout.svelte Mount.
+---
+
+# Svelte/SvelteKit — Cookie-Banner (Pattern)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `svelte` und/oder `@sveltejs/kit` in `package.json`
+- `svelte.config.js` mit Adapter-Config
+- `src/routes/+layout.svelte` als globales Layout
+- `src/lib/stores/*.ts` Svelte-Stores (`writable`/`readable`)
+- Optional: `+layout.server.ts` fuer Server-Cookie-Read
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- SvelteKit SSR rendered initial HTML serverseitig → Banner-Logik die `localStorage` braucht muss `browser`-Guard nutzen
+- Tracker-Imports im Top-Level `+layout.svelte` `<script>` werden gebundelt + im SSR-HTML referenziert
+- Ohne `+layout.server.ts` sieht Server keinen Consent-Cookie → kann Tracker nicht filtern
+- Stores haben kein Persist von Default → Reload zeigt Banner erneut
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker-Bundle in initial-load | § 25 TDDDG | KRITISCH | Dynamic-Import nach Consent |
+| `localStorage`-Access ohne `browser`-Guard | SSR-Crash | HOCH | `import { browser } from '$app/environment'` |
+| Banner doppelt gerendered (SSR + Hydration) | UX / DSGVO Klarheit | MITTEL | `{#if mounted}` Pattern |
+| Cookie ohne `Secure; SameSite=Lax` | Art. 32 DSGVO | HOCH | `event.cookies.set(..., { secure, sameSite })` |
+| Drittland-Adapter ohne EU-Region | Art. 44 DSGVO | KRITISCH | Adapter-Region konfigurieren |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/lib/stores/consent.ts
+import { writable, derived } from 'svelte/store';
+import { browser } from '$app/environment';
+
+export type Consent = {
+  necessary: true;
+  analytics: boolean;
+  marketing: boolean;
+  timestamp: string | null;
+  version: '1.0';
+};
+
+const defaultConsent: Consent = {
+  necessary: true,
+  analytics: false,
+  marketing: false,
+  timestamp: null,
+  version: '1.0',
+};
+
+function createConsentStore() {
+  const initial: Consent = { ...defaultConsent };
+
+  if (browser) {
+    const stored = localStorage.getItem('cookie-consent');
+    if (stored) {
+      try {
+        Object.assign(initial, JSON.parse(stored));
+      } catch {
+        /* ignore */
+      }
+    }
+  }
+
+  const { subscribe, set, update } = writable<Consent>(initial);
+
+  return {
+    subscribe,
+    grant(partial: Partial<Pick<Consent, 'analytics' | 'marketing'>>) {
+      update(c => {
+        const next: Consent = {
+          ...c,
+          ...partial,
+          timestamp: new Date().toISOString(),
+        };
+        if (browser) {
+          localStorage.setItem('cookie-consent', JSON.stringify(next));
+          fetch('/api/consent-log', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(next),
+          });
+        }
+        return next;
+      });
+    },
+    revoke() {
+      const reset: Consent = { ...defaultConsent, timestamp: new Date().toISOString() };
+      if (browser) {
+        localStorage.setItem('cookie-consent', JSON.stringify(reset));
+      }
+      set(reset);
+    },
+  };
+}
+
+export const consent = createConsentStore();
+export const hasDecided = derived(consent, $c => $c.timestamp !== null);
+```
+
+```svelte
+<!-- File: src/lib/components/CookieBanner.svelte -->
+<script lang="ts">
+  import { onMount } from 'svelte';
+  import { consent, hasDecided } from '$lib/stores/consent';
+  import { browser } from '$app/environment';
+
+  let mounted = false;
+
+  onMount(() => {
+    mounted = true;
+  });
+
+  function acceptAll() {
+    consent.grant({ analytics: true, marketing: true });
+  }
+
+  function rejectAll() {
+    consent.grant({ analytics: false, marketing: false });
+  }
+</script>
+
+{#if mounted && !$hasDecided}
+  <aside role="dialog" aria-label="Cookie-Einwilligung" class="cookie-banner">
+    <p>
+      Wir nutzen Cookies fuer notwendige Funktionen. Mit Ihrer Einwilligung
+      zusaetzlich fuer Webanalyse. Details:
+      <a href="/datenschutz">Datenschutzerklaerung</a>.
+    </p>
+    <div class="cookie-actions">
+      <!-- Buttons gleichwertig (OLG Koeln 6 U 80/23) -->
+      <button on:click={rejectAll} class="btn-secondary">Nur Notwendige</button>
+      <button on:click={acceptAll} class="btn-primary">Alle akzeptieren</button>
+    </div>
+  </aside>
+{/if}
+
+<style>
+  .cookie-banner {
+    position: fixed;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    background: #fff;
+    border-top: 1px solid #ccc;
+    padding: 1rem;
+    z-index: 9999;
+  }
+</style>
+```
+
+```svelte
+<!-- File: src/routes/+layout.svelte -->
+<script lang="ts">
+  import CookieBanner from '$lib/components/CookieBanner.svelte';
+  import { consent } from '$lib/stores/consent';
+  import { browser } from '$app/environment';
+
+  // Dynamic-Tracker-Load nach Consent-Aenderung
+  if (browser) {
+    consent.subscribe(async ($c) => {
+      if ($c.analytics) {
+        const m = await import('$lib/trackers/analytics');
+        m.init();
+      }
+    });
+  }
+</script>
+
+<slot />
+<CookieBanner />
+```
+
+## AVV / DPA
+
+- Hosting-Adapter (Vercel / Netlify / Node) — Art. 28 DSGVO
+- Edge-Adapter Region MUSS auf EU gepinnt sein
+- Analytics-Provider (EU) — AVV
+- Form-Backends — separate AVV pro Service
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Cookie-Einwilligung (SvelteKit)
+
+Diese Webseite verwendet einen Cookie-Banner zur Einholung Ihrer
+Einwilligung gem. § 25 Abs. 1 TDDDG. Ihre Entscheidung wird im
+Browser-Speicher (`localStorage`) gespeichert und zusaetzlich serverseitig
+zur Nachweispflicht (Art. 7 Abs. 1 DSGVO) protokolliert.
+
+**Server-Side-Log enthaelt:**
+- Hash der IP-Adresse (SHA-256, gekuerzt)
+- Zeitstempel
+- Gewaehlte Kategorien
+- User-Agent
+
+**Speicherdauer Server-Log:** 6 Jahre (Beweisfunktion bei Rechtsstreit).
+**Loeschung Browser-Storage:** ueber [Cookie-Einstellungen](#cookie-settings)
+im Footer oder Browser-Einstellungen.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Banner sichtbar bei Erstbesuch
+curl -sS https://<placeholder-domain>/ | grep -ic "cookie-banner"
+
+# 2. Tracker-Bundle nicht im initial HTML
+curl -sS https://<placeholder-domain>/ | grep -oE '<script[^>]*src="[^"]+"' | grep -i "analytics\|tracker"
+# Erwartung: leer
+
+# 3. SvelteKit-Region-Pinning
+curl -sI https://<placeholder-domain>/ | grep -i "x-vercel-id"
+# Erwartung: fra1 / cdg1 etc.
+
+# 4. Hydration-Check (Browser DevTools-Console)
+# Erwartung: kein "[svelte] hydration_mismatch" warning
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `cookie-audit.ts`, `tracking-scan.ts`, `consent-flow-checker.ts`, `ssr-data-leak-checker.ts`
+- Skill-Reference: `references/dsgvo.md` § 25 TDDDG, Art. 7 DSGVO
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- OLG Koeln 6 U 80/23 (Button-Gleichwertigkeit)
+- Audit-Pattern: `references/audit-patterns.md` Phase 2 (Cookie-Audit)