npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.1 - Mend

@aegis-scan/skills 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (346) hide show

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/env-driven-tracking.md ADDED Viewed

@@ -0,0 +1,135 @@
+---
+license: MIT (snippet)
+provider: Next.js (Vercel) — Framework
+last-checked: 2026-05-02
+purpose: Pattern fuer ENV-Driven Tracking-Loading mit Build-Arg-Pitfall-Schutz.
+---
+# Next.js — ENV-Driven Tracking (Pattern)
+## 1. Default-Verhalten / Pitfalls
+`NEXT_PUBLIC_*`-ENV-Vars werden zur **Build-Zeit** im Client-Bundle eingelogged (string-replace).
+Wenn das Deployment-Tool (Dokploy / Coolify / Nixpacks / Railway) die ENV nur als
+**Runtime-ENV** durchreicht aber nicht als `--build-arg` weitergibt, landet `undefined` im Bundle.
+## 2. Compliance-Risiken
+| Risiko | Wirkung | Fix |
+|---|---|---|
+| Build-Arg-Pitfall | Tracker-URL leer → Tracker laeuft nicht | Build-Arg-Konfiguration |
+| Tracker laedt vor Consent | § 25 TDDDG-Verstoss | ConsentGate |
+| Tracker-URL hardcoded | Drift bei Subdomain-Wechsel | env-driven mit Default |
+| Bundle leakt Brand-Codename | Public-OPSec-Issue | env-driven mit Brand-eigener Subdomain |
+## 3. Code-Pattern (sanitized)
+```ts
+// File: src/components/analytics/UmamiScript.tsx
+'use client';
+import Script from 'next/script';
+import { useConsent } from '@/lib/consent';
+const ANALYTICS_HOST = (
+  process.env.UMAMI_HOST ||
+  process.env.NEXT_PUBLIC_ANALYTICS_HOST ||
+  'https://metrics.example.com'  // Default = Brand-eigene Subdomain
+).replace(/\/+$/, '');
+const WEBSITE_ID = process.env.NEXT_PUBLIC_UMAMI_WEBSITE_ID;
+export default function UmamiScript() {
+  const { hasConsented } = useConsent();
+  if (!hasConsented('analytics') || !WEBSITE_ID) {
+    return null;
+  }
+  return (
+    <Script
+      defer
+      src={`${ANALYTICS_HOST}/script.js`}
+      data-website-id={WEBSITE_ID}
+      strategy="afterInteractive"
+    />
+  );
+}
+```
+```dockerfile
+# Dockerfile (builder-Stage)
+FROM node:22-alpine AS builder
+# Pflicht: NEXT_PUBLIC_*-Vars muessen ARG + ENV im Build-Stage sein
+ARG NEXT_PUBLIC_UMAMI_WEBSITE_ID
+ARG NEXT_PUBLIC_ANALYTICS_HOST
+ENV NEXT_PUBLIC_UMAMI_WEBSITE_ID=$NEXT_PUBLIC_UMAMI_WEBSITE_ID
+ENV NEXT_PUBLIC_ANALYTICS_HOST=$NEXT_PUBLIC_ANALYTICS_HOST
+# ... rest
+```
+```yaml
+# Dokploy Build-Args (oder vergleichbares Tool)
+buildArgs:
+  NEXT_PUBLIC_UMAMI_WEBSITE_ID: "abc-123"
+  NEXT_PUBLIC_ANALYTICS_HOST: "https://metrics.example.com"
+```
+## 4. Server-Component-Variante (besser, kein Bundle-Leak)
+```ts
+// File: src/app/layout.tsx (Server-Component)
+import { headers } from 'next/headers';
+export default async function RootLayout({ children }) {
+  const analyticsHost = process.env.UMAMI_HOST;  // server-only, kein NEXT_PUBLIC_
+  return (
+    <html>
+      <head>
+        {analyticsHost && (
+          <script
+            defer
+            src={`${analyticsHost}/script.js`}
+            data-website-id={process.env.UMAMI_WEBSITE_ID}
+          />
+        )}
+      </head>
+      <body>{children}</body>
+    </html>
+  );
+}
+```
+Server-Component-Variante:
+- Keine NEXT_PUBLIC_-Pflicht (server-only env)
+- Container-Runtime-ENV reicht (kein Build-Arg)
+- Kein Code-Var-Leak im Public-Bundle
+## 5. DSE-Wording-Vorlage
+> Wir verwenden Umami (selbst-gehostete Webanalyse) auf `metrics.example.com`. Daten
+> werden ohne Cookies erhoben + ohne Personenbezug ueber DAU-Hash. Erhebung erfolgt
+> mit Ihrer Einwilligung (Art. 6 Abs. 1 lit. a DSGVO + § 25 Abs. 1 TDDDG).
+## 6. Verify-Commands
+```bash
+# 1. Bundle-Check (NEXT_PUBLIC_-Pfad)
+docker exec <container> grep -rE "metrics.example.com|UMAMI_WEBSITE_ID" \
+  /app/.next/server/chunks/ /app/.next/static/ 2>&1 | head -3
+# 2. SSR-Render-Check (Server-Component-Pfad)
+curl -s https://example.com | grep -oE 'metrics.example.com'
+# 3. Pre-Consent-Loading-Pruefung
+curl -s https://example.com | grep -oE '<script[^>]*metrics.example.com[^>]*>'
+# Erwartung: kein direkter Script-Tag ohne ConsentGate-Wrapper
+```
+## 7. Az.-Anker
+- EuGH C-673/17 Planet49 (Cookie-Einwilligung)
+- BGH I ZR 7/16 (DSGVO-Pflichtinformation als UWG-Schutzgesetz)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/cookie-banner-pattern.md ADDED Viewed

@@ -0,0 +1,294 @@
+---
+license: MIT (snippet)
+provider: Ruby on Rails (Open-Source)
+last-checked: 2026-05-05
+purpose: Rails Cookies-Helper + Concern-Pattern fuer Tracker-Authorization.
+---
+# Rails — Cookie-Banner (Pattern)
+## Trigger / Detection
+Repo enthaelt:
+- `rails` in `Gemfile` (Version >= 7.x empfohlen)
+- `app/controllers/application_controller.rb`
+- `app/views/layouts/application.html.erb`
+- Optional: `app/javascript/` (Hotwire/Stimulus) oder Webpacker
+- Optional: `config/initializers/cookies_serializer.rb`
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Default `cookies` Helper signiert/verschluesselt Cookies → Banner-JS kann nicht lesen
+- Tracker-Tags in `application.html.erb` `<head>` direkt eingebunden
+- Session-Cookie ohne explizite `same_site` Setzung
+- Cookies ohne `secure: true` Default in Development → Drift zu Prod
+- Default-Logger schreibt Klartext-IP
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker-Tag in Layout-`<head>` | § 25 TDDDG | KRITISCH | Conditional `if cookies[:consent]&.dig('analytics')` |
+| Encrypted Consent-Cookie unleserlich fuer JS | UX/DSGVO | MITTEL | Plain `cookies[:cookie_consent]` (nicht signed) |
+| Session-Cookie ohne SameSite | Art. 32 DSGVO | HOCH | `config.action_dispatch.cookies_same_site_protection = :lax` |
+| Klartext-IP in Production-Log | Art. 5 lit. f | HOCH | Custom `Rails.logger` Filter |
+| `protect_from_forgery` nicht erzwungen | Art. 32 DSGVO | KRITISCH | nicht `with: :null_session` global |
+## Code-Pattern (sanitized)
+```ruby
+# File: config/initializers/cookies.rb
+Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
+Rails.application.config.action_dispatch.use_cookies_with_metadata = true
+```
+```ruby
+# File: app/controllers/concerns/consent_concern.rb
+module ConsentConcern
+  extend ActiveSupport::Concern
+  CONSENT_DEFAULT = {
+    'necessary' => true,
+    'analytics' => false,
+    'marketing' => false
+  }.freeze
+  included do
+    helper_method :user_consent, :analytics_consented?, :marketing_consented?
+    before_action :load_consent
+  end
+  def user_consent
+    @user_consent ||= CONSENT_DEFAULT
+  end
+  def analytics_consented?
+    user_consent['analytics'] == true
+  end
+  def marketing_consented?
+    user_consent['marketing'] == true
+  end
+  private
+  def load_consent
+    raw = cookies[:cookie_consent]
+    return unless raw
+    parsed = JSON.parse(raw) rescue nil
+    return unless parsed.is_a?(Hash)
+    @user_consent = CONSENT_DEFAULT.merge(parsed)
+  end
+end
+```
+```ruby
+# File: app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include ConsentConcern
+  protect_from_forgery with: :exception
+  before_action :set_security_headers
+  private
+  def set_security_headers
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+    response.headers['Permissions-Policy'] = 'geolocation=(), camera=(), microphone=()'
+  end
+end
+```
+```ruby
+# File: app/controllers/consent_controller.rb
+class ConsentController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: [:create], if: -> { csrf_token_via_header? }
+  def create
+    consent = consent_params.merge(
+      'necessary' => true,
+      'version' => '1.0',
+      'timestamp' => Time.current.iso8601
+    )
+    # Server-Log fuer Nachweispflicht
+    ConsentLog.create!(
+      ip_hash: ip_hash(request.remote_ip),
+      user_agent: (request.user_agent || '').first(200),
+      consent: consent.to_json
+    )
+    cookies[:cookie_consent] = {
+      value: consent.to_json,
+      expires: 12.months.from_now,
+      secure: Rails.env.production?,
+      httponly: false,  # Banner-JS muss lesen
+      same_site: :lax,
+      path: '/'
+    }
+    head :no_content
+  end
+  private
+  def consent_params
+    params.require(:consent).permit(:analytics, :marketing).to_h.transform_values { |v| v == true || v == 'true' }
+  end
+  def ip_hash(ip)
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    Digest::SHA256.hexdigest(ip + salt)[0...16]
+  end
+  def csrf_token_via_header?
+    request.headers['X-CSRF-Token'].present?
+  end
+end
+```
+```ruby
+# File: config/routes.rb (Auszug)
+Rails.application.routes.draw do
+  resource :consent, only: [:create]
+  # ...
+end
+```
+```erb
+<%# File: app/views/layouts/_cookie_banner.html.erb %>
+<% unless cookies[:cookie_consent] %>
+  <aside id="cookie-banner" role="dialog" aria-label="Cookie-Einwilligung" class="cookie-banner">
+    <p>
+      Wir nutzen Cookies fuer notwendige Funktionen. Mit Ihrer Einwilligung
+      zusaetzlich fuer Webanalyse. Details:
+      <%= link_to 'Datenschutzerklaerung', privacy_path %>.
+    </p>
+    <div class="cookie-actions">
+      <button type="button" data-action="reject-all" class="btn-secondary">
+        Nur Notwendige
+      </button>
+      <button type="button" data-action="accept-all" class="btn-primary">
+        Alle akzeptieren
+      </button>
+    </div>
+  </aside>
+  <script>
+    (() => {
+      const csrf = document.querySelector('meta[name="csrf-token"]')?.content;
+      const submit = (analytics, marketing) => {
+        fetch('<%= consent_path %>', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': csrf,
+            Accept: 'application/json'
+          },
+          body: JSON.stringify({ consent: { analytics, marketing } })
+        }).then(() => {
+          document.getElementById('cookie-banner').remove();
+          if (analytics) {
+            const s = document.createElement('script');
+            s.src = 'https://<placeholder-eu-analytics-host>/script.js';
+            s.async = true;
+            document.head.appendChild(s);
+          }
+        });
+      };
+      document.querySelector('[data-action="reject-all"]').onclick = () => submit(false, false);
+      document.querySelector('[data-action="accept-all"]').onclick = () => submit(true, true);
+    })();
+  </script>
+<% end %>
+```
+```erb
+<%# File: app/views/layouts/application.html.erb %>
+<!DOCTYPE html>
+<html lang="de">
+  <head>
+    <meta charset="utf-8">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+    <title><%= content_for?(:title) ? yield(:title) : '<placeholder-site-name>' %></title>
+    <%# Tracker NUR conditional %>
+    <% if analytics_consented? %>
+      <script src="https://<placeholder-eu-analytics-host>/script.js" async></script>
+    <% end %>
+  </head>
+  <body>
+    <%= yield %>
+    <%= render 'layouts/cookie_banner' %>
+  </body>
+</html>
+```
+## AVV / DPA
+- Hosting-Provider (Heroku EU / Fly.io / Render) — Art. 28 DSGVO
+- Datenbank (Postgres EU / RDS Frankfurt) — AVV
+- Analytics-Provider (Plausible EU / Matomo) — AVV
+- Mailer (SES EU / Postmark) — AVV
+## DSE-Wording-Vorlage
+```markdown
+### Cookies (Rails-Anwendung)
+Diese Webseite verwendet folgende Cookies:
+**Notwendige Cookies:**
+- `_<placeholder-app>_session` — Session-Verwaltung, Session-Dauer (signed/encrypted)
+- `_csrf_token` — CSRF-Schutz, Session-Dauer
+- `cookie_consent` — Speicherung Ihrer Einwilligung, 12 Monate (Klartext-JSON, damit JS lesen kann)
+**Analyse-Cookies (Opt-In, mit Einwilligung):**
+- gesetzt durch <placeholder-analytics-provider>
+- Speicherdauer: <placeholder-days> Tage
+- EU-Hosting: <placeholder-eu-country>
+**Rechtsgrundlage:** § 25 TDDDG i.V.m. Art. 6 Abs. 1 lit. a DSGVO
+(fuer Opt-In-Cookies) bzw. lit. f DSGVO (fuer notwendige Cookies).
+**Widerruf:** [Cookie-Einstellungen](#cookie-settings) im Footer.
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. Banner sichtbar bei Erstbesuch
+curl -sS https://<placeholder-domain>/ | grep -ic "cookie-banner"
+# 2. cookie_consent NICHT signed (JS-readable)
+curl -X POST https://<placeholder-domain>/consent \
+  -H "Content-Type: application/json" \
+  -H "X-CSRF-Token: <placeholder-csrf>" \
+  -d '{"consent":{"analytics":false,"marketing":false}}' -i \
+  | grep -i "set-cookie:.*cookie_consent"
+# Erwartung: JSON-String, NICHT base64-encrypted
+# 3. Tracker erst nach Consent
+curl -sS https://<placeholder-domain>/ | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: 0
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Atrue%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: >=1
+# 4. Security-Headers
+curl -sI https://<placeholder-domain>/ | grep -iE "x-content-type-options|referrer-policy"
+```
+## Cross-References
+- AEGIS-Scanner: `cookie-flags-checker.ts`, `consent-flow-checker.ts`, `csrf-config-checker.ts`
+- Skill-Reference: `references/dsgvo.md` § 25 TDDDG, Art. 7 DSGVO
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- OLG Koeln 6 U 80/23 (Button-Gleichwertigkeit)
+- Audit-Pattern: `references/audit-patterns.md` Phase 2 (Cookie-Audit)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/devise-dsgvo-pattern.md ADDED Viewed

@@ -0,0 +1,262 @@
+---
+license: MIT (snippet)
+provider: Ruby on Rails + Devise (Open-Source)
+last-checked: 2026-05-05
+purpose: Devise + § 26 BDSG-konforme User-Verwaltung mit Audit-Trail.
+---
+# Rails + Devise — DSGVO-Pattern
+## Trigger / Detection
+Repo enthaelt:
+- `gem 'devise'` in `Gemfile`
+- `app/models/user.rb` mit `devise :database_authenticatable, ...`
+- `config/initializers/devise.rb`
+- Migration mit `:lockable, :trackable, :timeoutable` Feldern
+- Optional: `gem 'pundit'` / `gem 'cancancan'` fuer Authorization
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Devise loggt `last_sign_in_ip`, `current_sign_in_ip` als Klartext → Art. 5 lit. f Verstoss
+- Default-Confirmable-Token-Lifetime ungesetzt → unbegrenzte Confirmation-Tokens
+- Failed-Login-Errors leaken User-Existence ("Email not found")
+- Default-Password-Length 6 Zeichen → zu schwach
+- `:rememberable` ohne Expiration → Permanent-Sessions
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| `last_sign_in_ip` Klartext | Art. 5 lit. f DSGVO | KRITISCH | Custom-Setter mit Hash |
+| User-Enumeration via Devise-Errors | Art. 32 DSGVO | HOCH | `paranoid: true` setzen |
+| Password-Length 6 | Art. 32 DSGVO | HOCH | `password_length: 12..128` |
+| Remember-Me unbegrenzt | Art. 32 DSGVO | MITTEL | `remember_for: 14.days` |
+| Audit-Log fuer Account-aenderungen fehlt | Art. 5 Abs. 2 | HOCH | `audited` Gem oder Custom |
+| `current_password`-Check fuer kritische Aktionen | Art. 32 DSGVO | HOCH | `before_action :require_recent_auth` |
+## Code-Pattern (sanitized)
+```ruby
+# File: config/initializers/devise.rb
+Devise.setup do |config|
+  config.mailer_sender = '<placeholder-noreply-email>'
+  config.password_length = 12..128
+  # Bestaetigungs-Token: 7 Tage, danach abgelaufen
+  config.confirm_within = 7.days
+  # Lockable: 5 Versuche, 30 Minuten Lock
+  config.maximum_attempts = 5
+  config.unlock_in = 30.minutes
+  config.unlock_strategy = :time
+  # Timeoutable: Auto-Logout nach 60 min Inaktivitaet
+  config.timeout_in = 60.minutes
+  # Rememberable: max. 14 Tage
+  config.remember_for = 14.days
+  config.expire_all_remember_me_on_sign_out = true
+  # paranoid: kein User-Enumeration via Reset-Password-Form
+  config.paranoid = true
+  # Argon2 / bcrypt-Cost auf >= 12
+  config.stretches = Rails.env.test? ? 1 : 12
+  # Reset-Password-Token: 6 Stunden
+  config.reset_password_within = 6.hours
+end
+```
+```ruby
+# File: app/models/user.rb
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable,
+         :confirmable, :lockable, :timeoutable, :trackable
+  has_many :user_audit_logs, dependent: :destroy
+  has_many :user_legal_acceptances, dependent: :destroy
+  validates :name, length: { maximum: 100 }, allow_blank: true
+  # Anonymisierungs-Felder ueberschreiben statt loeschen
+  def anonymize!
+    update!(
+      email: "deleted-#{id}@<placeholder-domain>",
+      name: 'GELOESCHT',
+      phone: nil,
+      last_sign_in_ip_hash: nil,
+      current_sign_in_ip_hash: nil,
+      sign_in_count: 0
+    )
+  end
+  # Hash IP statt Klartext (override Devise-Default)
+  def update_tracked_fields!(request)
+    super
+    self.current_sign_in_ip = nil  # explicit nil
+    self.last_sign_in_ip = nil
+    self.current_sign_in_ip_hash = ip_hash(request.remote_ip)
+    save(validate: false)
+  end
+  private
+  def ip_hash(ip)
+    return nil if ip.blank?
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    Digest::SHA256.hexdigest(ip + salt)[0...16]
+  end
+end
+```
+```ruby
+# File: db/migrate/2026_05_05_add_dsgvo_fields_to_users.rb
+class AddDsgvoFieldsToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :current_sign_in_ip_hash, :string, limit: 16
+    add_column :users, :last_sign_in_ip_hash, :string, limit: 16
+    add_column :users, :anonymized_at, :datetime
+    add_index :users, :anonymized_at
+    # Loesche Klartext-IP-Felder (oder lasse sie als deprecated)
+    # remove_column :users, :current_sign_in_ip, :inet  # vorsichtig!
+  end
+end
+```
+```ruby
+# File: app/models/user_audit_log.rb
+class UserAuditLog < ApplicationRecord
+  belongs_to :user
+  validates :action, presence: true, inclusion: {
+    in: %w[
+      sign_in sign_out registration confirmation password_change
+      email_change profile_update consent_change account_deletion
+    ]
+  }
+  before_destroy { raise 'Audit-Log ist append-only' }
+  def self.log!(user, action, ip:, user_agent:)
+    salt = Rails.application.credentials.dig(:ip_hash_salt) || ''
+    create!(
+      user: user,
+      action: action,
+      ip_hash: Digest::SHA256.hexdigest((ip || '') + salt)[0...16],
+      user_agent: (user_agent || '').first(200),
+      occurred_at: Time.current
+    )
+  end
+end
+```
+```ruby
+# File: app/controllers/users/sessions_controller.rb
+class Users::SessionsController < Devise::SessionsController
+  def create
+    super do |user|
+      UserAuditLog.log!(user, 'sign_in', ip: request.remote_ip, user_agent: request.user_agent)
+    end
+  end
+  def destroy
+    user = current_user
+    super do
+      UserAuditLog.log!(user, 'sign_out', ip: request.remote_ip, user_agent: request.user_agent) if user
+    end
+  end
+end
+```
+```ruby
+# File: app/controllers/concerns/recent_auth_concern.rb
+module RecentAuthConcern
+  extend ActiveSupport::Concern
+  RECENT_AUTH_WINDOW = 5.minutes
+  def require_recent_auth
+    return if recent_auth?
+    session[:return_to] = request.fullpath
+    redirect_to new_user_confirm_password_path,
+                alert: 'Bitte bestaetigen Sie Ihr Passwort erneut'
+  end
+  def recent_auth?
+    session[:recent_auth_at].present? &&
+      Time.zone.at(session[:recent_auth_at]) > RECENT_AUTH_WINDOW.ago
+  end
+end
+```
+## AVV / DPA
+- Datenbank (Postgres EU) — AVV mit IP-Hash-Garantie
+- Mailer (SES EU / Postmark / Mailgun EU) — AVV
+- Optional: SSO-Provider (Auth0 EU / Keycloak self-host) — AVV mit Drittland-TIA
+## DSE-Wording-Vorlage
+```markdown
+### Account-Anlage und Anmeldung
+Bei Registrierung und Anmeldung verarbeiten wir folgende Daten:
+- E-Mail-Adresse (Pflichtfeld, zur Identifizierung)
+- Name (optional)
+- Passwort (gespeichert als bcrypt-Hash mit Cost-Faktor 12)
+- Hash der IP-Adresse (zur Brute-Force-Erkennung; SHA-256 mit Salt, 16 Zeichen)
+- Anzahl Anmeldungen
+- Letzter Anmelde-Zeitpunkt
+- User-Agent (max. 200 Zeichen)
+**Audit-Log:** Wir protokollieren Anmeldungen, Passwort-aenderungen,
+Profil-aenderungen und Account-Loeschungen mit anonymisierter IP zur
+Sicherheits-Auswertung.
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. b DSGVO (Vertrag) +
+Art. 6 Abs. 1 lit. f DSGVO (Sicherheit).
+**Speicherdauer:**
+- Account: bis Loeschung (manuell oder via Inaktivitaets-Cleanup nach 2 Jahren)
+- Audit-Log: 90 Tage
+- Failed-Login-Counter: 30 Minuten (Lockout-Window)
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. paranoid-Mode aktiv (kein User-Enumeration)
+curl -X POST https://<placeholder-domain>/users/password \
+  -H "Content-Type: application/json" \
+  -d '{"user":{"email":"nonexistent@example.com"}}' -i
+# Erwartung: 200 mit "If your email exists..." (statt "Email not found")
+# 2. Account-Lockout nach 5 Versuchen
+for i in {1..6}; do
+  curl -X POST https://<placeholder-domain>/users/sign_in \
+    -d 'user[email]=<placeholder-user-email>&user[password]=wrong' -s -o /dev/null -w "%{http_code}\n"
+done
+# Erwartung: letzter Code zeigt Account-Lockout
+# 3. IP-Hash statt Klartext
+# DB-Query: SELECT current_sign_in_ip_hash, current_sign_in_ip FROM users WHERE id = '<test>';
+# Erwartung: ip_hash gefuellt, ip-Feld NULL/leer
+# 4. Password-Length-Enforcement
+curl -X POST https://<placeholder-domain>/users \
+  -d 'user[email]=test@test.com&user[password]=short' -i
+# Erwartung: 422 mit "Password is too short (minimum is 12 characters)"
+```
+## Cross-References
+- AEGIS-Scanner: `auth-flow-checker.ts`, `password-policy-checker.ts`, `audit-trail-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 32 (Sicherheit), Art. 5 lit. f (Vertraulichkeit)
+- BDSG: § 26 Abs. 8 (Beschaeftigtendaten — bei Mitarbeiter-Accounts)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 9 (Auth-Audit)