@aegis-scan/skills 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/ATTRIBUTION.md +93 -0
- package/package.json +1 -1
- package/sbom.cdx.json +1 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/.claude-plugin/plugin.json +108 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/CHANGELOG.md +878 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/HANDOVER-LO-LIVE-VERIFICATION-2026-05-15.md +187 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/README.md +9 -3
- package/skills/compliance/aegis-native/brutaler-anwalt/SKILL.md +93 -14
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/audit.md +193 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/avv-redline.md +246 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/az-verify.md +155 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/cold-start.md +157 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/dsar-respond.md +180 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/health.md +50 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/commands/simulate.md +158 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/hooks/post_write.py +315 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/hooks/prompt_submit.py +144 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/hooks/session_start.py +57 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/hooks/triggers.json +191 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/INDEX.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/abmahn-templates.md +1 -1
- package/skills/compliance/aegis-native/brutaler-anwalt/references/aegis-integration.md +60 -5
- package/skills/compliance/aegis-native/brutaler-anwalt/references/audit-patterns.md +745 -11
- package/skills/compliance/aegis-native/brutaler-anwalt/references/az-auffuellung-batch1.md +468 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/bgh-urteile.md +106 -30
- package/skills/compliance/aegis-native/brutaler-anwalt/references/branchenrecht.md +247 -2
- package/skills/compliance/aegis-native/brutaler-anwalt/references/checklisten.md +75 -2
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-aufsichtsbehoerden-taetigkeitsberichte-2024.md +310 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-bussgeld-argumentations-layer.md +598 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-dsk-beschluesse.md +346 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/AGG/audit-relevance.md +76 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/AGG/paragraphs.md +115 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/AMG/audit-relevance.md +58 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/AMG/paragraphs.md +95 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ArbZG/audit-relevance.md +60 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ArbZG/paragraphs.md +90 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/BetrVG/audit-relevance.md +73 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/BetrVG/paragraphs.md +114 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/DDG/audit-relevance.md +72 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/DDG/paragraphs.md +103 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/DiGAV/audit-relevance.md +65 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/DiGAV/paragraphs.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ElektroG/audit-relevance.md +66 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ElektroG/paragraphs.md +108 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/FernUSG/audit-relevance.md +80 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/FernUSG/paragraphs.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/GeschGehG/audit-relevance.md +89 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/GeschGehG/paragraphs.md +107 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/GwG/audit-relevance.md +62 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/GwG/paragraphs.md +119 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/HWG/audit-relevance.md +70 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/HWG/paragraphs.md +125 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/HinSchG/audit-relevance.md +70 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/HinSchG/paragraphs.md +116 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/INDEX.md +152 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/KWG/audit-relevance.md +64 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/KWG/paragraphs.md +110 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/LFGB/audit-relevance.md +63 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/LFGB/paragraphs.md +90 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/MPDG/audit-relevance.md +61 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/MPDG/paragraphs.md +96 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/NachwG/audit-relevance.md +54 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/NachwG/paragraphs.md +82 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/PAngV/audit-relevance.md +76 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/PAngV/paragraphs.md +86 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/RDG/audit-relevance.md +84 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/RDG/paragraphs.md +114 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/TDDDG/audit-relevance.md +92 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/TDDDG/paragraphs.md +91 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/UrhG-UrhDaG/audit-relevance.md +85 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/UrhG-UrhDaG/paragraphs.md +166 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VDuG/audit-relevance.md +71 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VDuG/paragraphs.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VERIFICATION-NOTES.md +111 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VVG/audit-relevance.md +65 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VVG/paragraphs.md +101 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VerpackG/audit-relevance.md +62 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/VerpackG/paragraphs.md +120 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/WpHG/audit-relevance.md +64 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/WpHG/paragraphs.md +120 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ZAG/audit-relevance.md +68 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/de-statute-tier1/ZAG/paragraphs.md +110 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/dsgvo.md +55 -8
- package/skills/compliance/aegis-native/brutaler-anwalt/references/eu-edpb-guidelines.md +505 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/eu-eugh-dsgvo-schadensersatz.md +223 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/BDSG/audit-relevance.md +31 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/BFSG/audit-relevance.md +39 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/BGB/audit-relevance.md +42 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/DDG/audit-relevance.md +28 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/DSGVO/audit-relevance.md +35 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/articles.md +4 -1
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/audit-relevance.md +139 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/gpai-pflichten.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/hochrisiko-annex-iii.md +134 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/sanktionen-art-99.md +97 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/transparenz-art-50.md +120 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/AI-Act-2024-1689/uebergangsfristen.md +109 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/CER-2022-2557/articles.md +42 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/CRA-2024-2847/articles.md +87 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/CSDDD-2024-1760/articles.md +43 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/CSRD-2022-2464/articles.md +42 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DGA-2022-868/articles.md +53 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DMA-2022-1925/articles.md +55 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DORA-2022-2554/articles.md +164 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DORA-2022-2554/audit-relevance.md +86 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/articles.md +3 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/audit-relevance.md +110 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/notice-and-action.md +138 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/small-platform-pflichten.md +109 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/trusted-flaggers.md +77 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/DSA-2022-2065/vlop-vlose.md +130 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/Data-Act-2023-2854/articles.md +102 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/Data-Act-2023-2854/audit-relevance.md +77 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/MiCA-2023-1114/articles.md +124 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/MiCA-2023-1114/audit-relevance.md +85 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/NIS2-2022-2555/articles.md +101 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/ProdHaftRL-2024-2853/articles.md +68 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/EU-Verordnungen/eIDAS-2024-1183/articles.md +43 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/Finance/KWG.md +52 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/Finance/PSD2.md +67 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/Finance/ZAG.md +50 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/GlueStV/articles.md +86 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/HGB-AO/audit-relevance.md +27 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/HinSchG/articles.md +96 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/JuSchG-JMStV/articles.md +86 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/KritisDachG/articles.md +39 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/LkSG/articles.md +90 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/MedTech/DiGAV.md +60 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/MedTech/IVDR-2017-746.md +51 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/MedTech/MDR-2017-745.md +85 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/NIS2UmsuCG-BSIG/articles.md +53 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/StGB/relevante-paragraphen.md +157 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/TDDDG/audit-relevance.md +33 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/TDDDG/paragraphs.md +3 -2
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/TKG/articles.md +73 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/UWG/audit-relevance.md +39 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/UWG/paragraphs.md +71 -3
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/VERIFICATION-STATUS.md +266 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/VSBG/audit-relevance.md +37 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/ePrivacy-RL-2002-58/articles.md +92 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/gesetze/ePrivacy-RL-2002-58/audit-relevance.md +62 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/it-recht.md +115 -9
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/INDEX.md +1 -1
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/ai/anthropic-dpa.md +87 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/astro/cookie-banner-pattern.md +202 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/astro/dse-section-pattern.md +198 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/astro/tracking-server-endpoint.md +193 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/auth/auth0-tom.md +92 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/auth/clerk-tom.md +84 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/auth-cookies-pattern.md +295 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/cookie-banner-pattern.md +318 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/gdpr-cleanup-celery.md +339 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/cookie-banner-pattern.md +237 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/gdpr-routes-pattern.md +256 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/helmet-csp-pattern.md +207 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/laravel/agb-versioning-pattern.md +305 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/laravel/cookie-banner-pattern.md +287 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/laravel/gdpr-models-pattern.md +290 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/laravel/tracking-config-pattern.md +263 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/auth-pattern.md +265 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/cookie-banner-pattern.md +255 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/gdpr-cleanup-cron.md +244 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nest/tracking-interceptor.md +239 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/api-route-bearer-auth.md +103 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/dynamic-rendering-headers.md +83 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/nextjs/env-driven-tracking.md +135 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/cookie-banner-pattern.md +294 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/devise-dsgvo-pattern.md +262 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/rails/gdpr-anonymization-pattern.md +283 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/react/consent-gate-pattern.md +99 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/react/cookie-banner-pattern.md +204 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/strapi/cms-pii-pattern.md +301 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/strapi/notice-and-action-plugin.md +371 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/svelte/cookie-banner-pattern.md +234 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/svelte/dse-section-pattern.md +231 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/svelte/sveltekit-server-hooks-pattern.md +217 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/tracking/google-analytics-consent.md +129 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/tracking/posthog-consent.md +79 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/vue/cookie-banner-pattern.md +208 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/vue/dse-i18n-pattern.md +204 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/vue/nuxt-vs-vue-only-pattern.md +197 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/vue/tracking-pinia-pattern.md +211 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/strafrecht-steuer.md +1 -1
- package/skills/compliance/aegis-native/brutaler-anwalt/references/streitwerte.json +176 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates/DSFA-template.md +80 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates/VVT-template-file-upload.md +98 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-EN-international.md +267 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-Audit-Klausel-Varianten.md +148 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-CH-revDSG.md +127 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-SCC-module2-controller-processor.md +180 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-SCC-module3-processor-subprocessor.md +144 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-Sub-Processor-List.md +114 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-TOMs.md +197 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-anhang-UK-IDTA.md +131 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/AVV-standard-DE.md +288 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/references/templates-avv-layer/Joint-Controller-Vertrag-Art-26.md +265 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/scripts/health-check.sh +190 -48
- package/skills/compliance/aegis-native/brutaler-anwalt/scripts/test-triggers.sh +145 -0
- package/skills/compliance/aegis-native/brutaler-anwalt/settings.json +90 -0
- package/skills/defensive/permoon-fork/README.md +40 -0
- package/skills/defensive/permoon-fork/multi-model-consolidation/SKILL.md +47 -0
- package/skills/defensive/permoon-fork/multi-model-severity/SKILL.md +34 -0
- package/skills/defensive/permoon-fork/multi-model-system-prompt/SKILL.md +40 -0
- package/skills/foundation/aegis-native/aegis-handover-writer/SKILL.md +1 -1
- package/skills/foundation/aegis-native/aegis-quality-gates/SKILL.md +1 -1
- package/skills/offensive/airecon-fork/ctf-crypto/SKILL.md +260 -0
- package/skills/offensive/airecon-fork/ctf-crypto-modern-ciphers/SKILL.md +688 -0
- package/skills/offensive/airecon-fork/ctf-forensics/SKILL.md +253 -0
- package/skills/offensive/airecon-fork/ctf-forensics-network/SKILL.md +480 -0
- package/skills/offensive/airecon-fork/ctf-heap-advanced/SKILL.md +336 -0
- package/skills/offensive/airecon-fork/ctf-pwn/SKILL.md +294 -0
- package/skills/offensive/airecon-fork/ctf-pwn-rop-and-shellcode/SKILL.md +392 -0
- package/skills/offensive/airecon-fork/ctf-reversing/SKILL.md +284 -0
- package/skills/offensive/airecon-fork/frameworks-django/SKILL.md +268 -0
- package/skills/offensive/airecon-fork/frameworks-dotnet/SKILL.md +280 -0
- package/skills/offensive/airecon-fork/frameworks-express/SKILL.md +266 -0
- package/skills/offensive/airecon-fork/frameworks-fastapi/SKILL.md +193 -0
- package/skills/offensive/airecon-fork/frameworks-flask/SKILL.md +297 -0
- package/skills/offensive/airecon-fork/frameworks-laravel/SKILL.md +260 -0
- package/skills/offensive/airecon-fork/frameworks-nextjs/SKILL.md +230 -0
- package/skills/offensive/airecon-fork/frameworks-php/SKILL.md +271 -0
- package/skills/offensive/airecon-fork/frameworks-rails/SKILL.md +269 -0
- package/skills/offensive/airecon-fork/frameworks-spring/SKILL.md +245 -0
- package/skills/offensive/airecon-fork/frameworks-wordpress/SKILL.md +348 -0
- package/skills/offensive/airecon-fork/payloads-command-injection/SKILL.md +459 -0
- package/skills/offensive/airecon-fork/payloads-http-parameter-pollution/SKILL.md +129 -0
- package/skills/offensive/airecon-fork/payloads-ldap-injection/SKILL.md +100 -0
- package/skills/offensive/airecon-fork/payloads-lfi/SKILL.md +485 -0
- package/skills/offensive/airecon-fork/payloads-sqli/SKILL.md +419 -0
- package/skills/offensive/airecon-fork/payloads-ssrf/SKILL.md +125 -0
- package/skills/offensive/airecon-fork/payloads-ssti/SKILL.md +443 -0
- package/skills/offensive/airecon-fork/payloads-xss/SKILL.md +447 -0
- package/skills/offensive/airecon-fork/payloads-xxe/SKILL.md +172 -0
- package/skills/offensive/airecon-fork/postexploit-ad-credential-attacks/SKILL.md +306 -0
- package/skills/offensive/airecon-fork/postexploit-container-escape/SKILL.md +299 -0
- package/skills/offensive/airecon-fork/postexploit-credential-dumping/SKILL.md +249 -0
- package/skills/offensive/airecon-fork/postexploit-lateral-movement/SKILL.md +194 -0
- package/skills/offensive/airecon-fork/postexploit-linux-privesc/SKILL.md +252 -0
- package/skills/offensive/airecon-fork/postexploit-netexec-workflow/SKILL.md +302 -0
- package/skills/offensive/airecon-fork/postexploit-pivoting/SKILL.md +205 -0
- package/skills/offensive/airecon-fork/postexploit-windows-privesc/SKILL.md +210 -0
- package/skills/offensive/airecon-fork/protocols-active-directory/SKILL.md +314 -0
- package/skills/offensive/airecon-fork/protocols-dns/SKILL.md +203 -0
- package/skills/offensive/airecon-fork/protocols-ftp/SKILL.md +159 -0
- package/skills/offensive/airecon-fork/protocols-graphql/SKILL.md +648 -0
- package/skills/offensive/airecon-fork/protocols-kerberos/SKILL.md +168 -0
- package/skills/offensive/airecon-fork/protocols-ldap/SKILL.md +245 -0
- package/skills/offensive/airecon-fork/protocols-rdp/SKILL.md +186 -0
- package/skills/offensive/airecon-fork/protocols-smb/SKILL.md +191 -0
- package/skills/offensive/airecon-fork/protocols-smtp-imap/SKILL.md +263 -0
- package/skills/offensive/airecon-fork/protocols-snmp/SKILL.md +147 -0
- package/skills/offensive/airecon-fork/protocols-ssh/SKILL.md +287 -0
- package/skills/offensive/airecon-fork/reconnaissance-asn-whois-osint/SKILL.md +236 -0
- package/skills/offensive/airecon-fork/reconnaissance-ctf-methodology/SKILL.md +435 -0
- package/skills/offensive/airecon-fork/reconnaissance-dorking/SKILL.md +182 -0
- package/skills/offensive/airecon-fork/reconnaissance-exposed-devtools-detection/SKILL.md +513 -0
- package/skills/offensive/airecon-fork/reconnaissance-full-recon/SKILL.md +305 -0
- package/skills/offensive/airecon-fork/reconnaissance-internal-pentest/SKILL.md +202 -0
- package/skills/offensive/airecon-fork/reconnaissance-javascript-analysis/SKILL.md +167 -0
- package/skills/offensive/airecon-fork/reconnaissance-js-internal-hostname-intelligence/SKILL.md +391 -0
- package/skills/offensive/airecon-fork/reconnaissance-monitoring-secrets-exposure/SKILL.md +394 -0
- package/skills/offensive/airecon-fork/reconnaissance-shodan-censys/SKILL.md +279 -0
- package/skills/offensive/airecon-fork/reconnaissance-subdomain-enum/SKILL.md +952 -0
- package/skills/offensive/airecon-fork/technologies-cicd-attacks/SKILL.md +283 -0
- package/skills/offensive/airecon-fork/technologies-cloud-security/SKILL.md +299 -0
- package/skills/offensive/airecon-fork/technologies-docker-container/SKILL.md +266 -0
- package/skills/offensive/airecon-fork/technologies-elasticsearch/SKILL.md +226 -0
- package/skills/offensive/airecon-fork/technologies-firebase-firestore/SKILL.md +213 -0
- package/skills/offensive/airecon-fork/technologies-frida-hooking/SKILL.md +387 -0
- package/skills/offensive/airecon-fork/technologies-gitlab-github/SKILL.md +259 -0
- package/skills/offensive/airecon-fork/technologies-jenkins/SKILL.md +256 -0
- package/skills/offensive/airecon-fork/technologies-kubernetes-pentest/SKILL.md +281 -0
- package/skills/offensive/airecon-fork/technologies-memcached/SKILL.md +230 -0
- package/skills/offensive/airecon-fork/technologies-mobile-app-pentesting/SKILL.md +105 -0
- package/skills/offensive/airecon-fork/technologies-mongodb/SKILL.md +257 -0
- package/skills/offensive/airecon-fork/technologies-nginx-apache/SKILL.md +280 -0
- package/skills/offensive/airecon-fork/technologies-observability-stack-attacks/SKILL.md +501 -0
- package/skills/offensive/airecon-fork/technologies-redis/SKILL.md +236 -0
- package/skills/offensive/airecon-fork/technologies-supabase/SKILL.md +270 -0
- package/skills/offensive/airecon-fork/technologies-tomcat/SKILL.md +232 -0
- package/skills/offensive/airecon-fork/tools-advanced-fuzzing/SKILL.md +351 -0
- package/skills/offensive/airecon-fork/tools-browser-automation/SKILL.md +300 -0
- package/skills/offensive/airecon-fork/tools-caido/SKILL.md +776 -0
- package/skills/offensive/airecon-fork/tools-code-review/SKILL.md +71 -0
- package/skills/offensive/airecon-fork/tools-dalfox/SKILL.md +189 -0
- package/skills/offensive/airecon-fork/tools-hashcat-john/SKILL.md +258 -0
- package/skills/offensive/airecon-fork/tools-impacket/SKILL.md +227 -0
- package/skills/offensive/airecon-fork/tools-install/SKILL.md +202 -0
- package/skills/offensive/airecon-fork/tools-metasploit/SKILL.md +270 -0
- package/skills/offensive/airecon-fork/tools-nmap/SKILL.md +211 -0
- package/skills/offensive/airecon-fork/tools-nuclei/SKILL.md +175 -0
- package/skills/offensive/airecon-fork/tools-reporting/SKILL.md +47 -0
- package/skills/offensive/airecon-fork/tools-scripting/SKILL.md +1939 -0
- package/skills/offensive/airecon-fork/tools-semgrep/SKILL.md +202 -0
- package/skills/offensive/airecon-fork/tools-source-audit/SKILL.md +308 -0
- package/skills/offensive/airecon-fork/tools-sqlmap/SKILL.md +137 -0
- package/skills/offensive/airecon-fork/tools-tool-catalog/SKILL.md +320 -0
- package/skills/offensive/airecon-fork/tools-wapiti/SKILL.md +293 -0
- package/skills/offensive/airecon-fork/vulnerabilities-2fa-bypass/SKILL.md +219 -0
- package/skills/offensive/airecon-fork/vulnerabilities-account-takeover/SKILL.md +223 -0
- package/skills/offensive/airecon-fork/vulnerabilities-api-schema-exposure/SKILL.md +849 -0
- package/skills/offensive/airecon-fork/vulnerabilities-api-testing/SKILL.md +278 -0
- package/skills/offensive/airecon-fork/vulnerabilities-auth-workflow/SKILL.md +252 -0
- package/skills/offensive/airecon-fork/vulnerabilities-authentication-jwt/SKILL.md +158 -0
- package/skills/offensive/airecon-fork/vulnerabilities-bfla/SKILL.md +156 -0
- package/skills/offensive/airecon-fork/vulnerabilities-blind-xss/SKILL.md +111 -0
- package/skills/offensive/airecon-fork/vulnerabilities-business-logic/SKILL.md +313 -0
- package/skills/offensive/airecon-fork/vulnerabilities-cors/SKILL.md +242 -0
- package/skills/offensive/airecon-fork/vulnerabilities-crlf-injection/SKILL.md +146 -0
- package/skills/offensive/airecon-fork/vulnerabilities-csrf/SKILL.md +200 -0
- package/skills/offensive/airecon-fork/vulnerabilities-csrf-advanced-bypass/SKILL.md +536 -0
- package/skills/offensive/airecon-fork/vulnerabilities-deserialization/SKILL.md +363 -0
- package/skills/offensive/airecon-fork/vulnerabilities-dom-based-vulnerabilities/SKILL.md +105 -0
- package/skills/offensive/airecon-fork/vulnerabilities-exploitation/SKILL.md +286 -0
- package/skills/offensive/airecon-fork/vulnerabilities-grpc/SKILL.md +123 -0
- package/skills/offensive/airecon-fork/vulnerabilities-host-header-injection/SKILL.md +169 -0
- package/skills/offensive/airecon-fork/vulnerabilities-http-smuggling/SKILL.md +411 -0
- package/skills/offensive/airecon-fork/vulnerabilities-idor/SKILL.md +705 -0
- package/skills/offensive/airecon-fork/vulnerabilities-information-disclosure/SKILL.md +867 -0
- package/skills/offensive/airecon-fork/vulnerabilities-insecure-file-uploads/SKILL.md +190 -0
- package/skills/offensive/airecon-fork/vulnerabilities-jwt-attacks/SKILL.md +270 -0
- package/skills/offensive/airecon-fork/vulnerabilities-kubernetes/SKILL.md +252 -0
- package/skills/offensive/airecon-fork/vulnerabilities-mass-assignment/SKILL.md +788 -0
- package/skills/offensive/airecon-fork/vulnerabilities-nosql-injection/SKILL.md +204 -0
- package/skills/offensive/airecon-fork/vulnerabilities-oauth-misconfig/SKILL.md +220 -0
- package/skills/offensive/airecon-fork/vulnerabilities-oauth-saml/SKILL.md +163 -0
- package/skills/offensive/airecon-fork/vulnerabilities-open-redirect/SKILL.md +167 -0
- package/skills/offensive/airecon-fork/vulnerabilities-password-reset-poisoning/SKILL.md +66 -0
- package/skills/offensive/airecon-fork/vulnerabilities-path-traversal/SKILL.md +192 -0
- package/skills/offensive/airecon-fork/vulnerabilities-privilege-escalation/SKILL.md +320 -0
- package/skills/offensive/airecon-fork/vulnerabilities-prototype-pollution/SKILL.md +242 -0
- package/skills/offensive/airecon-fork/vulnerabilities-race-conditions/SKILL.md +192 -0
- package/skills/offensive/airecon-fork/vulnerabilities-rce/SKILL.md +240 -0
- package/skills/offensive/airecon-fork/vulnerabilities-sensitive-file-pii-exposure/SKILL.md +589 -0
- package/skills/offensive/airecon-fork/vulnerabilities-spring4shell/SKILL.md +86 -0
- package/skills/offensive/airecon-fork/vulnerabilities-sql-injection/SKILL.md +313 -0
- package/skills/offensive/airecon-fork/vulnerabilities-ssrf/SKILL.md +183 -0
- package/skills/offensive/airecon-fork/vulnerabilities-ssti/SKILL.md +344 -0
- package/skills/offensive/airecon-fork/vulnerabilities-subdomain-takeover/SKILL.md +160 -0
- package/skills/offensive/airecon-fork/vulnerabilities-supply-chain/SKILL.md +125 -0
- package/skills/offensive/airecon-fork/vulnerabilities-unhandled-exception-differential/SKILL.md +742 -0
- package/skills/offensive/airecon-fork/vulnerabilities-waf-detection/SKILL.md +90 -0
- package/skills/offensive/airecon-fork/vulnerabilities-web-cache-poisoning/SKILL.md +233 -0
- package/skills/offensive/airecon-fork/vulnerabilities-websocket/SKILL.md +180 -0
- package/skills/offensive/airecon-fork/vulnerabilities-xss/SKILL.md +316 -0
- package/skills/offensive/airecon-fork/vulnerabilities-xxe/SKILL.md +222 -0
|
@@ -0,0 +1,301 @@
|
|
|
1
|
+
---
|
|
2
|
+
license: MIT (snippet)
|
|
3
|
+
provider: Strapi v4 / v5 (Open-Source)
|
|
4
|
+
last-checked: 2026-05-05
|
|
5
|
+
purpose: Strapi User-Submission Lifecycle-Hook Pattern fuer PII-Filtering + Robots-Meta + DSE-Erinnerung.
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Strapi — CMS-PII Pattern
|
|
9
|
+
|
|
10
|
+
## Trigger / Detection
|
|
11
|
+
|
|
12
|
+
Repo enthaelt:
|
|
13
|
+
- `@strapi/strapi` in `package.json`
|
|
14
|
+
- `src/api/*/content-types/` Schema-Files
|
|
15
|
+
- `src/api/*/controllers/*.js` / `services/*.js` / `routes/*.js`
|
|
16
|
+
- Optional: `src/api/*/lifecycles.js` Hook-Files
|
|
17
|
+
- Optional: `config/admin.js`, `config/server.js`
|
|
18
|
+
|
|
19
|
+
Pattern: Strapi haelt User-generated-Content (Comments, Submissions, Form-Eintraege). Lifecycle-Hooks koennen PII-Felder filtern, Crawler-Indexing verhindern, DSE-Verweise erzwingen.
|
|
20
|
+
|
|
21
|
+
## Default-Verhalten (was passiert ohne Konfiguration)
|
|
22
|
+
|
|
23
|
+
- Strapi-Admin-Panel laed Tracker-Pixel von `<placeholder-strapi-marketplace-host>` → DSGVO-Verstoss bei aktivierten Telemetry-Settings
|
|
24
|
+
- User-Submissions speichern alles was im Schema definiert ist — keine Auto-PII-Filterung
|
|
25
|
+
- Keine `robots: noindex` auf User-Content-Pages → Suchmaschinen indizieren PII
|
|
26
|
+
- Webhooks senden Klartext-Daten an externe Endpoints
|
|
27
|
+
- Default-Server-Logs enthalten Klartext-IP
|
|
28
|
+
|
|
29
|
+
## Compliance-Risiken
|
|
30
|
+
|
|
31
|
+
| Risiko | Norm | Severity | Fix |
|
|
32
|
+
|---|---|---|---|
|
|
33
|
+
| Strapi-Telemetry leakt Repo-Metadata an Drittland | Art. 44 DSGVO | KRITISCH | `telemetryDisabled: true` in `config/server.js` |
|
|
34
|
+
| User-Submission ohne PII-Filter | Art. 5 lit. c DSGVO | HOCH | Lifecycle-Hook `beforeCreate` |
|
|
35
|
+
| Robots-Meta fehlt fuer User-Content | Art. 5 lit. f DSGVO | HOCH | `noindex,nofollow` in CMS-Frontend |
|
|
36
|
+
| Webhook mit Klartext-PII | Art. 5 lit. f | HOCH | Webhook-Payload-Filter im Hook |
|
|
37
|
+
| Admin-Panel ueber HTTP zugaenglich | Art. 32 DSGVO | KRITISCH | `admin.url` mit HTTPS + IP-Allowlist |
|
|
38
|
+
| Default-Email-Templates mit Brand-Tracker | § 25 TDDDG | MITTEL | Custom Templates |
|
|
39
|
+
|
|
40
|
+
## Code-Pattern (sanitized)
|
|
41
|
+
|
|
42
|
+
```javascript
|
|
43
|
+
// File: config/server.js
|
|
44
|
+
module.exports = ({ env }) => ({
|
|
45
|
+
host: env('HOST', '0.0.0.0'),
|
|
46
|
+
port: env.int('PORT', 1337),
|
|
47
|
+
app: {
|
|
48
|
+
keys: env.array('APP_KEYS'),
|
|
49
|
+
},
|
|
50
|
+
webhooks: {
|
|
51
|
+
populateRelations: env.bool('WEBHOOKS_POPULATE_RELATIONS', false),
|
|
52
|
+
},
|
|
53
|
+
// KRITISCH: Strapi-Telemetry deaktivieren
|
|
54
|
+
telemetryDisabled: true,
|
|
55
|
+
});
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
```javascript
|
|
59
|
+
// File: config/admin.js
|
|
60
|
+
module.exports = ({ env }) => ({
|
|
61
|
+
auth: {
|
|
62
|
+
secret: env('ADMIN_JWT_SECRET'),
|
|
63
|
+
},
|
|
64
|
+
apiToken: {
|
|
65
|
+
salt: env('API_TOKEN_SALT'),
|
|
66
|
+
},
|
|
67
|
+
transfer: {
|
|
68
|
+
token: {
|
|
69
|
+
salt: env('TRANSFER_TOKEN_SALT'),
|
|
70
|
+
},
|
|
71
|
+
},
|
|
72
|
+
flags: {
|
|
73
|
+
nps: false, // Net-Promoter-Score-Tracker AUS
|
|
74
|
+
promoteEE: false, // Marketing-Promo AUS
|
|
75
|
+
},
|
|
76
|
+
});
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
```javascript
|
|
80
|
+
// File: src/api/comment/content-types/comment/schema.json
|
|
81
|
+
{
|
|
82
|
+
"kind": "collectionType",
|
|
83
|
+
"collectionName": "comments",
|
|
84
|
+
"info": {
|
|
85
|
+
"singularName": "comment",
|
|
86
|
+
"pluralName": "comments",
|
|
87
|
+
"displayName": "Comment"
|
|
88
|
+
},
|
|
89
|
+
"options": {
|
|
90
|
+
"draftAndPublish": true
|
|
91
|
+
},
|
|
92
|
+
"attributes": {
|
|
93
|
+
"body": {
|
|
94
|
+
"type": "text",
|
|
95
|
+
"required": true,
|
|
96
|
+
"maxLength": 5000
|
|
97
|
+
},
|
|
98
|
+
"authorName": {
|
|
99
|
+
"type": "string",
|
|
100
|
+
"maxLength": 100
|
|
101
|
+
},
|
|
102
|
+
"authorEmail": {
|
|
103
|
+
"type": "email",
|
|
104
|
+
"private": true
|
|
105
|
+
},
|
|
106
|
+
"ipHash": {
|
|
107
|
+
"type": "string",
|
|
108
|
+
"maxLength": 16,
|
|
109
|
+
"private": true
|
|
110
|
+
},
|
|
111
|
+
"consentVersion": {
|
|
112
|
+
"type": "string",
|
|
113
|
+
"maxLength": 16
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
```javascript
|
|
120
|
+
// File: src/api/comment/content-types/comment/lifecycles.js
|
|
121
|
+
const crypto = require('crypto');
|
|
122
|
+
|
|
123
|
+
const PII_FIELDS = ['authorEmail', 'ipHash'];
|
|
124
|
+
const FORBIDDEN_PATTERNS = [
|
|
125
|
+
/[\w.+-]+@[\w-]+\.[\w-]+/g, // Email-Pattern im body
|
|
126
|
+
/\bDE\d{2}[\d\s]{18,22}\b/g, // IBAN
|
|
127
|
+
/\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g, // Credit-Card
|
|
128
|
+
];
|
|
129
|
+
|
|
130
|
+
module.exports = {
|
|
131
|
+
async beforeCreate(event) {
|
|
132
|
+
const { data, params } = event;
|
|
133
|
+
|
|
134
|
+
// 1. PII im Body herausfiltern
|
|
135
|
+
if (typeof data.body === 'string') {
|
|
136
|
+
for (const pattern of FORBIDDEN_PATTERNS) {
|
|
137
|
+
data.body = data.body.replace(pattern, '[REDACTED]');
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
// 2. IP-Hash setzen (statt Klartext)
|
|
142
|
+
const requestState = strapi.requestContext.get();
|
|
143
|
+
const ip = requestState?.request?.ip
|
|
144
|
+
?? requestState?.request?.header?.['x-forwarded-for']?.split(',')[0]
|
|
145
|
+
?? '';
|
|
146
|
+
|
|
147
|
+
const salt = strapi.config.get('server.ipHashSalt', '');
|
|
148
|
+
data.ipHash = crypto
|
|
149
|
+
.createHash('sha256')
|
|
150
|
+
.update(`${ip}${salt}`)
|
|
151
|
+
.digest('hex')
|
|
152
|
+
.slice(0, 16);
|
|
153
|
+
|
|
154
|
+
// 3. Consent-Pflicht: erfordere consentVersion
|
|
155
|
+
if (!data.consentVersion) {
|
|
156
|
+
throw new Error('Consent-Version Pflicht — User muss DSE bestaetigt haben');
|
|
157
|
+
}
|
|
158
|
+
},
|
|
159
|
+
|
|
160
|
+
async beforeUpdate(event) {
|
|
161
|
+
// PII-Felder duerfen nicht via Public-API ge-updated werden
|
|
162
|
+
const { data } = event;
|
|
163
|
+
for (const field of PII_FIELDS) {
|
|
164
|
+
if (field in data) {
|
|
165
|
+
delete data[field];
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
},
|
|
169
|
+
|
|
170
|
+
async afterDelete(event) {
|
|
171
|
+
// Cascade auf abhaengige Records (Mentions, Replies)
|
|
172
|
+
const { result } = event;
|
|
173
|
+
await strapi.db.query('api::reply.reply').deleteMany({
|
|
174
|
+
where: { parentComment: result.id },
|
|
175
|
+
});
|
|
176
|
+
},
|
|
177
|
+
};
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
```javascript
|
|
181
|
+
// File: src/api/comment/controllers/comment.js
|
|
182
|
+
'use strict';
|
|
183
|
+
|
|
184
|
+
const { createCoreController } = require('@strapi/strapi').factories;
|
|
185
|
+
|
|
186
|
+
module.exports = createCoreController('api::comment.comment', ({ strapi }) => ({
|
|
187
|
+
async findOne(ctx) {
|
|
188
|
+
const { id } = ctx.params;
|
|
189
|
+
const entity = await strapi.entityService.findOne('api::comment.comment', id, {
|
|
190
|
+
// Niemals authorEmail / ipHash in API-Response
|
|
191
|
+
fields: ['body', 'authorName', 'createdAt', 'consentVersion'],
|
|
192
|
+
});
|
|
193
|
+
|
|
194
|
+
if (!entity) {
|
|
195
|
+
return ctx.notFound();
|
|
196
|
+
}
|
|
197
|
+
|
|
198
|
+
// Robots-Meta-Header fuer User-Content-Page
|
|
199
|
+
ctx.set('X-Robots-Tag', 'noindex, nofollow');
|
|
200
|
+
|
|
201
|
+
return { data: entity };
|
|
202
|
+
},
|
|
203
|
+
}));
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
```javascript
|
|
207
|
+
// File: src/middlewares/robots-noindex.js
|
|
208
|
+
module.exports = (config, { strapi }) => {
|
|
209
|
+
return async (ctx, next) => {
|
|
210
|
+
await next();
|
|
211
|
+
|
|
212
|
+
// User-generated-Content-Routes: kein Indexing
|
|
213
|
+
if (ctx.request.url.startsWith('/api/comments/')
|
|
214
|
+
|| ctx.request.url.startsWith('/api/submissions/')) {
|
|
215
|
+
ctx.set('X-Robots-Tag', 'noindex, nofollow');
|
|
216
|
+
}
|
|
217
|
+
};
|
|
218
|
+
};
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
```javascript
|
|
222
|
+
// File: config/middlewares.js
|
|
223
|
+
module.exports = [
|
|
224
|
+
'strapi::errors',
|
|
225
|
+
'strapi::security',
|
|
226
|
+
'strapi::cors',
|
|
227
|
+
'strapi::poweredBy', // Sicherstellen: poweredBy=false (siehe unten)
|
|
228
|
+
'strapi::logger',
|
|
229
|
+
'strapi::query',
|
|
230
|
+
'strapi::body',
|
|
231
|
+
'strapi::session',
|
|
232
|
+
'strapi::favicon',
|
|
233
|
+
'strapi::public',
|
|
234
|
+
{ resolve: './src/middlewares/robots-noindex' },
|
|
235
|
+
];
|
|
236
|
+
```
|
|
237
|
+
|
|
238
|
+
## AVV / DPA
|
|
239
|
+
|
|
240
|
+
- Strapi-Hosting (self-host EU / Strapi Cloud EU) — Art. 28 DSGVO
|
|
241
|
+
- Datenbank (Postgres EU / SQLite local) — AVV
|
|
242
|
+
- Media-Storage (S3 EU / Cloudinary EU) — AVV
|
|
243
|
+
- Webhook-Empfaenger — pro externes System AVV
|
|
244
|
+
- Telemetry MUSS aus sein (siehe `config/server.js`)
|
|
245
|
+
|
|
246
|
+
## DSE-Wording-Vorlage
|
|
247
|
+
|
|
248
|
+
```markdown
|
|
249
|
+
### User-generierter Content (Kommentare, Formulare)
|
|
250
|
+
|
|
251
|
+
Wenn Sie auf unserer Webseite Inhalte einreichen (z.B. Kommentare, Formulare),
|
|
252
|
+
verarbeiten wir folgende Daten:
|
|
253
|
+
|
|
254
|
+
| Feld | Verarbeitung | Speicherung |
|
|
255
|
+
|---|---|---|
|
|
256
|
+
| Inhalt (Body) | PII automatisch entfernt (E-Mail/IBAN/CC-Patterns redacted) | Bis Loeschung |
|
|
257
|
+
| Name (optional) | wird mit Inhalt veroeffentlicht | Bis Loeschung |
|
|
258
|
+
| E-Mail | nur intern (private), nicht oeffentlich | Bis Loeschung |
|
|
259
|
+
| IP-Hash | SHA-256 mit Salt, gekuerzt (Spam-Schutz) | 90 Tage |
|
|
260
|
+
|
|
261
|
+
**Veroeffentlichung:** Inhalte werden mit `noindex,nofollow` markiert,
|
|
262
|
+
sodass Suchmaschinen sie nicht indizieren.
|
|
263
|
+
|
|
264
|
+
**Rechtsgrundlage:** Art. 6 Abs. 1 lit. b DSGVO (Vertrag) +
|
|
265
|
+
Art. 6 Abs. 1 lit. f DSGVO (Spam-Schutz).
|
|
266
|
+
**Loeschung:** auf Anfrage via [Account-Dashboard](#account) oder
|
|
267
|
+
E-Mail an <placeholder-email>.
|
|
268
|
+
```
|
|
269
|
+
|
|
270
|
+
## Verify-Commands (Live-Probe)
|
|
271
|
+
|
|
272
|
+
```bash
|
|
273
|
+
# 1. Telemetry deaktiviert
|
|
274
|
+
grep -r "telemetryDisabled" config/
|
|
275
|
+
# Erwartung: telemetryDisabled: true
|
|
276
|
+
|
|
277
|
+
# 2. PII-Filter wirkt (Test-Submission)
|
|
278
|
+
curl -X POST https://<placeholder-domain>/api/comments \
|
|
279
|
+
-H "Content-Type: application/json" \
|
|
280
|
+
-d '{"data":{"body":"Mein Kontakt: test@example.com","consentVersion":"1.0"}}' \
|
|
281
|
+
-H "Authorization: Bearer <placeholder-token>" -i
|
|
282
|
+
# Erwartung: 200, Body in DB enthaelt "[REDACTED]" statt Email
|
|
283
|
+
|
|
284
|
+
# 3. authorEmail nicht in API-Response
|
|
285
|
+
curl https://<placeholder-domain>/api/comments/<id> | jq .
|
|
286
|
+
# Erwartung: kein "authorEmail"-Feld
|
|
287
|
+
|
|
288
|
+
# 4. Robots-Meta-Header gesetzt
|
|
289
|
+
curl -sI https://<placeholder-domain>/api/comments/<id> | grep -i "x-robots-tag"
|
|
290
|
+
# Erwartung: X-Robots-Tag: noindex, nofollow
|
|
291
|
+
|
|
292
|
+
# 5. Strapi-Admin telemetry blockiert
|
|
293
|
+
# DevTools-Network-Tab beim Admin-Login: kein Call zu Strapi-Marketplace
|
|
294
|
+
```
|
|
295
|
+
|
|
296
|
+
## Cross-References
|
|
297
|
+
|
|
298
|
+
- AEGIS-Scanner: `cms-pii-checker.ts`, `tracking-scan.ts`, `data-transfer-checker.ts`
|
|
299
|
+
- Skill-Reference: `references/dsgvo.md` Art. 5 (Min), Art. 32 (Sicherheit)
|
|
300
|
+
- BGH-Rechtsprechung: `references/bgh-urteile.md`
|
|
301
|
+
- Audit-Pattern: `references/audit-patterns.md` Phase 5 (CMS-Audit), Phase 3 (Drittland)
|
|
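Review bot: the `beforeCreate` hook in `src/api/comment/content-types/comment/lifecycles.js` reads the salt with `strapi.config.get('server.ipHashSalt', '')`, so with nothing configured (and `config/server.js` in this same hunk does not set `ipHashSalt`) it silently stores an unsalted, 16-hex-character truncation of SHA-256 over the address, which for IPv4 is reversible by enumerating the address space; that contradicts the DSE wording "SHA-256 mit Salt" further down in the file. Fail fast when the salt is empty and document the key in `config/server.js`. In the same block the `??` fallback to `x-forwarded-for` can never run, because Koa's `ctx.request.ip` is always a string (possibly empty) inside a request, and if it did run it would hash a client-chosen header value; drop the fallback and enable Strapi's `proxy` server setting so `ctx.request.ip` reflects the real client behind the load balancer. Two smaller points: `throw new Error('Consent-Version Pflicht ...')` in a lifecycle surfaces as a 500, not the 400 a missing field deserves, so use `const { ValidationError } = require('@strapi/utils').errors;` and throw that instead; and `src/middlewares/robots-noindex.js` matches `ctx.request.url.startsWith('/api/comments/')`, which skips the collection routes `/api/comments` and `/api/submissions` where the full list of user content is served (the verify commands only probe the single-item route), so match on `ctx.request.path` without the trailing slash. Finally, the DSE template promises a 90-day retention for the IP hash, but nothing in the pattern ever clears `ipHash`; add a scheduled task under Strapi's `cron.tasks` server setting that nulls the field after 90 days, or mark the retention as a manual step.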
@@ -0,0 +1,371 @@
|
|
|
1
|
+
---
|
|
2
|
+
license: MIT (snippet)
|
|
3
|
+
provider: Strapi v4 / v5 (Open-Source)
|
|
4
|
+
last-checked: 2026-05-05
|
|
5
|
+
purpose: Strapi Plugin Pattern fuer DSA Art. 16 Notice-and-Action Compliance.
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Strapi — Notice-and-Action Plugin Pattern (DSA Art. 16)
|
|
9
|
+
|
|
10
|
+
## Trigger / Detection
|
|
11
|
+
|
|
12
|
+
Repo enthaelt:
|
|
13
|
+
- `@strapi/strapi` mit User-Generated-Content (Comments, Submissions, Reviews)
|
|
14
|
+
- Optional: `src/plugins/notice-and-action/` Custom-Plugin
|
|
15
|
+
- Service-Provider faellt unter DSA (Digital Services Act EU 2022/2065)
|
|
16
|
+
- Optional: `src/api/dsa-report/` Content-Type fuer Reports
|
|
17
|
+
|
|
18
|
+
DSA Art. 16: Hosting-Provider muessen einen Mechanismus zur Meldung rechtswidriger Inhalte bereitstellen ("Notice-and-Action"). Pflicht seit 17. Februar 2024 fuer alle Hosting-Provider (auch kleine).
|
|
19
|
+
|
|
20
|
+
## Default-Verhalten (was passiert ohne Konfiguration)
|
|
21
|
+
|
|
22
|
+
- Strapi hat keinen Built-in DSA-Report-Mechanismus
|
|
23
|
+
- User koennen Inhalte nicht strukturiert melden → manuelle E-Mail-Bearbeitung
|
|
24
|
+
- Keine Transparenz-Berichte → DSA Art. 15 Verstoss bei aktiveren Diensten
|
|
25
|
+
- Kein Audit-Trail fuer Moderations-Entscheidungen
|
|
26
|
+
- Keine Begruendung-Pflicht-Antwort an Reporter
|
|
27
|
+
|
|
28
|
+
## Compliance-Risiken
|
|
29
|
+
|
|
30
|
+
| Risiko | Norm | Severity | Fix |
|
|
31
|
+
|---|---|---|---|
|
|
32
|
+
| Kein Notice-and-Action-Mechanismus | DSA Art. 16 | KRITISCH | Plugin mit Report-Endpoint |
|
|
33
|
+
| Reporter erhaelt keine Bestaetigung | DSA Art. 16 Abs. 5 | HOCH | Auto-Confirmation-Mail |
|
|
34
|
+
| Keine Begruendung an Uploader bei Removal | DSA Art. 17 | HOCH | Statement-of-Reasons-Workflow |
|
|
35
|
+
| Keine Transparenz-Reports | DSA Art. 15/24 | MITTEL (HOCH bei VLOP) | Annual-Report-Worker |
|
|
36
|
+
| Trusted-Flagger-Privileg fehlt | DSA Art. 22 | NIEDRIG (Optional) | Role-based Priority |
|
|
37
|
+
| Kein Beschwerde-System | DSA Art. 20 | HOCH | Internal-Complaint-Endpoint |
|
|
38
|
+
|
|
39
|
+
## Code-Pattern (sanitized)
|
|
40
|
+
|
|
41
|
+
```javascript
|
|
42
|
+
// File: src/api/dsa-report/content-types/dsa-report/schema.json
|
|
43
|
+
{
|
|
44
|
+
"kind": "collectionType",
|
|
45
|
+
"collectionName": "dsa_reports",
|
|
46
|
+
"info": {
|
|
47
|
+
"singularName": "dsa-report",
|
|
48
|
+
"pluralName": "dsa-reports",
|
|
49
|
+
"displayName": "DSA Report"
|
|
50
|
+
},
|
|
51
|
+
"options": {
|
|
52
|
+
"draftAndPublish": false
|
|
53
|
+
},
|
|
54
|
+
"attributes": {
|
|
55
|
+
"reportedContentType": {
|
|
56
|
+
"type": "enumeration",
|
|
57
|
+
"enum": ["comment", "submission", "upload", "review"],
|
|
58
|
+
"required": true
|
|
59
|
+
},
|
|
60
|
+
"reportedContentId": {
|
|
61
|
+
"type": "string",
|
|
62
|
+
"required": true
|
|
63
|
+
},
|
|
64
|
+
"category": {
|
|
65
|
+
"type": "enumeration",
|
|
66
|
+
"enum": [
|
|
67
|
+
"illegal_hate_speech",
|
|
68
|
+
"terrorism_extremism",
|
|
69
|
+
"child_sexual_abuse_material",
|
|
70
|
+
"intellectual_property_violation",
|
|
71
|
+
"data_protection_violation",
|
|
72
|
+
"consumer_protection_violation",
|
|
73
|
+
"other_illegal"
|
|
74
|
+
],
|
|
75
|
+
"required": true
|
|
76
|
+
},
|
|
77
|
+
"explanation": {
|
|
78
|
+
"type": "text",
|
|
79
|
+
"required": true,
|
|
80
|
+
"maxLength": 5000
|
|
81
|
+
},
|
|
82
|
+
"reporterEmail": {
|
|
83
|
+
"type": "email",
|
|
84
|
+
"required": true,
|
|
85
|
+
"private": true
|
|
86
|
+
},
|
|
87
|
+
"reporterIpHash": {
|
|
88
|
+
"type": "string",
|
|
89
|
+
"maxLength": 16,
|
|
90
|
+
"private": true
|
|
91
|
+
},
|
|
92
|
+
"isTrustedFlagger": {
|
|
93
|
+
"type": "boolean",
|
|
94
|
+
"default": false
|
|
95
|
+
},
|
|
96
|
+
"status": {
|
|
97
|
+
"type": "enumeration",
|
|
98
|
+
"enum": ["received", "in_review", "actioned", "rejected", "appealed"],
|
|
99
|
+
"default": "received"
|
|
100
|
+
},
|
|
101
|
+
"actionTaken": {
|
|
102
|
+
"type": "enumeration",
|
|
103
|
+
"enum": ["none", "removed", "demoted", "warning", "account_suspended"]
|
|
104
|
+
},
|
|
105
|
+
"statementOfReasons": {
|
|
106
|
+
"type": "text",
|
|
107
|
+
"maxLength": 5000
|
|
108
|
+
},
|
|
109
|
+
"submittedAt": {
|
|
110
|
+
"type": "datetime",
|
|
111
|
+
"required": true
|
|
112
|
+
},
|
|
113
|
+
"actionedAt": {
|
|
114
|
+
"type": "datetime"
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
```javascript
|
|
121
|
+
// File: src/api/dsa-report/controllers/dsa-report.js
|
|
122
|
+
'use strict';
|
|
123
|
+
|
|
124
|
+
const crypto = require('crypto');
|
|
125
|
+
|
|
126
|
+
module.exports = ({ strapi }) => ({
|
|
127
|
+
async create(ctx) {
|
|
128
|
+
const {
|
|
129
|
+
reportedContentType,
|
|
130
|
+
reportedContentId,
|
|
131
|
+
category,
|
|
132
|
+
explanation,
|
|
133
|
+
reporterEmail,
|
|
134
|
+
} = ctx.request.body.data ?? {};
|
|
135
|
+
|
|
136
|
+
// Validation
|
|
137
|
+
if (!reportedContentType || !reportedContentId || !category || !explanation || !reporterEmail) {
|
|
138
|
+
return ctx.badRequest('Pflichtfelder fehlen');
|
|
139
|
+
}
|
|
140
|
+
if (typeof explanation !== 'string' || explanation.length < 50) {
|
|
141
|
+
return ctx.badRequest('Begruendung mindestens 50 Zeichen');
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
// IP-Hash
|
|
145
|
+
const ip = ctx.request.ip
|
|
146
|
+
?? ctx.request.header['x-forwarded-for']?.split(',')[0]
|
|
147
|
+
?? '';
|
|
148
|
+
const salt = strapi.config.get('server.ipHashSalt', '');
|
|
149
|
+
const ipHash = crypto.createHash('sha256').update(`${ip}${salt}`).digest('hex').slice(0, 16);
|
|
150
|
+
|
|
151
|
+
// Trusted-Flagger-Check (sofern Email auf Allowlist)
|
|
152
|
+
const trustedList = strapi.config.get('server.trustedFlaggers', []);
|
|
153
|
+
const isTrusted = trustedList.includes(reporterEmail.toLowerCase());
|
|
154
|
+
|
|
155
|
+
const report = await strapi.entityService.create('api::dsa-report.dsa-report', {
|
|
156
|
+
data: {
|
|
157
|
+
reportedContentType,
|
|
158
|
+
reportedContentId,
|
|
159
|
+
category,
|
|
160
|
+
explanation: explanation.slice(0, 5000),
|
|
161
|
+
reporterEmail,
|
|
162
|
+
reporterIpHash: ipHash,
|
|
163
|
+
isTrustedFlagger: isTrusted,
|
|
164
|
+
status: 'received',
|
|
165
|
+
submittedAt: new Date(),
|
|
166
|
+
},
|
|
167
|
+
});
|
|
168
|
+
|
|
169
|
+
// Auto-Confirmation an Reporter (DSA Art. 16 Abs. 5)
|
|
170
|
+
await strapi.plugins.email.services.email.send({
|
|
171
|
+
to: reporterEmail,
|
|
172
|
+
subject: `Bestaetigung Ihrer Meldung [Ref: ${report.id}]`,
|
|
173
|
+
text: buildConfirmationMail(report),
|
|
174
|
+
});
|
|
175
|
+
|
|
176
|
+
// Optional: Trusted-Flagger gehen sofort in Priority-Queue
|
|
177
|
+
if (isTrusted) {
|
|
178
|
+
await strapi.service('api::dsa-report.dsa-report').prioritize(report.id);
|
|
179
|
+
}
|
|
180
|
+
|
|
181
|
+
return {
|
|
182
|
+
data: {
|
|
183
|
+
id: report.id,
|
|
184
|
+
status: 'received',
|
|
185
|
+
submittedAt: report.submittedAt,
|
|
186
|
+
},
|
|
187
|
+
};
|
|
188
|
+
},
|
|
189
|
+
|
|
190
|
+
async findOne(ctx) {
|
|
191
|
+
// Reporter darf nur eigene Reports sehen
|
|
192
|
+
const { id } = ctx.params;
|
|
193
|
+
const report = await strapi.entityService.findOne('api::dsa-report.dsa-report', id, {
|
|
194
|
+
fields: ['status', 'category', 'submittedAt', 'actionedAt', 'statementOfReasons', 'actionTaken'],
|
|
195
|
+
});
|
|
196
|
+
if (!report) return ctx.notFound();
|
|
197
|
+
return { data: report };
|
|
198
|
+
},
|
|
199
|
+
});
|
|
200
|
+
|
|
201
|
+
function buildConfirmationMail(report) {
|
|
202
|
+
return `
|
|
203
|
+
Wir haben Ihre Meldung erhalten.
|
|
204
|
+
|
|
205
|
+
Referenz: ${report.id}
|
|
206
|
+
Eingegangen am: ${report.submittedAt}
|
|
207
|
+
Kategorie: ${report.category}
|
|
208
|
+
|
|
209
|
+
Wir werden Ihre Meldung gemaess DSA Art. 16 unverzueglich pruefen und Ihnen
|
|
210
|
+
das Ergebnis mit Begruendung mitteilen.
|
|
211
|
+
|
|
212
|
+
Bei Fragen: <placeholder-email>
|
|
213
|
+
`.trim();
|
|
214
|
+
}
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
```javascript
|
|
218
|
+
// File: src/api/dsa-report/services/dsa-report.js
|
|
219
|
+
'use strict';
|
|
220
|
+
|
|
221
|
+
const { createCoreService } = require('@strapi/strapi').factories;
|
|
222
|
+
|
|
223
|
+
module.exports = createCoreService('api::dsa-report.dsa-report', ({ strapi }) => ({
|
|
224
|
+
async actionReport(reportId, action, statementOfReasons) {
|
|
225
|
+
const report = await strapi.entityService.findOne('api::dsa-report.dsa-report', reportId);
|
|
226
|
+
if (!report) throw new Error('Report not found');
|
|
227
|
+
|
|
228
|
+
// 1. Action ausfuehren
|
|
229
|
+
if (action === 'removed') {
|
|
230
|
+
await strapi.entityService.delete(
|
|
231
|
+
`api::${report.reportedContentType}.${report.reportedContentType}`,
|
|
232
|
+
report.reportedContentId,
|
|
233
|
+
);
|
|
234
|
+
}
|
|
235
|
+
|
|
236
|
+
// 2. Report-Status aktualisieren
|
|
237
|
+
await strapi.entityService.update('api::dsa-report.dsa-report', reportId, {
|
|
238
|
+
data: {
|
|
239
|
+
status: 'actioned',
|
|
240
|
+
actionTaken: action,
|
|
241
|
+
statementOfReasons,
|
|
242
|
+
actionedAt: new Date(),
|
|
243
|
+
},
|
|
244
|
+
});
|
|
245
|
+
|
|
246
|
+
// 3. Reporter informieren
|
|
247
|
+
await strapi.plugins.email.services.email.send({
|
|
248
|
+
to: report.reporterEmail,
|
|
249
|
+
subject: `Ihre Meldung wurde bearbeitet [Ref: ${reportId}]`,
|
|
250
|
+
text: `Status: ${action}\n\nBegruendung:\n${statementOfReasons}`,
|
|
251
|
+
});
|
|
252
|
+
|
|
253
|
+
// 4. Uploader informieren (DSA Art. 17 Statement of Reasons)
|
|
254
|
+
if (action === 'removed') {
|
|
255
|
+
await this.notifyUploader(report.reportedContentType, report.reportedContentId, statementOfReasons);
|
|
256
|
+
}
|
|
257
|
+
},
|
|
258
|
+
|
|
259
|
+
async prioritize(reportId) {
|
|
260
|
+
// Trusted-Flagger-Reports priorisieren in Moderations-Queue
|
|
261
|
+
await strapi.entityService.update('api::dsa-report.dsa-report', reportId, {
|
|
262
|
+
data: { status: 'in_review' },
|
|
263
|
+
});
|
|
264
|
+
},
|
|
265
|
+
|
|
266
|
+
async notifyUploader(contentType, contentId, reason) {
|
|
267
|
+
const content = await strapi.entityService.findOne(`api::${contentType}.${contentType}`, contentId, {
|
|
268
|
+
populate: ['author'],
|
|
269
|
+
});
|
|
270
|
+
if (!content?.author?.email) return;
|
|
271
|
+
|
|
272
|
+
await strapi.plugins.email.services.email.send({
|
|
273
|
+
to: content.author.email,
|
|
274
|
+
subject: 'Ihr Inhalt wurde wegen einer Meldung entfernt',
|
|
275
|
+
text: `
|
|
276
|
+
Ihr Inhalt (${contentType} #${contentId}) wurde aufgrund einer Meldung entfernt.
|
|
277
|
+
|
|
278
|
+
Begruendung:
|
|
279
|
+
${reason}
|
|
280
|
+
|
|
281
|
+
Sie haben das Recht zur Beschwerde gemaess DSA Art. 20 binnen 6 Monaten.
|
|
282
|
+
Beschwerde-Endpoint: <placeholder-domain>/api/dsa-complaints
|
|
283
|
+
`.trim(),
|
|
284
|
+
});
|
|
285
|
+
},
|
|
286
|
+
}));
|
|
287
|
+
```
|
|
288
|
+
|
|
289
|
+
```javascript
|
|
290
|
+
// File: src/api/dsa-report/routes/dsa-report.js
|
|
291
|
+
module.exports = {
|
|
292
|
+
routes: [
|
|
293
|
+
{
|
|
294
|
+
method: 'POST',
|
|
295
|
+
path: '/dsa-reports',
|
|
296
|
+
handler: 'dsa-report.create',
|
|
297
|
+
config: { auth: false }, // Auch Nicht-User koennen melden
|
|
298
|
+
},
|
|
299
|
+
{
|
|
300
|
+
method: 'GET',
|
|
301
|
+
path: '/dsa-reports/:id',
|
|
302
|
+
handler: 'dsa-report.findOne',
|
|
303
|
+
config: { auth: false }, // Nur via Reference-ID + Email-Match
|
|
304
|
+
},
|
|
305
|
+
],
|
|
306
|
+
};
|
|
307
|
+
```
|
|
308
|
+
|
|
309
|
+
## AVV / DPA
|
|
310
|
+
|
|
311
|
+
- Strapi-Hosting — Art. 28 DSGVO
|
|
312
|
+
- Datenbank fuer Reports — AVV mit Backup-Rotation
|
|
313
|
+
- Mailer fuer Bestaetigungen + Statement-of-Reasons — AVV mit EU-Hosting
|
|
314
|
+
|
|
315
|
+
## DSE-Wording-Vorlage
|
|
316
|
+
|
|
317
|
+
```markdown
|
|
318
|
+
### Meldung rechtswidriger Inhalte (DSA Art. 16)
|
|
319
|
+
|
|
320
|
+
Sie koennen rechtswidrige Inhalte auf dieser Plattform jederzeit melden.
|
|
321
|
+
|
|
322
|
+
**Meldekanal:** [Inhalt melden](https://<placeholder-domain>/report) oder
|
|
323
|
+
E-Mail an <placeholder-email>.
|
|
324
|
+
|
|
325
|
+
**Was geschieht mit Ihrer Meldung:**
|
|
326
|
+
|
|
327
|
+
1. **Bestaetigung** binnen 24 Stunden mit Referenz-Nummer
|
|
328
|
+
2. **Pruefung** durch unser Moderations-Team (Trusted-Flagger werden priorisiert)
|
|
329
|
+
3. **Entscheidung** mit Begruendung an Sie und ggf. an den Uploader
|
|
330
|
+
4. **Beschwerde-Recht** binnen 6 Monaten gemaess DSA Art. 20
|
|
331
|
+
|
|
332
|
+
**Verarbeitete Daten Ihrer Meldung:**
|
|
333
|
+
- E-Mail-Adresse (zur Antwort)
|
|
334
|
+
- IP-Hash (Anti-Spam)
|
|
335
|
+
- Beschreibung der gemeldeten Verletzung
|
|
336
|
+
- Referenz auf gemeldeten Inhalt
|
|
337
|
+
|
|
338
|
+
**Speicherdauer:** 5 Jahre nach Abschluss (Beweisfunktion bei Rechtsstreit).
|
|
339
|
+
**Rechtsgrundlage:** Art. 6 Abs. 1 lit. c DSGVO (gesetzliche Verpflichtung
|
|
340
|
+
DSA Art. 16) + lit. f (berechtigtes Interesse Plattform-Sicherheit).
|
|
341
|
+
```
|
|
342
|
+
|
|
343
|
+
## Verify-Commands (Live-Probe)
|
|
344
|
+
|
|
345
|
+
```bash
|
|
346
|
+
# 1. Report-Endpoint erreichbar
|
|
347
|
+
curl -X POST https://<placeholder-domain>/api/dsa-reports \
|
|
348
|
+
-H "Content-Type: application/json" \
|
|
349
|
+
-d '{"data":{"reportedContentType":"comment","reportedContentId":"42","category":"illegal_hate_speech","explanation":"<placeholder-min-50-chars-explanation-text>","reporterEmail":"reporter@example.com"}}' -i
|
|
350
|
+
# Erwartung: 200 mit { id, status: "received" }
|
|
351
|
+
|
|
352
|
+
# 2. Bestaetigungs-Mail wird gesendet
|
|
353
|
+
# (Mail-Provider-Logs pruefen)
|
|
354
|
+
|
|
355
|
+
# 3. Validation: zu kurze Begruendung blockt
|
|
356
|
+
curl -X POST https://<placeholder-domain>/api/dsa-reports \
|
|
357
|
+
-d '{"data":{"category":"other_illegal","explanation":"kurz","reporterEmail":"x@x.de"}}' -i
|
|
358
|
+
# Erwartung: 400
|
|
359
|
+
|
|
360
|
+
# 4. Trusted-Flagger-Privileg
|
|
361
|
+
# Setze Email auf trusted-flaggers-Allowlist und sende Report
|
|
362
|
+
# Erwartung: status sofort "in_review"
|
|
363
|
+
```
|
|
364
|
+
|
|
365
|
+
## Cross-References
|
|
366
|
+
|
|
367
|
+
- AEGIS-Scanner: `dsa-compliance-checker.ts`, `cms-pii-checker.ts`, `audit-trail-checker.ts`
|
|
368
|
+
- Skill-Reference: `references/dsgvo.md` (Datenschutz-Aspekt)
|
|
369
|
+
- DSA: VO (EU) 2022/2065 Art. 14, 16, 17, 20, 22 (Notice-and-Action, Statement of Reasons, Beschwerde, Trusted Flagger)
|
|
370
|
+
- BGH-Rechtsprechung: `references/bgh-urteile.md`
|
|
371
|
+
- Audit-Pattern: `references/audit-patterns.md` Phase 5 (CMS-Audit), Phase 8 (DSA-Compliance)
|
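Review bot: `findOne` in `src/api/dsa-report/controllers/dsa-report.js` has no ownership check even though the route comment promises one (`config: { auth: false }, // Nur via Reference-ID + Email-Match`): any unauthenticated caller iterating `/api/dsa-reports/:id` over the sequential integer ids can read every report's `category`, `status`, `actionTaken` and `statementOfReasons`, an IDOR on data the DSE says is kept for five years. Require something only the reporter knows, for example the `reporterEmail` as a query parameter compared case-insensitively against the stored value, or better a random reference token generated in `create` and stored on the report, and answer `ctx.notFound()` on mismatch so an id's existence leaks nothing. Second, `create` is `auth: false`, never checks that `reportedContentId` exists, has no rate limit and unconditionally mails whatever `reporterEmail` the caller supplies, which makes the endpoint an open notification relay; verify the reported entity first (`ctx.badRequest` otherwise) and throttle per `reporterIpHash`. `reporterEmail.toLowerCase()` also throws a 500 on non-string JSON input, so type-check it with the other fields. Third, `actionReport` in `services/dsa-report.js` builds the uid as `api::${report.reportedContentType}.${report.reportedContentType}`, but `upload` is in the `reportedContentType` enum and media lives under `plugin::upload.file`, so a `removed` action on an upload report throws before the status update and the reporter is never informed; map the enum to real uids explicitly. Related: `notifyUploader` populates `author`, yet the `comment` schema added in this same package has no `author` relation (only `authorName` and `authorEmail`), so for comments the Art. 17 statement of reasons is never delivered. Lastly, the content is deleted before the report row is updated, so a failing update leaves a removal with no audit record; update the report first or run both steps in one database transaction.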