npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/cookie-banner-pattern.md ADDED Viewed

@@ -0,0 +1,318 @@
+---
+license: MIT (snippet)
+provider: Django (Open-Source)
+last-checked: 2026-05-05
+purpose: Django Middleware Pattern fuer Consent-Cookie-Read + Conditional Tracker-Render.
+---
+# Django — Cookie-Banner Middleware Pattern
+## Trigger / Detection
+Repo enthaelt:
+- `django` in `requirements.txt` / `pyproject.toml`
+- `settings.py` mit `MIDDLEWARE` Liste
+- `urls.py` URL-Routing
+- Optional: `django-cookie-consent` Package
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Django-Default-Session-Cookies ohne `SESSION_COOKIE_SECURE = True` in DEBUG
+- `csrftoken` Cookie ohne `SameSite=Lax`-Hinweis
+- Tracker-Tags hardcoded in `base.html` Template
+- `CSRF_COOKIE_HTTPONLY = False` Default → JS kann CSRF-Token lesen (notwendig)
+- Default-Logger schreibt Klartext-IP via `request.META['REMOTE_ADDR']`
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker-Tag in `base.html` | § 25 TDDDG | KRITISCH | `{% if request.consent.analytics %}` Conditional |
+| `SESSION_COOKIE_SECURE = False` | Art. 32 DSGVO | KRITISCH | True in production settings |
+| `SESSION_COOKIE_SAMESITE` ungesetzt | Art. 32 DSGVO | HOCH | `'Lax'` setzen |
+| Klartext-IP in Logs | Art. 5 lit. f | HOCH | Custom Logging-Filter |
+| Drittland-Tracker via CDN | Art. 44 DSGVO | KRITISCH | EU-Provider + AVV |
+## Code-Pattern (sanitized)
+```python
+# File: app/middleware/consent.py
+import json
+from typing import Callable
+from django.http import HttpRequest, HttpResponse
+DEFAULT_CONSENT = {
+    'necessary': True,
+    'analytics': False,
+    'marketing': False,
+    'version': '1.0',
+}
+class ConsentMiddleware:
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]) -> None:
+        self.get_response = get_response
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        raw = request.COOKIES.get('cookie_consent')
+        consent = dict(DEFAULT_CONSENT)
+        if raw:
+            try:
+                parsed = json.loads(raw)
+                if isinstance(parsed, dict):
+                    consent.update({k: v for k, v in parsed.items() if k in DEFAULT_CONSENT})
+            except (json.JSONDecodeError, ValueError):
+                pass
+        request.consent = consent
+        return self.get_response(request)
+```
+```python
+# File: app/views/consent.py
+import hashlib
+import json
+from datetime import datetime, timezone, timedelta
+from django.conf import settings
+from django.http import JsonResponse, HttpResponseBadRequest
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_protect
+from app.models import ConsentLog
+@require_POST
+@csrf_protect
+def store_consent(request):
+    try:
+        body = json.loads(request.body)
+    except json.JSONDecodeError:
+        return HttpResponseBadRequest('Invalid JSON')
+    if not isinstance(body.get('analytics'), bool) or not isinstance(body.get('marketing'), bool):
+        return HttpResponseBadRequest('Invalid payload')
+    consent = {
+        'necessary': True,
+        'analytics': body['analytics'],
+        'marketing': body['marketing'],
+        'version': '1.0',
+        'timestamp': datetime.now(timezone.utc).isoformat(),
+    }
+    # Server-Log
+    ip = (request.META.get('HTTP_X_FORWARDED_FOR') or request.META.get('REMOTE_ADDR', '')).split(',')[0].strip()
+    salt = getattr(settings, 'IP_HASH_SALT', '')
+    ip_hash = hashlib.sha256(f'{ip}{salt}'.encode()).hexdigest()[:16]
+    ConsentLog.objects.create(
+        ip_hash=ip_hash,
+        user_agent=(request.META.get('HTTP_USER_AGENT') or '')[:200],
+        consent=consent,
+    )
+    response = JsonResponse({}, status=204)
+    response.set_cookie(
+        'cookie_consent',
+        json.dumps(consent),
+        max_age=int(timedelta(days=365).total_seconds()),
+        secure=not settings.DEBUG,
+        httponly=False,  # Banner-JS muss lesen
+        samesite='Lax',
+        path='/',
+    )
+    return response
+```
+```python
+# File: app/models/consent_log.py
+from django.db import models
+class ConsentLog(models.Model):
+    ip_hash = models.CharField(max_length=16)
+    user_agent = models.CharField(max_length=200)
+    consent = models.JSONField()
+    timestamp = models.DateTimeField(auto_now_add=True)
+    class Meta:
+        indexes = [models.Index(fields=['timestamp'])]
+    def __str__(self) -> str:
+        return f'ConsentLog #{self.pk} @ {self.timestamp.isoformat()}'
+```
+```python
+# File: settings.py (Auszug)
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'app.middleware.consent.ConsentMiddleware',
+    # ...
+]
+# Cookie-Security
+SESSION_COOKIE_SECURE = not DEBUG
+SESSION_COOKIE_SAMESITE = 'Lax'
+SESSION_COOKIE_HTTPONLY = True
+CSRF_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SAMESITE = 'Lax'
+# HSTS (nur in production)
+if not DEBUG:
+    SECURE_HSTS_SECONDS = 31536000
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_HSTS_PRELOAD = True
+    SECURE_SSL_REDIRECT = True
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# Salt fuer IP-Hash
+IP_HASH_SALT = os.environ['IP_HASH_SALT']
+```
+```python
+# File: urls.py
+from django.urls import path
+from app.views.consent import store_consent
+urlpatterns = [
+    path('api/consent-log', store_consent, name='consent-store'),
+    # ...
+]
+```
+```html
+<!-- File: templates/cookies/banner.html -->
+{% if not request.COOKIES.cookie_consent %}
+<aside id="cookie-banner" role="dialog" aria-label="Cookie-Einwilligung" class="cookie-banner">
+    <p>
+        Wir nutzen Cookies fuer notwendige Funktionen. Mit Ihrer Einwilligung
+        zusaetzlich fuer Webanalyse. Details:
+        <a href="{% url 'legal-privacy' %}">Datenschutzerklaerung</a>.
+    </p>
+    <div class="cookie-actions">
+        <button type="button" data-action="reject-all" class="btn-secondary">Nur Notwendige</button>
+        <button type="button" data-action="accept-all" class="btn-primary">Alle akzeptieren</button>
+    </div>
+</aside>
+<script>
+(() => {
+    const csrf = document.querySelector('[name=csrfmiddlewaretoken]')?.value
+        || document.cookie.match(/csrftoken=([^;]+)/)?.[1];
+    const submit = (analytics, marketing) => {
+        fetch('{% url "consent-store" %}', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-CSRFToken': csrf,
+            },
+            body: JSON.stringify({ analytics, marketing }),
+        }).then(() => {
+            document.getElementById('cookie-banner').remove();
+            if (analytics) {
+                const s = document.createElement('script');
+                s.src = 'https://<placeholder-eu-analytics-host>/script.js';
+                s.async = true;
+                document.head.appendChild(s);
+            }
+        });
+    };
+    document.querySelector('[data-action="reject-all"]').onclick = () => submit(false, false);
+    document.querySelector('[data-action="accept-all"]').onclick = () => submit(true, true);
+})();
+</script>
+{% endif %}
+```
+```html
+<!-- File: templates/base.html -->
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <title>{% block title %}<placeholder-site-name>{% endblock %}</title>
+    {% csrf_token %}
+    {# Tracker NUR conditional #}
+    {% if request.consent.analytics %}
+        <script src="https://<placeholder-eu-analytics-host>/script.js" async></script>
+    {% endif %}
+</head>
+<body>
+    {% block content %}{% endblock %}
+    {% include 'cookies/banner.html' %}
+</body>
+</html>
+```
+## AVV / DPA
+- Hosting-Provider (Heroku EU / Render / Fly.io) — Art. 28 DSGVO
+- Datenbank (Postgres) — AVV mit EU-Region
+- Analytics-Provider (Plausible EU / Matomo) — AVV
+- Mailer (SendGrid EU / Postmark / Mailjet) — AVV
+## DSE-Wording-Vorlage
+```markdown
+### Cookies (Django-Anwendung)
+Diese Webseite verwendet folgende Cookies:
+**Notwendige Cookies (kein Opt-Out):**
+- `sessionid` — Session-Verwaltung, Session-Dauer
+- `csrftoken` — CSRF-Schutz, 12 Monate
+- `cookie_consent` — Speicherung Ihrer Einwilligung, 12 Monate
+**Analyse-Cookies (Opt-In):**
+- gesetzt durch <placeholder-analytics-provider>
+- Speicherdauer: <placeholder-days> Tage
+- EU-Hosting: <placeholder-eu-country>
+**Rechtsgrundlage:** § 25 TDDDG i.V.m. Art. 6 Abs. 1 lit. a DSGVO.
+**Widerruf:** [Cookie-Einstellungen](#cookie-settings) im Footer.
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. Banner sichtbar fuer neue Visitors
+curl -sS https://<placeholder-domain>/ | grep -ic "cookie-banner"
+# 2. Cookie-Security-Flags
+curl -sI https://<placeholder-domain>/ | grep -iE "set-cookie:.*sessionid"
+# Erwartung: HttpOnly; Secure; SameSite=Lax
+# 3. HSTS aktiv
+curl -sI https://<placeholder-domain>/ | grep -i "strict-transport-security"
+# Erwartung: max-age=31536000; includeSubDomains; preload
+# 4. Tracker-Conditional Rendering
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Afalse%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: 0
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Atrue%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: >=1
+# 5. CSRF-Schutz erzwungen
+curl -X POST https://<placeholder-domain>/api/consent-log \
+  -H "Content-Type: application/json" -d '{"analytics":false,"marketing":false}' -i
+# Erwartung: 403 Forbidden (CSRF token missing)
+```
+## Cross-References
+- AEGIS-Scanner: `cookie-flags-checker.ts`, `csrf-config-checker.ts`, `consent-flow-checker.ts`
+- Skill-Reference: `references/dsgvo.md` § 25 TDDDG, Art. 7 DSGVO
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- OLG Koeln 6 U 80/23 (Button-Gleichwertigkeit)
+- Audit-Pattern: `references/audit-patterns.md` Phase 2 (Cookie-Audit)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/gdpr-cleanup-celery.md ADDED Viewed

@@ -0,0 +1,339 @@
+---
+license: MIT (snippet)
+provider: Django + Celery + Celery-Beat (Open-Source)
+last-checked: 2026-05-05
+purpose: Celery-Beat-Cron Pattern fuer DSGVO-Loeschpflichten + Anonymisierung in Django.
+---
+# Django + Celery — GDPR-Cleanup-Cron
+## Trigger / Detection
+Repo enthaelt:
+- `celery` in `requirements.txt`
+- `app/celery.py` mit `celery -A app worker`
+- `app/tasks.py` mit `@shared_task` Decorators
+- `django-celery-beat` Package mit `PeriodicTask` Models
+- Optional: `flower` fuer Monitoring
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Account-Loeschung synchron im View → Timeout-Risiko
+- Soft-Deletes haeufen sich → DSGVO-Drift
+- Search-Index nicht synchronisiert mit DB-Loeschung
+- Celery-Logs enthalten Klartext-Task-Args mit PII
+- Task-Failures unbemerkt → Cron-Reliability fragil
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Hard-Delete-Cron fehlt | Art. 5 lit. e DSGVO | KRITISCH | Celery-Beat taeglich um 3 Uhr UTC |
+| Celery-Args mit User-Email leakt in Logs | Art. 5 lit. f | HOCH | Nur User-ID als Arg, Lookup im Worker |
+| Search-Index ueberlebt User-Delete | Art. 17 DSGVO | KRITISCH | Worker triggert Index-Removal |
+| Task-Failure unbemerkt | Art. 5 Abs. 2 | HOCH | Sentry-Integration + DLQ |
+| Backup-Files ohne Rotation | Art. 5 lit. e | HOCH | Provider-Policy + Doku |
+## Code-Pattern (sanitized)
+```python
+# File: app/celery.py
+import os
+from celery import Celery
+from celery.schedules import crontab
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'app.settings')
+app = Celery('app')
+app.config_from_object('django.conf:settings', namespace='CELERY')
+app.autodiscover_tasks()
+app.conf.beat_schedule = {
+    'gdpr-hard-delete-daily': {
+        'task': 'app.tasks.gdpr_hard_delete',
+        'schedule': crontab(hour=3, minute=0),  # taeglich 3 Uhr UTC
+    },
+    'gdpr-inactive-cleanup-weekly': {
+        'task': 'app.tasks.gdpr_inactive_user_cleanup',
+        'schedule': crontab(hour=4, minute=0, day_of_week=0),  # Sonntag 4 Uhr
+    },
+    'analytics-events-cleanup-daily': {
+        'task': 'app.tasks.analytics_events_cleanup',
+        'schedule': crontab(hour=5, minute=0),
+    },
+    'consent-log-rotation-weekly': {
+        'task': 'app.tasks.consent_log_rotation',
+        'schedule': crontab(hour=6, minute=0, day_of_week=0),
+    },
+}
+```
+```python
+# File: app/tasks.py
+import logging
+from datetime import timedelta
+from celery import shared_task
+from django.utils import timezone
+from django.db import transaction
+from app.models import User, ConsentLog, AnalyticsEvent, CronRun
+logger = logging.getLogger(__name__)
+@shared_task(bind=True, max_retries=3, default_retry_delay=300)
+def gdpr_anonymize_user(self, user_id: int, reason: str = ''):
+    try:
+        user = User.objects.select_for_update().get(pk=user_id)
+    except User.DoesNotExist:
+        logger.warning('user-not-found-for-anonymization', extra={'user_id': user_id})
+        return
+    with transaction.atomic():
+        # 1. PII anonymisieren
+        user.email = f'deleted-{user.id}@<placeholder-domain>'
+        user.first_name = 'GELOESCHT'
+        user.last_name = ''
+        user.phone = None
+        user.deleted_at = timezone.now()
+        user.deletion_reason = reason or None
+        user.save(update_fields=[
+            'email', 'first_name', 'last_name', 'phone', 'deleted_at', 'deletion_reason'
+        ])
+        # 2. Search-Index removal (z.B. Algolia / Meilisearch)
+        try:
+            from app.search import remove_user_from_index
+            remove_user_from_index(user.id)
+        except Exception as e:
+            logger.warning('search-index-removal-failed', extra={'user_id': user_id, 'error': str(e)})
+        # 3. Cascade-Anonymisierung
+        from app.models import Comment, Upload
+        Comment.objects.filter(author=user).update(author_name='GELOESCHT')
+        for upload in Upload.objects.filter(owner=user):
+            upload.purge()
+    logger.info('user-anonymized', extra={'user_id': user_id})
+@shared_task(bind=True, max_retries=3)
+def gdpr_hard_delete(self):
+    cutoff = timezone.now() - timedelta(days=30)
+    deleted_count = 0
+    try:
+        with transaction.atomic():
+            users = User.objects.filter(deleted_at__lt=cutoff).select_for_update()
+            for user in users:
+                # Cascade-Loeschung
+                user.useraudit_logs.all().delete()
+                user.comments.all().delete()
+                user.uploads.all().delete()  # mit storage-cleanup
+                user.delete()  # endgueltig
+                deleted_count += 1
+        CronRun.objects.create(
+            job_name='gdpr-hard-delete',
+            finished_at=timezone.now(),
+            status='success',
+            metadata={'deleted_count': deleted_count},
+        )
+        logger.info('gdpr-hard-delete-complete', extra={'deleted_count': deleted_count})
+    except Exception as exc:
+        CronRun.objects.create(
+            job_name='gdpr-hard-delete',
+            finished_at=timezone.now(),
+            status='failed',
+            metadata={'error': str(exc)},
+        )
+        raise self.retry(exc=exc)
+@shared_task
+def gdpr_inactive_user_cleanup():
+    cutoff = timezone.now() - timedelta(days=730)  # 2 Jahre
+    warning_cutoff = timezone.now() - timedelta(days=30)
+    # Stufe 1: Warning an inaktive User die noch keine Warnung erhielten
+    for user in User.objects.filter(
+        last_login__lt=cutoff,
+        deleted_at__isnull=True,
+        inactivity_warning_sent_at__isnull=True,
+    )[:1000]:
+        from app.mail import send_inactivity_warning
+        send_inactivity_warning(user)
+        user.inactivity_warning_sent_at = timezone.now()
+        user.save(update_fields=['inactivity_warning_sent_at'])
+    # Stufe 2: User die gewarnt + immer noch inaktiv
+    for user in User.objects.filter(
+        last_login__lt=cutoff,
+        deleted_at__isnull=True,
+        inactivity_warning_sent_at__lt=warning_cutoff,
+    )[:1000]:
+        gdpr_anonymize_user.delay(user.id, reason='inactivity_2_years')
+@shared_task
+def analytics_events_cleanup():
+    cutoff = timezone.now() - timedelta(days=90)
+    deleted, _ = AnalyticsEvent.objects.filter(timestamp__lt=cutoff).delete()
+    logger.info('analytics-events-deleted', extra={'count': deleted})
+@shared_task
+def consent_log_rotation():
+    cutoff = timezone.now() - timedelta(days=6 * 365)  # 6 Jahre
+    deleted, _ = ConsentLog.objects.filter(timestamp__lt=cutoff).delete()
+    logger.info('consent-logs-rotated', extra={'count': deleted})
+```
+```python
+# File: app/views/gdpr.py
+from django.contrib.auth.decorators import login_required
+from django.contrib.auth import logout
+from django.http import JsonResponse
+from django.utils import timezone
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_protect
+from app.tasks import gdpr_anonymize_user
+@require_POST
+@login_required
+@csrf_protect
+def delete_account(request):
+    import json
+    body = json.loads(request.body or '{}')
+    reason = (body.get('reason') or '')[:500]
+    user_id = request.user.id
+    # Synchron: nur Soft-Delete
+    request.user.deleted_at = timezone.now()
+    request.user.deletion_reason = reason or None
+    request.user.save(update_fields=['deleted_at', 'deletion_reason'])
+    # Async: Anonymisierung
+    gdpr_anonymize_user.delay(user_id, reason)
+    logout(request)
+    return JsonResponse({
+        'status': 'PENDING_HARD_DELETE',
+        'soft_deleted_at': timezone.now().isoformat(),
+        'hard_delete_scheduled': '30 Tage',
+    }, status=202)
+```
+```python
+# File: app/models/cron_run.py
+from django.db import models
+class CronRun(models.Model):
+    job_name = models.CharField(max_length=100, db_index=True)
+    started_at = models.DateTimeField(auto_now_add=True)
+    finished_at = models.DateTimeField()
+    status = models.CharField(max_length=16, choices=[('success', 'success'), ('failed', 'failed')])
+    metadata = models.JSONField(default=dict, blank=True)
+    class Meta:
+        indexes = [models.Index(fields=['job_name', 'started_at'])]
+```
+```python
+# File: app/views/health.py
+from datetime import timedelta
+from django.http import JsonResponse
+from django.utils import timezone
+from app.models import CronRun
+def cron_health(request):
+    last_24h = timezone.now() - timedelta(hours=24)
+    expected_jobs = ['gdpr-hard-delete', 'analytics-events-cleanup']
+    recent_runs = list(CronRun.objects.filter(started_at__gt=last_24h).order_by('-started_at'))
+    failed = [r for r in recent_runs if r.status == 'failed']
+    missing = [
+        j for j in expected_jobs
+        if not any(r.job_name == j and r.status == 'success' for r in recent_runs)
+    ]
+    return JsonResponse({
+        'healthy': not failed and not missing,
+        'recent_runs': len(recent_runs),
+        'failed_runs': len(failed),
+        'missing_jobs': missing,
+    })
+```
+## AVV / DPA
+- Datenbank — Hard-Delete-Wirksamkeit
+- Celery-Broker (Redis Cloud EU / Upstash) — AVV
+- Search-Provider (Algolia EU / Meilisearch self-host) — AVV
+- Mailer fuer Warning-Mails — AVV
+- Sentry/APM (sofern integriert) — AVV mit PII-Scrubbing
+## DSE-Wording-Vorlage
+```markdown
+### Loeschverfahren und Inaktivitaets-Cleanup
+**Bei Loesch-Antrag (manuell):**
+| Stufe | Zeitpunkt | Aktion |
+|---|---|---|
+| 1 | sofort | Account deaktiviert, Logout |
+| 2 | < 60 Sekunden (asynchron) | PII anonymisiert, Search-Index entfernt |
+| 3 | nach 30 Tagen | Endgueltige DB-Loeschung |
+**Bei Inaktivitaet (automatisch):**
+| Stufe | Zeitpunkt | Aktion |
+|---|---|---|
+| 1 | nach 2 Jahren ohne Login | Warning-Mail |
+| 2 | 30 Tage nach Warning | Account-Anonymisierung |
+| 3 | 30 Tage nach Anonymisierung | Hard-Delete |
+**Rechtsgrundlage:** Art. 5 lit. e DSGVO (Speicherbegrenzung), Art. 17 DSGVO.
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. Cron-Health-Endpoint
+curl https://<placeholder-domain>/health/cron
+# Erwartung: { "healthy": true, "missing_jobs": [] }
+# 2. Celery-Worker-Health (Flower)
+curl https://<placeholder-domain>/flower/api/workers
+# Erwartung: aktive Worker sichtbar
+# 3. Anonymize-Task manuell triggern
+python manage.py shell
+# >>> from app.tasks import gdpr_anonymize_user
+# >>> gdpr_anonymize_user.delay(<test-user-id>, 'manual-test')
+# 4. Logs ohne PII
+tail -100 /var/log/celery/worker.log | grep -E '[\w.+-]+@[\w-]+\.[\w-]+' | head -5
+# Erwartung: 0 Treffer
+# 5. Hard-Delete nach 30 Tagen
+# DB: SELECT COUNT(*) FROM users WHERE deleted_at < now() - interval '30 days';
+# Erwartung: 0
+```
+## Cross-References
+- AEGIS-Scanner: `data-retention-checker.ts`, `cron-coverage-checker.ts`, `pii-anonymization-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 17, Art. 5 lit. e
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- EuGH: `references/eu-eugh-dsgvo-schadensersatz.md` (Loesch-Anspruch)
+- Audit-Pattern: `references/audit-patterns.md` Phase 4 (DSE-Drift / Cron-Coverage)