MSC5 Labs
Changelog

Version history

All changes to the MSC5 Labs IT audit platform.

v2026.05.18 May 18, 2026 🔍 Audit log viewer + PHPStan L8 + test coverage
  • 🔍 Audit log viewer (forensics UI): New admin page admin-audit-log.php + API api/audit-log-viewer.php. Searches admin_audit.log plus the rotated archives (.1/.2/.3). Filters: category (security./auth./user./config./webhook.), user, IP, date range, full-text search. Pagination 200 per page. Clickable category statistics chips. Color-coded action column. All security events from the recent patches are searchable: csrf_invalid, rate_limit_hit, unauthorized_admin_access, login_anomaly, config.update, session_expired.
  • 🧪 PHPStan level 8 strict in CI: Highest practically attainable static-analysis level for the codebase. PHAR version pinned to 2.1.54, which eliminates local/CI version drift (before: CI downloaded 'releases/latest', and new rules meant 'green locally, red in CI'). Pipeline: L1-L8 = 0 errors strict, L9 informational.
  • 🧪 Test coverage extended (+20 cases): WebhooksTest 12 → 19 (sprint-2 providers: Jira/GitHub/GitLab/Splunk-HEC/Elasticsearch/Datadog), I18nTest new 0 → 10 (i18n module previously untested: _i18n_lookup flat/nested key, supported/default lang), LicenseTest 6 → 9 (has_module admin bypass). 15 test files, ~117 test cases in total.
  • 📑 Market analysis report, table of contents: 2-column TOC with clickable jump anchors for all 14 sections. scroll-margin for clean anchor positioning. Print-CSS safe (light TOC style in the PDF).
  • 🔧 Reproducible builds: tests/e2e/package-lock.json committed, locking Playwright versions for deterministic E2E CI runs. base_path() test fix (the function lives in auth.php with session side effects, not in the test bootstrap).
v2026.05.15 May 15, 2026 🚀 Major Update: Security + Webhooks + Newsletter
  • 📬 Changelog newsletter (GDPR double opt-in): Public subscribe page changelog-subscribe.php, mail verification via token, auto-cleanup of unverified subscribers after 7 days. On every changelog save, automatic mail to all verified subscribers with a personalized unsubscribe link per mail. Admin UI admin-subscribers.php for CRUD operations. Audit log: subscribe_requested, verify_attempt, unsubscribe_attempt (email hash instead of plaintext for privacy).
  • 🔗 Webhook engine v2 (4 → 28 provider types): Team chat (Slack/Teams/Discord/Mattermost/Rocket), push (Telegram/Pushover/Pushbullet/ntfy), workflow (Zapier/Make/n8n/IFTTT), SMS (Twilio), incident (PagerDuty/Opsgenie), email gateway (SendGrid/Mailgun), ticketing (Jira/GitHub/GitLab), SIEM/log (Splunk-HEC/Elasticsearch/Datadog), M365 (SharePoint flow), generic + generic HMAC-signed. Event pattern matching with wildcards (security.*). Admin UI admin-webhooks.php with test button + type grouping. Market analysis: 30+ → 50+ curated integrations.
  • 📧 Free-text email dispatch: New send button in the free-text panel. Multi-select checkboxes per doc + 'Select all'. PDF attachment with all selected documents via SimplePdf. Modal UX: ESC close, backdrop-click close, auto-focus on the recipient field. Max 20 recipients per call (anti-spam). Audit log: freitext.docs_mailed.
  • 🛡 Security patches, 17+ real bugs fixed: CSRF on 134 API endpoints via _csrf_bootstrap.php, session-fixation fix in the 2FA email path (session_regenerate_id(true)), CSRF + per-user rate limit + timing-attack mitigation on forgot_password.php, JSON_SORT_KEYS does not exist in PHP (hash chain was non-deterministic), 3x write_log with wrong args, 4x undefined variable after try/catch, password_verify(null) bug in 2FA, 2x string-int type juggling. require_admin_or_403() helper on 56/56 admin gates = 100% audit log coverage.
  • ⚡ Performance optimizations: load_config() static cache via $GLOBALS (~50-200 disk I/Os per request saved, 124 call sites), sessions index cache includes/session_store.php for 7 endpoints (metrics, risk-heatmap, compliance-dashboard, ...), dashboard-builder nested array_map double-read fix, gzip for JSON APIs via mod_deflate.
  • 🛡 Rate limiting + anomaly detection: Global rate limit (60 POST/min, 200 GET/min per IP) via includes/rate_limit.php with sliding-window counter + auto-cleanup. Login IP anomaly detection (no external GeoIP service): rolling window of the last 20 login IPs per user, alert on a new /24 range (IPv4) or /64 (IPv6). Audit log + Sentry warning on anomaly.
  • 📜 Audit log rotation + key rotation monitor: includes/log_rotation.php rotates admin_audit.log at >10 MB to data/audit_archive/admin_audit.YYYY-MM-DD_HHMMSS.log.gz, retention 365 days (NIS2 recommendation). Cron endpoint api/audit-log-rotate.php. Key rotation monitor (includes/rotation_monitor.php) warns via Sentry + admin_log when the data/secrets.json mtime is older than 90 days.
  • 🔒 Hardening: Content-Security-Policy with Sentry allowlist, Cross-Origin-Resource-Policy: same-origin, HSTS preload-eligible, SameSite cookie Lax → Strict, X-Frame-Options DENY, sensitive-files block extended (secrets.json, composer.json, sentry.php, rate_limit.php, rotation_monitor.php, .master.key, .app_enc_key, license-privkey.pem). includes/.htaccess: Deny from all.
  • 🧪 PHPStan level 6 strict in CI: L1-L6 = 0 errors, ~28 type annotations added (return types for xx_out helpers, missing-iterable-value-types ignoreErrors). Pinned PHPStan PHAR 2.1.54 for local/CI consistency. PHPStan levels 7-8 clean locally, deferred in CI until the PHAR version is stable.
  • 🗑 Demo mode removed completely: -1264 LOC. api/demo-init.php, api/demo-public.php, static/demo-tour.css/js, modules/sector_bw.demo_public/ deleted. Demo login buttons removed from login.php. 11 api/* session demo filters purged. 64 demo language keys removed from DE/EN. Live cleanup via FTPS cleanup.
  • 📊 Market analysis report extended: Section 12: 19 sales platforms with time-to-first-sale (Gumroad/Payhip/Lemon Squeezy for immediate sale, AppSumo/AWS/Azure for marketplace, BAAINBw/KdB for DACH public authorities). Section 13: pro/contra tables per platform with visual star widgets + tier badges (gold/blue/grey/red).
  • 🧹 Code cleanup: Duplicate webroot MSC5_WebLive/785K3.../ removed (-896 MB). 1.9 GB live backup created under Backups/webspace_2026-05-15_094150/. UserRole enum (PHP 8.2 backed enum) with 9 sample migrations. 13 test files with ~70 test cases. Coverage threshold 10% → 12%.
  • 📚 Docs: README.md expanded from 12 → 202 lines (tech stack table, quickstart, security features matrix, repo structure, CI/CD pipeline). SECURITY.md with responsible disclosure policy + safe harbor clause. JS extraction roadmap for audit.php (4400 LOC inline JS, 5-phase plan).
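The rate limiting + anomaly detection entry in v2026.05.15 above describes two checks. This added example (not the project's includes/rate_limit.php or login code) implements both in plain PHP with in-memory state: a sliding-window limiter keyed by IP, and login-IP anomaly detection that compares /24 (IPv4) and /64 (IPv6) ranges over a rolling window of the last 20 logins per user; the demo limit of 3/min and the IPs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the project's includes/rate_limit.php or login code:
// (1) sliding-window rate limiting per key and (2) login-IP anomaly detection
// over the last 20 IPs per user, comparing /24 (IPv4) and /64 (IPv6) ranges.
// State lives in plain arrays here; the real code keeps its own state files.

const LOGIN_IP_WINDOW = 20;

/** Sliding window: allow at most $limit hits per $window seconds per key. */
function rate_limit_allow(array &$buckets, string $key, int $limit, int $window, int $now): bool
{
    // Auto-cleanup: forget hits that have left the window.
    $hits = array_values(array_filter($buckets[$key] ?? [], fn(int $t) => $t > $now - $window));
    $allowed = count($hits) < $limit;
    if ($allowed) {
        $hits[] = $now;
    }
    $buckets[$key] = $hits;
    return $allowed;
}

/** Range key of an IP: first 24 bits (IPv4) or first 64 bits (IPv6). */
function ip_range_key(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($ip);
    if (strlen($bin) === 4) {
        return 'v4:' . bin2hex(substr($bin, 0, 3));
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d) is an IPv4 client on a dual-stack socket.
    if (substr($bin, 0, 12) === "\0\0\0\0\0\0\0\0\0\0\xff\xff") {
        return 'v4:' . bin2hex(substr($bin, 12, 3));
    }
    return 'v6:' . bin2hex(substr($bin, 0, 8));
}

/**
 * Records $ip in the user's rolling window and returns true when it lies in a
 * range not seen in that window. The very first login has no baseline and is
 * not flagged; an unparsable address is flagged because it cannot be matched.
 */
function login_ip_anomaly(array &$history, string $user, string $ip): bool
{
    $key  = ip_range_key($ip);
    $prev = $history[$user] ?? [];
    $seen = array_map('ip_range_key', $prev);
    $anomaly = $key === null || ($prev !== [] && !in_array($key, $seen, true));
    $prev[] = $ip;
    $history[$user] = array_slice($prev, -LOGIN_IP_WINDOW);
    return $anomaly;
}

// --- constructed demo ------------------------------------------------------
$buckets = [];
foreach ([0, 1, 2, 3, 61] as $t) {   // limit 3/min instead of 60/min to keep it short
    printf("POST at t=%-3d from 203.0.113.10: %s\n", $t,
        rate_limit_allow($buckets, 'post:203.0.113.10', 3, 60, $t) ? 'allowed' : 'rate_limit_hit');
}

$history = [];
foreach ([
    '203.0.113.10',        // first login: baseline only
    '203.0.113.77',        // same /24
    '198.51.100.5',        // different /24
    '2001:db8:1::1',       // first IPv6 /64 for this user
    '2001:db8:1::abcd',    // same /64
    '::ffff:203.0.113.9',  // IPv4-mapped, same /24 as the first login
] as $ip) {
    printf("login alice from %-20s %s\n", $ip,
        login_ip_anomaly($history, 'alice', $ip) ? 'login_anomaly' : 'ok');
}
```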
v2026.05.06 May 6, 2026 Feature + Security
  • 🛡 GDPR Compliance Statement Generator: New card on compliance.php. Self-declaration as printable HTML/PDF with live compliance snapshot. Content (12 sections): tool description, legal bases Art. 6, processors (Hetzner + AI providers), third-country transfer Art. 44 (DPF status), TOMs Art. 32 (confidentiality/integrity/availability), data subject rights Art. 12-23, ROPA Art. 30, DPIA Art. 35, retention periods, breach notification Art. 33-34 + NIS2 Art. 23, residual risk, EU AI Act risk classes. Backend api/dsgvo-erklaerung.php with live detection (TOM status, ROPA entry count, crypto files, audit log).
  • Inputs hardened: Controller / DPO / mail pre-fillable via form. Length cap 200 chars, CRLF strip via preg_replace, email format validation with FILTER_VALIDATE_EMAIL. Save mode archives to data/reports/dsgvo_konformitaet_<TS>.html with audit log report.dsgvo_generated. guard_module("compliance.dsgvo_erklaerung") for tier protection.
  • PDF print branded-light: Inherits same print theme as marketing/features reports. WCAG AAA contrast, A4 14mm margins, brand accents in blue/purple, 12-column TOM table with green/amber/red status badges. Abbreviation tooltips (GDPR, TOM, ROPA, DPIA, NIS2, ...) included.
  • Sec-fix CRITICAL (open redirect in login.php): The ?next= parameter was used directly as the redirect target after a successful login. Phishing risk via ?next=https://attacker.com. Fix: whitelist of allowed pages, block scheme-relative URLs (//x.com), CRLF injection and path traversal (..).
  • Sec-fix HIGH (lang param type juggling in api/report-multilang.php): User-controlled $_GET['lang'] was embedded directly in HTML without a whitelist check. Fix: in_array($_GET['lang'], ['en','de'], true) with default 'de'. Prevents header/log injection and type confusion.
  • Sec-fix MED (strtok side effect in api/dsgvo-erklaerung.php): strtok() has global state, so nested/parallel calls can interfere with each other. Replaced with preg_replace('/[\r\n].*/s', '', $v) (stateless).
  • index.php, last update with date + time: Banner now shows 30.04.2026 22:34 instead of the date only. Date from the version string (regex tolerant of suffixes like -sovereign), time from filemtime(data/changelog.json). Auto-updates on every save.
  • index.php, base_path() Windows fix: dirname() returns backslashes on Windows PHP; concatenated with the URL this produced change_password.php?force=1 without a leading slash, which the browser interprets as a hostname. Fix: str_replace('\\', '/', dirname(...)) + empty-string handling.
  • Module manifest: compliance.dsgvo_erklaerung registered as Pro tier with endpoint dsgvo-erklaerung.
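The open-redirect fix above (whitelist, scheme-relative URLs, CRLF, traversal) is shown here as an added example rather than the project's own login.php code; the page list and the test inputs are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own login.php: validate a ?next= value
// against a whitelist of in-app pages before using it as a redirect target.
// The page list below is an assumption for illustration.

const ALLOWED_NEXT_PAGES = [
    'index.php', 'audit.php', 'admin.php', 'grc.php',
    'soc.php', 'compliance.php', 'change_password.php',
];

/**
 * Returns a redirect target guaranteed to stay inside the app. Absolute and
 * scheme-relative URLs, control characters (CRLF header injection), path
 * traversal and pages not on the whitelist all fall back to $fallback.
 */
function safe_next(?string $next, string $fallback = 'index.php'): string
{
    if ($next === null || $next === '' || strlen($next) > 512) {
        return $fallback;
    }
    // Control characters and backslashes (browsers treat "\" as "/") are
    // never legitimate in an in-app target.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $next) === 1) {
        return $fallback;
    }
    // Absolute ("https://evil"), scheme-relative ("//evil") and
    // "host:port"-looking values all start with "/" or "<token>:".
    if ($next[0] === '/' || preg_match('#^[a-z][a-z0-9+.-]*:#i', $next) === 1) {
        return $fallback;
    }
    // Split path from query/fragment without strtok() (global state).
    $cut  = strcspn($next, '?#');
    $path = substr($next, 0, $cut);
    $tail = substr($next, $cut);
    // Traversal or sub-paths, even percent-encoded, are rejected outright.
    $decoded = rawurldecode($path);
    if (str_contains($decoded, '..') || str_contains($decoded, '/')) {
        return $fallback;
    }
    // Only an exact whitelist match survives; the query string is kept so a
    // target like change_password.php?force=1 keeps working.
    if (!in_array($path, ALLOWED_NEXT_PAGES, true)) {
        return $fallback;
    }
    return $path . $tail;
}

// --- constructed inputs: accepted vs. rejected values ----------------------
$cases = [
    'audit.php'                    => 'audit.php',
    'change_password.php?force=1'  => 'change_password.php?force=1',
    'https://attacker.example/'    => 'index.php',
    '//attacker.example/x'         => 'index.php',
    'attacker.example:80/x'        => 'index.php',
    "audit.php\r\nSet-Cookie: a=b" => 'index.php',
    '../includes/secrets.json'     => 'index.php',
    'admin.php%2F..%2Fx'           => 'index.php',
    'nonexistent.php'              => 'index.php',
];
foreach ($cases as $input => $expected) {
    $got = safe_next($input);
    printf("%-36s -> %-30s %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $got, $got === $expected ? 'OK' : 'MISMATCH');
}
```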
v2026.04.30-sovereign April 30, 2026 🔒 Sovereign Edition
  • 🚀 NEW: MSC5Labs Sovereign Edition, the only audit platform with GDPR-Art-44-compliant AI. Fully air-gap capable, local LLMs (Llama 3.1, Qwen 2.5, Mistral via Ollama), local voice dictation (whisper.cpp), embeddings via SBERT: zero cloud roundtrip, no client data sent to OpenAI/Anthropic/Google.
  • ✓ GDPR Art. 44 compliant: no third-country data transfer. Client data never leaves the audit host.
  • ✓ EU AI Act compliant: self-declaration tracker for AI modules. CE conformity declaration exportable as PDF. Risk classification (unacceptable/high/limited/minimal) per module.
  • ✓ VS-NfD eligible: processing of classified material (Restricted) without cloud risk. BSI TR-03102/03116 compliant.
  • ✓ 0 cloud roundtrip: all AI inference, embeddings, voice dictation on the audit workstation. Outbound block for classified environments optionally enabled.
  • Pricing: Subscription single 699 €/mo · Team (5 users) 1,890 €/mo · Enterprise 8,500–14,000 €/mo · Perpetual Enterprise 89,900 € · KOBRA VS Live USB 9,900 € · Source code license 350-650 k€.
  • Target audiences: BSI/IT-Grundschutz auditors (authorities, BWI, KRITIS), Big-4 compliance practices (KPMG/PwC/EY/Deloitte), forensics/pen-test firms (HiSolutions/secunet), GDPR consultancies without third-country transfer.
  • Valuation effect: Sovereign Edition raises tool valuation by +30–50 % to €1.0–1.6 M asset / €4–7 M premium (BAAINBw listing capable).
  • Hardware: from 8 GB RAM (qwen2.5:7b-q4_K_M), GPU optional. With RTX 3060+ → 3-5× faster inference.
v2026.04.30 April 30, 2026 Security
  • Master-key (app_enc_key) rotated: Old 256-bit AES-256-GCM master key was briefly exposed via git push (legacy-bak file). New key generated, 3 API keys (api_key, openai_key, perplexity_key) decrypted + re-encrypted with new key. Old key + old ENC values now useless.
  • RSA-2048 license keypair rotated: New keypair for license signing. Old privkey (also leaked) dead. Public key in includes/license-pubkey.pem, private key in data/license-privkey.pem (chmod 0600).
  • Legacy config.json removed from webroot: Old plaintext config + master key sat in the webroot; file deleted local + remote (FTPS-DELE). Active config in data/config.json (HTTP-blocked via data/.htaccess).
  • Git history cleaned: Commit containing data/config.json.legacy-bak orphaned via git commit --amend + git push --force-with-lease. .gitignore extended with *.legacy-bak, secrets.json, .master.key, license-privkey.pem.
  • Trial anti-bypass: data/.trial_started was file-deletable (trial reset trivial). Trial start now lives in data/secrets.json with HMAC-SHA256 signature (tampering detection). Legacy file migrated once.
  • 2FA email routing: User email takes precedence β€” 2FA code goes ONLY to user's email, not in parallel to global admin addresses. Email mandatory when creating new user while 2FA is globally active (backend + UI hint *). toggle_2fa enable=true blocks users without email.
  • API key security card bug: load_config() decrypts transparently → admin.php saw plaintext → wrongly reported "Klartext". Inverted logic. Fix: check against RAW data/config.json instead of the decrypted $cfg.
  • 2FA self-heal: app_enc_key rotation made old TOTP secrets undecryptable → users stuck on "No TOTP enrolled" error. twofa_totp_secret() now self-heals: on decrypt failure, totp_secret_enc + totp_enabled are cleared, the Authenticator tab disappears, the user logs in via email and re-enrolls TOTP under settings. twofa_available_methods() actively probes decrypt for clean tab display. 2fa.php shows setup banner + button → twofa_setup.php on TOTP error.
  • License upload hardening: api/license.php?action=upload now has 50 KB size limit (DoS), payload JSON schema check (edition/modules/expires required), signature verify BEFORE save (bad sig rejected instead of stored), clear error responses with HTTP 400/413.
  • Community/Pro/Enterprise/BW build scripts: Distribution ZIPs via python build_all_editions.py. Output at dist/MSC5Labs-<Edition>-YYYY-MM-DD.zip. Community 4.8 MB, Pro 5.0 MB, Enterprise 5.0 MB, Sector-BW 899 MB (Vorschriften add-on).
  • Module folder refactor phase 2 (plugin architecture): 81 modules now have modules/<id>/manifest.json with id, name, page, tier, endpoints[], description, version. New includes/module-loader.php auto-discovers manifests at runtime + caches in-memory. module-registry.php now uses manifests as primary source, hardcoded list as fallback. Drop-in: new folder modules/<new>/ + manifest → auto-registered.
  • Build system refactor: 4 old per-edition build scripts replaced by _build_helper.py with manifest-driven tier filter. Single source of truth: manifest declares tier → build script auto-picks matching endpoints + modules.
  • Senior security audit + 18 findings fixed: Full audit (4 CRIT, 8 HIGH, 10 MED, 5 LOW) completed. Fixes: open-redirect whitelist (2fa.php + api/sso.php), mass-assignment blocker (api/users.php: only superadmin can create superadmins), license-unsigned-bypass reject (no silent dev-mode), session fixation (session_regenerate_id(true) after direct login), SSRF block in api/webhook-test.php (DNS resolve + RFC1918 + cloud metadata blocked), persistent TOTP lockout (5 fails → 15 min, resistant to session-clear), plain password removed from user-mail (reset flow), upload hardening (MIME magic bytes + UUID filename + PHP-tag block), encrypt_value() silent fallback removed (throws exception instead of plaintext), REQUEST_URI sanitize in require_login(), admin-self-add audit log in sessions.
  • JSON schema validator helper: New includes/json-input.php with schema-driven whitelist validator. Format: ['field' => 'string:1..32', 'role' => '?enum:user,admin']. Type casts (string/int/bool/array/email/url/enum/regex), length ranges, optional fields via ?-prefix. Auto-400 response on invalid with JSON details.
  • Full website audit (8 dimensions): Code review, QA, functional testing, content/i18n audit, link check, dependency audit, performance audit, security audit, UX/UI review run in parallel. Result: overall score 7.9/10 (crypto 9.5, dependencies 10/10 (0 CDN, GDPR-clean), security 9.0, i18n 9.5, functional 8.0, code 7.0, performance 6.5, a11y 4.0). 0 missing i18n keys, 0 typos in 1500+1907 keys. Master report at AUDIT_REPORT_2026-04-30.md.
  • PHPUnit test baseline: New tests under tests/: CryptoTest (8 cases: AES-GCM round-trip, wrong-key, unicode, non-determinism), JsonInputTest (9 cases: schema whitelist, type-cast, enum, optional, regex), LicenseTest (6 cases: module registry, tier filter, edition resolution, manifest discovery). Config: phpunit.xml with testdox + random execution order. Run: phpunit tests/.
  • Bug-Report widget: Users can now report bugs/feature requests/UI issues directly inside the tool. Header button "🐛 Bug melden" on admin/grc/soc/compliance/audit/index. Modal with title, category (bug/UI/feature/performance/other), description, screenshot upload (Ctrl+V paste or file picker, max 2 MB). Auto-context: page URL, user-agent, viewport. Backend api/bug-report.php stores in data/bug_reports.json + screenshots in uploads/bug-reports/. Custom dropdown because native <select> is unstylable in the dark theme. Standalone static/bug-report.js loaded idempotently.
  • Bug-Reports admin card: New card on admin.php for bug management. Stats header (total/new/in-progress/resolved/closed count), 5 filter chips, per-report status dropdown + delete button + screenshot thumbnail (200×120). Status workflow: new → in_progress → resolved → closed. Backend actions list/update/delete/view_screenshot, all admin-only. Audit log bug_report.create / update / delete. Module manifest admin.bug_reports (community tier).
  • Marktanalyse + features report live-recompute: All metrics recomputed from the current code state on every generate, no cache. Live: API endpoints (glob), modules (manifest count), pages, PHP LOC, JS LOC (data bundles like prueffragen_*_data.js excluded), i18n DE/EN keys, modules per tier. Replacement cost = LOC ÷ 8 LOC/h × 1.30 overhead × {90,160} €/h. Conservative valuation multipliers: 1.4× (asset sale), 3.5× (realistic SaaS), 5.5× (BAAINBw premium). Snapshot file per generate at data/reports/marktanalyse_<TS>.html.
  • Security posture section in reports: Marktanalyse §11 + features §0a show live audit status. Score 9.0/10 (after 18 fixed findings) → +20 % valuation premium on replacement cost. 12-row status table: crypto, auth, authZ, validation, SSRF, upload, secrets, git hygiene, audit log, trial anti-bypass, license, browser headers, dependencies. Live health indicators: data/.htaccess deny, gitignore protection, crypto files, audit log existence. Audit-ready apps demonstrably fetch a 10–20 % premium in the M&A market (Carta SaaS reports).
  • Abbreviation tooltips in reports: New includes/abbr-glossary.php with ~110 abbreviations (MRR, ARR, BCM, RTO, RPO, ROPA, TISAX, DORA, SOAR, IOC, STIX, MITRE ATT&CK, 2FA, TOTP, AES, RSA, HMAC, BAAINBw, BWI, KRITIS, ...). Auto-wrap via text-node walker with word-boundary detection. Hover shows the explanation; in print, abbreviations are automatically expanded with "(explanation)" (PDF-friendly).
  • PDF print branded-light theme: Marktanalyse + features now print as light, brand-true PDFs. @page A4 14mm margins, print-color-adjust:exact forces color print, headings in brand-blue/purple/cyan, tables with brand-gradient headers on white, KPI cards with blue left-border, status boxes context-colored (mint for recommend, cream for warn). WCAG AAA contrast (text on white), full readability even without "background graphics" enabled.
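The JSON schema validator entry above gives only the schema notation. As an added example (not the project's includes/json-input.php), the following implements that notation, drops fields not in the schema (the mass-assignment case from the audit findings), and shows the auto-400 gate; the return shape, error texts and sample inputs are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not the project's includes/json-input.php: a whitelist
// validator for the schema notation 'type:range', '?' prefix = optional,
// 'enum:a,b', 'regex:/pattern/'. Return shape and error texts are assumed.

/** Parses "min..max" into [min, max]; a missing bound is unbounded. */
function parse_range(?string $arg): array
{
    [$lo, $hi] = array_pad(explode('..', (string) $arg, 2), 2, '');
    return [$lo === '' ? PHP_INT_MIN : (int) $lo, $hi === '' ? PHP_INT_MAX : (int) $hi];
}

/**
 * Validates $input against $schema. Fields absent from the schema are dropped
 * (mass-assignment protection). Returns ['ok' => true, 'data' => ...] or
 * ['ok' => false, 'errors' => [field => message]].
 */
function validate_input(array $schema, array $input): array
{
    $clean = $errors = [];
    foreach ($schema as $field => $spec) {
        $optional = str_starts_with($spec, '?');
        [$type, $arg] = array_pad(explode(':', ltrim($spec, '?'), 2), 2, null);
        if (!array_key_exists($field, $input)) {
            if (!$optional) $errors[$field] = 'required';
            continue;
        }
        $v = $input[$field];
        $err = null;
        switch ($type) {
            case 'string':
                [$min, $max] = parse_range($arg);
                if (!is_string($v)) $err = 'must be a string';
                elseif (mb_strlen($v) < $min || mb_strlen($v) > $max) $err = "length must be $arg";
                break;
            case 'int':
                if (!is_int($v) && !(is_string($v) && preg_match('/^-?\d+$/', $v) === 1)) {
                    $err = 'must be an integer'; break;
                }
                $v = (int) $v;  // type cast: "250" becomes 250
                [$min, $max] = parse_range($arg);
                if ($v < $min || $v > $max) $err = "must be within $arg";
                break;
            case 'bool':
                if (!is_bool($v)) $err = 'must be a boolean';
                break;
            case 'array':
                if (!is_array($v)) $err = 'must be an array';
                break;
            case 'email':
                if (!is_string($v) || filter_var($v, FILTER_VALIDATE_EMAIL) === false) $err = 'invalid email';
                break;
            case 'url':
                if (!is_string($v) || filter_var($v, FILTER_VALIDATE_URL) === false) $err = 'invalid url';
                break;
            case 'enum':
                if (!is_string($v) || !in_array($v, explode(',', (string) $arg), true)) $err = "must be one of $arg";
                break;
            case 'regex':
                if (!is_string($v) || preg_match((string) $arg, $v) !== 1) $err = 'does not match pattern';
                break;
            default:
                throw new InvalidArgumentException("unknown type '$type' in schema for '$field'");
        }
        if ($err !== null) $errors[$field] = $err; else $clean[$field] = $v;
    }
    return $errors === [] ? ['ok' => true, 'data' => $clean] : ['ok' => false, 'errors' => $errors];
}

/** API gate: returns the whitelisted data or answers 400 with JSON details. */
function require_valid_input(array $schema, array $input): array
{
    $r = validate_input($schema, $input);
    if (!$r['ok']) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'invalid_input', 'details' => $r['errors']]);
        exit;
    }
    return $r['data'];
}

// --- constructed demo ------------------------------------------------------
$schema = ['username' => 'string:1..32', 'role' => '?enum:user,admin',
           'email' => 'email', 'quota' => '?int:0..1000'];
// Unknown field is_superadmin must be discarded; quota arrives as a string.
$good = ['username' => 'alice', 'email' => 'alice@example.org', 'quota' => '250', 'is_superadmin' => true];
$bad  = ['username' => str_repeat('x', 40), 'role' => 'superadmin', 'email' => 'nope'];
echo json_encode(validate_input($schema, $good)), "\n";
echo json_encode(validate_input($schema, $bad)), "\n";
```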
v2026.04.29 April 29, 2026 Hardening & Feature
  • Security headers set: .htaccess now delivers Strict-Transport-Security (1 year + includeSubDomains), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (geo/mic/cam/payment/USB blocked) and Cross-Origin-Opener-Policy: same-origin.
  • Session cookie hardened: includes/auth.php sets the Secure flag automatically as soon as HTTPS is active; HttpOnly + SameSite=Lax were already active.
  • Brute-force lockout repaired: login.php now ignores the spoofable X-Forwarded-For header and uses only REMOTE_ADDR. In addition, attempts are counted per username, not only per IP, so credential stuffing across changing IPs also runs into the lockout.
  • Service worker completely reworked: sw.js uses versioned cache keys (v2-2026-04-29), fault-tolerant precache (a single 404 no longer breaks the install), network-first for PHP pages, stale-while-revalidate for static assets. Auth routes (login, logout, 2fa, twofa_setup, change_password, forgot_password) are never cached. Redirected responses are ignored.
  • HTTP caching for static assets: mod_expires block in .htaccess serves PNG/JPG/SVG/Woff2 with 30 days, CSS/JS with 30 days, manifest with 1 day. sw.js is explicitly no-cache so updates take effect immediately. Most noticeable at login: the 288 KB logo is loaded once per 30 days instead of every time.
  • Cleanup: Stub and test files removed from the webroot: phptest.php, test.html, check.php (the latter leaked the user count without auth), plus stray Python leftovers app.py, wsgi.py, requirements.txt.
  • User presence tracking on admin.php: New "Activity" column in the user table with online/offline pill (green with glow / grey) and last login as relative time. Online = last heartbeat ≤ 5 min. Heartbeat per page navigation in data/user_presence.json (throttled to 30 s). Live refresh via JS poller every 30 s against api/presence.php, no page reload needed.
  • New files: includes/presence.php (tracker helper), api/presence.php (admin-only JSON endpoint). Login success paths in login.php + includes/auth.php call presence_record_login(): all 4 paths (2FA skipped, legacy, email 2FA verify, TOTP/backup complete).
v2026.04.28 April 28, 2026 Feature
  • Download buttons disabled: MSC5 USB + MSC5 Macher Edition on index.php now shown as "Buy now" disabled: no more free ZIP downloads for Gold/Offline editions.
  • Card hover-tooltip removed: Mouse-over tooltip on index.php cards disabled per user request.
v2026.04.27 April 27, 2026 Major Release
  • License System Phase 1+2+3, modular plugin architecture: Tier-based module activation via signed license files (RSA-2048 SHA-256). Editions: community / pro / enterprise / sector_bw. 14-day trial fallback (file-based data/.trial_started). Offline verify, no phone-home.
  • License core (3 new includes): includes/license.php (msc5_license_load, has_module, require_module, license_status, license_summary, wildcard support * and prefix.*) · includes/module-registry.php (~80 modules with id/name/page/tier/endpoints, msc5_modules_for_edition) · includes/guard-helper.php (server-side guard_module("id") → 402 module_not_licensed if license missing).
  • 73 API endpoints auto-injected: Python script inject_guards.py inserted guard_module() calls into all module endpoints (e.g. risk-register.php → grc.risk_register, mdm.php → soc.mdm, compliance-tisax.php → compliance.frameworks, integration-jira.php → integrations.jira).
  • Admin License Card UI: Sidebar entry "🔑 License & Modules" on admin.php. 6-KPI status grid (Status/Edition/Customer/Expires/Modules/Signature). Module list grouped by tier (collapsible). Drag&drop upload area for license JSON. Buttons: Generate (self-signed), Keypair init, Export, Clear → trial reset.
  • License API: api/license.php with actions status / registry / keypair_init / generate / upload / export / clear. RSA keypair generation via openssl_pkey_new. Public key in includes/license-pubkey.pem, private key in data/license-privkey.pem (chmod 0600).
  • Zero-Day Tracker: New card on soc.php with api/zero-day.php. Auto-feed via CISA-KEV (Known-Exploited-Vulnerabilities) + NVD API. Fields: CVE/CVSS/CWE/Vendor/Product/Affected-Versions/Attack-Vector/Exploit-Public/Patch-Available/Mitigations/Risk-Score. Severity filter.
  • Import-to-Audit (Incident + Zero-Day → Checklist): api/import-to-audit.php with actions sessions / import_zero_day / import_incident. Generates audit row with kuerzel, modul (BSI default OPS.1.1.5 for 0-day, DER.2.1 for incident), prueffrage, feststellung (CVE/CVSS/severity/vendor/patch status), bewertung, empfehlung, NIS2 hint for reportable incidents. Dedup check via imported_from. Auto-redirect to audit.php after import.
  • login.php landscape: 2-column grid (branding left / form right) with responsive breakpoints. Now works on landscape mobile + desktop without scrolling.
  • audit.php fix: "MSC5 Macher Edition" text removed (was hardcoded in header).
  • Auto-backup rule: Trigger phrases "bis morgen" / "Feierabend" / "speichere den stand" registered in ~/.claude/CLAUDE.md: Claude Code auto-commits + pushes uncommitted changes to github.com/RDanton21/MSC5Labs. Protection via .gitignore (config.json, API keys, license privkey).
v2026.04.26 April 26, 2026 Major Release
  • Architecture refactor, tool split into 4 areas: admin.php (User · Security · Ops · Integrations), new grc.php (Governance · Risk · Compliance), new soc.php (Security Operations · Detection · Response · Hunting), new compliance.php (Frameworks · Gap Analysis · Audit Tools · Reports). Sticky tab navigation at the top (Admin/GRC/SOC/Compliance) with backdrop-blur, fixed at top:60px with z-index 11. Shared page shell via includes/page-shell-head.php, includes/page-shell-foot.php, includes/page-nav.php.
  • 84 new P-features rolled out in 9 waves, distributed across 4 sub-pages:
  • Wave 8, Advanced Detection (5): AI Anomaly Detection (5 patterns: Burst, Login-Fail, Off-Hours, Mass-Delete, Role-Changes), Webhook Test Tool, Cron Manager (token + copyable crontab lines), Findings-Diff (session comparison added/removed/changed), SIEM Audit Correlation (Wazuh → BSI/ISO/NIS2 mapping).
  • Wave 9, Risk & Operations (5): Risk Heatmap (5×5 SVG, score-based colors), CVE Watchlist (CISA-KEV match + STIX 2.1 export), ROPA Art. 30 GDPR (HTML/CSV export), Asset Inventory (CMDB-Lite with criticality/protection level), Compliance Dashboard (Risk Grade + 10 KPIs consolidated).
  • Wave 10, GRC Core (5): Incident Response (NIS2 Art. 23 with 24h/72h deadlines + HTML report), Vendor Catalog (contract tracking + 90d renewal alerts + DPA/SOC2/ISO27k flags), Awareness Training Tracking (6 trainings × user matrix with 1-year validity), Vuln Scan Import (Nessus/OpenVAS XML, dedup per Host+CVE+Port), KPIs.
  • Wave 11, Continuity & Compliance (5): BCM/BIA (business process tracking with RTO/RPO/MTPD), Pentest Schedule (5 methodologies PTES/OSSTMM/NIST/BSI/OWASP), Access Review (SoX/ISO A.9.2.5 with quarterly/annual cycles), Crypto Key Inventory (lifecycle, weak detection AES<256/RSA<2048, rotation overdue), Audit Trail Archive (long-term with SHA-256 hash chain + verify).
  • Wave 12, Risk Register & Trends (5): Risk Register (Inherent + Residual Score, treatment accept/mitigate/transfer/avoid), KPI Trends (daily snapshots, 11 KPIs with SVG sparklines, 30/90/180/365d), Change Management (ITIL RFC workflow with 4-eyes approval), Document Library (versioned policies/SOPs, SHA-256 integrity, review cycles, user acks), On-/Offboarding checklists (13 + 12 tasks role-assigned).
  • Wave 13, Threat Engineering (5): Threat Modeling STRIDE (Spoofing/Tampering/Repudiation/Info-Disclosure/DoS/Elevation, Risk Score 1-25), Data Classification (4 protection levels + C/I/A 1-5, PII/Art.9 flags), Capacity Forecast (12-month growth forecast, threshold Warn/Crit, SVG sparklines), Knowledge Base (Markdown articles, 6 categories, full-text search), MDM Compliance (auto-check Encryption/MFA/AV/FW/MDM/Patches/Stale).
  • Wave 14, Detection Stack (5): SOAR Playbooks (4 ready-made: Phishing/Ransomware/Account/Data Breach), Threat Hunting Queries (SPL/KQL/Sigma + MITRE ATT&CK), IOC Manager (10 types, TLP classification, STIX-2.1 export), Alert Tuning (false-positive suppression with top-noisy detection), Forensic Timeline (consolidated from audit log + Wazuh + incidents).
  • Wave 15, Compliance Frameworks (5): TISAX 6.0 / VDA-ISA (31 controls, auto-coverage against findings), DORA EU 2022/2554 (5 pillars, maturity 0-5), CRA EU 2024/2847 (6 annexes, conformity status), PCI-DSS v4.0 (12 requirements, 40+ controls), CSA Cloud Controls Matrix v4 (17 domains).
  • Wave 16, Reports & UX (5): Executive Security Report (stakeholder PDF, Risk Grade + KPIs + Top-5 risks), Auditor View Magic Link (time-limited, read-only, no login required), Multi-Lang Audit Report (DE/EN per session), Dashboard Builder (custom widgets), Mobile Tweaks.
  • Wave 17, Integrations (5): Jira (REST API v3, issue create), Slack Bot (slash commands /msc5 status|risks|incidents with HMAC signature verify), LDAP/AD (bind test + user sync), SIEM Push (Splunk HEC / Elastic Bulk / Sumo / Generic), Zapier/n8n webhooks (outbound trigger per event).
  • Risk Heatmap fix: Colors now score-based (L × I): green <5, amber 5-9, orange 10-14, red ≥15. Score indicator per cell, title no longer cut off, iframe 610px.
  • admin.php cleanup (Phase 3+4): 6351 → 3375 lines (−47%). 41 migrated card HTML blocks (~860 lines) and ~100 JS handler functions (~2050 lines) removed. Sidebar reduced from 60+ to 12 entries. JS init calls reduced from ~35 to 1 per page.
  • Header rebrand: admin.php brand now "Admin Control Panel" (instead of "User Management"), index.php admin button now "ACP". Page H1 "Admin Control Panel" with subtitle "User · Security · Operations · Integrations".
  • JS externalized: static/soc.js (~25 KB), static/grc.js (~30 KB), static/compliance.js (~26 KB): no more inline scripts in the 3 new pages.
  • New API endpoints (40): anomaly-detect, webhook-test, backup-cron, cron-list, findings-diff, siem-correlate, risk-heatmap, cve-watchlist, dsgvo-ropa, asset-inventory, incident, vendor-catalog, awareness-training, vuln-scan-import, compliance-dashboard, bcm, pentest-schedule, access-review, crypto-keys, audit-archive, risk-register, metrics, change-mgmt, doc-library, onboarding, threat-model, data-classification, capacity, knowledge-base, mdm, soar-playbooks, threat-hunting, ioc-manager, alert-tuning, forensic-timeline, compliance-tisax/dora/cra/pci/ccm, report-executive, auditor-view, report-multilang, dashboard-builder, integration-jira/slack/ldap/siem/zapier.
  • Performance: First load time of admin.php reduced from ~5 s to ~0.6 s. Sub-pages load only their own card set + JS, no cross-domain overhead.
  • Tech stack total: Tool now has 4 thematic pages, 84 P-features, ~150 PHP API endpoints, ~80 KB shared JS, fully ITIL/NIS2/GDPR/ISO27k/PCI/TISAX/DORA/CRA-aware.
  • UX polish: Tab-nav tooltips (Admin/GRC/SOC/Compliance explained) · card flash on sidebar click (2× pulse, 1.1s) · center-scroll logic (cards centered in viewport below the sticky stack) · native browser tooltips via title attribute.
  • Sticky stack architecture: Header (fixed top:0, z:50) + tab-nav (sticky top:60, z:40) + page-header (sticky top:125, z:30) + sidebar (sticky top:215). On scroll, the entire top area (logo+user → tabs → page title) stays fixed across all 4 pages. body{padding-top:60px} compensates for the fixed header.
  • Reports card extended: 🗑 delete button per file (with confirm dialog) · 3 bulk delete buttons (Marktanalyse / Features / All) · 📄 PDF export button per row (opens report + auto-print → user picks "Save as PDF"). Backend api/reports-list.php with action=delete&name=... and action=delete_all&type=.... Audit log events report.delete + report.delete_all.
  • AI cost smart format: Backend delivers 6-decimal precision (instead of 2). Frontend formats dynamically: sub-cent 4-6 decimals, normal 2. Tooltip shows the exact 8-decimal value. 885 tokens × OpenAI mix rate $4.75/M = $0.0042 now visible (was rounded to $0.00).
  • Bug fixes: Phase-4 cleanup left an orphan } on line 2371 → ALL admin.php buttons broken (user create, Wazuh, GitHub, cron, integrations) → fixed. body::before z-index:-1 explicit (was unset → fixed header invisible). Tab-nav width:100% box-sizing:border-box (sticky layout shrink). Position sticky on .header → position fixed (more reliable).
  • Header rebrand: admin.php brand title hardcoded "Admin Control Panel" (instead of i18n lookup), subtitle "User · Security · Operations · Integrations". index.php admin button + audit.php header button both renamed to "ACP".
  • Incremental FTPS sync: Python script ftps_mirror_inc.py with MLSD mtime compare + size check + skip logic. First mirror 1.9 GB / 2353 files. Later syncs only diff (typically < 1 MB).
  • Market analysis 2026 extended: 8 open-source sale models (open-core, outright, acqui-hire, asset sale, re-license, white-label, donation, VC spin-off) with value ranges. Pricing recommendation increased (Team SaaS 449€/mo, Team Perpetual 14,900€). Asset value 569k–1,072k€, SaaS valuation 12 mo 4.5 M€, outright 600k–1.5 M€. Competitive matrix extended with OneTrust + ServiceNow GRC.
  • Freelancer effort estimate: ~9,500 h realistic · senior 130€/h → 1.24 M€ · agency 11,000 h × 140€/h → 1.54 M€ · government surcharge → 1.8–2.3 M€.
v2026.04.25 April 25, 2026 Feature
  • i18n DE/EN fully deployed: Language switching now on wazuh-agent.php, changelog.php, training_lab.php, admin.php, wazuh.php, and audit.php (Header, Toolbar, Prompt Generator, Audit Row Template, Modals, Settings, Notes). ~1100 new translation keys (wa.*, cl.*, tl.*, ad.*, wz.*, au.*, ar.*, nt.*, ch.*, ms.*, sup.*) in lang/de.json + lang/en.json.
  • AI endpoints language-aware: analyze, reformulate, reformulate-feststellung, summarize, humanize detect active language and respond in DE or EN.
  • English review question catalogs (382 KB, 1907 Strings): Part 1A/1B/2/3 BSI/4 ISO translated in 202 OpenAI batches via newly built CLI tool tools/translate_catalogs.php. Language-aware loader accesses via file_exists() with DE fallback.
  • Language switcher with real inline SVG flags (DE Tricolor + UK Union Jack) instead of emoji text.
  • Multi-user team chat live: Floating panel with markdown-light, @-mentions + autocomplete, reply-quote-jump, 8 preset reactions, edit/delete, typing indicator, server-side search, unread counter, file attach (10 MB, image preview), system messages. 8 new actions in api/session.php + api/chat-attach.php/chat-attach-file.php; piggyback on existing 2.5 s state polling.
  • Footer support form (index.php): Modal with name/email/category/subject/message → api/support-mail.php → Email to support@msc5.de with reply-to, audit block, rate limit 1/min.
  • Multi-user banner visible: Header now boldly displays 'MULTI-USER SESSION' / 'MULTI-USER SESSION' + host/participant tooltips i18n.
  • Fixes: Reformulate/Analyze (3 bugs: provider fallback, PHP-8 TypeError with trim(array), response schema mismatch data.text vs data.result vs data[0]) → all endpoints now use enforce_ai_guard() + run_prompt_text(). Header buttons in audit.php standardized to height (32 px). Reviewer abbreviation now resolved from config.json users[] in audit.php, no longer just from session — fixes erroneous 'abbreviation required' alert.
v2026.04.24 April 24, 2026 Feature
  • New — Multilingualism DE/EN (i18n system): Complete translation framework on all core pages. German remains default, English switchable via switcher or ?lang=en. Language selection persists via session + 1-year cookie (msc5_lang, SameSite=Lax, Secure on HTTPS). Detection order: GET parameter → session → cookie → Accept-Language header → DE fallback.
  • New — Central i18n infrastructure (includes/i18n.php): JSON-based translation dictionaries (lang/de.json, lang/en.json) with dot notation keys (e.g., card.btn.start_now, ft.field_feststellung). Helper functions: t($key) (raw), te($key) (HTML-escaped), t($key, null, [':name' => 'val']) (parameter substitution), i18n_current_lang(), i18n_switcher_html(), i18n_switcher_css().
  • New — Language switcher in header on all main pages: Compact DE/EN toggle top right next to user badge on index.php, admin.php, audit.php, wazuh.php, training_lab.php, changelog.php, wazuh-agent.php. Active language highlighted, a click switches and reloads the page with persisted choice.
  • Changed — Authentication pages fully translated: login.php, 2fa.php, forgot_password.php, change_password.php, twofa_setup.php — all labels, placeholders, buttons, error messages, hint texts, and JS alerts via i18n keys. TOTP setup JS strings embedded into const I18N = {...} object via json_encode() pattern.
  • Changed — index.php deeply translated: Intro title + description, version bar, flash message, all card subtitles (Web/Windows/MacOS/maker/USB/iOS/Vulnerabilities/Pentest/Training Lab/Wazuh/Regulation Upload), all action buttons (Start now, Multi-user, Download .zip, Buy now, Offline/Online, Start offline/online, Start lab, Open dashboard, Configure), multi-user modal (title, labels, placeholders, Cancel/Start + JS errors via MU_I18N object), tools divider, free text card + complete free text modal (style profile dropdown, department/inspection number/auditor/team leader/project/finding/rating/follow-up/summary, all toolbar tooltips, status filter, export/save buttons), page footer.
  • New — English translations: ~250 translation keys in lang/en.json — equivalents of all the German strings from the referenced pages. Placeholders like :price remain (e.g., card.paid_from = "🔒 Paid · from :price € / month").
  • Technical — New files: includes/i18n.php (translator + language detection + switcher helpers), lang/de.json (German translations), lang/en.json (English translations).
  • Technical — Changed files: login.php, 2fa.php, forgot_password.php, change_password.php, twofa_setup.php (complete translation including JS), index.php (header + deep content translation), admin.php, audit.php, wazuh.php, training_lab.php, changelog.php, wazuh-agent.php (switcher + header + page title — deep content translation to follow).
  • Pending — Still outstanding for upcoming version: Deep content translation of admin.php (user table, settings cards, AI usage), audit.php (sidebar, modules, parts 1a/1b/2/…, notes modal, prompt generator), wazuh.php (dashboard cards, alerts, kill chain), training_lab.php (tabs, target cards), changelog.php (currently entirely DE), wazuh-agent.php, schwachstellenanalyse.php, pentest.php.
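The detection order and cookie settings from the v2026.04.24 entries above, written out as an added example. This is not the project's includes/i18n.php; the function names (normalize_lang, lang_from_accept_header, detect_lang, persist_lang_cookie), the explicit-argument style and the HttpOnly flag are assumptions. The point it makes that the entry only implies: every candidate from the request (GET value, session value, cookie, Accept-Language) is checked against the supported list before it is used to select a dictionary file, so an unexpected value falls through to the next source instead of reaching the loader.

```php
<?php
// Added example, not MSC5 Labs code. Language detection in the order
// GET parameter -> session -> cookie -> Accept-Language -> DE fallback,
// with every candidate validated against a whitelist first.
declare(strict_types=1);

const SUPPORTED_LANGS = ['de', 'en'];
const DEFAULT_LANG    = 'de';
const LANG_COOKIE     = 'msc5_lang';   // cookie name from the changelog

/** Accept only a whitelisted language code; anything else counts as absent. */
function normalize_lang(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $lang = strtolower(substr(trim($raw), 0, 2));   // "en-US" -> "en"
    return in_array($lang, SUPPORTED_LANGS, true) ? $lang : null;
}

/** Parse Accept-Language and return the best-weighted supported language, or null. */
function lang_from_accept_header(string $header): ?string
{
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $pieces = explode(';', trim($part));
        $q = 1.0;
        if (isset($pieces[1]) && preg_match('/^\s*q=([0-9.]+)/', $pieces[1], $m)) {
            $q = (float) $m[1];
        }
        $lang = normalize_lang($pieces[0]);
        if ($lang !== null && $q > 0) {
            $candidates[$lang] = max($candidates[$lang] ?? 0.0, $q);
        }
    }
    if ($candidates === []) {
        return null;
    }
    arsort($candidates);
    return array_key_first($candidates);
}

/**
 * Resolve the active language. Request arrays are passed in explicitly
 * (assumption) so the function can be exercised without superglobals.
 */
function detect_lang(array $get, array &$session, array $cookie, array $server): string
{
    $lang = normalize_lang($get['lang'] ?? null)
        ?? normalize_lang($session['lang'] ?? null)
        ?? normalize_lang($cookie[LANG_COOKIE] ?? null)
        ?? lang_from_accept_header($server['HTTP_ACCEPT_LANGUAGE'] ?? '')
        ?? DEFAULT_LANG;
    $session['lang'] = $lang;       // persist in session for the next request
    return $lang;
}

/** 1-year cookie, SameSite=Lax, Secure only when served over HTTPS (as in the changelog). */
function persist_lang_cookie(string $lang, bool $https): void
{
    setcookie(LANG_COOKIE, $lang, [
        'expires'  => time() + 365 * 24 * 3600,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,          // added here; drop if client-side JS must read it
        'samesite' => 'Lax',
    ]);
}

// Usage: a request with ?lang=en wins over session, cookie and browser preference.
$_SESSION = $_SESSION ?? [];
$active = detect_lang($_GET, $_SESSION, $_COOKIE, $_SERVER);
persist_lang_cookie($active, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

An Accept-Language of "fr-FR,de;q=0.8,en;q=0.7" resolves to "de" here, and a cookie value such as "../../x" is simply ignored because it never passes normalize_lang.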
v2026.04.23 April 23, 2026 Major Release
  • New — Multi-user session (Live Collaboration in audit.php): Complete polling-based collab layer. Host creates session, adds participants via examiner shortcuts, system generates unique session ID (?sid=…). All participants work simultaneously on the audit: Field locks (8s TTL + 4s heartbeat) prevent overwrites, optimistic concurrency via expectedRev counter catches collisions (HTTP 409 + Remote-Apply), presence bar at the top shows host (★ blue) + participants (grey if inactive >20s). Host-only guards for rows.add/remove/reorder + meta.prueffragen/vorschriften. Foreign lock visible in DOM as magenta outline + 🔒 KÜRZEL badge.
  • New — Session sync backend api/session.php: Flock-protected JSON state files per session under /sessions/<sid>.json with atomic tmp→rename write. Actions: create / join / state / patch / lock / unlock / heartbeat / leave. State schema: {sid, host, participants, rev, doc:{rows,meta}, locks, presence, log}. Automatic directory setup + .htaccess Require all denied. Client polling every 2.5s, autosave hook pushes doc.rows with expectedRev. beforeunload sends leave-beacon.
  • New — Dictation via Whisper (audit.php): Complete overhaul of microphone recording for determination field. Click → MediaRecorder (webm/opus) → upload to api/transcribe-snippet.php → OpenAI Whisper transcription → insertion into determination via execCommand('insertText') at cursor position, with automatic space handling. Hallucination filter discards empty/unintelligible results. Auto-stop after 120s, double-click stops manually.
  • New — Examiner shortcuts system (admin.php + api/users.php): User management receives a new mandatory field "Examiner Shortcut" (2–12 characters A–Z/0–9, globally unique). Validation at user.add, new API action set_kuerzel for subsequent editing with duplicate check + audit log entry. New column "Shortcut" in user table shows monospace badge #3d84f7 with ✎-edit button. Prerequisite for multi-user sessions.
  • New — Auto-fill examiner shortcut in audit lines: Upon login, the stored examiner shortcut is loaded into CURRENT_USER_KUERZEL and automatically entered into each newly created audit line via restoreKuerzel. No more manual typing per line.
  • New — Multi-user dialog on homepage (index.php): New button "Multi-User" next to "Start Now" (same btn-blue style, margin-left:auto). Opens login-look modal with host field + dynamic participant chip list (Enter or +-button to add, × to remove). "Start Session" calls api/session.php?action=create, redirects to audit.php?sid=….
  • New — "Select All" in MITRE Kill-Chain panel (wazuh.php): New button in Kill-Chain filter, appears when active tactics exist and not all are already selected. One click adds all available tactics to the alert filter + automatically switches to the alerts tab.
  • New — BSI code linkify after AI reformulation: New DOM-tree walker autoLinkifyBsiCodes() detects regulation codes (regex \b[A-Z][A-Z0-9]{0,10}(?:\.[A-Z0-9]+){1,6}\b) in text nodes and converts them into magenta .quelle-mention chips with hover tooltip. Active after reformulateFeststellung, applyResult (evaluation + recommendation) and reformulate (single field). Codes remain clickable even after AI analysis.
  • Changed — Import order Wazuh/CVE → Audit: In alert-to-question import, findBsiFiles now runs first, then highlightQuellen before setFsContent. Ensures source chips appear in magenta on first render.
  • Fix — Multi-User Modal Centering: Modal was rendered in transformed .card ancestor, position:fixed was thus relative to the transform-parent. Fix: IIFE reparented backdrop + modal to document.body on script load.
  • Fix — Critical parse error in api/session.php: $GLOBALS as lexical variable in closure use() clauses was PHP fatal ("Cannot use auto-global as lexical variable"). Affected 4 closures. Removed — superglobal is automatically available within closures anyway. Explained the "Unexpected end of JSON input" errors on session start.
  • Infrastructure — Auto-setup sessions directory: api/session.php automatically creates /sessions/ with 0750 mode + .htaccess Require all denied on first request. No manual server configuration required.
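The patch path of the session sync described in the v2026.04.23 entries (flock-protected state file, expectedRev check answered with HTTP 409 plus the current state, tmp→rename write, sessions directory created with 0750 and a deny-all .htaccess), as an added example. It is not the project's api/session.php; the function names, the separate .lock file, the sid format and the log record shape are assumptions. Two details worth seeing in code: the sid arrives from the URL and is validated before it becomes part of a path, and the lock is taken on a file that is never renamed, so a writer that replaces the JSON via rename cannot leave a second writer holding a lock on a stale inode.

```php
<?php
// Added example, not MSC5 Labs code. Optimistic-concurrency "patch" on a
// per-session JSON state file with flock + atomic tmp->rename.
declare(strict_types=1);

const SESSIONS_DIR = __DIR__ . '/sessions';   // path is an assumption

/** The sid comes from ?sid=..., so validate it before it touches the filesystem. */
function session_path(string $sid): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{8,64}$/', $sid)) {
        throw new InvalidArgumentException('invalid session id');
    }
    return SESSIONS_DIR . '/' . $sid . '.json';
}

/** First-request setup: 0750 directory plus "Require all denied" so the web server never serves state files. */
function ensure_sessions_dir(): void
{
    if (!is_dir(SESSIONS_DIR)) {
        mkdir(SESSIONS_DIR, 0750, true);
    }
    $ht = SESSIONS_DIR . '/.htaccess';
    if (!file_exists($ht)) {
        file_put_contents($ht, "Require all denied\n");
    }
}

/**
 * Replace doc.rows if $expectedRev still matches the stored rev.
 * Returns [httpStatus, body]; a 409 carries the current state so the client
 * can remote-apply it instead of overwriting another participant's change.
 */
function session_patch(string $sid, int $expectedRev, array $newRows, string $user): array
{
    ensure_sessions_dir();
    $path = session_path($sid);
    $lock = fopen($path . '.lock', 'c');          // lock file is never renamed
    if ($lock === false || !flock($lock, LOCK_EX)) {
        return [500, ['error' => 'lock failed']];
    }
    try {
        if (!file_exists($path)) {
            return [404, ['error' => 'unknown session']];
        }
        $state = json_decode((string) file_get_contents($path), true);
        if (!is_array($state)) {
            return [500, ['error' => 'corrupt state']];
        }
        if ($state['rev'] !== $expectedRev) {
            return [409, ['error' => 'rev mismatch', 'state' => $state]];
        }
        $state['doc']['rows'] = $newRows;
        $state['rev']++;
        $state['log'][] = ['ts' => time(), 'user' => $user, 'action' => 'patch'];

        // Readers polling the file see either the old or the new JSON, never a partial write.
        $tmp  = $path . '.tmp';
        $json = json_encode($state, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
        if (file_put_contents($tmp, $json, LOCK_EX) === false || !rename($tmp, $path)) {
            return [500, ['error' => 'write failed']];
        }
        return [200, ['rev' => $state['rev']]];
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

/** Create a session; the sid is generated server-side, never chosen by the client. */
function session_create(string $host): string
{
    ensure_sessions_dir();
    $sid   = bin2hex(random_bytes(16));
    $state = ['sid' => $sid, 'host' => $host, 'participants' => [], 'rev' => 0,
              'doc' => ['rows' => [], 'meta' => []], 'locks' => [], 'presence' => [], 'log' => []];
    file_put_contents(session_path($sid), json_encode($state), LOCK_EX);
    return $sid;
}

// Usage: two clients both read rev 0; the second write collides and gets 409.
$sid  = session_create('MM');
[$s1] = session_patch($sid, 0, [['nr' => 1, 'text' => 'Finding A']], 'MM');   // 200, rev is now 1
[$s2] = session_patch($sid, 0, [['nr' => 1, 'text' => 'Finding B']], 'KK');   // 409 with current state
```

The host-only guards for rows.add/remove/reorder and meta changes that the entry mentions would sit before the rev check, keyed on $state['host'] versus the authenticated user; they are left out here to keep the concurrency path readable.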
v2026.04.22 April 22, 2026 Feature
  • New — Automatic Changelog PDF Dispatch: With every new changelog entry (saved via api/changelog-save.php), a PDF is automatically generated and sent as an attachment via email. The email body contains a summary (version/date/type/item count) and a link to the online changelog page. The PDF is A4 with Helvetica, automatic line and page breaks, and a small MSC5Labs logo + footer on each page.
  • New — Streamlined PDF Generator includes/simple_pdf.php: Custom mini PDF builder without external library (around 180 lines of PHP). Generates valid PDF 1.4 documents with headings, body text, bullet lists, dividers, and automatic page breaks. Supports Windows-1252 encoding for German umlauts.
  • New — Manual Reload Button in Wazuh Dashboard: A new "🔄 Reload" button in the header refreshes all data (Overview/KPIs/Charts/Tabs) at the press of a button. The icon rotates during the loading process (CSS animation), and on success, the button briefly turns green with ✓, or red with ✗ if an error occurs. An additional keyboard shortcut R triggers the reload when no input field is focused.
  • New — Randomized Demo Data Generator: Each reload in demo mode now generates entirely new, credible demo results from a significantly larger pool: 15 agents (status determined per call — active/disconnected/never_connected), 27 alert templates (8–14 randomly selected, level varies ±1, agent assigned), 17 CVE templates (5–10 selected, CVSS varies ±0.3, affected agents mixed), 13 SCA policies (5–9 selected, score varies ±6, pass/fail adjusted).
  • Changed — Finding Reformulation (audit.php/reformulate): The prompt for api/reformulate-feststellung.php has been completely rewritten. The AI now only reformulates bullet points into complete sentences or rewrites existing sentences according to BSI Basic Protection standards (factual, descriptive, passive-heavy) — no evaluations, no risk assessments, no recommendations, no target-actual comparisons. Evaluation is reserved exclusively for AI assessment (field 2), which evaluates the finding considering the modules selected in field (A). Target length: 2–3 sentences.
  • Changed — Footer Fixed (wazuh.php + index.php): Both pages now use position:fixed instead of the previous sticky-to-bottom-flex technique. The footer always sticks to the bottom of the viewport (even when scrolling), with a semi-transparent background, backdrop-filter: blur(8px), and a subtle shadow facing upward. The body receives a reserved padding-bottom so that the last content is not obscured.
  • Changed — Auto-Refresh Toggle Visually Distinct: The auto-refresh switch in the Wazuh header now clearly shows its status: orange with "OFF" when disabled, green with "ON (30s)" when active (with pulsating glow dot). Previously, the off state was too subtle and often overlooked.
  • Changed — Login Logo Reverted to MSC5Labs: The temporarily used #TMYLGGNS whale logo on the login page has been replaced with the original MSC5Labs_Logo.png. The size adjustment (220px), the stronger cyan glow, and the removal of all other decorative background effects remain — the original logo is now the sole visual highlight.
  • Fix — Readable Dropdown Options in admin.php: The <option> elements in the Audit Log filter (All Events/Logins Only/Failed Logins/Users Only/Security Only/Wazuh Only) and in the "last X" dropdown were unreadable in Chrome/Edge (faint text on light purple background). Fixed with a global select option { background:#0b1829; color:#e8edf5 } rule including hover state.
  • Technical — Changed Files: login.php (logo revert), api/reformulate-feststellung.php (prompt revision), api/wazuh.php (demo generator pools + randomization), wazuh.php (reload button + auto-refresh style + footer fixed), index.php (footer fixed), admin.php (select option CSS), api/changelog-save.php (PDF mail hook).
  • Technical — New Files: includes/simple_pdf.php (mini PDF builder), includes/changelog_mailer.php (MIME multipart mail with PDF attachment).
v2026.04.21 April 21, 2026 Major
  • New — Chart-Zoom-Lightbox: All 4 Wazuh dashboard charts (Alerts 24h Timeline, Top MITRE Tactics, Top Agents, Severity Donut) and the MITRE Kill Chain are now clickable and open centered in an enlarged lightbox modal. SVG content scales up to 65vh height, HTML bars display larger labels and more entries in zoom (Top 20 instead of Top 5). Auto-refresh also updates the opened zoom view live. Close with Esc or click outside.
  • New — Kill Chain Multi-Select: The 13 MITRE ATT&CK tactics in the Kill Chain can now be individually and multiply selected (previously only one). Click toggles, Shift+Click sets exclusively, selected cells show ✓ badge + cyan glow, unselected cells are dimmed. Alert table filters with OR logic, tactic dropdown synchronizes automatically ("Multiple (X)" at >1 selection).
  • New — Agent Detail Page wazuh-agent.php: Clicking an agent name in the agents table opens a dedicated detail page with 6 KPI tiles (Status, Total Alerts, Critical Alerts, Vulnerabilities, Ø SCA Score, Last Seen) and three filtered panels: only Alerts/Vulns/SCA for this agent.
  • New — Saved Views: All 4 filter bars (Alerts, Agents, Vulnerabilities, SCA) now have a 💾 Views ▾ dropdown. This allows you to save any filter combinations with a custom name ("My Morning Routine", "Windows Server", "Only Critical") and load them with a click. Per-user persistence in localStorage; individual views can be deleted via 🗑 icon.
  • New — Mini-Charts in Vulns & SCA Tabs: Above the tables in the Vulnerabilities and Compliance/SCA tabs, compact 3-column evaluations now appear: in Vulns, CVSS distribution + top packages + affected agents; in SCA, an SVG score histogram with average line + top policies + worst agents.
  • New — Alert Detail Modal Agent Click Filter: In the alert detail modal, the agent name is now a clickable link → sets the agent filter in the Alerts tab, closes the modal, and automatically switches to Alerts (including a toast "Alerts filtered by Agent X").
  • New — Per-User Module Permissions: In admin.php, a new table column Modules with a modal for managing module access (audit, wazuh, vulnerabilities, pentest, training, regulations_upload, downloads) is available. Modules not approved are hidden on the dashboard and direct page URLs (audit.php, wazuh.php, etc.) redirect with a flash banner "Access denied" back to index.php. Admins always have access to all modules.
  • New — API Key Encryption (AES-256-GCM): API keys in config.json (api_key, openai_key, perplexity_key, wazuh_password) are now encrypted with the automatically generated app_enc_key (32 Byte Hex). Transparently in helpers.php via openssl_encrypt/decrypt — values in JSON have the prefix ENC::base64(IV+TAG+ciphertext). Admin button "🔐 Encrypt all keys now" migrates existing plaintext entries.
  • New — Admin Audit Log: New file includes/audit_log.php logs every admin action with timestamp, user, role, IP, user agent, action, and details in data/admin_audit.log (JSONL with automatic rotation at 5 MB, maximum 3 rotations).
  • New — Auth Event Logging: Extends the audit log to include all login/logout/2FA/password events. Logged events: auth.login_success, auth.login_failed (with reason: wrong_password / unknown_user), auth.login_password_ok (intermediate step before 2FA), auth.logout, auth.2fa_success/_failed (with method: totp/backup/email), auth.password_change/_failed, auth.password_reset_issued/_unknown_user.
  • New — Audit Log Viewer with Filter & Export: In admin.php the audit log section now shows: filter dropdown (All / 🔐 Logins / ⚠ Failed Logins / 👤 User / 🔒 Security / 🛡 Wazuh), 🔍 free text search, display limit (50/200/500), and export buttons ⬇ JSON + ⬇ TXT (respecting the current filter). Additionally, a 🗑 Clear History button (deletes all log files; the deletion action itself is logged as security.audit_log_cleared). Failed login lines have a red background tint for quick identification.
  • New — Wazuh Scheduled Import + Email Alert: New endpoint api/wazuh-cron.php (auth via URL token or admin login) pulls critical alerts on call, tracks already sent fingerprints in data/wazuh_cron_state.json, and sends formatted email notifications to the configured recipient for new matches from Level 12. Admin UI with copy button for the cron URL, test button "Execute Now Manually", and token regeneration.
  • New — Cron Interval Selection: The scheduled import card now features an interval dropdown: manual/external only (default) / 15 / 30 / 60 / 90 minutes. When interval is active: (1) browser auto-trigger pings the endpoint automatically while admin.php is open; (2) interval gate in the backend skips duplicate executions within an interval ("skipped, next_allowed_in: X"). The ▶ Execute Now Manually button bypasses the gate via ?force=1.
  • New — Vulnerability→Audit Import with Individual Selection: On schwachstellenanalyse.php, each CVE line is equipped with a checkbox (default: all active). Above the table: quick actions ✓ all / ✕ none / critical only and a tri-state header checkbox. The import button shows the live count of selected CVEs and is disabled at 0 selection. A click forwards the selected CVEs to the audit tool via localStorage handoff (msc5_cve_import).
  • New — CVE → Audit Mapper api/cve-to-audit.php: Accepts CVE list and generates complete audit findings with check question, reference, formulated finding text (including NVD reference URL), and heuristic-based BSI IT-Grundschutz module suggestion. Keyword mapping for Apache/nginx/Tomcat/OpenSSH/OpenSSL/MySQL/Log4j/Spring/SMB/RDP/Zerologon/Citrix/Firewall/VPN/DNS/PHP/GitLab etc.
  • New — NVD Links for CVEs: CVE IDs in the vulnerability table are clickable links to https://nvd.nist.gov/vuln/detail/<id> (open in new tab, red with dotted underline and external link icon).
  • New — Dropdown options in Dark Mode: All <select> dropdowns (Agent, MITRE Tactic, CVSS, Score, Views) are now rendered with a dark background and light text when expanded (option { background:#0b1829; color:#e8edf5 }). Fixes the issue where Chrome/Edge on Windows ignored OS defaults for dropdown options.
  • Changed — Footer fixed on all pages: index.php, audit.php, wazuh.php, and wazuh-agent.php now all use the Flex Column Body technique (body { display:flex; flex-direction:column; min-height:100vh } + body > footer { margin-top:auto }). Footer sticks to the bottom of the viewport with little content, scrolls naturally on long pages.
  • Changed — Dashboard layout aligned: Hero section ("Version selection" / "IT Audit Platform" / Description) + Version bar + Flash message + Card grid are now placed in a single <div class="grid-section"> container. As a result, all elements share the same parent, ensuring left/right alignment. The .hero class was dissolved, and typography classes were renamed to .intro-eyebrow, .intro-title, .intro-sub.
  • Changed — Login page logo + effects: The MSC5Labs logo on login.php was replaced with the #TMYLGGNS whale (transparent background, isolated via PowerShell+System.Drawing) and enlarged from 140px to 220px. All decorative background effects (pulsating radial glow, horizontal scanline, floating particles, binary rain, grid pulse, blue card glow) were disabled — only the logo itself pulses with a cyan drop shadow.
  • Changed — Donut legend readable in zoom: The severity donut in the zoom modal previously clipped the legend (SVG was stretched to 100% width via global CSS). Fixed by setting explicit SVG dimensions (360px) and inline !important to override the global zoom selector. In zoom mode, font size × 2, dot size from 9 to 16px, percentage added in parentheses.
  • Technical — New files: includes/modules.php (module registry + require_module()), includes/audit_log.php (rotating JSONL logger), api/wazuh-cron.php (scheduled import), wazuh-agent.php (agent detail), api/cve-to-audit.php (CVE mapper), static/tmylggns.png (new login logo).
  • Technical — New API actions in api/users.php: set_user_modules, encrypt_api_keys, get_audit_log, clear_audit_log, set_wazuh_cron, regenerate_cron_token. All with admin_log() hook.
  • Technical — New .htaccess routes: wazuh-agent, api/wazuh-cron, api/cve-to-audit.
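The ENC::base64(IV+TAG+ciphertext) layout and the rotating JSONL admin audit log from the v2026.04.21 entries above, worked through together as one added example: the "Encrypt all keys now" migration encrypts the plaintext fields and writes one audit record naming the fields it touched. This is not the project's helpers.php or includes/audit_log.php; the function names, the 12-byte IV, the hex-key check, the record layout and the action name config.encrypt_api_keys are assumptions. Two defender-side details the entries leave implicit: decryption fails closed on a tampered blob (the GCM tag check rejects it) rather than returning garbage, and the audit record carries field names only, never the secret values.

```php
<?php
// Added example, not MSC5 Labs code. AES-256-GCM protection of config secrets
// in the ENC:: layout plus a rotating JSONL audit log (5 MB, 3 rotations).
declare(strict_types=1);

const ENC_PREFIX   = 'ENC::';
const AUDIT_LOG    = __DIR__ . '/data/admin_audit.log';   // path from the changelog
const AUDIT_MAX    = 5 * 1024 * 1024;
const AUDIT_ROTATE = 3;

/** app_enc_key is 32 bytes stored as 64 hex chars; reject anything else instead of silently using a weak key. */
function enc_key_from_hex(string $hex): string
{
    if (!preg_match('/^[0-9a-f]{64}$/i', $hex)) {
        throw new RuntimeException('app_enc_key must be 32 bytes as hex');
    }
    return hex2bin($hex);
}

function is_encrypted(string $value): bool
{
    return str_starts_with($value, ENC_PREFIX);
}

function encrypt_value(string $plain, string $key): string
{
    $iv  = random_bytes(12);          // fresh 96-bit nonce per value (length is an assumption)
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ENC_PREFIX . base64_encode($iv . $tag . $ct);
}

/** Transparent read: legacy plaintext passes through, ENC:: values are decrypted and tag-checked. */
function decrypt_value(string $stored, string $key): string
{
    if (!is_encrypted($stored)) {
        return $stored;
    }
    $blob = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    if ($blob === false || strlen($blob) < 12 + 16) {
        throw new RuntimeException('malformed ENC:: value');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('decryption failed (wrong key or tampered data)');
    }
    return $plain;
}

/** Append one JSONL record; rotate .log -> .1 -> .2 -> .3 once the file reaches 5 MB. */
function admin_log(string $user, string $role, string $action, array $details = []): void
{
    if (!is_dir(dirname(AUDIT_LOG))) {
        mkdir(dirname(AUDIT_LOG), 0750, true);
    }
    if (file_exists(AUDIT_LOG) && filesize(AUDIT_LOG) >= AUDIT_MAX) {
        for ($i = AUDIT_ROTATE - 1; $i >= 1; $i--) {
            if (file_exists(AUDIT_LOG . '.' . $i)) {
                rename(AUDIT_LOG . '.' . $i, AUDIT_LOG . '.' . ($i + 1));   // .3 is overwritten
            }
        }
        rename(AUDIT_LOG, AUDIT_LOG . '.1');
    }
    $record = [
        'ts' => date('c'), 'user' => $user, 'role' => $role,
        'ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli', 'ua' => $_SERVER['HTTP_USER_AGENT'] ?? '',
        'action' => $action, 'details' => $details,          // never secret values
    ];
    file_put_contents(AUDIT_LOG, json_encode($record, JSON_UNESCAPED_UNICODE) . "\n", FILE_APPEND | LOCK_EX);
}

/** "Encrypt all keys now": encrypt listed fields that are still plaintext, log which ones changed. */
function encrypt_config_keys(array $config, string $key, array $fields, string $adminUser): array
{
    $migrated = [];
    foreach ($fields as $f) {
        if (isset($config[$f]) && $config[$f] !== '' && !is_encrypted($config[$f])) {
            $config[$f] = encrypt_value($config[$f], $key);
            $migrated[] = $f;
        }
    }
    admin_log($adminUser, 'admin', 'config.encrypt_api_keys', ['fields' => $migrated]);
    return $config;
}

// Usage with a constructed config; the key is generated here, in the app it is app_enc_key.
$key    = enc_key_from_hex(bin2hex(random_bytes(32)));
$config = ['api_key' => 'sk-constructed-example', 'openai_key' => '', 'wazuh_password' => 'demo'];
$config = encrypt_config_keys($config, $key, ['api_key', 'openai_key', 'perplexity_key', 'wazuh_password'], 'MM');
assert(decrypt_value($config['api_key'], $key) === 'sk-constructed-example');
```

Empty fields are left untouched so an unused provider does not turn into an encrypted empty string, and running the migration twice is harmless because is_encrypted skips values that already carry the prefix.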
v2026.04.20 April 20, 2026 Major
  • New — Wazuh SIEM Integration (Dashboard): New page wazuh.php with KPI tiles (active/disconnected/never connected agents, critical alerts from the last 24h, vulnerabilities, compliance score) and tabs for alerts, agents, vulnerabilities, and SCA. Includes a demo mode with 12 fictitious agents, 10 example alerts (including MITRE IDs T1110/T1003/T1059.001 etc.), 8 CVEs (e.g., CVE-2024-3094, CVE-2024-6387) and CIS/BSI Grundschutz SCA results — runs immediately without server connection.
  • New — Wazuh Configuration in Admin: Dedicated block 🛡️ Wazuh SIEM Integration in admin.php with fields for manager URL (port 55000), API user, password, demo mode toggle, and SSL-verify option. Includes a connection test button to verify JWT authentication against the real Wazuh API (/security/user/authenticate).
  • New — Wazuh Dashboard Card: Cyan-colored tile Wazuh Security Monitoring on the main dashboard index.php with badge Demo or Live, direct link to the dashboard and (only for admins) visible configuration shortcut to admin.php#wazuh.
  • New — SCA Export (Option B): Tab SCA Export in the Wazuh dashboard converts OSCAL-1.1.x catalogs (BSI Methodology Grundschutz++ · 61 requirements, BSI GS.json · 692, BSI GS__.json · 717, BSI State of the Art · 582) into Wazuh SCA policies in YAML format. Resolves {{ insert: param, … }} placeholders, maps to compliance tags (bsi, bsi_group, bsi_modal, bsi_sec_level) and offers three modes: Inventory (all checks as finding), Passive (all PASS), or Template (empty rule placeholders for filling).
  • New — Wazuh Alerts → Audit Findings (Option C): Toolbar button 🛡️ Import Wazuh Alerts in audit.php opens a modal with all alerts (filter for critical alerts level 10 and above), automatically generates new audit entries from selected alerts with pre-filled audit questions, reference, and formulated findings text (including timestamp, agent, rule ID, MITRE technique, alert text).
  • New — Heuristic BSI Building Block Mapping: Endpoint api/wazuh-to-audit.php assigns appropriate BSI Grundschutz building blocks to each alert using a three-stage procedure: (1) MITRE ATT&CK technique (15 common TIDs like T1110→ORP.4.A8/SYS.1.3, T1003→ORP.4.A15/SYS.2.1.A25), (2) keyword matching in alert text (SSH, Mimikatz, PowerShell, portscan, AV, SMB, mail, web server, firewall), and (3) Wazuh rule ID ranges (55xx→PAM, 616xx→Defender, 92xx→AV etc.).
  • New — Automatic Source Assignment in Audit: During import, the frontend matches provided BSI IDs against files in the Vorschriften/ folder (e.g., ORP.4.A8 → ORP_4_Identitaets_und_Berechtigungsmanagement_Editon_2022.pdf) and automatically sets found PDFs as source chips. Respects the MAX_SOURCES limit per entry.
  • New — OSCAL Catalog Fallback: If PDF matching for a BSI ID finds no appropriate file (e.g., because the building block PDF is not available), the corresponding OSCAL catalog JSON is automatically added as a fallback source (BSI GS__.json for SYS/APP/NET/ORP/OPS/CON/DER/INF/IND, BSI-Methodik-Grundschutz++-catalog.json for GC/STM/UMS/VRB/PERF) — ensuring each entry has an AI-analyzable reference.
  • New — AI Model Assignment per User: In user management (admin.php), the allowed AI provider can be specified per user: ○ Global (follows system default), 🟣 Anthropic Claude, 🟢 OpenAI GPT-4o, or 🔵 Perplexity Sonar. Admins are automatically exempt from any restrictions.
  • New — AI Usage Limits per User: Configurable in the AI modal with limit (requests, 0=unlimited) and period (per day or per month). Admins are not counted and not limited. When the quota is reached, the AI endpoints return HTTP 429 with a clear error message and reset indication.
  • New — Counter Reset & Live Usage: Admin modal shows the current usage of the selected user (counter, last provider, timestamp) and allows resetting the counter with a click. Data is stored in data/ai_usage.json.
  • Changed — Guard Mechanism on AI Endpoints: api/analyze.php, api/reformulate.php, api/reformulate-feststellung.php, api/summarize.php, and api/humanize.php now use enforce_ai_guard() from includes/user_limits.php — aborts requests at exceeded limits or blocked providers and enforces the assigned provider for non-admins (ignores the global setting). Successful calls increment the counter via track_ai_usage().
  • Changed — API Extensions User Management: api/users.php extended by three actions: set_user_ai (save provider/limit/period), reset_user_usage (reset counter to 0), and get_usage_overview (list of all users with current usage).
  • Changed — Cleaner URL Routes: .htaccess extended with routes: wazuh, api/wazuh, api/wazuh-to-audit, api/export/wazuh-sca.
  • Fix — AI Cell in User Table: The new column AI Provider / Limit no longer renders invisible (originally button with nested flex spans that clashed with .btn{white-space:nowrap} rule). Rebuilt into a sleek <a> block with display:block, hover effect, and two-line content (provider + limit/period).
  • Technical — New Files: wazuh.php, api/wazuh.php, api/wazuh-to-audit.php, api/export/wazuh-sca.php, includes/user_limits.php.
  • Technical — Changed Files: index.php (Wazuh card + footer link), audit.php (import button, modal, BSI matching logic), admin.php (Wazuh config, AI assignment, new table column), api/users.php (3 new actions + Wazuh config handler), .htaccess (rewrites).
v2026.04.19 April 18/19, 2026 Major
  • New — Fixed Header: Header, toolbar, and BSI ticker remain fixed at the top when scrolling (position: sticky on wrapper div .sticky-top) — applicable in both audit.php and index.php.
  • New — Session Timer Auto-Reset: Each page navigation automatically resets the 90-minute logout timer. Only /api/* requests do not extend the session.
  • New — Daily Changelog Check: A cron task checks daily at 6:00 PM for updates and automatically creates a changelog entry if changes exist in the source state.
  • New — User Creation Without 2FA: Newly created users do not need to go through 2FA on their first login — only to change the temporary password assigned by the admin. 2FA becomes active only after the password change.
  • New — 2FA Toggle per User: In user management (admin.php), 2FA can be individually enabled or disabled for each user. When deactivated, the user's TOTP secret is automatically removed.
  • Changed — Password Reset: The reset_pw action additionally sets must_change_password=true, requiring the user to change their password at the next login.
  • Offline Version — WebLive Sync: All current web space functions (templates, static assets, API routes) have been integrated into the offline version MSC5_Win_VS. Includes .php alias routes (audit.php → /audit, api/analyze.php → /api/analyze etc.) for full WebLive compatibility without template changes.
  • Offline Version — Local GGUF Selection: Offline UI restored with radio buttons for selecting local gpt4all GGUF models from the models/ folder. force_online toggle between cloud API and local AI.
  • New — Microphone Selection per Line: Dropdown next to each dictation button in the determination (inspection team). Pre-claim via getUserMedia({deviceId:{exact}}) forces Chrome/Edge to use the selected device for SpeechRecognition. Persistent in localStorage.msc5_mic_id.
  • New — Hover Tooltips Vulnerability Analysis: Info dot for each scan method (26 methods, offline + online) with a 280 px explanation popup on function, source, and example output.
  • New — Hover Tooltips Pentest: Info dot for all 37 inspection methods (osint, dns, shodan, tls, smb, nse_safe, default_creds, spray, hashcrack, etc.) with title + explanation (purple theme, 300 px).
  • Changed — Offline Badge & Header: Offline banner and mode point in warning red instead of amber. Header buttons (user, session, logout) styled to match audit.php on the vulnerabilities and pentest page.
  • New — Training Lab Expanded: 30 → 77 targets with difficulty levels (Basic / Advanced / Expert) and filter chips. Advanced and expert targets with 5–9 step-by-step tasks (collapsible). Scenarios include adcs-esc1, kerberoast-forest, ransomware-dfir, apt-simulation, purple-team, k8s-escape, scada-refinery.
  • New — Random Scan Results: Training scans produce randomized ports (pool 34), CVEs (pool 22: Log4Shell, Zerologon, EternalBlue, CitrixBleed, Spring4Shell, etc.), and OS fingerprints for each host type. Math.random + pool-splice, no seed — no two scans are identical.
  • Fix — Tools-Row Auto-Hide: In the absence of /api/pentest/tools endpoint (web edition without Flask), the tool status row is automatically hidden instead of displaying "Error checking".
  • Fix — resolveRowProfile(): Helper provides {profile, custom_style} per row. Guarantees correct style application (including MontanaBlack / custom profiles) in analysis, determination rephrasing, evaluation, and recommendation.
  • New — Changelog AI Generator: Admin button "🤖 Change Log Updates (AI)" on changelog.php. Admin enters bullet points, AI generates formatted entry (category prefix, HTML-compliant), preview in modal, transfer to edit mode for post-processing.
  • New — Feature Overview PDF: Completely revised MSC5_Labs_Funktionsuebersicht.pdf with all current features. Two variants: dark cyan theme (tool design) and a print-friendly light variant.
  • Free Text Module – Writing Style Profiles: 7 profiles (BSI, Military, Technical, Management, Audit, Forensics, 🫢 Humanizer) available as a dropdown, affecting rephrasing & auto-fill.
  • Humanizer: 🫢-button per field (determination, evaluation, consequence, summary) β€” removes AI patterns (Wikipedia "Signs of AI writing") while retaining technical content.
  • Inspector Notes (Dictation Marker): "NOTE START … NOTE END" + inline [[…]] are removed from the source text and only provided to AI as contextβ€”excluded from the output.
  • Summary: New field under consequence/measures β€” AI condenses determination+evaluation+consequence into 5–7 sentences.
  • Inspection Number: Split input with prefix "W-IN-" + two number fields + live preview.
  • Project Name + Project Company/Contact: New fields under department.
  • Inspection Team Leader: Additional field under inspector.
  • Rich Text Toolbar: Bullet points, numbered list, indent forward/backward for determination.
  • Status Toggle: "In Progress" / "Completed" buttons before saving, with badge in saved overview.
  • Save vs. Save & New: Separate buttons; upsert via document ID -> no duplicates when saving again.
  • Search + Status Filter: Live search in saved overview via inspection number, department, project, topic, inspector; status dropdown (All/Completed/In Progress/Open).
  • Attachment Upload: PDF, Word, Excel, JSON, audio via drag & drop or file picker (max. 20 MB); stored server-side under uploads/anlagen/ with .htaccess protection.
  • Voice Memos: MediaRecorder recording with microphone selection, live timer (Max. 10 Min), inline audio player in attachments list.
  • Exports Expanded: Excel (SpreadsheetML 2003) + JSON + Word + PDF with profile, project data, summary.
  • Rephrase Buttons: Label "Let JHNLGGNS cook"; auto-fill button "JHNLGGNS will handle it".
  • Session Timeout: 60 -> 90 minutes.
  • Changelog Search: Live filter with highlight across all versions.
  • Dashboard: Dropdown readability (dark-mode fix) for status filter.
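The microphone pre-claim described in this release, as an added example that is not MSC5 Labs code: only the localStorage key msc5_mic_id comes from the changelog; the function and parameter names, the injected `nav`/`storage`/`Recognition` objects and the device list are assumptions for illustration. It shows the part a practitioner gets wrong most often: a stored deviceId that no longer matches (device unplugged, permission not yet granted, or an id from another origin, since Chrome scopes deviceIds per origin) must fall back to the browser default instead of failing with OverconstrainedError.

```javascript
// Added example, not MSC5 Labs code: choose the remembered microphone for
// SpeechRecognition and fall back cleanly when it is no longer available.
// Only the localStorage key msc5_mic_id comes from the changelog; the
// function and parameter names are assumptions for illustration.
const MIC_KEY = "msc5_mic_id";

// Build getUserMedia constraints from an enumerateDevices() result.
// Before the user has granted microphone permission, Chrome returns
// audioinput entries with an empty deviceId and label, so a stored id
// cannot match yet; deviceIds are also scoped per origin. In both cases
// an {exact} constraint would reject with OverconstrainedError, hence the
// fallback to the browser default. {exact} is deliberate: with {ideal}
// the browser may silently pick another device.
function micConstraints(devices, storedId) {
  const mics = devices.filter((d) => d.kind === "audioinput" && d.deviceId);
  const match = storedId ? mics.find((d) => d.deviceId === storedId) : undefined;
  return match
    ? { audio: { deviceId: { exact: match.deviceId } } }
    : { audio: true };
}

// Persist the dropdown choice; an empty value clears the preference.
function rememberMic(storage, deviceId) {
  if (deviceId) storage.setItem(MIC_KEY, deviceId);
  else storage.removeItem(MIC_KEY);
  return storage.getItem(MIC_KEY);
}

// Pre-claim the device, then start recognition. SpeechRecognition has no
// device option of its own; opening the device first is what steers
// Chrome/Edge to it. The stream stays open while recognition runs and is
// released on end so the tab's recording indicator goes off.
// nav, storage and Recognition are injected so this runs outside a browser.
async function startDictation({ nav, storage, Recognition, lang = "de-DE" }) {
  const devices = await nav.mediaDevices.enumerateDevices();
  const constraints = micConstraints(devices, storage.getItem(MIC_KEY));
  const stream = await nav.mediaDevices.getUserMedia(constraints);
  const rec = new Recognition();
  rec.lang = lang;
  rec.onend = () => stream.getTracks().forEach((t) => t.stop());
  rec.start();
  return { constraints, rec, stream };
}

// Constructed device list in the shape enumerateDevices() returns.
const SAMPLE_DEVICES = [
  { kind: "audioinput", deviceId: "default", label: "Default" },
  { kind: "audioinput", deviceId: "a1b2c3", label: "Headset (USB)" },
  { kind: "videoinput", deviceId: "cam1", label: "Webcam" },
];
```

In a page script the call would be `startDictation({ nav: navigator, storage: localStorage, Recognition: window.SpeechRecognition || window.webkitSpeechRecognition })`, after `rememberMic(localStorage, dropdown.value)` on each dropdown change; the `videoinput` entry in the sample list is there to show that a camera id is never accepted as a microphone.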
v2026.04.18 April 18, 2026 Major
  • Vulnerability Analysis: 26 scan methods in 6 categories (Network, Vulnerabilities, Web, OSINT, Services, Auth)
  • Live-OSINT Layer: Real APIs – Google DoH, crt.sh, RDAP, Shodan InternetDB, circl.lu CVE, Wayback, HIBP
  • Methods-Findings Table: Status/Risk/Summary per scan method
  • Multi-Select: All/Only Live/Quick/None buttons
  • Export report extended with methods-findings
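For the crt.sh part of the Live-OSINT layer above, an added example that is not MSC5 Labs code: it normalises a crt.sh JSON answer into the host list a recon layer actually needs. The field names follow crt.sh's `?output=json` format; the records are constructed and the function name is an assumption. The points it demonstrates are the ones that bite in practice: `name_value` holds several newline-separated SANs per certificate, names come in mixed case, wildcards name no concrete host, SANs of unrelated domains appear on shared certificates and must be scope-checked with a dot-prefixed suffix match (a plain suffix check would accept `example.com.evil.test`), and hosts seen only on expired certificates are worth reporting separately.

```javascript
// Added example, not MSC5 Labs code: turn a crt.sh JSON answer (the CT
// source named in the changelog) into a deduplicated, in-scope host list.
// Field names follow crt.sh's ?output=json format; the records are
// constructed, and the function name is an assumption for illustration.
const SAMPLE_CRTSH = [
  { id: 1, issuer_name: "C=US, O=Let's Encrypt, CN=R11", common_name: "www.example.com",
    name_value: "www.example.com\nexample.com",
    not_before: "2026-03-01T00:00:00", not_after: "2026-05-30T00:00:00" },
  { id: 2, issuer_name: "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", common_name: "*.example.com",
    name_value: "*.example.com\nold.example.com",
    not_before: "2023-01-01T00:00:00", not_after: "2024-01-01T00:00:00" },
  { id: 3, issuer_name: "C=US, O=Let's Encrypt, CN=R10", common_name: "mail.example.com",
    name_value: "MAIL.example.com\nvpn.example.com\nexample.com.evil.test\n",
    not_before: "2026-04-01T00:00:00", not_after: "2026-06-30T00:00:00" },
];

// Normalise names, keep only the scope domain and its subdomains, split
// wildcards out (they name no concrete host), and separate names that only
// ever appeared on expired certificates from currently covered ones.
// Out-of-scope SANs such as example.com.evil.test are dropped: a bare
// suffix check on "example.com" would wrongly accept them.
function hostsFromCrtsh(records, scopeDomain, now = new Date()) {
  const scope = scopeDomain.trim().toLowerCase();
  const current = new Set();
  const expired = new Set();
  const wildcards = new Set();
  for (const r of records) {
    const isExpired = new Date(r.not_after) < now;
    for (const raw of String(r.name_value ?? "").split("\n")) {
      const name = raw.trim().toLowerCase();
      if (!name) continue;
      if (name !== scope && !name.endsWith("." + scope)) continue; // scope check
      if (name.startsWith("*.")) { wildcards.add(name); continue; }
      (isExpired ? expired : current).add(name);
    }
  }
  // A host on any valid certificate is current, whatever else it appeared on.
  for (const n of current) expired.delete(n);
  return {
    hosts: [...current].sort(),
    expiredOnly: [...expired].sort(),
    wildcards: [...wildcards].sort(),
  };
}
```

Against a live answer the call is the same after `fetch("https://crt.sh/?q=%25.example.com&output=json").then((r) => r.json())`; passing `now` explicitly keeps the expired/current split reproducible in a report.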
v2026.04.17 April 17, 2026 Feature
  • Penetration Testing Tool: 12 recon methods + 24 scan methods
  • Live Recon: Real DNS/Whois/CT/Shodan queries for actual targets
  • CVE Enrichment: Shodan vulns + circl.lu details in exploit test
  • PowerShell button: clear message for web version (desktop-only)
v2026.04.16 April 16, 2026 Feature
  • Practice Lab: 15 vuln targets + 15 pen targets (Training Simulator)
  • Target Picker: Direct integration into Vulnerability + Pentest Tool
  • Training Banner: Visual indicator for active lab targets
  • URL Launcher: ?target=X&training=1 for one-click entry
  • Dashboard card + footer link to the lab
v2026.04.09 April 09, 2026 Fix
  • Fix - Recon SSE error (falls back to the training mock in the web deployment)
  • Fix - Scan 404 (Phase 2)
  • Fix - PowerShell JSON parse error on an HTML response
v2026.04.01 April 01, 2026 Initial
  • First public web version (Hetzner deployment)
  • Basic tools: audit, vulnerability analysis, pentest
  • User login + admin panel
  • Multi-OS standalone downloads (Windows, Linux, macOS)