From 06bfbd1dca1f7cf8d948bd3f7fb8a770af1fac5e Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.local>
Date: Tue, 12 May 2026 13:49:16 +0200
Subject: [PATCH] feat(use-case-compiler): MC-based compliance questionnaires
 with scoring

Implements the Use-Case Compiler that turns Master Controls into
interactive compliance audits. 5 templates (Vendor Check, SAST/DAST,
DSGVO, NIS2, CRA), deterministic + LLM question generation, scoring
engine with regulation/severity breakdown, and gap detection.

- Backend: 9 API endpoints, 22 unit tests (all pass)
- Frontend: Template selector, questionnaire, result dashboard
- Migration 027: usecase_audits + usecase_answers tables

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../api/sdk/v1/use-case/[[...path]]/route.ts  |  91 +++++
 .../app/sdk/use-case-audit/[auditId]/page.tsx | 247 +++++++++++++
 .../_components/AuditResult.tsx               | 142 +++++++
 .../_components/QuestionnaireView.tsx         | 215 +++++++++++
 .../_components/UseCaseSelector.tsx           | 138 +++++++
 .../app/sdk/use-case-audit/page.tsx           | 208 +++++++++++
 .../sdk/Sidebar/SidebarModuleList.tsx         |  13 +
 .../internal/api/handlers/usecase_handler.go  | 315 ++++++++++++++++
 ai-compliance-sdk/internal/app/app.go         |   5 +-
 ai-compliance-sdk/internal/app/routes.go      |  17 +
 .../internal/usecase/compiler.go              | 191 ++++++++++
 .../internal/usecase/compiler_llm.go          | 134 +++++++
 .../internal/usecase/compiler_llm_test.go     | 102 +++++
 .../internal/usecase/compiler_test.go         | 186 ++++++++++
 .../internal/usecase/gap_detector.go          | 185 ++++++++++
 ai-compliance-sdk/internal/usecase/models.go  | 146 ++++++++
 .../internal/usecase/question_generator.go    |  67 ++++
 ai-compliance-sdk/internal/usecase/scoring.go |  92 +++++
 .../internal/usecase/scoring_test.go          | 173 +++++++++
 ai-compliance-sdk/internal/usecase/store.go   | 347 ++++++++++++++++++
 .../internal/usecase/templates.go             | 105 ++++++
 .../migrations/027_usecase_audits.sql         |  39 ++
 22 files changed, 3157 insertions(+), 1 deletion(-)
 create mode 100644 admin-compliance/app/api/sdk/v1/use-case/[[...path]]/route.ts
 create mode 100644 admin-compliance/app/sdk/use-case-audit/[auditId]/page.tsx
 create mode 100644 admin-compliance/app/sdk/use-case-audit/_components/AuditResult.tsx
 create mode 100644 admin-compliance/app/sdk/use-case-audit/_components/QuestionnaireView.tsx
 create mode 100644 admin-compliance/app/sdk/use-case-audit/_components/UseCaseSelector.tsx
 create mode 100644 admin-compliance/app/sdk/use-case-audit/page.tsx
 create mode 100644 ai-compliance-sdk/internal/api/handlers/usecase_handler.go
 create mode 100644 ai-compliance-sdk/internal/usecase/compiler.go
 create mode 100644 ai-compliance-sdk/internal/usecase/compiler_llm.go
 create mode 100644 ai-compliance-sdk/internal/usecase/compiler_llm_test.go
 create mode 100644 ai-compliance-sdk/internal/usecase/compiler_test.go
 create mode 100644 ai-compliance-sdk/internal/usecase/gap_detector.go
 create mode 100644 ai-compliance-sdk/internal/usecase/models.go
 create mode 100644 ai-compliance-sdk/internal/usecase/question_generator.go
 create mode 100644 ai-compliance-sdk/internal/usecase/scoring.go
 create mode 100644 ai-compliance-sdk/internal/usecase/scoring_test.go
 create mode 100644 ai-compliance-sdk/internal/usecase/store.go
 create mode 100644 ai-compliance-sdk/internal/usecase/templates.go
 create mode 100644 ai-compliance-sdk/migrations/027_usecase_audits.sql

diff --git a/admin-compliance/app/api/sdk/v1/use-case/[[...path]]/route.ts b/admin-compliance/app/api/sdk/v1/use-case/[[...path]]/route.ts
new file mode 100644
index 0000000..497fe3f
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/use-case/[[...path]]/route.ts
@@ -0,0 +1,91 @@
+/**
+ * Use-Case Compiler API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/use-case/* requests to ai-compliance-sdk backend
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/use-case`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '00000000-0000-0000-0000-000000000001'
+    const DEFAULT_USER = '00000000-0000-0000-0000-000000000001'
+
+    headers['X-Tenant-Id'] = request.headers.get('x-tenant-id') || DEFAULT_TENANT
+    headers['X-User-Id'] = request.headers.get('x-user-id') || DEFAULT_USER
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(30000),
+    }
+
+    if (['POST', 'PUT', 'PATCH'].includes(method)) {
+      try {
+        const text = await request.text()
+        if (text && text.trim()) {
+          fetchOptions.body = text
+        }
+      } catch {
+        // Empty body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Use-Case API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
diff --git a/admin-compliance/app/sdk/use-case-audit/[auditId]/page.tsx b/admin-compliance/app/sdk/use-case-audit/[auditId]/page.tsx
new file mode 100644
index 0000000..c0356f2
--- /dev/null
+++ b/admin-compliance/app/sdk/use-case-audit/[auditId]/page.tsx
@@ -0,0 +1,247 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import { useParams } from 'next/navigation'
+import { QuestionnaireView } from '../_components/QuestionnaireView'
+import { AuditResult } from '../_components/AuditResult'
+
+interface Question {
+  id: string
+  mc_id: string
+  mc_name: string
+  question: string
+  question_type: string
+  evidence_required: boolean
+  pass_criteria: string[]
+  fail_criteria: string[]
+  severity: string
+  regulation: string
+  depends_on?: string
+}
+
+interface Audit {
+  id: string
+  tenant_id: string
+  template_id: string
+  name: string
+  target_name: string
+  status: string
+  total_questions: number
+  answered_questions: number
+  compliance_score: number
+  questions: Question[]
+  created_at: string
+  completed_at: string | null
+}
+
+interface Answer {
+  id: string
+  question_id: string
+  mc_id: string
+  value: unknown
+  comment: string
+  evidence_ids: string[]
+  status: string
+  answered_at: string
+}
+
+interface ScoreResult {
+  audit_id: string
+  total_questions: number
+  answered: number
+  passed: number
+  failed: number
+  skipped: number
+  compliance_score: number
+  by_regulation: Record<string, { total: number; passed: number; score: number }>
+  by_severity: Record<string, { total: number; passed: number; failed: number }>
+}
+
+const TENANT_ID = '00000000-0000-0000-0000-000000000001'
+
+export default function AuditDetailPage() {
+  const params = useParams()
+  const auditId = params.auditId as string
+
+  const [audit, setAudit] = useState<Audit | null>(null)
+  const [answers, setAnswers] = useState<Answer[]>([])
+  const [score, setScore] = useState<ScoreResult | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+
+  const loadAudit = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/use-case/audits/${auditId}`, {
+        headers: { 'X-Tenant-ID': TENANT_ID },
+      })
+      if (!res.ok) throw new Error('Audit nicht gefunden')
+      const data = await res.json()
+      setAudit(data.audit)
+      setAnswers(data.answers || [])
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler')
+    } finally {
+      setLoading(false)
+    }
+  }, [auditId])
+
+  useEffect(() => { loadAudit() }, [loadAudit])
+
+  const handleAnswer = async (questionId: string, value: unknown, comment: string) => {
+    if (!audit) return
+    try {
+      const res = await fetch(`/api/sdk/v1/use-case/audits/${auditId}/answer`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Tenant-ID': TENANT_ID,
+        },
+        body: JSON.stringify({
+          question_id: questionId,
+          value,
+          comment,
+          status: 'answered',
+        }),
+      })
+      if (!res.ok) throw new Error('Antwort konnte nicht gespeichert werden')
+      const data = await res.json()
+
+      // Update local state
+      setAnswers(prev => {
+        const idx = prev.findIndex(a => a.question_id === questionId)
+        const newAnswer = data.answer
+        if (idx >= 0) {
+          const copy = [...prev]
+          copy[idx] = newAnswer
+          return copy
+        }
+        return [...prev, newAnswer]
+      })
+
+      if (data.progress) {
+        setAudit(prev => prev ? {
+          ...prev,
+          answered_questions: data.progress.answered,
+          compliance_score: data.progress.compliance_score,
+          status: data.progress.answered >= prev.total_questions ? 'completed' : 'in_progress',
+        } : null)
+      }
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler')
+    }
+  }
+
+  const handleSkip = async (questionId: string) => {
+    if (!audit) return
+    try {
+      await fetch(`/api/sdk/v1/use-case/audits/${auditId}/answer`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Tenant-ID': TENANT_ID,
+        },
+        body: JSON.stringify({
+          question_id: questionId,
+          value: null,
+          status: 'skipped',
+        }),
+      })
+      await loadAudit()
+    } catch { /* ignore */ }
+  }
+
+  const loadScore = async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/use-case/audits/${auditId}/score`, {
+        headers: { 'X-Tenant-ID': TENANT_ID },
+      })
+      if (res.ok) {
+        const data = await res.json()
+        setScore(data)
+      }
+    } catch { /* ignore */ }
+  }
+
+  if (loading) {
+    return (
+      <div className="min-h-screen bg-gray-50 flex items-center justify-center">
+        <div className="text-gray-500">Lade Audit...</div>
+      </div>
+    )
+  }
+
+  if (error || !audit) {
+    return (
+      <div className="min-h-screen bg-gray-50 py-8">
+        <div className="max-w-4xl mx-auto px-4">
+          <div className="bg-red-50 border border-red-200 rounded-lg p-4">
+            <p className="text-red-700">{error || 'Audit nicht gefunden'}</p>
+            <a href="/sdk/use-case-audit" className="text-sm text-red-500 mt-2 underline">
+              Zurueck zur Liste
+            </a>
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  const showResult = audit.status === 'completed' || score !== null
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-4xl mx-auto px-4">
+        {/* Header */}
+        <div className="mb-6 flex items-center justify-between">
+          <div>
+            <a href="/sdk/use-case-audit" className="text-sm text-blue-600 hover:text-blue-800 mb-1 inline-block">
+              &larr; Alle Audits
+            </a>
+            <h1 className="text-2xl font-bold text-gray-900">{audit.name}</h1>
+            {audit.target_name && (
+              <p className="text-gray-600">{audit.target_name}</p>
+            )}
+          </div>
+          <div className="flex items-center gap-3">
+            {/* Progress indicator */}
+            <div className="text-right">
+              <div className="text-sm text-gray-500">
+                {audit.answered_questions} / {audit.total_questions} beantwortet
+              </div>
+              <div className="w-32 h-2 bg-gray-200 rounded-full mt-1">
+                <div
+                  className="h-full bg-blue-500 rounded-full transition-all"
+                  style={{ width: `${audit.total_questions > 0 ? (audit.answered_questions / audit.total_questions) * 100 : 0}%` }}
+                />
+              </div>
+            </div>
+            {audit.answered_questions > 0 && (
+              <button
+                onClick={loadScore}
+                className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 text-sm font-medium"
+              >
+                Ergebnis anzeigen
+              </button>
+            )}
+          </div>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3">
+            <p className="text-red-700 text-sm">{error}</p>
+          </div>
+        )}
+
+        {showResult && score ? (
+          <AuditResult audit={audit} score={score} />
+        ) : (
+          <QuestionnaireView
+            questions={audit.questions}
+            answers={answers}
+            onAnswer={handleAnswer}
+            onSkip={handleSkip}
+          />
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/use-case-audit/_components/AuditResult.tsx b/admin-compliance/app/sdk/use-case-audit/_components/AuditResult.tsx
new file mode 100644
index 0000000..8901566
--- /dev/null
+++ b/admin-compliance/app/sdk/use-case-audit/_components/AuditResult.tsx
@@ -0,0 +1,142 @@
+'use client'
+
+import React from 'react'
+
+interface Audit {
+  id: string
+  name: string
+  target_name: string
+  total_questions: number
+  answered_questions: number
+}
+
+interface ScoreResult {
+  audit_id: string
+  total_questions: number
+  answered: number
+  passed: number
+  failed: number
+  skipped: number
+  compliance_score: number
+  by_regulation: Record<string, { total: number; passed: number; score: number }>
+  by_severity: Record<string, { total: number; passed: number; failed: number }>
+}
+
+interface Props {
+  audit: Audit
+  score: ScoreResult
+}
+
+function scoreColor(score: number): string {
+  if (score >= 80) return 'text-green-600'
+  if (score >= 50) return 'text-yellow-600'
+  return 'text-red-600'
+}
+
+function scoreBg(score: number): string {
+  if (score >= 80) return 'bg-green-100 border-green-200'
+  if (score >= 50) return 'bg-yellow-100 border-yellow-200'
+  return 'bg-red-100 border-red-200'
+}
+
+export function AuditResult({ audit, score }: Props) {
+  const regEntries = Object.entries(score.by_regulation)
+  const sevEntries = Object.entries(score.by_severity)
+
+  return (
+    <div className="space-y-6">
+      {/* Score Overview */}
+      <div className={`rounded-xl border p-6 text-center ${scoreBg(score.compliance_score)}`}>
+        <div className={`text-5xl font-bold ${scoreColor(score.compliance_score)}`}>
+          {Math.round(score.compliance_score)}%
+        </div>
+        <div className="text-gray-600 mt-2">Compliance Score</div>
+        <div className="text-sm text-gray-500 mt-1">
+          {audit.name}{audit.target_name ? ` — ${audit.target_name}` : ''}
+        </div>
+      </div>
+
+      {/* Summary Stats */}
+      <div className="grid grid-cols-4 gap-4">
+        <div className="bg-white rounded-xl border border-gray-200 p-4 text-center">
+          <div className="text-2xl font-bold text-gray-900">{score.answered}</div>
+          <div className="text-xs text-gray-500 mt-1">Beantwortet</div>
+        </div>
+        <div className="bg-white rounded-xl border border-gray-200 p-4 text-center">
+          <div className="text-2xl font-bold text-green-600">{score.passed}</div>
+          <div className="text-xs text-gray-500 mt-1">Bestanden</div>
+        </div>
+        <div className="bg-white rounded-xl border border-gray-200 p-4 text-center">
+          <div className="text-2xl font-bold text-red-600">{score.failed}</div>
+          <div className="text-xs text-gray-500 mt-1">Nicht bestanden</div>
+        </div>
+        <div className="bg-white rounded-xl border border-gray-200 p-4 text-center">
+          <div className="text-2xl font-bold text-gray-400">{score.skipped}</div>
+          <div className="text-xs text-gray-500 mt-1">Uebersprungen</div>
+        </div>
+      </div>
+
+      {/* By Regulation */}
+      {regEntries.length > 0 && (
+        <div className="bg-white rounded-xl border border-gray-200 p-5">
+          <h3 className="font-semibold text-gray-800 mb-4">Nach Regulierung</h3>
+          <div className="space-y-3">
+            {regEntries.map(([reg, data]) => (
+              <div key={reg} className="flex items-center gap-3">
+                <span className="text-sm font-medium text-gray-700 w-32 truncate">{reg}</span>
+                <div className="flex-1 h-3 bg-gray-100 rounded-full overflow-hidden">
+                  <div
+                    className={`h-full rounded-full transition-all ${
+                      data.score >= 80 ? 'bg-green-500' :
+                      data.score >= 50 ? 'bg-yellow-500' : 'bg-red-500'
+                    }`}
+                    style={{ width: `${data.score}%` }}
+                  />
+                </div>
+                <span className={`text-sm font-bold w-12 text-right ${scoreColor(data.score)}`}>
+                  {Math.round(data.score)}%
+                </span>
+                <span className="text-xs text-gray-400 w-16 text-right">
+                  {data.passed}/{data.total}
+                </span>
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+
+      {/* By Severity */}
+      {sevEntries.length > 0 && (
+        <div className="bg-white rounded-xl border border-gray-200 p-5">
+          <h3 className="font-semibold text-gray-800 mb-4">Nach Schweregrad</h3>
+          <div className="grid grid-cols-3 gap-4">
+            {sevEntries.map(([sev, data]) => (
+              <div key={sev} className="text-center">
+                <div className={`text-sm font-medium mb-2 ${
+                  sev === 'HIGH' ? 'text-red-600' :
+                  sev === 'MEDIUM' ? 'text-yellow-600' : 'text-green-600'
+                }`}>
+                  {sev}
+                </div>
+                <div className="text-lg font-bold text-gray-900">{data.passed}/{data.total}</div>
+                <div className="text-xs text-gray-400 mt-0.5">
+                  {data.failed} nicht bestanden
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+
+      {/* Actions */}
+      <div className="flex items-center gap-3">
+        <a
+          href="/sdk/use-case-audit"
+          className="px-4 py-2.5 bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 text-sm font-medium"
+        >
+          Zurueck zur Liste
+        </a>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/use-case-audit/_components/QuestionnaireView.tsx b/admin-compliance/app/sdk/use-case-audit/_components/QuestionnaireView.tsx
new file mode 100644
index 0000000..5de9720
--- /dev/null
+++ b/admin-compliance/app/sdk/use-case-audit/_components/QuestionnaireView.tsx
@@ -0,0 +1,215 @@
+'use client'
+
+import React, { useState, useMemo } from 'react'
+
+interface Question {
+  id: string
+  mc_id: string
+  mc_name: string
+  question: string
+  question_type: string
+  evidence_required: boolean
+  pass_criteria: string[]
+  fail_criteria: string[]
+  severity: string
+  regulation: string
+  depends_on?: string
+}
+
+interface Answer {
+  question_id: string
+  value: unknown
+  comment: string
+  status: string
+}
+
+interface Props {
+  questions: Question[]
+  answers: Answer[]
+  onAnswer: (questionId: string, value: unknown, comment: string) => void
+  onSkip: (questionId: string) => void
+}
+
+const SEVERITY_COLORS: Record<string, string> = {
+  HIGH: 'bg-red-100 text-red-700 border-red-200',
+  MEDIUM: 'bg-yellow-100 text-yellow-700 border-yellow-200',
+  LOW: 'bg-green-100 text-green-700 border-green-200',
+}
+
+export function QuestionnaireView({ questions, answers, onAnswer, onSkip }: Props) {
+  const [comments, setComments] = useState<Record<string, string>>({})
+  const [showCriteria, setShowCriteria] = useState<string | null>(null)
+
+  const answerMap = useMemo(() => {
+    const m: Record<string, Answer> = {}
+    for (const a of answers) { m[a.question_id] = a }
+    return m
+  }, [answers])
+
+  // Filter visible questions (dependency check)
+  const visibleQuestions = useMemo(() => {
+    return questions.filter(q => {
+      if (!q.depends_on) return true
+      const depAnswer = answerMap[q.depends_on]
+      if (!depAnswer) return false
+      return depAnswer.value === true || depAnswer.value === 'yes' || depAnswer.value === 'ja'
+    })
+  }, [questions, answerMap])
+
+  // Group by regulation
+  const grouped = useMemo(() => {
+    const groups: Record<string, Question[]> = {}
+    for (const q of visibleQuestions) {
+      const key = q.regulation || 'Allgemein'
+      if (!groups[key]) groups[key] = []
+      groups[key].push(q)
+    }
+    return groups
+  }, [visibleQuestions])
+
+  return (
+    <div className="space-y-8">
+      {Object.entries(grouped).map(([reg, qs]) => (
+        <div key={reg}>
+          <h2 className="text-lg font-semibold text-gray-800 mb-3 flex items-center gap-2">
+            <span className="px-2.5 py-0.5 bg-blue-100 text-blue-700 rounded text-sm font-medium">
+              {reg}
+            </span>
+            <span className="text-sm text-gray-400 font-normal">
+              {qs.length} Fragen
+            </span>
+          </h2>
+
+          <div className="space-y-3">
+            {qs.map((q, idx) => {
+              const existing = answerMap[q.id]
+              const isAnswered = !!existing && existing.status !== 'skipped'
+              const isSkipped = existing?.status === 'skipped'
+              const isPassed = existing?.value === true || existing?.value === 'yes'
+
+              return (
+                <div
+                  key={q.id}
+                  className={`bg-white rounded-xl border p-5 transition-all ${
+                    isAnswered
+                      ? isPassed
+                        ? 'border-green-200 bg-green-50/30'
+                        : 'border-red-200 bg-red-50/30'
+                      : isSkipped
+                        ? 'border-gray-200 bg-gray-50/50 opacity-60'
+                        : 'border-gray-200 hover:border-blue-200'
+                  }`}
+                >
+                  <div className="flex items-start gap-3">
+                    <span className="text-xs text-gray-400 font-mono mt-1 shrink-0">
+                      {q.id}
+                    </span>
+                    <div className="flex-1 min-w-0">
+                      <div className="flex items-start justify-between gap-2 mb-2">
+                        <p className="text-sm font-medium text-gray-900">{q.question}</p>
+                        <div className="flex items-center gap-1.5 shrink-0">
+                          <span className={`px-2 py-0.5 rounded text-xs font-medium border ${
+                            SEVERITY_COLORS[q.severity] || SEVERITY_COLORS.MEDIUM
+                          }`}>
+                            {q.severity}
+                          </span>
+                          {q.evidence_required && (
+                            <span className="px-2 py-0.5 bg-purple-100 text-purple-700 rounded text-xs">
+                              Nachweis
+                            </span>
+                          )}
+                        </div>
+                      </div>
+
+                      {q.mc_name && (
+                        <p className="text-xs text-gray-400 mb-2">
+                          MC: {q.mc_name} {q.mc_id && `(${q.mc_id})`}
+                        </p>
+                      )}
+
+                      {/* Criteria toggle */}
+                      <button
+                        onClick={() => setShowCriteria(showCriteria === q.id ? null : q.id)}
+                        className="text-xs text-blue-500 hover:text-blue-700 mb-2"
+                      >
+                        {showCriteria === q.id ? 'Kriterien ausblenden' : 'Bewertungskriterien anzeigen'}
+                      </button>
+
+                      {showCriteria === q.id && (
+                        <div className="grid grid-cols-2 gap-3 mb-3 text-xs">
+                          {q.pass_criteria?.length > 0 && (
+                            <div className="bg-green-50 border border-green-100 rounded p-2">
+                              <div className="font-medium text-green-700 mb-1">Pass</div>
+                              {q.pass_criteria.map((c, i) => (
+                                <div key={i} className="text-green-600">{c}</div>
+                              ))}
+                            </div>
+                          )}
+                          {q.fail_criteria?.length > 0 && (
+                            <div className="bg-red-50 border border-red-100 rounded p-2">
+                              <div className="font-medium text-red-700 mb-1">Fail</div>
+                              {q.fail_criteria.map((c, i) => (
+                                <div key={i} className="text-red-600">{c}</div>
+                              ))}
+                            </div>
+                          )}
+                        </div>
+                      )}
+
+                      {/* Answer controls */}
+                      {!isAnswered && !isSkipped && (
+                        <div className="flex items-center gap-2 mt-3">
+                          <button
+                            onClick={() => onAnswer(q.id, true, comments[q.id] || '')}
+                            className="px-4 py-1.5 bg-green-600 text-white rounded-lg hover:bg-green-700 text-sm"
+                          >
+                            Ja
+                          </button>
+                          <button
+                            onClick={() => onAnswer(q.id, false, comments[q.id] || '')}
+                            className="px-4 py-1.5 bg-red-600 text-white rounded-lg hover:bg-red-700 text-sm"
+                          >
+                            Nein
+                          </button>
+                          <button
+                            onClick={() => onSkip(q.id)}
+                            className="px-3 py-1.5 text-gray-400 hover:text-gray-600 text-sm"
+                          >
+                            Ueberspringen
+                          </button>
+                          <input
+                            type="text"
+                            placeholder="Kommentar (optional)"
+                            value={comments[q.id] || ''}
+                            onChange={e => setComments(prev => ({ ...prev, [q.id]: e.target.value }))}
+                            className="flex-1 px-3 py-1.5 border border-gray-200 rounded-lg text-sm focus:ring-1 focus:ring-blue-500"
+                          />
+                        </div>
+                      )}
+
+                      {/* Already answered */}
+                      {isAnswered && (
+                        <div className="flex items-center gap-2 mt-2 text-sm">
+                          <span className={isPassed ? 'text-green-600 font-medium' : 'text-red-600 font-medium'}>
+                            {isPassed ? 'Ja' : 'Nein'}
+                          </span>
+                          {existing.comment && (
+                            <span className="text-gray-400">— {existing.comment}</span>
+                          )}
+                        </div>
+                      )}
+
+                      {isSkipped && (
+                        <div className="text-sm text-gray-400 mt-2">Uebersprungen</div>
+                      )}
+                    </div>
+                  </div>
+                </div>
+              )
+            })}
+          </div>
+        </div>
+      ))}
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/use-case-audit/_components/UseCaseSelector.tsx b/admin-compliance/app/sdk/use-case-audit/_components/UseCaseSelector.tsx
new file mode 100644
index 0000000..1612c60
--- /dev/null
+++ b/admin-compliance/app/sdk/use-case-audit/_components/UseCaseSelector.tsx
@@ -0,0 +1,138 @@
+'use client'
+
+import React, { useState } from 'react'
+
+interface Template {
+  id: string
+  name: string
+  description: string
+  mc_filters: string[]
+  regulations: string[]
+}
+
+interface Props {
+  templates: Template[]
+  onCreateAudit: (templateId: string, name: string, targetName: string) => void
+  loading: boolean
+}
+
+const REG_COLORS: Record<string, string> = {
+  dsgvo: 'bg-purple-100 text-purple-700',
+  nis2: 'bg-orange-100 text-orange-700',
+  cra: 'bg-red-100 text-red-700',
+  owasp: 'bg-yellow-100 text-yellow-700',
+}
+
+export function UseCaseSelector({ templates, onCreateAudit, loading }: Props) {
+  const [selected, setSelected] = useState<Template | null>(null)
+  const [auditName, setAuditName] = useState('')
+  const [targetName, setTargetName] = useState('')
+
+  const handleSelect = (t: Template) => {
+    setSelected(t)
+    setAuditName(t.name)
+    setTargetName('')
+  }
+
+  const handleSubmit = (e: React.FormEvent) => {
+    e.preventDefault()
+    if (!selected || !auditName.trim()) return
+    onCreateAudit(selected.id, auditName.trim(), targetName.trim())
+  }
+
+  return (
+    <div>
+      {!selected ? (
+        <div>
+          <h2 className="text-xl font-semibold text-gray-800 mb-4">Template auswaehlen</h2>
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+            {templates.map(t => (
+              <button
+                key={t.id}
+                onClick={() => handleSelect(t)}
+                className="text-left bg-white rounded-xl shadow-sm border border-gray-200 p-5 hover:shadow-md hover:border-blue-300 transition-all"
+              >
+                <h3 className="font-semibold text-gray-900 mb-2">{t.name}</h3>
+                <p className="text-sm text-gray-600 mb-3 line-clamp-2">{t.description}</p>
+                <div className="flex flex-wrap gap-1.5">
+                  {t.regulations.map(r => (
+                    <span
+                      key={r}
+                      className={`px-2 py-0.5 rounded text-xs font-medium ${REG_COLORS[r] || 'bg-gray-100 text-gray-600'}`}
+                    >
+                      {r.toUpperCase()}
+                    </span>
+                  ))}
+                  <span className="px-2 py-0.5 bg-blue-50 text-blue-600 rounded text-xs">
+                    {t.mc_filters.length} Filter
+                  </span>
+                </div>
+              </button>
+            ))}
+          </div>
+        </div>
+      ) : (
+        <form onSubmit={handleSubmit} className="bg-white rounded-xl shadow-sm border border-gray-200 p-6">
+          <div className="flex items-center gap-3 mb-6">
+            <button
+              type="button"
+              onClick={() => setSelected(null)}
+              className="text-gray-400 hover:text-gray-600"
+            >
+              &larr;
+            </button>
+            <div>
+              <h2 className="text-xl font-semibold text-gray-800">{selected.name}</h2>
+              <p className="text-sm text-gray-500">{selected.description}</p>
+            </div>
+          </div>
+
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">
+                Audit-Name *
+              </label>
+              <input
+                type="text"
+                value={auditName}
+                onChange={e => setAuditName(e.target.value)}
+                placeholder={`z.B. "${selected.name}: Firma XY"`}
+                className="w-full px-4 py-2.5 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent text-sm"
+                required
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">
+                Zielobjekt (optional)
+              </label>
+              <input
+                type="text"
+                value={targetName}
+                onChange={e => setTargetName(e.target.value)}
+                placeholder="z.B. AWS, SAP, Produkt XY"
+                className="w-full px-4 py-2.5 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent text-sm"
+              />
+            </div>
+          </div>
+
+          <div className="mt-6 flex items-center gap-3">
+            <button
+              type="submit"
+              disabled={loading || !auditName.trim()}
+              className="px-6 py-2.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 font-medium text-sm disabled:opacity-50"
+            >
+              {loading ? 'Wird erstellt...' : 'Audit starten'}
+            </button>
+            <button
+              type="button"
+              onClick={() => setSelected(null)}
+              className="px-4 py-2.5 text-gray-600 hover:text-gray-800 text-sm"
+            >
+              Abbrechen
+            </button>
+          </div>
+        </form>
+      )}
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/use-case-audit/page.tsx b/admin-compliance/app/sdk/use-case-audit/page.tsx
new file mode 100644
index 0000000..79b9100
--- /dev/null
+++ b/admin-compliance/app/sdk/use-case-audit/page.tsx
@@ -0,0 +1,208 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import { UseCaseSelector } from './_components/UseCaseSelector'
+
+interface Template {
+  id: string
+  name: string
+  description: string
+  mc_filters: string[]
+  regulations: string[]
+}
+
+interface AuditSummary {
+  id: string
+  template_id: string
+  name: string
+  target_name: string
+  status: string
+  total_questions: number
+  answered_questions: number
+  compliance_score: number
+  created_at: string
+  completed_at: string | null
+}
+
+const TENANT_ID = '00000000-0000-0000-0000-000000000001'
+
+const STATUS_LABELS: Record<string, { label: string; color: string }> = {
+  draft: { label: 'Entwurf', color: 'bg-gray-100 text-gray-700' },
+  in_progress: { label: 'In Bearbeitung', color: 'bg-blue-100 text-blue-700' },
+  completed: { label: 'Abgeschlossen', color: 'bg-green-100 text-green-700' },
+}
+
+export default function UseCaseAuditPage() {
+  const [view, setView] = useState<'list' | 'new'>('list')
+  const [templates, setTemplates] = useState<Template[]>([])
+  const [audits, setAudits] = useState<AuditSummary[]>([])
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState('')
+
+  const loadData = useCallback(async () => {
+    try {
+      const [tRes, aRes] = await Promise.all([
+        fetch('/api/sdk/v1/use-case/templates'),
+        fetch('/api/sdk/v1/use-case/audits', {
+          headers: { 'X-Tenant-ID': TENANT_ID },
+        }),
+      ])
+      if (tRes.ok) {
+        const td = await tRes.json()
+        setTemplates(td.templates || [])
+      }
+      if (aRes.ok) {
+        const ad = await aRes.json()
+        setAudits(ad.audits || [])
+      }
+    } catch { /* ignore */ }
+  }, [])
+
+  useEffect(() => { loadData() }, [loadData])
+
+  const handleCreateAudit = async (templateId: string, name: string, targetName: string) => {
+    setLoading(true)
+    setError('')
+    try {
+      const res = await fetch('/api/sdk/v1/use-case/audits', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Tenant-ID': TENANT_ID,
+        },
+        body: JSON.stringify({
+          template_id: templateId,
+          name,
+          target_name: targetName,
+        }),
+      })
+      if (!res.ok) {
+        const err = await res.json()
+        throw new Error(err.error || 'Audit konnte nicht erstellt werden')
+      }
+      const data = await res.json()
+      window.location.href = `/sdk/use-case-audit/${data.audit.id}`
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-6xl mx-auto px-4">
+        <div className="mb-8 flex items-center justify-between">
+          <div>
+            <h1 className="text-3xl font-bold text-gray-900">Use-Case Audits</h1>
+            <p className="text-gray-600 mt-2">
+              Compliance-Pruefungen aus Master Controls — interaktive Frageboegen mit Scoring.
+            </p>
+          </div>
+          {view === 'list' ? (
+            <button
+              onClick={() => setView('new')}
+              className="px-5 py-2.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 font-medium text-sm"
+            >
+              + Neuen Audit starten
+            </button>
+          ) : (
+            <button
+              onClick={() => setView('list')}
+              className="px-4 py-2 text-sm text-blue-600 hover:text-blue-800 border border-blue-200 rounded-lg hover:bg-blue-50"
+            >
+              Zurueck zur Liste
+            </button>
+          )}
+        </div>
+
+        {error && (
+          <div className="mb-6 bg-red-50 border border-red-200 rounded-lg p-4">
+            <p className="text-red-700">{error}</p>
+            <button onClick={() => setError('')} className="text-sm text-red-500 mt-1 underline">
+              Schliessen
+            </button>
+          </div>
+        )}
+
+        {view === 'new' && (
+          <UseCaseSelector
+            templates={templates}
+            onCreateAudit={handleCreateAudit}
+            loading={loading}
+          />
+        )}
+
+        {view === 'list' && (
+          <div>
+            {audits.length > 0 ? (
+              <div className="space-y-3">
+                {audits.map(a => {
+                  const st = STATUS_LABELS[a.status] || STATUS_LABELS.draft
+                  const progress = a.total_questions > 0
+                    ? Math.round((a.answered_questions / a.total_questions) * 100)
+                    : 0
+                  return (
+                    <a
+                      key={a.id}
+                      href={`/sdk/use-case-audit/${a.id}`}
+                      className="block bg-white rounded-xl shadow-sm border border-gray-200 p-5 hover:shadow-md hover:border-blue-300 transition-all"
+                    >
+                      <div className="flex items-center justify-between">
+                        <div className="flex-1 min-w-0">
+                          <h3 className="font-semibold text-gray-900 truncate">{a.name}</h3>
+                          {a.target_name && (
+                            <p className="text-sm text-gray-500 mt-0.5">{a.target_name}</p>
+                          )}
+                        </div>
+                        <div className="flex items-center gap-3 ml-4">
+                          <span className={`px-3 py-1 rounded-full text-xs font-medium ${st.color}`}>
+                            {st.label}
+                          </span>
+                          <div className="text-right">
+                            <div className="text-sm font-medium text-gray-700">
+                              {a.answered_questions}/{a.total_questions}
+                            </div>
+                            <div className="w-20 h-1.5 bg-gray-200 rounded-full mt-1">
+                              <div
+                                className="h-full bg-blue-500 rounded-full transition-all"
+                                style={{ width: `${progress}%` }}
+                              />
+                            </div>
+                          </div>
+                          {a.status === 'completed' && (
+                            <div className={`text-lg font-bold ${
+                              a.compliance_score >= 80 ? 'text-green-600' :
+                              a.compliance_score >= 50 ? 'text-yellow-600' : 'text-red-600'
+                            }`}>
+                              {Math.round(a.compliance_score)}%
+                            </div>
+                          )}
+                          <span className="text-xs text-gray-400">
+                            {new Date(a.created_at).toLocaleDateString('de-DE')}
+                          </span>
+                        </div>
+                      </div>
+                    </a>
+                  )
+                })}
+              </div>
+            ) : (
+              <div className="text-center py-16 bg-white rounded-xl border border-gray-200">
+                <div className="text-4xl mb-4">&#128203;</div>
+                <h3 className="text-lg font-medium text-gray-700 mb-2">Noch keine Audits</h3>
+                <p className="text-gray-500 mb-6">Starten Sie Ihren ersten Compliance-Audit.</p>
+                <button
+                  onClick={() => setView('new')}
+                  className="px-5 py-2.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 font-medium text-sm"
+                >
+                  Jetzt starten
+                </button>
+              </div>
+            )}
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx b/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
index ed74f90..2f747f1 100644
--- a/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
+++ b/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
@@ -95,6 +95,19 @@ export function SidebarModuleList({ collapsed, projectId, pendingCRCount }: Side
           collapsed={collapsed}
           projectId={projectId}
         />
+        <AdditionalModuleItem
+          href="/sdk/use-case-audit"
+          icon={
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4" />
+            </svg>
+          }
+          label="Use-Case Audits"
+          isActive={pathname?.startsWith('/sdk/use-case-audit') ?? false}
+          collapsed={collapsed}
+          projectId={projectId}
+        />
       </div>
 
       {/* Payment / Terminal */}
diff --git a/ai-compliance-sdk/internal/api/handlers/usecase_handler.go b/ai-compliance-sdk/internal/api/handlers/usecase_handler.go
new file mode 100644
index 0000000..edbf695
--- /dev/null
+++ b/ai-compliance-sdk/internal/api/handlers/usecase_handler.go
@@ -0,0 +1,315 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/llm"
+	"github.com/breakpilot/ai-compliance-sdk/internal/usecase"
+)
+
+// UseCaseHandler handles use-case compiler endpoints.
+type UseCaseHandler struct {
+	store       *usecase.Store
+	compiler    *usecase.Compiler
+	gapDetector *usecase.GapDetector
+	llmGen      *usecase.LLMQuestionGenerator
+}
+
+// NewUseCaseHandler creates a new UseCaseHandler.
+func NewUseCaseHandler(pool *pgxpool.Pool, registry *llm.ProviderRegistry) *UseCaseHandler {
+	store := usecase.NewStore(pool)
+	return &UseCaseHandler{
+		store:       store,
+		compiler:    usecase.NewCompiler(store),
+		gapDetector: usecase.NewGapDetector(store),
+		llmGen:      usecase.NewLLMQuestionGenerator(registry),
+	}
+}
+
+// GetTemplates returns all available use-case templates.
+// GET /sdk/v1/use-case/templates
+func (h *UseCaseHandler) GetTemplates(c *gin.Context) {
+	templates := usecase.TemplateList()
+	c.JSON(http.StatusOK, gin.H{"templates": templates, "total": len(templates)})
+}
+
+// GetTemplate returns a specific template with compiled questions.
+// GET /sdk/v1/use-case/templates/:id
+func (h *UseCaseHandler) GetTemplate(c *gin.Context) {
+	id := c.Param("id")
+	tmpl, ok := usecase.Templates[id]
+	if !ok {
+		c.JSON(http.StatusNotFound, gin.H{"error": "template not found"})
+		return
+	}
+
+	questions, err := h.compiler.Compile(&tmpl)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	tmpl.Questions = questions
+
+	c.JSON(http.StatusOK, gin.H{"template": tmpl})
+}
+
+// Compile generates questions from MC filters ad-hoc.
+// POST /sdk/v1/use-case/compile
+// Optional: "mode": "llm" to use LLM-based generation
+func (h *UseCaseHandler) Compile(c *gin.Context) {
+	var req struct {
+		MCFilters   []string `json:"mc_filters" binding:"required"`
+		Regulations []string `json:"regulations"`
+		Mode        string   `json:"mode"` // "deterministic" (default) or "llm"
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	tmpl := &usecase.Template{
+		ID:          "custom",
+		MCFilters:   req.MCFilters,
+		Regulations: req.Regulations,
+	}
+
+	if req.Mode == "llm" && h.llmGen != nil {
+		// Fetch MCs first, then generate via LLM
+		mcs, err := h.store.FetchMCsByFilters(req.MCFilters)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+			return
+		}
+		questions, err := h.llmGen.GenerateQuestions(mcs, req.Regulations)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+			return
+		}
+		c.JSON(http.StatusOK, gin.H{"questions": questions, "total": len(questions), "mode": "llm"})
+		return
+	}
+
+	questions, err := h.compiler.Compile(tmpl)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"questions": questions, "total": len(questions), "mode": "deterministic"})
+}
+
+// CreateAudit starts a new audit from a template.
+// POST /sdk/v1/use-case/audits
+func (h *UseCaseHandler) CreateAudit(c *gin.Context) {
+	var input usecase.CreateAuditInput
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	tenantID, err := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "X-Tenant-ID required"})
+		return
+	}
+
+	tmpl, ok := usecase.Templates[input.TemplateID]
+	if !ok {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "unknown template_id"})
+		return
+	}
+
+	questions, err := h.compiler.Compile(&tmpl)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	audit := &usecase.Audit{
+		TenantID:       tenantID,
+		TemplateID:     input.TemplateID,
+		Name:           input.Name,
+		TargetName:     input.TargetName,
+		TotalQuestions: len(questions),
+		Questions:      questions,
+	}
+
+	if err := h.store.CreateAudit(audit); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create audit"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"audit": audit})
+}
+
+// ListAudits returns all audits for a tenant.
+// GET /sdk/v1/use-case/audits
+func (h *UseCaseHandler) ListAudits(c *gin.Context) {
+	tenantID, err := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "X-Tenant-ID required"})
+		return
+	}
+
+	audits, err := h.store.ListAudits(tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list audits"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"audits": audits, "total": len(audits)})
+}
+
+// GetAudit returns an audit with questions and answers.
+// GET /sdk/v1/use-case/audits/:id
+func (h *UseCaseHandler) GetAudit(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid audit ID"})
+		return
+	}
+
+	audit, err := h.store.GetAudit(id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "audit not found"})
+		return
+	}
+
+	answers, err := h.store.ListAnswers(id)
+	if err != nil {
+		answers = nil
+	}
+
+	c.JSON(http.StatusOK, gin.H{"audit": audit, "answers": answers})
+}
+
+// AnswerQuestion saves an answer for a question in an audit.
+// POST /sdk/v1/use-case/audits/:id/answer
+func (h *UseCaseHandler) AnswerQuestion(c *gin.Context) {
+	auditID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid audit ID"})
+		return
+	}
+
+	var input usecase.AnswerInput
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Find MC ID from the question
+	audit, err := h.store.GetAudit(auditID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "audit not found"})
+		return
+	}
+
+	var mcID string
+	for _, q := range audit.Questions {
+		if q.ID == input.QuestionID {
+			mcID = q.MCID
+			break
+		}
+	}
+
+	status := usecase.AnswerStatusAnswered
+	if input.Status == "skipped" {
+		status = usecase.AnswerStatusSkipped
+	} else if input.Status == "escalated" {
+		status = usecase.AnswerStatusEscalated
+	}
+
+	answer := &usecase.Answer{
+		AuditID:     auditID,
+		QuestionID:  input.QuestionID,
+		MCID:        mcID,
+		Value:       input.Value,
+		Comment:     input.Comment,
+		EvidenceIDs: input.EvidenceIDs,
+		Status:      status,
+	}
+
+	if err := h.store.SaveAnswer(answer); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to save answer"})
+		return
+	}
+
+	// Update audit counters
+	answers, _ := h.store.ListAnswers(auditID)
+	score := usecase.Score(audit, answers)
+
+	auditStatus := usecase.StatusInProgress
+	if score.Answered >= audit.TotalQuestions {
+		auditStatus = usecase.StatusCompleted
+	}
+	h.store.UpdateAuditScore(auditID, score.Answered, score.ComplianceScore, auditStatus)
+
+	c.JSON(http.StatusOK, gin.H{"answer": answer, "progress": score})
+}
+
+// GetScore calculates and returns the compliance score.
+// GET /sdk/v1/use-case/audits/:id/score
+func (h *UseCaseHandler) GetScore(c *gin.Context) {
+	auditID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid audit ID"})
+		return
+	}
+
+	audit, err := h.store.GetAudit(auditID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "audit not found"})
+		return
+	}
+
+	answers, err := h.store.ListAnswers(auditID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to load answers"})
+		return
+	}
+
+	score := usecase.Score(audit, answers)
+	c.JSON(http.StatusOK, score)
+}
+
+// GetGaps returns missing regulation sources for an audit.
+// GET /sdk/v1/use-case/audits/:id/gaps
+func (h *UseCaseHandler) GetGaps(c *gin.Context) {
+	auditID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid audit ID"})
+		return
+	}
+
+	audit, err := h.store.GetAudit(auditID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "audit not found"})
+		return
+	}
+
+	tmpl, ok := usecase.Templates[audit.TemplateID]
+	if !ok {
+		c.JSON(http.StatusOK, gin.H{"gaps": []interface{}{}, "audit_gaps": []interface{}{}})
+		return
+	}
+
+	// Missing regulation sources (from MC analysis)
+	missingRegs, err := h.gapDetector.DetectMissingRegulations(&tmpl)
+	if err != nil {
+		missingRegs = nil
+	}
+
+	// Audit-specific gaps (from answer analysis)
+	answers, _ := h.store.ListAnswers(auditID)
+	auditGaps := h.gapDetector.DetectAuditGaps(audit, answers)
+
+	c.JSON(http.StatusOK, gin.H{
+		"missing_sources": missingRegs,
+		"audit_gaps":      auditGaps,
+	})
+}
diff --git a/ai-compliance-sdk/internal/app/app.go b/ai-compliance-sdk/internal/app/app.go
index c5ed3f5..f584db5 100644
--- a/ai-compliance-sdk/internal/app/app.go
+++ b/ai-compliance-sdk/internal/app/app.go
@@ -155,6 +155,9 @@ func buildRouter(cfg *config.Config, pool *pgxpool.Pool) *gin.Engine {
 	// Gap Analysis
 	gapHandler := handlers.NewGapHandler(pool)
 
+	// Use-Case Compiler
+	useCaseHandler := handlers.NewUseCaseHandler(pool, providerRegistry)
+
 	rbacMiddleware := rbac.NewMiddleware(rbacService, policyEngine)
 
 	// Router
@@ -179,7 +182,7 @@ func buildRouter(cfg *config.Config, pool *pgxpool.Pool) *gin.Engine {
 		uccaHandlers, escalationHandlers, obligationsHandlers, ragHandlers,
 		roadmapHandlers, workshopHandlers, portfolioHandlers,
 		academyHandlers, trainingHandlers, whistleblowerHandlers, iaceHandler,
-		gapHandler, maximizerHandlers, regulatoryNewsHandlers)
+		gapHandler, maximizerHandlers, regulatoryNewsHandlers, useCaseHandler)
 
 	return router
 }
diff --git a/ai-compliance-sdk/internal/app/routes.go b/ai-compliance-sdk/internal/app/routes.go
index 66b71cd..6c0b385 100644
--- a/ai-compliance-sdk/internal/app/routes.go
+++ b/ai-compliance-sdk/internal/app/routes.go
@@ -29,6 +29,7 @@ func registerRoutes(
 	gapHandler *handlers.GapHandler,
 	maximizerHandlers *handlers.MaximizerHandlers,
 	regulatoryNewsHandlers *handlers.RegulatoryNewsHandlers,
+	useCaseHandler *handlers.UseCaseHandler,
 ) {
 	v1 := router.Group("/sdk/v1")
 	{
@@ -51,6 +52,7 @@ func registerRoutes(
 		registerIACERoutes(v1, iaceHandler)
 		registerGapRoutes(v1, gapHandler)
 		registerMaximizerRoutes(v1, maximizerHandlers)
+		registerUseCaseRoutes(v1, useCaseHandler)
 		v1.GET("/regulatory-news", regulatoryNewsHandlers.GetNews)
 	}
 }
@@ -463,6 +465,21 @@ func registerMaximizerRoutes(v1 *gin.RouterGroup, h *handlers.MaximizerHandlers)
 	}
 }
 
+func registerUseCaseRoutes(v1 *gin.RouterGroup, h *handlers.UseCaseHandler) {
+	uc := v1.Group("/use-case")
+	{
+		uc.GET("/templates", h.GetTemplates)
+		uc.GET("/templates/:id", h.GetTemplate)
+		uc.POST("/compile", h.Compile)
+		uc.POST("/audits", h.CreateAudit)
+		uc.GET("/audits", h.ListAudits)
+		uc.GET("/audits/:id", h.GetAudit)
+		uc.POST("/audits/:id/answer", h.AnswerQuestion)
+		uc.GET("/audits/:id/score", h.GetScore)
+		uc.GET("/audits/:id/gaps", h.GetGaps)
+	}
+}
+
 func registerGapRoutes(v1 *gin.RouterGroup, h *handlers.GapHandler) {
 	g := v1.Group("/gap")
 	{
diff --git a/ai-compliance-sdk/internal/usecase/compiler.go b/ai-compliance-sdk/internal/usecase/compiler.go
new file mode 100644
index 0000000..fd7d36f
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/compiler.go
@@ -0,0 +1,191 @@
+package usecase
+
+import (
+	"fmt"
+	"strings"
+
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+)
+
+// Compiler turns Master Controls into audit questionnaires.
+type Compiler struct {
+	store *Store
+}
+
+// NewCompiler creates a Compiler.
+func NewCompiler(store *Store) *Compiler {
+	return &Compiler{store: store}
+}
+
+// Compile generates questions for a template by combining pre-defined
+// questions, existing doc_check_controls, and MC-derived questions.
+func (c *Compiler) Compile(tmpl *Template) ([]Question, error) {
+	// 1. Start with pre-defined template questions
+	if len(tmpl.Questions) > 0 {
+		return c.enrichWithMCIDs(tmpl)
+	}
+
+	// 2. Fetch MCs matching the template filters
+	mcs, err := c.store.FetchMCsByFilters(tmpl.MCFilters)
+	if err != nil {
+		return nil, fmt.Errorf("fetch MCs: %w", err)
+	}
+	if len(mcs) == 0 {
+		return nil, fmt.Errorf("no Master Controls found for filters %v", tmpl.MCFilters)
+	}
+
+	// 3. Check for existing doc_check_controls questions
+	mcIDs := make([]string, len(mcs))
+	for i, mc := range mcs {
+		mcIDs[i] = mc.MasterControlID
+	}
+
+	checkQuestions, err := c.store.FetchCheckQuestions(mcIDs)
+	if err != nil {
+		return nil, fmt.Errorf("fetch check questions: %w", err)
+	}
+
+	// 4. Generate questions from MCs
+	var questions []Question
+	qNum := 1
+
+	for _, mc := range mcs {
+		// Mode A: Use existing doc_check questions
+		if cqs, ok := checkQuestions[mc.MasterControlID]; ok {
+			for _, cq := range cqs {
+				q := Question{
+					ID:           fmt.Sprintf("Q%d", qNum),
+					MCID:         mc.MasterControlID,
+					MCName:       mc.CanonicalName,
+					Text:         cq.Question,
+					QuestionType: "yes_no",
+					Severity:     normalizeSeverity(cq.Severity),
+					Regulation:   mc.RegSource,
+					PassCriteria: splitCriteria(cq.PassCriteria),
+					FailCriteria: splitCriteria(cq.FailCriteria),
+				}
+				questions = append(questions, q)
+				qNum++
+			}
+			continue
+		}
+
+		// Mode A fallback: Derive question from MC name
+		q := Question{
+			ID:           fmt.Sprintf("Q%d", qNum),
+			MCID:         mc.MasterControlID,
+			MCName:       mc.CanonicalName,
+			Text:         deriveQuestion(mc.CanonicalName),
+			QuestionType: "yes_no",
+			Severity:     inferMCSeverity(mc.CanonicalName),
+			Regulation:   mc.RegSource,
+			PassCriteria: []string{"Anforderung erfuellt und dokumentiert"},
+			FailCriteria: []string{"Nicht implementiert oder nicht nachweisbar"},
+		}
+		questions = append(questions, q)
+		qNum++
+
+		// Cap at a reasonable number
+		if qNum > 50 {
+			break
+		}
+	}
+
+	return questions, nil
+}
+
+// enrichWithMCIDs links pre-defined questions to MCs.
+func (c *Compiler) enrichWithMCIDs(tmpl *Template) ([]Question, error) {
+	mcs, err := c.store.FetchMCsByFilters(tmpl.MCFilters)
+	if err != nil {
+		return tmpl.Questions, nil // fallback to questions without MC linkage
+	}
+
+	mcByTopic := make(map[string]MCInfo)
+	for _, mc := range mcs {
+		mcByTopic[mc.CanonicalName] = mc
+	}
+
+	questions := make([]Question, len(tmpl.Questions))
+	copy(questions, tmpl.Questions)
+
+	// Try to link questions to MCs by keyword matching
+	for i := range questions {
+		if questions[i].MCID != "" {
+			continue
+		}
+		qLower := strings.ToLower(questions[i].Text)
+		for _, mc := range mcs {
+			topic := strings.ReplaceAll(mc.CanonicalName, "_", " ")
+			words := strings.Fields(topic)
+			matched := 0
+			for _, w := range words {
+				if strings.Contains(qLower, w) {
+					matched++
+				}
+			}
+			if matched >= 2 {
+				questions[i].MCID = mc.MasterControlID
+				questions[i].MCName = mc.CanonicalName
+				break
+			}
+		}
+	}
+
+	return questions, nil
+}
+
+// deriveQuestion generates a human-readable question from an MC name.
+func deriveQuestion(canonicalName string) string {
+	readable := strings.ReplaceAll(canonicalName, "_", " ")
+	readable = cases.Title(language.German).String(readable)
+	return fmt.Sprintf("Ist '%s' implementiert und dokumentiert?", readable)
+}
+
+// splitCriteria splits a pipe-separated criteria string.
+func splitCriteria(s string) []string {
+	if s == "" {
+		return nil
+	}
+	parts := strings.Split(s, "|")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			result = append(result, p)
+		}
+	}
+	if len(result) == 0 {
+		return []string{s}
+	}
+	return result
+}
+
+// normalizeSeverity maps doc_check severity to our format.
+func normalizeSeverity(s string) string {
+	s = strings.ToUpper(strings.TrimSpace(s))
+	switch s {
+	case "HIGH", "CRITICAL":
+		return "HIGH"
+	case "MEDIUM":
+		return "MEDIUM"
+	case "LOW":
+		return "LOW"
+	default:
+		return "MEDIUM"
+	}
+}
+
+// inferMCSeverity guesses severity from the MC topic name.
+func inferMCSeverity(name string) string {
+	high := []string{"encryption", "access_control", "incident", "vulnerability",
+		"authentication", "key_management", "data_breach", "personal_data",
+		"consent", "data_transfer"}
+	for _, h := range high {
+		if strings.Contains(name, h) {
+			return "HIGH"
+		}
+	}
+	return "MEDIUM"
+}
diff --git a/ai-compliance-sdk/internal/usecase/compiler_llm.go b/ai-compliance-sdk/internal/usecase/compiler_llm.go
new file mode 100644
index 0000000..31246d3
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/compiler_llm.go
@@ -0,0 +1,134 @@
+package usecase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/llm"
+)
+
+// LLMQuestionGenerator uses an LLM to create questions from MC metadata
+// when no pre-defined questions or doc_check_controls exist (Mode B).
+type LLMQuestionGenerator struct {
+	registry *llm.ProviderRegistry
+}
+
+// NewLLMQuestionGenerator creates a new LLM-based generator.
+func NewLLMQuestionGenerator(registry *llm.ProviderRegistry) *LLMQuestionGenerator {
+	return &LLMQuestionGenerator{registry: registry}
+}
+
+// llmQuestion is the JSON structure we expect from the LLM.
+type llmQuestion struct {
+	Question     string   `json:"question"`
+	PassCriteria []string `json:"pass_criteria"`
+	FailCriteria []string `json:"fail_criteria"`
+	Severity     string   `json:"severity"`
+}
+
+// GenerateQuestions generates questions for a list of MCs using the LLM.
+func (g *LLMQuestionGenerator) GenerateQuestions(mcs []MCInfo, regulations []string) ([]Question, error) {
+	if g.registry == nil {
+		return nil, fmt.Errorf("no LLM provider configured")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 120*time.Second)
+	defer cancel()
+
+	var questions []Question
+	qNum := 1
+
+	for _, mc := range mcs {
+		prompt := buildPrompt(mc, regulations)
+
+		resp, err := g.registry.Chat(ctx, &llm.ChatRequest{
+			Messages: []llm.Message{
+				{Role: "system", Content: systemPrompt},
+				{Role: "user", Content: prompt},
+			},
+			Temperature: 0.3,
+			MaxTokens:   500,
+		})
+		if err != nil {
+			// Fallback to deterministic generation
+			questions = append(questions, GenerateFromMC(mc)...)
+			qNum += len(GenerateFromMC(mc))
+			continue
+		}
+
+		parsed := parseLLMResponse(resp.Message.Content)
+		for _, lq := range parsed {
+			q := Question{
+				ID:           fmt.Sprintf("Q%d", qNum),
+				MCID:         mc.MasterControlID,
+				MCName:       mc.CanonicalName,
+				Text:         lq.Question,
+				QuestionType: "yes_no",
+				Severity:     normalizeSeverity(lq.Severity),
+				Regulation:   mc.RegSource,
+				PassCriteria: lq.PassCriteria,
+				FailCriteria: lq.FailCriteria,
+			}
+			questions = append(questions, q)
+			qNum++
+		}
+
+		// Cap total questions
+		if qNum > 50 {
+			break
+		}
+	}
+
+	return questions, nil
+}
+
+const systemPrompt = `Du bist ein Compliance-Experte. Generiere praezise Prueffragen fuer Compliance-Audits.
+
+Antworte NUR mit einem JSON-Array. Jedes Element hat:
+- "question": Eine klare Ja/Nein-Frage auf Deutsch
+- "pass_criteria": Array mit 1-2 Kriterien fuer "bestanden"
+- "fail_criteria": Array mit 1-2 Kriterien fuer "nicht bestanden"
+- "severity": "HIGH", "MEDIUM" oder "LOW"
+
+Keine Erklaerungen, nur das JSON-Array.`
+
+func buildPrompt(mc MCInfo, regulations []string) string {
+	readable := strings.ReplaceAll(mc.CanonicalName, "_", " ")
+	regStr := strings.Join(regulations, ", ")
+
+	return fmt.Sprintf(
+		`Master Control: "%s" (%d Atomic Controls)
+Regulierungen: %s
+Regulation Source: %s
+
+Generiere 1-2 praezise Prueffragen fuer diesen Master Control.`,
+		readable, mc.TotalControls, regStr, mc.RegSource)
+}
+
+func parseLLMResponse(content string) []llmQuestion {
+	content = strings.TrimSpace(content)
+
+	// Try to find JSON array in the response
+	start := strings.Index(content, "[")
+	end := strings.LastIndex(content, "]")
+	if start >= 0 && end > start {
+		content = content[start : end+1]
+	}
+
+	var questions []llmQuestion
+	if err := json.Unmarshal([]byte(content), &questions); err != nil {
+		return nil
+	}
+
+	// Validate
+	var valid []llmQuestion
+	for _, q := range questions {
+		if q.Question != "" && len(q.PassCriteria) > 0 {
+			valid = append(valid, q)
+		}
+	}
+	return valid
+}
diff --git a/ai-compliance-sdk/internal/usecase/compiler_llm_test.go b/ai-compliance-sdk/internal/usecase/compiler_llm_test.go
new file mode 100644
index 0000000..f6cd693
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/compiler_llm_test.go
@@ -0,0 +1,102 @@
+package usecase
+
+import (
+	"testing"
+)
+
+func TestParseLLMResponse_ValidJSON(t *testing.T) {
+	input := `[
+		{
+			"question": "Ist eine Datenschutz-Folgenabschaetzung durchgefuehrt?",
+			"pass_criteria": ["DSFA dokumentiert"],
+			"fail_criteria": ["Keine DSFA"],
+			"severity": "HIGH"
+		},
+		{
+			"question": "Sind Betroffenenrechte implementiert?",
+			"pass_criteria": ["Prozess vorhanden"],
+			"fail_criteria": ["Kein Prozess"],
+			"severity": "MEDIUM"
+		}
+	]`
+
+	result := parseLLMResponse(input)
+	if len(result) != 2 {
+		t.Fatalf("Expected 2 questions, got %d", len(result))
+	}
+	if result[0].Question != "Ist eine Datenschutz-Folgenabschaetzung durchgefuehrt?" {
+		t.Errorf("Unexpected question: %s", result[0].Question)
+	}
+	if result[0].Severity != "HIGH" {
+		t.Errorf("Expected HIGH severity, got %s", result[0].Severity)
+	}
+}
+
+func TestParseLLMResponse_WithPreamble(t *testing.T) {
+	input := `Hier sind die Prueffragen:
+
+[{"question":"Test?","pass_criteria":["OK"],"fail_criteria":["NOK"],"severity":"LOW"}]
+
+Ich hoffe das hilft.`
+
+	result := parseLLMResponse(input)
+	if len(result) != 1 {
+		t.Fatalf("Expected 1 question from wrapped response, got %d", len(result))
+	}
+}
+
+func TestParseLLMResponse_InvalidJSON(t *testing.T) {
+	result := parseLLMResponse("This is not JSON at all")
+	if result != nil {
+		t.Errorf("Expected nil for invalid JSON, got %v", result)
+	}
+}
+
+func TestParseLLMResponse_EmptyQuestion(t *testing.T) {
+	input := `[
+		{"question":"","pass_criteria":["OK"],"fail_criteria":["NOK"],"severity":"HIGH"},
+		{"question":"Valid?","pass_criteria":["Yes"],"fail_criteria":["No"],"severity":"LOW"}
+	]`
+
+	result := parseLLMResponse(input)
+	if len(result) != 1 {
+		t.Fatalf("Expected 1 valid question (empty filtered), got %d", len(result))
+	}
+	if result[0].Question != "Valid?" {
+		t.Errorf("Unexpected question: %s", result[0].Question)
+	}
+}
+
+func TestBuildPrompt(t *testing.T) {
+	mc := MCInfo{
+		MasterControlID: "MC-123",
+		CanonicalName:   "access_control_mfa",
+		TotalControls:   12,
+		RegSource:       "NIS2",
+	}
+
+	prompt := buildPrompt(mc, []string{"nis2", "dsgvo"})
+
+	if prompt == "" {
+		t.Error("Expected non-empty prompt")
+	}
+	if !contains(prompt, "access control mfa") {
+		t.Error("Prompt should contain readable MC name")
+	}
+	if !contains(prompt, "12 Atomic Controls") {
+		t.Error("Prompt should contain control count")
+	}
+}
+
+func contains(s, sub string) bool {
+	return len(s) >= len(sub) && (s == sub || len(s) > 0 && containsSubstring(s, sub))
+}
+
+func containsSubstring(s, sub string) bool {
+	for i := 0; i+len(sub) <= len(s); i++ {
+		if s[i:i+len(sub)] == sub {
+			return true
+		}
+	}
+	return false
+}
diff --git a/ai-compliance-sdk/internal/usecase/compiler_test.go b/ai-compliance-sdk/internal/usecase/compiler_test.go
new file mode 100644
index 0000000..5ddad29
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/compiler_test.go
@@ -0,0 +1,186 @@
+package usecase
+
+import (
+	"testing"
+)
+
+func TestTemplates_AllPresent(t *testing.T) {
+	expected := []string{
+		"vendor_check_cloud",
+		"sast_dast_audit",
+		"dsgvo_quick_check",
+		"nis2_readiness",
+		"cra_product_check",
+	}
+
+	for _, id := range expected {
+		if _, ok := Templates[id]; !ok {
+			t.Errorf("Template %q missing from Templates map", id)
+		}
+	}
+}
+
+func TestTemplates_HaveQuestions(t *testing.T) {
+	for id, tmpl := range Templates {
+		if len(tmpl.Questions) == 0 {
+			t.Errorf("Template %q has no pre-defined questions", id)
+		}
+		if tmpl.Name == "" {
+			t.Errorf("Template %q has no name", id)
+		}
+		if len(tmpl.MCFilters) == 0 {
+			t.Errorf("Template %q has no MC filters", id)
+		}
+		if len(tmpl.Regulations) == 0 {
+			t.Errorf("Template %q has no regulations", id)
+		}
+	}
+}
+
+func TestTemplates_QuestionIDs_Unique(t *testing.T) {
+	for id, tmpl := range Templates {
+		seen := make(map[string]bool)
+		for _, q := range tmpl.Questions {
+			if seen[q.ID] {
+				t.Errorf("Template %q has duplicate question ID %q", id, q.ID)
+			}
+			seen[q.ID] = true
+		}
+	}
+}
+
+func TestTemplateList_ReturnsAll(t *testing.T) {
+	list := TemplateList()
+	if len(list) != len(Templates) {
+		t.Errorf("TemplateList returned %d, expected %d", len(list), len(Templates))
+	}
+}
+
+func TestDeriveQuestion(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"encryption_at_rest", "Ist 'Encryption At Rest' implementiert und dokumentiert?"},
+		{"access_control", "Ist 'Access Control' implementiert und dokumentiert?"},
+	}
+
+	for _, tt := range tests {
+		got := deriveQuestion(tt.input)
+		if got != tt.want {
+			t.Errorf("deriveQuestion(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestSplitCriteria(t *testing.T) {
+	tests := []struct {
+		input  string
+		expect int
+	}{
+		{"", 0},
+		{"Single criteria", 1},
+		{"A | B | C", 3},
+		{"A|B", 2},
+	}
+
+	for _, tt := range tests {
+		got := splitCriteria(tt.input)
+		if got == nil && tt.expect == 0 {
+			continue
+		}
+		if len(got) != tt.expect {
+			t.Errorf("splitCriteria(%q) returned %d items, want %d", tt.input, len(got), tt.expect)
+		}
+	}
+}
+
+func TestNormalizeSeverity(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"HIGH", "HIGH"},
+		{"high", "HIGH"},
+		{"CRITICAL", "HIGH"},
+		{"medium", "MEDIUM"},
+		{"LOW", "LOW"},
+		{"unknown", "MEDIUM"},
+		{"", "MEDIUM"},
+	}
+
+	for _, tt := range tests {
+		got := normalizeSeverity(tt.input)
+		if got != tt.want {
+			t.Errorf("normalizeSeverity(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestInferMCSeverity(t *testing.T) {
+	tests := []struct {
+		name string
+		want string
+	}{
+		{"encryption_at_rest_aes256", "HIGH"},
+		{"access_control_mfa", "HIGH"},
+		{"incident_response_plan", "HIGH"},
+		{"documentation_management", "MEDIUM"},
+		{"training_awareness", "MEDIUM"},
+	}
+
+	for _, tt := range tests {
+		got := inferMCSeverity(tt.name)
+		if got != tt.want {
+			t.Errorf("inferMCSeverity(%q) = %q, want %q", tt.name, got, tt.want)
+		}
+	}
+}
+
+func TestGenerateFromMC_SmallMC(t *testing.T) {
+	mc := MCInfo{
+		MasterControlID: "MC-123",
+		CanonicalName:   "access_control_basic",
+		TotalControls:   3,
+		RegSource:       "DSGVO",
+	}
+
+	questions := GenerateFromMC(mc)
+	if len(questions) != 1 {
+		t.Errorf("Expected 1 question for small MC, got %d", len(questions))
+	}
+	if questions[0].Severity != "HIGH" {
+		t.Errorf("Expected HIGH severity for access_control, got %s", questions[0].Severity)
+	}
+}
+
+func TestGenerateFromMC_MediumMC(t *testing.T) {
+	mc := MCInfo{
+		MasterControlID: "MC-456",
+		CanonicalName:   "documentation_management",
+		TotalControls:   8,
+		RegSource:       "NIS2",
+	}
+
+	questions := GenerateFromMC(mc)
+	if len(questions) != 2 {
+		t.Errorf("Expected 2 questions for medium MC, got %d", len(questions))
+	}
+	if questions[1].DependsOn == "" {
+		t.Error("Second question should depend on first")
+	}
+}
+
+func TestGenerateFromMC_LargeMC(t *testing.T) {
+	mc := MCInfo{
+		MasterControlID: "MC-789",
+		CanonicalName:   "risk_management_framework",
+		TotalControls:   25,
+		RegSource:       "NIS2",
+	}
+
+	questions := GenerateFromMC(mc)
+	if len(questions) != 3 {
+		t.Errorf("Expected 3 questions for large MC, got %d", len(questions))
+	}
+}
diff --git a/ai-compliance-sdk/internal/usecase/gap_detector.go b/ai-compliance-sdk/internal/usecase/gap_detector.go
new file mode 100644
index 0000000..68ca419
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/gap_detector.go
@@ -0,0 +1,185 @@
+package usecase
+
+import (
+	"fmt"
+	"strings"
+)
+
+// GapDetector identifies missing regulations for a use-case template.
+type GapDetector struct {
+	store *Store
+}
+
+// NewGapDetector creates a GapDetector.
+func NewGapDetector(store *Store) *GapDetector {
+	return &GapDetector{store: store}
+}
+
+// DetectMissingRegulations finds MCs with insufficient source citations.
+func (d *GapDetector) DetectMissingRegulations(tmpl *Template) ([]MissingSource, error) {
+	mcs, err := d.store.FetchMCsByFilters(tmpl.MCFilters)
+	if err != nil {
+		return nil, fmt.Errorf("fetch MCs: %w", err)
+	}
+	if len(mcs) == 0 {
+		return nil, nil
+	}
+
+	mcIDs := make([]string, len(mcs))
+	for i, mc := range mcs {
+		mcIDs[i] = mc.MasterControlID
+	}
+
+	citations, err := d.store.CountMCSourceCitations(mcIDs)
+	if err != nil {
+		return nil, fmt.Errorf("count citations: %w", err)
+	}
+
+	var gaps []MissingSource
+
+	for _, mc := range mcs {
+		citCount := citations[mc.MasterControlID]
+
+		// MC with many controls but few citations → gap
+		if mc.TotalControls > 20 && citCount < 3 {
+			missing := identifyMissingRegulation(mc, tmpl.Regulations)
+			if missing != nil {
+				gaps = append(gaps, *missing)
+			}
+		}
+
+		// MC topic implies a regulation that's not in source citations
+		expectedRegs := expectedRegulations(mc.CanonicalName)
+		for _, expected := range expectedRegs {
+			if !containsRegulation(tmpl.Regulations, expected.regID) {
+				continue
+			}
+			if mc.RegSource == "" || !strings.Contains(mc.RegSource, expected.keyword) {
+				gaps = append(gaps, MissingSource{
+					Regulation:   expected.name,
+					AffectsMCs:   []string{mc.CanonicalName},
+					EstimatedGap: mc.TotalControls / 3,
+					SourceURL:    expected.url,
+					Priority:     expected.priority,
+				})
+			}
+		}
+	}
+
+	return deduplicateGaps(gaps), nil
+}
+
+// DetectAuditGaps checks an audit's answers for regulation-specific gaps.
+func (d *GapDetector) DetectAuditGaps(audit *Audit, answers []Answer) []MissingSource {
+	answerMap := make(map[string]Answer)
+	for _, a := range answers {
+		answerMap[a.QuestionID] = a
+	}
+
+	// Find regulations with many failures
+	failsByReg := make(map[string]int)
+	totalByReg := make(map[string]int)
+
+	for _, q := range audit.Questions {
+		if q.Regulation == "" {
+			continue
+		}
+		totalByReg[q.Regulation]++
+		a, ok := answerMap[q.ID]
+		if ok && !isPassed(a) {
+			failsByReg[q.Regulation]++
+		}
+	}
+
+	var gaps []MissingSource
+	for reg, fails := range failsByReg {
+		total := totalByReg[reg]
+		if total > 0 && float64(fails)/float64(total) > 0.5 {
+			gaps = append(gaps, MissingSource{
+				Regulation:   reg,
+				AffectsMCs:   []string{audit.TemplateID},
+				EstimatedGap: fails,
+				Priority:     "high",
+			})
+		}
+	}
+
+	return gaps
+}
+
+type expectedReg struct {
+	regID    string
+	name     string
+	keyword  string
+	url      string
+	priority string
+}
+
+func expectedRegulations(mcName string) []expectedReg {
+	mappings := []struct {
+		prefix string
+		regs   []expectedReg
+	}{
+		{"data_processing_agreement", []expectedReg{
+			{regID: "dsgvo", name: "DSGVO (EU) 2016/679", keyword: "DSGVO", url: "https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679", priority: "high"},
+		}},
+		{"incident_", []expectedReg{
+			{regID: "nis2", name: "NIS2-Richtlinie (EU) 2022/2555", keyword: "NIS2", url: "https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32022L2555", priority: "high"},
+		}},
+		{"vulnerability_", []expectedReg{
+			{regID: "cra", name: "Cyber Resilience Act (CRA)", keyword: "CRA", url: "https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32024R2847", priority: "high"},
+		}},
+		{"aml_", []expectedReg{
+			{regID: "aml", name: "5. Geldwaescherichtlinie (EU) 2024/1624", keyword: "Geldwaesche", url: "https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32024L1624", priority: "high"},
+		}},
+	}
+
+	var result []expectedReg
+	for _, m := range mappings {
+		if strings.HasPrefix(mcName, m.prefix) {
+			result = append(result, m.regs...)
+		}
+	}
+	return result
+}
+
+func identifyMissingRegulation(mc MCInfo, templateRegs []string) *MissingSource {
+	if mc.RegSource != "" {
+		return nil
+	}
+	return &MissingSource{
+		Regulation:   fmt.Sprintf("Unbekannte Quelle fuer '%s'", mc.CanonicalName),
+		AffectsMCs:   []string{mc.CanonicalName},
+		EstimatedGap: mc.TotalControls,
+		Priority:     "medium",
+	}
+}
+
+func containsRegulation(regs []string, id string) bool {
+	for _, r := range regs {
+		if strings.EqualFold(r, id) {
+			return true
+		}
+	}
+	return true // if template doesn't restrict, always check
+}
+
+func deduplicateGaps(gaps []MissingSource) []MissingSource {
+	seen := make(map[string]*MissingSource)
+	for i := range gaps {
+		key := gaps[i].Regulation
+		if existing, ok := seen[key]; ok {
+			existing.AffectsMCs = append(existing.AffectsMCs, gaps[i].AffectsMCs...)
+			existing.EstimatedGap += gaps[i].EstimatedGap
+		} else {
+			copy := gaps[i]
+			seen[key] = &copy
+		}
+	}
+
+	result := make([]MissingSource, 0, len(seen))
+	for _, g := range seen {
+		result = append(result, *g)
+	}
+	return result
+}
diff --git a/ai-compliance-sdk/internal/usecase/models.go b/ai-compliance-sdk/internal/usecase/models.go
new file mode 100644
index 0000000..a490d15
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/models.go
@@ -0,0 +1,146 @@
+// Package usecase implements the Use-Case Compiler that turns
+// Master Controls into interactive compliance questionnaires.
+package usecase
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// ── Use-Case Template ──────────────────────────────────────────────
+
+// Template defines a reusable compliance audit blueprint.
+type Template struct {
+	ID          string   `json:"id"`
+	Name        string   `json:"name"`
+	Description string   `json:"description"`
+	MCFilters   []string `json:"mc_filters"`
+	Regulations []string `json:"regulations"`
+	Questions   []Question `json:"questions,omitempty"`
+}
+
+// ── Question ───────────────────────────────────────────────────────
+
+// Question is a single compliance check derived from a Master Control.
+type Question struct {
+	ID               string   `json:"id"`
+	MCID             string   `json:"mc_id"`
+	MCName           string   `json:"mc_name"`
+	Text             string   `json:"question"`
+	QuestionType     string   `json:"question_type"`
+	EvidenceRequired bool     `json:"evidence_required"`
+	PassCriteria     []string `json:"pass_criteria"`
+	FailCriteria     []string `json:"fail_criteria"`
+	Severity         string   `json:"severity"`
+	Regulation       string   `json:"regulation"`
+	DependsOn        string   `json:"depends_on,omitempty"`
+}
+
+// ── Audit ──────────────────────────────────────────────────────────
+
+// AuditStatus enumerates the lifecycle of an audit.
+type AuditStatus string
+
+const (
+	StatusDraft      AuditStatus = "draft"
+	StatusInProgress AuditStatus = "in_progress"
+	StatusCompleted  AuditStatus = "completed"
+)
+
+// Audit is a running or completed compliance questionnaire.
+type Audit struct {
+	ID                uuid.UUID   `json:"id"`
+	TenantID          uuid.UUID   `json:"tenant_id"`
+	TemplateID        string      `json:"template_id"`
+	Name              string      `json:"name"`
+	TargetName        string      `json:"target_name,omitempty"`
+	Status            AuditStatus `json:"status"`
+	TotalQuestions    int         `json:"total_questions"`
+	AnsweredQuestions int         `json:"answered_questions"`
+	ComplianceScore   float64     `json:"compliance_score"`
+	Questions         []Question  `json:"questions"`
+	CreatedAt         time.Time   `json:"created_at"`
+	UpdatedAt         time.Time   `json:"updated_at"`
+	CompletedAt       *time.Time  `json:"completed_at,omitempty"`
+}
+
+// ── Answer ─────────────────────────────────────────────────────────
+
+// AnswerStatus enumerates how a question was handled.
+type AnswerStatus string
+
+const (
+	AnswerStatusAnswered  AnswerStatus = "answered"
+	AnswerStatusSkipped   AnswerStatus = "skipped"
+	AnswerStatusEscalated AnswerStatus = "escalated"
+)
+
+// Answer stores a user's response to a single question.
+type Answer struct {
+	ID          uuid.UUID    `json:"id"`
+	AuditID     uuid.UUID    `json:"audit_id"`
+	QuestionID  string       `json:"question_id"`
+	MCID        string       `json:"mc_id,omitempty"`
+	Value       interface{}  `json:"value"`
+	Comment     string       `json:"comment,omitempty"`
+	EvidenceIDs []string     `json:"evidence_ids"`
+	Status      AnswerStatus `json:"status"`
+	AnsweredAt  time.Time    `json:"answered_at"`
+}
+
+// AnswerInput is the request payload for answering a question.
+type AnswerInput struct {
+	QuestionID  string      `json:"question_id" binding:"required"`
+	Value       interface{} `json:"value" binding:"required"`
+	Comment     string      `json:"comment"`
+	EvidenceIDs []string    `json:"evidence_ids"`
+	Status      string      `json:"status"`
+}
+
+// ── Scoring ────────────────────────────────────────────────────────
+
+// ScoreResult is the compliance summary for an audit.
+type ScoreResult struct {
+	AuditID         uuid.UUID  `json:"audit_id"`
+	TotalQuestions  int        `json:"total_questions"`
+	Answered        int        `json:"answered"`
+	Passed          int        `json:"passed"`
+	Failed          int        `json:"failed"`
+	Skipped         int        `json:"skipped"`
+	ComplianceScore float64    `json:"compliance_score"`
+	ByRegulation    map[string]RegulationScore `json:"by_regulation"`
+	BySeverity      map[string]SeverityScore   `json:"by_severity"`
+}
+
+// RegulationScore breaks down results per regulation.
+type RegulationScore struct {
+	Total  int     `json:"total"`
+	Passed int     `json:"passed"`
+	Score  float64 `json:"score"`
+}
+
+// SeverityScore breaks down results per severity.
+type SeverityScore struct {
+	Total  int `json:"total"`
+	Passed int `json:"passed"`
+	Failed int `json:"failed"`
+}
+
+// ── Gap Detection ──────────────────────────────────────────────────
+
+// MissingSource describes a regulation not yet covered by MCs.
+type MissingSource struct {
+	Regulation      string   `json:"regulation"`
+	AffectsMCs      []string `json:"affects_mcs"`
+	EstimatedGap    int      `json:"estimated_controls"`
+	SourceURL       string   `json:"source_url,omitempty"`
+	Priority        string   `json:"priority"`
+}
+
+// CreateAuditInput is the request to start a new audit.
+type CreateAuditInput struct {
+	TemplateID string `json:"template_id" binding:"required"`
+	Name       string `json:"name" binding:"required"`
+	TargetName string `json:"target_name"`
+}
diff --git a/ai-compliance-sdk/internal/usecase/question_generator.go b/ai-compliance-sdk/internal/usecase/question_generator.go
new file mode 100644
index 0000000..9adf06f
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/question_generator.go
@@ -0,0 +1,67 @@
+package usecase
+
+import (
+	"fmt"
+	"strings"
+)
+
+// QuestionGenerator creates questions from MC metadata when no
+// pre-defined questions or doc_check_controls exist (Mode A fallback).
+// For LLM-based generation (Mode B), see compiler_llm.go (Phase 7).
+
+// GenerateFromMC derives 1-3 questions from a single MC.
+func GenerateFromMC(mc MCInfo) []Question {
+	name := mc.CanonicalName
+	readable := strings.ReplaceAll(name, "_", " ")
+
+	var questions []Question
+	qBase := fmt.Sprintf("MC-%s", mc.MasterControlID)
+
+	// Primary question: is the control implemented?
+	questions = append(questions, Question{
+		ID:           qBase + "-1",
+		MCID:         mc.MasterControlID,
+		MCName:       name,
+		Text:         fmt.Sprintf("Ist '%s' in Ihrem Unternehmen implementiert?", readable),
+		QuestionType: "yes_no",
+		Severity:     inferMCSeverity(name),
+		Regulation:   mc.RegSource,
+		PassCriteria: []string{"Massnahme implementiert und aktiv"},
+		FailCriteria: []string{"Nicht implementiert"},
+	})
+
+	// Secondary question: is there documentation?
+	if mc.TotalControls >= 5 {
+		questions = append(questions, Question{
+			ID:           qBase + "-2",
+			MCID:         mc.MasterControlID,
+			MCName:       name,
+			Text:         fmt.Sprintf("Ist '%s' dokumentiert und nachweisbar?", readable),
+			QuestionType: "yes_no",
+			EvidenceRequired: true,
+			Severity:     "MEDIUM",
+			Regulation:   mc.RegSource,
+			PassCriteria: []string{"Dokumentation vorhanden und aktuell"},
+			FailCriteria: []string{"Keine oder veraltete Dokumentation"},
+			DependsOn:    qBase + "-1",
+		})
+	}
+
+	// Tertiary question for large MCs: review cycle
+	if mc.TotalControls >= 15 {
+		questions = append(questions, Question{
+			ID:           qBase + "-3",
+			MCID:         mc.MasterControlID,
+			MCName:       name,
+			Text:         fmt.Sprintf("Wird '%s' regelmaessig ueberprueft und aktualisiert?", readable),
+			QuestionType: "yes_no",
+			Severity:     "LOW",
+			Regulation:   mc.RegSource,
+			PassCriteria: []string{"Regelmaessiger Review-Zyklus definiert"},
+			FailCriteria: []string{"Kein Review-Prozess"},
+			DependsOn:    qBase + "-1",
+		})
+	}
+
+	return questions
+}
diff --git a/ai-compliance-sdk/internal/usecase/scoring.go b/ai-compliance-sdk/internal/usecase/scoring.go
new file mode 100644
index 0000000..98a6e63
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/scoring.go
@@ -0,0 +1,92 @@
+package usecase
+
+// Score calculates a compliance score from answers and questions.
+func Score(audit *Audit, answers []Answer) *ScoreResult {
+	result := &ScoreResult{
+		AuditID:        audit.ID,
+		TotalQuestions: len(audit.Questions),
+		ByRegulation:   make(map[string]RegulationScore),
+		BySeverity:     make(map[string]SeverityScore),
+	}
+
+	answerMap := make(map[string]Answer)
+	for _, a := range answers {
+		answerMap[a.QuestionID] = a
+	}
+
+	for _, q := range audit.Questions {
+		a, answered := answerMap[q.ID]
+		if !answered {
+			continue
+		}
+
+		result.Answered++
+
+		passed := isPassed(a)
+		switch a.Status {
+		case AnswerStatusSkipped:
+			result.Skipped++
+		default:
+			if passed {
+				result.Passed++
+			} else {
+				result.Failed++
+			}
+		}
+
+		// By regulation
+		if q.Regulation != "" {
+			rs := result.ByRegulation[q.Regulation]
+			rs.Total++
+			if passed {
+				rs.Passed++
+			}
+			result.ByRegulation[q.Regulation] = rs
+		}
+
+		// By severity
+		sev := q.Severity
+		if sev == "" {
+			sev = "MEDIUM"
+		}
+		ss := result.BySeverity[sev]
+		ss.Total++
+		if passed {
+			ss.Passed++
+		} else {
+			ss.Failed++
+		}
+		result.BySeverity[sev] = ss
+	}
+
+	// Calculate scores
+	if result.Answered > 0 {
+		answerable := result.Answered - result.Skipped
+		if answerable > 0 {
+			result.ComplianceScore = float64(result.Passed) / float64(answerable) * 100
+		}
+	}
+
+	for reg, rs := range result.ByRegulation {
+		if rs.Total > 0 {
+			rs.Score = float64(rs.Passed) / float64(rs.Total) * 100
+		}
+		result.ByRegulation[reg] = rs
+	}
+
+	return result
+}
+
+// isPassed checks if an answer represents a pass.
+func isPassed(a Answer) bool {
+	switch v := a.Value.(type) {
+	case bool:
+		return v
+	case string:
+		return v == "yes" || v == "true" || v == "ja"
+	case float64:
+		return v > 0
+	default:
+		return false
+	}
+}
diff --git a/ai-compliance-sdk/internal/usecase/scoring_test.go b/ai-compliance-sdk/internal/usecase/scoring_test.go
new file mode 100644
index 0000000..2ba8033
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/scoring_test.go
@@ -0,0 +1,173 @@
+package usecase
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+func TestScore_AllPassed(t *testing.T) {
+	audit := &Audit{
+		ID: uuid.New(),
+		Questions: []Question{
+			{ID: "Q1", Severity: "HIGH", Regulation: "DSGVO"},
+			{ID: "Q2", Severity: "MEDIUM", Regulation: "NIS2"},
+			{ID: "Q3", Severity: "LOW", Regulation: "DSGVO"},
+		},
+	}
+	answers := []Answer{
+		{QuestionID: "Q1", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q2", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q3", Value: true, Status: AnswerStatusAnswered},
+	}
+
+	result := Score(audit, answers)
+
+	if result.ComplianceScore != 100 {
+		t.Errorf("Expected 100%% score, got %.1f%%", result.ComplianceScore)
+	}
+	if result.Passed != 3 {
+		t.Errorf("Expected 3 passed, got %d", result.Passed)
+	}
+	if result.Failed != 0 {
+		t.Errorf("Expected 0 failed, got %d", result.Failed)
+	}
+}
+
+func TestScore_MixedResults(t *testing.T) {
+	audit := &Audit{
+		ID: uuid.New(),
+		Questions: []Question{
+			{ID: "Q1", Severity: "HIGH", Regulation: "DSGVO"},
+			{ID: "Q2", Severity: "HIGH", Regulation: "DSGVO"},
+			{ID: "Q3", Severity: "MEDIUM", Regulation: "NIS2"},
+			{ID: "Q4", Severity: "LOW", Regulation: "NIS2"},
+		},
+	}
+	answers := []Answer{
+		{QuestionID: "Q1", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q2", Value: false, Status: AnswerStatusAnswered},
+		{QuestionID: "Q3", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q4", Value: false, Status: AnswerStatusAnswered},
+	}
+
+	result := Score(audit, answers)
+
+	if result.ComplianceScore != 50 {
+		t.Errorf("Expected 50%% score, got %.1f%%", result.ComplianceScore)
+	}
+	if result.Passed != 2 {
+		t.Errorf("Expected 2 passed, got %d", result.Passed)
+	}
+	if result.Failed != 2 {
+		t.Errorf("Expected 2 failed, got %d", result.Failed)
+	}
+
+	// Check regulation breakdown
+	dsgvo := result.ByRegulation["DSGVO"]
+	if dsgvo.Total != 2 || dsgvo.Passed != 1 {
+		t.Errorf("DSGVO: expected 1/2, got %d/%d", dsgvo.Passed, dsgvo.Total)
+	}
+
+	nis2 := result.ByRegulation["NIS2"]
+	if nis2.Total != 2 || nis2.Passed != 1 {
+		t.Errorf("NIS2: expected 1/2, got %d/%d", nis2.Passed, nis2.Total)
+	}
+}
+
+func TestScore_WithSkipped(t *testing.T) {
+	audit := &Audit{
+		ID: uuid.New(),
+		Questions: []Question{
+			{ID: "Q1", Severity: "HIGH"},
+			{ID: "Q2", Severity: "MEDIUM"},
+		},
+	}
+	answers := []Answer{
+		{QuestionID: "Q1", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q2", Value: nil, Status: AnswerStatusSkipped},
+	}
+
+	result := Score(audit, answers)
+
+	if result.Skipped != 1 {
+		t.Errorf("Expected 1 skipped, got %d", result.Skipped)
+	}
+	if result.ComplianceScore != 100 {
+		t.Errorf("Expected 100%% (1 passed / 1 answerable), got %.1f%%", result.ComplianceScore)
+	}
+}
+
+func TestScore_NoAnswers(t *testing.T) {
+	audit := &Audit{
+		ID: uuid.New(),
+		Questions: []Question{
+			{ID: "Q1", Severity: "HIGH"},
+		},
+	}
+
+	result := Score(audit, nil)
+
+	if result.ComplianceScore != 0 {
+		t.Errorf("Expected 0%% score, got %.1f%%", result.ComplianceScore)
+	}
+	if result.Answered != 0 {
+		t.Errorf("Expected 0 answered, got %d", result.Answered)
+	}
+}
+
+func TestScore_BySeverity(t *testing.T) {
+	audit := &Audit{
+		ID: uuid.New(),
+		Questions: []Question{
+			{ID: "Q1", Severity: "HIGH"},
+			{ID: "Q2", Severity: "HIGH"},
+			{ID: "Q3", Severity: "MEDIUM"},
+		},
+	}
+	answers := []Answer{
+		{QuestionID: "Q1", Value: true, Status: AnswerStatusAnswered},
+		{QuestionID: "Q2", Value: false, Status: AnswerStatusAnswered},
+		{QuestionID: "Q3", Value: true, Status: AnswerStatusAnswered},
+	}
+
+	result := Score(audit, answers)
+
+	high := result.BySeverity["HIGH"]
+	if high.Total != 2 || high.Passed != 1 || high.Failed != 1 {
+		t.Errorf("HIGH: expected 1/2 (1 fail), got %d/%d (%d fail)",
+			high.Passed, high.Total, high.Failed)
+	}
+
+	med := result.BySeverity["MEDIUM"]
+	if med.Total != 1 || med.Passed != 1 {
+		t.Errorf("MEDIUM: expected 1/1, got %d/%d", med.Passed, med.Total)
+	}
+}
+
+func TestIsPassed_BoolValues(t *testing.T) {
+	tests := []struct {
+		name   string
+		value  interface{}
+		expect bool
+	}{
+		{"true bool", true, true},
+		{"false bool", false, false},
+		{"yes string", "yes", true},
+		{"no string", "no", false},
+		{"ja string", "ja", true},
+		{"positive float", float64(1), true},
+		{"zero float", float64(0), false},
+		{"nil value", nil, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := Answer{Value: tt.value, Status: AnswerStatusAnswered}
+			got := isPassed(a)
+			if got != tt.expect {
+				t.Errorf("isPassed(%v) = %v, want %v", tt.value, got, tt.expect)
+			}
+		})
+	}
+}
diff --git a/ai-compliance-sdk/internal/usecase/store.go b/ai-compliance-sdk/internal/usecase/store.go
new file mode 100644
index 0000000..09eacf2
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/store.go
@@ -0,0 +1,347 @@
+package usecase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// Store handles database operations for use-case audits.
+type Store struct {
+	pool *pgxpool.Pool
+}
+
+// NewStore creates a new Store.
+func NewStore(pool *pgxpool.Pool) *Store {
+	return &Store{pool: pool}
+}
+
+// ── Audit CRUD ─────────────────────────────────────────────────────
+
+// CreateAudit inserts a new audit.
+func (s *Store) CreateAudit(a *Audit) error {
+	ctx := context.Background()
+	a.ID = uuid.New()
+	a.CreatedAt = time.Now()
+	a.UpdatedAt = time.Now()
+	a.Status = StatusDraft
+
+	questionsJSON, err := json.Marshal(a.Questions)
+	if err != nil {
+		return fmt.Errorf("marshal questions: %w", err)
+	}
+
+	_, err = s.pool.Exec(ctx, `
+		INSERT INTO compliance.usecase_audits
+			(id, tenant_id, template_id, name, target_name, status,
+			 total_questions, answered_questions, compliance_score,
+			 questions, created_at, updated_at)
+		VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12)`,
+		a.ID, a.TenantID, a.TemplateID, a.Name, a.TargetName,
+		a.Status, a.TotalQuestions, a.AnsweredQuestions, a.ComplianceScore,
+		questionsJSON, a.CreatedAt, a.UpdatedAt,
+	)
+	return err
+}
+
+// GetAudit loads an audit by ID.
+func (s *Store) GetAudit(id uuid.UUID) (*Audit, error) {
+	ctx := context.Background()
+	a := &Audit{}
+	var questionsJSON []byte
+
+	err := s.pool.QueryRow(ctx, `
+		SELECT id, tenant_id, template_id, name, target_name, status,
+			   total_questions, answered_questions, compliance_score,
+			   questions, created_at, updated_at, completed_at
+		FROM compliance.usecase_audits WHERE id = $1`, id,
+	).Scan(
+		&a.ID, &a.TenantID, &a.TemplateID, &a.Name, &a.TargetName,
+		&a.Status, &a.TotalQuestions, &a.AnsweredQuestions,
+		&a.ComplianceScore, &questionsJSON,
+		&a.CreatedAt, &a.UpdatedAt, &a.CompletedAt,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(questionsJSON) > 0 {
+		json.Unmarshal(questionsJSON, &a.Questions)
+	}
+	return a, nil
+}
+
+// ListAudits returns all audits for a tenant.
+func (s *Store) ListAudits(tenantID uuid.UUID) ([]Audit, error) {
+	ctx := context.Background()
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, template_id, name, target_name, status,
+			   total_questions, answered_questions, compliance_score,
+			   created_at, updated_at, completed_at
+		FROM compliance.usecase_audits
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`, tenantID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var audits []Audit
+	for rows.Next() {
+		var a Audit
+		a.TenantID = tenantID
+		if err := rows.Scan(
+			&a.ID, &a.TemplateID, &a.Name, &a.TargetName, &a.Status,
+			&a.TotalQuestions, &a.AnsweredQuestions, &a.ComplianceScore,
+			&a.CreatedAt, &a.UpdatedAt, &a.CompletedAt,
+		); err != nil {
+			return nil, err
+		}
+		audits = append(audits, a)
+	}
+	return audits, nil
+}
+
+// UpdateAuditScore updates the score and status of an audit.
+func (s *Store) UpdateAuditScore(id uuid.UUID, answered int, score float64, status AuditStatus) error {
+	ctx := context.Background()
+	now := time.Now()
+
+	query := `
+		UPDATE compliance.usecase_audits
+		SET answered_questions = $2, compliance_score = $3,
+			status = $4, updated_at = $5`
+
+	args := []interface{}{id, answered, score, status, now}
+	if status == StatusCompleted {
+		query += `, completed_at = $6 WHERE id = $1`
+		args = append(args, now)
+	} else {
+		query += ` WHERE id = $1`
+	}
+
+	_, err := s.pool.Exec(ctx, query, args...)
+	return err
+}
+
+// ── Answer CRUD ────────────────────────────────────────────────────
+
+// SaveAnswer upserts an answer (INSERT ... ON CONFLICT UPDATE).
+func (s *Store) SaveAnswer(a *Answer) error {
+	ctx := context.Background()
+	a.ID = uuid.New()
+	a.AnsweredAt = time.Now()
+
+	answerJSON, err := json.Marshal(map[string]interface{}{
+		"value":   a.Value,
+		"comment": a.Comment,
+	})
+	if err != nil {
+		return fmt.Errorf("marshal answer: %w", err)
+	}
+
+	evidenceJSON, _ := json.Marshal(a.EvidenceIDs)
+
+	_, err = s.pool.Exec(ctx, `
+		INSERT INTO compliance.usecase_answers
+			(id, audit_id, question_id, mc_id, answer, evidence_ids, status, answered_at)
+		VALUES ($1,$2,$3,$4,$5,$6,$7,$8)
+		ON CONFLICT (audit_id, question_id)
+		DO UPDATE SET answer = $5, evidence_ids = $6, status = $7, answered_at = $8`,
+		a.ID, a.AuditID, a.QuestionID, a.MCID,
+		answerJSON, evidenceJSON, a.Status, a.AnsweredAt,
+	)
+	return err
+}
+
+// ListAnswers returns all answers for an audit.
+func (s *Store) ListAnswers(auditID uuid.UUID) ([]Answer, error) {
+	ctx := context.Background()
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, audit_id, question_id, mc_id, answer, evidence_ids, status, answered_at
+		FROM compliance.usecase_answers
+		WHERE audit_id = $1
+		ORDER BY answered_at`, auditID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var answers []Answer
+	for rows.Next() {
+		var a Answer
+		var answerJSON, evidenceJSON []byte
+
+		if err := rows.Scan(
+			&a.ID, &a.AuditID, &a.QuestionID, &a.MCID,
+			&answerJSON, &evidenceJSON, &a.Status, &a.AnsweredAt,
+		); err != nil {
+			return nil, err
+		}
+
+		var payload map[string]interface{}
+		if json.Unmarshal(answerJSON, &payload) == nil {
+			a.Value = payload["value"]
+			if c, ok := payload["comment"].(string); ok {
+				a.Comment = c
+			}
+		}
+		json.Unmarshal(evidenceJSON, &a.EvidenceIDs)
+		answers = append(answers, a)
+	}
+	return answers, nil
+}
+
+// ── MC Queries ─────────────────────────────────────────────────────
+
+// MCInfo holds minimal data about a Master Control for compilation.
+type MCInfo struct {
+	MasterControlID string `json:"master_control_id"`
+	CanonicalName   string `json:"canonical_name"`
+	TotalControls   int    `json:"total_controls"`
+	RegSource       string `json:"regulation_source"`
+}
+
+// FetchMCsByFilters returns MCs whose canonical_name matches any filter pattern.
+func (s *Store) FetchMCsByFilters(filters []string) ([]MCInfo, error) {
+	if len(filters) == 0 {
+		return nil, nil
+	}
+
+	ctx := context.Background()
+
+	// Build LIKE conditions from filter patterns (support trailing *)
+	conditions := make([]string, len(filters))
+	args := make([]interface{}, len(filters))
+	for i, f := range filters {
+		// Convert "third_party_management_*" → "third_party_management_%"
+		pattern := f
+		if len(pattern) > 0 && pattern[len(pattern)-1] == '*' {
+			pattern = pattern[:len(pattern)-1] + "%"
+		}
+		conditions[i] = fmt.Sprintf("mc.canonical_name LIKE $%d", i+1)
+		args[i] = pattern
+	}
+
+	query := fmt.Sprintf(`
+		SELECT DISTINCT mc.master_control_id, mc.canonical_name, mc.total_controls,
+			   COALESCE(
+				 (SELECT pc.source_citation::jsonb->>'source'
+				  FROM compliance.master_control_members mcm2
+				  JOIN compliance.canonical_controls cc2 ON cc2.id = mcm2.control_uuid
+				  LEFT JOIN compliance.canonical_controls pc ON pc.id = cc2.parent_control_uuid
+				  WHERE mcm2.master_control_uuid = mc.id
+					AND pc.source_citation IS NOT NULL
+				  LIMIT 1), ''
+			   ) as regulation_source
+		FROM compliance.master_controls mc
+		WHERE %s
+		ORDER BY mc.total_controls DESC
+		LIMIT 200`,
+		joinOr(conditions))
+
+	rows, err := s.pool.Query(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("fetch MCs: %w", err)
+	}
+	defer rows.Close()
+
+	var mcs []MCInfo
+	for rows.Next() {
+		var m MCInfo
+		if err := rows.Scan(&m.MasterControlID, &m.CanonicalName,
+			&m.TotalControls, &m.RegSource); err != nil {
+			return nil, err
+		}
+		mcs = append(mcs, m)
+	}
+	return mcs, nil
+}
+
+// FetchCheckQuestions loads existing doc_check_controls for MCs.
+func (s *Store) FetchCheckQuestions(mcIDs []string) (map[string][]CheckQuestion, error) {
+	if len(mcIDs) == 0 {
+		return nil, nil
+	}
+
+	ctx := context.Background()
+	rows, err := s.pool.Query(ctx, `
+		SELECT control_id, check_question, pass_criteria, fail_criteria, severity
+		FROM compliance.doc_check_controls
+		WHERE control_id = ANY($1)`, mcIDs)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	result := make(map[string][]CheckQuestion)
+	for rows.Next() {
+		var cq CheckQuestion
+		if err := rows.Scan(&cq.ControlID, &cq.Question,
+			&cq.PassCriteria, &cq.FailCriteria, &cq.Severity); err != nil {
+			return nil, err
+		}
+		result[cq.ControlID] = append(result[cq.ControlID], cq)
+	}
+	return result, nil
+}
+
+// CheckQuestion holds an existing doc_check_control question.
+type CheckQuestion struct {
+	ControlID    string `json:"control_id"`
+	Question     string `json:"check_question"`
+	PassCriteria string `json:"pass_criteria"`
+	FailCriteria string `json:"fail_criteria"`
+	Severity     string `json:"severity"`
+}
+
+// CountMCSourceCitations counts controls with source_citation per MC.
+func (s *Store) CountMCSourceCitations(mcIDs []string) (map[string]int, error) {
+	if len(mcIDs) == 0 {
+		return nil, nil
+	}
+
+	ctx := context.Background()
+	rows, err := s.pool.Query(ctx, `
+		SELECT mc.master_control_id,
+			   COUNT(CASE WHEN cc.source_citation IS NOT NULL
+						  AND cc.source_citation != '' THEN 1 END)
+		FROM compliance.master_controls mc
+		JOIN compliance.master_control_members mcm ON mcm.master_control_uuid = mc.id
+		JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
+		WHERE mc.master_control_id = ANY($1)
+		GROUP BY mc.master_control_id`, mcIDs)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	result := make(map[string]int)
+	for rows.Next() {
+		var id string
+		var count int
+		if err := rows.Scan(&id, &count); err != nil {
+			return nil, err
+		}
+		result[id] = count
+	}
+	return result, nil
+}
+
+func joinOr(conditions []string) string {
+	if len(conditions) == 1 {
+		return conditions[0]
+	}
+	result := "("
+	for i, c := range conditions {
+		if i > 0 {
+			result += " OR "
+		}
+		result += c
+	}
+	return result + ")"
+}
diff --git a/ai-compliance-sdk/internal/usecase/templates.go b/ai-compliance-sdk/internal/usecase/templates.go
new file mode 100644
index 0000000..1ceefbe
--- /dev/null
+++ b/ai-compliance-sdk/internal/usecase/templates.go
@@ -0,0 +1,105 @@
+package usecase
+
+// Templates holds the built-in use-case templates.
+var Templates = map[string]Template{
+	"vendor_check_cloud": {
+		ID:          "vendor_check_cloud",
+		Name:        "Vendor Check (Cloud-Anbieter)",
+		Description: "Prueft Cloud-Anbieter auf DSGVO- und NIS2-Konformitaet: AVV, Drittlandtransfer, Zertifizierungen, Incident Response.",
+		MCFilters:   []string{"third_party_management_*", "data_processing_agreement_*", "data_transfer_*", "vendor_*", "supply_chain_*"},
+		Regulations: []string{"dsgvo", "nis2"},
+		Questions: []Question{
+			{ID: "VC01", Text: "Hat der Anbieter ISO 27001 oder eine vergleichbare Zertifizierung?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Gueltiges ISO 27001 Zertifikat vorhanden"}, FailCriteria: []string{"Kein Zertifikat, nur Selbstauskunft"}, Severity: "HIGH", Regulation: "NIS2"},
+			{ID: "VC02", Text: "Ist ein Auftragsverarbeitungsvertrag (AVV) nach Art. 28 DSGVO geschlossen?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"AVV liegt vor und ist unterschrieben"}, FailCriteria: []string{"Kein AVV vorhanden"}, Severity: "HIGH", Regulation: "DSGVO Art. 28"},
+			{ID: "VC03", Text: "Werden personenbezogene Daten in Drittlaender uebermittelt?", QuestionType: "yes_no", PassCriteria: []string{"Nein, Verarbeitung nur im EWR"}, FailCriteria: []string{"Ja, Drittlandtransfer ohne Absicherung"}, Severity: "HIGH", Regulation: "DSGVO Art. 44-49"},
+			{ID: "VC04", Text: "Gibt es Standardvertragsklauseln (SCC) oder einen Angemessenheitsbeschluss?", QuestionType: "yes_no", EvidenceRequired: true, DependsOn: "VC03", PassCriteria: []string{"SCC der EU-Kommission oder Angemessenheitsbeschluss vorhanden"}, FailCriteria: []string{"Weder SCC noch Angemessenheitsbeschluss"}, Severity: "HIGH", Regulation: "DSGVO Art. 46"},
+			{ID: "VC05", Text: "Hat der Anbieter ein dokumentiertes Schwachstellenmanagement?", QuestionType: "yes_no", PassCriteria: []string{"Schwachstellenmanagement-Prozess dokumentiert"}, FailCriteria: []string{"Kein formaler Prozess"}, Severity: "MEDIUM", Regulation: "NIS2"},
+			{ID: "VC06", Text: "Gibt es einen Incident-Response-Prozess mit definierten Meldefristen?", QuestionType: "yes_no", PassCriteria: []string{"Incident-Response-Plan mit Meldefristen vorhanden"}, FailCriteria: []string{"Kein dokumentierter Prozess"}, Severity: "HIGH", Regulation: "NIS2 Art. 23"},
+			{ID: "VC07", Text: "Sind Sub-Auftragsverarbeiter dokumentiert und genehmigt?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Liste der Sub-Auftragsverarbeiter aktuell und genehmigt"}, FailCriteria: []string{"Keine Uebersicht oder nicht genehmigt"}, Severity: "MEDIUM", Regulation: "DSGVO Art. 28 (2)"},
+			{ID: "VC08", Text: "Unterstuetzt der Anbieter Betroffenenrechte (Auskunft, Loeschung)?", QuestionType: "yes_no", PassCriteria: []string{"Prozess zur Unterstuetzung bei Betroffenenanfragen dokumentiert"}, FailCriteria: []string{"Keine Unterstuetzung vorgesehen"}, Severity: "MEDIUM", Regulation: "DSGVO Art. 28 (3e)"},
+			{ID: "VC09", Text: "Gibt es ein Loeschkonzept mit definierten Aufbewahrungsfristen?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Loeschkonzept mit Fristen vorhanden"}, FailCriteria: []string{"Kein Loeschkonzept"}, Severity: "MEDIUM", Regulation: "DSGVO Art. 17"},
+			{ID: "VC10", Text: "Werden regelmaessige Penetrationstests oder Audits durchgefuehrt?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Jaehrliche Pentests oder SOC2-Bericht"}, FailCriteria: []string{"Keine regelmaessigen Sicherheitspruefungen"}, Severity: "MEDIUM", Regulation: "NIS2"},
+		},
+	},
+
+	"sast_dast_audit": {
+		ID:          "sast_dast_audit",
+		Name:        "SAST/DAST Security Audit",
+		Description: "Prueft Sicherheitspraktiken in der Softwareentwicklung: Secure Coding, Schwachstellenscans, API-Sicherheit.",
+		MCFilters:   []string{"secure_development_*", "vulnerability_*", "input_validation_*", "api_security_*", "code_review_*", "software_testing_*"},
+		Regulations: []string{"cra", "owasp"},
+		Questions: []Question{
+			{ID: "SA01", Text: "Werden SAST-Tools (Static Application Security Testing) in der CI/CD-Pipeline eingesetzt?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"SAST in CI/CD integriert (z.B. Semgrep, SonarQube)"}, FailCriteria: []string{"Kein SAST im Build-Prozess"}, Severity: "HIGH", Regulation: "CRA Annex I"},
+			{ID: "SA02", Text: "Werden DAST-Tools (Dynamic Application Security Testing) regelmaessig ausgefuehrt?", QuestionType: "yes_no", PassCriteria: []string{"DAST mindestens quartalsweise"}, FailCriteria: []string{"Kein DAST"}, Severity: "HIGH", Regulation: "CRA Annex I"},
+			{ID: "SA03", Text: "Gibt es einen Secure-Coding-Standard fuer Entwickler?", QuestionType: "yes_no", PassCriteria: []string{"Dokumentierter Coding-Standard vorhanden"}, FailCriteria: []string{"Kein Standard"}, Severity: "MEDIUM", Regulation: "CRA"},
+			{ID: "SA04", Text: "Werden bekannte Schwachstellen in Dependencies ueberwacht (SCA)?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"SCA/Dependency-Check aktiv (z.B. Dependabot, Snyk)"}, FailCriteria: []string{"Keine Ueberwachung"}, Severity: "HIGH", Regulation: "CRA Annex I"},
+			{ID: "SA05", Text: "Werden API-Endpoints gegen OWASP Top 10 abgesichert?", QuestionType: "yes_no", PassCriteria: []string{"OWASP Top 10 systematisch adressiert"}, FailCriteria: []string{"Keine systematische Absicherung"}, Severity: "HIGH", Regulation: "OWASP"},
+			{ID: "SA06", Text: "Gibt es einen Prozess fuer Security Code Reviews?", QuestionType: "yes_no", PassCriteria: []string{"Pflicht-Review bei sicherheitskritischen Aenderungen"}, FailCriteria: []string{"Kein Review-Prozess"}, Severity: "MEDIUM", Regulation: "CRA"},
+			{ID: "SA07", Text: "Existiert eine SBOM (Software Bill of Materials)?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"SBOM automatisch generiert und aktuell"}, FailCriteria: []string{"Keine SBOM"}, Severity: "HIGH", Regulation: "CRA Art. 13"},
+			{ID: "SA08", Text: "Werden Sicherheitsupdates innerhalb definierter Fristen bereitgestellt?", QuestionType: "yes_no", PassCriteria: []string{"SLA fuer Security-Patches definiert"}, FailCriteria: []string{"Keine definierten Fristen"}, Severity: "HIGH", Regulation: "CRA Annex I"},
+		},
+	},
+
+	"dsgvo_quick_check": {
+		ID:          "dsgvo_quick_check",
+		Name:        "DSGVO Quick-Check",
+		Description: "Schnelle Selbstpruefung der wichtigsten DSGVO-Anforderungen: Verarbeitungsverzeichnis, Betroffenenrechte, DSFA, Einwilligungen.",
+		MCFilters:   []string{"personal_data_*", "consent_*", "data_subject_rights_*", "dpia_*", "data_retention_*", "privacy_*", "data_protection_*"},
+		Regulations: []string{"dsgvo"},
+		Questions: []Question{
+			{ID: "DS01", Text: "Fuehren Sie ein Verarbeitungsverzeichnis nach Art. 30 DSGVO?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Aktuelles Verarbeitungsverzeichnis vorhanden"}, FailCriteria: []string{"Kein oder veraltetes Verzeichnis"}, Severity: "HIGH", Regulation: "DSGVO Art. 30"},
+			{ID: "DS02", Text: "Ist ein Datenschutzbeauftragter (DSB) benannt (falls erforderlich)?", QuestionType: "yes_no", PassCriteria: []string{"DSB benannt und gemeldet"}, FailCriteria: []string{"Kein DSB trotz Pflicht"}, Severity: "HIGH", Regulation: "DSGVO Art. 37"},
+			{ID: "DS03", Text: "Gibt es einen Prozess fuer Betroffenenanfragen (Auskunft, Loeschung, Berichtigung)?", QuestionType: "yes_no", PassCriteria: []string{"Dokumentierter Prozess mit Fristenueberwachung"}, FailCriteria: []string{"Kein Prozess definiert"}, Severity: "HIGH", Regulation: "DSGVO Art. 15-22"},
+			{ID: "DS04", Text: "Werden Einwilligungen nachweisbar eingeholt und dokumentiert?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Consent-Management mit Nachweis"}, FailCriteria: []string{"Keine nachweisbare Einwilligung"}, Severity: "HIGH", Regulation: "DSGVO Art. 7"},
+			{ID: "DS05", Text: "Wurde eine DSFA fuer risikoreiche Verarbeitungen durchgefuehrt?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"DSFA durchgefuehrt und dokumentiert"}, FailCriteria: []string{"Keine DSFA trotz hohem Risiko"}, Severity: "HIGH", Regulation: "DSGVO Art. 35"},
+			{ID: "DS06", Text: "Gibt es eine aktuelle Datenschutzerklaerung auf der Website?", QuestionType: "yes_no", PassCriteria: []string{"DSE aktuell und vollstaendig"}, FailCriteria: []string{"Keine oder veraltete DSE"}, Severity: "MEDIUM", Regulation: "DSGVO Art. 13/14"},
+			{ID: "DS07", Text: "Sind Aufbewahrungsfristen fuer personenbezogene Daten definiert?", QuestionType: "yes_no", PassCriteria: []string{"Loeschkonzept mit Fristen vorhanden"}, FailCriteria: []string{"Keine definierten Fristen"}, Severity: "MEDIUM", Regulation: "DSGVO Art. 5 (1e)"},
+			{ID: "DS08", Text: "Gibt es einen Meldeprozess fuer Datenschutzverletzungen (72h)?", QuestionType: "yes_no", PassCriteria: []string{"Data-Breach-Prozess mit 72h-Frist dokumentiert"}, FailCriteria: []string{"Kein Meldeprozess"}, Severity: "HIGH", Regulation: "DSGVO Art. 33"},
+		},
+	},
+
+	"nis2_readiness": {
+		ID:          "nis2_readiness",
+		Name:        "NIS2 Readiness Check",
+		Description: "Prueft die Bereitschaft fuer NIS2: Risikomanagement, Incident Handling, Netzwerksicherheit, Supply Chain.",
+		MCFilters:   []string{"critical_infrastructure_*", "incident_*", "network_security_*", "risk_management_*", "business_continuity_*", "supply_chain_*"},
+		Regulations: []string{"nis2"},
+		Questions: []Question{
+			{ID: "N201", Text: "Gibt es ein formales Risikomanagement fuer IT-Sicherheit?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Risikomanagement-Framework dokumentiert"}, FailCriteria: []string{"Kein formales Risikomanagement"}, Severity: "HIGH", Regulation: "NIS2 Art. 21 (2a)"},
+			{ID: "N202", Text: "Gibt es einen Incident-Handling-Prozess mit Meldefristen (24h/72h)?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Incident-Response-Plan mit NIS2-konformen Fristen"}, FailCriteria: []string{"Kein oder unvollstaendiger Prozess"}, Severity: "HIGH", Regulation: "NIS2 Art. 23"},
+			{ID: "N203", Text: "Ist ein Business-Continuity-Plan vorhanden und getestet?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"BCP vorhanden und regelmaessig getestet"}, FailCriteria: []string{"Kein BCP oder nie getestet"}, Severity: "HIGH", Regulation: "NIS2 Art. 21 (2c)"},
+			{ID: "N204", Text: "Werden Lieferanten auf Cybersicherheit geprueft?", QuestionType: "yes_no", PassCriteria: []string{"Supply-Chain-Security-Anforderungen definiert"}, FailCriteria: []string{"Keine Lieferantenpruefung"}, Severity: "MEDIUM", Regulation: "NIS2 Art. 21 (2d)"},
+			{ID: "N205", Text: "Ist Multi-Faktor-Authentifizierung fuer kritische Systeme aktiviert?", QuestionType: "yes_no", PassCriteria: []string{"MFA fuer Admin-Zugaenge und VPN"}, FailCriteria: []string{"Kein MFA"}, Severity: "HIGH", Regulation: "NIS2 Art. 21 (2j)"},
+			{ID: "N206", Text: "Werden Mitarbeiter regelmaessig in Cybersicherheit geschult?", QuestionType: "yes_no", PassCriteria: []string{"Jaehrliche Security-Awareness-Schulung"}, FailCriteria: []string{"Keine Schulungen"}, Severity: "MEDIUM", Regulation: "NIS2 Art. 21 (2g)"},
+			{ID: "N207", Text: "Gibt es eine Netzwerksegmentierung fuer kritische Systeme?", QuestionType: "yes_no", PassCriteria: []string{"Netzwerksegmentierung implementiert"}, FailCriteria: []string{"Flat Network ohne Segmentierung"}, Severity: "MEDIUM", Regulation: "NIS2 Art. 21 (2e)"},
+			{ID: "N208", Text: "Ist die Geschaeftsfuehrung ueber NIS2-Pflichten informiert (persoenliche Haftung)?", QuestionType: "yes_no", PassCriteria: []string{"Management-Briefing dokumentiert"}, FailCriteria: []string{"Management nicht informiert"}, Severity: "HIGH", Regulation: "NIS2 Art. 20"},
+		},
+	},
+
+	"cra_product_check": {
+		ID:          "cra_product_check",
+		Name:        "CRA Product Compliance Check",
+		Description: "Prueft digitale Produkte auf Konformitaet mit dem Cyber Resilience Act: Schwachstellen, Updates, Verschluesselung, SBOM.",
+		MCFilters:   []string{"vulnerability_*", "patch_management_*", "encryption_*", "asset_management_inventory*", "secure_development_*", "product_security_*"},
+		Regulations: []string{"cra"},
+		Questions: []Question{
+			{ID: "CR01", Text: "Wird das Produkt ohne bekannte ausnutzbare Schwachstellen ausgeliefert?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"Schwachstellenscan vor Release, keine kritischen CVEs"}, FailCriteria: []string{"Bekannte Schwachstellen bei Auslieferung"}, Severity: "HIGH", Regulation: "CRA Annex I (1)"},
+			{ID: "CR02", Text: "Gibt es einen Security-Update-Mechanismus fuer das Produkt?", QuestionType: "yes_no", PassCriteria: []string{"Automatische oder manuelle Update-Funktion vorhanden"}, FailCriteria: []string{"Kein Update-Mechanismus"}, Severity: "HIGH", Regulation: "CRA Annex I (2)"},
+			{ID: "CR03", Text: "Werden Daten bei Uebertragung und Speicherung verschluesselt?", QuestionType: "yes_no", PassCriteria: []string{"TLS/HTTPS + verschluesselte Speicherung"}, FailCriteria: []string{"Unverschluesselte Kommunikation oder Speicherung"}, Severity: "HIGH", Regulation: "CRA Annex I (3d)"},
+			{ID: "CR04", Text: "Existiert eine SBOM (Software Bill of Materials) fuer das Produkt?", QuestionType: "yes_no", EvidenceRequired: true, PassCriteria: []string{"SBOM vorhanden und automatisch generiert"}, FailCriteria: []string{"Keine SBOM"}, Severity: "HIGH", Regulation: "CRA Art. 13 (15)"},
+			{ID: "CR05", Text: "Werden Security-Patches mindestens 5 Jahre nach Verkaufsende bereitgestellt?", QuestionType: "yes_no", PassCriteria: []string{"Support-Zeitraum >= 5 Jahre dokumentiert"}, FailCriteria: []string{"Kuerzerer oder kein definierter Support"}, Severity: "HIGH", Regulation: "CRA Art. 13 (8)"},
+			{ID: "CR06", Text: "Ist das Produkt standardmaessig sicher konfiguriert (Secure by Default)?", QuestionType: "yes_no", PassCriteria: []string{"Default-Konfiguration gehaertet"}, FailCriteria: []string{"Unsichere Defaults (z.B. Standard-Passwoerter)"}, Severity: "HIGH", Regulation: "CRA Annex I (3a)"},
+			{ID: "CR07", Text: "Gibt es eine Kontaktmoeglichkeit fuer Schwachstellenmeldungen?", QuestionType: "yes_no", PassCriteria: []string{"security.txt oder Vulnerability Disclosure Policy"}, FailCriteria: []string{"Keine Meldemoelichkeit"}, Severity: "MEDIUM", Regulation: "CRA Art. 13 (6)"},
+			{ID: "CR08", Text: "Werden Schwachstellen innerhalb von 24h an ENISA gemeldet (bei aktiver Ausnutzung)?", QuestionType: "yes_no", PassCriteria: []string{"Meldeprozess mit 24h-Frist dokumentiert"}, FailCriteria: []string{"Kein Meldeprozess"}, Severity: "HIGH", Regulation: "CRA Art. 14"},
+		},
+	},
+}
+
+// TemplateList returns all templates as a slice.
+func TemplateList() []Template {
+	list := make([]Template, 0, len(Templates))
+	for _, t := range Templates {
+		list = append(list, t)
+	}
+	return list
+}
diff --git a/ai-compliance-sdk/migrations/027_usecase_audits.sql b/ai-compliance-sdk/migrations/027_usecase_audits.sql
new file mode 100644
index 0000000..b7694c5
--- /dev/null
+++ b/ai-compliance-sdk/migrations/027_usecase_audits.sql
@@ -0,0 +1,39 @@
+-- Use-Case Compiler: Audits + Answers
+-- Turns Master Controls into interactive questionnaires
+
+CREATE TABLE IF NOT EXISTS compliance.usecase_audits (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    template_id VARCHAR(100) NOT NULL,
+    name VARCHAR(200) NOT NULL,
+    target_name VARCHAR(200),
+    status VARCHAR(20) DEFAULT 'draft',
+    total_questions INT DEFAULT 0,
+    answered_questions INT DEFAULT 0,
+    compliance_score FLOAT DEFAULT 0,
+    questions JSONB DEFAULT '[]',
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    completed_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_usecase_audits_tenant
+    ON compliance.usecase_audits (tenant_id);
+CREATE INDEX IF NOT EXISTS idx_usecase_audits_template
+    ON compliance.usecase_audits (template_id);
+
+CREATE TABLE IF NOT EXISTS compliance.usecase_answers (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    audit_id UUID NOT NULL REFERENCES compliance.usecase_audits(id) ON DELETE CASCADE,
+    question_id VARCHAR(50) NOT NULL,
+    mc_id VARCHAR(50),
+    answer JSONB NOT NULL,
+    evidence_ids JSONB DEFAULT '[]',
+    status VARCHAR(20) DEFAULT 'answered',
+    answered_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_usecase_answers_audit
+    ON compliance.usecase_answers (audit_id);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_usecase_answers_unique
+    ON compliance.usecase_answers (audit_id, question_id);