feat: Domain-Fragen fuer 10 weitere Domains (14 total)

10 neue Context-Structs + Field-Resolver + ~30 YAML-Regeln + Frontend:
- Legal/Justice: Rechtsberatung, Urteilsprognose, Mandantengeheimnis
- Public Sector: Verwaltungsentscheidungen, Leistungsverteilung, FRIA
- Critical Infra: Netzsteuerung, Sicherheitskritisch, Redundanz
- Automotive: Autonomes Fahren, ADAS, ISO 26262
- Retail/E-Commerce: Preise, Scoring, Dark Patterns
- IT/Cybersecurity: Surveillance, Threat Detection, Log-Retention
- Logistics: Fahrer-Tracking, Workload-Scoring
- Construction: Mieterauswahl, Arbeitsschutz
- Marketing/Media: Deepfakes=BLOCK, Minderjaehrige, Targeting
- Manufacturing: Maschinensicherheit=BLOCK, CE-Kennzeichnung

Domains mit Fragen: 14 von 39 (36%)
YAML-Regeln total: ~44 (14 vorher + 30 neu)
BLOCK-Regeln: Deepfakes ungekennzeichnet, Maschinensicherheit unvalidiert,
              Kritische Infra ohne Redundanz

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/internal/ucca/models.go

@@ -223,9 +223,19 @@ type UseCaseIntake struct {
 	WorksCouncilConsulted bool `json:"works_council_consulted,omitempty"` // Works council has been consulted
 
 	// Domain-specific contexts (AI Act Annex III high-risk domains)
-	HRContext         *HRContext         `json:"hr_context,omitempty"`
-	EducationContext  *EducationContext  `json:"education_context,omitempty"`
-	HealthcareContext *HealthcareContext `json:"healthcare_context,omitempty"`
+	HRContext            *HRContext            `json:"hr_context,omitempty"`
+	EducationContext     *EducationContext     `json:"education_context,omitempty"`
+	HealthcareContext    *HealthcareContext    `json:"healthcare_context,omitempty"`
+	LegalContext         *LegalContext         `json:"legal_context,omitempty"`
+	PublicSectorContext  *PublicSectorContext  `json:"public_sector_context,omitempty"`
+	CriticalInfraContext *CriticalInfraContext `json:"critical_infra_context,omitempty"`
+	AutomotiveContext    *AutomotiveContext    `json:"automotive_context,omitempty"`
+	RetailContext        *RetailContext        `json:"retail_context,omitempty"`
+	ITSecurityContext    *ITSecurityContext    `json:"it_security_context,omitempty"`
+	LogisticsContext     *LogisticsContext     `json:"logistics_context,omitempty"`
+	ConstructionContext  *ConstructionContext  `json:"construction_context,omitempty"`
+	MarketingContext     *MarketingContext     `json:"marketing_context,omitempty"`
+	ManufacturingContext *ManufacturingContext `json:"manufacturing_context,omitempty"`
 
 	// Opt-in to store raw text (otherwise only hash)
 	StoreRawText bool `json:"store_raw_text,omitempty"`
@@ -262,6 +272,93 @@ type HealthcareContext struct {
 	ClinicalValidation   bool `json:"clinical_validation"`       // Klinisch validiert
 }
 
+// LegalContext captures legal/justice-specific compliance data (AI Act Annex III Nr. 8)
+type LegalContext struct {
+	LegalAdvice          bool `json:"legal_advice"`           // KI gibt Rechtsberatung
+	ContractAnalysis     bool `json:"contract_analysis"`      // KI analysiert Vertraege
+	CourtPrediction      bool `json:"court_prediction"`       // KI prognostiziert Urteile
+	AccessToJustice      bool `json:"access_to_justice"`      // KI beeinflusst Zugang zu Recht
+	ClientConfidential   bool `json:"client_confidential"`    // Mandantengeheimnis betroffen
+}
+
+// PublicSectorContext captures public sector compliance data (Art. 27 FRIA)
+type PublicSectorContext struct {
+	AdminDecision        bool `json:"admin_decision"`         // KI beeinflusst Verwaltungsentscheidungen
+	CitizenService       bool `json:"citizen_service"`        // KI in Buergerservices
+	BenefitAllocation    bool `json:"benefit_allocation"`     // KI verteilt Leistungen/Mittel
+	PublicSafety         bool `json:"public_safety"`          // KI in oeffentlicher Sicherheit
+	TransparencyEnsured  bool `json:"transparency_ensured"`   // Transparenz gegenueber Buergern
+}
+
+// CriticalInfraContext captures critical infrastructure data (NIS2 + Annex III Nr. 2)
+type CriticalInfraContext struct {
+	GridControl          bool `json:"grid_control"`           // KI steuert Netz/Infrastruktur
+	SafetyCritical       bool `json:"safety_critical"`        // Sicherheitskritische Steuerung
+	AnomalyDetection     bool `json:"anomaly_detection"`      // KI erkennt Anomalien
+	RedundancyExists     bool `json:"redundancy_exists"`      // Redundante Systeme vorhanden
+	IncidentResponse     bool `json:"incident_response"`      // Incident Response Plan vorhanden
+}
+
+// AutomotiveContext captures automotive/aerospace safety data
+type AutomotiveContext struct {
+	AutonomousDriving    bool `json:"autonomous_driving"`     // Autonomes Fahren / ADAS
+	SafetyRelevant       bool `json:"safety_relevant"`        // Sicherheitsrelevante Funktion
+	TypeApprovalNeeded   bool `json:"type_approval_needed"`   // Typgenehmigung erforderlich
+	FunctionalSafety     bool `json:"functional_safety"`      // ISO 26262 relevant
+}
+
+// RetailContext captures retail/e-commerce compliance data
+type RetailContext struct {
+	PricingPersonalized  bool `json:"pricing_personalized"`   // Personalisierte Preise
+	CustomerProfiling    bool `json:"customer_profiling"`     // Kundenprofilbildung
+	RecommendationEngine bool `json:"recommendation_engine"`  // Empfehlungssystem
+	CreditScoring        bool `json:"credit_scoring"`         // Bonitaetspruefung bei Kauf
+	DarkPatterns         bool `json:"dark_patterns"`          // Manipulative UI-Muster moeglich
+}
+
+// ITSecurityContext captures IT/cybersecurity/telecom data
+type ITSecurityContext struct {
+	EmployeeSurveillance bool `json:"employee_surveillance"`  // Mitarbeiterueberwachung
+	NetworkMonitoring    bool `json:"network_monitoring"`     // Netzwerkueberwachung
+	ThreatDetection      bool `json:"threat_detection"`       // Bedrohungserkennung
+	AccessControl        bool `json:"access_control_ai"`      // KI-gestuetzte Zugriffskontrolle
+	DataRetention        bool `json:"data_retention_logs"`    // Umfangreiche Log-Speicherung
+}
+
+// LogisticsContext captures logistics/transport compliance data
+type LogisticsContext struct {
+	DriverTracking       bool `json:"driver_tracking"`        // Fahrer-/Kurier-Tracking
+	RouteOptimization    bool `json:"route_optimization"`     // Routenoptimierung mit Personenbezug
+	WorkloadScoring      bool `json:"workload_scoring"`       // Leistungsbewertung Lagerarbeiter
+	PredictiveMaint      bool `json:"predictive_maintenance"` // Vorausschauende Wartung
+}
+
+// ConstructionContext captures construction/real estate data
+type ConstructionContext struct {
+	SafetyMonitoring     bool `json:"safety_monitoring"`      // Baustellensicherheit per KI
+	TenantScreening      bool `json:"tenant_screening"`       // KI-gestuetzte Mieterauswahl
+	BuildingAutomation   bool `json:"building_automation"`    // Gebaeudesteuerung
+	WorkerSafety         bool `json:"worker_safety"`          // Arbeitsschutzueberwachung
+}
+
+// MarketingContext captures marketing/media compliance data
+type MarketingContext struct {
+	DeepfakeContent      bool `json:"deepfake_content"`       // Synthetische Inhalte (Deepfakes)
+	ContentModeration    bool `json:"content_moderation"`     // Automatische Inhaltsmoderation
+	BehavioralTargeting  bool `json:"behavioral_targeting"`   // Verhaltensbasiertes Targeting
+	MinorsTargeted       bool `json:"minors_targeted"`        // Minderjaehrige als Zielgruppe
+	AIContentLabeled     bool `json:"ai_content_labeled"`     // KI-Inhalte als solche gekennzeichnet
+}
+
+// ManufacturingContext captures manufacturing/CE safety data
+type ManufacturingContext struct {
+	MachineSafety        bool `json:"machine_safety"`         // Maschinensicherheit
+	QualityControl       bool `json:"quality_control"`        // KI in Qualitaetskontrolle
+	ProcessControl       bool `json:"process_control"`        // KI steuert Fertigungsprozess
+	CEMarkingRequired    bool `json:"ce_marking_required"`    // CE-Kennzeichnung erforderlich
+	SafetyValidated      bool `json:"safety_validated"`       // Sicherheitsvalidierung durchgefuehrt
+}
+
 // DataTypes specifies what kinds of data are processed
 type DataTypes struct {
 	PersonalData     bool `json:"personal_data"`

ai-compliance-sdk/internal/ucca/policy_engine.go

@@ -482,6 +482,56 @@ func (e *PolicyEngine) getFieldValue(field string, intake *UseCaseIntake) interf
 			return nil
 		}
 		return e.getHealthcareContextValue(parts[1], intake)
+	case "legal_context":
+		if len(parts) < 2 || intake.LegalContext == nil {
+			return nil
+		}
+		return e.getLegalContextValue(parts[1], intake)
+	case "public_sector_context":
+		if len(parts) < 2 || intake.PublicSectorContext == nil {
+			return nil
+		}
+		return e.getPublicSectorContextValue(parts[1], intake)
+	case "critical_infra_context":
+		if len(parts) < 2 || intake.CriticalInfraContext == nil {
+			return nil
+		}
+		return e.getCriticalInfraContextValue(parts[1], intake)
+	case "automotive_context":
+		if len(parts) < 2 || intake.AutomotiveContext == nil {
+			return nil
+		}
+		return e.getAutomotiveContextValue(parts[1], intake)
+	case "retail_context":
+		if len(parts) < 2 || intake.RetailContext == nil {
+			return nil
+		}
+		return e.getRetailContextValue(parts[1], intake)
+	case "it_security_context":
+		if len(parts) < 2 || intake.ITSecurityContext == nil {
+			return nil
+		}
+		return e.getITSecurityContextValue(parts[1], intake)
+	case "logistics_context":
+		if len(parts) < 2 || intake.LogisticsContext == nil {
+			return nil
+		}
+		return e.getLogisticsContextValue(parts[1], intake)
+	case "construction_context":
+		if len(parts) < 2 || intake.ConstructionContext == nil {
+			return nil
+		}
+		return e.getConstructionContextValue(parts[1], intake)
+	case "marketing_context":
+		if len(parts) < 2 || intake.MarketingContext == nil {
+			return nil
+		}
+		return e.getMarketingContextValue(parts[1], intake)
+	case "manufacturing_context":
+		if len(parts) < 2 || intake.ManufacturingContext == nil {
+			return nil
+		}
+		return e.getManufacturingContextValue(parts[1], intake)
 	}
 
 	return nil
@@ -552,6 +602,123 @@ func (e *PolicyEngine) getHealthcareContextValue(field string, intake *UseCaseIn
 	return nil
 }
 
+func (e *PolicyEngine) getLegalContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.LegalContext == nil { return nil }
+	switch field {
+	case "legal_advice": return intake.LegalContext.LegalAdvice
+	case "contract_analysis": return intake.LegalContext.ContractAnalysis
+	case "court_prediction": return intake.LegalContext.CourtPrediction
+	case "access_to_justice": return intake.LegalContext.AccessToJustice
+	case "client_confidential": return intake.LegalContext.ClientConfidential
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getPublicSectorContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.PublicSectorContext == nil { return nil }
+	switch field {
+	case "admin_decision": return intake.PublicSectorContext.AdminDecision
+	case "citizen_service": return intake.PublicSectorContext.CitizenService
+	case "benefit_allocation": return intake.PublicSectorContext.BenefitAllocation
+	case "public_safety": return intake.PublicSectorContext.PublicSafety
+	case "transparency_ensured": return intake.PublicSectorContext.TransparencyEnsured
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getCriticalInfraContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.CriticalInfraContext == nil { return nil }
+	switch field {
+	case "grid_control": return intake.CriticalInfraContext.GridControl
+	case "safety_critical": return intake.CriticalInfraContext.SafetyCritical
+	case "anomaly_detection": return intake.CriticalInfraContext.AnomalyDetection
+	case "redundancy_exists": return intake.CriticalInfraContext.RedundancyExists
+	case "incident_response": return intake.CriticalInfraContext.IncidentResponse
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getAutomotiveContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.AutomotiveContext == nil { return nil }
+	switch field {
+	case "autonomous_driving": return intake.AutomotiveContext.AutonomousDriving
+	case "safety_relevant": return intake.AutomotiveContext.SafetyRelevant
+	case "type_approval_needed": return intake.AutomotiveContext.TypeApprovalNeeded
+	case "functional_safety": return intake.AutomotiveContext.FunctionalSafety
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getRetailContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.RetailContext == nil { return nil }
+	switch field {
+	case "pricing_personalized": return intake.RetailContext.PricingPersonalized
+	case "customer_profiling": return intake.RetailContext.CustomerProfiling
+	case "recommendation_engine": return intake.RetailContext.RecommendationEngine
+	case "credit_scoring": return intake.RetailContext.CreditScoring
+	case "dark_patterns": return intake.RetailContext.DarkPatterns
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getITSecurityContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ITSecurityContext == nil { return nil }
+	switch field {
+	case "employee_surveillance": return intake.ITSecurityContext.EmployeeSurveillance
+	case "network_monitoring": return intake.ITSecurityContext.NetworkMonitoring
+	case "threat_detection": return intake.ITSecurityContext.ThreatDetection
+	case "access_control_ai": return intake.ITSecurityContext.AccessControl
+	case "data_retention_logs": return intake.ITSecurityContext.DataRetention
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getLogisticsContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.LogisticsContext == nil { return nil }
+	switch field {
+	case "driver_tracking": return intake.LogisticsContext.DriverTracking
+	case "route_optimization": return intake.LogisticsContext.RouteOptimization
+	case "workload_scoring": return intake.LogisticsContext.WorkloadScoring
+	case "predictive_maintenance": return intake.LogisticsContext.PredictiveMaint
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getConstructionContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ConstructionContext == nil { return nil }
+	switch field {
+	case "safety_monitoring": return intake.ConstructionContext.SafetyMonitoring
+	case "tenant_screening": return intake.ConstructionContext.TenantScreening
+	case "building_automation": return intake.ConstructionContext.BuildingAutomation
+	case "worker_safety": return intake.ConstructionContext.WorkerSafety
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getMarketingContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.MarketingContext == nil { return nil }
+	switch field {
+	case "deepfake_content": return intake.MarketingContext.DeepfakeContent
+	case "content_moderation": return intake.MarketingContext.ContentModeration
+	case "behavioral_targeting": return intake.MarketingContext.BehavioralTargeting
+	case "minors_targeted": return intake.MarketingContext.MinorsTargeted
+	case "ai_content_labeled": return intake.MarketingContext.AIContentLabeled
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getManufacturingContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ManufacturingContext == nil { return nil }
+	switch field {
+	case "machine_safety": return intake.ManufacturingContext.MachineSafety
+	case "quality_control": return intake.ManufacturingContext.QualityControl
+	case "process_control": return intake.ManufacturingContext.ProcessControl
+	case "ce_marking_required": return intake.ManufacturingContext.CEMarkingRequired
+	case "safety_validated": return intake.ManufacturingContext.SafetyValidated
+	}
+	return nil
+}
+
 func (e *PolicyEngine) getDataTypeValue(field string, intake *UseCaseIntake) interface{} {
 	switch field {
 	case "personal_data":

ai-compliance-sdk/policies/ucca_policy_v1.yaml

@@ -1150,6 +1150,249 @@ rules:
     gdpr_ref: "Art. 9 DSGVO"
     rationale: "Gesundheitsdaten sind besondere Kategorien mit erhoehtem Schutzbedarf"
 
+  # Legal / Justice (Annex III Nr. 8)
+  - id: R-LEG-001
+    category: "K. Legal Hochrisiko"
+    title: "KI gibt Rechtsberatung"
+    description: "KI generiert rechtliche Empfehlungen oder Einschaetzungen"
+    condition: { field: "legal_context.legal_advice", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    gdpr_ref: "Annex III Nr. 8 AI Act"
+    rationale: "Rechtsberatung durch KI kann Zugang zur Justiz beeintraechtigen"
+
+  - id: R-LEG-002
+    category: "K. Legal Hochrisiko"
+    title: "KI prognostiziert Gerichtsurteile"
+    description: "System erstellt Prognosen ueber Verfahrensausgaenge"
+    condition: { field: "legal_context.court_prediction", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Urteilsprognosen koennen rechtliches Verhalten verzerren"
+
+  - id: R-LEG-003
+    category: "K. Legal Hochrisiko"
+    title: "Mandantengeheimnis bei KI-Verarbeitung"
+    description: "Vertrauliche Mandantendaten werden durch KI verarbeitet"
+    condition: { field: "legal_context.client_confidential", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_ENCRYPTION] }
+    severity: WARN
+    rationale: "Mandantengeheimnis erfordert besonderen Schutz (§ 203 StGB)"
+
+  # Public Sector (Art. 27 FRIA)
+  - id: R-PUB-001
+    category: "K. Oeffentlicher Sektor"
+    title: "KI in Verwaltungsentscheidungen"
+    description: "KI beeinflusst Verwaltungsakte oder Bescheide"
+    condition: { field: "public_sector_context.admin_decision", operator: "equals", value: true }
+    effect: { risk_add: 25, dsfa_recommended: true, controls_add: [C_FRIA, C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    rationale: "Verwaltungsentscheidungen erfordern FRIA (Art. 27 AI Act)"
+
+  - id: R-PUB-002
+    category: "K. Oeffentlicher Sektor"
+    title: "KI verteilt oeffentliche Leistungen"
+    description: "KI entscheidet ueber Zuteilung von Sozialleistungen oder Foerderung"
+    condition: { field: "public_sector_context.benefit_allocation", operator: "equals", value: true }
+    effect: { risk_add: 25, feasibility: CONDITIONAL }
+    severity: WARN
+    rationale: "Leistungszuteilung betrifft Grundrecht auf soziale Sicherheit"
+
+  - id: R-PUB-003
+    category: "K. Oeffentlicher Sektor"
+    title: "Fehlende Transparenz gegenueber Buergern"
+    condition:
+      all_of:
+        - field: "public_sector_context.citizen_service"
+          operator: "equals"
+          value: true
+        - field: "public_sector_context.transparency_ensured"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 15, controls_add: [C_TRANSPARENCY] }
+    severity: WARN
+    rationale: "Oeffentliche Stellen haben erhoehte Transparenzpflicht"
+
+  # Critical Infrastructure (NIS2 + Annex III Nr. 2)
+  - id: R-CRIT-001
+    category: "K. Kritische Infrastruktur"
+    title: "Sicherheitskritische KI-Steuerung ohne Redundanz"
+    condition:
+      all_of:
+        - field: "critical_infra_context.safety_critical"
+          operator: "equals"
+          value: true
+        - field: "critical_infra_context.redundancy_exists"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 30, feasibility: NO }
+    severity: BLOCK
+    rationale: "Sicherheitskritische Steuerung ohne Redundanz ist unzulaessig"
+
+  - id: R-CRIT-002
+    category: "K. Kritische Infrastruktur"
+    title: "KI steuert Netz-/Infrastruktur"
+    condition: { field: "critical_infra_context.grid_control", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_INCIDENT_RESPONSE, C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    rationale: "Netzsteuerung durch KI erfordert NIS2-konforme Absicherung"
+
+  # Automotive / Aerospace
+  - id: R-AUTO-001
+    category: "K. Automotive Hochrisiko"
+    title: "Autonomes Fahren / ADAS"
+    condition: { field: "automotive_context.autonomous_driving", operator: "equals", value: true }
+    effect: { risk_add: 30, controls_add: [C_HUMAN_OVERSIGHT, C_FRIA] }
+    severity: WARN
+    rationale: "Autonomes Fahren ist sicherheitskritisch und hochreguliert"
+
+  - id: R-AUTO-002
+    category: "K. Automotive Hochrisiko"
+    title: "Sicherheitsrelevant ohne Functional Safety"
+    condition:
+      all_of:
+        - field: "automotive_context.safety_relevant"
+          operator: "equals"
+          value: true
+        - field: "automotive_context.functional_safety"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 25, feasibility: CONDITIONAL }
+    severity: WARN
+    rationale: "Sicherheitsrelevante Systeme erfordern ISO 26262 Konformitaet"
+
+  # Retail / E-Commerce
+  - id: R-RET-001
+    category: "K. Retail"
+    title: "Personalisierte Preise durch KI"
+    condition: { field: "retail_context.pricing_personalized", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_TRANSPARENCY] }
+    severity: WARN
+    rationale: "Personalisierte Preise koennen Verbraucher benachteiligen (DSA Art. 25)"
+
+  - id: R-RET-002
+    category: "K. Retail"
+    title: "Bonitaetspruefung bei Kauf"
+    condition: { field: "retail_context.credit_scoring", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true, art22_risk: true }
+    severity: WARN
+    rationale: "Kredit-Scoring ist Annex III Nr. 5 AI Act (Zugang zu Diensten)"
+
+  - id: R-RET-003
+    category: "K. Retail"
+    title: "Dark Patterns moeglich"
+    condition: { field: "retail_context.dark_patterns", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Manipulative UI-Muster verstossen gegen DSA und Verbraucherrecht"
+
+  # IT / Cybersecurity / Telecom
+  - id: R-ITS-001
+    category: "K. IT-Sicherheit"
+    title: "KI-gestuetzte Mitarbeiterueberwachung"
+    condition: { field: "it_security_context.employee_surveillance", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Mitarbeiterueberwachung ist §87 BetrVG + DSGVO relevant"
+
+  - id: R-ITS-002
+    category: "K. IT-Sicherheit"
+    title: "Umfangreiche Log-Speicherung"
+    condition: { field: "it_security_context.data_retention_logs", operator: "equals", value: true }
+    effect: { risk_add: 10, controls_add: [C_DATA_MINIMIZATION] }
+    severity: INFO
+    rationale: "Datenminimierung beachten auch bei Security-Logs"
+
+  # Logistics
+  - id: R-LOG-001
+    category: "K. Logistik"
+    title: "Fahrer-/Kurier-Tracking"
+    condition: { field: "logistics_context.driver_tracking", operator: "equals", value: true }
+    effect: { risk_add: 20 }
+    severity: WARN
+    rationale: "GPS-Tracking ist Verhaltenskontrolle (§87 BetrVG)"
+
+  - id: R-LOG-002
+    category: "K. Logistik"
+    title: "Leistungsbewertung Lagerarbeiter"
+    condition: { field: "logistics_context.workload_scoring", operator: "equals", value: true }
+    effect: { risk_add: 20, art22_risk: true }
+    severity: WARN
+    rationale: "Leistungs-Scoring ist Annex III Nr. 4 (Employment)"
+
+  # Construction / Real Estate
+  - id: R-CON-001
+    category: "K. Bau/Immobilien"
+    title: "KI-gestuetzte Mieterauswahl"
+    condition: { field: "construction_context.tenant_screening", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Mieterauswahl betrifft Zugang zu Wohnraum (Grundrecht)"
+
+  - id: R-CON-002
+    category: "K. Bau/Immobilien"
+    title: "KI-Arbeitsschutzueberwachung"
+    condition: { field: "construction_context.worker_safety", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Arbeitsschutzueberwachung kann Verhaltenskontrolle sein"
+
+  # Marketing / Media
+  - id: R-MKT-001
+    category: "K. Marketing/Medien"
+    title: "Deepfake-Inhalte ohne Kennzeichnung"
+    condition:
+      all_of:
+        - field: "marketing_context.deepfake_content"
+          operator: "equals"
+          value: true
+        - field: "marketing_context.ai_content_labeled"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 20, feasibility: NO }
+    severity: BLOCK
+    rationale: "Art. 50 Abs. 4 AI Act: Deepfakes muessen gekennzeichnet werden"
+
+  - id: R-MKT-002
+    category: "K. Marketing/Medien"
+    title: "Minderjaehrige als Zielgruppe"
+    condition: { field: "marketing_context.minors_targeted", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_DSFA] }
+    severity: WARN
+    rationale: "Besonderer Schutz Minderjaehriger (DSA + DSGVO)"
+
+  - id: R-MKT-003
+    category: "K. Marketing/Medien"
+    title: "Verhaltensbasiertes Targeting"
+    condition: { field: "marketing_context.behavioral_targeting", operator: "equals", value: true }
+    effect: { risk_add: 15, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Behavioral Targeting ist Profiling (Art. 22 DSGVO)"
+
+  # Manufacturing / CE
+  - id: R-MFG-001
+    category: "K. Fertigung"
+    title: "KI in Maschinensicherheit ohne Validierung"
+    condition:
+      all_of:
+        - field: "manufacturing_context.machine_safety"
+          operator: "equals"
+          value: true
+        - field: "manufacturing_context.safety_validated"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 30, feasibility: NO }
+    severity: BLOCK
+    rationale: "Maschinenverordnung (EU) 2023/1230 erfordert Sicherheitsvalidierung"
+
+  - id: R-MFG-002
+    category: "K. Fertigung"
+    title: "CE-Kennzeichnung erforderlich"
+    condition: { field: "manufacturing_context.ce_marking_required", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_CE_CONFORMITY] }
+    severity: WARN
+    rationale: "CE-Kennzeichnung ist Pflicht fuer Maschinenprodukte mit KI"
+
   # ---------------------------------------------------------------------------
   # G. Aggregation & Ergebnis
   # ---------------------------------------------------------------------------