From 1cf5de1d45ddc9ebc3290698c84aba07dc679f41 Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.local>
Date: Mon, 18 May 2026 17:56:52 +0200
Subject: [PATCH] feat(cra): CRA Compliance module Phase 1+2+3 (intake, scope,
 path, requirements, backlog, sbom, checks)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 1 — Intake + Scope + Path:
- Migration 119: compliance_cra_projects table (intake + classification + path + status state machine)
- Backend service cra_routes.py: CRUD + scope-check + path-select
- Deterministic Annex III/IV classifier (verbatim mapping from migration 059 wiki)
- Path validation per classification (CRITICAL → notified_body mandatory)
- Frontend: project list, dashboard, 3-step wizard (intake/scope/path)
- Sidebar entry under "CRA Compliance" (red)

Phase 2 — Annex I Requirements + Priorisierungs-Backlog:
- cra_annex_i_data.py: 40 Annex-I requirements (8 categories), 9 measures (M540-M548), 3 CRA deadlines
- Endpoints: /requirements (40 items), /backlog (priority-sorted with deadline pressure)
- Frontend: requirements table with filters + expandable details, backlog with deadline banner + score-ranked table
- Dashboard KPI cards (Critical count, days to CE deadline, etc.) + top-10 backlog snippet

Phase 3 — SBOM Upload + Automated Checks:
- Migration 120: compliance_cra_sboms (versioned uploads, CycloneDX + SPDX)
- SBOM endpoints: POST /sbom/upload (format detection, summary extraction), GET /sboms
- Checks reuse compliance_evidence_checks: init creates 6 default CRA checks, run executes
- Real implementations: cra_security_txt (HTTP + Contact: line) and cra_tls_cert_check (TLS handshake)
- Frontend: SBOM file upload + version list, Checks page with per-check URL input + Run button

Backend-Reuse: gap_projects (intake pre-population), compliance_evidence_checks/_check_results.
Tenant scoping via existing X-Tenant-ID header pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../sdk/v1/cra/checks/[checkId]/run/route.ts  |   23 +
 .../sdk/v1/cra/projects/[id]/backlog/route.ts |   20 +
 .../sdk/v1/cra/projects/[id]/checks/route.ts  |   41 +
 .../v1/cra/projects/[id]/path-select/route.ts |   29 +
 .../cra/projects/[id]/requirements/route.ts   |   20 +
 .../app/api/sdk/v1/cra/projects/[id]/route.ts |   45 +
 .../sdk/v1/cra/projects/[id]/sbom/route.ts    |   48 +
 .../v1/cra/projects/[id]/scope-check/route.ts |   24 +
 .../app/api/sdk/v1/cra/projects/route.ts      |   56 +
 .../app/sdk/cra/[projectId]/backlog/page.tsx  |  155 +++
 .../app/sdk/cra/[projectId]/checks/page.tsx   |  195 +++
 .../app/sdk/cra/[projectId]/intake/page.tsx   |  240 ++++
 .../app/sdk/cra/[projectId]/page.tsx          |  332 +++++
 .../app/sdk/cra/[projectId]/path/page.tsx     |  256 ++++
 .../sdk/cra/[projectId]/requirements/page.tsx |  182 +++
 .../app/sdk/cra/[projectId]/sbom/page.tsx     |  171 +++
 .../app/sdk/cra/[projectId]/scope/page.tsx    |  172 +++
 .../cra/_components/ClassificationBadge.tsx   |   24 +
 .../app/sdk/cra/_components/SeverityBadge.tsx |   13 +
 .../app/sdk/cra/_components/StatusStepper.tsx |   40 +
 admin-compliance/app/sdk/cra/page.tsx         |  200 +++
 .../sdk/Sidebar/SidebarModuleList.tsx         |   22 +
 .../compliance/api/cra_annex_i_data.py        |  260 ++++
 .../compliance/api/cra_routes.py              | 1075 +++++++++++++++++
 backend-compliance/main.py                    |    4 +
 .../119_compliance_cra_projects.sql           |   44 +
 .../migrations/120_compliance_cra_sboms.sql   |   23 +
 27 files changed, 3714 insertions(+)
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/checks/[checkId]/run/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/backlog/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/checks/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/path-select/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/requirements/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/sbom/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/[id]/scope-check/route.ts
 create mode 100644 admin-compliance/app/api/sdk/v1/cra/projects/route.ts
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/backlog/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/checks/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/intake/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/path/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/requirements/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/sbom/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/[projectId]/scope/page.tsx
 create mode 100644 admin-compliance/app/sdk/cra/_components/ClassificationBadge.tsx
 create mode 100644 admin-compliance/app/sdk/cra/_components/SeverityBadge.tsx
 create mode 100644 admin-compliance/app/sdk/cra/_components/StatusStepper.tsx
 create mode 100644 admin-compliance/app/sdk/cra/page.tsx
 create mode 100644 backend-compliance/compliance/api/cra_annex_i_data.py
 create mode 100644 backend-compliance/compliance/api/cra_routes.py
 create mode 100644 backend-compliance/migrations/119_compliance_cra_projects.sql
 create mode 100644 backend-compliance/migrations/120_compliance_cra_sboms.sql

diff --git a/admin-compliance/app/api/sdk/v1/cra/checks/[checkId]/run/route.ts b/admin-compliance/app/api/sdk/v1/cra/checks/[checkId]/run/route.ts
new file mode 100644
index 00000000..69804e9e
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/checks/[checkId]/run/route.ts
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ checkId: string }> }) {
+  const { checkId } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/checks/${checkId}/run`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+      body: body || '{}',
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/backlog/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/backlog/route.ts
new file mode 100644
index 00000000..e41486df
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/backlog/route.ts
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/backlog`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/checks/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/checks/route.ts
new file mode 100644
index 00000000..e11ed699
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/checks/route.ts
@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /checks (no body) -> backend /checks/init creates default checks */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks/init`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/path-select/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/path-select/route.ts
new file mode 100644
index 00000000..71374c49
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/path-select/route.ts
@@ -0,0 +1,29 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/path-select`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/requirements/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/requirements/route.ts
new file mode 100644
index 00000000..e03fba70
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/requirements/route.ts
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/requirements`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/route.ts
new file mode 100644
index 00000000..1bfb78eb
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/route.ts
@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+async function proxy(request: NextRequest, method: string, id: string, body?: string) {
+  const tenantId = tenantHeader(request)
+  const init: RequestInit = {
+    method,
+    headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+  }
+  if (body !== undefined) init.body = body
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}`, init)
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'GET', id)
+}
+
+export async function PATCH(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const body = await request.text()
+  return proxy(request, 'PATCH', id, body)
+}
+
+export async function DELETE(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'DELETE', id)
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/sbom/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/sbom/route.ts
new file mode 100644
index 00000000..767c331d
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/sbom/route.ts
@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /sbom -> List uploads. We map this to the backend /sboms endpoint. */
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sboms`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /sbom -> multipart upload to backend /sbom/upload */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const formData = await request.formData()
+    const upstreamForm = new FormData()
+    for (const [key, value] of formData.entries()) {
+      upstreamForm.append(key, value)
+    }
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sbom/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+      body: upstreamForm as unknown as BodyInit,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/[id]/scope-check/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/scope-check/route.ts
new file mode 100644
index 00000000..44c5dc03
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/[id]/scope-check/route.ts
@@ -0,0 +1,24 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/scope-check`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
diff --git a/admin-compliance/app/api/sdk/v1/cra/projects/route.ts b/admin-compliance/app/api/sdk/v1/cra/projects/route.ts
new file mode 100644
index 00000000..fcb19ab2
--- /dev/null
+++ b/admin-compliance/app/api/sdk/v1/cra/projects/route.ts
@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /api/sdk/v1/cra/projects -> Backend list */
+export async function GET(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/cra/projects${qs ? `?${qs}` : ''}`,
+      { headers: { 'X-Tenant-ID': tenantId } }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+/** POST /api/sdk/v1/cra/projects -> Backend create */
+export async function POST(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/backlog/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/backlog/page.tsx
new file mode 100644
index 00000000..118b162c
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/backlog/page.tsx
@@ -0,0 +1,155 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { SeverityBadge } from '../../_components/SeverityBadge'
+
+interface BacklogItem {
+  rank: number
+  req_id: string
+  title: string
+  category: string
+  severity: string
+  annex_anchor: string
+  description: string
+  effort_days: number
+  mapped_measure_names: { id: string; name: string }[]
+  status: string
+  priority_score: number
+}
+
+interface BacklogResponse {
+  project_id: string
+  classification: string | null
+  days_to_ce_deadline: number
+  deadlines: { date: string; label: string }[]
+  total: number
+  items: BacklogItem[]
+}
+
+export default function BacklogPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const [data, setData] = useState<BacklogResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/backlog`, {
+        headers: { 'X-Tenant-ID': '00000000-0000-0000-0000-000000000001' },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      setData(await res.json())
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+  if (error) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-red-600">{error}</p></div>
+  if (!data) return null
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-6xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">Prioritaeten-Backlog</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            Sortiert nach Severity × Deadline-Druck × Effort. Was du heute tust, was naechsten Sprint, was vor 11.12.2027.
+          </p>
+        </div>
+
+        {/* Deadline-Banner */}
+        <div className="grid grid-cols-1 md:grid-cols-3 gap-3 mb-6">
+          {data.deadlines.map(d => {
+            const days = Math.max(0, Math.round((new Date(d.date).getTime() - Date.now()) / 86400000))
+            const isPast = new Date(d.date).getTime() < Date.now()
+            return (
+              <div
+                key={d.date}
+                className={`rounded-xl border p-4 ${
+                  isPast ? 'bg-gray-100 border-gray-200' :
+                  days < 90 ? 'bg-red-50 border-red-200' :
+                  days < 365 ? 'bg-orange-50 border-orange-200' :
+                  'bg-blue-50 border-blue-200'
+                }`}
+              >
+                <div className="text-xs text-gray-500">{d.date}</div>
+                <div className="font-semibold text-gray-900 text-sm mt-0.5">{d.label}</div>
+                <div className={`text-xs mt-1 ${isPast ? 'text-gray-500' : 'text-gray-700'}`}>
+                  {isPast ? 'bereits abgelaufen' : `noch ${days} Tage`}
+                </div>
+              </div>
+            )
+          })}
+        </div>
+
+        {/* Backlog */}
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
+          <table className="w-full">
+            <thead className="bg-gray-50 border-b border-gray-200">
+              <tr>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Rang</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Anforderung</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Severity</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Score</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Aufwand</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Massnahme</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Aktion</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-100">
+              {data.items.map(item => (
+                <tr key={item.req_id} className="hover:bg-gray-50">
+                  <td className="px-3 py-3 text-sm font-bold text-gray-700">{item.rank}</td>
+                  <td className="px-3 py-3">
+                    <div className="text-sm font-medium text-gray-900">{item.title}</div>
+                    <div className="text-xs text-gray-500">{item.category} · {item.annex_anchor}</div>
+                  </td>
+                  <td className="px-3 py-3"><SeverityBadge value={item.severity} /></td>
+                  <td className="px-3 py-3 text-sm font-mono text-gray-700">{item.priority_score}</td>
+                  <td className="px-3 py-3 text-sm text-gray-600">{item.effort_days} PT</td>
+                  <td className="px-3 py-3 text-xs text-gray-600">
+                    {item.mapped_measure_names.length > 0 ? (
+                      <div className="space-y-0.5">
+                        {item.mapped_measure_names.map(m => (
+                          <div key={m.id} title={m.name}>
+                            <span className="font-mono text-gray-400">{m.id}:</span> {m.name.length > 50 ? m.name.slice(0, 50) + '...' : m.name}
+                          </div>
+                        ))}
+                      </div>
+                    ) : (
+                      <span className="text-gray-400">—</span>
+                    )}
+                  </td>
+                  <td className="px-3 py-3">
+                    <button
+                      className="px-2 py-1 text-xs bg-purple-100 text-purple-800 rounded hover:bg-purple-200"
+                      onClick={() => alert(`Jira-Export fuer ${item.req_id} — Phase-4-Feature`)}
+                    >
+                      → Jira
+                    </button>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+
+        <p className="text-xs text-gray-500 mt-4 text-center">
+          Tage bis CE-Marking-Pflicht (11.12.2027): <span className="font-semibold">{data.days_to_ce_deadline}</span>
+        </p>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/checks/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/checks/page.tsx
new file mode 100644
index 00000000..2737ad46
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/checks/page.tsx
@@ -0,0 +1,195 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+
+interface CheckItem {
+  id: string
+  check_code: string
+  title: string
+  description: string
+  check_type: string
+  target_url: string | null
+  linked_req_ids: string[]
+  last_run_at: string | null
+  is_active: boolean
+  latest_result: { status: string; message: string; ran_at: string } | null
+}
+
+interface ChecksResponse {
+  project_id: string
+  total: number
+  items: CheckItem[]
+}
+
+const STATUS_STYLE: Record<string, string> = {
+  pass: 'bg-green-100 text-green-800',
+  fail: 'bg-red-100 text-red-800',
+  manual_review_required: 'bg-yellow-100 text-yellow-800',
+}
+
+export default function ChecksPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const [data, setData] = useState<ChecksResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+  const [running, setRunning] = useState<string | null>(null)
+  const [urlInputs, setUrlInputs] = useState<Record<string, string>>({})
+
+  const tenant = '00000000-0000-0000-0000-000000000001'
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/checks`, {
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      const json: ChecksResponse = await res.json()
+      setData(json)
+      const u: Record<string, string> = {}
+      for (const c of json.items) u[c.id] = c.target_url || ''
+      setUrlInputs(u)
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  const initChecks = async () => {
+    setError('')
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/checks`, {
+        method: 'POST',
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      await load()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Init fehlgeschlagen')
+    }
+  }
+
+  const runCheck = async (checkId: string) => {
+    setRunning(checkId)
+    setError('')
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/checks/${checkId}/run`, {
+        method: 'POST',
+        headers: { 'X-Tenant-ID': tenant, 'Content-Type': 'application/json' },
+        body: JSON.stringify({ target_url: urlInputs[checkId] || null }),
+      })
+      if (!res.ok) throw new Error(await res.text())
+      await load()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Run fehlgeschlagen')
+    } finally {
+      setRunning(null)
+    }
+  }
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-5xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">Automatisierte Checks</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            CRA-typische Online-Pruefungen: security.txt, Update-Policy, TLS-Konfiguration, Vuln-Disclosure.
+          </p>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">
+            <pre className="whitespace-pre-wrap">{error}</pre>
+            <button onClick={() => setError('')} className="text-xs underline mt-1">Schliessen</button>
+          </div>
+        )}
+
+        {data && data.items.length === 0 && (
+          <div className="bg-white rounded-xl border border-gray-200 p-8 text-center">
+            <p className="text-gray-600 mb-3">Noch keine Checks fuer dieses Projekt konfiguriert.</p>
+            <button
+              onClick={initChecks}
+              className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 text-sm font-medium"
+            >
+              Standard-CRA-Checks erstellen (6 Stueck)
+            </button>
+          </div>
+        )}
+
+        {data && data.items.length > 0 && (
+          <div className="space-y-3">
+            {data.items.map(c => (
+              <div key={c.id} className="bg-white rounded-xl shadow-sm border border-gray-200 p-5">
+                <div className="flex items-start justify-between gap-4 mb-3">
+                  <div className="flex-1 min-w-0">
+                    <div className="flex items-center gap-2">
+                      <h3 className="font-semibold text-gray-900">{c.title}</h3>
+                      <span className="text-xs text-gray-400">{c.check_code}</span>
+                    </div>
+                    <p className="text-sm text-gray-600 mt-1">{c.description}</p>
+                    {c.linked_req_ids.length > 0 && (
+                      <div className="mt-2 flex flex-wrap gap-1">
+                        {c.linked_req_ids.map(r => (
+                          <span key={r} className="px-2 py-0.5 text-xs rounded bg-blue-100 text-blue-700">{r}</span>
+                        ))}
+                      </div>
+                    )}
+                  </div>
+                  {c.latest_result && (
+                    <span className={`px-2 py-1 text-xs rounded-full font-medium ${STATUS_STYLE[c.latest_result.status] || 'bg-gray-100 text-gray-600'}`}>
+                      {c.latest_result.status}
+                    </span>
+                  )}
+                </div>
+
+                {(c.check_type === 'url_probe' || c.check_type === 'tls_probe' || c.check_type === 'manual_review') && (
+                  <div className="flex items-center gap-2 mb-2">
+                    <input
+                      type="url"
+                      placeholder={c.check_type === 'tls_probe' ? 'https://product.example.com' : 'https://your-product.com'}
+                      value={urlInputs[c.id] ?? ''}
+                      onChange={e => setUrlInputs({ ...urlInputs, [c.id]: e.target.value })}
+                      className="flex-1 px-3 py-1.5 border border-gray-300 rounded text-sm focus:ring-2 focus:ring-red-500"
+                    />
+                    <button
+                      onClick={() => runCheck(c.id)}
+                      disabled={running === c.id}
+                      className="px-3 py-1.5 bg-red-600 text-white text-sm rounded hover:bg-red-700 disabled:bg-gray-300"
+                    >
+                      {running === c.id ? 'Laeuft...' : 'Run'}
+                    </button>
+                  </div>
+                )}
+
+                {c.latest_result && (
+                  <div className="mt-2 text-xs text-gray-600 bg-gray-50 rounded p-2 font-mono">
+                    {c.latest_result.message}
+                    <div className="text-gray-400 mt-1 text-[10px]">
+                      Geprueft: {new Date(c.latest_result.ran_at).toLocaleString('de-DE')}
+                    </div>
+                  </div>
+                )}
+              </div>
+            ))}
+          </div>
+        )}
+
+        <div className="mt-6 bg-blue-50 border border-blue-200 rounded-xl p-4 text-sm text-blue-900">
+          <strong>Hinweis:</strong> Aktuell implementiert: <code>cra_security_txt</code> (HTTP) und <code>cra_tls_cert_check</code> (TLS-Handshake).
+          Andere Check-Typen sind als <code>manual_review_required</code> markiert — der Pruefer beantwortet sie manuell.
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/intake/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/intake/page.tsx
new file mode 100644
index 00000000..6dfd0a07
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/intake/page.tsx
@@ -0,0 +1,240 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { useRouter } from 'next/navigation'
+
+const LANGUAGES = [
+  { value: '', label: '— bitte waehlen —' },
+  { value: 'js', label: 'JavaScript / TypeScript' },
+  { value: 'python', label: 'Python' },
+  { value: 'go', label: 'Go' },
+  { value: 'rust', label: 'Rust' },
+  { value: 'java', label: 'Java / Kotlin' },
+  { value: 'csharp', label: 'C# / .NET' },
+  { value: 'cpp', label: 'C / C++' },
+  { value: 'swift', label: 'Swift' },
+  { value: 'mixed', label: 'Mehrere Sprachen' },
+  { value: 'other', label: 'Andere' },
+]
+
+interface CRAProject {
+  id: string
+  name: string
+  description: string
+  repo_url: string | null
+  primary_language: string | null
+  has_firmware: boolean
+  connected_to_internet: boolean
+  has_software_updates: boolean
+  processes_personal_data: boolean
+  is_critical_infra_supplier: boolean
+  intended_use: string
+}
+
+export default function IntakePage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const router = useRouter()
+
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState('')
+
+  const [name, setName] = useState('')
+  const [description, setDescription] = useState('')
+  const [repoUrl, setRepoUrl] = useState('')
+  const [primaryLanguage, setPrimaryLanguage] = useState('')
+  const [hasFirmware, setHasFirmware] = useState(false)
+  const [connectedInternet, setConnectedInternet] = useState(false)
+  const [hasUpdates, setHasUpdates] = useState(false)
+  const [processesPersonal, setProcessesPersonal] = useState(false)
+  const [isCriticalInfra, setIsCriticalInfra] = useState(false)
+  const [intendedUse, setIntendedUse] = useState('')
+
+  const tenant = '00000000-0000-0000-0000-000000000001'
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}`, {
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      const p: CRAProject = await res.json()
+      setName(p.name)
+      setDescription(p.description || '')
+      setRepoUrl(p.repo_url || '')
+      setPrimaryLanguage(p.primary_language || '')
+      setHasFirmware(p.has_firmware)
+      setConnectedInternet(p.connected_to_internet)
+      setHasUpdates(p.has_software_updates)
+      setProcessesPersonal(p.processes_personal_data)
+      setIsCriticalInfra(p.is_critical_infra_supplier)
+      setIntendedUse(p.intended_use || '')
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  const save = async () => {
+    setSaving(true)
+    setError('')
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenant },
+        body: JSON.stringify({
+          name,
+          description,
+          repo_url: repoUrl || null,
+          primary_language: primaryLanguage || null,
+          has_firmware: hasFirmware,
+          connected_to_internet: connectedInternet,
+          has_software_updates: hasUpdates,
+          processes_personal_data: processesPersonal,
+          is_critical_infra_supplier: isCriticalInfra,
+          intended_use: intendedUse,
+          status: 'scoped',
+        }),
+      })
+      if (!res.ok) throw new Error(await res.text())
+      router.push(`/sdk/cra/${projectId}/scope`)
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Speichern fehlgeschlagen')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-3xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">Intake — Software-Profil</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            Schritt 1 von 3 — Beschreibe Software, Firmware und Connectivity. Daraus leiten wir die CRA-Klassifikation ab.
+          </p>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">{error}</div>
+        )}
+
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 p-6 space-y-5">
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Produktname *</label>
+            <input
+              type="text"
+              value={name}
+              onChange={e => setName(e.target.value)}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+              placeholder="z.B. SmartHome Gateway v3"
+            />
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Kurzbeschreibung</label>
+            <textarea
+              value={description}
+              onChange={e => setDescription(e.target.value)}
+              rows={2}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+            />
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">
+              Intended Use — Zweck und Anwendungsbereich
+            </label>
+            <textarea
+              value={intendedUse}
+              onChange={e => setIntendedUse(e.target.value)}
+              rows={3}
+              placeholder="z.B. Mobile App fuer Industrieanlagen-Monitoring, oder: Password Manager fuer KMU, oder: VPN-Software fuer Mitarbeiter-Geraete"
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+            />
+            <p className="text-xs text-gray-500 mt-1">
+              Wichtig fuer die Klassifikation. Erwaehne konkrete Funktionen (z.B. &quot;Firewall&quot;, &quot;Betriebssystem&quot;) wenn zutreffend.
+            </p>
+          </div>
+
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Repo-URL (optional)</label>
+              <input
+                type="url"
+                value={repoUrl}
+                onChange={e => setRepoUrl(e.target.value)}
+                placeholder="https://github.com/..."
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Primaere Programmiersprache</label>
+              <select
+                value={primaryLanguage}
+                onChange={e => setPrimaryLanguage(e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+              >
+                {LANGUAGES.map(l => (
+                  <option key={l.value} value={l.value}>{l.label}</option>
+                ))}
+              </select>
+            </div>
+          </div>
+
+          <div className="border-t border-gray-200 pt-5">
+            <h3 className="text-sm font-medium text-gray-700 mb-3">Eigenschaften des Produkts</h3>
+            <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+              {[
+                ['hasFirmware', 'Enthaelt Firmware (Embedded/IoT)', hasFirmware, setHasFirmware],
+                ['connectedInternet', 'Mit dem Internet verbunden', connectedInternet, setConnectedInternet],
+                ['hasUpdates', 'Hat Software-/Firmware-Updates', hasUpdates, setHasUpdates],
+                ['processesPersonal', 'Verarbeitet personenbezogene Daten', processesPersonal, setProcessesPersonal],
+                ['isCriticalInfra', 'Zulieferer fuer kritische Infrastruktur', isCriticalInfra, setIsCriticalInfra],
+              ].map(([key, label, value, setter]) => (
+                <label key={key as string} className="flex items-center gap-3 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={value as boolean}
+                    onChange={e => (setter as (b: boolean) => void)(e.target.checked)}
+                    className="w-4 h-4 rounded border-gray-300 text-red-600 focus:ring-red-500"
+                  />
+                  <span className="text-sm text-gray-700">{label as string}</span>
+                </label>
+              ))}
+            </div>
+          </div>
+
+          <div className="flex gap-3 pt-3">
+            <button
+              onClick={() => router.push(`/sdk/cra/${projectId}`)}
+              disabled={saving}
+              className="px-4 py-2 border border-gray-300 text-gray-700 rounded-lg hover:bg-gray-50"
+            >
+              Abbrechen
+            </button>
+            <button
+              onClick={save}
+              disabled={saving || !name.trim()}
+              className="flex-1 py-2 bg-red-600 text-white font-medium rounded-lg hover:bg-red-700 disabled:bg-gray-300"
+            >
+              {saving ? 'Speichert...' : 'Weiter zum Scope-Check →'}
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/page.tsx
new file mode 100644
index 00000000..ac11cfa7
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/page.tsx
@@ -0,0 +1,332 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { useRouter } from 'next/navigation'
+import { ClassificationBadge } from '../_components/ClassificationBadge'
+import { StatusStepper } from '../_components/StatusStepper'
+import { SeverityBadge } from '../_components/SeverityBadge'
+
+interface CRAProject {
+  id: string
+  name: string
+  description: string
+  cra_classification: string | null
+  classification_rationale: string[]
+  conformity_path: string | null
+  status: string
+  intended_use: string
+  repo_url: string | null
+  primary_language: string | null
+  created_at: string
+  updated_at: string
+}
+
+interface BacklogItem {
+  rank: number
+  req_id: string
+  title: string
+  category: string
+  severity: string
+  effort_days: number
+  priority_score: number
+}
+
+interface BacklogData {
+  days_to_ce_deadline: number
+  deadlines: { date: string; label: string }[]
+  total: number
+  items: BacklogItem[]
+}
+
+const PATH_LABEL: Record<string, string> = {
+  self_assessment: 'Modul A — Self-Assessment',
+  harmonized_standard: 'Modul B — Harmonized Standard',
+  eucc: 'Modul H — EUCC',
+  notified_body: 'Modul C — Notified Body',
+}
+
+export default function CRAProjectDashboard({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const router = useRouter()
+  const [project, setProject] = useState<CRAProject | null>(null)
+  const [backlog, setBacklog] = useState<BacklogData | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+
+  const load = useCallback(async () => {
+    try {
+      const headers = { 'X-Tenant-ID': '00000000-0000-0000-0000-000000000001' }
+      const [projRes, backlogRes] = await Promise.all([
+        fetch(`/api/sdk/v1/cra/projects/${projectId}`, { headers }),
+        fetch(`/api/sdk/v1/cra/projects/${projectId}/backlog`, { headers }),
+      ])
+      if (!projRes.ok) throw new Error(await projRes.text())
+      setProject(await projRes.json())
+      if (backlogRes.ok) {
+        setBacklog(await backlogRes.json())
+      }
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+  if (error) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-red-600">{error}</p></div>
+  if (!project) return null
+
+  const nextStep =
+    project.status === 'draft' ? { href: `/sdk/cra/${projectId}/intake`, label: 'Intake starten' } :
+    project.status === 'scoped' ? { href: `/sdk/cra/${projectId}/scope`, label: 'Scope-Check ausfuehren' } :
+    project.status === 'classified' ? { href: `/sdk/cra/${projectId}/path`, label: 'Konformitaetspfad waehlen' } :
+    project.status === 'path_selected' ? { href: null, label: 'Phase 2 (Requirements) folgt' } :
+    { href: null, label: '' }
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-5xl mx-auto px-4">
+        <div className="mb-4">
+          <a href="/sdk/cra" className="text-sm text-blue-600 hover:underline">&larr; Alle CRA-Projekte</a>
+        </div>
+
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 p-6 mb-6">
+          <div className="flex items-start justify-between gap-4 mb-4">
+            <div className="flex-1 min-w-0">
+              <h1 className="text-2xl font-bold text-gray-900">{project.name}</h1>
+              {project.description && (
+                <p className="text-gray-600 mt-1">{project.description}</p>
+              )}
+            </div>
+            <ClassificationBadge value={project.cra_classification} size="lg" />
+          </div>
+
+          <StatusStepper current={project.status} />
+        </div>
+
+        {/* KPI Cards */}
+        {backlog && (
+          <div className="grid grid-cols-2 md:grid-cols-4 gap-3 mb-6">
+            <KPICard
+              label="Annex-I Requirements"
+              value={backlog.total}
+              hint="aus Migration 059"
+              color="blue"
+            />
+            <KPICard
+              label="Critical-Anforderungen"
+              value={backlog.items.filter(i => i.severity === 'CRITICAL').length}
+              hint={`+ ${backlog.items.filter(i => i.severity === 'HIGH').length} High`}
+              color="red"
+            />
+            <KPICard
+              label="Tage bis CE-Pflicht"
+              value={backlog.days_to_ce_deadline}
+              hint="11.12.2027"
+              color={backlog.days_to_ce_deadline < 365 ? 'orange' : 'green'}
+            />
+            <KPICard
+              label="Compliance"
+              value="0%"
+              hint="Evidence in Phase 3"
+              color="gray"
+            />
+          </div>
+        )}
+
+        {/* Top-10 Backlog-Snippet */}
+        {backlog && backlog.items.length > 0 && (
+          <div className="bg-white rounded-xl shadow-sm border border-gray-200 p-5 mb-6">
+            <div className="flex items-center justify-between mb-3">
+              <h3 className="text-sm font-semibold text-gray-700 uppercase tracking-wide">Top-10 Prioritaeten</h3>
+              <a href={`/sdk/cra/${projectId}/backlog`} className="text-xs text-blue-600 hover:underline">
+                Vollstaendiges Backlog →
+              </a>
+            </div>
+            <table className="w-full text-sm">
+              <thead className="text-xs text-gray-500 uppercase">
+                <tr>
+                  <th className="text-left py-1">#</th>
+                  <th className="text-left py-1">Anforderung</th>
+                  <th className="text-left py-1">Severity</th>
+                  <th className="text-left py-1">Aufwand</th>
+                </tr>
+              </thead>
+              <tbody className="divide-y divide-gray-100">
+                {backlog.items.slice(0, 10).map(item => (
+                  <tr key={item.req_id} className="hover:bg-gray-50">
+                    <td className="py-2 text-gray-500">{item.rank}</td>
+                    <td className="py-2">
+                      <div className="font-medium text-gray-900">{item.title}</div>
+                      <div className="text-xs text-gray-500">{item.category}</div>
+                    </td>
+                    <td className="py-2"><SeverityBadge value={item.severity} /></td>
+                    <td className="py-2 text-gray-600">{item.effort_days} PT</td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        )}
+
+        <div className="grid grid-cols-2 md:grid-cols-4 gap-3 mb-6">
+          <a
+            href={`/sdk/cra/${projectId}/requirements`}
+            className="text-center py-2 bg-blue-100 text-blue-700 rounded-lg hover:bg-blue-200 text-sm font-medium"
+          >
+            → Requirements (40)
+          </a>
+          <a
+            href={`/sdk/cra/${projectId}/backlog`}
+            className="text-center py-2 bg-red-100 text-red-700 rounded-lg hover:bg-red-200 text-sm font-medium"
+          >
+            → Backlog
+          </a>
+          <a
+            href={`/sdk/cra/${projectId}/sbom`}
+            className="text-center py-2 bg-green-100 text-green-700 rounded-lg hover:bg-green-200 text-sm font-medium"
+          >
+            → SBOM
+          </a>
+          <a
+            href={`/sdk/cra/${projectId}/checks`}
+            className="text-center py-2 bg-purple-100 text-purple-700 rounded-lg hover:bg-purple-200 text-sm font-medium"
+          >
+            → Checks
+          </a>
+        </div>
+
+        <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+          <InfoCard
+            title="Intake"
+            content={
+              project.status === 'draft'
+                ? <span className="text-gray-400">Noch nicht erfasst</span>
+                : (
+                  <div className="space-y-1 text-sm">
+                    {project.intended_use && <div><span className="text-gray-500">Use:</span> {project.intended_use}</div>}
+                    {project.primary_language && <div><span className="text-gray-500">Sprache:</span> {project.primary_language}</div>}
+                    {project.repo_url && <div><span className="text-gray-500">Repo:</span> {project.repo_url}</div>}
+                  </div>
+                )
+            }
+            actionHref={`/sdk/cra/${projectId}/intake`}
+            actionLabel={project.status === 'draft' ? 'Erfassen' : 'Bearbeiten'}
+          />
+
+          <InfoCard
+            title="Klassifikation"
+            content={
+              project.cra_classification ? (
+                <div>
+                  <ClassificationBadge value={project.cra_classification} size="md" />
+                  {project.classification_rationale?.length > 0 && (
+                    <ul className="mt-2 text-xs text-gray-600 list-disc list-inside space-y-0.5">
+                      {project.classification_rationale.map((r, i) => <li key={i}>{r}</li>)}
+                    </ul>
+                  )}
+                </div>
+              ) : <span className="text-gray-400">Scope-Check ausstehend</span>
+            }
+            actionHref={`/sdk/cra/${projectId}/scope`}
+            actionLabel={project.cra_classification ? 'Neu pruefen' : 'Pruefen'}
+          />
+
+          <InfoCard
+            title="Konformitaetspfad"
+            content={
+              project.conformity_path
+                ? <span className="font-medium text-purple-700">{PATH_LABEL[project.conformity_path] || project.conformity_path}</span>
+                : <span className="text-gray-400">Noch nicht gewaehlt</span>
+            }
+            actionHref={project.cra_classification ? `/sdk/cra/${projectId}/path` : null}
+            actionLabel={project.conformity_path ? 'Aendern' : 'Waehlen'}
+          />
+
+          <InfoCard
+            title="Status"
+            content={
+              <div className="space-y-1 text-sm">
+                <div><span className="text-gray-500">Aktuell:</span> {project.status}</div>
+                <div className="text-xs text-gray-400">Aktualisiert: {new Date(project.updated_at).toLocaleString('de-DE')}</div>
+              </div>
+            }
+            actionHref={null}
+            actionLabel=""
+          />
+        </div>
+
+        {nextStep.href && (
+          <div className="bg-blue-50 border border-blue-200 rounded-xl p-5 flex items-center justify-between">
+            <div>
+              <h3 className="font-semibold text-blue-900">Naechster Schritt</h3>
+              <p className="text-sm text-blue-700 mt-1">{nextStep.label}</p>
+            </div>
+            <button
+              onClick={() => router.push(nextStep.href!)}
+              className="px-5 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 font-medium"
+            >
+              Weiter
+            </button>
+          </div>
+        )}
+        {!nextStep.href && nextStep.label && (
+          <div className="bg-gray-100 border border-gray-200 rounded-xl p-5 text-center text-gray-600">
+            {nextStep.label}
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
+
+function InfoCard({
+  title, content, actionHref, actionLabel,
+}: {
+  title: string
+  content: React.ReactNode
+  actionHref: string | null
+  actionLabel: string
+}) {
+  return (
+    <div className="bg-white rounded-xl border border-gray-200 p-5">
+      <div className="flex items-center justify-between mb-2">
+        <h3 className="text-sm font-semibold text-gray-700 uppercase tracking-wide">{title}</h3>
+        {actionHref && actionLabel && (
+          <a href={actionHref} className="text-xs text-blue-600 hover:underline">{actionLabel}</a>
+        )}
+      </div>
+      <div>{content}</div>
+    </div>
+  )
+}
+
+function KPICard({
+  label, value, hint, color,
+}: {
+  label: string
+  value: string | number
+  hint: string
+  color: 'blue' | 'red' | 'orange' | 'green' | 'gray'
+}) {
+  const colors = {
+    blue: 'bg-blue-50 border-blue-200 text-blue-700',
+    red: 'bg-red-50 border-red-200 text-red-700',
+    orange: 'bg-orange-50 border-orange-200 text-orange-700',
+    green: 'bg-green-50 border-green-200 text-green-700',
+    gray: 'bg-gray-50 border-gray-200 text-gray-700',
+  }
+  return (
+    <div className={`rounded-xl border p-4 ${colors[color]}`}>
+      <p className="text-xs text-gray-600 uppercase tracking-wide">{label}</p>
+      <p className="text-2xl font-bold mt-1">{value}</p>
+      <p className="text-xs mt-1 opacity-80">{hint}</p>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/path/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/path/page.tsx
new file mode 100644
index 00000000..a01e31f4
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/path/page.tsx
@@ -0,0 +1,256 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { useRouter } from 'next/navigation'
+import { ClassificationBadge } from '../../_components/ClassificationBadge'
+
+interface CRAProject {
+  id: string
+  name: string
+  cra_classification: string | null
+  conformity_path: string | null
+  status: string
+}
+
+type PathId = 'self_assessment' | 'harmonized_standard' | 'eucc' | 'notified_body'
+
+interface PathOption {
+  id: PathId
+  modul: string
+  title: string
+  short: string
+  details: string[]
+}
+
+const PATHS: PathOption[] = [
+  {
+    id: 'self_assessment',
+    modul: 'Modul A',
+    title: 'Self-Assessment',
+    short: 'Konformitaetsbewertung durch interne Pruefung',
+    details: [
+      'Hersteller fuehrt Konformitaetsbewertung selbst durch',
+      'Geringster externer Aufwand, schnelle Umsetzung',
+      'Default fuer Standard-Produkte',
+      'Technische Dokumentation + DoC bleibt Pflicht',
+    ],
+  },
+  {
+    id: 'harmonized_standard',
+    modul: 'Modul B',
+    title: 'Harmonized Standard',
+    short: 'Konformitaetsvermutung durch harmonisierte Norm',
+    details: [
+      'Anwendung einer harmonisierten EU-Norm (z.B. DIN EN 40000-1-2 Entwurf)',
+      'Konformitaetsvermutung gemaess EU-Recht',
+      'Geringeres Audit-Risiko',
+      'Empfohlen bei verfuegbarer harmonisierter Norm',
+    ],
+  },
+  {
+    id: 'eucc',
+    modul: 'Modul H',
+    title: 'EUCC Zertifizierung',
+    short: 'European Cybersecurity Certification Scheme',
+    details: [
+      'ENISA-EUCC-Zertifizierung (Common Criteria-basiert)',
+      'Hoechste Anerkennung in EU + Drittstaaten',
+      'Hoher Aufwand, ITSEF-Pruefung erforderlich',
+      'Pflicht bei einigen Important Class II-Produkten',
+    ],
+  },
+  {
+    id: 'notified_body',
+    modul: 'Modul C',
+    title: 'Notified Body Assessment',
+    short: 'Drittprueforganisation pruefn die Konformitaet',
+    details: [
+      'Externe Bewertung durch akkreditierte Stelle',
+      'PFLICHT fuer Critical-Produkte (Annex IV)',
+      'Hoechste Auditierbarkeit + Vertrauen',
+      'Laufzeit + Kosten am hoechsten',
+    ],
+  },
+]
+
+const ALLOWED: Record<string, PathId[]> = {
+  STANDARD: ['self_assessment', 'harmonized_standard', 'eucc', 'notified_body'],
+  IMPORTANT_I: ['self_assessment', 'harmonized_standard', 'eucc', 'notified_body'],
+  IMPORTANT_II: ['harmonized_standard', 'eucc', 'notified_body'],
+  CRITICAL: ['notified_body'],
+}
+
+const DEFAULT_FOR: Record<string, PathId> = {
+  STANDARD: 'self_assessment',
+  IMPORTANT_I: 'self_assessment',
+  IMPORTANT_II: 'harmonized_standard',
+  CRITICAL: 'notified_body',
+}
+
+export default function PathSelectPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const router = useRouter()
+  const [project, setProject] = useState<CRAProject | null>(null)
+  const [selected, setSelected] = useState<PathId | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState('')
+
+  const tenant = '00000000-0000-0000-0000-000000000001'
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}`, {
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      const p: CRAProject = await res.json()
+      setProject(p)
+      if (p.conformity_path) {
+        setSelected(p.conformity_path as PathId)
+      } else if (p.cra_classification && DEFAULT_FOR[p.cra_classification]) {
+        setSelected(DEFAULT_FOR[p.cra_classification])
+      }
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  const submit = async () => {
+    if (!selected) return
+    setSaving(true)
+    setError('')
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/path-select`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenant },
+        body: JSON.stringify({ conformity_path: selected }),
+      })
+      if (!res.ok) throw new Error(await res.text())
+      router.push(`/sdk/cra/${projectId}`)
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Speichern fehlgeschlagen')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+  if (!project) return null
+
+  if (!project.cra_classification) {
+    return (
+      <div className="min-h-screen bg-gray-50 p-8">
+        <div className="max-w-2xl mx-auto bg-yellow-50 border border-yellow-200 rounded-lg p-6">
+          <p className="text-yellow-800">
+            Bitte erst den Scope-Check ausfuehren.
+            <a href={`/sdk/cra/${projectId}/scope`} className="ml-2 underline">→ Zum Scope-Check</a>
+          </p>
+        </div>
+      </div>
+    )
+  }
+
+  const allowedPaths = ALLOWED[project.cra_classification] || []
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-4xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">Konformitaetspfad waehlen</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            Schritt 3 von 3 — basierend auf der Klassifikation siehst du die zulaessigen Pfade.
+          </p>
+          <div className="mt-3 flex items-center gap-2">
+            <span className="text-sm text-gray-600">Klassifikation:</span>
+            <ClassificationBadge value={project.cra_classification} size="md" />
+          </div>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">{error}</div>
+        )}
+
+        <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+          {PATHS.map(path => {
+            const allowed = allowedPaths.includes(path.id)
+            const isSelected = selected === path.id
+            return (
+              <button
+                key={path.id}
+                onClick={() => allowed && setSelected(path.id)}
+                disabled={!allowed}
+                className={`text-left p-5 rounded-xl border-2 transition-all ${
+                  isSelected ? 'border-red-500 bg-red-50' :
+                  allowed ? 'border-gray-200 bg-white hover:border-red-300 hover:shadow-md' :
+                  'border-gray-200 bg-gray-50 opacity-50 cursor-not-allowed'
+                }`}
+              >
+                <div className="flex items-start justify-between mb-2">
+                  <div>
+                    <span className="text-xs font-semibold text-gray-500 uppercase tracking-wide">{path.modul}</span>
+                    <h3 className="text-lg font-semibold text-gray-900">{path.title}</h3>
+                  </div>
+                  {isSelected && (
+                    <span className="px-2 py-0.5 text-xs bg-red-600 text-white rounded">Gewaehlt</span>
+                  )}
+                  {!allowed && (
+                    <span className="px-2 py-0.5 text-xs bg-gray-200 text-gray-600 rounded">Nicht zulaessig</span>
+                  )}
+                </div>
+                <p className="text-sm text-gray-600 mb-3">{path.short}</p>
+                <ul className="text-xs text-gray-600 space-y-1">
+                  {path.details.map((d, i) => (
+                    <li key={i} className="flex items-start gap-1.5">
+                      <span className="text-gray-400 mt-0.5">•</span>
+                      <span>{d}</span>
+                    </li>
+                  ))}
+                </ul>
+              </button>
+            )
+          })}
+        </div>
+
+        <div className="bg-white rounded-xl border border-gray-200 p-4 flex items-center justify-between">
+          <div className="text-sm text-gray-600">
+            {selected ? (
+              <>Ausgewaehlt: <span className="font-medium text-gray-900">
+                {PATHS.find(p => p.id === selected)?.title}
+              </span></>
+            ) : (
+              'Keine Auswahl getroffen'
+            )}
+          </div>
+          <div className="flex gap-3">
+            <button
+              onClick={() => router.push(`/sdk/cra/${projectId}/scope`)}
+              disabled={saving}
+              className="px-4 py-2 border border-gray-300 text-gray-700 rounded-lg hover:bg-gray-50"
+            >
+              ← Zurueck
+            </button>
+            <button
+              onClick={submit}
+              disabled={saving || !selected}
+              className="px-6 py-2 bg-red-600 text-white font-medium rounded-lg hover:bg-red-700 disabled:bg-gray-300"
+            >
+              {saving ? 'Speichert...' : 'Pfad festlegen'}
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/requirements/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/requirements/page.tsx
new file mode 100644
index 00000000..81555ae2
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/requirements/page.tsx
@@ -0,0 +1,182 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { SeverityBadge } from '../../_components/SeverityBadge'
+
+interface Requirement {
+  req_id: string
+  n: number
+  category: string
+  title: string
+  annex_anchor: string
+  iso27001_ref: string[]
+  description: string
+  severity: string
+  mapped_measures: string[]
+  mapped_measure_names: { id: string; name: string }[]
+  evidence_type: string
+  effort_days: number
+  status: string
+}
+
+interface RequirementsResponse {
+  project_id: string
+  classification: string | null
+  total: number
+  items: Requirement[]
+}
+
+export default function RequirementsPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const [data, setData] = useState<RequirementsResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+  const [filterCategory, setFilterCategory] = useState<string>('all')
+  const [filterSeverity, setFilterSeverity] = useState<string>('all')
+  const [expanded, setExpanded] = useState<string | null>(null)
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/requirements`, {
+        headers: { 'X-Tenant-ID': '00000000-0000-0000-0000-000000000001' },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      setData(await res.json())
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+  if (error) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-red-600">{error}</p></div>
+  if (!data) return null
+
+  const categories = Array.from(new Set(data.items.map(i => i.category)))
+  const filtered = data.items.filter(r =>
+    (filterCategory === 'all' || r.category === filterCategory) &&
+    (filterSeverity === 'all' || r.severity === filterSeverity)
+  )
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-7xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">CRA Annex I Requirements</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            Alle {data.total} Essential Cybersecurity Requirements aus Annex I. Status bleibt &quot;unbewertet&quot; bis Evidence-Checks in Phase 3 verknuepft sind.
+          </p>
+        </div>
+
+        <div className="flex gap-3 mb-4 flex-wrap">
+          <select
+            value={filterCategory}
+            onChange={e => setFilterCategory(e.target.value)}
+            className="px-3 py-2 border border-gray-300 rounded-lg text-sm"
+          >
+            <option value="all">Alle Kategorien</option>
+            {categories.map(c => <option key={c} value={c}>{c}</option>)}
+          </select>
+          <select
+            value={filterSeverity}
+            onChange={e => setFilterSeverity(e.target.value)}
+            className="px-3 py-2 border border-gray-300 rounded-lg text-sm"
+          >
+            <option value="all">Alle Severities</option>
+            <option value="CRITICAL">Kritisch</option>
+            <option value="HIGH">Hoch</option>
+            <option value="MEDIUM">Mittel</option>
+            <option value="LOW">Niedrig</option>
+          </select>
+          <span className="text-sm text-gray-500 self-center">
+            {filtered.length} von {data.total}
+          </span>
+        </div>
+
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
+          <table className="w-full">
+            <thead className="bg-gray-50 border-b border-gray-200">
+              <tr>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">#</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Anforderung</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Kategorie</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Severity</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Aufwand</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500 uppercase">Status</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-100">
+              {filtered.map(req => (
+                <React.Fragment key={req.req_id}>
+                  <tr
+                    className="hover:bg-gray-50 cursor-pointer"
+                    onClick={() => setExpanded(expanded === req.req_id ? null : req.req_id)}
+                  >
+                    <td className="px-3 py-2 text-sm text-gray-500">{req.n}</td>
+                    <td className="px-3 py-2">
+                      <div className="text-sm font-medium text-gray-900">{req.title}</div>
+                      <div className="text-xs text-gray-500">{req.annex_anchor} · {req.req_id}</div>
+                    </td>
+                    <td className="px-3 py-2 text-sm text-gray-600">{req.category}</td>
+                    <td className="px-3 py-2"><SeverityBadge value={req.severity} /></td>
+                    <td className="px-3 py-2 text-sm text-gray-600">{req.effort_days} PT</td>
+                    <td className="px-3 py-2">
+                      <span className="px-2 py-0.5 text-xs rounded-full bg-gray-100 text-gray-600">{req.status}</span>
+                    </td>
+                  </tr>
+                  {expanded === req.req_id && (
+                    <tr>
+                      <td colSpan={6} className="px-4 py-4 bg-blue-50">
+                        <div className="space-y-3">
+                          <div>
+                            <p className="text-xs font-semibold text-gray-600 uppercase">Beschreibung</p>
+                            <p className="text-sm text-gray-700 mt-1">{req.description}</p>
+                          </div>
+                          {req.iso27001_ref.length > 0 && (
+                            <div>
+                              <p className="text-xs font-semibold text-gray-600 uppercase">ISO 27001:2022 Mapping</p>
+                              <p className="text-sm text-gray-700 mt-1">
+                                {req.iso27001_ref.map(r => (
+                                  <span key={r} className="inline-block mr-2 mb-1 px-2 py-0.5 bg-white rounded text-xs">{r}</span>
+                                ))}
+                              </p>
+                            </div>
+                          )}
+                          {req.mapped_measure_names.length > 0 && (
+                            <div>
+                              <p className="text-xs font-semibold text-gray-600 uppercase">Empfohlene Massnahmen</p>
+                              <ul className="text-sm text-gray-700 mt-1 space-y-0.5">
+                                {req.mapped_measure_names.map(m => (
+                                  <li key={m.id}>
+                                    <span className="font-mono text-xs text-gray-500">{m.id}</span> — {m.name}
+                                  </li>
+                                ))}
+                              </ul>
+                            </div>
+                          )}
+                          <div className="text-xs text-gray-500 pt-1">
+                            Evidence-Typ: <span className="font-medium">{req.evidence_type}</span>
+                          </div>
+                        </div>
+                      </td>
+                    </tr>
+                  )}
+                </React.Fragment>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/sbom/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/sbom/page.tsx
new file mode 100644
index 00000000..0934338d
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/sbom/page.tsx
@@ -0,0 +1,171 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use, useRef } from 'react'
+
+interface SBOMItem {
+  id: string
+  filename: string
+  format: string
+  spec_version: string | null
+  component_count: number
+  summary: Record<string, unknown>
+  scan_status: string
+  scan_summary: Record<string, unknown>
+  uploaded_at: string
+  scanned_at: string | null
+}
+
+interface SBOMListResponse {
+  project_id: string
+  total: number
+  items: SBOMItem[]
+}
+
+export default function SBOMPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const [data, setData] = useState<SBOMListResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [uploading, setUploading] = useState(false)
+  const [error, setError] = useState('')
+  const fileRef = useRef<HTMLInputElement>(null)
+  const tenant = '00000000-0000-0000-0000-000000000001'
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/sbom`, {
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      setData(await res.json())
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  const onUpload = async () => {
+    const f = fileRef.current?.files?.[0]
+    if (!f) return
+    setUploading(true)
+    setError('')
+    try {
+      const fd = new FormData()
+      fd.append('file', f)
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/sbom`, {
+        method: 'POST',
+        headers: { 'X-Tenant-ID': tenant },
+        body: fd,
+      })
+      if (!res.ok) throw new Error(await res.text())
+      if (fileRef.current) fileRef.current.value = ''
+      await load()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Upload fehlgeschlagen')
+    } finally {
+      setUploading(false)
+    }
+  }
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-5xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">SBOM — Software Bill of Materials</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            CycloneDX oder SPDX hochladen. Verknuepft mit Annex-I Requirement 23 (SBOM-Pflicht).
+          </p>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">
+            <pre className="whitespace-pre-wrap">{error}</pre>
+            <button onClick={() => setError('')} className="text-red-500 mt-1 underline text-xs">Schliessen</button>
+          </div>
+        )}
+
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 p-5 mb-6">
+          <h3 className="text-sm font-semibold text-gray-700 mb-3">Neue Version hochladen</h3>
+          <div className="flex items-center gap-3">
+            <input
+              ref={fileRef}
+              type="file"
+              accept=".json,application/json"
+              className="flex-1 text-sm file:mr-3 file:py-1.5 file:px-3 file:rounded file:border-0 file:text-sm file:bg-blue-100 file:text-blue-700 hover:file:bg-blue-200"
+            />
+            <button
+              onClick={onUpload}
+              disabled={uploading}
+              className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:bg-gray-300 text-sm font-medium"
+            >
+              {uploading ? 'Laedt hoch...' : 'Upload'}
+            </button>
+          </div>
+          <p className="text-xs text-gray-500 mt-2">
+            Format: CycloneDX-JSON (mit <code>bomFormat: &quot;CycloneDX&quot;</code>) oder SPDX-JSON (mit <code>spdxVersion</code>).
+            Generieren z.B. via <code>npx @cyclonedx/cyclonedx-npm</code> oder <code>cyclonedx-py</code>.
+          </p>
+        </div>
+
+        {data && data.items.length === 0 && (
+          <div className="bg-gray-100 rounded-xl p-8 text-center text-gray-500">
+            Noch kein SBOM hochgeladen.
+          </div>
+        )}
+
+        {data && data.items.length > 0 && (
+          <div className="space-y-3">
+            <h3 className="text-sm font-semibold text-gray-700">Versionen ({data.total})</h3>
+            {data.items.map(s => (
+              <div key={s.id} className="bg-white rounded-xl shadow-sm border border-gray-200 p-4">
+                <div className="flex items-center justify-between gap-4">
+                  <div className="flex-1 min-w-0">
+                    <div className="flex items-center gap-2">
+                      <span className="font-semibold text-gray-900">{s.filename}</span>
+                      <span className="px-2 py-0.5 text-xs rounded bg-blue-100 text-blue-700 uppercase">{s.format}</span>
+                      {s.spec_version && (
+                        <span className="text-xs text-gray-500">v{s.spec_version}</span>
+                      )}
+                    </div>
+                    <div className="text-xs text-gray-500 mt-1">
+                      {s.component_count} Komponenten · hochgeladen {new Date(s.uploaded_at).toLocaleString('de-DE')}
+                    </div>
+                  </div>
+                  <span className={`px-2 py-1 text-xs rounded-full ${
+                    s.scan_status === 'scanned' ? 'bg-green-100 text-green-700' :
+                    s.scan_status === 'failed' ? 'bg-red-100 text-red-700' :
+                    'bg-gray-100 text-gray-600'
+                  }`}>
+                    Scan: {s.scan_status}
+                  </span>
+                </div>
+                {s.summary && Object.keys(s.summary).length > 0 && (
+                  <details className="mt-3 text-xs">
+                    <summary className="cursor-pointer text-gray-600 hover:text-gray-900">Summary-Details</summary>
+                    <pre className="mt-2 p-2 bg-gray-50 rounded overflow-x-auto text-xs">{JSON.stringify(s.summary, null, 2)}</pre>
+                  </details>
+                )}
+              </div>
+            ))}
+          </div>
+        )}
+
+        <div className="mt-6 bg-blue-50 border border-blue-200 rounded-xl p-4 text-sm text-blue-900">
+          <strong>Hinweis:</strong> Der osv.dev-Vulnerability-Scan wird durch ein separates Tool im Team durchgefuehrt.
+          Diese Seite akzeptiert SBOM-Uploads und persistiert sie versioniert.
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/[projectId]/scope/page.tsx b/admin-compliance/app/sdk/cra/[projectId]/scope/page.tsx
new file mode 100644
index 00000000..c706c0f2
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/[projectId]/scope/page.tsx
@@ -0,0 +1,172 @@
+'use client'
+
+import React, { useEffect, useState, useCallback, use } from 'react'
+import { useRouter } from 'next/navigation'
+import { ClassificationBadge } from '../../_components/ClassificationBadge'
+
+interface CRAProject {
+  id: string
+  name: string
+  intended_use: string
+  primary_language: string | null
+  connected_to_internet: boolean
+  has_software_updates: boolean
+  processes_personal_data: boolean
+  is_critical_infra_supplier: boolean
+  cra_classification: string | null
+  classification_rationale: string[]
+  status: string
+}
+
+const CLASSIFICATION_DESC: Record<string, string> = {
+  NOT_IN_SCOPE: 'Dein Produkt enthaelt keine digitalen Elemente nach CRA-Definition. Es ist nicht vom CRA betroffen.',
+  STANDARD: 'Default-Kategorie fuer Produkte mit digitalen Elementen. Self-Assessment (Modul A) ist der typische Pfad.',
+  IMPORTANT_I: 'Annex III Klasse I — Wichtige Produkte mit erhoehten Anforderungen. Self-Assessment OR Harmonized Standard moeglich.',
+  IMPORTANT_II: 'Annex III Klasse II — Wichtige Produkte mit hohem Sicherheitsbedarf. Harmonized Standard ODER EUCC ODER Notified Body.',
+  CRITICAL: 'Annex IV — Kritische Produkte (z.B. HSM, Smart-Meter-Gateways). Notified-Body-Assessment Pflicht.',
+}
+
+export default function ScopeCheckPage({
+  params,
+}: {
+  params: Promise<{ projectId: string }>
+}) {
+  const { projectId } = use(params)
+  const router = useRouter()
+  const [project, setProject] = useState<CRAProject | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [checking, setChecking] = useState(false)
+  const [error, setError] = useState('')
+
+  const tenant = '00000000-0000-0000-0000-000000000001'
+
+  const load = useCallback(async () => {
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}`, {
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      setProject(await res.json())
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [projectId])
+
+  useEffect(() => { load() }, [load])
+
+  const runScopeCheck = async () => {
+    setChecking(true)
+    setError('')
+    try {
+      const res = await fetch(`/api/sdk/v1/cra/projects/${projectId}/scope-check`, {
+        method: 'POST',
+        headers: { 'X-Tenant-ID': tenant },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      setProject(await res.json())
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Klassifikation fehlgeschlagen')
+    } finally {
+      setChecking(false)
+    }
+  }
+
+  if (loading) return <div className="min-h-screen bg-gray-50 p-8"><p className="text-gray-500">Laedt...</p></div>
+  if (!project) return null
+
+  const hasResult = !!project.cra_classification
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-3xl mx-auto px-4">
+        <div className="mb-6">
+          <a href={`/sdk/cra/${projectId}`} className="text-sm text-blue-600 hover:underline">
+            &larr; Zurueck zum Projekt
+          </a>
+          <h1 className="text-2xl font-bold text-gray-900 mt-2">Scope-Check & Klassifikation</h1>
+          <p className="text-sm text-gray-600 mt-1">
+            Schritt 2 von 3 — Wir matchen dein Intake gegen Annex III/IV des CRA.
+          </p>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">{error}</div>
+        )}
+
+        <div className="bg-white rounded-xl shadow-sm border border-gray-200 p-6 space-y-4">
+          <h3 className="text-sm font-semibold text-gray-700">Aktuelle Intake-Daten</h3>
+          <dl className="grid grid-cols-1 md:grid-cols-2 gap-2 text-sm">
+            <Field label="Produkt" value={project.name} />
+            <Field label="Sprache" value={project.primary_language || '—'} />
+            <Field label="Intended Use" value={project.intended_use || '—'} fullWidth />
+            <Field label="Internet" value={project.connected_to_internet ? 'Ja' : 'Nein'} />
+            <Field label="Software-Updates" value={project.has_software_updates ? 'Ja' : 'Nein'} />
+            <Field label="Personenbezogene Daten" value={project.processes_personal_data ? 'Ja' : 'Nein'} />
+            <Field label="Kritische Infra" value={project.is_critical_infra_supplier ? 'Ja' : 'Nein'} />
+          </dl>
+
+          <div className="border-t border-gray-200 pt-4">
+            <button
+              onClick={runScopeCheck}
+              disabled={checking}
+              className="w-full py-3 bg-red-600 text-white font-medium rounded-lg hover:bg-red-700 disabled:bg-gray-300"
+            >
+              {checking ? 'Pruefe...' : hasResult ? 'Klassifikation neu berechnen' : 'Klassifikation berechnen'}
+            </button>
+          </div>
+        </div>
+
+        {hasResult && (
+          <div className="mt-6 bg-white rounded-xl shadow-sm border border-gray-200 p-6">
+            <h3 className="text-sm font-semibold text-gray-700 uppercase tracking-wide mb-3">Ergebnis</h3>
+            <div className="flex items-center gap-4 mb-4">
+              <ClassificationBadge value={project.cra_classification} size="lg" />
+              <p className="text-sm text-gray-700">
+                {CLASSIFICATION_DESC[project.cra_classification!]}
+              </p>
+            </div>
+            {project.classification_rationale?.length > 0 && (
+              <div className="bg-gray-50 rounded-lg p-4 mb-4">
+                <p className="text-xs font-semibold text-gray-600 uppercase tracking-wide mb-2">Begruendung</p>
+                <ul className="list-disc list-inside space-y-1 text-sm text-gray-700">
+                  {project.classification_rationale.map((r, i) => <li key={i}>{r}</li>)}
+                </ul>
+              </div>
+            )}
+            <div className="flex gap-3">
+              <button
+                onClick={() => router.push(`/sdk/cra/${projectId}/intake`)}
+                className="px-4 py-2 border border-gray-300 text-gray-700 rounded-lg hover:bg-gray-50"
+              >
+                ← Intake anpassen
+              </button>
+              <button
+                onClick={() => router.push(`/sdk/cra/${projectId}/path`)}
+                disabled={project.cra_classification === 'NOT_IN_SCOPE'}
+                className="flex-1 py-2 bg-red-600 text-white font-medium rounded-lg hover:bg-red-700 disabled:bg-gray-300"
+              >
+                Weiter zum Konformitaetspfad →
+              </button>
+            </div>
+            {project.cra_classification === 'NOT_IN_SCOPE' && (
+              <p className="text-xs text-gray-500 mt-2 text-center">
+                Produkt ist nicht im CRA-Scope. Keine weiteren Schritte noetig.
+              </p>
+            )}
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
+
+function Field({ label, value, fullWidth }: { label: string; value: string; fullWidth?: boolean }) {
+  return (
+    <div className={fullWidth ? 'md:col-span-2' : ''}>
+      <dt className="text-xs text-gray-500">{label}</dt>
+      <dd className="text-gray-900 mt-0.5">{value}</dd>
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/_components/ClassificationBadge.tsx b/admin-compliance/app/sdk/cra/_components/ClassificationBadge.tsx
new file mode 100644
index 00000000..fff182db
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/_components/ClassificationBadge.tsx
@@ -0,0 +1,24 @@
+'use client'
+
+type Classification = 'NOT_IN_SCOPE' | 'STANDARD' | 'IMPORTANT_I' | 'IMPORTANT_II' | 'CRITICAL'
+
+const STYLES: Record<string, { bg: string; label: string }> = {
+  NOT_IN_SCOPE: { bg: 'bg-gray-200 text-gray-700', label: 'Nicht im Scope' },
+  STANDARD:     { bg: 'bg-blue-100 text-blue-800', label: 'Standard' },
+  IMPORTANT_I:  { bg: 'bg-yellow-100 text-yellow-800', label: 'Important Class I' },
+  IMPORTANT_II: { bg: 'bg-orange-100 text-orange-800', label: 'Important Class II' },
+  CRITICAL:     { bg: 'bg-red-100 text-red-800', label: 'Critical' },
+}
+
+export function ClassificationBadge({ value, size = 'md' }: { value: string | null; size?: 'sm' | 'md' | 'lg' }) {
+  if (!value) {
+    return <span className="px-2 py-0.5 text-xs rounded-full bg-gray-100 text-gray-500">Unbewertet</span>
+  }
+  const style = STYLES[value] || { bg: 'bg-gray-100 text-gray-700', label: value }
+  const sizeClasses = {
+    sm: 'px-2 py-0.5 text-xs',
+    md: 'px-3 py-1 text-sm font-medium',
+    lg: 'px-4 py-2 text-base font-semibold',
+  }[size]
+  return <span className={`rounded-full ${sizeClasses} ${style.bg}`}>{style.label}</span>
+}
diff --git a/admin-compliance/app/sdk/cra/_components/SeverityBadge.tsx b/admin-compliance/app/sdk/cra/_components/SeverityBadge.tsx
new file mode 100644
index 00000000..7be84cc7
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/_components/SeverityBadge.tsx
@@ -0,0 +1,13 @@
+'use client'
+
+const STYLES: Record<string, { bg: string; label: string }> = {
+  CRITICAL: { bg: 'bg-red-600 text-white', label: 'Kritisch' },
+  HIGH:     { bg: 'bg-orange-500 text-white', label: 'Hoch' },
+  MEDIUM:   { bg: 'bg-yellow-400 text-gray-900', label: 'Mittel' },
+  LOW:      { bg: 'bg-blue-100 text-blue-800', label: 'Niedrig' },
+}
+
+export function SeverityBadge({ value }: { value: string }) {
+  const s = STYLES[value] || { bg: 'bg-gray-200 text-gray-700', label: value }
+  return <span className={`px-2 py-0.5 text-xs font-bold rounded ${s.bg}`}>{s.label}</span>
+}
diff --git a/admin-compliance/app/sdk/cra/_components/StatusStepper.tsx b/admin-compliance/app/sdk/cra/_components/StatusStepper.tsx
new file mode 100644
index 00000000..fa5078f4
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/_components/StatusStepper.tsx
@@ -0,0 +1,40 @@
+'use client'
+
+const STEPS = [
+  { id: 'draft', label: 'Entwurf' },
+  { id: 'scoped', label: 'Intake' },
+  { id: 'classified', label: 'Klassifiziert' },
+  { id: 'path_selected', label: 'Pfad' },
+  { id: 'requirements_mapped', label: 'Requirements' },
+  { id: 'evidence_pending', label: 'Evidence' },
+  { id: 'ready_for_review', label: 'Review' },
+  { id: 'declaration_ready', label: 'DoC' },
+  { id: 'post_market', label: 'Post-Market' },
+]
+
+export function StatusStepper({ current }: { current: string }) {
+  const currentIdx = STEPS.findIndex(s => s.id === current)
+  return (
+    <div className="flex items-center gap-1 overflow-x-auto py-2">
+      {STEPS.map((step, idx) => {
+        const isPast = idx < currentIdx
+        const isCurrent = idx === currentIdx
+        return (
+          <div key={step.id} className="flex items-center gap-1 flex-shrink-0">
+            <div className={`w-7 h-7 rounded-full flex items-center justify-center text-xs font-medium ${
+              isCurrent ? 'bg-blue-600 text-white' :
+              isPast ? 'bg-green-500 text-white' :
+              'bg-gray-200 text-gray-500'
+            }`}>{idx + 1}</div>
+            <span className={`text-xs ${isCurrent ? 'font-semibold text-blue-700' : isPast ? 'text-gray-700' : 'text-gray-400'}`}>
+              {step.label}
+            </span>
+            {idx < STEPS.length - 1 && (
+              <span className={`mx-1 ${isPast ? 'text-green-500' : 'text-gray-300'}`}>→</span>
+            )}
+          </div>
+        )
+      })}
+    </div>
+  )
+}
diff --git a/admin-compliance/app/sdk/cra/page.tsx b/admin-compliance/app/sdk/cra/page.tsx
new file mode 100644
index 00000000..35854e0f
--- /dev/null
+++ b/admin-compliance/app/sdk/cra/page.tsx
@@ -0,0 +1,200 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import { useRouter } from 'next/navigation'
+import { ClassificationBadge } from './_components/ClassificationBadge'
+
+interface CRAProject {
+  id: string
+  name: string
+  description: string
+  cra_classification: string | null
+  conformity_path: string | null
+  status: string
+  created_at: string
+}
+
+const PATH_LABEL: Record<string, string> = {
+  self_assessment: 'Modul A (Self-Assessment)',
+  harmonized_standard: 'Modul B (Harmonized)',
+  eucc: 'Modul H (EUCC)',
+  notified_body: 'Modul C (Notified Body)',
+}
+
+const STATUS_LABEL: Record<string, string> = {
+  draft: 'Entwurf',
+  scoped: 'Intake erfasst',
+  classified: 'Klassifiziert',
+  path_selected: 'Pfad gewaehlt',
+  requirements_mapped: 'Requirements',
+  evidence_pending: 'Evidence',
+  gaps_open: 'Gaps offen',
+  remediation: 'Remediation',
+  ready_for_review: 'In Pruefung',
+  declaration_ready: 'DoC bereit',
+  post_market: 'Post-Market',
+  archived: 'Archiviert',
+}
+
+export default function CRAProjectsPage() {
+  const router = useRouter()
+  const [projects, setProjects] = useState<CRAProject[]>([])
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState('')
+  const [showModal, setShowModal] = useState(false)
+  const [newName, setNewName] = useState('')
+  const [newDescription, setNewDescription] = useState('')
+  const [creating, setCreating] = useState(false)
+
+  const tenantHeader = '00000000-0000-0000-0000-000000000001'
+
+  const loadProjects = useCallback(async () => {
+    try {
+      const res = await fetch('/api/sdk/v1/cra/projects', {
+        headers: { 'X-Tenant-ID': tenantHeader },
+      })
+      if (!res.ok) throw new Error(await res.text())
+      const data = await res.json()
+      setProjects(data.projects || [])
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [])
+
+  useEffect(() => { loadProjects() }, [loadProjects])
+
+  const createProject = async () => {
+    if (!newName.trim()) return
+    setCreating(true)
+    setError('')
+    try {
+      const res = await fetch('/api/sdk/v1/cra/projects', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantHeader },
+        body: JSON.stringify({ name: newName, description: newDescription }),
+      })
+      if (!res.ok) throw new Error(await res.text())
+      const project = await res.json()
+      router.push(`/sdk/cra/${project.id}/intake`)
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Anlegen fehlgeschlagen')
+    } finally {
+      setCreating(false)
+    }
+  }
+
+  return (
+    <div className="min-h-screen bg-gray-50 py-8">
+      <div className="max-w-6xl mx-auto px-4">
+        <div className="mb-6">
+          <h1 className="text-3xl font-bold text-gray-900">CRA Compliance</h1>
+          <p className="text-gray-600 mt-2">
+            Cyber Resilience Act — Konformitaets-Workflow fuer Produkte mit digitalen Elementen.
+          </p>
+          <p className="text-sm text-gray-500 mt-1">
+            Fuer Entwickler / Tech-Experten. Hardware-CE-Risikobeurteilung siehe{' '}
+            <a href="/sdk/iace" className="text-blue-600 hover:underline">iACE</a>.
+          </p>
+        </div>
+
+        {error && (
+          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">
+            {error}
+            <button onClick={() => setError('')} className="ml-3 underline">Schliessen</button>
+          </div>
+        )}
+
+        <button
+          onClick={() => setShowModal(true)}
+          className="mb-6 w-full py-4 border-2 border-dashed border-red-300 rounded-xl text-red-600 hover:bg-red-50 hover:border-red-400 transition-colors font-medium"
+        >
+          + Neues CRA-Projekt
+        </button>
+
+        {loading ? (
+          <div className="text-center text-gray-500 py-12">Laedt...</div>
+        ) : projects.length === 0 ? (
+          <p className="text-center text-gray-500 mt-8">
+            Noch keine Projekte. Starten Sie Ihre erste CRA-Konformitaetsanalyse.
+          </p>
+        ) : (
+          <div className="space-y-3">
+            <h2 className="text-lg font-semibold text-gray-800">Projekte</h2>
+            {projects.map(p => (
+              <a
+                key={p.id}
+                href={`/sdk/cra/${p.id}`}
+                className="block bg-white rounded-xl shadow-sm border border-gray-200 p-5 hover:shadow-md hover:border-red-300 transition-all"
+              >
+                <div className="flex items-center justify-between gap-4">
+                  <div className="flex-1 min-w-0">
+                    <h3 className="font-semibold text-gray-900 truncate">{p.name}</h3>
+                    {p.description && (
+                      <p className="text-sm text-gray-500 mt-1 truncate">{p.description}</p>
+                    )}
+                  </div>
+                  <div className="flex items-center gap-3 flex-shrink-0">
+                    <ClassificationBadge value={p.cra_classification} size="sm" />
+                    {p.conformity_path && (
+                      <span className="px-2 py-0.5 text-xs rounded-full bg-purple-100 text-purple-800">
+                        {PATH_LABEL[p.conformity_path] || p.conformity_path}
+                      </span>
+                    )}
+                    <span className="px-2 py-0.5 text-xs rounded-full bg-gray-100 text-gray-700">
+                      {STATUS_LABEL[p.status] || p.status}
+                    </span>
+                    <span className="text-xs text-gray-400">
+                      {new Date(p.created_at).toLocaleDateString('de-DE')}
+                    </span>
+                  </div>
+                </div>
+              </a>
+            ))}
+          </div>
+        )}
+
+        {showModal && (
+          <div className="fixed inset-0 bg-black/40 flex items-center justify-center z-50">
+            <div className="bg-white rounded-xl shadow-xl max-w-md w-full mx-4 p-6">
+              <h3 className="text-lg font-semibold mb-4">Neues CRA-Projekt anlegen</h3>
+              <div className="space-y-3">
+                <input
+                  type="text"
+                  placeholder="Projektname (z.B. SmartHome Gateway v3)"
+                  value={newName}
+                  onChange={e => setNewName(e.target.value)}
+                  className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+                />
+                <textarea
+                  placeholder="Kurzbeschreibung (optional)"
+                  value={newDescription}
+                  onChange={e => setNewDescription(e.target.value)}
+                  rows={3}
+                  className="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-red-500"
+                />
+              </div>
+              <div className="flex gap-3 mt-5">
+                <button
+                  onClick={() => { setShowModal(false); setNewName(''); setNewDescription('') }}
+                  disabled={creating}
+                  className="flex-1 px-4 py-2 border border-gray-300 text-gray-700 rounded-lg hover:bg-gray-50"
+                >
+                  Abbrechen
+                </button>
+                <button
+                  onClick={createProject}
+                  disabled={creating || !newName.trim()}
+                  className="flex-1 px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:bg-gray-300"
+                >
+                  {creating ? 'Erstelle...' : 'Anlegen'}
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx b/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
index 47c4af59..2eb34d74 100644
--- a/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
+++ b/admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx
@@ -75,6 +75,28 @@ export function SidebarModuleList({ collapsed, projectId, pendingCRCount }: Side
         <AdditionalModuleItem href="/sdk/agent" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" /></svg>} label="Compliance Agent" isActive={pathname?.startsWith('/sdk/agent') ?? false} collapsed={collapsed} projectId={projectId} />
       </div>
 
+      {/* CRA Compliance */}
+      <div className="border-t-2 border-red-200 py-2 bg-red-50/30">
+        {!collapsed && (
+          <div className="px-4 py-2 text-xs font-semibold text-red-600 uppercase tracking-wider">
+            CRA Compliance
+          </div>
+        )}
+        <AdditionalModuleItem
+          href="/sdk/cra"
+          icon={
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+            </svg>
+          }
+          label="CRA Compliance"
+          isActive={pathname?.startsWith('/sdk/cra') ?? false}
+          collapsed={collapsed}
+          projectId={projectId}
+        />
+      </div>
+
       {/* Regulatory Gap-Analyse */}
       <div className="border-t-2 border-orange-200 py-2 bg-orange-50/30">
         {!collapsed && (
diff --git a/backend-compliance/compliance/api/cra_annex_i_data.py b/backend-compliance/compliance/api/cra_annex_i_data.py
new file mode 100644
index 00000000..6e175924
--- /dev/null
+++ b/backend-compliance/compliance/api/cra_annex_i_data.py
@@ -0,0 +1,260 @@
+"""
+CRA Annex I — Essential Cybersecurity Requirements (40 Controls)
+
+Quelle: Migration 059_wiki_cra_annex_i_detail.sql (Wiki-Artikel) +
+        ai-compliance-sdk/internal/iace/measures_library_cra.go (M540-M548).
+
+Statische Daten — eine deterministische Quelle fuer die /requirements und
+/backlog Endpoints. KEINE LLM-Calls.
+
+Schluesselfelder:
+- req_id        eindeutige Stable-ID (CRA-AI-1 .. CRA-AI-40)
+- category      eine der 8 Annex-I-Kategorien
+- annex_anchor  Verweis auf CRA Annex I Punkt (z.B. "Annex I, 1(3)(d)")
+- severity      CRITICAL | HIGH | MEDIUM | LOW — wie kritisch die Luecke ist
+- iso27001_ref  Annex A Mapping zur ISO 27001:2022
+- mapped_measures  Liste von M-IDs aus measures_library_cra.go
+- evidence_type code | process | hybrid | document — wie pruefbar
+- effort_days   Schaetzung in Personentagen fuer typische Umsetzung
+"""
+
+ANNEX_I_REQUIREMENTS = [
+    # Part 1 — Produktsicherheit
+    # Kategorie 1: Secure-by-Design
+    {"req_id": "CRA-AI-1", "n": 1, "category": "Secure-by-Design",
+     "title": "Secure-by-Default-Konfiguration",
+     "annex_anchor": "Annex I, 1(1)", "iso27001_ref": ["A.8.9"],
+     "description": "Produkte muessen mit sicheren Standardeinstellungen ausgeliefert werden. Keine offenen Ports, keine aktivierten Debug-Schnittstellen, keine unnoetig laufenden Dienste.",
+     "severity": "HIGH", "mapped_measures": ["M545"], "evidence_type": "hybrid", "effort_days": 5},
+    {"req_id": "CRA-AI-2", "n": 2, "category": "Secure-by-Design",
+     "title": "Minimale Angriffsflaeche",
+     "annex_anchor": "Annex I, 1(2)", "iso27001_ref": ["A.8.9", "A.8.20"],
+     "description": "Nur notwendige Schnittstellen, Dienste und Protokolle aktivieren.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 4},
+    {"req_id": "CRA-AI-3", "n": 3, "category": "Secure-by-Design",
+     "title": "Sichere Systemarchitektur",
+     "annex_anchor": "Annex I, 1(3)", "iso27001_ref": ["A.8.27"],
+     "description": "Sicherheitskritische Komponenten muessen isoliert werden (Sandboxing, Containerisierung, Privilege Separation).",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 10},
+    {"req_id": "CRA-AI-4", "n": 4, "category": "Secure-by-Design",
+     "title": "Least-Privilege-Prinzip",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.2", "A.8.3"],
+     "description": "Jede Komponente, jeder Prozess und jeder Benutzer erhaelt nur die minimal notwendigen Berechtigungen.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 5},
+    {"req_id": "CRA-AI-5", "n": 5, "category": "Secure-by-Design",
+     "title": "Manipulationsschutz",
+     "annex_anchor": "Annex I, 1(3)(c)", "iso27001_ref": ["A.8.24"],
+     "description": "Schutz vor unautorisierter Aenderung von Software und Konfiguration (Code Signing, Secure Boot, TPM).",
+     "severity": "HIGH", "mapped_measures": ["M541"], "evidence_type": "code", "effort_days": 8},
+    {"req_id": "CRA-AI-6", "n": 6, "category": "Secure-by-Design",
+     "title": "Integritaetspruefung",
+     "annex_anchor": "Annex I, 1(3)(c)", "iso27001_ref": ["A.8.24"],
+     "description": "Automatische Ueberpruefung der Integritaet von Software, Firmware und Konfigurationsdaten bei Start und Laufzeit.",
+     "severity": "HIGH", "mapped_measures": ["M547"], "evidence_type": "code", "effort_days": 4},
+    # Kategorie 2: Auth
+    {"req_id": "CRA-AI-7", "n": 7, "category": "Authentifizierung",
+     "title": "Starke Authentifizierung",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.5"],
+     "description": "Sichere Authentifizierungsmechanismen, MFA fuer administrative Zugriffe, FIDO2/WebAuthn.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 6},
+    {"req_id": "CRA-AI-8", "n": 8, "category": "Authentifizierung",
+     "title": "Keine Default-Passwoerter",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.5"],
+     "description": "Produkte duerfen keine universellen Standardpasswoerter verwenden. Aenderung bei Ersteinrichtung erzwingen.",
+     "severity": "CRITICAL", "mapped_measures": ["M542"], "evidence_type": "code", "effort_days": 2},
+    {"req_id": "CRA-AI-9", "n": 9, "category": "Authentifizierung",
+     "title": "Sicheres Credential-Management",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.5"],
+     "description": "Zugangsdaten verschluesselt speichern (bcrypt, Argon2id). Keine Klartextspeicherung. Tokens rotieren.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-10", "n": 10, "category": "Authentifizierung",
+     "title": "Sitzungsmanagement",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.5"],
+     "description": "Session-Verwaltung mit Timeout, Token-Binding, Invalidierung bei Logout. CSRF-Schutz.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-11", "n": 11, "category": "Authentifizierung",
+     "title": "Brute-Force-Schutz",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.5", "A.8.16"],
+     "description": "Schutz vor Brute-Force und Credential-Stuffing via Rate Limiting, Account Lockout, CAPTCHA.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "code", "effort_days": 2},
+    {"req_id": "CRA-AI-12", "n": 12, "category": "Authentifizierung",
+     "title": "Rollenbasierte Autorisierung",
+     "annex_anchor": "Annex I, 1(3)(d)", "iso27001_ref": ["A.8.2", "A.8.3"],
+     "description": "RBAC implementieren. Trennung administrativ vs Nutzer. Least-Privilege durchsetzen.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 4},
+    # Kategorie 3: Krypto
+    {"req_id": "CRA-AI-13", "n": 13, "category": "Kryptografie",
+     "title": "Verschluesselung sensibler Daten",
+     "annex_anchor": "Annex I, 1(3)(e)", "iso27001_ref": ["A.8.24"],
+     "description": "Sensible Daten at rest (AES-256) und in transit (TLS 1.2+) verschluesseln.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 4},
+    {"req_id": "CRA-AI-14", "n": 14, "category": "Kryptografie",
+     "title": "Speicher-Schutz (Data at Rest)",
+     "annex_anchor": "Annex I, 1(3)(e)", "iso27001_ref": ["A.8.24"],
+     "description": "Verschluesselung von Festplatten, Datenbanken, Backups. Schluessel getrennt von Daten.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-15", "n": 15, "category": "Kryptografie",
+     "title": "Transport-Schutz (Data in Transit)",
+     "annex_anchor": "Annex I, 1(3)(e)", "iso27001_ref": ["A.8.24"],
+     "description": "TLS 1.2+ fuer alle Netzwerkkommunikation. SSL/TLS 1.0/1.1 deaktivieren. Certificate Pinning.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 2},
+    {"req_id": "CRA-AI-16", "n": 16, "category": "Kryptografie",
+     "title": "Sicheres Schluesselmanagement",
+     "annex_anchor": "Annex I, 1(3)(e)", "iso27001_ref": ["A.8.24"],
+     "description": "Schluessel in HSM/Vault. Mind. jaehrliche Rotation. Dokumentation der Lebenszyklen.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "hybrid", "effort_days": 8},
+    {"req_id": "CRA-AI-17", "n": 17, "category": "Kryptografie",
+     "title": "Datenminimierung",
+     "annex_anchor": "Annex I, 1(3)(f)", "iso27001_ref": ["A.8.10", "A.8.11"],
+     "description": "Nur Daten erfassen, die fuer die Produktfunktion erforderlich sind. DSGVO-Grundsaetze beachten.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "process", "effort_days": 3},
+    # Kategorie 4: SSDLC
+    {"req_id": "CRA-AI-18", "n": 18, "category": "SSDLC",
+     "title": "Strukturierter SSDLC",
+     "annex_anchor": "Annex I, 1(1)", "iso27001_ref": ["A.8.25", "A.8.26"],
+     "description": "Formaler Secure Software Development Lifecycle mit Security Gates in jeder Phase.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "process", "effort_days": 15},
+    {"req_id": "CRA-AI-19", "n": 19, "category": "SSDLC",
+     "title": "Systematische Code Reviews",
+     "annex_anchor": "Annex I, 1(1)", "iso27001_ref": ["A.8.25"],
+     "description": "Peer Reviews mit Security-Fokus fuer jeden Commit. OWASP Top 10 + CWE Top 25 Checklisten.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "process", "effort_days": 5},
+    {"req_id": "CRA-AI-20", "n": 20, "category": "SSDLC",
+     "title": "Automatisierte Sicherheitstests",
+     "annex_anchor": "Annex I, 1(1)", "iso27001_ref": ["A.8.25"],
+     "description": "SAST, DAST, SCA und Secrets Detection in der CI/CD-Pipeline.",
+     "severity": "HIGH", "mapped_measures": ["M548"], "evidence_type": "code", "effort_days": 8},
+    # Kategorie 5: Supply Chain & SBOM
+    {"req_id": "CRA-AI-21", "n": 21, "category": "Supply Chain",
+     "title": "Supply-Chain-Security",
+     "annex_anchor": "Annex I, 1(5)", "iso27001_ref": ["A.5.19", "A.5.21"],
+     "description": "Drittanbieter-Komponenten systematisch auf Schwachstellen und Lizenz-Compliance pruefen.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "process", "effort_days": 5},
+    {"req_id": "CRA-AI-22", "n": 22, "category": "Supply Chain",
+     "title": "Dependency-Monitoring",
+     "annex_anchor": "Annex I, 1(5)", "iso27001_ref": ["A.8.8", "A.8.25"],
+     "description": "Kontinuierliche CVE-Ueberwachung aller Abhaengigkeiten. Automatische Benachrichtigungen.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-23", "n": 23, "category": "Supply Chain",
+     "title": "Software Bill of Materials (SBOM)",
+     "annex_anchor": "Annex I, 1(5)", "iso27001_ref": ["A.8.25"],
+     "description": "Maschinenlesbares SBOM (CycloneDX oder SPDX). Top-Level-Abhaengigkeiten mit Name, Version, Lizenz. Bei jedem Release aktualisieren.",
+     "severity": "CRITICAL", "mapped_measures": ["M540"], "evidence_type": "code", "effort_days": 2},
+    # Kategorie 6: Logging & Monitoring
+    {"req_id": "CRA-AI-24", "n": 24, "category": "Logging",
+     "title": "Security-Logging",
+     "annex_anchor": "Annex I, 1(3)(g)", "iso27001_ref": ["A.8.15"],
+     "description": "Logs aller sicherheitsrelevanten Ereignisse: Login, Berechtigungen, Admin-Aktionen, APIs, Fehler.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "code", "effort_days": 4},
+    {"req_id": "CRA-AI-25", "n": 25, "category": "Logging",
+     "title": "Ereignis-Monitoring",
+     "annex_anchor": "Annex I, 1(3)(g)", "iso27001_ref": ["A.8.16"],
+     "description": "Zentrale Sammlung und Echtzeit-Ueberwachung. SIEM oder vergleichbares. Event-Korrelation.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "process", "effort_days": 10},
+    {"req_id": "CRA-AI-26", "n": 26, "category": "Logging",
+     "title": "Anomalie-Erkennung",
+     "annex_anchor": "Annex I, 1(3)(g)", "iso27001_ref": ["A.8.16"],
+     "description": "Automatische Erkennung von Angriffsmustern. Alarmierung bei Baseline-Abweichungen. Threat Intel.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "process", "effort_days": 8},
+    {"req_id": "CRA-AI-27", "n": 27, "category": "Logging",
+     "title": "Log-Integritaet und -Aufbewahrung",
+     "annex_anchor": "Annex I, 1(3)(g)", "iso27001_ref": ["A.8.15"],
+     "description": "Manipulationssichere Logs (append-only, signiert oder WORM). Mind. 12 Monate Aufbewahrung.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "code", "effort_days": 4},
+    # Kategorie 7: Updates
+    {"req_id": "CRA-AI-28", "n": 28, "category": "Updates",
+     "title": "Sichere Update-Mechanismen",
+     "annex_anchor": "Annex I, 1(4)", "iso27001_ref": ["A.8.8", "A.8.19"],
+     "description": "Updates ueber sichere Kanaele (HTTPS, signiert). Automatische oder einfach zugaengliche Update-Moeglichkeit. Rollback-Faehigkeit.",
+     "severity": "HIGH", "mapped_measures": ["M541", "M547"], "evidence_type": "code", "effort_days": 8},
+    {"req_id": "CRA-AI-29", "n": 29, "category": "Updates",
+     "title": "Update-Authentizitaet",
+     "annex_anchor": "Annex I, 1(4)", "iso27001_ref": ["A.8.24"],
+     "description": "Updates digital signiert. Signaturpruefung vor Installation. Dokumentierte Key Ceremony.",
+     "severity": "CRITICAL", "mapped_measures": ["M541"], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-30", "n": 30, "category": "Updates",
+     "title": "Update-Integritaet",
+     "annex_anchor": "Annex I, 1(4)", "iso27001_ref": ["A.8.24"],
+     "description": "Integritaetspruefung jedes Update-Pakets (Hash, Signatur). Manipulationen waehrend Uebertragung erkennen.",
+     "severity": "HIGH", "mapped_measures": ["M547"], "evidence_type": "code", "effort_days": 2},
+    {"req_id": "CRA-AI-31", "n": 31, "category": "Updates",
+     "title": "Lifecycle-Support",
+     "annex_anchor": "Annex I, 1(4)", "iso27001_ref": ["A.8.8"],
+     "description": "Security-Updates fuer mind. 5 Jahre ab Inverkehrbringen oder erwartete Nutzungsdauer. End-of-Life klar kommunizieren.",
+     "severity": "HIGH", "mapped_measures": ["M544"], "evidence_type": "process", "effort_days": 3},
+    # Part 2 — Vulnerability Handling
+    {"req_id": "CRA-AI-32", "n": 32, "category": "Vulnerability Handling",
+     "title": "Schwachstellen-Identifikation",
+     "annex_anchor": "Annex I, 2(1)", "iso27001_ref": ["A.8.8"],
+     "description": "Kontinuierliches CVE-Monitoring aller eingesetzten Komponenten. Bug Bounty oder Responsible Disclosure.",
+     "severity": "HIGH", "mapped_measures": [], "evidence_type": "process", "effort_days": 4},
+    {"req_id": "CRA-AI-33", "n": 33, "category": "Vulnerability Handling",
+     "title": "SBOM-Pflege und Analyse",
+     "annex_anchor": "Annex I, 2(1)", "iso27001_ref": ["A.8.8", "A.8.25"],
+     "description": "SBOM aktuell halten und kontinuierlich gegen CVE-Datenbanken pruefen. Auto-Alarmierung bei neuen CVEs.",
+     "severity": "HIGH", "mapped_measures": ["M540"], "evidence_type": "code", "effort_days": 3},
+    {"req_id": "CRA-AI-34", "n": 34, "category": "Vulnerability Handling",
+     "title": "Risikobasierte Priorisierung",
+     "annex_anchor": "Annex I, 2(2)", "iso27001_ref": ["A.8.8"],
+     "description": "CVSS-basierte Priorisierung. SLAs: Kritisch 24-72h, Hoch 7 Tage, Mittel 30 Tage, Niedrig naechster Zyklus.",
+     "severity": "HIGH", "mapped_measures": ["M544"], "evidence_type": "process", "effort_days": 2},
+    {"req_id": "CRA-AI-35", "n": 35, "category": "Vulnerability Handling",
+     "title": "Coordinated Vulnerability Disclosure",
+     "annex_anchor": "Annex I, 2(5)", "iso27001_ref": ["A.5.5", "A.5.6"],
+     "description": "CVD-Policy mit Meldeprozess. Kontaktadresse fuer Forscher. Eingangsbestaetigung innerhalb 5 Werktagen.",
+     "severity": "CRITICAL", "mapped_measures": ["M543"], "evidence_type": "document", "effort_days": 2},
+    {"req_id": "CRA-AI-36", "n": 36, "category": "Vulnerability Handling",
+     "title": "Incident-Response-Prozess",
+     "annex_anchor": "Annex I, 2(5)", "iso27001_ref": ["A.5.24", "A.5.25", "A.5.26"],
+     "description": "Dokumentierter Prozess: Detection -> Classification -> Containment -> Investigation -> Recovery -> Reporting -> Lessons Learned.",
+     "severity": "HIGH", "mapped_measures": ["M546"], "evidence_type": "process", "effort_days": 10},
+    {"req_id": "CRA-AI-37", "n": 37, "category": "Vulnerability Handling",
+     "title": "Fruehwarnung (24h)",
+     "annex_anchor": "Annex I, 2(7) + Art. 14(2)(a)", "iso27001_ref": ["A.5.24", "A.5.26"],
+     "description": "Bei aktiv ausgenutzten Schwachstellen oder schweren Vorfaellen: Fruehwarnung an ENISA/CSIRT innerhalb 24 Stunden.",
+     "severity": "CRITICAL", "mapped_measures": ["M546"], "evidence_type": "process", "effort_days": 3},
+    {"req_id": "CRA-AI-38", "n": 38, "category": "Vulnerability Handling",
+     "title": "Detaillierter Vorfallsbericht (72h)",
+     "annex_anchor": "Annex I, 2(7) + Art. 14(2)(b)", "iso27001_ref": ["A.5.24", "A.5.26"],
+     "description": "72h: Detaillierter Bericht mit Umfang, Auswirkung, Ursachenanalyse, Gegenmassnahmen. Bei personenbezogenen Daten zusaetzlich DSGVO Art. 33/34.",
+     "severity": "CRITICAL", "mapped_measures": ["M546"], "evidence_type": "process", "effort_days": 2},
+    {"req_id": "CRA-AI-39", "n": 39, "category": "Vulnerability Handling",
+     "title": "Patch-Bereitstellung",
+     "annex_anchor": "Annex I, 2(3)", "iso27001_ref": ["A.8.8"],
+     "description": "Patches fuer gemeldete Schwachstellen so schnell wie moeglich. Security Advisories (CSAF-Format empfohlen).",
+     "severity": "HIGH", "mapped_measures": ["M544"], "evidence_type": "process", "effort_days": 5},
+    {"req_id": "CRA-AI-40", "n": 40, "category": "Vulnerability Handling",
+     "title": "Dokumentation und Nachbereitung",
+     "annex_anchor": "Annex I, 2(6)", "iso27001_ref": ["A.5.27"],
+     "description": "Lueckenlose Dokumentation aller Schwachstellen + Vorfaelle, mind. 10 Jahre Aufbewahrung. Lessons-Learned-Prozess.",
+     "severity": "MEDIUM", "mapped_measures": [], "evidence_type": "document", "effort_days": 3},
+]
+
+# Measure descriptions (from measures_library_cra.go)
+MEASURES = {
+    "M540": "Software Bill of Materials (SBOM) erstellen und mit der Maschine ausliefern",
+    "M541": "Signierte Software- und Firmware-Updates mit Rollback-Schutz",
+    "M542": "Initiale Default-Passwoerter beim ersten Start erzwungen aendern",
+    "M543": "CVD-Policy (Coordinated Vulnerability Disclosure) veroeffentlichen",
+    "M544": "Patch-SLA mit Severity-Tiers dokumentieren",
+    "M545": "Cybersecurity-Hardening-Guide fuer den Anwender beilegen",
+    "M546": "Incident-Meldeprozess an ENISA / nationale CSIRT definieren",
+    "M547": "Updates ueber authentisierten Kanal mit Integritaetspruefung",
+    "M548": "Sicherheitsbewertung / Penetrationstest vor Inverkehrbringen",
+}
+
+# CRA-Deadlines (deterministisch, kein DB-Lookup)
+DEADLINES = [
+    {"date": "2026-06-11", "label": "Conformity Bodies benannt"},
+    {"date": "2026-09-11", "label": "Vulnerability-Reporting-Pflicht aktiv (24h/72h)"},
+    {"date": "2027-12-11", "label": "CE-Marking nach CRA verpflichtend"},
+]
+
+
+# Severity-Gewichtung fuer Priority-Score
+SEVERITY_WEIGHT = {
+    "CRITICAL": 100,
+    "HIGH": 60,
+    "MEDIUM": 30,
+    "LOW": 10,
+}
diff --git a/backend-compliance/compliance/api/cra_routes.py b/backend-compliance/compliance/api/cra_routes.py
new file mode 100644
index 00000000..05a1e328
--- /dev/null
+++ b/backend-compliance/compliance/api/cra_routes.py
@@ -0,0 +1,1075 @@
+"""
+FastAPI routes for CRA (Cyber Resilience Act) Compliance Projects.
+
+Endpoints:
+- GET    /v1/cra/projects                         List all CRA projects for a tenant
+- POST   /v1/cra/projects                         Create a new CRA project
+- GET    /v1/cra/projects/{id}                    Get a single CRA project
+- PATCH  /v1/cra/projects/{id}                    Update intake fields / status
+- DELETE /v1/cra/projects/{id}                    Archive project
+- POST   /v1/cra/projects/{id}/scope-check        Run deterministic Annex III/IV match
+- POST   /v1/cra/projects/{id}/path-select        Set conformity path (validated against classification)
+
+Tenant scoping via X-Tenant-ID header (see tenant_utils.get_tenant_id).
+"""
+
+import json
+import logging
+import socket
+import ssl
+from datetime import date
+from typing import Optional
+from uuid import UUID
+
+import httpx
+from fastapi import APIRouter, Depends, HTTPException, UploadFile, File
+from pydantic import BaseModel
+from sqlalchemy import text
+
+from database import SessionLocal
+from .cra_annex_i_data import (
+    ANNEX_I_REQUIREMENTS, MEASURES, DEADLINES, SEVERITY_WEIGHT,
+)
+from .tenant_utils import get_tenant_id
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/v1/cra/projects", tags=["cra"])
+
+
+# =============================================================================
+# CONSTANTS — Annex III/IV mapping (source: migration 059_wiki_cra_annex_i_detail.sql)
+# =============================================================================
+
+ANNEX_IV_CRITICAL = [
+    "hardware-security-module", "hardware security module", "hsm",
+    "smartcard-chip", "smartcard chip", "smart-meter-gateway", "smart meter gateway",
+    "secure-element", "secure element",
+]
+
+ANNEX_III_CLASS_II = [
+    "betriebssystem", "operating system",
+    "hypervisor",
+    "container-runtime", "container runtime",
+    "public-key-infrastruktur", "public key infrastructure", "pki",
+    "industrial-control", "industrial control", "ics", "scada",
+]
+
+ANNEX_III_CLASS_I = [
+    "passwort-manager", "password manager", "passwort manager",
+    "vpn-software", "vpn software",
+    "firewall",
+    "router",
+    "smart-home", "smart home",
+    "iot-sensor", "iot sensor", "iot-geraet",
+    "siem", "siem-system",
+]
+
+CLASSIFICATIONS = {"NOT_IN_SCOPE", "STANDARD", "IMPORTANT_I", "IMPORTANT_II", "CRITICAL"}
+CONFORMITY_PATHS = {"self_assessment", "harmonized_standard", "eucc", "notified_body"}
+
+# Allowed paths per classification (CRITICAL must use notified_body)
+ALLOWED_PATHS = {
+    "NOT_IN_SCOPE":  set(),
+    "STANDARD":      {"self_assessment", "harmonized_standard", "eucc", "notified_body"},
+    "IMPORTANT_I":   {"self_assessment", "harmonized_standard", "eucc", "notified_body"},
+    "IMPORTANT_II":  {"harmonized_standard", "eucc", "notified_body"},
+    "CRITICAL":      {"notified_body"},
+}
+
+STATUS_WHITELIST = {
+    "draft", "scoped", "classified", "path_selected", "requirements_mapped",
+    "evidence_pending", "gaps_open", "remediation", "ready_for_review",
+    "declaration_ready", "post_market", "archived",
+}
+
+
+# =============================================================================
+# REQUEST / RESPONSE MODELS
+# =============================================================================
+
+class CreateProjectRequest(BaseModel):
+    name: str
+    description: str = ""
+    gap_project_id: Optional[str] = None
+
+
+class UpdateProjectRequest(BaseModel):
+    name: Optional[str] = None
+    description: Optional[str] = None
+    repo_url: Optional[str] = None
+    primary_language: Optional[str] = None
+    has_firmware: Optional[bool] = None
+    connected_to_internet: Optional[bool] = None
+    has_software_updates: Optional[bool] = None
+    processes_personal_data: Optional[bool] = None
+    is_critical_infra_supplier: Optional[bool] = None
+    intended_use: Optional[str] = None
+    status: Optional[str] = None
+
+
+class PathSelectRequest(BaseModel):
+    conformity_path: str
+
+
+# =============================================================================
+# HELPERS
+# =============================================================================
+
+def _row_to_response(row) -> dict:
+    """Convert a DB row to dict."""
+    return {
+        "id": str(row.id),
+        "tenant_id": row.tenant_id,
+        "name": row.name,
+        "description": row.description or "",
+        "gap_project_id": str(row.gap_project_id) if row.gap_project_id else None,
+        "repo_url": row.repo_url,
+        "primary_language": row.primary_language,
+        "has_firmware": bool(row.has_firmware),
+        "connected_to_internet": bool(row.connected_to_internet),
+        "has_software_updates": bool(row.has_software_updates),
+        "processes_personal_data": bool(row.processes_personal_data),
+        "is_critical_infra_supplier": bool(row.is_critical_infra_supplier),
+        "intended_use": row.intended_use or "",
+        "cra_classification": row.cra_classification,
+        "classification_rationale": (
+            row.classification_rationale
+            if isinstance(row.classification_rationale, list)
+            else json.loads(row.classification_rationale or "[]")
+        ),
+        "conformity_path": row.conformity_path,
+        "status": row.status,
+        "created_at": row.created_at.isoformat() if row.created_at else "",
+        "updated_at": row.updated_at.isoformat() if row.updated_at else "",
+    }
+
+
+def _classify(intake: dict) -> tuple[str, list[str]]:
+    """Deterministic Annex III/IV match. Returns (classification, rationale_list)."""
+    haystack = " ".join(
+        str(intake.get(f) or "").lower()
+        for f in ("intended_use", "primary_language", "name", "description")
+    )
+
+    def _match(buckets: list[str]) -> Optional[str]:
+        for token in buckets:
+            if token.lower() in haystack:
+                return token
+        return None
+
+    rationale: list[str] = []
+
+    hit = _match(ANNEX_IV_CRITICAL)
+    if hit:
+        rationale.append(f"Annex IV (Critical): Treffer auf '{hit}'")
+        return "CRITICAL", rationale
+
+    hit = _match(ANNEX_III_CLASS_II)
+    if hit:
+        rationale.append(f"Annex III Klasse II (Important_II): Treffer auf '{hit}'")
+        return "IMPORTANT_II", rationale
+
+    hit = _match(ANNEX_III_CLASS_I)
+    if hit:
+        rationale.append(f"Annex III Klasse I (Important_I): Treffer auf '{hit}'")
+        return "IMPORTANT_I", rationale
+
+    flags = [
+        ("connected_to_internet", "Produkt ist mit dem Internet verbunden"),
+        ("has_software_updates", "Produkt hat Software-Updates (digitales Element)"),
+        ("processes_personal_data", "Produkt verarbeitet personenbezogene Daten"),
+        ("is_critical_infra_supplier", "Produkt wird in kritischer Infrastruktur eingesetzt"),
+    ]
+    for field, msg in flags:
+        if intake.get(field):
+            rationale.append(msg)
+
+    if rationale:
+        return "STANDARD", rationale
+
+    rationale.append("Kein digitales Element und keine Annex III/IV-Kategorie erkannt")
+    return "NOT_IN_SCOPE", rationale
+
+
+# =============================================================================
+# ENDPOINTS
+# =============================================================================
+
+@router.get("")
+async def list_projects(
+    tenant_id: str = Depends(get_tenant_id),
+    include_archived: bool = False,
+):
+    """List all CRA projects for the tenant."""
+    db = SessionLocal()
+    try:
+        if include_archived:
+            sql = """
+                SELECT * FROM compliance_cra_projects
+                WHERE tenant_id = :tenant_id
+                ORDER BY created_at DESC
+            """
+        else:
+            sql = """
+                SELECT * FROM compliance_cra_projects
+                WHERE tenant_id = :tenant_id AND status != 'archived'
+                ORDER BY created_at DESC
+            """
+        rows = db.execute(text(sql), {"tenant_id": tenant_id}).fetchall()
+        return {
+            "projects": [_row_to_response(row) for row in rows],
+            "total": len(rows),
+        }
+    finally:
+        db.close()
+
+
+@router.post("", status_code=201)
+async def create_project(
+    body: CreateProjectRequest,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Create a new CRA project. Optionally pre-populate intake from a gap_project."""
+    db = SessionLocal()
+    try:
+        gap_intake: dict = {}
+        if body.gap_project_id:
+            try:
+                gap_uuid = UUID(body.gap_project_id)
+            except ValueError:
+                raise HTTPException(status_code=400, detail="Invalid gap_project_id (must be UUID)")
+            gap_row = db.execute(
+                text("""
+                    SELECT connected_to_internet, has_software_updates,
+                           processes_personal_data, is_critical_infra_supplier,
+                           description
+                    FROM gap_projects
+                    WHERE id = :gid AND tenant_id = CAST(:tid AS uuid)
+                """),
+                {"gid": str(gap_uuid), "tid": tenant_id},
+            ).fetchone()
+            if gap_row:
+                gap_intake = {
+                    "connected_to_internet": bool(gap_row.connected_to_internet),
+                    "has_software_updates": bool(gap_row.has_software_updates),
+                    "processes_personal_data": bool(gap_row.processes_personal_data),
+                    "is_critical_infra_supplier": bool(gap_row.is_critical_infra_supplier),
+                    "intended_use": gap_row.description or "",
+                }
+
+        result = db.execute(
+            text("""
+                INSERT INTO compliance_cra_projects
+                    (tenant_id, name, description, gap_project_id,
+                     connected_to_internet, has_software_updates,
+                     processes_personal_data, is_critical_infra_supplier,
+                     intended_use, status)
+                VALUES
+                    (:tenant_id, :name, :description, :gap_project_id,
+                     :connected_to_internet, :has_software_updates,
+                     :processes_personal_data, :is_critical_infra_supplier,
+                     :intended_use, 'draft')
+                RETURNING *
+            """),
+            {
+                "tenant_id": tenant_id,
+                "name": body.name,
+                "description": body.description,
+                "gap_project_id": body.gap_project_id,
+                "connected_to_internet": gap_intake.get("connected_to_internet", False),
+                "has_software_updates": gap_intake.get("has_software_updates", False),
+                "processes_personal_data": gap_intake.get("processes_personal_data", False),
+                "is_critical_infra_supplier": gap_intake.get("is_critical_infra_supplier", False),
+                "intended_use": gap_intake.get("intended_use", ""),
+            },
+        )
+        row = result.fetchone()
+        db.commit()
+        logger.info("Created CRA project %s for tenant %s", row.id, tenant_id)
+        return _row_to_response(row)
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.get("/{project_id}")
+async def get_project(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Get a single CRA project (tenant-scoped)."""
+    db = SessionLocal()
+    try:
+        row = db.execute(
+            text("""
+                SELECT * FROM compliance_cra_projects
+                WHERE id = :pid AND tenant_id = :tid
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+        return _row_to_response(row)
+    finally:
+        db.close()
+
+
+@router.patch("/{project_id}")
+async def update_project(
+    project_id: str,
+    body: UpdateProjectRequest,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Update intake / status fields. Status is whitelist-validated (no transitions)."""
+    db = SessionLocal()
+    try:
+        updates: dict = {"pid": project_id, "tid": tenant_id}
+        set_parts = ["updated_at = NOW()"]
+
+        for field in (
+            "name", "description", "repo_url", "primary_language",
+            "has_firmware", "connected_to_internet", "has_software_updates",
+            "processes_personal_data", "is_critical_infra_supplier",
+            "intended_use", "status",
+        ):
+            val = getattr(body, field)
+            if val is None:
+                continue
+            if field == "status" and val not in STATUS_WHITELIST:
+                raise HTTPException(
+                    status_code=400,
+                    detail=f"Invalid status '{val}'. Allowed: {sorted(STATUS_WHITELIST)}",
+                )
+            set_parts.append(f"{field} = :{field}")
+            updates[field] = val
+
+        if len(set_parts) == 1:
+            raise HTTPException(status_code=400, detail="No fields to update")
+
+        result = db.execute(
+            text(f"""
+                UPDATE compliance_cra_projects
+                SET {', '.join(set_parts)}
+                WHERE id = :pid AND tenant_id = :tid
+                RETURNING *
+            """),
+            updates,
+        )
+        row = result.fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+        db.commit()
+        return _row_to_response(row)
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.delete("/{project_id}")
+async def archive_project(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Soft-archive a CRA project."""
+    db = SessionLocal()
+    try:
+        result = db.execute(
+            text("""
+                UPDATE compliance_cra_projects
+                SET status = 'archived', updated_at = NOW()
+                WHERE id = :pid AND tenant_id = :tid AND status != 'archived'
+                RETURNING id
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        )
+        row = result.fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="Project not found or already archived")
+        db.commit()
+        return {"success": True, "id": str(row.id), "status": "archived"}
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.post("/{project_id}/scope-check")
+async def scope_check(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Run deterministic Annex III/IV classification on the project's intake fields.
+
+    Writes cra_classification + classification_rationale + status update.
+    """
+    db = SessionLocal()
+    try:
+        row = db.execute(
+            text("""
+                SELECT * FROM compliance_cra_projects
+                WHERE id = :pid AND tenant_id = :tid
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        intake = {
+            "name": row.name,
+            "description": row.description,
+            "intended_use": row.intended_use,
+            "primary_language": row.primary_language,
+            "connected_to_internet": row.connected_to_internet,
+            "has_software_updates": row.has_software_updates,
+            "processes_personal_data": row.processes_personal_data,
+            "is_critical_infra_supplier": row.is_critical_infra_supplier,
+        }
+        classification, rationale = _classify(intake)
+        new_status = "scoped" if classification == "NOT_IN_SCOPE" else "classified"
+
+        updated = db.execute(
+            text("""
+                UPDATE compliance_cra_projects
+                SET cra_classification = :cls,
+                    classification_rationale = CAST(:rat AS jsonb),
+                    status = :status,
+                    updated_at = NOW()
+                WHERE id = :pid AND tenant_id = :tid
+                RETURNING *
+            """),
+            {
+                "pid": project_id,
+                "tid": tenant_id,
+                "cls": classification,
+                "rat": json.dumps(rationale, ensure_ascii=False),
+                "status": new_status,
+            },
+        ).fetchone()
+        db.commit()
+        logger.info(
+            "Scope-check %s for tenant %s -> %s",
+            project_id, tenant_id, classification,
+        )
+        return _row_to_response(updated)
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.get("/{project_id}/requirements")
+async def list_requirements(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Liste der 40 Annex-I-Requirements mit per-Projekt-Status.
+
+    Phase-2-Logik: Status default 'unbewertet' (kein evidence_check linked).
+    Phase-3 wird per-req Status aus compliance_evidence_check_results
+    berechnen.
+    """
+    db = SessionLocal()
+    try:
+        row = db.execute(
+            text("""
+                SELECT id, cra_classification FROM compliance_cra_projects
+                WHERE id = :pid AND tenant_id = :tid
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        items = []
+        for req in ANNEX_I_REQUIREMENTS:
+            items.append({
+                **req,
+                "status": "unbewertet",
+                "mapped_measure_names": [
+                    {"id": m, "name": MEASURES.get(m, m)} for m in req["mapped_measures"]
+                ],
+            })
+        return {
+            "project_id": project_id,
+            "classification": row.cra_classification,
+            "total": len(items),
+            "items": items,
+        }
+    finally:
+        db.close()
+
+
+@router.get("/{project_id}/backlog")
+async def get_backlog(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Priorisierte TODO-Liste — gleiche Daten wie /requirements, aber sortiert.
+
+    Sortierung: severity_weight (desc), effort_days (asc), n (asc).
+    Deadline-Druck: Tage bis 11.12.2027 (CRA-CE-Pflicht).
+    """
+    db = SessionLocal()
+    try:
+        row = db.execute(
+            text("""
+                SELECT id, cra_classification FROM compliance_cra_projects
+                WHERE id = :pid AND tenant_id = :tid
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        ce_deadline = date(2027, 12, 11)
+        today = date.today()
+        days_to_ce = max(0, (ce_deadline - today).days)
+        max_days = 365 * 3  # 3 Jahre als Skalierungsbasis
+
+        items = []
+        for req in ANNEX_I_REQUIREMENTS:
+            severity_w = SEVERITY_WEIGHT.get(req["severity"], 0)
+            deadline_pressure = 1.0 - min(days_to_ce / max_days, 1.0)  # 0..1
+            effort_factor = 1.0 / max(req["effort_days"], 1)
+            priority_score = (
+                severity_w * (1.0 + 0.5 * deadline_pressure) * (1.0 + 0.1 * effort_factor)
+            )
+            items.append({
+                "req_id": req["req_id"],
+                "title": req["title"],
+                "category": req["category"],
+                "severity": req["severity"],
+                "annex_anchor": req["annex_anchor"],
+                "description": req["description"],
+                "effort_days": req["effort_days"],
+                "mapped_measure_names": [
+                    {"id": m, "name": MEASURES.get(m, m)} for m in req["mapped_measures"]
+                ],
+                "status": "unbewertet",
+                "priority_score": round(priority_score, 1),
+            })
+
+        items.sort(key=lambda x: (-x["priority_score"], x["effort_days"]))
+        for idx, it in enumerate(items, 1):
+            it["rank"] = idx
+
+        return {
+            "project_id": project_id,
+            "classification": row.cra_classification,
+            "days_to_ce_deadline": days_to_ce,
+            "deadlines": DEADLINES,
+            "total": len(items),
+            "items": items,
+        }
+    finally:
+        db.close()
+
+
+@router.post("/{project_id}/path-select")
+async def path_select(
+    project_id: str,
+    body: PathSelectRequest,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Set conformity_path. Validates path is allowed for the project's classification."""
+    if body.conformity_path not in CONFORMITY_PATHS:
+        raise HTTPException(
+            status_code=400,
+            detail=f"Invalid conformity_path. Allowed: {sorted(CONFORMITY_PATHS)}",
+        )
+
+    db = SessionLocal()
+    try:
+        row = db.execute(
+            text("""
+                SELECT cra_classification FROM compliance_cra_projects
+                WHERE id = :pid AND tenant_id = :tid
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchone()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+        if not row.cra_classification:
+            raise HTTPException(
+                status_code=400,
+                detail="Run scope-check before selecting a conformity path",
+            )
+
+        allowed = ALLOWED_PATHS.get(row.cra_classification, set())
+        if body.conformity_path not in allowed:
+            raise HTTPException(
+                status_code=400,
+                detail=(
+                    f"Path '{body.conformity_path}' not allowed for classification "
+                    f"'{row.cra_classification}'. Allowed: {sorted(allowed)}"
+                ),
+            )
+
+        updated = db.execute(
+            text("""
+                UPDATE compliance_cra_projects
+                SET conformity_path = :path,
+                    status = 'path_selected',
+                    updated_at = NOW()
+                WHERE id = :pid AND tenant_id = :tid
+                RETURNING *
+            """),
+            {"pid": project_id, "tid": tenant_id, "path": body.conformity_path},
+        ).fetchone()
+        db.commit()
+        return _row_to_response(updated)
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+# =============================================================================
+# PHASE 3: SBOM Upload + Automated Checks
+# =============================================================================
+
+DEFAULT_CHECKS = [
+    {
+        "check_code": "cra_security_txt",
+        "title": "security.txt (RFC 9116)",
+        "description": "Pruefung ob /.well-known/security.txt existiert und Contact-Eintrag enthaelt",
+        "check_type": "url_probe",
+        "linked_req_ids": ["CRA-AI-35"],  # CVD
+    },
+    {
+        "check_code": "cra_vuln_disclosure_url",
+        "title": "Vulnerability-Disclosure-Policy-URL",
+        "description": "Manuelle Pflege: URL zur CVD-Policy. Wird in DoC referenziert.",
+        "check_type": "manual_review",
+        "linked_req_ids": ["CRA-AI-35"],
+    },
+    {
+        "check_code": "cra_update_policy_url",
+        "title": "Update-Policy-URL",
+        "description": "URL zur dokumentierten Patch-/Update-Policy (Lifecycle, SLAs).",
+        "check_type": "manual_review",
+        "linked_req_ids": ["CRA-AI-28", "CRA-AI-31", "CRA-AI-34"],
+    },
+    {
+        "check_code": "cra_signed_updates",
+        "title": "Signierte Updates",
+        "description": "Bestaetigung dass Updates digital signiert ausgeliefert werden.",
+        "check_type": "manual_review",
+        "linked_req_ids": ["CRA-AI-29", "CRA-AI-30"],
+    },
+    {
+        "check_code": "cra_default_password_check",
+        "title": "Keine Default-Passwoerter",
+        "description": "Bestaetigung dass das Produkt keine Default-Passwoerter ausliefert.",
+        "check_type": "manual_review",
+        "linked_req_ids": ["CRA-AI-8"],
+    },
+    {
+        "check_code": "cra_tls_cert_check",
+        "title": "TLS-Zertifikat des Produkt-Endpoints",
+        "description": "Pruefung ob TLS 1.2+ und gueltiges Zertifikat.",
+        "check_type": "tls_probe",
+        "linked_req_ids": ["CRA-AI-15"],
+    },
+]
+
+
+class CheckRunRequest(BaseModel):
+    target_url: Optional[str] = None
+
+
+def _cra_project_exists(db, project_id: str, tenant_id: str) -> bool:
+    row = db.execute(
+        text("""
+            SELECT 1 FROM compliance_cra_projects
+            WHERE id = :pid AND tenant_id = :tid
+        """),
+        {"pid": project_id, "tid": tenant_id},
+    ).fetchone()
+    return bool(row)
+
+
+@router.post("/{project_id}/sbom/upload")
+async def upload_sbom(
+    project_id: str,
+    file: UploadFile = File(...),
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Upload CycloneDX or SPDX SBOM (JSON). Persists in compliance_cra_sboms."""
+    db = SessionLocal()
+    try:
+        if not _cra_project_exists(db, project_id, tenant_id):
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        raw = await file.read()
+        try:
+            data = json.loads(raw)
+        except json.JSONDecodeError as e:
+            raise HTTPException(status_code=400, detail=f"Invalid JSON: {e}")
+
+        # Format detection
+        fmt = None
+        spec_version = None
+        component_count = 0
+        summary: dict = {}
+
+        if isinstance(data, dict) and data.get("bomFormat") == "CycloneDX":
+            fmt = "cyclonedx"
+            spec_version = data.get("specVersion") or data.get("version")
+            components = data.get("components") or []
+            component_count = len(components)
+            summary = {
+                "bomFormat": "CycloneDX",
+                "specVersion": spec_version,
+                "serialNumber": data.get("serialNumber"),
+                "metadata_component": (data.get("metadata") or {}).get("component", {}),
+                "sample_components": components[:5],
+            }
+        elif isinstance(data, dict) and data.get("spdxVersion"):
+            fmt = "spdx"
+            spec_version = data["spdxVersion"]
+            packages = data.get("packages") or []
+            component_count = len(packages)
+            summary = {
+                "spdxVersion": spec_version,
+                "name": data.get("name"),
+                "sample_packages": [{"name": p.get("name"), "version": p.get("versionInfo")} for p in packages[:5]],
+            }
+        else:
+            raise HTTPException(
+                status_code=400,
+                detail="Unrecognized SBOM format. Expected CycloneDX (bomFormat='CycloneDX') or SPDX (spdxVersion present).",
+            )
+
+        result = db.execute(
+            text("""
+                INSERT INTO compliance_cra_sboms
+                    (cra_project_id, tenant_id, filename, format, spec_version,
+                     component_count, raw_content, summary, scan_status)
+                VALUES
+                    (:pid, :tid, :fn, :fmt, :ver, :cnt,
+                     CAST(:raw AS jsonb), CAST(:sum AS jsonb), 'pending')
+                RETURNING id, uploaded_at
+            """),
+            {
+                "pid": project_id,
+                "tid": tenant_id,
+                "fn": file.filename or "unknown.json",
+                "fmt": fmt,
+                "ver": spec_version,
+                "cnt": component_count,
+                "raw": json.dumps(data),
+                "sum": json.dumps(summary),
+            },
+        ).fetchone()
+        db.commit()
+        return {
+            "id": str(result.id),
+            "uploaded_at": result.uploaded_at.isoformat(),
+            "filename": file.filename,
+            "format": fmt,
+            "spec_version": spec_version,
+            "component_count": component_count,
+            "summary": summary,
+            "scan_status": "pending",
+            "note": "osv.dev scan wird durch separates Tool im Team durchgefuehrt.",
+        }
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.get("/{project_id}/sboms")
+async def list_sboms(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """List all SBOM uploads for this project, newest first."""
+    db = SessionLocal()
+    try:
+        if not _cra_project_exists(db, project_id, tenant_id):
+            raise HTTPException(status_code=404, detail="CRA project not found")
+        rows = db.execute(
+            text("""
+                SELECT id, filename, format, spec_version, component_count,
+                       summary, scan_status, scan_summary, uploaded_at, scanned_at
+                FROM compliance_cra_sboms
+                WHERE cra_project_id = :pid AND tenant_id = :tid
+                ORDER BY uploaded_at DESC
+            """),
+            {"pid": project_id, "tid": tenant_id},
+        ).fetchall()
+        items = []
+        for r in rows:
+            items.append({
+                "id": str(r.id),
+                "filename": r.filename,
+                "format": r.format,
+                "spec_version": r.spec_version,
+                "component_count": r.component_count,
+                "summary": r.summary if isinstance(r.summary, dict) else json.loads(r.summary or "{}"),
+                "scan_status": r.scan_status,
+                "scan_summary": r.scan_summary if isinstance(r.scan_summary, dict) else json.loads(r.scan_summary or "{}"),
+                "uploaded_at": r.uploaded_at.isoformat() if r.uploaded_at else None,
+                "scanned_at": r.scanned_at.isoformat() if r.scanned_at else None,
+            })
+        return {"project_id": project_id, "total": len(items), "items": items}
+    finally:
+        db.close()
+
+
+@router.get("/{project_id}/checks")
+async def list_checks(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """List configured checks + their latest run result."""
+    db = SessionLocal()
+    try:
+        if not _cra_project_exists(db, project_id, tenant_id):
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        rows = db.execute(
+            text("""
+                SELECT id, check_code, title, description, check_type, target_url,
+                       linked_control_ids, last_run_at, is_active
+                FROM compliance_evidence_checks
+                WHERE tenant_id = CAST(:tid AS uuid) AND project_id = :pid_uuid
+                  AND check_code LIKE 'cra_%'
+                ORDER BY check_code
+            """),
+            {"tid": tenant_id, "pid_uuid": project_id},
+        ).fetchall()
+
+        # Latest result per check
+        results: dict = {}
+        if rows:
+            ids = [str(r.id) for r in rows]
+            for r_row in db.execute(
+                text("""
+                    SELECT check_id, status, message, ran_at
+                    FROM compliance_evidence_check_results
+                    WHERE check_id::text = ANY(:ids)
+                    ORDER BY ran_at DESC
+                """),
+                {"ids": ids},
+            ).fetchall():
+                cid = str(r_row.check_id)
+                if cid not in results:
+                    results[cid] = {
+                        "status": r_row.status,
+                        "message": r_row.message,
+                        "ran_at": r_row.ran_at.isoformat() if r_row.ran_at else None,
+                    }
+
+        items = []
+        for r in rows:
+            linked = r.linked_control_ids
+            if isinstance(linked, str):
+                try:
+                    linked = json.loads(linked)
+                except Exception:
+                    linked = []
+            items.append({
+                "id": str(r.id),
+                "check_code": r.check_code,
+                "title": r.title,
+                "description": r.description,
+                "check_type": r.check_type,
+                "target_url": r.target_url,
+                "linked_req_ids": linked or [],
+                "last_run_at": r.last_run_at.isoformat() if r.last_run_at else None,
+                "is_active": bool(r.is_active),
+                "latest_result": results.get(str(r.id)),
+            })
+        return {"project_id": project_id, "total": len(items), "items": items}
+    finally:
+        db.close()
+
+
+@router.post("/{project_id}/checks/init")
+async def init_checks(
+    project_id: str,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Create the default set of CRA checks for this project (idempotent)."""
+    db = SessionLocal()
+    try:
+        if not _cra_project_exists(db, project_id, tenant_id):
+            raise HTTPException(status_code=404, detail="CRA project not found")
+
+        existing = db.execute(
+            text("""
+                SELECT check_code FROM compliance_evidence_checks
+                WHERE tenant_id = CAST(:tid AS uuid) AND project_id = :pid AND check_code LIKE 'cra_%'
+            """),
+            {"tid": tenant_id, "pid": project_id},
+        ).fetchall()
+        existing_codes = {r.check_code for r in existing}
+
+        created = 0
+        for c in DEFAULT_CHECKS:
+            if c["check_code"] in existing_codes:
+                continue
+            db.execute(
+                text("""
+                    INSERT INTO compliance_evidence_checks
+                        (tenant_id, project_id, check_code, title, description,
+                         check_type, linked_control_ids, frequency, is_active)
+                    VALUES
+                        (CAST(:tid AS uuid), :pid, :code, :title, :desc,
+                         :ctype, CAST(:linked AS jsonb), 'monthly', true)
+                """),
+                {
+                    "tid": tenant_id,
+                    "pid": project_id,
+                    "code": c["check_code"],
+                    "title": c["title"],
+                    "desc": c["description"],
+                    "ctype": c["check_type"],
+                    "linked": json.dumps(c["linked_req_ids"]),
+                },
+            )
+            created += 1
+        db.commit()
+        return {"created": created, "already_present": len(existing_codes)}
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.post("/checks/{check_id}/run")
+async def run_check(
+    check_id: str,
+    body: CheckRunRequest,
+    tenant_id: str = Depends(get_tenant_id),
+):
+    """Manually run a single check. Currently implements:
+       - cra_security_txt: HTTP GET, looks for 'Contact:' field
+       - cra_tls_cert_check: TLS handshake + cert info
+       - others: returns 'manual_review_required' status
+    """
+    db = SessionLocal()
+    try:
+        check = db.execute(
+            text("""
+                SELECT id, check_code, target_url FROM compliance_evidence_checks
+                WHERE id = CAST(:cid AS uuid) AND tenant_id = CAST(:tid AS uuid)
+            """),
+            {"cid": check_id, "tid": tenant_id},
+        ).fetchone()
+        if not check:
+            raise HTTPException(status_code=404, detail="Check not found")
+
+        url = body.target_url or check.target_url
+        if url and url != check.target_url:
+            db.execute(
+                text("UPDATE compliance_evidence_checks SET target_url = :u WHERE id = CAST(:cid AS uuid)"),
+                {"u": url, "cid": check_id},
+            )
+
+        status = "manual_review_required"
+        message = "Dieser Check-Typ erfordert manuelle Pruefung."
+
+        if check.check_code == "cra_security_txt" and url:
+            base = url.rstrip("/")
+            probe_url = f"{base}/.well-known/security.txt"
+            try:
+                async with httpx.AsyncClient(timeout=10, follow_redirects=True) as client:
+                    resp = await client.get(probe_url)
+                if resp.status_code != 200:
+                    status = "fail"
+                    message = f"GET {probe_url} -> HTTP {resp.status_code}"
+                else:
+                    has_contact = any(
+                        line.strip().lower().startswith("contact:")
+                        for line in resp.text.splitlines()
+                    )
+                    if has_contact:
+                        status = "pass"
+                        message = f"security.txt vorhanden mit Contact-Eintrag ({len(resp.text)} bytes)"
+                    else:
+                        status = "fail"
+                        message = "security.txt vorhanden, aber KEIN 'Contact:'-Eintrag"
+            except Exception as e:
+                status = "fail"
+                message = f"Fetch error: {e}"
+
+        elif check.check_code == "cra_tls_cert_check" and url:
+            try:
+                host = url.replace("https://", "").replace("http://", "").split("/")[0].split(":")[0]
+                ctx = ssl.create_default_context()
+                with socket.create_connection((host, 443), timeout=10) as sock:
+                    with ctx.wrap_socket(sock, server_hostname=host) as ssock:
+                        cert = ssock.getpeercert()
+                        proto = ssock.version()
+                if proto and proto >= "TLSv1.2":
+                    status = "pass"
+                    message = f"TLS {proto} ok. Issuer: {dict(x[0] for x in cert.get('issuer', [])).get('organizationName', 'unknown')}"
+                else:
+                    status = "fail"
+                    message = f"TLS-Version zu alt: {proto}"
+            except Exception as e:
+                status = "fail"
+                message = f"TLS error: {e}"
+
+        # Persist result
+        db.execute(
+            text("""
+                INSERT INTO compliance_evidence_check_results
+                    (check_id, tenant_id, project_id, status, message, ran_at)
+                VALUES
+                    (CAST(:cid AS uuid), CAST(:tid AS uuid),
+                     (SELECT project_id FROM compliance_evidence_checks WHERE id = CAST(:cid AS uuid)),
+                     :status, :msg, NOW())
+            """),
+            {"cid": check_id, "tid": tenant_id, "status": status, "msg": message},
+        )
+        db.execute(
+            text("""
+                UPDATE compliance_evidence_checks
+                SET last_run_at = NOW()
+                WHERE id = CAST(:cid AS uuid)
+            """),
+            {"cid": check_id},
+        )
+        db.commit()
+        return {
+            "check_id": check_id,
+            "check_code": check.check_code,
+            "status": status,
+            "message": message,
+            "target_url": url,
+        }
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
diff --git a/backend-compliance/main.py b/backend-compliance/main.py
index 30957460..a2f66d6e 100644
--- a/backend-compliance/main.py
+++ b/backend-compliance/main.py
@@ -52,6 +52,7 @@ from compliance.api.agent_doc_check_routes import router as agent_doc_check_rout
 from compliance.api.agent_compliance_check_routes import router as agent_compliance_check_router
 from compliance.api.agent_migration_routes import router as agent_migration_router
 from compliance.api.vendor_assessment_routes import router as vendor_assessment_router
+from compliance.api.cra_routes import router as cra_router
 
 # Middleware
 from middleware import (
@@ -161,6 +162,9 @@ app.include_router(agent_migration_router, prefix="/api")
 # Vendor Contract Assessment
 app.include_router(vendor_assessment_router, prefix="/api")
 
+# CRA (Cyber Resilience Act) Compliance
+app.include_router(cra_router, prefix="/api")
+
 
 if __name__ == "__main__":
     import uvicorn
diff --git a/backend-compliance/migrations/119_compliance_cra_projects.sql b/backend-compliance/migrations/119_compliance_cra_projects.sql
new file mode 100644
index 00000000..a330cf61
--- /dev/null
+++ b/backend-compliance/migrations/119_compliance_cra_projects.sql
@@ -0,0 +1,44 @@
+-- Migration 119: CRA Compliance Projects
+-- Tracks per-product CRA conformity assessment lifecycle.
+-- Status state machine (validated as whitelist, no transition enforcement):
+--   draft -> scoped -> classified -> path_selected -> requirements_mapped ->
+--   evidence_pending -> gaps_open -> remediation -> ready_for_review ->
+--   declaration_ready -> post_market
+-- Tenant scoping via X-Tenant-ID header (validated UUID).
+
+CREATE TABLE IF NOT EXISTS compliance_cra_projects (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id VARCHAR(255) NOT NULL,
+    name VARCHAR(500) NOT NULL,
+    description TEXT DEFAULT '',
+    gap_project_id UUID,
+
+    -- Intake (Software-fokussiert, NICHT Hardware)
+    repo_url VARCHAR(1000),
+    primary_language VARCHAR(50),
+    has_firmware BOOLEAN DEFAULT false,
+    connected_to_internet BOOLEAN DEFAULT false,
+    has_software_updates BOOLEAN DEFAULT false,
+    processes_personal_data BOOLEAN DEFAULT false,
+    is_critical_infra_supplier BOOLEAN DEFAULT false,
+    intended_use TEXT DEFAULT '',
+
+    -- Scope
+    cra_classification VARCHAR(20),
+    classification_rationale JSONB DEFAULT '[]'::jsonb,
+
+    -- Path
+    conformity_path VARCHAR(30),
+
+    -- Status (whitelist)
+    status VARCHAR(40) NOT NULL DEFAULT 'draft',
+
+    -- Audit
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_cra_projects_tenant ON compliance_cra_projects(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_status ON compliance_cra_projects(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_class ON compliance_cra_projects(cra_classification);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_gap_link ON compliance_cra_projects(gap_project_id) WHERE gap_project_id IS NOT NULL;
diff --git a/backend-compliance/migrations/120_compliance_cra_sboms.sql b/backend-compliance/migrations/120_compliance_cra_sboms.sql
new file mode 100644
index 00000000..ed462043
--- /dev/null
+++ b/backend-compliance/migrations/120_compliance_cra_sboms.sql
@@ -0,0 +1,23 @@
+-- Migration 120: CRA Project SBOMs + reuse existing compliance_evidence_checks
+-- For SBOM uploads (CycloneDX/SPDX), we add a dedicated table to track versions.
+-- For automated checks (security.txt etc.), we reuse compliance_evidence_checks.
+
+CREATE TABLE IF NOT EXISTS compliance_cra_sboms (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    cra_project_id UUID NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+    filename VARCHAR(500) NOT NULL,
+    format VARCHAR(20) NOT NULL,                -- 'cyclonedx' | 'spdx'
+    spec_version VARCHAR(20),
+    component_count INTEGER DEFAULT 0,
+    raw_content JSONB NOT NULL DEFAULT '{}'::jsonb,
+    summary JSONB DEFAULT '{}'::jsonb,           -- top-level metadata extracted
+    scan_status VARCHAR(20) DEFAULT 'pending',   -- pending | scanned | failed
+    scan_summary JSONB DEFAULT '{}'::jsonb,      -- osv.dev results (Phase 3.5)
+    uploaded_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    scanned_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_cra_sboms_project ON compliance_cra_sboms(cra_project_id);
+CREATE INDEX IF NOT EXISTS idx_cra_sboms_tenant ON compliance_cra_sboms(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_cra_sboms_uploaded ON compliance_cra_sboms(cra_project_id, uploaded_at DESC);