feat: Phase 6 — Integration + QS (categories, scope defaults, examples)

Phase 6 of the Document Templates Masterplan:

- Categories: Consolidated AI governance into internal_policies,
  removed redundant category
- scopeDefaults.ts: Added getRecommendedDocuments() function that
  maps L1-L4 compliance levels to required/recommended/optional
  document types (~60 types across 4 tiers)
- Examples: Added dpa_de.json, tom_de.json, whistleblower_de.json
  example contexts for the document generator

Document recommendation per level:
- L1 (Startup): 5 required (DSI, Impressum, AGB, Cookie)
- L2 (KMU): +6 recommended (AVV, TOM, VVT, Löschkonzept, etc.)
- L3 (Extended): +16 recommended (Security concepts, policies, HR DSI)
- L4 (Enterprise): +25 recommended (ISMS, BCM, all policies)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

admin-compliance/app/sdk/document-generator/scopeDefaults.ts

@@ -268,3 +268,53 @@ export function getProfileLabel(level: ComplianceDepthLevel): string {
   }
   return labels[level]
 }
+
+/**
+ * Empfiehlt relevante Dokumenttypen basierend auf dem Compliance-Level.
+ * Hilft dem Kunden zu verstehen, welche Dokumente er braucht.
+ */
+export function getRecommendedDocuments(level: ComplianceDepthLevel): {
+  required: string[]
+  recommended: string[]
+  optional: string[]
+} {
+  const always = [
+    'privacy_policy', 'impressum', 'agb', 'cookie_banner', 'cookie_policy',
+  ]
+  const l2plus = [
+    'dpa', 'tom_documentation', 'vvt_register', 'loeschkonzept',
+    'community_guidelines', 'terms_of_use',
+  ]
+  const l3plus = [
+    'it_security_concept', 'data_protection_concept', 'incident_response_plan',
+    'access_control_concept', 'backup_recovery_concept', 'logging_concept',
+    'risk_management_concept', 'pflichtenregister',
+    'password_policy', 'encryption_policy', 'information_security_policy',
+    'access_control_policy', 'whistleblower_policy',
+    'employee_dsi', 'applicant_dsi', 'ai_usage_policy',
+  ]
+  const l4only = [
+    'isms_manual', 'cybersecurity_policy', 'byod_policy',
+    'dsfa', 'social_media_dsi', 'media_content_policy',
+    'video_conference_dsi', 'consent_texts',
+    'data_protection_policy', 'data_classification_policy',
+    'data_retention_policy', 'data_transfer_policy',
+    'privacy_incident_policy', 'employee_security_policy',
+    'security_awareness_policy', 'remote_work_policy',
+    'offboarding_policy', 'vendor_risk_management_policy',
+    'third_party_security_policy', 'supplier_security_policy',
+    'business_continuity_policy', 'disaster_recovery_policy',
+    'crisis_management_policy',
+  ]
+
+  switch (level) {
+    case 'L1':
+      return { required: always, recommended: [], optional: l2plus }
+    case 'L2':
+      return { required: always, recommended: l2plus, optional: l3plus }
+    case 'L3':
+      return { required: [...always, ...l2plus], recommended: l3plus, optional: l4only }
+    case 'L4':
+      return { required: [...always, ...l2plus, ...l3plus], recommended: l4only, optional: [] }
+  }
+}