feat: Phase 6 — Integration + QS (categories, scope defaults, examples)

Phase 6 of the Document Templates Masterplan:

- Categories: Consolidated AI governance into internal_policies,
  removed redundant category
- scopeDefaults.ts: Added getRecommendedDocuments() function that
  maps L1-L4 compliance levels to required/recommended/optional
  document types (~60 types across 4 tiers)
- Examples: Added dpa_de.json, tom_de.json, whistleblower_de.json
  example contexts for the document generator

Document recommendation per level:
- L1 (Startup): 5 required (DSI, Impressum, AGB, Cookie)
- L2 (KMU): +6 recommended (AVV, TOM, VVT, Löschkonzept, etc.)
- L3 (Extended): +16 recommended (Security concepts, policies, HR DSI)
- L4 (Enterprise): +25 recommended (ISMS, BCM, all policies)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

admin-compliance/app/sdk/document-generator/_constants.ts

@@ -28,11 +28,10 @@ export const CATEGORIES: { key: string; label: string; types: string[] | null }[
   { key: 'social_media', label: 'Social Media DSI', types: ['social_media_dsi'] },
   { key: 'whistleblower', label: 'Whistleblower', types: ['whistleblower_policy'] },
   { key: 'hr_dsi', label: 'HR-Datenschutz', types: ['applicant_dsi', 'employee_dsi'] },
-  { key: 'ai_governance', label: 'KI-Governance', types: ['ai_usage_policy'] },
   { key: 'isms', label: 'ISMS', types: ['isms_manual'] },
   { key: 'consent_texts', label: 'Einwilligungen', types: ['consent_texts'] },
   { key: 'special_dsi', label: 'Spezial-DSI', types: ['video_conference_dsi'] },
-  { key: 'internal_policies', label: 'Interne Richtlinien', types: ['byod_policy'] },
+  { key: 'internal_policies', label: 'Interne Richtlinien', types: ['byod_policy', 'ai_usage_policy'] },
   { key: 'module_docs', label: 'Konzepte', types: ['vvt_register', 'loeschkonzept', 'pflichtenregister', 'it_security_concept', 'data_protection_concept', 'backup_recovery_concept', 'logging_concept', 'incident_response_plan', 'access_control_concept', 'risk_management_concept'] },
   { key: 'security_policies', label: 'Sicherheitsrichtlinien', types: ['information_security_policy', 'access_control_policy', 'password_policy', 'encryption_policy', 'cybersecurity_policy'] },
   { key: 'hr_policies', label: 'HR-Richtlinien', types: ['employee_security_policy', 'security_awareness_policy', 'remote_work_policy', 'offboarding_policy'] },

admin-compliance/app/sdk/document-generator/examples/dpa_de.json

@@ -0,0 +1,36 @@
+{
+  "document_type": "dpa",
+  "language": "de",
+  "context": {
+    "DPA": {
+      "AG_NAME": "Muster GmbH",
+      "AG_STRASSE": "Musterstrasse 1",
+      "AG_PLZ_ORT": "10115 Berlin",
+      "AN_NAME": "BreakPilot GmbH",
+      "AN_STRASSE": "Hardtring 6",
+      "AN_PLZ_ORT": "78224 Singen",
+      "VERARBEITUNGSGEGENSTAND": "Bereitstellung und Betrieb einer SaaS-Compliance-Plattform",
+      "VERARBEITUNGSZWECK": "Compliance-Management, Dokumentengenerierung, Risikobewertung",
+      "VERARBEITUNGSARTEN": "Erheben, Speichern, Veraendern, Auslesen, Abfragen, Uebermitteln, Loeschen",
+      "DATENKATEGORIEN": "Stammdaten, Kontaktdaten, Vertragsdaten, Nutzungsdaten, Kommunikationsdaten",
+      "PERSONENKATEGORIEN": "Mitarbeitende des Auftraggebers, Kunden des Auftraggebers, Ansprechpartner",
+      "BREACH_NOTIFICATION_HOURS": 24,
+      "INSTRUCTION_RETENTION_YEARS": 3,
+      "SUB_PROCESSOR_NOTICE_WEEKS": 4,
+      "SUB_PROCESSOR_OBJECTION_WEEKS": 2,
+      "DATA_EXPORT_FORMAT": "CSV/JSON",
+      "RETURN_CHOICE_WEEKS": 4,
+      "DELETION_DAYS": 90,
+      "AN_DSB_NAME": "Max Mustermann",
+      "AN_DSB_EMAIL": "datenschutz@breakpilot.ai",
+      "VERTRAGSDATUM": "2026-05-01",
+      "AG_ORT": "Berlin",
+      "AN_ORT": "Singen",
+      "AG_UNTERZEICHNER_NAME": "Anna Beispiel",
+      "AG_UNTERZEICHNER_FUNKTION": "Geschaeftsfuehrerin",
+      "AN_UNTERZEICHNER_NAME": "Benjamin Boenisch",
+      "AN_UNTERZEICHNER_FUNKTION": "Geschaeftsfuehrer",
+      "GERICHTSSTAND": "Singen"
+    }
+  }
+}

admin-compliance/app/sdk/document-generator/examples/tom_de.json

@@ -0,0 +1,30 @@
+{
+  "document_type": "tom_documentation",
+  "language": "de",
+  "context": {
+    "TOM": {
+      "ISB_NAME": "Thomas Sicher",
+      "GF_NAME": "Benjamin Boenisch",
+      "DOCUMENT_VERSION": "2.0.0",
+      "NEXT_REVIEW_DATE": "2027-05-01",
+      "HAS_MFA": true,
+      "HAS_USB_LOCKED": false,
+      "HAS_MOBILE_MEDIA": false,
+      "HAS_FOUR_EYES_DELETE": true,
+      "HAS_EXTERNAL_DESTRUCTION": true,
+      "HAS_PHYSICAL_TRANSPORT": false,
+      "HAS_THIRD_COUNTRY_TRANSFER": false,
+      "HAS_CLOUD_SERVICES": true,
+      "HAS_REDUNDANCY": true,
+      "HAS_GEO_REDUNDANCY": false,
+      "HAS_USV": true,
+      "HAS_OWN_SERVER_ROOM": true,
+      "HAS_MULTI_TENANT": true,
+      "HAS_TEST_DATA_ANONYMIZED": true,
+      "LOG_RETENTION_MONTHS": 12,
+      "DIN_66399_LEVEL": "4",
+      "AVAILABILITY_TARGET": "99.9",
+      "SEPARATION_TYPE": "logisch"
+    }
+  }
+}

admin-compliance/app/sdk/document-generator/examples/whistleblower_de.json

@@ -0,0 +1,18 @@
+{
+  "document_type": "whistleblower_policy",
+  "language": "de",
+  "context": {
+    "PROVIDER": {
+      "LEGAL_NAME": "Muster GmbH"
+    },
+    "FEATURES": {
+      "WHISTLEBLOWER_CONTACT_NAME": "Dr. Maria Compliance",
+      "WHISTLEBLOWER_CONTACT_ROLE": "Compliance-Beauftragte / Meldestellenbeauftragte",
+      "WHISTLEBLOWER_EMAIL": "meldestelle@muster.de",
+      "WHISTLEBLOWER_PHONE": "+49 123 456789",
+      "WHISTLEBLOWER_URL": "https://muster.de/meldestelle",
+      "HAS_ANONYMOUS_REPORTING": true,
+      "HAS_EXTERNAL_REPORTING": true
+    }
+  }
+}

admin-compliance/app/sdk/document-generator/scopeDefaults.ts

@@ -268,3 +268,53 @@ export function getProfileLabel(level: ComplianceDepthLevel): string {
   }
   return labels[level]
 }
+
+/**
+ * Empfiehlt relevante Dokumenttypen basierend auf dem Compliance-Level.
+ * Hilft dem Kunden zu verstehen, welche Dokumente er braucht.
+ */
+export function getRecommendedDocuments(level: ComplianceDepthLevel): {
+  required: string[]
+  recommended: string[]
+  optional: string[]
+} {
+  const always = [
+    'privacy_policy', 'impressum', 'agb', 'cookie_banner', 'cookie_policy',
+  ]
+  const l2plus = [
+    'dpa', 'tom_documentation', 'vvt_register', 'loeschkonzept',
+    'community_guidelines', 'terms_of_use',
+  ]
+  const l3plus = [
+    'it_security_concept', 'data_protection_concept', 'incident_response_plan',
+    'access_control_concept', 'backup_recovery_concept', 'logging_concept',
+    'risk_management_concept', 'pflichtenregister',
+    'password_policy', 'encryption_policy', 'information_security_policy',
+    'access_control_policy', 'whistleblower_policy',
+    'employee_dsi', 'applicant_dsi', 'ai_usage_policy',
+  ]
+  const l4only = [
+    'isms_manual', 'cybersecurity_policy', 'byod_policy',
+    'dsfa', 'social_media_dsi', 'media_content_policy',
+    'video_conference_dsi', 'consent_texts',
+    'data_protection_policy', 'data_classification_policy',
+    'data_retention_policy', 'data_transfer_policy',
+    'privacy_incident_policy', 'employee_security_policy',
+    'security_awareness_policy', 'remote_work_policy',
+    'offboarding_policy', 'vendor_risk_management_policy',
+    'third_party_security_policy', 'supplier_security_policy',
+    'business_continuity_policy', 'disaster_recovery_policy',
+    'crisis_management_policy',
+  ]
+
+  switch (level) {
+    case 'L1':
+      return { required: always, recommended: [], optional: l2plus }
+    case 'L2':
+      return { required: always, recommended: l2plus, optional: l3plus }
+    case 'L3':
+      return { required: [...always, ...l2plus], recommended: l3plus, optional: l4only }
+    case 'L4':
+      return { required: [...always, ...l2plus, ...l3plus], recommended: l4only, optional: [] }
+  }
+}