From 49ce41742861f0501b32b3244ffcadf0339f8bbd Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.fritz.box>
Date: Sat, 14 Mar 2026 21:03:04 +0100
Subject: [PATCH] feat: add compliance modules 2-5 (dashboard, security
 templates, process manager, evidence collector)

Module 2: Extended Compliance Dashboard with roadmap, module-status, next-actions, snapshots, score-history
Module 3: 7 German security document templates (IT-Sicherheitskonzept, Datenschutz, Backup, Logging, Incident-Response, Zugriff, Risikomanagement)
Module 4: Compliance Process Manager with CRUD, complete/skip/seed, ~50 seed tasks, 3-tab UI
Module 5: Evidence Collector Extended with automated checks, control-mapping, coverage report, 4-tab UI

Also includes: canonical control library enhancements (verification method, categories, dedup), control generator improvements, RAG client extensions

52 tests pass, frontend builds clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../app/api/sdk/v1/canonical/route.ts         |    2 +
 .../app/sdk/compliance-hub/page.tsx           |  938 +++++++----
 .../components/ControlDetail.tsx              |   56 +-
 .../components/ControlForm.tsx                |   20 +-
 .../control-library/components/helpers.tsx    |   16 +
 .../app/sdk/control-library/page.tsx          |  126 +-
 .../app/sdk/document-generator/page.tsx       |    1 +
 admin-compliance/app/sdk/evidence/page.tsx    |  425 +++++
 .../app/sdk/process-tasks/page.tsx            | 1383 +++++++++++++++++
 ai-compliance-sdk/cmd/server/main.go          |    1 +
 .../internal/api/handlers/rag_handlers.go     |   45 +
 .../api/handlers/rag_handlers_test.go         |   66 +
 ai-compliance-sdk/internal/ucca/legal_rag.go  |  136 ++
 .../internal/ucca/legal_rag_test.go           |  191 +++
 backend-compliance/compliance/api/__init__.py |    2 +
 .../api/canonical_control_routes.py           |   19 +-
 .../api/control_generator_routes.py           |  103 +-
 .../compliance/api/dashboard_routes.py        |  279 +++-
 .../compliance/api/evidence_check_routes.py   | 1151 ++++++++++++++
 .../compliance/api/legal_template_routes.py   |    8 +
 .../compliance/api/process_task_routes.py     | 1072 +++++++++++++
 .../compliance/services/control_generator.py  |  387 ++++-
 .../compliance/services/rag_client.py         |   50 +
 backend-compliance/main.py                    |    6 +
 .../migrations/048_processing_path_expand.sql |   17 +
 .../migrations/049_target_audience.sql        |    8 +
 .../migrations/050_score_snapshots.sql        |   22 +
 .../migrations/051_security_templates.sql     | 1098 +++++++++++++
 .../migrations/052_process_tasks.sql          |   53 +
 .../migrations/053_evidence_checks.sql        |   62 +
 .../tests/test_dashboard_routes_extended.py   |  209 +++
 .../tests/test_evidence_check_routes.py       |  374 +++++
 .../tests/test_process_task_routes.py         |  525 +++++++
 .../tests/test_security_templates.py          |  175 +++
 .../sdk-modules/canonical-control-library.md  |  137 +-
 35 files changed, 8741 insertions(+), 422 deletions(-)
 create mode 100644 admin-compliance/app/sdk/process-tasks/page.tsx
 create mode 100644 backend-compliance/compliance/api/evidence_check_routes.py
 create mode 100644 backend-compliance/compliance/api/process_task_routes.py
 create mode 100644 backend-compliance/migrations/048_processing_path_expand.sql
 create mode 100644 backend-compliance/migrations/049_target_audience.sql
 create mode 100644 backend-compliance/migrations/050_score_snapshots.sql
 create mode 100644 backend-compliance/migrations/051_security_templates.sql
 create mode 100644 backend-compliance/migrations/052_process_tasks.sql
 create mode 100644 backend-compliance/migrations/053_evidence_checks.sql
 create mode 100644 backend-compliance/tests/test_dashboard_routes_extended.py
 create mode 100644 backend-compliance/tests/test_evidence_check_routes.py
 create mode 100644 backend-compliance/tests/test_process_task_routes.py
 create mode 100644 backend-compliance/tests/test_security_templates.py

diff --git a/admin-compliance/app/api/sdk/v1/canonical/route.ts b/admin-compliance/app/api/sdk/v1/canonical/route.ts
index 83ed5ad..1febef0 100644
--- a/admin-compliance/app/api/sdk/v1/canonical/route.ts
+++ b/admin-compliance/app/api/sdk/v1/canonical/route.ts
@@ -29,11 +29,13 @@ export async function GET(request: NextRequest) {
         const domain = searchParams.get('domain')
         const verificationMethod = searchParams.get('verification_method')
         const categoryFilter = searchParams.get('category')
+        const targetAudience = searchParams.get('target_audience')
         const params = new URLSearchParams()
         if (severity) params.set('severity', severity)
         if (domain) params.set('domain', domain)
         if (verificationMethod) params.set('verification_method', verificationMethod)
         if (categoryFilter) params.set('category', categoryFilter)
+        if (targetAudience) params.set('target_audience', targetAudience)
         const qs = params.toString()
         backendPath = `/api/compliance/v1/canonical/controls${qs ? `?${qs}` : ''}`
         break
diff --git a/admin-compliance/app/sdk/compliance-hub/page.tsx b/admin-compliance/app/sdk/compliance-hub/page.tsx
index c089bd8..28e571c 100644
--- a/admin-compliance/app/sdk/compliance-hub/page.tsx
+++ b/admin-compliance/app/sdk/compliance-hub/page.tsx
@@ -3,12 +3,11 @@
 /**
  * Compliance Hub Page (SDK Version - Zusatzmodul)
  *
- * Central compliance management dashboard with:
- * - Compliance Score Overview
- * - Quick Access to all compliance modules (SDK paths)
- * - Control-Mappings with statistics
- * - Audit Findings
- * - Regulations overview
+ * Central compliance management dashboard with tabs:
+ * - Uebersicht: Score, Stats, Quick Access, Findings
+ * - Roadmap: 4-column Kanban (Quick Wins / Must Have / Should Have / Nice to Have)
+ * - Module: Grid with module cards + progress bars
+ * - Trend: Score history chart
  */
 
 import { useState, useEffect } from 'react'
@@ -53,6 +52,62 @@ interface FindingsData {
   open_minors: number
 }
 
+interface RoadmapItem {
+  id: string
+  control_id: string
+  title: string
+  status: string
+  domain: string
+  owner: string | null
+  next_review_at: string | null
+  days_overdue: number
+  weight: number
+}
+
+interface RoadmapData {
+  buckets: Record<string, RoadmapItem[]>
+  counts: Record<string, number>
+}
+
+interface ModuleInfo {
+  key: string
+  label: string
+  count: number
+  status: string
+  progress: number
+}
+
+interface ModuleStatusData {
+  modules: ModuleInfo[]
+  total: number
+  started: number
+  complete: number
+  overall_progress: number
+}
+
+interface NextAction {
+  id: string
+  control_id: string
+  title: string
+  status: string
+  domain: string
+  owner: string | null
+  days_overdue: number
+  urgency_score: number
+  reason: string
+}
+
+interface ScoreSnapshot {
+  id: string
+  score: number
+  controls_total: number
+  controls_pass: number
+  snapshot_date: string
+  created_at: string
+}
+
+type TabKey = 'overview' | 'roadmap' | 'modules' | 'trend'
+
 const DOMAIN_LABELS: Record<string, string> = {
   gov: 'Governance',
   priv: 'Datenschutz',
@@ -65,44 +120,67 @@ const DOMAIN_LABELS: Record<string, string> = {
   aud: 'Audit',
 }
 
+const BUCKET_LABELS: Record<string, { label: string; color: string; bg: string }> = {
+  quick_wins: { label: 'Quick Wins', color: 'text-green-700', bg: 'bg-green-50 border-green-200' },
+  must_have: { label: 'Must Have', color: 'text-red-700', bg: 'bg-red-50 border-red-200' },
+  should_have: { label: 'Should Have', color: 'text-yellow-700', bg: 'bg-yellow-50 border-yellow-200' },
+  nice_to_have: { label: 'Nice to Have', color: 'text-slate-700', bg: 'bg-slate-50 border-slate-200' },
+}
+
+const MODULE_ICONS: Record<string, string> = {
+  vvt: '📋', tom: '🔒', dsfa: '⚠️', loeschfristen: '🗑️', risks: '🎯',
+  controls: '✅', evidence: '📎', obligations: '📜', incidents: '🚨',
+  vendor: '🤝', legal_templates: '📄', training: '🎓', audit: '🔍',
+  security_backlog: '🛡️', quality: '⭐',
+}
+
 export default function ComplianceHubPage() {
+  const [activeTab, setActiveTab] = useState<TabKey>('overview')
   const [dashboard, setDashboard] = useState<DashboardData | null>(null)
   const [regulations, setRegulations] = useState<Regulation[]>([])
   const [mappings, setMappings] = useState<MappingsData | null>(null)
   const [findings, setFindings] = useState<FindingsData | null>(null)
+  const [roadmap, setRoadmap] = useState<RoadmapData | null>(null)
+  const [moduleStatus, setModuleStatus] = useState<ModuleStatusData | null>(null)
+  const [nextActions, setNextActions] = useState<NextAction[]>([])
+  const [scoreHistory, setScoreHistory] = useState<ScoreSnapshot[]>([])
   const [loading, setLoading] = useState(true)
   const [error, setError] = useState<string | null>(null)
   const [seeding, setSeeding] = useState(false)
+  const [savingSnapshot, setSavingSnapshot] = useState(false)
 
   useEffect(() => {
     loadData()
   }, [])
 
+  useEffect(() => {
+    if (activeTab === 'roadmap' && !roadmap) loadRoadmap()
+    if (activeTab === 'modules' && !moduleStatus) loadModuleStatus()
+    if (activeTab === 'trend' && scoreHistory.length === 0) loadScoreHistory()
+  }, [activeTab]) // eslint-disable-line react-hooks/exhaustive-deps
+
   const loadData = async () => {
     setLoading(true)
     setError(null)
     try {
-      const [dashboardRes, regulationsRes, mappingsRes, findingsRes] = await Promise.all([
+      const [dashboardRes, regulationsRes, mappingsRes, findingsRes, actionsRes] = await Promise.all([
         fetch('/api/sdk/v1/compliance/dashboard'),
         fetch('/api/sdk/v1/compliance/regulations'),
         fetch('/api/sdk/v1/compliance/mappings'),
         fetch('/api/sdk/v1/isms/findings?status=open'),
+        fetch('/api/sdk/v1/compliance/dashboard/next-actions?limit=5'),
       ])
 
-      if (dashboardRes.ok) {
-        setDashboard(await dashboardRes.json())
-      }
+      if (dashboardRes.ok) setDashboard(await dashboardRes.json())
       if (regulationsRes.ok) {
         const data = await regulationsRes.json()
         setRegulations(data.regulations || [])
       }
-      if (mappingsRes.ok) {
-        const data = await mappingsRes.json()
-        setMappings(data)
-      }
-      if (findingsRes.ok) {
-        const data = await findingsRes.json()
-        setFindings(data)
+      if (mappingsRes.ok) setMappings(await mappingsRes.json())
+      if (findingsRes.ok) setFindings(await findingsRes.json())
+      if (actionsRes.ok) {
+        const data = await actionsRes.json()
+        setNextActions(data.actions || [])
       }
     } catch (err) {
       console.error('Failed to load compliance data:', err)
@@ -112,6 +190,41 @@ export default function ComplianceHubPage() {
     }
   }
 
+  const loadRoadmap = async () => {
+    try {
+      const res = await fetch('/api/sdk/v1/compliance/dashboard/roadmap')
+      if (res.ok) setRoadmap(await res.json())
+    } catch { /* silent */ }
+  }
+
+  const loadModuleStatus = async () => {
+    try {
+      const res = await fetch('/api/sdk/v1/compliance/dashboard/module-status')
+      if (res.ok) setModuleStatus(await res.json())
+    } catch { /* silent */ }
+  }
+
+  const loadScoreHistory = async () => {
+    try {
+      const res = await fetch('/api/sdk/v1/compliance/dashboard/score-history?months=12')
+      if (res.ok) {
+        const data = await res.json()
+        setScoreHistory(data.snapshots || [])
+      }
+    } catch { /* silent */ }
+  }
+
+  const saveSnapshot = async () => {
+    setSavingSnapshot(true)
+    try {
+      const res = await fetch('/api/sdk/v1/compliance/dashboard/snapshot', { method: 'POST' })
+      if (res.ok) {
+        loadScoreHistory()
+      }
+    } catch { /* silent */ }
+    finally { setSavingSnapshot(false) }
+  }
+
   const seedDatabase = async () => {
     setSeeding(true)
     try {
@@ -141,14 +254,51 @@ export default function ComplianceHubPage() {
   const scoreColor = score >= 80 ? 'text-green-600' : score >= 60 ? 'text-yellow-600' : 'text-red-600'
   const scoreBgColor = score >= 80 ? 'bg-green-500' : score >= 60 ? 'bg-yellow-500' : 'bg-red-500'
 
+  const tabs: { key: TabKey; label: string }[] = [
+    { key: 'overview', label: 'Uebersicht' },
+    { key: 'roadmap', label: 'Roadmap' },
+    { key: 'modules', label: 'Module' },
+    { key: 'trend', label: 'Trend' },
+  ]
+
   return (
     <div className="space-y-6">
-      {/* Title Card (Zusatzmodul - no StepHeader) */}
+      {/* Title Card */}
       <div className="bg-white rounded-xl shadow-sm border p-6">
-        <h1 className="text-2xl font-bold text-slate-900">Compliance Hub</h1>
-        <p className="text-slate-500 mt-1">
-          Zentrale Verwaltung aller Compliance-Anforderungen nach DSGVO, AI Act, BSI TR-03161 und weiteren Regulierungen.
-        </p>
+        <div className="flex items-center justify-between">
+          <div>
+            <h1 className="text-2xl font-bold text-slate-900">Compliance Hub</h1>
+            <p className="text-slate-500 mt-1">
+              Zentrale Verwaltung aller Compliance-Anforderungen nach DSGVO, AI Act, BSI TR-03161 und weiteren Regulierungen.
+            </p>
+          </div>
+          <button
+            onClick={saveSnapshot}
+            disabled={savingSnapshot}
+            className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 text-sm"
+          >
+            {savingSnapshot ? 'Speichere...' : 'Score-Snapshot speichern'}
+          </button>
+        </div>
+      </div>
+
+      {/* Tabs */}
+      <div className="bg-white rounded-xl shadow-sm border">
+        <div className="flex border-b">
+          {tabs.map(tab => (
+            <button
+              key={tab.key}
+              onClick={() => setActiveTab(tab.key)}
+              className={`px-6 py-3 text-sm font-medium transition-colors ${
+                activeTab === tab.key
+                  ? 'text-purple-600 border-b-2 border-purple-600'
+                  : 'text-slate-500 hover:text-slate-700'
+              }`}
+            >
+              {tab.label}
+            </button>
+          ))}
+        </div>
       </div>
 
       {/* Error Banner */}
@@ -183,332 +333,478 @@ export default function ComplianceHubPage() {
         </div>
       )}
 
-      {/* Quick Actions */}
-      <div className="bg-white rounded-xl shadow-sm border p-6">
-        <h3 className="text-lg font-semibold text-slate-900 mb-4">Schnellzugriff</h3>
-        <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-6 gap-4">
-          <Link
-            href="/sdk/audit-checklist"
-            className="p-4 rounded-lg border border-slate-200 hover:border-purple-500 hover:bg-purple-50 transition-colors text-center"
-          >
-            <div className="text-purple-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Audit Checkliste</p>
-            <p className="text-xs text-slate-500 mt-1">{dashboard?.total_requirements || '...'} Anforderungen</p>
-          </Link>
-
-          <Link
-            href="/sdk/controls"
-            className="p-4 rounded-lg border border-slate-200 hover:border-green-500 hover:bg-green-50 transition-colors text-center"
-          >
-            <div className="text-green-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Controls</p>
-            <p className="text-xs text-slate-500 mt-1">{dashboard?.total_controls || '...'} Massnahmen</p>
-          </Link>
-
-          <Link
-            href="/sdk/evidence"
-            className="p-4 rounded-lg border border-slate-200 hover:border-blue-500 hover:bg-blue-50 transition-colors text-center"
-          >
-            <div className="text-blue-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M7 21h10a2 2 0 002-2V9.414a1 1 0 00-.293-.707l-5.414-5.414A1 1 0 0012.586 3H7a2 2 0 00-2 2v14a2 2 0 002 2z" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Evidence</p>
-            <p className="text-xs text-slate-500 mt-1">Nachweise</p>
-          </Link>
-
-          <Link
-            href="/sdk/risks"
-            className="p-4 rounded-lg border border-slate-200 hover:border-red-500 hover:bg-red-50 transition-colors text-center"
-          >
-            <div className="text-red-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Risk Matrix</p>
-            <p className="text-xs text-slate-500 mt-1">5x5 Risiken</p>
-          </Link>
-
-          <Link
-            href="/sdk/modules"
-            className="p-4 rounded-lg border border-slate-200 hover:border-pink-500 hover:bg-pink-50 transition-colors text-center"
-          >
-            <div className="text-pink-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 11H5m14 0a2 2 0 012 2v6a2 2 0 01-2 2H5a2 2 0 01-2-2v-6a2 2 0 012-2m14 0V9a2 2 0 00-2-2M5 11V9a2 2 0 012-2m0 0V5a2 2 0 012-2h6a2 2 0 012 2v2M7 7h10" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Service Registry</p>
-            <p className="text-xs text-slate-500 mt-1">Module</p>
-          </Link>
-
-          <Link
-            href="/sdk/audit-report"
-            className="p-4 rounded-lg border border-slate-200 hover:border-orange-500 hover:bg-orange-50 transition-colors text-center"
-          >
-            <div className="text-orange-600 mb-2 flex justify-center">
-              <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 17v-2m3 2v-4m3 4v-6m2 10H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-              </svg>
-            </div>
-            <p className="font-medium text-slate-900 text-sm">Audit Report</p>
-            <p className="text-xs text-slate-500 mt-1">PDF Export</p>
-          </Link>
-        </div>
-      </div>
-
       {loading ? (
         <div className="flex items-center justify-center h-64">
           <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-purple-600" />
         </div>
       ) : (
         <>
-          {/* Score and Stats Row */}
-          <div className="grid grid-cols-1 lg:grid-cols-5 gap-4">
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <h3 className="text-sm font-medium text-slate-500 mb-4">Compliance Score</h3>
-              <div className={`text-5xl font-bold ${scoreColor}`}>
-                {score.toFixed(0)}%
+          {/* ============================================================ */}
+          {/* TAB: Uebersicht */}
+          {/* ============================================================ */}
+          {activeTab === 'overview' && (
+            <>
+              {/* Quick Actions */}
+              <div className="bg-white rounded-xl shadow-sm border p-6">
+                <h3 className="text-lg font-semibold text-slate-900 mb-4">Schnellzugriff</h3>
+                <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-6 gap-4">
+                  {[
+                    { href: '/sdk/audit-checklist', icon: 'M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01', label: 'Audit Checkliste', sub: `${dashboard?.total_requirements || '...'} Anforderungen`, color: 'purple' },
+                    { href: '/sdk/controls', icon: 'M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z', label: 'Controls', sub: `${dashboard?.total_controls || '...'} Massnahmen`, color: 'green' },
+                    { href: '/sdk/evidence', icon: 'M7 21h10a2 2 0 002-2V9.414a1 1 0 00-.293-.707l-5.414-5.414A1 1 0 0012.586 3H7a2 2 0 00-2 2v14a2 2 0 002 2z', label: 'Evidence', sub: 'Nachweise', color: 'blue' },
+                    { href: '/sdk/risks', icon: 'M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z', label: 'Risk Matrix', sub: '5x5 Risiken', color: 'red' },
+                    { href: '/sdk/process-tasks', icon: 'M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4', label: 'Prozesse', sub: 'Aufgaben', color: 'indigo' },
+                    { href: '/sdk/audit-report', icon: 'M9 17v-2m3 2v-4m3 4v-6m2 10H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z', label: 'Audit Report', sub: 'PDF Export', color: 'orange' },
+                  ].map(item => (
+                    <Link
+                      key={item.href}
+                      href={item.href}
+                      className={`p-4 rounded-lg border border-slate-200 hover:border-${item.color}-500 hover:bg-${item.color}-50 transition-colors text-center`}
+                    >
+                      <div className={`text-${item.color}-600 mb-2 flex justify-center`}>
+                        <svg className="w-8 h-8" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d={item.icon} />
+                        </svg>
+                      </div>
+                      <p className="font-medium text-slate-900 text-sm">{item.label}</p>
+                      <p className="text-xs text-slate-500 mt-1">{item.sub}</p>
+                    </Link>
+                  ))}
+                </div>
               </div>
-              <div className="mt-4 h-2 bg-slate-200 rounded-full overflow-hidden">
-                <div
-                  className={`h-full transition-all duration-500 ${scoreBgColor}`}
-                  style={{ width: `${score}%` }}
-                />
-              </div>
-              <p className="mt-2 text-sm text-slate-500">
-                {dashboard?.controls_by_status?.pass || 0} von {dashboard?.total_controls || 0} Controls bestanden
-              </p>
-            </div>
 
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between">
-                <div>
-                  <p className="text-sm text-slate-500">Verordnungen</p>
-                  <p className="text-2xl font-bold text-slate-900">{dashboard?.total_regulations || 0}</p>
+              {/* Score and Stats Row */}
+              <div className="grid grid-cols-1 lg:grid-cols-5 gap-4">
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <h3 className="text-sm font-medium text-slate-500 mb-4">Compliance Score</h3>
+                  <div className={`text-5xl font-bold ${scoreColor}`}>
+                    {score.toFixed(0)}%
+                  </div>
+                  <div className="mt-4 h-2 bg-slate-200 rounded-full overflow-hidden">
+                    <div className={`h-full transition-all duration-500 ${scoreBgColor}`} style={{ width: `${score}%` }} />
+                  </div>
+                  <p className="mt-2 text-sm text-slate-500">
+                    {dashboard?.controls_by_status?.pass || 0} von {dashboard?.total_controls || 0} Controls bestanden
+                  </p>
                 </div>
-                <div className="w-10 h-10 bg-blue-100 rounded-lg flex items-center justify-center">
-                  <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
-                  </svg>
-                </div>
-              </div>
-              <p className="mt-2 text-sm text-slate-500">{dashboard?.total_requirements || 0} Anforderungen</p>
-            </div>
 
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between">
-                <div>
-                  <p className="text-sm text-slate-500">Controls</p>
-                  <p className="text-2xl font-bold text-slate-900">{dashboard?.total_controls || 0}</p>
-                </div>
-                <div className="w-10 h-10 bg-green-100 rounded-lg flex items-center justify-center">
-                  <svg className="w-5 h-5 text-green-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-                  </svg>
-                </div>
+                {[
+                  { label: 'Verordnungen', value: dashboard?.total_regulations || 0, sub: `${dashboard?.total_requirements || 0} Anforderungen`, iconColor: 'blue', icon: 'M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z' },
+                  { label: 'Controls', value: dashboard?.total_controls || 0, sub: `${dashboard?.controls_by_status?.pass || 0} bestanden`, iconColor: 'green', icon: 'M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z' },
+                  { label: 'Nachweise', value: dashboard?.total_evidence || 0, sub: `${dashboard?.evidence_by_status?.valid || 0} aktiv`, iconColor: 'purple', icon: 'M7 21h10a2 2 0 002-2V9.414a1 1 0 00-.293-.707l-5.414-5.414A1 1 0 0012.586 3H7a2 2 0 00-2 2v14a2 2 0 002 2z' },
+                  { label: 'Risiken', value: dashboard?.total_risks || 0, sub: `${(dashboard?.risks_by_level?.high || 0) + (dashboard?.risks_by_level?.critical || 0)} kritisch`, iconColor: 'red', icon: 'M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z' },
+                ].map(stat => (
+                  <div key={stat.label} className="bg-white rounded-xl shadow-sm border p-6">
+                    <div className="flex items-center justify-between">
+                      <div>
+                        <p className="text-sm text-slate-500">{stat.label}</p>
+                        <p className="text-2xl font-bold text-slate-900">{stat.value}</p>
+                      </div>
+                      <div className={`w-10 h-10 bg-${stat.iconColor}-100 rounded-lg flex items-center justify-center`}>
+                        <svg className={`w-5 h-5 text-${stat.iconColor}-600`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d={stat.icon} />
+                        </svg>
+                      </div>
+                    </div>
+                    <p className="mt-2 text-sm text-slate-500">{stat.sub}</p>
+                  </div>
+                ))}
               </div>
-              <p className="mt-2 text-sm text-slate-500">{dashboard?.controls_by_status?.pass || 0} bestanden</p>
-            </div>
 
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between">
-                <div>
-                  <p className="text-sm text-slate-500">Nachweise</p>
-                  <p className="text-2xl font-bold text-slate-900">{dashboard?.total_evidence || 0}</p>
+              {/* Next Actions + Findings */}
+              <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
+                {/* Next Actions */}
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <h3 className="text-lg font-semibold text-slate-900 mb-4">Naechste Aktionen</h3>
+                  {nextActions.length === 0 ? (
+                    <p className="text-sm text-slate-500">Keine offenen Aktionen.</p>
+                  ) : (
+                    <div className="space-y-3">
+                      {nextActions.map(action => (
+                        <div key={action.id} className="flex items-center gap-3 p-3 rounded-lg bg-slate-50">
+                          <div className={`w-2 h-2 rounded-full flex-shrink-0 ${
+                            action.days_overdue > 0 ? 'bg-red-500' : 'bg-yellow-500'
+                          }`} />
+                          <div className="flex-1 min-w-0">
+                            <p className="text-sm font-medium text-slate-900 truncate">{action.title}</p>
+                            <p className="text-xs text-slate-500">
+                              {action.control_id} · {DOMAIN_LABELS[action.domain] || action.domain}
+                              {action.days_overdue > 0 && <span className="text-red-600 ml-2">{action.days_overdue}d ueberfaellig</span>}
+                            </p>
+                          </div>
+                          <span className={`px-2 py-0.5 text-xs rounded-full ${
+                            action.status === 'partial' ? 'bg-yellow-100 text-yellow-700' : 'bg-slate-100 text-slate-600'
+                          }`}>
+                            {action.status}
+                          </span>
+                        </div>
+                      ))}
+                    </div>
+                  )}
                 </div>
-                <div className="w-10 h-10 bg-purple-100 rounded-lg flex items-center justify-center">
-                  <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M7 21h10a2 2 0 002-2V9.414a1 1 0 00-.293-.707l-5.414-5.414A1 1 0 0012.586 3H7a2 2 0 00-2 2v14a2 2 0 002 2z" />
-                  </svg>
-                </div>
-              </div>
-              <p className="mt-2 text-sm text-slate-500">{dashboard?.evidence_by_status?.valid || 0} aktiv</p>
-            </div>
 
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between">
-                <div>
-                  <p className="text-sm text-slate-500">Risiken</p>
-                  <p className="text-2xl font-bold text-slate-900">{dashboard?.total_risks || 0}</p>
-                </div>
-                <div className="w-10 h-10 bg-red-100 rounded-lg flex items-center justify-center">
-                  <svg className="w-5 h-5 text-red-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
-                  </svg>
-                </div>
-              </div>
-              <p className="mt-2 text-sm text-slate-500">
-                {(dashboard?.risks_by_level?.high || 0) + (dashboard?.risks_by_level?.critical || 0)} kritisch
-              </p>
-            </div>
-          </div>
-
-          {/* Control-Mappings & Findings Row */}
-          <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
-            <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between mb-4">
-                <h3 className="text-lg font-semibold text-slate-900">Control-Mappings</h3>
-                <Link href="/sdk/controls" className="text-sm text-purple-600 hover:text-purple-700">
-                  Alle anzeigen →
-                </Link>
-              </div>
-              <div className="flex items-center gap-6 mb-4">
-                <div>
-                  <p className="text-4xl font-bold text-purple-600">{mappings?.total || 0}</p>
-                  <p className="text-sm text-slate-500">Mappings gesamt</p>
-                </div>
-                <div className="flex-1 h-16 bg-slate-50 rounded-lg p-3">
-                  <p className="text-xs text-slate-500 mb-1">Nach Verordnung</p>
-                  <div className="flex gap-1 flex-wrap">
-                    {mappings?.by_regulation && Object.entries(mappings.by_regulation).slice(0, 5).map(([reg, count]) => (
-                      <span key={reg} className="px-2 py-0.5 bg-purple-100 text-purple-700 rounded text-xs">
-                        {reg}: {count}
+                {/* Audit Findings */}
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <div className="flex items-center justify-between mb-4">
+                    <h3 className="text-lg font-semibold text-slate-900">Audit Findings</h3>
+                    <Link href="/sdk/audit-checklist" className="text-sm text-purple-600 hover:text-purple-700">
+                      Audit Checkliste →
+                    </Link>
+                  </div>
+                  <div className="grid grid-cols-2 gap-4 mb-4">
+                    <div className="p-4 bg-red-50 border border-red-200 rounded-lg">
+                      <div className="flex items-center gap-2 mb-1">
+                        <div className="w-3 h-3 bg-red-500 rounded-full" />
+                        <span className="text-sm font-medium text-red-800">Hauptabweichungen</span>
+                      </div>
+                      <p className="text-3xl font-bold text-red-600">{findings?.open_majors || 0}</p>
+                      <p className="text-xs text-red-600">offen (blockiert Zertifizierung)</p>
+                    </div>
+                    <div className="p-4 bg-yellow-50 border border-yellow-200 rounded-lg">
+                      <div className="flex items-center gap-2 mb-1">
+                        <div className="w-3 h-3 bg-yellow-500 rounded-full" />
+                        <span className="text-sm font-medium text-yellow-800">Nebenabweichungen</span>
+                      </div>
+                      <p className="text-3xl font-bold text-yellow-600">{findings?.open_minors || 0}</p>
+                      <p className="text-xs text-yellow-600">offen (erfordert CAPA)</p>
+                    </div>
+                  </div>
+                  <div className="flex items-center justify-between text-sm">
+                    <span className="text-slate-500">
+                      Gesamt: {findings?.total || 0} Findings ({findings?.major_count || 0} Major, {findings?.minor_count || 0} Minor, {findings?.ofi_count || 0} OFI)
+                    </span>
+                    {(findings?.open_majors || 0) === 0 ? (
+                      <span className="px-2 py-1 bg-green-100 text-green-700 rounded-full text-xs font-medium">
+                        Zertifizierung moeglich
+                      </span>
+                    ) : (
+                      <span className="px-2 py-1 bg-red-100 text-red-700 rounded-full text-xs font-medium">
+                        Zertifizierung blockiert
                       </span>
-                    ))}
-                    {!mappings?.by_regulation && (
-                      <span className="px-2 py-0.5 bg-slate-100 text-slate-500 rounded text-xs">Keine Mappings vorhanden</span>
                     )}
                   </div>
                 </div>
               </div>
-              <p className="text-sm text-slate-600">
-                Automatisch generierte Verknuepfungen zwischen {dashboard?.total_controls || 0} Controls
-                und {dashboard?.total_requirements || 0} Anforderungen aus {dashboard?.total_regulations || 0} Verordnungen.
-              </p>
-            </div>
 
+              {/* Control-Mappings & Domain Chart */}
+              <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <div className="flex items-center justify-between mb-4">
+                    <h3 className="text-lg font-semibold text-slate-900">Control-Mappings</h3>
+                    <Link href="/sdk/controls" className="text-sm text-purple-600 hover:text-purple-700">
+                      Alle anzeigen →
+                    </Link>
+                  </div>
+                  <div className="flex items-center gap-6 mb-4">
+                    <div>
+                      <p className="text-4xl font-bold text-purple-600">{mappings?.total || 0}</p>
+                      <p className="text-sm text-slate-500">Mappings gesamt</p>
+                    </div>
+                    <div className="flex-1 h-16 bg-slate-50 rounded-lg p-3">
+                      <p className="text-xs text-slate-500 mb-1">Nach Verordnung</p>
+                      <div className="flex gap-1 flex-wrap">
+                        {mappings?.by_regulation && Object.entries(mappings.by_regulation).slice(0, 5).map(([reg, count]) => (
+                          <span key={reg} className="px-2 py-0.5 bg-purple-100 text-purple-700 rounded text-xs">
+                            {reg}: {count}
+                          </span>
+                        ))}
+                        {!mappings?.by_regulation && (
+                          <span className="px-2 py-0.5 bg-slate-100 text-slate-500 rounded text-xs">Keine Mappings vorhanden</span>
+                        )}
+                      </div>
+                    </div>
+                  </div>
+                </div>
+
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <h3 className="text-lg font-semibold text-slate-900 mb-4">Controls nach Domain</h3>
+                  <div className="space-y-2">
+                    {Object.entries(dashboard?.controls_by_domain || {}).slice(0, 6).map(([domain, stats]) => {
+                      const total = stats.total || 0
+                      const pass = stats.pass || 0
+                      const partial = stats.partial || 0
+                      const passPercent = total > 0 ? ((pass + partial * 0.5) / total) * 100 : 0
+
+                      return (
+                        <div key={domain} className="flex items-center gap-3">
+                          <span className="text-xs font-medium text-slate-600 w-24 truncate">
+                            {DOMAIN_LABELS[domain] || domain}
+                          </span>
+                          <div className="flex-1 h-2 bg-slate-200 rounded-full overflow-hidden flex">
+                            <div className="bg-green-500 h-full" style={{ width: `${(pass / (total || 1)) * 100}%` }} />
+                            <div className="bg-yellow-500 h-full" style={{ width: `${(partial / (total || 1)) * 100}%` }} />
+                          </div>
+                          <span className="text-xs text-slate-500 w-16 text-right">{passPercent.toFixed(0)}%</span>
+                        </div>
+                      )
+                    })}
+                  </div>
+                </div>
+              </div>
+
+              {/* Regulations Table */}
+              <div className="bg-white rounded-xl shadow-sm border overflow-hidden">
+                <div className="p-4 border-b flex items-center justify-between">
+                  <h3 className="text-lg font-semibold text-slate-900">Verordnungen & Standards ({regulations.length})</h3>
+                  <button onClick={loadData} className="text-sm text-purple-600 hover:text-purple-700">
+                    Aktualisieren
+                  </button>
+                </div>
+                <div className="overflow-x-auto">
+                  <table className="w-full">
+                    <thead className="bg-slate-50">
+                      <tr>
+                        <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Code</th>
+                        <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Name</th>
+                        <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Typ</th>
+                        <th className="px-4 py-3 text-center text-xs font-medium text-slate-500 uppercase">Anforderungen</th>
+                      </tr>
+                    </thead>
+                    <tbody className="divide-y divide-slate-200">
+                      {regulations.slice(0, 15).map((reg) => (
+                        <tr key={reg.id} className="hover:bg-slate-50">
+                          <td className="px-4 py-3">
+                            <span className="font-mono font-medium text-purple-600">{reg.code}</span>
+                          </td>
+                          <td className="px-4 py-3">
+                            <p className="font-medium text-slate-900">{reg.name}</p>
+                          </td>
+                          <td className="px-4 py-3">
+                            <span className={`px-2 py-1 text-xs rounded-full ${
+                              reg.regulation_type === 'eu_regulation' ? 'bg-blue-100 text-blue-700' :
+                              reg.regulation_type === 'eu_directive' ? 'bg-purple-100 text-purple-700' :
+                              reg.regulation_type === 'bsi_standard' ? 'bg-green-100 text-green-700' :
+                              'bg-slate-100 text-slate-700'
+                            }`}>
+                              {reg.regulation_type === 'eu_regulation' ? 'EU-VO' :
+                               reg.regulation_type === 'eu_directive' ? 'EU-RL' :
+                               reg.regulation_type === 'bsi_standard' ? 'BSI' :
+                               reg.regulation_type === 'de_law' ? 'DE' : reg.regulation_type}
+                            </span>
+                          </td>
+                          <td className="px-4 py-3 text-center">
+                            <span className="font-medium">{reg.requirement_count}</span>
+                          </td>
+                        </tr>
+                      ))}
+                    </tbody>
+                  </table>
+                </div>
+              </div>
+            </>
+          )}
+
+          {/* ============================================================ */}
+          {/* TAB: Roadmap */}
+          {/* ============================================================ */}
+          {activeTab === 'roadmap' && (
+            <div>
+              {!roadmap ? (
+                <div className="flex items-center justify-center h-48">
+                  <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+                </div>
+              ) : (
+                <div className="grid grid-cols-1 md:grid-cols-2 xl:grid-cols-4 gap-4">
+                  {(['quick_wins', 'must_have', 'should_have', 'nice_to_have'] as const).map(bucketKey => {
+                    const meta = BUCKET_LABELS[bucketKey]
+                    const items = roadmap.buckets[bucketKey] || []
+
+                    return (
+                      <div key={bucketKey} className={`rounded-xl border p-4 ${meta.bg}`}>
+                        <div className="flex items-center justify-between mb-3">
+                          <h3 className={`font-semibold ${meta.color}`}>{meta.label}</h3>
+                          <span className={`text-xs font-medium px-2 py-0.5 rounded-full bg-white ${meta.color}`}>
+                            {items.length}
+                          </span>
+                        </div>
+                        <div className="space-y-2 max-h-96 overflow-y-auto">
+                          {items.length === 0 ? (
+                            <p className="text-sm text-slate-400 text-center py-4">Keine Eintraege</p>
+                          ) : (
+                            items.map(item => (
+                              <div key={item.id} className="bg-white rounded-lg p-3 shadow-sm">
+                                <p className="text-sm font-medium text-slate-900 truncate">{item.title}</p>
+                                <div className="mt-1 flex items-center gap-2 text-xs text-slate-500">
+                                  <span className="font-mono">{item.control_id}</span>
+                                  <span>·</span>
+                                  <span>{DOMAIN_LABELS[item.domain] || item.domain}</span>
+                                </div>
+                                {item.days_overdue > 0 && (
+                                  <p className="mt-1 text-xs text-red-600">{item.days_overdue}d ueberfaellig</p>
+                                )}
+                                {item.owner && (
+                                  <p className="mt-1 text-xs text-slate-400">{item.owner}</p>
+                                )}
+                              </div>
+                            ))
+                          )}
+                        </div>
+                      </div>
+                    )
+                  })}
+                </div>
+              )}
+            </div>
+          )}
+
+          {/* ============================================================ */}
+          {/* TAB: Module */}
+          {/* ============================================================ */}
+          {activeTab === 'modules' && (
+            <div>
+              {!moduleStatus ? (
+                <div className="flex items-center justify-center h-48">
+                  <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+                </div>
+              ) : (
+                <>
+                  {/* Summary */}
+                  <div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-6">
+                    <div className="bg-white rounded-xl shadow-sm border p-6 text-center">
+                      <p className="text-sm text-slate-500">Gesamt-Fortschritt</p>
+                      <p className="text-3xl font-bold text-purple-600">{moduleStatus.overall_progress.toFixed(0)}%</p>
+                    </div>
+                    <div className="bg-white rounded-xl shadow-sm border p-6 text-center">
+                      <p className="text-sm text-slate-500">Module gestartet</p>
+                      <p className="text-3xl font-bold text-blue-600">{moduleStatus.started}/{moduleStatus.total}</p>
+                    </div>
+                    <div className="bg-white rounded-xl shadow-sm border p-6 text-center">
+                      <p className="text-sm text-slate-500">Module abgeschlossen</p>
+                      <p className="text-3xl font-bold text-green-600">{moduleStatus.complete}/{moduleStatus.total}</p>
+                    </div>
+                  </div>
+
+                  {/* Module Grid */}
+                  <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                    {moduleStatus.modules.map(mod => (
+                      <div key={mod.key} className="bg-white rounded-xl shadow-sm border p-5">
+                        <div className="flex items-center gap-3 mb-3">
+                          <span className="text-2xl">{MODULE_ICONS[mod.key] || '📦'}</span>
+                          <div>
+                            <h4 className="font-medium text-slate-900">{mod.label}</h4>
+                            <p className="text-xs text-slate-500">{mod.count} Eintraege</p>
+                          </div>
+                          <span className={`ml-auto px-2 py-0.5 text-xs rounded-full font-medium ${
+                            mod.status === 'complete' ? 'bg-green-100 text-green-700' :
+                            mod.status === 'in_progress' ? 'bg-yellow-100 text-yellow-700' :
+                            'bg-slate-100 text-slate-500'
+                          }`}>
+                            {mod.status === 'complete' ? 'Fertig' :
+                             mod.status === 'in_progress' ? 'In Arbeit' : 'Offen'}
+                          </span>
+                        </div>
+                        <div className="h-2 bg-slate-200 rounded-full overflow-hidden">
+                          <div
+                            className={`h-full transition-all duration-500 ${
+                              mod.status === 'complete' ? 'bg-green-500' :
+                              mod.status === 'in_progress' ? 'bg-yellow-500' : 'bg-slate-300'
+                            }`}
+                            style={{ width: `${mod.progress}%` }}
+                          />
+                        </div>
+                      </div>
+                    ))}
+                  </div>
+                </>
+              )}
+            </div>
+          )}
+
+          {/* ============================================================ */}
+          {/* TAB: Trend */}
+          {/* ============================================================ */}
+          {activeTab === 'trend' && (
             <div className="bg-white rounded-xl shadow-sm border p-6">
-              <div className="flex items-center justify-between mb-4">
-                <h3 className="text-lg font-semibold text-slate-900">Audit Findings</h3>
-                <Link href="/sdk/audit-checklist" className="text-sm text-purple-600 hover:text-purple-700">
-                  Audit Checkliste →
-                </Link>
+              <div className="flex items-center justify-between mb-6">
+                <h3 className="text-lg font-semibold text-slate-900">Score-Verlauf</h3>
+                <button
+                  onClick={saveSnapshot}
+                  disabled={savingSnapshot}
+                  className="px-3 py-1.5 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50"
+                >
+                  {savingSnapshot ? 'Speichere...' : 'Aktuellen Score speichern'}
+                </button>
               </div>
-              <div className="grid grid-cols-2 gap-4 mb-4">
-                <div className="p-4 bg-red-50 border border-red-200 rounded-lg">
-                  <div className="flex items-center gap-2 mb-1">
-                    <div className="w-3 h-3 bg-red-500 rounded-full" />
-                    <span className="text-sm font-medium text-red-800">Hauptabweichungen</span>
-                  </div>
-                  <p className="text-3xl font-bold text-red-600">{findings?.open_majors || 0}</p>
-                  <p className="text-xs text-red-600">offen (blockiert Zertifizierung)</p>
-                </div>
-                <div className="p-4 bg-yellow-50 border border-yellow-200 rounded-lg">
-                  <div className="flex items-center gap-2 mb-1">
-                    <div className="w-3 h-3 bg-yellow-500 rounded-full" />
-                    <span className="text-sm font-medium text-yellow-800">Nebenabweichungen</span>
-                  </div>
-                  <p className="text-3xl font-bold text-yellow-600">{findings?.open_minors || 0}</p>
-                  <p className="text-xs text-yellow-600">offen (erfordert CAPA)</p>
-                </div>
-              </div>
-              <div className="flex items-center justify-between text-sm">
-                <span className="text-slate-500">
-                  Gesamt: {findings?.total || 0} Findings ({findings?.major_count || 0} Major, {findings?.minor_count || 0} Minor, {findings?.ofi_count || 0} OFI)
-                </span>
-                {(findings?.open_majors || 0) === 0 ? (
-                  <span className="px-2 py-1 bg-green-100 text-green-700 rounded-full text-xs font-medium">
-                    Zertifizierung moeglich
-                  </span>
-                ) : (
-                  <span className="px-2 py-1 bg-red-100 text-red-700 rounded-full text-xs font-medium">
-                    Zertifizierung blockiert
-                  </span>
-                )}
-              </div>
-            </div>
-          </div>
 
-          {/* Domain Chart */}
-          <div className="bg-white rounded-xl shadow-sm border p-6">
-            <h3 className="text-lg font-semibold text-slate-900 mb-4">Controls nach Domain</h3>
-            <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-              {Object.entries(dashboard?.controls_by_domain || {}).map(([domain, stats]) => {
-                const total = stats.total || 0
-                const pass = stats.pass || 0
-                const partial = stats.partial || 0
-                const passPercent = total > 0 ? ((pass + partial * 0.5) / total) * 100 : 0
-
-                return (
-                  <div key={domain} className="p-3 rounded-lg bg-slate-50">
-                    <div className="flex justify-between text-sm mb-1">
-                      <span className="font-medium text-slate-700">
-                        {DOMAIN_LABELS[domain] || domain.toUpperCase()}
-                      </span>
-                      <span className="text-slate-500">
-                        {pass}/{total} ({passPercent.toFixed(0)}%)
-                      </span>
-                    </div>
-                    <div className="h-2 bg-slate-200 rounded-full overflow-hidden flex">
-                      <div className="bg-green-500 h-full" style={{ width: `${(pass / total) * 100}%` }} />
-                      <div className="bg-yellow-500 h-full" style={{ width: `${(partial / total) * 100}%` }} />
+              {scoreHistory.length === 0 ? (
+                <div className="text-center py-12">
+                  <p className="text-slate-500">Noch keine Score-Snapshots vorhanden.</p>
+                  <p className="text-sm text-slate-400 mt-1">Klicken Sie auf "Aktuellen Score speichern", um den ersten Datenpunkt zu erstellen.</p>
+                </div>
+              ) : (
+                <>
+                  {/* Simple SVG Line Chart */}
+                  <div className="relative h-64 mb-6">
+                    <svg className="w-full h-full" viewBox="0 0 800 200" preserveAspectRatio="none">
+                      {/* Grid lines */}
+                      {[0, 25, 50, 75, 100].map(pct => (
+                        <line key={pct} x1="0" y1={200 - pct * 2} x2="800" y2={200 - pct * 2}
+                          stroke="#e2e8f0" strokeWidth="1" />
+                      ))}
+                      {/* Score line */}
+                      <polyline
+                        fill="none"
+                        stroke="#9333ea"
+                        strokeWidth="3"
+                        strokeLinejoin="round"
+                        points={scoreHistory.map((s, i) => {
+                          const x = scoreHistory.length === 1 ? 400 : (i / (scoreHistory.length - 1)) * 780 + 10
+                          const y = 200 - (s.score / 100) * 200
+                          return `${x},${y}`
+                        }).join(' ')}
+                      />
+                      {/* Points */}
+                      {scoreHistory.map((s, i) => {
+                        const x = scoreHistory.length === 1 ? 400 : (i / (scoreHistory.length - 1)) * 780 + 10
+                        const y = 200 - (s.score / 100) * 200
+                        return (
+                          <circle key={i} cx={x} cy={y} r="5" fill="#9333ea" stroke="white" strokeWidth="2" />
+                        )
+                      })}
+                    </svg>
+                    {/* Y-axis labels */}
+                    <div className="absolute left-0 top-0 h-full flex flex-col justify-between text-xs text-slate-400 -ml-2">
+                      <span>100%</span>
+                      <span>75%</span>
+                      <span>50%</span>
+                      <span>25%</span>
+                      <span>0%</span>
                     </div>
                   </div>
-                )
-              })}
-            </div>
-          </div>
 
-          {/* Regulations Table */}
-          <div className="bg-white rounded-xl shadow-sm border overflow-hidden">
-            <div className="p-4 border-b flex items-center justify-between">
-              <h3 className="text-lg font-semibold text-slate-900">Verordnungen & Standards ({regulations.length})</h3>
-              <button onClick={loadData} className="text-sm text-purple-600 hover:text-purple-700">
-                Aktualisieren
-              </button>
+                  {/* Snapshot Table */}
+                  <div className="overflow-x-auto">
+                    <table className="w-full text-sm">
+                      <thead className="bg-slate-50">
+                        <tr>
+                          <th className="px-4 py-2 text-left text-xs font-medium text-slate-500 uppercase">Datum</th>
+                          <th className="px-4 py-2 text-center text-xs font-medium text-slate-500 uppercase">Score</th>
+                          <th className="px-4 py-2 text-center text-xs font-medium text-slate-500 uppercase">Controls</th>
+                          <th className="px-4 py-2 text-center text-xs font-medium text-slate-500 uppercase">Bestanden</th>
+                        </tr>
+                      </thead>
+                      <tbody className="divide-y divide-slate-200">
+                        {scoreHistory.slice().reverse().map(snap => (
+                          <tr key={snap.id} className="hover:bg-slate-50">
+                            <td className="px-4 py-2 text-slate-700">{new Date(snap.snapshot_date).toLocaleDateString('de-DE')}</td>
+                            <td className="px-4 py-2 text-center">
+                              <span className={`font-bold ${
+                                snap.score >= 80 ? 'text-green-600' : snap.score >= 60 ? 'text-yellow-600' : 'text-red-600'
+                              }`}>
+                                {typeof snap.score === 'number' ? snap.score.toFixed(1) : snap.score}%
+                              </span>
+                            </td>
+                            <td className="px-4 py-2 text-center text-slate-600">{snap.controls_total}</td>
+                            <td className="px-4 py-2 text-center text-slate-600">{snap.controls_pass}</td>
+                          </tr>
+                        ))}
+                      </tbody>
+                    </table>
+                  </div>
+                </>
+              )}
             </div>
-            <div className="overflow-x-auto">
-              <table className="w-full">
-                <thead className="bg-slate-50">
-                  <tr>
-                    <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Code</th>
-                    <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Name</th>
-                    <th className="px-4 py-3 text-left text-xs font-medium text-slate-500 uppercase">Typ</th>
-                    <th className="px-4 py-3 text-center text-xs font-medium text-slate-500 uppercase">Anforderungen</th>
-                  </tr>
-                </thead>
-                <tbody className="divide-y divide-slate-200">
-                  {regulations.slice(0, 15).map((reg) => (
-                    <tr key={reg.id} className="hover:bg-slate-50">
-                      <td className="px-4 py-3">
-                        <span className="font-mono font-medium text-purple-600">{reg.code}</span>
-                      </td>
-                      <td className="px-4 py-3">
-                        <p className="font-medium text-slate-900">{reg.name}</p>
-                      </td>
-                      <td className="px-4 py-3">
-                        <span className={`px-2 py-1 text-xs rounded-full ${
-                          reg.regulation_type === 'eu_regulation' ? 'bg-blue-100 text-blue-700' :
-                          reg.regulation_type === 'eu_directive' ? 'bg-purple-100 text-purple-700' :
-                          reg.regulation_type === 'bsi_standard' ? 'bg-green-100 text-green-700' :
-                          'bg-slate-100 text-slate-700'
-                        }`}>
-                          {reg.regulation_type === 'eu_regulation' ? 'EU-VO' :
-                           reg.regulation_type === 'eu_directive' ? 'EU-RL' :
-                           reg.regulation_type === 'bsi_standard' ? 'BSI' :
-                           reg.regulation_type === 'de_law' ? 'DE' : reg.regulation_type}
-                        </span>
-                      </td>
-                      <td className="px-4 py-3 text-center">
-                        <span className="font-medium">{reg.requirement_count}</span>
-                      </td>
-                    </tr>
-                  ))}
-                </tbody>
-              </table>
-            </div>
-          </div>
+          )}
         </>
       )}
     </div>
diff --git a/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx b/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx
index 2f8518b..58d0b51 100644
--- a/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx
+++ b/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx
@@ -8,7 +8,7 @@ import {
 } from 'lucide-react'
 import {
   CanonicalControl, EFFORT_LABELS, BACKEND_URL,
-  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge,
+  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, TargetAudienceBadge,
   VERIFICATION_METHODS, CATEGORY_OPTIONS,
 } from './helpers'
 
@@ -124,6 +124,7 @@ export function ControlDetail({
               <LicenseRuleBadge rule={ctrl.license_rule} />
               <VerificationMethodBadge method={ctrl.verification_method} />
               <CategoryBadge category={ctrl.category} />
+              <TargetAudienceBadge audience={ctrl.target_audience} />
             </div>
             <h2 className="text-lg font-semibold text-gray-900 mt-1">{ctrl.title}</h2>
           </div>
@@ -163,22 +164,46 @@ export function ControlDetail({
           <p className="text-sm text-gray-700 leading-relaxed">{ctrl.rationale}</p>
         </section>
 
-        {/* Source Info (Rule 1 + 2) */}
+        {/* Gesetzliche Grundlage (Rule 1 + 2) */}
         {ctrl.source_citation && (
           <section className="bg-blue-50 border border-blue-200 rounded-lg p-4">
-            <div className="flex items-center gap-2 mb-2">
+            <div className="flex items-center gap-2 mb-3">
               <Scale className="w-4 h-4 text-blue-600" />
-              <h3 className="text-sm font-semibold text-blue-900">Quellenangabe</h3>
+              <h3 className="text-sm font-semibold text-blue-900">Gesetzliche Grundlage</h3>
+              {ctrl.license_rule === 1 && (
+                <span className="text-xs bg-blue-100 text-blue-700 px-2 py-0.5 rounded-full">Direkte gesetzliche Pflicht</span>
+              )}
+              {ctrl.license_rule === 2 && (
+                <span className="text-xs bg-teal-100 text-teal-700 px-2 py-0.5 rounded-full">Standard mit Zitationspflicht</span>
+              )}
             </div>
-            <div className="text-xs text-blue-700 space-y-1">
-              {Object.entries(ctrl.source_citation).map(([k, v]) => (
-                <p key={k}><span className="font-medium">{k}:</span> {v}</p>
-              ))}
+            <div className="flex items-start gap-3">
+              <div className="flex-1">
+                {ctrl.source_citation.source && (
+                  <p className="text-sm font-medium text-blue-900 mb-1">{ctrl.source_citation.source}</p>
+                )}
+                {ctrl.source_citation.license && (
+                  <p className="text-xs text-blue-600">Lizenz: {ctrl.source_citation.license}</p>
+                )}
+                {ctrl.source_citation.license_notice && (
+                  <p className="text-xs text-blue-600 mt-0.5">{ctrl.source_citation.license_notice}</p>
+                )}
+              </div>
+              {ctrl.source_citation.url && (
+                <a
+                  href={ctrl.source_citation.url}
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="flex items-center gap-1 text-xs text-blue-600 hover:text-blue-800 whitespace-nowrap"
+                >
+                  <ExternalLink className="w-3.5 h-3.5" />Quelle
+                </a>
+              )}
             </div>
             {ctrl.source_original_text && (
               <details className="mt-3">
                 <summary className="text-xs text-blue-600 cursor-pointer hover:text-blue-800">Originaltext anzeigen</summary>
-                <p className="text-xs text-gray-600 mt-2 p-2 bg-white rounded border border-blue-100 leading-relaxed max-h-40 overflow-y-auto">
+                <p className="text-xs text-gray-600 mt-2 p-2 bg-white rounded border border-blue-100 leading-relaxed max-h-40 overflow-y-auto whitespace-pre-wrap">
                   {ctrl.source_original_text}
                 </p>
               </details>
@@ -186,6 +211,19 @@ export function ControlDetail({
           </section>
         )}
 
+        {/* Impliziter Gesetzesbezug (Rule 3 — kein Originaltext, aber ggf. Gesetzesbezug ueber Anchors) */}
+        {!ctrl.source_citation && ctrl.open_anchors.length > 0 && (
+          <section className="bg-amber-50 border border-amber-200 rounded-lg p-3">
+            <div className="flex items-center gap-2">
+              <Scale className="w-4 h-4 text-amber-600" />
+              <p className="text-xs text-amber-700">
+                Dieser Control setzt implizit gesetzliche Anforderungen um (z.B. DSGVO Art. 32, NIS2 Art. 21).
+                Die konkreten Massnahmen leiten sich aus den Open-Source-Referenzen unten ab.
+              </p>
+            </div>
+          </section>
+        )}
+
         {/* Scope */}
         {(ctrl.scope.platforms?.length || ctrl.scope.components?.length || ctrl.scope.data_classes?.length) ? (
           <section>
diff --git a/admin-compliance/app/sdk/control-library/components/ControlForm.tsx b/admin-compliance/app/sdk/control-library/components/ControlForm.tsx
index 95218c5..4e8a664 100644
--- a/admin-compliance/app/sdk/control-library/components/ControlForm.tsx
+++ b/admin-compliance/app/sdk/control-library/components/ControlForm.tsx
@@ -2,7 +2,7 @@
 
 import { useState } from 'react'
 import { BookOpen, Trash2, Save, X } from 'lucide-react'
-import { EMPTY_CONTROL, VERIFICATION_METHODS, CATEGORY_OPTIONS } from './helpers'
+import { EMPTY_CONTROL, VERIFICATION_METHODS, CATEGORY_OPTIONS, TARGET_AUDIENCE_OPTIONS } from './helpers'
 
 export function ControlForm({
   initial,
@@ -268,8 +268,8 @@ export function ControlForm({
         </div>
       </div>
 
-      {/* Verification Method & Category */}
-      <div className="grid grid-cols-2 gap-4">
+      {/* Verification Method, Category & Target Audience */}
+      <div className="grid grid-cols-3 gap-4">
         <div>
           <label className="block text-xs font-medium text-gray-600 mb-1">Nachweismethode</label>
           <select
@@ -297,6 +297,20 @@ export function ControlForm({
             ))}
           </select>
         </div>
+        <div>
+          <label className="block text-xs font-medium text-gray-600 mb-1">Zielgruppe</label>
+          <select
+            value={form.target_audience || ''}
+            onChange={e => setForm({ ...form, target_audience: e.target.value || null })}
+            className="w-full px-3 py-2 text-sm border border-gray-300 rounded-lg"
+          >
+            <option value="">— Nicht zugewiesen —</option>
+            {Object.entries(TARGET_AUDIENCE_OPTIONS).map(([k, v]) => (
+              <option key={k} value={k}>{v.label}</option>
+            ))}
+          </select>
+          <p className="text-xs text-gray-400 mt-1">Fuer wen ist dieses Control relevant?</p>
+        </div>
       </div>
     </div>
   )
diff --git a/admin-compliance/app/sdk/control-library/components/helpers.tsx b/admin-compliance/app/sdk/control-library/components/helpers.tsx
index bf765d0..c0d9d37 100644
--- a/admin-compliance/app/sdk/control-library/components/helpers.tsx
+++ b/admin-compliance/app/sdk/control-library/components/helpers.tsx
@@ -44,6 +44,7 @@ export interface CanonicalControl {
   customer_visible?: boolean
   verification_method: string | null
   category: string | null
+  target_audience: string | null
   generation_metadata?: Record<string, unknown> | null
   created_at: string
   updated_at: string
@@ -96,6 +97,7 @@ export const EMPTY_CONTROL = {
   tags: [] as string[],
   verification_method: null as string | null,
   category: null as string | null,
+  target_audience: null as string | null,
 }
 
 export const DOMAIN_OPTIONS = [
@@ -138,6 +140,13 @@ export const CATEGORY_OPTIONS = [
   { value: 'identity', label: 'Identitaetsmanagement' },
 ]
 
+export const TARGET_AUDIENCE_OPTIONS: Record<string, { bg: string; label: string }> = {
+  enterprise: { bg: 'bg-cyan-100 text-cyan-700', label: 'Unternehmen' },
+  authority: { bg: 'bg-rose-100 text-rose-700', label: 'Behoerden' },
+  provider: { bg: 'bg-violet-100 text-violet-700', label: 'Anbieter' },
+  all: { bg: 'bg-gray-100 text-gray-700', label: 'Alle' },
+}
+
 export const COLLECTION_OPTIONS = [
   { value: 'bp_compliance_ce', label: 'CE (OWASP, ENISA, BSI)' },
   { value: 'bp_compliance_gesetze', label: 'Gesetze (EU, DE, BSI)' },
@@ -213,6 +222,13 @@ export function CategoryBadge({ category }: { category: string | null }) {
   )
 }
 
+export function TargetAudienceBadge({ audience }: { audience: string | null }) {
+  if (!audience) return null
+  const config = TARGET_AUDIENCE_OPTIONS[audience]
+  if (!config) return null
+  return <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${config.bg}`}>{config.label}</span>
+}
+
 export function getDomain(controlId: string): string {
   return controlId.split('-')[0] || ''
 }
diff --git a/admin-compliance/app/sdk/control-library/page.tsx b/admin-compliance/app/sdk/control-library/page.tsx
index 2cdd51e..dc1b7d4 100644
--- a/admin-compliance/app/sdk/control-library/page.tsx
+++ b/admin-compliance/app/sdk/control-library/page.tsx
@@ -2,13 +2,14 @@
 
 import { useState, useEffect, useMemo, useCallback } from 'react'
 import {
-  Shield, Search, ChevronRight, Filter, Lock,
+  Shield, Search, ChevronRight, ChevronLeft, Filter, Lock,
   BookOpen, Plus, Zap, BarChart3, ListChecks,
+  ChevronsLeft, ChevronsRight,
 } from 'lucide-react'
 import {
   CanonicalControl, Framework, BACKEND_URL, EMPTY_CONTROL,
-  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge,
-  getDomain, VERIFICATION_METHODS, CATEGORY_OPTIONS,
+  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, TargetAudienceBadge,
+  getDomain, VERIFICATION_METHODS, CATEGORY_OPTIONS, TARGET_AUDIENCE_OPTIONS,
 } from './components/helpers'
 import { ControlForm } from './components/ControlForm'
 import { ControlDetail } from './components/ControlDetail'
@@ -32,6 +33,7 @@ export default function ControlLibraryPage() {
   const [stateFilter, setStateFilter] = useState<string>('')
   const [verificationFilter, setVerificationFilter] = useState<string>('')
   const [categoryFilter, setCategoryFilter] = useState<string>('')
+  const [audienceFilter, setAudienceFilter] = useState<string>('')
 
   // CRUD state
   const [mode, setMode] = useState<'list' | 'detail' | 'create' | 'edit'>('list')
@@ -42,6 +44,10 @@ export default function ControlLibraryPage() {
   const [processedStats, setProcessedStats] = useState<Array<Record<string, unknown>>>([])
   const [showStats, setShowStats] = useState(false)
 
+  // Pagination
+  const [currentPage, setCurrentPage] = useState(1)
+  const PAGE_SIZE = 50
+
   // Review mode
   const [reviewMode, setReviewMode] = useState(false)
   const [reviewIndex, setReviewIndex] = useState(0)
@@ -80,6 +86,7 @@ export default function ControlLibraryPage() {
       if (stateFilter && c.release_state !== stateFilter) return false
       if (verificationFilter && c.verification_method !== verificationFilter) return false
       if (categoryFilter && c.category !== categoryFilter) return false
+      if (audienceFilter && c.target_audience !== audienceFilter) return false
       if (searchQuery) {
         const q = searchQuery.toLowerCase()
         return (
@@ -91,7 +98,17 @@ export default function ControlLibraryPage() {
       }
       return true
     })
-  }, [controls, severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, searchQuery])
+  }, [controls, severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, audienceFilter, searchQuery])
+
+  // Reset page when filters change
+  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, audienceFilter, searchQuery])
+
+  // Pagination
+  const totalPages = Math.max(1, Math.ceil(filteredControls.length / PAGE_SIZE))
+  const paginatedControls = useMemo(() => {
+    const start = (currentPage - 1) * PAGE_SIZE
+    return filteredControls.slice(start, start + PAGE_SIZE)
+  }, [filteredControls, currentPage])
 
   // Review queue items
   const reviewItems = useMemo(() => {
@@ -413,6 +430,16 @@ export default function ControlLibraryPage() {
               <option key={c.value} value={c.value}>{c.label}</option>
             ))}
           </select>
+          <select
+            value={audienceFilter}
+            onChange={e => setAudienceFilter(e.target.value)}
+            className="text-sm border border-gray-300 rounded-lg px-3 py-2 focus:outline-none focus:ring-2 focus:ring-purple-500"
+          >
+            <option value="">Alle Zielgruppen</option>
+            {Object.entries(TARGET_AUDIENCE_OPTIONS).map(([k, v]) => (
+              <option key={k} value={k}>{v.label}</option>
+            ))}
+          </select>
         </div>
 
         {/* Processing Stats */}
@@ -443,10 +470,19 @@ export default function ControlLibraryPage() {
         />
       )}
 
+      {/* Pagination Header */}
+      <div className="px-6 py-2 bg-gray-50 border-b border-gray-200 flex items-center justify-between text-xs text-gray-500">
+        <span>
+          {filteredControls.length} Controls gefunden
+          {filteredControls.length !== controls.length && ` (von ${controls.length} gesamt)`}
+        </span>
+        <span>Seite {currentPage} von {totalPages}</span>
+      </div>
+
       {/* Control List */}
       <div className="flex-1 overflow-y-auto p-6">
         <div className="space-y-3">
-          {filteredControls.map(ctrl => (
+          {paginatedControls.map(ctrl => (
             <button
               key={ctrl.control_id}
               onClick={() => { setSelectedControl(ctrl); setMode('detail') }}
@@ -454,13 +490,14 @@ export default function ControlLibraryPage() {
             >
               <div className="flex items-start justify-between">
                 <div className="flex-1 min-w-0">
-                  <div className="flex items-center gap-2 mb-1">
+                  <div className="flex items-center gap-2 mb-1 flex-wrap">
                     <span className="text-xs font-mono text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded">{ctrl.control_id}</span>
                     <SeverityBadge severity={ctrl.severity} />
                     <StateBadge state={ctrl.release_state} />
                     <LicenseRuleBadge rule={ctrl.license_rule} />
                     <VerificationMethodBadge method={ctrl.verification_method} />
                     <CategoryBadge category={ctrl.category} />
+                    <TargetAudienceBadge audience={ctrl.target_audience} />
                     {ctrl.risk_score !== null && (
                       <span className="text-xs text-gray-400">Score: {ctrl.risk_score}</span>
                     )}
@@ -472,11 +509,14 @@ export default function ControlLibraryPage() {
                   <div className="flex items-center gap-2 mt-2">
                     <BookOpen className="w-3 h-3 text-green-600" />
                     <span className="text-xs text-green-700">
-                      {ctrl.open_anchors.length} Open-Source-Referenzen:
-                    </span>
-                    <span className="text-xs text-gray-500">
-                      {ctrl.open_anchors.map(a => a.framework).filter((v, i, arr) => arr.indexOf(v) === i).join(', ')}
+                      {ctrl.open_anchors.length} Referenzen
                     </span>
+                    {ctrl.source_citation?.source && (
+                      <>
+                        <span className="text-gray-300">|</span>
+                        <span className="text-xs text-blue-600">{ctrl.source_citation.source}</span>
+                      </>
+                    )}
                   </div>
                 </div>
                 <ChevronRight className="w-4 h-4 text-gray-300 group-hover:text-purple-500 flex-shrink-0 mt-1 ml-4" />
@@ -492,6 +532,72 @@ export default function ControlLibraryPage() {
             </div>
           )}
         </div>
+
+        {/* Pagination Controls */}
+        {totalPages > 1 && (
+          <div className="flex items-center justify-center gap-2 mt-6 pb-4">
+            <button
+              onClick={() => setCurrentPage(1)}
+              disabled={currentPage === 1}
+              className="p-2 text-gray-500 hover:text-purple-600 disabled:opacity-30 disabled:cursor-not-allowed"
+              title="Erste Seite"
+            >
+              <ChevronsLeft className="w-4 h-4" />
+            </button>
+            <button
+              onClick={() => setCurrentPage(p => Math.max(1, p - 1))}
+              disabled={currentPage === 1}
+              className="p-2 text-gray-500 hover:text-purple-600 disabled:opacity-30 disabled:cursor-not-allowed"
+              title="Vorherige Seite"
+            >
+              <ChevronLeft className="w-4 h-4" />
+            </button>
+
+            {/* Page numbers */}
+            {Array.from({ length: totalPages }, (_, i) => i + 1)
+              .filter(p => p === 1 || p === totalPages || Math.abs(p - currentPage) <= 2)
+              .reduce<(number | 'dots')[]>((acc, p, i, arr) => {
+                if (i > 0 && p - (arr[i - 1] as number) > 1) acc.push('dots')
+                acc.push(p)
+                return acc
+              }, [])
+              .map((p, i) =>
+                p === 'dots' ? (
+                  <span key={`dots-${i}`} className="px-1 text-gray-400">...</span>
+                ) : (
+                  <button
+                    key={p}
+                    onClick={() => setCurrentPage(p as number)}
+                    className={`w-8 h-8 text-sm rounded-lg ${
+                      currentPage === p
+                        ? 'bg-purple-600 text-white'
+                        : 'text-gray-600 hover:bg-purple-50 hover:text-purple-600'
+                    }`}
+                  >
+                    {p}
+                  </button>
+                )
+              )
+            }
+
+            <button
+              onClick={() => setCurrentPage(p => Math.min(totalPages, p + 1))}
+              disabled={currentPage === totalPages}
+              className="p-2 text-gray-500 hover:text-purple-600 disabled:opacity-30 disabled:cursor-not-allowed"
+              title="Naechste Seite"
+            >
+              <ChevronRight className="w-4 h-4" />
+            </button>
+            <button
+              onClick={() => setCurrentPage(totalPages)}
+              disabled={currentPage === totalPages}
+              className="p-2 text-gray-500 hover:text-purple-600 disabled:opacity-30 disabled:cursor-not-allowed"
+              title="Letzte Seite"
+            >
+              <ChevronsRight className="w-4 h-4" />
+            </button>
+          </div>
+        )}
       </div>
     </div>
   )
diff --git a/admin-compliance/app/sdk/document-generator/page.tsx b/admin-compliance/app/sdk/document-generator/page.tsx
index 51a39d5..dfae88d 100644
--- a/admin-compliance/app/sdk/document-generator/page.tsx
+++ b/admin-compliance/app/sdk/document-generator/page.tsx
@@ -44,6 +44,7 @@ const CATEGORIES: { key: string; label: string; types: string[] | null }[] = [
   { key: 'cloud', label: 'Cloud', types: ['cloud_service_agreement'] },
   { key: 'misc', label: 'Weitere', types: ['community_guidelines', 'copyright_policy', 'data_usage_clause'] },
   { key: 'dsfa', label: 'DSFA', types: ['dsfa'] },
+  { key: 'security', label: 'Sicherheitskonzepte', types: ['it_security_concept', 'data_protection_concept', 'backup_recovery_concept', 'logging_concept', 'incident_response_plan', 'access_control_concept', 'risk_management_concept'] },
 ]
 
 // =============================================================================
diff --git a/admin-compliance/app/sdk/evidence/page.tsx b/admin-compliance/app/sdk/evidence/page.tsx
index a66844f..a5bb1a9 100644
--- a/admin-compliance/app/sdk/evidence/page.tsx
+++ b/admin-compliance/app/sdk/evidence/page.tsx
@@ -303,8 +303,76 @@ function LoadingSkeleton() {
 // MAIN PAGE
 // =============================================================================
 
+// =============================================================================
+// EVIDENCE CHECK TYPES
+// =============================================================================
+
+interface EvidenceCheck {
+  id: string
+  check_code: string
+  title: string
+  description: string | null
+  check_type: string
+  target_url: string | null
+  frequency: string
+  is_active: boolean
+  last_run_at: string | null
+  next_run_at: string | null
+}
+
+interface CheckResult {
+  id: string
+  check_id: string
+  run_status: string
+  summary: string | null
+  findings_count: number
+  critical_findings: number
+  duration_ms: number
+  run_at: string
+}
+
+interface EvidenceMapping {
+  id: string
+  evidence_id: string
+  control_code: string
+  mapping_type: string
+  verified_at: string | null
+  verified_by: string | null
+  notes: string | null
+}
+
+interface CoverageReport {
+  total_controls: number
+  controls_with_evidence: number
+  controls_without_evidence: number
+  coverage_percent: number
+}
+
+type EvidenceTabKey = 'evidence' | 'checks' | 'mapping' | 'report'
+
+const CHECK_TYPE_LABELS: Record<string, { label: string; color: string }> = {
+  tls_scan: { label: 'TLS-Scan', color: 'bg-blue-100 text-blue-700' },
+  header_check: { label: 'Header-Check', color: 'bg-green-100 text-green-700' },
+  certificate_check: { label: 'Zertifikat', color: 'bg-yellow-100 text-yellow-700' },
+  dns_check: { label: 'DNS-Check', color: 'bg-purple-100 text-purple-700' },
+  api_scan: { label: 'API-Scan', color: 'bg-indigo-100 text-indigo-700' },
+  config_scan: { label: 'Config-Scan', color: 'bg-orange-100 text-orange-700' },
+  port_scan: { label: 'Port-Scan', color: 'bg-red-100 text-red-700' },
+}
+
+const RUN_STATUS_LABELS: Record<string, { label: string; color: string }> = {
+  running: { label: 'Laeuft...', color: 'bg-blue-100 text-blue-700' },
+  passed: { label: 'Bestanden', color: 'bg-green-100 text-green-700' },
+  failed: { label: 'Fehlgeschlagen', color: 'bg-red-100 text-red-700' },
+  warning: { label: 'Warnung', color: 'bg-yellow-100 text-yellow-700' },
+  error: { label: 'Fehler', color: 'bg-red-100 text-red-700' },
+}
+
+const CHECK_API = '/api/sdk/v1/compliance/evidence-checks'
+
 export default function EvidencePage() {
   const { state, dispatch } = useSDK()
+  const [activeTab, setActiveTab] = useState<EvidenceTabKey>('evidence')
   const [filter, setFilter] = useState<string>('all')
   const [loading, setLoading] = useState(true)
   const [error, setError] = useState<string | null>(null)
@@ -314,6 +382,17 @@ export default function EvidencePage() {
   const [pageSize] = useState(20)
   const [total, setTotal] = useState(0)
 
+  // Evidence Checks state
+  const [checks, setChecks] = useState<EvidenceCheck[]>([])
+  const [checksLoading, setChecksLoading] = useState(false)
+  const [runningCheckId, setRunningCheckId] = useState<string | null>(null)
+  const [checkResults, setCheckResults] = useState<Record<string, CheckResult[]>>({})
+
+  // Mappings state
+  const [mappings, setMappings] = useState<EvidenceMapping[]>([])
+  const [coverageReport, setCoverageReport] = useState<CoverageReport | null>(null)
+  const [seedingChecks, setSeedingChecks] = useState(false)
+
   // Fetch evidence from backend on mount and when page changes
   useEffect(() => {
     const fetchEvidence = async () => {
@@ -511,8 +590,86 @@ export default function EvidencePage() {
     }
   }
 
+  // Load checks when tab changes
+  const loadChecks = async () => {
+    setChecksLoading(true)
+    try {
+      const res = await fetch(`${CHECK_API}?limit=50`)
+      if (res.ok) {
+        const data = await res.json()
+        setChecks(data.checks || [])
+      }
+    } catch { /* silent */ }
+    finally { setChecksLoading(false) }
+  }
+
+  const runCheck = async (checkId: string) => {
+    setRunningCheckId(checkId)
+    try {
+      const res = await fetch(`${CHECK_API}/${checkId}/run`, { method: 'POST' })
+      if (res.ok) {
+        const result = await res.json()
+        setCheckResults(prev => ({
+          ...prev,
+          [checkId]: [result, ...(prev[checkId] || [])].slice(0, 5),
+        }))
+        loadChecks() // refresh last_run_at
+      }
+    } catch { /* silent */ }
+    finally { setRunningCheckId(null) }
+  }
+
+  const loadCheckResults = async (checkId: string) => {
+    try {
+      const res = await fetch(`${CHECK_API}/${checkId}/results?limit=5`)
+      if (res.ok) {
+        const data = await res.json()
+        setCheckResults(prev => ({ ...prev, [checkId]: data.results || [] }))
+      }
+    } catch { /* silent */ }
+  }
+
+  const seedChecks = async () => {
+    setSeedingChecks(true)
+    try {
+      await fetch(`${CHECK_API}/seed`, { method: 'POST' })
+      loadChecks()
+    } catch { /* silent */ }
+    finally { setSeedingChecks(false) }
+  }
+
+  const loadMappings = async () => {
+    try {
+      const res = await fetch(`${CHECK_API}/mappings`)
+      if (res.ok) {
+        const data = await res.json()
+        setMappings(data.mappings || [])
+      }
+    } catch { /* silent */ }
+  }
+
+  const loadCoverageReport = async () => {
+    try {
+      const res = await fetch(`${CHECK_API}/mappings/report`)
+      if (res.ok) setCoverageReport(await res.json())
+    } catch { /* silent */ }
+  }
+
+  useEffect(() => {
+    if (activeTab === 'checks' && checks.length === 0) loadChecks()
+    if (activeTab === 'mapping') { loadMappings(); loadCoverageReport() }
+    if (activeTab === 'report') loadCoverageReport()
+  }, [activeTab]) // eslint-disable-line react-hooks/exhaustive-deps
+
   const stepInfo = STEP_EXPLANATIONS['evidence']
 
+  const evidenceTabs: { key: EvidenceTabKey; label: string }[] = [
+    { key: 'evidence', label: 'Nachweise' },
+    { key: 'checks', label: 'Automatische Checks' },
+    { key: 'mapping', label: 'Control-Mapping' },
+    { key: 'report', label: 'Report' },
+  ]
+
   return (
     <div className="space-y-6">
       {/* Hidden file input */}
@@ -556,6 +713,25 @@ export default function EvidencePage() {
         </button>
       </StepHeader>
 
+      {/* Tab Navigation */}
+      <div className="bg-white rounded-xl shadow-sm border">
+        <div className="flex border-b">
+          {evidenceTabs.map(tab => (
+            <button
+              key={tab.key}
+              onClick={() => setActiveTab(tab.key)}
+              className={`px-6 py-3 text-sm font-medium transition-colors ${
+                activeTab === tab.key
+                  ? 'text-purple-600 border-b-2 border-purple-600'
+                  : 'text-gray-500 hover:text-gray-700'
+              }`}
+            >
+              {tab.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
       {/* Error Banner */}
       {error && (
         <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
@@ -564,6 +740,11 @@ export default function EvidencePage() {
         </div>
       )}
 
+      {/* ============================================================ */}
+      {/* TAB: Nachweise (existing content) */}
+      {/* ============================================================ */}
+      {activeTab === 'evidence' && <>
+
       {/* Controls Alert */}
       {state.controls.length === 0 && !loading && (
         <div className="bg-amber-50 border border-amber-200 rounded-xl p-4">
@@ -681,6 +862,250 @@ export default function EvidencePage() {
           <p className="mt-2 text-gray-500">Passen Sie den Filter an oder laden Sie neue Nachweise hoch.</p>
         </div>
       )}
+
+      </>}
+
+      {/* ============================================================ */}
+      {/* TAB: Automatische Checks */}
+      {/* ============================================================ */}
+      {activeTab === 'checks' && (
+        <>
+          {/* Seed if empty */}
+          {!checksLoading && checks.length === 0 && (
+            <div className="p-4 bg-yellow-50 border border-yellow-200 rounded-lg flex items-center justify-between">
+              <div>
+                <p className="font-medium text-yellow-800">Keine automatischen Checks vorhanden</p>
+                <p className="text-sm text-yellow-700">Laden Sie ca. 15 Standard-Checks (TLS, Header, Zertifikate, etc.).</p>
+              </div>
+              <button onClick={seedChecks} disabled={seedingChecks}
+                className="px-4 py-2 bg-yellow-600 text-white rounded-lg hover:bg-yellow-700 disabled:opacity-50">
+                {seedingChecks ? 'Lade...' : 'Standard-Checks laden'}
+              </button>
+            </div>
+          )}
+
+          {checksLoading ? (
+            <div className="flex justify-center py-12">
+              <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+            </div>
+          ) : (
+            <div className="space-y-3">
+              {checks.map(check => {
+                const typeMeta = CHECK_TYPE_LABELS[check.check_type] || { label: check.check_type, color: 'bg-gray-100 text-gray-700' }
+                const results = checkResults[check.id] || []
+                const lastResult = results[0]
+                const isRunning = runningCheckId === check.id
+
+                return (
+                  <div key={check.id} className="bg-white rounded-xl border border-gray-200 p-5">
+                    <div className="flex items-start justify-between">
+                      <div className="flex-1">
+                        <div className="flex items-center gap-2">
+                          <h4 className="font-medium text-gray-900">{check.title}</h4>
+                          <span className={`px-2 py-0.5 text-xs rounded ${typeMeta.color}`}>{typeMeta.label}</span>
+                          {!check.is_active && (
+                            <span className="px-2 py-0.5 text-xs rounded bg-gray-100 text-gray-500">Deaktiviert</span>
+                          )}
+                        </div>
+                        {check.description && <p className="text-sm text-gray-500 mt-1">{check.description}</p>}
+                        <div className="flex items-center gap-4 mt-2 text-xs text-gray-400">
+                          <span>Code: {check.check_code}</span>
+                          {check.target_url && <span>Ziel: {check.target_url}</span>}
+                          <span>Frequenz: {check.frequency}</span>
+                          {check.last_run_at && <span>Letzter Lauf: {new Date(check.last_run_at).toLocaleDateString('de-DE')}</span>}
+                        </div>
+                      </div>
+                      <div className="flex items-center gap-2 ml-4">
+                        {lastResult && (
+                          <span className={`px-2 py-0.5 text-xs rounded ${RUN_STATUS_LABELS[lastResult.run_status]?.color || ''}`}>
+                            {RUN_STATUS_LABELS[lastResult.run_status]?.label || lastResult.run_status}
+                          </span>
+                        )}
+                        <button
+                          onClick={() => { runCheck(check.id); loadCheckResults(check.id) }}
+                          disabled={isRunning}
+                          className="px-3 py-1.5 text-xs bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50"
+                        >
+                          {isRunning ? 'Laeuft...' : 'Ausfuehren'}
+                        </button>
+                        <button
+                          onClick={() => loadCheckResults(check.id)}
+                          className="px-3 py-1.5 text-xs border rounded-lg hover:bg-gray-50"
+                        >
+                          Historie
+                        </button>
+                      </div>
+                    </div>
+
+                    {/* Results */}
+                    {results.length > 0 && (
+                      <div className="mt-3 border-t pt-3">
+                        <p className="text-xs font-medium text-gray-500 mb-2">Letzte Ergebnisse</p>
+                        <div className="space-y-1">
+                          {results.slice(0, 3).map(r => (
+                            <div key={r.id} className="flex items-center gap-3 text-xs">
+                              <span className={`px-1.5 py-0.5 rounded ${RUN_STATUS_LABELS[r.run_status]?.color || 'bg-gray-100'}`}>
+                                {RUN_STATUS_LABELS[r.run_status]?.label || r.run_status}
+                              </span>
+                              <span className="text-gray-500">{new Date(r.run_at).toLocaleString('de-DE')}</span>
+                              <span className="text-gray-400">{r.duration_ms}ms</span>
+                              {r.findings_count > 0 && (
+                                <span className="text-orange-600">{r.findings_count} Findings ({r.critical_findings} krit.)</span>
+                              )}
+                              {r.summary && <span className="text-gray-600 truncate">{r.summary}</span>}
+                            </div>
+                          ))}
+                        </div>
+                      </div>
+                    )}
+                  </div>
+                )
+              })}
+            </div>
+          )}
+        </>
+      )}
+
+      {/* ============================================================ */}
+      {/* TAB: Control-Mapping */}
+      {/* ============================================================ */}
+      {activeTab === 'mapping' && (
+        <>
+          {coverageReport && (
+            <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+              <div className="bg-white rounded-xl border border-gray-200 p-6">
+                <p className="text-sm text-gray-500">Gesamt Controls</p>
+                <p className="text-3xl font-bold text-gray-900">{coverageReport.total_controls}</p>
+              </div>
+              <div className="bg-white rounded-xl border border-green-200 p-6">
+                <p className="text-sm text-green-600">Mit Nachweis</p>
+                <p className="text-3xl font-bold text-green-600">{coverageReport.controls_with_evidence}</p>
+              </div>
+              <div className="bg-white rounded-xl border border-red-200 p-6">
+                <p className="text-sm text-red-600">Ohne Nachweis</p>
+                <p className="text-3xl font-bold text-red-600">{coverageReport.controls_without_evidence}</p>
+              </div>
+              <div className="bg-white rounded-xl border border-purple-200 p-6">
+                <p className="text-sm text-purple-600">Abdeckung</p>
+                <p className="text-3xl font-bold text-purple-600">{coverageReport.coverage_percent.toFixed(0)}%</p>
+              </div>
+            </div>
+          )}
+
+          <div className="bg-white rounded-xl shadow-sm border overflow-hidden">
+            <div className="p-4 border-b">
+              <h3 className="font-semibold text-gray-900">Evidence-Control-Verknuepfungen ({mappings.length})</h3>
+            </div>
+            {mappings.length === 0 ? (
+              <div className="p-8 text-center text-gray-500">
+                <p>Noch keine Verknuepfungen erstellt.</p>
+                <p className="text-sm mt-1">Fuehren Sie automatische Checks aus, um Nachweise automatisch mit Controls zu verknuepfen.</p>
+              </div>
+            ) : (
+              <table className="w-full">
+                <thead className="bg-gray-50">
+                  <tr>
+                    <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Control</th>
+                    <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Evidence</th>
+                    <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Typ</th>
+                    <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Verifiziert</th>
+                  </tr>
+                </thead>
+                <tbody className="divide-y divide-gray-200">
+                  {mappings.map(m => (
+                    <tr key={m.id} className="hover:bg-gray-50">
+                      <td className="px-4 py-3 font-mono text-sm text-purple-600">{m.control_code}</td>
+                      <td className="px-4 py-3 text-sm text-gray-700">{m.evidence_id.slice(0, 8)}...</td>
+                      <td className="px-4 py-3">
+                        <span className="px-2 py-0.5 text-xs rounded bg-blue-100 text-blue-700">{m.mapping_type}</span>
+                      </td>
+                      <td className="px-4 py-3 text-sm text-gray-500">
+                        {m.verified_at ? `${new Date(m.verified_at).toLocaleDateString('de-DE')} von ${m.verified_by || '—'}` : 'Ausstehend'}
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
+            )}
+          </div>
+        </>
+      )}
+
+      {/* ============================================================ */}
+      {/* TAB: Report */}
+      {/* ============================================================ */}
+      {activeTab === 'report' && (
+        <div className="bg-white rounded-xl shadow-sm border p-6">
+          <h3 className="text-lg font-semibold text-gray-900 mb-6">Evidence Coverage Report</h3>
+
+          {!coverageReport ? (
+            <div className="flex justify-center py-12">
+              <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+            </div>
+          ) : (
+            <>
+              {/* Coverage Bar */}
+              <div className="mb-8">
+                <div className="flex items-center justify-between mb-2">
+                  <span className="text-sm font-medium text-gray-700">Gesamt-Abdeckung</span>
+                  <span className={`text-2xl font-bold ${
+                    coverageReport.coverage_percent >= 80 ? 'text-green-600' :
+                    coverageReport.coverage_percent >= 50 ? 'text-yellow-600' : 'text-red-600'
+                  }`}>
+                    {coverageReport.coverage_percent.toFixed(1)}%
+                  </span>
+                </div>
+                <div className="h-4 bg-gray-200 rounded-full overflow-hidden">
+                  <div
+                    className={`h-full transition-all duration-500 ${
+                      coverageReport.coverage_percent >= 80 ? 'bg-green-500' :
+                      coverageReport.coverage_percent >= 50 ? 'bg-yellow-500' : 'bg-red-500'
+                    }`}
+                    style={{ width: `${coverageReport.coverage_percent}%` }}
+                  />
+                </div>
+              </div>
+
+              {/* Summary */}
+              <div className="grid grid-cols-1 md:grid-cols-3 gap-4 mb-8">
+                <div className="p-4 bg-gray-50 rounded-lg text-center">
+                  <p className="text-3xl font-bold text-gray-900">{coverageReport.total_controls}</p>
+                  <p className="text-sm text-gray-500">Controls gesamt</p>
+                </div>
+                <div className="p-4 bg-green-50 rounded-lg text-center">
+                  <p className="text-3xl font-bold text-green-600">{coverageReport.controls_with_evidence}</p>
+                  <p className="text-sm text-green-600">Mit Nachweis belegt</p>
+                </div>
+                <div className="p-4 bg-red-50 rounded-lg text-center">
+                  <p className="text-3xl font-bold text-red-600">{coverageReport.controls_without_evidence}</p>
+                  <p className="text-sm text-red-600">Ohne Nachweis</p>
+                </div>
+              </div>
+
+              {/* Check Summary */}
+              <div className="border-t pt-6">
+                <h4 className="font-medium text-gray-900 mb-3">Automatische Checks</h4>
+                <div className="flex items-center gap-4 text-sm text-gray-600">
+                  <span>{checks.length} Check-Definitionen</span>
+                  <span>{checks.filter(c => c.is_active).length} aktiv</span>
+                  <span>{checks.filter(c => c.last_run_at).length} mindestens 1x ausgefuehrt</span>
+                </div>
+              </div>
+
+              {/* Evidence Summary */}
+              <div className="border-t pt-6 mt-6">
+                <h4 className="font-medium text-gray-900 mb-3">Nachweise</h4>
+                <div className="flex items-center gap-4 text-sm text-gray-600">
+                  <span>{displayEvidence.length} Nachweise gesamt</span>
+                  <span className="text-green-600">{validCount} gueltig</span>
+                  <span className="text-red-600">{expiredCount} abgelaufen</span>
+                  <span className="text-yellow-600">{pendingCount} ausstehend</span>
+                </div>
+              </div>
+            </>
+          )}
+        </div>
+      )}
     </div>
   )
 }
diff --git a/admin-compliance/app/sdk/process-tasks/page.tsx b/admin-compliance/app/sdk/process-tasks/page.tsx
new file mode 100644
index 0000000..32d2bf4
--- /dev/null
+++ b/admin-compliance/app/sdk/process-tasks/page.tsx
@@ -0,0 +1,1383 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import { useSDK } from '@/lib/sdk'
+
+// =============================================================================
+// Types
+// =============================================================================
+
+interface ProcessTask {
+  id: string
+  tenant_id: string
+  project_id: string | null
+  task_code: string
+  title: string
+  description: string | null
+  category: string
+  priority: string
+  frequency: string
+  assigned_to: string | null
+  responsible_team: string | null
+  linked_control_ids: string[]
+  linked_module: string | null
+  last_completed_at: string | null
+  next_due_date: string | null
+  due_reminder_days: number
+  status: string
+  completion_date: string | null
+  completion_result: string | null
+  completion_evidence_id: string | null
+  follow_up_actions: string[]
+  is_seed: boolean
+  notes: string | null
+  tags: string[]
+  created_at: string
+  updated_at: string
+}
+
+interface TaskStats {
+  total: number
+  by_status: Record<string, number>
+  by_category: Record<string, number>
+  overdue_count: number
+  due_7_days: number
+  due_14_days: number
+  due_30_days: number
+}
+
+interface TaskFormData {
+  task_code: string
+  title: string
+  description: string
+  category: string
+  priority: string
+  frequency: string
+  assigned_to: string
+  responsible_team: string
+  linked_module: string
+  next_due_date: string
+  due_reminder_days: number
+  notes: string
+}
+
+interface CompleteFormData {
+  completed_by: string
+  result: string
+  notes: string
+}
+
+interface HistoryEntry {
+  id: string
+  task_id: string
+  completed_by: string | null
+  completed_at: string
+  result: string | null
+  evidence_id: string | null
+  notes: string | null
+  status: string
+}
+
+const EMPTY_FORM: TaskFormData = {
+  task_code: '',
+  title: '',
+  description: '',
+  category: 'dsgvo',
+  priority: 'medium',
+  frequency: 'yearly',
+  assigned_to: '',
+  responsible_team: '',
+  linked_module: '',
+  next_due_date: '',
+  due_reminder_days: 14,
+  notes: '',
+}
+
+const EMPTY_COMPLETE: CompleteFormData = {
+  completed_by: '',
+  result: '',
+  notes: '',
+}
+
+const API = '/api/sdk/v1/compliance/process-tasks'
+
+// =============================================================================
+// Constants
+// =============================================================================
+
+const CATEGORY_LABELS: Record<string, string> = {
+  dsgvo: 'DSGVO',
+  nis2: 'NIS2',
+  bsi: 'BSI',
+  iso27001: 'ISO 27001',
+  ai_act: 'AI Act',
+  internal: 'Intern',
+}
+
+const CATEGORY_COLORS: Record<string, string> = {
+  dsgvo: 'bg-blue-100 text-blue-700',
+  nis2: 'bg-purple-100 text-purple-700',
+  bsi: 'bg-green-100 text-green-700',
+  iso27001: 'bg-indigo-100 text-indigo-700',
+  ai_act: 'bg-orange-100 text-orange-700',
+  internal: 'bg-gray-100 text-gray-600',
+}
+
+const PRIORITY_LABELS: Record<string, string> = {
+  critical: 'Kritisch',
+  high: 'Hoch',
+  medium: 'Mittel',
+  low: 'Niedrig',
+}
+
+const PRIORITY_COLORS: Record<string, string> = {
+  critical: 'bg-red-100 text-red-700',
+  high: 'bg-orange-100 text-orange-700',
+  medium: 'bg-yellow-100 text-yellow-700',
+  low: 'bg-green-100 text-green-700',
+}
+
+const STATUS_LABELS: Record<string, string> = {
+  pending: 'Ausstehend',
+  in_progress: 'In Bearbeitung',
+  completed: 'Erledigt',
+  overdue: 'Ueberfaellig',
+  skipped: 'Uebersprungen',
+}
+
+const STATUS_COLORS: Record<string, string> = {
+  pending: 'bg-gray-100 text-gray-600',
+  in_progress: 'bg-blue-100 text-blue-700',
+  completed: 'bg-green-100 text-green-700',
+  overdue: 'bg-red-100 text-red-700',
+  skipped: 'bg-yellow-100 text-yellow-700',
+}
+
+const STATUS_ICONS: Record<string, string> = {
+  pending: '\u25CB',
+  in_progress: '\u25D4',
+  completed: '\u2714',
+  overdue: '\u26A0',
+  skipped: '\u2192',
+}
+
+const FREQUENCY_LABELS: Record<string, string> = {
+  weekly: 'Woechentlich',
+  monthly: 'Monatlich',
+  quarterly: 'Quartalsweise',
+  semi_annual: 'Halbjaehrlich',
+  yearly: 'Jaehrlich',
+  once: 'Einmalig',
+}
+
+// =============================================================================
+// Helpers
+// =============================================================================
+
+function formatDate(d: string | null): string {
+  if (!d) return '\u2014'
+  const dt = new Date(d)
+  return dt.toLocaleDateString('de-DE', { day: '2-digit', month: '2-digit', year: 'numeric' })
+}
+
+function daysUntil(d: string | null): number | null {
+  if (!d) return null
+  return Math.ceil((new Date(d).getTime() - Date.now()) / 86400000)
+}
+
+function dueLabel(d: string | null): string {
+  const days = daysUntil(d)
+  if (days === null) return '\u2014'
+  if (days < 0) return `${Math.abs(days)} Tage ueberfaellig`
+  if (days === 0) return 'Heute faellig'
+  if (days === 1) return 'Morgen faellig'
+  return `In ${days} Tagen`
+}
+
+function dueLabelColor(d: string | null): string {
+  const days = daysUntil(d)
+  if (days === null) return 'text-gray-400'
+  if (days < 0) return 'text-red-600 font-semibold'
+  if (days <= 7) return 'text-orange-600'
+  if (days <= 30) return 'text-yellow-600'
+  return 'text-green-600'
+}
+
+// =============================================================================
+// Toast
+// =============================================================================
+
+function Toast({ message, onClose }: { message: string; onClose: () => void }) {
+  useEffect(() => {
+    const t = setTimeout(onClose, 3000)
+    return () => clearTimeout(t)
+  }, [onClose])
+
+  return (
+    <div className="fixed bottom-6 right-6 z-[60] bg-gray-900 text-white px-5 py-3 rounded-xl shadow-xl text-sm animate-slide-up">
+      {message}
+    </div>
+  )
+}
+
+// =============================================================================
+// Complete Modal
+// =============================================================================
+
+function CompleteModal({
+  task,
+  onClose,
+  onComplete,
+}: {
+  task: ProcessTask
+  onClose: () => void
+  onComplete: (data: CompleteFormData) => Promise<void>
+}) {
+  const [form, setForm] = useState<CompleteFormData>({ ...EMPTY_COMPLETE })
+  const [saving, setSaving] = useState(false)
+
+  const handleSave = async () => {
+    setSaving(true)
+    try {
+      await onComplete(form)
+      onClose()
+    } catch {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={e => e.target === e.currentTarget && onClose()}>
+      <div className="bg-white rounded-2xl shadow-2xl w-full max-w-md">
+        <div className="flex items-center justify-between p-6 border-b">
+          <h2 className="text-lg font-semibold text-gray-900">Aufgabe erledigen</h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-xl">{'\u2715'}</button>
+        </div>
+        <div className="p-6 space-y-4">
+          <p className="text-sm text-gray-600 font-medium">{task.title}</p>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Erledigt von</label>
+            <input
+              type="text"
+              value={form.completed_by}
+              onChange={e => setForm(prev => ({ ...prev, completed_by: e.target.value }))}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="Name / Rolle"
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Ergebnis</label>
+            <textarea
+              value={form.result}
+              onChange={e => setForm(prev => ({ ...prev, result: e.target.value }))}
+              rows={3}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="Ergebnis der Pruefung / Massnahme..."
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Notizen</label>
+            <textarea
+              value={form.notes}
+              onChange={e => setForm(prev => ({ ...prev, notes: e.target.value }))}
+              rows={2}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="Zusaetzliche Hinweise..."
+            />
+          </div>
+        </div>
+        <div className="flex justify-end gap-3 p-6 border-t">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg">Abbrechen</button>
+          <button
+            onClick={handleSave}
+            disabled={saving}
+            className="px-5 py-2 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50"
+          >
+            {saving ? 'Speichern...' : 'Als erledigt markieren'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// Skip Modal
+// =============================================================================
+
+function SkipModal({
+  task,
+  onClose,
+  onSkip,
+}: {
+  task: ProcessTask
+  onClose: () => void
+  onSkip: (reason: string) => Promise<void>
+}) {
+  const [reason, setReason] = useState('')
+  const [saving, setSaving] = useState(false)
+
+  const handleSkip = async () => {
+    if (!reason.trim()) return
+    setSaving(true)
+    try {
+      await onSkip(reason)
+      onClose()
+    } catch {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={e => e.target === e.currentTarget && onClose()}>
+      <div className="bg-white rounded-2xl shadow-2xl w-full max-w-md">
+        <div className="flex items-center justify-between p-6 border-b">
+          <h2 className="text-lg font-semibold text-gray-900">Aufgabe ueberspringen</h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-xl">{'\u2715'}</button>
+        </div>
+        <div className="p-6 space-y-4">
+          <p className="text-sm text-gray-600 font-medium">{task.title}</p>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Begruendung *</label>
+            <textarea
+              value={reason}
+              onChange={e => setReason(e.target.value)}
+              rows={3}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="Warum wird diese Aufgabe uebersprungen?"
+            />
+          </div>
+        </div>
+        <div className="flex justify-end gap-3 p-6 border-t">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg">Abbrechen</button>
+          <button
+            onClick={handleSkip}
+            disabled={saving || !reason.trim()}
+            className="px-5 py-2 text-sm bg-yellow-500 text-white rounded-lg hover:bg-yellow-600 disabled:opacity-50"
+          >
+            {saving ? 'Speichern...' : 'Ueberspringen'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// Task Form Modal (Create / Edit)
+// =============================================================================
+
+function TaskFormModal({
+  initial,
+  onClose,
+  onSave,
+}: {
+  initial?: Partial<TaskFormData>
+  onClose: () => void
+  onSave: (data: TaskFormData) => Promise<void>
+}) {
+  const [form, setForm] = useState<TaskFormData>({ ...EMPTY_FORM, ...initial })
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const update = (field: keyof TaskFormData, value: string | number) =>
+    setForm(prev => ({ ...prev, [field]: value }))
+
+  const handleSave = async () => {
+    if (!form.title.trim()) { setError('Titel ist erforderlich'); return }
+    if (!form.task_code.trim()) { setError('Task-Code ist erforderlich'); return }
+    setSaving(true)
+    setError(null)
+    try {
+      await onSave(form)
+      onClose()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Speichern')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={e => e.target === e.currentTarget && onClose()}>
+      <div className="bg-white rounded-2xl shadow-2xl w-full max-w-xl max-h-[90vh] overflow-y-auto">
+        <div className="flex items-center justify-between p-6 border-b">
+          <h2 className="text-lg font-semibold text-gray-900">
+            {initial?.title ? 'Aufgabe bearbeiten' : 'Neue Aufgabe erstellen'}
+          </h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-xl">{'\u2715'}</button>
+        </div>
+        <div className="p-6 space-y-4">
+          {error && <div className="text-red-600 text-sm bg-red-50 rounded-lg p-3">{error}</div>}
+
+          <div className="grid grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Task-Code *</label>
+              <input
+                type="text"
+                value={form.task_code}
+                onChange={e => update('task_code', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+                placeholder="z.B. DSGVO-VVT-REVIEW"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Kategorie</label>
+              <select
+                value={form.category}
+                onChange={e => update('category', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+              >
+                {Object.entries(CATEGORY_LABELS).map(([k, v]) => (
+                  <option key={k} value={k}>{v}</option>
+                ))}
+              </select>
+            </div>
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Titel *</label>
+            <input
+              type="text"
+              value={form.title}
+              onChange={e => update('title', e.target.value)}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="z.B. VVT-Review und Aktualisierung"
+            />
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Beschreibung</label>
+            <textarea
+              value={form.description}
+              onChange={e => update('description', e.target.value)}
+              rows={3}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500"
+              placeholder="Detaillierte Beschreibung..."
+            />
+          </div>
+
+          <div className="grid grid-cols-3 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Prioritaet</label>
+              <select
+                value={form.priority}
+                onChange={e => update('priority', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+              >
+                {Object.entries(PRIORITY_LABELS).map(([k, v]) => (
+                  <option key={k} value={k}>{v}</option>
+                ))}
+              </select>
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Frequenz</label>
+              <select
+                value={form.frequency}
+                onChange={e => update('frequency', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+              >
+                {Object.entries(FREQUENCY_LABELS).map(([k, v]) => (
+                  <option key={k} value={k}>{v}</option>
+                ))}
+              </select>
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Faellig am</label>
+              <input
+                type="date"
+                value={form.next_due_date}
+                onChange={e => update('next_due_date', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+              />
+            </div>
+          </div>
+
+          <div className="grid grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Zustaendig</label>
+              <input
+                type="text"
+                value={form.assigned_to}
+                onChange={e => update('assigned_to', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+                placeholder="z.B. DSB, CISO"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Team</label>
+              <input
+                type="text"
+                value={form.responsible_team}
+                onChange={e => update('responsible_team', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+                placeholder="z.B. IT-Sicherheit"
+              />
+            </div>
+          </div>
+
+          <div className="grid grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Verknuepftes Modul</label>
+              <input
+                type="text"
+                value={form.linked_module}
+                onChange={e => update('linked_module', e.target.value)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+                placeholder="z.B. vvt, tom, dsfa"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Erinnerung (Tage vorher)</label>
+              <input
+                type="number"
+                value={form.due_reminder_days}
+                onChange={e => update('due_reminder_days', parseInt(e.target.value) || 14)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+                min={0}
+                max={90}
+              />
+            </div>
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Notizen</label>
+            <textarea
+              value={form.notes}
+              onChange={e => update('notes', e.target.value)}
+              rows={2}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm"
+              placeholder="Interne Hinweise..."
+            />
+          </div>
+        </div>
+        <div className="flex justify-end gap-3 p-6 border-t">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg">Abbrechen</button>
+          <button
+            onClick={handleSave}
+            disabled={saving}
+            className="px-5 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50"
+          >
+            {saving ? 'Speichern...' : 'Speichern'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// Detail Modal (with History)
+// =============================================================================
+
+function TaskDetailModal({
+  task,
+  onClose,
+  onComplete,
+  onSkip,
+  onEdit,
+  onDelete,
+}: {
+  task: ProcessTask
+  onClose: () => void
+  onComplete: (task: ProcessTask) => void
+  onSkip: (task: ProcessTask) => void
+  onEdit: (task: ProcessTask) => void
+  onDelete: (id: string) => Promise<void>
+}) {
+  const [history, setHistory] = useState<HistoryEntry[]>([])
+  const [loadingHistory, setLoadingHistory] = useState(true)
+
+  useEffect(() => {
+    loadHistory()
+  }, [task.id])
+
+  const loadHistory = async () => {
+    try {
+      const res = await fetch(`${API}/${task.id}/history`)
+      if (res.ok) {
+        const data = await res.json()
+        setHistory(data.history || [])
+      }
+    } catch { /* ignore */ }
+    setLoadingHistory(false)
+  }
+
+  const handleDelete = async () => {
+    if (!confirm('Aufgabe wirklich loeschen?')) return
+    await onDelete(task.id)
+    onClose()
+  }
+
+  const days = daysUntil(task.next_due_date)
+
+  return (
+    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={e => e.target === e.currentTarget && onClose()}>
+      <div className="bg-white rounded-2xl shadow-2xl w-full max-w-lg max-h-[85vh] overflow-y-auto">
+        <div className="flex items-start justify-between p-6 border-b gap-4">
+          <div className="flex-1">
+            <div className="flex items-center gap-2 mb-2 flex-wrap">
+              <span className={`px-2 py-0.5 text-xs rounded-full ${CATEGORY_COLORS[task.category] || 'bg-gray-100 text-gray-600'}`}>
+                {CATEGORY_LABELS[task.category] || task.category}
+              </span>
+              <span className={`px-2 py-0.5 text-xs rounded-full ${PRIORITY_COLORS[task.priority]}`}>
+                {PRIORITY_LABELS[task.priority]}
+              </span>
+              <span className={`px-2 py-0.5 text-xs rounded-full ${STATUS_COLORS[task.status]}`}>
+                {STATUS_LABELS[task.status]}
+              </span>
+            </div>
+            <h2 className="text-base font-semibold text-gray-900">{task.title}</h2>
+            <p className="text-xs text-gray-400 mt-0.5">{task.task_code}</p>
+          </div>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 flex-shrink-0">{'\u2715'}</button>
+        </div>
+
+        <div className="p-6 space-y-4 text-sm">
+          {task.description && (
+            <p className="text-gray-700 whitespace-pre-wrap">{task.description}</p>
+          )}
+
+          <div className="grid grid-cols-2 gap-3">
+            <div>
+              <span className="text-gray-500">Frequenz</span>
+              <p className="font-medium text-gray-900">{FREQUENCY_LABELS[task.frequency] || task.frequency}</p>
+            </div>
+            <div>
+              <span className="text-gray-500">Faellig</span>
+              <p className={`font-medium ${dueLabelColor(task.next_due_date)}`}>
+                {task.next_due_date ? `${formatDate(task.next_due_date)} (${dueLabel(task.next_due_date)})` : '\u2014'}
+              </p>
+            </div>
+            <div>
+              <span className="text-gray-500">Zustaendig</span>
+              <p className="font-medium text-gray-900">{task.assigned_to || '\u2014'}</p>
+            </div>
+            <div>
+              <span className="text-gray-500">Team</span>
+              <p className="font-medium text-gray-900">{task.responsible_team || '\u2014'}</p>
+            </div>
+            {task.linked_module && (
+              <div>
+                <span className="text-gray-500">Modul</span>
+                <p className="font-medium text-purple-700">{task.linked_module}</p>
+              </div>
+            )}
+            {task.last_completed_at && (
+              <div>
+                <span className="text-gray-500">Zuletzt erledigt</span>
+                <p className="font-medium text-gray-900">{formatDate(task.last_completed_at)}</p>
+              </div>
+            )}
+          </div>
+
+          {task.notes && (
+            <div className="bg-gray-50 rounded-lg p-3">
+              <span className="text-gray-500 text-xs">Notizen</span>
+              <p className="text-gray-700 mt-1">{task.notes}</p>
+            </div>
+          )}
+
+          {/* History */}
+          <div className="border-t pt-4">
+            <h3 className="font-semibold text-gray-900 mb-2">Verlauf</h3>
+            {loadingHistory ? (
+              <div className="animate-pulse space-y-2">
+                <div className="h-4 bg-gray-200 rounded w-3/4"></div>
+                <div className="h-4 bg-gray-200 rounded w-1/2"></div>
+              </div>
+            ) : history.length === 0 ? (
+              <p className="text-gray-400 text-sm">Noch keine Eintraege</p>
+            ) : (
+              <div className="space-y-2 max-h-48 overflow-y-auto">
+                {history.map(h => (
+                  <div key={h.id} className="flex items-start gap-2 text-xs bg-gray-50 rounded-lg p-2">
+                    <span className={`px-1.5 py-0.5 rounded ${h.status === 'completed' ? 'bg-green-100 text-green-700' : 'bg-yellow-100 text-yellow-700'}`}>
+                      {h.status === 'completed' ? 'Erledigt' : 'Uebersprungen'}
+                    </span>
+                    <div className="flex-1">
+                      <p className="text-gray-600">{formatDate(h.completed_at)} {h.completed_by ? `von ${h.completed_by}` : ''}</p>
+                      {h.result && <p className="text-gray-700 mt-0.5">{h.result}</p>}
+                      {h.notes && <p className="text-gray-500 mt-0.5">{h.notes}</p>}
+                    </div>
+                  </div>
+                ))}
+              </div>
+            )}
+          </div>
+        </div>
+
+        <div className="flex items-center gap-2 p-6 border-t flex-wrap">
+          {task.status !== 'completed' && (
+            <>
+              <button
+                onClick={() => { onClose(); onComplete(task) }}
+                className="px-3 py-1.5 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700"
+              >
+                Erledigen
+              </button>
+              <button
+                onClick={() => { onClose(); onSkip(task) }}
+                className="px-3 py-1.5 text-sm bg-yellow-500 text-white rounded-lg hover:bg-yellow-600"
+              >
+                Ueberspringen
+              </button>
+            </>
+          )}
+          <button
+            onClick={() => { onClose(); onEdit(task) }}
+            className="px-3 py-1.5 text-sm text-gray-600 hover:bg-gray-100 rounded-lg border"
+          >
+            Bearbeiten
+          </button>
+          <button
+            onClick={handleDelete}
+            className="px-3 py-1.5 text-sm text-red-600 hover:bg-red-50 rounded-lg border border-red-200 ml-auto"
+          >
+            Loeschen
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// Calendar View
+// =============================================================================
+
+function CalendarView({ tasks }: { tasks: ProcessTask[] }) {
+  const [currentMonth, setCurrentMonth] = useState(() => {
+    const now = new Date()
+    return new Date(now.getFullYear(), now.getMonth(), 1)
+  })
+
+  const year = currentMonth.getFullYear()
+  const month = currentMonth.getMonth()
+  const daysInMonth = new Date(year, month + 1, 0).getDate()
+  const firstDayOfWeek = new Date(year, month, 1).getDay()
+  const startOffset = firstDayOfWeek === 0 ? 6 : firstDayOfWeek - 1 // Monday start
+
+  const monthLabel = currentMonth.toLocaleDateString('de-DE', { month: 'long', year: 'numeric' })
+
+  // Group tasks by date
+  const tasksByDate: Record<string, ProcessTask[]> = {}
+  tasks.forEach(t => {
+    if (!t.next_due_date) return
+    const key = t.next_due_date.substring(0, 10)
+    if (!tasksByDate[key]) tasksByDate[key] = []
+    tasksByDate[key].push(t)
+  })
+
+  const prev = () => setCurrentMonth(new Date(year, month - 1, 1))
+  const next = () => setCurrentMonth(new Date(year, month + 1, 1))
+
+  const today = new Date().toISOString().substring(0, 10)
+
+  return (
+    <div>
+      <div className="flex items-center justify-between mb-4">
+        <button onClick={prev} className="px-3 py-1 text-sm text-gray-600 hover:bg-gray-100 rounded-lg">&larr; Vorher</button>
+        <h3 className="text-lg font-semibold text-gray-900">{monthLabel}</h3>
+        <button onClick={next} className="px-3 py-1 text-sm text-gray-600 hover:bg-gray-100 rounded-lg">Weiter &rarr;</button>
+      </div>
+
+      <div className="grid grid-cols-7 gap-px bg-gray-200 rounded-xl overflow-hidden border border-gray-200">
+        {['Mo', 'Di', 'Mi', 'Do', 'Fr', 'Sa', 'So'].map(d => (
+          <div key={d} className="bg-gray-50 p-2 text-xs font-medium text-gray-500 text-center">{d}</div>
+        ))}
+        {Array.from({ length: startOffset }).map((_, i) => (
+          <div key={`empty-${i}`} className="bg-white p-2 min-h-[80px]"></div>
+        ))}
+        {Array.from({ length: daysInMonth }).map((_, i) => {
+          const day = i + 1
+          const dateStr = `${year}-${String(month + 1).padStart(2, '0')}-${String(day).padStart(2, '0')}`
+          const dayTasks = tasksByDate[dateStr] || []
+          const isToday = dateStr === today
+
+          return (
+            <div key={day} className={`bg-white p-2 min-h-[80px] ${isToday ? 'ring-2 ring-purple-400 ring-inset' : ''}`}>
+              <span className={`text-xs font-medium ${isToday ? 'text-purple-600' : 'text-gray-500'}`}>{day}</span>
+              <div className="mt-1 space-y-0.5">
+                {dayTasks.slice(0, 3).map(t => {
+                  const days = daysUntil(t.next_due_date)
+                  let dotColor = 'bg-gray-400'
+                  if (t.status === 'completed') dotColor = 'bg-green-500'
+                  else if (days !== null && days < 0) dotColor = 'bg-red-500'
+                  else if (days !== null && days <= 7) dotColor = 'bg-orange-500'
+
+                  return (
+                    <div key={t.id} className="flex items-center gap-1" title={t.title}>
+                      <span className={`w-1.5 h-1.5 rounded-full flex-shrink-0 ${dotColor}`}></span>
+                      <span className="text-[10px] text-gray-600 truncate">{t.title}</span>
+                    </div>
+                  )
+                })}
+                {dayTasks.length > 3 && (
+                  <span className="text-[10px] text-gray-400">+{dayTasks.length - 3} mehr</span>
+                )}
+              </div>
+            </div>
+          )
+        })}
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// Main Page
+// =============================================================================
+
+export default function ProcessTasksPage() {
+  const sdk = useSDK()
+  const [activeTab, setActiveTab] = useState<'overview' | 'all' | 'calendar'>('overview')
+
+  // Data
+  const [tasks, setTasks] = useState<ProcessTask[]>([])
+  const [totalTasks, setTotalTasks] = useState(0)
+  const [stats, setStats] = useState<TaskStats | null>(null)
+  const [upcomingTasks, setUpcomingTasks] = useState<ProcessTask[]>([])
+
+  // Filters
+  const [filterStatus, setFilterStatus] = useState('')
+  const [filterCategory, setFilterCategory] = useState('')
+  const [filterFrequency, setFilterFrequency] = useState('')
+  const [page, setPage] = useState(0)
+  const PAGE_SIZE = 25
+
+  // UI State
+  const [loading, setLoading] = useState(true)
+  const [toast, setToast] = useState<string | null>(null)
+  const [showForm, setShowForm] = useState(false)
+  const [editTask, setEditTask] = useState<ProcessTask | null>(null)
+  const [detailTask, setDetailTask] = useState<ProcessTask | null>(null)
+  const [completeTask, setCompleteTask] = useState<ProcessTask | null>(null)
+  const [skipTask, setSkipTask] = useState<ProcessTask | null>(null)
+
+  // Load data
+  const loadStats = useCallback(async () => {
+    try {
+      const res = await fetch(`${API}/stats`)
+      if (res.ok) setStats(await res.json())
+    } catch { /* ignore */ }
+  }, [])
+
+  const loadUpcoming = useCallback(async () => {
+    try {
+      const res = await fetch(`${API}/upcoming?days=30`)
+      if (res.ok) {
+        const data = await res.json()
+        setUpcomingTasks(data.tasks || [])
+      }
+    } catch { /* ignore */ }
+  }, [])
+
+  const loadTasks = useCallback(async () => {
+    setLoading(true)
+    try {
+      const params = new URLSearchParams()
+      if (filterStatus) params.set('status', filterStatus)
+      if (filterCategory) params.set('category', filterCategory)
+      if (filterFrequency) params.set('frequency', filterFrequency)
+      params.set('limit', String(PAGE_SIZE))
+      params.set('offset', String(page * PAGE_SIZE))
+
+      const res = await fetch(`${API}?${params}`)
+      if (res.ok) {
+        const data = await res.json()
+        setTasks(data.tasks || [])
+        setTotalTasks(data.total || 0)
+      }
+    } catch { /* ignore */ }
+    setLoading(false)
+  }, [filterStatus, filterCategory, filterFrequency, page])
+
+  useEffect(() => {
+    loadStats()
+    loadUpcoming()
+    loadTasks()
+  }, [loadStats, loadUpcoming, loadTasks])
+
+  // Actions
+  const handleCreate = async (data: TaskFormData) => {
+    const res = await fetch(API, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data),
+    })
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}))
+      throw new Error(err.detail || 'Fehler beim Erstellen')
+    }
+    setToast('Aufgabe erstellt')
+    loadTasks()
+    loadStats()
+    loadUpcoming()
+  }
+
+  const handleUpdate = async (data: TaskFormData) => {
+    if (!editTask) return
+    const res = await fetch(`${API}/${editTask.id}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data),
+    })
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}))
+      throw new Error(err.detail || 'Fehler beim Speichern')
+    }
+    setEditTask(null)
+    setToast('Aufgabe aktualisiert')
+    loadTasks()
+    loadStats()
+    loadUpcoming()
+  }
+
+  const handleComplete = async (data: CompleteFormData) => {
+    if (!completeTask) return
+    const res = await fetch(`${API}/${completeTask.id}/complete`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data),
+    })
+    if (!res.ok) throw new Error('Fehler')
+    setCompleteTask(null)
+    setToast('Aufgabe als erledigt markiert')
+    loadTasks()
+    loadStats()
+    loadUpcoming()
+  }
+
+  const handleSkip = async (reason: string) => {
+    if (!skipTask) return
+    const res = await fetch(`${API}/${skipTask.id}/skip`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ reason }),
+    })
+    if (!res.ok) throw new Error('Fehler')
+    setSkipTask(null)
+    setToast('Aufgabe uebersprungen')
+    loadTasks()
+    loadStats()
+    loadUpcoming()
+  }
+
+  const handleDelete = async (id: string) => {
+    const res = await fetch(`${API}/${id}`, { method: 'DELETE' })
+    if (!res.ok) throw new Error('Fehler beim Loeschen')
+    setToast('Aufgabe geloescht')
+    loadTasks()
+    loadStats()
+    loadUpcoming()
+  }
+
+  const handleSeed = async () => {
+    const res = await fetch(`${API}/seed`, { method: 'POST' })
+    if (res.ok) {
+      const data = await res.json()
+      setToast(`${data.seeded} Standard-Aufgaben erstellt`)
+      loadTasks()
+      loadStats()
+      loadUpcoming()
+    }
+  }
+
+  const totalPages = Math.ceil(totalTasks / PAGE_SIZE)
+
+  // =============================================================================
+  // Render
+  // =============================================================================
+
+  return (
+    <div className="max-w-7xl mx-auto p-6">
+      {/* Header */}
+      <div className="flex items-center justify-between mb-6">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">Compliance Process Manager</h1>
+          <p className="text-sm text-gray-500 mt-1">Wiederkehrende Compliance-Aufgaben verwalten und nachverfolgen</p>
+        </div>
+        <div className="flex gap-2">
+          <button
+            onClick={handleSeed}
+            className="px-4 py-2 text-sm text-purple-600 border border-purple-200 rounded-lg hover:bg-purple-50"
+          >
+            Standard-Aufgaben laden
+          </button>
+          <button
+            onClick={() => setShowForm(true)}
+            className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700"
+          >
+            + Neue Aufgabe
+          </button>
+        </div>
+      </div>
+
+      {/* Tabs */}
+      <div className="flex gap-1 bg-gray-100 rounded-xl p-1 mb-6 w-fit">
+        {[
+          { key: 'overview' as const, label: 'Uebersicht' },
+          { key: 'all' as const, label: 'Alle Aufgaben' },
+          { key: 'calendar' as const, label: 'Kalender' },
+        ].map(tab => (
+          <button
+            key={tab.key}
+            onClick={() => setActiveTab(tab.key)}
+            className={`px-4 py-2 text-sm rounded-lg transition-colors ${
+              activeTab === tab.key
+                ? 'bg-white text-gray-900 shadow-sm font-medium'
+                : 'text-gray-500 hover:text-gray-700'
+            }`}
+          >
+            {tab.label}
+          </button>
+        ))}
+      </div>
+
+      {/* ===== OVERVIEW TAB ===== */}
+      {activeTab === 'overview' && (
+        <div className="space-y-6">
+          {/* Stat Cards */}
+          {stats ? (
+            <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-4 gap-4">
+              <div className="bg-white rounded-xl border border-red-200 p-5">
+                <div className="text-sm text-red-600 font-medium">Ueberfaellig</div>
+                <div className="text-3xl font-bold text-red-700 mt-1">{stats.overdue_count}</div>
+                <div className="text-xs text-gray-500 mt-1">Sofortiger Handlungsbedarf</div>
+              </div>
+              <div className="bg-white rounded-xl border border-orange-200 p-5">
+                <div className="text-sm text-orange-600 font-medium">Diese Woche</div>
+                <div className="text-3xl font-bold text-orange-700 mt-1">{stats.due_7_days}</div>
+                <div className="text-xs text-gray-500 mt-1">Naechste 7 Tage</div>
+              </div>
+              <div className="bg-white rounded-xl border border-yellow-200 p-5">
+                <div className="text-sm text-yellow-600 font-medium">Diesen Monat</div>
+                <div className="text-3xl font-bold text-yellow-700 mt-1">{stats.due_30_days}</div>
+                <div className="text-xs text-gray-500 mt-1">Naechste 30 Tage</div>
+              </div>
+              <div className="bg-white rounded-xl border border-green-200 p-5">
+                <div className="text-sm text-green-600 font-medium">Erledigt</div>
+                <div className="text-3xl font-bold text-green-700 mt-1">{stats.by_status.completed || 0}</div>
+                <div className="text-xs text-gray-500 mt-1">von {stats.total} Aufgaben</div>
+              </div>
+            </div>
+          ) : (
+            <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-4 gap-4">
+              {[1, 2, 3, 4].map(i => (
+                <div key={i} className="bg-white rounded-xl border p-5 animate-pulse">
+                  <div className="h-4 bg-gray-200 rounded w-24 mb-2"></div>
+                  <div className="h-8 bg-gray-200 rounded w-12 mb-1"></div>
+                  <div className="h-3 bg-gray-200 rounded w-32"></div>
+                </div>
+              ))}
+            </div>
+          )}
+
+          {/* Category Breakdown */}
+          {stats && Object.keys(stats.by_category).length > 0 && (
+            <div className="bg-white rounded-xl border p-5">
+              <h3 className="text-sm font-semibold text-gray-900 mb-3">Nach Kategorie</h3>
+              <div className="flex flex-wrap gap-2">
+                {Object.entries(stats.by_category).map(([cat, count]) => (
+                  <span key={cat} className={`px-3 py-1.5 text-sm rounded-lg ${CATEGORY_COLORS[cat] || 'bg-gray-100 text-gray-600'}`}>
+                    {CATEGORY_LABELS[cat] || cat}: {count}
+                  </span>
+                ))}
+              </div>
+            </div>
+          )}
+
+          {/* Upcoming Tasks */}
+          <div className="bg-white rounded-xl border">
+            <div className="p-5 border-b">
+              <h3 className="text-sm font-semibold text-gray-900">Naechste faellige Aufgaben</h3>
+            </div>
+            {upcomingTasks.length === 0 ? (
+              <div className="p-8 text-center text-gray-400">
+                <p className="text-sm">Keine Aufgaben in den naechsten 30 Tagen faellig.</p>
+                {stats && stats.total === 0 && (
+                  <button
+                    onClick={handleSeed}
+                    className="mt-3 px-4 py-2 text-sm text-purple-600 border border-purple-200 rounded-lg hover:bg-purple-50"
+                  >
+                    Standard-Aufgaben laden
+                  </button>
+                )}
+              </div>
+            ) : (
+              <div className="divide-y">
+                {upcomingTasks.slice(0, 5).map(t => (
+                  <div
+                    key={t.id}
+                    className="flex items-center gap-4 p-4 hover:bg-gray-50 cursor-pointer"
+                    onClick={() => setDetailTask(t)}
+                  >
+                    <span className={`w-8 h-8 flex items-center justify-center rounded-full text-sm ${STATUS_COLORS[t.status]}`}>
+                      {STATUS_ICONS[t.status]}
+                    </span>
+                    <div className="flex-1 min-w-0">
+                      <p className="text-sm font-medium text-gray-900 truncate">{t.title}</p>
+                      <div className="flex items-center gap-2 mt-0.5">
+                        <span className={`text-xs rounded px-1.5 py-0.5 ${CATEGORY_COLORS[t.category]}`}>
+                          {CATEGORY_LABELS[t.category]}
+                        </span>
+                        <span className="text-xs text-gray-400">{FREQUENCY_LABELS[t.frequency]}</span>
+                      </div>
+                    </div>
+                    <div className="text-right flex-shrink-0">
+                      <p className={`text-sm ${dueLabelColor(t.next_due_date)}`}>{dueLabel(t.next_due_date)}</p>
+                      <p className="text-xs text-gray-400">{formatDate(t.next_due_date)}</p>
+                    </div>
+                    <button
+                      onClick={e => { e.stopPropagation(); setCompleteTask(t) }}
+                      className="px-3 py-1 text-xs bg-green-600 text-white rounded-lg hover:bg-green-700 flex-shrink-0"
+                    >
+                      Erledigen
+                    </button>
+                  </div>
+                ))}
+              </div>
+            )}
+          </div>
+        </div>
+      )}
+
+      {/* ===== ALL TASKS TAB ===== */}
+      {activeTab === 'all' && (
+        <div className="space-y-4">
+          {/* Filters */}
+          <div className="flex flex-wrap items-center gap-3">
+            <select
+              value={filterStatus}
+              onChange={e => { setFilterStatus(e.target.value); setPage(0) }}
+              className="px-3 py-2 text-sm border border-gray-300 rounded-lg bg-white"
+            >
+              <option value="">Alle Status</option>
+              {Object.entries(STATUS_LABELS).map(([k, v]) => (
+                <option key={k} value={k}>{v}</option>
+              ))}
+            </select>
+            <select
+              value={filterCategory}
+              onChange={e => { setFilterCategory(e.target.value); setPage(0) }}
+              className="px-3 py-2 text-sm border border-gray-300 rounded-lg bg-white"
+            >
+              <option value="">Alle Kategorien</option>
+              {Object.entries(CATEGORY_LABELS).map(([k, v]) => (
+                <option key={k} value={k}>{v}</option>
+              ))}
+            </select>
+            <select
+              value={filterFrequency}
+              onChange={e => { setFilterFrequency(e.target.value); setPage(0) }}
+              className="px-3 py-2 text-sm border border-gray-300 rounded-lg bg-white"
+            >
+              <option value="">Alle Frequenzen</option>
+              {Object.entries(FREQUENCY_LABELS).map(([k, v]) => (
+                <option key={k} value={k}>{v}</option>
+              ))}
+            </select>
+            <span className="text-sm text-gray-400 ml-auto">{totalTasks} Aufgaben</span>
+          </div>
+
+          {/* Table */}
+          <div className="bg-white rounded-xl border overflow-hidden">
+            {loading ? (
+              <div className="p-6 space-y-3">
+                {[1, 2, 3, 4, 5].map(i => (
+                  <div key={i} className="flex gap-4 animate-pulse">
+                    <div className="h-8 w-8 bg-gray-200 rounded-full"></div>
+                    <div className="flex-1 space-y-2">
+                      <div className="h-4 bg-gray-200 rounded w-1/2"></div>
+                      <div className="h-3 bg-gray-200 rounded w-1/4"></div>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            ) : tasks.length === 0 ? (
+              <div className="p-12 text-center text-gray-400">
+                <p className="text-lg mb-1">Keine Aufgaben gefunden</p>
+                <p className="text-sm">Erstellen Sie eine neue Aufgabe oder laden Sie die Standard-Aufgaben.</p>
+              </div>
+            ) : (
+              <table className="w-full text-sm">
+                <thead>
+                  <tr className="border-b bg-gray-50">
+                    <th className="text-left py-3 px-4 font-medium text-gray-500 w-10">Status</th>
+                    <th className="text-left py-3 px-4 font-medium text-gray-500">Titel</th>
+                    <th className="text-left py-3 px-4 font-medium text-gray-500">Kategorie</th>
+                    <th className="text-left py-3 px-4 font-medium text-gray-500">Frequenz</th>
+                    <th className="text-left py-3 px-4 font-medium text-gray-500">Faellig am</th>
+                    <th className="text-left py-3 px-4 font-medium text-gray-500">Zustaendig</th>
+                    <th className="text-right py-3 px-4 font-medium text-gray-500">Aktionen</th>
+                  </tr>
+                </thead>
+                <tbody className="divide-y">
+                  {tasks.map(t => (
+                    <tr
+                      key={t.id}
+                      className="hover:bg-gray-50 cursor-pointer"
+                      onClick={() => setDetailTask(t)}
+                    >
+                      <td className="py-3 px-4">
+                        <span className={`w-7 h-7 flex items-center justify-center rounded-full text-xs ${STATUS_COLORS[t.status]}`}>
+                          {STATUS_ICONS[t.status]}
+                        </span>
+                      </td>
+                      <td className="py-3 px-4">
+                        <p className="font-medium text-gray-900">{t.title}</p>
+                        <p className="text-xs text-gray-400">{t.task_code}</p>
+                      </td>
+                      <td className="py-3 px-4">
+                        <span className={`px-2 py-0.5 text-xs rounded-full ${CATEGORY_COLORS[t.category]}`}>
+                          {CATEGORY_LABELS[t.category] || t.category}
+                        </span>
+                      </td>
+                      <td className="py-3 px-4 text-gray-600">
+                        {FREQUENCY_LABELS[t.frequency] || t.frequency}
+                      </td>
+                      <td className="py-3 px-4">
+                        <span className={dueLabelColor(t.next_due_date)}>{formatDate(t.next_due_date)}</span>
+                        <p className={`text-xs ${dueLabelColor(t.next_due_date)}`}>{dueLabel(t.next_due_date)}</p>
+                      </td>
+                      <td className="py-3 px-4 text-gray-600">{t.assigned_to || '\u2014'}</td>
+                      <td className="py-3 px-4 text-right" onClick={e => e.stopPropagation()}>
+                        <div className="flex items-center justify-end gap-1">
+                          {t.status !== 'completed' && (
+                            <button
+                              onClick={() => setCompleteTask(t)}
+                              className="px-2 py-1 text-xs bg-green-600 text-white rounded hover:bg-green-700"
+                              title="Erledigen"
+                            >
+                              {'\u2714'}
+                            </button>
+                          )}
+                          {t.status !== 'completed' && (
+                            <button
+                              onClick={() => setSkipTask(t)}
+                              className="px-2 py-1 text-xs bg-yellow-500 text-white rounded hover:bg-yellow-600"
+                              title="Ueberspringen"
+                            >
+                              {'\u2192'}
+                            </button>
+                          )}
+                          <button
+                            onClick={() => {
+                              setEditTask(t)
+                            }}
+                            className="px-2 py-1 text-xs text-gray-500 hover:bg-gray-100 rounded border"
+                            title="Bearbeiten"
+                          >
+                            {'\u270E'}
+                          </button>
+                          <button
+                            onClick={() => {
+                              if (confirm('Aufgabe wirklich loeschen?')) handleDelete(t.id)
+                            }}
+                            className="px-2 py-1 text-xs text-red-500 hover:bg-red-50 rounded border border-red-200"
+                            title="Loeschen"
+                          >
+                            {'\u2716'}
+                          </button>
+                        </div>
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
+            )}
+          </div>
+
+          {/* Pagination */}
+          {totalPages > 1 && (
+            <div className="flex items-center justify-between">
+              <button
+                onClick={() => setPage(p => Math.max(0, p - 1))}
+                disabled={page === 0}
+                className="px-3 py-1.5 text-sm text-gray-600 hover:bg-gray-100 rounded-lg border disabled:opacity-40"
+              >
+                Zurueck
+              </button>
+              <span className="text-sm text-gray-500">
+                Seite {page + 1} von {totalPages}
+              </span>
+              <button
+                onClick={() => setPage(p => Math.min(totalPages - 1, p + 1))}
+                disabled={page >= totalPages - 1}
+                className="px-3 py-1.5 text-sm text-gray-600 hover:bg-gray-100 rounded-lg border disabled:opacity-40"
+              >
+                Weiter
+              </button>
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* ===== CALENDAR TAB ===== */}
+      {activeTab === 'calendar' && (
+        <div className="bg-white rounded-xl border p-5">
+          <CalendarView tasks={[...tasks, ...upcomingTasks].filter((t, i, arr) => arr.findIndex(x => x.id === t.id) === i)} />
+        </div>
+      )}
+
+      {/* ===== MODALS ===== */}
+      {showForm && (
+        <TaskFormModal
+          onClose={() => setShowForm(false)}
+          onSave={handleCreate}
+        />
+      )}
+
+      {editTask && (
+        <TaskFormModal
+          initial={{
+            task_code: editTask.task_code,
+            title: editTask.title,
+            description: editTask.description || '',
+            category: editTask.category,
+            priority: editTask.priority,
+            frequency: editTask.frequency,
+            assigned_to: editTask.assigned_to || '',
+            responsible_team: editTask.responsible_team || '',
+            linked_module: editTask.linked_module || '',
+            next_due_date: editTask.next_due_date ? editTask.next_due_date.substring(0, 10) : '',
+            due_reminder_days: editTask.due_reminder_days,
+            notes: editTask.notes || '',
+          }}
+          onClose={() => setEditTask(null)}
+          onSave={handleUpdate}
+        />
+      )}
+
+      {detailTask && (
+        <TaskDetailModal
+          task={detailTask}
+          onClose={() => setDetailTask(null)}
+          onComplete={t => { setDetailTask(null); setCompleteTask(t) }}
+          onSkip={t => { setDetailTask(null); setSkipTask(t) }}
+          onEdit={t => { setDetailTask(null); setEditTask(t) }}
+          onDelete={handleDelete}
+        />
+      )}
+
+      {completeTask && (
+        <CompleteModal
+          task={completeTask}
+          onClose={() => setCompleteTask(null)}
+          onComplete={handleComplete}
+        />
+      )}
+
+      {skipTask && (
+        <SkipModal
+          task={skipTask}
+          onClose={() => setSkipTask(null)}
+          onSkip={handleSkip}
+        />
+      )}
+
+      {toast && <Toast message={toast} onClose={() => setToast(null)} />}
+    </div>
+  )
+}
diff --git a/ai-compliance-sdk/cmd/server/main.go b/ai-compliance-sdk/cmd/server/main.go
index e57f188..60ee3a2 100644
--- a/ai-compliance-sdk/cmd/server/main.go
+++ b/ai-compliance-sdk/cmd/server/main.go
@@ -280,6 +280,7 @@ func main() {
 			ragRoutes.GET("/regulations", ragHandlers.ListRegulations)
 			ragRoutes.GET("/corpus-status", ragHandlers.CorpusStatus)
 			ragRoutes.GET("/corpus-versions/:collection", ragHandlers.CorpusVersionHistory)
+			ragRoutes.GET("/scroll", ragHandlers.HandleScrollChunks)
 		}
 
 		// Roadmap routes - Compliance Implementation Roadmaps
diff --git a/ai-compliance-sdk/internal/api/handlers/rag_handlers.go b/ai-compliance-sdk/internal/api/handlers/rag_handlers.go
index ca7a780..9d997d8 100644
--- a/ai-compliance-sdk/internal/api/handlers/rag_handlers.go
+++ b/ai-compliance-sdk/internal/api/handlers/rag_handlers.go
@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
 	"github.com/gin-gonic/gin"
@@ -157,3 +158,47 @@ func (h *RAGHandlers) CorpusVersionHistory(c *gin.Context) {
 		"count":      len(versions),
 	})
 }
+
+// HandleScrollChunks scrolls/lists all chunks in a Qdrant collection with pagination.
+// GET /sdk/v1/rag/scroll?collection=...&offset=...&limit=...
+func (h *RAGHandlers) HandleScrollChunks(c *gin.Context) {
+	collection := c.Query("collection")
+	if collection == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "query parameter 'collection' is required"})
+		return
+	}
+
+	if !AllowedCollections[collection] {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Unknown collection: " + collection})
+		return
+	}
+
+	// Parse limit (default 100, max 500)
+	limit := 100
+	if limitStr := c.Query("limit"); limitStr != "" {
+		parsed, err := strconv.Atoi(limitStr)
+		if err != nil || parsed < 1 {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "limit must be a positive integer"})
+			return
+		}
+		limit = parsed
+	}
+	if limit > 500 {
+		limit = 500
+	}
+
+	// Offset is optional (empty string = start from beginning)
+	offset := c.Query("offset")
+
+	chunks, nextOffset, err := h.ragClient.ScrollChunks(c.Request.Context(), collection, offset, limit)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "scroll failed: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"chunks":      chunks,
+		"next_offset": nextOffset,
+		"total":       len(chunks),
+	})
+}
diff --git a/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go b/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go
index 3f61c7f..8000611 100644
--- a/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go
+++ b/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go
@@ -91,6 +91,72 @@ func TestSearch_WithCollectionParam_BindsCorrectly(t *testing.T) {
 	}
 }
 
+func TestHandleScrollChunks_MissingCollection_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler := &RAGHandlers{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request, _ = http.NewRequest("GET", "/sdk/v1/rag/scroll", nil)
+
+	handler.HandleScrollChunks(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected 400, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+	if resp["error"] == nil {
+		t.Error("Expected error message in response")
+	}
+}
+
+func TestHandleScrollChunks_InvalidCollection_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler := &RAGHandlers{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request, _ = http.NewRequest("GET", "/sdk/v1/rag/scroll?collection=bp_evil_collection", nil)
+
+	handler.HandleScrollChunks(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected 400, got %d", w.Code)
+	}
+}
+
+func TestHandleScrollChunks_InvalidLimit_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler := &RAGHandlers{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request, _ = http.NewRequest("GET", "/sdk/v1/rag/scroll?collection=bp_compliance_ce&limit=abc", nil)
+
+	handler.HandleScrollChunks(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected 400, got %d", w.Code)
+	}
+}
+
+func TestHandleScrollChunks_NegativeLimit_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler := &RAGHandlers{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request, _ = http.NewRequest("GET", "/sdk/v1/rag/scroll?collection=bp_compliance_ce&limit=-5", nil)
+
+	handler.HandleScrollChunks(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected 400, got %d", w.Code)
+	}
+}
+
 func TestSearch_EmptyCollection_IsAllowed(t *testing.T) {
 	// Empty collection should be allowed (falls back to default in the handler)
 	body := `{"query":"test"}`
diff --git a/ai-compliance-sdk/internal/ucca/legal_rag.go b/ai-compliance-sdk/internal/ucca/legal_rag.go
index 4a1fbad..d83515a 100644
--- a/ai-compliance-sdk/internal/ucca/legal_rag.go
+++ b/ai-compliance-sdk/internal/ucca/legal_rag.go
@@ -443,6 +443,142 @@ func (c *LegalRAGClient) FormatLegalContextForPrompt(lc *LegalContext) string {
 	return buf.String()
 }
 
+// ScrollChunkResult represents a single chunk from the scroll/list endpoint.
+type ScrollChunkResult struct {
+	ID              string `json:"id"`
+	Text            string `json:"text"`
+	RegulationCode  string `json:"regulation_code"`
+	RegulationName  string `json:"regulation_name"`
+	RegulationShort string `json:"regulation_short"`
+	Category        string `json:"category"`
+	Article         string `json:"article,omitempty"`
+	Paragraph       string `json:"paragraph,omitempty"`
+	SourceURL       string `json:"source_url,omitempty"`
+}
+
+// qdrantScrollRequest for the Qdrant scroll API.
+type qdrantScrollRequest struct {
+	Limit       int         `json:"limit"`
+	Offset      interface{} `json:"offset,omitempty"` // string (UUID) or null
+	WithPayload bool        `json:"with_payload"`
+	WithVectors bool        `json:"with_vectors"`
+}
+
+// qdrantScrollResponse from the Qdrant scroll API.
+type qdrantScrollResponse struct {
+	Result struct {
+		Points         []qdrantScrollPoint `json:"points"`
+		NextPageOffset interface{}         `json:"next_page_offset"`
+	} `json:"result"`
+}
+
+type qdrantScrollPoint struct {
+	ID      interface{}            `json:"id"`
+	Payload map[string]interface{} `json:"payload"`
+}
+
+// ScrollChunks iterates over all chunks in a Qdrant collection using the scroll API.
+// Pass an empty offset to start from the beginning. Returns chunks, next offset ID, and error.
+func (c *LegalRAGClient) ScrollChunks(ctx context.Context, collection string, offset string, limit int) ([]ScrollChunkResult, string, error) {
+	scrollReq := qdrantScrollRequest{
+		Limit:       limit,
+		WithPayload: true,
+		WithVectors: false,
+	}
+	if offset != "" {
+		// Qdrant expects integer point IDs — parse the offset string back to a number
+		// Try parsing as integer first, fall back to string (for UUID-based collections)
+		var offsetInt uint64
+		if _, err := fmt.Sscanf(offset, "%d", &offsetInt); err == nil {
+			scrollReq.Offset = offsetInt
+		} else {
+			scrollReq.Offset = offset
+		}
+	}
+
+	jsonBody, err := json.Marshal(scrollReq)
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to marshal scroll request: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/collections/%s/points/scroll", c.qdrantURL, collection)
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(jsonBody))
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to create scroll request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	if c.qdrantAPIKey != "" {
+		req.Header.Set("api-key", c.qdrantAPIKey)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, "", fmt.Errorf("scroll request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, "", fmt.Errorf("qdrant returned %d: %s", resp.StatusCode, string(body))
+	}
+
+	var scrollResp qdrantScrollResponse
+	if err := json.NewDecoder(resp.Body).Decode(&scrollResp); err != nil {
+		return nil, "", fmt.Errorf("failed to decode scroll response: %w", err)
+	}
+
+	// Convert points to results
+	chunks := make([]ScrollChunkResult, len(scrollResp.Result.Points))
+	for i, pt := range scrollResp.Result.Points {
+		// Extract point ID as string
+		pointID := ""
+		if pt.ID != nil {
+			pointID = fmt.Sprintf("%v", pt.ID)
+		}
+
+		chunks[i] = ScrollChunkResult{
+			ID:              pointID,
+			Text:            getString(pt.Payload, "text"),
+			RegulationCode:  getString(pt.Payload, "regulation_code"),
+			RegulationName:  getString(pt.Payload, "regulation_name"),
+			RegulationShort: getString(pt.Payload, "regulation_short"),
+			Category:        getString(pt.Payload, "category"),
+			Article:         getString(pt.Payload, "article"),
+			Paragraph:       getString(pt.Payload, "paragraph"),
+			SourceURL:       getString(pt.Payload, "source_url"),
+		}
+
+		// Fallback: try alternate payload field names used in ingestion
+		if chunks[i].Text == "" {
+			chunks[i].Text = getString(pt.Payload, "chunk_text")
+		}
+		if chunks[i].RegulationCode == "" {
+			chunks[i].RegulationCode = getString(pt.Payload, "regulation_id")
+		}
+		if chunks[i].RegulationName == "" {
+			chunks[i].RegulationName = getString(pt.Payload, "regulation_name_de")
+		}
+		if chunks[i].SourceURL == "" {
+			chunks[i].SourceURL = getString(pt.Payload, "source")
+		}
+	}
+
+	// Extract next offset — Qdrant returns integer point IDs
+	nextOffset := ""
+	if scrollResp.Result.NextPageOffset != nil {
+		switch v := scrollResp.Result.NextPageOffset.(type) {
+		case float64:
+			nextOffset = fmt.Sprintf("%.0f", v)
+		case string:
+			nextOffset = v
+		default:
+			nextOffset = fmt.Sprintf("%v", v)
+		}
+	}
+
+	return chunks, nextOffset, nil
+}
+
 // Helper functions
 
 func getString(m map[string]interface{}, key string) string {
diff --git a/ai-compliance-sdk/internal/ucca/legal_rag_test.go b/ai-compliance-sdk/internal/ucca/legal_rag_test.go
index 8a2d2c9..7855bc1 100644
--- a/ai-compliance-sdk/internal/ucca/legal_rag_test.go
+++ b/ai-compliance-sdk/internal/ucca/legal_rag_test.go
@@ -87,6 +87,197 @@ func TestSearchCollection_FallbackDefault(t *testing.T) {
 	}
 }
 
+func TestScrollChunks_ReturnsChunksAndNextOffset(t *testing.T) {
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !strings.Contains(r.URL.Path, "/points/scroll") {
+			t.Errorf("Expected scroll endpoint, got: %s", r.URL.Path)
+		}
+
+		// Decode request to verify fields
+		var reqBody map[string]interface{}
+		json.NewDecoder(r.Body).Decode(&reqBody)
+
+		if reqBody["with_vectors"] != false {
+			t.Error("Expected with_vectors=false")
+		}
+		if reqBody["with_payload"] != true {
+			t.Error("Expected with_payload=true")
+		}
+
+		resp := map[string]interface{}{
+			"result": map[string]interface{}{
+				"points": []map[string]interface{}{
+					{
+						"id": "abc-123",
+						"payload": map[string]interface{}{
+							"text":             "Artikel 35 DSGVO",
+							"regulation_code":  "eu_2016_679",
+							"regulation_name":  "DSGVO",
+							"regulation_short": "DSGVO",
+							"category":         "regulation",
+							"article":          "Art. 35",
+							"paragraph":        "1",
+							"source_url":       "https://example.com/dsgvo",
+						},
+					},
+					{
+						"id": "def-456",
+						"payload": map[string]interface{}{
+							"chunk_text":         "AI Act Titel III",
+							"regulation_id":      "eu_2024_1689",
+							"regulation_name_de": "KI-Verordnung",
+							"regulation_short":   "AI Act",
+							"category":           "regulation",
+							"source":             "https://example.com/ai-act",
+						},
+					},
+				},
+				"next_page_offset": "def-456",
+			},
+		}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:  qdrantMock.URL,
+		httpClient: http.DefaultClient,
+	}
+
+	chunks, nextOffset, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 100)
+	if err != nil {
+		t.Fatalf("ScrollChunks failed: %v", err)
+	}
+
+	if len(chunks) != 2 {
+		t.Fatalf("Expected 2 chunks, got %d", len(chunks))
+	}
+
+	// First chunk uses direct field names
+	if chunks[0].ID != "abc-123" {
+		t.Errorf("Expected ID abc-123, got %s", chunks[0].ID)
+	}
+	if chunks[0].Text != "Artikel 35 DSGVO" {
+		t.Errorf("Expected text 'Artikel 35 DSGVO', got '%s'", chunks[0].Text)
+	}
+	if chunks[0].RegulationCode != "eu_2016_679" {
+		t.Errorf("Expected regulation_code eu_2016_679, got %s", chunks[0].RegulationCode)
+	}
+	if chunks[0].Article != "Art. 35" {
+		t.Errorf("Expected article 'Art. 35', got '%s'", chunks[0].Article)
+	}
+
+	// Second chunk uses fallback field names (chunk_text, regulation_id, etc.)
+	if chunks[1].Text != "AI Act Titel III" {
+		t.Errorf("Expected fallback text 'AI Act Titel III', got '%s'", chunks[1].Text)
+	}
+	if chunks[1].RegulationCode != "eu_2024_1689" {
+		t.Errorf("Expected fallback regulation_code eu_2024_1689, got '%s'", chunks[1].RegulationCode)
+	}
+	if chunks[1].RegulationName != "KI-Verordnung" {
+		t.Errorf("Expected fallback regulation_name 'KI-Verordnung', got '%s'", chunks[1].RegulationName)
+	}
+
+	if nextOffset != "def-456" {
+		t.Errorf("Expected next_offset 'def-456', got '%s'", nextOffset)
+	}
+}
+
+func TestScrollChunks_EmptyCollection_ReturnsEmpty(t *testing.T) {
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		resp := map[string]interface{}{
+			"result": map[string]interface{}{
+				"points":           []interface{}{},
+				"next_page_offset": nil,
+			},
+		}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:  qdrantMock.URL,
+		httpClient: http.DefaultClient,
+	}
+
+	chunks, nextOffset, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 100)
+	if err != nil {
+		t.Fatalf("ScrollChunks failed: %v", err)
+	}
+
+	if len(chunks) != 0 {
+		t.Errorf("Expected 0 chunks, got %d", len(chunks))
+	}
+
+	if nextOffset != "" {
+		t.Errorf("Expected empty next_offset, got '%s'", nextOffset)
+	}
+}
+
+func TestScrollChunks_WithOffset_SendsOffset(t *testing.T) {
+	var receivedBody map[string]interface{}
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		json.NewDecoder(r.Body).Decode(&receivedBody)
+		resp := map[string]interface{}{
+			"result": map[string]interface{}{
+				"points":           []interface{}{},
+				"next_page_offset": nil,
+			},
+		}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:  qdrantMock.URL,
+		httpClient: http.DefaultClient,
+	}
+
+	_, _, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "some-offset-id", 50)
+	if err != nil {
+		t.Fatalf("ScrollChunks failed: %v", err)
+	}
+
+	if receivedBody["offset"] != "some-offset-id" {
+		t.Errorf("Expected offset 'some-offset-id', got '%v'", receivedBody["offset"])
+	}
+	if receivedBody["limit"] != float64(50) {
+		t.Errorf("Expected limit 50, got %v", receivedBody["limit"])
+	}
+}
+
+func TestScrollChunks_SendsAPIKey(t *testing.T) {
+	var receivedAPIKey string
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAPIKey = r.Header.Get("api-key")
+		resp := map[string]interface{}{
+			"result": map[string]interface{}{
+				"points":           []interface{}{},
+				"next_page_offset": nil,
+			},
+		}
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:    qdrantMock.URL,
+		qdrantAPIKey: "test-api-key-123",
+		httpClient:   http.DefaultClient,
+	}
+
+	_, _, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 10)
+	if err != nil {
+		t.Fatalf("ScrollChunks failed: %v", err)
+	}
+
+	if receivedAPIKey != "test-api-key-123" {
+		t.Errorf("Expected api-key 'test-api-key-123', got '%s'", receivedAPIKey)
+	}
+}
+
 func TestSearch_StillWorks(t *testing.T) {
 	var requestedURL string
 
diff --git a/backend-compliance/compliance/api/__init__.py b/backend-compliance/compliance/api/__init__.py
index 0ba0f4b..d456d7a 100644
--- a/backend-compliance/compliance/api/__init__.py
+++ b/backend-compliance/compliance/api/__init__.py
@@ -53,6 +53,8 @@ _ROUTER_MODULES = [
     "wiki_routes",
     "canonical_control_routes",
     "control_generator_routes",
+    "process_task_routes",
+    "evidence_check_routes",
 ]
 
 _loaded_count = 0
diff --git a/backend-compliance/compliance/api/canonical_control_routes.py b/backend-compliance/compliance/api/canonical_control_routes.py
index ff43428..126ab7e 100644
--- a/backend-compliance/compliance/api/canonical_control_routes.py
+++ b/backend-compliance/compliance/api/canonical_control_routes.py
@@ -78,6 +78,7 @@ class ControlResponse(BaseModel):
     customer_visible: Optional[bool] = None
     verification_method: Optional[str] = None
     category: Optional[str] = None
+    target_audience: Optional[str] = None
     generation_metadata: Optional[dict] = None
     created_at: str
     updated_at: str
@@ -106,6 +107,7 @@ class ControlCreateRequest(BaseModel):
     customer_visible: Optional[bool] = True
     verification_method: Optional[str] = None
     category: Optional[str] = None
+    target_audience: Optional[str] = None
     generation_metadata: Optional[dict] = None
 
 
@@ -130,6 +132,7 @@ class ControlUpdateRequest(BaseModel):
     customer_visible: Optional[bool] = None
     verification_method: Optional[str] = None
     category: Optional[str] = None
+    target_audience: Optional[str] = None
     generation_metadata: Optional[dict] = None
 
 
@@ -158,7 +161,7 @@ _CONTROL_COLS = """id, framework_id, control_id, title, objective, rationale,
                    evidence_confidence, open_anchors, release_state, tags,
                    license_rule, source_original_text, source_citation,
                    customer_visible, verification_method, category,
-                   generation_metadata,
+                   target_audience, generation_metadata,
                    created_at, updated_at"""
 
 
@@ -241,6 +244,7 @@ async def list_framework_controls(
     release_state: Optional[str] = Query(None),
     verification_method: Optional[str] = Query(None),
     category: Optional[str] = Query(None),
+    target_audience: Optional[str] = Query(None),
 ):
     """List controls belonging to a framework."""
     with SessionLocal() as db:
@@ -271,6 +275,9 @@ async def list_framework_controls(
         if category:
             query += " AND category = :cat"
             params["cat"] = category
+        if target_audience:
+            query += " AND target_audience = :ta"
+            params["ta"] = target_audience
 
         query += " ORDER BY control_id"
         rows = db.execute(text(query), params).fetchall()
@@ -289,6 +296,7 @@ async def list_controls(
     release_state: Optional[str] = Query(None),
     verification_method: Optional[str] = Query(None),
     category: Optional[str] = Query(None),
+    target_audience: Optional[str] = Query(None),
 ):
     """List all canonical controls, with optional filters."""
     query = f"""
@@ -313,6 +321,9 @@ async def list_controls(
     if category:
         query += " AND category = :cat"
         params["cat"] = category
+    if target_audience:
+        query += " AND target_audience = :ta"
+        params["ta"] = target_audience
 
     query += " ORDER BY control_id"
 
@@ -384,7 +395,7 @@ async def create_control(body: ControlCreateRequest):
                     open_anchors, release_state, tags,
                     license_rule, source_original_text, source_citation,
                     customer_visible, verification_method, category,
-                    generation_metadata
+                    target_audience, generation_metadata
                 ) VALUES (
                     :fw_id, :cid, :title, :objective, :rationale,
                     CAST(:scope AS jsonb), CAST(:requirements AS jsonb),
@@ -394,7 +405,7 @@ async def create_control(body: ControlCreateRequest):
                     :license_rule, :source_original_text,
                     CAST(:source_citation AS jsonb),
                     :customer_visible, :verification_method, :category,
-                    CAST(:generation_metadata AS jsonb)
+                    :target_audience, CAST(:generation_metadata AS jsonb)
                 )
                 RETURNING {_CONTROL_COLS}
             """),
@@ -421,6 +432,7 @@ async def create_control(body: ControlCreateRequest):
                 "customer_visible": body.customer_visible,
                 "verification_method": body.verification_method,
                 "category": body.category,
+                "target_audience": body.target_audience,
                 "generation_metadata": _json.dumps(body.generation_metadata) if body.generation_metadata else None,
             },
         ).fetchone()
@@ -647,6 +659,7 @@ def _control_row(r) -> dict:
         "customer_visible": r.customer_visible,
         "verification_method": r.verification_method,
         "category": r.category,
+        "target_audience": r.target_audience,
         "generation_metadata": r.generation_metadata,
         "created_at": r.created_at.isoformat() if r.created_at else None,
         "updated_at": r.updated_at.isoformat() if r.updated_at else None,
diff --git a/backend-compliance/compliance/api/control_generator_routes.py b/backend-compliance/compliance/api/control_generator_routes.py
index 92280ef..a0de281 100644
--- a/backend-compliance/compliance/api/control_generator_routes.py
+++ b/backend-compliance/compliance/api/control_generator_routes.py
@@ -12,6 +12,7 @@ Endpoints:
   POST /v1/canonical/blocked-sources/cleanup      — Start cleanup workflow
 """
 
+import asyncio
 import json
 import logging
 from typing import Optional, List
@@ -89,9 +90,42 @@ class BlockedSourceResponse(BaseModel):
 # ENDPOINTS
 # =============================================================================
 
+async def _run_pipeline_background(config: GeneratorConfig, job_id: str):
+    """Run the pipeline in the background. Uses its own DB session."""
+    db = SessionLocal()
+    try:
+        config.existing_job_id = job_id
+        pipeline = ControlGeneratorPipeline(db=db, rag_client=get_rag_client())
+        result = await pipeline.run(config)
+        logger.info(
+            "Background generation job %s completed: %d controls from %d chunks",
+            job_id, result.controls_generated, result.total_chunks_scanned,
+        )
+    except Exception as e:
+        logger.error("Background generation job %s failed: %s", job_id, e)
+        # Update job as failed
+        try:
+            db.execute(
+                text("""
+                    UPDATE canonical_generation_jobs
+                    SET status = 'failed', errors = :errors, completed_at = NOW()
+                    WHERE id = CAST(:job_id AS uuid)
+                """),
+                {"job_id": job_id, "errors": json.dumps([str(e)])},
+            )
+            db.commit()
+        except Exception:
+            pass
+    finally:
+        db.close()
+
+
 @router.post("/generate", response_model=GenerateResponse)
 async def start_generation(req: GenerateRequest):
-    """Start a control generation run."""
+    """Start a control generation run (runs in background).
+
+    Returns immediately with job_id. Use GET /generate/status/{job_id} to poll progress.
+    """
     config = GeneratorConfig(
         collections=req.collections,
         domain=req.domain,
@@ -101,30 +135,63 @@ async def start_generation(req: GenerateRequest):
         dry_run=req.dry_run,
     )
 
+    if req.dry_run:
+        # Dry run: execute synchronously and return controls
+        db = SessionLocal()
+        try:
+            pipeline = ControlGeneratorPipeline(db=db, rag_client=get_rag_client())
+            result = await pipeline.run(config)
+            return GenerateResponse(
+                job_id=result.job_id,
+                status=result.status,
+                message=f"Dry run: {result.controls_generated} controls from {result.total_chunks_scanned} chunks",
+                total_chunks_scanned=result.total_chunks_scanned,
+                controls_generated=result.controls_generated,
+                controls_verified=result.controls_verified,
+                controls_needs_review=result.controls_needs_review,
+                controls_too_close=result.controls_too_close,
+                controls_duplicates_found=result.controls_duplicates_found,
+                errors=result.errors,
+                controls=result.controls,
+            )
+        except Exception as e:
+            logger.error("Dry run failed: %s", e)
+            raise HTTPException(status_code=500, detail=str(e))
+        finally:
+            db.close()
+
+    # Create job record first so we can return the ID
     db = SessionLocal()
     try:
-        pipeline = ControlGeneratorPipeline(db=db, rag_client=get_rag_client())
-        result = await pipeline.run(config)
-
-        return GenerateResponse(
-            job_id=result.job_id,
-            status=result.status,
-            message=f"Generated {result.controls_generated} controls from {result.total_chunks_scanned} chunks",
-            total_chunks_scanned=result.total_chunks_scanned,
-            controls_generated=result.controls_generated,
-            controls_verified=result.controls_verified,
-            controls_needs_review=result.controls_needs_review,
-            controls_too_close=result.controls_too_close,
-            controls_duplicates_found=result.controls_duplicates_found,
-            errors=result.errors,
-            controls=result.controls if req.dry_run else [],
+        result = db.execute(
+            text("""
+                INSERT INTO canonical_generation_jobs (status, config)
+                VALUES ('running', :config)
+                RETURNING id
+            """),
+            {"config": json.dumps(config.model_dump())},
         )
+        db.commit()
+        row = result.fetchone()
+        job_id = str(row[0]) if row else None
     except Exception as e:
-        logger.error("Generation failed: %s", e)
-        raise HTTPException(status_code=500, detail=str(e))
+        logger.error("Failed to create job: %s", e)
+        raise HTTPException(status_code=500, detail=f"Failed to create job: {e}")
     finally:
         db.close()
 
+    if not job_id:
+        raise HTTPException(status_code=500, detail="Failed to create job record")
+
+    # Launch pipeline in background
+    asyncio.create_task(_run_pipeline_background(config, job_id))
+
+    return GenerateResponse(
+        job_id=job_id,
+        status="running",
+        message="Generation started in background. Poll /generate/status/{job_id} for progress.",
+    )
+
 
 @router.get("/generate/status/{job_id}")
 async def get_job_status(job_id: str):
diff --git a/backend-compliance/compliance/api/dashboard_routes.py b/backend-compliance/compliance/api/dashboard_routes.py
index 182876d..3e303e9 100644
--- a/backend-compliance/compliance/api/dashboard_routes.py
+++ b/backend-compliance/compliance/api/dashboard_routes.py
@@ -5,16 +5,23 @@ Endpoints:
 - /dashboard: Main compliance dashboard
 - /dashboard/executive: Executive summary for managers
 - /dashboard/trend: Compliance score trend over time
+- /dashboard/roadmap: Prioritised controls in 4 buckets
+- /dashboard/module-status: Completion status of each SDK module
+- /dashboard/next-actions: Top 5 most important actions
+- /dashboard/snapshot: Save / query compliance score snapshots
 - /score: Quick compliance score
 - /reports: Report generation
 """
 
 import logging
-from datetime import datetime, timedelta
+from datetime import datetime, date, timedelta
 from calendar import month_abbr
-from typing import Optional
+from typing import Optional, Dict, Any, List
+from decimal import Decimal
 
 from fastapi import APIRouter, Depends, HTTPException, Query
+from pydantic import BaseModel
+from sqlalchemy import text
 from sqlalchemy.orm import Session
 
 from classroom_engine.database import get_db
@@ -34,6 +41,8 @@ from .schemas import (
     DeadlineItem,
     TeamWorkloadItem,
 )
+from .tenant_utils import get_tenant_id as _get_tenant_id
+from .db_utils import row_to_dict as _row_to_dict
 
 logger = logging.getLogger(__name__)
 router = APIRouter(tags=["compliance-dashboard"])
@@ -322,6 +331,272 @@ async def get_compliance_trend(
     }
 
 
+# ============================================================================
+# Dashboard Extended — Roadmap, Module-Status, Next-Actions, Snapshots
+# ============================================================================
+
+# Weight map for control prioritisation
+_PRIORITY_WEIGHTS = {"legal": 5, "security": 3, "best_practice": 1, "operational": 2}
+
+# SDK module definitions → DB table used for counting completion
+_MODULE_DEFS: List[Dict[str, str]] = [
+    {"key": "vvt", "label": "VVT", "table": "compliance_vvt_activities"},
+    {"key": "tom", "label": "TOM", "table": "compliance_toms"},
+    {"key": "dsfa", "label": "DSFA", "table": "compliance_dsfa_assessments"},
+    {"key": "loeschfristen", "label": "Loeschfristen", "table": "compliance_loeschfristen"},
+    {"key": "risks", "label": "Risiken", "table": "compliance_risks"},
+    {"key": "controls", "label": "Controls", "table": "compliance_controls"},
+    {"key": "evidence", "label": "Nachweise", "table": "compliance_evidence"},
+    {"key": "obligations", "label": "Pflichten", "table": "compliance_obligations"},
+    {"key": "incidents", "label": "Vorfaelle", "table": "compliance_notfallplan_incidents"},
+    {"key": "vendor", "label": "Auftragsverarbeiter", "table": "compliance_vendor_assessments"},
+    {"key": "legal_templates", "label": "Rechtl. Dokumente", "table": "compliance_legal_templates"},
+    {"key": "training", "label": "Schulungen", "table": "training_modules"},
+    {"key": "audit", "label": "Audit", "table": "compliance_audit_sessions"},
+    {"key": "security_backlog", "label": "Security-Backlog", "table": "compliance_security_backlog"},
+    {"key": "quality", "label": "Qualitaet", "table": "compliance_quality_items"},
+]
+
+
+@router.get("/dashboard/roadmap")
+async def get_dashboard_roadmap(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Prioritised controls in 4 buckets: Quick Wins, Must Have, Should Have, Nice to Have."""
+    ctrl_repo = ControlRepository(db)
+    controls = ctrl_repo.get_all()
+    today = datetime.utcnow().date()
+
+    buckets: Dict[str, list] = {
+        "quick_wins": [],
+        "must_have": [],
+        "should_have": [],
+        "nice_to_have": [],
+    }
+
+    for ctrl in controls:
+        status = ctrl.status.value if ctrl.status else "planned"
+        if status == "pass":
+            continue  # already done
+
+        weight = _PRIORITY_WEIGHTS.get(ctrl.category if hasattr(ctrl, "category") else "best_practice", 1)
+        days_overdue = 0
+        if ctrl.next_review_at:
+            review_date = ctrl.next_review_at.date() if hasattr(ctrl.next_review_at, "date") else ctrl.next_review_at
+            days_overdue = (today - review_date).days
+
+        urgency = weight * 2 + (1 if days_overdue > 0 else 0)
+
+        item = {
+            "id": str(ctrl.id),
+            "control_id": ctrl.control_id,
+            "title": ctrl.title,
+            "status": status,
+            "domain": ctrl.domain.value if ctrl.domain else "unknown",
+            "owner": ctrl.owner,
+            "next_review_at": ctrl.next_review_at.isoformat() if ctrl.next_review_at else None,
+            "days_overdue": max(0, days_overdue),
+            "weight": weight,
+        }
+
+        if weight >= 5 and days_overdue > 0:
+            buckets["quick_wins"].append(item)
+        elif weight >= 4:
+            buckets["must_have"].append(item)
+        elif weight >= 2:
+            buckets["should_have"].append(item)
+        else:
+            buckets["nice_to_have"].append(item)
+
+    # Sort each bucket by urgency desc
+    for key in buckets:
+        buckets[key].sort(key=lambda x: x["days_overdue"], reverse=True)
+
+    return {
+        "buckets": buckets,
+        "counts": {k: len(v) for k, v in buckets.items()},
+        "generated_at": datetime.utcnow().isoformat(),
+    }
+
+
+@router.get("/dashboard/module-status")
+async def get_module_status(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Completion status for each SDK module based on DB record counts."""
+    modules = []
+    for mod in _MODULE_DEFS:
+        try:
+            row = db.execute(
+                text(f"SELECT COUNT(*) FROM {mod['table']} WHERE tenant_id = :tid"),
+                {"tid": tenant_id},
+            ).fetchone()
+            count = int(row[0]) if row else 0
+        except Exception:
+            count = 0
+
+        # Simple heuristic: 0 = not started, 1-2 = in progress, 3+ = complete
+        if count == 0:
+            status = "not_started"
+            progress = 0
+        elif count < 3:
+            status = "in_progress"
+            progress = min(60, count * 30)
+        else:
+            status = "complete"
+            progress = 100
+
+        modules.append({
+            "key": mod["key"],
+            "label": mod["label"],
+            "count": count,
+            "status": status,
+            "progress": progress,
+        })
+
+    started = sum(1 for m in modules if m["status"] != "not_started")
+    complete = sum(1 for m in modules if m["status"] == "complete")
+
+    return {
+        "modules": modules,
+        "total": len(modules),
+        "started": started,
+        "complete": complete,
+        "overall_progress": round((complete / len(modules)) * 100, 1) if modules else 0,
+    }
+
+
+@router.get("/dashboard/next-actions")
+async def get_next_actions(
+    limit: int = Query(5, ge=1, le=20),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Top N most important actions sorted by urgency*impact."""
+    ctrl_repo = ControlRepository(db)
+    controls = ctrl_repo.get_all()
+    today = datetime.utcnow().date()
+
+    actions = []
+    for ctrl in controls:
+        status = ctrl.status.value if ctrl.status else "planned"
+        if status == "pass":
+            continue
+
+        days_overdue = 0
+        if ctrl.next_review_at:
+            review_date = ctrl.next_review_at.date() if hasattr(ctrl.next_review_at, "date") else ctrl.next_review_at
+            days_overdue = max(0, (today - review_date).days)
+
+        weight = _PRIORITY_WEIGHTS.get(ctrl.category if hasattr(ctrl, "category") else "best_practice", 1)
+        urgency_score = weight * 10 + days_overdue
+
+        actions.append({
+            "id": str(ctrl.id),
+            "control_id": ctrl.control_id,
+            "title": ctrl.title,
+            "status": status,
+            "domain": ctrl.domain.value if ctrl.domain else "unknown",
+            "owner": ctrl.owner,
+            "days_overdue": days_overdue,
+            "urgency_score": urgency_score,
+            "reason": "Ueberfaellig" if days_overdue > 0 else "Offen",
+        })
+
+    actions.sort(key=lambda x: x["urgency_score"], reverse=True)
+    return {"actions": actions[:limit]}
+
+
+@router.post("/dashboard/snapshot")
+async def create_score_snapshot(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Save current compliance score as a historical snapshot."""
+    ctrl_repo = ControlRepository(db)
+    evidence_repo = EvidenceRepository(db)
+    risk_repo = RiskRepository(db)
+
+    ctrl_stats = ctrl_repo.get_statistics()
+    evidence_stats = evidence_repo.get_statistics()
+    risks = risk_repo.get_all()
+
+    total = ctrl_stats.get("total", 0)
+    passing = ctrl_stats.get("pass", 0)
+    partial = ctrl_stats.get("partial", 0)
+    score = round(((passing + partial * 0.5) / total) * 100, 2) if total > 0 else 0
+
+    risks_high = sum(1 for r in risks if (r.inherent_risk.value if r.inherent_risk else "low") in ("high", "critical"))
+
+    today = date.today()
+
+    row = db.execute(text("""
+        INSERT INTO compliance_score_snapshots (
+            tenant_id, score, controls_total, controls_pass, controls_partial,
+            evidence_total, evidence_valid, risks_total, risks_high, snapshot_date
+        ) VALUES (
+            :tenant_id, :score, :controls_total, :controls_pass, :controls_partial,
+            :evidence_total, :evidence_valid, :risks_total, :risks_high, :snapshot_date
+        )
+        ON CONFLICT (tenant_id, project_id, snapshot_date) DO UPDATE SET
+            score = EXCLUDED.score,
+            controls_total = EXCLUDED.controls_total,
+            controls_pass = EXCLUDED.controls_pass,
+            controls_partial = EXCLUDED.controls_partial,
+            evidence_total = EXCLUDED.evidence_total,
+            evidence_valid = EXCLUDED.evidence_valid,
+            risks_total = EXCLUDED.risks_total,
+            risks_high = EXCLUDED.risks_high
+        RETURNING *
+    """), {
+        "tenant_id": tenant_id,
+        "score": score,
+        "controls_total": total,
+        "controls_pass": passing,
+        "controls_partial": partial,
+        "evidence_total": evidence_stats.get("total", 0),
+        "evidence_valid": evidence_stats.get("by_status", {}).get("valid", 0),
+        "risks_total": len(risks),
+        "risks_high": risks_high,
+        "snapshot_date": today,
+    }).fetchone()
+    db.commit()
+
+    return _row_to_dict(row)
+
+
+@router.get("/dashboard/score-history")
+async def get_score_history(
+    months: int = Query(12, ge=1, le=36),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Get compliance score history from snapshots."""
+    since = date.today() - timedelta(days=months * 30)
+
+    rows = db.execute(text("""
+        SELECT * FROM compliance_score_snapshots
+        WHERE tenant_id = :tenant_id AND snapshot_date >= :since
+        ORDER BY snapshot_date ASC
+    """), {"tenant_id": tenant_id, "since": since}).fetchall()
+
+    snapshots = []
+    for r in rows:
+        d = _row_to_dict(r)
+        # Convert Decimal to float for JSON
+        if isinstance(d.get("score"), Decimal):
+            d["score"] = float(d["score"])
+        snapshots.append(d)
+
+    return {
+        "snapshots": snapshots,
+        "total": len(snapshots),
+        "period_months": months,
+    }
+
+
 # ============================================================================
 # Reports
 # ============================================================================
diff --git a/backend-compliance/compliance/api/evidence_check_routes.py b/backend-compliance/compliance/api/evidence_check_routes.py
new file mode 100644
index 0000000..d38ae9b
--- /dev/null
+++ b/backend-compliance/compliance/api/evidence_check_routes.py
@@ -0,0 +1,1151 @@
+"""
+FastAPI routes for Evidence Checks — automated compliance verification.
+
+Endpoints:
+  GET    /evidence-checks                      — list checks (filter: check_type, is_active, frequency)
+  POST   /evidence-checks                      — create check definition
+  GET    /evidence-checks/{id}                 — single check with last 5 results
+  PUT    /evidence-checks/{id}                 — update check
+  DELETE /evidence-checks/{id}                 — delete check (204)
+  POST   /evidence-checks/{id}/run             — execute check now
+  GET    /evidence-checks/{id}/results         — result history
+  POST   /evidence-checks/run-due              — run all due checks
+  POST   /evidence-checks/seed                 — seed standard check definitions
+  GET    /evidence-checks/mappings             — list evidence-control mappings
+  POST   /evidence-checks/mappings             — create mapping
+  DELETE /evidence-checks/mappings/{id}        — delete mapping (204)
+  GET    /evidence-checks/mappings/by-control/{code} — evidence for a control
+  GET    /evidence-checks/mappings/report      — coverage report
+"""
+
+import json
+import logging
+import ssl
+import socket
+import time
+from datetime import datetime, timedelta
+from typing import Optional, List, Any, Dict
+
+from fastapi import APIRouter, Depends, HTTPException, Query
+from pydantic import BaseModel
+from sqlalchemy import text
+from sqlalchemy.orm import Session
+
+from classroom_engine.database import get_db
+from .tenant_utils import get_tenant_id as _get_tenant_id
+from .db_utils import row_to_dict as _row_to_dict
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/evidence-checks", tags=["evidence-checks"])
+
+# =============================================================================
+# Validation sets
+# =============================================================================
+
+VALID_CHECK_TYPES = {
+    "tls_scan", "header_check", "certificate_check",
+    "config_scan", "api_scan", "dns_check", "port_scan",
+}
+
+VALID_FREQUENCIES = {"daily", "weekly", "monthly", "quarterly", "manual"}
+
+FREQUENCY_DELTAS = {
+    "daily": timedelta(days=1),
+    "weekly": timedelta(weeks=1),
+    "monthly": timedelta(days=30),
+    "quarterly": timedelta(days=90),
+    "manual": None,
+}
+
+JSONB_FIELDS = {"target_config", "linked_control_ids"}
+
+
+# =============================================================================
+# Pydantic Schemas
+# =============================================================================
+
+class EvidenceCheckCreate(BaseModel):
+    check_code: str
+    title: str
+    description: Optional[str] = None
+    check_type: str
+    target_url: Optional[str] = None
+    target_config: Optional[dict] = {}
+    linked_control_ids: Optional[List] = []
+    frequency: str = "monthly"
+    is_active: bool = True
+
+
+class EvidenceCheckUpdate(BaseModel):
+    check_code: Optional[str] = None
+    title: Optional[str] = None
+    description: Optional[str] = None
+    check_type: Optional[str] = None
+    target_url: Optional[str] = None
+    target_config: Optional[dict] = None
+    linked_control_ids: Optional[List] = None
+    frequency: Optional[str] = None
+    is_active: Optional[bool] = None
+
+
+class EvidenceControlMapCreate(BaseModel):
+    evidence_id: str
+    control_code: str
+    mapping_type: str = "supports"
+    notes: Optional[str] = None
+
+
+# =============================================================================
+# Check execution helpers
+# =============================================================================
+
+async def _run_tls_scan(target_url: str, config: dict) -> dict:
+    """Check TLS version, cipher suite, certificate validity."""
+    try:
+        from urllib.parse import urlparse
+        parsed = urlparse(target_url)
+        hostname = parsed.hostname or target_url
+        port = parsed.port or 443
+
+        context = ssl.create_default_context()
+        start = time.time()
+        with socket.create_connection((hostname, port), timeout=10) as sock:
+            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+                cert = ssock.getpeercert()
+                cipher = ssock.cipher()
+                version = ssock.version()
+        duration = int((time.time() - start) * 1000)
+
+        # Check cert expiry
+        not_after = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
+        days_until_expiry = (not_after - datetime.utcnow()).days
+
+        findings = []
+        critical = 0
+        if version in ('TLSv1', 'TLSv1.1'):
+            findings.append({"severity": "critical", "finding": f"Veraltete TLS-Version: {version}"})
+            critical += 1
+        if days_until_expiry < 30:
+            findings.append({"severity": "warning", "finding": f"Zertifikat laeuft in {days_until_expiry} Tagen ab"})
+        if days_until_expiry < 0:
+            findings.append({"severity": "critical", "finding": "Zertifikat abgelaufen"})
+            critical += 1
+
+        status = "passed" if not findings else ("failed" if critical > 0 else "warning")
+        return {
+            "run_status": status,
+            "result_data": {
+                "tls_version": version,
+                "cipher": cipher[0] if cipher else None,
+                "cert_expiry": not_after.isoformat(),
+                "days_until_expiry": days_until_expiry,
+                "findings": findings,
+            },
+            "summary": f"TLS {version}, Zertifikat gueltig bis {not_after.strftime('%d.%m.%Y')}",
+            "findings_count": len(findings),
+            "critical_findings": critical,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_header_check(target_url: str, config: dict) -> dict:
+    """Check security headers on the target URL."""
+    try:
+        import httpx
+
+        required_headers = {
+            "strict-transport-security": "HSTS",
+            "x-frame-options": "X-Frame-Options",
+            "x-content-type-options": "X-Content-Type-Options",
+            "content-security-policy": "Content-Security-Policy",
+            "referrer-policy": "Referrer-Policy",
+            "permissions-policy": "Permissions-Policy",
+        }
+
+        start = time.time()
+        async with httpx.AsyncClient(verify=False, timeout=10) as client:
+            resp = await client.get(target_url)
+        duration = int((time.time() - start) * 1000)
+
+        findings = []
+        critical = 0
+        present = []
+        missing = []
+
+        for header_key, display_name in required_headers.items():
+            val = resp.headers.get(header_key)
+            if val:
+                present.append(display_name)
+            else:
+                missing.append(display_name)
+                severity = "critical" if header_key == "strict-transport-security" else "warning"
+                findings.append({"severity": severity, "finding": f"Fehlender Header: {display_name}"})
+                if severity == "critical":
+                    critical += 1
+
+        status = "passed" if not findings else ("failed" if critical > 0 else "warning")
+        return {
+            "run_status": status,
+            "result_data": {
+                "status_code": resp.status_code,
+                "present_headers": present,
+                "missing_headers": missing,
+                "findings": findings,
+            },
+            "summary": f"{len(present)}/{len(required_headers)} Security-Header vorhanden",
+            "findings_count": len(findings),
+            "critical_findings": critical,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_certificate_check(target_url: str, config: dict) -> dict:
+    """Check certificate chain, key length, SAN."""
+    try:
+        from urllib.parse import urlparse
+        parsed = urlparse(target_url)
+        hostname = parsed.hostname or target_url
+        port = parsed.port or 443
+
+        context = ssl.create_default_context()
+        start = time.time()
+        with socket.create_connection((hostname, port), timeout=10) as sock:
+            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+                cert = ssock.getpeercert()
+                der_cert = ssock.getpeercert(binary_form=True)
+        duration = int((time.time() - start) * 1000)
+
+        subject = dict(x[0] for x in cert.get("subject", ()))
+        issuer = dict(x[0] for x in cert.get("issuer", ()))
+        san_entries = [entry[1] for entry in cert.get("subjectAltName", ())]
+        not_after = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
+        not_before = datetime.strptime(cert['notBefore'], '%b %d %H:%M:%S %Y %Z')
+        days_until_expiry = (not_after - datetime.utcnow()).days
+
+        findings = []
+        critical = 0
+
+        if days_until_expiry < 0:
+            findings.append({"severity": "critical", "finding": "Zertifikat abgelaufen"})
+            critical += 1
+        elif days_until_expiry < 14:
+            findings.append({"severity": "critical", "finding": f"Zertifikat laeuft in {days_until_expiry} Tagen ab"})
+            critical += 1
+        elif days_until_expiry < 30:
+            findings.append({"severity": "warning", "finding": f"Zertifikat laeuft in {days_until_expiry} Tagen ab"})
+
+        if hostname not in san_entries and f"*.{'.'.join(hostname.split('.')[1:])}" not in san_entries:
+            findings.append({"severity": "warning", "finding": f"Hostname {hostname} nicht in SAN enthalten"})
+
+        # Key size from DER cert length as rough heuristic
+        key_bits = len(der_cert) * 8 // 10  # rough estimate
+        if key_bits < 2048:
+            findings.append({"severity": "warning", "finding": f"Schluessellaenge moeglicherweise zu kurz"})
+
+        status = "passed" if not findings else ("failed" if critical > 0 else "warning")
+        return {
+            "run_status": status,
+            "result_data": {
+                "subject": subject,
+                "issuer": issuer,
+                "san": san_entries,
+                "not_before": not_before.isoformat(),
+                "not_after": not_after.isoformat(),
+                "days_until_expiry": days_until_expiry,
+                "serial_number": cert.get("serialNumber"),
+                "findings": findings,
+            },
+            "summary": f"Zertifikat von {issuer.get('organizationName', 'Unknown')}, gueltig bis {not_after.strftime('%d.%m.%Y')}",
+            "findings_count": len(findings),
+            "critical_findings": critical,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_dns_check(target_url: str, config: dict) -> dict:
+    """Basic DNS resolution check."""
+    try:
+        from urllib.parse import urlparse
+        parsed = urlparse(target_url)
+        hostname = parsed.hostname or target_url
+
+        start = time.time()
+        results = socket.getaddrinfo(hostname, None)
+        duration = int((time.time() - start) * 1000)
+
+        addresses = list(set(r[4][0] for r in results))
+        families = list(set(r[0].name for r in results))
+
+        findings = []
+        if not any("AF_INET6" in f for f in families):
+            findings.append({"severity": "info", "finding": "Kein IPv6 (AAAA) Record gefunden"})
+
+        return {
+            "run_status": "passed" if addresses else "failed",
+            "result_data": {
+                "hostname": hostname,
+                "addresses": addresses,
+                "address_families": families,
+                "record_count": len(addresses),
+                "findings": findings,
+            },
+            "summary": f"DNS aufgeloest: {len(addresses)} Adresse(n) fuer {hostname}",
+            "findings_count": len(findings),
+            "critical_findings": 0,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"DNS-Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_api_scan(target_url: str, config: dict) -> dict:
+    """Check that health endpoints respond with 200."""
+    try:
+        import httpx
+
+        start = time.time()
+        async with httpx.AsyncClient(verify=False, timeout=10) as client:
+            resp = await client.get(target_url)
+        duration = int((time.time() - start) * 1000)
+
+        findings = []
+        critical = 0
+        if resp.status_code != 200:
+            findings.append({"severity": "critical", "finding": f"HTTP {resp.status_code} statt 200"})
+            critical += 1
+
+        try:
+            body = resp.json()
+        except Exception:
+            body = resp.text[:500]
+
+        return {
+            "run_status": "passed" if resp.status_code == 200 else "failed",
+            "result_data": {
+                "status_code": resp.status_code,
+                "response_body": body,
+                "response_time_ms": duration,
+                "findings": findings,
+            },
+            "summary": f"HTTP {resp.status_code}, Antwortzeit {duration}ms",
+            "findings_count": len(findings),
+            "critical_findings": critical,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_config_scan(target_url: str, config: dict) -> dict:
+    """Check a config endpoint returns expected keys."""
+    try:
+        import httpx
+
+        expected_keys = config.get("expected_keys", [])
+
+        start = time.time()
+        async with httpx.AsyncClient(verify=False, timeout=10) as client:
+            resp = await client.get(target_url)
+        duration = int((time.time() - start) * 1000)
+
+        findings = []
+        critical = 0
+
+        if resp.status_code != 200:
+            findings.append({"severity": "critical", "finding": f"Endpunkt nicht erreichbar: HTTP {resp.status_code}"})
+            critical += 1
+            return {
+                "run_status": "failed",
+                "result_data": {"status_code": resp.status_code, "findings": findings},
+                "summary": f"Endpunkt nicht erreichbar: HTTP {resp.status_code}",
+                "findings_count": len(findings),
+                "critical_findings": critical,
+                "duration_ms": duration,
+            }
+
+        try:
+            body = resp.json()
+        except Exception:
+            findings.append({"severity": "critical", "finding": "Antwort ist kein gueltiges JSON"})
+            return {
+                "run_status": "failed",
+                "result_data": {"findings": findings},
+                "summary": "Ungueltige JSON-Antwort",
+                "findings_count": 1,
+                "critical_findings": 1,
+                "duration_ms": duration,
+            }
+
+        present_keys = []
+        missing_keys = []
+        if expected_keys and isinstance(body, dict):
+            for key in expected_keys:
+                if key in body:
+                    present_keys.append(key)
+                else:
+                    missing_keys.append(key)
+                    findings.append({"severity": "warning", "finding": f"Fehlender Config-Key: {key}"})
+
+        status = "passed" if not findings else ("failed" if critical > 0 else "warning")
+        return {
+            "run_status": status,
+            "result_data": {
+                "status_code": resp.status_code,
+                "present_keys": present_keys,
+                "missing_keys": missing_keys,
+                "findings": findings,
+            },
+            "summary": f"{len(present_keys)}/{len(expected_keys)} erwartete Keys vorhanden" if expected_keys else "Config erreichbar",
+            "findings_count": len(findings),
+            "critical_findings": critical,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+async def _run_port_scan(target_url: str, config: dict) -> dict:
+    """Check common ports — only open/closed status."""
+    try:
+        from urllib.parse import urlparse
+        parsed = urlparse(target_url)
+        hostname = parsed.hostname or target_url
+
+        common_ports = config.get("ports", [80, 443, 22, 3306, 5432, 6379, 8080])
+        start = time.time()
+
+        port_results = []
+        open_ports = []
+        closed_ports = []
+
+        for port in common_ports:
+            try:
+                with socket.create_connection((hostname, port), timeout=3) as sock:
+                    port_results.append({"port": port, "status": "open"})
+                    open_ports.append(port)
+            except (socket.timeout, ConnectionRefusedError, OSError):
+                port_results.append({"port": port, "status": "closed"})
+                closed_ports.append(port)
+
+        duration = int((time.time() - start) * 1000)
+
+        findings = []
+        # Flag unexpected open ports
+        expected_open = config.get("expected_open", [80, 443])
+        unexpected = [p for p in open_ports if p not in expected_open]
+        for p in unexpected:
+            findings.append({"severity": "warning", "finding": f"Unerwarteter offener Port: {p}"})
+
+        status = "passed" if not findings else "warning"
+        return {
+            "run_status": status,
+            "result_data": {
+                "hostname": hostname,
+                "ports": port_results,
+                "open_ports": open_ports,
+                "closed_ports": closed_ports,
+                "findings": findings,
+            },
+            "summary": f"{len(open_ports)} offene, {len(closed_ports)} geschlossene Ports",
+            "findings_count": len(findings),
+            "critical_findings": 0,
+            "duration_ms": duration,
+        }
+    except Exception as e:
+        return {
+            "run_status": "error",
+            "result_data": {"error": str(e)},
+            "summary": f"Fehler: {str(e)}",
+            "findings_count": 1,
+            "critical_findings": 1,
+            "duration_ms": 0,
+        }
+
+
+# Dispatcher
+CHECK_RUNNERS = {
+    "tls_scan": _run_tls_scan,
+    "header_check": _run_header_check,
+    "certificate_check": _run_certificate_check,
+    "dns_check": _run_dns_check,
+    "api_scan": _run_api_scan,
+    "config_scan": _run_config_scan,
+    "port_scan": _run_port_scan,
+}
+
+
+# =============================================================================
+# Routes — Check Definitions
+# =============================================================================
+
+@router.get("")
+async def list_checks(
+    check_type: Optional[str] = Query(None),
+    is_active: Optional[bool] = Query(None),
+    frequency: Optional[str] = Query(None),
+    limit: int = Query(100, ge=1, le=500),
+    offset: int = Query(0, ge=0),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """List evidence checks with optional filters."""
+    where_clauses = ["tenant_id = :tenant_id"]
+    params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
+
+    if check_type:
+        where_clauses.append("check_type = :check_type")
+        params["check_type"] = check_type
+    if is_active is not None:
+        where_clauses.append("is_active = :is_active")
+        params["is_active"] = is_active
+    if frequency:
+        where_clauses.append("frequency = :frequency")
+        params["frequency"] = frequency
+
+    where_sql = " AND ".join(where_clauses)
+
+    total_row = db.execute(
+        text(f"SELECT COUNT(*) FROM compliance_evidence_checks WHERE {where_sql}"),
+        params,
+    ).fetchone()
+    total = total_row[0] if total_row else 0
+
+    rows = db.execute(
+        text(f"""
+            SELECT * FROM compliance_evidence_checks
+            WHERE {where_sql}
+            ORDER BY created_at DESC
+            LIMIT :limit OFFSET :offset
+        """),
+        params,
+    ).fetchall()
+
+    return {"checks": [_row_to_dict(r) for r in rows], "total": total}
+
+
+@router.post("", status_code=201)
+async def create_check(
+    body: EvidenceCheckCreate,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Create a new evidence check definition."""
+    if body.check_type not in VALID_CHECK_TYPES:
+        raise HTTPException(400, f"Ungueltiger check_type: {body.check_type}. Erlaubt: {sorted(VALID_CHECK_TYPES)}")
+    if body.frequency not in VALID_FREQUENCIES:
+        raise HTTPException(400, f"Ungueltige frequency: {body.frequency}. Erlaubt: {sorted(VALID_FREQUENCIES)}")
+
+    row = db.execute(
+        text("""
+            INSERT INTO compliance_evidence_checks
+                (tenant_id, check_code, title, description, check_type,
+                 target_url, target_config, linked_control_ids, frequency, is_active)
+            VALUES
+                (:tenant_id, :check_code, :title, :description, :check_type,
+                 :target_url, CAST(:target_config AS jsonb), CAST(:linked_control_ids AS jsonb),
+                 :frequency, :is_active)
+            RETURNING *
+        """),
+        {
+            "tenant_id": tenant_id,
+            "check_code": body.check_code,
+            "title": body.title,
+            "description": body.description,
+            "check_type": body.check_type,
+            "target_url": body.target_url,
+            "target_config": json.dumps(body.target_config or {}),
+            "linked_control_ids": json.dumps(body.linked_control_ids or []),
+            "frequency": body.frequency,
+            "is_active": body.is_active,
+        },
+    ).fetchone()
+    db.commit()
+    return _row_to_dict(row)
+
+
+@router.get("/mappings")
+async def list_mappings(
+    control_code: Optional[str] = Query(None),
+    evidence_id: Optional[str] = Query(None),
+    limit: int = Query(100, ge=1, le=500),
+    offset: int = Query(0, ge=0),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """List evidence-control mappings."""
+    where_clauses = ["tenant_id = :tenant_id"]
+    params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
+
+    if control_code:
+        where_clauses.append("control_code = :control_code")
+        params["control_code"] = control_code
+    if evidence_id:
+        where_clauses.append("evidence_id = CAST(:evidence_id AS uuid)")
+        params["evidence_id"] = evidence_id
+
+    where_sql = " AND ".join(where_clauses)
+
+    rows = db.execute(
+        text(f"""
+            SELECT * FROM compliance_evidence_control_map
+            WHERE {where_sql}
+            ORDER BY created_at DESC
+            LIMIT :limit OFFSET :offset
+        """),
+        params,
+    ).fetchall()
+
+    return {"mappings": [_row_to_dict(r) for r in rows]}
+
+
+@router.post("/mappings", status_code=201)
+async def create_mapping(
+    body: EvidenceControlMapCreate,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Create an evidence-control mapping."""
+    valid_mapping_types = {"supports", "partially_supports", "required"}
+    if body.mapping_type not in valid_mapping_types:
+        raise HTTPException(400, f"Ungueltiger mapping_type: {body.mapping_type}")
+
+    row = db.execute(
+        text("""
+            INSERT INTO compliance_evidence_control_map
+                (tenant_id, evidence_id, control_code, mapping_type, notes)
+            VALUES
+                (:tenant_id, CAST(:evidence_id AS uuid), :control_code, :mapping_type, :notes)
+            ON CONFLICT (tenant_id, evidence_id, control_code) DO NOTHING
+            RETURNING *
+        """),
+        {
+            "tenant_id": tenant_id,
+            "evidence_id": body.evidence_id,
+            "control_code": body.control_code,
+            "mapping_type": body.mapping_type,
+            "notes": body.notes,
+        },
+    ).fetchone()
+    db.commit()
+
+    if not row:
+        raise HTTPException(409, "Mapping existiert bereits")
+    return _row_to_dict(row)
+
+
+@router.delete("/mappings/{mapping_id}", status_code=204)
+async def delete_mapping(
+    mapping_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Delete an evidence-control mapping."""
+    result = db.execute(
+        text("""
+            DELETE FROM compliance_evidence_control_map
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+        """),
+        {"id": mapping_id, "tenant_id": tenant_id},
+    )
+    db.commit()
+    if result.rowcount == 0:
+        raise HTTPException(404, "Mapping nicht gefunden")
+    return None
+
+
+@router.get("/mappings/by-control/{code}")
+async def mappings_by_control(
+    code: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Get all evidence mapped to a specific control."""
+    rows = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_control_map
+            WHERE tenant_id = :tenant_id AND control_code = :code
+            ORDER BY created_at DESC
+        """),
+        {"tenant_id": tenant_id, "code": code},
+    ).fetchall()
+
+    return {"control_code": code, "mappings": [_row_to_dict(r) for r in rows]}
+
+
+@router.get("/mappings/report")
+async def mappings_report(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Coverage report: controls with/without evidence."""
+    # Get all distinct control codes from canonical controls
+    all_controls = db.execute(
+        text("""
+            SELECT DISTINCT control_code FROM compliance_canonical_controls
+            WHERE tenant_id = :tenant_id
+        """),
+        {"tenant_id": tenant_id},
+    ).fetchall()
+    total_controls = len(all_controls)
+    all_codes = {r[0] for r in all_controls}
+
+    # Get controls that have evidence
+    covered = db.execute(
+        text("""
+            SELECT DISTINCT control_code FROM compliance_evidence_control_map
+            WHERE tenant_id = :tenant_id
+        """),
+        {"tenant_id": tenant_id},
+    ).fetchall()
+    covered_codes = {r[0] for r in covered}
+
+    controls_with_evidence = len(covered_codes & all_codes)
+    controls_without = total_controls - controls_with_evidence
+    coverage_pct = round((controls_with_evidence / total_controls * 100), 1) if total_controls > 0 else 0.0
+
+    return {
+        "total_controls": total_controls,
+        "controls_with_evidence": controls_with_evidence,
+        "controls_without_evidence": controls_without,
+        "coverage_percentage": coverage_pct,
+        "uncovered_controls": sorted(all_codes - covered_codes),
+    }
+
+
+@router.post("/seed")
+async def seed_checks(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Seed standard check definitions."""
+    seeds = [
+        ("TLS-SCAN-001", "TLS-Scan Hauptwebseite", "tls_scan", "monthly",
+         "Prueft TLS-Version, Cipher-Suite und Zertifikatsgueltigkeit der Hauptwebseite"),
+        ("TLS-SCAN-002", "TLS-Scan API-Server", "tls_scan", "monthly",
+         "Prueft TLS-Version, Cipher-Suite und Zertifikatsgueltigkeit des API-Servers"),
+        ("HEADER-001", "Security-Header-Check Webseite", "header_check", "monthly",
+         "Prueft Sicherheitsheader (HSTS, CSP, X-Frame-Options) der Hauptwebseite"),
+        ("HEADER-002", "Security-Header-Check API", "header_check", "monthly",
+         "Prueft Sicherheitsheader des API-Servers"),
+        ("CERT-001", "Zertifikat-Check Hauptdomain", "certificate_check", "weekly",
+         "Prueft Zertifikatskette, Schluessellaenge und SAN der Hauptdomain"),
+        ("CERT-002", "Zertifikat-Check API-Domain", "certificate_check", "weekly",
+         "Prueft Zertifikatskette, Schluessellaenge und SAN der API-Domain"),
+        ("DNS-001", "DNS-Check Hauptdomain", "dns_check", "monthly",
+         "DNS-Aufloesung und Record-Pruefung der Hauptdomain"),
+        ("API-HEALTH-001", "API Health-Check Backend", "api_scan", "daily",
+         "Prueft ob der Backend-Health-Endpoint HTTP 200 liefert"),
+        ("API-HEALTH-002", "API Health-Check SDK", "api_scan", "daily",
+         "Prueft ob der SDK-Health-Endpoint HTTP 200 liefert"),
+        ("API-HEALTH-003", "API Health-Check Frontend", "api_scan", "daily",
+         "Prueft ob der Frontend-Health-Endpoint HTTP 200 liefert"),
+        ("PORT-SCAN-001", "Port-Scan Webserver", "port_scan", "quarterly",
+         "Prueft offene/geschlossene Ports des Webservers"),
+        ("PORT-SCAN-002", "Port-Scan Datenbankserver", "port_scan", "quarterly",
+         "Prueft offene/geschlossene Ports des Datenbankservers"),
+        ("CONFIG-001", "Konfiguration-Check Backend", "config_scan", "monthly",
+         "Prueft ob Backend-Konfiguration erwartete Keys enthaelt"),
+        ("CONFIG-002", "Konfiguration-Check SDK", "config_scan", "monthly",
+         "Prueft ob SDK-Konfiguration erwartete Keys enthaelt"),
+        ("HEADER-003", "CORS-Header-Check API", "header_check", "quarterly",
+         "Prueft CORS-Header-Konfiguration des API-Servers"),
+    ]
+
+    created = 0
+    for code, title, ctype, freq, desc in seeds:
+        result = db.execute(
+            text("""
+                INSERT INTO compliance_evidence_checks
+                    (tenant_id, check_code, title, description, check_type, frequency)
+                VALUES
+                    (:tenant_id, :code, :title, :desc, :ctype, :freq)
+                ON CONFLICT (tenant_id, project_id, check_code) DO NOTHING
+            """),
+            {
+                "tenant_id": tenant_id,
+                "code": code,
+                "title": title,
+                "desc": desc,
+                "ctype": ctype,
+                "freq": freq,
+            },
+        )
+        created += result.rowcount
+
+    db.commit()
+    return {"seeded": created, "total_definitions": len(seeds)}
+
+
+@router.post("/run-due")
+async def run_due_checks(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Run all checks where next_run_at <= NOW() and is_active=true."""
+    rows = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_checks
+            WHERE tenant_id = :tenant_id
+              AND is_active = true
+              AND (next_run_at IS NULL OR next_run_at <= NOW())
+            ORDER BY created_at
+        """),
+        {"tenant_id": tenant_id},
+    ).fetchall()
+
+    results_summary = {"total": len(rows), "passed": 0, "failed": 0, "warning": 0, "error": 0}
+
+    for row in rows:
+        check = _row_to_dict(row)
+        check_id = check["id"]
+        check_type = check["check_type"]
+        target_url = check.get("target_url") or ""
+        target_config = check.get("target_config") or {}
+
+        runner = CHECK_RUNNERS.get(check_type)
+        if not runner:
+            continue
+
+        # Insert running result
+        result_row = db.execute(
+            text("""
+                INSERT INTO compliance_evidence_check_results
+                    (check_id, tenant_id, run_status)
+                VALUES
+                    (CAST(:check_id AS uuid), :tenant_id, 'running')
+                RETURNING id
+            """),
+            {"check_id": check_id, "tenant_id": tenant_id},
+        ).fetchone()
+        db.commit()
+        result_id = result_row[0] if result_row else None
+
+        # Run
+        run_result = await runner(target_url, target_config)
+
+        # Update result
+        if result_id:
+            db.execute(
+                text("""
+                    UPDATE compliance_evidence_check_results
+                    SET run_status = :run_status,
+                        result_data = CAST(:result_data AS jsonb),
+                        summary = :summary,
+                        findings_count = :findings_count,
+                        critical_findings = :critical_findings,
+                        duration_ms = :duration_ms
+                    WHERE id = CAST(:id AS uuid)
+                """),
+                {
+                    "id": str(result_id),
+                    "run_status": run_result["run_status"],
+                    "result_data": json.dumps(run_result["result_data"]),
+                    "summary": run_result["summary"],
+                    "findings_count": run_result["findings_count"],
+                    "critical_findings": run_result["critical_findings"],
+                    "duration_ms": run_result["duration_ms"],
+                },
+            )
+
+        # Update check timestamps
+        delta = FREQUENCY_DELTAS.get(check.get("frequency", "monthly"))
+        next_run = (datetime.utcnow() + delta).isoformat() if delta else None
+        db.execute(
+            text("""
+                UPDATE compliance_evidence_checks
+                SET last_run_at = NOW(),
+                    next_run_at = CAST(:next_run AS timestamptz),
+                    updated_at = NOW()
+                WHERE id = CAST(:id AS uuid)
+            """),
+            {"id": check_id, "next_run": next_run},
+        )
+        db.commit()
+
+        results_summary[run_result["run_status"]] = results_summary.get(run_result["run_status"], 0) + 1
+
+    return results_summary
+
+
+@router.get("/{check_id}")
+async def get_check(
+    check_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Get single check with last 5 results."""
+    row = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_checks
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+        """),
+        {"id": check_id, "tenant_id": tenant_id},
+    ).fetchone()
+
+    if not row:
+        raise HTTPException(404, "Check nicht gefunden")
+
+    check = _row_to_dict(row)
+
+    # Last 5 results
+    result_rows = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_check_results
+            WHERE check_id = CAST(:check_id AS uuid)
+            ORDER BY run_at DESC
+            LIMIT 5
+        """),
+        {"check_id": check_id},
+    ).fetchall()
+
+    check["recent_results"] = [_row_to_dict(r) for r in result_rows]
+    return check
+
+
+@router.put("/{check_id}")
+async def update_check(
+    check_id: str,
+    body: EvidenceCheckUpdate,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Update a check definition."""
+    # Validate if provided
+    if body.check_type and body.check_type not in VALID_CHECK_TYPES:
+        raise HTTPException(400, f"Ungueltiger check_type: {body.check_type}")
+    if body.frequency and body.frequency not in VALID_FREQUENCIES:
+        raise HTTPException(400, f"Ungueltige frequency: {body.frequency}")
+
+    # Build dynamic SET
+    updates = body.model_dump(exclude_unset=True)
+    if not updates:
+        raise HTTPException(400, "Keine Felder zum Aktualisieren")
+
+    set_parts = []
+    params: Dict[str, Any] = {"id": check_id, "tenant_id": tenant_id}
+
+    for key, val in updates.items():
+        if key in JSONB_FIELDS:
+            set_parts.append(f"{key} = CAST(:{key} AS jsonb)")
+            params[key] = json.dumps(val)
+        else:
+            set_parts.append(f"{key} = :{key}")
+            params[key] = val
+
+    set_parts.append("updated_at = NOW()")
+    set_sql = ", ".join(set_parts)
+
+    row = db.execute(
+        text(f"""
+            UPDATE compliance_evidence_checks
+            SET {set_sql}
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+            RETURNING *
+        """),
+        params,
+    ).fetchone()
+    db.commit()
+
+    if not row:
+        raise HTTPException(404, "Check nicht gefunden")
+    return _row_to_dict(row)
+
+
+@router.delete("/{check_id}", status_code=204)
+async def delete_check(
+    check_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Delete a check definition (cascades to results)."""
+    result = db.execute(
+        text("""
+            DELETE FROM compliance_evidence_checks
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+        """),
+        {"id": check_id, "tenant_id": tenant_id},
+    )
+    db.commit()
+    if result.rowcount == 0:
+        raise HTTPException(404, "Check nicht gefunden")
+    return None
+
+
+@router.post("/{check_id}/run")
+async def run_check(
+    check_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Execute a specific check now."""
+    # Load check
+    row = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_checks
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+        """),
+        {"id": check_id, "tenant_id": tenant_id},
+    ).fetchone()
+
+    if not row:
+        raise HTTPException(404, "Check nicht gefunden")
+
+    check = _row_to_dict(row)
+    check_type = check["check_type"]
+    target_url = check.get("target_url") or ""
+    target_config = check.get("target_config") or {}
+
+    runner = CHECK_RUNNERS.get(check_type)
+    if not runner:
+        raise HTTPException(400, f"Kein Runner fuer check_type: {check_type}")
+
+    # Insert running result
+    result_row = db.execute(
+        text("""
+            INSERT INTO compliance_evidence_check_results
+                (check_id, tenant_id, run_status)
+            VALUES
+                (CAST(:check_id AS uuid), :tenant_id, 'running')
+            RETURNING *
+        """),
+        {"check_id": check_id, "tenant_id": tenant_id},
+    ).fetchone()
+    db.commit()
+    result_id = str(result_row._mapping["id"]) if result_row else None
+
+    # Execute
+    run_result = await runner(target_url, target_config)
+
+    # Update result
+    if result_id:
+        updated_row = db.execute(
+            text("""
+                UPDATE compliance_evidence_check_results
+                SET run_status = :run_status,
+                    result_data = CAST(:result_data AS jsonb),
+                    summary = :summary,
+                    findings_count = :findings_count,
+                    critical_findings = :critical_findings,
+                    duration_ms = :duration_ms
+                WHERE id = CAST(:id AS uuid)
+                RETURNING *
+            """),
+            {
+                "id": result_id,
+                "run_status": run_result["run_status"],
+                "result_data": json.dumps(run_result["result_data"]),
+                "summary": run_result["summary"],
+                "findings_count": run_result["findings_count"],
+                "critical_findings": run_result["critical_findings"],
+                "duration_ms": run_result["duration_ms"],
+            },
+        ).fetchone()
+        db.commit()
+
+    # Update check timestamps
+    delta = FREQUENCY_DELTAS.get(check.get("frequency", "monthly"))
+    next_run = (datetime.utcnow() + delta).isoformat() if delta else None
+    db.execute(
+        text("""
+            UPDATE compliance_evidence_checks
+            SET last_run_at = NOW(),
+                next_run_at = CAST(:next_run AS timestamptz),
+                updated_at = NOW()
+            WHERE id = CAST(:id AS uuid)
+        """),
+        {"id": check_id, "next_run": next_run},
+    )
+    db.commit()
+
+    return _row_to_dict(updated_row) if updated_row else run_result
+
+
+@router.get("/{check_id}/results")
+async def list_results(
+    check_id: str,
+    limit: int = Query(50, ge=1, le=200),
+    offset: int = Query(0, ge=0),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Result history for a specific check."""
+    # Verify check exists
+    exists = db.execute(
+        text("""
+            SELECT 1 FROM compliance_evidence_checks
+            WHERE id = CAST(:id AS uuid) AND tenant_id = :tenant_id
+        """),
+        {"id": check_id, "tenant_id": tenant_id},
+    ).fetchone()
+
+    if not exists:
+        raise HTTPException(404, "Check nicht gefunden")
+
+    total_row = db.execute(
+        text("""
+            SELECT COUNT(*) FROM compliance_evidence_check_results
+            WHERE check_id = CAST(:check_id AS uuid)
+        """),
+        {"check_id": check_id},
+    ).fetchone()
+    total = total_row[0] if total_row else 0
+
+    rows = db.execute(
+        text("""
+            SELECT * FROM compliance_evidence_check_results
+            WHERE check_id = CAST(:check_id AS uuid)
+            ORDER BY run_at DESC
+            LIMIT :limit OFFSET :offset
+        """),
+        {"check_id": check_id, "limit": limit, "offset": offset},
+    ).fetchall()
+
+    return {"results": [_row_to_dict(r) for r in rows], "total": total}
diff --git a/backend-compliance/compliance/api/legal_template_routes.py b/backend-compliance/compliance/api/legal_template_routes.py
index 9fb14b2..c0ad8a9 100644
--- a/backend-compliance/compliance/api/legal_template_routes.py
+++ b/backend-compliance/compliance/api/legal_template_routes.py
@@ -50,6 +50,14 @@ VALID_DOCUMENT_TYPES = {
     "cookie_banner",
     "agb",
     "clause",
+    # Security document templates (Migration 051)
+    "it_security_concept",
+    "data_protection_concept",
+    "backup_recovery_concept",
+    "logging_concept",
+    "incident_response_plan",
+    "access_control_concept",
+    "risk_management_concept",
 }
 VALID_STATUSES = {"published", "draft", "archived"}
 
diff --git a/backend-compliance/compliance/api/process_task_routes.py b/backend-compliance/compliance/api/process_task_routes.py
new file mode 100644
index 0000000..6c63833
--- /dev/null
+++ b/backend-compliance/compliance/api/process_task_routes.py
@@ -0,0 +1,1072 @@
+"""
+FastAPI routes for Compliance Process Manager — recurring compliance tasks.
+
+Endpoints:
+  GET    /process-tasks              — list with filters (status, category, frequency, overdue, etc.)
+  GET    /process-tasks/stats        — counts by status, category, due windows
+  GET    /process-tasks/upcoming     — tasks due in next N days
+  POST   /process-tasks              — create task
+  GET    /process-tasks/{id}         — single task
+  PUT    /process-tasks/{id}         — update task
+  DELETE /process-tasks/{id}         — delete task
+  POST   /process-tasks/{id}/complete — complete a task (with history + next_due recalc)
+  POST   /process-tasks/{id}/skip    — skip a task (with reason + next_due recalc)
+  GET    /process-tasks/{id}/history  — task history entries
+  POST   /process-tasks/seed         — seed ~50 standard tasks (idempotent)
+"""
+
+import json
+import logging
+from datetime import datetime
+from typing import Optional, List, Any, Dict
+
+from fastapi import APIRouter, Depends, HTTPException, Query, Header
+from pydantic import BaseModel
+from sqlalchemy import text
+from sqlalchemy.orm import Session
+
+from classroom_engine.database import get_db
+from .tenant_utils import get_tenant_id as _get_tenant_id
+from .db_utils import row_to_dict as _row_to_dict
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/process-tasks", tags=["process-tasks"])
+
+# =============================================================================
+# Constants
+# =============================================================================
+
+VALID_CATEGORIES = {"dsgvo", "nis2", "bsi", "iso27001", "ai_act", "internal"}
+VALID_PRIORITIES = {"critical", "high", "medium", "low"}
+VALID_FREQUENCIES = {"weekly", "monthly", "quarterly", "semi_annual", "yearly", "once"}
+VALID_STATUSES = {"pending", "in_progress", "completed", "overdue", "skipped"}
+
+FREQUENCY_DAYS = {
+    "weekly": 7,
+    "monthly": 30,
+    "quarterly": 90,
+    "semi_annual": 182,
+    "yearly": 365,
+    "once": None,
+}
+
+# =============================================================================
+# Pydantic Schemas
+# =============================================================================
+
+
+class ProcessTaskCreate(BaseModel):
+    task_code: str
+    title: str
+    description: Optional[str] = None
+    category: str
+    priority: str = "medium"
+    frequency: str = "yearly"
+    assigned_to: Optional[str] = None
+    responsible_team: Optional[str] = None
+    linked_control_ids: Optional[List] = []
+    linked_module: Optional[str] = None
+    next_due_date: Optional[str] = None
+    due_reminder_days: int = 14
+    notes: Optional[str] = None
+    tags: Optional[List] = []
+
+
+class ProcessTaskUpdate(BaseModel):
+    title: Optional[str] = None
+    description: Optional[str] = None
+    category: Optional[str] = None
+    priority: Optional[str] = None
+    frequency: Optional[str] = None
+    assigned_to: Optional[str] = None
+    responsible_team: Optional[str] = None
+    linked_control_ids: Optional[List] = None
+    linked_module: Optional[str] = None
+    next_due_date: Optional[str] = None
+    due_reminder_days: Optional[int] = None
+    status: Optional[str] = None
+    notes: Optional[str] = None
+    tags: Optional[List] = None
+
+
+class ProcessTaskComplete(BaseModel):
+    completed_by: Optional[str] = None
+    result: Optional[str] = None
+    evidence_id: Optional[str] = None
+    notes: Optional[str] = None
+
+
+class ProcessTaskSkip(BaseModel):
+    reason: str
+
+
+# =============================================================================
+# Routes
+# =============================================================================
+
+
+@router.get("")
+async def list_tasks(
+    status: Optional[str] = Query(None),
+    category: Optional[str] = Query(None),
+    frequency: Optional[str] = Query(None),
+    assigned_to: Optional[str] = Query(None),
+    overdue: Optional[bool] = Query(None),
+    limit: int = Query(100, ge=1, le=500),
+    offset: int = Query(0, ge=0),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """List process tasks with optional filters."""
+
+    where_clauses = ["tenant_id = :tenant_id"]
+    params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
+
+    if status:
+        where_clauses.append("status = :status")
+        params["status"] = status
+    if category:
+        where_clauses.append("category = :category")
+        params["category"] = category
+    if frequency:
+        where_clauses.append("frequency = :frequency")
+        params["frequency"] = frequency
+    if assigned_to:
+        where_clauses.append("assigned_to ILIKE :assigned_to")
+        params["assigned_to"] = f"%{assigned_to}%"
+    if overdue:
+        where_clauses.append("next_due_date < CURRENT_DATE AND status NOT IN ('completed','skipped')")
+
+    where_sql = " AND ".join(where_clauses)
+
+    total_row = db.execute(
+        text(f"SELECT COUNT(*) FROM compliance_process_tasks WHERE {where_sql}"),
+        params,
+    ).fetchone()
+    total = total_row[0] if total_row else 0
+
+    rows = db.execute(
+        text(f"""
+            SELECT * FROM compliance_process_tasks
+            WHERE {where_sql}
+            ORDER BY
+                CASE priority
+                    WHEN 'critical' THEN 0
+                    WHEN 'high' THEN 1
+                    WHEN 'medium' THEN 2
+                    ELSE 3
+                END,
+                next_due_date ASC NULLS LAST,
+                created_at DESC
+            LIMIT :limit OFFSET :offset
+        """),
+        params,
+    ).fetchall()
+
+    return {
+        "tasks": [_row_to_dict(r) for r in rows],
+        "total": total,
+    }
+
+
+@router.get("/stats")
+async def get_stats(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Return task counts by status, category, and due windows."""
+
+    row = db.execute(text("""
+        SELECT
+            COUNT(*)                                                         AS total,
+            COUNT(*) FILTER (WHERE status = 'pending')                       AS pending,
+            COUNT(*) FILTER (WHERE status = 'in_progress')                   AS in_progress,
+            COUNT(*) FILTER (WHERE status = 'completed')                     AS completed,
+            COUNT(*) FILTER (WHERE status = 'overdue')                       AS overdue,
+            COUNT(*) FILTER (WHERE status = 'skipped')                       AS skipped,
+            COUNT(*) FILTER (WHERE next_due_date < CURRENT_DATE
+                             AND status NOT IN ('completed','skipped'))       AS overdue_count,
+            COUNT(*) FILTER (WHERE next_due_date <= CURRENT_DATE + 7
+                             AND next_due_date >= CURRENT_DATE
+                             AND status NOT IN ('completed','skipped'))       AS due_7_days,
+            COUNT(*) FILTER (WHERE next_due_date <= CURRENT_DATE + 14
+                             AND next_due_date >= CURRENT_DATE
+                             AND status NOT IN ('completed','skipped'))       AS due_14_days,
+            COUNT(*) FILTER (WHERE next_due_date <= CURRENT_DATE + 30
+                             AND next_due_date >= CURRENT_DATE
+                             AND status NOT IN ('completed','skipped'))       AS due_30_days
+        FROM compliance_process_tasks
+        WHERE tenant_id = :tenant_id
+    """), {"tenant_id": tenant_id}).fetchone()
+
+    by_status = {}
+    by_category = {}
+    if row:
+        d = dict(row._mapping)
+        by_status = {
+            "pending": d.get("pending", 0) or 0,
+            "in_progress": d.get("in_progress", 0) or 0,
+            "completed": d.get("completed", 0) or 0,
+            "overdue": d.get("overdue", 0) or 0,
+            "skipped": d.get("skipped", 0) or 0,
+        }
+    else:
+        d = {}
+
+    # Category counts
+    cat_rows = db.execute(text("""
+        SELECT category, COUNT(*) AS cnt
+        FROM compliance_process_tasks
+        WHERE tenant_id = :tenant_id
+        GROUP BY category
+    """), {"tenant_id": tenant_id}).fetchall()
+    by_category = {r._mapping["category"]: r._mapping["cnt"] for r in cat_rows}
+
+    return {
+        "total": (d.get("total", 0) or 0),
+        "by_status": by_status,
+        "by_category": by_category,
+        "overdue_count": (d.get("overdue_count", 0) or 0),
+        "due_7_days": (d.get("due_7_days", 0) or 0),
+        "due_14_days": (d.get("due_14_days", 0) or 0),
+        "due_30_days": (d.get("due_30_days", 0) or 0),
+    }
+
+
+@router.get("/upcoming")
+async def get_upcoming(
+    days: int = Query(30, ge=1, le=365),
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Tasks due in next N days."""
+
+    rows = db.execute(text("""
+        SELECT * FROM compliance_process_tasks
+        WHERE tenant_id = :tenant_id
+          AND next_due_date IS NOT NULL
+          AND next_due_date <= CURRENT_DATE + :days
+          AND next_due_date >= CURRENT_DATE
+          AND status NOT IN ('completed','skipped')
+        ORDER BY next_due_date ASC
+    """), {"tenant_id": tenant_id, "days": days}).fetchall()
+
+    return {"tasks": [_row_to_dict(r) for r in rows]}
+
+
+@router.post("", status_code=201)
+async def create_task(
+    payload: ProcessTaskCreate,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Create a new process task."""
+    logger.info("create_task user_id=%s tenant_id=%s code=%s", x_user_id, tenant_id, payload.task_code)
+
+    if payload.category not in VALID_CATEGORIES:
+        raise HTTPException(status_code=400, detail=f"Invalid category. Must be one of: {', '.join(sorted(VALID_CATEGORIES))}")
+    if payload.priority not in VALID_PRIORITIES:
+        raise HTTPException(status_code=400, detail=f"Invalid priority. Must be one of: {', '.join(sorted(VALID_PRIORITIES))}")
+    if payload.frequency not in VALID_FREQUENCIES:
+        raise HTTPException(status_code=400, detail=f"Invalid frequency. Must be one of: {', '.join(sorted(VALID_FREQUENCIES))}")
+
+    row = db.execute(text("""
+        INSERT INTO compliance_process_tasks
+            (tenant_id, task_code, title, description, category, priority, frequency,
+             assigned_to, responsible_team, linked_control_ids, linked_module,
+             next_due_date, due_reminder_days, notes, tags)
+        VALUES
+            (:tenant_id, :task_code, :title, :description, :category, :priority, :frequency,
+             :assigned_to, :responsible_team, CAST(:linked_control_ids AS jsonb), :linked_module,
+             :next_due_date, :due_reminder_days, :notes, CAST(:tags AS jsonb))
+        RETURNING *
+    """), {
+        "tenant_id": tenant_id,
+        "task_code": payload.task_code,
+        "title": payload.title,
+        "description": payload.description,
+        "category": payload.category,
+        "priority": payload.priority,
+        "frequency": payload.frequency,
+        "assigned_to": payload.assigned_to,
+        "responsible_team": payload.responsible_team,
+        "linked_control_ids": json.dumps(payload.linked_control_ids or []),
+        "linked_module": payload.linked_module,
+        "next_due_date": payload.next_due_date,
+        "due_reminder_days": payload.due_reminder_days,
+        "notes": payload.notes,
+        "tags": json.dumps(payload.tags or []),
+    }).fetchone()
+    db.commit()
+    return _row_to_dict(row)
+
+
+@router.get("/{task_id}")
+async def get_task(
+    task_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Get single process task."""
+    row = db.execute(text("""
+        SELECT * FROM compliance_process_tasks
+        WHERE id = :id AND tenant_id = :tenant_id
+    """), {"id": task_id, "tenant_id": tenant_id}).fetchone()
+    if not row:
+        raise HTTPException(status_code=404, detail="Task not found")
+    return _row_to_dict(row)
+
+
+@router.put("/{task_id}")
+async def update_task(
+    task_id: str,
+    payload: ProcessTaskUpdate,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Update a process task."""
+    logger.info("update_task user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, task_id)
+
+    updates: Dict[str, Any] = {"id": task_id, "tenant_id": tenant_id, "updated_at": datetime.utcnow()}
+    set_clauses = ["updated_at = :updated_at"]
+
+    data = payload.model_dump(exclude_unset=True)
+
+    # Validate enum fields if provided
+    if "category" in data and data["category"] not in VALID_CATEGORIES:
+        raise HTTPException(status_code=400, detail=f"Invalid category. Must be one of: {', '.join(sorted(VALID_CATEGORIES))}")
+    if "priority" in data and data["priority"] not in VALID_PRIORITIES:
+        raise HTTPException(status_code=400, detail=f"Invalid priority. Must be one of: {', '.join(sorted(VALID_PRIORITIES))}")
+    if "frequency" in data and data["frequency"] not in VALID_FREQUENCIES:
+        raise HTTPException(status_code=400, detail=f"Invalid frequency. Must be one of: {', '.join(sorted(VALID_FREQUENCIES))}")
+    if "status" in data and data["status"] not in VALID_STATUSES:
+        raise HTTPException(status_code=400, detail=f"Invalid status. Must be one of: {', '.join(sorted(VALID_STATUSES))}")
+
+    for field, value in data.items():
+        if field in ("linked_control_ids", "tags", "follow_up_actions"):
+            updates[field] = json.dumps(value or [])
+            set_clauses.append(f"{field} = CAST(:{field} AS jsonb)")
+        else:
+            updates[field] = value
+            set_clauses.append(f"{field} = :{field}")
+
+    if len(set_clauses) == 1:
+        raise HTTPException(status_code=400, detail="No fields to update")
+
+    row = db.execute(text(f"""
+        UPDATE compliance_process_tasks
+        SET {', '.join(set_clauses)}
+        WHERE id = :id AND tenant_id = :tenant_id
+        RETURNING *
+    """), updates).fetchone()
+    db.commit()
+
+    if not row:
+        raise HTTPException(status_code=404, detail="Task not found")
+    return _row_to_dict(row)
+
+
+@router.delete("/{task_id}", status_code=204)
+async def delete_task(
+    task_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Delete a process task."""
+    logger.info("delete_task user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, task_id)
+    result = db.execute(text("""
+        DELETE FROM compliance_process_tasks
+        WHERE id = :id AND tenant_id = :tenant_id
+    """), {"id": task_id, "tenant_id": tenant_id})
+    db.commit()
+    if result.rowcount == 0:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+
+@router.post("/{task_id}/complete")
+async def complete_task(
+    task_id: str,
+    payload: ProcessTaskComplete,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Complete a task: insert history, update task, calculate next due date."""
+    logger.info("complete_task user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, task_id)
+
+    # Fetch current task
+    task_row = db.execute(text("""
+        SELECT * FROM compliance_process_tasks
+        WHERE id = :id AND tenant_id = :tenant_id
+    """), {"id": task_id, "tenant_id": tenant_id}).fetchone()
+
+    if not task_row:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task = dict(task_row._mapping)
+
+    # Insert history entry
+    db.execute(text("""
+        INSERT INTO compliance_process_task_history
+            (task_id, completed_by, completed_at, result, evidence_id, notes, status)
+        VALUES
+            (:task_id, :completed_by, NOW(), :result, :evidence_id, :notes, 'completed')
+    """), {
+        "task_id": task_id,
+        "completed_by": payload.completed_by,
+        "result": payload.result,
+        "evidence_id": payload.evidence_id,
+        "notes": payload.notes,
+    })
+
+    # Calculate next due date
+    freq = task.get("frequency", "yearly")
+    days_delta = FREQUENCY_DAYS.get(freq)
+
+    if days_delta is not None:
+        # Recurring task — set next due and reset to pending
+        row = db.execute(text("""
+            UPDATE compliance_process_tasks
+            SET last_completed_at = NOW(),
+                status = 'pending',
+                completion_date = NOW(),
+                completion_result = :result,
+                completion_evidence_id = :evidence_id,
+                next_due_date = CURRENT_DATE + :days_delta,
+                updated_at = NOW()
+            WHERE id = :id AND tenant_id = :tenant_id
+            RETURNING *
+        """), {
+            "id": task_id,
+            "tenant_id": tenant_id,
+            "result": payload.result,
+            "evidence_id": payload.evidence_id,
+            "days_delta": days_delta,
+        }).fetchone()
+    else:
+        # One-time task — mark completed, no next due
+        row = db.execute(text("""
+            UPDATE compliance_process_tasks
+            SET last_completed_at = NOW(),
+                status = 'completed',
+                completion_date = NOW(),
+                completion_result = :result,
+                completion_evidence_id = :evidence_id,
+                next_due_date = NULL,
+                updated_at = NOW()
+            WHERE id = :id AND tenant_id = :tenant_id
+            RETURNING *
+        """), {
+            "id": task_id,
+            "tenant_id": tenant_id,
+            "result": payload.result,
+            "evidence_id": payload.evidence_id,
+        }).fetchone()
+
+    db.commit()
+    return _row_to_dict(row)
+
+
+@router.post("/{task_id}/skip")
+async def skip_task(
+    task_id: str,
+    payload: ProcessTaskSkip,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Skip a task with reason: insert history, calculate next due date."""
+    logger.info("skip_task user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, task_id)
+
+    # Fetch current task
+    task_row = db.execute(text("""
+        SELECT * FROM compliance_process_tasks
+        WHERE id = :id AND tenant_id = :tenant_id
+    """), {"id": task_id, "tenant_id": tenant_id}).fetchone()
+
+    if not task_row:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task = dict(task_row._mapping)
+
+    # Insert history entry
+    db.execute(text("""
+        INSERT INTO compliance_process_task_history
+            (task_id, completed_by, completed_at, result, notes, status)
+        VALUES
+            (:task_id, :completed_by, NOW(), :reason, :reason, 'skipped')
+    """), {
+        "task_id": task_id,
+        "completed_by": x_user_id,
+        "reason": payload.reason,
+    })
+
+    # Calculate next due date
+    freq = task.get("frequency", "yearly")
+    days_delta = FREQUENCY_DAYS.get(freq)
+
+    if days_delta is not None:
+        row = db.execute(text("""
+            UPDATE compliance_process_tasks
+            SET status = 'pending',
+                next_due_date = CURRENT_DATE + :days_delta,
+                updated_at = NOW()
+            WHERE id = :id AND tenant_id = :tenant_id
+            RETURNING *
+        """), {
+            "id": task_id,
+            "tenant_id": tenant_id,
+            "days_delta": days_delta,
+        }).fetchone()
+    else:
+        row = db.execute(text("""
+            UPDATE compliance_process_tasks
+            SET status = 'skipped',
+                next_due_date = NULL,
+                updated_at = NOW()
+            WHERE id = :id AND tenant_id = :tenant_id
+            RETURNING *
+        """), {
+            "id": task_id,
+            "tenant_id": tenant_id,
+        }).fetchone()
+
+    db.commit()
+    return _row_to_dict(row)
+
+
+@router.get("/{task_id}/history")
+async def get_task_history(
+    task_id: str,
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Return history entries for a task."""
+    # Verify task belongs to tenant
+    task_row = db.execute(text("""
+        SELECT id FROM compliance_process_tasks
+        WHERE id = :id AND tenant_id = :tenant_id
+    """), {"id": task_id, "tenant_id": tenant_id}).fetchone()
+
+    if not task_row:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    rows = db.execute(text("""
+        SELECT * FROM compliance_process_task_history
+        WHERE task_id = :task_id
+        ORDER BY completed_at DESC
+    """), {"task_id": task_id}).fetchall()
+
+    return {"history": [_row_to_dict(r) for r in rows]}
+
+
+@router.post("/seed")
+async def seed_tasks(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Seed ~50 standard compliance tasks. Idempotent via ON CONFLICT."""
+    logger.info("seed_tasks user_id=%s tenant_id=%s", x_user_id, tenant_id)
+
+    seeds = _get_seed_tasks()
+    inserted = 0
+
+    for s in seeds:
+        result = db.execute(text("""
+            INSERT INTO compliance_process_tasks
+                (tenant_id, task_code, title, description, category, priority, frequency,
+                 linked_module, is_seed, next_due_date)
+            VALUES
+                (:tenant_id, :task_code, :title, :description, :category, :priority, :frequency,
+                 :linked_module, TRUE, CURRENT_DATE + :initial_days)
+            ON CONFLICT (tenant_id, project_id, task_code) DO NOTHING
+        """), {
+            "tenant_id": tenant_id,
+            "task_code": s["task_code"],
+            "title": s["title"],
+            "description": s["description"],
+            "category": s["category"],
+            "priority": s["priority"],
+            "frequency": s["frequency"],
+            "linked_module": s.get("linked_module"),
+            "initial_days": FREQUENCY_DAYS.get(s["frequency"], 365) or 365,
+        })
+        if result.rowcount > 0:
+            inserted += 1
+
+    db.commit()
+
+    return {"seeded": inserted, "total_available": len(seeds)}
+
+
+# =============================================================================
+# Seed Data
+# =============================================================================
+
+def _get_seed_tasks() -> List[Dict[str, Any]]:
+    """Return ~50 standard compliance tasks for seeding."""
+    return [
+        # ─── DSGVO (~15) ─────────────────────────────────────────────
+        {
+            "task_code": "DSGVO-VVT-REVIEW",
+            "title": "VVT-Review und Aktualisierung",
+            "description": "Jaehrliche Ueberpruefung und Aktualisierung des Verzeichnisses von Verarbeitungstaetigkeiten gemaess Art. 30 DSGVO.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "vvt",
+        },
+        {
+            "task_code": "DSGVO-TOM-REVIEW",
+            "title": "TOM-Review und Aktualisierung",
+            "description": "Jaehrliche Ueberpruefung der technischen und organisatorischen Massnahmen gemaess Art. 32 DSGVO.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "tom",
+        },
+        {
+            "task_code": "DSGVO-LOESCHFRISTEN",
+            "title": "Loeschfristen-Pruefung",
+            "description": "Quartalspruefung aller Loeschfristen und Durchfuehrung faelliger Loeschungen.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": "loeschfristen",
+        },
+        {
+            "task_code": "DSGVO-DSB-BERICHT",
+            "title": "DSB-Taetigkeitsbericht",
+            "description": "Jaehrlicher Taetigkeitsbericht des Datenschutzbeauftragten an die Geschaeftsfuehrung.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "DSGVO-DSFA-UPDATE",
+            "title": "DSFA-Aktualisierung",
+            "description": "Jaehrliche Ueberpruefung und Aktualisierung der Datenschutz-Folgenabschaetzungen.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "dsfa",
+        },
+        {
+            "task_code": "DSGVO-SCHULUNG",
+            "title": "Datenschutz-Schulung Mitarbeiter",
+            "description": "Jaehrliche Datenschutz-Schulung fuer alle Mitarbeiter mit Nachweis.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "training",
+        },
+        {
+            "task_code": "DSGVO-BETROFFENENRECHTE",
+            "title": "Betroffenenrechte-Prozess testen",
+            "description": "Quartalstest der Prozesse fuer Auskunft, Berichtigung, Loeschung und Datenportabilitaet.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": "dsr",
+        },
+        {
+            "task_code": "DSGVO-AV-VERTRAEGE",
+            "title": "AV-Vertraege pruefen",
+            "description": "Jaehrliche Pruefung aller Auftragsverarbeitungsvertraege auf Aktualitaet und Vollstaendigkeit.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": "vendor-compliance",
+        },
+        {
+            "task_code": "DSGVO-DATENPANNE-TEST",
+            "title": "Datenpannen-Meldeprozess testen",
+            "description": "Halbjahrestest des Meldeprozesses fuer Datenschutzverletzungen gemaess Art. 33/34 DSGVO.",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "semi_annual",
+            "linked_module": "incident-response",
+        },
+        {
+            "task_code": "DSGVO-COOKIE-PRUEFUNG",
+            "title": "Cookie-Banner und Consent pruefen",
+            "description": "Quartalspruefung des Cookie-Banners und der Einwilligungsmechanismen.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": "consent",
+        },
+        {
+            "task_code": "DSGVO-DSE-REVIEW",
+            "title": "Datenschutzerklaerung Review",
+            "description": "Halbjaehrliche Ueberpruefung der Datenschutzerklaerung auf Aktualitaet.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "semi_annual",
+            "linked_module": "document-generator",
+        },
+        {
+            "task_code": "DSGVO-EINWILLIGUNG-REVIEW",
+            "title": "Einwilligungen Review",
+            "description": "Quartalspruefung der eingeholten Einwilligungen auf Gueltigkeit und Widerrufbarkeit.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": "consent",
+        },
+        {
+            "task_code": "DSGVO-DRITTLAND",
+            "title": "Drittlandsuebermittlung pruefen",
+            "description": "Jaehrliche Pruefung aller Datenuebermittlungen in Drittlaender und deren Rechtsgrundlage.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "DSGVO-VERPFLICHTUNG",
+            "title": "Mitarbeiter-Verpflichtung Datengeheimnis",
+            "description": "Jaehrliche Pruefung, ob alle Mitarbeiter auf das Datengeheimnis verpflichtet wurden.",
+            "category": "dsgvo",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "DSGVO-DATENKATEGORIEN",
+            "title": "Datenkategorien-Review",
+            "description": "Jaehrliche Ueberpruefung der erfassten Datenkategorien und deren Zuordnung.",
+            "category": "dsgvo",
+            "priority": "low",
+            "frequency": "yearly",
+            "linked_module": "vvt",
+        },
+
+        # ─── NIS2 (~10) ──────────────────────────────────────────────
+        {
+            "task_code": "NIS2-RISIKOBEWERTUNG",
+            "title": "NIS2 Risikobewertung",
+            "description": "Jaehrliche umfassende Risikobewertung der Netz- und Informationssicherheit.",
+            "category": "nis2",
+            "priority": "critical",
+            "frequency": "yearly",
+            "linked_module": "risks",
+        },
+        {
+            "task_code": "NIS2-LIEFERKETTE",
+            "title": "Lieferketten-Sicherheitspruefung",
+            "description": "Jaehrliche Ueberpruefung der Sicherheitsmassnahmen bei Zulieferern und Dienstleistern.",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "vendor-compliance",
+        },
+        {
+            "task_code": "NIS2-INCIDENT-UEBUNG",
+            "title": "Incident-Response-Uebung",
+            "description": "Jaehrliche Uebung des Incident-Response-Prozesses mit Dokumentation.",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "incident-response",
+        },
+        {
+            "task_code": "NIS2-VULNSCAN",
+            "title": "Vulnerability-Scan",
+            "description": "Monatlicher automatisierter Vulnerability-Scan aller IT-Systeme.",
+            "category": "nis2",
+            "priority": "critical",
+            "frequency": "monthly",
+            "linked_module": "security-backlog",
+        },
+        {
+            "task_code": "NIS2-PATCHMGMT",
+            "title": "Patch-Management-Review",
+            "description": "Monatliche Pruefung des Patch-Status aller Systeme.",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "monthly",
+            "linked_module": "security-backlog",
+        },
+        {
+            "task_code": "NIS2-BCM-TEST",
+            "title": "Business-Continuity-Test",
+            "description": "Jaehrlicher Test des Business-Continuity-Plans.",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "NIS2-ZUGANGSKONTROLLE",
+            "title": "Zugangskontrollen-Review",
+            "description": "Quartalspruefung aller Zugangsberechtigungen und Accounts.",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "NIS2-KRYPTOGRAFIE",
+            "title": "Kryptografie-Review",
+            "description": "Jaehrliche Ueberpruefung der eingesetzten kryptografischen Verfahren.",
+            "category": "nis2",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "NIS2-MELDEPFLICHT",
+            "title": "Meldepflicht-Prozess testen",
+            "description": "Halbjaehrlicher Test des NIS2-Meldeprozesses (24h/72h Fristen).",
+            "category": "nis2",
+            "priority": "high",
+            "frequency": "semi_annual",
+            "linked_module": None,
+        },
+        {
+            "task_code": "NIS2-NETZSEGMENT",
+            "title": "Netzwerksegmentierung-Review",
+            "description": "Jaehrliche Ueberpruefung der Netzwerksegmentierung und Firewall-Regeln.",
+            "category": "nis2",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+
+        # ─── BSI (~10) ───────────────────────────────────────────────
+        {
+            "task_code": "BSI-GRUNDSCHUTZ",
+            "title": "IT-Grundschutz-Check",
+            "description": "Jaehrlicher IT-Grundschutz-Check nach BSI-Standard 200-2.",
+            "category": "bsi",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-BAUSTEIN",
+            "title": "Baustein-Review",
+            "description": "Quartalspruefung der implementierten BSI-Bausteine.",
+            "category": "bsi",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-NOTFALLPLAN",
+            "title": "Notfallplan-Test",
+            "description": "Jaehrlicher Test des IT-Notfallplans mit Uebungsszenario.",
+            "category": "bsi",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": "notfallplan",
+        },
+        {
+            "task_code": "BSI-BACKUP-TEST",
+            "title": "Backup-Restore-Test",
+            "description": "Quartalstest der Backup-Wiederherstellung fuer kritische Systeme.",
+            "category": "bsi",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-FIREWALL",
+            "title": "Firewall-Rule-Review",
+            "description": "Quartalspruefung aller Firewall-Regeln auf Aktualitaet und Minimalitaet.",
+            "category": "bsi",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-LOGGING",
+            "title": "Logging-Review",
+            "description": "Monatliche Pruefung der Log-Einstellungen und Log-Auswertung.",
+            "category": "bsi",
+            "priority": "medium",
+            "frequency": "monthly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-HAERTUNG",
+            "title": "Haertungs-Check",
+            "description": "Quartalspruefung der System-Haertung nach BSI-Empfehlungen.",
+            "category": "bsi",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-ZERTIFIKATE",
+            "title": "Zertifikats-Erneuerung pruefen",
+            "description": "Monatliche Pruefung ablaufender TLS/SSL-Zertifikate.",
+            "category": "bsi",
+            "priority": "high",
+            "frequency": "monthly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-RAUMSICHERHEIT",
+            "title": "Raumsicherheit-Pruefung",
+            "description": "Jaehrliche Pruefung der physischen Sicherheit der Serverraeume.",
+            "category": "bsi",
+            "priority": "low",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "BSI-MEDIEN",
+            "title": "Medienentsorgung-Kontrolle",
+            "description": "Quartalskontrolle der ordnungsgemaessen Entsorgung von Datentraegern.",
+            "category": "bsi",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+
+        # ─── ISO 27001 (~8) ──────────────────────────────────────────
+        {
+            "task_code": "ISO-MGMT-REVIEW",
+            "title": "Management-Review",
+            "description": "Jaehrliches Management-Review des ISMS gemaess ISO 27001 Kap. 9.3.",
+            "category": "iso27001",
+            "priority": "critical",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "ISO-INT-AUDIT",
+            "title": "Internes ISMS-Audit",
+            "description": "Jaehrliches internes Audit des ISMS gemaess ISO 27001 Kap. 9.2.",
+            "category": "iso27001",
+            "priority": "critical",
+            "frequency": "yearly",
+            "linked_module": "audit",
+        },
+        {
+            "task_code": "ISO-KORREKTUR",
+            "title": "Korrekturmassnahmen-Review",
+            "description": "Quartalspruefung offener Korrekturmassnahmen aus Audits.",
+            "category": "iso27001",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "ISO-RISK-OWNER",
+            "title": "Risiko-Owner-Review",
+            "description": "Quartalspruefung der Risiko-Zuordnungen und Verantwortlichkeiten.",
+            "category": "iso27001",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": "risks",
+        },
+        {
+            "task_code": "ISO-KENNZAHLEN",
+            "title": "Kennzahlen-Erhebung",
+            "description": "Monatliche Erhebung der ISMS-Kennzahlen und KPIs.",
+            "category": "iso27001",
+            "priority": "medium",
+            "frequency": "monthly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "ISO-SCOPE",
+            "title": "ISMS-Scope-Review",
+            "description": "Jaehrliche Ueberpruefung des ISMS-Geltungsbereichs.",
+            "category": "iso27001",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": "compliance-scope",
+        },
+        {
+            "task_code": "ISO-POLICY",
+            "title": "Policy-Aktualisierung",
+            "description": "Jaehrliche Ueberpruefung und Aktualisierung aller ISMS-Policies.",
+            "category": "iso27001",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": "document-generator",
+        },
+        {
+            "task_code": "ISO-ZERTIFIZIERUNG",
+            "title": "Zertifizierungs-Vorbereitung",
+            "description": "Jaehrliche Vorbereitung auf externes Zertifizierungsaudit.",
+            "category": "iso27001",
+            "priority": "high",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+
+        # ─── AI Act (~7) ─────────────────────────────────────────────
+        {
+            "task_code": "AIACT-INVENTAR",
+            "title": "KI-Inventar aktualisieren",
+            "description": "Quartalsaktualisierung des Inventars aller KI-Systeme im Einsatz.",
+            "category": "ai_act",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": "ai-act",
+        },
+        {
+            "task_code": "AIACT-RISIKO",
+            "title": "KI-Risikobewertung",
+            "description": "Jaehrliche Risikobewertung aller KI-Systeme gemaess EU AI Act.",
+            "category": "ai_act",
+            "priority": "critical",
+            "frequency": "yearly",
+            "linked_module": "ai-act",
+        },
+        {
+            "task_code": "AIACT-TRANSPARENZ",
+            "title": "Transparenzpflicht-Check",
+            "description": "Quartalspruefung der Transparenzpflichten fuer KI-Systeme.",
+            "category": "ai_act",
+            "priority": "high",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "AIACT-OVERSIGHT",
+            "title": "Human-Oversight-Validierung",
+            "description": "Halbjaehrliche Validierung der menschlichen Aufsicht ueber KI-Systeme.",
+            "category": "ai_act",
+            "priority": "high",
+            "frequency": "semi_annual",
+            "linked_module": None,
+        },
+        {
+            "task_code": "AIACT-BIAS",
+            "title": "Bias-Monitoring",
+            "description": "Quartalspruefung auf Bias und Diskriminierung in KI-Ausgaben.",
+            "category": "ai_act",
+            "priority": "medium",
+            "frequency": "quarterly",
+            "linked_module": None,
+        },
+        {
+            "task_code": "AIACT-SCHULUNG",
+            "title": "KI-Schulung Mitarbeiter",
+            "description": "Jaehrliche Schulung aller Mitarbeiter zu KI-Kompetenz und AI Act.",
+            "category": "ai_act",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": "training",
+        },
+        {
+            "task_code": "AIACT-DOKU",
+            "title": "KI-Dokumentations-Review",
+            "description": "Jaehrliche Ueberpruefung der technischen Dokumentation aller KI-Systeme.",
+            "category": "ai_act",
+            "priority": "medium",
+            "frequency": "yearly",
+            "linked_module": None,
+        },
+    ]
diff --git a/backend-compliance/compliance/services/control_generator.py b/backend-compliance/compliance/services/control_generator.py
index 8058e29..23867a6 100644
--- a/backend-compliance/compliance/services/control_generator.py
+++ b/backend-compliance/compliance/services/control_generator.py
@@ -46,7 +46,7 @@ EMBEDDING_URL = os.getenv("EMBEDDING_URL", "http://embedding-service:8087")
 ANTHROPIC_API_KEY = os.getenv("ANTHROPIC_API_KEY", "")
 ANTHROPIC_MODEL = os.getenv("CONTROL_GEN_ANTHROPIC_MODEL", "claude-sonnet-4-6")
 OLLAMA_URL = os.getenv("OLLAMA_URL", "http://host.docker.internal:11434")
-OLLAMA_MODEL = os.getenv("CONTROL_GEN_OLLAMA_MODEL", "qwen3:30b-a3b")
+OLLAMA_MODEL = os.getenv("CONTROL_GEN_OLLAMA_MODEL", "qwen3.5:35b-a3b")
 LLM_TIMEOUT = float(os.getenv("CONTROL_GEN_LLM_TIMEOUT", "120"))
 
 HARMONIZATION_THRESHOLD = 0.85  # Cosine similarity above this = duplicate
@@ -157,6 +157,9 @@ REGULATION_LICENSE_MAP: dict[str, dict] = {
     "edpb_transfers_07_2020":{"license": "EU_PUBLIC",           "rule": 1, "name": "EDPB Transfers 07/2020"},
     "edpb_video_03_2019":    {"license": "EU_PUBLIC",           "rule": 1, "name": "EDPB Video Surveillance"},
     "edps_dpia_list":        {"license": "EU_PUBLIC",           "rule": 1, "name": "EDPS DPIA Liste"},
+    "edpb_certification_01_2018": {"license": "EU_PUBLIC",     "rule": 1, "name": "EDPB Certification 01/2018"},
+    "edpb_certification_01_2019": {"license": "EU_PUBLIC",     "rule": 1, "name": "EDPB Certification 01/2019"},
+    "eaa":                   {"license": "EU_LAW",              "rule": 1, "name": "European Accessibility Act"},
     # WP29 (pre-EDPB) Guidelines
     "wp244_profiling":       {"license": "EU_PUBLIC",           "rule": 1, "name": "WP29 Profiling"},
     "wp251_profiling":       {"license": "EU_PUBLIC",           "rule": 1, "name": "WP29 Data Portability"},
@@ -240,6 +243,83 @@ DOMAIN_KEYWORDS = {
 }
 
 
+CATEGORY_KEYWORDS = {
+    "encryption": ["encryption", "cryptography", "tls", "ssl", "certificate", "hashing",
+                    "aes", "rsa", "verschlüsselung", "kryptographie", "zertifikat", "cipher"],
+    "authentication": ["authentication", "login", "password", "credential", "mfa", "2fa",
+                       "session", "oauth", "authentifizierung", "anmeldung", "passwort"],
+    "network": ["network", "firewall", "dns", "vpn", "proxy", "segmentation",
+                "netzwerk", "routing", "port", "intrusion", "ids", "ips"],
+    "data_protection": ["data protection", "privacy", "personal data", "datenschutz",
+                        "personenbezogen", "dsgvo", "gdpr", "löschung", "verarbeitung", "einwilligung"],
+    "logging": ["logging", "monitoring", "audit trail", "siem", "alert", "anomaly",
+                "protokollierung", "überwachung", "nachvollziehbar"],
+    "incident": ["incident", "response", "breach", "recovery", "vorfall", "sicherheitsvorfall"],
+    "continuity": ["backup", "disaster recovery", "notfall", "wiederherstellung", "notfallplan",
+                   "business continuity", "ausfallsicherheit"],
+    "compliance": ["compliance", "audit", "regulation", "certification", "konformität",
+                   "prüfung", "zertifizierung", "nachweis"],
+    "supply_chain": ["supplier", "vendor", "third party", "lieferant", "auftragnehmer",
+                     "unterauftragnehmer", "supply chain", "dienstleister"],
+    "physical": ["physical", "building", "access zone", "physisch", "gebäude", "zutritt",
+                 "schließsystem", "rechenzentrum"],
+    "personnel": ["training", "awareness", "employee", "schulung", "mitarbeiter",
+                  "sensibilisierung", "personal", "unterweisung"],
+    "application": ["application", "software", "code review", "sdlc", "secure coding",
+                    "anwendung", "entwicklung", "software-entwicklung", "api"],
+    "system": ["hardening", "patch", "configuration", "update", "härtung", "konfiguration",
+               "betriebssystem", "system", "server"],
+    "risk": ["risk assessment", "risk management", "risiko", "bewertung", "risikobewertung",
+             "risikoanalyse", "bedrohung", "threat"],
+    "governance": ["governance", "policy", "organization", "isms", "sicherheitsorganisation",
+                   "richtlinie", "verantwortlichkeit", "rolle"],
+    "hardware": ["hardware", "platform", "firmware", "bios", "tpm", "chip",
+                 "plattform", "geräte"],
+    "identity": ["identity", "iam", "directory", "ldap", "sso", "provisioning",
+                 "identität", "identitätsmanagement", "benutzerverzeichnis"],
+}
+
+VERIFICATION_KEYWORDS = {
+    "code_review": ["source code", "code review", "static analysis", "sast", "dast",
+                    "dependency check", "quellcode", "codeanalyse", "secure coding",
+                    "software development", "api", "input validation", "output encoding"],
+    "document": ["policy", "procedure", "documentation", "training", "awareness",
+                 "richtlinie", "dokumentation", "schulung", "nachweis", "vertrag",
+                 "organizational", "process", "role", "responsibility"],
+    "tool": ["scanner", "monitoring", "siem", "ids", "ips", "firewall", "antivirus",
+             "vulnerability scan", "penetration test", "tool", "automated"],
+    "hybrid": [],  # Assigned when multiple methods match equally
+}
+
+
+def _detect_category(text: str) -> Optional[str]:
+    """Detect the most likely category from text content."""
+    text_lower = text.lower()
+    scores: dict[str, int] = {}
+    for cat, keywords in CATEGORY_KEYWORDS.items():
+        scores[cat] = sum(1 for kw in keywords if kw in text_lower)
+    if not scores or max(scores.values()) == 0:
+        return None
+    return max(scores, key=scores.get)
+
+
+def _detect_verification_method(text: str) -> Optional[str]:
+    """Detect verification method from text content."""
+    text_lower = text.lower()
+    scores: dict[str, int] = {}
+    for method, keywords in VERIFICATION_KEYWORDS.items():
+        if method == "hybrid":
+            continue
+        scores[method] = sum(1 for kw in keywords if kw in text_lower)
+    if not scores or max(scores.values()) == 0:
+        return None
+    top = sorted(scores.items(), key=lambda x: -x[1])
+    # If top two are close, it's hybrid
+    if len(top) >= 2 and top[0][1] > 0 and top[1][1] > 0 and top[1][1] >= top[0][1] * 0.7:
+        return "hybrid"
+    return top[0][0] if top[0][1] > 0 else None
+
+
 def _detect_domain(text: str) -> str:
     """Detect the most likely domain from text content."""
     text_lower = text.lower()
@@ -259,10 +339,11 @@ class GeneratorConfig(BaseModel):
     collections: Optional[List[str]] = None
     domain: Optional[str] = None
     batch_size: int = 5
-    max_controls: int = 50
+    max_controls: int = 0  # 0 = unlimited (process ALL chunks)
     skip_processed: bool = True
     skip_web_search: bool = False
     dry_run: bool = False
+    existing_job_id: Optional[str] = None  # If set, reuse this job instead of creating a new one
 
 
 @dataclass
@@ -287,6 +368,9 @@ class GeneratedControl:
     source_citation: Optional[dict] = None
     customer_visible: bool = True
     generation_metadata: dict = field(default_factory=dict)
+    # Classification fields
+    verification_method: Optional[str] = None  # code_review, document, tool, hybrid
+    category: Optional[str] = None  # one of 17 categories
 
 
 @dataclass
@@ -299,6 +383,7 @@ class GeneratorResult:
     controls_needs_review: int = 0
     controls_too_close: int = 0
     controls_duplicates_found: int = 0
+    chunks_skipped_prefilter: int = 0
     errors: list = field(default_factory=list)
     controls: list = field(default_factory=list)
 
@@ -310,14 +395,68 @@ class GeneratorResult:
 async def _llm_chat(prompt: str, system_prompt: Optional[str] = None) -> str:
     """Call LLM — Anthropic Claude (primary) or Ollama (fallback)."""
     if ANTHROPIC_API_KEY:
+        logger.info("Calling Anthropic API (model=%s)...", ANTHROPIC_MODEL)
         result = await _llm_anthropic(prompt, system_prompt)
         if result:
+            logger.info("Anthropic API success (%d chars)", len(result))
             return result
         logger.warning("Anthropic failed, falling back to Ollama")
 
+    logger.info("Calling Ollama (model=%s)...", OLLAMA_MODEL)
     return await _llm_ollama(prompt, system_prompt)
 
 
+async def _llm_local(prompt: str, system_prompt: Optional[str] = None) -> str:
+    """Call local Ollama LLM only (for pre-filtering and classification tasks)."""
+    return await _llm_ollama(prompt, system_prompt)
+
+
+PREFILTER_SYSTEM_PROMPT = """Du bist ein Compliance-Analyst. Deine Aufgabe: Prüfe ob ein Textabschnitt eine konkrete Sicherheitsanforderung, Datenschutzpflicht, oder technische/organisatorische Maßnahme enthält.
+
+Antworte NUR mit einem JSON-Objekt: {"relevant": true/false, "reason": "kurze Begründung"}
+
+Relevant = true wenn der Text mindestens EINE der folgenden enthält:
+- Konkrete Pflicht/Anforderung ("muss", "soll", "ist sicherzustellen")
+- Technische Sicherheitsmaßnahme (Verschlüsselung, Zugriffskontrolle, Logging)
+- Organisatorische Maßnahme (Schulung, Dokumentation, Audit)
+- Datenschutz-Vorgabe (Löschpflicht, Einwilligung, Zweckbindung)
+- Risikomanagement-Anforderung
+
+Relevant = false wenn der Text NUR enthält:
+- Definitionen ohne Pflichten
+- Inhaltsverzeichnisse oder Verweise
+- Reine Begriffsbestimmungen
+- Übergangsvorschriften ohne Substanz
+- Adressaten/Geltungsbereich ohne Anforderung"""
+
+
+async def _prefilter_chunk(chunk_text: str) -> tuple[bool, str]:
+    """Use local LLM to check if a chunk contains an actionable requirement.
+
+    Returns (is_relevant, reason).
+    Much cheaper than sending every chunk to Anthropic.
+    """
+    prompt = f"""Prüfe ob dieser Textabschnitt eine konkrete Sicherheitsanforderung oder Compliance-Pflicht enthält.
+
+Text:
+---
+{chunk_text[:1500]}
+---
+
+Antworte NUR mit JSON: {{"relevant": true/false, "reason": "kurze Begründung"}}"""
+
+    try:
+        raw = await _llm_local(prompt, PREFILTER_SYSTEM_PROMPT)
+        data = _parse_llm_json(raw)
+        if data:
+            return data.get("relevant", True), data.get("reason", "")
+        # If parsing fails, assume relevant (don't skip)
+        return True, "parse_failed"
+    except Exception as e:
+        logger.warning("Prefilter failed: %s — treating as relevant", e)
+        return True, f"error: {e}"
+
+
 async def _llm_anthropic(prompt: str, system_prompt: Optional[str] = None) -> str:
     """Call Anthropic Messages API."""
     headers = {
@@ -364,6 +503,8 @@ async def _llm_ollama(prompt: str, system_prompt: Optional[str] = None) -> str:
         "model": OLLAMA_MODEL,
         "messages": messages,
         "stream": False,
+        "options": {"num_predict": 512},  # Limit response length for speed
+        "think": False,  # Disable thinking for faster responses
     }
 
     try:
@@ -397,6 +538,26 @@ async def _get_embedding(text: str) -> list[float]:
         return []
 
 
+async def _get_embeddings_batch(texts: list[str], batch_size: int = 32) -> list[list[float]]:
+    """Get embedding vectors for multiple texts in batches."""
+    all_embeddings: list[list[float]] = []
+    for i in range(0, len(texts), batch_size):
+        batch = texts[i:i + batch_size]
+        try:
+            async with httpx.AsyncClient(timeout=30.0) as client:
+                resp = await client.post(
+                    f"{EMBEDDING_URL}/embed",
+                    json={"texts": batch},
+                )
+                resp.raise_for_status()
+                embeddings = resp.json().get("embeddings", [])
+                all_embeddings.extend(embeddings)
+        except Exception as e:
+            logger.warning("Batch embedding failed for %d texts: %s", len(batch), e)
+            all_embeddings.extend([[] for _ in batch])
+    return all_embeddings
+
+
 def _cosine_sim(a: list[float], b: list[float]) -> float:
     """Compute cosine similarity between two vectors."""
     if not a or not b or len(a) != len(b):
@@ -464,50 +625,96 @@ class ControlGeneratorPipeline:
     # ── Stage 1: RAG Scan ──────────────────────────────────────────────
 
     async def _scan_rag(self, config: GeneratorConfig) -> list[RAGSearchResult]:
-        """Load unprocessed chunks from RAG collections."""
+        """Scroll through ALL chunks in RAG collections.
+
+        Uses the scroll endpoint to iterate over every chunk (not just top-K search).
+        Filters out already-processed chunks by hash.
+        """
         collections = config.collections or ALL_COLLECTIONS
         all_results: list[RAGSearchResult] = []
 
-        queries = [
-            "security requirement control measure",
-            "Sicherheitsanforderung Maßnahme Prüfaspekt",
-            "compliance requirement audit criterion",
-            "data protection privacy obligation",
-            "access control authentication authorization",
-        ]
+        # Pre-load all processed hashes for fast filtering
+        processed_hashes: set[str] = set()
+        if config.skip_processed:
+            try:
+                result = self.db.execute(
+                    text("SELECT chunk_hash FROM canonical_processed_chunks")
+                )
+                processed_hashes = {row[0] for row in result}
+                logger.info("Loaded %d processed chunk hashes", len(processed_hashes))
+            except Exception as e:
+                logger.warning("Error loading processed hashes: %s", e)
 
-        if config.domain:
-            domain_kw = DOMAIN_KEYWORDS.get(config.domain, [])
-            if domain_kw:
-                queries.append(" ".join(domain_kw[:5]))
+        seen_hashes: set[str] = set()
 
         for collection in collections:
-            for query in queries:
-                results = await self.rag.search(
-                    query=query,
+            offset = None
+            page = 0
+            collection_total = 0
+            collection_new = 0
+            seen_offsets: set[str] = set()  # Detect scroll loops
+
+            while True:
+                chunks, next_offset = await self.rag.scroll(
                     collection=collection,
-                    top_k=20,
+                    offset=offset,
+                    limit=200,
                 )
-                all_results.extend(results)
 
-        # Deduplicate by text hash
-        seen_hashes: set[str] = set()
-        unique: list[RAGSearchResult] = []
-        for r in all_results:
-            h = hashlib.sha256(r.text.encode()).hexdigest()
-            if h not in seen_hashes:
-                seen_hashes.add(h)
-                unique.append(r)
+                if not chunks:
+                    break
 
-        # Filter out already-processed chunks
-        if config.skip_processed and unique:
-            hashes = [hashlib.sha256(r.text.encode()).hexdigest() for r in unique]
-            processed = self._get_processed_hashes(hashes)
-            unique = [r for r, h in zip(unique, hashes) if h not in processed]
+                collection_total += len(chunks)
 
-        logger.info("RAG scan: %d unique chunks (%d after filtering processed)",
-                     len(seen_hashes), len(unique))
-        return unique[:config.max_controls * 3]  # Over-fetch to account for duplicates
+                for chunk in chunks:
+                    if not chunk.text or len(chunk.text.strip()) < 50:
+                        continue  # Skip empty/tiny chunks
+
+                    h = hashlib.sha256(chunk.text.encode()).hexdigest()
+
+                    # Skip duplicates (same text in multiple collections)
+                    if h in seen_hashes:
+                        continue
+                    seen_hashes.add(h)
+
+                    # Skip already-processed
+                    if h in processed_hashes:
+                        continue
+
+                    all_results.append(chunk)
+                    collection_new += 1
+
+                page += 1
+                if page % 50 == 0:
+                    logger.info(
+                        "Scrolling %s: page %d, %d total chunks, %d new unprocessed",
+                        collection, page, collection_total, collection_new,
+                    )
+
+                # Stop conditions
+                if not next_offset:
+                    break
+                # Detect infinite scroll loops (Qdrant mixed ID types)
+                if next_offset in seen_offsets:
+                    logger.warning(
+                        "Scroll loop detected in %s at offset %s (page %d) — stopping",
+                        collection, next_offset, page,
+                    )
+                    break
+                seen_offsets.add(next_offset)
+
+                offset = next_offset
+
+            logger.info(
+                "Collection %s: %d total chunks scrolled, %d new unprocessed",
+                collection, collection_total, collection_new,
+            )
+
+        logger.info(
+            "RAG scroll complete: %d total unique seen, %d new unprocessed to process",
+            len(seen_hashes), len(all_results),
+        )
+        return all_results
 
     def _get_processed_hashes(self, hashes: list[str]) -> set[str]:
         """Check which chunk hashes are already processed."""
@@ -568,6 +775,8 @@ Quelle: {chunk.regulation_name} ({chunk.regulation_code}), {chunk.article}"""
             "url": chunk.source_url or "",
         }
         control.customer_visible = True
+        control.verification_method = _detect_verification_method(chunk.text)
+        control.category = _detect_category(chunk.text)
         control.generation_metadata = {
             "processing_path": "structured",
             "license_rule": 1,
@@ -617,6 +826,8 @@ Quelle: {chunk.regulation_name}, {chunk.article}"""
             "url": chunk.source_url or "",
         }
         control.customer_visible = True
+        control.verification_method = _detect_verification_method(chunk.text)
+        control.category = _detect_category(chunk.text)
         control.generation_metadata = {
             "processing_path": "structured",
             "license_rule": 2,
@@ -661,6 +872,8 @@ Gib JSON zurück mit diesen Feldern:
         control.source_original_text = None   # NEVER store original
         control.source_citation = None        # NEVER cite source
         control.customer_visible = False      # Only our formulation
+        control.verification_method = _detect_verification_method(chunk.text)
+        control.category = _detect_category(chunk.text)
         # generation_metadata: NO source names, NO original texts
         control.generation_metadata = {
             "processing_path": "llm_reform",
@@ -676,6 +889,10 @@ Gib JSON zurück mit diesen Feldern:
         if not existing:
             return None
 
+        # Pre-load all existing embeddings in batch (once per pipeline run)
+        if not self._existing_embeddings:
+            await self._preload_embeddings(existing)
+
         new_text = f"{new_control.title} {new_control.objective}"
         new_emb = await _get_embedding(new_text)
         if not new_emb:
@@ -684,14 +901,7 @@ Gib JSON zurück mit diesen Feldern:
         similar = []
         for ex in existing:
             ex_key = ex.get("control_id", "")
-            ex_text = f"{ex.get('title', '')} {ex.get('objective', '')}"
-
-            # Get or compute embedding for existing control
-            if ex_key not in self._existing_embeddings:
-                emb = await _get_embedding(ex_text)
-                self._existing_embeddings[ex_key] = emb
             ex_emb = self._existing_embeddings.get(ex_key, [])
-
             if not ex_emb:
                 continue
 
@@ -705,6 +915,20 @@ Gib JSON zurück mit diesen Feldern:
 
         return similar if similar else None
 
+    async def _preload_embeddings(self, existing: list[dict]):
+        """Pre-load embeddings for all existing controls in batches."""
+        texts = [f"{ex.get('title', '')} {ex.get('objective', '')}" for ex in existing]
+        keys = [ex.get("control_id", "") for ex in existing]
+
+        logger.info("Pre-loading embeddings for %d existing controls...", len(texts))
+        embeddings = await _get_embeddings_batch(texts)
+
+        for key, emb in zip(keys, embeddings):
+            self._existing_embeddings[key] = emb
+
+        loaded = sum(1 for emb in embeddings if emb)
+        logger.info("Pre-loaded %d/%d embeddings", loaded, len(texts))
+
     def _load_existing_controls(self) -> list[dict]:
         """Load existing controls from DB (cached per pipeline run)."""
         if self._existing_controls is not None:
@@ -799,10 +1023,11 @@ Gib JSON zurück mit diesen Feldern:
             return str(uuid.uuid4())
 
     def _update_job(self, job_id: str, result: GeneratorResult):
-        """Update job with final stats."""
+        """Update job with current stats. Sets completed_at only when status is final."""
+        is_final = result.status in ("completed", "failed")
         try:
             self.db.execute(
-                text("""
+                text(f"""
                     UPDATE canonical_generation_jobs
                     SET status = :status,
                         total_chunks_scanned = :scanned,
@@ -811,8 +1036,8 @@ Gib JSON zurück mit diesen Feldern:
                         controls_needs_review = :needs_review,
                         controls_too_close = :too_close,
                         controls_duplicates_found = :duplicates,
-                        errors = :errors,
-                        completed_at = NOW()
+                        errors = :errors
+                        {"" if not is_final else ", completed_at = NOW()"}
                     WHERE id = CAST(:job_id AS uuid)
                 """),
                 {
@@ -857,14 +1082,16 @@ Gib JSON zurück mit diesen Feldern:
                         severity, risk_score, implementation_effort,
                         open_anchors, release_state, tags,
                         license_rule, source_original_text, source_citation,
-                        customer_visible, generation_metadata
+                        customer_visible, generation_metadata,
+                        verification_method, category
                     ) VALUES (
                         :framework_id, :control_id, :title, :objective, :rationale,
                         :scope, :requirements, :test_procedure, :evidence,
                         :severity, :risk_score, :implementation_effort,
                         :open_anchors, :release_state, :tags,
                         :license_rule, :source_original_text, :source_citation,
-                        :customer_visible, :generation_metadata
+                        :customer_visible, :generation_metadata,
+                        :verification_method, :category
                     )
                     ON CONFLICT (framework_id, control_id) DO NOTHING
                     RETURNING id
@@ -890,6 +1117,8 @@ Gib JSON zurück mit diesen Feldern:
                     "source_citation": json.dumps(control.source_citation) if control.source_citation else None,
                     "customer_visible": control.customer_visible,
                     "generation_metadata": json.dumps(control.generation_metadata) if control.generation_metadata else None,
+                    "verification_method": control.verification_method,
+                    "category": control.category,
                 },
             )
             self.db.commit()
@@ -926,7 +1155,7 @@ Gib JSON zurück mit diesen Feldern:
                 """),
                 {
                     "hash": chunk_hash,
-                    "collection": "bp_compliance_ce",  # Default, we don't track collection per result
+                    "collection": chunk.collection or "bp_compliance_ce",
                     "regulation_code": chunk.regulation_code,
                     "doc_version": "1.0",
                     "license": license_info.get("license", ""),
@@ -946,8 +1175,11 @@ Gib JSON zurück mit diesen Feldern:
         """Execute the full 7-stage pipeline."""
         result = GeneratorResult()
 
-        # Create job
-        job_id = self._create_job(config)
+        # Create or reuse job
+        if config.existing_job_id:
+            job_id = config.existing_job_id
+        else:
+            job_id = self._create_job(config)
         result.job_id = job_id
 
         try:
@@ -962,13 +1194,37 @@ Gib JSON zurück mit diesen Feldern:
 
             # Process chunks
             controls_count = 0
-            for chunk in chunks:
-                if controls_count >= config.max_controls:
-                    break
-
+            chunks_skipped_prefilter = 0
+            for i, chunk in enumerate(chunks):
                 try:
+                    # Progress logging every 50 chunks
+                    if i > 0 and i % 50 == 0:
+                        logger.info(
+                            "Progress: %d/%d chunks processed, %d controls generated, %d skipped by prefilter",
+                            i, len(chunks), controls_count, chunks_skipped_prefilter,
+                        )
+                        self._update_job(job_id, result)
+
+                    # Stage 1.5: Local LLM pre-filter — skip chunks without requirements
+                    if not config.dry_run:
+                        is_relevant, prefilter_reason = await _prefilter_chunk(chunk.text)
+                        if not is_relevant:
+                            chunks_skipped_prefilter += 1
+                            # Mark as processed so we don't re-check next time
+                            license_info = self._classify_license(chunk)
+                            self._mark_chunk_processed(
+                                chunk, license_info, "prefilter_skip", [], job_id
+                            )
+                            continue
+
                     control = await self._process_single_chunk(chunk, config, job_id)
                     if control is None:
+                        # No control generated — still mark as processed
+                        if not config.dry_run:
+                            license_info = self._classify_license(chunk)
+                            self._mark_chunk_processed(
+                                chunk, license_info, "no_control", [], job_id
+                            )
                         continue
 
                     # Count by state
@@ -989,6 +1245,12 @@ Gib JSON zurück mit diesen Feldern:
                             license_info = self._classify_license(chunk)
                             path = "llm_reform" if license_info["rule"] == 3 else "structured"
                             self._mark_chunk_processed(chunk, license_info, path, [ctrl_uuid], job_id)
+                        else:
+                            # Store failed — still mark as processed
+                            license_info = self._classify_license(chunk)
+                            self._mark_chunk_processed(
+                                chunk, license_info, "store_failed", [], job_id
+                            )
 
                     result.controls_generated += 1
                     result.controls.append(asdict(control))
@@ -1006,6 +1268,21 @@ Gib JSON zurück mit diesen Feldern:
                     error_msg = f"Error processing chunk {chunk.regulation_code}/{chunk.article}: {e}"
                     logger.error(error_msg)
                     result.errors.append(error_msg)
+                    # Mark failed chunks as processed too (so we don't retry endlessly)
+                    try:
+                        if not config.dry_run:
+                            license_info = self._classify_license(chunk)
+                            self._mark_chunk_processed(
+                                chunk, license_info, "error", [], job_id
+                            )
+                    except Exception:
+                        pass
+
+            result.chunks_skipped_prefilter = chunks_skipped_prefilter
+            logger.info(
+                "Pipeline complete: %d controls generated, %d chunks skipped by prefilter, %d total chunks",
+                controls_count, chunks_skipped_prefilter, len(chunks),
+            )
 
             result.status = "completed"
 
diff --git a/backend-compliance/compliance/services/rag_client.py b/backend-compliance/compliance/services/rag_client.py
index 2e0a22e..3847f2e 100644
--- a/backend-compliance/compliance/services/rag_client.py
+++ b/backend-compliance/compliance/services/rag_client.py
@@ -33,6 +33,7 @@ class RAGSearchResult:
     paragraph: str
     source_url: str
     score: float
+    collection: str = ""
 
 
 class ComplianceRAGClient:
@@ -91,6 +92,7 @@ class ComplianceRAGClient:
                     paragraph=r.get("paragraph", ""),
                     source_url=r.get("source_url", ""),
                     score=r.get("score", 0.0),
+                    collection=collection,
                 ))
             return results
 
@@ -98,6 +100,54 @@ class ComplianceRAGClient:
             logger.warning("RAG search failed: %s", e)
             return []
 
+    async def scroll(
+        self,
+        collection: str,
+        offset: Optional[str] = None,
+        limit: int = 100,
+    ) -> tuple[List[RAGSearchResult], Optional[str]]:
+        """
+        Scroll through ALL chunks in a collection (paginated).
+
+        Returns (chunks, next_offset). next_offset is None when done.
+        """
+        scroll_url = self._search_url.replace("/search", "/scroll")
+        params = {"collection": collection, "limit": str(limit)}
+        if offset:
+            params["offset"] = offset
+
+        try:
+            async with httpx.AsyncClient(timeout=30.0) as client:
+                resp = await client.get(scroll_url, params=params)
+
+            if resp.status_code != 200:
+                logger.warning(
+                    "RAG scroll returned %d: %s", resp.status_code, resp.text[:200]
+                )
+                return [], None
+
+            data = resp.json()
+            results = []
+            for r in data.get("chunks", []):
+                results.append(RAGSearchResult(
+                    text=r.get("text", ""),
+                    regulation_code=r.get("regulation_code", ""),
+                    regulation_name=r.get("regulation_name", ""),
+                    regulation_short=r.get("regulation_short", ""),
+                    category=r.get("category", ""),
+                    article=r.get("article", ""),
+                    paragraph=r.get("paragraph", ""),
+                    source_url=r.get("source_url", ""),
+                    score=0.0,
+                    collection=collection,
+                ))
+            next_offset = data.get("next_offset") or None
+            return results, next_offset
+
+        except Exception as e:
+            logger.warning("RAG scroll failed: %s", e)
+            return [], None
+
     def format_for_prompt(
         self, results: List[RAGSearchResult], max_results: int = 5
     ) -> str:
diff --git a/backend-compliance/main.py b/backend-compliance/main.py
index 7d5f93d..e007598 100644
--- a/backend-compliance/main.py
+++ b/backend-compliance/main.py
@@ -14,6 +14,12 @@ from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
+# Configure root logging so all modules' logger.info() etc. are visible
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(levelname)s:%(name)s: %(message)s",
+)
+
 logger = logging.getLogger(__name__)
 
 # Compliance-specific API routers
diff --git a/backend-compliance/migrations/048_processing_path_expand.sql b/backend-compliance/migrations/048_processing_path_expand.sql
new file mode 100644
index 0000000..2712239
--- /dev/null
+++ b/backend-compliance/migrations/048_processing_path_expand.sql
@@ -0,0 +1,17 @@
+-- 048: Expand processing_path CHECK constraint for new pipeline paths
+-- New values: prefilter_skip, no_control, store_failed, error
+
+ALTER TABLE canonical_processed_chunks
+    DROP CONSTRAINT IF EXISTS canonical_processed_chunks_processing_path_check;
+
+ALTER TABLE canonical_processed_chunks
+    ADD CONSTRAINT canonical_processed_chunks_processing_path_check
+    CHECK (processing_path IN (
+        'structured',       -- Rule 1/2: structured from original text
+        'llm_reform',       -- Rule 3: LLM reformulated
+        'skipped',          -- Legacy: skipped for other reasons
+        'prefilter_skip',   -- Local LLM determined chunk has no requirement
+        'no_control',       -- Processing ran but no control could be derived
+        'store_failed',     -- Control generated but DB store failed
+        'error'             -- Processing error occurred
+    ));
diff --git a/backend-compliance/migrations/049_target_audience.sql b/backend-compliance/migrations/049_target_audience.sql
new file mode 100644
index 0000000..7d1f93c
--- /dev/null
+++ b/backend-compliance/migrations/049_target_audience.sql
@@ -0,0 +1,8 @@
+-- 049: Add target_audience field to canonical_controls
+-- Distinguishes who a control is relevant for: enterprises, authorities, providers, or all.
+
+ALTER TABLE canonical_controls ADD COLUMN IF NOT EXISTS
+    target_audience VARCHAR(20) DEFAULT NULL
+    CHECK (target_audience IN ('enterprise', 'authority', 'provider', 'all'));
+
+CREATE INDEX IF NOT EXISTS idx_cc_target_audience ON canonical_controls(target_audience);
diff --git a/backend-compliance/migrations/050_score_snapshots.sql b/backend-compliance/migrations/050_score_snapshots.sql
new file mode 100644
index 0000000..081c9c1
--- /dev/null
+++ b/backend-compliance/migrations/050_score_snapshots.sql
@@ -0,0 +1,22 @@
+-- Score Snapshots: Historical compliance score tracking
+-- Migration 050
+
+CREATE TABLE IF NOT EXISTS compliance_score_snapshots (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    score DECIMAL(5,2) NOT NULL,
+    controls_total INTEGER DEFAULT 0,
+    controls_pass INTEGER DEFAULT 0,
+    controls_partial INTEGER DEFAULT 0,
+    evidence_total INTEGER DEFAULT 0,
+    evidence_valid INTEGER DEFAULT 0,
+    risks_total INTEGER DEFAULT 0,
+    risks_high INTEGER DEFAULT 0,
+    snapshot_date DATE NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, snapshot_date)
+);
+
+CREATE INDEX IF NOT EXISTS idx_score_snap_tenant ON compliance_score_snapshots(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_score_snap_date ON compliance_score_snapshots(snapshot_date);
diff --git a/backend-compliance/migrations/051_security_templates.sql b/backend-compliance/migrations/051_security_templates.sql
new file mode 100644
index 0000000..36d6636
--- /dev/null
+++ b/backend-compliance/migrations/051_security_templates.sql
@@ -0,0 +1,1098 @@
+-- Migration 051: Security Document Templates
+-- 7 security/compliance document templates (German, jurisdiction DE)
+-- Normative: ISO 27001, BSI IT-Grundschutz, DSGVO Art. 32, NIS2, ISO 31000
+
+-- Template 1: IT-Sicherheitskonzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'it_security_concept',
+    'IT-Sicherheitskonzept (ISO 27001 / BSI IT-Grundschutz)',
+    'Umfassendes IT-Sicherheitskonzept nach ISO/IEC 27001:2022 und BSI IT-Grundschutz. Definiert Sicherheitsziele, Organisation, technische und organisatorische Massnahmen.',
+    $template$# IT-Sicherheitskonzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Dokumenttyp | IT-Sicherheitskonzept |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Klassifizierung | Vertraulich |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+### Aenderungshistorie
+
+| Version | Datum | Autor | Aenderung |
+|---------|-------|-------|-----------|
+| {{DOCUMENT_VERSION}} | {{VERSION_DATE}} | {{ISB_NAME}} | Erstfassung |
+
+---
+
+## 1. Managementzusammenfassung
+
+Dieses IT-Sicherheitskonzept definiert den Rahmen fuer die Informationssicherheit bei {{COMPANY_NAME}}. Es legt Sicherheitsziele, organisatorische Strukturen, technische und organisatorische Massnahmen sowie Prozesse fest, die den Schutz der Vertraulichkeit, Integritaet und Verfuegbarkeit aller Informationswerte sicherstellen.
+
+Das Konzept orientiert sich an:
+- ISO/IEC 27001:2022 (Annex A Controls)
+- BSI IT-Grundschutz (Kompendium Edition 2023)
+- DSGVO Art. 32 (Sicherheit der Verarbeitung)
+- NIS2-Richtlinie Art. 21 (Risikomanagementmassnahmen)
+
+**Geltungsbereich**: {{SCOPE_DESCRIPTION}}
+
+---
+
+## 2. Geltungsbereich und Abgrenzung
+
+### 2.1 Eingeschlossene Bereiche
+- Alle IT-Systeme, Netzwerke und Anwendungen der {{COMPANY_NAME}}
+- Cloud-Dienste und externe Hosting-Umgebungen
+- Mobile Endgeraete und Remote-Arbeitsplaetze
+- Entwicklungs-, Test- und Produktionsumgebungen
+
+### 2.2 Ausgeschlossene Bereiche
+- _[Hier ausgeschlossene Bereiche definieren]_
+
+### 2.3 Schnittstellen
+- Auftragsverarbeiter gemaess Art. 28 DSGVO
+- Kunden-Schnittstellen (APIs, Portale)
+- Lieferanten und Dienstleister
+
+---
+
+## 3. Normative Referenzen
+
+| Standard | Relevanz |
+|----------|----------|
+| ISO/IEC 27001:2022 | ISMS-Anforderungen, Annex A Controls |
+| ISO/IEC 27002:2022 | Umsetzungsempfehlungen fuer Controls |
+| BSI IT-Grundschutz 200-1 | Managementsysteme fuer Informationssicherheit |
+| BSI IT-Grundschutz 200-2 | IT-Grundschutz-Methodik |
+| BSI IT-Grundschutz 200-3 | Risikoanalyse |
+| DSGVO | Datenschutz-Grundverordnung (EU) 2016/679 |
+| BDSG | Bundesdatenschutzgesetz |
+| NIS2-Richtlinie | (EU) 2022/2555 |
+
+---
+
+## 4. IT-Sicherheitsorganisation
+
+### 4.1 Rollen und Verantwortlichkeiten
+
+| Rolle | Person | Verantwortung |
+|-------|--------|---------------|
+| Geschaeftsfuehrung | {{GF_NAME}} | Gesamtverantwortung, Budget, Freigabe |
+| ISB | {{ISB_NAME}} | Operative Steuerung, Konzepte, Audits |
+| DSB | {{DPO_NAME}} | Datenschutz-Compliance, Beratung |
+| IT-Leitung | _[Name]_ | Technische Umsetzung, Betrieb |
+| Alle Mitarbeiter | — | Einhaltung der Richtlinien, Meldung von Vorfaellen |
+
+### 4.2 Berichtswege
+- ISB berichtet direkt an die Geschaeftsfuehrung (mind. quartalsweise)
+- Jaehrlicher Sicherheitsbericht an die Geschaeftsfuehrung
+- Ad-hoc-Meldungen bei Sicherheitsvorfaellen
+
+### 4.3 Sicherheitsgremium
+- Zusammensetzung: GF, ISB, DSB, IT-Leitung
+- Sitzungsrhythmus: quartalsweise
+- Aufgaben: Risikobewertung, Massnahmenfreigabe, Budget
+
+---
+
+## 5. Informationsklassifizierung
+
+| Stufe | Kennzeichnung | Schutzbedarf |
+|-------|--------------|--------------|
+| Stufe 1 | OEFFENTLICH | Normal |
+| Stufe 2 | INTERN | Normal |
+| Stufe 3 | VERTRAULICH | Hoch |
+| Stufe 4 | STRENG VERTRAULICH | Sehr hoch |
+
+---
+
+## 6. Risikoanalyse und -bewertung
+
+Risikobewertung nach BSI-Standard 200-3 mit 5x5-Matrix. Risikoakzeptanzkriterium: Score <= 8 akzeptabel. Score 9-15 erfordert Massnahmen innerhalb 90 Tagen. Score >= 16 erfordert sofortige Massnahmen.
+
+---
+
+## 7. Technische Sicherheitsmassnahmen
+
+### 7.1 Netzwerksicherheit
+- Netzwerksegmentierung (DMZ, internes Netz, Management-Netz)
+- Firewall-Regelwerk mit Default-Deny-Prinzip
+- IDS/IPS, VPN fuer Remote-Zugriffe
+
+### 7.2 Systemsicherheit
+- Haertung aller Server und Endgeraete (CIS Benchmarks)
+- Patch-Management: Kritische Patches innerhalb 72h
+- EDR auf allen Endgeraeten
+- Festplattenverschluesselung auf allen mobilen Geraeten
+
+### 7.3 Anwendungssicherheit
+- Secure Development Lifecycle (SDLC)
+- Code-Reviews, SAST/DAST-Scans in CI/CD
+- OWASP Top 10 als Mindeststandard
+
+### 7.4 Datensicherheit
+- Verschluesselung at-rest (AES-256), TLS 1.2+ fuer alle Uebertragungen
+- Schluesselmanagement: Rotation alle 12 Monate
+
+### 7.5 Kryptografie
+- Zugelassene Algorithmen: AES-256, RSA-2048+, SHA-256+
+- Verbotene Algorithmen: MD5, SHA-1, DES, 3DES, RC4
+
+---
+
+## 8. Organisatorische Massnahmen
+
+- IT-Nutzungsrichtlinie, Passwortrichtlinie (mind. 12 Zeichen, MFA)
+- Onboarding-Sicherheitsschulung, jaehrliche Auffrischung
+- Phishing-Simulationen quartalsweise
+- Geordnetes Offboarding: Entzug aller Berechtigungen innerhalb 24h
+
+---
+
+## 9. Physische Sicherheit
+
+- Zutrittskontrollsystem mit Protokollierung
+- Serverraum: Klimatisierung, USV, Brandmeldeanlage
+- Clean-Desk-Policy, Bildschirmsperre nach 5 Minuten
+
+---
+
+## 10. Business Continuity und Notfallmanagement
+
+- Business Impact Analyse (BIA)
+- RTO und RPO je System festgelegt
+- Jaehrliche Notfalluebung
+
+---
+
+## 11. Compliance-Anforderungen
+
+- DSGVO Art. 32: TOMs, Art. 33/34: Meldepflicht
+- NIS2 Art. 21: Risikomanagementmassnahmen
+- AI Act Art. 9/15 (falls zutreffend)
+
+---
+
+## 12. Kennzahlen und Berichtswesen
+
+| KPI | Zielwert | Erhebung |
+|-----|---------|----------|
+| Patch-Compliance (kritisch) | >= 95% innerhalb 72h | Monatlich |
+| Phishing-Klickrate | < 5% | Quartalsweise |
+| MFA-Abdeckung | 100% | Monatlich |
+| Schulungsquote | 100% | Jaehrlich |
+| MTTD | < 24h | Quartalsweise |
+| MTTR | < 4h (kritisch) | Quartalsweise |
+
+---
+
+## 13. Revision und Fortschreibung
+
+Regelmaessige Pruefung jaehrlich durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","COMPANY_ADDRESS","COMPANY_LEGAL_FORM","COMPANY_INDUSTRY","COMPANY_SIZE","DPO_NAME","DPO_EMAIL","DPO_PHONE","ISB_NAME","ISB_EMAIL","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE","SCOPE_DESCRIPTION","WEBSITE_URL","CLASSIFICATION_LEVELS"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 2: Datenschutzkonzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'data_protection_concept',
+    'Datenschutzkonzept (DSGVO)',
+    'Datenschutzkonzept gemaess DSGVO Art. 5, 6, 12-22, 24, 25, 28, 32-35. Beschreibt Datenschutzstrategie, Betroffenenrechte, TOMs und Auftragsverarbeitung.',
+    $template$# Datenschutzkonzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{DPO_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+---
+
+## 1. Zweck und Geltungsbereich
+
+Dieses Datenschutzkonzept beschreibt die Strategie und Massnahmen der {{COMPANY_NAME}} zum Schutz personenbezogener Daten gemaess DSGVO und BDSG.
+
+**Geltungsbereich**: {{SCOPE_DESCRIPTION}}
+
+---
+
+## 2. Datenschutzorganisation
+
+### 2.1 Datenschutzbeauftragter
+
+| Feld | Wert |
+|------|------|
+| Name | {{DPO_NAME}} |
+| E-Mail | {{DPO_EMAIL}} |
+| Telefon | {{DPO_PHONE}} |
+
+### 2.2 Verantwortlicher
+{{COMPANY_NAME}}, {{COMPANY_ADDRESS}}, vertreten durch {{GF_NAME}}.
+
+---
+
+## 3. Grundsaetze der Verarbeitung (Art. 5 DSGVO)
+
+| Grundsatz | Umsetzung |
+|-----------|-----------|
+| Rechtmaessigkeit | Jede Verarbeitung hat eine Rechtsgrundlage (Art. 6) |
+| Zweckbindung | Daten nur fuer festgelegte Zwecke |
+| Datenminimierung | Nur erforderliche Daten erheben |
+| Richtigkeit | Regelmaessige Aktualisierung |
+| Speicherbegrenzung | Loeschfristen gemaess Loeschkonzept |
+| Integritaet/Vertraulichkeit | TOMs gemaess Art. 32 |
+| Rechenschaftspflicht | Dokumentation aller Massnahmen |
+
+---
+
+## 4. Rechtsgrundlagen (Art. 6 DSGVO)
+
+- **Einwilligung (Art. 6 Abs. 1 lit. a)**: Newsletter, Marketing, Cookies, Analytics
+- **Vertragserfullung (Art. 6 Abs. 1 lit. b)**: Kundenvertragsdaten, Support
+- **Rechtliche Verpflichtung (Art. 6 Abs. 1 lit. c)**: Steuerliche Aufbewahrung
+- **Berechtigtes Interesse (Art. 6 Abs. 1 lit. f)**: IT-Sicherheit, Betrugspraevention
+
+---
+
+## 5. Verarbeitungstaetigkeiten
+
+Alle Verarbeitungen im VVT gemaess Art. 30 DSGVO dokumentiert.
+
+---
+
+## 6. Betroffenenrechte (Art. 12-22 DSGVO)
+
+| Recht | Artikel | Frist |
+|-------|---------|-------|
+| Auskunft | Art. 15 | 1 Monat |
+| Berichtigung | Art. 16 | Unverzueglich |
+| Loeschung | Art. 17 | 1 Monat |
+| Einschraenkung | Art. 18 | Unverzueglich |
+| Datenportabilitaet | Art. 20 | 1 Monat |
+| Widerspruch | Art. 21 | Unverzueglich |
+
+---
+
+## 7. Technisch-Organisatorische Massnahmen (Art. 32 DSGVO)
+
+| Bereich | Massnahme |
+|---------|-----------|
+| Zutrittskontrolle | Zutrittskontrollsystem, Besucherregelung |
+| Zugangskontrolle | MFA, Passwortrichtlinie, Bildschirmsperre |
+| Zugriffskontrolle | RBAC, Least Privilege |
+| Weitergabekontrolle | TLS 1.2+, VPN |
+| Eingabekontrolle | Audit-Logging |
+| Auftragskontrolle | AV-Vertraege, Lieferantenbewertung |
+| Verfuegbarkeitskontrolle | Backup, USV, Redundanz |
+| Trennungskontrolle | Mandantentrennung |
+
+---
+
+## 8. Auftragsverarbeitung (Art. 28 DSGVO)
+
+- Schriftlicher AV-Vertrag mit allen Inhalten gemaess Art. 28 Abs. 3
+- Nachweis angemessener TOMs
+- Jaehrliche Neubewertung
+
+---
+
+## 9. Drittlandsuebermittlung (Art. 44-49 DSGVO)
+
+Uebermittlung nur bei Angemessenheitsbeschluss (Art. 45) oder SCC (Art. 46). Transfer Impact Assessment fuer jede Drittlandsuebermittlung ohne Angemessenheitsbeschluss.
+
+---
+
+## 10. DSFA (Art. 35 DSGVO)
+
+DSFA bei voraussichtlich hohem Risiko fuer Rechte und Freiheiten. Schwellwertanalyse mit 9 Pruefkriterien (mind. 2 zutreffend = DSFA erforderlich).
+
+---
+
+## 11. Datenpannenmanagement (Art. 33/34 DSGVO)
+
+1. Erkennung und interne Meldung an DSB (unverzueglich)
+2. Risikobewertung
+3. Meldung an Aufsichtsbehoerde innerhalb 72h (Art. 33)
+4. Benachrichtigung Betroffener bei hohem Risiko (Art. 34)
+5. Dokumentation aller Vorfaelle
+
+---
+
+## 12. Loeschkonzept
+
+| Datenkategorie | Aufbewahrungsfrist | Rechtsgrundlage |
+|---------------|-------------------|----------------|
+| Vertragsdaten | 10 Jahre | § 257 HGB, § 147 AO |
+| Bewerberdaten | 6 Monate nach Absage | AGG-Frist |
+| Logdaten | 90 Tage | Berechtigtes Interesse |
+
+---
+
+## 13. Schulung und Sensibilisierung
+
+- Onboarding: Datenschutz-Grundschulung (Pflicht, innerhalb 30 Tagen)
+- Jaehrliche Auffrischungsschulung
+- Spezialschulungen fuer HR, IT, Vertrieb
+
+---
+
+## 14. Revision
+
+Jaehrliche Pruefung durch DSB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","COMPANY_ADDRESS","DPO_NAME","DPO_EMAIL","DPO_PHONE","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE","SCOPE_DESCRIPTION"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 3: Backup- und Recovery-Konzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'backup_recovery_concept',
+    'Backup- und Recovery-Konzept',
+    'Backup- und Recovery-Konzept nach BSI IT-Grundschutz CON.3 und ISO 27001. Definiert Backup-Strategie, RTO/RPO, Speicherorte und Testplan.',
+    $template$# Backup- und Recovery-Konzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+---
+
+## 1. Ziele und Anforderungen
+
+### 1.1 Schutzziele
+- **Verfuegbarkeit**: Wiederherstellung innerhalb definierter Zeiten
+- **Integritaet**: Datenkonsistenz nach Wiederherstellung
+- **Vertraulichkeit**: Schutz der Backup-Daten
+
+### 1.2 Recovery-Ziele
+
+| Klasse | RTO | RPO | Beispiele |
+|--------|-----|-----|-----------|
+| Tier 1 | 4h | 1h | Produktions-DB, ERP, E-Mail |
+| Tier 2 | 24h | 4h | Intranet, File-Server, CRM |
+| Tier 3 | 72h | 24h | Entwicklungsumgebung, Archiv |
+
+---
+
+## 2. Backup-Strategie (3-2-1-Regel)
+
+- **3** Kopien jeder Datei
+- **2** unterschiedliche Speichermedien
+- **1** Kopie offsite
+
+### 2.1 Backup-Typen
+
+| Typ | Haeufigkeit | Speicherdauer |
+|-----|-------------|---------------|
+| Voll-Backup | Woechentlich (So) | 90 Tage |
+| Inkrementelles Backup | Taeglich (Mo-Sa) | 30 Tage |
+| Snapshot | Stuendlich (Tier 1) | 7 Tage |
+| Datenbank-Dump | Taeglich | 30 Tage |
+
+---
+
+## 3. Speicherorte und Verschluesselung
+
+| Speicherort | Verschluesselung | Aufbewahrung |
+|-------------|-----------------|--------------|
+| Lokaler Storage | AES-256 at-rest | 30 Tage |
+| Offsite/Cloud | AES-256 + TLS | 90 Tage |
+| Langzeitarchiv | AES-256 | 10 Jahre |
+
+---
+
+## 4. Aufbewahrungsfristen
+
+| Datenkategorie | Frist | Grundlage |
+|---------------|-------|-----------|
+| Handelsbuecher | 10 Jahre | § 257 HGB |
+| Steuerunterlagen | 10 Jahre | § 147 AO |
+| Geschaeftskorrespondenz | 6 Jahre | § 257 HGB |
+| Logdaten | 90 Tage | Berechtigtes Interesse |
+
+---
+
+## 5. Recovery-Verfahren
+
+| Szenario | Verfahren | Dauer |
+|----------|-----------|-------|
+| Einzelne Datei | Granularer Restore | 15-60 Min |
+| Datenbank | Point-in-Time Recovery | 1-4h |
+| Server | VM-Snapshot + Inkr. | 2-8h |
+| Kompletter Standort | Disaster Recovery | 8-24h |
+
+---
+
+## 6. Testplan
+
+| Test | Haeufigkeit | Verantwortlich |
+|------|-------------|---------------|
+| Restore einzelne Datei | Monatlich | IT-Admin |
+| Datenbank-Restore | Quartalsweise | DBA |
+| Komplett-Restore | Halbjaehrlich | IT-Leitung |
+| Disaster-Recovery-Test | Jaehrlich | ISB |
+
+---
+
+## 7. Monitoring und Alerting
+
+- Automatische Ueberwachung aller Backup-Jobs
+- Alerting bei fehlgeschlagenen Backups, Speicherplatz < 20%
+- Woechentlicher Status-Report an IT-Leitung
+
+---
+
+## 8. Revision
+
+Jaehrliche Pruefung durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","ISB_NAME","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 4: Logging-Konzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'logging_concept',
+    'Logging-Konzept',
+    'Logging-Konzept nach BSI IT-Grundschutz OPS.1.1.5 und BSI TR-03161. Definiert zu protokollierende Ereignisse, Speicherung, SIEM-Integration.',
+    $template$# Logging-Konzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+---
+
+## 1. Zweck und rechtliche Grundlagen
+
+### 1.1 Zweck
+- Erkennung von Sicherheitsvorfaellen
+- Forensische Analyse und Nachverfolgbarkeit
+- Erfuellung gesetzlicher Nachweispflichten
+
+### 1.2 Rechtliche Grundlagen
+
+| Norm | Anforderung |
+|------|------------|
+| DSGVO Art. 32 | Sicherheit der Verarbeitung |
+| DSGVO Art. 5 Abs. 2 | Rechenschaftspflicht |
+| BSI OPS.1.1.5 | Protokollierung |
+| ISO 27001 A.8.15 | Logging |
+
+### 1.3 Datenschutzaspekte
+- Logdaten koennen personenbezogene Daten enthalten
+- Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO
+- Pseudonymisierung wo moeglich
+
+---
+
+## 2. Zu protokollierende Ereignisse
+
+### 2.1 Pflicht-Ereignisse
+
+| Kategorie | Ereignisse |
+|-----------|-----------|
+| Authentifizierung | Login/Logout, Passwort-Aenderung, MFA-Events |
+| Autorisierung | Zugriffsverweigerung, Berechtigungsaenderung |
+| Datenzugriff | Lesen/Schreiben/Loeschen sensibler Daten |
+| Administration | Konfigurationsaenderungen, Benutzeranlage/-loeschung |
+| Sicherheit | Firewall-Events, IDS-Alarme, Malware-Erkennung |
+
+### 2.2 Verbotene Protokollierung
+- Passwoerter im Klartext (NIEMALS)
+- Vollstaendige Kreditkartennummern
+- Gesundheitsdaten ohne Erforderlichkeit
+
+---
+
+## 3. Log-Format
+
+### 3.1 Pflichtfelder
+
+| Feld | Beschreibung |
+|------|-------------|
+| timestamp | ISO 8601 mit Zeitzone |
+| severity | INFO, WARN, ERROR, CRITICAL |
+| source | System/Anwendung |
+| event_type | Ereigniskategorie |
+| user_id | Pseudonymisierter Benutzer |
+| ip_address | Quell-IP |
+| action | Durchgefuehrte Aktion |
+| resource | Betroffene Ressource |
+| result | Ergebnis |
+
+---
+
+## 4. Speicherung und Aufbewahrung
+
+| Log-Kategorie | Aufbewahrung |
+|--------------|-------------|
+| Sicherheits-Logs | 12 Monate |
+| Zugriffs-Logs | 6 Monate |
+| System-Logs | 90 Tage |
+| Debug-Logs | 30 Tage |
+| Audit-Logs | 10 Jahre |
+
+---
+
+## 5. Zugriff auf Logs
+
+| Rolle | Zugriff | Bedingung |
+|-------|---------|-----------|
+| IT-Admin | System-Logs, Debug-Logs | Dienstlich erforderlich |
+| ISB | Sicherheits-Logs | Anlassbezogen oder routinemaessig |
+| DSB | Audit-Logs (anonymisiert) | Datenschutzaudit |
+
+Zugriff wird selbst protokolliert (Meta-Logging).
+
+---
+
+## 6. Integritaetsschutz
+
+- Log-Dateien: Append-Only
+- Hashketten: Jeder Eintrag referenziert Hash des vorherigen
+- Zentrale Sammlung an Aggregator
+- 4-Augen-Prinzip fuer Loeschberechtigung
+
+---
+
+## 7. SIEM-Integration
+
+- Zentrales Log-Management
+- Log-Weiterleitung via Syslog (TLS)
+- Korrelation von Events aus verschiedenen Quellen
+- Echtzeit-Dashboards fuer ISB
+
+---
+
+## 8. Auswertung und Monitoring
+
+| Regel | Schwellwert | Aktion |
+|-------|-----------|--------|
+| Brute-Force | >5 fehlgeschlagene Logins/5min | Alert + Sperre |
+| Privilege Escalation | Jede Admin-Rollenaenderung | Alert an ISB |
+| Ungewoehnlicher Datenzugriff | >100 Records/min | Alert |
+
+---
+
+## 9. Revision
+
+Jaehrliche Pruefung durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","ISB_NAME","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 5: Incident-Response-Plan
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'incident_response_plan',
+    'Incident-Response-Plan (DSGVO Art. 33/34, NIS2)',
+    'Incident-Response-Plan fuer Sicherheitsvorfaelle und Datenpannen. Definiert Klassifizierung, Response-Team, Meldepflichten und Kommunikationsplan.',
+    $template$# Incident-Response-Plan
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+**WICHTIG: Dieses Dokument muss auch offline verfuegbar sein!**
+
+---
+
+## 1. Zweck und Geltungsbereich
+
+Dieser Plan definiert das Vorgehen bei Informationssicherheitsvorfaellen und Datenschutzverletzungen bei {{COMPANY_NAME}}.
+
+**Ziel**: Schnelle Erkennung, Eindaemmung, Behebung und Nachbereitung bei gleichzeitiger Erfuellung gesetzlicher Meldepflichten (DSGVO Art. 33: 72h, NIS2 Art. 23: 24h).
+
+---
+
+## 2. Incident-Klassifizierung
+
+| Severity | Beschreibung | Reaktionszeit |
+|----------|-------------|---------------|
+| SEV-1 (Kritisch) | Existenzbedrohend, groesserer Datenverlust | Sofort (< 1h) |
+| SEV-2 (Hoch) | Erheblicher Schaden, begrenzte Datenpanne | < 4h |
+| SEV-3 (Mittel) | Begrenzter Schaden, keine Datenpanne | < 24h |
+| SEV-4 (Niedrig) | Geringes Risiko, Regelverstoesse | < 72h |
+
+---
+
+## 3. Incident-Response-Team
+
+| Rolle | Person | Aufgabe |
+|-------|--------|---------|
+| Incident Manager | {{ISB_NAME}} | Gesamtkoordination |
+| DSB | {{DPO_NAME}} | Datenschutz-Bewertung, Meldung |
+| Geschaeftsfuehrung | {{GF_NAME}} | Entscheidungen, Krisenkommunikation |
+
+---
+
+## 4. Meldewege und Eskalation
+
+Alle Mitarbeiter melden Sicherheitsvorfaelle an: security@{{COMPANY_NAME}}
+
+| Stufe | Ausloeser | Informierte Personen |
+|-------|-----------|---------------------|
+| 1 | Jeder Verdacht | IT-Support, ISB |
+| 2 | Bestaetigt SEV-3+ | ISB, IT-Security, DSB |
+| 3 | SEV-2 oder Datenpanne | + GF, Recht |
+| 4 | SEV-1 | + Krisenstab, ext. Partner |
+
+---
+
+## 5. Phase 1: Erkennung und Bewertung
+
+Innerhalb von 30 Minuten nach Meldung:
+- Was ist passiert?
+- Sind personenbezogene Daten betroffen?
+- Severity-Einstufung
+- Eskalation erforderlich?
+
+---
+
+## 6. Phase 2: Eindaemmung
+
+- Betroffenes System isolieren
+- Kompromittierte Accounts sperren
+- **WICHTIG**: Beweissicherung VOR Bereinigung!
+
+---
+
+## 7. Phase 3: Beseitigung
+
+- Root Cause Analysis
+- Schadsoftware entfernen, Schwachstelle patchen
+- Kompromittierte Credentials rotieren
+
+---
+
+## 8. Phase 4: Wiederherstellung
+
+- Systeme aus sauberen Backups wiederherstellen
+- Schrittweise Wiederinbetriebnahme
+- Erhoehtes Monitoring fuer 30 Tage
+
+---
+
+## 9. Phase 5: Nachbereitung
+
+Innerhalb von 14 Tagen: Post-Incident-Review mit Timeline, Lessons Learned, Massnahmenplan.
+
+---
+
+## 10. Gesetzliche Meldepflichten
+
+### DSGVO Art. 33 — Aufsichtsbehoerde
+- Frist: 72 Stunden nach Kenntnis
+- Inhalt: Art der Verletzung, Kategorien/Anzahl Betroffene, Folgen, Gegenmassnahmen
+
+### DSGVO Art. 34 — Betroffene
+- Erforderlich bei hohem Risiko fuer Rechte und Freiheiten
+
+### NIS2 Art. 23 — BSI
+- Fruehwarnung: 24h, Erstbewertung: 72h, Abschlussbericht: 1 Monat
+
+---
+
+## 11. Kommunikationsplan
+
+| Zielgruppe | Kanal | Verantwortlich |
+|-----------|-------|----------------|
+| Mitarbeiter | E-Mail / Intranet | Kommunikation |
+| Kunden | E-Mail / Portal | GF |
+| Presse | Pressemitteilung | GF |
+| Behoerden | Meldeformular | DSB |
+
+---
+
+## 12. Testplan
+
+| Uebung | Haeufigkeit | Art |
+|--------|-------------|-----|
+| Tabletop-Uebung | Halbjaehrlich | Szenario-Durchsprache |
+| Technische Uebung | Jaehrlich | Simulierter Angriff |
+| Meldeprozess-Test | Jaehrlich | DSGVO-Meldung simulieren |
+
+---
+
+## 13. Revision
+
+Jaehrliche Pruefung durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","ISB_NAME","ISB_EMAIL","DPO_NAME","DPO_EMAIL","DPO_PHONE","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 6: Zugriffskonzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'access_control_concept',
+    'Zugriffskonzept (ISO 27001 / BSI IT-Grundschutz)',
+    'Zugriffskonzept nach ISO 27001 und BSI IT-Grundschutz ORP.4. Definiert RBAC, Benutzerlebenszyklus, Authentifizierung und privilegierten Zugriff.',
+    $template$# Zugriffskonzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+---
+
+## 1. Grundsaetze
+
+- **Need-to-Know**: Zugriff nur bei Erforderlichkeit
+- **Least Privilege**: Minimal notwendige Berechtigungen
+- **Separation of Duties**: Kritische Vorgaenge erfordern mehrere Personen
+
+---
+
+## 2. Rollen und Berechtigungskonzept (RBAC)
+
+| Rolle | Berechtigungen |
+|-------|---------------|
+| Benutzer (Standard) | Lesen eigener Daten |
+| Fachadministrator | Lesen/Schreiben Fachdaten |
+| IT-Administrator | Systemkonfiguration, Benutzerverwaltung |
+| Privilegierter Admin | Root/Domain-Admin |
+| Auditor | Lesezugriff auf Logs |
+| Service-Account | API-Zugriff, automatisiert |
+
+---
+
+## 3. Benutzerlebenszyklus
+
+### 3.1 Onboarding
+- Vorgesetzter beantragt Berechtigungen
+- IT richtet Zugang ein (innerhalb 2 Werktage)
+- Sicherheitsunterweisung innerhalb 30 Tage
+
+### 3.2 Versetzung
+- Neue Berechtigungen beantragen
+- Alte Berechtigungen entziehen
+
+### 3.3 Offboarding
+- Alle Accounts deaktivieren am letzten Arbeitstag
+- VPN/Remote sofort sperren
+- Account-Loeschung nach 30 Tagen
+
+---
+
+## 4. Authentifizierung
+
+### 4.1 Passwortrichtlinie
+
+| Anforderung | Wert |
+|-------------|------|
+| Mindestlaenge | 12 Zeichen |
+| Komplexitaet | Mind. 3 von 4 Kategorien |
+| Sperrung | Nach 5 Fehlversuchen |
+
+### 4.2 MFA
+
+| System | MFA Pflicht | Methode |
+|--------|------------|---------|
+| E-Mail | Ja | TOTP oder FIDO2 |
+| VPN | Ja | TOTP oder FIDO2 |
+| Admin-Zugaenge | Ja | FIDO2 (Hardware-Token) |
+
+---
+
+## 5. Privilegierter Zugriff (PAM)
+
+- Namentlich zugeordnete Admin-Accounts
+- Separater Account fuer Admin-Taetigkeiten
+- Vollstaendige Session-Protokollierung
+- Break-Glass-Verfahren fuer Notfallzugang (4-Augen-Prinzip)
+
+---
+
+## 6. Rezertifizierung
+
+| Pruefung | Haeufigkeit | Verantwortlich |
+|----------|-------------|---------------|
+| Standard-Berechtigungen | Halbjaehrlich | Fachabteilungsleitung |
+| Privilegierte Zugaenge | Quartalsweise | ISB + IT-Leitung |
+| Service-Accounts | Jaehrlich | IT-Leitung |
+| Externe Zugaenge | Quartalsweise | Account Manager |
+
+---
+
+## 7. Protokollierung
+
+Alle Zugriffsereignisse werden protokolliert (siehe Logging-Konzept):
+- Erfolgreiche und fehlgeschlagene Anmeldungen
+- Berechtigungsaenderungen
+- Zugriff auf sensible Daten
+- Break-Glass-Nutzung
+
+---
+
+## 8. Revision
+
+Jaehrliche Pruefung durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","ISB_NAME","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
+
+-- Template 7: Risikomanagement-Konzept
+INSERT INTO compliance_legal_templates (
+    id, tenant_id, document_type, title, description, content,
+    placeholders, language, jurisdiction,
+    license_id, license_name, source_name,
+    attribution_required, is_complete_document, version, status,
+    created_at, updated_at
+) VALUES (
+    gen_random_uuid(),
+    '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+    'risk_management_concept',
+    'Risikomanagement-Konzept (ISO 31000)',
+    'Risikomanagement-Konzept nach ISO 31000:2018 und ISO 27005:2022. Definiert Risikoprozess, 5x5-Matrix, Behandlungsoptionen und KPIs.',
+    $template$# Risikomanagement-Konzept
+
+## Dokumentenkontrolle
+
+| Feld | Wert |
+|------|------|
+| Unternehmen | {{COMPANY_NAME}} |
+| Version | {{DOCUMENT_VERSION}} |
+| Datum | {{VERSION_DATE}} |
+| Autor | {{ISB_NAME}} |
+| Freigabe | {{GF_NAME}} |
+| Naechste Pruefung | {{NEXT_REVIEW_DATE}} |
+
+---
+
+## 1. Zweck und Geltungsbereich
+
+Systematischer Prozess zur Identifikation, Bewertung, Behandlung und Ueberwachung von Risiken bei {{COMPANY_NAME}}.
+
+Umfasst:
+- Informationssicherheitsrisiken (ISO 27001)
+- Datenschutzrisiken (DSGVO Art. 35)
+- KI-Risiken (AI Act Art. 9, falls zutreffend)
+- Operative IT-Risiken
+
+---
+
+## 2. Risikomanagement-Organisation
+
+| Rolle | Person | Aufgabe |
+|-------|--------|---------|
+| Risk Owner | {{GF_NAME}} | Gesamtverantwortung, Risikoakzeptanz |
+| Risikomanager | {{ISB_NAME}} | Prozesssteuerung, Methodik, Reporting |
+| DSB | {{DPO_NAME}} | Datenschutzrisiken, DSFA |
+
+Quartalsmaessiges Risiko-Review im Sicherheitsgremium.
+
+---
+
+## 3. Risikomanagement-Prozess (ISO 31000)
+
+Kontext festlegen → Risikoidentifikation → Risikoanalyse → Risikobewertung → Risikobehandlung → Ueberwachung & Review
+
+---
+
+## 4. Risikoidentifikation
+
+### 4.1 Methoden
+- Asset-basierte Analyse
+- Szenario-basierte Analyse
+- Audit-Findings und Incident-Analyse
+- Bedrohungsintelligenz (BSI-Lageberichte)
+
+### 4.2 Risikokategorien
+
+| Kategorie | Beispiele |
+|-----------|-----------|
+| Vertraulichkeit | Datenleck, unbefugter Zugriff |
+| Integritaet | Datenmanipulation, Malware |
+| Verfuegbarkeit | Systemausfall, Ransomware |
+| Compliance | DSGVO-Verstoss, Bussgeld |
+| Reputation | Datenskandal, Kundenvertrauen |
+
+---
+
+## 5. Risikoanalyse und -bewertung
+
+### 5.1 Bewertungskriterien (5x5-Matrix)
+
+**Eintrittswahrscheinlichkeit**: 1 (sehr gering) bis 5 (sehr hoch)
+**Schadenshoehe**: 1 (vernachlaessigbar) bis 5 (existenzbedrohend)
+
+### 5.2 Risikoklassen
+
+| Score | Klasse | Massnahme |
+|-------|--------|-----------|
+| 1-4 | Niedrig | Akzeptieren oder beobachten |
+| 5-9 | Mittel | Massnahmen innerhalb 6 Monaten |
+| 10-15 | Hoch | Massnahmen innerhalb 90 Tagen |
+| 16-25 | Kritisch | Sofortmassnahmen erforderlich |
+
+---
+
+## 6. Risikobehandlung
+
+| Option | Beschreibung |
+|--------|-------------|
+| Vermeiden | Risikoquelle beseitigen |
+| Vermindern | Wahrscheinlichkeit oder Schaden reduzieren |
+| Uebertragen | Cyberversicherung, Outsourcing |
+| Akzeptieren | Dokumentierte Entscheidung |
+
+### Risikoakzeptanzkriterien
+
+| Bedingung | Entscheider |
+|-----------|-------------|
+| Score <= 4 | Risiko-Owner (Fachbereich) |
+| Score 5-9 | ISB |
+| Score 10-15 | Geschaeftsfuehrung |
+| Score >= 16 | Akzeptanz NICHT zulaessig |
+
+---
+
+## 7. KI-Risikobewertung (AI Act)
+
+| Risikoklasse | Anforderungen |
+|-------------|---------------|
+| Unakzeptabel (Art. 5) | Verboten |
+| Hochrisiko (Art. 6) | Risikomanagementsystem, Dokumentation, Human Oversight |
+| Begrenzt (Art. 50) | Transparenzpflicht |
+| Minimal | Keine besonderen Anforderungen |
+
+---
+
+## 8. Ueberwachung und Berichterstattung
+
+| Aktivitaet | Haeufigkeit |
+|-----------|-------------|
+| Risikoregister-Update | Quartalsweise |
+| Massnahmenwirksamkeit pruefen | Quartalsweise |
+| Risikobericht an GF | Quartalsweise |
+| Vollstaendige Risikobewertung | Jaehrlich |
+
+### KPIs
+
+| KPI | Zielwert |
+|-----|---------|
+| Kritische Risiken (Score >= 16) | 0 |
+| Durchschnittliches Restrisiko | < 8 |
+| Massnahmen-Umsetzungsquote | >= 90% |
+| Ueberfallige Massnahmen | 0 |
+
+---
+
+## 9. Revision
+
+Jaehrliche Pruefung durch ISB. Naechste Pruefung: {{NEXT_REVIEW_DATE}}.
+$template$,
+    CAST('["COMPANY_NAME","ISB_NAME","DPO_NAME","GF_NAME","DOCUMENT_VERSION","VERSION_DATE","NEXT_REVIEW_DATE"]' AS jsonb),
+    'de', 'DE',
+    'mit', 'MIT License', 'BreakPilot Compliance',
+    false, true, '1.0.0', 'published',
+    NOW(), NOW()
+) ON CONFLICT DO NOTHING;
diff --git a/backend-compliance/migrations/052_process_tasks.sql b/backend-compliance/migrations/052_process_tasks.sql
new file mode 100644
index 0000000..c777cc5
--- /dev/null
+++ b/backend-compliance/migrations/052_process_tasks.sql
@@ -0,0 +1,53 @@
+-- Process Manager: Recurring compliance tasks with audit trail
+-- Migration 052
+
+CREATE TABLE compliance_process_tasks (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    task_code VARCHAR(50) NOT NULL,
+    title VARCHAR(500) NOT NULL,
+    description TEXT,
+    category VARCHAR(50) NOT NULL
+        CHECK (category IN ('dsgvo','nis2','bsi','iso27001','ai_act','internal')),
+    priority VARCHAR(20) NOT NULL DEFAULT 'medium'
+        CHECK (priority IN ('critical','high','medium','low')),
+    frequency VARCHAR(20) NOT NULL DEFAULT 'yearly'
+        CHECK (frequency IN ('weekly','monthly','quarterly','semi_annual','yearly','once')),
+    assigned_to VARCHAR(255),
+    responsible_team VARCHAR(255),
+    linked_control_ids JSONB DEFAULT '[]',
+    linked_module VARCHAR(100),
+    last_completed_at TIMESTAMPTZ,
+    next_due_date DATE,
+    due_reminder_days INTEGER DEFAULT 14,
+    status VARCHAR(20) NOT NULL DEFAULT 'pending'
+        CHECK (status IN ('pending','in_progress','completed','overdue','skipped')),
+    completion_date TIMESTAMPTZ,
+    completion_result TEXT,
+    completion_evidence_id UUID,
+    follow_up_actions JSONB DEFAULT '[]',
+    is_seed BOOLEAN DEFAULT FALSE,
+    notes TEXT,
+    tags JSONB DEFAULT '[]',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, task_code)
+);
+
+CREATE TABLE compliance_process_task_history (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    task_id UUID NOT NULL REFERENCES compliance_process_tasks(id) ON DELETE CASCADE,
+    completed_by VARCHAR(255),
+    completed_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    result TEXT,
+    evidence_id UUID,
+    notes TEXT,
+    status VARCHAR(20) NOT NULL
+);
+
+CREATE INDEX idx_process_tasks_tenant ON compliance_process_tasks(tenant_id);
+CREATE INDEX idx_process_tasks_status ON compliance_process_tasks(status);
+CREATE INDEX idx_process_tasks_due ON compliance_process_tasks(next_due_date);
+CREATE INDEX idx_process_tasks_category ON compliance_process_tasks(category);
+CREATE INDEX idx_task_history_task ON compliance_process_task_history(task_id);
diff --git a/backend-compliance/migrations/053_evidence_checks.sql b/backend-compliance/migrations/053_evidence_checks.sql
new file mode 100644
index 0000000..b096d29
--- /dev/null
+++ b/backend-compliance/migrations/053_evidence_checks.sql
@@ -0,0 +1,62 @@
+-- Evidence Checks: Automated compliance verification
+-- Migration 053
+
+CREATE TABLE compliance_evidence_checks (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    check_code VARCHAR(50) NOT NULL,
+    title VARCHAR(500) NOT NULL,
+    description TEXT,
+    check_type VARCHAR(30) NOT NULL
+        CHECK (check_type IN ('tls_scan','header_check','certificate_check',
+               'config_scan','api_scan','dns_check','port_scan')),
+    target_url TEXT,
+    target_config JSONB DEFAULT '{}',
+    linked_control_ids JSONB DEFAULT '[]',
+    frequency VARCHAR(20) DEFAULT 'monthly'
+        CHECK (frequency IN ('daily','weekly','monthly','quarterly','manual')),
+    last_run_at TIMESTAMPTZ,
+    next_run_at TIMESTAMPTZ,
+    is_active BOOLEAN DEFAULT TRUE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, check_code)
+);
+
+CREATE TABLE compliance_evidence_check_results (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    check_id UUID NOT NULL REFERENCES compliance_evidence_checks(id) ON DELETE CASCADE,
+    tenant_id UUID NOT NULL,
+    run_status VARCHAR(20) NOT NULL DEFAULT 'running'
+        CHECK (run_status IN ('running','passed','failed','warning','error')),
+    result_data JSONB NOT NULL DEFAULT '{}',
+    summary TEXT,
+    findings_count INTEGER DEFAULT 0,
+    critical_findings INTEGER DEFAULT 0,
+    evidence_id UUID,
+    duration_ms INTEGER,
+    run_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE compliance_evidence_control_map (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    evidence_id UUID NOT NULL,
+    control_code VARCHAR(50) NOT NULL,
+    mapping_type VARCHAR(20) DEFAULT 'supports'
+        CHECK (mapping_type IN ('supports','partially_supports','required')),
+    verified_at TIMESTAMPTZ,
+    verified_by VARCHAR(255),
+    notes TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, evidence_id, control_code)
+);
+
+CREATE INDEX idx_evidence_checks_tenant ON compliance_evidence_checks(tenant_id);
+CREATE INDEX idx_evidence_checks_type ON compliance_evidence_checks(check_type);
+CREATE INDEX idx_evidence_checks_active ON compliance_evidence_checks(is_active);
+CREATE INDEX idx_check_results_check ON compliance_evidence_check_results(check_id);
+CREATE INDEX idx_check_results_status ON compliance_evidence_check_results(run_status);
+CREATE INDEX idx_evidence_control_map_tenant ON compliance_evidence_control_map(tenant_id);
+CREATE INDEX idx_evidence_control_map_control ON compliance_evidence_control_map(control_code);
diff --git a/backend-compliance/tests/test_dashboard_routes_extended.py b/backend-compliance/tests/test_dashboard_routes_extended.py
new file mode 100644
index 0000000..87bad34
--- /dev/null
+++ b/backend-compliance/tests/test_dashboard_routes_extended.py
@@ -0,0 +1,209 @@
+"""Tests for extended dashboard routes (roadmap, module-status, next-actions, snapshots)."""
+
+import pytest
+from unittest.mock import MagicMock, patch
+from fastapi.testclient import TestClient
+from fastapi import FastAPI
+from datetime import datetime, date, timedelta
+from decimal import Decimal
+
+from compliance.api.dashboard_routes import router
+from classroom_engine.database import get_db
+from compliance.api.tenant_utils import get_tenant_id
+
+DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
+
+
+# =============================================================================
+# Test App Setup
+# =============================================================================
+
+app = FastAPI()
+app.include_router(router)
+
+mock_db = MagicMock()
+
+
+def override_get_db():
+    yield mock_db
+
+
+def override_tenant():
+    return DEFAULT_TENANT_ID
+
+
+app.dependency_overrides[get_db] = override_get_db
+app.dependency_overrides[get_tenant_id] = override_tenant
+
+client = TestClient(app)
+
+
+# =============================================================================
+# Helpers
+# =============================================================================
+
+class MockControl:
+    def __init__(self, id="ctrl-001", control_id="CTRL-001", title="Test Control",
+                 status_val="planned", domain_val="gov", owner="ISB",
+                 next_review_at=None, category="security"):
+        self.id = id
+        self.control_id = control_id
+        self.title = title
+        self.status = MagicMock(value=status_val)
+        self.domain = MagicMock(value=domain_val)
+        self.owner = owner
+        self.next_review_at = next_review_at
+        self.category = category
+
+
+class MockRisk:
+    def __init__(self, inherent_risk_val="high", status="open"):
+        self.inherent_risk = MagicMock(value=inherent_risk_val)
+        self.status = status
+
+
+def make_snapshot_row(overrides=None):
+    data = {
+        "id": "snap-001",
+        "tenant_id": DEFAULT_TENANT_ID,
+        "project_id": None,
+        "score": Decimal("72.50"),
+        "controls_total": 20,
+        "controls_pass": 12,
+        "controls_partial": 5,
+        "evidence_total": 10,
+        "evidence_valid": 8,
+        "risks_total": 5,
+        "risks_high": 2,
+        "snapshot_date": date(2026, 3, 14),
+        "created_at": datetime(2026, 3, 14),
+    }
+    if overrides:
+        data.update(overrides)
+    row = MagicMock()
+    row._mapping = data
+    return row
+
+
+# =============================================================================
+# Tests
+# =============================================================================
+
+class TestDashboardRoadmap:
+    def test_roadmap_returns_buckets(self):
+        """Roadmap returns 4 buckets with controls."""
+        overdue = datetime.utcnow() - timedelta(days=10)
+        future = datetime.utcnow() + timedelta(days=30)
+
+        with patch("compliance.api.dashboard_routes.ControlRepository") as MockCtrlRepo:
+            instance = MockCtrlRepo.return_value
+            instance.get_all.return_value = [
+                MockControl(id="c1", status_val="planned", category="legal", next_review_at=overdue),
+                MockControl(id="c2", status_val="partial", category="security"),
+                MockControl(id="c3", status_val="planned", category="best_practice"),
+                MockControl(id="c4", status_val="pass"),  # should be excluded
+            ]
+
+            resp = client.get("/dashboard/roadmap")
+            assert resp.status_code == 200
+            data = resp.json()
+            assert "buckets" in data
+            assert "counts" in data
+            # c4 is pass, so excluded; c1 is legal+overdue → quick_wins
+            total_in_buckets = sum(data["counts"].values())
+            assert total_in_buckets == 3
+
+    def test_roadmap_empty_controls(self):
+        """Roadmap with no controls returns empty buckets."""
+        with patch("compliance.api.dashboard_routes.ControlRepository") as MockCtrlRepo:
+            MockCtrlRepo.return_value.get_all.return_value = []
+            resp = client.get("/dashboard/roadmap")
+            assert resp.status_code == 200
+            assert all(v == 0 for v in resp.json()["counts"].values())
+
+
+class TestModuleStatus:
+    def test_module_status_returns_modules(self):
+        """Module status returns list of modules with counts."""
+        # Mock db.execute for each module's COUNT query
+        count_result = MagicMock()
+        count_result.fetchone.return_value = (5,)
+        mock_db.execute.return_value = count_result
+
+        resp = client.get("/dashboard/module-status")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "modules" in data
+        assert data["total"] > 0
+        assert all(m["count"] == 5 for m in data["modules"])
+
+    def test_module_status_handles_missing_tables(self):
+        """Module status handles missing tables gracefully."""
+        mock_db.execute.side_effect = Exception("relation does not exist")
+
+        resp = client.get("/dashboard/module-status")
+        assert resp.status_code == 200
+        data = resp.json()
+        # All modules should have count=0 and status=not_started
+        assert all(m["count"] == 0 for m in data["modules"])
+        assert all(m["status"] == "not_started" for m in data["modules"])
+
+        mock_db.execute.side_effect = None  # reset
+
+
+class TestNextActions:
+    def test_next_actions_returns_sorted(self):
+        """Next actions returns controls sorted by urgency."""
+        overdue = datetime.utcnow() - timedelta(days=30)
+
+        with patch("compliance.api.dashboard_routes.ControlRepository") as MockCtrlRepo:
+            instance = MockCtrlRepo.return_value
+            instance.get_all.return_value = [
+                MockControl(id="c1", status_val="planned", category="legal", next_review_at=overdue),
+                MockControl(id="c2", status_val="partial", category="best_practice"),
+                MockControl(id="c3", status_val="pass"),  # excluded
+            ]
+
+            resp = client.get("/dashboard/next-actions?limit=5")
+            assert resp.status_code == 200
+            data = resp.json()
+            assert len(data["actions"]) == 2
+            # c1 should be first (higher urgency due to legal + overdue)
+            assert data["actions"][0]["control_id"] == "CTRL-001"
+
+
+class TestScoreSnapshot:
+    def test_create_snapshot(self):
+        """Creating a snapshot saves current score."""
+        with patch("compliance.api.dashboard_routes.ControlRepository") as MockCtrlRepo, \
+             patch("compliance.api.dashboard_routes.EvidenceRepository") as MockEvRepo, \
+             patch("compliance.api.dashboard_routes.RiskRepository") as MockRiskRepo:
+
+            MockCtrlRepo.return_value.get_statistics.return_value = {
+                "total": 20, "pass": 12, "partial": 5, "by_status": {}
+            }
+            MockEvRepo.return_value.get_statistics.return_value = {
+                "total": 10, "by_status": {"valid": 8}
+            }
+            MockRiskRepo.return_value.get_all.return_value = [
+                MockRisk("high"), MockRisk("critical"), MockRisk("low")
+            ]
+
+            snap_row = make_snapshot_row()
+            mock_db.execute.return_value.fetchone.return_value = snap_row
+
+            resp = client.post("/dashboard/snapshot")
+            assert resp.status_code == 200
+            data = resp.json()
+            assert "score" in data
+
+    def test_score_history(self):
+        """Score history returns snapshots."""
+        rows = [make_snapshot_row({"snapshot_date": date(2026, 3, i)}) for i in range(1, 4)]
+        mock_db.execute.return_value.fetchall.return_value = rows
+
+        resp = client.get("/dashboard/score-history?months=3")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total"] == 3
+        assert len(data["snapshots"]) == 3
diff --git a/backend-compliance/tests/test_evidence_check_routes.py b/backend-compliance/tests/test_evidence_check_routes.py
new file mode 100644
index 0000000..4a90244
--- /dev/null
+++ b/backend-compliance/tests/test_evidence_check_routes.py
@@ -0,0 +1,374 @@
+"""Tests for Evidence Check routes (evidence_check_routes.py)."""
+
+import json
+import pytest
+from unittest.mock import MagicMock, patch, AsyncMock
+from datetime import datetime
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+
+from compliance.api.evidence_check_routes import router, VALID_CHECK_TYPES
+from classroom_engine.database import get_db
+from compliance.api.tenant_utils import get_tenant_id
+
+# ---------------------------------------------------------------------------
+# App setup with mocked DB dependency
+# ---------------------------------------------------------------------------
+
+app = FastAPI()
+app.include_router(router)
+
+DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
+CHECK_ID = "ffffffff-0001-0001-0001-000000000001"
+RESULT_ID = "eeeeeeee-0001-0001-0001-000000000001"
+MAPPING_ID = "dddddddd-0001-0001-0001-000000000001"
+EVIDENCE_ID = "cccccccc-0001-0001-0001-000000000001"
+NOW = datetime(2026, 3, 14, 12, 0, 0)
+
+
+def override_get_tenant_id():
+    return DEFAULT_TENANT_ID
+
+
+app.dependency_overrides[get_tenant_id] = override_get_tenant_id
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+def _make_check_row(overrides=None):
+    """Create a mock DB row for a check."""
+    data = {
+        "id": CHECK_ID,
+        "tenant_id": DEFAULT_TENANT_ID,
+        "project_id": None,
+        "check_code": "TLS-SCAN-001",
+        "title": "TLS-Scan Hauptwebseite",
+        "description": "Prueft TLS",
+        "check_type": "tls_scan",
+        "target_url": "https://example.com",
+        "target_config": {},
+        "linked_control_ids": [],
+        "frequency": "monthly",
+        "last_run_at": None,
+        "next_run_at": None,
+        "is_active": True,
+        "created_at": NOW,
+        "updated_at": NOW,
+    }
+    if overrides:
+        data.update(overrides)
+    row = MagicMock()
+    row._mapping = data
+    row.__getitem__ = lambda self, i: list(data.values())[i]
+    return row
+
+
+def _make_result_row(overrides=None):
+    """Create a mock DB row for a result."""
+    data = {
+        "id": RESULT_ID,
+        "check_id": CHECK_ID,
+        "tenant_id": DEFAULT_TENANT_ID,
+        "run_status": "passed",
+        "result_data": {"tls_version": "TLSv1.3"},
+        "summary": "TLS TLSv1.3",
+        "findings_count": 0,
+        "critical_findings": 0,
+        "evidence_id": None,
+        "duration_ms": 150,
+        "run_at": NOW,
+    }
+    if overrides:
+        data.update(overrides)
+    row = MagicMock()
+    row._mapping = data
+    row.__getitem__ = lambda self, i: list(data.values())[i]
+    return row
+
+
+def _make_mapping_row(overrides=None):
+    data = {
+        "id": MAPPING_ID,
+        "tenant_id": DEFAULT_TENANT_ID,
+        "evidence_id": EVIDENCE_ID,
+        "control_code": "TOM-001",
+        "mapping_type": "supports",
+        "verified_at": None,
+        "verified_by": None,
+        "notes": "Test mapping",
+        "created_at": NOW,
+    }
+    if overrides:
+        data.update(overrides)
+    row = MagicMock()
+    row._mapping = data
+    row.__getitem__ = lambda self, i: list(data.values())[i]
+    return row
+
+
+# ---------------------------------------------------------------------------
+# Tests
+# ---------------------------------------------------------------------------
+
+class TestListChecks:
+    def test_list_checks(self):
+        mock_db = MagicMock()
+        # COUNT query
+        count_row = MagicMock()
+        count_row.__getitem__ = lambda self, i: 2
+        # Data rows
+        rows = [_make_check_row(), _make_check_row({"check_code": "TLS-SCAN-002"})]
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=count_row)),
+            MagicMock(fetchall=MagicMock(return_value=rows)),
+        ]
+
+        app.dependency_overrides[get_db] = lambda: (yield mock_db).__next__() or mock_db
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.get("/evidence-checks")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "checks" in data
+        assert len(data["checks"]) == 2
+
+
+class TestCreateCheck:
+    def test_create_check(self):
+        mock_db = MagicMock()
+        mock_db.execute.return_value.fetchone.return_value = _make_check_row()
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.post("/evidence-checks", json={
+            "check_code": "TLS-SCAN-001",
+            "title": "TLS-Scan Hauptwebseite",
+            "check_type": "tls_scan",
+            "frequency": "monthly",
+        })
+        assert resp.status_code == 201
+        data = resp.json()
+        assert data["check_code"] == "TLS-SCAN-001"
+
+    def test_create_check_invalid_type(self):
+        mock_db = MagicMock()
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.post("/evidence-checks", json={
+            "check_code": "INVALID-001",
+            "title": "Invalid Check",
+            "check_type": "invalid_type",
+        })
+        assert resp.status_code == 400
+        assert "Ungueltiger check_type" in resp.json()["detail"]
+
+
+class TestGetSingleCheck:
+    def test_get_single_check(self):
+        mock_db = MagicMock()
+        check_row = _make_check_row()
+        result_rows = [_make_result_row()]
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=check_row)),
+            MagicMock(fetchall=MagicMock(return_value=result_rows)),
+        ]
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.get(f"/evidence-checks/{CHECK_ID}")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["check_code"] == "TLS-SCAN-001"
+        assert "recent_results" in data
+        assert len(data["recent_results"]) == 1
+
+
+class TestUpdateCheck:
+    def test_update_check(self):
+        mock_db = MagicMock()
+        updated_row = _make_check_row({"title": "Updated Title"})
+        mock_db.execute.return_value.fetchone.return_value = updated_row
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.put(f"/evidence-checks/{CHECK_ID}", json={
+            "title": "Updated Title",
+        })
+        assert resp.status_code == 200
+        assert resp.json()["title"] == "Updated Title"
+
+
+class TestDeleteCheck:
+    def test_delete_check(self):
+        mock_db = MagicMock()
+        mock_db.execute.return_value.rowcount = 1
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.delete(f"/evidence-checks/{CHECK_ID}")
+        assert resp.status_code == 204
+
+
+class TestRunCheckTLS:
+    def test_run_check_tls(self):
+        mock_db = MagicMock()
+        check_row = _make_check_row()
+        result_insert_row = _make_result_row({"run_status": "running"})
+        result_update_row = _make_result_row({"run_status": "passed"})
+
+        mock_db.execute.side_effect = [
+            # Load check
+            MagicMock(fetchone=MagicMock(return_value=check_row)),
+            # Insert running result
+            MagicMock(fetchone=MagicMock(return_value=result_insert_row)),
+            # Update result
+            MagicMock(fetchone=MagicMock(return_value=result_update_row)),
+            # Update check timestamps
+            MagicMock(),
+        ]
+        mock_db.commit = MagicMock()
+
+        tls_result = {
+            "run_status": "passed",
+            "result_data": {"tls_version": "TLSv1.3", "findings": []},
+            "summary": "TLS TLSv1.3, Zertifikat gueltig",
+            "findings_count": 0,
+            "critical_findings": 0,
+            "duration_ms": 100,
+        }
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        with patch("compliance.api.evidence_check_routes._run_tls_scan", new_callable=AsyncMock, return_value=tls_result):
+            resp = client.post(f"/evidence-checks/{CHECK_ID}/run")
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["run_status"] == "passed"
+
+
+class TestRunCheckHeader:
+    def test_run_check_header(self):
+        mock_db = MagicMock()
+        check_row = _make_check_row({"check_type": "header_check"})
+        result_insert_row = _make_result_row({"run_status": "running"})
+        result_update_row = _make_result_row({"run_status": "warning"})
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=check_row)),
+            MagicMock(fetchone=MagicMock(return_value=result_insert_row)),
+            MagicMock(fetchone=MagicMock(return_value=result_update_row)),
+            MagicMock(),
+        ]
+        mock_db.commit = MagicMock()
+
+        header_result = {
+            "run_status": "warning",
+            "result_data": {"missing_headers": ["Permissions-Policy"], "findings": []},
+            "summary": "5/6 Security-Header vorhanden",
+            "findings_count": 1,
+            "critical_findings": 0,
+            "duration_ms": 200,
+        }
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        with patch("compliance.api.evidence_check_routes._run_header_check", new_callable=AsyncMock, return_value=header_result):
+            resp = client.post(f"/evidence-checks/{CHECK_ID}/run")
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["run_status"] == "warning"
+
+
+class TestSeedChecks:
+    def test_seed_checks(self):
+        mock_db = MagicMock()
+        # Each seed INSERT returns rowcount=1
+        mock_result = MagicMock()
+        mock_result.rowcount = 1
+        mock_db.execute.return_value = mock_result
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        resp = client.post("/evidence-checks/seed")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total_definitions"] == 15
+        assert data["seeded"] == 15
+
+
+class TestMappingsCRUD:
+    def test_mappings_crud(self):
+        mock_db = MagicMock()
+
+        def override_db():
+            yield mock_db
+
+        app.dependency_overrides[get_db] = override_db
+        client = TestClient(app)
+
+        # Create mapping
+        mapping_row = _make_mapping_row()
+        mock_db.execute.return_value.fetchone.return_value = mapping_row
+
+        resp = client.post("/evidence-checks/mappings", json={
+            "evidence_id": EVIDENCE_ID,
+            "control_code": "TOM-001",
+            "mapping_type": "supports",
+            "notes": "Test mapping",
+        })
+        assert resp.status_code == 201
+        data = resp.json()
+        assert data["control_code"] == "TOM-001"
+
+        # List mappings
+        mock_db.execute.return_value.fetchall.return_value = [mapping_row]
+        resp = client.get("/evidence-checks/mappings")
+        assert resp.status_code == 200
+        assert "mappings" in resp.json()
+
+        # Delete mapping
+        mock_db.execute.return_value.rowcount = 1
+        resp = client.delete(f"/evidence-checks/mappings/{MAPPING_ID}")
+        assert resp.status_code == 204
diff --git a/backend-compliance/tests/test_process_task_routes.py b/backend-compliance/tests/test_process_task_routes.py
new file mode 100644
index 0000000..6d4020d
--- /dev/null
+++ b/backend-compliance/tests/test_process_task_routes.py
@@ -0,0 +1,525 @@
+"""Tests for compliance process task routes (process_task_routes.py)."""
+
+import pytest
+from unittest.mock import MagicMock, patch, call
+from datetime import datetime, date, timedelta
+
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+
+from compliance.api.process_task_routes import (
+    router,
+    ProcessTaskCreate,
+    ProcessTaskUpdate,
+    ProcessTaskComplete,
+    ProcessTaskSkip,
+    VALID_CATEGORIES,
+    VALID_FREQUENCIES,
+    VALID_PRIORITIES,
+    VALID_STATUSES,
+    FREQUENCY_DAYS,
+)
+from classroom_engine.database import get_db
+from compliance.api.tenant_utils import get_tenant_id
+
+DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
+TASK_ID = "ffffffff-0001-0001-0001-000000000001"
+
+app = FastAPI()
+app.include_router(router)
+
+
+# ---------------------------------------------------------------------------
+# Mock helpers
+# ---------------------------------------------------------------------------
+
+class _MockRow:
+    """Simulates a SQLAlchemy row with _mapping attribute."""
+    def __init__(self, data: dict):
+        self._mapping = data
+
+    def __getitem__(self, idx):
+        vals = list(self._mapping.values())
+        return vals[idx]
+
+
+def _make_task_row(overrides=None):
+    now = datetime(2026, 3, 14, 12, 0, 0)
+    data = {
+        "id": TASK_ID,
+        "tenant_id": DEFAULT_TENANT_ID,
+        "project_id": None,
+        "task_code": "DSGVO-VVT-REVIEW",
+        "title": "VVT-Review und Aktualisierung",
+        "description": "Jaehrliche Ueberpruefung des VVT.",
+        "category": "dsgvo",
+        "priority": "high",
+        "frequency": "yearly",
+        "assigned_to": None,
+        "responsible_team": None,
+        "linked_control_ids": [],
+        "linked_module": "vvt",
+        "last_completed_at": None,
+        "next_due_date": date(2027, 3, 14),
+        "due_reminder_days": 14,
+        "status": "pending",
+        "completion_date": None,
+        "completion_result": None,
+        "completion_evidence_id": None,
+        "follow_up_actions": [],
+        "is_seed": False,
+        "notes": None,
+        "tags": [],
+        "created_at": now,
+        "updated_at": now,
+    }
+    if overrides:
+        data.update(overrides)
+    return _MockRow(data)
+
+
+def _make_history_row(overrides=None):
+    now = datetime(2026, 3, 14, 12, 0, 0)
+    data = {
+        "id": "eeeeeeee-0001-0001-0001-000000000001",
+        "task_id": TASK_ID,
+        "completed_by": "admin",
+        "completed_at": now,
+        "result": "Alles in Ordnung",
+        "evidence_id": None,
+        "notes": "Keine Auffaelligkeiten",
+        "status": "completed",
+    }
+    if overrides:
+        data.update(overrides)
+    return _MockRow(data)
+
+
+def _count_row(val):
+    """Simulates a COUNT(*) row — fetchone()[0] returns the value."""
+    row = MagicMock()
+    row.__getitem__ = lambda self, idx: val
+    return row
+
+
+@pytest.fixture
+def mock_db():
+    db = MagicMock()
+    app.dependency_overrides[get_db] = lambda: db
+    yield db
+    app.dependency_overrides.pop(get_db, None)
+
+
+@pytest.fixture
+def client(mock_db):
+    return TestClient(app)
+
+
+# =============================================================================
+# Test 1: List Tasks
+# =============================================================================
+
+class TestListTasks:
+    def test_list_tasks(self, client, mock_db):
+        """List tasks returns items and total."""
+        row = _make_task_row()
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=_count_row(1))),
+            MagicMock(fetchall=MagicMock(return_value=[row])),
+        ]
+        resp = client.get("/process-tasks")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total"] == 1
+        assert len(data["tasks"]) == 1
+        assert data["tasks"][0]["id"] == TASK_ID
+        assert data["tasks"][0]["task_code"] == "DSGVO-VVT-REVIEW"
+
+    def test_list_tasks_empty(self, client, mock_db):
+        """List tasks returns empty when no tasks."""
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=_count_row(0))),
+            MagicMock(fetchall=MagicMock(return_value=[])),
+        ]
+        resp = client.get("/process-tasks")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total"] == 0
+        assert data["tasks"] == []
+
+
+# =============================================================================
+# Test 2: List Tasks with Filters
+# =============================================================================
+
+class TestListTasksWithFilters:
+    def test_list_tasks_with_filters(self, client, mock_db):
+        """Filter by status and category."""
+        row = _make_task_row({"status": "overdue", "category": "nis2"})
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=_count_row(1))),
+            MagicMock(fetchall=MagicMock(return_value=[row])),
+        ]
+        resp = client.get("/process-tasks?status=overdue&category=nis2")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["tasks"][0]["status"] == "overdue"
+        assert data["tasks"][0]["category"] == "nis2"
+
+    def test_list_tasks_overdue_filter(self, client, mock_db):
+        """Filter overdue=true adds date condition."""
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=_count_row(0))),
+            MagicMock(fetchall=MagicMock(return_value=[])),
+        ]
+        resp = client.get("/process-tasks?overdue=true")
+        assert resp.status_code == 200
+        # Verify the SQL was called (mock_db.execute called twice: count + select)
+        assert mock_db.execute.call_count == 2
+
+
+# =============================================================================
+# Test 3: Get Stats
+# =============================================================================
+
+class TestGetStats:
+    def test_get_stats(self, client, mock_db):
+        """Verify stat counts structure."""
+        stats_row = MagicMock()
+        stats_row._mapping = {
+            "total": 50,
+            "pending": 20,
+            "in_progress": 5,
+            "completed": 15,
+            "overdue": 8,
+            "skipped": 2,
+            "overdue_count": 8,
+            "due_7_days": 3,
+            "due_14_days": 7,
+            "due_30_days": 12,
+        }
+        cat_row1 = MagicMock()
+        cat_row1._mapping = {"category": "dsgvo", "cnt": 15}
+        cat_row2 = MagicMock()
+        cat_row2._mapping = {"category": "nis2", "cnt": 10}
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=stats_row)),
+            MagicMock(fetchall=MagicMock(return_value=[cat_row1, cat_row2])),
+        ]
+        resp = client.get("/process-tasks/stats")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total"] == 50
+        assert data["by_status"]["pending"] == 20
+        assert data["by_status"]["completed"] == 15
+        assert data["overdue_count"] == 8
+        assert data["due_7_days"] == 3
+        assert data["due_30_days"] == 12
+        assert data["by_category"]["dsgvo"] == 15
+        assert data["by_category"]["nis2"] == 10
+
+    def test_get_stats_empty(self, client, mock_db):
+        """Stats with no tasks returns zeros."""
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=None)),
+            MagicMock(fetchall=MagicMock(return_value=[])),
+        ]
+        resp = client.get("/process-tasks/stats")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["total"] == 0
+        assert data["by_category"] == {}
+
+
+# =============================================================================
+# Test 4: Create Task
+# =============================================================================
+
+class TestCreateTask:
+    def test_create_task(self, client, mock_db):
+        """Create a valid task returns 201."""
+        row = _make_task_row()
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=row))
+        resp = client.post("/process-tasks", json={
+            "task_code": "DSGVO-VVT-REVIEW",
+            "title": "VVT-Review und Aktualisierung",
+            "category": "dsgvo",
+            "priority": "high",
+            "frequency": "yearly",
+        })
+        assert resp.status_code == 201
+        data = resp.json()
+        assert data["id"] == TASK_ID
+        assert data["task_code"] == "DSGVO-VVT-REVIEW"
+        mock_db.commit.assert_called_once()
+
+
+# =============================================================================
+# Test 5: Create Task Invalid Category
+# =============================================================================
+
+class TestCreateTaskInvalidCategory:
+    def test_create_task_invalid_category(self, client, mock_db):
+        """Invalid category returns 400."""
+        resp = client.post("/process-tasks", json={
+            "task_code": "TEST-001",
+            "title": "Test",
+            "category": "invalid_category",
+        })
+        assert resp.status_code == 400
+        assert "Invalid category" in resp.json()["detail"]
+
+    def test_create_task_invalid_priority(self, client, mock_db):
+        """Invalid priority returns 400."""
+        resp = client.post("/process-tasks", json={
+            "task_code": "TEST-001",
+            "title": "Test",
+            "category": "dsgvo",
+            "priority": "super_high",
+        })
+        assert resp.status_code == 400
+        assert "Invalid priority" in resp.json()["detail"]
+
+    def test_create_task_invalid_frequency(self, client, mock_db):
+        """Invalid frequency returns 400."""
+        resp = client.post("/process-tasks", json={
+            "task_code": "TEST-001",
+            "title": "Test",
+            "category": "dsgvo",
+            "frequency": "biweekly",
+        })
+        assert resp.status_code == 400
+        assert "Invalid frequency" in resp.json()["detail"]
+
+
+# =============================================================================
+# Test 6: Get Single Task
+# =============================================================================
+
+class TestGetSingleTask:
+    def test_get_single_task(self, client, mock_db):
+        """Get existing task by ID."""
+        row = _make_task_row()
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=row))
+        resp = client.get(f"/process-tasks/{TASK_ID}")
+        assert resp.status_code == 200
+        assert resp.json()["id"] == TASK_ID
+
+    def test_get_task_not_found(self, client, mock_db):
+        """Get non-existent task returns 404."""
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=None))
+        resp = client.get("/process-tasks/nonexistent-id")
+        assert resp.status_code == 404
+
+
+# =============================================================================
+# Test 7: Complete Task
+# =============================================================================
+
+class TestCompleteTask:
+    def test_complete_task(self, client, mock_db):
+        """Complete a task: verify history insert and next_due recalculation."""
+        task_row = _make_task_row({"frequency": "quarterly"})
+        updated_row = _make_task_row({
+            "frequency": "quarterly",
+            "status": "pending",
+            "last_completed_at": datetime(2026, 3, 14, 12, 0, 0),
+            "next_due_date": date(2026, 6, 12),
+        })
+
+        # First call: SELECT task, Second: INSERT history, Third: UPDATE task
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=task_row)),
+            MagicMock(),  # history INSERT
+            MagicMock(fetchone=MagicMock(return_value=updated_row)),
+        ]
+
+        resp = client.post(f"/process-tasks/{TASK_ID}/complete", json={
+            "completed_by": "admin",
+            "result": "Alles geprueft",
+            "notes": "Keine Auffaelligkeiten",
+        })
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["status"] == "pending"  # Reset for recurring
+        mock_db.commit.assert_called_once()
+
+    def test_complete_once_task(self, client, mock_db):
+        """Complete a one-time task stays completed."""
+        task_row = _make_task_row({"frequency": "once"})
+        updated_row = _make_task_row({
+            "frequency": "once",
+            "status": "completed",
+            "next_due_date": None,
+        })
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=task_row)),
+            MagicMock(),
+            MagicMock(fetchone=MagicMock(return_value=updated_row)),
+        ]
+
+        resp = client.post(f"/process-tasks/{TASK_ID}/complete", json={
+            "completed_by": "admin",
+        })
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "completed"
+
+    def test_complete_task_not_found(self, client, mock_db):
+        """Complete non-existent task returns 404."""
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=None))
+        resp = client.post("/process-tasks/nonexistent-id/complete", json={
+            "completed_by": "admin",
+        })
+        assert resp.status_code == 404
+
+
+# =============================================================================
+# Test 8: Skip Task
+# =============================================================================
+
+class TestSkipTask:
+    def test_skip_task(self, client, mock_db):
+        """Skip task with reason, verify next_due recalculation."""
+        task_row = _make_task_row({"frequency": "monthly"})
+        updated_row = _make_task_row({
+            "frequency": "monthly",
+            "status": "pending",
+            "next_due_date": date(2026, 4, 13),
+        })
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=task_row)),
+            MagicMock(),  # history INSERT
+            MagicMock(fetchone=MagicMock(return_value=updated_row)),
+        ]
+
+        resp = client.post(f"/process-tasks/{TASK_ID}/skip", json={
+            "reason": "Kein Handlungsbedarf diesen Monat",
+        })
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "pending"
+        mock_db.commit.assert_called_once()
+
+    def test_skip_task_not_found(self, client, mock_db):
+        """Skip non-existent task returns 404."""
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=None))
+        resp = client.post("/process-tasks/nonexistent-id/skip", json={
+            "reason": "Test",
+        })
+        assert resp.status_code == 404
+
+
+# =============================================================================
+# Test 9: Seed Idempotent
+# =============================================================================
+
+class TestSeedIdempotent:
+    def test_seed_idempotent(self, client, mock_db):
+        """Seed twice — ON CONFLICT ensures idempotency."""
+        # First seed: all inserted (rowcount=1 for each)
+        mock_result = MagicMock()
+        mock_result.rowcount = 1
+        mock_db.execute.return_value = mock_result
+
+        resp = client.post("/process-tasks/seed")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["seeded"] == data["total_available"]
+        assert data["total_available"] == 50
+        mock_db.commit.assert_called_once()
+
+    def test_seed_second_time_no_inserts(self, client, mock_db):
+        """Second seed inserts nothing (ON CONFLICT DO NOTHING)."""
+        mock_result = MagicMock()
+        mock_result.rowcount = 0
+        mock_db.execute.return_value = mock_result
+
+        resp = client.post("/process-tasks/seed")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["seeded"] == 0
+        assert data["total_available"] == 50
+
+
+# =============================================================================
+# Test 10: Get History
+# =============================================================================
+
+class TestGetHistory:
+    def test_get_history(self, client, mock_db):
+        """Return history entries for a task."""
+        task_id_row = _MockRow({"id": TASK_ID})
+        history_row = _make_history_row()
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=task_id_row)),
+            MagicMock(fetchall=MagicMock(return_value=[history_row])),
+        ]
+
+        resp = client.get(f"/process-tasks/{TASK_ID}/history")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert len(data["history"]) == 1
+        assert data["history"][0]["task_id"] == TASK_ID
+        assert data["history"][0]["status"] == "completed"
+        assert data["history"][0]["completed_by"] == "admin"
+
+    def test_get_history_task_not_found(self, client, mock_db):
+        """History for non-existent task returns 404."""
+        mock_db.execute.return_value = MagicMock(fetchone=MagicMock(return_value=None))
+        resp = client.get("/process-tasks/nonexistent-id/history")
+        assert resp.status_code == 404
+
+    def test_get_history_empty(self, client, mock_db):
+        """Task with no history returns empty list."""
+        task_id_row = _MockRow({"id": TASK_ID})
+
+        mock_db.execute.side_effect = [
+            MagicMock(fetchone=MagicMock(return_value=task_id_row)),
+            MagicMock(fetchall=MagicMock(return_value=[])),
+        ]
+
+        resp = client.get(f"/process-tasks/{TASK_ID}/history")
+        assert resp.status_code == 200
+        assert resp.json()["history"] == []
+
+
+# =============================================================================
+# Constant / Schema Validation Tests
+# =============================================================================
+
+class TestConstants:
+    def test_valid_categories(self):
+        assert VALID_CATEGORIES == {"dsgvo", "nis2", "bsi", "iso27001", "ai_act", "internal"}
+
+    def test_valid_frequencies(self):
+        assert VALID_FREQUENCIES == {"weekly", "monthly", "quarterly", "semi_annual", "yearly", "once"}
+
+    def test_valid_priorities(self):
+        assert VALID_PRIORITIES == {"critical", "high", "medium", "low"}
+
+    def test_valid_statuses(self):
+        assert VALID_STATUSES == {"pending", "in_progress", "completed", "overdue", "skipped"}
+
+    def test_frequency_days_mapping(self):
+        assert FREQUENCY_DAYS["weekly"] == 7
+        assert FREQUENCY_DAYS["monthly"] == 30
+        assert FREQUENCY_DAYS["quarterly"] == 90
+        assert FREQUENCY_DAYS["semi_annual"] == 182
+        assert FREQUENCY_DAYS["yearly"] == 365
+        assert FREQUENCY_DAYS["once"] is None
+
+
+class TestDeleteTask:
+    def test_delete_existing(self, client, mock_db):
+        mock_db.execute.return_value = MagicMock(rowcount=1)
+        resp = client.delete(f"/process-tasks/{TASK_ID}")
+        assert resp.status_code == 204
+        mock_db.commit.assert_called_once()
+
+    def test_delete_not_found(self, client, mock_db):
+        mock_db.execute.return_value = MagicMock(rowcount=0)
+        resp = client.delete(f"/process-tasks/{TASK_ID}")
+        assert resp.status_code == 404
diff --git a/backend-compliance/tests/test_security_templates.py b/backend-compliance/tests/test_security_templates.py
new file mode 100644
index 0000000..e8f893e
--- /dev/null
+++ b/backend-compliance/tests/test_security_templates.py
@@ -0,0 +1,175 @@
+"""Tests for security document templates (Module 3)."""
+
+import pytest
+from unittest.mock import MagicMock, patch
+from fastapi.testclient import TestClient
+from fastapi import FastAPI
+from datetime import datetime
+
+from compliance.api.legal_template_routes import router
+from classroom_engine.database import get_db
+from compliance.api.tenant_utils import get_tenant_id
+
+DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
+
+# =============================================================================
+# Test App Setup
+# =============================================================================
+
+app = FastAPI()
+app.include_router(router)
+
+mock_db = MagicMock()
+
+
+def override_get_db():
+    yield mock_db
+
+
+def override_tenant():
+    return DEFAULT_TENANT_ID
+
+
+app.dependency_overrides[get_db] = override_get_db
+app.dependency_overrides[get_tenant_id] = override_tenant
+
+client = TestClient(app)
+
+SECURITY_TEMPLATE_TYPES = [
+    "it_security_concept",
+    "data_protection_concept",
+    "backup_recovery_concept",
+    "logging_concept",
+    "incident_response_plan",
+    "access_control_concept",
+    "risk_management_concept",
+]
+
+
+# =============================================================================
+# Helpers
+# =============================================================================
+
+def make_template_row(doc_type, title="Test Template", content="# Test"):
+    row = MagicMock()
+    row._mapping = {
+        "id": "tmpl-001",
+        "tenant_id": DEFAULT_TENANT_ID,
+        "document_type": doc_type,
+        "title": title,
+        "description": f"Test {doc_type}",
+        "content": content,
+        "placeholders": ["COMPANY_NAME", "ISB_NAME"],
+        "language": "de",
+        "jurisdiction": "DE",
+        "status": "published",
+        "license_id": None,
+        "license_name": None,
+        "source_name": None,
+        "inspiration_sources": [],
+        "created_at": datetime(2026, 3, 14),
+        "updated_at": datetime(2026, 3, 14),
+    }
+    return row
+
+
+# =============================================================================
+# Tests
+# =============================================================================
+
+class TestSecurityTemplateTypes:
+    """Verify the 7 security template types are accepted by the API."""
+
+    def test_all_security_types_in_valid_set(self):
+        """All 7 security template types are in VALID_DOCUMENT_TYPES."""
+        from compliance.api.legal_template_routes import VALID_DOCUMENT_TYPES
+
+        for doc_type in SECURITY_TEMPLATE_TYPES:
+            assert doc_type in VALID_DOCUMENT_TYPES, (
+                f"{doc_type} not in VALID_DOCUMENT_TYPES"
+            )
+
+    def test_security_template_count(self):
+        """There are exactly 7 security template types."""
+        assert len(SECURITY_TEMPLATE_TYPES) == 7
+
+    def test_create_security_template_accepted(self):
+        """Creating a template with a security type is accepted (not 400)."""
+        insert_row = MagicMock()
+        insert_row._mapping = {
+            "id": "new-tmpl",
+            "tenant_id": DEFAULT_TENANT_ID,
+            "document_type": "it_security_concept",
+            "title": "IT-Sicherheitskonzept",
+            "description": "Test",
+            "content": "# IT-Sicherheitskonzept",
+            "placeholders": [],
+            "language": "de",
+            "jurisdiction": "DE",
+            "status": "draft",
+            "license_id": None,
+            "license_name": None,
+            "source_name": None,
+            "inspiration_sources": [],
+            "created_at": datetime(2026, 3, 14),
+            "updated_at": datetime(2026, 3, 14),
+        }
+        mock_db.execute.return_value.fetchone.return_value = insert_row
+        mock_db.commit = MagicMock()
+
+        resp = client.post("/legal-templates", json={
+            "document_type": "it_security_concept",
+            "title": "IT-Sicherheitskonzept",
+            "content": "# IT-Sicherheitskonzept\n\n## 1. Managementzusammenfassung",
+            "language": "de",
+            "jurisdiction": "DE",
+        })
+        # Should NOT be 400 (invalid type)
+        assert resp.status_code != 400 or "Invalid document_type" not in resp.text
+
+    def test_invalid_type_rejected(self):
+        """A non-existent template type is rejected with 400."""
+        resp = client.post("/legal-templates", json={
+            "document_type": "nonexistent_type",
+            "title": "Test",
+            "content": "# Test",
+        })
+        assert resp.status_code == 400
+        assert "Invalid document_type" in resp.json()["detail"]
+
+
+class TestSecurityTemplateFilter:
+    """Verify filtering templates by security document types."""
+
+    def test_filter_by_security_type(self):
+        """GET /legal-templates?document_type=it_security_concept returns matching templates."""
+        row = make_template_row("it_security_concept", "IT-Sicherheitskonzept")
+        mock_db.execute.return_value.fetchall.return_value = [row]
+
+        resp = client.get("/legal-templates?document_type=it_security_concept")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "templates" in data or isinstance(data, list)
+
+
+class TestSecurityTemplatePlaceholders:
+    """Verify placeholder structure for security templates."""
+
+    def test_common_placeholders_present(self):
+        """Security templates should use standard placeholders."""
+        common_placeholders = [
+            "COMPANY_NAME", "GF_NAME", "ISB_NAME",
+            "DOCUMENT_VERSION", "VERSION_DATE", "NEXT_REVIEW_DATE",
+        ]
+        row = make_template_row(
+            "it_security_concept",
+            content="# IT-Sicherheitskonzept\n{{COMPANY_NAME}} {{ISB_NAME}}"
+        )
+        row._mapping["placeholders"] = common_placeholders
+        mock_db.execute.return_value.fetchone.return_value = row
+
+        # Verify the mock has all expected placeholders
+        assert all(
+            p in row._mapping["placeholders"]
+            for p in ["COMPANY_NAME", "GF_NAME", "ISB_NAME"]
+        )
diff --git a/docs-src/services/sdk-modules/canonical-control-library.md b/docs-src/services/sdk-modules/canonical-control-library.md
index 01c7b63..5177a81 100644
--- a/docs-src/services/sdk-modules/canonical-control-library.md
+++ b/docs-src/services/sdk-modules/canonical-control-library.md
@@ -222,14 +222,149 @@ Der Validator (`scripts/validate-controls.py`) prueft bei jedem Commit:
 
 ---
 
+## Control Generator Pipeline
+
+Automatische Generierung von Controls aus dem gesamten RAG-Korpus (170.000+ Chunks aus Gesetzen, Verordnungen und Standards).
+
+### 8-Stufen-Pipeline
+
+```mermaid
+flowchart TD
+    A[1. RAG Scroll] -->|Alle Chunks| B[2. Prefilter - Lokales LLM]
+    B -->|Irrelevant| C[Als processed markieren]
+    B -->|Relevant| D[3. License Classify]
+    D -->|Rule 1/2| E[4a. Structure - Anthropic]
+    D -->|Rule 3| F[4b. LLM Reform - Anthropic]
+    E --> G[5. Harmonization - Embeddings]
+    F --> G
+    G -->|Duplikat| H[Als Duplikat speichern]
+    G -->|Neu| I[6. Anchor Search]
+    I --> J[7. Store Control]
+    J --> K[8. Mark Processed]
+```
+
+### Stufe 1: RAG Scroll (Vollstaendig)
+
+Scrollt durch **ALLE** Chunks in allen RAG-Collections mittels Qdrant Scroll-API.
+Kein Limit — jeder Chunk wird verarbeitet, um keine gesetzlichen Anforderungen zu uebersehen.
+
+Bereits verarbeitete Chunks werden per SHA-256-Hash uebersprungen (`canonical_processed_chunks`).
+
+### Stufe 2: Lokaler LLM-Vorfilter (Qwen 30B)
+
+**Kostenoptimierung:** Bevor ein Chunk an die Anthropic API geht, prueft das lokale Qwen-Modell (`qwen3:30b-a3b` auf Mac Mini), ob der Chunk eine konkrete Anforderung enthaelt.
+
+- **Relevant:** Pflichten ("muss", "soll"), technische Massnahmen, Datenschutz-Vorgaben
+- **Irrelevant:** Definitionen, Inhaltsverzeichnisse, Begriffsbestimmungen, Uebergangsvorschriften
+
+Irrelevante Chunks werden als `prefilter_skip` markiert und nie wieder verarbeitet.
+Dies spart >50% der Anthropic-API-Kosten.
+
+### Stufe 3: Lizenz-Klassifikation (3-Regel-System)
+
+| Regel | Lizenz | Original erlaubt? | Beispiel |
+|-------|--------|-------------------|----------|
+| **Rule 1** (free_use) | EU-Gesetze, NIST, DE-Gesetze | Ja | DSGVO, BDSG, NIS2 |
+| **Rule 2** (citation_required) | CC-BY, CC-BY-SA | Ja, mit Zitation | OWASP ASVS |
+| **Rule 3** (restricted) | Proprietaer | Nein, volle Reformulierung | BSI TR-03161 |
+
+### Stufe 4a/4b: Strukturierung / Reformulierung
+
+- **Rule 1+2:** Anthropic strukturiert den Originaltext in Control-Format (Titel, Ziel, Anforderungen)
+- **Rule 3:** Anthropic reformuliert vollstaendig — kein Originaltext, keine Quellennamen
+
+### Stufe 5: Harmonisierung (Embedding-basiert)
+
+Prueft per bge-m3 Embeddings (Cosine Similarity > 0.85), ob ein aehnliches Control existiert.
+Embeddings werden in Batches vorgeladen (32 Texte/Request) fuer maximale Performance.
+
+### Stufe 6-8: Anchor Search, Store, Mark Processed
+
+- **Anchor Search:** Findet Open-Source-Referenzen (OWASP, NIST, ENISA)
+- **Store:** Persistiert Control mit `verification_method` und `category`
+- **Mark Processed:** Markiert **JEDEN** Chunk als verarbeitet (auch bei Skip/Error/Duplikat)
+
+### Automatische Klassifikation
+
+Bei der Generierung werden automatisch zugewiesen:
+
+**Verification Method** (Nachweis-Methode):
+
+| Methode | Beschreibung |
+|---------|-------------|
+| `code_review` | Im Source Code pruefbar |
+| `document` | Dokument/Prozess-Nachweis |
+| `tool` | Tool-basierte Pruefung |
+| `hybrid` | Kombination mehrerer Methoden |
+
+**Category** (17 thematische Kategorien):
+encryption, authentication, network, data_protection, logging, incident,
+continuity, compliance, supply_chain, physical, personnel, application,
+system, risk, governance, hardware, identity
+
+### Konfiguration
+
+| ENV-Variable | Default | Beschreibung |
+|-------------|---------|-------------|
+| `ANTHROPIC_API_KEY` | — | API-Key fuer Anthropic Claude |
+| `CONTROL_GEN_ANTHROPIC_MODEL` | `claude-sonnet-4-6` | Anthropic-Modell fuer Formulierung |
+| `OLLAMA_URL` | `http://host.docker.internal:11434` | Lokaler Ollama-Server (Vorfilter) |
+| `CONTROL_GEN_OLLAMA_MODEL` | `qwen3:30b-a3b` | Lokales LLM fuer Vorfilter |
+| `CONTROL_GEN_LLM_TIMEOUT` | `120` | Timeout in Sekunden |
+
+### Architektur-Entscheidung: Gesetzesverweise
+
+Controls leiten sich aus zwei Quellen ab:
+
+1. **Direkte gesetzliche Pflichten (Rule 1):** z.B. DSGVO Art. 32 erzwingt "technische und organisatorische Massnahmen". Diese Controls haben `source_citation` mit exakter Gesetzesreferenz und Originaltext.
+
+2. **Implizite Umsetzung ueber Best Practices (Rule 2/3):** z.B. OWASP ASVS V2.7 fordert MFA — das ist keine gesetzliche Pflicht, aber eine Best Practice um NIS2 Art. 21 oder DSGVO Art. 32 zu erfuellen. Diese Controls haben Open-Source-Referenzen (Anchors).
+
+**Im Frontend:**
+- Rule 1/2 Controls zeigen eine blaue "Gesetzliche Grundlage" Box mit Gesetz, Artikel und Link
+- Rule 3 Controls zeigen einen Hinweis dass sie implizit Gesetze umsetzen, mit Verweis auf die Referenzen
+
+### API
+
+```bash
+# Job starten (laeuft im Hintergrund)
+curl -X POST https://macmini:8002/api/compliance/v1/canonical/generate \
+  -H 'Content-Type: application/json' \
+  -H 'X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000' \
+  -d '{"collections": ["bp_compliance_gesetze"]}'
+
+# Job-Status abfragen
+curl https://macmini:8002/api/compliance/v1/canonical/generate/jobs \
+  -H 'X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000'
+```
+
+### RAG Collections
+
+| Collection | Inhalte | Erwartete Regel |
+|-----------|---------|----------------|
+| `bp_compliance_gesetze` | Deutsche Gesetze (BDSG, TTDSG, TKG etc.) | Rule 1 |
+| `bp_compliance_recht` | EU-Verordnungen (DSGVO, NIS2, AI Act etc.) | Rule 1 |
+| `bp_compliance_datenschutz` | Datenschutz-Leitlinien | Rule 1/2 |
+| `bp_compliance_ce` | CE/Sicherheitsstandards | Rule 1/2/3 |
+| `bp_dsfa_corpus` | DSFA-Korpus | Rule 1/2 |
+| `bp_legal_templates` | Rechtsvorlagen | Rule 1 |
+
+---
+
 ## Dateien
 
 | Datei | Typ | Beschreibung |
 |-------|-----|-------------|
 | `backend-compliance/migrations/044_canonical_control_library.sql` | SQL | 5 Tabellen + Seed-Daten |
-| `backend-compliance/compliance/api/canonical_control_routes.py` | Python | REST API (8 Endpoints) |
+| `backend-compliance/migrations/047_verification_method_category.sql` | SQL | verification_method + category Felder |
+| `backend-compliance/compliance/api/canonical_control_routes.py` | Python | REST API (8+ Endpoints) |
+| `backend-compliance/compliance/api/control_generator_routes.py` | Python | Generator API (Start/Status/Jobs) |
+| `backend-compliance/compliance/services/control_generator.py` | Python | 8-Stufen-Pipeline |
 | `backend-compliance/compliance/services/license_gate.py` | Python | Lizenz-Gate-Logik |
 | `backend-compliance/compliance/services/similarity_detector.py` | Python | Too-Close-Detektor (5 Metriken) |
+| `backend-compliance/compliance/services/rag_client.py` | Python | RAG-Client (Search + Scroll) |
+| `ai-compliance-sdk/internal/ucca/legal_rag.go` | Go | RAG Search + Scroll (Qdrant) |
+| `ai-compliance-sdk/internal/api/handlers/rag_handlers.go` | Go | RAG HTTP-Handler |
 | `ai-compliance-sdk/policies/canonical_controls_v1.json` | JSON | 10 Seed Controls, 39 Open Anchors |
 | `ai-compliance-sdk/internal/ucca/canonical_control_loader.go` | Go | Control Loader mit Multi-Index |
 | `admin-compliance/app/sdk/control-library/page.tsx` | TSX | Control Library Browser |