feat(tom): audit document, compliance checks, 25 controls, canonical control mapping

Phase A: TOM document HTML generator (12 sections, inline CSS, A4 print)
Phase B: TOMDocumentTab component (org-header form, revisions, print/download)
Phase C: 11 compliance checks with severity-weighted scoring
Phase D: MkDocs documentation for TOM module
Phase E: 25 new controls (63 → 88) in 13 categories

Canonical Control Mapping (three-layer architecture):
- Migration 068: tom_control_mappings + tom_control_sync_state tables
- 6 API endpoints: sync, list, by-tom, stats, manual add, delete
- Category mapping: 13 TOM categories → 17 canonical categories
- Frontend: sync button + coverage card (Overview), drill-down (Editor),
  belegende Controls count (Document)
- 20 tests (unit + API with mocked DB)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

admin-compliance/components/sdk/tom-dashboard/TOMOverviewTab.tsx

@@ -1,6 +1,6 @@
 'use client'
 
-import { useMemo, useState } from 'react'
+import { useMemo, useState, useEffect, useCallback } from 'react'
 import { DerivedTOM, TOMGeneratorState } from '@/lib/sdk/tom-generator/types'
 import { getControlById, getControlsByCategory, getAllCategories } from '@/lib/sdk/tom-generator/controls/loader'
 import { SDM_GOAL_LABELS, getSDMCoverageStats, SDMGewaehrleistungsziel } from '@/lib/sdk/tom-generator/sdm-mapping'
@@ -11,6 +11,18 @@ interface TOMOverviewTabProps {
   onStartGenerator: () => void
 }
 
+interface MappingStats {
+  sync_state: {
+    profile_hash: string | null
+    total_mappings: number
+    canonical_controls_matched: number
+    tom_controls_covered: number
+    last_synced_at: string | null
+  }
+  category_breakdown: { tom_category: string; total_mappings: number; unique_controls: number }[]
+  total_canonical_controls_available: number
+}
+
 const STATUS_BADGES: Record<string, { label: string; className: string }> = {
   IMPLEMENTED: { label: 'Implementiert', className: 'bg-green-100 text-green-700' },
   PARTIAL: { label: 'Teilweise', className: 'bg-yellow-100 text-yellow-700' },
@@ -34,9 +46,41 @@ export function TOMOverviewTab({ state, onSelectTOM, onStartGenerator }: TOMOver
   const [typeFilter, setTypeFilter] = useState<string>('ALL')
   const [statusFilter, setStatusFilter] = useState<string>('ALL')
   const [applicabilityFilter, setApplicabilityFilter] = useState<string>('ALL')
+  const [mappingStats, setMappingStats] = useState<MappingStats | null>(null)
+  const [syncing, setSyncing] = useState(false)
 
   const categories = useMemo(() => getAllCategories(), [])
 
+  // Load mapping stats
+  useEffect(() => {
+    if (state.derivedTOMs.length === 0) return
+    fetch('/api/sdk/v1/compliance/tom-mappings/stats')
+      .then(r => r.ok ? r.json() : null)
+      .then(data => { if (data) setMappingStats(data) })
+      .catch(() => {})
+  }, [state.derivedTOMs.length])
+
+  const handleSyncControls = useCallback(async () => {
+    setSyncing(true)
+    try {
+      const resp = await fetch('/api/sdk/v1/compliance/tom-mappings/sync', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          industry: state.companyProfile?.industry || null,
+          company_size: state.companyProfile?.size || null,
+          force: false,
+        }),
+      })
+      if (resp.ok) {
+        // Reload stats after sync
+        const statsResp = await fetch('/api/sdk/v1/compliance/tom-mappings/stats')
+        if (statsResp.ok) setMappingStats(await statsResp.json())
+      }
+    } catch { /* ignore */ }
+    setSyncing(false)
+  }, [state.companyProfile])
+
   const stats = useMemo(() => {
     const toms = state.derivedTOMs
     return {
@@ -159,6 +203,59 @@ export function TOMOverviewTab({ state, onSelectTOM, onStartGenerator }: TOMOver
         </div>
       </div>
 
+      {/* Canonical Control Library Coverage */}
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <div className="flex items-center justify-between mb-3">
+          <div>
+            <h3 className="text-sm font-semibold text-gray-700">Canonical Control Library</h3>
+            <p className="text-xs text-gray-500 mt-0.5">
+              Belegende Security-Controls aus OWASP, NIST, ENISA
+            </p>
+          </div>
+          <button
+            onClick={handleSyncControls}
+            disabled={syncing}
+            className="bg-purple-600 text-white hover:bg-purple-700 disabled:bg-gray-300 rounded-lg px-4 py-2 text-xs font-medium transition-colors"
+          >
+            {syncing ? 'Synchronisiere...' : 'Controls synchronisieren'}
+          </button>
+        </div>
+        {mappingStats ? (
+          <div className="grid grid-cols-2 lg:grid-cols-4 gap-3">
+            <div className="bg-gray-50 rounded-lg p-3 text-center">
+              <div className="text-xl font-bold text-gray-900">{mappingStats.sync_state.total_mappings}</div>
+              <div className="text-xs text-gray-500">Zugeordnete Controls</div>
+            </div>
+            <div className="bg-gray-50 rounded-lg p-3 text-center">
+              <div className="text-xl font-bold text-purple-600">{mappingStats.sync_state.canonical_controls_matched}</div>
+              <div className="text-xs text-gray-500">Einzigartige Controls</div>
+            </div>
+            <div className="bg-gray-50 rounded-lg p-3 text-center">
+              <div className="text-xl font-bold text-gray-900">{mappingStats.sync_state.tom_controls_covered}/13</div>
+              <div className="text-xs text-gray-500">Kategorien abgedeckt</div>
+            </div>
+            <div className="bg-gray-50 rounded-lg p-3 text-center">
+              <div className="text-xl font-bold text-gray-900">{mappingStats.total_canonical_controls_available}</div>
+              <div className="text-xs text-gray-500">Verfuegbare Controls</div>
+            </div>
+          </div>
+        ) : (
+          <div className="text-center py-4">
+            <p className="text-sm text-gray-400">
+              Noch keine Controls synchronisiert. Klicken Sie &quot;Controls synchronisieren&quot;, um relevante
+              Security-Controls aus der Canonical Control Library zuzuordnen.
+            </p>
+          </div>
+        )}
+        {mappingStats?.sync_state?.last_synced_at && (
+          <p className="text-xs text-gray-400 mt-2">
+            Letzte Synchronisation: {new Date(mappingStats.sync_state.last_synced_at).toLocaleDateString('de-DE', {
+              day: '2-digit', month: '2-digit', year: 'numeric', hour: '2-digit', minute: '2-digit'
+            })}
+          </p>
+        )}
+      </div>
+
       {/* Filter Controls */}
       <div className="bg-white rounded-xl border border-gray-200 p-4">
         <div className="grid grid-cols-2 lg:grid-cols-4 gap-3">