diff --git a/admin-compliance/app/sdk/api-docs/page.tsx b/admin-compliance/app/sdk/api-docs/page.tsx index a1ba63d..6d62052 100644 --- a/admin-compliance/app/sdk/api-docs/page.tsx +++ b/admin-compliance/app/sdk/api-docs/page.tsx @@ -2,7 +2,7 @@ import { useState, useMemo, useRef } from 'react' import { apiModules } from '@/lib/sdk/api-docs/endpoints' -import type { HttpMethod, BackendService } from '@/lib/sdk/api-docs/types' +import type { HttpMethod, BackendService, ApiExposure } from '@/lib/sdk/api-docs/types' const METHOD_COLORS: Record = { GET: 'bg-green-100 text-green-800', @@ -12,12 +12,30 @@ const METHOD_COLORS: Record = { PATCH: 'bg-purple-100 text-purple-800', } +const EXPOSURE_CONFIG: Record = { + public: { label: 'Oeffentlich', color: 'bg-green-100 text-green-800 border-green-200', description: 'Internet-exponiert' }, + partner: { label: 'Integration', color: 'bg-blue-100 text-blue-800 border-blue-200', description: 'API-Key/OAuth' }, + internal: { label: 'Intern', color: 'bg-gray-100 text-gray-700 border-gray-200', description: 'Nur Admin' }, + admin: { label: 'Wartung', color: 'bg-orange-100 text-orange-800 border-orange-200', description: 'Nur Setup' }, +} + type ServiceFilter = 'all' | BackendService +type ExposureFilter = 'all' | ApiExposure + +function ExposureBadge({ exposure }: { exposure: ApiExposure }) { + const config = EXPOSURE_CONFIG[exposure] + return ( + + {config.label} + + ) +} export default function ApiDocsPage() { const [search, setSearch] = useState('') const [serviceFilter, setServiceFilter] = useState('all') const [methodFilter, setMethodFilter] = useState('all') + const [exposureFilter, setExposureFilter] = useState('all') const [expandedModules, setExpandedModules] = useState>(new Set()) const moduleRefs = useRef>({}) 
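Review bot: The `description` strings in `EXPOSURE_CONFIG` invert what the tier names suggest: the tier named `internal` is described as 'Nur Admin', while the tier actually named `admin` is described as 'Nur Setup' and labelled 'Wartung'. Anyone reading `exposure: 'admin'` in endpoints.ts will assume "reachable from the admin dashboard", not "one-off setup call such as `/init-tables`", and the catalog is hand-maintained so that misreading will propagate. A one-line comment above the table, `// 'internal' = admin dashboard only; 'admin' = setup/maintenance operations — not part of the normal attack surface, see types.ts`, disambiguates it; renaming the tier (e.g. `maintenance`) is the cleaner fix while the catalog is still small. Whether `description` is rendered anywhere cannot be seen in this hunk, since the JSX elements are stripped in this rendering.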
@@ -25,9 +43,15 @@ export default function ApiDocsPage() { const q = search.toLowerCase() return apiModules .filter((m) => serviceFilter === 'all' || m.service === serviceFilter) + .filter((m) => { + if (exposureFilter === 'all') return true + if (m.exposure === exposureFilter) return true + return m.endpoints.some((e) => (e.exposure || m.exposure) === exposureFilter) + }) .map((m) => { const eps = m.endpoints.filter((e) => { if (methodFilter !== 'all' && e.method !== methodFilter) return false + if (exposureFilter !== 'all' && (e.exposure || m.exposure) !== exposureFilter) return false if (!q) return true return ( e.path.toLowerCase().includes(q) || @@ -39,13 +63,22 @@ export default function ApiDocsPage() { return { ...m, endpoints: eps } }) .filter((m) => m.endpoints.length > 0) - }, [search, serviceFilter, methodFilter]) + }, [search, serviceFilter, methodFilter, exposureFilter]) const stats = useMemo(() => { const total = apiModules.reduce((s, m) => s + m.endpoints.length, 0) const python = apiModules.filter((m) => m.service === 'python').reduce((s, m) => s + m.endpoints.length, 0) const go = apiModules.filter((m) => m.service === 'go').reduce((s, m) => s + m.endpoints.length, 0) - return { total, python, go, modules: apiModules.length } + + const exposureCounts = { public: 0, partner: 0, internal: 0, admin: 0 } + apiModules.forEach((m) => { + m.endpoints.forEach((e) => { + const exp = e.exposure || m.exposure + exposureCounts[exp]++ + }) + }) + + return { total, python, go, modules: apiModules.length, exposure: exposureCounts } }, []) const filteredTotal = filteredModules.reduce((s, m) => s + m.endpoints.length, 0) @@ -97,6 +130,26 @@ export default function ApiDocsPage() { + {/* Exposure Stats */} +
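Review bot: The effective exposure of an endpoint, `e.exposure || m.exposure`, is computed three times in these two hunks (module-level filter, endpoint-level filter, `exposureCounts`) and a fourth time in the table hunk at @@ -265,27 as `endpointExposure`; a single helper `const effectiveExposure = (m: ApiModule, e: ApiEndpoint): ApiExposure => e.exposure ?? m.exposure` keeps the fallback rule in one place, with `ApiModule`/`ApiEndpoint` imported from `@/lib/sdk/api-docs/types`. `??` is the precise operator here because `exposure` is an optional string-literal union and never an empty string. The added module-level `.filter` (match on `m.exposure` or on any endpoint's effective exposure) appears redundant: the endpoint-level filter plus the existing `.filter((m) => m.endpoints.length > 0)` already removes any module it would have rejected, so it can be dropped without changing results. The `useMemo` that owns these lines starts above the first hunk.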
+ Exposure: + + {stats.exposure.public} oeffentlich + + + {stats.exposure.partner} Integration + + + {stats.exposure.internal} intern + + + {stats.exposure.admin} Wartung + + + ({Math.round((stats.exposure.public + stats.exposure.partner) / stats.total * 100)}% exponiert) + +
+ {/* Search + Filters */}
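Review bot: `Math.round((stats.exposure.public + stats.exposure.partner) / stats.total * 100)` renders `NaN% exponiert` when `stats.total` is 0; the catalog is static and currently non-empty, but `stats.total ? Math.round(…) : 0` is a one-line guard. More importantly, the figure is derived from the hand-maintained `exposure` fields in endpoints.ts, not from gateway or router configuration, so it is a declared exposure share rather than a measured one; a comment next to the stat, `{/* declared exposure per the static catalog — not a runtime check of what the gateway actually serves */}`, stops it being read as an attack-surface measurement. The JSX wrapper elements around these values are stripped in this rendering, so exact placement is left to the author.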
@@ -144,6 +197,29 @@ export default function ApiDocsPage() { ))}
+ {/* Exposure Filter */} +
+ {([ + ['all', 'Alle'], + ['public', 'Oeffentlich'], + ['partner', 'Integration'], + ['internal', 'Intern'], + ['admin', 'Wartung'], + ] as const).map(([val, label]) => ( + + ))} +
+ {/* Method Filter */}
{(['all', 'GET', 'POST', 'PUT', 'DELETE', 'PATCH'] as const).map((m) => ( @@ -185,7 +261,7 @@ export default function ApiDocsPage() {
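Review bot: The exposure filter labels in the `as const` tuple list (`['public', 'Oeffentlich']`, `['partner', 'Integration']`, …) duplicate `EXPOSURE_CONFIG[...].label` from the top of the file; renaming a tier in one place silently leaves the filter buttons and the badges disagreeing. Build the list from the config instead, e.g. `[['all', 'Alle'] as const, ...(Object.keys(EXPOSURE_CONFIG) as ApiExposure[]).map((k) => [k, EXPOSURE_CONFIG[k].label] as const)]`, which also guarantees every tier gets a filter button when one is added. The button element itself is not visible in this rendering of the hunk.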
{/* Module Index (Sidebar) */}
-
+

Modul-Index ({filteredModules.length})

@@ -194,15 +270,18 @@ export default function ApiDocsPage() { ))} @@ -246,6 +325,7 @@ export default function ApiDocsPage() { }`}> {m.service === 'python' ? 'PY' : 'GO'} + {m.name}
@@ -265,27 +345,39 @@ export default function ApiDocsPage() { Methode Pfad Beschreibung + Exposure - {m.endpoints.map((e, i) => ( - - - - {e.method} - - - - {e.path} - - - {e.description} - - - ))} + {m.endpoints.map((e, i) => { + const endpointExposure = e.exposure || m.exposure + const hasOverride = e.exposure && e.exposure !== m.exposure + return ( + + + + {e.method} + + + + {e.path} + + + {e.description} + + + {hasOverride ? ( + + ) : ( + + )} + + + ) + })}
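Review bot: `const hasOverride = e.exposure && e.exposure !== m.exposure` has the type `ApiExposure | undefined | boolean`, because `&&` yields its left operand when that is falsy; it works as a JSX condition but reads as a flag, so `const hasOverride = e.exposure !== undefined && e.exposure !== m.exposure` makes it a real boolean. `const endpointExposure = e.exposure || m.exposure` is the same fallback the filter and stats hunks (@@ -25,9 and @@ -39,13) already spell out three times; it belongs in one shared helper rather than a fourth inline copy. The two branches of `hasOverride ? … : …` are stripped in this rendering, so whether both render an `ExposureBadge` cannot be checked here; the table markup around these rows continues outside the hunk.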
diff --git a/admin-compliance/lib/sdk/api-docs/endpoints.ts b/admin-compliance/lib/sdk/api-docs/endpoints.ts index 28b1567..c0817aa 100644 --- a/admin-compliance/lib/sdk/api-docs/endpoints.ts +++ b/admin-compliance/lib/sdk/api-docs/endpoints.ts @@ -10,6 +10,7 @@ export const apiModules: ApiModule[] = [ name: 'Compliance Framework — Regulierungen, Anforderungen & Controls', service: 'python', basePath: '/api/compliance', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/regulations', description: 'Alle Regulierungen auflisten', service: 'python' }, { method: 'GET', path: '/regulations/{code}', description: 'Regulierung nach Code laden', service: 'python' }, @@ -29,10 +30,10 @@ export const apiModules: ApiModule[] = [ { method: 'GET', path: '/export/{export_id}', description: 'Export-Status abfragen', service: 'python' }, { method: 'GET', path: '/export/{export_id}/download', description: 'Export-Datei herunterladen', service: 'python' }, { method: 'GET', path: '/exports', description: 'Alle Exports auflisten', service: 'python' }, - { method: 'POST', path: '/init-tables', description: 'Datenbanktabellen initialisieren', service: 'python' }, - { method: 'POST', path: '/create-indexes', description: 'Datenbank-Indizes erstellen', service: 'python' }, - { method: 'POST', path: '/seed-risks', description: 'Risikodaten einspielen', service: 'python' }, - { method: 'POST', path: '/seed', description: 'Systemdaten einspielen', service: 'python' }, + { method: 'POST', path: '/init-tables', description: 'Datenbanktabellen initialisieren', service: 'python', exposure: 'admin' }, + { method: 'POST', path: '/create-indexes', description: 'Datenbank-Indizes erstellen', service: 'python', exposure: 'admin' }, + { method: 'POST', path: '/seed-risks', description: 'Risikodaten einspielen', service: 'python', exposure: 'admin' }, + { method: 'POST', path: '/seed', description: 'Systemdaten einspielen', service: 'python', exposure: 'admin' }, ], }, 
@@ -41,6 +42,7 @@ export const apiModules: ApiModule[] = [
 name: 'Audit — Sitzungen & Checklisten',
 service: 'python',
 basePath: '/api/compliance/audit',
+ exposure: 'internal',
 endpoints: [
 { method: 'POST', path: '/sessions', description: 'Audit-Sitzung erstellen', service: 'python' },
 { method: 'GET', path: '/sessions', description: 'Alle Audit-Sitzungen auflisten', service: 'python' },
@@ -61,6 +63,7 @@ export const apiModules: ApiModule[] = [
 name: 'AI Act — KI-Systeme & Risikobewertung',
 service: 'python',
 basePath: '/api/compliance/ai',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/systems', description: 'KI-Systeme auflisten', service: 'python' },
 { method: 'POST', path: '/systems', description: 'KI-System erstellen', service: 'python' },
@@ -76,12 +79,13 @@ export const apiModules: ApiModule[] = [ name: 'Cookie-Banner & Consent Management', service: 'python', basePath: '/api/compliance/consent', + exposure: 'internal', endpoints: [ - { method: 'POST', path: '/consent', description: 'Einwilligung erfassen', service: 'python' }, + { method: 'POST', path: '/consent', description: 'Einwilligung erfassen', service: 'python', exposure: 'public' }, { method: 'GET', path: '/consent', description: 'Einwilligungen auflisten', service: 'python' }, { method: 'DELETE', path: '/consent/{consent_id}', description: 'Einwilligung loeschen', service: 'python' }, { method: 'GET', path: '/consent/export', description: 'Einwilligungsdaten exportieren', service: 'python' }, - { method: 'GET', path: '/config/{site_id}', description: 'Seitenkonfiguration laden', service: 'python' }, + { method: 'GET', path: '/config/{site_id}', description: 'Seitenkonfiguration laden', service: 'python', exposure: 'public' }, { method: 'GET', path: '/admin/sites', description: 'Alle Seiten auflisten', service: 'python' }, { method: 'POST', path: '/admin/sites', description: 'Seite erstellen', service: 'python' }, { method: 'PUT', path: '/admin/sites/{site_id}', description: 'Seite aktualisieren', service: 'python' }, @@ -101,6 +105,7 @@ export const apiModules: ApiModule[] = [ name: 'Change Requests — Aenderungsantraege', service: 'python', basePath: '/api/compliance/change-requests', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/stats', description: 'CR-Statistiken laden', service: 'python' }, { method: 'GET', path: '/{cr_id}', description: 'Einzelnen CR laden', service: 'python' }, 
@@ -116,6 +121,7 @@ export const apiModules: ApiModule[] = [
 name: 'Stammdaten — Unternehmensprofil',
 service: 'python',
 basePath: '/api/v1/company-profile',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/', description: 'Unternehmensprofil laden', service: 'python' },
 { method: 'POST', path: '/', description: 'Profil erstellen/aktualisieren', service: 'python' },
@@ -130,6 +136,7 @@ export const apiModules: ApiModule[] = [
 name: 'Compliance Scope — Geltungsbereich',
 service: 'python',
 basePath: '/api/v1/compliance-scope',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/', description: 'Compliance-Scope laden', service: 'python' },
 { method: 'POST', path: '/', description: 'Compliance-Scope erstellen/aktualisieren', service: 'python' },
@@ -141,6 +148,7 @@ export const apiModules: ApiModule[] = [
 name: 'Einwilligungsvorlagen — Consent Templates',
 service: 'python',
 basePath: '/api/compliance/consent-templates',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/consent-templates', description: 'Vorlagen auflisten', service: 'python' },
 { method: 'POST', path: '/consent-templates', description: 'Vorlage erstellen', service: 'python' },
@@ -156,6 +164,7 @@ export const apiModules: ApiModule[] = [
 name: 'Dashboard — Compliance-Uebersicht & Reports',
 service: 'python',
 basePath: '/api/compliance/dashboard',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/dashboard', description: 'Haupt-Dashboard laden', service: 'python' },
 { method: 'GET', path: '/score', description: 'Compliance-Score berechnen', service: 'python' },
@@ -171,6 +180,7 @@ export const apiModules: ApiModule[] = [
 name: 'DSFA — Datenschutz-Folgenabschaetzung',
 service: 'python',
 basePath: '/api/compliance/dsfa',
+ exposure: 'internal',
 endpoints: [
 { method: 'GET', path: '/', description: 'DSFAs auflisten', service: 'python' },
 { method: 'POST', path: '/', description: 'DSFA erstellen', service: 'python' },
@@ -195,6 +205,7 @@ export const apiModules: ApiModule[] = [ name: 'DSR — Betroffenenrechte (Admin)', service: 'python', basePath: '/api/compliance/dsr', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/', description: 'DSR erstellen', service: 'python' }, { method: 'GET', path: '/', description: 'DSRs auflisten', service: 'python' }, @@ -229,6 +240,7 @@ export const apiModules: ApiModule[] = [ name: 'Einwilligungen — DSGVO-Einwilligungsverwaltung', service: 'python', basePath: '/api/compliance/einwilligungen', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/catalog', description: 'Einwilligungskatalog laden', service: 'python' }, { method: 'PUT', path: '/catalog', description: 'Katalog aktualisieren', service: 'python' }, @@ -249,6 +261,7 @@ export const apiModules: ApiModule[] = [ name: 'E-Mail-Vorlagen — Template-Verwaltung', service: 'python', basePath: '/api/compliance/email-templates', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/types', description: 'Vorlagentypen laden', service: 'python' }, { method: 'GET', path: '/stats', description: 'E-Mail-Statistiken laden', service: 'python' }, @@ -279,6 +292,7 @@ export const apiModules: ApiModule[] = [ name: 'Eskalationen — Eskalationsmanagement', service: 'python', basePath: '/api/compliance/escalations', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Eskalationen auflisten', service: 'python' }, { method: 'POST', path: '/', description: 'Eskalation erstellen', service: 'python' }, 
@@ -295,13 +309,14 @@ export const apiModules: ApiModule[] = [ name: 'Nachweise — Evidence Management', service: 'python', basePath: '/api/compliance/evidence', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/evidence', description: 'Nachweise auflisten', service: 'python' }, { method: 'POST', path: '/evidence', description: 'Nachweis erstellen', service: 'python' }, { method: 'DELETE', path: '/evidence/{evidence_id}', description: 'Nachweis loeschen', service: 'python' }, { method: 'POST', path: '/evidence/upload', description: 'Nachweis-Datei hochladen', service: 'python' }, - { method: 'POST', path: '/evidence/collect', description: 'CI-Nachweis sammeln', service: 'python' }, - { method: 'GET', path: '/evidence/ci-status', description: 'CI-Nachweis-Status laden', service: 'python' }, + { method: 'POST', path: '/evidence/collect', description: 'CI-Nachweis sammeln', service: 'python', exposure: 'partner' }, + { method: 'GET', path: '/evidence/ci-status', description: 'CI-Nachweis-Status laden', service: 'python', exposure: 'partner' }, ], }, @@ -310,6 +325,7 @@ export const apiModules: ApiModule[] = [ name: 'Extraktion — Anforderungen aus RAG', service: 'python', basePath: '/api/compliance', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/extract-requirements-from-rag', description: 'Anforderungen aus RAG-Korpus extrahieren', service: 'python' }, ], @@ -320,6 +336,7 @@ export const apiModules: ApiModule[] = [ name: 'Dokumentengenerierung — Automatische Erstellung', service: 'python', basePath: '/api/compliance/generation', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/preview/{doc_type}', description: 'Generierungs-Vorschau laden', service: 'python' }, { method: 'POST', path: '/apply/{doc_type}', description: 'Dokument generieren und anwenden', service: 'python' }, 
@@ -331,6 +348,7 @@ export const apiModules: ApiModule[] = [ name: 'Dokument-Import & Gap-Analyse', service: 'python', basePath: '/api/import', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/analyze', description: 'Dokument analysieren', service: 'python' }, { method: 'GET', path: '/gap-analysis/{document_id}', description: 'Gap-Analyse laden', service: 'python' }, @@ -344,6 +362,7 @@ export const apiModules: ApiModule[] = [ name: 'Datenschutz-Vorfaelle — Incident Management', service: 'python', basePath: '/api/compliance/incidents', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/', description: 'Vorfall erstellen', service: 'python' }, { method: 'GET', path: '/', description: 'Vorfaelle auflisten', service: 'python' }, @@ -368,6 +387,7 @@ export const apiModules: ApiModule[] = [ name: 'ISMS — ISO 27001 Managementsystem', service: 'python', basePath: '/api/compliance/isms', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/scope', description: 'ISMS-Scope laden', service: 'python' }, { method: 'POST', path: '/scope', description: 'ISMS-Scope erstellen', service: 'python' }, @@ -416,6 +436,7 @@ export const apiModules: ApiModule[] = [ name: 'Rechtliche Dokumente — Verwaltung & Versionen', service: 'python', basePath: '/api/compliance/legal-documents', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/documents', description: 'Dokumente auflisten', service: 'python' }, { method: 'POST', path: '/documents', description: 'Dokument erstellen', service: 'python' }, 
@@ -431,8 +452,8 @@ export const apiModules: ApiModule[] = [ { method: 'POST', path: '/versions/{version_id}/reject', description: 'Version ablehnen', service: 'python' }, { method: 'POST', path: '/versions/{version_id}/publish', description: 'Version veroeffentlichen', service: 'python' }, { method: 'GET', path: '/versions/{version_id}/approval-history', description: 'Genehmigungshistorie laden', service: 'python' }, - { method: 'GET', path: '/public', description: 'Oeffentliche Dokumente laden', service: 'python' }, - { method: 'GET', path: '/public/{document_type}/latest', description: 'Aktuellstes Dokument laden', service: 'python' }, + { method: 'GET', path: '/public', description: 'Oeffentliche Dokumente laden', service: 'python', exposure: 'public' }, + { method: 'GET', path: '/public/{document_type}/latest', description: 'Aktuellstes Dokument laden', service: 'python', exposure: 'public' }, { method: 'POST', path: '/consents', description: 'Einwilligung erfassen', service: 'python' }, { method: 'GET', path: '/consents/my', description: 'Eigene Einwilligungen laden', service: 'python' }, { method: 'GET', path: '/consents/check/{document_type}', description: 'Einwilligungsstatus pruefen', service: 'python' }, @@ -451,6 +472,7 @@ export const apiModules: ApiModule[] = [ name: 'Dokumentvorlagen — DSGVO-Generatoren', service: 'python', basePath: '/api/compliance/legal-templates', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Vorlagen auflisten', service: 'python' }, { method: 'GET', path: '/status', description: 'Vorlagenstatus laden', service: 'python' }, 
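Review bot: In the legal-documents module only `/public` and `/public/{document_type}/latest` receive `exposure: 'public'`, while `POST /consents`, `GET /consents/my` and `GET /consents/check/{document_type}` fall back to the module default `internal` ('Nur Admin' in the UI). Their descriptions ('Eigene Einwilligungen laden', 'Einwilligungsstatus pruefen') read as end-user operations on the same document types, so either the classification or the descriptions are wrong, and the catalog should say which — `exposure: 'public'` on those three lines if authenticated end users call them, or a description making the admin-only scope explicit. The sibling `/api/consents` module (hunk @@ -724,6 further down) marks its `check/{document_type}` endpoint public, which supports the first reading. The module-level `exposure: 'internal'` for this module is set in the preceding hunk (@@ -416,6).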
@@ -467,6 +489,7 @@ export const apiModules: ApiModule[] = [ name: 'Loeschfristen — Aufbewahrung & Loeschung', service: 'python', basePath: '/api/compliance/loeschfristen', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Loeschrichtlinien auflisten', service: 'python' }, { method: 'POST', path: '/', description: 'Richtlinie erstellen', service: 'python' }, @@ -485,11 +508,12 @@ export const apiModules: ApiModule[] = [ name: 'Module — Compliance-Modul-Verwaltung', service: 'python', basePath: '/api/compliance/modules', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/modules', description: 'Module auflisten', service: 'python' }, { method: 'GET', path: '/modules/overview', description: 'Modul-Uebersicht laden', service: 'python' }, { method: 'GET', path: '/modules/{module_id}', description: 'Modul laden', service: 'python' }, - { method: 'POST', path: '/modules/seed', description: 'Module einspielen', service: 'python' }, + { method: 'POST', path: '/modules/seed', description: 'Module einspielen', service: 'python', exposure: 'admin' }, { method: 'POST', path: '/modules/{module_id}/activate', description: 'Modul aktivieren', service: 'python' }, { method: 'POST', path: '/modules/{module_id}/deactivate', description: 'Modul deaktivieren', service: 'python' }, { method: 'POST', path: '/modules/{module_id}/regulations', description: 'Regulierungs-Zuordnung hinzufuegen', service: 'python' }, @@ -501,6 +525,7 @@ export const apiModules: ApiModule[] = [ name: 'Notfallplan — Kontakte, Szenarien & Uebungen', service: 'python', basePath: '/api/compliance/notfallplan', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/contacts', description: 'Notfallkontakte laden', service: 'python' }, { method: 'POST', path: '/contacts', description: 'Kontakt erstellen', service: 'python' }, 
@@ -533,6 +558,7 @@ export const apiModules: ApiModule[] = [ name: 'Pflichten — Compliance-Obligations', service: 'python', basePath: '/api/compliance/obligations', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Pflichten auflisten', service: 'python' }, { method: 'POST', path: '/', description: 'Pflicht erstellen', service: 'python' }, @@ -551,6 +577,7 @@ export const apiModules: ApiModule[] = [ name: 'Quality — KI-Qualitaetsmetriken & Tests', service: 'python', basePath: '/api/compliance/quality', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/stats', description: 'Qualitaets-Statistiken laden', service: 'python' }, { method: 'GET', path: '/metrics', description: 'Metriken auflisten', service: 'python' }, @@ -569,6 +596,7 @@ export const apiModules: ApiModule[] = [ name: 'Risikomanagement — Bewertung & Matrix', service: 'python', basePath: '/api/compliance/risks', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/risks', description: 'Risiken auflisten', service: 'python' }, { method: 'POST', path: '/risks', description: 'Risiko erstellen', service: 'python' }, @@ -583,8 +611,9 @@ export const apiModules: ApiModule[] = [ name: 'Screening — Abhaengigkeiten-Pruefung', service: 'python', basePath: '/api/compliance/screening', + exposure: 'internal', endpoints: [ - { method: 'POST', path: '/scan', description: 'Abhaengigkeiten scannen', service: 'python' }, + { method: 'POST', path: '/scan', description: 'Abhaengigkeiten scannen', service: 'python', exposure: 'partner' }, { method: 'GET', path: '/{screening_id}', description: 'Screening-Ergebnis laden', service: 'python' }, { method: 'GET', path: '/', description: 'Screenings auflisten', service: 'python' }, ], 
@@ -595,6 +624,7 @@ export const apiModules: ApiModule[] = [ name: 'Scraper — Rechtsquellen-Aktualisierung', service: 'python', basePath: '/api/compliance/scraper', + exposure: 'partner', endpoints: [ { method: 'GET', path: '/scraper/status', description: 'Scraper-Status laden', service: 'python' }, { method: 'GET', path: '/scraper/sources', description: 'Quellen auflisten', service: 'python' }, @@ -611,6 +641,7 @@ export const apiModules: ApiModule[] = [ name: 'Security Backlog — Sicherheitsmassnahmen', service: 'python', basePath: '/api/compliance/security-backlog', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Backlog-Eintraege auflisten', service: 'python' }, { method: 'POST', path: '/', description: 'Eintrag erstellen', service: 'python' }, @@ -625,6 +656,7 @@ export const apiModules: ApiModule[] = [ name: 'Source Policy — Datenquellen & PII-Regeln', service: 'python', basePath: '/api/compliance/source-policy', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/sources', description: 'Datenquellen auflisten', service: 'python' }, { method: 'POST', path: '/sources', description: 'Quelle erstellen', service: 'python' }, @@ -649,6 +681,7 @@ export const apiModules: ApiModule[] = [ name: 'TOM — Technisch-Organisatorische Massnahmen', service: 'python', basePath: '/api/compliance/tom', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/state', description: 'TOM-Zustand laden', service: 'python' }, { method: 'POST', path: '/state', description: 'TOM-Zustand speichern', service: 'python' }, @@ -669,6 +702,7 @@ export const apiModules: ApiModule[] = [ name: 'Vendor Compliance — Auftragsverarbeitung', service: 'python', basePath: '/api/compliance/vendors', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/vendors/stats', description: 'Anbieter-Statistiken laden', service: 'python' }, { method: 'GET', path: '/vendors', description: 'Anbieter auflisten', service: 'python' }, 
@@ -703,6 +737,7 @@ export const apiModules: ApiModule[] = [ name: 'VVT — Verarbeitungsverzeichnis (Art. 30 DSGVO)', service: 'python', basePath: '/api/compliance/vvt', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/organization', description: 'Organisationskopf laden', service: 'python' }, { method: 'PUT', path: '/organization', description: 'Organisationskopf speichern', service: 'python' }, @@ -724,6 +759,7 @@ export const apiModules: ApiModule[] = [ name: 'Consent API — Nutzer-Einwilligungen', service: 'python', basePath: '/api/consents', + exposure: 'public', endpoints: [ { method: 'GET', path: '/token/demo', description: 'Demo-Token laden', service: 'python' }, { method: 'GET', path: '/check/{document_type}', description: 'Einwilligungsstatus pruefen', service: 'python' }, @@ -744,6 +780,7 @@ export const apiModules: ApiModule[] = [ name: 'Consent Admin — Dokumenten- & Versionsverwaltung', service: 'python', basePath: '/api/admin/consents', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/documents', description: 'Dokumente auflisten', service: 'python' }, { method: 'POST', path: '/documents', description: 'Dokument erstellen', service: 'python' }, @@ -777,6 +814,7 @@ export const apiModules: ApiModule[] = [ name: 'DSR API — Nutzer-Betroffenenrechte', service: 'python', basePath: '/api/dsr', + exposure: 'public', endpoints: [ { method: 'POST', path: '/', description: 'Antrag stellen', service: 'python' }, { method: 'GET', path: '/', description: 'Eigene Antraege laden', service: 'python' }, @@ -790,6 +828,7 @@ export const apiModules: ApiModule[] = [ name: 'DSR Admin — Antrags-Verwaltung', service: 'python', basePath: '/api/admin/dsr', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/', description: 'Alle Antraege laden', service: 'python' }, { method: 'GET', path: '/stats', description: 'DSR-Statistiken laden', service: 'python' }, 
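Review bot: The `Consent API` module at `/api/consents` is marked `exposure: 'public'` as a whole, which also classifies `GET /token/demo` ('Demo-Token laden') as Internet-exposed; a token-issuing demo endpoint is exactly the row a reviewer wants flagged, so it should carry an explicit override (`exposure: 'admin'` if it exists only for setup/test, `'internal'` otherwise) or a description stating that it is disabled outside non-production deployments — neither can be inferred from the catalog alone. Because the admin page now highlights per-endpoint overrides, leaving it on the module default actively hides it. The same module-wide `public` default is applied to `/api/dsr` here and to `/api/gdpr` on the next hunk line; each endpoint under those modules deserves the same check that unauthenticated or end-user reach is intended.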
@@ -817,6 +856,7 @@ export const apiModules: ApiModule[] = [ name: 'GDPR / Datenschutz — Nutzerdaten & Export', service: 'python', basePath: '/api/gdpr', + exposure: 'public', endpoints: [ { method: 'POST', path: '/export-pdf', description: 'Nutzerdaten als PDF exportieren', service: 'python' }, { method: 'GET', path: '/export-html', description: 'Nutzerdaten als HTML exportieren', service: 'python' }, @@ -835,8 +875,9 @@ export const apiModules: ApiModule[] = [ name: 'Health — System-Status', service: 'go', basePath: '/sdk/v1', + exposure: 'admin', endpoints: [ - { method: 'GET', path: '/health', description: 'API Health-Check', service: 'go' }, + { method: 'GET', path: '/health', description: 'API Health-Check', service: 'go', exposure: 'admin' }, ], }, @@ -845,6 +886,7 @@ export const apiModules: ApiModule[] = [ name: 'RBAC — Tenant, Rollen & Berechtigungen', service: 'go', basePath: '/sdk/v1', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/tenants', description: 'Alle Tenants auflisten', service: 'go' }, { method: 'GET', path: '/tenants/:id', description: 'Tenant laden', service: 'go' }, @@ -871,6 +913,7 @@ export const apiModules: ApiModule[] = [ name: 'LLM — KI-Textverarbeitung & Policies', service: 'go', basePath: '/sdk/v1/llm', + exposure: 'partner', endpoints: [ { method: 'GET', path: '/policies', description: 'LLM-Policies auflisten', service: 'go' }, { method: 'GET', path: '/policies/:id', description: 'Policy laden', service: 'go' }, @@ -891,6 +934,7 @@ export const apiModules: ApiModule[] = [ name: 'Audit (Go) — LLM-Audit & Compliance-Reports', service: 'go', basePath: '/sdk/v1/audit', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/llm', description: 'LLM-Audit-Logs laden', service: 'go' }, { method: 'GET', path: '/general', description: 'Allgemeine Audit-Logs laden', service: 'go' }, 
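Review bot: `Health — System-Status` receives `exposure: 'admin'` at module level and again on its single `/health` endpoint; the endpoint-level value is redundant (page.tsx treats an override equal to the module default as no override) and can be dropped. More substantively, `admin` is described in page.tsx as 'Wartung / Nur Setup' and is otherwise used for schema-mutating setup calls (`/init-tables`, `/seed`, `/modules/seed`), whereas a health probe is usually reachable by load balancers or monitoring during normal operation — so either the probe is misfiled or the category now means two different things. If `/health` is indeed reached by infrastructure, `internal` or `partner` plus a comment `// liveness probe for LB/monitoring; returns no tenant data` would be the clearer record; if it really is setup-only, the description 'API Health-Check' should say so.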
@@ -909,6 +953,7 @@ export const apiModules: ApiModule[] = [ name: 'UCCA — Use-Case Compliance Advisor', service: 'go', basePath: '/sdk/v1/ucca', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/assess', description: 'Compliance-Bewertung durchfuehren', service: 'go' }, { method: 'GET', path: '/assessments', description: 'Bewertungen auflisten', service: 'go' }, @@ -951,6 +996,7 @@ export const apiModules: ApiModule[] = [ name: 'RAG — Legal Corpus & Vektorsuche', service: 'go', basePath: '/sdk/v1/rag', + exposure: 'partner', endpoints: [ { method: 'POST', path: '/search', description: 'Rechtskorpus durchsuchen', service: 'go' }, { method: 'GET', path: '/regulations', description: 'Regulierungen auflisten', service: 'go' }, @@ -964,6 +1010,7 @@ export const apiModules: ApiModule[] = [ name: 'Roadmaps — Compliance-Implementierungsplaene', service: 'go', basePath: '/sdk/v1/roadmaps', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/', description: 'Roadmap erstellen', service: 'go' }, { method: 'GET', path: '/', description: 'Roadmaps auflisten', service: 'go' }, @@ -984,6 +1031,7 @@ export const apiModules: ApiModule[] = [ name: 'Roadmap Items — Einzelne Massnahmen', service: 'go', basePath: '/sdk/v1/roadmap-items', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/:id', description: 'Item laden', service: 'go' }, { method: 'PUT', path: '/:id', description: 'Item aktualisieren', service: 'go' }, @@ -997,6 +1045,7 @@ export const apiModules: ApiModule[] = [ name: 'Workshops — Kollaborative Compliance-Workshops', service: 'go', basePath: '/sdk/v1/workshops', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/', description: 'Workshop erstellen', service: 'go' }, { method: 'GET', path: '/', description: 'Workshops auflisten', service: 'go' }, 
@@ -1027,6 +1076,7 @@ export const apiModules: ApiModule[] = [ name: 'Portfolios — KI-Use-Case-Portfolio', service: 'go', basePath: '/sdk/v1/portfolios', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/', description: 'Portfolio erstellen', service: 'go' }, { method: 'GET', path: '/', description: 'Portfolios auflisten', service: 'go' }, @@ -1053,6 +1103,7 @@ export const apiModules: ApiModule[] = [ name: 'Academy — E-Learning & Zertifikate', service: 'go', basePath: '/sdk/v1/academy', + exposure: 'internal', endpoints: [ { method: 'POST', path: '/courses', description: 'Kurs erstellen', service: 'go' }, { method: 'GET', path: '/courses', description: 'Kurse auflisten', service: 'go' }, @@ -1080,6 +1131,7 @@ export const apiModules: ApiModule[] = [ name: 'Training — Schulungsmodule & Content-Pipeline', service: 'go', basePath: '/sdk/v1/training', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/modules', description: 'Schulungsmodule auflisten', service: 'go' }, { method: 'GET', path: '/modules/:id', description: 'Modul laden', service: 'go' }, @@ -1115,7 +1167,7 @@ export const apiModules: ApiModule[] = [ { method: 'POST', path: '/escalation/check', description: 'Eskalation pruefen', service: 'go' }, { method: 'GET', path: '/audit-log', description: 'Schulungs-Audit-Log laden', service: 'go' }, { method: 'GET', path: '/stats', description: 'Schulungs-Statistiken laden', service: 'go' }, - { method: 'GET', path: '/certificates/:id/verify', description: 'Zertifikat verifizieren', service: 'go' }, + { method: 'GET', path: '/certificates/:id/verify', description: 'Zertifikat verifizieren', service: 'go', exposure: 'partner' }, ], }, 
@@ -1124,10 +1176,11 @@ export const apiModules: ApiModule[] = [ name: 'Whistleblower — Hinweisgebersystem (HinSchG)', service: 'go', basePath: '/sdk/v1/whistleblower', + exposure: 'internal', endpoints: [ - { method: 'POST', path: '/reports/submit', description: 'Anonymen Hinweis einreichen', service: 'go' }, - { method: 'GET', path: '/reports/access/:accessKey', description: 'Hinweis per Zugangscode laden', service: 'go' }, - { method: 'POST', path: '/reports/access/:accessKey/messages', description: 'Nachricht senden (anonym)', service: 'go' }, + { method: 'POST', path: '/reports/submit', description: 'Anonymen Hinweis einreichen', service: 'go', exposure: 'public' }, + { method: 'GET', path: '/reports/access/:accessKey', description: 'Hinweis per Zugangscode laden', service: 'go', exposure: 'public' }, + { method: 'POST', path: '/reports/access/:accessKey/messages', description: 'Nachricht senden (anonym)', service: 'go', exposure: 'public' }, { method: 'GET', path: '/reports', description: 'Alle Hinweise auflisten', service: 'go' }, { method: 'GET', path: '/reports/:id', description: 'Hinweis laden', service: 'go' }, { method: 'PUT', path: '/reports/:id', description: 'Hinweis aktualisieren', service: 'go' }, @@ -1147,6 +1200,7 @@ export const apiModules: ApiModule[] = [ name: 'IACE — Industrial AI / CE-Compliance Engine', service: 'go', basePath: '/sdk/v1/iace', + exposure: 'internal', endpoints: [ { method: 'GET', path: '/hazard-library', description: 'Gefahrenbibliothek laden', service: 'go' }, { method: 'GET', path: '/controls-library', description: 'Controls-Bibliothek laden', service: 'go' }, diff --git a/admin-compliance/lib/sdk/api-docs/types.ts b/admin-compliance/lib/sdk/api-docs/types.ts index a2c2423..400c6f5 100644 --- a/admin-compliance/lib/sdk/api-docs/types.ts +++ b/admin-compliance/lib/sdk/api-docs/types.ts 
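Review bot: The three whistleblower endpoints now marked `exposure: 'public'` carry `:accessKey` in the URL path, i.e. the anonymous reporter's only credential travels as a path segment; now that the catalog advertises them as Internet-exposed, the descriptions are the natural place to record that the key is a secret, e.g. 'Hinweis per Zugangscode laden (Zugangscode ist geheim, nicht protokollieren)', so integrators and the developer portal do not treat it as an ordinary identifier. The classification itself (submission and access-key channels public, case management internal) is consistent with the module's purpose. The module default `exposure: 'internal'` covers the remaining `/reports*` rows in this hunk and beyond it.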
@@ -1,11 +1,13 @@
 export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH'
 export type BackendService = 'python' | 'go'
+export type ApiExposure = 'public' | 'partner' | 'internal' | 'admin'
 export interface ApiEndpoint {
 method: HttpMethod
 path: string
 description: string
 service: BackendService
+ exposure?: ApiExposure
 }
 export interface ApiModule {
@@ -13,5 +15,6 @@ export interface ApiModule {
 name: string
 service: BackendService
 basePath: string
+ exposure: ApiExposure
 endpoints: ApiEndpoint[]
 }
diff --git a/developer-portal/app/api/page.tsx b/developer-portal/app/api/page.tsx
index c89b183..64ae5a7 100644
--- a/developer-portal/app/api/page.tsx
+++ b/developer-portal/app/api/page.tsx
@@ -1,6 +1,20 @@
 import Link from 'next/link'
 import { DevPortalLayout, ApiEndpoint, InfoBox } from '@/components/DevPortalLayout'
+function ExposureBadge({ type }: { type: 'public' | 'partner' | 'internal' | 'admin' }) {
+ const config = {
+ public: { label: 'Oeffentlich', className: 'bg-green-100 text-green-800' },
+ partner: { label: 'Integration', className: 'bg-blue-100 text-blue-800' },
+ internal: { label: 'Intern', className: 'bg-gray-100 text-gray-700' },
+ admin: { label: 'Wartung', className: 'bg-orange-100 text-orange-800' },
+ }[type]
+ return (
+
+ {config.label}
+
+ )
+}
+ export default function ApiReferencePage() { return ( + + Jeder Endpoint ist mit einer Exposure-Kategorie gekennzeichnet: + Oeffentlich + Internet-exponiert, + Integration + API-Key-authentifiziert, + Intern + nur Admin-Dashboard, + Wartung + nur Setup. + 
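Review bot: `exposure?: ApiExposure` on `ApiEndpoint` has no TSDoc, so a reader of this file cannot tell that an omitted value means "inherit the module's exposure" (the `e.exposure || m.exposure` fallback lives in the admin page, not here) or that the field is documentation metadata with no runtime enforcement. I would add `/** Overrides the module-level exposure for this endpoint; omitted means inherit ApiModule.exposure. Descriptive only — it does not gate the route. */` above the field, and a short doc comment on `ApiExposure` naming the four categories as this commit uses them (public = Internet-reachable, partner = API-key/OAuth integrations, internal = admin dashboard only, admin = setup/maintenance). With inheritance, forgetting the override on a single Internet-facing endpoint silently files it as `internal` in both the docs and the exposure counts, so the comment should say that explicitly.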

Authentifizierung

Alle API-Anfragen erfordern einen gültigen API Key im Header: @@ -33,7 +59,7 @@ export default function ApiReferencePage() {
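Review bot: The new legend defines `Oeffentlich` as Internet-exponiert, yet the unchanged "Authentifizierung" text directly below still states `Alle API-Anfragen erfordern einen gültigen API Key im Header`, which contradicts how `public` is used in this commit: the whistleblower endpoints marked `public` are described as anonymous (`Anonymen Hinweis einreichen`, `Nachricht senden (anonym)`) and presumably are not called with a tenant API key. The sentence should be scoped, e.g. `Integration- und interne Endpoints erfordern einen gültigen API Key im Header; oeffentliche Endpoints (z. B. das Hinweisgebersystem) sind bewusst ohne API Key erreichbar` — confirm against the backend which public routes really run unauthenticated before publishing it. The `ExposureBadge` here also duplicates the label table of `EXPOSURE_CONFIG` in the admin page with a different wording for `partner` (`API-Key-authentifiziert` here, `API-Key/OAuth` there); one shared definition would keep the two portals from drifting. Hunk boundaries in this rendered section are partly lost, so the exact placement of the auth sentence relative to the hunk is inferred.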

API Endpoints

-

State Management

+

State Management

Verwalten Sie den SDK-State für Ihren Tenant.

@@ -60,7 +86,7 @@ export default function ApiReferencePage() {

-

RAG Search

+

RAG Search

Durchsuchen Sie den Compliance-Korpus (DSGVO, AI Act, NIS2).

@@ -82,7 +108,7 @@ export default function ApiReferencePage() {

-

Document Generation

+

Document Generation

Generieren Sie Compliance-Dokumente automatisch.

@@ -109,7 +135,7 @@ export default function ApiReferencePage() {

-

Export

+

Export

Exportieren Sie den Compliance-Stand in verschiedenen Formaten.

@@ -126,7 +152,7 @@ export default function ApiReferencePage() {

-

Consent Management

+

Consent Management

Verwalten Sie Einwilligungen, rechtliche Dokumente und Cookie-Banner-Konfigurationen.

@@ -142,7 +168,7 @@ export default function ApiReferencePage() {

-

DSFA — Datenschutz-Folgenabschätzung

+

DSFA — Datenschutz-Folgenabschätzung

Verwalten Sie Datenschutz-Folgenabschätzungen gemäß Art. 35 DSGVO mit vollständigem Audit-Trail, Status-Workflow und Risikobewertung. diff --git a/developer-portal/app/page.tsx b/developer-portal/app/page.tsx index 0e98f81..5bea0cd 100644 --- a/developer-portal/app/page.tsx +++ b/developer-portal/app/page.tsx @@ -132,6 +132,68 @@ function ComplianceDashboard() { + {/* API Exposure Classification */} +

API-Exposure-Klassifikation

+

+ Das SDK klassifiziert alle API-Endpoints nach ihrer Netzwerk-Exposition. + Von den ~640 Endpoints sind nur ~9% oeffentlich exponiert. +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KategorieBadgeBedeutung~Endpoints
public + Oeffentlich + Von Endnutzern/Browsern erreichbar (Internet)~30
partner + Integration + Fuer externe Systeme (CI/CD, LLM-Provider, API-Key/OAuth)~25
internal + Intern + Nur Admin-Dashboard, nicht Internet-exponiert~550
admin + Wartung + Setup/Maintenance — nach Deployment deaktivieren~4
+
+ + +

+ Bei Self-Hosted-Deployments stellen Sie sicher, dass nur public und + partner Endpoints ueber den Reverse Proxy erreichbar sind. + Interne und Wartungs-Endpoints sollten ausschliesslich im Docker-Netzwerk / VPN erreichbar sein. +

+
+ {/* Features */}

Hauptfunktionen