feat(reporting+docs): tenant-ID-Validierung, Go-Tests, 4 MkDocs-Einzelseiten

- reporting_handlers.go: uuid.Nil-Check vor Store-Aufruf (→ 400)
- reporting_handlers_test.go: 4 MissingTenantID-Tests (PASS) + 4 WithTenant-Tests (SKIP)
- docs-src: requirements.md, controls.md, evidence.md, risks.md (je mit API, Schema, Tests)
- mkdocs.yml: 4 neue Nav-Einträge + \n-Bug auf Zeile 91 behoben
- compliance-kern.md: Link-Hinweise zu Detailseiten ergänzt

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ai-compliance-sdk/internal/api/handlers/reporting_handlers.go

@@ -6,6 +6,7 @@ import (
 	"github.com/breakpilot/ai-compliance-sdk/internal/rbac"
 	"github.com/breakpilot/ai-compliance-sdk/internal/reporting"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )
 
 type ReportingHandlers struct {
@@ -20,6 +21,10 @@ func NewReportingHandlers(store *reporting.Store) *ReportingHandlers {
 // GET /sdk/v1/reporting/executive
 func (h *ReportingHandlers) GetExecutiveReport(c *gin.Context) {
 	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
 
 	report, err := h.store.GenerateReport(c.Request.Context(), tenantID)
 	if err != nil {
@@ -34,6 +39,10 @@ func (h *ReportingHandlers) GetExecutiveReport(c *gin.Context) {
 // GET /sdk/v1/reporting/score
 func (h *ReportingHandlers) GetComplianceScore(c *gin.Context) {
 	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
 
 	report, err := h.store.GenerateReport(c.Request.Context(), tenantID)
 	if err != nil {
@@ -52,6 +61,10 @@ func (h *ReportingHandlers) GetComplianceScore(c *gin.Context) {
 // GET /sdk/v1/reporting/deadlines
 func (h *ReportingHandlers) GetUpcomingDeadlines(c *gin.Context) {
 	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
 
 	report, err := h.store.GenerateReport(c.Request.Context(), tenantID)
 	if err != nil {
@@ -69,6 +82,10 @@ func (h *ReportingHandlers) GetUpcomingDeadlines(c *gin.Context) {
 // GET /sdk/v1/reporting/risks
 func (h *ReportingHandlers) GetRiskOverview(c *gin.Context) {
 	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
 
 	report, err := h.store.GenerateReport(c.Request.Context(), tenantID)
 	if err != nil {

ai-compliance-sdk/internal/api/handlers/reporting_handlers_test.go

@@ -0,0 +1,179 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// ============================================================================
+// ReportingHandlers — Missing Tenant ID Tests (no store required)
+// ============================================================================
+
+func TestReportingHandlers_GetExecutiveReport_MissingTenantID(t *testing.T) {
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/executive", nil)
+
+	handler.GetExecutiveReport(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected status 400 for missing tenant ID, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("Failed to parse response: %v", err)
+	}
+	if _, ok := resp["error"]; !ok {
+		t.Error("Expected error field in response")
+	}
+}
+
+func TestReportingHandlers_GetComplianceScore_MissingTenantID(t *testing.T) {
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/score", nil)
+
+	handler.GetComplianceScore(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected status 400 for missing tenant ID, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("Failed to parse response: %v", err)
+	}
+	if _, ok := resp["error"]; !ok {
+		t.Error("Expected error field in response")
+	}
+}
+
+func TestReportingHandlers_GetUpcomingDeadlines_MissingTenantID(t *testing.T) {
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/deadlines", nil)
+
+	handler.GetUpcomingDeadlines(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected status 400 for missing tenant ID, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("Failed to parse response: %v", err)
+	}
+	if _, ok := resp["error"]; !ok {
+		t.Error("Expected error field in response")
+	}
+}
+
+func TestReportingHandlers_GetRiskOverview_MissingTenantID(t *testing.T) {
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/risks", nil)
+
+	handler.GetRiskOverview(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected status 400 for missing tenant ID, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("Failed to parse response: %v", err)
+	}
+	if _, ok := resp["error"]; !ok {
+		t.Error("Expected error field in response")
+	}
+}
+
+// ============================================================================
+// ReportingHandlers — With Tenant ID (skip if no DB store)
+// ============================================================================
+
+func TestReportingHandlers_GetExecutiveReport_WithTenant(t *testing.T) {
+	t.Skipf("Skipping integration test — requires live DB store")
+
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/executive", nil)
+	c.Set("tenant_id", uuid.New())
+	c.Set("user_id", uuid.New())
+
+	handler.GetExecutiveReport(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", w.Code)
+	}
+}
+
+func TestReportingHandlers_GetComplianceScore_WithTenant(t *testing.T) {
+	t.Skipf("Skipping integration test — requires live DB store")
+
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/score", nil)
+	c.Set("tenant_id", uuid.New())
+	c.Set("user_id", uuid.New())
+
+	handler.GetComplianceScore(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", w.Code)
+	}
+}
+
+func TestReportingHandlers_GetUpcomingDeadlines_WithTenant(t *testing.T) {
+	t.Skipf("Skipping integration test — requires live DB store")
+
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/deadlines", nil)
+	c.Set("tenant_id", uuid.New())
+	c.Set("user_id", uuid.New())
+
+	handler.GetUpcomingDeadlines(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", w.Code)
+	}
+}
+
+func TestReportingHandlers_GetRiskOverview_WithTenant(t *testing.T) {
+	t.Skipf("Skipping integration test — requires live DB store")
+
+	handler := &ReportingHandlers{store: nil}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Request = httptest.NewRequest("GET", "/reporting/risks", nil)
+	c.Set("tenant_id", uuid.New())
+	c.Set("user_id", uuid.New())
+
+	handler.GetRiskOverview(c)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", w.Code)
+	}
+}