refactor(admin): split lib/sdk/types.ts (2511 LOC) into per-domain modules under types/

Replace the monolithic types.ts with 11 focused modules:
- enums.ts, company-profile.ts, sdk-flow.ts, sdk-steps.ts, assessment.ts,
  compliance.ts, sdk-state.ts, iace.ts, helpers.ts, document-generator.ts
- Barrel index.ts re-exports everything so existing imports work unchanged

All files under 500 LOC hard cap. tsc error count unchanged (185), next build passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

admin-compliance/lib/sdk/types/assessment.ts

@@ -0,0 +1,286 @@
+/**
+ * Checkpoint system, use case assessment, and screening types.
+ */
+
+import type {
+  ValidationSeverity,
+  CheckpointType,
+  ReviewerType,
+  RiskSeverity,
+  SecurityIssueSeverity,
+  SecurityIssueStatus,
+  ScreeningStatus,
+  SDKPackageId,
+} from './enums'
+
+// =============================================================================
+// CHECKPOINT SYSTEM
+// =============================================================================
+
+export interface ValidationRule {
+  id: string
+  field: string
+  condition: 'NOT_EMPTY' | 'MIN_COUNT' | 'MIN_VALUE' | 'CUSTOM' | 'REGEX'
+  value?: number | string
+  message: string
+  severity: ValidationSeverity
+}
+
+export interface ValidationError {
+  ruleId: string
+  field: string
+  message: string
+  severity: ValidationSeverity
+}
+
+export interface Checkpoint {
+  id: string
+  step: string
+  name: string
+  type: CheckpointType
+  validation: ValidationRule[]
+  blocksProgress: boolean
+  requiresReview: ReviewerType
+  autoValidate: boolean
+}
+
+export interface CheckpointStatus {
+  checkpointId: string
+  passed: boolean
+  validatedAt: Date | null
+  validatedBy: string | null
+  errors: ValidationError[]
+  warnings: ValidationError[]
+  overrideReason?: string
+  overriddenBy?: string
+  overriddenAt?: Date
+}
+
+// =============================================================================
+// USE CASE ASSESSMENT
+// =============================================================================
+
+export interface UseCaseStep {
+  id: string
+  name: string
+  completed: boolean
+  data: Record<string, unknown>
+}
+
+export interface AssessmentResult {
+  riskLevel: RiskSeverity
+  applicableRegulations: string[]
+  recommendedControls: string[]
+  dsfaRequired: boolean
+  aiActClassification: string
+}
+
+export interface UseCaseIntake {
+  domain: string
+  dataCategories: string[]
+  processesPersonalData: boolean
+  specialCategories: boolean
+  healthData: boolean
+  biometricData: boolean
+  minorsData: boolean
+  financialData: boolean
+  customDataTypes: string[]
+  legalBasis: string
+  purposes: {
+    profiling: boolean
+    automatedDecision: boolean
+    marketing: boolean
+    analytics: boolean
+    serviceDelivery: boolean
+  }
+  automation: 'assistive' | 'semi_automated' | 'fully_automated'
+  hosting: {
+    provider: string
+    region: string
+  }
+  modelUsage: {
+    inference: boolean
+    rag: boolean
+    finetune: boolean
+    training: boolean
+  }
+  aiTechnologies: string[]
+  internationalTransfer: {
+    enabled: boolean
+    countries: string[]
+    mechanism: string
+  }
+  retention: {
+    days: number
+    purpose: string
+  }
+  contracts: {
+    hasDpa: boolean
+    hasAiaDocumentation: boolean
+    hasRiskAssessment: boolean
+    subprocessors: string
+  }
+}
+
+export interface UseCaseAssessment {
+  id: string
+  name: string
+  description: string
+  category: string
+  stepsCompleted: number
+  steps: UseCaseStep[]
+  assessmentResult: AssessmentResult | null
+  intake?: UseCaseIntake
+  uccaAssessmentId?: string
+  createdAt: Date
+  updatedAt: Date
+}
+
+// =============================================================================
+// SCREENING & SECURITY
+// =============================================================================
+
+export interface Vulnerability {
+  id: string
+  cve: string
+  severity: SecurityIssueSeverity
+  title: string
+  description: string
+  cvss: number | null
+  fixedIn: string | null
+}
+
+export interface SBOMComponent {
+  name: string
+  version: string
+  type: 'library' | 'framework' | 'application' | 'container'
+  purl: string
+  licenses: string[]
+  vulnerabilities: Vulnerability[]
+}
+
+export interface SBOMDependency {
+  from: string
+  to: string
+}
+
+export interface RAGCorpusCollectionStatus {
+  id: string
+  current_version: string
+  documents_count: number
+  chunks_count: number
+  regulations: string[]
+  last_updated: string
+  digest: string
+}
+
+export interface RAGCorpusStatus {
+  collections: Record<string, RAGCorpusCollectionStatus>
+  fetchedAt: string
+}
+
+export interface SBOM {
+  format: 'CycloneDX' | 'SPDX'
+  version: string
+  components: SBOMComponent[]
+  dependencies: SBOMDependency[]
+  generatedAt: Date
+}
+
+export interface SecurityScanResult {
+  totalIssues: number
+  critical: number
+  high: number
+  medium: number
+  low: number
+  issues: SecurityIssue[]
+}
+
+export interface SecurityIssue {
+  id: string
+  severity: SecurityIssueSeverity
+  title: string
+  description: string
+  cve: string | null
+  cvss: number | null
+  affectedComponent: string
+  remediation: string
+  status: SecurityIssueStatus
+}
+
+export interface ScreeningResult {
+  id: string
+  status: ScreeningStatus
+  startedAt: Date
+  completedAt: Date | null
+  sbom: SBOM | null
+  securityScan: SecurityScanResult | null
+  error: string | null
+}
+
+export interface BacklogItem {
+  id: string
+  title: string
+  description: string
+  severity: SecurityIssueSeverity
+  securityIssueId: string
+  status: 'OPEN' | 'IN_PROGRESS' | 'DONE'
+  assignee: string | null
+  dueDate: Date | null
+  createdAt: Date
+}
+
+// =============================================================================
+// IMPORTED DOCUMENTS (fuer Bestandskunden)
+// =============================================================================
+
+export type ImportedDocumentType =
+  | 'DSFA'
+  | 'TOM'
+  | 'VVT'
+  | 'AGB'
+  | 'PRIVACY_POLICY'
+  | 'COOKIE_POLICY'
+  | 'RISK_ASSESSMENT'
+  | 'AUDIT_REPORT'
+  | 'OTHER'
+
+export interface ImportedDocument {
+  id: string
+  name: string
+  type: ImportedDocumentType
+  fileUrl: string
+  uploadedAt: Date
+  analyzedAt: Date | null
+  analysisResult: DocumentAnalysisResult | null
+}
+
+export interface DocumentAnalysisResult {
+  detectedType: ImportedDocumentType
+  confidence: number
+  extractedEntities: string[]
+  gaps: GapItem[]
+  recommendations: string[]
+}
+
+export interface GapItem {
+  id: string
+  category: string
+  description: string
+  severity: RiskSeverity
+  regulation: string
+  requiredAction: string
+  relatedStepId: string | null
+}
+
+export interface GapAnalysis {
+  id: string
+  createdAt: Date
+  totalGaps: number
+  criticalGaps: number
+  highGaps: number
+  mediumGaps: number
+  lowGaps: number
+  gaps: GapItem[]
+  recommendedPackages: SDKPackageId[]
+}

admin-compliance/lib/sdk/types/company-profile.ts

@@ -0,0 +1,222 @@
+/**
+ * Company profile, machine builder profile, and related label constants.
+ */
+
+import type {
+  BusinessModel,
+  OfferingType,
+  TargetMarket,
+  CompanySize,
+  LegalForm,
+  MachineProductType,
+  AIIntegrationType,
+  HumanOversightLevel,
+  CriticalSector,
+} from './enums'
+
+// =============================================================================
+// PROJECT INFO (Multi-Projekt-Architektur)
+// =============================================================================
+
+export interface ProjectInfo {
+  id: string
+  name: string
+  description: string
+  customerType: 'new' | 'existing'
+  status: 'active' | 'archived'
+  projectVersion: number
+  completionPercentage: number
+  createdAt: string
+  updatedAt: string
+}
+
+// =============================================================================
+// MACHINE BUILDER PROFILE (IACE)
+// =============================================================================
+
+export interface MachineBuilderProfile {
+  // Produkt
+  productTypes: MachineProductType[]
+  productDescription: string
+  productPride: string
+  containsSoftware: boolean
+  containsFirmware: boolean
+  containsAI: boolean
+  aiIntegrationType: AIIntegrationType[]
+
+  // Sicherheit
+  hasSafetyFunction: boolean
+  safetyFunctionDescription: string
+  autonomousBehavior: boolean
+  humanOversightLevel: HumanOversightLevel
+
+  // Konnektivitaet
+  isNetworked: boolean
+  hasRemoteAccess: boolean
+  hasOTAUpdates: boolean
+  updateMechanism: string
+
+  // Markt & Kunden
+  exportMarkets: string[]
+  criticalSectorClients: boolean
+  criticalSectors: CriticalSector[]
+  oemClients: boolean
+
+  // CE
+  ceMarkingRequired: boolean
+  existingCEProcess: boolean
+  hasRiskAssessment: boolean
+}
+
+// =============================================================================
+// COMPANY PROFILE
+// =============================================================================
+
+export interface CompanyProfile {
+  // Basic Info
+  companyName: string
+  legalForm: LegalForm
+  industry: string[]
+  industryOther: string
+  foundedYear: number | null
+
+  // Business Model
+  businessModel: BusinessModel
+  offerings: OfferingType[]
+  offeringUrls: Partial<Record<string, string>>
+
+  // Size & Scope
+  companySize: CompanySize
+  employeeCount: string
+  annualRevenue: string
+
+  // Locations
+  headquartersCountry: string
+  headquartersCountryOther: string
+  headquartersStreet: string
+  headquartersZip: string
+  headquartersCity: string
+  headquartersState: string
+  hasInternationalLocations: boolean
+  internationalCountries: string[]
+
+  // Target Markets & Legal Scope
+  targetMarkets: TargetMarket[]
+  primaryJurisdiction: string
+
+  // Data Processing Role
+  isDataController: boolean
+  isDataProcessor: boolean
+
+  // Contact Persons
+  dpoName: string | null
+  dpoEmail: string | null
+  legalContactName: string | null
+  legalContactEmail: string | null
+
+  // Machine Builder (IACE)
+  machineBuilder?: MachineBuilderProfile
+
+  // Completion Status
+  isComplete: boolean
+  completedAt: Date | null
+}
+
+// =============================================================================
+// LABEL CONSTANTS
+// =============================================================================
+
+export const MACHINE_PRODUCT_TYPE_LABELS: Record<MachineProductType, string> = {
+  test_stand: 'Pruefstand',
+  robot_cell: 'Roboterzelle',
+  special_machine: 'Sondermaschine',
+  production_line: 'Produktionslinie',
+  other: 'Sonstige',
+}
+
+export const AI_INTEGRATION_TYPE_LABELS: Record<AIIntegrationType, string> = {
+  vision: 'Bildverarbeitung / Machine Vision',
+  predictive_maintenance: 'Predictive Maintenance',
+  quality_control: 'Qualitaetskontrolle',
+  robot_control: 'Robotersteuerung',
+  process_optimization: 'Prozessoptimierung',
+  other: 'Sonstige',
+}
+
+export const HUMAN_OVERSIGHT_LABELS: Record<HumanOversightLevel, string> = {
+  full: 'Vollstaendig (Mensch entscheidet immer)',
+  partial: 'Teilweise (Mensch ueberwacht)',
+  minimal: 'Minimal (Mensch greift nur bei Stoerung ein)',
+  none: 'Keine (vollautonomer Betrieb)',
+}
+
+export const CRITICAL_SECTOR_LABELS: Record<CriticalSector, string> = {
+  energy: 'Energie',
+  water: 'Wasser',
+  transport: 'Transport / Verkehr',
+  health: 'Gesundheit',
+  pharma: 'Pharma',
+  automotive: 'Automotive',
+  defense: 'Verteidigung',
+}
+
+export const COMPANY_SIZE_LABELS: Record<CompanySize, string> = {
+  micro: 'Kleinstunternehmen (< 10 MA)',
+  small: 'Kleinunternehmen (10-49 MA)',
+  medium: 'Mittelstand (50-249 MA)',
+  large: 'Gro\u00dfunternehmen (250-999 MA)',
+  enterprise: 'Konzern (1000+ MA)',
+}
+
+export const BUSINESS_MODEL_LABELS: Record<BusinessModel, { short: string; description: string }> = {
+  B2B: { short: 'B2B', description: 'Verkauf an Gesch\u00e4ftskunden' },
+  B2C: { short: 'B2C', description: 'Verkauf an Privatkunden' },
+  B2B_B2C: { short: 'B2B + B2C', description: 'Verkauf an Gesch\u00e4fts- und Privatkunden' },
+  B2B2C: { short: 'B2B2C', description: '\u00dcber Partner an Endkunden (z.B. Plattform, White-Label)' },
+}
+
+export const OFFERING_TYPE_LABELS: Record<OfferingType, { label: string; description: string }> = {
+  app_mobile: { label: 'Mobile App', description: 'iOS/Android Anwendungen' },
+  app_web: { label: 'Web-Anwendung', description: 'Browser-basierte Software' },
+  website: { label: 'Website', description: 'Informationsseiten, Landing Pages' },
+  webshop: { label: 'Online-Shop', description: 'Physische Produkte oder Hardware-Abos verkaufen' },
+  hardware: { label: 'Hardware-Verkauf', description: 'Physische Produkte' },
+  software_saas: { label: 'SaaS/Cloud', description: 'Software online bereitstellen (auch wenn ueber einen Shop verkauft)' },
+  software_onpremise: { label: 'On-Premise Software', description: 'Lokale Installation' },
+  services_consulting: { label: 'Beratung', description: 'Consulting, Professional Services' },
+  services_agency: { label: 'Agentur', description: 'Marketing, Design, Entwicklung' },
+  internal_only: { label: 'Nur intern', description: 'Interne Unternehmensanwendungen' },
+}
+
+export const TARGET_MARKET_LABELS: Record<TargetMarket, { label: string; description: string; regulations: string[] }> = {
+  germany_only: {
+    label: 'Nur Deutschland',
+    description: 'Verkauf nur in Deutschland',
+    regulations: ['DSGVO', 'BDSG', 'TTDSG', 'AI Act'],
+  },
+  dach: {
+    label: 'DACH-Region',
+    description: 'Deutschland, \u00d6sterreich, Schweiz',
+    regulations: ['DSGVO', 'BDSG', 'DSG (AT)', 'DSG (CH)', 'AI Act'],
+  },
+  eu: {
+    label: 'Europ\u00e4ische Union',
+    description: 'Alle EU-Mitgliedsstaaten',
+    regulations: ['DSGVO', 'AI Act', 'NIS2', 'DMA/DSA'],
+  },
+  ewr: {
+    label: 'EWR',
+    description: 'EU + Island, Liechtenstein, Norwegen',
+    regulations: ['DSGVO', 'AI Act', 'NIS2', 'EWR-Sonderregelungen'],
+  },
+  eu_uk: {
+    label: 'EU + Gro\u00dfbritannien',
+    description: 'EU plus Vereinigtes K\u00f6nigreich',
+    regulations: ['DSGVO', 'UK GDPR', 'AI Act', 'UK AI Framework'],
+  },
+  worldwide: {
+    label: 'Weltweit',
+    description: 'Globaler Verkauf/Betrieb',
+    regulations: ['DSGVO', 'CCPA', 'LGPD', 'POPIA', 'und weitere...'],
+  },
+}

admin-compliance/lib/sdk/types/compliance.ts

@@ -0,0 +1,383 @@
+/**
+ * Compliance, risk management, AI Act, obligations, DSFA, TOM, retention,
+ * VVT, legal documents, cookie banner, consent, DSR, and escalation types.
+ *
+ * These are the core domain data structures referenced by SDKState.
+ */
+
+import type {
+  RiskSeverity,
+  RequirementStatus,
+  ControlType,
+  ImplementationStatus,
+  EvidenceType,
+  RiskLikelihood,
+  RiskImpact,
+  RiskStatus,
+  MitigationType,
+  AIActRiskCategory,
+  DSFAStatus,
+  CookieBannerStyle,
+  CookieBannerPosition,
+  CookieBannerTheme,
+  CommandType,
+} from './enums'
+
+// =============================================================================
+// COMPLIANCE
+// =============================================================================
+
+export interface ServiceModule {
+  id: string
+  name: string
+  description: string
+  regulations: string[]
+  criticality: RiskSeverity
+  processesPersonalData: boolean
+  hasAIComponents: boolean
+}
+
+export interface Requirement {
+  id: string
+  regulation: string
+  article: string
+  title: string
+  description: string
+  criticality: RiskSeverity
+  applicableModules: string[]
+  status: RequirementStatus
+  controls: string[]
+}
+
+export interface Control {
+  id: string
+  name: string
+  description: string
+  type: ControlType
+  category: string
+  implementationStatus: ImplementationStatus
+  effectiveness: RiskSeverity
+  evidence: string[]
+  owner: string | null
+  dueDate: Date | null
+}
+
+export interface Evidence {
+  id: string
+  controlId: string
+  type: EvidenceType
+  name: string
+  description: string
+  fileUrl: string | null
+  validFrom: Date
+  validUntil: Date | null
+  uploadedBy: string
+  uploadedAt: Date
+}
+
+export interface ChecklistItem {
+  id: string
+  requirementId: string
+  title: string
+  description: string
+  status: 'PENDING' | 'PASSED' | 'FAILED' | 'NOT_APPLICABLE'
+  notes: string
+  verifiedBy: string | null
+  verifiedAt: Date | null
+}
+
+// =============================================================================
+// RISK MANAGEMENT
+// =============================================================================
+
+export interface RiskMitigation {
+  id: string
+  description: string
+  type: MitigationType
+  status: 'PLANNED' | 'IN_PROGRESS' | 'COMPLETED'
+  effectiveness: number // 0-100
+  controlId: string | null
+}
+
+export interface Risk {
+  id: string
+  title: string
+  description: string
+  category: string
+  likelihood: RiskLikelihood
+  impact: RiskImpact
+  severity: RiskSeverity
+  inherentRiskScore: number
+  residualRiskScore: number
+  status: RiskStatus
+  mitigation: RiskMitigation[]
+  owner: string | null
+  relatedControls: string[]
+  relatedRequirements: string[]
+}
+
+// =============================================================================
+// AI ACT & OBLIGATIONS
+// =============================================================================
+
+export interface AIActObligation {
+  id: string
+  article: string
+  title: string
+  description: string
+  deadline: Date | null
+  status: 'PENDING' | 'IN_PROGRESS' | 'COMPLETED'
+}
+
+export interface AIActResult {
+  riskCategory: AIActRiskCategory
+  systemType: string
+  obligations: AIActObligation[]
+  assessmentDate: Date
+  assessedBy: string
+  justification: string
+}
+
+export interface Obligation {
+  id: string
+  regulation: string
+  article: string
+  title: string
+  description: string
+  deadline: Date | null
+  penalty: string | null
+  status: 'PENDING' | 'IN_PROGRESS' | 'COMPLETED'
+  responsible: string | null
+}
+
+// =============================================================================
+// DSFA
+// =============================================================================
+
+export interface DSFASection {
+  id: string
+  title: string
+  content: string
+  status: 'DRAFT' | 'COMPLETED'
+  order: number
+}
+
+export interface DSFAApproval {
+  id: string
+  approver: string
+  role: string
+  status: 'PENDING' | 'APPROVED' | 'REJECTED'
+  comment: string | null
+  approvedAt: Date | null
+}
+
+export interface DSFA {
+  id: string
+  status: DSFAStatus
+  version: number
+  sections: DSFASection[]
+  approvals: DSFAApproval[]
+  createdAt: Date
+  updatedAt: Date
+}
+
+// =============================================================================
+// TOMs & RETENTION
+// =============================================================================
+
+export interface TOM {
+  id: string
+  category: string
+  name: string
+  description: string
+  type: 'TECHNICAL' | 'ORGANIZATIONAL'
+  implementationStatus: ImplementationStatus
+  priority: RiskSeverity
+  responsiblePerson: string | null
+  implementationDate: Date | null
+  reviewDate: Date | null
+  evidence: string[]
+}
+
+export interface RetentionPolicy {
+  id: string
+  dataCategory: string
+  description: string
+  legalBasis: string
+  retentionPeriod: string
+  deletionMethod: string
+  exceptions: string[]
+}
+
+// =============================================================================
+// VVT (Processing Register)
+// =============================================================================
+
+export interface ProcessingActivity {
+  id: string
+  name: string
+  purpose: string
+  legalBasis: string
+  dataCategories: string[]
+  dataSubjects: string[]
+  recipients: string[]
+  thirdCountryTransfers: boolean
+  retentionPeriod: string
+  technicalMeasures: string[]
+  organizationalMeasures: string[]
+}
+
+// =============================================================================
+// LEGAL DOCUMENTS
+// =============================================================================
+
+export interface LegalDocument {
+  id: string
+  type: 'AGB' | 'PRIVACY_POLICY' | 'TERMS_OF_USE' | 'IMPRINT' | 'COOKIE_POLICY'
+  title: string
+  content: string
+  version: string
+  status: 'DRAFT' | 'PUBLISHED' | 'ARCHIVED'
+  publishedAt: Date | null
+  createdAt: Date
+  updatedAt: Date
+}
+
+// =============================================================================
+// COOKIE BANNER
+// =============================================================================
+
+export interface Cookie {
+  id: string
+  name: string
+  provider: string
+  purpose: string
+  expiry: string
+  type: 'NECESSARY' | 'FUNCTIONAL' | 'ANALYTICS' | 'MARKETING'
+}
+
+export interface CookieCategory {
+  id: string
+  name: string
+  description: string
+  required: boolean
+  cookies: Cookie[]
+}
+
+export interface CookieBannerTexts {
+  title: string
+  description: string
+  acceptAll: string
+  rejectAll: string
+  settings: string
+  save: string
+}
+
+export interface CookieBannerGeneratedCode {
+  html: string
+  css: string
+  js: string
+}
+
+export interface CookieBannerConfig {
+  id: string
+  style: CookieBannerStyle
+  position: CookieBannerPosition
+  theme: CookieBannerTheme
+  texts: CookieBannerTexts
+  categories: CookieCategory[]
+  generatedCode: CookieBannerGeneratedCode | null
+}
+
+// =============================================================================
+// CONSENT & DSR
+// =============================================================================
+
+export interface ConsentRecord {
+  id: string
+  userId: string
+  documentId: string
+  documentVersion: string
+  consentType: string
+  granted: boolean
+  grantedAt: Date
+  revokedAt: Date | null
+  ipAddress: string | null
+  userAgent: string | null
+}
+
+export interface DSRRequest {
+  id: string
+  type: 'ACCESS' | 'RECTIFICATION' | 'ERASURE' | 'PORTABILITY' | 'RESTRICTION' | 'OBJECTION'
+  status: 'RECEIVED' | 'VERIFIED' | 'PROCESSING' | 'COMPLETED' | 'REJECTED'
+  requesterEmail: string
+  requesterName: string
+  requestedAt: Date
+  dueDate: Date
+  completedAt: Date | null
+  notes: string
+}
+
+export interface DSRConfig {
+  id: string
+  enabled: boolean
+  portalUrl: string
+  emailTemplates: Record<string, string>
+  automatedResponses: boolean
+  verificationRequired: boolean
+}
+
+// =============================================================================
+// ESCALATIONS
+// =============================================================================
+
+export interface EscalationWorkflow {
+  id: string
+  name: string
+  description: string
+  triggerConditions: string[]
+  steps: EscalationStep[]
+  enabled: boolean
+}
+
+export interface EscalationStep {
+  id: string
+  order: number
+  action: string
+  assignee: string
+  timeLimit: string // ISO 8601 Duration
+  escalateOnTimeout: boolean
+}
+
+// =============================================================================
+// COMMAND BAR & USER PREFERENCES
+// =============================================================================
+
+export interface CommandSuggestion {
+  id: string
+  type: CommandType
+  label: string
+  description: string
+  shortcut?: string
+  icon?: string
+  action: () => void | Promise<void>
+  relevanceScore: number
+}
+
+export interface CommandHistory {
+  id: string
+  query: string
+  type: CommandType
+  timestamp: Date
+  success: boolean
+}
+
+export interface UserPreferences {
+  language: 'de' | 'en'
+  theme: 'light' | 'dark' | 'system'
+  compactMode: boolean
+  showHints: boolean
+  autoSave: boolean
+  autoValidate: boolean
+  allowParallelWork: boolean
+}

admin-compliance/lib/sdk/types/document-generator.ts

@@ -0,0 +1,468 @@
+/**
+ * Document generator types (Legal Templates RAG), DSFA RAG types,
+ * and Compliance Wiki types.
+ */
+
+import type { CompanyProfile } from './company-profile'
+
+// =============================================================================
+// DOCUMENT GENERATOR (Legal Templates RAG)
+// =============================================================================
+
+export type LicenseType =
+  | 'public_domain'
+  | 'cc0'
+  | 'unlicense'
+  | 'mit'
+  | 'cc_by_4'
+  | 'reuse_notice'
+
+export type TemplateType =
+  | 'privacy_policy'
+  | 'terms_of_service'
+  | 'agb'
+  | 'cookie_banner'
+  | 'cookie_policy'
+  | 'impressum'
+  | 'widerruf'
+  | 'dpa'
+  | 'sla'
+  | 'nda'
+  | 'cloud_service_agreement'
+  | 'data_usage_clause'
+  | 'acceptable_use'
+  | 'community_guidelines'
+  | 'copyright_policy'
+  | 'clause'
+  | 'dsfa'
+
+export type Jurisdiction = 'DE' | 'AT' | 'CH' | 'EU' | 'US' | 'INTL'
+
+export interface LegalTemplateResult {
+  id: string
+  score: number
+  text: string
+  documentTitle: string | null
+  templateType: TemplateType | null
+  clauseCategory: string | null
+  language: 'de' | 'en'
+  jurisdiction: Jurisdiction | null
+  licenseId: LicenseType | null
+  licenseName: string | null
+  licenseUrl: string | null
+  attributionRequired: boolean
+  attributionText: string | null
+  sourceName: string | null
+  sourceUrl: string | null
+  sourceRepo: string | null
+  placeholders: string[]
+  isCompleteDocument: boolean
+  isModular: boolean
+  requiresCustomization: boolean
+  outputAllowed: boolean
+  modificationAllowed: boolean
+  distortionProhibited: boolean
+}
+
+export interface TemplateReference {
+  templateId: string
+  sourceName: string
+  sourceUrl: string
+  licenseId: LicenseType
+  licenseName: string
+  attributionRequired: boolean
+  attributionText: string | null
+  usedAt: string
+}
+
+export interface GeneratedDocument {
+  id: string
+  documentType: TemplateType
+  title: string
+  content: string
+  language: 'de' | 'en'
+  jurisdiction: Jurisdiction
+  usedTemplates: TemplateReference[]
+  attributionFooter: string
+  placeholderValues: Record<string, string>
+  customizations: DocumentCustomization[]
+  generatedAt: string
+  generatedBy: string
+  version: number
+}
+
+export interface DocumentCustomization {
+  type: 'add_section' | 'modify_section' | 'remove_section' | 'replace_placeholder'
+  section: string | null
+  originalText: string | null
+  newText: string | null
+  reason: string | null
+  appliedAt: string
+}
+
+export interface DocumentGeneratorState {
+  searchQuery: string
+  searchResults: LegalTemplateResult[]
+  selectedTemplates: string[]
+  currentDocumentType: TemplateType | null
+  currentLanguage: 'de' | 'en'
+  currentJurisdiction: Jurisdiction
+  editorContent: string
+  editorMode: 'preview' | 'edit'
+  unsavedChanges: boolean
+  placeholderValues: Record<string, string>
+  generatedDocuments: GeneratedDocument[]
+  isGenerating: boolean
+  isSearching: boolean
+  lastError: string | null
+}
+
+export interface TemplateSearchRequest {
+  query: string
+  templateType?: TemplateType
+  licenseTypes?: LicenseType[]
+  language?: 'de' | 'en'
+  jurisdiction?: Jurisdiction
+  attributionRequired?: boolean
+  limit?: number
+}
+
+export interface DocumentGenerationRequest {
+  documentType: TemplateType
+  language: 'de' | 'en'
+  jurisdiction: Jurisdiction
+  templateIds: string[]
+  placeholderValues: Record<string, string>
+  companyProfile?: Partial<CompanyProfile>
+  additionalContext?: string
+}
+
+export interface TemplateSource {
+  name: string
+  description: string
+  licenseType: LicenseType
+  licenseName: string
+  templateTypes: TemplateType[]
+  languages: ('de' | 'en')[]
+  jurisdiction: Jurisdiction
+  repoUrl: string | null
+  webUrl: string | null
+  priority: number
+  enabled: boolean
+  attributionRequired: boolean
+}
+
+export interface TemplateIngestionStatus {
+  running: boolean
+  lastRun: string | null
+  currentSource: string | null
+  results: Record<string, SourceIngestionResult>
+}
+
+export interface SourceIngestionResult {
+  status: 'pending' | 'running' | 'completed' | 'failed'
+  documentsFound: number
+  chunksIndexed: number
+  errors: string[]
+}
+
+export interface TemplateCollectionStats {
+  collection: string
+  vectorsCount: number
+  pointsCount: number
+  status: string
+  templateTypes: Record<TemplateType, number>
+  languages: Record<string, number>
+  licenses: Record<LicenseType, number>
+}
+
+// =============================================================================
+// LABEL CONSTANTS
+// =============================================================================
+
+export const DEFAULT_PLACEHOLDERS: Record<string, string> = {
+  '[COMPANY_NAME]': '',
+  '[FIRMENNAME]': '',
+  '[ADDRESS]': '',
+  '[ADRESSE]': '',
+  '[EMAIL]': '',
+  '[PHONE]': '',
+  '[TELEFON]': '',
+  '[WEBSITE]': '',
+  '[LEGAL_REPRESENTATIVE]': '',
+  '[GESCHAEFTSFUEHRER]': '',
+  '[REGISTER_COURT]': '',
+  '[REGISTERGERICHT]': '',
+  '[REGISTER_NUMBER]': '',
+  '[REGISTERNUMMER]': '',
+  '[VAT_ID]': '',
+  '[UST_ID]': '',
+  '[DPO_NAME]': '',
+  '[DSB_NAME]': '',
+  '[DPO_EMAIL]': '',
+  '[DSB_EMAIL]': '',
+}
+
+export const TEMPLATE_TYPE_LABELS: Record<TemplateType, string> = {
+  privacy_policy: 'Datenschutzerkl\u00e4rung',
+  terms_of_service: 'Nutzungsbedingungen',
+  agb: 'Allgemeine Gesch\u00e4ftsbedingungen',
+  cookie_banner: 'Cookie-Banner',
+  cookie_policy: 'Cookie-Richtlinie',
+  impressum: 'Impressum',
+  widerruf: 'Widerrufsbelehrung',
+  dpa: 'Auftragsverarbeitungsvertrag',
+  sla: 'Service Level Agreement',
+  nda: 'Geheimhaltungsvereinbarung',
+  cloud_service_agreement: 'Cloud-Dienstleistungsvertrag',
+  data_usage_clause: 'Datennutzungsklausel',
+  acceptable_use: 'Acceptable Use Policy',
+  community_guidelines: 'Community-Richtlinien',
+  copyright_policy: 'Urheberrechtsrichtlinie',
+  clause: 'Vertragsklausel',
+  dsfa: 'Datenschutz-Folgenabsch\u00e4tzung',
+}
+
+export const LICENSE_TYPE_LABELS: Record<LicenseType, string> = {
+  public_domain: 'Public Domain (\u00a75 UrhG)',
+  cc0: 'CC0 1.0 Universal',
+  unlicense: 'Unlicense',
+  mit: 'MIT License',
+  cc_by_4: 'CC BY 4.0 International',
+  reuse_notice: 'EU Reuse Notice',
+}
+
+export const JURISDICTION_LABELS: Record<Jurisdiction, string> = {
+  DE: 'Deutschland',
+  AT: '\u00d6sterreich',
+  CH: 'Schweiz',
+  EU: 'Europ\u00e4ische Union',
+  US: 'United States',
+  INTL: 'International',
+}
+
+// =============================================================================
+// DSFA RAG TYPES (Source Attribution & Corpus Management)
+// =============================================================================
+
+export type DSFALicenseCode =
+  | 'DL-DE-BY-2.0'
+  | 'DL-DE-ZERO-2.0'
+  | 'CC-BY-4.0'
+  | 'EDPB-LICENSE'
+  | 'PUBLIC_DOMAIN'
+  | 'PROPRIETARY'
+
+export type DSFADocumentType = 'guideline' | 'checklist' | 'regulation' | 'template'
+
+export type DSFACategory =
+  | 'threshold_analysis'
+  | 'risk_assessment'
+  | 'mitigation'
+  | 'consultation'
+  | 'documentation'
+  | 'process'
+  | 'criteria'
+
+export interface DSFASource {
+  id: string
+  sourceCode: string
+  name: string
+  fullName?: string
+  organization?: string
+  sourceUrl?: string
+  eurLexCelex?: string
+  licenseCode: DSFALicenseCode
+  licenseName: string
+  licenseUrl?: string
+  attributionRequired: boolean
+  attributionText: string
+  documentType?: DSFADocumentType
+  language: string
+}
+
+export interface DSFADocument {
+  id: string
+  sourceId: string
+  title: string
+  description?: string
+  fileName?: string
+  fileType?: string
+  fileSizeBytes?: number
+  minioBucket: string
+  minioPath?: string
+  originalUrl?: string
+  ocrProcessed: boolean
+  textExtracted: boolean
+  chunksGenerated: number
+  lastIndexedAt?: string
+  metadata: Record<string, unknown>
+  createdAt: string
+  updatedAt: string
+}
+
+export interface DSFAChunk {
+  chunkId: string
+  content: string
+  sectionTitle?: string
+  pageNumber?: number
+  category?: DSFACategory
+  documentId: string
+  documentTitle?: string
+  sourceId: string
+  sourceCode: string
+  sourceName: string
+  attributionText: string
+  licenseCode: DSFALicenseCode
+  licenseName: string
+  licenseUrl?: string
+  attributionRequired: boolean
+  sourceUrl?: string
+  documentType?: DSFADocumentType
+}
+
+export interface DSFASearchResult {
+  chunkId: string
+  content: string
+  score: number
+  sourceCode: string
+  sourceName: string
+  attributionText: string
+  licenseCode: DSFALicenseCode
+  licenseName: string
+  licenseUrl?: string
+  attributionRequired: boolean
+  sourceUrl?: string
+  documentType?: DSFADocumentType
+  category?: DSFACategory
+  sectionTitle?: string
+  pageNumber?: number
+}
+
+export interface DSFASearchResponse {
+  query: string
+  results: DSFASearchResult[]
+  totalResults: number
+  licensesUsed: string[]
+  attributionNotice: string
+}
+
+export interface DSFASourceStats {
+  sourceId: string
+  sourceCode: string
+  name: string
+  organization?: string
+  licenseCode: DSFALicenseCode
+  documentType?: DSFADocumentType
+  documentCount: number
+  chunkCount: number
+  lastIndexedAt?: string
+}
+
+export interface DSFACorpusStats {
+  sources: DSFASourceStats[]
+  totalSources: number
+  totalDocuments: number
+  totalChunks: number
+  qdrantCollection: string
+  qdrantPointsCount: number
+  qdrantStatus: string
+}
+
+export interface DSFALicenseInfo {
+  code: DSFALicenseCode
+  name: string
+  url?: string
+  attributionRequired: boolean
+  modificationAllowed: boolean
+  commercialUse: boolean
+}
+
+export interface DSFAIngestRequest {
+  documentUrl?: string
+  documentText?: string
+  title?: string
+}
+
+export interface DSFAIngestResponse {
+  sourceCode: string
+  documentId?: string
+  chunksCreated: number
+  message: string
+}
+
+export interface SourceAttributionProps {
+  sources: Array<{
+    sourceCode: string
+    sourceName: string
+    attributionText: string
+    licenseCode: DSFALicenseCode
+    sourceUrl?: string
+    score?: number
+  }>
+  compact?: boolean
+  showScores?: boolean
+}
+
+export const DSFA_LICENSE_LABELS: Record<DSFALicenseCode, string> = {
+  'DL-DE-BY-2.0': 'Datenlizenz DE \u2013 Namensnennung 2.0',
+  'DL-DE-ZERO-2.0': 'Datenlizenz DE \u2013 Zero 2.0',
+  'CC-BY-4.0': 'CC BY 4.0 International',
+  'EDPB-LICENSE': 'EDPB Document License',
+  'PUBLIC_DOMAIN': 'Public Domain',
+  'PROPRIETARY': 'Proprietary',
+}
+
+export const DSFA_DOCUMENT_TYPE_LABELS: Record<DSFADocumentType, string> = {
+  guideline: 'Leitlinie',
+  checklist: 'Pr\u00fcfliste',
+  regulation: 'Verordnung',
+  template: 'Vorlage',
+}
+
+export const DSFA_CATEGORY_LABELS: Record<DSFACategory, string> = {
+  threshold_analysis: 'Schwellwertanalyse',
+  risk_assessment: 'Risikobewertung',
+  mitigation: 'Risikominderung',
+  consultation: 'Beh\u00f6rdenkonsultation',
+  documentation: 'Dokumentation',
+  process: 'Prozessschritte',
+  criteria: 'Kriterien',
+}
+
+// =============================================================================
+// COMPLIANCE WIKI
+// =============================================================================
+
+export interface WikiCategory {
+  id: string
+  name: string
+  description: string
+  icon: string
+  sortOrder: number
+  articleCount: number
+}
+
+export interface WikiArticle {
+  id: string
+  categoryId: string
+  categoryName: string
+  title: string
+  summary: string
+  content: string
+  legalRefs: string[]
+  tags: string[]
+  relevance: 'critical' | 'important' | 'info'
+  sourceUrls: string[]
+  version: number
+  updatedAt: string
+}
+
+export interface WikiSearchResult {
+  id: string
+  title: string
+  summary: string
+  categoryName: string
+  relevance: string
+  highlight: string
+}

admin-compliance/lib/sdk/types/enums.ts

@@ -0,0 +1,98 @@
+/**
+ * Base type aliases and enums for the AI Compliance SDK.
+ */
+
+export type SubscriptionTier = 'FREE' | 'STARTER' | 'PROFESSIONAL' | 'ENTERPRISE'
+
+export type SDKPhase = 1 | 2
+
+export type SDKPackageId = 'vorbereitung' | 'analyse' | 'dokumentation' | 'rechtliche-texte' | 'betrieb'
+
+export type CustomerType = 'new' | 'existing'
+
+export type CheckpointType = 'REQUIRED' | 'RECOMMENDED' | 'OPTIONAL'
+
+export type ReviewerType = 'NONE' | 'TEAM_LEAD' | 'DSB' | 'LEGAL'
+
+export type ValidationSeverity = 'ERROR' | 'WARNING' | 'INFO'
+
+export type RiskSeverity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL'
+
+export type RiskLikelihood = 1 | 2 | 3 | 4 | 5
+
+export type RiskImpact = 1 | 2 | 3 | 4 | 5
+
+export type ImplementationStatus = 'NOT_IMPLEMENTED' | 'PARTIAL' | 'IMPLEMENTED'
+
+export type RequirementStatus = 'NOT_STARTED' | 'IN_PROGRESS' | 'IMPLEMENTED' | 'VERIFIED'
+
+export type ControlType = 'TECHNICAL' | 'ORGANIZATIONAL' | 'PHYSICAL'
+
+export type EvidenceType = 'DOCUMENT' | 'SCREENSHOT' | 'LOG' | 'CERTIFICATE' | 'AUDIT_REPORT'
+
+export type RiskStatus = 'IDENTIFIED' | 'ASSESSED' | 'MITIGATED' | 'ACCEPTED' | 'CLOSED'
+
+export type MitigationType = 'AVOID' | 'TRANSFER' | 'MITIGATE' | 'ACCEPT'
+
+export type AIActRiskCategory = 'MINIMAL' | 'LIMITED' | 'HIGH' | 'UNACCEPTABLE'
+
+export type DSFAStatus = 'DRAFT' | 'IN_REVIEW' | 'APPROVED' | 'REJECTED'
+
+export type ScreeningStatus = 'PENDING' | 'RUNNING' | 'COMPLETED' | 'FAILED'
+
+export type SecurityIssueSeverity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW'
+
+export type SecurityIssueStatus = 'OPEN' | 'IN_PROGRESS' | 'RESOLVED' | 'ACCEPTED'
+
+export type CookieBannerStyle = 'BANNER' | 'MODAL' | 'FLOATING'
+
+export type CookieBannerPosition = 'TOP' | 'BOTTOM' | 'CENTER'
+
+export type CookieBannerTheme = 'LIGHT' | 'DARK' | 'CUSTOM'
+
+export type CommandType = 'ACTION' | 'NAVIGATION' | 'SEARCH' | 'GENERATE' | 'HELP'
+
+export type BusinessModel = 'B2B' | 'B2C' | 'B2B_B2C' | 'B2B2C'
+
+export type OfferingType =
+  | 'app_mobile'
+  | 'app_web'
+  | 'website'
+  | 'webshop'
+  | 'hardware'
+  | 'software_saas'
+  | 'software_onpremise'
+  | 'services_consulting'
+  | 'services_agency'
+  | 'internal_only'
+
+export type TargetMarket =
+  | 'germany_only'
+  | 'dach'
+  | 'eu'
+  | 'ewr'
+  | 'eu_uk'
+  | 'worldwide'
+
+export type CompanySize = 'micro' | 'small' | 'medium' | 'large' | 'enterprise'
+
+export type LegalForm =
+  | 'einzelunternehmen'
+  | 'gbr'
+  | 'ohg'
+  | 'kg'
+  | 'gmbh'
+  | 'ug'
+  | 'ag'
+  | 'gmbh_co_kg'
+  | 'ev'
+  | 'stiftung'
+  | 'other'
+
+export type MachineProductType = 'test_stand' | 'robot_cell' | 'special_machine' | 'production_line' | 'other'
+
+export type AIIntegrationType = 'vision' | 'predictive_maintenance' | 'quality_control' | 'robot_control' | 'process_optimization' | 'other'
+
+export type HumanOversightLevel = 'full' | 'partial' | 'minimal' | 'none'
+
+export type CriticalSector = 'energy' | 'water' | 'transport' | 'health' | 'pharma' | 'automotive' | 'defense'

admin-compliance/lib/sdk/types/helpers.ts

@@ -0,0 +1,194 @@
+/**
+ * Helper functions for SDK navigation, risk calculation, and package management.
+ */
+
+import type { SDKPhase, SDKPackageId, CustomerType, RiskLikelihood, RiskImpact, RiskSeverity } from './enums'
+import type { SDKStep, SDKPackage, SDK_PACKAGES } from './sdk-flow'
+import type { SDK_STEPS } from './sdk-steps'
+import type { SDKState } from './sdk-state'
+import type { Risk } from './compliance'
+
+// Re-import values (not just types) for runtime use
+import { SDK_PACKAGES as _SDK_PACKAGES } from './sdk-flow'
+import { SDK_STEPS as _SDK_STEPS } from './sdk-steps'
+
+// =============================================================================
+// STEP HELPERS
+// =============================================================================
+
+export function getStepById(stepId: string): SDKStep | undefined {
+  return _SDK_STEPS.find(s => s.id === stepId)
+}
+
+export function getStepByUrl(url: string): SDKStep | undefined {
+  return _SDK_STEPS.find(s => s.url === url)
+}
+
+export function getStepsForPhase(phase: SDKPhase): SDKStep[] {
+  return _SDK_STEPS.filter(s => s.phase === phase).sort((a, b) => a.seq - b.seq)
+}
+
+// Alle Steps global nach seq sortiert
+function getAllStepsSorted(): SDKStep[] {
+  return [..._SDK_STEPS].sort((a, b) => a.seq - b.seq)
+}
+
+// Sichtbare Steps (state-abhaengig)
+export function getVisibleSteps(state: SDKState): SDKStep[] {
+  return getAllStepsSorted().filter(step => {
+    if (step.visibleWhen) return step.visibleWhen(state)
+    return true
+  })
+}
+
+// Naechster sichtbarer Step
+export function getNextVisibleStep(currentStepId: string, state: SDKState): SDKStep | undefined {
+  const visible = getVisibleSteps(state)
+  const idx = visible.findIndex(s => s.id === currentStepId)
+  if (idx >= 0 && idx < visible.length - 1) return visible[idx + 1]
+  return undefined
+}
+
+// Vorheriger sichtbarer Step
+export function getPreviousVisibleStep(currentStepId: string, state: SDKState): SDKStep | undefined {
+  const visible = getVisibleSteps(state)
+  const idx = visible.findIndex(s => s.id === currentStepId)
+  if (idx > 0) return visible[idx - 1]
+  return undefined
+}
+
+export function getNextStep(currentStepId: string, state?: SDKState): SDKStep | undefined {
+  if (!state) {
+    // Fallback: seq-sortiert ohne Sichtbarkeitspruefung
+    const sorted = getAllStepsSorted()
+    const idx = sorted.findIndex(s => s.id === currentStepId)
+    if (idx >= 0 && idx < sorted.length - 1) return sorted[idx + 1]
+    return undefined
+  }
+  return getNextVisibleStep(currentStepId, state)
+}
+
+export function getPreviousStep(currentStepId: string, state?: SDKState): SDKStep | undefined {
+  if (!state) {
+    const sorted = getAllStepsSorted()
+    const idx = sorted.findIndex(s => s.id === currentStepId)
+    if (idx > 0) return sorted[idx - 1]
+    return undefined
+  }
+  return getPreviousVisibleStep(currentStepId, state)
+}
+
+// =============================================================================
+// RISK HELPERS
+// =============================================================================
+
+export function calculateRiskScore(likelihood: RiskLikelihood, impact: RiskImpact): number {
+  return likelihood * impact
+}
+
+export function getRiskSeverityFromScore(score: number): RiskSeverity {
+  if (score >= 20) return 'CRITICAL'
+  if (score >= 12) return 'HIGH'
+  if (score >= 6) return 'MEDIUM'
+  return 'LOW'
+}
+
+export function calculateResidualRisk(risk: Risk): number {
+  const inherentScore = calculateRiskScore(risk.likelihood, risk.impact)
+  const totalEffectiveness = risk.mitigation
+    .filter(m => m.status === 'COMPLETED')
+    .reduce((sum, m) => sum + m.effectiveness, 0)
+
+  const effectivenessMultiplier = Math.min(totalEffectiveness, 100) / 100
+  return Math.max(1, Math.round(inherentScore * (1 - effectivenessMultiplier)))
+}
+
+// =============================================================================
+// COMPLETION HELPERS
+// =============================================================================
+
+export function getCompletionPercentage(state: SDKState): number {
+  const totalSteps = _SDK_STEPS.length
+  const completedSteps = state.completedSteps.length
+  return Math.round((completedSteps / totalSteps) * 100)
+}
+
+export function getPhaseCompletionPercentage(state: SDKState, phase: SDKPhase): number {
+  const phaseSteps = getStepsForPhase(phase)
+  const completedPhaseSteps = phaseSteps.filter(s => state.completedSteps.includes(s.id))
+  return Math.round((completedPhaseSteps.length / phaseSteps.length) * 100)
+}
+
+// =============================================================================
+// PACKAGE HELPERS
+// =============================================================================
+
+export function getPackageById(packageId: SDKPackageId): SDKPackage | undefined {
+  return _SDK_PACKAGES.find(p => p.id === packageId)
+}
+
+export function getStepsForPackage(packageId: SDKPackageId): SDKStep[] {
+  return _SDK_STEPS.filter(s => s.package === packageId).sort((a, b) => a.seq - b.seq)
+}
+
+export function getPackageCompletionPercentage(state: SDKState, packageId: SDKPackageId): number {
+  const packageSteps = getStepsForPackage(packageId)
+  if (packageSteps.length === 0) return 0
+  const completedPackageSteps = packageSteps.filter(s => state.completedSteps.includes(s.id))
+  return Math.round((completedPackageSteps.length / packageSteps.length) * 100)
+}
+
+export function getCurrentPackage(currentStepId: string): SDKPackage | undefined {
+  const step = getStepById(currentStepId)
+  if (!step) return undefined
+  return getPackageById(step.package)
+}
+
+export function getNextPackageStep(currentStepId: string): SDKStep | undefined {
+  const currentStep = getStepById(currentStepId)
+  if (!currentStep) return undefined
+
+  const packageSteps = getStepsForPackage(currentStep.package)
+  const currentIndex = packageSteps.findIndex(s => s.id === currentStepId)
+
+  // Next step in same package
+  if (currentIndex < packageSteps.length - 1) {
+    return packageSteps[currentIndex + 1]
+  }
+
+  // Move to next package
+  const currentPackage = getPackageById(currentStep.package)
+  if (!currentPackage) return undefined
+
+  const nextPackage = _SDK_PACKAGES.find(p => p.order === currentPackage.order + 1)
+  if (!nextPackage) return undefined
+
+  const nextPackageSteps = getStepsForPackage(nextPackage.id)
+  return nextPackageSteps[0]
+}
+
+export function isPackageUnlocked(state: SDKState, packageId: SDKPackageId): boolean {
+  if (state.preferences?.allowParallelWork) return true
+
+  const currentPackage = getPackageById(packageId)
+  if (!currentPackage) return false
+
+  // First package is always unlocked
+  if (currentPackage.order === 1) return true
+
+  // Previous package must be completed
+  const prevPackage = _SDK_PACKAGES.find(p => p.order === currentPackage.order - 1)
+  if (!prevPackage) return true
+
+  return getPackageCompletionPercentage(state, prevPackage.id) === 100
+}
+
+/** @deprecated Use getVisibleSteps(state) instead */
+export function getVisibleStepsForCustomerType(customerType: CustomerType): SDKStep[] {
+  return getAllStepsSorted().filter(step => {
+    if (step.id === 'import') {
+      return customerType === 'existing'
+    }
+    return true
+  })
+}

admin-compliance/lib/sdk/types/iace.ts

@@ -0,0 +1,23 @@
+/**
+ * IACE (Industrial AI Compliance Engine) project types.
+ */
+
+import type { MachineProductType } from './enums'
+
+export type IACEProjectStatus = 'draft' | 'onboarding' | 'classification' | 'hazard_analysis' | 'mitigation' | 'verification' | 'tech_file' | 'completed' | 'archived'
+
+export interface IACEProjectSummary {
+  id: string
+  machineName: string
+  machineType: MachineProductType
+  status: IACEProjectStatus
+  completenessScore: number
+  riskSummary: {
+    critical: number
+    high: number
+    medium: number
+    low: number
+  }
+  createdAt: string
+  updatedAt: string
+}

admin-compliance/lib/sdk/types/index.ts

@@ -0,0 +1,18 @@
+/**
+ * AI Compliance SDK - TypeScript Interfaces
+ *
+ * Barrel re-export of all domain modules.
+ * Existing imports like `import { CompanyProfile, SDKState } from '@/lib/sdk/types'`
+ * continue to work unchanged.
+ */
+
+export * from './enums'
+export * from './company-profile'
+export * from './sdk-flow'
+export * from './sdk-steps'
+export * from './assessment'
+export * from './compliance'
+export * from './sdk-state'
+export * from './iace'
+export * from './helpers'
+export * from './document-generator'

admin-compliance/lib/sdk/types/sdk-flow.ts

@@ -0,0 +1,104 @@
+/**
+ * SDK flow, navigation, coverage assessment, and package definitions.
+ *
+ * The SDK_STEPS array lives in ./sdk-steps.ts to keep both files under 500 LOC.
+ */
+
+import type { SDKPackageId } from './enums'
+import type { SDKState } from './sdk-state'
+
+// =============================================================================
+// SDK COVERAGE
+// =============================================================================
+
+export interface SDKCoverageAssessment {
+  isFullyCovered: boolean
+  coveredRegulations: string[]
+  partiallyCoveredRegulations: string[]
+  notCoveredRegulations: string[]
+  requiresLegalCounsel: boolean
+  reasons: string[]
+  recommendations: string[]
+}
+
+// =============================================================================
+// SDK PACKAGES
+// =============================================================================
+
+export interface SDKPackage {
+  id: SDKPackageId
+  order: number
+  name: string
+  nameShort: string
+  description: string
+  icon: string
+  result: string
+}
+
+export const SDK_PACKAGES: SDKPackage[] = [
+  {
+    id: 'vorbereitung',
+    order: 1,
+    name: 'Vorbereitung',
+    nameShort: 'Vorbereitung',
+    description: 'Grundlagen erfassen, Ausgangssituation verstehen',
+    icon: '\uD83C\uDFAF',
+    result: 'Klares Verst\u00e4ndnis, welche Regulierungen greifen',
+  },
+  {
+    id: 'analyse',
+    order: 2,
+    name: 'Analyse',
+    nameShort: 'Analyse',
+    description: 'Risiken erkennen, Anforderungen ableiten',
+    icon: '\uD83D\uDD0D',
+    result: 'Vollst\u00e4ndige Risikobewertung, Audit-Ready',
+  },
+  {
+    id: 'dokumentation',
+    order: 3,
+    name: 'Dokumentation',
+    nameShort: 'Doku',
+    description: 'Rechtliche Pflichtnachweise erstellen',
+    icon: '\uD83D\uDCCB',
+    result: 'DSFA, TOMs, VVT, L\u00f6schkonzept',
+  },
+  {
+    id: 'rechtliche-texte',
+    order: 4,
+    name: 'Rechtliche Texte',
+    nameShort: 'Legal',
+    description: 'Kundenf\u00e4hige Dokumente generieren',
+    icon: '\uD83D\uDCDD',
+    result: 'AGB, DSI, Nutzungsbedingungen, Cookie-Banner (Code)',
+  },
+  {
+    id: 'betrieb',
+    order: 5,
+    name: 'Betrieb',
+    nameShort: 'Betrieb',
+    description: 'Laufender Compliance-Betrieb',
+    icon: '\u2699\uFE0F',
+    result: 'DSR-Portal, Eskalationsprozesse, Vendor-Management',
+  },
+]
+
+// =============================================================================
+// SDK STEP (interface only — data in sdk-steps.ts)
+// =============================================================================
+
+export interface SDKStep {
+  id: string
+  seq: number
+  phase: 1 | 2
+  package: SDKPackageId
+  order: number
+  name: string
+  nameShort: string
+  description: string
+  url: string
+  checkpointId: string
+  prerequisiteSteps: string[]
+  isOptional: boolean
+  visibleWhen?: (state: SDKState) => boolean
+}

admin-compliance/lib/sdk/types/sdk-state.ts

@@ -0,0 +1,192 @@
+/**
+ * Central SDKState interface and SDKAction discriminated union.
+ */
+
+import type { CustomCatalogs, CatalogId, CustomCatalogEntry } from '../catalog-manager/types'
+import type { SubscriptionTier, SDKPhase, CustomerType } from './enums'
+import type { ProjectInfo, CompanyProfile } from './company-profile'
+import type {
+  CheckpointStatus,
+  UseCaseAssessment,
+  ScreeningResult,
+  SecurityIssue,
+  BacklogItem,
+  SBOM,
+  ImportedDocument,
+  GapAnalysis,
+  RAGCorpusStatus,
+} from './assessment'
+import type {
+  ServiceModule,
+  Requirement,
+  Control,
+  Evidence,
+  ChecklistItem,
+  Risk,
+  AIActResult,
+  Obligation,
+  DSFA,
+  TOM,
+  RetentionPolicy,
+  ProcessingActivity,
+  LegalDocument,
+  CookieBannerConfig,
+  ConsentRecord,
+  DSRConfig,
+  EscalationWorkflow,
+  CommandHistory,
+  UserPreferences,
+} from './compliance'
+import type { IACEProjectSummary } from './iace'
+
+// =============================================================================
+// SDK STATE
+// =============================================================================
+
+export interface SDKState {
+  // Metadata
+  version: string
+  projectVersion: number
+  lastModified: Date
+
+  // Tenant & User
+  tenantId: string
+  userId: string
+  subscription: SubscriptionTier
+
+  // Project Context (Multi-Projekt)
+  projectId: string
+  projectInfo: ProjectInfo | null
+
+  // Customer Type (new vs existing)
+  customerType: CustomerType | null
+
+  // Company Profile (collected before use cases)
+  companyProfile: CompanyProfile | null
+
+  // Compliance Scope (determines depth level L1-L4)
+  complianceScope: import('../compliance-scope-types').ComplianceScopeState | null
+
+  // Source Policy (checkpoint tracking — actual data in backend)
+  sourcePolicy: {
+    configured: boolean
+    sourcesCount: number
+    piiRulesCount: number
+    lastAuditAt: string | null
+  } | null
+
+  // Progress
+  currentPhase: SDKPhase
+  currentStep: string
+  completedSteps: string[]
+  checkpoints: Record<string, CheckpointStatus>
+
+  // Imported Documents (for existing customers)
+  importedDocuments: ImportedDocument[]
+  gapAnalysis: GapAnalysis | null
+
+  // Phase 1 Data
+  useCases: UseCaseAssessment[]
+  activeUseCase: string | null
+  screening: ScreeningResult | null
+  modules: ServiceModule[]
+  requirements: Requirement[]
+  controls: Control[]
+  evidence: Evidence[]
+  checklist: ChecklistItem[]
+  risks: Risk[]
+
+  // Phase 2 Data
+  aiActClassification: AIActResult | null
+  obligations: Obligation[]
+  dsfa: DSFA | null
+  toms: TOM[]
+  retentionPolicies: RetentionPolicy[]
+  vvt: ProcessingActivity[]
+  documents: LegalDocument[]
+  cookieBanner: CookieBannerConfig | null
+  consents: ConsentRecord[]
+  dsrConfig: DSRConfig | null
+  escalationWorkflows: EscalationWorkflow[]
+
+  // IACE (Industrial AI Compliance Engine)
+  iaceProjects: IACEProjectSummary[]
+
+  // RAG Corpus Versioning
+  ragCorpusStatus: RAGCorpusStatus | null
+
+  // Security
+  sbom: SBOM | null
+  securityIssues: SecurityIssue[]
+  securityBacklog: BacklogItem[]
+
+  // Catalog Manager
+  customCatalogs: CustomCatalogs
+
+  // UI State
+  commandBarHistory: CommandHistory[]
+  recentSearches: string[]
+  preferences: UserPreferences
+}
+
+// =============================================================================
+// SDK ACTIONS
+// =============================================================================
+
+export type SDKAction =
+  | { type: 'SET_STATE'; payload: Partial<SDKState> }
+  | { type: 'SET_CURRENT_STEP'; payload: string }
+  | { type: 'COMPLETE_STEP'; payload: string }
+  | { type: 'SET_CHECKPOINT_STATUS'; payload: { id: string; status: CheckpointStatus } }
+  | { type: 'SET_CUSTOMER_TYPE'; payload: CustomerType }
+  | { type: 'SET_COMPANY_PROFILE'; payload: CompanyProfile }
+  | { type: 'UPDATE_COMPANY_PROFILE'; payload: Partial<CompanyProfile> }
+  | { type: 'SET_COMPLIANCE_SCOPE'; payload: import('../compliance-scope-types').ComplianceScopeState }
+  | { type: 'UPDATE_COMPLIANCE_SCOPE'; payload: Partial<import('../compliance-scope-types').ComplianceScopeState> }
+  | { type: 'ADD_IMPORTED_DOCUMENT'; payload: ImportedDocument }
+  | { type: 'UPDATE_IMPORTED_DOCUMENT'; payload: { id: string; data: Partial<ImportedDocument> } }
+  | { type: 'DELETE_IMPORTED_DOCUMENT'; payload: string }
+  | { type: 'SET_GAP_ANALYSIS'; payload: GapAnalysis }
+  | { type: 'ADD_USE_CASE'; payload: UseCaseAssessment }
+  | { type: 'UPDATE_USE_CASE'; payload: { id: string; data: Partial<UseCaseAssessment> } }
+  | { type: 'DELETE_USE_CASE'; payload: string }
+  | { type: 'SET_ACTIVE_USE_CASE'; payload: string | null }
+  | { type: 'SET_SCREENING'; payload: ScreeningResult }
+  | { type: 'ADD_MODULE'; payload: ServiceModule }
+  | { type: 'UPDATE_MODULE'; payload: { id: string; data: Partial<ServiceModule> } }
+  | { type: 'ADD_REQUIREMENT'; payload: Requirement }
+  | { type: 'UPDATE_REQUIREMENT'; payload: { id: string; data: Partial<Requirement> } }
+  | { type: 'ADD_CONTROL'; payload: Control }
+  | { type: 'UPDATE_CONTROL'; payload: { id: string; data: Partial<Control> } }
+  | { type: 'ADD_EVIDENCE'; payload: Evidence }
+  | { type: 'UPDATE_EVIDENCE'; payload: { id: string; data: Partial<Evidence> } }
+  | { type: 'DELETE_EVIDENCE'; payload: string }
+  | { type: 'ADD_RISK'; payload: Risk }
+  | { type: 'UPDATE_RISK'; payload: { id: string; data: Partial<Risk> } }
+  | { type: 'DELETE_RISK'; payload: string }
+  | { type: 'SET_AI_ACT_RESULT'; payload: AIActResult }
+  | { type: 'ADD_OBLIGATION'; payload: Obligation }
+  | { type: 'UPDATE_OBLIGATION'; payload: { id: string; data: Partial<Obligation> } }
+  | { type: 'SET_DSFA'; payload: DSFA }
+  | { type: 'ADD_TOM'; payload: TOM }
+  | { type: 'UPDATE_TOM'; payload: { id: string; data: Partial<TOM> } }
+  | { type: 'ADD_RETENTION_POLICY'; payload: RetentionPolicy }
+  | { type: 'UPDATE_RETENTION_POLICY'; payload: { id: string; data: Partial<RetentionPolicy> } }
+  | { type: 'ADD_PROCESSING_ACTIVITY'; payload: ProcessingActivity }
+  | { type: 'UPDATE_PROCESSING_ACTIVITY'; payload: { id: string; data: Partial<ProcessingActivity> } }
+  | { type: 'ADD_DOCUMENT'; payload: LegalDocument }
+  | { type: 'UPDATE_DOCUMENT'; payload: { id: string; data: Partial<LegalDocument> } }
+  | { type: 'SET_COOKIE_BANNER'; payload: CookieBannerConfig }
+  | { type: 'SET_DSR_CONFIG'; payload: DSRConfig }
+  | { type: 'ADD_ESCALATION_WORKFLOW'; payload: EscalationWorkflow }
+  | { type: 'UPDATE_ESCALATION_WORKFLOW'; payload: { id: string; data: Partial<EscalationWorkflow> } }
+  | { type: 'ADD_SECURITY_ISSUE'; payload: SecurityIssue }
+  | { type: 'UPDATE_SECURITY_ISSUE'; payload: { id: string; data: Partial<SecurityIssue> } }
+  | { type: 'ADD_BACKLOG_ITEM'; payload: BacklogItem }
+  | { type: 'UPDATE_BACKLOG_ITEM'; payload: { id: string; data: Partial<BacklogItem> } }
+  | { type: 'ADD_COMMAND_HISTORY'; payload: CommandHistory }
+  | { type: 'SET_PREFERENCES'; payload: Partial<UserPreferences> }
+  | { type: 'ADD_CUSTOM_CATALOG_ENTRY'; payload: CustomCatalogEntry }
+  | { type: 'UPDATE_CUSTOM_CATALOG_ENTRY'; payload: { catalogId: CatalogId; entryId: string; data: Record<string, unknown> } }
+  | { type: 'DELETE_CUSTOM_CATALOG_ENTRY'; payload: { catalogId: CatalogId; entryId: string } }
+  | { type: 'RESET_STATE' }

admin-compliance/lib/sdk/types/sdk-steps.ts

@@ -0,0 +1,495 @@
+/** SDK_STEPS data array — all compliance SDK steps, ordered by seq. */
+import type { SDKStep } from './sdk-flow'
+
+export const SDK_STEPS: SDKStep[] = [
+  // PAKET 1: VORBEREITUNG
+  {
+    id: 'company-profile',
+    seq: 100,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 1,
+    name: 'Unternehmensprofil',
+    nameShort: 'Profil',
+    description: 'Gesch\u00e4ftsmodell, Gr\u00f6\u00dfe und Zielm\u00e4rkte erfassen',
+    url: '/sdk/company-profile',
+    checkpointId: 'CP-PROF',
+    prerequisiteSteps: [], isOptional: false,
+  },
+  {
+    id: 'compliance-scope',
+    seq: 200,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 2,
+    name: 'Compliance Scope',
+    nameShort: 'Scope',
+    description: 'Umfang und Tiefe Ihrer Compliance-Dokumentation bestimmen',
+    url: '/sdk/compliance-scope',
+    checkpointId: 'CP-SCOPE',
+    prerequisiteSteps: ['company-profile'],
+    isOptional: false },
+  {
+    id: 'use-case-assessment',
+    seq: 300,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 3,
+    name: 'Anwendungsfall-Erfassung',
+    nameShort: 'Anwendung',
+    description: 'AI-Anwendungsf\u00e4lle strukturiert dokumentieren',
+    url: '/sdk/advisory-board',
+    checkpointId: 'CP-UC',
+    prerequisiteSteps: ['company-profile'],
+    isOptional: false },
+  {
+    id: 'import',
+    seq: 400,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 4,
+    name: 'Dokument-Import',
+    nameShort: 'Import',
+    description: 'Bestehende Dokumente hochladen (Bestandskunden)',
+    url: '/sdk/import',
+    checkpointId: 'CP-IMP',
+    prerequisiteSteps: ['use-case-assessment'],
+    isOptional: true,
+    visibleWhen: (state) => state.customerType === 'existing',
+  },
+  {
+    id: 'screening',
+    seq: 500,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 5,
+    name: 'System Screening',
+    nameShort: 'Screening',
+    description: 'SBOM + Security Check',
+    url: '/sdk/screening',
+    checkpointId: 'CP-SCAN',
+    prerequisiteSteps: ['use-case-assessment'],
+    isOptional: false },
+  {
+    id: 'modules',
+    seq: 600,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 6,
+    name: 'Compliance Modules',
+    nameShort: 'Module',
+    description: 'Abgleich welche Regulierungen gelten',
+    url: '/sdk/modules',
+    checkpointId: 'CP-MOD',
+    prerequisiteSteps: ['screening'],
+    isOptional: false },
+  {
+    id: 'source-policy',
+    seq: 700,
+    phase: 1,
+    package: 'vorbereitung',
+    order: 7,
+    name: 'Source Policy',
+    nameShort: 'Quellen',
+    description: 'Datenquellen-Governance & Whitelist',
+    url: '/sdk/source-policy',
+    checkpointId: 'CP-SPOL',
+    prerequisiteSteps: ['modules'],
+    isOptional: false },
+
+  // PAKET 2: ANALYSE (Assessment)
+  {
+    id: 'requirements',
+    seq: 1000,
+    phase: 1,
+    package: 'analyse',
+    order: 1,
+    name: 'Requirements',
+    nameShort: 'Anforderungen',
+    description: 'Pr\u00fcfaspekte aus Regulierungen ableiten',
+    url: '/sdk/requirements',
+    checkpointId: 'CP-REQ',
+    prerequisiteSteps: ['source-policy'],
+    isOptional: false },
+  {
+    id: 'controls',
+    seq: 1100,
+    phase: 1,
+    package: 'analyse',
+    order: 2,
+    name: 'Controls',
+    nameShort: 'Controls',
+    description: 'Erforderliche Ma\u00dfnahmen ermitteln',
+    url: '/sdk/controls',
+    checkpointId: 'CP-CTRL',
+    prerequisiteSteps: ['requirements'],
+    isOptional: false },
+  {
+    id: 'evidence',
+    seq: 1200,
+    phase: 1,
+    package: 'analyse',
+    order: 3,
+    name: 'Evidence',
+    nameShort: 'Nachweise',
+    description: 'Nachweise dokumentieren',
+    url: '/sdk/evidence',
+    checkpointId: 'CP-EVI',
+    prerequisiteSteps: ['controls'],
+    isOptional: false },
+  {
+    id: 'risks',
+    seq: 1300,
+    phase: 1,
+    package: 'analyse',
+    order: 4,
+    name: 'Risk Matrix',
+    nameShort: 'Risiken',
+    description: 'Risikobewertung & Residual Risk',
+    url: '/sdk/risks',
+    checkpointId: 'CP-RISK',
+    prerequisiteSteps: ['evidence'],
+    isOptional: false },
+  {
+    id: 'ai-act',
+    seq: 1400,
+    phase: 1,
+    package: 'analyse',
+    order: 5,
+    name: 'AI Act Klassifizierung',
+    nameShort: 'AI Act',
+    description: 'Risikostufe nach EU AI Act',
+    url: '/sdk/ai-act',
+    checkpointId: 'CP-AI',
+    prerequisiteSteps: ['risks'],
+    isOptional: false },
+  {
+    id: 'audit-checklist',
+    seq: 1500,
+    phase: 1,
+    package: 'analyse',
+    order: 6,
+    name: 'Audit Checklist',
+    nameShort: 'Checklist',
+    description: 'Pr\u00fcfliste generieren',
+    url: '/sdk/audit-checklist',
+    checkpointId: 'CP-CHK',
+    prerequisiteSteps: ['ai-act'],
+    isOptional: false },
+  {
+    id: 'audit-report',
+    seq: 1600,
+    phase: 1,
+    package: 'analyse',
+    order: 7,
+    name: 'Audit Report',
+    nameShort: 'Report',
+    description: 'Audit-Sitzungen & PDF-Report',
+    url: '/sdk/audit-report',
+    checkpointId: 'CP-AREP',
+    prerequisiteSteps: ['audit-checklist'],
+    isOptional: false },
+
+  // PAKET 3: DOKUMENTATION (Compliance Docs)
+  {
+    id: 'obligations',
+    seq: 2000,
+    phase: 2,
+    package: 'dokumentation',
+    order: 1,
+    name: 'Pflichten\u00fcbersicht',
+    nameShort: 'Pflichten',
+    description: 'NIS2, DSGVO, AI Act Pflichten',
+    url: '/sdk/obligations',
+    checkpointId: 'CP-OBL',
+    prerequisiteSteps: ['audit-report'],
+    isOptional: false },
+  {
+    id: 'dsfa',
+    seq: 2100,
+    phase: 2,
+    package: 'dokumentation',
+    order: 2,
+    name: 'DSFA',
+    nameShort: 'DSFA',
+    description: 'Datenschutz-Folgenabsch\u00e4tzung',
+    url: '/sdk/dsfa',
+    checkpointId: 'CP-DSFA',
+    prerequisiteSteps: ['obligations'],
+    isOptional: true,
+    visibleWhen: (state) => {
+      const level = state.complianceScope?.decision?.determinedLevel
+      if (level && ['L2', 'L3', 'L4'].includes(level)) return true
+      const triggers = state.complianceScope?.decision?.triggeredHardTriggers || []
+      return triggers.some(t => t.rule.dsfaRequired)
+    },
+  },
+  {
+    id: 'tom',
+    seq: 2200,
+    phase: 2,
+    package: 'dokumentation',
+    order: 3,
+    name: 'TOMs',
+    nameShort: 'TOMs',
+    description: 'Technische & Org. Ma\u00dfnahmen',
+    url: '/sdk/tom',
+    checkpointId: 'CP-TOM',
+    prerequisiteSteps: ['obligations'],
+    isOptional: false },
+  {
+    id: 'loeschfristen',
+    seq: 2300,
+    phase: 2,
+    package: 'dokumentation',
+    order: 4,
+    name: 'L\u00f6schfristen',
+    nameShort: 'L\u00f6schfristen',
+    description: 'Aufbewahrungsrichtlinien',
+    url: '/sdk/loeschfristen',
+    checkpointId: 'CP-RET',
+    prerequisiteSteps: ['tom'],
+    isOptional: false },
+  {
+    id: 'vvt',
+    seq: 2400,
+    phase: 2,
+    package: 'dokumentation',
+    order: 5,
+    name: 'Verarbeitungsverzeichnis',
+    nameShort: 'VVT',
+    description: 'Art. 30 DSGVO Dokumentation',
+    url: '/sdk/vvt',
+    checkpointId: 'CP-VVT',
+    prerequisiteSteps: ['loeschfristen'],
+    isOptional: false },
+
+  // PAKET 4: RECHTLICHE TEXTE (Legal Outputs)
+  {
+    id: 'einwilligungen',
+    seq: 3000,
+    phase: 2,
+    package: 'rechtliche-texte',
+    order: 1,
+    name: 'Einwilligungen',
+    nameShort: 'Einwilligungen',
+    description: 'Datenpunktkatalog & DSI-Generator',
+    url: '/sdk/einwilligungen',
+    checkpointId: 'CP-CONS',
+    prerequisiteSteps: ['vvt'],
+    isOptional: false },
+  {
+    id: 'consent',
+    seq: 3100,
+    phase: 2,
+    package: 'rechtliche-texte',
+    order: 2,
+    name: 'Rechtliche Vorlagen',
+    nameShort: 'Vorlagen',
+    description: 'AGB, Datenschutz, Nutzungsbedingungen',
+    url: '/sdk/consent',
+    checkpointId: 'CP-DOC',
+    prerequisiteSteps: ['einwilligungen'],
+    isOptional: false },
+  {
+    id: 'cookie-banner',
+    seq: 3200,
+    phase: 2,
+    package: 'rechtliche-texte',
+    order: 3,
+    name: 'Cookie Banner',
+    nameShort: 'Cookies',
+    description: 'Cookie-Consent Generator',
+    url: '/sdk/cookie-banner',
+    checkpointId: 'CP-COOK',
+    prerequisiteSteps: ['consent'],
+    isOptional: false },
+  {
+    id: 'document-generator',
+    seq: 3300,
+    phase: 2,
+    package: 'rechtliche-texte',
+    order: 4,
+    name: 'Dokumentengenerator',
+    nameShort: 'Generator',
+    description: 'Rechtliche Dokumente aus Vorlagen erstellen',
+    url: '/sdk/document-generator',
+    checkpointId: 'CP-DOCGEN',
+    prerequisiteSteps: ['cookie-banner'],
+    isOptional: true,
+    visibleWhen: () => true,
+  },
+  {
+    id: 'workflow',
+    seq: 3400,
+    phase: 2,
+    package: 'rechtliche-texte',
+    order: 5,
+    name: 'Document Workflow',
+    nameShort: 'Workflow',
+    description: 'Versionierung & Freigabe-Workflow',
+    url: '/sdk/workflow',
+    checkpointId: 'CP-WRKF',
+    prerequisiteSteps: ['cookie-banner'],
+    isOptional: false },
+
+  // PAKET 5: BETRIEB (Operations)
+  {
+    id: 'dsr',
+    seq: 4000,
+    phase: 2,
+    package: 'betrieb',
+    order: 1,
+    name: 'DSR Portal',
+    nameShort: 'DSR',
+    description: 'Betroffenenrechte-Portal',
+    url: '/sdk/dsr',
+    checkpointId: 'CP-DSR',
+    prerequisiteSteps: ['workflow'],
+    isOptional: false },
+  {
+    id: 'escalations',
+    seq: 4100,
+    phase: 2,
+    package: 'betrieb',
+    order: 2,
+    name: 'Escalations',
+    nameShort: 'Eskalationen',
+    description: 'Management-Workflows',
+    url: '/sdk/escalations',
+    checkpointId: 'CP-ESC',
+    prerequisiteSteps: ['dsr'],
+    isOptional: false },
+  {
+    id: 'vendor-compliance',
+    seq: 4200,
+    phase: 2,
+    package: 'betrieb',
+    order: 3,
+    name: 'Vendor Compliance',
+    nameShort: 'Vendor',
+    description: 'Dienstleister-Management',
+    url: '/sdk/vendor-compliance',
+    checkpointId: 'CP-VEND',
+    prerequisiteSteps: ['escalations'],
+    isOptional: false },
+  {
+    id: 'consent-management',
+    seq: 4300,
+    phase: 2,
+    package: 'betrieb',
+    order: 4,
+    name: 'Consent Verwaltung',
+    nameShort: 'Consent Mgmt',
+    description: 'Dokument-Lifecycle & DSGVO-Prozesse',
+    url: '/sdk/consent-management',
+    checkpointId: 'CP-CMGMT',
+    prerequisiteSteps: ['vendor-compliance'],
+    isOptional: false },
+  {
+    id: 'email-templates',
+    seq: 4350,
+    phase: 2,
+    package: 'betrieb',
+    order: 5,
+    name: 'E-Mail-Templates',
+    nameShort: 'E-Mails',
+    description: 'Benachrichtigungs-Vorlagen verwalten',
+    url: '/sdk/email-templates',
+    checkpointId: 'CP-EMAIL',
+    prerequisiteSteps: ['consent-management'],
+    isOptional: false },
+  {
+    id: 'notfallplan',
+    seq: 4400,
+    phase: 2,
+    package: 'betrieb',
+    order: 6,
+    name: 'Notfallplan & Breach Response',
+    nameShort: 'Notfallplan',
+    description: 'Datenpannen-Management nach Art. 33/34 DSGVO',
+    url: '/sdk/notfallplan',
+    checkpointId: 'CP-NOTF',
+    prerequisiteSteps: ['email-templates'],
+    isOptional: false },
+  {
+    id: 'incidents',
+    seq: 4500,
+    phase: 2,
+    package: 'betrieb',
+    order: 7,
+    name: 'Incident Management',
+    nameShort: 'Incidents',
+    description: 'Datenpannen erfassen, bewerten und melden (Art. 33/34 DSGVO)',
+    url: '/sdk/incidents',
+    checkpointId: 'CP-INC',
+    prerequisiteSteps: ['notfallplan'],
+    isOptional: false },
+  {
+    id: 'whistleblower',
+    seq: 4600,
+    phase: 2,
+    package: 'betrieb',
+    order: 8,
+    name: 'Hinweisgebersystem',
+    nameShort: 'Whistleblower',
+    description: 'Anonymes Meldesystem gemaess HinSchG',
+    url: '/sdk/whistleblower',
+    checkpointId: 'CP-WB',
+    prerequisiteSteps: ['incidents'],
+    isOptional: false },
+  {
+    id: 'academy',
+    seq: 4700,
+    phase: 2,
+    package: 'betrieb',
+    order: 9,
+    name: 'Compliance Academy',
+    nameShort: 'Academy',
+    description: 'Mitarbeiter-Schulungen & Zertifikate',
+    url: '/sdk/academy',
+    checkpointId: 'CP-ACAD',
+    prerequisiteSteps: ['whistleblower'],
+    isOptional: false },
+  {
+    id: 'training',
+    seq: 4800,
+    phase: 2,
+    package: 'betrieb',
+    order: 10,
+    name: 'Training Engine',
+    nameShort: 'Training',
+    description: 'KI-generierte Schulungsinhalte, Quiz & Medien',
+    url: '/sdk/training',
+    checkpointId: 'CP-TRAIN',
+    prerequisiteSteps: ['academy'],
+    isOptional: false },
+  {
+    id: 'control-library',
+    seq: 4900,
+    phase: 2,
+    package: 'betrieb',
+    order: 11,
+    name: 'Control Library',
+    nameShort: 'Controls',
+    description: 'Canonical Security Controls mit Open-Source-Referenzen',
+    url: '/sdk/control-library',
+    checkpointId: 'CP-CLIB',
+    prerequisiteSteps: [],
+    isOptional: true,
+  },
+  {
+    id: 'control-provenance',
+    seq: 4950,
+    phase: 2,
+    package: 'betrieb',
+    order: 12,
+    name: 'Control Provenance',
+    nameShort: 'Provenance',
+    description: 'Herkunftsnachweis: Offene Quellen, Lizenzen, Too-Close-Pruefung',
+    url: '/sdk/control-provenance',
+    checkpointId: 'CP-CPROV',
+    prerequisiteSteps: [],
+    isOptional: true,
+  },
+]