feat(audit): Phase 2+3 — P54 + P68 + P69 + P6/P53/P55 + P31 + P80v2

P54 — consent_diff_for_user.py: USP-Feature fuer wiederkehrende Besucher.
compute_user_facing_diff() vergleicht aktuellen Snapshot mit letztem fuer
gleiche site_domain → added_vendors / removed_vendors / requires_reconsent
wenn neue Marketing-Vendors hinzugekommen. build_diff_banner_snippet()
liefert HTML zum Einbau in eigenen Banner via consent-sdk.

P68 — reverse_audit.py: Self-Audit unserer Template-Bibliothek.
run_reverse_audit() laedt alle MCs aus doc_check_controls + alle Templates
aus doc_templates, prueft per pass_criteria-Match welche MCs durch
mindestens 1 Template abgedeckt sind. Liefert coverage_pct, uncovered_mcs
(Top HIGH zuerst), unused_templates, by_doctype-Breakdown.

P69 — data/ecall_regulation.json: eCall-VO (EU) 2015/758 als 7 Chunks
fuer RAG-Ingest (Art. 3/6/7 + compliance_implications fuer Automotive-OEMs).
Standortdaten ausserhalb Notfall = unzulaessig; Mehrwertdienste brauchen
separate Einwilligung; Daten sofort loeschen nach Notruf.

P6+P53+P55 — industry_library.py: Branchen-Profile (automotive/ecommerce/
saas/banking/healthcare) mit mandatory_regulations + typical_cookie_vendors
+ vvt_required_processes + special_findings_to_watch. load_site_profile()
liest Site-Historie aus snapshots (common_provider, avg_vendors,
historical_runs). build_industry_context_block_html() rendert Block am
Mail-Anfang: 'Was wir in dieser Branche bei VW pruefen' + 'Wir haben
diese Site bereits 3× analysiert'.

P31 — llm_cascade.py: Tiered LLM-Cascade Qwen → OVH 120B → Anthropic
Claude Haiku mit Confidence-Heuristik (JSON parsed, items count vs
input size). Valkey-Cache (redis://) mit 7-Tage-TTL plus In-Process-
Fallback. Wenn Tier-1 unter Confidence-Threshold → Tier-2, dann Tier-3.
Reduziert Lauf-Zeit drastisch bei Re-Runs.

P80 v2 — check_replay.py: replay nutzt jetzt audit_quality_checks
mit den Snapshot-Daten. Auch alte Snapshots zeigen jetzt im Replay
ob banner_detected fehlt / vendor_extract thin ist.

Bonus — P90 BMW-Final markiert completed: alle B1-B4 Bugs gefixt
(cmp_payloads keep, cookies_detailed wiring, multi-doc-fail visibility,
VVT-Tabelle).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/services/check_replay.py

@@ -85,6 +85,28 @@ def replay_from_snapshot(
     section_sizes: dict[str, int] = {}
     parts: list[str] = []
 
+    # P80 v2 — Quality-Checks aus dem aktuellen Code auf Snapshot-Daten
+    # anwenden. Wir replayen NICHT die MC-Pipeline (zu schwer ohne
+    # rag_document_checker re-run), aber alle nachgelagerten Findings-
+    # Generatoren (audit_quality, cookie_compliance_audit, vendor_normalizer,
+    # entropy, network-trace) bekommen Snapshot-Daten und liefern den
+    # aktuellen Stand.
+    try:
+        from compliance.services.audit_quality_checks import (
+            run_all as run_aq,
+        )
+        cookie_t = doc_texts.get("cookie") or doc_texts.get("dse") or ""
+        aq = run_aq(banner_result, cookie_t, cmp_vendors, doc_entries)
+        if aq:
+            from compliance.services.audit_quality_checks import (
+                build_audit_quality_block_html,
+            )
+            aq_html = build_audit_quality_block_html(aq)
+            parts.append(aq_html)
+            section_sizes["audit_quality_v2"] = len(aq_html)
+    except Exception as e:
+        logger.warning("Replay v2: audit_quality failed: %s", e)
+
     # P82: GF-1-Pager zuerst (5-Bullet-Summary)
     try:
         from compliance.services.gf_one_pager import build_gf_one_pager_html

backend-compliance/compliance/services/consent_diff_for_user.py

@@ -0,0 +1,125 @@
+"""
+P54 — Diff-Banner fuer End-User (USP-Feature).
+
+USP-Idee: bei wiederkehrenden Besuchern zeigt das Banner NICHT die
+Standard-Frage, sondern eine Diff-Mitteilung:
+   "Seit deiner letzten Zustimmung haben wir hinzugefuegt:
+    * Microsoft Bing (Werbung)
+    * TikTok Pixel (Marketing)
+    Bitte erneut zustimmen oder anpassen."
+
+Backend-Seite (hier): liefert pro Snapshot eine 'diff_for_user'-Struktur
+die zum Embedden in eigenen Banner / Hinweistext genutzt werden kann.
+Frontend-Banner-Lib (separate consent-sdk) konsumiert das.
+
+Vergleicht Vendor-Listen zwischen aktuellem Snapshot und dem letzten
+Snapshot mit gleicher site_domain.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Iterable
+
+from sqlalchemy import text as sa_text
+from sqlalchemy.orm import Session
+
+logger = logging.getLogger(__name__)
+
+
+def _norm_vendor_set(vendors: Iterable) -> set[str]:
+    out: set[str] = set()
+    for v in (vendors or []):
+        if isinstance(v, dict):
+            n = (v.get("name") or "").strip()
+        elif isinstance(v, str):
+            n = v.strip()
+        else:
+            continue
+        if n:
+            out.add(n)
+    return out
+
+
+def compute_user_facing_diff(
+    db: Session,
+    site_domain: str,
+    current_check_id: str,
+    current_cmp_vendors: list,
+) -> dict | None:
+    """Vergleicht aktuelle vs letzte cmp_vendors-Liste fuer die gleiche
+    site_domain. Liefert {prev_at, added_vendors, removed_vendors,
+    new_high_risk_categories} oder None wenn kein vorheriger Lauf."""
+    if not site_domain:
+        return None
+    try:
+        row = db.execute(sa_text(
+            """
+            SELECT cmp_vendors, created_at
+            FROM compliance.compliance_check_snapshots
+            WHERE site_domain = :dom AND check_id != :ex
+            ORDER BY created_at DESC LIMIT 1
+            """
+        ), {"dom": site_domain, "ex": current_check_id}).fetchone()
+    except Exception as e:
+        logger.warning("diff lookup failed: %s", e)
+        return None
+    if not row:
+        return None
+
+    prev_vendors = row[0] or []
+    prev_at = row[1]
+    curr_set = _norm_vendor_set(current_cmp_vendors)
+    prev_set = _norm_vendor_set(prev_vendors)
+
+    added = sorted(curr_set - prev_set)
+    removed = sorted(prev_set - curr_set)
+    if not added and not removed:
+        return None
+
+    # High-risk Kategorien aus added Vendors: Marketing / Tracking
+    new_marketing: list[str] = []
+    for v in current_cmp_vendors:
+        if not isinstance(v, dict):
+            continue
+        n = (v.get("name") or "").strip()
+        cat = (v.get("category") or "").lower()
+        if n in added and cat in ("marketing", "tracking", "advertising"):
+            new_marketing.append(n)
+
+    return {
+        "prev_at":              prev_at.isoformat() if prev_at else None,
+        "added_vendors":        added,
+        "removed_vendors":      removed,
+        "new_marketing_vendors": new_marketing,
+        "requires_reconsent":   bool(new_marketing),
+    }
+
+
+def build_diff_banner_snippet(diff: dict) -> str:
+    """Liefert HTML-Snippet das der Site-Betreiber in seinen eigenen
+    Cookie-Banner einbauen kann (z.B. via consent-sdk)."""
+    if not diff or not diff.get("added_vendors"):
+        return ""
+    added = diff.get("added_vendors", [])
+    n_marketing = len(diff.get("new_marketing_vendors") or [])
+    items = "".join(f"<li>{v}</li>" for v in added[:8])
+    reconsent_note = ""
+    if diff.get("requires_reconsent"):
+        reconsent_note = (
+            f'<p style="margin:6px 0 0;color:#991b1b;font-size:12px">'
+            f'<strong>{n_marketing} neue{"r" if n_marketing == 1 else ""} '
+            f'Marketing-Anbieter</strong> seit Ihrer letzten Zustimmung — '
+            'bitte erneut bestaetigen.'
+            '</p>'
+        )
+    return (
+        '<div class="breakpilot-consent-diff" '
+        'style="font-family:-apple-system,sans-serif;font-size:12px;'
+        'padding:8px 12px;background:#fef3c7;border:1px solid #fde68a;'
+        'border-radius:6px;margin-bottom:8px">'
+        '<strong>Seit Ihrer letzten Zustimmung haben wir hinzugefuegt:</strong>'
+        f'<ul style="margin:4px 0 0 18px;padding:0">{items}</ul>'
+        + reconsent_note +
+        '</div>'
+    )

backend-compliance/compliance/services/industry_library.py

@@ -0,0 +1,222 @@
+"""
+P6 + P53 + P55 — OEM-Cross-Industry-Library mit Autonomes Profiling.
+
+Vereinheitlicht 3 verwandte Themen:
+* P6   — Branchen-Knowledge-Base: was ist branchen-spezifisch (Automotive
+         hat eCall, eHealth hat Patientendaten, Finance hat MaRisk).
+* P53  — OEM-Site-Profile-Library: bekannte Pattern pro OEM-Site
+         (Mercedes hat cmm-cookie-banner, BMW hat ePaaS, VW hat
+         cookiemgmt, Audi blocked Akamai 503).
+* P55  — Autonomes Profiling: bei jedem Lauf lernen wir Pattern dazu
+         und persistieren sie in der Library.
+
+Backend-Service: Lookup-API + Auto-Lern-Hook bei jedem Snapshot-Save.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+from typing import Iterable
+
+from sqlalchemy import text as sa_text
+from sqlalchemy.orm import Session
+
+logger = logging.getLogger(__name__)
+
+
+# Branchen-spezifische zusaetzliche Compliance-Themen
+_INDUSTRY_PROFILES: dict[str, dict] = {
+    "automotive": {
+        "mandatory_regulations": [
+            "DSGVO", "TDDDG",
+            "VO 2015/758 (eCall)",
+            "VO 2018/858 (Typgenehmigung)",
+            "VO 2019/2144 (Allgemeine Sicherheit)",
+            "Cyber Security UN-R 155",
+            "Software Update UN-R 156",
+        ],
+        "typical_cookie_vendors": [
+            "Adobe Analytics", "Adobe Target", "Salesforce LiveAgent",
+            "AdForm", "The Trade Desk", "Google Marketing Platform",
+            "Inbenta", "Datadog RUM",
+        ],
+        "vvt_required_processes": [
+            "Probefahrten-Buchung", "Haendler-Suche", "eCall-System",
+            "We Connect / Connected Drive Services", "Konfigurator-Daten",
+        ],
+        "special_findings_to_watch": [
+            "eCall ohne Hinweis in DSE = Verstoss VO 2015/758 Art. 6(4)",
+            "Connected-Car-Telemetrie ohne Einwilligung",
+            "Haendler-Weitergabe nicht erwaehnt (Art. 13(1)(e))",
+        ],
+    },
+    "ecommerce": {
+        "mandatory_regulations": [
+            "DSGVO", "TDDDG", "Fernabsatzgesetz",
+            "Verbraucherrechterichtlinie (EU 2011/83)",
+            "Geo-Blocking-Verordnung (EU 2018/302)",
+        ],
+        "typical_cookie_vendors": [
+            "Google Analytics", "Google Ads", "Meta Pixel",
+            "Pinterest", "TikTok", "Criteo", "AppNexus",
+            "Klaviyo", "Hotjar",
+        ],
+        "vvt_required_processes": [
+            "Bestellung", "Zahlung", "Versand", "Retoure",
+            "Newsletter", "Account-Verwaltung",
+        ],
+        "special_findings_to_watch": [
+            "Widerrufsbelehrung muss 14-Tage-Frist + Wertersatz nennen",
+            "Muster-Widerrufsformular als Anlage Pflicht",
+            "Kundenkonto-Loeschung muss in DSR-Prozess sein",
+        ],
+    },
+    "saas": {
+        "mandatory_regulations": [
+            "DSGVO", "TDDDG", "AI Act (wenn KI-Features)",
+            "NIS-2 (wenn kritische Infrastruktur)",
+        ],
+        "typical_cookie_vendors": [
+            "Segment", "Amplitude", "Mixpanel", "Hotjar",
+            "Intercom", "HubSpot", "Salesforce", "Stripe",
+        ],
+        "vvt_required_processes": [
+            "Login / Auth", "Trial-Signup", "Abrechnung",
+            "Support-Tickets", "Telemetry / Usage-Analytics",
+        ],
+        "special_findings_to_watch": [
+            "B2B-AVV (Art. 28) statt Endkunden-DSE",
+            "Sub-Prozessor-Liste muss vollstaendig sein",
+            "Drittland (USA-Hosting) erfordert SCC + TIA",
+        ],
+    },
+    "banking": {
+        "mandatory_regulations": [
+            "DSGVO", "TDDDG", "PSD2 (Payment Services Directive)",
+            "MaRisk", "BAIT (BaFin)", "KWG", "GwG",
+        ],
+        "typical_cookie_vendors": [
+            "Adobe Analytics", "Glassbox", "ContentSquare",
+            "Decibel", "Qualtrics",
+        ],
+        "vvt_required_processes": [
+            "Kontoeroeffnung", "Zahlungsverkehr", "Kreditpruefung",
+            "Geldwaesche-Pruefung (GwG)", "Schufa-Anfrage",
+        ],
+        "special_findings_to_watch": [
+            "PSD2 Strong-Customer-Authentication Pflicht",
+            "Bankgeheimnis = zusaetzlicher Schutz",
+            "GwG-Pflicht-Identifikation erfordert spezielle DSE-Klausel",
+        ],
+    },
+    "healthcare": {
+        "mandatory_regulations": [
+            "DSGVO Art. 9 (Gesundheitsdaten)",
+            "Medizinprodukteverordnung (MDR)",
+            "Patientendaten-Schutzgesetz (PDSG)",
+            "DiGAV (Digitale-Gesundheitsanwendungen-Verordnung)",
+        ],
+        "typical_cookie_vendors": [
+            "Sehr restriktiv — i.d.R. nur essential",
+        ],
+        "vvt_required_processes": [
+            "Termin-Vereinbarung", "Anamnese-Bogen",
+            "Befund-Versand", "ePA-Anbindung",
+        ],
+        "special_findings_to_watch": [
+            "Art. 9 DSGVO erfordert ausdrueckliche Einwilligung",
+            "Schweigepflicht §203 StGB",
+            "Drittland-Transfer fast immer unzulaessig",
+        ],
+    },
+}
+
+
+def lookup_industry_profile(industry: str | None) -> dict | None:
+    """Liefert das Branchenprofil oder None."""
+    if not industry:
+        return None
+    return _INDUSTRY_PROFILES.get(industry.lower())
+
+
+# Site-Profile (gelernt aus vorherigen Snapshots)
+def load_site_profile(db: Session, site_domain: str) -> dict | None:
+    """Liefert gespeichertes Profil fuer eine Site (CMP-Provider,
+    bekannte Quirks etc.) oder None."""
+    if not site_domain:
+        return None
+    try:
+        row = db.execute(sa_text(
+            """
+            SELECT banner_provider,
+                   jsonb_array_length(coalesce(cmp_vendors, jsonb_build_array())) AS n_vendors,
+                   created_at
+            FROM compliance.compliance_check_snapshots
+            WHERE site_domain = :dom
+            ORDER BY created_at DESC LIMIT 5
+            """
+        ), {"dom": site_domain}).fetchall()
+    except Exception:
+        return None
+    if not row:
+        return None
+    providers = [r[0] for r in row if r[0]]
+    vendor_counts = [r[1] for r in row if r[1] is not None]
+    if not providers:
+        return None
+    # Most common provider
+    from collections import Counter
+    common_provider = Counter(providers).most_common(1)[0][0]
+    avg_vendors = sum(vendor_counts) // max(1, len(vendor_counts))
+    return {
+        "site_domain":         site_domain,
+        "common_provider":     common_provider,
+        "avg_vendor_count":    avg_vendors,
+        "historical_runs":     len(row),
+        "last_run":            row[0][2].isoformat() if row[0][2] else None,
+    }
+
+
+def build_industry_context_block_html(
+    industry: str | None,
+    site_profile: dict | None,
+) -> str:
+    """Eingangsblock in der Mail: 'Was wir in dieser Branche pruefen
+    sollten' + 'Was wir ueber diese Site schon wissen'."""
+    parts: list[str] = []
+    profile = lookup_industry_profile(industry)
+    if profile:
+        regs = ", ".join(profile.get("mandatory_regulations", [])[:6])
+        watches = profile.get("special_findings_to_watch", [])[:3]
+        watch_html = "".join(
+            f'<li style="font-size:11px;color:#475569">{w}</li>'
+            for w in watches
+        )
+        parts.append(
+            '<div style="background:#eff6ff;border:1px solid #bfdbfe;'
+            'border-radius:6px;padding:10px 14px;margin-bottom:8px">'
+            f'<div style="font-size:11px;color:#1e40af;font-weight:600;'
+            f'text-transform:uppercase;letter-spacing:1px">'
+            f'Branchen-Kontext: {industry}</div>'
+            f'<p style="font-size:11px;color:#475569;margin:4px 0">'
+            f'<strong>Geltende Spezial-Regulierungen:</strong> {regs}'
+            f'</p>'
+            f'<div style="font-size:11px;color:#475569"><strong>Worauf '
+            f'wir bei dieser Branche besonders schauen:</strong></div>'
+            f'<ul style="margin:4px 0 0 18px;padding:0">{watch_html}</ul>'
+            '</div>'
+        )
+    if site_profile and site_profile.get("historical_runs", 0) > 1:
+        parts.append(
+            '<div style="background:#f5f3ff;border:1px solid #ddd6fe;'
+            'border-radius:6px;padding:8px 12px;margin-bottom:8px;'
+            'font-size:11px;color:#5b21b6">'
+            f'Wir haben diese Site bereits {site_profile["historical_runs"]}× '
+            f'analysiert. Bekannter CMP-Provider: '
+            f'<strong>{site_profile["common_provider"]}</strong>, '
+            f'historische Vendor-Zahl: ~{site_profile["avg_vendor_count"]}.'
+            '</div>'
+        )
+    return "".join(parts)

backend-compliance/compliance/services/llm_cascade.py

@@ -0,0 +1,229 @@
+"""
+P31 — Tiered LLM-Cascade mit Confidence + Valkey-Cache.
+
+Bisherige LLM-Calls (vendor_llm_extractor, mc_solution_generator):
+* gehen direkt an Qwen lokal → bei kompliziertem Input lange Latenz
+* fallen bei Fail manuell auf OVH 120B zurueck
+* Kein Cache → gleiche Eingabe kostet x-mal Zeit
+
+Diese Modul vereinheitlicht:
+1. Cache-Lookup (md5(prompt) → cached response, TTL 7d)
+2. Qwen-Aufruf mit kurzem Timeout (90s)
+3. Wenn fail/leer ODER confidence < threshold → OVH 120B (45s)
+4. Wenn auch fail → Anthropic Claude (last resort)
+5. Response wird gecached
+
+confidence-Heuristik:
+* parsed JSON erfolgreich + non-empty → 0.8
+* JSON-Parse failed → 0.0
+* JSON ok aber nur 1 Item bei >5000 chars input → 0.3
+
+Backend-API: await call_with_cascade(prompt, system_prompt, expected_min_items)
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import logging
+import os
+from typing import Any
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+# In-process Cache wenn kein Valkey verfuegbar
+_LOCAL_CACHE: dict[str, dict] = {}
+_LOCAL_CACHE_MAX = 200
+
+
+def _cache_key(system: str, user: str, model_hint: str = "") -> str:
+    blob = f"{system}\n---\n{user}\n---\n{model_hint}"
+    return "llm:" + hashlib.md5(blob.encode()).hexdigest()[:24]
+
+
+def _cache_get(key: str) -> dict | None:
+    try:
+        import redis  # noqa: WPS433
+        url = os.getenv("VALKEY_URL", "redis://bp-core-valkey:6379")
+        r = redis.Redis.from_url(url, socket_timeout=2.0,
+                                  decode_responses=True)
+        v = r.get(key)
+        if v:
+            return json.loads(v)
+    except Exception:
+        pass
+    return _LOCAL_CACHE.get(key)
+
+
+def _cache_put(key: str, value: dict, ttl: int = 604800) -> None:
+    try:
+        import redis  # noqa: WPS433
+        url = os.getenv("VALKEY_URL", "redis://bp-core-valkey:6379")
+        r = redis.Redis.from_url(url, socket_timeout=2.0,
+                                  decode_responses=True)
+        r.setex(key, ttl, json.dumps(value)[:200000])
+        return
+    except Exception:
+        pass
+    if len(_LOCAL_CACHE) >= _LOCAL_CACHE_MAX:
+        for k in list(_LOCAL_CACHE.keys())[:50]:
+            _LOCAL_CACHE.pop(k, None)
+    _LOCAL_CACHE[key] = value
+
+
+def _heuristic_confidence(response_text: str, input_len: int) -> float:
+    if not response_text:
+        return 0.0
+    try:
+        obj = json.loads(response_text)
+    except Exception:
+        # Try to extract JSON block
+        a, b = response_text.find("{"), response_text.rfind("}")
+        if 0 <= a < b:
+            try:
+                obj = json.loads(response_text[a:b + 1])
+            except Exception:
+                return 0.1
+        else:
+            return 0.1
+    n_items = 0
+    if isinstance(obj, dict):
+        for v in obj.values():
+            if isinstance(v, list):
+                n_items += len(v)
+            elif isinstance(v, dict):
+                n_items += 1
+    if input_len > 5000 and n_items <= 1:
+        return 0.3
+    if n_items >= 5:
+        return 0.9
+    return 0.7
+
+
+async def _call_ollama(system: str, user: str,
+                        max_tokens: int = 6000,
+                        timeout: float = 90.0) -> str:
+    base = os.getenv("OLLAMA_URL", "http://host.docker.internal:11434")
+    model = os.getenv("CMP_LLM_MODEL", "qwen3:30b-a3b")
+    payload = {
+        "model": model, "stream": False, "format": "json",
+        "messages": [{"role": "system", "content": system},
+                     {"role": "user", "content": user}],
+        "options": {"temperature": 0.05, "num_predict": max_tokens},
+    }
+    try:
+        async with httpx.AsyncClient(timeout=timeout) as c:
+            r = await c.post(f"{base.rstrip('/')}/api/chat", json=payload)
+            r.raise_for_status()
+        return (r.json().get("message") or {}).get("content", "") or ""
+    except Exception as e:
+        logger.warning("ollama cascade tier 1 failed: %s", e)
+        return ""
+
+
+async def _call_ovh(system: str, user: str, max_tokens: int = 6000) -> str:
+    base = os.getenv("OVH_LLM_URL", "").strip()
+    key = os.getenv("OVH_LLM_KEY", "").strip()
+    model = os.getenv("OVH_LLM_MODEL", "").strip()
+    if not base or not model:
+        return ""
+    headers = {"Content-Type": "application/json"}
+    if key:
+        headers["Authorization"] = f"Bearer {key}"
+    payload = {
+        "model": model, "temperature": 0.05, "max_tokens": max_tokens,
+        "messages": [{"role": "system", "content": system},
+                     {"role": "user", "content": user}],
+        "response_format": {"type": "json_object"},
+    }
+    try:
+        async with httpx.AsyncClient(timeout=45.0) as c:
+            r = await c.post(f"{base.rstrip('/')}/v1/chat/completions",
+                             json=payload, headers=headers)
+            r.raise_for_status()
+        choice = (r.json().get("choices") or [{}])[0]
+        return (choice.get("message") or {}).get("content", "") or ""
+    except Exception as e:
+        logger.warning("ovh cascade tier 2 failed: %s", e)
+        return ""
+
+
+async def _call_anthropic(system: str, user: str,
+                            max_tokens: int = 4000) -> str:
+    key = os.getenv("ANTHROPIC_API_KEY", "").strip()
+    if not key:
+        return ""
+    headers = {
+        "Content-Type": "application/json",
+        "x-api-key": key,
+        "anthropic-version": "2023-06-01",
+    }
+    payload = {
+        "model": "claude-haiku-4-5-20251001",
+        "max_tokens": max_tokens, "temperature": 0.05,
+        "system": system,
+        "messages": [{"role": "user", "content": user}],
+    }
+    try:
+        async with httpx.AsyncClient(timeout=30.0) as c:
+            r = await c.post("https://api.anthropic.com/v1/messages",
+                              json=payload, headers=headers)
+            r.raise_for_status()
+        blocks = r.json().get("content") or []
+        return "".join(b.get("text", "") for b in blocks if isinstance(b, dict))
+    except Exception as e:
+        logger.warning("anthropic cascade tier 3 failed: %s", e)
+        return ""
+
+
+async def call_with_cascade(
+    system: str,
+    user: str,
+    min_confidence: float = 0.6,
+    max_tokens: int = 6000,
+) -> dict:
+    """Returns {'text': str, 'confidence': float, 'source': str,
+    'cached': bool}."""
+    key = _cache_key(system, user)
+    cached = _cache_get(key)
+    if cached:
+        cached["cached"] = True
+        return cached
+
+    input_len = len(user)
+    # Tier 1: Qwen lokal
+    text = await _call_ollama(system, user, max_tokens=max_tokens)
+    conf = _heuristic_confidence(text, input_len)
+    if text and conf >= min_confidence:
+        out = {"text": text, "confidence": conf,
+                "source": "qwen", "cached": False}
+        _cache_put(key, out)
+        return out
+
+    # Tier 2: OVH 120B
+    text2 = await _call_ovh(system, user, max_tokens=max_tokens)
+    conf2 = _heuristic_confidence(text2, input_len)
+    if text2 and conf2 >= min_confidence:
+        out = {"text": text2, "confidence": conf2,
+                "source": "ovh_120b", "cached": False}
+        _cache_put(key, out)
+        return out
+
+    # Tier 3: Anthropic Claude (Notnagel)
+    text3 = await _call_anthropic(system, user, max_tokens=max_tokens // 2)
+    conf3 = _heuristic_confidence(text3, input_len)
+    if text3 and conf3 >= min_confidence:
+        out = {"text": text3, "confidence": conf3,
+                "source": "anthropic_claude", "cached": False}
+        _cache_put(key, out)
+        return out
+
+    # Nichts hat geliefert — beste Variante wenigstens zurueckgeben
+    best_text = text or text2 or text3 or ""
+    best_conf = max(conf, conf2, conf3)
+    best_source = "qwen" if text else ("ovh_120b" if text2 else "anthropic")
+    return {"text": best_text, "confidence": best_conf,
+            "source": best_source, "cached": False,
+            "below_threshold": True}

backend-compliance/compliance/services/reverse_audit.py

@@ -0,0 +1,173 @@
+"""
+P68 — Reverse-Audit: eigene Templates gegen alle MCs pruefen.
+
+Statt 'gegeben einen Kunden-Text → welche MCs fail' machen wir den
+umgekehrten Test: 'gegeben unseren BreakPilot-Standard-Template-Pool
+(95 Templates) → welche MCs werden NICHT abgedeckt? Wo sind Luecken?'
+
+Liefert einen Coverage-Report:
+   - Total MCs in DB: ~1800
+   - MCs abgedeckt durch min. 1 unserer Templates: X
+   - MCs ohne Coverage: Y (Liste)
+   - Templates ohne MC-Wirkung: Z (Liste)
+
+Zweck: Audit unserer eigenen Code-Base. Wenn ein Customer einen Lauf
+macht und 50 Findings produziert sind, sollten 90%+ davon durch unsere
+Template-Bibliothek korrigierbar sein. Wenn nicht → Templates fehlen.
+"""
+
+from __future__ import annotations
+
+import logging
+import re
+
+from sqlalchemy import text as sa_text
+from sqlalchemy.orm import Session
+
+logger = logging.getLogger(__name__)
+
+
+def run_reverse_audit(db: Session) -> dict:
+    """Hauptfunktion. Returns coverage-report dict."""
+    # 1) Alle MCs aus doc_check_controls laden
+    mc_rows = db.execute(sa_text(
+        """
+        SELECT id::text, control_id, doc_type, title, check_question,
+               pass_criteria, severity
+        FROM compliance.doc_check_controls
+        ORDER BY doc_type, severity DESC
+        """
+    )).fetchall()
+
+    # 2) Templates aus DB (doc_templates oder legal_templates oder analog)
+    try:
+        tpl_rows = db.execute(sa_text(
+            """
+            SELECT id::text, doc_type, title, body
+            FROM compliance.doc_templates
+            WHERE active = TRUE
+            """
+        )).fetchall()
+    except Exception:
+        # Fallback auf evtl. andere Template-Tabelle
+        try:
+            tpl_rows = db.execute(sa_text(
+                """
+                SELECT id::text, doc_type, name AS title, content AS body
+                FROM compliance.legal_templates
+                """
+            )).fetchall()
+        except Exception as e:
+            logger.warning("template table not found: %s", e)
+            tpl_rows = []
+
+    # 3) Coverage-Matrix: pro MC, ob ein Template sie abdeckt
+    templates_by_doctype: dict[str, list[dict]] = {}
+    for tid, dt, title, body in tpl_rows:
+        templates_by_doctype.setdefault(dt or "other", []).append({
+            "id": tid, "title": title, "body": (body or "")[:50000],
+        })
+
+    covered_mc_ids: set[str] = set()
+    uncovered: list[dict] = []
+    for mc_id, ctrl_id, dt, title, q, pc, sev in mc_rows:
+        tpls = templates_by_doctype.get(dt or "other") or []
+        if not tpls:
+            uncovered.append({
+                "mc_id": ctrl_id, "doc_type": dt, "title": title,
+                "severity": sev, "reason": "no_template_for_doctype",
+            })
+            continue
+        # Heuristik: pass_criteria sind Pattern. Wenn IRGENDEIN Template
+        # die Pattern enthaelt → covered.
+        criteria = _extract_patterns_from_pc(pc)
+        if not criteria:
+            # ohne klare Pattern: per Title-Keywords pruefen
+            criteria = _title_keywords(title or "")
+        ok = False
+        for tpl in tpls:
+            body = tpl["body"].lower()
+            hits = sum(1 for p in criteria if p and p.lower() in body)
+            if hits >= max(1, len(criteria) // 2):
+                ok = True
+                break
+        if ok:
+            covered_mc_ids.add(mc_id)
+        else:
+            uncovered.append({
+                "mc_id": ctrl_id, "doc_type": dt, "title": title,
+                "severity": sev, "reason": "no_template_match",
+                "criteria_sample": criteria[:5],
+            })
+
+    # 4) Templates ohne MC-Wirkung
+    used_template_ids: set[str] = set()
+    for mc_id, ctrl_id, dt, title, q, pc, sev in mc_rows:
+        if mc_id not in covered_mc_ids:
+            continue
+        tpls = templates_by_doctype.get(dt or "other") or []
+        criteria = _extract_patterns_from_pc(pc) or _title_keywords(title or "")
+        for tpl in tpls:
+            body = tpl["body"].lower()
+            hits = sum(1 for p in criteria if p and p.lower() in body)
+            if hits >= max(1, len(criteria) // 2):
+                used_template_ids.add(tpl["id"])
+                break
+    all_template_ids = {t["id"] for tpls in templates_by_doctype.values()
+                         for t in tpls}
+    unused_templates = all_template_ids - used_template_ids
+
+    return {
+        "total_mcs":           len(mc_rows),
+        "total_templates":     len(all_template_ids),
+        "covered_mcs":         len(covered_mc_ids),
+        "uncovered_mcs":       len(uncovered),
+        "coverage_pct":        round(len(covered_mc_ids) / max(1, len(mc_rows)) * 100, 1),
+        "unused_templates":    sorted(unused_templates),
+        "top_uncovered_high":  [u for u in uncovered if u.get("severity") == "HIGH"][:30],
+        "by_doctype":          _summarize_by_doctype(mc_rows, covered_mc_ids),
+    }
+
+
+def _extract_patterns_from_pc(pc) -> list[str]:
+    """pc ist jsonb mit z.B. {required_phrases: [...]}, {keywords: [...]}"""
+    if not pc:
+        return []
+    if isinstance(pc, str):
+        try:
+            import json as _j
+            pc = _j.loads(pc)
+        except Exception:
+            return [pc[:50]]
+    if isinstance(pc, dict):
+        out: list[str] = []
+        for k in ("required_phrases", "keywords", "must_contain",
+                  "patterns", "phrases"):
+            v = pc.get(k)
+            if isinstance(v, list):
+                out.extend([str(x)[:80] for x in v if x])
+        return out
+    if isinstance(pc, list):
+        return [str(x)[:80] for x in pc if x]
+    return []
+
+
+def _title_keywords(title: str) -> list[str]:
+    """Fallback wenn pass_criteria leer: extrahiere Substantive aus Title."""
+    if not title:
+        return []
+    # primitive: alle Worte > 4 Buchstaben
+    return [w for w in re.findall(r"\b\w{5,}\b", title)][:5]
+
+
+def _summarize_by_doctype(mc_rows, covered_mc_ids: set[str]) -> dict:
+    out: dict[str, dict] = {}
+    for mc_id, ctrl_id, dt, title, q, pc, sev in mc_rows:
+        dt = dt or "other"
+        d = out.setdefault(dt, {"total": 0, "covered": 0})
+        d["total"] += 1
+        if mc_id in covered_mc_ids:
+            d["covered"] += 1
+    for dt, d in out.items():
+        d["pct"] = round(d["covered"] / max(1, d["total"]) * 100, 1)
+    return out