feat(licenses): Task #25 — SDK module attribution rollout (11 modules)

Per project_sdk_module_attribution_matrix.md the Stufe-3 rollout is
prioritized by audit visibility. This batch covers Schritte 2-9 in one
sweep:

New reusable component:
  components/sdk/LicenseModuleBanner.tsx — single-line license banner
  placed at the top of an SDK module page. Renders rule pill (R1/R2/R3),
  source label, descriptor and link to /sdk/licenses. Replaces the
  copy-paste banner blocks I inlined in the earlier modules.

Integration points (per cluster):

  Cluster B (DSGVO/EU-Recht, R1):
    - vvt: existing "Vorlage" pill upgraded with R1 marker + tooltip
      explaining Bundeslaender-DSGVO provenance
    - dsfa: inline R1 banner citing DSGVO Art. 35

  Cluster C (EU AI Act / CRA, R1):
    - ai-act: inline R1 banner citing EU 2024/1689
    - cra:    inline R1 banner citing EU 2024/2847 + ENISA-Guidance

  Cluster D (Mix R2/R3):
    - isms: R3 banner + ISO/IEC 27001 reference disclaimer
    - security-backlog: R2 banner with OWASP CC-BY-SA attribution

  Cluster A (Eigenwerk, R3):
    - tom-generator: R1 source (DSGVO Art. 32) + R3 own-work disclaimer
    - audit-checklist: R3 banner for own audit methodology
    - document-generator: own templates R3 + cited rights R1

  Cluster E (Direct controls listing):
    - catalog-manager: System/User tag upgraded with rule classification
    - iace hazards: pattern_id pill upgraded with R3 + tooltip explaining
      BreakPilot Pattern-Engine provenance

The 11-module sweep brings audit transparency to the modules a paying
customer encounters most often. Stufe 3 of the attribution renderer
is now actually visible across the platform — previously it shipped
only the reusable <SourceBadge> component without integration points.

Pre-existing TS errors (drafting-engine constraint-enforcer, dsfa
types tests) untouched — not in scope for this licensing rollout.

admin-compliance/app/sdk/iace/[projectId]/hazards/_components/HazardTable.tsx

@@ -39,11 +39,19 @@ export function HazardTable({ hazards, lifecyclePhases, onDelete }: {
               .map((hazard) => (
                 <tr key={hazard.id} className="hover:bg-gray-50 dark:hover:bg-gray-750 transition-colors">
                   <td className="px-4 py-3">
-                    <div className="flex items-center gap-2">
+                    <div className="flex items-center gap-2 flex-wrap">
                       <div className="text-sm font-medium text-gray-900 dark:text-white">{hazard.name}</div>
                       {hazard.name.startsWith('Auto:') && (
                         <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-green-100 text-green-700">Auto</span>
                       )}
+                      {(hazard as { pattern_id?: string }).pattern_id && (
+                        <span
+                          className="inline-flex items-center px-1.5 py-0.5 rounded text-[10px] font-mono font-medium bg-slate-100 text-slate-700 border border-slate-200 cursor-help"
+                          title={`Quelle: BreakPilot IACE Pattern-Engine (${(hazard as { pattern_id?: string }).pattern_id}). Lizenzregel R3 — Eigenwerk, kein externer Lizenz-Footer noetig. Pattern-Definition mit Norm-Referenzen siehe Library.`}
+                        >
+                          {(hazard as { pattern_id?: string }).pattern_id} · R3
+                        </span>
+                      )}
                     </div>
                     {hazard.description && (
                       <div className="text-xs text-gray-500 truncate max-w-[250px]">{hazard.description}</div>