feat(licenses): Task #25 — SDK module attribution rollout (11 modules)

Per project_sdk_module_attribution_matrix.md the Stufe-3 rollout is
prioritized by audit visibility. This batch covers Schritte 2-9 in one
sweep:

New reusable component:
  components/sdk/LicenseModuleBanner.tsx — single-line license banner
  placed at the top of an SDK module page. Renders rule pill (R1/R2/R3),
  source label, descriptor and link to /sdk/licenses. Replaces the
  copy-paste banner blocks I inlined in the earlier modules.

Integration points (per cluster):

  Cluster B (DSGVO/EU-Recht, R1):
    - vvt: existing "Vorlage" pill upgraded with R1 marker + tooltip
      explaining Bundeslaender-DSGVO provenance
    - dsfa: inline R1 banner citing DSGVO Art. 35

  Cluster C (EU AI Act / CRA, R1):
    - ai-act: inline R1 banner citing EU 2024/1689
    - cra:    inline R1 banner citing EU 2024/2847 + ENISA-Guidance

  Cluster D (Mix R2/R3):
    - isms: R3 banner + ISO/IEC 27001 reference disclaimer
    - security-backlog: R2 banner with OWASP CC-BY-SA attribution

  Cluster A (Eigenwerk, R3):
    - tom-generator: R1 source (DSGVO Art. 32) + R3 own-work disclaimer
    - audit-checklist: R3 banner for own audit methodology
    - document-generator: own templates R3 + cited rights R1

  Cluster E (Direct controls listing):
    - catalog-manager: System/User tag upgraded with rule classification
    - iace hazards: pattern_id pill upgraded with R3 + tooltip explaining
      BreakPilot Pattern-Engine provenance

The 11-module sweep brings audit transparency to the modules a paying
customer encounters most often. Stufe 3 of the attribution renderer
is now actually visible across the platform — previously it shipped
only the reusable <SourceBadge> component without integration points.

Pre-existing TS errors (drafting-engine constraint-enforcer, dsfa
types tests) untouched — not in scope for this licensing rollout.

admin-compliance/components/catalog-manager/CatalogTable.tsx

@@ -195,12 +195,18 @@ export default function CatalogTable({
                   )}
                   <td className="px-4 py-2.5">
                     {entry.source === 'system' ? (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300">
-                        System
+                      <span
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300 cursor-help"
+                        title="System-Katalog — Quellen aus EU-Recht, BAuA, NIST u.a. Lizenzregel je Eintrag (siehe /sdk/licenses)."
+                      >
+                        System · R1/R2/R3
                       </span>
                     ) : (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300">
-                        Benutzerdefiniert
+                      <span
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300 cursor-help"
+                        title="Benutzerdefinierter Eintrag — BreakPilot/Anwender-Eigenwerk. Lizenzregel R3 (Identifier-Verweis), keine externe Attribution noetig."
+                      >
+                        Benutzerdefiniert · R3
                       </span>
                     )}
                   </td>

admin-compliance/components/sdk/LicenseModuleBanner.tsx

@@ -0,0 +1,62 @@
+'use client'
+
+// Reusable licence-source banner placed at the top of an SDK module page.
+// One-line context that tells the user (and any auditor) which sources
+// the module draws on and which BreakPilot licence rule applies.
+//
+// Usage:
+//   <LicenseModuleBanner
+//     rule={1}
+//     sourceLabel="DSGVO Art. 30 (EU 2016/679)"
+//   />
+//
+// For modules that are pure BreakPilot eigenwerk:
+//   <LicenseModuleBanner rule={3} sourceLabel="BreakPilot-Eigenwerk" />
+
+type Props = {
+  rule: 1 | 2 | 3
+  sourceLabel: string
+  /** Optional extended note shown after sourceLabel */
+  detail?: string
+}
+
+const RULE_META: Record<number, { bg: string; text: string; pill: string; descr: string }> = {
+  1: {
+    bg: 'bg-emerald-50 border-emerald-200',
+    text: 'text-emerald-800',
+    pill: 'bg-emerald-600 text-white',
+    descr: 'Hoheitsrecht/Public Domain — woertlich uebernehmbar',
+  },
+  2: {
+    bg: 'bg-amber-50 border-amber-200',
+    text: 'text-amber-800',
+    pill: 'bg-amber-600 text-white',
+    descr: 'Woertlich mit Attribution-Pflicht',
+  },
+  3: {
+    bg: 'bg-slate-50 border-slate-200',
+    text: 'text-slate-700',
+    pill: 'bg-slate-600 text-white',
+    descr: 'Identifier-Verweis / BreakPilot-Eigenwerk',
+  },
+}
+
+export function LicenseModuleBanner({ rule, sourceLabel, detail }: Props) {
+  const m = RULE_META[rule]
+  return (
+    <div className={`px-3 py-2 ${m.bg} border rounded-lg text-xs ${m.text} flex items-start gap-2`}>
+      <span className={`inline-flex items-center justify-center w-6 h-6 rounded-full text-[10px] font-bold ${m.pill} flex-shrink-0`}>
+        R{rule}
+      </span>
+      <div className="flex-1">
+        <span className="font-semibold">Quellen &amp; Lizenz:</span>{' '}
+        <span>{sourceLabel}</span>
+        <span className="text-slate-500"> — {m.descr}.</span>
+        {detail && <span className="block mt-0.5 text-[11px] opacity-80">{detail}</span>}
+        <a href="/sdk/licenses" className="underline ml-1">Quellenverzeichnis</a>
+      </div>
+    </div>
+  )
+}
+
+export default LicenseModuleBanner