fix: Self-Signed SSL Zertifikat in SDK State Store akzeptieren

Die Hetzner PostgreSQL nutzt ein Self-Signed Zertifikat. Der Node.js
pg Pool lehnte es ab (DEPTH_ZERO_SELF_SIGNED_CERT), wodurch der SDK
State nicht laden konnte → Application Error in ALLEN Modulen.

Fix: rejectUnauthorized: false wenn sslmode=require in der URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

admin-compliance/app/api/sdk/v1/state/route.ts

@@ -97,6 +97,10 @@ class PostgreSQLStateStore implements StateStore {
       max: 5,
       // Set search_path for compliance schema
       options: '-c search_path=compliance,core,public',
+      // Accept self-signed certificates (Hetzner PostgreSQL)
+      ssl: connectionString.includes('sslmode=require')
+        ? { rejectUnauthorized: false }
+        : false,
     })
   }
 

admin-compliance/app/sdk/architecture/architecture-data.ts

@@ -228,24 +228,39 @@ export const ARCH_SERVICES: ArchService[] = [
     dependsOn: ['qdrant', 'ollama', 'postgresql'],
   },
   {
-    id: 'document-crawler',
-    name: 'Document Crawler',
-    nameShort: 'Crawler',
+    id: 'control-pipeline',
+    name: 'Control Pipeline',
+    nameShort: 'Pipeline',
     layer: 'backend',
     tech: 'Python / FastAPI',
     port: 8098,
     url: 'https://macmini:8098',
-    container: 'bp-compliance-document-crawler',
-    description: 'Dokument-Analyse (PDF, DOCX, XLSX, PPTX), Gap-Analyse, IPFS-Archivierung.',
-    descriptionLong: 'Der Document Crawler nimmt hochgeladene Dokumente (PDF, DOCX, XLSX, PPTX) entgegen, extrahiert deren Inhalt und fuehrt eine Gap-Analyse gegen bestehende Compliance-Anforderungen durch. Dafuer leitet er die Textinhalte an den AI Compliance SDK weiter, der die semantische Analyse uebernimmt. Abgeschlossene Dokumente koennen ueber den DSMS-Service dezentral auf IPFS archiviert werden.',
-    dbTables: [],
-    ragCollections: [],
-    apiEndpoints: [
-      'POST /analyze',
-      'POST /gap-analysis',
-      'POST /archive',
+    container: 'bp-core-control-pipeline',
+    description: 'RAG-zu-Controls Pipeline: Control Generation, Pass 0a/0b, Ontology, Dedup, Dependency Engine, Applicability.',
+    descriptionLong: 'Die Control Pipeline ist das Herzsttueck der automatisierten Compliance-Control-Generierung. Sie verarbeitet ~105.000 RAG-Chunks aus EU/DE-Regulierungen in 6 Phasen: (1) RAG Ingestion, (2) 7-Stufen Control Generation (Lizenz-Gate + Claude LLM), (3) Pass 0a Obligation Extraction (~181k Obligations), (4) Pass 0b Atomic Composition (MCP-taugliche Controls mit assertion/pass_criteria/fail_criteria), (5) Embedding-basierte Deduplizierung mit LLM-Verifikation, (6) Dependency Engine (5 Typen: supersedes, prerequisite, compensating_control, scope_exclusion, conditional_requirement) mit automatischer Generierung via Ontology, Pattern-Regeln und Domain Packs (DSGVO, AI Act, CRA, Security, Arbeitsrecht). 126+ Tests, alle bestanden.',
+    dbTables: [
+      'canonical_controls', 'obligation_candidates', 'control_parent_links',
+      'control_dependencies', 'control_evaluation_results',
+      'canonical_processed_chunks', 'canonical_generation_jobs',
+      'control_dedup_reviews', 'control_patterns',
     ],
-    dependsOn: ['ai-compliance-sdk', 'dsms'],
+    ragCollections: [
+      'bp_compliance_gesetze', 'bp_compliance_datenschutz',
+      'bp_compliance_ce', 'bp_dsfa_corpus', 'bp_legal_templates',
+    ],
+    apiEndpoints: [
+      'POST /v1/canonical/generate',
+      'GET /v1/canonical/controls',
+      'POST /v1/canonical/controls/applicable',
+      'POST /v1/canonical/generate/submit-pass0b',
+      'POST /v1/canonical/generate/process-batch',
+      'GET /v1/canonical/generate/quality-metrics',
+      'POST /v1/dependencies/generate',
+      'POST /v1/dependencies/evaluate',
+      'GET /v1/dependencies/graph',
+      'POST /v1/document-compliance/required',
+    ],
+    dependsOn: ['postgresql', 'qdrant', 'ollama'],
   },
   {
     id: 'compliance-tts',
@@ -383,7 +398,7 @@ export const ARCH_EDGES: ArchEdge[] = [
   // Frontend → Backend
   { source: 'admin-compliance', target: 'backend-compliance', label: 'REST API' },
   { source: 'admin-compliance', target: 'ai-compliance-sdk', label: 'REST API' },
-  { source: 'admin-compliance', target: 'document-crawler', label: 'REST API' },
+  { source: 'admin-compliance', target: 'control-pipeline', label: 'REST API' },
 
   // Backend → Infrastructure
   { source: 'backend-compliance', target: 'postgresql', label: 'SQLAlchemy' },
@@ -392,12 +407,9 @@ export const ARCH_EDGES: ArchEdge[] = [
   { source: 'ai-compliance-sdk', target: 'ollama', label: 'LLM Inference' },
   { source: 'ai-compliance-sdk', target: 'postgresql', label: 'GORM' },
   { source: 'compliance-tts', target: 'minio', label: 'Audio/Video' },
-
-  // Backend → Backend
-  { source: 'document-crawler', target: 'ai-compliance-sdk', label: 'LLM Gateway' },
-
-  // Backend → Data Sovereignty
-  { source: 'document-crawler', target: 'dsms', label: 'IPFS Archive' },
+  { source: 'control-pipeline', target: 'postgresql', label: 'SQLAlchemy' },
+  { source: 'control-pipeline', target: 'qdrant', label: 'Embedding + Dedup' },
+  { source: 'control-pipeline', target: 'ollama', label: 'LLM Dedup (qwen3.5)' },
 ]
 
 // =============================================================================

admin-compliance/app/sdk/sdk-flow/steps-betrieb.ts

@@ -250,4 +250,95 @@ export const STEPS_BETRIEB: SDKFlowStep[] = [
     url: '/sdk/isms',
     completion: 100,
   },
+
+  // ── Control Pipeline ─────────────────────────────────────────────────────
+  {
+    id: 'control-library',
+    name: 'Canonical Control Library',
+    nameShort: 'Control Library',
+    package: 'betrieb',
+    seq: 5200,
+    checkpointId: 'CP-CLIB',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Verwaltung der ~33.000 Rich Controls aus dem RAG-Korpus. 7-Stufen-Pipeline mit Lizenz-Gate.',
+    descriptionLong: 'Die Canonical Control Library ist das zentrale Verzeichnis aller aus Regulierungstexten generierten Compliance Controls. Die 7-Stufen-Pipeline verarbeitet ~105.000 RAG-Chunks: (1) RAG Scan, (2) Lizenz-Klassifikation (Rule 1/2/3), (3a) Strukturierung (Rule 1+2) oder (3b) Reformulierung (Rule 3), (4) Harmonisierung (Embedding-Dedup), (5) Anchor Search (Open-Source-Referenzen), (6) Speicherung, (7) Chunk-Tracking. Domains: AUTH, CRYP, NET, DATA, SEC, AI, COMP, GOV, LAB, FIN u.a.',
+    legalBasis: 'UrhG §44b (Text & Data Mining), UrhG §23 (Hinreichender Abstand)',
+    inputs: ['ragChunks'],
+    outputs: ['canonicalControls'],
+    prerequisiteSteps: [],
+    dbTables: ['canonical_controls', 'canonical_processed_chunks', 'canonical_generation_jobs'],
+    dbMode: 'read/write',
+    ragCollections: ['bp_compliance_gesetze', 'bp_compliance_datenschutz', 'bp_compliance_ce', 'bp_dsfa_corpus', 'bp_legal_templates'],
+    ragPurpose: 'Quelldokumente fuer Control-Generierung (Gesetze, Verordnungen, Standards)',
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 100,
+  },
+  {
+    id: 'obligation-extraction',
+    name: 'Pass 0a: Obligation Extraction',
+    nameShort: 'Pass 0a',
+    package: 'betrieb',
+    seq: 5300,
+    checkpointId: 'CP-P0A',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Extraktion von ~181.000 normativen Pflichten aus Rich Controls via Claude Haiku (Batch API).',
+    descriptionLong: 'Pass 0a zerlegt jeden Rich Control in einzelne normative Obligations via Claude Haiku (Anthropic Batch API, 50% Kostenreduktion). Jede Obligation wird klassifiziert: Pflicht/Empfehlung/Kann, Test-Obligation ja/nein, Reporting-Obligation ja/nein. Quality Gate mit 6 Regeln: nur normative Aussagen, ein Hauptverb, Test/Reporting separat, kein Evidence-Level-Split. Ergebnis: ~181.000 validierte Obligations mit action, object, condition, normative_strength.',
+    legalBasis: 'Pipeline-intern (Normative Obligation Extraction)',
+    inputs: ['canonicalControls'],
+    outputs: ['obligationCandidates'],
+    prerequisiteSteps: ['control-library'],
+    dbTables: ['obligation_candidates'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 90,
+  },
+  {
+    id: 'atomic-composition',
+    name: 'Pass 0b: Atomic Composition',
+    nameShort: 'Pass 0b',
+    package: 'betrieb',
+    seq: 5400,
+    checkpointId: 'CP-P0B',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Komposition atomarer MCP-tauglicher Controls aus Obligations via Claude Sonnet + Pre-LLM Ontology-Filter.',
+    descriptionLong: 'Pass 0b verwandelt jede validierte Obligation in ein eigenstaendiges atomares Control via Claude Sonnet (Anthropic Batch API). Vor dem LLM-Call klassifiziert die Control Ontology (26 Action Types) jede Obligation: atomic (an LLM senden), composite (ueberspringen), evidence (ueberspringen), framework_container (ueberspringen). MCP-taugliche Output-Felder: assertion (pruefbare Aussage), pass_criteria, fail_criteria, check_type (technical_config_check, document_clause_check, code_pattern_check), dependency_hints, lifecycle_phase_order (1-13). Canonical Key Format: action_type:normalized_object:control_phase.',
+    legalBasis: 'Pipeline-intern (Atomic Control Composition)',
+    inputs: ['obligationCandidates'],
+    outputs: ['atomicControls'],
+    prerequisiteSteps: ['obligation-extraction'],
+    dbTables: ['canonical_controls', 'control_parent_links'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 80,
+  },
+  {
+    id: 'dependency-engine',
+    name: 'Dependency Engine + Evaluation',
+    nameShort: 'Dependencies',
+    package: 'betrieb',
+    seq: 5500,
+    checkpointId: 'CP-DEP',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: '5 Dependency-Typen, generische Condition Language, automatische Generierung via Ontology + Domain Packs.',
+    descriptionLong: 'Die Dependency Engine modelliert logische Abhaengigkeiten zwischen Controls: supersedes (A ersetzt B), prerequisite (A muss vor B), compensating_control (A kompensiert B-Failure), scope_exclusion (A schliesst B aus), conditional_requirement (B nur unter Bedingung). Generische Condition Language (AND/OR/NOT + Feldoperatoren). Priority-basierte Konfliktloesung. Zykluserkennung (DFS). Automatische Generierung via: (1) Ontology (Phase-Sequenz), (2) Pattern-Regeln, (3) Domain Packs (DSGVO, AI Act, CRA, Security, Arbeitsrecht). MCP-Output mit dependency_resolution Trace.',
+    legalBasis: 'Pipeline-intern (Control Dependency Resolution)',
+    inputs: ['atomicControls'],
+    outputs: ['evaluatedControls', 'dependencyGraph'],
+    prerequisiteSteps: ['atomic-composition'],
+    dbTables: ['control_dependencies', 'control_evaluation_results'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 100,
+  },
 ]

compliance-tts-service/main.py

@@ -141,6 +141,13 @@ os.makedirs(TTS_CACHE_DIR, exist_ok=True)
 EDGE_TTS_VOICES = {
     "de": "de-DE-ConradNeural",
     "en": "en-US-GuyNeural",
+    "tr": "tr-TR-AhmetNeural",
+    "ar": "ar-SA-HamedNeural",
+    "uk": "uk-UA-OstapNeural",
+    "ru": "ru-RU-DmitryNeural",
+    "pl": "pl-PL-MarekNeural",
+    "fr": "fr-FR-HenriNeural",
+    "es": "es-ES-AlvaroNeural",
 }
 
 async def _edge_tts_synthesize(text: str, language: str, output_path: str) -> bool:

docs-src/Dockerfile

@@ -10,8 +10,8 @@ WORKDIR /docs
 
 RUN pip install --no-cache-dir \
     mkdocs==1.6.1 \
-    mkdocs-material==9.5.47 \
-    pymdown-extensions==10.12
+    mkdocs-material \
+    pymdown-extensions
 
 COPY mkdocs.yml /docs/
 COPY docs-src/ /docs/docs-src/

docs-src/development/testing.md

@@ -19,7 +19,7 @@
 
 **Speicherort:** Im gleichen Verzeichnis wie der Code
 
-```
+```text
 internal/
 ├── services/
 │   ├── auth_service.go
@@ -93,7 +93,7 @@ func TestValidateEmail(t *testing.T) {
 
 **Speicherort:** `/backend/tests/`
 
-```
+```text
 backend/
 ├── consent_client.py
 ├── gdpr_api.py
@@ -174,11 +174,11 @@ class TestMyFeature:
 
 Vor dem Abschluss einer Aufgabe:
 
-- [ ] Gibt es Tests fuer alle neuen Funktionen?
-- [ ] Gibt es Tests fuer alle Edge Cases?
-- [ ] Gibt es Tests fuer Fehlerfaelle?
-- [ ] Laufen alle bestehenden Tests noch? (`go test ./...` / `pytest`)
-- [ ] Ist die Test-Coverage angemessen?
+- Gibt es Tests fuer alle neuen Funktionen?
+- Gibt es Tests fuer alle Edge Cases?
+- Gibt es Tests fuer Fehlerfaelle?
+- Laufen alle bestehenden Tests noch? (`go test ./...` / `pytest`)
+- Ist die Test-Coverage angemessen?
 
 ## Tests ausfuehren
 

docs-src/services/onepager_de.html

@@ -0,0 +1,419 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>CERTifAI — Investor One-Pager</title>
+<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
+<style>
+  @page { size: A4; margin: 0; }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
+    background: #fff;
+    color: #1a1a2e;
+    width: 210mm;
+    height: 297mm;
+    overflow: hidden;
+    position: relative;
+  }
+
+  .top-bar {
+    height: 6px;
+    background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4);
+  }
+
+  .container { padding: 16px 34px 10px; }
+
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: flex-start;
+    margin-bottom: 10px;
+  }
+  .logo-area h1 {
+    font-size: 26px;
+    font-weight: 800;
+    letter-spacing: -1px;
+    color: #4f46e5;
+  }
+  .logo-area .tagline {
+    font-size: 11px;
+    color: #64748b;
+    margin-top: 1px;
+  }
+  .contact-info {
+    text-align: right;
+    font-size: 9px;
+    color: #94a3b8;
+    line-height: 1.5;
+  }
+
+  .hero {
+    background: linear-gradient(135deg, #eef2ff, #f0f9ff);
+    border-radius: 10px;
+    padding: 10px 16px;
+    margin-bottom: 10px;
+    border-left: 4px solid #6366f1;
+  }
+  .hero p {
+    font-size: 11px;
+    line-height: 1.4;
+    color: #334155;
+  }
+  .hero strong { color: #4f46e5; font-weight: 700; }
+
+  .columns {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    margin-bottom: 9px;
+  }
+
+  .product-card {
+    border: 1px solid #e2e8f0;
+    border-radius: 10px;
+    padding: 10px 13px;
+    position: relative;
+    overflow: hidden;
+  }
+  .product-card::before {
+    content: '';
+    position: absolute;
+    top: 0; left: 0; right: 0;
+    height: 3px;
+  }
+  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
+  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
+  .product-card h2 {
+    font-size: 13px;
+    font-weight: 800;
+    margin-bottom: 1px;
+  }
+  .product-card.scanner h2 { color: #4f46e5; }
+  .product-card.platform h2 { color: #0891b2; }
+  .product-card .subtitle {
+    font-size: 9px;
+    color: #94a3b8;
+    margin-bottom: 6px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .product-card ul { list-style: none; padding: 0; }
+  .product-card li {
+    font-size: 9.5px;
+    line-height: 1.25;
+    padding: 1.8px 0;
+    padding-left: 13px;
+    position: relative;
+    color: #475569;
+  }
+  .product-card li::before {
+    content: '';
+    position: absolute;
+    left: 0;
+    top: 6.5px;
+    width: 5px;
+    height: 5px;
+    border-radius: 50%;
+  }
+  .product-card.scanner li::before { background: #818cf8; }
+  .product-card.platform li::before { background: #22d3ee; }
+
+  .metrics {
+    display: grid;
+    grid-template-columns: repeat(5, 1fr);
+    gap: 8px;
+    margin-bottom: 9px;
+  }
+  .metric {
+    text-align: center;
+    padding: 8px 4px;
+    border-radius: 8px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+  }
+  .metric .number {
+    font-size: 17px;
+    font-weight: 800;
+    color: #4f46e5;
+  }
+  .metric .label {
+    font-size: 8px;
+    color: #64748b;
+    margin-top: 1px;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.3px;
+  }
+
+  .diff-section { margin-bottom: 9px; }
+  .section-title {
+    font-size: 10.5px;
+    font-weight: 700;
+    color: #1e293b;
+    margin-bottom: 5px;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .diff-grid {
+    display: grid;
+    grid-template-columns: repeat(3, 1fr);
+    gap: 6px;
+  }
+  .diff-item {
+    padding: 7px 9px;
+    border-radius: 7px;
+    background: linear-gradient(135deg, #faf5ff, #f0f9ff);
+    border: 1px solid #e0e7ff;
+  }
+  .diff-item .diff-title {
+    font-size: 9px;
+    font-weight: 700;
+    color: #4f46e5;
+    margin-bottom: 1px;
+  }
+  .diff-item .diff-desc {
+    font-size: 8px;
+    color: #64748b;
+    line-height: 1.25;
+  }
+
+  .roadmap { margin-bottom: 9px; }
+  .roadmap-grid {
+    display: grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap: 6px;
+  }
+  .roadmap-item {
+    padding: 6px 9px;
+    border-radius: 7px;
+    border: 1px dashed #c7d2fe;
+    background: #fefce8;
+  }
+  .roadmap-item .rm-title {
+    font-size: 9px;
+    font-weight: 700;
+    color: #92400e;
+    margin-bottom: 1px;
+  }
+  .roadmap-item .rm-desc {
+    font-size: 7.5px;
+    color: #78716c;
+    line-height: 1.25;
+  }
+
+  .bottom-row {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    margin-bottom: 6px;
+  }
+  .bottom-section .section-title { margin-bottom: 4px; }
+  .bottom-section ul { list-style: none; padding: 0; }
+  .bottom-section li {
+    font-size: 9px;
+    color: #475569;
+    padding: 1.5px 0;
+    padding-left: 11px;
+    position: relative;
+    line-height: 1.3;
+  }
+  .bottom-section li::before {
+    content: '→';
+    position: absolute;
+    left: 0;
+    color: #8b5cf6;
+    font-weight: 700;
+  }
+
+  .footer {
+    position: absolute;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    padding: 9px 34px;
+    background: #f8fafc;
+    border-top: 1px solid #e2e8f0;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+  }
+  .footer .conf {
+    font-size: 8px;
+    color: #94a3b8;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .footer .date {
+    font-size: 8px;
+    color: #94a3b8;
+  }
+</style>
+</head>
+<body>
+<div class="top-bar"></div>
+<div class="container">
+
+  <div class="header">
+    <div class="logo-area">
+      <h1>CERTifAI</h1>
+      <div class="tagline">KI-native Sicherheits- & Compliance-Plattform</div>
+    </div>
+    <div class="contact-info">
+      Vertraulich — Nur für Investoren<br>
+      März 2026
+    </div>
+  </div>
+
+  <div class="hero">
+    <p>
+      CERTifAI ist eine <strong>DSGVO-konforme, datensouveräne KI-Plattform</strong>, die autonomes
+      Sicherheitsscanning mit intelligenter Compliance-Automatisierung vereint. Wir helfen Unternehmen,
+      ihren <strong>Code abzusichern</strong>, <strong>Compliance skalierbar durchzusetzen</strong> und
+      <strong>volle Datensouveränität zu bewahren</strong> — gestützt auf über 200 atomare Sicherheitskontrollen,
+      KI-gesteuerte Triage und einen lückenlosen Audit-Trail für jeden Befund.
+    </p>
+  </div>
+
+  <div class="columns">
+    <div class="product-card scanner">
+      <h2>Compliance Scanner</h2>
+      <div class="subtitle">Autonomer KI-Sicherheitsagent</div>
+      <ul>
+        <li><strong>200+ atomare Kontrollen</strong> — Feingranulare Sicherheitsprüfungen mit vollständiger Herkunftsverfolgung</li>
+        <li><strong>SAST + DAST + SBOM</strong> — Vollumfängliche Sicherheitstests mit Schwachstellenverfolgung</li>
+        <li><strong>KI-gesteuerte Pentests</strong> — Autonome, LLM-orchestrierte Penetrationstests mit verschlüsselten Berichten</li>
+        <li><strong>Automatische PR-Reviews</strong> — Sicherheitsbewusste Code-Review-Kommentare bei jedem Pull Request</li>
+        <li><strong>Audit-Trail</strong> — Unveränderliche Befund-Nachverfolgung von Erkennung bis Behebung</li>
+        <li><strong>LLM-basierte Triage</strong> — Intelligente False-Positive-Filterung mit Konfidenz-Scoring</li>
+        <li><strong>Code-Wissensgraph</strong> — Architekturvisualisierung mit Auswirkungs- & Datenflussanalyse</li>
+        <li><strong>Multi-Tracker-Sync</strong> — Automatische Issues in GitHub, GitLab, Jira, Gitea</li>
+        <li><strong>MCP-Server</strong> — Live-Sicherheitsdaten in Claude, Cursor & anderen KI-Tools</li>
+      </ul>
+    </div>
+
+    <div class="product-card platform">
+      <h2>CERTifAI Plattform</h2>
+      <div class="subtitle">Souveräne GenAI-Infrastruktur</div>
+      <ul>
+        <li><strong>Multi-Provider LLM-Verwaltung</strong> — Einheitliche Schnittstelle für LiteLLM, OpenAI, HuggingFace, Anthropic</li>
+        <li><strong>KI-Agenten-Orchestrierung</strong> — LangGraph-Integration mit Live-Monitoring & Agenten-Registry</li>
+        <li><strong>Enterprise SSO</strong> — Keycloak-basiertes OAuth2/PKCE, LDAP, Multi-Realm-Authentifizierung</li>
+        <li><strong>Nutzungs- & Abrechnungsanalyse</strong> — Token-Tracking, modellbasierte Aufschlüsselung</li>
+        <li><strong>News-Intelligence</strong> — KI-gestützte Nachrichtenzusammenfassung, Trendanalyse, Follow-up-Chat</li>
+        <li><strong>Entwickler-Toolchain</strong> — LangFlow, Langfuse, LangChain sofort einsatzbereit</li>
+        <li><strong>RBAC & Feature Flags</strong> — Rollenbasierter Zugriff mit kontrolliertem GenAI-Rollout pro Org</li>
+        <li><strong>Mehrsprachigkeit</strong> — Vollständige i18n-Unterstützung (DE, FR, ES, PT)</li>
+        <li><strong>RAG-basierter Chat</strong> — Natürlichsprachliche Q&A auf Basis Ihrer Codebasis</li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="metrics">
+    <div class="metric">
+      <div class="number">15 Mrd.+</div>
+      <div class="label">AppSec TAM bis 2027</div>
+    </div>
+    <div class="metric">
+      <div class="number">200+</div>
+      <div class="label">Atomare Sicherheits-<br>kontrollen</div>
+    </div>
+    <div class="metric">
+      <div class="number">80%</div>
+      <div class="label">Zeitersparnis bei<br>Compliance-Prüfungen</div>
+    </div>
+    <div class="metric">
+      <div class="number">10x</div>
+      <div class="label">Günstiger als<br>manuelle Pentests</div>
+    </div>
+    <div class="metric">
+      <div class="number">100%</div>
+      <div class="label">Datensouveränität<br>garantiert</div>
+    </div>
+  </div>
+
+  <div class="diff-section">
+    <div class="section-title">Warum CERTifAI gewinnt</div>
+    <div class="diff-grid">
+      <div class="diff-item">
+        <div class="diff-title">KI-native Sicherheit</div>
+        <div class="diff-desc">LLM-gesteuerte Pentests & Triage ersetzen manuelle Audits (5.000–50.000 €). Kein Wettbewerber bietet autonome KI-Pentests.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Volle Provenienz</div>
+        <div class="diff-desc">Jeder Befund rückverfolgbar zu Kontrolle, Regel und Quelle. Lückenloser Audit-Trail von Erkennung bis Behebung.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Datensouveränität</div>
+        <div class="diff-desc">Keine Daten verlassen Ihre Infrastruktur. DSGVO-konform durch Architektur. EU-Hosting-Optionen verfügbar.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Shift-Left PR-Reviews</div>
+        <div class="diff-desc">Sicherheitsbefunde erscheinen als PR-Kommentare vor dem Merge. Entwickler beheben Probleme direkt am Code.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Entwickelt in Rust</div>
+        <div class="diff-desc">Speichersicherer, hochperformanter Stack. Fullstack-WASM + SSR mit Dioxus. Enterprise-taugliche Zuverlässigkeit.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Einheitliche Steuerung</div>
+        <div class="diff-desc">Sicherheit + KI-Infrastruktur in einem Dashboard. Wettbewerber benötigen 5+ separate Tools.</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="roadmap">
+    <div class="section-title">Roadmap — In Kürze verfügbar</div>
+    <div class="roadmap-grid">
+      <div class="roadmap-item">
+        <div class="rm-title">SOC2 & ISO 27001</div>
+        <div class="rm-desc">Vorgefertigte Kontroll-Mappings für Zertifizierungsreife</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Policy-as-Code</div>
+        <div class="rm-desc">Eigene Compliance-Regeln via deklarative YAML-Policies</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">CI/CD-Gates</div>
+        <div class="rm-desc">Deployments bei kritischen Befunden blockieren</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Executive Reports</div>
+        <div class="rm-desc">Auto-generierte Compliance-Berichte für die Geschäftsführung</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="bottom-row">
+    <div class="bottom-section">
+      <div class="section-title">Geschäftsmodell</div>
+      <ul>
+        <li><strong>SaaS Cloud</strong> — Verwaltete Multi-Tenant-Plattform für KMUs</li>
+        <li><strong>Enterprise-Lizenz</strong> — Dedizierte Bereitstellung mit Support & Integrationen</li>
+        <li><strong>Professional Services</strong> — Individuelle Regeln, Pentest-Berichte, Compliance-Audits</li>
+        <li><strong>API-Stufen</strong> — Kostenlose Community-Stufe, kostenpflichtiger Enterprise-Zugang</li>
+      </ul>
+    </div>
+    <div class="bottom-section">
+      <div class="section-title">Zielmärkte</div>
+      <ul>
+        <li><strong>Regulierte Branchen</strong> — Finanzen, Gesundheitswesen, Behörden (DSGVO, HIPAA, SOC2)</li>
+        <li><strong>Enterprise DevSecOps</strong> — Shift-Left-Security für Entwicklungsteams</li>
+        <li><strong>EU-Datensouveränität</strong> — Unternehmen mit souveräner KI-Infrastruktur</li>
+        <li><strong>Sicherheitsberatungen</strong> — Automatisierte Pentests & Berichtserstellung</li>
+      </ul>
+    </div>
+  </div>
+
+</div>
+
+<div class="footer">
+  <div class="conf">Vertraulich — Nicht zur Weitergabe bestimmt</div>
+  <div class="date">CERTifAI — März 2026</div>
+</div>
+
+</body>
+</html>

docs-src/services/onepager_en.html

@@ -0,0 +1,421 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>CERTifAI — Investor One-Pager</title>
+<link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
+<style>
+  @page { size: A4; margin: 0; }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'Plus Jakarta Sans', -apple-system, sans-serif;
+    background: #fff;
+    color: #1a1a2e;
+    width: 210mm;
+    height: 297mm;
+    overflow: hidden;
+    position: relative;
+  }
+
+  .top-bar {
+    height: 6px;
+    background: linear-gradient(90deg, #6366f1, #8b5cf6, #a78bfa, #06b6d4);
+  }
+
+  .container { padding: 18px 34px 12px; }
+
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: flex-start;
+    margin-bottom: 12px;
+  }
+  .logo-area h1 {
+    font-size: 28px;
+    font-weight: 800;
+    letter-spacing: -1px;
+    color: #4f46e5;
+  }
+  .logo-area .tagline {
+    font-size: 12px;
+    color: #64748b;
+    margin-top: 1px;
+  }
+  .contact-info {
+    text-align: right;
+    font-size: 9.5px;
+    color: #94a3b8;
+    line-height: 1.5;
+  }
+
+  .hero {
+    background: linear-gradient(135deg, #eef2ff, #f0f9ff);
+    border-radius: 10px;
+    padding: 11px 18px;
+    margin-bottom: 11px;
+    border-left: 4px solid #6366f1;
+  }
+  .hero p {
+    font-size: 11.5px;
+    line-height: 1.45;
+    color: #334155;
+  }
+  .hero strong { color: #4f46e5; font-weight: 700; }
+
+  .columns {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 14px;
+    margin-bottom: 10px;
+  }
+
+  .product-card {
+    border: 1px solid #e2e8f0;
+    border-radius: 10px;
+    padding: 12px 14px;
+    position: relative;
+    overflow: hidden;
+  }
+  .product-card::before {
+    content: '';
+    position: absolute;
+    top: 0; left: 0; right: 0;
+    height: 3px;
+  }
+  .product-card.scanner::before { background: linear-gradient(90deg, #6366f1, #8b5cf6); }
+  .product-card.platform::before { background: linear-gradient(90deg, #06b6d4, #0ea5e9); }
+  .product-card h2 {
+    font-size: 13.5px;
+    font-weight: 800;
+    margin-bottom: 2px;
+  }
+  .product-card.scanner h2 { color: #4f46e5; }
+  .product-card.platform h2 { color: #0891b2; }
+  .product-card .subtitle {
+    font-size: 9.5px;
+    color: #94a3b8;
+    margin-bottom: 7px;
+    font-weight: 600;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .product-card ul { list-style: none; padding: 0; }
+  .product-card li {
+    font-size: 10px;
+    line-height: 1.3;
+    padding: 2px 0;
+    padding-left: 14px;
+    position: relative;
+    color: #475569;
+  }
+  .product-card li::before {
+    content: '';
+    position: absolute;
+    left: 0;
+    top: 7px;
+    width: 5px;
+    height: 5px;
+    border-radius: 50%;
+  }
+  .product-card.scanner li::before { background: #818cf8; }
+  .product-card.platform li::before { background: #22d3ee; }
+
+  .metrics {
+    display: grid;
+    grid-template-columns: repeat(5, 1fr);
+    gap: 9px;
+    margin-bottom: 10px;
+  }
+  .metric {
+    text-align: center;
+    padding: 9px 5px;
+    border-radius: 8px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+  }
+  .metric .number {
+    font-size: 18px;
+    font-weight: 800;
+    color: #4f46e5;
+  }
+  .metric .label {
+    font-size: 8.5px;
+    color: #64748b;
+    margin-top: 1px;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.3px;
+  }
+
+  .diff-section { margin-bottom: 10px; }
+  .section-title {
+    font-size: 11px;
+    font-weight: 700;
+    color: #1e293b;
+    margin-bottom: 6px;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .diff-grid {
+    display: grid;
+    grid-template-columns: repeat(3, 1fr);
+    gap: 7px;
+  }
+  .diff-item {
+    padding: 8px 10px;
+    border-radius: 7px;
+    background: linear-gradient(135deg, #faf5ff, #f0f9ff);
+    border: 1px solid #e0e7ff;
+  }
+  .diff-item .diff-title {
+    font-size: 9.5px;
+    font-weight: 700;
+    color: #4f46e5;
+    margin-bottom: 2px;
+  }
+  .diff-item .diff-desc {
+    font-size: 8.5px;
+    color: #64748b;
+    line-height: 1.3;
+  }
+
+  /* Roadmap */
+  .roadmap {
+    margin-bottom: 10px;
+  }
+  .roadmap-grid {
+    display: grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap: 7px;
+  }
+  .roadmap-item {
+    padding: 7px 10px;
+    border-radius: 7px;
+    border: 1px dashed #c7d2fe;
+    background: #fefce8;
+  }
+  .roadmap-item .rm-title {
+    font-size: 9.5px;
+    font-weight: 700;
+    color: #92400e;
+    margin-bottom: 1px;
+  }
+  .roadmap-item .rm-desc {
+    font-size: 8px;
+    color: #78716c;
+    line-height: 1.3;
+  }
+
+  .bottom-row {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 14px;
+    margin-bottom: 8px;
+  }
+  .bottom-section .section-title { margin-bottom: 5px; }
+  .bottom-section ul { list-style: none; padding: 0; }
+  .bottom-section li {
+    font-size: 9.5px;
+    color: #475569;
+    padding: 2px 0;
+    padding-left: 12px;
+    position: relative;
+    line-height: 1.35;
+  }
+  .bottom-section li::before {
+    content: '→';
+    position: absolute;
+    left: 0;
+    color: #8b5cf6;
+    font-weight: 700;
+  }
+
+  .footer {
+    position: absolute;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    padding: 10px 34px;
+    background: #f8fafc;
+    border-top: 1px solid #e2e8f0;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+  }
+  .footer .conf {
+    font-size: 8.5px;
+    color: #94a3b8;
+    font-weight: 500;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+  }
+  .footer .date {
+    font-size: 8.5px;
+    color: #94a3b8;
+  }
+</style>
+</head>
+<body>
+<div class="top-bar"></div>
+<div class="container">
+
+  <div class="header">
+    <div class="logo-area">
+      <h1>CERTifAI</h1>
+      <div class="tagline">AI-Native Security & Compliance Platform</div>
+    </div>
+    <div class="contact-info">
+      Confidential — For Investor Review<br>
+      March 2026
+    </div>
+  </div>
+
+  <div class="hero">
+    <p>
+      CERTifAI is a <strong>GDPR-compliant, data-sovereign AI platform</strong> combining autonomous security scanning
+      with intelligent compliance automation. We help enterprises <strong>secure their code</strong>,
+      <strong>enforce compliance at scale</strong>, and <strong>maintain full data sovereignty</strong> — powered by
+      200+ atomic security controls, AI-driven triage, and a complete audit trail for every finding.
+    </p>
+  </div>
+
+  <div class="columns">
+    <div class="product-card scanner">
+      <h2>Compliance Scanner</h2>
+      <div class="subtitle">Autonomous AI Security Agent</div>
+      <ul>
+        <li><strong>200+ Atomic Controls</strong> — Fine-grained security checks with full provenance tracking per finding</li>
+        <li><strong>SAST + DAST + SBOM</strong> — Full-spectrum security testing with dependency vulnerability tracking</li>
+        <li><strong>AI-Driven Pentesting</strong> — Autonomous LLM-orchestrated penetration testing with encrypted reports</li>
+        <li><strong>Automated PR Reviews</strong> — Security-aware code review comments on every pull request</li>
+        <li><strong>Audit Trail</strong> — Immutable finding lifecycle tracking from detection to remediation</li>
+        <li><strong>LLM-Powered Triage</strong> — Intelligent false-positive filtering with confidence scoring</li>
+        <li><strong>Code Knowledge Graph</strong> — Architecture visualization with impact & data-flow analysis</li>
+        <li><strong>Multi-Tracker Sync</strong> — Auto-creates issues in GitHub, GitLab, Jira, Gitea</li>
+        <li><strong>MCP Server</strong> — Live security data in Claude, Cursor & other AI dev tools</li>
+      </ul>
+    </div>
+
+    <div class="product-card platform">
+      <h2>CERTifAI Platform</h2>
+      <div class="subtitle">Sovereign GenAI Infrastructure</div>
+      <ul>
+        <li><strong>Multi-Provider LLM Management</strong> — Unified interface for LiteLLM, OpenAI, HuggingFace, Anthropic</li>
+        <li><strong>AI Agent Orchestration</strong> — LangGraph integration with live monitoring & agent registry</li>
+        <li><strong>Enterprise SSO</strong> — Keycloak-based OAuth2/PKCE, LDAP, multi-realm authentication</li>
+        <li><strong>Usage & Billing Analytics</strong> — Token tracking, per-model breakdown, seat management</li>
+        <li><strong>News Intelligence</strong> — AI-powered news summarization, trend analysis, follow-up chat</li>
+        <li><strong>Developer Toolchain</strong> — LangFlow, Langfuse, LangChain integrations out of the box</li>
+        <li><strong>RBAC & Feature Flags</strong> — Role-based access with controlled GenAI rollout per org</li>
+        <li><strong>Full i18n</strong> — Multi-language support (DE, FR, ES, PT) for global teams</li>
+        <li><strong>RAG-Powered Chat</strong> — Natural language Q&A grounded in your codebase</li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="metrics">
+    <div class="metric">
+      <div class="number">$15B+</div>
+      <div class="label">AppSec TAM by 2027</div>
+    </div>
+    <div class="metric">
+      <div class="number">200+</div>
+      <div class="label">Atomic Security<br>Controls</div>
+    </div>
+    <div class="metric">
+      <div class="number">80%</div>
+      <div class="label">Compliance Review<br>Time Saved</div>
+    </div>
+    <div class="metric">
+      <div class="number">10x</div>
+      <div class="label">Cheaper than<br>Manual Pentests</div>
+    </div>
+    <div class="metric">
+      <div class="number">100%</div>
+      <div class="label">Data Sovereignty<br>Guaranteed</div>
+    </div>
+  </div>
+
+  <div class="diff-section">
+    <div class="section-title">Why CERTifAI Wins</div>
+    <div class="diff-grid">
+      <div class="diff-item">
+        <div class="diff-title">AI-Native Security</div>
+        <div class="diff-desc">LLM-driven pentesting & triage replace $5K–$50K manual engagements. No competitor offers autonomous AI pentests.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Full Provenance</div>
+        <div class="diff-desc">Every finding traces back to its control, rule, and source. Complete audit trail from detection through remediation.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Data Sovereignty</div>
+        <div class="diff-desc">Zero data leaves your infrastructure. GDPR-compliant by architecture. EU-hosted deployment options.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Shift-Left PR Reviews</div>
+        <div class="diff-desc">Security findings surface as PR comments before code merges. Developers fix issues at the source, not in production.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Built in Rust</div>
+        <div class="diff-desc">Memory-safe, high-performance stack. Fullstack WASM + SSR with Dioxus. Enterprise-grade reliability.</div>
+      </div>
+      <div class="diff-item">
+        <div class="diff-title">Unified Control Plane</div>
+        <div class="diff-desc">Security + AI infrastructure in one dashboard. Competitors require 5+ separate tools to match.</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="roadmap">
+    <div class="section-title">Roadmap — Coming Soon</div>
+    <div class="roadmap-grid">
+      <div class="roadmap-item">
+        <div class="rm-title">SOC2 & ISO 27001</div>
+        <div class="rm-desc">Pre-built control mappings for certification readiness</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Policy-as-Code</div>
+        <div class="rm-desc">Custom compliance rules via declarative YAML policies</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">CI/CD Gates</div>
+        <div class="rm-desc">Block deploys on critical findings with pipeline integration</div>
+      </div>
+      <div class="roadmap-item">
+        <div class="rm-title">Executive Reports</div>
+        <div class="rm-desc">Auto-generated compliance posture reports for leadership</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="bottom-row">
+    <div class="bottom-section">
+      <div class="section-title">Business Model</div>
+      <ul>
+        <li><strong>SaaS Cloud</strong> — Managed multi-tenant platform for SMBs</li>
+        <li><strong>Enterprise License</strong> — Dedicated deployment with support & custom integrations</li>
+        <li><strong>Professional Services</strong> — Custom rules, pentest reports, compliance audits</li>
+        <li><strong>API Tiers</strong> — Free community tier, paid enterprise API access</li>
+      </ul>
+    </div>
+    <div class="bottom-section">
+      <div class="section-title">Target Markets</div>
+      <ul>
+        <li><strong>Regulated Industries</strong> — Finance, healthcare, government (GDPR, HIPAA, SOC2)</li>
+        <li><strong>Enterprise DevSecOps</strong> — Shift-left security for engineering teams</li>
+        <li><strong>EU Data Sovereignty</strong> — Companies requiring sovereign AI infrastructure</li>
+        <li><strong>Security Consultancies</strong> — Automated pentesting & report generation</li>
+      </ul>
+    </div>
+  </div>
+
+</div>
+
+<div class="footer">
+  <div class="conf">Confidential — Do Not Distribute</div>
+  <div class="date">CERTifAI — March 2026</div>
+</div>
+
+</body>
+</html>

docs-src/services/sdk-modules/dependency-engine.md

@@ -0,0 +1,228 @@
+# Control Dependency Engine
+
+Generische Engine zur Modellierung und Auswertung von Abhaengigkeiten zwischen Compliance Controls. Stellt sicher, dass Controls nicht isoliert bewertet werden, sondern im Kontext ihrer logischen Beziehungen.
+
+**Datei:** `control-pipeline/services/dependency_engine.py`
+**Generator:** `control-pipeline/services/dependency_generator.py`
+**Domain Packs:** `control-pipeline/data/domain_packs/`
+**API:** `/v1/dependencies/`
+
+---
+
+## Motivation
+
+Ohne Dependency-Logik:
+
+- System fordert Schulung obwohl Vertrag vorhanden
+- Kunde verliert Vertrauen
+- Falsche Findings, unnoetige Massnahmen
+
+Mit Dependency-Logik:
+
+- "Control B wurde nicht geprueft, weil Control A bestanden hat"
+- "Control C ist fehlgeschlagen, aber durch Control E kompensiert"
+- Korrekte Audit-Ergebnisse, weniger False Positives
+
+---
+
+## 5 Dependency-Typen (v1)
+
+```mermaid
+flowchart LR
+    subgraph Stark
+        A[supersedes Prio=10]
+        B[scope_exclusion Prio=20]
+    end
+    subgraph Mittel
+        C[prerequisite Prio=50]
+        D[conditional_requirement Prio=70]
+    end
+    subgraph Schwach
+        E[compensating_control Prio=80]
+    end
+```
+
+| Typ | Prioritaet | Bedeutung | Beispiel |
+|-----|-----------|-----------|---------|
+| `supersedes` | 10 | A macht B ueberfluessig | GHV-Klausel → Schulung |
+| `scope_exclusion` | 20 | A schliesst B aus | Kein KI → KI-Controls |
+| `prerequisite` | 50 | A muss vor B existieren | Policy definieren → implementieren |
+| `conditional_requirement` | 70 | B nur unter Bedingung | Enhanced Logging nur fuer Grosse |
+| `compensating_control` | 80 | A kompensiert B-Failure | ISO-Cert → Einzelcontrols |
+
+---
+
+## Condition Language
+
+Jede Dependency hat eine `condition` (JSONB) die gegen einen Kontext ausgewertet wird:
+
+### Einfache Bedingung
+
+```json
+{"field": "source.status", "op": "==", "value": "pass"}
+```
+
+### Zusammengesetzte Bedingung
+
+```json
+{
+  "operator": "AND",
+  "clauses": [
+    {"field": "source.status", "op": "==", "value": "pass"},
+    {"field": "context.company_size", "op": "in", "value": ["large", "enterprise"]}
+  ]
+}
+```
+
+### Negation
+
+```json
+{
+  "operator": "NOT",
+  "clause": {"field": "context.scope_signals", "op": "contains", "value": "uses_ai"}
+}
+```
+
+### Verfuegbare Felder
+
+| Feld | Beschreibung |
+|------|-------------|
+| `source.status` | Status des Quell-Controls |
+| `target.status` | Status des Ziel-Controls |
+| `context.industry` | Branche des Unternehmens |
+| `context.company_size` | Unternehmensgroesse |
+| `context.scope_signals` | Scope-Signale (Liste) |
+
+### Operatoren
+
+`==`, `!=`, `in`, `not_in`, `>`, `<`, `>=`, `<=`, `contains`, `AND`, `OR`, `NOT`
+
+---
+
+## Evaluation-Algorithmus
+
+```mermaid
+flowchart TD
+    A[Alle Dependencies laden] --> B[Zyklen erkennen DFS]
+    B --> C{Zyklen?}
+    C -->|Ja| D[Betroffene Controls = review_required]
+    C -->|Nein| E[Topologisch sortieren]
+    E --> F[Fuer jedes Control:]
+    F --> G[Conditions pruefen]
+    G --> H[Matching Effects sammeln]
+    H --> I[Hoechste Prioritaet gewinnt]
+    I --> J[Status setzen + Trace schreiben]
+```
+
+### Priority-basierte Konfliktloesung
+
+Wenn mehrere Dependencies auf dasselbe Control wirken, gewinnt die mit der **niedrigsten** Prioritaetsnummer:
+
+- `scope_exclusion` (Prio 20) schlaegt `compensating_control` (Prio 80)
+- `supersedes` (Prio 10) schlaegt alles
+
+### Cycle Detection
+
+Zyklen (A → B → A) werden via DFS erkannt. Betroffene Controls erhalten `review_required` mit Confidence 0.5.
+
+---
+
+## Automatische Generierung
+
+### 1. Ontology-basiert
+
+Controls mit gleichem `normalized_object` und verschiedenen Lifecycle-Phasen:
+
+```
+define:access_policy (Phase 2)
+  → prerequisite fuer →
+implement:access_policy (Phase 4)
+  → prerequisite fuer →
+test:access_policy (Phase 8)
+```
+
+### 2. Pattern-basiert
+
+| Regel | Source | Target | Dependency |
+|-------|--------|--------|-----------|
+| define_before_implement | define | implement | prerequisite |
+| implement_before_monitor | implement/configure | monitor/test | prerequisite |
+| define_before_enforce | define | enforce | prerequisite |
+| train_before_review | train | review/assess | prerequisite |
+
+### 3. Domain Packs (YAML)
+
+Regulierungsspezifische Regeln in YAML-Dateien:
+
+**DSGVO (`gdpr.yaml`):**
+- Verarbeitungsverzeichnis → DSFA (prerequisite)
+- Rechtsgrundlage → Datenverarbeitung (prerequisite)
+
+**Security (`security.yaml`):**
+- MFA → Passwortkomplexitaet (compensating_control)
+- ISO-Cert → Einzelcontrols (compensating_control)
+
+**AI Act (`ai_act.yaml`):**
+- Risikoklassifizierung → High-Risk-Anforderungen (prerequisite)
+- FRIA → KI-Einsatz (prerequisite)
+
+**CRA (`cra.yaml`):**
+- SBOM → Vulnerability Monitoring (prerequisite)
+- CE-Zertifizierung → Einzelnachweise (compensating_control)
+
+**Arbeitsrecht (`labor_contracts.yaml`):**
+- GHV-Klausel → Schulung (supersedes)
+- Erstschulung → Nachschulung (prerequisite)
+
+---
+
+## API Endpoints
+
+| Methode | Pfad | Beschreibung |
+|---------|------|-------------|
+| `GET` | `/v1/dependencies/` | Dependencies auflisten (filterbar) |
+| `POST` | `/v1/dependencies/` | Dependency manuell erstellen |
+| `DELETE` | `/v1/dependencies/{id}` | Dependency deaktivieren |
+| `POST` | `/v1/dependencies/generate` | Auto-Generierung (dry_run default) |
+| `POST` | `/v1/dependencies/evaluate` | Controls evaluieren |
+| `GET` | `/v1/dependencies/evaluate/{run_id}` | Ergebnisse abrufen |
+| `POST` | `/v1/dependencies/validate` | Zyklen pruefen |
+| `GET` | `/v1/dependencies/graph` | Graph (Nodes + Edges) |
+
+---
+
+## DB-Schema
+
+### `control_dependencies`
+
+| Spalte | Typ | Beschreibung |
+|--------|-----|-------------|
+| `id` | UUID | Primaerschluessel |
+| `source_control_id` | UUID FK | Quell-Control |
+| `target_control_id` | UUID FK | Ziel-Control (wird beeinflusst) |
+| `dependency_type` | VARCHAR(30) | Typ (5 Werte) |
+| `condition` | JSONB | Generische Bedingung |
+| `effect` | JSONB | Effekt bei Bedingung=true |
+| `priority` | INT | Niedrig = hohe Prioritaet |
+| `generation_method` | VARCHAR(30) | manual / ontology / pattern / domain_pack |
+| `is_active` | BOOLEAN | Soft-Delete |
+
+### `control_evaluation_results`
+
+| Spalte | Typ | Beschreibung |
+|--------|-----|-------------|
+| `control_id` | UUID FK | Ausgewertetes Control |
+| `evaluation_run_id` | UUID | Gruppiert einen Lauf |
+| `raw_status` | VARCHAR(30) | Status vor Dependencies |
+| `resolved_status` | VARCHAR(30) | Status nach Dependencies |
+| `dependency_resolution` | JSONB | Vollstaendiger Trace |
+| `confidence` | FLOAT | 0.0-1.0 |
+
+---
+
+## Tests
+
+| Testdatei | Tests | Beschreibung |
+|-----------|-------|-------------|
+| `test_dependency_engine.py` | 39 | Condition Evaluator, Effect Applier, Cycle Detection, Topological Sort, GHV-Szenario |
+| `test_dependency_generator.py` | 14 | Ontology, Pattern, Domain Pack Generation |

mkdocs.yml

@@ -45,6 +45,7 @@ markdown_extensions:
       alternate_style: true
   - pymdownx.highlight:
       anchor_linenums: true
+      guess_lang: false
   - pymdownx.inlinehilite
   - pymdownx.snippets
   - tables
@@ -107,6 +108,7 @@ nav:
       - Policy-Bibliothek (29 Richtlinien): services/sdk-modules/policy-bibliothek.md
       - Canonical Control Library (CP-CLIB): services/sdk-modules/canonical-control-library.md
       - Control Generator Pipeline: services/sdk-modules/control-generator-pipeline.md
+      - Dependency Engine: services/sdk-modules/dependency-engine.md
       - Deduplizierungs-Engine: services/sdk-modules/dedup-engine.md
       - Control Provenance Wiki: services/sdk-modules/control-provenance.md
       - Normative Verbindlichkeit (Dreistufenmodell): services/sdk-modules/normative-verbindlichkeit.md