fix(mc): defensive mapping queries + MinIO env overridable + iace migration 151

- master-controls route: guard all mapping queries with hasMappingTables() so an unseeded DB degrades to empty filters instead of a 500. - docker-compose: MinIO endpoint/keys/secure overridable via env (prod defaults preserved) — enables per-environment local config. - migration 151: reproducible iace_projects.parent_project_id (was ad-hoc). [migration-approved] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(loc): except agent_doc_check_extras.py to unblock loc-budget CI
2026-06-10 13:06:22 +02:00 · 2026-06-10 12:37:05 +02:00 · 2026-06-09 23:19:56 +02:00 · 2026-06-09 19:02:18 +02:00 · 2026-06-09 18:43:43 +02:00 · 2026-06-09 17:24:52 +02:00
370 changed files with 50094 additions and 2899 deletions
@@ -122,9 +122,9 @@ consent-sdk/src/mobile/ios/ConsentManager.swift
 consent-tester/services/dsi_discovery.py
 # --- backend-compliance: unified compliance check orchestrator ---
-# Sequential 7-step pipeline (text resolve, profile detect, check documents,
+# 2026-06-06: REMOVED — file split into agent_check/ subpackage
-# banner scan, cross-check, profile extract, report). Phase 5 split target.
+# (19 files, main module now 347 LOC). Phase 5 target completed.
-backend-compliance/compliance/api/agent_compliance_check_routes.py
+# [guardrail-change]
 # --- docs-src: binary office files (not source code) ---
 # (Also excluded by extension in scripts/check-loc.sh — kept here for legibility.)
@@ -134,6 +134,14 @@ docs-src/Breakpilot ComplAI Finanzplan.xlsm
 # Phase 5+ target for splitting into smaller subcomponents per wizard step.
 admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx
 # --- admin-compliance: zentrale SDK-Schritt-Registry ---
 # Flache Liste aller 38 SDK-Steps mit kanonischer Reihenfolge (seq).
 # Splits nach Paket würden die globale Ordnungs-Garantie zerreißen und
 # Imports an mehreren Stellen aufblähen — der Wert dieser Datei ist
 # *eine* sortierte Source-of-Truth.
 # [guardrail-change]
 admin-compliance/lib/sdk/types/sdk-steps.ts
 # --- ai-compliance-sdk: oversized handler refactor backlog ---
 # Phase 5+ target for splitting handler groups into per-resource files.
 ai-compliance-sdk/internal/api/handlers/tender_handlers.go
@@ -182,3 +190,44 @@ admin-compliance/lib/sdk/einwilligungen/generator/cookie-banner-embed.ts
 # Polling, Storage, History, Agent-Toggle, TDM-Override. Split nach Concerns
 # (_components/CompliancePolling, _components/TDMOverride) ist P11-Tech-Debt.
 admin-compliance/app/sdk/agent/_components/ComplianceCheckTab.tsx
 # --- 2026-05-22 batch: P83-CI-Hardening backlog ---
 # Diese 5 Files verletzen den 500-LOC-Hard-Cap aktuell und blockieren
 # jeden PR der sie touched. Refactor ist Phase-2-Ziel (charakterisierungs-
 # tests + Sub-Module). Bis dahin: explizite Exception mit Rationale,
 # damit die CI nicht orthogonal an pre-existing Tech-Debt scheitert.
 #
 # vendor_detail_extractor.py (675): Playwright-Browser-Orchestrierung mit
 # eng verflochtenen Page-State-Operationen (Banner-Reopen, Category-
 # Expand, Anti-Audit-Detection, TDM-Check). Split braucht Page-Context-
 # Shared-State zwischen Modulen — Aufwand > Nutzen ohne klares Refactor-
 # Konzept. Phase 2: vendor_detail/ Subpackage mit Page-Wrapper-Klasse.
 consent-tester/services/vendor_detail_extractor.py
 # consent_scanner.py (567): 460-Zeilen-Funktion run_consent_test() —
 # Browser-Phasen (initial fetch, banner detect, button click, reject,
 # accept, screenshot, cookie diff). Split nach Phasen ist Phase-2-Ziel
 # (consent_scanner/_phase_*.py).
 consent-tester/services/consent_scanner.py
 # rag_document_checker.py (559): Doc-Check-Pipeline (control loading,
 # canonical-scope filter, deterministic MC checks, LLM enrichment).
 # Splitbar in _control_loader.py + _llm_enrichment.py — kandidat fuer
 # naechsten Sprint mit Charakterisierungs-Test gegen 5 GT-Doc-Samples.
 backend-compliance/compliance/services/rag_document_checker.py
 # banner_text_checker.py (531): 500-Zeilen-Funktion check_banner_text()
 # mit eng-verflochtener DOM-Erkennungs-Logik (Save-Label, Ablehnen-
 # Button, Dark-Patterns, Wortwahl-Heuristik). Phase-2-Split nach
 # Pruef-Aspekt.
 consent-tester/services/banner_text_checker.py
 # ai-act/page.tsx (503): React-Page mit Form-State, Risiko-Klassifikation,
 # Demo-Daten und Export. Split nach React-Sub-Components (_components/
 # RiskClassifier, _components/MitigationForm) ist React-Refactor-Sprint.
 admin-compliance/app/sdk/ai-act/page.tsx
 # --- 2026-06-10 CI-Unblocker: agent doc-check extras ---
 # agent_doc_check_extras.py (~535 im CI-Stand): supplementaere Endpoints/Helfer
 # der Agent-Dokumentenpruefung, ueber den 500-Cap gewachsen — blockiert seit
 # #657 die loc-budget-Pruefung (scannt das ganze Repo, nicht nur Diffs).
 # Pre-existing Tech-Debt (nicht aus IACE-Arbeit). Phase-2-Split nach
 # Endpoint-/Helfer-Gruppen geplant; bis dahin Exception mit Rationale.
 # [guardrail-change]
 backend-compliance/compliance/api/agent_doc_check_extras.py
@@ -411,6 +411,50 @@ jobs:
          pip install --quiet --no-cache-dir pytest pytest-asyncio
          python -m pytest test_main.py -v --tb=short
  # ── P83: BUILD_SHA integrity (always) ────────────────────────────────────
  # Every Dockerfile must declare ARG BUILD_SHA + ENV BUILD_SHA so the
  # check-rebuild-needed.sh script can detect "old code in container" drift.
  # Every docker-compose build: block must pass BUILD_SHA through as a build
  # arg — otherwise the ARG defaults to "unknown" and the check is toothless.
  build-sha-integrity:
    runs-on: docker
    container: alpine:3.20
    steps:
      - name: Checkout
        run: |
          apk add --no-cache git python3
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Validate every Dockerfile + compose block declares BUILD_SHA
        run: |
          python3 - <<'PY'
          import re, sys, glob
          fails = []
          # 1. Each Dockerfile must have ARG BUILD_SHA + ENV BUILD_SHA=${BUILD_SHA}
          for df in sorted(glob.glob("*/Dockerfile")):
              # Skip nested non-canonical Dockerfiles (e.g. admin-compliance/ai-compliance-sdk/Dockerfile)
              if df.count("/") > 1: continue
              src = open(df).read()
              if "ARG BUILD_SHA" not in src:
                  fails.append(f"{df}: missing ARG BUILD_SHA")
              if "ENV BUILD_SHA" not in src:
                  fails.append(f"{df}: missing ENV BUILD_SHA")
          # 2. Every build: block in docker-compose.yml must pass BUILD_SHA
          import yaml
          compose = yaml.safe_load(open("docker-compose.yml"))
          for name, svc in (compose.get("services") or {}).items():
              build = svc.get("build")
              if not isinstance(build, dict):
                  continue  # skipping pre-built image refs
              args = (build.get("args") or {})
              if "BUILD_SHA" not in args:
                  fails.append(f"docker-compose.yml: service '{name}' build.args missing BUILD_SHA")
          if fails:
              print("::error::BUILD_SHA integrity check failed:")
              for f in fails: print(f"  - {f}")
              sys.exit(1)
          print(f"OK: BUILD_SHA wired in all Dockerfiles + compose build blocks.")
          PY
  # ── OpenAPI contract validation (always) ─────────────────────────────────
  validate-canonical-controls:
    runs-on: docker
@@ -55,5 +55,9 @@ EXPOSE 3000
 # Set hostname
 ENV HOSTNAME="0.0.0.0"
 # P83 — Build-SHA fuer check-rebuild-needed.sh
 ARG BUILD_SHA="unknown"
 ENV BUILD_SHA=${BUILD_SHA}
 # Start the application
 CMD ["node", "server.js"]
@@ -0,0 +1,27 @@
 /**
 * Proxy: Admin → Backend /api/compliance/agent/admin/benchmark
 * (P107 — Branchen-Benchmark-Cockpit)
 */
 import { NextRequest, NextResponse } from 'next/server'
 const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
 export async function GET(request: NextRequest) {
  const qs = request.nextUrl.searchParams.toString()
  try {
    const r = await fetch(
      `${BACKEND_URL}/api/compliance/agent/admin/benchmark?${qs}`,
      { signal: AbortSignal.timeout(20000) },
    )
    const body = await r.text()
    return new NextResponse(body, {
      status: r.status,
      headers: { 'Content-Type': r.headers.get('content-type') || 'application/json' },
    })
  } catch (e: any) {
    return NextResponse.json(
      { error: 'Benchmark-API nicht erreichbar', detail: String(e) },
      { status: 503 },
    )
  }
 }
@@ -66,18 +66,31 @@ async function proxyRequest(
    const response = await fetch(url, fetchOptions)
-    // Handle non-JSON responses (PDF exports, ZIP CE technical file)
+    // Handle non-JSON responses (PDF/ZIP CE technical file, XLSX/DOCX/MD exports).
-    const responseContentType = response.headers.get('content-type')
+    const responseContentType = response.headers.get('content-type') || ''
-    if (responseContentType?.includes('application/pdf') ||
+    const isBinary =
-        responseContentType?.includes('application/zip') ||
+      responseContentType.includes('application/pdf') ||
-        responseContentType?.includes('application/octet-stream')) {
+      responseContentType.includes('application/zip') ||
      responseContentType.includes('application/octet-stream') ||
      responseContentType.includes('application/vnd.openxmlformats-officedocument') ||
      responseContentType.includes('application/vnd.ms-excel') ||
      responseContentType.includes('application/msword') ||
      responseContentType.includes('text/markdown')
    if (isBinary) {
      const blob = await response.blob()
      const forwardedHeaders: Record<string, string> = {
        'Content-Type': responseContentType,
        'Content-Disposition': response.headers.get('content-disposition') || '',
      }
      // Forward DSMS archive metadata so the frontend can render the CID badge
      // (set by archiveTechFile when the backend persisted the export to DSMS).
      for (const h of ['x-dsms-cid', 'x-dsms-filename', 'x-dsms-size']) {
        const v = response.headers.get(h)
        if (v) forwardedHeaders[h] = v
      }
      return new NextResponse(blob, {
        status: response.status,
-        headers: {
+        headers: forwardedHeaders,
          'Content-Type': responseContentType,
          'Content-Disposition': response.headers.get('content-disposition') || '',
        },
      })
    }
@@ -10,6 +10,38 @@ const dbUrl = process.env.COMPLIANCE_DATABASE_URL ||
 const pool = new Pool({ connectionString: dbUrl })
 // handleMeta returns global (filter-independent) counts incl. a ~2s member-join
 // facet. It is refetched on every filter change, so cache it briefly.
 let metaCache: { at: number; data: unknown } | null = null
 const META_TTL_MS = 120_000
 // The use-case mapping tables (mc_use_case_mappings/mc_verification/mc_regulations)
 // are seeded per-environment and may not exist yet on a fresh/unseeded DB. Guard
 // every mapping query so the route degrades to empty filters instead of a 500.
 // Cached with a short TTL so it picks up the tables once that DB gets seeded.
 let mappingTablesCache: { at: number; present: boolean } | null = null
 async function hasMappingTables(): Promise<boolean> {
  if (mappingTablesCache && Date.now() - mappingTablesCache.at < 300_000) {
    return mappingTablesCache.present
  }
  let present = false
  try {
    const r = await pool.query(
      "SELECT to_regclass('compliance.mc_use_case_mappings') IS NOT NULL AS present")
    present = !!r.rows[0]?.present
  } catch { present = false }
  mappingTablesCache = { at: Date.now(), present }
  return present
 }
 type MCListRow = {
  id: string; control_id: string; title: string; objective: string
  severity: string; category: string; total_controls: number
  phases_covered: string[] | null; created_at: string
  verification_method: string | null; use_cases: string[] | null
  primary_regulation: string | null
 }
 /**
 * MC API that returns data in the same format as the canonical controls
 * endpoint. This allows the MC page to reuse ControlListView components.
@@ -43,17 +75,14 @@ export async function GET(request: NextRequest) {
  }
 }
-async function handleControls(params: URLSearchParams) {
+// Shared WHERE builder so list + count stay in lock-step (incl. the
-  const search = params.get('search') || ''
+// use_case / verification_method / source_regulation mapping filters).
-  const limit = Math.min(parseInt(params.get('limit') || '50'), 200)
+function buildControlsWhere(params: URLSearchParams, hasMapping: boolean): { where: string; args: unknown[]; idx: number } {
  const offset = parseInt(params.get('offset') || '0')
  const sort = params.get('sort') || 'control_id'
  const order = params.get('order') === 'desc' ? 'DESC' : 'ASC'
  let where = "WHERE 1=1"
  const args: unknown[] = []
  let idx = 1
  const search = params.get('search') || ''
  if (search) {
    where += ` AND mc.canonical_name ILIKE $${idx}`
    args.push(`%${search}%`)
@@ -61,11 +90,9 @@ async function handleControls(params: URLSearchParams) {
  }
  const severity = params.get('severity') || ''
-  if (severity) {
+  if (severity === 'high') { where += ` AND mc.total_controls > 100` }
-    if (severity === 'high') { where += ` AND mc.total_controls > 100` }
+  else if (severity === 'medium') { where += ` AND mc.total_controls BETWEEN 20 AND 100` }
-    else if (severity === 'medium') { where += ` AND mc.total_controls BETWEEN 20 AND 100` }
+  else if (severity === 'low') { where += ` AND mc.total_controls < 20` }
    else if (severity === 'low') { where += ` AND mc.total_controls < 20` }
  }
  const domain = params.get('domain') || ''
  if (domain) {
@@ -74,10 +101,85 @@ async function handleControls(params: URLSearchParams) {
    idx++
  }
  // Mapping-based filters only apply when the mapping tables exist (seeded DB).
  if (hasMapping) {
    const useCase = params.get('use_case') || ''
    const primaryOnly = params.get('primary') === '1'
    if (useCase) {
      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
                   WHERE m.master_control_uuid = mc.id AND m.use_case = $${idx}${primaryOnly ? ' AND m.is_primary' : ''})`
      args.push(useCase)
      idx++
    }
    const verification = params.get('verification_method') || ''
    if (verification === '__none__') {
      where += ` AND NOT EXISTS (SELECT 1 FROM compliance.mc_verification v
                   WHERE v.master_control_uuid = mc.id)`
    } else if (verification) {
      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_verification v
                   WHERE v.master_control_uuid = mc.id AND v.verification_method = $${idx})`
      args.push(verification)
      idx++
    }
    const regulation = params.get('source_regulation') || ''
    if (regulation) {
      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_regulations r
                   WHERE r.master_control_uuid = mc.id AND r.source_regulation = $${idx})`
      args.push(regulation)
      idx++
    }
    const mapped = params.get('mapped') || ''
    if (mapped === 'mapped') {
      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
                   WHERE m.master_control_uuid = mc.id)`
    } else if (mapped === 'unmapped') {
      where += ` AND NOT EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
                   WHERE m.master_control_uuid = mc.id)`
    }
  }
  // Member-based filter: an MC matches if ANY of its atomic members has the
  // category. Only category/severity/release_state are populated on the
  // deduplicated members; evidence_type, target_audience and source_citation
  // are 100% NULL there, so those canonical filters cannot apply to MCs
  // without an upstream backfill (wiring them would just return 0).
  const category = params.get('category') || ''
  if (category) {
    where += ` AND EXISTS (SELECT 1 FROM compliance.master_control_members mcm
                 JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
                 WHERE mcm.master_control_uuid = mc.id AND cc.category = $${idx})`
    args.push(category); idx++
  }
  return { where, args, idx }
 }
 async function handleControls(params: URLSearchParams) {
  const limit = Math.min(parseInt(params.get('limit') || '50'), 200)
  const offset = parseInt(params.get('offset') || '0')
  const sort = params.get('sort') || 'control_id'
  const order = params.get('order') === 'desc' ? 'DESC' : 'ASC'
  const hasMapping = await hasMappingTables()
  const { where, args, idx } = buildControlsWhere(params, hasMapping)
  const sortCol = sort === 'control_id' ? 'mc.master_control_id' :
                  sort === 'created_at' ? 'mc.created_at' :
                  sort === 'source' ? 'mc.canonical_name' : 'mc.master_control_id'
  const mapCols = hasMapping ? `,
           (SELECT v.verification_method FROM compliance.mc_verification v
             WHERE v.master_control_uuid = mc.id) as verification_method,
           (SELECT array_agg(m.use_case ORDER BY m.is_primary DESC, m.use_case)
              FROM compliance.mc_use_case_mappings m
             WHERE m.master_control_uuid = mc.id) as use_cases,
           (SELECT r.source_regulation FROM compliance.mc_regulations r
             WHERE r.master_control_uuid = mc.id AND r.is_primary LIMIT 1) as primary_regulation`
    : `, NULL as verification_method, NULL::text[] as use_cases, NULL as primary_regulation`
  args.push(limit, offset)
  const res = await pool.query(`
    SELECT mc.master_control_id as control_id,
@@ -90,7 +192,7 @@ async function handleControls(params: URLSearchParams) {
           mc.total_controls,
           mc.phases_covered,
           mc.id,
-           mc.created_at
+           mc.created_at${mapCols}
    FROM compliance.master_controls mc
    ${where}
    ORDER BY ${sortCol} ${order}
@@ -98,7 +200,7 @@ async function handleControls(params: URLSearchParams) {
  `, args)
  // Map to canonical control format
-  const controls = res.rows.map(r => ({
+  const controls = res.rows.map((r: MCListRow) => ({
    id: r.id,
    control_id: r.control_id,
    title: r.title,
@@ -106,10 +208,11 @@ async function handleControls(params: URLSearchParams) {
    severity: r.severity,
    category: r.category,
    release_state: 'active',
-    source_citation: null,
+    source_citation: r.primary_regulation ? { source: r.primary_regulation } : null,
-    verification_method: null,
+    verification_method: r.verification_method,
    evidence_type: null,
    target_audience: [],
    use_cases: r.use_cases || [],
    requirements: [],
    test_procedure: [],
    evidence: [],
@@ -126,22 +229,18 @@ async function handleControls(params: URLSearchParams) {
 }
 async function handleCount(params: URLSearchParams) {
-  const search = params.get('search') || ''
+  const hasMapping = await hasMappingTables()
-  let where = "WHERE 1=1"
+  const { where, args } = buildControlsWhere(params, hasMapping)
  const args: unknown[] = []
  if (search) {
    where += ` AND mc.canonical_name ILIKE $1`
    args.push(`%${search}%`)
  }
  const res = await pool.query(
    `SELECT count(*) FROM compliance.master_controls mc ${where}`, args
  )
  return NextResponse.json({ total: parseInt(res.rows[0].count) })
 }
-async function handleMeta(params: URLSearchParams) {
+async function handleMeta(_params: URLSearchParams) {
  if (metaCache && Date.now() - metaCache.at < META_TTL_MS) {
    return NextResponse.json(metaCache.data)
  }
  const res = await pool.query(`
    SELECT count(*) as total,
           count(CASE WHEN total_controls > 100 THEN 1 END) as high_count,
@@ -158,21 +257,62 @@ async function handleMeta(params: URLSearchParams) {
    GROUP BY 1 ORDER BY 2 DESC LIMIT 30
  `)
-  return NextResponse.json({
+  // category facet is member-based (those tables always exist); the mapping
-    total: parseInt(r.total),
+  // facets only when the mapping tables are present (seeded DB).
  const hasMapping = await hasMappingTables()
  const catRes = await pool.query(`SELECT cc.category v, count(DISTINCT mcm.master_control_uuid) c
                FROM compliance.master_control_members mcm
                JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
                WHERE cc.category IS NOT NULL GROUP BY 1 ORDER BY 2 DESC`)
  const emptyRows = { rows: [] as Array<Record<string, string>> }
  const [ucRes, vRes, regRes, mappedRes] = hasMapping
    ? await Promise.all([
        pool.query(`SELECT use_case, count(DISTINCT master_control_uuid) c
                    FROM compliance.mc_use_case_mappings GROUP BY 1 ORDER BY 2 DESC`),
        pool.query(`SELECT verification_method, count(*) c
                    FROM compliance.mc_verification GROUP BY 1 ORDER BY 2 DESC`),
        pool.query(`SELECT source_regulation, count(DISTINCT master_control_uuid) c
                    FROM compliance.mc_regulations GROUP BY 1 ORDER BY 2 DESC LIMIT 200`),
        pool.query(`SELECT count(DISTINCT master_control_uuid) c
                    FROM compliance.mc_use_case_mappings`),
      ])
    : [emptyRows, emptyRows, emptyRows, { rows: [{ c: '0' }] }]
  const facet = (rows: Array<{ v: string; c: string }>) =>
    Object.fromEntries(rows.filter(x => x.v).map(x => [x.v, parseInt(x.c)]))
  const total = parseInt(r.total)
  const mappedTotal = parseInt(mappedRes.rows[0].c)
  const payload = {
    total,
    severity_counts: {
      high: parseInt(r.high_count),
      medium: parseInt(r.medium_count),
      low: parseInt(r.low_count),
    },
-    domains: domainRes.rows.map(d => ({ domain: d.domain, count: parseInt(d.count) })),
+    domains: domainRes.rows.map((d: { domain: string; count: string }) =>
      ({ domain: d.domain, count: parseInt(d.count) })),
    sources: [],
    no_source_count: 0,
-    release_state_counts: { active: parseInt(r.total) },
+    release_state_counts: { active: total },
-    verification_method_counts: {},
+    verification_method_counts: Object.fromEntries(
-    category_counts: {},
+      vRes.rows.map((x: { verification_method: string; c: string }) =>
        [x.verification_method, parseInt(x.c)])),
    category_counts: facet(catRes.rows),
    evidence_type_counts: {},
-  })
+    use_case_counts: Object.fromEntries(
      ucRes.rows
        .filter((x: { use_case: string | null }) => x.use_case)
        .map((x: { use_case: string; c: string }) => [x.use_case, parseInt(x.c)])),
    regulations: regRes.rows
      .filter((x: { source_regulation: string | null }) => x.source_regulation)
      .map((x: { source_regulation: string; c: string }) =>
        ({ source_regulation: x.source_regulation, count: parseInt(x.c) })),
    mapped_total: mappedTotal,
    unmapped_count: total - mappedTotal,
  }
  metaCache = { at: Date.now(), data: payload }
  return NextResponse.json(payload)
 }
 async function handleDetail(params: URLSearchParams) {
@@ -201,6 +341,24 @@ async function handleDetail(params: URLSearchParams) {
    LIMIT 100
  `, [mc.id])
  // Use-case / verification / regulation mapping (only when the tables exist).
  const mapping: Record<string, any> = (await hasMappingTables())
    ? ((await pool.query(`
    SELECT
      (SELECT json_agg(json_build_object('use_case', m.use_case, 'is_primary', m.is_primary)
                ORDER BY m.is_primary DESC, m.use_case)
         FROM compliance.mc_use_case_mappings m WHERE m.master_control_uuid = $1) as use_cases,
      (SELECT v.verification_method FROM compliance.mc_verification v
         WHERE v.master_control_uuid = $1) as verification_method,
      (SELECT json_agg(json_build_object('source_regulation', r.source_regulation,
                'is_primary', r.is_primary, 'member_count', r.member_count)
                ORDER BY r.is_primary DESC, r.member_count DESC)
         FROM compliance.mc_regulations r WHERE r.master_control_uuid = $1) as regulations
  `, [mc.id])).rows[0] || {})
    : {}
  const regs = mapping.regulations || []
  const primaryReg = regs.find((x: { is_primary: boolean }) => x.is_primary) || regs[0]
  return NextResponse.json({
    id: mc.id,
    control_id: mc.control_id,
@@ -220,7 +378,10 @@ async function handleDetail(params: URLSearchParams) {
    evidence: [],
    open_anchors: [],
    target_audience: [],
-    source_citation: null,
+    verification_method: mapping.verification_method || null,
    use_cases: mapping.use_cases || [],
    regulations: regs,
    source_citation: primaryReg ? { source: primaryReg.source_regulation } : null,
    scope: { platforms: [], components: [], data_classes: [] },
    risk_score: null,
    implementation_effort: null,
@@ -0,0 +1,112 @@
 /**
 * Specialist-Agent API Proxy
 * Proxies /api/sdk/v1/specialist-agent/* → backend-compliance:8002/api/v1/specialist-agent/*
 *
 * Streaming routes (SSE /test/stream/{run_id}) pass through unmodified.
 */
 import { NextRequest, NextResponse } from 'next/server'
 const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 async function proxyRequest(
  request: NextRequest,
  pathSegments: string[] | undefined,
  method: string,
 ) {
  const pathStr = pathSegments?.join('/') || ''
  const searchParams = request.nextUrl.searchParams.toString()
  const basePath = `${BACKEND_URL}/api/compliance/specialist-agent`
  const url = pathStr
    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
  const isSSE = pathStr.startsWith('test/stream/')
  try {
    const headers: HeadersInit = {}
    if (!isSSE) headers['Content-Type'] = 'application/json'
    const fetchOptions: RequestInit = {
      method,
      headers,
      signal: AbortSignal.timeout(isSSE ? 600000 : 60000),
    }
    if (method === 'POST' || method === 'PUT' || method === 'PATCH' ||
        method === 'DELETE') {
      const body = await request.text()
      if (body) fetchOptions.body = body
    }
    const response = await fetch(url, fetchOptions)
    if (isSSE) {
      return new NextResponse(response.body, {
        status: response.status,
        headers: {
          'Content-Type': 'text/event-stream',
          'Cache-Control': 'no-cache',
          'Connection': 'keep-alive',
          'X-Accel-Buffering': 'no',
        },
      })
    }
    if (!response.ok) {
      const errText = await response.text()
      let errJson
      try { errJson = JSON.parse(errText) }
      catch { errJson = { error: errText } }
      return NextResponse.json(
        { error: `Backend Error: ${response.status}`, ...errJson },
        { status: response.status },
      )
    }
    const ct = response.headers.get('content-type') || ''
    if (ct.includes('application/json')) {
      const data = await response.json()
      return NextResponse.json(data)
    }
    // Binary asset (image/video/csv etc.)
    const blob = await response.blob()
    return new NextResponse(blob, {
      status: response.status,
      headers: {
        'Content-Type': ct || 'application/octet-stream',
        'Content-Disposition':
          response.headers.get('content-disposition') || '',
      },
    })
  } catch (e) {
    console.error('specialist-agent proxy error:', e)
    return NextResponse.json(
      { error: 'Verbindung zum Backend fehlgeschlagen' },
      { status: 503 },
    )
  }
 }
 export async function GET(
  request: NextRequest,
  { params }: { params: Promise<{ path?: string[] }> },
 ) {
  const { path } = await params
  return proxyRequest(request, path, 'GET')
 }
 export async function POST(
  request: NextRequest,
  { params }: { params: Promise<{ path?: string[] }> },
 ) {
  const { path } = await params
  return proxyRequest(request, path, 'POST')
 }
 export async function DELETE(
  request: NextRequest,
  { params }: { params: Promise<{ path?: string[] }> },
 ) {
  const { path } = await params
  return proxyRequest(request, path, 'DELETE')
 }
@@ -0,0 +1,134 @@
 'use client'
 /**
 * Strukturierte Finding-Anzeige.
 * Layout:
 *   [Severity-Badge]  [Methodik-Badge(s)]
 *   [Titel]
 *   ┌ Gesetzliche Basis / Norm ─────────┐
 *   │ § 5 Abs. 1 Nr. 1 TMG               │
 *   └────────────────────────────────────┘
 *   ┌ Befund / Wörtlich ───────────────┐
 *   │ "Vorstand: …"                     │
 *   └────────────────────────────────────┘
 *   ┌ Empfehlung / Best Practice ──────┐
 *   │ → Konkrete Maßnahme               │
 *   └────────────────────────────────────┘
 */
 import React from 'react'
 import type { Finding, SourceType } from './_agentTypes'
 import {
  METHODIK_COLOR,
  METHODIK_LABEL,
  METHODIK_SHORT,
  SEVERITY_BG,
  SEVERITY_COLOR,
 } from './_agentTypes'
 export function AgentFindingCard({ f }: { f: Finding }) {
  const sev = f.severity
  const color = SEVERITY_COLOR[sev]
  const bg = SEVERITY_BG[sev]
  const sources = f.sources || []
  return (
    <div
      className="rounded border-l-4 p-3 space-y-2"
      style={{ borderLeftColor: color, background: bg }}
    >
      <div className="flex items-center flex-wrap gap-2">
        <span
          className="text-xs font-bold px-2 py-0.5 rounded text-white"
          style={{ background: color }}
        >
          {sev}
        </span>
        <code className="text-[11px] text-gray-500">{f.check_id}</code>
        {sources.map((s, i) => (
          <MethodikBadge key={i} src={s.source_type} sourceId={s.source_id} />
        ))}
        {f.confidence !== undefined && (
          <span className="text-[10px] text-gray-500 ml-auto">
            Konfidenz {(f.confidence * 100).toFixed(0)}%
          </span>
        )}
      </div>
      <div className="text-sm font-medium text-gray-900">{f.title}</div>
      {f.norm && (
        <Block label="Gesetzliche Basis" tone="purple">
          {f.norm}
        </Block>
      )}
      {f.evidence && (
        <Block label="Befund" tone="amber">
          <span className="italic">„{f.evidence}"</span>
        </Block>
      )}
      {f.action && (
        <Block
          label={
            sources.some(s =>
              s.source_type === 'llm_local' ||
              s.source_type === 'llm_local_big' ||
              s.source_type === 'llm_cloud'
            )
              ? 'Empfehlung (LLM-Vorschlag)'
              : sev === 'HIGH'
                ? 'Pflicht-Maßnahme'
                : 'Best-Practice-Empfehlung'
          }
          tone="green"
        >
          {f.action}
        </Block>
      )}
    </div>
  )
 }
 function MethodikBadge({
  src, sourceId,
 }: { src: SourceType; sourceId?: string }) {
  const { bg, fg } = METHODIK_COLOR[src] || { bg: '#e5e7eb', fg: '#374151' }
  const title = `${METHODIK_LABEL[src]}${sourceId ? ` · ${sourceId}` : ''}`
  return (
    <span
      title={title}
      className="text-[10px] px-1.5 py-0.5 rounded font-mono"
      style={{ background: bg, color: fg }}
    >
      {METHODIK_SHORT[src]}
    </span>
  )
 }
 function Block({
  label, tone, children,
 }: {
  label: string
  tone: 'purple' | 'amber' | 'green'
  children: React.ReactNode
 }) {
  const toneMap = {
    purple: { border: '#a78bfa', bg: '#f5f3ff', label: '#5b21b6' },
    amber: { border: '#fbbf24', bg: '#fffbeb', label: '#92400e' },
    green: { border: '#34d399', bg: '#ecfdf5', label: '#065f46' },
  } as const
  const t = toneMap[tone]
  return (
    <div
      className="rounded px-2 py-1.5 text-xs"
      style={{ background: t.bg, borderLeft: `3px solid ${t.border}` }}
    >
      <div className="font-semibold mb-0.5" style={{ color: t.label }}>
        {label}
      </div>
      <div className="text-gray-800">{children}</div>
    </div>
  )
 }
@@ -0,0 +1,63 @@
 'use client'
 /**
 * "Was wurde geprüft" — listet alle MCs eines Agents mit ihrem Status.
 * Standardmäßig collapsed; zeigt sofort, was Methodik des Agents war.
 */
 import React, { useState } from 'react'
 import type { McCoverage } from './_agentTypes'
 const STATUS_COLOR: Record<string, string> = {
  ok: '#10b981',
  na: '#94a3b8',
  skipped: '#cbd5e1',
  high: '#dc2626',
  medium: '#f59e0b',
  low: '#3b82f6',
 }
 const STATUS_LABEL: Record<string, string> = {
  ok: 'OK',
  na: 'n/a',
  skipped: 'übersprungen',
  high: 'HIGH',
  medium: 'MEDIUM',
  low: 'LOW',
 }
 export function AgentMcCoverage({ coverage }: { coverage: McCoverage[] }) {
  const [open, setOpen] = useState(false)
  if (!coverage?.length) return null
  return (
    <div className="border rounded bg-slate-50">
      <button
        onClick={() => setOpen(o => !o)}
        className="w-full text-left px-3 py-2 text-xs font-semibold uppercase text-gray-700 flex justify-between items-center"
      >
        <span>Was wurde geprüft? ({coverage.length} MCs)</span>
        <span className="text-gray-400">{open ? '▾' : '▸'}</span>
      </button>
      {open && (
        <div className="border-t bg-white p-2 space-y-0.5 max-h-60 overflow-y-auto">
          {coverage.map(c => (
            <div key={c.mc_id} className="flex items-center gap-2 text-xs">
              <span
                className="w-2 h-2 rounded-full inline-block"
                style={{ background: STATUS_COLOR[c.status] || '#cbd5e1' }}
              />
              <code className="text-gray-500">{c.mc_id}</code>
              <span className="text-gray-700">
                {STATUS_LABEL[c.status] || c.status}
              </span>
              {c.reason && (
                <span className="text-gray-400 italic">— {c.reason}</span>
              )}
            </div>
          ))}
        </div>
      )}
    </div>
  )
 }
@@ -0,0 +1,51 @@
 'use client'
 /**
 * Recommendation-Card: zeigt die gerollupten Maßnahmen.
 * Eine Recommendation bündelt 1..N Findings mit gleicher Maßnahme.
 */
 import React from 'react'
 import type { Recommendation } from './_agentTypes'
 import { SEVERITY_COLOR } from './_agentTypes'
 export function AgentRecommendationCard({ r }: { r: Recommendation }) {
  const color = SEVERITY_COLOR[r.severity]
  return (
    <div
      className="rounded p-3 space-y-1 text-sm bg-emerald-50"
      style={{ borderLeft: `3px solid ${color}` }}
    >
      <div className="flex items-baseline gap-2 flex-wrap">
        <span
          className="text-[10px] font-bold px-1.5 py-0.5 rounded text-white"
          style={{ background: color }}
        >
          {r.severity}
        </span>
        <span className="font-semibold text-gray-900">{r.title}</span>
        <span className="text-[10px] text-gray-500 ml-auto">
          {r.related_finding_ids.length} Finding(s)
          {' · '}
          {r.estimated_effort_hours.toFixed(1)}h geschätzt
        </span>
      </div>
      {r.body && r.body !== r.title && (
        <div className="text-xs text-gray-700 whitespace-pre-wrap">
          {r.body}
        </div>
      )}
      {r.related_finding_ids.length > 0 && (
        <details className="text-[10px] text-gray-500">
          <summary className="cursor-pointer">Aus diesen Findings abgeleitet</summary>
          <ul className="mt-1 list-disc ml-4 space-y-0.5">
            {r.related_finding_ids.map(id => (
              <li key={id}><code>{id}</code></li>
            ))}
          </ul>
        </details>
      )}
    </div>
  )
 }
@@ -0,0 +1,136 @@
 'use client'
 /**
 * SlotCard — ein Slot im Agent-Test mit Sections:
 *  1. Header (Slot-Name, duration, Vault-Link)
 *  2. Was wurde geprüft (MC-Coverage, collapsible)
 *  3. Speedometer
 *  4. Eskalationslog (wenn vorhanden)
 *  5. Findings (sortiert HIGH → LOW)
 *  6. Recommendations (gerollupt)
 */
 import React, { useState } from 'react'
 import type { SlotOutput, Severity } from './_agentTypes'
 import { AgentFindingCard } from './AgentFindingCard'
 import { AgentMcCoverage } from './AgentMcCoverage'
 import { AgentRecommendationCard } from './AgentRecommendationCard'
 import { AgentSpeedometer } from './AgentSpeedometer'
 const SEV_ORDER: Record<Severity, number> = {
  HIGH: 0, MEDIUM: 1, LOW: 2, INFO: 3,
 }
 export function AgentSlotCard({
  slot, output, runId,
 }: {
  slot: string
  output: SlotOutput
  runId: string
 }) {
  const [showAll, setShowAll] = useState(false)
  const wasSkipped = output.mc_total > 0 &&
    output.mc_ok === 0 && output.mc_na === 0 &&
    output.mc_high === 0 && output.mc_medium === 0 && output.mc_low === 0
  const allGreen = !wasSkipped && output.findings.length === 0
  const sortedFindings = [...output.findings].sort(
    (a, b) => SEV_ORDER[a.severity] - SEV_ORDER[b.severity],
  )
  const visible = showAll ? sortedFindings : sortedFindings.slice(0, 12)
  return (
    <div className="rounded-lg border bg-white p-4 space-y-3 shadow-sm">
      <div className="flex items-baseline gap-3 flex-wrap">
        <h3 className="font-semibold text-gray-900">Slot: {slot}</h3>
        <span className="text-xs text-gray-500">
          {output.duration_ms} ms · Konfidenz {(output.confidence * 100).toFixed(0)}%
        </span>
        {wasSkipped && (
          <span className="text-xs bg-amber-100 text-amber-800 px-2 py-0.5 rounded">
            Dokument konnte nicht geladen werden
          </span>
        )}
        {allGreen && (
          <span className="text-xs bg-emerald-100 text-emerald-800 px-2 py-0.5 rounded">
            Alle anwendbaren MCs erfüllt
          </span>
        )}
        <a
          className="text-xs text-blue-600 hover:underline ml-auto"
          href={`/api/sdk/v1/specialist-agent/run/${runId}/artifacts`}
          target="_blank"
          rel="noreferrer"
        >
          Artefakte ↗
        </a>
      </div>
      {output.notes && (
        <div className="text-xs text-amber-700 bg-amber-50 px-2 py-1 rounded">
          Hinweis: {output.notes}
        </div>
      )}
      <AgentMcCoverage coverage={output.mc_coverage} />
      <AgentSpeedometer
        total={output.mc_total}
        ok={output.mc_ok}
        na={output.mc_na}
        high={output.mc_high}
        medium={output.mc_medium}
        low={output.mc_low}
      />
      {output.escalation_log.length > 0 && (
        <div className="text-xs text-gray-600 border-l-2 border-violet-400 pl-2 space-y-0.5">
          <div className="font-semibold text-violet-700">
            LLM-Eskalation eingesetzt:
          </div>
          {output.escalation_log.map((e, i) => (
            <div key={i}>
              {e.stage} <code className="text-violet-700">{e.model}</code>{' '}
              · {e.duration_ms} ms{' '}
              {e.tokens_in ? `· ${e.tokens_in}→${e.tokens_out} tok` : ''}{' '}
              {e.success ? '✓' : `✗ ${e.error || ''}`}
            </div>
          ))}
        </div>
      )}
      {sortedFindings.length > 0 && (
        <div className="space-y-2">
          <div className="text-xs font-semibold uppercase text-gray-700">
            Findings ({sortedFindings.length}) — nach Schwere sortiert
          </div>
          <div className="space-y-2">
            {visible.map(f => (
              <AgentFindingCard key={f.check_id} f={f} />
            ))}
          </div>
          {sortedFindings.length > 12 && (
            <button
              onClick={() => setShowAll(x => !x)}
              className="text-xs text-blue-600 hover:underline"
            >
              {showAll ? 'Weniger anzeigen' : `Alle ${sortedFindings.length} anzeigen`}
            </button>
          )}
        </div>
      )}
      {output.recommendations.length > 0 && (
        <div className="space-y-2">
          <div className="text-xs font-semibold uppercase text-gray-700">
            Maßnahmen-Plan ({output.recommendations.length} konsolidiert)
          </div>
          <div className="space-y-2">
            {output.recommendations.map(r => (
              <AgentRecommendationCard key={r.recommendation_id} r={r} />
            ))}
          </div>
        </div>
      )}
    </div>
  )
 }
@@ -0,0 +1,57 @@
 'use client'
 /**
 * Speedometer + Color-Legende für eine MC-Auswertung.
 * Zeigt 5 Klassen: OK / n/a / HIGH / MEDIUM / LOW als horizontaler Balken.
 */
 import React from 'react'
 interface Props {
  total: number
  ok: number
  na: number
  high: number
  medium: number
  low: number
 }
 export function AgentSpeedometer({ total, ok, na, high, medium, low }: Props) {
  const safeTotal = Math.max(total, 1)
  return (
    <div className="space-y-1">
      <div className="text-xs text-gray-500">
        {total} Machine-Checks (MCs) durchlaufen
      </div>
      <div className="flex h-4 rounded overflow-hidden border">
        <Bar pct={(ok / safeTotal) * 100} color="#10b981" />
        <Bar pct={(na / safeTotal) * 100} color="#94a3b8" />
        <Bar pct={(high / safeTotal) * 100} color="#dc2626" />
        <Bar pct={(medium / safeTotal) * 100} color="#f59e0b" />
        <Bar pct={(low / safeTotal) * 100} color="#3b82f6" />
      </div>
      <div className="flex flex-wrap gap-3 text-xs">
        <Legend color="#10b981" label={`OK ${ok}`} title="Geprüft & erfüllt" />
        <Legend color="#94a3b8" label={`n/a ${na}`} title="Nicht anwendbar (Branche, B2C, …)" />
        <Legend color="#dc2626" label={`HIGH ${high}`} title="Pflichtangabe fehlt / hartes Risiko" />
        <Legend color="#f59e0b" label={`MEDIUM ${medium}`} title="Ergänzung empfohlen" />
        <Legend color="#3b82f6" label={`LOW ${low}`} title="Best-Practice-Hinweis" />
      </div>
    </div>
  )
 }
 function Bar({ pct, color }: { pct: number; color: string }) {
  return <div style={{ width: `${pct}%`, background: color }} />
 }
 function Legend({
  color, label, title,
 }: { color: string; label: string; title?: string }) {
  return (
    <span className="inline-flex items-center gap-1" title={title}>
      <span style={{ background: color }} className="w-2 h-2 inline-block rounded" />
      <span>{label}</span>
    </span>
  )
 }
@@ -0,0 +1,337 @@
 'use client'
 /**
 * AgentTestTab — Top-Level für den 5-URL-Test eines Specialist-Agents.
 * Sections:
 *   1. Agent-Wähler + 5 URL-Slots + Start-Button
 *   2. Methodik-Erklärung (was wir tun, warum)
 *   3. Live-Event-Log
 *   4. Pro Slot: SlotCard (siehe AgentSlotCard.tsx)
 */
 import React, { useEffect, useMemo, useRef, useState } from 'react'
 import type { AgentInfo, RunResult, SlotOutput, StreamEvent } from './_agentTypes'
 import { AgentSlotCard } from './AgentSlotCard'
 const STORAGE_KEY = 'agent-test-state-v1'
 const MAX_SLOTS = 5
 export function AgentTestTab() {
  const [agents, setAgents] = useState<AgentInfo[]>([])
  const [agentId, setAgentId] = useState<string>('')
  const [urls, setUrls] = useState<string[]>(['', '', '', '', ''])
  const [running, setRunning] = useState(false)
  const [runId, setRunId] = useState<string>('')
  const [events, setEvents] = useState<StreamEvent[]>([])
  const [result, setResult] = useState<RunResult | null>(null)
  const [error, setError] = useState<string>('')
  const eventSrcRef = useRef<EventSource | null>(null)
  // Restore state from localStorage
  useEffect(() => {
    try {
      const s = localStorage.getItem(STORAGE_KEY)
      if (s) {
        const parsed = JSON.parse(s)
        if (parsed.agentId) setAgentId(parsed.agentId)
        if (Array.isArray(parsed.urls)) {
          const padded = [...parsed.urls.slice(0, MAX_SLOTS),
            ...new Array(MAX_SLOTS).fill('')].slice(0, MAX_SLOTS)
          setUrls(padded)
        }
      }
    } catch { /* noop */ }
  }, [])
  useEffect(() => {
    try {
      localStorage.setItem(STORAGE_KEY,
        JSON.stringify({ agentId, urls }))
    } catch { /* quota */ }
  }, [agentId, urls])
  // Load agents
  useEffect(() => {
    fetch('/api/sdk/v1/specialist-agent/agents')
      .then(r => r.json())
      .then(d => {
        const list: AgentInfo[] = d.agents || []
        setAgents(list)
        if (list.length && !agentId) setAgentId(list[0].agent_id)
      })
      .catch(e => setError(`Agent-Liste fehlgeschlagen: ${e}`))
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [])
  const startTest = async () => {
    setError('')
    setResult(null)
    setEvents([])
    const cleanUrls = urls.map(u => u.trim()).filter(Boolean)
    if (!agentId) { setError('Kein Agent ausgewählt.'); return }
    if (cleanUrls.length === 0) { setError('Mind. eine URL angeben.'); return }
    setRunning(true)
    try {
      const r = await fetch('/api/sdk/v1/specialist-agent/test/start', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ agent_id: agentId, urls: cleanUrls }),
      })
      if (!r.ok) {
        const j = await r.json().catch(() => ({}))
        throw new Error(j.error || `HTTP ${r.status}`)
      }
      const data = await r.json()
      setRunId(data.run_id)
      openStream(data.run_id)
      pollResult(data.run_id)
    } catch (e: any) {
      setError(e.message || String(e))
      setRunning(false)
    }
  }
  const openStream = (rid: string) => {
    try { eventSrcRef.current?.close() } catch { /* noop */ }
    const es = new EventSource(
      `/api/sdk/v1/specialist-agent/test/stream/${rid}`,
    )
    eventSrcRef.current = es
    es.onmessage = (ev) => {
      try {
        const data: StreamEvent = JSON.parse(ev.data)
        setEvents(prev => [...prev, data])
        if (data.type === 'stream_close' || data.type === 'run_complete') {
          try { es.close() } catch { /* noop */ }
        }
      } catch { /* noop */ }
    }
    es.onerror = () => { try { es.close() } catch { /* noop */ } }
  }
  const pollResult = async (rid: string) => {
    for (let i = 0; i < 360; i++) {
      try {
        const r = await fetch(
          `/api/sdk/v1/specialist-agent/run/${rid}/result`,
        )
        if (r.ok) {
          const d: RunResult = await r.json()
          if (d.finished) {
            setResult(d); setRunning(false); return
          }
        }
      } catch { /* noop */ }
      await new Promise(s => setTimeout(s, 2000))
    }
    setRunning(false)
  }
  const slotOutputs = useMemo(() => {
    if (!result) return []
    const items: { slot: string; output: SlotOutput }[] = []
    for (const slot of Object.keys(result.results)) {
      items.push({ slot, output: result.results[slot] })
    }
    return items.sort((a, b) => a.slot.localeCompare(b.slot))
  }, [result])
  const selectedAgent = agents.find(a => a.agent_id === agentId)
  return (
    <div className="space-y-4">
      <InputCard
        agents={agents}
        agentId={agentId}
        setAgentId={setAgentId}
        selectedAgent={selectedAgent}
        urls={urls}
        setUrls={setUrls}
        running={running}
        runId={runId}
        startTest={startTest}
        error={error}
      />
      <MethodikInfo />
      {running && events.length > 0 && <EventLog events={events} />}
      {slotOutputs.length > 0 && (
        <div className="space-y-3">
          {slotOutputs.map(({ slot, output }) => (
            <AgentSlotCard
              key={slot} slot={slot} output={output} runId={runId}
            />
          ))}
        </div>
      )}
    </div>
  )
 }
 function InputCard({
  agents, agentId, setAgentId, selectedAgent, urls, setUrls,
  running, runId, startTest, error,
 }: {
  agents: AgentInfo[]
  agentId: string
  setAgentId: (s: string) => void
  selectedAgent?: AgentInfo
  urls: string[]
  setUrls: (urls: string[]) => void
  running: boolean
  runId: string
  startTest: () => void
  error: string
 }) {
  return (
    <div className="rounded-lg border bg-white p-4 space-y-3 shadow-sm">
      <h2 className="text-lg font-semibold">Agent-Test (max. {MAX_SLOTS} URLs)</h2>
      <div className="flex flex-wrap gap-3 items-end">
        <div>
          <label className="block text-xs font-medium text-gray-600">Agent</label>
          <select
            value={agentId}
            onChange={e => setAgentId(e.target.value)}
            className="border rounded px-2 py-1 text-sm"
          >
            {agents.map(a => (
              <option key={a.agent_id} value={a.agent_id}>
                {a.agent_id} v{a.agent_version} ({a.mc_count} MCs)
              </option>
            ))}
          </select>
        </div>
        {selectedAgent && (
          <div className="text-xs text-gray-500">
            Doc-Type: <code>{selectedAgent.doc_type}</code>
          </div>
        )}
      </div>
      <div className="space-y-1">
        {urls.map((u, i) => (
          <div key={i} className="flex gap-2">
            <span className="text-xs font-mono text-gray-500 w-8 pt-1.5">
              URL{i + 1}
            </span>
            <input
              value={u}
              onChange={e => {
                const next = [...urls]; next[i] = e.target.value
                setUrls(next)
              }}
              placeholder="https://example.com/impressum"
              className="flex-1 border rounded px-2 py-1 text-sm font-mono"
            />
          </div>
        ))}
      </div>
      <div className="flex gap-2">
        <button
          onClick={startTest}
          disabled={running}
          className="bg-blue-600 hover:bg-blue-700 disabled:bg-gray-400 text-white text-sm px-4 py-2 rounded"
        >
          {running ? 'Laufend...' : 'Test starten'}
        </button>
        {runId && (
          <span className="text-xs text-gray-500 self-center">
            Run-ID: <code>{runId}</code>
          </span>
        )}
      </div>
      {error && (
        <div className="bg-red-50 border-l-4 border-red-400 p-2 text-sm text-red-700">
          {error}
        </div>
      )}
    </div>
  )
 }
 function MethodikInfo() {
  return (
    <details className="rounded border bg-slate-50 px-3 py-2 text-xs text-gray-700">
      <summary className="cursor-pointer font-semibold">
        Methodik — wie geprüft wird
      </summary>
      <ol className="list-decimal ml-5 mt-2 space-y-1">
        <li>
          <strong>Pattern-Checks</strong> — deterministische Regex-Tests
          gegen Pflichtangaben-Schema (z.B. § 5 TMG/DDG). Schnell,
          reproduzierbar. <em>Hinweis:</em> diese Pattern-IDs (z.B.
          <code>IMP-MC-001</code>) sind <strong>interne Test-IDs</strong>,
          nicht die Master-Control-IDs aus der Datenbank. BreakPilot hat
          313k Atomic-Controls → 13.588 dedup. Master-Controls; davon
          ~1.778 für dieses Compliance-Agent-Tool ausgewählt. Die formale
          Verknüpfung Pattern-Check → Master-Control folgt in einem
          späteren Schritt (Sprint 1.12).
        </li>
        <li>
          <strong>Knowledge-Base</strong> — kuratierte Patterns aus
          anonymisierten Mandanten-FAQs.
        </li>
        <li>
          <strong>Auto-Learning-Pattern-Library</strong> — Labels die
          der LLM-Validator gefunden hat (z.B. „Telefonnr." statt
          „Telefon") werden persistiert. Beim nächsten Run sind sie
          deterministisch erkennbar — der LLM wird seltener gerufen.
        </li>
        <li>
          <strong>Semantic-Validator (LLM)</strong> — nur bei
          missing-Pflichtangabe: ein Aufruf des Self-Hosted-LLM
          (<code>qwen3.5:35b-a3b</code> auf macmini) prüft ob die
          Angabe doch da ist, nur unter abweichendem Label. Bei
          Treffer wird HIGH→LOW demoted und „Umbenennen zu Standard"
          empfohlen.
        </li>
        <li>
          <strong>LLM-Eskalation (Fallback)</strong> — wenn der
          Validator unsicher bleibt: OVH 120b, dann anonymisierter
          Claude-Cloud-Call. Aktuell deaktiviert (OVH-Key leer).
        </li>
        <li>
          <strong>Cross-Placement-Agent</strong> — erkennt deplatzierten
          Content (Copyright, Disclaimer, WEEE im Impressum) +
          empfiehlt Footer-Reiter „Legal".
        </li>
      </ol>
      <p className="mt-2 italic text-gray-500">
        Disclaimer: keine Aussagen wie „rechtssicher" oder „konform" —
        nur Findings + Empfehlungen + Herleitung. Verbotene Begriffe
        werden vom Linter aus Agent-Outputs entfernt.
      </p>
    </details>
  )
 }
 function EventLog({ events }: { events: StreamEvent[] }) {
  return (
    <div className="rounded border bg-gray-50 p-3 max-h-48 overflow-y-auto">
      <div className="text-xs font-mono space-y-0.5">
        {events.slice(-30).map((ev, i) => (
          <div key={i}>
            <span className="text-gray-400">[{ev.type}]</span>{' '}
            {ev.slot && <span className="text-blue-600">{ev.slot}</span>}{' '}
            {ev.severity && (
              <span className={severityColor(ev.severity)}>{ev.severity}</span>
            )}{' '}
            {ev.title || ev.error || ev.label || ev.model || ev.url || ''}
            {ev.word_count !== undefined && (
              <span className="text-gray-500">
                {' '}({ev.word_count} Wörter)
              </span>
            )}
          </div>
        ))}
      </div>
    </div>
  )
 }
 function severityColor(sev: string) {
  return sev === 'HIGH' ? 'text-red-600 font-semibold' :
         sev === 'MEDIUM' ? 'text-amber-600 font-semibold' :
         sev === 'LOW' ? 'text-blue-600' : 'text-gray-600'
 }
@@ -4,74 +4,20 @@ import React, { useState, useCallback } from 'react'
 import { ChecklistView } from './ChecklistView'
 import { DocumentRow } from './DocumentRow'
 import { MigrationPanel } from './MigrationPanel'
 import { PreScanWizard, useScanContext, isContextComplete } from './PreScanWizard'
 import { DOCUMENT_TYPES, type DocTypeId } from './_document_types'
 import {
  STORAGE_KEY_STATE, STORAGE_KEY_RESULTS, STORAGE_KEY_HISTORY,
  STORAGE_KEY_CHECK_ID, countWords, initState,
  type DocState, type DocsState, type HistoryEntry,
 } from './_compliance_storage'
 import { useCompanyOrigin } from './_useCompanyOrigin'
 const DOCUMENT_TYPES = [
  { id: 'dse', label: 'DSI (Datenschutzinformation)', required: true },
  { id: 'impressum', label: 'Impressum', required: true },
  { id: 'social_media', label: 'Social Media DSE', required: false },
  { id: 'cookie', label: 'Cookie-Richtlinie', required: false },
  { id: 'agb', label: 'AGB', required: false },
  { id: 'nutzungsbedingungen', label: 'Nutzungsbedingungen', required: false },
  { id: 'widerruf', label: 'Widerrufsbelehrung', required: false },
  { id: 'dsb', label: 'DSB-Kontakt', required: false },
 ] as const
 type DocTypeId = typeof DOCUMENT_TYPES[number]['id']
 interface DocState {
  url: string
  text: string
  loading: boolean
  error: string | null
 }
 type DocsState = Record<DocTypeId, DocState>
 const STORAGE_KEY_STATE = 'compliance-check-state'
 const STORAGE_KEY_RESULTS = 'compliance-check-results'
 const STORAGE_KEY_HISTORY = 'compliance-check-history'
 const STORAGE_KEY_CHECK_ID = 'compliance-check-active-id'
 function emptyDocState(): DocState {
  return { url: '', text: '', loading: false, error: null }
 }
 function initState(): DocsState {
  if (typeof window === 'undefined') {
    return Object.fromEntries(DOCUMENT_TYPES.map(d => [d.id, emptyDocState()])) as DocsState
  }
  try {
    const saved = localStorage.getItem(STORAGE_KEY_STATE)
    if (saved) {
      const parsed = JSON.parse(saved) as Record<string, { url?: string; text?: string }>
      return Object.fromEntries(
        DOCUMENT_TYPES.map(d => [d.id, {
          url: parsed[d.id]?.url || '',
          text: parsed[d.id]?.text || '',
          loading: false,
          error: null,
        }])
      ) as DocsState
    }
  } catch { /* ignore */ }
  return Object.fromEntries(DOCUMENT_TYPES.map(d => [d.id, emptyDocState()])) as DocsState
 }
 function countWords(text: string): number {
  if (!text.trim()) return 0
  return text.trim().split(/\s+/).length
 }
 interface HistoryEntry {
  date: string
  docCount: number
  findings: number
  resultKey: string
  checkId?: string
 }
 export function ComplianceCheckTab() {
  const [docs, setDocs] = useState<DocsState>(initState)
  const { companyName, setCompanyName, originDomain, setOriginDomain } = useCompanyOrigin()
  const [scanContext, setScanContext] = useScanContext()
  const [useAgent, setUseAgent] = useState(false)
  const [tdmOverride, setTdmOverride] = useState(false)
  const [tdmOverrideReason, setTdmOverrideReason] = useState('')
@@ -201,6 +147,10 @@ export function ComplianceCheckTab() {
          use_agent: useAgent,
          tdm_override: tdmOverride && tdmOverrideReason.trim().length >= 10,
          tdm_override_reason: tdmOverrideReason.trim(),
          company_name: companyName.trim() || undefined,
          origin_domain: originDomain.trim() || undefined,
          // P79 — Pre-Scan-Wizard 8 Pflichtfelder; treibt MC-Scope-Filter (P72)
          scan_context: scanContext,
        }),
      })
      if (!startRes.ok) throw new Error(`Pruefung konnte nicht gestartet werden: ${startRes.status}`)
@@ -270,6 +220,8 @@ export function ComplianceCheckTab() {
    } catch { /* ignore */ }
  }
  const contextReady = isContextComplete(scanContext)
  return (
    <div className="space-y-4">
      {/* Info box */}
@@ -282,6 +234,33 @@ export function ComplianceCheckTab() {
        </p>
      </div>
      {/* Firma + Domain (priorisiert vor extracted_profile-LLM-Inferenz) */}
      <div className="bg-white border border-slate-200 rounded-lg p-4 grid grid-cols-1 md:grid-cols-2 gap-3">
        <label className="block">
          <span className="block text-xs font-medium text-slate-700 mb-1">Firma</span>
          <input
            type="text"
            value={companyName}
            onChange={e => setCompanyName(e.target.value)}
            placeholder="z.B. Tesla Germany GmbH"
            className="w-full text-sm border border-slate-300 rounded px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
          />
        </label>
        <label className="block">
          <span className="block text-xs font-medium text-slate-700 mb-1">Domain (Site-Origin)</span>
          <input
            type="url"
            value={originDomain}
            onChange={e => setOriginDomain(e.target.value)}
            placeholder="z.B. https://www.tesla.com/de_de"
            className="w-full text-sm border border-slate-300 rounded px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
          />
        </label>
      </div>
      {/* P79 Pre-Scan-Wizard — 8 Pflichtfelder zum MC-Scope-Filter (P72) */}
      <PreScanWizard value={scanContext} onChange={setScanContext} />
      {/* Document rows */}
      <div className="space-y-2">
        {DOCUMENT_TYPES.map(dt => (
@@ -328,10 +307,11 @@ export function ComplianceCheckTab() {
        {tdmOverride && <input type="text" value={tdmOverrideReason} onChange={e => setTdmOverrideReason(e.target.value)} placeholder="z.B. Auftragsbeziehung Safetykon GmbH, Email Hr. X vom 18.05.2026" className="w-full px-3 py-2 text-xs border border-amber-300 rounded bg-white" />}
        {tdmOverride && tdmOverrideReason.trim().length < 10 && <p className="text-[10px] text-amber-700">Pflicht: Reason mit min. 10 Zeichen (Audit-Spur).</p>}
      </div>
-      {/* Submit button */}
+      {/* Submit button — Wizard muss vollstaendig sein (P79) */}
      <button
        onClick={handleSubmit}
-        disabled={loading || filledCount === 0 || (tdmOverride && tdmOverrideReason.trim().length < 10)}
+        disabled={loading || filledCount === 0 || !contextReady || (tdmOverride && tdmOverrideReason.trim().length < 10)}
        title={!contextReady ? 'Pre-Scan-Wizard zuerst vollstaendig ausfuellen' : ''}
        className="w-full px-4 py-3 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 disabled:opacity-50 transition-colors text-sm flex items-center justify-center gap-2"
      >
        {loading ? (
@@ -342,6 +322,8 @@ export function ComplianceCheckTab() {
            </svg>
            Pruefe...
          </>
        ) : !contextReady ? (
          'Pre-Scan-Wizard vollstaendig ausfuellen (oben)'
        ) : (
          `Compliance-Check starten (${filledCount} Dokument${filledCount !== 1 ? 'e' : ''})`
        )}
@@ -2,6 +2,7 @@
 import React, { useState } from 'react'
 import { ChecklistView } from './ChecklistView'
 import { ResultsTabsView } from './ResultsTabsView'
 import { PreScanWizard, useScanContext, isContextComplete } from './PreScanWizard'
 import { safeSetItem } from './storageHelpers'
@@ -312,41 +313,9 @@ export function DocCheckTab() {
        <div className="bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">{error}</div>
      )}
-      {/* Results */}
+      {/* Results — als Tab-Ansicht (Übersicht/Cookies/DSE/Impressum/AGB/Banner/Mail) */}
      {results && results.results && (
-        <div className="bg-white border border-gray-200 rounded-xl p-6 shadow-sm">
+        <ResultsTabsView results={results} />
          <ChecklistView results={results.results} />
          {/* Cookie Banner Result */}
          {results.cookie_banner_result && (
            <div className="mt-4 pt-4 border-t border-gray-200">
              <h4 className="text-sm font-semibold text-gray-800 mb-2">Cookie-Banner</h4>
              <div className="text-sm text-gray-600">
                {results.cookie_banner_result.banner_detected
                  ? `Banner erkannt: ${results.cookie_banner_result.banner_provider || 'unbekannt'}`
                  : 'Kein Banner erkannt'}
              </div>
              {results.cookie_banner_result.banner_checks?.violations?.length > 0 && (
                <div className="mt-2 space-y-1">
                  {results.cookie_banner_result.banner_checks.violations.map((v: any, i: number) => (
                    <div key={i} className="text-xs text-red-600 flex items-start gap-1.5">
                      <span className="shrink-0 mt-0.5">!!</span>
                      <span>{v.text}</span>
                    </div>
                  ))}
                </div>
              )}
            </div>
          )}
          {/* Email Status */}
          {results.email_status && (
            <div className="mt-3 text-xs text-gray-500 flex items-center gap-2">
              <span className={`w-2 h-2 rounded-full ${results.email_status === 'sent' ? 'bg-green-400' : 'bg-gray-300'}`} />
              E-Mail: {results.email_status === 'sent' ? 'Gesendet' : results.email_status}
            </div>
          )}
        </div>
      )}
      {/* History */}
@@ -0,0 +1,353 @@
 'use client'
 /**
 * ResultsTabsView — strukturierte Tab-Ansicht der Audit-Ergebnisse.
 *
 * Statt einer langen Scroll-Seite gibt es:
 *   1. Übersicht (Score + GF-Kurzfassung)
 *   2. Cookies (3-Quellen-Compliance-Vergleich + Vendor-/Cookie-Listen)
 *   3. Datenschutzerklärung
 *   4. Impressum
 *   5. AGB / Widerruf
 *   6. Banner (Cookie-Banner-Checks)
 *   7. Vollständige Mail (HTML-Preview)
 *
 * Tab-Headers sticky oben, Content scrollbar unten.
 */
 import React, { useState, useMemo } from 'react'
 import { ChecklistView } from './ChecklistView'
 interface ResultsTabsViewProps {
  results: any
 }
 type TabId = 'overview' | 'cookies' | 'dse' | 'impressum' | 'agb' | 'banner' | 'mail'
 const TABS: { id: TabId; label: string; icon: string }[] = [
  { id: 'overview',  label: 'Übersicht',          icon: '◉' },
  { id: 'cookies',   label: 'Cookies & VVT',      icon: '🍪' },
  { id: 'dse',       label: 'Datenschutzerkl.',   icon: '📄' },
  { id: 'impressum', label: 'Impressum',          icon: '🏢' },
  { id: 'agb',       label: 'AGB / Widerruf',     icon: '⚖️' },
  { id: 'banner',    label: 'Cookie-Banner',      icon: '🎛' },
  { id: 'mail',      label: 'Mail-Vorschau',      icon: '✉️' },
 ]
 export function ResultsTabsView({ results }: ResultsTabsViewProps) {
  const [active, setActive] = useState<TabId>('overview')
  const r = results || {}
  const docs: any[] = r.results || []
  const banner = r.banner_result || r.cookie_banner_result || {}
  const cmpVendors: any[] = r.cmp_vendors || []
  const cookieAudit = r.cookie_audit || {}
  const docsByType = useMemo(() => {
    const m: Record<string, any> = {}
    for (const d of docs) {
      const t = (d.doc_type || '').toLowerCase()
      if (!m[t]) m[t] = d
    }
    return m
  }, [docs])
  return (
    <div className="border border-gray-200 rounded-lg overflow-hidden bg-white">
      {/* Sticky Tab-Header */}
      <div className="flex border-b border-gray-200 bg-gray-50 overflow-x-auto sticky top-0 z-10">
        {TABS.map(t => (
          <button
            key={t.id}
            onClick={() => setActive(t.id)}
            className={`px-4 py-3 text-sm font-medium whitespace-nowrap border-b-2 transition-colors ${
              active === t.id
                ? 'border-purple-600 text-purple-700 bg-white'
                : 'border-transparent text-gray-600 hover:bg-gray-100'
            }`}
          >
            <span className="mr-1.5">{t.icon}</span>
            {t.label}
          </button>
        ))}
      </div>
      {/* Tab-Content */}
      <div className="p-4 min-h-[400px]">
        {active === 'overview' && <OverviewTab results={r} />}
        {active === 'cookies' && (
          <CookiesTab
            audit={cookieAudit}
            vendors={cmpVendors}
            banner={banner}
          />
        )}
        {active === 'dse'       && <DocTab doc={docsByType['dse']} label="Datenschutzerklärung" />}
        {active === 'impressum' && <DocTab doc={docsByType['impressum']} label="Impressum" />}
        {active === 'agb'       && <AgbWiderrufTab docs={docsByType} />}
        {active === 'banner'    && <BannerTab banner={banner} />}
        {active === 'mail'      && <MailPreviewTab results={r} />}
      </div>
    </div>
  )
 }
 // ── Übersicht ──────────────────────────────────────────────────────────
 function OverviewTab({ results }: { results: any }) {
  const totalDocs = results.total_documents || (results.results?.length ?? 0)
  const totalFindings = results.total_findings ?? 0
  const banner = results.banner_result || results.cookie_banner_result || {}
  const score = banner.compliance_score ?? banner.completeness_pct ?? null
  const emailStatus = results.email_status
  return (
    <div className="space-y-4">
      <div className="grid grid-cols-2 md:grid-cols-4 gap-3">
        <Kpi label="Geprüfte Dokumente" value={totalDocs} />
        <Kpi label="Findings gesamt" value={totalFindings} tone={totalFindings > 5 ? 'warn' : 'ok'} />
        <Kpi label="Vendors erkannt" value={results.cmp_vendors?.length || 0} />
        <Kpi label="Score" value={score !== null ? `${score}%` : '—'}
             tone={score === null ? 'neutral' : score >= 80 ? 'ok' : score >= 60 ? 'warn' : 'bad'} />
      </div>
      {emailStatus && (
        <div className={`text-sm px-3 py-2 rounded ${
          emailStatus === 'sent' ? 'bg-green-50 text-green-800' : 'bg-gray-100 text-gray-700'
        }`}>
          E-Mail: {emailStatus === 'sent' ? '✓ Gesendet an Empfänger' : emailStatus}
        </div>
      )}
      <div className="bg-blue-50 border border-blue-200 rounded p-3 text-xs text-blue-900">
        <strong>Wo welcher Inhalt steckt:</strong> in den Tabs oben findest du die
        Detail-Auswertung pro Doc-Typ. Im Cookie-Tab steht der 3-Quellen-Compliance-
        Vergleich (deklariert vs Browser vs Library) — das ist der wichtigste
        rechtliche Knackpunkt. Banner-Tab zeigt die echten Browser-Phasen-Checks.
      </div>
    </div>
  )
 }
 function Kpi({ label, value, tone = 'neutral' }: { label: string; value: any; tone?: string }) {
  const colors: Record<string, string> = {
    ok: 'text-green-700 bg-green-50 border-green-200',
    warn: 'text-amber-700 bg-amber-50 border-amber-200',
    bad: 'text-red-700 bg-red-50 border-red-200',
    neutral: 'text-gray-700 bg-gray-50 border-gray-200',
  }
  return (
    <div className={`border rounded p-3 ${colors[tone]}`}>
      <div className="text-[10px] uppercase tracking-wider opacity-70">{label}</div>
      <div className="text-2xl font-bold mt-1">{value}</div>
    </div>
  )
 }
 // ── Cookies & VVT ──────────────────────────────────────────────────────
 function CookiesTab({ audit, vendors, banner }: { audit: any; vendors: any[]; banner: any }) {
  const declared = audit?.declared_count ?? 0
  const browser  = audit?.browser_count ?? 0
  const both     = (audit?.compliant ?? []).length
  const undecl   = (audit?.undeclared_in_browser ?? []).length
  const decOnly  = (audit?.declared_not_loaded ?? []).length
  return (
    <div className="space-y-4">
      {/* Top-Bar mit Counts */}
      <div className="grid grid-cols-3 md:grid-cols-5 gap-2">
        <Kpi label="Deklariert" value={declared} />
        <Kpi label="Im Browser" value={browser} />
        <Kpi label="Compliant" value={both} tone="ok" />
        <Kpi label="Undokumentiert" value={undecl} tone={undecl > 0 ? 'bad' : 'ok'} />
        <Kpi label="Nicht geladen" value={decOnly} tone={decOnly > 0 ? 'warn' : 'neutral'} />
      </div>
      {/* 3-Spalten-Vergleichstabelle */}
      <div className="grid grid-cols-1 md:grid-cols-3 gap-3">
        <CookieColumn
          title={`❌ Undokumentiert (${undecl})`}
          tone="bad"
          subtitle="Geladen ABER nicht in der Richtlinie — Art. 13(1)(c) DSGVO Verstoß"
          cookies={audit?.undeclared_in_browser ?? []}
        />
        <CookieColumn
          title={`✓ Compliant (${both})`}
          tone="ok"
          subtitle="Beide Quellen stimmen überein"
          cookies={audit?.compliant ?? []}
        />
        <CookieColumn
          title={`⚠️ Nicht geladen (${decOnly})`}
          tone="warn"
          subtitle="In Richtlinie deklariert, aber bei diesem Lauf nicht im Browser"
          cookies={audit?.declared_not_loaded ?? []}
        />
      </div>
      {/* Vendor-Liste (deduped) */}
      <div>
        <h3 className="text-sm font-semibold mb-2 text-gray-800">
          Vendor-Liste ({vendors.length} unique nach Deduplizierung)
        </h3>
        <div className="overflow-x-auto border border-gray-200 rounded">
          <table className="w-full text-xs">
            <thead className="bg-gray-50">
              <tr>
                <th className="text-left px-3 py-2">Vendor</th>
                <th className="text-left px-3 py-2">Kategorie</th>
                <th className="text-left px-3 py-2">Quelle</th>
                <th className="text-right px-3 py-2">Cookies</th>
              </tr>
            </thead>
            <tbody>
              {vendors.map((v, i) => (
                <tr key={i} className="border-t border-gray-100 hover:bg-gray-50">
                  <td className="px-3 py-2 font-medium">{v.name}</td>
                  <td className="px-3 py-2 text-gray-600">{v.category || '—'}</td>
                  <td className="px-3 py-2 text-gray-500 font-mono text-[10px]">
                    {v.source || '—'}
                  </td>
                  <td className="px-3 py-2 text-right">{(v.cookies || []).length}</td>
                </tr>
              ))}
            </tbody>
          </table>
        </div>
      </div>
    </div>
  )
 }
 function CookieColumn({ title, tone, subtitle, cookies }: {
  title: string; tone: string; subtitle: string; cookies: string[]
 }) {
  const colors: Record<string, string> = {
    bad: 'bg-red-50 border-red-200 text-red-900',
    ok: 'bg-green-50 border-green-200 text-green-900',
    warn: 'bg-amber-50 border-amber-200 text-amber-900',
  }
  return (
    <div className={`border rounded p-3 ${colors[tone]}`}>
      <div className="text-xs font-semibold mb-1">{title}</div>
      <div className="text-[10px] opacity-80 mb-2">{subtitle}</div>
      <div className="font-mono text-[10px] max-h-56 overflow-auto">
        {cookies.length === 0 && <span className="opacity-60">— keine —</span>}
        {cookies.map((c, i) => (
          <div key={i} className="py-0.5">{c}</div>
        ))}
      </div>
    </div>
  )
 }
 // ── Generic Doc-Tab ────────────────────────────────────────────────────
 function DocTab({ doc, label }: { doc: any; label: string }) {
  if (!doc) return <Empty label={label} />
  const checks = doc.checks || []
  const failed = checks.filter((c: any) => !c.passed && !c.skipped)
  const passed = checks.filter((c: any) => c.passed)
  return (
    <div className="space-y-3">
      <div className="flex items-center justify-between">
        <h3 className="text-sm font-semibold">{label}</h3>
        <div className="text-xs text-gray-600">
          {doc.word_count?.toLocaleString('de-DE') || 0} Wörter ·{' '}
          <span className="text-red-600">{failed.length} Findings</span> ·{' '}
          <span className="text-green-600">{passed.length} OK</span>
        </div>
      </div>
      {doc.url && (
        <a href={doc.url} target="_blank" rel="noreferrer"
           className="text-xs text-blue-600 hover:underline break-all">
          {doc.url}
        </a>
      )}
      <ChecklistView results={[doc]} />
    </div>
  )
 }
 function AgbWiderrufTab({ docs }: { docs: Record<string, any> }) {
  const agb = docs['agb'] || docs['nutzungsbedingungen']
  const wid = docs['widerruf']
  return (
    <div className="space-y-6">
      <div>
        <h3 className="text-sm font-semibold mb-2">AGB / Nutzungsbedingungen</h3>
        {agb ? <ChecklistView results={[agb]} /> : <Empty label="AGB" inline />}
      </div>
      <div>
        <h3 className="text-sm font-semibold mb-2">Widerrufsbelehrung</h3>
        {wid ? <ChecklistView results={[wid]} /> : <Empty label="Widerruf" inline />}
      </div>
    </div>
  )
 }
 function BannerTab({ banner }: { banner: any }) {
  if (!banner || Object.keys(banner).length === 0) return <Empty label="Cookie-Banner" />
  const phases = banner.phases || {}
  const violations = banner.banner_checks?.violations || []
  return (
    <div className="space-y-3">
      <div className="text-xs text-gray-700">
        Banner erkannt: <strong>{banner.banner_detected ? 'Ja' : 'Nein'}</strong> ·{' '}
        Provider: <strong>{banner.banner_provider || '—'}</strong> ·{' '}
        Verstöße: <strong>{violations.length}</strong>
      </div>
      {violations.length > 0 && (
        <div className="border border-red-200 bg-red-50 rounded p-3">
          <div className="text-xs font-semibold text-red-800 mb-2">Verstöße</div>
          <ul className="text-xs text-red-900 space-y-1">
            {violations.map((v: any, i: number) => (
              <li key={i}>• {v.label || v.message || JSON.stringify(v)}</li>
            ))}
          </ul>
        </div>
      )}
      <div className="grid grid-cols-3 gap-2">
        {Object.entries(phases).map(([name, ph]: [string, any]) => (
          <div key={name} className="border border-gray-200 rounded p-2">
            <div className="text-[10px] uppercase text-gray-500">{name}</div>
            <div className="text-xs mt-1">
              Cookies: <strong>{ph.cookies?.length || 0}</strong>
            </div>
            <div className="text-xs">
              Vendors: <strong>{ph.vendors?.length || 0}</strong>
            </div>
          </div>
        ))}
      </div>
    </div>
  )
 }
 function MailPreviewTab({ results }: { results: any }) {
  return (
    <div className="text-xs text-gray-600 space-y-2">
      <p>
        Die vollständige Mail wurde {results.email_status === 'sent' ? 'gesendet' : 'erstellt'}.
        Snapshot-ID:{' '}
        <code className="bg-gray-100 px-1.5 py-0.5 rounded">{results.check_id || '—'}</code>
      </p>
      {results.check_id && (
        <a
          href={`/api/compliance/agent/snapshots/${results.check_id}/pdf`}
          target="_blank" rel="noreferrer"
          className="inline-block text-purple-600 hover:underline"
        >
          → PDF der Mail herunterladen
        </a>
      )}
    </div>
  )
 }
 function Empty({ label, inline }: { label: string; inline?: boolean }) {
  return (
    <div className={`text-xs text-gray-500 ${inline ? '' : 'py-8 text-center'}`}>
      Keine Daten für „{label}" in diesem Lauf.
    </div>
  )
 }
@@ -0,0 +1,153 @@
 // Shared types for the agent-test UI.
 //
 // SourceType-Mapping zur Methodik-Anzeige:
 //   mc / regex          → "Machine-Check (deterministisch)"
 //   kb_faq              → "Knowledge-Base (kuratiert)"
 //   llm_local           → "Lokales LLM (qwen2.5:7b)"
 //   llm_local_big       → "Externes LLM (OVH 120b)"
 //   llm_cloud           → "Cloud-LLM (Claude, anonymisiert)"
 //   cross               → "Cross-Doc-Vergleich"
 export type Severity = 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO'
 export type SourceType =
  | 'mc'
  | 'regex'
  | 'kb_faq'
  | 'llm_local'
  | 'llm_local_big'
  | 'llm_cloud'
  | 'cross'
 export interface EvidenceSource {
  source_type: SourceType
  source_id: string
  detail?: string
  confidence?: number
 }
 export interface Finding {
  check_id: string
  agent: string
  agent_version: string
  field_id?: string
  severity: Severity
  severity_reason?: string
  title: string
  norm?: string
  evidence?: string
  action?: string
  confidence?: number
  sources?: EvidenceSource[]
 }
 export interface Recommendation {
  recommendation_id: string
  title: string
  body: string
  severity: Severity
  related_finding_ids: string[]
  estimated_effort_hours: number
 }
 export interface McCoverage {
  mc_id: string
  status: 'ok' | 'na' | 'high' | 'medium' | 'low' | 'skipped'
  reason?: string
 }
 export interface EscalationLog {
  stage: SourceType
  model: string
  duration_ms: number
  tokens_in?: number
  tokens_out?: number
  success: boolean
  error?: string
 }
 export interface SlotOutput {
  agent: string
  agent_version: string
  findings: Finding[]
  recommendations: Recommendation[]
  mc_coverage: McCoverage[]
  escalation_log: EscalationLog[]
  mc_total: number
  mc_ok: number
  mc_na: number
  mc_high: number
  mc_medium: number
  mc_low: number
  duration_ms: number
  confidence: number
  notes?: string
 }
 export interface AgentInfo {
  agent_id: string
  agent_version: string
  doc_type: string
  mc_count: number
 }
 export interface RunResult {
  run_id: string
  agent_id: string
  finished: boolean
  results: Record<string, SlotOutput>
  vault_url: string
 }
 export interface StreamEvent {
  type: string
  slot?: string
  [key: string]: any
 }
 // ── Methodik-Labels für die Source-Type-Badge ───────────────────────
 export const METHODIK_LABEL: Record<SourceType, string> = {
  mc: 'Machine-Check (deterministisch)',
  regex: 'Pattern-Match (deterministisch)',
  kb_faq: 'Knowledge-Base (kuratiert)',
  llm_local: 'Lokales LLM (qwen2.5:7b)',
  llm_local_big: 'Externes LLM (OVH 120b)',
  llm_cloud: 'Cloud-LLM (anonymisiert)',
  cross: 'Cross-Doc-Vergleich',
 }
 export const METHODIK_SHORT: Record<SourceType, string> = {
  mc: 'MC',
  regex: 'Regex',
  kb_faq: 'KB',
  llm_local: 'LLM',
  llm_local_big: 'LLM⁺',
  llm_cloud: 'Claude',
  cross: 'Cross',
 }
 // Background/foreground colors für die Methodik-Badge.
 export const METHODIK_COLOR: Record<SourceType, { bg: string; fg: string }> = {
  mc:            { bg: '#e0e7ff', fg: '#3730a3' },
  regex:         { bg: '#e0e7ff', fg: '#3730a3' },
  kb_faq:        { bg: '#fef3c7', fg: '#92400e' },
  llm_local:     { bg: '#dcfce7', fg: '#166534' },
  llm_local_big: { bg: '#bbf7d0', fg: '#14532d' },
  llm_cloud:     { bg: '#fce7f3', fg: '#9d174d' },
  cross:         { bg: '#fed7aa', fg: '#9a3412' },
 }
 export const SEVERITY_COLOR: Record<Severity, string> = {
  HIGH: '#dc2626',
  MEDIUM: '#f59e0b',
  LOW: '#3b82f6',
  INFO: '#64748b',
 }
 export const SEVERITY_BG: Record<Severity, string> = {
  HIGH: '#fef2f2',
  MEDIUM: '#fffbeb',
  LOW: '#eff6ff',
  INFO: '#f8fafc',
 }
@@ -0,0 +1,86 @@
 /**
 * Storage-Helfer für ComplianceCheckTab.
 *
 * Extrahiert aus ComplianceCheckTab.tsx (P11-Tech-Debt-Sprint) damit
 * die zentrale UI unter der 500-LOC-Hard-Cap bleibt.
 */
 import { DOCUMENT_TYPES, type DocTypeId } from './_document_types'
 export const STORAGE_KEY_STATE = 'compliance-check-state'
 export const STORAGE_KEY_RESULTS = 'compliance-check-results'
 export const STORAGE_KEY_HISTORY = 'compliance-check-history'
 export const STORAGE_KEY_CHECK_ID = 'compliance-check-active-id'
 export interface DocState {
  url: string
  text: string
  loading: boolean
  error: string | null
 }
 export type DocsState = Record<DocTypeId, DocState>
 export interface HistoryEntry {
  date: string
  docCount: number
  findings: number
  resultKey: string
  checkId?: string
 }
 export function emptyDocState(): DocState {
  return { url: '', text: '', loading: false, error: null }
 }
 export function initState(): DocsState {
  if (typeof window === 'undefined') {
    return Object.fromEntries(
      DOCUMENT_TYPES.map(d => [d.id, emptyDocState()]),
    ) as DocsState
  }
  try {
    const saved = localStorage.getItem(STORAGE_KEY_STATE)
    if (saved) {
      const parsed = JSON.parse(saved) as Record<
        string, { url?: string; text?: string }
      >
      return Object.fromEntries(
        DOCUMENT_TYPES.map(d => [d.id, {
          url: parsed[d.id]?.url || '',
          text: parsed[d.id]?.text || '',
          loading: false,
          error: null,
        }]),
      ) as DocsState
    }
  } catch { /* ignore */ }
  return Object.fromEntries(
    DOCUMENT_TYPES.map(d => [d.id, emptyDocState()]),
  ) as DocsState
 }
 export function readResultsFromStorage(): unknown | null {
  if (typeof window === 'undefined') return null
  try {
    const s = localStorage.getItem(STORAGE_KEY_RESULTS)
    return s ? JSON.parse(s) : null
  } catch { return null }
 }
 export function readHistoryFromStorage(): HistoryEntry[] {
  if (typeof window === 'undefined') return []
  try {
    return JSON.parse(localStorage.getItem(STORAGE_KEY_HISTORY) || '[]')
  } catch { return [] }
 }
 export function readActiveCheckId(): string {
  if (typeof window === 'undefined') return ''
  return localStorage.getItem(STORAGE_KEY_CHECK_ID) || ''
 }
 export function countWords(text: string): number {
  if (!text.trim()) return 0
  return text.trim().split(/\s+/).length
 }
@@ -0,0 +1,21 @@
 /**
 * DOCUMENT_TYPES — canonical compliance-doc taxonomy for the
 * /sdk/agent ComplianceCheckTab form.
 *
 * Each entry maps to a doc_type that the backend Phase-A discovery /
 * Phase-B per-doc-check pipeline recognises.
 */
 export const DOCUMENT_TYPES = [
  { id: 'dse', label: 'DSI (Datenschutzinformation)', required: true },
  { id: 'impressum', label: 'Impressum', required: true },
  { id: 'social_media', label: 'Social Media DSE', required: false },
  { id: 'cookie', label: 'Cookie-Richtlinie', required: false },
  { id: 'agb', label: 'AGB', required: false },
  { id: 'nutzungsbedingungen', label: 'Nutzungsbedingungen', required: false },
  { id: 'widerruf', label: 'Widerrufsbelehrung', required: false },
  { id: 'dsb', label: 'DSB-Kontakt', required: false },
  { id: 'news', label: 'Blog/Newsroom (für § 18 MStV)', required: false },
 ] as const
 export type DocTypeId = typeof DOCUMENT_TYPES[number]['id']
@@ -0,0 +1,40 @@
 /**
 * Custom hook: persistente Firmenname + Origin-Domain für die
 * ComplianceCheckTab-Form. Priorisierte Werte vor der LLM-basierten
 * extracted_profile-Inferenz.
 */
 import { useEffect, useState } from 'react'
 const STORAGE_KEY_COMPANY = 'compliance-check-company-name'
 const STORAGE_KEY_DOMAIN = 'compliance-check-origin-domain'
 function readInitial(key: string): string {
  if (typeof window === 'undefined') return ''
  return localStorage.getItem(key) || ''
 }
 export function useCompanyOrigin() {
  const [companyName, setCompanyName] = useState<string>(
    () => readInitial(STORAGE_KEY_COMPANY),
  )
  const [originDomain, setOriginDomain] = useState<string>(
    () => readInitial(STORAGE_KEY_DOMAIN),
  )
  useEffect(() => {
    try {
      localStorage.setItem(STORAGE_KEY_COMPANY, companyName)
    } catch { /* quota */ }
  }, [companyName])
  useEffect(() => {
    try {
      localStorage.setItem(STORAGE_KEY_DOMAIN, originDomain)
    } catch { /* quota */ }
  }, [originDomain])
  return { companyName, setCompanyName, originDomain, setOriginDomain }
 }
@@ -0,0 +1,83 @@
 /**
 * Custom hook: resume-polling für eine laufende Compliance-Check-Pruefung.
 *
 * Beim Mount: wenn localStorage eine `STORAGE_KEY_CHECK_ID` enthaelt aber
 * noch kein Result da ist, pollt der Hook alle 3s den Status. Setzt
 * Result, Progress, Error oder cleared den active-check-id beim
 * Abschluss.
 */
 import { useEffect } from 'react'
 import {
  STORAGE_KEY_CHECK_ID, STORAGE_KEY_RESULTS,
 } from './_compliance_storage'
 interface ResumePollingArgs {
  activeCheckId: string
  results: unknown | null
  setLoading: (b: boolean) => void
  setProgress: (s: string) => void
  setProgressPct: (n: number) => void
  setResults: (r: unknown) => void
  setActiveCheckId: (s: string) => void
  setError: (s: string | null) => void
 }
 export function useCompliancePollingResume({
  activeCheckId, results, setLoading, setProgress, setProgressPct,
  setResults, setActiveCheckId, setError,
 }: ResumePollingArgs) {
  useEffect(() => {
    if (!activeCheckId || results) return
    let cancelled = false
    setLoading(true)
    setProgress('Pruefung laeuft noch...')
    const poll = async () => {
      while (!cancelled) {
        await new Promise(r => setTimeout(r, 3000))
        try {
          const res = await fetch(
            `/api/sdk/v1/agent/compliance-check?check_id=${activeCheckId}`,
          )
          if (!res.ok) continue
          const data = await res.json()
          if (data.progress) setProgress(data.progress)
          if (typeof data.progress_pct === 'number') {
            setProgressPct(data.progress_pct)
          }
          if (data.status === 'completed' && data.result) {
            setResults(data.result)
            setProgress('')
            setProgressPct(0)
            setLoading(false)
            localStorage.setItem(
              STORAGE_KEY_RESULTS, JSON.stringify(data.result),
            )
            localStorage.removeItem(STORAGE_KEY_CHECK_ID)
            setActiveCheckId('')
            return
          }
          if (['failed', 'not_found', 'skipped_tdm'].includes(data.status)) {
            if (data.status !== 'not_found') {
              setError(
                data.error
                || (data.status === 'skipped_tdm'
                    ? 'TDM-Vorbehalt erkannt — Crawl uebersprungen'
                    : 'Pruefung fehlgeschlagen'),
              )
            }
            setProgress('')
            setProgressPct(0)
            setLoading(false)
            localStorage.removeItem(STORAGE_KEY_CHECK_ID)
            setActiveCheckId('')
            return
          }
        } catch { /* retry */ }
      }
    }
    poll()
    return () => { cancelled = true }
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [])
 }
@@ -5,13 +5,15 @@ import { ScanResult } from './_components/ScanResult'
 import { ComplianceCheckTab } from './_components/ComplianceCheckTab'
 import { BannerCheckTab } from './_components/BannerCheckTab'
 import { ComplianceFAQ } from './_components/ComplianceFAQ'
 import { AgentTestTab } from './_components/AgentTestTab'
-type AnalysisTab = 'scan' | 'compliance-check' | 'banner-check'
+type AnalysisTab = 'scan' | 'compliance-check' | 'banner-check' | 'agent-test'
 const TABS: { id: AnalysisTab; label: string; desc: string }[] = [
  { id: 'scan', label: 'Website-Scan', desc: 'Rechtliche Dokumente finden + Dienstleister erkennen' },
  { id: 'compliance-check', label: 'Compliance-Check', desc: 'Alle rechtlichen Dokumente zusammen pruefen' },
  { id: 'banner-check', label: 'Banner-Check', desc: 'Cookie-Banner auf DSGVO-Konformitaet testen' },
  { id: 'agent-test', label: 'Agent-Test', desc: 'Specialist-Agent gegen 5 URLs isoliert testen' },
 ]
 export default function AgentPage() {
@@ -186,6 +188,7 @@ export default function AgentPage() {
      {tab === 'compliance-check' && <ComplianceCheckTab />}
      {tab === 'banner-check' && <BannerCheckTab />}
      {tab === 'agent-test' && <AgentTestTab />}
      <ComplianceFAQ />
    </div>
@@ -362,6 +362,16 @@ export default function AIActPage() {
        )}
      </StepHeader>
      <div className="px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
        <span className="font-semibold">Quellen &amp; Lizenz:</span>
        <span>
          Inhalte gemaess <strong>EU-Verordnung 2024/1689 (KI-Verordnung / AI Act)</strong> —
          Lizenzregel R1 (EU_LAW, woertlich uebernehmbar).
          Risiko-Klassifizierungslogik basiert auf Anhang III der Verordnung.{' '}
          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
        </span>
      </div>
      {/* Tabs */}
      <div className="flex items-center gap-1 bg-gray-100 p-1 rounded-lg w-fit">
        {TABS.map(tab => (
@@ -13,6 +13,7 @@ import {
  CATEGORY_OPTIONS,
 } from '../control-library/components/helpers'
 import { ControlDetail } from '../control-library/components/ControlDetail'
 import { SourceBadge } from '@/components/sdk/SourceBadge'
 // =============================================================================
 // TYPES
@@ -310,6 +311,7 @@ export default function AtomicControlsPage() {
                    <TargetAudienceBadge audience={ctrl.target_audience} />
                    <GenerationStrategyBadge strategy={ctrl.generation_strategy} pipelineInfo={ctrl} />
                    <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
                    <SourceBadge controlUuid={ctrl.id} compact />
                  </div>
                  <h3 className="text-sm font-medium text-gray-900 group-hover:text-violet-700">{ctrl.title}</h3>
                  <p className="text-xs text-gray-500 mt-1 line-clamp-2">{ctrl.objective}</p>
@@ -3,6 +3,7 @@
 import React, { useState } from 'react'
 import { useRouter } from 'next/navigation'
 import { StepHeader, STEP_EXPLANATIONS } from '@/components/sdk/StepHeader'
 import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 import { useAuditChecklist } from './_hooks/useAuditChecklist'
 import { ChecklistItemCard } from './_components/ChecklistItemCard'
 import { LoadingSkeleton } from './_components/LoadingSkeleton'
@@ -89,6 +90,12 @@ export default function AuditChecklistPage() {
        </div>
      </StepHeader>
      <LicenseModuleBanner
        rule={3}
        sourceLabel="BreakPilot-Audit-Methodik"
        detail="Eigene Audit-Checklisten und -Workflows. Zitierte Rechtsquellen (DSGVO/ISO 27001/...) jeweils mit eigener Lizenzregel."
      />
      {error && (
        <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
          <span>{error}</span>
@@ -0,0 +1,175 @@
 'use client'
 import { useEffect, useState } from 'react'
 interface BulkDiffStep {
  from: string
  from_version: string | null
  to: string
  to_version: string | null
  created_at: string | null
  kind: 'text' | 'binary'
  added_lines: number
  removed_lines: number
  metadata_diff_fields: string[]
 }
 interface BulkDiffResponse {
  cid_latest: string
  cid_baseline: string
  versions: number
  steps: BulkDiffStep[]
  totals: {
    added_lines: number
    removed_lines: number
    metadata_fields_changed: number
    binary_steps: number
  }
  note?: string
 }
 interface Props {
  cid: string
  onClose: () => void
 }
 function shorten(cid: string): string {
  if (cid.length <= 14) return cid
  return cid.slice(0, 8) + '…' + cid.slice(-6)
 }
 export default function BulkDiffPanel({ cid, onClose }: Props) {
  const [data, setData] = useState<BulkDiffResponse | null>(null)
  const [loading, setLoading] = useState(true)
  const [error, setError] = useState<string | null>(null)
  useEffect(() => {
    let cancel = false
    setLoading(true)
    setError(null)
    fetch(`/api/sdk/v1/dsms/documents/${encodeURIComponent(cid)}/bulk-diff`)
      .then(async (r) => {
        if (!r.ok) throw new Error(`HTTP ${r.status}`)
        const json = (await r.json()) as BulkDiffResponse
        if (!cancel) setData(json)
      })
      .catch((e) => {
        if (!cancel) setError(e?.message || 'Fehler beim Laden')
      })
      .finally(() => {
        if (!cancel) setLoading(false)
      })
    return () => {
      cancel = true
    }
  }, [cid])
  return (
    <div className="border-t border-gray-200 dark:border-gray-700 pt-4 space-y-3">
      <div className="flex items-center justify-between">
        <h3 className="text-sm font-semibold text-gray-900 dark:text-white">
          Aggregierter Diff: V1 → V_latest
        </h3>
        <button
          onClick={onClose}
          className="text-[11px] text-gray-500 hover:text-gray-700"
          aria-label="Bulk-Diff schliessen"
        >
          Schliessen
        </button>
      </div>
      {loading && <div className="text-xs text-gray-500">Bulk-Diff wird berechnet…</div>}
      {error && <div className="text-xs text-red-600 dark:text-red-400">{error}</div>}
      {!loading && !error && data && (
        <>
          <div className="grid grid-cols-2 sm:grid-cols-4 gap-2 text-center">
            <Stat label="Versionen" value={data.versions} tone="neutral" />
            <Stat label="Zeilen +" value={data.totals.added_lines} tone="positive" />
            <Stat label="Zeilen −" value={data.totals.removed_lines} tone="negative" />
            <Stat label="Metadaten-Felder" value={data.totals.metadata_fields_changed} tone="neutral" />
          </div>
          {data.totals.binary_steps > 0 && (
            <div className="text-[11px] text-amber-700 dark:text-amber-400 italic">
              {data.totals.binary_steps} von {data.steps.length} Schritten binaer — Text-Diff nicht moeglich.
            </div>
          )}
          {data.steps.length === 0 ? (
            <div className="text-xs text-gray-500 italic">{data.note || 'Keine Vorgaengerversion vorhanden.'}</div>
          ) : (
            <div className="overflow-x-auto">
              <table className="w-full text-[11px]">
                <thead>
                  <tr className="text-left text-gray-500 border-b border-gray-200 dark:border-gray-700">
                    <th className="py-1 pr-2 font-medium">Schritt</th>
                    <th className="py-1 pr-2 font-medium">Datum</th>
                    <th className="py-1 pr-2 font-medium">Typ</th>
                    <th className="py-1 pr-2 font-medium text-right">+</th>
                    <th className="py-1 pr-2 font-medium text-right">−</th>
                    <th className="py-1 font-medium">Metadaten-Felder</th>
                  </tr>
                </thead>
                <tbody>
                  {data.steps.map((step, i) => (
                    <tr key={`${step.from}-${step.to}`} className="border-b border-gray-100 dark:border-gray-800">
                      <td className="py-1 pr-2 text-gray-700 dark:text-gray-300">
                        V{step.from_version || '?'} → V{step.to_version || '?'}
                        <div className="text-[9px] font-mono text-gray-400">
                          {shorten(step.from)} → {shorten(step.to)}
                        </div>
                      </td>
                      <td className="py-1 pr-2 text-gray-500">
                        {step.created_at ? new Date(step.created_at).toLocaleDateString('de-DE') : '—'}
                      </td>
                      <td className="py-1 pr-2">
                        <span
                          className={
                            step.kind === 'binary'
                              ? 'text-amber-700 dark:text-amber-400'
                              : 'text-gray-700 dark:text-gray-300'
                          }
                        >
                          {step.kind === 'binary' ? 'binaer' : 'text'}
                        </span>
                      </td>
                      <td className="py-1 pr-2 text-right text-emerald-700 dark:text-emerald-400">
                        {step.kind === 'binary' ? '—' : step.added_lines}
                      </td>
                      <td className="py-1 pr-2 text-right text-red-700 dark:text-red-400">
                        {step.kind === 'binary' ? '—' : step.removed_lines}
                      </td>
                      <td className="py-1 text-gray-600 dark:text-gray-400">
                        {step.metadata_diff_fields.length === 0
                          ? '—'
                          : step.metadata_diff_fields.slice(0, 3).join(', ') +
                            (step.metadata_diff_fields.length > 3 ? ` (+${step.metadata_diff_fields.length - 3})` : '')}
                      </td>
                    </tr>
                  ))}
                </tbody>
              </table>
            </div>
          )}
        </>
      )}
    </div>
  )
 }
 function Stat({ label, value, tone }: { label: string; value: number; tone: 'positive' | 'negative' | 'neutral' }) {
  const color =
    tone === 'positive'
      ? 'text-emerald-700 dark:text-emerald-400'
      : tone === 'negative'
        ? 'text-red-700 dark:text-red-400'
        : 'text-gray-800 dark:text-gray-200'
  return (
    <div className="bg-gray-50 dark:bg-gray-900/40 rounded p-2 border border-gray-200 dark:border-gray-700">
      <div className={`text-base font-semibold ${color}`}>{value.toLocaleString('de-DE')}</div>
      <div className="text-[10px] uppercase tracking-wide text-gray-500">{label}</div>
    </div>
  )
 }
@@ -0,0 +1,222 @@
 'use client'
 import { useEffect, useState } from 'react'
 import BulkDiffPanel from './BulkDiffPanel'
 interface HistoryEntry {
  cid: string
  version: string | null
  document_type: string | null
  document_id: string | null
  parent_cid: string | null
  created_at: string | null
  checksum: string | null
 }
 interface DiffResponse {
  kind: 'text' | 'binary'
  cid_a: string
  cid_b: string
  metadata_diff: Record<string, { old: unknown; new: unknown }>
  diff?: string
  added_lines?: number
  removed_lines?: number
  note?: string
 }
 interface Props {
  cid: string
  onClose: () => void
 }
 function shorten(cid: string): string {
  if (cid.length <= 14) return cid
  return cid.slice(0, 8) + '…' + cid.slice(-6)
 }
 export default function CIDHistoryModal({ cid, onClose }: Props) {
  const [history, setHistory] = useState<HistoryEntry[]>([])
  const [loading, setLoading] = useState(true)
  const [error, setError] = useState<string | null>(null)
  const [diffPair, setDiffPair] = useState<{ a: string; b: string } | null>(null)
  const [diff, setDiff] = useState<DiffResponse | null>(null)
  const [diffLoading, setDiffLoading] = useState(false)
  const [showBulkDiff, setShowBulkDiff] = useState(false)
  useEffect(() => {
    let cancel = false
    setLoading(true)
    setError(null)
    fetch(`/api/sdk/v1/dsms/documents/${encodeURIComponent(cid)}/history`)
      .then(async (r) => {
        if (!r.ok) throw new Error(`HTTP ${r.status}`)
        const json = await r.json()
        if (!cancel) setHistory(json.history || [])
      })
      .catch((e) => {
        if (!cancel) setError(e?.message || 'Fehler beim Laden')
      })
      .finally(() => {
        if (!cancel) setLoading(false)
      })
    return () => {
      cancel = true
    }
  }, [cid])
  async function loadDiff(a: string, b: string) {
    setDiffPair({ a, b })
    setDiff(null)
    setDiffLoading(true)
    try {
      const res = await fetch(
        `/api/sdk/v1/dsms/documents/${encodeURIComponent(a)}/diff/${encodeURIComponent(b)}`
      )
      if (res.ok) {
        const json = (await res.json()) as DiffResponse
        setDiff(json)
      } else {
        setDiff({ kind: 'binary', cid_a: a, cid_b: b, metadata_diff: {}, note: `HTTP ${res.status}` })
      }
    } finally {
      setDiffLoading(false)
    }
  }
  return (
    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/40 p-4" onClick={onClose}>
      <div
        className="w-full max-w-3xl max-h-[90vh] overflow-hidden flex flex-col bg-white dark:bg-gray-800 rounded-xl shadow-xl"
        onClick={(e) => e.stopPropagation()}
      >
        <div className="flex items-center justify-between px-5 py-3 border-b border-gray-200 dark:border-gray-700">
          <div>
            <h2 className="text-sm font-semibold text-gray-900 dark:text-white">DSMS-Versionsverlauf</h2>
            <code className="text-[10px] font-mono text-gray-500 dark:text-gray-400">{shorten(cid)}</code>
          </div>
          <button onClick={onClose} className="text-gray-500 hover:text-gray-700 dark:text-gray-400 text-sm">
            Schliessen
          </button>
        </div>
        <div className="flex-1 overflow-y-auto p-5 space-y-4">
          {loading && <div className="text-sm text-gray-500">Verlauf wird geladen…</div>}
          {error && <div className="text-sm text-red-600 dark:text-red-400">{error}</div>}
          {!loading && !error && history.length === 0 && (
            <div className="text-sm text-gray-500 italic">
              Kein Versionsverlauf gefunden. Diese CID hat keine parent_cid-Kette.
            </div>
          )}
          {!loading && !error && history.length > 0 && (
            <>
              <div className="flex items-center justify-between gap-3 flex-wrap">
                <div className="text-xs text-gray-500 dark:text-gray-400">
                  {history.length} Version{history.length > 1 ? 'en' : ''} in der Kette (neueste oben).
                </div>
                {history.length > 1 && (
                  <button
                    onClick={() => setShowBulkDiff((v) => !v)}
                    className="text-[11px] px-2 py-1 rounded border border-purple-300 text-purple-700 hover:bg-purple-50 dark:border-purple-700 dark:text-purple-300 dark:hover:bg-purple-900/30"
                    title="Aggregierter Diff ueber alle Versionen"
                  >
                    {showBulkDiff ? 'Bulk-Diff ausblenden' : `Bulk-Diff V1 → V${history[0].version || '?'} anzeigen`}
                  </button>
                )}
              </div>
              {showBulkDiff && <BulkDiffPanel cid={cid} onClose={() => setShowBulkDiff(false)} />}
              <ol className="relative border-l-2 border-emerald-500/40 pl-4 space-y-3">
                {history.map((entry, idx) => {
                  const next = history[idx + 1]
                  return (
                    <li key={entry.cid} className="relative">
                      <div className="absolute -left-[1.4rem] top-1.5 w-3 h-3 rounded-full bg-emerald-500 ring-2 ring-white dark:ring-gray-800" />
                      <div className="bg-gray-50 dark:bg-gray-900/40 rounded-lg p-3 border border-gray-200 dark:border-gray-700">
                        <div className="flex items-center justify-between gap-2">
                          <div className="min-w-0">
                            <div className="text-sm font-medium text-gray-900 dark:text-white">
                              Version {entry.version || '?'} {idx === 0 && <span className="ml-2 text-[10px] text-emerald-600 font-semibold">AKTUELL</span>}
                            </div>
                            <code className="text-[10px] font-mono text-gray-500 dark:text-gray-400 break-all">{entry.cid}</code>
                          </div>
                          {next && (
                            <button
                              onClick={() => loadDiff(next.cid, entry.cid)}
                              className="shrink-0 text-[11px] text-purple-600 hover:text-purple-800 dark:text-purple-400 hover:underline"
                              title="Aenderungen zur Vorversion anzeigen"
                            >
                              Diff zu V{next.version || '?'}
                            </button>
                          )}
                        </div>
                        <div className="mt-1 text-[11px] text-gray-500 dark:text-gray-400 flex flex-wrap gap-x-3 gap-y-0.5">
                          {entry.document_type && <span>Typ: {entry.document_type}</span>}
                          {entry.document_id && <span>Dok-ID: {entry.document_id}</span>}
                          {entry.created_at && <span>{new Date(entry.created_at).toLocaleString('de-DE')}</span>}
                        </div>
                        {entry.checksum && (
                          <div className="mt-1 text-[10px] text-gray-400 font-mono">SHA-256: {entry.checksum.slice(0, 16)}…</div>
                        )}
                      </div>
                    </li>
                  )
                })}
              </ol>
            </>
          )}
          {diffPair && (
            <div className="mt-4 border-t border-gray-200 dark:border-gray-700 pt-4 space-y-2">
              <div className="flex items-center justify-between">
                <h3 className="text-xs font-semibold text-gray-900 dark:text-white">
                  Diff: {shorten(diffPair.a)} → {shorten(diffPair.b)}
                </h3>
                <button onClick={() => { setDiff(null); setDiffPair(null) }} className="text-[11px] text-gray-500 hover:text-gray-700">
                  Schliessen
                </button>
              </div>
              {diffLoading && <div className="text-xs text-gray-500">Diff wird geladen…</div>}
              {!diffLoading && diff && (
                <>
                  {Object.keys(diff.metadata_diff || {}).length > 0 && (
                    <div className="text-xs">
                      <div className="font-medium text-gray-700 dark:text-gray-300 mb-1">Metadaten-Aenderungen</div>
                      <table className="w-full">
                        <tbody>
                          {Object.entries(diff.metadata_diff).map(([field, { old, new: nv }]) => (
                            <tr key={field} className="border-b border-gray-100 dark:border-gray-800">
                              <td className="py-0.5 pr-2 font-mono text-[10px] text-gray-500">{field}</td>
                              <td className="py-0.5 pr-2 text-red-600 dark:text-red-400 line-through">{JSON.stringify(old)}</td>
                              <td className="py-0.5 text-green-700 dark:text-green-400">{JSON.stringify(nv)}</td>
                            </tr>
                          ))}
                        </tbody>
                      </table>
                    </div>
                  )}
                  {diff.kind === 'text' && diff.diff && (
                    <>
                      <div className="text-[11px] text-gray-500">
                        {diff.added_lines ?? 0} Zeilen hinzu, {diff.removed_lines ?? 0} entfernt
                      </div>
                      <pre className="text-[10px] font-mono whitespace-pre-wrap bg-gray-900 text-gray-100 p-3 rounded max-h-64 overflow-y-auto">
                        {diff.diff}
                      </pre>
                    </>
                  )}
                  {diff.kind === 'binary' && (
                    <div className="text-xs text-amber-700 dark:text-amber-400 italic">
                      {diff.note || 'Binaere Datei — kein Text-Diff verfuegbar.'}
                    </div>
                  )}
                </>
              )}
            </div>
          )}
        </div>
      </div>
    </div>
  )
 }
@@ -1,6 +1,8 @@
 'use client'
 import { useState } from 'react'
 import { useAuditTimeline, type AuditEntry } from './_hooks/useAuditTimeline'
 import CIDHistoryModal from './_components/CIDHistoryModal'
 const ENTITY_LABELS: Record<string, string> = {
  evidence: 'Nachweis', control: 'Control', document: 'Dokument',
@@ -16,8 +18,24 @@ const ACTION_COLORS: Record<string, string> = {
 const FILTER_OPTIONS = ['all', 'evidence', 'dsms_archive', 'control', 'document', 'dsfa', 'vvt', 'tom']
 // new_value may be a plain CID (from Python evidence flow) or a JSON envelope
 // {"cid":"X","filename":"...","size":"..."} (from the Go IACE tech-file flow).
 function extractCID(value: string): string {
  const trimmed = value.trim()
  if (trimmed.startsWith('{')) {
    try {
      const parsed = JSON.parse(trimmed)
      if (typeof parsed.cid === 'string') return parsed.cid
    } catch {
      // fall through
    }
  }
  return trimmed
 }
 export default function AuditTimelinePage() {
  const { entries, loading, filter, setFilter } = useAuditTimeline()
  const [historyCID, setHistoryCID] = useState<string | null>(null)
  return (
    <div className="max-w-4xl mx-auto space-y-6">
@@ -58,16 +76,18 @@ export default function AuditTimelinePage() {
          <div className="space-y-4">
            {entries.map((entry) => (
-              <TimelineEntry key={entry.id} entry={entry} />
+              <TimelineEntry key={entry.id} entry={entry} onShowHistory={setHistoryCID} />
            ))}
          </div>
        </div>
      )}
      {historyCID && <CIDHistoryModal cid={historyCID} onClose={() => setHistoryCID(null)} />}
    </div>
  )
 }
-function TimelineEntry({ entry }: { entry: AuditEntry }) {
+function TimelineEntry({ entry, onShowHistory }: { entry: AuditEntry; onShowHistory: (cid: string) => void }) {
  const dotColor = ACTION_COLORS[entry.action] || 'bg-gray-400'
  const isCID = entry.field_changed === 'dsms_cid' || entry.action === 'archive'
  const date = new Date(entry.performed_at)
@@ -94,7 +114,7 @@ function TimelineEntry({ entry }: { entry: AuditEntry }) {
              <p className="text-xs text-gray-600 dark:text-gray-400 mt-1">{entry.change_summary}</p>
            )}
            {isCID && entry.new_value && (
-              <div className="mt-2 flex items-center gap-2">
+              <div className="mt-2 flex items-center gap-2 flex-wrap">
                <svg className="w-3.5 h-3.5 text-emerald-600 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
                </svg>
@@ -102,6 +122,16 @@ function TimelineEntry({ entry }: { entry: AuditEntry }) {
                  {entry.new_value.length > 20 ? entry.new_value.slice(0, 8) + '...' + entry.new_value.slice(-6) : entry.new_value}
                </code>
                <span className="text-[10px] text-emerald-500">DSMS/IPFS</span>
                <button
                  onClick={(e) => {
                    e.stopPropagation()
                    if (entry.new_value) onShowHistory(extractCID(entry.new_value))
                  }}
                  className="text-[10px] text-purple-600 hover:text-purple-800 dark:text-purple-400 underline-offset-2 hover:underline"
                  title="DSMS-Versionsverlauf und Diff zur Vorversion anzeigen"
                >
                  Verlauf anzeigen
                </button>
              </div>
            )}
          </div>
@@ -0,0 +1,266 @@
 'use client'
 /**
 * P107 — Branchen-Benchmark-Cockpit.
 *
 * Multi-Site-Vergleich auf einen Blick. Anonymize-Toggle für Big-4-
 * Wirtschaftspruefer-Demos.
 *
 * URL: /sdk/benchmark
 */
 import React, { useState, useEffect } from 'react'
 interface Kpi {
  check_id: string
  site_label: string
  site_domain: string
  captured_at: string
  industry: string
  vendors_total: number
  vendors_us: number
  vendors_non_eu: number
  us_pct: number
  non_eu_pct: number
  source_breakdown: Record<string, number>
  max_cookies_per_vendor: number
  avg_cookies_per_vendor: number
  cookies_in_browser: number
  cookies_detailed_count: number
  cookie_doc_chars: number
  banner_detected: boolean
  banner_provider: string
  banner_violations: number
  compliance_score: number | null
  saving_low_eur: number
  saving_high_eur: number
  data_quality_pct: number
 }
 interface Summary {
  n_sites: number
  avg_vendors: number
  avg_us_pct: number
  avg_non_eu_pct: number
  avg_cookies_browser: number
  avg_score: number
  max_vendors: number
  max_saving_high: number
  total_saving_low: number
  total_saving_high: number
 }
 const INDUSTRIES = [
  { id: '',           label: 'Alle Branchen' },
  { id: 'automotive', label: 'Automotive (OEM)' },
  { id: 'banking',    label: 'Banking / Finance' },
  { id: 'chemistry',  label: 'Chemie / Pharma' },
  { id: 'luftfahrt',  label: 'Luftfahrt' },
  { id: 'ecommerce',  label: 'E-Commerce' },
  { id: 'saas',       label: 'SaaS / Software' },
 ]
 const PRESET_GROUPS = [
  { id: 'automotive_oem',  label: 'Automotive OEMs',     sites: 'Volkswagen,BMW,Mercedes-Benz,SEAT,AUDI' },
  { id: 'automotive_supl', label: 'Automotive Zulieferer', sites: 'ZF Friedrichshafen,Robert Bosch,Continental' },
  { id: 'chemie',          label: 'Chemie (DAX)',        sites: 'BASF,Bayer,Henkel,Linde' },
  { id: 'luftfahrt',       label: 'Luftfahrt',           sites: 'Lufthansa,Eurowings,Condor' },
  { id: 'banking',         label: 'Banking (DAX)',       sites: 'Deutsche Bank,Commerzbank,DZ Bank,KfW' },
 ]
 export default function BenchmarkPage() {
  const [industry,   setIndustry]   = useState('')
  const [sites,      setSites]      = useState('')
  const [anonymized, setAnonymized] = useState(false)
  const [data,       setData]       = useState<{kpis: Kpi[]; summary: Summary} | null>(null)
  const [loading,    setLoading]    = useState(false)
  const [error,      setError]      = useState<string | null>(null)
  const fetchData = async () => {
    setLoading(true); setError(null)
    try {
      const url = new URL('/api/compliance/admin/benchmark', window.location.origin)
      if (industry) url.searchParams.set('industry', industry)
      if (sites)    url.searchParams.set('sites', sites)
      if (anonymized) url.searchParams.set('anonymized', 'true')
      const r = await fetch(url.toString())
      if (!r.ok) throw new Error(`HTTP ${r.status}`)
      setData(await r.json())
    } catch (e: any) {
      setError(e.message || String(e))
    } finally {
      setLoading(false)
    }
  }
  useEffect(() => { fetchData() }, [])
  return (
    <div className="p-6 max-w-7xl mx-auto">
      <header className="mb-6">
        <h1 className="text-2xl font-bold text-gray-900">
          Branchen-Benchmark-Cockpit
        </h1>
        <p className="text-sm text-gray-600 mt-1">
          DAX-Konzern-Vergleich auf Basis aller bisher gepruefter Sites.
          Mit Anonymize-Toggle fuer Wirtschaftspruefer-Demos.
        </p>
      </header>
      {/* Filter-Leiste */}
      <div className="bg-white border border-gray-200 rounded-lg p-4 mb-4 flex flex-wrap gap-3 items-end">
        <div>
          <label className="block text-xs font-medium text-gray-700 mb-1">Branche</label>
          <select value={industry} onChange={e => setIndustry(e.target.value)}
                  className="px-3 py-2 border rounded text-sm">
            {INDUSTRIES.map(i => <option key={i.id} value={i.id}>{i.label}</option>)}
          </select>
        </div>
        <div className="flex-1 min-w-[300px]">
          <label className="block text-xs font-medium text-gray-700 mb-1">
            Sites (komma-getrennt) oder Preset wählen
          </label>
          <input value={sites} onChange={e => setSites(e.target.value)}
                 placeholder="Volkswagen,BMW,Mercedes-Benz"
                 className="w-full px-3 py-2 border rounded text-sm font-mono" />
          <div className="flex flex-wrap gap-1 mt-1">
            {PRESET_GROUPS.map(p => (
              <button key={p.id} onClick={() => setSites(p.sites)}
                      className="px-2 py-0.5 text-[10px] bg-gray-100 hover:bg-gray-200 rounded">
                {p.label}
              </button>
            ))}
          </div>
        </div>
        <label className="flex items-center gap-2 text-sm cursor-pointer">
          <input type="checkbox" checked={anonymized}
                 onChange={e => setAnonymized(e.target.checked)}
                 className="rounded" />
          <span><strong>Anonymisieren</strong> (OEM 1/2/3 statt Hersteller-Namen)</span>
        </label>
        <button onClick={fetchData} disabled={loading}
                className="px-4 py-2 bg-purple-600 text-white rounded font-medium hover:bg-purple-700 disabled:opacity-50">
          {loading ? 'Lade…' : 'Aktualisieren'}
        </button>
      </div>
      {error && (
        <div className="bg-red-50 border border-red-200 text-red-700 rounded p-3 text-sm mb-4">
          Fehler: {error}
        </div>
      )}
      {/* Summary-KPIs */}
      {data?.summary && (
        <div className="grid grid-cols-2 md:grid-cols-5 gap-2 mb-4">
          <Kpi label="Sites im Vergleich"    value={data.summary.n_sites} />
          <Kpi label="⌀ Vendors"             value={data.summary.avg_vendors} />
          <Kpi label="⌀ US-Anteil"           value={`${data.summary.avg_us_pct}%`}
               tone={data.summary.avg_us_pct > 60 ? 'warn' : 'ok'} />
          <Kpi label="⌀ Score"               value={data.summary.avg_score || '—'} />
          <Kpi label="Saving-Potenzial (Σ)"  value={`${Math.round(data.summary.total_saving_high/1000)}k €`}
               tone="ok" />
        </div>
      )}
      {/* Vergleichstabelle */}
      {data?.kpis && data.kpis.length > 0 ? (
        <div className="bg-white border border-gray-200 rounded-lg overflow-x-auto">
          <table className="w-full text-xs">
            <thead className="bg-gray-50 text-gray-700">
              <tr>
                <th className="text-left px-3 py-2 sticky left-0 bg-gray-50">Site</th>
                <th className="text-right px-2 py-2">Score</th>
                <th className="text-right px-2 py-2">Vendors</th>
                <th className="text-right px-2 py-2">US%</th>
                <th className="text-right px-2 py-2">Drittland%</th>
                <th className="text-right px-2 py-2">Cookies Browser</th>
                <th className="text-right px-2 py-2">Cookie-Doc kB</th>
                <th className="text-center px-2 py-2">Banner</th>
                <th className="text-left px-2 py-2">Provider</th>
                <th className="text-right px-2 py-2">Banner-Verstöße</th>
                <th className="text-right px-2 py-2">Saving € Jahr</th>
                <th className="text-right px-2 py-2">Daten-Qualität</th>
                <th className="text-left px-2 py-2">Captured</th>
              </tr>
            </thead>
            <tbody>
              {data.kpis.map((k, i) => (
                <tr key={i} className={`border-t hover:bg-gray-50 ${i%2 ? 'bg-gray-50/30' : ''}`}>
                  <td className="px-3 py-2 font-semibold sticky left-0 bg-inherit">
                    {k.site_label}
                    <div className="text-[9px] text-gray-400 font-mono">{k.check_id}</div>
                  </td>
                  <td className={`px-2 py-2 text-right ${
                    !k.compliance_score ? 'text-gray-400' :
                    k.compliance_score >= 80 ? 'text-green-700' :
                    k.compliance_score >= 60 ? 'text-amber-700' : 'text-red-700'
                  }`}>
                    {k.compliance_score ?? '—'}
                  </td>
                  <td className="px-2 py-2 text-right font-mono">{k.vendors_total}</td>
                  <td className={`px-2 py-2 text-right ${k.us_pct > 60 ? 'text-red-700 font-semibold' : ''}`}>
                    {k.us_pct}%
                  </td>
                  <td className={`px-2 py-2 text-right ${k.non_eu_pct > 70 ? 'text-red-700' : ''}`}>
                    {k.non_eu_pct}%
                  </td>
                  <td className="px-2 py-2 text-right font-mono">{k.cookies_in_browser}</td>
                  <td className="px-2 py-2 text-right text-gray-500">
                    {Math.round(k.cookie_doc_chars / 1000)}k
                  </td>
                  <td className="px-2 py-2 text-center">{k.banner_detected ? '✓' : '✗'}</td>
                  <td className="px-2 py-2 text-gray-600">{k.banner_provider || '—'}</td>
                  <td className={`px-2 py-2 text-right ${k.banner_violations ? 'text-red-700' : 'text-gray-400'}`}>
                    {k.banner_violations || 0}
                  </td>
                  <td className="px-2 py-2 text-right text-green-700 font-mono">
                    {k.saving_high_eur ? `${(k.saving_high_eur/1000).toFixed(0)}k` : '—'}
                  </td>
                  <td className={`px-2 py-2 text-right ${
                    k.data_quality_pct >= 70 ? 'text-green-700' :
                    k.data_quality_pct >= 40 ? 'text-amber-700' : 'text-red-700'
                  }`}>
                    {k.data_quality_pct}%
                  </td>
                  <td className="px-2 py-2 text-[10px] text-gray-500">
                    {k.captured_at?.substring(0, 16).replace('T', ' ')}
                  </td>
                </tr>
              ))}
            </tbody>
          </table>
        </div>
      ) : !loading && (
        <div className="bg-gray-50 border border-gray-200 rounded-lg p-8 text-center text-gray-500">
          Keine Snapshots gefunden — Filter anpassen oder einen Audit-Lauf starten.
        </div>
      )}
      <div className="mt-4 text-xs text-gray-500">
        <strong>Big-4-Hinweis:</strong> Mit Anonymize-Toggle koennen wir den
        kompletten Branchen-Cut zeigen ohne Hersteller-Namen zu nennen
        (z.B. "OEM 3 hat 78% US-Vendor-Anteil"). Damit ist die Daten-
        Hoheit bei BreakPilot und Big 4 sieht den Mehrwert ohne dass
        Wettbewerber-Vergleiche extern werden.
      </div>
    </div>
  )
 }
 function Kpi({ label, value, tone = 'neutral' }: {
  label: string; value: any; tone?: 'ok' | 'warn' | 'bad' | 'neutral'
 }) {
  const colors: Record<string, string> = {
    ok: 'text-green-700 bg-green-50 border-green-200',
    warn: 'text-amber-700 bg-amber-50 border-amber-200',
    bad: 'text-red-700 bg-red-50 border-red-200',
    neutral: 'text-gray-700 bg-white border-gray-200',
  }
  return (
    <div className={`border rounded p-3 ${colors[tone]}`}>
      <div className="text-[10px] uppercase tracking-wider opacity-70">{label}</div>
      <div className="text-xl font-bold mt-1">{value}</div>
    </div>
  )
 }
@@ -0,0 +1,44 @@
 import { describe, it, expect } from 'vitest'
 import {
  USE_CASE_LABELS, MC_VERIFICATION_LABELS, useCaseLabel, mcVerificationLabel,
 } from '../components/mcMappingLabels'
 describe('useCaseLabel', () => {
  it('maps known use-case keys to German labels', () => {
    expect(useCaseLabel('impressum')).toBe('Impressum')
    expect(useCaseLabel('cookie_banner')).toBe('Cookie-Banner')
    expect(useCaseLabel('code_security')).toBe('Code Security')
    expect(useCaseLabel('dse')).toBe('Datenschutzerklärung')
  })
  it('humanizes an unknown key instead of showing the raw slug', () => {
    expect(useCaseLabel('brand_new_thing')).toBe('Brand New Thing')
  })
 })
 describe('mcVerificationLabel', () => {
  it('maps the master-control verification methods', () => {
    expect(mcVerificationLabel('source_code')).toBe('Source Code')
    expect(mcVerificationLabel('it_process')).toBe('IT-Prozess')
    expect(mcVerificationLabel('network')).toBe('Netzwerk/Infra')
    expect(mcVerificationLabel('document')).toBe('Dokument')
  })
  it('humanizes an unknown method', () => {
    expect(mcVerificationLabel('telepathy')).toBe('Telepathy')
  })
 })
 describe('label coverage', () => {
  it('labels the security/code use cases (>=50% code+process focus)', () => {
    for (const k of ['code_security', 'network_security', 'cra', 'isms', 'tisax']) {
      expect(USE_CASE_LABELS[k]).toBeTruthy()
    }
  })
  it('covers every master-control verification method', () => {
    for (const m of ['document', 'source_code', 'network', 'it_process', 'hybrid', 'manual']) {
      expect(MC_VERIFICATION_LABELS[m]).toBeTruthy()
    }
  })
 })
@@ -12,6 +12,7 @@ import {
  VERIFICATION_METHODS, CATEGORY_OPTIONS, EVIDENCE_TYPE_OPTIONS,
 } from './helpers'
 import { ControlsMeta } from './useControlLibraryState'
 import { useCaseLabel, mcVerificationLabel } from './mcMappingLabels'
 import { GeneratorModal } from './GeneratorModal'
 interface ControlListViewProps {
@@ -34,6 +35,10 @@ interface ControlListViewProps {
  domainFilter: string
  stateFilter: string
  verificationFilter: string
  useCaseFilter: string
  primaryOnly: boolean
  regulationFilter: string
  mappedFilter: string
  categoryFilter: string
  evidenceTypeFilter: string
  audienceFilter: string
@@ -46,6 +51,10 @@ interface ControlListViewProps {
  setDomainFilter: (v: string) => void
  setStateFilter: (v: string) => void
  setVerificationFilter: (v: string) => void
  setUseCaseFilter: (v: string) => void
  setPrimaryOnly: (v: boolean) => void
  setRegulationFilter: (v: string) => void
  setMappedFilter: (v: string) => void
  setCategoryFilter: (v: string) => void
  setEvidenceTypeFilter: (v: string) => void
  setAudienceFilter: (v: string) => void
@@ -71,10 +80,12 @@ export function ControlListView({
  reviewCount, bulkProcessing, showStats, processedStats,
  showGenerator, currentPage, totalPages, sortBy,
  searchQuery, severityFilter, domainFilter, stateFilter,
-  verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter,
+  verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter,
  categoryFilter, evidenceTypeFilter, audienceFilter,
  sourceFilter, typeFilter, hideDuplicates,
  setSearchQuery, setSeverityFilter, setDomainFilter, setStateFilter,
-  setVerificationFilter, setCategoryFilter, setEvidenceTypeFilter, setAudienceFilter,
+  setVerificationFilter, setUseCaseFilter, setPrimaryOnly, setRegulationFilter, setMappedFilter,
  setCategoryFilter, setEvidenceTypeFilter, setAudienceFilter,
  setSourceFilter, setTypeFilter, setHideDuplicates, setSortBy,
  setShowStats, setShowGenerator, setCurrentPage,
  onSelectControl, onCreateMode, onEnterReview, onBulkReject, onRefresh, onLoadStats, onFullReload,
@@ -176,18 +187,60 @@ export function ControlListView({
                className="rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
              Duplikate ausblenden
            </label>
            {meta?.use_case_counts && (
              <select value={useCaseFilter} onChange={e => setUseCaseFilter(e.target.value)}
                className="text-sm border border-purple-300 bg-purple-50 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500 max-w-[260px]">
                <option value="">Use Case (alle)</option>
                {Object.entries(meta.use_case_counts).sort((a, b) => b[1] - a[1]).map(([k, c]) => (
                  <option key={k} value={k}>{useCaseLabel(k)} ({c})</option>
                ))}
              </select>
            )}
            {meta?.use_case_counts && useCaseFilter && (
              <label className="flex items-center gap-1.5 text-xs text-gray-600 cursor-pointer whitespace-nowrap"
                title="Nur Master Controls, deren Primärzweck dieser Use Case ist (blendet über-geclusterte Mehrfachzwecke aus)">
                <input type="checkbox" checked={primaryOnly} onChange={e => setPrimaryOnly(e.target.checked)}
                  className="rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
                nur Primärzweck
              </label>
            )}
            {meta?.regulations && meta.regulations.length > 0 && (
              <select value={regulationFilter} onChange={e => setRegulationFilter(e.target.value)}
                className="text-sm border border-blue-300 bg-blue-50 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500 max-w-[260px]">
                <option value="">Regulierung (alle)</option>
                {meta.regulations.map(rg => (
                  <option key={rg.source_regulation} value={rg.source_regulation}>{rg.source_regulation} ({rg.count})</option>
                ))}
              </select>
            )}
            <select value={verificationFilter} onChange={e => setVerificationFilter(e.target.value)}
              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
              <option value="">Nachweis</option>
              {Object.entries(VERIFICATION_METHODS).map(([k, v]) => (
                <option key={k} value={k}>{v.label}{meta?.verification_method_counts?.[k] ? ` (${meta.verification_method_counts[k]})` : ''}</option>
              ))}
              {Object.keys(meta?.verification_method_counts || {})
                .filter(k => k !== '__none__' && !(k in VERIFICATION_METHODS))
                .map(k => (
                  <option key={k} value={k}>{mcVerificationLabel(k)} ({meta!.verification_method_counts![k]})</option>
                ))}
              {meta?.verification_method_counts?.['__none__'] ? <option value="__none__">Ohne Nachweis ({meta.verification_method_counts['__none__']})</option> : null}
            </select>
            {meta?.mapped_total != null && (
              <select value={mappedFilter} onChange={e => setMappedFilter(e.target.value)}
                className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
                <option value="">Coverage: alle</option>
                <option value="mapped">Zugeordnet ({meta.mapped_total})</option>
                <option value="unmapped">Offen ({meta.unmapped_count ?? 0})</option>
              </select>
            )}
            <select value={categoryFilter} onChange={e => setCategoryFilter(e.target.value)}
              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
              <option value="">Kategorie</option>
              {CATEGORY_OPTIONS.map(c => <option key={c.value} value={c.value}>{c.label}{meta?.category_counts?.[c.value] ? ` (${meta.category_counts[c.value]})` : ''}</option>)}
              {Object.keys(meta?.category_counts || {})
                .filter(k => k !== '__none__' && !CATEGORY_OPTIONS.some(c => c.value === k))
                .map(k => <option key={k} value={k}>{k} ({meta!.category_counts![k]})</option>)}
              {meta?.category_counts?.['__none__'] ? <option value="__none__">Ohne Kategorie ({meta.category_counts['__none__']})</option> : null}
            </select>
            <select value={evidenceTypeFilter} onChange={e => setEvidenceTypeFilter(e.target.value)}
@@ -232,14 +232,25 @@ export function StateBadge({ state }: { state: string }) {
 export function LicenseRuleBadge({ rule }: { rule: number | null | undefined }) {
  if (!rule) return null
-  const config: Record<number, { bg: string; label: string }> = {
+  // Corrected labels per Task #21 LICENSE_RULES.md mapping:
-    1: { bg: 'bg-green-100 text-green-700', label: 'Free Use' },
+  // R1 = woertlich (Hoheitsrecht/Public Domain, no attribution required)
-    2: { bg: 'bg-blue-100 text-blue-700', label: 'Zitation' },
+  // R2 = woertlich + Attribution-Pflicht (CC-BY, OWASP, OECD, ENISA)
-    3: { bg: 'bg-amber-100 text-amber-700', label: 'Reformuliert' },
+  // R3 = nur Identifier zitieren (DIN/ANSI/IEC/DGUV/proprietary — pipeline drops full text)
  const config: Record<number, { bg: string; label: string; title: string }> = {
    1: { bg: 'bg-emerald-100 text-emerald-800', label: 'R1', title: 'Woertlich uebernehmbar (Hoheitsrecht/Public Domain)' },
    2: { bg: 'bg-amber-100 text-amber-800', label: 'R2', title: 'Woertlich mit Attribution (CC-BY/OWASP/OECD/ENISA)' },
    3: { bg: 'bg-slate-100 text-slate-700', label: 'R3', title: 'Nur Identifier-Verweis (DIN/ANSI/IEC/proprietaer)' },
  }
  const c = config[rule]
  if (!c) return null
-  return <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${c.bg}`}>{c.label}</span>
+  return (
    <span
      className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${c.bg}`}
      title={c.title}
    >
      {c.label}
    </span>
  )
 }
 export function VerificationMethodBadge({ method }: { method: string | null }) {
@@ -0,0 +1,65 @@
 // Display labels for the master-control mapping dimensions (use case +
 // verification method). Keys mirror the backend use_case_registry; an unknown
 // key humanizes gracefully so a newly-seeded use case still renders.
 export const USE_CASE_LABELS: Record<string, string> = {
  impressum: 'Impressum',
  telekommunikation: 'Telekommunikation (TKG)',
  dse: 'Datenschutzerklärung',
  agb: 'AGB',
  cookie_banner: 'Cookie-Banner',
  widerruf: 'Widerruf',
  dsr: 'Betroffenenrechte (DSR)',
  loeschkonzept: 'Löschkonzept',
  avv: 'Auftragsverarbeitung (AVV)',
  dsfa: 'DSFA',
  code_security: 'Code Security',
  network_security: 'Network Security',
  cra: 'Cyber Resilience Act',
  isms: 'ISMS',
  tisax: 'TISAX',
  kritis: 'KRITIS',
  dora: 'DORA',
  ai_act: 'AI Act',
  mica: 'MiCA',
  mdr: 'Medizinprodukte (MDR)',
  maschinen: 'Maschinenverordnung',
  batterie: 'Batterieverordnung',
  ehds: 'EHDS',
  produktsicherheit: 'Produktsicherheit',
  dsa: 'Digital Services Act',
  dma: 'Digital Markets Act',
  data_governance: 'Data Governance Act',
  zahlungsdienste: 'Zahlungsdienste (PSD2)',
  geldwaesche: 'Geldwäsche (GwG)',
  lieferkette: 'Lieferkettengesetz',
  whistleblowing: 'Whistleblowing',
  barrierefreiheit: 'Barrierefreiheit (BFSG)',
  verbraucherschutz: 'Verbraucherschutz',
  urheberrecht: 'Urheberrecht',
  wettbewerbsrecht: 'Wettbewerbsrecht',
  gleichbehandlung: 'Gleichbehandlung (AGG)',
  steuerrecht: 'Steuerrecht',
  handelsrecht: 'Handelsrecht',
 }
 export const MC_VERIFICATION_LABELS: Record<string, string> = {
  document: 'Dokument',
  source_code: 'Source Code',
  network: 'Netzwerk/Infra',
  it_process: 'IT-Prozess',
  hybrid: 'Hybrid',
  manual: 'Manuell',
 }
 function humanize(key: string): string {
  return key.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase())
 }
 export function useCaseLabel(key: string): string {
  return USE_CASE_LABELS[key] || humanize(key)
 }
 export function mcVerificationLabel(key: string): string {
  return MC_VERIFICATION_LABELS[key] || humanize(key)
 }
@@ -14,6 +14,11 @@ export interface ControlsMeta {
  category_counts?: Record<string, number>
  evidence_type_counts?: Record<string, number>
  release_state_counts?: Record<string, number>
  // Master-control mapping dimensions (only returned by the MC endpoint)
  use_case_counts?: Record<string, number>
  regulations?: Array<{ source_regulation: string; count: number }>
  mapped_total?: number
  unmapped_count?: number
 }
 const PAGE_SIZE = 50
@@ -35,6 +40,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
  const [domainFilter, setDomainFilter] = useState<string>('')
  const [stateFilter, setStateFilter] = useState<string>('')
  const [verificationFilter, setVerificationFilter] = useState<string>('')
  const [useCaseFilter, setUseCaseFilter] = useState<string>('')
  const [primaryOnly, setPrimaryOnly] = useState<boolean>(false)
  const [regulationFilter, setRegulationFilter] = useState<string>('')
  const [mappedFilter, setMappedFilter] = useState<string>('')
  const [categoryFilter, setCategoryFilter] = useState<string>('')
  const [evidenceTypeFilter, setEvidenceTypeFilter] = useState<string>('')
  const [audienceFilter, setAudienceFilter] = useState<string>('')
@@ -88,6 +97,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
    if (domainFilter) p.set('domain', domainFilter)
    if (stateFilter) p.set('release_state', stateFilter)
    if (verificationFilter) p.set('verification_method', verificationFilter)
    if (useCaseFilter) p.set('use_case', useCaseFilter)
    if (primaryOnly) p.set('primary', '1')
    if (regulationFilter) p.set('source_regulation', regulationFilter)
    if (mappedFilter) p.set('mapped', mappedFilter)
    if (categoryFilter) p.set('category', categoryFilter)
    if (evidenceTypeFilter) p.set('evidence_type', evidenceTypeFilter)
    if (audienceFilter) p.set('target_audience', audienceFilter)
@@ -97,7 +110,7 @@ export function useControlLibraryState(backendUrlOverride?: string) {
    if (debouncedSearch) p.set('search', debouncedSearch)
    if (extra) for (const [k, v] of Object.entries(extra)) p.set(k, v)
    return p.toString()
-  }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch])
+  }, [severityFilter, domainFilter, stateFilter, verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch])
  const loadFrameworks = useCallback(async () => {
    try {
@@ -156,7 +169,7 @@ export function useControlLibraryState(backendUrlOverride?: string) {
  useEffect(() => { loadFrameworks(); loadReviewCount() }, [loadFrameworks, loadReviewCount])
  useEffect(() => { loadMeta() }, [loadMeta])
  useEffect(() => { loadControls() }, [loadControls])
-  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch, sortBy])
+  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch, sortBy])
  const totalPages = Math.max(1, Math.ceil(totalCount / PAGE_SIZE))
@@ -212,6 +225,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
    domainFilter, setDomainFilter,
    stateFilter, setStateFilter,
    verificationFilter, setVerificationFilter,
    useCaseFilter, setUseCaseFilter,
    primaryOnly, setPrimaryOnly,
    regulationFilter, setRegulationFilter,
    mappedFilter, setMappedFilter,
    categoryFilter, setCategoryFilter,
    evidenceTypeFilter, setEvidenceTypeFilter,
    audienceFilter, setAudienceFilter,
@@ -232,6 +232,10 @@ export default function ControlLibraryPage() {
      domainFilter={state.domainFilter}
      stateFilter={state.stateFilter}
      verificationFilter={state.verificationFilter}
      useCaseFilter={state.useCaseFilter}
      primaryOnly={state.primaryOnly}
      regulationFilter={state.regulationFilter}
      mappedFilter={state.mappedFilter}
      categoryFilter={state.categoryFilter}
      evidenceTypeFilter={state.evidenceTypeFilter}
      audienceFilter={state.audienceFilter}
@@ -243,6 +247,10 @@ export default function ControlLibraryPage() {
      setDomainFilter={state.setDomainFilter}
      setStateFilter={state.setStateFilter}
      setVerificationFilter={state.setVerificationFilter}
      setUseCaseFilter={state.setUseCaseFilter}
      setPrimaryOnly={state.setPrimaryOnly}
      setRegulationFilter={state.setRegulationFilter}
      setMappedFilter={state.setMappedFilter}
      setCategoryFilter={state.setCategoryFilter}
      setEvidenceTypeFilter={state.setEvidenceTypeFilter}
      setAudienceFilter={state.setAudienceFilter}
@@ -99,6 +99,16 @@ export default function CRAProjectsPage() {
          </p>
        </div>
        <div className="mb-4 px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
          <span className="font-semibold">Quellen &amp; Lizenz:</span>
          <span>
            Inhalte gemaess <strong>EU-Verordnung 2024/2847 (Cyber Resilience Act)</strong> —
            Lizenzregel R1 (EU_LAW, woertlich uebernehmbar). ENISA-Implementation-Guidance
            ergaenzend (R1 EU_PUBLIC).{' '}
            <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
          </span>
        </div>
        {error && (
          <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">
            {error}
@@ -0,0 +1,433 @@
 'use client'
 /**
 * Bulk-Generate-Modal: ruft den Compliance-Recommend-Endpoint mit dem aktuellen
 * Profil/Scope-Stand, matched die empfohlenen Dokumenttypen gegen die geladenen
 * Templates, und rendert + speichert alle markierten Dokumente in einem Rutsch
 * (als compliance_legal_documents + version v1.0 draft).
 *
 * Verwendet die existierende Render-Pipeline aus GeneratorSection.tsx:
 *   runRuleset -> applyBlockRemoval -> applyConditionalBlocks -> placeholder-Replace
 */
 import { useEffect, useMemo, useState } from 'react'
 import {
  applyBlockRemoval,
  applyConditionalBlocks,
  buildBoolContext,
  getDocType,
  runRuleset,
 } from '../ruleEngine'
 import { contextToPlaceholders, type TemplateContext } from '../contextBridge'
 import type { LegalTemplateResult } from '@/lib/sdk/types'
 import type { CompanyProfile } from '@/lib/sdk/types/company-profile'
 import type { ComplianceScopeState } from '@/lib/sdk/compliance-scope-types/state'
 const RECOMMEND_ENDPOINT = '/api/sdk/v1/compliance/recommend'
 const DOC_ENDPOINT       = '/api/sdk/v1/compliance/legal-documents/documents'
 const VERSION_ENDPOINT   = '/api/sdk/v1/compliance/legal-documents/versions'
 interface RecommendedItem {
  document_type: string
  title: string
  rule_id: string
  rule_key: string
  classification: 'required' | 'recommended' | 'optional'
  base_classification: 'required' | 'recommended' | 'optional'
  source_citation: string
  reason: string
  override_applied: boolean
 }
 interface RecommendationResult {
  required: RecommendedItem[]
  recommended: RecommendedItem[]
  optional: RecommendedItem[]
 }
 interface Row {
  item: RecommendedItem
  template: LegalTemplateResult | undefined
  selected: boolean
  state: 'idle' | 'generating' | 'done' | 'skipped' | 'error'
  errorMessage?: string
 }
 interface Props {
  allTemplates: LegalTemplateResult[]
  context: TemplateContext
  extraPlaceholders: Record<string, string>
  enabledModules: string[]
  companyProfile: CompanyProfile | null
  complianceScope: ComplianceScopeState | null
  onClose: () => void
 }
 export default function BulkGenerateModal({
  allTemplates, context, extraPlaceholders, enabledModules,
  companyProfile, complianceScope, onClose,
 }: Props) {
  const [loading, setLoading] = useState(true)
  const [loadError, setLoadError] = useState<string | null>(null)
  const [rows, setRows] = useState<Row[]>([])
  const [running, setRunning] = useState(false)
  const [summary, setSummary] = useState<{ done: number; skipped: number; failed: number } | null>(null)
  const recommendProfile = useMemo(
    () => buildRecommendProfile(companyProfile, complianceScope),
    [companyProfile, complianceScope],
  )
  // Templates nach document_type indizieren — ein Document_type hat oft nur EIN Template
  const templatesByType = useMemo(() => {
    const map = new Map<string, LegalTemplateResult>()
    for (const t of allTemplates) {
      if (t.templateType && !map.has(t.templateType)) {
        map.set(t.templateType, t)
      }
    }
    return map
  }, [allTemplates])
  // Recommend abrufen sobald das Modal geöffnet ist
  useEffect(() => {
    let cancelled = false
    async function load() {
      setLoading(true)
      setLoadError(null)
      try {
        const res = await fetch(RECOMMEND_ENDPOINT, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            profile: recommendProfile,
            compliance_depth_level: recommendProfile.compliance_depth_level ?? 'L2',
          }),
        })
        if (!res.ok) throw new Error(`Recommend-API: ${res.status}`)
        const data = (await res.json()) as RecommendationResult
        if (cancelled) return
        const all: RecommendedItem[] = [...data.required, ...data.recommended, ...data.optional]
        const newRows: Row[] = all.map((item) => ({
          item,
          template: templatesByType.get(item.document_type),
          // Default: required + recommended sind aktiv, optional inaktiv,
          // und ohne Template generell deaktiviert
          selected: item.classification !== 'optional' && templatesByType.has(item.document_type),
          state: 'idle',
        }))
        setRows(newRows)
      } catch (e) {
        if (!cancelled) setLoadError((e as Error).message)
      } finally {
        if (!cancelled) setLoading(false)
      }
    }
    load()
    return () => { cancelled = true }
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [])
  const selectedCount = rows.filter((r) => r.selected && r.template).length
  const unmatchedCount = rows.filter((r) => !r.template).length
  function toggle(i: number) {
    setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, selected: !r.selected } : r))
  }
  function setAll(selected: boolean) {
    setRows((rs) => rs.map((r) => r.template ? { ...r, selected } : r))
  }
  async function runBulk() {
    setRunning(true)
    setSummary(null)
    let done = 0
    let failed = 0
    let skipped = 0
    for (let i = 0; i < rows.length; i++) {
      const row = rows[i]
      if (!row.selected) continue
      if (!row.template) { skipped++; continue }
      setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, state: 'generating' } : r))
      try {
        const rendered = renderTemplate(row.template, context, extraPlaceholders, enabledModules)
        await saveDocAndVersion(row.template, rendered)
        setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, state: 'done' } : r))
        done++
      } catch (e) {
        setRows((rs) => rs.map((r, idx) =>
          idx === i ? { ...r, state: 'error', errorMessage: (e as Error).message } : r,
        ))
        failed++
      }
    }
    setSummary({ done, skipped, failed })
    setRunning(false)
  }
  return (
    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={onClose}>
      <div
        className="bg-white rounded-lg shadow-2xl w-[820px] max-h-[90vh] flex flex-col"
        onClick={(e) => e.stopPropagation()}
      >
        <header className="px-5 py-3 border-b border-gray-200 flex items-center justify-between">
          <div>
            <h3 className="font-semibold text-gray-800">Alle empfohlenen Dokumente generieren</h3>
            <p className="text-xs text-gray-500 mt-0.5">
              Compliance-Recommend wertet das aktuelle CompanyProfile + ComplianceScope aus
              und schlägt Vorlagen vor. Markierte werden client-seitig gerendert und als
              Drafts v1.0 in der Document-Library angelegt.
            </p>
          </div>
          <button className="text-gray-400 hover:text-gray-700 text-2xl" onClick={onClose}>×</button>
        </header>
        <div className="flex-1 overflow-y-auto">
          {loading && (
            <div className="p-8 text-center text-sm text-gray-500">Lade Empfehlungen…</div>
          )}
          {loadError && (
            <div className="m-5 p-3 text-sm text-rose-800 bg-rose-50 border border-rose-200 rounded">
              {loadError}
            </div>
          )}
          {!loading && !loadError && rows.length === 0 && (
            <div className="p-8 text-center text-sm text-gray-500">
              Keine Empfehlungen für dieses Profil.
              Stell sicher dass CompanyProfile + ComplianceScope ausgefüllt sind.
            </div>
          )}
          {!loading && rows.length > 0 && (
            <>
              <div className="px-5 py-2 bg-gray-50 border-b border-gray-200 flex items-center justify-between text-xs">
                <div className="text-gray-600">
                  <b>{selectedCount}</b> von {rows.length} ausgewählt
                  {unmatchedCount > 0 && (
                    <span className="ml-2 text-amber-700">
                      ({unmatchedCount} ohne Template — kann nicht generiert werden)
                    </span>
                  )}
                </div>
                <div className="flex gap-1">
                  <button
                    className="px-2 py-1 border border-gray-300 rounded hover:bg-white"
                    onClick={() => setAll(true)}
                    disabled={running}
                  >
                    Alle wählen
                  </button>
                  <button
                    className="px-2 py-1 border border-gray-300 rounded hover:bg-white"
                    onClick={() => setAll(false)}
                    disabled={running}
                  >
                    Keine wählen
                  </button>
                </div>
              </div>
              <ul className="divide-y divide-gray-100">
                {rows.map((row, i) => (
                  <BulkRow key={row.item.rule_id} row={row} onToggle={() => toggle(i)} running={running} />
                ))}
              </ul>
            </>
          )}
        </div>
        <footer className="px-5 py-3 border-t border-gray-200 bg-gray-50 flex items-center gap-3">
          {summary ? (
            <div className="text-sm text-gray-700">
              <b className="text-emerald-700">{summary.done} erstellt</b>
              {summary.skipped > 0 && <span className="ml-2 text-amber-700">· {summary.skipped} übersprungen</span>}
              {summary.failed > 0 && <span className="ml-2 text-rose-700">· {summary.failed} fehlgeschlagen</span>}
            </div>
          ) : (
            <div className="text-xs text-gray-500">
              Erzeugt {selectedCount} neue Drafts in der Document-Library.
            </div>
          )}
          <button className="ml-auto px-3 py-1.5 text-sm text-gray-600 hover:text-gray-800" onClick={onClose}>
            Schließen
          </button>
          {!summary && (
            <button
              className="px-4 py-1.5 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700 disabled:opacity-50"
              disabled={running || loading || selectedCount === 0}
              onClick={runBulk}
            >
              {running ? 'Generiere…' : `${selectedCount} Dokumente generieren`}
            </button>
          )}
        </footer>
      </div>
    </div>
  )
 }
 function BulkRow({ row, onToggle, running }: { row: Row; onToggle: () => void; running: boolean }) {
  const hasTemplate = !!row.template
  const cls = row.item.classification
  const stateBadge = (() => {
    switch (row.state) {
      case 'generating': return <span className="text-amber-700">⏳ generiere…</span>
      case 'done':       return <span className="text-emerald-700">✓ erstellt</span>
      case 'error':      return <span className="text-rose-700" title={row.errorMessage}>✗ Fehler</span>
      case 'skipped':    return <span className="text-gray-500">— übersprungen</span>
      default:           return null
    }
  })()
  return (
    <li className="px-5 py-2 flex items-start gap-3 hover:bg-gray-50">
      <input
        type="checkbox"
        className="mt-1"
        checked={row.selected}
        onChange={onToggle}
        disabled={!hasTemplate || running}
      />
      <div className="flex-1 min-w-0">
        <div className="flex items-center gap-2 flex-wrap">
          <ClassChip classification={cls} />
          <span className="text-sm font-medium text-gray-800">{row.item.title}</span>
          {!hasTemplate && (
            <span className="px-1.5 py-0.5 text-xs rounded border bg-amber-50 text-amber-800 border-amber-300">
              kein Template
            </span>
          )}
          <span className="ml-auto text-xs">{stateBadge}</span>
        </div>
        <div className="text-xs text-gray-500 mt-0.5">
          <code>{row.item.document_type}</code>
          {row.item.source_citation && <> · {row.item.source_citation}</>}
        </div>
        {row.errorMessage && (
          <div className="text-xs text-rose-700 mt-0.5">{row.errorMessage}</div>
        )}
      </div>
    </li>
  )
 }
 function ClassChip({ classification }: { classification: 'required' | 'recommended' | 'optional' }) {
  const map = {
    required:    { label: 'Pflicht',    cls: 'bg-rose-100 text-rose-800 border-rose-300' },
    recommended: { label: 'Empfohlen',  cls: 'bg-amber-100 text-amber-800 border-amber-300' },
    optional:    { label: 'Optional',   cls: 'bg-slate-100 text-slate-700 border-slate-300' },
  }[classification]
  return (
    <span className={`px-1.5 py-0.5 text-xs rounded border ${map.cls}`}>{map.label}</span>
  )
 }
 // ----- Render-Pipeline (Kopie aus GeneratorSection mit gleicher Logik) -----
 function renderTemplate(
  template: LegalTemplateResult,
  context: TemplateContext,
  extraPlaceholders: Record<string, string>,
  enabledModules: string[],
 ): string {
  const ruleResult = runRuleset({
    doc_type: getDocType(template.templateType ?? '', template.language ?? 'de'),
    render: { lang: template.language ?? 'de', variant: 'standard' },
    context,
    modules: { enabled: enabledModules },
  })
  const allValues = {
    ...contextToPlaceholders(ruleResult?.contextAfterDefaults ?? context),
    ...extraPlaceholders,
  }
  const boolCtx = ruleResult
    ? buildBoolContext(ruleResult.contextAfterDefaults, ruleResult.computedFlags)
    : {}
  let content = applyBlockRemoval(template.text, ruleResult?.removedBlocks ?? [])
  content = applyConditionalBlocks(content, boolCtx)
  for (const [key, value] of Object.entries(allValues)) {
    if (value) {
      content = content.replace(
        new RegExp(key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'),
        value,
      )
    }
  }
  return content
 }
 async function saveDocAndVersion(
  template: LegalTemplateResult,
  renderedContent: string,
 ): Promise<void> {
  const docRes = await fetch(DOC_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      type: template.templateType || 'custom',
      name: template.documentTitle || 'Dokument',
      description: `Bulk-generiert aus Template ${template.templateType}`,
    }),
  })
  if (!docRes.ok) {
    throw new Error(`Document anlegen fehlgeschlagen: ${docRes.status} ${await docRes.text().catch(() => '')}`)
  }
  const doc = await docRes.json()
  const verRes = await fetch(VERSION_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      document_id: doc.id,
      title: template.documentTitle || 'Dokument',
      content: renderedContent,
      language: template.language || 'de',
      version: '1.0',
    }),
  })
  if (!verRes.ok) {
    throw new Error(`Version anlegen fehlgeschlagen: ${verRes.status} ${await verRes.text().catch(() => '')}`)
  }
 }
 // ----- Profile-Builder: SDK-State → /recommend Body -----
 function buildRecommendProfile(
  companyProfile: CompanyProfile | null,
  complianceScope: ComplianceScopeState | null,
 ): Record<string, unknown> {
  const profile: Record<string, unknown> = {}
  // Aus CompanyProfile (camelCase TS-Modell)
  if (companyProfile) {
    if (companyProfile.employeeCount) {
      profile.org_employee_count = String(companyProfile.employeeCount).replace(/-/g, '_')
    }
    if (companyProfile.businessModel) {
      profile.org_business_model = String(companyProfile.businessModel).toLowerCase().replace(/\s+/g, '_')
    }
    if (companyProfile.isDataProcessor) {
      profile.comp_has_processors = 'yes'
    }
  }
  // ComplianceScope-Antworten: questionId entspricht direkt unserer Profil-
  // Feld-Konvention (proc_ai_usage, tech_third_country, prod_webshop, etc.)
  if (complianceScope?.answers) {
    for (const a of complianceScope.answers) {
      if (!a.questionId) continue
      if (a.value === null || a.value === undefined || a.value === '') continue
      profile[a.questionId] = a.value
    }
  }
  if (complianceScope?.decision?.determinedLevel) {
    profile.compliance_depth_level = complianceScope.decision.determinedLevel
  }
  return profile
 }
@@ -16,6 +16,7 @@ import TemplateLibrary from './_components/TemplateLibrary'
 import GeneratorSection from './_components/GeneratorSection'
 import RecommendedDocuments from './_components/RecommendedDocuments'
 import { LifecycleFilter, filterTemplatesByStage } from './_components/LifecycleFilter'
 import BulkGenerateModal from './_components/BulkGenerateModal'
 import type { LifecycleStage } from '@/lib/sdk/founding/template-categories'
 function DocumentGeneratorPageInner() {
@@ -39,6 +40,7 @@ function DocumentGeneratorPageInner() {
  const generatorRef = useRef<HTMLDivElement>(null)
  const [totalCount, setTotalCount] = useState<number>(0)
  const [showBulkGenerate, setShowBulkGenerate] = useState(false)
  // Load all templates on mount
  useEffect(() => {
@@ -297,6 +299,16 @@ function DocumentGeneratorPageInner() {
        tips={stepInfo.tips}
      />
      <div className="px-4 py-2 bg-slate-50 border border-slate-200 rounded-lg text-xs text-slate-700 flex items-start gap-2">
        <span className="font-semibold">Quellen &amp; Lizenz:</span>
        <span>
          Die 91 Standard-Vorlagen sind <strong>BreakPilot-Eigenwerke</strong> (Lizenzregel R3 — Identifier-Verweis,
          eigene Lizenz). Vorlagen mit gesetzlicher Grundlage (z.B. VVT nach Art. 30 DSGVO,
          Loeschkonzept nach Art. 17 DSGVO) zitieren die jeweilige Rechtsquelle als R1.{' '}
          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
        </span>
      </div>
      {/* Status bar */}
      <div className="grid grid-cols-3 gap-4">
        <div className="bg-white rounded-xl border border-gray-200 p-5">
@@ -322,6 +334,23 @@ function DocumentGeneratorPageInner() {
        countsByStage={countsByStage}
      />
      {/* Bulk-Generate-Knopf — alle empfohlenen Dokumente in einem Rutsch */}
      <div className="flex items-center justify-between bg-emerald-50 border border-emerald-200 rounded p-3">
        <div className="text-sm text-gray-700">
          <b>Alle empfohlenen Dokumente in einem Rutsch generieren.</b>
          <div className="text-xs text-gray-600 mt-0.5">
            Profil + Scope-Antworten werden gegen die Empfehlungs-Regeln ausgewertet —
            markierte Templates werden als Drafts v1.0 in die Document-Library angelegt.
          </div>
        </div>
        <button
          className="px-4 py-2 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700 whitespace-nowrap"
          onClick={() => setShowBulkGenerate(true)}
        >
          Empfohlene generieren →
        </button>
      </div>
      {/* Recommended documents based on scope profile */}
      <RecommendedDocuments
        allTemplates={allTemplates}
@@ -381,6 +410,18 @@ function DocumentGeneratorPageInner() {
          )}
        </div>
      )}
      {showBulkGenerate && (
        <BulkGenerateModal
          allTemplates={allTemplates}
          context={context}
          extraPlaceholders={extraPlaceholders}
          enabledModules={enabledModules}
          companyProfile={state.companyProfile ?? null}
          complianceScope={state.complianceScope ?? null}
          onClose={() => setShowBulkGenerate(false)}
        />
      )}
    </div>
  )
 }
@@ -0,0 +1,350 @@
 'use client'
 /**
 * Document-Library — zentraler Tab für alle für den Mandanten erzeugten
 * Dokumente. Listet compliance_legal_documents + jeweils latest/published
 * Version, gruppiert nach Empfehlungs-Klassifikation (required/recommended/
 * optional/uncategorized).
 *
 * Recommend-Engine (compliance_template_rules) wird gegen das aktuelle
 * CompanyProfile + ComplianceScope ausgewertet, um document_type → Klassifi-
 * kation zu mappen.
 *
 * Click auf eine Zeile → /sdk/workflow?doc=<uuid> (Workflow-Editor öffnet
 * den Doc automatisch).
 */
 import { useEffect, useMemo, useState } from 'react'
 import { useRouter } from 'next/navigation'
 import { useSDK } from '@/lib/sdk'
 import { StepHeader } from '@/components/sdk/StepHeader'
 import type { CompanyProfile } from '@/lib/sdk/types/company-profile'
 import type { ComplianceScopeState } from '@/lib/sdk/compliance-scope-types/state'
 const DOCS_ENDPOINT = '/api/sdk/v1/compliance/legal-documents/documents-with-versions'
 const RECOMMEND_ENDPOINT = '/api/sdk/v1/compliance/recommend'
 type Classification = 'required' | 'recommended' | 'optional' | 'uncategorized'
 type VersionStatus =
  | 'draft' | 'review' | 'review_internal' | 'review_client'
  | 'approved' | 'published' | 'archived' | 'rejected'
 interface DocVersion {
  id: string
  document_id: string
  version: string
  status: VersionStatus
  title: string
  created_at: string
  updated_at: string | null
  approved_internal_at: string | null
  approved_client_at: string | null
 }
 interface DocWithVersions {
  id: string
  type: string
  name: string
  description: string | null
  created_at: string
  updated_at: string | null
  latest_version: DocVersion | null
  published_version: DocVersion | null
 }
 interface Rec {
  document_type: string
  title: string
  classification: 'required' | 'recommended' | 'optional'
  source_citation: string
  override_applied: boolean
 }
 export default function DocumentLibraryPage() {
  const { state } = useSDK()
  const router = useRouter()
  const [docs, setDocs] = useState<DocWithVersions[]>([])
  const [recommendations, setRecommendations] = useState<Map<string, Rec>>(new Map())
  const [loading, setLoading] = useState(true)
  const [error, setError] = useState<string | null>(null)
  const [search, setSearch] = useState('')
  const [statusFilter, setStatusFilter] = useState<VersionStatus | 'all'>('all')
  useEffect(() => {
    let cancelled = false
    async function load() {
      setLoading(true)
      setError(null)
      try {
        const profile = buildRecommendProfile(state.companyProfile ?? null, state.complianceScope ?? null)
        const [docsRes, recRes] = await Promise.all([
          fetch(DOCS_ENDPOINT),
          fetch(RECOMMEND_ENDPOINT, {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify({
              profile,
              compliance_depth_level: profile.compliance_depth_level ?? 'L2',
            }),
          }),
        ])
        if (!docsRes.ok) throw new Error(`Docs-API: ${docsRes.status}`)
        if (!recRes.ok) throw new Error(`Recommend-API: ${recRes.status}`)
        const docsData = await docsRes.json() as { documents: DocWithVersions[] }
        const recData = await recRes.json()
        const recMap = new Map<string, Rec>()
        for (const cls of ['required', 'recommended', 'optional'] as const) {
          for (const item of (recData[cls] ?? []) as Rec[]) {
            recMap.set(item.document_type, { ...item, classification: cls })
          }
        }
        if (!cancelled) {
          setDocs(docsData.documents ?? [])
          setRecommendations(recMap)
        }
      } catch (e) {
        if (!cancelled) setError((e as Error).message)
      } finally {
        if (!cancelled) setLoading(false)
      }
    }
    load()
    return () => { cancelled = true }
  }, [state.companyProfile, state.complianceScope])
  const grouped = useMemo(() => {
    const groups: Record<Classification, DocWithVersions[]> = {
      required: [], recommended: [], optional: [], uncategorized: [],
    }
    const q = search.toLowerCase().trim()
    for (const doc of docs) {
      // Filter
      if (q) {
        const hit =
          doc.name.toLowerCase().includes(q) ||
          doc.type.toLowerCase().includes(q) ||
          (doc.description?.toLowerCase() ?? '').includes(q)
        if (!hit) continue
      }
      if (statusFilter !== 'all') {
        const s = doc.latest_version?.status
        if (s !== statusFilter) continue
      }
      const rec = recommendations.get(doc.type)
      const klass: Classification = rec?.classification ?? 'uncategorized'
      groups[klass].push(doc)
    }
    return groups
  }, [docs, recommendations, search, statusFilter])
  const totalShown = grouped.required.length + grouped.recommended.length
    + grouped.optional.length + grouped.uncategorized.length
  return (
    <div className="h-full flex flex-col bg-white">
      <StepHeader
        stepId="document-library"
        title="Document Library"
        description="Zentrale Übersicht aller erzeugten Dokumente — gruppiert nach Empfehlung (Pflicht/Empfohlen/Optional), gefiltert nach Status. Klick auf eine Zeile öffnet den Workflow-Editor."
      />
      <div className="px-5 py-3 border-b border-gray-200 bg-gray-50 flex items-center gap-3 flex-wrap">
        <input
          type="text"
          placeholder="Suchen (Titel, Type, Beschreibung)…"
          value={search}
          onChange={(e) => setSearch(e.target.value)}
          className="text-sm px-3 py-1.5 border border-gray-300 rounded w-72"
        />
        <select
          className="text-sm px-2 py-1.5 border border-gray-300 rounded bg-white"
          value={statusFilter}
          onChange={(e) => setStatusFilter(e.target.value as VersionStatus | 'all')}
        >
          <option value="all">Alle Stati</option>
          <option value="draft">Entwurf</option>
          <option value="review_internal">DSB-Prüfung</option>
          <option value="review_client">Mandanten-Prüfung</option>
          <option value="approved">Freigegeben</option>
          <option value="published">Live</option>
          <option value="archived">Archiviert</option>
          <option value="rejected">Abgelehnt</option>
        </select>
        <div className="ml-auto text-xs text-gray-600">
          {loading ? 'lädt…' : `${totalShown} sichtbar · ${docs.length} insgesamt`}
        </div>
      </div>
      {error && (
        <div className="m-5 p-3 text-sm text-rose-800 bg-rose-50 border border-rose-200 rounded">
          {error}
        </div>
      )}
      <div className="flex-1 overflow-y-auto">
        {!loading && docs.length === 0 && (
          <div className="p-8 text-center text-sm text-gray-500">
            Noch keine Dokumente vorhanden. Generiere welche über den{' '}
            <a href="/sdk/document-generator" className="underline text-blue-700">Document Generator</a>{' '}
            (Bulk-Modus „Empfohlene generieren →").
          </div>
        )}
        <Group
          title="Pflichtdokumente"
          chipCls="bg-rose-100 text-rose-800 border-rose-300"
          docs={grouped.required}
          recommendations={recommendations}
          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
        />
        <Group
          title="Empfohlene Dokumente"
          chipCls="bg-amber-100 text-amber-800 border-amber-300"
          docs={grouped.recommended}
          recommendations={recommendations}
          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
        />
        <Group
          title="Optionale Dokumente"
          chipCls="bg-slate-100 text-slate-700 border-slate-300"
          docs={grouped.optional}
          recommendations={recommendations}
          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
        />
        <Group
          title="Nicht klassifiziert"
          chipCls="bg-gray-100 text-gray-600 border-gray-300"
          docs={grouped.uncategorized}
          recommendations={recommendations}
          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
        />
      </div>
    </div>
  )
 }
 function Group({
  title, chipCls, docs, recommendations, onOpen,
 }: {
  title: string
  chipCls: string
  docs: DocWithVersions[]
  recommendations: Map<string, Rec>
  onOpen: (id: string) => void
 }) {
  if (docs.length === 0) return null
  return (
    <section className="border-b border-gray-200">
      <h3 className="px-5 py-2 bg-gray-50 text-sm font-semibold text-gray-700 flex items-center gap-2">
        <span className={`px-2 py-0.5 text-xs rounded border ${chipCls}`}>{title}</span>
        <span className="text-xs font-normal text-gray-500">{docs.length}</span>
      </h3>
      <table className="w-full text-sm">
        <thead className="text-xs uppercase text-gray-500">
          <tr>
            <th className="px-5 py-2 text-left">Titel</th>
            <th className="px-3 py-2 text-left">Type</th>
            <th className="px-3 py-2 text-left">Status</th>
            <th className="px-3 py-2 text-left">Version</th>
            <th className="px-3 py-2 text-left">Geändert</th>
            <th className="px-3 py-2 text-left">Override</th>
          </tr>
        </thead>
        <tbody>
          {docs.map((doc) => (
            <DocRow key={doc.id} doc={doc} rec={recommendations.get(doc.type)} onOpen={onOpen} />
          ))}
        </tbody>
      </table>
    </section>
  )
 }
 function DocRow({
  doc, rec, onOpen,
 }: {
  doc: DocWithVersions
  rec: Rec | undefined
  onOpen: (id: string) => void
 }) {
  const latest = doc.latest_version
  const updated = doc.updated_at ?? doc.created_at
  return (
    <tr
      className="border-t border-gray-100 hover:bg-amber-50 cursor-pointer"
      onClick={() => onOpen(doc.id)}
    >
      <td className="px-5 py-2 font-medium text-gray-800">{doc.name}</td>
      <td className="px-3 py-2 text-xs"><code>{doc.type}</code></td>
      <td className="px-3 py-2">
        {latest ? <StatusBadge status={latest.status} /> : <span className="text-xs text-gray-400">—</span>}
      </td>
      <td className="px-3 py-2 text-xs text-gray-700">
        {latest?.version ?? '—'}
        {doc.published_version && doc.published_version.id !== latest?.id && (
          <span className="ml-1 text-emerald-700">(live: {doc.published_version.version})</span>
        )}
      </td>
      <td className="px-3 py-2 text-xs text-gray-500">
        {new Date(updated).toLocaleString('de-DE')}
      </td>
      <td className="px-3 py-2 text-xs">
        {rec?.override_applied && (
          <span className="px-1.5 py-0.5 bg-blue-50 text-blue-700 border border-blue-300 rounded">
            Override
          </span>
        )}
      </td>
    </tr>
  )
 }
 function StatusBadge({ status }: { status: VersionStatus }) {
  const map: Record<VersionStatus, { label: string; cls: string }> = {
    draft:            { label: 'Entwurf',        cls: 'bg-slate-100 text-slate-700 border-slate-300' },
    review:           { label: 'Prüfung',         cls: 'bg-amber-50 text-amber-800 border-amber-300' },
    review_internal:  { label: 'DSB-Prüfung',     cls: 'bg-amber-50 text-amber-800 border-amber-300' },
    review_client:    { label: 'Mandant-Prüfung', cls: 'bg-blue-50 text-blue-800 border-blue-300' },
    approved:         { label: 'Freigegeben',     cls: 'bg-emerald-50 text-emerald-800 border-emerald-300' },
    published:        { label: 'Live',            cls: 'bg-emerald-100 text-emerald-900 border-emerald-400 font-medium' },
    archived:         { label: 'Archiviert',      cls: 'bg-gray-100 text-gray-600 border-gray-300' },
    rejected:         { label: 'Abgelehnt',       cls: 'bg-rose-50 text-rose-800 border-rose-300' },
  }
  const { label, cls } = map[status] ?? { label: status, cls: 'bg-gray-100 text-gray-700 border-gray-300' }
  return <span className={`px-1.5 py-0.5 text-xs rounded border ${cls}`}>{label}</span>
 }
 // ----- Profile-Builder (gleich wie in BulkGenerateModal — könnten wir später extrahieren) -----
 function buildRecommendProfile(
  companyProfile: CompanyProfile | null,
  complianceScope: ComplianceScopeState | null,
 ): Record<string, unknown> {
  const profile: Record<string, unknown> = {}
  if (companyProfile) {
    if (companyProfile.employeeCount) {
      profile.org_employee_count = String(companyProfile.employeeCount).replace(/-/g, '_')
    }
    if (companyProfile.businessModel) {
      profile.org_business_model = String(companyProfile.businessModel).toLowerCase().replace(/\s+/g, '_')
    }
    if (companyProfile.isDataProcessor) {
      profile.comp_has_processors = 'yes'
    }
  }
  if (complianceScope?.answers) {
    for (const a of complianceScope.answers) {
      if (!a.questionId) continue
      if (a.value === null || a.value === undefined || a.value === '') continue
      profile[a.questionId] = a.value
    }
  }
  if (complianceScope?.decision?.determinedLevel) {
    profile.compliance_depth_level = complianceScope.decision.determinedLevel
  }
  return profile
 }
@@ -132,6 +132,16 @@ export default function DSFAPage() {
        )}
      </StepHeader>
      <div className="px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
        <span className="font-semibold">Quellen &amp; Lizenz:</span>
        <span>
          Inhalte gemaess <strong>DSGVO Art. 35</strong> (EU 2016/679) — Lizenzregel R1
          (Hoheitsrecht/EU_LAW, woertlich uebernehmbar). Vorlagen-Texte aus
          Aufsichtsbehoerden ebenfalls R1.{' '}
          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
        </span>
      </div>
      {/* DSFA Requirement Check */}
      {dsfaCheck.required && dsfas.length === 0 && (
        <div className="bg-red-50 border border-red-200 rounded-xl p-5">
@@ -87,7 +87,7 @@ export function HazardComparisonTable({ matched, missing, extra }: Props) {
      <div className="overflow-x-auto">
        {tab === 'matched' && <MatchedTable pairs={realMatched} clarStatusByHazard={clarStatusByHazard} projectId={projectId} />}
        {tab === 'missing' && <MissingTable entries={allMissing} />}
-        {tab === 'extra' && <ExtraTable entries={allExtra} />}
+        {tab === 'extra' && <ExtraTable entries={allExtra} clarStatusByHazard={clarStatusByHazard} projectId={projectId} />}
      </div>
    </div>
  )
@@ -175,6 +175,73 @@ function formatLifecycles(raw: string): string {
  return raw.split(',').map(s => s.trim()).map(s => LIFECYCLE_LABELS[s] || s).join(', ')
 }
 function Chevron({ open }: { open: boolean }) {
  return (
    <svg className={`w-3 h-3 text-gray-400 transition-transform ${open ? 'rotate-90' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor">
      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5l7 7-7 7" />
    </svg>
  )
 }
 /** Ground Truth (professional) detail block — reused by matched + missing rows. */
 function GTDetailBlock({ gt }: { gt: GroundTruthEntry }) {
  return (
    <div className="space-y-2">
      <div className="font-semibold text-red-700 dark:text-red-400 uppercase text-[10px]">Ground Truth (Fachmann)</div>
      <DetailRow label="Gefaehrdung" gt={gt.hazard_type} />
      <DetailRow label="Ursache" gt={gt.hazard_cause} />
      <DetailRow label="Gefahrenstelle" gt={gt.component_zone} />
      <DetailRow label="Lebensphasen" gt={gt.lifecycle_phases?.join(', ') || '-'} />
      <DetailRow label="Risiko" gt={`F=${gt.risk_in.f} W=${gt.risk_in.w} P=${gt.risk_in.p} S=${gt.risk_in.s} => R=${gt.risk_in.r}`} />
      {gt.risk_out.r > 0 && (
        <DetailRow label="Restrisiko" gt={`F=${gt.risk_out.f} W=${gt.risk_out.w} P=${gt.risk_out.p} S=${gt.risk_out.s} => R=${gt.risk_out.r}`} />
      )}
      <DetailRow label="Massnahmen" gt={gt.measures?.join('\n') || '-'} multiline />
      <DetailRow label="Typ" gt={gt.measure_type || '-'} />
      {gt.norm_references?.length > 0 && (
        <DetailRow label="Normen" gt={gt.norm_references.join(', ')} />
      )}
      <DetailRow label="Hinreichend" gt={gt.sufficient ? 'JA' : 'NEIN'} />
      {gt.comment && <DetailRow label="Kommentar" gt={gt.comment} />}
    </div>
  )
 }
 /** Engine (automatic) detail block — reused by matched + extra rows. */
 function EngineDetailBlock({ engine, clarStatus, projectId }: {
  engine: HazardSummary; clarStatus?: HazardClarStatus; projectId?: string
 }) {
  return (
    <div className="space-y-2">
      <div className="font-semibold text-purple-700 dark:text-purple-400 uppercase text-[10px]">Engine (automatisch)</div>
      <DetailRow label="Gefaehrdung" gt={engine.name} />
      <DetailRow label="Szenario" gt={engine.scenario || extractScenario(engine.description) || '-'} />
      <DetailRow label="Gefahrenstelle" gt={engine.zone || '-'} />
      {engine.lifecycle_phase && (
        <DetailRow label="Lebensphasen" gt={formatLifecycles(engine.lifecycle_phase)} />
      )}
      <DetailRow label="Moeglicher Schaden" gt={engine.possible_harm || '-'} />
      <DetailRow label="Trigger" gt={engine.trigger_event || '-'} />
      {engine.affected_person && (
        <DetailRow label="Betroffene Personen" gt={engine.affected_person} />
      )}
      {engine.mitigations && engine.mitigations.length > 0 ? (
        <DetailRow label="Massnahmen" gt={engine.mitigations.join('\n')} multiline />
      ) : (
        <DetailRow label="Massnahmen" gt="(keine zugeordnet)" />
      )}
      {clarStatus && clarStatus.total > 0 && (
        <ClarificationBanner status={clarStatus} projectId={projectId} />
      )}
      {(() => {
        const norms = extractEngineNorms(engine.description)
        if (norms.length === 0) return null
        return <DetailRow label="Referenzierte Normen" gt={norms.join(' | ')} />
      })()}
    </div>
  )
 }
 /** Side-by-side detail comparison of GT entry vs. Engine hazard */
 function DetailComparison({ gt, engine, clarStatus, projectId }: {
  gt: GroundTruthEntry
@@ -184,53 +251,8 @@ function DetailComparison({ gt, engine, clarStatus, projectId }: {
 }) {
  return (
    <div className="grid grid-cols-2 gap-4 text-xs">
-      {/* Left: Ground Truth */}
+      <GTDetailBlock gt={gt} />
-      <div className="space-y-2">
+      <EngineDetailBlock engine={engine} clarStatus={clarStatus} projectId={projectId} />
        <div className="font-semibold text-red-700 dark:text-red-400 uppercase text-[10px]">Ground Truth (Fachmann)</div>
        <DetailRow label="Gefaehrdung" gt={gt.hazard_type} />
        <DetailRow label="Ursache" gt={gt.hazard_cause} />
        <DetailRow label="Gefahrenstelle" gt={gt.component_zone} />
        <DetailRow label="Lebensphasen" gt={gt.lifecycle_phases?.join(', ') || '-'} />
        <DetailRow label="Risiko" gt={`F=${gt.risk_in.f} W=${gt.risk_in.w} P=${gt.risk_in.p} S=${gt.risk_in.s} => R=${gt.risk_in.r}`} />
        {gt.risk_out.r > 0 && (
          <DetailRow label="Restrisiko" gt={`F=${gt.risk_out.f} W=${gt.risk_out.w} P=${gt.risk_out.p} S=${gt.risk_out.s} => R=${gt.risk_out.r}`} />
        )}
        <DetailRow label="Massnahmen" gt={gt.measures?.join('\n') || '-'} multiline />
        <DetailRow label="Typ" gt={gt.measure_type || '-'} />
        {gt.norm_references?.length > 0 && (
          <DetailRow label="Normen" gt={gt.norm_references.join(', ')} />
        )}
        <DetailRow label="Hinreichend" gt={gt.sufficient ? 'JA' : 'NEIN'} />
        {gt.comment && <DetailRow label="Kommentar" gt={gt.comment} />}
      </div>
      {/* Right: Engine */}
      <div className="space-y-2">
        <div className="font-semibold text-purple-700 dark:text-purple-400 uppercase text-[10px]">Engine (automatisch)</div>
        <DetailRow label="Gefaehrdung" gt={engine.name} />
        <DetailRow label="Szenario" gt={engine.scenario || extractScenario(engine.description) || '-'} />
        <DetailRow label="Gefahrenstelle" gt={engine.zone || '-'} />
        {engine.lifecycle_phase && (
          <DetailRow label="Lebensphasen" gt={formatLifecycles(engine.lifecycle_phase)} />
        )}
        <DetailRow label="Moeglicher Schaden" gt={engine.possible_harm || '-'} />
        <DetailRow label="Trigger" gt={engine.trigger_event || '-'} />
        {engine.affected_person && (
          <DetailRow label="Betroffene Personen" gt={engine.affected_person} />
        )}
        {engine.mitigations && engine.mitigations.length > 0 ? (
          <DetailRow label="Massnahmen" gt={engine.mitigations.join('\n')} multiline />
        ) : (
          <DetailRow label="Massnahmen" gt="(keine zugeordnet)" />
        )}
        {clarStatus && clarStatus.total > 0 && (
          <ClarificationBanner status={clarStatus} projectId={projectId} />
        )}
        {(() => {
          const norms = extractEngineNorms(engine.description)
          if (norms.length === 0) return null
          return <DetailRow label="Referenzierte Normen" gt={norms.join(' | ')} />
        })()}
      </div>
    </div>
  )
 }
@@ -310,6 +332,7 @@ function DetailRow({ label, gt, multiline }: { label: string; gt: string; multil
 }
 function MissingTable({ entries }: { entries: GroundTruthEntry[] }) {
  const [expanded, setExpanded] = useState<Record<number, boolean>>({})
  if (entries.length === 0) return <EmptyState text="Keine fehlenden Gefaehrdungen" />
  return (
    <table className="w-full text-xs">
@@ -324,22 +347,37 @@ function MissingTable({ entries }: { entries: GroundTruthEntry[] }) {
        </tr>
      </thead>
      <tbody className="divide-y divide-gray-100 dark:divide-gray-700">
-        {entries.map((e, i) => (
+        {entries.map((e, i) => {
-          <tr key={i} className="hover:bg-red-50/50">
+          const isOpen = expanded[i]
-            <td className="px-3 py-2 text-gray-400">{e.nr}</td>
+          return (
-            <td className="px-3 py-2 font-medium text-gray-800 dark:text-gray-200">{e.hazard_type}</td>
+            <React.Fragment key={i}>
-            <td className="px-3 py-2 text-gray-600 truncate max-w-[200px]">{e.hazard_cause}</td>
+              <tr className="hover:bg-red-50/50 cursor-pointer" onClick={() => setExpanded(p => ({ ...p, [i]: !p[i] }))}>
-            <td className="px-3 py-2 text-gray-500">{e.component_zone}</td>
+                <td className="px-3 py-2 text-gray-400">
-            <td className="px-3 py-2 text-center"><RiskBadge risk={e.risk_in.r} /></td>
+                  <div className="flex items-center gap-1"><Chevron open={isOpen} />{e.nr}</div>
-            <td className="px-3 py-2 text-gray-500">{e.measure_type}</td>
+                </td>
-          </tr>
+                <td className="px-3 py-2 font-medium text-gray-800 dark:text-gray-200">{e.hazard_type}</td>
-        ))}
+                <td className="px-3 py-2 text-gray-600 truncate max-w-[200px]">{e.hazard_cause}</td>
                <td className="px-3 py-2 text-gray-500">{e.component_zone}</td>
                <td className="px-3 py-2 text-center"><RiskBadge risk={e.risk_in.r} /></td>
                <td className="px-3 py-2 text-gray-500">{e.measure_type}</td>
              </tr>
              {isOpen && (
                <tr className="bg-gray-50/70 dark:bg-gray-850">
                  <td colSpan={6} className="px-4 py-3"><GTDetailBlock gt={e} /></td>
                </tr>
              )}
            </React.Fragment>
          )
        })}
      </tbody>
    </table>
  )
 }
-function ExtraTable({ entries }: { entries: HazardSummary[] }) {
+function ExtraTable({ entries, clarStatusByHazard, projectId }: {
  entries: HazardSummary[]; clarStatusByHazard: Record<string, HazardClarStatus>; projectId?: string
 }) {
  const [expanded, setExpanded] = useState<Record<number, boolean>>({})
  if (entries.length === 0) return <EmptyState text="Keine zusaetzlichen Engine-Gefaehrdungen" />
  return (
    <table className="w-full text-xs">
@@ -351,13 +389,27 @@ function ExtraTable({ entries }: { entries: HazardSummary[] }) {
        </tr>
      </thead>
      <tbody className="divide-y divide-gray-100 dark:divide-gray-700">
-        {entries.map((e, i) => (
+        {entries.map((e, i) => {
-          <tr key={i} className="hover:bg-gray-50 dark:hover:bg-gray-700/30">
+          const isOpen = expanded[i]
-            <td className="px-3 py-2 text-gray-800 dark:text-gray-200">{e.name}</td>
+          return (
-            <td className="px-3 py-2 text-gray-500">{e.category}</td>
+            <React.Fragment key={i}>
-            <td className="px-3 py-2 text-gray-400">{e.zone || '-'}</td>
+              <tr className="hover:bg-gray-50 dark:hover:bg-gray-700/30 cursor-pointer" onClick={() => setExpanded(p => ({ ...p, [i]: !p[i] }))}>
-          </tr>
+                <td className="px-3 py-2 text-gray-800 dark:text-gray-200">
-        ))}
+                  <div className="flex items-center gap-1"><Chevron open={isOpen} />{e.name}</div>
                </td>
                <td className="px-3 py-2 text-gray-500">{e.category}</td>
                <td className="px-3 py-2 text-gray-400">{e.zone || '-'}</td>
              </tr>
              {isOpen && (
                <tr className="bg-gray-50/70 dark:bg-gray-850">
                  <td colSpan={3} className="px-4 py-3">
                    <EngineDetailBlock engine={e} clarStatus={clarStatusByHazard[e.id]} projectId={projectId} />
                  </td>
                </tr>
              )}
            </React.Fragment>
          )
        })}
      </tbody>
    </table>
  )
@@ -0,0 +1,100 @@
 'use client'
 import type { RiskComparisonPair, RiskAgreement } from '../_hooks/useBenchmark'
 type Ampel = 'green' | 'yellow' | 'red'
 // EN-62061-style risk number R = S * (F + W + P) → traffic light (like the Excel).
 function ampelEN(r: number): Ampel {
  if (r >= 30) return 'red'
  if (r >= 18) return 'yellow'
  return 'green'
 }
 function ampelBand(band: string): Ampel {
  if (band === 'sehr hoch' || band === 'hoch') return 'red'
  if (band === 'wesentlich' || band === 'moeglich') return 'yellow'
  return 'green'
 }
 const cellColor: Record<Ampel, string> = {
  red: 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300',
  yellow: 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300',
  green: 'bg-green-100 text-green-700 dark:bg-green-900/40 dark:text-green-300',
 }
 function pctColor(p: number): Ampel {
  if (p >= 80) return 'green'
  if (p >= 50) return 'yellow'
  return 'red'
 }
 function Stat({ label, pct }: { label: string; pct: number }) {
  const c = pctColor(pct)
  return (
    <div className={`rounded-lg border-2 p-3 text-center ${c === 'green' ? 'border-green-200 dark:border-green-800' : c === 'yellow' ? 'border-yellow-200 dark:border-yellow-800' : 'border-red-200 dark:border-red-800'}`}>
      <div className={`text-xl font-bold ${c === 'green' ? 'text-green-600' : c === 'yellow' ? 'text-yellow-600' : 'text-red-600'}`}>{Math.round(pct)}%</div>
      <div className="text-[10px] text-gray-500 mt-0.5">{label}</div>
    </div>
  )
 }
 export function RiskComparison({ pairs, agreement }: { pairs?: RiskComparisonPair[]; agreement?: RiskAgreement }) {
  if (!pairs || pairs.length === 0) return null
  return (
    <div className="bg-white dark:bg-gray-800 rounded-lg border border-gray-200 dark:border-gray-700 p-4 space-y-4">
      <div>
        <h3 className="text-sm font-semibold text-gray-700 dark:text-gray-300">Risikozahlen-Vergleich (Fachmann vs. Tool)</h3>
        <p className="text-xs text-gray-500 mt-0.5">
          R = S × (F + W + P), Ampel wie in der Excel. Fine-Kinney (P×E×C) als zweite, US-anerkannte Bewertung.
        </p>
      </div>
      {agreement && agreement.n > 0 && (
        <div className="grid grid-cols-2 md:grid-cols-5 gap-3">
          <Stat label="Schwere S ±1" pct={agreement.severity_within1} />
          <Stat label="Haeufigkeit F ±1" pct={agreement.frequency_within1} />
          <Stat label="Wahrsch. W ±1" pct={agreement.probability_within1} />
          <Stat label="Vermeidb. P ±1" pct={agreement.avoidance_within1} />
          <Stat label="Ranking (FK)" pct={agreement.rank_concordance} />
        </div>
      )}
      <div className="overflow-x-auto">
        <table className="w-full text-xs">
          <thead>
            <tr className="text-gray-500 border-b border-gray-200 dark:border-gray-700">
              <th className="text-left py-1.5 px-2">Gefaehrdung</th>
              <th className="px-1 text-center" colSpan={5}>Fachmann · S F W P <strong>R</strong></th>
              <th className="px-1 text-center border-l border-gray-200 dark:border-gray-700" colSpan={5}>Tool · S F W P <strong>R</strong> / FK</th>
            </tr>
          </thead>
          <tbody>
            {pairs.map((p, i) => {
              const engR = p.eng_severity * (p.eng_frequency + p.eng_probability + p.eng_avoidance)
              return (
                <tr key={i} className="border-b border-gray-100 dark:border-gray-700/50">
                  <td className="py-1 px-2 text-gray-700 dark:text-gray-300">{p.hazard_name || '—'}</td>
                  <td className="text-center text-gray-500">{p.gt_severity}</td>
                  <td className="text-center text-gray-500">{p.gt_frequency}</td>
                  <td className="text-center text-gray-500">{p.gt_probability}</td>
                  <td className="text-center text-gray-500">{p.gt_avoidance}</td>
                  <td className={`text-center font-bold rounded ${cellColor[ampelEN(p.gt_risk)]}`}>{p.gt_risk}</td>
                  <td className="text-center text-gray-500 border-l border-gray-200 dark:border-gray-700">{p.eng_severity}</td>
                  <td className="text-center text-gray-500">{p.eng_frequency}</td>
                  <td className="text-center text-gray-500">{p.eng_probability}</td>
                  <td className="text-center text-gray-500">{p.eng_avoidance}</td>
                  <td className="text-center">
                    <span className={`inline-block font-bold rounded px-1.5 ${cellColor[ampelEN(engR)]}`}>{engR}</span>
                    <span className={`ml-1 inline-block rounded px-1 ${cellColor[ampelBand(p.fk_band)]}`} title={`Fine-Kinney ${p.fk_band}`}>FK&nbsp;{Math.round(p.fk_score)}</span>
                  </td>
                </tr>
              )
            })}
          </tbody>
        </table>
      </div>
    </div>
  )
 }
@@ -48,6 +48,20 @@ export interface CategoryScore {
  category: string; gt_count: number; match_count: number; coverage: number
 }
 export interface RiskComparisonPair {
  hazard_name: string
  gt_severity: number; gt_frequency: number; gt_probability: number; gt_avoidance: number; gt_risk: number
  eng_severity: number; eng_frequency: number; eng_probability: number; eng_avoidance: number
  fk_score: number; fk_band: string
 }
 export interface RiskAgreement {
  n: number
  severity_within1: number; frequency_within1: number
  probability_within1: number; avoidance_within1: number
  rank_concordance: number
 }
 export interface BenchmarkResult {
  coverage_score: number
  measure_coverage: number
@@ -58,6 +72,8 @@ export interface BenchmarkResult {
  extra_in_engine: HazardSummary[]
  category_breakdown: CategoryScore[]
  risk_rank_pairs: { gt_rank: number; engine_rank: number; hazard_name: string; gt_risk_score: number }[]
  risk_comparison?: RiskComparisonPair[]
  risk_agreement?: RiskAgreement
 }
 interface UseBenchmarkReturn {
@@ -6,6 +6,7 @@ import { useBenchmark } from './_hooks/useBenchmark'
 import { GTImportForm } from './_components/GTImportForm'
 import { HazardComparisonTable } from './_components/HazardComparisonTable'
 import { CategoryBreakdown } from './_components/CategoryBreakdown'
 import { RiskComparison } from './_components/RiskComparison'
 export default function BenchmarkPage() {
  const { projectId } = useParams<{ projectId: string }>()
@@ -102,6 +103,9 @@ export default function BenchmarkPage() {
          {/* Category Breakdown */}
          <CategoryBreakdown breakdown={result.category_breakdown || []} />
          {/* Risk-number comparison (tool vs professional) with traffic lights */}
          <RiskComparison pairs={result.risk_comparison} agreement={result.risk_agreement} />
          {/* Hazard Comparison Table */}
          <HazardComparisonTable
            matched={result.matched_pairs || []}
@@ -0,0 +1,36 @@
 import { describe, expect, it } from 'vitest'
 import { calculateAP } from './useFMEA'
 describe('calculateAP — AIAG-VDA 2019 Handbook Action Priority', () => {
  it('returns H for severity 10 with mid occurrence', () => {
    expect(calculateAP(10, 5, 5)).toBe('H')
  })
  it('returns H for severity 9 with low detection', () => {
    expect(calculateAP(9, 4, 7)).toBe('H')
  })
  it('returns M for severity 9 with low occurrence and good detection', () => {
    expect(calculateAP(9, 2, 5)).toBe('M')
  })
  it('returns L for severity 9 with very low occurrence and detection', () => {
    expect(calculateAP(9, 1, 4)).toBe('L')
  })
  it('returns H for severity 7 with high occurrence', () => {
    expect(calculateAP(7, 5, 1)).toBe('H')
  })
  it('returns M for severity 7 with mid occurrence', () => {
    expect(calculateAP(7, 3, 5)).toBe('M')
  })
  it('returns L for low-severity well-controlled mode', () => {
    expect(calculateAP(3, 1, 1)).toBe('L')
  })
  it('returns L for severity 5 with very low occurrence and detection', () => {
    expect(calculateAP(5, 1, 1)).toBe('L')
  })
 })
@@ -156,5 +156,52 @@ export function useFMEA(projectId: string) {
  // Get unique components for the suggest button
  const components = [...new Map(rows.map((r) => [r.component.id, r.component])).values()]
-  return { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions }
+  /**
   * Accept a suggested FM: build an FMEA row from the FM defaults, prepend it
   * to the table state, and remove the FM from the suggestion list.
   * Returns false if the (component, fm.id) combo already exists in rows.
   */
  function acceptSuggestion(fm: FailureMode, componentId: string): boolean {
    const comp = components.find((c) => c.id === componentId)
    if (!comp) return false
    const dup = rows.find((r) => r.component.id === componentId && r.failureMode.id === fm.id)
    if (dup) {
      // Still drop the suggestion so the UI does not keep offering it.
      setSuggestions((prev) => prev.filter((s) => s.id !== fm.id))
      return false
    }
    const s = fm.default_severity || 5
    const o = fm.default_occurrence || 5
    const d = fm.default_detection || 5
    const newRow: FMEARow = {
      component: comp,
      failureMode: fm,
      severity: s,
      occurrence: o,
      detection: d,
      rpz: s * o * d,
      ap: calculateAP(s, o, d),
    }
    setRows((prev) => [newRow, ...prev].sort((a, b) => b.rpz - a.rpz))
    setSuggestions((prev) => prev.filter((sg) => sg.id !== fm.id))
    return true
  }
  function rejectSuggestion(fmId: string) {
    setSuggestions((prev) => prev.filter((sg) => sg.id !== fmId))
  }
  return {
    rows,
    loading,
    stats,
    components,
    suggestFMs,
    suggesting,
    suggestions,
    suggestSource,
    setSuggestions,
    acceptSuggestion,
    rejectSuggestion,
  }
 }
@@ -1,6 +1,6 @@
 'use client'
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
 import { useParams } from 'next/navigation'
 import { useFMEA, type FMEARow } from './_hooks/useFMEA'
@@ -27,8 +27,17 @@ function rpzLabel(rpz: number): string {
 export default function FMEAPage() {
  const { projectId } = useParams<{ projectId: string }>()
-  const { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions } = useFMEA(projectId)
+  const { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions, acceptSuggestion, rejectSuggestion } = useFMEA(projectId)
  const [suggestComp, setSuggestComp] = useState<string | null>(null)
  const [acceptedCount, setAcceptedCount] = useState(0)
  // Reset accepted-count when a fresh suggestion run is loaded or the panel closes.
  useEffect(() => {
    if (suggesting) setAcceptedCount(0)
  }, [suggesting])
  useEffect(() => {
    if (suggestions.length === 0) setAcceptedCount(0)
  }, [suggestions.length])
  if (loading) {
    return (
@@ -97,26 +106,60 @@ export default function FMEAPage() {
      {suggestions.length > 0 && (
        <div className="bg-purple-50 dark:bg-purple-900/20 border border-purple-200 dark:border-purple-800 rounded-xl p-4">
          <div className="flex items-center justify-between mb-3">
-            <h3 className="text-sm font-semibold text-purple-800 dark:text-purple-300">
+            <div>
-              KI-Vorschlaege ({suggestions.length}) — {suggestSource === 'llm' ? 'LLM-generiert' : 'Bibliothek'}
+              <h3 className="text-sm font-semibold text-purple-800 dark:text-purple-300">
-            </h3>
+                KI-Vorschlaege ({suggestions.length}) — {suggestSource === 'llm' ? 'LLM-generiert' : 'Bibliothek-Fallback'}
              </h3>
              {acceptedCount > 0 && (
                <div className="text-xs text-green-700 dark:text-green-400 mt-0.5">
                  {acceptedCount} Vorschlag{acceptedCount > 1 ? 'e' : ''} uebernommen
                </div>
              )}
            </div>
            <button onClick={() => setSuggestions([])} className="text-xs text-purple-600 hover:text-purple-800">Schliessen</button>
          </div>
          <div className="space-y-2">
-            {suggestions.map((fm, i) => (
+            {suggestions.map((fm) => {
-              <div key={i} className="flex items-center justify-between bg-white dark:bg-gray-800 rounded-lg p-3 border border-purple-100 dark:border-purple-800">
+              const rpz = fm.default_severity * fm.default_occurrence * fm.default_detection
-                <div className="flex-1 min-w-0">
+              return (
-                  <div className="text-sm font-medium text-gray-900 dark:text-white">{fm.name_de}</div>
+                <div key={fm.id} className="flex items-start justify-between gap-3 bg-white dark:bg-gray-800 rounded-lg p-3 border border-purple-100 dark:border-purple-800">
-                  <div className="text-xs text-gray-500 mt-0.5">{fm.effect}</div>
+                  <div className="flex-1 min-w-0">
-                  <div className="flex gap-3 mt-1 text-xs text-gray-400">
+                    <div className="text-sm font-medium text-gray-900 dark:text-white">{fm.name_de}</div>
-                    <span>S={fm.default_severity}</span>
+                    <div className="text-xs text-gray-500 mt-0.5">{fm.effect}</div>
-                    <span>O={fm.default_occurrence}</span>
+                    <div className="flex gap-3 mt-1 text-xs text-gray-400">
-                    <span>D={fm.default_detection}</span>
+                      <span>S={fm.default_severity}</span>
-                    <span className="font-bold">RPZ={fm.default_severity * fm.default_occurrence * fm.default_detection}</span>
+                      <span>O={fm.default_occurrence}</span>
                      <span>D={fm.default_detection}</span>
                      <span className={`font-bold ${rpz > 200 ? 'text-red-600' : rpz > 100 ? 'text-orange-600' : 'text-gray-500'}`}>RPZ={rpz}</span>
                    </div>
                  </div>
                  <div className="flex items-center gap-1.5 shrink-0">
                    <button
                      onClick={() => {
                        if (!suggestComp) return
                        const ok = acceptSuggestion(fm, suggestComp)
                        if (ok) setAcceptedCount((c) => c + 1)
                      }}
                      disabled={!suggestComp}
                      className="px-3 py-1.5 bg-green-600 hover:bg-green-700 disabled:opacity-50 disabled:cursor-not-allowed text-white text-xs font-medium rounded transition-colors"
                      title="Diesen Fehlermodus der FMEA-Tabelle hinzufuegen"
                    >
                      Uebernehmen
                    </button>
                    <button
                      onClick={() => rejectSuggestion(fm.id)}
                      className="px-3 py-1.5 bg-gray-200 dark:bg-gray-700 hover:bg-gray-300 dark:hover:bg-gray-600 text-gray-700 dark:text-gray-300 text-xs font-medium rounded transition-colors"
                      title="Diesen Vorschlag verwerfen"
                    >
                      Ablehnen
                    </button>
                  </div>
                </div>
-              </div>
+              )
-            ))}
+            })}
          </div>
          <div className="text-[10px] text-purple-700 dark:text-purple-400 mt-3">
            Hinweis: Uebernommene Fehlermodi erscheinen sofort in der Tabelle unten. Bewertung (S/O/D) ist anpassbar — Standardwerte aus der Bibliothek.
          </div>
        </div>
      )}
@@ -39,11 +39,19 @@ export function HazardTable({ hazards, lifecyclePhases, onDelete }: {
              .map((hazard) => (
                <tr key={hazard.id} className="hover:bg-gray-50 dark:hover:bg-gray-750 transition-colors">
                  <td className="px-4 py-3">
-                    <div className="flex items-center gap-2">
+                    <div className="flex items-center gap-2 flex-wrap">
                      <div className="text-sm font-medium text-gray-900 dark:text-white">{hazard.name}</div>
                      {hazard.name.startsWith('Auto:') && (
                        <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-green-100 text-green-700">Auto</span>
                      )}
                      {(hazard as { pattern_id?: string }).pattern_id && (
                        <span
                          className="inline-flex items-center px-1.5 py-0.5 rounded text-[10px] font-mono font-medium bg-slate-100 text-slate-700 border border-slate-200 cursor-help"
                          title={`Quelle: BreakPilot IACE Pattern-Engine (${(hazard as { pattern_id?: string }).pattern_id}). Lizenzregel R3 — Eigenwerk, kein externer Lizenz-Footer noetig. Pattern-Definition mit Norm-Referenzen siehe Library.`}
                        >
                          {(hazard as { pattern_id?: string }).pattern_id} · R3
                        </span>
                      )}
                    </div>
                    {hazard.description && (
                      <div className="text-xs text-gray-500 truncate max-w-[250px]">{hazard.description}</div>
@@ -0,0 +1,218 @@
 'use client'
 // LLM Gap-Review Modal — Task #8.
 //
 // Triggers POST /projects/:id/llm-gap-review on mount and lists the
 // LLM's gap suggestions with an Adopt / Reject UX. Adoption goes through
 // the regular CreateHazard / CreateMitigation endpoints — the modal
 // itself never mutates project state on its own.
 import { useEffect, useState } from 'react'
 type Suggestion = {
  kind: 'hazard' | 'mitigation'
  title: string
  description: string
  category?: string
  hazard_ref?: string
  pattern_ref?: string
  norm_refs?: string[]
  confidence?: 'high' | 'medium' | 'low'
  rationale?: string
 }
 type Response = {
  project_id: string
  source: 'llm_gap_review' | 'fallback_static'
  model?: string
  suggestions: Suggestion[]
  input_summary: {
    hazard_count: number
    mitigation_count: number
    limits_form_fields: number
  }
 }
 const CONF_COLOR: Record<string, string> = {
  high: 'bg-emerald-100 text-emerald-800 border-emerald-200',
  medium: 'bg-amber-100 text-amber-800 border-amber-200',
  low: 'bg-slate-100 text-slate-600 border-slate-200',
 }
 interface Props {
  projectId: string
  onClose: () => void
  onAdoptHazard?: (s: Suggestion) => Promise<void>
  onAdoptMitigation?: (s: Suggestion) => Promise<void>
 }
 export function LLMGapReviewModal({ projectId, onClose, onAdoptHazard, onAdoptMitigation }: Props) {
  const [data, setData] = useState<Response | null>(null)
  const [loading, setLoading] = useState(true)
  const [error, setError] = useState<string | null>(null)
  const [adopted, setAdopted] = useState<Set<number>>(new Set())
  const [rejected, setRejected] = useState<Set<number>>(new Set())
  const [adopting, setAdopting] = useState<number | null>(null)
  useEffect(() => {
    setLoading(true)
    fetch(`/api/sdk/v1/iace/projects/${projectId}/llm-gap-review`, { method: 'POST' })
      .then((r) => (r.ok ? r.json() : Promise.reject(`HTTP ${r.status}`)))
      .then(setData)
      .catch((e) => setError(String(e)))
      .finally(() => setLoading(false))
  }, [projectId])
  async function adopt(idx: number) {
    if (!data) return
    const s = data.suggestions[idx]
    setAdopting(idx)
    try {
      if (s.kind === 'hazard' && onAdoptHazard) await onAdoptHazard(s)
      else if (s.kind === 'mitigation' && onAdoptMitigation) await onAdoptMitigation(s)
      setAdopted((prev) => new Set(prev).add(idx))
    } catch (e) {
      setError(`Adopt fehlgeschlagen: ${e}`)
    } finally {
      setAdopting(null)
    }
  }
  function reject(idx: number) {
    setRejected((prev) => new Set(prev).add(idx))
  }
  return (
    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50">
      <div className="bg-white rounded-xl shadow-2xl w-full max-w-3xl max-h-[90vh] overflow-hidden flex flex-col">
        <div className="px-6 py-4 border-b border-gray-200 flex items-center justify-between flex-shrink-0">
          <div>
            <h2 className="text-lg font-semibold text-gray-900">KI-Gap-Review</h2>
            <p className="text-xs text-gray-500 mt-0.5">
              LLM-gestuetzte Suche nach fehlenden Gefaehrdungen und Schutzmassnahmen — Vorschlaege sind unverbindlich bis explizit uebernommen.
            </p>
          </div>
          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-2xl leading-none">&times;</button>
        </div>
        <div className="flex-1 overflow-y-auto p-6 space-y-3">
          {loading && (
            <div className="text-center py-12">
              <div className="animate-spin rounded-full h-10 w-10 border-b-2 border-purple-600 mx-auto" />
              <p className="text-sm text-gray-500 mt-3">LLM laeuft (Qwen/Claude). Das kann bis zu 30 Sekunden dauern.</p>
            </div>
          )}
          {error && (
            <div className="bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">
              Fehler: {error}
            </div>
          )}
          {data && (
            <>
              <div className="text-xs text-gray-500 flex items-center gap-3 border-b border-gray-100 pb-2">
                <span>
                  Eingabe: {data.input_summary.hazard_count} Gefaehrdungen,{' '}
                  {data.input_summary.mitigation_count} Massnahmen, {data.input_summary.limits_form_fields} Grenzen-Felder
                </span>
                <span className="text-gray-300">·</span>
                <span>
                  Quelle: {data.source === 'llm_gap_review'
                    ? `LLM (${data.model ?? 'unbekannt'})`
                    : 'Statische Fallback-Liste'}
                </span>
              </div>
              {data.suggestions.length === 0 && (
                <div className="text-center text-gray-500 py-12 text-sm">
                  Keine Lueckenvorschlaege. Die deterministische Pattern-Engine hat vermutlich bereits alle Standard-Gefaehrdungen abgedeckt.
                </div>
              )}
              {data.suggestions.map((s, i) => {
                const isAdopted = adopted.has(i)
                const isRejected = rejected.has(i)
                const isWorking = adopting === i
                return (
                  <div
                    key={i}
                    className={`border rounded-lg p-3 ${
                      isAdopted ? 'border-emerald-200 bg-emerald-50' :
                      isRejected ? 'border-slate-200 bg-slate-50 opacity-50' :
                      'border-gray-200 bg-white'
                    }`}
                  >
                    <div className="flex items-start justify-between gap-3">
                      <div className="flex-1 min-w-0">
                        <div className="flex items-center gap-2 flex-wrap mb-1">
                          <span className={`px-1.5 py-0.5 text-[10px] rounded font-medium ${
                            s.kind === 'hazard' ? 'bg-red-100 text-red-700' : 'bg-blue-100 text-blue-700'
                          }`}>
                            {s.kind === 'hazard' ? 'Gefaehrdung' : 'Massnahme'}
                          </span>
                          {s.category && (
                            <span className="px-1.5 py-0.5 text-[10px] rounded bg-gray-100 text-gray-700">{s.category}</span>
                          )}
                          {s.confidence && (
                            <span className={`px-1.5 py-0.5 text-[10px] rounded border ${CONF_COLOR[s.confidence]}`}>
                              {s.confidence}
                            </span>
                          )}
                          {(s.norm_refs ?? []).map((n) => (
                            <span key={n} className="px-1.5 py-0.5 text-[10px] rounded bg-indigo-50 text-indigo-700 font-mono">{n}</span>
                          ))}
                          {s.pattern_ref && (
                            <span className="px-1.5 py-0.5 text-[10px] rounded bg-purple-50 text-purple-700 font-mono">{s.pattern_ref}</span>
                          )}
                        </div>
                        <h3 className="text-sm font-semibold text-gray-900">{s.title}</h3>
                        <p className="text-xs text-gray-600 mt-1">{s.description}</p>
                        {s.hazard_ref && (
                          <p className="text-[11px] text-gray-500 mt-1">Bezogen auf: <em>{s.hazard_ref}</em></p>
                        )}
                        {s.rationale && (
                          <p className="text-[11px] text-gray-400 mt-1 italic">{s.rationale}</p>
                        )}
                      </div>
                      <div className="flex flex-col gap-1 flex-shrink-0">
                        {!isAdopted && !isRejected && (
                          <>
                            <button
                              onClick={() => adopt(i)}
                              disabled={isWorking}
                              className="px-3 py-1 text-xs bg-emerald-600 text-white rounded hover:bg-emerald-700 disabled:opacity-50"
                            >
                              {isWorking ? '…' : 'Uebernehmen'}
                            </button>
                            <button
                              onClick={() => reject(i)}
                              className="px-3 py-1 text-xs text-gray-600 border border-gray-300 rounded hover:bg-gray-50"
                            >
                              Verwerfen
                            </button>
                          </>
                        )}
                        {isAdopted && <span className="text-xs text-emerald-700 font-medium">✓ Uebernommen</span>}
                        {isRejected && <span className="text-xs text-gray-500">Verworfen</span>}
                      </div>
                    </div>
                  </div>
                )
              })}
            </>
          )}
        </div>
        <div className="px-6 py-3 border-t border-gray-200 bg-gray-50 flex items-center justify-between flex-shrink-0">
          <p className="text-[11px] text-gray-500">
            Hinweis: LLM-Vorschlaege sind NICHT die deterministische Engine-Output. Jede Uebernahme wird als <code>source=llm_gap_review</code> markiert.
          </p>
          <button onClick={onClose} className="px-3 py-1.5 text-sm border border-gray-300 rounded hover:bg-white">
            Schliessen
          </button>
        </div>
      </div>
    </div>
  )
 }
 export default LLMGapReviewModal
@@ -12,6 +12,7 @@ import type { ResidualFilter } from './_components/ResidualRiskPanel'
 import { LibraryModal } from './_components/LibraryModal'
 import { AutoSuggestPanel } from './_components/AutoSuggestPanel'
 import { CustomHazardModal } from './_components/CustomHazardModal'
 import { LLMGapReviewModal } from './_components/LLMGapReviewModal'
 import { useHazards } from './_hooks/useHazards'
 type ViewMode = 'list' | 'risk' | 'blocks'
@@ -22,6 +23,7 @@ export default function HazardsPage() {
  const h = useHazards(projectId)
  const [view, setView] = useState<ViewMode>('risk')
  const [showCustomModal, setShowCustomModal] = useState(false)
  const [showGapReview, setShowGapReview] = useState(false)
  const [residualFilter, setResidualFilter] = useState<ResidualFilter>('all')
  const [decisions, setDecisions] = useState<Record<string, boolean | null>>({})
@@ -104,6 +106,15 @@ export default function HazardsPage() {
            </svg>
            Eigene Gefaehrdung
          </button>
          <button
            onClick={() => setShowGapReview(true)}
            title="LLM (Qwen/Claude) prueft auf fehlende Gefaehrdungen und Massnahmen — Vorschlaege sind unverbindlich."
            className="flex items-center gap-2 px-3 py-2 border border-indigo-300 text-indigo-700 rounded-lg hover:bg-indigo-50 transition-colors text-sm">
            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" />
            </svg>
            KI-Gap-Review
          </button>
          <button onClick={() => h.setShowForm(true)}
            className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors text-sm">
            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
@@ -170,6 +181,13 @@ export default function HazardsPage() {
          onClose={() => setShowCustomModal(false)} />
      )}
      {showGapReview && (
        <LLMGapReviewModal
          projectId={projectId}
          onClose={() => setShowGapReview(false)}
        />
      )}
      {h.hazards.length > 0 ? (
        view === 'risk' ? (
          <>
@@ -0,0 +1,160 @@
 'use client'
 import { useEffect, useState } from 'react'
 import type { HazardLite, RiskSuggestion } from '../_hooks/useRiskAssessment'
 function enLevel(idx: number): string {
  if (idx >= 45) return 'kritisch'
  if (idx >= 30) return 'hoch'
  if (idx >= 18) return 'mittel'
  if (idx >= 9) return 'gering'
  return 'vernachlaessigbar'
 }
 function fkBand(score: number): string {
  if (score > 400) return 'sehr hoch'
  if (score > 200) return 'hoch'
  if (score > 70) return 'wesentlich'
  if (score > 20) return 'moeglich'
  return 'gering'
 }
 function badgeColor(label: string): string {
  switch (label) {
    case 'kritisch':
    case 'sehr hoch':
      return 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300'
    case 'hoch':
      return 'bg-orange-100 text-orange-700 dark:bg-orange-900/40 dark:text-orange-300'
    case 'mittel':
    case 'wesentlich':
      return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300'
    case 'gering':
    case 'moeglich':
      return 'bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300'
    default:
      return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-300'
  }
 }
 function Field({
  label,
  value,
  step,
  justification,
  onChange,
 }: {
  label: string
  value: number
  step?: number
  justification: string
  onChange: (v: number) => void
 }) {
  return (
    <div className="flex items-start gap-2">
      <div className="flex-1">
        <div className="text-xs font-medium text-gray-700 dark:text-gray-300">{label}</div>
        <div className="text-[11px] text-gray-400 leading-tight" title={justification}>
          {justification}
        </div>
      </div>
      <input
        type="number"
        step={step || 1}
        value={value}
        onChange={(e) => onChange(parseFloat(e.target.value) || 0)}
        className="w-16 px-2 py-1 text-sm rounded border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-800 text-right"
      />
    </div>
  )
 }
 function Panel({
  title,
  formula,
  score,
  badge,
  children,
 }: {
  title: string
  formula: string
  score: number
  badge: string
  children: React.ReactNode
 }) {
  return (
    <div className="rounded-lg border border-gray-200 dark:border-gray-700 p-3 space-y-2">
      <div className="flex items-center justify-between">
        <div className="text-sm font-semibold text-gray-800 dark:text-gray-200">{title}</div>
        <span className={`text-[11px] px-2 py-0.5 rounded-full ${badgeColor(badge)}`}>{badge}</span>
      </div>
      <div className="space-y-1.5">{children}</div>
      <div className="pt-2 border-t border-gray-100 dark:border-gray-700 flex items-center justify-between">
        <code className="text-[11px] text-gray-500">{formula}</code>
        <span className="text-sm font-bold text-gray-900 dark:text-gray-100">
          R = {Number.isInteger(score) ? score : score.toFixed(1)}
        </span>
      </div>
    </div>
  )
 }
 export function RiskModelCard({
  hazard,
  suggestion,
 }: {
  hazard: HazardLite
  suggestion?: RiskSuggestion
 }) {
  const [en, setEn] = useState({ s: 0, f: 0, w: 0, p: 0 })
  const [fk, setFk] = useState({ p: 0, e: 0, c: 0 })
  useEffect(() => {
    if (!suggestion) return
    setEn({
      s: suggestion.en62061.severity.value,
      f: suggestion.en62061.frequency.value,
      w: suggestion.en62061.probability.value,
      p: suggestion.en62061.avoidance.value,
    })
    setFk({
      p: suggestion.fine_kinney.probability.value,
      e: suggestion.fine_kinney.exposure.value,
      c: suggestion.fine_kinney.consequence.value,
    })
  }, [suggestion])
  if (!suggestion) {
    return (
      <div className="rounded-xl border border-gray-200 dark:border-gray-700 p-4 text-sm text-gray-500">
        {hazard.name} — keine Bewertung verfuegbar
      </div>
    )
  }
  const enScore = en.s * (en.f + en.w + en.p)
  const fkScore = fk.p * fk.e * fk.c
  return (
    <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4 space-y-3">
      <div className="flex items-center justify-between gap-3 flex-wrap">
        <div className="font-semibold text-gray-900 dark:text-gray-100">{hazard.name}</div>
        <span className="text-xs text-gray-400">Kontaktart: {suggestion.contact_mode}</span>
      </div>
      <div className="grid md:grid-cols-2 gap-4">
        <Panel title="EN-62061-Stil" formula={suggestion.en62061.formula} score={enScore} badge={enLevel(enScore)}>
          <Field label="Schwere S" value={en.s} justification={suggestion.en62061.severity.justification} onChange={(v) => setEn({ ...en, s: v })} />
          <Field label="Haeufigkeit F" value={en.f} justification={suggestion.en62061.frequency.justification} onChange={(v) => setEn({ ...en, f: v })} />
          <Field label="Wahrscheinlichkeit W" value={en.w} justification={suggestion.en62061.probability.justification} onChange={(v) => setEn({ ...en, w: v })} />
          <Field label="Vermeidbarkeit P" value={en.p} justification={suggestion.en62061.avoidance.justification} onChange={(v) => setEn({ ...en, p: v })} />
        </Panel>
        <Panel title="Fine-Kinney (US)" formula={suggestion.fine_kinney.formula} score={fkScore} badge={fkBand(fkScore)}>
          <Field label="Wahrscheinlichkeit P" value={fk.p} step={0.1} justification={suggestion.fine_kinney.probability.justification} onChange={(v) => setFk({ ...fk, p: v })} />
          <Field label="Exposition E" value={fk.e} step={0.5} justification={suggestion.fine_kinney.exposure.justification} onChange={(v) => setFk({ ...fk, e: v })} />
          <Field label="Konsequenz C" value={fk.c} justification={suggestion.fine_kinney.consequence.justification} onChange={(v) => setFk({ ...fk, c: v })} />
        </Panel>
      </div>
      <p className="text-[11px] text-gray-400">{suggestion.note}</p>
    </div>
  )
 }
@@ -0,0 +1,85 @@
 'use client'
 import { useEffect, useState } from 'react'
 export interface SuggestedValue {
  value: number
  justification: string
 }
 export interface RiskSuggestion {
  hazard_id: string
  contact_mode: string
  en62061: {
    severity: SuggestedValue
    frequency: SuggestedValue
    probability: SuggestedValue
    avoidance: SuggestedValue
    score: number
    level: string
    formula: string
  }
  fine_kinney: {
    probability: SuggestedValue
    exposure: SuggestedValue
    consequence: SuggestedValue
    score: number
    band: string
    action: string
    formula: string
  }
  note: string
 }
 export interface HazardLite {
  id: string
  name: string
  category: string
  scenario?: string
 }
 export function useRiskAssessment(projectId: string) {
  const [hazards, setHazards] = useState<HazardLite[]>([])
  const [suggestions, setSuggestions] = useState<Record<string, RiskSuggestion>>({})
  const [loading, setLoading] = useState(true)
  useEffect(() => {
    let cancelled = false
    async function load() {
      setLoading(true)
      try {
        const res = await fetch(`/api/sdk/v1/iace/projects/${projectId}/hazards`)
        const json = res.ok ? await res.json() : {}
        const hz: HazardLite[] = json.hazards || json || []
        if (cancelled) return
        setHazards(hz)
        const entries = await Promise.all(
          hz.map(async (h) => {
            try {
              const r = await fetch(
                `/api/sdk/v1/iace/projects/${projectId}/hazards/${h.id}/risk-suggestion`,
              )
              return r.ok ? ([h.id, (await r.json()) as RiskSuggestion] as const) : null
            } catch {
              return null
            }
          }),
        )
        if (cancelled) return
        const map: Record<string, RiskSuggestion> = {}
        for (const e of entries) if (e) map[e[0]] = e[1]
        setSuggestions(map)
      } catch (err) {
        console.error('Failed to load risk assessment:', err)
      } finally {
        if (!cancelled) setLoading(false)
      }
    }
    load()
    return () => {
      cancelled = true
    }
  }, [projectId])
  return { hazards, suggestions, loading }
 }
@@ -0,0 +1,41 @@
 'use client'
 import { useParams } from 'next/navigation'
 import { useRiskAssessment } from './_hooks/useRiskAssessment'
 import { RiskModelCard } from './_components/RiskModelCard'
 export default function RisikobewertungPage() {
  const params = useParams<{ projectId: string }>()
  const projectId = params.projectId
  const { hazards, suggestions, loading } = useRiskAssessment(projectId)
  return (
    <div className="space-y-6">
      <div>
        <h1 className="text-2xl font-bold text-gray-900 dark:text-gray-100">Risikobewertung</h1>
        <p className="text-sm text-gray-500 dark:text-gray-400 max-w-3xl mt-1">
          Zwei Modelle pro Gefaehrdung: <strong>EN-62061-Stil</strong> (F/W/P/S) und{' '}
          <strong>Fine-Kinney</strong> (P/E/C, US-anerkannt). BreakPilot schlaegt begruendete
          Werte aus oeffentlichen Datenquellen vor (ESAW/NIOSH/OSHA) — passen Sie sie nach Ihrer
          Erfahrung bzw. Ihren eigenen Normdaten an; das Tool rechnet die Formel live aus.
        </p>
      </div>
      {loading && (
        <div className="text-sm text-gray-500 dark:text-gray-400">Lade Gefaehrdungen…</div>
      )}
      {!loading && hazards.length === 0 && (
        <div className="rounded-xl border border-dashed border-gray-300 dark:border-gray-700 p-6 text-sm text-gray-500">
          Keine Gefaehrdungen vorhanden. Bitte zuerst im <strong>Hazard Log</strong> erzeugen.
        </div>
      )}
      <div className="space-y-4">
        {hazards.map((h) => (
          <RiskModelCard key={h.id} hazard={h} suggestion={suggestions[h.id]} />
        ))}
      </div>
    </div>
  )
 }
@@ -0,0 +1,95 @@
 'use client'
 import { useState } from 'react'
 import CIDHistoryModal from '@/app/sdk/audit-timeline/_components/CIDHistoryModal'
 export interface LastExport {
  cid: string
  filename: string
  size: number
  format: string
 }
 interface Props {
  lastExport: LastExport | null
  onDismiss: () => void
 }
 function formatBytes(n: number): string {
  if (n < 1024) return `${n} B`
  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`
  return `${(n / 1024 / 1024).toFixed(2)} MB`
 }
 export function ExportCIDBadge({ lastExport, onDismiss }: Props) {
  const [showHistory, setShowHistory] = useState(false)
  const [copied, setCopied] = useState(false)
  if (!lastExport) return null
  async function copyToClipboard() {
    if (!lastExport) return
    try {
      await navigator.clipboard.writeText(lastExport.cid)
      setCopied(true)
      setTimeout(() => setCopied(false), 1500)
    } catch {
      // clipboard not available — silent
    }
  }
  return (
    <>
      <div className="rounded-xl border border-emerald-200 bg-emerald-50 dark:border-emerald-800 dark:bg-emerald-900/20 p-4">
        <div className="flex items-start gap-3">
          <div className="rounded-full bg-emerald-500 p-1 flex-shrink-0 mt-0.5">
            <svg className="w-4 h-4 text-white" fill="none" viewBox="0 0 24 24" stroke="currentColor">
              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M5 13l4 4L19 7" />
            </svg>
          </div>
          <div className="flex-1 min-w-0">
            <div className="text-sm font-semibold text-emerald-900 dark:text-emerald-200">
              CE-Akte exportiert und in DSMS archiviert
            </div>
            <div className="mt-1 text-xs text-emerald-800 dark:text-emerald-300">
              {lastExport.filename} · {formatBytes(lastExport.size)} · Format {lastExport.format.toUpperCase()}
            </div>
            <div className="mt-2 flex items-center gap-2 flex-wrap">
              <span className="text-[10px] uppercase tracking-wide text-emerald-700 dark:text-emerald-400 font-semibold">
                CID
              </span>
              <code className="font-mono text-xs text-emerald-900 dark:text-emerald-100 bg-white/60 dark:bg-black/20 px-2 py-0.5 rounded select-all break-all">
                {lastExport.cid}
              </code>
              <button
                onClick={copyToClipboard}
                className="text-[11px] text-emerald-700 hover:text-emerald-900 dark:text-emerald-400 dark:hover:text-emerald-200 underline"
                title="CID in Zwischenablage kopieren"
              >
                {copied ? '✓ Kopiert' : 'Kopieren'}
              </button>
              <button
                onClick={() => setShowHistory(true)}
                className="text-[11px] text-emerald-700 hover:text-emerald-900 dark:text-emerald-400 dark:hover:text-emerald-200 underline"
                title="DSMS-Versionsverlauf und Diffs anzeigen"
              >
                Verlauf anzeigen
              </button>
            </div>
          </div>
          <button
            onClick={onDismiss}
            className="text-emerald-600 hover:text-emerald-800 dark:text-emerald-400 dark:hover:text-emerald-200 p-1 flex-shrink-0"
            title="Hinweis schliessen"
            aria-label="Hinweis schliessen"
          >
            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
            </svg>
          </button>
        </div>
      </div>
      {showHistory && <CIDHistoryModal cid={lastExport.cid} onClose={() => setShowHistory(false)} />}
    </>
  )
 }
@@ -4,6 +4,7 @@ import React, { useState, useEffect, useRef } from 'react'
 import { useParams } from 'next/navigation'
 import { TechFileEditor } from '@/components/sdk/iace/TechFileEditor'
 import { ReportGenerator } from './_components/ReportGenerator'
 import { ExportCIDBadge, type LastExport } from './_components/ExportCIDBadge'
 import { SECTION_TYPES, STATUS_CONFIG, EXPORT_FORMATS } from './_constants'
 interface TechFileSection {
@@ -116,6 +117,7 @@ export default function TechFilePage() {
  const [viewingSection, setViewingSection] = useState<TechFileSection | null>(null)
  const [exporting, setExporting] = useState(false)
  const [showExportMenu, setShowExportMenu] = useState(false)
  const [lastExport, setLastExport] = useState<LastExport | null>(null)
  const exportMenuRef = useRef<HTMLDivElement>(null)
  // Close export menu when clicking outside
@@ -224,6 +226,19 @@ export default function TechFilePage() {
        a.click()
        document.body.removeChild(a)
        window.URL.revokeObjectURL(url)
        // DSMS archive metadata is forwarded by the backend in X-DSMS-* headers
        // when archiving succeeded. If headers are absent (DSMS gateway down)
        // the export still works but no badge is shown.
        const cid = res.headers.get('x-dsms-cid')
        if (cid) {
          setLastExport({
            cid,
            filename: res.headers.get('x-dsms-filename') || `CE-Akte-${projectId}${extension}`,
            size: parseInt(res.headers.get('x-dsms-size') || '0', 10) || blob.size,
            format,
          })
        }
      }
    } catch (err) {
      console.error('Failed to export:', err)
@@ -305,6 +320,9 @@ export default function TechFilePage() {
        </div>
      </div>
      {/* DSMS-CID badge nach erfolgreichem Export */}
      <ExportCIDBadge lastExport={lastExport} onDismiss={() => setLastExport(null)} />
      {/* Progress */}
      <div className="bg-white dark:bg-gray-800 rounded-xl border border-gray-200 dark:border-gray-700 p-4">
        <div className="flex items-center justify-between mb-2">
@@ -13,6 +13,7 @@ const IACE_NAV_ITEMS = [
  { id: 'norms', label: 'Normenrecherche', href: '/norms', icon: 'book' },
  { id: 'components', label: 'Komponenten', href: '/components', icon: 'cube' },
  { id: 'hazards', label: 'Hazard Log', href: '/hazards', icon: 'warning' },
  { id: 'risikobewertung', label: 'Risikobewertung', href: '/risikobewertung', icon: 'activity' },
  { id: 'mitigations', label: 'Massnahmen', href: '/mitigations', icon: 'shield' },
  { id: 'clarifications', label: 'Klärungen', href: '/clarifications', icon: 'chat' },
  { id: 'verification', label: 'Verifikation', href: '/verification', icon: 'check' },
@@ -0,0 +1,176 @@
 'use client'
 import React, { useState } from 'react'
 interface NormMapping {
  region: string
  identifier: string
  relation: string
  confidence: string
  notes?: string
  source_url?: string
 }
 interface CrossRefResponse {
  norm_id: string
  mappings: NormMapping[]
  notes?: string
  batch_id?: string
 }
 const RELATION_COLORS: Record<string, string> = {
  identical: 'bg-green-100 dark:bg-green-900/30 text-green-700 dark:text-green-300',
  equivalent: 'bg-blue-100 dark:bg-blue-900/30 text-blue-700 dark:text-blue-300',
  partial: 'bg-yellow-100 dark:bg-yellow-900/30 text-yellow-700 dark:text-yellow-300',
  supersedes: 'bg-purple-100 dark:bg-purple-900/30 text-purple-700 dark:text-purple-300',
  superseded_by: 'bg-gray-200 dark:bg-gray-700 text-gray-600 dark:text-gray-400',
 }
 const CONFIDENCE_COLORS: Record<string, string> = {
  verified: 'text-emerald-700 dark:text-emerald-300 font-semibold',
  high: 'text-blue-700 dark:text-blue-300',
  medium: 'text-amber-700 dark:text-amber-300',
  low: 'text-red-700 dark:text-red-300',
 }
 const REGION_LABELS: Record<string, string> = {
  'EU-DIN': 'EU (DIN)',
  'INTL-ISO': 'International (ISO/IEC)',
  'US-ANSI': 'US — ANSI',
  'US-NFPA': 'US — NFPA',
  'US-UL': 'US — UL',
  'US-OSHA': 'US — OSHA',
  'US-ASME': 'US — ASME',
  'US-ASTM': 'US — ASTM',
  'US-SAE': 'US — SAE',
  'US-NIOSH': 'US — NIOSH',
  'US-FDA': 'US — FDA',
  'US-EPA': 'US — EPA',
  'US-NEMA': 'US — NEMA',
  'US-NSF': 'US — NSF',
  'US-API': 'US — API',
  'US-CPSC': 'US — CPSC',
  'US-AHRI': 'US — AHRI',
  'US-ASHRAE': 'US — ASHRAE',
  'US-FCC': 'US — FCC',
  'US-DOT': 'US — DOT',
  'CN-GB': 'China (GB)',
  'JP-JIS': 'Japan (JIS)',
 }
 function formatRegion(region: string): string {
  return REGION_LABELS[region] || region
 }
 interface Props {
  normId: string
 }
 export default function NormCrossRefPanel({ normId }: Props) {
  const [loaded, setLoaded] = useState(false)
  const [loading, setLoading] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [data, setData] = useState<CrossRefResponse | null>(null)
  const handleLoad = async () => {
    if (loaded || loading) return
    setLoading(true)
    setError(null)
    try {
      const res = await fetch(`/api/sdk/v1/iace/norms-library/${encodeURIComponent(normId)}/crossref`)
      if (!res.ok) throw new Error(`HTTP ${res.status}`)
      const json = (await res.json()) as CrossRefResponse
      setData(json)
      setLoaded(true)
    } catch (e: any) {
      setError(e?.message || 'Fehler beim Laden')
    } finally {
      setLoading(false)
    }
  }
  if (!loaded && !loading && !error) {
    return (
      <button
        type="button"
        onClick={handleLoad}
        className="text-xs text-purple-600 hover:text-purple-800 dark:text-purple-400 dark:hover:text-purple-200 font-medium underline-offset-2 hover:underline"
      >
        Internationale Aequivalenzen anzeigen (DIN/ANSI/GB/JIS)
      </button>
    )
  }
  if (loading) {
    return <div className="text-xs text-gray-500 dark:text-gray-400">Cross-Reference wird geladen…</div>
  }
  if (error) {
    return (
      <div className="text-xs text-red-600 dark:text-red-400">
        Cross-Reference konnte nicht geladen werden: {error}
      </div>
    )
  }
  if (!data || data.mappings.length === 0) {
    return (
      <div className="text-xs text-gray-500 dark:text-gray-400 italic">
        Fuer diese Norm liegt (noch) kein internationales Mapping in der Bibliothek vor.
      </div>
    )
  }
  return (
    <div className="space-y-2 mt-2 border-t border-gray-200 dark:border-gray-700 pt-2">
      <div className="text-xs font-medium text-gray-700 dark:text-gray-300">
        Internationale Aequivalenzen
      </div>
      {data.notes && (
        <div className="text-xs text-gray-500 dark:text-gray-400 italic">{data.notes}</div>
      )}
      <div className="overflow-x-auto">
        <table className="w-full text-xs">
          <thead>
            <tr className="text-gray-500 dark:text-gray-400 border-b border-gray-200 dark:border-gray-700">
              <th className="text-left py-1 pr-3 font-medium">Region</th>
              <th className="text-left py-1 pr-3 font-medium">Identifier</th>
              <th className="text-left py-1 pr-3 font-medium">Relation</th>
              <th className="text-left py-1 pr-3 font-medium">Confidence</th>
            </tr>
          </thead>
          <tbody>
            {data.mappings.map((m, i) => (
              <tr key={i} className="border-b border-gray-100 dark:border-gray-800 last:border-0 align-top">
                <td className="py-1 pr-3 text-gray-600 dark:text-gray-400 whitespace-nowrap">{formatRegion(m.region)}</td>
                <td className="py-1 pr-3 font-mono text-gray-800 dark:text-gray-200">
                  {m.source_url ? (
                    <a href={m.source_url} target="_blank" rel="noopener noreferrer" className="text-purple-600 hover:text-purple-800 dark:text-purple-400">
                      {m.identifier}
                    </a>
                  ) : (
                    m.identifier
                  )}
                  {m.notes && (
                    <div className="text-[10px] text-gray-500 dark:text-gray-400 mt-0.5 font-sans">{m.notes}</div>
                  )}
                </td>
                <td className="py-1 pr-3">
                  <span className={`inline-block px-1.5 py-0.5 rounded ${RELATION_COLORS[m.relation] || 'bg-gray-100 dark:bg-gray-800 text-gray-600'}`}>
                    {m.relation}
                  </span>
                </td>
                <td className={`py-1 pr-3 ${CONFIDENCE_COLORS[m.confidence] || 'text-gray-600'}`}>
                  {m.confidence}
                </td>
              </tr>
            ))}
          </tbody>
        </table>
      </div>
      <div className="text-[10px] text-gray-400 dark:text-gray-500">
        Vor Nutzung in einem Drittmarkt durch eine sachkundige Person verifizieren.
      </div>
    </div>
  )
 }
@@ -2,6 +2,7 @@
 import React, { useMemo, useState, useRef, useEffect } from 'react'
 import { SearchInput, FilterDropdown, Pagination, ExpandableRow, ExternalLinkIcon } from './LibraryTable'
 import NormCrossRefPanel from './NormCrossRefPanel'
 export interface Norm {
  id: string
@@ -128,6 +129,7 @@ export default function NormenTab({ norms }: Props) {
                        {n.tags.map((t) => <span key={t} className="px-1.5 py-0.5 rounded text-xs bg-purple-100 dark:bg-purple-900/30 text-purple-700 dark:text-purple-300">{t}</span>)}
                      </div>
                    )}
                    <NormCrossRefPanel normId={n.id} />
                  </div>
                }
              />
@@ -9,6 +9,7 @@ import { ObjectivesTab } from './_components/ObjectivesTab'
 import { AuditsTab } from './_components/AuditsTab'
 import { ReviewsTab } from './_components/ReviewsTab'
 import { AssetsTab } from './_components/AssetsTab'
 import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 // =============================================================================
 // MAIN PAGE
@@ -38,6 +39,13 @@ export default function ISMSPage() {
          <p className="text-xs text-amber-600 mt-2">
            Hinweis: Basierend auf eigenen Pruefaspekten, kein ISO-Normtext. Ersetzt kein Zertifizierungsaudit.
          </p>
          <div className="mt-3">
            <LicenseModuleBanner
              rule={3}
              sourceLabel="BreakPilot-ISMS-Methodik mit Verweis auf ISO/IEC 27001"
              detail="ISO-Normtexte sind copyright-geschuetzt (R3 — nur Identifier-Verweise). Eigene Pruefaspekte sind BreakPilot-Eigenwerk."
            />
          </div>
        </div>
        {/* Tabs */}
@@ -3,6 +3,7 @@
 import React, { useState, useEffect } from 'react'
 import { ControlListView } from '../control-library/components/ControlListView'
 import { useControlLibraryState } from '../control-library/components/useControlLibraryState'
 import { useCaseLabel, mcVerificationLabel } from '../control-library/components/mcMappingLabels'
 /**
 * Master Controls page — reuses the Control Library UI exactly,
@@ -38,7 +39,7 @@ export default function MasterControlsPage() {
  if (state.mode === 'detail' && state.selectedControl) {
    return (
      <MCDetail
-        mc={state.selectedControl}
+        mc={state.selectedControl as unknown as Record<string, unknown>}
        onBack={() => { state.setMode('list'); state.setSelectedControl(null) }}
      />
    )
@@ -65,6 +66,10 @@ export default function MasterControlsPage() {
      domainFilter={state.domainFilter}
      stateFilter={state.stateFilter}
      verificationFilter={state.verificationFilter}
      useCaseFilter={state.useCaseFilter}
      primaryOnly={state.primaryOnly}
      regulationFilter={state.regulationFilter}
      mappedFilter={state.mappedFilter}
      categoryFilter={state.categoryFilter}
      evidenceTypeFilter={state.evidenceTypeFilter}
      audienceFilter={state.audienceFilter}
@@ -76,6 +81,10 @@ export default function MasterControlsPage() {
      setDomainFilter={state.setDomainFilter}
      setStateFilter={state.setStateFilter}
      setVerificationFilter={state.setVerificationFilter}
      setUseCaseFilter={state.setUseCaseFilter}
      setPrimaryOnly={state.setPrimaryOnly}
      setRegulationFilter={state.setRegulationFilter}
      setMappedFilter={state.setMappedFilter}
      setCategoryFilter={state.setCategoryFilter}
      setEvidenceTypeFilter={state.setEvidenceTypeFilter}
      setAudienceFilter={state.setAudienceFilter}
@@ -116,8 +125,15 @@ const SEV = {
  low: 'bg-blue-100 text-blue-800',
 } as Record<string, string>
 interface MCMapping {
  use_cases?: Array<{ use_case: string; is_primary: boolean }>
  verification_method?: string | null
  regulations?: Array<{ source_regulation: string; is_primary: boolean; member_count: number }>
 }
 function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => void }) {
  const [members, setMembers] = useState<Member[]>([])
  const [mapping, setMapping] = useState<MCMapping>({})
  const [loading, setLoading] = useState(true)
  const [phaseFilter, setPhaseFilter] = useState('')
@@ -131,6 +147,10 @@ function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => v
    fetch(`/api/sdk/v1/master-controls?endpoint=control&id=${mcId}`)
      .then(r => r.ok ? r.json() : null)
      .then(data => {
        if (data) setMapping({
          use_cases: data.use_cases, verification_method: data.verification_method,
          regulations: data.regulations,
        })
        if (data?.members) setMembers(data.members)
        else if (data?.requirements) {
          // Fallback: parse requirements strings
@@ -164,6 +184,33 @@ function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => v
        <h1 className="text-2xl font-bold text-gray-900">{mcName}</h1>
        <p className="text-gray-500 mt-1">{mcId} — {totalControls} Atomic Controls</p>
        {/* Zuordnung: Use Cases + Verifikation + Quell-Regulierung */}
        {(mapping.use_cases?.length || mapping.verification_method || mapping.regulations?.length) ? (
          <div className="mt-4 flex flex-wrap items-center gap-2">
            {(mapping.use_cases || []).map(u => (
              <span key={u.use_case}
                className={`px-2 py-0.5 rounded text-xs font-medium ${u.is_primary
                  ? 'bg-purple-100 text-purple-800 border border-purple-300'
                  : 'bg-purple-50 text-purple-600'}`}
                title={u.is_primary ? 'Primärzweck' : 'Mehrfachzweck'}>
                {useCaseLabel(u.use_case)}{u.is_primary ? ' ★' : ''}
              </span>
            ))}
            {mapping.verification_method && (
              <span className="px-2 py-0.5 rounded text-xs font-medium bg-emerald-100 text-emerald-800 border border-emerald-300">
                Nachweis: {mcVerificationLabel(mapping.verification_method)}
              </span>
            )}
            {(mapping.regulations || []).slice(0, 4).map(r => (
              <span key={r.source_regulation}
                className="px-2 py-0.5 rounded text-xs bg-blue-50 text-blue-700"
                title={`${r.member_count} Member${r.is_primary ? ' · Primärquelle' : ''}`}>
                {r.source_regulation}{r.is_primary ? ' ★' : ''}
              </span>
            ))}
          </div>
        ) : null}
        {/* Phase badges */}
        <div className="flex flex-wrap gap-2 mt-4">
          {uniquePhases.map(p => (
@@ -5,6 +5,7 @@ import { SecurityItemCard } from './_components/SecurityItemCard'
 import { ItemModal } from './_components/ItemModal'
 import { useSecurityBacklog, EMPTY_NEW_ITEM } from './_hooks/useSecurityBacklog'
 import type { SecurityItem } from './_hooks/useSecurityBacklog'
 import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 export default function SecurityBacklogPage() {
  const [filter, setFilter] = useState<string>('all')
@@ -37,6 +38,11 @@ export default function SecurityBacklogPage() {
  return (
    <div className="space-y-6">
      <LicenseModuleBanner
        rule={2}
        sourceLabel="OWASP Top 10 / ASVS / SAMM (CC-BY-SA 4.0) + NIST SP 800-53 (US PD)"
        detail="OWASP-Inhalte zitiert mit Pflicht-Attribution 'OWASP Foundation, CC BY-SA 4.0'. NIST woertlich (R1)."
      />
      {/* Header */}
      <div className="flex items-center justify-between">
        <div>
@@ -0,0 +1,232 @@
 'use client'
 /**
 * Strukturierter Editor fuer JSONB-Conditions:
 *   { kind: 'all'|'any', clauses: [{field, op, value}] }
 *
 * Wird im RuleEditor verwendet. Reine Praesentations-Komponente — Parent
 * verwaltet State.
 */
 import type {
  ClauseOperator, RuleClause, RuleCondition,
 } from '../_types'
 import { OPERATOR_LABELS, PROFILE_FIELDS } from '../_types'
 interface Props {
  value: RuleCondition
  onChange: (next: RuleCondition) => void
  readOnly?: boolean
 }
 export default function ConditionBuilder({ value, onChange, readOnly }: Props) {
  const setKind = (kind: 'all' | 'any') => onChange({ ...value, kind })
  const setClause = (idx: number, clause: RuleClause) => {
    const next = [...value.clauses]
    next[idx] = clause
    onChange({ ...value, clauses: next })
  }
  const addClause = () =>
    onChange({
      ...value,
      clauses: [
        ...value.clauses,
        { field: PROFILE_FIELDS[0].key, op: 'eq', value: '' },
      ],
    })
  const removeClause = (idx: number) =>
    onChange({ ...value, clauses: value.clauses.filter((_, i) => i !== idx) })
  return (
    <div className="space-y-2">
      <div className="flex items-center gap-2">
        <span className="text-xs text-gray-600">Bedingung:</span>
        <select
          className="text-xs px-2 py-1 border border-gray-300 rounded"
          value={value.kind}
          disabled={readOnly}
          onChange={(e) => setKind(e.target.value as 'all' | 'any')}
        >
          <option value="all">ALLE Klauseln müssen zutreffen (AND)</option>
          <option value="any">MIND. EINE Klausel trifft zu (OR)</option>
        </select>
      </div>
      {value.clauses.length === 0 && (
        <div className="text-xs text-gray-500 italic px-1">
          Keine Klauseln — Regel gilt für jedes Profil.
        </div>
      )}
      <ul className="space-y-1">
        {value.clauses.map((clause, idx) => (
          <li key={idx} className="flex items-start gap-1 p-1.5 bg-gray-50 rounded border border-gray-200">
            <ClauseRow
              clause={clause}
              onChange={(c) => setClause(idx, c)}
              readOnly={!!readOnly}
            />
            {!readOnly && (
              <button
                className="text-xs px-1.5 py-0.5 text-rose-700 hover:bg-rose-50 rounded"
                onClick={() => removeClause(idx)}
                title="Klausel entfernen"
              >
                ×
              </button>
            )}
          </li>
        ))}
      </ul>
      {!readOnly && (
        <button
          className="text-xs px-2 py-1 border border-gray-300 rounded text-gray-700 hover:bg-gray-50"
          onClick={addClause}
        >
          + Klausel hinzufügen
        </button>
      )}
    </div>
  )
 }
 function ClauseRow({
  clause, onChange, readOnly,
 }: {
  clause: RuleClause
  onChange: (c: RuleClause) => void
  readOnly: boolean
 }) {
  const field = PROFILE_FIELDS.find((f) => f.key === clause.field) || PROFILE_FIELDS[0]
  const operators: ClauseOperator[] =
    field.type === 'enum'
      ? ['eq', 'neq', 'in', 'not_in', 'exists', 'truthy', 'falsy']
      : field.type === 'boolean'
      ? ['truthy', 'falsy', 'eq', 'neq']
      : field.type === 'number'
      ? ['eq', 'neq', 'gt', 'gte', 'lt', 'lte']
      : ['eq', 'neq', 'in', 'not_in', 'exists']
  const requiresValue = !['exists', 'truthy', 'falsy'].includes(clause.op)
  const multiValue = clause.op === 'in' || clause.op === 'not_in'
  return (
    <div className="flex-1 grid grid-cols-12 gap-1 items-center text-xs">
      <select
        className="col-span-4 px-1 py-0.5 border border-gray-300 rounded bg-white truncate"
        value={clause.field}
        disabled={readOnly}
        onChange={(e) => onChange({ ...clause, field: e.target.value })}
      >
        {PROFILE_FIELDS.map((f) => (
          <option key={f.key} value={f.key}>{f.label} ({f.key})</option>
        ))}
      </select>
      <select
        className="col-span-3 px-1 py-0.5 border border-gray-300 rounded bg-white"
        value={clause.op}
        disabled={readOnly}
        onChange={(e) => onChange({ ...clause, op: e.target.value as ClauseOperator })}
      >
        {operators.map((op) => (
          <option key={op} value={op}>{OPERATOR_LABELS[op]}</option>
        ))}
      </select>
      <div className="col-span-5">
        {requiresValue && (
          <ValueInput
            field={field}
            multi={multiValue}
            value={clause.value}
            onChange={(v) => onChange({ ...clause, value: v })}
            readOnly={readOnly}
          />
        )}
      </div>
    </div>
  )
 }
 function ValueInput({
  field, multi, value, onChange, readOnly,
 }: {
  field: typeof PROFILE_FIELDS[number]
  multi: boolean
  value: unknown
  onChange: (v: unknown) => void
  readOnly: boolean
 }) {
  if (field.type === 'enum' && field.options) {
    if (multi) {
      const selected = Array.isArray(value) ? (value as string[]) : []
      return (
        <select
          multiple
          className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white h-16"
          value={selected}
          disabled={readOnly}
          onChange={(e) => {
            const opts = Array.from(e.target.selectedOptions, (o) => o.value)
            onChange(opts)
          }}
        >
          {field.options.map((o) => (
            <option key={o.value} value={o.value}>{o.label}</option>
          ))}
        </select>
      )
    }
    return (
      <select
        className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white"
        value={typeof value === 'string' ? value : ''}
        disabled={readOnly}
        onChange={(e) => onChange(e.target.value)}
      >
        <option value="">— wählen —</option>
        {field.options.map((o) => (
          <option key={o.value} value={o.value}>{o.label}</option>
        ))}
      </select>
    )
  }
  if (field.type === 'number') {
    return (
      <input
        type="number"
        className="w-full px-1 py-0.5 border border-gray-300 rounded"
        value={typeof value === 'number' ? value : 0}
        disabled={readOnly}
        onChange={(e) => onChange(Number(e.target.value))}
      />
    )
  }
  if (field.type === 'boolean') {
    return (
      <select
        className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white"
        value={value ? 'true' : 'false'}
        disabled={readOnly}
        onChange={(e) => onChange(e.target.value === 'true')}
      >
        <option value="true">true</option>
        <option value="false">false</option>
      </select>
    )
  }
  return (
    <input
      type="text"
      className="w-full px-1 py-0.5 border border-gray-300 rounded"
      value={typeof value === 'string' ? value : ''}
      disabled={readOnly}
      onChange={(e) => onChange(e.target.value)}
    />
  )
 }
@@ -0,0 +1,414 @@
 'use client'
 /**
 * Rechte Spalte: Detail-Editor fuer die ausgewaehlte Regel.
 *
 * - Zeigt Live-Version + offenen Draft (falls vorhanden)
 * - Erlaubt Draft-Edit (classification, conditions, source_citation, rationale)
 * - Buttons: "Neuen Draft starten" (kopiert von Live), "Einreichen" (mit Pflicht
 *   change_summary-Modal), "Intern freigeben" (DSB), "Publish" (= Mandanten-Freigabe)
 * - Versionshistorie + Approval-Trail unten als Akkordeon
 */
 import { useEffect, useMemo, useState } from 'react'
 import type {
  ApprovalHistoryEntry, Classification, Rule, RuleCondition, RuleVersion,
 } from '../_types'
 import { CLASSIFICATION_LABELS, STATUS_LABELS } from '../_types'
 import ConditionBuilder from './ConditionBuilder'
 interface Props {
  rule: Rule
  versions: RuleVersion[]
  history: ApprovalHistoryEntry[]
  onCreateDraft: (payload: {
    classification: Classification
    conditions: RuleCondition
    source_citation: string
    rationale?: string | null
  }) => Promise<void>
  onUpdateDraft: (versionId: string, patch: {
    classification?: Classification
    conditions?: RuleCondition
    source_citation?: string
    rationale?: string | null
  }) => Promise<void>
  onSubmitForReview: (versionId: string, changeSummary: string) => Promise<void>
  onApprove: (versionId: string) => Promise<void>
  onPublish: (versionId: string) => Promise<void>
  onReject: (versionId: string, reason: string) => Promise<void>
 }
 export default function RuleEditor({
  rule, versions, history,
  onCreateDraft, onUpdateDraft,
  onSubmitForReview, onApprove, onPublish, onReject,
 }: Props) {
  const liveVersion = useMemo(
    () => versions.find((v) => v.is_live) || null,
    [versions],
  )
  const draftVersion = useMemo(
    () => versions.find((v) => ['draft', 'review'].includes(v.status)) || null,
    [versions],
  )
  // Edit-State
  const [classification, setClassification] = useState<Classification>('required')
  const [conditions, setConditions] = useState<RuleCondition>({ kind: 'all', clauses: [] })
  const [sourceCitation, setSourceCitation] = useState('')
  const [rationale, setRationale] = useState('')
  // Modal-State
  const [showSubmit, setShowSubmit] = useState(false)
  const [changeSummary, setChangeSummary] = useState('')
  const [showHistory, setShowHistory] = useState(false)
  const [rejectReason, setRejectReason] = useState('')
  const [showReject, setShowReject] = useState(false)
  // Sync Edit-State mit ausgewaehltem Version (Draft hat Vorrang)
  const sourceVersion = draftVersion || liveVersion
  useEffect(() => {
    if (sourceVersion) {
      setClassification(sourceVersion.classification)
      setConditions(sourceVersion.conditions)
      setSourceCitation(sourceVersion.source_citation)
      setRationale(sourceVersion.rationale || '')
    }
  }, [sourceVersion?.id])
  const isDraftMode = !!draftVersion && draftVersion.status === 'draft'
  const isReviewMode = !!draftVersion && draftVersion.status === 'review'
  const readOnly = !isDraftMode
  const handleCreateDraft = () => {
    onCreateDraft({
      classification: liveVersion?.classification || 'recommended',
      conditions: liveVersion?.conditions || { kind: 'all', clauses: [] },
      source_citation: liveVersion?.source_citation || '',
      rationale: liveVersion?.rationale,
    })
  }
  const handleSaveDraft = () => {
    if (!draftVersion) return
    onUpdateDraft(draftVersion.id, {
      classification, conditions, source_citation: sourceCitation, rationale,
    })
  }
  const handleSubmit = () => {
    if (!draftVersion || !changeSummary.trim()) return
    onSubmitForReview(draftVersion.id, changeSummary.trim())
    setShowSubmit(false)
    setChangeSummary('')
  }
  return (
    <div className="h-full flex flex-col overflow-hidden bg-white">
      <header className="px-5 py-3 border-b border-gray-200">
        <div className="flex items-baseline justify-between gap-3">
          <div className="min-w-0">
            <h2 className="text-base font-semibold text-gray-800 truncate">{rule.title}</h2>
            <div className="text-xs text-gray-500">
              <code>{rule.document_type}</code> · {rule.rule_key}
            </div>
          </div>
          <div className="flex items-center gap-2 text-xs text-gray-600">
            {liveVersion && (
              <span>
                Live: v{liveVersion.version_number} (
                <code>{liveVersion.classification}</code>)
              </span>
            )}
            {draftVersion && (
              <span className="px-1.5 py-0.5 bg-amber-100 text-amber-800 rounded border border-amber-300">
                Draft v{draftVersion.version_number} · {STATUS_LABELS[draftVersion.status]}
              </span>
            )}
          </div>
        </div>
      </header>
      <div className="flex-1 overflow-y-auto p-5 space-y-4">
        {!draftVersion && (
          <div className="bg-amber-50 border border-amber-200 rounded p-3 flex items-center justify-between">
            <span className="text-sm text-amber-800">
              Kein offener Draft. Starte einen neuen Draft, um die Regel zu ändern.
            </span>
            <button
              className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700"
              onClick={handleCreateDraft}
            >
              + Neuen Draft starten
            </button>
          </div>
        )}
        {/* Klassifikation */}
        <section>
          <label className="text-xs font-medium text-gray-700 block mb-1">
            Klassifikation
          </label>
          <select
            className="text-sm px-2 py-1 border border-gray-300 rounded"
            value={classification}
            disabled={readOnly}
            onChange={(e) => setClassification(e.target.value as Classification)}
          >
            {(['required', 'recommended', 'optional'] as const).map((c) => (
              <option key={c} value={c}>{CLASSIFICATION_LABELS[c]}</option>
            ))}
          </select>
        </section>
        {/* Bedingung */}
        <section>
          <label className="text-xs font-medium text-gray-700 block mb-1">
            Bedingung
          </label>
          <ConditionBuilder
            value={conditions}
            onChange={setConditions}
            readOnly={readOnly}
          />
        </section>
        {/* Source Citation (Pflicht) */}
        <section>
          <label className="text-xs font-medium text-gray-700 block mb-1">
            Quelle / Norm-Citation <span className="text-rose-600">*</span>
          </label>
          <input
            type="text"
            className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
            placeholder="z.B. § 12 HinSchG, Art. 28 DSGVO, EuGH C-311/18"
            value={sourceCitation}
            disabled={readOnly}
            onChange={(e) => setSourceCitation(e.target.value)}
          />
        </section>
        {/* Rationale */}
        <section>
          <label className="text-xs font-medium text-gray-700 block mb-1">
            Begründung / Rationale (optional)
          </label>
          <textarea
            className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
            rows={3}
            placeholder="Anwalts-Kommentar, warum die Regel so klassifiziert ist…"
            value={rationale}
            disabled={readOnly}
            onChange={(e) => setRationale(e.target.value)}
          />
        </section>
        {/* Versionshistorie */}
        <section>
          <button
            className="text-xs text-gray-600 hover:text-gray-800"
            onClick={() => setShowHistory((v) => !v)}
          >
            {showHistory ? '▾' : '▸'} Versionshistorie + Approval-Trail ({versions.length} Versionen)
          </button>
          {showHistory && (
            <HistoryList versions={versions} history={history} />
          )}
        </section>
      </div>
      {/* Footer-Aktionen */}
      <footer className="px-5 py-3 border-t border-gray-200 bg-gray-50 flex items-center gap-2 flex-wrap">
        {isDraftMode && (
          <>
            <button
              className="px-3 py-1.5 text-sm border border-gray-300 rounded text-gray-700 hover:bg-white"
              onClick={handleSaveDraft}
            >
              Draft speichern
            </button>
            <button
              className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700 disabled:opacity-50"
              disabled={!sourceCitation.trim()}
              onClick={() => setShowSubmit(true)}
              title={!sourceCitation.trim() ? 'Source Citation ist Pflicht' : ''}
            >
              Zur internen Prüfung einreichen
            </button>
          </>
        )}
        {isReviewMode && (
          <>
            <button
              className="px-3 py-1.5 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700"
              onClick={() => draftVersion && onApprove(draftVersion.id)}
            >
              Intern freigeben → Mandant
            </button>
            <button
              className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded hover:bg-blue-700"
              onClick={() => draftVersion && onPublish(draftVersion.id)}
              title="Wird sofort live (Test-Modus)"
            >
              Publish (sofort live)
            </button>
            <button
              className="px-3 py-1.5 text-sm border border-rose-300 text-rose-700 rounded hover:bg-rose-50"
              onClick={() => setShowReject(true)}
            >
              Ablehnen
            </button>
          </>
        )}
      </footer>
      {showSubmit && (
        <SubmitDialog
          value={changeSummary}
          onChange={setChangeSummary}
          onCancel={() => setShowSubmit(false)}
          onSubmit={handleSubmit}
        />
      )}
      {showReject && (
        <RejectDialog
          value={rejectReason}
          onChange={setRejectReason}
          onCancel={() => { setShowReject(false); setRejectReason('') }}
          onSubmit={() => {
            if (!draftVersion || !rejectReason.trim()) return
            onReject(draftVersion.id, rejectReason.trim())
            setShowReject(false); setRejectReason('')
          }}
        />
      )}
    </div>
  )
 }
 function HistoryList({ versions, history }: { versions: RuleVersion[]; history: ApprovalHistoryEntry[] }) {
  return (
    <div className="mt-2 space-y-2 text-xs">
      <div>
        <div className="font-medium text-gray-700 mb-1">Versionen:</div>
        <ul className="space-y-1">
          {versions.map((v) => (
            <li key={v.id} className="bg-white border border-gray-200 rounded p-2">
              <div className="flex items-center gap-2">
                <span className="font-medium">v{v.version_number}</span>
                <span className="px-1.5 py-0.5 bg-gray-100 rounded">{STATUS_LABELS[v.status]}</span>
                {v.is_live && <span className="text-emerald-700">● Live</span>}
                <span className="text-gray-500 ml-auto">
                  {new Date(v.created_at).toLocaleString('de-DE')}
                </span>
              </div>
              {v.change_summary && (
                <div className="mt-1 text-gray-600">Änderung: {v.change_summary}</div>
              )}
              {v.source_citation && (
                <div className="mt-0.5 text-gray-500">Quelle: {v.source_citation}</div>
              )}
            </li>
          ))}
        </ul>
      </div>
      <div>
        <div className="font-medium text-gray-700 mb-1">Approval-Trail:</div>
        <ul className="space-y-0.5">
          {history.map((h) => (
            <li key={h.id} className="text-gray-600">
              {new Date(h.created_at).toLocaleString('de-DE')} · {h.action}
              {h.approver && ` · ${h.approver}`}
              {h.comment && ` — ${h.comment}`}
            </li>
          ))}
        </ul>
      </div>
    </div>
  )
 }
 function SubmitDialog({
  value, onChange, onCancel, onSubmit,
 }: {
  value: string
  onChange: (s: string) => void
  onCancel: () => void
  onSubmit: () => void
 }) {
  return (
    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
      <div className="bg-white rounded-lg shadow-xl w-[520px]" onClick={(e) => e.stopPropagation()}>
        <header className="px-5 py-3 border-b border-gray-200">
          <h3 className="font-semibold">Zur internen Prüfung einreichen</h3>
        </header>
        <div className="p-5">
          <label className="text-xs font-medium text-gray-700">
            Was wurde geändert? <span className="text-rose-600">*</span>
          </label>
          <textarea
            autoFocus
            rows={4}
            className="w-full mt-1 text-sm px-2 py-1.5 border border-gray-300 rounded"
            placeholder="z.B. Schwelle auf 50 MA angehoben (BAG-Urteil X)"
            value={value}
            onChange={(e) => onChange(e.target.value)}
          />
        </div>
        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
          <button
            className="px-4 py-1.5 text-sm bg-amber-600 text-white rounded disabled:opacity-50"
            disabled={!value.trim()}
            onClick={onSubmit}
          >
            Einreichen
          </button>
        </footer>
      </div>
    </div>
  )
 }
 function RejectDialog({
  value, onChange, onCancel, onSubmit,
 }: {
  value: string
  onChange: (s: string) => void
  onCancel: () => void
  onSubmit: () => void
 }) {
  return (
    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
      <div className="bg-white rounded-lg shadow-xl w-[480px]" onClick={(e) => e.stopPropagation()}>
        <header className="px-5 py-3 border-b border-gray-200">
          <h3 className="font-semibold">Draft ablehnen</h3>
        </header>
        <div className="p-5">
          <label className="text-xs font-medium text-gray-700">
            Ablehnungsgrund <span className="text-rose-600">*</span>
          </label>
          <textarea
            autoFocus
            rows={3}
            className="w-full mt-1 text-sm px-2 py-1.5 border border-gray-300 rounded"
            value={value}
            onChange={(e) => onChange(e.target.value)}
          />
        </div>
        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
          <button
            className="px-4 py-1.5 text-sm bg-rose-600 text-white rounded disabled:opacity-50"
            disabled={!value.trim()}
            onClick={onSubmit}
          >
            Ablehnen
          </button>
        </footer>
      </div>
    </div>
  )
 }
@@ -0,0 +1,111 @@
 'use client'
 /**
 * Linke Spalte: Liste der globalen Empfehlungs-Regeln.
 *
 * Filterbar nach document_type. Klassifikations-Chip + Live-Indikator.
 */
 import { useMemo, useState } from 'react'
 import type { Rule, RuleVersion } from '../_types'
 import { CLASSIFICATION_LABELS, STATUS_LABELS } from '../_types'
 interface Props {
  rules: Rule[]
  versionsByRule: Record<string, RuleVersion | undefined>
  selectedRuleId: string | null
  onSelectRule: (ruleId: string) => void
 }
 export default function RuleList({
  rules, versionsByRule, selectedRuleId, onSelectRule,
 }: Props) {
  const [filter, setFilter] = useState('')
  const filtered = useMemo(() => {
    if (!filter.trim()) return rules
    const q = filter.toLowerCase()
    return rules.filter(
      (r) =>
        r.title.toLowerCase().includes(q) ||
        r.rule_key.toLowerCase().includes(q) ||
        r.document_type.toLowerCase().includes(q),
    )
  }, [rules, filter])
  return (
    <div className="h-full flex flex-col overflow-hidden border-r border-gray-200 bg-gray-50">
      <div className="p-3 border-b border-gray-200 bg-white">
        <input
          type="text"
          placeholder="Suchen (Titel, Key, Doc-Type)…"
          value={filter}
          onChange={(e) => setFilter(e.target.value)}
          className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
        />
        <div className="text-xs text-gray-500 mt-1">
          {filtered.length} von {rules.length} Regeln
        </div>
      </div>
      <ul className="flex-1 overflow-y-auto">
        {filtered.map((rule) => {
          const live = versionsByRule[rule.id]
          const isSelected = rule.id === selectedRuleId
          return (
            <li key={rule.id}>
              <button
                className={`w-full text-left px-3 py-2 border-b border-gray-100 hover:bg-white ${
                  isSelected ? 'bg-white border-l-4 border-l-amber-500' : ''
                }`}
                onClick={() => onSelectRule(rule.id)}
              >
                <div className="flex items-center gap-2 mb-0.5">
                  {live && (
                    <ClassificationChip classification={live.classification} />
                  )}
                  {!live && (
                    <span className="px-1.5 py-0.5 text-xs rounded bg-gray-200 text-gray-600">
                      ohne Live-Version
                    </span>
                  )}
                </div>
                <div className="text-sm font-medium text-gray-800 truncate">
                  {rule.title}
                </div>
                <div className="text-xs text-gray-500 truncate">
                  <code>{rule.document_type}</code> · {rule.rule_key}
                </div>
                {live && (
                  <div className="text-[10px] text-gray-500 mt-0.5">
                    v{live.version_number} · {STATUS_LABELS[live.status]}
                    {live.is_live && (
                      <span className="ml-1 inline-block w-1.5 h-1.5 bg-emerald-500 rounded-full" />
                    )}
                  </div>
                )}
              </button>
            </li>
          )
        })}
        {filtered.length === 0 && (
          <li className="px-3 py-4 text-sm text-gray-500 italic">
            Keine Regeln gefunden.
          </li>
        )}
      </ul>
    </div>
  )
 }
 function ClassificationChip({ classification }: { classification: 'required' | 'recommended' | 'optional' }) {
  const colorMap = {
    required: 'bg-rose-100 text-rose-800 border-rose-300',
    recommended: 'bg-amber-100 text-amber-800 border-amber-300',
    optional: 'bg-slate-100 text-slate-700 border-slate-300',
  } as const
  return (
    <span className={`px-1.5 py-0.5 text-[10px] font-medium rounded border ${colorMap[classification]}`}>
      {CLASSIFICATION_LABELS[classification]}
    </span>
  )
 }
@@ -0,0 +1,398 @@
 'use client'
 /**
 * Pro-Tenant Override-Liste: zeigt alle Overrides der eigenen Kanzlei
 * + Add/Edit/Delete.
 *
 * Reuse: Backend /tenant-rule-overrides (upsert via POST, delete via DELETE).
 * Read-only Klassifikation wird aus der live_version der Regel gezogen.
 */
 import { useMemo, useState } from 'react'
 import type {
  Classification, Rule, RuleVersion, TenantRuleOverride,
 } from '../_types'
 import { CLASSIFICATION_LABELS } from '../_types'
 interface Props {
  rules: Rule[]
  liveVersionsByRule: Record<string, RuleVersion | undefined>
  overrides: TenantRuleOverride[]
  onUpsert: (payload: {
    rule_id: string
    override_classification: Classification | null
    reason: string
  }) => Promise<void>
  onDelete: (overrideId: string) => Promise<void>
 }
 export default function TenantOverrideList({
  rules, liveVersionsByRule, overrides, onUpsert, onDelete,
 }: Props) {
  const [filter, setFilter] = useState('')
  const [showAdd, setShowAdd] = useState(false)
  const [editing, setEditing] = useState<TenantRuleOverride | null>(null)
  const [confirmDelete, setConfirmDelete] = useState<TenantRuleOverride | null>(null)
  const rulesById = useMemo(
    () => Object.fromEntries(rules.map((r) => [r.id, r])),
    [rules],
  )
  const rows = useMemo(() => {
    return overrides
      .map((o) => {
        const rule = rulesById[o.rule_id]
        const live = liveVersionsByRule[o.rule_id]
        return { override: o, rule, live }
      })
      .filter(({ rule }) => {
        if (!filter.trim()) return true
        const q = filter.toLowerCase()
        return (
          (rule?.title || '').toLowerCase().includes(q) ||
          (rule?.document_type || '').toLowerCase().includes(q) ||
          (rule?.rule_key || '').toLowerCase().includes(q)
        )
      })
  }, [overrides, rulesById, liveVersionsByRule, filter])
  return (
    <div className="h-full flex flex-col overflow-hidden bg-white">
      <header className="px-5 py-3 border-b border-gray-200 flex items-center justify-between gap-3">
        <div className="min-w-0">
          <h2 className="text-base font-semibold text-gray-800">Meine Overrides</h2>
          <p className="text-xs text-gray-500">
            Globale Regeln, die für meine Mandanten abweichend gelten.
            {overrides.length > 0 && ` ${overrides.length} aktiv.`}
          </p>
        </div>
        <div className="flex items-center gap-2">
          <input
            type="text"
            placeholder="Suchen…"
            value={filter}
            onChange={(e) => setFilter(e.target.value)}
            className="text-sm px-2 py-1.5 border border-gray-300 rounded"
          />
          <button
            className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700"
            onClick={() => setShowAdd(true)}
          >
            + Override hinzufügen
          </button>
        </div>
      </header>
      <div className="flex-1 overflow-auto">
        {rows.length === 0 ? (
          <div className="p-8 text-center text-sm text-gray-500">
            {overrides.length === 0
              ? 'Noch keine Overrides angelegt. Klicke oben rechts „+ Override hinzufügen“, um die globale Klassifikation einer Regel für deine Kanzlei abweichend zu setzen.'
              : 'Keine Treffer für den Filter.'}
          </div>
        ) : (
          <table className="w-full text-sm">
            <thead className="bg-gray-50 text-xs uppercase text-gray-600 sticky top-0">
              <tr>
                <th className="px-5 py-2 text-left">Regel</th>
                <th className="px-3 py-2 text-left">Original</th>
                <th className="px-3 py-2 text-left">Mein Override</th>
                <th className="px-3 py-2 text-left">Grund</th>
                <th className="px-3 py-2 text-left">Erstellt</th>
                <th className="px-3 py-2 text-left">Aktionen</th>
              </tr>
            </thead>
            <tbody>
              {rows.map(({ override, rule, live }) => (
                <tr key={override.id} className="border-t border-gray-100 hover:bg-gray-50">
                  <td className="px-5 py-2">
                    <div className="font-medium text-gray-800">{rule?.title ?? '(unbekannt)'}</div>
                    <div className="text-xs text-gray-500">
                      <code>{rule?.document_type ?? '?'}</code> · {rule?.rule_key ?? '?'}
                    </div>
                  </td>
                  <td className="px-3 py-2">
                    {live ? (
                      <ClassChip classification={live.classification} />
                    ) : (
                      <span className="text-xs text-gray-400">—</span>
                    )}
                  </td>
                  <td className="px-3 py-2">
                    {override.override_classification ? (
                      <ClassChip classification={override.override_classification} />
                    ) : (
                      <span className="px-1.5 py-0.5 text-xs rounded bg-gray-200 text-gray-700">
                        deaktiviert
                      </span>
                    )}
                  </td>
                  <td className="px-3 py-2 text-xs text-gray-700 max-w-xs">
                    <span className="line-clamp-2">{override.reason}</span>
                  </td>
                  <td className="px-3 py-2 text-xs text-gray-500 whitespace-nowrap">
                    {new Date(override.created_at).toLocaleDateString('de-DE')}
                    {override.created_by && (
                      <div className="text-[10px]">{override.created_by}</div>
                    )}
                  </td>
                  <td className="px-3 py-2">
                    <div className="flex items-center gap-1">
                      <button
                        className="text-xs px-2 py-1 border border-gray-300 rounded hover:bg-gray-100"
                        onClick={() => setEditing(override)}
                      >
                        Bearbeiten
                      </button>
                      <button
                        className="text-xs px-2 py-1 border border-rose-300 text-rose-700 rounded hover:bg-rose-50"
                        onClick={() => setConfirmDelete(override)}
                      >
                        Löschen
                      </button>
                    </div>
                  </td>
                </tr>
              ))}
            </tbody>
          </table>
        )}
      </div>
      {showAdd && (
        <OverrideDialog
          title="Neuen Override anlegen"
          rules={rules}
          liveVersionsByRule={liveVersionsByRule}
          existingOverrideRuleIds={new Set(overrides.map((o) => o.rule_id))}
          onCancel={() => setShowAdd(false)}
          onSubmit={async (payload) => {
            await onUpsert(payload)
            setShowAdd(false)
          }}
        />
      )}
      {editing && (
        <OverrideDialog
          title="Override bearbeiten"
          rules={rules}
          liveVersionsByRule={liveVersionsByRule}
          existingOverrideRuleIds={new Set()}
          initial={editing}
          fixedRuleId={editing.rule_id}
          onCancel={() => setEditing(null)}
          onSubmit={async (payload) => {
            await onUpsert(payload)
            setEditing(null)
          }}
        />
      )}
      {confirmDelete && (
        <ConfirmDialog
          message={`Override für „${rulesById[confirmDelete.rule_id]?.title || 'Regel'}" wirklich löschen?`}
          onCancel={() => setConfirmDelete(null)}
          onConfirm={async () => {
            await onDelete(confirmDelete.id)
            setConfirmDelete(null)
          }}
        />
      )}
    </div>
  )
 }
 function ClassChip({ classification }: { classification: Classification }) {
  const colorMap = {
    required: 'bg-rose-100 text-rose-800 border-rose-300',
    recommended: 'bg-amber-100 text-amber-800 border-amber-300',
    optional: 'bg-slate-100 text-slate-700 border-slate-300',
  } as const
  return (
    <span className={`px-1.5 py-0.5 text-xs rounded border ${colorMap[classification]}`}>
      {CLASSIFICATION_LABELS[classification]}
    </span>
  )
 }
 interface OverrideDialogProps {
  title: string
  rules: Rule[]
  liveVersionsByRule: Record<string, RuleVersion | undefined>
  existingOverrideRuleIds: Set<string>
  initial?: TenantRuleOverride
  fixedRuleId?: string
  onCancel: () => void
  onSubmit: (payload: {
    rule_id: string
    override_classification: Classification | null
    reason: string
  }) => Promise<void>
 }
 function OverrideDialog({
  title, rules, liveVersionsByRule, existingOverrideRuleIds,
  initial, fixedRuleId, onCancel, onSubmit,
 }: OverrideDialogProps) {
  const [ruleId, setRuleId] = useState<string>(
    fixedRuleId ?? initial?.rule_id ?? '',
  )
  const [classification, setClassification] = useState<Classification | 'disabled'>(
    initial?.override_classification ?? 'optional',
  )
  const [reason, setReason] = useState<string>(initial?.reason ?? '')
  const [submitting, setSubmitting] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const availableRules = useMemo(() => {
    if (fixedRuleId) {
      // Edit-Mode: nur die eine Regel zeigen
      return rules.filter((r) => r.id === fixedRuleId)
    }
    return rules.filter((r) => !existingOverrideRuleIds.has(r.id))
  }, [rules, existingOverrideRuleIds, fixedRuleId])
  const selectedRule = rules.find((r) => r.id === ruleId)
  const selectedLive = ruleId ? liveVersionsByRule[ruleId] : undefined
  const canSubmit = !!ruleId && reason.trim().length > 0 && !submitting
  const handleSubmit = async () => {
    setSubmitting(true)
    setError(null)
    try {
      await onSubmit({
        rule_id: ruleId,
        override_classification: classification === 'disabled' ? null : classification,
        reason: reason.trim(),
      })
    } catch (e) {
      setError((e as Error).message)
    } finally {
      setSubmitting(false)
    }
  }
  return (
    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
      <div
        className="bg-white rounded-lg shadow-xl w-[560px] max-h-[90vh] flex flex-col"
        onClick={(e) => e.stopPropagation()}
      >
        <header className="px-5 py-3 border-b border-gray-200">
          <h3 className="font-semibold">{title}</h3>
        </header>
        <div className="p-5 space-y-4 overflow-y-auto">
          <section>
            <label className="text-xs font-medium text-gray-700 block mb-1">
              Regel <span className="text-rose-600">*</span>
            </label>
            <select
              className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded bg-white"
              value={ruleId}
              disabled={!!fixedRuleId}
              onChange={(e) => setRuleId(e.target.value)}
            >
              <option value="">— Regel wählen —</option>
              {availableRules.map((r) => (
                <option key={r.id} value={r.id}>{r.title} ({r.document_type})</option>
              ))}
            </select>
            {selectedRule && selectedLive && (
              <div className="text-xs text-gray-600 mt-1">
                Original-Klassifikation: <ClassChip classification={selectedLive.classification} />{' '}
                · Quelle: {selectedLive.source_citation}
              </div>
            )}
          </section>
          <section>
            <label className="text-xs font-medium text-gray-700 block mb-1">
              Meine abweichende Klassifikation
            </label>
            <div className="space-y-1">
              {(['required', 'recommended', 'optional', 'disabled'] as const).map((c) => (
                <label key={c} className="flex items-center gap-2 text-sm">
                  <input
                    type="radio"
                    name="classification"
                    value={c}
                    checked={classification === c}
                    onChange={() => setClassification(c)}
                  />
                  {c === 'disabled' ? (
                    <span className="text-gray-700">
                      Deaktivieren (Regel gilt für meine Mandanten gar nicht)
                    </span>
                  ) : (
                    <ClassChip classification={c} />
                  )}
                </label>
              ))}
            </div>
          </section>
          <section>
            <label className="text-xs font-medium text-gray-700 block mb-1">
              Grund <span className="text-rose-600">*</span>
            </label>
            <textarea
              rows={4}
              className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
              placeholder="Warum gilt diese Regel bei meinen Mandanten abweichend? (z.B. Bei Maschinenbauern haben wir CRA-Doku statt isolierter ISMS-Manuale.)"
              value={reason}
              onChange={(e) => setReason(e.target.value)}
            />
          </section>
          {error && (
            <div className="bg-rose-50 border border-rose-200 text-rose-800 text-sm px-3 py-2 rounded">
              {error}
            </div>
          )}
        </div>
        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>
            Abbrechen
          </button>
          <button
            className="px-4 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700 disabled:opacity-50"
            disabled={!canSubmit}
            onClick={handleSubmit}
          >
            {submitting ? 'Speichere…' : 'Speichern'}
          </button>
        </footer>
      </div>
    </div>
  )
 }
 function ConfirmDialog({
  message, onCancel, onConfirm,
 }: {
  message: string
  onCancel: () => void
  onConfirm: () => Promise<void>
 }) {
  const [busy, setBusy] = useState(false)
  return (
    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
      <div className="bg-white rounded-lg shadow-xl w-[420px]" onClick={(e) => e.stopPropagation()}>
        <div className="p-5 text-sm text-gray-800">{message}</div>
        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
          <button
            className="px-4 py-1.5 text-sm bg-rose-600 text-white rounded disabled:opacity-50"
            disabled={busy}
            onClick={async () => { setBusy(true); await onConfirm(); setBusy(false) }}
          >
            {busy ? 'Lösche…' : 'Löschen'}
          </button>
        </footer>
      </div>
    </div>
  )
 }
@@ -0,0 +1,183 @@
 /**
 * Hook fuer Template-Rule-Editor: laedt Regeln/Versions/History und exponiert
 * Lifecycle-Actions (submit/approve/publish/reject) + Tenant-Override-CRUD.
 *
 * Alle API-Calls gehen ueber /api/sdk/v1/compliance/* (Next.js-Proxy zum
 * backend-compliance).
 */
 import { useCallback } from 'react'
 import type {
  ApprovalHistoryEntry,
  Classification,
  Rule,
  RuleCondition,
  RuleVersion,
  TenantRuleOverride,
 } from '../_types'
 const API_BASE = '/api/sdk/v1/compliance'
 async function req<T>(url: string, init?: RequestInit): Promise<T> {
  const res = await fetch(url, {
    ...init,
    headers: {
      'Content-Type': 'application/json',
      ...(init?.headers || {}),
    },
  })
  if (!res.ok) {
    const text = await res.text().catch(() => res.statusText)
    throw new Error(`${res.status}: ${text}`)
  }
  if (res.status === 204) return undefined as T
  return res.json() as Promise<T>
 }
 export function useRuleEditorActions() {
  const listRules = useCallback(
    (documentType?: string) => {
      const q = documentType ? `?document_type=${encodeURIComponent(documentType)}` : ''
      return req<Rule[]>(`${API_BASE}/template-rules${q}`)
    },
    [],
  )
  const getRule = useCallback(
    (ruleId: string) => req<Rule>(`${API_BASE}/template-rules/${ruleId}`),
    [],
  )
  const listVersions = useCallback(
    (ruleId: string) => req<RuleVersion[]>(`${API_BASE}/template-rules/${ruleId}/versions`),
    [],
  )
  const getVersion = useCallback(
    (versionId: string) => req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}`),
    [],
  )
  const createDraftVersion = useCallback(
    (
      ruleId: string,
      payload: {
        classification: Classification
        conditions: RuleCondition
        source_citation: string
        rationale?: string | null
        created_by?: string | null
      },
    ) =>
      req<RuleVersion>(`${API_BASE}/template-rules/${ruleId}/versions`, {
        method: 'POST',
        body: JSON.stringify({
          rule_id: ruleId,
          ...payload,
        }),
      }),
    [],
  )
  const updateDraftVersion = useCallback(
    (
      versionId: string,
      patch: {
        classification?: Classification
        conditions?: RuleCondition
        source_citation?: string
        rationale?: string | null
        change_summary?: string | null
      },
    ) =>
      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}`, {
        method: 'PATCH',
        body: JSON.stringify(patch),
      }),
    [],
  )
  const submitForReview = useCallback(
    (
      versionId: string,
      payload: { change_summary: string; submitter?: string; comment?: string },
    ) =>
      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/submit-review`, {
        method: 'POST',
        body: JSON.stringify(payload),
      }),
    [],
  )
  const approveVersion = useCallback(
    (versionId: string, payload: { approver?: string; comment?: string } = {}) =>
      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/approve`, {
        method: 'POST',
        body: JSON.stringify(payload),
      }),
    [],
  )
  const publishVersion = useCallback(
    (versionId: string, payload: { approver?: string; comment?: string } = {}) =>
      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/publish`, {
        method: 'POST',
        body: JSON.stringify(payload),
      }),
    [],
  )
  const rejectVersion = useCallback(
    (
      versionId: string,
      payload: { rejection_reason: string; rejector?: string; comment?: string },
    ) =>
      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/reject`, {
        method: 'POST',
        body: JSON.stringify(payload),
      }),
    [],
  )
  const getApprovalHistory = useCallback(
    (versionId: string) =>
      req<ApprovalHistoryEntry[]>(
        `${API_BASE}/template-rule-versions/${versionId}/approval-history`,
      ),
    [],
  )
  const listOverrides = useCallback(
    () => req<TenantRuleOverride[]>(`${API_BASE}/tenant-rule-overrides`),
    [],
  )
  const upsertOverride = useCallback(
    (payload: {
      rule_id: string
      override_classification: Classification | null
      reason: string
      created_by?: string
    }) =>
      req<TenantRuleOverride>(`${API_BASE}/tenant-rule-overrides`, {
        method: 'POST',
        body: JSON.stringify(payload),
      }),
    [],
  )
  const deleteOverride = useCallback(
    (overrideId: string) =>
      req<void>(`${API_BASE}/tenant-rule-overrides/${overrideId}`, { method: 'DELETE' }),
    [],
  )
  return {
    listRules, getRule,
    listVersions, getVersion,
    createDraftVersion, updateDraftVersion,
    submitForReview, approveVersion, publishVersion, rejectVersion,
    getApprovalHistory,
    listOverrides, upsertOverride, deleteOverride,
  }
 }
@@ -0,0 +1,246 @@
 /**
 * Types fuer den Template-Rule-Editor (SDK).
 *
 * Spiegeln die Pydantic-Modelle aus
 * backend-compliance/compliance/schemas/template_rule.py.
 */
 export type Classification = 'required' | 'recommended' | 'optional'
 export type RuleStatus =
  | 'draft' | 'review' | 'approved' | 'published' | 'archived' | 'rejected'
 export type ClauseOperator =
  | 'eq' | 'neq' | 'in' | 'not_in'
  | 'gt' | 'gte' | 'lt' | 'lte'
  | 'exists' | 'truthy' | 'falsy'
 export interface RuleClause {
  field: string
  op: ClauseOperator
  value?: unknown
 }
 export interface RuleCondition {
  kind: 'all' | 'any'
  clauses: RuleClause[]
 }
 export interface Rule {
  id: string
  rule_key: string
  document_type: string
  title: string
  current_version_id: string | null
  created_at: string
  updated_at: string | null
 }
 export interface RuleVersion {
  id: string
  rule_id: string
  version_number: number
  status: RuleStatus
  is_live: boolean
  classification: Classification
  conditions: RuleCondition
  source_citation: string
  rationale: string | null
  change_summary: string | null
  created_by: string | null
  submitted_by: string | null
  submitted_at: string | null
  approved_by: string | null
  approved_at: string | null
  published_by: string | null
  published_at: string | null
  rejected_by: string | null
  rejected_at: string | null
  rejection_reason: string | null
  created_at: string
  updated_at: string | null
 }
 export interface ApprovalHistoryEntry {
  id: string
  version_id: string
  action: string
  approver: string | null
  comment: string | null
  created_at: string
 }
 export interface TenantRuleOverride {
  id: string
  tenant_id: string
  rule_id: string
  override_classification: Classification | null
  reason: string
  created_by: string | null
  created_at: string
  updated_at: string | null
 }
 // ---- Profil-Felder fuer Condition-Builder ----
 export interface ProfileFieldOption {
  /** Key der im Profil verwendet wird */
  key: string
  /** Label fuer die UI */
  label: string
  /** Kategorie fuer Gruppierung */
  category: 'org' | 'proc' | 'prod' | 'comp' | 'tech' | 'compliance'
  /** Erwarteter Datentyp */
  type: 'string' | 'number' | 'boolean' | 'enum'
  /** Wenn enum: Mögliche Werte mit Label */
  options?: { value: string; label: string }[]
 }
 /**
 * Die 17 Profil-Felder, die in den 33 Initial-Regeln verwendet werden.
 * Aus templateRecommendations.ts portiert + compliance_depth_level ergaenzt.
 */
 export const PROFILE_FIELDS: ProfileFieldOption[] = [
  {
    key: 'compliance_depth_level',
    label: 'Compliance-Tiefe',
    category: 'compliance', type: 'enum',
    options: [
      { value: 'L1', label: 'L1 — Lean Startup' },
      { value: 'L2', label: 'L2 — Standard' },
      { value: 'L3', label: 'L3 — Strict' },
      { value: 'L4', label: 'L4 — Zertifizierungsbereit' },
    ],
  },
  {
    key: 'org_employee_count',
    label: 'Mitarbeiterzahl',
    category: 'org', type: 'enum',
    options: [
      { value: 'none', label: 'Keine' },
      { value: '1_9', label: '1–9' },
      { value: '10_49', label: '10–49' },
      { value: '50_249', label: '50–249' },
      { value: '250_999', label: '250–999' },
      { value: '1000_plus', label: '1000+' },
    ],
  },
  {
    key: 'org_has_employees', label: 'Hat Mitarbeiter', category: 'org', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'org_business_model', label: 'Geschäftsmodell', category: 'org', type: 'enum',
    options: [
      { value: 'b2b_saas', label: 'B2B SaaS' },
      { value: 'b2c_shop', label: 'B2C Shop' },
      { value: 'platform', label: 'Plattform' },
      { value: 'marketplace', label: 'Marktplatz' },
      { value: 'social', label: 'Social Media' },
      { value: 'saas', label: 'SaaS' },
      { value: 'media', label: 'Media' },
      { value: 'manufacturing', label: 'Maschinenbau' },
      { value: 'other', label: 'Sonstiges' },
    ],
  },
  {
    key: 'org_has_social_media', label: 'Hat Social Media', category: 'org', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'org_has_video_conferencing', label: 'Hat Video-Konferenzen', category: 'org', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'org_cert_target', label: 'Zertifizierungsziel', category: 'org', type: 'enum',
    options: [
      { value: 'none', label: 'Keines' },
      { value: 'iso27001', label: 'ISO 27001' },
      { value: 'iso27701', label: 'ISO 27701' },
      { value: 'tisax', label: 'TISAX' },
    ],
  },
  {
    key: 'proc_ai_usage', label: 'KI-Nutzung', category: 'proc', type: 'enum',
    options: [
      { value: 'none', label: 'Keine' },
      { value: 'limited', label: 'Begrenzt' },
      { value: 'extensive', label: 'Umfangreich' },
    ],
  },
  {
    key: 'proc_uses_ai_tools', label: 'Nutzt KI-Tools', category: 'proc', type: 'boolean',
  },
  {
    key: 'proc_byod_allowed', label: 'BYOD erlaubt', category: 'proc', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'proc_dsfa_required', label: 'DSFA erforderlich', category: 'proc', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'prod_webshop', label: 'Webshop', category: 'prod', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'prod_ugc_platform', label: 'UGC-Plattform', category: 'prod', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'prod_consent_management', label: 'Consent Management', category: 'prod', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'comp_has_processors', label: 'Auftragsverarbeiter', category: 'comp', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'comp_vendor_management', label: 'Vendor-Management', category: 'comp', type: 'enum',
    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
  },
  {
    key: 'comp_dsfa_processes', label: 'DSFA-Prozesse', category: 'comp', type: 'enum',
    options: [{ value: 'required', label: 'Erforderlich' }, { value: 'optional', label: 'Optional' }],
  },
  {
    key: 'tech_third_country', label: 'Drittland-Transfer', category: 'tech', type: 'enum',
    options: [
      { value: 'no', label: 'Nein' },
      { value: 'us_dpf_only', label: 'Nur US-DPF' },
      { value: 'adequate_only', label: 'Nur Angemessenheitsbeschluss' },
      { value: 'yes_us', label: 'Ja, USA' },
      { value: 'yes_other', label: 'Ja, Sonstige' },
    ],
  },
 ]
 export const OPERATOR_LABELS: Record<ClauseOperator, string> = {
  eq: 'gleich (=)',
  neq: 'ungleich (≠)',
  in: 'in Liste',
  not_in: 'nicht in Liste',
  gt: 'größer (>)',
  gte: 'größer/gleich (≥)',
  lt: 'kleiner (<)',
  lte: 'kleiner/gleich (≤)',
  exists: 'existiert',
  truthy: 'ist gesetzt',
  falsy: 'ist leer',
 }
 export const CLASSIFICATION_LABELS: Record<Classification, string> = {
  required: 'Pflicht',
  recommended: 'Empfohlen',
  optional: 'Optional',
 }
 export const STATUS_LABELS: Record<RuleStatus, string> = {
  draft: 'Entwurf',
  review: 'In Prüfung',
  approved: 'Freigegeben',
  published: 'Live',
  archived: 'Archiviert',
  rejected: 'Abgelehnt',
 }
@@ -0,0 +1,280 @@
 'use client'
 /**
 * Template Rule Editor — Editorial-UI fuer Anwaelte/DSBs.
 *
 * Architektur:
 * - Links: RuleList mit Filter
 * - Rechts: RuleEditor mit Klassifikation, Condition-Builder, Source-Citation,
 *   Approval-Workflow (draft → review → approved → published)
 *
 * Backend: /api/sdk/v1/compliance/template-rules + /template-rule-versions/*
 */
 import { useEffect, useState, useCallback } from 'react'
 import { useSDK } from '@/lib/sdk'
 import StepHeader from '@/components/sdk/StepHeader/StepHeader'
 import { useRuleEditorActions } from './_hooks/useRuleEditorActions'
 import type {
  ApprovalHistoryEntry, Classification, Rule, RuleCondition, RuleVersion,
  TenantRuleOverride,
 } from './_types'
 import RuleList from './_components/RuleList'
 import RuleEditor from './_components/RuleEditor'
 import TenantOverrideList from './_components/TenantOverrideList'
 type Tab = 'rules' | 'overrides'
 export default function TemplateRuleEditorPage() {
  useSDK()
  const actions = useRuleEditorActions()
  const [tab, setTab] = useState<Tab>('rules')
  const [rules, setRules] = useState<Rule[]>([])
  const [liveVersionsByRule, setLiveVersionsByRule] = useState<Record<string, RuleVersion | undefined>>({})
  const [selectedRuleId, setSelectedRuleId] = useState<string | null>(null)
  const [selectedVersions, setSelectedVersions] = useState<RuleVersion[]>([])
  const [selectedHistory, setSelectedHistory] = useState<ApprovalHistoryEntry[]>([])
  const [overrides, setOverrides] = useState<TenantRuleOverride[]>([])
  const [loading, setLoading] = useState(true)
  const [error, setError] = useState<string | null>(null)
  // Initial: Regeln laden + Live-Versions
  const loadRules = useCallback(async () => {
    setLoading(true)
    setError(null)
    try {
      const list = await actions.listRules()
      setRules(list)
      const byRule: Record<string, RuleVersion | undefined> = {}
      // Live-Versionen parallel
      await Promise.all(
        list.map(async (r) => {
          try {
            const versions = await actions.listVersions(r.id)
            const live = versions.find((v) => v.is_live)
            byRule[r.id] = live
          } catch {
            byRule[r.id] = undefined
          }
        }),
      )
      setLiveVersionsByRule(byRule)
      if (list.length > 0 && !selectedRuleId) {
        setSelectedRuleId(list[0].id)
      }
    } catch (e) {
      setError((e as Error).message)
    } finally {
      setLoading(false)
    }
  }, [actions, selectedRuleId])
  // Bei Selektions-Wechsel: Versions + History laden
  const loadSelected = useCallback(async () => {
    if (!selectedRuleId) {
      setSelectedVersions([])
      setSelectedHistory([])
      return
    }
    try {
      const versions = await actions.listVersions(selectedRuleId)
      setSelectedVersions(versions)
      const live = versions.find((v) => v.is_live)
      if (live) {
        const history = await actions.getApprovalHistory(live.id)
        setSelectedHistory(history)
      } else {
        setSelectedHistory([])
      }
    } catch (e) {
      setError((e as Error).message)
    }
  }, [actions, selectedRuleId])
  useEffect(() => { loadRules() }, [])
  useEffect(() => { loadSelected() }, [selectedRuleId])
  const handleCreateDraft = async (payload: {
    classification: Classification
    conditions: RuleCondition
    source_citation: string
    rationale?: string | null
  }) => {
    if (!selectedRuleId) return
    try {
      await actions.createDraftVersion(selectedRuleId, payload)
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const handleUpdateDraft = async (versionId: string, patch: {
    classification?: Classification
    conditions?: RuleCondition
    source_citation?: string
    rationale?: string | null
  }) => {
    try {
      await actions.updateDraftVersion(versionId, patch)
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const handleSubmitForReview = async (versionId: string, changeSummary: string) => {
    try {
      await actions.submitForReview(versionId, { change_summary: changeSummary })
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const handleApprove = async (versionId: string) => {
    try {
      await actions.approveVersion(versionId)
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const handlePublish = async (versionId: string) => {
    try {
      await actions.publishVersion(versionId)
      await loadRules()
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const handleReject = async (versionId: string, reason: string) => {
    try {
      await actions.rejectVersion(versionId, { rejection_reason: reason })
      await loadSelected()
    } catch (e) {
      setError((e as Error).message)
    }
  }
  const loadOverrides = useCallback(async () => {
    try {
      const list = await actions.listOverrides()
      setOverrides(list)
    } catch (e) {
      setError((e as Error).message)
    }
  }, [actions])
  useEffect(() => { loadOverrides() }, [])
  const handleUpsertOverride = async (payload: {
    rule_id: string
    override_classification: Classification | null
    reason: string
  }) => {
    await actions.upsertOverride(payload)
    await loadOverrides()
  }
  const handleDeleteOverride = async (overrideId: string) => {
    await actions.deleteOverride(overrideId)
    await loadOverrides()
  }
  const selectedRule = rules.find((r) => r.id === selectedRuleId)
  return (
    <div className="h-full flex flex-col bg-white">
      <StepHeader
        stepId="template-rule-editor"
        title="Empfehlungs-Regeln"
        description="Editorial-UI für profilbasierte Dokument-Empfehlungen. Anwälte/DSBs editieren globale Regeln mit Approval-Workflow + Quellen-Attribution."
      />
      {error && (
        <div className="px-5 py-2 bg-rose-50 border-b border-rose-200 text-sm text-rose-800">
          {error}
        </div>
      )}
      {loading && (
        <div className="p-5 text-sm text-gray-500">Lade Regeln…</div>
      )}
      {!loading && (
        <>
          <nav className="px-5 border-b border-gray-200 bg-white flex gap-1">
            <TabButton active={tab === 'rules'} onClick={() => setTab('rules')}>
              Globale Regeln <span className="text-xs text-gray-500">({rules.length})</span>
            </TabButton>
            <TabButton active={tab === 'overrides'} onClick={() => setTab('overrides')}>
              Meine Overrides <span className="text-xs text-gray-500">({overrides.length})</span>
            </TabButton>
          </nav>
          {tab === 'rules' && (
            <div className="flex-1 grid grid-cols-[320px_1fr] overflow-hidden">
              <RuleList
                rules={rules}
                versionsByRule={liveVersionsByRule}
                selectedRuleId={selectedRuleId}
                onSelectRule={setSelectedRuleId}
              />
              {selectedRule ? (
                <RuleEditor
                  rule={selectedRule}
                  versions={selectedVersions}
                  history={selectedHistory}
                  onCreateDraft={handleCreateDraft}
                  onUpdateDraft={handleUpdateDraft}
                  onSubmitForReview={handleSubmitForReview}
                  onApprove={handleApprove}
                  onPublish={handlePublish}
                  onReject={handleReject}
                />
              ) : (
                <div className="h-full grid place-items-center text-sm text-gray-500">
                  Wähle links eine Regel zum Bearbeiten.
                </div>
              )}
            </div>
          )}
          {tab === 'overrides' && (
            <div className="flex-1 overflow-hidden">
              <TenantOverrideList
                rules={rules}
                liveVersionsByRule={liveVersionsByRule}
                overrides={overrides}
                onUpsert={handleUpsertOverride}
                onDelete={handleDeleteOverride}
              />
            </div>
          )}
        </>
      )}
    </div>
  )
 }
 function TabButton({
  active, onClick, children,
 }: {
  active: boolean
  onClick: () => void
  children: React.ReactNode
 }) {
  return (
    <button
      className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
        active
          ? 'border-amber-500 text-gray-900'
          : 'border-transparent text-gray-600 hover:text-gray-800 hover:border-gray-300'
      }`}
      onClick={onClick}
    >
      {children}
    </button>
  )
 }
@@ -4,6 +4,7 @@ import React from 'react'
 import { useRouter } from 'next/navigation'
 import { useTOMGenerator } from '@/lib/sdk/tom-generator'
 import { TOM_GENERATOR_STEPS } from '@/lib/sdk/tom-generator/types'
 import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 /**
 * TOM Generator Landing Page
@@ -45,6 +46,14 @@ export default function TOMGeneratorPage() {
        </p>
      </div>
      <div className="mb-6">
        <LicenseModuleBanner
          rule={1}
          sourceLabel="DSGVO Art. 32 (EU 2016/679) — TOM-Anforderungen"
          detail="Generator-Logik und Vorlagen sind BreakPilot-Eigenwerk (R3); zitierte Rechtsquelle EU_LAW (R1)."
        />
      </div>
      {/* Progress Card */}
      {hasProgress && (
        <div className="bg-white rounded-xl border border-gray-200 p-6 mb-8">
@@ -350,7 +350,12 @@ function ActivityCard({ activity, onEdit, onDelete }: { activity: VVTActivity; o
              <span className="px-2 py-0.5 text-xs bg-purple-100 text-purple-700 rounded-full">DSFA</span>
            )}
            {(activity as any).sourceTemplateId && (
-              <span className="px-2 py-0.5 text-xs bg-indigo-100 text-indigo-700 rounded-full">Vorlage</span>
+              <span
                className="px-2 py-0.5 text-xs bg-indigo-100 text-indigo-700 rounded-full cursor-help"
                title="Erstellt aus Bundeslaender-DSGVO-Vorlage (Art. 30 DSGVO). Lizenzregel R1 — Hoheitsrecht/DE_LAW, woertlich uebernehmbar."
              >
                Vorlage · R1
              </span>
            )}
          </div>
          <h3 className="text-base font-semibold text-gray-900 truncate">{activity.name || '(Ohne Namen)'}</h3>
@@ -1,7 +1,9 @@
 'use client'
 export type ApprovalModalMode = 'approve-internal' | 'approve-client' | 'reject'
 interface ApprovalModalProps {
-  mode: 'approve' | 'reject'
+  mode: ApprovalModalMode
  approvalComment: string
  onCommentChange: (comment: string) => void
  onCancel: () => void
@@ -9,6 +11,26 @@ interface ApprovalModalProps {
  saving: boolean
 }
 const TITLES: Record<ApprovalModalMode, string> = {
  'approve-internal': 'DSB-Freigabe → an Mandant weiterleiten',
  'approve-client': 'Mandanten-Freigabe erteilen',
  reject: 'Version ablehnen',
 }
 const BUTTON_LABELS: Record<ApprovalModalMode, string> = {
  'approve-internal': 'DSB-Freigabe erteilen',
  'approve-client': 'Mandanten-Freigabe erteilen',
  reject: 'Ablehnen',
 }
 const PLACEHOLDERS: Record<ApprovalModalMode, string> = {
  'approve-internal':
    'Kommentar (optional) — Hinweise für den Mandanten...',
  'approve-client':
    'Kommentar (optional) — z.B. Freigabe durch Geschäftsführung...',
  reject: 'Ablehnungsgrund...',
 }
 export default function ApprovalModal({
  mode,
  approvalComment,
@@ -17,18 +39,17 @@ export default function ApprovalModal({
  onConfirm,
  saving,
 }: ApprovalModalProps) {
  const isReject = mode === 'reject'
  return (
    <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
      <div className="bg-white rounded-xl shadow-xl p-6 w-full max-w-md">
-        <h3 className="text-lg font-semibold text-slate-900 mb-4">
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">{TITLES[mode]}</h3>
          {mode === 'approve' ? 'Version freigeben' : 'Version ablehnen'}
        </h3>
        <textarea
          value={approvalComment}
          onChange={(e) => onCommentChange(e.target.value)}
-          placeholder={mode === 'approve' ? 'Kommentar (optional)...' : 'Ablehnungsgrund...'}
+          placeholder={PLACEHOLDERS[mode]}
          className="w-full px-3 py-2 border border-slate-300 rounded-lg min-h-[100px] mb-4"
-          required={mode === 'reject'}
+          required={isReject}
        />
        <div className="flex justify-end gap-3">
          <button
@@ -39,14 +60,12 @@ export default function ApprovalModal({
          </button>
          <button
            onClick={onConfirm}
-            disabled={saving || (mode === 'reject' && !approvalComment)}
+            disabled={saving || (isReject && !approvalComment)}
            className={`px-4 py-2 text-white rounded-lg disabled:opacity-50 ${
-              mode === 'approve'
+              isReject ? 'bg-red-600 hover:bg-red-700' : 'bg-green-600 hover:bg-green-700'
                ? 'bg-green-600 hover:bg-green-700'
                : 'bg-red-600 hover:bg-red-700'
            }`}
          >
-            {saving ? 'Wird verarbeitet...' : mode === 'approve' ? 'Freigeben' : 'Ablehnen'}
+            {saving ? 'Wird verarbeitet...' : BUTTON_LABELS[mode]}
          </button>
        </div>
      </div>
@@ -1,6 +1,7 @@
 'use client'
 import { Version, STATUS_LABELS } from '../_types'
 import type { ApprovalModalMode } from './ApprovalModal'
 interface CompareViewProps {
  currentVersion: Version | null
@@ -9,7 +10,7 @@ interface CompareViewProps {
  onClose: () => void
  onSaveDraft: () => void
  onSubmitForReview: () => void
-  onShowApprovalModal: (mode: 'approve' | 'reject') => void
+  onShowApprovalModal: (mode: ApprovalModalMode) => void
  onPublishVersion: () => void
 }
@@ -64,28 +65,26 @@ export default function CompareView({
        {/* Right: Draft */}
        <div className="bg-white flex flex-col">
-          <div className={`border-b px-4 py-2 ${
+          <div
-            draftVersion?.status === 'draft' ? 'bg-yellow-100 border-yellow-200' :
+            className={`border-b px-4 py-2 ${
-            draftVersion?.status === 'review' ? 'bg-blue-100 border-blue-200' :
+              draftVersion?.status === 'draft'
-            draftVersion?.status === 'approved' ? 'bg-green-100 border-green-200' :
+                ? 'bg-yellow-100 border-yellow-200'
-            'bg-slate-100 border-slate-200'
+                : draftVersion?.status === 'review' || draftVersion?.status === 'review_internal'
-          }`}>
+                  ? 'bg-blue-100 border-blue-200'
-            <span className={`font-medium ${
+                  : draftVersion?.status === 'review_client'
-              draftVersion?.status === 'draft' ? 'text-yellow-800' :
+                    ? 'bg-indigo-100 border-indigo-200'
-              draftVersion?.status === 'review' ? 'text-blue-800' :
+                    : draftVersion?.status === 'approved'
-              draftVersion?.status === 'approved' ? 'text-green-800' :
+                      ? 'bg-green-100 border-green-200'
-              'text-slate-800'
+                      : 'bg-slate-100 border-slate-200'
-            }`}>
+            }`}
          >
            <span className="font-medium text-slate-800">
              {draftVersion ? 'Aenderungsversion' : 'Neue Version'}
            </span>
            {draftVersion && (
-              <span className={`ml-2 ${
+              <span className="ml-2 text-slate-600">
-                draftVersion.status === 'draft' ? 'text-yellow-600' :
+                v{draftVersion.version} -{' '}
-                draftVersion.status === 'review' ? 'text-blue-600' :
+                {STATUS_LABELS[draftVersion.status]?.label ?? draftVersion.status}
                draftVersion.status === 'approved' ? 'text-green-600' :
                'text-slate-600'
              }`}>
                v{draftVersion.version} - {STATUS_LABELS[draftVersion.status].label}
              </span>
            )}
          </div>
@@ -113,7 +112,7 @@ export default function CompareView({
            </button>
          </>
        )}
-        {draftVersion?.status === 'review' && (
+        {draftVersion?.status === 'review_internal' && (
          <>
            <button
              onClick={() => { onClose(); onShowApprovalModal('reject') }}
@@ -122,10 +121,26 @@ export default function CompareView({
              Ablehnen
            </button>
            <button
-              onClick={() => { onClose(); onShowApprovalModal('approve') }}
+              onClick={() => { onClose(); onShowApprovalModal('approve-internal') }}
              className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-500"
            >
-              Freigeben
+              DSB-Freigabe → Mandant
            </button>
          </>
        )}
        {draftVersion?.status === 'review_client' && (
          <>
            <button
              onClick={() => { onClose(); onShowApprovalModal('reject') }}
              className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-500"
            >
              Ablehnen
            </button>
            <button
              onClick={() => { onClose(); onShowApprovalModal('approve-client') }}
              className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-500"
            >
              Mandanten-Freigabe
            </button>
          </>
        )}
@@ -9,6 +9,32 @@ interface HistoryPanelProps {
  currentVersion: Version | null
 }
 // Backend-Actions (compliance/services/legal_document_service.py):
 //   submitted_internal, approved_internal, approved_client,
 //   published, rejected, plus alte Werte 'submitted'/'approved'.
 const ACTION_LABELS: Record<string, string> = {
  submitted: 'Eingereicht',
  submitted_internal: 'An DSB eingereicht',
  approved: 'Freigegeben',
  approved_internal: 'DSB-Freigabe → Mandant',
  approved_client: 'Mandanten-Freigabe',
  published: 'Veroeffentlicht',
  rejected: 'Abgelehnt',
 }
 function actionLabel(action: string): string {
  return ACTION_LABELS[action] || action
 }
 function actionBadgeClass(action: string): string {
  if (action.startsWith('approved') || action === 'published') {
    return 'bg-green-100 text-green-700'
  }
  if (action === 'rejected') return 'bg-red-100 text-red-700'
  if (action.startsWith('submitted')) return 'bg-blue-100 text-blue-700'
  return 'bg-slate-100 text-slate-700'
 }
 export default function HistoryPanel({
  approvalHistory,
  versions,
@@ -22,12 +48,9 @@ export default function HistoryPanel({
        <div className="space-y-3">
          {approvalHistory.map((item, idx) => (
            <div key={idx} className="flex items-center gap-4 p-3 border border-slate-200 rounded-lg">
-              <span className={`px-2 py-1 rounded text-xs ${
+              <span className={`px-2 py-1 rounded text-xs ${actionBadgeClass(item.action)}`}>
-                item.action === 'approved' ? 'bg-green-100 text-green-700' :
+                {actionLabel(item.action)}
-                item.action === 'rejected' ? 'bg-red-100 text-red-700' :
+              </span>
                item.action === 'submitted' ? 'bg-blue-100 text-blue-700' :
                'bg-slate-100 text-slate-700'
              }`}>{item.action}</span>
              <span className="text-sm text-slate-600">{item.approver || 'System'}</span>
              {item.comment && (
                <span className="text-sm text-slate-500 italic">&quot;{item.comment}&quot;</span>
@@ -56,8 +79,12 @@ export default function HistoryPanel({
            <div className="flex items-center justify-between">
              <div className="flex items-center gap-3">
                <span className="font-mono font-medium">v{v.version}</span>
-                <span className={`px-2 py-0.5 rounded text-xs ${STATUS_LABELS[v.status].color}`}>
+                <span
-                  {STATUS_LABELS[v.status].label}
+                  className={`px-2 py-0.5 rounded text-xs ${
                    STATUS_LABELS[v.status]?.color ?? 'bg-slate-100 text-slate-700'
                  }`}
                >
                  {STATUS_LABELS[v.status]?.label ?? v.status}
                </span>
                <span className="text-sm text-slate-500">{v.title}</span>
              </div>
@@ -70,29 +70,27 @@ export default function SplitViewEditor({
      {/* Right: Draft/Edit Version */}
      <div className="bg-white rounded-xl shadow-sm border overflow-hidden">
-        <div className={`border-b px-4 py-3 flex items-center justify-between ${
+        <div
-          draftVersion?.status === 'draft' ? 'bg-yellow-50 border-yellow-200' :
+          className={`border-b px-4 py-3 flex items-center justify-between ${
-          draftVersion?.status === 'review' ? 'bg-blue-50 border-blue-200' :
+            draftVersion?.status === 'draft'
-          draftVersion?.status === 'approved' ? 'bg-green-50 border-green-200' :
+              ? 'bg-yellow-50 border-yellow-200'
-          'bg-slate-50 border-slate-200'
+              : draftVersion?.status === 'review' || draftVersion?.status === 'review_internal'
-        }`}>
+                ? 'bg-blue-50 border-blue-200'
                : draftVersion?.status === 'review_client'
                  ? 'bg-indigo-50 border-indigo-200'
                  : draftVersion?.status === 'approved'
                    ? 'bg-green-50 border-green-200'
                    : 'bg-slate-50 border-slate-200'
          }`}
        >
          <div>
-            <h3 className={`font-semibold ${
+            <h3 className="font-semibold text-slate-900">
              draftVersion?.status === 'draft' ? 'text-yellow-900' :
              draftVersion?.status === 'review' ? 'text-blue-900' :
              draftVersion?.status === 'approved' ? 'text-green-900' :
              'text-slate-900'
            }`}>
              {draftVersion ? 'Aenderungsversion' : 'Neue Version'}
            </h3>
            {draftVersion && (
-              <p className={`text-sm ${
+              <p className="text-sm text-slate-700">
-                draftVersion.status === 'draft' ? 'text-yellow-700' :
+                v{draftVersion.version} -{' '}
-                draftVersion.status === 'review' ? 'text-blue-700' :
+                {STATUS_LABELS[draftVersion.status]?.label ?? draftVersion.status}
                draftVersion.status === 'approved' ? 'text-green-700' :
                'text-slate-700'
              }`}>
                v{draftVersion.version} - {STATUS_LABELS[draftVersion.status].label}
              </p>
            )}
          </div>
@@ -2,16 +2,35 @@
 import { Version } from '../_types'
 export type ApprovalMode = 'approve-internal' | 'approve-client' | 'reject'
 interface WorkflowStatusBarProps {
  draftVersion: Version | null
  saving: boolean
  onCreateNewDraft: () => void
  onSaveDraft: () => void
  onSubmitForReview: () => void
-  onShowApprovalModal: (mode: 'approve' | 'reject') => void
+  onShowApprovalModal: (mode: ApprovalMode) => void
  onPublishVersion: () => void
 }
 // 5-Stage Lifecycle:
 //   draft → review_internal (DSB-Pruefung) → review_client (Mandant-Pruefung)
 //        → approved → published
 // Buttons sind v1 nicht role-gefiltert — alle relevanten Aktionen sichtbar.
 const STAGES: { status: string; label: string }[] = [
  { status: 'draft', label: 'Entwurf' },
  { status: 'review_internal', label: 'DSB-Pruefung' },
  { status: 'review_client', label: 'Mandant-Pruefung' },
  { status: 'approved', label: 'Freigegeben' },
  { status: 'published', label: 'Veroeffentlicht' },
 ]
 function isActiveStage(stageStatus: string, draftStatus: string | undefined, hasDraft: boolean) {
  if (stageStatus === 'published') return !hasDraft
  return draftStatus === stageStatus
 }
 export default function WorkflowStatusBar({
  draftVersion,
  saving,
@@ -21,34 +40,31 @@ export default function WorkflowStatusBar({
  onShowApprovalModal,
  onPublishVersion,
 }: WorkflowStatusBarProps) {
  const status = draftVersion?.status
  return (
    <div className="bg-white rounded-xl shadow-sm border p-4">
-      <div className="flex items-center justify-between">
+      <div className="flex items-center justify-between flex-wrap gap-4">
-        <div className="flex items-center gap-6">
+        <div className="flex items-center gap-4 flex-wrap">
-          {['draft', 'review', 'approved', 'published'].map((status, idx) => (
+          {STAGES.map((stage, idx) => (
-            <div key={status} className="flex items-center">
+            <div key={stage.status} className="flex items-center">
-              {idx > 0 && <div className="w-8 h-0.5 bg-slate-200 mr-2" />}
+              {idx > 0 && <div className="w-6 h-0.5 bg-slate-200 mr-2" />}
              <div className="flex items-center gap-2">
-                <div className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
+                <div
-                  (status === 'draft' && draftVersion?.status === 'draft') ||
+                  className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
-                  (status === 'review' && draftVersion?.status === 'review') ||
+                    isActiveStage(stage.status, status, Boolean(draftVersion))
-                  (status === 'approved' && draftVersion?.status === 'approved') ||
+                      ? 'bg-purple-500 text-white'
-                  (status === 'published' && !draftVersion)
+                      : 'bg-slate-200 text-slate-600'
-                    ? 'bg-purple-500 text-white'
+                  }`}
-                    : 'bg-slate-200 text-slate-600'
+                >
-                }`}>{idx + 1}</div>
+                  {idx + 1}
-                <span className="text-sm text-slate-600">
+                </div>
-                  {status === 'draft' ? 'Entwurf' :
+                <span className="text-sm text-slate-600">{stage.label}</span>
                   status === 'review' ? 'Pruefung' :
                   status === 'approved' ? 'Freigegeben' : 'Veroeffentlicht'}
                </span>
              </div>
            </div>
          ))}
        </div>
-        {/* Action Buttons */}
+        <div className="flex items-center gap-2 flex-wrap">
        <div className="flex items-center gap-2">
          {!draftVersion && (
            <button
              onClick={onCreateNewDraft}
@@ -59,7 +75,7 @@ export default function WorkflowStatusBar({
            </button>
          )}
-          {draftVersion?.status === 'draft' && (
+          {status === 'draft' && (
            <>
              <button
                onClick={onSaveDraft}
@@ -73,12 +89,12 @@ export default function WorkflowStatusBar({
                disabled={saving}
                className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50 text-sm font-medium"
              >
-                Zur Pruefung einreichen
+                An DSB einreichen
              </button>
            </>
          )}
-          {draftVersion?.status === 'review' && (
+          {status === 'review_internal' && (
            <>
              <button
                onClick={() => onShowApprovalModal('reject')}
@@ -88,16 +104,35 @@ export default function WorkflowStatusBar({
                Ablehnen
              </button>
              <button
-                onClick={() => onShowApprovalModal('approve')}
+                onClick={() => onShowApprovalModal('approve-internal')}
                disabled={saving}
                className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 text-sm font-medium"
              >
-                Freigeben
+                DSB-Freigabe → Mandant
              </button>
            </>
          )}
-          {draftVersion?.status === 'approved' && (
+          {status === 'review_client' && (
            <>
              <button
                onClick={() => onShowApprovalModal('reject')}
                disabled={saving}
                className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:opacity-50 text-sm font-medium"
              >
                Ablehnen
              </button>
              <button
                onClick={() => onShowApprovalModal('approve-client')}
                disabled={saving}
                className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 text-sm font-medium"
              >
                Mandant-Freigabe
              </button>
            </>
          )}
          {status === 'approved' && (
            <button
              onClick={onPublishVersion}
              disabled={saving}
@@ -107,9 +142,11 @@ export default function WorkflowStatusBar({
            </button>
          )}
-          {draftVersion?.status === 'rejected' && (
+          {status === 'rejected' && (
            <div className="flex items-center gap-2">
-              <span className="text-sm text-red-600">Abgelehnt: {draftVersion.rejection_reason}</span>
+              <span className="text-sm text-red-600">
                Abgelehnt: {draftVersion?.rejection_reason}
              </span>
              <button
                onClick={onCreateNewDraft}
                disabled={saving}
@@ -2,6 +2,7 @@
 import { useState } from 'react'
 import { Document, Version, ApprovalHistoryItem } from '../_types'
 import type { ApprovalModalMode } from '../_components/ApprovalModal'
 interface UseWorkflowActionsParams {
  selectedDocument: Document | null
@@ -27,7 +28,7 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
  const [saving, setSaving] = useState(false)
  const [approvalComment, setApprovalComment] = useState('')
-  const [showApprovalModal, setShowApprovalModal] = useState<'approve' | 'reject' | null>(null)
+  const [showApprovalModal, setShowApprovalModal] = useState<ApprovalModalMode | null>(null)
  const [approvalHistory, setApprovalHistory] = useState<ApprovalHistoryItem[]>([])
  const [showNewDocModal, setShowNewDocModal] = useState(false)
  const [newDocForm, setNewDocForm] = useState({ type: 'privacy_policy', name: '', description: '' })
@@ -123,10 +124,15 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
  }
  const approveVersion = async () => {
    // Backward-compat alias — leitet auf approve-internal (DSB → Mandant)
    return approveInternal()
  }
  const approveInternal = async () => {
    if (!draftVersion) return
    setSaving(true)
    try {
-      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve`, {
+      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve-internal`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ comment: approvalComment }),
@@ -138,10 +144,35 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
        await loadVersions(selectedDocument!.id)
      } else {
        const err = await res.json()
-        setError(err.error || 'Fehler bei der Freigabe')
+        setError(err.error || 'Fehler bei der DSB-Freigabe')
      }
    } catch {
-      setError('Fehler bei der Freigabe')
+      setError('Fehler bei der DSB-Freigabe')
    } finally {
      setSaving(false)
    }
  }
  const approveClient = async () => {
    if (!draftVersion) return
    setSaving(true)
    try {
      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve-client`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ comment: approvalComment }),
      })
      if (res.ok) {
        setShowApprovalModal(null)
        setApprovalComment('')
        await loadVersions(selectedDocument!.id)
      } else {
        const err = await res.json()
        setError(err.error || 'Fehler bei der Mandanten-Freigabe')
      }
    } catch {
      setError('Fehler bei der Mandanten-Freigabe')
    } finally {
      setSaving(false)
    }
@@ -242,7 +273,8 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
    newDocForm, setNewDocForm,
    creatingDoc,
    createNewDraft, saveDraft, submitForReview,
-    approveVersion, rejectVersion, publishVersion,
+    approveVersion, approveInternal, approveClient,
    rejectVersion, publishVersion,
    createDocument, loadApprovalHistory,
  }
 }
@@ -16,7 +16,15 @@ export interface Version {
  title: string
  content: string
  summary?: string
-  status: 'draft' | 'review' | 'approved' | 'published' | 'archived' | 'rejected'
+  status:
    | 'draft'
    | 'review' // backward-compat (alte Daten, vor 5-Stage Migration 148)
    | 'review_internal'
    | 'review_client'
    | 'approved'
    | 'published'
    | 'archived'
    | 'rejected'
  created_at: string
  updated_at?: string
  created_by?: string
@@ -35,6 +43,8 @@ export interface ApprovalHistoryItem {
 export const STATUS_LABELS: Record<string, { label: string; color: string }> = {
  draft: { label: 'Entwurf', color: 'bg-yellow-100 text-yellow-700' },
  review: { label: 'In Pruefung', color: 'bg-blue-100 text-blue-700' },
  review_internal: { label: 'DSB-Pruefung', color: 'bg-blue-100 text-blue-700' },
  review_client: { label: 'Mandant-Pruefung', color: 'bg-indigo-100 text-indigo-700' },
  approved: { label: 'Freigegeben', color: 'bg-green-100 text-green-700' },
  published: { label: 'Veroeffentlicht', color: 'bg-emerald-100 text-emerald-700' },
  archived: { label: 'Archiviert', color: 'bg-slate-100 text-slate-700' },
@@ -59,9 +59,18 @@ export default function WorkflowPage() {
      const res = await fetch('/api/admin/consent/documents')
      if (res.ok) {
        const data = await res.json()
-        setDocuments(data.documents || [])
+        const list: Document[] = data.documents || []
-        if (data.documents?.length > 0 && !selectedDocument) {
+        setDocuments(list)
-          setSelectedDocument(data.documents[0])
+        // Auto-Select: erst ?doc=<uuid> URL-Param, sonst erstes Element
        const params = typeof window !== 'undefined'
          ? new URLSearchParams(window.location.search)
          : null
        const wantedId = params?.get('doc')
        const wanted = wantedId ? list.find((d) => d.id === wantedId) : null
        if (wanted) {
          setSelectedDocument(wanted)
        } else if (list.length > 0 && !selectedDocument) {
          setSelectedDocument(list[0])
        }
      }
    } catch {
@@ -83,7 +92,11 @@ export default function WorkflowPage() {
        setCurrentVersion(published || null)
        const draft = versionList.find((v: Version) =>
-          v.status === 'draft' || v.status === 'review' || v.status === 'approved'
+          v.status === 'draft' ||
          v.status === 'review' || // backward-compat: alte Daten
          v.status === 'review_internal' ||
          v.status === 'review_client' ||
          v.status === 'approved'
        )
        if (draft) {
          setDraftVersion(draft)
@@ -247,7 +260,13 @@ export default function WorkflowPage() {
            actions.setShowApprovalModal(null)
            actions.setApprovalComment('')
          }}
-          onConfirm={actions.showApprovalModal === 'approve' ? actions.approveVersion : actions.rejectVersion}
+          onConfirm={
            actions.showApprovalModal === 'approve-internal'
              ? actions.approveInternal
              : actions.showApprovalModal === 'approve-client'
                ? actions.approveClient
                : actions.rejectVersion
          }
          saving={actions.saving}
        />
      )}
@@ -195,12 +195,18 @@ export default function CatalogTable({
                  )}
                  <td className="px-4 py-2.5">
                    {entry.source === 'system' ? (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300">
+                      <span
-                        System
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300 cursor-help"
                        title="System-Katalog — Quellen aus EU-Recht, BAuA, NIST u.a. Lizenzregel je Eintrag (siehe /sdk/licenses)."
                      >
                        System · R1/R2/R3
                      </span>
                    ) : (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300">
+                      <span
-                        Benutzerdefiniert
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300 cursor-help"
                        title="Benutzerdefinierter Eintrag — BreakPilot/Anwender-Eigenwerk. Lizenzregel R3 (Identifier-Verweis), keine externe Attribution noetig."
                      >
                        Benutzerdefiniert · R3
                      </span>
                    )}
                  </td>
@@ -0,0 +1,62 @@
 'use client'
 // Reusable licence-source banner placed at the top of an SDK module page.
 // One-line context that tells the user (and any auditor) which sources
 // the module draws on and which BreakPilot licence rule applies.
 //
 // Usage:
 //   <LicenseModuleBanner
 //     rule={1}
 //     sourceLabel="DSGVO Art. 30 (EU 2016/679)"
 //   />
 //
 // For modules that are pure BreakPilot eigenwerk:
 //   <LicenseModuleBanner rule={3} sourceLabel="BreakPilot-Eigenwerk" />
 type Props = {
  rule: 1 | 2 | 3
  sourceLabel: string
  /** Optional extended note shown after sourceLabel */
  detail?: string
 }
 const RULE_META: Record<number, { bg: string; text: string; pill: string; descr: string }> = {
  1: {
    bg: 'bg-emerald-50 border-emerald-200',
    text: 'text-emerald-800',
    pill: 'bg-emerald-600 text-white',
    descr: 'Hoheitsrecht/Public Domain — woertlich uebernehmbar',
  },
  2: {
    bg: 'bg-amber-50 border-amber-200',
    text: 'text-amber-800',
    pill: 'bg-amber-600 text-white',
    descr: 'Woertlich mit Attribution-Pflicht',
  },
  3: {
    bg: 'bg-slate-50 border-slate-200',
    text: 'text-slate-700',
    pill: 'bg-slate-600 text-white',
    descr: 'Identifier-Verweis / BreakPilot-Eigenwerk',
  },
 }
 export function LicenseModuleBanner({ rule, sourceLabel, detail }: Props) {
  const m = RULE_META[rule]
  return (
    <div className={`px-3 py-2 ${m.bg} border rounded-lg text-xs ${m.text} flex items-start gap-2`}>
      <span className={`inline-flex items-center justify-center w-6 h-6 rounded-full text-[10px] font-bold ${m.pill} flex-shrink-0`}>
        R{rule}
      </span>
      <div className="flex-1">
        <span className="font-semibold">Quellen &amp; Lizenz:</span>{' '}
        <span>{sourceLabel}</span>
        <span className="text-slate-500"> — {m.descr}.</span>
        {detail && <span className="block mt-0.5 text-[11px] opacity-80">{detail}</span>}
        <a href="/sdk/licenses" className="underline ml-1">Quellenverzeichnis</a>
      </div>
    </div>
  )
 }
 export default LicenseModuleBanner
@@ -224,6 +224,19 @@ export function SDKSidebar({ collapsed = false, onCollapsedChange }: SDKSidebarP
            <span>Exportieren</span>
          </button>
        )}
        {!collapsed && (
          <a
            href="/sdk/licenses"
            className="mt-2 w-full flex items-center justify-center gap-2 px-4 py-2 text-xs text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
            title="Quellen und Lizenzen aller verwendeten Compliance-Controls"
          >
            <svg className="w-3.5 h-3.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
            </svg>
            <span>Quellen &amp; Lizenzen</span>
          </a>
        )}
      </div>
    </aside>
  )
@@ -73,6 +73,7 @@ export function SidebarModuleList({ collapsed, projectId, pendingCRCount }: Side
        <AdditionalModuleItem href="/sdk/ai-registration" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" /></svg>} label="EU Registrierung" isActive={pathname?.startsWith('/sdk/ai-registration') ?? false} collapsed={collapsed} projectId={projectId} />
        <AdditionalModuleItem href="/sdk/compliance-optimizer" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 7h8m0 0v8m0-8l-8 8-4-4-6 6" /></svg>} label="Compliance Optimizer" isActive={pathname?.startsWith('/sdk/compliance-optimizer') ?? false} collapsed={collapsed} projectId={projectId} />
        <AdditionalModuleItem href="/sdk/agent" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" /></svg>} label="Compliance Agent" isActive={pathname?.startsWith('/sdk/agent') ?? false} collapsed={collapsed} projectId={projectId} />
        <AdditionalModuleItem href="/sdk/benchmark" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" /></svg>} label="Branchen-Benchmark" isActive={pathname?.startsWith('/sdk/benchmark') ?? false} collapsed={collapsed} projectId={projectId} />
      </div>
      {/* CRA Compliance */}
@@ -494,4 +494,32 @@ export const SDK_STEPS: SDKStep[] = [
    prerequisiteSteps: [],
    isOptional: true,
  },
  {
    id: 'template-rule-editor',
    seq: 5000,
    phase: 2,
    package: 'betrieb',
    order: 13,
    name: 'Empfehlungs-Regeln',
    nameShort: 'Regeln',
    description: 'Editorial-UI fuer profilbasierte Dokument-Empfehlungen (Anwalt/DSB)',
    url: '/sdk/template-rule-editor',
    checkpointId: 'CP-RULES',
    prerequisiteSteps: [],
    isOptional: true,
  },
  {
    id: 'document-library',
    seq: 2500,
    phase: 2,
    package: 'dokumentation',
    order: 99,
    name: 'Document Library',
    nameShort: 'Library',
    description: 'Zentrale Uebersicht aller erzeugten Dokumente, gruppiert nach Empfehlung',
    url: '/sdk/document-library',
    checkpointId: 'CP-DOCLIB',
    prerequisiteSteps: [],
    isOptional: false,
  },
 ]
@@ -38,6 +38,9 @@ RUN adduser -D -u 1000 appuser
 USER appuser
 # Expose port
 ARG BUILD_SHA="unknown"
 ENV BUILD_SHA=${BUILD_SHA}
 EXPOSE 8090
 # Health check
@@ -105,6 +105,7 @@ func (h *IACEHandler) RunBenchmark(c *gin.Context) {
 	}
 	result := iace.CompareBenchmark(gt, hazards, mitigations)
 	result.RiskComparison, result.RiskAgreement = iace.ComputeRiskComparison(result.MatchedPairs)
 	c.JSON(http.StatusOK, result)
 }
@@ -0,0 +1,288 @@
 package handlers
 // LLM Gap-Review handler — Task #7.
 //
 // After the deterministic Pattern-Engine has generated hazards and
 // mitigations for an IACE project, this endpoint asks a configured LLM
 // (Qwen / Claude / OpenAI) to spot what the engine MISSED. The LLM is
 // fed the Limits-Form, the current hazard list, and a compressed
 // pattern catalogue summary; it returns a list of suggested additional
 // hazards or mitigations.
 //
 // Important guardrails:
 //   - Every suggestion must point to an existing pattern_id or norm
 //     identifier — pure free-form LLM hallucinations are filtered.
 //   - The response is provenance-tagged source="llm_gap_review" so
 //     the frontend renders an Adopt/Reject UX rather than committing.
 //   - Engine output (deterministic patterns) is never overwritten by
 //     LLM output; the gap-review is a SUPPLEMENT, not a replacement.
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/breakpilot/ai-compliance-sdk/internal/llm"
 )
 // GapSuggestion is one LLM-proposed addition. Each suggestion is
 // non-binding until the user adopts it via the frontend.
 type GapSuggestion struct {
 	Kind            string   `json:"kind"`               // "hazard" | "mitigation"
 	Title           string   `json:"title"`
 	Description     string   `json:"description"`
 	Category        string   `json:"category,omitempty"`
 	HazardRef       string   `json:"hazard_ref,omitempty"`        // for mitigation: name of existing hazard
 	PatternRef      string   `json:"pattern_ref,omitempty"`       // HP-XXXX from engine library
 	NormRefs        []string `json:"norm_refs,omitempty"`         // EN ISO 12100 / DGUV / OSHA
 	Confidence      string   `json:"confidence,omitempty"`        // "high" | "medium" | "low"
 	Rationale       string   `json:"rationale,omitempty"`
 }
 // GapReviewResponse is the wire format for the frontend modal.
 type GapReviewResponse struct {
 	ProjectID    string          `json:"project_id"`
 	Source       string          `json:"source"`        // "llm_gap_review" | "fallback_static"
 	Model        string          `json:"model,omitempty"`
 	Suggestions  []GapSuggestion `json:"suggestions"`
 	InputSummary struct {
 		HazardCount    int `json:"hazard_count"`
 		MitigationCount int `json:"mitigation_count"`
 		LimitsFormFields int `json:"limits_form_fields"`
 	} `json:"input_summary"`
 }
 // LLMGapReview handles POST /projects/:id/llm-gap-review.
 //
 // The endpoint is intentionally idempotent — repeated calls do not mutate
 // project state. The Adopt step (user-driven) is what changes data, via
 // the existing CreateHazard / CreateMitigation handlers.
 func (h *IACEHandler) LLMGapReview(c *gin.Context) {
 	projectID, err := uuid.Parse(c.Param("id"))
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid project id"})
 		return
 	}
 	ctx := c.Request.Context()
 	project, err := h.store.GetProject(ctx, projectID)
 	if err != nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": "project not found"})
 		return
 	}
 	hazards, err := h.store.ListHazards(ctx, projectID)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "list hazards: " + err.Error()})
 		return
 	}
 	mitigations, err := h.store.ListMitigationsByProject(ctx, projectID)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "list mitigations: " + err.Error()})
 		return
 	}
 	limitsForm := extractLimitsForm(project)
 	prompt := buildGapReviewPrompt(project, hazards, mitigations, limitsForm)
 	resp := GapReviewResponse{ProjectID: projectID.String()}
 	resp.InputSummary.HazardCount = len(hazards)
 	resp.InputSummary.MitigationCount = len(mitigations)
 	resp.InputSummary.LimitsFormFields = countLimitsFields(limitsForm)
 	suggestions, model, err := callLLMForGapReview(ctx, h.llmRegistry, prompt)
 	if err != nil {
 		resp.Source = "fallback_static"
 		resp.Suggestions = staticFallbackSuggestions(hazards)
 		c.JSON(http.StatusOK, resp)
 		return
 	}
 	resp.Source = "llm_gap_review"
 	resp.Model = model
 	resp.Suggestions = filterAndProvenance(suggestions)
 	c.JSON(http.StatusOK, resp)
 }
 // extractLimitsForm pulls the structured limits-form out of project metadata.
 func extractLimitsForm(p *iace.Project) map[string]any {
 	if len(p.Metadata) == 0 {
 		return nil
 	}
 	var md map[string]any
 	if err := json.Unmarshal(p.Metadata, &md); err != nil {
 		return nil
 	}
 	lf, _ := md["limits_form"].(map[string]any)
 	return lf
 }
 func countLimitsFields(lf map[string]any) int {
 	n := 0
 	for _, v := range lf {
 		if s, ok := v.(string); ok && strings.TrimSpace(s) != "" {
 			n++
 		} else if arr, ok := v.([]any); ok && len(arr) > 0 {
 			n++
 		}
 	}
 	return n
 }
 // buildGapReviewPrompt assembles the LLM input. Kept compact — the LLM
 // only needs the limits-form context, the current hazard headlines, and
 // a reminder of the pattern-id naming so its suggestions can be linked
 // back to engine output later.
 func buildGapReviewPrompt(p *iace.Project, hz []iace.Hazard, mt []iace.Mitigation, lf map[string]any) string {
 	var sb strings.Builder
 	sb.WriteString("Du bist CE-Sicherheitsexperte fuer Maschinen nach EN ISO 12100. ")
 	sb.WriteString("Analysiere die folgende Risikobeurteilung und identifiziere FEHLENDE ")
 	sb.WriteString("Gefaehrdungen oder Schutzmassnahmen, die ein erfahrener Auditor ergaenzen wuerde.\n\n")
 	sb.WriteString(fmt.Sprintf("Maschine: %s (Typ: %s, Hersteller: %s)\n",
 		p.MachineName, p.MachineType, p.Manufacturer))
 	if p.CEMarkingTarget != "" {
 		sb.WriteString(fmt.Sprintf("CE-Ziel: %s\n", p.CEMarkingTarget))
 	}
 	sb.WriteString("\nGrenzen-Form (Limits & Verwendung):\n")
 	for k, v := range lf {
 		sb.WriteString(fmt.Sprintf("- %s: %v\n", k, truncForPrompt(v, 200)))
 	}
 	sb.WriteString(fmt.Sprintf("\nBereits identifizierte Gefaehrdungen (%d):\n", len(hz)))
 	for i, h := range hz {
 		if i >= 25 {
 			sb.WriteString(fmt.Sprintf("... und %d weitere\n", len(hz)-25))
 			break
 		}
 		sb.WriteString(fmt.Sprintf("- [%s] %s\n", h.Category, h.Name))
 	}
 	sb.WriteString(fmt.Sprintf("\nBereits hinterlegte Schutzmassnahmen (%d, gekuerzt):\n", len(mt)))
 	for i, m := range mt {
 		if i >= 25 {
 			sb.WriteString(fmt.Sprintf("... und %d weitere\n", len(mt)-25))
 			break
 		}
 		sb.WriteString(fmt.Sprintf("- [%s] %s\n", m.ReductionType, m.Name))
 	}
 	sb.WriteString("\nAufgabe: Liste max. 8 LUECKEN als JSON-Array. Jede Luecke MUSS einer der folgenden Kategorien entsprechen ")
 	sb.WriteString("und SOLL eine Norm- oder Pattern-Referenz nennen (HP-XXXX, EN ISO 12100, EN 13849, EN 13855, DGUV-Info, OSHA 29 CFR).\n")
 	sb.WriteString("Kategorien: mechanical_hazard, electrical_hazard, thermal_hazard, noise_vibration, ergonomic, ")
 	sb.WriteString("material_environmental, pneumatic_hydraulic, radiation_hazard.\n\n")
 	sb.WriteString(`Antworte NUR mit JSON, keine Erklaerung:
 [
  {"kind":"hazard","title":"...","description":"...","category":"...","norm_refs":["EN ISO 12100"],"confidence":"high","rationale":"..."},
  {"kind":"mitigation","title":"...","description":"...","hazard_ref":"Name der bestehenden Gefahr","norm_refs":["DGUV 209-072"],"confidence":"medium","rationale":"..."}
 ]`)
 	return sb.String()
 }
 func truncForPrompt(v any, max int) string {
 	s := fmt.Sprintf("%v", v)
 	if len(s) <= max {
 		return s
 	}
 	return s[:max] + "…"
 }
 // callLLMForGapReview sends the prompt and parses the JSON suggestion list.
 func callLLMForGapReview(ctx context.Context, registry *llm.ProviderRegistry, prompt string) ([]GapSuggestion, string, error) {
 	if registry == nil {
 		return nil, "", fmt.Errorf("no LLM registry configured")
 	}
 	provider, err := registry.GetAvailable(ctx)
 	if err != nil {
 		return nil, "", fmt.Errorf("no LLM provider available: %w", err)
 	}
 	resp, err := provider.Chat(ctx, &llm.ChatRequest{
 		Messages:    []llm.Message{{Role: "user", Content: prompt}},
 		Temperature: 0.25,
 		MaxTokens:   2000,
 	})
 	if err != nil {
 		return nil, "", fmt.Errorf("llm chat: %w", err)
 	}
 	body := strings.TrimSpace(resp.Message.Content)
 	// LLMs occasionally wrap JSON in ```json … ``` fences; strip them.
 	body = strings.TrimPrefix(body, "```json")
 	body = strings.TrimPrefix(body, "```")
 	body = strings.TrimSuffix(body, "```")
 	body = strings.TrimSpace(body)
 	// Find first '[' so any leading prose is ignored.
 	if i := strings.Index(body, "["); i > 0 {
 		body = body[i:]
 	}
 	var out []GapSuggestion
 	if err := json.Unmarshal([]byte(body), &out); err != nil {
 		return nil, "", fmt.Errorf("parse llm response: %w (body=%.200s)", err, body)
 	}
 	return out, provider.Name(), nil
 }
 // filterAndProvenance drops obviously malformed suggestions and stamps
 // every survivor with a `confidence` default. Pure-free-form suggestions
 // without any norm reference are demoted to "low".
 func filterAndProvenance(in []GapSuggestion) []GapSuggestion {
 	out := make([]GapSuggestion, 0, len(in))
 	for _, s := range in {
 		if strings.TrimSpace(s.Title) == "" || s.Kind == "" {
 			continue
 		}
 		if s.Confidence == "" {
 			if len(s.NormRefs) == 0 && s.PatternRef == "" {
 				s.Confidence = "low"
 			} else {
 				s.Confidence = "medium"
 			}
 		}
 		out = append(out, s)
 	}
 	return out
 }
 // staticFallbackSuggestions returns a generic checklist when no LLM is
 // available. Conservative, all confidence="low".
 func staticFallbackSuggestions(hz []iace.Hazard) []GapSuggestion {
 	hasMechanical := false
 	for _, h := range hz {
 		if strings.Contains(h.Category, "mechanical") {
 			hasMechanical = true
 			break
 		}
 	}
 	out := []GapSuggestion{
 		{
 			Kind: "hazard", Title: "Fuss-Quetschung unter absenkendem Werkstueck/Hubeinheit",
 			Description: "Wenn die Maschine eine Hubbewegung ausfuehrt, pruefe ob Fuesse/Beine im Verfahrbereich gequetscht werden koennen.",
 			Category: "mechanical_hazard", NormRefs: []string{"EN ISO 12100 6.3.5.5"},
 			Confidence: "low", Rationale: "Static checklist fallback — LLM nicht verfuegbar.",
 		},
 		{
 			Kind: "hazard", Title: "Hand-Quetschung gegen feste Strukturen beim Hochfahren",
 			Description: "Pruefe Mindestabstand zu festen Strukturen oberhalb der hoechsten Hubposition.",
 			Category: "mechanical_hazard", NormRefs: []string{"EN ISO 13854"},
 			Confidence: "low",
 		},
 		{
 			Kind: "mitigation", Title: "Kriechgeschwindigkeit am Endanschlag (Hubgeraete)",
 			Description: "Hubgeschwindigkeit am Ende der Verfahrbewegung auf <=15 mm/s reduzieren.",
 			NormRefs: []string{"OSHA 29 CFR 1910.217 (Hand-Speed-Konstante)"},
 			Confidence: "low",
 		},
 	}
 	if !hasMechanical {
 		// Trim if not a mechanical context
 		out = out[:1]
 	}
 	return out
 }
@@ -123,7 +123,7 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 	matchOutput := engine.Match(iace.MatchInput{
 		ComponentLibraryIDs: componentIDs,
 		EnergySourceIDs:     energyIDs,
-		LifecyclePhases:     parseResult.LifecyclePhases,
+		LifecyclePhases:     withUniversalLifecycles(parseResult.LifecyclePhases),
 		CustomTags:          parseResult.CustomTags,
 		OperationalStates:   operationalStates,
 		StateTransitions:    parseResult.StateTransitions,
@@ -219,26 +219,21 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 				// scenario itself. Only the aggregated norm-references
 				// block is appended below for an at-a-glance audit trail.
 				desc := mp.ScenarioDE
-				// Phase 17: PLr per EN ISO 13849-1 Anhang A. The graph
+				// BreakPilot's OWN risk model (NOT a norm reproduction):
-				// inputs come from the pattern's DefaultSeverity/Exposure
+				// severity + frequency from the pattern defaults; probability
-				// (mapped to S1/S2 and F1/F2 at threshold 3) plus
+				// (W) and avoidance (P) from public accident-statistics anchors
-				// DefaultAvoidability (P1/P2). If avoidability is unset
+				// (see iace/risk_estimation.go + DATA_SOURCES.md). No EN ISO
-				// we default to P1 — the conservative direction is
+				// 13849-1 risk-graph table or parameter binning is reproduced.
 				// downward (lower PLr), the operator can raise it
 				// manually after expert review.
 				avoid := 1
 				if mp.DefaultAvoidability == 2 {
 					avoid = 2
 				}
 				if mp.DefaultSeverity > 0 && mp.DefaultExposure > 0 {
-					sBin := iace.SeverityToS(mp.DefaultSeverity)
+					s := iace.EstimateSeverity(mp.HazardCats, mp.ScenarioDE, mp.DefaultSeverity)
-					fBin := iace.ExposureToF(mp.DefaultExposure)
+					w := iace.EstimateProbabilityW(mp.HazardCats, mp.ScenarioDE)
-					plr := iace.ComputePLr(sBin, fBin, avoid)
+					p := iace.EstimateAvoidabilityP(mp.HazardCats, mp.ScenarioDE)
-					desc += fmt.Sprintf("\n\nRisikograph EN ISO 13849-1 (Anhang A): S%d · F%d · P%d → PLr %s",
+					_, level := iace.EstimateRiskLevel(s, mp.DefaultExposure, w, p)
-						sBin, fBin, avoid, plr)
+					desc += fmt.Sprintf("\n\nRisikoeinschaetzung (BreakPilot-Modell): S%d · F%d · W%d · P%d → Risiko: %s",
 						s, mp.DefaultExposure, w, p, level)
 				}
 				if mp.ISO12100Section != "" {
-					desc += "\n\nKlassifikation: EN ISO 12100 Anhang B, Abschnitt " + mp.ISO12100Section
+					desc += "\n\nKlassifikation: EN ISO 12100 Abschnitt " + mp.ISO12100Section
 				}
 				hz, cerr := h.store.CreateHazard(ctx, iace.CreateHazardRequest{
@@ -2,12 +2,35 @@ package handlers
 import (
 	"encoding/json"
 	"sort"
 	"strings"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/google/uuid"
 )
 // withUniversalLifecycles ensures the lifecycle phases that occur on virtually
 // every machine — normal operation, setup, maintenance, cleaning — are always
 // present, so their hazards are derived even when the limits form does not list
 // them explicitly. The professional assesses these phases on most devices.
 func withUniversalLifecycles(parsed []string) []string {
 	seen := make(map[string]bool, len(parsed)+4)
 	out := make([]string, 0, len(parsed)+4)
 	for _, p := range parsed {
 		if p != "" && !seen[p] {
 			seen[p] = true
 			out = append(out, p)
 		}
 	}
 	for _, u := range []string{"normal_operation", "setup", "maintenance", "cleaning"} {
 		if !seen[u] {
 			seen[u] = true
 			out = append(out, u)
 		}
 	}
 	return out
 }
 // extractNarrativeFromMetadata builds a combined text from the limits_form.
 func extractNarrativeFromMetadata(metadata json.RawMessage) string {
 	if metadata == nil {
@@ -26,23 +49,37 @@ func extractNarrativeFromMetadata(metadata json.RawMessage) string {
 		return ""
 	}
-	textFields := []string{
+	// Read EVERY field of the limits form — intended use, foreseeable misuse,
-		"general_description", "intended_purpose", "foreseeable_misuse",
+	// machine limits, and ALL interfaces (electrical/mechanical/pneumatic/
-		"space_limits", "time_limits", "environmental_conditions",
+	// software). Each is a hazard source. We don't whitelist field names (the
-		"energy_sources", "materials_processed", "operating_modes",
+	// form schema evolves); noise fields like serial number / year are harmless
-		"maintenance_requirements", "personnel_requirements",
+	// because the parser only extracts from recognised keywords. Keys are
-		"interfaces_description", "control_system_description",
+	// sorted for deterministic output.
-		"safety_functions_description",
+	keys := make([]string, 0, len(limits))
 	for k := range limits {
 		keys = append(keys, k)
 	}
-	var result string
+	sort.Strings(keys)
-	for _, field := range textFields {
+
-		if v, ok := limits[field]; ok {
+	var sb strings.Builder
-			if s, ok := v.(string); ok && s != "" {
+	for _, k := range keys {
-				result += s + "\n\n"
+		switch val := limits[k].(type) {
 		case string:
 			if strings.TrimSpace(val) != "" {
 				sb.WriteString(val)
 				sb.WriteString("\n\n")
 			}
 		case []interface{}:
 			for _, e := range val {
 				if s, ok := e.(string); ok && s != "" {
 					sb.WriteString(s)
 					sb.WriteString(", ")
 				}
 			}
 			sb.WriteString("\n\n")
 		}
 	}
-	return result
+	return sb.String()
 }
 // acceptableMeasureCategories returns the set of measure HazardCategory values
@@ -46,6 +46,8 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 	allNorms = append(allNorms, iace.GetWave3dHvacCNorms()...)
 	allNorms = append(allNorms, iace.GetFinalCNorms()...)
 	includeCrossRef := c.Query("include_crossref") == "true"
 	var filtered []iace.NormReference
 	for _, norm := range allNorms {
 		if normType != "" && norm.NormType != normType {
@@ -54,6 +56,12 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 		if hazardCat != "" && !containsString(norm.HazardCats, hazardCat) {
 			continue
 		}
 		if includeCrossRef {
 			cr := iace.GetNormCrossRef(norm.ID)
 			if len(cr.Mappings) > 0 {
 				norm.CrossRef = &cr
 			}
 		}
 		filtered = append(filtered, norm)
 	}
@@ -61,9 +69,36 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 		filtered = []iace.NormReference{}
 	}
 	covered, total := iace.CrossRefCoverage(len(allNorms))
 	c.JSON(http.StatusOK, gin.H{
 		"norms": filtered,
 		"total": len(filtered),
 		"crossref_coverage": gin.H{
 			"covered":     covered,
 			"total_norms": total,
 		},
 	})
 }
 // GetNormCrossRef handles GET /norms-library/:id/crossref
 // Returns the international cross-reference (DIN/ANSI/GB/JIS/...) for a single norm.
 func (h *IACEHandler) GetNormCrossRef(c *gin.Context) {
 	normID := c.Param("id")
 	if normID == "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "norm id required"})
 		return
 	}
 	cr := iace.GetNormCrossRef(normID)
 	c.JSON(http.StatusOK, cr)
 }
 // ListNormCrossRefs handles GET /norms-library/crossref
 // Returns the entire cross-reference matrix (all populated entries).
 func (h *IACEHandler) ListNormCrossRefs(c *gin.Context) {
 	entries := iace.ListNormCrossRefs()
 	c.JSON(http.StatusOK, gin.H{
 		"entries": entries,
 		"total":   len(entries),
 	})
 }
@@ -0,0 +1,110 @@
 package handlers
 import (
 	"encoding/json"
 	"testing"
 	"github.com/gin-gonic/gin"
 )
 // Contract tests for the new /norms-library/crossref endpoints.
 // These are the practical equivalent of an OpenAPI snapshot: they pin
 // the response shape so a downstream consumer (admin-compliance,
 // developer-portal, SDK) cannot be silently broken.
 func TestGetNormCrossRef_KnownID_ReturnsExpectedShape(t *testing.T) {
 	handler := &IACEHandler{}
 	w, c := newTestContext("GET", "/norms-library/ISO-12100/crossref", nil, nil, gin.Params{
 		{Key: "id", Value: "ISO-12100"},
 	})
 	handler.GetNormCrossRef(c)
 	if w.Code != 200 {
 		t.Fatalf("expected 200, got %d body=%s", w.Code, w.Body.String())
 	}
 	var resp struct {
 		NormID   string `json:"norm_id"`
 		Mappings []struct {
 			Region     string `json:"region"`
 			Identifier string `json:"identifier"`
 			Relation   string `json:"relation"`
 			Confidence string `json:"confidence"`
 		} `json:"mappings"`
 		BatchID string `json:"batch_id"`
 	}
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("response not parsable: %v body=%s", err, w.Body.String())
 	}
 	if resp.NormID != "ISO-12100" {
 		t.Errorf("expected norm_id ISO-12100, got %q", resp.NormID)
 	}
 	if len(resp.Mappings) < 3 {
 		t.Errorf("expected ISO-12100 to have at least 3 mappings, got %d", len(resp.Mappings))
 	}
 }
 func TestGetNormCrossRef_MissingID_Returns400(t *testing.T) {
 	handler := &IACEHandler{}
 	w, c := newTestContext("GET", "/norms-library//crossref", nil, nil, gin.Params{
 		{Key: "id", Value: ""},
 	})
 	handler.GetNormCrossRef(c)
 	if w.Code != 400 {
 		t.Errorf("expected 400 for missing id, got %d", w.Code)
 	}
 }
 func TestGetNormCrossRef_UnknownID_ReturnsEmptyMappings(t *testing.T) {
 	handler := &IACEHandler{}
 	w, c := newTestContext("GET", "/norms-library/ISO-DOESNOTEXIST/crossref", nil, nil, gin.Params{
 		{Key: "id", Value: "ISO-DOESNOTEXIST"},
 	})
 	handler.GetNormCrossRef(c)
 	if w.Code != 200 {
 		t.Fatalf("expected 200 for unknown id (returns empty), got %d", w.Code)
 	}
 	var resp struct {
 		NormID   string        `json:"norm_id"`
 		Mappings []interface{} `json:"mappings"`
 	}
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("response not parsable: %v", err)
 	}
 	if resp.NormID != "ISO-DOESNOTEXIST" {
 		t.Errorf("expected norm_id to echo back, got %q", resp.NormID)
 	}
 	if len(resp.Mappings) != 0 {
 		t.Errorf("expected empty mappings, got %d", len(resp.Mappings))
 	}
 }
 func TestListNormCrossRefs_ReturnsAll(t *testing.T) {
 	handler := &IACEHandler{}
 	w, c := newTestContext("GET", "/norms-library/crossref", nil, nil, nil)
 	handler.ListNormCrossRefs(c)
 	if w.Code != 200 {
 		t.Fatalf("expected 200, got %d", w.Code)
 	}
 	var resp struct {
 		Entries []struct {
 			NormID string `json:"norm_id"`
 		} `json:"entries"`
 		Total int `json:"total"`
 	}
 	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("response not parsable: %v", err)
 	}
 	if resp.Total != 671 {
 		t.Errorf("expected 671 cross-ref entries, got %d", resp.Total)
 	}
 	if len(resp.Entries) != resp.Total {
 		t.Errorf("entries count %d does not match total %d", len(resp.Entries), resp.Total)
 	}
 }
@@ -0,0 +1,30 @@
 package handlers
 import (
 	"net/http"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 // GetRiskSuggestion returns BreakPilot's justified dual-model risk suggestion
 // for a hazard: the EN-62061-style F/W/P/S model and the Fine-Kinney P/E/C
 // model, each with suggested values, justifications and the visible formula.
 // Read-only and computed from public-data anchors — the professional adjusts
 // the values; no norm table is stored or reproduced.
 //
 // GET /projects/:id/hazards/:hid/risk-suggestion
 func (h *IACEHandler) GetRiskSuggestion(c *gin.Context) {
 	hid, err := uuid.Parse(c.Param("hid"))
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid hazard ID"})
 		return
 	}
 	hz, err := h.store.GetHazard(c.Request.Context(), hid)
 	if err != nil || hz == nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": "hazard not found"})
 		return
 	}
 	c.JSON(http.StatusOK, iace.BuildRiskSuggestion(hz))
 }
@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"strings"
 	"github.com/breakpilot/ai-compliance-sdk/internal/dsms"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/breakpilot/ai-compliance-sdk/internal/rbac"
 	"github.com/gin-gonic/gin"
@@ -366,7 +365,10 @@ func (h *IACEHandler) ApproveTechFileSection(c *gin.Context) {
 }
 // ExportTechFile handles GET /projects/:id/tech-file/export?format=pdf|xlsx|docx|md|json
-// Exports all tech file sections in the requested format.
+// Exports all tech file sections in the requested format. When the archive
 // succeeds, archiveTechFile (in iace_handler_techfile_archive.go) attaches
 // X-DSMS-* response headers carrying the resulting CID so the frontend can
 // render an inline CID-badge in the export-success path.
 func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 	projectID, err := uuid.Parse(c.Param("id"))
 	if err != nil {
@@ -412,7 +414,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("PDF export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.pdf", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.pdf", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.pdf"`, safeName))
 		c.Data(http.StatusOK, "application/pdf", data)
@@ -422,7 +424,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("Excel export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.xlsx", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.xlsx", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.xlsx"`, safeName))
 		c.Data(http.StatusOK, "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", data)
@@ -432,7 +434,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("DOCX export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.docx", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.docx", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.docx"`, safeName))
 		c.Data(http.StatusOK, "application/vnd.openxmlformats-officedocument.wordprocessingml.document", data)
@@ -442,7 +444,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("Markdown export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.md", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.md", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.md"`, safeName))
 		c.Data(http.StatusOK, "text/markdown", data)
@@ -467,8 +469,3 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 		})
 	}
 }
 // archiveTechFile stores a tech-file export to DSMS (best-effort, non-blocking).
 func archiveTechFile(data []byte, filename, projectID string) {
 	dsms.Archive(data, filename, "ce_techfile", projectID, "1")
 }
@@ -0,0 +1,65 @@
 package handlers
 import (
 	"encoding/json"
 	"fmt"
 	"github.com/breakpilot/ai-compliance-sdk/internal/dsms"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/breakpilot/ai-compliance-sdk/internal/rbac"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
 // archiveTechFile stores a tech-file export to DSMS (best-effort, non-blocking)
 // AND records the resulting CID in the IACE audit trail so the export is
 // traceable. The "new_values" JSON carries the CID + filename so the audit
 // timeline can later resolve the CID against the DSMS gateway for verify.
 //
 // Side-effect: when the archive succeeds, X-DSMS-CID / X-DSMS-Filename /
 // X-DSMS-Size response headers are attached so the frontend can render an
 // inline CID-badge directly in the export-success path (no separate audit
 // query needed). Headers are written before c.Data() and survive the binary
 // blob response.
 func (h *IACEHandler) archiveTechFile(c *gin.Context, data []byte, filename string, projectID uuid.UUID) {
 	result := dsms.Archive(data, filename, "ce_techfile", projectID.String(), "1")
 	if result == nil || result.CID == "" {
 		return
 	}
 	setDSMSResponseHeaders(c, result.CID, filename, result.Size)
 	if h.store == nil {
 		return
 	}
 	payload := map[string]string{
 		"cid":      result.CID,
 		"filename": filename,
 		"size":     fmt.Sprintf("%d", result.Size),
 	}
 	newValues, _ := json.Marshal(payload)
 	userID := rbac.GetUserID(c)
 	_ = h.store.AddAuditEntry(
 		c.Request.Context(),
 		projectID,
 		"tech_file_export",
 		projectID,
 		iace.AuditActionCreate,
 		userID.String(),
 		nil,
 		newValues,
 	)
 }
 // setDSMSResponseHeaders attaches the X-DSMS-* headers so the frontend can
 // surface the archived CID inline (export-success badge) without re-querying
 // the audit trail. Pure helper — no store, no side effects beyond headers.
 func setDSMSResponseHeaders(c *gin.Context, cid, filename string, size int) {
 	if cid == "" {
 		return
 	}
 	c.Header("X-DSMS-CID", cid)
 	c.Header("X-DSMS-Filename", filename)
 	c.Header("X-DSMS-Size", fmt.Sprintf("%d", size))
 	c.Header("Access-Control-Expose-Headers", "X-DSMS-CID, X-DSMS-Filename, X-DSMS-Size")
 }
@@ -0,0 +1,76 @@
 package handlers
 import (
 	"net/http/httptest"
 	"testing"
 	"github.com/gin-gonic/gin"
 )
 func TestSetDSMSResponseHeaders_NonEmptyCID_WritesAllHeaders(t *testing.T) {
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	setDSMSResponseHeaders(c, "bafytest123", "CE-Akte-FOO.pdf", 42)
 	if got := w.Header().Get("X-DSMS-CID"); got != "bafytest123" {
 		t.Errorf("X-DSMS-CID: want bafytest123, got %q", got)
 	}
 	if got := w.Header().Get("X-DSMS-Filename"); got != "CE-Akte-FOO.pdf" {
 		t.Errorf("X-DSMS-Filename: want CE-Akte-FOO.pdf, got %q", got)
 	}
 	if got := w.Header().Get("X-DSMS-Size"); got != "42" {
 		t.Errorf("X-DSMS-Size: want 42, got %q", got)
 	}
 	expose := w.Header().Get("Access-Control-Expose-Headers")
 	if expose == "" {
 		t.Error("Access-Control-Expose-Headers should be set so the browser surfaces the X-DSMS-* headers across same-origin proxies and CORS")
 	}
 	for _, h := range []string{"X-DSMS-CID", "X-DSMS-Filename", "X-DSMS-Size"} {
 		if !contains(expose, h) {
 			t.Errorf("Access-Control-Expose-Headers missing %s, got %q", h, expose)
 		}
 	}
 }
 func TestSetDSMSResponseHeaders_EmptyCID_WritesNothing(t *testing.T) {
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	setDSMSResponseHeaders(c, "", "irrelevant.pdf", 100)
 	if got := w.Header().Get("X-DSMS-CID"); got != "" {
 		t.Errorf("X-DSMS-CID should be absent for empty CID, got %q", got)
 	}
 	if got := w.Header().Get("X-DSMS-Filename"); got != "" {
 		t.Errorf("X-DSMS-Filename should be absent for empty CID, got %q", got)
 	}
 	if got := w.Header().Get("X-DSMS-Size"); got != "" {
 		t.Errorf("X-DSMS-Size should be absent for empty CID, got %q", got)
 	}
 }
 func TestSetDSMSResponseHeaders_ZeroSize_StillWritesHeader(t *testing.T) {
 	// A 0-byte archive is degenerate but valid — the frontend still needs the
 	// CID badge to expose the chain to the user. Don't suppress the header.
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	setDSMSResponseHeaders(c, "bafyzero", "empty.pdf", 0)
 	if got := w.Header().Get("X-DSMS-CID"); got != "bafyzero" {
 		t.Errorf("X-DSMS-CID: want bafyzero, got %q", got)
 	}
 	if got := w.Header().Get("X-DSMS-Size"); got != "0" {
 		t.Errorf("X-DSMS-Size: want 0, got %q", got)
 	}
 }
 func contains(s, sub string) bool {
 	for i := 0; i+len(sub) <= len(s); i++ {
 		if s[i:i+len(sub)] == sub {
 			return true
 		}
 	}
 	return false
 }
@@ -355,117 +355,6 @@ func registerWhistleblowerRoutes(v1 *gin.RouterGroup, h *handlers.WhistleblowerH
 	}
 }
 func registerIACERoutes(v1 *gin.RouterGroup, h *handlers.IACEHandler) {
 	iaceRoutes := v1.Group("/iace")
 	{
 		iaceRoutes.GET("/hazard-library", h.ListHazardLibrary)
 		iaceRoutes.GET("/controls-library", h.ListControlsLibrary)
 		iaceRoutes.GET("/norms-library", h.ListNormsLibrary)
 		iaceRoutes.GET("/lifecycle-phases", h.ListLifecyclePhases)
 		iaceRoutes.GET("/roles", h.ListRoles)
 		iaceRoutes.GET("/evidence-types", h.ListEvidenceTypes)
 		iaceRoutes.GET("/protective-measures-library", h.ListProtectiveMeasures)
 		iaceRoutes.GET("/failure-modes", h.ListFailureModes)
 		iaceRoutes.GET("/operational-states", h.ListOperationalStates)
 		iaceRoutes.GET("/component-library", h.ListComponentLibrary)
 		iaceRoutes.GET("/energy-sources", h.ListEnergySources)
 		iaceRoutes.GET("/tags", h.ListTags)
 		iaceRoutes.GET("/hazard-patterns", h.ListHazardPatterns)
 		iaceRoutes.POST("/projects", h.CreateProject)
 		iaceRoutes.GET("/projects", h.ListProjects)
 		iaceRoutes.GET("/projects/:id", h.GetProject)
 		iaceRoutes.PUT("/projects/:id", h.UpdateProject)
 		iaceRoutes.DELETE("/projects/:id", h.ArchiveProject)
 		iaceRoutes.POST("/projects/:id/init-from-profile", h.InitFromProfile)
 		iaceRoutes.POST("/projects/:id/variants", h.CreateVariant)
 		iaceRoutes.GET("/projects/:id/variants", h.ListVariants)
 		iaceRoutes.GET("/projects/:id/variant-gap", h.GetVariantGap)
 		iaceRoutes.POST("/projects/:id/completeness-check", h.CheckCompleteness)
 		iaceRoutes.POST("/projects/:id/components", h.CreateComponent)
 		iaceRoutes.GET("/projects/:id/components", h.ListComponents)
 		iaceRoutes.PUT("/projects/:id/components/:cid", h.UpdateComponent)
 		iaceRoutes.DELETE("/projects/:id/components/:cid", h.DeleteComponent)
 		iaceRoutes.POST("/projects/:id/classify", h.Classify)
 		iaceRoutes.GET("/projects/:id/classifications", h.GetClassifications)
 		iaceRoutes.POST("/projects/:id/classify/:regulation", h.ClassifySingle)
 		iaceRoutes.POST("/projects/:id/hazards", h.CreateHazard)
 		iaceRoutes.GET("/projects/:id/hazards", h.ListHazards)
 		iaceRoutes.PUT("/projects/:id/hazards/:hid", h.UpdateHazard)
 		iaceRoutes.POST("/projects/:id/hazards/suggest", h.SuggestHazards)
 		iaceRoutes.POST("/projects/:id/match-patterns", h.MatchPatterns)
 		iaceRoutes.POST("/projects/:id/parse-narrative", h.ParseNarrative)
 		iaceRoutes.POST("/projects/:id/delta-analysis", h.DeltaAnalysis)
 		iaceRoutes.GET("/projects/:id/fmea/export", h.ExportFMEA)
 		iaceRoutes.POST("/projects/:id/components/:cid/suggest-fms", h.SuggestFailureModes)
 		iaceRoutes.POST("/projects/:id/apply-patterns", h.ApplyPatternResults)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/suggest-measures", h.SuggestMeasuresForHazard)
 		iaceRoutes.POST("/projects/:id/mitigations/:mid/suggest-evidence", h.SuggestEvidenceForMitigation)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/assess", h.AssessRisk)
 		iaceRoutes.GET("/projects/:id/risk-summary", h.GetRiskSummary)
 		iaceRoutes.GET("/projects/:id/suggested-norms", h.SuggestProjectNorms)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/reassess", h.ReassessRisk)
 		iaceRoutes.GET("/projects/:id/mitigations", h.ListProjectMitigations)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/mitigations", h.CreateMitigation)
 		iaceRoutes.DELETE("/projects/:id/mitigations/:mid", h.DeleteMitigation)
 		iaceRoutes.PUT("/mitigations/:mid", h.UpdateMitigation)
 		iaceRoutes.POST("/mitigations/:mid/verify", h.VerifyMitigation)
 		iaceRoutes.POST("/projects/:id/validate-mitigation-hierarchy", h.ValidateMitigationHierarchy)
 		iaceRoutes.POST("/projects/:id/evidence", h.UploadEvidence)
 		iaceRoutes.GET("/projects/:id/evidence", h.ListEvidence)
 		iaceRoutes.POST("/projects/:id/verification-plan", h.CreateVerificationPlan)
 		iaceRoutes.PUT("/verification-plan/:vid", h.UpdateVerificationPlan)
 		iaceRoutes.POST("/verification-plan/:vid/complete", h.CompleteVerification)
 		iaceRoutes.GET("/projects/:id/verifications", h.ListVerificationPlans)
 		iaceRoutes.POST("/projects/:id/verifications", h.CreateVerificationAlias)
 		iaceRoutes.DELETE("/projects/:id/verifications/:vid", h.DeleteVerificationPlan)
 		iaceRoutes.POST("/projects/:id/verifications/:vid/complete", h.CompleteVerificationAlias)
 		iaceRoutes.POST("/projects/:id/tech-file/generate", h.GenerateTechFile)
 		iaceRoutes.GET("/projects/:id/tech-file", h.ListTechFileSections)
 		iaceRoutes.PUT("/projects/:id/tech-file/:section", h.UpdateTechFileSection)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/approve", h.ApproveTechFileSection)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/generate", h.GenerateSingleSection)
 		iaceRoutes.GET("/projects/:id/tech-file/export", h.ExportTechFile)
 		iaceRoutes.POST("/projects/:id/monitoring", h.CreateMonitoringEvent)
 		iaceRoutes.GET("/projects/:id/monitoring", h.ListMonitoringEvents)
 		iaceRoutes.PUT("/projects/:id/monitoring/:eid", h.UpdateMonitoringEvent)
 		iaceRoutes.GET("/projects/:id/audit-trail", h.GetAuditTrail)
 		iaceRoutes.POST("/library-search", h.SearchLibrary)
 		iaceRoutes.GET("/ce-corpus-documents", h.ListCECorpusDocuments)
 		iaceRoutes.POST("/projects/:id/initialize", h.InitializeProject)
 		iaceRoutes.GET("/projects/:id/hazard-blocks", h.GetHazardBlocks)
 		iaceRoutes.POST("/projects/:id/benchmark/import-gt", h.ImportGroundTruth)
 		iaceRoutes.GET("/projects/:id/benchmark", h.RunBenchmark)
 		iaceRoutes.GET("/projects/:id/benchmark/summary", h.GetBenchmarkSummary)
 		iaceRoutes.GET("/projects/:id/hazards/:hid/regulatory-hints", h.EnrichHazardWithRegulations)
 		iaceRoutes.GET("/projects/:id/mitigations/:mid/regulatory-hints", h.EnrichMitigationWithRegulations)
 		iaceRoutes.GET("/projects/:id/regulatory-hints", h.EnrichProjectHazardsBatch)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/enrich", h.EnrichTechFileSection)
 		// Production Lines
 		iaceRoutes.POST("/production-lines", h.CreateProductionLine)
 		iaceRoutes.GET("/production-lines", h.ListProductionLines)
 		iaceRoutes.GET("/production-lines/:lid/dashboard", h.GetProductionLineDashboard)
 		iaceRoutes.POST("/production-lines/:lid/stations", h.AddStationToLine)
 		iaceRoutes.DELETE("/production-lines/:lid/stations/:sid", h.RemoveStationFromLine)
 		// CE x Compliance Crossover
 		iaceRoutes.GET("/projects/:id/compliance-triggers", h.GetComplianceTriggers)
 		iaceRoutes.GET("/compliance-faq", h.GetComplianceFAQ)
 		// Clarifications — aggregated open questions per project
 		iaceRoutes.GET("/projects/:id/clarifications", h.ListClarifications)
 		iaceRoutes.GET("/projects/:id/clarifications.csv", h.ExportClarificationsCSV)
 		iaceRoutes.GET("/projects/:id/clarifications.html", h.ExportClarificationsHTML)
 		iaceRoutes.GET("/projects/:id/clarifications/:cid/detail", h.ListClarificationDetail)
 		iaceRoutes.POST("/projects/:id/clarifications/:cid/answer", h.AnswerClarification)
 		iaceRoutes.POST("/projects/:id/clarifications/:cid/comment", h.PostClarificationComment)
 		// Customer-Standard Reuse (migration 031): pull reusable mitigations
 		// across prior projects of the same customer.
 		iaceRoutes.GET("/projects/:id/customer-standards", h.ListCustomerStandardSuggestions)
 		iaceRoutes.POST("/projects/:id/customer-standards/import", h.ImportCustomerStandardSuggestion)
 	}
 }
 func registerMaximizerRoutes(v1 *gin.RouterGroup, h *handlers.MaximizerHandlers) {
 	m := v1.Group("/maximizer")
@@ -0,0 +1,139 @@
 package app
 // IACE route registration extracted from routes.go (2026-05-21) because
 // routes.go hit the 500-LOC hard cap when the LLM gap-review endpoint
 // (Task #7) was added. Splitting keeps every routes file under the cap
 // without changing behaviour — `registerRoutes` in routes.go still
 // invokes `registerIACERoutes` exactly once at the same point in the
 // startup sequence.
 import (
 	"github.com/breakpilot/ai-compliance-sdk/internal/api/handlers"
 	"github.com/gin-gonic/gin"
 )
 func registerIACERoutes(v1 *gin.RouterGroup, h *handlers.IACEHandler) {
 	iaceRoutes := v1.Group("/iace")
 	{
 		// Library catalogues (read-only reference data).
 		iaceRoutes.GET("/hazard-library", h.ListHazardLibrary)
 		iaceRoutes.GET("/controls-library", h.ListControlsLibrary)
 		iaceRoutes.GET("/norms-library", h.ListNormsLibrary)
 		iaceRoutes.GET("/norms-library/crossref", h.ListNormCrossRefs)
 		iaceRoutes.GET("/norms-library/:id/crossref", h.GetNormCrossRef)
 		iaceRoutes.GET("/lifecycle-phases", h.ListLifecyclePhases)
 		iaceRoutes.GET("/roles", h.ListRoles)
 		iaceRoutes.GET("/evidence-types", h.ListEvidenceTypes)
 		iaceRoutes.GET("/protective-measures-library", h.ListProtectiveMeasures)
 		iaceRoutes.GET("/failure-modes", h.ListFailureModes)
 		iaceRoutes.GET("/operational-states", h.ListOperationalStates)
 		iaceRoutes.GET("/component-library", h.ListComponentLibrary)
 		iaceRoutes.GET("/energy-sources", h.ListEnergySources)
 		iaceRoutes.GET("/tags", h.ListTags)
 		iaceRoutes.GET("/hazard-patterns", h.ListHazardPatterns)
 		// Project CRUD.
 		iaceRoutes.POST("/projects", h.CreateProject)
 		iaceRoutes.GET("/projects", h.ListProjects)
 		iaceRoutes.GET("/projects/:id", h.GetProject)
 		iaceRoutes.PUT("/projects/:id", h.UpdateProject)
 		iaceRoutes.DELETE("/projects/:id", h.ArchiveProject)
 		iaceRoutes.POST("/projects/:id/init-from-profile", h.InitFromProfile)
 		iaceRoutes.POST("/projects/:id/variants", h.CreateVariant)
 		iaceRoutes.GET("/projects/:id/variants", h.ListVariants)
 		iaceRoutes.GET("/projects/:id/variant-gap", h.GetVariantGap)
 		iaceRoutes.POST("/projects/:id/completeness-check", h.CheckCompleteness)
 		// Components.
 		iaceRoutes.POST("/projects/:id/components", h.CreateComponent)
 		iaceRoutes.GET("/projects/:id/components", h.ListComponents)
 		iaceRoutes.PUT("/projects/:id/components/:cid", h.UpdateComponent)
 		iaceRoutes.DELETE("/projects/:id/components/:cid", h.DeleteComponent)
 		// Classification + hazards.
 		iaceRoutes.POST("/projects/:id/classify", h.Classify)
 		iaceRoutes.GET("/projects/:id/classifications", h.GetClassifications)
 		iaceRoutes.POST("/projects/:id/classify/:regulation", h.ClassifySingle)
 		iaceRoutes.POST("/projects/:id/hazards", h.CreateHazard)
 		iaceRoutes.GET("/projects/:id/hazards", h.ListHazards)
 		iaceRoutes.PUT("/projects/:id/hazards/:hid", h.UpdateHazard)
 		iaceRoutes.POST("/projects/:id/hazards/suggest", h.SuggestHazards)
 		iaceRoutes.POST("/projects/:id/match-patterns", h.MatchPatterns)
 		iaceRoutes.POST("/projects/:id/parse-narrative", h.ParseNarrative)
 		iaceRoutes.POST("/projects/:id/delta-analysis", h.DeltaAnalysis)
 		iaceRoutes.POST("/projects/:id/llm-gap-review", h.LLMGapReview)
 		iaceRoutes.GET("/projects/:id/fmea/export", h.ExportFMEA)
 		iaceRoutes.POST("/projects/:id/components/:cid/suggest-fms", h.SuggestFailureModes)
 		iaceRoutes.POST("/projects/:id/apply-patterns", h.ApplyPatternResults)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/suggest-measures", h.SuggestMeasuresForHazard)
 		iaceRoutes.POST("/projects/:id/mitigations/:mid/suggest-evidence", h.SuggestEvidenceForMitigation)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/assess", h.AssessRisk)
 		iaceRoutes.GET("/projects/:id/hazards/:hid/risk-suggestion", h.GetRiskSuggestion)
 		iaceRoutes.GET("/projects/:id/risk-summary", h.GetRiskSummary)
 		iaceRoutes.GET("/projects/:id/suggested-norms", h.SuggestProjectNorms)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/reassess", h.ReassessRisk)
 		// Mitigations + evidence + verification.
 		iaceRoutes.GET("/projects/:id/mitigations", h.ListProjectMitigations)
 		iaceRoutes.POST("/projects/:id/hazards/:hid/mitigations", h.CreateMitigation)
 		iaceRoutes.DELETE("/projects/:id/mitigations/:mid", h.DeleteMitigation)
 		iaceRoutes.PUT("/mitigations/:mid", h.UpdateMitigation)
 		iaceRoutes.POST("/mitigations/:mid/verify", h.VerifyMitigation)
 		iaceRoutes.POST("/projects/:id/validate-mitigation-hierarchy", h.ValidateMitigationHierarchy)
 		iaceRoutes.POST("/projects/:id/evidence", h.UploadEvidence)
 		iaceRoutes.GET("/projects/:id/evidence", h.ListEvidence)
 		iaceRoutes.POST("/projects/:id/verification-plan", h.CreateVerificationPlan)
 		iaceRoutes.PUT("/verification-plan/:vid", h.UpdateVerificationPlan)
 		iaceRoutes.POST("/verification-plan/:vid/complete", h.CompleteVerification)
 		iaceRoutes.GET("/projects/:id/verifications", h.ListVerificationPlans)
 		iaceRoutes.POST("/projects/:id/verifications", h.CreateVerificationAlias)
 		iaceRoutes.DELETE("/projects/:id/verifications/:vid", h.DeleteVerificationPlan)
 		iaceRoutes.POST("/projects/:id/verifications/:vid/complete", h.CompleteVerificationAlias)
 		// Tech file + monitoring + audit.
 		iaceRoutes.POST("/projects/:id/tech-file/generate", h.GenerateTechFile)
 		iaceRoutes.GET("/projects/:id/tech-file", h.ListTechFileSections)
 		iaceRoutes.PUT("/projects/:id/tech-file/:section", h.UpdateTechFileSection)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/approve", h.ApproveTechFileSection)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/generate", h.GenerateSingleSection)
 		iaceRoutes.GET("/projects/:id/tech-file/export", h.ExportTechFile)
 		iaceRoutes.POST("/projects/:id/monitoring", h.CreateMonitoringEvent)
 		iaceRoutes.GET("/projects/:id/monitoring", h.ListMonitoringEvents)
 		iaceRoutes.PUT("/projects/:id/monitoring/:eid", h.UpdateMonitoringEvent)
 		iaceRoutes.GET("/projects/:id/audit-trail", h.GetAuditTrail)
 		// Library + corpus + benchmark.
 		iaceRoutes.POST("/library-search", h.SearchLibrary)
 		iaceRoutes.GET("/ce-corpus-documents", h.ListCECorpusDocuments)
 		iaceRoutes.POST("/projects/:id/initialize", h.InitializeProject)
 		iaceRoutes.GET("/projects/:id/hazard-blocks", h.GetHazardBlocks)
 		iaceRoutes.POST("/projects/:id/benchmark/import-gt", h.ImportGroundTruth)
 		iaceRoutes.GET("/projects/:id/benchmark", h.RunBenchmark)
 		iaceRoutes.GET("/projects/:id/benchmark/summary", h.GetBenchmarkSummary)
 		// Regulatory enrichment.
 		iaceRoutes.GET("/projects/:id/hazards/:hid/regulatory-hints", h.EnrichHazardWithRegulations)
 		iaceRoutes.GET("/projects/:id/mitigations/:mid/regulatory-hints", h.EnrichMitigationWithRegulations)
 		iaceRoutes.GET("/projects/:id/regulatory-hints", h.EnrichProjectHazardsBatch)
 		iaceRoutes.POST("/projects/:id/tech-file/:section/enrich", h.EnrichTechFileSection)
 		// Production lines.
 		iaceRoutes.POST("/production-lines", h.CreateProductionLine)
 		iaceRoutes.GET("/production-lines", h.ListProductionLines)
 		iaceRoutes.GET("/production-lines/:lid/dashboard", h.GetProductionLineDashboard)
 		iaceRoutes.POST("/production-lines/:lid/stations", h.AddStationToLine)
 		iaceRoutes.DELETE("/production-lines/:lid/stations/:sid", h.RemoveStationFromLine)
 		// CE x Compliance crossover + clarifications + customer standards.
 		iaceRoutes.GET("/projects/:id/compliance-triggers", h.GetComplianceTriggers)
 		iaceRoutes.GET("/compliance-faq", h.GetComplianceFAQ)
 		iaceRoutes.GET("/projects/:id/clarifications", h.ListClarifications)
 		iaceRoutes.GET("/projects/:id/clarifications.csv", h.ExportClarificationsCSV)
 		iaceRoutes.GET("/projects/:id/clarifications.html", h.ExportClarificationsHTML)
 		iaceRoutes.GET("/projects/:id/clarifications/:cid/detail", h.ListClarificationDetail)
 		iaceRoutes.POST("/projects/:id/clarifications/:cid/answer", h.AnswerClarification)
 		iaceRoutes.POST("/projects/:id/clarifications/:cid/comment", h.PostClarificationComment)
 		iaceRoutes.GET("/projects/:id/customer-standards", h.ListCustomerStandardSuggestions)
 		iaceRoutes.POST("/projects/:id/customer-standards/import", h.ImportCustomerStandardSuggestion)
 	}
 }
@@ -0,0 +1,74 @@
 package dsms
 import (
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 )
 func TestArchive_Success_ReturnsCID(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "POST" || r.URL.Path != "/api/v1/documents" {
 			http.Error(w, "wrong route", http.StatusNotFound)
 			return
 		}
 		if !strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data") {
 			http.Error(w, "wrong content-type", http.StatusBadRequest)
 			return
 		}
 		if r.Header.Get("Authorization") == "" {
 			http.Error(w, "missing auth", http.StatusUnauthorized)
 			return
 		}
 		io.ReadAll(r.Body)
 		w.Header().Set("Content-Type", "application/json")
 		_ = json.NewEncoder(w).Encode(ArchiveResult{
 			CID:        "bafytest123",
 			Size:       42,
 			GatewayURL: "/ipfs/bafytest123",
 		})
 	}))
 	defer server.Close()
 	old := gatewayURL
 	defer func() { gatewayURL = old }()
 	gatewayURL = server.URL
 	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
 	if got == nil {
 		t.Fatal("expected non-nil result on 200 OK")
 	}
 	if got.CID != "bafytest123" {
 		t.Errorf("expected CID bafytest123, got %q", got.CID)
 	}
 	if got.Size != 42 {
 		t.Errorf("expected Size 42, got %d", got.Size)
 	}
 }
 func TestArchive_GatewayDown_ReturnsNil(t *testing.T) {
 	old := gatewayURL
 	defer func() { gatewayURL = old }()
 	gatewayURL = "http://127.0.0.1:1" // unreachable
 	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
 	if got != nil {
 		t.Errorf("expected nil when gateway unreachable, got %+v", got)
 	}
 }
 func TestArchive_GatewayReturnsError_ReturnsNil(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 	}))
 	defer server.Close()
 	old := gatewayURL
 	defer func() { gatewayURL = old }()
 	gatewayURL = server.URL
 	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
 	if got != nil {
 		t.Errorf("expected nil on 500 response, got %+v", got)
 	}
 }
@@ -0,0 +1,54 @@
 # Risk-estimation data sources & licenses
 Provenance for the probability (W) / avoidance (P) tiers in `risk_estimation.go`
 (`contactModeTable`). We do **not** vendor any raw dataset — only the small
 aggregate facts used as anchors plus our own calibrated tiers live in code.
 ## What we use and how
 The tiers are derived in two steps:
 1. **Anchor** — the *relative ordering* of injury contact modes from public,
   permissively-licensed occupational-accident statistics (which mechanisms are
   more vs. less frequent).
 2. **Calibrate** — adjust the tier *values* to our own ground-truth corpus
   (the professional's W/P per mode). Well-sampled modes are set to the GT mean;
   sparse modes use conservative defaults (no overfitting to a 2-GT sample).
 The numbers in code are therefore **ours**, not a copy of any dataset, and they
 do **not** reproduce any standard's risk-graph table, decision tree or matrix.
 ## Primary source — Eurostat ESAW
 - **Dataset:** European Statistics on Accidents at Work (ESAW), contact mode of injury.
 - **License:** **CC BY 4.0** — commercial and non-commercial reuse permitted,
  source acknowledgement required.
 - **Attribution string:** `Source: Eurostat (ESAW), CC BY 4.0` — surface this in
  any generated risk-assessment export that shows engine risk numbers.
 - **URL:** https://ec.europa.eu/eurostat/statistics-explained/index.php/Accidents_at_work_-_statistics_on_causes_and_circumstances
 - **Aggregate facts used (anchor only):** contact-mode shares of accidents at
  work, e.g. impact with stationary object ~24%, struck by moving object ~13%
  (non-fatal) / ~24% (fatal), trapped/crushed ~14% (fatal), contact with sharp
  agent ~15%. Retrieved 2026-06.
 ## Acceptable supplements
 - **US BLS / OSHA** (Bureau of Labor Statistics, occupational injuries) — **U.S.
  Government work, public domain**; free for any use.
 - **UK HSE** (RIDDOR / kinds-of-accident) — **Open Government Licence v3**;
  commercial reuse with attribution.
 ## Explicitly excluded
 - **DGUV statistics** — terms grant only editorial use and forbid modification
  / re-licensing; **unsuitable for a commercial product**. Not used.
 - **DIN / Beuth / ISO / IEC standards** (e.g. risk-graph tables, parameter
  decision trees, SIL/PL matrices) — copyrighted; **not reproduced or
  re-implemented**. Our model uses only the universal, non-protectable risk
  *dimensions* (severity, frequency, probability, avoidance).
 ## Maintenance
 When a tier in `contactModeTable` changes, record the source figure and the GT
 calibration basis here. Add this file to the repository SBOM / license register
 alongside software dependencies.
@@ -18,6 +18,7 @@ func CompareBenchmark(gt *GroundTruth, hazards []Hazard, mitigations []Mitigatio
 	if gt == nil || len(gt.Entries) == 0 {
 		return &BenchmarkResult{}
 	}
 	gt = filterPlaceholderEntries(gt)
 	// Build mitigation names per hazard
 	mitNamesByHazard := make(map[string][]string)
@@ -73,8 +74,12 @@ func CompareBenchmark(gt *GroundTruth, hazards []Hazard, mitigations []Mitigatio
 	usedEng := make(map[int]bool)
 	var matched []HazardMatchPair
 	// 1:n matching: a single broad engine hazard may legitimately cover several
 	// fine-grained GT sub-scenarios (e.g. one "crush under descending load"
 	// pattern covers the GT's separate foot / hand / leg crush rows). We only
 	// block a GT entry from matching twice; an engine hazard may match several.
 	for _, p := range pairs {
-		if usedGT[p.gtIdx] || usedEng[p.engIdx] {
+		if usedGT[p.gtIdx] {
 			continue
 		}
 		usedGT[p.gtIdx] = true
@@ -456,3 +461,26 @@ func buildRiskRankPairs(matched []HazardMatchPair) []RiskRankPair {
 	}
 	return pairs
 }
 // filterPlaceholderEntries drops GT rows that are not real hazards — empty
 // causes with placeholder/section-heading types like "[weitere Risikominderung]"
 // or "Allgemeine ... Anforderungen aus der MaschinenRiL". They are not engine-
 // matchable and unfairly depress the coverage metric, so they are excluded
 // from TotalGT.
 func filterPlaceholderEntries(gt *GroundTruth) *GroundTruth {
 	kept := make([]GroundTruthEntry, 0, len(gt.Entries))
 	for _, e := range gt.Entries {
 		cause := strings.TrimSpace(e.HazardCause)
 		typ := normalizeDE(e.HazardType)
 		isPlaceholder := cause == "" && (typ == "" ||
 			strings.HasPrefix(typ, "[") ||
 			strings.Contains(typ, "allgemeine") ||
 			strings.Contains(typ, "weitere risikominderung"))
 		if !isPlaceholder {
 			kept = append(kept, e)
 		}
 	}
 	out := *gt
 	out.Entries = kept
 	return &out
 }
@@ -80,6 +80,9 @@ type BenchmarkResult struct {
 	ExtraInEngine     []HazardSummary    `json:"extra_in_engine"`
 	CategoryBreakdown []CategoryScore    `json:"category_breakdown"`
 	RiskRankPairs     []RiskRankPair     `json:"risk_rank_pairs"`
 	// Risk-number comparison (tool vs professional) per matched hazard + aggregate.
 	RiskComparison    []RiskComparisonPair `json:"risk_comparison,omitempty"`
 	RiskAgreement     RiskAgreement        `json:"risk_agreement"`
 }
 // HazardMatchPair links a GT entry to an engine hazard.
--- a/Show More
+++ b/Show More