fix(mc): defensive mapping queries + MinIO env overridable + iace migration 151

- master-controls route: guard all mapping queries with hasMappingTables() so
  an unseeded DB degrades to empty filters instead of a 500.
- docker-compose: MinIO endpoint/keys/secure overridable via env (prod defaults
  preserved) — enables per-environment local config.
- migration 151: reproducible iace_projects.parent_project_id (was ad-hoc).

[migration-approved]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.claude/rules/loc-exceptions.txt

@@ -122,9 +122,9 @@ consent-sdk/src/mobile/ios/ConsentManager.swift
 consent-tester/services/dsi_discovery.py
 
 # --- backend-compliance: unified compliance check orchestrator ---
-# Sequential 7-step pipeline (text resolve, profile detect, check documents,
-# banner scan, cross-check, profile extract, report). Phase 5 split target.
-backend-compliance/compliance/api/agent_compliance_check_routes.py
+# 2026-06-06: REMOVED — file split into agent_check/ subpackage
+# (19 files, main module now 347 LOC). Phase 5 target completed.
+# [guardrail-change]
 
 # --- docs-src: binary office files (not source code) ---
 # (Also excluded by extension in scripts/check-loc.sh — kept here for legibility.)
@@ -134,6 +134,14 @@ docs-src/Breakpilot ComplAI Finanzplan.xlsm
 # Phase 5+ target for splitting into smaller subcomponents per wizard step.
 admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx
 
+# --- admin-compliance: zentrale SDK-Schritt-Registry ---
+# Flache Liste aller 38 SDK-Steps mit kanonischer Reihenfolge (seq).
+# Splits nach Paket würden die globale Ordnungs-Garantie zerreißen und
+# Imports an mehreren Stellen aufblähen — der Wert dieser Datei ist
+# *eine* sortierte Source-of-Truth.
+# [guardrail-change]
+admin-compliance/lib/sdk/types/sdk-steps.ts
+
 # --- ai-compliance-sdk: oversized handler refactor backlog ---
 # Phase 5+ target for splitting handler groups into per-resource files.
 ai-compliance-sdk/internal/api/handlers/tender_handlers.go
@@ -182,3 +190,44 @@ admin-compliance/lib/sdk/einwilligungen/generator/cookie-banner-embed.ts
 # Polling, Storage, History, Agent-Toggle, TDM-Override. Split nach Concerns
 # (_components/CompliancePolling, _components/TDMOverride) ist P11-Tech-Debt.
 admin-compliance/app/sdk/agent/_components/ComplianceCheckTab.tsx
+
+# --- 2026-05-22 batch: P83-CI-Hardening backlog ---
+# Diese 5 Files verletzen den 500-LOC-Hard-Cap aktuell und blockieren
+# jeden PR der sie touched. Refactor ist Phase-2-Ziel (charakterisierungs-
+# tests + Sub-Module). Bis dahin: explizite Exception mit Rationale,
+# damit die CI nicht orthogonal an pre-existing Tech-Debt scheitert.
+#
+# vendor_detail_extractor.py (675): Playwright-Browser-Orchestrierung mit
+# eng verflochtenen Page-State-Operationen (Banner-Reopen, Category-
+# Expand, Anti-Audit-Detection, TDM-Check). Split braucht Page-Context-
+# Shared-State zwischen Modulen — Aufwand > Nutzen ohne klares Refactor-
+# Konzept. Phase 2: vendor_detail/ Subpackage mit Page-Wrapper-Klasse.
+consent-tester/services/vendor_detail_extractor.py
+# consent_scanner.py (567): 460-Zeilen-Funktion run_consent_test() —
+# Browser-Phasen (initial fetch, banner detect, button click, reject,
+# accept, screenshot, cookie diff). Split nach Phasen ist Phase-2-Ziel
+# (consent_scanner/_phase_*.py).
+consent-tester/services/consent_scanner.py
+# rag_document_checker.py (559): Doc-Check-Pipeline (control loading,
+# canonical-scope filter, deterministic MC checks, LLM enrichment).
+# Splitbar in _control_loader.py + _llm_enrichment.py — kandidat fuer
+# naechsten Sprint mit Charakterisierungs-Test gegen 5 GT-Doc-Samples.
+backend-compliance/compliance/services/rag_document_checker.py
+# banner_text_checker.py (531): 500-Zeilen-Funktion check_banner_text()
+# mit eng-verflochtener DOM-Erkennungs-Logik (Save-Label, Ablehnen-
+# Button, Dark-Patterns, Wortwahl-Heuristik). Phase-2-Split nach
+# Pruef-Aspekt.
+consent-tester/services/banner_text_checker.py
+# ai-act/page.tsx (503): React-Page mit Form-State, Risiko-Klassifikation,
+# Demo-Daten und Export. Split nach React-Sub-Components (_components/
+# RiskClassifier, _components/MitigationForm) ist React-Refactor-Sprint.
+admin-compliance/app/sdk/ai-act/page.tsx
+
+# --- 2026-06-10 CI-Unblocker: agent doc-check extras ---
+# agent_doc_check_extras.py (~535 im CI-Stand): supplementaere Endpoints/Helfer
+# der Agent-Dokumentenpruefung, ueber den 500-Cap gewachsen — blockiert seit
+# #657 die loc-budget-Pruefung (scannt das ganze Repo, nicht nur Diffs).
+# Pre-existing Tech-Debt (nicht aus IACE-Arbeit). Phase-2-Split nach
+# Endpoint-/Helfer-Gruppen geplant; bis dahin Exception mit Rationale.
+# [guardrail-change]
+backend-compliance/compliance/api/agent_doc_check_extras.py

.gitea/workflows/ci.yaml

@@ -411,6 +411,50 @@ jobs:
           pip install --quiet --no-cache-dir pytest pytest-asyncio
           python -m pytest test_main.py -v --tb=short
 
+  # ── P83: BUILD_SHA integrity (always) ────────────────────────────────────
+  # Every Dockerfile must declare ARG BUILD_SHA + ENV BUILD_SHA so the
+  # check-rebuild-needed.sh script can detect "old code in container" drift.
+  # Every docker-compose build: block must pass BUILD_SHA through as a build
+  # arg — otherwise the ARG defaults to "unknown" and the check is toothless.
+  build-sha-integrity:
+    runs-on: docker
+    container: alpine:3.20
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git python3
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Validate every Dockerfile + compose block declares BUILD_SHA
+        run: |
+          python3 - <<'PY'
+          import re, sys, glob
+          fails = []
+          # 1. Each Dockerfile must have ARG BUILD_SHA + ENV BUILD_SHA=${BUILD_SHA}
+          for df in sorted(glob.glob("*/Dockerfile")):
+              # Skip nested non-canonical Dockerfiles (e.g. admin-compliance/ai-compliance-sdk/Dockerfile)
+              if df.count("/") > 1: continue
+              src = open(df).read()
+              if "ARG BUILD_SHA" not in src:
+                  fails.append(f"{df}: missing ARG BUILD_SHA")
+              if "ENV BUILD_SHA" not in src:
+                  fails.append(f"{df}: missing ENV BUILD_SHA")
+          # 2. Every build: block in docker-compose.yml must pass BUILD_SHA
+          import yaml
+          compose = yaml.safe_load(open("docker-compose.yml"))
+          for name, svc in (compose.get("services") or {}).items():
+              build = svc.get("build")
+              if not isinstance(build, dict):
+                  continue  # skipping pre-built image refs
+              args = (build.get("args") or {})
+              if "BUILD_SHA" not in args:
+                  fails.append(f"docker-compose.yml: service '{name}' build.args missing BUILD_SHA")
+          if fails:
+              print("::error::BUILD_SHA integrity check failed:")
+              for f in fails: print(f"  - {f}")
+              sys.exit(1)
+          print(f"OK: BUILD_SHA wired in all Dockerfiles + compose build blocks.")
+          PY
+
   # ── OpenAPI contract validation (always) ─────────────────────────────────
   validate-canonical-controls:
     runs-on: docker

admin-compliance/Dockerfile

@@ -55,5 +55,9 @@ EXPOSE 3000
 # Set hostname
 ENV HOSTNAME="0.0.0.0"
 
+# P83 — Build-SHA fuer check-rebuild-needed.sh
+ARG BUILD_SHA="unknown"
+ENV BUILD_SHA=${BUILD_SHA}
+
 # Start the application
 CMD ["node", "server.js"]

admin-compliance/app/api/compliance/admin/benchmark/route.ts

@@ -0,0 +1,27 @@
+/**
+ * Proxy: Admin → Backend /api/compliance/agent/admin/benchmark
+ * (P107 — Branchen-Benchmark-Cockpit)
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest) {
+  const qs = request.nextUrl.searchParams.toString()
+  try {
+    const r = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/admin/benchmark?${qs}`,
+      { signal: AbortSignal.timeout(20000) },
+    )
+    const body = await r.text()
+    return new NextResponse(body, {
+      status: r.status,
+      headers: { 'Content-Type': r.headers.get('content-type') || 'application/json' },
+    })
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: 'Benchmark-API nicht erreichbar', detail: String(e) },
+      { status: 503 },
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/iace/[[...path]]/route.ts

@@ -66,18 +66,31 @@ async function proxyRequest(
 
     const response = await fetch(url, fetchOptions)
 
-    // Handle non-JSON responses (PDF exports, ZIP CE technical file)
-    const responseContentType = response.headers.get('content-type')
-    if (responseContentType?.includes('application/pdf') ||
-        responseContentType?.includes('application/zip') ||
-        responseContentType?.includes('application/octet-stream')) {
+    // Handle non-JSON responses (PDF/ZIP CE technical file, XLSX/DOCX/MD exports).
+    const responseContentType = response.headers.get('content-type') || ''
+    const isBinary =
+      responseContentType.includes('application/pdf') ||
+      responseContentType.includes('application/zip') ||
+      responseContentType.includes('application/octet-stream') ||
+      responseContentType.includes('application/vnd.openxmlformats-officedocument') ||
+      responseContentType.includes('application/vnd.ms-excel') ||
+      responseContentType.includes('application/msword') ||
+      responseContentType.includes('text/markdown')
+    if (isBinary) {
       const blob = await response.blob()
+      const forwardedHeaders: Record<string, string> = {
+        'Content-Type': responseContentType,
+        'Content-Disposition': response.headers.get('content-disposition') || '',
+      }
+      // Forward DSMS archive metadata so the frontend can render the CID badge
+      // (set by archiveTechFile when the backend persisted the export to DSMS).
+      for (const h of ['x-dsms-cid', 'x-dsms-filename', 'x-dsms-size']) {
+        const v = response.headers.get(h)
+        if (v) forwardedHeaders[h] = v
+      }
       return new NextResponse(blob, {
         status: response.status,
-        headers: {
-          'Content-Type': responseContentType,
-          'Content-Disposition': response.headers.get('content-disposition') || '',
-        },
+        headers: forwardedHeaders,
       })
     }
 

admin-compliance/app/api/sdk/v1/master-controls/route.ts

@@ -10,6 +10,38 @@ const dbUrl = process.env.COMPLIANCE_DATABASE_URL ||
 
 const pool = new Pool({ connectionString: dbUrl })
 
+// handleMeta returns global (filter-independent) counts incl. a ~2s member-join
+// facet. It is refetched on every filter change, so cache it briefly.
+let metaCache: { at: number; data: unknown } | null = null
+const META_TTL_MS = 120_000
+
+// The use-case mapping tables (mc_use_case_mappings/mc_verification/mc_regulations)
+// are seeded per-environment and may not exist yet on a fresh/unseeded DB. Guard
+// every mapping query so the route degrades to empty filters instead of a 500.
+// Cached with a short TTL so it picks up the tables once that DB gets seeded.
+let mappingTablesCache: { at: number; present: boolean } | null = null
+async function hasMappingTables(): Promise<boolean> {
+  if (mappingTablesCache && Date.now() - mappingTablesCache.at < 300_000) {
+    return mappingTablesCache.present
+  }
+  let present = false
+  try {
+    const r = await pool.query(
+      "SELECT to_regclass('compliance.mc_use_case_mappings') IS NOT NULL AS present")
+    present = !!r.rows[0]?.present
+  } catch { present = false }
+  mappingTablesCache = { at: Date.now(), present }
+  return present
+}
+
+type MCListRow = {
+  id: string; control_id: string; title: string; objective: string
+  severity: string; category: string; total_controls: number
+  phases_covered: string[] | null; created_at: string
+  verification_method: string | null; use_cases: string[] | null
+  primary_regulation: string | null
+}
+
 /**
  * MC API that returns data in the same format as the canonical controls
  * endpoint. This allows the MC page to reuse ControlListView components.
@@ -43,17 +75,14 @@ export async function GET(request: NextRequest) {
   }
 }
 
-async function handleControls(params: URLSearchParams) {
-  const search = params.get('search') || ''
-  const limit = Math.min(parseInt(params.get('limit') || '50'), 200)
-  const offset = parseInt(params.get('offset') || '0')
-  const sort = params.get('sort') || 'control_id'
-  const order = params.get('order') === 'desc' ? 'DESC' : 'ASC'
-
+// Shared WHERE builder so list + count stay in lock-step (incl. the
+// use_case / verification_method / source_regulation mapping filters).
+function buildControlsWhere(params: URLSearchParams, hasMapping: boolean): { where: string; args: unknown[]; idx: number } {
   let where = "WHERE 1=1"
   const args: unknown[] = []
   let idx = 1
 
+  const search = params.get('search') || ''
   if (search) {
     where += ` AND mc.canonical_name ILIKE $${idx}`
     args.push(`%${search}%`)
@@ -61,11 +90,9 @@ async function handleControls(params: URLSearchParams) {
   }
 
   const severity = params.get('severity') || ''
-  if (severity) {
-    if (severity === 'high') { where += ` AND mc.total_controls > 100` }
-    else if (severity === 'medium') { where += ` AND mc.total_controls BETWEEN 20 AND 100` }
-    else if (severity === 'low') { where += ` AND mc.total_controls < 20` }
-  }
+  if (severity === 'high') { where += ` AND mc.total_controls > 100` }
+  else if (severity === 'medium') { where += ` AND mc.total_controls BETWEEN 20 AND 100` }
+  else if (severity === 'low') { where += ` AND mc.total_controls < 20` }
 
   const domain = params.get('domain') || ''
   if (domain) {
@@ -74,10 +101,85 @@ async function handleControls(params: URLSearchParams) {
     idx++
   }
 
+  // Mapping-based filters only apply when the mapping tables exist (seeded DB).
+  if (hasMapping) {
+    const useCase = params.get('use_case') || ''
+    const primaryOnly = params.get('primary') === '1'
+    if (useCase) {
+      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
+                   WHERE m.master_control_uuid = mc.id AND m.use_case = $${idx}${primaryOnly ? ' AND m.is_primary' : ''})`
+      args.push(useCase)
+      idx++
+    }
+
+    const verification = params.get('verification_method') || ''
+    if (verification === '__none__') {
+      where += ` AND NOT EXISTS (SELECT 1 FROM compliance.mc_verification v
+                   WHERE v.master_control_uuid = mc.id)`
+    } else if (verification) {
+      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_verification v
+                   WHERE v.master_control_uuid = mc.id AND v.verification_method = $${idx})`
+      args.push(verification)
+      idx++
+    }
+
+    const regulation = params.get('source_regulation') || ''
+    if (regulation) {
+      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_regulations r
+                   WHERE r.master_control_uuid = mc.id AND r.source_regulation = $${idx})`
+      args.push(regulation)
+      idx++
+    }
+
+    const mapped = params.get('mapped') || ''
+    if (mapped === 'mapped') {
+      where += ` AND EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
+                   WHERE m.master_control_uuid = mc.id)`
+    } else if (mapped === 'unmapped') {
+      where += ` AND NOT EXISTS (SELECT 1 FROM compliance.mc_use_case_mappings m
+                   WHERE m.master_control_uuid = mc.id)`
+    }
+  }
+
+  // Member-based filter: an MC matches if ANY of its atomic members has the
+  // category. Only category/severity/release_state are populated on the
+  // deduplicated members; evidence_type, target_audience and source_citation
+  // are 100% NULL there, so those canonical filters cannot apply to MCs
+  // without an upstream backfill (wiring them would just return 0).
+  const category = params.get('category') || ''
+  if (category) {
+    where += ` AND EXISTS (SELECT 1 FROM compliance.master_control_members mcm
+                 JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
+                 WHERE mcm.master_control_uuid = mc.id AND cc.category = $${idx})`
+    args.push(category); idx++
+  }
+
+  return { where, args, idx }
+}
+
+async function handleControls(params: URLSearchParams) {
+  const limit = Math.min(parseInt(params.get('limit') || '50'), 200)
+  const offset = parseInt(params.get('offset') || '0')
+  const sort = params.get('sort') || 'control_id'
+  const order = params.get('order') === 'desc' ? 'DESC' : 'ASC'
+
+  const hasMapping = await hasMappingTables()
+  const { where, args, idx } = buildControlsWhere(params, hasMapping)
+
   const sortCol = sort === 'control_id' ? 'mc.master_control_id' :
                   sort === 'created_at' ? 'mc.created_at' :
                   sort === 'source' ? 'mc.canonical_name' : 'mc.master_control_id'
 
+  const mapCols = hasMapping ? `,
+           (SELECT v.verification_method FROM compliance.mc_verification v
+             WHERE v.master_control_uuid = mc.id) as verification_method,
+           (SELECT array_agg(m.use_case ORDER BY m.is_primary DESC, m.use_case)
+              FROM compliance.mc_use_case_mappings m
+             WHERE m.master_control_uuid = mc.id) as use_cases,
+           (SELECT r.source_regulation FROM compliance.mc_regulations r
+             WHERE r.master_control_uuid = mc.id AND r.is_primary LIMIT 1) as primary_regulation`
+    : `, NULL as verification_method, NULL::text[] as use_cases, NULL as primary_regulation`
+
   args.push(limit, offset)
   const res = await pool.query(`
     SELECT mc.master_control_id as control_id,
@@ -90,7 +192,7 @@ async function handleControls(params: URLSearchParams) {
            mc.total_controls,
            mc.phases_covered,
            mc.id,
-           mc.created_at
+           mc.created_at${mapCols}
     FROM compliance.master_controls mc
     ${where}
     ORDER BY ${sortCol} ${order}
@@ -98,7 +200,7 @@ async function handleControls(params: URLSearchParams) {
   `, args)
 
   // Map to canonical control format
-  const controls = res.rows.map(r => ({
+  const controls = res.rows.map((r: MCListRow) => ({
     id: r.id,
     control_id: r.control_id,
     title: r.title,
@@ -106,10 +208,11 @@ async function handleControls(params: URLSearchParams) {
     severity: r.severity,
     category: r.category,
     release_state: 'active',
-    source_citation: null,
-    verification_method: null,
+    source_citation: r.primary_regulation ? { source: r.primary_regulation } : null,
+    verification_method: r.verification_method,
     evidence_type: null,
     target_audience: [],
+    use_cases: r.use_cases || [],
     requirements: [],
     test_procedure: [],
     evidence: [],
@@ -126,22 +229,18 @@ async function handleControls(params: URLSearchParams) {
 }
 
 async function handleCount(params: URLSearchParams) {
-  const search = params.get('search') || ''
-  let where = "WHERE 1=1"
-  const args: unknown[] = []
-
-  if (search) {
-    where += ` AND mc.canonical_name ILIKE $1`
-    args.push(`%${search}%`)
-  }
-
+  const hasMapping = await hasMappingTables()
+  const { where, args } = buildControlsWhere(params, hasMapping)
   const res = await pool.query(
     `SELECT count(*) FROM compliance.master_controls mc ${where}`, args
   )
   return NextResponse.json({ total: parseInt(res.rows[0].count) })
 }
 
-async function handleMeta(params: URLSearchParams) {
+async function handleMeta(_params: URLSearchParams) {
+  if (metaCache && Date.now() - metaCache.at < META_TTL_MS) {
+    return NextResponse.json(metaCache.data)
+  }
   const res = await pool.query(`
     SELECT count(*) as total,
            count(CASE WHEN total_controls > 100 THEN 1 END) as high_count,
@@ -158,21 +257,62 @@ async function handleMeta(params: URLSearchParams) {
     GROUP BY 1 ORDER BY 2 DESC LIMIT 30
   `)
 
-  return NextResponse.json({
-    total: parseInt(r.total),
+  // category facet is member-based (those tables always exist); the mapping
+  // facets only when the mapping tables are present (seeded DB).
+  const hasMapping = await hasMappingTables()
+  const catRes = await pool.query(`SELECT cc.category v, count(DISTINCT mcm.master_control_uuid) c
+                FROM compliance.master_control_members mcm
+                JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
+                WHERE cc.category IS NOT NULL GROUP BY 1 ORDER BY 2 DESC`)
+  const emptyRows = { rows: [] as Array<Record<string, string>> }
+  const [ucRes, vRes, regRes, mappedRes] = hasMapping
+    ? await Promise.all([
+        pool.query(`SELECT use_case, count(DISTINCT master_control_uuid) c
+                    FROM compliance.mc_use_case_mappings GROUP BY 1 ORDER BY 2 DESC`),
+        pool.query(`SELECT verification_method, count(*) c
+                    FROM compliance.mc_verification GROUP BY 1 ORDER BY 2 DESC`),
+        pool.query(`SELECT source_regulation, count(DISTINCT master_control_uuid) c
+                    FROM compliance.mc_regulations GROUP BY 1 ORDER BY 2 DESC LIMIT 200`),
+        pool.query(`SELECT count(DISTINCT master_control_uuid) c
+                    FROM compliance.mc_use_case_mappings`),
+      ])
+    : [emptyRows, emptyRows, emptyRows, { rows: [{ c: '0' }] }]
+  const facet = (rows: Array<{ v: string; c: string }>) =>
+    Object.fromEntries(rows.filter(x => x.v).map(x => [x.v, parseInt(x.c)]))
+
+  const total = parseInt(r.total)
+  const mappedTotal = parseInt(mappedRes.rows[0].c)
+
+  const payload = {
+    total,
     severity_counts: {
       high: parseInt(r.high_count),
       medium: parseInt(r.medium_count),
       low: parseInt(r.low_count),
     },
-    domains: domainRes.rows.map(d => ({ domain: d.domain, count: parseInt(d.count) })),
+    domains: domainRes.rows.map((d: { domain: string; count: string }) =>
+      ({ domain: d.domain, count: parseInt(d.count) })),
     sources: [],
     no_source_count: 0,
-    release_state_counts: { active: parseInt(r.total) },
-    verification_method_counts: {},
-    category_counts: {},
+    release_state_counts: { active: total },
+    verification_method_counts: Object.fromEntries(
+      vRes.rows.map((x: { verification_method: string; c: string }) =>
+        [x.verification_method, parseInt(x.c)])),
+    category_counts: facet(catRes.rows),
     evidence_type_counts: {},
-  })
+    use_case_counts: Object.fromEntries(
+      ucRes.rows
+        .filter((x: { use_case: string | null }) => x.use_case)
+        .map((x: { use_case: string; c: string }) => [x.use_case, parseInt(x.c)])),
+    regulations: regRes.rows
+      .filter((x: { source_regulation: string | null }) => x.source_regulation)
+      .map((x: { source_regulation: string; c: string }) =>
+        ({ source_regulation: x.source_regulation, count: parseInt(x.c) })),
+    mapped_total: mappedTotal,
+    unmapped_count: total - mappedTotal,
+  }
+  metaCache = { at: Date.now(), data: payload }
+  return NextResponse.json(payload)
 }
 
 async function handleDetail(params: URLSearchParams) {
@@ -201,6 +341,24 @@ async function handleDetail(params: URLSearchParams) {
     LIMIT 100
   `, [mc.id])
 
+  // Use-case / verification / regulation mapping (only when the tables exist).
+  const mapping: Record<string, any> = (await hasMappingTables())
+    ? ((await pool.query(`
+    SELECT
+      (SELECT json_agg(json_build_object('use_case', m.use_case, 'is_primary', m.is_primary)
+                ORDER BY m.is_primary DESC, m.use_case)
+         FROM compliance.mc_use_case_mappings m WHERE m.master_control_uuid = $1) as use_cases,
+      (SELECT v.verification_method FROM compliance.mc_verification v
+         WHERE v.master_control_uuid = $1) as verification_method,
+      (SELECT json_agg(json_build_object('source_regulation', r.source_regulation,
+                'is_primary', r.is_primary, 'member_count', r.member_count)
+                ORDER BY r.is_primary DESC, r.member_count DESC)
+         FROM compliance.mc_regulations r WHERE r.master_control_uuid = $1) as regulations
+  `, [mc.id])).rows[0] || {})
+    : {}
+  const regs = mapping.regulations || []
+  const primaryReg = regs.find((x: { is_primary: boolean }) => x.is_primary) || regs[0]
+
   return NextResponse.json({
     id: mc.id,
     control_id: mc.control_id,
@@ -220,7 +378,10 @@ async function handleDetail(params: URLSearchParams) {
     evidence: [],
     open_anchors: [],
     target_audience: [],
-    source_citation: null,
+    verification_method: mapping.verification_method || null,
+    use_cases: mapping.use_cases || [],
+    regulations: regs,
+    source_citation: primaryReg ? { source: primaryReg.source_regulation } : null,
     scope: { platforms: [], components: [], data_classes: [] },
     risk_score: null,
     implementation_effort: null,

admin-compliance/app/api/sdk/v1/specialist-agent/[[...path]]/route.ts

@@ -0,0 +1,112 @@
+/**
+ * Specialist-Agent API Proxy
+ * Proxies /api/sdk/v1/specialist-agent/* → backend-compliance:8002/api/v1/specialist-agent/*
+ *
+ * Streaming routes (SSE /test/stream/{run_id}) pass through unmodified.
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string,
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/compliance/specialist-agent`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  const isSSE = pathStr.startsWith('test/stream/')
+
+  try {
+    const headers: HeadersInit = {}
+    if (!isSSE) headers['Content-Type'] = 'application/json'
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(isSSE ? 600000 : 60000),
+    }
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH' ||
+        method === 'DELETE') {
+      const body = await request.text()
+      if (body) fetchOptions.body = body
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (isSSE) {
+      return new NextResponse(response.body, {
+        status: response.status,
+        headers: {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          'Connection': 'keep-alive',
+          'X-Accel-Buffering': 'no',
+        },
+      })
+    }
+
+    if (!response.ok) {
+      const errText = await response.text()
+      let errJson
+      try { errJson = JSON.parse(errText) }
+      catch { errJson = { error: errText } }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errJson },
+        { status: response.status },
+      )
+    }
+
+    const ct = response.headers.get('content-type') || ''
+    if (ct.includes('application/json')) {
+      const data = await response.json()
+      return NextResponse.json(data)
+    }
+    // Binary asset (image/video/csv etc.)
+    const blob = await response.blob()
+    return new NextResponse(blob, {
+      status: response.status,
+      headers: {
+        'Content-Type': ct || 'application/octet-stream',
+        'Content-Disposition':
+          response.headers.get('content-disposition') || '',
+      },
+    })
+  } catch (e) {
+    console.error('specialist-agent proxy error:', e)
+    return NextResponse.json(
+      { error: 'Verbindung zum Backend fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> },
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> },
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> },
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/sdk/agent/_components/AgentFindingCard.tsx

@@ -0,0 +1,134 @@
+'use client'
+
+/**
+ * Strukturierte Finding-Anzeige.
+ * Layout:
+ *   [Severity-Badge]  [Methodik-Badge(s)]
+ *   [Titel]
+ *   ┌ Gesetzliche Basis / Norm ─────────┐
+ *   │ § 5 Abs. 1 Nr. 1 TMG               │
+ *   └────────────────────────────────────┘
+ *   ┌ Befund / Wörtlich ───────────────┐
+ *   │ "Vorstand: …"                     │
+ *   └────────────────────────────────────┘
+ *   ┌ Empfehlung / Best Practice ──────┐
+ *   │ → Konkrete Maßnahme               │
+ *   └────────────────────────────────────┘
+ */
+
+import React from 'react'
+
+import type { Finding, SourceType } from './_agentTypes'
+import {
+  METHODIK_COLOR,
+  METHODIK_LABEL,
+  METHODIK_SHORT,
+  SEVERITY_BG,
+  SEVERITY_COLOR,
+} from './_agentTypes'
+
+export function AgentFindingCard({ f }: { f: Finding }) {
+  const sev = f.severity
+  const color = SEVERITY_COLOR[sev]
+  const bg = SEVERITY_BG[sev]
+  const sources = f.sources || []
+  return (
+    <div
+      className="rounded border-l-4 p-3 space-y-2"
+      style={{ borderLeftColor: color, background: bg }}
+    >
+      <div className="flex items-center flex-wrap gap-2">
+        <span
+          className="text-xs font-bold px-2 py-0.5 rounded text-white"
+          style={{ background: color }}
+        >
+          {sev}
+        </span>
+        <code className="text-[11px] text-gray-500">{f.check_id}</code>
+        {sources.map((s, i) => (
+          <MethodikBadge key={i} src={s.source_type} sourceId={s.source_id} />
+        ))}
+        {f.confidence !== undefined && (
+          <span className="text-[10px] text-gray-500 ml-auto">
+            Konfidenz {(f.confidence * 100).toFixed(0)}%
+          </span>
+        )}
+      </div>
+
+      <div className="text-sm font-medium text-gray-900">{f.title}</div>
+
+      {f.norm && (
+        <Block label="Gesetzliche Basis" tone="purple">
+          {f.norm}
+        </Block>
+      )}
+
+      {f.evidence && (
+        <Block label="Befund" tone="amber">
+          <span className="italic">„{f.evidence}"</span>
+        </Block>
+      )}
+
+      {f.action && (
+        <Block
+          label={
+            sources.some(s =>
+              s.source_type === 'llm_local' ||
+              s.source_type === 'llm_local_big' ||
+              s.source_type === 'llm_cloud'
+            )
+              ? 'Empfehlung (LLM-Vorschlag)'
+              : sev === 'HIGH'
+                ? 'Pflicht-Maßnahme'
+                : 'Best-Practice-Empfehlung'
+          }
+          tone="green"
+        >
+          {f.action}
+        </Block>
+      )}
+    </div>
+  )
+}
+
+function MethodikBadge({
+  src, sourceId,
+}: { src: SourceType; sourceId?: string }) {
+  const { bg, fg } = METHODIK_COLOR[src] || { bg: '#e5e7eb', fg: '#374151' }
+  const title = `${METHODIK_LABEL[src]}${sourceId ? ` · ${sourceId}` : ''}`
+  return (
+    <span
+      title={title}
+      className="text-[10px] px-1.5 py-0.5 rounded font-mono"
+      style={{ background: bg, color: fg }}
+    >
+      {METHODIK_SHORT[src]}
+    </span>
+  )
+}
+
+function Block({
+  label, tone, children,
+}: {
+  label: string
+  tone: 'purple' | 'amber' | 'green'
+  children: React.ReactNode
+}) {
+  const toneMap = {
+    purple: { border: '#a78bfa', bg: '#f5f3ff', label: '#5b21b6' },
+    amber: { border: '#fbbf24', bg: '#fffbeb', label: '#92400e' },
+    green: { border: '#34d399', bg: '#ecfdf5', label: '#065f46' },
+  } as const
+  const t = toneMap[tone]
+  return (
+    <div
+      className="rounded px-2 py-1.5 text-xs"
+      style={{ background: t.bg, borderLeft: `3px solid ${t.border}` }}
+    >
+      <div className="font-semibold mb-0.5" style={{ color: t.label }}>
+        {label}
+      </div>
+      <div className="text-gray-800">{children}</div>
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/AgentMcCoverage.tsx

@@ -0,0 +1,63 @@
+'use client'
+
+/**
+ * "Was wurde geprüft" — listet alle MCs eines Agents mit ihrem Status.
+ * Standardmäßig collapsed; zeigt sofort, was Methodik des Agents war.
+ */
+
+import React, { useState } from 'react'
+
+import type { McCoverage } from './_agentTypes'
+
+const STATUS_COLOR: Record<string, string> = {
+  ok: '#10b981',
+  na: '#94a3b8',
+  skipped: '#cbd5e1',
+  high: '#dc2626',
+  medium: '#f59e0b',
+  low: '#3b82f6',
+}
+
+const STATUS_LABEL: Record<string, string> = {
+  ok: 'OK',
+  na: 'n/a',
+  skipped: 'übersprungen',
+  high: 'HIGH',
+  medium: 'MEDIUM',
+  low: 'LOW',
+}
+
+export function AgentMcCoverage({ coverage }: { coverage: McCoverage[] }) {
+  const [open, setOpen] = useState(false)
+  if (!coverage?.length) return null
+  return (
+    <div className="border rounded bg-slate-50">
+      <button
+        onClick={() => setOpen(o => !o)}
+        className="w-full text-left px-3 py-2 text-xs font-semibold uppercase text-gray-700 flex justify-between items-center"
+      >
+        <span>Was wurde geprüft? ({coverage.length} MCs)</span>
+        <span className="text-gray-400">{open ? '▾' : '▸'}</span>
+      </button>
+      {open && (
+        <div className="border-t bg-white p-2 space-y-0.5 max-h-60 overflow-y-auto">
+          {coverage.map(c => (
+            <div key={c.mc_id} className="flex items-center gap-2 text-xs">
+              <span
+                className="w-2 h-2 rounded-full inline-block"
+                style={{ background: STATUS_COLOR[c.status] || '#cbd5e1' }}
+              />
+              <code className="text-gray-500">{c.mc_id}</code>
+              <span className="text-gray-700">
+                {STATUS_LABEL[c.status] || c.status}
+              </span>
+              {c.reason && (
+                <span className="text-gray-400 italic">— {c.reason}</span>
+              )}
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/AgentRecommendationCard.tsx

@@ -0,0 +1,51 @@
+'use client'
+
+/**
+ * Recommendation-Card: zeigt die gerollupten Maßnahmen.
+ * Eine Recommendation bündelt 1..N Findings mit gleicher Maßnahme.
+ */
+
+import React from 'react'
+
+import type { Recommendation } from './_agentTypes'
+import { SEVERITY_COLOR } from './_agentTypes'
+
+export function AgentRecommendationCard({ r }: { r: Recommendation }) {
+  const color = SEVERITY_COLOR[r.severity]
+  return (
+    <div
+      className="rounded p-3 space-y-1 text-sm bg-emerald-50"
+      style={{ borderLeft: `3px solid ${color}` }}
+    >
+      <div className="flex items-baseline gap-2 flex-wrap">
+        <span
+          className="text-[10px] font-bold px-1.5 py-0.5 rounded text-white"
+          style={{ background: color }}
+        >
+          {r.severity}
+        </span>
+        <span className="font-semibold text-gray-900">{r.title}</span>
+        <span className="text-[10px] text-gray-500 ml-auto">
+          {r.related_finding_ids.length} Finding(s)
+          {' · '}
+          {r.estimated_effort_hours.toFixed(1)}h geschätzt
+        </span>
+      </div>
+      {r.body && r.body !== r.title && (
+        <div className="text-xs text-gray-700 whitespace-pre-wrap">
+          {r.body}
+        </div>
+      )}
+      {r.related_finding_ids.length > 0 && (
+        <details className="text-[10px] text-gray-500">
+          <summary className="cursor-pointer">Aus diesen Findings abgeleitet</summary>
+          <ul className="mt-1 list-disc ml-4 space-y-0.5">
+            {r.related_finding_ids.map(id => (
+              <li key={id}><code>{id}</code></li>
+            ))}
+          </ul>
+        </details>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/AgentSlotCard.tsx

@@ -0,0 +1,136 @@
+'use client'
+
+/**
+ * SlotCard — ein Slot im Agent-Test mit Sections:
+ *  1. Header (Slot-Name, duration, Vault-Link)
+ *  2. Was wurde geprüft (MC-Coverage, collapsible)
+ *  3. Speedometer
+ *  4. Eskalationslog (wenn vorhanden)
+ *  5. Findings (sortiert HIGH → LOW)
+ *  6. Recommendations (gerollupt)
+ */
+
+import React, { useState } from 'react'
+
+import type { SlotOutput, Severity } from './_agentTypes'
+import { AgentFindingCard } from './AgentFindingCard'
+import { AgentMcCoverage } from './AgentMcCoverage'
+import { AgentRecommendationCard } from './AgentRecommendationCard'
+import { AgentSpeedometer } from './AgentSpeedometer'
+
+const SEV_ORDER: Record<Severity, number> = {
+  HIGH: 0, MEDIUM: 1, LOW: 2, INFO: 3,
+}
+
+export function AgentSlotCard({
+  slot, output, runId,
+}: {
+  slot: string
+  output: SlotOutput
+  runId: string
+}) {
+  const [showAll, setShowAll] = useState(false)
+  const wasSkipped = output.mc_total > 0 &&
+    output.mc_ok === 0 && output.mc_na === 0 &&
+    output.mc_high === 0 && output.mc_medium === 0 && output.mc_low === 0
+  const allGreen = !wasSkipped && output.findings.length === 0
+  const sortedFindings = [...output.findings].sort(
+    (a, b) => SEV_ORDER[a.severity] - SEV_ORDER[b.severity],
+  )
+  const visible = showAll ? sortedFindings : sortedFindings.slice(0, 12)
+  return (
+    <div className="rounded-lg border bg-white p-4 space-y-3 shadow-sm">
+      <div className="flex items-baseline gap-3 flex-wrap">
+        <h3 className="font-semibold text-gray-900">Slot: {slot}</h3>
+        <span className="text-xs text-gray-500">
+          {output.duration_ms} ms · Konfidenz {(output.confidence * 100).toFixed(0)}%
+        </span>
+        {wasSkipped && (
+          <span className="text-xs bg-amber-100 text-amber-800 px-2 py-0.5 rounded">
+            Dokument konnte nicht geladen werden
+          </span>
+        )}
+        {allGreen && (
+          <span className="text-xs bg-emerald-100 text-emerald-800 px-2 py-0.5 rounded">
+            Alle anwendbaren MCs erfüllt
+          </span>
+        )}
+        <a
+          className="text-xs text-blue-600 hover:underline ml-auto"
+          href={`/api/sdk/v1/specialist-agent/run/${runId}/artifacts`}
+          target="_blank"
+          rel="noreferrer"
+        >
+          Artefakte ↗
+        </a>
+      </div>
+
+      {output.notes && (
+        <div className="text-xs text-amber-700 bg-amber-50 px-2 py-1 rounded">
+          Hinweis: {output.notes}
+        </div>
+      )}
+
+      <AgentMcCoverage coverage={output.mc_coverage} />
+
+      <AgentSpeedometer
+        total={output.mc_total}
+        ok={output.mc_ok}
+        na={output.mc_na}
+        high={output.mc_high}
+        medium={output.mc_medium}
+        low={output.mc_low}
+      />
+
+      {output.escalation_log.length > 0 && (
+        <div className="text-xs text-gray-600 border-l-2 border-violet-400 pl-2 space-y-0.5">
+          <div className="font-semibold text-violet-700">
+            LLM-Eskalation eingesetzt:
+          </div>
+          {output.escalation_log.map((e, i) => (
+            <div key={i}>
+              {e.stage} <code className="text-violet-700">{e.model}</code>{' '}
+              · {e.duration_ms} ms{' '}
+              {e.tokens_in ? `· ${e.tokens_in}→${e.tokens_out} tok` : ''}{' '}
+              {e.success ? '✓' : `✗ ${e.error || ''}`}
+            </div>
+          ))}
+        </div>
+      )}
+
+      {sortedFindings.length > 0 && (
+        <div className="space-y-2">
+          <div className="text-xs font-semibold uppercase text-gray-700">
+            Findings ({sortedFindings.length}) — nach Schwere sortiert
+          </div>
+          <div className="space-y-2">
+            {visible.map(f => (
+              <AgentFindingCard key={f.check_id} f={f} />
+            ))}
+          </div>
+          {sortedFindings.length > 12 && (
+            <button
+              onClick={() => setShowAll(x => !x)}
+              className="text-xs text-blue-600 hover:underline"
+            >
+              {showAll ? 'Weniger anzeigen' : `Alle ${sortedFindings.length} anzeigen`}
+            </button>
+          )}
+        </div>
+      )}
+
+      {output.recommendations.length > 0 && (
+        <div className="space-y-2">
+          <div className="text-xs font-semibold uppercase text-gray-700">
+            Maßnahmen-Plan ({output.recommendations.length} konsolidiert)
+          </div>
+          <div className="space-y-2">
+            {output.recommendations.map(r => (
+              <AgentRecommendationCard key={r.recommendation_id} r={r} />
+            ))}
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/AgentSpeedometer.tsx

@@ -0,0 +1,57 @@
+'use client'
+
+/**
+ * Speedometer + Color-Legende für eine MC-Auswertung.
+ * Zeigt 5 Klassen: OK / n/a / HIGH / MEDIUM / LOW als horizontaler Balken.
+ */
+
+import React from 'react'
+
+interface Props {
+  total: number
+  ok: number
+  na: number
+  high: number
+  medium: number
+  low: number
+}
+
+export function AgentSpeedometer({ total, ok, na, high, medium, low }: Props) {
+  const safeTotal = Math.max(total, 1)
+  return (
+    <div className="space-y-1">
+      <div className="text-xs text-gray-500">
+        {total} Machine-Checks (MCs) durchlaufen
+      </div>
+      <div className="flex h-4 rounded overflow-hidden border">
+        <Bar pct={(ok / safeTotal) * 100} color="#10b981" />
+        <Bar pct={(na / safeTotal) * 100} color="#94a3b8" />
+        <Bar pct={(high / safeTotal) * 100} color="#dc2626" />
+        <Bar pct={(medium / safeTotal) * 100} color="#f59e0b" />
+        <Bar pct={(low / safeTotal) * 100} color="#3b82f6" />
+      </div>
+      <div className="flex flex-wrap gap-3 text-xs">
+        <Legend color="#10b981" label={`OK ${ok}`} title="Geprüft & erfüllt" />
+        <Legend color="#94a3b8" label={`n/a ${na}`} title="Nicht anwendbar (Branche, B2C, …)" />
+        <Legend color="#dc2626" label={`HIGH ${high}`} title="Pflichtangabe fehlt / hartes Risiko" />
+        <Legend color="#f59e0b" label={`MEDIUM ${medium}`} title="Ergänzung empfohlen" />
+        <Legend color="#3b82f6" label={`LOW ${low}`} title="Best-Practice-Hinweis" />
+      </div>
+    </div>
+  )
+}
+
+function Bar({ pct, color }: { pct: number; color: string }) {
+  return <div style={{ width: `${pct}%`, background: color }} />
+}
+
+function Legend({
+  color, label, title,
+}: { color: string; label: string; title?: string }) {
+  return (
+    <span className="inline-flex items-center gap-1" title={title}>
+      <span style={{ background: color }} className="w-2 h-2 inline-block rounded" />
+      <span>{label}</span>
+    </span>
+  )
+}

admin-compliance/app/sdk/agent/_components/AgentTestTab.tsx

@@ -0,0 +1,337 @@
+'use client'
+
+/**
+ * AgentTestTab — Top-Level für den 5-URL-Test eines Specialist-Agents.
+ * Sections:
+ *   1. Agent-Wähler + 5 URL-Slots + Start-Button
+ *   2. Methodik-Erklärung (was wir tun, warum)
+ *   3. Live-Event-Log
+ *   4. Pro Slot: SlotCard (siehe AgentSlotCard.tsx)
+ */
+
+import React, { useEffect, useMemo, useRef, useState } from 'react'
+
+import type { AgentInfo, RunResult, SlotOutput, StreamEvent } from './_agentTypes'
+import { AgentSlotCard } from './AgentSlotCard'
+
+const STORAGE_KEY = 'agent-test-state-v1'
+const MAX_SLOTS = 5
+
+export function AgentTestTab() {
+  const [agents, setAgents] = useState<AgentInfo[]>([])
+  const [agentId, setAgentId] = useState<string>('')
+  const [urls, setUrls] = useState<string[]>(['', '', '', '', ''])
+  const [running, setRunning] = useState(false)
+  const [runId, setRunId] = useState<string>('')
+  const [events, setEvents] = useState<StreamEvent[]>([])
+  const [result, setResult] = useState<RunResult | null>(null)
+  const [error, setError] = useState<string>('')
+  const eventSrcRef = useRef<EventSource | null>(null)
+
+  // Restore state from localStorage
+  useEffect(() => {
+    try {
+      const s = localStorage.getItem(STORAGE_KEY)
+      if (s) {
+        const parsed = JSON.parse(s)
+        if (parsed.agentId) setAgentId(parsed.agentId)
+        if (Array.isArray(parsed.urls)) {
+          const padded = [...parsed.urls.slice(0, MAX_SLOTS),
+            ...new Array(MAX_SLOTS).fill('')].slice(0, MAX_SLOTS)
+          setUrls(padded)
+        }
+      }
+    } catch { /* noop */ }
+  }, [])
+  useEffect(() => {
+    try {
+      localStorage.setItem(STORAGE_KEY,
+        JSON.stringify({ agentId, urls }))
+    } catch { /* quota */ }
+  }, [agentId, urls])
+
+  // Load agents
+  useEffect(() => {
+    fetch('/api/sdk/v1/specialist-agent/agents')
+      .then(r => r.json())
+      .then(d => {
+        const list: AgentInfo[] = d.agents || []
+        setAgents(list)
+        if (list.length && !agentId) setAgentId(list[0].agent_id)
+      })
+      .catch(e => setError(`Agent-Liste fehlgeschlagen: ${e}`))
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [])
+
+  const startTest = async () => {
+    setError('')
+    setResult(null)
+    setEvents([])
+    const cleanUrls = urls.map(u => u.trim()).filter(Boolean)
+    if (!agentId) { setError('Kein Agent ausgewählt.'); return }
+    if (cleanUrls.length === 0) { setError('Mind. eine URL angeben.'); return }
+    setRunning(true)
+    try {
+      const r = await fetch('/api/sdk/v1/specialist-agent/test/start', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ agent_id: agentId, urls: cleanUrls }),
+      })
+      if (!r.ok) {
+        const j = await r.json().catch(() => ({}))
+        throw new Error(j.error || `HTTP ${r.status}`)
+      }
+      const data = await r.json()
+      setRunId(data.run_id)
+      openStream(data.run_id)
+      pollResult(data.run_id)
+    } catch (e: any) {
+      setError(e.message || String(e))
+      setRunning(false)
+    }
+  }
+
+  const openStream = (rid: string) => {
+    try { eventSrcRef.current?.close() } catch { /* noop */ }
+    const es = new EventSource(
+      `/api/sdk/v1/specialist-agent/test/stream/${rid}`,
+    )
+    eventSrcRef.current = es
+    es.onmessage = (ev) => {
+      try {
+        const data: StreamEvent = JSON.parse(ev.data)
+        setEvents(prev => [...prev, data])
+        if (data.type === 'stream_close' || data.type === 'run_complete') {
+          try { es.close() } catch { /* noop */ }
+        }
+      } catch { /* noop */ }
+    }
+    es.onerror = () => { try { es.close() } catch { /* noop */ } }
+  }
+
+  const pollResult = async (rid: string) => {
+    for (let i = 0; i < 360; i++) {
+      try {
+        const r = await fetch(
+          `/api/sdk/v1/specialist-agent/run/${rid}/result`,
+        )
+        if (r.ok) {
+          const d: RunResult = await r.json()
+          if (d.finished) {
+            setResult(d); setRunning(false); return
+          }
+        }
+      } catch { /* noop */ }
+      await new Promise(s => setTimeout(s, 2000))
+    }
+    setRunning(false)
+  }
+
+  const slotOutputs = useMemo(() => {
+    if (!result) return []
+    const items: { slot: string; output: SlotOutput }[] = []
+    for (const slot of Object.keys(result.results)) {
+      items.push({ slot, output: result.results[slot] })
+    }
+    return items.sort((a, b) => a.slot.localeCompare(b.slot))
+  }, [result])
+
+  const selectedAgent = agents.find(a => a.agent_id === agentId)
+
+  return (
+    <div className="space-y-4">
+      <InputCard
+        agents={agents}
+        agentId={agentId}
+        setAgentId={setAgentId}
+        selectedAgent={selectedAgent}
+        urls={urls}
+        setUrls={setUrls}
+        running={running}
+        runId={runId}
+        startTest={startTest}
+        error={error}
+      />
+
+      <MethodikInfo />
+
+      {running && events.length > 0 && <EventLog events={events} />}
+
+      {slotOutputs.length > 0 && (
+        <div className="space-y-3">
+          {slotOutputs.map(({ slot, output }) => (
+            <AgentSlotCard
+              key={slot} slot={slot} output={output} runId={runId}
+            />
+          ))}
+        </div>
+      )}
+    </div>
+  )
+}
+
+function InputCard({
+  agents, agentId, setAgentId, selectedAgent, urls, setUrls,
+  running, runId, startTest, error,
+}: {
+  agents: AgentInfo[]
+  agentId: string
+  setAgentId: (s: string) => void
+  selectedAgent?: AgentInfo
+  urls: string[]
+  setUrls: (urls: string[]) => void
+  running: boolean
+  runId: string
+  startTest: () => void
+  error: string
+}) {
+  return (
+    <div className="rounded-lg border bg-white p-4 space-y-3 shadow-sm">
+      <h2 className="text-lg font-semibold">Agent-Test (max. {MAX_SLOTS} URLs)</h2>
+      <div className="flex flex-wrap gap-3 items-end">
+        <div>
+          <label className="block text-xs font-medium text-gray-600">Agent</label>
+          <select
+            value={agentId}
+            onChange={e => setAgentId(e.target.value)}
+            className="border rounded px-2 py-1 text-sm"
+          >
+            {agents.map(a => (
+              <option key={a.agent_id} value={a.agent_id}>
+                {a.agent_id} v{a.agent_version} ({a.mc_count} MCs)
+              </option>
+            ))}
+          </select>
+        </div>
+        {selectedAgent && (
+          <div className="text-xs text-gray-500">
+            Doc-Type: <code>{selectedAgent.doc_type}</code>
+          </div>
+        )}
+      </div>
+      <div className="space-y-1">
+        {urls.map((u, i) => (
+          <div key={i} className="flex gap-2">
+            <span className="text-xs font-mono text-gray-500 w-8 pt-1.5">
+              URL{i + 1}
+            </span>
+            <input
+              value={u}
+              onChange={e => {
+                const next = [...urls]; next[i] = e.target.value
+                setUrls(next)
+              }}
+              placeholder="https://example.com/impressum"
+              className="flex-1 border rounded px-2 py-1 text-sm font-mono"
+            />
+          </div>
+        ))}
+      </div>
+      <div className="flex gap-2">
+        <button
+          onClick={startTest}
+          disabled={running}
+          className="bg-blue-600 hover:bg-blue-700 disabled:bg-gray-400 text-white text-sm px-4 py-2 rounded"
+        >
+          {running ? 'Laufend...' : 'Test starten'}
+        </button>
+        {runId && (
+          <span className="text-xs text-gray-500 self-center">
+            Run-ID: <code>{runId}</code>
+          </span>
+        )}
+      </div>
+      {error && (
+        <div className="bg-red-50 border-l-4 border-red-400 p-2 text-sm text-red-700">
+          {error}
+        </div>
+      )}
+    </div>
+  )
+}
+
+function MethodikInfo() {
+  return (
+    <details className="rounded border bg-slate-50 px-3 py-2 text-xs text-gray-700">
+      <summary className="cursor-pointer font-semibold">
+        Methodik — wie geprüft wird
+      </summary>
+      <ol className="list-decimal ml-5 mt-2 space-y-1">
+        <li>
+          <strong>Pattern-Checks</strong> — deterministische Regex-Tests
+          gegen Pflichtangaben-Schema (z.B. § 5 TMG/DDG). Schnell,
+          reproduzierbar. <em>Hinweis:</em> diese Pattern-IDs (z.B.
+          <code>IMP-MC-001</code>) sind <strong>interne Test-IDs</strong>,
+          nicht die Master-Control-IDs aus der Datenbank. BreakPilot hat
+          313k Atomic-Controls → 13.588 dedup. Master-Controls; davon
+          ~1.778 für dieses Compliance-Agent-Tool ausgewählt. Die formale
+          Verknüpfung Pattern-Check → Master-Control folgt in einem
+          späteren Schritt (Sprint 1.12).
+        </li>
+        <li>
+          <strong>Knowledge-Base</strong> — kuratierte Patterns aus
+          anonymisierten Mandanten-FAQs.
+        </li>
+        <li>
+          <strong>Auto-Learning-Pattern-Library</strong> — Labels die
+          der LLM-Validator gefunden hat (z.B. „Telefonnr." statt
+          „Telefon") werden persistiert. Beim nächsten Run sind sie
+          deterministisch erkennbar — der LLM wird seltener gerufen.
+        </li>
+        <li>
+          <strong>Semantic-Validator (LLM)</strong> — nur bei
+          missing-Pflichtangabe: ein Aufruf des Self-Hosted-LLM
+          (<code>qwen3.5:35b-a3b</code> auf macmini) prüft ob die
+          Angabe doch da ist, nur unter abweichendem Label. Bei
+          Treffer wird HIGH→LOW demoted und „Umbenennen zu Standard"
+          empfohlen.
+        </li>
+        <li>
+          <strong>LLM-Eskalation (Fallback)</strong> — wenn der
+          Validator unsicher bleibt: OVH 120b, dann anonymisierter
+          Claude-Cloud-Call. Aktuell deaktiviert (OVH-Key leer).
+        </li>
+        <li>
+          <strong>Cross-Placement-Agent</strong> — erkennt deplatzierten
+          Content (Copyright, Disclaimer, WEEE im Impressum) +
+          empfiehlt Footer-Reiter „Legal".
+        </li>
+      </ol>
+      <p className="mt-2 italic text-gray-500">
+        Disclaimer: keine Aussagen wie „rechtssicher" oder „konform" —
+        nur Findings + Empfehlungen + Herleitung. Verbotene Begriffe
+        werden vom Linter aus Agent-Outputs entfernt.
+      </p>
+    </details>
+  )
+}
+
+function EventLog({ events }: { events: StreamEvent[] }) {
+  return (
+    <div className="rounded border bg-gray-50 p-3 max-h-48 overflow-y-auto">
+      <div className="text-xs font-mono space-y-0.5">
+        {events.slice(-30).map((ev, i) => (
+          <div key={i}>
+            <span className="text-gray-400">[{ev.type}]</span>{' '}
+            {ev.slot && <span className="text-blue-600">{ev.slot}</span>}{' '}
+            {ev.severity && (
+              <span className={severityColor(ev.severity)}>{ev.severity}</span>
+            )}{' '}
+            {ev.title || ev.error || ev.label || ev.model || ev.url || ''}
+            {ev.word_count !== undefined && (
+              <span className="text-gray-500">
+                {' '}({ev.word_count} Wörter)
+              </span>
+            )}
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+
+function severityColor(sev: string) {
+  return sev === 'HIGH' ? 'text-red-600 font-semibold' :
+         sev === 'MEDIUM' ? 'text-amber-600 font-semibold' :
+         sev === 'LOW' ? 'text-blue-600' : 'text-gray-600'
+}

admin-compliance/app/sdk/agent/_components/ComplianceCheckTab.tsx

@@ -4,74 +4,20 @@ import React, { useState, useCallback } from 'react'
 import { ChecklistView } from './ChecklistView'
 import { DocumentRow } from './DocumentRow'
 import { MigrationPanel } from './MigrationPanel'
+import { PreScanWizard, useScanContext, isContextComplete } from './PreScanWizard'
+import { DOCUMENT_TYPES, type DocTypeId } from './_document_types'
+import {
+  STORAGE_KEY_STATE, STORAGE_KEY_RESULTS, STORAGE_KEY_HISTORY,
+  STORAGE_KEY_CHECK_ID, countWords, initState,
+  type DocState, type DocsState, type HistoryEntry,
+} from './_compliance_storage'
+import { useCompanyOrigin } from './_useCompanyOrigin'
 
-const DOCUMENT_TYPES = [
-  { id: 'dse', label: 'DSI (Datenschutzinformation)', required: true },
-  { id: 'impressum', label: 'Impressum', required: true },
-  { id: 'social_media', label: 'Social Media DSE', required: false },
-  { id: 'cookie', label: 'Cookie-Richtlinie', required: false },
-  { id: 'agb', label: 'AGB', required: false },
-  { id: 'nutzungsbedingungen', label: 'Nutzungsbedingungen', required: false },
-  { id: 'widerruf', label: 'Widerrufsbelehrung', required: false },
-  { id: 'dsb', label: 'DSB-Kontakt', required: false },
-] as const
-
-type DocTypeId = typeof DOCUMENT_TYPES[number]['id']
-
-interface DocState {
-  url: string
-  text: string
-  loading: boolean
-  error: string | null
-}
-
-type DocsState = Record<DocTypeId, DocState>
-
-const STORAGE_KEY_STATE = 'compliance-check-state'
-const STORAGE_KEY_RESULTS = 'compliance-check-results'
-const STORAGE_KEY_HISTORY = 'compliance-check-history'
-const STORAGE_KEY_CHECK_ID = 'compliance-check-active-id'
-
-function emptyDocState(): DocState {
-  return { url: '', text: '', loading: false, error: null }
-}
-
-function initState(): DocsState {
-  if (typeof window === 'undefined') {
-    return Object.fromEntries(DOCUMENT_TYPES.map(d => [d.id, emptyDocState()])) as DocsState
-  }
-  try {
-    const saved = localStorage.getItem(STORAGE_KEY_STATE)
-    if (saved) {
-      const parsed = JSON.parse(saved) as Record<string, { url?: string; text?: string }>
-      return Object.fromEntries(
-        DOCUMENT_TYPES.map(d => [d.id, {
-          url: parsed[d.id]?.url || '',
-          text: parsed[d.id]?.text || '',
-          loading: false,
-          error: null,
-        }])
-      ) as DocsState
-    }
-  } catch { /* ignore */ }
-  return Object.fromEntries(DOCUMENT_TYPES.map(d => [d.id, emptyDocState()])) as DocsState
-}
-
-function countWords(text: string): number {
-  if (!text.trim()) return 0
-  return text.trim().split(/\s+/).length
-}
-
-interface HistoryEntry {
-  date: string
-  docCount: number
-  findings: number
-  resultKey: string
-  checkId?: string
-}
 
 export function ComplianceCheckTab() {
   const [docs, setDocs] = useState<DocsState>(initState)
+  const { companyName, setCompanyName, originDomain, setOriginDomain } = useCompanyOrigin()
+  const [scanContext, setScanContext] = useScanContext()
   const [useAgent, setUseAgent] = useState(false)
   const [tdmOverride, setTdmOverride] = useState(false)
   const [tdmOverrideReason, setTdmOverrideReason] = useState('')
@@ -201,6 +147,10 @@ export function ComplianceCheckTab() {
           use_agent: useAgent,
           tdm_override: tdmOverride && tdmOverrideReason.trim().length >= 10,
           tdm_override_reason: tdmOverrideReason.trim(),
+          company_name: companyName.trim() || undefined,
+          origin_domain: originDomain.trim() || undefined,
+          // P79 — Pre-Scan-Wizard 8 Pflichtfelder; treibt MC-Scope-Filter (P72)
+          scan_context: scanContext,
         }),
       })
       if (!startRes.ok) throw new Error(`Pruefung konnte nicht gestartet werden: ${startRes.status}`)
@@ -270,6 +220,8 @@ export function ComplianceCheckTab() {
     } catch { /* ignore */ }
   }
 
+  const contextReady = isContextComplete(scanContext)
+
   return (
     <div className="space-y-4">
       {/* Info box */}
@@ -282,6 +234,33 @@ export function ComplianceCheckTab() {
         </p>
       </div>
 
+      {/* Firma + Domain (priorisiert vor extracted_profile-LLM-Inferenz) */}
+      <div className="bg-white border border-slate-200 rounded-lg p-4 grid grid-cols-1 md:grid-cols-2 gap-3">
+        <label className="block">
+          <span className="block text-xs font-medium text-slate-700 mb-1">Firma</span>
+          <input
+            type="text"
+            value={companyName}
+            onChange={e => setCompanyName(e.target.value)}
+            placeholder="z.B. Tesla Germany GmbH"
+            className="w-full text-sm border border-slate-300 rounded px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
+          />
+        </label>
+        <label className="block">
+          <span className="block text-xs font-medium text-slate-700 mb-1">Domain (Site-Origin)</span>
+          <input
+            type="url"
+            value={originDomain}
+            onChange={e => setOriginDomain(e.target.value)}
+            placeholder="z.B. https://www.tesla.com/de_de"
+            className="w-full text-sm border border-slate-300 rounded px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
+          />
+        </label>
+      </div>
+
+      {/* P79 Pre-Scan-Wizard — 8 Pflichtfelder zum MC-Scope-Filter (P72) */}
+      <PreScanWizard value={scanContext} onChange={setScanContext} />
+
       {/* Document rows */}
       <div className="space-y-2">
         {DOCUMENT_TYPES.map(dt => (
@@ -328,10 +307,11 @@ export function ComplianceCheckTab() {
         {tdmOverride && <input type="text" value={tdmOverrideReason} onChange={e => setTdmOverrideReason(e.target.value)} placeholder="z.B. Auftragsbeziehung Safetykon GmbH, Email Hr. X vom 18.05.2026" className="w-full px-3 py-2 text-xs border border-amber-300 rounded bg-white" />}
         {tdmOverride && tdmOverrideReason.trim().length < 10 && <p className="text-[10px] text-amber-700">Pflicht: Reason mit min. 10 Zeichen (Audit-Spur).</p>}
       </div>
-      {/* Submit button */}
+      {/* Submit button — Wizard muss vollstaendig sein (P79) */}
       <button
         onClick={handleSubmit}
-        disabled={loading || filledCount === 0 || (tdmOverride && tdmOverrideReason.trim().length < 10)}
+        disabled={loading || filledCount === 0 || !contextReady || (tdmOverride && tdmOverrideReason.trim().length < 10)}
+        title={!contextReady ? 'Pre-Scan-Wizard zuerst vollstaendig ausfuellen' : ''}
         className="w-full px-4 py-3 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 disabled:opacity-50 transition-colors text-sm flex items-center justify-center gap-2"
       >
         {loading ? (
@@ -342,6 +322,8 @@ export function ComplianceCheckTab() {
             </svg>
             Pruefe...
           </>
+        ) : !contextReady ? (
+          'Pre-Scan-Wizard vollstaendig ausfuellen (oben)'
         ) : (
           `Compliance-Check starten (${filledCount} Dokument${filledCount !== 1 ? 'e' : ''})`
         )}

admin-compliance/app/sdk/agent/_components/DocCheckTab.tsx

@@ -2,30 +2,41 @@
 
 import React, { useState } from 'react'
 import { ChecklistView } from './ChecklistView'
+import { ResultsTabsView } from './ResultsTabsView'
+import { PreScanWizard, useScanContext, isContextComplete } from './PreScanWizard'
+import { safeSetItem } from './storageHelpers'
 
 interface DocEntry {
   id: string
   type: string
   label: string
   url: string
+  text: string       // P-Paste: User kopiert Doc-Text direkt rein
+  mode: 'url' | 'text'  // welcher Input wird aktiv genutzt
 }
 
 const DOC_TYPES = [
-  { id: 'dse', label: 'DSI (Datenschutzinformation)' },
+  { id: 'dse', label: 'Datenschutzerklärung / DSI' },
+  { id: 'cookie', label: 'Cookie-Richtlinie' },
+  { id: 'impressum', label: 'Impressum' },
+  { id: 'agb', label: 'AGB' },
+  { id: 'nutzungsbedingungen', label: 'Nutzungsbedingungen' },
+  { id: 'widerruf', label: 'Widerrufsbelehrung' },
   { id: 'social_media', label: 'DSE Social Media (Art. 26)' },
   { id: 'dsfa', label: 'DSFA (Art. 35)' },
-  { id: 'agb', label: 'AGB / Nutzungsbedingungen' },
-  { id: 'impressum', label: 'Impressum' },
-  { id: 'cookie', label: 'Cookie-Richtlinie' },
-  { id: 'widerruf', label: 'Widerrufsbelehrung' },
+  { id: 'dsa', label: 'DSA / Digital Services Act' },
+  { id: 'legal_notice', label: 'Rechtliche Hinweise (IP, Forward-Looking)' },
+  { id: 'lizenzhinweise', label: 'Lizenzhinweise Dritter (OSS)' },
   { id: 'other', label: 'Sonstiges' },
 ]
 
 function newEntry(): DocEntry {
-  return { id: crypto.randomUUID().slice(0, 8), type: 'dse', label: '', url: '' }
+  return { id: crypto.randomUUID().slice(0, 8), type: 'dse', label: '',
+            url: '', text: '', mode: 'url' }
 }
 
 export function DocCheckTab() {
+  const [scanContext, setScanContext] = useScanContext()
   const [entries, setEntries] = useState<DocEntry[]>(() => {
     if (typeof window === 'undefined') return [newEntry()]
     try { const s = localStorage.getItem('doc-check-entries'); return s ? JSON.parse(s) : [newEntry()] } catch { return [newEntry()] }
@@ -74,7 +85,7 @@ export function DocCheckTab() {
   }
 
   const handleSubmit = async () => {
-    const validEntries = entries.filter(e => e.url.trim())
+    const validEntries = entries.filter(e => e.url.trim() || e.text.trim())
     if (validEntries.length === 0) return
 
     setLoading(true)
@@ -89,11 +100,17 @@ export function DocCheckTab() {
         body: JSON.stringify({
           entries: validEntries.map(e => ({
             doc_type: e.type,
-            label: e.label || e.url.split('/').pop() || 'Dokument',
-            url: e.url.trim(),
+            label: e.label
+                   || (e.url ? e.url.split('/').pop() : '')
+                   || `${e.type}-paste`,
+            url:  e.mode === 'text' ? '' : e.url.trim(),
+            // Backend nimmt text > url. Wenn beide gefuellt sind und
+            // mode='url', schicken wir den text NICHT mit.
+            text: e.mode === 'text' ? e.text.trim() : '',
           })),
           check_cookie_banner: checkCookieBanner,
           use_agent: useAgent,
+          scan_context: scanContext,
         }),
       })
       if (!startRes.ok) throw new Error(`Pruefung konnte nicht gestartet werden: ${startRes.status}`)
@@ -111,13 +128,13 @@ export function DocCheckTab() {
         if (pollData.status === 'completed' && pollData.result) {
           setResults(pollData.result)
           setProgress('')
-          localStorage.setItem('doc-check-results', JSON.stringify(pollData.result))
+          safeSetItem('doc-check-results', JSON.stringify(pollData.result))
           const resultKey = `doc-check-result-${Date.now()}`
-          try { localStorage.setItem(resultKey, JSON.stringify(pollData.result)) } catch { /* quota */ }
+          safeSetItem(resultKey, JSON.stringify(pollData.result))
           const entry = { date: new Date().toISOString(), urls: validEntries.length, findings: pollData.result.total_findings || 0, resultKey }
           const updated = [entry, ...history].slice(0, 30)
           setHistory(updated)
-          localStorage.setItem('doc-check-history', JSON.stringify(updated))
+          safeSetItem('doc-check-history', JSON.stringify(updated))
           break
         }
         if (pollData.status === 'failed') {
@@ -133,43 +150,90 @@ export function DocCheckTab() {
     }
   }
 
+  const contextReady = isContextComplete(scanContext)
+
   return (
     <div className="space-y-4">
-      {/* URL Entries */}
-      <div className="space-y-2">
+      {/* P79 Pre-Scan-Wizard — 8 Pflichtfelder */}
+      <PreScanWizard value={scanContext} onChange={setScanContext} />
+
+      {/* URL / Text Entries */}
+      <div className="space-y-3">
         {entries.map((entry, i) => (
-          <div key={entry.id} className="flex items-center gap-2">
-            <select
-              value={entry.type}
-              onChange={e => updateEntry(entry.id, 'type', e.target.value)}
-              className="w-48 px-3 py-2.5 border border-gray-300 rounded-lg text-sm bg-white shrink-0"
-            >
-              {DOC_TYPES.map(t => (
-                <option key={t.id} value={t.id}>{t.label}</option>
-              ))}
-            </select>
-            <input
-              type="text"
-              value={entry.label}
-              onChange={e => updateEntry(entry.id, 'label', e.target.value)}
-              placeholder={entry.type === 'other' ? 'Dokumentname' : 'Version / Stand (optional)'}
-              className="w-40 px-3 py-2.5 border border-gray-300 rounded-lg text-sm shrink-0"
-            />
-            <input
-              type="url"
-              value={entry.url}
-              onChange={e => updateEntry(entry.id, 'url', e.target.value)}
-              onBlur={() => autoLabel(entry)}
-              placeholder="https://example.com/datenschutz"
-              className="flex-1 px-3 py-2.5 border border-gray-300 rounded-lg text-sm"
-            />
-            {entries.length > 1 && (
-              <button onClick={() => removeEntry(entry.id)}
-                className="p-2 text-gray-400 hover:text-red-500 shrink-0">
-                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
-                </svg>
-              </button>
+          <div key={entry.id} className="space-y-1.5">
+            <div className="flex items-center gap-2">
+              <select
+                value={entry.type}
+                onChange={e => updateEntry(entry.id, 'type', e.target.value)}
+                className="w-48 px-3 py-2.5 border border-gray-300 rounded-lg text-sm bg-white shrink-0"
+              >
+                {DOC_TYPES.map(t => (
+                  <option key={t.id} value={t.id}>{t.label}</option>
+                ))}
+              </select>
+              <input
+                type="text"
+                value={entry.label}
+                onChange={e => updateEntry(entry.id, 'label', e.target.value)}
+                placeholder={entry.type === 'other' ? 'Dokumentname' : 'Version / Stand (optional)'}
+                className="w-40 px-3 py-2.5 border border-gray-300 rounded-lg text-sm shrink-0"
+              />
+
+              {/* Mode-Toggle URL / Text */}
+              <div className="inline-flex border border-gray-300 rounded-lg overflow-hidden text-xs shrink-0">
+                <button type="button"
+                  onClick={() => updateEntry(entry.id, 'mode', 'url')}
+                  className={`px-3 py-2 ${entry.mode === 'url'
+                    ? 'bg-purple-600 text-white' : 'bg-white text-gray-600 hover:bg-gray-50'}`}>
+                  URL
+                </button>
+                <button type="button"
+                  onClick={() => updateEntry(entry.id, 'mode', 'text')}
+                  className={`px-3 py-2 ${entry.mode === 'text'
+                    ? 'bg-purple-600 text-white' : 'bg-white text-gray-600 hover:bg-gray-50'}`}>
+                  Text einfügen
+                </button>
+              </div>
+
+              {entry.mode === 'url' && (
+                <input
+                  type="url"
+                  value={entry.url}
+                  onChange={e => updateEntry(entry.id, 'url', e.target.value)}
+                  onBlur={() => autoLabel(entry)}
+                  placeholder="https://example.com/datenschutz"
+                  className="flex-1 px-3 py-2.5 border border-gray-300 rounded-lg text-sm"
+                />
+              )}
+
+              {entries.length > 1 && (
+                <button onClick={() => removeEntry(entry.id)}
+                  className="p-2 text-gray-400 hover:text-red-500 shrink-0">
+                  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+                  </svg>
+                </button>
+              )}
+            </div>
+
+            {entry.mode === 'text' && (
+              <div className="ml-[400px]">
+                <textarea
+                  value={entry.text}
+                  onChange={e => updateEntry(entry.id, 'text', e.target.value)}
+                  placeholder={
+                    entry.type === 'cookie'
+                      ? 'Kopiere hier die komplette Cookie-Tabelle rein (Tab-getrennt oder mit | als Trenner — wir parsen alle Spalten deterministisch)…'
+                      : 'Kopiere hier den vollständigen Doc-Text rein. Wir erkennen automatisch ob es zu „' + (DOC_TYPES.find(t => t.id === entry.type)?.label ?? entry.type) + '" passt.'
+                  }
+                  className="w-full h-32 px-3 py-2 border border-gray-300 rounded-lg text-xs font-mono resize-y"
+                />
+                <div className="text-[10px] text-gray-500 mt-1">
+                  {entry.text.trim().length > 0
+                    ? `${entry.text.trim().length.toLocaleString('de-DE')} Zeichen · ${entry.text.trim().split(/\s+/).length.toLocaleString('de-DE')} Wörter`
+                    : 'Der Crawler wird übersprungen — die Analyse läuft direkt auf dem eingefügten Text.'}
+                </div>
+              </div>
             )}
           </div>
         ))}
@@ -212,8 +276,11 @@ export function DocCheckTab() {
       {/* Submit */}
       <button
         onClick={handleSubmit}
-        disabled={loading || entries.every(e => !e.url.trim())}
+        disabled={loading
+                  || entries.every(e => !e.url.trim() && !e.text.trim())
+                  || !contextReady}
         className="w-full px-4 py-3 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 disabled:opacity-50 transition-colors text-sm flex items-center justify-center gap-2"
+        title={!contextReady ? 'Bitte zuerst die 8 Pflichtfelder ausfüllen' : undefined}
       >
         {loading ? (
           <>
@@ -223,6 +290,8 @@ export function DocCheckTab() {
             </svg>
             Pruefe...
           </>
+        ) : !contextReady ? (
+          `Klassifizierung unvollständig (8 Pflichtfelder)`
         ) : (
           `${entries.filter(e => e.url.trim()).length} Dokument${entries.filter(e => e.url.trim()).length !== 1 ? 'e' : ''} pruefen`
         )}
@@ -244,41 +313,9 @@ export function DocCheckTab() {
         <div className="bg-red-50 border border-red-200 rounded-lg p-3 text-sm text-red-700">{error}</div>
       )}
 
-      {/* Results */}
+      {/* Results — als Tab-Ansicht (Übersicht/Cookies/DSE/Impressum/AGB/Banner/Mail) */}
       {results && results.results && (
-        <div className="bg-white border border-gray-200 rounded-xl p-6 shadow-sm">
-          <ChecklistView results={results.results} />
-
-          {/* Cookie Banner Result */}
-          {results.cookie_banner_result && (
-            <div className="mt-4 pt-4 border-t border-gray-200">
-              <h4 className="text-sm font-semibold text-gray-800 mb-2">Cookie-Banner</h4>
-              <div className="text-sm text-gray-600">
-                {results.cookie_banner_result.banner_detected
-                  ? `Banner erkannt: ${results.cookie_banner_result.banner_provider || 'unbekannt'}`
-                  : 'Kein Banner erkannt'}
-              </div>
-              {results.cookie_banner_result.banner_checks?.violations?.length > 0 && (
-                <div className="mt-2 space-y-1">
-                  {results.cookie_banner_result.banner_checks.violations.map((v: any, i: number) => (
-                    <div key={i} className="text-xs text-red-600 flex items-start gap-1.5">
-                      <span className="shrink-0 mt-0.5">!!</span>
-                      <span>{v.text}</span>
-                    </div>
-                  ))}
-                </div>
-              )}
-            </div>
-          )}
-
-          {/* Email Status */}
-          {results.email_status && (
-            <div className="mt-3 text-xs text-gray-500 flex items-center gap-2">
-              <span className={`w-2 h-2 rounded-full ${results.email_status === 'sent' ? 'bg-green-400' : 'bg-gray-300'}`} />
-              E-Mail: {results.email_status === 'sent' ? 'Gesendet' : results.email_status}
-            </div>
-          )}
-        </div>
+        <ResultsTabsView results={results} />
       )}
 
       {/* History */}

admin-compliance/app/sdk/agent/_components/PreScanWizard.tsx

@@ -0,0 +1,269 @@
+'use client'
+
+/**
+ * P79 — Pre-Scan-Wizard (8 Pflichtfelder).
+ *
+ * 8 Pflichtfelder die vor dem Lauf abgefragt werden. Werte landen im
+ * scan_context und filtern später die MC-Auswertung (zusammen mit P72
+ * scope_doc_type + applicable_industries). Erwartete Noise-Reduktion:
+ * 70-80% bei falsch zugeordneten HIGH-MCs.
+ */
+
+import React, { useState, useEffect } from 'react'
+
+export interface ScanContext {
+  industry: string
+  business_model: string
+  direct_sales: string
+  legal_form: string
+  group_structure: string
+  employee_count: string
+  special_data: string[]
+  third_country_transfer: string
+}
+
+const INDUSTRIES = [
+  { id: '', label: '— bitte wählen —' },
+  { id: 'automotive', label: 'Automotive / OEM' },
+  { id: 'ecommerce', label: 'E-Commerce / Online-Handel' },
+  { id: 'saas', label: 'SaaS / Software' },
+  { id: 'banking', label: 'Banking / Finance' },
+  { id: 'insurance', label: 'Insurance / Versicherung' },
+  { id: 'healthcare', label: 'Healthcare / Gesundheit' },
+  { id: 'education', label: 'Bildung / Schule' },
+  { id: 'public', label: 'Öffentliche Verwaltung' },
+  { id: 'manufacturing', label: 'Industrie / Manufacturing' },
+  { id: 'media', label: 'Medien / Verlag' },
+  { id: 'other', label: 'Sonstige' },
+]
+
+const LEGAL_FORMS = [
+  { id: '', label: '— bitte wählen —' },
+  { id: 'ag', label: 'AG (Aktiengesellschaft)' },
+  { id: 'gmbh', label: 'GmbH' },
+  { id: 'gmbh_co_kg', label: 'GmbH & Co. KG' },
+  { id: 'kg', label: 'KG' },
+  { id: 'ohg', label: 'OHG' },
+  { id: 'ug', label: 'UG (haftungsbeschränkt)' },
+  { id: 'ek', label: 'e.K. / Einzelunternehmen' },
+  { id: 'verein', label: 'Verein' },
+  { id: 'stiftung', label: 'Stiftung' },
+  { id: 'behoerde', label: 'Behörde / Körperschaft öff. Rechts' },
+  { id: 'other', label: 'Sonstige' },
+]
+
+const GROUP_STRUCTURES = [
+  { id: '', label: '— bitte wählen —' },
+  { id: 'standalone', label: 'Eigenständig' },
+  { id: 'parent', label: 'Konzern-Mutter' },
+  { id: 'subsidiary', label: 'Konzern-Tochter' },
+  { id: 'joint_venture', label: 'Joint Venture' },
+  { id: 'processor', label: 'Reiner Auftragsverarbeiter' },
+]
+
+const EMPLOYEE_COUNTS = [
+  { id: '', label: '— bitte wählen —' },
+  { id: 'lt10', label: 'unter 10' },
+  { id: '10_19', label: '10-19' },
+  { id: '20_49', label: '20-49 (DSB ab 20 Pflicht)' },
+  { id: '50_249', label: '50-249 (Whistleblower-Pflicht)' },
+  { id: '250_499', label: '250-499' },
+  { id: '500_999', label: '500-999' },
+  { id: '1000_plus', label: '1.000+ (Konzern)' },
+]
+
+const SPECIAL_DATA_OPTIONS = [
+  { id: 'health', label: 'Gesundheitsdaten' },
+  { id: 'biometric', label: 'Biometrische Daten' },
+  { id: 'ethnicity', label: 'Religiöse / ethnische Herkunft' },
+  { id: 'sexual', label: 'Sexuelle Orientierung' },
+  { id: 'criminal', label: 'Strafrechtliche Daten' },
+  { id: 'minors', label: 'Minderjährige (<16)' },
+  { id: 'none', label: 'Keine besonderen Daten' },
+]
+
+const STORAGE_KEY = 'compliance-scan-context'
+
+function emptyContext(): ScanContext {
+  return {
+    industry: '',
+    business_model: '',
+    direct_sales: '',
+    legal_form: '',
+    group_structure: '',
+    employee_count: '',
+    special_data: [],
+    third_country_transfer: '',
+  }
+}
+
+export function isContextComplete(ctx: ScanContext): boolean {
+  return Boolean(
+    ctx.industry &&
+    ctx.business_model &&
+    ctx.direct_sales &&
+    ctx.legal_form &&
+    ctx.group_structure &&
+    ctx.employee_count &&
+    ctx.special_data.length > 0 &&
+    ctx.third_country_transfer
+  )
+}
+
+export function PreScanWizard({
+  value,
+  onChange,
+}: {
+  value: ScanContext
+  onChange: (ctx: ScanContext) => void
+}) {
+  const update = <K extends keyof ScanContext>(key: K, val: ScanContext[K]) => {
+    onChange({ ...value, [key]: val })
+  }
+
+  const toggleSpecialData = (id: string) => {
+    const next = value.special_data.includes(id)
+      ? value.special_data.filter(x => x !== id)
+      : [...value.special_data.filter(x => x !== 'none' || id === 'none'), id]
+    onChange({ ...value, special_data: id === 'none' ? ['none'] : next.filter(x => x !== 'none') })
+  }
+
+  return (
+    <div style={{
+      background: '#f0f9ff',
+      border: '1px solid #bfdbfe',
+      borderRadius: 8,
+      padding: '14px 16px',
+      marginBottom: 14,
+    }}>
+      <div style={{ fontSize: 11, color: '#1e40af', textTransform: 'uppercase',
+                    letterSpacing: 1.2, marginBottom: 4, fontWeight: 600 }}>
+        Pflichtangaben zur Klassifizierung des Audits
+      </div>
+      <h3 style={{ margin: '0 0 6px', fontSize: 14, color: '#1e293b' }}>
+        Vor dem Scan: 8 Angaben zum Unternehmen
+      </h3>
+      <p style={{ margin: '0 0 12px', fontSize: 11, color: '#475569', lineHeight: 1.5 }}>
+        Diese Angaben filtern irrelevante Compliance-Themen heraus (z.B. eHealth-
+        Vorschriften bei einem Autobauer) und liefern eine realistische
+        Einschätzung statt pauschaler Verstoss-Listen.
+      </p>
+
+      <div style={{ display: 'grid', gridTemplateColumns: 'repeat(2, 1fr)', gap: 10 }}>
+        <Field label="1. Branche*">
+          <select value={value.industry} onChange={e => update('industry', e.target.value)} style={inputStyle}>
+            {INDUSTRIES.map(o => <option key={o.id} value={o.id}>{o.label}</option>)}
+          </select>
+        </Field>
+
+        <Field label="2. Geschäftsmodell*">
+          <select value={value.business_model} onChange={e => update('business_model', e.target.value)} style={inputStyle}>
+            <option value="">— bitte wählen —</option>
+            <option value="b2b">B2B</option>
+            <option value="b2c">B2C</option>
+            <option value="both">Beides (B2B + B2C)</option>
+          </select>
+        </Field>
+
+        <Field label="3. Direkt-Vertrieb (Webshop/Buchung)*">
+          <select value={value.direct_sales} onChange={e => update('direct_sales', e.target.value)} style={inputStyle}>
+            <option value="">— bitte wählen —</option>
+            <option value="yes">Ja</option>
+            <option value="no">Nein</option>
+            <option value="lead_funnel">Nur Lead-Funnel (Probefahrten, Anfragen)</option>
+          </select>
+        </Field>
+
+        <Field label="4. Rechtsform*">
+          <select value={value.legal_form} onChange={e => update('legal_form', e.target.value)} style={inputStyle}>
+            {LEGAL_FORMS.map(o => <option key={o.id} value={o.id}>{o.label}</option>)}
+          </select>
+        </Field>
+
+        <Field label="5. Konzern-Struktur*">
+          <select value={value.group_structure} onChange={e => update('group_structure', e.target.value)} style={inputStyle}>
+            {GROUP_STRUCTURES.map(o => <option key={o.id} value={o.id}>{o.label}</option>)}
+          </select>
+        </Field>
+
+        <Field label="6. Mitarbeiterzahl*">
+          <select value={value.employee_count} onChange={e => update('employee_count', e.target.value)} style={inputStyle}>
+            {EMPLOYEE_COUNTS.map(o => <option key={o.id} value={o.id}>{o.label}</option>)}
+          </select>
+        </Field>
+
+        <Field label="7. Besondere Datenkategorien*" colSpan={2}>
+          <div style={{ display: 'flex', flexWrap: 'wrap', gap: 8 }}>
+            {SPECIAL_DATA_OPTIONS.map(o => (
+              <label key={o.id} style={{ fontSize: 12, display: 'inline-flex',
+                                          alignItems: 'center', gap: 4,
+                                          padding: '4px 8px', background: '#fff',
+                                          border: '1px solid #cbd5e1',
+                                          borderRadius: 4 }}>
+                <input type="checkbox"
+                       checked={value.special_data.includes(o.id)}
+                       onChange={() => toggleSpecialData(o.id)} />
+                {o.label}
+              </label>
+            ))}
+          </div>
+        </Field>
+
+        <Field label="8. Bekannter Drittland-Transfer*" colSpan={2}>
+          <select value={value.third_country_transfer} onChange={e => update('third_country_transfer', e.target.value)} style={inputStyle}>
+            <option value="">— bitte wählen —</option>
+            <option value="yes">Ja (USA, CN, IN, UK, ...)</option>
+            <option value="no">Nein (nur EU/EWR)</option>
+            <option value="unknown">Weiß nicht (bitte automatisch prüfen)</option>
+          </select>
+        </Field>
+      </div>
+
+      {!isContextComplete(value) && (
+        <div style={{ marginTop: 10, fontSize: 11, color: '#92400e',
+                       background: '#fef3c7', padding: '6px 10px',
+                       borderRadius: 4, border: '1px solid #fde68a' }}>
+          Bitte alle 8 Pflichtfelder ausfüllen — der Scan-Button wird erst aktiv,
+          wenn die Klassifizierung komplett ist.
+        </div>
+      )}
+    </div>
+  )
+}
+
+const inputStyle: React.CSSProperties = {
+  width: '100%',
+  padding: '6px 8px',
+  fontSize: 12,
+  border: '1px solid #cbd5e1',
+  borderRadius: 4,
+  background: '#fff',
+}
+
+function Field({ label, children, colSpan }: { label: string; children: React.ReactNode; colSpan?: number }) {
+  return (
+    <div style={{ gridColumn: colSpan ? `span ${colSpan}` : undefined }}>
+      <label style={{ display: 'block', fontSize: 11, color: '#475569',
+                       marginBottom: 4, fontWeight: 600 }}>
+        {label}
+      </label>
+      {children}
+    </div>
+  )
+}
+
+export function useScanContext(): [ScanContext, (ctx: ScanContext) => void] {
+  const [ctx, setCtx] = useState<ScanContext>(() => {
+    if (typeof window === 'undefined') return emptyContext()
+    try {
+      const s = localStorage.getItem(STORAGE_KEY)
+      return s ? { ...emptyContext(), ...JSON.parse(s) } : emptyContext()
+    } catch {
+      return emptyContext()
+    }
+  })
+  useEffect(() => {
+    try { localStorage.setItem(STORAGE_KEY, JSON.stringify(ctx)) } catch {}
+  }, [ctx])
+  return [ctx, setCtx]
+}

admin-compliance/app/sdk/agent/_components/ResultsTabsView.tsx

@@ -0,0 +1,353 @@
+'use client'
+
+/**
+ * ResultsTabsView — strukturierte Tab-Ansicht der Audit-Ergebnisse.
+ *
+ * Statt einer langen Scroll-Seite gibt es:
+ *   1. Übersicht (Score + GF-Kurzfassung)
+ *   2. Cookies (3-Quellen-Compliance-Vergleich + Vendor-/Cookie-Listen)
+ *   3. Datenschutzerklärung
+ *   4. Impressum
+ *   5. AGB / Widerruf
+ *   6. Banner (Cookie-Banner-Checks)
+ *   7. Vollständige Mail (HTML-Preview)
+ *
+ * Tab-Headers sticky oben, Content scrollbar unten.
+ */
+
+import React, { useState, useMemo } from 'react'
+import { ChecklistView } from './ChecklistView'
+
+interface ResultsTabsViewProps {
+  results: any
+}
+
+type TabId = 'overview' | 'cookies' | 'dse' | 'impressum' | 'agb' | 'banner' | 'mail'
+
+const TABS: { id: TabId; label: string; icon: string }[] = [
+  { id: 'overview',  label: 'Übersicht',          icon: '◉' },
+  { id: 'cookies',   label: 'Cookies & VVT',      icon: '🍪' },
+  { id: 'dse',       label: 'Datenschutzerkl.',   icon: '📄' },
+  { id: 'impressum', label: 'Impressum',          icon: '🏢' },
+  { id: 'agb',       label: 'AGB / Widerruf',     icon: '⚖️' },
+  { id: 'banner',    label: 'Cookie-Banner',      icon: '🎛' },
+  { id: 'mail',      label: 'Mail-Vorschau',      icon: '✉️' },
+]
+
+export function ResultsTabsView({ results }: ResultsTabsViewProps) {
+  const [active, setActive] = useState<TabId>('overview')
+
+  const r = results || {}
+  const docs: any[] = r.results || []
+  const banner = r.banner_result || r.cookie_banner_result || {}
+  const cmpVendors: any[] = r.cmp_vendors || []
+  const cookieAudit = r.cookie_audit || {}
+
+  const docsByType = useMemo(() => {
+    const m: Record<string, any> = {}
+    for (const d of docs) {
+      const t = (d.doc_type || '').toLowerCase()
+      if (!m[t]) m[t] = d
+    }
+    return m
+  }, [docs])
+
+  return (
+    <div className="border border-gray-200 rounded-lg overflow-hidden bg-white">
+      {/* Sticky Tab-Header */}
+      <div className="flex border-b border-gray-200 bg-gray-50 overflow-x-auto sticky top-0 z-10">
+        {TABS.map(t => (
+          <button
+            key={t.id}
+            onClick={() => setActive(t.id)}
+            className={`px-4 py-3 text-sm font-medium whitespace-nowrap border-b-2 transition-colors ${
+              active === t.id
+                ? 'border-purple-600 text-purple-700 bg-white'
+                : 'border-transparent text-gray-600 hover:bg-gray-100'
+            }`}
+          >
+            <span className="mr-1.5">{t.icon}</span>
+            {t.label}
+          </button>
+        ))}
+      </div>
+
+      {/* Tab-Content */}
+      <div className="p-4 min-h-[400px]">
+        {active === 'overview' && <OverviewTab results={r} />}
+        {active === 'cookies' && (
+          <CookiesTab
+            audit={cookieAudit}
+            vendors={cmpVendors}
+            banner={banner}
+          />
+        )}
+        {active === 'dse'       && <DocTab doc={docsByType['dse']} label="Datenschutzerklärung" />}
+        {active === 'impressum' && <DocTab doc={docsByType['impressum']} label="Impressum" />}
+        {active === 'agb'       && <AgbWiderrufTab docs={docsByType} />}
+        {active === 'banner'    && <BannerTab banner={banner} />}
+        {active === 'mail'      && <MailPreviewTab results={r} />}
+      </div>
+    </div>
+  )
+}
+
+// ── Übersicht ──────────────────────────────────────────────────────────
+function OverviewTab({ results }: { results: any }) {
+  const totalDocs = results.total_documents || (results.results?.length ?? 0)
+  const totalFindings = results.total_findings ?? 0
+  const banner = results.banner_result || results.cookie_banner_result || {}
+  const score = banner.compliance_score ?? banner.completeness_pct ?? null
+  const emailStatus = results.email_status
+
+  return (
+    <div className="space-y-4">
+      <div className="grid grid-cols-2 md:grid-cols-4 gap-3">
+        <Kpi label="Geprüfte Dokumente" value={totalDocs} />
+        <Kpi label="Findings gesamt" value={totalFindings} tone={totalFindings > 5 ? 'warn' : 'ok'} />
+        <Kpi label="Vendors erkannt" value={results.cmp_vendors?.length || 0} />
+        <Kpi label="Score" value={score !== null ? `${score}%` : '—'}
+             tone={score === null ? 'neutral' : score >= 80 ? 'ok' : score >= 60 ? 'warn' : 'bad'} />
+      </div>
+
+      {emailStatus && (
+        <div className={`text-sm px-3 py-2 rounded ${
+          emailStatus === 'sent' ? 'bg-green-50 text-green-800' : 'bg-gray-100 text-gray-700'
+        }`}>
+          E-Mail: {emailStatus === 'sent' ? '✓ Gesendet an Empfänger' : emailStatus}
+        </div>
+      )}
+
+      <div className="bg-blue-50 border border-blue-200 rounded p-3 text-xs text-blue-900">
+        <strong>Wo welcher Inhalt steckt:</strong> in den Tabs oben findest du die
+        Detail-Auswertung pro Doc-Typ. Im Cookie-Tab steht der 3-Quellen-Compliance-
+        Vergleich (deklariert vs Browser vs Library) — das ist der wichtigste
+        rechtliche Knackpunkt. Banner-Tab zeigt die echten Browser-Phasen-Checks.
+      </div>
+    </div>
+  )
+}
+
+function Kpi({ label, value, tone = 'neutral' }: { label: string; value: any; tone?: string }) {
+  const colors: Record<string, string> = {
+    ok: 'text-green-700 bg-green-50 border-green-200',
+    warn: 'text-amber-700 bg-amber-50 border-amber-200',
+    bad: 'text-red-700 bg-red-50 border-red-200',
+    neutral: 'text-gray-700 bg-gray-50 border-gray-200',
+  }
+  return (
+    <div className={`border rounded p-3 ${colors[tone]}`}>
+      <div className="text-[10px] uppercase tracking-wider opacity-70">{label}</div>
+      <div className="text-2xl font-bold mt-1">{value}</div>
+    </div>
+  )
+}
+
+// ── Cookies & VVT ──────────────────────────────────────────────────────
+function CookiesTab({ audit, vendors, banner }: { audit: any; vendors: any[]; banner: any }) {
+  const declared = audit?.declared_count ?? 0
+  const browser  = audit?.browser_count ?? 0
+  const both     = (audit?.compliant ?? []).length
+  const undecl   = (audit?.undeclared_in_browser ?? []).length
+  const decOnly  = (audit?.declared_not_loaded ?? []).length
+
+  return (
+    <div className="space-y-4">
+      {/* Top-Bar mit Counts */}
+      <div className="grid grid-cols-3 md:grid-cols-5 gap-2">
+        <Kpi label="Deklariert" value={declared} />
+        <Kpi label="Im Browser" value={browser} />
+        <Kpi label="Compliant" value={both} tone="ok" />
+        <Kpi label="Undokumentiert" value={undecl} tone={undecl > 0 ? 'bad' : 'ok'} />
+        <Kpi label="Nicht geladen" value={decOnly} tone={decOnly > 0 ? 'warn' : 'neutral'} />
+      </div>
+
+      {/* 3-Spalten-Vergleichstabelle */}
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-3">
+        <CookieColumn
+          title={`❌ Undokumentiert (${undecl})`}
+          tone="bad"
+          subtitle="Geladen ABER nicht in der Richtlinie — Art. 13(1)(c) DSGVO Verstoß"
+          cookies={audit?.undeclared_in_browser ?? []}
+        />
+        <CookieColumn
+          title={`✓ Compliant (${both})`}
+          tone="ok"
+          subtitle="Beide Quellen stimmen überein"
+          cookies={audit?.compliant ?? []}
+        />
+        <CookieColumn
+          title={`⚠️ Nicht geladen (${decOnly})`}
+          tone="warn"
+          subtitle="In Richtlinie deklariert, aber bei diesem Lauf nicht im Browser"
+          cookies={audit?.declared_not_loaded ?? []}
+        />
+      </div>
+
+      {/* Vendor-Liste (deduped) */}
+      <div>
+        <h3 className="text-sm font-semibold mb-2 text-gray-800">
+          Vendor-Liste ({vendors.length} unique nach Deduplizierung)
+        </h3>
+        <div className="overflow-x-auto border border-gray-200 rounded">
+          <table className="w-full text-xs">
+            <thead className="bg-gray-50">
+              <tr>
+                <th className="text-left px-3 py-2">Vendor</th>
+                <th className="text-left px-3 py-2">Kategorie</th>
+                <th className="text-left px-3 py-2">Quelle</th>
+                <th className="text-right px-3 py-2">Cookies</th>
+              </tr>
+            </thead>
+            <tbody>
+              {vendors.map((v, i) => (
+                <tr key={i} className="border-t border-gray-100 hover:bg-gray-50">
+                  <td className="px-3 py-2 font-medium">{v.name}</td>
+                  <td className="px-3 py-2 text-gray-600">{v.category || '—'}</td>
+                  <td className="px-3 py-2 text-gray-500 font-mono text-[10px]">
+                    {v.source || '—'}
+                  </td>
+                  <td className="px-3 py-2 text-right">{(v.cookies || []).length}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+function CookieColumn({ title, tone, subtitle, cookies }: {
+  title: string; tone: string; subtitle: string; cookies: string[]
+}) {
+  const colors: Record<string, string> = {
+    bad: 'bg-red-50 border-red-200 text-red-900',
+    ok: 'bg-green-50 border-green-200 text-green-900',
+    warn: 'bg-amber-50 border-amber-200 text-amber-900',
+  }
+  return (
+    <div className={`border rounded p-3 ${colors[tone]}`}>
+      <div className="text-xs font-semibold mb-1">{title}</div>
+      <div className="text-[10px] opacity-80 mb-2">{subtitle}</div>
+      <div className="font-mono text-[10px] max-h-56 overflow-auto">
+        {cookies.length === 0 && <span className="opacity-60">— keine —</span>}
+        {cookies.map((c, i) => (
+          <div key={i} className="py-0.5">{c}</div>
+        ))}
+      </div>
+    </div>
+  )
+}
+
+// ── Generic Doc-Tab ────────────────────────────────────────────────────
+function DocTab({ doc, label }: { doc: any; label: string }) {
+  if (!doc) return <Empty label={label} />
+  const checks = doc.checks || []
+  const failed = checks.filter((c: any) => !c.passed && !c.skipped)
+  const passed = checks.filter((c: any) => c.passed)
+
+  return (
+    <div className="space-y-3">
+      <div className="flex items-center justify-between">
+        <h3 className="text-sm font-semibold">{label}</h3>
+        <div className="text-xs text-gray-600">
+          {doc.word_count?.toLocaleString('de-DE') || 0} Wörter ·{' '}
+          <span className="text-red-600">{failed.length} Findings</span> ·{' '}
+          <span className="text-green-600">{passed.length} OK</span>
+        </div>
+      </div>
+      {doc.url && (
+        <a href={doc.url} target="_blank" rel="noreferrer"
+           className="text-xs text-blue-600 hover:underline break-all">
+          {doc.url}
+        </a>
+      )}
+      <ChecklistView results={[doc]} />
+    </div>
+  )
+}
+
+function AgbWiderrufTab({ docs }: { docs: Record<string, any> }) {
+  const agb = docs['agb'] || docs['nutzungsbedingungen']
+  const wid = docs['widerruf']
+  return (
+    <div className="space-y-6">
+      <div>
+        <h3 className="text-sm font-semibold mb-2">AGB / Nutzungsbedingungen</h3>
+        {agb ? <ChecklistView results={[agb]} /> : <Empty label="AGB" inline />}
+      </div>
+      <div>
+        <h3 className="text-sm font-semibold mb-2">Widerrufsbelehrung</h3>
+        {wid ? <ChecklistView results={[wid]} /> : <Empty label="Widerruf" inline />}
+      </div>
+    </div>
+  )
+}
+
+function BannerTab({ banner }: { banner: any }) {
+  if (!banner || Object.keys(banner).length === 0) return <Empty label="Cookie-Banner" />
+  const phases = banner.phases || {}
+  const violations = banner.banner_checks?.violations || []
+  return (
+    <div className="space-y-3">
+      <div className="text-xs text-gray-700">
+        Banner erkannt: <strong>{banner.banner_detected ? 'Ja' : 'Nein'}</strong> ·{' '}
+        Provider: <strong>{banner.banner_provider || '—'}</strong> ·{' '}
+        Verstöße: <strong>{violations.length}</strong>
+      </div>
+      {violations.length > 0 && (
+        <div className="border border-red-200 bg-red-50 rounded p-3">
+          <div className="text-xs font-semibold text-red-800 mb-2">Verstöße</div>
+          <ul className="text-xs text-red-900 space-y-1">
+            {violations.map((v: any, i: number) => (
+              <li key={i}>• {v.label || v.message || JSON.stringify(v)}</li>
+            ))}
+          </ul>
+        </div>
+      )}
+      <div className="grid grid-cols-3 gap-2">
+        {Object.entries(phases).map(([name, ph]: [string, any]) => (
+          <div key={name} className="border border-gray-200 rounded p-2">
+            <div className="text-[10px] uppercase text-gray-500">{name}</div>
+            <div className="text-xs mt-1">
+              Cookies: <strong>{ph.cookies?.length || 0}</strong>
+            </div>
+            <div className="text-xs">
+              Vendors: <strong>{ph.vendors?.length || 0}</strong>
+            </div>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+
+function MailPreviewTab({ results }: { results: any }) {
+  return (
+    <div className="text-xs text-gray-600 space-y-2">
+      <p>
+        Die vollständige Mail wurde {results.email_status === 'sent' ? 'gesendet' : 'erstellt'}.
+        Snapshot-ID:{' '}
+        <code className="bg-gray-100 px-1.5 py-0.5 rounded">{results.check_id || '—'}</code>
+      </p>
+      {results.check_id && (
+        <a
+          href={`/api/compliance/agent/snapshots/${results.check_id}/pdf`}
+          target="_blank" rel="noreferrer"
+          className="inline-block text-purple-600 hover:underline"
+        >
+          → PDF der Mail herunterladen
+        </a>
+      )}
+    </div>
+  )
+}
+
+function Empty({ label, inline }: { label: string; inline?: boolean }) {
+  return (
+    <div className={`text-xs text-gray-500 ${inline ? '' : 'py-8 text-center'}`}>
+      Keine Daten für „{label}" in diesem Lauf.
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/_agentTypes.ts

@@ -0,0 +1,153 @@
+// Shared types for the agent-test UI.
+//
+// SourceType-Mapping zur Methodik-Anzeige:
+//   mc / regex          → "Machine-Check (deterministisch)"
+//   kb_faq              → "Knowledge-Base (kuratiert)"
+//   llm_local           → "Lokales LLM (qwen2.5:7b)"
+//   llm_local_big       → "Externes LLM (OVH 120b)"
+//   llm_cloud           → "Cloud-LLM (Claude, anonymisiert)"
+//   cross               → "Cross-Doc-Vergleich"
+
+export type Severity = 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO'
+
+export type SourceType =
+  | 'mc'
+  | 'regex'
+  | 'kb_faq'
+  | 'llm_local'
+  | 'llm_local_big'
+  | 'llm_cloud'
+  | 'cross'
+
+export interface EvidenceSource {
+  source_type: SourceType
+  source_id: string
+  detail?: string
+  confidence?: number
+}
+
+export interface Finding {
+  check_id: string
+  agent: string
+  agent_version: string
+  field_id?: string
+  severity: Severity
+  severity_reason?: string
+  title: string
+  norm?: string
+  evidence?: string
+  action?: string
+  confidence?: number
+  sources?: EvidenceSource[]
+}
+
+export interface Recommendation {
+  recommendation_id: string
+  title: string
+  body: string
+  severity: Severity
+  related_finding_ids: string[]
+  estimated_effort_hours: number
+}
+
+export interface McCoverage {
+  mc_id: string
+  status: 'ok' | 'na' | 'high' | 'medium' | 'low' | 'skipped'
+  reason?: string
+}
+
+export interface EscalationLog {
+  stage: SourceType
+  model: string
+  duration_ms: number
+  tokens_in?: number
+  tokens_out?: number
+  success: boolean
+  error?: string
+}
+
+export interface SlotOutput {
+  agent: string
+  agent_version: string
+  findings: Finding[]
+  recommendations: Recommendation[]
+  mc_coverage: McCoverage[]
+  escalation_log: EscalationLog[]
+  mc_total: number
+  mc_ok: number
+  mc_na: number
+  mc_high: number
+  mc_medium: number
+  mc_low: number
+  duration_ms: number
+  confidence: number
+  notes?: string
+}
+
+export interface AgentInfo {
+  agent_id: string
+  agent_version: string
+  doc_type: string
+  mc_count: number
+}
+
+export interface RunResult {
+  run_id: string
+  agent_id: string
+  finished: boolean
+  results: Record<string, SlotOutput>
+  vault_url: string
+}
+
+export interface StreamEvent {
+  type: string
+  slot?: string
+  [key: string]: any
+}
+
+// ── Methodik-Labels für die Source-Type-Badge ───────────────────────
+
+export const METHODIK_LABEL: Record<SourceType, string> = {
+  mc: 'Machine-Check (deterministisch)',
+  regex: 'Pattern-Match (deterministisch)',
+  kb_faq: 'Knowledge-Base (kuratiert)',
+  llm_local: 'Lokales LLM (qwen2.5:7b)',
+  llm_local_big: 'Externes LLM (OVH 120b)',
+  llm_cloud: 'Cloud-LLM (anonymisiert)',
+  cross: 'Cross-Doc-Vergleich',
+}
+
+export const METHODIK_SHORT: Record<SourceType, string> = {
+  mc: 'MC',
+  regex: 'Regex',
+  kb_faq: 'KB',
+  llm_local: 'LLM',
+  llm_local_big: 'LLM⁺',
+  llm_cloud: 'Claude',
+  cross: 'Cross',
+}
+
+// Background/foreground colors für die Methodik-Badge.
+export const METHODIK_COLOR: Record<SourceType, { bg: string; fg: string }> = {
+  mc:            { bg: '#e0e7ff', fg: '#3730a3' },
+  regex:         { bg: '#e0e7ff', fg: '#3730a3' },
+  kb_faq:        { bg: '#fef3c7', fg: '#92400e' },
+  llm_local:     { bg: '#dcfce7', fg: '#166534' },
+  llm_local_big: { bg: '#bbf7d0', fg: '#14532d' },
+  llm_cloud:     { bg: '#fce7f3', fg: '#9d174d' },
+  cross:         { bg: '#fed7aa', fg: '#9a3412' },
+}
+
+export const SEVERITY_COLOR: Record<Severity, string> = {
+  HIGH: '#dc2626',
+  MEDIUM: '#f59e0b',
+  LOW: '#3b82f6',
+  INFO: '#64748b',
+}
+
+export const SEVERITY_BG: Record<Severity, string> = {
+  HIGH: '#fef2f2',
+  MEDIUM: '#fffbeb',
+  LOW: '#eff6ff',
+  INFO: '#f8fafc',
+}

admin-compliance/app/sdk/agent/_components/_compliance_storage.ts

@@ -0,0 +1,86 @@
+/**
+ * Storage-Helfer für ComplianceCheckTab.
+ *
+ * Extrahiert aus ComplianceCheckTab.tsx (P11-Tech-Debt-Sprint) damit
+ * die zentrale UI unter der 500-LOC-Hard-Cap bleibt.
+ */
+
+import { DOCUMENT_TYPES, type DocTypeId } from './_document_types'
+
+export const STORAGE_KEY_STATE = 'compliance-check-state'
+export const STORAGE_KEY_RESULTS = 'compliance-check-results'
+export const STORAGE_KEY_HISTORY = 'compliance-check-history'
+export const STORAGE_KEY_CHECK_ID = 'compliance-check-active-id'
+
+export interface DocState {
+  url: string
+  text: string
+  loading: boolean
+  error: string | null
+}
+
+export type DocsState = Record<DocTypeId, DocState>
+
+export interface HistoryEntry {
+  date: string
+  docCount: number
+  findings: number
+  resultKey: string
+  checkId?: string
+}
+
+export function emptyDocState(): DocState {
+  return { url: '', text: '', loading: false, error: null }
+}
+
+export function initState(): DocsState {
+  if (typeof window === 'undefined') {
+    return Object.fromEntries(
+      DOCUMENT_TYPES.map(d => [d.id, emptyDocState()]),
+    ) as DocsState
+  }
+  try {
+    const saved = localStorage.getItem(STORAGE_KEY_STATE)
+    if (saved) {
+      const parsed = JSON.parse(saved) as Record<
+        string, { url?: string; text?: string }
+      >
+      return Object.fromEntries(
+        DOCUMENT_TYPES.map(d => [d.id, {
+          url: parsed[d.id]?.url || '',
+          text: parsed[d.id]?.text || '',
+          loading: false,
+          error: null,
+        }]),
+      ) as DocsState
+    }
+  } catch { /* ignore */ }
+  return Object.fromEntries(
+    DOCUMENT_TYPES.map(d => [d.id, emptyDocState()]),
+  ) as DocsState
+}
+
+export function readResultsFromStorage(): unknown | null {
+  if (typeof window === 'undefined') return null
+  try {
+    const s = localStorage.getItem(STORAGE_KEY_RESULTS)
+    return s ? JSON.parse(s) : null
+  } catch { return null }
+}
+
+export function readHistoryFromStorage(): HistoryEntry[] {
+  if (typeof window === 'undefined') return []
+  try {
+    return JSON.parse(localStorage.getItem(STORAGE_KEY_HISTORY) || '[]')
+  } catch { return [] }
+}
+
+export function readActiveCheckId(): string {
+  if (typeof window === 'undefined') return ''
+  return localStorage.getItem(STORAGE_KEY_CHECK_ID) || ''
+}
+
+export function countWords(text: string): number {
+  if (!text.trim()) return 0
+  return text.trim().split(/\s+/).length
+}

admin-compliance/app/sdk/agent/_components/_document_types.ts

@@ -0,0 +1,21 @@
+/**
+ * DOCUMENT_TYPES — canonical compliance-doc taxonomy for the
+ * /sdk/agent ComplianceCheckTab form.
+ *
+ * Each entry maps to a doc_type that the backend Phase-A discovery /
+ * Phase-B per-doc-check pipeline recognises.
+ */
+
+export const DOCUMENT_TYPES = [
+  { id: 'dse', label: 'DSI (Datenschutzinformation)', required: true },
+  { id: 'impressum', label: 'Impressum', required: true },
+  { id: 'social_media', label: 'Social Media DSE', required: false },
+  { id: 'cookie', label: 'Cookie-Richtlinie', required: false },
+  { id: 'agb', label: 'AGB', required: false },
+  { id: 'nutzungsbedingungen', label: 'Nutzungsbedingungen', required: false },
+  { id: 'widerruf', label: 'Widerrufsbelehrung', required: false },
+  { id: 'dsb', label: 'DSB-Kontakt', required: false },
+  { id: 'news', label: 'Blog/Newsroom (für § 18 MStV)', required: false },
+] as const
+
+export type DocTypeId = typeof DOCUMENT_TYPES[number]['id']

admin-compliance/app/sdk/agent/_components/_useCompanyOrigin.ts

@@ -0,0 +1,40 @@
+/**
+ * Custom hook: persistente Firmenname + Origin-Domain für die
+ * ComplianceCheckTab-Form. Priorisierte Werte vor der LLM-basierten
+ * extracted_profile-Inferenz.
+ */
+
+import { useEffect, useState } from 'react'
+
+const STORAGE_KEY_COMPANY = 'compliance-check-company-name'
+const STORAGE_KEY_DOMAIN = 'compliance-check-origin-domain'
+
+
+function readInitial(key: string): string {
+  if (typeof window === 'undefined') return ''
+  return localStorage.getItem(key) || ''
+}
+
+
+export function useCompanyOrigin() {
+  const [companyName, setCompanyName] = useState<string>(
+    () => readInitial(STORAGE_KEY_COMPANY),
+  )
+  const [originDomain, setOriginDomain] = useState<string>(
+    () => readInitial(STORAGE_KEY_DOMAIN),
+  )
+
+  useEffect(() => {
+    try {
+      localStorage.setItem(STORAGE_KEY_COMPANY, companyName)
+    } catch { /* quota */ }
+  }, [companyName])
+
+  useEffect(() => {
+    try {
+      localStorage.setItem(STORAGE_KEY_DOMAIN, originDomain)
+    } catch { /* quota */ }
+  }, [originDomain])
+
+  return { companyName, setCompanyName, originDomain, setOriginDomain }
+}

admin-compliance/app/sdk/agent/_components/_useCompliancePolling.ts

@@ -0,0 +1,83 @@
+/**
+ * Custom hook: resume-polling für eine laufende Compliance-Check-Pruefung.
+ *
+ * Beim Mount: wenn localStorage eine `STORAGE_KEY_CHECK_ID` enthaelt aber
+ * noch kein Result da ist, pollt der Hook alle 3s den Status. Setzt
+ * Result, Progress, Error oder cleared den active-check-id beim
+ * Abschluss.
+ */
+
+import { useEffect } from 'react'
+import {
+  STORAGE_KEY_CHECK_ID, STORAGE_KEY_RESULTS,
+} from './_compliance_storage'
+
+interface ResumePollingArgs {
+  activeCheckId: string
+  results: unknown | null
+  setLoading: (b: boolean) => void
+  setProgress: (s: string) => void
+  setProgressPct: (n: number) => void
+  setResults: (r: unknown) => void
+  setActiveCheckId: (s: string) => void
+  setError: (s: string | null) => void
+}
+
+export function useCompliancePollingResume({
+  activeCheckId, results, setLoading, setProgress, setProgressPct,
+  setResults, setActiveCheckId, setError,
+}: ResumePollingArgs) {
+  useEffect(() => {
+    if (!activeCheckId || results) return
+    let cancelled = false
+    setLoading(true)
+    setProgress('Pruefung laeuft noch...')
+    const poll = async () => {
+      while (!cancelled) {
+        await new Promise(r => setTimeout(r, 3000))
+        try {
+          const res = await fetch(
+            `/api/sdk/v1/agent/compliance-check?check_id=${activeCheckId}`,
+          )
+          if (!res.ok) continue
+          const data = await res.json()
+          if (data.progress) setProgress(data.progress)
+          if (typeof data.progress_pct === 'number') {
+            setProgressPct(data.progress_pct)
+          }
+          if (data.status === 'completed' && data.result) {
+            setResults(data.result)
+            setProgress('')
+            setProgressPct(0)
+            setLoading(false)
+            localStorage.setItem(
+              STORAGE_KEY_RESULTS, JSON.stringify(data.result),
+            )
+            localStorage.removeItem(STORAGE_KEY_CHECK_ID)
+            setActiveCheckId('')
+            return
+          }
+          if (['failed', 'not_found', 'skipped_tdm'].includes(data.status)) {
+            if (data.status !== 'not_found') {
+              setError(
+                data.error
+                || (data.status === 'skipped_tdm'
+                    ? 'TDM-Vorbehalt erkannt — Crawl uebersprungen'
+                    : 'Pruefung fehlgeschlagen'),
+              )
+            }
+            setProgress('')
+            setProgressPct(0)
+            setLoading(false)
+            localStorage.removeItem(STORAGE_KEY_CHECK_ID)
+            setActiveCheckId('')
+            return
+          }
+        } catch { /* retry */ }
+      }
+    }
+    poll()
+    return () => { cancelled = true }
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [])
+}

admin-compliance/app/sdk/agent/_components/storageHelpers.ts

@@ -0,0 +1,71 @@
+/**
+ * P47 — localStorage-Quota-Management.
+ *
+ * Wenn alte Compliance-Check-Ergebnisse den Browser-Storage fuellen,
+ * versucht das setItem mit QuotaExceededError zu fangen, prunet
+ * alte doc-check-result-*-Eintraege (oldest first) und retried.
+ *
+ * Wird von DocCheckTab/BannerCheckTab/etc beim Persistieren der
+ * Result-Bloebs benutzt.
+ */
+
+const RESULT_KEY_PREFIX = 'doc-check-result-'
+const MAX_KEEP = 10  // Maximal 10 alte Result-Bloebs behalten.
+
+export function safeSetItem(key: string, value: string): boolean {
+  try {
+    localStorage.setItem(key, value)
+    return true
+  } catch (err: any) {
+    if (err?.name !== 'QuotaExceededError'
+        && err?.code !== 22 && err?.code !== 1014) {
+      console.warn('localStorage setItem failed:', err)
+      return false
+    }
+    pruneOldResults()
+    try {
+      localStorage.setItem(key, value)
+      return true
+    } catch {
+      // Pruning hat nicht gereicht — aggressiver pruefen
+      pruneOldResults(0)
+      try {
+        localStorage.setItem(key, value)
+        return true
+      } catch {
+        console.warn('localStorage immer noch voll, wert wird verworfen')
+        return false
+      }
+    }
+  }
+}
+
+function pruneOldResults(keep: number = MAX_KEEP): void {
+  try {
+    const keys: { key: string; ts: number }[] = []
+    for (let i = 0; i < localStorage.length; i++) {
+      const k = localStorage.key(i)
+      if (!k || !k.startsWith(RESULT_KEY_PREFIX)) continue
+      const ts = Number(k.slice(RESULT_KEY_PREFIX.length)) || 0
+      keys.push({ key: k, ts })
+    }
+    keys.sort((a, b) => a.ts - b.ts)  // oldest first
+    const toRemove = keys.slice(0, Math.max(0, keys.length - keep))
+    for (const k of toRemove) {
+      try { localStorage.removeItem(k.key) } catch {}
+    }
+  } catch {}
+}
+
+export function getStorageUsageMB(): number {
+  let bytes = 0
+  try {
+    for (let i = 0; i < localStorage.length; i++) {
+      const k = localStorage.key(i)
+      if (!k) continue
+      const v = localStorage.getItem(k) || ''
+      bytes += k.length + v.length
+    }
+  } catch {}
+  return bytes / (1024 * 1024)
+}

admin-compliance/app/sdk/agent/page.tsx

@@ -5,13 +5,15 @@ import { ScanResult } from './_components/ScanResult'
 import { ComplianceCheckTab } from './_components/ComplianceCheckTab'
 import { BannerCheckTab } from './_components/BannerCheckTab'
 import { ComplianceFAQ } from './_components/ComplianceFAQ'
+import { AgentTestTab } from './_components/AgentTestTab'
 
-type AnalysisTab = 'scan' | 'compliance-check' | 'banner-check'
+type AnalysisTab = 'scan' | 'compliance-check' | 'banner-check' | 'agent-test'
 
 const TABS: { id: AnalysisTab; label: string; desc: string }[] = [
   { id: 'scan', label: 'Website-Scan', desc: 'Rechtliche Dokumente finden + Dienstleister erkennen' },
   { id: 'compliance-check', label: 'Compliance-Check', desc: 'Alle rechtlichen Dokumente zusammen pruefen' },
   { id: 'banner-check', label: 'Banner-Check', desc: 'Cookie-Banner auf DSGVO-Konformitaet testen' },
+  { id: 'agent-test', label: 'Agent-Test', desc: 'Specialist-Agent gegen 5 URLs isoliert testen' },
 ]
 
 export default function AgentPage() {
@@ -186,6 +188,7 @@ export default function AgentPage() {
 
       {tab === 'compliance-check' && <ComplianceCheckTab />}
       {tab === 'banner-check' && <BannerCheckTab />}
+      {tab === 'agent-test' && <AgentTestTab />}
 
       <ComplianceFAQ />
     </div>

admin-compliance/app/sdk/ai-act/page.tsx

@@ -362,6 +362,16 @@ export default function AIActPage() {
         )}
       </StepHeader>
 
+      <div className="px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
+        <span className="font-semibold">Quellen &amp; Lizenz:</span>
+        <span>
+          Inhalte gemaess <strong>EU-Verordnung 2024/1689 (KI-Verordnung / AI Act)</strong> —
+          Lizenzregel R1 (EU_LAW, woertlich uebernehmbar).
+          Risiko-Klassifizierungslogik basiert auf Anhang III der Verordnung.{' '}
+          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
+        </span>
+      </div>
+
       {/* Tabs */}
       <div className="flex items-center gap-1 bg-gray-100 p-1 rounded-lg w-fit">
         {TABS.map(tab => (

admin-compliance/app/sdk/atomic-controls/page.tsx

@@ -13,6 +13,7 @@ import {
   CATEGORY_OPTIONS,
 } from '../control-library/components/helpers'
 import { ControlDetail } from '../control-library/components/ControlDetail'
+import { SourceBadge } from '@/components/sdk/SourceBadge'
 
 // =============================================================================
 // TYPES
@@ -310,6 +311,7 @@ export default function AtomicControlsPage() {
                     <TargetAudienceBadge audience={ctrl.target_audience} />
                     <GenerationStrategyBadge strategy={ctrl.generation_strategy} pipelineInfo={ctrl} />
                     <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
+                    <SourceBadge controlUuid={ctrl.id} compact />
                   </div>
                   <h3 className="text-sm font-medium text-gray-900 group-hover:text-violet-700">{ctrl.title}</h3>
                   <p className="text-xs text-gray-500 mt-1 line-clamp-2">{ctrl.objective}</p>

admin-compliance/app/sdk/audit-checklist/page.tsx

@@ -3,6 +3,7 @@
 import React, { useState } from 'react'
 import { useRouter } from 'next/navigation'
 import { StepHeader, STEP_EXPLANATIONS } from '@/components/sdk/StepHeader'
+import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 import { useAuditChecklist } from './_hooks/useAuditChecklist'
 import { ChecklistItemCard } from './_components/ChecklistItemCard'
 import { LoadingSkeleton } from './_components/LoadingSkeleton'
@@ -89,6 +90,12 @@ export default function AuditChecklistPage() {
         </div>
       </StepHeader>
 
+      <LicenseModuleBanner
+        rule={3}
+        sourceLabel="BreakPilot-Audit-Methodik"
+        detail="Eigene Audit-Checklisten und -Workflows. Zitierte Rechtsquellen (DSGVO/ISO 27001/...) jeweils mit eigener Lizenzregel."
+      />
+
       {error && (
         <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
           <span>{error}</span>

admin-compliance/app/sdk/audit-timeline/_components/BulkDiffPanel.tsx

@@ -0,0 +1,175 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+
+interface BulkDiffStep {
+  from: string
+  from_version: string | null
+  to: string
+  to_version: string | null
+  created_at: string | null
+  kind: 'text' | 'binary'
+  added_lines: number
+  removed_lines: number
+  metadata_diff_fields: string[]
+}
+
+interface BulkDiffResponse {
+  cid_latest: string
+  cid_baseline: string
+  versions: number
+  steps: BulkDiffStep[]
+  totals: {
+    added_lines: number
+    removed_lines: number
+    metadata_fields_changed: number
+    binary_steps: number
+  }
+  note?: string
+}
+
+interface Props {
+  cid: string
+  onClose: () => void
+}
+
+function shorten(cid: string): string {
+  if (cid.length <= 14) return cid
+  return cid.slice(0, 8) + '…' + cid.slice(-6)
+}
+
+export default function BulkDiffPanel({ cid, onClose }: Props) {
+  const [data, setData] = useState<BulkDiffResponse | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => {
+    let cancel = false
+    setLoading(true)
+    setError(null)
+    fetch(`/api/sdk/v1/dsms/documents/${encodeURIComponent(cid)}/bulk-diff`)
+      .then(async (r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`)
+        const json = (await r.json()) as BulkDiffResponse
+        if (!cancel) setData(json)
+      })
+      .catch((e) => {
+        if (!cancel) setError(e?.message || 'Fehler beim Laden')
+      })
+      .finally(() => {
+        if (!cancel) setLoading(false)
+      })
+    return () => {
+      cancel = true
+    }
+  }, [cid])
+
+  return (
+    <div className="border-t border-gray-200 dark:border-gray-700 pt-4 space-y-3">
+      <div className="flex items-center justify-between">
+        <h3 className="text-sm font-semibold text-gray-900 dark:text-white">
+          Aggregierter Diff: V1 → V_latest
+        </h3>
+        <button
+          onClick={onClose}
+          className="text-[11px] text-gray-500 hover:text-gray-700"
+          aria-label="Bulk-Diff schliessen"
+        >
+          Schliessen
+        </button>
+      </div>
+
+      {loading && <div className="text-xs text-gray-500">Bulk-Diff wird berechnet…</div>}
+      {error && <div className="text-xs text-red-600 dark:text-red-400">{error}</div>}
+
+      {!loading && !error && data && (
+        <>
+          <div className="grid grid-cols-2 sm:grid-cols-4 gap-2 text-center">
+            <Stat label="Versionen" value={data.versions} tone="neutral" />
+            <Stat label="Zeilen +" value={data.totals.added_lines} tone="positive" />
+            <Stat label="Zeilen −" value={data.totals.removed_lines} tone="negative" />
+            <Stat label="Metadaten-Felder" value={data.totals.metadata_fields_changed} tone="neutral" />
+          </div>
+
+          {data.totals.binary_steps > 0 && (
+            <div className="text-[11px] text-amber-700 dark:text-amber-400 italic">
+              {data.totals.binary_steps} von {data.steps.length} Schritten binaer — Text-Diff nicht moeglich.
+            </div>
+          )}
+
+          {data.steps.length === 0 ? (
+            <div className="text-xs text-gray-500 italic">{data.note || 'Keine Vorgaengerversion vorhanden.'}</div>
+          ) : (
+            <div className="overflow-x-auto">
+              <table className="w-full text-[11px]">
+                <thead>
+                  <tr className="text-left text-gray-500 border-b border-gray-200 dark:border-gray-700">
+                    <th className="py-1 pr-2 font-medium">Schritt</th>
+                    <th className="py-1 pr-2 font-medium">Datum</th>
+                    <th className="py-1 pr-2 font-medium">Typ</th>
+                    <th className="py-1 pr-2 font-medium text-right">+</th>
+                    <th className="py-1 pr-2 font-medium text-right">−</th>
+                    <th className="py-1 font-medium">Metadaten-Felder</th>
+                  </tr>
+                </thead>
+                <tbody>
+                  {data.steps.map((step, i) => (
+                    <tr key={`${step.from}-${step.to}`} className="border-b border-gray-100 dark:border-gray-800">
+                      <td className="py-1 pr-2 text-gray-700 dark:text-gray-300">
+                        V{step.from_version || '?'} → V{step.to_version || '?'}
+                        <div className="text-[9px] font-mono text-gray-400">
+                          {shorten(step.from)} → {shorten(step.to)}
+                        </div>
+                      </td>
+                      <td className="py-1 pr-2 text-gray-500">
+                        {step.created_at ? new Date(step.created_at).toLocaleDateString('de-DE') : '—'}
+                      </td>
+                      <td className="py-1 pr-2">
+                        <span
+                          className={
+                            step.kind === 'binary'
+                              ? 'text-amber-700 dark:text-amber-400'
+                              : 'text-gray-700 dark:text-gray-300'
+                          }
+                        >
+                          {step.kind === 'binary' ? 'binaer' : 'text'}
+                        </span>
+                      </td>
+                      <td className="py-1 pr-2 text-right text-emerald-700 dark:text-emerald-400">
+                        {step.kind === 'binary' ? '—' : step.added_lines}
+                      </td>
+                      <td className="py-1 pr-2 text-right text-red-700 dark:text-red-400">
+                        {step.kind === 'binary' ? '—' : step.removed_lines}
+                      </td>
+                      <td className="py-1 text-gray-600 dark:text-gray-400">
+                        {step.metadata_diff_fields.length === 0
+                          ? '—'
+                          : step.metadata_diff_fields.slice(0, 3).join(', ') +
+                            (step.metadata_diff_fields.length > 3 ? ` (+${step.metadata_diff_fields.length - 3})` : '')}
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  )
+}
+
+function Stat({ label, value, tone }: { label: string; value: number; tone: 'positive' | 'negative' | 'neutral' }) {
+  const color =
+    tone === 'positive'
+      ? 'text-emerald-700 dark:text-emerald-400'
+      : tone === 'negative'
+        ? 'text-red-700 dark:text-red-400'
+        : 'text-gray-800 dark:text-gray-200'
+  return (
+    <div className="bg-gray-50 dark:bg-gray-900/40 rounded p-2 border border-gray-200 dark:border-gray-700">
+      <div className={`text-base font-semibold ${color}`}>{value.toLocaleString('de-DE')}</div>
+      <div className="text-[10px] uppercase tracking-wide text-gray-500">{label}</div>
+    </div>
+  )
+}

admin-compliance/app/sdk/audit-timeline/_components/CIDHistoryModal.tsx

@@ -0,0 +1,222 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+import BulkDiffPanel from './BulkDiffPanel'
+
+interface HistoryEntry {
+  cid: string
+  version: string | null
+  document_type: string | null
+  document_id: string | null
+  parent_cid: string | null
+  created_at: string | null
+  checksum: string | null
+}
+
+interface DiffResponse {
+  kind: 'text' | 'binary'
+  cid_a: string
+  cid_b: string
+  metadata_diff: Record<string, { old: unknown; new: unknown }>
+  diff?: string
+  added_lines?: number
+  removed_lines?: number
+  note?: string
+}
+
+interface Props {
+  cid: string
+  onClose: () => void
+}
+
+function shorten(cid: string): string {
+  if (cid.length <= 14) return cid
+  return cid.slice(0, 8) + '…' + cid.slice(-6)
+}
+
+export default function CIDHistoryModal({ cid, onClose }: Props) {
+  const [history, setHistory] = useState<HistoryEntry[]>([])
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+  const [diffPair, setDiffPair] = useState<{ a: string; b: string } | null>(null)
+  const [diff, setDiff] = useState<DiffResponse | null>(null)
+  const [diffLoading, setDiffLoading] = useState(false)
+  const [showBulkDiff, setShowBulkDiff] = useState(false)
+
+  useEffect(() => {
+    let cancel = false
+    setLoading(true)
+    setError(null)
+    fetch(`/api/sdk/v1/dsms/documents/${encodeURIComponent(cid)}/history`)
+      .then(async (r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`)
+        const json = await r.json()
+        if (!cancel) setHistory(json.history || [])
+      })
+      .catch((e) => {
+        if (!cancel) setError(e?.message || 'Fehler beim Laden')
+      })
+      .finally(() => {
+        if (!cancel) setLoading(false)
+      })
+    return () => {
+      cancel = true
+    }
+  }, [cid])
+
+  async function loadDiff(a: string, b: string) {
+    setDiffPair({ a, b })
+    setDiff(null)
+    setDiffLoading(true)
+    try {
+      const res = await fetch(
+        `/api/sdk/v1/dsms/documents/${encodeURIComponent(a)}/diff/${encodeURIComponent(b)}`
+      )
+      if (res.ok) {
+        const json = (await res.json()) as DiffResponse
+        setDiff(json)
+      } else {
+        setDiff({ kind: 'binary', cid_a: a, cid_b: b, metadata_diff: {}, note: `HTTP ${res.status}` })
+      }
+    } finally {
+      setDiffLoading(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/40 p-4" onClick={onClose}>
+      <div
+        className="w-full max-w-3xl max-h-[90vh] overflow-hidden flex flex-col bg-white dark:bg-gray-800 rounded-xl shadow-xl"
+        onClick={(e) => e.stopPropagation()}
+      >
+        <div className="flex items-center justify-between px-5 py-3 border-b border-gray-200 dark:border-gray-700">
+          <div>
+            <h2 className="text-sm font-semibold text-gray-900 dark:text-white">DSMS-Versionsverlauf</h2>
+            <code className="text-[10px] font-mono text-gray-500 dark:text-gray-400">{shorten(cid)}</code>
+          </div>
+          <button onClick={onClose} className="text-gray-500 hover:text-gray-700 dark:text-gray-400 text-sm">
+            Schliessen
+          </button>
+        </div>
+
+        <div className="flex-1 overflow-y-auto p-5 space-y-4">
+          {loading && <div className="text-sm text-gray-500">Verlauf wird geladen…</div>}
+          {error && <div className="text-sm text-red-600 dark:text-red-400">{error}</div>}
+
+          {!loading && !error && history.length === 0 && (
+            <div className="text-sm text-gray-500 italic">
+              Kein Versionsverlauf gefunden. Diese CID hat keine parent_cid-Kette.
+            </div>
+          )}
+
+          {!loading && !error && history.length > 0 && (
+            <>
+              <div className="flex items-center justify-between gap-3 flex-wrap">
+                <div className="text-xs text-gray-500 dark:text-gray-400">
+                  {history.length} Version{history.length > 1 ? 'en' : ''} in der Kette (neueste oben).
+                </div>
+                {history.length > 1 && (
+                  <button
+                    onClick={() => setShowBulkDiff((v) => !v)}
+                    className="text-[11px] px-2 py-1 rounded border border-purple-300 text-purple-700 hover:bg-purple-50 dark:border-purple-700 dark:text-purple-300 dark:hover:bg-purple-900/30"
+                    title="Aggregierter Diff ueber alle Versionen"
+                  >
+                    {showBulkDiff ? 'Bulk-Diff ausblenden' : `Bulk-Diff V1 → V${history[0].version || '?'} anzeigen`}
+                  </button>
+                )}
+              </div>
+
+              {showBulkDiff && <BulkDiffPanel cid={cid} onClose={() => setShowBulkDiff(false)} />}
+              <ol className="relative border-l-2 border-emerald-500/40 pl-4 space-y-3">
+                {history.map((entry, idx) => {
+                  const next = history[idx + 1]
+                  return (
+                    <li key={entry.cid} className="relative">
+                      <div className="absolute -left-[1.4rem] top-1.5 w-3 h-3 rounded-full bg-emerald-500 ring-2 ring-white dark:ring-gray-800" />
+                      <div className="bg-gray-50 dark:bg-gray-900/40 rounded-lg p-3 border border-gray-200 dark:border-gray-700">
+                        <div className="flex items-center justify-between gap-2">
+                          <div className="min-w-0">
+                            <div className="text-sm font-medium text-gray-900 dark:text-white">
+                              Version {entry.version || '?'} {idx === 0 && <span className="ml-2 text-[10px] text-emerald-600 font-semibold">AKTUELL</span>}
+                            </div>
+                            <code className="text-[10px] font-mono text-gray-500 dark:text-gray-400 break-all">{entry.cid}</code>
+                          </div>
+                          {next && (
+                            <button
+                              onClick={() => loadDiff(next.cid, entry.cid)}
+                              className="shrink-0 text-[11px] text-purple-600 hover:text-purple-800 dark:text-purple-400 hover:underline"
+                              title="Aenderungen zur Vorversion anzeigen"
+                            >
+                              Diff zu V{next.version || '?'}
+                            </button>
+                          )}
+                        </div>
+                        <div className="mt-1 text-[11px] text-gray-500 dark:text-gray-400 flex flex-wrap gap-x-3 gap-y-0.5">
+                          {entry.document_type && <span>Typ: {entry.document_type}</span>}
+                          {entry.document_id && <span>Dok-ID: {entry.document_id}</span>}
+                          {entry.created_at && <span>{new Date(entry.created_at).toLocaleString('de-DE')}</span>}
+                        </div>
+                        {entry.checksum && (
+                          <div className="mt-1 text-[10px] text-gray-400 font-mono">SHA-256: {entry.checksum.slice(0, 16)}…</div>
+                        )}
+                      </div>
+                    </li>
+                  )
+                })}
+              </ol>
+            </>
+          )}
+
+          {diffPair && (
+            <div className="mt-4 border-t border-gray-200 dark:border-gray-700 pt-4 space-y-2">
+              <div className="flex items-center justify-between">
+                <h3 className="text-xs font-semibold text-gray-900 dark:text-white">
+                  Diff: {shorten(diffPair.a)} → {shorten(diffPair.b)}
+                </h3>
+                <button onClick={() => { setDiff(null); setDiffPair(null) }} className="text-[11px] text-gray-500 hover:text-gray-700">
+                  Schliessen
+                </button>
+              </div>
+              {diffLoading && <div className="text-xs text-gray-500">Diff wird geladen…</div>}
+              {!diffLoading && diff && (
+                <>
+                  {Object.keys(diff.metadata_diff || {}).length > 0 && (
+                    <div className="text-xs">
+                      <div className="font-medium text-gray-700 dark:text-gray-300 mb-1">Metadaten-Aenderungen</div>
+                      <table className="w-full">
+                        <tbody>
+                          {Object.entries(diff.metadata_diff).map(([field, { old, new: nv }]) => (
+                            <tr key={field} className="border-b border-gray-100 dark:border-gray-800">
+                              <td className="py-0.5 pr-2 font-mono text-[10px] text-gray-500">{field}</td>
+                              <td className="py-0.5 pr-2 text-red-600 dark:text-red-400 line-through">{JSON.stringify(old)}</td>
+                              <td className="py-0.5 text-green-700 dark:text-green-400">{JSON.stringify(nv)}</td>
+                            </tr>
+                          ))}
+                        </tbody>
+                      </table>
+                    </div>
+                  )}
+                  {diff.kind === 'text' && diff.diff && (
+                    <>
+                      <div className="text-[11px] text-gray-500">
+                        {diff.added_lines ?? 0} Zeilen hinzu, {diff.removed_lines ?? 0} entfernt
+                      </div>
+                      <pre className="text-[10px] font-mono whitespace-pre-wrap bg-gray-900 text-gray-100 p-3 rounded max-h-64 overflow-y-auto">
+                        {diff.diff}
+                      </pre>
+                    </>
+                  )}
+                  {diff.kind === 'binary' && (
+                    <div className="text-xs text-amber-700 dark:text-amber-400 italic">
+                      {diff.note || 'Binaere Datei — kein Text-Diff verfuegbar.'}
+                    </div>
+                  )}
+                </>
+              )}
+            </div>
+          )}
+        </div>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/audit-timeline/page.tsx

@@ -1,6 +1,8 @@
 'use client'
 
+import { useState } from 'react'
 import { useAuditTimeline, type AuditEntry } from './_hooks/useAuditTimeline'
+import CIDHistoryModal from './_components/CIDHistoryModal'
 
 const ENTITY_LABELS: Record<string, string> = {
   evidence: 'Nachweis', control: 'Control', document: 'Dokument',
@@ -16,8 +18,24 @@ const ACTION_COLORS: Record<string, string> = {
 
 const FILTER_OPTIONS = ['all', 'evidence', 'dsms_archive', 'control', 'document', 'dsfa', 'vvt', 'tom']
 
+// new_value may be a plain CID (from Python evidence flow) or a JSON envelope
+// {"cid":"X","filename":"...","size":"..."} (from the Go IACE tech-file flow).
+function extractCID(value: string): string {
+  const trimmed = value.trim()
+  if (trimmed.startsWith('{')) {
+    try {
+      const parsed = JSON.parse(trimmed)
+      if (typeof parsed.cid === 'string') return parsed.cid
+    } catch {
+      // fall through
+    }
+  }
+  return trimmed
+}
+
 export default function AuditTimelinePage() {
   const { entries, loading, filter, setFilter } = useAuditTimeline()
+  const [historyCID, setHistoryCID] = useState<string | null>(null)
 
   return (
     <div className="max-w-4xl mx-auto space-y-6">
@@ -58,16 +76,18 @@ export default function AuditTimelinePage() {
 
           <div className="space-y-4">
             {entries.map((entry) => (
-              <TimelineEntry key={entry.id} entry={entry} />
+              <TimelineEntry key={entry.id} entry={entry} onShowHistory={setHistoryCID} />
             ))}
           </div>
         </div>
       )}
+
+      {historyCID && <CIDHistoryModal cid={historyCID} onClose={() => setHistoryCID(null)} />}
     </div>
   )
 }
 
-function TimelineEntry({ entry }: { entry: AuditEntry }) {
+function TimelineEntry({ entry, onShowHistory }: { entry: AuditEntry; onShowHistory: (cid: string) => void }) {
   const dotColor = ACTION_COLORS[entry.action] || 'bg-gray-400'
   const isCID = entry.field_changed === 'dsms_cid' || entry.action === 'archive'
   const date = new Date(entry.performed_at)
@@ -94,7 +114,7 @@ function TimelineEntry({ entry }: { entry: AuditEntry }) {
               <p className="text-xs text-gray-600 dark:text-gray-400 mt-1">{entry.change_summary}</p>
             )}
             {isCID && entry.new_value && (
-              <div className="mt-2 flex items-center gap-2">
+              <div className="mt-2 flex items-center gap-2 flex-wrap">
                 <svg className="w-3.5 h-3.5 text-emerald-600 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor">
                   <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
                 </svg>
@@ -102,6 +122,16 @@ function TimelineEntry({ entry }: { entry: AuditEntry }) {
                   {entry.new_value.length > 20 ? entry.new_value.slice(0, 8) + '...' + entry.new_value.slice(-6) : entry.new_value}
                 </code>
                 <span className="text-[10px] text-emerald-500">DSMS/IPFS</span>
+                <button
+                  onClick={(e) => {
+                    e.stopPropagation()
+                    if (entry.new_value) onShowHistory(extractCID(entry.new_value))
+                  }}
+                  className="text-[10px] text-purple-600 hover:text-purple-800 dark:text-purple-400 underline-offset-2 hover:underline"
+                  title="DSMS-Versionsverlauf und Diff zur Vorversion anzeigen"
+                >
+                  Verlauf anzeigen
+                </button>
               </div>
             )}
           </div>

admin-compliance/app/sdk/benchmark/page.tsx

@@ -0,0 +1,266 @@
+'use client'
+
+/**
+ * P107 — Branchen-Benchmark-Cockpit.
+ *
+ * Multi-Site-Vergleich auf einen Blick. Anonymize-Toggle für Big-4-
+ * Wirtschaftspruefer-Demos.
+ *
+ * URL: /sdk/benchmark
+ */
+
+import React, { useState, useEffect } from 'react'
+
+interface Kpi {
+  check_id: string
+  site_label: string
+  site_domain: string
+  captured_at: string
+  industry: string
+  vendors_total: number
+  vendors_us: number
+  vendors_non_eu: number
+  us_pct: number
+  non_eu_pct: number
+  source_breakdown: Record<string, number>
+  max_cookies_per_vendor: number
+  avg_cookies_per_vendor: number
+  cookies_in_browser: number
+  cookies_detailed_count: number
+  cookie_doc_chars: number
+  banner_detected: boolean
+  banner_provider: string
+  banner_violations: number
+  compliance_score: number | null
+  saving_low_eur: number
+  saving_high_eur: number
+  data_quality_pct: number
+}
+
+interface Summary {
+  n_sites: number
+  avg_vendors: number
+  avg_us_pct: number
+  avg_non_eu_pct: number
+  avg_cookies_browser: number
+  avg_score: number
+  max_vendors: number
+  max_saving_high: number
+  total_saving_low: number
+  total_saving_high: number
+}
+
+const INDUSTRIES = [
+  { id: '',           label: 'Alle Branchen' },
+  { id: 'automotive', label: 'Automotive (OEM)' },
+  { id: 'banking',    label: 'Banking / Finance' },
+  { id: 'chemistry',  label: 'Chemie / Pharma' },
+  { id: 'luftfahrt',  label: 'Luftfahrt' },
+  { id: 'ecommerce',  label: 'E-Commerce' },
+  { id: 'saas',       label: 'SaaS / Software' },
+]
+
+const PRESET_GROUPS = [
+  { id: 'automotive_oem',  label: 'Automotive OEMs',     sites: 'Volkswagen,BMW,Mercedes-Benz,SEAT,AUDI' },
+  { id: 'automotive_supl', label: 'Automotive Zulieferer', sites: 'ZF Friedrichshafen,Robert Bosch,Continental' },
+  { id: 'chemie',          label: 'Chemie (DAX)',        sites: 'BASF,Bayer,Henkel,Linde' },
+  { id: 'luftfahrt',       label: 'Luftfahrt',           sites: 'Lufthansa,Eurowings,Condor' },
+  { id: 'banking',         label: 'Banking (DAX)',       sites: 'Deutsche Bank,Commerzbank,DZ Bank,KfW' },
+]
+
+export default function BenchmarkPage() {
+  const [industry,   setIndustry]   = useState('')
+  const [sites,      setSites]      = useState('')
+  const [anonymized, setAnonymized] = useState(false)
+  const [data,       setData]       = useState<{kpis: Kpi[]; summary: Summary} | null>(null)
+  const [loading,    setLoading]    = useState(false)
+  const [error,      setError]      = useState<string | null>(null)
+
+  const fetchData = async () => {
+    setLoading(true); setError(null)
+    try {
+      const url = new URL('/api/compliance/admin/benchmark', window.location.origin)
+      if (industry) url.searchParams.set('industry', industry)
+      if (sites)    url.searchParams.set('sites', sites)
+      if (anonymized) url.searchParams.set('anonymized', 'true')
+      const r = await fetch(url.toString())
+      if (!r.ok) throw new Error(`HTTP ${r.status}`)
+      setData(await r.json())
+    } catch (e: any) {
+      setError(e.message || String(e))
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  useEffect(() => { fetchData() }, [])
+
+  return (
+    <div className="p-6 max-w-7xl mx-auto">
+      <header className="mb-6">
+        <h1 className="text-2xl font-bold text-gray-900">
+          Branchen-Benchmark-Cockpit
+        </h1>
+        <p className="text-sm text-gray-600 mt-1">
+          DAX-Konzern-Vergleich auf Basis aller bisher gepruefter Sites.
+          Mit Anonymize-Toggle fuer Wirtschaftspruefer-Demos.
+        </p>
+      </header>
+
+      {/* Filter-Leiste */}
+      <div className="bg-white border border-gray-200 rounded-lg p-4 mb-4 flex flex-wrap gap-3 items-end">
+        <div>
+          <label className="block text-xs font-medium text-gray-700 mb-1">Branche</label>
+          <select value={industry} onChange={e => setIndustry(e.target.value)}
+                  className="px-3 py-2 border rounded text-sm">
+            {INDUSTRIES.map(i => <option key={i.id} value={i.id}>{i.label}</option>)}
+          </select>
+        </div>
+        <div className="flex-1 min-w-[300px]">
+          <label className="block text-xs font-medium text-gray-700 mb-1">
+            Sites (komma-getrennt) oder Preset wählen
+          </label>
+          <input value={sites} onChange={e => setSites(e.target.value)}
+                 placeholder="Volkswagen,BMW,Mercedes-Benz"
+                 className="w-full px-3 py-2 border rounded text-sm font-mono" />
+          <div className="flex flex-wrap gap-1 mt-1">
+            {PRESET_GROUPS.map(p => (
+              <button key={p.id} onClick={() => setSites(p.sites)}
+                      className="px-2 py-0.5 text-[10px] bg-gray-100 hover:bg-gray-200 rounded">
+                {p.label}
+              </button>
+            ))}
+          </div>
+        </div>
+        <label className="flex items-center gap-2 text-sm cursor-pointer">
+          <input type="checkbox" checked={anonymized}
+                 onChange={e => setAnonymized(e.target.checked)}
+                 className="rounded" />
+          <span><strong>Anonymisieren</strong> (OEM 1/2/3 statt Hersteller-Namen)</span>
+        </label>
+        <button onClick={fetchData} disabled={loading}
+                className="px-4 py-2 bg-purple-600 text-white rounded font-medium hover:bg-purple-700 disabled:opacity-50">
+          {loading ? 'Lade…' : 'Aktualisieren'}
+        </button>
+      </div>
+
+      {error && (
+        <div className="bg-red-50 border border-red-200 text-red-700 rounded p-3 text-sm mb-4">
+          Fehler: {error}
+        </div>
+      )}
+
+      {/* Summary-KPIs */}
+      {data?.summary && (
+        <div className="grid grid-cols-2 md:grid-cols-5 gap-2 mb-4">
+          <Kpi label="Sites im Vergleich"    value={data.summary.n_sites} />
+          <Kpi label="⌀ Vendors"             value={data.summary.avg_vendors} />
+          <Kpi label="⌀ US-Anteil"           value={`${data.summary.avg_us_pct}%`}
+               tone={data.summary.avg_us_pct > 60 ? 'warn' : 'ok'} />
+          <Kpi label="⌀ Score"               value={data.summary.avg_score || '—'} />
+          <Kpi label="Saving-Potenzial (Σ)"  value={`${Math.round(data.summary.total_saving_high/1000)}k €`}
+               tone="ok" />
+        </div>
+      )}
+
+      {/* Vergleichstabelle */}
+      {data?.kpis && data.kpis.length > 0 ? (
+        <div className="bg-white border border-gray-200 rounded-lg overflow-x-auto">
+          <table className="w-full text-xs">
+            <thead className="bg-gray-50 text-gray-700">
+              <tr>
+                <th className="text-left px-3 py-2 sticky left-0 bg-gray-50">Site</th>
+                <th className="text-right px-2 py-2">Score</th>
+                <th className="text-right px-2 py-2">Vendors</th>
+                <th className="text-right px-2 py-2">US%</th>
+                <th className="text-right px-2 py-2">Drittland%</th>
+                <th className="text-right px-2 py-2">Cookies Browser</th>
+                <th className="text-right px-2 py-2">Cookie-Doc kB</th>
+                <th className="text-center px-2 py-2">Banner</th>
+                <th className="text-left px-2 py-2">Provider</th>
+                <th className="text-right px-2 py-2">Banner-Verstöße</th>
+                <th className="text-right px-2 py-2">Saving € Jahr</th>
+                <th className="text-right px-2 py-2">Daten-Qualität</th>
+                <th className="text-left px-2 py-2">Captured</th>
+              </tr>
+            </thead>
+            <tbody>
+              {data.kpis.map((k, i) => (
+                <tr key={i} className={`border-t hover:bg-gray-50 ${i%2 ? 'bg-gray-50/30' : ''}`}>
+                  <td className="px-3 py-2 font-semibold sticky left-0 bg-inherit">
+                    {k.site_label}
+                    <div className="text-[9px] text-gray-400 font-mono">{k.check_id}</div>
+                  </td>
+                  <td className={`px-2 py-2 text-right ${
+                    !k.compliance_score ? 'text-gray-400' :
+                    k.compliance_score >= 80 ? 'text-green-700' :
+                    k.compliance_score >= 60 ? 'text-amber-700' : 'text-red-700'
+                  }`}>
+                    {k.compliance_score ?? '—'}
+                  </td>
+                  <td className="px-2 py-2 text-right font-mono">{k.vendors_total}</td>
+                  <td className={`px-2 py-2 text-right ${k.us_pct > 60 ? 'text-red-700 font-semibold' : ''}`}>
+                    {k.us_pct}%
+                  </td>
+                  <td className={`px-2 py-2 text-right ${k.non_eu_pct > 70 ? 'text-red-700' : ''}`}>
+                    {k.non_eu_pct}%
+                  </td>
+                  <td className="px-2 py-2 text-right font-mono">{k.cookies_in_browser}</td>
+                  <td className="px-2 py-2 text-right text-gray-500">
+                    {Math.round(k.cookie_doc_chars / 1000)}k
+                  </td>
+                  <td className="px-2 py-2 text-center">{k.banner_detected ? '✓' : '✗'}</td>
+                  <td className="px-2 py-2 text-gray-600">{k.banner_provider || '—'}</td>
+                  <td className={`px-2 py-2 text-right ${k.banner_violations ? 'text-red-700' : 'text-gray-400'}`}>
+                    {k.banner_violations || 0}
+                  </td>
+                  <td className="px-2 py-2 text-right text-green-700 font-mono">
+                    {k.saving_high_eur ? `${(k.saving_high_eur/1000).toFixed(0)}k` : '—'}
+                  </td>
+                  <td className={`px-2 py-2 text-right ${
+                    k.data_quality_pct >= 70 ? 'text-green-700' :
+                    k.data_quality_pct >= 40 ? 'text-amber-700' : 'text-red-700'
+                  }`}>
+                    {k.data_quality_pct}%
+                  </td>
+                  <td className="px-2 py-2 text-[10px] text-gray-500">
+                    {k.captured_at?.substring(0, 16).replace('T', ' ')}
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      ) : !loading && (
+        <div className="bg-gray-50 border border-gray-200 rounded-lg p-8 text-center text-gray-500">
+          Keine Snapshots gefunden — Filter anpassen oder einen Audit-Lauf starten.
+        </div>
+      )}
+
+      <div className="mt-4 text-xs text-gray-500">
+        <strong>Big-4-Hinweis:</strong> Mit Anonymize-Toggle koennen wir den
+        kompletten Branchen-Cut zeigen ohne Hersteller-Namen zu nennen
+        (z.B. "OEM 3 hat 78% US-Vendor-Anteil"). Damit ist die Daten-
+        Hoheit bei BreakPilot und Big 4 sieht den Mehrwert ohne dass
+        Wettbewerber-Vergleiche extern werden.
+      </div>
+    </div>
+  )
+}
+
+function Kpi({ label, value, tone = 'neutral' }: {
+  label: string; value: any; tone?: 'ok' | 'warn' | 'bad' | 'neutral'
+}) {
+  const colors: Record<string, string> = {
+    ok: 'text-green-700 bg-green-50 border-green-200',
+    warn: 'text-amber-700 bg-amber-50 border-amber-200',
+    bad: 'text-red-700 bg-red-50 border-red-200',
+    neutral: 'text-gray-700 bg-white border-gray-200',
+  }
+  return (
+    <div className={`border rounded p-3 ${colors[tone]}`}>
+      <div className="text-[10px] uppercase tracking-wider opacity-70">{label}</div>
+      <div className="text-xl font-bold mt-1">{value}</div>
+    </div>
+  )
+}

admin-compliance/app/sdk/control-library/__tests__/mcMappingLabels.test.ts

@@ -0,0 +1,44 @@
+import { describe, it, expect } from 'vitest'
+import {
+  USE_CASE_LABELS, MC_VERIFICATION_LABELS, useCaseLabel, mcVerificationLabel,
+} from '../components/mcMappingLabels'
+
+describe('useCaseLabel', () => {
+  it('maps known use-case keys to German labels', () => {
+    expect(useCaseLabel('impressum')).toBe('Impressum')
+    expect(useCaseLabel('cookie_banner')).toBe('Cookie-Banner')
+    expect(useCaseLabel('code_security')).toBe('Code Security')
+    expect(useCaseLabel('dse')).toBe('Datenschutzerklärung')
+  })
+
+  it('humanizes an unknown key instead of showing the raw slug', () => {
+    expect(useCaseLabel('brand_new_thing')).toBe('Brand New Thing')
+  })
+})
+
+describe('mcVerificationLabel', () => {
+  it('maps the master-control verification methods', () => {
+    expect(mcVerificationLabel('source_code')).toBe('Source Code')
+    expect(mcVerificationLabel('it_process')).toBe('IT-Prozess')
+    expect(mcVerificationLabel('network')).toBe('Netzwerk/Infra')
+    expect(mcVerificationLabel('document')).toBe('Dokument')
+  })
+
+  it('humanizes an unknown method', () => {
+    expect(mcVerificationLabel('telepathy')).toBe('Telepathy')
+  })
+})
+
+describe('label coverage', () => {
+  it('labels the security/code use cases (>=50% code+process focus)', () => {
+    for (const k of ['code_security', 'network_security', 'cra', 'isms', 'tisax']) {
+      expect(USE_CASE_LABELS[k]).toBeTruthy()
+    }
+  })
+
+  it('covers every master-control verification method', () => {
+    for (const m of ['document', 'source_code', 'network', 'it_process', 'hybrid', 'manual']) {
+      expect(MC_VERIFICATION_LABELS[m]).toBeTruthy()
+    }
+  })
+})

admin-compliance/app/sdk/control-library/components/ControlListView.tsx

@@ -12,6 +12,7 @@ import {
   VERIFICATION_METHODS, CATEGORY_OPTIONS, EVIDENCE_TYPE_OPTIONS,
 } from './helpers'
 import { ControlsMeta } from './useControlLibraryState'
+import { useCaseLabel, mcVerificationLabel } from './mcMappingLabels'
 import { GeneratorModal } from './GeneratorModal'
 
 interface ControlListViewProps {
@@ -34,6 +35,10 @@ interface ControlListViewProps {
   domainFilter: string
   stateFilter: string
   verificationFilter: string
+  useCaseFilter: string
+  primaryOnly: boolean
+  regulationFilter: string
+  mappedFilter: string
   categoryFilter: string
   evidenceTypeFilter: string
   audienceFilter: string
@@ -46,6 +51,10 @@ interface ControlListViewProps {
   setDomainFilter: (v: string) => void
   setStateFilter: (v: string) => void
   setVerificationFilter: (v: string) => void
+  setUseCaseFilter: (v: string) => void
+  setPrimaryOnly: (v: boolean) => void
+  setRegulationFilter: (v: string) => void
+  setMappedFilter: (v: string) => void
   setCategoryFilter: (v: string) => void
   setEvidenceTypeFilter: (v: string) => void
   setAudienceFilter: (v: string) => void
@@ -71,10 +80,12 @@ export function ControlListView({
   reviewCount, bulkProcessing, showStats, processedStats,
   showGenerator, currentPage, totalPages, sortBy,
   searchQuery, severityFilter, domainFilter, stateFilter,
-  verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter,
+  verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter,
+  categoryFilter, evidenceTypeFilter, audienceFilter,
   sourceFilter, typeFilter, hideDuplicates,
   setSearchQuery, setSeverityFilter, setDomainFilter, setStateFilter,
-  setVerificationFilter, setCategoryFilter, setEvidenceTypeFilter, setAudienceFilter,
+  setVerificationFilter, setUseCaseFilter, setPrimaryOnly, setRegulationFilter, setMappedFilter,
+  setCategoryFilter, setEvidenceTypeFilter, setAudienceFilter,
   setSourceFilter, setTypeFilter, setHideDuplicates, setSortBy,
   setShowStats, setShowGenerator, setCurrentPage,
   onSelectControl, onCreateMode, onEnterReview, onBulkReject, onRefresh, onLoadStats, onFullReload,
@@ -176,18 +187,60 @@ export function ControlListView({
                 className="rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
               Duplikate ausblenden
             </label>
+            {meta?.use_case_counts && (
+              <select value={useCaseFilter} onChange={e => setUseCaseFilter(e.target.value)}
+                className="text-sm border border-purple-300 bg-purple-50 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500 max-w-[260px]">
+                <option value="">Use Case (alle)</option>
+                {Object.entries(meta.use_case_counts).sort((a, b) => b[1] - a[1]).map(([k, c]) => (
+                  <option key={k} value={k}>{useCaseLabel(k)} ({c})</option>
+                ))}
+              </select>
+            )}
+            {meta?.use_case_counts && useCaseFilter && (
+              <label className="flex items-center gap-1.5 text-xs text-gray-600 cursor-pointer whitespace-nowrap"
+                title="Nur Master Controls, deren Primärzweck dieser Use Case ist (blendet über-geclusterte Mehrfachzwecke aus)">
+                <input type="checkbox" checked={primaryOnly} onChange={e => setPrimaryOnly(e.target.checked)}
+                  className="rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                nur Primärzweck
+              </label>
+            )}
+            {meta?.regulations && meta.regulations.length > 0 && (
+              <select value={regulationFilter} onChange={e => setRegulationFilter(e.target.value)}
+                className="text-sm border border-blue-300 bg-blue-50 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500 max-w-[260px]">
+                <option value="">Regulierung (alle)</option>
+                {meta.regulations.map(rg => (
+                  <option key={rg.source_regulation} value={rg.source_regulation}>{rg.source_regulation} ({rg.count})</option>
+                ))}
+              </select>
+            )}
             <select value={verificationFilter} onChange={e => setVerificationFilter(e.target.value)}
               className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
               <option value="">Nachweis</option>
               {Object.entries(VERIFICATION_METHODS).map(([k, v]) => (
                 <option key={k} value={k}>{v.label}{meta?.verification_method_counts?.[k] ? ` (${meta.verification_method_counts[k]})` : ''}</option>
               ))}
+              {Object.keys(meta?.verification_method_counts || {})
+                .filter(k => k !== '__none__' && !(k in VERIFICATION_METHODS))
+                .map(k => (
+                  <option key={k} value={k}>{mcVerificationLabel(k)} ({meta!.verification_method_counts![k]})</option>
+                ))}
               {meta?.verification_method_counts?.['__none__'] ? <option value="__none__">Ohne Nachweis ({meta.verification_method_counts['__none__']})</option> : null}
             </select>
+            {meta?.mapped_total != null && (
+              <select value={mappedFilter} onChange={e => setMappedFilter(e.target.value)}
+                className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
+                <option value="">Coverage: alle</option>
+                <option value="mapped">Zugeordnet ({meta.mapped_total})</option>
+                <option value="unmapped">Offen ({meta.unmapped_count ?? 0})</option>
+              </select>
+            )}
             <select value={categoryFilter} onChange={e => setCategoryFilter(e.target.value)}
               className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500">
               <option value="">Kategorie</option>
               {CATEGORY_OPTIONS.map(c => <option key={c.value} value={c.value}>{c.label}{meta?.category_counts?.[c.value] ? ` (${meta.category_counts[c.value]})` : ''}</option>)}
+              {Object.keys(meta?.category_counts || {})
+                .filter(k => k !== '__none__' && !CATEGORY_OPTIONS.some(c => c.value === k))
+                .map(k => <option key={k} value={k}>{k} ({meta!.category_counts![k]})</option>)}
               {meta?.category_counts?.['__none__'] ? <option value="__none__">Ohne Kategorie ({meta.category_counts['__none__']})</option> : null}
             </select>
             <select value={evidenceTypeFilter} onChange={e => setEvidenceTypeFilter(e.target.value)}

admin-compliance/app/sdk/control-library/components/helpers.tsx

@@ -232,14 +232,25 @@ export function StateBadge({ state }: { state: string }) {
 
 export function LicenseRuleBadge({ rule }: { rule: number | null | undefined }) {
   if (!rule) return null
-  const config: Record<number, { bg: string; label: string }> = {
-    1: { bg: 'bg-green-100 text-green-700', label: 'Free Use' },
-    2: { bg: 'bg-blue-100 text-blue-700', label: 'Zitation' },
-    3: { bg: 'bg-amber-100 text-amber-700', label: 'Reformuliert' },
+  // Corrected labels per Task #21 LICENSE_RULES.md mapping:
+  // R1 = woertlich (Hoheitsrecht/Public Domain, no attribution required)
+  // R2 = woertlich + Attribution-Pflicht (CC-BY, OWASP, OECD, ENISA)
+  // R3 = nur Identifier zitieren (DIN/ANSI/IEC/DGUV/proprietary — pipeline drops full text)
+  const config: Record<number, { bg: string; label: string; title: string }> = {
+    1: { bg: 'bg-emerald-100 text-emerald-800', label: 'R1', title: 'Woertlich uebernehmbar (Hoheitsrecht/Public Domain)' },
+    2: { bg: 'bg-amber-100 text-amber-800', label: 'R2', title: 'Woertlich mit Attribution (CC-BY/OWASP/OECD/ENISA)' },
+    3: { bg: 'bg-slate-100 text-slate-700', label: 'R3', title: 'Nur Identifier-Verweis (DIN/ANSI/IEC/proprietaer)' },
   }
   const c = config[rule]
   if (!c) return null
-  return <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${c.bg}`}>{c.label}</span>
+  return (
+    <span
+      className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${c.bg}`}
+      title={c.title}
+    >
+      {c.label}
+    </span>
+  )
 }
 
 export function VerificationMethodBadge({ method }: { method: string | null }) {

admin-compliance/app/sdk/control-library/components/mcMappingLabels.ts

@@ -0,0 +1,65 @@
+// Display labels for the master-control mapping dimensions (use case +
+// verification method). Keys mirror the backend use_case_registry; an unknown
+// key humanizes gracefully so a newly-seeded use case still renders.
+
+export const USE_CASE_LABELS: Record<string, string> = {
+  impressum: 'Impressum',
+  telekommunikation: 'Telekommunikation (TKG)',
+  dse: 'Datenschutzerklärung',
+  agb: 'AGB',
+  cookie_banner: 'Cookie-Banner',
+  widerruf: 'Widerruf',
+  dsr: 'Betroffenenrechte (DSR)',
+  loeschkonzept: 'Löschkonzept',
+  avv: 'Auftragsverarbeitung (AVV)',
+  dsfa: 'DSFA',
+  code_security: 'Code Security',
+  network_security: 'Network Security',
+  cra: 'Cyber Resilience Act',
+  isms: 'ISMS',
+  tisax: 'TISAX',
+  kritis: 'KRITIS',
+  dora: 'DORA',
+  ai_act: 'AI Act',
+  mica: 'MiCA',
+  mdr: 'Medizinprodukte (MDR)',
+  maschinen: 'Maschinenverordnung',
+  batterie: 'Batterieverordnung',
+  ehds: 'EHDS',
+  produktsicherheit: 'Produktsicherheit',
+  dsa: 'Digital Services Act',
+  dma: 'Digital Markets Act',
+  data_governance: 'Data Governance Act',
+  zahlungsdienste: 'Zahlungsdienste (PSD2)',
+  geldwaesche: 'Geldwäsche (GwG)',
+  lieferkette: 'Lieferkettengesetz',
+  whistleblowing: 'Whistleblowing',
+  barrierefreiheit: 'Barrierefreiheit (BFSG)',
+  verbraucherschutz: 'Verbraucherschutz',
+  urheberrecht: 'Urheberrecht',
+  wettbewerbsrecht: 'Wettbewerbsrecht',
+  gleichbehandlung: 'Gleichbehandlung (AGG)',
+  steuerrecht: 'Steuerrecht',
+  handelsrecht: 'Handelsrecht',
+}
+
+export const MC_VERIFICATION_LABELS: Record<string, string> = {
+  document: 'Dokument',
+  source_code: 'Source Code',
+  network: 'Netzwerk/Infra',
+  it_process: 'IT-Prozess',
+  hybrid: 'Hybrid',
+  manual: 'Manuell',
+}
+
+function humanize(key: string): string {
+  return key.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase())
+}
+
+export function useCaseLabel(key: string): string {
+  return USE_CASE_LABELS[key] || humanize(key)
+}
+
+export function mcVerificationLabel(key: string): string {
+  return MC_VERIFICATION_LABELS[key] || humanize(key)
+}

admin-compliance/app/sdk/control-library/components/useControlLibraryState.ts

@@ -14,6 +14,11 @@ export interface ControlsMeta {
   category_counts?: Record<string, number>
   evidence_type_counts?: Record<string, number>
   release_state_counts?: Record<string, number>
+  // Master-control mapping dimensions (only returned by the MC endpoint)
+  use_case_counts?: Record<string, number>
+  regulations?: Array<{ source_regulation: string; count: number }>
+  mapped_total?: number
+  unmapped_count?: number
 }
 
 const PAGE_SIZE = 50
@@ -35,6 +40,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
   const [domainFilter, setDomainFilter] = useState<string>('')
   const [stateFilter, setStateFilter] = useState<string>('')
   const [verificationFilter, setVerificationFilter] = useState<string>('')
+  const [useCaseFilter, setUseCaseFilter] = useState<string>('')
+  const [primaryOnly, setPrimaryOnly] = useState<boolean>(false)
+  const [regulationFilter, setRegulationFilter] = useState<string>('')
+  const [mappedFilter, setMappedFilter] = useState<string>('')
   const [categoryFilter, setCategoryFilter] = useState<string>('')
   const [evidenceTypeFilter, setEvidenceTypeFilter] = useState<string>('')
   const [audienceFilter, setAudienceFilter] = useState<string>('')
@@ -88,6 +97,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
     if (domainFilter) p.set('domain', domainFilter)
     if (stateFilter) p.set('release_state', stateFilter)
     if (verificationFilter) p.set('verification_method', verificationFilter)
+    if (useCaseFilter) p.set('use_case', useCaseFilter)
+    if (primaryOnly) p.set('primary', '1')
+    if (regulationFilter) p.set('source_regulation', regulationFilter)
+    if (mappedFilter) p.set('mapped', mappedFilter)
     if (categoryFilter) p.set('category', categoryFilter)
     if (evidenceTypeFilter) p.set('evidence_type', evidenceTypeFilter)
     if (audienceFilter) p.set('target_audience', audienceFilter)
@@ -97,7 +110,7 @@ export function useControlLibraryState(backendUrlOverride?: string) {
     if (debouncedSearch) p.set('search', debouncedSearch)
     if (extra) for (const [k, v] of Object.entries(extra)) p.set(k, v)
     return p.toString()
-  }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch])
+  }, [severityFilter, domainFilter, stateFilter, verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch])
 
   const loadFrameworks = useCallback(async () => {
     try {
@@ -156,7 +169,7 @@ export function useControlLibraryState(backendUrlOverride?: string) {
   useEffect(() => { loadFrameworks(); loadReviewCount() }, [loadFrameworks, loadReviewCount])
   useEffect(() => { loadMeta() }, [loadMeta])
   useEffect(() => { loadControls() }, [loadControls])
-  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch, sortBy])
+  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, useCaseFilter, primaryOnly, regulationFilter, mappedFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch, sortBy])
 
   const totalPages = Math.max(1, Math.ceil(totalCount / PAGE_SIZE))
 
@@ -212,6 +225,10 @@ export function useControlLibraryState(backendUrlOverride?: string) {
     domainFilter, setDomainFilter,
     stateFilter, setStateFilter,
     verificationFilter, setVerificationFilter,
+    useCaseFilter, setUseCaseFilter,
+    primaryOnly, setPrimaryOnly,
+    regulationFilter, setRegulationFilter,
+    mappedFilter, setMappedFilter,
     categoryFilter, setCategoryFilter,
     evidenceTypeFilter, setEvidenceTypeFilter,
     audienceFilter, setAudienceFilter,

admin-compliance/app/sdk/control-library/page.tsx

@@ -232,6 +232,10 @@ export default function ControlLibraryPage() {
       domainFilter={state.domainFilter}
       stateFilter={state.stateFilter}
       verificationFilter={state.verificationFilter}
+      useCaseFilter={state.useCaseFilter}
+      primaryOnly={state.primaryOnly}
+      regulationFilter={state.regulationFilter}
+      mappedFilter={state.mappedFilter}
       categoryFilter={state.categoryFilter}
       evidenceTypeFilter={state.evidenceTypeFilter}
       audienceFilter={state.audienceFilter}
@@ -243,6 +247,10 @@ export default function ControlLibraryPage() {
       setDomainFilter={state.setDomainFilter}
       setStateFilter={state.setStateFilter}
       setVerificationFilter={state.setVerificationFilter}
+      setUseCaseFilter={state.setUseCaseFilter}
+      setPrimaryOnly={state.setPrimaryOnly}
+      setRegulationFilter={state.setRegulationFilter}
+      setMappedFilter={state.setMappedFilter}
       setCategoryFilter={state.setCategoryFilter}
       setEvidenceTypeFilter={state.setEvidenceTypeFilter}
       setAudienceFilter={state.setAudienceFilter}

admin-compliance/app/sdk/cra/page.tsx

@@ -99,6 +99,16 @@ export default function CRAProjectsPage() {
           </p>
         </div>
 
+        <div className="mb-4 px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
+          <span className="font-semibold">Quellen &amp; Lizenz:</span>
+          <span>
+            Inhalte gemaess <strong>EU-Verordnung 2024/2847 (Cyber Resilience Act)</strong> —
+            Lizenzregel R1 (EU_LAW, woertlich uebernehmbar). ENISA-Implementation-Guidance
+            ergaenzend (R1 EU_PUBLIC).{' '}
+            <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
+          </span>
+        </div>
+
         {error && (
           <div className="mb-4 bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">
             {error}

admin-compliance/app/sdk/document-generator/_components/BulkGenerateModal.tsx

@@ -0,0 +1,433 @@
+'use client'
+
+/**
+ * Bulk-Generate-Modal: ruft den Compliance-Recommend-Endpoint mit dem aktuellen
+ * Profil/Scope-Stand, matched die empfohlenen Dokumenttypen gegen die geladenen
+ * Templates, und rendert + speichert alle markierten Dokumente in einem Rutsch
+ * (als compliance_legal_documents + version v1.0 draft).
+ *
+ * Verwendet die existierende Render-Pipeline aus GeneratorSection.tsx:
+ *   runRuleset -> applyBlockRemoval -> applyConditionalBlocks -> placeholder-Replace
+ */
+
+import { useEffect, useMemo, useState } from 'react'
+import {
+  applyBlockRemoval,
+  applyConditionalBlocks,
+  buildBoolContext,
+  getDocType,
+  runRuleset,
+} from '../ruleEngine'
+import { contextToPlaceholders, type TemplateContext } from '../contextBridge'
+import type { LegalTemplateResult } from '@/lib/sdk/types'
+import type { CompanyProfile } from '@/lib/sdk/types/company-profile'
+import type { ComplianceScopeState } from '@/lib/sdk/compliance-scope-types/state'
+
+const RECOMMEND_ENDPOINT = '/api/sdk/v1/compliance/recommend'
+const DOC_ENDPOINT       = '/api/sdk/v1/compliance/legal-documents/documents'
+const VERSION_ENDPOINT   = '/api/sdk/v1/compliance/legal-documents/versions'
+
+interface RecommendedItem {
+  document_type: string
+  title: string
+  rule_id: string
+  rule_key: string
+  classification: 'required' | 'recommended' | 'optional'
+  base_classification: 'required' | 'recommended' | 'optional'
+  source_citation: string
+  reason: string
+  override_applied: boolean
+}
+
+interface RecommendationResult {
+  required: RecommendedItem[]
+  recommended: RecommendedItem[]
+  optional: RecommendedItem[]
+}
+
+interface Row {
+  item: RecommendedItem
+  template: LegalTemplateResult | undefined
+  selected: boolean
+  state: 'idle' | 'generating' | 'done' | 'skipped' | 'error'
+  errorMessage?: string
+}
+
+interface Props {
+  allTemplates: LegalTemplateResult[]
+  context: TemplateContext
+  extraPlaceholders: Record<string, string>
+  enabledModules: string[]
+  companyProfile: CompanyProfile | null
+  complianceScope: ComplianceScopeState | null
+  onClose: () => void
+}
+
+export default function BulkGenerateModal({
+  allTemplates, context, extraPlaceholders, enabledModules,
+  companyProfile, complianceScope, onClose,
+}: Props) {
+  const [loading, setLoading] = useState(true)
+  const [loadError, setLoadError] = useState<string | null>(null)
+  const [rows, setRows] = useState<Row[]>([])
+  const [running, setRunning] = useState(false)
+  const [summary, setSummary] = useState<{ done: number; skipped: number; failed: number } | null>(null)
+
+  const recommendProfile = useMemo(
+    () => buildRecommendProfile(companyProfile, complianceScope),
+    [companyProfile, complianceScope],
+  )
+
+  // Templates nach document_type indizieren — ein Document_type hat oft nur EIN Template
+  const templatesByType = useMemo(() => {
+    const map = new Map<string, LegalTemplateResult>()
+    for (const t of allTemplates) {
+      if (t.templateType && !map.has(t.templateType)) {
+        map.set(t.templateType, t)
+      }
+    }
+    return map
+  }, [allTemplates])
+
+  // Recommend abrufen sobald das Modal geöffnet ist
+  useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setLoadError(null)
+      try {
+        const res = await fetch(RECOMMEND_ENDPOINT, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            profile: recommendProfile,
+            compliance_depth_level: recommendProfile.compliance_depth_level ?? 'L2',
+          }),
+        })
+        if (!res.ok) throw new Error(`Recommend-API: ${res.status}`)
+        const data = (await res.json()) as RecommendationResult
+        if (cancelled) return
+        const all: RecommendedItem[] = [...data.required, ...data.recommended, ...data.optional]
+        const newRows: Row[] = all.map((item) => ({
+          item,
+          template: templatesByType.get(item.document_type),
+          // Default: required + recommended sind aktiv, optional inaktiv,
+          // und ohne Template generell deaktiviert
+          selected: item.classification !== 'optional' && templatesByType.has(item.document_type),
+          state: 'idle',
+        }))
+        setRows(newRows)
+      } catch (e) {
+        if (!cancelled) setLoadError((e as Error).message)
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [])
+
+  const selectedCount = rows.filter((r) => r.selected && r.template).length
+  const unmatchedCount = rows.filter((r) => !r.template).length
+
+  function toggle(i: number) {
+    setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, selected: !r.selected } : r))
+  }
+
+  function setAll(selected: boolean) {
+    setRows((rs) => rs.map((r) => r.template ? { ...r, selected } : r))
+  }
+
+  async function runBulk() {
+    setRunning(true)
+    setSummary(null)
+    let done = 0
+    let failed = 0
+    let skipped = 0
+
+    for (let i = 0; i < rows.length; i++) {
+      const row = rows[i]
+      if (!row.selected) continue
+      if (!row.template) { skipped++; continue }
+
+      setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, state: 'generating' } : r))
+      try {
+        const rendered = renderTemplate(row.template, context, extraPlaceholders, enabledModules)
+        await saveDocAndVersion(row.template, rendered)
+        setRows((rs) => rs.map((r, idx) => idx === i ? { ...r, state: 'done' } : r))
+        done++
+      } catch (e) {
+        setRows((rs) => rs.map((r, idx) =>
+          idx === i ? { ...r, state: 'error', errorMessage: (e as Error).message } : r,
+        ))
+        failed++
+      }
+    }
+
+    setSummary({ done, skipped, failed })
+    setRunning(false)
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/40 z-50 flex items-center justify-center p-4" onClick={onClose}>
+      <div
+        className="bg-white rounded-lg shadow-2xl w-[820px] max-h-[90vh] flex flex-col"
+        onClick={(e) => e.stopPropagation()}
+      >
+        <header className="px-5 py-3 border-b border-gray-200 flex items-center justify-between">
+          <div>
+            <h3 className="font-semibold text-gray-800">Alle empfohlenen Dokumente generieren</h3>
+            <p className="text-xs text-gray-500 mt-0.5">
+              Compliance-Recommend wertet das aktuelle CompanyProfile + ComplianceScope aus
+              und schlägt Vorlagen vor. Markierte werden client-seitig gerendert und als
+              Drafts v1.0 in der Document-Library angelegt.
+            </p>
+          </div>
+          <button className="text-gray-400 hover:text-gray-700 text-2xl" onClick={onClose}>×</button>
+        </header>
+
+        <div className="flex-1 overflow-y-auto">
+          {loading && (
+            <div className="p-8 text-center text-sm text-gray-500">Lade Empfehlungen…</div>
+          )}
+          {loadError && (
+            <div className="m-5 p-3 text-sm text-rose-800 bg-rose-50 border border-rose-200 rounded">
+              {loadError}
+            </div>
+          )}
+          {!loading && !loadError && rows.length === 0 && (
+            <div className="p-8 text-center text-sm text-gray-500">
+              Keine Empfehlungen für dieses Profil.
+              Stell sicher dass CompanyProfile + ComplianceScope ausgefüllt sind.
+            </div>
+          )}
+
+          {!loading && rows.length > 0 && (
+            <>
+              <div className="px-5 py-2 bg-gray-50 border-b border-gray-200 flex items-center justify-between text-xs">
+                <div className="text-gray-600">
+                  <b>{selectedCount}</b> von {rows.length} ausgewählt
+                  {unmatchedCount > 0 && (
+                    <span className="ml-2 text-amber-700">
+                      ({unmatchedCount} ohne Template — kann nicht generiert werden)
+                    </span>
+                  )}
+                </div>
+                <div className="flex gap-1">
+                  <button
+                    className="px-2 py-1 border border-gray-300 rounded hover:bg-white"
+                    onClick={() => setAll(true)}
+                    disabled={running}
+                  >
+                    Alle wählen
+                  </button>
+                  <button
+                    className="px-2 py-1 border border-gray-300 rounded hover:bg-white"
+                    onClick={() => setAll(false)}
+                    disabled={running}
+                  >
+                    Keine wählen
+                  </button>
+                </div>
+              </div>
+              <ul className="divide-y divide-gray-100">
+                {rows.map((row, i) => (
+                  <BulkRow key={row.item.rule_id} row={row} onToggle={() => toggle(i)} running={running} />
+                ))}
+              </ul>
+            </>
+          )}
+        </div>
+
+        <footer className="px-5 py-3 border-t border-gray-200 bg-gray-50 flex items-center gap-3">
+          {summary ? (
+            <div className="text-sm text-gray-700">
+              <b className="text-emerald-700">{summary.done} erstellt</b>
+              {summary.skipped > 0 && <span className="ml-2 text-amber-700">· {summary.skipped} übersprungen</span>}
+              {summary.failed > 0 && <span className="ml-2 text-rose-700">· {summary.failed} fehlgeschlagen</span>}
+            </div>
+          ) : (
+            <div className="text-xs text-gray-500">
+              Erzeugt {selectedCount} neue Drafts in der Document-Library.
+            </div>
+          )}
+          <button className="ml-auto px-3 py-1.5 text-sm text-gray-600 hover:text-gray-800" onClick={onClose}>
+            Schließen
+          </button>
+          {!summary && (
+            <button
+              className="px-4 py-1.5 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700 disabled:opacity-50"
+              disabled={running || loading || selectedCount === 0}
+              onClick={runBulk}
+            >
+              {running ? 'Generiere…' : `${selectedCount} Dokumente generieren`}
+            </button>
+          )}
+        </footer>
+      </div>
+    </div>
+  )
+}
+
+function BulkRow({ row, onToggle, running }: { row: Row; onToggle: () => void; running: boolean }) {
+  const hasTemplate = !!row.template
+  const cls = row.item.classification
+
+  const stateBadge = (() => {
+    switch (row.state) {
+      case 'generating': return <span className="text-amber-700">⏳ generiere…</span>
+      case 'done':       return <span className="text-emerald-700">✓ erstellt</span>
+      case 'error':      return <span className="text-rose-700" title={row.errorMessage}>✗ Fehler</span>
+      case 'skipped':    return <span className="text-gray-500">— übersprungen</span>
+      default:           return null
+    }
+  })()
+
+  return (
+    <li className="px-5 py-2 flex items-start gap-3 hover:bg-gray-50">
+      <input
+        type="checkbox"
+        className="mt-1"
+        checked={row.selected}
+        onChange={onToggle}
+        disabled={!hasTemplate || running}
+      />
+      <div className="flex-1 min-w-0">
+        <div className="flex items-center gap-2 flex-wrap">
+          <ClassChip classification={cls} />
+          <span className="text-sm font-medium text-gray-800">{row.item.title}</span>
+          {!hasTemplate && (
+            <span className="px-1.5 py-0.5 text-xs rounded border bg-amber-50 text-amber-800 border-amber-300">
+              kein Template
+            </span>
+          )}
+          <span className="ml-auto text-xs">{stateBadge}</span>
+        </div>
+        <div className="text-xs text-gray-500 mt-0.5">
+          <code>{row.item.document_type}</code>
+          {row.item.source_citation && <> · {row.item.source_citation}</>}
+        </div>
+        {row.errorMessage && (
+          <div className="text-xs text-rose-700 mt-0.5">{row.errorMessage}</div>
+        )}
+      </div>
+    </li>
+  )
+}
+
+function ClassChip({ classification }: { classification: 'required' | 'recommended' | 'optional' }) {
+  const map = {
+    required:    { label: 'Pflicht',    cls: 'bg-rose-100 text-rose-800 border-rose-300' },
+    recommended: { label: 'Empfohlen',  cls: 'bg-amber-100 text-amber-800 border-amber-300' },
+    optional:    { label: 'Optional',   cls: 'bg-slate-100 text-slate-700 border-slate-300' },
+  }[classification]
+  return (
+    <span className={`px-1.5 py-0.5 text-xs rounded border ${map.cls}`}>{map.label}</span>
+  )
+}
+
+// ----- Render-Pipeline (Kopie aus GeneratorSection mit gleicher Logik) -----
+
+function renderTemplate(
+  template: LegalTemplateResult,
+  context: TemplateContext,
+  extraPlaceholders: Record<string, string>,
+  enabledModules: string[],
+): string {
+  const ruleResult = runRuleset({
+    doc_type: getDocType(template.templateType ?? '', template.language ?? 'de'),
+    render: { lang: template.language ?? 'de', variant: 'standard' },
+    context,
+    modules: { enabled: enabledModules },
+  })
+  const allValues = {
+    ...contextToPlaceholders(ruleResult?.contextAfterDefaults ?? context),
+    ...extraPlaceholders,
+  }
+  const boolCtx = ruleResult
+    ? buildBoolContext(ruleResult.contextAfterDefaults, ruleResult.computedFlags)
+    : {}
+  let content = applyBlockRemoval(template.text, ruleResult?.removedBlocks ?? [])
+  content = applyConditionalBlocks(content, boolCtx)
+  for (const [key, value] of Object.entries(allValues)) {
+    if (value) {
+      content = content.replace(
+        new RegExp(key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'),
+        value,
+      )
+    }
+  }
+  return content
+}
+
+async function saveDocAndVersion(
+  template: LegalTemplateResult,
+  renderedContent: string,
+): Promise<void> {
+  const docRes = await fetch(DOC_ENDPOINT, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      type: template.templateType || 'custom',
+      name: template.documentTitle || 'Dokument',
+      description: `Bulk-generiert aus Template ${template.templateType}`,
+    }),
+  })
+  if (!docRes.ok) {
+    throw new Error(`Document anlegen fehlgeschlagen: ${docRes.status} ${await docRes.text().catch(() => '')}`)
+  }
+  const doc = await docRes.json()
+  const verRes = await fetch(VERSION_ENDPOINT, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      document_id: doc.id,
+      title: template.documentTitle || 'Dokument',
+      content: renderedContent,
+      language: template.language || 'de',
+      version: '1.0',
+    }),
+  })
+  if (!verRes.ok) {
+    throw new Error(`Version anlegen fehlgeschlagen: ${verRes.status} ${await verRes.text().catch(() => '')}`)
+  }
+}
+
+// ----- Profile-Builder: SDK-State → /recommend Body -----
+
+function buildRecommendProfile(
+  companyProfile: CompanyProfile | null,
+  complianceScope: ComplianceScopeState | null,
+): Record<string, unknown> {
+  const profile: Record<string, unknown> = {}
+
+  // Aus CompanyProfile (camelCase TS-Modell)
+  if (companyProfile) {
+    if (companyProfile.employeeCount) {
+      profile.org_employee_count = String(companyProfile.employeeCount).replace(/-/g, '_')
+    }
+    if (companyProfile.businessModel) {
+      profile.org_business_model = String(companyProfile.businessModel).toLowerCase().replace(/\s+/g, '_')
+    }
+    if (companyProfile.isDataProcessor) {
+      profile.comp_has_processors = 'yes'
+    }
+  }
+
+  // ComplianceScope-Antworten: questionId entspricht direkt unserer Profil-
+  // Feld-Konvention (proc_ai_usage, tech_third_country, prod_webshop, etc.)
+  if (complianceScope?.answers) {
+    for (const a of complianceScope.answers) {
+      if (!a.questionId) continue
+      if (a.value === null || a.value === undefined || a.value === '') continue
+      profile[a.questionId] = a.value
+    }
+  }
+
+  if (complianceScope?.decision?.determinedLevel) {
+    profile.compliance_depth_level = complianceScope.decision.determinedLevel
+  }
+
+  return profile
+}

admin-compliance/app/sdk/document-generator/page.tsx

@@ -16,6 +16,7 @@ import TemplateLibrary from './_components/TemplateLibrary'
 import GeneratorSection from './_components/GeneratorSection'
 import RecommendedDocuments from './_components/RecommendedDocuments'
 import { LifecycleFilter, filterTemplatesByStage } from './_components/LifecycleFilter'
+import BulkGenerateModal from './_components/BulkGenerateModal'
 import type { LifecycleStage } from '@/lib/sdk/founding/template-categories'
 
 function DocumentGeneratorPageInner() {
@@ -39,6 +40,7 @@ function DocumentGeneratorPageInner() {
   const generatorRef = useRef<HTMLDivElement>(null)
 
   const [totalCount, setTotalCount] = useState<number>(0)
+  const [showBulkGenerate, setShowBulkGenerate] = useState(false)
 
   // Load all templates on mount
   useEffect(() => {
@@ -297,6 +299,16 @@ function DocumentGeneratorPageInner() {
         tips={stepInfo.tips}
       />
 
+      <div className="px-4 py-2 bg-slate-50 border border-slate-200 rounded-lg text-xs text-slate-700 flex items-start gap-2">
+        <span className="font-semibold">Quellen &amp; Lizenz:</span>
+        <span>
+          Die 91 Standard-Vorlagen sind <strong>BreakPilot-Eigenwerke</strong> (Lizenzregel R3 — Identifier-Verweis,
+          eigene Lizenz). Vorlagen mit gesetzlicher Grundlage (z.B. VVT nach Art. 30 DSGVO,
+          Loeschkonzept nach Art. 17 DSGVO) zitieren die jeweilige Rechtsquelle als R1.{' '}
+          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
+        </span>
+      </div>
+
       {/* Status bar */}
       <div className="grid grid-cols-3 gap-4">
         <div className="bg-white rounded-xl border border-gray-200 p-5">
@@ -322,6 +334,23 @@ function DocumentGeneratorPageInner() {
         countsByStage={countsByStage}
       />
 
+      {/* Bulk-Generate-Knopf — alle empfohlenen Dokumente in einem Rutsch */}
+      <div className="flex items-center justify-between bg-emerald-50 border border-emerald-200 rounded p-3">
+        <div className="text-sm text-gray-700">
+          <b>Alle empfohlenen Dokumente in einem Rutsch generieren.</b>
+          <div className="text-xs text-gray-600 mt-0.5">
+            Profil + Scope-Antworten werden gegen die Empfehlungs-Regeln ausgewertet —
+            markierte Templates werden als Drafts v1.0 in die Document-Library angelegt.
+          </div>
+        </div>
+        <button
+          className="px-4 py-2 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700 whitespace-nowrap"
+          onClick={() => setShowBulkGenerate(true)}
+        >
+          Empfohlene generieren →
+        </button>
+      </div>
+
       {/* Recommended documents based on scope profile */}
       <RecommendedDocuments
         allTemplates={allTemplates}
@@ -381,6 +410,18 @@ function DocumentGeneratorPageInner() {
           )}
         </div>
       )}
+
+      {showBulkGenerate && (
+        <BulkGenerateModal
+          allTemplates={allTemplates}
+          context={context}
+          extraPlaceholders={extraPlaceholders}
+          enabledModules={enabledModules}
+          companyProfile={state.companyProfile ?? null}
+          complianceScope={state.complianceScope ?? null}
+          onClose={() => setShowBulkGenerate(false)}
+        />
+      )}
     </div>
   )
 }

admin-compliance/app/sdk/document-library/page.tsx

@@ -0,0 +1,350 @@
+'use client'
+
+/**
+ * Document-Library — zentraler Tab für alle für den Mandanten erzeugten
+ * Dokumente. Listet compliance_legal_documents + jeweils latest/published
+ * Version, gruppiert nach Empfehlungs-Klassifikation (required/recommended/
+ * optional/uncategorized).
+ *
+ * Recommend-Engine (compliance_template_rules) wird gegen das aktuelle
+ * CompanyProfile + ComplianceScope ausgewertet, um document_type → Klassifi-
+ * kation zu mappen.
+ *
+ * Click auf eine Zeile → /sdk/workflow?doc=<uuid> (Workflow-Editor öffnet
+ * den Doc automatisch).
+ */
+
+import { useEffect, useMemo, useState } from 'react'
+import { useRouter } from 'next/navigation'
+import { useSDK } from '@/lib/sdk'
+import { StepHeader } from '@/components/sdk/StepHeader'
+import type { CompanyProfile } from '@/lib/sdk/types/company-profile'
+import type { ComplianceScopeState } from '@/lib/sdk/compliance-scope-types/state'
+
+const DOCS_ENDPOINT = '/api/sdk/v1/compliance/legal-documents/documents-with-versions'
+const RECOMMEND_ENDPOINT = '/api/sdk/v1/compliance/recommend'
+
+type Classification = 'required' | 'recommended' | 'optional' | 'uncategorized'
+type VersionStatus =
+  | 'draft' | 'review' | 'review_internal' | 'review_client'
+  | 'approved' | 'published' | 'archived' | 'rejected'
+
+interface DocVersion {
+  id: string
+  document_id: string
+  version: string
+  status: VersionStatus
+  title: string
+  created_at: string
+  updated_at: string | null
+  approved_internal_at: string | null
+  approved_client_at: string | null
+}
+
+interface DocWithVersions {
+  id: string
+  type: string
+  name: string
+  description: string | null
+  created_at: string
+  updated_at: string | null
+  latest_version: DocVersion | null
+  published_version: DocVersion | null
+}
+
+interface Rec {
+  document_type: string
+  title: string
+  classification: 'required' | 'recommended' | 'optional'
+  source_citation: string
+  override_applied: boolean
+}
+
+export default function DocumentLibraryPage() {
+  const { state } = useSDK()
+  const router = useRouter()
+
+  const [docs, setDocs] = useState<DocWithVersions[]>([])
+  const [recommendations, setRecommendations] = useState<Map<string, Rec>>(new Map())
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+  const [search, setSearch] = useState('')
+  const [statusFilter, setStatusFilter] = useState<VersionStatus | 'all'>('all')
+
+  useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setError(null)
+      try {
+        const profile = buildRecommendProfile(state.companyProfile ?? null, state.complianceScope ?? null)
+        const [docsRes, recRes] = await Promise.all([
+          fetch(DOCS_ENDPOINT),
+          fetch(RECOMMEND_ENDPOINT, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              profile,
+              compliance_depth_level: profile.compliance_depth_level ?? 'L2',
+            }),
+          }),
+        ])
+        if (!docsRes.ok) throw new Error(`Docs-API: ${docsRes.status}`)
+        if (!recRes.ok) throw new Error(`Recommend-API: ${recRes.status}`)
+
+        const docsData = await docsRes.json() as { documents: DocWithVersions[] }
+        const recData = await recRes.json()
+
+        const recMap = new Map<string, Rec>()
+        for (const cls of ['required', 'recommended', 'optional'] as const) {
+          for (const item of (recData[cls] ?? []) as Rec[]) {
+            recMap.set(item.document_type, { ...item, classification: cls })
+          }
+        }
+
+        if (!cancelled) {
+          setDocs(docsData.documents ?? [])
+          setRecommendations(recMap)
+        }
+      } catch (e) {
+        if (!cancelled) setError((e as Error).message)
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+  }, [state.companyProfile, state.complianceScope])
+
+  const grouped = useMemo(() => {
+    const groups: Record<Classification, DocWithVersions[]> = {
+      required: [], recommended: [], optional: [], uncategorized: [],
+    }
+    const q = search.toLowerCase().trim()
+    for (const doc of docs) {
+      // Filter
+      if (q) {
+        const hit =
+          doc.name.toLowerCase().includes(q) ||
+          doc.type.toLowerCase().includes(q) ||
+          (doc.description?.toLowerCase() ?? '').includes(q)
+        if (!hit) continue
+      }
+      if (statusFilter !== 'all') {
+        const s = doc.latest_version?.status
+        if (s !== statusFilter) continue
+      }
+      const rec = recommendations.get(doc.type)
+      const klass: Classification = rec?.classification ?? 'uncategorized'
+      groups[klass].push(doc)
+    }
+    return groups
+  }, [docs, recommendations, search, statusFilter])
+
+  const totalShown = grouped.required.length + grouped.recommended.length
+    + grouped.optional.length + grouped.uncategorized.length
+
+  return (
+    <div className="h-full flex flex-col bg-white">
+      <StepHeader
+        stepId="document-library"
+        title="Document Library"
+        description="Zentrale Übersicht aller erzeugten Dokumente — gruppiert nach Empfehlung (Pflicht/Empfohlen/Optional), gefiltert nach Status. Klick auf eine Zeile öffnet den Workflow-Editor."
+      />
+
+      <div className="px-5 py-3 border-b border-gray-200 bg-gray-50 flex items-center gap-3 flex-wrap">
+        <input
+          type="text"
+          placeholder="Suchen (Titel, Type, Beschreibung)…"
+          value={search}
+          onChange={(e) => setSearch(e.target.value)}
+          className="text-sm px-3 py-1.5 border border-gray-300 rounded w-72"
+        />
+        <select
+          className="text-sm px-2 py-1.5 border border-gray-300 rounded bg-white"
+          value={statusFilter}
+          onChange={(e) => setStatusFilter(e.target.value as VersionStatus | 'all')}
+        >
+          <option value="all">Alle Stati</option>
+          <option value="draft">Entwurf</option>
+          <option value="review_internal">DSB-Prüfung</option>
+          <option value="review_client">Mandanten-Prüfung</option>
+          <option value="approved">Freigegeben</option>
+          <option value="published">Live</option>
+          <option value="archived">Archiviert</option>
+          <option value="rejected">Abgelehnt</option>
+        </select>
+        <div className="ml-auto text-xs text-gray-600">
+          {loading ? 'lädt…' : `${totalShown} sichtbar · ${docs.length} insgesamt`}
+        </div>
+      </div>
+
+      {error && (
+        <div className="m-5 p-3 text-sm text-rose-800 bg-rose-50 border border-rose-200 rounded">
+          {error}
+        </div>
+      )}
+
+      <div className="flex-1 overflow-y-auto">
+        {!loading && docs.length === 0 && (
+          <div className="p-8 text-center text-sm text-gray-500">
+            Noch keine Dokumente vorhanden. Generiere welche über den{' '}
+            <a href="/sdk/document-generator" className="underline text-blue-700">Document Generator</a>{' '}
+            (Bulk-Modus „Empfohlene generieren →").
+          </div>
+        )}
+
+        <Group
+          title="Pflichtdokumente"
+          chipCls="bg-rose-100 text-rose-800 border-rose-300"
+          docs={grouped.required}
+          recommendations={recommendations}
+          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
+        />
+        <Group
+          title="Empfohlene Dokumente"
+          chipCls="bg-amber-100 text-amber-800 border-amber-300"
+          docs={grouped.recommended}
+          recommendations={recommendations}
+          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
+        />
+        <Group
+          title="Optionale Dokumente"
+          chipCls="bg-slate-100 text-slate-700 border-slate-300"
+          docs={grouped.optional}
+          recommendations={recommendations}
+          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
+        />
+        <Group
+          title="Nicht klassifiziert"
+          chipCls="bg-gray-100 text-gray-600 border-gray-300"
+          docs={grouped.uncategorized}
+          recommendations={recommendations}
+          onOpen={(id) => router.push(`/sdk/workflow?doc=${id}`)}
+        />
+      </div>
+    </div>
+  )
+}
+
+function Group({
+  title, chipCls, docs, recommendations, onOpen,
+}: {
+  title: string
+  chipCls: string
+  docs: DocWithVersions[]
+  recommendations: Map<string, Rec>
+  onOpen: (id: string) => void
+}) {
+  if (docs.length === 0) return null
+  return (
+    <section className="border-b border-gray-200">
+      <h3 className="px-5 py-2 bg-gray-50 text-sm font-semibold text-gray-700 flex items-center gap-2">
+        <span className={`px-2 py-0.5 text-xs rounded border ${chipCls}`}>{title}</span>
+        <span className="text-xs font-normal text-gray-500">{docs.length}</span>
+      </h3>
+      <table className="w-full text-sm">
+        <thead className="text-xs uppercase text-gray-500">
+          <tr>
+            <th className="px-5 py-2 text-left">Titel</th>
+            <th className="px-3 py-2 text-left">Type</th>
+            <th className="px-3 py-2 text-left">Status</th>
+            <th className="px-3 py-2 text-left">Version</th>
+            <th className="px-3 py-2 text-left">Geändert</th>
+            <th className="px-3 py-2 text-left">Override</th>
+          </tr>
+        </thead>
+        <tbody>
+          {docs.map((doc) => (
+            <DocRow key={doc.id} doc={doc} rec={recommendations.get(doc.type)} onOpen={onOpen} />
+          ))}
+        </tbody>
+      </table>
+    </section>
+  )
+}
+
+function DocRow({
+  doc, rec, onOpen,
+}: {
+  doc: DocWithVersions
+  rec: Rec | undefined
+  onOpen: (id: string) => void
+}) {
+  const latest = doc.latest_version
+  const updated = doc.updated_at ?? doc.created_at
+  return (
+    <tr
+      className="border-t border-gray-100 hover:bg-amber-50 cursor-pointer"
+      onClick={() => onOpen(doc.id)}
+    >
+      <td className="px-5 py-2 font-medium text-gray-800">{doc.name}</td>
+      <td className="px-3 py-2 text-xs"><code>{doc.type}</code></td>
+      <td className="px-3 py-2">
+        {latest ? <StatusBadge status={latest.status} /> : <span className="text-xs text-gray-400">—</span>}
+      </td>
+      <td className="px-3 py-2 text-xs text-gray-700">
+        {latest?.version ?? '—'}
+        {doc.published_version && doc.published_version.id !== latest?.id && (
+          <span className="ml-1 text-emerald-700">(live: {doc.published_version.version})</span>
+        )}
+      </td>
+      <td className="px-3 py-2 text-xs text-gray-500">
+        {new Date(updated).toLocaleString('de-DE')}
+      </td>
+      <td className="px-3 py-2 text-xs">
+        {rec?.override_applied && (
+          <span className="px-1.5 py-0.5 bg-blue-50 text-blue-700 border border-blue-300 rounded">
+            Override
+          </span>
+        )}
+      </td>
+    </tr>
+  )
+}
+
+function StatusBadge({ status }: { status: VersionStatus }) {
+  const map: Record<VersionStatus, { label: string; cls: string }> = {
+    draft:            { label: 'Entwurf',        cls: 'bg-slate-100 text-slate-700 border-slate-300' },
+    review:           { label: 'Prüfung',         cls: 'bg-amber-50 text-amber-800 border-amber-300' },
+    review_internal:  { label: 'DSB-Prüfung',     cls: 'bg-amber-50 text-amber-800 border-amber-300' },
+    review_client:    { label: 'Mandant-Prüfung', cls: 'bg-blue-50 text-blue-800 border-blue-300' },
+    approved:         { label: 'Freigegeben',     cls: 'bg-emerald-50 text-emerald-800 border-emerald-300' },
+    published:        { label: 'Live',            cls: 'bg-emerald-100 text-emerald-900 border-emerald-400 font-medium' },
+    archived:         { label: 'Archiviert',      cls: 'bg-gray-100 text-gray-600 border-gray-300' },
+    rejected:         { label: 'Abgelehnt',       cls: 'bg-rose-50 text-rose-800 border-rose-300' },
+  }
+  const { label, cls } = map[status] ?? { label: status, cls: 'bg-gray-100 text-gray-700 border-gray-300' }
+  return <span className={`px-1.5 py-0.5 text-xs rounded border ${cls}`}>{label}</span>
+}
+
+// ----- Profile-Builder (gleich wie in BulkGenerateModal — könnten wir später extrahieren) -----
+
+function buildRecommendProfile(
+  companyProfile: CompanyProfile | null,
+  complianceScope: ComplianceScopeState | null,
+): Record<string, unknown> {
+  const profile: Record<string, unknown> = {}
+  if (companyProfile) {
+    if (companyProfile.employeeCount) {
+      profile.org_employee_count = String(companyProfile.employeeCount).replace(/-/g, '_')
+    }
+    if (companyProfile.businessModel) {
+      profile.org_business_model = String(companyProfile.businessModel).toLowerCase().replace(/\s+/g, '_')
+    }
+    if (companyProfile.isDataProcessor) {
+      profile.comp_has_processors = 'yes'
+    }
+  }
+  if (complianceScope?.answers) {
+    for (const a of complianceScope.answers) {
+      if (!a.questionId) continue
+      if (a.value === null || a.value === undefined || a.value === '') continue
+      profile[a.questionId] = a.value
+    }
+  }
+  if (complianceScope?.decision?.determinedLevel) {
+    profile.compliance_depth_level = complianceScope.decision.determinedLevel
+  }
+  return profile
+}

admin-compliance/app/sdk/dsfa/page.tsx

@@ -132,6 +132,16 @@ export default function DSFAPage() {
         )}
       </StepHeader>
 
+      <div className="px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
+        <span className="font-semibold">Quellen &amp; Lizenz:</span>
+        <span>
+          Inhalte gemaess <strong>DSGVO Art. 35</strong> (EU 2016/679) — Lizenzregel R1
+          (Hoheitsrecht/EU_LAW, woertlich uebernehmbar). Vorlagen-Texte aus
+          Aufsichtsbehoerden ebenfalls R1.{' '}
+          <a href="/sdk/licenses" className="underline">Quellenverzeichnis</a>
+        </span>
+      </div>
+
       {/* DSFA Requirement Check */}
       {dsfaCheck.required && dsfas.length === 0 && (
         <div className="bg-red-50 border border-red-200 rounded-xl p-5">

admin-compliance/app/sdk/founding-wizard/_components/StepBasics.tsx

@@ -1,5 +1,6 @@
 'use client'
 
+import { useState } from 'react'
 import type { FoundingWizardState } from '@/lib/sdk/founding/types'
 
 interface Props {
@@ -9,8 +10,73 @@ interface Props {
 
 export function StepBasics({ state, update }: Props) {
   const b = state.basics
+  const [prefillStatus, setPrefillStatus] = useState<'idle' | 'loading' | 'success' | 'error'>('idle')
+
+  async function prefillFromCompanyProfile() {
+    setPrefillStatus('loading')
+    try {
+      const res = await fetch('/api/sdk/v1/company-profile', { cache: 'no-store' })
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      const payload = await res.json()
+      const p = payload?.profile ?? payload
+      if (!p || typeof p !== 'object') throw new Error('leeres Profil')
+      const industries = Array.isArray(p.industry) ? p.industry.filter(Boolean) : []
+      const industry = industries.length > 0
+        ? industries.join(', ')
+        : (p.industryOther || b.industry)
+      const address = [p.headquartersStreet, [p.headquartersZip, p.headquartersCity].filter(Boolean).join(' ')]
+        .filter(Boolean).join(', ') || b.company_address
+      const seat = p.headquartersCity || b.company_seat
+      // Purpose ableiten aus offerings/businessModel — Fallback wenn nichts da
+      const purposeBits: string[] = []
+      if (p.businessModel) purposeBits.push(`Geschäftsmodell: ${p.businessModel}`)
+      if (Array.isArray(p.offerings) && p.offerings.length > 0)
+        purposeBits.push(`Leistungen: ${p.offerings.join(', ')}`)
+      const purpose = purposeBits.length > 0
+        ? purposeBits.join('; ')
+        : b.company_purpose_description
+      update('basics', {
+        ...b,
+        company_name: p.companyName || b.company_name,
+        legal_form: (p.legalForm === 'UG' ? 'UG' : (p.legalForm === 'GmbH' ? 'GmbH' : b.legal_form)),
+        company_seat: seat,
+        company_address: address,
+        industry,
+        company_purpose_description: b.company_purpose_description.trim() === '' ? purpose : b.company_purpose_description,
+      })
+      setPrefillStatus('success')
+    } catch (err) {
+      console.error('[founding-wizard] prefill failed', err)
+      setPrefillStatus('error')
+    }
+  }
+
   return (
     <div className="space-y-4">
+      <div className="flex items-center justify-between">
+        <p className="text-sm text-gray-600">
+          Stammdaten der Gesellschaft. Pflicht für Satzung, HRB-Anmeldung und SHA.
+        </p>
+        <button
+          type="button"
+          onClick={prefillFromCompanyProfile}
+          disabled={prefillStatus === 'loading'}
+          className="px-3 py-1.5 text-sm rounded-lg border border-blue-300 bg-blue-50 hover:bg-blue-100 disabled:opacity-50"
+        >
+          {prefillStatus === 'loading' ? 'Lade…' : 'Aus Unternehmensprofil vorbefüllen'}
+        </button>
+      </div>
+      {prefillStatus === 'success' && (
+        <div className="text-xs text-green-700 bg-green-50 border border-green-200 rounded px-2 py-1">
+          Daten aus Unternehmensprofil übernommen. Bitte prüfen und ergänzen.
+        </div>
+      )}
+      {prefillStatus === 'error' && (
+        <div className="text-xs text-amber-700 bg-amber-50 border border-amber-200 rounded px-2 py-1">
+          Konnte Unternehmensprofil nicht laden — bitte Felder manuell ausfüllen.
+        </div>
+      )}
+
       <div className="grid grid-cols-2 gap-4">
         <div>
           <label className="block text-sm font-medium text-gray-700 mb-1">Firmenname</label>
@@ -78,6 +144,35 @@ export function StepBasics({ state, update }: Props) {
             className="w-full px-3 py-2 border rounded-lg"
           />
         </div>
+        <div>
+          <label className="block text-sm font-medium text-gray-700 mb-1">
+            Registergericht
+          </label>
+          <input
+            data-testid="register-court"
+            type="text"
+            value={b.register_court || ''}
+            onChange={e => update('basics', { ...b, register_court: e.target.value })}
+            placeholder="z.B. Amtsgericht Stuttgart"
+            className="w-full px-3 py-2 border rounded-lg"
+          />
+          <p className="text-xs text-gray-500 mt-1">
+            Zuständiges Amtsgericht für HRB-Eintragung
+          </p>
+        </div>
+        <div>
+          <label className="block text-sm font-medium text-gray-700 mb-1">
+            HRB-Nummer <span className="text-gray-400">(optional)</span>
+          </label>
+          <input
+            data-testid="hrb-number"
+            type="text"
+            value={b.hrb_number || ''}
+            onChange={e => update('basics', { ...b, hrb_number: e.target.value })}
+            placeholder="z.B. HRB 12345 (leer falls noch nicht eingetragen)"
+            className="w-full px-3 py-2 border rounded-lg"
+          />
+        </div>
       </div>
 
       <div>

admin-compliance/app/sdk/founding-wizard/_components/StepGesellschafter.tsx

@@ -14,7 +14,7 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
   const [form, setForm] = useState({
     name: '', geburtsdatum: '', adresse: '', email: '',
     nennbetrag_eur: 12500, is_geschaeftsfuehrer: true, internal_role: '',
-    has_academic_background: false,
+    has_academic_background: false, ip_areas: '',
   })
 
   const totalNennbetrag = state.gesellschafter.reduce((s, g) => s + g.nennbetrag_eur, 0)
@@ -22,6 +22,8 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
 
   const handleAdd = () => {
     if (!form.name.trim()) return
+    const ip_areas = form.ip_areas
+      .split('\n').map(s => s.trim()).filter(Boolean)
     addGesellschafter({
       rolle: 'founder',
       name: form.name,
@@ -32,9 +34,10 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
       is_geschaeftsfuehrer: form.is_geschaeftsfuehrer,
       internal_role: form.internal_role || undefined,
       has_academic_background: form.has_academic_background,
+      ip_areas: ip_areas.length > 0 ? ip_areas : undefined,
     })
     setForm({ name: '', geburtsdatum: '', adresse: '', email: '', nennbetrag_eur: 12500,
-              is_geschaeftsfuehrer: true, internal_role: '', has_academic_background: false })
+              is_geschaeftsfuehrer: true, internal_role: '', has_academic_background: false, ip_areas: '' })
   }
 
   return (
@@ -82,13 +85,22 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
             onChange={e => setForm({ ...form, nennbetrag_eur: parseInt(e.target.value) || 0 })}
             className="px-3 py-2 border rounded"
           />
-          <input
+          <select
             data-testid="gs-role"
-            placeholder="Interne Rolle (z.B. CEO, CTO)"
             value={form.internal_role}
             onChange={e => setForm({ ...form, internal_role: e.target.value })}
-            className="px-3 py-2 border rounded"
-          />
+            className="px-3 py-2 border rounded bg-white"
+          >
+            <option value="">Rolle wählen…</option>
+            <option value="CEO">CEO (Chief Executive Officer)</option>
+            <option value="CTO">CTO (Chief Technical Officer)</option>
+            <option value="CFO">CFO (Chief Financial Officer)</option>
+            <option value="COO">COO (Chief Operating Officer)</option>
+            <option value="CPO">CPO (Chief Product Officer)</option>
+            <option value="Geschäftsführer">Geschäftsführer (ohne Spezialisierung)</option>
+            <option value="Gesellschafter">Gesellschafter (kein GF)</option>
+            <option value="Sonstige">Sonstige</option>
+          </select>
           <div className="flex items-center gap-2">
             <input
               type="checkbox"
@@ -108,6 +120,23 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
             <label className="text-sm">Akademischer Hintergrund</label>
           </div>
         </div>
+        <div className="mt-3">
+          <label className="block text-sm font-medium text-gray-700 mb-1">
+            IP-Bereiche, die diese Person in die Gesellschaft einbringt
+            <span className="text-gray-400"> (optional, eine Zeile pro Bereich)</span>
+          </label>
+          <textarea
+            data-testid="gs-ip-areas"
+            value={form.ip_areas}
+            onChange={e => setForm({ ...form, ip_areas: e.target.value })}
+            rows={3}
+            placeholder={'z.B.\nCompliance-Engine (Quellcode + Architektur)\nRAG-Pipeline\nKonfigurationsdaten'}
+            className="w-full px-3 py-2 border rounded font-mono text-xs"
+          />
+          <p className="text-xs text-gray-500 mt-1">
+            Bei mehreren Gründern wird pro Person ein eigener IP-Assignment-Vertrag generiert.
+          </p>
+        </div>
         <button
           data-testid="add-gesellschafter"
           onClick={handleAdd}
@@ -139,7 +168,14 @@ export function StepGesellschafter({ state, addGesellschafter, updateGesellschaf
               {state.gesellschafter.map(g => (
                 <tr key={g.id} className="border-t" data-testid={`gs-row-${g.anteil_nr}`}>
                   <td className="px-3 py-2">{g.anteil_nr}</td>
-                  <td className="px-3 py-2 font-medium">{g.name}{g.internal_role ? ` (${g.internal_role})` : ''}</td>
+                  <td className="px-3 py-2 font-medium">
+                    {g.name}{g.internal_role ? ` (${g.internal_role})` : ''}
+                    {g.ip_areas && g.ip_areas.length > 0 && (
+                      <div className="text-xs text-gray-500 mt-0.5">
+                        IP: {g.ip_areas.join(', ')}
+                      </div>
+                    )}
+                  </td>
                   <td className="px-3 py-2">{g.geburtsdatum || '—'}</td>
                   <td className="px-3 py-2 text-right">{g.nennbetrag_eur.toLocaleString('de-DE')} €</td>
                   <td className="px-3 py-2 text-right">{((g.nennbetrag_eur / Math.max(target, 1)) * 100).toFixed(2)}%</td>

admin-compliance/app/sdk/iace/[projectId]/benchmark/_components/HazardComparisonTable.tsx

@@ -87,7 +87,7 @@ export function HazardComparisonTable({ matched, missing, extra }: Props) {
       <div className="overflow-x-auto">
         {tab === 'matched' && <MatchedTable pairs={realMatched} clarStatusByHazard={clarStatusByHazard} projectId={projectId} />}
         {tab === 'missing' && <MissingTable entries={allMissing} />}
-        {tab === 'extra' && <ExtraTable entries={allExtra} />}
+        {tab === 'extra' && <ExtraTable entries={allExtra} clarStatusByHazard={clarStatusByHazard} projectId={projectId} />}
       </div>
     </div>
   )
@@ -175,6 +175,73 @@ function formatLifecycles(raw: string): string {
   return raw.split(',').map(s => s.trim()).map(s => LIFECYCLE_LABELS[s] || s).join(', ')
 }
 
+function Chevron({ open }: { open: boolean }) {
+  return (
+    <svg className={`w-3 h-3 text-gray-400 transition-transform ${open ? 'rotate-90' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor">
+      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5l7 7-7 7" />
+    </svg>
+  )
+}
+
+/** Ground Truth (professional) detail block — reused by matched + missing rows. */
+function GTDetailBlock({ gt }: { gt: GroundTruthEntry }) {
+  return (
+    <div className="space-y-2">
+      <div className="font-semibold text-red-700 dark:text-red-400 uppercase text-[10px]">Ground Truth (Fachmann)</div>
+      <DetailRow label="Gefaehrdung" gt={gt.hazard_type} />
+      <DetailRow label="Ursache" gt={gt.hazard_cause} />
+      <DetailRow label="Gefahrenstelle" gt={gt.component_zone} />
+      <DetailRow label="Lebensphasen" gt={gt.lifecycle_phases?.join(', ') || '-'} />
+      <DetailRow label="Risiko" gt={`F=${gt.risk_in.f} W=${gt.risk_in.w} P=${gt.risk_in.p} S=${gt.risk_in.s} => R=${gt.risk_in.r}`} />
+      {gt.risk_out.r > 0 && (
+        <DetailRow label="Restrisiko" gt={`F=${gt.risk_out.f} W=${gt.risk_out.w} P=${gt.risk_out.p} S=${gt.risk_out.s} => R=${gt.risk_out.r}`} />
+      )}
+      <DetailRow label="Massnahmen" gt={gt.measures?.join('\n') || '-'} multiline />
+      <DetailRow label="Typ" gt={gt.measure_type || '-'} />
+      {gt.norm_references?.length > 0 && (
+        <DetailRow label="Normen" gt={gt.norm_references.join(', ')} />
+      )}
+      <DetailRow label="Hinreichend" gt={gt.sufficient ? 'JA' : 'NEIN'} />
+      {gt.comment && <DetailRow label="Kommentar" gt={gt.comment} />}
+    </div>
+  )
+}
+
+/** Engine (automatic) detail block — reused by matched + extra rows. */
+function EngineDetailBlock({ engine, clarStatus, projectId }: {
+  engine: HazardSummary; clarStatus?: HazardClarStatus; projectId?: string
+}) {
+  return (
+    <div className="space-y-2">
+      <div className="font-semibold text-purple-700 dark:text-purple-400 uppercase text-[10px]">Engine (automatisch)</div>
+      <DetailRow label="Gefaehrdung" gt={engine.name} />
+      <DetailRow label="Szenario" gt={engine.scenario || extractScenario(engine.description) || '-'} />
+      <DetailRow label="Gefahrenstelle" gt={engine.zone || '-'} />
+      {engine.lifecycle_phase && (
+        <DetailRow label="Lebensphasen" gt={formatLifecycles(engine.lifecycle_phase)} />
+      )}
+      <DetailRow label="Moeglicher Schaden" gt={engine.possible_harm || '-'} />
+      <DetailRow label="Trigger" gt={engine.trigger_event || '-'} />
+      {engine.affected_person && (
+        <DetailRow label="Betroffene Personen" gt={engine.affected_person} />
+      )}
+      {engine.mitigations && engine.mitigations.length > 0 ? (
+        <DetailRow label="Massnahmen" gt={engine.mitigations.join('\n')} multiline />
+      ) : (
+        <DetailRow label="Massnahmen" gt="(keine zugeordnet)" />
+      )}
+      {clarStatus && clarStatus.total > 0 && (
+        <ClarificationBanner status={clarStatus} projectId={projectId} />
+      )}
+      {(() => {
+        const norms = extractEngineNorms(engine.description)
+        if (norms.length === 0) return null
+        return <DetailRow label="Referenzierte Normen" gt={norms.join(' | ')} />
+      })()}
+    </div>
+  )
+}
+
 /** Side-by-side detail comparison of GT entry vs. Engine hazard */
 function DetailComparison({ gt, engine, clarStatus, projectId }: {
   gt: GroundTruthEntry
@@ -184,53 +251,8 @@ function DetailComparison({ gt, engine, clarStatus, projectId }: {
 }) {
   return (
     <div className="grid grid-cols-2 gap-4 text-xs">
-      {/* Left: Ground Truth */}
-      <div className="space-y-2">
-        <div className="font-semibold text-red-700 dark:text-red-400 uppercase text-[10px]">Ground Truth (Fachmann)</div>
-        <DetailRow label="Gefaehrdung" gt={gt.hazard_type} />
-        <DetailRow label="Ursache" gt={gt.hazard_cause} />
-        <DetailRow label="Gefahrenstelle" gt={gt.component_zone} />
-        <DetailRow label="Lebensphasen" gt={gt.lifecycle_phases?.join(', ') || '-'} />
-        <DetailRow label="Risiko" gt={`F=${gt.risk_in.f} W=${gt.risk_in.w} P=${gt.risk_in.p} S=${gt.risk_in.s} => R=${gt.risk_in.r}`} />
-        {gt.risk_out.r > 0 && (
-          <DetailRow label="Restrisiko" gt={`F=${gt.risk_out.f} W=${gt.risk_out.w} P=${gt.risk_out.p} S=${gt.risk_out.s} => R=${gt.risk_out.r}`} />
-        )}
-        <DetailRow label="Massnahmen" gt={gt.measures?.join('\n') || '-'} multiline />
-        <DetailRow label="Typ" gt={gt.measure_type || '-'} />
-        {gt.norm_references?.length > 0 && (
-          <DetailRow label="Normen" gt={gt.norm_references.join(', ')} />
-        )}
-        <DetailRow label="Hinreichend" gt={gt.sufficient ? 'JA' : 'NEIN'} />
-        {gt.comment && <DetailRow label="Kommentar" gt={gt.comment} />}
-      </div>
-      {/* Right: Engine */}
-      <div className="space-y-2">
-        <div className="font-semibold text-purple-700 dark:text-purple-400 uppercase text-[10px]">Engine (automatisch)</div>
-        <DetailRow label="Gefaehrdung" gt={engine.name} />
-        <DetailRow label="Szenario" gt={engine.scenario || extractScenario(engine.description) || '-'} />
-        <DetailRow label="Gefahrenstelle" gt={engine.zone || '-'} />
-        {engine.lifecycle_phase && (
-          <DetailRow label="Lebensphasen" gt={formatLifecycles(engine.lifecycle_phase)} />
-        )}
-        <DetailRow label="Moeglicher Schaden" gt={engine.possible_harm || '-'} />
-        <DetailRow label="Trigger" gt={engine.trigger_event || '-'} />
-        {engine.affected_person && (
-          <DetailRow label="Betroffene Personen" gt={engine.affected_person} />
-        )}
-        {engine.mitigations && engine.mitigations.length > 0 ? (
-          <DetailRow label="Massnahmen" gt={engine.mitigations.join('\n')} multiline />
-        ) : (
-          <DetailRow label="Massnahmen" gt="(keine zugeordnet)" />
-        )}
-        {clarStatus && clarStatus.total > 0 && (
-          <ClarificationBanner status={clarStatus} projectId={projectId} />
-        )}
-        {(() => {
-          const norms = extractEngineNorms(engine.description)
-          if (norms.length === 0) return null
-          return <DetailRow label="Referenzierte Normen" gt={norms.join(' | ')} />
-        })()}
-      </div>
+      <GTDetailBlock gt={gt} />
+      <EngineDetailBlock engine={engine} clarStatus={clarStatus} projectId={projectId} />
     </div>
   )
 }
@@ -310,6 +332,7 @@ function DetailRow({ label, gt, multiline }: { label: string; gt: string; multil
 }
 
 function MissingTable({ entries }: { entries: GroundTruthEntry[] }) {
+  const [expanded, setExpanded] = useState<Record<number, boolean>>({})
   if (entries.length === 0) return <EmptyState text="Keine fehlenden Gefaehrdungen" />
   return (
     <table className="w-full text-xs">
@@ -324,22 +347,37 @@ function MissingTable({ entries }: { entries: GroundTruthEntry[] }) {
         </tr>
       </thead>
       <tbody className="divide-y divide-gray-100 dark:divide-gray-700">
-        {entries.map((e, i) => (
-          <tr key={i} className="hover:bg-red-50/50">
-            <td className="px-3 py-2 text-gray-400">{e.nr}</td>
-            <td className="px-3 py-2 font-medium text-gray-800 dark:text-gray-200">{e.hazard_type}</td>
-            <td className="px-3 py-2 text-gray-600 truncate max-w-[200px]">{e.hazard_cause}</td>
-            <td className="px-3 py-2 text-gray-500">{e.component_zone}</td>
-            <td className="px-3 py-2 text-center"><RiskBadge risk={e.risk_in.r} /></td>
-            <td className="px-3 py-2 text-gray-500">{e.measure_type}</td>
-          </tr>
-        ))}
+        {entries.map((e, i) => {
+          const isOpen = expanded[i]
+          return (
+            <React.Fragment key={i}>
+              <tr className="hover:bg-red-50/50 cursor-pointer" onClick={() => setExpanded(p => ({ ...p, [i]: !p[i] }))}>
+                <td className="px-3 py-2 text-gray-400">
+                  <div className="flex items-center gap-1"><Chevron open={isOpen} />{e.nr}</div>
+                </td>
+                <td className="px-3 py-2 font-medium text-gray-800 dark:text-gray-200">{e.hazard_type}</td>
+                <td className="px-3 py-2 text-gray-600 truncate max-w-[200px]">{e.hazard_cause}</td>
+                <td className="px-3 py-2 text-gray-500">{e.component_zone}</td>
+                <td className="px-3 py-2 text-center"><RiskBadge risk={e.risk_in.r} /></td>
+                <td className="px-3 py-2 text-gray-500">{e.measure_type}</td>
+              </tr>
+              {isOpen && (
+                <tr className="bg-gray-50/70 dark:bg-gray-850">
+                  <td colSpan={6} className="px-4 py-3"><GTDetailBlock gt={e} /></td>
+                </tr>
+              )}
+            </React.Fragment>
+          )
+        })}
       </tbody>
     </table>
   )
 }
 
-function ExtraTable({ entries }: { entries: HazardSummary[] }) {
+function ExtraTable({ entries, clarStatusByHazard, projectId }: {
+  entries: HazardSummary[]; clarStatusByHazard: Record<string, HazardClarStatus>; projectId?: string
+}) {
+  const [expanded, setExpanded] = useState<Record<number, boolean>>({})
   if (entries.length === 0) return <EmptyState text="Keine zusaetzlichen Engine-Gefaehrdungen" />
   return (
     <table className="w-full text-xs">
@@ -351,13 +389,27 @@ function ExtraTable({ entries }: { entries: HazardSummary[] }) {
         </tr>
       </thead>
       <tbody className="divide-y divide-gray-100 dark:divide-gray-700">
-        {entries.map((e, i) => (
-          <tr key={i} className="hover:bg-gray-50 dark:hover:bg-gray-700/30">
-            <td className="px-3 py-2 text-gray-800 dark:text-gray-200">{e.name}</td>
-            <td className="px-3 py-2 text-gray-500">{e.category}</td>
-            <td className="px-3 py-2 text-gray-400">{e.zone || '-'}</td>
-          </tr>
-        ))}
+        {entries.map((e, i) => {
+          const isOpen = expanded[i]
+          return (
+            <React.Fragment key={i}>
+              <tr className="hover:bg-gray-50 dark:hover:bg-gray-700/30 cursor-pointer" onClick={() => setExpanded(p => ({ ...p, [i]: !p[i] }))}>
+                <td className="px-3 py-2 text-gray-800 dark:text-gray-200">
+                  <div className="flex items-center gap-1"><Chevron open={isOpen} />{e.name}</div>
+                </td>
+                <td className="px-3 py-2 text-gray-500">{e.category}</td>
+                <td className="px-3 py-2 text-gray-400">{e.zone || '-'}</td>
+              </tr>
+              {isOpen && (
+                <tr className="bg-gray-50/70 dark:bg-gray-850">
+                  <td colSpan={3} className="px-4 py-3">
+                    <EngineDetailBlock engine={e} clarStatus={clarStatusByHazard[e.id]} projectId={projectId} />
+                  </td>
+                </tr>
+              )}
+            </React.Fragment>
+          )
+        })}
       </tbody>
     </table>
   )

admin-compliance/app/sdk/iace/[projectId]/benchmark/_components/RiskComparison.tsx

@@ -0,0 +1,100 @@
+'use client'
+
+import type { RiskComparisonPair, RiskAgreement } from '../_hooks/useBenchmark'
+
+type Ampel = 'green' | 'yellow' | 'red'
+
+// EN-62061-style risk number R = S * (F + W + P) → traffic light (like the Excel).
+function ampelEN(r: number): Ampel {
+  if (r >= 30) return 'red'
+  if (r >= 18) return 'yellow'
+  return 'green'
+}
+
+function ampelBand(band: string): Ampel {
+  if (band === 'sehr hoch' || band === 'hoch') return 'red'
+  if (band === 'wesentlich' || band === 'moeglich') return 'yellow'
+  return 'green'
+}
+
+const cellColor: Record<Ampel, string> = {
+  red: 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300',
+  yellow: 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300',
+  green: 'bg-green-100 text-green-700 dark:bg-green-900/40 dark:text-green-300',
+}
+
+function pctColor(p: number): Ampel {
+  if (p >= 80) return 'green'
+  if (p >= 50) return 'yellow'
+  return 'red'
+}
+
+function Stat({ label, pct }: { label: string; pct: number }) {
+  const c = pctColor(pct)
+  return (
+    <div className={`rounded-lg border-2 p-3 text-center ${c === 'green' ? 'border-green-200 dark:border-green-800' : c === 'yellow' ? 'border-yellow-200 dark:border-yellow-800' : 'border-red-200 dark:border-red-800'}`}>
+      <div className={`text-xl font-bold ${c === 'green' ? 'text-green-600' : c === 'yellow' ? 'text-yellow-600' : 'text-red-600'}`}>{Math.round(pct)}%</div>
+      <div className="text-[10px] text-gray-500 mt-0.5">{label}</div>
+    </div>
+  )
+}
+
+export function RiskComparison({ pairs, agreement }: { pairs?: RiskComparisonPair[]; agreement?: RiskAgreement }) {
+  if (!pairs || pairs.length === 0) return null
+
+  return (
+    <div className="bg-white dark:bg-gray-800 rounded-lg border border-gray-200 dark:border-gray-700 p-4 space-y-4">
+      <div>
+        <h3 className="text-sm font-semibold text-gray-700 dark:text-gray-300">Risikozahlen-Vergleich (Fachmann vs. Tool)</h3>
+        <p className="text-xs text-gray-500 mt-0.5">
+          R = S × (F + W + P), Ampel wie in der Excel. Fine-Kinney (P×E×C) als zweite, US-anerkannte Bewertung.
+        </p>
+      </div>
+
+      {agreement && agreement.n > 0 && (
+        <div className="grid grid-cols-2 md:grid-cols-5 gap-3">
+          <Stat label="Schwere S ±1" pct={agreement.severity_within1} />
+          <Stat label="Haeufigkeit F ±1" pct={agreement.frequency_within1} />
+          <Stat label="Wahrsch. W ±1" pct={agreement.probability_within1} />
+          <Stat label="Vermeidb. P ±1" pct={agreement.avoidance_within1} />
+          <Stat label="Ranking (FK)" pct={agreement.rank_concordance} />
+        </div>
+      )}
+
+      <div className="overflow-x-auto">
+        <table className="w-full text-xs">
+          <thead>
+            <tr className="text-gray-500 border-b border-gray-200 dark:border-gray-700">
+              <th className="text-left py-1.5 px-2">Gefaehrdung</th>
+              <th className="px-1 text-center" colSpan={5}>Fachmann · S F W P <strong>R</strong></th>
+              <th className="px-1 text-center border-l border-gray-200 dark:border-gray-700" colSpan={5}>Tool · S F W P <strong>R</strong> / FK</th>
+            </tr>
+          </thead>
+          <tbody>
+            {pairs.map((p, i) => {
+              const engR = p.eng_severity * (p.eng_frequency + p.eng_probability + p.eng_avoidance)
+              return (
+                <tr key={i} className="border-b border-gray-100 dark:border-gray-700/50">
+                  <td className="py-1 px-2 text-gray-700 dark:text-gray-300">{p.hazard_name || '—'}</td>
+                  <td className="text-center text-gray-500">{p.gt_severity}</td>
+                  <td className="text-center text-gray-500">{p.gt_frequency}</td>
+                  <td className="text-center text-gray-500">{p.gt_probability}</td>
+                  <td className="text-center text-gray-500">{p.gt_avoidance}</td>
+                  <td className={`text-center font-bold rounded ${cellColor[ampelEN(p.gt_risk)]}`}>{p.gt_risk}</td>
+                  <td className="text-center text-gray-500 border-l border-gray-200 dark:border-gray-700">{p.eng_severity}</td>
+                  <td className="text-center text-gray-500">{p.eng_frequency}</td>
+                  <td className="text-center text-gray-500">{p.eng_probability}</td>
+                  <td className="text-center text-gray-500">{p.eng_avoidance}</td>
+                  <td className="text-center">
+                    <span className={`inline-block font-bold rounded px-1.5 ${cellColor[ampelEN(engR)]}`}>{engR}</span>
+                    <span className={`ml-1 inline-block rounded px-1 ${cellColor[ampelBand(p.fk_band)]}`} title={`Fine-Kinney ${p.fk_band}`}>FK&nbsp;{Math.round(p.fk_score)}</span>
+                  </td>
+                </tr>
+              )
+            })}
+          </tbody>
+        </table>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/iace/[projectId]/benchmark/_hooks/useBenchmark.ts

@@ -48,6 +48,20 @@ export interface CategoryScore {
   category: string; gt_count: number; match_count: number; coverage: number
 }
 
+export interface RiskComparisonPair {
+  hazard_name: string
+  gt_severity: number; gt_frequency: number; gt_probability: number; gt_avoidance: number; gt_risk: number
+  eng_severity: number; eng_frequency: number; eng_probability: number; eng_avoidance: number
+  fk_score: number; fk_band: string
+}
+
+export interface RiskAgreement {
+  n: number
+  severity_within1: number; frequency_within1: number
+  probability_within1: number; avoidance_within1: number
+  rank_concordance: number
+}
+
 export interface BenchmarkResult {
   coverage_score: number
   measure_coverage: number
@@ -58,6 +72,8 @@ export interface BenchmarkResult {
   extra_in_engine: HazardSummary[]
   category_breakdown: CategoryScore[]
   risk_rank_pairs: { gt_rank: number; engine_rank: number; hazard_name: string; gt_risk_score: number }[]
+  risk_comparison?: RiskComparisonPair[]
+  risk_agreement?: RiskAgreement
 }
 
 interface UseBenchmarkReturn {

admin-compliance/app/sdk/iace/[projectId]/benchmark/page.tsx

@@ -6,6 +6,7 @@ import { useBenchmark } from './_hooks/useBenchmark'
 import { GTImportForm } from './_components/GTImportForm'
 import { HazardComparisonTable } from './_components/HazardComparisonTable'
 import { CategoryBreakdown } from './_components/CategoryBreakdown'
+import { RiskComparison } from './_components/RiskComparison'
 
 export default function BenchmarkPage() {
   const { projectId } = useParams<{ projectId: string }>()
@@ -102,6 +103,9 @@ export default function BenchmarkPage() {
           {/* Category Breakdown */}
           <CategoryBreakdown breakdown={result.category_breakdown || []} />
 
+          {/* Risk-number comparison (tool vs professional) with traffic lights */}
+          <RiskComparison pairs={result.risk_comparison} agreement={result.risk_agreement} />
+
           {/* Hazard Comparison Table */}
           <HazardComparisonTable
             matched={result.matched_pairs || []}

admin-compliance/app/sdk/iace/[projectId]/fmea/_hooks/useFMEA.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, it } from 'vitest'
+import { calculateAP } from './useFMEA'
+
+describe('calculateAP — AIAG-VDA 2019 Handbook Action Priority', () => {
+  it('returns H for severity 10 with mid occurrence', () => {
+    expect(calculateAP(10, 5, 5)).toBe('H')
+  })
+
+  it('returns H for severity 9 with low detection', () => {
+    expect(calculateAP(9, 4, 7)).toBe('H')
+  })
+
+  it('returns M for severity 9 with low occurrence and good detection', () => {
+    expect(calculateAP(9, 2, 5)).toBe('M')
+  })
+
+  it('returns L for severity 9 with very low occurrence and detection', () => {
+    expect(calculateAP(9, 1, 4)).toBe('L')
+  })
+
+  it('returns H for severity 7 with high occurrence', () => {
+    expect(calculateAP(7, 5, 1)).toBe('H')
+  })
+
+  it('returns M for severity 7 with mid occurrence', () => {
+    expect(calculateAP(7, 3, 5)).toBe('M')
+  })
+
+  it('returns L for low-severity well-controlled mode', () => {
+    expect(calculateAP(3, 1, 1)).toBe('L')
+  })
+
+  it('returns L for severity 5 with very low occurrence and detection', () => {
+    expect(calculateAP(5, 1, 1)).toBe('L')
+  })
+})

admin-compliance/app/sdk/iace/[projectId]/fmea/_hooks/useFMEA.ts

@@ -156,5 +156,52 @@ export function useFMEA(projectId: string) {
   // Get unique components for the suggest button
   const components = [...new Map(rows.map((r) => [r.component.id, r.component])).values()]
 
-  return { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions }
+  /**
+   * Accept a suggested FM: build an FMEA row from the FM defaults, prepend it
+   * to the table state, and remove the FM from the suggestion list.
+   * Returns false if the (component, fm.id) combo already exists in rows.
+   */
+  function acceptSuggestion(fm: FailureMode, componentId: string): boolean {
+    const comp = components.find((c) => c.id === componentId)
+    if (!comp) return false
+    const dup = rows.find((r) => r.component.id === componentId && r.failureMode.id === fm.id)
+    if (dup) {
+      // Still drop the suggestion so the UI does not keep offering it.
+      setSuggestions((prev) => prev.filter((s) => s.id !== fm.id))
+      return false
+    }
+    const s = fm.default_severity || 5
+    const o = fm.default_occurrence || 5
+    const d = fm.default_detection || 5
+    const newRow: FMEARow = {
+      component: comp,
+      failureMode: fm,
+      severity: s,
+      occurrence: o,
+      detection: d,
+      rpz: s * o * d,
+      ap: calculateAP(s, o, d),
+    }
+    setRows((prev) => [newRow, ...prev].sort((a, b) => b.rpz - a.rpz))
+    setSuggestions((prev) => prev.filter((sg) => sg.id !== fm.id))
+    return true
+  }
+
+  function rejectSuggestion(fmId: string) {
+    setSuggestions((prev) => prev.filter((sg) => sg.id !== fmId))
+  }
+
+  return {
+    rows,
+    loading,
+    stats,
+    components,
+    suggestFMs,
+    suggesting,
+    suggestions,
+    suggestSource,
+    setSuggestions,
+    acceptSuggestion,
+    rejectSuggestion,
+  }
 }

admin-compliance/app/sdk/iace/[projectId]/fmea/page.tsx

@@ -1,6 +1,6 @@
 'use client'
 
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
 import { useParams } from 'next/navigation'
 import { useFMEA, type FMEARow } from './_hooks/useFMEA'
 
@@ -27,8 +27,17 @@ function rpzLabel(rpz: number): string {
 
 export default function FMEAPage() {
   const { projectId } = useParams<{ projectId: string }>()
-  const { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions } = useFMEA(projectId)
+  const { rows, loading, stats, components, suggestFMs, suggesting, suggestions, suggestSource, setSuggestions, acceptSuggestion, rejectSuggestion } = useFMEA(projectId)
   const [suggestComp, setSuggestComp] = useState<string | null>(null)
+  const [acceptedCount, setAcceptedCount] = useState(0)
+
+  // Reset accepted-count when a fresh suggestion run is loaded or the panel closes.
+  useEffect(() => {
+    if (suggesting) setAcceptedCount(0)
+  }, [suggesting])
+  useEffect(() => {
+    if (suggestions.length === 0) setAcceptedCount(0)
+  }, [suggestions.length])
 
   if (loading) {
     return (
@@ -97,26 +106,60 @@ export default function FMEAPage() {
       {suggestions.length > 0 && (
         <div className="bg-purple-50 dark:bg-purple-900/20 border border-purple-200 dark:border-purple-800 rounded-xl p-4">
           <div className="flex items-center justify-between mb-3">
-            <h3 className="text-sm font-semibold text-purple-800 dark:text-purple-300">
-              KI-Vorschlaege ({suggestions.length}) — {suggestSource === 'llm' ? 'LLM-generiert' : 'Bibliothek'}
-            </h3>
+            <div>
+              <h3 className="text-sm font-semibold text-purple-800 dark:text-purple-300">
+                KI-Vorschlaege ({suggestions.length}) — {suggestSource === 'llm' ? 'LLM-generiert' : 'Bibliothek-Fallback'}
+              </h3>
+              {acceptedCount > 0 && (
+                <div className="text-xs text-green-700 dark:text-green-400 mt-0.5">
+                  {acceptedCount} Vorschlag{acceptedCount > 1 ? 'e' : ''} uebernommen
+                </div>
+              )}
+            </div>
             <button onClick={() => setSuggestions([])} className="text-xs text-purple-600 hover:text-purple-800">Schliessen</button>
           </div>
           <div className="space-y-2">
-            {suggestions.map((fm, i) => (
-              <div key={i} className="flex items-center justify-between bg-white dark:bg-gray-800 rounded-lg p-3 border border-purple-100 dark:border-purple-800">
-                <div className="flex-1 min-w-0">
-                  <div className="text-sm font-medium text-gray-900 dark:text-white">{fm.name_de}</div>
-                  <div className="text-xs text-gray-500 mt-0.5">{fm.effect}</div>
-                  <div className="flex gap-3 mt-1 text-xs text-gray-400">
-                    <span>S={fm.default_severity}</span>
-                    <span>O={fm.default_occurrence}</span>
-                    <span>D={fm.default_detection}</span>
-                    <span className="font-bold">RPZ={fm.default_severity * fm.default_occurrence * fm.default_detection}</span>
+            {suggestions.map((fm) => {
+              const rpz = fm.default_severity * fm.default_occurrence * fm.default_detection
+              return (
+                <div key={fm.id} className="flex items-start justify-between gap-3 bg-white dark:bg-gray-800 rounded-lg p-3 border border-purple-100 dark:border-purple-800">
+                  <div className="flex-1 min-w-0">
+                    <div className="text-sm font-medium text-gray-900 dark:text-white">{fm.name_de}</div>
+                    <div className="text-xs text-gray-500 mt-0.5">{fm.effect}</div>
+                    <div className="flex gap-3 mt-1 text-xs text-gray-400">
+                      <span>S={fm.default_severity}</span>
+                      <span>O={fm.default_occurrence}</span>
+                      <span>D={fm.default_detection}</span>
+                      <span className={`font-bold ${rpz > 200 ? 'text-red-600' : rpz > 100 ? 'text-orange-600' : 'text-gray-500'}`}>RPZ={rpz}</span>
+                    </div>
+                  </div>
+                  <div className="flex items-center gap-1.5 shrink-0">
+                    <button
+                      onClick={() => {
+                        if (!suggestComp) return
+                        const ok = acceptSuggestion(fm, suggestComp)
+                        if (ok) setAcceptedCount((c) => c + 1)
+                      }}
+                      disabled={!suggestComp}
+                      className="px-3 py-1.5 bg-green-600 hover:bg-green-700 disabled:opacity-50 disabled:cursor-not-allowed text-white text-xs font-medium rounded transition-colors"
+                      title="Diesen Fehlermodus der FMEA-Tabelle hinzufuegen"
+                    >
+                      Uebernehmen
+                    </button>
+                    <button
+                      onClick={() => rejectSuggestion(fm.id)}
+                      className="px-3 py-1.5 bg-gray-200 dark:bg-gray-700 hover:bg-gray-300 dark:hover:bg-gray-600 text-gray-700 dark:text-gray-300 text-xs font-medium rounded transition-colors"
+                      title="Diesen Vorschlag verwerfen"
+                    >
+                      Ablehnen
+                    </button>
                   </div>
                 </div>
-              </div>
-            ))}
+              )
+            })}
+          </div>
+          <div className="text-[10px] text-purple-700 dark:text-purple-400 mt-3">
+            Hinweis: Uebernommene Fehlermodi erscheinen sofort in der Tabelle unten. Bewertung (S/O/D) ist anpassbar — Standardwerte aus der Bibliothek.
           </div>
         </div>
       )}

admin-compliance/app/sdk/iace/[projectId]/hazards/_components/HazardTable.tsx

@@ -39,11 +39,19 @@ export function HazardTable({ hazards, lifecyclePhases, onDelete }: {
               .map((hazard) => (
                 <tr key={hazard.id} className="hover:bg-gray-50 dark:hover:bg-gray-750 transition-colors">
                   <td className="px-4 py-3">
-                    <div className="flex items-center gap-2">
+                    <div className="flex items-center gap-2 flex-wrap">
                       <div className="text-sm font-medium text-gray-900 dark:text-white">{hazard.name}</div>
                       {hazard.name.startsWith('Auto:') && (
                         <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-green-100 text-green-700">Auto</span>
                       )}
+                      {(hazard as { pattern_id?: string }).pattern_id && (
+                        <span
+                          className="inline-flex items-center px-1.5 py-0.5 rounded text-[10px] font-mono font-medium bg-slate-100 text-slate-700 border border-slate-200 cursor-help"
+                          title={`Quelle: BreakPilot IACE Pattern-Engine (${(hazard as { pattern_id?: string }).pattern_id}). Lizenzregel R3 — Eigenwerk, kein externer Lizenz-Footer noetig. Pattern-Definition mit Norm-Referenzen siehe Library.`}
+                        >
+                          {(hazard as { pattern_id?: string }).pattern_id} · R3
+                        </span>
+                      )}
                     </div>
                     {hazard.description && (
                       <div className="text-xs text-gray-500 truncate max-w-[250px]">{hazard.description}</div>

admin-compliance/app/sdk/iace/[projectId]/hazards/_components/LLMGapReviewModal.tsx

@@ -0,0 +1,218 @@
+'use client'
+
+// LLM Gap-Review Modal — Task #8.
+//
+// Triggers POST /projects/:id/llm-gap-review on mount and lists the
+// LLM's gap suggestions with an Adopt / Reject UX. Adoption goes through
+// the regular CreateHazard / CreateMitigation endpoints — the modal
+// itself never mutates project state on its own.
+
+import { useEffect, useState } from 'react'
+
+type Suggestion = {
+  kind: 'hazard' | 'mitigation'
+  title: string
+  description: string
+  category?: string
+  hazard_ref?: string
+  pattern_ref?: string
+  norm_refs?: string[]
+  confidence?: 'high' | 'medium' | 'low'
+  rationale?: string
+}
+
+type Response = {
+  project_id: string
+  source: 'llm_gap_review' | 'fallback_static'
+  model?: string
+  suggestions: Suggestion[]
+  input_summary: {
+    hazard_count: number
+    mitigation_count: number
+    limits_form_fields: number
+  }
+}
+
+const CONF_COLOR: Record<string, string> = {
+  high: 'bg-emerald-100 text-emerald-800 border-emerald-200',
+  medium: 'bg-amber-100 text-amber-800 border-amber-200',
+  low: 'bg-slate-100 text-slate-600 border-slate-200',
+}
+
+interface Props {
+  projectId: string
+  onClose: () => void
+  onAdoptHazard?: (s: Suggestion) => Promise<void>
+  onAdoptMitigation?: (s: Suggestion) => Promise<void>
+}
+
+export function LLMGapReviewModal({ projectId, onClose, onAdoptHazard, onAdoptMitigation }: Props) {
+  const [data, setData] = useState<Response | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+  const [adopted, setAdopted] = useState<Set<number>>(new Set())
+  const [rejected, setRejected] = useState<Set<number>>(new Set())
+  const [adopting, setAdopting] = useState<number | null>(null)
+
+  useEffect(() => {
+    setLoading(true)
+    fetch(`/api/sdk/v1/iace/projects/${projectId}/llm-gap-review`, { method: 'POST' })
+      .then((r) => (r.ok ? r.json() : Promise.reject(`HTTP ${r.status}`)))
+      .then(setData)
+      .catch((e) => setError(String(e)))
+      .finally(() => setLoading(false))
+  }, [projectId])
+
+  async function adopt(idx: number) {
+    if (!data) return
+    const s = data.suggestions[idx]
+    setAdopting(idx)
+    try {
+      if (s.kind === 'hazard' && onAdoptHazard) await onAdoptHazard(s)
+      else if (s.kind === 'mitigation' && onAdoptMitigation) await onAdoptMitigation(s)
+      setAdopted((prev) => new Set(prev).add(idx))
+    } catch (e) {
+      setError(`Adopt fehlgeschlagen: ${e}`)
+    } finally {
+      setAdopting(null)
+    }
+  }
+
+  function reject(idx: number) {
+    setRejected((prev) => new Set(prev).add(idx))
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50">
+      <div className="bg-white rounded-xl shadow-2xl w-full max-w-3xl max-h-[90vh] overflow-hidden flex flex-col">
+        <div className="px-6 py-4 border-b border-gray-200 flex items-center justify-between flex-shrink-0">
+          <div>
+            <h2 className="text-lg font-semibold text-gray-900">KI-Gap-Review</h2>
+            <p className="text-xs text-gray-500 mt-0.5">
+              LLM-gestuetzte Suche nach fehlenden Gefaehrdungen und Schutzmassnahmen — Vorschlaege sind unverbindlich bis explizit uebernommen.
+            </p>
+          </div>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-2xl leading-none">&times;</button>
+        </div>
+
+        <div className="flex-1 overflow-y-auto p-6 space-y-3">
+          {loading && (
+            <div className="text-center py-12">
+              <div className="animate-spin rounded-full h-10 w-10 border-b-2 border-purple-600 mx-auto" />
+              <p className="text-sm text-gray-500 mt-3">LLM laeuft (Qwen/Claude). Das kann bis zu 30 Sekunden dauern.</p>
+            </div>
+          )}
+          {error && (
+            <div className="bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">
+              Fehler: {error}
+            </div>
+          )}
+          {data && (
+            <>
+              <div className="text-xs text-gray-500 flex items-center gap-3 border-b border-gray-100 pb-2">
+                <span>
+                  Eingabe: {data.input_summary.hazard_count} Gefaehrdungen,{' '}
+                  {data.input_summary.mitigation_count} Massnahmen, {data.input_summary.limits_form_fields} Grenzen-Felder
+                </span>
+                <span className="text-gray-300">·</span>
+                <span>
+                  Quelle: {data.source === 'llm_gap_review'
+                    ? `LLM (${data.model ?? 'unbekannt'})`
+                    : 'Statische Fallback-Liste'}
+                </span>
+              </div>
+
+              {data.suggestions.length === 0 && (
+                <div className="text-center text-gray-500 py-12 text-sm">
+                  Keine Lueckenvorschlaege. Die deterministische Pattern-Engine hat vermutlich bereits alle Standard-Gefaehrdungen abgedeckt.
+                </div>
+              )}
+
+              {data.suggestions.map((s, i) => {
+                const isAdopted = adopted.has(i)
+                const isRejected = rejected.has(i)
+                const isWorking = adopting === i
+                return (
+                  <div
+                    key={i}
+                    className={`border rounded-lg p-3 ${
+                      isAdopted ? 'border-emerald-200 bg-emerald-50' :
+                      isRejected ? 'border-slate-200 bg-slate-50 opacity-50' :
+                      'border-gray-200 bg-white'
+                    }`}
+                  >
+                    <div className="flex items-start justify-between gap-3">
+                      <div className="flex-1 min-w-0">
+                        <div className="flex items-center gap-2 flex-wrap mb-1">
+                          <span className={`px-1.5 py-0.5 text-[10px] rounded font-medium ${
+                            s.kind === 'hazard' ? 'bg-red-100 text-red-700' : 'bg-blue-100 text-blue-700'
+                          }`}>
+                            {s.kind === 'hazard' ? 'Gefaehrdung' : 'Massnahme'}
+                          </span>
+                          {s.category && (
+                            <span className="px-1.5 py-0.5 text-[10px] rounded bg-gray-100 text-gray-700">{s.category}</span>
+                          )}
+                          {s.confidence && (
+                            <span className={`px-1.5 py-0.5 text-[10px] rounded border ${CONF_COLOR[s.confidence]}`}>
+                              {s.confidence}
+                            </span>
+                          )}
+                          {(s.norm_refs ?? []).map((n) => (
+                            <span key={n} className="px-1.5 py-0.5 text-[10px] rounded bg-indigo-50 text-indigo-700 font-mono">{n}</span>
+                          ))}
+                          {s.pattern_ref && (
+                            <span className="px-1.5 py-0.5 text-[10px] rounded bg-purple-50 text-purple-700 font-mono">{s.pattern_ref}</span>
+                          )}
+                        </div>
+                        <h3 className="text-sm font-semibold text-gray-900">{s.title}</h3>
+                        <p className="text-xs text-gray-600 mt-1">{s.description}</p>
+                        {s.hazard_ref && (
+                          <p className="text-[11px] text-gray-500 mt-1">Bezogen auf: <em>{s.hazard_ref}</em></p>
+                        )}
+                        {s.rationale && (
+                          <p className="text-[11px] text-gray-400 mt-1 italic">{s.rationale}</p>
+                        )}
+                      </div>
+                      <div className="flex flex-col gap-1 flex-shrink-0">
+                        {!isAdopted && !isRejected && (
+                          <>
+                            <button
+                              onClick={() => adopt(i)}
+                              disabled={isWorking}
+                              className="px-3 py-1 text-xs bg-emerald-600 text-white rounded hover:bg-emerald-700 disabled:opacity-50"
+                            >
+                              {isWorking ? '…' : 'Uebernehmen'}
+                            </button>
+                            <button
+                              onClick={() => reject(i)}
+                              className="px-3 py-1 text-xs text-gray-600 border border-gray-300 rounded hover:bg-gray-50"
+                            >
+                              Verwerfen
+                            </button>
+                          </>
+                        )}
+                        {isAdopted && <span className="text-xs text-emerald-700 font-medium">✓ Uebernommen</span>}
+                        {isRejected && <span className="text-xs text-gray-500">Verworfen</span>}
+                      </div>
+                    </div>
+                  </div>
+                )
+              })}
+            </>
+          )}
+        </div>
+
+        <div className="px-6 py-3 border-t border-gray-200 bg-gray-50 flex items-center justify-between flex-shrink-0">
+          <p className="text-[11px] text-gray-500">
+            Hinweis: LLM-Vorschlaege sind NICHT die deterministische Engine-Output. Jede Uebernahme wird als <code>source=llm_gap_review</code> markiert.
+          </p>
+          <button onClick={onClose} className="px-3 py-1.5 text-sm border border-gray-300 rounded hover:bg-white">
+            Schliessen
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+export default LLMGapReviewModal

admin-compliance/app/sdk/iace/[projectId]/hazards/page.tsx

@@ -12,6 +12,7 @@ import type { ResidualFilter } from './_components/ResidualRiskPanel'
 import { LibraryModal } from './_components/LibraryModal'
 import { AutoSuggestPanel } from './_components/AutoSuggestPanel'
 import { CustomHazardModal } from './_components/CustomHazardModal'
+import { LLMGapReviewModal } from './_components/LLMGapReviewModal'
 import { useHazards } from './_hooks/useHazards'
 
 type ViewMode = 'list' | 'risk' | 'blocks'
@@ -22,6 +23,7 @@ export default function HazardsPage() {
   const h = useHazards(projectId)
   const [view, setView] = useState<ViewMode>('risk')
   const [showCustomModal, setShowCustomModal] = useState(false)
+  const [showGapReview, setShowGapReview] = useState(false)
   const [residualFilter, setResidualFilter] = useState<ResidualFilter>('all')
   const [decisions, setDecisions] = useState<Record<string, boolean | null>>({})
 
@@ -104,6 +106,15 @@ export default function HazardsPage() {
             </svg>
             Eigene Gefaehrdung
           </button>
+          <button
+            onClick={() => setShowGapReview(true)}
+            title="LLM (Qwen/Claude) prueft auf fehlende Gefaehrdungen und Massnahmen — Vorschlaege sind unverbindlich."
+            className="flex items-center gap-2 px-3 py-2 border border-indigo-300 text-indigo-700 rounded-lg hover:bg-indigo-50 transition-colors text-sm">
+            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" />
+            </svg>
+            KI-Gap-Review
+          </button>
           <button onClick={() => h.setShowForm(true)}
             className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors text-sm">
             <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
@@ -170,6 +181,13 @@ export default function HazardsPage() {
           onClose={() => setShowCustomModal(false)} />
       )}
 
+      {showGapReview && (
+        <LLMGapReviewModal
+          projectId={projectId}
+          onClose={() => setShowGapReview(false)}
+        />
+      )}
+
       {h.hazards.length > 0 ? (
         view === 'risk' ? (
           <>

admin-compliance/app/sdk/iace/[projectId]/risikobewertung/_components/RiskModelCard.tsx

@@ -0,0 +1,160 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+import type { HazardLite, RiskSuggestion } from '../_hooks/useRiskAssessment'
+
+function enLevel(idx: number): string {
+  if (idx >= 45) return 'kritisch'
+  if (idx >= 30) return 'hoch'
+  if (idx >= 18) return 'mittel'
+  if (idx >= 9) return 'gering'
+  return 'vernachlaessigbar'
+}
+
+function fkBand(score: number): string {
+  if (score > 400) return 'sehr hoch'
+  if (score > 200) return 'hoch'
+  if (score > 70) return 'wesentlich'
+  if (score > 20) return 'moeglich'
+  return 'gering'
+}
+
+function badgeColor(label: string): string {
+  switch (label) {
+    case 'kritisch':
+    case 'sehr hoch':
+      return 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300'
+    case 'hoch':
+      return 'bg-orange-100 text-orange-700 dark:bg-orange-900/40 dark:text-orange-300'
+    case 'mittel':
+    case 'wesentlich':
+      return 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300'
+    case 'gering':
+    case 'moeglich':
+      return 'bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300'
+    default:
+      return 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-300'
+  }
+}
+
+function Field({
+  label,
+  value,
+  step,
+  justification,
+  onChange,
+}: {
+  label: string
+  value: number
+  step?: number
+  justification: string
+  onChange: (v: number) => void
+}) {
+  return (
+    <div className="flex items-start gap-2">
+      <div className="flex-1">
+        <div className="text-xs font-medium text-gray-700 dark:text-gray-300">{label}</div>
+        <div className="text-[11px] text-gray-400 leading-tight" title={justification}>
+          {justification}
+        </div>
+      </div>
+      <input
+        type="number"
+        step={step || 1}
+        value={value}
+        onChange={(e) => onChange(parseFloat(e.target.value) || 0)}
+        className="w-16 px-2 py-1 text-sm rounded border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-800 text-right"
+      />
+    </div>
+  )
+}
+
+function Panel({
+  title,
+  formula,
+  score,
+  badge,
+  children,
+}: {
+  title: string
+  formula: string
+  score: number
+  badge: string
+  children: React.ReactNode
+}) {
+  return (
+    <div className="rounded-lg border border-gray-200 dark:border-gray-700 p-3 space-y-2">
+      <div className="flex items-center justify-between">
+        <div className="text-sm font-semibold text-gray-800 dark:text-gray-200">{title}</div>
+        <span className={`text-[11px] px-2 py-0.5 rounded-full ${badgeColor(badge)}`}>{badge}</span>
+      </div>
+      <div className="space-y-1.5">{children}</div>
+      <div className="pt-2 border-t border-gray-100 dark:border-gray-700 flex items-center justify-between">
+        <code className="text-[11px] text-gray-500">{formula}</code>
+        <span className="text-sm font-bold text-gray-900 dark:text-gray-100">
+          R = {Number.isInteger(score) ? score : score.toFixed(1)}
+        </span>
+      </div>
+    </div>
+  )
+}
+
+export function RiskModelCard({
+  hazard,
+  suggestion,
+}: {
+  hazard: HazardLite
+  suggestion?: RiskSuggestion
+}) {
+  const [en, setEn] = useState({ s: 0, f: 0, w: 0, p: 0 })
+  const [fk, setFk] = useState({ p: 0, e: 0, c: 0 })
+
+  useEffect(() => {
+    if (!suggestion) return
+    setEn({
+      s: suggestion.en62061.severity.value,
+      f: suggestion.en62061.frequency.value,
+      w: suggestion.en62061.probability.value,
+      p: suggestion.en62061.avoidance.value,
+    })
+    setFk({
+      p: suggestion.fine_kinney.probability.value,
+      e: suggestion.fine_kinney.exposure.value,
+      c: suggestion.fine_kinney.consequence.value,
+    })
+  }, [suggestion])
+
+  if (!suggestion) {
+    return (
+      <div className="rounded-xl border border-gray-200 dark:border-gray-700 p-4 text-sm text-gray-500">
+        {hazard.name} — keine Bewertung verfuegbar
+      </div>
+    )
+  }
+
+  const enScore = en.s * (en.f + en.w + en.p)
+  const fkScore = fk.p * fk.e * fk.c
+
+  return (
+    <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4 space-y-3">
+      <div className="flex items-center justify-between gap-3 flex-wrap">
+        <div className="font-semibold text-gray-900 dark:text-gray-100">{hazard.name}</div>
+        <span className="text-xs text-gray-400">Kontaktart: {suggestion.contact_mode}</span>
+      </div>
+      <div className="grid md:grid-cols-2 gap-4">
+        <Panel title="EN-62061-Stil" formula={suggestion.en62061.formula} score={enScore} badge={enLevel(enScore)}>
+          <Field label="Schwere S" value={en.s} justification={suggestion.en62061.severity.justification} onChange={(v) => setEn({ ...en, s: v })} />
+          <Field label="Haeufigkeit F" value={en.f} justification={suggestion.en62061.frequency.justification} onChange={(v) => setEn({ ...en, f: v })} />
+          <Field label="Wahrscheinlichkeit W" value={en.w} justification={suggestion.en62061.probability.justification} onChange={(v) => setEn({ ...en, w: v })} />
+          <Field label="Vermeidbarkeit P" value={en.p} justification={suggestion.en62061.avoidance.justification} onChange={(v) => setEn({ ...en, p: v })} />
+        </Panel>
+        <Panel title="Fine-Kinney (US)" formula={suggestion.fine_kinney.formula} score={fkScore} badge={fkBand(fkScore)}>
+          <Field label="Wahrscheinlichkeit P" value={fk.p} step={0.1} justification={suggestion.fine_kinney.probability.justification} onChange={(v) => setFk({ ...fk, p: v })} />
+          <Field label="Exposition E" value={fk.e} step={0.5} justification={suggestion.fine_kinney.exposure.justification} onChange={(v) => setFk({ ...fk, e: v })} />
+          <Field label="Konsequenz C" value={fk.c} justification={suggestion.fine_kinney.consequence.justification} onChange={(v) => setFk({ ...fk, c: v })} />
+        </Panel>
+      </div>
+      <p className="text-[11px] text-gray-400">{suggestion.note}</p>
+    </div>
+  )
+}

admin-compliance/app/sdk/iace/[projectId]/risikobewertung/_hooks/useRiskAssessment.ts

@@ -0,0 +1,85 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+
+export interface SuggestedValue {
+  value: number
+  justification: string
+}
+
+export interface RiskSuggestion {
+  hazard_id: string
+  contact_mode: string
+  en62061: {
+    severity: SuggestedValue
+    frequency: SuggestedValue
+    probability: SuggestedValue
+    avoidance: SuggestedValue
+    score: number
+    level: string
+    formula: string
+  }
+  fine_kinney: {
+    probability: SuggestedValue
+    exposure: SuggestedValue
+    consequence: SuggestedValue
+    score: number
+    band: string
+    action: string
+    formula: string
+  }
+  note: string
+}
+
+export interface HazardLite {
+  id: string
+  name: string
+  category: string
+  scenario?: string
+}
+
+export function useRiskAssessment(projectId: string) {
+  const [hazards, setHazards] = useState<HazardLite[]>([])
+  const [suggestions, setSuggestions] = useState<Record<string, RiskSuggestion>>({})
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      try {
+        const res = await fetch(`/api/sdk/v1/iace/projects/${projectId}/hazards`)
+        const json = res.ok ? await res.json() : {}
+        const hz: HazardLite[] = json.hazards || json || []
+        if (cancelled) return
+        setHazards(hz)
+        const entries = await Promise.all(
+          hz.map(async (h) => {
+            try {
+              const r = await fetch(
+                `/api/sdk/v1/iace/projects/${projectId}/hazards/${h.id}/risk-suggestion`,
+              )
+              return r.ok ? ([h.id, (await r.json()) as RiskSuggestion] as const) : null
+            } catch {
+              return null
+            }
+          }),
+        )
+        if (cancelled) return
+        const map: Record<string, RiskSuggestion> = {}
+        for (const e of entries) if (e) map[e[0]] = e[1]
+        setSuggestions(map)
+      } catch (err) {
+        console.error('Failed to load risk assessment:', err)
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => {
+      cancelled = true
+    }
+  }, [projectId])
+
+  return { hazards, suggestions, loading }
+}

admin-compliance/app/sdk/iace/[projectId]/risikobewertung/page.tsx

@@ -0,0 +1,41 @@
+'use client'
+
+import { useParams } from 'next/navigation'
+import { useRiskAssessment } from './_hooks/useRiskAssessment'
+import { RiskModelCard } from './_components/RiskModelCard'
+
+export default function RisikobewertungPage() {
+  const params = useParams<{ projectId: string }>()
+  const projectId = params.projectId
+  const { hazards, suggestions, loading } = useRiskAssessment(projectId)
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h1 className="text-2xl font-bold text-gray-900 dark:text-gray-100">Risikobewertung</h1>
+        <p className="text-sm text-gray-500 dark:text-gray-400 max-w-3xl mt-1">
+          Zwei Modelle pro Gefaehrdung: <strong>EN-62061-Stil</strong> (F/W/P/S) und{' '}
+          <strong>Fine-Kinney</strong> (P/E/C, US-anerkannt). BreakPilot schlaegt begruendete
+          Werte aus oeffentlichen Datenquellen vor (ESAW/NIOSH/OSHA) — passen Sie sie nach Ihrer
+          Erfahrung bzw. Ihren eigenen Normdaten an; das Tool rechnet die Formel live aus.
+        </p>
+      </div>
+
+      {loading && (
+        <div className="text-sm text-gray-500 dark:text-gray-400">Lade Gefaehrdungen…</div>
+      )}
+
+      {!loading && hazards.length === 0 && (
+        <div className="rounded-xl border border-dashed border-gray-300 dark:border-gray-700 p-6 text-sm text-gray-500">
+          Keine Gefaehrdungen vorhanden. Bitte zuerst im <strong>Hazard Log</strong> erzeugen.
+        </div>
+      )}
+
+      <div className="space-y-4">
+        {hazards.map((h) => (
+          <RiskModelCard key={h.id} hazard={h} suggestion={suggestions[h.id]} />
+        ))}
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/iace/[projectId]/tech-file/_components/ExportCIDBadge.tsx

@@ -0,0 +1,95 @@
+'use client'
+
+import { useState } from 'react'
+import CIDHistoryModal from '@/app/sdk/audit-timeline/_components/CIDHistoryModal'
+
+export interface LastExport {
+  cid: string
+  filename: string
+  size: number
+  format: string
+}
+
+interface Props {
+  lastExport: LastExport | null
+  onDismiss: () => void
+}
+
+function formatBytes(n: number): string {
+  if (n < 1024) return `${n} B`
+  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`
+  return `${(n / 1024 / 1024).toFixed(2)} MB`
+}
+
+export function ExportCIDBadge({ lastExport, onDismiss }: Props) {
+  const [showHistory, setShowHistory] = useState(false)
+  const [copied, setCopied] = useState(false)
+
+  if (!lastExport) return null
+
+  async function copyToClipboard() {
+    if (!lastExport) return
+    try {
+      await navigator.clipboard.writeText(lastExport.cid)
+      setCopied(true)
+      setTimeout(() => setCopied(false), 1500)
+    } catch {
+      // clipboard not available — silent
+    }
+  }
+
+  return (
+    <>
+      <div className="rounded-xl border border-emerald-200 bg-emerald-50 dark:border-emerald-800 dark:bg-emerald-900/20 p-4">
+        <div className="flex items-start gap-3">
+          <div className="rounded-full bg-emerald-500 p-1 flex-shrink-0 mt-0.5">
+            <svg className="w-4 h-4 text-white" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M5 13l4 4L19 7" />
+            </svg>
+          </div>
+          <div className="flex-1 min-w-0">
+            <div className="text-sm font-semibold text-emerald-900 dark:text-emerald-200">
+              CE-Akte exportiert und in DSMS archiviert
+            </div>
+            <div className="mt-1 text-xs text-emerald-800 dark:text-emerald-300">
+              {lastExport.filename} · {formatBytes(lastExport.size)} · Format {lastExport.format.toUpperCase()}
+            </div>
+            <div className="mt-2 flex items-center gap-2 flex-wrap">
+              <span className="text-[10px] uppercase tracking-wide text-emerald-700 dark:text-emerald-400 font-semibold">
+                CID
+              </span>
+              <code className="font-mono text-xs text-emerald-900 dark:text-emerald-100 bg-white/60 dark:bg-black/20 px-2 py-0.5 rounded select-all break-all">
+                {lastExport.cid}
+              </code>
+              <button
+                onClick={copyToClipboard}
+                className="text-[11px] text-emerald-700 hover:text-emerald-900 dark:text-emerald-400 dark:hover:text-emerald-200 underline"
+                title="CID in Zwischenablage kopieren"
+              >
+                {copied ? '✓ Kopiert' : 'Kopieren'}
+              </button>
+              <button
+                onClick={() => setShowHistory(true)}
+                className="text-[11px] text-emerald-700 hover:text-emerald-900 dark:text-emerald-400 dark:hover:text-emerald-200 underline"
+                title="DSMS-Versionsverlauf und Diffs anzeigen"
+              >
+                Verlauf anzeigen
+              </button>
+            </div>
+          </div>
+          <button
+            onClick={onDismiss}
+            className="text-emerald-600 hover:text-emerald-800 dark:text-emerald-400 dark:hover:text-emerald-200 p-1 flex-shrink-0"
+            title="Hinweis schliessen"
+            aria-label="Hinweis schliessen"
+          >
+            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          </button>
+        </div>
+      </div>
+      {showHistory && <CIDHistoryModal cid={lastExport.cid} onClose={() => setShowHistory(false)} />}
+    </>
+  )
+}

admin-compliance/app/sdk/iace/[projectId]/tech-file/page.tsx

@@ -4,6 +4,7 @@ import React, { useState, useEffect, useRef } from 'react'
 import { useParams } from 'next/navigation'
 import { TechFileEditor } from '@/components/sdk/iace/TechFileEditor'
 import { ReportGenerator } from './_components/ReportGenerator'
+import { ExportCIDBadge, type LastExport } from './_components/ExportCIDBadge'
 import { SECTION_TYPES, STATUS_CONFIG, EXPORT_FORMATS } from './_constants'
 
 interface TechFileSection {
@@ -116,6 +117,7 @@ export default function TechFilePage() {
   const [viewingSection, setViewingSection] = useState<TechFileSection | null>(null)
   const [exporting, setExporting] = useState(false)
   const [showExportMenu, setShowExportMenu] = useState(false)
+  const [lastExport, setLastExport] = useState<LastExport | null>(null)
   const exportMenuRef = useRef<HTMLDivElement>(null)
 
   // Close export menu when clicking outside
@@ -224,6 +226,19 @@ export default function TechFilePage() {
         a.click()
         document.body.removeChild(a)
         window.URL.revokeObjectURL(url)
+
+        // DSMS archive metadata is forwarded by the backend in X-DSMS-* headers
+        // when archiving succeeded. If headers are absent (DSMS gateway down)
+        // the export still works but no badge is shown.
+        const cid = res.headers.get('x-dsms-cid')
+        if (cid) {
+          setLastExport({
+            cid,
+            filename: res.headers.get('x-dsms-filename') || `CE-Akte-${projectId}${extension}`,
+            size: parseInt(res.headers.get('x-dsms-size') || '0', 10) || blob.size,
+            format,
+          })
+        }
       }
     } catch (err) {
       console.error('Failed to export:', err)
@@ -305,6 +320,9 @@ export default function TechFilePage() {
         </div>
       </div>
 
+      {/* DSMS-CID badge nach erfolgreichem Export */}
+      <ExportCIDBadge lastExport={lastExport} onDismiss={() => setLastExport(null)} />
+
       {/* Progress */}
       <div className="bg-white dark:bg-gray-800 rounded-xl border border-gray-200 dark:border-gray-700 p-4">
         <div className="flex items-center justify-between mb-2">

admin-compliance/app/sdk/iace/layout.tsx

@@ -13,6 +13,7 @@ const IACE_NAV_ITEMS = [
   { id: 'norms', label: 'Normenrecherche', href: '/norms', icon: 'book' },
   { id: 'components', label: 'Komponenten', href: '/components', icon: 'cube' },
   { id: 'hazards', label: 'Hazard Log', href: '/hazards', icon: 'warning' },
+  { id: 'risikobewertung', label: 'Risikobewertung', href: '/risikobewertung', icon: 'activity' },
   { id: 'mitigations', label: 'Massnahmen', href: '/mitigations', icon: 'shield' },
   { id: 'clarifications', label: 'Klärungen', href: '/clarifications', icon: 'chat' },
   { id: 'verification', label: 'Verifikation', href: '/verification', icon: 'check' },

admin-compliance/app/sdk/iace/library/_components/NormCrossRefPanel.tsx

@@ -0,0 +1,176 @@
+'use client'
+
+import React, { useState } from 'react'
+
+interface NormMapping {
+  region: string
+  identifier: string
+  relation: string
+  confidence: string
+  notes?: string
+  source_url?: string
+}
+
+interface CrossRefResponse {
+  norm_id: string
+  mappings: NormMapping[]
+  notes?: string
+  batch_id?: string
+}
+
+const RELATION_COLORS: Record<string, string> = {
+  identical: 'bg-green-100 dark:bg-green-900/30 text-green-700 dark:text-green-300',
+  equivalent: 'bg-blue-100 dark:bg-blue-900/30 text-blue-700 dark:text-blue-300',
+  partial: 'bg-yellow-100 dark:bg-yellow-900/30 text-yellow-700 dark:text-yellow-300',
+  supersedes: 'bg-purple-100 dark:bg-purple-900/30 text-purple-700 dark:text-purple-300',
+  superseded_by: 'bg-gray-200 dark:bg-gray-700 text-gray-600 dark:text-gray-400',
+}
+
+const CONFIDENCE_COLORS: Record<string, string> = {
+  verified: 'text-emerald-700 dark:text-emerald-300 font-semibold',
+  high: 'text-blue-700 dark:text-blue-300',
+  medium: 'text-amber-700 dark:text-amber-300',
+  low: 'text-red-700 dark:text-red-300',
+}
+
+const REGION_LABELS: Record<string, string> = {
+  'EU-DIN': 'EU (DIN)',
+  'INTL-ISO': 'International (ISO/IEC)',
+  'US-ANSI': 'US — ANSI',
+  'US-NFPA': 'US — NFPA',
+  'US-UL': 'US — UL',
+  'US-OSHA': 'US — OSHA',
+  'US-ASME': 'US — ASME',
+  'US-ASTM': 'US — ASTM',
+  'US-SAE': 'US — SAE',
+  'US-NIOSH': 'US — NIOSH',
+  'US-FDA': 'US — FDA',
+  'US-EPA': 'US — EPA',
+  'US-NEMA': 'US — NEMA',
+  'US-NSF': 'US — NSF',
+  'US-API': 'US — API',
+  'US-CPSC': 'US — CPSC',
+  'US-AHRI': 'US — AHRI',
+  'US-ASHRAE': 'US — ASHRAE',
+  'US-FCC': 'US — FCC',
+  'US-DOT': 'US — DOT',
+  'CN-GB': 'China (GB)',
+  'JP-JIS': 'Japan (JIS)',
+}
+
+function formatRegion(region: string): string {
+  return REGION_LABELS[region] || region
+}
+
+interface Props {
+  normId: string
+}
+
+export default function NormCrossRefPanel({ normId }: Props) {
+  const [loaded, setLoaded] = useState(false)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const [data, setData] = useState<CrossRefResponse | null>(null)
+
+  const handleLoad = async () => {
+    if (loaded || loading) return
+    setLoading(true)
+    setError(null)
+    try {
+      const res = await fetch(`/api/sdk/v1/iace/norms-library/${encodeURIComponent(normId)}/crossref`)
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      const json = (await res.json()) as CrossRefResponse
+      setData(json)
+      setLoaded(true)
+    } catch (e: any) {
+      setError(e?.message || 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  if (!loaded && !loading && !error) {
+    return (
+      <button
+        type="button"
+        onClick={handleLoad}
+        className="text-xs text-purple-600 hover:text-purple-800 dark:text-purple-400 dark:hover:text-purple-200 font-medium underline-offset-2 hover:underline"
+      >
+        Internationale Aequivalenzen anzeigen (DIN/ANSI/GB/JIS)
+      </button>
+    )
+  }
+
+  if (loading) {
+    return <div className="text-xs text-gray-500 dark:text-gray-400">Cross-Reference wird geladen…</div>
+  }
+
+  if (error) {
+    return (
+      <div className="text-xs text-red-600 dark:text-red-400">
+        Cross-Reference konnte nicht geladen werden: {error}
+      </div>
+    )
+  }
+
+  if (!data || data.mappings.length === 0) {
+    return (
+      <div className="text-xs text-gray-500 dark:text-gray-400 italic">
+        Fuer diese Norm liegt (noch) kein internationales Mapping in der Bibliothek vor.
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-2 mt-2 border-t border-gray-200 dark:border-gray-700 pt-2">
+      <div className="text-xs font-medium text-gray-700 dark:text-gray-300">
+        Internationale Aequivalenzen
+      </div>
+      {data.notes && (
+        <div className="text-xs text-gray-500 dark:text-gray-400 italic">{data.notes}</div>
+      )}
+      <div className="overflow-x-auto">
+        <table className="w-full text-xs">
+          <thead>
+            <tr className="text-gray-500 dark:text-gray-400 border-b border-gray-200 dark:border-gray-700">
+              <th className="text-left py-1 pr-3 font-medium">Region</th>
+              <th className="text-left py-1 pr-3 font-medium">Identifier</th>
+              <th className="text-left py-1 pr-3 font-medium">Relation</th>
+              <th className="text-left py-1 pr-3 font-medium">Confidence</th>
+            </tr>
+          </thead>
+          <tbody>
+            {data.mappings.map((m, i) => (
+              <tr key={i} className="border-b border-gray-100 dark:border-gray-800 last:border-0 align-top">
+                <td className="py-1 pr-3 text-gray-600 dark:text-gray-400 whitespace-nowrap">{formatRegion(m.region)}</td>
+                <td className="py-1 pr-3 font-mono text-gray-800 dark:text-gray-200">
+                  {m.source_url ? (
+                    <a href={m.source_url} target="_blank" rel="noopener noreferrer" className="text-purple-600 hover:text-purple-800 dark:text-purple-400">
+                      {m.identifier}
+                    </a>
+                  ) : (
+                    m.identifier
+                  )}
+                  {m.notes && (
+                    <div className="text-[10px] text-gray-500 dark:text-gray-400 mt-0.5 font-sans">{m.notes}</div>
+                  )}
+                </td>
+                <td className="py-1 pr-3">
+                  <span className={`inline-block px-1.5 py-0.5 rounded ${RELATION_COLORS[m.relation] || 'bg-gray-100 dark:bg-gray-800 text-gray-600'}`}>
+                    {m.relation}
+                  </span>
+                </td>
+                <td className={`py-1 pr-3 ${CONFIDENCE_COLORS[m.confidence] || 'text-gray-600'}`}>
+                  {m.confidence}
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+      <div className="text-[10px] text-gray-400 dark:text-gray-500">
+        Vor Nutzung in einem Drittmarkt durch eine sachkundige Person verifizieren.
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/iace/library/_components/NormenTab.tsx

@@ -2,6 +2,7 @@
 
 import React, { useMemo, useState, useRef, useEffect } from 'react'
 import { SearchInput, FilterDropdown, Pagination, ExpandableRow, ExternalLinkIcon } from './LibraryTable'
+import NormCrossRefPanel from './NormCrossRefPanel'
 
 export interface Norm {
   id: string
@@ -128,6 +129,7 @@ export default function NormenTab({ norms }: Props) {
                         {n.tags.map((t) => <span key={t} className="px-1.5 py-0.5 rounded text-xs bg-purple-100 dark:bg-purple-900/30 text-purple-700 dark:text-purple-300">{t}</span>)}
                       </div>
                     )}
+                    <NormCrossRefPanel normId={n.id} />
                   </div>
                 }
               />

admin-compliance/app/sdk/isms/page.tsx

@@ -9,6 +9,7 @@ import { ObjectivesTab } from './_components/ObjectivesTab'
 import { AuditsTab } from './_components/AuditsTab'
 import { ReviewsTab } from './_components/ReviewsTab'
 import { AssetsTab } from './_components/AssetsTab'
+import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 
 // =============================================================================
 // MAIN PAGE
@@ -38,6 +39,13 @@ export default function ISMSPage() {
           <p className="text-xs text-amber-600 mt-2">
             Hinweis: Basierend auf eigenen Pruefaspekten, kein ISO-Normtext. Ersetzt kein Zertifizierungsaudit.
           </p>
+          <div className="mt-3">
+            <LicenseModuleBanner
+              rule={3}
+              sourceLabel="BreakPilot-ISMS-Methodik mit Verweis auf ISO/IEC 27001"
+              detail="ISO-Normtexte sind copyright-geschuetzt (R3 — nur Identifier-Verweise). Eigene Pruefaspekte sind BreakPilot-Eigenwerk."
+            />
+          </div>
         </div>
 
         {/* Tabs */}

admin-compliance/app/sdk/licenses/page.tsx

@@ -0,0 +1,160 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+
+// Stufe 1 of the Attribution Renderer (Task #23): the global
+// "Quellen & Lizenzen" overview. Aggregates all 314k canonical_controls
+// by their license_rule and shows the source regulations behind each
+// bucket. Drives the footer link and gives auditors a one-page view of
+// what licence classes the platform is operating under.
+
+type SourceCount = {
+  regulation_id: string
+  regulation_name_de: string | null
+  license_rule: number
+  license_type: string | null
+  attribution: string | null
+  jurisdiction: string | null
+  source_type: string | null
+  n_controls: number
+}
+
+type RuleBucket = {
+  rule: number
+  label_de: string
+  label_en: string
+  attribution_required: boolean
+  render_full_text: boolean
+  total_controls: number
+  distinct_sources: number
+  sources: SourceCount[]
+}
+
+type Overview = {
+  total_controls: number
+  buckets: RuleBucket[]
+}
+
+const RULE_COLOR: Record<number, string> = {
+  1: 'border-emerald-200 bg-emerald-50',
+  2: 'border-amber-200 bg-amber-50',
+  3: 'border-slate-200 bg-slate-50',
+}
+
+const RULE_BADGE: Record<number, string> = {
+  1: 'bg-emerald-600 text-white',
+  2: 'bg-amber-600 text-white',
+  3: 'bg-slate-600 text-white',
+}
+
+export default function LicensesPage() {
+  const [data, setData] = useState<Overview | null>(null)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => {
+    fetch('/api/sdk/v1/compliance/licenses/overview')
+      .then((r) => (r.ok ? r.json() : Promise.reject(`HTTP ${r.status}`)))
+      .then(setData)
+      .catch((e) => setError(String(e)))
+  }, [])
+
+  if (error) {
+    return (
+      <div className="p-6">
+        <h1 className="text-xl font-semibold mb-2">Quellen &amp; Lizenzen</h1>
+        <p className="text-red-600">Fehler beim Laden: {error}</p>
+      </div>
+    )
+  }
+  if (!data) {
+    return (
+      <div className="p-6">
+        <h1 className="text-xl font-semibold">Quellen &amp; Lizenzen</h1>
+        <p className="text-slate-500 mt-2">Lade …</p>
+      </div>
+    )
+  }
+
+  return (
+    <div className="p-6 max-w-7xl">
+      <header className="mb-6">
+        <h1 className="text-2xl font-semibold">Quellen &amp; Lizenzen</h1>
+        <p className="text-sm text-slate-600 mt-1">
+          Diese Plattform stützt sich auf {data.total_controls.toLocaleString('de-DE')}{' '}
+          klassifizierte Compliance-Controls aus den unten genannten Quellen.
+          Jeder Control trägt eine deterministische Lizenzregel (R1–R3), die das
+          Render-Verhalten in Berichten und im Frontend steuert.
+        </p>
+      </header>
+
+      <section className="mb-8">
+        <h2 className="text-lg font-medium mb-3">Klassifizierungs-Schema</h2>
+        <div className="grid grid-cols-1 md:grid-cols-3 gap-3 text-sm">
+          {data.buckets.map((b) => (
+            <div key={b.rule} className={`rounded border ${RULE_COLOR[b.rule] ?? 'border-slate-200'} p-3`}>
+              <div className="flex items-center gap-2 mb-2">
+                <span className={`inline-flex items-center justify-center w-7 h-7 rounded-full text-xs font-bold ${RULE_BADGE[b.rule] ?? 'bg-slate-600 text-white'}`}>
+                  R{b.rule}
+                </span>
+                <span className="font-medium">{b.label_de}</span>
+              </div>
+              <ul className="text-xs text-slate-700 space-y-1">
+                <li>{b.total_controls.toLocaleString('de-DE')} Controls</li>
+                <li>{b.distinct_sources} Quellen</li>
+                <li>{b.render_full_text ? 'Volltext-Anzeige erlaubt' : 'Nur Identifier-Verweis'}</li>
+                <li>{b.attribution_required ? 'Attribution-Pflicht in Output' : 'keine Attribution-Pflicht'}</li>
+              </ul>
+            </div>
+          ))}
+        </div>
+      </section>
+
+      {data.buckets.map((b) => (
+        <section key={b.rule} className="mb-8">
+          <h2 className="text-lg font-medium mb-3 flex items-center gap-2">
+            <span className={`inline-flex items-center justify-center w-7 h-7 rounded-full text-xs font-bold ${RULE_BADGE[b.rule] ?? 'bg-slate-600 text-white'}`}>
+              R{b.rule}
+            </span>
+            {b.label_de}{' '}
+            <span className="text-sm text-slate-500 font-normal">
+              ({b.total_controls.toLocaleString('de-DE')} Controls aus {b.distinct_sources} Quellen)
+            </span>
+          </h2>
+
+          <div className="overflow-x-auto border rounded">
+            <table className="w-full text-sm">
+              <thead className="bg-slate-100 text-slate-700">
+                <tr>
+                  <th className="text-left p-2">Quelle</th>
+                  <th className="text-left p-2">Lizenztyp</th>
+                  <th className="text-left p-2">Rechtsraum</th>
+                  <th className="text-left p-2">Attribution</th>
+                  <th className="text-right p-2">Controls</th>
+                </tr>
+              </thead>
+              <tbody>
+                {b.sources.map((s) => (
+                  <tr key={`${b.rule}-${s.regulation_id}`} className="border-t">
+                    <td className="p-2">{s.regulation_name_de ?? s.regulation_id}</td>
+                    <td className="p-2 text-slate-600">{s.license_type ?? '—'}</td>
+                    <td className="p-2 text-slate-600">{s.jurisdiction ?? '—'}</td>
+                    <td className="p-2 text-slate-600">{s.attribution ?? '—'}</td>
+                    <td className="p-2 text-right tabular-nums">{s.n_controls.toLocaleString('de-DE')}</td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        </section>
+      ))}
+
+      <footer className="text-xs text-slate-500 border-t pt-4 mt-8">
+        Klassifizierung: deterministisch über parent_control_uuid-Vererbung,
+        control_parent_links → regulation_registry, source_citation,
+        canonical_processed_chunks (Pipeline-Ground-Truth) und LLM-Aggregat-
+        Identifikation für eigene Werke. Audit-Skripte unter
+        breakpilot-core/control-pipeline/scripts/.
+      </footer>
+    </div>
+  )
+}

admin-compliance/app/sdk/master-controls/page.tsx

@@ -3,6 +3,7 @@
 import React, { useState, useEffect } from 'react'
 import { ControlListView } from '../control-library/components/ControlListView'
 import { useControlLibraryState } from '../control-library/components/useControlLibraryState'
+import { useCaseLabel, mcVerificationLabel } from '../control-library/components/mcMappingLabels'
 
 /**
  * Master Controls page — reuses the Control Library UI exactly,
@@ -38,7 +39,7 @@ export default function MasterControlsPage() {
   if (state.mode === 'detail' && state.selectedControl) {
     return (
       <MCDetail
-        mc={state.selectedControl}
+        mc={state.selectedControl as unknown as Record<string, unknown>}
         onBack={() => { state.setMode('list'); state.setSelectedControl(null) }}
       />
     )
@@ -65,6 +66,10 @@ export default function MasterControlsPage() {
       domainFilter={state.domainFilter}
       stateFilter={state.stateFilter}
       verificationFilter={state.verificationFilter}
+      useCaseFilter={state.useCaseFilter}
+      primaryOnly={state.primaryOnly}
+      regulationFilter={state.regulationFilter}
+      mappedFilter={state.mappedFilter}
       categoryFilter={state.categoryFilter}
       evidenceTypeFilter={state.evidenceTypeFilter}
       audienceFilter={state.audienceFilter}
@@ -76,6 +81,10 @@ export default function MasterControlsPage() {
       setDomainFilter={state.setDomainFilter}
       setStateFilter={state.setStateFilter}
       setVerificationFilter={state.setVerificationFilter}
+      setUseCaseFilter={state.setUseCaseFilter}
+      setPrimaryOnly={state.setPrimaryOnly}
+      setRegulationFilter={state.setRegulationFilter}
+      setMappedFilter={state.setMappedFilter}
       setCategoryFilter={state.setCategoryFilter}
       setEvidenceTypeFilter={state.setEvidenceTypeFilter}
       setAudienceFilter={state.setAudienceFilter}
@@ -116,8 +125,15 @@ const SEV = {
   low: 'bg-blue-100 text-blue-800',
 } as Record<string, string>
 
+interface MCMapping {
+  use_cases?: Array<{ use_case: string; is_primary: boolean }>
+  verification_method?: string | null
+  regulations?: Array<{ source_regulation: string; is_primary: boolean; member_count: number }>
+}
+
 function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => void }) {
   const [members, setMembers] = useState<Member[]>([])
+  const [mapping, setMapping] = useState<MCMapping>({})
   const [loading, setLoading] = useState(true)
   const [phaseFilter, setPhaseFilter] = useState('')
 
@@ -131,6 +147,10 @@ function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => v
     fetch(`/api/sdk/v1/master-controls?endpoint=control&id=${mcId}`)
       .then(r => r.ok ? r.json() : null)
       .then(data => {
+        if (data) setMapping({
+          use_cases: data.use_cases, verification_method: data.verification_method,
+          regulations: data.regulations,
+        })
         if (data?.members) setMembers(data.members)
         else if (data?.requirements) {
           // Fallback: parse requirements strings
@@ -164,6 +184,33 @@ function MCDetail({ mc, onBack }: { mc: Record<string, unknown>; onBack: () => v
         <h1 className="text-2xl font-bold text-gray-900">{mcName}</h1>
         <p className="text-gray-500 mt-1">{mcId} — {totalControls} Atomic Controls</p>
 
+        {/* Zuordnung: Use Cases + Verifikation + Quell-Regulierung */}
+        {(mapping.use_cases?.length || mapping.verification_method || mapping.regulations?.length) ? (
+          <div className="mt-4 flex flex-wrap items-center gap-2">
+            {(mapping.use_cases || []).map(u => (
+              <span key={u.use_case}
+                className={`px-2 py-0.5 rounded text-xs font-medium ${u.is_primary
+                  ? 'bg-purple-100 text-purple-800 border border-purple-300'
+                  : 'bg-purple-50 text-purple-600'}`}
+                title={u.is_primary ? 'Primärzweck' : 'Mehrfachzweck'}>
+                {useCaseLabel(u.use_case)}{u.is_primary ? ' ★' : ''}
+              </span>
+            ))}
+            {mapping.verification_method && (
+              <span className="px-2 py-0.5 rounded text-xs font-medium bg-emerald-100 text-emerald-800 border border-emerald-300">
+                Nachweis: {mcVerificationLabel(mapping.verification_method)}
+              </span>
+            )}
+            {(mapping.regulations || []).slice(0, 4).map(r => (
+              <span key={r.source_regulation}
+                className="px-2 py-0.5 rounded text-xs bg-blue-50 text-blue-700"
+                title={`${r.member_count} Member${r.is_primary ? ' · Primärquelle' : ''}`}>
+                {r.source_regulation}{r.is_primary ? ' ★' : ''}
+              </span>
+            ))}
+          </div>
+        ) : null}
+
         {/* Phase badges */}
         <div className="flex flex-wrap gap-2 mt-4">
           {uniquePhases.map(p => (

admin-compliance/app/sdk/security-backlog/page.tsx

@@ -5,6 +5,7 @@ import { SecurityItemCard } from './_components/SecurityItemCard'
 import { ItemModal } from './_components/ItemModal'
 import { useSecurityBacklog, EMPTY_NEW_ITEM } from './_hooks/useSecurityBacklog'
 import type { SecurityItem } from './_hooks/useSecurityBacklog'
+import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 
 export default function SecurityBacklogPage() {
   const [filter, setFilter] = useState<string>('all')
@@ -37,6 +38,11 @@ export default function SecurityBacklogPage() {
 
   return (
     <div className="space-y-6">
+      <LicenseModuleBanner
+        rule={2}
+        sourceLabel="OWASP Top 10 / ASVS / SAMM (CC-BY-SA 4.0) + NIST SP 800-53 (US PD)"
+        detail="OWASP-Inhalte zitiert mit Pflicht-Attribution 'OWASP Foundation, CC BY-SA 4.0'. NIST woertlich (R1)."
+      />
       {/* Header */}
       <div className="flex items-center justify-between">
         <div>

admin-compliance/app/sdk/template-rule-editor/_components/ConditionBuilder.tsx

@@ -0,0 +1,232 @@
+'use client'
+
+/**
+ * Strukturierter Editor fuer JSONB-Conditions:
+ *   { kind: 'all'|'any', clauses: [{field, op, value}] }
+ *
+ * Wird im RuleEditor verwendet. Reine Praesentations-Komponente — Parent
+ * verwaltet State.
+ */
+
+import type {
+  ClauseOperator, RuleClause, RuleCondition,
+} from '../_types'
+import { OPERATOR_LABELS, PROFILE_FIELDS } from '../_types'
+
+interface Props {
+  value: RuleCondition
+  onChange: (next: RuleCondition) => void
+  readOnly?: boolean
+}
+
+export default function ConditionBuilder({ value, onChange, readOnly }: Props) {
+  const setKind = (kind: 'all' | 'any') => onChange({ ...value, kind })
+  const setClause = (idx: number, clause: RuleClause) => {
+    const next = [...value.clauses]
+    next[idx] = clause
+    onChange({ ...value, clauses: next })
+  }
+  const addClause = () =>
+    onChange({
+      ...value,
+      clauses: [
+        ...value.clauses,
+        { field: PROFILE_FIELDS[0].key, op: 'eq', value: '' },
+      ],
+    })
+  const removeClause = (idx: number) =>
+    onChange({ ...value, clauses: value.clauses.filter((_, i) => i !== idx) })
+
+  return (
+    <div className="space-y-2">
+      <div className="flex items-center gap-2">
+        <span className="text-xs text-gray-600">Bedingung:</span>
+        <select
+          className="text-xs px-2 py-1 border border-gray-300 rounded"
+          value={value.kind}
+          disabled={readOnly}
+          onChange={(e) => setKind(e.target.value as 'all' | 'any')}
+        >
+          <option value="all">ALLE Klauseln müssen zutreffen (AND)</option>
+          <option value="any">MIND. EINE Klausel trifft zu (OR)</option>
+        </select>
+      </div>
+
+      {value.clauses.length === 0 && (
+        <div className="text-xs text-gray-500 italic px-1">
+          Keine Klauseln — Regel gilt für jedes Profil.
+        </div>
+      )}
+
+      <ul className="space-y-1">
+        {value.clauses.map((clause, idx) => (
+          <li key={idx} className="flex items-start gap-1 p-1.5 bg-gray-50 rounded border border-gray-200">
+            <ClauseRow
+              clause={clause}
+              onChange={(c) => setClause(idx, c)}
+              readOnly={!!readOnly}
+            />
+            {!readOnly && (
+              <button
+                className="text-xs px-1.5 py-0.5 text-rose-700 hover:bg-rose-50 rounded"
+                onClick={() => removeClause(idx)}
+                title="Klausel entfernen"
+              >
+                ×
+              </button>
+            )}
+          </li>
+        ))}
+      </ul>
+
+      {!readOnly && (
+        <button
+          className="text-xs px-2 py-1 border border-gray-300 rounded text-gray-700 hover:bg-gray-50"
+          onClick={addClause}
+        >
+          + Klausel hinzufügen
+        </button>
+      )}
+    </div>
+  )
+}
+
+function ClauseRow({
+  clause, onChange, readOnly,
+}: {
+  clause: RuleClause
+  onChange: (c: RuleClause) => void
+  readOnly: boolean
+}) {
+  const field = PROFILE_FIELDS.find((f) => f.key === clause.field) || PROFILE_FIELDS[0]
+  const operators: ClauseOperator[] =
+    field.type === 'enum'
+      ? ['eq', 'neq', 'in', 'not_in', 'exists', 'truthy', 'falsy']
+      : field.type === 'boolean'
+      ? ['truthy', 'falsy', 'eq', 'neq']
+      : field.type === 'number'
+      ? ['eq', 'neq', 'gt', 'gte', 'lt', 'lte']
+      : ['eq', 'neq', 'in', 'not_in', 'exists']
+
+  const requiresValue = !['exists', 'truthy', 'falsy'].includes(clause.op)
+  const multiValue = clause.op === 'in' || clause.op === 'not_in'
+
+  return (
+    <div className="flex-1 grid grid-cols-12 gap-1 items-center text-xs">
+      <select
+        className="col-span-4 px-1 py-0.5 border border-gray-300 rounded bg-white truncate"
+        value={clause.field}
+        disabled={readOnly}
+        onChange={(e) => onChange({ ...clause, field: e.target.value })}
+      >
+        {PROFILE_FIELDS.map((f) => (
+          <option key={f.key} value={f.key}>{f.label} ({f.key})</option>
+        ))}
+      </select>
+
+      <select
+        className="col-span-3 px-1 py-0.5 border border-gray-300 rounded bg-white"
+        value={clause.op}
+        disabled={readOnly}
+        onChange={(e) => onChange({ ...clause, op: e.target.value as ClauseOperator })}
+      >
+        {operators.map((op) => (
+          <option key={op} value={op}>{OPERATOR_LABELS[op]}</option>
+        ))}
+      </select>
+
+      <div className="col-span-5">
+        {requiresValue && (
+          <ValueInput
+            field={field}
+            multi={multiValue}
+            value={clause.value}
+            onChange={(v) => onChange({ ...clause, value: v })}
+            readOnly={readOnly}
+          />
+        )}
+      </div>
+    </div>
+  )
+}
+
+function ValueInput({
+  field, multi, value, onChange, readOnly,
+}: {
+  field: typeof PROFILE_FIELDS[number]
+  multi: boolean
+  value: unknown
+  onChange: (v: unknown) => void
+  readOnly: boolean
+}) {
+  if (field.type === 'enum' && field.options) {
+    if (multi) {
+      const selected = Array.isArray(value) ? (value as string[]) : []
+      return (
+        <select
+          multiple
+          className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white h-16"
+          value={selected}
+          disabled={readOnly}
+          onChange={(e) => {
+            const opts = Array.from(e.target.selectedOptions, (o) => o.value)
+            onChange(opts)
+          }}
+        >
+          {field.options.map((o) => (
+            <option key={o.value} value={o.value}>{o.label}</option>
+          ))}
+        </select>
+      )
+    }
+    return (
+      <select
+        className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white"
+        value={typeof value === 'string' ? value : ''}
+        disabled={readOnly}
+        onChange={(e) => onChange(e.target.value)}
+      >
+        <option value="">— wählen —</option>
+        {field.options.map((o) => (
+          <option key={o.value} value={o.value}>{o.label}</option>
+        ))}
+      </select>
+    )
+  }
+
+  if (field.type === 'number') {
+    return (
+      <input
+        type="number"
+        className="w-full px-1 py-0.5 border border-gray-300 rounded"
+        value={typeof value === 'number' ? value : 0}
+        disabled={readOnly}
+        onChange={(e) => onChange(Number(e.target.value))}
+      />
+    )
+  }
+
+  if (field.type === 'boolean') {
+    return (
+      <select
+        className="w-full px-1 py-0.5 border border-gray-300 rounded bg-white"
+        value={value ? 'true' : 'false'}
+        disabled={readOnly}
+        onChange={(e) => onChange(e.target.value === 'true')}
+      >
+        <option value="true">true</option>
+        <option value="false">false</option>
+      </select>
+    )
+  }
+
+  return (
+    <input
+      type="text"
+      className="w-full px-1 py-0.5 border border-gray-300 rounded"
+      value={typeof value === 'string' ? value : ''}
+      disabled={readOnly}
+      onChange={(e) => onChange(e.target.value)}
+    />
+  )
+}

admin-compliance/app/sdk/template-rule-editor/_components/RuleEditor.tsx

@@ -0,0 +1,414 @@
+'use client'
+
+/**
+ * Rechte Spalte: Detail-Editor fuer die ausgewaehlte Regel.
+ *
+ * - Zeigt Live-Version + offenen Draft (falls vorhanden)
+ * - Erlaubt Draft-Edit (classification, conditions, source_citation, rationale)
+ * - Buttons: "Neuen Draft starten" (kopiert von Live), "Einreichen" (mit Pflicht
+ *   change_summary-Modal), "Intern freigeben" (DSB), "Publish" (= Mandanten-Freigabe)
+ * - Versionshistorie + Approval-Trail unten als Akkordeon
+ */
+
+import { useEffect, useMemo, useState } from 'react'
+import type {
+  ApprovalHistoryEntry, Classification, Rule, RuleCondition, RuleVersion,
+} from '../_types'
+import { CLASSIFICATION_LABELS, STATUS_LABELS } from '../_types'
+import ConditionBuilder from './ConditionBuilder'
+
+interface Props {
+  rule: Rule
+  versions: RuleVersion[]
+  history: ApprovalHistoryEntry[]
+  onCreateDraft: (payload: {
+    classification: Classification
+    conditions: RuleCondition
+    source_citation: string
+    rationale?: string | null
+  }) => Promise<void>
+  onUpdateDraft: (versionId: string, patch: {
+    classification?: Classification
+    conditions?: RuleCondition
+    source_citation?: string
+    rationale?: string | null
+  }) => Promise<void>
+  onSubmitForReview: (versionId: string, changeSummary: string) => Promise<void>
+  onApprove: (versionId: string) => Promise<void>
+  onPublish: (versionId: string) => Promise<void>
+  onReject: (versionId: string, reason: string) => Promise<void>
+}
+
+export default function RuleEditor({
+  rule, versions, history,
+  onCreateDraft, onUpdateDraft,
+  onSubmitForReview, onApprove, onPublish, onReject,
+}: Props) {
+  const liveVersion = useMemo(
+    () => versions.find((v) => v.is_live) || null,
+    [versions],
+  )
+  const draftVersion = useMemo(
+    () => versions.find((v) => ['draft', 'review'].includes(v.status)) || null,
+    [versions],
+  )
+
+  // Edit-State
+  const [classification, setClassification] = useState<Classification>('required')
+  const [conditions, setConditions] = useState<RuleCondition>({ kind: 'all', clauses: [] })
+  const [sourceCitation, setSourceCitation] = useState('')
+  const [rationale, setRationale] = useState('')
+
+  // Modal-State
+  const [showSubmit, setShowSubmit] = useState(false)
+  const [changeSummary, setChangeSummary] = useState('')
+  const [showHistory, setShowHistory] = useState(false)
+  const [rejectReason, setRejectReason] = useState('')
+  const [showReject, setShowReject] = useState(false)
+
+  // Sync Edit-State mit ausgewaehltem Version (Draft hat Vorrang)
+  const sourceVersion = draftVersion || liveVersion
+  useEffect(() => {
+    if (sourceVersion) {
+      setClassification(sourceVersion.classification)
+      setConditions(sourceVersion.conditions)
+      setSourceCitation(sourceVersion.source_citation)
+      setRationale(sourceVersion.rationale || '')
+    }
+  }, [sourceVersion?.id])
+
+  const isDraftMode = !!draftVersion && draftVersion.status === 'draft'
+  const isReviewMode = !!draftVersion && draftVersion.status === 'review'
+  const readOnly = !isDraftMode
+
+  const handleCreateDraft = () => {
+    onCreateDraft({
+      classification: liveVersion?.classification || 'recommended',
+      conditions: liveVersion?.conditions || { kind: 'all', clauses: [] },
+      source_citation: liveVersion?.source_citation || '',
+      rationale: liveVersion?.rationale,
+    })
+  }
+
+  const handleSaveDraft = () => {
+    if (!draftVersion) return
+    onUpdateDraft(draftVersion.id, {
+      classification, conditions, source_citation: sourceCitation, rationale,
+    })
+  }
+
+  const handleSubmit = () => {
+    if (!draftVersion || !changeSummary.trim()) return
+    onSubmitForReview(draftVersion.id, changeSummary.trim())
+    setShowSubmit(false)
+    setChangeSummary('')
+  }
+
+  return (
+    <div className="h-full flex flex-col overflow-hidden bg-white">
+      <header className="px-5 py-3 border-b border-gray-200">
+        <div className="flex items-baseline justify-between gap-3">
+          <div className="min-w-0">
+            <h2 className="text-base font-semibold text-gray-800 truncate">{rule.title}</h2>
+            <div className="text-xs text-gray-500">
+              <code>{rule.document_type}</code> · {rule.rule_key}
+            </div>
+          </div>
+          <div className="flex items-center gap-2 text-xs text-gray-600">
+            {liveVersion && (
+              <span>
+                Live: v{liveVersion.version_number} (
+                <code>{liveVersion.classification}</code>)
+              </span>
+            )}
+            {draftVersion && (
+              <span className="px-1.5 py-0.5 bg-amber-100 text-amber-800 rounded border border-amber-300">
+                Draft v{draftVersion.version_number} · {STATUS_LABELS[draftVersion.status]}
+              </span>
+            )}
+          </div>
+        </div>
+      </header>
+
+      <div className="flex-1 overflow-y-auto p-5 space-y-4">
+        {!draftVersion && (
+          <div className="bg-amber-50 border border-amber-200 rounded p-3 flex items-center justify-between">
+            <span className="text-sm text-amber-800">
+              Kein offener Draft. Starte einen neuen Draft, um die Regel zu ändern.
+            </span>
+            <button
+              className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700"
+              onClick={handleCreateDraft}
+            >
+              + Neuen Draft starten
+            </button>
+          </div>
+        )}
+
+        {/* Klassifikation */}
+        <section>
+          <label className="text-xs font-medium text-gray-700 block mb-1">
+            Klassifikation
+          </label>
+          <select
+            className="text-sm px-2 py-1 border border-gray-300 rounded"
+            value={classification}
+            disabled={readOnly}
+            onChange={(e) => setClassification(e.target.value as Classification)}
+          >
+            {(['required', 'recommended', 'optional'] as const).map((c) => (
+              <option key={c} value={c}>{CLASSIFICATION_LABELS[c]}</option>
+            ))}
+          </select>
+        </section>
+
+        {/* Bedingung */}
+        <section>
+          <label className="text-xs font-medium text-gray-700 block mb-1">
+            Bedingung
+          </label>
+          <ConditionBuilder
+            value={conditions}
+            onChange={setConditions}
+            readOnly={readOnly}
+          />
+        </section>
+
+        {/* Source Citation (Pflicht) */}
+        <section>
+          <label className="text-xs font-medium text-gray-700 block mb-1">
+            Quelle / Norm-Citation <span className="text-rose-600">*</span>
+          </label>
+          <input
+            type="text"
+            className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
+            placeholder="z.B. § 12 HinSchG, Art. 28 DSGVO, EuGH C-311/18"
+            value={sourceCitation}
+            disabled={readOnly}
+            onChange={(e) => setSourceCitation(e.target.value)}
+          />
+        </section>
+
+        {/* Rationale */}
+        <section>
+          <label className="text-xs font-medium text-gray-700 block mb-1">
+            Begründung / Rationale (optional)
+          </label>
+          <textarea
+            className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
+            rows={3}
+            placeholder="Anwalts-Kommentar, warum die Regel so klassifiziert ist…"
+            value={rationale}
+            disabled={readOnly}
+            onChange={(e) => setRationale(e.target.value)}
+          />
+        </section>
+
+        {/* Versionshistorie */}
+        <section>
+          <button
+            className="text-xs text-gray-600 hover:text-gray-800"
+            onClick={() => setShowHistory((v) => !v)}
+          >
+            {showHistory ? '▾' : '▸'} Versionshistorie + Approval-Trail ({versions.length} Versionen)
+          </button>
+          {showHistory && (
+            <HistoryList versions={versions} history={history} />
+          )}
+        </section>
+      </div>
+
+      {/* Footer-Aktionen */}
+      <footer className="px-5 py-3 border-t border-gray-200 bg-gray-50 flex items-center gap-2 flex-wrap">
+        {isDraftMode && (
+          <>
+            <button
+              className="px-3 py-1.5 text-sm border border-gray-300 rounded text-gray-700 hover:bg-white"
+              onClick={handleSaveDraft}
+            >
+              Draft speichern
+            </button>
+            <button
+              className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700 disabled:opacity-50"
+              disabled={!sourceCitation.trim()}
+              onClick={() => setShowSubmit(true)}
+              title={!sourceCitation.trim() ? 'Source Citation ist Pflicht' : ''}
+            >
+              Zur internen Prüfung einreichen
+            </button>
+          </>
+        )}
+        {isReviewMode && (
+          <>
+            <button
+              className="px-3 py-1.5 text-sm bg-emerald-600 text-white rounded hover:bg-emerald-700"
+              onClick={() => draftVersion && onApprove(draftVersion.id)}
+            >
+              Intern freigeben → Mandant
+            </button>
+            <button
+              className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded hover:bg-blue-700"
+              onClick={() => draftVersion && onPublish(draftVersion.id)}
+              title="Wird sofort live (Test-Modus)"
+            >
+              Publish (sofort live)
+            </button>
+            <button
+              className="px-3 py-1.5 text-sm border border-rose-300 text-rose-700 rounded hover:bg-rose-50"
+              onClick={() => setShowReject(true)}
+            >
+              Ablehnen
+            </button>
+          </>
+        )}
+      </footer>
+
+      {showSubmit && (
+        <SubmitDialog
+          value={changeSummary}
+          onChange={setChangeSummary}
+          onCancel={() => setShowSubmit(false)}
+          onSubmit={handleSubmit}
+        />
+      )}
+
+      {showReject && (
+        <RejectDialog
+          value={rejectReason}
+          onChange={setRejectReason}
+          onCancel={() => { setShowReject(false); setRejectReason('') }}
+          onSubmit={() => {
+            if (!draftVersion || !rejectReason.trim()) return
+            onReject(draftVersion.id, rejectReason.trim())
+            setShowReject(false); setRejectReason('')
+          }}
+        />
+      )}
+    </div>
+  )
+}
+
+function HistoryList({ versions, history }: { versions: RuleVersion[]; history: ApprovalHistoryEntry[] }) {
+  return (
+    <div className="mt-2 space-y-2 text-xs">
+      <div>
+        <div className="font-medium text-gray-700 mb-1">Versionen:</div>
+        <ul className="space-y-1">
+          {versions.map((v) => (
+            <li key={v.id} className="bg-white border border-gray-200 rounded p-2">
+              <div className="flex items-center gap-2">
+                <span className="font-medium">v{v.version_number}</span>
+                <span className="px-1.5 py-0.5 bg-gray-100 rounded">{STATUS_LABELS[v.status]}</span>
+                {v.is_live && <span className="text-emerald-700">● Live</span>}
+                <span className="text-gray-500 ml-auto">
+                  {new Date(v.created_at).toLocaleString('de-DE')}
+                </span>
+              </div>
+              {v.change_summary && (
+                <div className="mt-1 text-gray-600">Änderung: {v.change_summary}</div>
+              )}
+              {v.source_citation && (
+                <div className="mt-0.5 text-gray-500">Quelle: {v.source_citation}</div>
+              )}
+            </li>
+          ))}
+        </ul>
+      </div>
+      <div>
+        <div className="font-medium text-gray-700 mb-1">Approval-Trail:</div>
+        <ul className="space-y-0.5">
+          {history.map((h) => (
+            <li key={h.id} className="text-gray-600">
+              {new Date(h.created_at).toLocaleString('de-DE')} · {h.action}
+              {h.approver && ` · ${h.approver}`}
+              {h.comment && ` — ${h.comment}`}
+            </li>
+          ))}
+        </ul>
+      </div>
+    </div>
+  )
+}
+
+function SubmitDialog({
+  value, onChange, onCancel, onSubmit,
+}: {
+  value: string
+  onChange: (s: string) => void
+  onCancel: () => void
+  onSubmit: () => void
+}) {
+  return (
+    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
+      <div className="bg-white rounded-lg shadow-xl w-[520px]" onClick={(e) => e.stopPropagation()}>
+        <header className="px-5 py-3 border-b border-gray-200">
+          <h3 className="font-semibold">Zur internen Prüfung einreichen</h3>
+        </header>
+        <div className="p-5">
+          <label className="text-xs font-medium text-gray-700">
+            Was wurde geändert? <span className="text-rose-600">*</span>
+          </label>
+          <textarea
+            autoFocus
+            rows={4}
+            className="w-full mt-1 text-sm px-2 py-1.5 border border-gray-300 rounded"
+            placeholder="z.B. Schwelle auf 50 MA angehoben (BAG-Urteil X)"
+            value={value}
+            onChange={(e) => onChange(e.target.value)}
+          />
+        </div>
+        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
+          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
+          <button
+            className="px-4 py-1.5 text-sm bg-amber-600 text-white rounded disabled:opacity-50"
+            disabled={!value.trim()}
+            onClick={onSubmit}
+          >
+            Einreichen
+          </button>
+        </footer>
+      </div>
+    </div>
+  )
+}
+
+function RejectDialog({
+  value, onChange, onCancel, onSubmit,
+}: {
+  value: string
+  onChange: (s: string) => void
+  onCancel: () => void
+  onSubmit: () => void
+}) {
+  return (
+    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
+      <div className="bg-white rounded-lg shadow-xl w-[480px]" onClick={(e) => e.stopPropagation()}>
+        <header className="px-5 py-3 border-b border-gray-200">
+          <h3 className="font-semibold">Draft ablehnen</h3>
+        </header>
+        <div className="p-5">
+          <label className="text-xs font-medium text-gray-700">
+            Ablehnungsgrund <span className="text-rose-600">*</span>
+          </label>
+          <textarea
+            autoFocus
+            rows={3}
+            className="w-full mt-1 text-sm px-2 py-1.5 border border-gray-300 rounded"
+            value={value}
+            onChange={(e) => onChange(e.target.value)}
+          />
+        </div>
+        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
+          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
+          <button
+            className="px-4 py-1.5 text-sm bg-rose-600 text-white rounded disabled:opacity-50"
+            disabled={!value.trim()}
+            onClick={onSubmit}
+          >
+            Ablehnen
+          </button>
+        </footer>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/template-rule-editor/_components/RuleList.tsx

@@ -0,0 +1,111 @@
+'use client'
+
+/**
+ * Linke Spalte: Liste der globalen Empfehlungs-Regeln.
+ *
+ * Filterbar nach document_type. Klassifikations-Chip + Live-Indikator.
+ */
+
+import { useMemo, useState } from 'react'
+import type { Rule, RuleVersion } from '../_types'
+import { CLASSIFICATION_LABELS, STATUS_LABELS } from '../_types'
+
+interface Props {
+  rules: Rule[]
+  versionsByRule: Record<string, RuleVersion | undefined>
+  selectedRuleId: string | null
+  onSelectRule: (ruleId: string) => void
+}
+
+export default function RuleList({
+  rules, versionsByRule, selectedRuleId, onSelectRule,
+}: Props) {
+  const [filter, setFilter] = useState('')
+  const filtered = useMemo(() => {
+    if (!filter.trim()) return rules
+    const q = filter.toLowerCase()
+    return rules.filter(
+      (r) =>
+        r.title.toLowerCase().includes(q) ||
+        r.rule_key.toLowerCase().includes(q) ||
+        r.document_type.toLowerCase().includes(q),
+    )
+  }, [rules, filter])
+
+  return (
+    <div className="h-full flex flex-col overflow-hidden border-r border-gray-200 bg-gray-50">
+      <div className="p-3 border-b border-gray-200 bg-white">
+        <input
+          type="text"
+          placeholder="Suchen (Titel, Key, Doc-Type)…"
+          value={filter}
+          onChange={(e) => setFilter(e.target.value)}
+          className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
+        />
+        <div className="text-xs text-gray-500 mt-1">
+          {filtered.length} von {rules.length} Regeln
+        </div>
+      </div>
+
+      <ul className="flex-1 overflow-y-auto">
+        {filtered.map((rule) => {
+          const live = versionsByRule[rule.id]
+          const isSelected = rule.id === selectedRuleId
+          return (
+            <li key={rule.id}>
+              <button
+                className={`w-full text-left px-3 py-2 border-b border-gray-100 hover:bg-white ${
+                  isSelected ? 'bg-white border-l-4 border-l-amber-500' : ''
+                }`}
+                onClick={() => onSelectRule(rule.id)}
+              >
+                <div className="flex items-center gap-2 mb-0.5">
+                  {live && (
+                    <ClassificationChip classification={live.classification} />
+                  )}
+                  {!live && (
+                    <span className="px-1.5 py-0.5 text-xs rounded bg-gray-200 text-gray-600">
+                      ohne Live-Version
+                    </span>
+                  )}
+                </div>
+                <div className="text-sm font-medium text-gray-800 truncate">
+                  {rule.title}
+                </div>
+                <div className="text-xs text-gray-500 truncate">
+                  <code>{rule.document_type}</code> · {rule.rule_key}
+                </div>
+                {live && (
+                  <div className="text-[10px] text-gray-500 mt-0.5">
+                    v{live.version_number} · {STATUS_LABELS[live.status]}
+                    {live.is_live && (
+                      <span className="ml-1 inline-block w-1.5 h-1.5 bg-emerald-500 rounded-full" />
+                    )}
+                  </div>
+                )}
+              </button>
+            </li>
+          )
+        })}
+        {filtered.length === 0 && (
+          <li className="px-3 py-4 text-sm text-gray-500 italic">
+            Keine Regeln gefunden.
+          </li>
+        )}
+      </ul>
+    </div>
+  )
+}
+
+function ClassificationChip({ classification }: { classification: 'required' | 'recommended' | 'optional' }) {
+  const colorMap = {
+    required: 'bg-rose-100 text-rose-800 border-rose-300',
+    recommended: 'bg-amber-100 text-amber-800 border-amber-300',
+    optional: 'bg-slate-100 text-slate-700 border-slate-300',
+  } as const
+  return (
+    <span className={`px-1.5 py-0.5 text-[10px] font-medium rounded border ${colorMap[classification]}`}>
+      {CLASSIFICATION_LABELS[classification]}
+    </span>
+  )
+}

admin-compliance/app/sdk/template-rule-editor/_components/TenantOverrideList.tsx

@@ -0,0 +1,398 @@
+'use client'
+
+/**
+ * Pro-Tenant Override-Liste: zeigt alle Overrides der eigenen Kanzlei
+ * + Add/Edit/Delete.
+ *
+ * Reuse: Backend /tenant-rule-overrides (upsert via POST, delete via DELETE).
+ * Read-only Klassifikation wird aus der live_version der Regel gezogen.
+ */
+
+import { useMemo, useState } from 'react'
+import type {
+  Classification, Rule, RuleVersion, TenantRuleOverride,
+} from '../_types'
+import { CLASSIFICATION_LABELS } from '../_types'
+
+interface Props {
+  rules: Rule[]
+  liveVersionsByRule: Record<string, RuleVersion | undefined>
+  overrides: TenantRuleOverride[]
+  onUpsert: (payload: {
+    rule_id: string
+    override_classification: Classification | null
+    reason: string
+  }) => Promise<void>
+  onDelete: (overrideId: string) => Promise<void>
+}
+
+export default function TenantOverrideList({
+  rules, liveVersionsByRule, overrides, onUpsert, onDelete,
+}: Props) {
+  const [filter, setFilter] = useState('')
+  const [showAdd, setShowAdd] = useState(false)
+  const [editing, setEditing] = useState<TenantRuleOverride | null>(null)
+  const [confirmDelete, setConfirmDelete] = useState<TenantRuleOverride | null>(null)
+
+  const rulesById = useMemo(
+    () => Object.fromEntries(rules.map((r) => [r.id, r])),
+    [rules],
+  )
+
+  const rows = useMemo(() => {
+    return overrides
+      .map((o) => {
+        const rule = rulesById[o.rule_id]
+        const live = liveVersionsByRule[o.rule_id]
+        return { override: o, rule, live }
+      })
+      .filter(({ rule }) => {
+        if (!filter.trim()) return true
+        const q = filter.toLowerCase()
+        return (
+          (rule?.title || '').toLowerCase().includes(q) ||
+          (rule?.document_type || '').toLowerCase().includes(q) ||
+          (rule?.rule_key || '').toLowerCase().includes(q)
+        )
+      })
+  }, [overrides, rulesById, liveVersionsByRule, filter])
+
+  return (
+    <div className="h-full flex flex-col overflow-hidden bg-white">
+      <header className="px-5 py-3 border-b border-gray-200 flex items-center justify-between gap-3">
+        <div className="min-w-0">
+          <h2 className="text-base font-semibold text-gray-800">Meine Overrides</h2>
+          <p className="text-xs text-gray-500">
+            Globale Regeln, die für meine Mandanten abweichend gelten.
+            {overrides.length > 0 && ` ${overrides.length} aktiv.`}
+          </p>
+        </div>
+        <div className="flex items-center gap-2">
+          <input
+            type="text"
+            placeholder="Suchen…"
+            value={filter}
+            onChange={(e) => setFilter(e.target.value)}
+            className="text-sm px-2 py-1.5 border border-gray-300 rounded"
+          />
+          <button
+            className="px-3 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700"
+            onClick={() => setShowAdd(true)}
+          >
+            + Override hinzufügen
+          </button>
+        </div>
+      </header>
+
+      <div className="flex-1 overflow-auto">
+        {rows.length === 0 ? (
+          <div className="p-8 text-center text-sm text-gray-500">
+            {overrides.length === 0
+              ? 'Noch keine Overrides angelegt. Klicke oben rechts „+ Override hinzufügen“, um die globale Klassifikation einer Regel für deine Kanzlei abweichend zu setzen.'
+              : 'Keine Treffer für den Filter.'}
+          </div>
+        ) : (
+          <table className="w-full text-sm">
+            <thead className="bg-gray-50 text-xs uppercase text-gray-600 sticky top-0">
+              <tr>
+                <th className="px-5 py-2 text-left">Regel</th>
+                <th className="px-3 py-2 text-left">Original</th>
+                <th className="px-3 py-2 text-left">Mein Override</th>
+                <th className="px-3 py-2 text-left">Grund</th>
+                <th className="px-3 py-2 text-left">Erstellt</th>
+                <th className="px-3 py-2 text-left">Aktionen</th>
+              </tr>
+            </thead>
+            <tbody>
+              {rows.map(({ override, rule, live }) => (
+                <tr key={override.id} className="border-t border-gray-100 hover:bg-gray-50">
+                  <td className="px-5 py-2">
+                    <div className="font-medium text-gray-800">{rule?.title ?? '(unbekannt)'}</div>
+                    <div className="text-xs text-gray-500">
+                      <code>{rule?.document_type ?? '?'}</code> · {rule?.rule_key ?? '?'}
+                    </div>
+                  </td>
+                  <td className="px-3 py-2">
+                    {live ? (
+                      <ClassChip classification={live.classification} />
+                    ) : (
+                      <span className="text-xs text-gray-400">—</span>
+                    )}
+                  </td>
+                  <td className="px-3 py-2">
+                    {override.override_classification ? (
+                      <ClassChip classification={override.override_classification} />
+                    ) : (
+                      <span className="px-1.5 py-0.5 text-xs rounded bg-gray-200 text-gray-700">
+                        deaktiviert
+                      </span>
+                    )}
+                  </td>
+                  <td className="px-3 py-2 text-xs text-gray-700 max-w-xs">
+                    <span className="line-clamp-2">{override.reason}</span>
+                  </td>
+                  <td className="px-3 py-2 text-xs text-gray-500 whitespace-nowrap">
+                    {new Date(override.created_at).toLocaleDateString('de-DE')}
+                    {override.created_by && (
+                      <div className="text-[10px]">{override.created_by}</div>
+                    )}
+                  </td>
+                  <td className="px-3 py-2">
+                    <div className="flex items-center gap-1">
+                      <button
+                        className="text-xs px-2 py-1 border border-gray-300 rounded hover:bg-gray-100"
+                        onClick={() => setEditing(override)}
+                      >
+                        Bearbeiten
+                      </button>
+                      <button
+                        className="text-xs px-2 py-1 border border-rose-300 text-rose-700 rounded hover:bg-rose-50"
+                        onClick={() => setConfirmDelete(override)}
+                      >
+                        Löschen
+                      </button>
+                    </div>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        )}
+      </div>
+
+      {showAdd && (
+        <OverrideDialog
+          title="Neuen Override anlegen"
+          rules={rules}
+          liveVersionsByRule={liveVersionsByRule}
+          existingOverrideRuleIds={new Set(overrides.map((o) => o.rule_id))}
+          onCancel={() => setShowAdd(false)}
+          onSubmit={async (payload) => {
+            await onUpsert(payload)
+            setShowAdd(false)
+          }}
+        />
+      )}
+
+      {editing && (
+        <OverrideDialog
+          title="Override bearbeiten"
+          rules={rules}
+          liveVersionsByRule={liveVersionsByRule}
+          existingOverrideRuleIds={new Set()}
+          initial={editing}
+          fixedRuleId={editing.rule_id}
+          onCancel={() => setEditing(null)}
+          onSubmit={async (payload) => {
+            await onUpsert(payload)
+            setEditing(null)
+          }}
+        />
+      )}
+
+      {confirmDelete && (
+        <ConfirmDialog
+          message={`Override für „${rulesById[confirmDelete.rule_id]?.title || 'Regel'}" wirklich löschen?`}
+          onCancel={() => setConfirmDelete(null)}
+          onConfirm={async () => {
+            await onDelete(confirmDelete.id)
+            setConfirmDelete(null)
+          }}
+        />
+      )}
+    </div>
+  )
+}
+
+function ClassChip({ classification }: { classification: Classification }) {
+  const colorMap = {
+    required: 'bg-rose-100 text-rose-800 border-rose-300',
+    recommended: 'bg-amber-100 text-amber-800 border-amber-300',
+    optional: 'bg-slate-100 text-slate-700 border-slate-300',
+  } as const
+  return (
+    <span className={`px-1.5 py-0.5 text-xs rounded border ${colorMap[classification]}`}>
+      {CLASSIFICATION_LABELS[classification]}
+    </span>
+  )
+}
+
+interface OverrideDialogProps {
+  title: string
+  rules: Rule[]
+  liveVersionsByRule: Record<string, RuleVersion | undefined>
+  existingOverrideRuleIds: Set<string>
+  initial?: TenantRuleOverride
+  fixedRuleId?: string
+  onCancel: () => void
+  onSubmit: (payload: {
+    rule_id: string
+    override_classification: Classification | null
+    reason: string
+  }) => Promise<void>
+}
+
+function OverrideDialog({
+  title, rules, liveVersionsByRule, existingOverrideRuleIds,
+  initial, fixedRuleId, onCancel, onSubmit,
+}: OverrideDialogProps) {
+  const [ruleId, setRuleId] = useState<string>(
+    fixedRuleId ?? initial?.rule_id ?? '',
+  )
+  const [classification, setClassification] = useState<Classification | 'disabled'>(
+    initial?.override_classification ?? 'optional',
+  )
+  const [reason, setReason] = useState<string>(initial?.reason ?? '')
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const availableRules = useMemo(() => {
+    if (fixedRuleId) {
+      // Edit-Mode: nur die eine Regel zeigen
+      return rules.filter((r) => r.id === fixedRuleId)
+    }
+    return rules.filter((r) => !existingOverrideRuleIds.has(r.id))
+  }, [rules, existingOverrideRuleIds, fixedRuleId])
+
+  const selectedRule = rules.find((r) => r.id === ruleId)
+  const selectedLive = ruleId ? liveVersionsByRule[ruleId] : undefined
+
+  const canSubmit = !!ruleId && reason.trim().length > 0 && !submitting
+
+  const handleSubmit = async () => {
+    setSubmitting(true)
+    setError(null)
+    try {
+      await onSubmit({
+        rule_id: ruleId,
+        override_classification: classification === 'disabled' ? null : classification,
+        reason: reason.trim(),
+      })
+    } catch (e) {
+      setError((e as Error).message)
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
+      <div
+        className="bg-white rounded-lg shadow-xl w-[560px] max-h-[90vh] flex flex-col"
+        onClick={(e) => e.stopPropagation()}
+      >
+        <header className="px-5 py-3 border-b border-gray-200">
+          <h3 className="font-semibold">{title}</h3>
+        </header>
+        <div className="p-5 space-y-4 overflow-y-auto">
+          <section>
+            <label className="text-xs font-medium text-gray-700 block mb-1">
+              Regel <span className="text-rose-600">*</span>
+            </label>
+            <select
+              className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded bg-white"
+              value={ruleId}
+              disabled={!!fixedRuleId}
+              onChange={(e) => setRuleId(e.target.value)}
+            >
+              <option value="">— Regel wählen —</option>
+              {availableRules.map((r) => (
+                <option key={r.id} value={r.id}>{r.title} ({r.document_type})</option>
+              ))}
+            </select>
+            {selectedRule && selectedLive && (
+              <div className="text-xs text-gray-600 mt-1">
+                Original-Klassifikation: <ClassChip classification={selectedLive.classification} />{' '}
+                · Quelle: {selectedLive.source_citation}
+              </div>
+            )}
+          </section>
+
+          <section>
+            <label className="text-xs font-medium text-gray-700 block mb-1">
+              Meine abweichende Klassifikation
+            </label>
+            <div className="space-y-1">
+              {(['required', 'recommended', 'optional', 'disabled'] as const).map((c) => (
+                <label key={c} className="flex items-center gap-2 text-sm">
+                  <input
+                    type="radio"
+                    name="classification"
+                    value={c}
+                    checked={classification === c}
+                    onChange={() => setClassification(c)}
+                  />
+                  {c === 'disabled' ? (
+                    <span className="text-gray-700">
+                      Deaktivieren (Regel gilt für meine Mandanten gar nicht)
+                    </span>
+                  ) : (
+                    <ClassChip classification={c} />
+                  )}
+                </label>
+              ))}
+            </div>
+          </section>
+
+          <section>
+            <label className="text-xs font-medium text-gray-700 block mb-1">
+              Grund <span className="text-rose-600">*</span>
+            </label>
+            <textarea
+              rows={4}
+              className="w-full text-sm px-2 py-1.5 border border-gray-300 rounded"
+              placeholder="Warum gilt diese Regel bei meinen Mandanten abweichend? (z.B. Bei Maschinenbauern haben wir CRA-Doku statt isolierter ISMS-Manuale.)"
+              value={reason}
+              onChange={(e) => setReason(e.target.value)}
+            />
+          </section>
+
+          {error && (
+            <div className="bg-rose-50 border border-rose-200 text-rose-800 text-sm px-3 py-2 rounded">
+              {error}
+            </div>
+          )}
+        </div>
+        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
+          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>
+            Abbrechen
+          </button>
+          <button
+            className="px-4 py-1.5 text-sm bg-amber-600 text-white rounded hover:bg-amber-700 disabled:opacity-50"
+            disabled={!canSubmit}
+            onClick={handleSubmit}
+          >
+            {submitting ? 'Speichere…' : 'Speichern'}
+          </button>
+        </footer>
+      </div>
+    </div>
+  )
+}
+
+function ConfirmDialog({
+  message, onCancel, onConfirm,
+}: {
+  message: string
+  onCancel: () => void
+  onConfirm: () => Promise<void>
+}) {
+  const [busy, setBusy] = useState(false)
+  return (
+    <div className="fixed inset-0 bg-black/30 z-50 flex items-center justify-center" onClick={onCancel}>
+      <div className="bg-white rounded-lg shadow-xl w-[420px]" onClick={(e) => e.stopPropagation()}>
+        <div className="p-5 text-sm text-gray-800">{message}</div>
+        <footer className="px-5 py-3 border-t border-gray-200 flex justify-end gap-2">
+          <button className="px-3 py-1.5 text-sm text-gray-600" onClick={onCancel}>Abbrechen</button>
+          <button
+            className="px-4 py-1.5 text-sm bg-rose-600 text-white rounded disabled:opacity-50"
+            disabled={busy}
+            onClick={async () => { setBusy(true); await onConfirm(); setBusy(false) }}
+          >
+            {busy ? 'Lösche…' : 'Löschen'}
+          </button>
+        </footer>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/template-rule-editor/_hooks/useRuleEditorActions.ts

@@ -0,0 +1,183 @@
+/**
+ * Hook fuer Template-Rule-Editor: laedt Regeln/Versions/History und exponiert
+ * Lifecycle-Actions (submit/approve/publish/reject) + Tenant-Override-CRUD.
+ *
+ * Alle API-Calls gehen ueber /api/sdk/v1/compliance/* (Next.js-Proxy zum
+ * backend-compliance).
+ */
+
+import { useCallback } from 'react'
+import type {
+  ApprovalHistoryEntry,
+  Classification,
+  Rule,
+  RuleCondition,
+  RuleVersion,
+  TenantRuleOverride,
+} from '../_types'
+
+const API_BASE = '/api/sdk/v1/compliance'
+
+async function req<T>(url: string, init?: RequestInit): Promise<T> {
+  const res = await fetch(url, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(init?.headers || {}),
+    },
+  })
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText)
+    throw new Error(`${res.status}: ${text}`)
+  }
+  if (res.status === 204) return undefined as T
+  return res.json() as Promise<T>
+}
+
+export function useRuleEditorActions() {
+  const listRules = useCallback(
+    (documentType?: string) => {
+      const q = documentType ? `?document_type=${encodeURIComponent(documentType)}` : ''
+      return req<Rule[]>(`${API_BASE}/template-rules${q}`)
+    },
+    [],
+  )
+
+  const getRule = useCallback(
+    (ruleId: string) => req<Rule>(`${API_BASE}/template-rules/${ruleId}`),
+    [],
+  )
+
+  const listVersions = useCallback(
+    (ruleId: string) => req<RuleVersion[]>(`${API_BASE}/template-rules/${ruleId}/versions`),
+    [],
+  )
+
+  const getVersion = useCallback(
+    (versionId: string) => req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}`),
+    [],
+  )
+
+  const createDraftVersion = useCallback(
+    (
+      ruleId: string,
+      payload: {
+        classification: Classification
+        conditions: RuleCondition
+        source_citation: string
+        rationale?: string | null
+        created_by?: string | null
+      },
+    ) =>
+      req<RuleVersion>(`${API_BASE}/template-rules/${ruleId}/versions`, {
+        method: 'POST',
+        body: JSON.stringify({
+          rule_id: ruleId,
+          ...payload,
+        }),
+      }),
+    [],
+  )
+
+  const updateDraftVersion = useCallback(
+    (
+      versionId: string,
+      patch: {
+        classification?: Classification
+        conditions?: RuleCondition
+        source_citation?: string
+        rationale?: string | null
+        change_summary?: string | null
+      },
+    ) =>
+      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}`, {
+        method: 'PATCH',
+        body: JSON.stringify(patch),
+      }),
+    [],
+  )
+
+  const submitForReview = useCallback(
+    (
+      versionId: string,
+      payload: { change_summary: string; submitter?: string; comment?: string },
+    ) =>
+      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/submit-review`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+      }),
+    [],
+  )
+
+  const approveVersion = useCallback(
+    (versionId: string, payload: { approver?: string; comment?: string } = {}) =>
+      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/approve`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+      }),
+    [],
+  )
+
+  const publishVersion = useCallback(
+    (versionId: string, payload: { approver?: string; comment?: string } = {}) =>
+      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/publish`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+      }),
+    [],
+  )
+
+  const rejectVersion = useCallback(
+    (
+      versionId: string,
+      payload: { rejection_reason: string; rejector?: string; comment?: string },
+    ) =>
+      req<RuleVersion>(`${API_BASE}/template-rule-versions/${versionId}/reject`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+      }),
+    [],
+  )
+
+  const getApprovalHistory = useCallback(
+    (versionId: string) =>
+      req<ApprovalHistoryEntry[]>(
+        `${API_BASE}/template-rule-versions/${versionId}/approval-history`,
+      ),
+    [],
+  )
+
+  const listOverrides = useCallback(
+    () => req<TenantRuleOverride[]>(`${API_BASE}/tenant-rule-overrides`),
+    [],
+  )
+
+  const upsertOverride = useCallback(
+    (payload: {
+      rule_id: string
+      override_classification: Classification | null
+      reason: string
+      created_by?: string
+    }) =>
+      req<TenantRuleOverride>(`${API_BASE}/tenant-rule-overrides`, {
+        method: 'POST',
+        body: JSON.stringify(payload),
+      }),
+    [],
+  )
+
+  const deleteOverride = useCallback(
+    (overrideId: string) =>
+      req<void>(`${API_BASE}/tenant-rule-overrides/${overrideId}`, { method: 'DELETE' }),
+    [],
+  )
+
+  return {
+    listRules, getRule,
+    listVersions, getVersion,
+    createDraftVersion, updateDraftVersion,
+    submitForReview, approveVersion, publishVersion, rejectVersion,
+    getApprovalHistory,
+    listOverrides, upsertOverride, deleteOverride,
+  }
+}

admin-compliance/app/sdk/template-rule-editor/_types.ts

@@ -0,0 +1,246 @@
+/**
+ * Types fuer den Template-Rule-Editor (SDK).
+ *
+ * Spiegeln die Pydantic-Modelle aus
+ * backend-compliance/compliance/schemas/template_rule.py.
+ */
+
+export type Classification = 'required' | 'recommended' | 'optional'
+
+export type RuleStatus =
+  | 'draft' | 'review' | 'approved' | 'published' | 'archived' | 'rejected'
+
+export type ClauseOperator =
+  | 'eq' | 'neq' | 'in' | 'not_in'
+  | 'gt' | 'gte' | 'lt' | 'lte'
+  | 'exists' | 'truthy' | 'falsy'
+
+export interface RuleClause {
+  field: string
+  op: ClauseOperator
+  value?: unknown
+}
+
+export interface RuleCondition {
+  kind: 'all' | 'any'
+  clauses: RuleClause[]
+}
+
+export interface Rule {
+  id: string
+  rule_key: string
+  document_type: string
+  title: string
+  current_version_id: string | null
+  created_at: string
+  updated_at: string | null
+}
+
+export interface RuleVersion {
+  id: string
+  rule_id: string
+  version_number: number
+  status: RuleStatus
+  is_live: boolean
+  classification: Classification
+  conditions: RuleCondition
+  source_citation: string
+  rationale: string | null
+  change_summary: string | null
+  created_by: string | null
+  submitted_by: string | null
+  submitted_at: string | null
+  approved_by: string | null
+  approved_at: string | null
+  published_by: string | null
+  published_at: string | null
+  rejected_by: string | null
+  rejected_at: string | null
+  rejection_reason: string | null
+  created_at: string
+  updated_at: string | null
+}
+
+export interface ApprovalHistoryEntry {
+  id: string
+  version_id: string
+  action: string
+  approver: string | null
+  comment: string | null
+  created_at: string
+}
+
+export interface TenantRuleOverride {
+  id: string
+  tenant_id: string
+  rule_id: string
+  override_classification: Classification | null
+  reason: string
+  created_by: string | null
+  created_at: string
+  updated_at: string | null
+}
+
+// ---- Profil-Felder fuer Condition-Builder ----
+
+export interface ProfileFieldOption {
+  /** Key der im Profil verwendet wird */
+  key: string
+  /** Label fuer die UI */
+  label: string
+  /** Kategorie fuer Gruppierung */
+  category: 'org' | 'proc' | 'prod' | 'comp' | 'tech' | 'compliance'
+  /** Erwarteter Datentyp */
+  type: 'string' | 'number' | 'boolean' | 'enum'
+  /** Wenn enum: Mögliche Werte mit Label */
+  options?: { value: string; label: string }[]
+}
+
+/**
+ * Die 17 Profil-Felder, die in den 33 Initial-Regeln verwendet werden.
+ * Aus templateRecommendations.ts portiert + compliance_depth_level ergaenzt.
+ */
+export const PROFILE_FIELDS: ProfileFieldOption[] = [
+  {
+    key: 'compliance_depth_level',
+    label: 'Compliance-Tiefe',
+    category: 'compliance', type: 'enum',
+    options: [
+      { value: 'L1', label: 'L1 — Lean Startup' },
+      { value: 'L2', label: 'L2 — Standard' },
+      { value: 'L3', label: 'L3 — Strict' },
+      { value: 'L4', label: 'L4 — Zertifizierungsbereit' },
+    ],
+  },
+  {
+    key: 'org_employee_count',
+    label: 'Mitarbeiterzahl',
+    category: 'org', type: 'enum',
+    options: [
+      { value: 'none', label: 'Keine' },
+      { value: '1_9', label: '1–9' },
+      { value: '10_49', label: '10–49' },
+      { value: '50_249', label: '50–249' },
+      { value: '250_999', label: '250–999' },
+      { value: '1000_plus', label: '1000+' },
+    ],
+  },
+  {
+    key: 'org_has_employees', label: 'Hat Mitarbeiter', category: 'org', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'org_business_model', label: 'Geschäftsmodell', category: 'org', type: 'enum',
+    options: [
+      { value: 'b2b_saas', label: 'B2B SaaS' },
+      { value: 'b2c_shop', label: 'B2C Shop' },
+      { value: 'platform', label: 'Plattform' },
+      { value: 'marketplace', label: 'Marktplatz' },
+      { value: 'social', label: 'Social Media' },
+      { value: 'saas', label: 'SaaS' },
+      { value: 'media', label: 'Media' },
+      { value: 'manufacturing', label: 'Maschinenbau' },
+      { value: 'other', label: 'Sonstiges' },
+    ],
+  },
+  {
+    key: 'org_has_social_media', label: 'Hat Social Media', category: 'org', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'org_has_video_conferencing', label: 'Hat Video-Konferenzen', category: 'org', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'org_cert_target', label: 'Zertifizierungsziel', category: 'org', type: 'enum',
+    options: [
+      { value: 'none', label: 'Keines' },
+      { value: 'iso27001', label: 'ISO 27001' },
+      { value: 'iso27701', label: 'ISO 27701' },
+      { value: 'tisax', label: 'TISAX' },
+    ],
+  },
+  {
+    key: 'proc_ai_usage', label: 'KI-Nutzung', category: 'proc', type: 'enum',
+    options: [
+      { value: 'none', label: 'Keine' },
+      { value: 'limited', label: 'Begrenzt' },
+      { value: 'extensive', label: 'Umfangreich' },
+    ],
+  },
+  {
+    key: 'proc_uses_ai_tools', label: 'Nutzt KI-Tools', category: 'proc', type: 'boolean',
+  },
+  {
+    key: 'proc_byod_allowed', label: 'BYOD erlaubt', category: 'proc', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'proc_dsfa_required', label: 'DSFA erforderlich', category: 'proc', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'prod_webshop', label: 'Webshop', category: 'prod', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'prod_ugc_platform', label: 'UGC-Plattform', category: 'prod', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'prod_consent_management', label: 'Consent Management', category: 'prod', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'comp_has_processors', label: 'Auftragsverarbeiter', category: 'comp', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'comp_vendor_management', label: 'Vendor-Management', category: 'comp', type: 'enum',
+    options: [{ value: 'yes', label: 'Ja' }, { value: 'no', label: 'Nein' }],
+  },
+  {
+    key: 'comp_dsfa_processes', label: 'DSFA-Prozesse', category: 'comp', type: 'enum',
+    options: [{ value: 'required', label: 'Erforderlich' }, { value: 'optional', label: 'Optional' }],
+  },
+  {
+    key: 'tech_third_country', label: 'Drittland-Transfer', category: 'tech', type: 'enum',
+    options: [
+      { value: 'no', label: 'Nein' },
+      { value: 'us_dpf_only', label: 'Nur US-DPF' },
+      { value: 'adequate_only', label: 'Nur Angemessenheitsbeschluss' },
+      { value: 'yes_us', label: 'Ja, USA' },
+      { value: 'yes_other', label: 'Ja, Sonstige' },
+    ],
+  },
+]
+
+
+export const OPERATOR_LABELS: Record<ClauseOperator, string> = {
+  eq: 'gleich (=)',
+  neq: 'ungleich (≠)',
+  in: 'in Liste',
+  not_in: 'nicht in Liste',
+  gt: 'größer (>)',
+  gte: 'größer/gleich (≥)',
+  lt: 'kleiner (<)',
+  lte: 'kleiner/gleich (≤)',
+  exists: 'existiert',
+  truthy: 'ist gesetzt',
+  falsy: 'ist leer',
+}
+
+export const CLASSIFICATION_LABELS: Record<Classification, string> = {
+  required: 'Pflicht',
+  recommended: 'Empfohlen',
+  optional: 'Optional',
+}
+
+export const STATUS_LABELS: Record<RuleStatus, string> = {
+  draft: 'Entwurf',
+  review: 'In Prüfung',
+  approved: 'Freigegeben',
+  published: 'Live',
+  archived: 'Archiviert',
+  rejected: 'Abgelehnt',
+}

admin-compliance/app/sdk/template-rule-editor/page.tsx

@@ -0,0 +1,280 @@
+'use client'
+
+/**
+ * Template Rule Editor — Editorial-UI fuer Anwaelte/DSBs.
+ *
+ * Architektur:
+ * - Links: RuleList mit Filter
+ * - Rechts: RuleEditor mit Klassifikation, Condition-Builder, Source-Citation,
+ *   Approval-Workflow (draft → review → approved → published)
+ *
+ * Backend: /api/sdk/v1/compliance/template-rules + /template-rule-versions/*
+ */
+
+import { useEffect, useState, useCallback } from 'react'
+import { useSDK } from '@/lib/sdk'
+import StepHeader from '@/components/sdk/StepHeader/StepHeader'
+import { useRuleEditorActions } from './_hooks/useRuleEditorActions'
+import type {
+  ApprovalHistoryEntry, Classification, Rule, RuleCondition, RuleVersion,
+  TenantRuleOverride,
+} from './_types'
+import RuleList from './_components/RuleList'
+import RuleEditor from './_components/RuleEditor'
+import TenantOverrideList from './_components/TenantOverrideList'
+
+type Tab = 'rules' | 'overrides'
+
+export default function TemplateRuleEditorPage() {
+  useSDK()
+
+  const actions = useRuleEditorActions()
+
+  const [tab, setTab] = useState<Tab>('rules')
+  const [rules, setRules] = useState<Rule[]>([])
+  const [liveVersionsByRule, setLiveVersionsByRule] = useState<Record<string, RuleVersion | undefined>>({})
+  const [selectedRuleId, setSelectedRuleId] = useState<string | null>(null)
+  const [selectedVersions, setSelectedVersions] = useState<RuleVersion[]>([])
+  const [selectedHistory, setSelectedHistory] = useState<ApprovalHistoryEntry[]>([])
+  const [overrides, setOverrides] = useState<TenantRuleOverride[]>([])
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  // Initial: Regeln laden + Live-Versions
+  const loadRules = useCallback(async () => {
+    setLoading(true)
+    setError(null)
+    try {
+      const list = await actions.listRules()
+      setRules(list)
+      const byRule: Record<string, RuleVersion | undefined> = {}
+      // Live-Versionen parallel
+      await Promise.all(
+        list.map(async (r) => {
+          try {
+            const versions = await actions.listVersions(r.id)
+            const live = versions.find((v) => v.is_live)
+            byRule[r.id] = live
+          } catch {
+            byRule[r.id] = undefined
+          }
+        }),
+      )
+      setLiveVersionsByRule(byRule)
+      if (list.length > 0 && !selectedRuleId) {
+        setSelectedRuleId(list[0].id)
+      }
+    } catch (e) {
+      setError((e as Error).message)
+    } finally {
+      setLoading(false)
+    }
+  }, [actions, selectedRuleId])
+
+  // Bei Selektions-Wechsel: Versions + History laden
+  const loadSelected = useCallback(async () => {
+    if (!selectedRuleId) {
+      setSelectedVersions([])
+      setSelectedHistory([])
+      return
+    }
+    try {
+      const versions = await actions.listVersions(selectedRuleId)
+      setSelectedVersions(versions)
+      const live = versions.find((v) => v.is_live)
+      if (live) {
+        const history = await actions.getApprovalHistory(live.id)
+        setSelectedHistory(history)
+      } else {
+        setSelectedHistory([])
+      }
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }, [actions, selectedRuleId])
+
+  useEffect(() => { loadRules() }, [])
+  useEffect(() => { loadSelected() }, [selectedRuleId])
+
+  const handleCreateDraft = async (payload: {
+    classification: Classification
+    conditions: RuleCondition
+    source_citation: string
+    rationale?: string | null
+  }) => {
+    if (!selectedRuleId) return
+    try {
+      await actions.createDraftVersion(selectedRuleId, payload)
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const handleUpdateDraft = async (versionId: string, patch: {
+    classification?: Classification
+    conditions?: RuleCondition
+    source_citation?: string
+    rationale?: string | null
+  }) => {
+    try {
+      await actions.updateDraftVersion(versionId, patch)
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const handleSubmitForReview = async (versionId: string, changeSummary: string) => {
+    try {
+      await actions.submitForReview(versionId, { change_summary: changeSummary })
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const handleApprove = async (versionId: string) => {
+    try {
+      await actions.approveVersion(versionId)
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const handlePublish = async (versionId: string) => {
+    try {
+      await actions.publishVersion(versionId)
+      await loadRules()
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const handleReject = async (versionId: string, reason: string) => {
+    try {
+      await actions.rejectVersion(versionId, { rejection_reason: reason })
+      await loadSelected()
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }
+
+  const loadOverrides = useCallback(async () => {
+    try {
+      const list = await actions.listOverrides()
+      setOverrides(list)
+    } catch (e) {
+      setError((e as Error).message)
+    }
+  }, [actions])
+
+  useEffect(() => { loadOverrides() }, [])
+
+  const handleUpsertOverride = async (payload: {
+    rule_id: string
+    override_classification: Classification | null
+    reason: string
+  }) => {
+    await actions.upsertOverride(payload)
+    await loadOverrides()
+  }
+
+  const handleDeleteOverride = async (overrideId: string) => {
+    await actions.deleteOverride(overrideId)
+    await loadOverrides()
+  }
+
+  const selectedRule = rules.find((r) => r.id === selectedRuleId)
+
+  return (
+    <div className="h-full flex flex-col bg-white">
+      <StepHeader
+        stepId="template-rule-editor"
+        title="Empfehlungs-Regeln"
+        description="Editorial-UI für profilbasierte Dokument-Empfehlungen. Anwälte/DSBs editieren globale Regeln mit Approval-Workflow + Quellen-Attribution."
+      />
+      {error && (
+        <div className="px-5 py-2 bg-rose-50 border-b border-rose-200 text-sm text-rose-800">
+          {error}
+        </div>
+      )}
+      {loading && (
+        <div className="p-5 text-sm text-gray-500">Lade Regeln…</div>
+      )}
+      {!loading && (
+        <>
+          <nav className="px-5 border-b border-gray-200 bg-white flex gap-1">
+            <TabButton active={tab === 'rules'} onClick={() => setTab('rules')}>
+              Globale Regeln <span className="text-xs text-gray-500">({rules.length})</span>
+            </TabButton>
+            <TabButton active={tab === 'overrides'} onClick={() => setTab('overrides')}>
+              Meine Overrides <span className="text-xs text-gray-500">({overrides.length})</span>
+            </TabButton>
+          </nav>
+          {tab === 'rules' && (
+            <div className="flex-1 grid grid-cols-[320px_1fr] overflow-hidden">
+              <RuleList
+                rules={rules}
+                versionsByRule={liveVersionsByRule}
+                selectedRuleId={selectedRuleId}
+                onSelectRule={setSelectedRuleId}
+              />
+              {selectedRule ? (
+                <RuleEditor
+                  rule={selectedRule}
+                  versions={selectedVersions}
+                  history={selectedHistory}
+                  onCreateDraft={handleCreateDraft}
+                  onUpdateDraft={handleUpdateDraft}
+                  onSubmitForReview={handleSubmitForReview}
+                  onApprove={handleApprove}
+                  onPublish={handlePublish}
+                  onReject={handleReject}
+                />
+              ) : (
+                <div className="h-full grid place-items-center text-sm text-gray-500">
+                  Wähle links eine Regel zum Bearbeiten.
+                </div>
+              )}
+            </div>
+          )}
+          {tab === 'overrides' && (
+            <div className="flex-1 overflow-hidden">
+              <TenantOverrideList
+                rules={rules}
+                liveVersionsByRule={liveVersionsByRule}
+                overrides={overrides}
+                onUpsert={handleUpsertOverride}
+                onDelete={handleDeleteOverride}
+              />
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  )
+}
+
+function TabButton({
+  active, onClick, children,
+}: {
+  active: boolean
+  onClick: () => void
+  children: React.ReactNode
+}) {
+  return (
+    <button
+      className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
+        active
+          ? 'border-amber-500 text-gray-900'
+          : 'border-transparent text-gray-600 hover:text-gray-800 hover:border-gray-300'
+      }`}
+      onClick={onClick}
+    >
+      {children}
+    </button>
+  )
+}

admin-compliance/app/sdk/tom-generator/page.tsx

@@ -4,6 +4,7 @@ import React from 'react'
 import { useRouter } from 'next/navigation'
 import { useTOMGenerator } from '@/lib/sdk/tom-generator'
 import { TOM_GENERATOR_STEPS } from '@/lib/sdk/tom-generator/types'
+import { LicenseModuleBanner } from '@/components/sdk/LicenseModuleBanner'
 
 /**
  * TOM Generator Landing Page
@@ -45,6 +46,14 @@ export default function TOMGeneratorPage() {
         </p>
       </div>
 
+      <div className="mb-6">
+        <LicenseModuleBanner
+          rule={1}
+          sourceLabel="DSGVO Art. 32 (EU 2016/679) — TOM-Anforderungen"
+          detail="Generator-Logik und Vorlagen sind BreakPilot-Eigenwerk (R3); zitierte Rechtsquelle EU_LAW (R1)."
+        />
+      </div>
+
       {/* Progress Card */}
       {hasProgress && (
         <div className="bg-white rounded-xl border border-gray-200 p-6 mb-8">

admin-compliance/app/sdk/vvt/_components/TabVerzeichnis.tsx

@@ -350,7 +350,12 @@ function ActivityCard({ activity, onEdit, onDelete }: { activity: VVTActivity; o
               <span className="px-2 py-0.5 text-xs bg-purple-100 text-purple-700 rounded-full">DSFA</span>
             )}
             {(activity as any).sourceTemplateId && (
-              <span className="px-2 py-0.5 text-xs bg-indigo-100 text-indigo-700 rounded-full">Vorlage</span>
+              <span
+                className="px-2 py-0.5 text-xs bg-indigo-100 text-indigo-700 rounded-full cursor-help"
+                title="Erstellt aus Bundeslaender-DSGVO-Vorlage (Art. 30 DSGVO). Lizenzregel R1 — Hoheitsrecht/DE_LAW, woertlich uebernehmbar."
+              >
+                Vorlage · R1
+              </span>
             )}
           </div>
           <h3 className="text-base font-semibold text-gray-900 truncate">{activity.name || '(Ohne Namen)'}</h3>

admin-compliance/app/sdk/workflow/_components/ApprovalModal.tsx

@@ -1,7 +1,9 @@
 'use client'
 
+export type ApprovalModalMode = 'approve-internal' | 'approve-client' | 'reject'
+
 interface ApprovalModalProps {
-  mode: 'approve' | 'reject'
+  mode: ApprovalModalMode
   approvalComment: string
   onCommentChange: (comment: string) => void
   onCancel: () => void
@@ -9,6 +11,26 @@ interface ApprovalModalProps {
   saving: boolean
 }
 
+const TITLES: Record<ApprovalModalMode, string> = {
+  'approve-internal': 'DSB-Freigabe → an Mandant weiterleiten',
+  'approve-client': 'Mandanten-Freigabe erteilen',
+  reject: 'Version ablehnen',
+}
+
+const BUTTON_LABELS: Record<ApprovalModalMode, string> = {
+  'approve-internal': 'DSB-Freigabe erteilen',
+  'approve-client': 'Mandanten-Freigabe erteilen',
+  reject: 'Ablehnen',
+}
+
+const PLACEHOLDERS: Record<ApprovalModalMode, string> = {
+  'approve-internal':
+    'Kommentar (optional) — Hinweise für den Mandanten...',
+  'approve-client':
+    'Kommentar (optional) — z.B. Freigabe durch Geschäftsführung...',
+  reject: 'Ablehnungsgrund...',
+}
+
 export default function ApprovalModal({
   mode,
   approvalComment,
@@ -17,18 +39,17 @@ export default function ApprovalModal({
   onConfirm,
   saving,
 }: ApprovalModalProps) {
+  const isReject = mode === 'reject'
   return (
     <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
       <div className="bg-white rounded-xl shadow-xl p-6 w-full max-w-md">
-        <h3 className="text-lg font-semibold text-slate-900 mb-4">
-          {mode === 'approve' ? 'Version freigeben' : 'Version ablehnen'}
-        </h3>
+        <h3 className="text-lg font-semibold text-slate-900 mb-4">{TITLES[mode]}</h3>
         <textarea
           value={approvalComment}
           onChange={(e) => onCommentChange(e.target.value)}
-          placeholder={mode === 'approve' ? 'Kommentar (optional)...' : 'Ablehnungsgrund...'}
+          placeholder={PLACEHOLDERS[mode]}
           className="w-full px-3 py-2 border border-slate-300 rounded-lg min-h-[100px] mb-4"
-          required={mode === 'reject'}
+          required={isReject}
         />
         <div className="flex justify-end gap-3">
           <button
@@ -39,14 +60,12 @@ export default function ApprovalModal({
           </button>
           <button
             onClick={onConfirm}
-            disabled={saving || (mode === 'reject' && !approvalComment)}
+            disabled={saving || (isReject && !approvalComment)}
             className={`px-4 py-2 text-white rounded-lg disabled:opacity-50 ${
-              mode === 'approve'
-                ? 'bg-green-600 hover:bg-green-700'
-                : 'bg-red-600 hover:bg-red-700'
+              isReject ? 'bg-red-600 hover:bg-red-700' : 'bg-green-600 hover:bg-green-700'
             }`}
           >
-            {saving ? 'Wird verarbeitet...' : mode === 'approve' ? 'Freigeben' : 'Ablehnen'}
+            {saving ? 'Wird verarbeitet...' : BUTTON_LABELS[mode]}
           </button>
         </div>
       </div>

admin-compliance/app/sdk/workflow/_components/CompareView.tsx

@@ -1,6 +1,7 @@
 'use client'
 
 import { Version, STATUS_LABELS } from '../_types'
+import type { ApprovalModalMode } from './ApprovalModal'
 
 interface CompareViewProps {
   currentVersion: Version | null
@@ -9,7 +10,7 @@ interface CompareViewProps {
   onClose: () => void
   onSaveDraft: () => void
   onSubmitForReview: () => void
-  onShowApprovalModal: (mode: 'approve' | 'reject') => void
+  onShowApprovalModal: (mode: ApprovalModalMode) => void
   onPublishVersion: () => void
 }
 
@@ -64,28 +65,26 @@ export default function CompareView({
 
         {/* Right: Draft */}
         <div className="bg-white flex flex-col">
-          <div className={`border-b px-4 py-2 ${
-            draftVersion?.status === 'draft' ? 'bg-yellow-100 border-yellow-200' :
-            draftVersion?.status === 'review' ? 'bg-blue-100 border-blue-200' :
-            draftVersion?.status === 'approved' ? 'bg-green-100 border-green-200' :
-            'bg-slate-100 border-slate-200'
-          }`}>
-            <span className={`font-medium ${
-              draftVersion?.status === 'draft' ? 'text-yellow-800' :
-              draftVersion?.status === 'review' ? 'text-blue-800' :
-              draftVersion?.status === 'approved' ? 'text-green-800' :
-              'text-slate-800'
-            }`}>
+          <div
+            className={`border-b px-4 py-2 ${
+              draftVersion?.status === 'draft'
+                ? 'bg-yellow-100 border-yellow-200'
+                : draftVersion?.status === 'review' || draftVersion?.status === 'review_internal'
+                  ? 'bg-blue-100 border-blue-200'
+                  : draftVersion?.status === 'review_client'
+                    ? 'bg-indigo-100 border-indigo-200'
+                    : draftVersion?.status === 'approved'
+                      ? 'bg-green-100 border-green-200'
+                      : 'bg-slate-100 border-slate-200'
+            }`}
+          >
+            <span className="font-medium text-slate-800">
               {draftVersion ? 'Aenderungsversion' : 'Neue Version'}
             </span>
             {draftVersion && (
-              <span className={`ml-2 ${
-                draftVersion.status === 'draft' ? 'text-yellow-600' :
-                draftVersion.status === 'review' ? 'text-blue-600' :
-                draftVersion.status === 'approved' ? 'text-green-600' :
-                'text-slate-600'
-              }`}>
-                v{draftVersion.version} - {STATUS_LABELS[draftVersion.status].label}
+              <span className="ml-2 text-slate-600">
+                v{draftVersion.version} -{' '}
+                {STATUS_LABELS[draftVersion.status]?.label ?? draftVersion.status}
               </span>
             )}
           </div>
@@ -113,7 +112,7 @@ export default function CompareView({
             </button>
           </>
         )}
-        {draftVersion?.status === 'review' && (
+        {draftVersion?.status === 'review_internal' && (
           <>
             <button
               onClick={() => { onClose(); onShowApprovalModal('reject') }}
@@ -122,10 +121,26 @@ export default function CompareView({
               Ablehnen
             </button>
             <button
-              onClick={() => { onClose(); onShowApprovalModal('approve') }}
+              onClick={() => { onClose(); onShowApprovalModal('approve-internal') }}
               className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-500"
             >
-              Freigeben
+              DSB-Freigabe → Mandant
+            </button>
+          </>
+        )}
+        {draftVersion?.status === 'review_client' && (
+          <>
+            <button
+              onClick={() => { onClose(); onShowApprovalModal('reject') }}
+              className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-500"
+            >
+              Ablehnen
+            </button>
+            <button
+              onClick={() => { onClose(); onShowApprovalModal('approve-client') }}
+              className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-500"
+            >
+              Mandanten-Freigabe
             </button>
           </>
         )}

admin-compliance/app/sdk/workflow/_components/HistoryPanel.tsx

@@ -9,6 +9,32 @@ interface HistoryPanelProps {
   currentVersion: Version | null
 }
 
+// Backend-Actions (compliance/services/legal_document_service.py):
+//   submitted_internal, approved_internal, approved_client,
+//   published, rejected, plus alte Werte 'submitted'/'approved'.
+const ACTION_LABELS: Record<string, string> = {
+  submitted: 'Eingereicht',
+  submitted_internal: 'An DSB eingereicht',
+  approved: 'Freigegeben',
+  approved_internal: 'DSB-Freigabe → Mandant',
+  approved_client: 'Mandanten-Freigabe',
+  published: 'Veroeffentlicht',
+  rejected: 'Abgelehnt',
+}
+
+function actionLabel(action: string): string {
+  return ACTION_LABELS[action] || action
+}
+
+function actionBadgeClass(action: string): string {
+  if (action.startsWith('approved') || action === 'published') {
+    return 'bg-green-100 text-green-700'
+  }
+  if (action === 'rejected') return 'bg-red-100 text-red-700'
+  if (action.startsWith('submitted')) return 'bg-blue-100 text-blue-700'
+  return 'bg-slate-100 text-slate-700'
+}
+
 export default function HistoryPanel({
   approvalHistory,
   versions,
@@ -22,12 +48,9 @@ export default function HistoryPanel({
         <div className="space-y-3">
           {approvalHistory.map((item, idx) => (
             <div key={idx} className="flex items-center gap-4 p-3 border border-slate-200 rounded-lg">
-              <span className={`px-2 py-1 rounded text-xs ${
-                item.action === 'approved' ? 'bg-green-100 text-green-700' :
-                item.action === 'rejected' ? 'bg-red-100 text-red-700' :
-                item.action === 'submitted' ? 'bg-blue-100 text-blue-700' :
-                'bg-slate-100 text-slate-700'
-              }`}>{item.action}</span>
+              <span className={`px-2 py-1 rounded text-xs ${actionBadgeClass(item.action)}`}>
+                {actionLabel(item.action)}
+              </span>
               <span className="text-sm text-slate-600">{item.approver || 'System'}</span>
               {item.comment && (
                 <span className="text-sm text-slate-500 italic">&quot;{item.comment}&quot;</span>
@@ -56,8 +79,12 @@ export default function HistoryPanel({
             <div className="flex items-center justify-between">
               <div className="flex items-center gap-3">
                 <span className="font-mono font-medium">v{v.version}</span>
-                <span className={`px-2 py-0.5 rounded text-xs ${STATUS_LABELS[v.status].color}`}>
-                  {STATUS_LABELS[v.status].label}
+                <span
+                  className={`px-2 py-0.5 rounded text-xs ${
+                    STATUS_LABELS[v.status]?.color ?? 'bg-slate-100 text-slate-700'
+                  }`}
+                >
+                  {STATUS_LABELS[v.status]?.label ?? v.status}
                 </span>
                 <span className="text-sm text-slate-500">{v.title}</span>
               </div>

admin-compliance/app/sdk/workflow/_components/SplitViewEditor.tsx

@@ -70,29 +70,27 @@ export default function SplitViewEditor({
 
       {/* Right: Draft/Edit Version */}
       <div className="bg-white rounded-xl shadow-sm border overflow-hidden">
-        <div className={`border-b px-4 py-3 flex items-center justify-between ${
-          draftVersion?.status === 'draft' ? 'bg-yellow-50 border-yellow-200' :
-          draftVersion?.status === 'review' ? 'bg-blue-50 border-blue-200' :
-          draftVersion?.status === 'approved' ? 'bg-green-50 border-green-200' :
-          'bg-slate-50 border-slate-200'
-        }`}>
+        <div
+          className={`border-b px-4 py-3 flex items-center justify-between ${
+            draftVersion?.status === 'draft'
+              ? 'bg-yellow-50 border-yellow-200'
+              : draftVersion?.status === 'review' || draftVersion?.status === 'review_internal'
+                ? 'bg-blue-50 border-blue-200'
+                : draftVersion?.status === 'review_client'
+                  ? 'bg-indigo-50 border-indigo-200'
+                  : draftVersion?.status === 'approved'
+                    ? 'bg-green-50 border-green-200'
+                    : 'bg-slate-50 border-slate-200'
+          }`}
+        >
           <div>
-            <h3 className={`font-semibold ${
-              draftVersion?.status === 'draft' ? 'text-yellow-900' :
-              draftVersion?.status === 'review' ? 'text-blue-900' :
-              draftVersion?.status === 'approved' ? 'text-green-900' :
-              'text-slate-900'
-            }`}>
+            <h3 className="font-semibold text-slate-900">
               {draftVersion ? 'Aenderungsversion' : 'Neue Version'}
             </h3>
             {draftVersion && (
-              <p className={`text-sm ${
-                draftVersion.status === 'draft' ? 'text-yellow-700' :
-                draftVersion.status === 'review' ? 'text-blue-700' :
-                draftVersion.status === 'approved' ? 'text-green-700' :
-                'text-slate-700'
-              }`}>
-                v{draftVersion.version} - {STATUS_LABELS[draftVersion.status].label}
+              <p className="text-sm text-slate-700">
+                v{draftVersion.version} -{' '}
+                {STATUS_LABELS[draftVersion.status]?.label ?? draftVersion.status}
               </p>
             )}
           </div>

admin-compliance/app/sdk/workflow/_components/WorkflowStatusBar.tsx

@@ -2,16 +2,35 @@
 
 import { Version } from '../_types'
 
+export type ApprovalMode = 'approve-internal' | 'approve-client' | 'reject'
+
 interface WorkflowStatusBarProps {
   draftVersion: Version | null
   saving: boolean
   onCreateNewDraft: () => void
   onSaveDraft: () => void
   onSubmitForReview: () => void
-  onShowApprovalModal: (mode: 'approve' | 'reject') => void
+  onShowApprovalModal: (mode: ApprovalMode) => void
   onPublishVersion: () => void
 }
 
+// 5-Stage Lifecycle:
+//   draft → review_internal (DSB-Pruefung) → review_client (Mandant-Pruefung)
+//        → approved → published
+// Buttons sind v1 nicht role-gefiltert — alle relevanten Aktionen sichtbar.
+const STAGES: { status: string; label: string }[] = [
+  { status: 'draft', label: 'Entwurf' },
+  { status: 'review_internal', label: 'DSB-Pruefung' },
+  { status: 'review_client', label: 'Mandant-Pruefung' },
+  { status: 'approved', label: 'Freigegeben' },
+  { status: 'published', label: 'Veroeffentlicht' },
+]
+
+function isActiveStage(stageStatus: string, draftStatus: string | undefined, hasDraft: boolean) {
+  if (stageStatus === 'published') return !hasDraft
+  return draftStatus === stageStatus
+}
+
 export default function WorkflowStatusBar({
   draftVersion,
   saving,
@@ -21,34 +40,31 @@ export default function WorkflowStatusBar({
   onShowApprovalModal,
   onPublishVersion,
 }: WorkflowStatusBarProps) {
+  const status = draftVersion?.status
   return (
     <div className="bg-white rounded-xl shadow-sm border p-4">
-      <div className="flex items-center justify-between">
-        <div className="flex items-center gap-6">
-          {['draft', 'review', 'approved', 'published'].map((status, idx) => (
-            <div key={status} className="flex items-center">
-              {idx > 0 && <div className="w-8 h-0.5 bg-slate-200 mr-2" />}
+      <div className="flex items-center justify-between flex-wrap gap-4">
+        <div className="flex items-center gap-4 flex-wrap">
+          {STAGES.map((stage, idx) => (
+            <div key={stage.status} className="flex items-center">
+              {idx > 0 && <div className="w-6 h-0.5 bg-slate-200 mr-2" />}
               <div className="flex items-center gap-2">
-                <div className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
-                  (status === 'draft' && draftVersion?.status === 'draft') ||
-                  (status === 'review' && draftVersion?.status === 'review') ||
-                  (status === 'approved' && draftVersion?.status === 'approved') ||
-                  (status === 'published' && !draftVersion)
-                    ? 'bg-purple-500 text-white'
-                    : 'bg-slate-200 text-slate-600'
-                }`}>{idx + 1}</div>
-                <span className="text-sm text-slate-600">
-                  {status === 'draft' ? 'Entwurf' :
-                   status === 'review' ? 'Pruefung' :
-                   status === 'approved' ? 'Freigegeben' : 'Veroeffentlicht'}
-                </span>
+                <div
+                  className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
+                    isActiveStage(stage.status, status, Boolean(draftVersion))
+                      ? 'bg-purple-500 text-white'
+                      : 'bg-slate-200 text-slate-600'
+                  }`}
+                >
+                  {idx + 1}
+                </div>
+                <span className="text-sm text-slate-600">{stage.label}</span>
               </div>
             </div>
           ))}
         </div>
 
-        {/* Action Buttons */}
-        <div className="flex items-center gap-2">
+        <div className="flex items-center gap-2 flex-wrap">
           {!draftVersion && (
             <button
               onClick={onCreateNewDraft}
@@ -59,7 +75,7 @@ export default function WorkflowStatusBar({
             </button>
           )}
 
-          {draftVersion?.status === 'draft' && (
+          {status === 'draft' && (
             <>
               <button
                 onClick={onSaveDraft}
@@ -73,12 +89,12 @@ export default function WorkflowStatusBar({
                 disabled={saving}
                 className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50 text-sm font-medium"
               >
-                Zur Pruefung einreichen
+                An DSB einreichen
               </button>
             </>
           )}
 
-          {draftVersion?.status === 'review' && (
+          {status === 'review_internal' && (
             <>
               <button
                 onClick={() => onShowApprovalModal('reject')}
@@ -88,16 +104,35 @@ export default function WorkflowStatusBar({
                 Ablehnen
               </button>
               <button
-                onClick={() => onShowApprovalModal('approve')}
+                onClick={() => onShowApprovalModal('approve-internal')}
                 disabled={saving}
                 className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 text-sm font-medium"
               >
-                Freigeben
+                DSB-Freigabe → Mandant
               </button>
             </>
           )}
 
-          {draftVersion?.status === 'approved' && (
+          {status === 'review_client' && (
+            <>
+              <button
+                onClick={() => onShowApprovalModal('reject')}
+                disabled={saving}
+                className="px-4 py-2 bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:opacity-50 text-sm font-medium"
+              >
+                Ablehnen
+              </button>
+              <button
+                onClick={() => onShowApprovalModal('approve-client')}
+                disabled={saving}
+                className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 text-sm font-medium"
+              >
+                Mandant-Freigabe
+              </button>
+            </>
+          )}
+
+          {status === 'approved' && (
             <button
               onClick={onPublishVersion}
               disabled={saving}
@@ -107,9 +142,11 @@ export default function WorkflowStatusBar({
             </button>
           )}
 
-          {draftVersion?.status === 'rejected' && (
+          {status === 'rejected' && (
             <div className="flex items-center gap-2">
-              <span className="text-sm text-red-600">Abgelehnt: {draftVersion.rejection_reason}</span>
+              <span className="text-sm text-red-600">
+                Abgelehnt: {draftVersion?.rejection_reason}
+              </span>
               <button
                 onClick={onCreateNewDraft}
                 disabled={saving}

admin-compliance/app/sdk/workflow/_hooks/useWorkflowActions.ts

@@ -2,6 +2,7 @@
 
 import { useState } from 'react'
 import { Document, Version, ApprovalHistoryItem } from '../_types'
+import type { ApprovalModalMode } from '../_components/ApprovalModal'
 
 interface UseWorkflowActionsParams {
   selectedDocument: Document | null
@@ -27,7 +28,7 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
 
   const [saving, setSaving] = useState(false)
   const [approvalComment, setApprovalComment] = useState('')
-  const [showApprovalModal, setShowApprovalModal] = useState<'approve' | 'reject' | null>(null)
+  const [showApprovalModal, setShowApprovalModal] = useState<ApprovalModalMode | null>(null)
   const [approvalHistory, setApprovalHistory] = useState<ApprovalHistoryItem[]>([])
   const [showNewDocModal, setShowNewDocModal] = useState(false)
   const [newDocForm, setNewDocForm] = useState({ type: 'privacy_policy', name: '', description: '' })
@@ -123,10 +124,15 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
   }
 
   const approveVersion = async () => {
+    // Backward-compat alias — leitet auf approve-internal (DSB → Mandant)
+    return approveInternal()
+  }
+
+  const approveInternal = async () => {
     if (!draftVersion) return
     setSaving(true)
     try {
-      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve`, {
+      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve-internal`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ comment: approvalComment }),
@@ -138,10 +144,35 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
         await loadVersions(selectedDocument!.id)
       } else {
         const err = await res.json()
-        setError(err.error || 'Fehler bei der Freigabe')
+        setError(err.error || 'Fehler bei der DSB-Freigabe')
       }
     } catch {
-      setError('Fehler bei der Freigabe')
+      setError('Fehler bei der DSB-Freigabe')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  const approveClient = async () => {
+    if (!draftVersion) return
+    setSaving(true)
+    try {
+      const res = await fetch(`/api/admin/consent/versions/${draftVersion.id}/approve-client`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ comment: approvalComment }),
+      })
+
+      if (res.ok) {
+        setShowApprovalModal(null)
+        setApprovalComment('')
+        await loadVersions(selectedDocument!.id)
+      } else {
+        const err = await res.json()
+        setError(err.error || 'Fehler bei der Mandanten-Freigabe')
+      }
+    } catch {
+      setError('Fehler bei der Mandanten-Freigabe')
     } finally {
       setSaving(false)
     }
@@ -242,7 +273,8 @@ export function useWorkflowActions(params: UseWorkflowActionsParams) {
     newDocForm, setNewDocForm,
     creatingDoc,
     createNewDraft, saveDraft, submitForReview,
-    approveVersion, rejectVersion, publishVersion,
+    approveVersion, approveInternal, approveClient,
+    rejectVersion, publishVersion,
     createDocument, loadApprovalHistory,
   }
 }

admin-compliance/app/sdk/workflow/_types.ts

@@ -16,7 +16,15 @@ export interface Version {
   title: string
   content: string
   summary?: string
-  status: 'draft' | 'review' | 'approved' | 'published' | 'archived' | 'rejected'
+  status:
+    | 'draft'
+    | 'review' // backward-compat (alte Daten, vor 5-Stage Migration 148)
+    | 'review_internal'
+    | 'review_client'
+    | 'approved'
+    | 'published'
+    | 'archived'
+    | 'rejected'
   created_at: string
   updated_at?: string
   created_by?: string
@@ -35,6 +43,8 @@ export interface ApprovalHistoryItem {
 export const STATUS_LABELS: Record<string, { label: string; color: string }> = {
   draft: { label: 'Entwurf', color: 'bg-yellow-100 text-yellow-700' },
   review: { label: 'In Pruefung', color: 'bg-blue-100 text-blue-700' },
+  review_internal: { label: 'DSB-Pruefung', color: 'bg-blue-100 text-blue-700' },
+  review_client: { label: 'Mandant-Pruefung', color: 'bg-indigo-100 text-indigo-700' },
   approved: { label: 'Freigegeben', color: 'bg-green-100 text-green-700' },
   published: { label: 'Veroeffentlicht', color: 'bg-emerald-100 text-emerald-700' },
   archived: { label: 'Archiviert', color: 'bg-slate-100 text-slate-700' },

admin-compliance/app/sdk/workflow/page.tsx

@@ -59,9 +59,18 @@ export default function WorkflowPage() {
       const res = await fetch('/api/admin/consent/documents')
       if (res.ok) {
         const data = await res.json()
-        setDocuments(data.documents || [])
-        if (data.documents?.length > 0 && !selectedDocument) {
-          setSelectedDocument(data.documents[0])
+        const list: Document[] = data.documents || []
+        setDocuments(list)
+        // Auto-Select: erst ?doc=<uuid> URL-Param, sonst erstes Element
+        const params = typeof window !== 'undefined'
+          ? new URLSearchParams(window.location.search)
+          : null
+        const wantedId = params?.get('doc')
+        const wanted = wantedId ? list.find((d) => d.id === wantedId) : null
+        if (wanted) {
+          setSelectedDocument(wanted)
+        } else if (list.length > 0 && !selectedDocument) {
+          setSelectedDocument(list[0])
         }
       }
     } catch {
@@ -83,7 +92,11 @@ export default function WorkflowPage() {
         setCurrentVersion(published || null)
 
         const draft = versionList.find((v: Version) =>
-          v.status === 'draft' || v.status === 'review' || v.status === 'approved'
+          v.status === 'draft' ||
+          v.status === 'review' || // backward-compat: alte Daten
+          v.status === 'review_internal' ||
+          v.status === 'review_client' ||
+          v.status === 'approved'
         )
         if (draft) {
           setDraftVersion(draft)
@@ -247,7 +260,13 @@ export default function WorkflowPage() {
             actions.setShowApprovalModal(null)
             actions.setApprovalComment('')
           }}
-          onConfirm={actions.showApprovalModal === 'approve' ? actions.approveVersion : actions.rejectVersion}
+          onConfirm={
+            actions.showApprovalModal === 'approve-internal'
+              ? actions.approveInternal
+              : actions.showApprovalModal === 'approve-client'
+                ? actions.approveClient
+                : actions.rejectVersion
+          }
           saving={actions.saving}
         />
       )}

admin-compliance/components/catalog-manager/CatalogTable.tsx

@@ -195,12 +195,18 @@ export default function CatalogTable({
                   )}
                   <td className="px-4 py-2.5">
                     {entry.source === 'system' ? (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300">
-                        System
+                      <span
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300 cursor-help"
+                        title="System-Katalog — Quellen aus EU-Recht, BAuA, NIST u.a. Lizenzregel je Eintrag (siehe /sdk/licenses)."
+                      >
+                        System · R1/R2/R3
                       </span>
                     ) : (
-                      <span className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300">
-                        Benutzerdefiniert
+                      <span
+                        className="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 dark:bg-blue-900/40 text-blue-700 dark:text-blue-300 cursor-help"
+                        title="Benutzerdefinierter Eintrag — BreakPilot/Anwender-Eigenwerk. Lizenzregel R3 (Identifier-Verweis), keine externe Attribution noetig."
+                      >
+                        Benutzerdefiniert · R3
                       </span>
                     )}
                   </td>

admin-compliance/components/sdk/LicenseModuleBanner.tsx

@@ -0,0 +1,62 @@
+'use client'
+
+// Reusable licence-source banner placed at the top of an SDK module page.
+// One-line context that tells the user (and any auditor) which sources
+// the module draws on and which BreakPilot licence rule applies.
+//
+// Usage:
+//   <LicenseModuleBanner
+//     rule={1}
+//     sourceLabel="DSGVO Art. 30 (EU 2016/679)"
+//   />
+//
+// For modules that are pure BreakPilot eigenwerk:
+//   <LicenseModuleBanner rule={3} sourceLabel="BreakPilot-Eigenwerk" />
+
+type Props = {
+  rule: 1 | 2 | 3
+  sourceLabel: string
+  /** Optional extended note shown after sourceLabel */
+  detail?: string
+}
+
+const RULE_META: Record<number, { bg: string; text: string; pill: string; descr: string }> = {
+  1: {
+    bg: 'bg-emerald-50 border-emerald-200',
+    text: 'text-emerald-800',
+    pill: 'bg-emerald-600 text-white',
+    descr: 'Hoheitsrecht/Public Domain — woertlich uebernehmbar',
+  },
+  2: {
+    bg: 'bg-amber-50 border-amber-200',
+    text: 'text-amber-800',
+    pill: 'bg-amber-600 text-white',
+    descr: 'Woertlich mit Attribution-Pflicht',
+  },
+  3: {
+    bg: 'bg-slate-50 border-slate-200',
+    text: 'text-slate-700',
+    pill: 'bg-slate-600 text-white',
+    descr: 'Identifier-Verweis / BreakPilot-Eigenwerk',
+  },
+}
+
+export function LicenseModuleBanner({ rule, sourceLabel, detail }: Props) {
+  const m = RULE_META[rule]
+  return (
+    <div className={`px-3 py-2 ${m.bg} border rounded-lg text-xs ${m.text} flex items-start gap-2`}>
+      <span className={`inline-flex items-center justify-center w-6 h-6 rounded-full text-[10px] font-bold ${m.pill} flex-shrink-0`}>
+        R{rule}
+      </span>
+      <div className="flex-1">
+        <span className="font-semibold">Quellen &amp; Lizenz:</span>{' '}
+        <span>{sourceLabel}</span>
+        <span className="text-slate-500"> — {m.descr}.</span>
+        {detail && <span className="block mt-0.5 text-[11px] opacity-80">{detail}</span>}
+        <a href="/sdk/licenses" className="underline ml-1">Quellenverzeichnis</a>
+      </div>
+    </div>
+  )
+}
+
+export default LicenseModuleBanner

admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx

@@ -224,6 +224,19 @@ export function SDKSidebar({ collapsed = false, onCollapsedChange }: SDKSidebarP
             <span>Exportieren</span>
           </button>
         )}
+
+        {!collapsed && (
+          <a
+            href="/sdk/licenses"
+            className="mt-2 w-full flex items-center justify-center gap-2 px-4 py-2 text-xs text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
+            title="Quellen und Lizenzen aller verwendeten Compliance-Controls"
+          >
+            <svg className="w-3.5 h-3.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+            </svg>
+            <span>Quellen &amp; Lizenzen</span>
+          </a>
+        )}
       </div>
     </aside>
   )

admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx

@@ -73,6 +73,7 @@ export function SidebarModuleList({ collapsed, projectId, pendingCRCount }: Side
         <AdditionalModuleItem href="/sdk/ai-registration" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" /></svg>} label="EU Registrierung" isActive={pathname?.startsWith('/sdk/ai-registration') ?? false} collapsed={collapsed} projectId={projectId} />
         <AdditionalModuleItem href="/sdk/compliance-optimizer" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 7h8m0 0v8m0-8l-8 8-4-4-6 6" /></svg>} label="Compliance Optimizer" isActive={pathname?.startsWith('/sdk/compliance-optimizer') ?? false} collapsed={collapsed} projectId={projectId} />
         <AdditionalModuleItem href="/sdk/agent" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" /></svg>} label="Compliance Agent" isActive={pathname?.startsWith('/sdk/agent') ?? false} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/benchmark" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" /></svg>} label="Branchen-Benchmark" isActive={pathname?.startsWith('/sdk/benchmark') ?? false} collapsed={collapsed} projectId={projectId} />
       </div>
 
       {/* CRA Compliance */}

admin-compliance/components/sdk/SourceBadge.tsx

@@ -0,0 +1,138 @@
+'use client'
+
+import { useEffect, useState } from 'react'
+
+// Stufe 3 of the Attribution Renderer (Task #23): an inline source
+// badge that any rendered control/hazard/measure can attach to itself.
+//
+// Visually a small license-rule pill (R1/R2/R3); on hover/click it
+// reveals the underlying regulation, license type, and — for Rule 2 —
+// the mandatory attribution string.
+//
+// Usage:
+//   <SourceBadge controlUuid={hazard.id} />
+//
+// The component lazily fetches /licenses/source-info/{uuid} on first
+// expand so the surrounding list view stays cheap.
+
+type SourceInfo = {
+  control_uuid: string
+  license_rule: number | null
+  license_label_de: string | null
+  attribution_required: boolean
+  render_full_text: boolean
+  regulation_id: string | null
+  regulation_name_de: string | null
+  license_type: string | null
+  attribution: string | null
+  source_url: string | null
+}
+
+const RULE_BADGE: Record<number, string> = {
+  1: 'bg-emerald-100 text-emerald-800 border-emerald-300',
+  2: 'bg-amber-100 text-amber-800 border-amber-300',
+  3: 'bg-slate-100 text-slate-700 border-slate-300',
+}
+
+const RULE_TITLE: Record<number, string> = {
+  1: 'R1 — wörtlich übernehmbar',
+  2: 'R2 — wörtlich mit Attribution',
+  3: 'R3 — nur Identifier zitieren',
+}
+
+interface SourceBadgeProps {
+  controlUuid: string
+  /** Optional: skip the fetch and render from already-known data. */
+  prefetched?: SourceInfo
+  /** Compact mode for tight UI rows (smaller pill). */
+  compact?: boolean
+}
+
+export function SourceBadge({ controlUuid, prefetched, compact }: SourceBadgeProps) {
+  const [data, setData] = useState<SourceInfo | null>(prefetched ?? null)
+  const [open, setOpen] = useState(false)
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => {
+    if (!open || data) return
+    setLoading(true)
+    fetch(`/api/sdk/v1/compliance/licenses/source-info/${controlUuid}`)
+      .then((r) => (r.ok ? r.json() : Promise.reject(`HTTP ${r.status}`)))
+      .then(setData)
+      .catch((e) => setError(String(e)))
+      .finally(() => setLoading(false))
+  }, [open, data, controlUuid])
+
+  const rule = data?.license_rule ?? prefetched?.license_rule ?? null
+  const badgeClass = rule ? RULE_BADGE[rule] ?? RULE_BADGE[3] : 'bg-slate-100 text-slate-500 border-slate-200'
+  const sizeClass = compact ? 'text-[10px] px-1.5 py-0.5' : 'text-xs px-2 py-0.5'
+
+  return (
+    <span className="relative inline-block">
+      <button
+        type="button"
+        onClick={() => setOpen((v) => !v)}
+        className={`inline-flex items-center gap-1 rounded border font-medium ${sizeClass} ${badgeClass} hover:opacity-80 transition`}
+        title={rule ? RULE_TITLE[rule] : 'Lizenz unbekannt'}
+        aria-expanded={open}
+      >
+        <svg width="10" height="10" viewBox="0 0 16 16" fill="currentColor" aria-hidden>
+          <path d="M8 0a8 8 0 1 0 0 16A8 8 0 0 0 8 0Zm0 4.5a1 1 0 1 1 0 2 1 1 0 0 1 0-2ZM7 8h2v4.5H7V8Z" />
+        </svg>
+        {rule ? `R${rule}` : '?'}
+      </button>
+
+      {open && (
+        <div className="absolute left-0 mt-1 z-40 w-80 rounded-md border border-slate-200 bg-white shadow-lg p-3 text-xs">
+          {loading && <p className="text-slate-500">Lade Quellen-Info…</p>}
+          {error && <p className="text-red-600">Fehler: {error}</p>}
+          {data && (
+            <div className="space-y-2">
+              <div className="font-semibold text-slate-800">
+                {data.license_label_de ?? 'Lizenz unbekannt'}
+              </div>
+              {data.regulation_name_de && (
+                <div>
+                  <span className="text-slate-500">Quelle:</span>{' '}
+                  <span className="text-slate-800">{data.regulation_name_de}</span>
+                </div>
+              )}
+              {data.license_type && (
+                <div>
+                  <span className="text-slate-500">Lizenztyp:</span>{' '}
+                  <span className="text-slate-700">{data.license_type}</span>
+                </div>
+              )}
+              {data.attribution && (
+                <div className="rounded bg-amber-50 border border-amber-200 px-2 py-1.5">
+                  <div className="text-[10px] font-semibold text-amber-800 uppercase tracking-wide">
+                    Attribution-Pflicht
+                  </div>
+                  <div className="text-amber-900">{data.attribution}</div>
+                </div>
+              )}
+              {!data.render_full_text && (
+                <div className="text-[10px] text-slate-500 italic">
+                  Volltext wird im Output nicht gerendert — nur Identifier-Verweis.
+                </div>
+              )}
+              {data.source_url && (
+                <a
+                  href={data.source_url}
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="inline-block text-[10px] text-blue-600 hover:underline mt-1"
+                >
+                  Originalquelle öffnen ↗
+                </a>
+              )}
+            </div>
+          )}
+        </div>
+      )}
+    </span>
+  )
+}
+
+export default SourceBadge

admin-compliance/e2e/specs/founding-wizard.spec.ts

@@ -0,0 +1,355 @@
+/**
+ * E2E-Test fuer den Founding-Wizard
+ *
+ * Prueft den vollstaendigen 8-Step-Flow:
+ *  - Application-Errors / Console-Errors auf jeder Seite
+ *  - StepBasics: Prefill-Button + Registergericht/HRB-Felder
+ *  - StepGesellschafter: Rollen-Dropdown + IP-Bereiche fuer 2 Gruender
+ *  - Per-Person Generation: 2 IP-Assignment-Dokumente
+ *  - localStorage-Persistenz
+ *
+ * Backend wird per route.fulfill() gemockt — Test ist hermetisch.
+ */
+
+import { test, expect, type Page, type ConsoleMessage } from '@playwright/test'
+
+const BASE = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:3002'
+const WIZARD_PATH = '/sdk/founding-wizard'
+
+/** Filtert Browser-Console auf echte App-Errors (ignoriert Next.js / Hydration / 3rd-party Warnings). */
+function isRealAppError(msg: ConsoleMessage): boolean {
+  if (msg.type() !== 'error') return false
+  const text = msg.text()
+  // Bekanntes Rauschen ausschliessen
+  const ignored = [
+    'Failed to load resource',           // 404 fuer Icons etc.
+    'Download the React DevTools',       // React-Hinweis
+    'net::ERR_',                          // Netzwerk (gemockt → erwartete Misses)
+    'Hydration failed because',           // Next 15 Pseudo-Errors bei dev
+    '[founding-wizard] prefill failed',   // Intentional UX-Logging im Prefill-Fehlerpfad
+  ]
+  return !ignored.some(p => text.includes(p))
+}
+
+const IGNORED_PAGE_ERRORS = [
+  // Hydration mismatches durch dynamische Zeitstempel ("Gerade eben" vs "vor 1 Min")
+  // im SDK-Header — pure dev-Mode-Symptom, kein App-Bug.
+  'Hydration failed because the server rendered text didn',
+  'There was an error while hydrating',
+  // Next.js dev-mode signals fuer Hydration-Issues
+  'Text content does not match server-rendered HTML',
+]
+
+function isIgnoredPageError(err: Error): boolean {
+  return IGNORED_PAGE_ERRORS.some(p => err.message.includes(p))
+}
+
+/** Setzt Console-Error- und PageError-Listener. Wirft am Ende, wenn welche aufgetreten sind. */
+function installErrorTraps(page: Page): { assertNoErrors: () => void } {
+  const consoleErrors: string[] = []
+  const pageErrors: string[] = []
+
+  page.on('console', msg => {
+    if (isRealAppError(msg)) consoleErrors.push(msg.text())
+  })
+  page.on('pageerror', err => {
+    if (!isIgnoredPageError(err)) pageErrors.push(`${err.name}: ${err.message}`)
+  })
+
+  return {
+    assertNoErrors() {
+      const all = [...pageErrors.map(e => `[pageerror] ${e}`), ...consoleErrors.map(e => `[console.error] ${e}`)]
+      if (all.length > 0) {
+        throw new Error(`Application-Errors waehrend des Flows:\n${all.join('\n')}`)
+      }
+    },
+  }
+}
+
+/** Mockt die zwei API-Endpoints, die der Wizard aufruft. */
+async function mockBackend(page: Page) {
+  // 1) Company-Profile Prefill
+  await page.route('**/api/sdk/v1/company-profile**', async route => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify({
+        profile: {
+          companyName: 'Breakpilot GmbH',
+          legalForm: 'GmbH',
+          industry: ['Software', 'KI/ML'],
+          businessModel: 'SaaS',
+          offerings: ['SaaS-Plattform', 'Compliance-API'],
+          headquartersStreet: 'Königstraße 1',
+          headquartersZip: '70173',
+          headquartersCity: 'Stuttgart',
+        },
+      }),
+    })
+  })
+
+  // 2) Founding-Wizard Generate (gibt 9 Dokumente zurueck: 7 normale + 2 per-person IP-Assignments)
+  await page.route('**/api/v1/founding-wizard/generate', async route => {
+    const request = route.request()
+    const body = JSON.parse(request.postData() || '{}')
+    const selected: string[] = body.selected_documents || []
+    const gesellschafter: Array<{ name?: string; is_geschaeftsfuehrer?: boolean }> = body.gesellschafter || []
+
+    const PER_PERSON = ['ip_assignment_agreement', 'managing_director_employment_contract']
+    const docs: unknown[] = []
+    const tinyDocx = 'UEsDBBQAAAAIAA==' // gueltige base64-Stub (Playwright braucht keinen echten DOCX)
+
+    for (const docType of selected) {
+      if (PER_PERSON.includes(docType)) {
+        const persons = docType === 'managing_director_employment_contract'
+          ? gesellschafter.filter(g => g.is_geschaeftsfuehrer)
+          : gesellschafter
+        for (const p of persons) {
+          docs.push({
+            document_type: docType,
+            title: `${docType} — ${p.name}`,
+            filename: `${docType}_${(p.name || 'X').replace(/\s/g, '_')}.docx`,
+            download_url: `data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;base64,${tinyDocx}`,
+            size_bytes: 12345,
+            generated_at: '2026-05-21T12:00:00Z',
+          })
+        }
+      } else {
+        docs.push({
+          document_type: docType,
+          title: docType,
+          filename: `${docType}.docx`,
+          download_url: `data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;base64,${tinyDocx}`,
+          size_bytes: 12345,
+          generated_at: '2026-05-21T12:00:00Z',
+        })
+      }
+    }
+
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify({ documents: docs, warnings: [] }),
+    })
+  })
+}
+
+/** Clears wizard-state and pre-accepts cookies so the CookieBannerOverlay
+ *  does not intercept clicks during the test. */
+async function resetWizardState(page: Page) {
+  await page.addInitScript(() => {
+    try {
+      window.localStorage.removeItem('breakpilot:founding-wizard:state:v1')
+      // CookieBannerOverlay liest 'bp-sdk-cookie-consent' und blendet sich aus,
+      // sobald ein Eintrag existiert. Wir setzen Minimal-Consent.
+      window.localStorage.setItem('bp-sdk-cookie-consent', JSON.stringify({
+        necessary: true, statistics: false, marketing: false, functional: false,
+        ewrOnly: false, blockedVendors: [], timestamp: new Date().toISOString(),
+      }))
+    } catch {}
+  })
+}
+
+test.describe('Founding-Wizard E2E', () => {
+  test.beforeEach(async ({ page }) => {
+    await resetWizardState(page)
+    await mockBackend(page)
+  })
+
+  test('vollstaendiger 8-Step-Flow ohne Application-Errors', async ({ page }) => {
+    const errors = installErrorTraps(page)
+
+    await page.goto(`${BASE}${WIZARD_PATH}`)
+    await expect(page.getByTestId('founding-wizard')).toBeVisible()
+    await expect(page.getByTestId('step-content-1')).toBeVisible()
+
+    // --- Step 1: Basics + Prefill ---
+    await page.getByRole('button', { name: /Aus Unternehmensprofil vorbef/i }).click()
+    await expect(page.getByTestId('company-name')).toHaveValue('Breakpilot GmbH', { timeout: 5000 })
+    await expect(page.getByTestId('company-seat')).toHaveValue('Stuttgart')
+
+    // Pflichtfeld: company_purpose_description (mind. 10 Zeichen)
+    await page.getByTestId('company-purpose').fill(
+      'die Entwicklung, Bereitstellung und der Betrieb von KI-gestuetzten Compliance-Werkzeugen sowie damit verbundener Beratungsleistungen.'
+    )
+
+    // Neue Felder: Registergericht + HRB
+    await page.getByTestId('register-court').fill('Amtsgericht Stuttgart')
+    await page.getByTestId('hrb-number').fill('')  // noch nicht eingetragen
+
+    await page.getByTestId('next-step').click()
+
+    // --- Step 2: Gesellschafter ---
+    await expect(page.getByTestId('step-content-2')).toBeVisible()
+
+    // Benjamin (CEO, IP: Compliance + RAG)
+    await page.getByTestId('gs-name').fill('Benjamin Bönisch')
+    await page.getByTestId('gs-birthdate').fill('1985-01-15')
+    await page.getByTestId('gs-address').fill('Teststraße 1, 70173 Stuttgart')
+    await page.getByTestId('gs-email').fill('benjamin@breakpilot.ai')
+    await page.getByTestId('gs-nennbetrag').fill('12500')
+    await page.getByTestId('gs-role').selectOption('CEO')
+    await page.getByTestId('gs-ip-areas').fill(
+      'Compliance-Engine (Quellcode + Architektur)\nRAG-Pipeline\nProdukt-Konzepte'
+    )
+    await page.getByTestId('add-gesellschafter').click()
+    await expect(page.getByTestId('gs-row-1')).toBeVisible()
+
+    // Sharang (CTO, IP: Security + Infrastruktur)
+    await page.getByTestId('gs-name').fill('Sharang Parnerkar')
+    await page.getByTestId('gs-birthdate').fill('1990-06-20')
+    await page.getByTestId('gs-address').fill('Teststraße 2, 70173 Stuttgart')
+    await page.getByTestId('gs-email').fill('sharang@breakpilot.ai')
+    await page.getByTestId('gs-nennbetrag').fill('12500')
+    await page.getByTestId('gs-role').selectOption('CTO')
+    await page.getByTestId('gs-ip-areas').fill('Security-Modul\nInfrastructure-as-Code')
+    await page.getByTestId('add-gesellschafter').click()
+    await expect(page.getByTestId('gs-row-2')).toBeVisible()
+
+    // Summe Nennbetraege muss Stammkapital entsprechen (25.000)
+    await expect(page.getByTestId('gs-total')).toContainText('25.000')
+
+    await page.getByTestId('next-step').click()
+
+    // --- Step 3: GF-Assignment (Defaults sind ok, beide bereits GF) ---
+    await expect(page.getByTestId('step-content-3')).toBeVisible()
+    await expect(page.getByTestId('gf-assignment-table')).toBeVisible()
+    await page.getByTestId('next-step').click()
+
+    // --- Step 4: Kapital (Defaults: 25000) ---
+    await expect(page.getByTestId('step-content-4')).toBeVisible()
+    await expect(page.getByTestId('stammkapital')).toHaveValue('25000')
+    await page.getByTestId('next-step').click()
+
+    // --- Step 5: Notar ---
+    await expect(page.getByTestId('step-content-5')).toBeVisible()
+    await page.getByTestId('notary-name').fill('Dr. Max Mustermann')
+    await page.getByTestId('notary-place').fill('Stuttgart')
+    await page.getByTestId('notary-address').fill('Königstraße 99, 70173 Stuttgart')
+    await page.getByTestId('notarial-date').fill('2026-06-15')
+    await page.getByTestId('next-step').click()
+
+    // --- Step 6: SHA-Optionen (Defaults sind ok) ---
+    await expect(page.getByTestId('step-content-6')).toBeVisible()
+    await expect(page.getByTestId('has-sha')).toBeChecked()
+    await page.getByTestId('next-step').click()
+
+    // --- Step 7: GF-Vertraege (fuer jeden GF einen) ---
+    await expect(page.getByTestId('step-content-7')).toBeVisible()
+    // Beide GF-Contract-Karten muessen sichtbar sein
+    const contractCards = page.locator('[data-testid^="contract-"]')
+    await expect(contractCards).toHaveCount(2)
+    // Salary in beiden Cards anfassen → registriert Contracts (canProceed-Bedingung).
+    // Wir setzen einen anderen Wert als Default (84000) damit React onChange feuert.
+    const salaryInputs = page.locator('[data-testid^="salary-"]')
+    const salaryCount = await salaryInputs.count()
+    for (let i = 0; i < salaryCount; i++) {
+      await salaryInputs.nth(i).fill('90000')
+    }
+    // Warten bis "Weiter" enabled ist
+    await expect(page.getByTestId('next-step')).toBeEnabled()
+    await page.getByTestId('next-step').click()
+
+    // --- Step 8: Generate ---
+    await expect(page.getByTestId('step-content-8')).toBeVisible()
+    await expect(page.getByTestId('generate-summary')).toContainText('Breakpilot GmbH')
+    await expect(page.getByTestId('generate-summary')).toContainText('2', { useInnerText: true })
+
+    // Notartermin-Bundle auswaehlen
+    await page.getByTestId('select-notary-bundle').click()
+
+    // Generieren (Backend gemockt)
+    await page.getByTestId('generate-docs').click()
+
+    // Generated-Docs-Block muss erscheinen
+    await expect(page.getByTestId('generated-docs')).toBeVisible({ timeout: 10000 })
+
+    // Per-Person Verifikation: zwei IP-Assignment-Downloads erwartet
+    const ipDownloads = page.locator('[data-testid="download-ip_assignment_agreement"]')
+    await expect(ipDownloads).toHaveCount(2)
+
+    // Per-Person Verifikation: zwei GF-Vertraege erwartet
+    const gfDownloads = page.locator('[data-testid="download-managing_director_employment_contract"]')
+    await expect(gfDownloads).toHaveCount(2)
+
+    // Kein generate-error sichtbar
+    await expect(page.getByTestId('generate-error')).toBeHidden()
+
+    // Final: keine Errors auf der Konsole
+    errors.assertNoErrors()
+  })
+
+  test('Prefill-Button setzt Fehler bei Backend-Fehler ohne Application-Error', async ({ page }) => {
+    // Spezial-Mock: company-profile gibt 500 zurueck
+    await page.route('**/api/sdk/v1/company-profile**', async route => {
+      await route.fulfill({ status: 500, body: 'boom' })
+    })
+
+    const errors = installErrorTraps(page)
+    await page.goto(`${BASE}${WIZARD_PATH}`)
+
+    await page.getByRole('button', { name: /Aus Unternehmensprofil vorbef/i }).click()
+    // UI muss Fehlermeldung anzeigen, NICHT crashen
+    await expect(page.getByText('Konnte Unternehmensprofil nicht laden')).toBeVisible()
+
+    errors.assertNoErrors()
+  })
+
+  test('Step-Navigation: Zurueck und Reset funktionieren ohne Errors', async ({ page }) => {
+    const errors = installErrorTraps(page)
+    await page.goto(`${BASE}${WIZARD_PATH}`)
+
+    // Minimum Step 1 fuellen
+    await page.getByTestId('company-name').fill('Breakpilot GmbH')
+    await page.getByTestId('company-seat').fill('Stuttgart')
+    await page.getByTestId('company-purpose').fill('die Entwicklung von Compliance-Software fuer Unternehmen.')
+
+    await page.getByTestId('next-step').click()
+    await expect(page.getByTestId('step-content-2')).toBeVisible()
+
+    // Zurueck
+    await page.getByTestId('prev-step').click()
+    await expect(page.getByTestId('step-content-1')).toBeVisible()
+
+    // Eingaben muessen erhalten geblieben sein (localStorage-persistence)
+    await expect(page.getByTestId('company-name')).toHaveValue('Breakpilot GmbH')
+
+    // Reset (mit Dialog-Bestaetigung)
+    page.once('dialog', dialog => dialog.accept())
+    await page.getByTestId('reset-wizard').click()
+    await expect(page.getByTestId('company-name')).toHaveValue('')
+
+    errors.assertNoErrors()
+  })
+
+  test('IP-Areas + Rollen-Dropdown in Step 2', async ({ page }) => {
+    const errors = installErrorTraps(page)
+    await page.goto(`${BASE}${WIZARD_PATH}`)
+
+    // Step 1 zuegig fuellen
+    await page.getByTestId('company-name').fill('Breakpilot GmbH')
+    await page.getByTestId('company-seat').fill('Stuttgart')
+    await page.getByTestId('company-purpose').fill('die Entwicklung von Compliance-Software fuer Unternehmen.')
+    await page.getByTestId('next-step').click()
+
+    // Rollen-Dropdown muss ein <select> sein, nicht <input>
+    const role = page.getByTestId('gs-role')
+    await expect(role).toHaveJSProperty('tagName', 'SELECT')
+
+    // CEO-Option waehlbar
+    await page.getByTestId('gs-name').fill('Benjamin Bönisch')
+    await page.getByTestId('gs-address').fill('Test 1')
+    await page.getByTestId('gs-nennbetrag').fill('25000')
+    await role.selectOption('CEO')
+    await page.getByTestId('gs-ip-areas').fill('Compliance-Engine\nRAG-Pipeline')
+    await page.getByTestId('add-gesellschafter').click()
+
+    // Tabelle muss IP-Bereiche anzeigen
+    const row = page.getByTestId('gs-row-1')
+    await expect(row).toContainText('Benjamin Bönisch')
+    await expect(row).toContainText('CEO')
+    await expect(row).toContainText('Compliance-Engine')
+
+    errors.assertNoErrors()
+  })
+})

admin-compliance/lib/sdk/founding/types.ts

@@ -25,6 +25,8 @@ export interface Gesellschafter {
   internal_role?: string
   /** Falls Gründer akademischen Hintergrund hat (Professur etc.) */
   has_academic_background?: boolean
+  /** IP-Bereiche die der Gründer für die GmbH einbringt (z.B. ["Compliance-Engine", "RAG-Pipeline"]) */
+  ip_areas?: string[]
 }
 
 export interface NotarData {
@@ -46,6 +48,10 @@ export interface CompanyBasics {
   industry: string
   business_year: string  // z.B. "Kalenderjahr"
   has_research_focus: boolean
+  /** Registergericht (z.B. "Amtsgericht Stuttgart"). Pflicht für HRB-Anmeldung. */
+  register_court?: string
+  /** HRB-Nummer (z.B. "HRB 12345"). Leer falls noch nicht eingetragen. */
+  hrb_number?: string
 }
 
 export interface CapitalConfig {
@@ -145,6 +151,8 @@ export function defaultFoundingWizardState(): FoundingWizardState {
       industry: '',
       business_year: 'Kalenderjahr',
       has_research_focus: false,
+      register_court: '',
+      hrb_number: '',
     },
     gesellschafter: [],
     capital: {

admin-compliance/lib/sdk/types/sdk-steps.ts

@@ -494,4 +494,32 @@ export const SDK_STEPS: SDKStep[] = [
     prerequisiteSteps: [],
     isOptional: true,
   },
+  {
+    id: 'template-rule-editor',
+    seq: 5000,
+    phase: 2,
+    package: 'betrieb',
+    order: 13,
+    name: 'Empfehlungs-Regeln',
+    nameShort: 'Regeln',
+    description: 'Editorial-UI fuer profilbasierte Dokument-Empfehlungen (Anwalt/DSB)',
+    url: '/sdk/template-rule-editor',
+    checkpointId: 'CP-RULES',
+    prerequisiteSteps: [],
+    isOptional: true,
+  },
+  {
+    id: 'document-library',
+    seq: 2500,
+    phase: 2,
+    package: 'dokumentation',
+    order: 99,
+    name: 'Document Library',
+    nameShort: 'Library',
+    description: 'Zentrale Uebersicht aller erzeugten Dokumente, gruppiert nach Empfehlung',
+    url: '/sdk/document-library',
+    checkpointId: 'CP-DOCLIB',
+    prerequisiteSteps: [],
+    isOptional: false,
+  },
 ]

ai-compliance-sdk/Dockerfile

@@ -38,6 +38,9 @@ RUN adduser -D -u 1000 appuser
 USER appuser
 
 # Expose port
+ARG BUILD_SHA="unknown"
+ENV BUILD_SHA=${BUILD_SHA}
+
 EXPOSE 8090
 
 # Health check

ai-compliance-sdk/cmd/iace-audit/main.go

@@ -0,0 +1,241 @@
+// Command iace-audit runs static and runtime audits on the IACE pattern
+// engine to find gaps without a ground-truth reference.
+//
+// Subcommands:
+//
+//	reachability  — Method A: which patterns can never fire given the library?
+//	consistency   — Method B: do components cover their TypicalHazardCategories?
+//	vocabulary    — Method C: which limits-form words are unknown to the dict?
+//	echo          — Method D: which limits-form sentences have no hazard echo?
+//	hierarchy     — Method E: which hazards lack design/protection/information?
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/iace/audit"
+)
+
+func main() {
+	if len(os.Args) < 2 {
+		usage()
+		os.Exit(2)
+	}
+	switch os.Args[1] {
+	case "reachability":
+		cmdReachability(os.Args[2:])
+	case "consistency":
+		cmdConsistency(os.Args[2:])
+	case "vocabulary":
+		cmdVocabulary(os.Args[2:])
+	case "echo":
+		cmdEcho(os.Args[2:])
+	case "hierarchy":
+		cmdHierarchy(os.Args[2:])
+	default:
+		usage()
+		os.Exit(2)
+	}
+}
+
+func usage() {
+	fmt.Fprintln(os.Stderr, "Usage: iace-audit <reachability|consistency|vocabulary|echo|hierarchy> [args]")
+}
+
+func cmdReachability(_ []string) {
+	r := audit.RunReachability()
+	printSummary(fmt.Sprintf("Method A — Pattern Reachability"), map[string]int{
+		"total":            r.TotalPatterns,
+		"reachable":        r.Reachable,
+		"weakly_reachable": r.WeaklyReachable,
+		"unreachable":      r.Unreachable,
+		"universe_tags":    len(r.UniverseTags),
+	})
+	if len(r.UnreachablePatterns) > 0 {
+		fmt.Println("\n## Unreachable patterns (top 30 by priority):\n")
+		printPatternRows(r.UnreachablePatterns, 30)
+	}
+	if len(r.WeakPatterns) > 0 {
+		fmt.Println("\n## Weakly reachable (top 20 by priority):\n")
+		printPatternRows(r.WeakPatterns, 20)
+	}
+	writeJSON("audit-reports/reachability.json", r)
+}
+
+func cmdConsistency(_ []string) {
+	r := audit.RunConsistency()
+	printSummary("Method B — Component Self-Consistency", map[string]int{
+		"total_components":   r.TotalComponents,
+		"consistent":         r.Consistent,
+		"incomplete":         r.Incomplete,
+	})
+	if len(r.IncompleteComponents) > 0 {
+		fmt.Println("\n## Components missing tags for declared hazard categories:\n")
+		for _, c := range r.IncompleteComponents {
+			fmt.Printf("- %s (%s)\n", c.ComponentID, c.NameDE)
+			for _, miss := range c.MissingForCategories {
+				fmt.Printf("    %s: no pattern fires (suggest tags: %s)\n", miss.Category, joinFirst(miss.SuggestedTags, 5))
+			}
+		}
+	}
+	writeJSON("audit-reports/consistency.json", r)
+}
+
+func cmdVocabulary(args []string) {
+	if len(args) < 1 {
+		fmt.Fprintln(os.Stderr, "vocabulary: missing path to limits-form JSON")
+		os.Exit(2)
+	}
+	data, err := os.ReadFile(args[0])
+	must(err)
+	var form map[string]any
+	must(json.Unmarshal(data, &form))
+	r := audit.RunVocabulary(form)
+	printSummary("Method C — Vocabulary Diff", map[string]int{
+		"unique_tokens":            r.UniqueTokens,
+		"unknown_tokens":           len(r.UnknownTokens),
+		"unknown_with_pattern_hit": len(r.SuggestedDictionaryEntries),
+	})
+	if len(r.SuggestedDictionaryEntries) > 0 {
+		fmt.Println("\n## Suggested dictionary additions (token appears in pattern scenarios but not in dict):\n")
+		for _, s := range r.SuggestedDictionaryEntries {
+			fmt.Printf("- '%s' → seen in %d patterns. Examples: %s\n", s.Token, len(s.PatternIDs), joinFirst(s.PatternIDs, 5))
+		}
+	}
+	writeJSON("audit-reports/vocabulary.json", r)
+}
+
+func cmdEcho(args []string) {
+	if len(args) < 2 {
+		fmt.Fprintln(os.Stderr, "echo: usage: iace-audit echo <limits-form.json> <hazards.json>")
+		os.Exit(2)
+	}
+	limitsData, err := os.ReadFile(args[0])
+	must(err)
+	hazardsData, err := os.ReadFile(args[1])
+	must(err)
+	var form map[string]any
+	must(json.Unmarshal(limitsData, &form))
+	var hwrap struct {
+		Hazards []map[string]any `json:"hazards"`
+	}
+	must(json.Unmarshal(hazardsData, &hwrap))
+	r := audit.RunEcho(form, hwrap.Hazards)
+	printSummary("Method D — Limits-Form Echo", map[string]int{
+		"total_phrases":  r.TotalPhrases,
+		"echoed":         r.Echoed,
+		"orphaned":       r.Orphaned,
+	})
+	if len(r.OrphanedPhrases) > 0 {
+		fmt.Println("\n## Orphaned phrases (no hazard echoes them):\n")
+		for _, o := range r.OrphanedPhrases {
+			fmt.Printf("- [%s] %s\n", o.Field, truncate(o.Phrase, 120))
+		}
+	}
+	writeJSON("audit-reports/echo.json", r)
+}
+
+func cmdHierarchy(args []string) {
+	if len(args) < 2 {
+		fmt.Fprintln(os.Stderr, "hierarchy: usage: iace-audit hierarchy <hazards.json> <mitigations.json>")
+		os.Exit(2)
+	}
+	hData, err := os.ReadFile(args[0])
+	must(err)
+	mData, err := os.ReadFile(args[1])
+	must(err)
+	var hwrap struct {
+		Hazards []map[string]any `json:"hazards"`
+	}
+	must(json.Unmarshal(hData, &hwrap))
+	var mwrap struct {
+		Mitigations []map[string]any `json:"mitigations"`
+	}
+	must(json.Unmarshal(mData, &mwrap))
+	r := audit.RunHierarchy(hwrap.Hazards, mwrap.Mitigations)
+	printSummary("Method E — Hierarchy Completeness", map[string]int{
+		"total_hazards":      r.TotalHazards,
+		"complete":           r.Complete,
+		"missing_design":     r.MissingDesign,
+		"missing_protection": r.MissingProtection,
+		"missing_info":       r.MissingInfo,
+	})
+	if len(r.IncompleteHazards) > 0 {
+		fmt.Println("\n## Hazards with incomplete hierarchy:\n")
+		for _, h := range r.IncompleteHazards {
+			fmt.Printf("- [%s] %s — missing: %s\n", h.Category, truncate(h.Name, 70), joinFirst(h.MissingLevels, 3))
+		}
+	}
+	writeJSON("audit-reports/hierarchy.json", r)
+}
+
+func printSummary(title string, kv map[string]int) {
+	fmt.Println("=", title, "=")
+	for k, v := range kv {
+		fmt.Printf("  %-22s %d\n", k, v)
+	}
+}
+
+func printPatternRows(rows []audit.ReachabilityResult, max int) {
+	if max > len(rows) {
+		max = len(rows)
+	}
+	for i := 0; i < max; i++ {
+		r := rows[i]
+		fmt.Printf("- %s (P%d) %s\n", r.PatternID, r.Priority, truncate(r.Name, 60))
+		if len(r.UnreachableTags) > 0 {
+			fmt.Printf("    missing tags: %s\n", joinFirst(r.UnreachableTags, 8))
+		}
+		for _, s := range r.FixSuggestions {
+			fmt.Printf("    fix: %s\n", s)
+		}
+	}
+}
+
+func writeJSON(path string, v any) {
+	_ = os.MkdirAll("audit-reports", 0o755)
+	f, err := os.Create(path)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "warn: could not write report:", err)
+		return
+	}
+	defer f.Close()
+	enc := json.NewEncoder(f)
+	enc.SetIndent("", "  ")
+	_ = enc.Encode(v)
+	fmt.Println("→ wrote", path)
+}
+
+func must(err error) {
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func truncate(s string, n int) string {
+	if len(s) <= n {
+		return s
+	}
+	return s[:n] + "…"
+}
+
+func joinFirst(list []string, n int) string {
+	if len(list) <= n {
+		return join(list)
+	}
+	return join(list[:n]) + ", …"
+}
+
+func join(list []string) string {
+	out := ""
+	for i, s := range list {
+		if i > 0 {
+			out += ", "
+		}
+		out += s
+	}
+	return out
+}

ai-compliance-sdk/internal/api/handlers/iace_handler_benchmark.go

@@ -105,6 +105,7 @@ func (h *IACEHandler) RunBenchmark(c *gin.Context) {
 	}
 
 	result := iace.CompareBenchmark(gt, hazards, mitigations)
+	result.RiskComparison, result.RiskAgreement = iace.ComputeRiskComparison(result.MatchedPairs)
 	c.JSON(http.StatusOK, result)
 }
 

ai-compliance-sdk/internal/api/handlers/iace_handler_gap_review.go

@@ -0,0 +1,288 @@
+package handlers
+
+// LLM Gap-Review handler — Task #7.
+//
+// After the deterministic Pattern-Engine has generated hazards and
+// mitigations for an IACE project, this endpoint asks a configured LLM
+// (Qwen / Claude / OpenAI) to spot what the engine MISSED. The LLM is
+// fed the Limits-Form, the current hazard list, and a compressed
+// pattern catalogue summary; it returns a list of suggested additional
+// hazards or mitigations.
+//
+// Important guardrails:
+//   - Every suggestion must point to an existing pattern_id or norm
+//     identifier — pure free-form LLM hallucinations are filtered.
+//   - The response is provenance-tagged source="llm_gap_review" so
+//     the frontend renders an Adopt/Reject UX rather than committing.
+//   - Engine output (deterministic patterns) is never overwritten by
+//     LLM output; the gap-review is a SUPPLEMENT, not a replacement.
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
+	"github.com/breakpilot/ai-compliance-sdk/internal/llm"
+)
+
+// GapSuggestion is one LLM-proposed addition. Each suggestion is
+// non-binding until the user adopts it via the frontend.
+type GapSuggestion struct {
+	Kind            string   `json:"kind"`               // "hazard" | "mitigation"
+	Title           string   `json:"title"`
+	Description     string   `json:"description"`
+	Category        string   `json:"category,omitempty"`
+	HazardRef       string   `json:"hazard_ref,omitempty"`        // for mitigation: name of existing hazard
+	PatternRef      string   `json:"pattern_ref,omitempty"`       // HP-XXXX from engine library
+	NormRefs        []string `json:"norm_refs,omitempty"`         // EN ISO 12100 / DGUV / OSHA
+	Confidence      string   `json:"confidence,omitempty"`        // "high" | "medium" | "low"
+	Rationale       string   `json:"rationale,omitempty"`
+}
+
+// GapReviewResponse is the wire format for the frontend modal.
+type GapReviewResponse struct {
+	ProjectID    string          `json:"project_id"`
+	Source       string          `json:"source"`        // "llm_gap_review" | "fallback_static"
+	Model        string          `json:"model,omitempty"`
+	Suggestions  []GapSuggestion `json:"suggestions"`
+	InputSummary struct {
+		HazardCount    int `json:"hazard_count"`
+		MitigationCount int `json:"mitigation_count"`
+		LimitsFormFields int `json:"limits_form_fields"`
+	} `json:"input_summary"`
+}
+
+// LLMGapReview handles POST /projects/:id/llm-gap-review.
+//
+// The endpoint is intentionally idempotent — repeated calls do not mutate
+// project state. The Adopt step (user-driven) is what changes data, via
+// the existing CreateHazard / CreateMitigation handlers.
+func (h *IACEHandler) LLMGapReview(c *gin.Context) {
+	projectID, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid project id"})
+		return
+	}
+
+	ctx := c.Request.Context()
+	project, err := h.store.GetProject(ctx, projectID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "project not found"})
+		return
+	}
+
+	hazards, err := h.store.ListHazards(ctx, projectID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "list hazards: " + err.Error()})
+		return
+	}
+	mitigations, err := h.store.ListMitigationsByProject(ctx, projectID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "list mitigations: " + err.Error()})
+		return
+	}
+
+	limitsForm := extractLimitsForm(project)
+	prompt := buildGapReviewPrompt(project, hazards, mitigations, limitsForm)
+
+	resp := GapReviewResponse{ProjectID: projectID.String()}
+	resp.InputSummary.HazardCount = len(hazards)
+	resp.InputSummary.MitigationCount = len(mitigations)
+	resp.InputSummary.LimitsFormFields = countLimitsFields(limitsForm)
+
+	suggestions, model, err := callLLMForGapReview(ctx, h.llmRegistry, prompt)
+	if err != nil {
+		resp.Source = "fallback_static"
+		resp.Suggestions = staticFallbackSuggestions(hazards)
+		c.JSON(http.StatusOK, resp)
+		return
+	}
+
+	resp.Source = "llm_gap_review"
+	resp.Model = model
+	resp.Suggestions = filterAndProvenance(suggestions)
+	c.JSON(http.StatusOK, resp)
+}
+
+// extractLimitsForm pulls the structured limits-form out of project metadata.
+func extractLimitsForm(p *iace.Project) map[string]any {
+	if len(p.Metadata) == 0 {
+		return nil
+	}
+	var md map[string]any
+	if err := json.Unmarshal(p.Metadata, &md); err != nil {
+		return nil
+	}
+	lf, _ := md["limits_form"].(map[string]any)
+	return lf
+}
+
+func countLimitsFields(lf map[string]any) int {
+	n := 0
+	for _, v := range lf {
+		if s, ok := v.(string); ok && strings.TrimSpace(s) != "" {
+			n++
+		} else if arr, ok := v.([]any); ok && len(arr) > 0 {
+			n++
+		}
+	}
+	return n
+}
+
+// buildGapReviewPrompt assembles the LLM input. Kept compact — the LLM
+// only needs the limits-form context, the current hazard headlines, and
+// a reminder of the pattern-id naming so its suggestions can be linked
+// back to engine output later.
+func buildGapReviewPrompt(p *iace.Project, hz []iace.Hazard, mt []iace.Mitigation, lf map[string]any) string {
+	var sb strings.Builder
+	sb.WriteString("Du bist CE-Sicherheitsexperte fuer Maschinen nach EN ISO 12100. ")
+	sb.WriteString("Analysiere die folgende Risikobeurteilung und identifiziere FEHLENDE ")
+	sb.WriteString("Gefaehrdungen oder Schutzmassnahmen, die ein erfahrener Auditor ergaenzen wuerde.\n\n")
+
+	sb.WriteString(fmt.Sprintf("Maschine: %s (Typ: %s, Hersteller: %s)\n",
+		p.MachineName, p.MachineType, p.Manufacturer))
+	if p.CEMarkingTarget != "" {
+		sb.WriteString(fmt.Sprintf("CE-Ziel: %s\n", p.CEMarkingTarget))
+	}
+	sb.WriteString("\nGrenzen-Form (Limits & Verwendung):\n")
+	for k, v := range lf {
+		sb.WriteString(fmt.Sprintf("- %s: %v\n", k, truncForPrompt(v, 200)))
+	}
+
+	sb.WriteString(fmt.Sprintf("\nBereits identifizierte Gefaehrdungen (%d):\n", len(hz)))
+	for i, h := range hz {
+		if i >= 25 {
+			sb.WriteString(fmt.Sprintf("... und %d weitere\n", len(hz)-25))
+			break
+		}
+		sb.WriteString(fmt.Sprintf("- [%s] %s\n", h.Category, h.Name))
+	}
+
+	sb.WriteString(fmt.Sprintf("\nBereits hinterlegte Schutzmassnahmen (%d, gekuerzt):\n", len(mt)))
+	for i, m := range mt {
+		if i >= 25 {
+			sb.WriteString(fmt.Sprintf("... und %d weitere\n", len(mt)-25))
+			break
+		}
+		sb.WriteString(fmt.Sprintf("- [%s] %s\n", m.ReductionType, m.Name))
+	}
+
+	sb.WriteString("\nAufgabe: Liste max. 8 LUECKEN als JSON-Array. Jede Luecke MUSS einer der folgenden Kategorien entsprechen ")
+	sb.WriteString("und SOLL eine Norm- oder Pattern-Referenz nennen (HP-XXXX, EN ISO 12100, EN 13849, EN 13855, DGUV-Info, OSHA 29 CFR).\n")
+	sb.WriteString("Kategorien: mechanical_hazard, electrical_hazard, thermal_hazard, noise_vibration, ergonomic, ")
+	sb.WriteString("material_environmental, pneumatic_hydraulic, radiation_hazard.\n\n")
+	sb.WriteString(`Antworte NUR mit JSON, keine Erklaerung:
+[
+  {"kind":"hazard","title":"...","description":"...","category":"...","norm_refs":["EN ISO 12100"],"confidence":"high","rationale":"..."},
+  {"kind":"mitigation","title":"...","description":"...","hazard_ref":"Name der bestehenden Gefahr","norm_refs":["DGUV 209-072"],"confidence":"medium","rationale":"..."}
+]`)
+	return sb.String()
+}
+
+func truncForPrompt(v any, max int) string {
+	s := fmt.Sprintf("%v", v)
+	if len(s) <= max {
+		return s
+	}
+	return s[:max] + "…"
+}
+
+// callLLMForGapReview sends the prompt and parses the JSON suggestion list.
+func callLLMForGapReview(ctx context.Context, registry *llm.ProviderRegistry, prompt string) ([]GapSuggestion, string, error) {
+	if registry == nil {
+		return nil, "", fmt.Errorf("no LLM registry configured")
+	}
+	provider, err := registry.GetAvailable(ctx)
+	if err != nil {
+		return nil, "", fmt.Errorf("no LLM provider available: %w", err)
+	}
+	resp, err := provider.Chat(ctx, &llm.ChatRequest{
+		Messages:    []llm.Message{{Role: "user", Content: prompt}},
+		Temperature: 0.25,
+		MaxTokens:   2000,
+	})
+	if err != nil {
+		return nil, "", fmt.Errorf("llm chat: %w", err)
+	}
+
+	body := strings.TrimSpace(resp.Message.Content)
+	// LLMs occasionally wrap JSON in ```json … ``` fences; strip them.
+	body = strings.TrimPrefix(body, "```json")
+	body = strings.TrimPrefix(body, "```")
+	body = strings.TrimSuffix(body, "```")
+	body = strings.TrimSpace(body)
+
+	// Find first '[' so any leading prose is ignored.
+	if i := strings.Index(body, "["); i > 0 {
+		body = body[i:]
+	}
+	var out []GapSuggestion
+	if err := json.Unmarshal([]byte(body), &out); err != nil {
+		return nil, "", fmt.Errorf("parse llm response: %w (body=%.200s)", err, body)
+	}
+	return out, provider.Name(), nil
+}
+
+// filterAndProvenance drops obviously malformed suggestions and stamps
+// every survivor with a `confidence` default. Pure-free-form suggestions
+// without any norm reference are demoted to "low".
+func filterAndProvenance(in []GapSuggestion) []GapSuggestion {
+	out := make([]GapSuggestion, 0, len(in))
+	for _, s := range in {
+		if strings.TrimSpace(s.Title) == "" || s.Kind == "" {
+			continue
+		}
+		if s.Confidence == "" {
+			if len(s.NormRefs) == 0 && s.PatternRef == "" {
+				s.Confidence = "low"
+			} else {
+				s.Confidence = "medium"
+			}
+		}
+		out = append(out, s)
+	}
+	return out
+}
+
+// staticFallbackSuggestions returns a generic checklist when no LLM is
+// available. Conservative, all confidence="low".
+func staticFallbackSuggestions(hz []iace.Hazard) []GapSuggestion {
+	hasMechanical := false
+	for _, h := range hz {
+		if strings.Contains(h.Category, "mechanical") {
+			hasMechanical = true
+			break
+		}
+	}
+	out := []GapSuggestion{
+		{
+			Kind: "hazard", Title: "Fuss-Quetschung unter absenkendem Werkstueck/Hubeinheit",
+			Description: "Wenn die Maschine eine Hubbewegung ausfuehrt, pruefe ob Fuesse/Beine im Verfahrbereich gequetscht werden koennen.",
+			Category: "mechanical_hazard", NormRefs: []string{"EN ISO 12100 6.3.5.5"},
+			Confidence: "low", Rationale: "Static checklist fallback — LLM nicht verfuegbar.",
+		},
+		{
+			Kind: "hazard", Title: "Hand-Quetschung gegen feste Strukturen beim Hochfahren",
+			Description: "Pruefe Mindestabstand zu festen Strukturen oberhalb der hoechsten Hubposition.",
+			Category: "mechanical_hazard", NormRefs: []string{"EN ISO 13854"},
+			Confidence: "low",
+		},
+		{
+			Kind: "mitigation", Title: "Kriechgeschwindigkeit am Endanschlag (Hubgeraete)",
+			Description: "Hubgeschwindigkeit am Ende der Verfahrbewegung auf <=15 mm/s reduzieren.",
+			NormRefs: []string{"OSHA 29 CFR 1910.217 (Hand-Speed-Konstante)"},
+			Confidence: "low",
+		},
+	}
+	if !hasMechanical {
+		// Trim if not a mechanical context
+		out = out[:1]
+	}
+	return out
+}

ai-compliance-sdk/internal/api/handlers/iace_handler_init.go

@@ -123,7 +123,7 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 	matchOutput := engine.Match(iace.MatchInput{
 		ComponentLibraryIDs: componentIDs,
 		EnergySourceIDs:     energyIDs,
-		LifecyclePhases:     parseResult.LifecyclePhases,
+		LifecyclePhases:     withUniversalLifecycles(parseResult.LifecyclePhases),
 		CustomTags:          parseResult.CustomTags,
 		OperationalStates:   operationalStates,
 		StateTransitions:    parseResult.StateTransitions,
@@ -219,26 +219,21 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 				// scenario itself. Only the aggregated norm-references
 				// block is appended below for an at-a-glance audit trail.
 				desc := mp.ScenarioDE
-				// Phase 17: PLr per EN ISO 13849-1 Anhang A. The graph
-				// inputs come from the pattern's DefaultSeverity/Exposure
-				// (mapped to S1/S2 and F1/F2 at threshold 3) plus
-				// DefaultAvoidability (P1/P2). If avoidability is unset
-				// we default to P1 — the conservative direction is
-				// downward (lower PLr), the operator can raise it
-				// manually after expert review.
-				avoid := 1
-				if mp.DefaultAvoidability == 2 {
-					avoid = 2
-				}
+				// BreakPilot's OWN risk model (NOT a norm reproduction):
+				// severity + frequency from the pattern defaults; probability
+				// (W) and avoidance (P) from public accident-statistics anchors
+				// (see iace/risk_estimation.go + DATA_SOURCES.md). No EN ISO
+				// 13849-1 risk-graph table or parameter binning is reproduced.
 				if mp.DefaultSeverity > 0 && mp.DefaultExposure > 0 {
-					sBin := iace.SeverityToS(mp.DefaultSeverity)
-					fBin := iace.ExposureToF(mp.DefaultExposure)
-					plr := iace.ComputePLr(sBin, fBin, avoid)
-					desc += fmt.Sprintf("\n\nRisikograph EN ISO 13849-1 (Anhang A): S%d · F%d · P%d → PLr %s",
-						sBin, fBin, avoid, plr)
+					s := iace.EstimateSeverity(mp.HazardCats, mp.ScenarioDE, mp.DefaultSeverity)
+					w := iace.EstimateProbabilityW(mp.HazardCats, mp.ScenarioDE)
+					p := iace.EstimateAvoidabilityP(mp.HazardCats, mp.ScenarioDE)
+					_, level := iace.EstimateRiskLevel(s, mp.DefaultExposure, w, p)
+					desc += fmt.Sprintf("\n\nRisikoeinschaetzung (BreakPilot-Modell): S%d · F%d · W%d · P%d → Risiko: %s",
+						s, mp.DefaultExposure, w, p, level)
 				}
 				if mp.ISO12100Section != "" {
-					desc += "\n\nKlassifikation: EN ISO 12100 Anhang B, Abschnitt " + mp.ISO12100Section
+					desc += "\n\nKlassifikation: EN ISO 12100 Abschnitt " + mp.ISO12100Section
 				}
 
 				hz, cerr := h.store.CreateHazard(ctx, iace.CreateHazardRequest{

ai-compliance-sdk/internal/api/handlers/iace_handler_init_helpers.go

@@ -2,12 +2,35 @@ package handlers
 
 import (
 	"encoding/json"
+	"sort"
 	"strings"
 
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/google/uuid"
 )
 
+// withUniversalLifecycles ensures the lifecycle phases that occur on virtually
+// every machine — normal operation, setup, maintenance, cleaning — are always
+// present, so their hazards are derived even when the limits form does not list
+// them explicitly. The professional assesses these phases on most devices.
+func withUniversalLifecycles(parsed []string) []string {
+	seen := make(map[string]bool, len(parsed)+4)
+	out := make([]string, 0, len(parsed)+4)
+	for _, p := range parsed {
+		if p != "" && !seen[p] {
+			seen[p] = true
+			out = append(out, p)
+		}
+	}
+	for _, u := range []string{"normal_operation", "setup", "maintenance", "cleaning"} {
+		if !seen[u] {
+			seen[u] = true
+			out = append(out, u)
+		}
+	}
+	return out
+}
+
 // extractNarrativeFromMetadata builds a combined text from the limits_form.
 func extractNarrativeFromMetadata(metadata json.RawMessage) string {
 	if metadata == nil {
@@ -26,23 +49,37 @@ func extractNarrativeFromMetadata(metadata json.RawMessage) string {
 		return ""
 	}
 
-	textFields := []string{
-		"general_description", "intended_purpose", "foreseeable_misuse",
-		"space_limits", "time_limits", "environmental_conditions",
-		"energy_sources", "materials_processed", "operating_modes",
-		"maintenance_requirements", "personnel_requirements",
-		"interfaces_description", "control_system_description",
-		"safety_functions_description",
+	// Read EVERY field of the limits form — intended use, foreseeable misuse,
+	// machine limits, and ALL interfaces (electrical/mechanical/pneumatic/
+	// software). Each is a hazard source. We don't whitelist field names (the
+	// form schema evolves); noise fields like serial number / year are harmless
+	// because the parser only extracts from recognised keywords. Keys are
+	// sorted for deterministic output.
+	keys := make([]string, 0, len(limits))
+	for k := range limits {
+		keys = append(keys, k)
 	}
-	var result string
-	for _, field := range textFields {
-		if v, ok := limits[field]; ok {
-			if s, ok := v.(string); ok && s != "" {
-				result += s + "\n\n"
+	sort.Strings(keys)
+
+	var sb strings.Builder
+	for _, k := range keys {
+		switch val := limits[k].(type) {
+		case string:
+			if strings.TrimSpace(val) != "" {
+				sb.WriteString(val)
+				sb.WriteString("\n\n")
 			}
+		case []interface{}:
+			for _, e := range val {
+				if s, ok := e.(string); ok && s != "" {
+					sb.WriteString(s)
+					sb.WriteString(", ")
+				}
+			}
+			sb.WriteString("\n\n")
 		}
 	}
-	return result
+	return sb.String()
 }
 
 // acceptableMeasureCategories returns the set of measure HazardCategory values

ai-compliance-sdk/internal/api/handlers/iace_handler_norms.go

@@ -46,6 +46,8 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 	allNorms = append(allNorms, iace.GetWave3dHvacCNorms()...)
 	allNorms = append(allNorms, iace.GetFinalCNorms()...)
 
+	includeCrossRef := c.Query("include_crossref") == "true"
+
 	var filtered []iace.NormReference
 	for _, norm := range allNorms {
 		if normType != "" && norm.NormType != normType {
@@ -54,6 +56,12 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 		if hazardCat != "" && !containsString(norm.HazardCats, hazardCat) {
 			continue
 		}
+		if includeCrossRef {
+			cr := iace.GetNormCrossRef(norm.ID)
+			if len(cr.Mappings) > 0 {
+				norm.CrossRef = &cr
+			}
+		}
 		filtered = append(filtered, norm)
 	}
 
@@ -61,9 +69,36 @@ func (h *IACEHandler) ListNormsLibrary(c *gin.Context) {
 		filtered = []iace.NormReference{}
 	}
 
+	covered, total := iace.CrossRefCoverage(len(allNorms))
 	c.JSON(http.StatusOK, gin.H{
 		"norms": filtered,
 		"total": len(filtered),
+		"crossref_coverage": gin.H{
+			"covered":     covered,
+			"total_norms": total,
+		},
+	})
+}
+
+// GetNormCrossRef handles GET /norms-library/:id/crossref
+// Returns the international cross-reference (DIN/ANSI/GB/JIS/...) for a single norm.
+func (h *IACEHandler) GetNormCrossRef(c *gin.Context) {
+	normID := c.Param("id")
+	if normID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "norm id required"})
+		return
+	}
+	cr := iace.GetNormCrossRef(normID)
+	c.JSON(http.StatusOK, cr)
+}
+
+// ListNormCrossRefs handles GET /norms-library/crossref
+// Returns the entire cross-reference matrix (all populated entries).
+func (h *IACEHandler) ListNormCrossRefs(c *gin.Context) {
+	entries := iace.ListNormCrossRefs()
+	c.JSON(http.StatusOK, gin.H{
+		"entries": entries,
+		"total":   len(entries),
 	})
 }
 

ai-compliance-sdk/internal/api/handlers/iace_handler_norms_crossref_test.go

@@ -0,0 +1,110 @@
+package handlers
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+)
+
+// Contract tests for the new /norms-library/crossref endpoints.
+// These are the practical equivalent of an OpenAPI snapshot: they pin
+// the response shape so a downstream consumer (admin-compliance,
+// developer-portal, SDK) cannot be silently broken.
+
+func TestGetNormCrossRef_KnownID_ReturnsExpectedShape(t *testing.T) {
+	handler := &IACEHandler{}
+	w, c := newTestContext("GET", "/norms-library/ISO-12100/crossref", nil, nil, gin.Params{
+		{Key: "id", Value: "ISO-12100"},
+	})
+
+	handler.GetNormCrossRef(c)
+
+	if w.Code != 200 {
+		t.Fatalf("expected 200, got %d body=%s", w.Code, w.Body.String())
+	}
+
+	var resp struct {
+		NormID   string `json:"norm_id"`
+		Mappings []struct {
+			Region     string `json:"region"`
+			Identifier string `json:"identifier"`
+			Relation   string `json:"relation"`
+			Confidence string `json:"confidence"`
+		} `json:"mappings"`
+		BatchID string `json:"batch_id"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response not parsable: %v body=%s", err, w.Body.String())
+	}
+	if resp.NormID != "ISO-12100" {
+		t.Errorf("expected norm_id ISO-12100, got %q", resp.NormID)
+	}
+	if len(resp.Mappings) < 3 {
+		t.Errorf("expected ISO-12100 to have at least 3 mappings, got %d", len(resp.Mappings))
+	}
+}
+
+func TestGetNormCrossRef_MissingID_Returns400(t *testing.T) {
+	handler := &IACEHandler{}
+	w, c := newTestContext("GET", "/norms-library//crossref", nil, nil, gin.Params{
+		{Key: "id", Value: ""},
+	})
+
+	handler.GetNormCrossRef(c)
+	if w.Code != 400 {
+		t.Errorf("expected 400 for missing id, got %d", w.Code)
+	}
+}
+
+func TestGetNormCrossRef_UnknownID_ReturnsEmptyMappings(t *testing.T) {
+	handler := &IACEHandler{}
+	w, c := newTestContext("GET", "/norms-library/ISO-DOESNOTEXIST/crossref", nil, nil, gin.Params{
+		{Key: "id", Value: "ISO-DOESNOTEXIST"},
+	})
+
+	handler.GetNormCrossRef(c)
+
+	if w.Code != 200 {
+		t.Fatalf("expected 200 for unknown id (returns empty), got %d", w.Code)
+	}
+	var resp struct {
+		NormID   string        `json:"norm_id"`
+		Mappings []interface{} `json:"mappings"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response not parsable: %v", err)
+	}
+	if resp.NormID != "ISO-DOESNOTEXIST" {
+		t.Errorf("expected norm_id to echo back, got %q", resp.NormID)
+	}
+	if len(resp.Mappings) != 0 {
+		t.Errorf("expected empty mappings, got %d", len(resp.Mappings))
+	}
+}
+
+func TestListNormCrossRefs_ReturnsAll(t *testing.T) {
+	handler := &IACEHandler{}
+	w, c := newTestContext("GET", "/norms-library/crossref", nil, nil, nil)
+
+	handler.ListNormCrossRefs(c)
+
+	if w.Code != 200 {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	var resp struct {
+		Entries []struct {
+			NormID string `json:"norm_id"`
+		} `json:"entries"`
+		Total int `json:"total"`
+	}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response not parsable: %v", err)
+	}
+	if resp.Total != 671 {
+		t.Errorf("expected 671 cross-ref entries, got %d", resp.Total)
+	}
+	if len(resp.Entries) != resp.Total {
+		t.Errorf("entries count %d does not match total %d", len(resp.Entries), resp.Total)
+	}
+}

ai-compliance-sdk/internal/api/handlers/iace_handler_risk.go

@@ -0,0 +1,30 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// GetRiskSuggestion returns BreakPilot's justified dual-model risk suggestion
+// for a hazard: the EN-62061-style F/W/P/S model and the Fine-Kinney P/E/C
+// model, each with suggested values, justifications and the visible formula.
+// Read-only and computed from public-data anchors — the professional adjusts
+// the values; no norm table is stored or reproduced.
+//
+// GET /projects/:id/hazards/:hid/risk-suggestion
+func (h *IACEHandler) GetRiskSuggestion(c *gin.Context) {
+	hid, err := uuid.Parse(c.Param("hid"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid hazard ID"})
+		return
+	}
+	hz, err := h.store.GetHazard(c.Request.Context(), hid)
+	if err != nil || hz == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "hazard not found"})
+		return
+	}
+	c.JSON(http.StatusOK, iace.BuildRiskSuggestion(hz))
+}