Merge feat/dsms-stufe3-version-chains: version chain history + diff + audit-timeline modal

Merge feat/dsms-stufe2-evidence-techfile: tech-file DSMS archive with audit-trail CID
Merge feat/iace-llm-fm-frontend: KI-Vorschlag Uebernehmen/Ablehnen + AP tests
2026-05-22 12:00:33 +02:00 · 2026-05-22 12:00:22 +02:00 · 2026-05-22 12:00:10 +02:00 · 2026-05-22 11:59:57 +02:00 · 2026-05-22 11:51:27 +02:00 · 2026-05-22 11:51:03 +02:00
2204 changed files with 409203 additions and 156335 deletions
@@ -1,37 +1,76 @@
 # BreakPilot Compliance - DSGVO/AI-Act SDK Platform

+> **NON-NEGOTIABLE STRUCTURE RULES** (enforced by `.claude/settings.json` hook, git pre-commit, and CI):
+> 1. **File-size budget:** soft target **300** lines, **hard cap 500** lines for any non-test, non-generated source file. Anything larger → split it. Exceptions are listed in `.claude/rules/loc-exceptions.txt` and require a written rationale.
+> 2. **Clean architecture per service.** Routers/handlers stay thin (≤30 lines per handler) and delegate to services; services use repositories; repositories own DB I/O. See `AGENTS.python.md` / `AGENTS.go.md` / `AGENTS.typescript.md`.
+> 3. **Do not touch the database schema.** No new Alembic migrations, no `ALTER TABLE`, no model field renames without an explicit migration plan reviewed by the DB owner. SQLAlchemy `__tablename__` and column names are frozen.
+> 4. **Public endpoints are a contract.** Any change to a path, method, status code, request schema, or response schema in `backend-compliance/`, `ai-compliance-sdk/`, `dsms-gateway/`, `document-crawler/`, or `compliance-tts-service/` must be accompanied by a matching update in **every** consumer (`admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`). Use the OpenAPI snapshot tests in `tests/contracts/` as the gate.
+> 5. **Tests are not optional.** New code without tests fails CI. Refactors must preserve coverage and add a characterization test before splitting an oversized file.
+> 6. **Do not bypass the guardrails.** Do not edit `.claude/settings.json`, `scripts/check-loc.sh`, or the loc-exceptions list to silence violations. If a rule is wrong, raise it in a PR description.
+>
+> These rules apply to **every** Claude Code session opened inside this repository, regardless of who launched it. They are loaded automatically via this `CLAUDE.md`.
+
+
+
+## First-Time Setup & Claude Code Onboarding
+
+**For humans:** Read this CLAUDE.md top to bottom before your first commit. Then read `AGENTS.<lang>.md` for the service you are working on (`AGENTS.python.md`, `AGENTS.go.md`, or `AGENTS.typescript.md`).
+
+**For Claude Code sessions — things that cause first-commit failures:**
+
+1. **Wrong branch.** Never commit directly to `main`. Create a feature branch first: `git checkout -b feat/my-change`.
+
+2. **PreToolUse hook blocks your write.** The `PreToolUse` hooks in `.claude/settings.json` will reject Write/Edit operations on any file that would push its line count past 500. This is intentional — split the file into smaller modules instead of trying to bypass the hook.
+
+3. **Missing `[guardrail-change]` marker.** The `guardrail-integrity` CI job fails if you modify a guardrail file without the marker in the commit message body. See the table below.
+
+4. **Never `git add -A` or `git add .`.** Stage files individually by path. `git add -A` risks committing `.env`, `node_modules/`, `.next/`, compiled binaries, and other artifacts that must never enter the repo.
+
+5. **LOC check before push.** After any session, run `bash scripts/check-loc.sh`. It must exit 0 before you push. The git pre-commit hook runs this automatically, but run it manually first to catch issues early.
+
+### Commit message quick reference
+
+| Marker | Required when touching |
+|--------|----------------------|
+| `[guardrail-change]` | `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, any `AGENTS.*.md` |
+| `[migration-approved]` | Anything under `migrations/` or `alembic/versions/` |
+
+Add the marker anywhere in the commit message body or footer — the CI job does a plain-text grep for it.
+
+---
+
 ## Entwicklungsumgebung (WICHTIG - IMMER ZUERST LESEN)

-### Zwei-Rechner-Setup + Coolify
+### Zwei-Rechner-Setup + Orca

 | Geraet | Rolle | Aufgaben |
 |--------|-------|----------|
 | **MacBook** | Entwicklung | Claude Terminal, Code-Entwicklung, Browser (Frontend-Tests) |
 | **Mac Mini** | Lokaler Server | Docker fuer lokale Dev/Tests (NICHT fuer Production!) |
-| **Coolify** | Production | Automatisches Build + Deploy bei Push auf gitea |
+| **Orca** | Production | Automatisches Build + Deploy bei Push auf origin |

-**WICHTIG:** Code wird auf dem MacBook bearbeitet. Production-Deployment laeuft automatisch ueber Coolify.
+**WICHTIG:** Code wird auf dem MacBook bearbeitet. Production-Deployment laeuft automatisch ueber Orca.

-### Entwicklungsworkflow (CI/CD — Coolify)
+### Entwicklungsworkflow (CI/CD — Orca)

 ```bash
 # 1. Code auf MacBook bearbeiten (dieses Verzeichnis)
-# 2. Committen und zu BEIDEN Remotes pushen:
-git push origin main && git push gitea main
+# 2. Committen und pushen:
+git push origin main

-# 3. FERTIG! Push auf gitea triggert automatisch:
+# 3. FERTIG! Push auf origin triggert automatisch:
 #    - Gitea Actions: Lint → Tests → Validierung
-#    - Coolify: Build → Deploy
+#    - Orca: Build → Deploy
 #    Dauer: ca. 3 Minuten
 #    Status pruefen: https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions
 ```

 **NICHT MEHR NOETIG:** Manuelles `ssh macmini "docker compose build"` fuer Production.
-**NIEMALS** manuell in Coolify auf "Redeploy" klicken — Gitea Actions triggert Coolify automatisch.
+**NIEMALS** manuell in Orca auf "Redeploy" klicken — Gitea Actions triggert Orca automatisch.

-### Post-Push Deploy-Monitoring (PFLICHT nach jedem Push auf gitea)
+### Post-Push Deploy-Monitoring (PFLICHT nach jedem Push)

-**IMMER wenn Claude auf gitea pusht, MUSS danach automatisch das Deploy-Monitoring laufen:**
+**IMMER wenn Claude auf origin pusht, MUSS danach automatisch das Deploy-Monitoring laufen:**

 1. Dem User sofort mitteilen: "Deploy gestartet, ich ueberwache den Status..."
 2. Im Hintergrund Health-Checks pollen (alle 20 Sekunden, max 5 Minuten):
@@ -42,32 +81,32 @@ git push origin main && git push gitea main
   ```
 3. Sobald ALLE Endpoints healthy sind, dem User im Chat melden:
   **"Deploy abgeschlossen! Du kannst jetzt testen: https://admin-dev.breakpilot.ai"**
-4. Falls nach 5 Minuten noch nicht healthy → Fehlermeldung mit Hinweis auf Coolify-Logs.
+4. Falls nach 5 Minuten noch nicht healthy → Fehlermeldung mit Hinweis auf Orca-Logs.

 **Ablauf im Terminal:**
 ```
-> git push gitea main ✓
+> git push origin main ✓
 > "Deploy gestartet, ich ueberwache den Status..."
 > [Hintergrund-Polling laeuft]
 > "Deploy abgeschlossen! Alle Services healthy. Du kannst jetzt testen."
 ```

-### CI/CD Pipeline (Gitea Actions → Coolify)
+### CI/CD Pipeline (Gitea Actions → Orca)

 ```
-Push auf gitea main → go-lint/python-lint/nodejs-lint (nur PRs)
+Push auf origin main → go-lint/python-lint/nodejs-lint (nur PRs)
                    → test-go-ai-compliance
                    → test-python-backend-compliance
                    → test-python-document-crawler
                    → test-python-dsms-gateway
                    → validate-canonical-controls
-                    → Coolify: Build + Deploy (automatisch bei Push)
+                    → Orca: Build + Deploy (automatisch bei Push)
 ```

 **Dateien:**
 - `.gitea/workflows/ci.yaml` — Pipeline-Definition (Tests + Validierung)
 - `docker-compose.yml` — Haupt-Compose
- `docker-compose.hetzner.yml` — Override: arm64→amd64 fuer Coolify Production (x86_64)
+- `docker-compose.hetzner.yml` — Override: arm64→amd64 fuer Orca Production (x86_64)

 ### Lokale Entwicklung (Mac Mini — optional)

@@ -106,7 +145,7 @@ Config via `.env` (nicht im Repo): `COMPLIANCE_DATABASE_URL`, `QDRANT_URL`, `QDR

 ## Haupt-URLs

-### Production (Coolify-deployed)
+### Production (Orca-deployed)

 | URL | Service | Beschreibung |
 |-----|---------|--------------|
@@ -207,7 +246,7 @@ breakpilot-compliance/
 ├── dsms-gateway/             # IPFS Gateway
 ├── scripts/                  # Helper Scripts
 ├── docker-compose.yml        # Compliance Compose (~10 Services, platform: arm64)
-├── docker-compose.hetzner.yml # Override: arm64→amd64 fuer Coolify Production
+├── docker-compose.hetzner.yml # Override: arm64→amd64 fuer Orca Production
 └── .gitea/workflows/ci.yaml  # CI/CD Pipeline (Lint → Tests → Validierung)
 ```

@@ -218,8 +257,8 @@ breakpilot-compliance/
 ### Deployment (CI/CD — Standardweg)

 ```bash
-# Committen und pushen → Coolify deployt automatisch:
-git push origin main && git push gitea main
+# Committen und pushen → Orca deployt automatisch:
+git push origin main

 # CI-Status pruefen (im Browser):
 # https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions
@@ -232,12 +271,10 @@ curl -sf https://sdk-dev.breakpilot.ai/health
 ### Git

 ```bash
-# Zu BEIDEN Remotes pushen (PFLICHT! — vom MacBook):
-git push origin main && git push gitea main
+git push origin main

-# Remotes:
-# origin: lokale Gitea (macmini:3003)
-# gitea:  gitea.meghsakha.com:22222
+# Remote:
+# origin: ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
 ```

 ### Lokale Docker-Befehle (Mac Mini — nur fuer Dev/Tests)
@@ -0,0 +1,43 @@
+# Architecture Rules (auto-loaded)
+
+These rules apply to **every** Claude Code session in this repository, regardless of who launched it. They are non-negotiable.
+
+## File-size budget
+
+- **Soft target:** 300 lines per non-test, non-generated source file.
+- **Hard cap:** 500 lines. The PreToolUse hook in `.claude/settings.json` blocks Write/Edit operations that would create or push a file past 500. The git pre-commit hook re-checks. CI is the final gate.
+- Exceptions live in `.claude/rules/loc-exceptions.txt` and require a written rationale plus `[guardrail-change]` in the commit message. The exceptions list should shrink over time, not grow.
+
+## Clean architecture
+
+- Python (FastAPI): see `AGENTS.python.md`. Layering: `api → services → repositories → db.models`. Routers ≤30 LOC per handler. Schemas split per domain.
+- Go (Gin): see `AGENTS.go.md`. Standard Go Project Layout + hexagonal. `cmd/` thin, wiring in `internal/app`.
+- TypeScript (Next.js): see `AGENTS.typescript.md`. Server-by-default, push the client boundary deep, colocate `_components/` and `_hooks/` per route.
+
+## Database is frozen
+
+- No new Alembic migrations. No `ALTER TABLE`. No `__tablename__` or column renames.
+- The pre-commit hook blocks any change under `migrations/` or `alembic/versions/` unless the commit message contains `[migration-approved]`.
+
+## Public endpoints are a contract
+
+- Any change to a path/method/status/request schema/response schema in a backend service must update every consumer in the same change set.
+- Each backend service has an OpenAPI baseline at `tests/contracts/openapi.baseline.json`. Contract tests fail on drift.
+
+## Tests
+
+- New code without tests fails CI.
+- Refactors must preserve coverage. Before splitting an oversized file, add a characterization test that pins current behavior.
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`, `tests/e2e/`.
+
+## Guardrails are themselves protected
+
+- Edits to `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, or any `AGENTS.*.md` require `[guardrail-change]` in the commit message. The pre-commit hook enforces this.
+- If you (Claude) think a rule is wrong, surface it to the user. Do not silently weaken it.
+
+## Tooling baseline
+
+- Python: `ruff`, `mypy --strict` on new modules, `pytest --cov`.
+- Go: `golangci-lint` strict config, `go vet`, table-driven tests.
+- TS: `tsc --noEmit` strict, ESLint type-aware, Vitest, Playwright.
+- All three: dependency caching in CI, license/SBOM scan via `syft`+`grype`.
@@ -0,0 +1,184 @@
+# loc-exceptions.txt — files allowed to exceed the 500-line hard cap.
+#
+# Format: one repo-relative path per line. Comments start with '#' and are ignored.
+# Each exception MUST be preceded by a comment explaining why splitting is not viable.
+#
+# Phase 0 baseline: this list is initially empty. Phases 1-4 will add grandfathered
+# entries as we encounter legitimate exceptions (e.g. large generated data tables).
+# The goal is for this list to SHRINK over time, never grow.
+
+# --- admin-compliance: static data catalogs (Phase 3) ---
+# Splitting these would fragment lookup tables without improving readability.
+admin-compliance/lib/sdk/tom-generator/controls/loader.ts
+admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts
+admin-compliance/lib/sdk/compliance-scope-triggers.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/processing-activities.ts
+admin-compliance/lib/sdk/catalog-manager/catalog-registry.ts
+admin-compliance/lib/sdk/dsfa/mitigation-library.ts
+admin-compliance/lib/sdk/vvt-baseline-catalog.ts
+admin-compliance/lib/sdk/dsfa/eu-legal-frameworks.ts
+admin-compliance/lib/sdk/dsfa/risk-catalog.ts
+admin-compliance/lib/sdk/loeschfristen-baseline-catalog.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/vendor-templates.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/legal-basis.ts
+admin-compliance/lib/sdk/vendor-compliance/contract-review/findings.ts
+admin-compliance/lib/sdk/vendor-compliance/contract-review/checklists.ts
+admin-compliance/lib/sdk/compliance-scope-types/document-scope-matrix-core.ts
+admin-compliance/lib/sdk/compliance-scope-types/document-scope-matrix-extended.ts
+admin-compliance/lib/sdk/demo-data/index.ts
+admin-compliance/lib/sdk/tom-generator/demo-data/index.ts
+
+# --- admin-compliance: self-contained export generators (Phase 3) ---
+# Each file generates a complete document format. Splitting mid-generation
+# logic would create artificial module boundaries without benefit.
+admin-compliance/lib/sdk/tom-generator/export/zip.ts
+admin-compliance/lib/sdk/tom-generator/export/docx.ts
+admin-compliance/lib/sdk/tom-generator/export/pdf.ts
+admin-compliance/lib/sdk/einwilligungen/export/pdf.ts
+admin-compliance/lib/sdk/einwilligungen/generator/privacy-policy-sections.ts
+
+# --- backend-compliance: legacy utility services (Phase 1) ---
+# Pre-refactor utility modules not yet split. Phase 5 targets.
+backend-compliance/compliance/services/control_generator.py
+backend-compliance/compliance/services/audit_pdf_generator.py
+backend-compliance/compliance/services/regulation_scraper.py
+backend-compliance/compliance/services/llm_provider.py
+backend-compliance/compliance/services/export_generator.py
+backend-compliance/compliance/services/pdf_extractor.py
+backend-compliance/compliance/services/ai_compliance_assistant.py
+
+# --- backend-compliance: Phase 1 code refactor backlog ---
+# These are the remaining oversized route/service/data/auth files that Phase 1
+# did not reach. Each entry is a tracked refactor debt item — the list must shrink.
+backend-compliance/compliance/services/decomposition_pass.py
+backend-compliance/compliance/api/schemas.py
+backend-compliance/compliance/api/canonical_control_routes.py
+backend-compliance/compliance/db/repository.py
+backend-compliance/compliance/db/models.py
+backend-compliance/compliance/api/evidence_check_routes.py
+backend-compliance/compliance/api/control_generator_routes.py
+backend-compliance/compliance/api/process_task_routes.py
+backend-compliance/compliance/api/evidence_routes.py
+backend-compliance/compliance/api/crosswalk_routes.py
+backend-compliance/compliance/api/dashboard_routes.py
+backend-compliance/compliance/api/dsfa_routes.py
+backend-compliance/compliance/api/routes.py
+backend-compliance/compliance/api/tom_mapping_routes.py
+backend-compliance/compliance/services/control_dedup.py
+backend-compliance/compliance/services/framework_decomposition.py
+backend-compliance/compliance/services/pipeline_adapter.py
+backend-compliance/compliance/services/batch_dedup_runner.py
+backend-compliance/compliance/services/obligation_extractor.py
+backend-compliance/compliance/services/control_composer.py
+backend-compliance/compliance/services/pattern_matcher.py
+backend-compliance/compliance/data/iso27001_annex_a.py
+backend-compliance/compliance/data/service_modules.py
+backend-compliance/compliance/data/controls.py
+backend-compliance/services/pdf_service.py
+backend-compliance/services/file_processor.py
+backend-compliance/auth/keycloak_auth.py
+
+# --- scripts: one-off ingestion, QA, and migration scripts ---
+# These are operational scripts, not production application code.
+# LOC rules don't apply in the same way to single-purpose scripts.
+scripts/ingest-legal-corpus.sh
+scripts/ingest-ce-corpus.sh
+scripts/ingest-dsfa-bundesland.sh
+scripts/edpb-crawler.py
+scripts/apply_templates_023.py
+scripts/qa/phase74_generate_gap_controls.py
+scripts/qa/pdf_qa_all.py
+scripts/qa/benchmark_llm_controls.py
+backend-compliance/scripts/seed_policy_templates.py
+
+# --- ai-compliance-sdk: IACE hazard pattern data tables ---
+# Each file is a flat list of HazardPattern structs (pure data, no logic).
+# 85 patterns × 12 lines/pattern = ~1020 lines. Cannot be split meaningfully.
+ai-compliance-sdk/internal/iace/hazard_patterns_extended3.go
+ai-compliance-sdk/internal/iace/hazard_patterns_final_a.go
+ai-compliance-sdk/internal/iace/hazard_patterns_final_b.go
+ai-compliance-sdk/internal/iace/hazard_patterns_final_c.go
+ai-compliance-sdk/internal/iace/hazard_patterns_final_d.go
+ai-compliance-sdk/internal/iace/hazard_patterns_cyber_extended.go
+ai-compliance-sdk/internal/iace/hazard_patterns_workshop.go
+ai-compliance-sdk/internal/iace/norms_library_c_process.go
+ai-compliance-sdk/internal/iace/norms_library_c_food_pkg.go
+
+# --- docs-src: copies of backend source for documentation rendering ---
+# These are not production code; they are rendered into the static docs site.
+docs-src/control_generator.py
+docs-src/control_generator_routes.py
+
+# --- consent-sdk: platform-native mobile SDKs (Swift / Dart) ---
+# Flutter and iOS SDKs follow platform conventions (verbose verbose) that make
+# splitting into multiple files awkward without sacrificing single-import ergonomics.
+consent-sdk/src/mobile/flutter/consent_sdk.dart
+consent-sdk/src/mobile/ios/ConsentManager.swift
+
+# --- consent-tester: DSI discovery orchestrator ---
+# Single Playwright session with sequential steps (banner dismiss, self-extract,
+# link follow, accordion expand, inline sections). Splitting mid-session would
+# require passing Page objects across modules.
+consent-tester/services/dsi_discovery.py
+
+# --- backend-compliance: unified compliance check orchestrator ---
+# Sequential 7-step pipeline (text resolve, profile detect, check documents,
+# banner scan, cross-check, profile extract, report). Phase 5 split target.
+backend-compliance/compliance/api/agent_compliance_check_routes.py
+
+# --- docs-src: binary office files (not source code) ---
+# (Also excluded by extension in scripts/check-loc.sh — kept here for legibility.)
+docs-src/Breakpilot ComplAI Finanzplan.xlsm
+
+# --- admin-compliance: oversized component refactor backlog ---
+# Phase 5+ target for splitting into smaller subcomponents per wizard step.
+admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx
+
+# --- ai-compliance-sdk: oversized handler refactor backlog ---
+# Phase 5+ target for splitting handler groups into per-resource files.
+ai-compliance-sdk/internal/api/handlers/tender_handlers.go
+
+# --- merge grandfathered (2026-05-13) — Phase 5+ refactor backlog ---
+# Files imported via team work that crossed the hard cap; tracked for splitting.
+consent-tester/checks/banner_checks.py
+consent-tester/services/banner_detector.py
+backend-compliance/compliance/api/agent_doc_check_routes.py
+backend-compliance/compliance/services/service_registry.py
+backend-compliance/compliance/services/dsr_workflow_service.py
+ai-compliance-sdk/internal/iace/hazard_patterns_forestry_conveyor.go
+admin-compliance/app/sdk/compliance-scope/page.tsx
+
+# --- zeroclaw: ground-truth corpus (test fixture data, not source) ---
+zeroclaw/docs/ground-truth/06-spiegel-dsi-fulltext.txt
+
+# --- IACE data tables and orchestration files (Phase 16-18 refactor backlog) ---
+# Each file grew during the IACE polish phases (Stufe-A manufacturer library,
+# Klärungen Phase 3 PDF export + methodology, app routes). Phase 5+ split
+# targets — splitting now would fragment unrelated cohesive logic.
+ai-compliance-sdk/internal/iace/manufacturer_safety_features.go
+ai-compliance-sdk/internal/api/handlers/iace_handler_clarifications.go
+ai-compliance-sdk/internal/app/routes.go
+
+# --- 2026-05-19 Coolify-Unblocker: 4 grandfathered files ---
+# Diese 4 Dateien sind Pre-Existing-Tech-Debt und blockierten den
+# Coolify-Build. Splits sind als P9.5 Tech-Debt-Sprint geplant, bis
+# dahin als Exceptions getragen damit Deploy laeuft.
+#
+# cra_routes.py (1714): CRA-Phase-5-Router mit Annex-V/VII Generator —
+# Split nach Endpoint-Gruppen (vuln/post-market/tech-doc/doc) sinnvoll.
+backend-compliance/compliance/api/cra_routes.py
+# vendor_redundancy.py (727): Cost-Lookup-Tabellen (DSP/SaaS/Self-Service)
+# + Multi-Function-Tools + Engine. Tabellen-Splits nach Lookup-Klasse.
+backend-compliance/compliance/services/vendor_redundancy.py
+# cookie_knowledge_db.py (608): Basis-KB — Ergaenzung via
+# cookie_knowledge_extended.py + Facade laeuft bereits (P2). Split der
+# Base-KB nach Vendor-Familie ist Phase-2-Ziel.
+backend-compliance/compliance/services/cookie_knowledge_db.py
+# cookie-banner-embed.ts (558): Banner-Embed-Bundle fuer CDN-Auslieferung
+# — selbst-kontainierter Code-Generator, Split wuerde Generator-Logik
+# fragmentieren ohne Nutzen.
+admin-compliance/lib/sdk/einwilligungen/generator/cookie-banner-embed.ts
+# ComplianceCheckTab.tsx (511): zentrale UI fuer Compliance-Check-Form mit
+# Polling, Storage, History, Agent-Toggle, TDM-Override. Split nach Concerns
+# (_components/CompliancePolling, _components/TDMOverride) ist P11-Tech-Debt.
+admin-compliance/app/sdk/agent/_components/ComplianceCheckTab.tsx
@@ -0,0 +1,28 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] && exit 0; lines=$(printf '%s' \"$(jq -r '.tool_input.content // empty')\" | awk 'END{print NR}'); if [ \"${lines:-0}\" -gt 500 ]; then echo '{\"decision\":\"block\",\"reason\":\"breakpilot guardrail: file exceeds the 500-line hard cap. Split it into smaller modules per the layering rules in AGENTS.<lang>.md. If this is generated/data code, add an entry to .claude/rules/loc-exceptions.txt with rationale and reference [guardrail-change].\"}'; exit 0; fi",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] || [ ! -f \"$f\" ] && exit 0; case \"$f\" in *.md|*.json|*.yaml|*.yml|*test*|*tests/*|*node_modules/*|*.next/*|*migrations/*) exit 0 ;; esac; new_str=$(jq -r '.tool_input.new_string // empty'); old_str=$(jq -r '.tool_input.old_string // empty'); old_lines=$(printf '%s' \"$old_str\" | awk 'END{print NR}'); new_lines=$(printf '%s' \"$new_str\" | awk 'END{print NR}'); cur=$(wc -l < \"$f\" | tr -d ' '); proj=$((cur - old_lines + new_lines)); if [ \"$proj\" -gt 500 ]; then echo \"{\\\"decision\\\":\\\"block\\\",\\\"reason\\\":\\\"breakpilot guardrail: this edit would push $f to ~$proj lines (hard cap is 500). Split the file before continuing. See AGENTS.<lang>.md for the layering rules.\\\"}\"; fi; exit 0",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
@@ -1,12 +1,12 @@
 # =========================================================
-# BreakPilot Compliance — Coolify Environment Variables
+# BreakPilot Compliance — Orca Environment Variables
 # =========================================================
-# Copy these into Coolify's environment variable UI
+# Copy these into Orca's environment variable UI
 # for the breakpilot-compliance Docker Compose resource.
 # =========================================================

-# --- External PostgreSQL (Coolify-managed, same as Core) ---
-COMPLIANCE_DATABASE_URL=postgresql://breakpilot:CHANGE_ME@<coolify-postgres-hostname>:5432/breakpilot_db
+# --- External PostgreSQL (Orca-managed, same as Core) ---
+COMPLIANCE_DATABASE_URL=postgresql://breakpilot:CHANGE_ME@<orca-postgres-hostname>:5432/breakpilot_db

 # --- Security ---
 JWT_SECRET=CHANGE_ME_SAME_AS_CORE
@@ -0,0 +1,369 @@
+# Build + push compliance service images to registry.meghsakha.com
+# and trigger orca redeploy after CI passes on main.
+#
+# This workflow is gated on the CI workflow completing successfully.
+# It does not run independently — if CI fails, builds + deploy are skipped.
+# Per-service builds are gated on detect-changes so only services with
+# modified files are rebuilt; trigger-orca runs only if at least one build
+# succeeded and none failed.
+#
+# Requires Gitea Actions secrets:
+#   REGISTRY_USERNAME / REGISTRY_PASSWORD  — registry.meghsakha.com credentials
+#   ORCA_WEBHOOK_SECRET                    — must match webhooks.json on orca master
+
+name: Build + Deploy
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+    branches: [main]
+
+jobs:
+  # ── gate: only proceed if CI succeeded ────────────────────────────────────
+  ci-passed:
+    runs-on: docker
+    container: alpine:3.20
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: CI passed, proceeding with build + deploy
+        run: echo "CI run ${{ github.event.workflow_run.id }} succeeded on ${{ github.event.workflow_run.head_branch }} @ ${{ github.event.workflow_run.head_sha }}"
+
+  # ── detect which services changed since the last successful build ────────
+  # Diff base = the last-build/main git tag, set by mark-last-build at the
+  # end of every successful run. Works across squash merges, multi-commit
+  # raw pushes, and force pushes (force pushes leave a stale tag → diff
+  # shows symmetric differences → safe over-rebuild). If the tag doesn't
+  # exist yet, scripts/detect-changes.sh falls back to rebuilding all.
+  detect-changes:
+    runs-on: docker
+    container: alpine:3.20
+    needs: ci-passed
+    outputs:
+      admin: ${{ steps.diff.outputs.admin }}
+      backend: ${{ steps.diff.outputs.backend }}
+      sdk: ${{ steps.diff.outputs.sdk }}
+      portal: ${{ steps.diff.outputs.portal }}
+      tts: ${{ steps.diff.outputs.tts }}
+      crawler: ${{ steps.diff.outputs.crawler }}
+      dsms_gateway: ${{ steps.diff.outputs.dsms_gateway }}
+      dsms_node: ${{ steps.diff.outputs.dsms_node }}
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 200 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git fetch --tags origin || true
+      - name: Resolve base SHA from last-build/main tag
+        run: |
+          BASE=$(git rev-parse --verify refs/tags/last-build/main 2>/dev/null || true)
+          echo "Base SHA: ${BASE:-<none, will rebuild all>}"
+          # Deepen if base isn't yet in the shallow clone.
+          if [ -n "$BASE" ] && ! git rev-parse --verify "${BASE}^{commit}" >/dev/null 2>&1; then
+            git fetch --unshallow origin 2>/dev/null \
+              || git fetch --depth=10000 origin 2>/dev/null \
+              || true
+          fi
+          echo "BASE_SHA=${BASE}" >> "$GITHUB_ENV"
+      - name: Detect changes
+        id: diff
+        run: bash scripts/detect-changes.sh
+
+  # ── per-service builds run in parallel (only changed services) ────────────
+
+  build-admin-compliance:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.admin == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-admin:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA} \
+            admin-compliance/
+          docker push registry.meghsakha.com/breakpilot/compliance-admin:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA}
+
+  build-backend-compliance:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.backend == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-backend:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA} \
+            backend-compliance/
+          docker push registry.meghsakha.com/breakpilot/compliance-backend:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA}
+
+  build-ai-sdk:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.sdk == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-sdk:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA} \
+            ai-compliance-sdk/
+          docker push registry.meghsakha.com/breakpilot/compliance-sdk:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA}
+
+  build-developer-portal:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.portal == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-portal:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA} \
+            developer-portal/
+          docker push registry.meghsakha.com/breakpilot/compliance-portal:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA}
+
+  build-tts:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.tts == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-tts:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA} \
+            compliance-tts-service/
+          docker push registry.meghsakha.com/breakpilot/compliance-tts:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA}
+
+  build-document-crawler:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.crawler == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-crawler:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA} \
+            document-crawler/
+          docker push registry.meghsakha.com/breakpilot/compliance-crawler:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA}
+
+  build-dsms-gateway:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.dsms_gateway == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA} \
+            dsms-gateway/
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA}
+
+  build-dsms-node:
+    runs-on: docker
+    container: docker:27-cli
+    needs: detect-changes
+    if: needs.detect-changes.outputs.dsms_node == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build --platform linux/amd64 \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-node:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-node:${SHORT_SHA} \
+            dsms-node/
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-node:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-node:${SHORT_SHA}
+
+  # ── advance the last-build/main tag — the diff base for future runs ──────
+  # Runs when no build failed. Covers two cases:
+  #   - at least one service was rebuilt → mark this SHA as the new baseline
+  #   - all services were skipped (nothing changed) → still advance the tag
+  #     so we don't keep re-evaluating the same skipped commits forever
+  # Skips if any build failed → tag stays put → next push retries those
+  # services from the previous known-good base.
+  mark-last-build:
+    runs-on: docker
+    container: alpine:3.20
+    needs:
+      - build-admin-compliance
+      - build-backend-compliance
+      - build-ai-sdk
+      - build-developer-portal
+      - build-tts
+      - build-document-crawler
+      - build-dsms-gateway
+      - build-dsms-node
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    env:
+      GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Force-push last-build/main tag
+        run: |
+          set -e
+          SHA="${HEAD_SHA:-$(git rev-parse HEAD)}"
+          echo "Advancing last-build/main → ${SHA}"
+          git tag -f last-build/main "$SHA"
+          # Encode token into the push URL (no on-disk credential persistence).
+          PUSH_URL="${GITHUB_SERVER_URL/https:\/\//https:\/\/x-access-token:${GITEA_TOKEN}@}/${GITHUB_REPOSITORY}.git"
+          git push --force "$PUSH_URL" "refs/tags/last-build/main"
+          echo "Tag last-build/main now at ${SHA}"
+
+  # ── orca redeploy — runs if at least one build was triggered AND green ────
+  # Per-job `result == 'success'` is true only when the job actually ran and
+  # passed; skipped/failed/cancelled jobs return their own status string and
+  # fail the OR. This avoids Gitea's quirky evaluation of `contains(needs.*
+  # .result, 'success')` when most upstreams are skipped (root cause of
+  # trigger-orca being skipped on single-service changes).
+  # `always()` is required so the job is evaluated when upstreams skip.
+
+  trigger-orca:
+    runs-on: docker
+    container: docker:27-cli
+    needs:
+      - build-admin-compliance
+      - build-backend-compliance
+      - build-ai-sdk
+      - build-developer-portal
+      - build-tts
+      - build-document-crawler
+      - build-dsms-gateway
+      - build-dsms-node
+    if: |
+      always() &&
+      (
+        needs.build-admin-compliance.result == 'success' ||
+        needs.build-backend-compliance.result == 'success' ||
+        needs.build-ai-sdk.result == 'success' ||
+        needs.build-developer-portal.result == 'success' ||
+        needs.build-tts.result == 'success' ||
+        needs.build-document-crawler.result == 'success' ||
+        needs.build-dsms-gateway.result == 'success' ||
+        needs.build-dsms-node.result == 'success'
+      )
+    steps:
+      - name: Checkout (for SHA)
+        run: |
+          apk add --no-cache git curl openssl
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Trigger orca redeploy
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
+          ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github
+        run: |
+          SHA=$(git rev-parse HEAD)
+          PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: compliance images built\"}}"
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
+          curl -sSf -k \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: sha256=$SIG" \
+            -d "$PAYLOAD" \
+            "$ORCA_WEBHOOK_URL" \
+            || { echo "Orca redeploy failed"; exit 1; }
+          echo "Orca redeploy triggered for compliance services"
@@ -1,31 +1,141 @@
-# Gitea Actions CI/CD Pipeline
-# BreakPilot Compliance
+# BreakPilot Compliance — CI Pipeline
 #
-# Services:
-#   Go: ai-compliance-sdk
-#   Python: backend-compliance, document-crawler, dsms-gateway
-#   Node.js: admin-compliance, developer-portal
+# Feature branch workflow:
+#   feat/* | feature/* | fix/* | hotfix/* | chore/* | refactor/* | docs/* | test/* | ci/*
+#   → open PR targeting main
+#   → all jobs run as PR gates
+#   → squash merge to main
+#   → subset of jobs re-run on main to catch merge surprises
 #
-# Workflow:
-#   Push auf main → Tests → Deploy (Coolify)
-#   Pull Request → Lint + Tests (kein Deploy)
+# Deploy is handled by build-push-deploy.yml on push to main.

-name: CI/CD
+name: CI

 on:
  push:
-    branches: [main, develop]
+    branches: [main]
  pull_request:
-    branches: [main, develop]
+    branches: [main]

 jobs:
-  # ========================================
-  # Lint (nur bei PRs)
-  # ========================================

+  # ── Change detection (always runs first) ─────────────────────────────────
+  # Diff base:
+  #   PR    → merge-base with the PR base branch
+  #   push  → last-build/main tag (set by build-push-deploy after a green build)
+  # Falls back to "rebuild all" when the base is missing or unreachable.
+  detect-changes:
+    runs-on: docker
+    container: alpine:3.20
+    outputs:
+      admin: ${{ steps.diff.outputs.admin }}
+      backend: ${{ steps.diff.outputs.backend }}
+      sdk: ${{ steps.diff.outputs.sdk }}
+      portal: ${{ steps.diff.outputs.portal }}
+      tts: ${{ steps.diff.outputs.tts }}
+      crawler: ${{ steps.diff.outputs.crawler }}
+      dsms_gateway: ${{ steps.diff.outputs.dsms_gateway }}
+      dsms_node: ${{ steps.diff.outputs.dsms_node }}
+      any_python: ${{ steps.diff.outputs.any_python }}
+      any_node: ${{ steps.diff.outputs.any_node }}
+      any: ${{ steps.diff.outputs.any }}
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 200 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
+            git fetch --depth 200 origin "${GITHUB_BASE_REF}" || true
+          else
+            git fetch --tags origin || true
+          fi
+      - name: Resolve base SHA
+        run: |
+          if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
+            BASE=$(git merge-base "origin/${GITHUB_BASE_REF}" HEAD 2>/dev/null || true)
+          else
+            BASE=$(git rev-parse --verify refs/tags/last-build/main 2>/dev/null || true)
+          fi
+          echo "Base SHA: ${BASE:-<none>}"
+          echo "BASE_SHA=${BASE}" >> "$GITHUB_ENV"
+      - name: Detect changes
+        id: diff
+        run: bash scripts/detect-changes.sh
+
+  # ── Branch naming convention (PR only) ──────────────────────────────────
+  branch-name:
+    runs-on: docker
+    container: alpine:3.20
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Validate branch name
+        run: |
+          BRANCH="${GITHUB_HEAD_REF}"
+          if ! echo "$BRANCH" | grep -qE '^(feat|feature|fix|hotfix|chore|refactor|docs|test|ci)/.+'; then
+            echo "::error::Branch '$BRANCH' does not follow naming convention."
+            echo "Required prefix: feat/ feature/ fix/ hotfix/ chore/ refactor/ docs/ test/ ci/"
+            exit 1
+          fi
+          echo "Branch name OK: $BRANCH"
+
+  # ── Guardrail integrity (PR only) ────────────────────────────────────────
+  guardrail-integrity:
+    runs-on: docker
+    container: alpine:3.20
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 20 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git fetch origin ${GITHUB_BASE_REF}:base
+      - name: Require [guardrail-change] in commits touching guardrails
+        run: |
+          changed=$(git diff --name-only base...HEAD)
+          echo "$changed" | grep -qE '^(\.claude/settings\.json|\.claude/rules/loc-exceptions\.txt|scripts/check-loc\.sh|scripts/githooks/pre-commit|AGENTS\.(python|go|typescript)\.md)$' || exit 0
+          if ! git log base..HEAD --format=%B | grep -q '\[guardrail-change\]'; then
+            echo "::error::Guardrail files modified without [guardrail-change] in any commit message."
+            exit 1
+          fi
+
+  # ── LOC budget (only if files changed) ───────────────────────────────────
+  loc-budget:
+    runs-on: docker
+    container: alpine:3.20
+    needs: detect-changes
+    if: needs.detect-changes.outputs.any == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Enforce 500-line hard cap
+        run: |
+          chmod +x scripts/check-loc.sh
+          scripts/check-loc.sh
+
+  # ── Secret scanning (PR only) ────────────────────────────────────────────
+  secret-scan:
+    runs-on: docker
+    container: zricethezav/gitleaks:v8.21.2
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Scan for secrets
+        run: |
+          gitleaks detect --source . --no-git \
+            --exit-code 1 \
+            --redact \
+            || { echo "::error::Secrets detected — remove them before merging."; exit 1; }
+
+  # ── Go lint + build (PR only, gated on ai-compliance-sdk changes) ────────
  go-lint:
    runs-on: docker
-    if: github.event_name == 'pull_request'
+    needs: detect-changes
+    if: github.event_name == 'pull_request' && needs.detect-changes.outputs.sdk == 'true'
    container: golangci/golangci-lint:v1.62-alpine
    steps:
      - name: Checkout
@@ -34,57 +144,162 @@ jobs:
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint ai-compliance-sdk
        run: |
-          if [ -d "ai-compliance-sdk" ]; then
-            cd ai-compliance-sdk && golangci-lint run --timeout 5m ./...
-          fi
+          [ -d "ai-compliance-sdk" ] || exit 0
+          cd ai-compliance-sdk
+          golangci-lint run --timeout 5m ./...
+      - name: Build ai-compliance-sdk
+        run: |
+          [ -d "ai-compliance-sdk" ] || exit 0
+          cd ai-compliance-sdk
+          go build ./...

+  # ── Python lint + import check (PR only, gated on python service changes) ─
  python-lint:
    runs-on: docker
-    if: github.event_name == 'pull_request'
+    needs: detect-changes
+    if: github.event_name == 'pull_request' && needs.detect-changes.outputs.any_python == 'true'
    container: python:3.12-slim
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
-      - name: Lint Python services
+      - name: Lint (ruff) + type-check (mypy)
        run: |
-          pip install --quiet ruff
-          for svc in backend-compliance document-crawler dsms-gateway; do
-            if [ -d "$svc" ]; then
-              echo "=== Linting $svc ==="
-              ruff check "$svc/" --output-format=github || true
-            fi
+          pip install --quiet ruff mypy
+          fail=0
+          for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
+            [ -d "$svc" ] || continue
+            echo "=== ruff: $svc ===" && ruff check "$svc/" --output-format=github || fail=1
          done
+          if [ -f "backend-compliance/mypy.ini" ]; then
+            cd backend-compliance && mypy compliance/ || fail=1
+          fi
+          exit $fail
+      - name: Import sanity check (catches NameError at collection time)
+        run: |
+          cd backend-compliance
+          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
+          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
+          python -c "import compliance; print('Import OK')" \
+            || { echo "::error::compliance package fails to import — missing import or syntax error."; exit 1; }

+  # ── Node.js lint + type-check (PR only, gated on Next.js service changes) ─
  nodejs-lint:
    runs-on: docker
-    if: github.event_name == 'pull_request'
+    needs: detect-changes
+    if: github.event_name == 'pull_request' && needs.detect-changes.outputs.any_node == 'true'
    container: node:20-alpine
    steps:
      - name: Checkout
        run: |
          apk add --no-cache git
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
-      - name: Lint Node.js services
+      - name: Lint + type-check
        run: |
+          fail=0
          for svc in admin-compliance developer-portal; do
-            if [ -d "$svc" ]; then
-              echo "=== Linting $svc ==="
-              cd "$svc"
-              npm ci --silent 2>/dev/null || npm install --silent
-              npx next lint || true
-              cd ..
-            fi
+            [ -d "$svc" ] || continue
+            echo "=== $svc: install ===" && (cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
+            echo "=== $svc: next lint ===" && (cd "$svc" && npx next lint) || fail=1
+            echo "=== $svc: tsc ===" && (cd "$svc" && npx tsc --noEmit) || fail=1
          done
+          exit $fail

-  # ========================================
-  # Unit Tests
-  # ========================================
+  # ── Node.js build — next build (gated on Next.js service changes) ───────
+  nodejs-build:
+    runs-on: docker
+    container: node:20-alpine
+    needs: detect-changes
+    if: needs.detect-changes.outputs.any_node == 'true'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Build Next.js services
+        run: |
+          fail=0
+          for svc in admin-compliance developer-portal; do
+            [ -d "$svc" ] || continue
+            echo "=== $svc: install ==="
+            (cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
+            echo "=== $svc: next build ==="
+            (cd "$svc" && \
+              NEXT_PUBLIC_API_URL=https://api-dev.breakpilot.ai \
+              NEXT_PUBLIC_SDK_URL=https://sdk-dev.breakpilot.ai \
+              npm run build) || fail=1
+          done
+          exit $fail

-  test-go-ai-compliance:
+  # ── Dependency audit (PR only) ───────────────────────────────────────────
+  dep-audit:
+    runs-on: docker
+    if: github.event_name == 'pull_request'
+    container: python:3.12-slim
+    steps:
+      - name: Checkout
+        run: |
+          apt-get update -qq && apt-get install -y -qq git curl > /dev/null 2>&1
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Install Node.js + Go
+        run: |
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
+          apt-get install -y nodejs golang-go > /dev/null 2>&1
+      - name: Python — pip-audit
+        run: |
+          pip install --quiet pip-audit
+          fail=0
+          for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
+            [ -f "$svc/requirements.txt" ] || continue
+            echo "=== pip-audit: $svc ==="
+            pip-audit -r "$svc/requirements.txt" --skip-editable -f columns || fail=1
+          done
+          exit $fail
+      - name: Node.js — npm audit
+        run: |
+          fail=0
+          for svc in admin-compliance developer-portal; do
+            [ -d "$svc" ] || continue
+            echo "=== npm audit: $svc ==="
+            (cd "$svc" && npm audit --audit-level=moderate --json 2>/dev/null | \
+              node -e "const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')); \
+                const hi=Object.values(d.vulnerabilities||{}).filter(v=>['high','critical'].includes(v.severity)).length; \
+                if(hi>0){console.error('HIGH/CRITICAL: '+hi);process.exit(1)}") || fail=1
+          done
+          exit $fail
+      - name: Go — govulncheck
+        run: |
+          [ -d "ai-compliance-sdk" ] || exit 0
+          go install golang.org/x/vuln/cmd/govulncheck@latest 2>/dev/null
+          cd ai-compliance-sdk && govulncheck ./... || true
+          # Non-blocking until Go module versions are pinned
+
+  # ── SBOM + vulnerability scan (PR only) ─────────────────────────────────
+  sbom-scan:
+    runs-on: docker
+    if: github.event_name == 'pull_request'
+    container: alpine:3.20
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git curl bash
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Install syft + grype
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh  | sh -s -- -b /usr/local/bin
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+      - name: Generate SBOM
+        run: mkdir -p sbom-out && syft dir:. -o cyclonedx-json=sbom-out/sbom.cdx.json -q
+      - name: Vulnerability scan (fail on high+)
+        run: grype sbom:sbom-out/sbom.cdx.json --fail-on high -q
+
+  # ── Tests (gated per service) ────────────────────────────────────────────
+  test-go:
    runs-on: docker
    container: golang:1.24-alpine
+    needs: detect-changes
+    if: needs.detect-changes.outputs.sdk == 'true'
    env:
      CGO_ENABLED: "0"
    steps:
@@ -94,18 +309,50 @@ jobs:
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test ai-compliance-sdk
        run: |
-          if [ ! -d "ai-compliance-sdk" ]; then
-            echo "WARNUNG: ai-compliance-sdk nicht gefunden"
-            exit 0
-          fi
+          [ -d "ai-compliance-sdk" ] || exit 0
          cd ai-compliance-sdk
-          go test -v -coverprofile=coverage.out ./... 2>&1
-          COVERAGE=$(go tool cover -func=coverage.out 2>/dev/null | tail -1 | awk '{print $3}' || echo "0%")
-          echo "Coverage: $COVERAGE"
+          go test -v -coverprofile=coverage.out ./...
+          go tool cover -func=coverage.out | tail -1

-  test-python-backend-compliance:
+  iace-gt-coverage:
    runs-on: docker
    container: python:3.12-slim
+    needs: detect-changes
+    if: needs.detect-changes.outputs.sdk == 'true'
+    env:
+      # Lower bound on Strong+Weak GT-Bremse coverage. Raise this number when
+      # coverage improves; never lower it without an explicit decision.
+      MIN_COVERAGE_PCT: "70"
+    steps:
+      - name: Checkout
+        run: |
+          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: GT-Bremse measure-coverage report
+        run: |
+          python3 scripts/gt_measure_gap_analysis.py --json /tmp/gt_gap_report.json > /tmp/gt_gap_report.md
+          echo "--- summary ---"
+          head -8 /tmp/gt_gap_report.md
+      - name: Enforce coverage threshold
+        run: |
+          python3 - <<'PY'
+          import json, os, sys
+          d = json.load(open('/tmp/gt_gap_report.json'))
+          total = d['total']
+          covered = d['ok_count'] + d['weak_count']
+          pct = covered * 100 / total if total else 0.0
+          threshold = float(os.environ['MIN_COVERAGE_PCT'])
+          print(f"GT coverage (strong+weak): {covered}/{total} = {pct:.1f}% (threshold {threshold}%)")
+          if pct < threshold:
+              print(f"::error::GT-Bremse coverage regression — {pct:.1f}% < {threshold}%")
+              sys.exit(1)
+          PY
+
+  test-python-backend:
+    runs-on: docker
+    container: python:3.12-slim
+    needs: detect-changes
+    if: needs.detect-changes.outputs.backend == 'true'
    env:
      CI: "true"
    steps:
@@ -115,19 +362,18 @@ jobs:
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test backend-compliance
        run: |
-          if [ ! -d "backend-compliance" ]; then
-            echo "WARNUNG: backend-compliance nicht gefunden"
-            exit 0
-          fi
+          [ -d "backend-compliance" ] || exit 0
          cd backend-compliance
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
-          pip install --quiet --no-cache-dir fastapi uvicorn pytest pytest-asyncio
+          pip install --quiet --no-cache-dir pytest pytest-asyncio
          python -m pytest compliance/tests/ -v --tb=short

  test-python-document-crawler:
    runs-on: docker
    container: python:3.12-slim
+    needs: detect-changes
+    if: needs.detect-changes.outputs.crawler == 'true'
    env:
      CI: "true"
    steps:
@@ -137,10 +383,7 @@ jobs:
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test document-crawler
        run: |
-          if [ ! -d "document-crawler" ]; then
-            echo "WARNUNG: document-crawler nicht gefunden"
-            exit 0
-          fi
+          [ -d "document-crawler" ] || exit 0
          cd document-crawler
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
@@ -150,6 +393,8 @@ jobs:
  test-python-dsms-gateway:
    runs-on: docker
    container: python:3.12-slim
+    needs: detect-changes
+    if: needs.detect-changes.outputs.dsms_gateway == 'true'
    env:
      CI: "true"
    steps:
@@ -159,20 +404,14 @@ jobs:
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test dsms-gateway
        run: |
-          if [ ! -d "dsms-gateway" ]; then
-            echo "WARNUNG: dsms-gateway nicht gefunden"
-            exit 0
-          fi
+          [ -d "dsms-gateway" ] || exit 0
          cd dsms-gateway
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
          pip install --quiet --no-cache-dir pytest pytest-asyncio
          python -m pytest test_main.py -v --tb=short

-  # ========================================
-  # Validate Canonical Controls
-  # ========================================
-
+  # ── OpenAPI contract validation (always) ─────────────────────────────────
  validate-canonical-controls:
    runs-on: docker
    container: python:3.12-slim
@@ -182,28 +421,4 @@ jobs:
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Validate controls
-        run: |
-          python scripts/validate-controls.py
-
-  # ========================================
-  # Deploy via Coolify (nur main, kein PR)
-  # ========================================
-
-  deploy-coolify:
-    name: Deploy
-    runs-on: docker
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    needs:
-      - test-go-ai-compliance
-      - test-python-backend-compliance
-      - test-python-document-crawler
-      - test-python-dsms-gateway
-      - validate-canonical-controls
-    container:
-      image: alpine:latest
-    steps:
-      - name: Trigger Coolify deploy
-        run: |
-          apk add --no-cache curl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+        run: python scripts/validate-controls.py
@@ -5,8 +5,8 @@
 #
 # Phasen: gesetze, eu, templates, datenschutz, verbraucherschutz, verify, version, all
 #
-# Voraussetzung: RAG-Service und Qdrant muessen auf Coolify laufen.
-# Die BreakPilot-Services muessen deployed sein (ci.yaml deploy-coolify).
+# Voraussetzung: RAG-Service und Qdrant muessen auf Orca laufen.
+# Die BreakPilot-Services muessen deployed sein (ci.yaml deploy-orca).

 name: RAG Ingestion

@@ -11,6 +11,10 @@ secrets/
 # Node
 node_modules/
 .next/
+dist/
+.turbo/
+pnpm-lock.yaml
+.pnpm-store/

 # Python
 __pycache__/
@@ -0,0 +1,176 @@
+# AGENTS.go.md — Go Service Conventions
+
+Applies to: `ai-compliance-sdk/`.
+
+## Layered architecture (Gin)
+
+Follows [Standard Go Project Layout](https://github.com/golang-standards/project-layout) + hexagonal/clean-arch.
+
+```
+ai-compliance-sdk/
+├── cmd/server/main.go         # Thin: parse flags → app.New → app.Run. <50 LOC.
+├── internal/
+│   ├── app/                   # Wiring: config + DI graph + lifecycle.
+│   ├── domain/                # Pure types, interfaces, errors. No I/O imports.
+│   │   └── <aggregate>/
+│   ├── service/               # Business logic. Depends on domain interfaces only.
+│   │   └── <aggregate>/
+│   ├── repository/postgres/   # Concrete repo implementations.
+│   │   └── <aggregate>/
+│   ├── transport/http/        # Gin handlers. Thin. One handler per file group.
+│   │   ├── handler/<aggregate>/
+│   │   ├── middleware/
+│   │   └── router.go
+│   └── platform/              # DB pool, logger, config, tracing.
+└── pkg/                       # Importable by other repos. Empty unless needed.
+```
+
+**Dependency direction:** `transport → service → domain ← repository`. `domain` imports nothing from siblings.
+
+## Handlers
+
+- One handler = one Gin function. ≤40 LOC.
+- Bind → call service → map domain error to HTTP via `httperr.Write(c, err)` → respond.
+- Return early on errors. No business logic, no SQL.
+
+```go
+func (h *IACEHandler) Create(c *gin.Context) {
+    var req CreateIACERequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        httperr.Write(c, httperr.BadRequest(err))
+        return
+    }
+    out, err := h.svc.Create(c.Request.Context(), req.ToInput())
+    if err != nil {
+        httperr.Write(c, err)
+        return
+    }
+    c.JSON(http.StatusCreated, out)
+}
+```
+
+## Services
+
+- Struct + constructor + interface methods. No package-level state.
+- Take `context.Context` as first arg always. Propagate to repos.
+- Return `(value, error)`. Wrap with `fmt.Errorf("create iace: %w", err)`.
+- Domain errors implemented as sentinel vars or typed errors; matched with `errors.Is` / `errors.As`.
+
+## Repositories
+
+- Interface lives in `domain/<aggregate>/repository.go`. Implementation in `repository/postgres/<aggregate>/`.
+- One file per query group; no file >500 LOC.
+- Use `pgx`/`sqlc` over hand-rolled string SQL when feasible. No ORM globals.
+- All queries take `ctx`. No background goroutines without explicit lifecycle.
+
+## Errors
+
+Single `internal/platform/httperr` package maps `error` → HTTP status:
+
+```go
+switch {
+case errors.Is(err, domain.ErrNotFound):    return 404
+case errors.Is(err, domain.ErrConflict):    return 409
+case errors.As(err, &validationErr):        return 422
+default:                                    return 500
+}
+```
+
+Never `panic` in request handling. `recover` middleware logs and returns 500.
+
+## Tests
+
+- Co-located `*_test.go`.
+- **Table-driven** tests for service logic; use `t.Run(tt.name, ...)`.
+- Handlers tested with `httptest.NewRecorder`.
+- Repos tested with `testcontainers-go` (or the existing compose Postgres) — never mocks at the SQL boundary.
+- Coverage target: 80% on `service/`. CI fails on regression.
+
+```go
+func TestIACEService_Create(t *testing.T) {
+    tests := []struct {
+        name    string
+        input   service.CreateInput
+        setup   func(*mockRepo)
+        wantErr error
+    }{
+        {"happy path", validInput(), func(r *mockRepo) { r.createReturns(nil) }, nil},
+        {"conflict",   validInput(), func(r *mockRepo) { r.createReturns(domain.ErrConflict) }, domain.ErrConflict},
+    }
+    for _, tt := range tests {
+        t.Run(tt.name, func(t *testing.T) { /* ... */ })
+    }
+}
+```
+
+## Tooling
+
+Run lint before pushing:
+
+```bash
+golangci-lint run --timeout 5m ./...
+```
+
+The `.golangci.yml` at the service root (`ai-compliance-sdk/.golangci.yml`) enables: `errcheck, govet, staticcheck, gosec, gocyclo (≤20), gocritic, revive, goimports, unused, ineffassign`. Fix lint violations in new code; legacy violations are tracked but not required to fix immediately.
+
+- `gofumpt` formatting.
+- `go vet ./...` clean.
+- `go mod tidy` clean — no unused deps.
+
+## File splitting pattern
+
+When a Go file exceeds the 500-line hard cap, split it in place — no new packages needed:
+
+- All split files stay in **the same package directory** with the **same `package <name>` declaration**.
+- No import changes are needed anywhere because Go packages are directory-scoped.
+- Naming: `store_projects.go`, `store_components.go` (noun + underscore + sub-resource).
+- For handlers: `iace_handler_projects.go`, `iace_handler_hazards.go`, etc.
+- Before splitting, add a characterization test that pins current behaviour.
+
+## Error handling
+
+Domain errors are defined in `internal/domain/<aggregate>/errors.go` as sentinel vars or typed errors. The mapping from domain error to HTTP status lives exclusively in `internal/platform/httperr/httperr.go` via `errors.Is` / `errors.As`. Handlers call `httperr.Write(c, err)` — **never** directly call `c.JSON` with a status code derived from business logic.
+
+## Context propagation
+
+- Always pass `ctx context.Context` as the **first parameter** in every service and repository method.
+- Never store a context in a struct field — pass it per call.
+- Cancellation must be respected: check `ctx.Err()` in loops; propagate to all I/O calls.
+
+## Concurrency
+
+- Goroutines must have a clear lifecycle owner (struct method that started them must stop them).
+- Pass `ctx` everywhere. Cancellation respected.
+- No global mutexes for request data. Use per-request context.
+
+## Before every push — MANDATORY
+
+Run all steps for `ai-compliance-sdk/` before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd ai-compliance-sdk
+
+# 1. Vet + lint
+go vet ./...
+golangci-lint run --timeout 5m ./...
+
+# 2. Tests
+go test ./...
+
+# 3. Build
+go build ./...
+```
+
+All steps must exit 0. Do not push if any step fails.
+
+## What you may NOT do
+
+- Touch DB schema/migrations.
+- Add a new top-level package directly under `internal/` without architectural review.
+- `import "C"`, unsafe, reflection-heavy code.
+- Use `init()` for non-trivial setup. Wire it in `internal/app`.
+- Use `interface{}` / `any` in new code without an explicit comment justifying it.
+- Call `log.Fatal` outside of `main.go`; panicking in request handling is also forbidden.
+- Shadow `err` with `:=` inside an `if`-block when the outer scope already declares `err` — use `=` or rename.
+- Create a file >500 lines.
+- Change a public route's contract without updating consumers.
@@ -0,0 +1,168 @@
+# AGENTS.python.md — Python Service Conventions
+
+Applies to: `backend-compliance/`, `document-crawler/`, `dsms-gateway/`, `compliance-tts-service/`.
+
+## Layered architecture (FastAPI)
+
+```
+compliance/
+├── api/                # HTTP layer — routers only. Thin (≤30 LOC per handler).
+│   └── <domain>_routes.py
+├── services/           # Business logic. Pure-ish; no FastAPI imports.
+│   └── <domain>_service.py
+├── repositories/       # DB access. Owns SQLAlchemy session usage.
+│   └── <domain>_repository.py
+├── domain/             # Value objects, enums, domain exceptions.
+├── schemas/            # Pydantic models, split per domain. NEVER one giant schemas.py.
+│   └── <domain>.py
+└── db/
+    └── models/         # SQLAlchemy ORM, one module per aggregate. __tablename__ frozen.
+```
+
+**Dependency direction:** `api → services → repositories → db.models`. Lower layers must not import upper layers.
+
+## Routers
+
+- One `APIRouter` per domain file.
+- Handlers do exactly: parse request → call service → map domain errors to HTTPException → return response model.
+- Inject services via `Depends`. No globals.
+- Tag routes; document with summary + response_model.
+
+```python
+@router.post("/dsr/requests", response_model=DSRRequestRead, status_code=201)
+async def create_dsr_request(
+    payload: DSRRequestCreate,
+    service: DSRService = Depends(get_dsr_service),
+    tenant_id: UUID = Depends(get_tenant_id),
+) -> DSRRequestRead:
+    try:
+        return await service.create(tenant_id, payload)
+    except DSRConflict as exc:
+        raise HTTPException(409, str(exc)) from exc
+```
+
+## Services
+
+- Constructor takes the repository (interface, not concrete).
+- No `Request`, `Response`, or HTTP knowledge.
+- Raise domain exceptions (e.g. `DSRConflict`, `DSRNotFound`), never `HTTPException`.
+- Return domain objects or Pydantic schemas — pick one and stay consistent inside a service.
+
+## Repositories
+
+- Methods are intent-named (`get_pending_for_tenant`), not CRUD-named (`select_where`).
+- Sessions injected, not constructed inside.
+- No business logic. No cross-aggregate joins for unrelated workflows — that belongs in a service.
+- Return ORM models or domain VOs; never `Row`.
+
+## Schemas (Pydantic v2)
+
+- One module per domain. Module ≤300 lines.
+- Use `model_config = ConfigDict(from_attributes=True, frozen=True)` for read models.
+- Separate `*Create`, `*Update`, `*Read`. No giant union schemas.
+
+## Tests (`pytest`)
+
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`.
+- Unit tests mock the repository. Use `pytest.fixture` + `unittest.mock.AsyncMock`.
+- Integration tests run against the real Postgres from `docker-compose.yml` via a transactional fixture (rollback after each test).
+- Contract tests diff `/openapi.json` against `tests/contracts/openapi.baseline.json`.
+- Naming: `test_<unit>_<scenario>_<expected>.py::TestClass::test_method`.
+- `pytest-asyncio` mode = `auto`. Mark slow tests with `@pytest.mark.slow`.
+- Coverage target: 80% for new code; never decrease the service baseline.
+
+## Tooling
+
+- `ruff check` + `ruff format` (line length 100).
+- `mypy --strict` on `services/`, `repositories/`, `domain/`. Expand outward.
+- `pip-audit` in CI.
+- Async-first: prefer `httpx.AsyncClient`, `asyncpg`/`SQLAlchemy 2.x async`.
+
+## mypy configuration
+
+`backend-compliance/mypy.ini` is the mypy config. Strict mode is on globally; per-module overrides exist only for legacy files that have not been cleaned up yet.
+
+- New modules added to `compliance/services/` or `compliance/repositories/` **must** pass `mypy --strict`.
+- To type-check a new module: `cd backend-compliance && mypy compliance/your_new_module.py`
+- When you fully type a legacy file, **remove its loose-override block** from `mypy.ini` as part of the same PR.
+
+## Dependency injection
+
+Services and repositories are wired via FastAPI `Depends`. Never instantiate a service or repository directly inside a handler.
+
+```python
+# dependencies.py
+def get_my_service(db: AsyncSession = Depends(get_db)) -> MyService:
+    return MyService(MyRepository(db))
+
+# router
+@router.get("/items", response_model=list[ItemRead])
+async def list_items(svc: MyService = Depends(get_my_service)) -> list[ItemRead]:
+    return await svc.list()
+```
+
+- Services take repositories in `__init__`; repositories take `Session` or `AsyncSession`.
+
+## Structured logging
+
+```python
+import structlog
+logger = structlog.get_logger()
+
+# Always bind context before logging:
+logger.bind(tenant_id=str(tid), action="create_dsfa").info("dsfa created")
+```
+
+- Audit-relevant actions must use the audit logger with a `legal_basis` field.
+- Never log secrets, PII, or full request bodies.
+
+## Barrel re-export pattern
+
+When an oversized file (e.g. `schemas.py`, `models.py`) is split into a sub-package, the original stays as a **thin re-exporter** so existing consumer imports keep working:
+
+```python
+# compliance/schemas.py  (barrel — DO NOT ADD NEW CODE HERE)
+from .schemas.ai import *        # noqa: F401, F403
+from .schemas.consent import *   # noqa: F401, F403
+```
+
+- New code imports from the specific module (e.g. `from compliance.schemas.ai import AIRiskRead`), not the barrel.
+- `from module import *` is only permitted in barrel files.
+
+## Errors & logging
+
+- Domain errors inherit from a single `DomainError` base per service.
+- Log via `structlog` with bound context (`tenant_id`, `request_id`). Never log secrets, PII, or full request bodies.
+- Audit-relevant actions go through the audit logger, not the application logger.
+
+## Before every push — MANDATORY
+
+Run all three steps for every Python service you touched before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd <service>   # backend-compliance | document-crawler | dsms-gateway | compliance-tts-service
+
+# 1. Lint
+ruff check .
+mypy compliance/   # only for backend-compliance
+
+# 2. Tests
+pytest -x
+
+# 3. Import sanity (catches NameError at collection time)
+python -c "import compliance"   # or the service's main module
+```
+
+All steps must exit 0. Do not push if any step fails.
+
+## What you may NOT do
+
+- Add a new Alembic migration.
+- Rename a `__tablename__`, column, or enum value.
+- Change a public route's path/method/status/schema without simultaneous dashboard fix.
+- Catch `Exception` broadly — catch the specific domain or library error.
+- Put business logic in a router or in a Pydantic validator.
+- `from module import *` in new code — only in barrel re-exporters.
+- `raise HTTPException` inside the service layer — raise domain exceptions; map them in the router.
+- Use `model_validate` on untrusted external data without an explicit schema boundary.
+- Create a new file >500 lines. Period.
@@ -0,0 +1,145 @@
+# AGENTS.typescript.md — TypeScript / Next.js Conventions
+
+Applies to: `admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`, `dsms-node/` (where applicable).
+
+## Layered architecture (Next.js 15 App Router)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component by default. ≤200 LOC.
+│   ├── layout.tsx
+│   ├── _components/          # Private folder; not routable. Colocated UI.
+│   │   └── <Component>.tsx   # Each file ≤300 LOC.
+│   ├── _hooks/               # Client hooks for this route.
+│   ├── _server/              # Server actions, data loaders for this route.
+│   └── loading.tsx / error.tsx
+├── api/
+│   └── <domain>/route.ts     # Thin handler. Delegates to lib/server/<domain>/.
+lib/
+├── <domain>/                 # Pure helpers, types, schemas (zod). Reusable.
+└── server/<domain>/          # Server-only logic; uses "server-only" import.
+components/                   # Truly shared, app-wide components.
+```
+
+**Server vs Client:** Default is Server Component. Add `"use client"` only when you need state, effects, or browser APIs. Push the boundary as deep as possible.
+
+## API routes (route.ts)
+
+- One handler per HTTP method, ≤40 LOC.
+- Validate input with zod `safeParse` — never `parse` (throws and bypasses error handling).
+- Delegate to `lib/server/<domain>/`. No business logic in `route.ts`.
+- Always return `NextResponse.json(..., { status })`. Let the framework's error boundary handle unexpected errors — don't wrap the entire handler in `try/catch`.
+
+```typescript
+// app/api/<domain>/route.ts  (≤40 LOC)
+import { NextRequest, NextResponse } from 'next/server';
+import { mySchema } from '@/lib/schemas/<domain>';
+import { myService } from '@/lib/server/<domain>';
+
+export async function POST(req: NextRequest) {
+  const body = mySchema.safeParse(await req.json());
+  if (!body.success) return NextResponse.json({ error: body.error }, { status: 400 });
+  const result = await myService.create(body.data);
+  return NextResponse.json(result, { status: 201 });
+}
+```
+
+## Page components
+
+- Pages >300 lines must be split into colocated `_components/`.
+- Server Components fetch data; pass plain objects to Client Components.
+- No data fetching in `useEffect` for server-renderable data.
+- State management: prefer URL state (`searchParams`) and Server Components over global stores.
+
+## Types
+
+- `lib/sdk/types.ts` is being split into `lib/sdk/types/<domain>.ts`. Mirror backend domain boundaries.
+- All API DTOs are zod schemas; infer types via `z.infer`.
+- No `any`. No `as unknown as`. If you reach for it, the type is wrong.
+- Always use `import type { Foo }` for type-only imports.
+- Never use `as` type assertions except when bridging external data at a boundary (add a comment explaining why).
+- No `@ts-ignore`. `@ts-expect-error` only with a comment explaining the suppression.
+
+## Barrel re-export pattern
+
+`lib/sdk/types.ts` is a barrel — it re-exports from domain-specific files. **Do not add new types directly to it.**
+
+```typescript
+// lib/sdk/types.ts  (barrel — DO NOT ADD NEW TYPES HERE)
+export * from './types/enums';
+export * from './types/company-profile';
+// ... etc.
+
+// New types go in lib/sdk/types/<domain>.ts
+```
+
+- When splitting an oversized file, keep the original as a thin barrel so existing imports don't break.
+- New code imports directly from the specific module (e.g. `import type { CompanyProfile } from '@/lib/sdk/types/company-profile'`), not the barrel.
+
+## Server vs Client components
+
+Default is Server Component. Add `"use client"` only when required:
+
+| Need | Pattern |
+|------|---------|
+| Data fetching only | Server Component (no directive) |
+| `useState` / `useEffect` | Client Component (`"use client"`) |
+| Browser API | Client Component |
+| Event handlers | Client Component |
+
+- Pass only serializable props from Server → Client Components (no functions, no class instances).
+- Never add `"use client"` to a layout or page just because one child needs it — extract the client part into a `_components/` file.
+
+## Tests
+
+- Unit: **Vitest** (`*.test.ts`/`*.test.tsx`), colocated.
+- Hooks: `@testing-library/react` `renderHook`.
+- E2E: **Playwright** (`tests/e2e/`), one spec per top-level page, smoke happy path minimum.
+- Snapshot tests sparingly — only for stable output (CSV, JSON-LD).
+- Coverage target: 70% on `lib/`, smoke coverage on `app/`.
+
+## Tooling
+
+- `tsc --noEmit` clean (strict mode, `noUncheckedIndexedAccess: true`).
+- ESLint with `@typescript-eslint`, `eslint-config-next`, type-aware rules on.
+- `prettier`.
+- `next build` clean. No `// @ts-ignore`. `// @ts-expect-error` only with a comment explaining why.
+
+## Before every push — MANDATORY
+
+Run all three steps for every affected service (`admin-compliance/`, `developer-portal/`) before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd admin-compliance   # or developer-portal
+
+# 1. Build — catches type errors and module resolution failures
+npm run build
+
+# 2. Lint
+npx tsc --noEmit
+npx eslint . --max-warnings 0
+
+# 3. Tests
+npm test
+```
+
+All three must exit 0. Do not push if any step fails.
+
+## Performance
+
+- Use `next/dynamic` for heavy client-only components.
+- Image: `next/image` with explicit width/height.
+- Avoid waterfalls — `Promise.all` for parallel data fetches in Server Components.
+
+## What you may NOT do
+
+- Put business logic in a `page.tsx` or `route.ts`.
+- Reach across module boundaries (e.g. `admin-compliance` importing from `developer-portal`).
+- Use `dangerouslySetInnerHTML` without DOMPurify sanitization.
+- Call internal backend APIs directly from Client Components — use Server Components or API routes as a proxy.
+- Add `"use client"` to a layout or page just because one child needs it — extract the client part.
+- Spread `...props` onto a DOM element without filtering the props first (type error risk).
+- Change a public API route's path/method/schema without updating SDK consumers in the same change.
+- Create a file >500 lines.
+- Disable a lint or type rule globally to silence a finding — fix the root cause.
@@ -0,0 +1,202 @@
+# Contributing to breakpilot-compliance
+
+---
+
+## 1. Getting Started
+
+```bash
+git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
+cd breakpilot-compliance
+```
+
+**Branch conventions** (branch from `main`):
+
+| Prefix | Use for |
+|--------|---------|
+| `feature/` | New functionality |
+| `fix/` | Bug fixes |
+| `chore/` | Tooling, deps, CI, docs |
+
+Example: `git checkout -b feature/ai-sdk-risk-scoring`
+
+---
+
+## 2. Dev Environment
+
+Each service runs independently. Start only what you need.
+
+**Go — ai-compliance-sdk**
+```bash
+cd ai-compliance-sdk
+go run ./cmd/server
+```
+
+**Python — backend-compliance**
+```bash
+cd backend-compliance
+pip install -r requirements.txt
+uvicorn main:app --reload
+```
+
+**Python — dsms-gateway / document-crawler / compliance-tts-service**
+```bash
+cd <service>
+pip install -r requirements.txt
+uvicorn main:app --reload --port <port>
+```
+
+**Node.js — admin-compliance**
+```bash
+cd admin-compliance
+npm install
+npm run dev        # http://localhost:3007
+```
+
+**Node.js — developer-portal**
+```bash
+cd developer-portal
+npm install
+npm run dev        # http://localhost:3006
+```
+
+**All services together (local Docker)**
+```bash
+docker compose up -d
+```
+
+Config lives in `.env` (not committed). Copy `.env.example` and fill in `COMPLIANCE_DATABASE_URL`, `QDRANT_URL`, `QDRANT_API_KEY`, and Vault tokens.
+
+---
+
+## 3. Before Your First Commit
+
+Run all of these locally. CI will run the same checks and fail if they don't pass.
+
+**LOC budget (mandatory)**
+```bash
+bash scripts/check-loc.sh          # must exit 0
+```
+
+**Go lint**
+```bash
+cd ai-compliance-sdk
+golangci-lint run --timeout 5m ./...
+```
+
+**Python lint**
+```bash
+cd backend-compliance
+ruff check .
+mypy compliance/                   # only if mypy.ini exists
+```
+
+**TypeScript type-check**
+```bash
+cd admin-compliance
+npx tsc --noEmit
+```
+
+**Tests**
+```bash
+# Go
+cd ai-compliance-sdk && go test ./...
+
+# Python backend
+cd backend-compliance && pytest
+
+# DSMS gateway
+cd dsms-gateway && pytest test_main.py
+```
+
+If any step fails, fix it before committing. The git pre-commit hook re-runs `check-loc.sh` automatically.
+
+---
+
+## 4. Commit Message Rules
+
+Use [Conventional Commits](https://www.conventionalcommits.org/) style:
+
+```
+<type>(<scope>): <short summary>
+
+[optional body]
+[optional footer]
+```
+
+Types: `feat`, `fix`, `chore`, `refactor`, `test`, `docs`, `ci`.
+
+### `[guardrail-change]` marker — REQUIRED
+
+Add `[guardrail-change]` anywhere in the commit message body (or footer) when your changeset touches **any** of these files:
+
+| File / path | Reason protected |
+|-------------|-----------------|
+| `.claude/settings.json` | PreToolUse/PostToolUse hooks |
+| `scripts/check-loc.sh` | LOC enforcement script |
+| `scripts/githooks/pre-commit` | Git hook |
+| `.claude/rules/loc-exceptions.txt` | Exception registry |
+| `AGENTS.*.md` (any) | Per-language architecture rules |
+
+The `guardrail-integrity` CI job checks for this marker and **fails the build** if it is missing.
+
+**Valid guardrail commit example:**
+```
+chore(guardrail): add exception for generated protobuf file
+
+proto/generated/compliance.pb.go exceeds 500 LOC because it is
+machine-generated and cannot be split. Added to loc-exceptions.txt
+with rationale.
+
+[guardrail-change]
+```
+
+---
+
+## 5. Architecture Rules (Non-Negotiable)
+
+### File budget
+- **500 LOC hard cap** on every non-test, non-generated source file.
+- The `PreToolUse` hook in `.claude/settings.json` blocks Claude Code from creating or editing files that would breach this limit.
+- Exceptions require a written rationale in `.claude/rules/loc-exceptions.txt` plus `[guardrail-change]` in the commit.
+
+### Clean architecture per service
+- Python (FastAPI): `api → services → repositories → db.models`. Handlers ≤ 30 LOC. See `AGENTS.python.md`.
+- Go (Gin): Standard Go Project Layout + hexagonal. `cmd/` is thin wiring. See `AGENTS.go.md`.
+- TypeScript (Next.js 15): server-first, push client boundary deep, colocate `_components/` + `_hooks/` per route. See `AGENTS.typescript.md`.
+
+### Database is frozen
+- No new Alembic migrations, no `ALTER TABLE`, no `__tablename__` or column renames.
+- The pre-commit hook blocks any change under `migrations/` or `alembic/versions/` unless the commit message contains `[migration-approved]`.
+
+### Public endpoints are a contract
+- Any change to a route path, HTTP method, status code, request schema, or response schema in `backend-compliance/`, `ai-compliance-sdk/`, `dsms-gateway/`, `document-crawler/`, or `compliance-tts-service/` **must** be accompanied by a matching update in every consumer (`admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`) in the **same changeset**.
+- OpenAPI baseline snapshots live in `tests/contracts/`. Contract tests fail on any drift.
+
+---
+
+## 6. Pull Requests
+
+- **Target branch: `main`** — squash merge your feature branch into `main`.
+- Keep PRs focused; one logical change per PR.
+
+**PR checklist before requesting review:**
+
+- [ ] `bash scripts/check-loc.sh` exits 0
+- [ ] All lint checks pass (go, python, tsc)
+- [ ] All tests pass locally
+- [ ] No endpoint drift without consumer updates in the same PR
+- [ ] `[guardrail-change]` present in commit message if guardrail files were touched
+- [ ] Docs updated if new endpoints, config vars, or architecture changed
+
+---
+
+## 7. Claude Code Users
+
+This section is for AI-assisted development sessions using Claude Code.
+
+- **Always work on a feature branch** (`feat/*`, `feature/*`, `hotfix/*`), never directly on `main`.
+- The `.claude/settings.json` `PreToolUse` hooks will automatically block Write/Edit operations on files that would exceed 500 lines. This is intentional — split the file instead.
+- If the `guardrail-integrity` CI job fails, check that your commit message body includes `[guardrail-change]`. Add it and amend or create a fixup commit.
+- **Never use `git add -A` or `git add .`** — always stage specific files by path to avoid accidentally committing `.env`, `node_modules/`, `.next/`, or compiled binaries.
+- After every session: `bash scripts/check-loc.sh` must exit 0 before pushing.
+- Read `CLAUDE.md` and the relevant `AGENTS.<lang>.md` before starting work on a service.
@@ -0,0 +1,128 @@
+# breakpilot-compliance
+
+**DSGVO/AI-Act compliance platform — 10 services, Go · Python · TypeScript**
+
+[![CI](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions/workflows/ci.yaml/badge.svg)](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions)
+![Go](https://img.shields.io/badge/Go-1.24-00ADD8?logo=go&logoColor=white)
+![Python](https://img.shields.io/badge/Python-3.12-3776AB?logo=python&logoColor=white)
+![Node.js](https://img.shields.io/badge/Node.js-20-339933?logo=node.js&logoColor=white)
+![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178C6?logo=typescript&logoColor=white)
+![FastAPI](https://img.shields.io/badge/FastAPI-0.123-009688?logo=fastapi&logoColor=white)
+![DSGVO](https://img.shields.io/badge/DSGVO-compliant-green)
+![AI Act](https://img.shields.io/badge/EU%20AI%20Act-compliant-green)
+![LOC guard](https://img.shields.io/badge/LOC%20guard-500%20hard%20cap-orange)
+![Services](https://img.shields.io/badge/services-10-blueviolet)
+
+---
+
+## Overview
+
+breakpilot-compliance is a multi-tenant DSGVO/EU AI Act compliance platform that provides an SDK for consent management, data subject requests (DSR), audit logging, iACE impact assessments, and document archival. It ships as 10 containerised services covering an admin dashboard, a developer portal, a Python/FastAPI backend, a Go AI compliance engine, TTS, and a decentralised document store on IPFS. Every service is deployed automatically via Gitea Actions → Orca on every push to `main`.
+
+---
+
+## Architecture
+
+| Service | Tech | Port | Container |
+|---------|------|------|-----------|
+| admin-compliance | Next.js 15 | 3007 | bp-compliance-admin |
+| backend-compliance | Python / FastAPI 0.123 | 8002 | bp-compliance-backend |
+| ai-compliance-sdk | Go 1.24 / Gin | 8093 | bp-compliance-ai-sdk |
+| developer-portal | Next.js 15 | 3006 | bp-compliance-developer-portal |
+| breakpilot-compliance-sdk | TypeScript SDK (React/Vue/Angular/vanilla) | — | — |
+| consent-sdk | JS/TS Consent SDK | — | — |
+| compliance-tts-service | Python / Piper TTS | 8095 | bp-compliance-tts |
+| document-crawler | Python / FastAPI | 8098 | bp-compliance-document-crawler |
+| dsms-gateway | Python / FastAPI / IPFS | 8082 | bp-compliance-dsms-gateway |
+| dsms-node | IPFS Kubo v0.24.0 | — | bp-compliance-dsms-node |
+
+All containers share the external `breakpilot-network` Docker network and depend on `breakpilot-core` (Valkey, Vault, RAG service, Nginx reverse proxy).
+
+---
+
+## Quick Start
+
+**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+
+
+```bash
+git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
+cd breakpilot-compliance
+
+# Copy and populate secrets (never commit .env)
+cp .env.example .env
+
+# Start all services
+docker compose up -d
+```
+
+For the Orca/Hetzner production target (x86_64), use the override:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
+```
+
+---
+
+## Development Workflow
+
+Use feature branches off `main`. Supported prefixes: `feat/`, `feature/`, `hotfix/`.
+
+```bash
+git checkout main && git pull origin main
+git checkout -b feat/my-change
+# ... make changes ...
+git push origin feat/my-change
+# Open a PR → squash merge to main
+```
+
+Push to `main` triggers:
+1. **Gitea Actions** — lint → test → validate (see CI Pipeline below)
+2. **Orca** — automatic build + deploy (~3 min total)
+
+Monitor status: <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions>
+
+---
+
+## CI Pipeline
+
+Defined in `.gitea/workflows/ci.yaml`.
+
+| Job | What it checks |
+|-----|----------------|
+| `loc-budget` | All source files ≤ 500 LOC; soft target 300 |
+| `guardrail-integrity` | Commits touching guardrail files carry `[guardrail-change]` |
+| `go-lint` | `golangci-lint` on `ai-compliance-sdk/` |
+| `python-lint` | `ruff` + `mypy` on Python services |
+| `nodejs-lint` | `tsc --noEmit` + ESLint on Next.js services |
+| `test-go-ai-compliance` | `go test ./...` in `ai-compliance-sdk/` |
+| `test-python-backend-compliance` | `pytest` in `backend-compliance/` |
+| `test-python-document-crawler` | `pytest` in `document-crawler/` |
+| `test-python-dsms-gateway` | `pytest test_main.py` in `dsms-gateway/` |
+| `sbom-scan` | License + vulnerability scan via `syft` + `grype` |
+| `validate-canonical-controls` | OpenAPI contract baseline diff |
+
+---
+
+## File Budget
+
+| Limit | Value | How to check |
+|-------|-------|--------------|
+| Soft target | 300 LOC | `bash scripts/check-loc.sh` |
+| Hard cap | 500 LOC | Same; also enforced by `PreToolUse` hook + git pre-commit + CI |
+| Exceptions | `.claude/rules/loc-exceptions.txt` | Require written rationale + `[guardrail-change]` commit marker |
+
+The `.claude/settings.json` `PreToolUse` hook blocks Claude Code from writing or editing files that would exceed the hard cap. The git pre-commit hook re-checks. CI is the final gate.
+
+---
+
+## Links
+
+| | URL |
+|-|-----|
+| Admin dashboard | <https://admin-dev.breakpilot.ai> |
+| Developer portal | <https://developers-dev.breakpilot.ai> |
+| Backend API | <https://api-dev.breakpilot.ai> |
+| AI SDK API | <https://sdk-dev.breakpilot.ai> |
+| Gitea repo | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance> |
+| Gitea Actions | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions> |
+
@@ -0,0 +1,915 @@
+
+---
+
+## 1.9 `AGENTS.python.md` — Python / FastAPI conventions
+
+```markdown
+# AGENTS.python.md — Python Service Conventions
+
+## Layered architecture (FastAPI)
+
+
+## 1. Guardrail files (drop these in first)
+
+These artifacts enforce the rules without you or Claude having to remember them. Install them as **Phase 0**, before touching any real code.
+
+### 1.1 `.claude/CLAUDE.md` — loaded into every Claude session
+
+```markdown
+# <Your Project Name>
+
+> **NON-NEGOTIABLE STRUCTURE RULES** (enforced by `.claude/settings.json` hook, git pre-commit, and CI):
+> 1. **File-size budget:** soft target **300** lines, **hard cap 500** lines for any non-test, non-generated source file. Anything larger → split it. Exceptions are listed in `.claude/rules/loc-exceptions.txt` and require a written rationale.
+> 2. **Clean architecture per service.** Routers/handlers stay thin (≤30 lines per handler) and delegate to services; services use repositories; repositories own DB I/O. See `AGENTS.python.md` / `AGENTS.go.md` / `AGENTS.typescript.md`.
+> 3. **Do not touch the database schema.** No new migrations, no `ALTER TABLE`, no model field renames without an explicit migration plan reviewed by the DB owner.
+> 4. **Public endpoints are a contract.** Any change to a path/method/status/schema in a backend must be accompanied by a matching update in **every** consumer. OpenAPI snapshot tests in `tests/contracts/` are the gate.
+> 5. **Tests are not optional.** New code without tests fails CI. Refactors must preserve coverage and add a characterization test before splitting an oversized file.
+> 6. **Do not bypass the guardrails.** Do not edit `.claude/settings.json`, `scripts/check-loc.sh`, or the loc-exceptions list to silence violations. If a rule is wrong, raise it in a PR description.
+>
+> These rules apply to every Claude Code session opened inside this repository, regardless of who launched it. They are loaded automatically via this CLAUDE.md.
+```
+
+Keep project-specific notes (dev environment, URLs, tech stack) under this header.
+
+### 1.2 `.claude/settings.json` — PreToolUse LOC hook
+
+First line of defense. Blocks Write/Edit operations that would create or push a file past 500 lines. This stops Claude from ever producing oversized files.
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] && exit 0; lines=$(printf '%s' \"$(jq -r '.tool_input.content // empty')\" | awk 'END{print NR}'); if [ \"${lines:-0}\" -gt 500 ]; then echo '{\"decision\":\"block\",\"reason\":\"guardrail: file exceeds the 500-line hard cap. Split it into smaller modules per the layering rules in AGENTS.<lang>.md.\"}'; exit 0; fi",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] || [ ! -f \"$f\" ] && exit 0; case \"$f\" in *.md|*.json|*.yaml|*.yml|*test*|*tests/*|*node_modules/*|*.next/*|*migrations/*) exit 0 ;; esac; new_str=$(jq -r '.tool_input.new_string // empty'); old_str=$(jq -r '.tool_input.old_string // empty'); old_lines=$(printf '%s' \"$old_str\" | awk 'END{print NR}'); new_lines=$(printf '%s' \"$new_str\" | awk 'END{print NR}'); cur=$(wc -l < \"$f\" | tr -d ' '); proj=$((cur - old_lines + new_lines)); if [ \"$proj\" -gt 500 ]; then echo \"{\\\"decision\\\":\\\"block\\\",\\\"reason\\\":\\\"guardrail: this edit would push $f to ~$proj lines (hard cap is 500). Split the file before continuing.\\\"}\"; fi; exit 0",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+### 1.3 `.claude/rules/architecture.md` — auto-loaded architecture rule
+
+```markdown
+# Architecture Rules (auto-loaded)
+
+Non-negotiable. Applied to every Claude Code session in this repo.
+
+## File-size budget
+- **Soft target:** 300 lines. **Hard cap:** 500 lines.
+- Enforced by PreToolUse hook, pre-commit hook, and CI.
+- Exceptions live in `.claude/rules/loc-exceptions.txt` and require `[guardrail-change]` in the commit message. This list should SHRINK over time.
+
+## Clean architecture
+- Python: see `AGENTS.python.md`. Layering: api → services → repositories → db.models.
+- Go: see `AGENTS.go.md`. Standard Go Project Layout + hexagonal.
+- TypeScript: see `AGENTS.typescript.md`. Server-by-default, push client boundary deep, colocate `_components/` and `_hooks/` per route.
+
+## Database is frozen
+- No new migrations. No `ALTER TABLE`. No column renames.
+- Pre-commit hook blocks any change under `migrations/` unless commit message contains `[migration-approved]`.
+
+## Public endpoints are a contract
+- Any change to path/method/status/schema must update every consumer in the same change set.
+- OpenAPI baseline at `tests/contracts/openapi.baseline.json`. Contract tests fail on drift.
+
+## Tests
+- New code without tests fails CI.
+- Refactors preserve coverage. Before splitting an oversized file, add a characterization test pinning current behavior.
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`, `tests/e2e/`.
+
+## Guardrails are protected
+- Edits to `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, or any `AGENTS.*.md` require `[guardrail-change]` in the commit message.
+- If Claude thinks a rule is wrong, surface it to the user. Do not silently weaken.
+
+## Tooling baseline
+- Python: `ruff`, `mypy --strict` on new modules, `pytest --cov`.
+- Go: `golangci-lint` strict, `go vet`, table-driven tests.
+- TS: `tsc --noEmit` strict, ESLint type-aware, Vitest, Playwright.
+- All: dependency caching in CI, license/SBOM scan via `syft`+`grype`.
+```
+
+### 1.4 `.claude/rules/loc-exceptions.txt`
+
+```
+# loc-exceptions.txt — files allowed to exceed the 500-line hard cap.
+#
+# Format: one repo-relative path per line. Comments start with '#'.
+# Each exception MUST be preceded by a comment explaining why splitting is not viable.
+# Goal: this list SHRINKS over time.
+
+# --- Example entries ---
+# Static data catalogs — splitting fragments lookup tables without improving readability.
+# src/catalogs/country-data.ts
+# src/catalogs/industry-taxonomy.ts
+
+# Generated files — regenerated from schemas.
+# api/generated/types.ts
+```
+
+
+### 1.5 `scripts/check-loc.sh`
+
+```bash
+#!/usr/bin/env bash
+# check-loc.sh — File-size budget enforcer. Soft: 300. Hard: 500.
+#
+# Usage:
+#   scripts/check-loc.sh                    # scan whole repo
+#   scripts/check-loc.sh --changed          # only files changed vs origin/main
+#   scripts/check-loc.sh path/to/file.py    # check specific files
+#   scripts/check-loc.sh --json             # machine-readable output
+# Exit codes: 0 clean, 1 hard violation, 2 bad invocation.
+
+set -euo pipefail
+SOFT=300
+HARD=500
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+EXCEPTIONS_FILE="$REPO_ROOT/.claude/rules/loc-exceptions.txt"
+
+CHANGED_ONLY=0; JSON=0; TARGETS=()
+for arg in "$@"; do
+  case "$arg" in
+    --changed) CHANGED_ONLY=1 ;;
+    --json) JSON=1 ;;
+    -h|--help) sed -n '2,10p' "$0"; exit 0 ;;
+    -*) echo "unknown flag: $arg" >&2; exit 2 ;;
+    *) TARGETS+=("$arg") ;;
+  esac
+done
+
+is_excluded() {
+  local f="$1"
+  case "$f" in
+    */node_modules/*|*/.next/*|*/.git/*|*/dist/*|*/build/*|*/__pycache__/*|*/vendor/*) return 0 ;;
+    */migrations/*|*/alembic/versions/*) return 0 ;;
+    *_test.go|*.test.ts|*.test.tsx|*.spec.ts|*.spec.tsx) return 0 ;;
+    */tests/*|*/test/*) return 0 ;;
+    *.md|*.json|*.yaml|*.yml|*.lock|*.sum|*.mod|*.toml|*.cfg|*.ini) return 0 ;;
+    *.svg|*.png|*.jpg|*.jpeg|*.gif|*.ico|*.pdf|*.woff|*.woff2|*.ttf) return 0 ;;
+    *.generated.*|*.gen.*|*_pb.go|*_pb2.py|*.pb.go) return 0 ;;
+  esac
+  return 1
+}
+is_in_exceptions() {
+  [[ -f "$EXCEPTIONS_FILE" ]] || return 1
+  local rel="${1#$REPO_ROOT/}"
+  grep -Fxq "$rel" "$EXCEPTIONS_FILE"
+}
+collect_targets() {
+  if (( ${#TARGETS[@]} > 0 )); then printf '%s\n' "${TARGETS[@]}"
+  elif (( CHANGED_ONLY )); then
+    git -C "$REPO_ROOT" diff --name-only --diff-filter=AM origin/main...HEAD 2>/dev/null \
+      || git -C "$REPO_ROOT" diff --name-only --diff-filter=AM HEAD
+  else git -C "$REPO_ROOT" ls-files; fi
+}
+
+violations_hard=(); violations_soft=()
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  abs="$f"; [[ "$abs" != /* ]] && abs="$REPO_ROOT/$f"
+  [[ -f "$abs" ]] || continue
+  is_excluded "$abs" && continue
+  is_in_exceptions "$abs" && continue
+  loc=$(wc -l < "$abs" | tr -d ' ')
+  if (( loc > HARD )); then violations_hard+=("$loc	$f")
+  elif (( loc > SOFT )); then violations_soft+=("$loc	$f"); fi
+done < <(collect_targets)
+
+if (( JSON )); then
+  printf '{"hard":['
+  first=1; for v in "${violations_hard[@]}"; do
+    loc="${v%%	*}"; path="${v#*	}"
+    (( first )) || printf ','; first=0
+    printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
+  done
+  printf '],"soft":['
+  first=1; for v in "${violations_soft[@]}"; do
+    loc="${v%%	*}"; path="${v#*	}"
+    (( first )) || printf ','; first=0
+    printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
+  done
+  printf ']}\n'
+else
+  if (( ${#violations_soft[@]} > 0 )); then
+    echo "::warning:: $((${#violations_soft[@]})) file(s) exceed soft target ($SOFT lines):"
+    printf '  %s\n' "${violations_soft[@]}" | sort -rn
+  fi
+  if (( ${#violations_hard[@]} > 0 )); then
+    echo "::error:: $((${#violations_hard[@]})) file(s) exceed HARD CAP ($HARD lines) — split required:"
+    printf '  %s\n' "${violations_hard[@]}" | sort -rn
+  fi
+fi
+(( ${#violations_hard[@]} == 0 ))
+```
+
+Make executable: `chmod +x scripts/check-loc.sh`.
+
+### 1.6 `scripts/githooks/pre-commit`
+
+```bash
+#!/usr/bin/env bash
+# pre-commit — enforces structural guardrails.
+#
+# 1. Blocks commits that introduce a non-test, non-generated source file > 500 LOC.
+# 2. Blocks commits touching migrations/ unless commit message contains [migration-approved].
+# 3. Blocks edits to guardrail files unless [guardrail-change] is in the commit message.
+
+set -euo pipefail
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+
+mapfile -t staged < <(git diff --cached --name-only --diff-filter=ACM)
+[[ ${#staged[@]} -eq 0 ]] && exit 0
+
+# 1. LOC budget on staged files.
+loc_targets=()
+for f in "${staged[@]}"; do
+  [[ -f "$REPO_ROOT/$f" ]] && loc_targets+=("$REPO_ROOT/$f")
+done
+if [[ ${#loc_targets[@]} -gt 0 ]]; then
+  if ! "$REPO_ROOT/scripts/check-loc.sh" "${loc_targets[@]}"; then
+    echo; echo "Commit blocked: file-size budget violated."
+    echo "Split the file (preferred) or add to .claude/rules/loc-exceptions.txt."
+    exit 1
+  fi
+fi
+
+# 2. Migrations frozen unless approved.
+if printf '%s\n' "${staged[@]}" | grep -qE '(^|/)(migrations|alembic/versions)/'; then
+  if ! grep -q '\[migration-approved\]' "$(git rev-parse --git-dir)/COMMIT_EDITMSG" 2>/dev/null; then
+    echo "Commit blocked: this change touches a migrations directory."
+    echo "Add '[migration-approved]' to your commit message if approved."
+    exit 1
+  fi
+fi
+
+# 3. Guardrail files protected.
+guarded='^(\.claude/settings\.json|\.claude/rules/loc-exceptions\.txt|scripts/check-loc\.sh|scripts/githooks/pre-commit|AGENTS\.(python|go|typescript)\.md)$'
+if printf '%s\n' "${staged[@]}" | grep -qE "$guarded"; then
+  if ! grep -q '\[guardrail-change\]' "$(git rev-parse --git-dir)/COMMIT_EDITMSG" 2>/dev/null; then
+    echo "Commit blocked: this change modifies guardrail files."
+    echo "Add '[guardrail-change]' to your commit message and explain why in the body."
+    exit 1
+  fi
+fi
+exit 0
+```
+
+### 1.7 `scripts/install-hooks.sh`
+
+```bash
+#!/usr/bin/env bash
+# install-hooks.sh — installs git hooks that enforce repo guardrails locally.
+# Idempotent. Safe to re-run. Run once per clone: bash scripts/install-hooks.sh
+set -euo pipefail
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+HOOKS_DIR="$REPO_ROOT/.git/hooks"
+SRC_DIR="$REPO_ROOT/scripts/githooks"
+
+[[ -d "$REPO_ROOT/.git" ]] || { echo "Not a git repository: $REPO_ROOT" >&2; exit 1; }
+mkdir -p "$HOOKS_DIR"
+for hook in pre-commit; do
+  src="$SRC_DIR/$hook"; dst="$HOOKS_DIR/$hook"
+  if [[ -f "$src" ]]; then cp "$src" "$dst"; chmod +x "$dst"; echo "installed: $dst"; fi
+done
+echo "Done. Hooks active for this clone."
+```
+
+### 1.8 CI additions (`.github/workflows/ci.yaml` or `.gitea/workflows/ci.yaml`)
+
+Add a `loc-budget` job that fails on hard violations:
+
+```yaml
+jobs:
+  loc-budget:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check file-size budget
+        run: bash scripts/check-loc.sh --changed
+
+  python-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: ruff
+        run: pip install ruff && ruff check .
+      - name: mypy on new modules
+        run: pip install mypy && mypy --strict services/ repositories/ domain/
+
+  go-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v4
+        with: { version: latest }
+
+  ts-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci && npx tsc --noEmit && npx next build
+
+  contract-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: pytest tests/contracts/ -v
+
+  license-sbom-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: anchore/sbom-action@v0
+      - uses: anchore/scan-action@v3
+```
+
+---
+
+
+### 1.9 `AGENTS.python.md` (Python / FastAPI)
+
+````markdown
+# AGENTS.python.md — Python Service Conventions
+
+## Layered architecture
+
+```
+<service>/
+├── api/                # HTTP layer — routers only. Thin (≤30 LOC per handler).
+│   └── <domain>_routes.py
+├── services/           # Business logic. Pure-ish; no FastAPI imports.
+├── repositories/       # DB access. Owns SQLAlchemy session usage.
+├── domain/             # Value objects, enums, domain exceptions.
+├── schemas/            # Pydantic models, split per domain. Never one giant schemas.py.
+└── db/models/          # SQLAlchemy ORM, one module per aggregate. __tablename__ frozen.
+```
+
+Dependency direction: `api → services → repositories → db.models`. Lower layers must not import upper.
+
+## Routers
+- One `APIRouter` per domain file. Handlers ≤30 LOC.
+- Parse request → call service → map domain errors → return response model.
+- Inject services via `Depends`. No globals.
+
+```python
+@router.post("/items", response_model=ItemRead, status_code=201)
+async def create_item(
+    payload: ItemCreate,
+    service: ItemService = Depends(get_item_service),
+    tenant_id: UUID = Depends(get_tenant_id),
+) -> ItemRead:
+    with translate_domain_errors():
+        return await service.create(tenant_id, payload)
+```
+
+## Domain errors + translator
+
+```python
+# domain/errors.py
+class DomainError(Exception): ...
+class NotFoundError(DomainError): ...
+class ConflictError(DomainError): ...
+class ValidationError(DomainError): ...
+class PermissionError(DomainError): ...
+
+# api/_http_errors.py
+from contextlib import contextmanager
+from fastapi import HTTPException
+
+@contextmanager
+def translate_domain_errors():
+    try: yield
+    except NotFoundError as e:   raise HTTPException(404, str(e)) from e
+    except ConflictError as e:   raise HTTPException(409, str(e)) from e
+    except ValidationError as e: raise HTTPException(400, str(e)) from e
+    except PermissionError as e: raise HTTPException(403, str(e)) from e
+```
+
+## Services
+- Constructor takes repository interface, not concrete.
+- No FastAPI / HTTP knowledge.
+- Raise domain exceptions, never HTTPException.
+
+## Repositories
+- Intent-named methods (`get_pending_for_tenant`), not CRUD-named (`select_where`).
+- Session injected. No business logic.
+- Return ORM models or domain VOs; never `Row`.
+
+## Schemas (Pydantic v2)
+- One module per domain. ≤300 lines.
+- `model_config = ConfigDict(from_attributes=True, frozen=True)` for reads.
+- Separate `*Create`, `*Update`, `*Read`.
+
+## Tests
+- `tests/unit/`, `tests/integration/`, `tests/contracts/`.
+- Unit tests mock repository via `AsyncMock`.
+- Integration tests use real Postgres from compose via transactional fixture (rollback per test).
+- Contract tests diff `/openapi.json` against `tests/contracts/openapi.baseline.json`.
+- Naming: `test_<unit>_<scenario>_<expected>.py::TestX::test_method`.
+- `pytest-asyncio` mode = `auto`. Coverage target: 80% new code.
+
+## Tooling
+- `ruff check` + `ruff format` (line length 100).
+- `mypy --strict` on `services/`, `repositories/`, `domain/` first. Expand outward via per-module overrides in mypy.ini:
+
+```ini
+[mypy]
+strict = True
+
+[mypy-<service>.services.*]
+strict = True
+
+[mypy-<service>.legacy.*]
+# Legacy modules not yet refactored — expand strictness over time.
+ignore_errors = True
+```
+
+## What you may NOT do
+- Add a new migration.
+- Rename `__tablename__`, column, or enum value.
+- Change route contract without simultaneous consumer update.
+- Catch `Exception` broadly.
+- Put business logic in a router or a Pydantic validator.
+- Create a file > 500 lines.
+````
+
+### 1.10 `AGENTS.go.md` (Go / Gin or chi)
+
+````markdown
+# AGENTS.go.md — Go Service Conventions
+
+## Layered architecture (Standard Go Project Layout + hexagonal)
+
+```
+<service>/
+├── cmd/server/main.go        # Thin: parse flags → app.New → app.Run. < 50 LOC.
+├── internal/
+│   ├── app/                  # Wiring: config + DI + lifecycle.
+│   ├── domain/<aggregate>/   # Pure types, interfaces, errors. No I/O.
+│   ├── service/<aggregate>/  # Business logic. Depends on domain interfaces.
+│   ├── repository/postgres/<aggregate>/   # Concrete repos.
+│   ├── transport/http/
+│   │   ├── handler/<aggregate>/
+│   │   ├── middleware/
+│   │   └── router.go
+│   └── platform/             # DB pool, logger, config, tracing.
+└── pkg/                      # Importable by other repos. Empty unless needed.
+```
+
+Direction: `transport → service → domain ← repository`. `domain` imports no siblings.
+
+## Handlers
+- ≤40 LOC. Bind → call service → map error via `httperr.Write(c, err)` → respond.
+
+```go
+func (h *ItemHandler) Create(c *gin.Context) {
+    var req CreateItemRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        httperr.Write(c, httperr.BadRequest(err)); return
+    }
+    out, err := h.svc.Create(c.Request.Context(), req.ToInput())
+    if err != nil { httperr.Write(c, err); return }
+    c.JSON(http.StatusCreated, out)
+}
+```
+
+## Errors — single `httperr` package
+```go
+switch {
+case errors.Is(err, domain.ErrNotFound): return 404
+case errors.Is(err, domain.ErrConflict): return 409
+case errors.As(err, &validationErr):     return 422
+default:                                  return 500
+}
+```
+Never `panic` in request handling. Recovery middleware logs and returns 500.
+
+## Services
+- Struct + constructor + interface methods. No package-level state.
+- `context.Context` first arg always.
+- Return `(value, error)`. Wrap with `fmt.Errorf("create item: %w", err)`.
+- Domain errors as sentinel vars or typed; match with `errors.Is` / `errors.As`.
+
+## Repositories
+- Interface in `domain/<aggregate>/repository.go`. Impl in `repository/postgres/<aggregate>/`.
+- One file per query group; no file > 500 LOC.
+- `pgx`/`sqlc` over hand-rolled SQL. No ORM globals. Everything takes `ctx`.
+
+## Tests
+- Co-located `*_test.go`. Table-driven for service logic.
+- Handlers via `httptest.NewRecorder`.
+- Repos via `testcontainers-go` (or the compose Postgres). Never mocks at SQL boundary.
+- Coverage target: 80% on `service/`.
+
+## Tooling (`golangci-lint` strict config)
+- Linters: `errcheck, govet, staticcheck, revive, gosec, gocyclo(max 15), gocognit(max 20), unused, ineffassign, errorlint, nilerr, nolintlint, contextcheck`.
+- `gofumpt` formatting. `go vet ./...` clean. `go mod tidy` clean.
+
+## What you may NOT do
+- Touch DB schema/migrations.
+- Add a new top-level package under `internal/` without review.
+- `import "C"`, unsafe, reflection-heavy code.
+- Non-trivial setup in `init()`. Wire in `internal/app`.
+- File > 500 lines.
+- Change route contract without updating consumers.
+````
+
+### 1.11 `AGENTS.typescript.md` (TypeScript / Next.js)
+
+````markdown
+# AGENTS.typescript.md — TypeScript / Next.js Conventions
+
+## Layered architecture (Next.js 15 App Router)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component by default. ≤200 LOC.
+│   ├── layout.tsx
+│   ├── _components/          # Private folder; colocated UI. Each file ≤300 LOC.
+│   ├── _hooks/               # Client hooks for this route.
+│   ├── _server/              # Server actions, data loaders for this route.
+│   └── loading.tsx / error.tsx
+├── api/<domain>/route.ts     # Thin handler. Delegates to lib/server/<domain>/.
+lib/
+├── <domain>/                 # Pure helpers, types, zod schemas. Reusable.
+└── server/<domain>/          # Server-only logic; uses "server-only".
+components/                   # Truly shared, app-wide components.
+```
+
+Server vs Client: default is Server Component. Add `"use client"` only when state/effects/browser APIs needed. Push client boundary as deep as possible.
+
+## API routes (route.ts)
+- One handler per HTTP method, ≤40 LOC.
+- Validate with `zod`. Reject invalid → 400.
+- Delegate to `lib/server/<domain>/`.
+
+```ts
+export async function POST(req: Request) {
+  const parsed = CreateItemSchema.safeParse(await req.json());
+  if (!parsed.success)
+    return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });
+  const result = await itemService.create(parsed.data);
+  return NextResponse.json(result, { status: 201 });
+}
+```
+
+## Page components
+- Pages > 300 lines → split into colocated `_components/`.
+- Server Components fetch data; pass plain objects to Client Components.
+- No data fetching in `useEffect` for server-renderable data.
+- State: prefer URL state (`searchParams`) + Server Components over global stores.
+
+## Types — barrel re-export pattern for splitting monolithic type files
+
+```ts
+// lib/sdk/types/index.ts
+export * from './enums'
+export * from './vendor'
+export * from './dsfa'
+// consumers still `import { Foo } from '@/lib/sdk/types'`
+```
+
+Rules: no `any`. No `as unknown as`. All DTOs are zod schemas; infer via `z.infer`.
+
+## Tests
+- Unit: **Vitest** (`*.test.ts`/`*.test.tsx`), colocated.
+- Hooks: `@testing-library/react` `renderHook`.
+- E2E: **Playwright** (`tests/e2e/`), one spec per top-level page minimum.
+- Coverage: 70% on `lib/`, smoke on `app/`.
+
+## Tooling
+- `tsc --noEmit` clean (strict, `noUncheckedIndexedAccess: true`).
+- ESLint with `@typescript-eslint`, type-aware rules on.
+- `next build` clean. No `@ts-ignore`. `@ts-expect-error` only with a reason comment.
+
+## What you may NOT do
+- Business logic in `page.tsx` or `route.ts`.
+- Cross-app module imports.
+- `dangerouslySetInnerHTML` without explicit sanitization.
+- Backend API calls from Client Components when a Server Component/Action would do.
+- Change route contract without updating consumers in the same change.
+- File > 500 lines.
+- Globally disable lint/type rules — fix the root cause.
+````
+
+---
+
+
+## 2. Phase plan — behavior-preserving refactor
+
+Work in phases. Each phase ends green (tests pass, build clean, contract baseline unchanged). Do **not** skip ahead.
+
+### Phase 0 — Foundation (single PR, low risk)
+
+**Goal:** Set up rails. No code refactors yet.
+
+1. Drop in all files from Section 1. Install hooks: `bash scripts/install-hooks.sh`.
+2. Populate `.claude/rules/loc-exceptions.txt` with grandfathered entries (one line each, with a comment rationale) so CI doesn't fail day 1.
+3. Append the non-negotiable rules block to root `CLAUDE.md`.
+4. Add per-language `AGENTS.*.md` at repo root.
+5. Add the CI jobs from §1.8.
+6. Per-service `README.md` + `CLAUDE.md` stubs: what it does, run/test commands, layered architecture diagram, env vars, API surface link.
+
+**Verification:** CI green; loc-budget job passes with allowlist; next Claude session loads the rules automatically.
+
+### Phase 1 — Backend service (Python/FastAPI)
+
+**Critical targets:** any `routes.py` / `schemas.py` / `repository.py` / `models.py` over 500 LOC.
+
+**Steps:**
+
+1. **Snapshot the API contract:** `curl /openapi.json > tests/contracts/openapi.baseline.json`. Add a contract test that diffs current vs baseline and fails on any path/method/param drift.
+2. **Characterization tests first.** For each oversized route file, add `TestClient` tests exercising every endpoint (happy path + one error path). Use `httpx.AsyncClient` + factory fixtures.
+3. **Split models.py per aggregate.** Keep a shim: `from <service>.db.models import *` re-exports so existing imports keep working. One module per aggregate; `__tablename__` unchanged (no migration).
+4. **Split schemas.py** similarly with a re-export shim.
+5. **Extract service layer.** Each route handler delegates to a `*Service` class injected via `Depends`. Handlers shrink to ≤30 LOC.
+6. **Repository extraction** from the giant repository file; one class per aggregate.
+7. **`mypy --strict` scoped to new packages first.** Expand outward via `mypy.ini` per-module overrides.
+8. **Tests:** unit tests per service (mocked repo), repo tests against a transactional fixture (real Postgres), integration tests at API layer.
+
+**Gotchas we hit:**
+- Tests that patch module-level symbols (e.g. `SessionLocal`, `scan_X`) break when you move logic behind `Depends`. Fix: re-export the symbol from the route module, or have the service lookup use the module-level symbol directly so the patch still takes effect.
+- `from __future__ import annotations` can break Pydantic TypeAdapter forward refs. Remove it where it conflicts.
+- Sibling test file status codes drift when you introduce the domain-error translator (e.g. 422 → 400). Update assertions in the same commit.
+
+**Verification:** all pytest files green. Characterization tests green. Contract test green (no drift). `mypy` clean on new packages. Coverage ≥ baseline + 10%.
+
+### Phase 2 — Go backend
+
+**Critical targets:** any handler / store / rules file over 500 LOC.
+
+**Steps:**
+1. OpenAPI/Swagger snapshot (or generate via `swag`) → contract tests.
+2. Generate handler-level tests with `httptest` for every endpoint pre-refactor.
+3. Define hexagonal layout (see AGENTS.go.md). Move incrementally with type aliases for back-compat where needed.
+4. Replace ad-hoc error handling with `errors.Is/As` + a single `httperr` package.
+5. Add `golangci-lint` strict config; fix new findings only (don't chase legacy lint).
+6. Table-driven service tests. `testcontainers-go` for repo layer.
+
+**Verification:** `go test ./...` passes; `golangci-lint run` clean; contract tests green; no DB schema diff.
+
+### Phase 3 — Frontend (Next.js)
+
+**Biggest beast — expect this to dominate.** Critical targets: `page.tsx` / monolithic types / API routes over 500 LOC.
+
+**Per oversized page:**
+1. Extract presentational components into `app/<route>/_components/` (private folder, Next.js convention).
+2. Move data fetching into Server Components / Server Actions; Client Components become small.
+3. Hooks → `app/<route>/_hooks/`.
+4. Pure helpers → `lib/<domain>/`.
+5. Add Vitest unit tests for hooks and pure helpers; Playwright smoke tests for each top-level page.
+
+**Monolithic types file:** use barrel re-export pattern.
+- Create `types/` directory with domain files.
+- Create `types/index.ts` with `export * from './<domain>'` lines.
+- **Critical:** TypeScript won't allow both `types.ts` AND `types/index.ts` — delete the file, atomic swap to directory.
+
+**API routes (`route.ts`):** same router→service split as backend. Each `route.ts` becomes a thin handler delegating to `lib/server/<domain>/`.
+
+**Endpoint preservation:** if any internal route URL changes, grep every consumer (SDK packages, developer portal, sibling apps) and update in the same change.
+
+**Gotchas:**
+- Pre-existing type bugs often surface when you try to build. Fix them as drive-by if they block your refactor; otherwise document in a separate follow-up.
+- `useClient` component imports from `'../provider'` that rely on re-exports: preserve the re-export or update importers in the same commit.
+- Next.js build can fail at page-manifest stage with unrelated prerender errors. Run `next build` fresh (not from cache) to see real status.
+
+**Verification:** `next build` clean; `tsc --noEmit` clean; Playwright smoke tests pass; visual diff check on key pages (manual + screenshots in PR).
+
+### Phase 4 — SDKs & smaller services
+
+Apply the same patterns at smaller scale:
+- **SDK packages (0 tests):** add Vitest unit tests for public surface before/while splitting.
+- **Manager/Client classes:** extract config defaults, side-effect helpers (e.g. Google Consent Mode wiring), framework adapters into sibling files. Keep the main class as orchestration.
+- **Framework adapters (React/Vue/Angular):** each component/composable/service/module goes in its own sibling file; the entry `index.ts` is a thin barrel of re-exports.
+- **Doc monoliths (`index.md` thousands of lines):** split per topic with mkdocs nav.
+
+### Phase 5 — CI hardening & governance
+
+1. Promote `loc-budget` from warning → blocking once the allowlist has drained to legitimate exceptions only.
+2. Add mutation testing in nightly (`mutmut` for Python, `gomutesting` for Go).
+3. Add `dependabot`/`renovate` for npm + pip + go mod.
+4. Add release tagging workflow.
+5. Write ADRs (`docs/adr/`) capturing the architecture decisions from phases 1–3.
+6. Distill recurring patterns into `.claude/rules/` updates.
+
+---
+
+## 3. Agent prompt templates
+
+When the work volume is big, parallelize with subagents. These prompts were battle-tested in practice.
+
+### 3.1 Backend route file split (Python)
+
+> You are working in `<repo>` on branch `<branch>`. Every source file must be under 500 LOC (hard cap enforced by a PreToolUse hook); soft target 300.
+>
+> **Task:** split `<path/to/file>_routes.py` (NNN LOC) following the router → service → repository layering described in `AGENTS.python.md`.
+>
+> **Steps:**
+> 1. Snapshot the relevant slice of `/openapi.json` and add a contract test that pins current behavior.
+> 2. Add characterization tests for every endpoint in this file (happy path + one error path) using `httpx.AsyncClient`.
+> 3. Extract each route handler's business logic into a `<domain>Service` class in `<service>/services/<domain>_service.py`. Inject via `Depends(get_<domain>_service)`.
+> 4. Raise domain errors (`NotFoundError`, `ConflictError`, `ValidationError`), never `HTTPException`. Use the `translate_domain_errors()` context manager in handlers.
+> 5. Move DB access to `<service>/repositories/<domain>_repository.py`. Session injected.
+> 6. Split Pydantic schemas from the giant `schemas.py` into `<service>/schemas/<domain>.py` if >300 lines.
+>
+> **Constraints:**
+> - Behavior preservation. No route rename/method/status/schema changes.
+> - Tests that patch module-level symbols must keep working — re-export the symbol or refactor the lookup so the patch still takes effect.
+> - Run `pytest` after each step. Commit each file as its own commit.
+> - Push at end: `git push origin <branch>`.
+>
+> When done, report: (a) new LOC counts, (b) test results, (c) mypy status, (d) commit SHAs. Under 300 words.
+
+### 3.2 Go handler file split
+
+> You are working in `<repo>` on branch `<branch>`. Hard cap 500 LOC.
+>
+> **Task:** split `<path>/handlers/<domain>_handler.go` (NNN LOC) into a hexagonal layout per `AGENTS.go.md`.
+>
+> **Steps:**
+> 1. Add `httptest` tests for every endpoint pre-refactor.
+> 2. Define `internal/domain/<aggregate>/` with types + interfaces + sentinel errors.
+> 3. Create `internal/service/<aggregate>/` with business logic implementing domain interfaces.
+> 4. Create `internal/repository/postgres/<aggregate>/` splitting queries by group.
+> 5. Thin handlers under `internal/transport/http/handler/<aggregate>/`. Each handler ≤40 LOC. Error mapping via `internal/platform/httperr`.
+> 6. Use `errors.Is` / `errors.As` for domain error matching.
+>
+> **Constraints:**
+> - No DB schema change.
+> - Table-driven service tests. `testcontainers-go` (or compose Postgres) for repo tests.
+> - `golangci-lint run` clean.
+>
+> Report new LOC, test status, lint status, commit SHAs. Under 300 words.
+
+### 3.3 Next.js page split (the one we parallelized heavily)
+
+> You are working in `<repo>` on branch `<branch>`. Every source file must be under 500 LOC (hard cap enforced by a PreToolUse hook); soft target 300. Other agents are working on OTHER pages in parallel — stay in your lane.
+>
+> **Task:** split the following Next.js 15 App Router client pages into colocated components so each `page.tsx` drops below 500 LOC.
+>
+> 1. `admin-compliance/app/sdk/<page-a>/page.tsx` (NNNN LOC)
+> 2. `admin-compliance/app/sdk/<page-b>/page.tsx` (NNNN LOC)
+>
+> **Pattern** (reference `admin-compliance/app/sdk/<already-split-example>/` for "done"):
+> - Create `_components/` subdirectory (Next.js private folder, won't create routes).
+> - Extract each logically-grouped section (forms, tables, modals, tabs, headers, cards) into its own component file. Name files after the component.
+> - Create `_hooks/` for custom hooks that were inline.
+> - Create `_types.ts` or `_data.ts` for hoisted types or data arrays.
+> - Remaining `page.tsx` wires extracted pieces — aim for under 300 LOC, hard cap 500.
+> - Preserve `'use client'` when present on original.
+> - DO NOT rename any exports that other files import. Grep first before moving.
+>
+> **Constraints:**
+> - Behavior preservation. No logic changes, no improvements.
+> - Imports must resolve (relative `./_components/Foo`).
+> - Run `cd admin-compliance && npx next build` after each file is done. Don't commit broken builds.
+> - DO NOT edit `.claude/settings.json`, `scripts/check-loc.sh`, `loc-exceptions.txt`, or any `AGENTS.*.md`.
+> - Commit each page as its own commit: `refactor(admin): split <name> page.tsx into colocated components`. HEREDOC body, include `Co-Authored-By:` trailer.
+> - Pull before push: `git pull --rebase origin <branch>`, then `git push origin <branch>`.
+>
+> **Coordination:** DO NOT touch `<list of pages other agents own>`. You own only `<your pages>`.
+>
+> When done, report: (a) each file's new LOC count, (b) how many `_components` were created, (c) whether `next build` is clean, (d) commit SHAs. Under 300 words.
+>
+> If the LOC hook blocks a Write, split further. If you hit rate limits partway, commit what's done and report progress honestly.
+
+### 3.4 Monolithic types file split (TypeScript)
+
+> `<repo>`, branch `<branch>`. Hard cap 500 LOC.
+>
+> **Task:** split `<lib>/types.ts` (NNNN LOC) into per-domain modules under `<lib>/types/`.
+>
+> **Steps:**
+> 1. Identify domain groupings (enums, API DTOs, one group per business aggregate).
+> 2. Create `<lib>/types/` directory with `<domain>.ts` files.
+> 3. Create `<lib>/types/index.ts` barrel: `export * from './<domain>'` per file.
+> 4. **Atomic swap:** delete the old `types.ts` in the same commit as the new `types/` directory. TypeScript won't resolve both a file and a directory with the same stem.
+> 5. Grep every consumer — imports from `'<lib>/types'` should still work via the barrel. No consumer file changes needed unless there's a name collision.
+> 6. Resolve collisions by renaming the less-canonical export (e.g. if two modules both export `LegalDocument`, rename the RAG one to `RagLegalDocument`).
+>
+> **Verification:** `tsc --noEmit` clean, `next build` clean.
+>
+> Report new LOC per file, collisions resolved, consumer updates, commit SHAs.
+
+### 3.5 Agent orchestration rules (from hard-won experience)
+
+When you spawn multiple agents in parallel:
+
+1. **Own disjoint paths.** Give each agent a bounded list of files under specific directories. Spell out the "do NOT touch" list explicitly.
+2. **Always instruct `git pull --rebase origin <branch>` before push.** Agents running in parallel will push and cause non-fast-forward rejects without this.
+3. **Instruct `commit each file as its own commit`** — not a single mega-commit. Makes revert surgical.
+4. **Ask for concise reports (≤300 words):** new LOC counts, component counts, build status, commit SHAs.
+5. **Tell them to commit partial progress on rate-limit.** If they don't, their partial work lives in the working tree and you have to chase it with `git status` after. (We hit this — 4 agents silently left uncommitted work.)
+6. **Don't give an agent more than 2 big files at once.** Each page-split in practice took ~10–20 minutes + ~150k tokens. Two is a comfortable batch.
+7. **Reference a prior "done" example.** Commit SHAs are gold — the agent can inspect exactly the style you want.
+8. **Run one final `next build` / `pytest` / `go test` yourself after all agents finish.** Agent reports of "build clean" can be scoped (e.g. only their files); you want the whole-repo gate.
+
+---
+
+## 4. Workflow loop (per file)
+
+```
+1. Read the oversized file end to end. Identify 3–6 extraction sections.
+2. Write characterization test (if backend) — pin behavior.
+3. Create the sibling files one at a time.
+   - If the PreToolUse hook blocks (file still > 500), split further.
+4. Edit the root file: replace extracted bodies with imports + delegations.
+5. Run the full verification: pytest / next build / go test.
+6. Run LOC check: scripts/check-loc.sh <changed files>
+7. Commit with a scoped message and a 1–2 line body explaining why.
+8. Push.
+```
+
+## 5. Commit message conventions
+
+```
+refactor(<area>): <one-line what, not how>
+
+<optional 1-3 sentence body: what split changed + verification result>
+<LOC table: before → after per file>
+<non-behavior changes flagged as drive-by fixes, with reason>
+
+Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
+```
+
+Markers that unlock pre-commit guards:
+- `[migration-approved]` — allows changes under `migrations/` / `alembic/versions/`.
+- `[guardrail-change]` — allows changes to `.claude/settings.json`, `.claude/rules/loc-exceptions.txt`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, or any `AGENTS.*.md`.
+
+Good examples from our session:
+- `refactor(consent-sdk): split ConsentManager + framework adapters under 500 LOC`
+- `refactor(compliance-sdk): split client/provider/embed/state under 500 LOC`
+- `refactor(admin): split whistleblower page.tsx + restore scope helpers`
+- `chore: document data-catalog + legacy-service LOC exceptions` (with `[guardrail-change]` body)
+
+## 6. Verification commands cheatsheet
+
+```bash
+# LOC budget
+scripts/check-loc.sh --changed               # only changed files
+scripts/check-loc.sh                         # whole repo
+scripts/check-loc.sh --json                  # for CI parsing
+
+# Python
+pytest --cov=<package> --cov-report=term-missing
+ruff check .
+mypy --strict <package>/services <package>/repositories
+
+# Go
+go test ./... -cover
+golangci-lint run
+go vet ./...
+
+# TypeScript
+npx tsc --noEmit
+npx next build                               # from the Next.js app dir
+npm test -- --run                            # vitest one-shot
+npx playwright test tests/e2e                # e2e smoke
+
+# Contracts
+pytest tests/contracts/                       # OpenAPI snapshot diff
+```
+
+## 7. Out of scope (don't drift)
+
+- DB schema / migrations — unless separate green-lit plan.
+- New features. This is a refactor.
+- Public endpoint renames without simultaneous consumer fix-up (exception: intra-monorepo URLs when you do the grep sweep).
+- Unrelated dead code cleanup — do it in a separate PR.
+- Bundling refactors across services in one commit — one service = one commit.
+
+## 8. Memory / session handoff
+
+If using Claude Code with persistent memory, save a `project_refactor_status.md` in your memory store after each phase:
+- What's done (files split, LOC before → after).
+- What's in progress (current file, blocker if any).
+- What's deferred (pre-existing bugs surfaced but left for follow-up).
+- Key patterns established (so next session doesn't rediscover them).
+
+This lets you resume after context compacts or after rate-limit windows without losing the thread.
+
+---
+
+That's the whole methodology. Install Section 1, follow Section 2 phase-by-phase, use Section 3 to parallelize the grind. The guardrails do the policing so you don't have to remember anything.
+
@@ -55,5 +55,9 @@ EXPOSE 3000
 # Set hostname
 ENV HOSTNAME="0.0.0.0"

+# P83 — Build-SHA fuer check-rebuild-needed.sh
+ARG BUILD_SHA="unknown"
+ENV BUILD_SHA=${BUILD_SHA}
+
 # Start the application
 CMD ["node", "server.js"]
@@ -0,0 +1,53 @@
+# admin-compliance
+
+Next.js 15 dashboard for BreakPilot Compliance — SDK module UI, company profile, DSR, DSFA, VVT, TOM, consent, AI Act, training, audit, change requests, etc. Also hosts 96+ API routes that proxy/orchestrate backend services.
+
+**Port:** `3007` (container: `bp-compliance-admin`)
+**Stack:** Next.js 15 App Router, React 18, TailwindCSS, TypeScript strict.
+
+## Architecture (Phase 3 — in progress)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component (≤200 LOC)
+│   ├── _components/          # Colocated UI, each ≤300 LOC
+│   ├── _hooks/               # Client hooks
+│   └── _server/              # Server actions
+├── api/<domain>/route.ts     # Thin handlers → lib/server/<domain>/
+lib/
+├── <domain>/                 # Pure helpers, zod schemas
+└── server/<domain>/          # "server-only" logic
+components/                   # App-wide shared UI
+```
+
+See `../AGENTS.typescript.md`.
+
+## Run locally
+
+```bash
+cd admin-compliance
+npm install
+npm run dev          # http://localhost:3007
+```
+
+## Tests
+
+```bash
+npm test                      # Vitest unit + component tests
+npx playwright test           # E2E
+npx tsc --noEmit              # Type-check
+npx next lint
+```
+
+## Known debt
+
+- `lib/sdk/types.ts` has been split: it is now a barrel re-export to `lib/sdk/types/` (12 domain files: enums, company-profile, sdk-steps, and others).
+- `lib/sdk/tom-generator/controls/loader.ts` has been split: it is now a barrel re-export to `categories/` (8 category files).
+- Phase 3 refactoring is ongoing — several large page files remain and are being addressed incrementally.
+- **0 test files** for the page layer. Adding Playwright smoke + Vitest unit coverage is ongoing Phase 3 work.
+
+## Don't touch
+
+- Backend API paths without updating `backend-compliance/` in the same change.
+- `lib/sdk/types/` barrel re-exports — add new types to the appropriate domain file, not back into the root.
@@ -40,6 +40,11 @@ offiziellen Quellen und gibst praxisnahe Hinweise.
 - NIST SP 800-218 (SSDF) — Secure Software Development Framework
 - NIST Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover
 - OECD AI Principles — Verantwortungsvolle KI, Transparenz, Accountability
+- OSHA 29 CFR 1910 Subpart O — US-Maschinensicherheit (Machine Guarding, als Referenz/Vergleich)
+- Harmonisierte Normen (EN/ISO) — Normnummern, Titel, Status (aktiv/zurueckgezogen), NICHT Normtexte
+- BAuA Technische Regeln — TRBS (Betriebssicherheit), TRGS (Gefahrstoffe), ASR (Arbeitsstaetten)
+- EuGH-Urteile — Schrems II, Planet49, SCHUFA Scoring, Google Fonts, Normen-Copyright (C-588/21 P)
+- EU 2018/1725 — Datenschutz EU-Organe
 - EU-IFRS (Verordnung 2023/1803) — EU-uebernommene International Financial Reporting Standards
 - EFRAG Endorsement Status — Uebersicht welche IFRS-Standards EU-endorsed sind

@@ -51,6 +56,44 @@ Bei ALLEN Fragen zu IFRS/IAS-Standards MUSST du folgende Punkte beachten:
 4. Bei internationalen Ausschreibungen: Nur EU-endorsed IFRS sind fuer EU-Unternehmen rechtsverbindlich.
 5. Verweise NICHT auf IFRS Foundation Originaltexte, sondern ausschliesslich auf die EU-Verordnung.

+## FAQ — Cookie-Banner-Bussgelder + Risiken (haeufige Mandantenfragen)
+
+Bei Fragen nach Bussgeldern, Risiko-Hoehe oder konkreten Faellen gib **konkrete Praezedenzen** an:
+
+### Top-Bussgelder (CNIL Frankreich — strengste EU-Aufsicht):
+- **Google France 2020 (CNIL)** — 100 Mio EUR — Cookies ohne Einwilligung (CNIL Beschluss vom 07.12.2020)
+- **Meta/Facebook France 2022 (CNIL)** — 60 Mio EUR — Cookies ohne Einwilligung
+- **Amazon France 2020 (CNIL)** — 35 Mio EUR — Cookies ohne Einwilligung
+- **Carrefour France 2020 (CNIL)** — 2,25 Mio EUR — Cookies + sonstige Verstoesse
+
+### Deutsche Praezedenzen + Sammelklagen-Risiken:
+- **LG Muenchen I 2022** — 100 EUR pro Besucher Schadensersatz fuer Google Fonts ohne Consent (Az. 3 O 17493/20). Spaeter durch BGH "Rechtsmissbrauchs"-Argument bei Massenabmahnungen eingeschraenkt.
+- **EuGH Planet49 (C-673/17)** — vorausgewaehlte Cookie-Checkboxen sind unwirksame Einwilligung (praejudiziell fuer alle EU-Sites)
+- **BGH Cookie-Einwilligung II (I ZR 7/16)** — bestaetigt Planet49 fuer Deutschland
+- **DSK Beschluss 2023** — Cookie-Banner mit "Akzeptieren" deutlich prominenter als "Ablehnen" = Dark Pattern = unwirksame Einwilligung
+
+### Deutscher Aufsichtsmarkt:
+Deutsche Aufsicht (BfDI + 16 Landes-DSB) ist moderater als CNIL — bislang keine 100 Mio-EUR-Bussgelder. ABER: DSK-Beschluesse + LfDI-Verfahren haeufen sich. Federfuehrung bei Konzernen via "One-Stop-Shop" nach Hauptsitz.
+
+### Vier Risiko-Pfade fuer Mandanten:
+1. **Art. 83 DSGVO Bussgeld** — bis 4% des weltweiten Konzernumsatzes. Realistisch 0,1-1% bei Erstverstoss.
+2. **Verbraucherschutz-Abmahnung** (vzbv, Wettbewerbszentrale, Verbraucherverbaende) — 50-500k EUR Streitwert + Unterlassung.
+3. **Sammelklage Art. 82 DSGVO** — Schadensersatz pro Person, BGH 50-100 EUR pro Fall. Sammelklage-Trusts: myRight, RightNow, helpcheck.de.
+4. **NOYB-Beschwerde** (Max Schrems) — oeffentliches Aufsichtsverfahren, Reputationsschaden + Bussgeld.
+
+### Geschaeftsfuehrer-Haftung (haeufig unterschaetzt):
+GF haftet **persoenlich** nach §43 GmbHG bzw. §93 AktG wenn Compliance-Pflichten verletzt wurden. Das ist der eigentliche Druckpunkt — nicht die Firma, sondern der GF persoenlich. Bei Mandantengespraechen mit GF-Beteiligung: dieser Punkt zuerst ansprechen.
+
+### Wie berechne ich das konkrete Risiko fuer einen Mandanten:
+Frage den Mandanten nach: (a) Jahresumsatz, (b) ungefaehre Besucherzahl pro Jahr, (c) Anzahl Trackingtools im Banner. Dann:
+- Max-Bussgeld = 4% × Jahresumsatz (Obergrenze, nicht realistisch)
+- Realistisch-Bussgeld = 0,1-1% × Jahresumsatz (CNIL/LfDI-Maßstab)
+- Sammelklage-Theorie = Besucherzahl × 50 EUR (BGH-Untergrenze) — meist nicht durchsetzbar, aber Drohpotential
+- NICHT konkrete Zahlen einer fremden Firma zitieren ("BMW haette X EUR" etc.) — Mandant koennte das falsch weitergeben
+
+### Marktwissen (intern, nicht 1:1 zitieren):
+Externe DSB-Stundensaetze: 350-450 EUR/h (NOERR, GSK, vergleichbare Kanzleien). Mittelstands-DSB-Mandate: 5-15k EUR/Jahr. Cookie-Audit manuell: typisch 10 Std = 4-5k EUR Kosten. BreakPilot reduziert das auf 30 Min.
+
 ## RAG-Nutzung
 Nutze das gesamte RAG-Corpus fuer Kontext und Quellenangaben — ausgenommen sind
 NIBIS-Inhalte (Erwartungshorizonte, Bildungsstandards, curriculare Vorgaben).
@@ -98,7 +141,147 @@ Du darfst NIEMALS verraten, welche Dokumente, Sammlungen oder Quellen in deiner
  verwendet hast — niemals eine vollstaendige Liste aller verfuegbaren Quellen.
 - Verrate NIEMALS Collection-Namen (bp_compliance_*, bp_dsfa_*, etc.) oder interne Systemnamen.

+## Produktwissen — BreakPilot Compliance SDK
+
+Du bist Teil des BreakPilot Compliance SDK. Wenn Nutzer Fragen zum Produkt selbst stellen
+("Was ist der erste Schritt?", "Wie fange ich an?", "Was kann dieses Tool?"), antworte
+mit Produktwissen — nicht mit Rechtsberatung.
+
+### Einstieg (fuer neue Nutzer)
+
+Der Einstieg besteht aus 3 Schritten:
+
+1. **Projekt anlegen** — Unter "Projekte" ein neues Compliance-Projekt erstellen.
+   Ein Projekt ist der Container fuer alle Compliance-Aktivitaeten eines Unternehmens/Produkts.
+
+2. **Profil & Scope ausfuellen** — Im Modul "Company Profile" die Unternehmensdaten erfassen
+   (Name, Branche, Groesse, Standort). Danach im Modul "Compliance Scope" festlegen welche
+   Bereiche relevant sind (DSGVO, AI Act, CE, etc.) und die Risikostufe bestimmen.
+
+3. **Module nutzen** — Je nach Scope stehen verschiedene Module zur Verfuegung:
+
+### Verfuegbare Module
+
+**Kern-Workflow (DSGVO):**
+- **Use Case Erfassung** — KI-Anwendungsfaelle beschreiben und bewerten lassen (UCCA)
+- **VVT** (Verarbeitungsverzeichnis) — Art. 30 DSGVO Dokumentation
+- **DSFA** (Datenschutz-Folgenabschaetzung) — Risikobewertung fuer kritische Verarbeitungen
+- **TOM** (Technische und organisatorische Massnahmen) — Schutzmassnahmen dokumentieren
+- **Loeschfristen** — Aufbewahrungsfristen und Loeschkonzept
+- **DSR** (Betroffenenanfragen) — Art. 15-21 Prozesse verwalten
+- **Einwilligungen** — Consent-Management
+- **Schulungen** — Mitarbeiter-Awareness-Kurse zuweisen und verfolgen
+
+**KI-Compliance:**
+- **AI Act Modul** — EU AI Act Konformitaetspruefung
+- **EU Registrierung** — KI-System in der EU-Datenbank registrieren
+- **Compliance Optimizer** — Automatische Optimierungsvorschlaege
+
+**Maschinenrecht:**
+- **CE-Compliance (IACE)** — ISO 12100, Maschinenverordnung, Risikobeurteilung
+
+**Unabhaengige Module:**
+- **Evidence Management** — Nachweise und Belege verwalten
+- **Audit Checklisten** — ISMS-Audit vorbereiten
+- **Legal RAG** — Rechtsfragen mit KI beantworten (dieses Modul!)
+- **Compliance Agent** — Webseiten automatisch auf DSGVO pruefen
+- **Document Generator** — Rechtsdokumente (DSE, AVV, AGB) generieren
+- **Control Library** — 166.000+ Compliance Controls durchsuchen
+
+### SDK-Flow (Reihenfolge)
+
+Der empfohlene Ablauf ist:
+Projekt → Profil → Scope → Use Cases → VVT → DSFA (wenn noetig) → TOM → Loeschfristen → Schulungen → Audit
+
+Die Module koennen aber auch unabhaengig genutzt werden (z.B. Compliance Agent oder Document Generator).
+
+### Hilfe und Navigation
+
+- **Sidebar links** — Alle Module sind ueber die Sidebar erreichbar
+- **CommandBar** (Cmd+K) — Schnellsuche ueber alle Module
+- **Dieser Advisor** — Stellt Fragen zu Compliance-Themen oder zum SDK selbst
+- **SDK-Flow Dokumentation** — Detaillierte Anleitung unter dem Menue-Punkt "SDK Flow"
+
+## Haeufige Fragen (FAQ) — IAM-Systeme und Consent
+
+### Was ist WSO2 Identity Server?
+
+WSO2 Identity Server ist ein Open-Source Identity & Access Management (IAM) System,
+vergleichbar mit Keycloak, Auth0 oder Azure AD B2C. Es wird von der Firma WSO2 Inc.
+(Hauptsitz: Mountain View, USA + Colombo, Sri Lanka) entwickelt und gepflegt.
+
+**DSGVO-Relevanz:** WSO2 IS liefert Standard-HTML-Templates fuer Login-, Registrierungs-
+und Passwort-Reset-Seiten aus. Organisationen uebernehmen diese Templates oft 1:1 —
+inklusive der Consent-Texte. Das fuehrt zu **systemischen Compliance-Problemen**:
+
+- Die englischen Default-Texte sind bereits grenzwertig ("By clicking Register, you
+  agree to our Terms and Privacy Policy" — kein aktiver Opt-in)
+- Uebersetzungen werden maschinell oder von Nicht-Juristen erstellt
+- Niemand prueft ob die Formulierungen DSGVO-konform sind
+- Das Pattern "Klick = Zustimmung" verletzt Art. 7(4) DSGVO (Koppelungsverbot)
+  und EuGH C-673/17 Planet49 (aktive Einwilligung erforderlich)
+
+**Betroffene Organisationen:** EU-Behoerden (z.B. EUIPO), Regierungen, Telcos,
+Banken, Versicherungen, Universitaeten — alle mit demselben Template-Fehler.
+
+**Empfehlung:** Registrierungs- und Login-Seiten muessen geprueft werden auf:
+1. Separate Checkboxen fuer Nutzungsbedingungen und Datenschutz (Granularitaet)
+2. Aktive Zustimmungshandlung (Checkbox, nicht nur Button-Klick)
+3. Moeglichkeit zur Ablehnung (Art. 7(3) DSGVO)
+4. Grammatisch korrekte, verstaendliche Formulierung in der Sprache des Nutzers
+5. Keine Koppelung von Einwilligung an Registrierung/Login (Art. 7(4) DSGVO)
+
+### Welche IAM-Systeme haben aehnliche Probleme?
+
+| System | Anbieter | Typisches Problem |
+|--------|----------|-------------------|
+| WSO2 Identity Server | WSO2 Inc. (US/LK) | Default-Templates mit Zwangs-Consent |
+| Keycloak | Red Hat (US) | Kein Consent-Layer im Default-Theme |
+| Azure AD B2C | Microsoft (US) | Custom Policies ohne DSGVO-Pruefung |
+| Auth0 | Okta (US) | Universal Login ohne granularen Consent |
+| AWS Cognito | Amazon (US) | Hosted UI ohne Consent-Management |
+| ForgeRock | Ping Identity (US) | AM Templates ohne EU-Lokalisierung |
+
+Alle diese Systeme erfordern manuelle Anpassung der Templates fuer DSGVO-Konformitaet.
+Unser Compliance Agent kann Login/Registrierungsseiten auf diese Pattern pruefen.
+
+### Was ist das Koppelungsverbot (Art. 7(4) DSGVO)?
+
+Die Einwilligung zur Datenverarbeitung darf NICHT an die Erfuellung eines Vertrags
+oder die Erbringung einer Dienstleistung gekoppelt werden, wenn die Datenverarbeitung
+fuer die Vertragserfuellung nicht erforderlich ist.
+
+**Praxis-Beispiel:** "Mit Klick auf Registrieren stimmen Sie unserer Datenschutzerklaerung zu"
+ist ein Verstoss, wenn der Dienst auch ohne diese Zustimmung nutzbar waere.
+
+**Korrekt:** Separate, freiwillige Checkbox: "Ich willige in die Verarbeitung meiner Daten
+gemaess der Datenschutzerklaerung ein (freiwillig)."
+
+**Quellen:** Art. 7(4) DSGVO, ErwGr. 43, EDPB Guidelines 05/2020 Rn. 26-30.
+
+## CMP — Consent Management Platform
+
+Das BreakPilot CMP ist die integrierte Consent-Management-Plattform im SDK.
+Erreichbar ueber die CMP-Sektion in der Sidebar oder unter /sdk/cmp.
+
+**Module:**
+- **Dashboard** (/sdk/cmp) — Ueberblick ueber Consents, DSR, Compliance-Status
+- **Cookie-Banner** (/sdk/cookie-banner) — Banner konfigurieren mit EWR-Only Toggle
+- **Live-Vorschau** (/sdk/cookie-banner/preview) — Banner auf simulierter Website testen
+- **Consent-Records** (/sdk/einwilligungen) — Alle Einwilligungen einsehen
+- **Consent-Verwaltung** (/sdk/consent-management) — Dokument-Lifecycle
+- **Vendor-Compliance** (/sdk/vendor-compliance) — Dienstleister-Management
+- **DSR Portal** (/sdk/dsr) — Betroffenenrechte Art. 15-21
+- **Loeschfristen** (/sdk/loeschfristen) — Aufbewahrungsrichtlinien
+- **E-Mail-Templates** (/sdk/email-templates) — Benachrichtigungsvorlagen
+
+**Einzigartiges Feature: "Nur EU/EWR" Toggle**
+Nutzer koennen einer Cookie-Kategorie zustimmen (z.B. Marketing), aber gleichzeitig
+alle Anbieter ausserhalb des EWR blockieren. Beispiel: Marketing = AN, EWR-Only = AN
+bedeutet LinkedIn Insight (EU/Irland) wird geladen, Facebook Pixel (USA) wird blockiert.
+Kein anderes CMP bietet dieses Feature.
+
 ## Eskalation
- Bei Fragen ausserhalb des Kompetenzbereichs: Hoeflich ablehnen und auf Fachanwalt verweisen
+- Bei Fragen ausserhalb des Kompetenzbereichs: Wenn die Frage harmlos ist (z.B. "Hast Du Informationen zu X?"), kurz mit Ja/Nein antworten und anbieten konkreter zu helfen. NUR bei sensiblen oder rechtsberatenden Fragen hoeflich ablehnen und auf Fachanwalt verweisen.
 - Bei widerspruechlichen Rechtslagen: Beide Positionen darstellen und DSB-Konsultation empfehlen
 - Bei dringenden Datenpannen: Auf 72-Stunden-Frist (Art. 33 DSGVO) hinweisen und Notfallplan-Modul empfehlen
@@ -0,0 +1,27 @@
+/**
+ * Proxy: Admin → Backend /api/compliance/agent/admin/benchmark
+ * (P107 — Branchen-Benchmark-Cockpit)
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest) {
+  const qs = request.nextUrl.searchParams.toString()
+  try {
+    const r = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/admin/benchmark?${qs}`,
+      { signal: AbortSignal.timeout(20000) },
+    )
+    const body = await r.text()
+    return new NextResponse(body, {
+      status: r.status,
+      headers: { 'Content-Type': r.headers.get('content-type') || 'application/json' },
+    })
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: 'Benchmark-API nicht erreichbar', detail: String(e) },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,364 @@
+/**
+ * Drafting Engine - v2 Pipeline Helpers
+ *
+ * DOCUMENT_PROSE_BLOCKS, buildV2SystemPrompt, buildBlockSpecificPrompt,
+ * callOllama, handleV2Draft — split from draft-helpers.ts for the 500 LOC hard cap.
+ */
+
+import { NextResponse } from 'next/server'
+import type { DraftContext, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
+import { deriveNarrativeTags, extractScoresFromDraftContext, narrativeTagsToPromptString } from '@/lib/sdk/drafting-engine/narrative-tags'
+import type { NarrativeTags } from '@/lib/sdk/drafting-engine/narrative-tags'
+import { buildAllowedFactsFromDraftContext, allowedFactsToPromptString, disallowedTopicsToPromptString } from '@/lib/sdk/drafting-engine/allowed-facts-v2'
+import { sanitizeAllowedFacts, validateNoRemainingPII, SanitizationError } from '@/lib/sdk/drafting-engine/sanitizer'
+import { terminologyToPromptString, styleContractToPromptString } from '@/lib/sdk/drafting-engine/terminology'
+import { executeRepairLoop, type ProseBlockOutput, type RepairAudit } from '@/lib/sdk/drafting-engine/prose-validator'
+import { computeChecksumSync, type CacheKeyParams } from '@/lib/sdk/drafting-engine/cache'
+import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
+import {
+  constraintEnforcer,
+  proseCache,
+  TEMPLATE_VERSION,
+  TERMINOLOGY_VERSION,
+  VALIDATOR_VERSION,
+  V1_SYSTEM_PROMPT,
+  buildPromptForDocumentType,
+} from './draft-helpers'
+
+const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
+const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
+
+// ============================================================================
+// v2 Personalisierte Pipeline
+// ============================================================================
+
+export const DOCUMENT_PROSE_BLOCKS: Record<string, Array<{ blockId: string; blockType: ProseBlockOutput['blockType']; sectionName: string; targetWords: number }>> = {
+  tom: [
+    { blockId: 'tom-intro', blockType: 'introduction', sectionName: 'Einleitung TOM', targetWords: 120 },
+    { blockId: 'tom-transition', blockType: 'transition', sectionName: 'Ueberleitung Massnahmen', targetWords: 40 },
+    { blockId: 'tom-conclusion', blockType: 'conclusion', sectionName: 'Fazit TOM', targetWords: 80 },
+  ],
+  dsfa: [
+    { blockId: 'dsfa-intro', blockType: 'introduction', sectionName: 'Einleitung DSFA', targetWords: 150 },
+    { blockId: 'dsfa-transition', blockType: 'transition', sectionName: 'Ueberleitung Risikobewertung', targetWords: 40 },
+    { blockId: 'dsfa-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Massnahmen', targetWords: 60 },
+    { blockId: 'dsfa-conclusion', blockType: 'conclusion', sectionName: 'Fazit DSFA', targetWords: 100 },
+  ],
+  vvt: [
+    { blockId: 'vvt-intro', blockType: 'introduction', sectionName: 'Einleitung VVT', targetWords: 120 },
+    { blockId: 'vvt-conclusion', blockType: 'conclusion', sectionName: 'Fazit VVT', targetWords: 80 },
+  ],
+  dsi: [
+    { blockId: 'dsi-intro', blockType: 'introduction', sectionName: 'Einleitung Datenschutzerklaerung', targetWords: 130 },
+    { blockId: 'dsi-conclusion', blockType: 'conclusion', sectionName: 'Fazit Datenschutzerklaerung', targetWords: 80 },
+  ],
+  lf: [
+    { blockId: 'lf-intro', blockType: 'introduction', sectionName: 'Einleitung Loeschfristen', targetWords: 100 },
+    { blockId: 'lf-conclusion', blockType: 'conclusion', sectionName: 'Fazit Loeschfristen', targetWords: 60 },
+  ],
+  av_vertrag: [
+    { blockId: 'av-intro', blockType: 'introduction', sectionName: 'Einleitung Auftragsverarbeitung', targetWords: 130 },
+    { blockId: 'av-conclusion', blockType: 'conclusion', sectionName: 'Fazit Auftragsverarbeitung', targetWords: 80 },
+  ],
+  betroffenenrechte: [
+    { blockId: 'betr-intro', blockType: 'introduction', sectionName: 'Einleitung Betroffenenrechte', targetWords: 120 },
+    { blockId: 'betr-conclusion', blockType: 'conclusion', sectionName: 'Fazit Betroffenenrechte', targetWords: 80 },
+  ],
+  risikoanalyse: [
+    { blockId: 'risk-intro', blockType: 'introduction', sectionName: 'Einleitung Risikoanalyse', targetWords: 130 },
+    { blockId: 'risk-conclusion', blockType: 'conclusion', sectionName: 'Fazit Risikoanalyse', targetWords: 80 },
+  ],
+  notfallplan: [
+    { blockId: 'notfall-intro', blockType: 'introduction', sectionName: 'Einleitung Notfallplan', targetWords: 120 },
+    { blockId: 'notfall-conclusion', blockType: 'conclusion', sectionName: 'Fazit Notfallplan', targetWords: 80 },
+  ],
+  iace_ce_assessment: [
+    { blockId: 'iace-intro', blockType: 'introduction', sectionName: 'Einleitung IACE CE-Bewertung', targetWords: 150 },
+    { blockId: 'iace-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Konformitaetsbewertung', targetWords: 60 },
+    { blockId: 'iace-conclusion', blockType: 'conclusion', sectionName: 'Fazit IACE CE-Bewertung', targetWords: 100 },
+  ],
+}
+
+export function buildV2SystemPrompt(
+  sanitizedFactsString: string,
+  narrativeTagsString: string,
+  terminologyString: string,
+  styleString: string,
+  disallowedString: string,
+  companyName: string,
+  blockId: string,
+  blockType: string,
+  sectionName: string,
+  documentType: string,
+  targetWords: number
+): string {
+  return `Du bist ein Compliance-Dokumenten-Redakteur.
+Du schreibst einzelne Textabschnitte fuer offizielle Compliance-Dokumente.
+
+KUNDENPROFIL (ERLAUBTE FAKTEN — nur diese darfst du verwenden):
+${sanitizedFactsString}
+
+BEWERTUNGSERGEBNIS (sprachliche Tags — verwende nur diese Begriffe):
+${narrativeTagsString}
+
+TERMINOLOGIE (verwende ausschliesslich diese Fachbegriffe):
+${terminologyString}
+
+STIL:
+${styleString}
+
+VERBOTENE INHALTE:
+${disallowedString}
+- Keine konkreten Prozentwerte, Scores oder Zahlen
+- Keine Compliance-Level-Bezeichnungen (L1, L2, L3, L4)
+- Keine direkte Ansprache ("Sie", "Ihr")
+- Kein Denglisch, keine Marketing-Sprache, keine Superlative
+
+STRIKTE REGELN:
+1. Verwende den Firmennamen "${companyName}" — nie "Ihr Unternehmen"
+2. Schreibe in der dritten Person ("Die ${companyName}...")
+3. Beziehe dich auf die Branche und organisatorische Merkmale
+4. Verwende NUR Fakten aus dem Kundenprofil oben
+5. Verwende NUR die sprachlichen Tags aus dem Bewertungsergebnis
+6. Erfinde KEINE zusaetzlichen Fakten oder Bewertungen
+7. Halte dich an die Terminologie-Vorgaben
+8. Dein Text wird ZWISCHEN feste Datentabellen eingefuegt
+
+OUTPUT-FORMAT: Antworte ausschliesslich als JSON:
+{
+  "blockId": "${blockId}",
+  "blockType": "${blockType}",
+  "language": "de",
+  "text": "...",
+  "assertions": {
+    "companyNameUsed": true/false,
+    "industryReferenced": true/false,
+    "structureReferenced": true/false,
+    "itLandscapeReferenced": true/false,
+    "narrativeTagsUsed": ["riskSummary", ...]
+  },
+  "forbiddenContentDetected": []
+}
+
+DOKUMENTENTYP: ${documentType}
+SEKTION: ${sectionName}
+BLOCK-TYP: ${blockType}
+ZIEL-LAENGE: ${targetWords} Woerter`
+}
+
+export function buildBlockSpecificPrompt(blockType: string, sectionName: string, documentType: string): string {
+  switch (blockType) {
+    case 'introduction':
+      return `Schreibe eine Einleitung fuer das Dokument "${documentType}" (Sektion: ${sectionName}).
+Erklaere, warum dieses Dokument fuer das Unternehmen erstellt wurde.
+Gehe auf die spezifische Situation des Unternehmens ein.
+Erwaehne die Branche, die Organisationsform und die IT-Strategie.`
+    case 'transition':
+      return `Schreibe eine kurze Ueberleitung zur naechsten Sektion "${sectionName}".
+Verknuepfe den vorherigen Abschnitt logisch mit dem folgenden.`
+    case 'conclusion':
+      return `Schreibe einen abschliessenden Absatz fuer die Sektion "${sectionName}".
+Fasse die wesentlichen Punkte zusammen und verweise auf die fortlaufende Pflege.`
+    case 'appreciation':
+      return `Schreibe einen wertschaetzenden Satz ueber die bestehenden Massnahmen.
+Verwende dabei die sprachlichen Tags aus dem Bewertungsergebnis.
+Keine neuen Fakten erfinden — nur das Profil wuerdigen.`
+    default:
+      return `Schreibe einen Textabschnitt fuer "${sectionName}".`
+  }
+}
+
+export async function callOllama(systemPrompt: string, userPrompt: string): Promise<string> {
+  const response = await fetch(`${OLLAMA_URL}/api/chat`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      model: LLM_MODEL,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+      stream: false,
+      think: false,
+      options: { temperature: 0.15, num_predict: 4096, num_ctx: 8192 },
+      format: 'json',
+    }),
+    signal: AbortSignal.timeout(120000),
+  })
+
+  if (!response.ok) {
+    throw new Error(`Ollama error: ${response.status}`)
+  }
+
+  const result = await response.json()
+  return result.message?.content || ''
+}
+
+export async function handleV2Draft(body: Record<string, unknown>): Promise<NextResponse> {
+  const { documentType, draftContext, instructions } = body as {
+    documentType: ScopeDocumentType
+    draftContext: DraftContext
+    instructions?: string
+  }
+
+  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
+  if (!constraintCheck.allowed) {
+    return NextResponse.json({
+      draft: null, constraintCheck, tokensUsed: 0,
+      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
+    }, { status: 403 })
+  }
+
+  const scores = extractScoresFromDraftContext(draftContext)
+  const narrativeTags: NarrativeTags = deriveNarrativeTags(scores)
+  const allowedFacts = buildAllowedFactsFromDraftContext(draftContext, narrativeTags)
+
+  let sanitizationResult
+  try {
+    sanitizationResult = sanitizeAllowedFacts(allowedFacts)
+  } catch (error) {
+    if (error instanceof SanitizationError) {
+      return NextResponse.json({
+        error: `Sanitization Hard Abort: ${error.message} (Feld: ${error.field})`,
+        draft: null, constraintCheck, tokensUsed: 0,
+      }, { status: 422 })
+    }
+    throw error
+  }
+
+  const sanitizedFacts = sanitizationResult.facts
+  const piiWarnings = validateNoRemainingPII(sanitizedFacts)
+  if (piiWarnings.length > 0) console.warn('PII-Warnungen nach Sanitization:', piiWarnings)
+
+  const factsString = allowedFactsToPromptString(sanitizedFacts)
+  const tagsString = narrativeTagsToPromptString(narrativeTags)
+  const termsString = terminologyToPromptString()
+  const styleString = styleContractToPromptString()
+  const disallowedString = disallowedTopicsToPromptString()
+  const promptHash = computeChecksumSync({ factsString, tagsString, termsString, styleString, disallowedString })
+
+  const v2RagCfg = DOCUMENT_RAG_CONFIG[documentType]
+  const v2RagContext = v2RagCfg ? await queryRAG(v2RagCfg.query, 3, v2RagCfg.collection) : null
+
+  const proseBlocks = DOCUMENT_PROSE_BLOCKS[documentType] || DOCUMENT_PROSE_BLOCKS.tom
+  const generatedBlocks: ProseBlockOutput[] = []
+  const repairAudits: RepairAudit[] = []
+  let totalTokens = 0
+
+  for (const blockDef of proseBlocks) {
+    const cacheParams: CacheKeyParams = {
+      allowedFacts: sanitizedFacts, templateVersion: TEMPLATE_VERSION,
+      terminologyVersion: TERMINOLOGY_VERSION, narrativeTags,
+      promptHash, blockType: blockDef.blockType, sectionName: blockDef.sectionName,
+    }
+
+    const cached = proseCache.getSync(cacheParams)
+    if (cached) {
+      generatedBlocks.push(cached)
+      repairAudits.push({ repairAttempts: 0, validatorFailures: [], repairSuccessful: true, fallbackUsed: false })
+      continue
+    }
+
+    let systemPrompt = buildV2SystemPrompt(
+      factsString, tagsString, termsString, styleString, disallowedString,
+      sanitizedFacts.companyName, blockDef.blockId, blockDef.blockType,
+      blockDef.sectionName, documentType, blockDef.targetWords
+    )
+    if (v2RagContext) systemPrompt += `\n\nRECHTSKONTEXT (als Referenz, nicht woertlich uebernehmen):\n${v2RagContext}`
+    const userPrompt = buildBlockSpecificPrompt(blockDef.blockType, blockDef.sectionName, documentType)
+      + (instructions ? `\n\nZusaetzliche Anweisungen: ${instructions}` : '')
+
+    try {
+      const rawOutput = await callOllama(systemPrompt, userPrompt)
+      totalTokens += rawOutput.length / 4
+      const { block, audit } = await executeRepairLoop(
+        rawOutput, sanitizedFacts, narrativeTags, blockDef.blockId, blockDef.blockType,
+        async (repairPrompt) => callOllama(systemPrompt, repairPrompt), documentType
+      )
+      generatedBlocks.push(block)
+      repairAudits.push(audit)
+      if (!audit.fallbackUsed) proseCache.setSync(cacheParams, block)
+    } catch (error) {
+      const { buildFallbackBlock } = await import('@/lib/sdk/drafting-engine/prose-validator')
+      generatedBlocks.push(buildFallbackBlock(blockDef.blockId, blockDef.blockType, sanitizedFacts, documentType))
+      repairAudits.push({
+        repairAttempts: 0, validatorFailures: [[(error as Error).message]],
+        repairSuccessful: false, fallbackUsed: true,
+        fallbackReason: `LLM-Fehler: ${(error as Error).message}`,
+      })
+    }
+  }
+
+  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
+
+  let dataSections: DraftSection[] = []
+  try {
+    const dataResponse = await callOllama(V1_SYSTEM_PROMPT, draftPrompt)
+    const parsed = JSON.parse(dataResponse)
+    dataSections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
+      id: String(s.id || `section-${i}`), title: String(s.title || ''),
+      content: String(s.content || ''), schemaField: s.schemaField ? String(s.schemaField) : undefined,
+    }))
+    totalTokens += dataResponse.length / 4
+  } catch { dataSections = [] }
+
+  const introBlock = generatedBlocks.find(b => b.blockType === 'introduction')
+  const transitionBlocks = generatedBlocks.filter(b => b.blockType === 'transition')
+  const appreciationBlocks = generatedBlocks.filter(b => b.blockType === 'appreciation')
+  const conclusionBlock = generatedBlocks.find(b => b.blockType === 'conclusion')
+
+  const mergedSections: DraftSection[] = []
+  if (introBlock) mergedSections.push({ id: introBlock.blockId, title: 'Einleitung', content: introBlock.text })
+  for (let i = 0; i < dataSections.length; i++) {
+    if (i > 0 && transitionBlocks[i - 1]) mergedSections.push({ id: transitionBlocks[i - 1].blockId, title: '', content: transitionBlocks[i - 1].text })
+    mergedSections.push(dataSections[i])
+  }
+  for (const block of appreciationBlocks) mergedSections.push({ id: block.blockId, title: 'Wuerdigung', content: block.text })
+  if (conclusionBlock) mergedSections.push({ id: conclusionBlock.blockId, title: 'Fazit', content: conclusionBlock.text })
+
+  const finalSections = mergedSections.length > 0 ? mergedSections : generatedBlocks.map(b => ({
+    id: b.blockId,
+    title: b.blockType === 'introduction' ? 'Einleitung' : b.blockType === 'conclusion' ? 'Fazit' : b.blockType === 'appreciation' ? 'Wuerdigung' : 'Ueberleitung',
+    content: b.text,
+  }))
+
+  const draft: DraftRevision = {
+    id: `draft-v2-${Date.now()}`,
+    content: finalSections.map(s => s.title ? `## ${s.title}\n\n${s.content}` : s.content).join('\n\n'),
+    sections: finalSections, createdAt: new Date().toISOString(), instruction: instructions,
+  }
+
+  const auditTrail = {
+    documentType, templateVersion: TEMPLATE_VERSION, terminologyVersion: TERMINOLOGY_VERSION,
+    validatorVersion: VALIDATOR_VERSION, promptHash, llmModel: LLM_MODEL,
+    llmTemperature: 0.15, llmProvider: 'ollama', narrativeTags,
+    sanitization: sanitizationResult.audit, repairAudits,
+    proseBlocks: generatedBlocks.map((b, i) => ({
+      blockId: b.blockId, blockType: b.blockType,
+      wordCount: b.text.split(/\s+/).filter(Boolean).length,
+      fallbackUsed: repairAudits[i]?.fallbackUsed ?? false,
+      repairAttempts: repairAudits[i]?.repairAttempts ?? 0,
+    })),
+    cacheStats: proseCache.getStats(),
+  }
+
+  const truthLabel = { generation_mode: 'draft_assistance', truth_status: 'generated', may_be_used_as_evidence: false, generated_by: 'system' }
+
+  try {
+    const BACKEND_URL = process.env.BACKEND_COMPLIANCE_URL || 'http://backend-compliance:8002'
+    fetch(`${BACKEND_URL}/api/compliance/llm-audit`, {
+      method: 'POST', headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        entity_type: 'document', entity_id: null, generation_mode: 'draft_assistance',
+        truth_status: 'generated', may_be_used_as_evidence: false,
+        llm_model: LLM_MODEL, llm_provider: 'ollama',
+        input_summary: `${documentType} draft generation`,
+        output_summary: draft?.sections?.length ? `${draft.sections.length} sections generated` : 'draft generated',
+      }),
+    }).catch(() => {/* fire-and-forget */})
+  } catch { /* LLM audit persistence failure should not block the response */ }
+
+  return NextResponse.json({ draft, constraintCheck, tokensUsed: Math.round(totalTokens), pipelineVersion: 'v2', auditTrail, truthLabel })
+}
@@ -0,0 +1,161 @@
+/**
+ * Drafting Engine - Draft Helper Functions (v1 pipeline + shared constants)
+ *
+ * Shared state, v1 legacy pipeline helpers.
+ * v2 pipeline lives in draft-helpers-v2.ts.
+ */
+
+import { NextResponse } from 'next/server'
+import { buildVVTDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-vvt'
+import { buildTOMDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-tom'
+import { buildDSFADraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-dsfa'
+import { buildPrivacyPolicyDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-privacy-policy'
+import { buildLoeschfristenDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-loeschfristen'
+import type { DraftContext, DraftResponse, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
+import { ConstraintEnforcer } from '@/lib/sdk/drafting-engine/constraint-enforcer'
+import { ProseCacheManager } from '@/lib/sdk/drafting-engine/cache'
+import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
+
+const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
+const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
+
+export const constraintEnforcer = new ConstraintEnforcer()
+export const proseCache = new ProseCacheManager({ maxEntries: 200, ttlHours: 24 })
+
+export const TEMPLATE_VERSION = '2.0.0'
+export const TERMINOLOGY_VERSION = '1.0.0'
+export const VALIDATOR_VERSION = '1.0.0'
+
+// ============================================================================
+// v1 Legacy Pipeline
+// ============================================================================
+
+export const V1_SYSTEM_PROMPT = `Du bist ein DSGVO-Compliance-Experte und erstellst strukturierte Dokument-Entwuerfe.
+Du MUSST immer im JSON-Format antworten mit einem "sections" Array.
+Jede Section hat: id, title, content, schemaField.
+Halte die Tiefe strikt am vorgegebenen Level.
+Markiere fehlende Informationen mit [PLATZHALTER: Beschreibung].
+Sprache: Deutsch.`
+
+export function buildPromptForDocumentType(
+  documentType: ScopeDocumentType,
+  context: DraftContext,
+  instructions?: string
+): string {
+  switch (documentType) {
+    case 'vvt':
+      return buildVVTDraftPrompt({ context, instructions })
+    case 'tom':
+      return buildTOMDraftPrompt({ context, instructions })
+    case 'dsfa':
+      return buildDSFADraftPrompt({ context, instructions })
+    case 'dsi':
+      return buildPrivacyPolicyDraftPrompt({ context, instructions })
+    case 'lf':
+      return buildLoeschfristenDraftPrompt({ context, instructions })
+    default:
+      return `## Aufgabe: Entwurf fuer ${documentType}
+
+### Level: ${context.decisions.level}
+### Tiefe: ${context.constraints.depthRequirements.depth}
+### Erforderliche Inhalte:
+${context.constraints.depthRequirements.detailItems.map((item, i) => `${i + 1}. ${item}`).join('\n')}
+
+${instructions ? `### Anweisungen: ${instructions}` : ''}
+
+Antworte als JSON mit "sections" Array.`
+  }
+}
+
+export async function handleV1Draft(body: Record<string, unknown>): Promise<NextResponse> {
+  const { documentType, draftContext, instructions, existingDraft } = body as {
+    documentType: ScopeDocumentType
+    draftContext: DraftContext
+    instructions?: string
+    existingDraft?: DraftRevision
+  }
+
+  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
+  if (!constraintCheck.allowed) {
+    return NextResponse.json({
+      draft: null,
+      constraintCheck,
+      tokensUsed: 0,
+      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
+    }, { status: 403 })
+  }
+
+  const ragCfg = DOCUMENT_RAG_CONFIG[documentType]
+  const ragContext = ragCfg ? await queryRAG(ragCfg.query, 3, ragCfg.collection) : null
+
+  let v1SystemPrompt = V1_SYSTEM_PROMPT
+  if (ragContext) {
+    v1SystemPrompt += `\n\n## Relevanter Rechtskontext\n${ragContext}`
+  }
+
+  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
+  const messages = [
+    { role: 'system', content: v1SystemPrompt },
+    ...(existingDraft ? [{
+      role: 'assistant',
+      content: `Bisheriger Entwurf:\n${JSON.stringify(existingDraft.sections, null, 2)}`,
+    }] : []),
+    { role: 'user', content: draftPrompt },
+  ]
+
+  const ollamaResponse = await fetch(`${OLLAMA_URL}/api/chat`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      model: LLM_MODEL,
+      messages,
+      stream: false,
+      think: false,
+      options: { temperature: 0.15, num_predict: 16384, num_ctx: 8192 },
+      format: 'json',
+    }),
+    signal: AbortSignal.timeout(180000),
+  })
+
+  if (!ollamaResponse.ok) {
+    return NextResponse.json(
+      { error: `LLM nicht erreichbar (Status ${ollamaResponse.status})` },
+      { status: 502 }
+    )
+  }
+
+  const result = await ollamaResponse.json()
+  const content = result.message?.content || ''
+
+  let sections: DraftSection[] = []
+  try {
+    const parsed = JSON.parse(content)
+    sections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
+      id: String(s.id || `section-${i}`),
+      title: String(s.title || ''),
+      content: String(s.content || ''),
+      schemaField: s.schemaField ? String(s.schemaField) : undefined,
+    }))
+  } catch {
+    sections = [{ id: 'raw', title: 'Entwurf', content }]
+  }
+
+  const draft: DraftRevision = {
+    id: `draft-${Date.now()}`,
+    content: sections.map(s => `## ${s.title}\n\n${s.content}`).join('\n\n'),
+    sections,
+    createdAt: new Date().toISOString(),
+    instruction: instructions as string | undefined,
+  }
+
+  return NextResponse.json({
+    draft,
+    constraintCheck,
+    tokensUsed: result.eval_count || 0,
+  } satisfies DraftResponse)
+}
+
+// Re-export v2 handler for route.ts (backward compat — single import point)
+export { handleV2Draft } from './draft-helpers-v2'
@@ -9,627 +9,7 @@
 */

 import { NextRequest, NextResponse } from 'next/server'
-
-const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
-const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
-
-// v1 imports (Legacy)
-import { buildVVTDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-vvt'
-import { buildTOMDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-tom'
-import { buildDSFADraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-dsfa'
-import { buildPrivacyPolicyDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-privacy-policy'
-import { buildLoeschfristenDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-loeschfristen'
-import type { DraftContext, DraftResponse, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
-import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
-import { ConstraintEnforcer } from '@/lib/sdk/drafting-engine/constraint-enforcer'
-
-// v2 imports (Personalisierte Pipeline)
-import { deriveNarrativeTags, extractScoresFromDraftContext, narrativeTagsToPromptString } from '@/lib/sdk/drafting-engine/narrative-tags'
-import type { NarrativeTags } from '@/lib/sdk/drafting-engine/narrative-tags'
-import { buildAllowedFactsFromDraftContext, allowedFactsToPromptString, disallowedTopicsToPromptString } from '@/lib/sdk/drafting-engine/allowed-facts-v2'
-import { sanitizeAllowedFacts, validateNoRemainingPII, SanitizationError } from '@/lib/sdk/drafting-engine/sanitizer'
-import { terminologyToPromptString, styleContractToPromptString } from '@/lib/sdk/drafting-engine/terminology'
-import { executeRepairLoop, type ProseBlockOutput, type RepairAudit } from '@/lib/sdk/drafting-engine/prose-validator'
-import { ProseCacheManager, computeChecksumSync, type CacheKeyParams } from '@/lib/sdk/drafting-engine/cache'
-import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
-import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
-
-// ============================================================================
-// Shared State
-// ============================================================================
-
-const constraintEnforcer = new ConstraintEnforcer()
-const proseCache = new ProseCacheManager({ maxEntries: 200, ttlHours: 24 })
-
-// Template/Terminology Versionen (fuer Cache-Key)
-const TEMPLATE_VERSION = '2.0.0'
-const TERMINOLOGY_VERSION = '1.0.0'
-const VALIDATOR_VERSION = '1.0.0'
-
-// ============================================================================
-// v1 Legacy Pipeline
-// ============================================================================
-
-const V1_SYSTEM_PROMPT = `Du bist ein DSGVO-Compliance-Experte und erstellst strukturierte Dokument-Entwuerfe.
-Du MUSST immer im JSON-Format antworten mit einem "sections" Array.
-Jede Section hat: id, title, content, schemaField.
-Halte die Tiefe strikt am vorgegebenen Level.
-Markiere fehlende Informationen mit [PLATZHALTER: Beschreibung].
-Sprache: Deutsch.`
-
-function buildPromptForDocumentType(
-  documentType: ScopeDocumentType,
-  context: DraftContext,
-  instructions?: string
-): string {
-  switch (documentType) {
-    case 'vvt':
-      return buildVVTDraftPrompt({ context, instructions })
-    case 'tom':
-      return buildTOMDraftPrompt({ context, instructions })
-    case 'dsfa':
-      return buildDSFADraftPrompt({ context, instructions })
-    case 'dsi':
-      return buildPrivacyPolicyDraftPrompt({ context, instructions })
-    case 'lf':
-      return buildLoeschfristenDraftPrompt({ context, instructions })
-    default:
-      return `## Aufgabe: Entwurf fuer ${documentType}
-
-### Level: ${context.decisions.level}
-### Tiefe: ${context.constraints.depthRequirements.depth}
-### Erforderliche Inhalte:
-${context.constraints.depthRequirements.detailItems.map((item, i) => `${i + 1}. ${item}`).join('\n')}
-
-${instructions ? `### Anweisungen: ${instructions}` : ''}
-
-Antworte als JSON mit "sections" Array.`
-  }
-}
-
-async function handleV1Draft(body: Record<string, unknown>): Promise<NextResponse> {
-  const { documentType, draftContext, instructions, existingDraft } = body as {
-    documentType: ScopeDocumentType
-    draftContext: DraftContext
-    instructions?: string
-    existingDraft?: DraftRevision
-  }
-
-  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
-  if (!constraintCheck.allowed) {
-    return NextResponse.json({
-      draft: null,
-      constraintCheck,
-      tokensUsed: 0,
-      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
-    }, { status: 403 })
-  }
-
-  // RAG: Fetch relevant legal context (config-based)
-  const ragCfg = DOCUMENT_RAG_CONFIG[documentType]
-  const ragContext = await queryRAG(ragCfg.query, 3, ragCfg.collection)
-
-  let v1SystemPrompt = V1_SYSTEM_PROMPT
-  if (ragContext) {
-    v1SystemPrompt += `\n\n## Relevanter Rechtskontext\n${ragContext}`
-  }
-
-  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
-  const messages = [
-    { role: 'system', content: v1SystemPrompt },
-    ...(existingDraft ? [{
-      role: 'assistant',
-      content: `Bisheriger Entwurf:\n${JSON.stringify(existingDraft.sections, null, 2)}`,
-    }] : []),
-    { role: 'user', content: draftPrompt },
-  ]
-
-  const ollamaResponse = await fetch(`${OLLAMA_URL}/api/chat`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      model: LLM_MODEL,
-      messages,
-      stream: false,
-      think: false,
-      options: { temperature: 0.15, num_predict: 16384, num_ctx: 8192 },
-      format: 'json',
-    }),
-    signal: AbortSignal.timeout(180000),
-  })
-
-  if (!ollamaResponse.ok) {
-    return NextResponse.json(
-      { error: `LLM nicht erreichbar (Status ${ollamaResponse.status})` },
-      { status: 502 }
-    )
-  }
-
-  const result = await ollamaResponse.json()
-  const content = result.message?.content || ''
-
-  let sections: DraftSection[] = []
-  try {
-    const parsed = JSON.parse(content)
-    sections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
-      id: String(s.id || `section-${i}`),
-      title: String(s.title || ''),
-      content: String(s.content || ''),
-      schemaField: s.schemaField ? String(s.schemaField) : undefined,
-    }))
-  } catch {
-    sections = [{ id: 'raw', title: 'Entwurf', content }]
-  }
-
-  const draft: DraftRevision = {
-    id: `draft-${Date.now()}`,
-    content: sections.map(s => `## ${s.title}\n\n${s.content}`).join('\n\n'),
-    sections,
-    createdAt: new Date().toISOString(),
-    instruction: instructions as string | undefined,
-  }
-
-  return NextResponse.json({
-    draft,
-    constraintCheck,
-    tokensUsed: result.eval_count || 0,
-  } satisfies DraftResponse)
-}
-
-// ============================================================================
-// v2 Personalisierte Pipeline
-// ============================================================================
-
-/** Prose block definitions per document type */
-const DOCUMENT_PROSE_BLOCKS: Record<string, Array<{ blockId: string; blockType: ProseBlockOutput['blockType']; sectionName: string; targetWords: number }>> = {
-  tom: [
-    { blockId: 'tom-intro', blockType: 'introduction', sectionName: 'Einleitung TOM', targetWords: 120 },
-    { blockId: 'tom-transition', blockType: 'transition', sectionName: 'Ueberleitung Massnahmen', targetWords: 40 },
-    { blockId: 'tom-conclusion', blockType: 'conclusion', sectionName: 'Fazit TOM', targetWords: 80 },
-  ],
-  dsfa: [
-    { blockId: 'dsfa-intro', blockType: 'introduction', sectionName: 'Einleitung DSFA', targetWords: 150 },
-    { blockId: 'dsfa-transition', blockType: 'transition', sectionName: 'Ueberleitung Risikobewertung', targetWords: 40 },
-    { blockId: 'dsfa-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Massnahmen', targetWords: 60 },
-    { blockId: 'dsfa-conclusion', blockType: 'conclusion', sectionName: 'Fazit DSFA', targetWords: 100 },
-  ],
-  vvt: [
-    { blockId: 'vvt-intro', blockType: 'introduction', sectionName: 'Einleitung VVT', targetWords: 120 },
-    { blockId: 'vvt-conclusion', blockType: 'conclusion', sectionName: 'Fazit VVT', targetWords: 80 },
-  ],
-  dsi: [
-    { blockId: 'dsi-intro', blockType: 'introduction', sectionName: 'Einleitung Datenschutzerklaerung', targetWords: 130 },
-    { blockId: 'dsi-conclusion', blockType: 'conclusion', sectionName: 'Fazit Datenschutzerklaerung', targetWords: 80 },
-  ],
-  lf: [
-    { blockId: 'lf-intro', blockType: 'introduction', sectionName: 'Einleitung Loeschfristen', targetWords: 100 },
-    { blockId: 'lf-conclusion', blockType: 'conclusion', sectionName: 'Fazit Loeschfristen', targetWords: 60 },
-  ],
-  av_vertrag: [
-    { blockId: 'av-intro', blockType: 'introduction', sectionName: 'Einleitung Auftragsverarbeitung', targetWords: 130 },
-    { blockId: 'av-conclusion', blockType: 'conclusion', sectionName: 'Fazit Auftragsverarbeitung', targetWords: 80 },
-  ],
-  betroffenenrechte: [
-    { blockId: 'betr-intro', blockType: 'introduction', sectionName: 'Einleitung Betroffenenrechte', targetWords: 120 },
-    { blockId: 'betr-conclusion', blockType: 'conclusion', sectionName: 'Fazit Betroffenenrechte', targetWords: 80 },
-  ],
-  risikoanalyse: [
-    { blockId: 'risk-intro', blockType: 'introduction', sectionName: 'Einleitung Risikoanalyse', targetWords: 130 },
-    { blockId: 'risk-conclusion', blockType: 'conclusion', sectionName: 'Fazit Risikoanalyse', targetWords: 80 },
-  ],
-  notfallplan: [
-    { blockId: 'notfall-intro', blockType: 'introduction', sectionName: 'Einleitung Notfallplan', targetWords: 120 },
-    { blockId: 'notfall-conclusion', blockType: 'conclusion', sectionName: 'Fazit Notfallplan', targetWords: 80 },
-  ],
-  iace_ce_assessment: [
-    { blockId: 'iace-intro', blockType: 'introduction', sectionName: 'Einleitung IACE CE-Bewertung', targetWords: 150 },
-    { blockId: 'iace-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Konformitaetsbewertung', targetWords: 60 },
-    { blockId: 'iace-conclusion', blockType: 'conclusion', sectionName: 'Fazit IACE CE-Bewertung', targetWords: 100 },
-  ],
-}
-
-function buildV2SystemPrompt(
-  sanitizedFactsString: string,
-  narrativeTagsString: string,
-  terminologyString: string,
-  styleString: string,
-  disallowedString: string,
-  companyName: string,
-  blockId: string,
-  blockType: string,
-  sectionName: string,
-  documentType: string,
-  targetWords: number
-): string {
-  return `Du bist ein Compliance-Dokumenten-Redakteur.
-Du schreibst einzelne Textabschnitte fuer offizielle Compliance-Dokumente.
-
-KUNDENPROFIL (ERLAUBTE FAKTEN — nur diese darfst du verwenden):
-${sanitizedFactsString}
-
-BEWERTUNGSERGEBNIS (sprachliche Tags — verwende nur diese Begriffe):
-${narrativeTagsString}
-
-TERMINOLOGIE (verwende ausschliesslich diese Fachbegriffe):
-${terminologyString}
-
-STIL:
-${styleString}
-
-VERBOTENE INHALTE:
-${disallowedString}
- Keine konkreten Prozentwerte, Scores oder Zahlen
- Keine Compliance-Level-Bezeichnungen (L1, L2, L3, L4)
- Keine direkte Ansprache ("Sie", "Ihr")
- Kein Denglisch, keine Marketing-Sprache, keine Superlative
-
-STRIKTE REGELN:
-1. Verwende den Firmennamen "${companyName}" — nie "Ihr Unternehmen"
-2. Schreibe in der dritten Person ("Die ${companyName}...")
-3. Beziehe dich auf die Branche und organisatorische Merkmale
-4. Verwende NUR Fakten aus dem Kundenprofil oben
-5. Verwende NUR die sprachlichen Tags aus dem Bewertungsergebnis
-6. Erfinde KEINE zusaetzlichen Fakten oder Bewertungen
-7. Halte dich an die Terminologie-Vorgaben
-8. Dein Text wird ZWISCHEN feste Datentabellen eingefuegt
-
-OUTPUT-FORMAT: Antworte ausschliesslich als JSON:
-{
-  "blockId": "${blockId}",
-  "blockType": "${blockType}",
-  "language": "de",
-  "text": "...",
-  "assertions": {
-    "companyNameUsed": true/false,
-    "industryReferenced": true/false,
-    "structureReferenced": true/false,
-    "itLandscapeReferenced": true/false,
-    "narrativeTagsUsed": ["riskSummary", ...]
-  },
-  "forbiddenContentDetected": []
-}
-
-DOKUMENTENTYP: ${documentType}
-SEKTION: ${sectionName}
-BLOCK-TYP: ${blockType}
-ZIEL-LAENGE: ${targetWords} Woerter`
-}
-
-function buildBlockSpecificPrompt(blockType: string, sectionName: string, documentType: string): string {
-  switch (blockType) {
-    case 'introduction':
-      return `Schreibe eine Einleitung fuer das Dokument "${documentType}" (Sektion: ${sectionName}).
-Erklaere, warum dieses Dokument fuer das Unternehmen erstellt wurde.
-Gehe auf die spezifische Situation des Unternehmens ein.
-Erwaehne die Branche, die Organisationsform und die IT-Strategie.`
-    case 'transition':
-      return `Schreibe eine kurze Ueberleitung zur naechsten Sektion "${sectionName}".
-Verknuepfe den vorherigen Abschnitt logisch mit dem folgenden.`
-    case 'conclusion':
-      return `Schreibe einen abschliessenden Absatz fuer die Sektion "${sectionName}".
-Fasse die wesentlichen Punkte zusammen und verweise auf die fortlaufende Pflege.`
-    case 'appreciation':
-      return `Schreibe einen wertschaetzenden Satz ueber die bestehenden Massnahmen.
-Verwende dabei die sprachlichen Tags aus dem Bewertungsergebnis.
-Keine neuen Fakten erfinden — nur das Profil wuerdigen.`
-    default:
-      return `Schreibe einen Textabschnitt fuer "${sectionName}".`
-  }
-}
-
-async function callOllama(systemPrompt: string, userPrompt: string): Promise<string> {
-  const response = await fetch(`${OLLAMA_URL}/api/chat`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      model: LLM_MODEL,
-      messages: [
-        { role: 'system', content: systemPrompt },
-        { role: 'user', content: userPrompt },
-      ],
-      stream: false,
-      think: false,
-      options: { temperature: 0.15, num_predict: 4096, num_ctx: 8192 },
-      format: 'json',
-    }),
-    signal: AbortSignal.timeout(120000),
-  })
-
-  if (!response.ok) {
-    throw new Error(`Ollama error: ${response.status}`)
-  }
-
-  const result = await response.json()
-  return result.message?.content || ''
-}
-
-async function handleV2Draft(body: Record<string, unknown>): Promise<NextResponse> {
-  const { documentType, draftContext, instructions } = body as {
-    documentType: ScopeDocumentType
-    draftContext: DraftContext
-    instructions?: string
-  }
-
-  // Step 1: Constraint Check (Hard Gate)
-  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
-  if (!constraintCheck.allowed) {
-    return NextResponse.json({
-      draft: null,
-      constraintCheck,
-      tokensUsed: 0,
-      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
-    }, { status: 403 })
-  }
-
-  // Step 2: Derive Narrative Tags (deterministisch)
-  const scores = extractScoresFromDraftContext(draftContext)
-  const narrativeTags: NarrativeTags = deriveNarrativeTags(scores)
-
-  // Step 3: Build Allowed Facts
-  const allowedFacts = buildAllowedFactsFromDraftContext(draftContext, narrativeTags)
-
-  // Step 4: PII Sanitization
-  let sanitizationResult
-  try {
-    sanitizationResult = sanitizeAllowedFacts(allowedFacts)
-  } catch (error) {
-    if (error instanceof SanitizationError) {
-      return NextResponse.json({
-        error: `Sanitization Hard Abort: ${error.message} (Feld: ${error.field})`,
-        draft: null,
-        constraintCheck,
-        tokensUsed: 0,
-      }, { status: 422 })
-    }
-    throw error
-  }
-
-  const sanitizedFacts = sanitizationResult.facts
-
-  // Verify no remaining PII
-  const piiWarnings = validateNoRemainingPII(sanitizedFacts)
-  if (piiWarnings.length > 0) {
-    console.warn('PII-Warnungen nach Sanitization:', piiWarnings)
-  }
-
-  // Step 5: Build prompt components
-  const factsString = allowedFactsToPromptString(sanitizedFacts)
-  const tagsString = narrativeTagsToPromptString(narrativeTags)
-  const termsString = terminologyToPromptString()
-  const styleString = styleContractToPromptString()
-  const disallowedString = disallowedTopicsToPromptString()
-
-  // Compute prompt hash for audit
-  const promptHash = computeChecksumSync({ factsString, tagsString, termsString, styleString, disallowedString })
-
-  // Step 5b: RAG Legal Context (config-based)
-  const v2RagCfg = DOCUMENT_RAG_CONFIG[documentType]
-  const v2RagContext = await queryRAG(v2RagCfg.query, 3, v2RagCfg.collection)
-
-  // Step 6: Generate Prose Blocks (with cache + repair loop)
-  const proseBlocks = DOCUMENT_PROSE_BLOCKS[documentType] || DOCUMENT_PROSE_BLOCKS.tom
-  const generatedBlocks: ProseBlockOutput[] = []
-  const repairAudits: RepairAudit[] = []
-  let totalTokens = 0
-
-  for (const blockDef of proseBlocks) {
-    // Check cache
-    const cacheParams: CacheKeyParams = {
-      allowedFacts: sanitizedFacts,
-      templateVersion: TEMPLATE_VERSION,
-      terminologyVersion: TERMINOLOGY_VERSION,
-      narrativeTags,
-      promptHash,
-      blockType: blockDef.blockType,
-      sectionName: blockDef.sectionName,
-    }
-
-    const cached = proseCache.getSync(cacheParams)
-    if (cached) {
-      generatedBlocks.push(cached)
-      repairAudits.push({
-        repairAttempts: 0,
-        validatorFailures: [],
-        repairSuccessful: true,
-        fallbackUsed: false,
-      })
-      continue
-    }
-
-    // Build prompts
-    let systemPrompt = buildV2SystemPrompt(
-      factsString, tagsString, termsString, styleString, disallowedString,
-      sanitizedFacts.companyName,
-      blockDef.blockId, blockDef.blockType, blockDef.sectionName,
-      documentType, blockDef.targetWords
-    )
-    if (v2RagContext) {
-      systemPrompt += `\n\nRECHTSKONTEXT (als Referenz, nicht woertlich uebernehmen):\n${v2RagContext}`
-    }
-    const userPrompt = buildBlockSpecificPrompt(
-      blockDef.blockType, blockDef.sectionName, documentType
-    ) + (instructions ? `\n\nZusaetzliche Anweisungen: ${instructions}` : '')
-
-    // Call LLM + Repair Loop
-    try {
-      const rawOutput = await callOllama(systemPrompt, userPrompt)
-      totalTokens += rawOutput.length / 4 // Rough token estimate
-
-      const { block, audit } = await executeRepairLoop(
-        rawOutput,
-        sanitizedFacts,
-        narrativeTags,
-        blockDef.blockId,
-        blockDef.blockType,
-        async (repairPrompt) => callOllama(systemPrompt, repairPrompt),
-        documentType
-      )
-
-      generatedBlocks.push(block)
-      repairAudits.push(audit)
-
-      // Cache successful blocks (not fallbacks)
-      if (!audit.fallbackUsed) {
-        proseCache.setSync(cacheParams, block)
-      }
-    } catch (error) {
-      // LLM unreachable → Fallback
-      const { buildFallbackBlock } = await import('@/lib/sdk/drafting-engine/prose-validator')
-      generatedBlocks.push(
-        buildFallbackBlock(blockDef.blockId, blockDef.blockType, sanitizedFacts, documentType)
-      )
-      repairAudits.push({
-        repairAttempts: 0,
-        validatorFailures: [[(error as Error).message]],
-        repairSuccessful: false,
-        fallbackUsed: true,
-        fallbackReason: `LLM-Fehler: ${(error as Error).message}`,
-      })
-    }
-  }
-
-  // Step 7: Build v1-compatible draft sections from prose blocks + original prompt
-  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
-
-  // Also generate data sections via legacy pipeline
-  let dataSections: DraftSection[] = []
-  try {
-    const dataResponse = await callOllama(V1_SYSTEM_PROMPT, draftPrompt)
-    const parsed = JSON.parse(dataResponse)
-    dataSections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
-      id: String(s.id || `section-${i}`),
-      title: String(s.title || ''),
-      content: String(s.content || ''),
-      schemaField: s.schemaField ? String(s.schemaField) : undefined,
-    }))
-    totalTokens += dataResponse.length / 4
-  } catch {
-    dataSections = []
-  }
-
-  // Merge: Prose intro → Data sections → Prose transitions/conclusion
-  const introBlock = generatedBlocks.find(b => b.blockType === 'introduction')
-  const transitionBlocks = generatedBlocks.filter(b => b.blockType === 'transition')
-  const appreciationBlocks = generatedBlocks.filter(b => b.blockType === 'appreciation')
-  const conclusionBlock = generatedBlocks.find(b => b.blockType === 'conclusion')
-
-  const mergedSections: DraftSection[] = []
-
-  if (introBlock) {
-    mergedSections.push({
-      id: introBlock.blockId,
-      title: 'Einleitung',
-      content: introBlock.text,
-    })
-  }
-
-  for (let i = 0; i < dataSections.length; i++) {
-    // Insert transition before data section (if available)
-    if (i > 0 && transitionBlocks[i - 1]) {
-      mergedSections.push({
-        id: transitionBlocks[i - 1].blockId,
-        title: '',
-        content: transitionBlocks[i - 1].text,
-      })
-    }
-    mergedSections.push(dataSections[i])
-  }
-
-  for (const block of appreciationBlocks) {
-    mergedSections.push({
-      id: block.blockId,
-      title: 'Wuerdigung',
-      content: block.text,
-    })
-  }
-
-  if (conclusionBlock) {
-    mergedSections.push({
-      id: conclusionBlock.blockId,
-      title: 'Fazit',
-      content: conclusionBlock.text,
-    })
-  }
-
-  // If no data sections generated, use prose blocks as sections
-  const finalSections = mergedSections.length > 0 ? mergedSections : generatedBlocks.map(b => ({
-    id: b.blockId,
-    title: b.blockType === 'introduction' ? 'Einleitung' :
-           b.blockType === 'conclusion' ? 'Fazit' :
-           b.blockType === 'appreciation' ? 'Wuerdigung' : 'Ueberleitung',
-    content: b.text,
-  }))
-
-  const draft: DraftRevision = {
-    id: `draft-v2-${Date.now()}`,
-    content: finalSections.map(s => s.title ? `## ${s.title}\n\n${s.content}` : s.content).join('\n\n'),
-    sections: finalSections,
-    createdAt: new Date().toISOString(),
-    instruction: instructions,
-  }
-
-  // Step 8: Build Audit Trail
-  const auditTrail = {
-    documentType,
-    templateVersion: TEMPLATE_VERSION,
-    terminologyVersion: TERMINOLOGY_VERSION,
-    validatorVersion: VALIDATOR_VERSION,
-    promptHash,
-    llmModel: LLM_MODEL,
-    llmTemperature: 0.15,
-    llmProvider: 'ollama',
-    narrativeTags,
-    sanitization: sanitizationResult.audit,
-    repairAudits,
-    proseBlocks: generatedBlocks.map((b, i) => ({
-      blockId: b.blockId,
-      blockType: b.blockType,
-      wordCount: b.text.split(/\s+/).filter(Boolean).length,
-      fallbackUsed: repairAudits[i]?.fallbackUsed ?? false,
-      repairAttempts: repairAudits[i]?.repairAttempts ?? 0,
-    })),
-    cacheStats: proseCache.getStats(),
-  }
-
-  // Anti-Fake-Evidence: Truth label for all LLM-generated content
-  const truthLabel = {
-    generation_mode: 'draft_assistance',
-    truth_status: 'generated',
-    may_be_used_as_evidence: false,
-    generated_by: 'system',
-  }
-
-  // Fire-and-forget: persist LLM audit trail to backend
-  try {
-    const BACKEND_URL = process.env.BACKEND_COMPLIANCE_URL || 'http://backend-compliance:8002'
-    fetch(`${BACKEND_URL}/api/compliance/llm-audit`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        entity_type: 'document',
-        entity_id: null,
-        generation_mode: 'draft_assistance',
-        truth_status: 'generated',
-        may_be_used_as_evidence: false,
-        llm_model: LLM_MODEL,
-        llm_provider: 'ollama',
-        input_summary: `${documentType} draft generation`,
-        output_summary: draft?.sections?.length ? `${draft.sections.length} sections generated` : 'draft generated',
-      }),
-    }).catch(() => {/* fire-and-forget */})
-  } catch {
-    // LLM audit persistence failure should not block the response
-  }
-
-  return NextResponse.json({
-    draft,
-    constraintCheck,
-    tokensUsed: Math.round(totalTokens),
-    pipelineVersion: 'v2',
-    auditTrail,
-    truthLabel,
-  })
-}
+import { handleV1Draft, handleV2Draft } from './draft-helpers'

 // ============================================================================
 // Route Handler
@@ -6,7 +6,7 @@
 */

 import { NextRequest, NextResponse } from 'next/server'
-import { DOCUMENT_SCOPE_MATRIX, DOCUMENT_TYPE_LABELS, getDepthLevelNumeric } from '@/lib/sdk/compliance-scope-types'
+import { DOCUMENT_SCOPE_MATRIX_CORE, DOCUMENT_TYPE_LABELS, getDepthLevelNumeric } from '@/lib/sdk/compliance-scope-types'
 import type { ScopeDocumentType, ComplianceDepthLevel } from '@/lib/sdk/compliance-scope-types'
 import type { ValidationContext, ValidationResult, ValidationFinding } from '@/lib/sdk/drafting-engine/types'
 import { buildCrossCheckPrompt } from '@/lib/sdk/drafting-engine/prompts/validate-cross-check'
@@ -94,7 +94,7 @@ function deterministicCheck(
  const findings: ValidationFinding[] = []
  const level = validationContext.scopeLevel
  const levelNumeric = getDepthLevelNumeric(level)
-  const req = DOCUMENT_SCOPE_MATRIX[documentType]?.[level]
+  const req = DOCUMENT_SCOPE_MATRIX_CORE[documentType]?.[level]

  // Check 1: Ist das Dokument auf diesem Level erforderlich?
  if (req && !req.required && levelNumeric < 3) {
@@ -109,8 +109,8 @@ function deterministicCheck(
  }

  // Check 2: VVT vorhanden wenn erforderlich?
-  const vvtReq = DOCUMENT_SCOPE_MATRIX.vvt[level]
-  if (vvtReq.required && validationContext.crossReferences.vvtCategories.length === 0) {
+  const vvtReq = DOCUMENT_SCOPE_MATRIX_CORE.vvt?.[level]
+  if (vvtReq?.required && validationContext.crossReferences.vvtCategories.length === 0) {
    findings.push({
      id: 'DET-VVT-MISSING',
      severity: 'error',
@@ -0,0 +1,42 @@
+/**
+ * Agent Analyze API Proxy
+ * POST /api/sdk/v1/agent/analyze → backend-compliance /api/compliance/agent/analyze
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/analyze`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-Id': '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+        'X-User-Id': '00000000-0000-0000-0000-000000000001',
+      },
+      body,
+      signal: AbortSignal.timeout(120000), // 2 min — LLM can be slow
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Backend: ${response.status}`, detail: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Agent analyze proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
@@ -0,0 +1,28 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/audit/<checkId>
+ *   -> backend GET /api/compliance/agent/audit/<checkId>
+ *
+ * Forwards optional query params (doc_type, regulation, only_failed).
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ checkId: string }> },
+) {
+  const { checkId } = await params
+  const qs = request.nextUrl.searchParams.toString()
+  const url = `${BACKEND_URL}/api/compliance/agent/audit/${checkId}${qs ? `?${qs}` : ''}`
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout(15000) })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Audit-Abfrage fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+const CONSENT_URL = process.env.CONSENT_TESTER_URL || 'http://bp-compliance-consent-tester:8094'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${CONSENT_URL}/authenticated-scan`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(120000),
+    })
+    if (!response.ok) {
+      return NextResponse.json({ error: `Auth-Test: ${response.status}` }, { status: response.status })
+    }
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    return NextResponse.json({ error: 'Auth-Test fehlgeschlagen' }, { status: 503 })
+  }
+}
@@ -0,0 +1,42 @@
+/**
+ * Banner Check API Proxy — calls consent-tester /scan endpoint
+ *
+ * POST /api/sdk/v1/agent/banner-check → runs 3-phase cookie banner test
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+    const { url, categories = [] } = body
+
+    if (!url) {
+      return NextResponse.json({ error: 'URL erforderlich' }, { status: 400 })
+    }
+
+    // Call backend which proxies to consent-tester
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/banner-check`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ url, categories }),
+      signal: AbortSignal.timeout(120000), // 2 min for Playwright
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Backend: ${response.status}`, detail: errorText },
+        { status: response.status },
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : 'Unknown error'
+    return NextResponse.json({ error: msg }, { status: 500 })
+  }
+}
@@ -0,0 +1,28 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/banner/<checkId>
+ *   -> backend GET /api/compliance/agent/banner/<checkId>
+ *
+ * Liefert das volle banner_result (phases, structured_checks, category_tests).
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: Promise<{ checkId: string }> },
+) {
+  const { checkId } = await params
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/banner/${checkId}`,
+      { signal: AbortSignal.timeout(15000) },
+    )
+    const data = await resp.json().catch(() => ({}))
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Banner-Abfrage fehlgeschlagen' }, { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/compare`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(300000),
+    })
+    if (!response.ok) {
+      return NextResponse.json({ error: `Backend: ${response.status}` }, { status: response.status })
+    }
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    return NextResponse.json({ error: 'Vergleich fehlgeschlagen' }, { status: 503 })
+  }
+}
@@ -0,0 +1,39 @@
+/**
+ * Unified Compliance Check Proxy
+ * POST: start check for all documents, GET: poll status
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/compliance-check`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(30000),
+    })
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    return NextResponse.json({ error: 'Pruefung konnte nicht gestartet werden' }, { status: 503 })
+  }
+}
+
+export async function GET(request: NextRequest) {
+  const checkId = request.nextUrl.searchParams.get('check_id')
+  if (!checkId) return NextResponse.json({ error: 'check_id required' }, { status: 400 })
+  try {
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/compliance-check/${checkId}`,
+      { signal: AbortSignal.timeout(10000) },
+    )
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch {
+    return NextResponse.json({ error: 'Status-Abfrage fehlgeschlagen' }, { status: 503 })
+  }
+}
@@ -0,0 +1,142 @@
+/**
+ * Consent Test API Proxy
+ * POST /api/sdk/v1/agent/consent-test → consent-tester:8094/scan → email via backend
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const CONSENT_TESTER_URL = process.env.CONSENT_TESTER_URL || 'http://bp-compliance-consent-tester:8094'
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+interface Violation { service: string; severity: string; text: string; legal_ref: string }
+
+function buildEmailHtml(data: any): string {
+  const url = data.url || ''
+  const banner = data.banner_detected ? data.banner_provider : 'Nicht erkannt'
+  const phases = data.phases || {}
+  const summary = data.summary || {}
+
+  const sev = (s: string) => s === 'CRITICAL'
+    ? '<span style="background:#991b1b;color:white;padding:2px 6px;border-radius:3px;font-size:11px;">KRITISCH</span>'
+    : '<span style="background:#ea580c;color:white;padding:2px 6px;border-radius:3px;font-size:11px;">HOCH</span>'
+
+  const violationRows = (violations: Violation[]) => violations.length === 0
+    ? '<tr><td colspan="3" style="padding:6px;color:#16a34a;">✓ Keine Verstoesse</td></tr>'
+    : violations.map(v =>
+      `<tr><td style="padding:6px;">${sev(v.severity)}</td><td style="padding:6px;font-weight:600;">${v.service}</td><td style="padding:6px;">${v.text}<br><span style="color:#6b7280;font-size:11px;">${v.legal_ref}</span></td></tr>`
+    ).join('')
+
+  const undocRows = (items: string[]) => items.length === 0
+    ? ''
+    : items.map(s => `<tr><td style="padding:6px;">⚠</td><td style="padding:6px;font-weight:600;">${s}</td><td style="padding:6px;">Nicht in Cookie-Policy dokumentiert</td></tr>`).join('')
+
+  return `
+    <div style="font-family:-apple-system,sans-serif;max-width:700px;margin:0 auto;">
+      <div style="background:linear-gradient(135deg,#1e1b4b,#312e81);color:white;padding:20px 24px;border-radius:12px 12px 0 0;">
+        <h2 style="margin:0;font-size:18px;">Cookie-Consent-Test</h2>
+        <p style="margin:4px 0 0;opacity:0.8;font-size:13px;">${url}</p>
+      </div>
+
+      <div style="padding:20px 24px;border:1px solid #e2e8f0;border-top:none;">
+        <table style="width:100%;border-collapse:collapse;margin-bottom:20px;">
+          <tr><td style="padding:6px 0;color:#64748b;width:160px;">Cookie-Banner</td><td style="padding:6px 0;font-weight:600;">${data.banner_detected ? '✓ ' + banner : '✗ Nicht erkannt'}</td></tr>
+          <tr><td style="padding:6px 0;color:#64748b;">Kritische Verstoesse</td><td style="padding:6px 0;"><strong style="color:${summary.critical > 0 ? '#dc2626' : '#16a34a'}">${summary.critical || 0}</strong></td></tr>
+          <tr><td style="padding:6px 0;color:#64748b;">Hohe Verstoesse</td><td style="padding:6px 0;"><strong style="color:${summary.high > 0 ? '#ea580c' : '#16a34a'}">${summary.high || 0}</strong></td></tr>
+          <tr><td style="padding:6px 0;color:#64748b;">Undokumentiert</td><td style="padding:6px 0;">${summary.undocumented || 0}</td></tr>
+        </table>
+
+        <h3 style="color:#1e293b;font-size:14px;margin:20px 0 8px;border-bottom:2px solid #e2e8f0;padding-bottom:6px;">
+          🔍 Phase A: Vor Einwilligung
+        </h3>
+        <p style="color:#64748b;font-size:12px;margin:0 0 8px;">Was laedt OHNE dass der Nutzer etwas geklickt hat?</p>
+        <table style="width:100%;border-collapse:collapse;">${violationRows(phases.before_consent?.violations || [])}</table>
+
+        ${data.banner_detected ? `
+        <h3 style="color:#1e293b;font-size:14px;margin:20px 0 8px;border-bottom:2px solid #e2e8f0;padding-bottom:6px;">
+          🚫 Phase B: Nach Ablehnung
+        </h3>
+        <p style="color:#64748b;font-size:12px;margin:0 0 8px;">Was laedt NACHDEM der Nutzer "Nur notwendige" geklickt hat?</p>
+        <table style="width:100%;border-collapse:collapse;">${violationRows(phases.after_reject?.violations || [])}</table>
+
+        <h3 style="color:#1e293b;font-size:14px;margin:20px 0 8px;border-bottom:2px solid #e2e8f0;padding-bottom:6px;">
+          ✅ Phase C: Nach Zustimmung
+        </h3>
+        <p style="color:#64748b;font-size:12px;margin:0 0 8px;">Was laedt NACHDEM der Nutzer "Alle akzeptieren" geklickt hat?</p>
+        <table style="width:100%;border-collapse:collapse;">${undocRows(phases.after_accept?.undocumented || [])}</table>
+        ${(phases.after_accept?.undocumented?.length || 0) === 0 ? '<p style="color:#16a34a;font-size:13px;">✓ Alle Dienste dokumentiert</p>' : ''}
+        ` : `
+        <div style="background:#fef2f2;border:1px solid #fecaca;border-radius:8px;padding:12px;margin:12px 0;">
+          <strong style="color:#dc2626;">Kein Cookie-Banner erkannt.</strong>
+          Alle Tracking-Dienste laden ohne Einwilligung — Verstoss gegen §25 TDDDG.
+        </div>
+        `}
+
+        ${(summary.critical || 0) > 0 ? `
+        <div style="background:#fef2f2;border-left:4px solid #dc2626;padding:12px 16px;margin-top:20px;">
+          <strong style="color:#991b1b;">⚠ KRITISCH:</strong> Tracking-Dienste laden trotz Ablehnung.
+          Dies ist ein schwerer Verstoss gegen §25 TDDDG und kann als Dark Pattern gewertet werden.
+          Sofortige Korrektur der Cookie-Banner-Konfiguration empfohlen.
+        </div>
+        ` : ''}
+      </div>
+
+      <div style="background:#f8fafc;padding:12px 24px;border:1px solid #e2e8f0;border-top:none;border-radius:0 0 12px 12px;">
+        <p style="color:#94a3b8;font-size:11px;margin:0;">
+          Automatisch erstellt vom BreakPilot Compliance Agent (Playwright + Chromium)
+        </p>
+      </div>
+    </div>
+  `
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+    const url = body.url
+
+    // Step 1: Run consent test
+    const response = await fetch(`${CONSENT_TESTER_URL}/scan`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(180000),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Consent-Tester: ${response.status}`, detail: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+
+    // Step 2: Send email with phase-structured findings
+    try {
+      const total = (data.summary?.total_violations || 0)
+      const severity = (data.summary?.critical || 0) > 0 ? 'KRITISCH' : total > 0 ? 'FINDINGS' : 'OK'
+      await fetch(`${BACKEND_URL}/api/compliance/agent/notify`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          recipient: body.recipient || 'dsb@breakpilot.local',
+          subject: `[COOKIE-TEST] [${severity}] ${url} — ${total} Verstoesse`,
+          body_html: buildEmailHtml({ ...data, url }),
+          role: total > 0 ? 'Datenschutzbeauftragter' : 'Kein Handlungsbedarf',
+        }),
+        signal: AbortSignal.timeout(10000),
+      })
+    } catch (emailErr) {
+      console.warn('Email send failed (non-blocking):', emailErr)
+    }
+
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Consent test proxy error:', error)
+    return NextResponse.json(
+      { error: 'Cookie-Test fehlgeschlagen oder Timeout' },
+      { status: 503 }
+    )
+  }
+}
@@ -0,0 +1,39 @@
+/**
+ * Agent Doc-Check Proxy — Multi-URL document verification
+ * POST: start check, GET: poll status
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/doc-check`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(30000),
+    })
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    return NextResponse.json({ error: 'Pruefung konnte nicht gestartet werden' }, { status: 503 })
+  }
+}
+
+export async function GET(request: NextRequest) {
+  const checkId = request.nextUrl.searchParams.get('check_id')
+  if (!checkId) return NextResponse.json({ error: 'check_id required' }, { status: 400 })
+  try {
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/doc-check/${checkId}`,
+      { signal: AbortSignal.timeout(10000) },
+    )
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch {
+    return NextResponse.json({ error: 'Status-Abfrage fehlgeschlagen' }, { status: 503 })
+  }
+}
@@ -0,0 +1,27 @@
+/**
+ * Text Extraction Proxy — extract text from a URL via consent-tester
+ * POST: { url: string } -> { text, word_count, title, error }
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/extract-text`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(120000),
+    })
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    return NextResponse.json(
+      { text: '', word_count: 0, title: '', error: 'Text-Extraktion fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,28 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/findings/<checkId>
+ *   -> backend GET /api/compliance/agent/findings/<checkId>
+ *
+ * Forwards all query params (source, severity, doc_type, status, q, limit).
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ checkId: string }> },
+) {
+  const { checkId } = await params
+  const qs = request.nextUrl.searchParams.toString()
+  const url = `${BACKEND_URL}/api/compliance/agent/findings/${checkId}${qs ? `?${qs}` : ''}`
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout(20000) })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Findings-Abfrage fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,25 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/migration/<checkId>/banner-preview
+ *   -> backend GET /api/compliance/agent/migration/<checkId>/banner-preview
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: { checkId: string } },
+) {
+  const qs = request.nextUrl.searchParams.toString()
+  const url = `${BACKEND_URL}/api/compliance/agent/migration/${params.checkId}/banner-preview${qs ? `?${qs}` : ''}`
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout(15000) })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Banner-Preview fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,24 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/migration/<checkId>/document-preview
+ *   -> backend GET /api/compliance/agent/migration/<checkId>/document-preview
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: { checkId: string } },
+) {
+  const url = `${BACKEND_URL}/api/compliance/agent/migration/${params.checkId}/document-preview`
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout(15000) })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Dokument-Preview fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,24 @@
+/**
+ * Proxy: GET /api/sdk/v1/agent/migration/<checkId>/summary
+ *   -> backend GET /api/compliance/agent/migration/<checkId>/summary
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: { checkId: string } },
+) {
+  const url = `${BACKEND_URL}/api/compliance/agent/migration/${params.checkId}/summary`
+  try {
+    const resp = await fetch(url, { signal: AbortSignal.timeout(15000) })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json(
+      { error: 'Migrations-Summary fehlgeschlagen' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,30 @@
+/**
+ * Agent Notify API Proxy
+ * POST /api/sdk/v1/agent/notify → backend-compliance /api/compliance/agent/notify
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/notify`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(15000),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: errorText }, { status: response.status })
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Agent notify proxy error:', error)
+    return NextResponse.json({ error: 'Email-Versand fehlgeschlagen' }, { status: 503 })
+  }
+}
@@ -0,0 +1,70 @@
+/**
+ * Agent Scan API Proxy — async scan with polling
+ *
+ * POST /api/sdk/v1/agent/scan → starts scan, returns scan_id
+ * GET  /api/sdk/v1/agent/scan?scan_id=xxx → poll status/results
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+
+    // Start async scan — returns immediately with scan_id
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/scan`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(300000), // 5 min — multi-page scan + LLM calls
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Backend: ${response.status}`, detail: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Agent scan proxy error:', error)
+    return NextResponse.json(
+      { error: 'Scan konnte nicht gestartet werden' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(request: NextRequest) {
+  const scanId = request.nextUrl.searchParams.get('scan_id')
+  if (!scanId) {
+    return NextResponse.json({ error: 'scan_id parameter required' }, { status: 400 })
+  }
+
+  try {
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/agent/scan/${scanId}`,
+      { signal: AbortSignal.timeout(10000) }
+    )
+
+    if (!response.ok) {
+      return NextResponse.json(
+        { error: `Backend: ${response.status}` },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    return NextResponse.json(
+      { error: 'Status-Abfrage fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
@@ -0,0 +1,36 @@
+/**
+ * PDF Export Proxy
+ * POST /api/sdk/v1/agent/scans/pdf → backend /api/compliance/agent/scans/pdf
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/scans/pdf`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(30000),
+    })
+
+    if (!response.ok) {
+      return NextResponse.json({ error: 'PDF generation failed' }, { status: response.status })
+    }
+
+    const pdfBytes = await response.arrayBuffer()
+    return new NextResponse(pdfBytes, {
+      headers: {
+        'Content-Type': 'application/pdf',
+        'Content-Disposition': 'attachment; filename="compliance-report.pdf"',
+      },
+    })
+  } catch (error) {
+    console.error('PDF proxy error:', error)
+    return NextResponse.json({ error: 'PDF generation failed' }, { status: 503 })
+  }
+}
@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`)
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registration' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update registration' }, { status: 500 })
+  }
+}
+
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}/status`, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update status' }, { status: 500 })
+  }
+}
@@ -0,0 +1,32 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registrations' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create registration' }, { status: 500 })
+  }
+}
@@ -0,0 +1,74 @@
+/**
+ * Banner API Proxy — catch-all route for cookie banner endpoints.
+ *
+ * Maps: /api/sdk/v1/banner/<path> → backend-compliance:8002/api/compliance/banner/<path>
+ *
+ * Solves: Browser cannot call backend-compliance:8093 directly due to
+ * self-signed SSL certificates. This proxy runs server-side where
+ * certificate validation is not an issue.
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string,
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const qs = request.nextUrl.searchParams.toString()
+  const base = `${BACKEND_URL}/api/compliance/banner`
+  const url = pathStr
+    ? `${base}/${pathStr}${qs ? `?${qs}` : ''}`
+    : `${base}${qs ? `?${qs}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'X-Tenant-ID': request.headers.get('x-tenant-id') || DEFAULT_TENANT,
+    }
+    const ct = request.headers.get('Content-Type')
+    if (ct) headers['Content-Type'] = ct
+
+    const opts: RequestInit = { method, headers, signal: AbortSignal.timeout(30000) }
+
+    if (method === 'POST' || method === 'PUT') {
+      const body = await request.text()
+      if (body) opts.body = body
+    }
+
+    const res = await fetch(url, opts)
+    const text = await res.text()
+    let data
+    try { data = JSON.parse(text) } catch { data = { raw: text } }
+
+    if (!res.ok) {
+      return NextResponse.json(
+        { error: `Backend ${res.status}`, ...data },
+        { status: res.status },
+      )
+    }
+    return NextResponse.json(data)
+  } catch (err: any) {
+    console.error('Banner proxy error:', err?.message)
+    return NextResponse.json(
+      { error: 'Backend nicht erreichbar' },
+      { status: 503 },
+    )
+  }
+}
+
+export async function GET(req: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxyRequest(req, (await params).path, 'GET')
+}
+export async function POST(req: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxyRequest(req, (await params).path, 'POST')
+}
+export async function PUT(req: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxyRequest(req, (await params).path, 'PUT')
+}
+export async function DELETE(req: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxyRequest(req, (await params).path, 'DELETE')
+}
@@ -26,8 +26,8 @@ export async function GET(request: NextRequest) {

      case 'controls': {
        const controlParams = new URLSearchParams()
-        const passthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category',
-          'target_audience', 'source', 'search', 'control_type', 'sort', 'order', 'limit', 'offset']
+        const passthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates', 'sort', 'order', 'limit', 'offset']
        for (const key of passthrough) {
          const val = searchParams.get(key)
          if (val) controlParams.set(key, val)
@@ -39,8 +39,8 @@ export async function GET(request: NextRequest) {

      case 'controls-count': {
        const countParams = new URLSearchParams()
-        const countPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category',
-          'target_audience', 'source', 'search', 'control_type']
+        const countPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
        for (const key of countPassthrough) {
          const val = searchParams.get(key)
          if (val) countParams.set(key, val)
@@ -50,9 +50,18 @@ export async function GET(request: NextRequest) {
        break
      }

-      case 'controls-meta':
-        backendPath = '/api/compliance/v1/canonical/controls-meta'
+      case 'controls-meta': {
+        const metaParams = new URLSearchParams()
+        const metaPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
+        for (const key of metaPassthrough) {
+          const val = searchParams.get(key)
+          if (val) metaParams.set(key, val)
+        }
+        const metaQs = metaParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls-meta${metaQs ? `?${metaQs}` : ''}`
        break
+      }

      case 'control': {
        const controlId = searchParams.get('id')
@@ -108,6 +117,19 @@ export async function GET(request: NextRequest) {
        break
      }

+      case 'provenance': {
+        const provId = searchParams.get('id')
+        if (!provId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(provId)}/provenance`
+        break
+      }
+
+      case 'atomic-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/atomic-stats'
+        break
+
      case 'similar': {
        const simControlId = searchParams.get('id')
        if (!simControlId) {
@@ -122,6 +144,23 @@ export async function GET(request: NextRequest) {
        backendPath = '/api/compliance/v1/canonical/blocked-sources'
        break

+      case 'v1-matches': {
+        const matchId = searchParams.get('id')
+        if (!matchId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(matchId)}/v1-matches`
+        break
+      }
+
+      case 'v1-enrichment-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/v1-enrichment-stats'
+        break
+
+      case 'obligation-dedup-stats':
+        backendPath = '/api/compliance/v1/canonical/obligations/dedup-stats'
+        break
+
      case 'controls-customer': {
        const custSeverity = searchParams.get('severity')
        const custDomain = searchParams.get('domain')
@@ -188,6 +227,16 @@ export async function POST(request: NextRequest) {
      backendPath = '/api/compliance/v1/canonical/generate/bulk-review'
    } else if (endpoint === 'blocked-sources-cleanup') {
      backendPath = '/api/compliance/v1/canonical/blocked-sources/cleanup'
+    } else if (endpoint === 'enrich-v1-matches') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '100'
+      const enrichOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/controls/enrich-v1-matches?dry_run=${dryRun}&batch_size=${batchSize}&offset=${enrichOffset}`
+    } else if (endpoint === 'obligation-dedup') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '0'
+      const dedupOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/obligations/dedup?dry_run=${dryRun}&batch_size=${batchSize}&offset=${dedupOffset}`
    } else if (endpoint === 'similarity-check') {
      const controlId = searchParams.get('id')
      if (!controlId) {
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ checkId: string }> }) {
+  const { checkId } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/checks/${checkId}/run`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+      body: body || '{}',
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ docId: string }> }) {
+  const { docId } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/documents/${docId}/approve`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ docId: string }> }) {
+  const { docId } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/documents/${docId}`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/backlog`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /checks (no body) -> backend /checks/init creates default checks */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks/init`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/documents/generate`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/cra/projects/${id}/documents${qs ? `?${qs}` : ''}`,
+      { headers: { 'X-Tenant-ID': tenant(request) } }
+    )
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/monitoring`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,29 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/path-select`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/requirements`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+async function proxy(request: NextRequest, method: string, id: string, body?: string) {
+  const tenantId = tenantHeader(request)
+  const init: RequestInit = {
+    method,
+    headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+  }
+  if (body !== undefined) init.body = body
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}`, init)
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'GET', id)
+}
+
+export async function PATCH(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const body = await request.text()
+  return proxy(request, 'PATCH', id, body)
+}
+
+export async function DELETE(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'DELETE', id)
+}
@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /sbom -> List uploads. We map this to the backend /sboms endpoint. */
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sboms`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /sbom -> multipart upload to backend /sbom/upload */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const formData = await request.formData()
+    const upstreamForm = new FormData()
+    for (const [key, value] of formData.entries()) {
+      upstreamForm.append(key, value)
+    }
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sbom/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+      body: upstreamForm as unknown as BodyInit,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,24 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/scope-check`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/vulnerabilities`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/vulnerabilities`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request), 'Content-Type': 'application/json' },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /api/sdk/v1/cra/projects -> Backend list */
+export async function GET(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/cra/projects${qs ? `?${qs}` : ''}`,
+      { headers: { 'X-Tenant-ID': tenantId } }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+/** POST /api/sdk/v1/cra/projects -> Backend create */
+export async function POST(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
@@ -0,0 +1,43 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function PATCH(request: NextRequest, ctx: { params: Promise<{ vulnId: string }> }) {
+  const { vulnId } = await ctx.params
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/vulnerabilities/${vulnId}`, {
+      method: 'PATCH',
+      headers: { 'X-Tenant-ID': tenant(request), 'Content-Type': 'application/json' },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+export async function DELETE(request: NextRequest, ctx: { params: Promise<{ vulnId: string }> }) {
+  const { vulnId } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/vulnerabilities/${vulnId}`, {
+      method: 'DELETE',
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -1,52 +0,0 @@
-/**
- * Demo Data Clear API Endpoint
- *
- * Clears demo data from the storage (same mechanism as real customer data).
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-
-// Shared store reference (same as seed endpoint)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function DELETE(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant' } = body
-
-    const existed = stateStore.has(tenantId)
-    stateStore.delete(tenantId)
-
-    return NextResponse.json({
-      success: true,
-      message: existed
-        ? `Demo data cleared for tenant ${tenantId}`
-        : `No data found for tenant ${tenantId}`,
-      tenantId,
-      existed,
-    })
-  } catch (error) {
-    console.error('Failed to clear demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  // Also support POST for clearing (for clients that don't support DELETE)
-  return DELETE(request)
-}
@@ -1,77 +0,0 @@
-/**
- * Demo Data Seed API Endpoint
- *
- * This endpoint seeds demo data via the same storage mechanism as real customer data.
- * Demo data is NOT hardcoded - it goes through the normal API/database path.
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-import { generateDemoState } from '@/lib/sdk/demo-data'
-
-// In-memory store (same as state endpoint - will be replaced with PostgreSQL)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function POST(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant', userId = 'demo-user' } = body
-
-    // Generate demo state using the seed data templates
-    const demoState = generateDemoState(tenantId, userId)
-
-    // Store via the same mechanism as real data
-    const storedState = {
-      state: demoState,
-      version: 1,
-      updatedAt: new Date(),
-    }
-
-    stateStore.set(tenantId, storedState)
-
-    return NextResponse.json({
-      success: true,
-      message: `Demo data seeded for tenant ${tenantId}`,
-      tenantId,
-      version: 1,
-    })
-  } catch (error) {
-    console.error('Failed to seed demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const tenantId = searchParams.get('tenantId') || 'demo-tenant'
-
-  const stored = stateStore.get(tenantId)
-
-  if (!stored) {
-    return NextResponse.json({
-      hasData: false,
-      tenantId,
-    })
-  }
-
-  return NextResponse.json({
-    hasData: true,
-    tenantId,
-    version: stored.version,
-    updatedAt: stored.updatedAt,
-  })
-}
@@ -0,0 +1,22 @@
+/**
+ * DSMS Gateway Proxy — forwards verify/history requests to dsms-gateway.
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const DSMS_URL = process.env.DSMS_GATEWAY_URL || 'http://dsms-gateway:8082'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const { path } = await params
+  const target = `${DSMS_URL}/api/v1/${path.join('/')}`
+
+  try {
+    const resp = await fetch(target, {
+      headers: { Authorization: 'Bearer system-frontend' },
+      signal: AbortSignal.timeout(15000),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'DSMS not available' }, { status: 503 })
+  }
+}
@@ -23,12 +23,13 @@ function getTenantId(request: NextRequest): string {
 */
 export async function GET(
  request: NextRequest,
-  { params }: { params: { id: string } }
+  { params }: { params: Promise<{ id: string }> }
 ) {
  try {
+    const { id } = await params
    const tenantId = getTenantId(request)
    const response = await fetch(
-      `${BACKEND_URL}/api/compliance/einwilligungen/consents/${params.id}/history`,
+      `${BACKEND_URL}/api/compliance/einwilligungen/consents/${id}/history`,
      {
        method: 'GET',
        headers: {
@@ -0,0 +1,55 @@
+/**
+ * Proxy: GET /api/sdk/v1/einwilligungen/export?format=csv|json&kind=consents|history
+ *   -> backend /api/compliance/einwilligungen/export/<file>
+ *
+ * Streams the backend response straight through (CSV or JSON download).
+ */
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function getTenantHeader(request: NextRequest): HeadersInit {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+  const clientTenantId = request.headers.get('x-tenant-id') || request.headers.get('X-Tenant-ID')
+  const tenantId = (clientTenantId && uuidRegex.test(clientTenantId))
+    ? clientTenantId
+    : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+  return { 'X-Tenant-ID': tenantId }
+}
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url)
+  const fmt = (searchParams.get('format') || 'csv').toLowerCase()
+  const kind = (searchParams.get('kind') || 'consents').toLowerCase()
+
+  const filename = `${kind}.${fmt === 'json' ? 'json' : 'csv'}`
+  const upstreamPath = `/api/compliance/einwilligungen/export/${filename}`
+
+  const passthroughParams = new URLSearchParams()
+  for (const k of ['user_id', 'granted', 'since', 'consent_id']) {
+    const v = searchParams.get(k)
+    if (v) passthroughParams.set(k, v)
+  }
+  const qs = passthroughParams.toString()
+  const url = `${BACKEND_URL}${upstreamPath}${qs ? `?${qs}` : ''}`
+
+  try {
+    const r = await fetch(url, { headers: getTenantHeader(request) })
+    if (!r.ok) {
+      const text = await r.text()
+      return NextResponse.json({ error: text || `HTTP ${r.status}` }, { status: r.status })
+    }
+    return new NextResponse(r.body, {
+      status: 200,
+      headers: {
+        'Content-Type': r.headers.get('content-type') || 'application/octet-stream',
+        'Content-Disposition': r.headers.get('content-disposition') || `attachment; filename=${filename}`,
+      },
+    })
+  } catch (e) {
+    return NextResponse.json(
+      { error: 'Export-Proxy fehlgeschlagen', detail: String(e) },
+      { status: 503 },
+    )
+  }
+}
@@ -30,15 +30,15 @@ async function proxyRequest(
      headers['Authorization'] = authHeader
    }

+    // Default tenant/user for IACE (same pattern as training proxy)
+    const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const DEFAULT_USER = '00000000-0000-0000-0000-000000000001'
+
    const tenantHeader = request.headers.get('x-tenant-id')
-    if (tenantHeader) {
-      headers['X-Tenant-Id'] = tenantHeader
-    }
+    headers['X-Tenant-Id'] = tenantHeader || DEFAULT_TENANT

    const userHeader = request.headers.get('x-user-id')
-    if (userHeader) {
-      headers['X-User-Id'] = userHeader
-    }
+    headers['X-User-Id'] = userHeader || DEFAULT_USER

    const fetchOptions: RequestInit = {
      method,
@@ -0,0 +1,229 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { Pool } from 'pg'
+
+// Disable SSL rejection for self-signed certs
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+
+const dbUrl = process.env.COMPLIANCE_DATABASE_URL ||
+  process.env.DATABASE_URL ||
+  'postgresql://breakpilot:breakpilot123@bp-core-postgres:5432/breakpilot_db'
+
+const pool = new Pool({ connectionString: dbUrl })
+
+/**
+ * MC API that returns data in the same format as the canonical controls
+ * endpoint. This allows the MC page to reuse ControlListView components.
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'controls'
+
+    switch (endpoint) {
+      case 'frameworks':
+        return NextResponse.json([])
+
+      case 'controls':
+        return handleControls(searchParams)
+
+      case 'controls-count':
+        return handleCount(searchParams)
+
+      case 'controls-meta':
+        return handleMeta(searchParams)
+
+      case 'control':
+        return handleDetail(searchParams)
+
+      default:
+        return NextResponse.json({ error: 'unknown' }, { status: 400 })
+    }
+  } catch (e) {
+    return NextResponse.json({ error: String(e) }, { status: 500 })
+  }
+}
+
+async function handleControls(params: URLSearchParams) {
+  const search = params.get('search') || ''
+  const limit = Math.min(parseInt(params.get('limit') || '50'), 200)
+  const offset = parseInt(params.get('offset') || '0')
+  const sort = params.get('sort') || 'control_id'
+  const order = params.get('order') === 'desc' ? 'DESC' : 'ASC'
+
+  let where = "WHERE 1=1"
+  const args: unknown[] = []
+  let idx = 1
+
+  if (search) {
+    where += ` AND mc.canonical_name ILIKE $${idx}`
+    args.push(`%${search}%`)
+    idx++
+  }
+
+  const severity = params.get('severity') || ''
+  if (severity) {
+    if (severity === 'high') { where += ` AND mc.total_controls > 100` }
+    else if (severity === 'medium') { where += ` AND mc.total_controls BETWEEN 20 AND 100` }
+    else if (severity === 'low') { where += ` AND mc.total_controls < 20` }
+  }
+
+  const domain = params.get('domain') || ''
+  if (domain) {
+    where += ` AND mc.canonical_name LIKE $${idx}`
+    args.push(`${domain}%`)
+    idx++
+  }
+
+  const sortCol = sort === 'control_id' ? 'mc.master_control_id' :
+                  sort === 'created_at' ? 'mc.created_at' :
+                  sort === 'source' ? 'mc.canonical_name' : 'mc.master_control_id'
+
+  args.push(limit, offset)
+  const res = await pool.query(`
+    SELECT mc.master_control_id as control_id,
+           mc.canonical_name as title,
+           'Master Control mit ' || mc.total_controls || ' Atomic Controls' as objective,
+           CASE WHEN mc.total_controls > 100 THEN 'high'
+                WHEN mc.total_controls > 20 THEN 'medium'
+                ELSE 'low' END as severity,
+           'master_control' as category,
+           mc.total_controls,
+           mc.phases_covered,
+           mc.id,
+           mc.created_at
+    FROM compliance.master_controls mc
+    ${where}
+    ORDER BY ${sortCol} ${order}
+    LIMIT $${idx} OFFSET $${idx + 1}
+  `, args)
+
+  // Map to canonical control format
+  const controls = res.rows.map(r => ({
+    id: r.id,
+    control_id: r.control_id,
+    title: r.title,
+    objective: r.objective,
+    severity: r.severity,
+    category: r.category,
+    release_state: 'active',
+    source_citation: null,
+    verification_method: null,
+    evidence_type: null,
+    target_audience: [],
+    requirements: [],
+    test_procedure: [],
+    evidence: [],
+    open_anchors: [],
+    total_controls: r.total_controls,
+    phases_covered: r.phases_covered,
+    created_at: r.created_at,
+    scope: { platforms: [], components: [], data_classes: [] },
+    risk_score: null,
+    implementation_effort: null,
+  }))
+
+  return NextResponse.json(controls)
+}
+
+async function handleCount(params: URLSearchParams) {
+  const search = params.get('search') || ''
+  let where = "WHERE 1=1"
+  const args: unknown[] = []
+
+  if (search) {
+    where += ` AND mc.canonical_name ILIKE $1`
+    args.push(`%${search}%`)
+  }
+
+  const res = await pool.query(
+    `SELECT count(*) FROM compliance.master_controls mc ${where}`, args
+  )
+  return NextResponse.json({ total: parseInt(res.rows[0].count) })
+}
+
+async function handleMeta(params: URLSearchParams) {
+  const res = await pool.query(`
+    SELECT count(*) as total,
+           count(CASE WHEN total_controls > 100 THEN 1 END) as high_count,
+           count(CASE WHEN total_controls BETWEEN 20 AND 100 THEN 1 END) as medium_count,
+           count(CASE WHEN total_controls < 20 THEN 1 END) as low_count
+    FROM compliance.master_controls
+  `)
+  const r = res.rows[0]
+
+  // Get top L1 tokens as "domains"
+  const domainRes = await pool.query(`
+    SELECT split_part(canonical_name, '_', 1) as domain, count(*) as count
+    FROM compliance.master_controls
+    GROUP BY 1 ORDER BY 2 DESC LIMIT 30
+  `)
+
+  return NextResponse.json({
+    total: parseInt(r.total),
+    severity_counts: {
+      high: parseInt(r.high_count),
+      medium: parseInt(r.medium_count),
+      low: parseInt(r.low_count),
+    },
+    domains: domainRes.rows.map(d => ({ domain: d.domain, count: parseInt(d.count) })),
+    sources: [],
+    no_source_count: 0,
+    release_state_counts: { active: parseInt(r.total) },
+    verification_method_counts: {},
+    category_counts: {},
+    evidence_type_counts: {},
+  })
+}
+
+async function handleDetail(params: URLSearchParams) {
+  const id = params.get('id') || ''
+  const res = await pool.query(`
+    SELECT mc.id, mc.master_control_id as control_id, mc.canonical_name as title,
+           'Master Control mit ' || mc.total_controls || ' Atomic Controls' as objective,
+           mc.total_controls, mc.phases_covered, mc.phase_control_count, mc.created_at
+    FROM compliance.master_controls mc
+    WHERE mc.master_control_id = $1 OR mc.id::text = $1
+  `, [id])
+
+  if (res.rows.length === 0) {
+    return NextResponse.json({ error: 'not found' }, { status: 404 })
+  }
+
+  const mc = res.rows[0]
+
+  // Load members
+  const membersRes = await pool.query(`
+    SELECT cc.control_id, cc.title, cc.severity, mcm.phase, mcm.action
+    FROM compliance.master_control_members mcm
+    JOIN compliance.canonical_controls cc ON cc.id = mcm.control_uuid
+    WHERE mcm.master_control_uuid = $1
+    ORDER BY mcm.phase, cc.control_id
+    LIMIT 100
+  `, [mc.id])
+
+  return NextResponse.json({
+    id: mc.id,
+    control_id: mc.control_id,
+    title: mc.title,
+    objective: mc.objective,
+    severity: mc.total_controls > 100 ? 'high' : mc.total_controls > 20 ? 'medium' : 'low',
+    category: 'master_control',
+    release_state: 'active',
+    total_controls: mc.total_controls,
+    phases_covered: mc.phases_covered,
+    phase_control_count: mc.phase_control_count,
+    members: membersRes.rows,
+    requirements: membersRes.rows.map((m: { control_id: string; title: string; phase: string }) =>
+      `[${m.phase}] ${m.control_id}: ${m.title}`
+    ),
+    test_procedure: [],
+    evidence: [],
+    open_anchors: [],
+    target_audience: [],
+    source_citation: null,
+    scope: { platforms: [], components: [], data_classes: [] },
+    risk_score: null,
+    implementation_effort: null,
+    created_at: mc.created_at,
+  })
+}
@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = '00000000-0000-0000-0000-000000000001'
+
+function buildUrl(request: NextRequest, params: { path?: string[] }) {
+  const subPath = params.path?.join('/') || ''
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  return `${SDK_URL}/sdk/v1/maximizer/${subPath}${qs ? `?${qs}` : ''}`
+}
+
+function forwardHeaders(request: NextRequest): Record<string, string> {
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
+  headers['X-Tenant-ID'] = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID
+  headers['X-User-ID'] = request.headers.get('X-User-ID') || DEFAULT_USER_ID
+  return headers
+}
+
+async function proxy(request: NextRequest, params: { path?: string[] }, method: string) {
+  try {
+    const url = buildUrl(request, params)
+    const init: RequestInit = { method, headers: forwardHeaders(request) }
+    if (method !== 'GET' && method !== 'DELETE') {
+      init.body = await request.text()
+    }
+    const response = await fetch(url, init)
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'Maximizer backend error', details: errorText }, { status: response.status })
+    }
+    if (response.status === 204) return new NextResponse(null, { status: 204 })
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Maximizer proxy error:', error)
+    return NextResponse.json({ error: 'Failed to connect to Maximizer backend' }, { status: 503 })
+  }
+}
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxy(request, await params, 'GET')
+}
+
+export async function POST(request: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxy(request, await params, 'POST')
+}
+
+export async function DELETE(request: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  return proxy(request, await params, 'DELETE')
+}
@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'controls'
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+    let path: string
+    switch (endpoint) {
+      case 'controls':
+        const domain = searchParams.get('domain') || ''
+        path = `/sdk/v1/payment-compliance/controls${domain ? `?domain=${domain}` : ''}`
+        break
+      case 'assessments':
+        path = '/sdk/v1/payment-compliance/assessments'
+        break
+      default:
+        path = '/sdk/v1/payment-compliance/controls'
+    }
+
+    const resp = await fetch(`${SDK_URL}${path}`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/assessments`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create' }, { status: 500 })
+  }
+}
@@ -0,0 +1,28 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}`)
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const { searchParams } = new URL(request.url)
+    const action = searchParams.get('action') || 'extract'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}/${action}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
@@ -0,0 +1,30 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const formData = await request.formData()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+      body: formData,
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Upload failed' }, { status: 500 })
+  }
+}
@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ derived_id: string }> }
+) {
+  const { derived_id } = await params
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/quaidal/controls/${encodeURIComponent(derived_id)}`,
+      { headers: { 'X-Tenant-ID': tenantHeader(request) }, cache: 'no-store' }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/quaidal/controls${qs ? `?${qs}` : ''}`,
+      { headers: { 'X-Tenant-ID': tenantHeader(request) }, cache: 'no-store' }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ section_id: string }> }
+) {
+  const { section_id } = await params
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/quaidal/criteria/${encodeURIComponent(section_id)}`,
+      { headers: { 'X-Tenant-ID': tenantHeader(request) }, cache: 'no-store' }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/quaidal/criteria`, {
+      headers: { 'X-Tenant-ID': tenantHeader(request) },
+      cache: 'no-store',
+    })
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/quaidal/stats`, {
+      headers: { 'X-Tenant-ID': tenantHeader(request) },
+      cache: 'no-store',
+    })
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const qs = searchParams.toString()
+    const url = `${SDK_URL}/sdk/v1/regulatory-news${qs ? `?${qs}` : ''}`
+
+    const response = await fetch(url, {
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+      },
+    })
+
+    if (!response.ok) {
+      return NextResponse.json({ error: 'SDK error' }, { status: response.status })
+    }
+    return NextResponse.json(await response.json())
+  } catch {
+    return NextResponse.json({ error: 'Connection failed' }, { status: 503 })
+  }
+}
@@ -92,11 +92,17 @@ class PostgreSQLStateStore implements StateStore {
  private pool: Pool

  constructor(connectionString: string) {
+    // Strip sslmode from URL — pg driver overrides our ssl config if it's in the URL.
+    // We handle SSL ourselves via the ssl option below.
+    const cleanUrl = connectionString.replace(/[?&]sslmode=[^&]*/g, '').replace(/\?$/, '')
+    const needsSsl = connectionString.includes('sslmode=require') || connectionString.includes('sslmode=verify')
    this.pool = new Pool({
-      connectionString,
+      connectionString: cleanUrl,
      max: 5,
      // Set search_path for compliance schema
      options: '-c search_path=compliance,core,public',
+      // Accept self-signed certificates (Hetzner PostgreSQL)
+      ssl: needsSsl ? { rejectUnauthorized: false } : false,
    })
  }

@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: POST /api/sdk/v1/ucca/assess-enriched → Go Backend POST /sdk/v1/ucca/assess-enriched
+ * Accepts { intake, company_profile? } and returns enriched assessment with obligations + hints.
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+
+    const response = await fetch(`${SDK_URL}/sdk/v1/ucca/assess-enriched`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+      },
+      body: JSON.stringify(body),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('UCCA assess-enriched error:', errorText)
+      return NextResponse.json(
+        { error: 'UCCA backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data, { status: 201 })
+  } catch (error) {
+    console.error('Failed to call UCCA assess-enriched:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to UCCA backend' },
+      { status: 503 }
+    )
+  }
+}
@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'

 const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'

 /**
 * Proxy: GET /api/sdk/v1/ucca/assessments/[id] → Go Backend GET /sdk/v1/ucca/assessments/:id
@@ -16,9 +17,7 @@ export async function GET(
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
      },
    })

@@ -56,9 +55,7 @@ export async function PUT(
      method: 'PUT',
      headers: {
        'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
      },
      body: JSON.stringify(body),
    })
@@ -96,9 +93,7 @@ export async function DELETE(
      method: 'DELETE',
      headers: {
        'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
      },
    })

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'

 const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'

 /**
 * Proxy: GET /api/sdk/v1/ucca/assessments → Go Backend GET /sdk/v1/ucca/assessments
@@ -22,9 +23,7 @@ export async function GET(request: NextRequest) {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
      },
    })

@@ -0,0 +1,57 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: /api/sdk/v1/ucca/decision-tree/... → Go Backend /sdk/v1/ucca/decision-tree/...
+ */
+async function proxyRequest(request: NextRequest, { params }: { params: Promise<{ path?: string[] }> }) {
+  const { path } = await params
+  const subPath = path ? path.join('/') : ''
+  const search = request.nextUrl.search || ''
+  const targetUrl = `${SDK_URL}/sdk/v1/ucca/decision-tree/${subPath}${search}`
+
+  const tenantID = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT
+
+  try {
+    const headers: Record<string, string> = {
+      'X-Tenant-ID': tenantID,
+    }
+
+    const fetchOptions: RequestInit = {
+      method: request.method,
+      headers,
+    }
+
+    if (request.method === 'POST' || request.method === 'PUT' || request.method === 'PATCH') {
+      const body = await request.json()
+      headers['Content-Type'] = 'application/json'
+      fetchOptions.body = JSON.stringify(body)
+    }
+
+    const response = await fetch(targetUrl, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error(`Decision tree proxy error [${request.method} ${subPath}]:`, errorText)
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    console.error('Decision tree proxy connection error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to AI compliance backend' },
+      { status: 503 }
+    )
+  }
+}
+
+export const GET = proxyRequest
+export const POST = proxyRequest
+export const DELETE = proxyRequest
@@ -0,0 +1,58 @@
+/**
+ * Next.js Proxy: leitet POST /api/v1/founding-wizard/generate an Backend.
+ *
+ * Konvertiert das Backend-Response (base64 DOCX) in data: URLs,
+ * die das Frontend direkt als Download anbieten kann.
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_COMPLIANCE_URL || 'http://bp-compliance-backend:8002'
+
+export async function POST(req: NextRequest) {
+  try {
+    const body = await req.json()
+
+    const backendRes = await fetch(`${BACKEND_URL}/v1/founding-wizard/generate`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+
+    if (!backendRes.ok) {
+      const errorText = await backendRes.text()
+      return NextResponse.json(
+        { error: 'Backend-Generierung fehlgeschlagen', detail: errorText },
+        { status: backendRes.status }
+      )
+    }
+
+    const data = await backendRes.json()
+    const documents = (data.documents || []).map((doc: {
+      document_type: string
+      title: string
+      filename: string
+      content_base64: string
+      size_bytes: number
+      generated_at: string
+    }) => ({
+      document_type: doc.document_type,
+      title: doc.title,
+      filename: doc.filename,
+      download_url: `data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;base64,${doc.content_base64}`,
+      size_bytes: doc.size_bytes,
+      generated_at: doc.generated_at,
+    }))
+
+    return NextResponse.json({
+      documents,
+      warnings: data.warnings || [],
+    })
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : 'Unbekannter Fehler'
+    return NextResponse.json(
+      { error: 'Proxy-Fehler', detail: message },
+      { status: 500 }
+    )
+  }
+}
@@ -0,0 +1,53 @@
+/**
+ * Vendor Assessment Status/Detail Proxy
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.COMPLIANCE_BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  const { id } = await params
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/vendor-compliance/assessments/${id}`,
+      { signal: AbortSignal.timeout(10000) },
+    )
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (error) {
+    console.error('Assessment status proxy error:', error)
+    return NextResponse.json(
+      { error: 'Backend nicht erreichbar' },
+      { status: 503 },
+    )
+  }
+}
+
+export async function POST(
+  _request: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  const { id } = await params
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/vendor-compliance/assessments/${id}/approve`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        signal: AbortSignal.timeout(10000),
+      },
+    )
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (error) {
+    console.error('Assessment approve proxy error:', error)
+    return NextResponse.json(
+      { error: 'Backend nicht erreichbar' },
+      { status: 503 },
+    )
+  }
+}
@@ -0,0 +1,41 @@
+/**
+ * Vendor Assessment API Proxy
+ * Proxies to backend-compliance (Python FastAPI)
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.COMPLIANCE_BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+    const resp = await fetch(`${BACKEND_URL}/api/vendor-compliance/assessments`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(10000),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (error) {
+    console.error('Vendor assessment proxy error:', error)
+    return NextResponse.json(
+      { error: 'Backend nicht erreichbar' },
+      { status: 503 },
+    )
+  }
+}
+
+export async function GET() {
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/vendor-compliance/assessments`, {
+      signal: AbortSignal.timeout(10000),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Vendor assessment list proxy error:', error)
+    return NextResponse.json({ assessments: [] })
+  }
+}
@@ -0,0 +1,92 @@
+'use client'
+
+import { useState } from 'react'
+import Link from 'next/link'
+import { COMPANY_PROFILE_PRESETS, type CompanyProfilePreset } from '@/lib/sdk/company-profile-presets'
+import { DOC_LABELS, CATEGORY_COLORS } from './doc-labels'
+
+export function PresetSection({ projectId }: { projectId?: string }) {
+  const [selectedPreset, setSelectedPreset] = useState<CompanyProfilePreset | null>(null)
+
+  // Group recommended docs by category
+  const groupedDocs = selectedPreset
+    ? selectedPreset.recommendedDocs.reduce<Record<string, string[]>>((acc, docType) => {
+        const info = DOC_LABELS[docType]
+        if (!info) return acc
+        if (!acc[info.category]) acc[info.category] = []
+        acc[info.category].push(info.label)
+        return acc
+      }, {})
+    : null
+
+  return (
+    <div className="bg-gradient-to-br from-purple-50 to-white rounded-xl border border-purple-200 p-6 space-y-4">
+      <div>
+        <h2 className="text-lg font-bold text-gray-900">Schnellstart: Welcher Unternehmenstyp sind Sie?</h2>
+        <p className="text-sm text-gray-500 mt-1">
+          Waehlen Sie Ihre Branche — wir zeigen Ihnen welche Dokumente Sie benoetigen.
+        </p>
+      </div>
+
+      {/* Preset Cards */}
+      <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-5 gap-3">
+        {COMPANY_PROFILE_PRESETS.map((preset) => (
+          <button
+            key={preset.id}
+            onClick={() => setSelectedPreset(selectedPreset?.id === preset.id ? null : preset)}
+            className={`flex flex-col items-center gap-2 p-3 rounded-xl transition-all text-center ${
+              selectedPreset?.id === preset.id
+                ? 'bg-purple-100 border-2 border-purple-500 shadow-md'
+                : 'bg-white border border-gray-200 hover:border-purple-300 hover:shadow-sm'
+            }`}
+          >
+            <span className="text-2xl">{preset.icon}</span>
+            <span className={`text-xs font-medium ${selectedPreset?.id === preset.id ? 'text-purple-700' : 'text-gray-900'}`}>
+              {preset.label}
+            </span>
+            <span className="text-[10px] text-gray-400 leading-tight">{preset.description}</span>
+          </button>
+        ))}
+      </div>
+
+      {/* Document Preview — shown when a preset is selected */}
+      {selectedPreset && groupedDocs && (
+        <div className="bg-white rounded-xl border border-gray-200 p-5 space-y-4">
+          <div className="flex items-center justify-between">
+            <div>
+              <h3 className="font-semibold text-gray-900">
+                {selectedPreset.icon} {selectedPreset.label} — Ihre Dokumente
+              </h3>
+              <p className="text-xs text-gray-500 mt-0.5">
+                {selectedPreset.recommendedDocs.length} Dokumente werden fuer Sie vorbereitet
+              </p>
+            </div>
+            <Link
+              href={projectId
+                ? `/sdk/company-profile?project=${projectId}&preset=${selectedPreset.id}`
+                : `/sdk/company-profile?preset=${selectedPreset.id}`}
+              className="px-4 py-2 bg-purple-600 text-white text-sm font-medium rounded-lg hover:bg-purple-700 transition-colors"
+            >
+              Jetzt starten
+            </Link>
+          </div>
+
+          <div className="grid grid-cols-2 sm:grid-cols-3 md:grid-cols-4 gap-3">
+            {Object.entries(groupedDocs).map(([category, docs]) => (
+              <div key={category} className="space-y-1.5">
+                <span className={`inline-block px-2 py-0.5 rounded-full text-[10px] font-medium ${CATEGORY_COLORS[category] || 'bg-gray-100 text-gray-600'}`}>
+                  {category}
+                </span>
+                {docs.map((doc) => (
+                  <div key={doc} className="text-xs text-gray-700 pl-1">
+                    {doc}
+                  </div>
+                ))}
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}
@@ -0,0 +1,131 @@
+/**
+ * Complete mapping of all document template types to display labels and categories.
+ * Used by PresetSection to show categorized document previews.
+ */
+
+export const DOC_LABELS: Record<string, { label: string; category: string }> = {
+  // ── Website ──────────────────────────────────────────────────────
+  privacy_policy: { label: 'Datenschutzerklaerung', category: 'Website' },
+  impressum: { label: 'Impressum', category: 'Website' },
+  cookie_policy: { label: 'Cookie-Richtlinie', category: 'Website' },
+  cookie_banner: { label: 'Cookie-Banner-Texte', category: 'Website' },
+
+  // ── Vertraege ────────────────────────────────────────────────────
+  agb: { label: 'AGB', category: 'Vertraege' },
+  dpa: { label: 'AVV (Auftragsverarbeitung)', category: 'Vertraege' },
+  nda: { label: 'Geheimhaltungsvereinbarung', category: 'Vertraege' },
+  sla: { label: 'Service Level Agreement', category: 'Vertraege' },
+  terms_of_use: { label: 'Nutzungsbedingungen', category: 'Vertraege' },
+  cloud_service_agreement: { label: 'Cloud-Vertrag', category: 'Vertraege' },
+  data_usage_clause: { label: 'Datennutzungsklausel', category: 'Vertraege' },
+
+  // ── Plattform ────────────────────────────────────────────────────
+  community_guidelines: { label: 'Community Guidelines', category: 'Plattform' },
+  acceptable_use: { label: 'Acceptable Use Policy', category: 'Plattform' },
+  media_content_policy: { label: 'Medien-Richtlinie', category: 'Plattform' },
+  copyright_policy: { label: 'Urheberrechtsrichtlinie', category: 'Plattform' },
+
+  // ── E-Commerce ───────────────────────────────────────────────────
+  widerruf: { label: 'Widerrufsbelehrung', category: 'E-Commerce' },
+
+  // ── HR / Personal ────────────────────────────────────────────────
+  employee_dsi: { label: 'Mitarbeiter-DSI', category: 'HR' },
+  applicant_dsi: { label: 'Bewerber-DSI', category: 'HR' },
+  whistleblower_policy: { label: 'Whistleblower-Richtlinie', category: 'HR' },
+  employee_security_policy: { label: 'Mitarbeiter-Sicherheitsrichtlinie', category: 'HR' },
+  security_awareness_policy: { label: 'Security-Awareness-Richtlinie', category: 'HR' },
+  remote_work_policy: { label: 'Remote-Work-Richtlinie', category: 'HR' },
+  offboarding_policy: { label: 'Offboarding-Richtlinie', category: 'HR' },
+
+  // ── Datenschutz (DSGVO) ──────────────────────────────────────────
+  tom_documentation: { label: 'TOM-Dokumentation', category: 'Datenschutz' },
+  vvt_register: { label: 'Verarbeitungsverzeichnis', category: 'Datenschutz' },
+  loeschkonzept: { label: 'Loeschkonzept', category: 'Datenschutz' },
+  dsfa: { label: 'Datenschutz-Folgenabschaetzung', category: 'Datenschutz' },
+  pflichtenregister: { label: 'Pflichtenregister', category: 'Datenschutz' },
+  data_protection_concept: { label: 'Datenschutzkonzept', category: 'Datenschutz' },
+  consent_texts: { label: 'Einwilligungstexte', category: 'Datenschutz' },
+  informationspflichten: { label: 'Informationspflichten', category: 'Datenschutz' },
+  verpflichtungserklaerung: { label: 'Verpflichtungserklaerung', category: 'Datenschutz' },
+  social_media_dsi: { label: 'Social-Media-DSI', category: 'Datenschutz' },
+  video_conference_dsi: { label: 'Videokonferenz-DSI', category: 'Datenschutz' },
+
+  // ── Daten-Policies ───────────────────────────────────────────────
+  data_protection_policy: { label: 'Datenschutzrichtlinie', category: 'Daten-Governance' },
+  data_classification_policy: { label: 'Datenklassifizierung', category: 'Daten-Governance' },
+  data_retention_policy: { label: 'Aufbewahrungsrichtlinie', category: 'Daten-Governance' },
+  data_transfer_policy: { label: 'Datentransfer-Richtlinie', category: 'Daten-Governance' },
+  privacy_incident_policy: { label: 'Datenschutzvorfall-Richtlinie', category: 'Daten-Governance' },
+
+  // ── Betroffenenrechte ────────────────────────────────────────────
+  dsr_process_art15: { label: 'Auskunftsrecht (Art. 15)', category: 'Betroffenenrechte' },
+  dsr_process_art16: { label: 'Berichtigungsrecht (Art. 16)', category: 'Betroffenenrechte' },
+  dsr_process_art17: { label: 'Loeschungsrecht (Art. 17)', category: 'Betroffenenrechte' },
+  dsr_process_art18: { label: 'Einschraenkungsrecht (Art. 18)', category: 'Betroffenenrechte' },
+  dsr_process_art19: { label: 'Mitteilungspflicht (Art. 19)', category: 'Betroffenenrechte' },
+  dsr_process_art20: { label: 'Datenportabilitaet (Art. 20)', category: 'Betroffenenrechte' },
+  dsr_process_art21: { label: 'Widerspruchsrecht (Art. 21)', category: 'Betroffenenrechte' },
+
+  // ── IT-Sicherheit (Konzepte) ─────────────────────────────────────
+  it_security_concept: { label: 'IT-Sicherheitskonzept', category: 'IT-Sicherheit' },
+  backup_recovery_concept: { label: 'Backup- & Recovery-Konzept', category: 'IT-Sicherheit' },
+  logging_concept: { label: 'Logging-Konzept', category: 'IT-Sicherheit' },
+  incident_response_plan: { label: 'Incident-Response-Plan', category: 'IT-Sicherheit' },
+  access_control_concept: { label: 'Zugriffskonzept', category: 'IT-Sicherheit' },
+  risk_management_concept: { label: 'Risikomanagement-Konzept', category: 'IT-Sicherheit' },
+  isms_manual: { label: 'ISMS-Handbuch', category: 'IT-Sicherheit' },
+
+  // ── IT-Sicherheit (Policies) ─────────────────────────────────────
+  information_security_policy: { label: 'Informationssicherheitsrichtlinie', category: 'IT-Policies' },
+  access_control_policy: { label: 'Zugriffskontrollrichtlinie', category: 'IT-Policies' },
+  password_policy: { label: 'Passwortrichtlinie', category: 'IT-Policies' },
+  encryption_policy: { label: 'Verschluesselungsrichtlinie', category: 'IT-Policies' },
+  logging_policy: { label: 'Protokollierungsrichtlinie', category: 'IT-Policies' },
+  backup_policy: { label: 'Datensicherungsrichtlinie', category: 'IT-Policies' },
+  incident_response_policy: { label: 'Incident-Response-Richtlinie', category: 'IT-Policies' },
+  change_management_policy: { label: 'Change-Management-Richtlinie', category: 'IT-Policies' },
+  patch_management_policy: { label: 'Patch-Management-Richtlinie', category: 'IT-Policies' },
+  asset_management_policy: { label: 'Asset-Management-Richtlinie', category: 'IT-Policies' },
+  cloud_security_policy: { label: 'Cloud-Security-Richtlinie', category: 'IT-Policies' },
+  devsecops_policy: { label: 'DevSecOps-Richtlinie', category: 'IT-Policies' },
+  secrets_management_policy: { label: 'Secrets-Management-Richtlinie', category: 'IT-Policies' },
+  vulnerability_management_policy: { label: 'Schwachstellenmanagement', category: 'IT-Policies' },
+
+  // ── Lieferanten / Drittanbieter ──────────────────────────────────
+  vendor_risk_management_policy: { label: 'Lieferanten-Risikomanagement', category: 'Lieferanten' },
+  third_party_security_policy: { label: 'Drittanbieter-Sicherheit', category: 'Lieferanten' },
+  supplier_security_policy: { label: 'Lieferanten-Anforderungen', category: 'Lieferanten' },
+  transfer_impact_assessment: { label: 'Transfer Impact Assessment', category: 'Lieferanten' },
+  scc_companion: { label: 'SCC-Begleitdokument', category: 'Lieferanten' },
+
+  // ── BCM / Notfall ────────────────────────────────────────────────
+  business_continuity_policy: { label: 'Business-Continuity', category: 'BCM' },
+  disaster_recovery_policy: { label: 'Disaster-Recovery', category: 'BCM' },
+  crisis_management_policy: { label: 'Krisenmanagement', category: 'BCM' },
+
+  // ── KI / Cyber ───────────────────────────────────────────────────
+  ai_usage_policy: { label: 'KI-Nutzungsrichtlinie', category: 'KI & Cyber' },
+  cybersecurity_policy: { label: 'Cybersecurity-Richtlinie (CRA)', category: 'KI & Cyber' },
+  byod_policy: { label: 'BYOD-Richtlinie', category: 'KI & Cyber' },
+
+  // ── SOP ──────────────────────────────────────────────────────────
+  standard_operating_procedure: { label: 'Standard Operating Procedure', category: 'Prozesse' },
+}
+
+export const CATEGORY_COLORS: Record<string, string> = {
+  Website: 'bg-blue-50 text-blue-700',
+  Vertraege: 'bg-purple-50 text-purple-700',
+  Plattform: 'bg-indigo-50 text-indigo-700',
+  'E-Commerce': 'bg-green-50 text-green-700',
+  HR: 'bg-amber-50 text-amber-700',
+  Datenschutz: 'bg-red-50 text-red-700',
+  'Daten-Governance': 'bg-rose-50 text-rose-700',
+  Betroffenenrechte: 'bg-fuchsia-50 text-fuchsia-700',
+  'IT-Sicherheit': 'bg-gray-100 text-gray-700',
+  'IT-Policies': 'bg-slate-100 text-slate-700',
+  Lieferanten: 'bg-orange-50 text-orange-700',
+  BCM: 'bg-yellow-50 text-yellow-700',
+  'KI & Cyber': 'bg-cyan-50 text-cyan-700',
+  Marketing: 'bg-pink-50 text-pink-700',
+  Prozesse: 'bg-teal-50 text-teal-700',
+}
@@ -0,0 +1,50 @@
+'use client'
+
+import Link from 'next/link'
+import { Course, COURSE_CATEGORY_INFO } from '@/lib/sdk/academy/types'
+
+interface CourseHeaderProps {
+  course: Course
+  onDelete: () => void
+}
+
+export function CourseHeader({ course, onDelete }: CourseHeaderProps) {
+  const categoryInfo = COURSE_CATEGORY_INFO[course.category] || COURSE_CATEGORY_INFO['custom']
+
+  return (
+    <div className="flex items-start justify-between">
+      <div className="flex items-center gap-4">
+        <Link
+          href="/sdk/academy"
+          className="p-2 text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
+        >
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 19l-7-7 7-7" />
+          </svg>
+        </Link>
+        <div>
+          <div className="flex items-center gap-2 mb-1">
+            <span className={`px-2 py-1 text-xs rounded-full ${categoryInfo.bgColor} ${categoryInfo.color}`}>
+              {categoryInfo.label}
+            </span>
+            <span className={`px-2 py-1 text-xs rounded-full ${
+              course.status === 'published' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-600'
+            }`}>
+              {course.status === 'published' ? 'Veroeffentlicht' : 'Entwurf'}
+            </span>
+          </div>
+          <h1 className="text-2xl font-bold text-gray-900">{course.title}</h1>
+          <p className="text-sm text-gray-500 mt-1">{course.description}</p>
+        </div>
+      </div>
+      <div className="flex items-center gap-2">
+        <button
+          onClick={onDelete}
+          className="px-3 py-2 text-sm text-red-600 hover:bg-red-50 rounded-lg transition-colors"
+        >
+          Loeschen
+        </button>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,33 @@
+'use client'
+
+import { Course, Lesson, Enrollment } from '@/lib/sdk/academy/types'
+
+interface CourseStatsProps {
+  course: Course
+  sortedLessons: Lesson[]
+  enrollments: Enrollment[]
+  completedEnrollments: number
+}
+
+export function CourseStats({ course, sortedLessons, enrollments, completedEnrollments }: CourseStatsProps) {
+  return (
+    <div className="grid grid-cols-4 gap-4">
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Lektionen</div>
+        <div className="text-2xl font-bold text-gray-900">{sortedLessons.length}</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Dauer</div>
+        <div className="text-2xl font-bold text-gray-900">{course.durationMinutes} Min.</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Teilnehmer</div>
+        <div className="text-2xl font-bold text-blue-600">{enrollments.length}</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Abgeschlossen</div>
+        <div className="text-2xl font-bold text-green-600">{completedEnrollments}</div>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,37 @@
+'use client'
+
+type TabId = 'overview' | 'lessons' | 'enrollments' | 'videos'
+
+interface CourseTabsProps {
+  activeTab: TabId
+  onTabChange: (tab: TabId) => void
+}
+
+const TAB_LABELS: Record<TabId, string> = {
+  overview: 'Uebersicht',
+  lessons: 'Lektionen',
+  enrollments: 'Einschreibungen',
+  videos: 'Videos',
+}
+
+export function CourseTabs({ activeTab, onTabChange }: CourseTabsProps) {
+  return (
+    <div className="border-b border-gray-200">
+      <nav className="flex gap-1 -mb-px">
+        {(['overview', 'lessons', 'enrollments', 'videos'] as TabId[]).map(tab => (
+          <button
+            key={tab}
+            onClick={() => onTabChange(tab)}
+            className={`px-4 py-3 text-sm font-medium border-b-2 transition-colors ${
+              activeTab === tab
+                ? 'border-purple-600 text-purple-600'
+                : 'border-transparent text-gray-500 hover:text-gray-700'
+            }`}
+          >
+            {TAB_LABELS[tab]}
+          </button>
+        ))}
+      </nav>
+    </div>
+  )
+}
@@ -0,0 +1,59 @@
+'use client'
+
+import { Enrollment, ENROLLMENT_STATUS_INFO, isEnrollmentOverdue, getDaysUntilDeadline } from '@/lib/sdk/academy/types'
+
+interface EnrollmentsTabProps {
+  enrollments: Enrollment[]
+  overdueEnrollments: number
+}
+
+export function EnrollmentsTab({ enrollments, overdueEnrollments }: EnrollmentsTabProps) {
+  return (
+    <div className="space-y-4">
+      {overdueEnrollments > 0 && (
+        <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">
+          {overdueEnrollments} ueberfaellige Einschreibung(en)
+        </div>
+      )}
+      {enrollments.length === 0 ? (
+        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+          <p className="text-gray-500">Noch keine Einschreibungen fuer diesen Kurs.</p>
+        </div>
+      ) : (
+        enrollments.map(enrollment => {
+          const statusInfo = ENROLLMENT_STATUS_INFO[enrollment.status]
+          const overdue = isEnrollmentOverdue(enrollment)
+          const daysUntil = getDaysUntilDeadline(enrollment.deadline)
+          return (
+            <div key={enrollment.id} className={`bg-white rounded-xl border-2 p-5 ${overdue ? 'border-red-200' : 'border-gray-200'}`}>
+              <div className="flex items-center justify-between">
+                <div>
+                  <div className="flex items-center gap-2 mb-1">
+                    <span className={`px-2 py-0.5 text-xs rounded-full ${statusInfo?.bgColor} ${statusInfo?.color}`}>
+                      {statusInfo?.label}
+                    </span>
+                    {overdue && <span className="text-xs text-red-600">Ueberfaellig</span>}
+                  </div>
+                  <div className="font-medium text-gray-900">{enrollment.userName}</div>
+                  <div className="text-sm text-gray-500">{enrollment.userEmail}</div>
+                </div>
+                <div className="text-right">
+                  <div className="text-2xl font-bold text-gray-900">{enrollment.progress}%</div>
+                  <div className="text-xs text-gray-500">
+                    {enrollment.status === 'completed' ? 'Abgeschlossen' : `${daysUntil > 0 ? daysUntil + ' Tage verbleibend' : Math.abs(daysUntil) + ' Tage ueberfaellig'}`}
+                  </div>
+                </div>
+              </div>
+              <div className="mt-3 w-full h-2 bg-gray-200 rounded-full overflow-hidden">
+                <div
+                  className={`h-full rounded-full ${enrollment.progress === 100 ? 'bg-green-500' : overdue ? 'bg-red-500' : 'bg-purple-500'}`}
+                  style={{ width: `${enrollment.progress}%` }}
+                />
+              </div>
+            </div>
+          )
+        })
+      )}
+    </div>
+  )
+}
@@ -0,0 +1,239 @@
+'use client'
+
+import { Lesson, QuizQuestion } from '@/lib/sdk/academy/types'
+
+interface LessonsTabProps {
+  sortedLessons: Lesson[]
+  selectedLesson: Lesson | null
+  onSelectLesson: (lesson: Lesson) => void
+  quizAnswers: Record<string, number>
+  onQuizAnswer: (answers: Record<string, number>) => void
+  quizResult: any
+  isSubmittingQuiz: boolean
+  onSubmitQuiz: () => void
+  onResetQuiz: () => void
+  isEditing: boolean
+  editTitle: string
+  editContent: string
+  onEditTitle: (v: string) => void
+  onEditContent: (v: string) => void
+  isSaving: boolean
+  saveMessage: { type: 'success' | 'error'; text: string } | null
+  onStartEdit: () => void
+  onCancelEdit: () => void
+  onSaveLesson: () => void
+  onApproveLesson: () => void
+}
+
+export function LessonsTab({
+  sortedLessons,
+  selectedLesson,
+  onSelectLesson,
+  quizAnswers,
+  onQuizAnswer,
+  quizResult,
+  isSubmittingQuiz,
+  onSubmitQuiz,
+  onResetQuiz,
+  isEditing,
+  editTitle,
+  editContent,
+  onEditTitle,
+  onEditContent,
+  isSaving,
+  saveMessage,
+  onStartEdit,
+  onCancelEdit,
+  onSaveLesson,
+  onApproveLesson,
+}: LessonsTabProps) {
+  return (
+    <div className="grid grid-cols-3 gap-6">
+      {/* Lesson Navigation */}
+      <div className="col-span-1 bg-white rounded-xl border border-gray-200 p-4">
+        <h3 className="text-sm font-semibold text-gray-700 mb-3">Lektionen</h3>
+        <div className="space-y-1">
+          {sortedLessons.map((lesson, i) => (
+            <button
+              key={lesson.id}
+              onClick={() => onSelectLesson(lesson)}
+              className={`w-full text-left p-3 rounded-lg text-sm transition-colors ${
+                selectedLesson?.id === lesson.id
+                  ? 'bg-purple-50 text-purple-700 border border-purple-200'
+                  : 'hover:bg-gray-50 text-gray-700'
+              }`}
+            >
+              <div className="flex items-center gap-2">
+                <span className="text-xs text-gray-400 w-4">{i + 1}.</span>
+                <span className="truncate">{lesson.title}</span>
+              </div>
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Lesson Content */}
+      <div className="col-span-2 bg-white rounded-xl border border-gray-200 p-6">
+        {selectedLesson ? (
+          <div className="space-y-6">
+            <div className="flex items-center justify-between">
+              {isEditing ? (
+                <input
+                  type="text"
+                  value={editTitle}
+                  onChange={e => onEditTitle(e.target.value)}
+                  className="text-xl font-semibold text-gray-900 border border-gray-300 rounded-lg px-3 py-1 flex-1 mr-3"
+                />
+              ) : (
+                <h2 className="text-xl font-semibold text-gray-900">{selectedLesson.title}</h2>
+              )}
+              <div className="flex items-center gap-2">
+                <span className={`px-3 py-1 text-xs rounded-full ${
+                  selectedLesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
+                  selectedLesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
+                  'bg-gray-100 text-gray-600'
+                }`}>
+                  {selectedLesson.type === 'quiz' ? 'Quiz' : selectedLesson.type === 'video' ? 'Video' : 'Text'}
+                </span>
+                {selectedLesson.type !== 'quiz' && !isEditing && (
+                  <>
+                    <button onClick={onStartEdit} className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors">
+                      Bearbeiten
+                    </button>
+                    <button onClick={onApproveLesson} disabled={isSaving} className="px-3 py-1 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors disabled:opacity-50">
+                      Freigeben
+                    </button>
+                  </>
+                )}
+                {isEditing && (
+                  <>
+                    <button onClick={onCancelEdit} className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors">
+                      Abbrechen
+                    </button>
+                    <button onClick={onSaveLesson} disabled={isSaving} className="px-3 py-1 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:opacity-50">
+                      {isSaving ? 'Speichert...' : 'Speichern'}
+                    </button>
+                  </>
+                )}
+              </div>
+            </div>
+
+            {saveMessage && (
+              <div className={`p-3 rounded-lg text-sm ${
+                saveMessage.type === 'success' ? 'bg-green-50 text-green-700 border border-green-200' : 'bg-red-50 text-red-700 border border-red-200'
+              }`}>
+                {saveMessage.text}
+              </div>
+            )}
+
+            {selectedLesson.type === 'video' && selectedLesson.videoUrl && (
+              <div className="aspect-video bg-gray-900 rounded-xl overflow-hidden">
+                <video src={selectedLesson.videoUrl} controls className="w-full h-full" />
+              </div>
+            )}
+
+            {isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && (
+              <div className="space-y-2">
+                <label className="text-sm text-gray-500">Inhalt (Markdown)</label>
+                <textarea
+                  value={editContent}
+                  onChange={e => onEditContent(e.target.value)}
+                  rows={20}
+                  className="w-full border border-gray-300 rounded-xl p-4 text-sm font-mono text-gray-800 leading-relaxed resize-y focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+                  placeholder="Markdown-Inhalt der Lektion..."
+                />
+                <p className="text-xs text-gray-400">Unterstuetzt: # Ueberschrift, ## Unterueberschrift, - Aufzaehlung, **fett**</p>
+              </div>
+            )}
+
+            {!isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && selectedLesson.contentMarkdown && (
+              <div className="prose prose-sm max-w-none">
+                <div className="whitespace-pre-wrap text-gray-700 leading-relaxed">
+                  {selectedLesson.contentMarkdown.split('\n').map((line, i) => {
+                    if (line.startsWith('# ')) return <h1 key={i} className="text-2xl font-bold text-gray-900 mt-6 mb-3">{line.slice(2)}</h1>
+                    if (line.startsWith('## ')) return <h2 key={i} className="text-xl font-semibold text-gray-900 mt-5 mb-2">{line.slice(3)}</h2>
+                    if (line.startsWith('### ')) return <h3 key={i} className="text-lg font-medium text-gray-900 mt-4 mb-2">{line.slice(4)}</h3>
+                    if (line.startsWith('- **')) {
+                      const parts = line.slice(2).split('**')
+                      return <li key={i} className="ml-4 list-disc"><strong>{parts[1]}</strong>{parts[2] || ''}</li>
+                    }
+                    if (line.startsWith('- ')) return <li key={i} className="ml-4 list-disc">{line.slice(2)}</li>
+                    if (line.trim() === '') return <br key={i} />
+                    return <p key={i} className="mb-2">{line}</p>
+                  })}
+                </div>
+              </div>
+            )}
+
+            {selectedLesson.type === 'quiz' && selectedLesson.quizQuestions && (
+              <div className="space-y-6">
+                {selectedLesson.quizQuestions.map((q: QuizQuestion, qi: number) => (
+                  <div key={q.id} className="bg-gray-50 rounded-xl p-5">
+                    <h4 className="font-medium text-gray-900 mb-3">Frage {qi + 1}: {q.question}</h4>
+                    <div className="space-y-2">
+                      {q.options.map((option: string, oi: number) => {
+                        const isSelected = quizAnswers[q.id] === oi
+                        const showResult = quizResult && !quizResult.error
+                        const isCorrect = showResult && quizResult.results?.[qi]?.correct
+                        const wasSelected = showResult && isSelected
+
+                        let bgClass = 'bg-white border-gray-200 hover:border-purple-300'
+                        if (isSelected && !showResult) bgClass = 'bg-purple-50 border-purple-500'
+                        if (showResult && oi === q.correctOptionIndex) bgClass = 'bg-green-50 border-green-500'
+                        if (showResult && wasSelected && !isCorrect) bgClass = 'bg-red-50 border-red-500'
+
+                        return (
+                          <button
+                            key={oi}
+                            onClick={() => !quizResult && onQuizAnswer({ ...quizAnswers, [q.id]: oi })}
+                            disabled={!!quizResult}
+                            className={`w-full text-left p-3 rounded-lg border-2 transition-all ${bgClass}`}
+                          >
+                            <span className="text-sm text-gray-700">{String.fromCharCode(65 + oi)}) {option}</span>
+                          </button>
+                        )
+                      })}
+                    </div>
+                    {quizResult && !quizResult.error && quizResult.results?.[qi] && (
+                      <div className={`mt-3 p-3 rounded-lg text-sm ${
+                        quizResult.results[qi].correct ? 'bg-green-50 text-green-700' : 'bg-red-50 text-red-700'
+                      }`}>
+                        {quizResult.results[qi].correct ? 'Richtig!' : 'Falsch.'} {q.explanation}
+                      </div>
+                    )}
+                  </div>
+                ))}
+
+                {!quizResult ? (
+                  <button
+                    onClick={onSubmitQuiz}
+                    disabled={isSubmittingQuiz || Object.keys(quizAnswers).length < (selectedLesson.quizQuestions?.length || 0)}
+                    className="w-full py-3 bg-purple-600 text-white rounded-xl hover:bg-purple-700 transition-colors disabled:opacity-50 font-medium"
+                  >
+                    {isSubmittingQuiz ? 'Wird ausgewertet...' : 'Quiz auswerten'}
+                  </button>
+                ) : quizResult.error ? (
+                  <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">{quizResult.error}</div>
+                ) : (
+                  <div className={`rounded-xl p-6 text-center ${quizResult.passed ? 'bg-green-50 border border-green-200' : 'bg-red-50 border border-red-200'}`}>
+                    <div className={`text-3xl font-bold ${quizResult.passed ? 'text-green-600' : 'text-red-600'}`}>
+                      {quizResult.score}%
+                    </div>
+                    <div className={`text-sm mt-1 ${quizResult.passed ? 'text-green-700' : 'text-red-700'}`}>
+                      {quizResult.passed ? 'Bestanden!' : 'Nicht bestanden'} — {quizResult.correctAnswers}/{quizResult.totalQuestions} richtig
+                    </div>
+                    <button onClick={onResetQuiz} className="mt-4 px-4 py-2 text-sm bg-white rounded-lg border hover:bg-gray-50">
+                      Quiz wiederholen
+                    </button>
+                  </div>
+                )}
+              </div>
+            )}
+          </div>
+        ) : (
+          <p className="text-gray-500 text-center py-10">Waehlen Sie eine Lektion aus.</p>
+        )}
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,48 @@
+'use client'
+
+import { Course, Lesson } from '@/lib/sdk/academy/types'
+
+interface OverviewTabProps {
+  course: Course
+  sortedLessons: Lesson[]
+}
+
+export function OverviewTab({ course, sortedLessons }: OverviewTabProps) {
+  return (
+    <div className="space-y-6">
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Kurs-Details</h3>
+        <dl className="grid grid-cols-2 gap-4 text-sm">
+          <div><dt className="text-gray-500">Bestehensgrenze</dt><dd className="font-medium text-gray-900">{course.passingScore}%</dd></div>
+          <div><dt className="text-gray-500">Pflicht fuer</dt><dd className="font-medium text-gray-900">{course.requiredForRoles?.join(', ') || 'Alle'}</dd></div>
+          <div><dt className="text-gray-500">Erstellt am</dt><dd className="font-medium text-gray-900">{new Date(course.createdAt).toLocaleDateString('de-DE')}</dd></div>
+          <div><dt className="text-gray-500">Aktualisiert am</dt><dd className="font-medium text-gray-900">{new Date(course.updatedAt).toLocaleDateString('de-DE')}</dd></div>
+        </dl>
+      </div>
+
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Lektionen ({sortedLessons.length})</h3>
+        <div className="space-y-2">
+          {sortedLessons.map((lesson, i) => (
+            <div key={lesson.id} className="flex items-center gap-3 p-3 rounded-lg hover:bg-gray-50">
+              <div className="w-8 h-8 rounded-full bg-purple-100 text-purple-600 flex items-center justify-center text-sm font-medium">
+                {i + 1}
+              </div>
+              <div className="flex-1">
+                <div className="text-sm font-medium text-gray-900">{lesson.title}</div>
+                <div className="text-xs text-gray-500">{lesson.durationMinutes} Min. | {lesson.type === 'video' ? 'Video' : lesson.type === 'quiz' ? 'Quiz' : 'Text'}</div>
+              </div>
+              <span className={`px-2 py-1 text-xs rounded-full ${
+                lesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
+                lesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
+                'bg-gray-100 text-gray-600'
+              }`}>
+                {lesson.type === 'quiz' ? 'Quiz' : lesson.type === 'video' ? 'Video' : 'Text'}
+              </span>
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,71 @@
+'use client'
+
+interface VideoStatus {
+  status: string
+  lessons?: Array<{ lessonId: string; status: string }>
+}
+
+interface VideosTabProps {
+  videoStatus: VideoStatus | null
+  isGeneratingVideos: boolean
+  onGenerateVideos: () => void
+  onCheckVideoStatus: () => void
+}
+
+export function VideosTab({ videoStatus, isGeneratingVideos, onGenerateVideos, onCheckVideoStatus }: VideosTabProps) {
+  return (
+    <div className="space-y-6">
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <div className="flex items-center justify-between mb-4">
+          <h3 className="text-lg font-semibold text-gray-900">Video-Generierung</h3>
+          <div className="flex gap-2">
+            <button onClick={onCheckVideoStatus} className="px-4 py-2 text-sm border border-gray-300 rounded-lg hover:bg-gray-50">
+              Status pruefen
+            </button>
+            <button
+              onClick={onGenerateVideos}
+              disabled={isGeneratingVideos}
+              className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50"
+            >
+              {isGeneratingVideos ? 'Wird gestartet...' : 'Videos generieren'}
+            </button>
+          </div>
+        </div>
+
+        <div className="bg-blue-50 border border-blue-200 rounded-xl p-4 mb-4 text-sm text-blue-700">
+          Videos werden mit ElevenLabs (Stimme) und HeyGen (Avatar) generiert.
+          Konfigurieren Sie die API-Keys in den Umgebungsvariablen.
+        </div>
+
+        {videoStatus && (
+          <div className="space-y-3">
+            <div className="flex items-center gap-2">
+              <span className="text-sm text-gray-500">Gesamtstatus:</span>
+              <span className={`px-2 py-1 text-xs rounded-full ${
+                videoStatus.status === 'completed' ? 'bg-green-100 text-green-700' :
+                videoStatus.status === 'processing' ? 'bg-yellow-100 text-yellow-700' :
+                'bg-gray-100 text-gray-600'
+              }`}>
+                {videoStatus.status}
+              </span>
+            </div>
+            {videoStatus.lessons?.map((ls) => (
+              <div key={ls.lessonId} className="flex items-center justify-between p-3 bg-gray-50 rounded-lg">
+                <span className="text-sm text-gray-700">Lektion {ls.lessonId.slice(-4)}</span>
+                <span className={`text-xs ${ls.status === 'completed' ? 'text-green-600' : 'text-gray-500'}`}>
+                  {ls.status}
+                </span>
+              </div>
+            ))}
+          </div>
+        )}
+
+        {!videoStatus && (
+          <p className="text-sm text-gray-500 text-center py-8">
+            Klicken Sie auf "Videos generieren" um den Prozess zu starten.
+          </p>
+        )}
+      </div>
+    </div>
+  )
+}
@@ -1,17 +1,13 @@
 'use client'

-import React, { useState, useEffect, useMemo } from 'react'
+import React, { useState, useEffect } from 'react'
 import { useParams, useRouter } from 'next/navigation'
 import Link from 'next/link'
 import {
  Course,
  Lesson,
  Enrollment,
-  QuizQuestion,
-  COURSE_CATEGORY_INFO,
-  ENROLLMENT_STATUS_INFO,
  isEnrollmentOverdue,
-  getDaysUntilDeadline
 } from '@/lib/sdk/academy/types'
 import {
  fetchCourse,
@@ -20,8 +16,15 @@ import {
  submitQuiz,
  updateLesson,
  generateVideos,
-  getVideoStatus
+  getVideoStatus,
 } from '@/lib/sdk/academy/api'
+import { CourseHeader } from './_components/CourseHeader'
+import { CourseStats } from './_components/CourseStats'
+import { CourseTabs } from './_components/CourseTabs'
+import { OverviewTab } from './_components/OverviewTab'
+import { LessonsTab } from './_components/LessonsTab'
+import { EnrollmentsTab } from './_components/EnrollmentsTab'
+import { VideosTab } from './_components/VideosTab'

 type TabId = 'overview' | 'lessons' | 'enrollments' | 'videos'

@@ -81,8 +84,7 @@ export default function CourseDetailPage() {
  const handleSubmitQuiz = async () => {
    if (!selectedLesson) return
    const questions = selectedLesson.quizQuestions || []
-    const answers = questions.map((q: QuizQuestion) => quizAnswers[q.id] ?? -1)
-
+    const answers = questions.map((q: any) => quizAnswers[q.id] ?? -1)
    setIsSubmittingQuiz(true)
    try {
      const result = await submitQuiz(selectedLesson.id, { answers })
@@ -113,10 +115,7 @@ export default function CourseDetailPage() {
    setIsSaving(true)
    setSaveMessage(null)
    try {
-      await updateLesson(selectedLesson.id, {
-        title: editTitle,
-        content_url: editContent,
-      })
+      await updateLesson(selectedLesson.id, { title: editTitle, content_url: editContent })
      const updatedLesson = { ...selectedLesson, title: editTitle, contentMarkdown: editContent }
      setSelectedLesson(updatedLesson)
      if (course) {
@@ -138,9 +137,7 @@ export default function CourseDetailPage() {
    setIsSaving(true)
    setSaveMessage(null)
    try {
-      await updateLesson(selectedLesson.id, {
-        description: 'approved_for_video',
-      })
+      await updateLesson(selectedLesson.id, { description: 'approved_for_video' })
      const updatedLesson = { ...selectedLesson }
      if (course) {
        const updatedLessons = course.lessons.map(l => l.id === updatedLesson.id ? updatedLesson : l)
@@ -197,454 +194,61 @@ export default function CourseDetailPage() {
    )
  }

-  const categoryInfo = COURSE_CATEGORY_INFO[course.category] || COURSE_CATEGORY_INFO['custom']
  const sortedLessons = [...(course.lessons || [])].sort((a, b) => a.order - b.order)
  const completedEnrollments = enrollments.filter(e => e.status === 'completed').length
  const overdueEnrollments = enrollments.filter(e => isEnrollmentOverdue(e)).length

  return (
    <div className="space-y-6">
-      {/* Header */}
-      <div className="flex items-start justify-between">
-        <div className="flex items-center gap-4">
-          <Link
-            href="/sdk/academy"
-            className="p-2 text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
-          >
-            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 19l-7-7 7-7" />
-            </svg>
-          </Link>
-          <div>
-            <div className="flex items-center gap-2 mb-1">
-              <span className={`px-2 py-1 text-xs rounded-full ${categoryInfo.bgColor} ${categoryInfo.color}`}>
-                {categoryInfo.label}
-              </span>
-              <span className={`px-2 py-1 text-xs rounded-full ${
-                course.status === 'published' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-600'
-              }`}>
-                {course.status === 'published' ? 'Veroeffentlicht' : 'Entwurf'}
-              </span>
-            </div>
-            <h1 className="text-2xl font-bold text-gray-900">{course.title}</h1>
-            <p className="text-sm text-gray-500 mt-1">{course.description}</p>
-          </div>
-        </div>
-        <div className="flex items-center gap-2">
-          <button
-            onClick={handleDeleteCourse}
-            className="px-3 py-2 text-sm text-red-600 hover:bg-red-50 rounded-lg transition-colors"
-          >
-            Loeschen
-          </button>
-        </div>
-      </div>
+      <CourseHeader course={course} onDelete={handleDeleteCourse} />
+      <CourseStats
+        course={course}
+        sortedLessons={sortedLessons}
+        enrollments={enrollments}
+        completedEnrollments={completedEnrollments}
+      />
+      <CourseTabs activeTab={activeTab} onTabChange={setActiveTab} />

-      {/* Stats Row */}
-      <div className="grid grid-cols-4 gap-4">
-        <div className="bg-white rounded-xl border border-gray-200 p-4">
-          <div className="text-sm text-gray-500">Lektionen</div>
-          <div className="text-2xl font-bold text-gray-900">{sortedLessons.length}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-gray-200 p-4">
-          <div className="text-sm text-gray-500">Dauer</div>
-          <div className="text-2xl font-bold text-gray-900">{course.durationMinutes} Min.</div>
-        </div>
-        <div className="bg-white rounded-xl border border-gray-200 p-4">
-          <div className="text-sm text-gray-500">Teilnehmer</div>
-          <div className="text-2xl font-bold text-blue-600">{enrollments.length}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-gray-200 p-4">
-          <div className="text-sm text-gray-500">Abgeschlossen</div>
-          <div className="text-2xl font-bold text-green-600">{completedEnrollments}</div>
-        </div>
-      </div>
-
-      {/* Tabs */}
-      <div className="border-b border-gray-200">
-        <nav className="flex gap-1 -mb-px">
-          {(['overview', 'lessons', 'enrollments', 'videos'] as TabId[]).map(tab => (
-            <button
-              key={tab}
-              onClick={() => setActiveTab(tab)}
-              className={`px-4 py-3 text-sm font-medium border-b-2 transition-colors ${
-                activeTab === tab
-                  ? 'border-purple-600 text-purple-600'
-                  : 'border-transparent text-gray-500 hover:text-gray-700'
-              }`}
-            >
-              {{ overview: 'Uebersicht', lessons: 'Lektionen', enrollments: 'Einschreibungen', videos: 'Videos' }[tab]}
-            </button>
-          ))}
-        </nav>
-      </div>
-
-      {/* Overview Tab */}
      {activeTab === 'overview' && (
-        <div className="space-y-6">
-          <div className="bg-white rounded-xl border border-gray-200 p-6">
-            <h3 className="text-lg font-semibold text-gray-900 mb-4">Kurs-Details</h3>
-            <dl className="grid grid-cols-2 gap-4 text-sm">
-              <div><dt className="text-gray-500">Bestehensgrenze</dt><dd className="font-medium text-gray-900">{course.passingScore}%</dd></div>
-              <div><dt className="text-gray-500">Pflicht fuer</dt><dd className="font-medium text-gray-900">{course.requiredForRoles?.join(', ') || 'Alle'}</dd></div>
-              <div><dt className="text-gray-500">Erstellt am</dt><dd className="font-medium text-gray-900">{new Date(course.createdAt).toLocaleDateString('de-DE')}</dd></div>
-              <div><dt className="text-gray-500">Aktualisiert am</dt><dd className="font-medium text-gray-900">{new Date(course.updatedAt).toLocaleDateString('de-DE')}</dd></div>
-            </dl>
-          </div>
-
-          {/* Lesson List Preview */}
-          <div className="bg-white rounded-xl border border-gray-200 p-6">
-            <h3 className="text-lg font-semibold text-gray-900 mb-4">Lektionen ({sortedLessons.length})</h3>
-            <div className="space-y-2">
-              {sortedLessons.map((lesson, i) => (
-                <div key={lesson.id} className="flex items-center gap-3 p-3 rounded-lg hover:bg-gray-50">
-                  <div className="w-8 h-8 rounded-full bg-purple-100 text-purple-600 flex items-center justify-center text-sm font-medium">
-                    {i + 1}
-                  </div>
-                  <div className="flex-1">
-                    <div className="text-sm font-medium text-gray-900">{lesson.title}</div>
-                    <div className="text-xs text-gray-500">{lesson.durationMinutes} Min. | {lesson.type === 'video' ? 'Video' : lesson.type === 'quiz' ? 'Quiz' : 'Text'}</div>
-                  </div>
-                  <span className={`px-2 py-1 text-xs rounded-full ${
-                    lesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
-                    lesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
-                    'bg-gray-100 text-gray-600'
-                  }`}>
-                    {lesson.type === 'quiz' ? 'Quiz' : lesson.type === 'video' ? 'Video' : 'Text'}
-                  </span>
-                </div>
-              ))}
-            </div>
-          </div>
-        </div>
+        <OverviewTab course={course} sortedLessons={sortedLessons} />
      )}

-      {/* Lessons Tab - with content viewer and quiz player */}
      {activeTab === 'lessons' && (
-        <div className="grid grid-cols-3 gap-6">
-          {/* Lesson Navigation */}
-          <div className="col-span-1 bg-white rounded-xl border border-gray-200 p-4">
-            <h3 className="text-sm font-semibold text-gray-700 mb-3">Lektionen</h3>
-            <div className="space-y-1">
-              {sortedLessons.map((lesson, i) => (
-                <button
-                  key={lesson.id}
-                  onClick={() => { setSelectedLesson(lesson); setQuizResult(null); setQuizAnswers({}) }}
-                  className={`w-full text-left p-3 rounded-lg text-sm transition-colors ${
-                    selectedLesson?.id === lesson.id
-                      ? 'bg-purple-50 text-purple-700 border border-purple-200'
-                      : 'hover:bg-gray-50 text-gray-700'
-                  }`}
-                >
-                  <div className="flex items-center gap-2">
-                    <span className="text-xs text-gray-400 w-4">{i + 1}.</span>
-                    <span className="truncate">{lesson.title}</span>
-                  </div>
-                </button>
-              ))}
-            </div>
-          </div>
-
-          {/* Lesson Content */}
-          <div className="col-span-2 bg-white rounded-xl border border-gray-200 p-6">
-            {selectedLesson ? (
-              <div className="space-y-6">
-                <div className="flex items-center justify-between">
-                  {isEditing ? (
-                    <input
-                      type="text"
-                      value={editTitle}
-                      onChange={e => setEditTitle(e.target.value)}
-                      className="text-xl font-semibold text-gray-900 border border-gray-300 rounded-lg px-3 py-1 flex-1 mr-3"
-                    />
-                  ) : (
-                    <h2 className="text-xl font-semibold text-gray-900">{selectedLesson.title}</h2>
-                  )}
-                  <div className="flex items-center gap-2">
-                    <span className={`px-3 py-1 text-xs rounded-full ${
-                      selectedLesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
-                      selectedLesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
-                      'bg-gray-100 text-gray-600'
-                    }`}>
-                      {selectedLesson.type === 'quiz' ? 'Quiz' : selectedLesson.type === 'video' ? 'Video' : 'Text'}
-                    </span>
-                    {selectedLesson.type !== 'quiz' && !isEditing && (
-                      <>
-                        <button
-                          onClick={handleStartEdit}
-                          className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors"
-                        >
-                          Bearbeiten
-                        </button>
-                        <button
-                          onClick={handleApproveLesson}
-                          disabled={isSaving}
-                          className="px-3 py-1 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors disabled:opacity-50"
-                        >
-                          Freigeben
-                        </button>
-                      </>
-                    )}
-                    {isEditing && (
-                      <>
-                        <button
-                          onClick={handleCancelEdit}
-                          className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors"
-                        >
-                          Abbrechen
-                        </button>
-                        <button
-                          onClick={handleSaveLesson}
-                          disabled={isSaving}
-                          className="px-3 py-1 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:opacity-50"
-                        >
-                          {isSaving ? 'Speichert...' : 'Speichern'}
-                        </button>
-                      </>
-                    )}
-                  </div>
-                </div>
-
-                {/* Save/Approve Message */}
-                {saveMessage && (
-                  <div className={`p-3 rounded-lg text-sm ${
-                    saveMessage.type === 'success' ? 'bg-green-50 text-green-700 border border-green-200' : 'bg-red-50 text-red-700 border border-red-200'
-                  }`}>
-                    {saveMessage.text}
-                  </div>
-                )}
-
-                {/* Video Player */}
-                {selectedLesson.type === 'video' && selectedLesson.videoUrl && (
-                  <div className="aspect-video bg-gray-900 rounded-xl overflow-hidden">
-                    <video
-                      src={selectedLesson.videoUrl}
-                      controls
-                      className="w-full h-full"
-                    />
-                  </div>
-                )}
-
-                {/* Text Content - Edit Mode */}
-                {isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && (
-                  <div className="space-y-2">
-                    <label className="text-sm text-gray-500">Inhalt (Markdown)</label>
-                    <textarea
-                      value={editContent}
-                      onChange={e => setEditContent(e.target.value)}
-                      rows={20}
-                      className="w-full border border-gray-300 rounded-xl p-4 text-sm font-mono text-gray-800 leading-relaxed resize-y focus:ring-2 focus:ring-purple-500 focus:border-transparent"
-                      placeholder="Markdown-Inhalt der Lektion..."
-                    />
-                    <p className="text-xs text-gray-400">Unterstuetzt: # Ueberschrift, ## Unterueberschrift, - Aufzaehlung, **fett**</p>
-                  </div>
-                )}
-
-                {/* Text Content - View Mode */}
-                {!isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && selectedLesson.contentMarkdown && (
-                  <div className="prose prose-sm max-w-none">
-                    <div className="whitespace-pre-wrap text-gray-700 leading-relaxed">
-                      {selectedLesson.contentMarkdown.split('\n').map((line, i) => {
-                        if (line.startsWith('# ')) return <h1 key={i} className="text-2xl font-bold text-gray-900 mt-6 mb-3">{line.slice(2)}</h1>
-                        if (line.startsWith('## ')) return <h2 key={i} className="text-xl font-semibold text-gray-900 mt-5 mb-2">{line.slice(3)}</h2>
-                        if (line.startsWith('### ')) return <h3 key={i} className="text-lg font-medium text-gray-900 mt-4 mb-2">{line.slice(4)}</h3>
-                        if (line.startsWith('- **')) {
-                          const parts = line.slice(2).split('**')
-                          return <li key={i} className="ml-4 list-disc"><strong>{parts[1]}</strong>{parts[2] || ''}</li>
-                        }
-                        if (line.startsWith('- ')) return <li key={i} className="ml-4 list-disc">{line.slice(2)}</li>
-                        if (line.trim() === '') return <br key={i} />
-                        return <p key={i} className="mb-2">{line}</p>
-                      })}
-                    </div>
-                  </div>
-                )}
-
-                {/* Quiz Player */}
-                {selectedLesson.type === 'quiz' && selectedLesson.quizQuestions && (
-                  <div className="space-y-6">
-                    {selectedLesson.quizQuestions.map((q: QuizQuestion, qi: number) => (
-                      <div key={q.id} className="bg-gray-50 rounded-xl p-5">
-                        <h4 className="font-medium text-gray-900 mb-3">Frage {qi + 1}: {q.question}</h4>
-                        <div className="space-y-2">
-                          {q.options.map((option: string, oi: number) => {
-                            const isSelected = quizAnswers[q.id] === oi
-                            const showResult = quizResult && !quizResult.error
-                            const isCorrect = showResult && quizResult.results?.[qi]?.correct
-                            const wasSelected = showResult && isSelected
-
-                            let bgClass = 'bg-white border-gray-200 hover:border-purple-300'
-                            if (isSelected && !showResult) bgClass = 'bg-purple-50 border-purple-500'
-                            if (showResult && oi === q.correctOptionIndex) bgClass = 'bg-green-50 border-green-500'
-                            if (showResult && wasSelected && !isCorrect) bgClass = 'bg-red-50 border-red-500'
-
-                            return (
-                              <button
-                                key={oi}
-                                onClick={() => !quizResult && setQuizAnswers({ ...quizAnswers, [q.id]: oi })}
-                                disabled={!!quizResult}
-                                className={`w-full text-left p-3 rounded-lg border-2 transition-all ${bgClass}`}
-                              >
-                                <span className="text-sm text-gray-700">{String.fromCharCode(65 + oi)}) {option}</span>
-                              </button>
-                            )
-                          })}
-                        </div>
-                        {quizResult && !quizResult.error && quizResult.results?.[qi] && (
-                          <div className={`mt-3 p-3 rounded-lg text-sm ${
-                            quizResult.results[qi].correct ? 'bg-green-50 text-green-700' : 'bg-red-50 text-red-700'
-                          }`}>
-                            {quizResult.results[qi].correct ? 'Richtig!' : 'Falsch.'} {q.explanation}
-                          </div>
-                        )}
-                      </div>
-                    ))}
-
-                    {/* Quiz Submit / Result */}
-                    {!quizResult ? (
-                      <button
-                        onClick={handleSubmitQuiz}
-                        disabled={isSubmittingQuiz || Object.keys(quizAnswers).length < (selectedLesson.quizQuestions?.length || 0)}
-                        className="w-full py-3 bg-purple-600 text-white rounded-xl hover:bg-purple-700 transition-colors disabled:opacity-50 font-medium"
-                      >
-                        {isSubmittingQuiz ? 'Wird ausgewertet...' : 'Quiz auswerten'}
-                      </button>
-                    ) : quizResult.error ? (
-                      <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">{quizResult.error}</div>
-                    ) : (
-                      <div className={`rounded-xl p-6 text-center ${quizResult.passed ? 'bg-green-50 border border-green-200' : 'bg-red-50 border border-red-200'}`}>
-                        <div className={`text-3xl font-bold ${quizResult.passed ? 'text-green-600' : 'text-red-600'}`}>
-                          {quizResult.score}%
-                        </div>
-                        <div className={`text-sm mt-1 ${quizResult.passed ? 'text-green-700' : 'text-red-700'}`}>
-                          {quizResult.passed ? 'Bestanden!' : 'Nicht bestanden'} — {quizResult.correctAnswers}/{quizResult.totalQuestions} richtig
-                        </div>
-                        <button
-                          onClick={() => { setQuizResult(null); setQuizAnswers({}) }}
-                          className="mt-4 px-4 py-2 text-sm bg-white rounded-lg border hover:bg-gray-50"
-                        >
-                          Quiz wiederholen
-                        </button>
-                      </div>
-                    )}
-                  </div>
-                )}
-              </div>
-            ) : (
-              <p className="text-gray-500 text-center py-10">Waehlen Sie eine Lektion aus.</p>
-            )}
-          </div>
-        </div>
+        <LessonsTab
+          sortedLessons={sortedLessons}
+          selectedLesson={selectedLesson}
+          onSelectLesson={(lesson) => { setSelectedLesson(lesson); setQuizResult(null); setQuizAnswers({}) }}
+          quizAnswers={quizAnswers}
+          onQuizAnswer={setQuizAnswers}
+          quizResult={quizResult}
+          isSubmittingQuiz={isSubmittingQuiz}
+          onSubmitQuiz={handleSubmitQuiz}
+          onResetQuiz={() => { setQuizResult(null); setQuizAnswers({}) }}
+          isEditing={isEditing}
+          editTitle={editTitle}
+          editContent={editContent}
+          onEditTitle={setEditTitle}
+          onEditContent={setEditContent}
+          isSaving={isSaving}
+          saveMessage={saveMessage}
+          onStartEdit={handleStartEdit}
+          onCancelEdit={handleCancelEdit}
+          onSaveLesson={handleSaveLesson}
+          onApproveLesson={handleApproveLesson}
+        />
      )}

-      {/* Enrollments Tab */}
      {activeTab === 'enrollments' && (
-        <div className="space-y-4">
-          {overdueEnrollments > 0 && (
-            <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">
-              {overdueEnrollments} ueberfaellige Einschreibung(en)
-            </div>
-          )}
-          {enrollments.length === 0 ? (
-            <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
-              <p className="text-gray-500">Noch keine Einschreibungen fuer diesen Kurs.</p>
-            </div>
-          ) : (
-            enrollments.map(enrollment => {
-              const statusInfo = ENROLLMENT_STATUS_INFO[enrollment.status]
-              const overdue = isEnrollmentOverdue(enrollment)
-              const daysUntil = getDaysUntilDeadline(enrollment.deadline)
-              return (
-                <div key={enrollment.id} className={`bg-white rounded-xl border-2 p-5 ${overdue ? 'border-red-200' : 'border-gray-200'}`}>
-                  <div className="flex items-center justify-between">
-                    <div>
-                      <div className="flex items-center gap-2 mb-1">
-                        <span className={`px-2 py-0.5 text-xs rounded-full ${statusInfo?.bgColor} ${statusInfo?.color}`}>
-                          {statusInfo?.label}
-                        </span>
-                        {overdue && <span className="text-xs text-red-600">Ueberfaellig</span>}
-                      </div>
-                      <div className="font-medium text-gray-900">{enrollment.userName}</div>
-                      <div className="text-sm text-gray-500">{enrollment.userEmail}</div>
-                    </div>
-                    <div className="text-right">
-                      <div className="text-2xl font-bold text-gray-900">{enrollment.progress}%</div>
-                      <div className="text-xs text-gray-500">
-                        {enrollment.status === 'completed' ? 'Abgeschlossen' : `${daysUntil > 0 ? daysUntil + ' Tage verbleibend' : Math.abs(daysUntil) + ' Tage ueberfaellig'}`}
-                      </div>
-                    </div>
-                  </div>
-                  <div className="mt-3 w-full h-2 bg-gray-200 rounded-full overflow-hidden">
-                    <div
-                      className={`h-full rounded-full ${enrollment.progress === 100 ? 'bg-green-500' : overdue ? 'bg-red-500' : 'bg-purple-500'}`}
-                      style={{ width: `${enrollment.progress}%` }}
-                    />
-                  </div>
-                </div>
-              )
-            })
-          )}
-        </div>
+        <EnrollmentsTab enrollments={enrollments} overdueEnrollments={overdueEnrollments} />
      )}

-      {/* Videos Tab */}
      {activeTab === 'videos' && (
-        <div className="space-y-6">
-          <div className="bg-white rounded-xl border border-gray-200 p-6">
-            <div className="flex items-center justify-between mb-4">
-              <h3 className="text-lg font-semibold text-gray-900">Video-Generierung</h3>
-              <div className="flex gap-2">
-                <button
-                  onClick={handleCheckVideoStatus}
-                  className="px-4 py-2 text-sm border border-gray-300 rounded-lg hover:bg-gray-50"
-                >
-                  Status pruefen
-                </button>
-                <button
-                  onClick={handleGenerateVideos}
-                  disabled={isGeneratingVideos}
-                  className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50"
-                >
-                  {isGeneratingVideos ? 'Wird gestartet...' : 'Videos generieren'}
-                </button>
-              </div>
-            </div>
-
-            <div className="bg-blue-50 border border-blue-200 rounded-xl p-4 mb-4 text-sm text-blue-700">
-              Videos werden mit ElevenLabs (Stimme) und HeyGen (Avatar) generiert.
-              Konfigurieren Sie die API-Keys in den Umgebungsvariablen.
-            </div>
-
-            {videoStatus && (
-              <div className="space-y-3">
-                <div className="flex items-center gap-2">
-                  <span className="text-sm text-gray-500">Gesamtstatus:</span>
-                  <span className={`px-2 py-1 text-xs rounded-full ${
-                    videoStatus.status === 'completed' ? 'bg-green-100 text-green-700' :
-                    videoStatus.status === 'processing' ? 'bg-yellow-100 text-yellow-700' :
-                    'bg-gray-100 text-gray-600'
-                  }`}>
-                    {videoStatus.status}
-                  </span>
-                </div>
-                {videoStatus.lessons?.map((ls: any) => (
-                  <div key={ls.lessonId} className="flex items-center justify-between p-3 bg-gray-50 rounded-lg">
-                    <span className="text-sm text-gray-700">Lektion {ls.lessonId.slice(-4)}</span>
-                    <span className={`text-xs ${ls.status === 'completed' ? 'text-green-600' : 'text-gray-500'}`}>
-                      {ls.status}
-                    </span>
-                  </div>
-                ))}
-              </div>
-            )}
-
-            {!videoStatus && (
-              <p className="text-sm text-gray-500 text-center py-8">
-                Klicken Sie auf "Videos generieren" um den Prozess zu starten.
-              </p>
-            )}
-          </div>
-        </div>
+        <VideosTab
+          videoStatus={videoStatus}
+          isGeneratingVideos={isGeneratingVideos}
+          onGenerateVideos={handleGenerateVideos}
+          onCheckVideoStatus={handleCheckVideoStatus}
+        />
      )}
    </div>
  )
@@ -0,0 +1,139 @@
+'use client'
+
+import React from 'react'
+import type { Certificate } from '@/lib/sdk/academy/types'
+
+// =============================================================================
+// CERTIFICATE ROW
+// =============================================================================
+
+function CertificateRow({ cert }: { cert: Certificate }) {
+  const now = new Date()
+  const validUntil = new Date(cert.validUntil)
+  const daysLeft = Math.ceil((validUntil.getTime() - now.getTime()) / (1000 * 60 * 60 * 24))
+  const isExpired = daysLeft <= 0
+  const isExpiringSoon = daysLeft > 0 && daysLeft <= 30
+
+  return (
+    <tr className="hover:bg-gray-50">
+      <td className="px-4 py-3 font-medium text-gray-900">{cert.userName}</td>
+      <td className="px-4 py-3 text-gray-600">{cert.courseName}</td>
+      <td className="px-4 py-3 text-gray-500">{new Date(cert.issuedAt).toLocaleDateString('de-DE')}</td>
+      <td className="px-4 py-3 text-gray-500">{validUntil.toLocaleDateString('de-DE')}</td>
+      <td className="px-4 py-3 text-center">
+        {isExpired ? (
+          <span className="px-2 py-1 text-xs rounded-full bg-red-100 text-red-700">Abgelaufen</span>
+        ) : isExpiringSoon ? (
+          <span className="px-2 py-1 text-xs rounded-full bg-orange-100 text-orange-700">Laeuft bald ab</span>
+        ) : (
+          <span className="px-2 py-1 text-xs rounded-full bg-green-100 text-green-700">Gueltig</span>
+        )}
+      </td>
+      <td className="px-4 py-3 text-center">
+        {cert.pdfUrl ? (
+          <a
+            href={cert.pdfUrl}
+            download
+            target="_blank"
+            rel="noopener noreferrer"
+            className="px-3 py-1 text-xs bg-purple-600 text-white rounded hover:bg-purple-700 transition-colors"
+          >
+            PDF Download
+          </a>
+        ) : (
+          <span className="px-3 py-1 text-xs bg-gray-100 text-gray-400 rounded cursor-not-allowed">
+            Nicht verfuegbar
+          </span>
+        )}
+      </td>
+    </tr>
+  )
+}
+
+// =============================================================================
+// CERTIFICATES TAB
+// =============================================================================
+
+export function CertificatesTab({
+  certificates,
+  certSearch,
+  onSearchChange
+}: {
+  certificates: Certificate[]
+  certSearch: string
+  onSearchChange: (s: string) => void
+}) {
+  const now = new Date()
+  const total = certificates.length
+  const valid = certificates.filter(c => new Date(c.validUntil) > now).length
+  const expired = certificates.filter(c => new Date(c.validUntil) <= now).length
+
+  return (
+    <div className="space-y-4">
+      {/* Stats */}
+      <div className="grid grid-cols-3 gap-4">
+        <div className="bg-white rounded-xl border border-gray-200 p-4 text-center">
+          <div className="text-2xl font-bold text-gray-900">{total}</div>
+          <div className="text-sm text-gray-500">Gesamt</div>
+        </div>
+        <div className="bg-white rounded-xl border border-green-200 p-4 text-center">
+          <div className="text-2xl font-bold text-green-600">{valid}</div>
+          <div className="text-sm text-gray-500">Gueltig</div>
+        </div>
+        <div className="bg-white rounded-xl border border-red-200 p-4 text-center">
+          <div className="text-2xl font-bold text-red-600">{expired}</div>
+          <div className="text-sm text-gray-500">Abgelaufen</div>
+        </div>
+      </div>
+
+      {/* Search */}
+      <div>
+        <input
+          type="text"
+          placeholder="Nach Mitarbeiter oder Kurs suchen..."
+          value={certSearch}
+          onChange={e => onSearchChange(e.target.value)}
+          className="w-full px-4 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+        />
+      </div>
+
+      {/* Table */}
+      {certificates.length === 0 ? (
+        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+          <div className="w-16 h-16 mx-auto bg-gray-100 rounded-full flex items-center justify-center mb-4">
+            <svg className="w-8 h-8 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4M7.835 4.697a3.42 3.42 0 001.946-.806 3.42 3.42 0 014.438 0 3.42 3.42 0 001.946.806 3.42 3.42 0 013.138 3.138 3.42 3.42 0 00.806 1.946 3.42 3.42 0 010 4.438 3.42 3.42 0 00-.806 1.946 3.42 3.42 0 01-3.138 3.138 3.42 3.42 0 00-1.946.806 3.42 3.42 0 01-4.438 0 3.42 3.42 0 00-1.946-.806 3.42 3.42 0 01-3.138-3.138 3.42 3.42 0 00-.806-1.946 3.42 3.42 0 010-4.438 3.42 3.42 0 00.806-1.946 3.42 3.42 0 013.138-3.138z" />
+            </svg>
+          </div>
+          <h3 className="text-lg font-semibold text-gray-900">Noch keine Zertifikate ausgestellt</h3>
+          <p className="mt-2 text-gray-500">Zertifikate werden automatisch nach Kursabschluss generiert.</p>
+        </div>
+      ) : (
+        <div className="bg-white rounded-xl border border-gray-200 overflow-hidden">
+          <table className="w-full text-sm">
+            <thead className="bg-gray-50 border-b border-gray-200">
+              <tr>
+                <th className="text-left px-4 py-3 font-medium text-gray-700">Mitarbeiter</th>
+                <th className="text-left px-4 py-3 font-medium text-gray-700">Kurs</th>
+                <th className="text-left px-4 py-3 font-medium text-gray-700">Ausgestellt am</th>
+                <th className="text-left px-4 py-3 font-medium text-gray-700">Gueltig bis</th>
+                <th className="text-center px-4 py-3 font-medium text-gray-700">Status</th>
+                <th className="text-center px-4 py-3 font-medium text-gray-700">Aktionen</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-100">
+              {certificates
+                .filter(c =>
+                  !certSearch ||
+                  c.userName.toLowerCase().includes(certSearch.toLowerCase()) ||
+                  c.courseName.toLowerCase().includes(certSearch.toLowerCase())
+                )
+                .map(cert => <CertificateRow key={cert.id} cert={cert} />)
+              }
+            </tbody>
+          </table>
+        </div>
+      )}
+    </div>
+  )
+}
@@ -0,0 +1,85 @@
+'use client'
+
+import React from 'react'
+import Link from 'next/link'
+import { Course, COURSE_CATEGORY_INFO } from '@/lib/sdk/academy/types'
+
+export function CourseCard({ course, enrollmentCount, onEdit }: { course: Course; enrollmentCount: number; onEdit?: (course: Course) => void }) {
+  const categoryInfo = COURSE_CATEGORY_INFO[course.category] || COURSE_CATEGORY_INFO['custom']
+
+  return (
+    <div className="relative group">
+      <Link href={`/sdk/academy/${course.id}`}>
+        <div className="bg-white rounded-xl border-2 p-6 hover:shadow-md transition-all cursor-pointer border-gray-200 hover:border-purple-300">
+          <div className="flex items-start justify-between">
+            <div className="flex-1 min-w-0">
+              <div className="flex items-center gap-2 mb-2 flex-wrap">
+                <span className={`px-2 py-1 text-xs rounded-full ${categoryInfo.bgColor} ${categoryInfo.color}`}>
+                  {categoryInfo.label}
+                </span>
+                {course.status === 'published' && (
+                  <span className="px-2 py-1 text-xs rounded-full bg-green-100 text-green-700">Veroeffentlicht</span>
+                )}
+              </div>
+              <h3 className="text-lg font-semibold text-gray-900 truncate">{course.title}</h3>
+              <p className="text-sm text-gray-500 mt-1 line-clamp-2">{course.description}</p>
+              <div className="mt-3 flex items-center gap-4 text-sm text-gray-500">
+                <span className="flex items-center gap-1">
+                  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6.253v13m0-13C10.832 5.477 9.246 5 7.5 5S4.168 5.477 3 6.253v13C4.168 18.477 5.754 18 7.5 18s3.332.477 4.5 1.253m0-13C13.168 5.477 14.754 5 16.5 5c1.747 0 3.332.477 4.5 1.253v13C19.832 18.477 18.247 18 16.5 18c-1.746 0-3.332.477-4.5 1.253" />
+                  </svg>
+                  {course.lessons.length} Lektionen
+                </span>
+                <span className="flex items-center gap-1">
+                  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z" />
+                  </svg>
+                  {course.durationMinutes} Min.
+                </span>
+                <span className="flex items-center gap-1">
+                  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M17 20h5v-2a3 3 0 00-5.356-1.857M17 20H7m10 0v-2c0-.656-.126-1.283-.356-1.857M7 20H2v-2a3 3 0 015.356-1.857M7 20v-2c0-.656.126-1.283.356-1.857m0 0a5.002 5.002 0 019.288 0M15 7a3 3 0 11-6 0 3 3 0 016 0z" />
+                  </svg>
+                  {enrollmentCount} Teilnehmer
+                </span>
+                <span className="flex items-center gap-1">
+                  <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+                  </svg>
+                  Bestehensgrenze: {course.passingScore}%
+                </span>
+              </div>
+            </div>
+            <div className="text-right ml-4 text-gray-500">
+              <div className="text-sm font-medium">
+                {course.requiredForRoles.includes('all') ? 'Pflicht fuer alle' : `${course.requiredForRoles.length} Rollen`}
+              </div>
+              <div className="text-xs mt-0.5">
+                {new Date(course.updatedAt).toLocaleDateString('de-DE')}
+              </div>
+            </div>
+          </div>
+          <div className="mt-4 pt-4 border-t border-gray-100 flex items-center justify-between">
+            <div className="text-sm text-gray-500">
+              Erstellt: {new Date(course.createdAt).toLocaleDateString('de-DE')}
+            </div>
+            <span className="px-3 py-1 text-sm text-purple-600 hover:bg-purple-50 rounded-lg transition-colors">
+              Details
+            </span>
+          </div>
+        </div>
+      </Link>
+      {onEdit && (
+        <button
+          onClick={(e) => { e.preventDefault(); onEdit(course) }}
+          className="absolute top-3 right-3 p-1.5 bg-white rounded-lg shadow border border-gray-200 text-gray-400 hover:text-purple-600 hover:border-purple-300 opacity-0 group-hover:opacity-100 transition-all z-10"
+          title="Kurs bearbeiten"
+        >
+          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M11 5H6a2 2 0 00-2 2v11a2 2 0 002 2h11a2 2 0 002-2v-5m-1.414-9.414a2 2 0 112.828 2.828L11.828 15H9v-2.828l8.586-8.586z" />
+          </svg>
+        </button>
+      )}
+    </div>
+  )
+}
@@ -0,0 +1,129 @@
+'use client'
+
+import React, { useState } from 'react'
+import { Course, CourseCategory, COURSE_CATEGORY_INFO } from '@/lib/sdk/academy/types'
+import { updateCourse } from '@/lib/sdk/academy/api'
+
+export function CourseEditModal({ course, onClose, onSaved }: {
+  course: Course
+  onClose: () => void
+  onSaved: () => void
+}) {
+  const [title, setTitle] = useState(course.title)
+  const [description, setDescription] = useState(course.description)
+  const [category, setCategory] = useState<CourseCategory>(course.category)
+  const [durationMinutes, setDurationMinutes] = useState(course.durationMinutes)
+  const [passingScore, setPassingScore] = useState(course.passingScore ?? 70)
+  const [status, setStatus] = useState<'draft' | 'published'>(course.status ?? 'draft')
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const handleSave = async () => {
+    setSaving(true)
+    setError(null)
+    try {
+      await updateCourse(course.id, { title, description, category, durationMinutes, passingScore, status })
+      onSaved()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Speichern')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50 p-4">
+      <div className="bg-white rounded-xl shadow-xl w-full max-w-lg">
+        <div className="flex items-center justify-between p-6 border-b border-gray-200">
+          <h2 className="text-lg font-semibold text-gray-900">Kurs bearbeiten</h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600">
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          </button>
+        </div>
+        <div className="p-6 space-y-4">
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Titel</label>
+            <input
+              type="text"
+              value={title}
+              onChange={e => setTitle(e.target.value)}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Beschreibung</label>
+            <textarea
+              value={description}
+              onChange={e => setDescription(e.target.value)}
+              rows={3}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+            />
+          </div>
+          <div className="grid grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Kategorie</label>
+              <select
+                value={category}
+                onChange={e => setCategory(e.target.value as CourseCategory)}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+              >
+                {Object.entries(COURSE_CATEGORY_INFO).map(([key, info]) => (
+                  <option key={key} value={key}>{info.label}</option>
+                ))}
+              </select>
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Status</label>
+              <select
+                value={status}
+                onChange={e => setStatus(e.target.value as 'draft' | 'published')}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+              >
+                <option value="draft">Entwurf</option>
+                <option value="published">Veroeffentlicht</option>
+              </select>
+            </div>
+          </div>
+          <div className="grid grid-cols-2 gap-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Dauer (Minuten)</label>
+              <input
+                type="number"
+                min={1}
+                value={durationMinutes}
+                onChange={e => setDurationMinutes(Number(e.target.value))}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Bestehensgrenze (%)</label>
+              <input
+                type="number"
+                min={0}
+                max={100}
+                value={passingScore}
+                onChange={e => setPassingScore(Number(e.target.value))}
+                className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+              />
+            </div>
+          </div>
+          {error && <p className="text-sm text-red-600">{error}</p>}
+        </div>
+        <div className="flex items-center justify-end gap-3 p-6 border-t border-gray-200">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors">
+            Abbrechen
+          </button>
+          <button
+            onClick={handleSave}
+            disabled={saving || !title}
+            className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+          >
+            {saving ? 'Speichern...' : 'Aenderungen speichern'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,133 @@
+'use client'
+
+import React from 'react'
+import {
+  Enrollment,
+  ENROLLMENT_STATUS_INFO,
+  isEnrollmentOverdue,
+  getDaysUntilDeadline
+} from '@/lib/sdk/academy/types'
+
+export function EnrollmentCard({ enrollment, courseName, onEdit, onComplete, onDelete }: {
+  enrollment: Enrollment
+  courseName: string
+  onEdit?: (enrollment: Enrollment) => void
+  onComplete?: (id: string) => void
+  onDelete?: (id: string) => void
+}) {
+  const statusInfo = ENROLLMENT_STATUS_INFO[enrollment.status]
+  const overdue = isEnrollmentOverdue(enrollment)
+  const daysUntil = getDaysUntilDeadline(enrollment.deadline)
+
+  return (
+    <div className={`
+      bg-white rounded-xl border-2 p-6
+      ${overdue ? 'border-red-300' :
+        enrollment.status === 'completed' ? 'border-green-200' :
+        enrollment.status === 'in_progress' ? 'border-yellow-200' :
+        'border-gray-200'
+      }
+    `}>
+      <div className="flex items-start justify-between">
+        <div className="flex-1 min-w-0">
+          {/* Status Badge */}
+          <div className="flex items-center gap-2 mb-2 flex-wrap">
+            <span className={`px-2 py-1 text-xs rounded-full ${statusInfo.bgColor} ${statusInfo.color}`}>
+              {statusInfo.label}
+            </span>
+            {overdue && (
+              <span className="px-2 py-1 text-xs bg-red-100 text-red-700 rounded-full flex items-center gap-1">
+                <svg className="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                </svg>
+                Ueberfaellig
+              </span>
+            )}
+          </div>
+
+          {/* User Info */}
+          <h3 className="text-lg font-semibold text-gray-900 truncate">
+            {enrollment.userName}
+          </h3>
+          <p className="text-sm text-gray-500">{enrollment.userEmail}</p>
+          <p className="text-sm text-gray-600 mt-1 font-medium">{courseName}</p>
+
+          {/* Progress Bar */}
+          <div className="mt-3">
+            <div className="flex items-center justify-between text-sm mb-1">
+              <span className="text-gray-500">Fortschritt</span>
+              <span className="font-medium text-gray-700">{enrollment.progress}%</span>
+            </div>
+            <div className="w-full h-2 bg-gray-200 rounded-full overflow-hidden">
+              <div
+                className={`h-full rounded-full transition-all ${
+                  enrollment.progress === 100 ? 'bg-green-500' :
+                  overdue ? 'bg-red-500' :
+                  'bg-purple-500'
+                }`}
+                style={{ width: `${enrollment.progress}%` }}
+              />
+            </div>
+          </div>
+        </div>
+
+        {/* Right Side - Deadline */}
+        <div className={`text-right ml-4 ${
+          overdue ? 'text-red-600' :
+          daysUntil <= 7 ? 'text-orange-600' :
+          'text-gray-500'
+        }`}>
+          <div className="text-sm font-medium">
+            {enrollment.status === 'completed'
+              ? 'Abgeschlossen'
+              : overdue
+                ? `${Math.abs(daysUntil)} Tage ueberfaellig`
+                : `${daysUntil} Tage verbleibend`
+            }
+          </div>
+          <div className="text-xs mt-0.5">
+            Frist: {new Date(enrollment.deadline).toLocaleDateString('de-DE')}
+          </div>
+        </div>
+      </div>
+
+      {/* Footer */}
+      <div className="mt-4 pt-4 border-t border-gray-100 flex items-center justify-between">
+        <div className="text-sm text-gray-500">
+          Gestartet: {new Date(enrollment.startedAt).toLocaleDateString('de-DE')}
+          {enrollment.completedAt && (
+            <span className="ml-3 text-green-600">
+              Abgeschlossen: {new Date(enrollment.completedAt).toLocaleDateString('de-DE')}
+            </span>
+          )}
+        </div>
+        <div className="flex items-center gap-2">
+          {enrollment.status === 'in_progress' && onComplete && (
+            <button
+              onClick={() => onComplete(enrollment.id)}
+              className="px-3 py-1 text-xs bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors"
+            >
+              Abschliessen
+            </button>
+          )}
+          {onEdit && (
+            <button
+              onClick={() => onEdit(enrollment)}
+              className="px-3 py-1 text-xs bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors"
+            >
+              Bearbeiten
+            </button>
+          )}
+          {onDelete && (
+            <button
+              onClick={() => onDelete(enrollment.id)}
+              className="px-3 py-1 text-xs bg-red-50 text-red-600 rounded-lg hover:bg-red-100 transition-colors"
+            >
+              Loeschen
+            </button>
+          )}
+        </div>
+      </div>
+    </div>
+  )
+}
@@ -0,0 +1,70 @@
+'use client'
+
+import React, { useState } from 'react'
+import { Enrollment } from '@/lib/sdk/academy/types'
+import { updateEnrollment } from '@/lib/sdk/academy/api'
+
+export function EnrollmentEditModal({ enrollment, onClose, onSaved }: {
+  enrollment: Enrollment
+  onClose: () => void
+  onSaved: () => void
+}) {
+  const [deadline, setDeadline] = useState(enrollment.deadline ? enrollment.deadline.split('T')[0] : '')
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const handleSave = async () => {
+    setSaving(true)
+    setError(null)
+    try {
+      await updateEnrollment(enrollment.id, { deadline: new Date(deadline).toISOString() })
+      onSaved()
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Fehler beim Speichern')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50 p-4">
+      <div className="bg-white rounded-xl shadow-xl w-full max-w-md">
+        <div className="flex items-center justify-between p-6 border-b border-gray-200">
+          <h2 className="text-lg font-semibold text-gray-900">Einschreibung bearbeiten</h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600">
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          </button>
+        </div>
+        <div className="p-6 space-y-4">
+          <div>
+            <p className="text-sm text-gray-500">Teilnehmer: <span className="font-medium text-gray-900">{enrollment.userName}</span></p>
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-1">Deadline</label>
+            <input
+              type="date"
+              value={deadline}
+              onChange={e => setDeadline(e.target.value)}
+              className="w-full px-3 py-2 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-purple-500"
+            />
+          </div>
+          {error && <p className="text-sm text-red-600">{error}</p>}
+        </div>
+        <div className="flex items-center justify-end gap-3 p-6 border-t border-gray-200">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors">
+            Abbrechen
+          </button>
+          <button
+            onClick={handleSave}
+            disabled={saving || !deadline}
+            className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+          >
+            {saving ? 'Speichern...' : 'Speichern'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
--- a/Show More
+++ b/Show More