fix(dsms-gateway): Dockerfile kopiert alle Dateien nach Refactoring

Das Refactoring hat main.py in models.py, routers/, config.py und dependencies.py aufgesplittet — das Dockerfile kopierte aber nur main.py. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat: FISA 702 / Drittlandrisiko — YAML-Regeln + DSGVO Obligations
2026-04-22 22:17:02 +02:00 · 2026-04-15 00:39:30 +02:00 · 2026-04-13 18:21:35 +02:00 · 2026-04-13 17:40:46 +02:00 · 2026-04-13 14:59:49 +02:00 · 2026-04-13 12:57:05 +02:00
190 changed files with 44190 additions and 1040 deletions
--- a/admin-compliance/tests/ingest-industry-compliance.test.ts
+++ b/admin-compliance/tests/ingest-industry-compliance.test.ts
@@ -48,12 +48,12 @@ describe('Ingestion Script: ingest-industry-compliance.sh', () => {
      expect(scriptContent).toContain('chunk_strategy=recursive')
    })

-    it('should use chunk_size=512', () => {
-      expect(scriptContent).toContain('chunk_size=512')
+    it('should use chunk_size=1024', () => {
+      expect(scriptContent).toContain('chunk_size=1024')
    })

-    it('should use chunk_overlap=50', () => {
-      expect(scriptContent).toContain('chunk_overlap=50')
+    it('should use chunk_overlap=128', () => {
+      expect(scriptContent).toContain('chunk_overlap=128')
    })

    it('should validate minimum file size', () => {
--- a/admin-compliance/app/api/sdk/drafting-engine/draft/route.ts
+++ b/admin-compliance/app/api/sdk/drafting-engine/draft/route.ts
@@ -591,12 +591,43 @@ async function handleV2Draft(body: Record<string, unknown>): Promise<NextRespons
    cacheStats: proseCache.getStats(),
  }

+  // Anti-Fake-Evidence: Truth label for all LLM-generated content
+  const truthLabel = {
+    generation_mode: 'draft_assistance',
+    truth_status: 'generated',
+    may_be_used_as_evidence: false,
+    generated_by: 'system',
+  }
+
+  // Fire-and-forget: persist LLM audit trail to backend
+  try {
+    const BACKEND_URL = process.env.BACKEND_COMPLIANCE_URL || 'http://backend-compliance:8002'
+    fetch(`${BACKEND_URL}/api/compliance/llm-audit`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        entity_type: 'document',
+        entity_id: null,
+        generation_mode: 'draft_assistance',
+        truth_status: 'generated',
+        may_be_used_as_evidence: false,
+        llm_model: LLM_MODEL,
+        llm_provider: 'ollama',
+        input_summary: `${documentType} draft generation`,
+        output_summary: draft?.sections?.length ? `${draft.sections.length} sections generated` : 'draft generated',
+      }),
+    }).catch(() => {/* fire-and-forget */})
+  } catch {
+    // LLM audit persistence failure should not block the response
+  }
+
  return NextResponse.json({
    draft,
    constraintCheck,
    tokensUsed: Math.round(totalTokens),
    pipelineVersion: 'v2',
    auditTrail,
+    truthLabel,
  })
 }

--- a/admin-compliance/app/api/sdk/drafting-engine/validate/route.ts
+++ b/admin-compliance/app/api/sdk/drafting-engine/validate/route.ts
@@ -14,6 +14,76 @@ import { buildCrossCheckPrompt } from '@/lib/sdk/drafting-engine/prompts/validat
 const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
 const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'

+/**
+ * Anti-Fake-Evidence: Verbotene Formulierungen
+ *
+ * Flags formulations that falsely claim compliance without evidence.
+ * Only allowed when: control_status=pass AND confidence >= E2 AND
+ * truth_status in (validated_internal, accepted_by_auditor).
+ */
+interface EvidenceContext {
+  controlStatus?: string
+  confidenceLevel?: string
+  truthStatus?: string
+}
+
+const FORBIDDEN_PATTERNS: Array<{
+  pattern: RegExp
+  label: string
+  safeAlternative: string
+}> = [
+  { pattern: /ist\s+compliant/gi, label: 'ist compliant', safeAlternative: 'soll compliant sein' },
+  { pattern: /erfüllt\s+vollständig/gi, label: 'erfüllt vollständig', safeAlternative: 'soll vollständig erfüllt werden' },
+  { pattern: /wurde\s+geprüft/gi, label: 'wurde geprüft', safeAlternative: 'soll geprüft werden' },
+  { pattern: /wurde\s+umgesetzt/gi, label: 'wurde umgesetzt', safeAlternative: 'ist zur Umsetzung vorgesehen' },
+  { pattern: /ist\s+auditiert/gi, label: 'ist auditiert', safeAlternative: 'soll auditiert werden' },
+  { pattern: /vollständig\s+implementiert/gi, label: 'vollständig implementiert', safeAlternative: 'Implementierung ist vorgesehen' },
+  { pattern: /nachweislich\s+konform/gi, label: 'nachweislich konform', safeAlternative: 'Konformität ist nachzuweisen' },
+]
+
+const CONFIDENCE_ORDER: Record<string, number> = { E0: 0, E1: 1, E2: 2, E3: 3, E4: 4 }
+const VALID_TRUTH_STATUSES = new Set(['validated_internal', 'accepted_by_auditor'])
+
+function checkForbiddenFormulations(
+  content: string,
+  evidenceContext?: EvidenceContext,
+): ValidationFinding[] {
+  const findings: ValidationFinding[] = []
+
+  if (!content) return findings
+
+  // If evidence context shows sufficient proof, allow the formulations
+  if (evidenceContext) {
+    const { controlStatus, confidenceLevel, truthStatus } = evidenceContext
+    const confLevel = CONFIDENCE_ORDER[confidenceLevel ?? 'E0'] ?? 0
+    if (
+      controlStatus === 'pass' &&
+      confLevel >= CONFIDENCE_ORDER.E2 &&
+      VALID_TRUTH_STATUSES.has(truthStatus ?? '')
+    ) {
+      return findings // Formulations are backed by real evidence
+    }
+  }
+
+  for (const { pattern, label, safeAlternative } of FORBIDDEN_PATTERNS) {
+    // Reset regex state for global patterns
+    pattern.lastIndex = 0
+    if (pattern.test(content)) {
+      findings.push({
+        id: `AFE-FORBIDDEN-${label.replace(/\s+/g, '_').toUpperCase()}`,
+        severity: 'error',
+        category: 'forbidden_formulation' as ValidationFinding['category'],
+        title: `Verbotene Formulierung: "${label}"`,
+        description: `Die Formulierung "${label}" impliziert eine nachgewiesene Compliance, die ohne ausreichenden Nachweis (Evidence >= E2, validiert) nicht verwendet werden darf.`,
+        documentType: 'vvt' as ScopeDocumentType,
+        suggestion: `Verwende stattdessen: "${safeAlternative}"`,
+      })
+    }
+  }
+
+  return findings
+}
+
 /**
 * Stufe 1: Deterministische Pruefung
 */
@@ -221,10 +291,18 @@ export async function POST(request: NextRequest) {
      // LLM unavailable, continue with deterministic results only
    }

+    // ---------------------------------------------------------------
+    // Stufe 1b: Verbotene Formulierungen (Anti-Fake-Evidence)
+    // ---------------------------------------------------------------
+    const forbiddenFindings = checkForbiddenFormulations(
+      draftContent || '',
+      validationContext.evidenceContext,
+    )
+
    // ---------------------------------------------------------------
    // Combine results
    // ---------------------------------------------------------------
-    const allFindings = [...deterministicFindings, ...llmFindings]
+    const allFindings = [...deterministicFindings, ...forbiddenFindings, ...llmFindings]
    const errors = allFindings.filter(f => f.severity === 'error')
    const warnings = allFindings.filter(f => f.severity === 'warning')
    const suggestions = allFindings.filter(f => f.severity === 'suggestion')
--- a/admin-compliance/app/api/sdk/v1/ai-registration/[id]/route.ts
+++ b/admin-compliance/app/api/sdk/v1/ai-registration/[id]/route.ts
@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`)
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registration' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update registration' }, { status: 500 })
+  }
+}
+
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}/status`, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update status' }, { status: 500 })
+  }
+}
--- a/admin-compliance/app/api/sdk/v1/ai-registration/route.ts
+++ b/admin-compliance/app/api/sdk/v1/ai-registration/route.ts
@@ -0,0 +1,32 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registrations' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create registration' }, { status: 500 })
+  }
+}
--- a/admin-compliance/app/api/sdk/v1/canonical/route.ts
+++ b/admin-compliance/app/api/sdk/v1/canonical/route.ts
@@ -26,8 +26,8 @@ export async function GET(request: NextRequest) {

      case 'controls': {
        const controlParams = new URLSearchParams()
-        const passthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category',
-          'target_audience', 'source', 'search', 'sort', 'order', 'limit', 'offset']
+        const passthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates', 'sort', 'order', 'limit', 'offset']
        for (const key of passthrough) {
          const val = searchParams.get(key)
          if (val) controlParams.set(key, val)
@@ -39,8 +39,8 @@ export async function GET(request: NextRequest) {

      case 'controls-count': {
        const countParams = new URLSearchParams()
-        const countPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category',
-          'target_audience', 'source', 'search']
+        const countPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
        for (const key of countPassthrough) {
          const val = searchParams.get(key)
          if (val) countParams.set(key, val)
@@ -50,9 +50,18 @@ export async function GET(request: NextRequest) {
        break
      }

-      case 'controls-meta':
-        backendPath = '/api/compliance/v1/canonical/controls-meta'
+      case 'controls-meta': {
+        const metaParams = new URLSearchParams()
+        const metaPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
+        for (const key of metaPassthrough) {
+          const val = searchParams.get(key)
+          if (val) metaParams.set(key, val)
+        }
+        const metaQs = metaParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls-meta${metaQs ? `?${metaQs}` : ''}`
        break
+      }

      case 'control': {
        const controlId = searchParams.get('id')
@@ -99,6 +108,28 @@ export async function GET(request: NextRequest) {
        backendPath = '/api/compliance/v1/canonical/categories'
        break

+      case 'traceability': {
+        const traceId = searchParams.get('id')
+        if (!traceId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(traceId)}/traceability`
+        break
+      }
+
+      case 'provenance': {
+        const provId = searchParams.get('id')
+        if (!provId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(provId)}/provenance`
+        break
+      }
+
+      case 'atomic-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/atomic-stats'
+        break
+
      case 'similar': {
        const simControlId = searchParams.get('id')
        if (!simControlId) {
@@ -113,6 +144,23 @@ export async function GET(request: NextRequest) {
        backendPath = '/api/compliance/v1/canonical/blocked-sources'
        break

+      case 'v1-matches': {
+        const matchId = searchParams.get('id')
+        if (!matchId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(matchId)}/v1-matches`
+        break
+      }
+
+      case 'v1-enrichment-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/v1-enrichment-stats'
+        break
+
+      case 'obligation-dedup-stats':
+        backendPath = '/api/compliance/v1/canonical/obligations/dedup-stats'
+        break
+
      case 'controls-customer': {
        const custSeverity = searchParams.get('severity')
        const custDomain = searchParams.get('domain')
@@ -179,6 +227,16 @@ export async function POST(request: NextRequest) {
      backendPath = '/api/compliance/v1/canonical/generate/bulk-review'
    } else if (endpoint === 'blocked-sources-cleanup') {
      backendPath = '/api/compliance/v1/canonical/blocked-sources/cleanup'
+    } else if (endpoint === 'enrich-v1-matches') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '100'
+      const enrichOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/controls/enrich-v1-matches?dry_run=${dryRun}&batch_size=${batchSize}&offset=${enrichOffset}`
+    } else if (endpoint === 'obligation-dedup') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '0'
+      const dedupOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/obligations/dedup?dry_run=${dryRun}&batch_size=${batchSize}&offset=${dedupOffset}`
    } else if (endpoint === 'similarity-check') {
      const controlId = searchParams.get('id')
      if (!controlId) {
--- a/admin-compliance/app/api/sdk/v1/payment-compliance/route.ts
+++ b/admin-compliance/app/api/sdk/v1/payment-compliance/route.ts
@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'controls'
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+    let path: string
+    switch (endpoint) {
+      case 'controls':
+        const domain = searchParams.get('domain') || ''
+        path = `/sdk/v1/payment-compliance/controls${domain ? `?domain=${domain}` : ''}`
+        break
+      case 'assessments':
+        path = '/sdk/v1/payment-compliance/assessments'
+        break
+      default:
+        path = '/sdk/v1/payment-compliance/controls'
+    }
+
+    const resp = await fetch(`${SDK_URL}${path}`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/assessments`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create' }, { status: 500 })
+  }
+}
--- a/admin-compliance/app/api/sdk/v1/payment-compliance/tender/[id]/route.ts
+++ b/admin-compliance/app/api/sdk/v1/payment-compliance/tender/[id]/route.ts
@@ -0,0 +1,28 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}`)
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const { searchParams } = new URL(request.url)
+    const action = searchParams.get('action') || 'extract'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}/${action}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
--- a/admin-compliance/app/api/sdk/v1/payment-compliance/tender/route.ts
+++ b/admin-compliance/app/api/sdk/v1/payment-compliance/tender/route.ts
@@ -0,0 +1,30 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const formData = await request.formData()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+      body: formData,
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Upload failed' }, { status: 500 })
+  }
+}
--- a/admin-compliance/app/api/sdk/v1/ucca/decision-tree/[[...path]]/route.ts
+++ b/admin-compliance/app/api/sdk/v1/ucca/decision-tree/[[...path]]/route.ts
@@ -0,0 +1,57 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: /api/sdk/v1/ucca/decision-tree/... → Go Backend /sdk/v1/ucca/decision-tree/...
+ */
+async function proxyRequest(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const { path } = await params
+  const subPath = path ? path.join('/') : ''
+  const search = request.nextUrl.search || ''
+  const targetUrl = `${SDK_URL}/sdk/v1/ucca/decision-tree/${subPath}${search}`
+
+  const tenantID = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT
+
+  try {
+    const headers: Record<string, string> = {
+      'X-Tenant-ID': tenantID,
+    }
+
+    const fetchOptions: RequestInit = {
+      method: request.method,
+      headers,
+    }
+
+    if (request.method === 'POST' || request.method === 'PUT' || request.method === 'PATCH') {
+      const body = await request.json()
+      headers['Content-Type'] = 'application/json'
+      fetchOptions.body = JSON.stringify(body)
+    }
+
+    const response = await fetch(targetUrl, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error(`Decision tree proxy error [${request.method} ${subPath}]:`, errorText)
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    console.error('Decision tree proxy connection error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to AI compliance backend' },
+      { status: 503 }
+    )
+  }
+}
+
+export const GET = proxyRequest
+export const POST = proxyRequest
+export const DELETE = proxyRequest
--- a/admin-compliance/app/api/sdk/v1/ucca/decision-tree/route.ts
+++ b/admin-compliance/app/api/sdk/v1/ucca/decision-tree/route.ts
@@ -0,0 +1,36 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: GET /api/sdk/v1/ucca/decision-tree → Go Backend GET /sdk/v1/ucca/decision-tree
+ * Returns the decision tree definition (questions, structure)
+ */
+export async function GET(request: NextRequest) {
+  const tenantID = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT
+
+  try {
+    const response = await fetch(`${SDK_URL}/sdk/v1/ucca/decision-tree`, {
+      headers: { 'X-Tenant-ID': tenantID },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('Decision tree GET error:', errorText)
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Decision tree proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to AI compliance backend' },
+      { status: 503 }
+    )
+  }
+}
--- a/admin-compliance/app/sdk/advisory-board/page.tsx
+++ b/admin-compliance/app/sdk/advisory-board/page.tsx
@@ -333,6 +333,71 @@ function AdvisoryBoardPageInner() {
    purposes: [] as string[],
    // Automation (single-select tile)
    automation: '' as string,
+    // BetrVG / works council
+    employee_monitoring: false,
+    hr_decision_support: false,
+    works_council_consulted: false,
+    // Domain-specific contexts (Annex III)
+    hr_automated_screening: false,
+    hr_automated_rejection: false,
+    hr_candidate_ranking: false,
+    hr_bias_audits: false,
+    hr_agg_visible: false,
+    hr_human_review: false,
+    hr_performance_eval: false,
+    edu_grade_influence: false,
+    edu_exam_evaluation: false,
+    edu_student_selection: false,
+    edu_minors: false,
+    edu_teacher_review: false,
+    hc_diagnosis: false,
+    hc_treatment: false,
+    hc_triage: false,
+    hc_patient_data: false,
+    hc_medical_device: false,
+    hc_clinical_validation: false,
+    // Legal
+    leg_legal_advice: false, leg_court_prediction: false, leg_client_confidential: false,
+    // Public Sector
+    pub_admin_decision: false, pub_benefit_allocation: false, pub_transparency: false,
+    // Critical Infrastructure
+    crit_grid_control: false, crit_safety_critical: false, crit_redundancy: false,
+    // Automotive
+    auto_autonomous: false, auto_safety: false, auto_functional_safety: false,
+    // Retail
+    ret_pricing: false, ret_profiling: false, ret_credit_scoring: false, ret_dark_patterns: false,
+    // IT Security
+    its_surveillance: false, its_threat_detection: false, its_data_retention: false,
+    // Logistics
+    log_driver_tracking: false, log_workload_scoring: false,
+    // Construction
+    con_tenant_screening: false, con_worker_safety: false,
+    // Marketing
+    mkt_deepfake: false, mkt_minors: false, mkt_targeting: false, mkt_labeled: false,
+    // Manufacturing
+    mfg_machine_safety: false, mfg_ce_required: false, mfg_validated: false,
+    // Agriculture
+    agr_pesticide: false, agr_animal_welfare: false, agr_environmental: false,
+    // Social Services
+    soc_vulnerable: false, soc_benefit: false, soc_case_mgmt: false,
+    // Hospitality
+    hos_guest_profiling: false, hos_dynamic_pricing: false, hos_review_manipulation: false,
+    // Insurance
+    ins_risk_class: false, ins_claims: false, ins_premium: false, ins_fraud: false,
+    // Investment
+    inv_algo_trading: false, inv_advice: false, inv_robo: false,
+    // Defense
+    def_dual_use: false, def_export: false, def_classified: false,
+    // Supply Chain
+    sch_supplier: false, sch_human_rights: false, sch_environmental: false,
+    // Facility
+    fac_access: false, fac_occupancy: false, fac_energy: false,
+    // Sports
+    spo_athlete: false, spo_fan: false, spo_doping: false,
+    // Finance / Banking
+    fin_credit_scoring: false, fin_aml_kyc: false, fin_algo_decisions: false, fin_customer_profiling: false,
+    // General
+    gen_affects_people: false, gen_automated_decisions: false, gen_sensitive_data: false,
    // Hosting (single-select tile)
    hosting_provider: '' as string,
    hosting_region: '' as string,
@@ -420,7 +485,131 @@ function AdvisoryBoardPageInner() {
        retention_purpose: form.retention_purpose,
        contracts_list: form.contracts,
        subprocessors: form.subprocessors,
+        employee_monitoring: form.employee_monitoring,
+        hr_decision_support: form.hr_decision_support,
+        works_council_consulted: form.works_council_consulted,
+        // Domain-specific contexts
+        hr_context: ['hr', 'recruiting'].includes(form.domain) ? {
+          automated_screening: form.hr_automated_screening,
+          automated_rejection: form.hr_automated_rejection,
+          candidate_ranking: form.hr_candidate_ranking,
+          bias_audits_done: form.hr_bias_audits,
+          agg_categories_visible: form.hr_agg_visible,
+          human_review_enforced: form.hr_human_review,
+          performance_evaluation: form.hr_performance_eval,
+        } : undefined,
+        education_context: ['education', 'higher_education', 'vocational_training', 'research'].includes(form.domain) ? {
+          grade_influence: form.edu_grade_influence,
+          exam_evaluation: form.edu_exam_evaluation,
+          student_selection: form.edu_student_selection,
+          minors_involved: form.edu_minors,
+          teacher_review_required: form.edu_teacher_review,
+        } : undefined,
+        healthcare_context: ['healthcare', 'medical_devices', 'pharma', 'elderly_care'].includes(form.domain) ? {
+          diagnosis_support: form.hc_diagnosis,
+          treatment_recommendation: form.hc_treatment,
+          triage_decision: form.hc_triage,
+          patient_data_processed: form.hc_patient_data,
+          medical_device: form.hc_medical_device,
+          clinical_validation: form.hc_clinical_validation,
+        } : undefined,
+        legal_context: ['legal', 'consulting', 'tax_advisory'].includes(form.domain) ? {
+          legal_advice: form.leg_legal_advice,
+          court_prediction: form.leg_court_prediction,
+          client_confidential: form.leg_client_confidential,
+        } : undefined,
+        public_sector_context: ['public_sector', 'defense', 'justice'].includes(form.domain) ? {
+          admin_decision: form.pub_admin_decision,
+          benefit_allocation: form.pub_benefit_allocation,
+          transparency_ensured: form.pub_transparency,
+        } : undefined,
+        critical_infra_context: ['energy', 'utilities', 'oil_gas'].includes(form.domain) ? {
+          grid_control: form.crit_grid_control,
+          safety_critical: form.crit_safety_critical,
+          redundancy_exists: form.crit_redundancy,
+        } : undefined,
+        automotive_context: ['automotive', 'aerospace'].includes(form.domain) ? {
+          autonomous_driving: form.auto_autonomous,
+          safety_relevant: form.auto_safety,
+          functional_safety: form.auto_functional_safety,
+        } : undefined,
+        retail_context: ['retail', 'ecommerce', 'wholesale'].includes(form.domain) ? {
+          pricing_personalized: form.ret_pricing,
+          credit_scoring: form.ret_credit_scoring,
+          dark_patterns: form.ret_dark_patterns,
+        } : undefined,
+        it_security_context: ['it_services', 'cybersecurity', 'telecom'].includes(form.domain) ? {
+          employee_surveillance: form.its_surveillance,
+          threat_detection: form.its_threat_detection,
+          data_retention_logs: form.its_data_retention,
+        } : undefined,
+        logistics_context: ['logistics'].includes(form.domain) ? {
+          driver_tracking: form.log_driver_tracking,
+          workload_scoring: form.log_workload_scoring,
+        } : undefined,
+        construction_context: ['construction', 'real_estate', 'facility_management'].includes(form.domain) ? {
+          tenant_screening: form.con_tenant_screening,
+          worker_safety: form.con_worker_safety,
+        } : undefined,
+        marketing_context: ['marketing', 'media', 'entertainment'].includes(form.domain) ? {
+          deepfake_content: form.mkt_deepfake,
+          behavioral_targeting: form.mkt_targeting,
+          minors_targeted: form.mkt_minors,
+          ai_content_labeled: form.mkt_labeled,
+        } : undefined,
+        manufacturing_context: ['mechanical_engineering', 'electrical_engineering', 'plant_engineering', 'chemicals', 'food_beverage'].includes(form.domain) ? {
+          machine_safety: form.mfg_machine_safety,
+          ce_marking_required: form.mfg_ce_required,
+          safety_validated: form.mfg_validated,
+        } : undefined,
+        agriculture_context: ['agriculture', 'forestry', 'fishing'].includes(form.domain) ? {
+          pesticide_ai: form.agr_pesticide,
+          animal_welfare: form.agr_animal_welfare,
+          environmental_data: form.agr_environmental,
+        } : undefined,
+        social_services_context: ['social_services', 'nonprofit'].includes(form.domain) ? {
+          vulnerable_groups: form.soc_vulnerable,
+          benefit_decision: form.soc_benefit,
+          case_management: form.soc_case_mgmt,
+        } : undefined,
+        hospitality_context: ['hospitality', 'tourism'].includes(form.domain) ? {
+          guest_profiling: form.hos_guest_profiling,
+          dynamic_pricing: form.hos_dynamic_pricing,
+          review_manipulation: form.hos_review_manipulation,
+        } : undefined,
+        insurance_context: ['insurance'].includes(form.domain) ? {
+          risk_classification: form.ins_risk_class,
+          claims_automation: form.ins_claims,
+          premium_calculation: form.ins_premium,
+          fraud_detection: form.ins_fraud,
+        } : undefined,
+        investment_context: ['investment'].includes(form.domain) ? {
+          algo_trading: form.inv_algo_trading,
+          investment_advice: form.inv_advice,
+          robo_advisor: form.inv_robo,
+        } : undefined,
+        defense_context: ['defense'].includes(form.domain) ? {
+          dual_use: form.def_dual_use,
+          export_controlled: form.def_export,
+          classified_data: form.def_classified,
+        } : undefined,
+        supply_chain_context: ['textiles', 'packaging'].includes(form.domain) ? {
+          supplier_monitoring: form.sch_supplier,
+          human_rights_check: form.sch_human_rights,
+          environmental_impact: form.sch_environmental,
+        } : undefined,
+        facility_context: ['facility_management'].includes(form.domain) ? {
+          access_control_ai: form.fac_access,
+          occupancy_tracking: form.fac_occupancy,
+          energy_optimization: form.fac_energy,
+        } : undefined,
+        sports_context: ['sports'].includes(form.domain) ? {
+          athlete_tracking: form.spo_athlete,
+          fan_profiling: form.spo_fan,
+        } : undefined,
        store_raw_text: true,
+        // Finance/Banking and General don't need separate context structs —
+        // their fields are evaluated via existing FinancialContext or generic rules
      }

      const url = isEditMode
@@ -777,6 +966,567 @@ function AdvisoryBoardPageInner() {
                Informationspflicht, Recht auf menschliche Ueberpruefung und Anfechtungsmoeglichkeit.
              </p>
            </div>
+
+            {/* BetrVG Section */}
+            <div className="mt-6 pt-6 border-t border-gray-200">
+              <h3 className="text-sm font-semibold text-gray-900 mb-1">Betriebsrat & Beschaeftigtendaten</h3>
+              <p className="text-xs text-gray-500 mb-4">
+                Relevant fuer deutsche Unternehmen mit Betriebsrat (§87 Abs.1 Nr.6 BetrVG).
+              </p>
+              <div className="space-y-3">
+                <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={form.employee_monitoring}
+                    onChange={(e) => updateForm({ employee_monitoring: e.target.checked })}
+                    className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500"
+                  />
+                  <div>
+                    <span className="text-sm font-medium text-gray-900">System kann Verhalten/Leistung ueberwachen</span>
+                    <p className="text-xs text-gray-500">Nutzungslogs, Produktivitaetskennzahlen, Kommunikationsanalyse</p>
+                  </div>
+                </label>
+                <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={form.hr_decision_support}
+                    onChange={(e) => updateForm({ hr_decision_support: e.target.checked })}
+                    className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500"
+                  />
+                  <div>
+                    <span className="text-sm font-medium text-gray-900">System unterstuetzt HR-Entscheidungen</span>
+                    <p className="text-xs text-gray-500">Recruiting, Bewertung, Befoerderung, Kuendigung</p>
+                  </div>
+                </label>
+                <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={form.works_council_consulted}
+                    onChange={(e) => updateForm({ works_council_consulted: e.target.checked })}
+                    className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500"
+                  />
+                  <div>
+                    <span className="text-sm font-medium text-gray-900">Betriebsrat wurde konsultiert</span>
+                    <p className="text-xs text-gray-500">Betriebsvereinbarung liegt vor oder ist in Verhandlung</p>
+                  </div>
+                </label>
+              </div>
+            </div>
+
+            {/* Domain-specific questions — HR/Recruiting */}
+            {['hr', 'recruiting'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">HR & Recruiting — Hochrisiko-Pruefung</h3>
+                <p className="text-xs text-gray-500 mb-4">AI Act Annex III Nr. 4 + AGG — Pflichtfragen bei KI im Personalbereich.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_automated_screening} onChange={(e) => updateForm({ hr_automated_screening: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Bewerber werden automatisch vorsortiert/gerankt</span><p className="text-xs text-gray-500">CV-Screening, Score-basierte Vorauswahl</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_automated_rejection} onChange={(e) => updateForm({ hr_automated_rejection: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Absagen werden automatisch versendet</span><p className="text-xs text-red-700">Art. 22 DSGVO: Vollautomatische Absagen grundsaetzlich unzulaessig!</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_agg_visible} onChange={(e) => updateForm({ hr_agg_visible: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">System kann AGG-Merkmale erkennen (Name, Foto, Alter)</span><p className="text-xs text-gray-500">Proxy-Diskriminierung: Name→Herkunft, Foto→Geschlecht</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_performance_eval} onChange={(e) => updateForm({ hr_performance_eval: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">System bewertet Mitarbeiterleistung</span><p className="text-xs text-gray-500">Performance Reviews, KPI-Tracking</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_bias_audits} onChange={(e) => updateForm({ hr_bias_audits: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Regelmaessige Bias-Audits durchgefuehrt</span><p className="text-xs text-green-700">Analyse nach Geschlecht, Alter, Herkunft</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hr_human_review} onChange={(e) => updateForm({ hr_human_review: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Mensch prueft jede KI-Empfehlung</span><p className="text-xs text-green-700">Kein Rubber Stamping — echte Pruefung</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Domain-specific questions — Education */}
+            {['education', 'higher_education', 'vocational_training', 'research'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Bildung — Hochrisiko-Pruefung</h3>
+                <p className="text-xs text-gray-500 mb-4">AI Act Annex III Nr. 3 — bei KI in Bildung und Ausbildung.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.edu_grade_influence} onChange={(e) => updateForm({ edu_grade_influence: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI beeinflusst Noten oder Bewertungen</span><p className="text-xs text-gray-500">Notenvorschlaege, Bewertungsunterstuetzung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.edu_exam_evaluation} onChange={(e) => updateForm({ edu_exam_evaluation: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI bewertet Pruefungen/Klausuren</span><p className="text-xs text-gray-500">Automatische Korrektur, Bewertungsvorschlaege</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.edu_student_selection} onChange={(e) => updateForm({ edu_student_selection: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI beeinflusst Zugang zu Bildungsangeboten</span><p className="text-xs text-gray-500">Zulassung, Kursempfehlungen, Einstufung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.edu_minors} onChange={(e) => updateForm({ edu_minors: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Minderjaehrige sind betroffen</span><p className="text-xs text-red-700">Besonderer Schutz (Art. 24 EU-Grundrechtecharta)</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.edu_teacher_review} onChange={(e) => updateForm({ edu_teacher_review: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Lehrkraft prueft jedes KI-Ergebnis</span><p className="text-xs text-green-700">Human Oversight vor Mitteilung an Schueler</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Domain-specific questions — Healthcare */}
+            {['healthcare', 'medical_devices', 'pharma', 'elderly_care'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Gesundheitswesen — Hochrisiko-Pruefung</h3>
+                <p className="text-xs text-gray-500 mb-4">AI Act Annex III Nr. 5 + MDR (EU) 2017/745.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_diagnosis} onChange={(e) => updateForm({ hc_diagnosis: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI unterstuetzt Diagnosen</span><p className="text-xs text-gray-500">Diagnosevorschlaege, Bildgebungsauswertung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_treatment} onChange={(e) => updateForm({ hc_treatment: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI empfiehlt Behandlungen</span><p className="text-xs text-gray-500">Therapievorschlaege, Medikation</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_triage} onChange={(e) => updateForm({ hc_triage: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">KI priorisiert Patienten (Triage)</span><p className="text-xs text-red-700">Lebenskritisch — erhoehte Anforderungen</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_patient_data} onChange={(e) => updateForm({ hc_patient_data: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Gesundheitsdaten verarbeitet</span><p className="text-xs text-gray-500">Art. 9 DSGVO — besondere Kategorie</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_medical_device} onChange={(e) => updateForm({ hc_medical_device: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">System ist Medizinprodukt (MDR)</span><p className="text-xs text-gray-500">MDR (EU) 2017/745 — Zertifizierung erforderlich</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hc_clinical_validation} onChange={(e) => updateForm({ hc_clinical_validation: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Klinisch validiert</span><p className="text-xs text-green-700">System wurde in klinischer Studie geprueft</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Legal / Justice */}
+            {['legal', 'consulting', 'tax_advisory'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Recht & Beratung — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">AI Act Annex III Nr. 8 — KI in Rechtspflege und Demokratie.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.leg_legal_advice} onChange={(e) => updateForm({ leg_legal_advice: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI gibt Rechtsberatung oder rechtliche Empfehlungen</span><p className="text-xs text-gray-500">Vertragsanalyse, rechtliche Einschaetzungen, Compliance-Checks</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.leg_court_prediction} onChange={(e) => updateForm({ leg_court_prediction: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI prognostiziert Verfahrensausgaenge</span><p className="text-xs text-gray-500">Urteilsprognosen, Risikoeinschaetzung von Rechtsstreitigkeiten</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.leg_client_confidential} onChange={(e) => updateForm({ leg_client_confidential: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Mandantengeheimnis betroffen</span><p className="text-xs text-gray-500">Vertrauliche Mandantendaten werden durch KI verarbeitet (§ 203 StGB)</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Public Sector */}
+            {['public_sector', 'defense', 'justice'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Oeffentlicher Sektor — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">Art. 27 AI Act — FRIA-Pflicht fuer oeffentliche Stellen.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.pub_admin_decision} onChange={(e) => updateForm({ pub_admin_decision: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">KI beeinflusst Verwaltungsentscheidungen</span><p className="text-xs text-red-700">Bescheide, Bewilligungen, Genehmigungen — FRIA erforderlich</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.pub_benefit_allocation} onChange={(e) => updateForm({ pub_benefit_allocation: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI verteilt Leistungen oder Foerderung</span><p className="text-xs text-gray-500">Sozialleistungen, Subventionen, Zuteilungen</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.pub_transparency} onChange={(e) => updateForm({ pub_transparency: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Transparenz gegenueber Buergern sichergestellt</span><p className="text-xs text-green-700">Buerger werden ueber KI-Nutzung informiert</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Critical Infrastructure */}
+            {['energy', 'utilities', 'oil_gas'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Kritische Infrastruktur — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">AI Act Annex III Nr. 2 + NIS2.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.crit_grid_control} onChange={(e) => updateForm({ crit_grid_control: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI steuert Netz oder Infrastruktur</span><p className="text-xs text-gray-500">Stromnetz, Wasserversorgung, Gasverteilung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.crit_safety_critical} onChange={(e) => updateForm({ crit_safety_critical: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Sicherheitskritische Steuerung</span><p className="text-xs text-red-700">Fehler koennen Menschenleben gefaehrden</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.crit_redundancy} onChange={(e) => updateForm({ crit_redundancy: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Redundante Systeme vorhanden</span><p className="text-xs text-green-700">Fallback bei KI-Ausfall sichergestellt</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Automotive / Aerospace */}
+            {['automotive', 'aerospace'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Automotive / Aerospace — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">Safety-critical AI — Typgenehmigung + Functional Safety.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.auto_autonomous} onChange={(e) => updateForm({ auto_autonomous: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Autonomes Fahren / ADAS</span><p className="text-xs text-red-700">Hochrisiko — erfordert Typgenehmigung und extensive Validierung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.auto_safety} onChange={(e) => updateForm({ auto_safety: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Sicherheitsrelevante Funktion</span><p className="text-xs text-gray-500">Bremsen, Lenkung, Kollisionsvermeidung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.auto_functional_safety} onChange={(e) => updateForm({ auto_functional_safety: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">ISO 26262 Functional Safety beruecksichtigt</span><p className="text-xs text-green-700">ASIL-Einstufung und Sicherheitsvalidierung durchgefuehrt</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Retail / E-Commerce */}
+            {['retail', 'ecommerce', 'wholesale'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Handel & E-Commerce — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">DSA, Verbraucherrecht, DSGVO Art. 22.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ret_pricing} onChange={(e) => updateForm({ ret_pricing: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Personalisierte Preisgestaltung</span><p className="text-xs text-gray-500">Individuelle Preise basierend auf Nutzerprofil</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ret_credit_scoring} onChange={(e) => updateForm({ ret_credit_scoring: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Bonitaetspruefung bei Kauf auf Rechnung</span><p className="text-xs text-gray-500">Kredit-Scoring beeinflusst Zugang zu Zahlungsarten</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ret_dark_patterns} onChange={(e) => updateForm({ ret_dark_patterns: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Manipulative UI-Muster moeglich (Dark Patterns)</span><p className="text-xs text-gray-500">Kuenstliche Verknappung, Social Proof, versteckte Kosten</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* IT / Cybersecurity / Telecom */}
+            {['it_services', 'cybersecurity', 'telecom'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">IT & Cybersecurity — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">NIS2, DSGVO, BetrVG §87.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.its_surveillance} onChange={(e) => updateForm({ its_surveillance: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Mitarbeiterueberwachung (SIEM, DLP, UBA)</span><p className="text-xs text-gray-500">User Behavior Analytics, Data Loss Prevention mit Personenbezug</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.its_threat_detection} onChange={(e) => updateForm({ its_threat_detection: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI-gestuetzte Bedrohungserkennung</span><p className="text-xs text-gray-500">Anomalie-Erkennung, Intrusion Detection</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.its_data_retention} onChange={(e) => updateForm({ its_data_retention: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Umfangreiche Log-Speicherung</span><p className="text-xs text-gray-500">Security-Logs mit Personenbezug werden langfristig gespeichert</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Logistics */}
+            {['logistics'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Logistik — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">BetrVG §87, DSGVO — Worker Tracking.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.log_driver_tracking} onChange={(e) => updateForm({ log_driver_tracking: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Fahrer-/Kurier-Tracking (GPS)</span><p className="text-xs text-gray-500">Standortverfolgung von Mitarbeitern</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.log_workload_scoring} onChange={(e) => updateForm({ log_workload_scoring: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Leistungsbewertung von Lager-/Liefermitarbeitern</span><p className="text-xs text-gray-500">Picks/Stunde, Liefergeschwindigkeit, Performance-Scores</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Construction / Real Estate */}
+            {['construction', 'real_estate', 'facility_management'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Bau & Immobilien — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">AGG, DSGVO, Arbeitsschutz.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.con_tenant_screening} onChange={(e) => updateForm({ con_tenant_screening: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI-gestuetzte Mieterauswahl</span><p className="text-xs text-gray-500">Bonitaetspruefung, Bewerber-Ranking fuer Wohnungen</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.con_worker_safety} onChange={(e) => updateForm({ con_worker_safety: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI-Arbeitsschutzueberwachung auf Baustellen</span><p className="text-xs text-gray-500">Kamera-basierte Sicherheitsueberwachung, Helm-Erkennung</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Marketing / Media */}
+            {['marketing', 'media', 'entertainment'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Marketing & Medien — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">Art. 50 AI Act (Deepfakes), DSA, DSGVO.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.mkt_deepfake} onChange={(e) => updateForm({ mkt_deepfake: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Synthetische Inhalte (Deepfakes)</span><p className="text-xs text-red-700">KI-generierte Bilder, Videos oder Stimmen — Kennzeichnungspflicht!</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.mkt_targeting} onChange={(e) => updateForm({ mkt_targeting: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Verhaltensbasiertes Targeting</span><p className="text-xs text-gray-500">Personalisierte Werbung basierend auf Nutzerverhalten</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.mkt_minors} onChange={(e) => updateForm({ mkt_minors: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Minderjaehrige als Zielgruppe</span><p className="text-xs text-red-700">Besonderer Schutz — DSA Art. 28 verbietet Profiling Minderjaehriger</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.mkt_labeled} onChange={(e) => updateForm({ mkt_labeled: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">KI-Inhalte werden als solche gekennzeichnet</span><p className="text-xs text-green-700">Art. 50 AI Act: Pflicht zur Kennzeichnung synthetischer Inhalte</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Manufacturing */}
+            {['mechanical_engineering', 'electrical_engineering', 'plant_engineering', 'chemicals', 'food_beverage', 'textiles', 'packaging'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Fertigung — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">Maschinenverordnung (EU) 2023/1230, CE-Kennzeichnung.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.mfg_machine_safety} onChange={(e) => updateForm({ mfg_machine_safety: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">KI in Maschinensicherheit</span><p className="text-xs text-red-700">Sicherheitsrelevante Steuerung — Validierung erforderlich</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.mfg_ce_required} onChange={(e) => updateForm({ mfg_ce_required: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">CE-Kennzeichnung erforderlich</span><p className="text-xs text-gray-500">Maschinenverordnung (EU) 2023/1230</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-green-200 bg-green-50 hover:bg-green-100 cursor-pointer">
+                    <input type="checkbox" checked={form.mfg_validated} onChange={(e) => updateForm({ mfg_validated: e.target.checked })} className="w-4 h-4 rounded border-green-300 text-green-600 focus:ring-green-500" />
+                    <div><span className="text-sm font-medium text-green-900">Sicherheitsvalidierung durchgefuehrt</span><p className="text-xs text-green-700">Konformitaetsbewertung nach Maschinenverordnung abgeschlossen</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Agriculture */}
+            {['agriculture', 'forestry', 'fishing'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Landwirtschaft — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.agr_pesticide} onChange={(e) => updateForm({ agr_pesticide: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI steuert Pestizideinsatz</span><p className="text-xs text-gray-500">Precision Farming, automatisierte Ausbringung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.agr_animal_welfare} onChange={(e) => updateForm({ agr_animal_welfare: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI beeinflusst Tierhaltungsentscheidungen</span><p className="text-xs text-gray-500">Fuetterung, Gesundheit, Stallmanagement</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.agr_environmental} onChange={(e) => updateForm({ agr_environmental: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Umweltdaten werden verarbeitet</span><p className="text-xs text-gray-500">Boden, Wasser, Emissionen</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Social Services */}
+            {['social_services', 'nonprofit'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Soziales — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.soc_vulnerable} onChange={(e) => updateForm({ soc_vulnerable: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Schutzbeduerftiger Personenkreis betroffen</span><p className="text-xs text-red-700">Kinder, Senioren, Gefluechtete, Menschen mit Behinderung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.soc_benefit} onChange={(e) => updateForm({ soc_benefit: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI beeinflusst Leistungszuteilung</span><p className="text-xs text-gray-500">Sozialleistungen, Hilfsangebote, Foerderung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.soc_case_mgmt} onChange={(e) => updateForm({ soc_case_mgmt: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI in Fallmanagement</span><p className="text-xs text-gray-500">Priorisierung, Zuordnung, Verlaufsprognose</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Hospitality / Tourism */}
+            {['hospitality', 'tourism'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Tourismus & Gastronomie — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hos_guest_profiling} onChange={(e) => updateForm({ hos_guest_profiling: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Gaeste-Profilbildung</span><p className="text-xs text-gray-500">Praeferenzen, Buchungsverhalten, Segmentierung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.hos_dynamic_pricing} onChange={(e) => updateForm({ hos_dynamic_pricing: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Dynamische Preisgestaltung</span><p className="text-xs text-gray-500">Personalisierte Zimmer-/Flugreise</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.hos_review_manipulation} onChange={(e) => updateForm({ hos_review_manipulation: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">KI manipuliert oder generiert Bewertungen</span><p className="text-xs text-red-700">Fake Reviews sind unzulaessig (UWG, DSA)</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Insurance */}
+            {['insurance'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Versicherung — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ins_premium} onChange={(e) => updateForm({ ins_premium: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI berechnet individuelle Praemien</span><p className="text-xs text-gray-500">Risikoadjustierte Preisgestaltung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ins_claims} onChange={(e) => updateForm({ ins_claims: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Automatisierte Schadenbearbeitung</span><p className="text-xs text-gray-500">KI entscheidet ueber Schadenregulierung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ins_fraud} onChange={(e) => updateForm({ ins_fraud: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI-Betrugserkennung</span><p className="text-xs text-gray-500">Automatische Verdachtsfallerkennung</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Investment */}
+            {['investment'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Investment — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.inv_algo_trading} onChange={(e) => updateForm({ inv_algo_trading: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Algorithmischer Handel</span><p className="text-xs text-gray-500">Automated Trading, HFT — MiFID II relevant</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.inv_robo} onChange={(e) => updateForm({ inv_robo: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Robo Advisor / KI-Anlageberatung</span><p className="text-xs text-gray-500">Automatisierte Vermoegensberatung — WpHG-Pflichten</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Defense */}
+            {['defense'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Verteidigung — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-red-200 bg-red-50 hover:bg-red-100 cursor-pointer">
+                    <input type="checkbox" checked={form.def_dual_use} onChange={(e) => updateForm({ def_dual_use: e.target.checked })} className="w-4 h-4 rounded border-red-300 text-red-600 focus:ring-red-500" />
+                    <div><span className="text-sm font-medium text-red-900">Dual-Use KI-Technologie</span><p className="text-xs text-red-700">Exportkontrolle (EU VO 2021/821) beachten</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.def_classified} onChange={(e) => updateForm({ def_classified: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Verschlusssachen werden verarbeitet</span><p className="text-xs text-gray-500">VS-NfD oder hoeher — besondere Schutzmassnahmen</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Supply Chain (Textiles, Packaging) */}
+            {['textiles', 'packaging'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Lieferkette — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">LkSG — Lieferkettensorgfaltspflichtengesetz.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.sch_supplier} onChange={(e) => updateForm({ sch_supplier: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI ueberwacht Lieferanten</span><p className="text-xs text-gray-500">Lieferantenbewertung, Risikoanalyse</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.sch_human_rights} onChange={(e) => updateForm({ sch_human_rights: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI prueft Menschenrechte in Lieferkette</span><p className="text-xs text-gray-500">LkSG-Sorgfaltspflichten, Kinderarbeit, Zwangsarbeit</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Sports */}
+            {['sports'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Sport — Compliance-Fragen</h3>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.spo_athlete} onChange={(e) => updateForm({ spo_athlete: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Athleten-Performance-Tracking</span><p className="text-xs text-gray-500">GPS, Biometrie, Leistungsdaten</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.spo_fan} onChange={(e) => updateForm({ spo_fan: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Fan-/Zuschauer-Profilbildung</span><p className="text-xs text-gray-500">Ticketing, Merchandising, Stadion-Tracking</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* Finance / Banking */}
+            {['finance', 'banking'].includes(form.domain) && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Finanzdienstleistungen — Compliance-Fragen</h3>
+                <p className="text-xs text-gray-500 mb-4">DORA, MaRisk, BAIT, AI Act Annex III Nr. 5.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.fin_credit_scoring} onChange={(e) => updateForm({ fin_credit_scoring: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">KI-gestuetztes Kredit-Scoring</span><p className="text-xs text-gray-500">Bonitaetsbewertung, Kreditwuerdigkeitspruefung — Art. 22 DSGVO + AGG</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.fin_aml_kyc} onChange={(e) => updateForm({ fin_aml_kyc: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">AML/KYC Automatisierung</span><p className="text-xs text-gray-500">Geldwaeschebekacmpfung, Kundenidentifizierung durch KI</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.fin_algo_decisions} onChange={(e) => updateForm({ fin_algo_decisions: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Automatisierte Finanzentscheidungen</span><p className="text-xs text-gray-500">Kreditvergabe, Kontosperrung, Limitaenderungen</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.fin_customer_profiling} onChange={(e) => updateForm({ fin_customer_profiling: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Kunden-Profilbildung / Segmentierung</span><p className="text-xs text-gray-500">Risikoklassifikation, Produkt-Empfehlungen</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
+
+            {/* General — universal AI governance questions */}
+            {form.domain === 'general' && (
+              <div className="mt-6 pt-6 border-t border-gray-200">
+                <h3 className="text-sm font-semibold text-gray-900 mb-1">Allgemeine KI-Governance</h3>
+                <p className="text-xs text-gray-500 mb-4">Grundlegende Compliance-Fragen fuer jeden KI-Einsatz.</p>
+                <div className="space-y-3">
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.gen_affects_people} onChange={(e) => updateForm({ gen_affects_people: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">System hat Auswirkungen auf natuerliche Personen</span><p className="text-xs text-gray-500">Entscheidungen, Empfehlungen oder Bewertungen betreffen Menschen direkt</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.gen_automated_decisions} onChange={(e) => updateForm({ gen_automated_decisions: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Automatisierte Entscheidungen werden getroffen</span><p className="text-xs text-gray-500">KI trifft oder beeinflusst Entscheidungen ohne menschliche Pruefung</p></div>
+                  </label>
+                  <label className="flex items-center gap-3 p-3 rounded-lg border border-gray-200 hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.gen_sensitive_data} onChange={(e) => updateForm({ gen_sensitive_data: e.target.checked })} className="w-4 h-4 rounded border-gray-300 text-purple-600 focus:ring-purple-500" />
+                    <div><span className="text-sm font-medium text-gray-900">Sensible oder vertrauliche Daten verarbeitet</span><p className="text-xs text-gray-500">Geschaeftsgeheimnisse, personenbezogene Daten, vertrauliche Informationen</p></div>
+                  </label>
+                </div>
+              </div>
+            )}
          </div>
        )}

--- a/admin-compliance/app/sdk/ai-act/page.tsx
+++ b/admin-compliance/app/sdk/ai-act/page.tsx
@@ -3,6 +3,7 @@
 import React, { useState, useEffect } from 'react'
 import { useSDK } from '@/lib/sdk'
 import { StepHeader, STEP_EXPLANATIONS } from '@/components/sdk/StepHeader'
+import DecisionTreeWizard from '@/components/sdk/ai-act/DecisionTreeWizard'

 // =============================================================================
 // TYPES
@@ -21,6 +22,8 @@ interface AISystem {
  assessmentResult: Record<string, unknown> | null
 }

+type TabId = 'overview' | 'decision-tree' | 'results'
+
 // =============================================================================
 // LOADING SKELETON
 // =============================================================================
@@ -306,12 +309,178 @@ function AISystemCard({
  )
 }

+// =============================================================================
+// SAVED RESULTS TAB
+// =============================================================================
+
+interface SavedResult {
+  id: string
+  system_name: string
+  system_description?: string
+  high_risk_result: string
+  gpai_result: { gpai_category: string; is_systemic_risk: boolean }
+  combined_obligations: string[]
+  created_at: string
+}
+
+function SavedResultsTab() {
+  const [results, setResults] = useState<SavedResult[]>([])
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    const load = async () => {
+      try {
+        const res = await fetch('/api/sdk/v1/ucca/decision-tree/results')
+        if (res.ok) {
+          const data = await res.json()
+          setResults(data.results || [])
+        }
+      } catch {
+        // Ignore
+      } finally {
+        setLoading(false)
+      }
+    }
+    load()
+  }, [])
+
+  const handleDelete = async (id: string) => {
+    if (!confirm('Ergebnis wirklich löschen?')) return
+    try {
+      const res = await fetch(`/api/sdk/v1/ucca/decision-tree/results/${id}`, { method: 'DELETE' })
+      if (res.ok) {
+        setResults(prev => prev.filter(r => r.id !== id))
+      }
+    } catch {
+      // Ignore
+    }
+  }
+
+  const riskLabels: Record<string, string> = {
+    unacceptable: 'Unzulässig',
+    high_risk: 'Hochrisiko',
+    limited_risk: 'Begrenztes Risiko',
+    minimal_risk: 'Minimales Risiko',
+    not_applicable: 'Nicht anwendbar',
+  }
+
+  const riskColors: Record<string, string> = {
+    unacceptable: 'bg-red-100 text-red-700',
+    high_risk: 'bg-orange-100 text-orange-700',
+    limited_risk: 'bg-yellow-100 text-yellow-700',
+    minimal_risk: 'bg-green-100 text-green-700',
+    not_applicable: 'bg-gray-100 text-gray-500',
+  }
+
+  const gpaiLabels: Record<string, string> = {
+    none: 'Kein GPAI',
+    standard: 'GPAI Standard',
+    systemic: 'GPAI Systemisch',
+  }
+
+  const gpaiColors: Record<string, string> = {
+    none: 'bg-gray-100 text-gray-500',
+    standard: 'bg-blue-100 text-blue-700',
+    systemic: 'bg-purple-100 text-purple-700',
+  }
+
+  if (loading) {
+    return <LoadingSkeleton />
+  }
+
+  if (results.length === 0) {
+    return (
+      <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+        <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
+          <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+          </svg>
+        </div>
+        <h3 className="text-lg font-semibold text-gray-900">Keine Ergebnisse vorhanden</h3>
+        <p className="mt-2 text-gray-500">Nutzen Sie den Entscheidungsbaum, um KI-Systeme zu klassifizieren.</p>
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-4">
+      {results.map(r => (
+        <div key={r.id} className="bg-white rounded-xl border border-gray-200 p-5">
+          <div className="flex items-start justify-between">
+            <div>
+              <h4 className="font-semibold text-gray-900">{r.system_name}</h4>
+              {r.system_description && (
+                <p className="text-sm text-gray-500 mt-0.5">{r.system_description}</p>
+              )}
+              <div className="flex items-center gap-2 mt-2">
+                <span className={`px-2 py-1 text-xs rounded-full ${riskColors[r.high_risk_result] || 'bg-gray-100 text-gray-500'}`}>
+                  {riskLabels[r.high_risk_result] || r.high_risk_result}
+                </span>
+                <span className={`px-2 py-1 text-xs rounded-full ${gpaiColors[r.gpai_result?.gpai_category] || 'bg-gray-100 text-gray-500'}`}>
+                  {gpaiLabels[r.gpai_result?.gpai_category] || 'Kein GPAI'}
+                </span>
+                {r.gpai_result?.is_systemic_risk && (
+                  <span className="px-2 py-1 text-xs rounded-full bg-red-100 text-red-700">Systemisch</span>
+                )}
+              </div>
+              <div className="text-xs text-gray-400 mt-2">
+                {r.combined_obligations?.length || 0} Pflichten &middot; {new Date(r.created_at).toLocaleDateString('de-DE')}
+              </div>
+            </div>
+            <button
+              onClick={() => handleDelete(r.id)}
+              className="px-3 py-1 text-xs text-red-600 hover:bg-red-50 rounded transition-colors"
+            >
+              Löschen
+            </button>
+          </div>
+        </div>
+      ))}
+    </div>
+  )
+}
+
+// =============================================================================
+// TABS
+// =============================================================================
+
+const TABS: { id: TabId; label: string; icon: React.ReactNode }[] = [
+  {
+    id: 'overview',
+    label: 'Übersicht',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M3.75 6A2.25 2.25 0 016 3.75h2.25A2.25 2.25 0 0110.5 6v2.25a2.25 2.25 0 01-2.25 2.25H6a2.25 2.25 0 01-2.25-2.25V6zM3.75 15.75A2.25 2.25 0 016 13.5h2.25a2.25 2.25 0 012.25 2.25V18a2.25 2.25 0 01-2.25 2.25H6A2.25 2.25 0 013.75 18v-2.25zM13.5 6a2.25 2.25 0 012.25-2.25H18A2.25 2.25 0 0120.25 6v2.25A2.25 2.25 0 0118 10.5h-2.25a2.25 2.25 0 01-2.25-2.25V6zM13.5 15.75a2.25 2.25 0 012.25-2.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-2.25A2.25 2.25 0 0113.5 18v-2.25z" />
+      </svg>
+    ),
+  },
+  {
+    id: 'decision-tree',
+    label: 'Entscheidungsbaum',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M3.75 12h16.5m-16.5 3.75h16.5M3.75 19.5h16.5M5.625 4.5h12.75a1.875 1.875 0 010 3.75H5.625a1.875 1.875 0 010-3.75z" />
+      </svg>
+    ),
+  },
+  {
+    id: 'results',
+    label: 'Ergebnisse',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M9 12h3.75M9 15h3.75M9 18h3.75m3 .75H18a2.25 2.25 0 002.25-2.25V6.108c0-1.135-.845-2.098-1.976-2.192a48.424 48.424 0 00-1.123-.08m-5.801 0c-.065.21-.1.433-.1.664 0 .414.336.75.75.75h4.5a.75.75 0 00.75-.75 2.25 2.25 0 00-.1-.664m-5.8 0A2.251 2.251 0 0113.5 2.25H15c1.012 0 1.867.668 2.15 1.586m-5.8 0c-.376.023-.75.05-1.124.08C9.095 4.01 8.25 4.973 8.25 6.108V8.25m0 0H4.875c-.621 0-1.125.504-1.125 1.125v11.25c0 .621.504 1.125 1.125 1.125h9.75c.621 0 1.125-.504 1.125-1.125V9.375c0-.621-.504-1.125-1.125-1.125H8.25z" />
+      </svg>
+    ),
+  },
+]
+
 // =============================================================================
 // MAIN PAGE
 // =============================================================================

 export default function AIActPage() {
  const { state } = useSDK()
+  const [activeTab, setActiveTab] = useState<TabId>('overview')
  const [systems, setSystems] = useState<AISystem[]>([])
  const [filter, setFilter] = useState<string>('all')
  const [showAddForm, setShowAddForm] = useState(false)
@@ -354,7 +523,6 @@ export default function AIActPage() {
  const handleAddSystem = async (data: Omit<AISystem, 'id' | 'assessmentDate' | 'assessmentResult'>) => {
    setError(null)
    if (editingSystem) {
-      // Edit existing system via PUT
      try {
        const res = await fetch(`/api/sdk/v1/compliance/ai/systems/${editingSystem.id}`, {
          method: 'PUT',
@@ -380,14 +548,12 @@ export default function AIActPage() {
          setError('Speichern fehlgeschlagen')
        }
      } catch {
-        // Fallback: update locally
        setSystems(prev => prev.map(s =>
          s.id === editingSystem.id ? { ...s, ...data } : s
        ))
      }
      setEditingSystem(null)
    } else {
-      // Create new system via POST
      try {
        const res = await fetch('/api/sdk/v1/compliance/ai/systems', {
          method: 'POST',
@@ -415,7 +581,6 @@ export default function AIActPage() {
          setError('Registrierung fehlgeschlagen')
        }
      } catch {
-        // Fallback: add locally
        const newSystem: AISystem = {
          ...data,
          id: `ai-${Date.now()}`,
@@ -503,17 +668,37 @@ export default function AIActPage() {
        explanation={stepInfo.explanation}
        tips={stepInfo.tips}
      >
-        <button
-          onClick={() => setShowAddForm(true)}
-          className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
-        >
-          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
-          </svg>
-          KI-System registrieren
-        </button>
+        {activeTab === 'overview' && (
+          <button
+            onClick={() => setShowAddForm(true)}
+            className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+          >
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
+            </svg>
+            KI-System registrieren
+          </button>
+        )}
      </StepHeader>

+      {/* Tabs */}
+      <div className="flex items-center gap-1 bg-gray-100 p-1 rounded-lg w-fit">
+        {TABS.map(tab => (
+          <button
+            key={tab.id}
+            onClick={() => setActiveTab(tab.id)}
+            className={`flex items-center gap-2 px-4 py-2 text-sm font-medium rounded-md transition-colors ${
+              activeTab === tab.id
+                ? 'bg-white text-purple-700 shadow-sm'
+                : 'text-gray-600 hover:text-gray-900'
+            }`}
+          >
+            {tab.icon}
+            {tab.label}
+          </button>
+        ))}
+      </div>
+
      {/* Error Banner */}
      {error && (
        <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
@@ -522,90 +707,105 @@ export default function AIActPage() {
        </div>
      )}

-      {/* Add/Edit System Form */}
-      {showAddForm && (
-        <AddSystemForm
-          onSubmit={handleAddSystem}
-          onCancel={() => { setShowAddForm(false); setEditingSystem(null) }}
-          initialData={editingSystem}
-        />
-      )}
-
-      {/* Stats */}
-      <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-        <div className="bg-white rounded-xl border border-gray-200 p-6">
-          <div className="text-sm text-gray-500">KI-Systeme gesamt</div>
-          <div className="text-3xl font-bold text-gray-900">{systems.length}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-orange-200 p-6">
-          <div className="text-sm text-orange-600">Hochrisiko</div>
-          <div className="text-3xl font-bold text-orange-600">{highRiskCount}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-green-200 p-6">
-          <div className="text-sm text-green-600">Konform</div>
-          <div className="text-3xl font-bold text-green-600">{compliantCount}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-gray-200 p-6">
-          <div className="text-sm text-gray-500">Nicht klassifiziert</div>
-          <div className="text-3xl font-bold text-gray-500">{unclassifiedCount}</div>
-        </div>
-      </div>
-
-      {/* Risk Pyramid */}
-      <RiskPyramid systems={systems} />
-
-      {/* Filter */}
-      <div className="flex items-center gap-2 flex-wrap">
-        <span className="text-sm text-gray-500">Filter:</span>
-        {['all', 'high-risk', 'limited-risk', 'minimal-risk', 'unclassified', 'compliant', 'non-compliant'].map(f => (
-          <button
-            key={f}
-            onClick={() => setFilter(f)}
-            className={`px-3 py-1 text-sm rounded-full transition-colors ${
-              filter === f
-                ? 'bg-purple-600 text-white'
-                : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
-            }`}
-          >
-            {f === 'all' ? 'Alle' :
-             f === 'high-risk' ? 'Hochrisiko' :
-             f === 'limited-risk' ? 'Begrenztes Risiko' :
-             f === 'minimal-risk' ? 'Minimales Risiko' :
-             f === 'unclassified' ? 'Nicht klassifiziert' :
-             f === 'compliant' ? 'Konform' : 'Nicht konform'}
-          </button>
-        ))}
-      </div>
-
-      {/* Loading */}
-      {loading && <LoadingSkeleton />}
-
-      {/* AI Systems List */}
-      {!loading && (
-        <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-          {filteredSystems.map(system => (
-            <AISystemCard
-              key={system.id}
-              system={system}
-              onAssess={() => handleAssess(system.id)}
-              onEdit={() => handleEdit(system)}
-              onDelete={() => handleDelete(system.id)}
-              assessing={assessingId === system.id}
+      {/* Tab: Overview */}
+      {activeTab === 'overview' && (
+        <>
+          {/* Add/Edit System Form */}
+          {showAddForm && (
+            <AddSystemForm
+              onSubmit={handleAddSystem}
+              onCancel={() => { setShowAddForm(false); setEditingSystem(null) }}
+              initialData={editingSystem}
            />
-          ))}
-        </div>
+          )}
+
+          {/* Stats */}
+          <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+            <div className="bg-white rounded-xl border border-gray-200 p-6">
+              <div className="text-sm text-gray-500">KI-Systeme gesamt</div>
+              <div className="text-3xl font-bold text-gray-900">{systems.length}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-orange-200 p-6">
+              <div className="text-sm text-orange-600">Hochrisiko</div>
+              <div className="text-3xl font-bold text-orange-600">{highRiskCount}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-green-200 p-6">
+              <div className="text-sm text-green-600">Konform</div>
+              <div className="text-3xl font-bold text-green-600">{compliantCount}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-gray-200 p-6">
+              <div className="text-sm text-gray-500">Nicht klassifiziert</div>
+              <div className="text-3xl font-bold text-gray-500">{unclassifiedCount}</div>
+            </div>
+          </div>
+
+          {/* Risk Pyramid */}
+          <RiskPyramid systems={systems} />
+
+          {/* Filter */}
+          <div className="flex items-center gap-2 flex-wrap">
+            <span className="text-sm text-gray-500">Filter:</span>
+            {['all', 'high-risk', 'limited-risk', 'minimal-risk', 'unclassified', 'compliant', 'non-compliant'].map(f => (
+              <button
+                key={f}
+                onClick={() => setFilter(f)}
+                className={`px-3 py-1 text-sm rounded-full transition-colors ${
+                  filter === f
+                    ? 'bg-purple-600 text-white'
+                    : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
+                }`}
+              >
+                {f === 'all' ? 'Alle' :
+                 f === 'high-risk' ? 'Hochrisiko' :
+                 f === 'limited-risk' ? 'Begrenztes Risiko' :
+                 f === 'minimal-risk' ? 'Minimales Risiko' :
+                 f === 'unclassified' ? 'Nicht klassifiziert' :
+                 f === 'compliant' ? 'Konform' : 'Nicht konform'}
+              </button>
+            ))}
+          </div>
+
+          {/* Loading */}
+          {loading && <LoadingSkeleton />}
+
+          {/* AI Systems List */}
+          {!loading && (
+            <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
+              {filteredSystems.map(system => (
+                <AISystemCard
+                  key={system.id}
+                  system={system}
+                  onAssess={() => handleAssess(system.id)}
+                  onEdit={() => handleEdit(system)}
+                  onDelete={() => handleDelete(system.id)}
+                  assessing={assessingId === system.id}
+                />
+              ))}
+            </div>
+          )}
+
+          {!loading && filteredSystems.length === 0 && (
+            <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+              <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
+                <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                </svg>
+              </div>
+              <h3 className="text-lg font-semibold text-gray-900">Keine KI-Systeme gefunden</h3>
+              <p className="mt-2 text-gray-500">Passen Sie den Filter an oder registrieren Sie ein neues KI-System.</p>
+            </div>
+          )}
+        </>
      )}

-      {!loading && filteredSystems.length === 0 && (
-        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
-          <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
-            <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
-            </svg>
-          </div>
-          <h3 className="text-lg font-semibold text-gray-900">Keine KI-Systeme gefunden</h3>
-          <p className="mt-2 text-gray-500">Passen Sie den Filter an oder registrieren Sie ein neues KI-System.</p>
-        </div>
+      {/* Tab: Decision Tree */}
+      {activeTab === 'decision-tree' && (
+        <DecisionTreeWizard />
+      )}
+
+      {/* Tab: Results */}
+      {activeTab === 'results' && (
+        <SavedResultsTab />
      )}
    </div>
  )
--- a/admin-compliance/app/sdk/ai-registration/page.tsx
+++ b/admin-compliance/app/sdk/ai-registration/page.tsx
@@ -0,0 +1,491 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+
+interface Registration {
+  id: string
+  system_name: string
+  system_version: string
+  risk_classification: string
+  gpai_classification: string
+  registration_status: string
+  eu_database_id: string
+  provider_name: string
+  created_at: string
+}
+
+const STATUS_STYLES: Record<string, { bg: string; text: string; label: string }> = {
+  draft: { bg: 'bg-gray-100', text: 'text-gray-700', label: 'Entwurf' },
+  ready: { bg: 'bg-blue-100', text: 'text-blue-700', label: 'Bereit' },
+  submitted: { bg: 'bg-yellow-100', text: 'text-yellow-700', label: 'Eingereicht' },
+  registered: { bg: 'bg-green-100', text: 'text-green-700', label: 'Registriert' },
+  update_required: { bg: 'bg-orange-100', text: 'text-orange-700', label: 'Update noetig' },
+  withdrawn: { bg: 'bg-red-100', text: 'text-red-700', label: 'Zurueckgezogen' },
+}
+
+const RISK_STYLES: Record<string, { bg: string; text: string }> = {
+  high_risk: { bg: 'bg-red-100', text: 'text-red-700' },
+  limited_risk: { bg: 'bg-yellow-100', text: 'text-yellow-700' },
+  minimal_risk: { bg: 'bg-green-100', text: 'text-green-700' },
+  not_classified: { bg: 'bg-gray-100', text: 'text-gray-500' },
+}
+
+const INITIAL_FORM = {
+  system_name: '',
+  system_version: '1.0',
+  system_description: '',
+  intended_purpose: '',
+  provider_name: '',
+  provider_legal_form: '',
+  provider_address: '',
+  provider_country: 'DE',
+  eu_representative_name: '',
+  eu_representative_contact: '',
+  risk_classification: 'not_classified',
+  annex_iii_category: '',
+  gpai_classification: 'none',
+  conformity_assessment_type: 'internal',
+  notified_body_name: '',
+  notified_body_id: '',
+  ce_marking: false,
+  training_data_summary: '',
+}
+
+export default function AIRegistrationPage() {
+  const [registrations, setRegistrations] = useState<Registration[]>([])
+  const [loading, setLoading] = useState(true)
+  const [showWizard, setShowWizard] = useState(false)
+  const [wizardStep, setWizardStep] = useState(1)
+  const [form, setForm] = useState({ ...INITIAL_FORM })
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => { loadRegistrations() }, [])
+
+  async function loadRegistrations() {
+    try {
+      setLoading(true)
+      const resp = await fetch('/api/sdk/v1/ai-registration')
+      if (resp.ok) {
+        const data = await resp.json()
+        setRegistrations(data.registrations || [])
+      }
+    } catch {
+      setError('Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  async function handleSubmit() {
+    setSubmitting(true)
+    try {
+      const resp = await fetch('/api/sdk/v1/ai-registration', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(form),
+      })
+      if (resp.ok) {
+        setShowWizard(false)
+        setForm({ ...INITIAL_FORM })
+        setWizardStep(1)
+        loadRegistrations()
+      } else {
+        const data = await resp.json()
+        setError(data.error || 'Fehler beim Erstellen')
+      }
+    } catch {
+      setError('Netzwerkfehler')
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  async function handleExport(id: string) {
+    try {
+      const resp = await fetch(`/api/sdk/v1/ai-registration/${id}`)
+      if (resp.ok) {
+        const reg = await resp.json()
+        // Build export JSON client-side
+        const exportData = {
+          schema_version: '1.0',
+          submission_type: 'ai_system_registration',
+          regulation: 'EU AI Act (EU) 2024/1689',
+          article: 'Art. 49',
+          provider: { name: reg.provider_name, address: reg.provider_address, country: reg.provider_country },
+          system: { name: reg.system_name, version: reg.system_version, description: reg.system_description, purpose: reg.intended_purpose },
+          classification: { risk_level: reg.risk_classification, annex_iii: reg.annex_iii_category, gpai: reg.gpai_classification },
+          conformity: { type: reg.conformity_assessment_type, ce_marking: reg.ce_marking },
+        }
+        const blob = new Blob([JSON.stringify(exportData, null, 2)], { type: 'application/json' })
+        const url = URL.createObjectURL(blob)
+        const a = document.createElement('a')
+        a.href = url
+        a.download = `eu_ai_registration_${reg.system_name.replace(/\s+/g, '_')}.json`
+        a.click()
+        URL.revokeObjectURL(url)
+      }
+    } catch {
+      setError('Export fehlgeschlagen')
+    }
+  }
+
+  async function handleStatusChange(id: string, status: string) {
+    try {
+      await fetch(`/api/sdk/v1/ai-registration/${id}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ status }),
+      })
+      loadRegistrations()
+    } catch {
+      setError('Status-Aenderung fehlgeschlagen')
+    }
+  }
+
+  const updateForm = (updates: Partial<typeof form>) => setForm(prev => ({ ...prev, ...updates }))
+
+  const STEPS = [
+    { id: 1, title: 'Anbieter', desc: 'Unternehmensangaben' },
+    { id: 2, title: 'System', desc: 'KI-System Details' },
+    { id: 3, title: 'Klassifikation', desc: 'Risikoeinstufung' },
+    { id: 4, title: 'Konformitaet', desc: 'CE & Notified Body' },
+    { id: 5, title: 'Trainingsdaten', desc: 'Datenzusammenfassung' },
+    { id: 6, title: 'Pruefung', desc: 'Zusammenfassung & Export' },
+  ]
+
+  return (
+    <div className="max-w-5xl mx-auto p-6">
+      {/* Header */}
+      <div className="flex items-center justify-between mb-8">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">EU AI Database Registrierung</h1>
+          <p className="text-sm text-gray-500 mt-1">Art. 49 KI-Verordnung (EU) 2024/1689 — Registrierung von Hochrisiko-KI-Systemen</p>
+        </div>
+        <button
+          onClick={() => setShowWizard(true)}
+          className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+        >
+          + Neue Registrierung
+        </button>
+      </div>
+
+      {error && (
+        <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg text-sm text-red-700">
+          {error}
+          <button onClick={() => setError(null)} className="ml-2 underline">Schliessen</button>
+        </div>
+      )}
+
+      {/* Stats */}
+      <div className="grid grid-cols-4 gap-4 mb-8">
+        {['draft', 'ready', 'submitted', 'registered'].map(status => {
+          const count = registrations.filter(r => r.registration_status === status).length
+          const style = STATUS_STYLES[status]
+          return (
+            <div key={status} className={`p-4 rounded-xl border ${style.bg}`}>
+              <div className={`text-2xl font-bold ${style.text}`}>{count}</div>
+              <div className="text-sm text-gray-600">{style.label}</div>
+            </div>
+          )
+        })}
+      </div>
+
+      {/* Registrations List */}
+      {loading ? (
+        <div className="text-center py-12 text-gray-500">Lade...</div>
+      ) : registrations.length === 0 ? (
+        <div className="text-center py-12 text-gray-400">
+          <p className="text-lg mb-2">Noch keine Registrierungen</p>
+          <p className="text-sm">Erstelle eine neue Registrierung fuer dein Hochrisiko-KI-System.</p>
+        </div>
+      ) : (
+        <div className="space-y-4">
+          {registrations.map(reg => {
+            const status = STATUS_STYLES[reg.registration_status] || STATUS_STYLES.draft
+            const risk = RISK_STYLES[reg.risk_classification] || RISK_STYLES.not_classified
+            return (
+              <div key={reg.id} className="bg-white rounded-xl border border-gray-200 p-6 hover:border-purple-300 transition-all">
+                <div className="flex items-center justify-between">
+                  <div>
+                    <div className="flex items-center gap-2 mb-1">
+                      <h3 className="text-lg font-semibold text-gray-900">{reg.system_name}</h3>
+                      <span className="text-sm text-gray-400">v{reg.system_version}</span>
+                      <span className={`px-2 py-0.5 text-xs rounded-full ${status.bg} ${status.text}`}>{status.label}</span>
+                      <span className={`px-2 py-0.5 text-xs rounded-full ${risk.bg} ${risk.text}`}>{reg.risk_classification.replace('_', ' ')}</span>
+                      {reg.gpai_classification !== 'none' && (
+                        <span className="px-2 py-0.5 text-xs rounded-full bg-blue-100 text-blue-700">GPAI: {reg.gpai_classification}</span>
+                      )}
+                    </div>
+                    <div className="text-sm text-gray-500">
+                      {reg.provider_name && <span>{reg.provider_name} · </span>}
+                      {reg.eu_database_id && <span>EU-ID: {reg.eu_database_id} · </span>}
+                      <span>{new Date(reg.created_at).toLocaleDateString('de-DE')}</span>
+                    </div>
+                  </div>
+                  <div className="flex gap-2">
+                    <button onClick={() => handleExport(reg.id)} className="px-3 py-1.5 text-sm border border-gray-300 rounded-lg hover:bg-gray-50">
+                      JSON Export
+                    </button>
+                    {reg.registration_status === 'draft' && (
+                      <button onClick={() => handleStatusChange(reg.id, 'ready')} className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded-lg hover:bg-blue-700">
+                        Bereit markieren
+                      </button>
+                    )}
+                    {reg.registration_status === 'ready' && (
+                      <button onClick={() => handleStatusChange(reg.id, 'submitted')} className="px-3 py-1.5 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700">
+                        Als eingereicht markieren
+                      </button>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )
+          })}
+        </div>
+      )}
+
+      {/* Wizard Modal */}
+      {showWizard && (
+        <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50 p-4">
+          <div className="bg-white rounded-2xl shadow-2xl w-full max-w-3xl max-h-[90vh] overflow-y-auto">
+            <div className="p-6 border-b">
+              <div className="flex items-center justify-between mb-4">
+                <h2 className="text-xl font-bold text-gray-900">Neue EU AI Registrierung</h2>
+                <button onClick={() => { setShowWizard(false); setWizardStep(1) }} className="text-gray-400 hover:text-gray-600 text-2xl">&times;</button>
+              </div>
+              {/* Step Indicator */}
+              <div className="flex gap-1">
+                {STEPS.map(step => (
+                  <button key={step.id} onClick={() => setWizardStep(step.id)}
+                    className={`flex-1 py-2 text-xs rounded-lg transition-all ${
+                      wizardStep === step.id ? 'bg-purple-100 text-purple-700 font-medium' :
+                      wizardStep > step.id ? 'bg-green-50 text-green-700' : 'bg-gray-50 text-gray-400'
+                    }`}>
+                    {wizardStep > step.id ? '✓ ' : ''}{step.title}
+                  </button>
+                ))}
+              </div>
+            </div>
+
+            <div className="p-6 space-y-4">
+              {/* Step 1: Provider */}
+              {wizardStep === 1 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Anbieter-Informationen</h3>
+                  <p className="text-sm text-gray-500">Angaben zum Anbieter des KI-Systems gemaess Art. 49 KI-VO.</p>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Firmenname *</label>
+                      <input value={form.provider_name} onChange={e => updateForm({ provider_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Acme GmbH" />
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Rechtsform</label>
+                      <input value={form.provider_legal_form} onChange={e => updateForm({ provider_legal_form: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="GmbH" />
+                    </div>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Adresse</label>
+                    <input value={form.provider_address} onChange={e => updateForm({ provider_address: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Musterstr. 1, 20095 Hamburg" />
+                  </div>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Land</label>
+                      <select value={form.provider_country} onChange={e => updateForm({ provider_country: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                        <option value="DE">Deutschland</option>
+                        <option value="AT">Oesterreich</option>
+                        <option value="CH">Schweiz</option>
+                        <option value="OTHER">Anderes Land</option>
+                      </select>
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">EU-Repraesentant (falls Non-EU)</label>
+                      <input value={form.eu_representative_name} onChange={e => updateForm({ eu_representative_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Optional" />
+                    </div>
+                  </div>
+                </>
+              )}
+
+              {/* Step 2: System */}
+              {wizardStep === 2 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">KI-System Details</h3>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Systemname *</label>
+                      <input value={form.system_name} onChange={e => updateForm({ system_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="z.B. HR Copilot" />
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Version</label>
+                      <input value={form.system_version} onChange={e => updateForm({ system_version: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="1.0" />
+                    </div>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Systembeschreibung</label>
+                    <textarea value={form.system_description} onChange={e => updateForm({ system_description: e.target.value })} rows={3}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Beschreibe was das KI-System tut..." />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Einsatzzweck (Intended Purpose)</label>
+                    <textarea value={form.intended_purpose} onChange={e => updateForm({ intended_purpose: e.target.value })} rows={2}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Wofuer wird das System eingesetzt?" />
+                  </div>
+                </>
+              )}
+
+              {/* Step 3: Classification */}
+              {wizardStep === 3 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Risiko-Klassifikation</h3>
+                  <p className="text-sm text-gray-500">Basierend auf dem AI Act Decision Tree oder manueller Einstufung.</p>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Risikoklasse</label>
+                    <select value={form.risk_classification} onChange={e => updateForm({ risk_classification: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="not_classified">Noch nicht klassifiziert</option>
+                      <option value="minimal_risk">Minimal Risk</option>
+                      <option value="limited_risk">Limited Risk</option>
+                      <option value="high_risk">High Risk</option>
+                    </select>
+                  </div>
+                  {form.risk_classification === 'high_risk' && (
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Annex III Kategorie</label>
+                      <select value={form.annex_iii_category} onChange={e => updateForm({ annex_iii_category: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                        <option value="">Bitte waehlen...</option>
+                        <option value="biometric">1. Biometrische Identifizierung</option>
+                        <option value="critical_infrastructure">2. Kritische Infrastruktur</option>
+                        <option value="education">3. Bildung und Berufsausbildung</option>
+                        <option value="employment">4. Beschaeftigung und Arbeitnehmerverwaltung</option>
+                        <option value="essential_services">5. Zugang zu wesentlichen Diensten</option>
+                        <option value="law_enforcement">6. Strafverfolgung</option>
+                        <option value="migration">7. Migration und Grenzkontrolle</option>
+                        <option value="justice">8. Rechtspflege und Demokratie</option>
+                      </select>
+                    </div>
+                  )}
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">GPAI Klassifikation</label>
+                    <select value={form.gpai_classification} onChange={e => updateForm({ gpai_classification: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="none">Kein GPAI</option>
+                      <option value="standard">GPAI (Standard)</option>
+                      <option value="systemic">GPAI mit systemischem Risiko</option>
+                    </select>
+                  </div>
+                  <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 text-sm text-blue-800">
+                    <strong>Tipp:</strong> Nutze den <a href="/sdk/ai-act" className="underline">AI Act Decision Tree</a> fuer eine strukturierte Klassifikation.
+                  </div>
+                </>
+              )}
+
+              {/* Step 4: Conformity */}
+              {wizardStep === 4 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Konformitaetsbewertung</h3>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Art der Konformitaetsbewertung</label>
+                    <select value={form.conformity_assessment_type} onChange={e => updateForm({ conformity_assessment_type: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="not_required">Nicht erforderlich</option>
+                      <option value="internal">Interne Konformitaetsbewertung</option>
+                      <option value="third_party">Drittpartei-Bewertung (Notified Body)</option>
+                    </select>
+                  </div>
+                  {form.conformity_assessment_type === 'third_party' && (
+                    <div className="grid grid-cols-2 gap-4">
+                      <div>
+                        <label className="block text-sm font-medium text-gray-700 mb-1">Notified Body Name</label>
+                        <input value={form.notified_body_name} onChange={e => updateForm({ notified_body_name: e.target.value })}
+                          className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+                      </div>
+                      <div>
+                        <label className="block text-sm font-medium text-gray-700 mb-1">Notified Body ID</label>
+                        <input value={form.notified_body_id} onChange={e => updateForm({ notified_body_id: e.target.value })}
+                          className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+                      </div>
+                    </div>
+                  )}
+                  <label className="flex items-center gap-3 p-3 rounded-lg border hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ce_marking} onChange={e => updateForm({ ce_marking: e.target.checked })}
+                      className="w-4 h-4 rounded border-gray-300 text-purple-600" />
+                    <span className="text-sm font-medium text-gray-900">CE-Kennzeichnung angebracht</span>
+                  </label>
+                </>
+              )}
+
+              {/* Step 5: Training Data */}
+              {wizardStep === 5 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Trainingsdaten-Zusammenfassung</h3>
+                  <p className="text-sm text-gray-500">Art. 10 KI-VO — Keine vollstaendige Offenlegung, sondern Kategorien und Herkunft.</p>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Zusammenfassung der Trainingsdaten</label>
+                    <textarea value={form.training_data_summary} onChange={e => updateForm({ training_data_summary: e.target.value })} rows={5}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+                      placeholder="Beschreibe die verwendeten Datenquellen:&#10;- Oeffentliche Daten (z.B. Wikipedia, Common Crawl)&#10;- Lizenzierte Daten (z.B. Fachpublikationen)&#10;- Synthetische Daten&#10;- Unternehmensinterne Daten" />
+                  </div>
+                </>
+              )}
+
+              {/* Step 6: Review */}
+              {wizardStep === 6 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Zusammenfassung</h3>
+                  <div className="space-y-3 text-sm">
+                    <div className="grid grid-cols-2 gap-4 p-4 bg-gray-50 rounded-lg">
+                      <div><span className="text-gray-500">Anbieter:</span> <strong>{form.provider_name || '–'}</strong></div>
+                      <div><span className="text-gray-500">Land:</span> <strong>{form.provider_country}</strong></div>
+                      <div><span className="text-gray-500">System:</span> <strong>{form.system_name || '–'}</strong></div>
+                      <div><span className="text-gray-500">Version:</span> <strong>{form.system_version}</strong></div>
+                      <div><span className="text-gray-500">Risiko:</span> <strong>{form.risk_classification}</strong></div>
+                      <div><span className="text-gray-500">GPAI:</span> <strong>{form.gpai_classification}</strong></div>
+                      <div><span className="text-gray-500">Konformitaet:</span> <strong>{form.conformity_assessment_type}</strong></div>
+                      <div><span className="text-gray-500">CE:</span> <strong>{form.ce_marking ? 'Ja' : 'Nein'}</strong></div>
+                    </div>
+                    {form.intended_purpose && (
+                      <div className="p-4 bg-gray-50 rounded-lg">
+                        <span className="text-gray-500">Zweck:</span> {form.intended_purpose}
+                      </div>
+                    )}
+                  </div>
+                  <div className="bg-yellow-50 border border-yellow-200 rounded-lg p-4 text-sm text-yellow-800">
+                    <strong>Hinweis:</strong> Die EU AI Datenbank befindet sich noch im Aufbau. Die Registrierung wird lokal gespeichert und kann spaeter uebermittelt werden.
+                  </div>
+                </>
+              )}
+            </div>
+
+            {/* Navigation */}
+            <div className="p-6 border-t flex justify-between">
+              <button onClick={() => wizardStep > 1 ? setWizardStep(wizardStep - 1) : setShowWizard(false)}
+                className="px-4 py-2 text-gray-700 border rounded-lg hover:bg-gray-50">
+                {wizardStep === 1 ? 'Abbrechen' : 'Zurueck'}
+              </button>
+              {wizardStep < 6 ? (
+                <button onClick={() => setWizardStep(wizardStep + 1)}
+                  disabled={wizardStep === 2 && !form.system_name}
+                  className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50">
+                  Weiter
+                </button>
+              ) : (
+                <button onClick={handleSubmit} disabled={submitting || !form.system_name}
+                  className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50">
+                  {submitting ? 'Speichere...' : 'Registrierung erstellen'}
+                </button>
+              )}
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}
--- a/admin-compliance/app/sdk/assertions/page.tsx
+++ b/admin-compliance/app/sdk/assertions/page.tsx
@@ -0,0 +1,468 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+interface Assertion {
+  id: string
+  tenant_id: string | null
+  entity_type: string
+  entity_id: string
+  sentence_text: string
+  sentence_index: number
+  assertion_type: string // 'assertion' | 'fact' | 'rationale'
+  evidence_ids: string[]
+  confidence: number
+  normative_tier: string | null // 'pflicht' | 'empfehlung' | 'kann'
+  verified_by: string | null
+  verified_at: string | null
+  created_at: string | null
+  updated_at: string | null
+}
+
+interface AssertionSummary {
+  total_assertions: number
+  total_facts: number
+  total_rationale: number
+  unverified_count: number
+}
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+const TIER_COLORS: Record<string, string> = {
+  pflicht: 'bg-red-100 text-red-700',
+  empfehlung: 'bg-yellow-100 text-yellow-700',
+  kann: 'bg-blue-100 text-blue-700',
+}
+
+const TIER_LABELS: Record<string, string> = {
+  pflicht: 'Pflicht',
+  empfehlung: 'Empfehlung',
+  kann: 'Kann',
+}
+
+const TYPE_COLORS: Record<string, string> = {
+  assertion: 'bg-orange-100 text-orange-700',
+  fact: 'bg-green-100 text-green-700',
+  rationale: 'bg-purple-100 text-purple-700',
+}
+
+const TYPE_LABELS: Record<string, string> = {
+  assertion: 'Behauptung',
+  fact: 'Fakt',
+  rationale: 'Begruendung',
+}
+
+const API_BASE = '/api/sdk/v1/compliance'
+
+type TabKey = 'overview' | 'list' | 'extract'
+
+// =============================================================================
+// ASSERTION CARD
+// =============================================================================
+
+function AssertionCard({
+  assertion,
+  onVerify,
+}: {
+  assertion: Assertion
+  onVerify: (id: string) => void
+}) {
+  const tierColor = assertion.normative_tier ? TIER_COLORS[assertion.normative_tier] || 'bg-gray-100 text-gray-600' : 'bg-gray-100 text-gray-600'
+  const tierLabel = assertion.normative_tier ? TIER_LABELS[assertion.normative_tier] || assertion.normative_tier : '—'
+  const typeColor = TYPE_COLORS[assertion.assertion_type] || 'bg-gray-100 text-gray-600'
+  const typeLabel = TYPE_LABELS[assertion.assertion_type] || assertion.assertion_type
+
+  return (
+    <div className="bg-white rounded-xl border border-gray-200 p-5">
+      <div className="flex items-start justify-between gap-3">
+        <div className="flex-1">
+          <div className="flex items-center gap-2 mb-2">
+            <span className={`px-2 py-0.5 text-xs rounded font-medium ${tierColor}`}>
+              {tierLabel}
+            </span>
+            <span className={`px-2 py-0.5 text-xs rounded ${typeColor}`}>
+              {typeLabel}
+            </span>
+            {assertion.entity_type && (
+              <span className="px-2 py-0.5 text-xs bg-gray-100 text-gray-500 rounded">
+                {assertion.entity_type}: {assertion.entity_id?.slice(0, 8) || '—'}
+              </span>
+            )}
+            {assertion.confidence > 0 && (
+              <span className="text-xs text-gray-400">
+                Konfidenz: {(assertion.confidence * 100).toFixed(0)}%
+              </span>
+            )}
+          </div>
+          <p className="text-sm text-gray-900 leading-relaxed">
+            &ldquo;{assertion.sentence_text}&rdquo;
+          </p>
+          <div className="mt-2 flex items-center gap-3 text-xs text-gray-400">
+            {assertion.verified_by && (
+              <span className="text-green-600">
+                Verifiziert von {assertion.verified_by} am {assertion.verified_at ? new Date(assertion.verified_at).toLocaleDateString('de-DE') : '—'}
+              </span>
+            )}
+            {assertion.evidence_ids.length > 0 && (
+              <span>
+                {assertion.evidence_ids.length} Evidence verknuepft
+              </span>
+            )}
+          </div>
+        </div>
+        <div className="flex flex-col gap-1">
+          {assertion.assertion_type !== 'fact' && (
+            <button
+              onClick={() => onVerify(assertion.id)}
+              className="px-3 py-1.5 text-xs bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors whitespace-nowrap"
+            >
+              Als Fakt pruefen
+            </button>
+          )}
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// MAIN PAGE
+// =============================================================================
+
+export default function AssertionsPage() {
+  const [activeTab, setActiveTab] = useState<TabKey>('overview')
+  const [summary, setSummary] = useState<AssertionSummary | null>(null)
+  const [assertions, setAssertions] = useState<Assertion[]>([])
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  // Filters
+  const [filterEntityType, setFilterEntityType] = useState('')
+  const [filterAssertionType, setFilterAssertionType] = useState('')
+
+  // Extract tab
+  const [extractText, setExtractText] = useState('')
+  const [extractEntityType, setExtractEntityType] = useState('control')
+  const [extractEntityId, setExtractEntityId] = useState('')
+  const [extracting, setExtracting] = useState(false)
+  const [extractedAssertions, setExtractedAssertions] = useState<Assertion[]>([])
+
+  // Verify dialog
+  const [verifyingId, setVerifyingId] = useState<string | null>(null)
+  const [verifyEmail, setVerifyEmail] = useState('')
+
+  useEffect(() => {
+    loadSummary()
+  }, [])
+
+  useEffect(() => {
+    if (activeTab === 'list') loadAssertions()
+  }, [activeTab, filterEntityType, filterAssertionType]) // eslint-disable-line react-hooks/exhaustive-deps
+
+  const loadSummary = async () => {
+    try {
+      const res = await fetch(`${API_BASE}/assertions/summary`)
+      if (res.ok) setSummary(await res.json())
+    } catch { /* silent */ }
+    finally { setLoading(false) }
+  }
+
+  const loadAssertions = async () => {
+    setLoading(true)
+    try {
+      const params = new URLSearchParams()
+      if (filterEntityType) params.set('entity_type', filterEntityType)
+      if (filterAssertionType) params.set('assertion_type', filterAssertionType)
+      params.set('limit', '200')
+
+      const res = await fetch(`${API_BASE}/assertions?${params}`)
+      if (res.ok) {
+        const data = await res.json()
+        setAssertions(data.assertions || [])
+      }
+    } catch {
+      setError('Assertions konnten nicht geladen werden')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  const handleExtract = async () => {
+    if (!extractText.trim()) { setError('Bitte Text eingeben'); return }
+    setExtracting(true)
+    setError(null)
+    setExtractedAssertions([])
+    try {
+      const res = await fetch(`${API_BASE}/assertions/extract`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          text: extractText,
+          entity_type: extractEntityType || 'control',
+          entity_id: extractEntityId || undefined,
+        }),
+      })
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({ detail: 'Extraktion fehlgeschlagen' }))
+        throw new Error(typeof err.detail === 'string' ? err.detail : JSON.stringify(err.detail))
+      }
+      const data = await res.json()
+      setExtractedAssertions(data.assertions || [])
+      // Refresh summary
+      loadSummary()
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Extraktion fehlgeschlagen')
+    } finally {
+      setExtracting(false)
+    }
+  }
+
+  const handleVerify = async (assertionId: string) => {
+    setVerifyingId(assertionId)
+  }
+
+  const submitVerify = async () => {
+    if (!verifyingId || !verifyEmail.trim()) return
+    try {
+      const res = await fetch(`${API_BASE}/assertions/${verifyingId}/verify?verified_by=${encodeURIComponent(verifyEmail)}`, {
+        method: 'POST',
+      })
+      if (res.ok) {
+        setVerifyingId(null)
+        setVerifyEmail('')
+        loadAssertions()
+        loadSummary()
+      } else {
+        const err = await res.json().catch(() => ({ detail: 'Verifizierung fehlgeschlagen' }))
+        setError(typeof err.detail === 'string' ? err.detail : 'Verifizierung fehlgeschlagen')
+      }
+    } catch {
+      setError('Netzwerkfehler')
+    }
+  }
+
+  const tabs: { key: TabKey; label: string }[] = [
+    { key: 'overview', label: 'Uebersicht' },
+    { key: 'list', label: 'Assertion-Liste' },
+    { key: 'extract', label: 'Extraktion' },
+  ]
+
+  return (
+    <div className="space-y-6">
+      {/* Header */}
+      <div className="bg-white rounded-xl shadow-sm border p-6">
+        <h1 className="text-2xl font-bold text-slate-900">Assertions</h1>
+        <p className="text-slate-500 mt-1">
+          Behauptungen vs. Fakten in Compliance-Texten trennen und verifizieren.
+        </p>
+      </div>
+
+      {/* Tabs */}
+      <div className="bg-white rounded-xl shadow-sm border">
+        <div className="flex border-b">
+          {tabs.map(tab => (
+            <button
+              key={tab.key}
+              onClick={() => setActiveTab(tab.key)}
+              className={`px-6 py-3 text-sm font-medium transition-colors ${
+                activeTab === tab.key
+                  ? 'text-purple-600 border-b-2 border-purple-600'
+                  : 'text-slate-500 hover:text-slate-700'
+              }`}
+            >
+              {tab.label}
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Error */}
+      {error && (
+        <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
+          <span>{error}</span>
+          <button onClick={() => setError(null)} className="text-red-500 hover:text-red-700">&times;</button>
+        </div>
+      )}
+
+      {/* ============================================================ */}
+      {/* TAB: Uebersicht */}
+      {/* ============================================================ */}
+      {activeTab === 'overview' && (
+        <>
+          {loading ? (
+            <div className="flex justify-center py-12">
+              <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+            </div>
+          ) : summary ? (
+            <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+              <div className="bg-white rounded-xl border border-gray-200 p-6">
+                <div className="text-sm text-gray-500">Gesamt Assertions</div>
+                <div className="text-3xl font-bold text-gray-900">{summary.total_assertions}</div>
+              </div>
+              <div className="bg-white rounded-xl border border-green-200 p-6">
+                <div className="text-sm text-green-600">Verifizierte Fakten</div>
+                <div className="text-3xl font-bold text-green-600">{summary.total_facts}</div>
+              </div>
+              <div className="bg-white rounded-xl border border-purple-200 p-6">
+                <div className="text-sm text-purple-600">Begruendungen</div>
+                <div className="text-3xl font-bold text-purple-600">{summary.total_rationale}</div>
+              </div>
+              <div className="bg-white rounded-xl border border-orange-200 p-6">
+                <div className="text-sm text-orange-600">Unverifizizt</div>
+                <div className="text-3xl font-bold text-orange-600">{summary.unverified_count}</div>
+              </div>
+            </div>
+          ) : (
+            <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+              <p className="text-gray-500">Keine Assertions vorhanden. Nutzen Sie die Extraktion, um Behauptungen aus Texten zu identifizieren.</p>
+            </div>
+          )}
+        </>
+      )}
+
+      {/* ============================================================ */}
+      {/* TAB: Assertion-Liste */}
+      {/* ============================================================ */}
+      {activeTab === 'list' && (
+        <>
+          {/* Filters */}
+          <div className="flex items-center gap-4 flex-wrap">
+            <div>
+              <label className="block text-xs text-gray-500 mb-1">Entity-Typ</label>
+              <select value={filterEntityType} onChange={e => setFilterEntityType(e.target.value)}
+                className="px-3 py-1.5 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                <option value="">Alle</option>
+                <option value="control">Control</option>
+                <option value="evidence">Evidence</option>
+                <option value="requirement">Requirement</option>
+              </select>
+            </div>
+            <div>
+              <label className="block text-xs text-gray-500 mb-1">Assertion-Typ</label>
+              <select value={filterAssertionType} onChange={e => setFilterAssertionType(e.target.value)}
+                className="px-3 py-1.5 border border-gray-300 rounded-lg text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                <option value="">Alle</option>
+                <option value="assertion">Behauptung</option>
+                <option value="fact">Fakt</option>
+                <option value="rationale">Begruendung</option>
+              </select>
+            </div>
+          </div>
+
+          {loading ? (
+            <div className="flex justify-center py-12">
+              <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+            </div>
+          ) : assertions.length === 0 ? (
+            <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+              <p className="text-gray-500">Keine Assertions gefunden.</p>
+            </div>
+          ) : (
+            <div className="space-y-3">
+              <p className="text-sm text-gray-500">{assertions.length} Assertions</p>
+              {assertions.map(a => (
+                <AssertionCard key={a.id} assertion={a} onVerify={handleVerify} />
+              ))}
+            </div>
+          )}
+        </>
+      )}
+
+      {/* ============================================================ */}
+      {/* TAB: Extraktion */}
+      {/* ============================================================ */}
+      {activeTab === 'extract' && (
+        <div className="bg-white rounded-xl shadow-sm border p-6">
+          <h3 className="text-lg font-semibold text-gray-900 mb-4">Assertions aus Text extrahieren</h3>
+          <p className="text-sm text-gray-500 mb-4">
+            Geben Sie einen Compliance-Text ein. Das System identifiziert automatisch Behauptungen, Fakten und Begruendungen.
+          </p>
+
+          <div className="grid grid-cols-2 gap-4 mb-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Entity-Typ</label>
+              <select value={extractEntityType} onChange={e => setExtractEntityType(e.target.value)}
+                className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                <option value="control">Control</option>
+                <option value="evidence">Evidence</option>
+                <option value="requirement">Requirement</option>
+                <option value="policy">Policy</option>
+              </select>
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Entity-ID (optional)</label>
+              <input type="text" value={extractEntityId} onChange={e => setExtractEntityId(e.target.value)}
+                placeholder="z.B. GOV-001 oder UUID"
+                className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+            </div>
+          </div>
+
+          <div className="mb-4">
+            <label className="block text-sm font-medium text-gray-700 mb-1">Text</label>
+            <textarea
+              value={extractText}
+              onChange={e => setExtractText(e.target.value)}
+              placeholder="Die Organisation muss ein ISMS gemaess ISO 27001 implementieren. Es sollte regelmaessig ein internes Audit durchgefuehrt werden. Optional kann ein externer Auditor hinzugezogen werden."
+              rows={6}
+              className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent resize-none"
+            />
+          </div>
+
+          <button
+            onClick={handleExtract}
+            disabled={extracting || !extractText.trim()}
+            className={`px-5 py-2 rounded-lg font-medium transition-colors ${
+              extracting || !extractText.trim()
+                ? 'bg-gray-200 text-gray-400 cursor-not-allowed'
+                : 'bg-purple-600 text-white hover:bg-purple-700'
+            }`}
+          >
+            {extracting ? 'Extrahiere...' : 'Extrahieren'}
+          </button>
+
+          {/* Extracted results */}
+          {extractedAssertions.length > 0 && (
+            <div className="mt-6">
+              <h4 className="text-sm font-semibold text-gray-800 mb-3">{extractedAssertions.length} Assertions extrahiert:</h4>
+              <div className="space-y-3">
+                {extractedAssertions.map(a => (
+                  <AssertionCard key={a.id} assertion={a} onVerify={handleVerify} />
+                ))}
+              </div>
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* Verify Dialog */}
+      {verifyingId && (
+        <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50" onClick={() => setVerifyingId(null)}>
+          <div className="bg-white rounded-2xl shadow-xl w-full max-w-md mx-4 p-6" onClick={e => e.stopPropagation()}>
+            <h2 className="text-lg font-bold text-gray-900 mb-4">Als Fakt verifizieren</h2>
+            <div className="mb-4">
+              <label className="block text-sm font-medium text-gray-700 mb-1">Verifiziert von (E-Mail)</label>
+              <input type="email" value={verifyEmail} onChange={e => setVerifyEmail(e.target.value)}
+                placeholder="auditor@unternehmen.de"
+                className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+            </div>
+            <div className="flex justify-end gap-3">
+              <button onClick={() => setVerifyingId(null)} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors">
+                Abbrechen
+              </button>
+              <button onClick={submitVerify} disabled={!verifyEmail.trim()}
+                className="px-4 py-2 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors disabled:opacity-50">
+                Verifizieren
+              </button>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}
--- a/admin-compliance/app/sdk/atomic-controls/page.tsx
+++ b/admin-compliance/app/sdk/atomic-controls/page.tsx
@@ -0,0 +1,413 @@
+'use client'
+
+import { useState, useEffect, useCallback, useRef } from 'react'
+import {
+  Atom, Search, ChevronRight, ChevronLeft, Filter,
+  BarChart3, ChevronsLeft, ChevronsRight, ArrowUpDown,
+  Clock, RefreshCw,
+} from 'lucide-react'
+import {
+  CanonicalControl, BACKEND_URL,
+  SeverityBadge, StateBadge, CategoryBadge, TargetAudienceBadge,
+  GenerationStrategyBadge, ObligationTypeBadge, RegulationCountBadge,
+  CATEGORY_OPTIONS,
+} from '../control-library/components/helpers'
+import { ControlDetail } from '../control-library/components/ControlDetail'
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+interface AtomicStats {
+  total_active: number
+  total_duplicate: number
+  by_domain: Array<{ domain: string; count: number }>
+  by_regulation: Array<{ regulation: string; count: number }>
+  avg_regulation_coverage: number
+}
+
+// =============================================================================
+// ATOMIC CONTROLS PAGE
+// =============================================================================
+
+const PAGE_SIZE = 50
+
+export default function AtomicControlsPage() {
+  const [controls, setControls] = useState<CanonicalControl[]>([])
+  const [totalCount, setTotalCount] = useState(0)
+  const [stats, setStats] = useState<AtomicStats | null>(null)
+  const [selectedControl, setSelectedControl] = useState<CanonicalControl | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  // Filters
+  const [searchQuery, setSearchQuery] = useState('')
+  const [debouncedSearch, setDebouncedSearch] = useState('')
+  const [severityFilter, setSeverityFilter] = useState<string>('')
+  const [domainFilter, setDomainFilter] = useState<string>('')
+  const [categoryFilter, setCategoryFilter] = useState<string>('')
+  const [sortBy, setSortBy] = useState<'id' | 'newest' | 'oldest'>('id')
+
+  // Pagination
+  const [currentPage, setCurrentPage] = useState(1)
+
+  // Mode
+  const [mode, setMode] = useState<'list' | 'detail'>('list')
+
+  // Debounce search
+  const searchTimer = useRef<ReturnType<typeof setTimeout> | null>(null)
+  useEffect(() => {
+    if (searchTimer.current) clearTimeout(searchTimer.current)
+    searchTimer.current = setTimeout(() => setDebouncedSearch(searchQuery), 400)
+    return () => { if (searchTimer.current) clearTimeout(searchTimer.current) }
+  }, [searchQuery])
+
+  // Build query params
+  const buildParams = useCallback((extra?: Record<string, string>) => {
+    const p = new URLSearchParams()
+    p.set('control_type', 'atomic')
+    // Exclude duplicates — show only active masters
+    if (!extra?.release_state) {
+      // Don't filter by state for count queries that already have it
+    }
+    if (severityFilter) p.set('severity', severityFilter)
+    if (domainFilter) p.set('domain', domainFilter)
+    if (categoryFilter) p.set('category', categoryFilter)
+    if (debouncedSearch) p.set('search', debouncedSearch)
+    if (extra) for (const [k, v] of Object.entries(extra)) p.set(k, v)
+    return p.toString()
+  }, [severityFilter, domainFilter, categoryFilter, debouncedSearch])
+
+  // Load stats
+  const loadStats = useCallback(async () => {
+    try {
+      const res = await fetch(`${BACKEND_URL}?endpoint=atomic-stats`)
+      if (res.ok) setStats(await res.json())
+    } catch { /* ignore */ }
+  }, [])
+
+  // Load controls page
+  const loadControls = useCallback(async () => {
+    try {
+      setLoading(true)
+      const sortField = sortBy === 'id' ? 'control_id' : 'created_at'
+      const sortOrder = sortBy === 'newest' ? 'desc' : 'asc'
+      const offset = (currentPage - 1) * PAGE_SIZE
+
+      const qs = buildParams({
+        sort: sortField,
+        order: sortOrder,
+        limit: String(PAGE_SIZE),
+        offset: String(offset),
+      })
+
+      const countQs = buildParams()
+
+      const [ctrlRes, countRes] = await Promise.all([
+        fetch(`${BACKEND_URL}?endpoint=controls&${qs}`),
+        fetch(`${BACKEND_URL}?endpoint=controls-count&${countQs}`),
+      ])
+
+      if (ctrlRes.ok) setControls(await ctrlRes.json())
+      if (countRes.ok) {
+        const data = await countRes.json()
+        setTotalCount(data.total || 0)
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }, [buildParams, sortBy, currentPage])
+
+  // Initial load
+  useEffect(() => { loadStats() }, [loadStats])
+  useEffect(() => { loadControls() }, [loadControls])
+  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, categoryFilter, debouncedSearch, sortBy])
+
+  const totalPages = Math.max(1, Math.ceil(totalCount / PAGE_SIZE))
+
+  // Loading
+  if (loading && controls.length === 0) {
+    return (
+      <div className="flex items-center justify-center h-96">
+        <div className="animate-spin rounded-full h-8 w-8 border-2 border-violet-600 border-t-transparent" />
+      </div>
+    )
+  }
+
+  if (error) {
+    return (
+      <div className="flex items-center justify-center h-96">
+        <p className="text-red-600">{error}</p>
+      </div>
+    )
+  }
+
+  // DETAIL MODE
+  if (mode === 'detail' && selectedControl) {
+    return (
+      <div className="flex flex-col h-full">
+        <div className="flex-1 overflow-hidden">
+          <ControlDetail
+            ctrl={selectedControl}
+            onBack={() => { setMode('list'); setSelectedControl(null) }}
+            onEdit={() => {}}
+            onDelete={() => {}}
+            onReview={() => {}}
+            onNavigateToControl={async (controlId: string) => {
+              try {
+                const res = await fetch(`${BACKEND_URL}?endpoint=control&id=${controlId}`)
+                if (res.ok) {
+                  const data = await res.json()
+                  setSelectedControl(data)
+                }
+              } catch { /* ignore */ }
+            }}
+          />
+        </div>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // LIST VIEW
+  // =========================================================================
+
+  return (
+    <div className="flex flex-col h-full">
+      {/* Header */}
+      <div className="border-b border-gray-200 bg-white px-6 py-4">
+        <div className="flex items-center justify-between mb-4">
+          <div className="flex items-center gap-3">
+            <Atom className="w-6 h-6 text-violet-600" />
+            <div>
+              <h1 className="text-lg font-semibold text-gray-900">Atomare Controls</h1>
+              <p className="text-xs text-gray-500">
+                Deduplizierte atomare Controls mit Herkunftsnachweis
+              </p>
+            </div>
+          </div>
+          <button
+            onClick={() => { loadControls(); loadStats() }}
+            className="p-2 text-gray-400 hover:text-violet-600"
+            title="Aktualisieren"
+          >
+            <RefreshCw className={`w-4 h-4 ${loading ? 'animate-spin' : ''}`} />
+          </button>
+        </div>
+
+        {/* Stats Bar */}
+        {stats && (
+          <div className="grid grid-cols-4 gap-3 mb-4">
+            <div className="bg-violet-50 border border-violet-200 rounded-lg p-3">
+              <div className="text-2xl font-bold text-violet-700">{stats.total_active.toLocaleString('de-DE')}</div>
+              <div className="text-xs text-violet-500">Master Controls</div>
+            </div>
+            <div className="bg-gray-50 border border-gray-200 rounded-lg p-3">
+              <div className="text-2xl font-bold text-gray-600">{stats.total_duplicate.toLocaleString('de-DE')}</div>
+              <div className="text-xs text-gray-500">Duplikate (entfernt)</div>
+            </div>
+            <div className="bg-indigo-50 border border-indigo-200 rounded-lg p-3">
+              <div className="text-2xl font-bold text-indigo-700">{stats.by_regulation.length}</div>
+              <div className="text-xs text-indigo-500">Regulierungen</div>
+            </div>
+            <div className="bg-emerald-50 border border-emerald-200 rounded-lg p-3">
+              <div className="text-2xl font-bold text-emerald-700">{stats.avg_regulation_coverage}</div>
+              <div className="text-xs text-emerald-500">Avg. Regulierungen / Control</div>
+            </div>
+          </div>
+        )}
+
+        {/* Filters */}
+        <div className="space-y-3">
+          <div className="flex items-center gap-3">
+            <div className="relative flex-1">
+              <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-400" />
+              <input
+                type="text"
+                placeholder="Atomare Controls durchsuchen (ID, Titel, Objective)..."
+                value={searchQuery}
+                onChange={e => setSearchQuery(e.target.value)}
+                className="w-full pl-9 pr-4 py-2 text-sm border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-violet-500"
+              />
+            </div>
+          </div>
+          <div className="flex items-center gap-2 flex-wrap">
+            <Filter className="w-4 h-4 text-gray-400" />
+            <select
+              value={domainFilter}
+              onChange={e => setDomainFilter(e.target.value)}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-violet-500"
+            >
+              <option value="">Domain</option>
+              {stats?.by_domain.map(d => (
+                <option key={d.domain} value={d.domain}>{d.domain} ({d.count})</option>
+              ))}
+            </select>
+            <select
+              value={severityFilter}
+              onChange={e => setSeverityFilter(e.target.value)}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-violet-500"
+            >
+              <option value="">Schweregrad</option>
+              <option value="critical">Kritisch</option>
+              <option value="high">Hoch</option>
+              <option value="medium">Mittel</option>
+              <option value="low">Niedrig</option>
+            </select>
+            <select
+              value={categoryFilter}
+              onChange={e => setCategoryFilter(e.target.value)}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-violet-500"
+            >
+              <option value="">Kategorie</option>
+              {CATEGORY_OPTIONS.map(c => (
+                <option key={c.value} value={c.value}>{c.label}</option>
+              ))}
+            </select>
+            <span className="text-gray-300 mx-1">|</span>
+            <ArrowUpDown className="w-4 h-4 text-gray-400" />
+            <select
+              value={sortBy}
+              onChange={e => setSortBy(e.target.value as 'id' | 'newest' | 'oldest')}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-violet-500"
+            >
+              <option value="id">Sortierung: ID</option>
+              <option value="newest">Neueste zuerst</option>
+              <option value="oldest">Aelteste zuerst</option>
+            </select>
+          </div>
+        </div>
+      </div>
+
+      {/* Pagination Header */}
+      <div className="px-6 py-2 bg-gray-50 border-b border-gray-200 flex items-center justify-between text-xs text-gray-500">
+        <span>
+          {totalCount} Controls gefunden
+          {stats && totalCount !== stats.total_active && ` (von ${stats.total_active.toLocaleString('de-DE')} Master Controls)`}
+          {loading && <span className="ml-2 text-violet-500">Lade...</span>}
+        </span>
+        <span>Seite {currentPage} von {totalPages}</span>
+      </div>
+
+      {/* Control List */}
+      <div className="flex-1 overflow-y-auto p-6">
+        <div className="space-y-3">
+          {controls.map((ctrl) => (
+            <button
+              key={ctrl.control_id}
+              onClick={() => { setSelectedControl(ctrl); setMode('detail') }}
+              className="w-full text-left bg-white border border-gray-200 rounded-lg p-4 hover:border-violet-300 hover:shadow-sm transition-all group"
+            >
+              <div className="flex items-start justify-between">
+                <div className="flex-1 min-w-0">
+                  <div className="flex items-center gap-2 mb-1 flex-wrap">
+                    <span className="text-xs font-mono text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded">{ctrl.control_id}</span>
+                    <SeverityBadge severity={ctrl.severity} />
+                    <StateBadge state={ctrl.release_state} />
+                    <CategoryBadge category={ctrl.category} />
+                    <TargetAudienceBadge audience={ctrl.target_audience} />
+                    <GenerationStrategyBadge strategy={ctrl.generation_strategy} pipelineInfo={ctrl} />
+                    <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
+                  </div>
+                  <h3 className="text-sm font-medium text-gray-900 group-hover:text-violet-700">{ctrl.title}</h3>
+                  <p className="text-xs text-gray-500 mt-1 line-clamp-2">{ctrl.objective}</p>
+                  <div className="flex items-center gap-2 mt-2">
+                    {ctrl.source_citation?.source && (
+                      <>
+                        <span className="text-xs text-blue-600">
+                          {ctrl.source_citation.source}
+                          {ctrl.source_citation.article && ` ${ctrl.source_citation.article}`}
+                        </span>
+                        <span className="text-gray-300">|</span>
+                      </>
+                    )}
+                    {ctrl.parent_control_id && (
+                      <>
+                        <span className="text-xs text-violet-500">via {ctrl.parent_control_id}</span>
+                        <span className="text-gray-300">|</span>
+                      </>
+                    )}
+                    <Clock className="w-3 h-3 text-gray-400" />
+                    <span className="text-xs text-gray-400" title={ctrl.created_at}>
+                      {ctrl.created_at ? new Date(ctrl.created_at).toLocaleDateString('de-DE', { day: '2-digit', month: '2-digit', year: '2-digit' }) : '-'}
+                    </span>
+                  </div>
+                </div>
+                <ChevronRight className="w-4 h-4 text-gray-300 group-hover:text-violet-500 flex-shrink-0 mt-1 ml-4" />
+              </div>
+            </button>
+          ))}
+
+          {controls.length === 0 && !loading && (
+            <div className="text-center py-12 text-gray-400 text-sm">
+              Keine atomaren Controls gefunden.
+            </div>
+          )}
+        </div>
+
+        {/* Pagination Controls */}
+        {totalPages > 1 && (
+          <div className="flex items-center justify-center gap-2 mt-6 pb-4">
+            <button
+              onClick={() => setCurrentPage(1)}
+              disabled={currentPage === 1}
+              className="p-2 text-gray-500 hover:text-violet-600 disabled:opacity-30 disabled:cursor-not-allowed"
+            >
+              <ChevronsLeft className="w-4 h-4" />
+            </button>
+            <button
+              onClick={() => setCurrentPage(p => Math.max(1, p - 1))}
+              disabled={currentPage === 1}
+              className="p-2 text-gray-500 hover:text-violet-600 disabled:opacity-30 disabled:cursor-not-allowed"
+            >
+              <ChevronLeft className="w-4 h-4" />
+            </button>
+
+            {Array.from({ length: totalPages }, (_, i) => i + 1)
+              .filter(p => p === 1 || p === totalPages || Math.abs(p - currentPage) <= 2)
+              .reduce<(number | 'dots')[]>((acc, p, i, arr) => {
+                if (i > 0 && p - (arr[i - 1] as number) > 1) acc.push('dots')
+                acc.push(p)
+                return acc
+              }, [])
+              .map((p, i) =>
+                p === 'dots' ? (
+                  <span key={`dots-${i}`} className="px-1 text-gray-400">...</span>
+                ) : (
+                  <button
+                    key={p}
+                    onClick={() => setCurrentPage(p as number)}
+                    className={`w-8 h-8 text-sm rounded-lg ${
+                      currentPage === p
+                        ? 'bg-violet-600 text-white'
+                        : 'text-gray-600 hover:bg-violet-50 hover:text-violet-600'
+                    }`}
+                  >
+                    {p}
+                  </button>
+                )
+              )
+            }
+
+            <button
+              onClick={() => setCurrentPage(p => Math.min(totalPages, p + 1))}
+              disabled={currentPage === totalPages}
+              className="p-2 text-gray-500 hover:text-violet-600 disabled:opacity-30 disabled:cursor-not-allowed"
+            >
+              <ChevronRight className="w-4 h-4" />
+            </button>
+            <button
+              onClick={() => setCurrentPage(totalPages)}
+              disabled={currentPage === totalPages}
+              className="p-2 text-gray-500 hover:text-violet-600 disabled:opacity-30 disabled:cursor-not-allowed"
+            >
+              <ChevronsRight className="w-4 h-4" />
+            </button>
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
--- a/admin-compliance/app/sdk/compliance-hub/page.tsx
+++ b/admin-compliance/app/sdk/compliance-hub/page.tsx
@@ -12,6 +12,7 @@

 import { useState, useEffect } from 'react'
 import Link from 'next/link'
+import { ConfidenceLevelBadge } from '../evidence/components/anti-fake-badges'

 // Types
 interface DashboardData {
@@ -25,6 +26,15 @@ interface DashboardData {
  evidence_by_status: Record<string, number>
  total_risks: number
  risks_by_level: Record<string, number>
+  multi_score?: {
+    requirement_coverage: number
+    evidence_strength: number
+    validation_quality: number
+    evidence_freshness: number
+    control_effectiveness: number
+    overall_readiness: number
+    hard_blocks: string[]
+  } | null
 }

 interface Regulation {
@@ -106,7 +116,46 @@ interface ScoreSnapshot {
  created_at: string
 }

-type TabKey = 'overview' | 'roadmap' | 'modules' | 'trend'
+interface TraceabilityAssertion {
+  id: string
+  sentence_text: string
+  assertion_type: string
+  confidence: number
+  verified: boolean
+}
+
+interface TraceabilityEvidence {
+  id: string
+  title: string
+  evidence_type: string
+  confidence_level: string
+  status: string
+  assertions: TraceabilityAssertion[]
+}
+
+interface TraceabilityCoverage {
+  has_evidence: boolean
+  has_assertions: boolean
+  all_assertions_verified: boolean
+  min_confidence_level: string | null
+}
+
+interface TraceabilityControl {
+  id: string
+  control_id: string
+  title: string
+  status: string
+  domain: string
+  evidence: TraceabilityEvidence[]
+  coverage: TraceabilityCoverage
+}
+
+interface TraceabilityMatrixData {
+  controls: TraceabilityControl[]
+  summary: Record<string, number>
+}
+
+type TabKey = 'overview' | 'roadmap' | 'modules' | 'trend' | 'traceability'

 const DOMAIN_LABELS: Record<string, string> = {
  gov: 'Governance',
@@ -148,6 +197,17 @@ export default function ComplianceHubPage() {
  const [error, setError] = useState<string | null>(null)
  const [seeding, setSeeding] = useState(false)
  const [savingSnapshot, setSavingSnapshot] = useState(false)
+  const [evidenceDistribution, setEvidenceDistribution] = useState<{
+    by_confidence: Record<string, number>
+    four_eyes_pending: number
+    total: number
+  } | null>(null)
+  const [traceabilityMatrix, setTraceabilityMatrix] = useState<TraceabilityMatrixData | null>(null)
+  const [traceabilityLoading, setTraceabilityLoading] = useState(false)
+  const [traceabilityFilter, setTraceabilityFilter] = useState<'all' | 'covered' | 'uncovered' | 'fully_verified'>('all')
+  const [traceabilityDomainFilter, setTraceabilityDomainFilter] = useState<string>('all')
+  const [expandedControls, setExpandedControls] = useState<Set<string>>(new Set())
+  const [expandedEvidence, setExpandedEvidence] = useState<Set<string>>(new Set())

  useEffect(() => {
    loadData()
@@ -157,6 +217,7 @@ export default function ComplianceHubPage() {
    if (activeTab === 'roadmap' && !roadmap) loadRoadmap()
    if (activeTab === 'modules' && !moduleStatus) loadModuleStatus()
    if (activeTab === 'trend' && scoreHistory.length === 0) loadScoreHistory()
+    if (activeTab === 'traceability' && !traceabilityMatrix) loadTraceabilityMatrix()
  }, [activeTab]) // eslint-disable-line react-hooks/exhaustive-deps

  const loadData = async () => {
@@ -182,6 +243,12 @@ export default function ComplianceHubPage() {
        const data = await actionsRes.json()
        setNextActions(data.actions || [])
      }
+
+      // Evidence distribution (Anti-Fake-Evidence Phase 3)
+      try {
+        const evidenceDistRes = await fetch('/api/sdk/v1/compliance/dashboard/evidence-distribution')
+        if (evidenceDistRes.ok) setEvidenceDistribution(await evidenceDistRes.json())
+      } catch { /* silent */ }
    } catch (err) {
      console.error('Failed to load compliance data:', err)
      setError('Verbindung zum Backend fehlgeschlagen')
@@ -214,6 +281,31 @@ export default function ComplianceHubPage() {
    } catch { /* silent */ }
  }

+  const loadTraceabilityMatrix = async () => {
+    setTraceabilityLoading(true)
+    try {
+      const res = await fetch('/api/sdk/v1/compliance/dashboard/traceability-matrix')
+      if (res.ok) setTraceabilityMatrix(await res.json())
+    } catch { /* silent */ }
+    finally { setTraceabilityLoading(false) }
+  }
+
+  const toggleControlExpanded = (id: string) => {
+    setExpandedControls(prev => {
+      const next = new Set(prev)
+      if (next.has(id)) next.delete(id); else next.add(id)
+      return next
+    })
+  }
+
+  const toggleEvidenceExpanded = (id: string) => {
+    setExpandedEvidence(prev => {
+      const next = new Set(prev)
+      if (next.has(id)) next.delete(id); else next.add(id)
+      return next
+    })
+  }
+
  const saveSnapshot = async () => {
    setSavingSnapshot(true)
    try {
@@ -259,6 +351,7 @@ export default function ComplianceHubPage() {
    { key: 'roadmap', label: 'Roadmap' },
    { key: 'modules', label: 'Module' },
    { key: 'trend', label: 'Trend' },
+    { key: 'traceability', label: 'Traceability' },
  ]

  return (
@@ -411,6 +504,115 @@ export default function ComplianceHubPage() {
                ))}
              </div>

+              {/* Anti-Fake-Evidence Section (Phase 3) */}
+              {dashboard && (
+                <div className="bg-white rounded-xl shadow-sm border p-6">
+                  <h3 className="text-lg font-semibold text-slate-900 mb-4">Anti-Fake-Evidence Status</h3>
+
+                  {/* Confidence Distribution Bar */}
+                  {evidenceDistribution && evidenceDistribution.total > 0 && (
+                    <div className="mb-6">
+                      <p className="text-sm text-slate-500 mb-2">Confidence-Verteilung ({evidenceDistribution.total} Nachweise)</p>
+                      <div className="flex h-6 rounded-full overflow-hidden">
+                        {(['E0', 'E1', 'E2', 'E3', 'E4'] as const).map(level => {
+                          const count = evidenceDistribution.by_confidence[level] || 0
+                          const pct = (count / evidenceDistribution.total) * 100
+                          if (pct === 0) return null
+                          const colors: Record<string, string> = {
+                            E0: 'bg-red-400', E1: 'bg-yellow-400', E2: 'bg-blue-400', E3: 'bg-green-400', E4: 'bg-emerald-400'
+                          }
+                          return (
+                            <div key={level} className={`${colors[level]} flex items-center justify-center text-xs text-white font-medium`}
+                              style={{ width: `${pct}%` }} title={`${level}: ${count}`}>
+                              {pct >= 10 ? `${level} (${count})` : ''}
+                            </div>
+                          )
+                        })}
+                      </div>
+                      <div className="flex items-center gap-4 mt-2 text-xs text-slate-500">
+                        {(['E0', 'E1', 'E2', 'E3', 'E4'] as const).map(level => {
+                          const count = evidenceDistribution.by_confidence[level] || 0
+                          const dotColors: Record<string, string> = {
+                            E0: 'bg-red-400', E1: 'bg-yellow-400', E2: 'bg-blue-400', E3: 'bg-green-400', E4: 'bg-emerald-400'
+                          }
+                          return (
+                            <span key={level} className="flex items-center gap-1">
+                              <span className={`w-2 h-2 rounded-full ${dotColors[level]}`} />
+                              {level}: {count}
+                            </span>
+                          )
+                        })}
+                      </div>
+                    </div>
+                  )}
+
+                  {/* Multi-Score Dimensions */}
+                  {dashboard.multi_score && (
+                    <div className="mb-6">
+                      <p className="text-sm text-slate-500 mb-2">Multi-dimensionaler Score</p>
+                      <div className="space-y-2">
+                        {([
+                          { key: 'requirement_coverage', label: 'Anforderungsabdeckung', color: 'bg-blue-500' },
+                          { key: 'evidence_strength', label: 'Evidence-Staerke', color: 'bg-green-500' },
+                          { key: 'validation_quality', label: 'Validierungsqualitaet', color: 'bg-purple-500' },
+                          { key: 'evidence_freshness', label: 'Aktualitaet', color: 'bg-yellow-500' },
+                          { key: 'control_effectiveness', label: 'Control-Wirksamkeit', color: 'bg-indigo-500' },
+                        ] as const).map(dim => {
+                          const value = (dashboard.multi_score as Record<string, number>)[dim.key] || 0
+                          return (
+                            <div key={dim.key} className="flex items-center gap-3">
+                              <span className="text-xs text-slate-600 w-44 truncate">{dim.label}</span>
+                              <div className="flex-1 h-2 bg-slate-200 rounded-full overflow-hidden">
+                                <div className={`h-full ${dim.color} rounded-full transition-all`} style={{ width: `${value}%` }} />
+                              </div>
+                              <span className="text-xs text-slate-600 w-12 text-right">{typeof value === 'number' ? value.toFixed(0) : value}%</span>
+                            </div>
+                          )
+                        })}
+                        <div className="flex items-center gap-3 pt-2 border-t border-slate-100">
+                          <span className="text-xs font-semibold text-slate-700 w-44">Audit-Readiness</span>
+                          <div className="flex-1 h-3 bg-slate-200 rounded-full overflow-hidden">
+                            <div className={`h-full rounded-full transition-all ${
+                              (dashboard.multi_score.overall_readiness || 0) >= 80 ? 'bg-green-500' :
+                              (dashboard.multi_score.overall_readiness || 0) >= 60 ? 'bg-yellow-500' : 'bg-red-500'
+                            }`} style={{ width: `${dashboard.multi_score.overall_readiness || 0}%` }} />
+                          </div>
+                          <span className="text-xs font-semibold text-slate-700 w-12 text-right">
+                            {typeof dashboard.multi_score.overall_readiness === 'number' ? dashboard.multi_score.overall_readiness.toFixed(0) : 0}%
+                          </span>
+                        </div>
+                      </div>
+                    </div>
+                  )}
+
+                  {/* Bottom row: Four-Eyes + Hard Blocks */}
+                  <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+                    <div className="text-center p-3 rounded-lg bg-yellow-50">
+                      <div className="text-2xl font-bold text-yellow-700">{evidenceDistribution?.four_eyes_pending || 0}</div>
+                      <div className="text-xs text-yellow-600 mt-1">Four-Eyes Reviews ausstehend</div>
+                    </div>
+                    {dashboard.multi_score?.hard_blocks && dashboard.multi_score.hard_blocks.length > 0 ? (
+                      <div className="p-3 rounded-lg bg-red-50">
+                        <div className="text-xs font-medium text-red-700 mb-1">Hard Blocks ({dashboard.multi_score.hard_blocks.length})</div>
+                        <ul className="space-y-1">
+                          {dashboard.multi_score.hard_blocks.slice(0, 3).map((block: string, i: number) => (
+                            <li key={i} className="text-xs text-red-600 flex items-start gap-1">
+                              <span className="text-red-400 mt-0.5">&#8226;</span>
+                              <span>{block}</span>
+                            </li>
+                          ))}
+                        </ul>
+                      </div>
+                    ) : (
+                      <div className="text-center p-3 rounded-lg bg-green-50">
+                        <div className="text-2xl font-bold text-green-700">0</div>
+                        <div className="text-xs text-green-600 mt-1">Keine Hard Blocks</div>
+                      </div>
+                    )}
+                  </div>
+                </div>
+              )}
+
              {/* Next Actions + Findings */}
              <div className="grid grid-cols-1 lg:grid-cols-2 gap-4">
                {/* Next Actions */}
@@ -805,6 +1007,232 @@ export default function ComplianceHubPage() {
              )}
            </div>
          )}
+
+          {/* Traceability Tab */}
+          {activeTab === 'traceability' && (
+            <div className="p-6 space-y-6">
+              {traceabilityLoading ? (
+                <div className="flex items-center justify-center py-12">
+                  <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+                  <span className="ml-3 text-slate-500">Traceability Matrix wird geladen...</span>
+                </div>
+              ) : !traceabilityMatrix ? (
+                <div className="text-center py-12 text-slate-500">
+                  Keine Daten verfuegbar. Stellen Sie sicher, dass Controls und Evidence vorhanden sind.
+                </div>
+              ) : (() => {
+                const summary = traceabilityMatrix.summary
+                const totalControls = summary.total_controls || 0
+                const covered = summary.covered || 0
+                const fullyVerified = summary.fully_verified || 0
+                const uncovered = summary.uncovered || 0
+
+                const filteredControls = (traceabilityMatrix.controls || []).filter(ctrl => {
+                  if (traceabilityFilter === 'covered' && !ctrl.coverage.has_evidence) return false
+                  if (traceabilityFilter === 'uncovered' && ctrl.coverage.has_evidence) return false
+                  if (traceabilityFilter === 'fully_verified' && !ctrl.coverage.all_assertions_verified) return false
+                  if (traceabilityDomainFilter !== 'all' && ctrl.domain !== traceabilityDomainFilter) return false
+                  return true
+                })
+
+                const domains = [...new Set(traceabilityMatrix.controls.map(c => c.domain))].sort()
+
+                return (
+                  <>
+                    {/* Summary Cards */}
+                    <div className="grid grid-cols-2 md:grid-cols-4 gap-4">
+                      <div className="bg-purple-50 border border-purple-200 rounded-lg p-4">
+                        <div className="text-2xl font-bold text-purple-700">{totalControls}</div>
+                        <div className="text-sm text-purple-600">Total Controls</div>
+                      </div>
+                      <div className="bg-blue-50 border border-blue-200 rounded-lg p-4">
+                        <div className="text-2xl font-bold text-blue-700">{covered}</div>
+                        <div className="text-sm text-blue-600">Abgedeckt</div>
+                      </div>
+                      <div className="bg-green-50 border border-green-200 rounded-lg p-4">
+                        <div className="text-2xl font-bold text-green-700">{fullyVerified}</div>
+                        <div className="text-sm text-green-600">Vollst. verifiziert</div>
+                      </div>
+                      <div className="bg-red-50 border border-red-200 rounded-lg p-4">
+                        <div className="text-2xl font-bold text-red-700">{uncovered}</div>
+                        <div className="text-sm text-red-600">Unabgedeckt</div>
+                      </div>
+                    </div>
+
+                    {/* Filter Bar */}
+                    <div className="flex flex-wrap gap-4 items-center">
+                      <div className="flex gap-1">
+                        {([
+                          { key: 'all', label: 'Alle' },
+                          { key: 'covered', label: 'Abgedeckt' },
+                          { key: 'uncovered', label: 'Nicht abgedeckt' },
+                          { key: 'fully_verified', label: 'Vollst. verifiziert' },
+                        ] as const).map(f => (
+                          <button
+                            key={f.key}
+                            onClick={() => setTraceabilityFilter(f.key)}
+                            className={`px-3 py-1 text-xs rounded-full transition-colors ${
+                              traceabilityFilter === f.key
+                                ? 'bg-purple-600 text-white'
+                                : 'bg-slate-100 text-slate-600 hover:bg-slate-200'
+                            }`}
+                          >
+                            {f.label}
+                          </button>
+                        ))}
+                      </div>
+                      <div className="h-4 w-px bg-slate-300" />
+                      <div className="flex gap-1 flex-wrap">
+                        <button
+                          onClick={() => setTraceabilityDomainFilter('all')}
+                          className={`px-3 py-1 text-xs rounded-full transition-colors ${
+                            traceabilityDomainFilter === 'all'
+                              ? 'bg-purple-600 text-white'
+                              : 'bg-slate-100 text-slate-600 hover:bg-slate-200'
+                          }`}
+                        >
+                          Alle Domains
+                        </button>
+                        {domains.map(d => (
+                          <button
+                            key={d}
+                            onClick={() => setTraceabilityDomainFilter(d)}
+                            className={`px-3 py-1 text-xs rounded-full transition-colors ${
+                              traceabilityDomainFilter === d
+                                ? 'bg-purple-600 text-white'
+                                : 'bg-slate-100 text-slate-600 hover:bg-slate-200'
+                            }`}
+                          >
+                            {DOMAIN_LABELS[d] || d}
+                          </button>
+                        ))}
+                      </div>
+                    </div>
+
+                    {/* Controls List */}
+                    <div className="space-y-2">
+                      {filteredControls.length === 0 ? (
+                        <div className="text-center py-8 text-slate-400">
+                          Keine Controls fuer diesen Filter gefunden.
+                        </div>
+                      ) : filteredControls.map(ctrl => {
+                        const isExpanded = expandedControls.has(ctrl.id)
+                        const coverageIcon = ctrl.coverage.all_assertions_verified
+                          ? { symbol: '\u2713', color: 'text-green-600 bg-green-50' }
+                          : ctrl.coverage.has_evidence
+                            ? { symbol: '\u25D0', color: 'text-yellow-600 bg-yellow-50' }
+                            : { symbol: '\u2717', color: 'text-red-600 bg-red-50' }
+
+                        return (
+                          <div key={ctrl.id} className="border rounded-lg overflow-hidden">
+                            {/* Control Row */}
+                            <button
+                              onClick={() => toggleControlExpanded(ctrl.id)}
+                              className="w-full flex items-center gap-3 px-4 py-3 text-left hover:bg-slate-50 transition-colors"
+                            >
+                              <span className="text-slate-400 text-xs">{isExpanded ? '\u25BC' : '\u25B6'}</span>
+                              <span className={`w-7 h-7 flex items-center justify-center rounded-full text-sm font-medium ${coverageIcon.color}`}>
+                                {coverageIcon.symbol}
+                              </span>
+                              <code className="text-xs bg-slate-100 px-2 py-0.5 rounded text-slate-600 font-mono">{ctrl.control_id}</code>
+                              <span className="text-sm text-slate-800 flex-1 truncate">{ctrl.title}</span>
+                              <span className="text-xs bg-slate-100 text-slate-500 px-2 py-0.5 rounded">{DOMAIN_LABELS[ctrl.domain] || ctrl.domain}</span>
+                              <span className={`text-xs px-2 py-0.5 rounded ${
+                                ctrl.status === 'implemented' ? 'bg-green-100 text-green-700'
+                                  : ctrl.status === 'in_progress' ? 'bg-blue-100 text-blue-700'
+                                  : 'bg-slate-100 text-slate-600'
+                              }`}>
+                                {ctrl.status}
+                              </span>
+                              <ConfidenceLevelBadge level={ctrl.coverage.min_confidence_level} />
+                              <span className="text-xs text-slate-400 min-w-[3rem] text-right">
+                                {ctrl.evidence.length} Ev.
+                              </span>
+                            </button>
+
+                            {/* Expanded: Evidence list */}
+                            {isExpanded && (
+                              <div className="border-t bg-slate-50">
+                                {ctrl.evidence.length === 0 ? (
+                                  <div className="px-8 py-3 text-xs text-slate-400 italic">
+                                    Kein Evidence verknuepft.
+                                  </div>
+                                ) : ctrl.evidence.map(ev => {
+                                  const evExpanded = expandedEvidence.has(ev.id)
+                                  return (
+                                    <div key={ev.id} className="border-b last:border-b-0">
+                                      <button
+                                        onClick={() => toggleEvidenceExpanded(ev.id)}
+                                        className="w-full flex items-center gap-3 px-8 py-2 text-left hover:bg-slate-100 transition-colors"
+                                      >
+                                        <span className="text-slate-400 text-xs">{evExpanded ? '\u25BC' : '\u25B6'}</span>
+                                        <span className="text-sm text-slate-700 flex-1 truncate">{ev.title}</span>
+                                        <span className="text-xs bg-white border px-2 py-0.5 rounded text-slate-500">{ev.evidence_type}</span>
+                                        <ConfidenceLevelBadge level={ev.confidence_level} />
+                                        <span className={`text-xs px-2 py-0.5 rounded ${
+                                          ev.status === 'valid' ? 'bg-green-100 text-green-700'
+                                            : ev.status === 'expired' ? 'bg-red-100 text-red-700'
+                                            : 'bg-slate-100 text-slate-600'
+                                        }`}>
+                                          {ev.status}
+                                        </span>
+                                        <span className="text-xs text-slate-400 min-w-[3rem] text-right">
+                                          {ev.assertions.length} Ass.
+                                        </span>
+                                      </button>
+
+                                      {/* Expanded: Assertions list */}
+                                      {evExpanded && ev.assertions.length > 0 && (
+                                        <div className="bg-white border-t">
+                                          <table className="w-full text-xs">
+                                            <thead className="bg-slate-50">
+                                              <tr>
+                                                <th className="px-12 py-1.5 text-left text-slate-500 font-medium">Aussage</th>
+                                                <th className="px-3 py-1.5 text-center text-slate-500 font-medium w-20">Typ</th>
+                                                <th className="px-3 py-1.5 text-center text-slate-500 font-medium w-24">Konfidenz</th>
+                                                <th className="px-3 py-1.5 text-center text-slate-500 font-medium w-16">Status</th>
+                                              </tr>
+                                            </thead>
+                                            <tbody className="divide-y divide-slate-100">
+                                              {ev.assertions.map(a => (
+                                                <tr key={a.id} className="hover:bg-slate-50">
+                                                  <td className="px-12 py-1.5 text-slate-700">{a.sentence_text}</td>
+                                                  <td className="px-3 py-1.5 text-center text-slate-500">{a.assertion_type}</td>
+                                                  <td className="px-3 py-1.5 text-center">
+                                                    <span className={`font-medium ${
+                                                      a.confidence >= 0.8 ? 'text-green-600'
+                                                        : a.confidence >= 0.5 ? 'text-yellow-600'
+                                                        : 'text-red-600'
+                                                    }`}>
+                                                      {(a.confidence * 100).toFixed(0)}%
+                                                    </span>
+                                                  </td>
+                                                  <td className="px-3 py-1.5 text-center">
+                                                    {a.verified
+                                                      ? <span className="text-green-600 font-medium">{'\u2713'}</span>
+                                                      : <span className="text-slate-400">{'\u2717'}</span>
+                                                    }
+                                                  </td>
+                                                </tr>
+                                              ))}
+                                            </tbody>
+                                          </table>
+                                        </div>
+                                      )}
+                                    </div>
+                                  )
+                                })}
+                              </div>
+                            )}
+                          </div>
+                        )
+                      })}
+                    </div>
+                  </>
+                )
+              })()}
+            </div>
+          )}
        </>
      )}
    </div>
--- a/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx
+++ b/admin-compliance/app/sdk/control-library/components/ControlDetail.tsx
@@ -1,15 +1,18 @@
 'use client'

-import { useState, useEffect } from 'react'
+import { useState, useEffect, useCallback } from 'react'
 import {
  ArrowLeft, ExternalLink, BookOpen, Scale, FileText,
  Eye, CheckCircle2, Trash2, Pencil, Clock,
-  ChevronLeft, SkipForward, GitMerge, Search,
+  ChevronLeft, SkipForward, GitMerge, Search, Landmark,
 } from 'lucide-react'
 import {
  CanonicalControl, EFFORT_LABELS, BACKEND_URL,
-  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, TargetAudienceBadge,
-  VERIFICATION_METHODS, CATEGORY_OPTIONS,
+  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, EvidenceTypeBadge, TargetAudienceBadge,
+  ObligationTypeBadge, GenerationStrategyBadge, isEigenentwicklung,
+  ExtractionMethodBadge, RegulationCountBadge,
+  VERIFICATION_METHODS, CATEGORY_OPTIONS, EVIDENCE_TYPE_OPTIONS,
+  ObligationInfo, DocumentReference, MergedDuplicate, RegulationSummary,
 } from './helpers'

 interface SimilarControl {
@@ -24,6 +27,58 @@ interface SimilarControl {
  similarity: number
 }

+interface ParentLink {
+  parent_control_id: string
+  parent_title: string
+  link_type: string
+  confidence: number
+  source_regulation: string | null
+  source_article: string | null
+  parent_citation: Record<string, string> | null
+  obligation: {
+    text: string
+    action: string
+    object: string
+    normative_strength: string
+  } | null
+}
+
+interface TraceabilityData {
+  control_id: string
+  title: string
+  is_atomic: boolean
+  parent_links: ParentLink[]
+  children: Array<{
+    control_id: string
+    title: string
+    category: string
+    severity: string
+    decomposition_method: string
+  }>
+  source_count: number
+  // Extended provenance fields
+  obligations?: ObligationInfo[]
+  obligation_count?: number
+  document_references?: DocumentReference[]
+  merged_duplicates?: MergedDuplicate[]
+  merged_duplicates_count?: number
+  regulations_summary?: RegulationSummary[]
+}
+
+interface V1Match {
+  matched_control_id: string
+  matched_title: string
+  matched_objective: string
+  matched_severity: string
+  matched_category: string
+  matched_source: string | null
+  matched_article: string | null
+  matched_source_citation: Record<string, string> | null
+  similarity_score: number
+  match_rank: number
+  match_method: string
+}
+
 interface ControlDetailProps {
  ctrl: CanonicalControl
  onBack: () => void
@@ -31,6 +86,8 @@ interface ControlDetailProps {
  onDelete: (controlId: string) => void
  onReview: (controlId: string, action: string) => void
  onRefresh?: () => void
+  onNavigateToControl?: (controlId: string) => void
+  onCompare?: (ctrl: CanonicalControl, matches: V1Match[]) => void
  // Review mode navigation
  reviewMode?: boolean
  reviewIndex?: number
@@ -46,6 +103,8 @@ export function ControlDetail({
  onDelete,
  onReview,
  onRefresh,
+  onNavigateToControl,
+  onCompare,
  reviewMode,
  reviewIndex = 0,
  reviewTotal = 0,
@@ -56,9 +115,42 @@ export function ControlDetail({
  const [loadingSimilar, setLoadingSimilar] = useState(false)
  const [selectedDuplicates, setSelectedDuplicates] = useState<Set<string>>(new Set())
  const [merging, setMerging] = useState(false)
+  const [traceability, setTraceability] = useState<TraceabilityData | null>(null)
+  const [loadingTrace, setLoadingTrace] = useState(false)
+  const [v1Matches, setV1Matches] = useState<V1Match[]>([])
+  const [loadingV1, setLoadingV1] = useState(false)
+  const eigenentwicklung = isEigenentwicklung(ctrl)
+
+  const loadTraceability = useCallback(async () => {
+    setLoadingTrace(true)
+    try {
+      // Try provenance first (extended data), fall back to traceability
+      let res = await fetch(`${BACKEND_URL}?endpoint=provenance&id=${ctrl.control_id}`)
+      if (!res.ok) {
+        res = await fetch(`${BACKEND_URL}?endpoint=traceability&id=${ctrl.control_id}`)
+      }
+      if (res.ok) {
+        setTraceability(await res.json())
+      }
+    } catch { /* ignore */ }
+    finally { setLoadingTrace(false) }
+  }, [ctrl.control_id])
+
+  const loadV1Matches = useCallback(async () => {
+    if (!eigenentwicklung) { setV1Matches([]); return }
+    setLoadingV1(true)
+    try {
+      const res = await fetch(`${BACKEND_URL}?endpoint=v1-matches&id=${ctrl.control_id}`)
+      if (res.ok) setV1Matches(await res.json())
+      else setV1Matches([])
+    } catch { setV1Matches([]) }
+    finally { setLoadingV1(false) }
+  }, [ctrl.control_id, eigenentwicklung])

  useEffect(() => {
    loadSimilarControls()
+    loadTraceability()
+    loadV1Matches()
    setSelectedDuplicates(new Set())
  // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [ctrl.control_id])
@@ -124,7 +216,10 @@ export function ControlDetail({
              <LicenseRuleBadge rule={ctrl.license_rule} />
              <VerificationMethodBadge method={ctrl.verification_method} />
              <CategoryBadge category={ctrl.category} />
+              <EvidenceTypeBadge type={ctrl.evidence_type} />
              <TargetAudienceBadge audience={ctrl.target_audience} />
+              <GenerationStrategyBadge strategy={ctrl.generation_strategy} pipelineInfo={ctrl} />
+              <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
            </div>
            <h2 className="text-lg font-semibold text-gray-900 mt-1">{ctrl.title}</h2>
          </div>
@@ -239,6 +334,304 @@ export function ControlDetail({
          </section>
        )}

+        {/* Regulatorische Abdeckung (Eigenentwicklung) */}
+        {eigenentwicklung && (
+          <section className="bg-orange-50 border border-orange-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <Scale className="w-4 h-4 text-orange-600" />
+              <h3 className="text-sm font-semibold text-orange-900">
+                Regulatorische Abdeckung
+              </h3>
+              {loadingV1 && <span className="text-xs text-orange-400">Laden...</span>}
+            </div>
+            {v1Matches.length > 0 ? (
+              <div className="space-y-2">
+                {v1Matches.map((match, i) => (
+                  <div key={i} className="bg-white/60 border border-orange-100 rounded-lg p-3">
+                    <div className="flex items-start justify-between gap-2">
+                      <div className="flex-1 min-w-0">
+                        <div className="flex items-center gap-2 flex-wrap mb-1">
+                          {match.matched_source && (
+                            <span className="text-xs font-semibold text-blue-800 bg-blue-100 px-1.5 py-0.5 rounded">
+                              {match.matched_source}
+                            </span>
+                          )}
+                          {match.matched_article && (
+                            <span className="text-xs text-blue-700 bg-blue-50 px-1.5 py-0.5 rounded">
+                              {match.matched_article}
+                            </span>
+                          )}
+                          <span className={`text-xs font-medium px-1.5 py-0.5 rounded ${
+                            match.similarity_score >= 0.85 ? 'bg-green-100 text-green-700' :
+                            match.similarity_score >= 0.80 ? 'bg-yellow-100 text-yellow-700' :
+                            'bg-gray-100 text-gray-600'
+                          }`}>
+                            {(match.similarity_score * 100).toFixed(0)}%
+                          </span>
+                        </div>
+                        <p className="text-sm text-gray-800">
+                          {onNavigateToControl ? (
+                            <button
+                              onClick={() => onNavigateToControl(match.matched_control_id)}
+                              className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded hover:bg-purple-100 hover:underline mr-1.5"
+                            >
+                              {match.matched_control_id}
+                            </button>
+                          ) : (
+                            <span className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded mr-1.5">
+                              {match.matched_control_id}
+                            </span>
+                          )}
+                          {match.matched_title}
+                        </p>
+                      </div>
+                      {onCompare && (
+                        <button
+                          onClick={() => onCompare(ctrl, v1Matches)}
+                          className="text-xs text-orange-600 border border-orange-300 rounded px-2 py-1 hover:bg-orange-100 whitespace-nowrap flex-shrink-0"
+                        >
+                          Vergleichen
+                        </button>
+                      )}
+                    </div>
+                  </div>
+                ))}
+              </div>
+            ) : !loadingV1 ? (
+              <p className="text-sm text-orange-600">Keine regulatorische Abdeckung gefunden. Dieses Control ist eine reine Eigenentwicklung.</p>
+            ) : null}
+          </section>
+        )}
+
+        {/* Rechtsgrundlagen / Traceability (atomic controls) */}
+        {traceability && traceability.parent_links.length > 0 && (
+          <section className="bg-violet-50 border border-violet-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <Landmark className="w-4 h-4 text-violet-600" />
+              <h3 className="text-sm font-semibold text-violet-900">
+                Rechtsgrundlagen ({traceability.source_count} {traceability.source_count === 1 ? 'Quelle' : 'Quellen'})
+              </h3>
+              <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
+              {traceability.regulations_summary && traceability.regulations_summary.map(rs => (
+                <span key={rs.regulation_code} className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-violet-200 text-violet-800">
+                  {rs.regulation_code}
+                </span>
+              ))}
+              {loadingTrace && <span className="text-xs text-violet-400">Laden...</span>}
+            </div>
+            <div className="space-y-3">
+              {traceability.parent_links.map((link, i) => (
+                <div key={i} className="bg-white/60 border border-violet-100 rounded-lg p-3">
+                  <div className="flex items-start gap-2">
+                    <Scale className="w-4 h-4 text-violet-500 mt-0.5 flex-shrink-0" />
+                    <div className="flex-1 min-w-0">
+                      <div className="flex items-center gap-2 flex-wrap">
+                        {link.source_regulation && (
+                          <span className="text-sm font-semibold text-violet-900">{link.source_regulation}</span>
+                        )}
+                        {link.source_article && (
+                          <span className="text-sm text-violet-700">{link.source_article}</span>
+                        )}
+                        {!link.source_regulation && link.parent_citation?.source && (
+                          <span className="text-sm font-semibold text-violet-900">
+                            {link.parent_citation.source}
+                            {link.parent_citation.article && ` — ${link.parent_citation.article}`}
+                          </span>
+                        )}
+                        <span className={`text-xs px-1.5 py-0.5 rounded ${
+                          link.link_type === 'decomposition' ? 'bg-violet-100 text-violet-600' :
+                          link.link_type === 'dedup_merge' ? 'bg-blue-100 text-blue-600' :
+                          'bg-gray-100 text-gray-600'
+                        }`}>
+                          {link.link_type === 'decomposition' ? 'Ableitung' :
+                           link.link_type === 'dedup_merge' ? 'Dedup' :
+                           link.link_type}
+                        </span>
+                      </div>
+                      <p className="text-xs text-violet-600 mt-1">
+                        via{' '}
+                        {onNavigateToControl ? (
+                          <button
+                            onClick={() => onNavigateToControl(link.parent_control_id)}
+                            className="font-mono font-medium text-purple-700 bg-purple-50 px-1 py-0.5 rounded hover:bg-purple-100 hover:underline"
+                          >
+                            {link.parent_control_id}
+                          </button>
+                        ) : (
+                          <span className="font-mono font-medium text-purple-700 bg-purple-50 px-1 py-0.5 rounded">
+                            {link.parent_control_id}
+                          </span>
+                        )}
+                        {link.parent_title && (
+                          <span className="text-violet-500 ml-1">— {link.parent_title}</span>
+                        )}
+                      </p>
+                      {link.obligation && (
+                        <p className="text-xs text-violet-500 mt-1.5 bg-violet-50 rounded p-2">
+                          <span className={`inline-block mr-1.5 px-1.5 py-0.5 rounded text-xs font-medium ${
+                            link.obligation.normative_strength === 'must' ? 'bg-red-100 text-red-700' :
+                            link.obligation.normative_strength === 'should' ? 'bg-amber-100 text-amber-700' :
+                            'bg-green-100 text-green-700'
+                          }`}>
+                            {link.obligation.normative_strength === 'must' ? 'MUSS' :
+                             link.obligation.normative_strength === 'should' ? 'SOLL' : 'KANN'}
+                          </span>
+                          {link.obligation.text.slice(0, 200)}
+                          {link.obligation.text.length > 200 ? '...' : ''}
+                        </p>
+                      )}
+                    </div>
+                  </div>
+                </div>
+              ))}
+            </div>
+          </section>
+        )}
+
+        {/* Fallback: simple parent display when traceability not loaded yet */}
+        {ctrl.parent_control_uuid && (!traceability || traceability.parent_links.length === 0) && !loadingTrace && (
+          <section className="bg-violet-50 border border-violet-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-1">
+              <GitMerge className="w-4 h-4 text-violet-600" />
+              <h3 className="text-sm font-semibold text-violet-900">Atomares Control</h3>
+              <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
+            </div>
+            <p className="text-sm text-violet-800">
+              Abgeleitet aus Eltern-Control{' '}
+              <span className="font-mono font-semibold text-purple-700 bg-purple-100 px-1.5 py-0.5 rounded">
+                {ctrl.parent_control_id || ctrl.parent_control_uuid}
+              </span>
+              {ctrl.parent_control_title && (
+                <span className="text-violet-700 ml-1">— {ctrl.parent_control_title}</span>
+              )}
+            </p>
+          </section>
+        )}
+
+        {/* Document References (atomic controls) */}
+        {traceability && traceability.is_atomic && traceability.document_references && traceability.document_references.length > 0 && (
+          <section className="bg-indigo-50 border border-indigo-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <FileText className="w-4 h-4 text-indigo-600" />
+              <h3 className="text-sm font-semibold text-indigo-900">
+                Original-Dokumente ({traceability.document_references.length})
+              </h3>
+            </div>
+            <div className="space-y-2">
+              {traceability.document_references.map((dr, i) => (
+                <div key={i} className="flex items-center gap-2 text-sm bg-white/60 border border-indigo-100 rounded-lg p-2">
+                  <span className="font-semibold text-indigo-900">{dr.regulation_code}</span>
+                  {dr.article && <span className="text-indigo-700">{dr.article}</span>}
+                  {dr.paragraph && <span className="text-indigo-600 text-xs">{dr.paragraph}</span>}
+                  <span className="ml-auto flex items-center gap-1.5">
+                    <ExtractionMethodBadge method={dr.extraction_method} />
+                    {dr.confidence !== null && (
+                      <span className="text-xs text-gray-500">{(dr.confidence * 100).toFixed(0)}%</span>
+                    )}
+                  </span>
+                </div>
+              ))}
+            </div>
+          </section>
+        )}
+
+        {/* Obligations (rich controls) */}
+        {traceability && !traceability.is_atomic && traceability.obligations && traceability.obligations.length > 0 && (
+          <section className="bg-amber-50 border border-amber-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <Scale className="w-4 h-4 text-amber-600" />
+              <h3 className="text-sm font-semibold text-amber-900">
+                Abgeleitete Pflichten ({traceability.obligation_count ?? traceability.obligations.length})
+              </h3>
+            </div>
+            <div className="space-y-2">
+              {traceability.obligations.map((ob) => (
+                <div key={ob.candidate_id} className="bg-white/60 border border-amber-100 rounded-lg p-3">
+                  <div className="flex items-center gap-2 mb-1 flex-wrap">
+                    <span className="font-mono text-xs text-amber-700 bg-amber-100 px-1.5 py-0.5 rounded">{ob.candidate_id}</span>
+                    <span className={`inline-block px-1.5 py-0.5 rounded text-xs font-medium ${
+                      ob.normative_strength === 'must' ? 'bg-red-100 text-red-700' :
+                      ob.normative_strength === 'should' ? 'bg-amber-100 text-amber-700' :
+                      'bg-green-100 text-green-700'
+                    }`}>
+                      {ob.normative_strength === 'must' ? 'MUSS' :
+                       ob.normative_strength === 'should' ? 'SOLL' : 'KANN'}
+                    </span>
+                    {ob.action && <span className="text-xs text-amber-600">{ob.action}</span>}
+                    {ob.object && <span className="text-xs text-amber-500">→ {ob.object}</span>}
+                  </div>
+                  <p className="text-xs text-gray-700 leading-relaxed">
+                    {ob.obligation_text.slice(0, 300)}
+                    {ob.obligation_text.length > 300 ? '...' : ''}
+                  </p>
+                </div>
+              ))}
+            </div>
+          </section>
+        )}
+
+        {/* Merged Duplicates */}
+        {traceability && traceability.merged_duplicates && traceability.merged_duplicates.length > 0 && (
+          <section className="bg-slate-50 border border-slate-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <GitMerge className="w-4 h-4 text-slate-600" />
+              <h3 className="text-sm font-semibold text-slate-900">
+                Zusammengefuehrte Duplikate ({traceability.merged_duplicates_count ?? traceability.merged_duplicates.length})
+              </h3>
+            </div>
+            <div className="space-y-1.5">
+              {traceability.merged_duplicates.map((dup) => (
+                <div key={dup.control_id} className="flex items-center gap-2 text-sm">
+                  {onNavigateToControl ? (
+                    <button
+                      onClick={() => onNavigateToControl(dup.control_id)}
+                      className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded hover:bg-purple-100 hover:underline"
+                    >
+                      {dup.control_id}
+                    </button>
+                  ) : (
+                    <span className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded">{dup.control_id}</span>
+                  )}
+                  <span className="text-gray-700 flex-1 truncate">{dup.title}</span>
+                  {dup.source_regulation && (
+                    <span className="text-xs text-slate-500 bg-slate-100 px-1.5 py-0.5 rounded">{dup.source_regulation}</span>
+                  )}
+                </div>
+              ))}
+            </div>
+          </section>
+        )}
+
+        {/* Child controls (rich controls that have atomic children) */}
+        {traceability && traceability.children.length > 0 && (
+          <section className="bg-emerald-50 border border-emerald-200 rounded-lg p-4">
+            <div className="flex items-center gap-2 mb-3">
+              <GitMerge className="w-4 h-4 text-emerald-600" />
+              <h3 className="text-sm font-semibold text-emerald-900">
+                Abgeleitete Controls ({traceability.children.length})
+              </h3>
+            </div>
+            <div className="space-y-1.5">
+              {traceability.children.map((child) => (
+                <div key={child.control_id} className="flex items-center gap-2 text-sm">
+                  {onNavigateToControl ? (
+                    <button
+                      onClick={() => onNavigateToControl(child.control_id)}
+                      className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded hover:bg-purple-100 hover:underline"
+                    >
+                      {child.control_id}
+                    </button>
+                  ) : (
+                    <span className="font-mono text-xs text-purple-600 bg-purple-50 px-1.5 py-0.5 rounded">{child.control_id}</span>
+                  )}
+                  <span className="text-gray-700 flex-1 truncate">{child.title}</span>
+                  <SeverityBadge severity={child.severity} />
+                </div>
+              ))}
+            </div>
+          </section>
+        )}
+
        {/* Impliziter Gesetzesbezug (Rule 3 — reformuliert, kein Originaltext) */}
        {!ctrl.source_citation && ctrl.open_anchors.length > 0 && (
          <section className="bg-amber-50 border border-amber-200 rounded-lg p-3">
@@ -297,7 +690,7 @@ export function ControlDetail({
          </section>
        )}

-        {/* Evidence */}
+        {/* Evidence — handles both {type, description} objects and plain strings */}
        {ctrl.evidence.length > 0 && (
          <section>
            <h3 className="text-sm font-semibold text-gray-900 mb-2">Nachweise</h3>
@@ -305,7 +698,11 @@ export function ControlDetail({
              {ctrl.evidence.map((ev, i) => (
                <div key={i} className="flex items-start gap-2 text-sm text-gray-700">
                  <FileText className="w-4 h-4 text-gray-400 flex-shrink-0 mt-0.5" />
-                  <div><span className="font-medium">{ev.type}:</span> {ev.description}</div>
+                  {typeof ev === 'string' ? (
+                    <div>{ev}</div>
+                  ) : (
+                    <div><span className="font-medium">{ev.type}:</span> {ev.description}</div>
+                  )}
                </div>
              ))}
            </div>
@@ -359,7 +756,18 @@ export function ControlDetail({
              <h3 className="text-sm font-semibold text-gray-700">Generierungsdetails (intern)</h3>
            </div>
            <div className="text-xs text-gray-600 space-y-1">
-              <p>Pfad: {String(ctrl.generation_metadata.processing_path || '-')}</p>
+              {ctrl.generation_metadata.processing_path && (
+                <p>Pfad: {String(ctrl.generation_metadata.processing_path)}</p>
+              )}
+              {ctrl.generation_metadata.decomposition_method && (
+                <p>Methode: {String(ctrl.generation_metadata.decomposition_method)}</p>
+              )}
+              {ctrl.generation_metadata.pass0b_model && (
+                <p>LLM: {String(ctrl.generation_metadata.pass0b_model)}</p>
+              )}
+              {ctrl.generation_metadata.obligation_type && (
+                <p>Obligation-Typ: {String(ctrl.generation_metadata.obligation_type)}</p>
+              )}
              {ctrl.generation_metadata.similarity_status && (
                <p className="text-red-600">Similarity: {String(ctrl.generation_metadata.similarity_status)}</p>
              )}
--- a/admin-compliance/app/sdk/control-library/components/ReviewCompare.tsx
+++ b/admin-compliance/app/sdk/control-library/components/ReviewCompare.tsx
@@ -15,7 +15,7 @@ import {
 // Compact Control Panel (used on both sides of the comparison)
 // =============================================================================

-function ControlPanel({ ctrl, label, highlight }: { ctrl: CanonicalControl; label: string; highlight?: boolean }) {
+export function ControlPanel({ ctrl, label, highlight }: { ctrl: CanonicalControl; label: string; highlight?: boolean }) {
  return (
    <div className={`flex flex-col h-full overflow-y-auto ${highlight ? 'bg-yellow-50' : 'bg-white'}`}>
      {/* Panel Header */}
--- a/admin-compliance/app/sdk/control-library/components/V1CompareView.tsx
+++ b/admin-compliance/app/sdk/control-library/components/V1CompareView.tsx
@@ -0,0 +1,155 @@
+'use client'
+
+import { useState, useEffect } from 'react'
+import {
+  ArrowLeft, ChevronLeft, SkipForward, Scale,
+} from 'lucide-react'
+import { CanonicalControl, BACKEND_URL } from './helpers'
+import { ControlPanel } from './ReviewCompare'
+
+interface V1Match {
+  matched_control_id: string
+  matched_title: string
+  matched_objective: string
+  matched_severity: string
+  matched_category: string
+  matched_source: string | null
+  matched_article: string | null
+  matched_source_citation: Record<string, string> | null
+  similarity_score: number
+  match_rank: number
+  match_method: string
+}
+
+interface V1CompareViewProps {
+  v1Control: CanonicalControl
+  matches: V1Match[]
+  onBack: () => void
+  onNavigateToControl?: (controlId: string) => void
+}
+
+export function V1CompareView({ v1Control, matches, onBack, onNavigateToControl }: V1CompareViewProps) {
+  const [currentMatchIndex, setCurrentMatchIndex] = useState(0)
+  const [matchedControl, setMatchedControl] = useState<CanonicalControl | null>(null)
+  const [loading, setLoading] = useState(false)
+
+  const currentMatch = matches[currentMatchIndex]
+
+  // Load the full matched control when index changes
+  useEffect(() => {
+    if (!currentMatch) return
+    const load = async () => {
+      setLoading(true)
+      try {
+        const res = await fetch(`${BACKEND_URL}?endpoint=control&id=${encodeURIComponent(currentMatch.matched_control_id)}`)
+        if (res.ok) {
+          setMatchedControl(await res.json())
+        } else {
+          setMatchedControl(null)
+        }
+      } catch {
+        setMatchedControl(null)
+      } finally {
+        setLoading(false)
+      }
+    }
+    load()
+  }, [currentMatch])
+
+  return (
+    <div className="flex flex-col h-full">
+      {/* Header */}
+      <div className="border-b border-gray-200 bg-white px-6 py-3 flex items-center justify-between">
+        <div className="flex items-center gap-3">
+          <button onClick={onBack} className="text-gray-400 hover:text-gray-600">
+            <ArrowLeft className="w-5 h-5" />
+          </button>
+          <div>
+            <div className="flex items-center gap-2">
+              <Scale className="w-4 h-4 text-orange-500" />
+              <span className="text-sm font-semibold text-gray-900">V1-Vergleich</span>
+              {currentMatch && (
+                <span className={`text-xs font-medium px-2 py-0.5 rounded-full ${
+                  currentMatch.similarity_score >= 0.85 ? 'bg-green-100 text-green-700' :
+                  currentMatch.similarity_score >= 0.80 ? 'bg-yellow-100 text-yellow-700' :
+                  'bg-gray-100 text-gray-600'
+                }`}>
+                  {(currentMatch.similarity_score * 100).toFixed(1)}% Aehnlichkeit
+                </span>
+              )}
+            </div>
+          </div>
+        </div>
+
+        <div className="flex items-center gap-2">
+          {/* Navigation */}
+          <div className="flex items-center gap-1">
+            <button
+              onClick={() => setCurrentMatchIndex(Math.max(0, currentMatchIndex - 1))}
+              disabled={currentMatchIndex === 0}
+              className="p-1 text-gray-400 hover:text-gray-600 disabled:opacity-30"
+            >
+              <ChevronLeft className="w-4 h-4" />
+            </button>
+            <span className="text-xs text-gray-500 font-medium">
+              {currentMatchIndex + 1} / {matches.length}
+            </span>
+            <button
+              onClick={() => setCurrentMatchIndex(Math.min(matches.length - 1, currentMatchIndex + 1))}
+              disabled={currentMatchIndex >= matches.length - 1}
+              className="p-1 text-gray-400 hover:text-gray-600 disabled:opacity-30"
+            >
+              <SkipForward className="w-4 h-4" />
+            </button>
+          </div>
+
+          {/* Navigate to matched control */}
+          {onNavigateToControl && matchedControl && (
+            <button
+              onClick={() => { onBack(); onNavigateToControl(matchedControl.control_id) }}
+              className="px-3 py-1.5 text-sm text-purple-600 border border-purple-300 rounded-lg hover:bg-purple-50"
+            >
+              Zum Control
+            </button>
+          )}
+        </div>
+      </div>
+
+      {/* Source info bar */}
+      {currentMatch && (currentMatch.matched_source || currentMatch.matched_article) && (
+        <div className="px-6 py-2 bg-blue-50 border-b border-blue-200 flex items-center gap-2 text-sm">
+          <Scale className="w-3.5 h-3.5 text-blue-600" />
+          {currentMatch.matched_source && (
+            <span className="font-semibold text-blue-900">{currentMatch.matched_source}</span>
+          )}
+          {currentMatch.matched_article && (
+            <span className="text-blue-700">{currentMatch.matched_article}</span>
+          )}
+        </div>
+      )}
+
+      {/* Side-by-Side Panels */}
+      <div className="flex-1 flex overflow-hidden">
+        {/* Left: V1 Eigenentwicklung */}
+        <div className="w-1/2 border-r border-gray-200 overflow-y-auto">
+          <ControlPanel ctrl={v1Control} label="Eigenentwicklung" highlight />
+        </div>
+
+        {/* Right: Regulatory match */}
+        <div className="w-1/2 overflow-y-auto">
+          {loading ? (
+            <div className="flex items-center justify-center h-full">
+              <div className="animate-spin rounded-full h-6 w-6 border-2 border-purple-600 border-t-transparent" />
+            </div>
+          ) : matchedControl ? (
+            <ControlPanel ctrl={matchedControl} label="Regulatorisch gedeckt" />
+          ) : (
+            <div className="flex items-center justify-center h-full text-gray-400 text-sm">
+              Control konnte nicht geladen werden
+            </div>
+          )}
+        </div>
+      </div>
+    </div>
+  )
+}
--- a/admin-compliance/app/sdk/control-library/components/helpers.tsx
+++ b/admin-compliance/app/sdk/control-library/components/helpers.tsx
@@ -30,7 +30,7 @@ export interface CanonicalControl {
  }
  requirements: string[]
  test_procedure: string[]
-  evidence: EvidenceItem[]
+  evidence: (EvidenceItem | string)[]
  severity: string
  risk_score: number | null
  implementation_effort: string | null
@@ -44,9 +44,15 @@ export interface CanonicalControl {
  customer_visible?: boolean
  verification_method: string | null
  category: string | null
+  evidence_type: string | null
  target_audience: string | string[] | null
  generation_metadata?: Record<string, unknown> | null
  generation_strategy?: string | null
+  parent_control_uuid?: string | null
+  parent_control_id?: string | null
+  parent_control_title?: string | null
+  decomposition_method?: string | null
+  pipeline_version?: number | string | null
  created_at: string
  updated_at: string
 }
@@ -98,6 +104,7 @@ export const EMPTY_CONTROL = {
  tags: [] as string[],
  verification_method: null as string | null,
  category: null as string | null,
+  evidence_type: null as string | null,
  target_audience: null as string | null,
 }

@@ -141,6 +148,18 @@ export const CATEGORY_OPTIONS = [
  { value: 'identity', label: 'Identitaetsmanagement' },
 ]

+export const EVIDENCE_TYPE_CONFIG: Record<string, { bg: string; label: string }> = {
+  code: { bg: 'bg-sky-100 text-sky-700', label: 'Code' },
+  process: { bg: 'bg-amber-100 text-amber-700', label: 'Prozess' },
+  hybrid: { bg: 'bg-violet-100 text-violet-700', label: 'Hybrid' },
+}
+
+export const EVIDENCE_TYPE_OPTIONS = [
+  { value: 'code', label: 'Code — Technisch (Source Code, IaC, CI/CD)' },
+  { value: 'process', label: 'Prozess — Organisatorisch (Dokumente, Policies)' },
+  { value: 'hybrid', label: 'Hybrid — Code + Prozess' },
+]
+
 export const TARGET_AUDIENCE_OPTIONS: Record<string, { bg: string; label: string }> = {
  // Legacy English keys
  enterprise: { bg: 'bg-cyan-100 text-cyan-700', label: 'Unternehmen' },
@@ -240,6 +259,13 @@ export function CategoryBadge({ category }: { category: string | null }) {
  )
 }

+export function EvidenceTypeBadge({ type }: { type: string | null }) {
+  if (!type) return null
+  const config = EVIDENCE_TYPE_CONFIG[type]
+  if (!config) return null
+  return <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${config.bg}`}>{config.label}</span>
+}
+
 export function TargetAudienceBadge({ audience }: { audience: string | string[] | null }) {
  if (!audience) return null

@@ -268,16 +294,115 @@ export function TargetAudienceBadge({ audience }: { audience: string | string[]
  )
 }

-export function GenerationStrategyBadge({ strategy }: { strategy: string | null | undefined }) {
+export interface CanonicalControlPipelineInfo {
+  pipeline_version?: number | string | null
+  source_citation?: Record<string, string> | null
+  parent_control_uuid?: string | null
+}
+
+export function isEigenentwicklung(ctrl: CanonicalControlPipelineInfo & { generation_strategy?: string | null }): boolean {
+  return (
+    (!ctrl.generation_strategy || ctrl.generation_strategy === 'ungrouped') &&
+    (!ctrl.pipeline_version || String(ctrl.pipeline_version) === '1') &&
+    !ctrl.source_citation &&
+    !ctrl.parent_control_uuid
+  )
+}
+
+export function GenerationStrategyBadge({ strategy, pipelineInfo }: {
+  strategy: string | null | undefined
+  pipelineInfo?: CanonicalControlPipelineInfo & { generation_strategy?: string | null }
+}) {
+  // Eigenentwicklung detection: v1 + no source + no parent
+  if (pipelineInfo && isEigenentwicklung(pipelineInfo)) {
+    return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-orange-100 text-orange-700">Eigenentwicklung</span>
+  }
  if (!strategy || strategy === 'ungrouped') {
    return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-gray-100 text-gray-500">v1</span>
  }
  if (strategy === 'document_grouped') {
    return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-emerald-100 text-emerald-700">v2</span>
  }
-  return null
+  if (strategy === 'phase74_gap_fill') {
+    return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-blue-100 text-blue-700">v5 Gap</span>
+  }
+  if (strategy === 'pass0b_atomic' || strategy === 'pass0b') {
+    return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-violet-100 text-violet-700">Atomar</span>
+  }
+  return <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-gray-100 text-gray-500">{strategy}</span>
+}
+
+export const OBLIGATION_TYPE_CONFIG: Record<string, { bg: string; label: string }> = {
+  pflicht: { bg: 'bg-red-100 text-red-700', label: 'Pflicht' },
+  empfehlung: { bg: 'bg-amber-100 text-amber-700', label: 'Empfehlung' },
+  kann: { bg: 'bg-green-100 text-green-700', label: 'Kann' },
+}
+
+export function ObligationTypeBadge({ type }: { type: string | null | undefined }) {
+  if (!type) return null
+  const config = OBLIGATION_TYPE_CONFIG[type]
+  if (!config) return null
+  return <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium ${config.bg}`}>{config.label}</span>
 }

 export function getDomain(controlId: string): string {
  return controlId.split('-')[0] || ''
 }
+
+// =============================================================================
+// PROVENANCE TYPES
+// =============================================================================
+
+export interface ObligationInfo {
+  candidate_id: string
+  obligation_text: string
+  action: string | null
+  object: string | null
+  normative_strength: string
+  release_state: string
+}
+
+export interface DocumentReference {
+  regulation_code: string
+  article: string | null
+  paragraph: string | null
+  extraction_method: string
+  confidence: number | null
+}
+
+export interface MergedDuplicate {
+  control_id: string
+  title: string
+  source_regulation: string | null
+}
+
+export interface RegulationSummary {
+  regulation_code: string
+  articles: string[]
+  link_types: string[]
+}
+
+// =============================================================================
+// PROVENANCE BADGES
+// =============================================================================
+
+const EXTRACTION_METHOD_CONFIG: Record<string, { bg: string; label: string }> = {
+  exact_match: { bg: 'bg-green-100 text-green-700', label: 'Exakt' },
+  embedding_match: { bg: 'bg-blue-100 text-blue-700', label: 'Embedding' },
+  llm_extracted: { bg: 'bg-violet-100 text-violet-700', label: 'LLM' },
+  inferred: { bg: 'bg-gray-100 text-gray-600', label: 'Abgeleitet' },
+}
+
+export function ExtractionMethodBadge({ method }: { method: string }) {
+  const config = EXTRACTION_METHOD_CONFIG[method] || EXTRACTION_METHOD_CONFIG.inferred
+  return <span className={`inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium ${config.bg}`}>{config.label}</span>
+}
+
+export function RegulationCountBadge({ count }: { count: number }) {
+  if (count <= 0) return null
+  return (
+    <span className="inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium bg-violet-100 text-violet-700">
+      {count} {count === 1 ? 'Regulierung' : 'Regulierungen'}
+    </span>
+  )
+}
--- a/admin-compliance/app/sdk/control-library/page.tsx
+++ b/admin-compliance/app/sdk/control-library/page.tsx
@@ -8,13 +8,14 @@ import {
 } from 'lucide-react'
 import {
  CanonicalControl, Framework, BACKEND_URL, EMPTY_CONTROL,
-  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, TargetAudienceBadge,
-  GenerationStrategyBadge,
-  VERIFICATION_METHODS, CATEGORY_OPTIONS, TARGET_AUDIENCE_OPTIONS,
+  SeverityBadge, StateBadge, LicenseRuleBadge, VerificationMethodBadge, CategoryBadge, EvidenceTypeBadge, TargetAudienceBadge,
+  GenerationStrategyBadge, ObligationTypeBadge,
+  VERIFICATION_METHODS, CATEGORY_OPTIONS, EVIDENCE_TYPE_OPTIONS, TARGET_AUDIENCE_OPTIONS,
 } from './components/helpers'
 import { ControlForm } from './components/ControlForm'
 import { ControlDetail } from './components/ControlDetail'
 import { ReviewCompare } from './components/ReviewCompare'
+import { V1CompareView } from './components/V1CompareView'
 import { GeneratorModal } from './components/GeneratorModal'

 // =============================================================================
@@ -26,6 +27,16 @@ interface ControlsMeta {
  domains: Array<{ domain: string; count: number }>
  sources: Array<{ source: string; count: number }>
  no_source_count: number
+  type_counts?: {
+    rich: number
+    atomic: number
+    eigenentwicklung: number
+  }
+  severity_counts?: Record<string, number>
+  verification_method_counts?: Record<string, number>
+  category_counts?: Record<string, number>
+  evidence_type_counts?: Record<string, number>
+  release_state_counts?: Record<string, number>
 }

 // =============================================================================
@@ -51,8 +62,11 @@ export default function ControlLibraryPage() {
  const [stateFilter, setStateFilter] = useState<string>('')
  const [verificationFilter, setVerificationFilter] = useState<string>('')
  const [categoryFilter, setCategoryFilter] = useState<string>('')
+  const [evidenceTypeFilter, setEvidenceTypeFilter] = useState<string>('')
  const [audienceFilter, setAudienceFilter] = useState<string>('')
  const [sourceFilter, setSourceFilter] = useState<string>('')
+  const [typeFilter, setTypeFilter] = useState<string>('')
+  const [hideDuplicates, setHideDuplicates] = useState(true)
  const [sortBy, setSortBy] = useState<'id' | 'newest' | 'oldest' | 'source'>('id')

  // CRUD state
@@ -76,6 +90,21 @@ export default function ControlLibraryPage() {
  const [reviewDuplicates, setReviewDuplicates] = useState<CanonicalControl[]>([])
  const [reviewRule3, setReviewRule3] = useState<CanonicalControl[]>([])

+  // V1 Compare mode
+  const [compareMode, setCompareMode] = useState(false)
+  const [compareV1Control, setCompareV1Control] = useState<CanonicalControl | null>(null)
+  const [compareMatches, setCompareMatches] = useState<Array<{
+    matched_control_id: string; matched_title: string; matched_objective: string
+    matched_severity: string; matched_category: string
+    matched_source: string | null; matched_article: string | null
+    matched_source_citation: Record<string, string> | null
+    similarity_score: number; match_rank: number; match_method: string
+  }>>([])
+
+  // Abort controllers for cancelling stale requests
+  const metaAbortRef = useRef<AbortController | null>(null)
+  const controlsAbortRef = useRef<AbortController | null>(null)
+
  // Debounce search
  const searchTimer = useRef<ReturnType<typeof setTimeout> | null>(null)
  useEffect(() => {
@@ -92,27 +121,43 @@ export default function ControlLibraryPage() {
    if (stateFilter) p.set('release_state', stateFilter)
    if (verificationFilter) p.set('verification_method', verificationFilter)
    if (categoryFilter) p.set('category', categoryFilter)
+    if (evidenceTypeFilter) p.set('evidence_type', evidenceTypeFilter)
    if (audienceFilter) p.set('target_audience', audienceFilter)
    if (sourceFilter) p.set('source', sourceFilter)
+    if (typeFilter) p.set('control_type', typeFilter)
+    if (hideDuplicates) p.set('exclude_duplicates', 'true')
    if (debouncedSearch) p.set('search', debouncedSearch)
    if (extra) for (const [k, v] of Object.entries(extra)) p.set(k, v)
    return p.toString()
-  }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, audienceFilter, sourceFilter, debouncedSearch])
+  }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch])

-  // Load metadata (domains, sources — once + on refresh)
-  const loadMeta = useCallback(async () => {
+  // Load frameworks (once)
+  const loadFrameworks = useCallback(async () => {
    try {
-      const [fwRes, metaRes] = await Promise.all([
-        fetch(`${BACKEND_URL}?endpoint=frameworks`),
-        fetch(`${BACKEND_URL}?endpoint=controls-meta`),
-      ])
-      if (fwRes.ok) setFrameworks(await fwRes.json())
-      if (metaRes.ok) setMeta(await metaRes.json())
+      const res = await fetch(`${BACKEND_URL}?endpoint=frameworks`)
+      if (res.ok) setFrameworks(await res.json())
    } catch { /* ignore */ }
  }, [])

-  // Load controls page
+  // Load faceted metadata (reloads when filters change, cancels stale requests)
+  const loadMeta = useCallback(async () => {
+    if (metaAbortRef.current) metaAbortRef.current.abort()
+    const controller = new AbortController()
+    metaAbortRef.current = controller
+    try {
+      const qs = buildParams()
+      const res = await fetch(`${BACKEND_URL}?endpoint=controls-meta${qs ? `&${qs}` : ''}`, { signal: controller.signal })
+      if (res.ok && !controller.signal.aborted) setMeta(await res.json())
+    } catch (e) {
+      if (e instanceof DOMException && e.name === 'AbortError') return
+    }
+  }, [buildParams])
+
+  // Load controls page (cancels stale requests)
  const loadControls = useCallback(async () => {
+    if (controlsAbortRef.current) controlsAbortRef.current.abort()
+    const controller = new AbortController()
+    controlsAbortRef.current = controller
    try {
      setLoading(true)

@@ -131,19 +176,22 @@ export default function ControlLibraryPage() {
      const countQs = buildParams()

      const [ctrlRes, countRes] = await Promise.all([
-        fetch(`${BACKEND_URL}?endpoint=controls&${qs}`),
-        fetch(`${BACKEND_URL}?endpoint=controls-count&${countQs}`),
+        fetch(`${BACKEND_URL}?endpoint=controls&${qs}`, { signal: controller.signal }),
+        fetch(`${BACKEND_URL}?endpoint=controls-count&${countQs}`, { signal: controller.signal }),
      ])

-      if (ctrlRes.ok) setControls(await ctrlRes.json())
-      if (countRes.ok) {
-        const data = await countRes.json()
-        setTotalCount(data.total || 0)
+      if (!controller.signal.aborted) {
+        if (ctrlRes.ok) setControls(await ctrlRes.json())
+        if (countRes.ok) {
+          const data = await countRes.json()
+          setTotalCount(data.total || 0)
+        }
      }
    } catch (err) {
+      if (err instanceof DOMException && err.name === 'AbortError') return
      setError(err instanceof Error ? err.message : 'Fehler beim Laden')
    } finally {
-      setLoading(false)
+      if (!controller.signal.aborted) setLoading(false)
    }
  }, [buildParams, sortBy, currentPage])

@@ -158,22 +206,25 @@ export default function ControlLibraryPage() {
    } catch { /* ignore */ }
  }, [])

-  // Initial load
-  useEffect(() => { loadMeta(); loadReviewCount() }, [loadMeta, loadReviewCount])
+  // Initial load (frameworks only once)
+  useEffect(() => { loadFrameworks(); loadReviewCount() }, [loadFrameworks, loadReviewCount])
+
+  // Load faceted meta when filters change
+  useEffect(() => { loadMeta() }, [loadMeta])

  // Load controls when filters/page/sort change
  useEffect(() => { loadControls() }, [loadControls])

  // Reset page when filters change
-  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, audienceFilter, sourceFilter, debouncedSearch, sortBy])
+  useEffect(() => { setCurrentPage(1) }, [severityFilter, domainFilter, stateFilter, verificationFilter, categoryFilter, evidenceTypeFilter, audienceFilter, sourceFilter, typeFilter, hideDuplicates, debouncedSearch, sortBy])

  // Pagination
  const totalPages = Math.max(1, Math.ceil(totalCount / PAGE_SIZE))

  // Full reload (after CRUD)
  const fullReload = useCallback(async () => {
-    await Promise.all([loadControls(), loadMeta(), loadReviewCount()])
-  }, [loadControls, loadMeta, loadReviewCount])
+    await Promise.all([loadControls(), loadMeta(), loadFrameworks(), loadReviewCount()])
+  }, [loadControls, loadMeta, loadFrameworks, loadReviewCount])

  // CRUD handlers
  const handleCreate = async (data: typeof EMPTY_CONTROL) => {
@@ -392,6 +443,27 @@ export default function ControlLibraryPage() {
    )
  }

+  // V1 COMPARE MODE
+  if (compareMode && compareV1Control) {
+    return (
+      <V1CompareView
+        v1Control={compareV1Control}
+        matches={compareMatches}
+        onBack={() => { setCompareMode(false) }}
+        onNavigateToControl={async (controlId: string) => {
+          try {
+            const res = await fetch(`${BACKEND_URL}?endpoint=control&id=${controlId}`)
+            if (res.ok) {
+              setCompareMode(false)
+              setSelectedControl(await res.json())
+              setMode('detail')
+            }
+          } catch { /* ignore */ }
+        }}
+      />
+    )
+  }
+
  // DETAIL MODE
  if (mode === 'detail' && selectedControl) {
    const isDuplicateReview = reviewMode && reviewTab === 'duplicates'
@@ -461,6 +533,21 @@ export default function ControlLibraryPage() {
            onDelete={handleDelete}
            onReview={handleReview}
            onRefresh={fullReload}
+            onCompare={(ctrl, matches) => {
+              setCompareV1Control(ctrl)
+              setCompareMatches(matches)
+              setCompareMode(true)
+            }}
+            onNavigateToControl={async (controlId: string) => {
+              try {
+                const res = await fetch(`${BACKEND_URL}?endpoint=control&id=${controlId}`)
+                if (res.ok) {
+                  const data = await res.json()
+                  setSelectedControl(data)
+                  setMode('detail')
+                }
+              } catch { /* ignore */ }
+            }}
            reviewMode={reviewMode}
            reviewIndex={reviewIndex}
            reviewTotal={reviewItems.length}
@@ -568,7 +655,7 @@ export default function ControlLibraryPage() {
              />
            </div>
            <button
-              onClick={() => { loadControls(); loadMeta(); loadReviewCount() }}
+              onClick={() => { loadControls(); loadMeta(); loadFrameworks(); loadReviewCount() }}
              className="p-2 text-gray-400 hover:text-purple-600"
              title="Aktualisieren"
            >
@@ -583,10 +670,10 @@ export default function ControlLibraryPage() {
              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
            >
              <option value="">Schweregrad</option>
-              <option value="critical">Kritisch</option>
-              <option value="high">Hoch</option>
-              <option value="medium">Mittel</option>
-              <option value="low">Niedrig</option>
+              <option value="critical">Kritisch{meta?.severity_counts?.critical ? ` (${meta.severity_counts.critical})` : ''}</option>
+              <option value="high">Hoch{meta?.severity_counts?.high ? ` (${meta.severity_counts.high})` : ''}</option>
+              <option value="medium">Mittel{meta?.severity_counts?.medium ? ` (${meta.severity_counts.medium})` : ''}</option>
+              <option value="low">Niedrig{meta?.severity_counts?.low ? ` (${meta.severity_counts.low})` : ''}</option>
            </select>
            <select
              value={domainFilter}
@@ -604,13 +691,22 @@ export default function ControlLibraryPage() {
              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
            >
              <option value="">Status</option>
-              <option value="draft">Draft</option>
-              <option value="approved">Approved</option>
-              <option value="needs_review">Review noetig</option>
-              <option value="too_close">Zu aehnlich</option>
-              <option value="duplicate">Duplikat</option>
-              <option value="deprecated">Deprecated</option>
+              <option value="draft">Draft{meta?.release_state_counts?.draft ? ` (${meta.release_state_counts.draft})` : ''}</option>
+              <option value="approved">Approved{meta?.release_state_counts?.approved ? ` (${meta.release_state_counts.approved})` : ''}</option>
+              <option value="needs_review">Review noetig{meta?.release_state_counts?.needs_review ? ` (${meta.release_state_counts.needs_review})` : ''}</option>
+              <option value="too_close">Zu aehnlich{meta?.release_state_counts?.too_close ? ` (${meta.release_state_counts.too_close})` : ''}</option>
+              <option value="duplicate">Duplikat{meta?.release_state_counts?.duplicate ? ` (${meta.release_state_counts.duplicate})` : ''}</option>
+              <option value="deprecated">Deprecated{meta?.release_state_counts?.deprecated ? ` (${meta.release_state_counts.deprecated})` : ''}</option>
            </select>
+            <label className="flex items-center gap-1.5 text-sm text-gray-600 cursor-pointer whitespace-nowrap">
+              <input
+                type="checkbox"
+                checked={hideDuplicates}
+                onChange={e => setHideDuplicates(e.target.checked)}
+                className="rounded border-gray-300 text-purple-600 focus:ring-purple-500"
+              />
+              Duplikate ausblenden
+            </label>
            <select
              value={verificationFilter}
              onChange={e => setVerificationFilter(e.target.value)}
@@ -618,8 +714,9 @@ export default function ControlLibraryPage() {
            >
              <option value="">Nachweis</option>
              {Object.entries(VERIFICATION_METHODS).map(([k, v]) => (
-                <option key={k} value={k}>{v.label}</option>
+                <option key={k} value={k}>{v.label}{meta?.verification_method_counts?.[k] ? ` (${meta.verification_method_counts[k]})` : ''}</option>
              ))}
+              {meta?.verification_method_counts?.['__none__'] ? <option value="__none__">Ohne Nachweis ({meta.verification_method_counts['__none__']})</option> : null}
            </select>
            <select
              value={categoryFilter}
@@ -628,8 +725,20 @@ export default function ControlLibraryPage() {
            >
              <option value="">Kategorie</option>
              {CATEGORY_OPTIONS.map(c => (
-                <option key={c.value} value={c.value}>{c.label}</option>
+                <option key={c.value} value={c.value}>{c.label}{meta?.category_counts?.[c.value] ? ` (${meta.category_counts[c.value]})` : ''}</option>
              ))}
+              {meta?.category_counts?.['__none__'] ? <option value="__none__">Ohne Kategorie ({meta.category_counts['__none__']})</option> : null}
+            </select>
+            <select
+              value={evidenceTypeFilter}
+              onChange={e => setEvidenceTypeFilter(e.target.value)}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
+            >
+              <option value="">Nachweisart</option>
+              {EVIDENCE_TYPE_OPTIONS.map(c => (
+                <option key={c.value} value={c.value}>{c.label}{meta?.evidence_type_counts?.[c.value] ? ` (${meta.evidence_type_counts[c.value]})` : ''}</option>
+              ))}
+              {meta?.evidence_type_counts?.['__none__'] ? <option value="__none__">Ohne Nachweisart ({meta.evidence_type_counts['__none__']})</option> : null}
            </select>
            <select
              value={audienceFilter}
@@ -664,6 +773,16 @@ export default function ControlLibraryPage() {
                <option key={s.source} value={s.source}>{s.source} ({s.count})</option>
              ))}
            </select>
+            <select
+              value={typeFilter}
+              onChange={e => setTypeFilter(e.target.value)}
+              className="text-sm border border-gray-300 rounded-lg px-2 py-1.5 focus:outline-none focus:ring-2 focus:ring-purple-500"
+            >
+              <option value="">Alle Typen</option>
+              <option value="rich">Rich Controls{meta?.type_counts ? ` (${meta.type_counts.rich})` : ''}</option>
+              <option value="atomic">Atomare Controls{meta?.type_counts ? ` (${meta.type_counts.atomic})` : ''}</option>
+              <option value="eigenentwicklung">Eigenentwicklung{meta?.type_counts ? ` (${meta.type_counts.eigenentwicklung})` : ''}</option>
+            </select>
            <span className="text-gray-300 mx-1">|</span>
            <ArrowUpDown className="w-4 h-4 text-gray-400" />
            <select
@@ -760,8 +879,10 @@ export default function ControlLibraryPage() {
                    <LicenseRuleBadge rule={ctrl.license_rule} />
                    <VerificationMethodBadge method={ctrl.verification_method} />
                    <CategoryBadge category={ctrl.category} />
+                    <EvidenceTypeBadge type={ctrl.evidence_type} />
                    <TargetAudienceBadge audience={ctrl.target_audience} />
-                    <GenerationStrategyBadge strategy={ctrl.generation_strategy} />
+                    <GenerationStrategyBadge strategy={ctrl.generation_strategy} pipelineInfo={ctrl} />
+                    <ObligationTypeBadge type={ctrl.generation_metadata?.obligation_type as string} />
                    {ctrl.risk_score !== null && (
                      <span className="text-xs text-gray-400">Score: {ctrl.risk_score}</span>
                    )}
--- a/admin-compliance/app/sdk/controls/page.tsx
+++ b/admin-compliance/app/sdk/controls/page.tsx
@@ -196,7 +196,15 @@ function ControlCard({
      {/* Linked Evidence */}
      {control.linkedEvidence.length > 0 && (
        <div className="mt-3 pt-3 border-t border-gray-100">
-          <span className="text-xs text-gray-500 mb-1 block">Nachweise:</span>
+          <span className="text-xs text-gray-500 mb-1 block">
+            Nachweise: {control.linkedEvidence.length}
+            {(() => {
+              const e2plus = control.linkedEvidence.filter((ev: { confidenceLevel?: string }) =>
+                ev.confidenceLevel && ['E2', 'E3', 'E4'].includes(ev.confidenceLevel)
+              ).length
+              return e2plus > 0 ? ` (${e2plus} E2+)` : ''
+            })()}
+          </span>
          <div className="flex items-center gap-1 flex-wrap">
            {control.linkedEvidence.map(ev => (
              <span key={ev.id} className={`px-2 py-0.5 text-xs rounded ${
@@ -205,6 +213,9 @@ function ControlCard({
                'bg-yellow-50 text-yellow-700'
              }`}>
                {ev.title}
+                {(ev as { confidenceLevel?: string }).confidenceLevel && (
+                  <span className="ml-1 opacity-70">({(ev as { confidenceLevel?: string }).confidenceLevel})</span>
+                )}
              </span>
            ))}
          </div>
@@ -359,6 +370,49 @@ interface RAGControlSuggestion {
 // MAIN PAGE
 // =============================================================================

+function TransitionErrorBanner({
+  controlId,
+  violations,
+  onDismiss,
+}: {
+  controlId: string
+  violations: string[]
+  onDismiss: () => void
+}) {
+  return (
+    <div className="p-4 bg-orange-50 border border-orange-200 rounded-lg">
+      <div className="flex items-start justify-between">
+        <div className="flex items-start gap-3">
+          <svg className="w-5 h-5 text-orange-600 mt-0.5 flex-shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+          </svg>
+          <div>
+            <h4 className="font-medium text-orange-800">
+              Status-Transition blockiert ({controlId})
+            </h4>
+            <ul className="mt-2 space-y-1">
+              {violations.map((v, i) => (
+                <li key={i} className="text-sm text-orange-700 flex items-start gap-2">
+                  <span className="text-orange-400 mt-0.5">•</span>
+                  <span>{v}</span>
+                </li>
+              ))}
+            </ul>
+            <a href="/sdk/evidence" className="mt-2 inline-block text-sm text-purple-600 hover:text-purple-700 font-medium">
+              Evidence hinzufuegen →
+            </a>
+          </div>
+        </div>
+        <button onClick={onDismiss} className="text-orange-400 hover:text-orange-600 ml-4">
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+          </svg>
+        </button>
+      </div>
+    </div>
+  )
+}
+
 export default function ControlsPage() {
  const { state, dispatch } = useSDK()
  const router = useRouter()
@@ -373,6 +427,9 @@ export default function ControlsPage() {
  const [showRagPanel, setShowRagPanel] = useState(false)
  const [selectedRequirementId, setSelectedRequirementId] = useState<string>('')

+  // Transition error from Anti-Fake-Evidence state machine (409 Conflict)
+  const [transitionError, setTransitionError] = useState<{ controlId: string; violations: string[] } | null>(null)
+
  // Track effectiveness locally as it's not in the SDK state type
  const [effectivenessMap, setEffectivenessMap] = useState<Record<string, number>>({})
  // Track linked evidence per control
@@ -385,7 +442,7 @@ export default function ControlsPage() {
        const data = await res.json()
        const allEvidence = data.evidence || data
        if (Array.isArray(allEvidence)) {
-          const map: Record<string, { id: string; title: string; status: string }[]> = {}
+          const map: Record<string, { id: string; title: string; status: string; confidenceLevel?: string }[]> = {}
          for (const ev of allEvidence) {
            const ctrlId = ev.control_id || ''
            if (!map[ctrlId]) map[ctrlId] = []
@@ -393,6 +450,7 @@ export default function ControlsPage() {
              id: ev.id,
              title: ev.title || ev.name || 'Nachweis',
              status: ev.status || 'pending',
+              confidenceLevel: ev.confidence_level || undefined,
            })
          }
          setEvidenceMap(map)
@@ -483,20 +541,56 @@ export default function ControlsPage() {
    : 0
  const partialCount = displayControls.filter(c => c.displayStatus === 'partial').length

-  const handleStatusChange = async (controlId: string, status: ImplementationStatus) => {
+  const handleStatusChange = async (controlId: string, newStatus: ImplementationStatus) => {
+    // Remember old status for rollback
+    const oldControl = state.controls.find(c => c.id === controlId)
+    const oldStatus = oldControl?.implementationStatus
+
+    // Optimistic update
    dispatch({
      type: 'UPDATE_CONTROL',
-      payload: { id: controlId, data: { implementationStatus: status } },
+      payload: { id: controlId, data: { implementationStatus: newStatus } },
    })

    try {
-      await fetch(`/api/sdk/v1/compliance/controls/${controlId}`, {
+      const res = await fetch(`/api/sdk/v1/compliance/controls/${controlId}`, {
        method: 'PUT',
        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ implementation_status: status }),
+        body: JSON.stringify({ implementation_status: newStatus }),
      })
+
+      if (!res.ok) {
+        // Rollback optimistic update
+        if (oldStatus) {
+          dispatch({
+            type: 'UPDATE_CONTROL',
+            payload: { id: controlId, data: { implementationStatus: oldStatus } },
+          })
+        }
+
+        const err = await res.json().catch(() => ({ detail: 'Status-Aenderung fehlgeschlagen' }))
+
+        if (res.status === 409 && err.detail?.violations) {
+          setTransitionError({ controlId, violations: err.detail.violations })
+        } else {
+          const msg = typeof err.detail === 'string' ? err.detail : err.detail?.error || 'Status-Aenderung fehlgeschlagen'
+          setError(msg)
+        }
+      } else {
+        // Clear any previous transition error for this control
+        if (transitionError?.controlId === controlId) {
+          setTransitionError(null)
+        }
+      }
    } catch {
-      // Silently fail — SDK state is already updated
+      // Network error — rollback
+      if (oldStatus) {
+        dispatch({
+          type: 'UPDATE_CONTROL',
+          payload: { id: controlId, data: { implementationStatus: oldStatus } },
+        })
+      }
+      setError('Netzwerkfehler bei Status-Aenderung')
    }
  }

@@ -745,6 +839,15 @@ export default function ControlsPage() {
        </div>
      )}

+      {/* Transition Error Banner (Anti-Fake-Evidence 409 violations) */}
+      {transitionError && (
+        <TransitionErrorBanner
+          controlId={transitionError.controlId}
+          violations={transitionError.violations}
+          onDismiss={() => setTransitionError(null)}
+        />
+      )}
+
      {/* Requirements Alert */}
      {state.requirements.length === 0 && !loading && (
        <div className="bg-amber-50 border border-amber-200 rounded-xl p-4">
--- a/admin-compliance/app/sdk/evidence/components/anti-fake-badges.tsx
+++ b/admin-compliance/app/sdk/evidence/components/anti-fake-badges.tsx
@@ -0,0 +1,111 @@
+"use client"
+
+import React from "react"
+
+const badgeBase = "inline-flex items-center px-2 py-0.5 rounded text-xs font-medium"
+
+// ---------------------------------------------------------------------------
+// Confidence Level Badge (E0–E4)
+// ---------------------------------------------------------------------------
+
+const confidenceColors: Record<string, string> = {
+  E0: "bg-red-100 text-red-800",
+  E1: "bg-yellow-100 text-yellow-800",
+  E2: "bg-blue-100 text-blue-800",
+  E3: "bg-green-100 text-green-800",
+  E4: "bg-emerald-100 text-emerald-800",
+}
+
+const confidenceLabels: Record<string, string> = {
+  E0: "E0 — Generiert",
+  E1: "E1 — Manuell",
+  E2: "E2 — Intern validiert",
+  E3: "E3 — System-beobachtet",
+  E4: "E4 — Extern auditiert",
+}
+
+export function ConfidenceLevelBadge({ level }: { level?: string | null }) {
+  if (!level) return null
+  const color = confidenceColors[level] || "bg-gray-100 text-gray-800"
+  const label = confidenceLabels[level] || level
+  return <span className={`${badgeBase} ${color}`}>{label}</span>
+}
+
+// ---------------------------------------------------------------------------
+// Truth Status Badge
+// ---------------------------------------------------------------------------
+
+const truthColors: Record<string, string> = {
+  generated: "bg-violet-100 text-violet-800",
+  uploaded: "bg-gray-100 text-gray-800",
+  observed: "bg-blue-100 text-blue-800",
+  validated: "bg-green-100 text-green-800",
+  rejected: "bg-red-100 text-red-800",
+  audited: "bg-emerald-100 text-emerald-800",
+}
+
+const truthLabels: Record<string, string> = {
+  generated: "Generiert",
+  uploaded: "Hochgeladen",
+  observed: "Beobachtet",
+  validated: "Validiert",
+  rejected: "Abgelehnt",
+  audited: "Auditiert",
+}
+
+export function TruthStatusBadge({ status }: { status?: string | null }) {
+  if (!status) return null
+  const color = truthColors[status] || "bg-gray-100 text-gray-800"
+  const label = truthLabels[status] || status
+  return <span className={`${badgeBase} ${color}`}>{label}</span>
+}
+
+// ---------------------------------------------------------------------------
+// Generation Mode Badge (sparkles icon)
+// ---------------------------------------------------------------------------
+
+export function GenerationModeBadge({ mode }: { mode?: string | null }) {
+  if (!mode) return null
+  return (
+    <span className={`${badgeBase} bg-violet-100 text-violet-800`}>
+      <svg className="w-3 h-3 mr-1" fill="currentColor" viewBox="0 0 20 20">
+        <path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0v-1H3a1 1 0 010-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 7.512a1 1 0 010 1.976l-3.354.313-1.18 4.456a1 1 0 01-1.932 0l-1.18-4.456-3.354-.313a1 1 0 010-1.976l3.354-.313 1.18-4.456A1 1 0 0112 2z" />
+      </svg>
+      KI-generiert
+    </span>
+  )
+}
+
+// ---------------------------------------------------------------------------
+// Approval Status Badge (Four-Eyes)
+// ---------------------------------------------------------------------------
+
+const approvalColors: Record<string, string> = {
+  none: "bg-gray-100 text-gray-600",
+  pending_first: "bg-yellow-100 text-yellow-800",
+  first_approved: "bg-blue-100 text-blue-800",
+  approved: "bg-green-100 text-green-800",
+  rejected: "bg-red-100 text-red-800",
+}
+
+const approvalLabels: Record<string, string> = {
+  none: "Kein Review",
+  pending_first: "Warte auf 1. Review",
+  first_approved: "1. Review OK",
+  approved: "Genehmigt (4-Augen)",
+  rejected: "Abgelehnt",
+}
+
+export function ApprovalStatusBadge({
+  status,
+  requiresFourEyes,
+}: {
+  status?: string | null
+  requiresFourEyes?: boolean | null
+}) {
+  if (!requiresFourEyes) return null
+  const s = status || "none"
+  const color = approvalColors[s] || "bg-gray-100 text-gray-600"
+  const label = approvalLabels[s] || s
+  return <span className={`${badgeBase} ${color}`}>{label}</span>
+}
--- a/admin-compliance/app/sdk/evidence/page.tsx
+++ b/admin-compliance/app/sdk/evidence/page.tsx
@@ -3,6 +3,12 @@
 import React, { useState, useEffect, useRef } from 'react'
 import { useSDK, Evidence as SDKEvidence, EvidenceType } from '@/lib/sdk'
 import { StepHeader, STEP_EXPLANATIONS } from '@/components/sdk/StepHeader'
+import {
+  ConfidenceLevelBadge,
+  TruthStatusBadge,
+  GenerationModeBadge,
+  ApprovalStatusBadge,
+} from './components/anti-fake-badges'

 // =============================================================================
 // TYPES
@@ -28,6 +34,12 @@ interface DisplayEvidence {
  status: DisplayStatus
  fileSize: string
  fileUrl: string | null
+  // Anti-Fake-Evidence Phase 2
+  confidenceLevel: string | null
+  truthStatus: string | null
+  generationMode: string | null
+  approvalStatus: string | null
+  requiresFourEyes: boolean
 }

 // =============================================================================
@@ -162,7 +174,327 @@ const evidenceTemplates: EvidenceTemplate[] = [
 // COMPONENTS
 // =============================================================================

-function EvidenceCard({ evidence, onDelete, onView, onDownload }: { evidence: DisplayEvidence; onDelete: () => void; onView: () => void; onDownload: () => void }) {
+// =============================================================================
+// CONFIDENCE FILTER COLORS (matching anti-fake-badges)
+// =============================================================================
+
+const confidenceFilterColors: Record<string, string> = {
+  E0: 'bg-red-200 text-red-800',
+  E1: 'bg-yellow-200 text-yellow-800',
+  E2: 'bg-blue-200 text-blue-800',
+  E3: 'bg-green-200 text-green-800',
+  E4: 'bg-emerald-200 text-emerald-800',
+}
+
+// =============================================================================
+// REVIEW MODAL
+// =============================================================================
+
+function ReviewModal({ evidence, onClose, onSuccess }: { evidence: DisplayEvidence; onClose: () => void; onSuccess: () => void }) {
+  const [confidenceLevel, setConfidenceLevel] = useState(evidence.confidenceLevel || 'E1')
+  const [truthStatus, setTruthStatus] = useState(evidence.truthStatus || 'uploaded')
+  const [reviewedBy, setReviewedBy] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const handleSubmit = async () => {
+    if (!reviewedBy.trim()) { setError('Bitte E-Mail-Adresse angeben'); return }
+    setSubmitting(true)
+    setError(null)
+    try {
+      const res = await fetch(`/api/sdk/v1/compliance/evidence/${evidence.id}/review`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ confidence_level: confidenceLevel, truth_status: truthStatus, reviewed_by: reviewedBy }),
+      })
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({ detail: 'Review fehlgeschlagen' }))
+        throw new Error(typeof err.detail === 'string' ? err.detail : JSON.stringify(err.detail))
+      }
+      onSuccess()
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Unbekannter Fehler')
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  const confidenceLevels = [
+    { value: 'E0', label: 'E0 — Generiert' },
+    { value: 'E1', label: 'E1 — Manuell' },
+    { value: 'E2', label: 'E2 — Intern validiert' },
+    { value: 'E3', label: 'E3 — System-beobachtet' },
+    { value: 'E4', label: 'E4 — Extern auditiert' },
+  ]
+
+  const truthStatuses = [
+    { value: 'generated', label: 'Generiert' },
+    { value: 'uploaded', label: 'Hochgeladen' },
+    { value: 'observed', label: 'Beobachtet' },
+    { value: 'validated', label: 'Validiert' },
+    { value: 'audited', label: 'Auditiert' },
+  ]
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50" onClick={onClose}>
+      <div className="bg-white rounded-2xl shadow-xl w-full max-w-lg mx-4 p-6" onClick={e => e.stopPropagation()}>
+        <h2 className="text-xl font-bold text-gray-900 mb-4">Evidence Reviewen</h2>
+        <p className="text-sm text-gray-500 mb-4">{evidence.name}</p>
+
+        {/* Current values */}
+        <div className="mb-4 p-3 bg-gray-50 rounded-lg text-sm space-y-1">
+          <div className="flex justify-between">
+            <span className="text-gray-500">Aktuelles Confidence-Level:</span>
+            <span className="font-medium">{evidence.confidenceLevel || '—'}</span>
+          </div>
+          <div className="flex justify-between">
+            <span className="text-gray-500">Aktueller Truth-Status:</span>
+            <span className="font-medium">{evidence.truthStatus || '—'}</span>
+          </div>
+        </div>
+
+        {/* New confidence level */}
+        <div className="mb-4">
+          <label className="block text-sm font-medium text-gray-700 mb-1">Neues Confidence-Level</label>
+          <select value={confidenceLevel} onChange={e => setConfidenceLevel(e.target.value)}
+            className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+            {confidenceLevels.map(l => <option key={l.value} value={l.value}>{l.label}</option>)}
+          </select>
+        </div>
+
+        {/* New truth status */}
+        <div className="mb-4">
+          <label className="block text-sm font-medium text-gray-700 mb-1">Neuer Truth-Status</label>
+          <select value={truthStatus} onChange={e => setTruthStatus(e.target.value)}
+            className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+            {truthStatuses.map(s => <option key={s.value} value={s.value}>{s.label}</option>)}
+          </select>
+        </div>
+
+        {/* Reviewed by */}
+        <div className="mb-4">
+          <label className="block text-sm font-medium text-gray-700 mb-1">Reviewer (E-Mail)</label>
+          <input type="email" value={reviewedBy} onChange={e => setReviewedBy(e.target.value)}
+            placeholder="reviewer@unternehmen.de"
+            className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+        </div>
+
+        {/* Four-eyes warning */}
+        {evidence.requiresFourEyes && evidence.approvalStatus !== 'approved' && (
+          <div className="mb-4 p-3 bg-yellow-50 border border-yellow-200 rounded-lg">
+            <div className="flex items-start gap-2">
+              <svg className="w-5 h-5 text-yellow-600 mt-0.5 flex-shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+              </svg>
+              <div className="text-sm text-yellow-800">
+                <p className="font-medium">4-Augen-Prinzip aktiv</p>
+                <p>Dieser Nachweis erfordert eine zusaetzliche Freigabe durch einen zweiten Reviewer.</p>
+              </div>
+            </div>
+          </div>
+        )}
+
+        {/* Error */}
+        {error && (
+          <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg text-sm text-red-700">{error}</div>
+        )}
+
+        {/* Actions */}
+        <div className="flex justify-end gap-3">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors">
+            Abbrechen
+          </button>
+          <button onClick={handleSubmit} disabled={submitting}
+            className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:opacity-50">
+            {submitting ? 'Wird gespeichert...' : 'Review abschliessen'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// REJECT MODAL
+// =============================================================================
+
+function RejectModal({ evidence, onClose, onSuccess }: { evidence: DisplayEvidence; onClose: () => void; onSuccess: () => void }) {
+  const [reviewedBy, setReviewedBy] = useState('')
+  const [rejectionReason, setRejectionReason] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const handleSubmit = async () => {
+    if (!reviewedBy.trim()) { setError('Bitte E-Mail-Adresse angeben'); return }
+    if (!rejectionReason.trim()) { setError('Bitte Ablehnungsgrund angeben'); return }
+    setSubmitting(true)
+    setError(null)
+    try {
+      const res = await fetch(`/api/sdk/v1/compliance/evidence/${evidence.id}/reject`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ reviewed_by: reviewedBy, rejection_reason: rejectionReason }),
+      })
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({ detail: 'Ablehnung fehlgeschlagen' }))
+        throw new Error(typeof err.detail === 'string' ? err.detail : JSON.stringify(err.detail))
+      }
+      onSuccess()
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Unbekannter Fehler')
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50" onClick={onClose}>
+      <div className="bg-white rounded-2xl shadow-xl w-full max-w-lg mx-4 p-6" onClick={e => e.stopPropagation()}>
+        <h2 className="text-xl font-bold text-gray-900 mb-4">Evidence Ablehnen</h2>
+        <p className="text-sm text-gray-500 mb-4">{evidence.name}</p>
+
+        {/* Reviewed by */}
+        <div className="mb-4">
+          <label className="block text-sm font-medium text-gray-700 mb-1">Reviewer (E-Mail)</label>
+          <input type="email" value={reviewedBy} onChange={e => setReviewedBy(e.target.value)}
+            placeholder="reviewer@unternehmen.de"
+            className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-red-500 focus:border-transparent" />
+        </div>
+
+        {/* Rejection reason */}
+        <div className="mb-4">
+          <label className="block text-sm font-medium text-gray-700 mb-1">Ablehnungsgrund</label>
+          <textarea value={rejectionReason} onChange={e => setRejectionReason(e.target.value)}
+            placeholder="Bitte beschreiben Sie den Grund fuer die Ablehnung..."
+            rows={4}
+            className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm focus:ring-2 focus:ring-red-500 focus:border-transparent resize-none" />
+        </div>
+
+        {/* Error */}
+        {error && (
+          <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg text-sm text-red-700">{error}</div>
+        )}
+
+        {/* Actions */}
+        <div className="flex justify-end gap-3">
+          <button onClick={onClose} className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors">
+            Abbrechen
+          </button>
+          <button onClick={handleSubmit} disabled={submitting}
+            className="px-4 py-2 text-sm bg-red-600 text-white rounded-lg hover:bg-red-700 transition-colors disabled:opacity-50">
+            {submitting ? 'Wird abgelehnt...' : 'Ablehnen'}
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// AUDIT TRAIL PANEL
+// =============================================================================
+
+function AuditTrailPanel({ evidenceId, onClose }: { evidenceId: string; onClose: () => void }) {
+  const [entries, setEntries] = useState<{ id: string; action: string; actor: string; timestamp: string; details: Record<string, unknown> | null }[]>([])
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    fetch(`/api/sdk/v1/compliance/audit-trail?entity_type=evidence&entity_id=${evidenceId}`)
+      .then(res => res.json())
+      .then(data => {
+        const mapped = (data.entries || []).map((e: Record<string, unknown>) => ({
+          id: e.id as string,
+          action: e.action as string,
+          actor: (e.performed_by || 'System') as string,
+          timestamp: (e.performed_at || '') as string,
+          details: {
+            ...(e.field_changed ? { field: e.field_changed } : {}),
+            ...(e.old_value ? { old: e.old_value } : {}),
+            ...(e.new_value ? { new: e.new_value } : {}),
+            ...(e.change_summary ? { summary: e.change_summary } : {}),
+          } as Record<string, unknown>,
+        }))
+        setEntries(mapped)
+      })
+      .catch(() => {})
+      .finally(() => setLoading(false))
+  }, [evidenceId])
+
+  const actionLabels: Record<string, { label: string; color: string }> = {
+    created: { label: 'Erstellt', color: 'bg-blue-100 text-blue-700' },
+    uploaded: { label: 'Hochgeladen', color: 'bg-purple-100 text-purple-700' },
+    reviewed: { label: 'Reviewed', color: 'bg-green-100 text-green-700' },
+    rejected: { label: 'Abgelehnt', color: 'bg-red-100 text-red-700' },
+    updated: { label: 'Aktualisiert', color: 'bg-yellow-100 text-yellow-700' },
+    deleted: { label: 'Geloescht', color: 'bg-gray-100 text-gray-700' },
+    approved: { label: 'Genehmigt', color: 'bg-emerald-100 text-emerald-700' },
+    four_eyes_first: { label: '1. Review (4-Augen)', color: 'bg-blue-100 text-blue-700' },
+    four_eyes_final: { label: 'Finale Freigabe (4-Augen)', color: 'bg-emerald-100 text-emerald-700' },
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50" onClick={onClose}>
+      <div className="bg-white rounded-2xl shadow-xl w-full max-w-2xl mx-4 p-6 max-h-[80vh] overflow-y-auto" onClick={e => e.stopPropagation()}>
+        <div className="flex items-center justify-between mb-4">
+          <h2 className="text-xl font-bold text-gray-900">Audit-Trail</h2>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600 text-xl">&times;</button>
+        </div>
+
+        {loading ? (
+          <div className="flex justify-center py-12">
+            <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600" />
+          </div>
+        ) : entries.length === 0 ? (
+          <div className="py-12 text-center text-gray-500">
+            <p>Keine Audit-Trail-Eintraege vorhanden.</p>
+          </div>
+        ) : (
+          <div className="relative">
+            {/* Timeline line */}
+            <div className="absolute left-4 top-0 bottom-0 w-0.5 bg-gray-200" />
+
+            <div className="space-y-4">
+              {entries.map((entry, idx) => {
+                const meta = actionLabels[entry.action] || { label: entry.action, color: 'bg-gray-100 text-gray-700' }
+                return (
+                  <div key={entry.id || idx} className="relative flex items-start gap-4 pl-10">
+                    {/* Timeline dot */}
+                    <div className="absolute left-2.5 top-1.5 w-3 h-3 rounded-full bg-white border-2 border-purple-400" />
+
+                    <div className="flex-1 bg-gray-50 rounded-lg p-3">
+                      <div className="flex items-center gap-2 mb-1">
+                        <span className={`px-2 py-0.5 text-xs rounded ${meta.color}`}>{meta.label}</span>
+                        <span className="text-xs text-gray-400">
+                          {entry.timestamp ? new Date(entry.timestamp).toLocaleString('de-DE') : '—'}
+                        </span>
+                      </div>
+                      <div className="text-sm text-gray-600">
+                        <span className="font-medium">{entry.actor || 'System'}</span>
+                      </div>
+                      {entry.details && Object.keys(entry.details).length > 0 && (
+                        <div className="mt-2 text-xs text-gray-500 font-mono bg-white rounded p-2 border">
+                          {Object.entries(entry.details).map(([k, v]) => (
+                            <div key={k}><span className="text-gray-400">{k}:</span> {String(v)}</div>
+                          ))}
+                        </div>
+                      )}
+                    </div>
+                  </div>
+                )
+              })}
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// EVIDENCE CARD
+// =============================================================================
+
+function EvidenceCard({ evidence, onDelete, onView, onDownload, onReview, onReject, onShowHistory }: { evidence: DisplayEvidence; onDelete: () => void; onView: () => void; onDownload: () => void; onReview: () => void; onReject: () => void; onShowHistory: () => void }) {
  const typeIcons = {
    document: (
      <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
@@ -221,9 +553,15 @@ function EvidenceCard({ evidence, onDelete, onView, onDownload }: { evidence: Di
        <div className="flex-1">
          <div className="flex items-center justify-between">
            <h3 className="text-lg font-semibold text-gray-900">{evidence.name}</h3>
-            <span className={`px-3 py-1 text-xs rounded-full ${statusColors[evidence.status]}`}>
-              {statusLabels[evidence.status]}
-            </span>
+            <div className="flex items-center gap-1.5 flex-wrap">
+              <span className={`px-3 py-1 text-xs rounded-full ${statusColors[evidence.status]}`}>
+                {statusLabels[evidence.status]}
+              </span>
+              <ConfidenceLevelBadge level={evidence.confidenceLevel} />
+              <TruthStatusBadge status={evidence.truthStatus} />
+              <GenerationModeBadge mode={evidence.generationMode} />
+              <ApprovalStatusBadge status={evidence.approvalStatus} requiresFourEyes={evidence.requiresFourEyes} />
+            </div>
          </div>
          <p className="text-sm text-gray-500 mt-1">{evidence.description}</p>

@@ -275,6 +613,31 @@ function EvidenceCard({ evidence, onDelete, onView, onDownload }: { evidence: Di
          >
            Loeschen
          </button>
+          {/* Review button — visible when review is possible */}
+          {(evidence.approvalStatus === 'none' || evidence.approvalStatus === 'pending_first' || evidence.approvalStatus === 'first_approved' || !evidence.approvalStatus) && evidence.approvalStatus !== 'approved' && evidence.approvalStatus !== 'rejected' && (
+            <button
+              onClick={onReview}
+              className="px-3 py-1 text-sm text-green-600 hover:bg-green-50 rounded-lg transition-colors font-medium"
+            >
+              Reviewen
+            </button>
+          )}
+          {/* Reject button — visible for four-eyes evidence that's not yet resolved */}
+          {evidence.requiresFourEyes && evidence.approvalStatus !== 'rejected' && evidence.approvalStatus !== 'approved' && (
+            <button
+              onClick={onReject}
+              className="px-3 py-1 text-sm text-orange-600 hover:bg-orange-50 rounded-lg transition-colors"
+            >
+              Ablehnen
+            </button>
+          )}
+          {/* History button */}
+          <button
+            onClick={onShowHistory}
+            className="px-3 py-1 text-sm text-gray-500 hover:bg-gray-100 rounded-lg transition-colors"
+          >
+            Historie
+          </button>
        </div>
      </div>
    </div>
@@ -382,6 +745,15 @@ export default function EvidencePage() {
  const [pageSize] = useState(20)
  const [total, setTotal] = useState(0)

+  // Anti-Fake-Evidence metadata (keyed by evidence ID)
+  const [antiFakeMeta, setAntiFakeMeta] = useState<Record<string, {
+    confidenceLevel: string | null
+    truthStatus: string | null
+    generationMode: string | null
+    approvalStatus: string | null
+    requiresFourEyes: boolean
+  }>>({})
+
  // Evidence Checks state
  const [checks, setChecks] = useState<EvidenceCheck[]>([])
  const [checksLoading, setChecksLoading] = useState(false)
@@ -393,6 +765,13 @@ export default function EvidencePage() {
  const [coverageReport, setCoverageReport] = useState<CoverageReport | null>(null)
  const [seedingChecks, setSeedingChecks] = useState(false)

+  // Phase 3: Review/Reject/AuditTrail state
+  const [reviewEvidence, setReviewEvidence] = useState<DisplayEvidence | null>(null)
+  const [rejectEvidence, setRejectEvidence] = useState<DisplayEvidence | null>(null)
+  const [auditTrailId, setAuditTrailId] = useState<string | null>(null)
+  const [confidenceFilter, setConfidenceFilter] = useState<string | null>(null)
+  const [refreshKey, setRefreshKey] = useState(0)
+
  // Fetch evidence from backend on mount and when page changes
  useEffect(() => {
    const fetchEvidence = async () => {
@@ -404,18 +783,30 @@ export default function EvidencePage() {
          if (data.total !== undefined) setTotal(data.total)
          const backendEvidence = data.evidence || data
          if (Array.isArray(backendEvidence) && backendEvidence.length > 0) {
-            const mapped: SDKEvidence[] = backendEvidence.map((e: Record<string, unknown>) => ({
-              id: (e.id || '') as string,
-              controlId: (e.control_id || '') as string,
-              type: ((e.evidence_type || 'DOCUMENT') as string).toUpperCase() as EvidenceType,
-              name: (e.title || e.name || '') as string,
-              description: (e.description || '') as string,
-              fileUrl: (e.artifact_url || null) as string | null,
-              validFrom: e.valid_from ? new Date(e.valid_from as string) : new Date(),
-              validUntil: e.valid_until ? new Date(e.valid_until as string) : null,
-              uploadedBy: (e.uploaded_by || 'System') as string,
-              uploadedAt: e.created_at ? new Date(e.created_at as string) : new Date(),
-            }))
+            const metaMap: typeof antiFakeMeta = {}
+            const mapped: SDKEvidence[] = backendEvidence.map((e: Record<string, unknown>) => {
+              const id = (e.id || '') as string
+              metaMap[id] = {
+                confidenceLevel: (e.confidence_level || null) as string | null,
+                truthStatus: (e.truth_status || null) as string | null,
+                generationMode: (e.generation_mode || null) as string | null,
+                approvalStatus: (e.approval_status || null) as string | null,
+                requiresFourEyes: !!e.requires_four_eyes,
+              }
+              return {
+                id,
+                controlId: (e.control_id || '') as string,
+                type: ((e.evidence_type || 'DOCUMENT') as string).toUpperCase() as EvidenceType,
+                name: (e.title || e.name || '') as string,
+                description: (e.description || '') as string,
+                fileUrl: (e.artifact_url || null) as string | null,
+                validFrom: e.valid_from ? new Date(e.valid_from as string) : new Date(),
+                validUntil: e.valid_until ? new Date(e.valid_until as string) : null,
+                uploadedBy: (e.uploaded_by || 'System') as string,
+                uploadedAt: e.created_at ? new Date(e.created_at as string) : new Date(),
+              }
+            })
+            setAntiFakeMeta(metaMap)
            dispatch({ type: 'SET_STATE', payload: { evidence: mapped } })
            setError(null)
            return
@@ -463,12 +854,13 @@ export default function EvidencePage() {
    }

    fetchEvidence()
-  }, [page, pageSize]) // eslint-disable-line react-hooks/exhaustive-deps
+  }, [page, pageSize, refreshKey]) // eslint-disable-line react-hooks/exhaustive-deps

  // Convert SDK evidence to display evidence
  const displayEvidence: DisplayEvidence[] = state.evidence.map(ev => {
    const template = evidenceTemplates.find(t => t.id === ev.id)

+    const meta = antiFakeMeta[ev.id]
    return {
      id: ev.id,
      name: ev.name,
@@ -485,12 +877,18 @@ export default function EvidencePage() {
      status: getEvidenceStatus(ev.validUntil),
      fileSize: template?.fileSize || 'Unbekannt',
      fileUrl: ev.fileUrl,
+      confidenceLevel: meta?.confidenceLevel || null,
+      truthStatus: meta?.truthStatus || null,
+      generationMode: meta?.generationMode || null,
+      approvalStatus: meta?.approvalStatus || null,
+      requiresFourEyes: meta?.requiresFourEyes || false,
    }
  })

-  const filteredEvidence = filter === 'all'
+  const filteredEvidence = (filter === 'all'
    ? displayEvidence
    : displayEvidence.filter(e => e.status === filter || e.displayType === filter)
+  ).filter(e => !confidenceFilter || e.confidenceLevel === confidenceFilter)

  const validCount = displayEvidence.filter(e => e.status === 'valid').length
  const expiredCount = displayEvidence.filter(e => e.status === 'expired').length
@@ -803,6 +1201,20 @@ export default function EvidencePage() {
             f === 'certificate' ? 'Zertifikate' : 'Audit-Berichte'}
          </button>
        ))}
+        <span className="text-gray-300 mx-1">|</span>
+        {['E0', 'E1', 'E2', 'E3', 'E4'].map(level => (
+          <button
+            key={level}
+            onClick={() => setConfidenceFilter(confidenceFilter === level ? null : level)}
+            className={`px-3 py-1 text-sm rounded-full transition-colors ${
+              confidenceFilter === level
+                ? confidenceFilterColors[level]
+                : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
+            }`}
+          >
+            {level}
+          </button>
+        ))}
      </div>

      {/* Loading State */}
@@ -818,6 +1230,9 @@ export default function EvidencePage() {
              onDelete={() => handleDelete(ev.id)}
              onView={() => handleView(ev)}
              onDownload={() => handleDownload(ev)}
+              onReview={() => setReviewEvidence(ev)}
+              onReject={() => setRejectEvidence(ev)}
+              onShowHistory={() => setAuditTrailId(ev.id)}
            />
          ))}
        </div>
@@ -1106,6 +1521,28 @@ export default function EvidencePage() {
          )}
        </div>
      )}
+
+      {/* Phase 3 Modals */}
+      {reviewEvidence && (
+        <ReviewModal
+          evidence={reviewEvidence}
+          onClose={() => setReviewEvidence(null)}
+          onSuccess={() => { setReviewEvidence(null); setRefreshKey(k => k + 1) }}
+        />
+      )}
+      {rejectEvidence && (
+        <RejectModal
+          evidence={rejectEvidence}
+          onClose={() => setRejectEvidence(null)}
+          onSuccess={() => { setRejectEvidence(null); setRefreshKey(k => k + 1) }}
+        />
+      )}
+      {auditTrailId && (
+        <AuditTrailPanel
+          evidenceId={auditTrailId}
+          onClose={() => setAuditTrailId(null)}
+        />
+      )}
    </div>
  )
 }
--- a/admin-compliance/app/sdk/payment-compliance/page.tsx
+++ b/admin-compliance/app/sdk/payment-compliance/page.tsx
@@ -0,0 +1,496 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+
+interface PaymentControl {
+  control_id: string
+  domain: string
+  title: string
+  objective: string
+  check_target: string
+  evidence: string[]
+  automation: string
+}
+
+interface PaymentDomain {
+  id: string
+  name: string
+  description: string
+}
+
+interface Assessment {
+  id: string
+  project_name: string
+  tender_reference: string
+  customer_name: string
+  system_type: string
+  total_controls: number
+  controls_passed: number
+  controls_failed: number
+  controls_partial: number
+  controls_not_applicable: number
+  controls_not_checked: number
+  compliance_score: number
+  status: string
+  created_at: string
+}
+
+interface TenderAnalysis {
+  id: string
+  file_name: string
+  file_size: number
+  project_name: string
+  customer_name: string
+  status: string
+  total_requirements: number
+  matched_count: number
+  unmatched_count: number
+  partial_count: number
+  requirements?: Array<{ req_id: string; text: string; obligation_level: string; technical_domain: string; confidence: number }>
+  match_results?: Array<{ req_id: string; req_text: string; verdict: string; matched_controls: Array<{ control_id: string; title: string; relevance: number }>; gap_description?: string }>
+  created_at: string
+}
+
+const AUTOMATION_STYLES: Record<string, { bg: string; text: string }> = {
+  high: { bg: 'bg-green-100', text: 'text-green-700' },
+  medium: { bg: 'bg-yellow-100', text: 'text-yellow-700' },
+  partial: { bg: 'bg-orange-100', text: 'text-orange-700' },
+  low: { bg: 'bg-red-100', text: 'text-red-700' },
+}
+
+const TARGET_ICONS: Record<string, string> = {
+  code: '💻', system: '🖥️', config: '⚙️', process: '📋',
+  repository: '📦', certificate: '📜',
+}
+
+export default function PaymentCompliancePage() {
+  const [controls, setControls] = useState<PaymentControl[]>([])
+  const [domains, setDomains] = useState<PaymentDomain[]>([])
+  const [assessments, setAssessments] = useState<Assessment[]>([])
+  const [tenderAnalyses, setTenderAnalyses] = useState<TenderAnalysis[]>([])
+  const [selectedTender, setSelectedTender] = useState<TenderAnalysis | null>(null)
+  const [selectedDomain, setSelectedDomain] = useState<string>('all')
+  const [loading, setLoading] = useState(true)
+  const [tab, setTab] = useState<'controls' | 'assessments' | 'tender'>('controls')
+  const [uploading, setUploading] = useState(false)
+  const [processing, setProcessing] = useState(false)
+  const [showNewAssessment, setShowNewAssessment] = useState(false)
+  const [newProject, setNewProject] = useState({ project_name: '', tender_reference: '', customer_name: '', system_type: 'full_stack' })
+
+  useEffect(() => {
+    loadData()
+  }, [])
+
+  async function loadData() {
+    try {
+      setLoading(true)
+      const [ctrlResp, assessResp, tenderResp] = await Promise.all([
+        fetch('/api/sdk/v1/payment-compliance?endpoint=controls'),
+        fetch('/api/sdk/v1/payment-compliance?endpoint=assessments'),
+        fetch('/api/sdk/v1/payment-compliance/tender'),
+      ])
+      if (ctrlResp.ok) {
+        const data = await ctrlResp.json()
+        setControls(data.controls || [])
+        setDomains(data.domains || [])
+      }
+      if (assessResp.ok) {
+        const data = await assessResp.json()
+        setAssessments(data.assessments || [])
+      }
+      if (tenderResp.ok) {
+        const data = await tenderResp.json()
+        setTenderAnalyses(data.analyses || [])
+      }
+    } catch {}
+    finally { setLoading(false) }
+  }
+
+  async function handleTenderUpload(e: React.ChangeEvent<HTMLInputElement>) {
+    const file = e.target.files?.[0]
+    if (!file) return
+    setUploading(true)
+    try {
+      const formData = new FormData()
+      formData.append('file', file)
+      formData.append('project_name', file.name.replace(/\.[^.]+$/, ''))
+      const resp = await fetch('/api/sdk/v1/payment-compliance/tender', { method: 'POST', body: formData })
+      if (resp.ok) {
+        const data = await resp.json()
+        // Auto-start extraction + matching
+        setProcessing(true)
+        const extractResp = await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}?action=extract`, { method: 'POST' })
+        if (extractResp.ok) {
+          await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}?action=match`, { method: 'POST' })
+        }
+        // Reload and show result
+        const detailResp = await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}`)
+        if (detailResp.ok) {
+          const detail = await detailResp.json()
+          setSelectedTender(detail)
+        }
+        loadData()
+      }
+    } catch {} finally {
+      setUploading(false)
+      setProcessing(false)
+    }
+  }
+
+  async function handleViewTender(id: string) {
+    const resp = await fetch(`/api/sdk/v1/payment-compliance/tender/${id}`)
+    if (resp.ok) {
+      setSelectedTender(await resp.json())
+    }
+  }
+
+  async function handleCreateAssessment() {
+    const resp = await fetch('/api/sdk/v1/payment-compliance', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(newProject),
+    })
+    if (resp.ok) {
+      setShowNewAssessment(false)
+      setNewProject({ project_name: '', tender_reference: '', customer_name: '', system_type: 'full_stack' })
+      loadData()
+    }
+  }
+
+  const filteredControls = selectedDomain === 'all'
+    ? controls
+    : controls.filter(c => c.domain === selectedDomain)
+
+  const domainStats = domains.map(d => ({
+    ...d,
+    count: controls.filter(c => c.domain === d.id).length,
+  }))
+
+  return (
+    <div className="max-w-6xl mx-auto p-6">
+      {/* Header */}
+      <div className="flex items-center justify-between mb-8">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">Payment Terminal Compliance</h1>
+          <p className="text-sm text-gray-500 mt-1">
+            Technische Pruefbibliothek fuer Zahlungssysteme — {controls.length} Controls in {domains.length} Domaenen
+          </p>
+        </div>
+        <div className="flex gap-2">
+          <button onClick={() => setTab('controls')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'controls' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Controls ({controls.length})
+          </button>
+          <button onClick={() => setTab('assessments')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'assessments' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Assessments ({assessments.length})
+          </button>
+          <button onClick={() => setTab('tender')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'tender' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Ausschreibung ({tenderAnalyses.length})
+          </button>
+        </div>
+      </div>
+
+      {/* Info Box */}
+      <div className="mb-6 p-4 bg-blue-50 border border-blue-200 rounded-xl text-sm text-blue-800">
+        <div className="font-semibold mb-2">Wie funktioniert Payment Terminal Compliance?</div>
+        <div className="grid grid-cols-3 gap-4">
+          <div>
+            <div className="font-medium mb-1">1. Controls durchsuchen</div>
+            <p className="text-xs text-blue-700">Unsere Bibliothek enthaelt {controls.length} technische Pruefregeln fuer Zahlungssysteme — von Transaktionslogik ueber Kryptographie bis ZVT/OPI-Protokollverhalten. Jeder Control definiert was geprueft wird und welche Evidenz noetig ist.</p>
+          </div>
+          <div>
+            <div className="font-medium mb-1">2. Assessment erstellen</div>
+            <p className="text-xs text-blue-700">Ein Assessment ist eine projektbezogene Pruefung — z.B. fuer eine bestimmte Ausschreibung oder einen Kunden. Sie ordnet jedem Control einen Status zu: bestanden, fehlgeschlagen, teilweise oder nicht anwendbar.</p>
+          </div>
+          <div>
+            <div className="font-medium mb-1">3. Ausschreibung analysieren</div>
+            <p className="text-xs text-blue-700">Laden Sie ein Ausschreibungsdokument hoch. Die KI extrahiert automatisch die Anforderungen und matcht sie gegen unsere Controls. Ergebnis: Welche Anforderungen sind abgedeckt und wo gibt es Luecken.</p>
+          </div>
+        </div>
+      </div>
+
+      {loading ? (
+        <div className="text-center py-12 text-gray-500">Lade...</div>
+      ) : tab === 'controls' ? (
+        <>
+          {/* Domain Filter */}
+          <div className="grid grid-cols-5 gap-3 mb-6">
+            <button onClick={() => setSelectedDomain('all')}
+              className={`p-3 rounded-xl border text-center ${selectedDomain === 'all' ? 'border-purple-500 bg-purple-50' : 'border-gray-200 hover:border-purple-300'}`}>
+              <div className="text-lg font-bold text-purple-700">{controls.length}</div>
+              <div className="text-xs text-gray-500">Alle</div>
+            </button>
+            {domainStats.map(d => (
+              <button key={d.id} onClick={() => setSelectedDomain(d.id)}
+                className={`p-3 rounded-xl border text-center ${selectedDomain === d.id ? 'border-purple-500 bg-purple-50' : 'border-gray-200 hover:border-purple-300'}`}>
+                <div className="text-lg font-bold text-gray-900">{d.count}</div>
+                <div className="text-xs text-gray-500 truncate">{d.id}</div>
+              </button>
+            ))}
+          </div>
+
+          {/* Domain Description */}
+          {selectedDomain !== 'all' && (
+            <div className="mb-4 p-3 bg-blue-50 border border-blue-200 rounded-lg text-sm text-blue-800">
+              <strong>{domains.find(d => d.id === selectedDomain)?.name}:</strong>{' '}
+              {domains.find(d => d.id === selectedDomain)?.description}
+            </div>
+          )}
+
+          {/* Controls List */}
+          <div className="space-y-3">
+            {filteredControls.map(ctrl => {
+              const autoStyle = AUTOMATION_STYLES[ctrl.automation] || AUTOMATION_STYLES.low
+              return (
+                <div key={ctrl.control_id} className="bg-white rounded-xl border border-gray-200 p-4 hover:border-purple-300 transition-all">
+                  <div className="flex items-start justify-between">
+                    <div className="flex-1">
+                      <div className="flex items-center gap-2 mb-1">
+                        <span className="text-xs font-mono text-purple-600 bg-purple-50 px-2 py-0.5 rounded">{ctrl.control_id}</span>
+                        <span className="text-xs text-gray-400">{TARGET_ICONS[ctrl.check_target] || '🔍'} {ctrl.check_target}</span>
+                        <span className={`text-xs px-2 py-0.5 rounded-full ${autoStyle.bg} ${autoStyle.text}`}>
+                          {ctrl.automation}
+                        </span>
+                      </div>
+                      <h3 className="text-sm font-semibold text-gray-900">{ctrl.title}</h3>
+                      <p className="text-xs text-gray-500 mt-1">{ctrl.objective}</p>
+                    </div>
+                  </div>
+                  <div className="flex gap-1 mt-2">
+                    {ctrl.evidence.map(ev => (
+                      <span key={ev} className="text-xs bg-gray-100 text-gray-600 px-2 py-0.5 rounded">{ev}</span>
+                    ))}
+                  </div>
+                </div>
+              )
+            })}
+          </div>
+        </>
+      ) : tab === 'assessments' ? (
+        <>
+          {/* Assessments Tab */}
+          <div className="mb-4">
+            <button onClick={() => setShowNewAssessment(true)}
+              className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700">
+              + Neues Assessment
+            </button>
+          </div>
+
+          {showNewAssessment && (
+            <div className="mb-6 p-6 bg-white rounded-xl border border-purple-200">
+              <h3 className="font-semibold text-gray-900 mb-4">Neues Payment Compliance Assessment</h3>
+              <div className="grid grid-cols-2 gap-4">
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Projektname *</label>
+                  <input value={newProject.project_name} onChange={e => setNewProject(p => ({ ...p, project_name: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. Ausschreibung Muenchen 2026" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Ausschreibungs-Referenz</label>
+                  <input value={newProject.tender_reference} onChange={e => setNewProject(p => ({ ...p, tender_reference: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. 2026-PAY-001" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Kunde</label>
+                  <input value={newProject.customer_name} onChange={e => setNewProject(p => ({ ...p, customer_name: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. Stadt Muenchen" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Systemtyp</label>
+                  <select value={newProject.system_type} onChange={e => setNewProject(p => ({ ...p, system_type: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500">
+                    <option value="full_stack">Full Stack (Terminal + Backend)</option>
+                    <option value="terminal">Nur Terminal</option>
+                    <option value="backend">Nur Backend</option>
+                  </select>
+                </div>
+              </div>
+              <div className="flex gap-2 mt-4">
+                <button onClick={handleCreateAssessment} disabled={!newProject.project_name}
+                  className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50">Erstellen</button>
+                <button onClick={() => setShowNewAssessment(false)}
+                  className="px-4 py-2 bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200">Abbrechen</button>
+              </div>
+            </div>
+          )}
+
+          {assessments.length === 0 ? (
+            <div className="text-center py-12 text-gray-400">
+              <p className="text-lg mb-2">Noch keine Assessments</p>
+              <p className="text-sm">Erstelle ein neues Assessment fuer eine Ausschreibung.</p>
+            </div>
+          ) : (
+            <div className="space-y-4">
+              {assessments.map(a => (
+                <div key={a.id} className="bg-white rounded-xl border border-gray-200 p-6">
+                  <div className="flex items-center justify-between mb-3">
+                    <div>
+                      <h3 className="text-lg font-semibold text-gray-900">{a.project_name}</h3>
+                      <div className="text-sm text-gray-500">
+                        {a.customer_name && <span>{a.customer_name} · </span>}
+                        {a.tender_reference && <span>Ref: {a.tender_reference} · </span>}
+                        <span>{new Date(a.created_at).toLocaleDateString('de-DE')}</span>
+                      </div>
+                    </div>
+                    <span className={`px-3 py-1 rounded-full text-sm font-medium ${
+                      a.status === 'completed' ? 'bg-green-100 text-green-700' :
+                      a.status === 'in_progress' ? 'bg-yellow-100 text-yellow-700' :
+                      'bg-gray-100 text-gray-700'
+                    }`}>{a.status}</span>
+                  </div>
+                  <div className="grid grid-cols-6 gap-2">
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold">{a.total_controls}</div>
+                      <div className="text-xs text-gray-500">Total</div>
+                    </div>
+                    <div className="text-center p-2 bg-green-50 rounded">
+                      <div className="text-lg font-bold text-green-700">{a.controls_passed}</div>
+                      <div className="text-xs text-gray-500">Passed</div>
+                    </div>
+                    <div className="text-center p-2 bg-red-50 rounded">
+                      <div className="text-lg font-bold text-red-700">{a.controls_failed}</div>
+                      <div className="text-xs text-gray-500">Failed</div>
+                    </div>
+                    <div className="text-center p-2 bg-yellow-50 rounded">
+                      <div className="text-lg font-bold text-yellow-700">{a.controls_partial}</div>
+                      <div className="text-xs text-gray-500">Partial</div>
+                    </div>
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold text-gray-400">{a.controls_not_applicable}</div>
+                      <div className="text-xs text-gray-500">N/A</div>
+                    </div>
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold text-gray-400">{a.controls_not_checked}</div>
+                      <div className="text-xs text-gray-500">Offen</div>
+                    </div>
+                  </div>
+                </div>
+              ))}
+            </div>
+          )}
+        </>
+      ) : tab === 'tender' ? (
+        <>
+          {/* Tender Analysis Tab */}
+          <div className="mb-6 p-6 bg-white rounded-xl border-2 border-dashed border-purple-300 text-center">
+            <h3 className="text-lg font-semibold text-gray-900 mb-2">Ausschreibung analysieren</h3>
+            <p className="text-sm text-gray-500 mb-4">
+              Laden Sie ein Ausschreibungsdokument hoch. Die KI extrahiert automatisch alle Anforderungen und matcht sie gegen die Control-Bibliothek.
+            </p>
+            <label className="inline-block px-6 py-3 bg-purple-600 text-white rounded-lg hover:bg-purple-700 cursor-pointer">
+              {uploading ? 'Hochladen...' : processing ? 'Analysiere...' : 'PDF / Dokument hochladen'}
+              <input type="file" className="hidden" accept=".pdf,.txt,.doc,.docx" onChange={handleTenderUpload} disabled={uploading || processing} />
+            </label>
+            <p className="text-xs text-gray-400 mt-2">PDF, TXT oder Word. Max 50 MB. Dokument wird nur fuer diese Analyse verwendet.</p>
+          </div>
+
+          {/* Selected Tender Detail */}
+          {selectedTender && (
+            <div className="mb-6 p-6 bg-white rounded-xl border border-purple-200">
+              <div className="flex items-center justify-between mb-4">
+                <div>
+                  <h3 className="text-lg font-semibold text-gray-900">{selectedTender.project_name}</h3>
+                  <p className="text-sm text-gray-500">{selectedTender.file_name} — {selectedTender.status}</p>
+                </div>
+                <button onClick={() => setSelectedTender(null)} className="text-gray-400 hover:text-gray-600 text-xl">&times;</button>
+              </div>
+
+              {/* Stats */}
+              <div className="grid grid-cols-4 gap-3 mb-6">
+                <div className="text-center p-3 bg-gray-50 rounded-lg">
+                  <div className="text-2xl font-bold">{selectedTender.total_requirements}</div>
+                  <div className="text-xs text-gray-500">Anforderungen</div>
+                </div>
+                <div className="text-center p-3 bg-green-50 rounded-lg">
+                  <div className="text-2xl font-bold text-green-700">{selectedTender.matched_count}</div>
+                  <div className="text-xs text-gray-500">Abgedeckt</div>
+                </div>
+                <div className="text-center p-3 bg-yellow-50 rounded-lg">
+                  <div className="text-2xl font-bold text-yellow-700">{selectedTender.partial_count}</div>
+                  <div className="text-xs text-gray-500">Teilweise</div>
+                </div>
+                <div className="text-center p-3 bg-red-50 rounded-lg">
+                  <div className="text-2xl font-bold text-red-700">{selectedTender.unmatched_count}</div>
+                  <div className="text-xs text-gray-500">Luecken</div>
+                </div>
+              </div>
+
+              {/* Match Results */}
+              {selectedTender.match_results && selectedTender.match_results.length > 0 && (
+                <div className="space-y-3">
+                  <h4 className="font-semibold text-gray-900">Requirement → Control Matching</h4>
+                  {selectedTender.match_results.map((mr, idx) => (
+                    <div key={idx} className={`p-4 rounded-lg border ${
+                      mr.verdict === 'matched' ? 'border-green-200 bg-green-50' :
+                      mr.verdict === 'partial' ? 'border-yellow-200 bg-yellow-50' :
+                      'border-red-200 bg-red-50'
+                    }`}>
+                      <div className="flex items-start justify-between mb-2">
+                        <div className="flex-1">
+                          <div className="flex items-center gap-2 mb-1">
+                            <span className="text-xs font-mono bg-white px-2 py-0.5 rounded border">{mr.req_id}</span>
+                            <span className={`text-xs px-2 py-0.5 rounded-full ${
+                              mr.verdict === 'matched' ? 'bg-green-200 text-green-800' :
+                              mr.verdict === 'partial' ? 'bg-yellow-200 text-yellow-800' :
+                              'bg-red-200 text-red-800'
+                            }`}>
+                              {mr.verdict === 'matched' ? 'Abgedeckt' : mr.verdict === 'partial' ? 'Teilweise' : 'Luecke'}
+                            </span>
+                          </div>
+                          <p className="text-sm text-gray-900">{mr.req_text}</p>
+                        </div>
+                      </div>
+                      {mr.matched_controls && mr.matched_controls.length > 0 && (
+                        <div className="mt-2 flex flex-wrap gap-1">
+                          {mr.matched_controls.map(mc => (
+                            <span key={mc.control_id} className="text-xs bg-white border px-2 py-0.5 rounded">
+                              {mc.control_id} ({Math.round(mc.relevance * 100)}%)
+                            </span>
+                          ))}
+                        </div>
+                      )}
+                      {mr.gap_description && (
+                        <p className="text-xs text-orange-700 mt-2">{mr.gap_description}</p>
+                      )}
+                    </div>
+                  ))}
+                </div>
+              )}
+            </div>
+          )}
+
+          {/* Previous Analyses */}
+          {tenderAnalyses.length > 0 && (
+            <div>
+              <h4 className="font-semibold text-gray-900 mb-3">Bisherige Analysen</h4>
+              <div className="space-y-3">
+                {tenderAnalyses.map(ta => (
+                  <button key={ta.id} onClick={() => handleViewTender(ta.id)}
+                    className="w-full text-left bg-white rounded-xl border border-gray-200 p-4 hover:border-purple-300 transition-all">
+                    <div className="flex items-center justify-between">
+                      <div>
+                        <h3 className="font-medium text-gray-900">{ta.project_name}</h3>
+                        <p className="text-xs text-gray-500">{ta.file_name} — {new Date(ta.created_at).toLocaleDateString('de-DE')}</p>
+                      </div>
+                      <div className="flex gap-2">
+                        <span className="text-xs bg-green-100 text-green-700 px-2 py-0.5 rounded-full">{ta.matched_count} matched</span>
+                        {ta.unmatched_count > 0 && (
+                          <span className="text-xs bg-red-100 text-red-700 px-2 py-0.5 rounded-full">{ta.unmatched_count} gaps</span>
+                        )}
+                        <span className={`text-xs px-2 py-0.5 rounded-full ${
+                          ta.status === 'matched' ? 'bg-blue-100 text-blue-700' : 'bg-gray-100 text-gray-700'
+                        }`}>{ta.status}</span>
+                      </div>
+                    </div>
+                  </button>
+                ))}
+              </div>
+            </div>
+          )}
+        </>
+      ) : null}
+    </div>
+  )
+}
--- a/admin-compliance/app/sdk/sdk-flow/flow-data.ts
+++ b/admin-compliance/app/sdk/sdk-flow/flow-data.ts
@@ -142,8 +142,8 @@ export const SDK_FLOW_STEPS: SDKFlowStep[] = [
    checkpointId: 'CP-UC',
    checkpointType: 'REQUIRED',
    checkpointReviewer: 'NONE',
-    description: 'Systematische Erfassung aller Datenverarbeitungs- und KI-Anwendungsfaelle ueber einen 8-Schritte-Wizard mit Kachel-Auswahl.',
-    descriptionLong: 'In einem 8-Schritte-Wizard werden alle Use Cases erfasst: (1) Grundlegendes — Titel, Beschreibung, KI-Kategorie (21 Kacheln), Branche wird automatisch aus dem Profil abgeleitet. (2) Datenkategorien — ~60 Kategorien in 10 Gruppen als Kacheln (inkl. Art. 9 hervorgehoben). (3) Verarbeitungszweck — 16 Zweck-Kacheln, Rechtsgrundlage wird vom SDK automatisch ermittelt. (4) Automatisierungsgrad — assistiv/teilautomatisiert/vollautomatisiert. (5) Hosting & Modell — Provider, Region, Modellnutzung (Inferenz/RAG/Fine-Tuning/Training). (6) Datentransfer — Transferziele und Schutzmechanismen. (7) Datenhaltung — Aufbewahrungsfristen. (8) Vertraege — vorhandene Compliance-Dokumente. Die RAG-Collection bp_compliance_ce wird verwendet, um relevante CE-Regulierungen automatisch den Use Cases zuzuordnen (UCCA).',
+    description: 'Systematische Erfassung aller Datenverarbeitungs- und KI-Anwendungsfaelle ueber einen 8-Schritte-Wizard mit Kachel-Auswahl. Inkl. BetrVG-Mitbestimmungspruefung und Betriebsrats-Konflikt-Score.',
+    descriptionLong: 'In einem 8-Schritte-Wizard werden alle Use Cases erfasst: (1) Grundlegendes — Titel, Beschreibung, KI-Kategorie (21 Kacheln), Branche wird automatisch aus dem Profil abgeleitet. (2) Datenkategorien — ~60 Kategorien in 10 Gruppen als Kacheln (inkl. Art. 9 hervorgehoben). (3) Verarbeitungszweck — 16 Zweck-Kacheln, Rechtsgrundlage wird vom SDK automatisch ermittelt. (4) Automatisierungsgrad + BetrVG — assistiv/teilautomatisiert/vollautomatisiert, plus 3 BetrVG-Toggles: Ueberwachungseignung, HR-Entscheidungsunterstuetzung, BR-Konsultation. Das SDK berechnet daraus einen Betriebsrats-Konflikt-Score (0-100) und leitet BetrVG-Pflichten ab (§87, §90, §94, §95). (5) Hosting & Modell — Provider, Region, Modellnutzung (Inferenz/RAG/Fine-Tuning/Training). (6) Datentransfer — Transferziele und Schutzmechanismen. (7) Datenhaltung — Aufbewahrungsfristen. (8) Vertraege — vorhandene Compliance-Dokumente. Die RAG-Collection bp_compliance_ce wird verwendet, um relevante CE-Regulierungen automatisch den Use Cases zuzuordnen (UCCA). Die Collection bp_compliance_datenschutz enthaelt 14 BAG-Urteile zu IT-Mitbestimmung (M365, SAP, SaaS, Video).',
    legalBasis: 'Art. 30 DSGVO (Verzeichnis von Verarbeitungstaetigkeiten)',
    inputs: ['companyProfile'],
    outputs: ['useCases'],
@@ -155,6 +155,27 @@ export const SDK_FLOW_STEPS: SDKFlowStep[] = [
    isOptional: false,
    url: '/sdk/use-cases',
  },
+  {
+    id: 'ai-registration',
+    name: 'EU AI Database Registrierung',
+    nameShort: 'EU-Reg',
+    package: 'vorbereitung',
+    seq: 350,
+    checkpointId: 'CP-REG',
+    checkpointType: 'CONDITIONAL',
+    checkpointReviewer: 'NONE',
+    description: 'Registrierung von Hochrisiko-KI-Systemen in der EU AI Database gemaess Art. 49 KI-Verordnung.',
+    descriptionLong: 'Fuer Hochrisiko-KI-Systeme (Annex III) ist eine Registrierung in der EU AI Database Pflicht. Ein 6-Schritte-Wizard fuehrt durch den Prozess: (1) Anbieter-Daten — Name, Rechtsform, Adresse, EU-Repraesentant. (2) System-Details — Name, Version, Beschreibung, Einsatzzweck (vorausgefuellt aus UCCA Assessment). (3) Klassifikation — Risikoklasse und Annex III Kategorie (aus Decision Tree). (4) Konformitaet — CE-Kennzeichnung, Notified Body. (5) Trainingsdaten — Zusammenfassung der Datenquellen (Art. 10). (6) Pruefung + Export — JSON-Download fuer EU-Datenbank-Submission. Der Status-Workflow ist: Entwurf → Bereit → Eingereicht → Registriert.',
+    legalBasis: 'Art. 49 KI-Verordnung (EU) 2024/1689',
+    inputs: ['useCases', 'companyProfile'],
+    outputs: ['euRegistration'],
+    prerequisiteSteps: ['use-case-assessment'],
+    dbTables: ['ai_system_registrations'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: true,
+    url: '/sdk/ai-registration',
+  },
  {
    id: 'import',
    name: 'Dokument-Import',
--- a/admin-compliance/app/sdk/use-cases/[id]/page.tsx
+++ b/admin-compliance/app/sdk/use-cases/[id]/page.tsx
@@ -57,6 +57,8 @@ interface FullAssessment {
  dsfa_recommended: boolean
  art22_risk: boolean
  training_allowed: string
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
  triggered_rules?: TriggeredRule[]
  required_controls?: RequiredControl[]
  recommended_architecture?: PatternRecommendation[]
@@ -167,6 +169,8 @@ export default function AssessmentDetailPage() {
    dsfa_recommended: assessment.dsfa_recommended,
    art22_risk: assessment.art22_risk,
    training_allowed: assessment.training_allowed,
+    betrvg_conflict_score: assessment.betrvg_conflict_score,
+    betrvg_consultation_required: assessment.betrvg_consultation_required,
    // AssessmentResultCard expects rule_code; backend stores code — map here
    triggered_rules: assessment.triggered_rules?.map(r => ({
      rule_code: r.code,
--- a/admin-compliance/app/sdk/use-cases/page.tsx
+++ b/admin-compliance/app/sdk/use-cases/page.tsx
@@ -10,6 +10,8 @@ interface Assessment {
  feasibility: string
  risk_level: string
  risk_score: number
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
  domain: string
  created_at: string
 }
@@ -194,6 +196,16 @@ export default function UseCasesPage() {
                      <span className={`px-2 py-0.5 text-xs rounded-full ${feasibility.bg} ${feasibility.text}`}>
                        {feasibility.label}
                      </span>
+                      {assessment.betrvg_conflict_score != null && assessment.betrvg_conflict_score > 0 && (
+                        <span className={`px-2 py-0.5 text-xs rounded-full ${
+                          assessment.betrvg_conflict_score >= 75 ? 'bg-red-100 text-red-700' :
+                          assessment.betrvg_conflict_score >= 50 ? 'bg-orange-100 text-orange-700' :
+                          assessment.betrvg_conflict_score >= 25 ? 'bg-yellow-100 text-yellow-700' :
+                          'bg-green-100 text-green-700'
+                        }`}>
+                          BR {assessment.betrvg_conflict_score}
+                        </span>
+                      )}
                    </div>
                    <div className="flex items-center gap-4 text-sm text-gray-500">
                      <span>{assessment.domain}</span>
--- a/admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx
+++ b/admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx
@@ -546,6 +546,89 @@ export function SDKSidebar({ collapsed = false, onCollapsedChange }: SDKSidebarP
          />
        </div>

+        {/* KI-Compliance */}
+        <div className="border-t border-gray-100 py-2">
+          {!collapsed && (
+            <div className="px-4 py-2 text-xs font-medium text-gray-400 uppercase tracking-wider">
+              KI-Compliance
+            </div>
+          )}
+          <AdditionalModuleItem
+            href="/sdk/advisory-board"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+              </svg>
+            }
+            label="Use Case Erfassung"
+            isActive={pathname === '/sdk/advisory-board'}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
+          <AdditionalModuleItem
+            href="/sdk/use-cases"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M4 6h16M4 10h16M4 14h16M4 18h16" />
+              </svg>
+            }
+            label="Use Cases"
+            isActive={pathname?.startsWith('/sdk/use-cases') ?? false}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
+          <AdditionalModuleItem
+            href="/sdk/ai-act"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M13 10V3L4 14h7v7l9-11h-7z" />
+              </svg>
+            }
+            label="AI Act"
+            isActive={pathname?.startsWith('/sdk/ai-act') ?? false}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
+          <AdditionalModuleItem
+            href="/sdk/ai-registration"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" />
+              </svg>
+            }
+            label="EU Registrierung"
+            isActive={pathname?.startsWith('/sdk/ai-registration') ?? false}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
+        </div>
+
+        {/* Payment Compliance */}
+        <div className="border-t border-gray-100 py-2">
+          {!collapsed && (
+            <div className="px-4 py-2 text-xs font-medium text-gray-400 uppercase tracking-wider">
+              Payment / Terminal
+            </div>
+          )}
+          <AdditionalModuleItem
+            href="/sdk/payment-compliance"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M3 10h18M7 15h1m4 0h1m-7 4h12a3 3 0 003-3V8a3 3 0 00-3-3H6a3 3 0 00-3 3v8a3 3 0 003 3z" />
+              </svg>
+            }
+            label="Payment Compliance"
+            isActive={pathname?.startsWith('/sdk/payment-compliance') ?? false}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
+        </div>
+
        {/* Additional Modules */}
        <div className="border-t border-gray-100 py-2">
          {!collapsed && (
@@ -643,6 +726,19 @@ export function SDKSidebar({ collapsed = false, onCollapsedChange }: SDKSidebarP
            collapsed={collapsed}
            projectId={projectId}
          />
+          <AdditionalModuleItem
+            href="/sdk/assertions"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4" />
+              </svg>
+            }
+            label="Assertions"
+            isActive={pathname === '/sdk/assertions'}
+            collapsed={collapsed}
+            projectId={projectId}
+          />
          <AdditionalModuleItem
            href="/sdk/dsms"
            icon={
--- a/admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx
+++ b/admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx
@@ -0,0 +1,554 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+interface DecisionTreeQuestion {
+  id: string
+  axis: 'high_risk' | 'gpai'
+  question: string
+  description: string
+  article_ref: string
+  skip_if?: string
+}
+
+interface DecisionTreeDefinition {
+  id: string
+  name: string
+  version: string
+  questions: DecisionTreeQuestion[]
+}
+
+interface DecisionTreeAnswer {
+  question_id: string
+  value: boolean
+  note?: string
+}
+
+interface GPAIClassification {
+  is_gpai: boolean
+  is_systemic_risk: boolean
+  gpai_category: 'none' | 'standard' | 'systemic'
+  applicable_articles: string[]
+  obligations: string[]
+}
+
+interface DecisionTreeResult {
+  id: string
+  tenant_id: string
+  system_name: string
+  system_description?: string
+  answers: Record<string, DecisionTreeAnswer>
+  high_risk_result: string
+  gpai_result: GPAIClassification
+  combined_obligations: string[]
+  applicable_articles: string[]
+  created_at: string
+}
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+const RISK_LEVEL_CONFIG: Record<string, { label: string; color: string; bg: string; border: string }> = {
+  unacceptable: { label: 'Unzulässig', color: 'text-red-700', bg: 'bg-red-50', border: 'border-red-200' },
+  high_risk: { label: 'Hochrisiko', color: 'text-orange-700', bg: 'bg-orange-50', border: 'border-orange-200' },
+  limited_risk: { label: 'Begrenztes Risiko', color: 'text-yellow-700', bg: 'bg-yellow-50', border: 'border-yellow-200' },
+  minimal_risk: { label: 'Minimales Risiko', color: 'text-green-700', bg: 'bg-green-50', border: 'border-green-200' },
+  not_applicable: { label: 'Nicht anwendbar', color: 'text-gray-500', bg: 'bg-gray-50', border: 'border-gray-200' },
+}
+
+const GPAI_CONFIG: Record<string, { label: string; color: string; bg: string; border: string }> = {
+  none: { label: 'Kein GPAI', color: 'text-gray-500', bg: 'bg-gray-50', border: 'border-gray-200' },
+  standard: { label: 'GPAI Standard', color: 'text-blue-700', bg: 'bg-blue-50', border: 'border-blue-200' },
+  systemic: { label: 'GPAI Systemisches Risiko', color: 'text-purple-700', bg: 'bg-purple-50', border: 'border-purple-200' },
+}
+
+// =============================================================================
+// MAIN COMPONENT
+// =============================================================================
+
+export default function DecisionTreeWizard() {
+  const [definition, setDefinition] = useState<DecisionTreeDefinition | null>(null)
+  const [answers, setAnswers] = useState<Record<string, DecisionTreeAnswer>>({})
+  const [currentIdx, setCurrentIdx] = useState(0)
+  const [systemName, setSystemName] = useState('')
+  const [systemDescription, setSystemDescription] = useState('')
+  const [result, setResult] = useState<DecisionTreeResult | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const [phase, setPhase] = useState<'intro' | 'questions' | 'result'>('intro')
+
+  // Load decision tree definition
+  useEffect(() => {
+    const load = async () => {
+      try {
+        const res = await fetch('/api/sdk/v1/ucca/decision-tree')
+        if (res.ok) {
+          const data = await res.json()
+          setDefinition(data)
+        } else {
+          setError('Entscheidungsbaum konnte nicht geladen werden')
+        }
+      } catch {
+        setError('Verbindung zum Backend fehlgeschlagen')
+      } finally {
+        setLoading(false)
+      }
+    }
+    load()
+  }, [])
+
+  // Get visible questions (respecting skip logic)
+  const getVisibleQuestions = useCallback((): DecisionTreeQuestion[] => {
+    if (!definition) return []
+    return definition.questions.filter(q => {
+      if (!q.skip_if) return true
+      // Skip this question if the gate question was answered "no"
+      const gateAnswer = answers[q.skip_if]
+      if (gateAnswer && !gateAnswer.value) return false
+      return true
+    })
+  }, [definition, answers])
+
+  const visibleQuestions = getVisibleQuestions()
+  const currentQuestion = visibleQuestions[currentIdx]
+  const totalVisible = visibleQuestions.length
+
+  const highRiskQuestions = visibleQuestions.filter(q => q.axis === 'high_risk')
+  const gpaiQuestions = visibleQuestions.filter(q => q.axis === 'gpai')
+
+  const handleAnswer = (value: boolean) => {
+    if (!currentQuestion) return
+    setAnswers(prev => ({
+      ...prev,
+      [currentQuestion.id]: {
+        question_id: currentQuestion.id,
+        value,
+      },
+    }))
+
+    // Auto-advance
+    if (currentIdx < totalVisible - 1) {
+      setCurrentIdx(prev => prev + 1)
+    }
+  }
+
+  const handleBack = () => {
+    if (currentIdx > 0) {
+      setCurrentIdx(prev => prev - 1)
+    }
+  }
+
+  const handleSubmit = async () => {
+    setSaving(true)
+    setError(null)
+
+    try {
+      const res = await fetch('/api/sdk/v1/ucca/decision-tree/evaluate', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          system_name: systemName,
+          system_description: systemDescription,
+          answers,
+        }),
+      })
+
+      if (res.ok) {
+        const data = await res.json()
+        setResult(data)
+        setPhase('result')
+      } else {
+        const err = await res.json().catch(() => ({ error: 'Auswertung fehlgeschlagen' }))
+        setError(err.error || 'Auswertung fehlgeschlagen')
+      }
+    } catch {
+      setError('Verbindung zum Backend fehlgeschlagen')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  const handleReset = () => {
+    setAnswers({})
+    setCurrentIdx(0)
+    setSystemName('')
+    setSystemDescription('')
+    setResult(null)
+    setPhase('intro')
+    setError(null)
+  }
+
+  const allAnswered = visibleQuestions.every(q => answers[q.id] !== undefined)
+
+  if (loading) {
+    return (
+      <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+        <div className="w-10 h-10 border-2 border-purple-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+        <p className="text-gray-500">Entscheidungsbaum wird geladen...</p>
+      </div>
+    )
+  }
+
+  if (error && !definition) {
+    return (
+      <div className="bg-red-50 border border-red-200 rounded-xl p-6 text-center">
+        <p className="text-red-700">{error}</p>
+        <p className="text-red-500 text-sm mt-2">Bitte stellen Sie sicher, dass der AI Compliance SDK Service läuft.</p>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // INTRO PHASE
+  // =========================================================================
+  if (phase === 'intro') {
+    return (
+      <div className="space-y-6">
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <h3 className="text-lg font-semibold text-gray-900 mb-2">AI Act Entscheidungsbaum</h3>
+          <p className="text-sm text-gray-500 mb-6">
+            Klassifizieren Sie Ihr KI-System anhand von 12 Fragen auf zwei Achsen:
+            <strong> High-Risk</strong> (Anhang III) und <strong>GPAI</strong> (Art. 51–56).
+          </p>
+
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+            <div className="p-4 bg-orange-50 border border-orange-200 rounded-lg">
+              <div className="flex items-center gap-2 mb-2">
+                <svg className="w-5 h-5 text-orange-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                  <path strokeLinecap="round" strokeLinejoin="round" d="M12 9v3.75m-9.303 3.376c-.866 1.5.217 3.374 1.948 3.374h14.71c1.73 0 2.813-1.874 1.948-3.374L13.949 3.378c-.866-1.5-3.032-1.5-3.898 0L2.697 16.126z" />
+                </svg>
+                <span className="font-medium text-orange-700">Achse 1: High-Risk</span>
+              </div>
+              <p className="text-sm text-orange-600">7 Fragen zu Anhang III Kategorien (Biometrie, kritische Infrastruktur, Bildung, Beschäftigung, etc.)</p>
+            </div>
+            <div className="p-4 bg-blue-50 border border-blue-200 rounded-lg">
+              <div className="flex items-center gap-2 mb-2">
+                <svg className="w-5 h-5 text-blue-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                  <path strokeLinecap="round" strokeLinejoin="round" d="M9.813 15.904L9 18.75l-.813-2.846a4.5 4.5 0 00-3.09-3.09L2.25 12l2.846-.813a4.5 4.5 0 003.09-3.09L9 5.25l.813 2.846a4.5 4.5 0 003.09 3.09L15.75 12l-2.846.813a4.5 4.5 0 00-3.09 3.09z" />
+                </svg>
+                <span className="font-medium text-blue-700">Achse 2: GPAI</span>
+              </div>
+              <p className="text-sm text-blue-600">5 Fragen zu General-Purpose AI (Foundation Models, systemisches Risiko, Art. 51–56)</p>
+            </div>
+          </div>
+
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Name des KI-Systems *</label>
+              <input
+                type="text"
+                value={systemName}
+                onChange={e => setSystemName(e.target.value)}
+                placeholder="z.B. Dokumenten-Analyse-KI, Chatbot-Service, Code-Assistent"
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Beschreibung (optional)</label>
+              <textarea
+                value={systemDescription}
+                onChange={e => setSystemDescription(e.target.value)}
+                placeholder="Kurze Beschreibung des KI-Systems und seines Einsatzzwecks..."
+                rows={2}
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+              />
+            </div>
+          </div>
+
+          <div className="mt-6 flex justify-end">
+            <button
+              onClick={() => setPhase('questions')}
+              disabled={!systemName.trim()}
+              className={`px-6 py-2 rounded-lg font-medium transition-colors ${
+                systemName.trim()
+                  ? 'bg-purple-600 text-white hover:bg-purple-700'
+                  : 'bg-gray-200 text-gray-400 cursor-not-allowed'
+              }`}
+            >
+              Klassifizierung starten
+            </button>
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // RESULT PHASE
+  // =========================================================================
+  if (phase === 'result' && result) {
+    const riskConfig = RISK_LEVEL_CONFIG[result.high_risk_result] || RISK_LEVEL_CONFIG.not_applicable
+    const gpaiConfig = GPAI_CONFIG[result.gpai_result.gpai_category] || GPAI_CONFIG.none
+
+    return (
+      <div className="space-y-6">
+        {/* Header */}
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="flex items-center justify-between mb-4">
+            <h3 className="text-lg font-semibold text-gray-900">Klassifizierungsergebnis: {result.system_name}</h3>
+            <button
+              onClick={handleReset}
+              className="px-4 py-2 text-sm text-purple-600 hover:bg-purple-50 rounded-lg transition-colors"
+            >
+              Neue Klassifizierung
+            </button>
+          </div>
+
+          {/* Two-Axis Result Cards */}
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+            <div className={`p-5 rounded-xl border-2 ${riskConfig.border} ${riskConfig.bg}`}>
+              <div className="text-sm font-medium text-gray-500 mb-1">Achse 1: High-Risk (Anhang III)</div>
+              <div className={`text-xl font-bold ${riskConfig.color}`}>{riskConfig.label}</div>
+            </div>
+            <div className={`p-5 rounded-xl border-2 ${gpaiConfig.border} ${gpaiConfig.bg}`}>
+              <div className="text-sm font-medium text-gray-500 mb-1">Achse 2: GPAI (Art. 51–56)</div>
+              <div className={`text-xl font-bold ${gpaiConfig.color}`}>{gpaiConfig.label}</div>
+              {result.gpai_result.is_systemic_risk && (
+                <div className="mt-1 text-xs text-purple-600 font-medium">Systemisches Risiko</div>
+              )}
+            </div>
+          </div>
+        </div>
+
+        {/* Applicable Articles */}
+        {result.applicable_articles && result.applicable_articles.length > 0 && (
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h4 className="text-sm font-semibold text-gray-900 mb-3">Anwendbare Artikel</h4>
+            <div className="flex flex-wrap gap-2">
+              {result.applicable_articles.map(art => (
+                <span key={art} className="px-3 py-1 text-xs bg-indigo-50 text-indigo-700 rounded-full border border-indigo-200">
+                  {art}
+                </span>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* Combined Obligations */}
+        {result.combined_obligations && result.combined_obligations.length > 0 && (
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h4 className="text-sm font-semibold text-gray-900 mb-3">
+              Pflichten ({result.combined_obligations.length})
+            </h4>
+            <div className="space-y-2">
+              {result.combined_obligations.map((obl, i) => (
+                <div key={i} className="flex items-start gap-2 text-sm">
+                  <svg className="w-4 h-4 text-purple-500 mt-0.5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                    <path strokeLinecap="round" strokeLinejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+                  </svg>
+                  <span className="text-gray-700">{obl}</span>
+                </div>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* GPAI-specific obligations */}
+        {result.gpai_result.is_gpai && result.gpai_result.obligations.length > 0 && (
+          <div className="bg-blue-50 rounded-xl border border-blue-200 p-6">
+            <h4 className="text-sm font-semibold text-blue-900 mb-3">
+              GPAI-spezifische Pflichten ({result.gpai_result.obligations.length})
+            </h4>
+            <div className="space-y-2">
+              {result.gpai_result.obligations.map((obl, i) => (
+                <div key={i} className="flex items-start gap-2 text-sm">
+                  <svg className="w-4 h-4 text-blue-500 mt-0.5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                    <path strokeLinecap="round" strokeLinejoin="round" d="M11.25 11.25l.041-.02a.75.75 0 011.063.852l-.708 2.836a.75.75 0 001.063.853l.041-.021M21 12a9 9 0 11-18 0 9 9 0 0118 0zm-9-3.75h.008v.008H12V8.25z" />
+                  </svg>
+                  <span className="text-blue-800">{obl}</span>
+                </div>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* Answer Summary */}
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <h4 className="text-sm font-semibold text-gray-900 mb-3">Ihre Antworten</h4>
+          <div className="space-y-2">
+            {definition?.questions.map(q => {
+              const answer = result.answers[q.id]
+              if (!answer) return null
+              return (
+                <div key={q.id} className="flex items-center gap-3 text-sm py-1.5 border-b border-gray-100 last:border-0">
+                  <span className="text-xs font-mono text-gray-400 w-8">{q.id}</span>
+                  <span className="flex-1 text-gray-600">{q.question}</span>
+                  <span className={`px-2 py-0.5 rounded text-xs font-medium ${
+                    answer.value ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-500'
+                  }`}>
+                    {answer.value ? 'Ja' : 'Nein'}
+                  </span>
+                </div>
+              )
+            })}
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // QUESTIONS PHASE
+  // =========================================================================
+  return (
+    <div className="space-y-6">
+      {/* Progress */}
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="flex items-center justify-between mb-3">
+          <span className="text-sm font-medium text-gray-700">
+            {systemName} — Frage {currentIdx + 1} von {totalVisible}
+          </span>
+          <span className={`px-2 py-1 text-xs rounded-full font-medium ${
+            currentQuestion?.axis === 'high_risk'
+              ? 'bg-orange-100 text-orange-700'
+              : 'bg-blue-100 text-blue-700'
+          }`}>
+            {currentQuestion?.axis === 'high_risk' ? 'High-Risk' : 'GPAI'}
+          </span>
+        </div>
+
+        {/* Dual progress bar */}
+        <div className="flex gap-2">
+          <div className="flex-1">
+            <div className="text-[10px] text-orange-600 mb-1 font-medium">
+              Achse 1: High-Risk ({highRiskQuestions.filter(q => answers[q.id] !== undefined).length}/{highRiskQuestions.length})
+            </div>
+            <div className="h-1.5 bg-gray-100 rounded-full overflow-hidden">
+              <div
+                className="h-full bg-orange-500 rounded-full transition-all"
+                style={{ width: `${highRiskQuestions.length ? (highRiskQuestions.filter(q => answers[q.id] !== undefined).length / highRiskQuestions.length) * 100 : 0}%` }}
+              />
+            </div>
+          </div>
+          <div className="flex-1">
+            <div className="text-[10px] text-blue-600 mb-1 font-medium">
+              Achse 2: GPAI ({gpaiQuestions.filter(q => answers[q.id] !== undefined).length}/{gpaiQuestions.length})
+            </div>
+            <div className="h-1.5 bg-gray-100 rounded-full overflow-hidden">
+              <div
+                className="h-full bg-blue-500 rounded-full transition-all"
+                style={{ width: `${gpaiQuestions.length ? (gpaiQuestions.filter(q => answers[q.id] !== undefined).length / gpaiQuestions.length) * 100 : 0}%` }}
+              />
+            </div>
+          </div>
+        </div>
+      </div>
+
+      {/* Error */}
+      {error && (
+        <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
+          <span>{error}</span>
+          <button onClick={() => setError(null)} className="text-red-500 hover:text-red-700">&times;</button>
+        </div>
+      )}
+
+      {/* Current Question */}
+      {currentQuestion && (
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="flex items-start gap-3 mb-4">
+            <span className="px-2 py-1 text-xs font-mono bg-gray-100 text-gray-500 rounded">{currentQuestion.id}</span>
+            <span className="px-2 py-1 text-xs bg-purple-50 text-purple-700 rounded">{currentQuestion.article_ref}</span>
+          </div>
+
+          <h3 className="text-lg font-semibold text-gray-900 mb-3">{currentQuestion.question}</h3>
+          <p className="text-sm text-gray-500 mb-6">{currentQuestion.description}</p>
+
+          {/* Answer buttons */}
+          <div className="grid grid-cols-2 gap-4">
+            <button
+              onClick={() => handleAnswer(true)}
+              className={`p-4 rounded-xl border-2 transition-all text-center font-medium ${
+                answers[currentQuestion.id]?.value === true
+                  ? 'border-green-500 bg-green-50 text-green-700'
+                  : 'border-gray-200 hover:border-green-300 hover:bg-green-50/50 text-gray-700'
+              }`}
+            >
+              <svg className="w-8 h-8 mx-auto mb-2 text-green-500" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                <path strokeLinecap="round" strokeLinejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+              Ja
+            </button>
+            <button
+              onClick={() => handleAnswer(false)}
+              className={`p-4 rounded-xl border-2 transition-all text-center font-medium ${
+                answers[currentQuestion.id]?.value === false
+                  ? 'border-gray-500 bg-gray-50 text-gray-700'
+                  : 'border-gray-200 hover:border-gray-300 hover:bg-gray-50/50 text-gray-700'
+              }`}
+            >
+              <svg className="w-8 h-8 mx-auto mb-2 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                <path strokeLinecap="round" strokeLinejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+              Nein
+            </button>
+          </div>
+        </div>
+      )}
+
+      {/* Navigation */}
+      <div className="flex items-center justify-between">
+        <button
+          onClick={currentIdx === 0 ? () => setPhase('intro') : handleBack}
+          className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors"
+        >
+          Zurück
+        </button>
+
+        <div className="flex items-center gap-1">
+          {visibleQuestions.map((q, i) => (
+            <button
+              key={q.id}
+              onClick={() => setCurrentIdx(i)}
+              className={`w-2.5 h-2.5 rounded-full transition-colors ${
+                i === currentIdx
+                  ? q.axis === 'high_risk' ? 'bg-orange-500' : 'bg-blue-500'
+                  : answers[q.id] !== undefined
+                    ? 'bg-green-400'
+                    : 'bg-gray-200'
+              }`}
+              title={`${q.id}: ${q.question}`}
+            />
+          ))}
+        </div>
+
+        {allAnswered ? (
+          <button
+            onClick={handleSubmit}
+            disabled={saving}
+            className={`px-6 py-2 rounded-lg font-medium transition-colors ${
+              saving
+                ? 'bg-purple-300 text-white cursor-wait'
+                : 'bg-purple-600 text-white hover:bg-purple-700'
+            }`}
+          >
+            {saving ? (
+              <span className="flex items-center gap-2">
+                <svg className="w-4 h-4 animate-spin" fill="none" viewBox="0 0 24 24">
+                  <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+                  <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
+                </svg>
+                Auswertung...
+              </span>
+            ) : (
+              'Auswerten'
+            )}
+          </button>
+        ) : (
+          <button
+            onClick={() => setCurrentIdx(prev => Math.min(prev + 1, totalVisible - 1))}
+            disabled={currentIdx >= totalVisible - 1}
+            className="px-4 py-2 text-sm text-purple-600 hover:bg-purple-50 rounded-lg transition-colors disabled:opacity-30"
+          >
+            Weiter
+          </button>
+        )}
+      </div>
+    </div>
+  )
+}
--- a/admin-compliance/components/sdk/use-case-assessment/AssessmentResultCard.tsx
+++ b/admin-compliance/components/sdk/use-case-assessment/AssessmentResultCard.tsx
@@ -10,6 +10,8 @@ interface AssessmentResult {
  dsfa_recommended: boolean
  art22_risk: boolean
  training_allowed: string
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
  summary: string
  recommendation: string
  alternative_approach?: string
@@ -76,6 +78,21 @@ export function AssessmentResultCard({ result }: AssessmentResultCardProps) {
                  Art. 22 Risiko
                </span>
              )}
+              {result.betrvg_conflict_score != null && result.betrvg_conflict_score > 0 && (
+                <span className={`px-3 py-1 rounded-full text-sm font-medium ${
+                  result.betrvg_conflict_score >= 75 ? 'bg-red-100 text-red-700' :
+                  result.betrvg_conflict_score >= 50 ? 'bg-orange-100 text-orange-700' :
+                  result.betrvg_conflict_score >= 25 ? 'bg-yellow-100 text-yellow-700' :
+                  'bg-green-100 text-green-700'
+                }`}>
+                  BR-Konflikt: {result.betrvg_conflict_score}/100
+                </span>
+              )}
+              {result.betrvg_consultation_required && (
+                <span className="px-3 py-1 rounded-full text-sm bg-purple-100 text-purple-700">
+                  BR-Konsultation erforderlich
+                </span>
+              )}
            </div>
            <p className="text-gray-700">{result.summary}</p>
            <p className="text-sm text-gray-500 mt-2">{result.recommendation}</p>
--- a/admin-compliance/lib/sdk/types.ts
+++ b/admin-compliance/lib/sdk/types.ts
@@ -920,6 +920,20 @@ export const SDK_STEPS: SDKStep[] = [
    prerequisiteSteps: [],
    isOptional: true,
  },
+  {
+    id: 'atomic-controls',
+    seq: 4925,
+    phase: 2,
+    package: 'betrieb',
+    order: 11.5,
+    name: 'Atomare Controls',
+    nameShort: 'Atomar',
+    description: 'Deduplizierte atomare Controls mit Herkunftsnachweis',
+    url: '/sdk/atomic-controls',
+    checkpointId: 'CP-ATOM',
+    prerequisiteSteps: [],
+    isOptional: true,
+  },
  {
    id: 'control-provenance',
    seq: 4950,
--- a/admin-compliance/migrations/wiki_betrvg_article.sql
+++ b/admin-compliance/migrations/wiki_betrvg_article.sql
@@ -0,0 +1,53 @@
+-- Wiki Article: BetrVG & KI — Mitbestimmung bei IT-Systemen
+-- Kategorie: arbeitsrecht (existiert bereits)
+-- Ausfuehren auf Production-DB nach Compliance-Refactoring
+
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES
+('betrvg-ki-mitbestimmung', 'arbeitsrecht',
+ 'BetrVG & KI — Mitbestimmung bei IT-Systemen',
+ 'Uebersicht der Mitbestimmungsrechte des Betriebsrats bei Einfuehrung von KI- und IT-Systemen gemaess §87 Abs.1 Nr.6 BetrVG. Inkl. BAG-Rechtsprechung und Konflikt-Score.',
+ '# BetrVG & KI — Mitbestimmung bei IT-Systemen
+
+## Kernregel: §87 Abs.1 Nr.6 BetrVG
+
+Die **Einfuehrung und Anwendung** von technischen Einrichtungen, die dazu **geeignet** sind, das Verhalten oder die Leistung der Arbeitnehmer zu ueberwachen, beduerfen der **Zustimmung des Betriebsrats**.
+
+### Wichtig: Eignung genuegt!
+Das BAG hat klargestellt: Bereits die **objektive Eignung** zur Ueberwachung genuegt — eine tatsaechliche Nutzung zu diesem Zweck ist nicht erforderlich.
+
+---
+
+## Leitentscheidungen des BAG
+
+### Microsoft Office 365 (BAG 1 ABR 20/21, 08.03.2022)
+Das BAG hat ausdruecklich entschieden, dass Microsoft Office 365 der Mitbestimmung unterliegt.
+
+### Standardsoftware (BAG 1 ABN 36/18, 23.10.2018)
+Auch alltaegliche Standardsoftware wie Excel ist mitbestimmungsrelevant. Keine Geringfuegigkeitsschwelle.
+
+### SAP ERP (BAG 1 ABR 45/11, 25.09.2012)
+HR-/ERP-Systeme erheben und verknuepfen individualisierbare Verhaltens- und Leistungsdaten.
+
+### SaaS/Cloud (BAG 1 ABR 68/13, 21.07.2015)
+Auch bei Ueberwachung ueber Dritt-Systeme bleibt der Betriebsrat zu beteiligen.
+
+### Belastungsstatistik (BAG 1 ABR 46/15, 25.04.2017)
+Dauerhafte Kennzahlenueberwachung ist ein schwerwiegender Eingriff in das Persoenlichkeitsrecht.
+
+---
+
+## Betriebsrats-Konflikt-Score (SDK)
+
+Das SDK berechnet automatisch einen Konflikt-Score (0-100):
+- Beschaeftigtendaten (+10), Ueberwachungseignung (+20), HR-Bezug (+20)
+- Individualisierbare Logs (+15), Kommunikationsanalyse (+10)
+- Scoring/Ranking (+10), Vollautomatisiert (+10), Keine BR-Konsultation (+5)
+
+Eskalation: Score >= 50 ohne BR → E2, Score >= 75 → E3.',
+ '["§87 Abs.1 Nr.6 BetrVG", "§90 BetrVG", "§94 BetrVG", "§95 BetrVG", "Art. 88 DSGVO", "§26 BDSG"]',
+ ARRAY['BetrVG', 'Mitbestimmung', 'Betriebsrat', 'KI', 'Ueberwachung', 'Microsoft 365'],
+ 'critical',
+ '["https://www.bundesarbeitsgericht.de/entscheidung/1-abr-20-21/", "https://www.bundesarbeitsgericht.de/entscheidung/1-abn-36-18/"]',
+ 1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, summary = EXCLUDED.summary, updated_at = NOW();
--- a/admin-compliance/migrations/wiki_domain_articles.sql
+++ b/admin-compliance/migrations/wiki_domain_articles.sql
@@ -0,0 +1,157 @@
+-- Wiki Articles: Domain-spezifische KI-Compliance
+-- 4 Artikel fuer die wichtigsten Hochrisiko-Domains
+
+-- 1. KI im Recruiting
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-recruiting-compliance', 'arbeitsrecht',
+'KI im Recruiting — AGG, DSGVO Art. 22, AI Act Hochrisiko',
+'Compliance-Anforderungen bei KI-gestuetzter Personalauswahl: Automatisierte Absagen, Bias-Risiken, Beweislastumkehr.',
+'# KI im Recruiting — Compliance-Anforderungen
+
+## AI Act Einstufung
+KI im Recruiting faellt unter **Annex III Nr. 4 (Employment)** = **High-Risk**.
+
+## Kritische Punkte
+
+### Art. 22 DSGVO — Automatisierte Entscheidungen
+Vollautomatische Absagen ohne menschliche Pruefung sind **grundsaetzlich unzulaessig**.
+Erlaubt: KI erstellt Vorschlag → Mensch prueft → Mensch entscheidet → Mensch gibt Absage frei.
+
+### AGG — Diskriminierungsverbot
+- § 1 AGG: Keine Benachteiligung nach Geschlecht, Alter, Herkunft, Religion, Behinderung
+- § 22 AGG: **Beweislastumkehr** — Arbeitgeber muss beweisen, dass KEINE Diskriminierung vorliegt
+- § 15 AGG: Schadensersatz bis 3 Monatsgehaelter pro Fall
+- Proxy-Merkmale vermeiden: Name→Herkunft, Foto→Alter
+
+### BetrVG — Mitbestimmung
+- § 87 Abs. 1 Nr. 6: Betriebsrat muss zustimmen
+- § 95: Auswahlrichtlinien mitbestimmungspflichtig
+- BAG 1 ABR 20/21: Gilt auch fuer Standardsoftware
+
+## Pflichtmassnahmen
+1. Human-in-the-Loop (echt, kein Rubber Stamping)
+2. Regelmaessige Bias-Audits
+3. DSFA durchfuehren
+4. Betriebsvereinbarung abschliessen
+5. Bewerber ueber KI-Nutzung informieren',
+'["Art. 22 DSGVO", "§ 1 AGG", "§ 22 AGG", "§ 15 AGG", "§ 87 BetrVG", "§ 95 BetrVG", "Annex III Nr. 4 AI Act"]',
+ARRAY['Recruiting', 'HR', 'AGG', 'Bias', 'Art. 22', 'Beweislastumkehr', 'Betriebsrat'],
+'critical',
+'["https://www.bundesarbeitsgericht.de/entscheidung/1-abr-20-21/"]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 2. KI in der Bildung
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-bildung-compliance', 'branchenspezifisch',
+'KI in der Bildung — Notenvergabe, Pruefungsbewertung, Minderjaehrige',
+'AI Act Annex III Nr. 3: Hochrisiko bei KI-gestuetzter Bewertung in Bildung und Ausbildung.',
+'# KI in der Bildung — Compliance-Anforderungen
+
+## AI Act Einstufung
+KI in Bildung/Ausbildung faellt unter **Annex III Nr. 3 (Education)** = **High-Risk**.
+
+## Kritische Szenarien
+- KI beeinflusst Noten → High-Risk
+- KI bewertet Pruefungen → High-Risk
+- KI steuert Zugang zu Bildungsangeboten → High-Risk
+- Minderjaehrige betroffen → Besonderer Schutz (Art. 24 EU-Grundrechtecharta)
+
+## BLOCK-Regel
+**Minderjaehrige betroffen + keine Lehrkraft-Pruefung = UNZULAESSIG**
+
+## Pflichtmassnahmen
+1. Lehrkraft prueft JEDES KI-Ergebnis vor Mitteilung an Schueler
+2. Chancengleichheit unabhaengig von sozioekonomischem Hintergrund
+3. Keine Benachteiligung durch Sprache oder Behinderung
+4. FRIA durchfuehren (Grundrechte-Folgenabschaetzung)
+5. DSFA bei Verarbeitung von Schuelerdaten
+
+## Grundrechte
+- Recht auf Bildung (Art. 14 EU-Charta)
+- Rechte des Kindes (Art. 24 EU-Charta)
+- Nicht-Diskriminierung (Art. 21 EU-Charta)',
+'["Annex III Nr. 3 AI Act", "Art. 14 EU-Grundrechtecharta", "Art. 24 EU-Grundrechtecharta", "Art. 35 DSGVO"]',
+ARRAY['Bildung', 'Education', 'Noten', 'Pruefung', 'Minderjaehrige', 'Schule'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 3. KI im Gesundheitswesen
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-gesundheit-compliance', 'branchenspezifisch',
+'KI im Gesundheitswesen — MDR, Diagnose, Triage',
+'AI Act Annex III Nr. 5 + MDR: Hochrisiko bei KI in Diagnose, Behandlung und Triage.',
+'# KI im Gesundheitswesen — Compliance-Anforderungen
+
+## Regulatorischer Rahmen
+- **AI Act Annex III Nr. 5** — Zugang zu wesentlichen Diensten (Gesundheit)
+- **MDR (EU) 2017/745** — Medizinprodukteverordnung
+- **DSGVO Art. 9** — Gesundheitsdaten = besondere Kategorie
+
+## Kritische Szenarien
+- KI unterstuetzt Diagnosen → High-Risk + DSFA Pflicht
+- KI priorisiert Patienten (Triage) → Lebenskritisch, hoechste Anforderungen
+- KI empfiehlt Behandlungen → High-Risk
+- System ist Medizinprodukt → MDR-Zertifizierung erforderlich
+
+## BLOCK-Regeln
+- **Medizinprodukt ohne klinische Validierung = UNZULAESSIG**
+- MDR Art. 61: Klinische Bewertung ist Pflicht
+
+## Grundrechte
+- Menschenwuerde (Art. 1 EU-Charta)
+- Schutz personenbezogener Daten (Art. 8 EU-Charta)
+- Patientenautonomie
+
+## Pflichtmassnahmen
+1. Klinische Validierung vor Einsatz
+2. Human Oversight durch qualifiziertes Fachpersonal
+3. DSFA fuer Gesundheitsdatenverarbeitung
+4. Genauigkeitsmetriken definieren und messen
+5. Incident Reporting bei Fehlfunktionen',
+'["Annex III Nr. 5 AI Act", "MDR (EU) 2017/745", "Art. 9 DSGVO", "Art. 35 DSGVO"]',
+ARRAY['Gesundheit', 'Healthcare', 'MDR', 'Diagnose', 'Triage', 'Medizinprodukt'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 4. KI in Finanzdienstleistungen
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-finance-compliance', 'branchenspezifisch',
+'KI in Finanzdienstleistungen — Scoring, DORA, Versicherung',
+'AI Act Annex III Nr. 5 + DORA + MaRisk: Compliance bei Kredit-Scoring, Algo-Trading, Versicherungspraemien.',
+'# KI in Finanzdienstleistungen — Compliance-Anforderungen
+
+## Regulatorischer Rahmen
+- **AI Act Annex III Nr. 5** — Zugang zu wesentlichen Diensten
+- **DORA** — Digital Operational Resilience Act
+- **MaRisk/BAIT** — Bankaufsichtliche Anforderungen
+- **MiFID II** — Algorithmischer Handel
+
+## Kritische Szenarien
+- Kredit-Scoring → High-Risk (Art. 22 DSGVO + Annex III)
+- Automatisierte Schadenbearbeitung → Art. 22 Risiko
+- Individuelle Praemienberechnung → Diskriminierungsrisiko
+- Algo-Trading → MiFID II Anforderungen
+- Robo Advisor → WpHG-Pflichten
+
+## Pflichtmassnahmen
+1. Transparenz bei Scoring-Entscheidungen
+2. Bias-Audits bei Kreditvergabe
+3. Human Oversight bei Ablehnungen
+4. DORA-konforme IT-Resilienz
+5. Incident Reporting
+
+## Besondere Risiken
+- Diskriminierendes Kredit-Scoring (AGG + AI Act)
+- Ungerechtfertigte Verweigerung von Finanzdienstleistungen
+- Mangelnde Erklaerbarkeit bei Scoring-Algorithmen',
+'["Annex III Nr. 5 AI Act", "DORA", "MaRisk", "MiFID II", "Art. 22 DSGVO", "§ 1 AGG"]',
+ARRAY['Finance', 'Banking', 'Versicherung', 'Scoring', 'DORA', 'Kredit', 'Algo-Trading'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
--- a/ai-compliance-sdk/cmd/server/main.go
+++ b/ai-compliance-sdk/cmd/server/main.go
@@ -104,6 +104,10 @@ func main() {
 	auditHandlers := handlers.NewAuditHandlers(auditStore, exporter)
 	uccaHandlers := handlers.NewUCCAHandlers(uccaStore, escalationStore, providerRegistry)
 	escalationHandlers := handlers.NewEscalationHandlers(escalationStore, uccaStore)
+	registrationStore := ucca.NewRegistrationStore(pool)
+	registrationHandlers := handlers.NewRegistrationHandlers(registrationStore, uccaStore)
+	paymentHandlers := handlers.NewPaymentHandlers(pool)
+	tenderHandlers := handlers.NewTenderHandlers(pool, paymentHandlers.GetControlLibrary())
 	roadmapHandlers := handlers.NewRoadmapHandlers(roadmapStore)
 	workshopHandlers := handlers.NewWorkshopHandlers(workshopStore)
 	portfolioHandlers := handlers.NewPortfolioHandlers(portfolioStore)
@@ -270,10 +274,49 @@ func main() {
 			uccaRoutes.POST("/escalations/:id/review", escalationHandlers.StartReview)
 			uccaRoutes.POST("/escalations/:id/decide", escalationHandlers.DecideEscalation)

+			// AI Act Decision Tree
+			dtRoutes := uccaRoutes.Group("/decision-tree")
+			{
+				dtRoutes.GET("", uccaHandlers.GetDecisionTree)
+				dtRoutes.POST("/evaluate", uccaHandlers.EvaluateDecisionTree)
+				dtRoutes.GET("/results", uccaHandlers.ListDecisionTreeResults)
+				dtRoutes.GET("/results/:id", uccaHandlers.GetDecisionTreeResult)
+				dtRoutes.DELETE("/results/:id", uccaHandlers.DeleteDecisionTreeResult)
+			}
+
 			// Obligations framework (v2 with TOM mapping)
 			obligationsHandlers.RegisterRoutes(uccaRoutes)
 		}

+		// AI Registration routes - EU AI Database (Art. 49)
+		regRoutes := v1.Group("/ai-registration")
+		{
+			regRoutes.POST("", registrationHandlers.Create)
+			regRoutes.GET("", registrationHandlers.List)
+			regRoutes.GET("/:id", registrationHandlers.Get)
+			regRoutes.PUT("/:id", registrationHandlers.Update)
+			regRoutes.PATCH("/:id/status", registrationHandlers.UpdateStatus)
+			regRoutes.POST("/prefill/:assessment_id", registrationHandlers.Prefill)
+			regRoutes.GET("/:id/export", registrationHandlers.Export)
+		}
+
+		// Payment Compliance routes
+		payRoutes := v1.Group("/payment-compliance")
+		{
+			payRoutes.GET("/controls", paymentHandlers.ListControls)
+			payRoutes.POST("/assessments", paymentHandlers.CreateAssessment)
+			payRoutes.GET("/assessments", paymentHandlers.ListAssessments)
+			payRoutes.GET("/assessments/:id", paymentHandlers.GetAssessment)
+			payRoutes.PATCH("/assessments/:id/verdict", paymentHandlers.UpdateControlVerdict)
+
+			// Tender Analysis
+			payRoutes.POST("/tender/upload", tenderHandlers.Upload)
+			payRoutes.POST("/tender/:id/extract", tenderHandlers.Extract)
+			payRoutes.POST("/tender/:id/match", tenderHandlers.Match)
+			payRoutes.GET("/tender", tenderHandlers.ListAnalyses)
+			payRoutes.GET("/tender/:id", tenderHandlers.GetAnalysis)
+		}
+
 		// RAG routes - Legal Corpus Search & Versioning
 		ragRoutes := v1.Group("/rag")
 		{
--- a/ai-compliance-sdk/internal/api/handlers/payment_handlers.go
+++ b/ai-compliance-sdk/internal/api/handlers/payment_handlers.go
@@ -0,0 +1,290 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// PaymentHandlers handles payment compliance endpoints
+type PaymentHandlers struct {
+	pool     *pgxpool.Pool
+	controls *PaymentControlLibrary
+}
+
+// PaymentControlLibrary holds the control catalog
+type PaymentControlLibrary struct {
+	Domains  []PaymentDomain  `json:"domains"`
+	Controls []PaymentControl `json:"controls"`
+}
+
+type PaymentDomain struct {
+	ID          string `json:"id"`
+	Name        string `json:"name"`
+	Description string `json:"description"`
+}
+
+type PaymentControl struct {
+	ControlID  string   `json:"control_id"`
+	Domain     string   `json:"domain"`
+	Title      string   `json:"title"`
+	Objective  string   `json:"objective"`
+	CheckTarget string  `json:"check_target"`
+	Evidence   []string `json:"evidence"`
+	Automation string   `json:"automation"`
+}
+
+type PaymentAssessment struct {
+	ID              uuid.UUID       `json:"id"`
+	TenantID        uuid.UUID       `json:"tenant_id"`
+	ProjectName     string          `json:"project_name"`
+	TenderReference string          `json:"tender_reference,omitempty"`
+	CustomerName    string          `json:"customer_name,omitempty"`
+	Description     string          `json:"description,omitempty"`
+	SystemType      string          `json:"system_type,omitempty"`
+	PaymentMethods  json.RawMessage `json:"payment_methods,omitempty"`
+	Protocols       json.RawMessage `json:"protocols,omitempty"`
+	TotalControls   int             `json:"total_controls"`
+	ControlsPassed  int             `json:"controls_passed"`
+	ControlsFailed  int             `json:"controls_failed"`
+	ControlsPartial int             `json:"controls_partial"`
+	ControlsNA      int             `json:"controls_not_applicable"`
+	ControlsUnchecked int           `json:"controls_not_checked"`
+	ComplianceScore float64         `json:"compliance_score"`
+	Status          string          `json:"status"`
+	ControlResults  json.RawMessage `json:"control_results,omitempty"`
+	CreatedAt       time.Time       `json:"created_at"`
+	UpdatedAt       time.Time       `json:"updated_at"`
+	CreatedBy       string          `json:"created_by,omitempty"`
+}
+
+// NewPaymentHandlers creates payment handlers with loaded control library
+func NewPaymentHandlers(pool *pgxpool.Pool) *PaymentHandlers {
+	lib := loadControlLibrary()
+	return &PaymentHandlers{pool: pool, controls: lib}
+}
+
+func loadControlLibrary() *PaymentControlLibrary {
+	// Try to load from policies directory
+	paths := []string{
+		"policies/payment_controls_v1.json",
+		"/app/policies/payment_controls_v1.json",
+	}
+	for _, p := range paths {
+		data, err := os.ReadFile(p)
+		if err != nil {
+			// Try relative to executable
+			execDir, _ := os.Executable()
+			altPath := filepath.Join(filepath.Dir(execDir), p)
+			data, err = os.ReadFile(altPath)
+			if err != nil {
+				continue
+			}
+		}
+		var lib PaymentControlLibrary
+		if err := json.Unmarshal(data, &lib); err == nil {
+			return &lib
+		}
+	}
+	return &PaymentControlLibrary{}
+}
+
+// GetControlLibrary returns the loaded control library (for tender matching)
+func (h *PaymentHandlers) GetControlLibrary() *PaymentControlLibrary {
+	return h.controls
+}
+
+// ListControls returns the control library
+func (h *PaymentHandlers) ListControls(c *gin.Context) {
+	domain := c.Query("domain")
+	automation := c.Query("automation")
+
+	controls := h.controls.Controls
+	if domain != "" {
+		var filtered []PaymentControl
+		for _, ctrl := range controls {
+			if ctrl.Domain == domain {
+				filtered = append(filtered, ctrl)
+			}
+		}
+		controls = filtered
+	}
+	if automation != "" {
+		var filtered []PaymentControl
+		for _, ctrl := range controls {
+			if ctrl.Automation == automation {
+				filtered = append(filtered, ctrl)
+			}
+		}
+		controls = filtered
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"controls": controls,
+		"domains":  h.controls.Domains,
+		"total":    len(controls),
+	})
+}
+
+// CreateAssessment creates a new payment compliance assessment
+func (h *PaymentHandlers) CreateAssessment(c *gin.Context) {
+	var req PaymentAssessment
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	req.ID = uuid.New()
+	req.TenantID = tenantID
+	req.Status = "draft"
+	req.TotalControls = len(h.controls.Controls)
+	req.ControlsUnchecked = req.TotalControls
+	req.CreatedAt = time.Now()
+	req.UpdatedAt = time.Now()
+
+	_, err := h.pool.Exec(c.Request.Context(), `
+		INSERT INTO payment_compliance_assessments (
+			id, tenant_id, project_name, tender_reference, customer_name, description,
+			system_type, payment_methods, protocols,
+			total_controls, controls_not_checked, status, created_by
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)`,
+		req.ID, req.TenantID, req.ProjectName, req.TenderReference, req.CustomerName, req.Description,
+		req.SystemType, req.PaymentMethods, req.Protocols,
+		req.TotalControls, req.ControlsUnchecked, req.Status, req.CreatedBy,
+	)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, req)
+}
+
+// ListAssessments lists all payment assessments for a tenant
+func (h *PaymentHandlers) ListAssessments(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	rows, err := h.pool.Query(c.Request.Context(), `
+		SELECT id, tenant_id, project_name, tender_reference, customer_name,
+			system_type, total_controls, controls_passed, controls_failed,
+			controls_partial, controls_not_applicable, controls_not_checked,
+			compliance_score, status, created_at, updated_at
+		FROM payment_compliance_assessments
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`, tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	defer rows.Close()
+
+	var assessments []PaymentAssessment
+	for rows.Next() {
+		var a PaymentAssessment
+		rows.Scan(&a.ID, &a.TenantID, &a.ProjectName, &a.TenderReference, &a.CustomerName,
+			&a.SystemType, &a.TotalControls, &a.ControlsPassed, &a.ControlsFailed,
+			&a.ControlsPartial, &a.ControlsNA, &a.ControlsUnchecked,
+			&a.ComplianceScore, &a.Status, &a.CreatedAt, &a.UpdatedAt)
+		assessments = append(assessments, a)
+	}
+	if assessments == nil {
+		assessments = []PaymentAssessment{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"assessments": assessments, "total": len(assessments)})
+}
+
+// GetAssessment returns a single assessment with control results
+func (h *PaymentHandlers) GetAssessment(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var a PaymentAssessment
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT id, tenant_id, project_name, tender_reference, customer_name, description,
+			system_type, payment_methods, protocols,
+			total_controls, controls_passed, controls_failed, controls_partial,
+			controls_not_applicable, controls_not_checked, compliance_score,
+			status, control_results, created_at, updated_at, created_by
+		FROM payment_compliance_assessments WHERE id = $1`, id).Scan(
+		&a.ID, &a.TenantID, &a.ProjectName, &a.TenderReference, &a.CustomerName, &a.Description,
+		&a.SystemType, &a.PaymentMethods, &a.Protocols,
+		&a.TotalControls, &a.ControlsPassed, &a.ControlsFailed, &a.ControlsPartial,
+		&a.ControlsNA, &a.ControlsUnchecked, &a.ComplianceScore,
+		&a.Status, &a.ControlResults, &a.CreatedAt, &a.UpdatedAt, &a.CreatedBy)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "assessment not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, a)
+}
+
+// UpdateControlVerdict updates the verdict for a single control
+func (h *PaymentHandlers) UpdateControlVerdict(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var body struct {
+		ControlID string `json:"control_id"`
+		Verdict   string `json:"verdict"` // passed, failed, partial, na, unchecked
+		Evidence  string `json:"evidence,omitempty"`
+		Notes     string `json:"notes,omitempty"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Update the control_results JSONB and recalculate scores
+	_, err = h.pool.Exec(c.Request.Context(), `
+		WITH updated AS (
+			SELECT id,
+				COALESCE(control_results, '[]'::jsonb) AS existing_results
+			FROM payment_compliance_assessments WHERE id = $1
+		)
+		UPDATE payment_compliance_assessments SET
+			control_results = (
+				SELECT jsonb_agg(
+					CASE WHEN elem->>'control_id' = $2 THEN
+						jsonb_build_object('control_id', $2, 'verdict', $3, 'evidence', $4, 'notes', $5)
+					ELSE elem END
+				) FROM updated, jsonb_array_elements(
+					CASE WHEN existing_results @> jsonb_build_array(jsonb_build_object('control_id', $2))
+					THEN existing_results
+					ELSE existing_results || jsonb_build_array(jsonb_build_object('control_id', $2, 'verdict', $3, 'evidence', $4, 'notes', $5))
+					END
+				) AS elem
+			),
+			updated_at = NOW()
+		WHERE id = $1`,
+		id, body.ControlID, body.Verdict, body.Evidence, body.Notes)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"status": "updated", "control_id": body.ControlID, "verdict": body.Verdict})
+}
--- a/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go
+++ b/ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go
@@ -13,11 +13,14 @@ import (
 func TestAllowedCollections(t *testing.T) {
 	allowed := []string{
 		"bp_compliance_ce",
-		"bp_compliance_recht",
 		"bp_compliance_gesetze",
 		"bp_compliance_datenschutz",
+		"bp_compliance_gdpr",
 		"bp_dsfa_corpus",
+		"bp_dsfa_templates",
+		"bp_dsfa_risks",
 		"bp_legal_templates",
+		"bp_iace_libraries",
 	}

 	for _, c := range allowed {
--- a/ai-compliance-sdk/internal/api/handlers/registration_handlers.go
+++ b/ai-compliance-sdk/internal/api/handlers/registration_handlers.go
@@ -0,0 +1,220 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// RegistrationHandlers handles EU AI Database registration endpoints
+type RegistrationHandlers struct {
+	store     *ucca.RegistrationStore
+	uccaStore *ucca.Store
+}
+
+// NewRegistrationHandlers creates new registration handlers
+func NewRegistrationHandlers(store *ucca.RegistrationStore, uccaStore *ucca.Store) *RegistrationHandlers {
+	return &RegistrationHandlers{store: store, uccaStore: uccaStore}
+}
+
+// Create creates a new registration
+func (h *RegistrationHandlers) Create(c *gin.Context) {
+	var reg ucca.AIRegistration
+	if err := c.ShouldBindJSON(&reg); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request: " + err.Error()})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+	reg.TenantID = tenantID
+
+	if reg.SystemName == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "system_name required"})
+		return
+	}
+
+	if err := h.store.Create(c.Request.Context(), &reg); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create registration: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, reg)
+}
+
+// List lists all registrations for the tenant
+func (h *RegistrationHandlers) List(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	registrations, err := h.store.List(c.Request.Context(), tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to list registrations: " + err.Error()})
+		return
+	}
+	if registrations == nil {
+		registrations = []ucca.AIRegistration{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"registrations": registrations, "total": len(registrations)})
+}
+
+// Get returns a single registration
+func (h *RegistrationHandlers) Get(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	reg, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, reg)
+}
+
+// Update updates a registration
+func (h *RegistrationHandlers) Update(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	existing, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	var updates ucca.AIRegistration
+	if err := c.ShouldBindJSON(&updates); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request: " + err.Error()})
+		return
+	}
+
+	// Merge updates into existing
+	updates.ID = existing.ID
+	updates.TenantID = existing.TenantID
+	updates.CreatedAt = existing.CreatedAt
+
+	if err := h.store.Update(c.Request.Context(), &updates); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, updates)
+}
+
+// UpdateStatus changes the registration status
+func (h *RegistrationHandlers) UpdateStatus(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	var body struct {
+		Status      string `json:"status"`
+		SubmittedBy string `json:"submitted_by"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
+		return
+	}
+
+	validStatuses := map[string]bool{
+		"draft": true, "ready": true, "submitted": true,
+		"registered": true, "update_required": true, "withdrawn": true,
+	}
+	if !validStatuses[body.Status] {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid status. Valid: draft, ready, submitted, registered, update_required, withdrawn"})
+		return
+	}
+
+	if err := h.store.UpdateStatus(c.Request.Context(), id, body.Status, body.SubmittedBy); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update status: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"id": id, "status": body.Status})
+}
+
+// Prefill creates a registration pre-filled from a UCCA assessment
+func (h *RegistrationHandlers) Prefill(c *gin.Context) {
+	assessmentID, err := uuid.Parse(c.Param("assessment_id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid assessment ID"})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	// Load UCCA assessment
+	assessment, err := h.uccaStore.GetAssessment(c.Request.Context(), assessmentID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Assessment not found"})
+		return
+	}
+
+	// Pre-fill registration from assessment intake
+	intake := assessment.Intake
+
+	reg := ucca.AIRegistration{
+		TenantID:           tenantID,
+		SystemName:         intake.Title,
+		SystemDescription:  intake.UseCaseText,
+		IntendedPurpose:    intake.UseCaseText,
+		RiskClassification: string(assessment.RiskLevel),
+		GPAIClassification: "none",
+		RegistrationStatus: "draft",
+		UCCAAssessmentID:   &assessmentID,
+	}
+
+	// Map domain to readable text
+	if intake.Domain != "" {
+		reg.IntendedPurpose = string(intake.Domain) + ": " + intake.UseCaseText
+	}
+
+	c.JSON(http.StatusOK, reg)
+}
+
+// Export generates the EU AI Database submission JSON
+func (h *RegistrationHandlers) Export(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	reg, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	exportJSON := h.store.BuildExportJSON(reg)
+
+	// Save export data to DB
+	reg.ExportData = exportJSON
+	h.store.Update(c.Request.Context(), reg)
+
+	c.Header("Content-Type", "application/json")
+	c.Header("Content-Disposition", "attachment; filename=eu_ai_registration_"+reg.SystemName+".json")
+	c.Data(http.StatusOK, "application/json", exportJSON)
+}
--- a/ai-compliance-sdk/internal/api/handlers/tender_handlers.go
+++ b/ai-compliance-sdk/internal/api/handlers/tender_handlers.go
@@ -0,0 +1,557 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// TenderHandlers handles tender upload and requirement extraction
+type TenderHandlers struct {
+	pool     *pgxpool.Pool
+	controls *PaymentControlLibrary
+}
+
+// TenderAnalysis represents a tender document analysis
+type TenderAnalysis struct {
+	ID               uuid.UUID          `json:"id"`
+	TenantID         uuid.UUID          `json:"tenant_id"`
+	FileName         string             `json:"file_name"`
+	FileSize         int64              `json:"file_size"`
+	ProjectName      string             `json:"project_name"`
+	CustomerName     string             `json:"customer_name,omitempty"`
+	Status           string             `json:"status"` // uploaded, extracting, extracted, matched, completed
+	Requirements     []ExtractedReq     `json:"requirements,omitempty"`
+	MatchResults     []MatchResult      `json:"match_results,omitempty"`
+	TotalRequirements int               `json:"total_requirements"`
+	MatchedCount     int                `json:"matched_count"`
+	UnmatchedCount   int                `json:"unmatched_count"`
+	PartialCount     int                `json:"partial_count"`
+	CreatedAt        time.Time          `json:"created_at"`
+	UpdatedAt        time.Time          `json:"updated_at"`
+}
+
+// ExtractedReq represents a single requirement extracted from a tender document
+type ExtractedReq struct {
+	ReqID          string   `json:"req_id"`
+	Text           string   `json:"text"`
+	SourcePage     int      `json:"source_page,omitempty"`
+	SourceSection  string   `json:"source_section,omitempty"`
+	ObligationLevel string  `json:"obligation_level"` // MUST, SHALL, SHOULD, MAY
+	TechnicalDomain string  `json:"technical_domain"` // crypto, logging, payment_flow, etc.
+	CheckTarget    string   `json:"check_target"`     // code, system, config, process, certificate
+	Confidence     float64  `json:"confidence"`
+}
+
+// MatchResult represents the matching of a requirement to controls
+type MatchResult struct {
+	ReqID          string          `json:"req_id"`
+	ReqText        string          `json:"req_text"`
+	ObligationLevel string         `json:"obligation_level"`
+	MatchedControls []ControlMatch `json:"matched_controls"`
+	Verdict        string          `json:"verdict"` // matched, partial, unmatched
+	GapDescription string          `json:"gap_description,omitempty"`
+}
+
+// ControlMatch represents a single control match for a requirement
+type ControlMatch struct {
+	ControlID  string  `json:"control_id"`
+	Title      string  `json:"title"`
+	Relevance  float64 `json:"relevance"` // 0-1
+	CheckTarget string `json:"check_target"`
+}
+
+// NewTenderHandlers creates tender handlers
+func NewTenderHandlers(pool *pgxpool.Pool, controls *PaymentControlLibrary) *TenderHandlers {
+	return &TenderHandlers{pool: pool, controls: controls}
+}
+
+// Upload handles tender document upload
+func (h *TenderHandlers) Upload(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	file, header, err := c.Request.FormFile("file")
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "file required"})
+		return
+	}
+	defer file.Close()
+
+	projectName := c.PostForm("project_name")
+	if projectName == "" {
+		projectName = header.Filename
+	}
+	customerName := c.PostForm("customer_name")
+
+	// Read file content
+	content, err := io.ReadAll(file)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to read file"})
+		return
+	}
+
+	// Store analysis record
+	analysisID := uuid.New()
+	now := time.Now()
+
+	_, err = h.pool.Exec(c.Request.Context(), `
+		INSERT INTO tender_analyses (
+			id, tenant_id, file_name, file_size, file_content,
+			project_name, customer_name, status, created_at, updated_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, 'uploaded', $8, $9)`,
+		analysisID, tenantID, header.Filename, header.Size, content,
+		projectName, customerName, now, now,
+	)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to store: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"id":           analysisID,
+		"file_name":    header.Filename,
+		"file_size":    header.Size,
+		"project_name": projectName,
+		"status":       "uploaded",
+		"message":      "Dokument hochgeladen. Starte Analyse mit POST /extract.",
+	})
+}
+
+// Extract extracts requirements from an uploaded tender document using LLM
+func (h *TenderHandlers) Extract(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	// Get file content
+	var fileContent []byte
+	var fileName string
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT file_content, file_name FROM tender_analyses WHERE id = $1`, id,
+	).Scan(&fileContent, &fileName)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "analysis not found"})
+		return
+	}
+
+	// Update status
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET status = 'extracting', updated_at = NOW() WHERE id = $1`, id)
+
+	// Extract text (simple: treat as text for now, PDF extraction would use embedding-service)
+	text := string(fileContent)
+
+	// Use LLM to extract requirements
+	requirements := h.extractRequirementsWithLLM(c.Request.Context(), text)
+
+	// Store results
+	reqJSON, _ := json.Marshal(requirements)
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET
+			status = 'extracted',
+			requirements = $2,
+			total_requirements = $3,
+			updated_at = NOW()
+		WHERE id = $1`, id, reqJSON, len(requirements))
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":            id,
+		"status":        "extracted",
+		"requirements":  requirements,
+		"total":         len(requirements),
+	})
+}
+
+// Match matches extracted requirements against the control library
+func (h *TenderHandlers) Match(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	// Get requirements
+	var reqJSON json.RawMessage
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT requirements FROM tender_analyses WHERE id = $1`, id,
+	).Scan(&reqJSON)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "analysis not found"})
+		return
+	}
+
+	var requirements []ExtractedReq
+	json.Unmarshal(reqJSON, &requirements)
+
+	// Match each requirement against controls
+	var results []MatchResult
+	matched, unmatched, partial := 0, 0, 0
+
+	for _, req := range requirements {
+		matches := h.findMatchingControls(req)
+		result := MatchResult{
+			ReqID:           req.ReqID,
+			ReqText:         req.Text,
+			ObligationLevel: req.ObligationLevel,
+			MatchedControls: matches,
+		}
+
+		if len(matches) == 0 {
+			result.Verdict = "unmatched"
+			result.GapDescription = "Kein passender Control gefunden — manueller Review erforderlich"
+			unmatched++
+		} else if matches[0].Relevance >= 0.7 {
+			result.Verdict = "matched"
+			matched++
+		} else {
+			result.Verdict = "partial"
+			result.GapDescription = "Teilweise Abdeckung — Control deckt Anforderung nicht vollstaendig ab"
+			partial++
+		}
+
+		results = append(results, result)
+	}
+
+	// Store results
+	resultsJSON, _ := json.Marshal(results)
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET
+			status = 'matched',
+			match_results = $2,
+			matched_count = $3,
+			unmatched_count = $4,
+			partial_count = $5,
+			updated_at = NOW()
+		WHERE id = $1`, id, resultsJSON, matched, unmatched, partial)
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":        id,
+		"status":    "matched",
+		"results":   results,
+		"matched":   matched,
+		"unmatched": unmatched,
+		"partial":   partial,
+		"total":     len(requirements),
+	})
+}
+
+// ListAnalyses lists all tender analyses for a tenant
+func (h *TenderHandlers) ListAnalyses(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	rows, err := h.pool.Query(c.Request.Context(), `
+		SELECT id, tenant_id, file_name, file_size, project_name, customer_name,
+			status, total_requirements, matched_count, unmatched_count, partial_count,
+			created_at, updated_at
+		FROM tender_analyses
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`, tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	defer rows.Close()
+
+	var analyses []TenderAnalysis
+	for rows.Next() {
+		var a TenderAnalysis
+		rows.Scan(&a.ID, &a.TenantID, &a.FileName, &a.FileSize, &a.ProjectName, &a.CustomerName,
+			&a.Status, &a.TotalRequirements, &a.MatchedCount, &a.UnmatchedCount, &a.PartialCount,
+			&a.CreatedAt, &a.UpdatedAt)
+		analyses = append(analyses, a)
+	}
+	if analyses == nil {
+		analyses = []TenderAnalysis{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"analyses": analyses, "total": len(analyses)})
+}
+
+// GetAnalysis returns a single analysis with all details
+func (h *TenderHandlers) GetAnalysis(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var a TenderAnalysis
+	var reqJSON, matchJSON json.RawMessage
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT id, tenant_id, file_name, file_size, project_name, customer_name,
+			status, requirements, match_results,
+			total_requirements, matched_count, unmatched_count, partial_count,
+			created_at, updated_at
+		FROM tender_analyses WHERE id = $1`, id).Scan(
+		&a.ID, &a.TenantID, &a.FileName, &a.FileSize, &a.ProjectName, &a.CustomerName,
+		&a.Status, &reqJSON, &matchJSON,
+		&a.TotalRequirements, &a.MatchedCount, &a.UnmatchedCount, &a.PartialCount,
+		&a.CreatedAt, &a.UpdatedAt)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
+		return
+	}
+
+	if reqJSON != nil {
+		json.Unmarshal(reqJSON, &a.Requirements)
+	}
+	if matchJSON != nil {
+		json.Unmarshal(matchJSON, &a.MatchResults)
+	}
+
+	c.JSON(http.StatusOK, a)
+}
+
+// --- Internal helpers ---
+
+func (h *TenderHandlers) extractRequirementsWithLLM(ctx context.Context, text string) []ExtractedReq {
+	// Try Anthropic API for requirement extraction
+	apiKey := os.Getenv("ANTHROPIC_API_KEY")
+	if apiKey == "" {
+		// Fallback: simple keyword-based extraction
+		return h.extractRequirementsKeyword(text)
+	}
+
+	prompt := fmt.Sprintf(`Analysiere das folgende Ausschreibungsdokument und extrahiere alle technischen Anforderungen.
+
+Fuer jede Anforderung gib zurueck:
+- req_id: fortlaufende ID (REQ-001, REQ-002, ...)
+- text: die Anforderung als kurzer Satz
+- obligation_level: MUST, SHALL, SHOULD oder MAY
+- technical_domain: eines von: payment_flow, logging, crypto, api_security, terminal_comm, firmware, reporting, access_control, error_handling, build_deploy
+- check_target: eines von: code, system, config, process, certificate
+
+Antworte NUR mit JSON Array. Keine Erklaerung.
+
+Dokument:
+%s`, text[:min(len(text), 15000)])
+
+	body := map[string]interface{}{
+		"model":      "claude-haiku-4-5-20251001",
+		"max_tokens": 4096,
+		"messages":   []map[string]string{{"role": "user", "content": prompt}},
+	}
+	bodyJSON, _ := json.Marshal(body)
+
+	req, _ := http.NewRequestWithContext(ctx, "POST", "https://api.anthropic.com/v1/messages", strings.NewReader(string(bodyJSON)))
+	req.Header.Set("x-api-key", apiKey)
+	req.Header.Set("anthropic-version", "2023-06-01")
+	req.Header.Set("content-type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil || resp.StatusCode != 200 {
+		return h.extractRequirementsKeyword(text)
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		Content []struct {
+			Text string `json:"text"`
+		} `json:"content"`
+	}
+	json.NewDecoder(resp.Body).Decode(&result)
+
+	if len(result.Content) == 0 {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	// Parse LLM response
+	responseText := result.Content[0].Text
+	// Find JSON array in response
+	start := strings.Index(responseText, "[")
+	end := strings.LastIndex(responseText, "]")
+	if start < 0 || end < 0 {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	var reqs []ExtractedReq
+	if err := json.Unmarshal([]byte(responseText[start:end+1]), &reqs); err != nil {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	// Set confidence for LLM-extracted requirements
+	for i := range reqs {
+		reqs[i].Confidence = 0.8
+	}
+
+	return reqs
+}
+
+func (h *TenderHandlers) extractRequirementsKeyword(text string) []ExtractedReq {
+	// Simple keyword-based extraction as fallback
+	keywords := map[string]string{
+		"muss":           "MUST",
+		"muessen":        "MUST",
+		"ist sicherzustellen": "MUST",
+		"soll":           "SHOULD",
+		"sollte":         "SHOULD",
+		"kann":           "MAY",
+		"wird gefordert": "MUST",
+		"nachzuweisen":   "MUST",
+		"zertifiziert":   "MUST",
+	}
+
+	var reqs []ExtractedReq
+	lines := strings.Split(text, "\n")
+	reqNum := 1
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if len(line) < 20 || len(line) > 500 {
+			continue
+		}
+
+		for keyword, level := range keywords {
+			if strings.Contains(strings.ToLower(line), keyword) {
+				reqs = append(reqs, ExtractedReq{
+					ReqID:           fmt.Sprintf("REQ-%03d", reqNum),
+					Text:            line,
+					ObligationLevel: level,
+					TechnicalDomain: inferDomain(line),
+					CheckTarget:     inferCheckTarget(line),
+					Confidence:      0.5,
+				})
+				reqNum++
+				break
+			}
+		}
+	}
+
+	return reqs
+}
+
+func (h *TenderHandlers) findMatchingControls(req ExtractedReq) []ControlMatch {
+	var matches []ControlMatch
+
+	reqLower := strings.ToLower(req.Text + " " + req.TechnicalDomain)
+
+	for _, ctrl := range h.controls.Controls {
+		titleLower := strings.ToLower(ctrl.Title + " " + ctrl.Objective)
+		relevance := calculateRelevance(reqLower, titleLower, req.TechnicalDomain, ctrl.Domain)
+
+		if relevance > 0.3 {
+			matches = append(matches, ControlMatch{
+				ControlID:   ctrl.ControlID,
+				Title:       ctrl.Title,
+				Relevance:   relevance,
+				CheckTarget: ctrl.CheckTarget,
+			})
+		}
+	}
+
+	// Sort by relevance (simple bubble sort for small lists)
+	for i := 0; i < len(matches); i++ {
+		for j := i + 1; j < len(matches); j++ {
+			if matches[j].Relevance > matches[i].Relevance {
+				matches[i], matches[j] = matches[j], matches[i]
+			}
+		}
+	}
+
+	// Return top 5
+	if len(matches) > 5 {
+		matches = matches[:5]
+	}
+
+	return matches
+}
+
+func calculateRelevance(reqText, ctrlText, reqDomain, ctrlDomain string) float64 {
+	score := 0.0
+
+	// Domain match bonus
+	domainMap := map[string]string{
+		"payment_flow":   "PAY",
+		"logging":        "LOG",
+		"crypto":         "CRYPTO",
+		"api_security":   "API",
+		"terminal_comm":  "TERM",
+		"firmware":       "FW",
+		"reporting":      "REP",
+		"access_control": "ACC",
+		"error_handling":  "ERR",
+		"build_deploy":   "BLD",
+	}
+
+	if mapped, ok := domainMap[reqDomain]; ok && mapped == ctrlDomain {
+		score += 0.4
+	}
+
+	// Keyword overlap
+	reqWords := strings.Fields(reqText)
+	for _, word := range reqWords {
+		if len(word) > 3 && strings.Contains(ctrlText, word) {
+			score += 0.1
+		}
+	}
+
+	if score > 1.0 {
+		score = 1.0
+	}
+	return score
+}
+
+func inferDomain(text string) string {
+	textLower := strings.ToLower(text)
+	domainKeywords := map[string][]string{
+		"payment_flow":   {"zahlung", "transaktion", "buchung", "payment", "betrag"},
+		"logging":        {"log", "protokoll", "audit", "nachvollzieh"},
+		"crypto":         {"verschlüssel", "schlüssel", "krypto", "tls", "ssl", "hsm", "pin"},
+		"api_security":   {"api", "schnittstelle", "authentifiz", "autorisier"},
+		"terminal_comm":  {"terminal", "zvt", "opi", "gerät", "kontaktlos", "nfc"},
+		"firmware":       {"firmware", "update", "signatur", "boot"},
+		"reporting":      {"bericht", "report", "abrechnung", "export", "abgleich"},
+		"access_control": {"zugang", "benutzer", "passwort", "rolle", "berechtigung"},
+		"error_handling":  {"fehler", "ausfall", "recovery", "offline", "störung"},
+		"build_deploy":   {"build", "deploy", "release", "ci", "pipeline"},
+	}
+
+	for domain, keywords := range domainKeywords {
+		for _, kw := range keywords {
+			if strings.Contains(textLower, kw) {
+				return domain
+			}
+		}
+	}
+	return "general"
+}
+
+func inferCheckTarget(text string) string {
+	textLower := strings.ToLower(text)
+	if strings.Contains(textLower, "zertifik") || strings.Contains(textLower, "zulassung") {
+		return "certificate"
+	}
+	if strings.Contains(textLower, "prozess") || strings.Contains(textLower, "verfahren") {
+		return "process"
+	}
+	if strings.Contains(textLower, "konfigur") {
+		return "config"
+	}
+	return "code"
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
--- a/ai-compliance-sdk/internal/api/handlers/ucca_handlers.go
+++ b/ai-compliance-sdk/internal/api/handlers/ucca_handlers.go
@@ -1122,6 +1122,114 @@ func (h *UCCAHandlers) GetWizardSchema(c *gin.Context) {
 	})
 }

+// ============================================================================
+// AI Act Decision Tree Endpoints
+// ============================================================================
+
+// GetDecisionTree returns the decision tree structure for the frontend
+// GET /sdk/v1/ucca/decision-tree
+func (h *UCCAHandlers) GetDecisionTree(c *gin.Context) {
+	tree := ucca.BuildDecisionTreeDefinition()
+	c.JSON(http.StatusOK, tree)
+}
+
+// EvaluateDecisionTree evaluates the decision tree answers and stores the result
+// POST /sdk/v1/ucca/decision-tree/evaluate
+func (h *UCCAHandlers) EvaluateDecisionTree(c *gin.Context) {
+	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	var req ucca.DecisionTreeEvalRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if req.SystemName == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "system_name is required"})
+		return
+	}
+
+	// Evaluate
+	result := ucca.EvaluateDecisionTree(&req)
+	result.TenantID = tenantID
+
+	// Parse optional project_id
+	if projectIDStr := c.Query("project_id"); projectIDStr != "" {
+		if pid, err := uuid.Parse(projectIDStr); err == nil {
+			result.ProjectID = &pid
+		}
+	}
+
+	// Store result
+	if err := h.store.CreateDecisionTreeResult(c.Request.Context(), result); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, result)
+}
+
+// ListDecisionTreeResults returns stored decision tree results for a tenant
+// GET /sdk/v1/ucca/decision-tree/results
+func (h *UCCAHandlers) ListDecisionTreeResults(c *gin.Context) {
+	tenantID := rbac.GetTenantID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	results, err := h.store.ListDecisionTreeResults(c.Request.Context(), tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"results": results, "total": len(results)})
+}
+
+// GetDecisionTreeResult returns a single decision tree result by ID
+// GET /sdk/v1/ucca/decision-tree/results/:id
+func (h *UCCAHandlers) GetDecisionTreeResult(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	result, err := h.store.GetDecisionTreeResult(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	if result == nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, result)
+}
+
+// DeleteDecisionTreeResult deletes a decision tree result
+// DELETE /sdk/v1/ucca/decision-tree/results/:id
+func (h *UCCAHandlers) DeleteDecisionTreeResult(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	if err := h.store.DeleteDecisionTreeResult(c.Request.Context(), id); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "deleted"})
+}
+
 // ============================================================================
 // Helper functions
 // ============================================================================
--- a/ai-compliance-sdk/internal/ucca/betrvg_test.go
+++ b/ai-compliance-sdk/internal/ucca/betrvg_test.go
@@ -0,0 +1,305 @@
+package ucca
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// ============================================================================
+// BetrVG Conflict Score Tests
+// ============================================================================
+
+func TestCalculateBetrvgConflictScore_NoEmployeeData(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "Chatbot fuer Kunden-FAQ",
+		Domain:      DomainUtilities,
+		DataTypes: DataTypes{
+			PersonalData: false,
+			PublicData:   true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.BetrvgConflictScore != 0 {
+		t.Errorf("Expected BetrvgConflictScore 0 for non-employee case, got %d", result.BetrvgConflictScore)
+	}
+	if result.BetrvgConsultationRequired {
+		t.Error("Expected BetrvgConsultationRequired=false for non-employee case")
+	}
+}
+
+func TestCalculateBetrvgConflictScore_EmployeeMonitoring(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "Teams Analytics mit Nutzungsstatistiken pro Mitarbeiter",
+		Domain:      DomainIT,
+		DataTypes: DataTypes{
+			PersonalData: true,
+			EmployeeData: true,
+		},
+		EmployeeMonitoring: true,
+	}
+
+	result := engine.Evaluate(intake)
+
+	// employee_data(+10) + employee_monitoring(+20) + not_consulted(+5) = 35
+	if result.BetrvgConflictScore < 30 {
+		t.Errorf("Expected BetrvgConflictScore >= 30 for employee monitoring, got %d", result.BetrvgConflictScore)
+	}
+	if !result.BetrvgConsultationRequired {
+		t.Error("Expected BetrvgConsultationRequired=true for employee monitoring")
+	}
+}
+
+func TestCalculateBetrvgConflictScore_HRDecisionSupport(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI-gestuetztes Bewerber-Screening",
+		Domain:      DomainHR,
+		DataTypes: DataTypes{
+			PersonalData: true,
+			EmployeeData: true,
+		},
+		EmployeeMonitoring: true,
+		HRDecisionSupport:  true,
+		Automation:         "fully_automated",
+		Outputs: Outputs{
+			Rankings: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	// employee_data(+10) + monitoring(+20) + hr(+20) + rankings(+10) + fully_auto(+10) + not_consulted(+5) = 75
+	if result.BetrvgConflictScore < 70 {
+		t.Errorf("Expected BetrvgConflictScore >= 70 for HR+monitoring+automated, got %d", result.BetrvgConflictScore)
+	}
+	if !result.BetrvgConsultationRequired {
+		t.Error("Expected BetrvgConsultationRequired=true")
+	}
+}
+
+func TestCalculateBetrvgConflictScore_ConsultedReducesScore(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	// Same as above but works council consulted
+	intakeNotConsulted := &UseCaseIntake{
+		UseCaseText: "Teams mit Nutzungsstatistiken",
+		Domain:      DomainIT,
+		DataTypes: DataTypes{
+			PersonalData: true,
+			EmployeeData: true,
+		},
+		EmployeeMonitoring:    true,
+		WorksCouncilConsulted: false,
+	}
+
+	intakeConsulted := &UseCaseIntake{
+		UseCaseText: "Teams mit Nutzungsstatistiken",
+		Domain:      DomainIT,
+		DataTypes: DataTypes{
+			PersonalData: true,
+			EmployeeData: true,
+		},
+		EmployeeMonitoring:    true,
+		WorksCouncilConsulted: true,
+	}
+
+	resultNot := engine.Evaluate(intakeNotConsulted)
+	resultYes := engine.Evaluate(intakeConsulted)
+
+	if resultYes.BetrvgConflictScore >= resultNot.BetrvgConflictScore {
+		t.Errorf("Expected consulted score (%d) < not-consulted score (%d)",
+			resultYes.BetrvgConflictScore, resultNot.BetrvgConflictScore)
+	}
+}
+
+// ============================================================================
+// BetrVG Escalation Tests
+// ============================================================================
+
+func TestEscalation_BetrvgHighConflict_E3(t *testing.T) {
+	trigger := DefaultEscalationTrigger()
+
+	result := &AssessmentResult{
+		Feasibility:              FeasibilityCONDITIONAL,
+		RiskLevel:                RiskLevelMEDIUM,
+		RiskScore:                45,
+		BetrvgConflictScore:      80,
+		BetrvgConsultationRequired: true,
+		Intake: UseCaseIntake{
+			WorksCouncilConsulted: false,
+		},
+		TriggeredRules: []TriggeredRule{
+			{Code: "R-WARN-001", Severity: "WARN"},
+		},
+	}
+
+	level, reason := trigger.DetermineEscalationLevel(result)
+
+	if level != EscalationLevelE3 {
+		t.Errorf("Expected E3 for high BR conflict without consultation, got %s (reason: %s)", level, reason)
+	}
+}
+
+func TestEscalation_BetrvgMediumConflict_E2(t *testing.T) {
+	trigger := DefaultEscalationTrigger()
+
+	result := &AssessmentResult{
+		Feasibility:              FeasibilityCONDITIONAL,
+		RiskLevel:                RiskLevelLOW,
+		RiskScore:                25,
+		BetrvgConflictScore:      55,
+		BetrvgConsultationRequired: true,
+		Intake: UseCaseIntake{
+			WorksCouncilConsulted: false,
+		},
+		TriggeredRules: []TriggeredRule{
+			{Code: "R-WARN-001", Severity: "WARN"},
+		},
+	}
+
+	level, reason := trigger.DetermineEscalationLevel(result)
+
+	if level != EscalationLevelE2 {
+		t.Errorf("Expected E2 for medium BR conflict without consultation, got %s (reason: %s)", level, reason)
+	}
+}
+
+func TestEscalation_BetrvgConsulted_NoEscalation(t *testing.T) {
+	trigger := DefaultEscalationTrigger()
+
+	result := &AssessmentResult{
+		Feasibility:              FeasibilityYES,
+		RiskLevel:                RiskLevelLOW,
+		RiskScore:                15,
+		BetrvgConflictScore:      55,
+		BetrvgConsultationRequired: true,
+		Intake: UseCaseIntake{
+			WorksCouncilConsulted: true,
+		},
+		TriggeredRules: []TriggeredRule{},
+	}
+
+	level, _ := trigger.DetermineEscalationLevel(result)
+
+	// With consultation done and low risk, should not escalate for BR reasons
+	if level == EscalationLevelE3 {
+		t.Error("Should not escalate to E3 when works council is consulted")
+	}
+}
+
+// ============================================================================
+// BetrVG V2 Obligations Loading Test
+// ============================================================================
+
+func TestBetrvgV2_LoadsFromManifest(t *testing.T) {
+	root := getProjectRoot(t)
+	v2Dir := filepath.Join(root, "policies", "obligations", "v2")
+
+	// Check file exists
+	betrvgPath := filepath.Join(v2Dir, "betrvg_v2.json")
+	if _, err := os.Stat(betrvgPath); os.IsNotExist(err) {
+		t.Fatal("betrvg_v2.json not found in policies/obligations/v2/")
+	}
+
+	// Load all v2 regulations
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	betrvg, ok := regs["betrvg"]
+	if !ok {
+		t.Fatal("betrvg not found in loaded regulations")
+	}
+
+	if betrvg.Regulation != "betrvg" {
+		t.Errorf("Expected regulation 'betrvg', got '%s'", betrvg.Regulation)
+	}
+
+	if len(betrvg.Obligations) < 10 {
+		t.Errorf("Expected at least 10 BetrVG obligations, got %d", len(betrvg.Obligations))
+	}
+
+	// Check first obligation has correct structure
+	obl := betrvg.Obligations[0]
+	if obl.ID != "BETRVG-OBL-001" {
+		t.Errorf("Expected first obligation ID 'BETRVG-OBL-001', got '%s'", obl.ID)
+	}
+	if len(obl.LegalBasis) == 0 {
+		t.Error("Expected legal basis for first obligation")
+	}
+	if obl.LegalBasis[0].Norm != "BetrVG" {
+		t.Errorf("Expected norm 'BetrVG', got '%s'", obl.LegalBasis[0].Norm)
+	}
+}
+
+func TestBetrvgApplicability_Germany(t *testing.T) {
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	betrvgReg := regs["betrvg"]
+	module := NewJSONRegulationModule(betrvgReg)
+
+	// German company with 50 employees — should be applicable
+	factsDE := &UnifiedFacts{
+		Organization: OrganizationFacts{
+			Country:       "DE",
+			EmployeeCount: 50,
+		},
+	}
+	if !module.IsApplicable(factsDE) {
+		t.Error("BetrVG should be applicable for German company with 50 employees")
+	}
+
+	// US company — should NOT be applicable
+	factsUS := &UnifiedFacts{
+		Organization: OrganizationFacts{
+			Country:       "US",
+			EmployeeCount: 50,
+		},
+	}
+	if module.IsApplicable(factsUS) {
+		t.Error("BetrVG should NOT be applicable for US company")
+	}
+
+	// German company with 3 employees — should NOT be applicable (threshold 5)
+	factsSmall := &UnifiedFacts{
+		Organization: OrganizationFacts{
+			Country:       "DE",
+			EmployeeCount: 3,
+		},
+	}
+	if module.IsApplicable(factsSmall) {
+		t.Error("BetrVG should NOT be applicable for company with < 5 employees")
+	}
+}
--- a/ai-compliance-sdk/internal/ucca/decision_tree_engine.go
+++ b/ai-compliance-sdk/internal/ucca/decision_tree_engine.go
@@ -0,0 +1,325 @@
+package ucca
+
+// ============================================================================
+// AI Act Decision Tree Engine
+// ============================================================================
+//
+// Two-axis classification:
+//   Axis 1 (Q1–Q7): High-Risk classification based on Annex III
+//   Axis 2 (Q8–Q12): GPAI classification based on Art. 51–56
+//
+// Deterministic evaluation — no LLM involved.
+//
+// ============================================================================
+
+// Question IDs
+const (
+	Q1  = "Q1"  // Uses AI?
+	Q2  = "Q2"  // Biometric identification?
+	Q3  = "Q3"  // Critical infrastructure?
+	Q4  = "Q4"  // Education / employment / HR?
+	Q5  = "Q5"  // Essential services (credit, insurance)?
+	Q6  = "Q6"  // Law enforcement / migration / justice?
+	Q7  = "Q7"  // Autonomous decisions with legal effect?
+	Q8  = "Q8"  // Foundation Model / GPAI?
+	Q9  = "Q9"  // Generates content (text, image, code, audio)?
+	Q10 = "Q10" // Trained with >10^25 FLOP?
+	Q11 = "Q11" // Model provided as API/service for third parties?
+	Q12 = "Q12" // Significant EU market penetration?
+)
+
+// BuildDecisionTreeDefinition returns the full decision tree structure for the frontend
+func BuildDecisionTreeDefinition() *DecisionTreeDefinition {
+	return &DecisionTreeDefinition{
+		ID:      "ai_act_two_axis",
+		Name:    "AI Act Zwei-Achsen-Klassifikation",
+		Version: "1.0.0",
+		Questions: []DecisionTreeQuestion{
+			// === Axis 1: High-Risk (Annex III) ===
+			{
+				ID:          Q1,
+				Axis:        "high_risk",
+				Question:    "Setzt Ihr System KI-Technologie ein?",
+				Description: "KI im Sinne des AI Act umfasst maschinelles Lernen, logik- und wissensbasierte Ansätze sowie statistische Methoden, die für eine gegebene Reihe von Zielen Ergebnisse wie Inhalte, Vorhersagen, Empfehlungen oder Entscheidungen erzeugen.",
+				ArticleRef:  "Art. 3 Nr. 1",
+			},
+			{
+				ID:          Q2,
+				Axis:        "high_risk",
+				Question:    "Wird das System für biometrische Identifikation oder Kategorisierung natürlicher Personen verwendet?",
+				Description: "Dazu zählen Gesichtserkennung, Stimmerkennung, Fingerabdruck-Analyse, Gangerkennung oder andere biometrische Merkmale zur Identifikation oder Kategorisierung.",
+				ArticleRef:  "Anhang III Nr. 1",
+				SkipIf:      Q1,
+			},
+			{
+				ID:          Q3,
+				Axis:        "high_risk",
+				Question:    "Wird das System in kritischer Infrastruktur eingesetzt (Energie, Verkehr, Wasser, digitale Infrastruktur)?",
+				Description: "Betrifft KI-Systeme als Sicherheitskomponenten in der Verwaltung und dem Betrieb kritischer digitaler Infrastruktur, des Straßenverkehrs oder der Wasser-, Gas-, Heizungs- oder Stromversorgung.",
+				ArticleRef:  "Anhang III Nr. 2",
+				SkipIf:      Q1,
+			},
+			{
+				ID:          Q4,
+				Axis:        "high_risk",
+				Question:    "Betrifft das System Bildung, Beschäftigung oder Personalmanagement?",
+				Description: "KI zur Festlegung des Zugangs zu Bildungseinrichtungen, Bewertung von Prüfungsleistungen, Bewerbungsauswahl, Beförderungsentscheidungen oder Überwachung von Arbeitnehmern.",
+				ArticleRef:  "Anhang III Nr. 3–4",
+				SkipIf:      Q1,
+			},
+			{
+				ID:          Q5,
+				Axis:        "high_risk",
+				Question:    "Betrifft das System den Zugang zu wesentlichen Diensten (Kreditvergabe, Versicherung, öffentliche Leistungen)?",
+				Description: "KI zur Bonitätsbewertung, Risikobewertung bei Versicherungen, Bewertung der Anspruchsberechtigung für öffentliche Unterstützungsleistungen oder Notdienste.",
+				ArticleRef:  "Anhang III Nr. 5",
+				SkipIf:      Q1,
+			},
+			{
+				ID:          Q6,
+				Axis:        "high_risk",
+				Question:    "Wird das System in Strafverfolgung, Migration, Asyl oder Justiz eingesetzt?",
+				Description: "KI für Lügendetektoren, Beweisbewertung, Rückfallprognose, Asylentscheidungen, Grenzkontrolle, Risikobewertung bei Migration oder Unterstützung der Rechtspflege.",
+				ArticleRef:  "Anhang III Nr. 6–8",
+				SkipIf:      Q1,
+			},
+			{
+				ID:          Q7,
+				Axis:        "high_risk",
+				Question:    "Trifft das System autonome Entscheidungen mit rechtlicher Wirkung für natürliche Personen?",
+				Description: "Entscheidungen, die Rechtsverhältnisse begründen, ändern oder aufheben, z.B. Kreditablehnungen, Kündigungen, Sozialleistungsentscheidungen — ohne menschliche Überprüfung im Einzelfall.",
+				ArticleRef:  "Art. 22 DSGVO / Art. 14 AI Act",
+				SkipIf:      Q1,
+			},
+
+			// === Axis 2: GPAI (Art. 51–56) ===
+			{
+				ID:          Q8,
+				Axis:        "gpai",
+				Question:    "Stellst du ein KI-Modell fuer Dritte bereit (API / Plattform / SDK), das fuer viele verschiedene Zwecke einsetzbar ist?",
+				Description: "GPAI-Pflichten (Art. 51-56) gelten fuer den Modellanbieter, nicht den API-Nutzer. Wenn du nur eine API nutzt (z.B. OpenAI, Claude), bist du kein GPAI-Anbieter. GPAI-Anbieter ist, wer ein Modell trainiert/fine-tuned und Dritten zur Verfuegung stellt. Beispiele: GPT, Claude, LLaMA, Gemini, Stable Diffusion.",
+				ArticleRef:  "Art. 3 Nr. 63 / Art. 51",
+			},
+			{
+				ID:          Q9,
+				Axis:        "gpai",
+				Question:    "Kann das System Inhalte generieren (Text, Bild, Code, Audio, Video)?",
+				Description: "Generative KI erzeugt neue Inhalte auf Basis von Eingaben — dazu zählen Chatbots, Bild-/Videogeneratoren, Code-Assistenten, Sprachsynthese und ähnliche Systeme.",
+				ArticleRef:  "Art. 50 / Art. 52",
+				SkipIf:      Q8,
+			},
+			{
+				ID:          Q10,
+				Axis:        "gpai",
+				Question:    "Wurde das Modell mit mehr als 10²⁵ FLOP trainiert oder hat es gleichwertige Fähigkeiten?",
+				Description: "GPAI-Modelle mit einem kumulativen Rechenaufwand von mehr als 10²⁵ Gleitkommaoperationen gelten als Modelle mit systemischem Risiko (Art. 51 Abs. 2).",
+				ArticleRef:  "Art. 51 Abs. 2",
+				SkipIf:      Q8,
+			},
+			{
+				ID:          Q11,
+				Axis:        "gpai",
+				Question:    "Wird das Modell als API oder Service für Dritte bereitgestellt?",
+				Description: "Stellen Sie das Modell anderen Unternehmen oder Entwicklern zur Nutzung bereit (API, SaaS, Plattform-Integration)?",
+				ArticleRef:  "Art. 53",
+				SkipIf:      Q8,
+			},
+			{
+				ID:          Q12,
+				Axis:        "gpai",
+				Question:    "Hat das Modell eine signifikante Marktdurchdringung in der EU (>10.000 registrierte Geschäftsnutzer)?",
+				Description: "Modelle mit hoher Marktdurchdringung können auch ohne 10²⁵ FLOP als systemisches Risiko eingestuft werden, wenn die EU-Kommission dies feststellt.",
+				ArticleRef:  "Art. 51 Abs. 3",
+				SkipIf:      Q8,
+			},
+		},
+	}
+}
+
+// EvaluateDecisionTree evaluates the answers and returns the combined result
+func EvaluateDecisionTree(req *DecisionTreeEvalRequest) *DecisionTreeResult {
+	result := &DecisionTreeResult{
+		SystemName:        req.SystemName,
+		SystemDescription: req.SystemDescription,
+		Answers:           req.Answers,
+	}
+
+	// Evaluate Axis 1: High-Risk
+	result.HighRiskResult = evaluateHighRiskAxis(req.Answers)
+
+	// Evaluate Axis 2: GPAI
+	result.GPAIResult = evaluateGPAIAxis(req.Answers)
+
+	// Combine obligations and articles
+	result.CombinedObligations = combineObligations(result.HighRiskResult, result.GPAIResult)
+	result.ApplicableArticles = combineArticles(result.HighRiskResult, result.GPAIResult)
+
+	return result
+}
+
+// evaluateHighRiskAxis determines the AI Act risk level from Q1–Q7
+func evaluateHighRiskAxis(answers map[string]DecisionTreeAnswer) AIActRiskLevel {
+	// Q1: Uses AI at all?
+	if !answerIsYes(answers, Q1) {
+		return AIActNotApplicable
+	}
+
+	// Q2–Q6: Annex III high-risk categories
+	if answerIsYes(answers, Q2) || answerIsYes(answers, Q3) ||
+		answerIsYes(answers, Q4) || answerIsYes(answers, Q5) ||
+		answerIsYes(answers, Q6) {
+		return AIActHighRisk
+	}
+
+	// Q7: Autonomous decisions with legal effect
+	if answerIsYes(answers, Q7) {
+		return AIActHighRisk
+	}
+
+	// AI is used but no high-risk category triggered
+	return AIActMinimalRisk
+}
+
+// evaluateGPAIAxis determines the GPAI classification from Q8–Q12
+func evaluateGPAIAxis(answers map[string]DecisionTreeAnswer) GPAIClassification {
+	gpai := GPAIClassification{
+		Category:           GPAICategoryNone,
+		ApplicableArticles: []string{},
+		Obligations:        []string{},
+	}
+
+	// Q8: Is GPAI?
+	if !answerIsYes(answers, Q8) {
+		return gpai
+	}
+
+	gpai.IsGPAI = true
+	gpai.Category = GPAICategoryStandard
+	gpai.ApplicableArticles = append(gpai.ApplicableArticles, "Art. 51", "Art. 53")
+	gpai.Obligations = append(gpai.Obligations,
+		"Technische Dokumentation erstellen (Art. 53 Abs. 1a)",
+		"Informationen für nachgelagerte Anbieter bereitstellen (Art. 53 Abs. 1b)",
+		"Urheberrechtsrichtlinie einhalten (Art. 53 Abs. 1c)",
+		"Trainingsdaten-Zusammenfassung veröffentlichen (Art. 53 Abs. 1d)",
+	)
+
+	// Q9: Generative AI — adds transparency obligations
+	if answerIsYes(answers, Q9) {
+		gpai.ApplicableArticles = append(gpai.ApplicableArticles, "Art. 50")
+		gpai.Obligations = append(gpai.Obligations,
+			"KI-generierte Inhalte kennzeichnen (Art. 50 Abs. 2)",
+			"Maschinenlesbare Kennzeichnung synthetischer Inhalte (Art. 50 Abs. 2)",
+		)
+	}
+
+	// Q10: Systemic risk threshold (>10^25 FLOP)
+	if answerIsYes(answers, Q10) {
+		gpai.IsSystemicRisk = true
+		gpai.Category = GPAICategorySystemic
+		gpai.ApplicableArticles = append(gpai.ApplicableArticles, "Art. 55")
+		gpai.Obligations = append(gpai.Obligations,
+			"Modellbewertung nach Stand der Technik durchführen (Art. 55 Abs. 1a)",
+			"Systemische Risiken bewerten und mindern (Art. 55 Abs. 1b)",
+			"Schwerwiegende Vorfälle melden (Art. 55 Abs. 1c)",
+			"Angemessenes Cybersicherheitsniveau gewährleisten (Art. 55 Abs. 1d)",
+		)
+	}
+
+	// Q11: API/Service provider — additional downstream obligations
+	if answerIsYes(answers, Q11) {
+		gpai.Obligations = append(gpai.Obligations,
+			"Downstream-Informationspflichten erfüllen (Art. 53 Abs. 1b)",
+		)
+	}
+
+	// Q12: Significant market penetration — potential systemic risk
+	if answerIsYes(answers, Q12) && !gpai.IsSystemicRisk {
+		// EU Commission can designate as systemic risk
+		gpai.ApplicableArticles = append(gpai.ApplicableArticles, "Art. 51 Abs. 3")
+		gpai.Obligations = append(gpai.Obligations,
+			"Achtung: EU-Kommission kann GPAI mit hoher Marktdurchdringung als systemisches Risiko einstufen (Art. 51 Abs. 3)",
+		)
+	}
+
+	return gpai
+}
+
+// combineObligations merges obligations from both axes
+func combineObligations(highRisk AIActRiskLevel, gpai GPAIClassification) []string {
+	var obligations []string
+
+	// High-Risk obligations
+	switch highRisk {
+	case AIActHighRisk:
+		obligations = append(obligations,
+			"Risikomanagementsystem einrichten (Art. 9)",
+			"Daten-Governance sicherstellen (Art. 10)",
+			"Technische Dokumentation erstellen (Art. 11)",
+			"Protokollierungsfunktion implementieren (Art. 12)",
+			"Transparenz und Nutzerinformation (Art. 13)",
+			"Menschliche Aufsicht ermöglichen (Art. 14)",
+			"Genauigkeit, Robustheit und Cybersicherheit (Art. 15)",
+			"EU-Datenbank-Registrierung (Art. 49)",
+		)
+	case AIActMinimalRisk:
+		obligations = append(obligations,
+			"Freiwillige Verhaltenskodizes empfohlen (Art. 95)",
+		)
+	case AIActNotApplicable:
+		// No obligations
+	}
+
+	// GPAI obligations
+	obligations = append(obligations, gpai.Obligations...)
+
+	// Universal obligation for all AI users
+	if highRisk != AIActNotApplicable {
+		obligations = append(obligations,
+			"KI-Kompetenz sicherstellen (Art. 4)",
+			"Verbotene Praktiken vermeiden (Art. 5)",
+		)
+	}
+
+	return obligations
+}
+
+// combineArticles merges applicable articles from both axes
+func combineArticles(highRisk AIActRiskLevel, gpai GPAIClassification) []string {
+	articles := map[string]bool{}
+
+	// Universal
+	if highRisk != AIActNotApplicable {
+		articles["Art. 4"] = true
+		articles["Art. 5"] = true
+	}
+
+	// High-Risk
+	switch highRisk {
+	case AIActHighRisk:
+		for _, a := range []string{"Art. 9", "Art. 10", "Art. 11", "Art. 12", "Art. 13", "Art. 14", "Art. 15", "Art. 26", "Art. 49"} {
+			articles[a] = true
+		}
+	case AIActMinimalRisk:
+		articles["Art. 95"] = true
+	}
+
+	// GPAI
+	for _, a := range gpai.ApplicableArticles {
+		articles[a] = true
+	}
+
+	var result []string
+	for a := range articles {
+		result = append(result, a)
+	}
+	return result
+}
+
+// answerIsYes checks if a question was answered with "yes" (true)
+func answerIsYes(answers map[string]DecisionTreeAnswer, questionID string) bool {
+	a, ok := answers[questionID]
+	if !ok {
+		return false
+	}
+	return a.Value
+}
--- a/ai-compliance-sdk/internal/ucca/decision_tree_engine_test.go
+++ b/ai-compliance-sdk/internal/ucca/decision_tree_engine_test.go
@@ -0,0 +1,420 @@
+package ucca
+
+import (
+	"testing"
+)
+
+func TestBuildDecisionTreeDefinition_ReturnsValidTree(t *testing.T) {
+	tree := BuildDecisionTreeDefinition()
+
+	if tree == nil {
+		t.Fatal("Expected non-nil tree definition")
+	}
+	if tree.ID != "ai_act_two_axis" {
+		t.Errorf("Expected ID 'ai_act_two_axis', got '%s'", tree.ID)
+	}
+	if tree.Version != "1.0.0" {
+		t.Errorf("Expected version '1.0.0', got '%s'", tree.Version)
+	}
+	if len(tree.Questions) != 12 {
+		t.Errorf("Expected 12 questions, got %d", len(tree.Questions))
+	}
+
+	// Check axis distribution
+	hrCount := 0
+	gpaiCount := 0
+	for _, q := range tree.Questions {
+		switch q.Axis {
+		case "high_risk":
+			hrCount++
+		case "gpai":
+			gpaiCount++
+		default:
+			t.Errorf("Unexpected axis '%s' for question %s", q.Axis, q.ID)
+		}
+	}
+	if hrCount != 7 {
+		t.Errorf("Expected 7 high_risk questions, got %d", hrCount)
+	}
+	if gpaiCount != 5 {
+		t.Errorf("Expected 5 gpai questions, got %d", gpaiCount)
+	}
+
+	// Check all questions have required fields
+	for _, q := range tree.Questions {
+		if q.ID == "" {
+			t.Error("Question has empty ID")
+		}
+		if q.Question == "" {
+			t.Errorf("Question %s has empty question text", q.ID)
+		}
+		if q.Description == "" {
+			t.Errorf("Question %s has empty description", q.ID)
+		}
+		if q.ArticleRef == "" {
+			t.Errorf("Question %s has empty article_ref", q.ID)
+		}
+	}
+}
+
+func TestEvaluateDecisionTree_NotApplicable(t *testing.T) {
+	// Q1=No → AI Act not applicable
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Test System",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActNotApplicable {
+		t.Errorf("Expected not_applicable, got %s", result.HighRiskResult)
+	}
+	if result.GPAIResult.IsGPAI {
+		t.Error("Expected GPAI to be false when Q8 is not answered")
+	}
+	if result.SystemName != "Test System" {
+		t.Errorf("Expected system name 'Test System', got '%s'", result.SystemName)
+	}
+}
+
+func TestEvaluateDecisionTree_MinimalRisk(t *testing.T) {
+	// Q1=Yes, Q2-Q7=No → minimal risk
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Simple Tool",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q2: {QuestionID: Q2, Value: false},
+			Q3: {QuestionID: Q3, Value: false},
+			Q4: {QuestionID: Q4, Value: false},
+			Q5: {QuestionID: Q5, Value: false},
+			Q6: {QuestionID: Q6, Value: false},
+			Q7: {QuestionID: Q7, Value: false},
+			Q8: {QuestionID: Q8, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActMinimalRisk {
+		t.Errorf("Expected minimal_risk, got %s", result.HighRiskResult)
+	}
+	if result.GPAIResult.IsGPAI {
+		t.Error("Expected GPAI to be false")
+	}
+	if result.GPAIResult.Category != GPAICategoryNone {
+		t.Errorf("Expected GPAI category 'none', got '%s'", result.GPAIResult.Category)
+	}
+}
+
+func TestEvaluateDecisionTree_HighRisk_Biometric(t *testing.T) {
+	// Q1=Yes, Q2=Yes → high risk (biometric)
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Face Recognition",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q2: {QuestionID: Q2, Value: true},
+			Q3: {QuestionID: Q3, Value: false},
+			Q4: {QuestionID: Q4, Value: false},
+			Q5: {QuestionID: Q5, Value: false},
+			Q6: {QuestionID: Q6, Value: false},
+			Q7: {QuestionID: Q7, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActHighRisk {
+		t.Errorf("Expected high_risk, got %s", result.HighRiskResult)
+	}
+
+	// Should have high-risk obligations
+	if len(result.CombinedObligations) == 0 {
+		t.Error("Expected non-empty obligations for high-risk system")
+	}
+}
+
+func TestEvaluateDecisionTree_HighRisk_CriticalInfrastructure(t *testing.T) {
+	// Q1=Yes, Q3=Yes → high risk (critical infrastructure)
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Energy Grid AI",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q2: {QuestionID: Q2, Value: false},
+			Q3: {QuestionID: Q3, Value: true},
+			Q4: {QuestionID: Q4, Value: false},
+			Q5: {QuestionID: Q5, Value: false},
+			Q6: {QuestionID: Q6, Value: false},
+			Q7: {QuestionID: Q7, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActHighRisk {
+		t.Errorf("Expected high_risk, got %s", result.HighRiskResult)
+	}
+}
+
+func TestEvaluateDecisionTree_HighRisk_Education(t *testing.T) {
+	// Q1=Yes, Q4=Yes → high risk (education/employment)
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Exam Grading AI",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q2: {QuestionID: Q2, Value: false},
+			Q3: {QuestionID: Q3, Value: false},
+			Q4: {QuestionID: Q4, Value: true},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActHighRisk {
+		t.Errorf("Expected high_risk, got %s", result.HighRiskResult)
+	}
+}
+
+func TestEvaluateDecisionTree_HighRisk_AutonomousDecisions(t *testing.T) {
+	// Q1=Yes, Q7=Yes → high risk (autonomous decisions)
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Credit Scoring AI",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q2: {QuestionID: Q2, Value: false},
+			Q3: {QuestionID: Q3, Value: false},
+			Q4: {QuestionID: Q4, Value: false},
+			Q5: {QuestionID: Q5, Value: false},
+			Q6: {QuestionID: Q6, Value: false},
+			Q7: {QuestionID: Q7, Value: true},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.HighRiskResult != AIActHighRisk {
+		t.Errorf("Expected high_risk, got %s", result.HighRiskResult)
+	}
+}
+
+func TestEvaluateDecisionTree_GPAI_Standard(t *testing.T) {
+	// Q8=Yes, Q10=No → GPAI standard
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Custom LLM",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1:  {QuestionID: Q1, Value: true},
+			Q8:  {QuestionID: Q8, Value: true},
+			Q9:  {QuestionID: Q9, Value: true},
+			Q10: {QuestionID: Q10, Value: false},
+			Q11: {QuestionID: Q11, Value: false},
+			Q12: {QuestionID: Q12, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if !result.GPAIResult.IsGPAI {
+		t.Error("Expected IsGPAI to be true")
+	}
+	if result.GPAIResult.Category != GPAICategoryStandard {
+		t.Errorf("Expected category 'standard', got '%s'", result.GPAIResult.Category)
+	}
+	if result.GPAIResult.IsSystemicRisk {
+		t.Error("Expected IsSystemicRisk to be false")
+	}
+
+	// Should have Art. 51, 53, 50 (generative)
+	hasArt51 := false
+	hasArt53 := false
+	hasArt50 := false
+	for _, a := range result.GPAIResult.ApplicableArticles {
+		if a == "Art. 51" {
+			hasArt51 = true
+		}
+		if a == "Art. 53" {
+			hasArt53 = true
+		}
+		if a == "Art. 50" {
+			hasArt50 = true
+		}
+	}
+	if !hasArt51 {
+		t.Error("Expected Art. 51 in applicable articles")
+	}
+	if !hasArt53 {
+		t.Error("Expected Art. 53 in applicable articles")
+	}
+	if !hasArt50 {
+		t.Error("Expected Art. 50 in applicable articles (generative AI)")
+	}
+}
+
+func TestEvaluateDecisionTree_GPAI_SystemicRisk(t *testing.T) {
+	// Q8=Yes, Q10=Yes → GPAI systemic risk
+	req := &DecisionTreeEvalRequest{
+		SystemName: "GPT-5",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1:  {QuestionID: Q1, Value: true},
+			Q8:  {QuestionID: Q8, Value: true},
+			Q9:  {QuestionID: Q9, Value: true},
+			Q10: {QuestionID: Q10, Value: true},
+			Q11: {QuestionID: Q11, Value: true},
+			Q12: {QuestionID: Q12, Value: true},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if !result.GPAIResult.IsGPAI {
+		t.Error("Expected IsGPAI to be true")
+	}
+	if result.GPAIResult.Category != GPAICategorySystemic {
+		t.Errorf("Expected category 'systemic', got '%s'", result.GPAIResult.Category)
+	}
+	if !result.GPAIResult.IsSystemicRisk {
+		t.Error("Expected IsSystemicRisk to be true")
+	}
+
+	// Should have Art. 55
+	hasArt55 := false
+	for _, a := range result.GPAIResult.ApplicableArticles {
+		if a == "Art. 55" {
+			hasArt55 = true
+		}
+	}
+	if !hasArt55 {
+		t.Error("Expected Art. 55 in applicable articles (systemic risk)")
+	}
+}
+
+func TestEvaluateDecisionTree_Combined_HighRiskAndGPAI(t *testing.T) {
+	// Q1=Yes, Q4=Yes (high risk) + Q8=Yes, Q9=Yes (GPAI standard)
+	req := &DecisionTreeEvalRequest{
+		SystemName:        "HR Screening with LLM",
+		SystemDescription: "LLM-based applicant screening system",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1:  {QuestionID: Q1, Value: true},
+			Q2:  {QuestionID: Q2, Value: false},
+			Q3:  {QuestionID: Q3, Value: false},
+			Q4:  {QuestionID: Q4, Value: true},
+			Q5:  {QuestionID: Q5, Value: false},
+			Q6:  {QuestionID: Q6, Value: false},
+			Q7:  {QuestionID: Q7, Value: true},
+			Q8:  {QuestionID: Q8, Value: true},
+			Q9:  {QuestionID: Q9, Value: true},
+			Q10: {QuestionID: Q10, Value: false},
+			Q11: {QuestionID: Q11, Value: false},
+			Q12: {QuestionID: Q12, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	// Both axes should be triggered
+	if result.HighRiskResult != AIActHighRisk {
+		t.Errorf("Expected high_risk, got %s", result.HighRiskResult)
+	}
+	if !result.GPAIResult.IsGPAI {
+		t.Error("Expected GPAI to be true")
+	}
+	if result.GPAIResult.Category != GPAICategoryStandard {
+		t.Errorf("Expected GPAI category 'standard', got '%s'", result.GPAIResult.Category)
+	}
+
+	// Combined obligations should include both axes
+	if len(result.CombinedObligations) < 5 {
+		t.Errorf("Expected at least 5 combined obligations, got %d", len(result.CombinedObligations))
+	}
+
+	// Should have articles from both axes
+	if len(result.ApplicableArticles) < 3 {
+		t.Errorf("Expected at least 3 applicable articles, got %d", len(result.ApplicableArticles))
+	}
+
+	// Check system name preserved
+	if result.SystemName != "HR Screening with LLM" {
+		t.Errorf("Expected system name preserved, got '%s'", result.SystemName)
+	}
+	if result.SystemDescription != "LLM-based applicant screening system" {
+		t.Errorf("Expected description preserved, got '%s'", result.SystemDescription)
+	}
+}
+
+func TestEvaluateDecisionTree_GPAI_MarketPenetration(t *testing.T) {
+	// Q8=Yes, Q10=No, Q12=Yes → GPAI standard with market penetration warning
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Popular Chatbot",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1:  {QuestionID: Q1, Value: true},
+			Q8:  {QuestionID: Q8, Value: true},
+			Q9:  {QuestionID: Q9, Value: true},
+			Q10: {QuestionID: Q10, Value: false},
+			Q11: {QuestionID: Q11, Value: true},
+			Q12: {QuestionID: Q12, Value: true},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.GPAIResult.Category != GPAICategoryStandard {
+		t.Errorf("Expected category 'standard' (not systemic because Q10=No), got '%s'", result.GPAIResult.Category)
+	}
+
+	// Should have Art. 51 Abs. 3 warning
+	hasArt51_3 := false
+	for _, a := range result.GPAIResult.ApplicableArticles {
+		if a == "Art. 51 Abs. 3" {
+			hasArt51_3 = true
+		}
+	}
+	if !hasArt51_3 {
+		t.Error("Expected Art. 51 Abs. 3 in applicable articles for high market penetration")
+	}
+}
+
+func TestEvaluateDecisionTree_NoGPAI(t *testing.T) {
+	// Q8=No → No GPAI classification
+	req := &DecisionTreeEvalRequest{
+		SystemName: "Traditional ML",
+		Answers: map[string]DecisionTreeAnswer{
+			Q1: {QuestionID: Q1, Value: true},
+			Q8: {QuestionID: Q8, Value: false},
+		},
+	}
+
+	result := EvaluateDecisionTree(req)
+
+	if result.GPAIResult.IsGPAI {
+		t.Error("Expected IsGPAI to be false")
+	}
+	if result.GPAIResult.Category != GPAICategoryNone {
+		t.Errorf("Expected category 'none', got '%s'", result.GPAIResult.Category)
+	}
+	if len(result.GPAIResult.Obligations) != 0 {
+		t.Errorf("Expected 0 GPAI obligations, got %d", len(result.GPAIResult.Obligations))
+	}
+}
+
+func TestAnswerIsYes(t *testing.T) {
+	tests := []struct {
+		name     string
+		answers  map[string]DecisionTreeAnswer
+		qID      string
+		expected bool
+	}{
+		{"yes answer", map[string]DecisionTreeAnswer{"Q1": {Value: true}}, "Q1", true},
+		{"no answer", map[string]DecisionTreeAnswer{"Q1": {Value: false}}, "Q1", false},
+		{"missing answer", map[string]DecisionTreeAnswer{}, "Q1", false},
+		{"different question", map[string]DecisionTreeAnswer{"Q2": {Value: true}}, "Q1", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := answerIsYes(tt.answers, tt.qID)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}
--- a/ai-compliance-sdk/internal/ucca/domain_context_test.go
+++ b/ai-compliance-sdk/internal/ucca/domain_context_test.go
@@ -0,0 +1,542 @@
+package ucca
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// ============================================================================
+// HR Domain Context Tests
+// ============================================================================
+
+func TestHRContext_AutomatedRejection_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI generiert und versendet Absagen automatisch",
+		Domain:      DomainHR,
+		DataTypes:   DataTypes{PersonalData: true, EmployeeData: true},
+		HRContext: &HRContext{
+			AutomatedScreening: true,
+			AutomatedRejection: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO feasibility for automated rejection, got %s", result.Feasibility)
+	}
+	if !result.Art22Risk {
+		t.Error("Expected Art22Risk=true for automated rejection")
+	}
+}
+
+func TestHRContext_ScreeningWithHumanReview_OK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI sortiert Bewerber vor, Mensch prueft jeden Vorschlag",
+		Domain:      DomainHR,
+		DataTypes:   DataTypes{PersonalData: true, EmployeeData: true},
+		HRContext: &HRContext{
+			AutomatedScreening:  true,
+			AutomatedRejection:  false,
+			HumanReviewEnforced: true,
+			BiasAuditsDone:      true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	// Should NOT block — human review is enforced
+	if result.Feasibility == FeasibilityNO {
+		t.Error("Expected feasibility != NO when human review is enforced")
+	}
+}
+
+func TestHRContext_AGGVisible_RiskIncrease(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intakeWithAGG := &UseCaseIntake{
+		UseCaseText: "CV-Screening mit Foto und Name sichtbar",
+		Domain:      DomainHR,
+		DataTypes:   DataTypes{PersonalData: true, EmployeeData: true},
+		HRContext:   &HRContext{AGGCategoriesVisible: true},
+	}
+	intakeWithout := &UseCaseIntake{
+		UseCaseText: "CV-Screening anonymisiert",
+		Domain:      DomainHR,
+		DataTypes:   DataTypes{PersonalData: true, EmployeeData: true},
+		HRContext:   &HRContext{AGGCategoriesVisible: false},
+	}
+
+	resultWith := engine.Evaluate(intakeWithAGG)
+	resultWithout := engine.Evaluate(intakeWithout)
+
+	if resultWith.RiskScore <= resultWithout.RiskScore {
+		t.Errorf("Expected higher risk with AGG visible (%d) vs without (%d)",
+			resultWith.RiskScore, resultWithout.RiskScore)
+	}
+}
+
+// ============================================================================
+// Education Domain Context Tests
+// ============================================================================
+
+func TestEducationContext_MinorsWithoutTeacher_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI bewertet Schuelerarbeiten ohne Lehrkraft-Pruefung",
+		Domain:      DomainEducation,
+		DataTypes:   DataTypes{PersonalData: true, MinorData: true},
+		EducationContext: &EducationContext{
+			GradeInfluence:        true,
+			MinorsInvolved:        true,
+			TeacherReviewRequired: false,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO feasibility for minors without teacher review, got %s", result.Feasibility)
+	}
+}
+
+func TestEducationContext_WithTeacherReview_Allowed(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI schlaegt Noten vor, Lehrkraft prueft und entscheidet",
+		Domain:      DomainEducation,
+		DataTypes:   DataTypes{PersonalData: true, MinorData: true},
+		EducationContext: &EducationContext{
+			GradeInfluence:        true,
+			MinorsInvolved:        true,
+			TeacherReviewRequired: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility == FeasibilityNO {
+		t.Error("Expected feasibility != NO when teacher review is required")
+	}
+}
+
+// ============================================================================
+// Healthcare Domain Context Tests
+// ============================================================================
+
+func TestHealthcareContext_MDRWithoutValidation_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI-Diagnosetool als Medizinprodukt ohne klinische Validierung",
+		Domain:      DomainHealthcare,
+		DataTypes:   DataTypes{PersonalData: true, Article9Data: true},
+		HealthcareContext: &HealthcareContext{
+			DiagnosisSupport: true,
+			MedicalDevice:    true,
+			ClinicalValidation: false,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO for medical device without clinical validation, got %s", result.Feasibility)
+	}
+}
+
+func TestHealthcareContext_Triage_HighRisk(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI priorisiert Patienten in der Notaufnahme",
+		Domain:      DomainHealthcare,
+		DataTypes:   DataTypes{PersonalData: true, Article9Data: true},
+		HealthcareContext: &HealthcareContext{
+			TriageDecision:       true,
+			PatientDataProcessed: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.RiskScore < 40 {
+		t.Errorf("Expected high risk score for triage, got %d", result.RiskScore)
+	}
+	if !result.DSFARecommended {
+		t.Error("Expected DSFA recommended for triage")
+	}
+}
+
+// ============================================================================
+// Critical Infrastructure Tests
+// ============================================================================
+
+func TestCriticalInfra_SafetyCriticalNoRedundancy_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI steuert Stromnetz ohne Fallback",
+		Domain:      DomainEnergy,
+		CriticalInfraContext: &CriticalInfraContext{
+			GridControl:    true,
+			SafetyCritical: true,
+			RedundancyExists: false,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO for safety-critical without redundancy, got %s", result.Feasibility)
+	}
+}
+
+// ============================================================================
+// Marketing — Deepfake BLOCK Test
+// ============================================================================
+
+func TestMarketing_DeepfakeUnlabeled_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI generiert Werbevideos ohne Kennzeichnung",
+		Domain:      DomainMarketing,
+		MarketingContext: &MarketingContext{
+			DeepfakeContent: true,
+			AIContentLabeled: false,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO for unlabeled deepfakes, got %s", result.Feasibility)
+	}
+}
+
+func TestMarketing_DeepfakeLabeled_OK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI generiert Werbevideos mit Kennzeichnung",
+		Domain:      DomainMarketing,
+		MarketingContext: &MarketingContext{
+			DeepfakeContent: true,
+			AIContentLabeled: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility == FeasibilityNO {
+		t.Error("Expected feasibility != NO when deepfakes are properly labeled")
+	}
+}
+
+// ============================================================================
+// Manufacturing — Safety BLOCK Test
+// ============================================================================
+
+func TestManufacturing_SafetyUnvalidated_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI in Maschinensicherheit ohne Validierung",
+		Domain:      DomainMechanicalEngineering,
+		ManufacturingContext: &ManufacturingContext{
+			MachineSafety:   true,
+			SafetyValidated: false,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO for unvalidated machine safety, got %s", result.Feasibility)
+	}
+}
+
+// ============================================================================
+// AGG V2 Obligations Loading Test
+// ============================================================================
+
+func TestAGGV2_LoadsFromManifest(t *testing.T) {
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	agg, ok := regs["agg"]
+	if !ok {
+		t.Fatal("agg not found in loaded regulations")
+	}
+
+	if len(agg.Obligations) < 8 {
+		t.Errorf("Expected at least 8 AGG obligations, got %d", len(agg.Obligations))
+	}
+
+	// Check first obligation
+	if agg.Obligations[0].ID != "AGG-OBL-001" {
+		t.Errorf("Expected first ID 'AGG-OBL-001', got '%s'", agg.Obligations[0].ID)
+	}
+}
+
+func TestAGGApplicability_Germany(t *testing.T) {
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	module := NewJSONRegulationModule(regs["agg"])
+
+	factsDE := &UnifiedFacts{Organization: OrganizationFacts{Country: "DE"}}
+	if !module.IsApplicable(factsDE) {
+		t.Error("AGG should be applicable for German company")
+	}
+
+	factsUS := &UnifiedFacts{Organization: OrganizationFacts{Country: "US"}}
+	if module.IsApplicable(factsUS) {
+		t.Error("AGG should NOT be applicable for US company")
+	}
+}
+
+// ============================================================================
+// AI Act V2 Extended Obligations Test
+// ============================================================================
+
+func TestAIActV2_ExtendedObligations(t *testing.T) {
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	aiAct, ok := regs["ai_act"]
+	if !ok {
+		t.Fatal("ai_act not found in loaded regulations")
+	}
+
+	if len(aiAct.Obligations) < 75 {
+		t.Errorf("Expected at least 75 AI Act obligations (expanded), got %d", len(aiAct.Obligations))
+	}
+
+	// Check GPAI obligations exist (Art. 51-56)
+	hasGPAI := false
+	for _, obl := range aiAct.Obligations {
+		if obl.ID == "AIACT-OBL-078" { // GPAI classification
+			hasGPAI = true
+			break
+		}
+	}
+	if !hasGPAI {
+		t.Error("Expected GPAI obligation AIACT-OBL-078 in expanded AI Act")
+	}
+}
+
+// ============================================================================
+// Field Resolver Tests — Domain Contexts
+// ============================================================================
+
+func TestFieldResolver_HRContext(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		HRContext: &HRContext{AutomatedScreening: true},
+	}
+
+	val := engine.getFieldValue("hr_context.automated_screening", intake)
+	if val != true {
+		t.Errorf("Expected true for hr_context.automated_screening, got %v", val)
+	}
+
+	val2 := engine.getFieldValue("hr_context.automated_rejection", intake)
+	if val2 != false {
+		t.Errorf("Expected false for hr_context.automated_rejection, got %v", val2)
+	}
+}
+
+func TestFieldResolver_NilContext(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{} // No HR context
+
+	val := engine.getFieldValue("hr_context.automated_screening", intake)
+	if val != nil {
+		t.Errorf("Expected nil for nil HR context, got %v", val)
+	}
+}
+
+func TestFieldResolver_HealthcareContext(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		HealthcareContext: &HealthcareContext{
+			TriageDecision: true,
+			MedicalDevice:  false,
+		},
+	}
+
+	val := engine.getFieldValue("healthcare_context.triage_decision", intake)
+	if val != true {
+		t.Errorf("Expected true, got %v", val)
+	}
+
+	val2 := engine.getFieldValue("healthcare_context.medical_device", intake)
+	if val2 != false {
+		t.Errorf("Expected false, got %v", val2)
+	}
+}
+
+// ============================================================================
+// Hospitality — Review Manipulation BLOCK
+// ============================================================================
+
+func TestHospitality_ReviewManipulation_BLOCK(t *testing.T) {
+	root := getProjectRoot(t)
+	policyPath := filepath.Join(root, "policies", "ucca_policy_v1.yaml")
+	engine, err := NewPolicyEngineFromPath(policyPath)
+	if err != nil {
+		t.Fatalf("Failed to create policy engine: %v", err)
+	}
+
+	intake := &UseCaseIntake{
+		UseCaseText: "KI generiert Fake-Bewertungen",
+		Domain:      DomainHospitality,
+		HospitalityContext: &HospitalityContext{
+			ReviewManipulation: true,
+		},
+	}
+
+	result := engine.Evaluate(intake)
+
+	if result.Feasibility != FeasibilityNO {
+		t.Errorf("Expected NO for review manipulation, got %s", result.Feasibility)
+	}
+}
+
+// ============================================================================
+// Total Obligations Count
+// ============================================================================
+
+func TestTotalObligationsCount(t *testing.T) {
+	regs, err := LoadAllV2Regulations()
+	if err != nil {
+		t.Fatalf("Failed to load v2 regulations: %v", err)
+	}
+
+	total := 0
+	for _, reg := range regs {
+		total += len(reg.Obligations)
+	}
+
+	// We expect at least 350 obligations across all regulations
+	if total < 350 {
+		t.Errorf("Expected at least 350 total obligations, got %d", total)
+	}
+
+	t.Logf("Total obligations across all regulations: %d", total)
+	for id, reg := range regs {
+		t.Logf("  %s: %d obligations", id, len(reg.Obligations))
+	}
+}
+
+// ============================================================================
+// Domain constant existence checks
+// ============================================================================
+
+func TestDomainConstants_Exist(t *testing.T) {
+	domains := []Domain{
+		DomainHR, DomainEducation, DomainHealthcare,
+		DomainFinance, DomainBanking, DomainInsurance,
+		DomainEnergy, DomainUtilities,
+		DomainAutomotive, DomainAerospace,
+		DomainRetail, DomainEcommerce,
+		DomainMarketing, DomainMedia,
+		DomainLogistics, DomainConstruction,
+		DomainPublicSector, DomainDefense,
+		DomainMechanicalEngineering,
+	}
+
+	for _, d := range domains {
+		if d == "" {
+			t.Error("Empty domain constant found")
+		}
+	}
+}
--- a/ai-compliance-sdk/internal/ucca/escalation_models.go
+++ b/ai-compliance-sdk/internal/ucca/escalation_models.go
@@ -1,6 +1,7 @@
 package ucca

 import (
+	"fmt"
 	"time"

 	"github.com/google/uuid"
@@ -187,6 +188,12 @@ func (t *EscalationTrigger) DetermineEscalationLevel(result *AssessmentResult) (
 		}
 	}

+	// BetrVG E3: Very high conflict score without consultation
+	if result.BetrvgConflictScore >= 75 && !result.Intake.WorksCouncilConsulted {
+		reasons = append(reasons, "BetrVG-Konfliktpotenzial sehr hoch (Score "+fmt.Sprintf("%d", result.BetrvgConflictScore)+") ohne BR-Konsultation")
+		return EscalationLevelE3, joinReasons(reasons, "E3 erforderlich: ")
+	}
+
 	if hasArt9 || result.DSFARecommended || result.RiskScore > t.E2RiskThreshold {
 		if result.DSFARecommended {
 			reasons = append(reasons, "DSFA empfohlen")
@@ -197,6 +204,12 @@ func (t *EscalationTrigger) DetermineEscalationLevel(result *AssessmentResult) (
 		return EscalationLevelE2, joinReasons(reasons, "DSB-Konsultation erforderlich: ")
 	}

+	// BetrVG E2: High conflict score
+	if result.BetrvgConflictScore >= 50 && result.BetrvgConsultationRequired && !result.Intake.WorksCouncilConsulted {
+		reasons = append(reasons, "BetrVG-Mitbestimmung erforderlich (Score "+fmt.Sprintf("%d", result.BetrvgConflictScore)+"), BR nicht konsultiert")
+		return EscalationLevelE2, joinReasons(reasons, "BR-Konsultation erforderlich: ")
+	}
+
 	// E1: Low priority checks
 	// - WARN rules triggered
 	// - Risk 20-40
--- a/ai-compliance-sdk/internal/ucca/json_regulation_module.go
+++ b/ai-compliance-sdk/internal/ucca/json_regulation_module.go
@@ -56,6 +56,10 @@ func (m *JSONRegulationModule) defaultApplicability(facts *UnifiedFacts) bool {
 		return facts.Organization.EUMember && facts.AIUsage.UsesAI
 	case "dora":
 		return facts.Financial.DORAApplies || facts.Financial.IsRegulated
+	case "betrvg":
+		return facts.Organization.Country == "DE" && facts.Organization.EmployeeCount >= 5
+	case "agg":
+		return facts.Organization.Country == "DE"
 	default:
 		return true
 	}
--- a/ai-compliance-sdk/internal/ucca/legal_rag.go
+++ b/ai-compliance-sdk/internal/ucca/legal_rag.go
@@ -14,12 +14,14 @@ import (

 // LegalRAGClient provides access to the compliance CE vector search via Qdrant + Ollama bge-m3.
 type LegalRAGClient struct {
-	qdrantURL      string
-	qdrantAPIKey   string
-	ollamaURL      string
-	embeddingModel string
-	collection     string
-	httpClient     *http.Client
+	qdrantURL        string
+	qdrantAPIKey     string
+	ollamaURL        string
+	embeddingModel   string
+	collection       string
+	httpClient       *http.Client
+	textIndexEnsured map[string]bool // tracks which collections have text index
+	hybridEnabled    bool            // use Query API with RRF fusion
 }

 // LegalSearchResult represents a single search result from the compliance corpus.
@@ -70,12 +72,16 @@ func NewLegalRAGClient() *LegalRAGClient {
 		ollamaURL = "http://localhost:11434"
 	}

+	hybridEnabled := os.Getenv("RAG_HYBRID_SEARCH") != "false" // enabled by default
+
 	return &LegalRAGClient{
-		qdrantURL:      qdrantURL,
-		qdrantAPIKey:   qdrantAPIKey,
-		ollamaURL:      ollamaURL,
-		embeddingModel: "bge-m3",
-		collection:     "bp_compliance_ce",
+		qdrantURL:        qdrantURL,
+		qdrantAPIKey:     qdrantAPIKey,
+		ollamaURL:        ollamaURL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    hybridEnabled,
 		httpClient: &http.Client{
 			Timeout: 60 * time.Second,
 		},
@@ -126,6 +132,161 @@ type qdrantSearchHit struct {
 	Payload map[string]interface{} `json:"payload"`
 }

+// --- Hybrid Search (Query API with RRF fusion) ---
+
+// qdrantQueryRequest for Qdrant Query API with prefetch + fusion.
+type qdrantQueryRequest struct {
+	Prefetch    []qdrantPrefetch `json:"prefetch"`
+	Query       *qdrantFusion    `json:"query"`
+	Limit       int              `json:"limit"`
+	WithPayload bool             `json:"with_payload"`
+	Filter      *qdrantFilter    `json:"filter,omitempty"`
+}
+
+type qdrantPrefetch struct {
+	Query  []float64     `json:"query"`
+	Limit  int           `json:"limit"`
+	Filter *qdrantFilter `json:"filter,omitempty"`
+}
+
+type qdrantFusion struct {
+	Fusion string `json:"fusion"`
+}
+
+// qdrantQueryResponse from Qdrant Query API (same shape as search).
+type qdrantQueryResponse struct {
+	Result []qdrantSearchHit `json:"result"`
+}
+
+// qdrantTextIndexRequest for creating a full-text index on a payload field.
+type qdrantTextIndexRequest struct {
+	FieldName   string                 `json:"field_name"`
+	FieldSchema qdrantTextFieldSchema  `json:"field_schema"`
+}
+
+type qdrantTextFieldSchema struct {
+	Type      string `json:"type"`
+	Tokenizer string `json:"tokenizer"`
+	MinLen    int    `json:"min_token_len,omitempty"`
+	MaxLen    int    `json:"max_token_len,omitempty"`
+}
+
+// ensureTextIndex creates a full-text index on chunk_text if not already done for this collection.
+func (c *LegalRAGClient) ensureTextIndex(ctx context.Context, collection string) error {
+	if c.textIndexEnsured[collection] {
+		return nil
+	}
+
+	indexReq := qdrantTextIndexRequest{
+		FieldName: "chunk_text",
+		FieldSchema: qdrantTextFieldSchema{
+			Type:      "text",
+			Tokenizer: "word",
+			MinLen:    2,
+			MaxLen:    40,
+		},
+	}
+
+	jsonBody, err := json.Marshal(indexReq)
+	if err != nil {
+		return fmt.Errorf("failed to marshal text index request: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/collections/%s/index", c.qdrantURL, collection)
+	req, err := http.NewRequestWithContext(ctx, "PUT", url, bytes.NewReader(jsonBody))
+	if err != nil {
+		return fmt.Errorf("failed to create text index request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	if c.qdrantAPIKey != "" {
+		req.Header.Set("api-key", c.qdrantAPIKey)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("text index request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// 200 = created, 409 = already exists — both are fine
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusConflict {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("text index creation failed %d: %s", resp.StatusCode, string(body))
+	}
+
+	c.textIndexEnsured[collection] = true
+	return nil
+}
+
+// searchHybrid performs RRF-fused hybrid search (dense + full-text) via Qdrant Query API.
+func (c *LegalRAGClient) searchHybrid(ctx context.Context, collection string, embedding []float64, regulationIDs []string, topK int) ([]qdrantSearchHit, error) {
+	// Ensure text index exists
+	if err := c.ensureTextIndex(ctx, collection); err != nil {
+		// Non-fatal: log and fall back to dense-only
+		return nil, err
+	}
+
+	// Build prefetch with dense vector (retrieve top-20 for re-ranking)
+	prefetchLimit := 20
+	if topK > 20 {
+		prefetchLimit = topK * 4
+	}
+
+	queryReq := qdrantQueryRequest{
+		Prefetch: []qdrantPrefetch{
+			{Query: embedding, Limit: prefetchLimit},
+		},
+		Query:       &qdrantFusion{Fusion: "rrf"},
+		Limit:       topK,
+		WithPayload: true,
+	}
+
+	// Add regulation filter
+	if len(regulationIDs) > 0 {
+		conditions := make([]qdrantCondition, len(regulationIDs))
+		for i, regID := range regulationIDs {
+			conditions[i] = qdrantCondition{
+				Key:   "regulation_id",
+				Match: qdrantMatch{Value: regID},
+			}
+		}
+		queryReq.Filter = &qdrantFilter{Should: conditions}
+	}
+
+	jsonBody, err := json.Marshal(queryReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal query request: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/collections/%s/points/query", c.qdrantURL, collection)
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(jsonBody))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create query request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	if c.qdrantAPIKey != "" {
+		req.Header.Set("api-key", c.qdrantAPIKey)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("query request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("qdrant query returned %d: %s", resp.StatusCode, string(body))
+	}
+
+	var queryResp qdrantQueryResponse
+	if err := json.NewDecoder(resp.Body).Decode(&queryResp); err != nil {
+		return nil, fmt.Errorf("failed to decode query response: %w", err)
+	}
+
+	return queryResp.Result, nil
+}
+
 // generateEmbedding calls Ollama bge-m3 to get a 1024-dim vector for the query.
 func (c *LegalRAGClient) generateEmbedding(ctx context.Context, text string) ([]float64, error) {
 	// Truncate to 2000 chars for bge-m3
@@ -187,6 +348,8 @@ func (c *LegalRAGClient) Search(ctx context.Context, query string, regulationIDs
 }

 // searchInternal performs the actual search against a given collection.
+// If hybrid search is enabled, it uses the Qdrant Query API with RRF fusion
+// (dense + full-text). Falls back to dense-only /points/search on failure.
 func (c *LegalRAGClient) searchInternal(ctx context.Context, collection string, query string, regulationIDs []string, topK int) ([]LegalSearchResult, error) {
 	// Generate query embedding via Ollama bge-m3
 	embedding, err := c.generateEmbedding(ctx, query)
@@ -194,14 +357,51 @@ func (c *LegalRAGClient) searchInternal(ctx context.Context, collection string,
 		return nil, fmt.Errorf("failed to generate embedding: %w", err)
 	}

-	// Build Qdrant search request
+	// Try hybrid search first (Query API + RRF), fall back to dense-only
+	var hits []qdrantSearchHit
+
+	if c.hybridEnabled {
+		hybridHits, err := c.searchHybrid(ctx, collection, embedding, regulationIDs, topK)
+		if err == nil {
+			hits = hybridHits
+		}
+		// On error, fall through to dense-only search below
+	}
+
+	if hits == nil {
+		denseHits, err := c.searchDense(ctx, collection, embedding, regulationIDs, topK)
+		if err != nil {
+			return nil, err
+		}
+		hits = denseHits
+	}
+
+	// Convert to results using bp_compliance_ce payload schema
+	results := make([]LegalSearchResult, len(hits))
+	for i, hit := range hits {
+		results[i] = LegalSearchResult{
+			Text:            getString(hit.Payload, "chunk_text"),
+			RegulationCode:  getString(hit.Payload, "regulation_id"),
+			RegulationName:  getString(hit.Payload, "regulation_name_de"),
+			RegulationShort: getString(hit.Payload, "regulation_short"),
+			Category:        getString(hit.Payload, "category"),
+			Pages:           getIntSlice(hit.Payload, "pages"),
+			SourceURL:       getString(hit.Payload, "source"),
+			Score:           hit.Score,
+		}
+	}
+
+	return results, nil
+}
+
+// searchDense performs a dense-only vector search via Qdrant /points/search.
+func (c *LegalRAGClient) searchDense(ctx context.Context, collection string, embedding []float64, regulationIDs []string, topK int) ([]qdrantSearchHit, error) {
 	searchReq := qdrantSearchRequest{
 		Vector:      embedding,
 		Limit:       topK,
 		WithPayload: true,
 	}

-	// Add filter for specific regulations if provided
 	if len(regulationIDs) > 0 {
 		conditions := make([]qdrantCondition, len(regulationIDs))
 		for i, regID := range regulationIDs {
@@ -218,7 +418,6 @@ func (c *LegalRAGClient) searchInternal(ctx context.Context, collection string,
 		return nil, fmt.Errorf("failed to marshal search request: %w", err)
 	}

-	// Call Qdrant
 	url := fmt.Sprintf("%s/collections/%s/points/search", c.qdrantURL, collection)
 	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(jsonBody))
 	if err != nil {
@@ -245,22 +444,7 @@ func (c *LegalRAGClient) searchInternal(ctx context.Context, collection string,
 		return nil, fmt.Errorf("failed to decode search response: %w", err)
 	}

-	// Convert to results using bp_compliance_ce payload schema
-	results := make([]LegalSearchResult, len(searchResp.Result))
-	for i, hit := range searchResp.Result {
-		results[i] = LegalSearchResult{
-			Text:            getString(hit.Payload, "chunk_text"),
-			RegulationCode:  getString(hit.Payload, "regulation_id"),
-			RegulationName:  getString(hit.Payload, "regulation_name_de"),
-			RegulationShort: getString(hit.Payload, "regulation_short"),
-			Category:        getString(hit.Payload, "category"),
-			Pages:           getIntSlice(hit.Payload, "pages"),
-			SourceURL:       getString(hit.Payload, "source"),
-			Score:           hit.Score,
-		}
-	}
-
-	return results, nil
+	return searchResp.Result, nil
 }

 // GetLegalContextForAssessment retrieves relevant legal context for an assessment.
--- a/ai-compliance-sdk/internal/ucca/legal_rag_test.go
+++ b/ai-compliance-sdk/internal/ucca/legal_rag_test.go
@@ -32,11 +32,13 @@ func TestSearchCollection_UsesCorrectCollection(t *testing.T) {

 	// Parse qdrant mock host/port
 	client := &LegalRAGClient{
-		qdrantURL:      qdrantMock.URL,
-		ollamaURL:      ollamaMock.URL,
-		embeddingModel: "bge-m3",
-		collection:     "bp_compliance_ce",
-		httpClient:     http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    false, // dense-only for this test
+		httpClient:       http.DefaultClient,
 	}

 	// Test with explicit collection
@@ -69,11 +71,13 @@ func TestSearchCollection_FallbackDefault(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:      qdrantMock.URL,
-		ollamaURL:      ollamaMock.URL,
-		embeddingModel: "bge-m3",
-		collection:     "bp_compliance_ce",
-		httpClient:     http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    false,
+		httpClient:       http.DefaultClient,
 	}

 	// Test with empty collection (should fall back to default)
@@ -140,8 +144,9 @@ func TestScrollChunks_ReturnsChunksAndNextOffset(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:  qdrantMock.URL,
-		httpClient: http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		textIndexEnsured: make(map[string]bool),
+		httpClient:       http.DefaultClient,
 	}

 	chunks, nextOffset, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 100)
@@ -196,8 +201,9 @@ func TestScrollChunks_EmptyCollection_ReturnsEmpty(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:  qdrantMock.URL,
-		httpClient: http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		textIndexEnsured: make(map[string]bool),
+		httpClient:       http.DefaultClient,
 	}

 	chunks, nextOffset, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 100)
@@ -230,8 +236,9 @@ func TestScrollChunks_WithOffset_SendsOffset(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:  qdrantMock.URL,
-		httpClient: http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		textIndexEnsured: make(map[string]bool),
+		httpClient:       http.DefaultClient,
 	}

 	_, _, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "some-offset-id", 50)
@@ -263,9 +270,10 @@ func TestScrollChunks_SendsAPIKey(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:    qdrantMock.URL,
-		qdrantAPIKey: "test-api-key-123",
-		httpClient:   http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		qdrantAPIKey:     "test-api-key-123",
+		textIndexEnsured: make(map[string]bool),
+		httpClient:       http.DefaultClient,
 	}

 	_, _, err := client.ScrollChunks(context.Background(), "bp_compliance_ce", "", 10)
@@ -310,11 +318,13 @@ func TestSearch_StillWorks(t *testing.T) {
 	defer qdrantMock.Close()

 	client := &LegalRAGClient{
-		qdrantURL:      qdrantMock.URL,
-		ollamaURL:      ollamaMock.URL,
-		embeddingModel: "bge-m3",
-		collection:     "bp_compliance_ce",
-		httpClient:     http.DefaultClient,
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    false,
+		httpClient:       http.DefaultClient,
 	}

 	results, err := client.Search(context.Background(), "DSGVO Art. 35", nil, 5)
@@ -334,3 +344,257 @@ func TestSearch_StillWorks(t *testing.T) {
 		t.Errorf("Expected default collection in URL, got: %s", requestedURL)
 	}
 }
+
+// --- Hybrid Search Tests ---
+
+func TestHybridSearch_UsesQueryAPI(t *testing.T) {
+	var requestedPaths []string
+
+	ollamaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		json.NewEncoder(w).Encode(ollamaEmbeddingResponse{
+			Embedding: make([]float64, 1024),
+		})
+	}))
+	defer ollamaMock.Close()
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestedPaths = append(requestedPaths, r.URL.Path)
+
+		if strings.Contains(r.URL.Path, "/index") {
+			// Text index creation — return OK
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"result":{"operation_id":1,"status":"completed"}}`))
+			return
+		}
+
+		if strings.Contains(r.URL.Path, "/points/query") {
+			// Verify the query request body has prefetch + fusion
+			var reqBody map[string]interface{}
+			json.NewDecoder(r.Body).Decode(&reqBody)
+
+			if _, ok := reqBody["prefetch"]; !ok {
+				t.Error("Query request missing 'prefetch' field")
+			}
+			queryField, ok := reqBody["query"].(map[string]interface{})
+			if !ok || queryField["fusion"] != "rrf" {
+				t.Error("Query request missing 'query.fusion=rrf'")
+			}
+
+			json.NewEncoder(w).Encode(qdrantQueryResponse{
+				Result: []qdrantSearchHit{
+					{
+						ID:    "1",
+						Score: 0.88,
+						Payload: map[string]interface{}{
+							"chunk_text":         "Hybrid result",
+							"regulation_id":      "eu_2016_679",
+							"regulation_name_de": "DSGVO",
+							"regulation_short":   "DSGVO",
+							"category":           "regulation",
+							"source":             "https://example.com",
+						},
+					},
+				},
+			})
+			return
+		}
+
+		// Fallback: should not reach dense search
+		t.Error("Unexpected dense search call when hybrid succeeded")
+		json.NewEncoder(w).Encode(qdrantSearchResponse{Result: []qdrantSearchHit{}})
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    true,
+		httpClient:       http.DefaultClient,
+	}
+
+	results, err := client.Search(context.Background(), "DSGVO Art. 35", nil, 5)
+	if err != nil {
+		t.Fatalf("Hybrid search failed: %v", err)
+	}
+
+	if len(results) != 1 {
+		t.Fatalf("Expected 1 result, got %d", len(results))
+	}
+	if results[0].Text != "Hybrid result" {
+		t.Errorf("Expected 'Hybrid result', got '%s'", results[0].Text)
+	}
+
+	// Verify text index was created
+	hasIndex := false
+	hasQuery := false
+	for _, p := range requestedPaths {
+		if strings.Contains(p, "/index") {
+			hasIndex = true
+		}
+		if strings.Contains(p, "/points/query") {
+			hasQuery = true
+		}
+	}
+	if !hasIndex {
+		t.Error("Expected text index creation call")
+	}
+	if !hasQuery {
+		t.Error("Expected Query API call")
+	}
+}
+
+func TestHybridSearch_FallbackToDense(t *testing.T) {
+	var requestedPaths []string
+
+	ollamaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		json.NewEncoder(w).Encode(ollamaEmbeddingResponse{
+			Embedding: make([]float64, 1024),
+		})
+	}))
+	defer ollamaMock.Close()
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestedPaths = append(requestedPaths, r.URL.Path)
+
+		if strings.Contains(r.URL.Path, "/index") {
+			// Simulate text index failure (old Qdrant version)
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte(`{"status":{"error":"not supported"}}`))
+			return
+		}
+
+		if strings.Contains(r.URL.Path, "/points/search") {
+			// Dense fallback
+			json.NewEncoder(w).Encode(qdrantSearchResponse{
+				Result: []qdrantSearchHit{
+					{
+						ID:    "2",
+						Score: 0.90,
+						Payload: map[string]interface{}{
+							"chunk_text":         "Dense fallback result",
+							"regulation_id":      "eu_2016_679",
+							"regulation_name_de": "DSGVO",
+							"regulation_short":   "DSGVO",
+							"category":           "regulation",
+							"source":             "https://example.com",
+						},
+					},
+				},
+			})
+			return
+		}
+
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    true,
+		httpClient:       http.DefaultClient,
+	}
+
+	results, err := client.Search(context.Background(), "test query", nil, 5)
+	if err != nil {
+		t.Fatalf("Fallback search failed: %v", err)
+	}
+
+	if len(results) != 1 {
+		t.Fatalf("Expected 1 result, got %d", len(results))
+	}
+	if results[0].Text != "Dense fallback result" {
+		t.Errorf("Expected 'Dense fallback result', got '%s'", results[0].Text)
+	}
+
+	// Verify it fell back to dense search
+	hasDense := false
+	for _, p := range requestedPaths {
+		if strings.Contains(p, "/points/search") {
+			hasDense = true
+		}
+	}
+	if !hasDense {
+		t.Error("Expected fallback to dense /points/search")
+	}
+}
+
+func TestEnsureTextIndex_OnlyCalledOnce(t *testing.T) {
+	callCount := 0
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.Contains(r.URL.Path, "/index") {
+			callCount++
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"result":{"operation_id":1,"status":"completed"}}`))
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"result":[]}`))
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:        qdrantMock.URL,
+		textIndexEnsured: make(map[string]bool),
+		httpClient:       http.DefaultClient,
+	}
+
+	ctx := context.Background()
+	_ = client.ensureTextIndex(ctx, "test_collection")
+	_ = client.ensureTextIndex(ctx, "test_collection")
+	_ = client.ensureTextIndex(ctx, "test_collection")
+
+	if callCount != 1 {
+		t.Errorf("Expected ensureTextIndex to call Qdrant exactly once, called %d times", callCount)
+	}
+}
+
+func TestHybridDisabled_UsesDenseOnly(t *testing.T) {
+	var requestedPaths []string
+
+	ollamaMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		json.NewEncoder(w).Encode(ollamaEmbeddingResponse{
+			Embedding: make([]float64, 1024),
+		})
+	}))
+	defer ollamaMock.Close()
+
+	qdrantMock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestedPaths = append(requestedPaths, r.URL.Path)
+		json.NewEncoder(w).Encode(qdrantSearchResponse{
+			Result: []qdrantSearchHit{},
+		})
+	}))
+	defer qdrantMock.Close()
+
+	client := &LegalRAGClient{
+		qdrantURL:        qdrantMock.URL,
+		ollamaURL:        ollamaMock.URL,
+		embeddingModel:   "bge-m3",
+		collection:       "bp_compliance_ce",
+		textIndexEnsured: make(map[string]bool),
+		hybridEnabled:    false,
+		httpClient:       http.DefaultClient,
+	}
+
+	_, err := client.Search(context.Background(), "test", nil, 5)
+	if err != nil {
+		t.Fatalf("Search failed: %v", err)
+	}
+
+	for _, p := range requestedPaths {
+		if strings.Contains(p, "/points/query") {
+			t.Error("Query API should not be called when hybrid is disabled")
+		}
+		if strings.Contains(p, "/index") {
+			t.Error("Text index should not be created when hybrid is disabled")
+		}
+	}
+}
--- a/ai-compliance-sdk/internal/ucca/models.go
+++ b/ai-compliance-sdk/internal/ucca/models.go
@@ -217,10 +217,221 @@ type UseCaseIntake struct {
 	// Only applicable for financial domains (banking, finance, insurance, investment)
 	FinancialContext *FinancialContext `json:"financial_context,omitempty"`

+	// BetrVG / works council context (Germany)
+	EmployeeMonitoring    bool `json:"employee_monitoring,omitempty"`     // System can monitor employee behavior/performance
+	HRDecisionSupport     bool `json:"hr_decision_support,omitempty"`     // System supports HR decisions (hiring, evaluation, termination)
+	WorksCouncilConsulted bool `json:"works_council_consulted,omitempty"` // Works council has been consulted
+
+	// Domain-specific contexts (AI Act Annex III high-risk domains)
+	HRContext            *HRContext            `json:"hr_context,omitempty"`
+	EducationContext     *EducationContext     `json:"education_context,omitempty"`
+	HealthcareContext    *HealthcareContext    `json:"healthcare_context,omitempty"`
+	LegalDomainContext         *LegalDomainContext         `json:"legal_context,omitempty"`
+	PublicSectorContext  *PublicSectorContext  `json:"public_sector_context,omitempty"`
+	CriticalInfraContext *CriticalInfraContext `json:"critical_infra_context,omitempty"`
+	AutomotiveContext    *AutomotiveContext    `json:"automotive_context,omitempty"`
+	RetailContext        *RetailContext        `json:"retail_context,omitempty"`
+	ITSecurityContext    *ITSecurityContext    `json:"it_security_context,omitempty"`
+	LogisticsContext     *LogisticsContext     `json:"logistics_context,omitempty"`
+	ConstructionContext  *ConstructionContext  `json:"construction_context,omitempty"`
+	MarketingContext     *MarketingContext     `json:"marketing_context,omitempty"`
+	ManufacturingContext *ManufacturingContext `json:"manufacturing_context,omitempty"`
+	AgricultureContext   *AgricultureContext   `json:"agriculture_context,omitempty"`
+	SocialServicesCtx    *SocialServicesContext `json:"social_services_context,omitempty"`
+	HospitalityContext   *HospitalityContext   `json:"hospitality_context,omitempty"`
+	InsuranceContext     *InsuranceContext     `json:"insurance_context,omitempty"`
+	InvestmentContext    *InvestmentContext    `json:"investment_context,omitempty"`
+	DefenseContext       *DefenseContext       `json:"defense_context,omitempty"`
+	SupplyChainContext   *SupplyChainContext   `json:"supply_chain_context,omitempty"`
+	FacilityContext      *FacilityContext      `json:"facility_context,omitempty"`
+	SportsContext        *SportsContext        `json:"sports_context,omitempty"`
+
 	// Opt-in to store raw text (otherwise only hash)
 	StoreRawText bool `json:"store_raw_text,omitempty"`
 }

+// HRContext captures HR/recruiting-specific compliance data (AI Act Annex III Nr. 4 + AGG)
+type HRContext struct {
+	AutomatedScreening    bool `json:"automated_screening"`      // KI sortiert Bewerber vor
+	AutomatedRejection    bool `json:"automated_rejection"`      // KI generiert Absagen
+	CandidateRanking      bool `json:"candidate_ranking"`        // KI erstellt Bewerber-Rankings
+	BiasAuditsDone        bool `json:"bias_audits_done"`         // Regelmaessige Bias-Audits
+	AGGCategoriesVisible  bool `json:"agg_categories_visible"`   // System kann Name/Foto/Alter erkennen
+	HumanReviewEnforced   bool `json:"human_review_enforced"`    // Mensch prueft jede KI-Empfehlung
+	PerformanceEvaluation bool `json:"performance_evaluation"`   // KI bewertet Mitarbeiterleistung
+}
+
+// EducationContext captures education-specific compliance data (AI Act Annex III Nr. 3)
+type EducationContext struct {
+	GradeInfluence        bool `json:"grade_influence"`          // KI beeinflusst Noten
+	ExamEvaluation        bool `json:"exam_evaluation"`          // KI bewertet Pruefungen
+	StudentSelection      bool `json:"student_selection"`        // KI beeinflusst Zugang/Auswahl
+	MinorsInvolved        bool `json:"minors_involved"`          // Minderjaehrige betroffen
+	TeacherReviewRequired bool `json:"teacher_review_required"`  // Lehrkraft prueft KI-Ergebnis
+	LearningAdaptation    bool `json:"learning_adaptation"`      // KI passt Lernpfade an
+}
+
+// HealthcareContext captures healthcare-specific compliance data (AI Act Annex III Nr. 5 + MDR)
+type HealthcareContext struct {
+	DiagnosisSupport     bool `json:"diagnosis_support"`         // KI unterstuetzt Diagnosen
+	TreatmentRecommend   bool `json:"treatment_recommendation"`  // KI empfiehlt Behandlungen
+	TriageDecision       bool `json:"triage_decision"`           // KI priorisiert Patienten
+	PatientDataProcessed bool `json:"patient_data_processed"`    // Gesundheitsdaten verarbeitet
+	MedicalDevice        bool `json:"medical_device"`            // System ist Medizinprodukt
+	ClinicalValidation   bool `json:"clinical_validation"`       // Klinisch validiert
+}
+
+// LegalDomainContext captures legal/justice-specific compliance data (AI Act Annex III Nr. 8)
+type LegalDomainContext struct {
+	LegalAdvice          bool `json:"legal_advice"`           // KI gibt Rechtsberatung
+	ContractAnalysis     bool `json:"contract_analysis"`      // KI analysiert Vertraege
+	CourtPrediction      bool `json:"court_prediction"`       // KI prognostiziert Urteile
+	AccessToJustice      bool `json:"access_to_justice"`      // KI beeinflusst Zugang zu Recht
+	ClientConfidential   bool `json:"client_confidential"`    // Mandantengeheimnis betroffen
+}
+
+// PublicSectorContext captures public sector compliance data (Art. 27 FRIA)
+type PublicSectorContext struct {
+	AdminDecision        bool `json:"admin_decision"`         // KI beeinflusst Verwaltungsentscheidungen
+	CitizenService       bool `json:"citizen_service"`        // KI in Buergerservices
+	BenefitAllocation    bool `json:"benefit_allocation"`     // KI verteilt Leistungen/Mittel
+	PublicSafety         bool `json:"public_safety"`          // KI in oeffentlicher Sicherheit
+	TransparencyEnsured  bool `json:"transparency_ensured"`   // Transparenz gegenueber Buergern
+}
+
+// CriticalInfraContext captures critical infrastructure data (NIS2 + Annex III Nr. 2)
+type CriticalInfraContext struct {
+	GridControl          bool `json:"grid_control"`           // KI steuert Netz/Infrastruktur
+	SafetyCritical       bool `json:"safety_critical"`        // Sicherheitskritische Steuerung
+	AnomalyDetection     bool `json:"anomaly_detection"`      // KI erkennt Anomalien
+	RedundancyExists     bool `json:"redundancy_exists"`      // Redundante Systeme vorhanden
+	IncidentResponse     bool `json:"incident_response"`      // Incident Response Plan vorhanden
+}
+
+// AutomotiveContext captures automotive/aerospace safety data
+type AutomotiveContext struct {
+	AutonomousDriving    bool `json:"autonomous_driving"`     // Autonomes Fahren / ADAS
+	SafetyRelevant       bool `json:"safety_relevant"`        // Sicherheitsrelevante Funktion
+	TypeApprovalNeeded   bool `json:"type_approval_needed"`   // Typgenehmigung erforderlich
+	FunctionalSafety     bool `json:"functional_safety"`      // ISO 26262 relevant
+}
+
+// RetailContext captures retail/e-commerce compliance data
+type RetailContext struct {
+	PricingPersonalized  bool `json:"pricing_personalized"`   // Personalisierte Preise
+	CustomerProfiling    bool `json:"customer_profiling"`     // Kundenprofilbildung
+	RecommendationEngine bool `json:"recommendation_engine"`  // Empfehlungssystem
+	CreditScoring        bool `json:"credit_scoring"`         // Bonitaetspruefung bei Kauf
+	DarkPatterns         bool `json:"dark_patterns"`          // Manipulative UI-Muster moeglich
+}
+
+// ITSecurityContext captures IT/cybersecurity/telecom data
+type ITSecurityContext struct {
+	EmployeeSurveillance bool `json:"employee_surveillance"`  // Mitarbeiterueberwachung
+	NetworkMonitoring    bool `json:"network_monitoring"`     // Netzwerkueberwachung
+	ThreatDetection      bool `json:"threat_detection"`       // Bedrohungserkennung
+	AccessControl        bool `json:"access_control_ai"`      // KI-gestuetzte Zugriffskontrolle
+	DataRetention        bool `json:"data_retention_logs"`    // Umfangreiche Log-Speicherung
+}
+
+// LogisticsContext captures logistics/transport compliance data
+type LogisticsContext struct {
+	DriverTracking       bool `json:"driver_tracking"`        // Fahrer-/Kurier-Tracking
+	RouteOptimization    bool `json:"route_optimization"`     // Routenoptimierung mit Personenbezug
+	WorkloadScoring      bool `json:"workload_scoring"`       // Leistungsbewertung Lagerarbeiter
+	PredictiveMaint      bool `json:"predictive_maintenance"` // Vorausschauende Wartung
+}
+
+// ConstructionContext captures construction/real estate data
+type ConstructionContext struct {
+	SafetyMonitoring     bool `json:"safety_monitoring"`      // Baustellensicherheit per KI
+	TenantScreening      bool `json:"tenant_screening"`       // KI-gestuetzte Mieterauswahl
+	BuildingAutomation   bool `json:"building_automation"`    // Gebaeudesteuerung
+	WorkerSafety         bool `json:"worker_safety"`          // Arbeitsschutzueberwachung
+}
+
+// MarketingContext captures marketing/media compliance data
+type MarketingContext struct {
+	DeepfakeContent      bool `json:"deepfake_content"`       // Synthetische Inhalte (Deepfakes)
+	ContentModeration    bool `json:"content_moderation"`     // Automatische Inhaltsmoderation
+	BehavioralTargeting  bool `json:"behavioral_targeting"`   // Verhaltensbasiertes Targeting
+	MinorsTargeted       bool `json:"minors_targeted"`        // Minderjaehrige als Zielgruppe
+	AIContentLabeled     bool `json:"ai_content_labeled"`     // KI-Inhalte als solche gekennzeichnet
+}
+
+// ManufacturingContext captures manufacturing/CE safety data
+type ManufacturingContext struct {
+	MachineSafety        bool `json:"machine_safety"`         // Maschinensicherheit
+	QualityControl       bool `json:"quality_control"`        // KI in Qualitaetskontrolle
+	ProcessControl       bool `json:"process_control"`        // KI steuert Fertigungsprozess
+	CEMarkingRequired    bool `json:"ce_marking_required"`    // CE-Kennzeichnung erforderlich
+	SafetyValidated      bool `json:"safety_validated"`       // Sicherheitsvalidierung durchgefuehrt
+}
+
+// AgricultureContext captures agriculture/forestry compliance data
+type AgricultureContext struct {
+	PesticideAI          bool `json:"pesticide_ai"`           // KI steuert Pestizideinsatz
+	AnimalWelfare        bool `json:"animal_welfare"`         // KI beeinflusst Tierhaltung
+	EnvironmentalData    bool `json:"environmental_data"`     // Umweltdaten verarbeitet
+}
+
+// SocialServicesContext captures social services/nonprofit data
+type SocialServicesContext struct {
+	VulnerableGroups     bool `json:"vulnerable_groups"`      // Schutzbeduerftiger Personenkreis
+	BenefitDecision      bool `json:"benefit_decision"`       // KI beeinflusst Leistungszuteilung
+	CaseManagement       bool `json:"case_management"`        // KI in Fallmanagement
+}
+
+// HospitalityContext captures hospitality/tourism data
+type HospitalityContext struct {
+	GuestProfiling       bool `json:"guest_profiling"`        // Gaeste-Profilbildung
+	DynamicPricing       bool `json:"dynamic_pricing"`        // Dynamische Preisgestaltung
+	ReviewManipulation   bool `json:"review_manipulation"`    // KI beeinflusst Bewertungen
+}
+
+// InsuranceContext captures insurance-specific data (beyond FinancialContext)
+type InsuranceContext struct {
+	RiskClassification   bool `json:"risk_classification"`    // KI klassifiziert Versicherungsrisiken
+	ClaimsAutomation     bool `json:"claims_automation"`      // Automatisierte Schadenbearbeitung
+	PremiumCalculation   bool `json:"premium_calculation"`    // KI berechnet Praemien individuell
+	FraudDetection       bool `json:"fraud_detection"`        // Betrugserkennung
+}
+
+// InvestmentContext captures investment-specific data
+type InvestmentContext struct {
+	AlgoTrading          bool `json:"algo_trading"`           // Algorithmischer Handel
+	InvestmentAdvice     bool `json:"investment_advice"`      // KI-gestuetzte Anlageberatung
+	RoboAdvisor          bool `json:"robo_advisor"`           // Automatisierte Vermoegensberatung
+}
+
+// DefenseContext captures defense/dual-use data
+type DefenseContext struct {
+	DualUse              bool `json:"dual_use"`               // Dual-Use Technologie
+	ExportControlled     bool `json:"export_controlled"`      // Exportkontrolle relevant
+	ClassifiedData       bool `json:"classified_data"`        // Verschlusssachen verarbeitet
+}
+
+// SupplyChainContext captures textile/packaging/supply chain data (LkSG)
+type SupplyChainContext struct {
+	SupplierMonitoring   bool `json:"supplier_monitoring"`    // KI ueberwacht Lieferanten
+	HumanRightsCheck     bool `json:"human_rights_check"`     // Menschenrechtspruefung in Lieferkette
+	EnvironmentalImpact  bool `json:"environmental_impact"`   // Umweltauswirkungen analysiert
+}
+
+// FacilityContext captures facility management data
+type FacilityContext struct {
+	AccessControlAI      bool `json:"access_control_ai"`      // KI-Zutrittskontrolle
+	OccupancyTracking    bool `json:"occupancy_tracking"`     // Belegungsueberwachung
+	EnergyOptimization   bool `json:"energy_optimization"`    // Energieoptimierung
+}
+
+// SportsContext captures sports/general data
+type SportsContext struct {
+	AthleteTracking      bool `json:"athlete_tracking"`       // Athleten-Performance-Tracking
+	FanProfiling         bool `json:"fan_profiling"`          // Fan-/Zuschauer-Profilbildung
+	DopingDetection      bool `json:"doping_detection"`       // KI in Doping-Kontrolle
+}
+
 // DataTypes specifies what kinds of data are processed
 type DataTypes struct {
 	PersonalData     bool `json:"personal_data"`
@@ -383,6 +594,13 @@ type AssessmentResult struct {
 	Art22Risk       bool            `json:"art22_risk"` // Art. 22 GDPR automated decision risk
 	TrainingAllowed TrainingAllowed `json:"training_allowed"`

+	// BetrVG Conflict Score (0-100) — works council escalation risk
+	BetrvgConflictScore        int  `json:"betrvg_conflict_score"`
+	BetrvgConsultationRequired bool `json:"betrvg_consultation_required"`
+
+	// Input (needed for escalation logic)
+	Intake UseCaseIntake `json:"-"` // not serialized, internal use only
+
 	// Summary for humans
 	Summary         string `json:"summary"`
 	Recommendation  string `json:"recommendation"`
@@ -471,6 +689,10 @@ type Assessment struct {
 	Art22Risk               bool            `json:"art22_risk"`
 	TrainingAllowed         TrainingAllowed `json:"training_allowed"`

+	// BetrVG Conflict Score (0-100) — works council escalation risk
+	BetrvgConflictScore     int             `json:"betrvg_conflict_score"`
+	BetrvgConsultationRequired bool         `json:"betrvg_consultation_required"`
+
 	// Corpus Versioning (RAG)
 	CorpusVersionID *uuid.UUID `json:"corpus_version_id,omitempty"`
 	CorpusVersion   string     `json:"corpus_version,omitempty"`
@@ -525,3 +747,73 @@ const (
 	ExportFormatJSON     ExportFormat = "json"
 	ExportFormatMarkdown ExportFormat = "md"
 )
+
+// ============================================================================
+// AI Act Decision Tree Types
+// ============================================================================
+
+// GPAICategory represents the GPAI classification result
+type GPAICategory string
+
+const (
+	GPAICategoryNone     GPAICategory = "none"
+	GPAICategoryStandard GPAICategory = "standard"
+	GPAICategorySystemic GPAICategory = "systemic"
+)
+
+// GPAIClassification represents the result of the GPAI axis evaluation
+type GPAIClassification struct {
+	IsGPAI             bool     `json:"is_gpai"`
+	IsSystemicRisk     bool     `json:"is_systemic_risk"`
+	Category           GPAICategory `json:"gpai_category"`
+	ApplicableArticles []string `json:"applicable_articles"`
+	Obligations        []string `json:"obligations"`
+}
+
+// DecisionTreeAnswer represents a user's answer to a decision tree question
+type DecisionTreeAnswer struct {
+	QuestionID string `json:"question_id"`
+	Value      bool   `json:"value"`
+	Note       string `json:"note,omitempty"`
+}
+
+// DecisionTreeQuestion represents a single question in the decision tree
+type DecisionTreeQuestion struct {
+	ID          string `json:"id"`
+	Axis        string `json:"axis"`        // "high_risk" or "gpai"
+	Question    string `json:"question"`
+	Description string `json:"description"` // Additional context
+	ArticleRef  string `json:"article_ref"` // e.g., "Art. 5", "Anhang III"
+	SkipIf      string `json:"skip_if,omitempty"` // Question ID — skip if that was answered "no"
+}
+
+// DecisionTreeDefinition represents the full decision tree structure for the frontend
+type DecisionTreeDefinition struct {
+	ID        string                 `json:"id"`
+	Name      string                 `json:"name"`
+	Version   string                 `json:"version"`
+	Questions []DecisionTreeQuestion `json:"questions"`
+}
+
+// DecisionTreeEvalRequest is the API request for evaluating the decision tree
+type DecisionTreeEvalRequest struct {
+	SystemName        string                        `json:"system_name"`
+	SystemDescription string                        `json:"system_description,omitempty"`
+	Answers           map[string]DecisionTreeAnswer  `json:"answers"`
+}
+
+// DecisionTreeResult represents the combined evaluation result
+type DecisionTreeResult struct {
+	ID                  uuid.UUID          `json:"id"`
+	TenantID            uuid.UUID          `json:"tenant_id"`
+	ProjectID           *uuid.UUID         `json:"project_id,omitempty"`
+	SystemName          string             `json:"system_name"`
+	SystemDescription   string             `json:"system_description,omitempty"`
+	Answers             map[string]DecisionTreeAnswer `json:"answers"`
+	HighRiskResult      AIActRiskLevel     `json:"high_risk_result"`
+	GPAIResult          GPAIClassification `json:"gpai_result"`
+	CombinedObligations []string           `json:"combined_obligations"`
+	ApplicableArticles  []string           `json:"applicable_articles"`
+	CreatedAt           time.Time          `json:"created_at"`
+	UpdatedAt           time.Time          `json:"updated_at"`
+}
--- a/ai-compliance-sdk/internal/ucca/policy_engine.go
+++ b/ai-compliance-sdk/internal/ucca/policy_engine.go
@@ -220,6 +220,7 @@ func (e *PolicyEngine) Evaluate(intake *UseCaseIntake) *AssessmentResult {
 		RiskLevel:               RiskLevelMINIMAL,
 		Complexity:              ComplexityLOW,
 		RiskScore:               0,
+		Intake:                  *intake,
 		TriggeredRules:          []TriggeredRule{},
 		RequiredControls:        []RequiredControl{},
 		RecommendedArchitecture: []PatternRecommendation{},
@@ -338,6 +339,9 @@ func (e *PolicyEngine) Evaluate(intake *UseCaseIntake) *AssessmentResult {
 	// Determine complexity
 	result.Complexity = e.calculateComplexity(result)

+	// Calculate BetrVG Conflict Score (Germany only, employees >= 5)
+	result.BetrvgConflictScore, result.BetrvgConsultationRequired = e.calculateBetrvgConflictScore(intake)
+
 	// Check if DSFA is recommended
 	result.DSFARecommended = e.shouldRecommendDSFA(intake, result)

@@ -457,11 +461,382 @@ func (e *PolicyEngine) getFieldValue(field string, intake *UseCaseIntake) interf
 			return nil
 		}
 		return e.getRetentionValue(parts[1], intake)
+	case "employee_monitoring":
+		return intake.EmployeeMonitoring
+	case "hr_decision_support":
+		return intake.HRDecisionSupport
+	case "works_council_consulted":
+		return intake.WorksCouncilConsulted
+	case "hr_context":
+		if len(parts) < 2 || intake.HRContext == nil {
+			return nil
+		}
+		return e.getHRContextValue(parts[1], intake)
+	case "education_context":
+		if len(parts) < 2 || intake.EducationContext == nil {
+			return nil
+		}
+		return e.getEducationContextValue(parts[1], intake)
+	case "healthcare_context":
+		if len(parts) < 2 || intake.HealthcareContext == nil {
+			return nil
+		}
+		return e.getHealthcareContextValue(parts[1], intake)
+	case "legal_context":
+		if len(parts) < 2 || intake.LegalDomainContext == nil {
+			return nil
+		}
+		return e.getLegalContextValue(parts[1], intake)
+	case "public_sector_context":
+		if len(parts) < 2 || intake.PublicSectorContext == nil {
+			return nil
+		}
+		return e.getPublicSectorContextValue(parts[1], intake)
+	case "critical_infra_context":
+		if len(parts) < 2 || intake.CriticalInfraContext == nil {
+			return nil
+		}
+		return e.getCriticalInfraContextValue(parts[1], intake)
+	case "automotive_context":
+		if len(parts) < 2 || intake.AutomotiveContext == nil {
+			return nil
+		}
+		return e.getAutomotiveContextValue(parts[1], intake)
+	case "retail_context":
+		if len(parts) < 2 || intake.RetailContext == nil {
+			return nil
+		}
+		return e.getRetailContextValue(parts[1], intake)
+	case "it_security_context":
+		if len(parts) < 2 || intake.ITSecurityContext == nil {
+			return nil
+		}
+		return e.getITSecurityContextValue(parts[1], intake)
+	case "logistics_context":
+		if len(parts) < 2 || intake.LogisticsContext == nil {
+			return nil
+		}
+		return e.getLogisticsContextValue(parts[1], intake)
+	case "construction_context":
+		if len(parts) < 2 || intake.ConstructionContext == nil {
+			return nil
+		}
+		return e.getConstructionContextValue(parts[1], intake)
+	case "marketing_context":
+		if len(parts) < 2 || intake.MarketingContext == nil {
+			return nil
+		}
+		return e.getMarketingContextValue(parts[1], intake)
+	case "manufacturing_context":
+		if len(parts) < 2 || intake.ManufacturingContext == nil {
+			return nil
+		}
+		return e.getManufacturingContextValue(parts[1], intake)
+	case "agriculture_context":
+		if len(parts) < 2 || intake.AgricultureContext == nil { return nil }
+		return e.getAgricultureContextValue(parts[1], intake)
+	case "social_services_context":
+		if len(parts) < 2 || intake.SocialServicesCtx == nil { return nil }
+		return e.getSocialServicesContextValue(parts[1], intake)
+	case "hospitality_context":
+		if len(parts) < 2 || intake.HospitalityContext == nil { return nil }
+		return e.getHospitalityContextValue(parts[1], intake)
+	case "insurance_context":
+		if len(parts) < 2 || intake.InsuranceContext == nil { return nil }
+		return e.getInsuranceContextValue(parts[1], intake)
+	case "investment_context":
+		if len(parts) < 2 || intake.InvestmentContext == nil { return nil }
+		return e.getInvestmentContextValue(parts[1], intake)
+	case "defense_context":
+		if len(parts) < 2 || intake.DefenseContext == nil { return nil }
+		return e.getDefenseContextValue(parts[1], intake)
+	case "supply_chain_context":
+		if len(parts) < 2 || intake.SupplyChainContext == nil { return nil }
+		return e.getSupplyChainContextValue(parts[1], intake)
+	case "facility_context":
+		if len(parts) < 2 || intake.FacilityContext == nil { return nil }
+		return e.getFacilityContextValue(parts[1], intake)
+	case "sports_context":
+		if len(parts) < 2 || intake.SportsContext == nil { return nil }
+		return e.getSportsContextValue(parts[1], intake)
 	}

 	return nil
 }

+func (e *PolicyEngine) getHRContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.HRContext == nil {
+		return nil
+	}
+	switch field {
+	case "automated_screening":
+		return intake.HRContext.AutomatedScreening
+	case "automated_rejection":
+		return intake.HRContext.AutomatedRejection
+	case "candidate_ranking":
+		return intake.HRContext.CandidateRanking
+	case "bias_audits_done":
+		return intake.HRContext.BiasAuditsDone
+	case "agg_categories_visible":
+		return intake.HRContext.AGGCategoriesVisible
+	case "human_review_enforced":
+		return intake.HRContext.HumanReviewEnforced
+	case "performance_evaluation":
+		return intake.HRContext.PerformanceEvaluation
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getEducationContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.EducationContext == nil {
+		return nil
+	}
+	switch field {
+	case "grade_influence":
+		return intake.EducationContext.GradeInfluence
+	case "exam_evaluation":
+		return intake.EducationContext.ExamEvaluation
+	case "student_selection":
+		return intake.EducationContext.StudentSelection
+	case "minors_involved":
+		return intake.EducationContext.MinorsInvolved
+	case "teacher_review_required":
+		return intake.EducationContext.TeacherReviewRequired
+	case "learning_adaptation":
+		return intake.EducationContext.LearningAdaptation
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getHealthcareContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.HealthcareContext == nil {
+		return nil
+	}
+	switch field {
+	case "diagnosis_support":
+		return intake.HealthcareContext.DiagnosisSupport
+	case "treatment_recommendation":
+		return intake.HealthcareContext.TreatmentRecommend
+	case "triage_decision":
+		return intake.HealthcareContext.TriageDecision
+	case "patient_data_processed":
+		return intake.HealthcareContext.PatientDataProcessed
+	case "medical_device":
+		return intake.HealthcareContext.MedicalDevice
+	case "clinical_validation":
+		return intake.HealthcareContext.ClinicalValidation
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getLegalContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.LegalDomainContext == nil { return nil }
+	switch field {
+	case "legal_advice": return intake.LegalDomainContext.LegalAdvice
+	case "contract_analysis": return intake.LegalDomainContext.ContractAnalysis
+	case "court_prediction": return intake.LegalDomainContext.CourtPrediction
+	case "access_to_justice": return intake.LegalDomainContext.AccessToJustice
+	case "client_confidential": return intake.LegalDomainContext.ClientConfidential
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getPublicSectorContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.PublicSectorContext == nil { return nil }
+	switch field {
+	case "admin_decision": return intake.PublicSectorContext.AdminDecision
+	case "citizen_service": return intake.PublicSectorContext.CitizenService
+	case "benefit_allocation": return intake.PublicSectorContext.BenefitAllocation
+	case "public_safety": return intake.PublicSectorContext.PublicSafety
+	case "transparency_ensured": return intake.PublicSectorContext.TransparencyEnsured
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getCriticalInfraContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.CriticalInfraContext == nil { return nil }
+	switch field {
+	case "grid_control": return intake.CriticalInfraContext.GridControl
+	case "safety_critical": return intake.CriticalInfraContext.SafetyCritical
+	case "anomaly_detection": return intake.CriticalInfraContext.AnomalyDetection
+	case "redundancy_exists": return intake.CriticalInfraContext.RedundancyExists
+	case "incident_response": return intake.CriticalInfraContext.IncidentResponse
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getAutomotiveContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.AutomotiveContext == nil { return nil }
+	switch field {
+	case "autonomous_driving": return intake.AutomotiveContext.AutonomousDriving
+	case "safety_relevant": return intake.AutomotiveContext.SafetyRelevant
+	case "type_approval_needed": return intake.AutomotiveContext.TypeApprovalNeeded
+	case "functional_safety": return intake.AutomotiveContext.FunctionalSafety
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getRetailContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.RetailContext == nil { return nil }
+	switch field {
+	case "pricing_personalized": return intake.RetailContext.PricingPersonalized
+	case "customer_profiling": return intake.RetailContext.CustomerProfiling
+	case "recommendation_engine": return intake.RetailContext.RecommendationEngine
+	case "credit_scoring": return intake.RetailContext.CreditScoring
+	case "dark_patterns": return intake.RetailContext.DarkPatterns
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getITSecurityContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ITSecurityContext == nil { return nil }
+	switch field {
+	case "employee_surveillance": return intake.ITSecurityContext.EmployeeSurveillance
+	case "network_monitoring": return intake.ITSecurityContext.NetworkMonitoring
+	case "threat_detection": return intake.ITSecurityContext.ThreatDetection
+	case "access_control_ai": return intake.ITSecurityContext.AccessControl
+	case "data_retention_logs": return intake.ITSecurityContext.DataRetention
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getLogisticsContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.LogisticsContext == nil { return nil }
+	switch field {
+	case "driver_tracking": return intake.LogisticsContext.DriverTracking
+	case "route_optimization": return intake.LogisticsContext.RouteOptimization
+	case "workload_scoring": return intake.LogisticsContext.WorkloadScoring
+	case "predictive_maintenance": return intake.LogisticsContext.PredictiveMaint
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getConstructionContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ConstructionContext == nil { return nil }
+	switch field {
+	case "safety_monitoring": return intake.ConstructionContext.SafetyMonitoring
+	case "tenant_screening": return intake.ConstructionContext.TenantScreening
+	case "building_automation": return intake.ConstructionContext.BuildingAutomation
+	case "worker_safety": return intake.ConstructionContext.WorkerSafety
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getMarketingContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.MarketingContext == nil { return nil }
+	switch field {
+	case "deepfake_content": return intake.MarketingContext.DeepfakeContent
+	case "content_moderation": return intake.MarketingContext.ContentModeration
+	case "behavioral_targeting": return intake.MarketingContext.BehavioralTargeting
+	case "minors_targeted": return intake.MarketingContext.MinorsTargeted
+	case "ai_content_labeled": return intake.MarketingContext.AIContentLabeled
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getManufacturingContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.ManufacturingContext == nil { return nil }
+	switch field {
+	case "machine_safety": return intake.ManufacturingContext.MachineSafety
+	case "quality_control": return intake.ManufacturingContext.QualityControl
+	case "process_control": return intake.ManufacturingContext.ProcessControl
+	case "ce_marking_required": return intake.ManufacturingContext.CEMarkingRequired
+	case "safety_validated": return intake.ManufacturingContext.SafetyValidated
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getAgricultureContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.AgricultureContext == nil { return nil }
+	switch field {
+	case "pesticide_ai": return intake.AgricultureContext.PesticideAI
+	case "animal_welfare": return intake.AgricultureContext.AnimalWelfare
+	case "environmental_data": return intake.AgricultureContext.EnvironmentalData
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getSocialServicesContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.SocialServicesCtx == nil { return nil }
+	switch field {
+	case "vulnerable_groups": return intake.SocialServicesCtx.VulnerableGroups
+	case "benefit_decision": return intake.SocialServicesCtx.BenefitDecision
+	case "case_management": return intake.SocialServicesCtx.CaseManagement
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getHospitalityContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.HospitalityContext == nil { return nil }
+	switch field {
+	case "guest_profiling": return intake.HospitalityContext.GuestProfiling
+	case "dynamic_pricing": return intake.HospitalityContext.DynamicPricing
+	case "review_manipulation": return intake.HospitalityContext.ReviewManipulation
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getInsuranceContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.InsuranceContext == nil { return nil }
+	switch field {
+	case "risk_classification": return intake.InsuranceContext.RiskClassification
+	case "claims_automation": return intake.InsuranceContext.ClaimsAutomation
+	case "premium_calculation": return intake.InsuranceContext.PremiumCalculation
+	case "fraud_detection": return intake.InsuranceContext.FraudDetection
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getInvestmentContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.InvestmentContext == nil { return nil }
+	switch field {
+	case "algo_trading": return intake.InvestmentContext.AlgoTrading
+	case "investment_advice": return intake.InvestmentContext.InvestmentAdvice
+	case "robo_advisor": return intake.InvestmentContext.RoboAdvisor
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getDefenseContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.DefenseContext == nil { return nil }
+	switch field {
+	case "dual_use": return intake.DefenseContext.DualUse
+	case "export_controlled": return intake.DefenseContext.ExportControlled
+	case "classified_data": return intake.DefenseContext.ClassifiedData
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getSupplyChainContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.SupplyChainContext == nil { return nil }
+	switch field {
+	case "supplier_monitoring": return intake.SupplyChainContext.SupplierMonitoring
+	case "human_rights_check": return intake.SupplyChainContext.HumanRightsCheck
+	case "environmental_impact": return intake.SupplyChainContext.EnvironmentalImpact
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getFacilityContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.FacilityContext == nil { return nil }
+	switch field {
+	case "access_control_ai": return intake.FacilityContext.AccessControlAI
+	case "occupancy_tracking": return intake.FacilityContext.OccupancyTracking
+	case "energy_optimization": return intake.FacilityContext.EnergyOptimization
+	}
+	return nil
+}
+
+func (e *PolicyEngine) getSportsContextValue(field string, intake *UseCaseIntake) interface{} {
+	if intake.SportsContext == nil { return nil }
+	switch field {
+	case "athlete_tracking": return intake.SportsContext.AthleteTracking
+	case "fan_profiling": return intake.SportsContext.FanProfiling
+	case "doping_detection": return intake.SportsContext.DopingDetection
+	}
+	return nil
+}
+
 func (e *PolicyEngine) getDataTypeValue(field string, intake *UseCaseIntake) interface{} {
 	switch field {
 	case "personal_data":
@@ -880,3 +1255,70 @@ func categorizeControl(id string) string {
 	}
 	return "organizational"
 }
+
+// calculateBetrvgConflictScore computes a works council conflict score (0-100).
+// Higher score = higher risk of escalation with works council.
+// Only relevant for German organizations with >= 5 employees.
+func (e *PolicyEngine) calculateBetrvgConflictScore(intake *UseCaseIntake) (int, bool) {
+	if intake.Domain == "" {
+		return 0, false
+	}
+
+	score := 0
+	consultationRequired := false
+
+	// Factor 1: Employee data processing (+10)
+	if intake.DataTypes.PersonalData && intake.DataTypes.EmployeeData {
+		score += 10
+		consultationRequired = true
+	}
+
+	// Factor 2: System can monitor behavior/performance (+20)
+	if intake.EmployeeMonitoring {
+		score += 20
+		consultationRequired = true
+	}
+
+	// Factor 3: Individualized usage data / logging (+15)
+	if intake.Retention.StorePrompts || intake.Retention.StoreResponses {
+		score += 15
+	}
+
+	// Factor 4: Communication analysis (+10)
+	if intake.Purpose.CustomerSupport || intake.Purpose.Marketing {
+		// These purposes on employee data suggest communication analysis
+		if intake.DataTypes.EmployeeData {
+			score += 10
+		}
+	}
+
+	// Factor 5: HR / Recruiting context (+20)
+	if intake.HRDecisionSupport {
+		score += 20
+		consultationRequired = true
+	}
+
+	// Factor 6: Scoring / Ranking of employees (+10)
+	if intake.Outputs.RankingsOrScores || intake.Outputs.RecommendationsToUsers {
+		if intake.DataTypes.EmployeeData {
+			score += 10
+		}
+	}
+
+	// Factor 7: Fully automated decisions (+10)
+	if intake.Automation == "fully_automated" {
+		score += 10
+	}
+
+	// Factor 8: Works council NOT consulted (+5)
+	if consultationRequired && !intake.WorksCouncilConsulted {
+		score += 5
+	}
+
+	// Cap at 100
+	if score > 100 {
+		score = 100
+	}
+
+	return score, consultationRequired
+}
--- a/ai-compliance-sdk/internal/ucca/registration_store.go
+++ b/ai-compliance-sdk/internal/ucca/registration_store.go
@@ -0,0 +1,274 @@
+package ucca
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// AIRegistration represents an EU AI Database registration entry
+type AIRegistration struct {
+	ID        uuid.UUID `json:"id"`
+	TenantID  uuid.UUID `json:"tenant_id"`
+
+	// System
+	SystemName        string `json:"system_name"`
+	SystemVersion     string `json:"system_version,omitempty"`
+	SystemDescription string `json:"system_description,omitempty"`
+	IntendedPurpose   string `json:"intended_purpose,omitempty"`
+
+	// Provider
+	ProviderName            string `json:"provider_name,omitempty"`
+	ProviderLegalForm       string `json:"provider_legal_form,omitempty"`
+	ProviderAddress         string `json:"provider_address,omitempty"`
+	ProviderCountry         string `json:"provider_country,omitempty"`
+	EURepresentativeName    string `json:"eu_representative_name,omitempty"`
+	EURepresentativeContact string `json:"eu_representative_contact,omitempty"`
+
+	// Classification
+	RiskClassification string `json:"risk_classification"`
+	AnnexIIICategory   string `json:"annex_iii_category,omitempty"`
+	GPAIClassification string `json:"gpai_classification"`
+
+	// Conformity
+	ConformityAssessmentType string `json:"conformity_assessment_type,omitempty"`
+	NotifiedBodyName         string `json:"notified_body_name,omitempty"`
+	NotifiedBodyID           string `json:"notified_body_id,omitempty"`
+	CEMarking                bool   `json:"ce_marking"`
+
+	// Training data
+	TrainingDataCategories json.RawMessage `json:"training_data_categories,omitempty"`
+	TrainingDataSummary    string          `json:"training_data_summary,omitempty"`
+
+	// Status
+	RegistrationStatus string     `json:"registration_status"`
+	EUDatabaseID       string     `json:"eu_database_id,omitempty"`
+	RegistrationDate   *time.Time `json:"registration_date,omitempty"`
+	LastUpdateDate     *time.Time `json:"last_update_date,omitempty"`
+
+	// Links
+	UCCAAssessmentID     *uuid.UUID `json:"ucca_assessment_id,omitempty"`
+	DecisionTreeResultID *uuid.UUID `json:"decision_tree_result_id,omitempty"`
+
+	// Export
+	ExportData json.RawMessage `json:"export_data,omitempty"`
+
+	// Audit
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at"`
+	CreatedBy   string    `json:"created_by,omitempty"`
+	SubmittedBy string    `json:"submitted_by,omitempty"`
+}
+
+// RegistrationStore handles AI registration persistence
+type RegistrationStore struct {
+	pool *pgxpool.Pool
+}
+
+// NewRegistrationStore creates a new registration store
+func NewRegistrationStore(pool *pgxpool.Pool) *RegistrationStore {
+	return &RegistrationStore{pool: pool}
+}
+
+// Create creates a new registration
+func (s *RegistrationStore) Create(ctx context.Context, r *AIRegistration) error {
+	r.ID = uuid.New()
+	r.CreatedAt = time.Now()
+	r.UpdatedAt = time.Now()
+	if r.RegistrationStatus == "" {
+		r.RegistrationStatus = "draft"
+	}
+	if r.RiskClassification == "" {
+		r.RiskClassification = "not_classified"
+	}
+	if r.GPAIClassification == "" {
+		r.GPAIClassification = "none"
+	}
+
+	_, err := s.pool.Exec(ctx, `
+		INSERT INTO ai_system_registrations (
+			id, tenant_id, system_name, system_version, system_description, intended_purpose,
+			provider_name, provider_legal_form, provider_address, provider_country,
+			eu_representative_name, eu_representative_contact,
+			risk_classification, annex_iii_category, gpai_classification,
+			conformity_assessment_type, notified_body_name, notified_body_id, ce_marking,
+			training_data_categories, training_data_summary,
+			registration_status, ucca_assessment_id, decision_tree_result_id,
+			created_by
+		) VALUES (
+			$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12,
+			$13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25
+		)`,
+		r.ID, r.TenantID, r.SystemName, r.SystemVersion, r.SystemDescription, r.IntendedPurpose,
+		r.ProviderName, r.ProviderLegalForm, r.ProviderAddress, r.ProviderCountry,
+		r.EURepresentativeName, r.EURepresentativeContact,
+		r.RiskClassification, r.AnnexIIICategory, r.GPAIClassification,
+		r.ConformityAssessmentType, r.NotifiedBodyName, r.NotifiedBodyID, r.CEMarking,
+		r.TrainingDataCategories, r.TrainingDataSummary,
+		r.RegistrationStatus, r.UCCAAssessmentID, r.DecisionTreeResultID,
+		r.CreatedBy,
+	)
+	return err
+}
+
+// List returns all registrations for a tenant
+func (s *RegistrationStore) List(ctx context.Context, tenantID uuid.UUID) ([]AIRegistration, error) {
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, tenant_id, system_name, system_version, system_description, intended_purpose,
+			provider_name, provider_legal_form, provider_address, provider_country,
+			eu_representative_name, eu_representative_contact,
+			risk_classification, annex_iii_category, gpai_classification,
+			conformity_assessment_type, notified_body_name, notified_body_id, ce_marking,
+			training_data_categories, training_data_summary,
+			registration_status, eu_database_id, registration_date, last_update_date,
+			ucca_assessment_id, decision_tree_result_id, export_data,
+			created_at, updated_at, created_by, submitted_by
+		FROM ai_system_registrations
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`,
+		tenantID,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var registrations []AIRegistration
+	for rows.Next() {
+		var r AIRegistration
+		err := rows.Scan(
+			&r.ID, &r.TenantID, &r.SystemName, &r.SystemVersion, &r.SystemDescription, &r.IntendedPurpose,
+			&r.ProviderName, &r.ProviderLegalForm, &r.ProviderAddress, &r.ProviderCountry,
+			&r.EURepresentativeName, &r.EURepresentativeContact,
+			&r.RiskClassification, &r.AnnexIIICategory, &r.GPAIClassification,
+			&r.ConformityAssessmentType, &r.NotifiedBodyName, &r.NotifiedBodyID, &r.CEMarking,
+			&r.TrainingDataCategories, &r.TrainingDataSummary,
+			&r.RegistrationStatus, &r.EUDatabaseID, &r.RegistrationDate, &r.LastUpdateDate,
+			&r.UCCAAssessmentID, &r.DecisionTreeResultID, &r.ExportData,
+			&r.CreatedAt, &r.UpdatedAt, &r.CreatedBy, &r.SubmittedBy,
+		)
+		if err != nil {
+			return nil, err
+		}
+		registrations = append(registrations, r)
+	}
+	return registrations, nil
+}
+
+// GetByID returns a registration by ID
+func (s *RegistrationStore) GetByID(ctx context.Context, id uuid.UUID) (*AIRegistration, error) {
+	var r AIRegistration
+	err := s.pool.QueryRow(ctx, `
+		SELECT id, tenant_id, system_name, system_version, system_description, intended_purpose,
+			provider_name, provider_legal_form, provider_address, provider_country,
+			eu_representative_name, eu_representative_contact,
+			risk_classification, annex_iii_category, gpai_classification,
+			conformity_assessment_type, notified_body_name, notified_body_id, ce_marking,
+			training_data_categories, training_data_summary,
+			registration_status, eu_database_id, registration_date, last_update_date,
+			ucca_assessment_id, decision_tree_result_id, export_data,
+			created_at, updated_at, created_by, submitted_by
+		FROM ai_system_registrations
+		WHERE id = $1`,
+		id,
+	).Scan(
+		&r.ID, &r.TenantID, &r.SystemName, &r.SystemVersion, &r.SystemDescription, &r.IntendedPurpose,
+		&r.ProviderName, &r.ProviderLegalForm, &r.ProviderAddress, &r.ProviderCountry,
+		&r.EURepresentativeName, &r.EURepresentativeContact,
+		&r.RiskClassification, &r.AnnexIIICategory, &r.GPAIClassification,
+		&r.ConformityAssessmentType, &r.NotifiedBodyName, &r.NotifiedBodyID, &r.CEMarking,
+		&r.TrainingDataCategories, &r.TrainingDataSummary,
+		&r.RegistrationStatus, &r.EUDatabaseID, &r.RegistrationDate, &r.LastUpdateDate,
+		&r.UCCAAssessmentID, &r.DecisionTreeResultID, &r.ExportData,
+		&r.CreatedAt, &r.UpdatedAt, &r.CreatedBy, &r.SubmittedBy,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &r, nil
+}
+
+// Update updates a registration
+func (s *RegistrationStore) Update(ctx context.Context, r *AIRegistration) error {
+	r.UpdatedAt = time.Now()
+	_, err := s.pool.Exec(ctx, `
+		UPDATE ai_system_registrations SET
+			system_name = $2, system_version = $3, system_description = $4, intended_purpose = $5,
+			provider_name = $6, provider_legal_form = $7, provider_address = $8, provider_country = $9,
+			eu_representative_name = $10, eu_representative_contact = $11,
+			risk_classification = $12, annex_iii_category = $13, gpai_classification = $14,
+			conformity_assessment_type = $15, notified_body_name = $16, notified_body_id = $17, ce_marking = $18,
+			training_data_categories = $19, training_data_summary = $20,
+			registration_status = $21, eu_database_id = $22,
+			export_data = $23, updated_at = $24, submitted_by = $25
+		WHERE id = $1`,
+		r.ID, r.SystemName, r.SystemVersion, r.SystemDescription, r.IntendedPurpose,
+		r.ProviderName, r.ProviderLegalForm, r.ProviderAddress, r.ProviderCountry,
+		r.EURepresentativeName, r.EURepresentativeContact,
+		r.RiskClassification, r.AnnexIIICategory, r.GPAIClassification,
+		r.ConformityAssessmentType, r.NotifiedBodyName, r.NotifiedBodyID, r.CEMarking,
+		r.TrainingDataCategories, r.TrainingDataSummary,
+		r.RegistrationStatus, r.EUDatabaseID,
+		r.ExportData, r.UpdatedAt, r.SubmittedBy,
+	)
+	return err
+}
+
+// UpdateStatus changes only the registration status
+func (s *RegistrationStore) UpdateStatus(ctx context.Context, id uuid.UUID, status string, submittedBy string) error {
+	now := time.Now()
+	_, err := s.pool.Exec(ctx, `
+		UPDATE ai_system_registrations
+		SET registration_status = $2, submitted_by = $3, updated_at = $4,
+			registration_date = CASE WHEN $2 = 'submitted' THEN $4 ELSE registration_date END,
+			last_update_date = $4
+		WHERE id = $1`,
+		id, status, submittedBy, now,
+	)
+	return err
+}
+
+// BuildExportJSON creates the EU AI Database submission JSON
+func (s *RegistrationStore) BuildExportJSON(r *AIRegistration) json.RawMessage {
+	export := map[string]interface{}{
+		"schema_version": "1.0",
+		"submission_type": "ai_system_registration",
+		"regulation": "EU AI Act (EU) 2024/1689",
+		"article": "Art. 49",
+		"provider": map[string]interface{}{
+			"name":               r.ProviderName,
+			"legal_form":         r.ProviderLegalForm,
+			"address":            r.ProviderAddress,
+			"country":            r.ProviderCountry,
+			"eu_representative":  r.EURepresentativeName,
+			"eu_rep_contact":     r.EURepresentativeContact,
+		},
+		"system": map[string]interface{}{
+			"name":        r.SystemName,
+			"version":     r.SystemVersion,
+			"description": r.SystemDescription,
+			"purpose":     r.IntendedPurpose,
+		},
+		"classification": map[string]interface{}{
+			"risk_level":         r.RiskClassification,
+			"annex_iii_category": r.AnnexIIICategory,
+			"gpai":               r.GPAIClassification,
+		},
+		"conformity": map[string]interface{}{
+			"assessment_type": r.ConformityAssessmentType,
+			"notified_body":   r.NotifiedBodyName,
+			"notified_body_id": r.NotifiedBodyID,
+			"ce_marking":      r.CEMarking,
+		},
+		"training_data": map[string]interface{}{
+			"categories": r.TrainingDataCategories,
+			"summary":    r.TrainingDataSummary,
+		},
+		"status": r.RegistrationStatus,
+	}
+	data, _ := json.Marshal(export)
+	return data
+}
--- a/ai-compliance-sdk/internal/ucca/store.go
+++ b/ai-compliance-sdk/internal/ucca/store.go
@@ -358,6 +358,128 @@ type AssessmentFilters struct {
 	Offset      int // OFFSET for pagination
 }

+// ============================================================================
+// Decision Tree Result CRUD
+// ============================================================================
+
+// CreateDecisionTreeResult stores a new decision tree result
+func (s *Store) CreateDecisionTreeResult(ctx context.Context, r *DecisionTreeResult) error {
+	r.ID = uuid.New()
+	r.CreatedAt = time.Now().UTC()
+	r.UpdatedAt = r.CreatedAt
+
+	answers, _ := json.Marshal(r.Answers)
+	gpaiResult, _ := json.Marshal(r.GPAIResult)
+	obligations, _ := json.Marshal(r.CombinedObligations)
+	articles, _ := json.Marshal(r.ApplicableArticles)
+
+	_, err := s.pool.Exec(ctx, `
+		INSERT INTO ai_act_decision_tree_results (
+			id, tenant_id, project_id, system_name, system_description,
+			answers, high_risk_level, gpai_result,
+			combined_obligations, applicable_articles,
+			created_at, updated_at
+		) VALUES (
+			$1, $2, $3, $4, $5,
+			$6, $7, $8,
+			$9, $10,
+			$11, $12
+		)
+	`,
+		r.ID, r.TenantID, r.ProjectID, r.SystemName, r.SystemDescription,
+		answers, string(r.HighRiskResult), gpaiResult,
+		obligations, articles,
+		r.CreatedAt, r.UpdatedAt,
+	)
+	return err
+}
+
+// GetDecisionTreeResult retrieves a decision tree result by ID
+func (s *Store) GetDecisionTreeResult(ctx context.Context, id uuid.UUID) (*DecisionTreeResult, error) {
+	var r DecisionTreeResult
+	var answersBytes, gpaiBytes, oblBytes, artBytes []byte
+	var highRiskLevel string
+
+	err := s.pool.QueryRow(ctx, `
+		SELECT id, tenant_id, project_id, system_name, system_description,
+			answers, high_risk_level, gpai_result,
+			combined_obligations, applicable_articles,
+			created_at, updated_at
+		FROM ai_act_decision_tree_results WHERE id = $1
+	`, id).Scan(
+		&r.ID, &r.TenantID, &r.ProjectID, &r.SystemName, &r.SystemDescription,
+		&answersBytes, &highRiskLevel, &gpaiBytes,
+		&oblBytes, &artBytes,
+		&r.CreatedAt, &r.UpdatedAt,
+	)
+
+	if err == pgx.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	json.Unmarshal(answersBytes, &r.Answers)
+	json.Unmarshal(gpaiBytes, &r.GPAIResult)
+	json.Unmarshal(oblBytes, &r.CombinedObligations)
+	json.Unmarshal(artBytes, &r.ApplicableArticles)
+	r.HighRiskResult = AIActRiskLevel(highRiskLevel)
+
+	return &r, nil
+}
+
+// ListDecisionTreeResults lists all decision tree results for a tenant
+func (s *Store) ListDecisionTreeResults(ctx context.Context, tenantID uuid.UUID) ([]DecisionTreeResult, error) {
+	rows, err := s.pool.Query(ctx, `
+		SELECT id, tenant_id, project_id, system_name, system_description,
+			answers, high_risk_level, gpai_result,
+			combined_obligations, applicable_articles,
+			created_at, updated_at
+		FROM ai_act_decision_tree_results
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC
+		LIMIT 100
+	`, tenantID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var results []DecisionTreeResult
+	for rows.Next() {
+		var r DecisionTreeResult
+		var answersBytes, gpaiBytes, oblBytes, artBytes []byte
+		var highRiskLevel string
+
+		err := rows.Scan(
+			&r.ID, &r.TenantID, &r.ProjectID, &r.SystemName, &r.SystemDescription,
+			&answersBytes, &highRiskLevel, &gpaiBytes,
+			&oblBytes, &artBytes,
+			&r.CreatedAt, &r.UpdatedAt,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		json.Unmarshal(answersBytes, &r.Answers)
+		json.Unmarshal(gpaiBytes, &r.GPAIResult)
+		json.Unmarshal(oblBytes, &r.CombinedObligations)
+		json.Unmarshal(artBytes, &r.ApplicableArticles)
+		r.HighRiskResult = AIActRiskLevel(highRiskLevel)
+
+		results = append(results, r)
+	}
+
+	return results, nil
+}
+
+// DeleteDecisionTreeResult deletes a decision tree result by ID
+func (s *Store) DeleteDecisionTreeResult(ctx context.Context, id uuid.UUID) error {
+	_, err := s.pool.Exec(ctx, "DELETE FROM ai_act_decision_tree_results WHERE id = $1", id)
+	return err
+}
+
 // ============================================================================
 // Helpers
 // ============================================================================
--- a/ai-compliance-sdk/migrations/023_ai_registration_schema.sql
+++ b/ai-compliance-sdk/migrations/023_ai_registration_schema.sql
@@ -0,0 +1,65 @@
+-- Migration 023: AI System Registration Schema (Art. 49 AI Act)
+-- Tracks EU AI Database registrations for High-Risk AI systems
+
+CREATE TABLE IF NOT EXISTS ai_system_registrations (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+
+    -- System identification
+    system_name VARCHAR(500) NOT NULL,
+    system_version VARCHAR(100),
+    system_description TEXT,
+    intended_purpose TEXT,
+
+    -- Provider info
+    provider_name VARCHAR(500),
+    provider_legal_form VARCHAR(200),
+    provider_address TEXT,
+    provider_country VARCHAR(10),
+    eu_representative_name VARCHAR(500),
+    eu_representative_contact TEXT,
+
+    -- Classification
+    risk_classification VARCHAR(50) DEFAULT 'not_classified',
+    -- CHECK (risk_classification IN ('not_classified', 'minimal_risk', 'limited_risk', 'high_risk', 'unacceptable'))
+    annex_iii_category VARCHAR(200),
+    gpai_classification VARCHAR(50) DEFAULT 'none',
+    -- CHECK (gpai_classification IN ('none', 'standard', 'systemic'))
+
+    -- Conformity
+    conformity_assessment_type VARCHAR(50),
+    -- CHECK (conformity_assessment_type IN ('internal', 'third_party', 'not_required'))
+    notified_body_name VARCHAR(500),
+    notified_body_id VARCHAR(100),
+    ce_marking BOOLEAN DEFAULT false,
+
+    -- Training data
+    training_data_categories JSONB DEFAULT '[]'::jsonb,
+    training_data_summary TEXT,
+
+    -- Registration status
+    registration_status VARCHAR(50) DEFAULT 'draft',
+    -- CHECK (registration_status IN ('draft', 'ready', 'submitted', 'registered', 'update_required', 'withdrawn'))
+    eu_database_id VARCHAR(200),
+    registration_date TIMESTAMPTZ,
+    last_update_date TIMESTAMPTZ,
+
+    -- Links to other assessments
+    ucca_assessment_id UUID,
+    decision_tree_result_id UUID,
+
+    -- Export data (cached JSON for EU submission)
+    export_data JSONB,
+
+    -- Audit
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    created_by VARCHAR(200),
+    submitted_by VARCHAR(200)
+);
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_air_tenant ON ai_system_registrations (tenant_id);
+CREATE INDEX IF NOT EXISTS idx_air_status ON ai_system_registrations (registration_status);
+CREATE INDEX IF NOT EXISTS idx_air_classification ON ai_system_registrations (risk_classification);
+CREATE INDEX IF NOT EXISTS idx_air_ucca ON ai_system_registrations (ucca_assessment_id);
--- a/ai-compliance-sdk/migrations/024_payment_compliance_schema.sql
+++ b/ai-compliance-sdk/migrations/024_payment_compliance_schema.sql
@@ -0,0 +1,45 @@
+-- Migration 024: Payment Compliance Schema
+-- Tracks payment terminal compliance assessments against control library
+
+CREATE TABLE IF NOT EXISTS payment_compliance_assessments (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+
+    -- Project / Tender
+    project_name VARCHAR(500) NOT NULL,
+    tender_reference VARCHAR(200),
+    customer_name VARCHAR(500),
+    description TEXT,
+
+    -- Scope
+    system_type VARCHAR(100), -- terminal, backend, both, full_stack
+    payment_methods JSONB DEFAULT '[]'::jsonb, -- ["card", "nfc", "girocard", "credit"]
+    protocols JSONB DEFAULT '[]'::jsonb, -- ["zvt", "opi", "emv"]
+
+    -- Assessment
+    total_controls INT DEFAULT 0,
+    controls_passed INT DEFAULT 0,
+    controls_failed INT DEFAULT 0,
+    controls_partial INT DEFAULT 0,
+    controls_not_applicable INT DEFAULT 0,
+    controls_not_checked INT DEFAULT 0,
+    compliance_score NUMERIC(5,2) DEFAULT 0,
+
+    -- Status
+    status VARCHAR(50) DEFAULT 'draft',
+    -- CHECK (status IN ('draft', 'in_progress', 'completed', 'approved'))
+
+    -- Results (per control)
+    control_results JSONB DEFAULT '[]'::jsonb,
+    -- Each entry: {"control_id": "PAY-001", "verdict": "passed|failed|partial|na|unchecked", "evidence": "...", "notes": "..."}
+
+    -- Audit
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    created_by VARCHAR(200),
+    approved_by VARCHAR(200),
+    approved_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_pca_tenant ON payment_compliance_assessments (tenant_id);
+CREATE INDEX IF NOT EXISTS idx_pca_status ON payment_compliance_assessments (status);
--- a/ai-compliance-sdk/migrations/025_tender_analysis_schema.sql
+++ b/ai-compliance-sdk/migrations/025_tender_analysis_schema.sql
@@ -0,0 +1,37 @@
+-- Migration 025: Tender Analysis Schema
+-- Stores uploaded tender documents, extracted requirements, and control matching results
+
+CREATE TABLE IF NOT EXISTS tender_analyses (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+
+    -- Document
+    file_name VARCHAR(500) NOT NULL,
+    file_size BIGINT DEFAULT 0,
+    file_content BYTEA,
+
+    -- Project
+    project_name VARCHAR(500),
+    customer_name VARCHAR(500),
+
+    -- Status
+    status VARCHAR(50) DEFAULT 'uploaded',
+    -- CHECK (status IN ('uploaded', 'extracting', 'extracted', 'matched', 'completed', 'error'))
+
+    -- Extracted requirements
+    requirements JSONB DEFAULT '[]'::jsonb,
+    total_requirements INT DEFAULT 0,
+
+    -- Match results
+    match_results JSONB DEFAULT '[]'::jsonb,
+    matched_count INT DEFAULT 0,
+    unmatched_count INT DEFAULT 0,
+    partial_count INT DEFAULT 0,
+
+    -- Audit
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_ta_tenant ON tender_analyses (tenant_id);
+CREATE INDEX IF NOT EXISTS idx_ta_status ON tender_analyses (status);
--- a/ai-compliance-sdk/payment-compliance-pack/README.md
+++ b/ai-compliance-sdk/payment-compliance-pack/README.md
@@ -0,0 +1,65 @@
+# Payment Compliance Pack
+
+Ausfuehrbares Pruefpaket fuer Payment-Terminal-Systeme.
+
+## Inhalt
+
+### Semgrep-Regeln (25 Regeln)
+
+| Datei | Regeln | Controls |
+|-------|--------|----------|
+| `payment_logging.yml` | 5 | LOG-001, LOG-002, LOG-014 |
+| `payment_crypto.yml` | 6 | CRYPTO-001, CRYPTO-008, CRYPTO-009, KEYMGMT-001 |
+| `payment_api.yml` | 5 | API-004, API-005, API-014, API-017 |
+| `payment_config.yml` | 5 | CONFIG-001 bis CONFIG-004 |
+| `payment_data.yml` | 5 | DATA-004, DATA-005, DATA-013, TELEMETRY-001 |
+
+### CodeQL-Specs (5 Queries)
+
+| Datei | Ziel | Controls |
+|-------|------|----------|
+| `sensitive-data-to-logs.md` | Datenfluss zu Loggern | LOG-001, LOG-002, DATA-013 |
+| `sensitive-data-to-response.md` | Datenfluss in HTTP-Responses | API-009, ERROR-005 |
+| `tenant-context-loss.md` | Mandantenkontext-Verlust | TENANT-001, TENANT-002 |
+| `sensitive-data-to-telemetry.md` | Datenfluss in Telemetrie | TELEMETRY-001, TELEMETRY-002 |
+| `cache-export-leak.md` | Leaks in Cache/Export | DATA-004, DATA-011 |
+
+### State-Machine-Tests (10 Testfaelle)
+
+| Datei | Inhalt |
+|-------|--------|
+| `terminal_states.md` | 11 Zustaende, 15 Events, Transitions |
+| `terminal_invariants.md` | 8 Invarianten |
+| `terminal_testcases.json` | 10 ausfuehrbare Testfaelle |
+
+### Finding-Schema
+
+| Datei | Beschreibung |
+|-------|-------------|
+| `finding.schema.json` | JSON Schema fuer Pruefergebnisse |
+
+## Ausfuehrung
+
+### Semgrep
+
+```bash
+semgrep --config payment-compliance-pack/semgrep/ /path/to/source
+```
+
+### State-Machine-Tests
+
+Die Testfaelle in `terminal_testcases.json` definieren:
+- Ausgangszustand
+- Event-Sequenz
+- Erwarteten Endzustand
+- Zu pruefende Invarianten
+- Gemappte Controls
+
+Diese koennen gegen einen Terminal-Adapter oder Simulator ausgefuehrt werden.
+
+## Priorisierte Umsetzung
+
+1. **Welle 1:** 25 Semgrep-Regeln sofort produktiv
+2. **Welle 2:** 5 CodeQL-Queries fuer Datenfluesse
+3. **Welle 3:** 10 State-Machine-Tests gegen Terminal-Simulator
+4. **Welle 4:** Tender-Mapping (Requirement → Control → Finding → Verdict)
--- a/ai-compliance-sdk/payment-compliance-pack/codeql/cache-export-leak.md
+++ b/ai-compliance-sdk/payment-compliance-pack/codeql/cache-export-leak.md
@@ -0,0 +1,20 @@
+# CodeQL Query: Cache and Export Leak
+
+## Ziel
+Finde Leaks sensibler Daten in Caches, Files, Reports und Exportpfaden.
+
+## Sources
+- Sensitive payment attributes (pan, cvv, track2)
+- Full transaction objects with sensitive fields
+
+## Sinks
+- Redis/Memcache writes
+- Temp file writes
+- CSV/PDF/Excel exports
+- Report builders
+
+## Mapped Controls
+- `DATA-004`: Temporaere Speicher ohne sensitive Daten
+- `DATA-005`: Sensitive Daten in Telemetrie nicht offengelegt
+- `DATA-011`: Batch/Queue ohne unnoetige sensitive Felder
+- `REPORT-005`: Berichte beruecksichtigen Zeitzonen konsistent
--- a/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-logs.md
+++ b/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-logs.md
@@ -0,0 +1,32 @@
+# CodeQL Query: Sensitive Data to Logs
+
+## Ziel
+Finde Fluesse von sensitiven Zahlungsdaten zu Loggern.
+
+## Sources
+Variablen, Felder, Parameter oder JSON-Felder mit Namen:
+- `pan`, `cardNumber`, `card_number`
+- `cvv`, `cvc`
+- `track2`, `track_2`
+- `pin`
+- `expiry`, `ablauf`
+
+## Sinks
+- Logger-Aufrufe (`logging.*`, `logger.*`, `console.*`, `log.*`)
+- Telemetrie-/Tracing-Emitter (`span.set_attribute`, `tracer.*)
+- Audit-Logger (wenn nicht maskiert)
+
+## Expected Result
+| Field | Type |
+|-------|------|
+| file | string |
+| line | int |
+| source_name | string |
+| sink_call | string |
+| path | string[] |
+
+## Mapped Controls
+- `LOG-001`: Keine sensitiven Zahlungsdaten im Log
+- `LOG-002`: PAN maskiert in Logs
+- `DATA-013`: Sensitive Daten in Telemetrie nicht offengelegt
+- `TELEMETRY-001`: Telemetriedaten ohne sensitive Zahlungsdaten
--- a/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-response.md
+++ b/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-response.md
@@ -0,0 +1,19 @@
+# CodeQL Query: Sensitive Data to HTTP Response
+
+## Ziel
+Finde Fluesse sensibler Daten in HTTP-/API-Responses oder Exception-Bodies.
+
+## Sources
+- Sensible Payment-Felder: pan, cvv, track2, cardNumber, pin, expiry
+- Interne Payment DTOs mit sensitiven Attributen
+
+## Sinks
+- JSON serializer / response builder
+- Exception payload / error handler response
+- Template rendering output
+
+## Mapped Controls
+- `API-009`: API-Antworten minimieren sensible Daten
+- `API-015`: Interne Fehler ohne sensitive Daten an Client
+- `ERROR-005`: Ausnahmebehandlung gibt keine sensitiven Rohdaten zurueck
+- `REPORT-006`: Reports offenbaren nur rollenerforderliche Daten
--- a/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-telemetry.md
+++ b/ai-compliance-sdk/payment-compliance-pack/codeql/sensitive-data-to-telemetry.md
@@ -0,0 +1,19 @@
+# CodeQL Query: Sensitive Data to Telemetry
+
+## Ziel
+Finde Fluesse sensibler Daten in Metriken, Traces und Telemetrie-Events.
+
+## Sources
+- Payment DTO fields (pan, cvv, track2, cardNumber)
+- Token/Session related fields
+
+## Sinks
+- Span attributes / trace tags
+- Metric labels
+- Telemetry events / exporters
+
+## Mapped Controls
+- `TELEMETRY-001`: Telemetriedaten ohne sensitive Zahlungsdaten
+- `TELEMETRY-002`: Tracing maskiert identifizierende Felder
+- `TELEMETRY-003`: Metriken ohne hochkartesische sensitive Labels
+- `DATA-013`: Sensitive Daten in Telemetrie nicht offengelegt
--- a/ai-compliance-sdk/payment-compliance-pack/codeql/tenant-context-loss.md
+++ b/ai-compliance-sdk/payment-compliance-pack/codeql/tenant-context-loss.md
@@ -0,0 +1,21 @@
+# CodeQL Query: Tenant Context Loss
+
+## Ziel
+Finde Datenbank-, Cache- oder Exportpfade ohne durchgehenden Tenant-Kontext.
+
+## Sources
+- Request tenant (header, token, session)
+- Device tenant
+- User tenant
+
+## Danger Patterns
+- DB Query ohne tenant filter / WHERE clause
+- Cache key ohne tenant prefix
+- Export job ohne tenant binding
+- Report query ohne Mandanteneinschraenkung
+
+## Mapped Controls
+- `TENANT-001`: Mandantenkontext serverseitig validiert
+- `TENANT-002`: Datenabfragen mandantenbeschraenkt
+- `TENANT-006`: Caching beruecksichtigt Mandantenkontext
+- `TENANT-008`: Datenexporte erzwingen Mandantenisolation
--- a/ai-compliance-sdk/payment-compliance-pack/schema/finding.schema.json
+++ b/ai-compliance-sdk/payment-compliance-pack/schema/finding.schema.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Payment Compliance Finding",
+  "type": "object",
+  "required": ["control_id", "engine", "status", "confidence", "evidence", "verdict_text"],
+  "properties": {
+    "control_id": { "type": "string" },
+    "engine": {
+      "type": "string",
+      "enum": ["semgrep", "codeql", "contract_test", "state_machine_test", "integration_test", "manual"]
+    },
+    "status": {
+      "type": "string",
+      "enum": ["passed", "failed", "warning", "not_tested", "needs_manual_review"]
+    },
+    "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
+    "severity": {
+      "type": "string",
+      "enum": ["low", "medium", "high", "critical"]
+    },
+    "evidence": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "file": { "type": "string" },
+          "line": { "type": "integer" },
+          "snippet_type": { "type": "string" },
+          "scenario": { "type": "string" },
+          "observed_state": { "type": "string" },
+          "expected_state": { "type": "string" },
+          "notes": { "type": "string" }
+        },
+        "additionalProperties": true
+      }
+    },
+    "mapped_requirements": {
+      "type": "array",
+      "items": { "type": "string" }
+    },
+    "verdict_text": { "type": "string" },
+    "next_action": { "type": "string" }
+  },
+  "additionalProperties": false
+}
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_api.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_api.yml
@@ -0,0 +1,37 @@
+rules:
+  - id: payment-debug-route
+    message: Debug- oder Diagnosepfad im produktiven API-Code pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(/debug|/internal|/test|/actuator|/swagger|/openapi)
+
+  - id: payment-admin-route-without-auth
+    message: Administrative Route ohne offensichtlichen Auth-Schutz pruefen.
+    severity: WARNING
+    languages: [python]
+    patterns:
+      - pattern: |
+          @app.$METHOD($ROUTE)
+          def $FUNC(...):
+            ...
+      - metavariable-pattern:
+          metavariable: $ROUTE
+          pattern-regex: (?i).*(admin|config|terminal|maintenance|device|key).*
+
+  - id: payment-raw-exception-response
+    message: Roh-Exceptions duerfen nicht direkt an Clients zurueckgegeben werden.
+    severity: ERROR
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(return .*str\(e\)|res\.status\(500\)\.send\(e|json\(.*error.*e)
+
+  - id: payment-missing-input-validation
+    message: Zahlungsrelevanter Endpunkt ohne offensichtliche Validierung pruefen.
+    severity: INFO
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(amount|currency|terminalId|transactionId)
+
+  - id: payment-idor-risk
+    message: Direkter Zugriff ueber terminalId/transactionId ohne Pruefung.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(get.*terminalId|find.*terminalId|get.*transactionId|find.*transactionId)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_config.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_config.yml
@@ -0,0 +1,30 @@
+rules:
+  - id: payment-prod-config-test-endpoint
+    message: Test- oder Sandbox-Endpunkt in produktionsnaher Konfiguration erkannt.
+    severity: ERROR
+    languages: [yaml, json]
+    pattern-regex: (?i)(sandbox|test-endpoint|mock-terminal|dummy-acquirer)
+
+  - id: payment-prod-debug-flag
+    message: Unsicherer Debug-Flag in Konfiguration erkannt.
+    severity: WARNING
+    languages: [yaml, json]
+    pattern-regex: (?i)(debug:\s*true|"debug"\s*:\s*true)
+
+  - id: payment-open-cors
+    message: Offene CORS-Freigabe pruefen.
+    severity: WARNING
+    languages: [yaml, json, javascript, typescript]
+    pattern-regex: (?i)(Access-Control-Allow-Origin.*\*|origin:\s*["']\*["'])
+
+  - id: payment-insecure-session-cookie
+    message: Unsicher gesetzte Session-Cookies pruefen.
+    severity: ERROR
+    languages: [javascript, typescript, python]
+    pattern-regex: (?i)(httpOnly\s*:\s*false|secure\s*:\s*false|sameSite\s*:\s*["']none["'])
+
+  - id: payment-unbounded-retry
+    message: Retry-Konfiguration scheint unbegrenzt oder zu hoch.
+    severity: WARNING
+    languages: [yaml, json]
+    pattern-regex: (?i)(retry.*(9999|infinite|unbounded))
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_crypto.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_crypto.yml
@@ -0,0 +1,43 @@
+rules:
+  - id: payment-no-md5-sha1
+    message: Unsichere Hash-Algorithmen erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\b(md5|sha1)\b
+
+  - id: payment-no-des-3des
+    message: Veraltete symmetrische Verfahren erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\b(des|3des|tripledes)\b
+
+  - id: payment-no-ecb
+    message: ECB-Modus ist fuer sensible Daten ungeeignet.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)\becb\b
+
+  - id: payment-hardcoded-secret
+    message: Moeglicherweise hartkodiertes Secret erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    patterns:
+      - pattern-either:
+          - pattern: $KEY = "..."
+          - pattern: const $KEY = "..."
+          - pattern: final String $KEY = "..."
+      - metavariable-pattern:
+          metavariable: $KEY
+          pattern-regex: (?i).*(secret|apikey|api_key|password|passwd|privatekey|private_key|terminalkey|zvtkey|opiKey).*
+
+  - id: payment-weak-random
+    message: Nicht-kryptographischer Zufall in Sicherheitskontext erkannt.
+    severity: ERROR
+    languages: [python, javascript, typescript, java]
+    pattern-regex: (?i)(Math\.random|random\.random|new Random\()
+
+  - id: payment-disable-tls-verify
+    message: TLS-Zertifikatspruefung scheint deaktiviert zu sein.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(verify\s*=\s*False|rejectUnauthorized\s*:\s*false|InsecureSkipVerify\s*:\s*true|trustAll)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_data.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_data.yml
@@ -0,0 +1,30 @@
+rules:
+  - id: payment-sensitive-in-telemetry
+    message: Sensitive Zahlungsdaten in Telemetrie oder Tracing pruefen.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(trace|span|metric|telemetry).*(pan|cvv|track2|cardnumber|pin|expiry)
+
+  - id: payment-sensitive-in-cache
+    message: Sensitiver Wert in Cache-Key oder Cache-Payload pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(cache|redis|memcache).*(pan|cvv|track2|cardnumber|pin)
+
+  - id: payment-sensitive-export
+    message: Export oder Report mit sensitiven Feldern pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(export|report|csv|xlsx|pdf).*(pan|cvv|track2|cardnumber|pin)
+
+  - id: payment-test-fixture-real-data
+    message: Testdaten mit moeglichen echten Kartendaten pruefen.
+    severity: WARNING
+    languages: [json, yaml, python, javascript, typescript]
+    pattern-regex: (?i)(4111111111111111|5555555555554444|track2|cvv)
+
+  - id: payment-queue-sensitive-payload
+    message: Queue-Nachricht mit sensitiven Zahlungsfeldern pruefen.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(publish|send|enqueue).*(pan|cvv|track2|cardnumber|pin)
--- a/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_logging.yml
+++ b/ai-compliance-sdk/payment-compliance-pack/semgrep/payment_logging.yml
@@ -0,0 +1,42 @@
+rules:
+  - id: payment-no-sensitive-logging-python
+    message: Sensitive Zahlungsdaten duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [python]
+    patterns:
+      - pattern-either:
+          - pattern: logging.$METHOD(..., $X, ...)
+          - pattern: logger.$METHOD(..., $X, ...)
+      - metavariable-pattern:
+          metavariable: $X
+          pattern-regex: (?i).*(pan|cvv|cvc|track2|track_2|cardnumber|card_number|karten|pin|expiry|ablauf).*
+
+  - id: payment-no-sensitive-logging-js
+    message: Sensitive Zahlungsdaten duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-either:
+          - pattern: console.$METHOD(..., $X, ...)
+          - pattern: logger.$METHOD(..., $X, ...)
+      - metavariable-pattern:
+          metavariable: $X
+          pattern-regex: (?i).*(pan|cvv|cvc|track2|cardnumber|pin|expiry).*
+
+  - id: payment-no-token-logging
+    message: Tokens oder Session-IDs duerfen nicht geloggt werden.
+    severity: ERROR
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(log|logger|logging|console)\.(debug|info|warn|error).*?(token|sessionid|session_id|authheader|authorization)
+
+  - id: payment-no-debug-logging-prod-flag
+    message: Debug-Logging darf in produktiven Pfaden nicht fest aktiviert sein.
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go]
+    pattern-regex: (?i)(DEBUG\s*=\s*true|debug\s*:\s*true|setLevel\(.*DEBUG.*\))
+
+  - id: payment-audit-log-admin-action
+    message: Administrative sicherheitsrelevante Aktion ohne Audit-Hinweis pruefen.
+    severity: INFO
+    languages: [python, javascript, typescript]
+    pattern-regex: (?i)(deleteTerminal|rotateKey|updateConfig|disableDevice|enableMaintenance)
--- a/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_invariants.md
+++ b/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_invariants.md
@@ -0,0 +1,25 @@
+# Terminal State Machine Invariants
+
+## Invariant 1
+APPROVED darf ohne expliziten Reversal-Pfad nicht in WAITING_FOR_TERMINAL zurueckgehen.
+
+## Invariant 2
+DECLINED darf keinen Buchungserfolg oder Success-Report erzeugen.
+
+## Invariant 3
+duplicate_response darf keinen zweiten Commit und keine zweite Success-Bestaetigung erzeugen.
+
+## Invariant 4
+DESYNC muss Audit-Logging und Klaerungsstatus ausloesen.
+
+## Invariant 5
+REVERSAL_PENDING darf nicht mehrfach parallel ausgeloest werden.
+
+## Invariant 6
+invalid_command darf nie zu APPROVED fuehren.
+
+## Invariant 7
+terminal_timeout darf nie stillschweigend als Erfolg interpretiert werden.
+
+## Invariant 8
+Late responses nach finalem Zustand muessen kontrolliert behandelt werden.
--- a/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_states.md
+++ b/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_states.md
@@ -0,0 +1,47 @@
+# Terminal Payment State Machine
+
+## States
+- IDLE
+- SESSION_OPEN
+- PAYMENT_REQUESTED
+- WAITING_FOR_TERMINAL
+- APPROVED
+- DECLINED
+- CANCELLED
+- REVERSAL_PENDING
+- REVERSED
+- ERROR
+- DESYNC
+
+## Events
+- open_session
+- close_session
+- send_payment
+- terminal_ack
+- terminal_approve
+- terminal_decline
+- terminal_timeout
+- backend_timeout
+- reconnect
+- cancel_request
+- reversal_request
+- reversal_success
+- reversal_fail
+- duplicate_response
+- invalid_command
+
+## Transitions
+| From | Event | To |
+|------|-------|----|
+| IDLE | open_session | SESSION_OPEN |
+| SESSION_OPEN | send_payment | PAYMENT_REQUESTED |
+| PAYMENT_REQUESTED | terminal_ack | WAITING_FOR_TERMINAL |
+| WAITING_FOR_TERMINAL | terminal_approve | APPROVED |
+| WAITING_FOR_TERMINAL | terminal_decline | DECLINED |
+| WAITING_FOR_TERMINAL | terminal_timeout | DESYNC |
+| WAITING_FOR_TERMINAL | cancel_request | CANCELLED |
+| APPROVED | reversal_request | REVERSAL_PENDING |
+| REVERSAL_PENDING | reversal_success | REVERSED |
+| REVERSAL_PENDING | reversal_fail | ERROR |
+| * | invalid_command | ERROR |
+| * | backend_timeout | DESYNC |
--- a/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_testcases.json
+++ b/ai-compliance-sdk/payment-compliance-pack/statemachine/terminal_testcases.json
@@ -0,0 +1,92 @@
+[
+  {
+    "test_id": "ZVT-SM-001",
+    "name": "Duplicate approved response",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["terminal_approve", "duplicate_response"],
+    "expected_final_state": "APPROVED",
+    "invariants": ["Invariant 3"],
+    "mapped_controls": ["TRANS-004", "TRANS-009", "ZVT-RESP-005"]
+  },
+  {
+    "test_id": "ZVT-SM-002",
+    "name": "Timeout then late success",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["terminal_timeout", "terminal_approve"],
+    "expected_final_state": "DESYNC",
+    "invariants": ["Invariant 4", "Invariant 7", "Invariant 8"],
+    "mapped_controls": ["TRANS-005", "TRANS-007", "TERMSYNC-009", "TERMSYNC-010"]
+  },
+  {
+    "test_id": "ZVT-SM-003",
+    "name": "Decline must not produce booking",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["terminal_decline"],
+    "expected_final_state": "DECLINED",
+    "invariants": ["Invariant 2"],
+    "mapped_controls": ["TRANS-011", "TRANS-025", "ZVT-RESP-002"]
+  },
+  {
+    "test_id": "ZVT-SM-004",
+    "name": "Invalid reversal before approval",
+    "initial_state": "PAYMENT_REQUESTED",
+    "events": ["reversal_request"],
+    "expected_final_state": "ERROR",
+    "invariants": ["Invariant 6"],
+    "mapped_controls": ["ZVT-REV-001", "ZVT-STATE-002", "ZVT-CMD-001"]
+  },
+  {
+    "test_id": "ZVT-SM-005",
+    "name": "Cancel during waiting",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["cancel_request"],
+    "expected_final_state": "CANCELLED",
+    "invariants": ["Invariant 7"],
+    "mapped_controls": ["TRANS-006", "ZVT-CMD-001", "ZVT-STATE-003"]
+  },
+  {
+    "test_id": "ZVT-SM-006",
+    "name": "Backend timeout after terminal ack",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["terminal_ack", "backend_timeout"],
+    "expected_final_state": "DESYNC",
+    "invariants": ["Invariant 4", "Invariant 7"],
+    "mapped_controls": ["TERMSYNC-010", "TRANS-012", "ZVT-SESSION-003"]
+  },
+  {
+    "test_id": "ZVT-SM-007",
+    "name": "Parallel reversal requests",
+    "initial_state": "APPROVED",
+    "events": ["reversal_request", "reversal_request"],
+    "expected_final_state": "REVERSAL_PENDING",
+    "invariants": ["Invariant 5"],
+    "mapped_controls": ["ZVT-REV-003", "TRANS-016", "TRANS-019"]
+  },
+  {
+    "test_id": "ZVT-SM-008",
+    "name": "Unknown response code",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["terminal_ack", "invalid_command"],
+    "expected_final_state": "ERROR",
+    "invariants": ["Invariant 6"],
+    "mapped_controls": ["ZVT-RESP-003", "ZVT-COM-005", "ZVT-STATE-005"]
+  },
+  {
+    "test_id": "ZVT-SM-009",
+    "name": "Reconnect and resume controlled",
+    "initial_state": "SESSION_OPEN",
+    "events": ["send_payment", "terminal_timeout", "reconnect"],
+    "expected_final_state": "WAITING_FOR_TERMINAL",
+    "invariants": ["Invariant 7"],
+    "mapped_controls": ["ZVT-SESSION-004", "TRANS-007", "ZVT-RT-004"]
+  },
+  {
+    "test_id": "ZVT-SM-010",
+    "name": "Late response after cancel",
+    "initial_state": "WAITING_FOR_TERMINAL",
+    "events": ["cancel_request", "terminal_approve"],
+    "expected_final_state": "DESYNC",
+    "invariants": ["Invariant 4", "Invariant 8"],
+    "mapped_controls": ["TERMSYNC-008", "TERMSYNC-009", "TRANS-018"]
+  }
+]
--- a/ai-compliance-sdk/policies/obligations/v2/_manifest.json
+++ b/ai-compliance-sdk/policies/obligations/v2/_manifest.json
@@ -5,13 +5,13 @@
      "id": "dsgvo",
      "file": "dsgvo_v2.json",
      "version": "1.0",
-      "count": 80
+      "count": 84
    },
    {
      "id": "ai_act",
      "file": "ai_act_v2.json",
      "version": "1.0",
-      "count": 60
+      "count": 81
    },
    {
      "id": "nis2",
@@ -54,8 +54,20 @@
      "file": "dora_v2.json",
      "version": "1.0",
      "count": 20
+    },
+    {
+      "id": "betrvg",
+      "file": "betrvg_v2.json",
+      "version": "1.0",
+      "count": 12
+    },
+    {
+      "id": "agg",
+      "file": "agg_v2.json",
+      "version": "1.0",
+      "count": 8
    }
  ],
  "tom_mapping_file": "_tom_mapping.json",
-  "total_obligations": 325
+  "total_obligations": 370
 }
--- a/ai-compliance-sdk/policies/obligations/v2/agg_v2.json
+++ b/ai-compliance-sdk/policies/obligations/v2/agg_v2.json
@@ -0,0 +1,140 @@
+{
+  "regulation": "agg",
+  "regulation_full_name": "Allgemeines Gleichbehandlungsgesetz (AGG)",
+  "version": "1.0",
+  "obligations": [
+    {
+      "id": "AGG-OBL-001",
+      "title": "Diskriminierungsfreie Gestaltung von KI-Auswahlverfahren",
+      "description": "KI-gestuetzte Auswahlverfahren (Recruiting, Befoerderung, Kuendigung) muessen so gestaltet sein, dass keine Benachteiligung nach § 1 AGG Merkmalen (Geschlecht, Alter, ethnische Herkunft, Religion, Behinderung, sexuelle Identitaet) erfolgt.",
+      "applies_when": "AI system used in employment decisions",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "hr_context.automated_screening", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 1, § 7", "title": "Benachteiligungsverbot" }, { "norm": "AGG", "article": "§ 11", "title": "Ausschreibung" }],
+      "sources": [{ "type": "national_law", "ref": "§ 1, § 7, § 11 AGG" }],
+      "category": "Governance",
+      "responsible": "HR / Compliance",
+      "deadline": { "type": "on_event", "event": "Vor Einsatz im Auswahlverfahren" },
+      "sanctions": { "description": "Schadensersatz bis 3 Monatsgehaelter (§ 15 AGG), Beweislastumkehr (§ 22 AGG)" },
+      "evidence": [{ "name": "Bias-Audit-Bericht", "required": true }, "AGG-Konformitaetspruefung"],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.FAIR.01"],
+      "breakpilot_feature": "/sdk/use-cases",
+      "valid_from": "2006-08-18",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-002",
+      "title": "Keine Nutzung von Proxy-Merkmalen fuer Diskriminierung",
+      "description": "Das KI-System darf keine Proxy-Merkmale verwenden, die indirekt auf geschuetzte Kategorien schliessen lassen (z.B. Name → Herkunft, Foto → Alter/Geschlecht, PLZ → sozialer Hintergrund).",
+      "applies_when": "AI processes applicant data with identifiable features",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "hr_context.agg_categories_visible", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 3 Abs. 2", "title": "Mittelbare Benachteiligung" }],
+      "sources": [{ "type": "national_law", "ref": "§ 3 Abs. 2 AGG" }],
+      "category": "Technisch",
+      "responsible": "Data Science / Compliance",
+      "priority": "kritisch",
+      "evidence": [{ "name": "Feature-Analyse-Dokumentation (keine Proxy-Merkmale)", "required": true }],
+      "tom_control_ids": ["TOM.FAIR.01"],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-003",
+      "title": "Beweislast-Dokumentation fuehren (§ 22 AGG)",
+      "description": "Bei Indizien fuer eine Benachteiligung kehrt sich die Beweislast um (§ 22 AGG). Der Arbeitgeber muss beweisen, dass KEINE Diskriminierung vorliegt. Daher ist lueckenlose Dokumentation der KI-Entscheidungslogik zwingend.",
+      "applies_when": "AI supports employment decisions in Germany",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 22", "title": "Beweislast" }],
+      "sources": [{ "type": "national_law", "ref": "§ 22 AGG" }],
+      "category": "Governance",
+      "responsible": "HR / Legal",
+      "priority": "kritisch",
+      "deadline": { "type": "recurring", "interval": "laufend" },
+      "sanctions": { "description": "Ohne Dokumentation kann Beweislastumkehr nicht abgewehrt werden — Schadensersatz nach § 15 AGG" },
+      "evidence": [{ "name": "Entscheidungsprotokoll mit KI-Begruendung", "required": true }, "Audit-Trail aller KI-Bewertungen"],
+      "tom_control_ids": ["TOM.LOG.01", "TOM.GOV.01"],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-004",
+      "title": "Regelmaessige Bias-Audits bei KI-gestuetzter Personalauswahl",
+      "description": "KI-Systeme im Recruiting muessen regelmaessig auf Bias geprueft werden: statistische Analyse der Ergebnisse nach Geschlecht, Altersgruppen und soweit zulaessig nach Herkunft.",
+      "applies_when": "AI ranks or scores candidates",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "hr_context.candidate_ranking", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 1, § 3", "title": "Unmittelbare und mittelbare Benachteiligung" }],
+      "category": "Technisch",
+      "responsible": "Data Science",
+      "priority": "hoch",
+      "deadline": { "type": "recurring", "interval": "quartalsweise" },
+      "evidence": [{ "name": "Bias-Audit-Ergebnis (letzte 3 Monate)", "required": true }],
+      "tom_control_ids": ["TOM.FAIR.01"],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-005",
+      "title": "Schulung der HR-Entscheider ueber KI-Grenzen",
+      "description": "Personen, die KI-gestuetzte Empfehlungen im Personalbereich nutzen, muessen ueber Systemgrenzen, Bias-Risiken und ihre Pflicht zur eigenstaendigen Pruefung geschult werden.",
+      "applies_when": "AI provides recommendations for HR decisions",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 12 Abs. 2", "title": "Pflicht des Arbeitgebers zu Schutzmassnahmen" }],
+      "category": "Organisatorisch",
+      "responsible": "HR / Training",
+      "priority": "hoch",
+      "deadline": { "type": "recurring", "interval": "jaehrlich" },
+      "evidence": [{ "name": "Schulungsnachweis AGG + KI-Kompetenz", "required": true }],
+      "tom_control_ids": [],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-006",
+      "title": "Beschwerdemechanismus fuer abgelehnte Bewerber",
+      "description": "Bewerber muessen die Moeglichkeit haben, sich ueber KI-gestuetzte Auswahlentscheidungen zu beschweren. Die zustaendige Stelle (§ 13 AGG) muss benannt sein.",
+      "applies_when": "AI used in applicant selection process",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "hr_context.automated_screening", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 13", "title": "Beschwerderecht" }],
+      "category": "Organisatorisch",
+      "responsible": "HR",
+      "priority": "hoch",
+      "evidence": [{ "name": "Dokumentierter Beschwerdemechanismus", "required": true }],
+      "tom_control_ids": [],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-007",
+      "title": "Schadensersatzrisiko dokumentieren und versichern",
+      "description": "Das Schadensersatzrisiko bei AGG-Verstoessen (bis 3 Monatsgehaelter pro Fall, § 15 AGG) muss bewertet und dokumentiert werden. Bei hohem Bewerbungsvolumen kann das kumulierte Risiko erheblich sein.",
+      "applies_when": "AI processes high volume of applications",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "hr_context.automated_screening", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 15", "title": "Entschaedigung und Schadensersatz" }],
+      "category": "Governance",
+      "responsible": "Legal / Finance",
+      "priority": "hoch",
+      "evidence": [{ "name": "Risikobewertung AGG-Schadensersatz", "required": false }],
+      "tom_control_ids": [],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    },
+    {
+      "id": "AGG-OBL-008",
+      "title": "KI-Stellenausschreibungen AGG-konform gestalten",
+      "description": "Wenn KI bei der Erstellung oder Optimierung von Stellenausschreibungen eingesetzt wird, muss sichergestellt sein, dass die Ausschreibungen keine diskriminierenden Formulierungen enthalten (§ 11 AGG).",
+      "applies_when": "AI generates or optimizes job postings",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }] },
+      "legal_basis": [{ "norm": "AGG", "article": "§ 11", "title": "Ausschreibung" }],
+      "category": "Organisatorisch",
+      "responsible": "HR / Marketing",
+      "priority": "hoch",
+      "evidence": [{ "name": "Pruefprotokoll Stellenausschreibung auf AGG-Konformitaet", "required": false }],
+      "tom_control_ids": [],
+      "valid_from": "2006-08-18",
+      "version": "1.0"
+    }
+  ],
+  "controls": [],
+  "incident_deadlines": []
+}
--- a/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json
+++ b/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json
--- a/ai-compliance-sdk/policies/obligations/v2/betrvg_v2.json
+++ b/ai-compliance-sdk/policies/obligations/v2/betrvg_v2.json
@@ -0,0 +1,250 @@
+{
+  "regulation": "betrvg",
+  "regulation_full_name": "Betriebsverfassungsgesetz (BetrVG)",
+  "version": "1.0",
+  "obligations": [
+    {
+      "id": "BETRVG-OBL-001",
+      "title": "Mitbestimmung bei technischen Ueberwachungseinrichtungen",
+      "description": "Einfuehrung und Anwendung von technischen Einrichtungen, die dazu bestimmt sind, das Verhalten oder die Leistung der Arbeitnehmer zu ueberwachen, beduerfen der Zustimmung des Betriebsrats. Das BAG hat klargestellt, dass bereits die objektive Eignung zur Ueberwachung genuegt — eine tatsaechliche Nutzung zu diesem Zweck ist nicht erforderlich (BAG 1 ABR 20/21, 1 ABN 36/18).",
+      "applies_when": "technical system can monitor employee behavior or performance",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "IN_ARRAY", "value": ["DE", "AT"] }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung bei technischen Ueberwachungseinrichtungen" }],
+      "sources": [{ "type": "national_law", "ref": "§ 87 Abs. 1 Nr. 6 BetrVG" }, { "type": "court_decision", "ref": "BAG 1 ABR 20/21 (Microsoft 365)" }, { "type": "court_decision", "ref": "BAG 1 ABN 36/18 (Standardsoftware)" }],
+      "category": "Mitbestimmung",
+      "responsible": "Arbeitgeber / HR",
+      "deadline": { "type": "on_event", "event": "Vor Einfuehrung des Systems" },
+      "sanctions": { "description": "Unterlassungsanspruch des Betriebsrats, einstweilige Verfuegung moeglich, Betriebsvereinbarung ueber Einigungsstelle erzwingbar (§ 87 Abs. 2 BetrVG)" },
+      "evidence": [{ "name": "Betriebsvereinbarung oder dokumentierte Zustimmung des Betriebsrats", "required": true }, "Protokoll der Betriebsratssitzung"],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.GOV.01", "TOM.AC.01"],
+      "breakpilot_feature": "/sdk/betriebsvereinbarung",
+      "valid_from": "1972-01-19",
+      "valid_until": null,
+      "version": "1.0",
+      "how_to_implement": "Betriebsrat fruehzeitig informieren, gemeinsame Bewertung der Ueberwachungseignung durchfuehren, Betriebsvereinbarung mit Zweckbindung und verbotenen Nutzungen abschliessen."
+    },
+    {
+      "id": "BETRVG-OBL-002",
+      "title": "Keine Geringfuegigkeitsschwelle bei Standardsoftware",
+      "description": "Auch alltaegliche Standardsoftware (Excel, Word, E-Mail-Clients) unterliegt der Mitbestimmung, wenn sie objektiv geeignet ist, Verhaltens- oder Leistungsdaten zu erheben. Es gibt keine Geringfuegigkeitsschwelle (BAG 1 ABN 36/18).",
+      "applies_when": "any software used by employees that can log or track usage",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung — keine Geringfuegigkeitsschwelle" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABN 36/18" }],
+      "category": "Mitbestimmung",
+      "responsible": "IT-Leitung / HR",
+      "deadline": { "type": "on_event", "event": "Vor Einfuehrung oder Aenderung" },
+      "sanctions": { "description": "Unterlassungsanspruch, einstweilige Verfuegung" },
+      "evidence": [{ "name": "Bestandsaufnahme aller IT-Systeme mit Ueberwachungseignung", "required": true }],
+      "priority": "hoch",
+      "tom_control_ids": [],
+      "breakpilot_feature": null,
+      "valid_from": "2018-10-23",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-003",
+      "title": "Mitbestimmung bei Ueberwachung durch Drittsysteme (SaaS/Cloud)",
+      "description": "Auch wenn die Ueberwachung ueber ein Dritt-System (SaaS, Cloud, externer Anbieter) laeuft, bleibt der Betriebsrat zu beteiligen. Die Verantwortung des Arbeitgebers entfaellt nicht durch Auslagerung (BAG 1 ABR 68/13).",
+      "applies_when": "cloud or SaaS system processes employee data",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung bei Drittsystemen" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 68/13" }],
+      "category": "Mitbestimmung",
+      "responsible": "IT-Leitung / Einkauf",
+      "deadline": { "type": "on_event", "event": "Vor Vertragsschluss mit SaaS-Anbieter" },
+      "sanctions": { "description": "Unterlassungsanspruch" },
+      "evidence": [{ "name": "Datenschutz-Folgenabschaetzung fuer Cloud-Dienst", "required": false }, "Betriebsvereinbarung"],
+      "priority": "hoch",
+      "tom_control_ids": ["TOM.PROC.01"],
+      "breakpilot_feature": null,
+      "valid_from": "2015-07-21",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-004",
+      "title": "Mitbestimmung bei E-Mail- und Kommunikationssoftware",
+      "description": "Sowohl Einfuehrung als auch Nutzung softwarebasierter Anwendungen fuer die E-Mail-Kommunikation sind mitbestimmungspflichtig (BAG 1 ABR 31/19). Dies gilt auch fuer Teams, Slack und vergleichbare Messenger.",
+      "applies_when": "organization introduces or changes email or messaging systems",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung bei Kommunikationssoftware" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 31/19" }, { "type": "court_decision", "ref": "BAG 1 ABR 46/10" }],
+      "category": "Mitbestimmung",
+      "responsible": "IT-Leitung / HR",
+      "deadline": { "type": "on_event", "event": "Vor Einfuehrung oder Funktionsaenderung" },
+      "sanctions": { "description": "Unterlassungsanspruch, einstweilige Verfuegung" },
+      "evidence": [{ "name": "Betriebsvereinbarung zu E-Mail-/Messaging-Nutzung", "required": true }],
+      "priority": "hoch",
+      "tom_control_ids": ["TOM.AC.01"],
+      "breakpilot_feature": null,
+      "valid_from": "2021-01-27",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-005",
+      "title": "Verbot der dauerhaften Leistungsueberwachung",
+      "description": "Eine dauerhafte quantitative Erfassung und Auswertung einzelner Arbeitsschritte stellt einen schwerwiegenden Eingriff in das Persoenlichkeitsrecht dar (BAG 1 ABR 46/15). Belastungsstatistiken und KPI-Dashboards auf Personenebene beduerfen besonderer Rechtfertigung.",
+      "applies_when": "system provides individual performance metrics or KPIs",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "purpose.profiling", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Persoenlichkeitsschutz bei Kennzahlenueberwachung" }, { "norm": "GG", "article": "Art. 2 Abs. 1 i.V.m. Art. 1 Abs. 1", "title": "Allgemeines Persoenlichkeitsrecht" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 46/15 (Belastungsstatistik)" }],
+      "category": "Mitbestimmung",
+      "responsible": "HR / Compliance",
+      "deadline": { "type": "recurring", "interval": "laufend" },
+      "sanctions": { "description": "Unterlassungsanspruch, Schadensersatz bei Persoenlichkeitsrechtsverletzung" },
+      "evidence": [{ "name": "Nachweis dass keine individuelle Leistungsueberwachung stattfindet", "required": true }],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.GOV.03"],
+      "breakpilot_feature": null,
+      "valid_from": "2017-04-25",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-006",
+      "title": "Unterrichtung bei Planung technischer Anlagen",
+      "description": "Der Arbeitgeber hat den Betriebsrat ueber die Planung von technischen Anlagen rechtzeitig unter Vorlage der erforderlichen Unterlagen zu unterrichten und mit ihm zu beraten.",
+      "applies_when": "organization plans new technical infrastructure",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 90 Abs. 1 Nr. 3", "title": "Unterrichtungs- und Beratungsrechte bei Planung" }],
+      "sources": [{ "type": "national_law", "ref": "§ 90 BetrVG" }],
+      "category": "Information",
+      "responsible": "IT-Leitung",
+      "deadline": { "type": "on_event", "event": "Rechtzeitig vor Umsetzung" },
+      "sanctions": { "description": "Beratungsanspruch, ggf. Aussetzung der Massnahme" },
+      "evidence": [{ "name": "Unterrichtungsschreiben an Betriebsrat mit technischer Dokumentation", "required": true }],
+      "priority": "hoch",
+      "tom_control_ids": [],
+      "breakpilot_feature": null,
+      "valid_from": "1972-01-19",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-007",
+      "title": "Mitbestimmung bei Personalfrageboegen und Bewertungssystemen",
+      "description": "Personalfrageboegen und allgemeine Beurteilungsgrundsaetze beduerfen der Zustimmung des Betriebsrats. Dies umfasst auch KI-gestuetzte Bewertungssysteme fuer Mitarbeiterbeurteilungen (BAG 1 ABR 40/07).",
+      "applies_when": "AI or IT system supports employee evaluation or surveys",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "purpose.profiling", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 94", "title": "Personalfrageboegen, Beurteilungsgrundsaetze" }, { "norm": "BetrVG", "article": "§ 95", "title": "Auswahlrichtlinien" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 40/07" }, { "type": "court_decision", "ref": "BAG 1 ABR 16/07" }],
+      "category": "Mitbestimmung",
+      "responsible": "HR",
+      "deadline": { "type": "on_event", "event": "Vor Einfuehrung des Bewertungssystems" },
+      "sanctions": { "description": "Nichtigkeit der Bewertung, Unterlassungsanspruch" },
+      "evidence": [{ "name": "Betriebsvereinbarung zu Beurteilungsgrundsaetzen", "required": true }],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.GOV.01"],
+      "breakpilot_feature": null,
+      "valid_from": "1972-01-19",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-008",
+      "title": "Mitbestimmung bei KI-gestuetztem Recruiting",
+      "description": "KI-Systeme im Recruiting-Prozess (CV-Screening, Ranking, Vorselektion) beruehren die Mitbestimmung bei Auswahlrichtlinien (§ 95 BetrVG) und ggf. bei Einstellungen (§ 99 BetrVG). Zusaetzlich AI Act Hochrisiko-Klassifikation (Annex III Nr. 4).",
+      "applies_when": "AI system used in hiring, promotion or termination decisions",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "purpose.automation", "operator": "EQUALS", "value": true }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 95", "title": "Auswahlrichtlinien" }, { "norm": "BetrVG", "article": "§ 99", "title": "Mitbestimmung bei personellen Einzelmassnahmen" }, { "norm": "EU AI Act", "article": "Annex III Nr. 4", "title": "Hochrisiko: Beschaeftigung" }],
+      "sources": [{ "type": "national_law", "ref": "§ 95, § 99 BetrVG" }],
+      "category": "Mitbestimmung",
+      "responsible": "HR / Legal",
+      "deadline": { "type": "on_event", "event": "Vor Einsatz im Recruiting" },
+      "sanctions": { "description": "Unterlassungsanspruch, Anfechtung der Einstellung, AI Act Bussgeld bei Hochrisiko-Verstoss" },
+      "evidence": [{ "name": "Betriebsvereinbarung KI im Recruiting", "required": true }, "DSFA", "AI Act Konformitaetsbewertung"],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.GOV.01", "TOM.FAIR.01"],
+      "breakpilot_feature": "/sdk/ai-act",
+      "valid_from": "1972-01-19",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-009",
+      "title": "Mitbestimmung bei Betriebsaenderungen durch KI",
+      "description": "Grundlegende Aenderung der Betriebsorganisation durch KI-Einfuehrung kann eine Betriebsaenderung darstellen. In Unternehmen mit mehr als 20 wahlberechtigten Arbeitnehmern ist ein Interessenausgleich zu versuchen und ein Sozialplan aufzustellen.",
+      "applies_when": "AI introduction fundamentally changes work organization",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "organization.employee_count", "operator": "GREATER_THAN", "value": 20 }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 111", "title": "Betriebsaenderungen" }, { "norm": "BetrVG", "article": "§ 112", "title": "Interessenausgleich, Sozialplan" }],
+      "sources": [{ "type": "national_law", "ref": "§§ 111-113 BetrVG" }],
+      "category": "Mitbestimmung",
+      "responsible": "Geschaeftsfuehrung / HR",
+      "deadline": { "type": "on_event", "event": "Rechtzeitig vor Umsetzung" },
+      "sanctions": { "description": "Nachteilsausgleich, Sozialplananspruch, Anfechtung der Massnahme" },
+      "evidence": [{ "name": "Interessenausgleich", "required": false }, "Sozialplan", "Unterrichtung des Betriebsrats"],
+      "priority": "hoch",
+      "tom_control_ids": [],
+      "breakpilot_feature": null,
+      "valid_from": "1972-01-19",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-010",
+      "title": "Zustaendigkeit bei konzernweiten IT-Systemen",
+      "description": "Bei konzernweit eingesetzten IT-Systemen (z.B. M365, SAP) kann nicht der lokale Betriebsrat, sondern der Gesamt- oder Konzernbetriebsrat zustaendig sein (BAG 1 ABR 45/11). Die Zustaendigkeitsabgrenzung ist vor Einfuehrung zu klaeren.",
+      "applies_when": "IT system deployed across multiple establishments or companies",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 50 Abs. 1", "title": "Zustaendigkeit Gesamtbetriebsrat" }, { "norm": "BetrVG", "article": "§ 58 Abs. 1", "title": "Zustaendigkeit Konzernbetriebsrat" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 45/11 (SAP ERP)" }, { "type": "court_decision", "ref": "BAG 1 ABR 2/05" }],
+      "category": "Organisation",
+      "responsible": "HR / Legal",
+      "deadline": { "type": "on_event", "event": "Vor Einfuehrung" },
+      "sanctions": { "description": "Unwirksamkeit der Vereinbarung bei falschem Verhandlungspartner" },
+      "evidence": [{ "name": "Zustaendigkeitsbestimmung dokumentiert", "required": true }],
+      "priority": "hoch",
+      "tom_control_ids": [],
+      "breakpilot_feature": null,
+      "valid_from": "2012-09-25",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-011",
+      "title": "Change-Management — erneute Mitbestimmung bei Funktionserweiterungen",
+      "description": "Neue Module, Funktionen oder Konnektoren in bestehenden IT-Systemen koennen eine erneute Mitbestimmung ausloesen, wenn sie die Ueberwachungseignung aendern oder erweitern (BAG 1 ABR 20/21 — Anwendung, nicht nur Einfuehrung).",
+      "applies_when": "existing IT system receives feature updates affecting monitoring capability",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_types.employee_data", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung bei Anwendung (nicht nur Einfuehrung)" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 20/21" }],
+      "category": "Mitbestimmung",
+      "responsible": "IT-Leitung / HR",
+      "deadline": { "type": "on_event", "event": "Vor Aktivierung neuer Funktionen" },
+      "sanctions": { "description": "Unterlassungsanspruch" },
+      "evidence": [{ "name": "Change-Management-Protokoll mit BR-Bewertung", "required": true }],
+      "priority": "hoch",
+      "tom_control_ids": [],
+      "breakpilot_feature": null,
+      "valid_from": "2022-03-08",
+      "valid_until": null,
+      "version": "1.0"
+    },
+    {
+      "id": "BETRVG-OBL-012",
+      "title": "Videoueberwachung — Mitbestimmung und Verhaeltnismaessigkeit",
+      "description": "Videoueberwachung am Arbeitsplatz ist grundsaetzlich mitbestimmungspflichtig. Die Regelungen ueber Einfuehrung und Ausgestaltung beduerfen der Zustimmung des Betriebsrats (BAG 1 ABR 78/11, 1 ABR 21/03).",
+      "applies_when": "organization uses video surveillance that may capture employees",
+      "applies_when_condition": { "all_of": [{ "field": "organization.country", "operator": "EQUALS", "value": "DE" }, { "field": "data_protection.video_surveillance", "operator": "EQUALS", "value": true }] },
+      "legal_basis": [{ "norm": "BetrVG", "article": "§ 87 Abs. 1 Nr. 6", "title": "Mitbestimmung bei Videoueberwachung" }],
+      "sources": [{ "type": "court_decision", "ref": "BAG 1 ABR 78/11" }, { "type": "court_decision", "ref": "BAG 1 ABR 21/03" }],
+      "category": "Mitbestimmung",
+      "responsible": "Facility Management / HR",
+      "deadline": { "type": "on_event", "event": "Vor Installation" },
+      "sanctions": { "description": "Unterlassungsanspruch, Beweisverwertungsverbot" },
+      "evidence": [{ "name": "Betriebsvereinbarung Videoueberwachung", "required": true }, "Beschilderung"],
+      "priority": "kritisch",
+      "tom_control_ids": ["TOM.PHY.01"],
+      "breakpilot_feature": null,
+      "valid_from": "2004-06-29",
+      "valid_until": null,
+      "version": "1.0"
+    }
+  ],
+  "controls": [],
+  "incident_deadlines": []
+}
--- a/ai-compliance-sdk/policies/obligations/v2/dsgvo_v2.json
+++ b/ai-compliance-sdk/policies/obligations/v2/dsgvo_v2.json
@@ -4591,6 +4591,209 @@
      "valid_from": "2018-05-25",
      "valid_until": null,
      "version": "1.0"
+    },
+    {
+      "id": "DSGVO-OBL-081",
+      "title": "Drittlanduebermittlung nur mit geeigneten Garantien",
+      "description": "Die Uebermittlung personenbezogener Daten in Drittlaender (insbesondere USA) ist nur zulaessig, wenn ein Angemessenheitsbeschluss vorliegt oder geeignete Garantien (z.B. Standardvertragsklauseln) implementiert sind. Nach Schrems II (C-311/18) muessen zusaetzliche Massnahmen geprueft werden.",
+      "applies_when": "data transferred to third country or US provider used",
+      "applies_when_condition": {
+        "all_of": [
+          {
+            "field": "data_protection.processes_personal_data",
+            "operator": "EQUALS",
+            "value": true
+          }
+        ]
+      },
+      "legal_basis": [
+        {
+          "norm": "DSGVO",
+          "article": "Art. 44",
+          "title": "Allgemeine Grundsaetze der Datenuebermittlung"
+        },
+        {
+          "norm": "DSGVO",
+          "article": "Art. 46",
+          "title": "Datenuebermittlung vorbehaltlich geeigneter Garantien"
+        }
+      ],
+      "sources": [
+        {
+          "type": "regulation",
+          "ref": "Art. 44-49 DSGVO"
+        },
+        {
+          "type": "court_decision",
+          "ref": "EuGH C-311/18 (Schrems II)"
+        }
+      ],
+      "category": "Governance",
+      "responsible": "Datenschutzbeauftragter",
+      "deadline": {
+        "type": "on_event",
+        "event": "Vor Beginn der Datenuebermittlung"
+      },
+      "sanctions": {
+        "max_fine": "20 Mio. EUR oder 4% Jahresumsatz"
+      },
+      "evidence": [
+        {
+          "name": "Transfer Impact Assessment (TIA)",
+          "required": true
+        },
+        "Standardvertragsklauseln (SCC)",
+        "Dokumentation zusaetzlicher Massnahmen"
+      ],
+      "priority": "kritisch",
+      "tom_control_ids": [
+        "TOM.GOV.01",
+        "TOM.CRY.01"
+      ],
+      "valid_from": "2018-05-25",
+      "version": "1.0"
+    },
+    {
+      "id": "DSGVO-OBL-082",
+      "title": "Transfer Impact Assessment (TIA) bei US-Anbietern",
+      "description": "Bei Nutzung von US-Cloud-Anbietern (AWS, Azure, Google etc.) muss ein Transfer Impact Assessment durchgefuehrt werden, das FISA 702 und Cloud Act Risiken bewertet und dokumentiert, ob die Standardvertragsklauseln wirksam schuetzen.",
+      "applies_when": "US cloud provider used for personal data",
+      "applies_when_condition": {
+        "all_of": [
+          {
+            "field": "data_protection.processes_personal_data",
+            "operator": "EQUALS",
+            "value": true
+          }
+        ]
+      },
+      "legal_basis": [
+        {
+          "norm": "DSGVO",
+          "article": "Art. 46 Abs. 1",
+          "title": "Geeignete Garantien"
+        },
+        {
+          "norm": "EuGH",
+          "article": "C-311/18",
+          "title": "Schrems II — Wirksamkeit von SCCs pruefen"
+        }
+      ],
+      "sources": [
+        {
+          "type": "court_decision",
+          "ref": "EuGH C-311/18 (Schrems II)"
+        },
+        {
+          "type": "guidance",
+          "ref": "EDPB Recommendations 01/2020 Supplementary Measures"
+        }
+      ],
+      "category": "Governance",
+      "responsible": "Datenschutzbeauftragter / Legal",
+      "deadline": {
+        "type": "on_event",
+        "event": "Vor Vertragsschluss mit US-Anbieter"
+      },
+      "sanctions": {
+        "max_fine": "20 Mio. EUR oder 4% Jahresumsatz"
+      },
+      "evidence": [
+        {
+          "name": "Transfer Impact Assessment",
+          "required": true
+        },
+        "FISA 702 Risikobewertung"
+      ],
+      "priority": "kritisch",
+      "tom_control_ids": [
+        "TOM.GOV.01"
+      ],
+      "valid_from": "2020-07-16",
+      "version": "1.0"
+    },
+    {
+      "id": "DSGVO-OBL-083",
+      "title": "Zusaetzliche technische Massnahmen bei Drittlanduebermittlung",
+      "description": "Wenn Standardvertragsklauseln allein nicht ausreichen (z.B. bei FISA 702 Exposure), muessen zusaetzliche technische Massnahmen implementiert werden: E2EE mit eigener Schluesselhoheit, Pseudonymisierung vor Uebermittlung, oder Verzicht auf den US-Anbieter.",
+      "applies_when": "SCC alone insufficient due to surveillance laws",
+      "applies_when_condition": {
+        "all_of": [
+          {
+            "field": "data_protection.processes_personal_data",
+            "operator": "EQUALS",
+            "value": true
+          }
+        ]
+      },
+      "legal_basis": [
+        {
+          "norm": "DSGVO",
+          "article": "Art. 46 Abs. 1",
+          "title": "Zusaetzliche Massnahmen"
+        },
+        {
+          "norm": "EDPB",
+          "article": "Recommendations 01/2020",
+          "title": "Supplementary Measures"
+        }
+      ],
+      "sources": [
+        {
+          "type": "guidance",
+          "ref": "EDPB Recommendations 01/2020"
+        }
+      ],
+      "category": "Technisch",
+      "responsible": "IT-Sicherheit / Datenschutzbeauftragter",
+      "priority": "hoch",
+      "evidence": [
+        {
+          "name": "Nachweis zusaetzlicher Schutzmassnahmen",
+          "required": true
+        },
+        "E2EE Dokumentation oder Pseudonymisierungskonzept"
+      ],
+      "tom_control_ids": [
+        "TOM.CRY.01",
+        "TOM.GOV.01"
+      ],
+      "valid_from": "2020-07-16",
+      "version": "1.0"
+    },
+    {
+      "id": "DSGVO-OBL-084",
+      "title": "Informationspflicht bei Drittlanduebermittlung",
+      "description": "Betroffene Personen muessen darueber informiert werden, dass ihre Daten in ein Drittland uebermittelt werden, einschliesslich der Angabe des Drittlands und der genutzten Garantien (Art. 13 Abs. 1 lit. f DSGVO).",
+      "applies_when": "personal data transferred to third country",
+      "applies_when_condition": {
+        "all_of": [
+          {
+            "field": "data_protection.processes_personal_data",
+            "operator": "EQUALS",
+            "value": true
+          }
+        ]
+      },
+      "legal_basis": [
+        {
+          "norm": "DSGVO",
+          "article": "Art. 13 Abs. 1 lit. f",
+          "title": "Informationspflicht bei Drittlanduebermittlung"
+        }
+      ],
+      "category": "Organisatorisch",
+      "responsible": "Datenschutzbeauftragter",
+      "priority": "hoch",
+      "evidence": [
+        {
+          "name": "Datenschutzerklaerung mit Drittland-Hinweis",
+          "required": true
+        }
+      ],
+      "tom_control_ids": [],
+      "valid_from": "2018-05-25",
+      "version": "1.0"
    }
  ],
  "controls": [
--- a/ai-compliance-sdk/policies/payment_controls_v1.json
+++ b/ai-compliance-sdk/policies/payment_controls_v1.json
--- a/ai-compliance-sdk/policies/ucca_policy_v1.yaml
+++ b/ai-compliance-sdk/policies/ucca_policy_v1.yaml
@@ -941,6 +941,676 @@ rules:
    gdpr_ref: "Art. 9(2)(h) DSGVO"
    rationale: "Gesundheitsdaten nur mit besonderen Schutzmaßnahmen"

+  # ---------------------------------------------------------------------------
+  # J. Drittlandtransfer / FISA 702
+  # ---------------------------------------------------------------------------
+
+  - id: R-FISA-001
+    category: "J. Drittlandrisiko"
+    title: "US-Cloud-Provider: FISA 702 Exposure"
+    description: "Der Hosting-Provider unterliegt US-Recht (FISA 702, Cloud Act). Ein Zugriff durch US-Behoerden auf EU-Daten ist nicht ausschliessbar, unabhaengig vom Serverstandort."
+    condition:
+      field: "hosting.provider"
+      operator: "in"
+      value: ["aws", "azure", "google", "microsoft", "amazon", "openai", "anthropic", "oracle"]
+    effect:
+      risk_add: 20
+      dsfa_recommended: true
+    severity: WARN
+    gdpr_ref: "Art. 44-49 DSGVO, Schrems II (C-311/18)"
+    rationale: "FISA 702 erlaubt US-Behoerden Zugriff auf Daten von Nicht-US-Personen ohne richterlichen Beschluss. EU-Serverstandort schuetzt nicht."
+
+  - id: R-FISA-002
+    category: "J. Drittlandrisiko"
+    title: "Personenbezogene Daten bei US-Provider ohne E2EE"
+    description: "Personenbezogene Daten werden bei einem US-Provider verarbeitet ohne dass eine Ende-zu-Ende-Verschluesselung mit kundenseitiger Schluesselhoheit vorliegt."
+    condition:
+      all_of:
+        - field: "hosting.provider"
+          operator: "in"
+          value: ["aws", "azure", "google", "microsoft", "amazon", "openai", "anthropic", "oracle"]
+        - field: "data_types.personal_data"
+          operator: "equals"
+          value: true
+    effect:
+      risk_add: 15
+      controls_add: [C_ENCRYPTION]
+    severity: WARN
+    gdpr_ref: "Art. 32 DSGVO i.V.m. Art. 44 ff. DSGVO"
+    rationale: "Ohne E2EE mit eigener Schluesselhoheit kann der Provider technisch auf Daten zugreifen und muss sie bei US-Anordnung herausgeben."
+
+  - id: R-FISA-003
+    category: "J. Drittlandrisiko"
+    title: "Besondere Datenkategorien bei US-Provider"
+    description: "Besondere Kategorien personenbezogener Daten (Art. 9 DSGVO) werden bei einem US-Provider verarbeitet."
+    condition:
+      all_of:
+        - field: "hosting.provider"
+          operator: "in"
+          value: ["aws", "azure", "google", "microsoft", "amazon", "openai", "anthropic", "oracle"]
+        - field: "data_types.article_9_data"
+          operator: "equals"
+          value: true
+    effect:
+      risk_add: 25
+      feasibility: CONDITIONAL
+      dsfa_recommended: true
+    severity: WARN
+    gdpr_ref: "Art. 9 DSGVO i.V.m. Art. 49 DSGVO"
+    rationale: "Besondere Kategorien bei FISA-exponierten Anbietern sind hochriskant. DSFA ist Pflicht."
+
+  # ---------------------------------------------------------------------------
+  # K. Domain-spezifische Hochrisiko-Fragen (Annex III)
+  # ---------------------------------------------------------------------------
+
+  # HR / Recruiting (Annex III Nr. 4)
+  - id: R-HR-001
+    category: "K. HR Hochrisiko"
+    title: "Automatisches Bewerber-Screening ohne Human Review"
+    description: "KI sortiert Bewerber vor ohne dass ein Mensch jede Empfehlung tatsaechlich prueft"
+    condition:
+      all_of:
+        - field: "hr_context.automated_screening"
+          operator: "equals"
+          value: true
+        - field: "hr_context.human_review_enforced"
+          operator: "equals"
+          value: false
+    effect:
+      risk_add: 20
+      feasibility: CONDITIONAL
+      controls_add: [C_HUMAN_OVERSIGHT]
+    severity: WARN
+    gdpr_ref: "Art. 22 DSGVO + Annex III Nr. 4 AI Act"
+    rationale: "Ohne echtes Human Review droht Art. 22 DSGVO Verstoss"
+
+  - id: R-HR-002
+    category: "K. HR Hochrisiko"
+    title: "Automatisierte Absagen — Art. 22 DSGVO Risiko"
+    description: "KI generiert und versendet Absagen automatisch ohne menschliche Freigabe"
+    condition:
+      field: "hr_context.automated_rejection"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 25
+      feasibility: NO
+      art22_risk: true
+    severity: BLOCK
+    gdpr_ref: "Art. 22 Abs. 1 DSGVO"
+    rationale: "Vollautomatische Ablehnung = ausschliesslich automatisierte Entscheidung mit rechtlicher Wirkung"
+
+  - id: R-HR-003
+    category: "K. HR Hochrisiko"
+    title: "AGG-relevante Merkmale fuer KI erkennbar"
+    description: "System kann Merkmale nach § 1 AGG erkennen (Name, Foto, Alter → Proxy-Diskriminierung)"
+    condition:
+      field: "hr_context.agg_categories_visible"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 15
+      controls_add: [C_BIAS_AUDIT]
+    severity: WARN
+    gdpr_ref: "§ 1, § 3 Abs. 2 AGG"
+    rationale: "Proxy-Merkmale koennen indirekte Diskriminierung verursachen"
+
+  - id: R-HR-004
+    category: "K. HR Hochrisiko"
+    title: "Bewerber-Ranking ohne Bias-Audit"
+    description: "KI erstellt Bewerber-Rankings ohne regelmaessige Bias-Pruefung"
+    condition:
+      all_of:
+        - field: "hr_context.candidate_ranking"
+          operator: "equals"
+          value: true
+        - field: "hr_context.bias_audits_done"
+          operator: "equals"
+          value: false
+    effect:
+      risk_add: 15
+      controls_add: [C_BIAS_AUDIT]
+    severity: WARN
+    gdpr_ref: "§ 22 AGG (Beweislastumkehr)"
+    rationale: "Ohne Bias-Audit keine Verteidigung bei AGG-Klage"
+
+  - id: R-HR-005
+    category: "K. HR Hochrisiko"
+    title: "KI-gestuetzte Mitarbeiterbewertung"
+    description: "KI bewertet Mitarbeiterleistung (Performance Review, KPI-Tracking)"
+    condition:
+      field: "hr_context.performance_evaluation"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 20
+    severity: WARN
+    gdpr_ref: "§ 87 Abs. 1 Nr. 6 BetrVG + § 94 BetrVG"
+    rationale: "Leistungsbewertung durch KI ist mitbestimmungspflichtig und diskriminierungsriskant"
+
+  # Education (Annex III Nr. 3)
+  - id: R-EDU-001
+    category: "K. Bildung Hochrisiko"
+    title: "KI beeinflusst Notenvergabe"
+    description: "KI erstellt Notenvorschlaege oder beeinflusst Bewertungen"
+    condition:
+      field: "education_context.grade_influence"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 20
+      controls_add: [C_HUMAN_OVERSIGHT]
+      dsfa_recommended: true
+    severity: WARN
+    gdpr_ref: "Annex III Nr. 3 AI Act"
+    rationale: "Notenvergabe hat erhebliche Auswirkungen auf Bildungschancen"
+
+  - id: R-EDU-002
+    category: "K. Bildung Hochrisiko"
+    title: "Minderjaehrige betroffen ohne Lehrkraft-Review"
+    description: "KI-System betrifft Minderjaehrige und Lehrkraft prueft nicht jedes Ergebnis"
+    condition:
+      all_of:
+        - field: "education_context.minors_involved"
+          operator: "equals"
+          value: true
+        - field: "education_context.teacher_review_required"
+          operator: "equals"
+          value: false
+    effect:
+      risk_add: 25
+      feasibility: NO
+    severity: BLOCK
+    gdpr_ref: "Art. 24 EU-Grundrechtecharta + Annex III Nr. 3 AI Act"
+    rationale: "KI-Entscheidungen ueber Minderjaehrige ohne Lehrkraft-Kontrolle sind unzulaessig"
+
+  - id: R-EDU-003
+    category: "K. Bildung Hochrisiko"
+    title: "KI steuert Zugang zu Bildungsangeboten"
+    description: "KI beeinflusst Zulassung, Kursempfehlungen oder Einstufungen"
+    condition:
+      field: "education_context.student_selection"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 20
+      dsfa_recommended: true
+    severity: WARN
+    gdpr_ref: "Art. 14 EU-Grundrechtecharta (Recht auf Bildung)"
+    rationale: "Zugangssteuerung zu Bildung ist hochrisiko nach AI Act"
+
+  # Healthcare (Annex III Nr. 5)
+  - id: R-HC-001
+    category: "K. Gesundheit Hochrisiko"
+    title: "KI unterstuetzt Diagnosen"
+    description: "KI erstellt Diagnosevorschlaege oder wertet Bildgebung aus"
+    condition:
+      field: "healthcare_context.diagnosis_support"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 20
+      dsfa_recommended: true
+      controls_add: [C_HUMAN_OVERSIGHT]
+    severity: WARN
+    gdpr_ref: "Annex III Nr. 5 AI Act + MDR (EU) 2017/745"
+    rationale: "Diagnoseunterstuetzung erfordert hoechste Genauigkeit und Human Oversight"
+
+  - id: R-HC-002
+    category: "K. Gesundheit Hochrisiko"
+    title: "Triage-Entscheidung durch KI"
+    description: "KI priorisiert Patienten nach Dringlichkeit"
+    condition:
+      field: "healthcare_context.triage_decision"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 30
+      feasibility: CONDITIONAL
+      controls_add: [C_HUMAN_OVERSIGHT]
+      dsfa_recommended: true
+    severity: WARN
+    gdpr_ref: "Annex III Nr. 5 AI Act"
+    rationale: "Lebenskritische Priorisierung erfordert maximale Sicherheit"
+
+  - id: R-HC-003
+    category: "K. Gesundheit Hochrisiko"
+    title: "Medizinprodukt ohne klinische Validierung"
+    description: "System ist als Medizinprodukt eingestuft aber nicht klinisch validiert"
+    condition:
+      all_of:
+        - field: "healthcare_context.medical_device"
+          operator: "equals"
+          value: true
+        - field: "healthcare_context.clinical_validation"
+          operator: "equals"
+          value: false
+    effect:
+      risk_add: 30
+      feasibility: NO
+    severity: BLOCK
+    gdpr_ref: "MDR (EU) 2017/745 Art. 61"
+    rationale: "Medizinprodukte ohne klinische Validierung duerfen nicht in Verkehr gebracht werden"
+
+  - id: R-HC-004
+    category: "K. Gesundheit Hochrisiko"
+    title: "Gesundheitsdaten ohne besondere Schutzmassnahmen"
+    description: "Gesundheitsdaten (Art. 9 DSGVO) werden verarbeitet"
+    condition:
+      field: "healthcare_context.patient_data_processed"
+      operator: "equals"
+      value: true
+    effect:
+      risk_add: 15
+      dsfa_recommended: true
+      controls_add: [C_DSFA]
+    severity: WARN
+    gdpr_ref: "Art. 9 DSGVO"
+    rationale: "Gesundheitsdaten sind besondere Kategorien mit erhoehtem Schutzbedarf"
+
+  # Legal / Justice (Annex III Nr. 8)
+  - id: R-LEG-001
+    category: "K. Legal Hochrisiko"
+    title: "KI gibt Rechtsberatung"
+    description: "KI generiert rechtliche Empfehlungen oder Einschaetzungen"
+    condition: { field: "legal_context.legal_advice", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    gdpr_ref: "Annex III Nr. 8 AI Act"
+    rationale: "Rechtsberatung durch KI kann Zugang zur Justiz beeintraechtigen"
+
+  - id: R-LEG-002
+    category: "K. Legal Hochrisiko"
+    title: "KI prognostiziert Gerichtsurteile"
+    description: "System erstellt Prognosen ueber Verfahrensausgaenge"
+    condition: { field: "legal_context.court_prediction", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Urteilsprognosen koennen rechtliches Verhalten verzerren"
+
+  - id: R-LEG-003
+    category: "K. Legal Hochrisiko"
+    title: "Mandantengeheimnis bei KI-Verarbeitung"
+    description: "Vertrauliche Mandantendaten werden durch KI verarbeitet"
+    condition: { field: "legal_context.client_confidential", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_ENCRYPTION] }
+    severity: WARN
+    rationale: "Mandantengeheimnis erfordert besonderen Schutz (§ 203 StGB)"
+
+  # Public Sector (Art. 27 FRIA)
+  - id: R-PUB-001
+    category: "K. Oeffentlicher Sektor"
+    title: "KI in Verwaltungsentscheidungen"
+    description: "KI beeinflusst Verwaltungsakte oder Bescheide"
+    condition: { field: "public_sector_context.admin_decision", operator: "equals", value: true }
+    effect: { risk_add: 25, dsfa_recommended: true, controls_add: [C_FRIA, C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    rationale: "Verwaltungsentscheidungen erfordern FRIA (Art. 27 AI Act)"
+
+  - id: R-PUB-002
+    category: "K. Oeffentlicher Sektor"
+    title: "KI verteilt oeffentliche Leistungen"
+    description: "KI entscheidet ueber Zuteilung von Sozialleistungen oder Foerderung"
+    condition: { field: "public_sector_context.benefit_allocation", operator: "equals", value: true }
+    effect: { risk_add: 25, feasibility: CONDITIONAL }
+    severity: WARN
+    rationale: "Leistungszuteilung betrifft Grundrecht auf soziale Sicherheit"
+
+  - id: R-PUB-003
+    category: "K. Oeffentlicher Sektor"
+    title: "Fehlende Transparenz gegenueber Buergern"
+    condition:
+      all_of:
+        - field: "public_sector_context.citizen_service"
+          operator: "equals"
+          value: true
+        - field: "public_sector_context.transparency_ensured"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 15, controls_add: [C_TRANSPARENCY] }
+    severity: WARN
+    rationale: "Oeffentliche Stellen haben erhoehte Transparenzpflicht"
+
+  # Critical Infrastructure (NIS2 + Annex III Nr. 2)
+  - id: R-CRIT-001
+    category: "K. Kritische Infrastruktur"
+    title: "Sicherheitskritische KI-Steuerung ohne Redundanz"
+    condition:
+      all_of:
+        - field: "critical_infra_context.safety_critical"
+          operator: "equals"
+          value: true
+        - field: "critical_infra_context.redundancy_exists"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 30, feasibility: NO }
+    severity: BLOCK
+    rationale: "Sicherheitskritische Steuerung ohne Redundanz ist unzulaessig"
+
+  - id: R-CRIT-002
+    category: "K. Kritische Infrastruktur"
+    title: "KI steuert Netz-/Infrastruktur"
+    condition: { field: "critical_infra_context.grid_control", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_INCIDENT_RESPONSE, C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    rationale: "Netzsteuerung durch KI erfordert NIS2-konforme Absicherung"
+
+  # Automotive / Aerospace
+  - id: R-AUTO-001
+    category: "K. Automotive Hochrisiko"
+    title: "Autonomes Fahren / ADAS"
+    condition: { field: "automotive_context.autonomous_driving", operator: "equals", value: true }
+    effect: { risk_add: 30, controls_add: [C_HUMAN_OVERSIGHT, C_FRIA] }
+    severity: WARN
+    rationale: "Autonomes Fahren ist sicherheitskritisch und hochreguliert"
+
+  - id: R-AUTO-002
+    category: "K. Automotive Hochrisiko"
+    title: "Sicherheitsrelevant ohne Functional Safety"
+    condition:
+      all_of:
+        - field: "automotive_context.safety_relevant"
+          operator: "equals"
+          value: true
+        - field: "automotive_context.functional_safety"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 25, feasibility: CONDITIONAL }
+    severity: WARN
+    rationale: "Sicherheitsrelevante Systeme erfordern ISO 26262 Konformitaet"
+
+  # Retail / E-Commerce
+  - id: R-RET-001
+    category: "K. Retail"
+    title: "Personalisierte Preise durch KI"
+    condition: { field: "retail_context.pricing_personalized", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_TRANSPARENCY] }
+    severity: WARN
+    rationale: "Personalisierte Preise koennen Verbraucher benachteiligen (DSA Art. 25)"
+
+  - id: R-RET-002
+    category: "K. Retail"
+    title: "Bonitaetspruefung bei Kauf"
+    condition: { field: "retail_context.credit_scoring", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true, art22_risk: true }
+    severity: WARN
+    rationale: "Kredit-Scoring ist Annex III Nr. 5 AI Act (Zugang zu Diensten)"
+
+  - id: R-RET-003
+    category: "K. Retail"
+    title: "Dark Patterns moeglich"
+    condition: { field: "retail_context.dark_patterns", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Manipulative UI-Muster verstossen gegen DSA und Verbraucherrecht"
+
+  # IT / Cybersecurity / Telecom
+  - id: R-ITS-001
+    category: "K. IT-Sicherheit"
+    title: "KI-gestuetzte Mitarbeiterueberwachung"
+    condition: { field: "it_security_context.employee_surveillance", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Mitarbeiterueberwachung ist §87 BetrVG + DSGVO relevant"
+
+  - id: R-ITS-002
+    category: "K. IT-Sicherheit"
+    title: "Umfangreiche Log-Speicherung"
+    condition: { field: "it_security_context.data_retention_logs", operator: "equals", value: true }
+    effect: { risk_add: 10, controls_add: [C_DATA_MINIMIZATION] }
+    severity: INFO
+    rationale: "Datenminimierung beachten auch bei Security-Logs"
+
+  # Logistics
+  - id: R-LOG-001
+    category: "K. Logistik"
+    title: "Fahrer-/Kurier-Tracking"
+    condition: { field: "logistics_context.driver_tracking", operator: "equals", value: true }
+    effect: { risk_add: 20 }
+    severity: WARN
+    rationale: "GPS-Tracking ist Verhaltenskontrolle (§87 BetrVG)"
+
+  - id: R-LOG-002
+    category: "K. Logistik"
+    title: "Leistungsbewertung Lagerarbeiter"
+    condition: { field: "logistics_context.workload_scoring", operator: "equals", value: true }
+    effect: { risk_add: 20, art22_risk: true }
+    severity: WARN
+    rationale: "Leistungs-Scoring ist Annex III Nr. 4 (Employment)"
+
+  # Construction / Real Estate
+  - id: R-CON-001
+    category: "K. Bau/Immobilien"
+    title: "KI-gestuetzte Mieterauswahl"
+    condition: { field: "construction_context.tenant_screening", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Mieterauswahl betrifft Zugang zu Wohnraum (Grundrecht)"
+
+  - id: R-CON-002
+    category: "K. Bau/Immobilien"
+    title: "KI-Arbeitsschutzueberwachung"
+    condition: { field: "construction_context.worker_safety", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Arbeitsschutzueberwachung kann Verhaltenskontrolle sein"
+
+  # Marketing / Media
+  - id: R-MKT-001
+    category: "K. Marketing/Medien"
+    title: "Deepfake-Inhalte ohne Kennzeichnung"
+    condition:
+      all_of:
+        - field: "marketing_context.deepfake_content"
+          operator: "equals"
+          value: true
+        - field: "marketing_context.ai_content_labeled"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 20, feasibility: NO }
+    severity: BLOCK
+    rationale: "Art. 50 Abs. 4 AI Act: Deepfakes muessen gekennzeichnet werden"
+
+  - id: R-MKT-002
+    category: "K. Marketing/Medien"
+    title: "Minderjaehrige als Zielgruppe"
+    condition: { field: "marketing_context.minors_targeted", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_DSFA] }
+    severity: WARN
+    rationale: "Besonderer Schutz Minderjaehriger (DSA + DSGVO)"
+
+  - id: R-MKT-003
+    category: "K. Marketing/Medien"
+    title: "Verhaltensbasiertes Targeting"
+    condition: { field: "marketing_context.behavioral_targeting", operator: "equals", value: true }
+    effect: { risk_add: 15, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Behavioral Targeting ist Profiling (Art. 22 DSGVO)"
+
+  # Manufacturing / CE
+  - id: R-MFG-001
+    category: "K. Fertigung"
+    title: "KI in Maschinensicherheit ohne Validierung"
+    condition:
+      all_of:
+        - field: "manufacturing_context.machine_safety"
+          operator: "equals"
+          value: true
+        - field: "manufacturing_context.safety_validated"
+          operator: "equals"
+          value: false
+    effect: { risk_add: 30, feasibility: NO }
+    severity: BLOCK
+    rationale: "Maschinenverordnung (EU) 2023/1230 erfordert Sicherheitsvalidierung"
+
+  - id: R-MFG-002
+    category: "K. Fertigung"
+    title: "CE-Kennzeichnung erforderlich"
+    condition: { field: "manufacturing_context.ce_marking_required", operator: "equals", value: true }
+    effect: { risk_add: 15, controls_add: [C_CE_CONFORMITY] }
+    severity: WARN
+    rationale: "CE-Kennzeichnung ist Pflicht fuer Maschinenprodukte mit KI"
+
+  # Agriculture
+  - id: R-AGR-001
+    category: "K. Landwirtschaft"
+    title: "KI steuert Pestizideinsatz"
+    condition: { field: "agriculture_context.pesticide_ai", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Umwelt- und Gesundheitsrisiken bei KI-gesteuertem Pflanzenschutz"
+
+  - id: R-AGR-002
+    category: "K. Landwirtschaft"
+    title: "KI beeinflusst Tierhaltung"
+    condition: { field: "agriculture_context.animal_welfare", operator: "equals", value: true }
+    effect: { risk_add: 10 }
+    severity: INFO
+    rationale: "Tierschutzrelevanz bei automatisierter Haltungsentscheidung"
+
+  # Social Services
+  - id: R-SOC-001
+    category: "K. Soziales"
+    title: "KI trifft Leistungsentscheidungen fuer schutzbeduerftiger Gruppen"
+    condition:
+      all_of:
+        - field: "social_services_context.vulnerable_groups"
+          operator: "equals"
+          value: true
+        - field: "social_services_context.benefit_decision"
+          operator: "equals"
+          value: true
+    effect: { risk_add: 25, dsfa_recommended: true, controls_add: [C_FRIA, C_HUMAN_OVERSIGHT] }
+    severity: WARN
+    rationale: "Leistungsentscheidungen fuer Schutzbeduerftiger erfordern FRIA"
+
+  - id: R-SOC-002
+    category: "K. Soziales"
+    title: "KI in Fallmanagement"
+    condition: { field: "social_services_context.case_management", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Fallmanagement betrifft Grundrechte der Betroffenen"
+
+  # Hospitality / Tourism
+  - id: R-HOS-001
+    category: "K. Tourismus"
+    title: "Dynamische Preisgestaltung"
+    condition: { field: "hospitality_context.dynamic_pricing", operator: "equals", value: true }
+    effect: { risk_add: 10, controls_add: [C_TRANSPARENCY] }
+    severity: INFO
+    rationale: "Personalisierte Preise erfordern Transparenz"
+
+  - id: R-HOS-002
+    category: "K. Tourismus"
+    title: "KI manipuliert Bewertungen"
+    condition: { field: "hospitality_context.review_manipulation", operator: "equals", value: true }
+    effect: { risk_add: 20, feasibility: NO }
+    severity: BLOCK
+    rationale: "Bewertungsmanipulation verstoesst gegen UWG und DSA"
+
+  # Insurance
+  - id: R-INS-001
+    category: "K. Versicherung"
+    title: "KI-gestuetzte Praemienberechnung"
+    condition: { field: "insurance_context.premium_calculation", operator: "equals", value: true }
+    effect: { risk_add: 20, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Individuelle Praemien koennen diskriminierend wirken (AGG, Annex III Nr. 5)"
+
+  - id: R-INS-002
+    category: "K. Versicherung"
+    title: "Automatisierte Schadenbearbeitung"
+    condition: { field: "insurance_context.claims_automation", operator: "equals", value: true }
+    effect: { risk_add: 15, art22_risk: true }
+    severity: WARN
+    rationale: "Automatische Schadensablehnung kann Art. 22 DSGVO ausloesen"
+
+  # Investment
+  - id: R-INV-001
+    category: "K. Investment"
+    title: "Algorithmischer Handel"
+    condition: { field: "investment_context.algo_trading", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "MiFID II Anforderungen an algorithmischen Handel"
+
+  - id: R-INV-002
+    category: "K. Investment"
+    title: "KI-gestuetzte Anlageberatung (Robo Advisor)"
+    condition: { field: "investment_context.robo_advisor", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_HUMAN_OVERSIGHT, C_TRANSPARENCY] }
+    severity: WARN
+    rationale: "Anlageberatung ist reguliert (WpHG, MiFID II) — Haftungsrisiko"
+
+  # Defense
+  - id: R-DEF-001
+    category: "K. Verteidigung"
+    title: "Dual-Use KI-Technologie"
+    condition: { field: "defense_context.dual_use", operator: "equals", value: true }
+    effect: { risk_add: 25 }
+    severity: WARN
+    rationale: "Dual-Use Technologie unterliegt Exportkontrolle (EU VO 2021/821)"
+
+  - id: R-DEF-002
+    category: "K. Verteidigung"
+    title: "Verschlusssachen in KI verarbeitet"
+    condition: { field: "defense_context.classified_data", operator: "equals", value: true }
+    effect: { risk_add: 20, controls_add: [C_ENCRYPTION] }
+    severity: WARN
+    rationale: "VS-NfD und hoeher erfordert besondere Schutzmassnahmen"
+
+  # Supply Chain (LkSG)
+  - id: R-SCH-001
+    category: "K. Lieferkette"
+    title: "KI-Menschenrechtspruefung in Lieferkette"
+    condition: { field: "supply_chain_context.human_rights_check", operator: "equals", value: true }
+    effect: { risk_add: 10 }
+    severity: INFO
+    rationale: "LkSG-relevante KI-Analyse — Bias bei Laenderrisiko-Bewertung beachten"
+
+  - id: R-SCH-002
+    category: "K. Lieferkette"
+    title: "KI ueberwacht Lieferanten"
+    condition: { field: "supply_chain_context.supplier_monitoring", operator: "equals", value: true }
+    effect: { risk_add: 10 }
+    severity: INFO
+    rationale: "Lieferantenbewertung durch KI kann indirekt Personen betreffen"
+
+  # Facility Management
+  - id: R-FAC-001
+    category: "K. Facility"
+    title: "KI-Zutrittskontrolle"
+    condition: { field: "facility_context.access_control_ai", operator: "equals", value: true }
+    effect: { risk_add: 15, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Biometrische oder verhaltensbasierte Zutrittskontrolle ist DSGVO-relevant"
+
+  - id: R-FAC-002
+    category: "K. Facility"
+    title: "Belegungsueberwachung"
+    condition: { field: "facility_context.occupancy_tracking", operator: "equals", value: true }
+    effect: { risk_add: 10 }
+    severity: INFO
+    rationale: "Belegungsdaten koennen Rueckschluesse auf Verhalten erlauben"
+
+  # Sports
+  - id: R-SPO-001
+    category: "K. Sport"
+    title: "Athleten-Performance-Tracking"
+    condition: { field: "sports_context.athlete_tracking", operator: "equals", value: true }
+    effect: { risk_add: 15 }
+    severity: WARN
+    rationale: "Leistungsdaten von Athleten sind besonders schuetzenswert"
+
+  - id: R-SPO-002
+    category: "K. Sport"
+    title: "Fan-/Zuschauer-Profilbildung"
+    condition: { field: "sports_context.fan_profiling", operator: "equals", value: true }
+    effect: { risk_add: 15, dsfa_recommended: true }
+    severity: WARN
+    rationale: "Massen-Profiling bei Sportevents erfordert DSFA"
+
  # ---------------------------------------------------------------------------
  # G. Aggregation & Ergebnis
  # ---------------------------------------------------------------------------
--- a/backend-compliance/Dockerfile
+++ b/backend-compliance/Dockerfile
@@ -10,13 +10,15 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

 # Copy requirements first for better caching
-COPY requirements.txt .
+COPY requirements.txt requirements-reranker.txt ./

 # Create virtual environment and install dependencies
 RUN python -m venv /opt/venv
 ENV PATH="/opt/venv/bin:$PATH"
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir -r requirements.txt
+    pip install --no-cache-dir -r requirements.txt && \
+    pip install --no-cache-dir -r requirements-reranker.txt || \
+    echo "WARNING: reranker dependencies not installed (torch/sentence-transformers)"

 # ---- Runtime stage ----
 FROM python:3.12-slim-bookworm
--- a/backend-compliance/compliance/api/init.py
+++ b/backend-compliance/compliance/api/init.py
@@ -6,6 +6,8 @@ from .routes import router

 logger = logging.getLogger(__name__)

+_failed_routers: dict[str, str] = {}
+

 def _safe_import_router(module_name: str, attr: str = "router"):
    """Import a router module safely — log error but don't crash the whole app."""
@@ -14,6 +16,7 @@ def _safe_import_router(module_name: str, attr: str = "router"):
        return getattr(mod, attr)
    except Exception as e:
        logger.error("Failed to import %s: %s", module_name, e)
+        _failed_routers[module_name] = str(e)
        return None


@@ -58,6 +61,8 @@ _ROUTER_MODULES = [
    "evidence_check_routes",
    "vvt_library_routes",
    "tom_mapping_routes",
+    "llm_audit_routes",
+    "assertion_routes",
 ]

 _loaded_count = 0
--- a/backend-compliance/compliance/api/assertion_routes.py
+++ b/backend-compliance/compliance/api/assertion_routes.py
@@ -0,0 +1,227 @@
+"""
+API routes for Assertion Engine (Anti-Fake-Evidence Phase 2).
+
+Endpoints:
+- /assertions: CRUD for assertions
+- /assertions/extract: Automatic extraction from entity text
+- /assertions/summary: Stats (total assertions, facts, unverified)
+"""
+
+import logging
+from datetime import datetime
+from typing import Optional
+
+from fastapi import APIRouter, Depends, HTTPException, Query
+from sqlalchemy.orm import Session
+
+from classroom_engine.database import get_db
+
+from ..db.models import AssertionDB
+from ..services.assertion_engine import extract_assertions
+from .schemas import (
+    AssertionCreate,
+    AssertionUpdate,
+    AssertionResponse,
+    AssertionListResponse,
+    AssertionSummaryResponse,
+    AssertionExtractRequest,
+)
+from .audit_trail_utils import log_audit_trail, generate_id
+
+logger = logging.getLogger(__name__)
+router = APIRouter(tags=["compliance-assertions"])
+
+
+def _build_assertion_response(a: AssertionDB) -> AssertionResponse:
+    return AssertionResponse(
+        id=a.id,
+        tenant_id=a.tenant_id,
+        entity_type=a.entity_type,
+        entity_id=a.entity_id,
+        sentence_text=a.sentence_text,
+        sentence_index=a.sentence_index,
+        assertion_type=a.assertion_type,
+        evidence_ids=a.evidence_ids or [],
+        confidence=a.confidence or 0.0,
+        normative_tier=a.normative_tier,
+        verified_by=a.verified_by,
+        verified_at=a.verified_at,
+        created_at=a.created_at,
+        updated_at=a.updated_at,
+    )
+
+
+@router.post("/assertions", response_model=AssertionResponse)
+async def create_assertion(
+    data: AssertionCreate,
+    tenant_id: Optional[str] = Query(None),
+    db: Session = Depends(get_db),
+):
+    """Create a single assertion manually."""
+    a = AssertionDB(
+        id=generate_id(),
+        tenant_id=tenant_id,
+        entity_type=data.entity_type,
+        entity_id=data.entity_id,
+        sentence_text=data.sentence_text,
+        assertion_type=data.assertion_type or "assertion",
+        evidence_ids=data.evidence_ids or [],
+        normative_tier=data.normative_tier,
+    )
+    db.add(a)
+    db.commit()
+    db.refresh(a)
+    return _build_assertion_response(a)
+
+
+@router.get("/assertions", response_model=AssertionListResponse)
+async def list_assertions(
+    entity_type: Optional[str] = Query(None),
+    entity_id: Optional[str] = Query(None),
+    assertion_type: Optional[str] = Query(None),
+    tenant_id: Optional[str] = Query(None),
+    limit: int = Query(100, ge=1, le=500),
+    db: Session = Depends(get_db),
+):
+    """List assertions with optional filters."""
+    query = db.query(AssertionDB)
+    if entity_type:
+        query = query.filter(AssertionDB.entity_type == entity_type)
+    if entity_id:
+        query = query.filter(AssertionDB.entity_id == entity_id)
+    if assertion_type:
+        query = query.filter(AssertionDB.assertion_type == assertion_type)
+    if tenant_id:
+        query = query.filter(AssertionDB.tenant_id == tenant_id)
+
+    total = query.count()
+    records = query.order_by(AssertionDB.sentence_index.asc()).limit(limit).all()
+
+    return AssertionListResponse(
+        assertions=[_build_assertion_response(a) for a in records],
+        total=total,
+    )
+
+
+@router.get("/assertions/summary", response_model=AssertionSummaryResponse)
+async def assertion_summary(
+    tenant_id: Optional[str] = Query(None),
+    entity_type: Optional[str] = Query(None),
+    entity_id: Optional[str] = Query(None),
+    db: Session = Depends(get_db),
+):
+    """Summary stats: total assertions, facts, rationale, unverified."""
+    query = db.query(AssertionDB)
+    if tenant_id:
+        query = query.filter(AssertionDB.tenant_id == tenant_id)
+    if entity_type:
+        query = query.filter(AssertionDB.entity_type == entity_type)
+    if entity_id:
+        query = query.filter(AssertionDB.entity_id == entity_id)
+
+    all_records = query.all()
+
+    total = len(all_records)
+    facts = sum(1 for a in all_records if a.assertion_type == "fact")
+    rationale = sum(1 for a in all_records if a.assertion_type == "rationale")
+    unverified = sum(1 for a in all_records if a.assertion_type == "assertion" and not a.verified_by)
+
+    return AssertionSummaryResponse(
+        total_assertions=total,
+        total_facts=facts,
+        total_rationale=rationale,
+        unverified_count=unverified,
+    )
+
+
+@router.get("/assertions/{assertion_id}", response_model=AssertionResponse)
+async def get_assertion(
+    assertion_id: str,
+    db: Session = Depends(get_db),
+):
+    """Get a single assertion by ID."""
+    a = db.query(AssertionDB).filter(AssertionDB.id == assertion_id).first()
+    if not a:
+        raise HTTPException(status_code=404, detail=f"Assertion {assertion_id} not found")
+    return _build_assertion_response(a)
+
+
+@router.put("/assertions/{assertion_id}", response_model=AssertionResponse)
+async def update_assertion(
+    assertion_id: str,
+    data: AssertionUpdate,
+    db: Session = Depends(get_db),
+):
+    """Update an assertion (e.g. link evidence, change type)."""
+    a = db.query(AssertionDB).filter(AssertionDB.id == assertion_id).first()
+    if not a:
+        raise HTTPException(status_code=404, detail=f"Assertion {assertion_id} not found")
+
+    update_fields = data.model_dump(exclude_unset=True)
+    for key, value in update_fields.items():
+        setattr(a, key, value)
+    a.updated_at = datetime.utcnow()
+    db.commit()
+    db.refresh(a)
+    return _build_assertion_response(a)
+
+
+@router.post("/assertions/{assertion_id}/verify", response_model=AssertionResponse)
+async def verify_assertion(
+    assertion_id: str,
+    verified_by: str = Query(...),
+    db: Session = Depends(get_db),
+):
+    """Mark an assertion as verified fact."""
+    a = db.query(AssertionDB).filter(AssertionDB.id == assertion_id).first()
+    if not a:
+        raise HTTPException(status_code=404, detail=f"Assertion {assertion_id} not found")
+
+    a.assertion_type = "fact"
+    a.verified_by = verified_by
+    a.verified_at = datetime.utcnow()
+    a.updated_at = datetime.utcnow()
+    db.commit()
+    db.refresh(a)
+    return _build_assertion_response(a)
+
+
+@router.post("/assertions/extract", response_model=AssertionListResponse)
+async def extract_assertions_endpoint(
+    data: AssertionExtractRequest,
+    tenant_id: Optional[str] = Query(None),
+    db: Session = Depends(get_db),
+):
+    """Extract assertions from free text and persist them."""
+    extracted = extract_assertions(
+        text=data.text,
+        entity_type=data.entity_type,
+        entity_id=data.entity_id,
+        tenant_id=tenant_id,
+    )
+
+    created = []
+    for item in extracted:
+        a = AssertionDB(
+            id=generate_id(),
+            tenant_id=item["tenant_id"],
+            entity_type=item["entity_type"],
+            entity_id=item["entity_id"],
+            sentence_text=item["sentence_text"],
+            sentence_index=item["sentence_index"],
+            assertion_type=item["assertion_type"],
+            evidence_ids=item["evidence_ids"],
+            normative_tier=item.get("normative_tier"),
+            confidence=item.get("confidence", 0.0),
+        )
+        db.add(a)
+        created.append(a)
+
+    db.commit()
+    for a in created:
+        db.refresh(a)
+
+    return AssertionListResponse(
+        assertions=[_build_assertion_response(a) for a in created],
+        total=len(created),
+    )
--- a/backend-compliance/compliance/api/audit_trail_utils.py
+++ b/backend-compliance/compliance/api/audit_trail_utils.py
@@ -0,0 +1,53 @@
+"""Shared audit trail utilities.
+
+Extracted from isms_routes.py for reuse across evidence, control,
+and assertion routes.
+"""
+
+import hashlib
+import uuid
+from datetime import datetime
+
+from sqlalchemy.orm import Session
+
+from ..db.models import AuditTrailDB
+
+
+def generate_id() -> str:
+    """Generate a UUID string."""
+    return str(uuid.uuid4())
+
+
+def create_signature(data: str) -> str:
+    """Create SHA-256 signature."""
+    return hashlib.sha256(data.encode()).hexdigest()
+
+
+def log_audit_trail(
+    db: Session,
+    entity_type: str,
+    entity_id: str,
+    entity_name: str,
+    action: str,
+    performed_by: str,
+    field_changed: str = None,
+    old_value: str = None,
+    new_value: str = None,
+    change_summary: str = None,
+):
+    """Log an entry to the audit trail."""
+    trail = AuditTrailDB(
+        id=generate_id(),
+        entity_type=entity_type,
+        entity_id=entity_id,
+        entity_name=entity_name,
+        action=action,
+        field_changed=field_changed,
+        old_value=old_value,
+        new_value=new_value,
+        change_summary=change_summary,
+        performed_by=performed_by,
+        performed_at=datetime.utcnow(),
+        checksum=create_signature(f"{entity_type}|{entity_id}|{action}|{performed_by}"),
+    )
+    db.add(trail)
--- a/backend-compliance/compliance/api/canonical_control_routes.py
+++ b/backend-compliance/compliance/api/canonical_control_routes.py
--- a/backend-compliance/compliance/api/crosswalk_routes.py
+++ b/backend-compliance/compliance/api/crosswalk_routes.py
@@ -13,6 +13,8 @@ Endpoints:
  GET  /v1/canonical/crosswalk/stats                   — Coverage statistics

  POST /v1/canonical/migrate/decompose                 — Pass 0a: Obligation extraction
+  POST /v1/canonical/migrate/merge-obligations         — Merge implementation-level dupes
+  POST /v1/canonical/migrate/enrich-obligations        — Add trigger_type, impl metadata
  POST /v1/canonical/migrate/compose-atomic            — Pass 0b: Atomic control composition
  POST /v1/canonical/migrate/link-obligations          — Pass 1: Obligation linkage
  POST /v1/canonical/migrate/classify-patterns         — Pass 2: Pattern classification
@@ -157,6 +159,9 @@ class DecompositionStatusResponse(BaseModel):
    rejected: int = 0
    composed: int = 0
    atomic_controls: int = 0
+    merged: int = 0
+    enriched: int = 0
+    ready_for_pass0b: int = 0
    decomposition_pct: float = 0.0
    composition_pct: float = 0.0

@@ -488,6 +493,50 @@ async def migrate_decompose(req: MigrationRequest):
        db.close()


+@router.post("/migrate/merge-obligations", response_model=MigrationResponse)
+async def migrate_merge_obligations():
+    """Merge implementation-level duplicate obligations within each parent.
+
+    Run AFTER Pass 0a, BEFORE Pass 0b. No LLM calls — rule-based.
+    Merges obligations that share similar action+object into the more
+    abstract survivor, marking the concrete duplicate as 'merged'.
+    """
+    from compliance.services.decomposition_pass import DecompositionPass
+
+    db = SessionLocal()
+    try:
+        decomp = DecompositionPass(db=db)
+        stats = decomp.run_merge_pass()
+        return MigrationResponse(status="completed", stats=stats)
+    except Exception as e:
+        logger.error("Merge pass failed: %s", e)
+        raise HTTPException(status_code=500, detail=str(e))
+    finally:
+        db.close()
+
+
+@router.post("/migrate/enrich-obligations", response_model=MigrationResponse)
+async def migrate_enrich_obligations():
+    """Add trigger_type and is_implementation_specific metadata.
+
+    Run AFTER merge pass, BEFORE Pass 0b. No LLM calls — rule-based.
+    Classifies trigger_type (event/periodic/continuous) from obligation text
+    and detects implementation-specific obligations (concrete tools/protocols).
+    """
+    from compliance.services.decomposition_pass import DecompositionPass
+
+    db = SessionLocal()
+    try:
+        decomp = DecompositionPass(db=db)
+        stats = decomp.enrich_obligations()
+        return MigrationResponse(status="completed", stats=stats)
+    except Exception as e:
+        logger.error("Enrich pass failed: %s", e)
+        raise HTTPException(status_code=500, detail=str(e))
+    finally:
+        db.close()
+
+
@router.post("/migrate/compose-atomic", response_model=MigrationResponse)
 async def migrate_compose_atomic(req: MigrationRequest):
    """Pass 0b: Compose atomic controls from obligation candidates.
@@ -715,6 +764,75 @@ async def decomposition_status():
        db.close()


+# =============================================================================
+# BATCH DEDUP ENDPOINTS
+# =============================================================================
+
+
+# Module-level runner reference for status polling
+_batch_dedup_runner = None
+
+
+@router.post("/migrate/batch-dedup", response_model=MigrationResponse)
+async def migrate_batch_dedup(
+    dry_run: bool = Query(False, description="Preview mode — no DB changes"),
+    hint_filter: Optional[str] = Query(None, description="Only process hints matching this prefix"),
+):
+    """Batch dedup: reduce ~85k Pass 0b controls to ~18-25k masters.
+
+    Phase 1: Groups by merge_group_hint, picks best quality master, links rest.
+    Phase 2: Cross-group embedding search for semantically similar masters.
+    """
+    global _batch_dedup_runner
+    from compliance.services.batch_dedup_runner import BatchDedupRunner
+
+    db = SessionLocal()
+    try:
+        runner = BatchDedupRunner(db=db)
+        _batch_dedup_runner = runner
+        stats = await runner.run(dry_run=dry_run, hint_filter=hint_filter)
+        return MigrationResponse(status="completed", stats=stats)
+    except Exception as e:
+        logger.error("Batch dedup failed: %s", e)
+        raise HTTPException(status_code=500, detail=str(e))
+    finally:
+        _batch_dedup_runner = None
+        db.close()
+
+
+@router.get("/migrate/batch-dedup/status")
+async def batch_dedup_status():
+    """Get current batch dedup progress (while running)."""
+    if _batch_dedup_runner is not None:
+        return {"running": True, **_batch_dedup_runner.get_status()}
+
+    # Not running — show DB stats
+    db = SessionLocal()
+    try:
+        row = db.execute(text("""
+            SELECT
+                count(*) FILTER (WHERE decomposition_method = 'pass0b') AS total_pass0b,
+                count(*) FILTER (WHERE decomposition_method = 'pass0b'
+                                   AND release_state = 'duplicate') AS duplicates,
+                count(*) FILTER (WHERE decomposition_method = 'pass0b'
+                                   AND release_state != 'duplicate'
+                                   AND release_state != 'deprecated') AS masters
+            FROM canonical_controls
+        """)).fetchone()
+        review_count = db.execute(text(
+            "SELECT count(*) FROM control_dedup_reviews WHERE review_status = 'pending'"
+        )).fetchone()[0]
+        return {
+            "running": False,
+            "total_pass0b": row[0],
+            "duplicates": row[1],
+            "masters": row[2],
+            "pending_reviews": review_count,
+        }
+    finally:
+        db.close()
+
+
 # =============================================================================
 # HELPERS
 # =============================================================================
--- a/backend-compliance/compliance/api/dashboard_routes.py
+++ b/backend-compliance/compliance/api/dashboard_routes.py
@@ -32,14 +32,21 @@ from ..db import (
    ControlRepository,
    EvidenceRepository,
    RiskRepository,
+    AssertionDB,
 )
 from .schemas import (
    DashboardResponse,
+    MultiDimensionalScore,
    ExecutiveDashboardResponse,
    TrendDataPoint,
    RiskSummary,
    DeadlineItem,
    TeamWorkloadItem,
+    TraceabilityAssertion,
+    TraceabilityEvidence,
+    TraceabilityCoverage,
+    TraceabilityControl,
+    TraceabilityMatrixResponse,
 )
 from .tenant_utils import get_tenant_id as _get_tenant_id
 from .db_utils import row_to_dict as _row_to_dict
@@ -95,6 +102,14 @@ async def get_dashboard(db: Session = Depends(get_db)):
    # or compute from by_status dict
    score = ctrl_stats.get("compliance_score", 0.0)

+    # Multi-dimensional score (Anti-Fake-Evidence)
+    try:
+        ms = ctrl_repo.get_multi_dimensional_score()
+        multi_score = MultiDimensionalScore(**ms)
+    except Exception as e:
+        logger.warning(f"Failed to compute multi-dimensional score: {e}")
+        multi_score = None
+
    return DashboardResponse(
        compliance_score=round(score, 1),
        total_regulations=len(regulations),
@@ -107,6 +122,7 @@ async def get_dashboard(db: Session = Depends(get_db)):
        total_risks=len(risks),
        risks_by_level=risks_by_level,
        recent_activity=[],
+        multi_score=multi_score,
    )


@@ -125,11 +141,18 @@ async def get_compliance_score(db: Session = Depends(get_db)):
    else:
        score = 0

+    # Multi-dimensional score (Anti-Fake-Evidence)
+    try:
+        multi_score = ctrl_repo.get_multi_dimensional_score()
+    except Exception:
+        multi_score = None
+
    return {
        "score": round(score, 1),
        "total_controls": total,
        "passing_controls": passing,
        "partial_controls": partial,
+        "multi_score": multi_score,
    }


@@ -597,6 +620,158 @@ async def get_score_history(
    }


+# ============================================================================
+# Evidence Distribution (Anti-Fake-Evidence Phase 3)
+# ============================================================================
+
+@router.get("/dashboard/evidence-distribution")
+async def get_evidence_distribution(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """Evidence counts by confidence level and four-eyes status."""
+    evidence_repo = EvidenceRepository(db)
+    all_evidence = evidence_repo.get_all()
+
+    by_confidence = {"E0": 0, "E1": 0, "E2": 0, "E3": 0, "E4": 0}
+    four_eyes_pending = 0
+
+    for e in all_evidence:
+        level = e.confidence_level.value if e.confidence_level else "E1"
+        if level in by_confidence:
+            by_confidence[level] += 1
+        if e.requires_four_eyes and e.approval_status not in ("approved", "rejected"):
+            four_eyes_pending += 1
+
+    return {
+        "by_confidence": by_confidence,
+        "four_eyes_pending": four_eyes_pending,
+        "total": len(all_evidence),
+    }
+
+
+# ============================================================================
+# Traceability Matrix (Anti-Fake-Evidence Phase 4a)
+# ============================================================================
+
+@router.get("/dashboard/traceability-matrix", response_model=TraceabilityMatrixResponse)
+async def get_traceability_matrix(
+    db: Session = Depends(get_db),
+    tenant_id: str = Depends(_get_tenant_id),
+):
+    """
+    Full traceability chain: Control → Evidence → Assertions.
+
+    Loads each entity set once, builds in-memory indices, and nests
+    the result so the frontend can render a matrix view.
+    """
+    ctrl_repo = ControlRepository(db)
+    evidence_repo = EvidenceRepository(db)
+
+    # 1. Load all three entity sets
+    controls = ctrl_repo.get_all()
+    all_evidence = evidence_repo.get_all()
+    all_assertions = db.query(AssertionDB).filter(
+        AssertionDB.entity_type == "evidence",
+    ).all()
+
+    # 2. Index assertions by evidence_id (entity_id)
+    assertions_by_evidence: Dict[str, list] = {}
+    for a in all_assertions:
+        assertions_by_evidence.setdefault(a.entity_id, []).append(a)
+
+    # 3. Index evidence by control_id
+    evidence_by_control: Dict[str, list] = {}
+    for e in all_evidence:
+        evidence_by_control.setdefault(str(e.control_id), []).append(e)
+
+    # 4. Build nested response
+    result_controls: list = []
+    total_controls = 0
+    covered_controls = 0
+    fully_verified = 0
+
+    for ctrl in controls:
+        total_controls += 1
+        ctrl_id = str(ctrl.id)
+        ctrl_evidence = evidence_by_control.get(ctrl_id, [])
+
+        nested_evidence: list = []
+        has_evidence = len(ctrl_evidence) > 0
+        has_assertions = False
+        all_verified = True
+        min_conf: Optional[str] = None
+        conf_order = {"E0": 0, "E1": 1, "E2": 2, "E3": 3, "E4": 4}
+
+        for e in ctrl_evidence:
+            ev_id = str(e.id)
+            ev_assertions = assertions_by_evidence.get(ev_id, [])
+
+            nested_assertions = [
+                TraceabilityAssertion(
+                    id=str(a.id),
+                    sentence_text=a.sentence_text,
+                    assertion_type=a.assertion_type or "assertion",
+                    confidence=a.confidence or 0.0,
+                    verified=a.verified_by is not None,
+                )
+                for a in ev_assertions
+            ]
+
+            if nested_assertions:
+                has_assertions = True
+            for na in nested_assertions:
+                if not na.verified:
+                    all_verified = False
+
+            conf = e.confidence_level.value if e.confidence_level else "E1"
+            if min_conf is None or conf_order.get(conf, 1) < conf_order.get(min_conf, 1):
+                min_conf = conf
+
+            nested_evidence.append(TraceabilityEvidence(
+                id=ev_id,
+                title=e.title,
+                evidence_type=e.evidence_type,
+                confidence_level=conf,
+                status=e.status.value if e.status else "valid",
+                assertions=nested_assertions,
+            ))
+
+        if not has_assertions:
+            all_verified = False
+
+        if has_evidence:
+            covered_controls += 1
+        if has_evidence and has_assertions and all_verified:
+            fully_verified += 1
+
+        coverage = TraceabilityCoverage(
+            has_evidence=has_evidence,
+            has_assertions=has_assertions,
+            all_assertions_verified=all_verified,
+            min_confidence_level=min_conf,
+        )
+
+        result_controls.append(TraceabilityControl(
+            id=ctrl_id,
+            control_id=ctrl.control_id,
+            title=ctrl.title,
+            status=ctrl.status.value if ctrl.status else "planned",
+            domain=ctrl.domain.value if ctrl.domain else "unknown",
+            evidence=nested_evidence,
+            coverage=coverage,
+        ))
+
+    summary = {
+        "total_controls": total_controls,
+        "covered_controls": covered_controls,
+        "fully_verified": fully_verified,
+        "uncovered_controls": total_controls - covered_controls,
+    }
+
+    return TraceabilityMatrixResponse(controls=result_controls, summary=summary)
+
+
 # ============================================================================
 # Reports
 # ============================================================================
--- a/backend-compliance/compliance/api/dsfa_routes.py
+++ b/backend-compliance/compliance/api/dsfa_routes.py
@@ -200,6 +200,9 @@ def _get_tenant_id(tenant_id: Optional[str]) -> str:
 def _dsfa_to_response(row) -> dict:
    """Convert a DB row to a JSON-serializable dict."""
    import json
+    # SQLAlchemy 2.0: Row objects need ._mapping for string-key access
+    if hasattr(row, "_mapping"):
+        row = row._mapping

    def _parse_arr(val):
        """Parse a JSONB array field → list."""
@@ -558,8 +561,9 @@ async def create_dsfa(
    ).fetchone()

    db.flush()
+    row_id = row._mapping["id"] if hasattr(row, "_mapping") else row[0]
    _log_audit(
-        db, tid, row["id"], "CREATE", request.created_by,
+        db, tid, row_id, "CREATE", request.created_by,
        new_values={"title": request.title, "status": request.status},
    )
    db.commit()
--- a/backend-compliance/compliance/api/evidence_routes.py
+++ b/backend-compliance/compliance/api/evidence_routes.py
@@ -26,17 +26,102 @@ from ..db import (
    ControlRepository,
    EvidenceRepository,
    EvidenceStatusEnum,
+    EvidenceConfidenceEnum,
+    EvidenceTruthStatusEnum,
 )
-from ..db.models import EvidenceDB, ControlDB
+from ..db.models import EvidenceDB, ControlDB, AuditTrailDB
 from ..services.auto_risk_updater import AutoRiskUpdater
 from .schemas import (
    EvidenceCreate, EvidenceResponse, EvidenceListResponse,
+    EvidenceRejectRequest,
 )
+from .audit_trail_utils import log_audit_trail

 logger = logging.getLogger(__name__)
 router = APIRouter(tags=["compliance-evidence"])


+# ============================================================================
+# Anti-Fake-Evidence: Four-Eyes Domain Check
+# ============================================================================
+
+FOUR_EYES_DOMAINS = {"gov", "priv"}
+
+
+def _requires_four_eyes(control_domain: str) -> bool:
+    """Controls in governance/privacy domains require two independent reviewers."""
+    return control_domain in FOUR_EYES_DOMAINS
+
+
+# ============================================================================
+# Anti-Fake-Evidence: Auto-Classification Helpers
+# ============================================================================
+
+def _classify_confidence(source: Optional[str], evidence_type: Optional[str] = None, artifact_hash: Optional[str] = None) -> EvidenceConfidenceEnum:
+    """Classify evidence confidence level based on source and metadata."""
+    if source == "ci_pipeline":
+        return EvidenceConfidenceEnum.E3
+    if source == "api" and artifact_hash:
+        return EvidenceConfidenceEnum.E3
+    if source == "api":
+        return EvidenceConfidenceEnum.E3
+    if source in ("manual", "upload"):
+        return EvidenceConfidenceEnum.E1
+    if source == "generated":
+        return EvidenceConfidenceEnum.E0
+    # Default for unknown sources
+    return EvidenceConfidenceEnum.E1
+
+
+def _classify_truth_status(source: Optional[str]) -> EvidenceTruthStatusEnum:
+    """Classify evidence truth status based on source."""
+    if source == "ci_pipeline":
+        return EvidenceTruthStatusEnum.OBSERVED
+    if source in ("manual", "upload"):
+        return EvidenceTruthStatusEnum.UPLOADED
+    if source == "generated":
+        return EvidenceTruthStatusEnum.GENERATED
+    if source == "api":
+        return EvidenceTruthStatusEnum.OBSERVED
+    return EvidenceTruthStatusEnum.UPLOADED
+
+
+def _build_evidence_response(e: EvidenceDB) -> EvidenceResponse:
+    """Build an EvidenceResponse from an EvidenceDB, including anti-fake fields."""
+    return EvidenceResponse(
+        id=e.id,
+        control_id=e.control_id,
+        evidence_type=e.evidence_type,
+        title=e.title,
+        description=e.description,
+        artifact_path=e.artifact_path,
+        artifact_url=e.artifact_url,
+        artifact_hash=e.artifact_hash,
+        file_size_bytes=e.file_size_bytes,
+        mime_type=e.mime_type,
+        valid_from=e.valid_from,
+        valid_until=e.valid_until,
+        status=e.status.value if e.status else None,
+        source=e.source,
+        ci_job_id=e.ci_job_id,
+        uploaded_by=e.uploaded_by,
+        collected_at=e.collected_at,
+        created_at=e.created_at,
+        confidence_level=e.confidence_level.value if e.confidence_level else None,
+        truth_status=e.truth_status.value if e.truth_status else None,
+        generation_mode=e.generation_mode,
+        may_be_used_as_evidence=e.may_be_used_as_evidence,
+        reviewed_by=e.reviewed_by,
+        reviewed_at=e.reviewed_at,
+        approval_status=e.approval_status,
+        first_reviewer=e.first_reviewer,
+        first_reviewed_at=e.first_reviewed_at,
+        second_reviewer=e.second_reviewer,
+        second_reviewed_at=e.second_reviewed_at,
+        requires_four_eyes=e.requires_four_eyes,
+    )
+
+
 # ============================================================================
 # Evidence
 # ============================================================================
@@ -80,29 +165,7 @@ async def list_evidence(
        offset = (page - 1) * limit
        evidence = evidence[offset:offset + limit]

-    results = [
-        EvidenceResponse(
-            id=e.id,
-            control_id=e.control_id,
-            evidence_type=e.evidence_type,
-            title=e.title,
-            description=e.description,
-            artifact_path=e.artifact_path,
-            artifact_url=e.artifact_url,
-            artifact_hash=e.artifact_hash,
-            file_size_bytes=e.file_size_bytes,
-            mime_type=e.mime_type,
-            valid_from=e.valid_from,
-            valid_until=e.valid_until,
-            status=e.status.value if e.status else None,
-            source=e.source,
-            ci_job_id=e.ci_job_id,
-            uploaded_by=e.uploaded_by,
-            collected_at=e.collected_at,
-            created_at=e.created_at,
-        )
-        for e in evidence
-    ]
+    results = [_build_evidence_response(e) for e in evidence]

    return EvidenceListResponse(evidence=results, total=total)

@@ -121,6 +184,22 @@ async def create_evidence(
    if not control:
        raise HTTPException(status_code=404, detail=f"Control {evidence_data.control_id} not found")

+    source = evidence_data.source or "api"
+    confidence = _classify_confidence(source, evidence_data.evidence_type)
+    truth = _classify_truth_status(source)
+
+    # Allow explicit override from request
+    if evidence_data.confidence_level:
+        try:
+            confidence = EvidenceConfidenceEnum(evidence_data.confidence_level)
+        except ValueError:
+            pass
+    if evidence_data.truth_status:
+        try:
+            truth = EvidenceTruthStatusEnum(evidence_data.truth_status)
+        except ValueError:
+            pass
+
    evidence = repo.create(
        control_id=control.id,
        evidence_type=evidence_data.evidence_type,
@@ -129,31 +208,34 @@ async def create_evidence(
        artifact_url=evidence_data.artifact_url,
        valid_from=evidence_data.valid_from,
        valid_until=evidence_data.valid_until,
-        source=evidence_data.source or "api",
+        source=source,
        ci_job_id=evidence_data.ci_job_id,
    )
+
+    # Set anti-fake-evidence fields
+    evidence.confidence_level = confidence
+    evidence.truth_status = truth
+    # Generated evidence should not be used as evidence by default
+    if truth == EvidenceTruthStatusEnum.GENERATED:
+        evidence.may_be_used_as_evidence = False
+
+    # Four-Eyes: check if the linked control's domain requires it
+    control_domain = control.domain.value if control.domain else ""
+    if _requires_four_eyes(control_domain):
+        evidence.requires_four_eyes = True
+        evidence.approval_status = "pending_first"
+
+    db.commit()
+
+    # Audit trail
+    log_audit_trail(
+        db, "evidence", evidence.id, evidence.title, "create",
+        performed_by=evidence_data.source or "api",
+        change_summary=f"Evidence created with confidence={confidence.value}, truth={truth.value}",
+    )
    db.commit()

-    return EvidenceResponse(
-        id=evidence.id,
-        control_id=evidence.control_id,
-        evidence_type=evidence.evidence_type,
-        title=evidence.title,
-        description=evidence.description,
-        artifact_path=evidence.artifact_path,
-        artifact_url=evidence.artifact_url,
-        artifact_hash=evidence.artifact_hash,
-        file_size_bytes=evidence.file_size_bytes,
-        mime_type=evidence.mime_type,
-        valid_from=evidence.valid_from,
-        valid_until=evidence.valid_until,
-        status=evidence.status.value if evidence.status else None,
-        source=evidence.source,
-        ci_job_id=evidence.ci_job_id,
-        uploaded_by=evidence.uploaded_by,
-        collected_at=evidence.collected_at,
-        created_at=evidence.created_at,
-    )
+    return _build_evidence_response(evidence)


@router.delete("/evidence/{evidence_id}")
@@ -223,28 +305,20 @@ async def upload_evidence(
        mime_type=file.content_type,
        source="upload",
    )
+
+    # Upload evidence → E1 + uploaded
+    evidence.confidence_level = EvidenceConfidenceEnum.E1
+    evidence.truth_status = EvidenceTruthStatusEnum.UPLOADED
+
+    # Four-Eyes: check if the linked control's domain requires it
+    control_domain = control.domain.value if control.domain else ""
+    if _requires_four_eyes(control_domain):
+        evidence.requires_four_eyes = True
+        evidence.approval_status = "pending_first"
+
    db.commit()

-    return EvidenceResponse(
-        id=evidence.id,
-        control_id=evidence.control_id,
-        evidence_type=evidence.evidence_type,
-        title=evidence.title,
-        description=evidence.description,
-        artifact_path=evidence.artifact_path,
-        artifact_url=evidence.artifact_url,
-        artifact_hash=evidence.artifact_hash,
-        file_size_bytes=evidence.file_size_bytes,
-        mime_type=evidence.mime_type,
-        valid_from=evidence.valid_from,
-        valid_until=evidence.valid_until,
-        status=evidence.status.value if evidence.status else None,
-        source=evidence.source,
-        ci_job_id=evidence.ci_job_id,
-        uploaded_by=evidence.uploaded_by,
-        collected_at=evidence.collected_at,
-        created_at=evidence.created_at,
-    )
+    return _build_evidence_response(evidence)


 # ============================================================================
@@ -357,7 +431,7 @@ def _store_evidence(
    with open(file_path, "w") as f:
        json.dump(report_data or {}, f, indent=2)

-    # Create evidence record
+    # Create evidence record with anti-fake-evidence classification
    evidence = EvidenceDB(
        id=str(uuid_module.uuid4()),
        control_id=control_db_id,
@@ -373,6 +447,10 @@ def _store_evidence(
        valid_from=datetime.utcnow(),
        valid_until=datetime.utcnow() + timedelta(days=90),
        status=EvidenceStatusEnum(parsed["evidence_status"]),
+        # CI pipeline evidence → E3 observed (system-observed, hash-verified)
+        confidence_level=EvidenceConfidenceEnum.E3,
+        truth_status=EvidenceTruthStatusEnum.OBSERVED,
+        may_be_used_as_evidence=True,
    )
    db.add(evidence)
    db.commit()
@@ -639,3 +717,169 @@ async def get_ci_evidence_status(
        "total_evidence": len(evidence_list),
        "controls": result,
    }
+
+
+# ============================================================================
+# Evidence Review (Anti-Fake-Evidence)
+# ============================================================================
+
+from pydantic import BaseModel as _BaseModel
+
+class _EvidenceReviewRequest(_BaseModel):
+    confidence_level: Optional[str] = None
+    truth_status: Optional[str] = None
+    reviewed_by: str
+
+
+@router.patch("/evidence/{evidence_id}/review", response_model=EvidenceResponse)
+async def review_evidence(
+    evidence_id: str,
+    review: _EvidenceReviewRequest,
+    db: Session = Depends(get_db),
+):
+    """
+    Review evidence: upgrade confidence level and/or change truth status.
+
+    For Four-Eyes evidence, the first reviewer sets first_reviewer and
+    approval_status='first_approved'. A second (different) reviewer then
+    sets second_reviewer and approval_status='approved'.
+    """
+    evidence = db.query(EvidenceDB).filter(EvidenceDB.id == evidence_id).first()
+    if not evidence:
+        raise HTTPException(status_code=404, detail=f"Evidence {evidence_id} not found")
+
+    old_confidence = evidence.confidence_level.value if evidence.confidence_level else None
+    old_truth = evidence.truth_status.value if evidence.truth_status else None
+
+    if review.confidence_level:
+        try:
+            evidence.confidence_level = EvidenceConfidenceEnum(review.confidence_level)
+        except ValueError:
+            raise HTTPException(status_code=400, detail=f"Invalid confidence_level: {review.confidence_level}")
+
+    if review.truth_status:
+        try:
+            evidence.truth_status = EvidenceTruthStatusEnum(review.truth_status)
+        except ValueError:
+            raise HTTPException(status_code=400, detail=f"Invalid truth_status: {review.truth_status}")
+
+    # Four-Eyes branching
+    if evidence.requires_four_eyes:
+        status = evidence.approval_status or "none"
+        if status in ("none", "pending_first"):
+            evidence.first_reviewer = review.reviewed_by
+            evidence.first_reviewed_at = datetime.utcnow()
+            evidence.approval_status = "first_approved"
+        elif status == "first_approved":
+            if review.reviewed_by == evidence.first_reviewer:
+                raise HTTPException(
+                    status_code=400,
+                    detail="Four-Eyes: second reviewer must be different from first reviewer",
+                )
+            evidence.second_reviewer = review.reviewed_by
+            evidence.second_reviewed_at = datetime.utcnow()
+            evidence.approval_status = "approved"
+        elif status == "approved":
+            raise HTTPException(status_code=400, detail="Evidence already approved")
+        elif status == "rejected":
+            raise HTTPException(status_code=400, detail="Evidence was rejected — create new evidence instead")
+
+    evidence.reviewed_by = review.reviewed_by
+    evidence.reviewed_at = datetime.utcnow()
+    db.commit()
+
+    # Audit trail
+    new_confidence = evidence.confidence_level.value if evidence.confidence_level else None
+    if old_confidence != new_confidence:
+        log_audit_trail(
+            db, "evidence", evidence_id, evidence.title, "review",
+            performed_by=review.reviewed_by,
+            field_changed="confidence_level",
+            old_value=old_confidence,
+            new_value=new_confidence,
+        )
+    new_truth = evidence.truth_status.value if evidence.truth_status else None
+    if old_truth != new_truth:
+        log_audit_trail(
+            db, "evidence", evidence_id, evidence.title, "review",
+            performed_by=review.reviewed_by,
+            field_changed="truth_status",
+            old_value=old_truth,
+            new_value=new_truth,
+        )
+    db.commit()
+
+    db.refresh(evidence)
+    return _build_evidence_response(evidence)
+
+
+@router.patch("/evidence/{evidence_id}/reject", response_model=EvidenceResponse)
+async def reject_evidence(
+    evidence_id: str,
+    body: EvidenceRejectRequest,
+    db: Session = Depends(get_db),
+):
+    """Reject evidence (sets approval_status='rejected')."""
+    evidence = db.query(EvidenceDB).filter(EvidenceDB.id == evidence_id).first()
+    if not evidence:
+        raise HTTPException(status_code=404, detail=f"Evidence {evidence_id} not found")
+
+    evidence.approval_status = "rejected"
+    evidence.reviewed_by = body.reviewed_by
+    evidence.reviewed_at = datetime.utcnow()
+    db.commit()
+
+    log_audit_trail(
+        db, "evidence", evidence_id, evidence.title, "reject",
+        performed_by=body.reviewed_by,
+        change_summary=body.rejection_reason or "Evidence rejected",
+    )
+    db.commit()
+
+    db.refresh(evidence)
+    return _build_evidence_response(evidence)
+
+
+# ============================================================================
+# Audit Trail Query
+# ============================================================================
+
+@router.get("/audit-trail")
+async def get_audit_trail(
+    entity_type: Optional[str] = Query(None),
+    entity_id: Optional[str] = Query(None),
+    action: Optional[str] = Query(None),
+    limit: int = Query(50, ge=1, le=200),
+    db: Session = Depends(get_db),
+):
+    """Query audit trail entries for an entity."""
+    query = db.query(AuditTrailDB)
+    if entity_type:
+        query = query.filter(AuditTrailDB.entity_type == entity_type)
+    if entity_id:
+        query = query.filter(AuditTrailDB.entity_id == entity_id)
+    if action:
+        query = query.filter(AuditTrailDB.action == action)
+
+    records = query.order_by(AuditTrailDB.performed_at.desc()).limit(limit).all()
+
+    return {
+        "entries": [
+            {
+                "id": r.id,
+                "entity_type": r.entity_type,
+                "entity_id": r.entity_id,
+                "entity_name": r.entity_name,
+                "action": r.action,
+                "field_changed": r.field_changed,
+                "old_value": r.old_value,
+                "new_value": r.new_value,
+                "change_summary": r.change_summary,
+                "performed_by": r.performed_by,
+                "performed_at": r.performed_at.isoformat() if r.performed_at else None,
+                "checksum": r.checksum,
+            }
+            for r in records
+        ],
+        "total": len(records),
+    }
--- a/backend-compliance/compliance/api/isms_routes.py
+++ b/backend-compliance/compliance/api/isms_routes.py
@@ -73,39 +73,8 @@ def generate_id() -> str:
    return str(uuid.uuid4())


-def create_signature(data: str) -> str:
-    """Create SHA-256 signature."""
-    return hashlib.sha256(data.encode()).hexdigest()
-
-
-def log_audit_trail(
-    db: Session,
-    entity_type: str,
-    entity_id: str,
-    entity_name: str,
-    action: str,
-    performed_by: str,
-    field_changed: str = None,
-    old_value: str = None,
-    new_value: str = None,
-    change_summary: str = None
-):
-    """Log an entry to the audit trail."""
-    trail = AuditTrailDB(
-        id=generate_id(),
-        entity_type=entity_type,
-        entity_id=entity_id,
-        entity_name=entity_name,
-        action=action,
-        field_changed=field_changed,
-        old_value=old_value,
-        new_value=new_value,
-        change_summary=change_summary,
-        performed_by=performed_by,
-        performed_at=datetime.utcnow(),
-        checksum=create_signature(f"{entity_type}|{entity_id}|{action}|{performed_by}")
-    )
-    db.add(trail)
+# Shared audit trail utilities — canonical implementation in audit_trail_utils.py
+from .audit_trail_utils import log_audit_trail, create_signature  # noqa: E402


 # =============================================================================
--- a/backend-compliance/compliance/api/llm_audit_routes.py
+++ b/backend-compliance/compliance/api/llm_audit_routes.py
@@ -0,0 +1,162 @@
+"""
+FastAPI routes for LLM Generation Audit Trail.
+
+Endpoints:
+- POST /llm-audit: Record an LLM generation event
+- GET  /llm-audit: List audit records with filters
+"""
+
+import logging
+import uuid as uuid_module
+from datetime import datetime
+from typing import Optional
+
+from fastapi import APIRouter, Depends, Query
+from pydantic import BaseModel
+from sqlalchemy.orm import Session
+
+from classroom_engine.database import get_db
+from ..db.models import LLMGenerationAuditDB
+
+logger = logging.getLogger(__name__)
+router = APIRouter(tags=["compliance-llm-audit"])
+
+
+# ============================================================================
+# Schemas
+# ============================================================================
+
+class LLMAuditCreate(BaseModel):
+    entity_type: str
+    entity_id: Optional[str] = None
+    generation_mode: str
+    truth_status: str = "generated"
+    may_be_used_as_evidence: bool = False
+    llm_model: Optional[str] = None
+    llm_provider: Optional[str] = None
+    prompt_hash: Optional[str] = None
+    input_summary: Optional[str] = None
+    output_summary: Optional[str] = None
+    metadata: Optional[dict] = None
+    tenant_id: Optional[str] = None
+
+
+class LLMAuditResponse(BaseModel):
+    id: str
+    tenant_id: Optional[str] = None
+    entity_type: str
+    entity_id: Optional[str] = None
+    generation_mode: str
+    truth_status: str
+    may_be_used_as_evidence: bool
+    llm_model: Optional[str] = None
+    llm_provider: Optional[str] = None
+    prompt_hash: Optional[str] = None
+    input_summary: Optional[str] = None
+    output_summary: Optional[str] = None
+    metadata: Optional[dict] = None
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
+
+
+# ============================================================================
+# Routes
+# ============================================================================
+
+@router.post("/llm-audit", response_model=LLMAuditResponse)
+async def create_llm_audit(
+    data: LLMAuditCreate,
+    db: Session = Depends(get_db),
+):
+    """Record an LLM generation event for audit trail."""
+    from ..db.models import EvidenceTruthStatusEnum
+
+    # Validate truth_status
+    try:
+        truth_enum = EvidenceTruthStatusEnum(data.truth_status)
+    except ValueError:
+        truth_enum = EvidenceTruthStatusEnum.GENERATED
+
+    record = LLMGenerationAuditDB(
+        id=str(uuid_module.uuid4()),
+        tenant_id=data.tenant_id,
+        entity_type=data.entity_type,
+        entity_id=data.entity_id,
+        generation_mode=data.generation_mode,
+        truth_status=truth_enum,
+        may_be_used_as_evidence=data.may_be_used_as_evidence,
+        llm_model=data.llm_model,
+        llm_provider=data.llm_provider,
+        prompt_hash=data.prompt_hash,
+        input_summary=data.input_summary[:500] if data.input_summary else None,
+        output_summary=data.output_summary[:500] if data.output_summary else None,
+        extra_metadata=data.metadata or {},
+    )
+    db.add(record)
+    db.commit()
+    db.refresh(record)
+
+    return LLMAuditResponse(
+        id=record.id,
+        tenant_id=record.tenant_id,
+        entity_type=record.entity_type,
+        entity_id=record.entity_id,
+        generation_mode=record.generation_mode,
+        truth_status=record.truth_status.value if record.truth_status else "generated",
+        may_be_used_as_evidence=record.may_be_used_as_evidence,
+        llm_model=record.llm_model,
+        llm_provider=record.llm_provider,
+        prompt_hash=record.prompt_hash,
+        input_summary=record.input_summary,
+        output_summary=record.output_summary,
+        metadata=record.extra_metadata,
+        created_at=record.created_at,
+    )
+
+
+@router.get("/llm-audit")
+async def list_llm_audit(
+    entity_type: Optional[str] = Query(None),
+    entity_id: Optional[str] = Query(None),
+    page: int = Query(1, ge=1),
+    limit: int = Query(50, ge=1, le=200),
+    db: Session = Depends(get_db),
+):
+    """List LLM generation audit records with optional filters."""
+    query = db.query(LLMGenerationAuditDB)
+
+    if entity_type:
+        query = query.filter(LLMGenerationAuditDB.entity_type == entity_type)
+    if entity_id:
+        query = query.filter(LLMGenerationAuditDB.entity_id == entity_id)
+
+    total = query.count()
+    offset = (page - 1) * limit
+    records = query.order_by(LLMGenerationAuditDB.created_at.desc()).offset(offset).limit(limit).all()
+
+    return {
+        "records": [
+            LLMAuditResponse(
+                id=r.id,
+                tenant_id=r.tenant_id,
+                entity_type=r.entity_type,
+                entity_id=r.entity_id,
+                generation_mode=r.generation_mode,
+                truth_status=r.truth_status.value if r.truth_status else "generated",
+                may_be_used_as_evidence=r.may_be_used_as_evidence,
+                llm_model=r.llm_model,
+                llm_provider=r.llm_provider,
+                prompt_hash=r.prompt_hash,
+                input_summary=r.input_summary,
+                output_summary=r.output_summary,
+                metadata=r.extra_metadata,
+                created_at=r.created_at,
+            )
+            for r in records
+        ],
+        "total": total,
+        "page": page,
+        "limit": limit,
+    }
--- a/backend-compliance/compliance/api/routes.py
+++ b/backend-compliance/compliance/api/routes.py
@@ -25,6 +25,7 @@ from sqlalchemy.orm import Session

 from classroom_engine.database import get_db

+from .audit_trail_utils import log_audit_trail
 from ..db import (
    RegulationRepository,
    RequirementRepository,
@@ -595,6 +596,7 @@ async def get_control(control_id: str, db: Session = Depends(get_db)):
        review_frequency_days=control.review_frequency_days,
        status=control.status.value if control.status else None,
        status_notes=control.status_notes,
+        status_justification=control.status_justification,
        last_reviewed_at=control.last_reviewed_at,
        next_review_at=control.next_review_at,
        created_at=control.created_at,
@@ -617,16 +619,52 @@ async def update_control(

    update_data = update.model_dump(exclude_unset=True)

-    # Convert status string to enum
+    # Convert status string to enum and validate transition
    if "status" in update_data:
        try:
-            update_data["status"] = ControlStatusEnum(update_data["status"])
+            new_status_enum = ControlStatusEnum(update_data["status"])
        except ValueError:
            raise HTTPException(status_code=400, detail=f"Invalid status: {update_data['status']}")

+        # Validate status transition (Anti-Fake-Evidence)
+        from ..services.control_status_machine import validate_transition
+        current_status = control.status.value if control.status else "planned"
+        evidence_list = db.query(EvidenceDB).filter(EvidenceDB.control_id == control.id).all()
+        allowed, violations = validate_transition(
+            current_status=current_status,
+            new_status=update_data["status"],
+            evidence_list=evidence_list,
+            status_justification=update_data.get("status_justification") or update_data.get("status_notes"),
+        )
+        if not allowed:
+            raise HTTPException(
+                status_code=409,
+                detail={
+                    "error": "Status transition not allowed",
+                    "current_status": current_status,
+                    "requested_status": update_data["status"],
+                    "violations": violations,
+                }
+            )
+
+        update_data["status"] = new_status_enum
+
    updated = repo.update(control.id, **update_data)
    db.commit()

+    # Audit trail for status changes
+    new_status = updated.status.value if updated.status else None
+    if "status" in update.model_dump(exclude_unset=True) and current_status != new_status:
+        log_audit_trail(
+            db, "control", control.id, updated.control_id or updated.title,
+            "status_change",
+            performed_by=update.owner or "system",
+            field_changed="status",
+            old_value=current_status,
+            new_value=new_status,
+        )
+        db.commit()
+
    return ControlResponse(
        id=updated.id,
        control_id=updated.control_id,
@@ -645,6 +683,7 @@ async def update_control(
        review_frequency_days=updated.review_frequency_days,
        status=updated.status.value if updated.status else None,
        status_notes=updated.status_notes,
+        status_justification=updated.status_justification,
        last_reviewed_at=updated.last_reviewed_at,
        next_review_at=updated.next_review_at,
        created_at=updated.created_at,
@@ -690,6 +729,7 @@ async def review_control(
        review_frequency_days=updated.review_frequency_days,
        status=updated.status.value if updated.status else None,
        status_notes=updated.status_notes,
+        status_justification=updated.status_justification,
        last_reviewed_at=updated.last_reviewed_at,
        next_review_at=updated.next_review_at,
        created_at=updated.created_at,
--- a/backend-compliance/compliance/api/schemas.py
+++ b/backend-compliance/compliance/api/schemas.py
@@ -43,6 +43,7 @@ class ControlStatus(str):
    FAIL = "fail"
    NOT_APPLICABLE = "n/a"
    PLANNED = "planned"
+    IN_PROGRESS = "in_progress"


 class RiskLevel(str):
@@ -209,12 +210,14 @@ class ControlUpdate(BaseModel):
    owner: Optional[str] = None
    status: Optional[str] = None
    status_notes: Optional[str] = None
+    status_justification: Optional[str] = None


 class ControlResponse(ControlBase):
    id: str
    status: str
    status_notes: Optional[str] = None
+    status_justification: Optional[str] = None
    last_reviewed_at: Optional[datetime] = None
    next_review_at: Optional[datetime] = None
    created_at: datetime
@@ -291,7 +294,8 @@ class EvidenceBase(BaseModel):


 class EvidenceCreate(EvidenceBase):
-    pass
+    confidence_level: Optional[str] = None
+    truth_status: Optional[str] = None


 class EvidenceResponse(EvidenceBase):
@@ -304,6 +308,20 @@ class EvidenceResponse(EvidenceBase):
    uploaded_by: Optional[str] = None
    collected_at: datetime
    created_at: datetime
+    # Anti-Fake-Evidence fields
+    confidence_level: Optional[str] = None
+    truth_status: Optional[str] = None
+    generation_mode: Optional[str] = None
+    may_be_used_as_evidence: Optional[bool] = None
+    reviewed_by: Optional[str] = None
+    reviewed_at: Optional[datetime] = None
+    # Anti-Fake-Evidence Phase 2: Four-Eyes
+    approval_status: Optional[str] = None
+    first_reviewer: Optional[str] = None
+    first_reviewed_at: Optional[datetime] = None
+    second_reviewer: Optional[str] = None
+    second_reviewed_at: Optional[datetime] = None
+    requires_four_eyes: Optional[bool] = None

    class Config:
        from_attributes = True
@@ -435,6 +453,25 @@ class AISystemListResponse(BaseModel):
 # Dashboard & Export Schemas
 # ============================================================================

+class MultiDimensionalScore(BaseModel):
+    """Multi-dimensional compliance score (Anti-Fake-Evidence)."""
+    requirement_coverage: float = 0.0       # % requirements with linked control
+    evidence_strength: float = 0.0          # Weighted avg of evidence confidence (E0=0..E4=1)
+    validation_quality: float = 0.0         # % evidence with truth_status >= validated_internal
+    evidence_freshness: float = 0.0         # % evidence not expired + reviewed < 90 days
+    control_effectiveness: float = 0.0      # Existing formula (pass + partial*0.5)
+    overall_readiness: float = 0.0          # Weighted composite
+    hard_blocks: List[str] = []             # Blocking issues preventing audit-readiness
+
+
+class StatusTransitionError(BaseModel):
+    """Error detail for forbidden control status transitions."""
+    allowed: bool = False
+    current_status: str
+    requested_status: str
+    violations: List[str] = []
+
+
 class DashboardResponse(BaseModel):
    compliance_score: float
    total_regulations: int
@@ -447,6 +484,7 @@ class DashboardResponse(BaseModel):
    total_risks: int
    risks_by_level: Dict[str, int]
    recent_activity: List[Dict[str, Any]]
+    multi_score: Optional[MultiDimensionalScore] = None


 class ExportRequest(BaseModel):
@@ -1939,3 +1977,111 @@ class TOMStatsResponse(BaseModel):
    implemented: int = 0
    partial: int = 0
    not_implemented: int = 0
+
+
+# ============================================================================
+# Assertion Schemas (Anti-Fake-Evidence Phase 2)
+# ============================================================================
+
+class AssertionCreate(BaseModel):
+    entity_type: str
+    entity_id: str
+    sentence_text: str
+    assertion_type: Optional[str] = "assertion"
+    evidence_ids: Optional[List[str]] = []
+    normative_tier: Optional[str] = None
+
+
+class AssertionUpdate(BaseModel):
+    sentence_text: Optional[str] = None
+    assertion_type: Optional[str] = None
+    evidence_ids: Optional[List[str]] = None
+    normative_tier: Optional[str] = None
+    confidence: Optional[float] = None
+
+
+class AssertionResponse(BaseModel):
+    id: str
+    tenant_id: Optional[str] = None
+    entity_type: str
+    entity_id: str
+    sentence_text: str
+    sentence_index: int = 0
+    assertion_type: str = "assertion"
+    evidence_ids: Optional[List[str]] = []
+    confidence: float = 0.0
+    normative_tier: Optional[str] = None
+    verified_by: Optional[str] = None
+    verified_at: Optional[datetime] = None
+    created_at: Optional[datetime] = None
+    updated_at: Optional[datetime] = None
+
+    class Config:
+        from_attributes = True
+
+
+class AssertionListResponse(BaseModel):
+    assertions: List[AssertionResponse]
+    total: int
+
+
+class AssertionSummaryResponse(BaseModel):
+    total_assertions: int = 0
+    total_facts: int = 0
+    total_rationale: int = 0
+    unverified_count: int = 0
+
+
+class AssertionExtractRequest(BaseModel):
+    entity_type: str
+    entity_id: str
+    text: str
+
+
+class EvidenceRejectRequest(BaseModel):
+    reviewed_by: str
+    rejection_reason: Optional[str] = None
+
+
+# ============================================================================
+# Traceability Matrix (Anti-Fake-Evidence Phase 4a)
+# ============================================================================
+
+class TraceabilityAssertion(BaseModel):
+    """Single assertion linked to an evidence item."""
+    id: str
+    sentence_text: str
+    assertion_type: str = "assertion"
+    confidence: float = 0.0
+    verified: bool = False
+
+class TraceabilityEvidence(BaseModel):
+    """Evidence item with nested assertions."""
+    id: str
+    title: str
+    evidence_type: str
+    confidence_level: str = "E1"
+    status: str = "valid"
+    assertions: List[TraceabilityAssertion] = []
+
+class TraceabilityCoverage(BaseModel):
+    """Coverage flags for a single control."""
+    has_evidence: bool = False
+    has_assertions: bool = False
+    all_assertions_verified: bool = False
+    min_confidence_level: Optional[str] = None
+
+class TraceabilityControl(BaseModel):
+    """Control with nested evidence and coverage info."""
+    id: str
+    control_id: str
+    title: str
+    status: str = "planned"
+    domain: str = "unknown"
+    evidence: List[TraceabilityEvidence] = []
+    coverage: TraceabilityCoverage = TraceabilityCoverage()
+
+class TraceabilityMatrixResponse(BaseModel):
+    """Full traceability matrix: Controls → Evidence → Assertions."""
+    controls: List[TraceabilityControl]
+    summary: Dict[str, int]
--- a/backend-compliance/compliance/data/frameworks/init.py
+++ b/backend-compliance/compliance/data/frameworks/init.py
--- a/backend-compliance/compliance/data/frameworks/csa_ccm.json
+++ b/backend-compliance/compliance/data/frameworks/csa_ccm.json
@@ -0,0 +1,443 @@
+{
+  "framework_id": "CSA_CCM",
+  "display_name": "Cloud Security Alliance CCM v4",
+  "license": {
+    "type": "restricted",
+    "rag_allowed": false,
+    "use_as_metadata": true,
+    "note": "Abstrahierte Struktur — keine Originaltexte uebernommen"
+  },
+  "domains": [
+    {
+      "domain_id": "AIS",
+      "title": "Application and Interface Security",
+      "aliases": ["ais", "application and interface security", "anwendungssicherheit", "schnittstellensicherheit"],
+      "keywords": ["application", "anwendung", "interface", "schnittstelle", "api", "web", "eingabevalidierung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "AIS-01",
+          "title": "Application Security Policy",
+          "statement": "Sicherheitsrichtlinien fuer Anwendungsentwicklung und Schnittstellenmanagement muessen definiert und angewendet werden.",
+          "keywords": ["policy", "richtlinie", "entwicklung"],
+          "action_hint": "document",
+          "object_hint": "Anwendungssicherheitsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "AIS-02",
+          "title": "Application Security Design",
+          "statement": "Sicherheitsanforderungen muessen in den Entwurf jeder Anwendung integriert werden.",
+          "keywords": ["design", "entwurf", "security by design"],
+          "action_hint": "implement",
+          "object_hint": "Sicherheitsanforderungen im Anwendungsentwurf",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "AIS-03",
+          "title": "Application Security Testing",
+          "statement": "Anwendungen muessen vor dem Deployment und regelmaessig auf Sicherheitsschwachstellen getestet werden.",
+          "keywords": ["testing", "test", "sast", "dast", "penetration"],
+          "action_hint": "test",
+          "object_hint": "Anwendungssicherheitstests",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "AIS-04",
+          "title": "Secure Development Practices",
+          "statement": "Sichere Entwicklungspraktiken (Code Review, Pair Programming, SAST) muessen fuer alle Entwicklungsprojekte gelten.",
+          "keywords": ["development", "entwicklung", "code review", "sast", "praktiken"],
+          "action_hint": "implement",
+          "object_hint": "Sichere Entwicklungspraktiken",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "AIS-05",
+          "title": "API Security",
+          "statement": "APIs muessen authentifiziert, autorisiert und gegen Missbrauch geschuetzt werden.",
+          "keywords": ["api", "schnittstelle", "authentifizierung", "rate limiting"],
+          "action_hint": "implement",
+          "object_hint": "API-Sicherheitskontrollen",
+          "object_class": "interface"
+        },
+        {
+          "subcontrol_id": "AIS-06",
+          "title": "Automated Application Security Testing",
+          "statement": "Automatisierte Sicherheitstests muessen in die CI/CD-Pipeline integriert werden.",
+          "keywords": ["automatisiert", "ci/cd", "pipeline", "sast", "dast"],
+          "action_hint": "configure",
+          "object_hint": "Automatisierte Sicherheitstests in CI/CD",
+          "object_class": "configuration"
+        }
+      ]
+    },
+    {
+      "domain_id": "BCR",
+      "title": "Business Continuity and Resilience",
+      "aliases": ["bcr", "business continuity", "resilience", "geschaeftskontinuitaet", "resilienz"],
+      "keywords": ["continuity", "kontinuitaet", "resilience", "resilienz", "disaster", "recovery", "backup"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "BCR-01",
+          "title": "Business Continuity Planning",
+          "statement": "Ein Geschaeftskontinuitaetsplan muss erstellt, dokumentiert und regelmaessig getestet werden.",
+          "keywords": ["plan", "kontinuitaet", "geschaeft"],
+          "action_hint": "document",
+          "object_hint": "Geschaeftskontinuitaetsplan",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "BCR-02",
+          "title": "Risk Assessment for BCM",
+          "statement": "Risikobewertungen muessen fuer geschaeftskritische Prozesse durchgefuehrt werden.",
+          "keywords": ["risiko", "bewertung", "kritisch"],
+          "action_hint": "assess",
+          "object_hint": "BCM-Risikobewertung",
+          "object_class": "risk_artifact"
+        },
+        {
+          "subcontrol_id": "BCR-03",
+          "title": "Backup and Recovery",
+          "statement": "Datensicherungen muessen regelmaessig erstellt und Wiederherstellungstests durchgefuehrt werden.",
+          "keywords": ["backup", "sicherung", "wiederherstellung", "recovery"],
+          "action_hint": "maintain",
+          "object_hint": "Datensicherung und Wiederherstellung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "BCR-04",
+          "title": "Disaster Recovery Planning",
+          "statement": "Ein Disaster-Recovery-Plan muss dokumentiert und jaehrlich getestet werden.",
+          "keywords": ["disaster", "recovery", "katastrophe"],
+          "action_hint": "document",
+          "object_hint": "Disaster-Recovery-Plan",
+          "object_class": "policy"
+        }
+      ]
+    },
+    {
+      "domain_id": "CCC",
+      "title": "Change Control and Configuration Management",
+      "aliases": ["ccc", "change control", "configuration management", "aenderungsmanagement", "konfigurationsmanagement"],
+      "keywords": ["change", "aenderung", "konfiguration", "configuration", "release", "deployment"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "CCC-01",
+          "title": "Change Management Policy",
+          "statement": "Ein Aenderungsmanagement-Prozess muss definiert und fuer alle Aenderungen angewendet werden.",
+          "keywords": ["policy", "richtlinie", "aenderung"],
+          "action_hint": "document",
+          "object_hint": "Aenderungsmanagement-Richtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "CCC-02",
+          "title": "Change Testing",
+          "statement": "Aenderungen muessen vor der Produktivsetzung getestet und genehmigt werden.",
+          "keywords": ["test", "genehmigung", "approval"],
+          "action_hint": "test",
+          "object_hint": "Aenderungstests",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "CCC-03",
+          "title": "Configuration Baseline",
+          "statement": "Basiskonfigurationen fuer alle Systeme muessen definiert und dokumentiert werden.",
+          "keywords": ["baseline", "basis", "standard"],
+          "action_hint": "define",
+          "object_hint": "Konfigurationsbaseline",
+          "object_class": "configuration"
+        }
+      ]
+    },
+    {
+      "domain_id": "CEK",
+      "title": "Cryptography, Encryption and Key Management",
+      "aliases": ["cek", "cryptography", "encryption", "key management", "kryptographie", "verschluesselung", "schluesselverwaltung"],
+      "keywords": ["kryptographie", "verschluesselung", "schluessel", "key", "encryption", "certificate", "zertifikat"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "CEK-01",
+          "title": "Encryption Policy",
+          "statement": "Verschluesselungsrichtlinien muessen definiert werden, die Algorithmen, Schluessellaengen und Einsatzbereiche festlegen.",
+          "keywords": ["policy", "richtlinie", "algorithmus"],
+          "action_hint": "document",
+          "object_hint": "Verschluesselungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "CEK-02",
+          "title": "Key Management",
+          "statement": "Kryptographische Schluessel muessen ueber ihren Lebenszyklus sicher verwaltet werden.",
+          "keywords": ["key", "schluessel", "management", "lebenszyklus"],
+          "action_hint": "maintain",
+          "object_hint": "Schluesselverwaltung",
+          "object_class": "cryptographic_control"
+        },
+        {
+          "subcontrol_id": "CEK-03",
+          "title": "Data Encryption",
+          "statement": "Sensible Daten muessen bei Speicherung und Uebertragung verschluesselt werden.",
+          "keywords": ["data", "daten", "speicherung", "uebertragung"],
+          "action_hint": "encrypt",
+          "object_hint": "Datenverschluesselung",
+          "object_class": "cryptographic_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "DSP",
+      "title": "Data Security and Privacy",
+      "aliases": ["dsp", "data security", "privacy", "datensicherheit", "datenschutz"],
+      "keywords": ["datenschutz", "datensicherheit", "privacy", "data security", "pii", "personenbezogen", "dsgvo"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "DSP-01",
+          "title": "Data Classification",
+          "statement": "Daten muessen nach Sensibilitaet klassifiziert und entsprechend geschuetzt werden.",
+          "keywords": ["klassifizierung", "sensibilitaet", "classification"],
+          "action_hint": "define",
+          "object_hint": "Datenklassifizierung",
+          "object_class": "data"
+        },
+        {
+          "subcontrol_id": "DSP-02",
+          "title": "Data Inventory",
+          "statement": "Ein Dateninventar muss gefuehrt werden, das alle Verarbeitungen personenbezogener Daten dokumentiert.",
+          "keywords": ["inventar", "verzeichnis", "verarbeitung", "vvt"],
+          "action_hint": "maintain",
+          "object_hint": "Dateninventar",
+          "object_class": "register"
+        },
+        {
+          "subcontrol_id": "DSP-03",
+          "title": "Data Retention and Deletion",
+          "statement": "Aufbewahrungsfristen muessen definiert und Daten nach Ablauf sicher geloescht werden.",
+          "keywords": ["retention", "aufbewahrung", "loeschung", "frist"],
+          "action_hint": "delete",
+          "object_hint": "Datenloeschung nach Frist",
+          "object_class": "data"
+        },
+        {
+          "subcontrol_id": "DSP-04",
+          "title": "Privacy Impact Assessment",
+          "statement": "Datenschutz-Folgenabschaetzungen muessen fuer risikoreiche Verarbeitungen durchgefuehrt werden.",
+          "keywords": ["dsfa", "pia", "folgenabschaetzung", "impact"],
+          "action_hint": "assess",
+          "object_hint": "Datenschutz-Folgenabschaetzung",
+          "object_class": "risk_artifact"
+        },
+        {
+          "subcontrol_id": "DSP-05",
+          "title": "Data Subject Rights",
+          "statement": "Verfahren zur Bearbeitung von Betroffenenrechten muessen implementiert werden.",
+          "keywords": ["betroffenenrechte", "auskunft", "loeschung", "data subject"],
+          "action_hint": "implement",
+          "object_hint": "Betroffenenrechte-Verfahren",
+          "object_class": "process"
+        }
+      ]
+    },
+    {
+      "domain_id": "GRC",
+      "title": "Governance, Risk and Compliance",
+      "aliases": ["grc", "governance", "risk", "compliance", "risikomanagement"],
+      "keywords": ["governance", "risiko", "compliance", "management", "policy", "richtlinie"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "GRC-01",
+          "title": "Information Security Program",
+          "statement": "Ein umfassendes Informationssicherheitsprogramm muss etabliert und aufrechterhalten werden.",
+          "keywords": ["programm", "sicherheit", "information"],
+          "action_hint": "maintain",
+          "object_hint": "Informationssicherheitsprogramm",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "GRC-02",
+          "title": "Risk Management Program",
+          "statement": "Ein Risikomanagement-Programm muss implementiert werden, das Identifikation, Bewertung und Behandlung umfasst.",
+          "keywords": ["risiko", "management", "bewertung", "behandlung"],
+          "action_hint": "implement",
+          "object_hint": "Risikomanagement-Programm",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "GRC-03",
+          "title": "Compliance Monitoring",
+          "statement": "Die Einhaltung regulatorischer und vertraglicher Anforderungen muss ueberwacht werden.",
+          "keywords": ["compliance", "einhaltung", "regulatorisch", "ueberwachung"],
+          "action_hint": "monitor",
+          "object_hint": "Compliance-Ueberwachung",
+          "object_class": "process"
+        }
+      ]
+    },
+    {
+      "domain_id": "IAM",
+      "title": "Identity and Access Management",
+      "aliases": ["iam", "identity", "access management", "identitaetsmanagement", "zugriffsverwaltung"],
+      "keywords": ["identitaet", "zugriff", "identity", "access", "authentifizierung", "autorisierung", "sso"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "IAM-01",
+          "title": "Identity and Access Policy",
+          "statement": "Identitaets- und Zugriffsmanagement-Richtlinien muessen definiert werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "IAM-Richtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "IAM-02",
+          "title": "Strong Authentication",
+          "statement": "Starke Authentifizierung (MFA) muss fuer administrative und sicherheitskritische Zugriffe gefordert werden.",
+          "keywords": ["mfa", "stark", "authentifizierung", "admin"],
+          "action_hint": "implement",
+          "object_hint": "Starke Authentifizierung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "IAM-03",
+          "title": "Identity Lifecycle Management",
+          "statement": "Identitaeten muessen ueber ihren gesamten Lebenszyklus verwaltet werden.",
+          "keywords": ["lifecycle", "lebenszyklus", "onboarding", "offboarding"],
+          "action_hint": "maintain",
+          "object_hint": "Identitaets-Lebenszyklus",
+          "object_class": "account"
+        },
+        {
+          "subcontrol_id": "IAM-04",
+          "title": "Access Review",
+          "statement": "Zugriffsrechte muessen regelmaessig ueberprueft und ueberschuessige Rechte entzogen werden.",
+          "keywords": ["review", "ueberpruefen", "rechte", "rezertifizierung"],
+          "action_hint": "review",
+          "object_hint": "Zugriffsrechte-Review",
+          "object_class": "access_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "LOG",
+      "title": "Logging and Monitoring",
+      "aliases": ["log", "logging", "monitoring", "protokollierung", "ueberwachung"],
+      "keywords": ["logging", "monitoring", "protokollierung", "ueberwachung", "siem", "alarm"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "LOG-01",
+          "title": "Logging Policy",
+          "statement": "Protokollierungs-Richtlinien muessen definiert werden, die Umfang und Aufbewahrung festlegen.",
+          "keywords": ["policy", "richtlinie", "umfang", "aufbewahrung"],
+          "action_hint": "document",
+          "object_hint": "Protokollierungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "LOG-02",
+          "title": "Security Event Logging",
+          "statement": "Sicherheitsrelevante Ereignisse muessen erfasst und zentral gespeichert werden.",
+          "keywords": ["event", "ereignis", "sicherheit", "zentral"],
+          "action_hint": "configure",
+          "object_hint": "Sicherheits-Event-Logging",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "LOG-03",
+          "title": "Monitoring and Alerting",
+          "statement": "Sicherheitsrelevante Logs muessen ueberwacht und bei Anomalien Alarme ausgeloest werden.",
+          "keywords": ["monitoring", "alerting", "alarm", "anomalie"],
+          "action_hint": "monitor",
+          "object_hint": "Log-Ueberwachung und Alarmierung",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "SEF",
+      "title": "Security Incident Management",
+      "aliases": ["sef", "security incident", "incident management", "vorfallmanagement", "sicherheitsvorfall"],
+      "keywords": ["vorfall", "incident", "sicherheitsvorfall", "reaktion", "response", "meldung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "SEF-01",
+          "title": "Incident Management Policy",
+          "statement": "Ein Vorfallmanagement-Prozess muss definiert, dokumentiert und getestet werden.",
+          "keywords": ["policy", "richtlinie", "prozess"],
+          "action_hint": "document",
+          "object_hint": "Vorfallmanagement-Richtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "SEF-02",
+          "title": "Incident Response Team",
+          "statement": "Ein Incident-Response-Team muss benannt und geschult werden.",
+          "keywords": ["team", "response", "schulung"],
+          "action_hint": "define",
+          "object_hint": "Incident-Response-Team",
+          "object_class": "role"
+        },
+        {
+          "subcontrol_id": "SEF-03",
+          "title": "Incident Reporting",
+          "statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an zustaendige Stellen gemeldet werden.",
+          "keywords": ["reporting", "meldung", "frist", "behoerde"],
+          "action_hint": "report",
+          "object_hint": "Vorfallmeldung",
+          "object_class": "incident"
+        },
+        {
+          "subcontrol_id": "SEF-04",
+          "title": "Incident Lessons Learned",
+          "statement": "Nach jedem Vorfall muss eine Nachbereitung mit Lessons Learned durchgefuehrt werden.",
+          "keywords": ["lessons learned", "nachbereitung", "verbesserung"],
+          "action_hint": "review",
+          "object_hint": "Vorfall-Nachbereitung",
+          "object_class": "record"
+        }
+      ]
+    },
+    {
+      "domain_id": "TVM",
+      "title": "Threat and Vulnerability Management",
+      "aliases": ["tvm", "threat", "vulnerability", "schwachstelle", "bedrohung", "schwachstellenmanagement"],
+      "keywords": ["schwachstelle", "vulnerability", "threat", "bedrohung", "patch", "scan"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "TVM-01",
+          "title": "Vulnerability Management Policy",
+          "statement": "Schwachstellenmanagement-Richtlinien muessen definiert und umgesetzt werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Schwachstellenmanagement-Richtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "TVM-02",
+          "title": "Vulnerability Scanning",
+          "statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt werden.",
+          "keywords": ["scan", "scanning", "regelmaessig"],
+          "action_hint": "test",
+          "object_hint": "Schwachstellenscan",
+          "object_class": "system"
+        },
+        {
+          "subcontrol_id": "TVM-03",
+          "title": "Vulnerability Remediation",
+          "statement": "Erkannte Schwachstellen muessen priorisiert und innerhalb definierter Fristen behoben werden.",
+          "keywords": ["remediation", "behebung", "frist", "priorisierung"],
+          "action_hint": "remediate",
+          "object_hint": "Schwachstellenbehebung",
+          "object_class": "system"
+        },
+        {
+          "subcontrol_id": "TVM-04",
+          "title": "Penetration Testing",
+          "statement": "Regelmaessige Penetrationstests muessen durchgefuehrt werden.",
+          "keywords": ["penetration", "pentest", "test"],
+          "action_hint": "test",
+          "object_hint": "Penetrationstest",
+          "object_class": "system"
+        }
+      ]
+    }
+  ]
+}
--- a/backend-compliance/compliance/data/frameworks/nist_sp800_53.json
+++ b/backend-compliance/compliance/data/frameworks/nist_sp800_53.json
@@ -0,0 +1,514 @@
+{
+  "framework_id": "NIST_SP800_53",
+  "display_name": "NIST SP 800-53 Rev. 5",
+  "license": {
+    "type": "public_domain",
+    "rag_allowed": true,
+    "use_as_metadata": true
+  },
+  "domains": [
+    {
+      "domain_id": "AC",
+      "title": "Access Control",
+      "aliases": ["access control", "zugriffskontrolle", "zugriffssteuerung"],
+      "keywords": ["access", "zugriff", "berechtigung", "authorization", "autorisierung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "AC-1",
+          "title": "Access Control Policy and Procedures",
+          "statement": "Zugriffskontrollrichtlinien und -verfahren muessen definiert, dokumentiert und regelmaessig ueberprueft werden.",
+          "keywords": ["policy", "richtlinie", "verfahren", "procedures"],
+          "action_hint": "document",
+          "object_hint": "Zugriffskontrollrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "AC-2",
+          "title": "Account Management",
+          "statement": "Benutzerkonten muessen ueber ihren gesamten Lebenszyklus verwaltet werden: Erstellung, Aktivierung, Aenderung, Deaktivierung und Loeschung.",
+          "keywords": ["account", "konto", "benutzer", "lifecycle", "lebenszyklus"],
+          "action_hint": "maintain",
+          "object_hint": "Benutzerkontenverwaltung",
+          "object_class": "account"
+        },
+        {
+          "subcontrol_id": "AC-3",
+          "title": "Access Enforcement",
+          "statement": "Der Zugriff auf Systemressourcen muss gemaess der definierten Zugriffskontrollrichtlinie durchgesetzt werden.",
+          "keywords": ["enforcement", "durchsetzung", "ressourcen", "system"],
+          "action_hint": "restrict_access",
+          "object_hint": "Zugriffsdurchsetzung",
+          "object_class": "access_control"
+        },
+        {
+          "subcontrol_id": "AC-5",
+          "title": "Separation of Duties",
+          "statement": "Aufgabentrennung muss definiert und durchgesetzt werden, um Interessenkonflikte und Missbrauch zu verhindern.",
+          "keywords": ["separation", "trennung", "duties", "aufgaben", "funktionstrennung"],
+          "action_hint": "define",
+          "object_hint": "Aufgabentrennung",
+          "object_class": "role"
+        },
+        {
+          "subcontrol_id": "AC-6",
+          "title": "Least Privilege",
+          "statement": "Zugriffsrechte muessen nach dem Prinzip der minimalen Rechte vergeben werden.",
+          "keywords": ["least privilege", "minimal", "rechte", "privileg"],
+          "action_hint": "restrict_access",
+          "object_hint": "Minimale Rechtevergabe",
+          "object_class": "access_control"
+        },
+        {
+          "subcontrol_id": "AC-7",
+          "title": "Unsuccessful Logon Attempts",
+          "statement": "Fehlgeschlagene Anmeldeversuche muessen begrenzt und ueberwacht werden.",
+          "keywords": ["logon", "anmeldung", "fehlgeschlagen", "sperre", "lockout"],
+          "action_hint": "monitor",
+          "object_hint": "Anmeldeversuchsueberwachung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "AC-17",
+          "title": "Remote Access",
+          "statement": "Fernzugriff muss autorisiert, ueberwacht und verschluesselt werden.",
+          "keywords": ["remote", "fern", "vpn", "fernzugriff"],
+          "action_hint": "configure",
+          "object_hint": "Fernzugriffskonfiguration",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "AU",
+      "title": "Audit and Accountability",
+      "aliases": ["audit", "protokollierung", "accountability", "rechenschaftspflicht"],
+      "keywords": ["audit", "log", "protokoll", "nachvollziehbarkeit", "logging"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "AU-1",
+          "title": "Audit Policy and Procedures",
+          "statement": "Audit- und Protokollierungsrichtlinien muessen definiert und regelmaessig ueberprueft werden.",
+          "keywords": ["policy", "richtlinie", "audit"],
+          "action_hint": "document",
+          "object_hint": "Auditrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "AU-2",
+          "title": "Event Logging",
+          "statement": "Sicherheitsrelevante Ereignisse muessen identifiziert und protokolliert werden.",
+          "keywords": ["event", "ereignis", "logging", "protokollierung"],
+          "action_hint": "configure",
+          "object_hint": "Ereignisprotokollierung",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "AU-3",
+          "title": "Content of Audit Records",
+          "statement": "Audit-Eintraege muessen ausreichende Informationen enthalten: Zeitstempel, Quelle, Ergebnis, Identitaet.",
+          "keywords": ["content", "inhalt", "record", "eintrag"],
+          "action_hint": "define",
+          "object_hint": "Audit-Eintragsformat",
+          "object_class": "record"
+        },
+        {
+          "subcontrol_id": "AU-6",
+          "title": "Audit Record Review and Reporting",
+          "statement": "Audit-Eintraege muessen regelmaessig ueberprueft und bei Anomalien berichtet werden.",
+          "keywords": ["review", "ueberpruefen", "reporting", "anomalie"],
+          "action_hint": "review",
+          "object_hint": "Audit-Ueberpruefung",
+          "object_class": "record"
+        },
+        {
+          "subcontrol_id": "AU-9",
+          "title": "Protection of Audit Information",
+          "statement": "Audit-Daten muessen vor unbefugtem Zugriff, Aenderung und Loeschung geschuetzt werden.",
+          "keywords": ["schutz", "protection", "integritaet", "integrity"],
+          "action_hint": "implement",
+          "object_hint": "Audit-Datenschutz",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "AT",
+      "title": "Awareness and Training",
+      "aliases": ["awareness", "training", "schulung", "sensibilisierung"],
+      "keywords": ["training", "schulung", "awareness", "sensibilisierung", "weiterbildung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "AT-1",
+          "title": "Policy and Procedures",
+          "statement": "Schulungs- und Sensibilisierungsrichtlinien muessen definiert und regelmaessig aktualisiert werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Schulungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "AT-2",
+          "title": "Literacy Training and Awareness",
+          "statement": "Alle Mitarbeiter muessen regelmaessig Sicherheitsschulungen erhalten.",
+          "keywords": ["mitarbeiter", "schulung", "sicherheit"],
+          "action_hint": "train",
+          "object_hint": "Sicherheitsschulung",
+          "object_class": "training"
+        },
+        {
+          "subcontrol_id": "AT-3",
+          "title": "Role-Based Training",
+          "statement": "Rollenbasierte Sicherheitsschulungen muessen fuer Mitarbeiter mit besonderen Sicherheitsaufgaben durchgefuehrt werden.",
+          "keywords": ["rollenbasiert", "role-based", "speziell"],
+          "action_hint": "train",
+          "object_hint": "Rollenbasierte Sicherheitsschulung",
+          "object_class": "training"
+        }
+      ]
+    },
+    {
+      "domain_id": "CM",
+      "title": "Configuration Management",
+      "aliases": ["configuration management", "konfigurationsmanagement", "konfiguration"],
+      "keywords": ["konfiguration", "configuration", "baseline", "haertung", "hardening"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "CM-1",
+          "title": "Policy and Procedures",
+          "statement": "Konfigurationsmanagement-Richtlinien muessen dokumentiert und gepflegt werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Konfigurationsmanagement-Richtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "CM-2",
+          "title": "Baseline Configuration",
+          "statement": "Basiskonfigurationen fuer Systeme muessen definiert, dokumentiert und gepflegt werden.",
+          "keywords": ["baseline", "basis", "standard"],
+          "action_hint": "define",
+          "object_hint": "Basiskonfiguration",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "CM-6",
+          "title": "Configuration Settings",
+          "statement": "Sicherheitsrelevante Konfigurationseinstellungen muessen definiert und durchgesetzt werden.",
+          "keywords": ["settings", "einstellungen", "sicherheit"],
+          "action_hint": "configure",
+          "object_hint": "Sicherheitskonfiguration",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "CM-7",
+          "title": "Least Functionality",
+          "statement": "Systeme muessen so konfiguriert werden, dass nur notwendige Funktionen aktiv sind.",
+          "keywords": ["least functionality", "minimal", "dienste", "ports"],
+          "action_hint": "configure",
+          "object_hint": "Minimalkonfiguration",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "CM-8",
+          "title": "System Component Inventory",
+          "statement": "Ein Inventar aller Systemkomponenten muss gefuehrt und aktuell gehalten werden.",
+          "keywords": ["inventar", "inventory", "komponenten", "assets"],
+          "action_hint": "maintain",
+          "object_hint": "Systemkomponenten-Inventar",
+          "object_class": "register"
+        }
+      ]
+    },
+    {
+      "domain_id": "IA",
+      "title": "Identification and Authentication",
+      "aliases": ["identification", "authentication", "identifikation", "authentifizierung"],
+      "keywords": ["authentifizierung", "identifikation", "identity", "passwort", "mfa", "credential"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "IA-1",
+          "title": "Policy and Procedures",
+          "statement": "Identifikations- und Authentifizierungsrichtlinien muessen dokumentiert und regelmaessig ueberprueft werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Authentifizierungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "IA-2",
+          "title": "Identification and Authentication",
+          "statement": "Benutzer und Geraete muessen eindeutig identifiziert und authentifiziert werden.",
+          "keywords": ["benutzer", "geraete", "identifizierung"],
+          "action_hint": "implement",
+          "object_hint": "Benutzerauthentifizierung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "IA-2(1)",
+          "title": "Multi-Factor Authentication",
+          "statement": "Multi-Faktor-Authentifizierung muss fuer privilegierte Konten implementiert werden.",
+          "keywords": ["mfa", "multi-faktor", "zwei-faktor", "2fa"],
+          "action_hint": "implement",
+          "object_hint": "Multi-Faktor-Authentifizierung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "IA-5",
+          "title": "Authenticator Management",
+          "statement": "Authentifizierungsmittel (Passwoerter, Token, Zertifikate) muessen sicher verwaltet werden.",
+          "keywords": ["passwort", "token", "zertifikat", "credential"],
+          "action_hint": "maintain",
+          "object_hint": "Authentifizierungsmittel-Verwaltung",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "IR",
+      "title": "Incident Response",
+      "aliases": ["incident response", "vorfallbehandlung", "vorfallreaktion", "incident management"],
+      "keywords": ["vorfall", "incident", "reaktion", "response", "breach", "sicherheitsvorfall"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "IR-1",
+          "title": "Policy and Procedures",
+          "statement": "Vorfallreaktionsrichtlinien und -verfahren muessen definiert und regelmaessig aktualisiert werden.",
+          "keywords": ["policy", "richtlinie", "verfahren"],
+          "action_hint": "document",
+          "object_hint": "Vorfallreaktionsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "IR-2",
+          "title": "Incident Response Training",
+          "statement": "Mitarbeiter muessen regelmaessig in der Vorfallreaktion geschult werden.",
+          "keywords": ["training", "schulung"],
+          "action_hint": "train",
+          "object_hint": "Vorfallreaktionsschulung",
+          "object_class": "training"
+        },
+        {
+          "subcontrol_id": "IR-4",
+          "title": "Incident Handling",
+          "statement": "Ein strukturierter Prozess fuer die Vorfallbehandlung muss implementiert werden: Erkennung, Analyse, Eindaemmung, Behebung.",
+          "keywords": ["handling", "behandlung", "erkennung", "eindaemmung"],
+          "action_hint": "implement",
+          "object_hint": "Vorfallbehandlungsprozess",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "IR-5",
+          "title": "Incident Monitoring",
+          "statement": "Sicherheitsvorfaelle muessen kontinuierlich ueberwacht und verfolgt werden.",
+          "keywords": ["monitoring", "ueberwachung", "tracking"],
+          "action_hint": "monitor",
+          "object_hint": "Vorfallsueberwachung",
+          "object_class": "incident"
+        },
+        {
+          "subcontrol_id": "IR-6",
+          "title": "Incident Reporting",
+          "statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an die zustaendigen Stellen gemeldet werden.",
+          "keywords": ["reporting", "meldung", "melden", "frist"],
+          "action_hint": "report",
+          "object_hint": "Vorfallmeldung",
+          "object_class": "incident"
+        },
+        {
+          "subcontrol_id": "IR-8",
+          "title": "Incident Response Plan",
+          "statement": "Ein Vorfallreaktionsplan muss dokumentiert und regelmaessig getestet werden.",
+          "keywords": ["plan", "dokumentation", "test"],
+          "action_hint": "document",
+          "object_hint": "Vorfallreaktionsplan",
+          "object_class": "policy"
+        }
+      ]
+    },
+    {
+      "domain_id": "RA",
+      "title": "Risk Assessment",
+      "aliases": ["risk assessment", "risikobewertung", "risikoanalyse"],
+      "keywords": ["risiko", "risk", "bewertung", "assessment", "analyse", "bedrohung", "threat"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "RA-1",
+          "title": "Policy and Procedures",
+          "statement": "Risikobewertungsrichtlinien muessen dokumentiert und regelmaessig aktualisiert werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Risikobewertungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "RA-3",
+          "title": "Risk Assessment",
+          "statement": "Regelmaessige Risikobewertungen muessen durchgefuehrt und dokumentiert werden.",
+          "keywords": ["bewertung", "assessment", "regelmaessig"],
+          "action_hint": "assess",
+          "object_hint": "Risikobewertung",
+          "object_class": "risk_artifact"
+        },
+        {
+          "subcontrol_id": "RA-5",
+          "title": "Vulnerability Monitoring and Scanning",
+          "statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt und ueberwacht werden.",
+          "keywords": ["vulnerability", "schwachstelle", "scan", "monitoring"],
+          "action_hint": "monitor",
+          "object_hint": "Schwachstellenueberwachung",
+          "object_class": "system"
+        }
+      ]
+    },
+    {
+      "domain_id": "SC",
+      "title": "System and Communications Protection",
+      "aliases": ["system protection", "communications protection", "kommunikationsschutz", "systemschutz"],
+      "keywords": ["verschluesselung", "encryption", "tls", "netzwerk", "network", "kommunikation", "firewall"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "SC-1",
+          "title": "Policy and Procedures",
+          "statement": "System- und Kommunikationsschutzrichtlinien muessen dokumentiert und aktuell gehalten werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Kommunikationsschutzrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "SC-7",
+          "title": "Boundary Protection",
+          "statement": "Netzwerkgrenzen muessen durch Firewall-Regeln und Zugangskontrollen geschuetzt werden.",
+          "keywords": ["boundary", "grenze", "firewall", "netzwerk"],
+          "action_hint": "implement",
+          "object_hint": "Netzwerkgrenzschutz",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "SC-8",
+          "title": "Transmission Confidentiality and Integrity",
+          "statement": "Daten muessen bei der Uebertragung durch Verschluesselung geschuetzt werden.",
+          "keywords": ["transmission", "uebertragung", "verschluesselung", "tls"],
+          "action_hint": "encrypt",
+          "object_hint": "Uebertragungsverschluesselung",
+          "object_class": "cryptographic_control"
+        },
+        {
+          "subcontrol_id": "SC-12",
+          "title": "Cryptographic Key Establishment and Management",
+          "statement": "Kryptographische Schluessel muessen sicher erzeugt, verteilt, gespeichert und widerrufen werden.",
+          "keywords": ["key", "schluessel", "kryptographie", "management"],
+          "action_hint": "maintain",
+          "object_hint": "Schluesselverwaltung",
+          "object_class": "cryptographic_control"
+        },
+        {
+          "subcontrol_id": "SC-13",
+          "title": "Cryptographic Protection",
+          "statement": "Kryptographische Mechanismen muessen gemaess anerkannten Standards implementiert werden.",
+          "keywords": ["kryptographie", "verschluesselung", "standard"],
+          "action_hint": "implement",
+          "object_hint": "Kryptographischer Schutz",
+          "object_class": "cryptographic_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "SI",
+      "title": "System and Information Integrity",
+      "aliases": ["system integrity", "information integrity", "systemintegritaet", "informationsintegritaet"],
+      "keywords": ["integritaet", "integrity", "malware", "patch", "flaw", "schwachstelle"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "SI-1",
+          "title": "Policy and Procedures",
+          "statement": "System- und Informationsintegritaetsrichtlinien muessen dokumentiert und regelmaessig ueberprueft werden.",
+          "keywords": ["policy", "richtlinie"],
+          "action_hint": "document",
+          "object_hint": "Integritaetsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "SI-2",
+          "title": "Flaw Remediation",
+          "statement": "Bekannte Schwachstellen muessen innerhalb definierter Fristen behoben werden.",
+          "keywords": ["flaw", "schwachstelle", "patch", "behebung", "remediation"],
+          "action_hint": "remediate",
+          "object_hint": "Schwachstellenbehebung",
+          "object_class": "system"
+        },
+        {
+          "subcontrol_id": "SI-3",
+          "title": "Malicious Code Protection",
+          "statement": "Systeme muessen vor Schadsoftware geschuetzt werden durch Erkennung und Abwehrmechanismen.",
+          "keywords": ["malware", "schadsoftware", "antivirus", "erkennung"],
+          "action_hint": "implement",
+          "object_hint": "Schadsoftwareschutz",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "SI-4",
+          "title": "System Monitoring",
+          "statement": "Systeme muessen kontinuierlich auf Sicherheitsereignisse und Anomalien ueberwacht werden.",
+          "keywords": ["monitoring", "ueberwachung", "anomalie", "siem"],
+          "action_hint": "monitor",
+          "object_hint": "Systemueberwachung",
+          "object_class": "system"
+        },
+        {
+          "subcontrol_id": "SI-5",
+          "title": "Security Alerts and Advisories",
+          "statement": "Sicherheitswarnungen muessen empfangen, bewertet und darauf reagiert werden.",
+          "keywords": ["alert", "warnung", "advisory", "cve"],
+          "action_hint": "monitor",
+          "object_hint": "Sicherheitswarnungen",
+          "object_class": "incident"
+        }
+      ]
+    },
+    {
+      "domain_id": "SA",
+      "title": "System and Services Acquisition",
+      "aliases": ["system acquisition", "services acquisition", "systembeschaffung", "secure development"],
+      "keywords": ["beschaffung", "acquisition", "entwicklung", "development", "lieferkette", "supply chain"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "SA-1",
+          "title": "Policy and Procedures",
+          "statement": "Beschaffungsrichtlinien mit Sicherheitsanforderungen muessen dokumentiert werden.",
+          "keywords": ["policy", "richtlinie", "beschaffung"],
+          "action_hint": "document",
+          "object_hint": "Beschaffungsrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "SA-8",
+          "title": "Security and Privacy Engineering Principles",
+          "statement": "Sicherheits- und Datenschutzprinzipien muessen in die Systementwicklung integriert werden.",
+          "keywords": ["engineering", "development", "prinzipien", "design"],
+          "action_hint": "implement",
+          "object_hint": "Security-by-Design-Prinzipien",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "SA-11",
+          "title": "Developer Testing and Evaluation",
+          "statement": "Entwickler muessen Sicherheitstests und Code-Reviews durchfuehren.",
+          "keywords": ["testing", "test", "code review", "evaluation"],
+          "action_hint": "test",
+          "object_hint": "Entwickler-Sicherheitstests",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "SA-12",
+          "title": "Supply Chain Protection",
+          "statement": "Lieferkettenrisiken muessen bewertet und Schutzmassnahmen implementiert werden.",
+          "keywords": ["supply chain", "lieferkette", "third party", "drittanbieter"],
+          "action_hint": "assess",
+          "object_hint": "Lieferkettenrisikobewertung",
+          "object_class": "risk_artifact"
+        }
+      ]
+    }
+  ]
+}
--- a/backend-compliance/compliance/data/frameworks/owasp_asvs.json
+++ b/backend-compliance/compliance/data/frameworks/owasp_asvs.json
@@ -0,0 +1,353 @@
+{
+  "framework_id": "OWASP_ASVS",
+  "display_name": "OWASP Application Security Verification Standard 4.0",
+  "license": {
+    "type": "cc_by_sa_4",
+    "rag_allowed": true,
+    "use_as_metadata": true
+  },
+  "domains": [
+    {
+      "domain_id": "V1",
+      "title": "Architecture, Design and Threat Modeling",
+      "aliases": ["architecture", "architektur", "design", "threat modeling", "bedrohungsmodellierung"],
+      "keywords": ["architektur", "design", "threat model", "bedrohung", "modellierung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V1.1",
+          "title": "Secure Software Development Lifecycle",
+          "statement": "Ein sicherer Softwareentwicklungs-Lebenszyklus (SSDLC) muss definiert und angewendet werden.",
+          "keywords": ["sdlc", "lifecycle", "lebenszyklus", "entwicklung"],
+          "action_hint": "implement",
+          "object_hint": "Sicherer Entwicklungs-Lebenszyklus",
+          "object_class": "process"
+        },
+        {
+          "subcontrol_id": "V1.2",
+          "title": "Authentication Architecture",
+          "statement": "Die Authentifizierungsarchitektur muss dokumentiert und regelmaessig ueberprueft werden.",
+          "keywords": ["authentication", "authentifizierung", "architektur"],
+          "action_hint": "document",
+          "object_hint": "Authentifizierungsarchitektur",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "V1.4",
+          "title": "Access Control Architecture",
+          "statement": "Die Zugriffskontrollarchitektur muss dokumentiert und zentral durchgesetzt werden.",
+          "keywords": ["access control", "zugriffskontrolle", "architektur"],
+          "action_hint": "document",
+          "object_hint": "Zugriffskontrollarchitektur",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "V1.5",
+          "title": "Input and Output Architecture",
+          "statement": "Eingabe- und Ausgabevalidierung muss architektonisch verankert und durchgaengig angewendet werden.",
+          "keywords": ["input", "output", "eingabe", "ausgabe", "validierung"],
+          "action_hint": "implement",
+          "object_hint": "Ein-/Ausgabevalidierung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V1.6",
+          "title": "Cryptographic Architecture",
+          "statement": "Kryptographische Mechanismen muessen architektonisch definiert und standardisiert sein.",
+          "keywords": ["crypto", "kryptographie", "verschluesselung"],
+          "action_hint": "define",
+          "object_hint": "Kryptographie-Architektur",
+          "object_class": "cryptographic_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V2",
+      "title": "Authentication",
+      "aliases": ["authentication", "authentifizierung", "anmeldung", "login"],
+      "keywords": ["authentication", "authentifizierung", "passwort", "login", "anmeldung", "credential"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V2.1",
+          "title": "Password Security",
+          "statement": "Passwortrichtlinien muessen Mindestlaenge, Komplexitaet und Sperrmechanismen definieren.",
+          "keywords": ["passwort", "password", "laenge", "komplexitaet"],
+          "action_hint": "define",
+          "object_hint": "Passwortrichtlinie",
+          "object_class": "policy"
+        },
+        {
+          "subcontrol_id": "V2.2",
+          "title": "General Authenticator Security",
+          "statement": "Authentifizierungsmittel muessen sicher gespeichert und uebertragen werden.",
+          "keywords": ["authenticator", "credential", "speicherung"],
+          "action_hint": "implement",
+          "object_hint": "Sichere Credential-Verwaltung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V2.7",
+          "title": "Out-of-Band Verification",
+          "statement": "Out-of-Band-Verifikationsmechanismen muessen sicher implementiert werden.",
+          "keywords": ["oob", "out-of-band", "sms", "push"],
+          "action_hint": "implement",
+          "object_hint": "Out-of-Band-Verifikation",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V2.8",
+          "title": "Multi-Factor Authentication",
+          "statement": "Multi-Faktor-Authentifizierung muss fuer sicherheitskritische Funktionen verfuegbar sein.",
+          "keywords": ["mfa", "multi-faktor", "totp", "fido"],
+          "action_hint": "implement",
+          "object_hint": "Multi-Faktor-Authentifizierung",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V3",
+      "title": "Session Management",
+      "aliases": ["session", "sitzung", "session management", "sitzungsverwaltung"],
+      "keywords": ["session", "sitzung", "token", "cookie", "timeout"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V3.1",
+          "title": "Session Management Security",
+          "statement": "Sitzungstoken muessen sicher erzeugt, uebertragen und invalidiert werden.",
+          "keywords": ["token", "sitzung", "sicherheit"],
+          "action_hint": "implement",
+          "object_hint": "Sichere Sitzungsverwaltung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V3.3",
+          "title": "Session Termination",
+          "statement": "Sitzungen muessen nach Inaktivitaet und bei Abmeldung zuverlaessig beendet werden.",
+          "keywords": ["termination", "timeout", "abmeldung", "beenden"],
+          "action_hint": "configure",
+          "object_hint": "Sitzungstimeout",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "V3.5",
+          "title": "Token-Based Session Management",
+          "statement": "Tokenbasierte Sitzungsmechanismen muessen gegen Diebstahl und Replay geschuetzt sein.",
+          "keywords": ["jwt", "token", "replay", "diebstahl"],
+          "action_hint": "implement",
+          "object_hint": "Token-Schutz",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V5",
+      "title": "Validation, Sanitization and Encoding",
+      "aliases": ["validation", "validierung", "sanitization", "encoding", "eingabevalidierung"],
+      "keywords": ["validierung", "sanitization", "encoding", "xss", "injection", "eingabe"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V5.1",
+          "title": "Input Validation",
+          "statement": "Alle Eingabedaten muessen serverseitig validiert werden.",
+          "keywords": ["input", "eingabe", "validierung", "serverseitig"],
+          "action_hint": "implement",
+          "object_hint": "Eingabevalidierung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V5.2",
+          "title": "Sanitization and Sandboxing",
+          "statement": "Eingaben muessen bereinigt und in sicherer Umgebung verarbeitet werden.",
+          "keywords": ["sanitization", "bereinigung", "sandbox"],
+          "action_hint": "implement",
+          "object_hint": "Eingabebereinigung",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V5.3",
+          "title": "Output Encoding and Injection Prevention",
+          "statement": "Ausgaben muessen kontextabhaengig kodiert werden, um Injection-Angriffe zu verhindern.",
+          "keywords": ["output", "encoding", "injection", "xss", "sql"],
+          "action_hint": "implement",
+          "object_hint": "Ausgabe-Encoding",
+          "object_class": "technical_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V6",
+      "title": "Stored Cryptography",
+      "aliases": ["cryptography", "kryptographie", "verschluesselung", "stored cryptography"],
+      "keywords": ["kryptographie", "verschluesselung", "hashing", "schluessel", "key management"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V6.1",
+          "title": "Data Classification",
+          "statement": "Daten muessen klassifiziert und entsprechend ihrer Schutzklasse behandelt werden.",
+          "keywords": ["klassifizierung", "classification", "schutzklasse"],
+          "action_hint": "define",
+          "object_hint": "Datenklassifizierung",
+          "object_class": "data"
+        },
+        {
+          "subcontrol_id": "V6.2",
+          "title": "Algorithms",
+          "statement": "Nur zugelassene und aktuelle kryptographische Algorithmen duerfen verwendet werden.",
+          "keywords": ["algorithmus", "algorithm", "aes", "rsa"],
+          "action_hint": "configure",
+          "object_hint": "Kryptographische Algorithmen",
+          "object_class": "cryptographic_control"
+        },
+        {
+          "subcontrol_id": "V6.4",
+          "title": "Secret Management",
+          "statement": "Geheimnisse (Schluessel, Passwoerter, Tokens) muessen in einem Secret-Management-System verwaltet werden.",
+          "keywords": ["secret", "geheimnis", "vault", "key management"],
+          "action_hint": "maintain",
+          "object_hint": "Secret-Management",
+          "object_class": "cryptographic_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V8",
+      "title": "Data Protection",
+      "aliases": ["data protection", "datenschutz", "datenverarbeitung"],
+      "keywords": ["datenschutz", "data protection", "pii", "personenbezogen", "privacy"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V8.1",
+          "title": "General Data Protection",
+          "statement": "Personenbezogene Daten muessen gemaess Datenschutzanforderungen geschuetzt werden.",
+          "keywords": ["personenbezogen", "pii", "datenschutz"],
+          "action_hint": "implement",
+          "object_hint": "Datenschutzmassnahmen",
+          "object_class": "data"
+        },
+        {
+          "subcontrol_id": "V8.2",
+          "title": "Client-Side Data Protection",
+          "statement": "Clientseitig gespeicherte sensible Daten muessen geschuetzt und minimiert werden.",
+          "keywords": ["client", "browser", "localstorage", "cookie"],
+          "action_hint": "implement",
+          "object_hint": "Clientseitiger Datenschutz",
+          "object_class": "technical_control"
+        },
+        {
+          "subcontrol_id": "V8.3",
+          "title": "Sensitive Private Data",
+          "statement": "Sensible Daten muessen bei Speicherung und Verarbeitung besonders geschuetzt werden.",
+          "keywords": ["sensibel", "vertraulich", "speicherung"],
+          "action_hint": "encrypt",
+          "object_hint": "Verschluesselung sensibler Daten",
+          "object_class": "data"
+        }
+      ]
+    },
+    {
+      "domain_id": "V9",
+      "title": "Communication",
+      "aliases": ["communication", "kommunikation", "tls", "transport"],
+      "keywords": ["tls", "ssl", "https", "transport", "kommunikation", "verschluesselung"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V9.1",
+          "title": "Client Communication Security",
+          "statement": "Alle Client-Server-Kommunikation muss ueber TLS verschluesselt werden.",
+          "keywords": ["tls", "https", "client", "server"],
+          "action_hint": "encrypt",
+          "object_hint": "TLS-Transportverschluesselung",
+          "object_class": "cryptographic_control"
+        },
+        {
+          "subcontrol_id": "V9.2",
+          "title": "Server Communication Security",
+          "statement": "Server-zu-Server-Kommunikation muss authentifiziert und verschluesselt erfolgen.",
+          "keywords": ["server", "mtls", "backend"],
+          "action_hint": "encrypt",
+          "object_hint": "Server-Kommunikationsverschluesselung",
+          "object_class": "cryptographic_control"
+        }
+      ]
+    },
+    {
+      "domain_id": "V13",
+      "title": "API and Web Service",
+      "aliases": ["api", "web service", "rest", "graphql", "webservice"],
+      "keywords": ["api", "rest", "graphql", "webservice", "endpoint", "schnittstelle"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V13.1",
+          "title": "Generic Web Service Security",
+          "statement": "Web-Services muessen gegen gaengige Angriffe abgesichert werden.",
+          "keywords": ["web service", "sicherheit", "angriff"],
+          "action_hint": "implement",
+          "object_hint": "Web-Service-Absicherung",
+          "object_class": "interface"
+        },
+        {
+          "subcontrol_id": "V13.2",
+          "title": "RESTful Web Service",
+          "statement": "REST-APIs muessen Input-Validierung, Rate Limiting und sichere Authentifizierung implementieren.",
+          "keywords": ["rest", "api", "rate limiting", "input"],
+          "action_hint": "implement",
+          "object_hint": "REST-API-Absicherung",
+          "object_class": "interface"
+        },
+        {
+          "subcontrol_id": "V13.4",
+          "title": "GraphQL and Web Services",
+          "statement": "GraphQL-Endpoints muessen gegen Query-Complexity-Angriffe und Introspection geschuetzt werden.",
+          "keywords": ["graphql", "query", "complexity", "introspection"],
+          "action_hint": "configure",
+          "object_hint": "GraphQL-Absicherung",
+          "object_class": "interface"
+        }
+      ]
+    },
+    {
+      "domain_id": "V14",
+      "title": "Configuration",
+      "aliases": ["configuration", "konfiguration", "hardening", "haertung"],
+      "keywords": ["konfiguration", "hardening", "haertung", "header", "deployment"],
+      "subcontrols": [
+        {
+          "subcontrol_id": "V14.1",
+          "title": "Build and Deploy",
+          "statement": "Build- und Deployment-Prozesse muessen sicher konfiguriert und reproduzierbar sein.",
+          "keywords": ["build", "deploy", "ci/cd", "pipeline"],
+          "action_hint": "configure",
+          "object_hint": "Sichere Build-Pipeline",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "V14.2",
+          "title": "Dependency Management",
+          "statement": "Abhaengigkeiten muessen auf Schwachstellen geprueft und aktuell gehalten werden.",
+          "keywords": ["dependency", "abhaengigkeit", "sca", "sbom"],
+          "action_hint": "maintain",
+          "object_hint": "Abhaengigkeitsverwaltung",
+          "object_class": "system"
+        },
+        {
+          "subcontrol_id": "V14.3",
+          "title": "Unintended Security Disclosure",
+          "statement": "Fehlermeldungen und Debug-Informationen duerfen keine sicherheitsrelevanten Details preisgeben.",
+          "keywords": ["disclosure", "fehlermeldung", "debug", "information leakage"],
+          "action_hint": "configure",
+          "object_hint": "Fehlerbehandlung",
+          "object_class": "configuration"
+        },
+        {
+          "subcontrol_id": "V14.4",
+          "title": "HTTP Security Headers",
+          "statement": "HTTP-Sicherheitsheader muessen korrekt konfiguriert sein.",
+          "keywords": ["header", "csp", "hsts", "x-frame"],
+          "action_hint": "configure",
+          "object_hint": "HTTP-Sicherheitsheader",
+          "object_class": "configuration"
+        }
+      ]
+    }
+  ]
+}
--- a/backend-compliance/compliance/data/source_type_classification.py
+++ b/backend-compliance/compliance/data/source_type_classification.py
@@ -0,0 +1,205 @@
+"""
+Source-Type-Klassifikation fuer Regulierungen und Frameworks.
+
+Dreistufiges Modell der normativen Verbindlichkeit:
+
+  Stufe 1 — GESETZ (law):
+    Rechtlich bindend. Bussgeld bei Verstoss.
+    Beispiele: DSGVO, NIS2, AI Act, CRA
+
+  Stufe 2 — LEITLINIE (guideline):
+    Offizielle Auslegungshilfe von Aufsichtsbehoerden.
+    Beweislastumkehr: Wer abweicht, muss begruenden warum.
+    Beispiele: EDPB-Leitlinien, BSI-Standards, WP29-Dokumente
+
+  Stufe 3 — FRAMEWORK (framework):
+    Freiwillige Best Practices, nicht rechtsverbindlich.
+    Aber: Koennen als "Stand der Technik" herangezogen werden.
+    Beispiele: ENISA, NIST, OWASP, OECD, CISA
+
+Mapping: source_regulation (aus control_parent_links) -> source_type
+"""
+
+# --- Typ-Definitionen ---
+SOURCE_TYPE_LAW = "law"           # Gesetz/Verordnung/Richtlinie — normative_strength bleibt
+SOURCE_TYPE_GUIDELINE = "guideline"  # Leitlinie/Standard — max "should"
+SOURCE_TYPE_FRAMEWORK = "framework"  # Framework/Best Practice — max "may"
+
+# Max erlaubte normative_strength pro source_type
+# DB-Constraint erlaubt: must, should, may (NICHT "can")
+NORMATIVE_STRENGTH_CAP: dict[str, str] = {
+    SOURCE_TYPE_LAW: "must",       # keine Begrenzung
+    SOURCE_TYPE_GUIDELINE: "should",  # max "should"
+    SOURCE_TYPE_FRAMEWORK: "may",     # max "may" (= "kann")
+}
+
+# Reihenfolge fuer Vergleiche (hoeher = staerker)
+STRENGTH_ORDER: dict[str, int] = {
+    "may": 1,        # KANN (DB-Wert)
+    "can": 1,        # Alias — wird in cap_normative_strength zu "may" normalisiert
+    "should": 2,
+    "must": 3,
+}
+
+
+def cap_normative_strength(original: str, source_type: str) -> str:
+    """
+    Begrenzt die normative_strength basierend auf dem source_type.
+
+    Beispiel:
+        cap_normative_strength("must", "framework") -> "may"
+        cap_normative_strength("should", "law") -> "should"
+        cap_normative_strength("must", "guideline") -> "should"
+    """
+    cap = NORMATIVE_STRENGTH_CAP.get(source_type, "must")
+    cap_level = STRENGTH_ORDER.get(cap, 3)
+    original_level = STRENGTH_ORDER.get(original, 3)
+    if original_level > cap_level:
+        return cap
+    return original
+
+
+def get_highest_source_type(source_types: list[str]) -> str:
+    """
+    Bestimmt den hoechsten source_type aus einer Liste.
+    Ein Gesetz uebertrumpft alles.
+
+    Beispiel:
+        get_highest_source_type(["framework", "law"]) -> "law"
+        get_highest_source_type(["framework", "guideline"]) -> "guideline"
+    """
+    type_order = {SOURCE_TYPE_FRAMEWORK: 1, SOURCE_TYPE_GUIDELINE: 2, SOURCE_TYPE_LAW: 3}
+    if not source_types:
+        return SOURCE_TYPE_FRAMEWORK
+    return max(source_types, key=lambda t: type_order.get(t, 0))
+
+
+# ============================================================================
+# Klassifikation: source_regulation -> source_type
+#
+# Diese Map wird fuer den Backfill und zukuenftige Pipeline-Runs verwendet.
+# Neue Regulierungen hier eintragen!
+# ============================================================================
+
+SOURCE_REGULATION_CLASSIFICATION: dict[str, str] = {
+    # --- EU-Verordnungen (unmittelbar bindend) ---
+    "DSGVO (EU) 2016/679": SOURCE_TYPE_LAW,
+    "KI-Verordnung (EU) 2024/1689": SOURCE_TYPE_LAW,
+    "Cyber Resilience Act (CRA)": SOURCE_TYPE_LAW,
+    "NIS2-Richtlinie (EU) 2022/2555": SOURCE_TYPE_LAW,
+    "Data Act": SOURCE_TYPE_LAW,
+    "Data Governance Act (DGA)": SOURCE_TYPE_LAW,
+    "Markets in Crypto-Assets (MiCA)": SOURCE_TYPE_LAW,
+    "Maschinenverordnung (EU) 2023/1230": SOURCE_TYPE_LAW,
+    "Batterieverordnung (EU) 2023/1542": SOURCE_TYPE_LAW,
+    "AML-Verordnung": SOURCE_TYPE_LAW,
+
+    # --- EU-Richtlinien (nach nationaler Umsetzung bindend) ---
+    # Fuer Compliance-Zwecke wie Gesetze behandeln
+
+    # --- Nationale Gesetze ---
+    "Bundesdatenschutzgesetz (BDSG)": SOURCE_TYPE_LAW,
+    "Telekommunikationsgesetz": SOURCE_TYPE_LAW,
+    "Telekommunikationsgesetz Oesterreich": SOURCE_TYPE_LAW,
+    "Gewerbeordnung (GewO)": SOURCE_TYPE_LAW,
+    "Handelsgesetzbuch (HGB)": SOURCE_TYPE_LAW,
+    "Abgabenordnung (AO)": SOURCE_TYPE_LAW,
+    "IFRS-Übernahmeverordnung": SOURCE_TYPE_LAW,
+    "Österreichisches Datenschutzgesetz (DSG)": SOURCE_TYPE_LAW,
+    "LOPDGDD - Ley Orgánica de Protección de Datos (Spanien)": SOURCE_TYPE_LAW,
+    "Loi Informatique et Libertés (Frankreich)": SOURCE_TYPE_LAW,
+    "Információs önrendelkezési jog törvény (Ungarn)": SOURCE_TYPE_LAW,
+    "EU Blue Guide 2022": SOURCE_TYPE_LAW,
+
+    # --- EDPB/WP29 Leitlinien (offizielle Auslegungshilfe) ---
+    "EDPB Leitlinien 01/2019 (Zertifizierung)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 01/2020 (Datentransfers)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 01/2020 (Vernetzte Fahrzeuge)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 01/2022 (BCR)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 01/2024 (Berechtigtes Interesse)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 04/2019 (Data Protection by Design)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 05/2020 - Einwilligung": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 07/2020 (Datentransfers)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 08/2020 (Social Media)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 09/2022 (Data Breach)": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien 09/2022 - Meldung von Datenschutzverletzungen": SOURCE_TYPE_GUIDELINE,
+    "EDPB Empfehlungen 01/2020 - Ergaenzende Massnahmen fuer Datentransfers": SOURCE_TYPE_GUIDELINE,
+    "EDPB Leitlinien - Berechtigtes Interesse (Art. 6(1)(f))": SOURCE_TYPE_GUIDELINE,
+    "WP244 Leitlinien (Profiling)": SOURCE_TYPE_GUIDELINE,
+    "WP251 Leitlinien (Profiling)": SOURCE_TYPE_GUIDELINE,
+    "WP260 Leitlinien (Transparenz)": SOURCE_TYPE_GUIDELINE,
+
+    # --- BSI Standards (behoerdliche technische Richtlinien) ---
+    "BSI-TR-03161-1": SOURCE_TYPE_GUIDELINE,
+    "BSI-TR-03161-2": SOURCE_TYPE_GUIDELINE,
+    "BSI-TR-03161-3": SOURCE_TYPE_GUIDELINE,
+
+    # --- ENISA (EU-Agentur, aber Empfehlungen nicht rechtsverbindlich) ---
+    "ENISA Cybersecurity State 2024": SOURCE_TYPE_FRAMEWORK,
+    "ENISA ICS/SCADA Dependencies": SOURCE_TYPE_FRAMEWORK,
+    "ENISA Supply Chain Good Practices": SOURCE_TYPE_FRAMEWORK,
+    "ENISA Threat Landscape Supply Chain": SOURCE_TYPE_FRAMEWORK,
+
+    # --- NIST (US-Standards, international als Best Practice) ---
+    "NIST AI Risk Management Framework": SOURCE_TYPE_FRAMEWORK,
+    "NIST Cybersecurity Framework 2.0": SOURCE_TYPE_FRAMEWORK,
+    "NIST SP 800-207 (Zero Trust)": SOURCE_TYPE_FRAMEWORK,
+    "NIST SP 800-218 (SSDF)": SOURCE_TYPE_FRAMEWORK,
+    "NIST SP 800-53 Rev. 5": SOURCE_TYPE_FRAMEWORK,
+    "NIST SP 800-63-3": SOURCE_TYPE_FRAMEWORK,
+
+    # --- OWASP (Community-Standards) ---
+    "OWASP API Security Top 10 (2023)": SOURCE_TYPE_FRAMEWORK,
+    "OWASP ASVS 4.0": SOURCE_TYPE_FRAMEWORK,
+    "OWASP MASVS 2.0": SOURCE_TYPE_FRAMEWORK,
+    "OWASP SAMM 2.0": SOURCE_TYPE_FRAMEWORK,
+    "OWASP Top 10 (2021)": SOURCE_TYPE_FRAMEWORK,
+
+    # --- Sonstige Frameworks ---
+    "OECD KI-Empfehlung": SOURCE_TYPE_FRAMEWORK,
+    "CISA Secure by Design": SOURCE_TYPE_FRAMEWORK,
+}
+
+
+def classify_source_regulation(source_regulation: str) -> str:
+    """
+    Klassifiziert eine source_regulation als law, guideline oder framework.
+
+    Verwendet exaktes Matching gegen die Map. Bei unbekannten Quellen
+    wird anhand von Schluesselwoertern geraten, Fallback ist 'framework'
+    (konservativstes Ergebnis).
+    """
+    if not source_regulation:
+        return SOURCE_TYPE_FRAMEWORK
+
+    # Exaktes Match
+    if source_regulation in SOURCE_REGULATION_CLASSIFICATION:
+        return SOURCE_REGULATION_CLASSIFICATION[source_regulation]
+
+    # Heuristik fuer unbekannte Quellen
+    lower = source_regulation.lower()
+
+    # Gesetze erkennen
+    law_indicators = [
+        "verordnung", "richtlinie", "gesetz", "directive", "regulation",
+        "(eu)", "(eg)", "act", "ley", "loi", "törvény", "código",
+    ]
+    if any(ind in lower for ind in law_indicators):
+        return SOURCE_TYPE_LAW
+
+    # Leitlinien erkennen
+    guideline_indicators = [
+        "edpb", "leitlinie", "guideline", "wp2", "bsi", "empfehlung",
+    ]
+    if any(ind in lower for ind in guideline_indicators):
+        return SOURCE_TYPE_GUIDELINE
+
+    # Frameworks erkennen
+    framework_indicators = [
+        "enisa", "nist", "owasp", "oecd", "cisa", "framework", "iso",
+    ]
+    if any(ind in lower for ind in framework_indicators):
+        return SOURCE_TYPE_FRAMEWORK
+
+    # Konservativ: unbekannt = framework (geringste Verbindlichkeit)
+    return SOURCE_TYPE_FRAMEWORK
--- a/backend-compliance/compliance/db/init.py
+++ b/backend-compliance/compliance/db/init.py
@@ -8,12 +8,16 @@ from .models import (
    EvidenceDB,
    RiskDB,
    AuditExportDB,
+    LLMGenerationAuditDB,
+    AssertionDB,
    RegulationTypeEnum,
    ControlTypeEnum,
    ControlDomainEnum,
    RiskLevelEnum,
    EvidenceStatusEnum,
    ControlStatusEnum,
+    EvidenceConfidenceEnum,
+    EvidenceTruthStatusEnum,
 )
 from .repository import (
    RegulationRepository,
@@ -33,6 +37,8 @@ __all__ = [
    "EvidenceDB",
    "RiskDB",
    "AuditExportDB",
+    "LLMGenerationAuditDB",
+    "AssertionDB",
    # Enums
    "RegulationTypeEnum",
    "ControlTypeEnum",
@@ -40,6 +46,8 @@ __all__ = [
    "RiskLevelEnum",
    "EvidenceStatusEnum",
    "ControlStatusEnum",
+    "EvidenceConfidenceEnum",
+    "EvidenceTruthStatusEnum",
    # Repositories
    "RegulationRepository",
    "RequirementRepository",
--- a/backend-compliance/compliance/db/models.py
+++ b/backend-compliance/compliance/db/models.py
@@ -65,6 +65,7 @@ class ControlStatusEnum(str, enum.Enum):
    FAIL = "fail"                # Not passing
    NOT_APPLICABLE = "n/a"       # Not applicable
    PLANNED = "planned"          # Planned for implementation
+    IN_PROGRESS = "in_progress"  # Implementation in progress


 class RiskLevelEnum(str, enum.Enum):
@@ -83,6 +84,26 @@ class EvidenceStatusEnum(str, enum.Enum):
    FAILED = "failed"            # Failed validation


+class EvidenceConfidenceEnum(str, enum.Enum):
+    """Confidence level of evidence (Anti-Fake-Evidence)."""
+    E0 = "E0"    # Generated / no real evidence (LLM output, placeholder)
+    E1 = "E1"    # Uploaded but unreviewed (manual upload, no hash, no reviewer)
+    E2 = "E2"    # Reviewed internally (human reviewed, hash verified)
+    E3 = "E3"    # Observed by system (CI/CD pipeline, API with hash)
+    E4 = "E4"    # Validated by external auditor
+
+
+class EvidenceTruthStatusEnum(str, enum.Enum):
+    """Truth status lifecycle for evidence (Anti-Fake-Evidence)."""
+    GENERATED = "generated"
+    UPLOADED = "uploaded"
+    OBSERVED = "observed"
+    VALIDATED_INTERNAL = "validated_internal"
+    REJECTED = "rejected"
+    PROVIDED_TO_AUDITOR = "provided_to_auditor"
+    ACCEPTED_BY_AUDITOR = "accepted_by_auditor"
+
+
 class ExportStatusEnum(str, enum.Enum):
    """Status of audit export."""
    PENDING = "pending"
@@ -239,6 +260,7 @@ class ControlDB(Base):
    # Status
    status = Column(Enum(ControlStatusEnum), default=ControlStatusEnum.PLANNED)
    status_notes = Column(Text)
+    status_justification = Column(Text)                                  # Required for n/a transitions

    # Ownership & Review
    owner = Column(String(100))                                          # Responsible person/team
@@ -321,6 +343,22 @@ class EvidenceDB(Base):
    ci_job_id = Column(String(100))                                      # CI/CD job reference
    uploaded_by = Column(String(100))                                    # User who uploaded

+    # Anti-Fake-Evidence: Confidence & Truth tracking
+    confidence_level = Column(Enum(EvidenceConfidenceEnum), default=EvidenceConfidenceEnum.E1)
+    truth_status = Column(Enum(EvidenceTruthStatusEnum), default=EvidenceTruthStatusEnum.UPLOADED)
+    generation_mode = Column(String(100))                                # e.g. "draft_assistance", "auto_generation"
+    may_be_used_as_evidence = Column(Boolean, default=True)
+    reviewed_by = Column(String(200))
+    reviewed_at = Column(DateTime)
+
+    # Anti-Fake-Evidence Phase 2: Four-Eyes review
+    approval_status = Column(String(30), default="none")
+    first_reviewer = Column(String(200))
+    first_reviewed_at = Column(DateTime)
+    second_reviewer = Column(String(200))
+    second_reviewed_at = Column(DateTime)
+    requires_four_eyes = Column(Boolean, default=False)
+
    # Timestamps
    collected_at = Column(DateTime, default=datetime.utcnow)
    created_at = Column(DateTime, default=datetime.utcnow)
@@ -332,6 +370,7 @@ class EvidenceDB(Base):
    __table_args__ = (
        Index('ix_evidence_control_type', 'control_id', 'evidence_type'),
        Index('ix_evidence_status', 'status'),
+        Index('ix_evidence_approval_status', 'approval_status'),
    )

    def __repr__(self):
@@ -1464,3 +1503,77 @@ class ISMSReadinessCheckDB(Base):

    def __repr__(self):
        return f"<ISMSReadiness {self.check_date}: {self.overall_status}>"
+
+
+class LLMGenerationAuditDB(Base):
+    """
+    Audit trail for LLM-generated content.
+
+    Every piece of content generated by an LLM is recorded here with its
+    truth_status and may_be_used_as_evidence flag, ensuring transparency
+    about what is real evidence vs. generated assistance.
+    """
+    __tablename__ = 'compliance_llm_generation_audit'
+
+    id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    tenant_id = Column(String(36), index=True)
+
+    entity_type = Column(String(50), nullable=False)           # 'evidence', 'control', 'document'
+    entity_id = Column(String(36))                             # FK to generated entity
+    generation_mode = Column(String(100), nullable=False)      # 'draft_assistance', 'auto_generation'
+    truth_status = Column(Enum(EvidenceTruthStatusEnum), nullable=False, default=EvidenceTruthStatusEnum.GENERATED)
+    may_be_used_as_evidence = Column(Boolean, nullable=False, default=False)
+
+    llm_model = Column(String(100))
+    llm_provider = Column(String(50))                          # 'ollama', 'anthropic'
+    prompt_hash = Column(String(64))                           # SHA-256 of prompt
+    input_summary = Column(Text)
+    output_summary = Column(Text)
+    extra_metadata = Column("metadata", JSON, default=dict)
+
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    __table_args__ = (
+        Index('ix_llm_audit_entity', 'entity_type', 'entity_id'),
+    )
+
+    def __repr__(self):
+        return f"<LLMGenerationAudit {self.entity_type}:{self.entity_id} mode={self.generation_mode}>"
+
+
+class AssertionDB(Base):
+    """
+    Assertion tracking — separates claims from verified facts.
+
+    Each sentence from a control/evidence/document is stored here with its
+    classification (assertion vs. fact vs. rationale) and optional evidence linkage.
+    """
+    __tablename__ = 'compliance_assertions'
+
+    id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    tenant_id = Column(String(36), index=True)
+
+    entity_type = Column(String(50), nullable=False)       # 'control', 'evidence', 'document', 'obligation'
+    entity_id = Column(String(36), nullable=False)
+    sentence_text = Column(Text, nullable=False)
+    sentence_index = Column(Integer, nullable=False, default=0)
+
+    assertion_type = Column(String(20), nullable=False, default='assertion')  # 'assertion' | 'fact' | 'rationale'
+    evidence_ids = Column(JSON, default=list)
+    confidence = Column(Float, default=0.0)
+    normative_tier = Column(String(20))                    # 'pflicht' | 'empfehlung' | 'kann'
+
+    verified_by = Column(String(200))
+    verified_at = Column(DateTime)
+
+    created_at = Column(DateTime, default=datetime.utcnow)
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    __table_args__ = (
+        Index('ix_assertion_entity', 'entity_type', 'entity_id'),
+        Index('ix_assertion_type', 'assertion_type'),
+    )
+
+    def __repr__(self):
+        return f"<Assertion {self.assertion_type}: {self.sentence_text[:50]}>"
--- a/backend-compliance/compliance/db/repository.py
+++ b/backend-compliance/compliance/db/repository.py
@@ -487,6 +487,137 @@ class ControlRepository:
            "compliance_score": round(score, 1),
        }

+    def get_multi_dimensional_score(self) -> Dict[str, Any]:
+        """
+        Calculate multi-dimensional compliance score (Anti-Fake-Evidence).
+
+        Returns 6 dimensions + hard_blocks + overall_readiness.
+        """
+        from .models import (
+            EvidenceDB, RequirementDB, ControlMappingDB,
+            EvidenceConfidenceEnum, EvidenceTruthStatusEnum,
+        )
+
+        # Weight map for confidence levels
+        conf_weights = {"E0": 0.0, "E1": 0.25, "E2": 0.5, "E3": 0.75, "E4": 1.0}
+        validated_statuses = {"validated_internal", "accepted_by_auditor", "provided_to_auditor"}
+
+        controls = self.get_all()
+        total_controls = len(controls)
+
+        if total_controls == 0:
+            return {
+                "requirement_coverage": 0.0,
+                "evidence_strength": 0.0,
+                "validation_quality": 0.0,
+                "evidence_freshness": 0.0,
+                "control_effectiveness": 0.0,
+                "overall_readiness": 0.0,
+                "hard_blocks": ["Keine Controls vorhanden"],
+            }
+
+        # 1. requirement_coverage: % requirements linked to at least one control
+        total_reqs = self.db.query(func.count(RequirementDB.id)).scalar() or 0
+        linked_reqs = (
+            self.db.query(func.count(func.distinct(ControlMappingDB.requirement_id)))
+            .scalar() or 0
+        )
+        requirement_coverage = (linked_reqs / total_reqs * 100) if total_reqs > 0 else 0.0
+
+        # 2. evidence_strength: weighted average of evidence confidence
+        all_evidence = self.db.query(EvidenceDB).all()
+        if all_evidence:
+            total_weight = 0.0
+            for e in all_evidence:
+                conf_val = e.confidence_level.value if e.confidence_level else "E1"
+                total_weight += conf_weights.get(conf_val, 0.25)
+            evidence_strength = (total_weight / len(all_evidence)) * 100
+        else:
+            evidence_strength = 0.0
+
+        # 3. validation_quality: % evidence with truth_status >= validated_internal
+        if all_evidence:
+            validated_count = sum(
+                1 for e in all_evidence
+                if (e.truth_status.value if e.truth_status else "uploaded") in validated_statuses
+            )
+            validation_quality = (validated_count / len(all_evidence)) * 100
+        else:
+            validation_quality = 0.0
+
+        # 4. evidence_freshness: % evidence not expired and reviewed < 90 days
+        now = datetime.now()
+        if all_evidence:
+            fresh_count = 0
+            for e in all_evidence:
+                is_expired = e.valid_until and e.valid_until < now
+                is_stale = e.reviewed_at and (now - e.reviewed_at).days > 90 if hasattr(e, 'reviewed_at') and e.reviewed_at else False
+                if not is_expired and not is_stale:
+                    fresh_count += 1
+            evidence_freshness = (fresh_count / len(all_evidence)) * 100
+        else:
+            evidence_freshness = 0.0
+
+        # 5. control_effectiveness: existing formula
+        passed = sum(1 for c in controls if c.status == ControlStatusEnum.PASS)
+        partial = sum(1 for c in controls if c.status == ControlStatusEnum.PARTIAL)
+        control_effectiveness = ((passed + partial * 0.5) / total_controls) * 100
+
+        # 6. overall_readiness: weighted composite
+        overall_readiness = (
+            0.20 * requirement_coverage +
+            0.25 * evidence_strength +
+            0.20 * validation_quality +
+            0.10 * evidence_freshness +
+            0.25 * control_effectiveness
+        )
+
+        # Hard blocks
+        hard_blocks = []
+
+        # Critical controls without any evidence
+        critical_no_evidence = []
+        for c in controls:
+            if c.status in (ControlStatusEnum.PASS, ControlStatusEnum.PARTIAL):
+                evidence_for_ctrl = [e for e in all_evidence if e.control_id == c.id]
+                if not evidence_for_ctrl:
+                    critical_no_evidence.append(c.control_id)
+        if critical_no_evidence:
+            hard_blocks.append(
+                f"{len(critical_no_evidence)} Controls mit Status pass/partial haben keine Evidence: "
+                f"{', '.join(critical_no_evidence[:5])}"
+            )
+
+        # Controls with only E0/E1 evidence claiming pass
+        weak_evidence_pass = []
+        for c in controls:
+            if c.status == ControlStatusEnum.PASS:
+                evidence_for_ctrl = [e for e in all_evidence if e.control_id == c.id]
+                if evidence_for_ctrl:
+                    max_conf = max(
+                        conf_weights.get(
+                            e.confidence_level.value if e.confidence_level else "E1", 0.25
+                        )
+                        for e in evidence_for_ctrl
+                    )
+                    if max_conf < 0.5:  # Only E0 or E1
+                        weak_evidence_pass.append(c.control_id)
+        if weak_evidence_pass:
+            hard_blocks.append(
+                f"{len(weak_evidence_pass)} Controls auf 'pass' haben nur E0/E1-Evidence: "
+                f"{', '.join(weak_evidence_pass[:5])}"
+            )
+
+        return {
+            "requirement_coverage": round(requirement_coverage, 1),
+            "evidence_strength": round(evidence_strength, 1),
+            "validation_quality": round(validation_quality, 1),
+            "evidence_freshness": round(evidence_freshness, 1),
+            "control_effectiveness": round(control_effectiveness, 1),
+            "overall_readiness": round(overall_readiness, 1),
+            "hard_blocks": hard_blocks,
+        }
+

 class ControlMappingRepository:
    """Repository for requirement-control mappings."""
--- a/backend-compliance/compliance/services/anchor_finder.py
+++ b/backend-compliance/compliance/services/anchor_finder.py
@@ -69,7 +69,7 @@ class AnchorFinder:
        tags_str = " ".join(control.tags[:3]) if control.tags else ""
        query = f"{control.title} {tags_str}".strip()

-        results = await self.rag.search(
+        results = await self.rag.search_with_rerank(
            query=query,
            collection="bp_compliance_ce",
            top_k=15,
--- a/Show More
+++ b/Show More