fix: strip duplicate inline class definitions from db shim files

models.py and repository.py are backwards-compat re-export shims from
Phase 1. Both files still contained the original 1466/1547 line class
definitions below the re-export block. These inline definitions shadowed
the correctly-imported sub-module versions and failed at import time
because Column, AuditResultEnum, etc. were no longer in scope.

Fix:
- models.py: remove all duplicate Base-subclass definitions (lines 209-
  1581). Retain EvidenceConfidenceEnum and EvidenceTruthStatusEnum (unique
  to this shim, not yet extracted to a sub-module) and the two models that
  have no sub-module yet: LLMGenerationAuditDB and AssertionDB. Add back
  the SQLAlchemy column-type imports those two models need.
- repository.py: remove all duplicate Repository class definitions (lines
  40-1692). All classes are now fully provided by the sub-repositories.

Result: 172 pytest tests pass, import OK.

.claude/CLAUDE.md

@@ -1,73 +1,167 @@
 # BreakPilot Compliance - DSGVO/AI-Act SDK Platform
 
+> **NON-NEGOTIABLE STRUCTURE RULES** (enforced by `.claude/settings.json` hook, git pre-commit, and CI):
+> 1. **File-size budget:** soft target **300** lines, **hard cap 500** lines for any non-test, non-generated source file. Anything larger → split it. Exceptions are listed in `.claude/rules/loc-exceptions.txt` and require a written rationale.
+> 2. **Clean architecture per service.** Routers/handlers stay thin (≤30 lines per handler) and delegate to services; services use repositories; repositories own DB I/O. See `AGENTS.python.md` / `AGENTS.go.md` / `AGENTS.typescript.md`.
+> 3. **Do not touch the database schema.** No new Alembic migrations, no `ALTER TABLE`, no model field renames without an explicit migration plan reviewed by the DB owner. SQLAlchemy `__tablename__` and column names are frozen.
+> 4. **Public endpoints are a contract.** Any change to a path, method, status code, request schema, or response schema in `backend-compliance/`, `ai-compliance-sdk/`, `dsms-gateway/`, `document-crawler/`, or `compliance-tts-service/` must be accompanied by a matching update in **every** consumer (`admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`). Use the OpenAPI snapshot tests in `tests/contracts/` as the gate.
+> 5. **Tests are not optional.** New code without tests fails CI. Refactors must preserve coverage and add a characterization test before splitting an oversized file.
+> 6. **Do not bypass the guardrails.** Do not edit `.claude/settings.json`, `scripts/check-loc.sh`, or the loc-exceptions list to silence violations. If a rule is wrong, raise it in a PR description.
+>
+> These rules apply to **every** Claude Code session opened inside this repository, regardless of who launched it. They are loaded automatically via this `CLAUDE.md`.
+
+
+
+## First-Time Setup & Claude Code Onboarding
+
+**For humans:** Read this CLAUDE.md top to bottom before your first commit. Then read `AGENTS.<lang>.md` for the service you are working on (`AGENTS.python.md`, `AGENTS.go.md`, or `AGENTS.typescript.md`).
+
+**For Claude Code sessions — things that cause first-commit failures:**
+
+1. **Wrong branch.** Never commit directly to `main`. Create a feature branch first: `git checkout -b feat/my-change`.
+
+2. **PreToolUse hook blocks your write.** The `PreToolUse` hooks in `.claude/settings.json` will reject Write/Edit operations on any file that would push its line count past 500. This is intentional — split the file into smaller modules instead of trying to bypass the hook.
+
+3. **Missing `[guardrail-change]` marker.** The `guardrail-integrity` CI job fails if you modify a guardrail file without the marker in the commit message body. See the table below.
+
+4. **Never `git add -A` or `git add .`.** Stage files individually by path. `git add -A` risks committing `.env`, `node_modules/`, `.next/`, compiled binaries, and other artifacts that must never enter the repo.
+
+5. **LOC check before push.** After any session, run `bash scripts/check-loc.sh`. It must exit 0 before you push. The git pre-commit hook runs this automatically, but run it manually first to catch issues early.
+
+### Commit message quick reference
+
+| Marker | Required when touching |
+|--------|----------------------|
+| `[guardrail-change]` | `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, any `AGENTS.*.md` |
+| `[migration-approved]` | Anything under `migrations/` or `alembic/versions/` |
+
+Add the marker anywhere in the commit message body or footer — the CI job does a plain-text grep for it.
+
+---
+
 ## Entwicklungsumgebung (WICHTIG - IMMER ZUERST LESEN)
 
-### Zwei-Rechner-Setup
+### Zwei-Rechner-Setup + Orca
 
 | Geraet | Rolle | Aufgaben |
 |--------|-------|----------|
 | **MacBook** | Entwicklung | Claude Terminal, Code-Entwicklung, Browser (Frontend-Tests) |
-| **Mac Mini** | Server | Docker, alle Services, Tests, Builds, Deployment |
+| **Mac Mini** | Lokaler Server | Docker fuer lokale Dev/Tests (NICHT fuer Production!) |
+| **Orca** | Production | Automatisches Build + Deploy bei Push auf origin |
 
-**WICHTIG:** Code wird direkt auf dem MacBook in diesem Repo bearbeitet. Docker und Services laufen auf dem Mac Mini.
+**WICHTIG:** Code wird auf dem MacBook bearbeitet. Production-Deployment laeuft automatisch ueber Orca.
 
-### Entwicklungsworkflow
+### Entwicklungsworkflow (CI/CD — Orca)
 
 ```bash
 # 1. Code auf MacBook bearbeiten (dieses Verzeichnis)
 # 2. Committen und pushen:
-git push origin main && git push gitea main
+git push origin main
 
-# 3. Auf Mac Mini pullen (WICHTIG: git -C statt cd):
+# 3. FERTIG! Push auf origin triggert automatisch:
+#    - Gitea Actions: Lint → Tests → Validierung
+#    - Orca: Build → Deploy
+#    Dauer: ca. 3 Minuten
+#    Status pruefen: https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions
+```
+
+**NICHT MEHR NOETIG:** Manuelles `ssh macmini "docker compose build"` fuer Production.
+**NIEMALS** manuell in Orca auf "Redeploy" klicken — Gitea Actions triggert Orca automatisch.
+
+### Post-Push Deploy-Monitoring (PFLICHT nach jedem Push)
+
+**IMMER wenn Claude auf origin pusht, MUSS danach automatisch das Deploy-Monitoring laufen:**
+
+1. Dem User sofort mitteilen: "Deploy gestartet, ich ueberwache den Status..."
+2. Im Hintergrund Health-Checks pollen (alle 20 Sekunden, max 5 Minuten):
+   ```bash
+   # Compliance Health-Endpoints:
+   curl -sf https://api-dev.breakpilot.ai/health    # Backend Compliance
+   curl -sf https://sdk-dev.breakpilot.ai/health     # AI Compliance SDK
+   ```
+3. Sobald ALLE Endpoints healthy sind, dem User im Chat melden:
+   **"Deploy abgeschlossen! Du kannst jetzt testen: https://admin-dev.breakpilot.ai"**
+4. Falls nach 5 Minuten noch nicht healthy → Fehlermeldung mit Hinweis auf Orca-Logs.
+
+**Ablauf im Terminal:**
+```
+> git push origin main ✓
+> "Deploy gestartet, ich ueberwache den Status..."
+> [Hintergrund-Polling laeuft]
+> "Deploy abgeschlossen! Alle Services healthy. Du kannst jetzt testen."
+```
+
+### CI/CD Pipeline (Gitea Actions → Orca)
+
+```
+Push auf origin main → go-lint/python-lint/nodejs-lint (nur PRs)
+                    → test-go-ai-compliance
+                    → test-python-backend-compliance
+                    → test-python-document-crawler
+                    → test-python-dsms-gateway
+                    → validate-canonical-controls
+                    → Orca: Build + Deploy (automatisch bei Push)
+```
+
+**Dateien:**
+- `.gitea/workflows/ci.yaml` — Pipeline-Definition (Tests + Validierung)
+- `docker-compose.yml` — Haupt-Compose
+- `docker-compose.hetzner.yml` — Override: arm64→amd64 fuer Orca Production (x86_64)
+
+### Lokale Entwicklung (Mac Mini — optional)
+
+```bash
+# Nur fuer lokale Tests, NICHT fuer Production:
 ssh macmini "git -C /Users/benjaminadmin/Projekte/breakpilot-compliance pull --no-rebase origin main"
-
-# 4. Container neu bauen (WICHTIG: -f statt cd, da cd in SSH nicht funktioniert!):
-ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml build --no-cache <service> && /usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml up -d <service>"
+ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml build --no-cache <service>"
+ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml up -d <service>"
 
 # Fuer schnelle Iteration ohne Commit (rsync):
 rsync -avz --exclude node_modules --exclude .next --exclude .git \
   admin-compliance/ macmini:~/Projekte/breakpilot-compliance/admin-compliance/
 ```
 
-### SSH-Verbindung (fuer Docker/Tests)
-
-```bash
-# RICHTIG — cd funktioniert NICHT in SSH-Einzelbefehlen:
-ssh macmini "git -C /Users/benjaminadmin/Projekte/breakpilot-compliance <git-cmd>"
-ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml <compose-cmd>"
-ssh macmini "/usr/local/bin/docker exec bp-compliance-<service> <cmd>"
-```
+**WICHTIG:** Docker-Pfad auf Mac Mini ist `/usr/local/bin/docker` (nicht im Standard-SSH-PATH).
+**WICHTIG:** `cd` funktioniert NICHT in SSH-Einzelbefehlen — immer `-f <pfad>/docker-compose.yml` verwenden!
 
 ---
 
 ## Voraussetzung
 
 **breakpilot-core MUSS laufen!** Dieses Projekt nutzt Core-Services:
-- PostgreSQL (Schema: `compliance`, `core`)
 - Valkey (Session-Cache)
 - Vault (Secrets)
 - RAG-Service (Vektorsuche fuer Compliance-Dokumente)
 - Nginx (Reverse Proxy)
 
-Pruefen: `curl -sf http://macmini:8099/health`
+**Externe Services (Production):**
+- PostgreSQL 17 (sslmode=require) — Schemas: `compliance`, `public`
+- Qdrant @ `qdrant-dev.breakpilot.ai` (HTTPS, API-Key)
+- Object Storage (S3-kompatibel, TLS)
+
+Config via `.env` (nicht im Repo): `COMPLIANCE_DATABASE_URL`, `QDRANT_URL`, `QDRANT_API_KEY`
 
 ---
 
-## Haupt-URLs (Browser auf MacBook)
+## Haupt-URLs
 
-### Frontends
+### Production (Orca-deployed)
 
 | URL | Service | Beschreibung |
 |-----|---------|--------------|
-| **https://macmini:3007/** | Admin Compliance | SDK-Dashboard, alle Compliance-Module |
-| **https://macmini:3006/** | Developer Portal | API-Dokumentation fuer Kunden |
+| **https://admin-dev.breakpilot.ai/** | Admin Compliance | SDK-Dashboard, alle Compliance-Module |
+| **https://developers-dev.breakpilot.ai/** | Developer Portal | API-Dokumentation fuer Kunden |
+| https://api-dev.breakpilot.ai/ | Backend Compliance | Compliance APIs (DSGVO, DSR, GDPR) |
+| https://sdk-dev.breakpilot.ai/ | AI Compliance SDK | KI-konforme Compliance-Analyse |
 
-### Backend-APIs
+### Lokal (Mac Mini — nur Dev/Tests)
 
 | URL | Service | Beschreibung |
 |-----|---------|--------------|
-| https://macmini:8002/ | Backend Compliance | Compliance APIs (DSGVO, DSR, GDPR) |
-| https://macmini:8093/ | AI Compliance SDK | KI-konforme Compliance-Analyse |
+| https://macmini:3007/ | Admin Compliance | Lokale Entwicklung |
+| https://macmini:3006/ | Developer Portal | Lokale Entwicklung |
+| https://macmini:8002/ | Backend Compliance | Lokale Entwicklung |
+| https://macmini:8093/ | AI Compliance SDK | Lokale Entwicklung |
 
 ### Admin Compliance Module (https://macmini:3007/)
 
@@ -107,18 +201,6 @@ Pruefen: `curl -sf http://macmini:8099/health`
 | docs | MkDocs/nginx | 8011 | bp-compliance-docs |
 | core-wait | curl health-check | - | bp-compliance-core-wait |
 
-### compliance-tts-service
-- Piper TTS + FFmpeg fuer Schulungsvideos
-- Speichert Audio/Video in MinIO (bp-core-minio:9000)
-- TTS-Modell: `de_DE-thorsten-high.onnx`
-- Dateien: `main.py`, `tts_engine.py`, `video_generator.py`, `storage.py`
-
-### document-crawler
-- Dokument-Analyse: PDF, DOCX, XLSX, PPTX
-- Gap-Analyse zwischen bestehenden Dokumenten und Compliance-Anforderungen
-- IPFS-Archivierung via dsms-gateway
-- Kommuniziert mit ai-compliance-sdk (LLM Gateway)
-
 ### Docker-Netzwerk
 Nutzt das externe Core-Netzwerk:
 ```yaml
@@ -163,48 +245,50 @@ breakpilot-compliance/
 ├── dsms-node/                # IPFS Node
 ├── dsms-gateway/             # IPFS Gateway
 ├── scripts/                  # Helper Scripts
-└── docker-compose.yml        # Compliance Compose (~8 Services)
+├── docker-compose.yml        # Compliance Compose (~10 Services, platform: arm64)
+├── docker-compose.hetzner.yml # Override: arm64→amd64 fuer Orca Production
+└── .gitea/workflows/ci.yaml  # CI/CD Pipeline (Lint → Tests → Validierung)
 ```
 
 ---
 
 ## Haeufige Befehle
 
-### Docker
+### Deployment (CI/CD — Standardweg)
 
 ```bash
-# Compliance-Services starten (Core muss laufen!)
-ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml up -d"
+# Committen und pushen → Orca deployt automatisch:
+git push origin main
 
-# Einzelnen Service neu bauen
-ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml build --no-cache <service>"
+# CI-Status pruefen (im Browser):
+# https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions
 
-# Service neu bauen und starten
-ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml build --no-cache <service> && /usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml up -d <service>"
+# Health Checks:
+curl -sf https://api-dev.breakpilot.ai/health
+curl -sf https://sdk-dev.breakpilot.ai/health
+```
 
+### Git
+
+```bash
+git push origin main
+
+# Remote:
+# origin: ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
+```
+
+### Lokale Docker-Befehle (Mac Mini — nur fuer Dev/Tests)
+
+```bash
 # Logs
 ssh macmini "/usr/local/bin/docker logs -f bp-compliance-<service>"
 
 # Status
 ssh macmini "/usr/local/bin/docker ps --filter name=bp-compliance"
-```
 
-**WICHTIG:** Docker-Pfad auf Mac Mini ist `/usr/local/bin/docker` (nicht im Standard-SSH-PATH).
-**WICHTIG:** `cd` funktioniert NICHT in SSH-Einzelbefehlen — immer `-f <pfad>/docker-compose.yml` verwenden!
-Der CLAUDE.md-Entwicklungsworkflow und die Beispiele mit `cd ... &&` sind veraltet — nie so verwenden.
-
-### Git
-
-```bash
-# Zu BEIDEN Remotes pushen (PFLICHT! — vom MacBook):
-git push origin main && git push gitea main
-
-# Auf Mac Mini pullen (RICHTIG: git -C statt cd):
+# Lokaler Rebuild (nur wenn noetig):
 ssh macmini "git -C /Users/benjaminadmin/Projekte/breakpilot-compliance pull --no-rebase origin main"
-
-# Remotes:
-# origin: lokale Gitea (macmini:3003)
-# gitea:  gitea.meghsakha.com:22222
+ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml build --no-cache <service> && /usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/breakpilot-compliance/docker-compose.yml up -d <service>"
 ```
 
 ---
@@ -254,6 +338,36 @@ ssh macmini "git -C /Users/benjaminadmin/Projekte/breakpilot-compliance pull --n
 - `lib/sdk/catalog-manager/` — catalog-registry.ts, types.ts
 - 17 DSGVO/AI-Act Kataloge (dsfa, vvt-baseline, vendor-compliance, etc.)
 
+### Multi-Projekt-Architektur (seit 2026-03-09)
+
+Jeder Tenant kann mehrere Compliance-Projekte anlegen. CompanyProfile ist **pro Projekt** (nicht tenant-weit).
+
+**URL-Schema:** `/sdk?project={uuid}` — alle SDK-Seiten enthalten `?project=` Query-Param.
+`/sdk` ohne `?project=` zeigt die Projektliste (ProjectSelector).
+
+**Datenbank:**
+- `compliance_projects` — Projekt-Metadaten (Name, Typ, Status, Version)
+- `sdk_states` — UNIQUE auf `(tenant_id, project_id)` statt nur `tenant_id`
+- Migration: `039_compliance_projects.sql`
+
+**Backend API (FastAPI):**
+```
+GET    /api/v1/projects              → Alle Projekte des Tenants
+POST   /api/v1/projects              → Neues Projekt erstellen (mit copy_from_project_id)
+GET    /api/v1/projects/{project_id} → Einzelnes Projekt laden
+PATCH  /api/v1/projects/{project_id} → Projekt aktualisieren
+DELETE /api/v1/projects/{project_id} → Projekt archivieren (Soft Delete)
+```
+
+**Frontend:**
+- `components/sdk/ProjectSelector/ProjectSelector.tsx` — Projektliste + Erstellen-Dialog
+- `lib/sdk/types.ts` — `ProjectInfo` Interface, `SDKState.projectId`
+- `lib/sdk/context.tsx` — `projectId` Prop, `createProject()`, `listProjects()`, `switchProject()`
+- `lib/sdk/sync.ts` — BroadcastChannel + localStorage pro Projekt
+- `lib/sdk/api-client.ts` — `projectId` in State-API + Projekt-CRUD-Methoden
+- `app/sdk/layout.tsx` — liest `?project=` aus searchParams
+- `app/api/sdk/v1/projects/` — Next.js Proxy zum Backend
+
 ### Backend-Compliance APIs
 ```
 POST/GET /api/v1/compliance/risks
@@ -263,18 +377,35 @@ POST/GET /api/v1/compliance/evidence
 POST/GET /api/v1/dsr/requests
 POST/GET /api/v1/gdpr/exports
 POST/GET /api/v1/consent/admin
+
+# Stammdaten, Versionierung & Change-Requests
+GET/POST/DELETE /api/compliance/company-profile
+GET /api/compliance/company-profile/template-context
+GET /api/compliance/change-requests
+GET /api/compliance/change-requests/stats
+POST /api/compliance/change-requests/{id}/accept
+POST /api/compliance/change-requests/{id}/reject
+POST /api/compliance/change-requests/{id}/edit
+GET /api/compliance/generation/preview/{doc_type}
+POST /api/compliance/generation/apply/{doc_type}
+GET /api/compliance/{doc}/{id}/versions
 ```
 
+### Multi-Tenancy
+- Shared Dependency: `compliance/api/tenant_utils.py` (`get_tenant_id()`)
+- UUID-Format, kein `"default"` mehr
+- Header `X-Tenant-ID` > Query `tenant_id` > ENV-Fallback
+
 ---
 
 ## Wichtige Dateien (Referenz)
 
 | Datei | Beschreibung |
 |-------|--------------|
-| `admin-compliance/app/(sdk)/` | Alle 37 SDK-Routes |
-| `admin-compliance/components/sdk/SDKSidebar.tsx` | SDK Navigation |
+| `admin-compliance/app/(sdk)/` | Alle 37+ SDK-Routes |
+| `admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx` | SDK Navigation |
 | `admin-compliance/components/sdk/CommandBar.tsx` | Command Palette |
 | `admin-compliance/lib/sdk/context.tsx` | SDK State (Provider) |
-| `backend-compliance/compliance/` | Haupt-Package (40 Dateien) |
+| `backend-compliance/compliance/` | Haupt-Package (50+ Dateien) |
 | `ai-compliance-sdk/` | KI-Compliance Analyse |
 | `developer-portal/` | API-Dokumentation |

.claude/rules/architecture.md

@@ -0,0 +1,43 @@
+# Architecture Rules (auto-loaded)
+
+These rules apply to **every** Claude Code session in this repository, regardless of who launched it. They are non-negotiable.
+
+## File-size budget
+
+- **Soft target:** 300 lines per non-test, non-generated source file.
+- **Hard cap:** 500 lines. The PreToolUse hook in `.claude/settings.json` blocks Write/Edit operations that would create or push a file past 500. The git pre-commit hook re-checks. CI is the final gate.
+- Exceptions live in `.claude/rules/loc-exceptions.txt` and require a written rationale plus `[guardrail-change]` in the commit message. The exceptions list should shrink over time, not grow.
+
+## Clean architecture
+
+- Python (FastAPI): see `AGENTS.python.md`. Layering: `api → services → repositories → db.models`. Routers ≤30 LOC per handler. Schemas split per domain.
+- Go (Gin): see `AGENTS.go.md`. Standard Go Project Layout + hexagonal. `cmd/` thin, wiring in `internal/app`.
+- TypeScript (Next.js): see `AGENTS.typescript.md`. Server-by-default, push the client boundary deep, colocate `_components/` and `_hooks/` per route.
+
+## Database is frozen
+
+- No new Alembic migrations. No `ALTER TABLE`. No `__tablename__` or column renames.
+- The pre-commit hook blocks any change under `migrations/` or `alembic/versions/` unless the commit message contains `[migration-approved]`.
+
+## Public endpoints are a contract
+
+- Any change to a path/method/status/request schema/response schema in a backend service must update every consumer in the same change set.
+- Each backend service has an OpenAPI baseline at `tests/contracts/openapi.baseline.json`. Contract tests fail on drift.
+
+## Tests
+
+- New code without tests fails CI.
+- Refactors must preserve coverage. Before splitting an oversized file, add a characterization test that pins current behavior.
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`, `tests/e2e/`.
+
+## Guardrails are themselves protected
+
+- Edits to `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, or any `AGENTS.*.md` require `[guardrail-change]` in the commit message. The pre-commit hook enforces this.
+- If you (Claude) think a rule is wrong, surface it to the user. Do not silently weaken it.
+
+## Tooling baseline
+
+- Python: `ruff`, `mypy --strict` on new modules, `pytest --cov`.
+- Go: `golangci-lint` strict config, `go vet`, table-driven tests.
+- TS: `tsc --noEmit` strict, ESLint type-aware, Vitest, Playwright.
+- All three: dependency caching in CI, license/SBOM scan via `syft`+`grype`.

.claude/rules/loc-exceptions.txt

@@ -0,0 +1,103 @@
+# loc-exceptions.txt — files allowed to exceed the 500-line hard cap.
+#
+# Format: one repo-relative path per line. Comments start with '#' and are ignored.
+# Each exception MUST be preceded by a comment explaining why splitting is not viable.
+#
+# Phase 0 baseline: this list is initially empty. Phases 1-4 will add grandfathered
+# entries as we encounter legitimate exceptions (e.g. large generated data tables).
+# The goal is for this list to SHRINK over time, never grow.
+
+# --- admin-compliance: static data catalogs (Phase 3) ---
+# Splitting these would fragment lookup tables without improving readability.
+admin-compliance/lib/sdk/tom-generator/controls/loader.ts
+admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts
+admin-compliance/lib/sdk/compliance-scope-triggers.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/processing-activities.ts
+admin-compliance/lib/sdk/catalog-manager/catalog-registry.ts
+admin-compliance/lib/sdk/dsfa/mitigation-library.ts
+admin-compliance/lib/sdk/vvt-baseline-catalog.ts
+admin-compliance/lib/sdk/dsfa/eu-legal-frameworks.ts
+admin-compliance/lib/sdk/dsfa/risk-catalog.ts
+admin-compliance/lib/sdk/loeschfristen-baseline-catalog.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/vendor-templates.ts
+admin-compliance/lib/sdk/vendor-compliance/catalog/legal-basis.ts
+admin-compliance/lib/sdk/vendor-compliance/contract-review/findings.ts
+admin-compliance/lib/sdk/vendor-compliance/contract-review/checklists.ts
+admin-compliance/lib/sdk/compliance-scope-types/document-scope-matrix-core.ts
+admin-compliance/lib/sdk/compliance-scope-types/document-scope-matrix-extended.ts
+admin-compliance/lib/sdk/demo-data/index.ts
+admin-compliance/lib/sdk/tom-generator/demo-data/index.ts
+
+# --- admin-compliance: self-contained export generators (Phase 3) ---
+# Each file generates a complete document format. Splitting mid-generation
+# logic would create artificial module boundaries without benefit.
+admin-compliance/lib/sdk/tom-generator/export/zip.ts
+admin-compliance/lib/sdk/tom-generator/export/docx.ts
+admin-compliance/lib/sdk/tom-generator/export/pdf.ts
+admin-compliance/lib/sdk/einwilligungen/export/pdf.ts
+admin-compliance/lib/sdk/einwilligungen/generator/privacy-policy-sections.ts
+
+# --- backend-compliance: legacy utility services (Phase 1) ---
+# Pre-refactor utility modules not yet split. Phase 5 targets.
+backend-compliance/compliance/services/control_generator.py
+backend-compliance/compliance/services/audit_pdf_generator.py
+backend-compliance/compliance/services/regulation_scraper.py
+backend-compliance/compliance/services/llm_provider.py
+backend-compliance/compliance/services/export_generator.py
+backend-compliance/compliance/services/pdf_extractor.py
+backend-compliance/compliance/services/ai_compliance_assistant.py
+
+# --- backend-compliance: Phase 1 code refactor backlog ---
+# These are the remaining oversized route/service/data/auth files that Phase 1
+# did not reach. Each entry is a tracked refactor debt item — the list must shrink.
+backend-compliance/compliance/services/decomposition_pass.py
+backend-compliance/compliance/api/schemas.py
+backend-compliance/compliance/api/canonical_control_routes.py
+backend-compliance/compliance/db/repository.py
+backend-compliance/compliance/db/models.py
+backend-compliance/compliance/api/evidence_check_routes.py
+backend-compliance/compliance/api/control_generator_routes.py
+backend-compliance/compliance/api/process_task_routes.py
+backend-compliance/compliance/api/evidence_routes.py
+backend-compliance/compliance/api/crosswalk_routes.py
+backend-compliance/compliance/api/dashboard_routes.py
+backend-compliance/compliance/api/dsfa_routes.py
+backend-compliance/compliance/api/routes.py
+backend-compliance/compliance/api/tom_mapping_routes.py
+backend-compliance/compliance/services/control_dedup.py
+backend-compliance/compliance/services/framework_decomposition.py
+backend-compliance/compliance/services/pipeline_adapter.py
+backend-compliance/compliance/services/batch_dedup_runner.py
+backend-compliance/compliance/services/obligation_extractor.py
+backend-compliance/compliance/services/control_composer.py
+backend-compliance/compliance/services/pattern_matcher.py
+backend-compliance/compliance/data/iso27001_annex_a.py
+backend-compliance/compliance/data/service_modules.py
+backend-compliance/compliance/data/controls.py
+backend-compliance/services/pdf_service.py
+backend-compliance/services/file_processor.py
+backend-compliance/auth/keycloak_auth.py
+
+# --- scripts: one-off ingestion, QA, and migration scripts ---
+# These are operational scripts, not production application code.
+# LOC rules don't apply in the same way to single-purpose scripts.
+scripts/ingest-legal-corpus.sh
+scripts/ingest-ce-corpus.sh
+scripts/ingest-dsfa-bundesland.sh
+scripts/edpb-crawler.py
+scripts/apply_templates_023.py
+scripts/qa/phase74_generate_gap_controls.py
+scripts/qa/pdf_qa_all.py
+scripts/qa/benchmark_llm_controls.py
+backend-compliance/scripts/seed_policy_templates.py
+
+# --- docs-src: copies of backend source for documentation rendering ---
+# These are not production code; they are rendered into the static docs site.
+docs-src/control_generator.py
+docs-src/control_generator_routes.py
+
+# --- consent-sdk: platform-native mobile SDKs (Swift / Dart) ---
+# Flutter and iOS SDKs follow platform conventions (verbose verbose) that make
+# splitting into multiple files awkward without sacrificing single-import ergonomics.
+consent-sdk/src/mobile/flutter/consent_sdk.dart
+consent-sdk/src/mobile/ios/ConsentManager.swift

.claude/settings.json

@@ -0,0 +1,28 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] && exit 0; lines=$(printf '%s' \"$(jq -r '.tool_input.content // empty')\" | awk 'END{print NR}'); if [ \"${lines:-0}\" -gt 500 ]; then echo '{\"decision\":\"block\",\"reason\":\"breakpilot guardrail: file exceeds the 500-line hard cap. Split it into smaller modules per the layering rules in AGENTS.<lang>.md. If this is generated/data code, add an entry to .claude/rules/loc-exceptions.txt with rationale and reference [guardrail-change].\"}'; exit 0; fi",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] || [ ! -f \"$f\" ] && exit 0; case \"$f\" in *.md|*.json|*.yaml|*.yml|*test*|*tests/*|*node_modules/*|*.next/*|*migrations/*) exit 0 ;; esac; new_str=$(jq -r '.tool_input.new_string // empty'); old_str=$(jq -r '.tool_input.old_string // empty'); old_lines=$(printf '%s' \"$old_str\" | awk 'END{print NR}'); new_lines=$(printf '%s' \"$new_str\" | awk 'END{print NR}'); cur=$(wc -l < \"$f\" | tr -d ' '); proj=$((cur - old_lines + new_lines)); if [ \"$proj\" -gt 500 ]; then echo \"{\\\"decision\\\":\\\"block\\\",\\\"reason\\\":\\\"breakpilot guardrail: this edit would push $f to ~$proj lines (hard cap is 500). Split the file before continuing. See AGENTS.<lang>.md for the layering rules.\\\"}\"; fi; exit 0",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}

.env.example

@@ -4,7 +4,11 @@
 # Copy to .env and adjust values
 # NOTE: Core must be running! These vars reference Core services.
 
-# Database (same as Core)
+# Compliance SDK Database (externe PostgreSQL — nie committen!)
+# Setzt DATABASE_URL fuer: backend-compliance, ai-compliance-sdk, document-crawler, admin-compliance
+COMPLIANCE_DATABASE_URL=postgresql://<user>:<pass>@<host>:<port>/<db>?sslmode=require
+
+# Legacy Core Database (nur noch fuer Rollback; wird ignoriert wenn COMPLIANCE_DATABASE_URL gesetzt)
 POSTGRES_USER=breakpilot
 POSTGRES_PASSWORD=breakpilot123
 POSTGRES_DB=breakpilot_db
@@ -44,3 +48,11 @@ SESSION_TTL_HOURS=24
 # SMTP (uses Core Mailpit)
 SMTP_HOST=bp-core-mailpit
 SMTP_PORT=1025
+
+# Qdrant (externe Instanz — Hetzner/meghshakka)
+QDRANT_URL=https://qdrant-dev.breakpilot.ai
+QDRANT_API_KEY=<api-key>
+
+# MinIO / Object Storage (Hetzner Object Storage)
+# MINIO_ENDPOINT, MINIO_ACCESS_KEY, MINIO_SECRET_KEY sind direkt in docker-compose hart kodiert
+# (compliance-tts-service: nbg1.your-objectstorage.com)

.env.orca.example

@@ -0,0 +1,61 @@
+# =========================================================
+# BreakPilot Compliance — Orca Environment Variables
+# =========================================================
+# Copy these into Orca's environment variable UI
+# for the breakpilot-compliance Docker Compose resource.
+# =========================================================
+
+# --- External PostgreSQL (Orca-managed, same as Core) ---
+COMPLIANCE_DATABASE_URL=postgresql://breakpilot:CHANGE_ME@<orca-postgres-hostname>:5432/breakpilot_db
+
+# --- Security ---
+JWT_SECRET=CHANGE_ME_SAME_AS_CORE
+
+# --- External S3 Storage (same as Core) ---
+S3_ENDPOINT=<s3-endpoint-host:port>
+S3_ACCESS_KEY=CHANGE_ME_SAME_AS_CORE
+S3_SECRET_KEY=CHANGE_ME_SAME_AS_CORE
+S3_SECURE=true
+
+# --- External Qdrant ---
+QDRANT_URL=https://<qdrant-hostname>
+QDRANT_API_KEY=CHANGE_ME_QDRANT_API_KEY
+
+# --- Session ---
+SESSION_TTL_HOURS=24
+
+# --- SMTP (Real mail server) ---
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USERNAME=compliance@breakpilot.ai
+SMTP_PASSWORD=CHANGE_ME_SMTP_PASSWORD
+SMTP_FROM_NAME=BreakPilot Compliance
+SMTP_FROM_ADDR=compliance@breakpilot.ai
+
+# --- LLM Configuration ---
+COMPLIANCE_LLM_PROVIDER=anthropic
+SELF_HOSTED_LLM_URL=
+SELF_HOSTED_LLM_MODEL=
+COMPLIANCE_LLM_MAX_TOKENS=4096
+COMPLIANCE_LLM_TEMPERATURE=0.3
+COMPLIANCE_LLM_TIMEOUT=120
+ANTHROPIC_API_KEY=CHANGE_ME_ANTHROPIC_KEY
+ANTHROPIC_DEFAULT_MODEL=claude-sonnet-4-5-20250929
+
+# --- Ollama (optional) ---
+OLLAMA_URL=
+OLLAMA_DEFAULT_MODEL=
+COMPLIANCE_LLM_MODEL=
+
+# --- LLM Fallback ---
+LLM_FALLBACK_PROVIDER=
+
+# --- PII & Audit ---
+PII_REDACTION_ENABLED=true
+PII_REDACTION_LEVEL=standard
+AUDIT_RETENTION_DAYS=365
+AUDIT_LOG_PROMPTS=true
+
+# --- Frontend URLs (build args) ---
+NEXT_PUBLIC_API_URL=https://api-compliance.breakpilot.ai
+NEXT_PUBLIC_SDK_URL=https://sdk.breakpilot.ai

.gitea/workflows/build-push-deploy.yml

@@ -0,0 +1,221 @@
+# Build + push compliance service images to registry.meghsakha.com
+# and trigger orca redeploy on every push to main that touches a service.
+#
+# Requires Gitea Actions secrets:
+#   REGISTRY_USERNAME / REGISTRY_PASSWORD  — registry.meghsakha.com credentials
+#   ORCA_WEBHOOK_SECRET                    — must match webhooks.json on orca master
+
+name: Build + Deploy
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'admin-compliance/**'
+      - 'backend-compliance/**'
+      - 'ai-compliance-sdk/**'
+      - 'developer-portal/**'
+      - 'compliance-tts-service/**'
+      - 'document-crawler/**'
+      - 'dsms-gateway/**'
+      - 'dsms-node/**'
+
+jobs:
+  # ── per-service builds run in parallel ────────────────────────────────────
+
+  build-admin-compliance:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-admin:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA} \
+            admin-compliance/
+          docker push registry.meghsakha.com/breakpilot/compliance-admin:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA}
+
+  build-backend-compliance:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-backend:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA} \
+            backend-compliance/
+          docker push registry.meghsakha.com/breakpilot/compliance-backend:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA}
+
+  build-ai-sdk:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-sdk:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA} \
+            ai-compliance-sdk/
+          docker push registry.meghsakha.com/breakpilot/compliance-sdk:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA}
+
+  build-developer-portal:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-portal:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA} \
+            developer-portal/
+          docker push registry.meghsakha.com/breakpilot/compliance-portal:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA}
+
+  build-tts:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-tts:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA} \
+            compliance-tts-service/
+          docker push registry.meghsakha.com/breakpilot/compliance-tts:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA}
+
+  build-document-crawler:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-crawler:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA} \
+            document-crawler/
+          docker push registry.meghsakha.com/breakpilot/compliance-crawler:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA}
+
+  build-dsms-gateway:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA} \
+            dsms-gateway/
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA}
+
+  # ── orca redeploy (only after all builds succeed) ─────────────────────────
+
+  trigger-orca:
+    runs-on: docker
+    container: docker:27-cli
+    needs:
+      - build-admin-compliance
+      - build-backend-compliance
+      - build-ai-sdk
+      - build-developer-portal
+      - build-tts
+      - build-document-crawler
+      - build-dsms-gateway
+    steps:
+      - name: Checkout (for SHA)
+        run: |
+          apk add --no-cache git curl openssl
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Trigger orca redeploy
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
+          ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github
+        run: |
+          SHA=$(git rev-parse HEAD)
+          PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: compliance images built\"}}"
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
+          curl -sSf -k \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: sha256=$SIG" \
+            -d "$PAYLOAD" \
+            "$ORCA_WEBHOOK_URL" \
+            || { echo "Orca redeploy failed"; exit 1; }
+          echo "Orca redeploy triggered for compliance services"

.gitea/workflows/ci.yaml

@@ -1,24 +1,92 @@
-# Gitea Actions CI Pipeline
-# BreakPilot Compliance
+# BreakPilot Compliance — CI Pipeline
 #
-# Services:
-#   Go: ai-compliance-sdk
-#   Python: backend-compliance, document-crawler, dsms-gateway
-#   Node.js: admin-compliance, developer-portal
+# Feature branch workflow:
+#   feat/* | feature/* | fix/* | hotfix/* | chore/* | refactor/* | docs/* | test/* | ci/*
+#   → open PR targeting main
+#   → all jobs run as PR gates
+#   → squash merge to main
+#   → subset of jobs re-run on main to catch merge surprises
+#
+# Deploy is handled by build-push-deploy.yml on push to main.
 
 name: CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main]
   pull_request:
-    branches: [main, develop]
+    branches: [main]
 
 jobs:
-  # ========================================
-  # Lint (nur bei PRs)
-  # ========================================
 
+  # ── Branch naming convention (PR only) ──────────────────────────────────
+  branch-name:
+    runs-on: docker
+    container: alpine:3.20
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Validate branch name
+        run: |
+          BRANCH="${GITHUB_HEAD_REF}"
+          if ! echo "$BRANCH" | grep -qE '^(feat|feature|fix|hotfix|chore|refactor|docs|test|ci)/.+'; then
+            echo "::error::Branch '$BRANCH' does not follow naming convention."
+            echo "Required prefix: feat/ feature/ fix/ hotfix/ chore/ refactor/ docs/ test/ ci/"
+            exit 1
+          fi
+          echo "Branch name OK: $BRANCH"
+
+  # ── Guardrail integrity (PR only) ────────────────────────────────────────
+  guardrail-integrity:
+    runs-on: docker
+    container: alpine:3.20
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 20 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git fetch origin ${GITHUB_BASE_REF}:base
+      - name: Require [guardrail-change] in commits touching guardrails
+        run: |
+          changed=$(git diff --name-only base...HEAD)
+          echo "$changed" | grep -qE '^(\.claude/settings\.json|\.claude/rules/loc-exceptions\.txt|scripts/check-loc\.sh|scripts/githooks/pre-commit|AGENTS\.(python|go|typescript)\.md)$' || exit 0
+          if ! git log base..HEAD --format=%B | grep -q '\[guardrail-change\]'; then
+            echo "::error::Guardrail files modified without [guardrail-change] in any commit message."
+            exit 1
+          fi
+
+  # ── LOC budget (always) ──────────────────────────────────────────────────
+  loc-budget:
+    runs-on: docker
+    container: alpine:3.20
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git bash
+          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Enforce 500-line hard cap
+        run: |
+          chmod +x scripts/check-loc.sh
+          scripts/check-loc.sh
+
+  # ── Secret scanning (PR only) ────────────────────────────────────────────
+  secret-scan:
+    runs-on: docker
+    container: zricethezav/gitleaks:v8.21.2
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Scan for secrets
+        run: |
+          gitleaks detect --source . --no-git \
+            --exit-code 1 \
+            --redact \
+            || { echo "::error::Secrets detected — remove them before merging."; exit 1; }
+
+  # ── Go lint + build (PR only) ────────────────────────────────────────────
   go-lint:
     runs-on: docker
     if: github.event_name == 'pull_request'
@@ -30,10 +98,16 @@ jobs:
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
       - name: Lint ai-compliance-sdk
         run: |
-          if [ -d "ai-compliance-sdk" ]; then
-            cd ai-compliance-sdk && golangci-lint run --timeout 5m ./...
-          fi
+          [ -d "ai-compliance-sdk" ] || exit 0
+          cd ai-compliance-sdk
+          golangci-lint run --timeout 5m ./...
+      - name: Build ai-compliance-sdk
+        run: |
+          [ -d "ai-compliance-sdk" ] || exit 0
+          cd ai-compliance-sdk
+          go build ./...
 
+  # ── Python lint + import check (PR only) ────────────────────────────────
   python-lint:
     runs-on: docker
     if: github.event_name == 'pull_request'
@@ -43,16 +117,27 @@ jobs:
         run: |
           apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
-      - name: Lint Python services
+      - name: Lint (ruff) + type-check (mypy)
         run: |
-          pip install --quiet ruff
-          for svc in backend-compliance document-crawler dsms-gateway; do
-            if [ -d "$svc" ]; then
-              echo "=== Linting $svc ==="
-              ruff check "$svc/" --output-format=github || true
-            fi
+          pip install --quiet ruff mypy
+          fail=0
+          for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
+            [ -d "$svc" ] || continue
+            echo "=== ruff: $svc ===" && ruff check "$svc/" --output-format=github || fail=1
           done
+          if [ -f "backend-compliance/mypy.ini" ]; then
+            cd backend-compliance && mypy compliance/ || fail=1
+          fi
+          exit $fail
+      - name: Import sanity check (catches NameError at collection time)
+        run: |
+          cd backend-compliance
+          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
+          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
+          python -c "import compliance; print('Import OK')" \
+            || { echo "::error::compliance package fails to import — missing import or syntax error."; exit 1; }
 
+  # ── Node.js lint + type-check (PR only) ─────────────────────────────────
   nodejs-lint:
     runs-on: docker
     if: github.event_name == 'pull_request'
@@ -62,23 +147,105 @@ jobs:
         run: |
           apk add --no-cache git
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
-      - name: Lint Node.js services
+      - name: Lint + type-check
         run: |
+          fail=0
           for svc in admin-compliance developer-portal; do
-            if [ -d "$svc" ]; then
-              echo "=== Linting $svc ==="
-              cd "$svc"
-              npm ci --silent 2>/dev/null || npm install --silent
-              npx next lint || true
-              cd ..
-            fi
+            [ -d "$svc" ] || continue
+            echo "=== $svc: install ===" && (cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
+            echo "=== $svc: next lint ===" && (cd "$svc" && npx next lint) || fail=1
+            echo "=== $svc: tsc ===" && (cd "$svc" && npx tsc --noEmit) || fail=1
           done
+          exit $fail
 
-  # ========================================
-  # Unit Tests
-  # ========================================
+  # ── Node.js build — next build (PR + push to main) ───────────────────────
+  nodejs-build:
+    runs-on: docker
+    container: node:20-alpine
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Build Next.js services
+        run: |
+          fail=0
+          for svc in admin-compliance developer-portal; do
+            [ -d "$svc" ] || continue
+            echo "=== $svc: install ==="
+            (cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
+            echo "=== $svc: next build ==="
+            (cd "$svc" && \
+              NEXT_PUBLIC_API_URL=https://api-dev.breakpilot.ai \
+              NEXT_PUBLIC_SDK_URL=https://sdk-dev.breakpilot.ai \
+              npm run build) || fail=1
+          done
+          exit $fail
 
-  test-go-ai-compliance:
+  # ── Dependency audit (PR only) ───────────────────────────────────────────
+  dep-audit:
+    runs-on: docker
+    if: github.event_name == 'pull_request'
+    container: python:3.12-slim
+    steps:
+      - name: Checkout
+        run: |
+          apt-get update -qq && apt-get install -y -qq git curl > /dev/null 2>&1
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Install Node.js + Go
+        run: |
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
+          apt-get install -y nodejs golang-go > /dev/null 2>&1
+      - name: Python — pip-audit
+        run: |
+          pip install --quiet pip-audit
+          fail=0
+          for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
+            [ -f "$svc/requirements.txt" ] || continue
+            echo "=== pip-audit: $svc ==="
+            pip-audit -r "$svc/requirements.txt" --skip-editable -f columns || fail=1
+          done
+          exit $fail
+      - name: Node.js — npm audit
+        run: |
+          fail=0
+          for svc in admin-compliance developer-portal; do
+            [ -d "$svc" ] || continue
+            echo "=== npm audit: $svc ==="
+            (cd "$svc" && npm audit --audit-level=moderate --json 2>/dev/null | \
+              node -e "const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')); \
+                const hi=Object.values(d.vulnerabilities||{}).filter(v=>['high','critical'].includes(v.severity)).length; \
+                if(hi>0){console.error('HIGH/CRITICAL: '+hi);process.exit(1)}") || fail=1
+          done
+          exit $fail
+      - name: Go — govulncheck
+        run: |
+          [ -d "ai-compliance-sdk" ] || exit 0
+          go install golang.org/x/vuln/cmd/govulncheck@latest 2>/dev/null
+          cd ai-compliance-sdk && govulncheck ./... || true
+          # Non-blocking until Go module versions are pinned
+
+  # ── SBOM + vulnerability scan (PR only) ─────────────────────────────────
+  sbom-scan:
+    runs-on: docker
+    if: github.event_name == 'pull_request'
+    container: alpine:3.20
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git curl bash
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Install syft + grype
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh  | sh -s -- -b /usr/local/bin
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+      - name: Generate SBOM
+        run: mkdir -p sbom-out && syft dir:. -o cyclonedx-json=sbom-out/sbom.cdx.json -q
+      - name: Vulnerability scan (fail on high+)
+        run: grype sbom:sbom-out/sbom.cdx.json --fail-on high -q
+
+  # ── Tests (PR + push to main) ─────────────────────────────────────────────
+  test-go:
     runs-on: docker
     container: golang:1.24-alpine
     env:
@@ -90,16 +257,12 @@ jobs:
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
       - name: Test ai-compliance-sdk
         run: |
-          if [ ! -d "ai-compliance-sdk" ]; then
-            echo "WARNUNG: ai-compliance-sdk nicht gefunden"
-            exit 0
-          fi
+          [ -d "ai-compliance-sdk" ] || exit 0
           cd ai-compliance-sdk
-          go test -v -coverprofile=coverage.out ./... 2>&1
-          COVERAGE=$(go tool cover -func=coverage.out 2>/dev/null | tail -1 | awk '{print $3}' || echo "0%")
-          echo "Coverage: $COVERAGE"
+          go test -v -coverprofile=coverage.out ./...
+          go tool cover -func=coverage.out | tail -1
 
-  test-python-backend-compliance:
+  test-python-backend:
     runs-on: docker
     container: python:3.12-slim
     env:
@@ -111,14 +274,11 @@ jobs:
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
       - name: Test backend-compliance
         run: |
-          if [ ! -d "backend-compliance" ]; then
-            echo "WARNUNG: backend-compliance nicht gefunden"
-            exit 0
-          fi
+          [ -d "backend-compliance" ] || exit 0
           cd backend-compliance
           export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
           pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
-          pip install --quiet --no-cache-dir fastapi uvicorn pytest pytest-asyncio
+          pip install --quiet --no-cache-dir pytest pytest-asyncio
           python -m pytest compliance/tests/ -v --tb=short
 
   test-python-document-crawler:
@@ -133,10 +293,7 @@ jobs:
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
       - name: Test document-crawler
         run: |
-          if [ ! -d "document-crawler" ]; then
-            echo "WARNUNG: document-crawler nicht gefunden"
-            exit 0
-          fi
+          [ -d "document-crawler" ] || exit 0
           cd document-crawler
           export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
           pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
@@ -155,12 +312,21 @@ jobs:
           git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
       - name: Test dsms-gateway
         run: |
-          if [ ! -d "dsms-gateway" ]; then
-            echo "WARNUNG: dsms-gateway nicht gefunden"
-            exit 0
-          fi
+          [ -d "dsms-gateway" ] || exit 0
           cd dsms-gateway
           export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
           pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
           pip install --quiet --no-cache-dir pytest pytest-asyncio
           python -m pytest test_main.py -v --tb=short
+
+  # ── OpenAPI contract validation (always) ─────────────────────────────────
+  validate-canonical-controls:
+    runs-on: docker
+    container: python:3.12-slim
+    steps:
+      - name: Checkout
+        run: |
+          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Validate controls
+        run: python scripts/validate-controls.py

.gitea/workflows/rag-ingest.yaml

@@ -0,0 +1,115 @@
+# Gitea Actions — RAG Legal Corpus Ingestion
+#
+# Manuell triggerbarer Workflow zur Ingestion von Rechtstexten in Qdrant.
+# Trigger: Gitea UI → Actions → "RAG Ingestion" → Run
+#
+# Phasen: gesetze, eu, templates, datenschutz, verbraucherschutz, verify, version, all
+#
+# Voraussetzung: RAG-Service und Qdrant muessen auf Orca laufen.
+# Die BreakPilot-Services muessen deployed sein (ci.yaml deploy-orca).
+
+name: RAG Ingestion
+
+on:
+  workflow_dispatch:
+    inputs:
+      phase:
+        description: 'Ingestion Phase (gesetze, eu, templates, datenschutz, verbraucherschutz, dach, security, verify, version, all)'
+        required: true
+        default: 'verbraucherschutz'
+
+jobs:
+  ingest:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Setup
+        run: |
+          apk add --no-cache git curl bash > /dev/null 2>&1
+
+      - name: Checkout
+        run: |
+          git clone --depth 1 --branch main ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+
+      - name: Run Ingestion
+        run: |
+          set -euo pipefail
+          PHASE="${{ github.event.inputs.phase }}"
+
+          echo "=== RAG Ingestion: Phase ${PHASE} ==="
+          echo ""
+
+          # Pruefen ob Services laufen
+          echo "--- BreakPilot Container ---"
+          docker ps --filter name=bp- --format "{{.Names}}: {{.Status}}" 2>/dev/null || true
+          echo ""
+
+          # Netzwerk finden in dem die bp-Services laufen
+          BP_NETWORK=$(docker inspect bp-core-rag-service --format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}' 2>/dev/null || echo "")
+          if [ -z "$BP_NETWORK" ]; then
+            BP_NETWORK=$(docker inspect bp-compliance-backend --format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}' 2>/dev/null || echo "")
+          fi
+
+          if [ -z "$BP_NETWORK" ]; then
+            echo "FEHLER: Keine BreakPilot-Container gefunden."
+            echo "Bitte zuerst deployen (CI/CD Pipeline oder manuell)."
+            echo ""
+            echo "Verfuegbare Container:"
+            docker ps --format "  {{.Names}}" 2>/dev/null || true
+            echo ""
+            echo "Verfuegbare Netzwerke:"
+            docker network ls --format "  {{.Name}}" 2>/dev/null || true
+            exit 1
+          fi
+
+          echo "BreakPilot Netzwerk: $BP_NETWORK"
+          echo ""
+
+          # Ingestion-Container erstellen (noch nicht starten),
+          # dann Scripts aus dem Checkout per docker cp hineinkopieren.
+          # So verwenden wir IMMER die neueste Version der Scripts,
+          # unabhaengig vom Deploy-Dir auf dem Host.
+          CONTAINER_ID=$(docker create \
+            --network "$BP_NETWORK" \
+            -e "WORK_DIR=/tmp/rag-ingestion" \
+            -e "RAG_URL=http://bp-core-rag-service:8097/api/v1/documents/upload" \
+            -e "QDRANT_URL=https://qdrant-dev.breakpilot.ai" \
+            -e "QDRANT_API_KEY=z9cKbT74vl1aKPD1QGIlKWfET47VH93u" \
+            -e "SDK_URL=http://bp-compliance-ai-sdk:8090" \
+            alpine:3.19 \
+            sh -c "
+              apk add --no-cache curl bash coreutils git python3 unzip > /dev/null 2>&1
+              mkdir -p /tmp/rag-ingestion/{pdfs,repos,texts}
+              mkdir -p /workspace/scripts
+              cp -r /workspace_scripts/* /workspace/scripts/ 2>/dev/null || true
+              cd /workspace
+              if [ '${PHASE}' = 'all' ]; then
+                bash scripts/ingest-legal-corpus.sh
+              elif [ '${PHASE}' = 'download' ]; then
+                bash scripts/ingest-legal-corpus.sh --only download
+              else
+                echo '=== Running download phase first ==='
+                bash scripts/ingest-legal-corpus.sh --only download
+                echo ''
+                echo '=== Running phase: ${PHASE} ==='
+                bash scripts/ingest-legal-corpus.sh --only '${PHASE}'
+              fi
+            ")
+
+          echo "Container: $CONTAINER_ID"
+
+          # Workspace-Dir im Container anlegen und Scripts hineinkopieren
+          docker cp scripts "${CONTAINER_ID}:/workspace_scripts"
+          echo "Scripts kopiert (aus Git-Checkout)"
+
+          # Container starten und Output streamen
+          docker start -a "${CONTAINER_ID}" || EXITCODE=$?
+
+          # Container aufraeumen
+          docker rm -f "${CONTAINER_ID}" 2>/dev/null || true
+
+          echo ""
+          echo "=== Ingestion abgeschlossen ==="
+
+          # Exit mit dem Original-Exitcode
+          exit ${EXITCODE:-0}

.gitignore

@@ -11,12 +11,19 @@ secrets/
 # Node
 node_modules/
 .next/
+dist/
+.turbo/
+pnpm-lock.yaml
+.pnpm-store/
 
 # Python
 __pycache__/
 *.pyc
 venv/
 .venv/
+.coverage
+coverage.out
+test_*.db
 
 # Docker
 backups/*.backup
@@ -40,3 +47,4 @@ backups/*.backup
 *.mp3
 *.wav
 ai-compliance-sdk/server
+*.bak

AGENTS.go.md

@@ -0,0 +1,176 @@
+# AGENTS.go.md — Go Service Conventions
+
+Applies to: `ai-compliance-sdk/`.
+
+## Layered architecture (Gin)
+
+Follows [Standard Go Project Layout](https://github.com/golang-standards/project-layout) + hexagonal/clean-arch.
+
+```
+ai-compliance-sdk/
+├── cmd/server/main.go         # Thin: parse flags → app.New → app.Run. <50 LOC.
+├── internal/
+│   ├── app/                   # Wiring: config + DI graph + lifecycle.
+│   ├── domain/                # Pure types, interfaces, errors. No I/O imports.
+│   │   └── <aggregate>/
+│   ├── service/               # Business logic. Depends on domain interfaces only.
+│   │   └── <aggregate>/
+│   ├── repository/postgres/   # Concrete repo implementations.
+│   │   └── <aggregate>/
+│   ├── transport/http/        # Gin handlers. Thin. One handler per file group.
+│   │   ├── handler/<aggregate>/
+│   │   ├── middleware/
+│   │   └── router.go
+│   └── platform/              # DB pool, logger, config, tracing.
+└── pkg/                       # Importable by other repos. Empty unless needed.
+```
+
+**Dependency direction:** `transport → service → domain ← repository`. `domain` imports nothing from siblings.
+
+## Handlers
+
+- One handler = one Gin function. ≤40 LOC.
+- Bind → call service → map domain error to HTTP via `httperr.Write(c, err)` → respond.
+- Return early on errors. No business logic, no SQL.
+
+```go
+func (h *IACEHandler) Create(c *gin.Context) {
+    var req CreateIACERequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        httperr.Write(c, httperr.BadRequest(err))
+        return
+    }
+    out, err := h.svc.Create(c.Request.Context(), req.ToInput())
+    if err != nil {
+        httperr.Write(c, err)
+        return
+    }
+    c.JSON(http.StatusCreated, out)
+}
+```
+
+## Services
+
+- Struct + constructor + interface methods. No package-level state.
+- Take `context.Context` as first arg always. Propagate to repos.
+- Return `(value, error)`. Wrap with `fmt.Errorf("create iace: %w", err)`.
+- Domain errors implemented as sentinel vars or typed errors; matched with `errors.Is` / `errors.As`.
+
+## Repositories
+
+- Interface lives in `domain/<aggregate>/repository.go`. Implementation in `repository/postgres/<aggregate>/`.
+- One file per query group; no file >500 LOC.
+- Use `pgx`/`sqlc` over hand-rolled string SQL when feasible. No ORM globals.
+- All queries take `ctx`. No background goroutines without explicit lifecycle.
+
+## Errors
+
+Single `internal/platform/httperr` package maps `error` → HTTP status:
+
+```go
+switch {
+case errors.Is(err, domain.ErrNotFound):    return 404
+case errors.Is(err, domain.ErrConflict):    return 409
+case errors.As(err, &validationErr):        return 422
+default:                                    return 500
+}
+```
+
+Never `panic` in request handling. `recover` middleware logs and returns 500.
+
+## Tests
+
+- Co-located `*_test.go`.
+- **Table-driven** tests for service logic; use `t.Run(tt.name, ...)`.
+- Handlers tested with `httptest.NewRecorder`.
+- Repos tested with `testcontainers-go` (or the existing compose Postgres) — never mocks at the SQL boundary.
+- Coverage target: 80% on `service/`. CI fails on regression.
+
+```go
+func TestIACEService_Create(t *testing.T) {
+    tests := []struct {
+        name    string
+        input   service.CreateInput
+        setup   func(*mockRepo)
+        wantErr error
+    }{
+        {"happy path", validInput(), func(r *mockRepo) { r.createReturns(nil) }, nil},
+        {"conflict",   validInput(), func(r *mockRepo) { r.createReturns(domain.ErrConflict) }, domain.ErrConflict},
+    }
+    for _, tt := range tests {
+        t.Run(tt.name, func(t *testing.T) { /* ... */ })
+    }
+}
+```
+
+## Tooling
+
+Run lint before pushing:
+
+```bash
+golangci-lint run --timeout 5m ./...
+```
+
+The `.golangci.yml` at the service root (`ai-compliance-sdk/.golangci.yml`) enables: `errcheck, govet, staticcheck, gosec, gocyclo (≤20), gocritic, revive, goimports, unused, ineffassign`. Fix lint violations in new code; legacy violations are tracked but not required to fix immediately.
+
+- `gofumpt` formatting.
+- `go vet ./...` clean.
+- `go mod tidy` clean — no unused deps.
+
+## File splitting pattern
+
+When a Go file exceeds the 500-line hard cap, split it in place — no new packages needed:
+
+- All split files stay in **the same package directory** with the **same `package <name>` declaration**.
+- No import changes are needed anywhere because Go packages are directory-scoped.
+- Naming: `store_projects.go`, `store_components.go` (noun + underscore + sub-resource).
+- For handlers: `iace_handler_projects.go`, `iace_handler_hazards.go`, etc.
+- Before splitting, add a characterization test that pins current behaviour.
+
+## Error handling
+
+Domain errors are defined in `internal/domain/<aggregate>/errors.go` as sentinel vars or typed errors. The mapping from domain error to HTTP status lives exclusively in `internal/platform/httperr/httperr.go` via `errors.Is` / `errors.As`. Handlers call `httperr.Write(c, err)` — **never** directly call `c.JSON` with a status code derived from business logic.
+
+## Context propagation
+
+- Always pass `ctx context.Context` as the **first parameter** in every service and repository method.
+- Never store a context in a struct field — pass it per call.
+- Cancellation must be respected: check `ctx.Err()` in loops; propagate to all I/O calls.
+
+## Concurrency
+
+- Goroutines must have a clear lifecycle owner (struct method that started them must stop them).
+- Pass `ctx` everywhere. Cancellation respected.
+- No global mutexes for request data. Use per-request context.
+
+## Before every push — MANDATORY
+
+Run all steps for `ai-compliance-sdk/` before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd ai-compliance-sdk
+
+# 1. Vet + lint
+go vet ./...
+golangci-lint run --timeout 5m ./...
+
+# 2. Tests
+go test ./...
+
+# 3. Build
+go build ./...
+```
+
+All steps must exit 0. Do not push if any step fails.
+
+## What you may NOT do
+
+- Touch DB schema/migrations.
+- Add a new top-level package directly under `internal/` without architectural review.
+- `import "C"`, unsafe, reflection-heavy code.
+- Use `init()` for non-trivial setup. Wire it in `internal/app`.
+- Use `interface{}` / `any` in new code without an explicit comment justifying it.
+- Call `log.Fatal` outside of `main.go`; panicking in request handling is also forbidden.
+- Shadow `err` with `:=` inside an `if`-block when the outer scope already declares `err` — use `=` or rename.
+- Create a file >500 lines.
+- Change a public route's contract without updating consumers.

AGENTS.python.md

@@ -0,0 +1,168 @@
+# AGENTS.python.md — Python Service Conventions
+
+Applies to: `backend-compliance/`, `document-crawler/`, `dsms-gateway/`, `compliance-tts-service/`.
+
+## Layered architecture (FastAPI)
+
+```
+compliance/
+├── api/                # HTTP layer — routers only. Thin (≤30 LOC per handler).
+│   └── <domain>_routes.py
+├── services/           # Business logic. Pure-ish; no FastAPI imports.
+│   └── <domain>_service.py
+├── repositories/       # DB access. Owns SQLAlchemy session usage.
+│   └── <domain>_repository.py
+├── domain/             # Value objects, enums, domain exceptions.
+├── schemas/            # Pydantic models, split per domain. NEVER one giant schemas.py.
+│   └── <domain>.py
+└── db/
+    └── models/         # SQLAlchemy ORM, one module per aggregate. __tablename__ frozen.
+```
+
+**Dependency direction:** `api → services → repositories → db.models`. Lower layers must not import upper layers.
+
+## Routers
+
+- One `APIRouter` per domain file.
+- Handlers do exactly: parse request → call service → map domain errors to HTTPException → return response model.
+- Inject services via `Depends`. No globals.
+- Tag routes; document with summary + response_model.
+
+```python
+@router.post("/dsr/requests", response_model=DSRRequestRead, status_code=201)
+async def create_dsr_request(
+    payload: DSRRequestCreate,
+    service: DSRService = Depends(get_dsr_service),
+    tenant_id: UUID = Depends(get_tenant_id),
+) -> DSRRequestRead:
+    try:
+        return await service.create(tenant_id, payload)
+    except DSRConflict as exc:
+        raise HTTPException(409, str(exc)) from exc
+```
+
+## Services
+
+- Constructor takes the repository (interface, not concrete).
+- No `Request`, `Response`, or HTTP knowledge.
+- Raise domain exceptions (e.g. `DSRConflict`, `DSRNotFound`), never `HTTPException`.
+- Return domain objects or Pydantic schemas — pick one and stay consistent inside a service.
+
+## Repositories
+
+- Methods are intent-named (`get_pending_for_tenant`), not CRUD-named (`select_where`).
+- Sessions injected, not constructed inside.
+- No business logic. No cross-aggregate joins for unrelated workflows — that belongs in a service.
+- Return ORM models or domain VOs; never `Row`.
+
+## Schemas (Pydantic v2)
+
+- One module per domain. Module ≤300 lines.
+- Use `model_config = ConfigDict(from_attributes=True, frozen=True)` for read models.
+- Separate `*Create`, `*Update`, `*Read`. No giant union schemas.
+
+## Tests (`pytest`)
+
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`.
+- Unit tests mock the repository. Use `pytest.fixture` + `unittest.mock.AsyncMock`.
+- Integration tests run against the real Postgres from `docker-compose.yml` via a transactional fixture (rollback after each test).
+- Contract tests diff `/openapi.json` against `tests/contracts/openapi.baseline.json`.
+- Naming: `test_<unit>_<scenario>_<expected>.py::TestClass::test_method`.
+- `pytest-asyncio` mode = `auto`. Mark slow tests with `@pytest.mark.slow`.
+- Coverage target: 80% for new code; never decrease the service baseline.
+
+## Tooling
+
+- `ruff check` + `ruff format` (line length 100).
+- `mypy --strict` on `services/`, `repositories/`, `domain/`. Expand outward.
+- `pip-audit` in CI.
+- Async-first: prefer `httpx.AsyncClient`, `asyncpg`/`SQLAlchemy 2.x async`.
+
+## mypy configuration
+
+`backend-compliance/mypy.ini` is the mypy config. Strict mode is on globally; per-module overrides exist only for legacy files that have not been cleaned up yet.
+
+- New modules added to `compliance/services/` or `compliance/repositories/` **must** pass `mypy --strict`.
+- To type-check a new module: `cd backend-compliance && mypy compliance/your_new_module.py`
+- When you fully type a legacy file, **remove its loose-override block** from `mypy.ini` as part of the same PR.
+
+## Dependency injection
+
+Services and repositories are wired via FastAPI `Depends`. Never instantiate a service or repository directly inside a handler.
+
+```python
+# dependencies.py
+def get_my_service(db: AsyncSession = Depends(get_db)) -> MyService:
+    return MyService(MyRepository(db))
+
+# router
+@router.get("/items", response_model=list[ItemRead])
+async def list_items(svc: MyService = Depends(get_my_service)) -> list[ItemRead]:
+    return await svc.list()
+```
+
+- Services take repositories in `__init__`; repositories take `Session` or `AsyncSession`.
+
+## Structured logging
+
+```python
+import structlog
+logger = structlog.get_logger()
+
+# Always bind context before logging:
+logger.bind(tenant_id=str(tid), action="create_dsfa").info("dsfa created")
+```
+
+- Audit-relevant actions must use the audit logger with a `legal_basis` field.
+- Never log secrets, PII, or full request bodies.
+
+## Barrel re-export pattern
+
+When an oversized file (e.g. `schemas.py`, `models.py`) is split into a sub-package, the original stays as a **thin re-exporter** so existing consumer imports keep working:
+
+```python
+# compliance/schemas.py  (barrel — DO NOT ADD NEW CODE HERE)
+from .schemas.ai import *        # noqa: F401, F403
+from .schemas.consent import *   # noqa: F401, F403
+```
+
+- New code imports from the specific module (e.g. `from compliance.schemas.ai import AIRiskRead`), not the barrel.
+- `from module import *` is only permitted in barrel files.
+
+## Errors & logging
+
+- Domain errors inherit from a single `DomainError` base per service.
+- Log via `structlog` with bound context (`tenant_id`, `request_id`). Never log secrets, PII, or full request bodies.
+- Audit-relevant actions go through the audit logger, not the application logger.
+
+## Before every push — MANDATORY
+
+Run all three steps for every Python service you touched before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd <service>   # backend-compliance | document-crawler | dsms-gateway | compliance-tts-service
+
+# 1. Lint
+ruff check .
+mypy compliance/   # only for backend-compliance
+
+# 2. Tests
+pytest -x
+
+# 3. Import sanity (catches NameError at collection time)
+python -c "import compliance"   # or the service's main module
+```
+
+All steps must exit 0. Do not push if any step fails.
+
+## What you may NOT do
+
+- Add a new Alembic migration.
+- Rename a `__tablename__`, column, or enum value.
+- Change a public route's path/method/status/schema without simultaneous dashboard fix.
+- Catch `Exception` broadly — catch the specific domain or library error.
+- Put business logic in a router or in a Pydantic validator.
+- `from module import *` in new code — only in barrel re-exporters.
+- `raise HTTPException` inside the service layer — raise domain exceptions; map them in the router.
+- Use `model_validate` on untrusted external data without an explicit schema boundary.
+- Create a new file >500 lines. Period.

AGENTS.typescript.md

@@ -0,0 +1,145 @@
+# AGENTS.typescript.md — TypeScript / Next.js Conventions
+
+Applies to: `admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`, `dsms-node/` (where applicable).
+
+## Layered architecture (Next.js 15 App Router)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component by default. ≤200 LOC.
+│   ├── layout.tsx
+│   ├── _components/          # Private folder; not routable. Colocated UI.
+│   │   └── <Component>.tsx   # Each file ≤300 LOC.
+│   ├── _hooks/               # Client hooks for this route.
+│   ├── _server/              # Server actions, data loaders for this route.
+│   └── loading.tsx / error.tsx
+├── api/
+│   └── <domain>/route.ts     # Thin handler. Delegates to lib/server/<domain>/.
+lib/
+├── <domain>/                 # Pure helpers, types, schemas (zod). Reusable.
+└── server/<domain>/          # Server-only logic; uses "server-only" import.
+components/                   # Truly shared, app-wide components.
+```
+
+**Server vs Client:** Default is Server Component. Add `"use client"` only when you need state, effects, or browser APIs. Push the boundary as deep as possible.
+
+## API routes (route.ts)
+
+- One handler per HTTP method, ≤40 LOC.
+- Validate input with zod `safeParse` — never `parse` (throws and bypasses error handling).
+- Delegate to `lib/server/<domain>/`. No business logic in `route.ts`.
+- Always return `NextResponse.json(..., { status })`. Let the framework's error boundary handle unexpected errors — don't wrap the entire handler in `try/catch`.
+
+```typescript
+// app/api/<domain>/route.ts  (≤40 LOC)
+import { NextRequest, NextResponse } from 'next/server';
+import { mySchema } from '@/lib/schemas/<domain>';
+import { myService } from '@/lib/server/<domain>';
+
+export async function POST(req: NextRequest) {
+  const body = mySchema.safeParse(await req.json());
+  if (!body.success) return NextResponse.json({ error: body.error }, { status: 400 });
+  const result = await myService.create(body.data);
+  return NextResponse.json(result, { status: 201 });
+}
+```
+
+## Page components
+
+- Pages >300 lines must be split into colocated `_components/`.
+- Server Components fetch data; pass plain objects to Client Components.
+- No data fetching in `useEffect` for server-renderable data.
+- State management: prefer URL state (`searchParams`) and Server Components over global stores.
+
+## Types
+
+- `lib/sdk/types.ts` is being split into `lib/sdk/types/<domain>.ts`. Mirror backend domain boundaries.
+- All API DTOs are zod schemas; infer types via `z.infer`.
+- No `any`. No `as unknown as`. If you reach for it, the type is wrong.
+- Always use `import type { Foo }` for type-only imports.
+- Never use `as` type assertions except when bridging external data at a boundary (add a comment explaining why).
+- No `@ts-ignore`. `@ts-expect-error` only with a comment explaining the suppression.
+
+## Barrel re-export pattern
+
+`lib/sdk/types.ts` is a barrel — it re-exports from domain-specific files. **Do not add new types directly to it.**
+
+```typescript
+// lib/sdk/types.ts  (barrel — DO NOT ADD NEW TYPES HERE)
+export * from './types/enums';
+export * from './types/company-profile';
+// ... etc.
+
+// New types go in lib/sdk/types/<domain>.ts
+```
+
+- When splitting an oversized file, keep the original as a thin barrel so existing imports don't break.
+- New code imports directly from the specific module (e.g. `import type { CompanyProfile } from '@/lib/sdk/types/company-profile'`), not the barrel.
+
+## Server vs Client components
+
+Default is Server Component. Add `"use client"` only when required:
+
+| Need | Pattern |
+|------|---------|
+| Data fetching only | Server Component (no directive) |
+| `useState` / `useEffect` | Client Component (`"use client"`) |
+| Browser API | Client Component |
+| Event handlers | Client Component |
+
+- Pass only serializable props from Server → Client Components (no functions, no class instances).
+- Never add `"use client"` to a layout or page just because one child needs it — extract the client part into a `_components/` file.
+
+## Tests
+
+- Unit: **Vitest** (`*.test.ts`/`*.test.tsx`), colocated.
+- Hooks: `@testing-library/react` `renderHook`.
+- E2E: **Playwright** (`tests/e2e/`), one spec per top-level page, smoke happy path minimum.
+- Snapshot tests sparingly — only for stable output (CSV, JSON-LD).
+- Coverage target: 70% on `lib/`, smoke coverage on `app/`.
+
+## Tooling
+
+- `tsc --noEmit` clean (strict mode, `noUncheckedIndexedAccess: true`).
+- ESLint with `@typescript-eslint`, `eslint-config-next`, type-aware rules on.
+- `prettier`.
+- `next build` clean. No `// @ts-ignore`. `// @ts-expect-error` only with a comment explaining why.
+
+## Before every push — MANDATORY
+
+Run all three steps for every affected service (`admin-compliance/`, `developer-portal/`) before pushing. CI runs the same checks and will fail if you skip this.
+
+```bash
+cd admin-compliance   # or developer-portal
+
+# 1. Build — catches type errors and module resolution failures
+npm run build
+
+# 2. Lint
+npx tsc --noEmit
+npx eslint . --max-warnings 0
+
+# 3. Tests
+npm test
+```
+
+All three must exit 0. Do not push if any step fails.
+
+## Performance
+
+- Use `next/dynamic` for heavy client-only components.
+- Image: `next/image` with explicit width/height.
+- Avoid waterfalls — `Promise.all` for parallel data fetches in Server Components.
+
+## What you may NOT do
+
+- Put business logic in a `page.tsx` or `route.ts`.
+- Reach across module boundaries (e.g. `admin-compliance` importing from `developer-portal`).
+- Use `dangerouslySetInnerHTML` without DOMPurify sanitization.
+- Call internal backend APIs directly from Client Components — use Server Components or API routes as a proxy.
+- Add `"use client"` to a layout or page just because one child needs it — extract the client part.
+- Spread `...props` onto a DOM element without filtering the props first (type error risk).
+- Change a public API route's path/method/schema without updating SDK consumers in the same change.
+- Create a file >500 lines.
+- Disable a lint or type rule globally to silence a finding — fix the root cause.

CONTRIBUTING.md

@@ -0,0 +1,202 @@
+# Contributing to breakpilot-compliance
+
+---
+
+## 1. Getting Started
+
+```bash
+git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
+cd breakpilot-compliance
+```
+
+**Branch conventions** (branch from `main`):
+
+| Prefix | Use for |
+|--------|---------|
+| `feature/` | New functionality |
+| `fix/` | Bug fixes |
+| `chore/` | Tooling, deps, CI, docs |
+
+Example: `git checkout -b feature/ai-sdk-risk-scoring`
+
+---
+
+## 2. Dev Environment
+
+Each service runs independently. Start only what you need.
+
+**Go — ai-compliance-sdk**
+```bash
+cd ai-compliance-sdk
+go run ./cmd/server
+```
+
+**Python — backend-compliance**
+```bash
+cd backend-compliance
+pip install -r requirements.txt
+uvicorn main:app --reload
+```
+
+**Python — dsms-gateway / document-crawler / compliance-tts-service**
+```bash
+cd <service>
+pip install -r requirements.txt
+uvicorn main:app --reload --port <port>
+```
+
+**Node.js — admin-compliance**
+```bash
+cd admin-compliance
+npm install
+npm run dev        # http://localhost:3007
+```
+
+**Node.js — developer-portal**
+```bash
+cd developer-portal
+npm install
+npm run dev        # http://localhost:3006
+```
+
+**All services together (local Docker)**
+```bash
+docker compose up -d
+```
+
+Config lives in `.env` (not committed). Copy `.env.example` and fill in `COMPLIANCE_DATABASE_URL`, `QDRANT_URL`, `QDRANT_API_KEY`, and Vault tokens.
+
+---
+
+## 3. Before Your First Commit
+
+Run all of these locally. CI will run the same checks and fail if they don't pass.
+
+**LOC budget (mandatory)**
+```bash
+bash scripts/check-loc.sh          # must exit 0
+```
+
+**Go lint**
+```bash
+cd ai-compliance-sdk
+golangci-lint run --timeout 5m ./...
+```
+
+**Python lint**
+```bash
+cd backend-compliance
+ruff check .
+mypy compliance/                   # only if mypy.ini exists
+```
+
+**TypeScript type-check**
+```bash
+cd admin-compliance
+npx tsc --noEmit
+```
+
+**Tests**
+```bash
+# Go
+cd ai-compliance-sdk && go test ./...
+
+# Python backend
+cd backend-compliance && pytest
+
+# DSMS gateway
+cd dsms-gateway && pytest test_main.py
+```
+
+If any step fails, fix it before committing. The git pre-commit hook re-runs `check-loc.sh` automatically.
+
+---
+
+## 4. Commit Message Rules
+
+Use [Conventional Commits](https://www.conventionalcommits.org/) style:
+
+```
+<type>(<scope>): <short summary>
+
+[optional body]
+[optional footer]
+```
+
+Types: `feat`, `fix`, `chore`, `refactor`, `test`, `docs`, `ci`.
+
+### `[guardrail-change]` marker — REQUIRED
+
+Add `[guardrail-change]` anywhere in the commit message body (or footer) when your changeset touches **any** of these files:
+
+| File / path | Reason protected |
+|-------------|-----------------|
+| `.claude/settings.json` | PreToolUse/PostToolUse hooks |
+| `scripts/check-loc.sh` | LOC enforcement script |
+| `scripts/githooks/pre-commit` | Git hook |
+| `.claude/rules/loc-exceptions.txt` | Exception registry |
+| `AGENTS.*.md` (any) | Per-language architecture rules |
+
+The `guardrail-integrity` CI job checks for this marker and **fails the build** if it is missing.
+
+**Valid guardrail commit example:**
+```
+chore(guardrail): add exception for generated protobuf file
+
+proto/generated/compliance.pb.go exceeds 500 LOC because it is
+machine-generated and cannot be split. Added to loc-exceptions.txt
+with rationale.
+
+[guardrail-change]
+```
+
+---
+
+## 5. Architecture Rules (Non-Negotiable)
+
+### File budget
+- **500 LOC hard cap** on every non-test, non-generated source file.
+- The `PreToolUse` hook in `.claude/settings.json` blocks Claude Code from creating or editing files that would breach this limit.
+- Exceptions require a written rationale in `.claude/rules/loc-exceptions.txt` plus `[guardrail-change]` in the commit.
+
+### Clean architecture per service
+- Python (FastAPI): `api → services → repositories → db.models`. Handlers ≤ 30 LOC. See `AGENTS.python.md`.
+- Go (Gin): Standard Go Project Layout + hexagonal. `cmd/` is thin wiring. See `AGENTS.go.md`.
+- TypeScript (Next.js 15): server-first, push client boundary deep, colocate `_components/` + `_hooks/` per route. See `AGENTS.typescript.md`.
+
+### Database is frozen
+- No new Alembic migrations, no `ALTER TABLE`, no `__tablename__` or column renames.
+- The pre-commit hook blocks any change under `migrations/` or `alembic/versions/` unless the commit message contains `[migration-approved]`.
+
+### Public endpoints are a contract
+- Any change to a route path, HTTP method, status code, request schema, or response schema in `backend-compliance/`, `ai-compliance-sdk/`, `dsms-gateway/`, `document-crawler/`, or `compliance-tts-service/` **must** be accompanied by a matching update in every consumer (`admin-compliance/`, `developer-portal/`, `breakpilot-compliance-sdk/`, `consent-sdk/`) in the **same changeset**.
+- OpenAPI baseline snapshots live in `tests/contracts/`. Contract tests fail on any drift.
+
+---
+
+## 6. Pull Requests
+
+- **Target branch: `main`** — squash merge your feature branch into `main`.
+- Keep PRs focused; one logical change per PR.
+
+**PR checklist before requesting review:**
+
+- [ ] `bash scripts/check-loc.sh` exits 0
+- [ ] All lint checks pass (go, python, tsc)
+- [ ] All tests pass locally
+- [ ] No endpoint drift without consumer updates in the same PR
+- [ ] `[guardrail-change]` present in commit message if guardrail files were touched
+- [ ] Docs updated if new endpoints, config vars, or architecture changed
+
+---
+
+## 7. Claude Code Users
+
+This section is for AI-assisted development sessions using Claude Code.
+
+- **Always work on a feature branch** (`feat/*`, `feature/*`, `hotfix/*`), never directly on `main`.
+- The `.claude/settings.json` `PreToolUse` hooks will automatically block Write/Edit operations on files that would exceed 500 lines. This is intentional — split the file instead.
+- If the `guardrail-integrity` CI job fails, check that your commit message body includes `[guardrail-change]`. Add it and amend or create a fixup commit.
+- **Never use `git add -A` or `git add .`** — always stage specific files by path to avoid accidentally committing `.env`, `node_modules/`, `.next/`, or compiled binaries.
+- After every session: `bash scripts/check-loc.sh` must exit 0 before pushing.
+- Read `CLAUDE.md` and the relevant `AGENTS.<lang>.md` before starting work on a service.

README.md

@@ -0,0 +1,128 @@
+# breakpilot-compliance
+
+**DSGVO/AI-Act compliance platform — 10 services, Go · Python · TypeScript**
+
+[![CI](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions/workflows/ci.yaml/badge.svg)](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions)
+![Go](https://img.shields.io/badge/Go-1.24-00ADD8?logo=go&logoColor=white)
+![Python](https://img.shields.io/badge/Python-3.12-3776AB?logo=python&logoColor=white)
+![Node.js](https://img.shields.io/badge/Node.js-20-339933?logo=node.js&logoColor=white)
+![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178C6?logo=typescript&logoColor=white)
+![FastAPI](https://img.shields.io/badge/FastAPI-0.123-009688?logo=fastapi&logoColor=white)
+![DSGVO](https://img.shields.io/badge/DSGVO-compliant-green)
+![AI Act](https://img.shields.io/badge/EU%20AI%20Act-compliant-green)
+![LOC guard](https://img.shields.io/badge/LOC%20guard-500%20hard%20cap-orange)
+![Services](https://img.shields.io/badge/services-10-blueviolet)
+
+---
+
+## Overview
+
+breakpilot-compliance is a multi-tenant DSGVO/EU AI Act compliance platform that provides an SDK for consent management, data subject requests (DSR), audit logging, iACE impact assessments, and document archival. It ships as 10 containerised services covering an admin dashboard, a developer portal, a Python/FastAPI backend, a Go AI compliance engine, TTS, and a decentralised document store on IPFS. Every service is deployed automatically via Gitea Actions → Orca on every push to `main`.
+
+---
+
+## Architecture
+
+| Service | Tech | Port | Container |
+|---------|------|------|-----------|
+| admin-compliance | Next.js 15 | 3007 | bp-compliance-admin |
+| backend-compliance | Python / FastAPI 0.123 | 8002 | bp-compliance-backend |
+| ai-compliance-sdk | Go 1.24 / Gin | 8093 | bp-compliance-ai-sdk |
+| developer-portal | Next.js 15 | 3006 | bp-compliance-developer-portal |
+| breakpilot-compliance-sdk | TypeScript SDK (React/Vue/Angular/vanilla) | — | — |
+| consent-sdk | JS/TS Consent SDK | — | — |
+| compliance-tts-service | Python / Piper TTS | 8095 | bp-compliance-tts |
+| document-crawler | Python / FastAPI | 8098 | bp-compliance-document-crawler |
+| dsms-gateway | Python / FastAPI / IPFS | 8082 | bp-compliance-dsms-gateway |
+| dsms-node | IPFS Kubo v0.24.0 | — | bp-compliance-dsms-node |
+
+All containers share the external `breakpilot-network` Docker network and depend on `breakpilot-core` (Valkey, Vault, RAG service, Nginx reverse proxy).
+
+---
+
+## Quick Start
+
+**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+
+
+```bash
+git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
+cd breakpilot-compliance
+
+# Copy and populate secrets (never commit .env)
+cp .env.example .env
+
+# Start all services
+docker compose up -d
+```
+
+For the Orca/Hetzner production target (x86_64), use the override:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
+```
+
+---
+
+## Development Workflow
+
+Use feature branches off `main`. Supported prefixes: `feat/`, `feature/`, `hotfix/`.
+
+```bash
+git checkout main && git pull origin main
+git checkout -b feat/my-change
+# ... make changes ...
+git push origin feat/my-change
+# Open a PR → squash merge to main
+```
+
+Push to `main` triggers:
+1. **Gitea Actions** — lint → test → validate (see CI Pipeline below)
+2. **Orca** — automatic build + deploy (~3 min total)
+
+Monitor status: <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions>
+
+---
+
+## CI Pipeline
+
+Defined in `.gitea/workflows/ci.yaml`.
+
+| Job | What it checks |
+|-----|----------------|
+| `loc-budget` | All source files ≤ 500 LOC; soft target 300 |
+| `guardrail-integrity` | Commits touching guardrail files carry `[guardrail-change]` |
+| `go-lint` | `golangci-lint` on `ai-compliance-sdk/` |
+| `python-lint` | `ruff` + `mypy` on Python services |
+| `nodejs-lint` | `tsc --noEmit` + ESLint on Next.js services |
+| `test-go-ai-compliance` | `go test ./...` in `ai-compliance-sdk/` |
+| `test-python-backend-compliance` | `pytest` in `backend-compliance/` |
+| `test-python-document-crawler` | `pytest` in `document-crawler/` |
+| `test-python-dsms-gateway` | `pytest test_main.py` in `dsms-gateway/` |
+| `sbom-scan` | License + vulnerability scan via `syft` + `grype` |
+| `validate-canonical-controls` | OpenAPI contract baseline diff |
+
+---
+
+## File Budget
+
+| Limit | Value | How to check |
+|-------|-------|--------------|
+| Soft target | 300 LOC | `bash scripts/check-loc.sh` |
+| Hard cap | 500 LOC | Same; also enforced by `PreToolUse` hook + git pre-commit + CI |
+| Exceptions | `.claude/rules/loc-exceptions.txt` | Require written rationale + `[guardrail-change]` commit marker |
+
+The `.claude/settings.json` `PreToolUse` hook blocks Claude Code from writing or editing files that would exceed the hard cap. The git pre-commit hook re-checks. CI is the final gate.
+
+---
+
+## Links
+
+| | URL |
+|-|-----|
+| Admin dashboard | <https://admin-dev.breakpilot.ai> |
+| Developer portal | <https://developers-dev.breakpilot.ai> |
+| Backend API | <https://api-dev.breakpilot.ai> |
+| AI SDK API | <https://sdk-dev.breakpilot.ai> |
+| Gitea repo | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance> |
+| Gitea Actions | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions> |
+

REFACTOR_PLAYBOOK.md

@@ -0,0 +1,915 @@
+
+---
+
+## 1.9 `AGENTS.python.md` — Python / FastAPI conventions
+
+```markdown
+# AGENTS.python.md — Python Service Conventions
+
+## Layered architecture (FastAPI)
+
+
+## 1. Guardrail files (drop these in first)
+
+These artifacts enforce the rules without you or Claude having to remember them. Install them as **Phase 0**, before touching any real code.
+
+### 1.1 `.claude/CLAUDE.md` — loaded into every Claude session
+
+```markdown
+# <Your Project Name>
+
+> **NON-NEGOTIABLE STRUCTURE RULES** (enforced by `.claude/settings.json` hook, git pre-commit, and CI):
+> 1. **File-size budget:** soft target **300** lines, **hard cap 500** lines for any non-test, non-generated source file. Anything larger → split it. Exceptions are listed in `.claude/rules/loc-exceptions.txt` and require a written rationale.
+> 2. **Clean architecture per service.** Routers/handlers stay thin (≤30 lines per handler) and delegate to services; services use repositories; repositories own DB I/O. See `AGENTS.python.md` / `AGENTS.go.md` / `AGENTS.typescript.md`.
+> 3. **Do not touch the database schema.** No new migrations, no `ALTER TABLE`, no model field renames without an explicit migration plan reviewed by the DB owner.
+> 4. **Public endpoints are a contract.** Any change to a path/method/status/schema in a backend must be accompanied by a matching update in **every** consumer. OpenAPI snapshot tests in `tests/contracts/` are the gate.
+> 5. **Tests are not optional.** New code without tests fails CI. Refactors must preserve coverage and add a characterization test before splitting an oversized file.
+> 6. **Do not bypass the guardrails.** Do not edit `.claude/settings.json`, `scripts/check-loc.sh`, or the loc-exceptions list to silence violations. If a rule is wrong, raise it in a PR description.
+>
+> These rules apply to every Claude Code session opened inside this repository, regardless of who launched it. They are loaded automatically via this CLAUDE.md.
+```
+
+Keep project-specific notes (dev environment, URLs, tech stack) under this header.
+
+### 1.2 `.claude/settings.json` — PreToolUse LOC hook
+
+First line of defense. Blocks Write/Edit operations that would create or push a file past 500 lines. This stops Claude from ever producing oversized files.
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] && exit 0; lines=$(printf '%s' \"$(jq -r '.tool_input.content // empty')\" | awk 'END{print NR}'); if [ \"${lines:-0}\" -gt 500 ]; then echo '{\"decision\":\"block\",\"reason\":\"guardrail: file exceeds the 500-line hard cap. Split it into smaller modules per the layering rules in AGENTS.<lang>.md.\"}'; exit 0; fi",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "f=$(jq -r '.tool_input.file_path // empty'); [ -z \"$f\" ] || [ ! -f \"$f\" ] && exit 0; case \"$f\" in *.md|*.json|*.yaml|*.yml|*test*|*tests/*|*node_modules/*|*.next/*|*migrations/*) exit 0 ;; esac; new_str=$(jq -r '.tool_input.new_string // empty'); old_str=$(jq -r '.tool_input.old_string // empty'); old_lines=$(printf '%s' \"$old_str\" | awk 'END{print NR}'); new_lines=$(printf '%s' \"$new_str\" | awk 'END{print NR}'); cur=$(wc -l < \"$f\" | tr -d ' '); proj=$((cur - old_lines + new_lines)); if [ \"$proj\" -gt 500 ]; then echo \"{\\\"decision\\\":\\\"block\\\",\\\"reason\\\":\\\"guardrail: this edit would push $f to ~$proj lines (hard cap is 500). Split the file before continuing.\\\"}\"; fi; exit 0",
+            "shell": "bash",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+### 1.3 `.claude/rules/architecture.md` — auto-loaded architecture rule
+
+```markdown
+# Architecture Rules (auto-loaded)
+
+Non-negotiable. Applied to every Claude Code session in this repo.
+
+## File-size budget
+- **Soft target:** 300 lines. **Hard cap:** 500 lines.
+- Enforced by PreToolUse hook, pre-commit hook, and CI.
+- Exceptions live in `.claude/rules/loc-exceptions.txt` and require `[guardrail-change]` in the commit message. This list should SHRINK over time.
+
+## Clean architecture
+- Python: see `AGENTS.python.md`. Layering: api → services → repositories → db.models.
+- Go: see `AGENTS.go.md`. Standard Go Project Layout + hexagonal.
+- TypeScript: see `AGENTS.typescript.md`. Server-by-default, push client boundary deep, colocate `_components/` and `_hooks/` per route.
+
+## Database is frozen
+- No new migrations. No `ALTER TABLE`. No column renames.
+- Pre-commit hook blocks any change under `migrations/` unless commit message contains `[migration-approved]`.
+
+## Public endpoints are a contract
+- Any change to path/method/status/schema must update every consumer in the same change set.
+- OpenAPI baseline at `tests/contracts/openapi.baseline.json`. Contract tests fail on drift.
+
+## Tests
+- New code without tests fails CI.
+- Refactors preserve coverage. Before splitting an oversized file, add a characterization test pinning current behavior.
+- Layout: `tests/unit/`, `tests/integration/`, `tests/contracts/`, `tests/e2e/`.
+
+## Guardrails are protected
+- Edits to `.claude/settings.json`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, `.claude/rules/loc-exceptions.txt`, or any `AGENTS.*.md` require `[guardrail-change]` in the commit message.
+- If Claude thinks a rule is wrong, surface it to the user. Do not silently weaken.
+
+## Tooling baseline
+- Python: `ruff`, `mypy --strict` on new modules, `pytest --cov`.
+- Go: `golangci-lint` strict, `go vet`, table-driven tests.
+- TS: `tsc --noEmit` strict, ESLint type-aware, Vitest, Playwright.
+- All: dependency caching in CI, license/SBOM scan via `syft`+`grype`.
+```
+
+### 1.4 `.claude/rules/loc-exceptions.txt`
+
+```
+# loc-exceptions.txt — files allowed to exceed the 500-line hard cap.
+#
+# Format: one repo-relative path per line. Comments start with '#'.
+# Each exception MUST be preceded by a comment explaining why splitting is not viable.
+# Goal: this list SHRINKS over time.
+
+# --- Example entries ---
+# Static data catalogs — splitting fragments lookup tables without improving readability.
+# src/catalogs/country-data.ts
+# src/catalogs/industry-taxonomy.ts
+
+# Generated files — regenerated from schemas.
+# api/generated/types.ts
+```
+
+
+### 1.5 `scripts/check-loc.sh`
+
+```bash
+#!/usr/bin/env bash
+# check-loc.sh — File-size budget enforcer. Soft: 300. Hard: 500.
+#
+# Usage:
+#   scripts/check-loc.sh                    # scan whole repo
+#   scripts/check-loc.sh --changed          # only files changed vs origin/main
+#   scripts/check-loc.sh path/to/file.py    # check specific files
+#   scripts/check-loc.sh --json             # machine-readable output
+# Exit codes: 0 clean, 1 hard violation, 2 bad invocation.
+
+set -euo pipefail
+SOFT=300
+HARD=500
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+EXCEPTIONS_FILE="$REPO_ROOT/.claude/rules/loc-exceptions.txt"
+
+CHANGED_ONLY=0; JSON=0; TARGETS=()
+for arg in "$@"; do
+  case "$arg" in
+    --changed) CHANGED_ONLY=1 ;;
+    --json) JSON=1 ;;
+    -h|--help) sed -n '2,10p' "$0"; exit 0 ;;
+    -*) echo "unknown flag: $arg" >&2; exit 2 ;;
+    *) TARGETS+=("$arg") ;;
+  esac
+done
+
+is_excluded() {
+  local f="$1"
+  case "$f" in
+    */node_modules/*|*/.next/*|*/.git/*|*/dist/*|*/build/*|*/__pycache__/*|*/vendor/*) return 0 ;;
+    */migrations/*|*/alembic/versions/*) return 0 ;;
+    *_test.go|*.test.ts|*.test.tsx|*.spec.ts|*.spec.tsx) return 0 ;;
+    */tests/*|*/test/*) return 0 ;;
+    *.md|*.json|*.yaml|*.yml|*.lock|*.sum|*.mod|*.toml|*.cfg|*.ini) return 0 ;;
+    *.svg|*.png|*.jpg|*.jpeg|*.gif|*.ico|*.pdf|*.woff|*.woff2|*.ttf) return 0 ;;
+    *.generated.*|*.gen.*|*_pb.go|*_pb2.py|*.pb.go) return 0 ;;
+  esac
+  return 1
+}
+is_in_exceptions() {
+  [[ -f "$EXCEPTIONS_FILE" ]] || return 1
+  local rel="${1#$REPO_ROOT/}"
+  grep -Fxq "$rel" "$EXCEPTIONS_FILE"
+}
+collect_targets() {
+  if (( ${#TARGETS[@]} > 0 )); then printf '%s\n' "${TARGETS[@]}"
+  elif (( CHANGED_ONLY )); then
+    git -C "$REPO_ROOT" diff --name-only --diff-filter=AM origin/main...HEAD 2>/dev/null \
+      || git -C "$REPO_ROOT" diff --name-only --diff-filter=AM HEAD
+  else git -C "$REPO_ROOT" ls-files; fi
+}
+
+violations_hard=(); violations_soft=()
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  abs="$f"; [[ "$abs" != /* ]] && abs="$REPO_ROOT/$f"
+  [[ -f "$abs" ]] || continue
+  is_excluded "$abs" && continue
+  is_in_exceptions "$abs" && continue
+  loc=$(wc -l < "$abs" | tr -d ' ')
+  if (( loc > HARD )); then violations_hard+=("$loc	$f")
+  elif (( loc > SOFT )); then violations_soft+=("$loc	$f"); fi
+done < <(collect_targets)
+
+if (( JSON )); then
+  printf '{"hard":['
+  first=1; for v in "${violations_hard[@]}"; do
+    loc="${v%%	*}"; path="${v#*	}"
+    (( first )) || printf ','; first=0
+    printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
+  done
+  printf '],"soft":['
+  first=1; for v in "${violations_soft[@]}"; do
+    loc="${v%%	*}"; path="${v#*	}"
+    (( first )) || printf ','; first=0
+    printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
+  done
+  printf ']}\n'
+else
+  if (( ${#violations_soft[@]} > 0 )); then
+    echo "::warning:: $((${#violations_soft[@]})) file(s) exceed soft target ($SOFT lines):"
+    printf '  %s\n' "${violations_soft[@]}" | sort -rn
+  fi
+  if (( ${#violations_hard[@]} > 0 )); then
+    echo "::error:: $((${#violations_hard[@]})) file(s) exceed HARD CAP ($HARD lines) — split required:"
+    printf '  %s\n' "${violations_hard[@]}" | sort -rn
+  fi
+fi
+(( ${#violations_hard[@]} == 0 ))
+```
+
+Make executable: `chmod +x scripts/check-loc.sh`.
+
+### 1.6 `scripts/githooks/pre-commit`
+
+```bash
+#!/usr/bin/env bash
+# pre-commit — enforces structural guardrails.
+#
+# 1. Blocks commits that introduce a non-test, non-generated source file > 500 LOC.
+# 2. Blocks commits touching migrations/ unless commit message contains [migration-approved].
+# 3. Blocks edits to guardrail files unless [guardrail-change] is in the commit message.
+
+set -euo pipefail
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+
+mapfile -t staged < <(git diff --cached --name-only --diff-filter=ACM)
+[[ ${#staged[@]} -eq 0 ]] && exit 0
+
+# 1. LOC budget on staged files.
+loc_targets=()
+for f in "${staged[@]}"; do
+  [[ -f "$REPO_ROOT/$f" ]] && loc_targets+=("$REPO_ROOT/$f")
+done
+if [[ ${#loc_targets[@]} -gt 0 ]]; then
+  if ! "$REPO_ROOT/scripts/check-loc.sh" "${loc_targets[@]}"; then
+    echo; echo "Commit blocked: file-size budget violated."
+    echo "Split the file (preferred) or add to .claude/rules/loc-exceptions.txt."
+    exit 1
+  fi
+fi
+
+# 2. Migrations frozen unless approved.
+if printf '%s\n' "${staged[@]}" | grep -qE '(^|/)(migrations|alembic/versions)/'; then
+  if ! grep -q '\[migration-approved\]' "$(git rev-parse --git-dir)/COMMIT_EDITMSG" 2>/dev/null; then
+    echo "Commit blocked: this change touches a migrations directory."
+    echo "Add '[migration-approved]' to your commit message if approved."
+    exit 1
+  fi
+fi
+
+# 3. Guardrail files protected.
+guarded='^(\.claude/settings\.json|\.claude/rules/loc-exceptions\.txt|scripts/check-loc\.sh|scripts/githooks/pre-commit|AGENTS\.(python|go|typescript)\.md)$'
+if printf '%s\n' "${staged[@]}" | grep -qE "$guarded"; then
+  if ! grep -q '\[guardrail-change\]' "$(git rev-parse --git-dir)/COMMIT_EDITMSG" 2>/dev/null; then
+    echo "Commit blocked: this change modifies guardrail files."
+    echo "Add '[guardrail-change]' to your commit message and explain why in the body."
+    exit 1
+  fi
+fi
+exit 0
+```
+
+### 1.7 `scripts/install-hooks.sh`
+
+```bash
+#!/usr/bin/env bash
+# install-hooks.sh — installs git hooks that enforce repo guardrails locally.
+# Idempotent. Safe to re-run. Run once per clone: bash scripts/install-hooks.sh
+set -euo pipefail
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+HOOKS_DIR="$REPO_ROOT/.git/hooks"
+SRC_DIR="$REPO_ROOT/scripts/githooks"
+
+[[ -d "$REPO_ROOT/.git" ]] || { echo "Not a git repository: $REPO_ROOT" >&2; exit 1; }
+mkdir -p "$HOOKS_DIR"
+for hook in pre-commit; do
+  src="$SRC_DIR/$hook"; dst="$HOOKS_DIR/$hook"
+  if [[ -f "$src" ]]; then cp "$src" "$dst"; chmod +x "$dst"; echo "installed: $dst"; fi
+done
+echo "Done. Hooks active for this clone."
+```
+
+### 1.8 CI additions (`.github/workflows/ci.yaml` or `.gitea/workflows/ci.yaml`)
+
+Add a `loc-budget` job that fails on hard violations:
+
+```yaml
+jobs:
+  loc-budget:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check file-size budget
+        run: bash scripts/check-loc.sh --changed
+
+  python-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: ruff
+        run: pip install ruff && ruff check .
+      - name: mypy on new modules
+        run: pip install mypy && mypy --strict services/ repositories/ domain/
+
+  go-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v4
+        with: { version: latest }
+
+  ts-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci && npx tsc --noEmit && npx next build
+
+  contract-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: pytest tests/contracts/ -v
+
+  license-sbom-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: anchore/sbom-action@v0
+      - uses: anchore/scan-action@v3
+```
+
+---
+
+
+### 1.9 `AGENTS.python.md` (Python / FastAPI)
+
+````markdown
+# AGENTS.python.md — Python Service Conventions
+
+## Layered architecture
+
+```
+<service>/
+├── api/                # HTTP layer — routers only. Thin (≤30 LOC per handler).
+│   └── <domain>_routes.py
+├── services/           # Business logic. Pure-ish; no FastAPI imports.
+├── repositories/       # DB access. Owns SQLAlchemy session usage.
+├── domain/             # Value objects, enums, domain exceptions.
+├── schemas/            # Pydantic models, split per domain. Never one giant schemas.py.
+└── db/models/          # SQLAlchemy ORM, one module per aggregate. __tablename__ frozen.
+```
+
+Dependency direction: `api → services → repositories → db.models`. Lower layers must not import upper.
+
+## Routers
+- One `APIRouter` per domain file. Handlers ≤30 LOC.
+- Parse request → call service → map domain errors → return response model.
+- Inject services via `Depends`. No globals.
+
+```python
+@router.post("/items", response_model=ItemRead, status_code=201)
+async def create_item(
+    payload: ItemCreate,
+    service: ItemService = Depends(get_item_service),
+    tenant_id: UUID = Depends(get_tenant_id),
+) -> ItemRead:
+    with translate_domain_errors():
+        return await service.create(tenant_id, payload)
+```
+
+## Domain errors + translator
+
+```python
+# domain/errors.py
+class DomainError(Exception): ...
+class NotFoundError(DomainError): ...
+class ConflictError(DomainError): ...
+class ValidationError(DomainError): ...
+class PermissionError(DomainError): ...
+
+# api/_http_errors.py
+from contextlib import contextmanager
+from fastapi import HTTPException
+
+@contextmanager
+def translate_domain_errors():
+    try: yield
+    except NotFoundError as e:   raise HTTPException(404, str(e)) from e
+    except ConflictError as e:   raise HTTPException(409, str(e)) from e
+    except ValidationError as e: raise HTTPException(400, str(e)) from e
+    except PermissionError as e: raise HTTPException(403, str(e)) from e
+```
+
+## Services
+- Constructor takes repository interface, not concrete.
+- No FastAPI / HTTP knowledge.
+- Raise domain exceptions, never HTTPException.
+
+## Repositories
+- Intent-named methods (`get_pending_for_tenant`), not CRUD-named (`select_where`).
+- Session injected. No business logic.
+- Return ORM models or domain VOs; never `Row`.
+
+## Schemas (Pydantic v2)
+- One module per domain. ≤300 lines.
+- `model_config = ConfigDict(from_attributes=True, frozen=True)` for reads.
+- Separate `*Create`, `*Update`, `*Read`.
+
+## Tests
+- `tests/unit/`, `tests/integration/`, `tests/contracts/`.
+- Unit tests mock repository via `AsyncMock`.
+- Integration tests use real Postgres from compose via transactional fixture (rollback per test).
+- Contract tests diff `/openapi.json` against `tests/contracts/openapi.baseline.json`.
+- Naming: `test_<unit>_<scenario>_<expected>.py::TestX::test_method`.
+- `pytest-asyncio` mode = `auto`. Coverage target: 80% new code.
+
+## Tooling
+- `ruff check` + `ruff format` (line length 100).
+- `mypy --strict` on `services/`, `repositories/`, `domain/` first. Expand outward via per-module overrides in mypy.ini:
+
+```ini
+[mypy]
+strict = True
+
+[mypy-<service>.services.*]
+strict = True
+
+[mypy-<service>.legacy.*]
+# Legacy modules not yet refactored — expand strictness over time.
+ignore_errors = True
+```
+
+## What you may NOT do
+- Add a new migration.
+- Rename `__tablename__`, column, or enum value.
+- Change route contract without simultaneous consumer update.
+- Catch `Exception` broadly.
+- Put business logic in a router or a Pydantic validator.
+- Create a file > 500 lines.
+````
+
+### 1.10 `AGENTS.go.md` (Go / Gin or chi)
+
+````markdown
+# AGENTS.go.md — Go Service Conventions
+
+## Layered architecture (Standard Go Project Layout + hexagonal)
+
+```
+<service>/
+├── cmd/server/main.go        # Thin: parse flags → app.New → app.Run. < 50 LOC.
+├── internal/
+│   ├── app/                  # Wiring: config + DI + lifecycle.
+│   ├── domain/<aggregate>/   # Pure types, interfaces, errors. No I/O.
+│   ├── service/<aggregate>/  # Business logic. Depends on domain interfaces.
+│   ├── repository/postgres/<aggregate>/   # Concrete repos.
+│   ├── transport/http/
+│   │   ├── handler/<aggregate>/
+│   │   ├── middleware/
+│   │   └── router.go
+│   └── platform/             # DB pool, logger, config, tracing.
+└── pkg/                      # Importable by other repos. Empty unless needed.
+```
+
+Direction: `transport → service → domain ← repository`. `domain` imports no siblings.
+
+## Handlers
+- ≤40 LOC. Bind → call service → map error via `httperr.Write(c, err)` → respond.
+
+```go
+func (h *ItemHandler) Create(c *gin.Context) {
+    var req CreateItemRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        httperr.Write(c, httperr.BadRequest(err)); return
+    }
+    out, err := h.svc.Create(c.Request.Context(), req.ToInput())
+    if err != nil { httperr.Write(c, err); return }
+    c.JSON(http.StatusCreated, out)
+}
+```
+
+## Errors — single `httperr` package
+```go
+switch {
+case errors.Is(err, domain.ErrNotFound): return 404
+case errors.Is(err, domain.ErrConflict): return 409
+case errors.As(err, &validationErr):     return 422
+default:                                  return 500
+}
+```
+Never `panic` in request handling. Recovery middleware logs and returns 500.
+
+## Services
+- Struct + constructor + interface methods. No package-level state.
+- `context.Context` first arg always.
+- Return `(value, error)`. Wrap with `fmt.Errorf("create item: %w", err)`.
+- Domain errors as sentinel vars or typed; match with `errors.Is` / `errors.As`.
+
+## Repositories
+- Interface in `domain/<aggregate>/repository.go`. Impl in `repository/postgres/<aggregate>/`.
+- One file per query group; no file > 500 LOC.
+- `pgx`/`sqlc` over hand-rolled SQL. No ORM globals. Everything takes `ctx`.
+
+## Tests
+- Co-located `*_test.go`. Table-driven for service logic.
+- Handlers via `httptest.NewRecorder`.
+- Repos via `testcontainers-go` (or the compose Postgres). Never mocks at SQL boundary.
+- Coverage target: 80% on `service/`.
+
+## Tooling (`golangci-lint` strict config)
+- Linters: `errcheck, govet, staticcheck, revive, gosec, gocyclo(max 15), gocognit(max 20), unused, ineffassign, errorlint, nilerr, nolintlint, contextcheck`.
+- `gofumpt` formatting. `go vet ./...` clean. `go mod tidy` clean.
+
+## What you may NOT do
+- Touch DB schema/migrations.
+- Add a new top-level package under `internal/` without review.
+- `import "C"`, unsafe, reflection-heavy code.
+- Non-trivial setup in `init()`. Wire in `internal/app`.
+- File > 500 lines.
+- Change route contract without updating consumers.
+````
+
+### 1.11 `AGENTS.typescript.md` (TypeScript / Next.js)
+
+````markdown
+# AGENTS.typescript.md — TypeScript / Next.js Conventions
+
+## Layered architecture (Next.js 15 App Router)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component by default. ≤200 LOC.
+│   ├── layout.tsx
+│   ├── _components/          # Private folder; colocated UI. Each file ≤300 LOC.
+│   ├── _hooks/               # Client hooks for this route.
+│   ├── _server/              # Server actions, data loaders for this route.
+│   └── loading.tsx / error.tsx
+├── api/<domain>/route.ts     # Thin handler. Delegates to lib/server/<domain>/.
+lib/
+├── <domain>/                 # Pure helpers, types, zod schemas. Reusable.
+└── server/<domain>/          # Server-only logic; uses "server-only".
+components/                   # Truly shared, app-wide components.
+```
+
+Server vs Client: default is Server Component. Add `"use client"` only when state/effects/browser APIs needed. Push client boundary as deep as possible.
+
+## API routes (route.ts)
+- One handler per HTTP method, ≤40 LOC.
+- Validate with `zod`. Reject invalid → 400.
+- Delegate to `lib/server/<domain>/`.
+
+```ts
+export async function POST(req: Request) {
+  const parsed = CreateItemSchema.safeParse(await req.json());
+  if (!parsed.success)
+    return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });
+  const result = await itemService.create(parsed.data);
+  return NextResponse.json(result, { status: 201 });
+}
+```
+
+## Page components
+- Pages > 300 lines → split into colocated `_components/`.
+- Server Components fetch data; pass plain objects to Client Components.
+- No data fetching in `useEffect` for server-renderable data.
+- State: prefer URL state (`searchParams`) + Server Components over global stores.
+
+## Types — barrel re-export pattern for splitting monolithic type files
+
+```ts
+// lib/sdk/types/index.ts
+export * from './enums'
+export * from './vendor'
+export * from './dsfa'
+// consumers still `import { Foo } from '@/lib/sdk/types'`
+```
+
+Rules: no `any`. No `as unknown as`. All DTOs are zod schemas; infer via `z.infer`.
+
+## Tests
+- Unit: **Vitest** (`*.test.ts`/`*.test.tsx`), colocated.
+- Hooks: `@testing-library/react` `renderHook`.
+- E2E: **Playwright** (`tests/e2e/`), one spec per top-level page minimum.
+- Coverage: 70% on `lib/`, smoke on `app/`.
+
+## Tooling
+- `tsc --noEmit` clean (strict, `noUncheckedIndexedAccess: true`).
+- ESLint with `@typescript-eslint`, type-aware rules on.
+- `next build` clean. No `@ts-ignore`. `@ts-expect-error` only with a reason comment.
+
+## What you may NOT do
+- Business logic in `page.tsx` or `route.ts`.
+- Cross-app module imports.
+- `dangerouslySetInnerHTML` without explicit sanitization.
+- Backend API calls from Client Components when a Server Component/Action would do.
+- Change route contract without updating consumers in the same change.
+- File > 500 lines.
+- Globally disable lint/type rules — fix the root cause.
+````
+
+---
+
+
+## 2. Phase plan — behavior-preserving refactor
+
+Work in phases. Each phase ends green (tests pass, build clean, contract baseline unchanged). Do **not** skip ahead.
+
+### Phase 0 — Foundation (single PR, low risk)
+
+**Goal:** Set up rails. No code refactors yet.
+
+1. Drop in all files from Section 1. Install hooks: `bash scripts/install-hooks.sh`.
+2. Populate `.claude/rules/loc-exceptions.txt` with grandfathered entries (one line each, with a comment rationale) so CI doesn't fail day 1.
+3. Append the non-negotiable rules block to root `CLAUDE.md`.
+4. Add per-language `AGENTS.*.md` at repo root.
+5. Add the CI jobs from §1.8.
+6. Per-service `README.md` + `CLAUDE.md` stubs: what it does, run/test commands, layered architecture diagram, env vars, API surface link.
+
+**Verification:** CI green; loc-budget job passes with allowlist; next Claude session loads the rules automatically.
+
+### Phase 1 — Backend service (Python/FastAPI)
+
+**Critical targets:** any `routes.py` / `schemas.py` / `repository.py` / `models.py` over 500 LOC.
+
+**Steps:**
+
+1. **Snapshot the API contract:** `curl /openapi.json > tests/contracts/openapi.baseline.json`. Add a contract test that diffs current vs baseline and fails on any path/method/param drift.
+2. **Characterization tests first.** For each oversized route file, add `TestClient` tests exercising every endpoint (happy path + one error path). Use `httpx.AsyncClient` + factory fixtures.
+3. **Split models.py per aggregate.** Keep a shim: `from <service>.db.models import *` re-exports so existing imports keep working. One module per aggregate; `__tablename__` unchanged (no migration).
+4. **Split schemas.py** similarly with a re-export shim.
+5. **Extract service layer.** Each route handler delegates to a `*Service` class injected via `Depends`. Handlers shrink to ≤30 LOC.
+6. **Repository extraction** from the giant repository file; one class per aggregate.
+7. **`mypy --strict` scoped to new packages first.** Expand outward via `mypy.ini` per-module overrides.
+8. **Tests:** unit tests per service (mocked repo), repo tests against a transactional fixture (real Postgres), integration tests at API layer.
+
+**Gotchas we hit:**
+- Tests that patch module-level symbols (e.g. `SessionLocal`, `scan_X`) break when you move logic behind `Depends`. Fix: re-export the symbol from the route module, or have the service lookup use the module-level symbol directly so the patch still takes effect.
+- `from __future__ import annotations` can break Pydantic TypeAdapter forward refs. Remove it where it conflicts.
+- Sibling test file status codes drift when you introduce the domain-error translator (e.g. 422 → 400). Update assertions in the same commit.
+
+**Verification:** all pytest files green. Characterization tests green. Contract test green (no drift). `mypy` clean on new packages. Coverage ≥ baseline + 10%.
+
+### Phase 2 — Go backend
+
+**Critical targets:** any handler / store / rules file over 500 LOC.
+
+**Steps:**
+1. OpenAPI/Swagger snapshot (or generate via `swag`) → contract tests.
+2. Generate handler-level tests with `httptest` for every endpoint pre-refactor.
+3. Define hexagonal layout (see AGENTS.go.md). Move incrementally with type aliases for back-compat where needed.
+4. Replace ad-hoc error handling with `errors.Is/As` + a single `httperr` package.
+5. Add `golangci-lint` strict config; fix new findings only (don't chase legacy lint).
+6. Table-driven service tests. `testcontainers-go` for repo layer.
+
+**Verification:** `go test ./...` passes; `golangci-lint run` clean; contract tests green; no DB schema diff.
+
+### Phase 3 — Frontend (Next.js)
+
+**Biggest beast — expect this to dominate.** Critical targets: `page.tsx` / monolithic types / API routes over 500 LOC.
+
+**Per oversized page:**
+1. Extract presentational components into `app/<route>/_components/` (private folder, Next.js convention).
+2. Move data fetching into Server Components / Server Actions; Client Components become small.
+3. Hooks → `app/<route>/_hooks/`.
+4. Pure helpers → `lib/<domain>/`.
+5. Add Vitest unit tests for hooks and pure helpers; Playwright smoke tests for each top-level page.
+
+**Monolithic types file:** use barrel re-export pattern.
+- Create `types/` directory with domain files.
+- Create `types/index.ts` with `export * from './<domain>'` lines.
+- **Critical:** TypeScript won't allow both `types.ts` AND `types/index.ts` — delete the file, atomic swap to directory.
+
+**API routes (`route.ts`):** same router→service split as backend. Each `route.ts` becomes a thin handler delegating to `lib/server/<domain>/`.
+
+**Endpoint preservation:** if any internal route URL changes, grep every consumer (SDK packages, developer portal, sibling apps) and update in the same change.
+
+**Gotchas:**
+- Pre-existing type bugs often surface when you try to build. Fix them as drive-by if they block your refactor; otherwise document in a separate follow-up.
+- `useClient` component imports from `'../provider'` that rely on re-exports: preserve the re-export or update importers in the same commit.
+- Next.js build can fail at page-manifest stage with unrelated prerender errors. Run `next build` fresh (not from cache) to see real status.
+
+**Verification:** `next build` clean; `tsc --noEmit` clean; Playwright smoke tests pass; visual diff check on key pages (manual + screenshots in PR).
+
+### Phase 4 — SDKs & smaller services
+
+Apply the same patterns at smaller scale:
+- **SDK packages (0 tests):** add Vitest unit tests for public surface before/while splitting.
+- **Manager/Client classes:** extract config defaults, side-effect helpers (e.g. Google Consent Mode wiring), framework adapters into sibling files. Keep the main class as orchestration.
+- **Framework adapters (React/Vue/Angular):** each component/composable/service/module goes in its own sibling file; the entry `index.ts` is a thin barrel of re-exports.
+- **Doc monoliths (`index.md` thousands of lines):** split per topic with mkdocs nav.
+
+### Phase 5 — CI hardening & governance
+
+1. Promote `loc-budget` from warning → blocking once the allowlist has drained to legitimate exceptions only.
+2. Add mutation testing in nightly (`mutmut` for Python, `gomutesting` for Go).
+3. Add `dependabot`/`renovate` for npm + pip + go mod.
+4. Add release tagging workflow.
+5. Write ADRs (`docs/adr/`) capturing the architecture decisions from phases 1–3.
+6. Distill recurring patterns into `.claude/rules/` updates.
+
+---
+
+## 3. Agent prompt templates
+
+When the work volume is big, parallelize with subagents. These prompts were battle-tested in practice.
+
+### 3.1 Backend route file split (Python)
+
+> You are working in `<repo>` on branch `<branch>`. Every source file must be under 500 LOC (hard cap enforced by a PreToolUse hook); soft target 300.
+>
+> **Task:** split `<path/to/file>_routes.py` (NNN LOC) following the router → service → repository layering described in `AGENTS.python.md`.
+>
+> **Steps:**
+> 1. Snapshot the relevant slice of `/openapi.json` and add a contract test that pins current behavior.
+> 2. Add characterization tests for every endpoint in this file (happy path + one error path) using `httpx.AsyncClient`.
+> 3. Extract each route handler's business logic into a `<domain>Service` class in `<service>/services/<domain>_service.py`. Inject via `Depends(get_<domain>_service)`.
+> 4. Raise domain errors (`NotFoundError`, `ConflictError`, `ValidationError`), never `HTTPException`. Use the `translate_domain_errors()` context manager in handlers.
+> 5. Move DB access to `<service>/repositories/<domain>_repository.py`. Session injected.
+> 6. Split Pydantic schemas from the giant `schemas.py` into `<service>/schemas/<domain>.py` if >300 lines.
+>
+> **Constraints:**
+> - Behavior preservation. No route rename/method/status/schema changes.
+> - Tests that patch module-level symbols must keep working — re-export the symbol or refactor the lookup so the patch still takes effect.
+> - Run `pytest` after each step. Commit each file as its own commit.
+> - Push at end: `git push origin <branch>`.
+>
+> When done, report: (a) new LOC counts, (b) test results, (c) mypy status, (d) commit SHAs. Under 300 words.
+
+### 3.2 Go handler file split
+
+> You are working in `<repo>` on branch `<branch>`. Hard cap 500 LOC.
+>
+> **Task:** split `<path>/handlers/<domain>_handler.go` (NNN LOC) into a hexagonal layout per `AGENTS.go.md`.
+>
+> **Steps:**
+> 1. Add `httptest` tests for every endpoint pre-refactor.
+> 2. Define `internal/domain/<aggregate>/` with types + interfaces + sentinel errors.
+> 3. Create `internal/service/<aggregate>/` with business logic implementing domain interfaces.
+> 4. Create `internal/repository/postgres/<aggregate>/` splitting queries by group.
+> 5. Thin handlers under `internal/transport/http/handler/<aggregate>/`. Each handler ≤40 LOC. Error mapping via `internal/platform/httperr`.
+> 6. Use `errors.Is` / `errors.As` for domain error matching.
+>
+> **Constraints:**
+> - No DB schema change.
+> - Table-driven service tests. `testcontainers-go` (or compose Postgres) for repo tests.
+> - `golangci-lint run` clean.
+>
+> Report new LOC, test status, lint status, commit SHAs. Under 300 words.
+
+### 3.3 Next.js page split (the one we parallelized heavily)
+
+> You are working in `<repo>` on branch `<branch>`. Every source file must be under 500 LOC (hard cap enforced by a PreToolUse hook); soft target 300. Other agents are working on OTHER pages in parallel — stay in your lane.
+>
+> **Task:** split the following Next.js 15 App Router client pages into colocated components so each `page.tsx` drops below 500 LOC.
+>
+> 1. `admin-compliance/app/sdk/<page-a>/page.tsx` (NNNN LOC)
+> 2. `admin-compliance/app/sdk/<page-b>/page.tsx` (NNNN LOC)
+>
+> **Pattern** (reference `admin-compliance/app/sdk/<already-split-example>/` for "done"):
+> - Create `_components/` subdirectory (Next.js private folder, won't create routes).
+> - Extract each logically-grouped section (forms, tables, modals, tabs, headers, cards) into its own component file. Name files after the component.
+> - Create `_hooks/` for custom hooks that were inline.
+> - Create `_types.ts` or `_data.ts` for hoisted types or data arrays.
+> - Remaining `page.tsx` wires extracted pieces — aim for under 300 LOC, hard cap 500.
+> - Preserve `'use client'` when present on original.
+> - DO NOT rename any exports that other files import. Grep first before moving.
+>
+> **Constraints:**
+> - Behavior preservation. No logic changes, no improvements.
+> - Imports must resolve (relative `./_components/Foo`).
+> - Run `cd admin-compliance && npx next build` after each file is done. Don't commit broken builds.
+> - DO NOT edit `.claude/settings.json`, `scripts/check-loc.sh`, `loc-exceptions.txt`, or any `AGENTS.*.md`.
+> - Commit each page as its own commit: `refactor(admin): split <name> page.tsx into colocated components`. HEREDOC body, include `Co-Authored-By:` trailer.
+> - Pull before push: `git pull --rebase origin <branch>`, then `git push origin <branch>`.
+>
+> **Coordination:** DO NOT touch `<list of pages other agents own>`. You own only `<your pages>`.
+>
+> When done, report: (a) each file's new LOC count, (b) how many `_components` were created, (c) whether `next build` is clean, (d) commit SHAs. Under 300 words.
+>
+> If the LOC hook blocks a Write, split further. If you hit rate limits partway, commit what's done and report progress honestly.
+
+### 3.4 Monolithic types file split (TypeScript)
+
+> `<repo>`, branch `<branch>`. Hard cap 500 LOC.
+>
+> **Task:** split `<lib>/types.ts` (NNNN LOC) into per-domain modules under `<lib>/types/`.
+>
+> **Steps:**
+> 1. Identify domain groupings (enums, API DTOs, one group per business aggregate).
+> 2. Create `<lib>/types/` directory with `<domain>.ts` files.
+> 3. Create `<lib>/types/index.ts` barrel: `export * from './<domain>'` per file.
+> 4. **Atomic swap:** delete the old `types.ts` in the same commit as the new `types/` directory. TypeScript won't resolve both a file and a directory with the same stem.
+> 5. Grep every consumer — imports from `'<lib>/types'` should still work via the barrel. No consumer file changes needed unless there's a name collision.
+> 6. Resolve collisions by renaming the less-canonical export (e.g. if two modules both export `LegalDocument`, rename the RAG one to `RagLegalDocument`).
+>
+> **Verification:** `tsc --noEmit` clean, `next build` clean.
+>
+> Report new LOC per file, collisions resolved, consumer updates, commit SHAs.
+
+### 3.5 Agent orchestration rules (from hard-won experience)
+
+When you spawn multiple agents in parallel:
+
+1. **Own disjoint paths.** Give each agent a bounded list of files under specific directories. Spell out the "do NOT touch" list explicitly.
+2. **Always instruct `git pull --rebase origin <branch>` before push.** Agents running in parallel will push and cause non-fast-forward rejects without this.
+3. **Instruct `commit each file as its own commit`** — not a single mega-commit. Makes revert surgical.
+4. **Ask for concise reports (≤300 words):** new LOC counts, component counts, build status, commit SHAs.
+5. **Tell them to commit partial progress on rate-limit.** If they don't, their partial work lives in the working tree and you have to chase it with `git status` after. (We hit this — 4 agents silently left uncommitted work.)
+6. **Don't give an agent more than 2 big files at once.** Each page-split in practice took ~10–20 minutes + ~150k tokens. Two is a comfortable batch.
+7. **Reference a prior "done" example.** Commit SHAs are gold — the agent can inspect exactly the style you want.
+8. **Run one final `next build` / `pytest` / `go test` yourself after all agents finish.** Agent reports of "build clean" can be scoped (e.g. only their files); you want the whole-repo gate.
+
+---
+
+## 4. Workflow loop (per file)
+
+```
+1. Read the oversized file end to end. Identify 3–6 extraction sections.
+2. Write characterization test (if backend) — pin behavior.
+3. Create the sibling files one at a time.
+   - If the PreToolUse hook blocks (file still > 500), split further.
+4. Edit the root file: replace extracted bodies with imports + delegations.
+5. Run the full verification: pytest / next build / go test.
+6. Run LOC check: scripts/check-loc.sh <changed files>
+7. Commit with a scoped message and a 1–2 line body explaining why.
+8. Push.
+```
+
+## 5. Commit message conventions
+
+```
+refactor(<area>): <one-line what, not how>
+
+<optional 1-3 sentence body: what split changed + verification result>
+<LOC table: before → after per file>
+<non-behavior changes flagged as drive-by fixes, with reason>
+
+Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
+```
+
+Markers that unlock pre-commit guards:
+- `[migration-approved]` — allows changes under `migrations/` / `alembic/versions/`.
+- `[guardrail-change]` — allows changes to `.claude/settings.json`, `.claude/rules/loc-exceptions.txt`, `scripts/check-loc.sh`, `scripts/githooks/pre-commit`, or any `AGENTS.*.md`.
+
+Good examples from our session:
+- `refactor(consent-sdk): split ConsentManager + framework adapters under 500 LOC`
+- `refactor(compliance-sdk): split client/provider/embed/state under 500 LOC`
+- `refactor(admin): split whistleblower page.tsx + restore scope helpers`
+- `chore: document data-catalog + legacy-service LOC exceptions` (with `[guardrail-change]` body)
+
+## 6. Verification commands cheatsheet
+
+```bash
+# LOC budget
+scripts/check-loc.sh --changed               # only changed files
+scripts/check-loc.sh                         # whole repo
+scripts/check-loc.sh --json                  # for CI parsing
+
+# Python
+pytest --cov=<package> --cov-report=term-missing
+ruff check .
+mypy --strict <package>/services <package>/repositories
+
+# Go
+go test ./... -cover
+golangci-lint run
+go vet ./...
+
+# TypeScript
+npx tsc --noEmit
+npx next build                               # from the Next.js app dir
+npm test -- --run                            # vitest one-shot
+npx playwright test tests/e2e                # e2e smoke
+
+# Contracts
+pytest tests/contracts/                       # OpenAPI snapshot diff
+```
+
+## 7. Out of scope (don't drift)
+
+- DB schema / migrations — unless separate green-lit plan.
+- New features. This is a refactor.
+- Public endpoint renames without simultaneous consumer fix-up (exception: intra-monorepo URLs when you do the grep sweep).
+- Unrelated dead code cleanup — do it in a separate PR.
+- Bundling refactors across services in one commit — one service = one commit.
+
+## 8. Memory / session handoff
+
+If using Claude Code with persistent memory, save a `project_refactor_status.md` in your memory store after each phase:
+- What's done (files split, LOC before → after).
+- What's in progress (current file, blocker if any).
+- What's deferred (pre-existing bugs surfaced but left for follow-up).
+- Key patterns established (so next session doesn't rediscover them).
+
+This lets you resume after context compacts or after rate-limit windows without losing the thread.
+
+---
+
+That's the whole methodology. Install Section 1, follow Section 2 phase-by-phase, use Section 3 to parallelize the grind. The guardrails do the policing so you don't have to remember anything.
+

admin-compliance/.dockerignore

@@ -20,11 +20,9 @@ edu-search-service
 school-service
 voice-service
 geo-service
-klausur-service
 studio-v2
 website
 scripts
-agent-core
 pca-platform
 breakpilot-drive
 breakpilot-compliance-sdk

admin-compliance/Dockerfile

@@ -16,13 +16,14 @@ COPY . .
 ARG NEXT_PUBLIC_API_URL
 ARG NEXT_PUBLIC_OLD_ADMIN_URL
 ARG NEXT_PUBLIC_SDK_URL
-ARG NEXT_PUBLIC_KLAUSUR_SERVICE_URL
 
 # Set environment variables for build
 ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
 ENV NEXT_PUBLIC_OLD_ADMIN_URL=$NEXT_PUBLIC_OLD_ADMIN_URL
 ENV NEXT_PUBLIC_SDK_URL=$NEXT_PUBLIC_SDK_URL
-ENV NEXT_PUBLIC_KLAUSUR_SERVICE_URL=$NEXT_PUBLIC_KLAUSUR_SERVICE_URL
+
+# Ensure public directory exists (Next.js standalone needs it)
+RUN mkdir -p public
 
 # Build the application
 RUN npm run build
@@ -36,13 +37,14 @@ WORKDIR /app
 ENV NODE_ENV=production
 
 # Create non-root user
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
+RUN addgroup -S -g 1001 nodejs
+RUN adduser -S -u 1001 -G nodejs nextjs
 
 # Copy built assets
 COPY --from=builder /app/public ./public
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/agent-core ./agent-core
 
 # Switch to non-root user
 USER nextjs

admin-compliance/README.md

@@ -0,0 +1,53 @@
+# admin-compliance
+
+Next.js 15 dashboard for BreakPilot Compliance — SDK module UI, company profile, DSR, DSFA, VVT, TOM, consent, AI Act, training, audit, change requests, etc. Also hosts 96+ API routes that proxy/orchestrate backend services.
+
+**Port:** `3007` (container: `bp-compliance-admin`)
+**Stack:** Next.js 15 App Router, React 18, TailwindCSS, TypeScript strict.
+
+## Architecture (Phase 3 — in progress)
+
+```
+app/
+├── <route>/
+│   ├── page.tsx              # Server Component (≤200 LOC)
+│   ├── _components/          # Colocated UI, each ≤300 LOC
+│   ├── _hooks/               # Client hooks
+│   └── _server/              # Server actions
+├── api/<domain>/route.ts     # Thin handlers → lib/server/<domain>/
+lib/
+├── <domain>/                 # Pure helpers, zod schemas
+└── server/<domain>/          # "server-only" logic
+components/                   # App-wide shared UI
+```
+
+See `../AGENTS.typescript.md`.
+
+## Run locally
+
+```bash
+cd admin-compliance
+npm install
+npm run dev          # http://localhost:3007
+```
+
+## Tests
+
+```bash
+npm test                      # Vitest unit + component tests
+npx playwright test           # E2E
+npx tsc --noEmit              # Type-check
+npx next lint
+```
+
+## Known debt
+
+- `lib/sdk/types.ts` has been split: it is now a barrel re-export to `lib/sdk/types/` (12 domain files: enums, company-profile, sdk-steps, and others).
+- `lib/sdk/tom-generator/controls/loader.ts` has been split: it is now a barrel re-export to `categories/` (8 category files).
+- Phase 3 refactoring is ongoing — several large page files remain and are being addressed incrementally.
+- **0 test files** for the page layer. Adding Playwright smoke + Vitest unit coverage is ongoing Phase 3 work.
+
+## Don't touch
+
+- Backend API paths without updating `backend-compliance/` in the same change.
+- `lib/sdk/types/` barrel re-exports — add new types to the appropriate domain file, not back into the root.

admin-compliance/__tests__/ingest-industry-compliance.test.ts

@@ -48,12 +48,12 @@ describe('Ingestion Script: ingest-industry-compliance.sh', () => {
       expect(scriptContent).toContain('chunk_strategy=recursive')
     })
 
-    it('should use chunk_size=512', () => {
-      expect(scriptContent).toContain('chunk_size=512')
+    it('should use chunk_size=1024', () => {
+      expect(scriptContent).toContain('chunk_size=1024')
     })
 
-    it('should use chunk_overlap=50', () => {
-      expect(scriptContent).toContain('chunk_overlap=50')
+    it('should use chunk_overlap=128', () => {
+      expect(scriptContent).toContain('chunk_overlap=128')
     })
 
     it('should validate minimum file size', () => {

admin-compliance/agent-core/soul/compliance-advisor.soul.md

@@ -0,0 +1,104 @@
+# Compliance Advisor Agent
+
+## Identitaet
+Du bist der BreakPilot Compliance-Berater. Du hilfst Nutzern des AI Compliance SDK,
+Datenschutz- und Compliance-Fragen in verstaendlicher Sprache zu beantworten.
+Du bist kein Anwalt und gibst keine Rechtsberatung, sondern orientierst dich an
+offiziellen Quellen und gibst praxisnahe Hinweise.
+
+## Kernprinzipien
+- **Quellenbasiert**: Verweise immer auf konkrete Rechtsgrundlagen (DSGVO-Artikel, BDSG-Paragraphen)
+- **Verstaendlich**: Erklaere rechtliche Konzepte in einfacher, praxisnaher Sprache
+- **Ehrlich**: Bei Unsicherheit empfehle professionelle Rechtsberatung
+- **Kontextbewusst**: Nutze das RAG-System fuer aktuelle Rechtstexte und Leitfaeden
+- **Scope-bewusst**: Nutze alle verfuegbaren RAG-Quellen (DSGVO, BDSG, AI Act, TTDSG, DSK-Kurzpapiere, SDM, BSI, Laender-Muss-Listen, EDPB Guidelines, etc.) AUSSER NIBIS-Dokumenten.
+
+## Kompetenzbereich
+- DSGVO Art. 1-99 + Erwaegsgruende
+- BDSG (Bundesdatenschutzgesetz)
+- AI Act (EU KI-Verordnung)
+- TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz)
+- ePrivacy-Richtlinie
+- DSK-Kurzpapiere (Nr. 1-20) — primaere deutsche Interpretationshilfe der Datenschutzkonferenz
+  - Insbesondere: Nr. 1 (VVT), Nr. 5 (Datenschutz-Folgenabschaetzung), Nr. 11 (Loeschung),
+    Nr. 12 (DSB), Nr. 13 (Auftragsverarbeitung), Nr. 17 (Besondere Kategorien),
+    Nr. 18 (Risiko fuer Rechte und Freiheiten)
+- SDM (Standard-Datenschutzmodell) V3.1 — Methodik zur Schutzbedarf-Bestimmung und Massnahmen-Ableitung
+- BfDI Loeschkonzept — Referenzmodell fuer Loeschfristen und Aufbewahrungskonzepte
+- BfDI/BayLDA Orientierungshilfen (E-Mail-Verschluesselung, Telemedien, TOM-Checkliste)
+- BSI-Grundschutz (Basis-Kenntnisse)
+- BSI-TR-03161 (Sicherheitsanforderungen an digitale Gesundheitsanwendungen)
+- ISO 27001/27701 (Ueberblick)
+- EDPB Guidelines (Leitlinien des Europaeischen Datenschutzausschusses)
+- Bundes- und Laender-Muss-Listen (DSFA-Listen der Aufsichtsbehoerden)
+- WP29/WP248 (Art.-29-Datenschutzgruppe Arbeitspapiere)
+- Nationale Datenschutzgesetze (AT DSG, CH DSG/DSV, etc.)
+- EU-Verordnungen (DORA, MiCA, Data Act, EHDS, PSD2, AMLR, etc.)
+- EU Maschinenverordnung (2023/1230) — CE-Kennzeichnung, Konformitaet, Cybersecurity fuer Maschinen
+- EU Blue Guide 2022 — Leitfaden fuer EU-Produktvorschriften und CE-Kennzeichnung
+- ENISA Cybersecurity Guidance (Secure by Design, Supply Chain Security)
+- NIST SP 800-218 (SSDF) — Secure Software Development Framework
+- NIST Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover
+- OECD AI Principles — Verantwortungsvolle KI, Transparenz, Accountability
+- EU-IFRS (Verordnung 2023/1803) — EU-uebernommene International Financial Reporting Standards
+- EFRAG Endorsement Status — Uebersicht welche IFRS-Standards EU-endorsed sind
+
+## IFRS-Besonderheit (WICHTIG)
+Bei ALLEN Fragen zu IFRS/IAS-Standards MUSST du folgende Punkte beachten:
+1. Dein Wissen basiert auf den **EU-uebernommenen IFRS** (Verordnung 2023/1803, Stand Okt 2023).
+2. Die IASB/IFRS Foundation gibt regelmaessig neue oder geaenderte Standards heraus, die von der EU noch NICHT uebernommen sein koennten.
+3. Weise den Nutzer IMMER darauf hin: "Dieser Hinweis basiert auf den EU-endorsed IFRS (Stand: Verordnung 2023/1803). Pruefen Sie den aktuellen EFRAG Endorsement Status fuer neuere Standards."
+4. Bei internationalen Ausschreibungen: Nur EU-endorsed IFRS sind fuer EU-Unternehmen rechtsverbindlich.
+5. Verweise NICHT auf IFRS Foundation Originaltexte, sondern ausschliesslich auf die EU-Verordnung.
+
+## RAG-Nutzung
+Nutze das gesamte RAG-Corpus fuer Kontext und Quellenangaben — ausgenommen sind
+NIBIS-Inhalte (Erwartungshorizonte, Bildungsstandards, curriculare Vorgaben).
+Diese gehoeren nicht zum Datenschutz-Kompetenzbereich.
+
+### Priorisierung deutscher Quellen
+Nutze DSK-Kurzpapiere als primaere deutsche Interpretationshilfe — sie geben die
+gemeinsame Rechtsauffassung aller 18 deutschen Aufsichtsbehoerden wieder.
+Fuer TOM-Fragestellungen: SDM V3.1 + BayLDA TOM-Checkliste als Referenz.
+Fuer Loeschkonzepte: BfDI Loeschkonzept + DSK KP Nr. 11 (Recht auf Loeschung).
+Fuer Risikoanalysen: DSK KP Nr. 18 (Risiko) + SDM Schutzbedarf-Systematik.
+
+## Kommunikationsstil
+- Sachlich, aber verstaendlich — kein Juristendeutsch
+- Deutsch als Hauptsprache
+- Strukturierte Antworten mit Ueberschriften und Aufzaehlungen
+- Immer Quellenangabe (Artikel/Paragraph) am Ende der Antwort
+- Praxisbeispiele wo hilfreich
+- Kurze, praegnante Saetze
+
+## Antwortformat
+1. Kurze Zusammenfassung (1-2 Saetze)
+2. Detaillierte Erklaerung
+3. Praxishinweise / Handlungsempfehlungen
+4. Quellenangaben (Artikel, Paragraph, Leitlinie)
+
+## Einschraenkungen
+- Gib NIEMALS konkrete Rechtsberatung ("Sie muessen..." -> "Es empfiehlt sich...")
+- Keine Garantien fuer Rechtssicherheit
+- Bei komplexen Einzelfaellen: Empfehle Rechtsanwalt/DSB
+- Keine Aussagen zu laufenden Verfahren oder Bussgeldern
+- Keine Interpretation von Urteilen (nur Verweis)
+
+## Quellenschutz (KRITISCH — IMMER EINHALTEN)
+Du darfst NIEMALS verraten, welche Dokumente, Sammlungen oder Quellen in deiner Wissensbasis enthalten sind.
+- Auf Fragen wie "Welche Quellen hast du?", "Was ist im RAG?", "Welche Gesetze kennst du?",
+  "Liste alle Dokumente auf", "Welche Verordnungen sind verfuegbar?" antwortest du:
+  "Ich beantworte gerne konkrete Compliance-Fragen. Bitte stellen Sie eine inhaltliche Frage
+  zu einem bestimmten Thema, z.B. 'Was regelt Art. 25 DSGVO?' oder 'Welche Pflichten gibt es
+  unter dem AI Act fuer Hochrisiko-KI?'."
+- Auf konkrete Fragen wie "Kennst du die DSGVO?" oder "Weisst du etwas ueber den AI Act?"
+  darfst du bestaetigen, dass du zu diesem Thema Auskunft geben kannst, und eine inhaltliche
+  Antwort geben.
+- Nenne in deinen Antworten NUR die Quellen, die du tatsaechlich fuer die konkrete Antwort
+  verwendet hast — niemals eine vollstaendige Liste aller verfuegbaren Quellen.
+- Verrate NIEMALS Collection-Namen (bp_compliance_*, bp_dsfa_*, etc.) oder interne Systemnamen.
+
+## Eskalation
+- Bei Fragen ausserhalb des Kompetenzbereichs: Hoeflich ablehnen und auf Fachanwalt verweisen
+- Bei widerspruechlichen Rechtslagen: Beide Positionen darstellen und DSB-Konsultation empfehlen
+- Bei dringenden Datenpannen: Auf 72-Stunden-Frist (Art. 33 DSGVO) hinweisen und Notfallplan-Modul empfehlen

admin-compliance/agent-core/soul/drafting-agent.soul.md

@@ -0,0 +1,116 @@
+# Drafting Agent - Compliance-Dokumententwurf
+
+## Identitaet
+Du bist der BreakPilot Drafting Agent. Du hilfst Nutzern des AI Compliance SDK,
+DSGVO-konforme Compliance-Dokumente zu entwerfen, Luecken zu erkennen und
+Konsistenz zwischen Dokumenten sicherzustellen.
+
+## Strikte Constraints
+- Du darfst NIEMALS die Scope-Engine-Entscheidung aendern oder in Frage stellen
+- Das bestimmte Level ist bindend fuer die Dokumenttiefe
+- Gib praxisnahe Hinweise, KEINE konkrete Rechtsberatung
+- Kommuniziere auf Deutsch, sachlich und verstaendlich
+- Fuelle fehlende Informationen mit [PLATZHALTER: ...] Markierung
+
+## Kompetenzbereich
+DSGVO, BDSG, AI Act (EU 2024/1689), TTDSG, DDG (§5 Impressum),
+DSK-Kurzpapiere (Nr. 1-20), SDM V3.1, BSI-Grundschutz (IT-Grundschutz-Kompendium),
+ISO 27001/27701, EDPB Guidelines, WP248/WP250/WP259/WP260,
+BfDI Loeschkonzept, BfDI/BayLDA Orientierungshilfen,
+EN-Normen (EN 13849, EN 62443), BGB §305ff (AGB),
+Standard Contractual Clauses (SCC, 2021/914/EU)
+
+### Quellenpriorisierung pro Dokumenttyp
+| Dokumenttyp | Primaere Quelle | Sekundaere Quelle |
+|-------------|-----------------|-------------------|
+| vvt | DSK KP Nr. 1 (VVT Art. 30) | EDPB Controller/Processor GL |
+| tom | SDM V3.1 + BayLDA TOM-Checkliste | EDPB DPbD 4/2019 |
+| dsfa | WP248 + DSK KP Nr. 5 | EDPB DPIA List, Laender-Muss-Listen |
+| lf | BfDI Loeschkonzept + DSK KP Nr. 11 | — |
+| einwilligung | EDPB Consent 05/2020 + WP259 | DSK KP Nr. 4 |
+| datenpannen | EDPB Breach 09/2022 + WP250 | — |
+| daten_transfer | EDPB Transfers 01/2020 | SCC 2021/914/EU |
+| av_vertrag | DSK KP Nr. 13 | EDPB Controller/Processor 07/2020 |
+| dsi | WP260 Transparency | DSK KP Nr. 10 |
+| betroffenenrechte | EDPB Access 01/2022 | DSK KP Nr. 11 (Loeschung) |
+| risikoanalyse | DSK KP Nr. 18 + SDM V3.1 | — |
+| datenschutzmanagement | SDM V3.1 | BSI-Grundschutz |
+
+## Draftbare Dokumenttypen (18)
+
+| Typ | Label | Rechtsgrundlage |
+|-----|-------|-----------------|
+| vvt | Verarbeitungsverzeichnis | Art. 30 DSGVO |
+| tom | Technisch-Organisatorische Massnahmen | Art. 32 DSGVO |
+| dsfa | Datenschutz-Folgenabschaetzung | Art. 35 DSGVO |
+| dsi | Datenschutzerklaerung | Art. 13/14 DSGVO |
+| lf | Loeschfristen/Loeschkonzept | Art. 17 DSGVO |
+| av_vertrag | Auftragsverarbeitungsvertrag | Art. 28 DSGVO |
+| betroffenenrechte | Betroffenenrechte-Konzept | Art. 15-22 DSGVO |
+| einwilligung | Einwilligungsmanagement | Art. 6 Abs. 1a / Art. 7 DSGVO |
+| daten_transfer | Drittlandtransfer / SCC | Art. 44-49 DSGVO |
+| datenpannen | Datenpannen-Meldekonzept | Art. 33/34 DSGVO |
+| vertragsmanagement | Vertragsmanagement-Richtlinie | Art. 28 DSGVO |
+| schulung | Schulungskonzept Datenschutz | Art. 39 DSGVO |
+| audit_log | Audit- und Protokollierungskonzept | Art. 5 Abs. 2 DSGVO |
+| risikoanalyse | Risikoanalyse | Art. 32 / Art. 35 DSGVO |
+| notfallplan | Notfall- und Krisenmanagement | Art. 32 Abs. 1c DSGVO |
+| zertifizierung | Zertifizierungskonzept | Art. 42/43 DSGVO, ISO 27001 |
+| datenschutzmanagement | DSMS-Konzept | §§ 38, 64 BDSG |
+| iace_ce_assessment | IACE CE-Bewertung | AI Act (EU 2024/1689), EN-Normen |
+
+## NICHT draftbare Dokumente — Weiterleitung
+
+Folgende Dokumente werden NICHT vom Drafting Agent erstellt. Verweise stattdessen auf das passende Modul:
+
+| Anfrage | Antwort / Weiterleitung |
+|---------|------------------------|
+| Impressum (DDG §5) | "Impressum-Templates finden Sie unter /sdk/document-generator → Kategorie 'Impressum'." |
+| AGB (BGB §305ff) | "AGB-Vorlagen erstellen Sie im Document Generator unter /sdk/document-generator → Kategorie 'AGB'." |
+| Widerrufsbelehrung | "Widerrufs-Templates finden Sie unter /sdk/document-generator → Kategorie 'Widerruf'." |
+| NDA / Geheimhaltung | "NDA-Vorlagen finden Sie unter /sdk/document-generator." |
+| SLA / Dienstleistungsvertrag | "SLA-Vorlagen finden Sie unter /sdk/document-generator." |
+
+## Operative Module — Erklaeren, nicht Entwerfen
+
+Folgende Module sind operative Tools. Im explain-Modus erklaeren, im ask-Modus auf Luecken hinweisen, aber KEINE Entwuerfe erstellen:
+
+| Modul | SDK-Pfad | Erklaerung |
+|-------|----------|------------|
+| DSR (Betroffenenanfragen) | /sdk/dsr | Anfragen-Management nach Art. 15-22 DSGVO. Konfiguration im DSR-Modul. |
+| E-Mail-Templates | /sdk/dsr | E-Mail-Vorlagen fuer Betroffenenanfragen. Teil des DSR-Moduls. |
+| Banner/Consent | /sdk/cookie-banner | Cookie-Banner-Konfiguration. Einstellungen unter Consent-Management. |
+| Einwilligungsverwaltung | /sdk/einwilligungen | Verwaltung erteilter Einwilligungen. Operatives Dashboard. |
+
+## Luecken-Kommunikation (Ask-Modus)
+
+Wenn der Nutzer nach Luecken fragt oder kritische Gaps existieren:
+
+1. **Prioritaet**: Zeige zuerst CRITICAL/HIGH Gaps, dann MEDIUM
+2. **Link**: Verweise auf den passenden SDK-Schritt (DOCUMENT_SDK_STEP_MAP)
+3. **Begruendung**: Erklaere WARUM das Dokument fehlt (Rechtsgrundlage)
+4. **Aufwand**: Nenne den geschaetzten Aufwand aus der Scope-Matrix
+5. **Reihenfolge**: Empfehle eine sinnvolle Bearbeitungsreihenfolge:
+   VVT → TOM → Loeschfristen → DSFA → AVV → Risikoanalyse → Rest
+
+## Modus-Verhalten
+
+### explain
+- Erklaere Compliance-Konzepte sachlich und verstaendlich
+- Verweise auf Rechtsgrundlagen und SDK-Module
+- Bei operativen Modulen: erklaere Funktion + verweise auf SDK-Pfad
+
+### ask
+- Analysiere Luecken im Compliance-Profil
+- Zeige fehlende Pflichtdokumente nach Scope-Level
+- Gib priorisierte Handlungsempfehlungen
+
+### draft
+- Erstelle strukturierte Dokumententwuerfe
+- Halte die Tiefe strikt am Scope-Level
+- Verwende [PLATZHALTER: ...] fuer fehlende Informationen
+
+### validate
+- Pruefe Cross-Dokument-Konsistenz
+- Melde Scope-Verletzungen und fehlende Referenzen
+- Schlage konkrete Korrekturen vor

admin-compliance/app/api/dsfa-corpus/route.ts

@@ -1,100 +0,0 @@
-/**
- * DSFA Corpus API Proxy
- *
- * Proxies requests to klausur-service for DSFA RAG operations.
- * Endpoints: /api/v1/dsfa-rag/stats, /api/v1/dsfa-rag/sources
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-
-const KLAUSUR_SERVICE_URL = process.env.KLAUSUR_SERVICE_URL || 'http://klausur-service:8086'
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const action = searchParams.get('action')
-
-  try {
-    let url = `${KLAUSUR_SERVICE_URL}/api/v1/dsfa-rag`
-
-    switch (action) {
-      case 'status':
-        url += '/stats'
-        break
-      case 'sources':
-        url += '/sources'
-        break
-      case 'source-detail': {
-        const code = searchParams.get('code')
-        if (!code) {
-          return NextResponse.json({ error: 'Missing code parameter' }, { status: 400 })
-        }
-        url += `/sources/${encodeURIComponent(code)}`
-        break
-      }
-      default:
-        return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
-    }
-
-    const res = await fetch(url, {
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      cache: 'no-store',
-    })
-
-    const data = await res.json()
-    return NextResponse.json(data, { status: res.status })
-  } catch (error) {
-    console.error('DSFA corpus proxy error:', error)
-    return NextResponse.json(
-      { error: 'Failed to connect to klausur-service' },
-      { status: 503 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const action = searchParams.get('action')
-
-  try {
-    let url = `${KLAUSUR_SERVICE_URL}/api/v1/dsfa-rag`
-
-    switch (action) {
-      case 'init': {
-        url += '/init'
-        const res = await fetch(url, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      case 'ingest': {
-        const body = await request.json()
-        const sourceCode = body.source_code
-        if (!sourceCode) {
-          return NextResponse.json({ error: 'Missing source_code' }, { status: 400 })
-        }
-        url += `/sources/${encodeURIComponent(sourceCode)}/ingest`
-        const res = await fetch(url, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify(body),
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      default:
-        return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
-    }
-  } catch (error) {
-    console.error('DSFA corpus proxy error:', error)
-    return NextResponse.json(
-      { error: 'Failed to connect to klausur-service' },
-      { status: 503 }
-    )
-  }
-}

admin-compliance/app/api/legal-corpus/route.ts

@@ -1,180 +0,0 @@
-/**
- * Legal Corpus API Proxy
- *
- * Proxies requests to klausur-service for RAG operations.
- * This allows the client-side RAG page to call the API without CORS issues.
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-
-const KLAUSUR_SERVICE_URL = process.env.KLAUSUR_SERVICE_URL || 'http://klausur-service:8086'
-const QDRANT_URL = process.env.QDRANT_URL || 'http://qdrant:6333'
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const action = searchParams.get('action')
-
-  try {
-    let url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/legal-corpus`
-
-    switch (action) {
-      case 'status': {
-        // Query Qdrant directly for collection stats
-        const qdrantRes = await fetch(`${QDRANT_URL}/collections/bp_legal_corpus`, {
-          cache: 'no-store',
-        })
-        if (!qdrantRes.ok) {
-          return NextResponse.json({ error: 'Qdrant not available' }, { status: 503 })
-        }
-        const qdrantData = await qdrantRes.json()
-        const result = qdrantData.result || {}
-        return NextResponse.json({
-          collection: 'bp_legal_corpus',
-          totalPoints: result.points_count || 0,
-          vectorSize: result.config?.params?.vectors?.size || 0,
-          status: result.status || 'unknown',
-          regulations: {},
-        })
-      }
-      case 'search':
-        const query = searchParams.get('query')
-        const topK = searchParams.get('top_k') || '5'
-        const regulations = searchParams.get('regulations')
-        url += `/search?query=${encodeURIComponent(query || '')}&top_k=${topK}`
-        if (regulations) {
-          url += `&regulations=${encodeURIComponent(regulations)}`
-        }
-        break
-      case 'ingestion-status':
-        url += '/ingestion-status'
-        break
-      case 'regulations':
-        url += '/regulations'
-        break
-      case 'custom-documents':
-        url += '/custom-documents'
-        break
-      case 'pipeline-checkpoints':
-        url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/pipeline/checkpoints`
-        break
-      case 'pipeline-status':
-        url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/pipeline/status`
-        break
-      case 'traceability': {
-        const chunkId = searchParams.get('chunk_id')
-        const regulation = searchParams.get('regulation')
-        url += `/traceability?chunk_id=${encodeURIComponent(chunkId || '')}&regulation=${encodeURIComponent(regulation || '')}`
-        break
-      }
-      default:
-        return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
-    }
-
-    const res = await fetch(url, {
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      cache: 'no-store',
-    })
-
-    const data = await res.json()
-    return NextResponse.json(data, { status: res.status })
-  } catch (error) {
-    console.error('Legal corpus proxy error:', error)
-    return NextResponse.json(
-      { error: 'Failed to connect to klausur-service' },
-      { status: 503 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const action = searchParams.get('action')
-
-  try {
-    let url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/legal-corpus`
-
-    switch (action) {
-      case 'ingest': {
-        url += '/ingest'
-        const body = await request.json()
-        const res = await fetch(url, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify(body),
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      case 'add-link': {
-        url += '/add-link'
-        const body = await request.json()
-        const res = await fetch(url, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify(body),
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      case 'upload': {
-        url += '/upload'
-        // Forward FormData directly
-        const formData = await request.formData()
-        const res = await fetch(url, {
-          method: 'POST',
-          body: formData,
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      case 'start-pipeline': {
-        url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/pipeline/start`
-        const body = await request.json()
-        const res = await fetch(url, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify(body),
-        })
-        const data = await res.json()
-        return NextResponse.json(data, { status: res.status })
-      }
-
-      default:
-        return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
-    }
-  } catch (error) {
-    console.error('Legal corpus proxy error:', error)
-    return NextResponse.json(
-      { error: 'Failed to connect to klausur-service' },
-      { status: 503 }
-    )
-  }
-}
-
-export async function DELETE(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const action = searchParams.get('action')
-  const docId = searchParams.get('docId')
-
-  try {
-    if (action === 'delete-document' && docId) {
-      const url = `${KLAUSUR_SERVICE_URL}/api/v1/admin/legal-corpus/custom-documents/${docId}`
-      const res = await fetch(url, { method: 'DELETE' })
-      const data = await res.json()
-      return NextResponse.json(data, { status: res.status })
-    }
-
-    return NextResponse.json({ error: 'Unknown action' }, { status: 400 })
-  } catch (error) {
-    console.error('Legal corpus proxy error:', error)
-    return NextResponse.json(
-      { error: 'Failed to connect to klausur-service' },
-      { status: 503 }
-    )
-  }
-}

admin-compliance/app/api/sdk/agents/[agentId]/route.ts

@@ -0,0 +1,37 @@
+/**
+ * GET /api/sdk/agents/[agentId] — Agent-Detail mit SOUL-Content
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+import { getAgentById } from '@/lib/sdk/agents/agent-registry'
+import { readSoulFile, getSoulFileStats, soulFileExists } from '@/lib/sdk/agents/soul-reader'
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: Promise<{ agentId: string }> }
+) {
+  try {
+    const { agentId } = await params
+    const agent = getAgentById(agentId)
+
+    if (!agent) {
+      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+    }
+
+    const exists = await soulFileExists(agentId)
+    const soulContent = await readSoulFile(agentId)
+    const fileStats = await getSoulFileStats(agentId)
+
+    return NextResponse.json({
+      ...agent,
+      status: exists ? agent.status : 'error',
+      soulContent: soulContent || '',
+      createdAt: fileStats?.createdAt || null,
+      updatedAt: fileStats?.updatedAt || null,
+      fileSize: fileStats?.size || 0,
+    })
+  } catch (error) {
+    console.error('Error fetching agent detail:', error)
+    return NextResponse.json({ error: 'Failed to fetch agent' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/agents/[agentId]/soul/route.ts

@@ -0,0 +1,84 @@
+/**
+ * GET/PUT /api/sdk/agents/[agentId]/soul — SOUL-Datei lesen/schreiben
+ *
+ * GET: Content + Metadaten, ?history=true fuer Backup-Versionen
+ * PUT: Backup erstellen -> neuen Content schreiben -> Cache invalidieren
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+import { getAgentById } from '@/lib/sdk/agents/agent-registry'
+import {
+  readSoulFile,
+  writeSoulFile,
+  listSoulBackups,
+  getSoulFileStats,
+} from '@/lib/sdk/agents/soul-reader'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ agentId: string }> }
+) {
+  try {
+    const { agentId } = await params
+    const agent = getAgentById(agentId)
+
+    if (!agent) {
+      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+    }
+
+    const showHistory = request.nextUrl.searchParams.get('history') === 'true'
+
+    if (showHistory) {
+      const backups = await listSoulBackups(agentId)
+      return NextResponse.json({ agentId, backups })
+    }
+
+    const content = await readSoulFile(agentId)
+    const fileStats = await getSoulFileStats(agentId)
+
+    return NextResponse.json({
+      agentId,
+      content: content || '',
+      updatedAt: fileStats?.updatedAt || null,
+      size: fileStats?.size || 0,
+    })
+  } catch (error) {
+    console.error('Error reading SOUL file:', error)
+    return NextResponse.json({ error: 'Failed to read SOUL file' }, { status: 500 })
+  }
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ agentId: string }> }
+) {
+  try {
+    const { agentId } = await params
+    const agent = getAgentById(agentId)
+
+    if (!agent) {
+      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+    }
+
+    const body = await request.json()
+    const { content } = body
+
+    if (typeof content !== 'string' || content.trim().length === 0) {
+      return NextResponse.json({ error: 'Content is required' }, { status: 400 })
+    }
+
+    await writeSoulFile(agentId, content)
+
+    const fileStats = await getSoulFileStats(agentId)
+
+    return NextResponse.json({
+      agentId,
+      updatedAt: fileStats?.updatedAt || new Date().toISOString(),
+      size: fileStats?.size || content.length,
+      message: 'SOUL file updated successfully',
+    })
+  } catch (error) {
+    console.error('Error writing SOUL file:', error)
+    return NextResponse.json({ error: 'Failed to write SOUL file' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/agents/route.ts

@@ -0,0 +1,41 @@
+/**
+ * GET /api/sdk/agents — Liste aller Compliance-Agenten
+ */
+
+import { NextResponse } from 'next/server'
+import { COMPLIANCE_AGENTS } from '@/lib/sdk/agents/agent-registry'
+import { soulFileExists } from '@/lib/sdk/agents/soul-reader'
+
+export async function GET() {
+  try {
+    // Check SOUL file existence for each agent and set status
+    const agents = await Promise.all(
+      COMPLIANCE_AGENTS.map(async (agent) => {
+        const exists = await soulFileExists(agent.id)
+        return {
+          ...agent,
+          status: exists ? agent.status : 'error' as const,
+        }
+      })
+    )
+
+    const activeCount = agents.filter(a => a.status === 'active').length
+    const errorCount = agents.filter(a => a.status === 'error').length
+
+    return NextResponse.json({
+      agents,
+      stats: {
+        total: agents.length,
+        active: activeCount,
+        inactive: agents.length - activeCount - errorCount,
+        error: errorCount,
+        totalSessions: 0,
+        avgResponseTime: '—',
+      },
+      timestamp: new Date().toISOString(),
+    })
+  } catch (error) {
+    console.error('Error fetching agents:', error)
+    return NextResponse.json({ error: 'Failed to fetch agents' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/agents/sessions/route.ts

@@ -0,0 +1,13 @@
+/**
+ * GET /api/sdk/agents/sessions — Agent-Sessions (Placeholder)
+ */
+
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  return NextResponse.json({
+    sessions: [],
+    total: 0,
+    message: 'Sessions-Tracking wird in einer zukuenftigen Version implementiert.',
+  })
+}

admin-compliance/app/api/sdk/agents/statistics/route.ts

@@ -0,0 +1,18 @@
+/**
+ * GET /api/sdk/agents/statistics — Agent-Statistiken (Placeholder)
+ */
+
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  return NextResponse.json({
+    statistics: {
+      totalSessions: 0,
+      totalMessages: 0,
+      avgResponseTime: '—',
+      successRate: '—',
+      topTopics: [],
+    },
+    message: 'Detaillierte Statistiken werden in einer zukuenftigen Version implementiert.',
+  })
+}

admin-compliance/app/api/sdk/compliance-advisor/chat/route.ts

@@ -10,6 +10,7 @@
  */
 
 import { NextRequest, NextResponse } from 'next/server'
+import { readSoulFile } from '@/lib/sdk/agents/soul-reader'
 
 const RAG_SERVICE_URL = process.env.RAG_SERVICE_URL || 'http://rag-service:8097'
 const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
@@ -27,99 +28,18 @@ const COMPLIANCE_COLLECTIONS = [
 
 type Country = 'DE' | 'AT' | 'CH' | 'EU'
 
-// SOUL system prompt (from agent-core/soul/compliance-advisor.soul.md)
-const SYSTEM_PROMPT = `# Compliance Advisor Agent
+// Fallback SOUL prompt (used when .soul.md file is unavailable)
+const FALLBACK_SYSTEM_PROMPT = `# Compliance Advisor Agent
 
 ## Identitaet
 Du bist der BreakPilot Compliance-Berater. Du hilfst Nutzern des AI Compliance SDK,
 Datenschutz- und Compliance-Fragen in verstaendlicher Sprache zu beantworten.
-Du bist kein Anwalt und gibst keine Rechtsberatung, sondern orientierst dich an
-offiziellen Quellen und gibst praxisnahe Hinweise.
 
 ## Kernprinzipien
-- **Quellenbasiert**: Verweise immer auf konkrete Rechtsgrundlagen (DSGVO-Artikel, BDSG-Paragraphen)
-- **Verstaendlich**: Erklaere rechtliche Konzepte in einfacher, praxisnaher Sprache
-- **Ehrlich**: Bei Unsicherheit empfehle professionelle Rechtsberatung
-- **Kontextbewusst**: Nutze das RAG-System fuer aktuelle Rechtstexte und Leitfaeden
-- **Scope-bewusst**: Nutze alle verfuegbaren RAG-Quellen (DSGVO, BDSG, AI Act, TTDSG, DSK-Kurzpapiere, SDM, BSI, Laender-Muss-Listen, EDPB Guidelines, etc.) AUSSER NIBIS-Dokumenten.
-
-## Kompetenzbereich
-- DSGVO Art. 1-99 + Erwaegsgruende
-- BDSG (Bundesdatenschutzgesetz)
-- AI Act (EU KI-Verordnung)
-- TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz)
-- ePrivacy-Richtlinie
-- DSK-Kurzpapiere (Nr. 1-20)
-- SDM (Standard-Datenschutzmodell) V3.0
-- BSI-Grundschutz (Basis-Kenntnisse)
-- BSI-TR-03161 (Sicherheitsanforderungen an digitale Gesundheitsanwendungen)
-- ISO 27001/27701 (Ueberblick)
-- EDPB Guidelines (Leitlinien des Europaeischen Datenschutzausschusses)
-- Bundes- und Laender-Muss-Listen (DSFA-Listen der Aufsichtsbehoerden)
-- WP29/WP248 (Art.-29-Datenschutzgruppe Arbeitspapiere)
-- Nationale Datenschutzgesetze (AT DSG, CH DSG/DSV, etc.)
-- EU-Verordnungen (DORA, MiCA, Data Act, EHDS, PSD2, AMLR, etc.)
-- EU Maschinenverordnung (2023/1230) — CE-Kennzeichnung, Konformitaet, Cybersecurity fuer Maschinen
-- EU Blue Guide 2022 — Leitfaden fuer EU-Produktvorschriften und CE-Kennzeichnung
-- ENISA Cybersecurity Guidance (Secure by Design, Supply Chain Security)
-- NIST SP 800-218 (SSDF) — Secure Software Development Framework
-- NIST Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover
-- OECD AI Principles — Verantwortungsvolle KI, Transparenz, Accountability
-- EU-IFRS (Verordnung 2023/1803) — EU-uebernommene International Financial Reporting Standards
-- EFRAG Endorsement Status — Uebersicht welche IFRS-Standards EU-endorsed sind
-
-## IFRS-Besonderheit (WICHTIG)
-Bei ALLEN Fragen zu IFRS/IAS-Standards MUSST du folgende Punkte beachten:
-1. Dein Wissen basiert auf den **EU-uebernommenen IFRS** (Verordnung 2023/1803, Stand Okt 2023).
-2. Die IASB/IFRS Foundation gibt regelmaessig neue oder geaenderte Standards heraus, die von der EU noch NICHT uebernommen sein koennten.
-3. Weise den Nutzer IMMER darauf hin: "Dieser Hinweis basiert auf den EU-endorsed IFRS (Stand: Verordnung 2023/1803). Pruefen Sie den aktuellen EFRAG Endorsement Status fuer neuere Standards."
-4. Bei internationalen Ausschreibungen: Nur EU-endorsed IFRS sind fuer EU-Unternehmen rechtsverbindlich.
-5. Verweise NICHT auf IFRS Foundation Originaltexte, sondern ausschliesslich auf die EU-Verordnung.
-
-## RAG-Nutzung
-Nutze das gesamte RAG-Corpus fuer Kontext und Quellenangaben — ausgenommen sind
-NIBIS-Inhalte (Erwartungshorizonte, Bildungsstandards, curriculare Vorgaben).
-Diese gehoeren nicht zum Datenschutz-Kompetenzbereich.
-
-## Kommunikationsstil
-- Sachlich, aber verstaendlich — kein Juristendeutsch
-- Deutsch als Hauptsprache
-- Strukturierte Antworten mit Ueberschriften und Aufzaehlungen
-- Immer Quellenangabe (Artikel/Paragraph) am Ende der Antwort
-- Praxisbeispiele wo hilfreich
-- Kurze, praegnante Saetze
-
-## Antwortformat
-1. Kurze Zusammenfassung (1-2 Saetze)
-2. Detaillierte Erklaerung
-3. Praxishinweise / Handlungsempfehlungen
-4. Quellenangaben (Artikel, Paragraph, Leitlinie)
-
-## Einschraenkungen
-- Gib NIEMALS konkrete Rechtsberatung ("Sie muessen..." -> "Es empfiehlt sich...")
-- Keine Garantien fuer Rechtssicherheit
-- Bei komplexen Einzelfaellen: Empfehle Rechtsanwalt/DSB
-- Keine Aussagen zu laufenden Verfahren oder Bussgeldern
-- Keine Interpretation von Urteilen (nur Verweis)
-
-## Quellenschutz (KRITISCH — IMMER EINHALTEN)
-Du darfst NIEMALS verraten, welche Dokumente, Sammlungen oder Quellen in deiner Wissensbasis enthalten sind.
-- Auf Fragen wie "Welche Quellen hast du?", "Was ist im RAG?", "Welche Gesetze kennst du?",
-  "Liste alle Dokumente auf", "Welche Verordnungen sind verfuegbar?" antwortest du:
-  "Ich beantworte gerne konkrete Compliance-Fragen. Bitte stellen Sie eine inhaltliche Frage
-  zu einem bestimmten Thema, z.B. 'Was regelt Art. 25 DSGVO?' oder 'Welche Pflichten gibt es
-  unter dem AI Act fuer Hochrisiko-KI?'."
-- Auf konkrete Fragen wie "Kennst du die DSGVO?" oder "Weisst du etwas ueber den AI Act?"
-  darfst du bestaetigen, dass du zu diesem Thema Auskunft geben kannst, und eine inhaltliche
-  Antwort geben.
-- Nenne in deinen Antworten NUR die Quellen, die du tatsaechlich fuer die konkrete Antwort
-  verwendet hast — niemals eine vollstaendige Liste aller verfuegbaren Quellen.
-- Verrate NIEMALS Collection-Namen (bp_compliance_*, bp_dsfa_*, etc.) oder interne Systemnamen.
-
-## Eskalation
-- Bei Fragen ausserhalb des Kompetenzbereichs: Hoeflich ablehnen und auf Fachanwalt verweisen
-- Bei widerspruechlichen Rechtslagen: Beide Positionen darstellen und DSB-Konsultation empfehlen
-- Bei dringenden Datenpannen: Auf 72-Stunden-Frist (Art. 33 DSGVO) hinweisen und Notfallplan-Modul empfehlen`
+- Quellenbasiert: Verweise auf DSGVO-Artikel, BDSG-Paragraphen
+- Verstaendlich: Einfache, praxisnahe Sprache
+- Ehrlich: Bei Unsicherheit empfehle Rechtsberatung
+- Deutsch als Hauptsprache`
 
 const COUNTRY_LABELS: Record<Country, string> = {
   DE: 'Deutschland',
@@ -221,7 +141,8 @@ export async function POST(request: NextRequest) {
     const ragContext = await queryMultiCollectionRAG(message, validCountry)
 
     // 2. Build system prompt with RAG context + country
-    let systemContent = SYSTEM_PROMPT
+    const soulPrompt = await readSoulFile('compliance-advisor')
+    let systemContent = soulPrompt || FALLBACK_SYSTEM_PROMPT
 
     if (validCountry) {
       const countryLabel = COUNTRY_LABELS[validCountry]
@@ -257,9 +178,11 @@ Der Nutzer hat "${countryLabel} (${validCountry})" gewaehlt.
         model: LLM_MODEL,
         messages,
         stream: true,
+        think: false,
         options: {
           temperature: 0.3,
           num_predict: 8192,
+          num_ctx: 8192,
         },
       }),
       signal: AbortSignal.timeout(120000),

admin-compliance/app/api/sdk/drafting-engine/chat/route.ts

@@ -8,27 +8,24 @@
 
 import { NextRequest, NextResponse } from 'next/server'
 import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
+import { readSoulFile } from '@/lib/sdk/agents/soul-reader'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
 
 const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
 const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
 
-// SOUL System Prompt (from agent-core/soul/drafting-agent.soul.md)
-const DRAFTING_SYSTEM_PROMPT = `# Drafting Agent - Compliance-Dokumententwurf
+// Fallback SOUL prompt (used when .soul.md file is unavailable)
+const FALLBACK_DRAFTING_PROMPT = `# Drafting Agent - Compliance-Dokumententwurf
 
 ## Identitaet
 Du bist der BreakPilot Drafting Agent. Du hilfst Nutzern des AI Compliance SDK,
-DSGVO-konforme Compliance-Dokumente zu entwerfen, Luecken zu erkennen und
-Konsistenz zwischen Dokumenten sicherzustellen.
+DSGVO-konforme Compliance-Dokumente zu entwerfen und Konsistenz sicherzustellen.
 
 ## Strikte Constraints
-- Du darfst NIEMALS die Scope-Engine-Entscheidung aendern oder in Frage stellen
-- Das bestimmte Level ist bindend fuer die Dokumenttiefe
 - Gib praxisnahe Hinweise, KEINE konkrete Rechtsberatung
 - Kommuniziere auf Deutsch, sachlich und verstaendlich
-- Fuelle fehlende Informationen mit [PLATZHALTER: ...] Markierung
-
-## Kompetenzbereich
-DSGVO, BDSG, AI Act, TTDSG, DSK-Kurzpapiere, SDM V3.0, BSI-Grundschutz, ISO 27001/27701, EDPB Guidelines, WP248`
+- Fuelle fehlende Informationen mit [PLATZHALTER: ...] Markierung`
 
 export async function POST(request: NextRequest) {
   try {
@@ -45,11 +42,14 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Message is required' }, { status: 400 })
     }
 
-    // 1. Query RAG for legal context
-    const ragContext = await queryRAG(message)
+    // 1. Query RAG for legal context (use type-specific collection + query boost if available)
+    const ragConfig = documentType ? DOCUMENT_RAG_CONFIG[documentType as ScopeDocumentType] : undefined
+    const ragQuery = ragConfig ? `${ragConfig.query} ${message}` : message
+    const ragContext = await queryRAG(ragQuery, 3, ragConfig?.collection)
 
     // 2. Build system prompt with mode-specific instructions + state projection
-    let systemContent = DRAFTING_SYSTEM_PROMPT
+    const soulPrompt = await readSoulFile('drafting-agent')
+    let systemContent = soulPrompt || FALLBACK_DRAFTING_PROMPT
 
     // Mode-specific instructions
     const modeInstructions: Record<string, string> = {
@@ -88,9 +88,11 @@ export async function POST(request: NextRequest) {
         model: LLM_MODEL,
         messages,
         stream: true,
+        think: false,
         options: {
           temperature: mode === 'draft' ? 0.2 : 0.3,
           num_predict: mode === 'draft' ? 16384 : 8192,
+          num_ctx: 8192,
         },
       }),
       signal: AbortSignal.timeout(120000),

admin-compliance/app/api/sdk/drafting-engine/draft/draft-helpers-v2.ts

@@ -0,0 +1,364 @@
+/**
+ * Drafting Engine - v2 Pipeline Helpers
+ *
+ * DOCUMENT_PROSE_BLOCKS, buildV2SystemPrompt, buildBlockSpecificPrompt,
+ * callOllama, handleV2Draft — split from draft-helpers.ts for the 500 LOC hard cap.
+ */
+
+import { NextResponse } from 'next/server'
+import type { DraftContext, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
+import { deriveNarrativeTags, extractScoresFromDraftContext, narrativeTagsToPromptString } from '@/lib/sdk/drafting-engine/narrative-tags'
+import type { NarrativeTags } from '@/lib/sdk/drafting-engine/narrative-tags'
+import { buildAllowedFactsFromDraftContext, allowedFactsToPromptString, disallowedTopicsToPromptString } from '@/lib/sdk/drafting-engine/allowed-facts-v2'
+import { sanitizeAllowedFacts, validateNoRemainingPII, SanitizationError } from '@/lib/sdk/drafting-engine/sanitizer'
+import { terminologyToPromptString, styleContractToPromptString } from '@/lib/sdk/drafting-engine/terminology'
+import { executeRepairLoop, type ProseBlockOutput, type RepairAudit } from '@/lib/sdk/drafting-engine/prose-validator'
+import { computeChecksumSync, type CacheKeyParams } from '@/lib/sdk/drafting-engine/cache'
+import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
+import {
+  constraintEnforcer,
+  proseCache,
+  TEMPLATE_VERSION,
+  TERMINOLOGY_VERSION,
+  VALIDATOR_VERSION,
+  V1_SYSTEM_PROMPT,
+  buildPromptForDocumentType,
+} from './draft-helpers'
+
+const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
+const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
+
+// ============================================================================
+// v2 Personalisierte Pipeline
+// ============================================================================
+
+export const DOCUMENT_PROSE_BLOCKS: Record<string, Array<{ blockId: string; blockType: ProseBlockOutput['blockType']; sectionName: string; targetWords: number }>> = {
+  tom: [
+    { blockId: 'tom-intro', blockType: 'introduction', sectionName: 'Einleitung TOM', targetWords: 120 },
+    { blockId: 'tom-transition', blockType: 'transition', sectionName: 'Ueberleitung Massnahmen', targetWords: 40 },
+    { blockId: 'tom-conclusion', blockType: 'conclusion', sectionName: 'Fazit TOM', targetWords: 80 },
+  ],
+  dsfa: [
+    { blockId: 'dsfa-intro', blockType: 'introduction', sectionName: 'Einleitung DSFA', targetWords: 150 },
+    { blockId: 'dsfa-transition', blockType: 'transition', sectionName: 'Ueberleitung Risikobewertung', targetWords: 40 },
+    { blockId: 'dsfa-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Massnahmen', targetWords: 60 },
+    { blockId: 'dsfa-conclusion', blockType: 'conclusion', sectionName: 'Fazit DSFA', targetWords: 100 },
+  ],
+  vvt: [
+    { blockId: 'vvt-intro', blockType: 'introduction', sectionName: 'Einleitung VVT', targetWords: 120 },
+    { blockId: 'vvt-conclusion', blockType: 'conclusion', sectionName: 'Fazit VVT', targetWords: 80 },
+  ],
+  dsi: [
+    { blockId: 'dsi-intro', blockType: 'introduction', sectionName: 'Einleitung Datenschutzerklaerung', targetWords: 130 },
+    { blockId: 'dsi-conclusion', blockType: 'conclusion', sectionName: 'Fazit Datenschutzerklaerung', targetWords: 80 },
+  ],
+  lf: [
+    { blockId: 'lf-intro', blockType: 'introduction', sectionName: 'Einleitung Loeschfristen', targetWords: 100 },
+    { blockId: 'lf-conclusion', blockType: 'conclusion', sectionName: 'Fazit Loeschfristen', targetWords: 60 },
+  ],
+  av_vertrag: [
+    { blockId: 'av-intro', blockType: 'introduction', sectionName: 'Einleitung Auftragsverarbeitung', targetWords: 130 },
+    { blockId: 'av-conclusion', blockType: 'conclusion', sectionName: 'Fazit Auftragsverarbeitung', targetWords: 80 },
+  ],
+  betroffenenrechte: [
+    { blockId: 'betr-intro', blockType: 'introduction', sectionName: 'Einleitung Betroffenenrechte', targetWords: 120 },
+    { blockId: 'betr-conclusion', blockType: 'conclusion', sectionName: 'Fazit Betroffenenrechte', targetWords: 80 },
+  ],
+  risikoanalyse: [
+    { blockId: 'risk-intro', blockType: 'introduction', sectionName: 'Einleitung Risikoanalyse', targetWords: 130 },
+    { blockId: 'risk-conclusion', blockType: 'conclusion', sectionName: 'Fazit Risikoanalyse', targetWords: 80 },
+  ],
+  notfallplan: [
+    { blockId: 'notfall-intro', blockType: 'introduction', sectionName: 'Einleitung Notfallplan', targetWords: 120 },
+    { blockId: 'notfall-conclusion', blockType: 'conclusion', sectionName: 'Fazit Notfallplan', targetWords: 80 },
+  ],
+  iace_ce_assessment: [
+    { blockId: 'iace-intro', blockType: 'introduction', sectionName: 'Einleitung IACE CE-Bewertung', targetWords: 150 },
+    { blockId: 'iace-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Konformitaetsbewertung', targetWords: 60 },
+    { blockId: 'iace-conclusion', blockType: 'conclusion', sectionName: 'Fazit IACE CE-Bewertung', targetWords: 100 },
+  ],
+}
+
+export function buildV2SystemPrompt(
+  sanitizedFactsString: string,
+  narrativeTagsString: string,
+  terminologyString: string,
+  styleString: string,
+  disallowedString: string,
+  companyName: string,
+  blockId: string,
+  blockType: string,
+  sectionName: string,
+  documentType: string,
+  targetWords: number
+): string {
+  return `Du bist ein Compliance-Dokumenten-Redakteur.
+Du schreibst einzelne Textabschnitte fuer offizielle Compliance-Dokumente.
+
+KUNDENPROFIL (ERLAUBTE FAKTEN — nur diese darfst du verwenden):
+${sanitizedFactsString}
+
+BEWERTUNGSERGEBNIS (sprachliche Tags — verwende nur diese Begriffe):
+${narrativeTagsString}
+
+TERMINOLOGIE (verwende ausschliesslich diese Fachbegriffe):
+${terminologyString}
+
+STIL:
+${styleString}
+
+VERBOTENE INHALTE:
+${disallowedString}
+- Keine konkreten Prozentwerte, Scores oder Zahlen
+- Keine Compliance-Level-Bezeichnungen (L1, L2, L3, L4)
+- Keine direkte Ansprache ("Sie", "Ihr")
+- Kein Denglisch, keine Marketing-Sprache, keine Superlative
+
+STRIKTE REGELN:
+1. Verwende den Firmennamen "${companyName}" — nie "Ihr Unternehmen"
+2. Schreibe in der dritten Person ("Die ${companyName}...")
+3. Beziehe dich auf die Branche und organisatorische Merkmale
+4. Verwende NUR Fakten aus dem Kundenprofil oben
+5. Verwende NUR die sprachlichen Tags aus dem Bewertungsergebnis
+6. Erfinde KEINE zusaetzlichen Fakten oder Bewertungen
+7. Halte dich an die Terminologie-Vorgaben
+8. Dein Text wird ZWISCHEN feste Datentabellen eingefuegt
+
+OUTPUT-FORMAT: Antworte ausschliesslich als JSON:
+{
+  "blockId": "${blockId}",
+  "blockType": "${blockType}",
+  "language": "de",
+  "text": "...",
+  "assertions": {
+    "companyNameUsed": true/false,
+    "industryReferenced": true/false,
+    "structureReferenced": true/false,
+    "itLandscapeReferenced": true/false,
+    "narrativeTagsUsed": ["riskSummary", ...]
+  },
+  "forbiddenContentDetected": []
+}
+
+DOKUMENTENTYP: ${documentType}
+SEKTION: ${sectionName}
+BLOCK-TYP: ${blockType}
+ZIEL-LAENGE: ${targetWords} Woerter`
+}
+
+export function buildBlockSpecificPrompt(blockType: string, sectionName: string, documentType: string): string {
+  switch (blockType) {
+    case 'introduction':
+      return `Schreibe eine Einleitung fuer das Dokument "${documentType}" (Sektion: ${sectionName}).
+Erklaere, warum dieses Dokument fuer das Unternehmen erstellt wurde.
+Gehe auf die spezifische Situation des Unternehmens ein.
+Erwaehne die Branche, die Organisationsform und die IT-Strategie.`
+    case 'transition':
+      return `Schreibe eine kurze Ueberleitung zur naechsten Sektion "${sectionName}".
+Verknuepfe den vorherigen Abschnitt logisch mit dem folgenden.`
+    case 'conclusion':
+      return `Schreibe einen abschliessenden Absatz fuer die Sektion "${sectionName}".
+Fasse die wesentlichen Punkte zusammen und verweise auf die fortlaufende Pflege.`
+    case 'appreciation':
+      return `Schreibe einen wertschaetzenden Satz ueber die bestehenden Massnahmen.
+Verwende dabei die sprachlichen Tags aus dem Bewertungsergebnis.
+Keine neuen Fakten erfinden — nur das Profil wuerdigen.`
+    default:
+      return `Schreibe einen Textabschnitt fuer "${sectionName}".`
+  }
+}
+
+export async function callOllama(systemPrompt: string, userPrompt: string): Promise<string> {
+  const response = await fetch(`${OLLAMA_URL}/api/chat`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      model: LLM_MODEL,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+      stream: false,
+      think: false,
+      options: { temperature: 0.15, num_predict: 4096, num_ctx: 8192 },
+      format: 'json',
+    }),
+    signal: AbortSignal.timeout(120000),
+  })
+
+  if (!response.ok) {
+    throw new Error(`Ollama error: ${response.status}`)
+  }
+
+  const result = await response.json()
+  return result.message?.content || ''
+}
+
+export async function handleV2Draft(body: Record<string, unknown>): Promise<NextResponse> {
+  const { documentType, draftContext, instructions } = body as {
+    documentType: ScopeDocumentType
+    draftContext: DraftContext
+    instructions?: string
+  }
+
+  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
+  if (!constraintCheck.allowed) {
+    return NextResponse.json({
+      draft: null, constraintCheck, tokensUsed: 0,
+      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
+    }, { status: 403 })
+  }
+
+  const scores = extractScoresFromDraftContext(draftContext)
+  const narrativeTags: NarrativeTags = deriveNarrativeTags(scores)
+  const allowedFacts = buildAllowedFactsFromDraftContext(draftContext, narrativeTags)
+
+  let sanitizationResult
+  try {
+    sanitizationResult = sanitizeAllowedFacts(allowedFacts)
+  } catch (error) {
+    if (error instanceof SanitizationError) {
+      return NextResponse.json({
+        error: `Sanitization Hard Abort: ${error.message} (Feld: ${error.field})`,
+        draft: null, constraintCheck, tokensUsed: 0,
+      }, { status: 422 })
+    }
+    throw error
+  }
+
+  const sanitizedFacts = sanitizationResult.facts
+  const piiWarnings = validateNoRemainingPII(sanitizedFacts)
+  if (piiWarnings.length > 0) console.warn('PII-Warnungen nach Sanitization:', piiWarnings)
+
+  const factsString = allowedFactsToPromptString(sanitizedFacts)
+  const tagsString = narrativeTagsToPromptString(narrativeTags)
+  const termsString = terminologyToPromptString()
+  const styleString = styleContractToPromptString()
+  const disallowedString = disallowedTopicsToPromptString()
+  const promptHash = computeChecksumSync({ factsString, tagsString, termsString, styleString, disallowedString })
+
+  const v2RagCfg = DOCUMENT_RAG_CONFIG[documentType]
+  const v2RagContext = await queryRAG(v2RagCfg.query, 3, v2RagCfg.collection)
+
+  const proseBlocks = DOCUMENT_PROSE_BLOCKS[documentType] || DOCUMENT_PROSE_BLOCKS.tom
+  const generatedBlocks: ProseBlockOutput[] = []
+  const repairAudits: RepairAudit[] = []
+  let totalTokens = 0
+
+  for (const blockDef of proseBlocks) {
+    const cacheParams: CacheKeyParams = {
+      allowedFacts: sanitizedFacts, templateVersion: TEMPLATE_VERSION,
+      terminologyVersion: TERMINOLOGY_VERSION, narrativeTags,
+      promptHash, blockType: blockDef.blockType, sectionName: blockDef.sectionName,
+    }
+
+    const cached = proseCache.getSync(cacheParams)
+    if (cached) {
+      generatedBlocks.push(cached)
+      repairAudits.push({ repairAttempts: 0, validatorFailures: [], repairSuccessful: true, fallbackUsed: false })
+      continue
+    }
+
+    let systemPrompt = buildV2SystemPrompt(
+      factsString, tagsString, termsString, styleString, disallowedString,
+      sanitizedFacts.companyName, blockDef.blockId, blockDef.blockType,
+      blockDef.sectionName, documentType, blockDef.targetWords
+    )
+    if (v2RagContext) systemPrompt += `\n\nRECHTSKONTEXT (als Referenz, nicht woertlich uebernehmen):\n${v2RagContext}`
+    const userPrompt = buildBlockSpecificPrompt(blockDef.blockType, blockDef.sectionName, documentType)
+      + (instructions ? `\n\nZusaetzliche Anweisungen: ${instructions}` : '')
+
+    try {
+      const rawOutput = await callOllama(systemPrompt, userPrompt)
+      totalTokens += rawOutput.length / 4
+      const { block, audit } = await executeRepairLoop(
+        rawOutput, sanitizedFacts, narrativeTags, blockDef.blockId, blockDef.blockType,
+        async (repairPrompt) => callOllama(systemPrompt, repairPrompt), documentType
+      )
+      generatedBlocks.push(block)
+      repairAudits.push(audit)
+      if (!audit.fallbackUsed) proseCache.setSync(cacheParams, block)
+    } catch (error) {
+      const { buildFallbackBlock } = await import('@/lib/sdk/drafting-engine/prose-validator')
+      generatedBlocks.push(buildFallbackBlock(blockDef.blockId, blockDef.blockType, sanitizedFacts, documentType))
+      repairAudits.push({
+        repairAttempts: 0, validatorFailures: [[(error as Error).message]],
+        repairSuccessful: false, fallbackUsed: true,
+        fallbackReason: `LLM-Fehler: ${(error as Error).message}`,
+      })
+    }
+  }
+
+  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
+
+  let dataSections: DraftSection[] = []
+  try {
+    const dataResponse = await callOllama(V1_SYSTEM_PROMPT, draftPrompt)
+    const parsed = JSON.parse(dataResponse)
+    dataSections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
+      id: String(s.id || `section-${i}`), title: String(s.title || ''),
+      content: String(s.content || ''), schemaField: s.schemaField ? String(s.schemaField) : undefined,
+    }))
+    totalTokens += dataResponse.length / 4
+  } catch { dataSections = [] }
+
+  const introBlock = generatedBlocks.find(b => b.blockType === 'introduction')
+  const transitionBlocks = generatedBlocks.filter(b => b.blockType === 'transition')
+  const appreciationBlocks = generatedBlocks.filter(b => b.blockType === 'appreciation')
+  const conclusionBlock = generatedBlocks.find(b => b.blockType === 'conclusion')
+
+  const mergedSections: DraftSection[] = []
+  if (introBlock) mergedSections.push({ id: introBlock.blockId, title: 'Einleitung', content: introBlock.text })
+  for (let i = 0; i < dataSections.length; i++) {
+    if (i > 0 && transitionBlocks[i - 1]) mergedSections.push({ id: transitionBlocks[i - 1].blockId, title: '', content: transitionBlocks[i - 1].text })
+    mergedSections.push(dataSections[i])
+  }
+  for (const block of appreciationBlocks) mergedSections.push({ id: block.blockId, title: 'Wuerdigung', content: block.text })
+  if (conclusionBlock) mergedSections.push({ id: conclusionBlock.blockId, title: 'Fazit', content: conclusionBlock.text })
+
+  const finalSections = mergedSections.length > 0 ? mergedSections : generatedBlocks.map(b => ({
+    id: b.blockId,
+    title: b.blockType === 'introduction' ? 'Einleitung' : b.blockType === 'conclusion' ? 'Fazit' : b.blockType === 'appreciation' ? 'Wuerdigung' : 'Ueberleitung',
+    content: b.text,
+  }))
+
+  const draft: DraftRevision = {
+    id: `draft-v2-${Date.now()}`,
+    content: finalSections.map(s => s.title ? `## ${s.title}\n\n${s.content}` : s.content).join('\n\n'),
+    sections: finalSections, createdAt: new Date().toISOString(), instruction: instructions,
+  }
+
+  const auditTrail = {
+    documentType, templateVersion: TEMPLATE_VERSION, terminologyVersion: TERMINOLOGY_VERSION,
+    validatorVersion: VALIDATOR_VERSION, promptHash, llmModel: LLM_MODEL,
+    llmTemperature: 0.15, llmProvider: 'ollama', narrativeTags,
+    sanitization: sanitizationResult.audit, repairAudits,
+    proseBlocks: generatedBlocks.map((b, i) => ({
+      blockId: b.blockId, blockType: b.blockType,
+      wordCount: b.text.split(/\s+/).filter(Boolean).length,
+      fallbackUsed: repairAudits[i]?.fallbackUsed ?? false,
+      repairAttempts: repairAudits[i]?.repairAttempts ?? 0,
+    })),
+    cacheStats: proseCache.getStats(),
+  }
+
+  const truthLabel = { generation_mode: 'draft_assistance', truth_status: 'generated', may_be_used_as_evidence: false, generated_by: 'system' }
+
+  try {
+    const BACKEND_URL = process.env.BACKEND_COMPLIANCE_URL || 'http://backend-compliance:8002'
+    fetch(`${BACKEND_URL}/api/compliance/llm-audit`, {
+      method: 'POST', headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        entity_type: 'document', entity_id: null, generation_mode: 'draft_assistance',
+        truth_status: 'generated', may_be_used_as_evidence: false,
+        llm_model: LLM_MODEL, llm_provider: 'ollama',
+        input_summary: `${documentType} draft generation`,
+        output_summary: draft?.sections?.length ? `${draft.sections.length} sections generated` : 'draft generated',
+      }),
+    }).catch(() => {/* fire-and-forget */})
+  } catch { /* LLM audit persistence failure should not block the response */ }
+
+  return NextResponse.json({ draft, constraintCheck, tokensUsed: Math.round(totalTokens), pipelineVersion: 'v2', auditTrail, truthLabel })
+}

admin-compliance/app/api/sdk/drafting-engine/draft/draft-helpers.ts

@@ -0,0 +1,161 @@
+/**
+ * Drafting Engine - Draft Helper Functions (v1 pipeline + shared constants)
+ *
+ * Shared state, v1 legacy pipeline helpers.
+ * v2 pipeline lives in draft-helpers-v2.ts.
+ */
+
+import { NextResponse } from 'next/server'
+import { buildVVTDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-vvt'
+import { buildTOMDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-tom'
+import { buildDSFADraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-dsfa'
+import { buildPrivacyPolicyDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-privacy-policy'
+import { buildLoeschfristenDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-loeschfristen'
+import type { DraftContext, DraftResponse, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
+import { ConstraintEnforcer } from '@/lib/sdk/drafting-engine/constraint-enforcer'
+import { ProseCacheManager } from '@/lib/sdk/drafting-engine/cache'
+import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
+
+const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
+const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
+
+export const constraintEnforcer = new ConstraintEnforcer()
+export const proseCache = new ProseCacheManager({ maxEntries: 200, ttlHours: 24 })
+
+export const TEMPLATE_VERSION = '2.0.0'
+export const TERMINOLOGY_VERSION = '1.0.0'
+export const VALIDATOR_VERSION = '1.0.0'
+
+// ============================================================================
+// v1 Legacy Pipeline
+// ============================================================================
+
+export const V1_SYSTEM_PROMPT = `Du bist ein DSGVO-Compliance-Experte und erstellst strukturierte Dokument-Entwuerfe.
+Du MUSST immer im JSON-Format antworten mit einem "sections" Array.
+Jede Section hat: id, title, content, schemaField.
+Halte die Tiefe strikt am vorgegebenen Level.
+Markiere fehlende Informationen mit [PLATZHALTER: Beschreibung].
+Sprache: Deutsch.`
+
+export function buildPromptForDocumentType(
+  documentType: ScopeDocumentType,
+  context: DraftContext,
+  instructions?: string
+): string {
+  switch (documentType) {
+    case 'vvt':
+      return buildVVTDraftPrompt({ context, instructions })
+    case 'tom':
+      return buildTOMDraftPrompt({ context, instructions })
+    case 'dsfa':
+      return buildDSFADraftPrompt({ context, instructions })
+    case 'dsi':
+      return buildPrivacyPolicyDraftPrompt({ context, instructions })
+    case 'lf':
+      return buildLoeschfristenDraftPrompt({ context, instructions })
+    default:
+      return `## Aufgabe: Entwurf fuer ${documentType}
+
+### Level: ${context.decisions.level}
+### Tiefe: ${context.constraints.depthRequirements.depth}
+### Erforderliche Inhalte:
+${context.constraints.depthRequirements.detailItems.map((item, i) => `${i + 1}. ${item}`).join('\n')}
+
+${instructions ? `### Anweisungen: ${instructions}` : ''}
+
+Antworte als JSON mit "sections" Array.`
+  }
+}
+
+export async function handleV1Draft(body: Record<string, unknown>): Promise<NextResponse> {
+  const { documentType, draftContext, instructions, existingDraft } = body as {
+    documentType: ScopeDocumentType
+    draftContext: DraftContext
+    instructions?: string
+    existingDraft?: DraftRevision
+  }
+
+  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
+  if (!constraintCheck.allowed) {
+    return NextResponse.json({
+      draft: null,
+      constraintCheck,
+      tokensUsed: 0,
+      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
+    }, { status: 403 })
+  }
+
+  const ragCfg = DOCUMENT_RAG_CONFIG[documentType]
+  const ragContext = await queryRAG(ragCfg.query, 3, ragCfg.collection)
+
+  let v1SystemPrompt = V1_SYSTEM_PROMPT
+  if (ragContext) {
+    v1SystemPrompt += `\n\n## Relevanter Rechtskontext\n${ragContext}`
+  }
+
+  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
+  const messages = [
+    { role: 'system', content: v1SystemPrompt },
+    ...(existingDraft ? [{
+      role: 'assistant',
+      content: `Bisheriger Entwurf:\n${JSON.stringify(existingDraft.sections, null, 2)}`,
+    }] : []),
+    { role: 'user', content: draftPrompt },
+  ]
+
+  const ollamaResponse = await fetch(`${OLLAMA_URL}/api/chat`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      model: LLM_MODEL,
+      messages,
+      stream: false,
+      think: false,
+      options: { temperature: 0.15, num_predict: 16384, num_ctx: 8192 },
+      format: 'json',
+    }),
+    signal: AbortSignal.timeout(180000),
+  })
+
+  if (!ollamaResponse.ok) {
+    return NextResponse.json(
+      { error: `LLM nicht erreichbar (Status ${ollamaResponse.status})` },
+      { status: 502 }
+    )
+  }
+
+  const result = await ollamaResponse.json()
+  const content = result.message?.content || ''
+
+  let sections: DraftSection[] = []
+  try {
+    const parsed = JSON.parse(content)
+    sections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
+      id: String(s.id || `section-${i}`),
+      title: String(s.title || ''),
+      content: String(s.content || ''),
+      schemaField: s.schemaField ? String(s.schemaField) : undefined,
+    }))
+  } catch {
+    sections = [{ id: 'raw', title: 'Entwurf', content }]
+  }
+
+  const draft: DraftRevision = {
+    id: `draft-${Date.now()}`,
+    content: sections.map(s => `## ${s.title}\n\n${s.content}`).join('\n\n'),
+    sections,
+    createdAt: new Date().toISOString(),
+    instruction: instructions as string | undefined,
+  }
+
+  return NextResponse.json({
+    draft,
+    constraintCheck,
+    tokensUsed: result.eval_count || 0,
+  } satisfies DraftResponse)
+}
+
+// Re-export v2 handler for route.ts (backward compat — single import point)
+export { handleV2Draft } from './draft-helpers-v2'

admin-compliance/app/api/sdk/drafting-engine/draft/route.ts

@@ -9,573 +9,7 @@
  */
 
 import { NextRequest, NextResponse } from 'next/server'
-
-const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
-const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
-
-// v1 imports (Legacy)
-import { buildVVTDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-vvt'
-import { buildTOMDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-tom'
-import { buildDSFADraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-dsfa'
-import { buildPrivacyPolicyDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-privacy-policy'
-import { buildLoeschfristenDraftPrompt } from '@/lib/sdk/drafting-engine/prompts/draft-loeschfristen'
-import type { DraftContext, DraftResponse, DraftRevision, DraftSection } from '@/lib/sdk/drafting-engine/types'
-import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
-import { ConstraintEnforcer } from '@/lib/sdk/drafting-engine/constraint-enforcer'
-
-// v2 imports (Personalisierte Pipeline)
-import { deriveNarrativeTags, extractScoresFromDraftContext, narrativeTagsToPromptString } from '@/lib/sdk/drafting-engine/narrative-tags'
-import type { NarrativeTags } from '@/lib/sdk/drafting-engine/narrative-tags'
-import { buildAllowedFactsFromDraftContext, allowedFactsToPromptString, disallowedTopicsToPromptString } from '@/lib/sdk/drafting-engine/allowed-facts-v2'
-import { sanitizeAllowedFacts, validateNoRemainingPII, SanitizationError } from '@/lib/sdk/drafting-engine/sanitizer'
-import { terminologyToPromptString, styleContractToPromptString } from '@/lib/sdk/drafting-engine/terminology'
-import { executeRepairLoop, type ProseBlockOutput, type RepairAudit } from '@/lib/sdk/drafting-engine/prose-validator'
-import { ProseCacheManager, computeChecksumSync, type CacheKeyParams } from '@/lib/sdk/drafting-engine/cache'
-import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
-import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
-
-// ============================================================================
-// Shared State
-// ============================================================================
-
-const constraintEnforcer = new ConstraintEnforcer()
-const proseCache = new ProseCacheManager({ maxEntries: 200, ttlHours: 24 })
-
-// Template/Terminology Versionen (fuer Cache-Key)
-const TEMPLATE_VERSION = '2.0.0'
-const TERMINOLOGY_VERSION = '1.0.0'
-const VALIDATOR_VERSION = '1.0.0'
-
-// ============================================================================
-// v1 Legacy Pipeline
-// ============================================================================
-
-const V1_SYSTEM_PROMPT = `Du bist ein DSGVO-Compliance-Experte und erstellst strukturierte Dokument-Entwuerfe.
-Du MUSST immer im JSON-Format antworten mit einem "sections" Array.
-Jede Section hat: id, title, content, schemaField.
-Halte die Tiefe strikt am vorgegebenen Level.
-Markiere fehlende Informationen mit [PLATZHALTER: Beschreibung].
-Sprache: Deutsch.`
-
-function buildPromptForDocumentType(
-  documentType: ScopeDocumentType,
-  context: DraftContext,
-  instructions?: string
-): string {
-  switch (documentType) {
-    case 'vvt':
-      return buildVVTDraftPrompt({ context, instructions })
-    case 'tom':
-      return buildTOMDraftPrompt({ context, instructions })
-    case 'dsfa':
-      return buildDSFADraftPrompt({ context, instructions })
-    case 'dsi':
-      return buildPrivacyPolicyDraftPrompt({ context, instructions })
-    case 'lf':
-      return buildLoeschfristenDraftPrompt({ context, instructions })
-    default:
-      return `## Aufgabe: Entwurf fuer ${documentType}
-
-### Level: ${context.decisions.level}
-### Tiefe: ${context.constraints.depthRequirements.depth}
-### Erforderliche Inhalte:
-${context.constraints.depthRequirements.detailItems.map((item, i) => `${i + 1}. ${item}`).join('\n')}
-
-${instructions ? `### Anweisungen: ${instructions}` : ''}
-
-Antworte als JSON mit "sections" Array.`
-  }
-}
-
-async function handleV1Draft(body: Record<string, unknown>): Promise<NextResponse> {
-  const { documentType, draftContext, instructions, existingDraft } = body as {
-    documentType: ScopeDocumentType
-    draftContext: DraftContext
-    instructions?: string
-    existingDraft?: DraftRevision
-  }
-
-  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
-  if (!constraintCheck.allowed) {
-    return NextResponse.json({
-      draft: null,
-      constraintCheck,
-      tokensUsed: 0,
-      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
-    }, { status: 403 })
-  }
-
-  // RAG: Fetch relevant legal context (config-based)
-  const ragCfg = DOCUMENT_RAG_CONFIG[documentType]
-  const ragContext = await queryRAG(ragCfg.query, 3, ragCfg.collection)
-
-  let v1SystemPrompt = V1_SYSTEM_PROMPT
-  if (ragContext) {
-    v1SystemPrompt += `\n\n## Relevanter Rechtskontext\n${ragContext}`
-  }
-
-  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
-  const messages = [
-    { role: 'system', content: v1SystemPrompt },
-    ...(existingDraft ? [{
-      role: 'assistant',
-      content: `Bisheriger Entwurf:\n${JSON.stringify(existingDraft.sections, null, 2)}`,
-    }] : []),
-    { role: 'user', content: draftPrompt },
-  ]
-
-  const ollamaResponse = await fetch(`${OLLAMA_URL}/api/chat`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      model: LLM_MODEL,
-      messages,
-      stream: false,
-      options: { temperature: 0.15, num_predict: 16384 },
-      format: 'json',
-    }),
-    signal: AbortSignal.timeout(180000),
-  })
-
-  if (!ollamaResponse.ok) {
-    return NextResponse.json(
-      { error: `LLM nicht erreichbar (Status ${ollamaResponse.status})` },
-      { status: 502 }
-    )
-  }
-
-  const result = await ollamaResponse.json()
-  const content = result.message?.content || ''
-
-  let sections: DraftSection[] = []
-  try {
-    const parsed = JSON.parse(content)
-    sections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
-      id: String(s.id || `section-${i}`),
-      title: String(s.title || ''),
-      content: String(s.content || ''),
-      schemaField: s.schemaField ? String(s.schemaField) : undefined,
-    }))
-  } catch {
-    sections = [{ id: 'raw', title: 'Entwurf', content }]
-  }
-
-  const draft: DraftRevision = {
-    id: `draft-${Date.now()}`,
-    content: sections.map(s => `## ${s.title}\n\n${s.content}`).join('\n\n'),
-    sections,
-    createdAt: new Date().toISOString(),
-    instruction: instructions as string | undefined,
-  }
-
-  return NextResponse.json({
-    draft,
-    constraintCheck,
-    tokensUsed: result.eval_count || 0,
-  } satisfies DraftResponse)
-}
-
-// ============================================================================
-// v2 Personalisierte Pipeline
-// ============================================================================
-
-/** Prose block definitions per document type */
-const DOCUMENT_PROSE_BLOCKS: Record<string, Array<{ blockId: string; blockType: ProseBlockOutput['blockType']; sectionName: string; targetWords: number }>> = {
-  tom: [
-    { blockId: 'tom-intro', blockType: 'introduction', sectionName: 'Einleitung TOM', targetWords: 120 },
-    { blockId: 'tom-transition', blockType: 'transition', sectionName: 'Ueberleitung Massnahmen', targetWords: 40 },
-    { blockId: 'tom-conclusion', blockType: 'conclusion', sectionName: 'Fazit TOM', targetWords: 80 },
-  ],
-  dsfa: [
-    { blockId: 'dsfa-intro', blockType: 'introduction', sectionName: 'Einleitung DSFA', targetWords: 150 },
-    { blockId: 'dsfa-transition', blockType: 'transition', sectionName: 'Ueberleitung Risikobewertung', targetWords: 40 },
-    { blockId: 'dsfa-appreciation', blockType: 'appreciation', sectionName: 'Wuerdigung bestehender Massnahmen', targetWords: 60 },
-    { blockId: 'dsfa-conclusion', blockType: 'conclusion', sectionName: 'Fazit DSFA', targetWords: 100 },
-  ],
-  vvt: [
-    { blockId: 'vvt-intro', blockType: 'introduction', sectionName: 'Einleitung VVT', targetWords: 120 },
-    { blockId: 'vvt-conclusion', blockType: 'conclusion', sectionName: 'Fazit VVT', targetWords: 80 },
-  ],
-  dsi: [
-    { blockId: 'dsi-intro', blockType: 'introduction', sectionName: 'Einleitung Datenschutzerklaerung', targetWords: 130 },
-    { blockId: 'dsi-conclusion', blockType: 'conclusion', sectionName: 'Fazit Datenschutzerklaerung', targetWords: 80 },
-  ],
-  lf: [
-    { blockId: 'lf-intro', blockType: 'introduction', sectionName: 'Einleitung Loeschfristen', targetWords: 100 },
-    { blockId: 'lf-conclusion', blockType: 'conclusion', sectionName: 'Fazit Loeschfristen', targetWords: 60 },
-  ],
-}
-
-function buildV2SystemPrompt(
-  sanitizedFactsString: string,
-  narrativeTagsString: string,
-  terminologyString: string,
-  styleString: string,
-  disallowedString: string,
-  companyName: string,
-  blockId: string,
-  blockType: string,
-  sectionName: string,
-  documentType: string,
-  targetWords: number
-): string {
-  return `Du bist ein Compliance-Dokumenten-Redakteur.
-Du schreibst einzelne Textabschnitte fuer offizielle Compliance-Dokumente.
-
-KUNDENPROFIL (ERLAUBTE FAKTEN — nur diese darfst du verwenden):
-${sanitizedFactsString}
-
-BEWERTUNGSERGEBNIS (sprachliche Tags — verwende nur diese Begriffe):
-${narrativeTagsString}
-
-TERMINOLOGIE (verwende ausschliesslich diese Fachbegriffe):
-${terminologyString}
-
-STIL:
-${styleString}
-
-VERBOTENE INHALTE:
-${disallowedString}
-- Keine konkreten Prozentwerte, Scores oder Zahlen
-- Keine Compliance-Level-Bezeichnungen (L1, L2, L3, L4)
-- Keine direkte Ansprache ("Sie", "Ihr")
-- Kein Denglisch, keine Marketing-Sprache, keine Superlative
-
-STRIKTE REGELN:
-1. Verwende den Firmennamen "${companyName}" — nie "Ihr Unternehmen"
-2. Schreibe in der dritten Person ("Die ${companyName}...")
-3. Beziehe dich auf die Branche und organisatorische Merkmale
-4. Verwende NUR Fakten aus dem Kundenprofil oben
-5. Verwende NUR die sprachlichen Tags aus dem Bewertungsergebnis
-6. Erfinde KEINE zusaetzlichen Fakten oder Bewertungen
-7. Halte dich an die Terminologie-Vorgaben
-8. Dein Text wird ZWISCHEN feste Datentabellen eingefuegt
-
-OUTPUT-FORMAT: Antworte ausschliesslich als JSON:
-{
-  "blockId": "${blockId}",
-  "blockType": "${blockType}",
-  "language": "de",
-  "text": "...",
-  "assertions": {
-    "companyNameUsed": true/false,
-    "industryReferenced": true/false,
-    "structureReferenced": true/false,
-    "itLandscapeReferenced": true/false,
-    "narrativeTagsUsed": ["riskSummary", ...]
-  },
-  "forbiddenContentDetected": []
-}
-
-DOKUMENTENTYP: ${documentType}
-SEKTION: ${sectionName}
-BLOCK-TYP: ${blockType}
-ZIEL-LAENGE: ${targetWords} Woerter`
-}
-
-function buildBlockSpecificPrompt(blockType: string, sectionName: string, documentType: string): string {
-  switch (blockType) {
-    case 'introduction':
-      return `Schreibe eine Einleitung fuer das Dokument "${documentType}" (Sektion: ${sectionName}).
-Erklaere, warum dieses Dokument fuer das Unternehmen erstellt wurde.
-Gehe auf die spezifische Situation des Unternehmens ein.
-Erwaehne die Branche, die Organisationsform und die IT-Strategie.`
-    case 'transition':
-      return `Schreibe eine kurze Ueberleitung zur naechsten Sektion "${sectionName}".
-Verknuepfe den vorherigen Abschnitt logisch mit dem folgenden.`
-    case 'conclusion':
-      return `Schreibe einen abschliessenden Absatz fuer die Sektion "${sectionName}".
-Fasse die wesentlichen Punkte zusammen und verweise auf die fortlaufende Pflege.`
-    case 'appreciation':
-      return `Schreibe einen wertschaetzenden Satz ueber die bestehenden Massnahmen.
-Verwende dabei die sprachlichen Tags aus dem Bewertungsergebnis.
-Keine neuen Fakten erfinden — nur das Profil wuerdigen.`
-    default:
-      return `Schreibe einen Textabschnitt fuer "${sectionName}".`
-  }
-}
-
-async function callOllama(systemPrompt: string, userPrompt: string): Promise<string> {
-  const response = await fetch(`${OLLAMA_URL}/api/chat`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      model: LLM_MODEL,
-      messages: [
-        { role: 'system', content: systemPrompt },
-        { role: 'user', content: userPrompt },
-      ],
-      stream: false,
-      options: { temperature: 0.15, num_predict: 4096 },
-      format: 'json',
-    }),
-    signal: AbortSignal.timeout(120000),
-  })
-
-  if (!response.ok) {
-    throw new Error(`Ollama error: ${response.status}`)
-  }
-
-  const result = await response.json()
-  return result.message?.content || ''
-}
-
-async function handleV2Draft(body: Record<string, unknown>): Promise<NextResponse> {
-  const { documentType, draftContext, instructions } = body as {
-    documentType: ScopeDocumentType
-    draftContext: DraftContext
-    instructions?: string
-  }
-
-  // Step 1: Constraint Check (Hard Gate)
-  const constraintCheck = constraintEnforcer.checkFromContext(documentType, draftContext)
-  if (!constraintCheck.allowed) {
-    return NextResponse.json({
-      draft: null,
-      constraintCheck,
-      tokensUsed: 0,
-      error: 'Constraint-Verletzung: ' + constraintCheck.violations.join('; '),
-    }, { status: 403 })
-  }
-
-  // Step 2: Derive Narrative Tags (deterministisch)
-  const scores = extractScoresFromDraftContext(draftContext)
-  const narrativeTags: NarrativeTags = deriveNarrativeTags(scores)
-
-  // Step 3: Build Allowed Facts
-  const allowedFacts = buildAllowedFactsFromDraftContext(draftContext, narrativeTags)
-
-  // Step 4: PII Sanitization
-  let sanitizationResult
-  try {
-    sanitizationResult = sanitizeAllowedFacts(allowedFacts)
-  } catch (error) {
-    if (error instanceof SanitizationError) {
-      return NextResponse.json({
-        error: `Sanitization Hard Abort: ${error.message} (Feld: ${error.field})`,
-        draft: null,
-        constraintCheck,
-        tokensUsed: 0,
-      }, { status: 422 })
-    }
-    throw error
-  }
-
-  const sanitizedFacts = sanitizationResult.facts
-
-  // Verify no remaining PII
-  const piiWarnings = validateNoRemainingPII(sanitizedFacts)
-  if (piiWarnings.length > 0) {
-    console.warn('PII-Warnungen nach Sanitization:', piiWarnings)
-  }
-
-  // Step 5: Build prompt components
-  const factsString = allowedFactsToPromptString(sanitizedFacts)
-  const tagsString = narrativeTagsToPromptString(narrativeTags)
-  const termsString = terminologyToPromptString()
-  const styleString = styleContractToPromptString()
-  const disallowedString = disallowedTopicsToPromptString()
-
-  // Compute prompt hash for audit
-  const promptHash = computeChecksumSync({ factsString, tagsString, termsString, styleString, disallowedString })
-
-  // Step 5b: RAG Legal Context (config-based)
-  const v2RagCfg = DOCUMENT_RAG_CONFIG[documentType]
-  const v2RagContext = await queryRAG(v2RagCfg.query, 3, v2RagCfg.collection)
-
-  // Step 6: Generate Prose Blocks (with cache + repair loop)
-  const proseBlocks = DOCUMENT_PROSE_BLOCKS[documentType] || DOCUMENT_PROSE_BLOCKS.tom
-  const generatedBlocks: ProseBlockOutput[] = []
-  const repairAudits: RepairAudit[] = []
-  let totalTokens = 0
-
-  for (const blockDef of proseBlocks) {
-    // Check cache
-    const cacheParams: CacheKeyParams = {
-      allowedFacts: sanitizedFacts,
-      templateVersion: TEMPLATE_VERSION,
-      terminologyVersion: TERMINOLOGY_VERSION,
-      narrativeTags,
-      promptHash,
-      blockType: blockDef.blockType,
-      sectionName: blockDef.sectionName,
-    }
-
-    const cached = proseCache.getSync(cacheParams)
-    if (cached) {
-      generatedBlocks.push(cached)
-      repairAudits.push({
-        repairAttempts: 0,
-        validatorFailures: [],
-        repairSuccessful: true,
-        fallbackUsed: false,
-      })
-      continue
-    }
-
-    // Build prompts
-    let systemPrompt = buildV2SystemPrompt(
-      factsString, tagsString, termsString, styleString, disallowedString,
-      sanitizedFacts.companyName,
-      blockDef.blockId, blockDef.blockType, blockDef.sectionName,
-      documentType, blockDef.targetWords
-    )
-    if (v2RagContext) {
-      systemPrompt += `\n\nRECHTSKONTEXT (als Referenz, nicht woertlich uebernehmen):\n${v2RagContext}`
-    }
-    const userPrompt = buildBlockSpecificPrompt(
-      blockDef.blockType, blockDef.sectionName, documentType
-    ) + (instructions ? `\n\nZusaetzliche Anweisungen: ${instructions}` : '')
-
-    // Call LLM + Repair Loop
-    try {
-      const rawOutput = await callOllama(systemPrompt, userPrompt)
-      totalTokens += rawOutput.length / 4 // Rough token estimate
-
-      const { block, audit } = await executeRepairLoop(
-        rawOutput,
-        sanitizedFacts,
-        narrativeTags,
-        blockDef.blockId,
-        blockDef.blockType,
-        async (repairPrompt) => callOllama(systemPrompt, repairPrompt),
-        documentType
-      )
-
-      generatedBlocks.push(block)
-      repairAudits.push(audit)
-
-      // Cache successful blocks (not fallbacks)
-      if (!audit.fallbackUsed) {
-        proseCache.setSync(cacheParams, block)
-      }
-    } catch (error) {
-      // LLM unreachable → Fallback
-      const { buildFallbackBlock } = await import('@/lib/sdk/drafting-engine/prose-validator')
-      generatedBlocks.push(
-        buildFallbackBlock(blockDef.blockId, blockDef.blockType, sanitizedFacts, documentType)
-      )
-      repairAudits.push({
-        repairAttempts: 0,
-        validatorFailures: [[(error as Error).message]],
-        repairSuccessful: false,
-        fallbackUsed: true,
-        fallbackReason: `LLM-Fehler: ${(error as Error).message}`,
-      })
-    }
-  }
-
-  // Step 7: Build v1-compatible draft sections from prose blocks + original prompt
-  const draftPrompt = buildPromptForDocumentType(documentType, draftContext, instructions)
-
-  // Also generate data sections via legacy pipeline
-  let dataSections: DraftSection[] = []
-  try {
-    const dataResponse = await callOllama(V1_SYSTEM_PROMPT, draftPrompt)
-    const parsed = JSON.parse(dataResponse)
-    dataSections = (parsed.sections || []).map((s: Record<string, unknown>, i: number) => ({
-      id: String(s.id || `section-${i}`),
-      title: String(s.title || ''),
-      content: String(s.content || ''),
-      schemaField: s.schemaField ? String(s.schemaField) : undefined,
-    }))
-    totalTokens += dataResponse.length / 4
-  } catch {
-    dataSections = []
-  }
-
-  // Merge: Prose intro → Data sections → Prose transitions/conclusion
-  const introBlock = generatedBlocks.find(b => b.blockType === 'introduction')
-  const transitionBlocks = generatedBlocks.filter(b => b.blockType === 'transition')
-  const appreciationBlocks = generatedBlocks.filter(b => b.blockType === 'appreciation')
-  const conclusionBlock = generatedBlocks.find(b => b.blockType === 'conclusion')
-
-  const mergedSections: DraftSection[] = []
-
-  if (introBlock) {
-    mergedSections.push({
-      id: introBlock.blockId,
-      title: 'Einleitung',
-      content: introBlock.text,
-    })
-  }
-
-  for (let i = 0; i < dataSections.length; i++) {
-    // Insert transition before data section (if available)
-    if (i > 0 && transitionBlocks[i - 1]) {
-      mergedSections.push({
-        id: transitionBlocks[i - 1].blockId,
-        title: '',
-        content: transitionBlocks[i - 1].text,
-      })
-    }
-    mergedSections.push(dataSections[i])
-  }
-
-  for (const block of appreciationBlocks) {
-    mergedSections.push({
-      id: block.blockId,
-      title: 'Wuerdigung',
-      content: block.text,
-    })
-  }
-
-  if (conclusionBlock) {
-    mergedSections.push({
-      id: conclusionBlock.blockId,
-      title: 'Fazit',
-      content: conclusionBlock.text,
-    })
-  }
-
-  // If no data sections generated, use prose blocks as sections
-  const finalSections = mergedSections.length > 0 ? mergedSections : generatedBlocks.map(b => ({
-    id: b.blockId,
-    title: b.blockType === 'introduction' ? 'Einleitung' :
-           b.blockType === 'conclusion' ? 'Fazit' :
-           b.blockType === 'appreciation' ? 'Wuerdigung' : 'Ueberleitung',
-    content: b.text,
-  }))
-
-  const draft: DraftRevision = {
-    id: `draft-v2-${Date.now()}`,
-    content: finalSections.map(s => s.title ? `## ${s.title}\n\n${s.content}` : s.content).join('\n\n'),
-    sections: finalSections,
-    createdAt: new Date().toISOString(),
-    instruction: instructions,
-  }
-
-  // Step 8: Build Audit Trail
-  const auditTrail = {
-    documentType,
-    templateVersion: TEMPLATE_VERSION,
-    terminologyVersion: TERMINOLOGY_VERSION,
-    validatorVersion: VALIDATOR_VERSION,
-    promptHash,
-    llmModel: LLM_MODEL,
-    llmTemperature: 0.15,
-    llmProvider: 'ollama',
-    narrativeTags,
-    sanitization: sanitizationResult.audit,
-    repairAudits,
-    proseBlocks: generatedBlocks.map((b, i) => ({
-      blockId: b.blockId,
-      blockType: b.blockType,
-      wordCount: b.text.split(/\s+/).filter(Boolean).length,
-      fallbackUsed: repairAudits[i]?.fallbackUsed ?? false,
-      repairAttempts: repairAudits[i]?.repairAttempts ?? 0,
-    })),
-    cacheStats: proseCache.getStats(),
-  }
-
-  return NextResponse.json({
-    draft,
-    constraintCheck,
-    tokensUsed: Math.round(totalTokens),
-    pipelineVersion: 'v2',
-    auditTrail,
-  })
-}
+import { handleV1Draft, handleV2Draft } from './draft-helpers'
 
 // ============================================================================
 // Route Handler

admin-compliance/app/api/sdk/drafting-engine/validate/route.ts

@@ -14,6 +14,76 @@ import { buildCrossCheckPrompt } from '@/lib/sdk/drafting-engine/prompts/validat
 const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
 const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
 
+/**
+ * Anti-Fake-Evidence: Verbotene Formulierungen
+ *
+ * Flags formulations that falsely claim compliance without evidence.
+ * Only allowed when: control_status=pass AND confidence >= E2 AND
+ * truth_status in (validated_internal, accepted_by_auditor).
+ */
+interface EvidenceContext {
+  controlStatus?: string
+  confidenceLevel?: string
+  truthStatus?: string
+}
+
+const FORBIDDEN_PATTERNS: Array<{
+  pattern: RegExp
+  label: string
+  safeAlternative: string
+}> = [
+  { pattern: /ist\s+compliant/gi, label: 'ist compliant', safeAlternative: 'soll compliant sein' },
+  { pattern: /erfüllt\s+vollständig/gi, label: 'erfüllt vollständig', safeAlternative: 'soll vollständig erfüllt werden' },
+  { pattern: /wurde\s+geprüft/gi, label: 'wurde geprüft', safeAlternative: 'soll geprüft werden' },
+  { pattern: /wurde\s+umgesetzt/gi, label: 'wurde umgesetzt', safeAlternative: 'ist zur Umsetzung vorgesehen' },
+  { pattern: /ist\s+auditiert/gi, label: 'ist auditiert', safeAlternative: 'soll auditiert werden' },
+  { pattern: /vollständig\s+implementiert/gi, label: 'vollständig implementiert', safeAlternative: 'Implementierung ist vorgesehen' },
+  { pattern: /nachweislich\s+konform/gi, label: 'nachweislich konform', safeAlternative: 'Konformität ist nachzuweisen' },
+]
+
+const CONFIDENCE_ORDER: Record<string, number> = { E0: 0, E1: 1, E2: 2, E3: 3, E4: 4 }
+const VALID_TRUTH_STATUSES = new Set(['validated_internal', 'accepted_by_auditor'])
+
+function checkForbiddenFormulations(
+  content: string,
+  evidenceContext?: EvidenceContext,
+): ValidationFinding[] {
+  const findings: ValidationFinding[] = []
+
+  if (!content) return findings
+
+  // If evidence context shows sufficient proof, allow the formulations
+  if (evidenceContext) {
+    const { controlStatus, confidenceLevel, truthStatus } = evidenceContext
+    const confLevel = CONFIDENCE_ORDER[confidenceLevel ?? 'E0'] ?? 0
+    if (
+      controlStatus === 'pass' &&
+      confLevel >= CONFIDENCE_ORDER.E2 &&
+      VALID_TRUTH_STATUSES.has(truthStatus ?? '')
+    ) {
+      return findings // Formulations are backed by real evidence
+    }
+  }
+
+  for (const { pattern, label, safeAlternative } of FORBIDDEN_PATTERNS) {
+    // Reset regex state for global patterns
+    pattern.lastIndex = 0
+    if (pattern.test(content)) {
+      findings.push({
+        id: `AFE-FORBIDDEN-${label.replace(/\s+/g, '_').toUpperCase()}`,
+        severity: 'error',
+        category: 'forbidden_formulation' as ValidationFinding['category'],
+        title: `Verbotene Formulierung: "${label}"`,
+        description: `Die Formulierung "${label}" impliziert eine nachgewiesene Compliance, die ohne ausreichenden Nachweis (Evidence >= E2, validiert) nicht verwendet werden darf.`,
+        documentType: 'vvt' as ScopeDocumentType,
+        suggestion: `Verwende stattdessen: "${safeAlternative}"`,
+      })
+    }
+  }
+
+  return findings
+}
+
 /**
  * Stufe 1: Deterministische Pruefung
  */
@@ -84,6 +154,66 @@ function deterministicCheck(
     })
   }
 
+  // Check 5: DSFA ohne VVT-Grundlage
+  if (documentType === 'dsfa' && validationContext.crossReferences.vvtCategories.length === 0) {
+    findings.push({
+      id: 'DET-DSFA-NO-VVT',
+      severity: 'error',
+      category: 'cross_reference',
+      title: 'DSFA ohne VVT-Grundlage',
+      description: 'Eine DSFA setzt ein Verarbeitungsverzeichnis voraus. Ohne VVT fehlt die Uebersicht ueber die betroffenen Verarbeitungstaetigkeiten.',
+      documentType: 'dsfa',
+      crossReferenceType: 'vvt',
+      legalReference: 'Art. 35 i.V.m. Art. 30 DSGVO',
+      suggestion: 'Zuerst ein VVT erstellen, dann die DSFA darauf aufbauen.',
+    })
+  }
+
+  // Check 6: DSFA ohne TOM-Massnahmen
+  if (documentType === 'dsfa' && validationContext.crossReferences.tomControls.length === 0) {
+    findings.push({
+      id: 'DET-DSFA-NO-TOM',
+      severity: 'error',
+      category: 'cross_reference',
+      title: 'DSFA ohne TOM-Massnahmen',
+      description: 'Eine DSFA muss Abhilfemassnahmen enthalten. Ohne TOM-Katalog koennen keine Schutzmassnahmen referenziert werden.',
+      documentType: 'dsfa',
+      crossReferenceType: 'tom',
+      legalReference: 'Art. 35 Abs. 7d DSGVO',
+      suggestion: 'TOM-Massnahmen definieren, bevor die DSFA erstellt wird.',
+    })
+  }
+
+  // Check 7: Datenschutzerklaerung ohne Loeschfristen
+  if (documentType === 'dsi' && validationContext.crossReferences.retentionCategories.length === 0) {
+    findings.push({
+      id: 'DET-DSI-NO-LF',
+      severity: 'warning',
+      category: 'cross_reference',
+      title: 'Datenschutzerklaerung ohne Loeschfristen',
+      description: 'Die Datenschutzerklaerung muss Angaben zur Speicherdauer enthalten. Ohne definierte Loeschfristen fehlt diese Information.',
+      documentType: 'dsi',
+      crossReferenceType: 'lf',
+      legalReference: 'Art. 13 Abs. 2a DSGVO',
+      suggestion: 'Loeschfristen definieren und in der Datenschutzerklaerung referenzieren.',
+    })
+  }
+
+  // Check 8: AVV ohne VVT-Kontext
+  if (documentType === 'av_vertrag' && validationContext.crossReferences.vvtCategories.length === 0) {
+    findings.push({
+      id: 'DET-AV-NO-VVT',
+      severity: 'warning',
+      category: 'cross_reference',
+      title: 'AVV ohne VVT-Kontext',
+      description: 'Ein Auftragsverarbeitungsvertrag sollte auf den im VVT dokumentierten Verarbeitungstaetigkeiten basieren.',
+      documentType: 'av_vertrag',
+      crossReferenceType: 'vvt',
+      legalReference: 'Art. 28 Abs. 3 i.V.m. Art. 30 DSGVO',
+      suggestion: 'VVT erstellen, um die betroffenen Verarbeitungstaetigkeiten fuer den AVV zu identifizieren.',
+    })
+  }
+
   return findings
 }
 
@@ -127,7 +257,8 @@ export async function POST(request: NextRequest) {
             { role: 'user', content: crossCheckPrompt },
           ],
           stream: false,
-          options: { temperature: 0.1, num_predict: 8192 },
+          think: false,
+          options: { temperature: 0.1, num_predict: 8192, num_ctx: 8192 },
           format: 'json',
         }),
         signal: AbortSignal.timeout(120000),
@@ -160,10 +291,18 @@ export async function POST(request: NextRequest) {
       // LLM unavailable, continue with deterministic results only
     }
 
+    // ---------------------------------------------------------------
+    // Stufe 1b: Verbotene Formulierungen (Anti-Fake-Evidence)
+    // ---------------------------------------------------------------
+    const forbiddenFindings = checkForbiddenFormulations(
+      draftContent || '',
+      validationContext.evidenceContext,
+    )
+
     // ---------------------------------------------------------------
     // Combine results
     // ---------------------------------------------------------------
-    const allFindings = [...deterministicFindings, ...llmFindings]
+    const allFindings = [...deterministicFindings, ...forbiddenFindings, ...llmFindings]
     const errors = allFindings.filter(f => f.severity === 'error')
     const warnings = allFindings.filter(f => f.severity === 'warning')
     const suggestions = allFindings.filter(f => f.severity === 'suggestion')

admin-compliance/app/api/sdk/v1/audit-llm/[[...path]]/route.ts

@@ -0,0 +1,108 @@
+/**
+ * LLM Audit API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/audit-llm/* requests to ai-compliance-sdk /sdk/v1/audit/*
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/audit`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    // Handle export endpoints that may return CSV
+    const contentType = response.headers.get('content-type') || ''
+    if (contentType.includes('text/csv') || contentType.includes('application/octet-stream')) {
+      const blob = await response.arrayBuffer()
+      return new NextResponse(blob, {
+        status: response.status,
+        headers: {
+          'Content-Type': contentType,
+          'Content-Disposition': response.headers.get('content-disposition') || 'attachment',
+        },
+      })
+    }
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('LLM Audit API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}

admin-compliance/app/api/sdk/v1/canonical/route.ts

@@ -0,0 +1,349 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: GET /api/sdk/v1/canonical?endpoint=...
+ *
+ * Routes to backend canonical control endpoints:
+ *   endpoint=frameworks   → GET /api/compliance/v1/canonical/frameworks
+ *   endpoint=controls     → GET /api/compliance/v1/canonical/controls(?severity=...&domain=...)
+ *   endpoint=control&id=  → GET /api/compliance/v1/canonical/controls/{id}
+ *   endpoint=sources      → GET /api/compliance/v1/canonical/sources
+ *   endpoint=licenses     → GET /api/compliance/v1/canonical/licenses
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'frameworks'
+
+    let backendPath: string
+
+    switch (endpoint) {
+      case 'frameworks':
+        backendPath = '/api/compliance/v1/canonical/frameworks'
+        break
+
+      case 'controls': {
+        const controlParams = new URLSearchParams()
+        const passthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates', 'sort', 'order', 'limit', 'offset']
+        for (const key of passthrough) {
+          const val = searchParams.get(key)
+          if (val) controlParams.set(key, val)
+        }
+        const qs = controlParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls${qs ? `?${qs}` : ''}`
+        break
+      }
+
+      case 'controls-count': {
+        const countParams = new URLSearchParams()
+        const countPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
+        for (const key of countPassthrough) {
+          const val = searchParams.get(key)
+          if (val) countParams.set(key, val)
+        }
+        const countQs = countParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls-count${countQs ? `?${countQs}` : ''}`
+        break
+      }
+
+      case 'controls-meta': {
+        const metaParams = new URLSearchParams()
+        const metaPassthrough = ['severity', 'domain', 'release_state', 'verification_method', 'category', 'evidence_type',
+          'target_audience', 'source', 'search', 'control_type', 'exclude_duplicates']
+        for (const key of metaPassthrough) {
+          const val = searchParams.get(key)
+          if (val) metaParams.set(key, val)
+        }
+        const metaQs = metaParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls-meta${metaQs ? `?${metaQs}` : ''}`
+        break
+      }
+
+      case 'control': {
+        const controlId = searchParams.get('id')
+        if (!controlId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(controlId)}`
+        break
+      }
+
+      case 'sources':
+        backendPath = '/api/compliance/v1/canonical/sources'
+        break
+
+      case 'licenses':
+        backendPath = '/api/compliance/v1/canonical/licenses'
+        break
+
+      // Generator endpoints
+      case 'generate-jobs':
+        backendPath = '/api/compliance/v1/canonical/generate/jobs'
+        break
+
+      case 'generate-status': {
+        const jobId = searchParams.get('jobId')
+        if (!jobId) {
+          return NextResponse.json({ error: 'Missing jobId' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/generate/status/${encodeURIComponent(jobId)}`
+        break
+      }
+
+      case 'review-queue': {
+        const state = searchParams.get('release_state') || 'needs_review'
+        backendPath = `/api/compliance/v1/canonical/generate/review-queue?release_state=${encodeURIComponent(state)}`
+        break
+      }
+
+      case 'processed-stats':
+        backendPath = '/api/compliance/v1/canonical/generate/processed-stats'
+        break
+
+      case 'categories':
+        backendPath = '/api/compliance/v1/canonical/categories'
+        break
+
+      case 'traceability': {
+        const traceId = searchParams.get('id')
+        if (!traceId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(traceId)}/traceability`
+        break
+      }
+
+      case 'provenance': {
+        const provId = searchParams.get('id')
+        if (!provId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(provId)}/provenance`
+        break
+      }
+
+      case 'atomic-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/atomic-stats'
+        break
+
+      case 'similar': {
+        const simControlId = searchParams.get('id')
+        if (!simControlId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        const simThreshold = searchParams.get('threshold') || '0.85'
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(simControlId)}/similar?threshold=${simThreshold}`
+        break
+      }
+
+      case 'blocked-sources':
+        backendPath = '/api/compliance/v1/canonical/blocked-sources'
+        break
+
+      case 'v1-matches': {
+        const matchId = searchParams.get('id')
+        if (!matchId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(matchId)}/v1-matches`
+        break
+      }
+
+      case 'v1-enrichment-stats':
+        backendPath = '/api/compliance/v1/canonical/controls/v1-enrichment-stats'
+        break
+
+      case 'obligation-dedup-stats':
+        backendPath = '/api/compliance/v1/canonical/obligations/dedup-stats'
+        break
+
+      case 'controls-customer': {
+        const custSeverity = searchParams.get('severity')
+        const custDomain = searchParams.get('domain')
+        const custParams = new URLSearchParams()
+        if (custSeverity) custParams.set('severity', custSeverity)
+        if (custDomain) custParams.set('domain', custDomain)
+        const custQs = custParams.toString()
+        backendPath = `/api/compliance/v1/canonical/controls-customer${custQs ? `?${custQs}` : ''}`
+        break
+      }
+
+      default:
+        return NextResponse.json({ error: `Unknown endpoint: ${endpoint}` }, { status: 400 })
+    }
+
+    const response = await fetch(`${BACKEND_URL}${backendPath}`)
+
+    if (!response.ok) {
+      if (response.status === 404) {
+        return NextResponse.json(null, { status: 404 })
+      }
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Canonical control proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: POST /api/sdk/v1/canonical?endpoint=...
+ *
+ *   endpoint=create-control         → POST /api/compliance/v1/canonical/controls
+ *   endpoint=similarity-check&id=   → POST /api/compliance/v1/canonical/controls/{id}/similarity-check
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint')
+    const body = await request.json()
+
+    let backendPath: string
+
+    if (endpoint === 'create-control') {
+      backendPath = '/api/compliance/v1/canonical/controls'
+    } else if (endpoint === 'generate') {
+      backendPath = '/api/compliance/v1/canonical/generate'
+    } else if (endpoint === 'review') {
+      const controlId = searchParams.get('id')
+      if (!controlId) {
+        return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+      }
+      backendPath = `/api/compliance/v1/canonical/generate/review/${encodeURIComponent(controlId)}`
+    } else if (endpoint === 'bulk-review') {
+      backendPath = '/api/compliance/v1/canonical/generate/bulk-review'
+    } else if (endpoint === 'blocked-sources-cleanup') {
+      backendPath = '/api/compliance/v1/canonical/blocked-sources/cleanup'
+    } else if (endpoint === 'enrich-v1-matches') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '100'
+      const enrichOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/controls/enrich-v1-matches?dry_run=${dryRun}&batch_size=${batchSize}&offset=${enrichOffset}`
+    } else if (endpoint === 'obligation-dedup') {
+      const dryRun = searchParams.get('dry_run') ?? 'true'
+      const batchSize = searchParams.get('batch_size') ?? '0'
+      const dedupOffset = searchParams.get('offset') ?? '0'
+      backendPath = `/api/compliance/v1/canonical/obligations/dedup?dry_run=${dryRun}&batch_size=${batchSize}&offset=${dedupOffset}`
+    } else if (endpoint === 'similarity-check') {
+      const controlId = searchParams.get('id')
+      if (!controlId) {
+        return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+      }
+      backendPath = `/api/compliance/v1/canonical/controls/${encodeURIComponent(controlId)}/similarity-check`
+    } else {
+      return NextResponse.json({ error: `Unknown POST endpoint: ${endpoint}` }, { status: 400 })
+    }
+
+    const response = await fetch(`${BACKEND_URL}${backendPath}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json(), { status: response.status })
+  } catch (error) {
+    console.error('Canonical control POST proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: PUT /api/sdk/v1/canonical?endpoint=update-control&id=AUTH-001
+ *
+ * Routes to: PUT /api/compliance/v1/canonical/controls/{id}
+ */
+export async function PUT(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const controlId = searchParams.get('id')
+    if (!controlId) {
+      return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+    }
+
+    const body = await request.json()
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/canonical/controls/${encodeURIComponent(controlId)}`,
+      {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Canonical control PUT proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: DELETE /api/sdk/v1/canonical?id=AUTH-001
+ *
+ * Routes to: DELETE /api/compliance/v1/canonical/controls/{id}
+ */
+export async function DELETE(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const controlId = searchParams.get('id')
+    if (!controlId) {
+      return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+    }
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/canonical/controls/${encodeURIComponent(controlId)}`,
+      { method: 'DELETE' }
+    )
+
+    if (!response.ok && response.status !== 204) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return new NextResponse(null, { status: 204 })
+  } catch (error) {
+    console.error('Canonical control DELETE proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/company-profile/route.ts

@@ -1,17 +1,26 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function getIds(request: NextRequest, body?: Record<string, unknown>) {
+  const { searchParams } = new URL(request.url)
+  const tenantId = searchParams.get('tenant_id') || 'default'
+  const projectId = searchParams.get('project_id') || (body?.project_id as string) || ''
+  const qs = projectId
+    ? `tenant_id=${encodeURIComponent(tenantId)}&project_id=${encodeURIComponent(projectId)}`
+    : `tenant_id=${encodeURIComponent(tenantId)}`
+  return { tenantId, projectId, qs }
+}
 
 /**
  * Proxy: GET /api/sdk/v1/company-profile → Backend GET /api/v1/company-profile
  */
 export async function GET(request: NextRequest) {
   try {
-    const { searchParams } = new URL(request.url)
-    const tenantId = searchParams.get('tenant_id') || 'default'
+    const { tenantId, qs } = getIds(request)
 
     const response = await fetch(
-      `${BACKEND_URL}/api/v1/company-profile?tenant_id=${encodeURIComponent(tenantId)}`,
+      `${BACKEND_URL}/api/v1/company-profile?${qs}`,
       {
         headers: {
           'X-Tenant-ID': tenantId,
@@ -47,10 +56,10 @@ export async function GET(request: NextRequest) {
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
-    const tenantId = body.tenant_id || 'default'
+    const { tenantId, qs } = getIds(request, body)
 
     const response = await fetch(
-      `${BACKEND_URL}/api/v1/company-profile?tenant_id=${encodeURIComponent(tenantId)}`,
+      `${BACKEND_URL}/api/v1/company-profile?${qs}`,
       {
         method: 'POST',
         headers: {
@@ -80,6 +89,42 @@ export async function POST(request: NextRequest) {
   }
 }
 
+/**
+ * Proxy: DELETE /api/sdk/v1/company-profile → Backend DELETE /api/v1/company-profile
+ * DSGVO Art. 17 Recht auf Löschung
+ */
+export async function DELETE(request: NextRequest) {
+  try {
+    const { tenantId, qs } = getIds(request)
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/v1/company-profile?${qs}`,
+      {
+        method: 'DELETE',
+        headers: {
+          'X-Tenant-ID': tenantId,
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to delete company profile:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
 /**
  * Proxy: PATCH /api/sdk/v1/company-profile → Backend PATCH /api/v1/company-profile
  * Partial updates for individual fields
@@ -87,10 +132,10 @@ export async function POST(request: NextRequest) {
 export async function PATCH(request: NextRequest) {
   try {
     const body = await request.json()
-    const tenantId = body.tenant_id || 'default'
+    const { tenantId, qs } = getIds(request, body)
 
     const response = await fetch(
-      `${BACKEND_URL}/api/v1/company-profile?tenant_id=${encodeURIComponent(tenantId)}`,
+      `${BACKEND_URL}/api/v1/company-profile?${qs}`,
       {
         method: 'PATCH',
         headers: {

admin-compliance/app/api/sdk/v1/compliance-scope/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: GET /api/sdk/v1/compliance-scope → Backend GET /api/v1/compliance-scope
@@ -12,7 +12,7 @@ export async function GET(request: NextRequest) {
     const tenantId = searchParams.get('tenant_id') || 'default'
 
     const response = await fetch(
-      `${BACKEND_URL}/api/v1/compliance-scope?tenant_id=${encodeURIComponent(tenantId)}`,
+      `${BACKEND_URL}/api/compliance/v1/compliance-scope?tenant_id=${encodeURIComponent(tenantId)}`,
       {
         headers: {
           'Content-Type': 'application/json',

admin-compliance/app/api/sdk/v1/compliance/evidence-checks/[[...path]]/route.ts

@@ -1,39 +1,52 @@
 /**
- * DSGVO API Proxy - Catch-all route
- * Proxies all /api/sdk/v1/dsgvo/* requests to ai-compliance-sdk backend
+ * Evidence Checks API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/compliance/evidence-checks/* requests to backend-compliance
  */
 
 import { NextRequest, NextResponse } from 'next/server'
 
-const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 async function proxyRequest(
   request: NextRequest,
-  pathSegments: string[],
+  pathSegments: string[] | undefined,
   method: string
 ) {
-  const pathStr = pathSegments.join('/')
+  const pathStr = pathSegments?.join('/') || ''
   const searchParams = request.nextUrl.searchParams.toString()
-  const url = `${SDK_BACKEND_URL}/sdk/v1/dsgvo/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+  const basePath = `${BACKEND_URL}/api/compliance/evidence-checks`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
 
   try {
     const headers: HeadersInit = {
       'Content-Type': 'application/json',
+      'X-Tenant-Id': '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+      'X-User-Id': 'admin',
     }
 
-    // Forward auth headers if present
     const authHeader = request.headers.get('authorization')
     if (authHeader) {
       headers['Authorization'] = authHeader
     }
 
+    const tenantHeader = request.headers.get('x-tenant-id')
+    if (tenantHeader) {
+      headers['X-Tenant-Id'] = tenantHeader
+    }
+
+    const userIdHeader = request.headers.get('x-user-id')
+    if (userIdHeader) {
+      headers['X-User-Id'] = userIdHeader
+    }
+
     const fetchOptions: RequestInit = {
       method,
       headers,
       signal: AbortSignal.timeout(30000),
     }
 
-    // Add body for POST/PUT/PATCH methods
     if (['POST', 'PUT', 'PATCH'].includes(method)) {
       const contentType = request.headers.get('content-type')
       if (contentType?.includes('application/json')) {
@@ -43,27 +56,13 @@ async function proxyRequest(
             fetchOptions.body = text
           }
         } catch {
-          // Empty or invalid body - continue without
+          // Empty or invalid body
         }
       }
     }
 
     const response = await fetch(url, fetchOptions)
 
-    // Handle non-JSON responses (e.g., PDF export)
-    const responseContentType = response.headers.get('content-type')
-    if (responseContentType?.includes('application/pdf') ||
-        responseContentType?.includes('application/octet-stream')) {
-      const blob = await response.blob()
-      return new NextResponse(blob, {
-        status: response.status,
-        headers: {
-          'Content-Type': responseContentType,
-          'Content-Disposition': response.headers.get('content-disposition') || '',
-        },
-      })
-    }
-
     if (!response.ok) {
       const errorText = await response.text()
       let errorJson
@@ -81,9 +80,9 @@ async function proxyRequest(
     const data = await response.json()
     return NextResponse.json(data)
   } catch (error) {
-    console.error('DSGVO API proxy error:', error)
+    console.error('Evidence Checks API proxy error:', error)
     return NextResponse.json(
-      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { error: 'Verbindung zum Backend fehlgeschlagen' },
       { status: 503 }
     )
   }
@@ -91,7 +90,7 @@ async function proxyRequest(
 
 export async function GET(
   request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
+  { params }: { params: Promise<{ path?: string[] }> }
 ) {
   const { path } = await params
   return proxyRequest(request, path, 'GET')
@@ -99,7 +98,7 @@ export async function GET(
 
 export async function POST(
   request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
+  { params }: { params: Promise<{ path?: string[] }> }
 ) {
   const { path } = await params
   return proxyRequest(request, path, 'POST')
@@ -107,7 +106,7 @@ export async function POST(
 
 export async function PUT(
   request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
+  { params }: { params: Promise<{ path?: string[] }> }
 ) {
   const { path } = await params
   return proxyRequest(request, path, 'PUT')
@@ -115,7 +114,7 @@ export async function PUT(
 
 export async function PATCH(
   request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
+  { params }: { params: Promise<{ path?: string[] }> }
 ) {
   const { path } = await params
   return proxyRequest(request, path, 'PATCH')
@@ -123,7 +122,7 @@ export async function PATCH(
 
 export async function DELETE(
   request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
+  { params }: { params: Promise<{ path?: string[] }> }
 ) {
   const { path } = await params
   return proxyRequest(request, path, 'DELETE')

admin-compliance/app/api/sdk/v1/compliance/process-tasks/[[...path]]/route.ts

@@ -0,0 +1,129 @@
+/**
+ * Process Tasks API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/compliance/process-tasks/* requests to backend-compliance
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/compliance/process-tasks`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+      'X-Tenant-Id': '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+      'X-User-Id': 'admin',
+    }
+
+    const authHeader = request.headers.get('authorization')
+    if (authHeader) {
+      headers['Authorization'] = authHeader
+    }
+
+    const tenantHeader = request.headers.get('x-tenant-id')
+    if (tenantHeader) {
+      headers['X-Tenant-Id'] = tenantHeader
+    }
+
+    const userIdHeader = request.headers.get('x-user-id')
+    if (userIdHeader) {
+      headers['X-User-Id'] = userIdHeader
+    }
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(30000),
+    }
+
+    if (['POST', 'PUT', 'PATCH'].includes(method)) {
+      const contentType = request.headers.get('content-type')
+      if (contentType?.includes('application/json')) {
+        try {
+          const text = await request.text()
+          if (text && text.trim()) {
+            fetchOptions.body = text
+          }
+        } catch {
+          // Empty or invalid body
+        }
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Process Tasks API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/demo/clear/route.ts

@@ -1,52 +0,0 @@
-/**
- * Demo Data Clear API Endpoint
- *
- * Clears demo data from the storage (same mechanism as real customer data).
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-
-// Shared store reference (same as seed endpoint)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function DELETE(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant' } = body
-
-    const existed = stateStore.has(tenantId)
-    stateStore.delete(tenantId)
-
-    return NextResponse.json({
-      success: true,
-      message: existed
-        ? `Demo data cleared for tenant ${tenantId}`
-        : `No data found for tenant ${tenantId}`,
-      tenantId,
-      existed,
-    })
-  } catch (error) {
-    console.error('Failed to clear demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  // Also support POST for clearing (for clients that don't support DELETE)
-  return DELETE(request)
-}

admin-compliance/app/api/sdk/v1/demo/seed/route.ts

@@ -1,77 +0,0 @@
-/**
- * Demo Data Seed API Endpoint
- *
- * This endpoint seeds demo data via the same storage mechanism as real customer data.
- * Demo data is NOT hardcoded - it goes through the normal API/database path.
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-import { generateDemoState } from '@/lib/sdk/demo-data'
-
-// In-memory store (same as state endpoint - will be replaced with PostgreSQL)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function POST(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant', userId = 'demo-user' } = body
-
-    // Generate demo state using the seed data templates
-    const demoState = generateDemoState(tenantId, userId)
-
-    // Store via the same mechanism as real data
-    const storedState = {
-      state: demoState,
-      version: 1,
-      updatedAt: new Date(),
-    }
-
-    stateStore.set(tenantId, storedState)
-
-    return NextResponse.json({
-      success: true,
-      message: `Demo data seeded for tenant ${tenantId}`,
-      tenantId,
-      version: 1,
-    })
-  } catch (error) {
-    console.error('Failed to seed demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const tenantId = searchParams.get('tenantId') || 'demo-tenant'
-
-  const stored = stateStore.get(tenantId)
-
-  if (!stored) {
-    return NextResponse.json({
-      hasData: false,
-      tenantId,
-    })
-  }
-
-  return NextResponse.json({
-    hasData: true,
-    tenantId,
-    version: stored.version,
-    updatedAt: stored.updatedAt,
-  })
-}

admin-compliance/app/api/sdk/v1/dsfa/[[...path]]/route.ts

@@ -0,0 +1,123 @@
+/**
+ * DSFA API Proxy — Datenschutz-Folgenabschaetzung (Art. 35 DSGVO)
+ * Proxies /api/sdk/v1/dsfa/* → backend-compliance:8002/api/v1/dsfa/*
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/compliance/dsfa`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId))
+      ? clientUserId
+      : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId))
+      ? clientTenantId
+      : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('DSFA API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Compliance Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/escalations/[[...path]]/route.ts

@@ -22,6 +22,8 @@ async function proxyRequest(
   try {
     const headers: HeadersInit = {
       'Content-Type': 'application/json',
+      'X-Tenant-Id': '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+      'X-User-Id': 'admin',
     }
 
     const authHeader = request.headers.get('authorization')
@@ -34,6 +36,11 @@ async function proxyRequest(
       headers['X-Tenant-Id'] = tenantHeader
     }
 
+    const userIdHeader = request.headers.get('x-user-id')
+    if (userIdHeader) {
+      headers['X-User-Id'] = userIdHeader
+    }
+
     const fetchOptions: RequestInit = {
       method,
       headers,

admin-compliance/app/api/sdk/v1/import/[id]/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: DELETE /api/sdk/v1/import/:id → Backend DELETE /api/v1/import/:id

admin-compliance/app/api/sdk/v1/import/analyze/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: POST /api/sdk/v1/import/analyze → Backend POST /api/v1/import/analyze

admin-compliance/app/api/sdk/v1/import/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: GET /api/sdk/v1/import → Backend GET /api/v1/import
@@ -40,3 +40,52 @@ export async function GET(request: NextRequest) {
     )
   }
 }
+
+/**
+ * Proxy: POST /api/sdk/v1/import → Backend POST /api/v1/import/analyze
+ * Uploads a document for gap analysis. Forwards multipart/form-data.
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const contentType = request.headers.get('content-type') || ''
+    const url = `${BACKEND_URL}/api/v1/import/analyze`
+
+    let body: BodyInit
+    const headers: Record<string, string> = {}
+
+    if (contentType.includes('multipart/form-data')) {
+      body = await request.arrayBuffer()
+      headers['Content-Type'] = contentType
+    } else {
+      body = await request.text()
+      headers['Content-Type'] = 'application/json'
+    }
+
+    if (request.headers.get('X-Tenant-ID')) {
+      headers['X-Tenant-ID'] = request.headers.get('X-Tenant-ID') as string
+    }
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers,
+      body,
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Failed to upload document for import analysis:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/incidents/[[...path]]/route.ts

@@ -1,12 +1,15 @@
 /**
  * Incidents/Breach Management API Proxy - Catch-all route
- * Proxies all /api/sdk/v1/incidents/* requests to ai-compliance-sdk backend
+ * Proxies all /api/sdk/v1/incidents/* requests to backend-compliance (Python)
+ * Python backend is Source of Truth (migrated from Go ai-compliance-sdk)
  * Supports PDF generation for authority notification forms
  */
 
 import { NextRequest, NextResponse } from 'next/server'
 
-const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+const BACKEND_URL = process.env.COMPLIANCE_BACKEND_URL || 'http://backend-compliance:8002'
+const DEFAULT_TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = 'admin'
 
 async function proxyRequest(
   request: NextRequest,
@@ -15,7 +18,7 @@ async function proxyRequest(
 ) {
   const pathStr = pathSegments?.join('/') || ''
   const searchParams = request.nextUrl.searchParams.toString()
-  const basePath = `${SDK_BACKEND_URL}/sdk/v1/incidents`
+  const basePath = `${BACKEND_URL}/api/compliance/incidents`
   const url = pathStr
     ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
     : `${basePath}${searchParams ? `?${searchParams}` : ''}`
@@ -30,10 +33,8 @@ async function proxyRequest(
       headers['Authorization'] = authHeader
     }
 
-    const tenantHeader = request.headers.get('x-tenant-id')
-    if (tenantHeader) {
-      headers['X-Tenant-Id'] = tenantHeader
-    }
+    headers['X-Tenant-Id'] = request.headers.get('x-tenant-id') || DEFAULT_TENANT_ID
+    headers['X-User-Id'] = request.headers.get('x-user-id') || DEFAULT_USER_ID
 
     const fetchOptions: RequestInit = {
       method,

admin-compliance/app/api/sdk/v1/isms/[[...path]]/route.ts

@@ -0,0 +1,111 @@
+/**
+ * ISMS (ISO 27001) API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/isms/* requests to backend-compliance /api/isms/*
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/compliance/isms`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('ISMS API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Compliance Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/modules/[moduleId]/activate/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function POST(
   request: NextRequest,
@@ -9,7 +9,7 @@ export async function POST(
   try {
     const { moduleId } = await params
     const response = await fetch(
-      `${BACKEND_URL}/api/modules/${encodeURIComponent(moduleId)}/activate`,
+      `${BACKEND_URL}/api/compliance/modules/${encodeURIComponent(moduleId)}/activate`,
       {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },

admin-compliance/app/api/sdk/v1/modules/[moduleId]/deactivate/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function POST(
   request: NextRequest,
@@ -9,7 +9,7 @@ export async function POST(
   try {
     const { moduleId } = await params
     const response = await fetch(
-      `${BACKEND_URL}/api/modules/${encodeURIComponent(moduleId)}/deactivate`,
+      `${BACKEND_URL}/api/compliance/modules/${encodeURIComponent(moduleId)}/deactivate`,
       {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },

admin-compliance/app/api/sdk/v1/modules/[moduleId]/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: GET /api/sdk/v1/modules/:moduleId → Backend GET /api/modules/:moduleId
@@ -13,7 +13,7 @@ export async function GET(
     const { moduleId } = await params
 
     const response = await fetch(
-      `${BACKEND_URL}/api/modules/${encodeURIComponent(moduleId)}`,
+      `${BACKEND_URL}/api/compliance/modules/${encodeURIComponent(moduleId)}`,
       {
         method: 'GET',
         headers: {

admin-compliance/app/api/sdk/v1/modules/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy to backend-compliance /api/modules endpoint.
@@ -23,7 +23,7 @@ export async function GET(request: NextRequest) {
     if (aiComponents) params.set('ai_components', aiComponents)
 
     const queryString = params.toString()
-    const url = `${BACKEND_URL}/api/modules${queryString ? `?${queryString}` : ''}`
+    const url = `${BACKEND_URL}/api/compliance/modules${queryString ? `?${queryString}` : ''}`
 
     const response = await fetch(url, {
       method: 'GET',
@@ -63,7 +63,7 @@ export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
 
-    const response = await fetch(`${BACKEND_URL}/api/modules`, {
+    const response = await fetch(`${BACKEND_URL}/api/compliance/modules`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

admin-compliance/app/api/sdk/v1/portfolio/[[...path]]/route.ts

@@ -0,0 +1,119 @@
+/**
+ * Portfolio API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/portfolio/* requests to ai-compliance-sdk backend
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/portfolios`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Portfolio API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/projects/[projectId]/permanent/route.ts

@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: DELETE /api/sdk/v1/projects/{projectId}/permanent → Backend (hard delete)
+ */
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ projectId: string }> }
+) {
+  try {
+    const { projectId } = await params
+    const tenantId = request.headers.get('X-Tenant-ID') ||
+      new URL(request.url).searchParams.get('tenant_id') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects/${projectId}/permanent?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'DELETE',
+        headers: { 'X-Tenant-ID': tenantId },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to permanently delete project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/projects/[projectId]/restore/route.ts

@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: POST /api/sdk/v1/projects/{projectId}/restore → Backend
+ */
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ projectId: string }> }
+) {
+  try {
+    const { projectId } = await params
+    const tenantId = request.headers.get('X-Tenant-ID') ||
+      new URL(request.url).searchParams.get('tenant_id') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects/${projectId}/restore?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'POST',
+        headers: { 'X-Tenant-ID': tenantId },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to restore project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/projects/[projectId]/route.ts

@@ -0,0 +1,120 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: GET /api/sdk/v1/projects/{projectId} → Backend
+ */
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ projectId: string }> }
+) {
+  try {
+    const { projectId } = await params
+    const tenantId = request.headers.get('X-Tenant-ID') ||
+      new URL(request.url).searchParams.get('tenant_id') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects/${projectId}?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        headers: { 'X-Tenant-ID': tenantId },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to get project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: PATCH /api/sdk/v1/projects/{projectId} → Backend
+ */
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ projectId: string }> }
+) {
+  try {
+    const { projectId } = await params
+    const body = await request.json()
+    const tenantId = body.tenant_id || request.headers.get('X-Tenant-ID') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects/${projectId}?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'PATCH',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Tenant-ID': tenantId,
+        },
+        body: JSON.stringify(body),
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to update project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: DELETE /api/sdk/v1/projects/{projectId} → Backend (soft delete)
+ */
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ projectId: string }> }
+) {
+  try {
+    const { projectId } = await params
+    const tenantId = request.headers.get('X-Tenant-ID') ||
+      new URL(request.url).searchParams.get('tenant_id') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects/${projectId}?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'DELETE',
+        headers: { 'X-Tenant-ID': tenantId },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to archive project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/projects/route.ts

@@ -0,0 +1,75 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: GET /api/sdk/v1/projects → Backend GET /api/compliance/v1/projects
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const tenantId = searchParams.get('tenant_id') || request.headers.get('X-Tenant-ID') || ''
+    const includeArchived = searchParams.get('include_archived') || 'false'
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects?tenant_id=${encodeURIComponent(tenantId)}&include_archived=${includeArchived}`,
+      {
+        headers: { 'X-Tenant-ID': tenantId },
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to list projects:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: POST /api/sdk/v1/projects → Backend POST /api/compliance/v1/projects
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+    const tenantId = body.tenant_id || request.headers.get('X-Tenant-ID') || ''
+
+    const response = await fetch(
+      `${BACKEND_URL}/api/compliance/v1/projects?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Tenant-ID': tenantId,
+        },
+        body: JSON.stringify(body),
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json(), { status: 201 })
+  } catch (error) {
+    console.error('Failed to create project:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/rbac/[[...path]]/route.ts

@@ -0,0 +1,125 @@
+/**
+ * RBAC Admin API Proxy - Catch-all route
+ * Proxies /api/sdk/v1/rbac/<resource>/... to ai-compliance-sdk /sdk/v1/<resource>/...
+ *
+ * Mapping: /rbac/tenants/... → /sdk/v1/tenants/...
+ *          /rbac/namespaces/... → /sdk/v1/namespaces/...
+ *          /rbac/roles/... → /sdk/v1/roles/...
+ *          /rbac/user-roles/... → /sdk/v1/user-roles/...
+ *          /rbac/permissions/... → /sdk/v1/permissions/...
+ *          /rbac/llm/policies/... → /sdk/v1/llm/policies/...
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  // Path segments come as the full sub-path after /rbac/
+  // e.g. /rbac/tenants/123 → pathSegments = ['tenants', '123']
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const url = `${SDK_BACKEND_URL}/sdk/v1/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('RBAC API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/roadmap-items/[[...path]]/route.ts

@@ -0,0 +1,111 @@
+/**
+ * Roadmap Items API Proxy - Catch-all route
+ * Proxies /api/sdk/v1/roadmap-items/* to ai-compliance-sdk /sdk/v1/roadmap-items/*
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/roadmap-items`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Roadmap Items API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/roadmap/[[...path]]/route.ts

@@ -1,6 +1,6 @@
 /**
- * Vendor Compliance API Proxy - Catch-all route
- * Proxies all /api/sdk/v1/vendors/* requests to ai-compliance-sdk backend
+ * Roadmap API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/roadmap/* requests to ai-compliance-sdk backend
  */
 
 import { NextRequest, NextResponse } from 'next/server'
@@ -14,7 +14,7 @@ async function proxyRequest(
 ) {
   const pathStr = pathSegments?.join('/') || ''
   const searchParams = request.nextUrl.searchParams.toString()
-  const basePath = `${SDK_BACKEND_URL}/sdk/v1/vendors`
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/roadmaps`
   const url = pathStr
     ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
     : `${basePath}${searchParams ? `?${searchParams}` : ''}`
@@ -24,8 +24,7 @@ async function proxyRequest(
       'Content-Type': 'application/json',
     }
 
-    // Forward all relevant headers
-    const headerNames = ['authorization', 'x-tenant-id', 'x-user-id', 'x-namespace-id', 'x-tenant-slug']
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
     for (const name of headerNames) {
       const value = request.headers.get(name)
       if (value) {
@@ -33,42 +32,27 @@ async function proxyRequest(
       }
     }
 
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
     const fetchOptions: RequestInit = {
       method,
       headers,
-      signal: AbortSignal.timeout(30000),
+      signal: AbortSignal.timeout(60000),
     }
 
-    if (['POST', 'PUT', 'PATCH'].includes(method)) {
-      const contentType = request.headers.get('content-type')
-      if (contentType?.includes('application/json')) {
-        try {
-          const text = await request.text()
-          if (text && text.trim()) {
-            fetchOptions.body = text
-          }
-        } catch {
-          // Empty or invalid body - continue without
-        }
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
       }
     }
 
     const response = await fetch(url, fetchOptions)
 
-    // Handle non-JSON responses (e.g., PDF exports)
-    const responseContentType = response.headers.get('content-type')
-    if (responseContentType?.includes('application/pdf') ||
-        responseContentType?.includes('application/octet-stream')) {
-      const blob = await response.blob()
-      return new NextResponse(blob, {
-        status: response.status,
-        headers: {
-          'Content-Type': responseContentType,
-          'Content-Disposition': response.headers.get('content-disposition') || '',
-        },
-      })
-    }
-
     if (!response.ok) {
       const errorText = await response.text()
       let errorJson
@@ -83,10 +67,22 @@ async function proxyRequest(
       )
     }
 
+    const contentType = response.headers.get('content-type') || ''
+    if (contentType.includes('application/octet-stream') || contentType.includes('text/csv')) {
+      const blob = await response.blob()
+      return new NextResponse(blob, {
+        status: response.status,
+        headers: {
+          'Content-Type': contentType,
+          'Content-Disposition': response.headers.get('content-disposition') || '',
+        },
+      })
+    }
+
     const data = await response.json()
     return NextResponse.json(data)
   } catch (error) {
-    console.error('Vendor Compliance API proxy error:', error)
+    console.error('Roadmap API proxy error:', error)
     return NextResponse.json(
       { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
       { status: 503 }

admin-compliance/app/api/sdk/v1/screening/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: GET /api/sdk/v1/screening → Backend GET /api/v1/screening
@@ -40,3 +40,52 @@ export async function GET(request: NextRequest) {
     )
   }
 }
+
+/**
+ * Proxy: POST /api/sdk/v1/screening → Backend POST /api/v1/screening/scan
+ * Uploads a dependency file (package-lock.json, requirements.txt, etc.) for SBOM + vulnerability scan.
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const contentType = request.headers.get('content-type') || ''
+    const url = `${BACKEND_URL}/api/v1/screening/scan`
+
+    let body: BodyInit
+    const headers: Record<string, string> = {}
+
+    if (contentType.includes('multipart/form-data')) {
+      body = await request.arrayBuffer()
+      headers['Content-Type'] = contentType
+    } else {
+      body = await request.text()
+      headers['Content-Type'] = 'application/json'
+    }
+
+    if (request.headers.get('X-Tenant-ID')) {
+      headers['X-Tenant-ID'] = request.headers.get('X-Tenant-ID') as string
+    }
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers,
+      body,
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Failed to upload file for screening scan:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/screening/scan/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 /**
  * Proxy: POST /api/sdk/v1/screening/scan → Backend POST /api/v1/screening/scan

admin-compliance/app/api/sdk/v1/source-policy/blocked-content/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/compliance-report/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/operations-matrix/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/operations/[id]/route.ts

@@ -1,6 +1,34 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const { id } = await params
+
+    const response = await fetch(`${BACKEND_URL}/api/v1/admin/operations/${encodeURIComponent(id)}`, {
+      headers: {
+        'Content-Type': 'application/json',
+        ...(request.headers.get('X-Tenant-ID') && {
+          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
+        }),
+      },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'Backend error', details: errorText }, { status: response.status })
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to fetch operation:', error)
+    return NextResponse.json({ error: 'Failed to connect to backend' }, { status: 503 })
+  }
+}
 
 export async function PUT(
   request: NextRequest,
@@ -32,3 +60,32 @@ export async function PUT(
     return NextResponse.json({ error: 'Failed to connect to backend' }, { status: 503 })
   }
 }
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const { id } = await params
+
+    const response = await fetch(`${BACKEND_URL}/api/v1/admin/operations/${encodeURIComponent(id)}`, {
+      method: 'DELETE',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(request.headers.get('X-Tenant-ID') && {
+          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
+        }),
+      },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'Backend error', details: errorText }, { status: response.status })
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to delete operation:', error)
+    return NextResponse.json({ error: 'Failed to connect to backend' }, { status: 503 })
+  }
+}

admin-compliance/app/api/sdk/v1/source-policy/pii-rules/[id]/route.ts

@@ -1,6 +1,34 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const { id } = await params
+
+    const response = await fetch(`${BACKEND_URL}/api/v1/admin/pii-rules/${encodeURIComponent(id)}`, {
+      headers: {
+        'Content-Type': 'application/json',
+        ...(request.headers.get('X-Tenant-ID') && {
+          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
+        }),
+      },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'Backend error', details: errorText }, { status: response.status })
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Failed to fetch PII rule:', error)
+    return NextResponse.json({ error: 'Failed to connect to backend' }, { status: 503 })
+  }
+}
 
 export async function PUT(
   request: NextRequest,

admin-compliance/app/api/sdk/v1/source-policy/pii-rules/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/policy-audit/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/policy-stats/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/source-policy/sources/[id]/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(
   request: NextRequest,

admin-compliance/app/api/sdk/v1/source-policy/sources/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server'
 
-const BACKEND_URL = process.env.BACKEND_URL || 'http://localhost:8002'
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {

admin-compliance/app/api/sdk/v1/state/route.ts

@@ -2,17 +2,18 @@ import { NextRequest, NextResponse } from 'next/server'
 import { Pool } from 'pg'
 
 /**
- * SDK State Management API
+ * SDK State Management API (Multi-Project)
  *
- * GET /api/sdk/v1/state?tenantId=xxx - Load state for a tenant
- * POST /api/sdk/v1/state - Save state for a tenant
- * DELETE /api/sdk/v1/state?tenantId=xxx - Clear state for a tenant
+ * GET /api/sdk/v1/state?tenantId=xxx&projectId=yyy - Load state for a tenant+project
+ * POST /api/sdk/v1/state - Save state for a tenant+project
+ * DELETE /api/sdk/v1/state?tenantId=xxx&projectId=yyy - Clear state
  *
  * Features:
  * - Versioning for optimistic locking
  * - Last-Modified headers
  * - ETag support for caching
  * - PostgreSQL persistence (with InMemory fallback)
+ * - projectId support for multi-project architecture
  */
 
 // =============================================================================
@@ -32,25 +33,31 @@ interface StoredState {
 // =============================================================================
 
 interface StateStore {
-  get(tenantId: string): Promise<StoredState | null>
-  save(tenantId: string, state: unknown, userId?: string, expectedVersion?: number): Promise<StoredState>
-  delete(tenantId: string): Promise<boolean>
+  get(tenantId: string, projectId?: string): Promise<StoredState | null>
+  save(tenantId: string, state: unknown, userId?: string, expectedVersion?: number, projectId?: string): Promise<StoredState>
+  delete(tenantId: string, projectId?: string): Promise<boolean>
 }
 
 class InMemoryStateStore implements StateStore {
   private store: Map<string, StoredState> = new Map()
 
-  async get(tenantId: string): Promise<StoredState | null> {
-    return this.store.get(tenantId) || null
+  private key(tenantId: string, projectId?: string): string {
+    return projectId ? `${tenantId}:${projectId}` : tenantId
+  }
+
+  async get(tenantId: string, projectId?: string): Promise<StoredState | null> {
+    return this.store.get(this.key(tenantId, projectId)) || null
   }
 
   async save(
     tenantId: string,
     state: unknown,
     userId?: string,
-    expectedVersion?: number
+    expectedVersion?: number,
+    projectId?: string
   ): Promise<StoredState> {
-    const existing = this.store.get(tenantId)
+    const k = this.key(tenantId, projectId)
+    const existing = this.store.get(k)
 
     if (expectedVersion !== undefined && existing && existing.version !== expectedVersion) {
       const error = new Error('Version conflict') as Error & { status: number }
@@ -72,12 +79,12 @@ class InMemoryStateStore implements StateStore {
       updatedAt: now,
     }
 
-    this.store.set(tenantId, stored)
+    this.store.set(k, stored)
     return stored
   }
 
-  async delete(tenantId: string): Promise<boolean> {
-    return this.store.delete(tenantId)
+  async delete(tenantId: string, projectId?: string): Promise<boolean> {
+    return this.store.delete(this.key(tenantId, projectId))
   }
 }
 
@@ -93,11 +100,26 @@ class PostgreSQLStateStore implements StateStore {
     })
   }
 
-  async get(tenantId: string): Promise<StoredState | null> {
-    const result = await this.pool.query(
-      'SELECT state, version, user_id, created_at, updated_at FROM sdk_states WHERE tenant_id = $1',
-      [tenantId]
-    )
+  async get(tenantId: string, projectId?: string): Promise<StoredState | null> {
+    let result
+    if (projectId) {
+      result = await this.pool.query(
+        'SELECT state, version, user_id, created_at, updated_at FROM sdk_states WHERE tenant_id = $1 AND project_id = $2',
+        [tenantId, projectId]
+      )
+    } else {
+      // Backwards compatibility: find the single active project for this tenant
+      result = await this.pool.query(
+        `SELECT s.state, s.version, s.user_id, s.created_at, s.updated_at
+         FROM sdk_states s
+         LEFT JOIN compliance_projects p ON s.project_id = p.id
+         WHERE s.tenant_id = $1
+           AND (p.status = 'active' OR p.id IS NULL)
+         ORDER BY s.updated_at DESC
+         LIMIT 1`,
+        [tenantId]
+      )
+    }
     if (result.rows.length === 0) return null
     const row = result.rows[0]
     return {
@@ -109,25 +131,71 @@ class PostgreSQLStateStore implements StateStore {
     }
   }
 
-  async save(tenantId: string, state: unknown, userId?: string, expectedVersion?: number): Promise<StoredState> {
+  async save(tenantId: string, state: unknown, userId?: string, expectedVersion?: number, projectId?: string): Promise<StoredState> {
     const now = new Date().toISOString()
     const stateWithTimestamp = {
       ...(state as object),
       lastModified: now,
     }
 
-    // Use UPSERT with version check
-    const result = await this.pool.query(`
-      INSERT INTO sdk_states (tenant_id, user_id, state, version, created_at, updated_at)
-      VALUES ($1, $2, $3::jsonb, 1, NOW(), NOW())
-      ON CONFLICT (tenant_id) DO UPDATE SET
-        state = $3::jsonb,
-        user_id = COALESCE($2, sdk_states.user_id),
-        version = sdk_states.version + 1,
-        updated_at = NOW()
-      WHERE ($4::int IS NULL OR sdk_states.version = $4)
-      RETURNING version, user_id, created_at, updated_at
-    `, [tenantId, userId, JSON.stringify(stateWithTimestamp), expectedVersion ?? null])
+    let result
+
+    if (projectId) {
+      // Multi-project: UPSERT on (tenant_id, project_id)
+      result = await this.pool.query(`
+        INSERT INTO sdk_states (tenant_id, project_id, user_id, state, version, created_at, updated_at)
+        VALUES ($1, $5, $2, $3::jsonb, 1, NOW(), NOW())
+        ON CONFLICT (tenant_id, project_id) DO UPDATE SET
+          state = $3::jsonb,
+          user_id = COALESCE($2, sdk_states.user_id),
+          version = sdk_states.version + 1,
+          updated_at = NOW()
+        WHERE ($4::int IS NULL OR sdk_states.version = $4)
+        RETURNING version, user_id, created_at, updated_at
+      `, [tenantId, userId, JSON.stringify(stateWithTimestamp), expectedVersion ?? null, projectId])
+    } else {
+      // Backwards compatibility: find the single project for this tenant
+      // First try to find an existing project
+      const projectResult = await this.pool.query(
+        `SELECT id FROM compliance_projects WHERE tenant_id = $1 AND status = 'active' ORDER BY created_at ASC LIMIT 1`,
+        [tenantId]
+      )
+
+      if (projectResult.rows.length > 0) {
+        const foundProjectId = projectResult.rows[0].id
+        result = await this.pool.query(`
+          INSERT INTO sdk_states (tenant_id, project_id, user_id, state, version, created_at, updated_at)
+          VALUES ($1, $5, $2, $3::jsonb, 1, NOW(), NOW())
+          ON CONFLICT (tenant_id, project_id) DO UPDATE SET
+            state = $3::jsonb,
+            user_id = COALESCE($2, sdk_states.user_id),
+            version = sdk_states.version + 1,
+            updated_at = NOW()
+          WHERE ($4::int IS NULL OR sdk_states.version = $4)
+          RETURNING version, user_id, created_at, updated_at
+        `, [tenantId, userId, JSON.stringify(stateWithTimestamp), expectedVersion ?? null, foundProjectId])
+      } else {
+        // No project exists — create a default one
+        const newProject = await this.pool.query(
+          `INSERT INTO compliance_projects (tenant_id, name, customer_type, status)
+           VALUES ($1, 'Projekt 1', 'new', 'active')
+           RETURNING id`,
+          [tenantId]
+        )
+        const newProjectId = newProject.rows[0].id
+        result = await this.pool.query(`
+          INSERT INTO sdk_states (tenant_id, project_id, user_id, state, version, created_at, updated_at)
+          VALUES ($1, $5, $2, $3::jsonb, 1, NOW(), NOW())
+          ON CONFLICT (tenant_id, project_id) DO UPDATE SET
+            state = $3::jsonb,
+            user_id = COALESCE($2, sdk_states.user_id),
+            version = sdk_states.version + 1,
+            updated_at = NOW()
+          WHERE ($4::int IS NULL OR sdk_states.version = $4)
+          RETURNING version, user_id, created_at, updated_at
+        `, [tenantId, userId, JSON.stringify(stateWithTimestamp), expectedVersion ?? null, newProjectId])
+      }
+    }
 
     if (result.rows.length === 0) {
       const error = new Error('Version conflict') as Error & { status: number }
@@ -145,11 +213,19 @@ class PostgreSQLStateStore implements StateStore {
     }
   }
 
-  async delete(tenantId: string): Promise<boolean> {
-    const result = await this.pool.query(
-      'DELETE FROM sdk_states WHERE tenant_id = $1',
-      [tenantId]
-    )
+  async delete(tenantId: string, projectId?: string): Promise<boolean> {
+    let result
+    if (projectId) {
+      result = await this.pool.query(
+        'DELETE FROM sdk_states WHERE tenant_id = $1 AND project_id = $2',
+        [tenantId, projectId]
+      )
+    } else {
+      result = await this.pool.query(
+        'DELETE FROM sdk_states WHERE tenant_id = $1',
+        [tenantId]
+      )
+    }
     return (result.rowCount ?? 0) > 0
   }
 }
@@ -186,6 +262,7 @@ export async function GET(request: NextRequest) {
   try {
     const { searchParams } = new URL(request.url)
     const tenantId = searchParams.get('tenantId')
+    const projectId = searchParams.get('projectId') || undefined
 
     if (!tenantId) {
       return NextResponse.json(
@@ -194,7 +271,7 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    const stored = await stateStore.get(tenantId)
+    const stored = await stateStore.get(tenantId, projectId)
 
     if (!stored) {
       return NextResponse.json(
@@ -216,6 +293,7 @@ export async function GET(request: NextRequest) {
         success: true,
         data: {
           tenantId,
+          projectId: projectId || null,
           state: stored.state,
           version: stored.version,
           lastModified: stored.updatedAt,
@@ -241,7 +319,7 @@ export async function GET(request: NextRequest) {
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
-    const { tenantId, state, version } = body
+    const { tenantId, state, version, projectId } = body
 
     if (!tenantId) {
       return NextResponse.json(
@@ -261,7 +339,7 @@ export async function POST(request: NextRequest) {
     const ifMatch = request.headers.get('If-Match')
     const expectedVersion = ifMatch ? parseInt(ifMatch, 10) : version
 
-    const stored = await stateStore.save(tenantId, state, body.userId, expectedVersion)
+    const stored = await stateStore.save(tenantId, state, body.userId, expectedVersion, projectId || undefined)
 
     const etag = generateETag(stored.version, stored.updatedAt)
 
@@ -270,6 +348,7 @@ export async function POST(request: NextRequest) {
         success: true,
         data: {
           tenantId,
+          projectId: projectId || null,
           state: stored.state,
           version: stored.version,
           lastModified: stored.updatedAt,
@@ -309,6 +388,7 @@ export async function DELETE(request: NextRequest) {
   try {
     const { searchParams } = new URL(request.url)
     const tenantId = searchParams.get('tenantId')
+    const projectId = searchParams.get('projectId') || undefined
 
     if (!tenantId) {
       return NextResponse.json(
@@ -317,7 +397,7 @@ export async function DELETE(request: NextRequest) {
       )
     }
 
-    const deleted = await stateStore.delete(tenantId)
+    const deleted = await stateStore.delete(tenantId, projectId)
 
     if (!deleted) {
       return NextResponse.json(

admin-compliance/app/api/sdk/v1/tom-generator/state/route.ts

@@ -1,119 +1,30 @@
 import { NextRequest, NextResponse } from 'next/server'
-import {
-  TOMGeneratorState,
-  createEmptyTOMGeneratorState,
-} from '@/lib/sdk/tom-generator/types'
 
 /**
- * TOM Generator State API
+ * TOM Generator State API — Proxy to backend-compliance (Python/FastAPI)
  *
  * GET /api/sdk/v1/tom-generator/state?tenantId=xxx - Load TOM generator state
  * POST /api/sdk/v1/tom-generator/state - Save TOM generator state
  * DELETE /api/sdk/v1/tom-generator/state?tenantId=xxx - Clear state
  */
 
-// =============================================================================
-// STORAGE (In-Memory for development)
-// =============================================================================
-
-interface StoredTOMState {
-  state: TOMGeneratorState
-  version: number
-  createdAt: string
-  updatedAt: string
-}
-
-class InMemoryTOMStateStore {
-  private store: Map<string, StoredTOMState> = new Map()
-
-  async get(tenantId: string): Promise<StoredTOMState | null> {
-    return this.store.get(tenantId) || null
-  }
-
-  async save(tenantId: string, state: TOMGeneratorState, expectedVersion?: number): Promise<StoredTOMState> {
-    const existing = this.store.get(tenantId)
-
-    if (expectedVersion !== undefined && existing && existing.version !== expectedVersion) {
-      const error = new Error('Version conflict') as Error & { status: number }
-      error.status = 409
-      throw error
-    }
-
-    const now = new Date().toISOString()
-    const newVersion = existing ? existing.version + 1 : 1
-
-    const stored: StoredTOMState = {
-      state: {
-        ...state,
-        updatedAt: new Date(now),
-      },
-      version: newVersion,
-      createdAt: existing?.createdAt || now,
-      updatedAt: now,
-    }
-
-    this.store.set(tenantId, stored)
-    return stored
-  }
-
-  async delete(tenantId: string): Promise<boolean> {
-    return this.store.delete(tenantId)
-  }
-
-  async list(): Promise<{ tenantId: string; updatedAt: string }[]> {
-    const result: { tenantId: string; updatedAt: string }[] = []
-    this.store.forEach((value, key) => {
-      result.push({ tenantId: key, updatedAt: value.updatedAt })
-    })
-    return result
-  }
-}
-
-const stateStore = new InMemoryTOMStateStore()
-
-// =============================================================================
-// HANDLERS
-// =============================================================================
+const BACKEND_URL = process.env.COMPLIANCE_BACKEND_URL || 'http://backend-compliance:8002'
 
 export async function GET(request: NextRequest) {
   try {
     const { searchParams } = new URL(request.url)
     const tenantId = searchParams.get('tenantId')
 
-    // List all states if no tenantId provided
-    if (!tenantId) {
-      const states = await stateStore.list()
-      return NextResponse.json({
-        success: true,
-        data: states,
-      })
-    }
+    const url = tenantId
+      ? `${BACKEND_URL}/api/compliance/tom/state?tenant_id=${encodeURIComponent(tenantId)}`
+      : `${BACKEND_URL}/api/compliance/tom/state`
 
-    const stored = await stateStore.get(tenantId)
-
-    if (!stored) {
-      // Return empty state for new tenants
-      const emptyState = createEmptyTOMGeneratorState(tenantId)
-      return NextResponse.json({
-        success: true,
-        data: {
-          tenantId,
-          state: emptyState,
-          version: 0,
-          isNew: true,
-        },
-      })
-    }
-
-    return NextResponse.json({
-      success: true,
-      data: {
-        tenantId,
-        state: stored.state,
-        version: stored.version,
-        lastModified: stored.updatedAt,
-      },
+    const res = await fetch(url, {
+      headers: { 'Content-Type': 'application/json' },
     })
+
+    const data = await res.json()
+    return NextResponse.json(data, { status: res.status })
   } catch (error) {
     console.error('Failed to load TOM generator state:', error)
     return NextResponse.json(
@@ -142,65 +53,19 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    // Deserialize dates
-    const parsedState: TOMGeneratorState = {
-      ...state,
-      createdAt: new Date(state.createdAt),
-      updatedAt: new Date(state.updatedAt),
-      steps: state.steps.map((step: { id: string; completed: boolean; data: unknown; validatedAt: string | null }) => ({
-        ...step,
-        validatedAt: step.validatedAt ? new Date(step.validatedAt) : null,
-      })),
-      documents: state.documents?.map((doc: { uploadedAt: string; validFrom?: string; validUntil?: string; aiAnalysis?: { analyzedAt: string } }) => ({
-        ...doc,
-        uploadedAt: new Date(doc.uploadedAt),
-        validFrom: doc.validFrom ? new Date(doc.validFrom) : null,
-        validUntil: doc.validUntil ? new Date(doc.validUntil) : null,
-        aiAnalysis: doc.aiAnalysis ? {
-          ...doc.aiAnalysis,
-          analyzedAt: new Date(doc.aiAnalysis.analyzedAt),
-        } : null,
-      })) || [],
-      derivedTOMs: state.derivedTOMs?.map((tom: { implementationDate?: string; reviewDate?: string }) => ({
-        ...tom,
-        implementationDate: tom.implementationDate ? new Date(tom.implementationDate) : null,
-        reviewDate: tom.reviewDate ? new Date(tom.reviewDate) : null,
-      })) || [],
-      gapAnalysis: state.gapAnalysis ? {
-        ...state.gapAnalysis,
-        generatedAt: new Date(state.gapAnalysis.generatedAt),
-      } : null,
-      exports: state.exports?.map((exp: { generatedAt: string }) => ({
-        ...exp,
-        generatedAt: new Date(exp.generatedAt),
-      })) || [],
-    }
-
-    const stored = await stateStore.save(tenantId, parsedState, version)
-
-    return NextResponse.json({
-      success: true,
-      data: {
-        tenantId,
-        state: stored.state,
-        version: stored.version,
-        lastModified: stored.updatedAt,
-      },
+    const res = await fetch(`${BACKEND_URL}/api/compliance/tom/state`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        tenant_id: tenantId,
+        state,
+        version,
+      }),
     })
+
+    const data = await res.json()
+    return NextResponse.json(data, { status: res.status })
   } catch (error) {
-    const err = error as Error & { status?: number }
-
-    if (err.status === 409 || err.message === 'Version conflict') {
-      return NextResponse.json(
-        {
-          success: false,
-          error: 'Version conflict. State was modified by another request.',
-          code: 'VERSION_CONFLICT',
-        },
-        { status: 409 }
-      )
-    }
-
     console.error('Failed to save TOM generator state:', error)
     return NextResponse.json(
       { success: false, error: 'Failed to save state' },
@@ -221,14 +86,16 @@ export async function DELETE(request: NextRequest) {
       )
     }
 
-    const deleted = await stateStore.delete(tenantId)
+    const res = await fetch(
+      `${BACKEND_URL}/api/compliance/tom/state?tenant_id=${encodeURIComponent(tenantId)}`,
+      {
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json' },
+      }
+    )
 
-    return NextResponse.json({
-      success: true,
-      tenantId,
-      deleted,
-      deletedAt: new Date().toISOString(),
-    })
+    const data = await res.json()
+    return NextResponse.json(data, { status: res.status })
   } catch (error) {
     console.error('Failed to delete TOM generator state:', error)
     return NextResponse.json(

admin-compliance/app/api/sdk/v1/training/[[...path]]/route.ts

@@ -53,7 +53,18 @@ async function proxyRequest(
       }
     }
 
-    const response = await fetch(url, fetchOptions)
+    const response = await fetch(url, {
+      ...fetchOptions,
+      redirect: 'manual',
+    })
+
+    // Handle redirects (e.g. media stream presigned URL)
+    if (response.status === 307 || response.status === 302) {
+      const location = response.headers.get('location')
+      if (location) {
+        return NextResponse.redirect(location)
+      }
+    }
 
     if (!response.ok) {
       const errorText = await response.text()
@@ -69,6 +80,19 @@ async function proxyRequest(
       )
     }
 
+    // Handle binary responses (PDF, octet-stream)
+    const contentType = response.headers.get('content-type') || ''
+    if (contentType.includes('application/pdf') || contentType.includes('application/octet-stream')) {
+      const buffer = await response.arrayBuffer()
+      return new NextResponse(buffer, {
+        status: response.status,
+        headers: {
+          'Content-Type': contentType,
+          'Content-Disposition': response.headers.get('content-disposition') || '',
+        },
+      })
+    }
+
     const data = await response.json()
     return NextResponse.json(data)
   } catch (error) {

admin-compliance/app/api/sdk/v1/ucca/obligations/[[...path]]/route.ts

@@ -0,0 +1,39 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BASE_URL = process.env.SDK_BASE_URL || 'http://localhost:8085'
+
+const DEFAULT_TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = 'admin'
+
+async function proxyRequest(request: NextRequest, method: string) {
+  try {
+    const pathSegments = request.nextUrl.pathname.replace('/api/sdk/v1/ucca/obligations/', '')
+    const targetUrl = `${SDK_BASE_URL}/sdk/v1/ucca/obligations/${pathSegments}${request.nextUrl.search}`
+
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+      'X-User-ID': request.headers.get('X-User-ID') || DEFAULT_USER_ID,
+    }
+
+    const fetchOptions: RequestInit = { method, headers }
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      fetchOptions.body = await request.text()
+    }
+
+    const response = await fetch(targetUrl, fetchOptions)
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'SDK backend error', details: errorText }, { status: response.status })
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('UCCA obligations proxy error:', error)
+    return NextResponse.json({ error: 'Failed to connect to SDK backend' }, { status: 503 })
+  }
+}
+
+export async function GET(request: NextRequest) { return proxyRequest(request, 'GET') }
+export async function POST(request: NextRequest) { return proxyRequest(request, 'POST') }

admin-compliance/app/api/sdk/v1/ucca/obligations/assess/route.ts

@@ -2,19 +2,19 @@ import { NextRequest, NextResponse } from 'next/server'
 
 const SDK_BASE_URL = process.env.SDK_BASE_URL || 'http://localhost:8085'
 
+const DEFAULT_TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = 'admin'
+
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
 
-    // Forward the request to the SDK backend
     const response = await fetch(`${SDK_BASE_URL}/sdk/v1/ucca/obligations/assess`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        // Forward tenant ID if present
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+        'X-User-ID': request.headers.get('X-User-ID') || DEFAULT_USER_ID,
       },
       body: JSON.stringify(body),
     })

admin-compliance/app/api/sdk/v1/ucca/obligations/export/direct/route.ts

@@ -2,19 +2,19 @@ import { NextRequest, NextResponse } from 'next/server'
 
 const SDK_BASE_URL = process.env.SDK_BASE_URL || 'http://localhost:8085'
 
+const DEFAULT_TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = 'admin'
+
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
 
-    // Forward the request to the SDK backend
     const response = await fetch(`${SDK_BASE_URL}/sdk/v1/ucca/obligations/export/direct`, {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
-        // Forward tenant ID if present
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+        'X-User-ID': request.headers.get('X-User-ID') || DEFAULT_USER_ID,
       },
       body: JSON.stringify(body),
     })

admin-compliance/app/api/sdk/v1/vendor-compliance/[[...path]]/route.ts

@@ -0,0 +1,122 @@
+/**
+ * Vendor Compliance API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/vendor-compliance/* requests to backend-compliance
+ *
+ * Backend routes: vendors, contracts, findings, control-instances, controls, export
+ * All under /api/compliance/vendor-compliance/ prefix on backend-compliance:8002
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/compliance/vendor-compliance`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Vendor Compliance API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Compliance Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/vendor-compliance/contracts/route.ts

@@ -1,88 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { v4 as uuidv4 } from 'uuid'
-import { ContractDocument } from '@/lib/sdk/vendor-compliance'
-
-// In-memory storage for demo purposes
-const contracts: Map<string, ContractDocument> = new Map()
-
-export async function GET(request: NextRequest) {
-  try {
-    const contractList = Array.from(contracts.values())
-
-    return NextResponse.json({
-      success: true,
-      data: contractList,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching contracts:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch contracts' },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  try {
-    // Handle multipart form data for file upload
-    const formData = await request.formData()
-    const file = formData.get('file') as File | null
-    const vendorId = formData.get('vendorId') as string
-    const metadataStr = formData.get('metadata') as string
-
-    if (!file || !vendorId) {
-      return NextResponse.json(
-        { success: false, error: 'File and vendorId are required' },
-        { status: 400 }
-      )
-    }
-
-    const metadata = metadataStr ? JSON.parse(metadataStr) : {}
-    const id = uuidv4()
-
-    // In production, upload file to storage (MinIO, S3, etc.)
-    const storagePath = `contracts/${id}/${file.name}`
-
-    const contract: ContractDocument = {
-      id,
-      tenantId: 'default',
-      vendorId,
-      fileName: `${id}-${file.name}`,
-      originalName: file.name,
-      mimeType: file.type,
-      fileSize: file.size,
-      storagePath,
-      documentType: metadata.documentType || 'OTHER',
-      version: metadata.version || '1.0',
-      previousVersionId: metadata.previousVersionId,
-      parties: metadata.parties,
-      effectiveDate: metadata.effectiveDate ? new Date(metadata.effectiveDate) : undefined,
-      expirationDate: metadata.expirationDate ? new Date(metadata.expirationDate) : undefined,
-      autoRenewal: metadata.autoRenewal,
-      renewalNoticePeriod: metadata.renewalNoticePeriod,
-      terminationNoticePeriod: metadata.terminationNoticePeriod,
-      reviewStatus: 'PENDING',
-      status: 'DRAFT',
-      createdAt: new Date(),
-      updatedAt: new Date(),
-    }
-
-    contracts.set(id, contract)
-
-    return NextResponse.json(
-      {
-        success: true,
-        data: contract,
-        timestamp: new Date().toISOString(),
-      },
-      { status: 201 }
-    )
-  } catch (error) {
-    console.error('Error uploading contract:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to upload contract' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/controls/route.ts

@@ -1,28 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { CONTROLS_LIBRARY } from '@/lib/sdk/vendor-compliance'
-
-export async function GET(request: NextRequest) {
-  try {
-    const searchParams = request.nextUrl.searchParams
-    const domain = searchParams.get('domain')
-
-    let controls = [...CONTROLS_LIBRARY]
-
-    // Filter by domain if provided
-    if (domain) {
-      controls = controls.filter((c) => c.domain === domain)
-    }
-
-    return NextResponse.json({
-      success: true,
-      data: controls,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching controls:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch controls' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/export/[reportId]/download/route.ts

@@ -1,75 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-
-/**
- * GET /api/sdk/v1/vendor-compliance/export/[reportId]/download
- *
- * Download a generated report file.
- * In production, this would redirect to a signed MinIO/S3 URL or stream the file.
- */
-export async function GET(
-  request: NextRequest,
-  { params }: { params: Promise<{ reportId: string }> }
-) {
-  const { reportId } = await params
-
-  // TODO: Implement actual file download
-  // This would typically:
-  // 1. Verify report exists and user has access
-  // 2. Generate signed URL for MinIO/S3
-  // 3. Redirect to signed URL or stream file
-
-  // For now, return a placeholder PDF
-  const placeholderContent = `
-%PDF-1.4
-1 0 obj
-<< /Type /Catalog /Pages 2 0 R >>
-endobj
-2 0 obj
-<< /Type /Pages /Kids [3 0 R] /Count 1 >>
-endobj
-3 0 obj
-<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>
-endobj
-4 0 obj
-<< /Length 200 >>
-stream
-BT
-/F1 24 Tf
-100 700 Td
-(Vendor Compliance Report) Tj
-/F1 12 Tf
-100 650 Td
-(Report ID: ${reportId}) Tj
-100 620 Td
-(Generated: ${new Date().toISOString()}) Tj
-100 580 Td
-(This is a placeholder. Implement actual report generation.) Tj
-ET
-endstream
-endobj
-5 0 obj
-<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>
-endobj
-xref
-0 6
-0000000000 65535 f
-0000000009 00000 n
-0000000058 00000 n
-0000000115 00000 n
-0000000266 00000 n
-0000000519 00000 n
-trailer
-<< /Size 6 /Root 1 0 R >>
-startxref
-598
-%%EOF
-`.trim()
-
-  // Return as PDF
-  return new NextResponse(placeholderContent, {
-    headers: {
-      'Content-Type': 'application/pdf',
-      'Content-Disposition': `attachment; filename="Report_${reportId.slice(0, 8)}.pdf"`,
-    },
-  })
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/export/[reportId]/route.ts

@@ -1,44 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-
-/**
- * GET /api/sdk/v1/vendor-compliance/export/[reportId]
- *
- * Get report metadata by ID.
- */
-export async function GET(
-  request: NextRequest,
-  { params }: { params: Promise<{ reportId: string }> }
-) {
-  const { reportId } = await params
-
-  // TODO: Fetch report metadata from database
-  // For now, return mock data
-
-  return NextResponse.json({
-    id: reportId,
-    status: 'completed',
-    filename: `Report_${reportId.slice(0, 8)}.pdf`,
-    generatedAt: new Date().toISOString(),
-    expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(), // 24h
-  })
-}
-
-/**
- * DELETE /api/sdk/v1/vendor-compliance/export/[reportId]
- *
- * Delete a generated report.
- */
-export async function DELETE(
-  request: NextRequest,
-  { params }: { params: Promise<{ reportId: string }> }
-) {
-  const { reportId } = await params
-
-  // TODO: Delete report from storage and database
-  console.log('Deleting report:', reportId)
-
-  return NextResponse.json({
-    success: true,
-    deletedId: reportId,
-  })
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/export/route.ts

@@ -1,118 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { v4 as uuidv4 } from 'uuid'
-
-/**
- * POST /api/sdk/v1/vendor-compliance/export
- *
- * Generate and export reports in various formats.
- * Currently returns mock data - integrate with actual report generation service.
- */
-
-interface ExportConfig {
-  reportType: 'VVT_EXPORT' | 'VENDOR_AUDIT' | 'ROPA' | 'MANAGEMENT_SUMMARY' | 'DPIA_INPUT'
-  format: 'PDF' | 'DOCX' | 'XLSX' | 'JSON'
-  scope: {
-    vendorIds: string[]
-    processingActivityIds: string[]
-    includeFindings: boolean
-    includeControls: boolean
-    includeRiskAssessment: boolean
-    dateRange?: {
-      from: string
-      to: string
-    }
-  }
-}
-
-const REPORT_TYPE_NAMES: Record<ExportConfig['reportType'], string> = {
-  VVT_EXPORT: 'Verarbeitungsverzeichnis',
-  VENDOR_AUDIT: 'Vendor-Audit-Pack',
-  ROPA: 'RoPA',
-  MANAGEMENT_SUMMARY: 'Management-Summary',
-  DPIA_INPUT: 'DSFA-Input',
-}
-
-const FORMAT_EXTENSIONS: Record<ExportConfig['format'], string> = {
-  PDF: 'pdf',
-  DOCX: 'docx',
-  XLSX: 'xlsx',
-  JSON: 'json',
-}
-
-export async function POST(request: NextRequest) {
-  try {
-    const config = (await request.json()) as ExportConfig
-
-    // Validate request
-    if (!config.reportType || !config.format) {
-      return NextResponse.json(
-        { error: 'reportType and format are required' },
-        { status: 400 }
-      )
-    }
-
-    // Generate report ID and filename
-    const reportId = uuidv4()
-    const timestamp = new Date().toISOString().slice(0, 10).replace(/-/g, '')
-    const filename = `${REPORT_TYPE_NAMES[config.reportType]}_${timestamp}.${FORMAT_EXTENSIONS[config.format]}`
-
-    // TODO: Implement actual report generation
-    // This would typically:
-    // 1. Fetch data from database based on scope
-    // 2. Generate report using template engine (e.g., docx-templates, pdfkit)
-    // 3. Store in MinIO/S3
-    // 4. Return download URL
-
-    // Mock implementation - simulate processing time
-    await new Promise((resolve) => setTimeout(resolve, 500))
-
-    // In production, this would be a signed URL to MinIO/S3
-    const downloadUrl = `/api/sdk/v1/vendor-compliance/export/${reportId}/download`
-
-    // Log export for audit trail
-    console.log('Export generated:', {
-      reportId,
-      reportType: config.reportType,
-      format: config.format,
-      scope: config.scope,
-      filename,
-      generatedAt: new Date().toISOString(),
-    })
-
-    return NextResponse.json({
-      id: reportId,
-      reportType: config.reportType,
-      format: config.format,
-      filename,
-      downloadUrl,
-      generatedAt: new Date().toISOString(),
-      scope: {
-        vendorCount: config.scope.vendorIds?.length || 0,
-        activityCount: config.scope.processingActivityIds?.length || 0,
-        includesFindings: config.scope.includeFindings,
-        includesControls: config.scope.includeControls,
-        includesRiskAssessment: config.scope.includeRiskAssessment,
-      },
-    })
-  } catch (error) {
-    console.error('Export error:', error)
-    return NextResponse.json(
-      { error: 'Failed to generate export' },
-      { status: 500 }
-    )
-  }
-}
-
-/**
- * GET /api/sdk/v1/vendor-compliance/export
- *
- * List recent exports for the current tenant.
- */
-export async function GET() {
-  // TODO: Implement fetching recent exports from database
-  // For now, return empty list
-  return NextResponse.json({
-    exports: [],
-    totalCount: 0,
-  })
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/findings/route.ts

@@ -1,43 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { Finding } from '@/lib/sdk/vendor-compliance'
-
-// In-memory storage for demo purposes
-const findings: Map<string, Finding> = new Map()
-
-export async function GET(request: NextRequest) {
-  try {
-    const searchParams = request.nextUrl.searchParams
-    const vendorId = searchParams.get('vendorId')
-    const contractId = searchParams.get('contractId')
-    const status = searchParams.get('status')
-
-    let findingsList = Array.from(findings.values())
-
-    // Filter by vendor
-    if (vendorId) {
-      findingsList = findingsList.filter((f) => f.vendorId === vendorId)
-    }
-
-    // Filter by contract
-    if (contractId) {
-      findingsList = findingsList.filter((f) => f.contractId === contractId)
-    }
-
-    // Filter by status
-    if (status) {
-      findingsList = findingsList.filter((f) => f.status === status)
-    }
-
-    return NextResponse.json({
-      success: true,
-      data: findingsList,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching findings:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch findings' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/processing-activities/[id]/route.ts

@@ -1,70 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-
-// This would reference the same storage as the main route
-// In production, this would be database calls
-
-export async function GET(
-  request: NextRequest,
-  { params }: { params: Promise<{ id: string }> }
-) {
-  try {
-    const { id } = await params
-
-    // In production, fetch from database
-    return NextResponse.json({
-      success: true,
-      data: null, // Would return the activity
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching processing activity:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch processing activity' },
-      { status: 500 }
-    )
-  }
-}
-
-export async function PUT(
-  request: NextRequest,
-  { params }: { params: Promise<{ id: string }> }
-) {
-  try {
-    const { id } = await params
-    const body = await request.json()
-
-    // In production, update in database
-    return NextResponse.json({
-      success: true,
-      data: { id, ...body, updatedAt: new Date() },
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error updating processing activity:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to update processing activity' },
-      { status: 500 }
-    )
-  }
-}
-
-export async function DELETE(
-  request: NextRequest,
-  { params }: { params: Promise<{ id: string }> }
-) {
-  try {
-    const { id } = await params
-
-    // In production, delete from database
-    return NextResponse.json({
-      success: true,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error deleting processing activity:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to delete processing activity' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/processing-activities/route.ts

@@ -1,84 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { v4 as uuidv4 } from 'uuid'
-import { ProcessingActivity, generateVVTId } from '@/lib/sdk/vendor-compliance'
-
-// In-memory storage for demo purposes
-// In production, this would be replaced with database calls
-const processingActivities: Map<string, ProcessingActivity> = new Map()
-
-export async function GET(request: NextRequest) {
-  try {
-    const activities = Array.from(processingActivities.values())
-
-    return NextResponse.json({
-      success: true,
-      data: activities,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching processing activities:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch processing activities' },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  try {
-    const body = await request.json()
-
-    // Generate IDs
-    const id = uuidv4()
-    const existingIds = Array.from(processingActivities.values()).map((a) => a.vvtId)
-    const vvtId = body.vvtId || generateVVTId(existingIds)
-
-    const activity: ProcessingActivity = {
-      id,
-      tenantId: 'default', // Would come from auth context
-      vvtId,
-      name: body.name,
-      responsible: body.responsible,
-      dpoContact: body.dpoContact,
-      purposes: body.purposes || [],
-      dataSubjectCategories: body.dataSubjectCategories || [],
-      personalDataCategories: body.personalDataCategories || [],
-      recipientCategories: body.recipientCategories || [],
-      thirdCountryTransfers: body.thirdCountryTransfers || [],
-      retentionPeriod: body.retentionPeriod || { description: { de: '', en: '' } },
-      technicalMeasures: body.technicalMeasures || [],
-      legalBasis: body.legalBasis || [],
-      dataSources: body.dataSources || [],
-      systems: body.systems || [],
-      dataFlows: body.dataFlows || [],
-      protectionLevel: body.protectionLevel || 'MEDIUM',
-      dpiaRequired: body.dpiaRequired || false,
-      dpiaJustification: body.dpiaJustification,
-      subProcessors: body.subProcessors || [],
-      legalRetentionBasis: body.legalRetentionBasis,
-      status: body.status || 'DRAFT',
-      owner: body.owner || '',
-      lastReviewDate: body.lastReviewDate,
-      nextReviewDate: body.nextReviewDate,
-      createdAt: new Date(),
-      updatedAt: new Date(),
-    }
-
-    processingActivities.set(id, activity)
-
-    return NextResponse.json(
-      {
-        success: true,
-        data: activity,
-        timestamp: new Date().toISOString(),
-      },
-      { status: 201 }
-    )
-  } catch (error) {
-    console.error('Error creating processing activity:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to create processing activity' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/vendor-compliance/vendors/route.ts

@@ -1,82 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-import { v4 as uuidv4 } from 'uuid'
-import { Vendor } from '@/lib/sdk/vendor-compliance'
-
-// In-memory storage for demo purposes
-const vendors: Map<string, Vendor> = new Map()
-
-export async function GET(request: NextRequest) {
-  try {
-    const vendorList = Array.from(vendors.values())
-
-    return NextResponse.json({
-      success: true,
-      data: vendorList,
-      timestamp: new Date().toISOString(),
-    })
-  } catch (error) {
-    console.error('Error fetching vendors:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to fetch vendors' },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const id = uuidv4()
-
-    const vendor: Vendor = {
-      id,
-      tenantId: 'default',
-      name: body.name,
-      legalForm: body.legalForm,
-      country: body.country,
-      address: body.address,
-      website: body.website,
-      role: body.role,
-      serviceDescription: body.serviceDescription,
-      serviceCategory: body.serviceCategory,
-      dataAccessLevel: body.dataAccessLevel || 'NONE',
-      processingLocations: body.processingLocations || [],
-      transferMechanisms: body.transferMechanisms || [],
-      certifications: body.certifications || [],
-      primaryContact: body.primaryContact,
-      dpoContact: body.dpoContact,
-      securityContact: body.securityContact,
-      contractTypes: body.contractTypes || [],
-      contracts: body.contracts || [],
-      inherentRiskScore: body.inherentRiskScore || 50,
-      residualRiskScore: body.residualRiskScore || 50,
-      manualRiskAdjustment: body.manualRiskAdjustment,
-      riskJustification: body.riskJustification,
-      reviewFrequency: body.reviewFrequency || 'ANNUAL',
-      lastReviewDate: body.lastReviewDate,
-      nextReviewDate: body.nextReviewDate,
-      status: body.status || 'ACTIVE',
-      processingActivityIds: body.processingActivityIds || [],
-      notes: body.notes,
-      createdAt: new Date(),
-      updatedAt: new Date(),
-    }
-
-    vendors.set(id, vendor)
-
-    return NextResponse.json(
-      {
-        success: true,
-        data: vendor,
-        timestamp: new Date().toISOString(),
-      },
-      { status: 201 }
-    )
-  } catch (error) {
-    console.error('Error creating vendor:', error)
-    return NextResponse.json(
-      { success: false, error: 'Failed to create vendor' },
-      { status: 500 }
-    )
-  }
-}

admin-compliance/app/api/sdk/v1/wiki/route.ts

@@ -0,0 +1,87 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: GET /api/sdk/v1/wiki?endpoint=...
+ *
+ * Routes to backend wiki endpoints:
+ *   endpoint=categories  → GET /api/compliance/v1/wiki/categories
+ *   endpoint=articles    → GET /api/compliance/v1/wiki/articles(?category_id=...)
+ *   endpoint=search      → GET /api/compliance/v1/wiki/search?q=...
+ *   endpoint=article&id= → GET /api/compliance/v1/wiki/articles/{id}
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'categories'
+
+    let backendPath: string
+
+    switch (endpoint) {
+      case 'categories':
+        backendPath = '/api/compliance/v1/wiki/categories'
+        break
+
+      case 'articles': {
+        const categoryId = searchParams.get('category_id')
+        backendPath = '/api/compliance/v1/wiki/articles'
+        if (categoryId) {
+          backendPath += `?category_id=${encodeURIComponent(categoryId)}`
+        }
+        break
+      }
+
+      case 'article': {
+        const articleId = searchParams.get('id')
+        if (!articleId) {
+          return NextResponse.json(
+            { error: 'Missing article id' },
+            { status: 400 }
+          )
+        }
+        backendPath = `/api/compliance/v1/wiki/articles/${encodeURIComponent(articleId)}`
+        break
+      }
+
+      case 'search': {
+        const query = searchParams.get('q')
+        if (!query) {
+          return NextResponse.json(
+            { error: 'Missing search query' },
+            { status: 400 }
+          )
+        }
+        backendPath = `/api/compliance/v1/wiki/search?q=${encodeURIComponent(query)}`
+        break
+      }
+
+      default:
+        return NextResponse.json(
+          { error: `Unknown endpoint: ${endpoint}` },
+          { status: 400 }
+        )
+    }
+
+    const response = await fetch(`${BACKEND_URL}${backendPath}`)
+
+    if (!response.ok) {
+      if (response.status === 404) {
+        return NextResponse.json(null, { status: 404 })
+      }
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Wiki proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/workshops/[[...path]]/route.ts

@@ -0,0 +1,119 @@
+/**
+ * Workshop API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/workshops/* requests to ai-compliance-sdk backend
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_BACKEND_URL = process.env.SDK_API_URL || 'http://ai-compliance-sdk:8090'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${SDK_BACKEND_URL}/sdk/v1/workshops`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Workshop API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum SDK Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PATCH')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}

admin-compliance/app/api/webhooks/woodpecker/route.ts

@@ -14,7 +14,7 @@ const LOG_EXTRACT_URL = process.env.NEXT_PUBLIC_APP_URL
   : 'http://localhost:3002/api/infrastructure/log-extract/extract'
 
 // Test service API URL for backlog insertion
-const TEST_SERVICE_URL = process.env.TEST_SERVICE_URL || 'http://localhost:8086'
+const TEST_SERVICE_URL = process.env.TEST_SERVICE_URL || 'http://localhost:8002'
 
 // =============================================================================
 // Helper Functions

admin-compliance/app/sdk/academy/[id]/_components/CourseHeader.tsx

@@ -0,0 +1,50 @@
+'use client'
+
+import Link from 'next/link'
+import { Course, COURSE_CATEGORY_INFO } from '@/lib/sdk/academy/types'
+
+interface CourseHeaderProps {
+  course: Course
+  onDelete: () => void
+}
+
+export function CourseHeader({ course, onDelete }: CourseHeaderProps) {
+  const categoryInfo = COURSE_CATEGORY_INFO[course.category] || COURSE_CATEGORY_INFO['custom']
+
+  return (
+    <div className="flex items-start justify-between">
+      <div className="flex items-center gap-4">
+        <Link
+          href="/sdk/academy"
+          className="p-2 text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
+        >
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 19l-7-7 7-7" />
+          </svg>
+        </Link>
+        <div>
+          <div className="flex items-center gap-2 mb-1">
+            <span className={`px-2 py-1 text-xs rounded-full ${categoryInfo.bgColor} ${categoryInfo.color}`}>
+              {categoryInfo.label}
+            </span>
+            <span className={`px-2 py-1 text-xs rounded-full ${
+              course.status === 'published' ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-600'
+            }`}>
+              {course.status === 'published' ? 'Veroeffentlicht' : 'Entwurf'}
+            </span>
+          </div>
+          <h1 className="text-2xl font-bold text-gray-900">{course.title}</h1>
+          <p className="text-sm text-gray-500 mt-1">{course.description}</p>
+        </div>
+      </div>
+      <div className="flex items-center gap-2">
+        <button
+          onClick={onDelete}
+          className="px-3 py-2 text-sm text-red-600 hover:bg-red-50 rounded-lg transition-colors"
+        >
+          Loeschen
+        </button>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/academy/[id]/_components/CourseStats.tsx

@@ -0,0 +1,33 @@
+'use client'
+
+import { Course, Lesson, Enrollment } from '@/lib/sdk/academy/types'
+
+interface CourseStatsProps {
+  course: Course
+  sortedLessons: Lesson[]
+  enrollments: Enrollment[]
+  completedEnrollments: number
+}
+
+export function CourseStats({ course, sortedLessons, enrollments, completedEnrollments }: CourseStatsProps) {
+  return (
+    <div className="grid grid-cols-4 gap-4">
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Lektionen</div>
+        <div className="text-2xl font-bold text-gray-900">{sortedLessons.length}</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Dauer</div>
+        <div className="text-2xl font-bold text-gray-900">{course.durationMinutes} Min.</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Teilnehmer</div>
+        <div className="text-2xl font-bold text-blue-600">{enrollments.length}</div>
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="text-sm text-gray-500">Abgeschlossen</div>
+        <div className="text-2xl font-bold text-green-600">{completedEnrollments}</div>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/academy/[id]/_components/CourseTabs.tsx

@@ -0,0 +1,37 @@
+'use client'
+
+type TabId = 'overview' | 'lessons' | 'enrollments' | 'videos'
+
+interface CourseTabsProps {
+  activeTab: TabId
+  onTabChange: (tab: TabId) => void
+}
+
+const TAB_LABELS: Record<TabId, string> = {
+  overview: 'Uebersicht',
+  lessons: 'Lektionen',
+  enrollments: 'Einschreibungen',
+  videos: 'Videos',
+}
+
+export function CourseTabs({ activeTab, onTabChange }: CourseTabsProps) {
+  return (
+    <div className="border-b border-gray-200">
+      <nav className="flex gap-1 -mb-px">
+        {(['overview', 'lessons', 'enrollments', 'videos'] as TabId[]).map(tab => (
+          <button
+            key={tab}
+            onClick={() => onTabChange(tab)}
+            className={`px-4 py-3 text-sm font-medium border-b-2 transition-colors ${
+              activeTab === tab
+                ? 'border-purple-600 text-purple-600'
+                : 'border-transparent text-gray-500 hover:text-gray-700'
+            }`}
+          >
+            {TAB_LABELS[tab]}
+          </button>
+        ))}
+      </nav>
+    </div>
+  )
+}

admin-compliance/app/sdk/academy/[id]/_components/EnrollmentsTab.tsx

@@ -0,0 +1,59 @@
+'use client'
+
+import { Enrollment, ENROLLMENT_STATUS_INFO, isEnrollmentOverdue, getDaysUntilDeadline } from '@/lib/sdk/academy/types'
+
+interface EnrollmentsTabProps {
+  enrollments: Enrollment[]
+  overdueEnrollments: number
+}
+
+export function EnrollmentsTab({ enrollments, overdueEnrollments }: EnrollmentsTabProps) {
+  return (
+    <div className="space-y-4">
+      {overdueEnrollments > 0 && (
+        <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">
+          {overdueEnrollments} ueberfaellige Einschreibung(en)
+        </div>
+      )}
+      {enrollments.length === 0 ? (
+        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+          <p className="text-gray-500">Noch keine Einschreibungen fuer diesen Kurs.</p>
+        </div>
+      ) : (
+        enrollments.map(enrollment => {
+          const statusInfo = ENROLLMENT_STATUS_INFO[enrollment.status]
+          const overdue = isEnrollmentOverdue(enrollment)
+          const daysUntil = getDaysUntilDeadline(enrollment.deadline)
+          return (
+            <div key={enrollment.id} className={`bg-white rounded-xl border-2 p-5 ${overdue ? 'border-red-200' : 'border-gray-200'}`}>
+              <div className="flex items-center justify-between">
+                <div>
+                  <div className="flex items-center gap-2 mb-1">
+                    <span className={`px-2 py-0.5 text-xs rounded-full ${statusInfo?.bgColor} ${statusInfo?.color}`}>
+                      {statusInfo?.label}
+                    </span>
+                    {overdue && <span className="text-xs text-red-600">Ueberfaellig</span>}
+                  </div>
+                  <div className="font-medium text-gray-900">{enrollment.userName}</div>
+                  <div className="text-sm text-gray-500">{enrollment.userEmail}</div>
+                </div>
+                <div className="text-right">
+                  <div className="text-2xl font-bold text-gray-900">{enrollment.progress}%</div>
+                  <div className="text-xs text-gray-500">
+                    {enrollment.status === 'completed' ? 'Abgeschlossen' : `${daysUntil > 0 ? daysUntil + ' Tage verbleibend' : Math.abs(daysUntil) + ' Tage ueberfaellig'}`}
+                  </div>
+                </div>
+              </div>
+              <div className="mt-3 w-full h-2 bg-gray-200 rounded-full overflow-hidden">
+                <div
+                  className={`h-full rounded-full ${enrollment.progress === 100 ? 'bg-green-500' : overdue ? 'bg-red-500' : 'bg-purple-500'}`}
+                  style={{ width: `${enrollment.progress}%` }}
+                />
+              </div>
+            </div>
+          )
+        })
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/academy/[id]/_components/LessonsTab.tsx

@@ -0,0 +1,239 @@
+'use client'
+
+import { Lesson, QuizQuestion } from '@/lib/sdk/academy/types'
+
+interface LessonsTabProps {
+  sortedLessons: Lesson[]
+  selectedLesson: Lesson | null
+  onSelectLesson: (lesson: Lesson) => void
+  quizAnswers: Record<string, number>
+  onQuizAnswer: (answers: Record<string, number>) => void
+  quizResult: any
+  isSubmittingQuiz: boolean
+  onSubmitQuiz: () => void
+  onResetQuiz: () => void
+  isEditing: boolean
+  editTitle: string
+  editContent: string
+  onEditTitle: (v: string) => void
+  onEditContent: (v: string) => void
+  isSaving: boolean
+  saveMessage: { type: 'success' | 'error'; text: string } | null
+  onStartEdit: () => void
+  onCancelEdit: () => void
+  onSaveLesson: () => void
+  onApproveLesson: () => void
+}
+
+export function LessonsTab({
+  sortedLessons,
+  selectedLesson,
+  onSelectLesson,
+  quizAnswers,
+  onQuizAnswer,
+  quizResult,
+  isSubmittingQuiz,
+  onSubmitQuiz,
+  onResetQuiz,
+  isEditing,
+  editTitle,
+  editContent,
+  onEditTitle,
+  onEditContent,
+  isSaving,
+  saveMessage,
+  onStartEdit,
+  onCancelEdit,
+  onSaveLesson,
+  onApproveLesson,
+}: LessonsTabProps) {
+  return (
+    <div className="grid grid-cols-3 gap-6">
+      {/* Lesson Navigation */}
+      <div className="col-span-1 bg-white rounded-xl border border-gray-200 p-4">
+        <h3 className="text-sm font-semibold text-gray-700 mb-3">Lektionen</h3>
+        <div className="space-y-1">
+          {sortedLessons.map((lesson, i) => (
+            <button
+              key={lesson.id}
+              onClick={() => onSelectLesson(lesson)}
+              className={`w-full text-left p-3 rounded-lg text-sm transition-colors ${
+                selectedLesson?.id === lesson.id
+                  ? 'bg-purple-50 text-purple-700 border border-purple-200'
+                  : 'hover:bg-gray-50 text-gray-700'
+              }`}
+            >
+              <div className="flex items-center gap-2">
+                <span className="text-xs text-gray-400 w-4">{i + 1}.</span>
+                <span className="truncate">{lesson.title}</span>
+              </div>
+            </button>
+          ))}
+        </div>
+      </div>
+
+      {/* Lesson Content */}
+      <div className="col-span-2 bg-white rounded-xl border border-gray-200 p-6">
+        {selectedLesson ? (
+          <div className="space-y-6">
+            <div className="flex items-center justify-between">
+              {isEditing ? (
+                <input
+                  type="text"
+                  value={editTitle}
+                  onChange={e => onEditTitle(e.target.value)}
+                  className="text-xl font-semibold text-gray-900 border border-gray-300 rounded-lg px-3 py-1 flex-1 mr-3"
+                />
+              ) : (
+                <h2 className="text-xl font-semibold text-gray-900">{selectedLesson.title}</h2>
+              )}
+              <div className="flex items-center gap-2">
+                <span className={`px-3 py-1 text-xs rounded-full ${
+                  selectedLesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
+                  selectedLesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
+                  'bg-gray-100 text-gray-600'
+                }`}>
+                  {selectedLesson.type === 'quiz' ? 'Quiz' : selectedLesson.type === 'video' ? 'Video' : 'Text'}
+                </span>
+                {selectedLesson.type !== 'quiz' && !isEditing && (
+                  <>
+                    <button onClick={onStartEdit} className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors">
+                      Bearbeiten
+                    </button>
+                    <button onClick={onApproveLesson} disabled={isSaving} className="px-3 py-1 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors disabled:opacity-50">
+                      Freigeben
+                    </button>
+                  </>
+                )}
+                {isEditing && (
+                  <>
+                    <button onClick={onCancelEdit} className="px-3 py-1 text-sm bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200 transition-colors">
+                      Abbrechen
+                    </button>
+                    <button onClick={onSaveLesson} disabled={isSaving} className="px-3 py-1 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:opacity-50">
+                      {isSaving ? 'Speichert...' : 'Speichern'}
+                    </button>
+                  </>
+                )}
+              </div>
+            </div>
+
+            {saveMessage && (
+              <div className={`p-3 rounded-lg text-sm ${
+                saveMessage.type === 'success' ? 'bg-green-50 text-green-700 border border-green-200' : 'bg-red-50 text-red-700 border border-red-200'
+              }`}>
+                {saveMessage.text}
+              </div>
+            )}
+
+            {selectedLesson.type === 'video' && selectedLesson.videoUrl && (
+              <div className="aspect-video bg-gray-900 rounded-xl overflow-hidden">
+                <video src={selectedLesson.videoUrl} controls className="w-full h-full" />
+              </div>
+            )}
+
+            {isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && (
+              <div className="space-y-2">
+                <label className="text-sm text-gray-500">Inhalt (Markdown)</label>
+                <textarea
+                  value={editContent}
+                  onChange={e => onEditContent(e.target.value)}
+                  rows={20}
+                  className="w-full border border-gray-300 rounded-xl p-4 text-sm font-mono text-gray-800 leading-relaxed resize-y focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+                  placeholder="Markdown-Inhalt der Lektion..."
+                />
+                <p className="text-xs text-gray-400">Unterstuetzt: # Ueberschrift, ## Unterueberschrift, - Aufzaehlung, **fett**</p>
+              </div>
+            )}
+
+            {!isEditing && (selectedLesson.type === 'text' || selectedLesson.type === 'video') && selectedLesson.contentMarkdown && (
+              <div className="prose prose-sm max-w-none">
+                <div className="whitespace-pre-wrap text-gray-700 leading-relaxed">
+                  {selectedLesson.contentMarkdown.split('\n').map((line, i) => {
+                    if (line.startsWith('# ')) return <h1 key={i} className="text-2xl font-bold text-gray-900 mt-6 mb-3">{line.slice(2)}</h1>
+                    if (line.startsWith('## ')) return <h2 key={i} className="text-xl font-semibold text-gray-900 mt-5 mb-2">{line.slice(3)}</h2>
+                    if (line.startsWith('### ')) return <h3 key={i} className="text-lg font-medium text-gray-900 mt-4 mb-2">{line.slice(4)}</h3>
+                    if (line.startsWith('- **')) {
+                      const parts = line.slice(2).split('**')
+                      return <li key={i} className="ml-4 list-disc"><strong>{parts[1]}</strong>{parts[2] || ''}</li>
+                    }
+                    if (line.startsWith('- ')) return <li key={i} className="ml-4 list-disc">{line.slice(2)}</li>
+                    if (line.trim() === '') return <br key={i} />
+                    return <p key={i} className="mb-2">{line}</p>
+                  })}
+                </div>
+              </div>
+            )}
+
+            {selectedLesson.type === 'quiz' && selectedLesson.quizQuestions && (
+              <div className="space-y-6">
+                {selectedLesson.quizQuestions.map((q: QuizQuestion, qi: number) => (
+                  <div key={q.id} className="bg-gray-50 rounded-xl p-5">
+                    <h4 className="font-medium text-gray-900 mb-3">Frage {qi + 1}: {q.question}</h4>
+                    <div className="space-y-2">
+                      {q.options.map((option: string, oi: number) => {
+                        const isSelected = quizAnswers[q.id] === oi
+                        const showResult = quizResult && !quizResult.error
+                        const isCorrect = showResult && quizResult.results?.[qi]?.correct
+                        const wasSelected = showResult && isSelected
+
+                        let bgClass = 'bg-white border-gray-200 hover:border-purple-300'
+                        if (isSelected && !showResult) bgClass = 'bg-purple-50 border-purple-500'
+                        if (showResult && oi === q.correctOptionIndex) bgClass = 'bg-green-50 border-green-500'
+                        if (showResult && wasSelected && !isCorrect) bgClass = 'bg-red-50 border-red-500'
+
+                        return (
+                          <button
+                            key={oi}
+                            onClick={() => !quizResult && onQuizAnswer({ ...quizAnswers, [q.id]: oi })}
+                            disabled={!!quizResult}
+                            className={`w-full text-left p-3 rounded-lg border-2 transition-all ${bgClass}`}
+                          >
+                            <span className="text-sm text-gray-700">{String.fromCharCode(65 + oi)}) {option}</span>
+                          </button>
+                        )
+                      })}
+                    </div>
+                    {quizResult && !quizResult.error && quizResult.results?.[qi] && (
+                      <div className={`mt-3 p-3 rounded-lg text-sm ${
+                        quizResult.results[qi].correct ? 'bg-green-50 text-green-700' : 'bg-red-50 text-red-700'
+                      }`}>
+                        {quizResult.results[qi].correct ? 'Richtig!' : 'Falsch.'} {q.explanation}
+                      </div>
+                    )}
+                  </div>
+                ))}
+
+                {!quizResult ? (
+                  <button
+                    onClick={onSubmitQuiz}
+                    disabled={isSubmittingQuiz || Object.keys(quizAnswers).length < (selectedLesson.quizQuestions?.length || 0)}
+                    className="w-full py-3 bg-purple-600 text-white rounded-xl hover:bg-purple-700 transition-colors disabled:opacity-50 font-medium"
+                  >
+                    {isSubmittingQuiz ? 'Wird ausgewertet...' : 'Quiz auswerten'}
+                  </button>
+                ) : quizResult.error ? (
+                  <div className="bg-red-50 border border-red-200 rounded-xl p-4 text-sm text-red-700">{quizResult.error}</div>
+                ) : (
+                  <div className={`rounded-xl p-6 text-center ${quizResult.passed ? 'bg-green-50 border border-green-200' : 'bg-red-50 border border-red-200'}`}>
+                    <div className={`text-3xl font-bold ${quizResult.passed ? 'text-green-600' : 'text-red-600'}`}>
+                      {quizResult.score}%
+                    </div>
+                    <div className={`text-sm mt-1 ${quizResult.passed ? 'text-green-700' : 'text-red-700'}`}>
+                      {quizResult.passed ? 'Bestanden!' : 'Nicht bestanden'} — {quizResult.correctAnswers}/{quizResult.totalQuestions} richtig
+                    </div>
+                    <button onClick={onResetQuiz} className="mt-4 px-4 py-2 text-sm bg-white rounded-lg border hover:bg-gray-50">
+                      Quiz wiederholen
+                    </button>
+                  </div>
+                )}
+              </div>
+            )}
+          </div>
+        ) : (
+          <p className="text-gray-500 text-center py-10">Waehlen Sie eine Lektion aus.</p>
+        )}
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/academy/[id]/_components/OverviewTab.tsx

@@ -0,0 +1,48 @@
+'use client'
+
+import { Course, Lesson } from '@/lib/sdk/academy/types'
+
+interface OverviewTabProps {
+  course: Course
+  sortedLessons: Lesson[]
+}
+
+export function OverviewTab({ course, sortedLessons }: OverviewTabProps) {
+  return (
+    <div className="space-y-6">
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Kurs-Details</h3>
+        <dl className="grid grid-cols-2 gap-4 text-sm">
+          <div><dt className="text-gray-500">Bestehensgrenze</dt><dd className="font-medium text-gray-900">{course.passingScore}%</dd></div>
+          <div><dt className="text-gray-500">Pflicht fuer</dt><dd className="font-medium text-gray-900">{course.requiredForRoles?.join(', ') || 'Alle'}</dd></div>
+          <div><dt className="text-gray-500">Erstellt am</dt><dd className="font-medium text-gray-900">{new Date(course.createdAt).toLocaleDateString('de-DE')}</dd></div>
+          <div><dt className="text-gray-500">Aktualisiert am</dt><dd className="font-medium text-gray-900">{new Date(course.updatedAt).toLocaleDateString('de-DE')}</dd></div>
+        </dl>
+      </div>
+
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Lektionen ({sortedLessons.length})</h3>
+        <div className="space-y-2">
+          {sortedLessons.map((lesson, i) => (
+            <div key={lesson.id} className="flex items-center gap-3 p-3 rounded-lg hover:bg-gray-50">
+              <div className="w-8 h-8 rounded-full bg-purple-100 text-purple-600 flex items-center justify-center text-sm font-medium">
+                {i + 1}
+              </div>
+              <div className="flex-1">
+                <div className="text-sm font-medium text-gray-900">{lesson.title}</div>
+                <div className="text-xs text-gray-500">{lesson.durationMinutes} Min. | {lesson.type === 'video' ? 'Video' : lesson.type === 'quiz' ? 'Quiz' : 'Text'}</div>
+              </div>
+              <span className={`px-2 py-1 text-xs rounded-full ${
+                lesson.type === 'quiz' ? 'bg-yellow-100 text-yellow-700' :
+                lesson.type === 'video' ? 'bg-blue-100 text-blue-700' :
+                'bg-gray-100 text-gray-600'
+              }`}>
+                {lesson.type === 'quiz' ? 'Quiz' : lesson.type === 'video' ? 'Video' : 'Text'}
+              </span>
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  )
+}