feat: Live cookie banner overlay in SDK — auto-open + FAB reopen button

- CookieBannerOverlay: opens automatically on first visit (localStorage check)
- CookieBannerFAB: shield icon button at right-[10rem] to reopen settings
- 3 consent modes: accept all, reject all (nur notwendige), custom settings
- 4 categories: Notwendig (locked on), Statistik, Marketing, Funktional
- Category toggles with descriptions in settings view
- Datenschutzerklaerung + Impressum links in banner
- Consent persisted to localStorage, custom event fired on change
- Comprehensive Playwright E2E tests (16 tests):
  - First visit auto-open, button visibility, category toggles
  - Accept all / reject all / custom settings persistence
  - FAB reopen behavior, disabled toggle for necessary category

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/build-push-deploy.yml

@@ -184,6 +184,29 @@ jobs:
           docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest
           docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA}
 
+  build-dsms-node:
+    runs-on: docker
+    container: docker:27-cli
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
+      - name: Build + push
+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          docker build --platform linux/amd64 \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-node:latest \
+            -t registry.meghsakha.com/breakpilot/compliance-dsms-node:${SHORT_SHA} \
+            dsms-node/
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-node:latest
+          docker push registry.meghsakha.com/breakpilot/compliance-dsms-node:${SHORT_SHA}
+
   # ── orca redeploy (only after all builds succeed) ─────────────────────────
 
   trigger-orca:
@@ -197,6 +220,7 @@ jobs:
       - build-tts
       - build-document-crawler
       - build-dsms-gateway
+      - build-dsms-node
     steps:
       - name: Checkout (for SHA)
         run: |

admin-compliance/app/api/sdk/v1/agent/analyze/route.ts

@@ -0,0 +1,42 @@
+/**
+ * Agent Analyze API Proxy
+ * POST /api/sdk/v1/agent/analyze → backend-compliance /api/compliance/agent/analyze
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/analyze`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-Id': '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
+        'X-User-Id': '00000000-0000-0000-0000-000000000001',
+      },
+      body,
+      signal: AbortSignal.timeout(120000), // 2 min — LLM can be slow
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Backend: ${response.status}`, detail: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Agent analyze proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/agent/scan/route.ts

@@ -0,0 +1,38 @@
+/**
+ * Agent Scan API Proxy
+ * POST /api/sdk/v1/agent/scan → backend-compliance /api/compliance/agent/scan
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_API_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.text()
+
+    const response = await fetch(`${BACKEND_URL}/api/compliance/agent/scan`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(180000), // 3 min — multi-page scan + LLM
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: `Backend: ${response.status}`, detail: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Agent scan proxy error:', error)
+    return NextResponse.json(
+      { error: 'Scan fehlgeschlagen oder Timeout' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/ai-registration/[id]/route.ts

@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`)
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registration' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update registration' }, { status: 500 })
+  }
+}
+
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration/${id}/status`, {
+      method: 'PATCH',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to update status' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/v1/ai-registration/route.ts

@@ -0,0 +1,32 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch registrations' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/ai-registration`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create registration' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/v1/demo/clear/route.ts

@@ -1,52 +0,0 @@
-/**
- * Demo Data Clear API Endpoint
- *
- * Clears demo data from the storage (same mechanism as real customer data).
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-
-// Shared store reference (same as seed endpoint)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function DELETE(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant' } = body
-
-    const existed = stateStore.has(tenantId)
-    stateStore.delete(tenantId)
-
-    return NextResponse.json({
-      success: true,
-      message: existed
-        ? `Demo data cleared for tenant ${tenantId}`
-        : `No data found for tenant ${tenantId}`,
-      tenantId,
-      existed,
-    })
-  } catch (error) {
-    console.error('Failed to clear demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function POST(request: NextRequest) {
-  // Also support POST for clearing (for clients that don't support DELETE)
-  return DELETE(request)
-}

admin-compliance/app/api/sdk/v1/demo/seed/route.ts

@@ -1,77 +0,0 @@
-/**
- * Demo Data Seed API Endpoint
- *
- * This endpoint seeds demo data via the same storage mechanism as real customer data.
- * Demo data is NOT hardcoded - it goes through the normal API/database path.
- */
-
-import { NextRequest, NextResponse } from 'next/server'
-import { generateDemoState } from '@/lib/sdk/demo-data'
-
-// In-memory store (same as state endpoint - will be replaced with PostgreSQL)
-declare global {
-  // eslint-disable-next-line no-var
-  var demoStateStore: Map<string, { state: unknown; version: number; updatedAt: Date }> | undefined
-}
-
-if (!global.demoStateStore) {
-  global.demoStateStore = new Map()
-}
-
-const stateStore = global.demoStateStore
-
-export async function POST(request: NextRequest) {
-  try {
-    const body = await request.json()
-    const { tenantId = 'demo-tenant', userId = 'demo-user' } = body
-
-    // Generate demo state using the seed data templates
-    const demoState = generateDemoState(tenantId, userId)
-
-    // Store via the same mechanism as real data
-    const storedState = {
-      state: demoState,
-      version: 1,
-      updatedAt: new Date(),
-    }
-
-    stateStore.set(tenantId, storedState)
-
-    return NextResponse.json({
-      success: true,
-      message: `Demo data seeded for tenant ${tenantId}`,
-      tenantId,
-      version: 1,
-    })
-  } catch (error) {
-    console.error('Failed to seed demo data:', error)
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error',
-      },
-      { status: 500 }
-    )
-  }
-}
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url)
-  const tenantId = searchParams.get('tenantId') || 'demo-tenant'
-
-  const stored = stateStore.get(tenantId)
-
-  if (!stored) {
-    return NextResponse.json({
-      hasData: false,
-      tenantId,
-    })
-  }
-
-  return NextResponse.json({
-    hasData: true,
-    tenantId,
-    version: stored.version,
-    updatedAt: stored.updatedAt,
-  })
-}

admin-compliance/app/api/sdk/v1/maximizer/[[...path]]/route.ts

@@ -0,0 +1,52 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const DEFAULT_USER_ID = '00000000-0000-0000-0000-000000000001'
+
+function buildUrl(request: NextRequest, params: { path?: string[] }) {
+  const subPath = params.path?.join('/') || ''
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  return `${SDK_URL}/sdk/v1/maximizer/${subPath}${qs ? `?${qs}` : ''}`
+}
+
+function forwardHeaders(request: NextRequest): Record<string, string> {
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
+  headers['X-Tenant-ID'] = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID
+  headers['X-User-ID'] = request.headers.get('X-User-ID') || DEFAULT_USER_ID
+  return headers
+}
+
+async function proxy(request: NextRequest, params: { path?: string[] }, method: string) {
+  try {
+    const url = buildUrl(request, params)
+    const init: RequestInit = { method, headers: forwardHeaders(request) }
+    if (method !== 'GET' && method !== 'DELETE') {
+      init.body = await request.text()
+    }
+    const response = await fetch(url, init)
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json({ error: 'Maximizer backend error', details: errorText }, { status: response.status })
+    }
+    if (response.status === 204) return new NextResponse(null, { status: 204 })
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Maximizer proxy error:', error)
+    return NextResponse.json({ error: 'Failed to connect to Maximizer backend' }, { status: 503 })
+  }
+}
+
+export async function GET(request: NextRequest, { params }: { params: { path?: string[] } }) {
+  return proxy(request, params, 'GET')
+}
+
+export async function POST(request: NextRequest, { params }: { params: { path?: string[] } }) {
+  return proxy(request, params, 'POST')
+}
+
+export async function DELETE(request: NextRequest, { params }: { params: { path?: string[] } }) {
+  return proxy(request, params, 'DELETE')
+}

admin-compliance/app/api/sdk/v1/payment-compliance/route.ts

@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'controls'
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+    let path: string
+    switch (endpoint) {
+      case 'controls':
+        const domain = searchParams.get('domain') || ''
+        path = `/sdk/v1/payment-compliance/controls${domain ? `?domain=${domain}` : ''}`
+        break
+      case 'assessments':
+        path = '/sdk/v1/payment-compliance/assessments'
+        break
+      default:
+        path = '/sdk/v1/payment-compliance/controls'
+    }
+
+    const resp = await fetch(`${SDK_URL}${path}`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const data = await resp.json()
+    return NextResponse.json(data)
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to fetch' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const body = await request.json()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/assessments`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'X-Tenant-ID': tenantId },
+      body: JSON.stringify(body),
+    })
+    const data = await resp.json()
+    return NextResponse.json(data, { status: resp.status })
+  } catch (err) {
+    return NextResponse.json({ error: 'Failed to create' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/v1/payment-compliance/tender/[id]/route.ts

@@ -0,0 +1,28 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}`)
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const { id } = await params
+    const { searchParams } = new URL(request.url)
+    const action = searchParams.get('action') || 'extract'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/${id}/${action}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/v1/payment-compliance/tender/route.ts

@@ -0,0 +1,30 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+
+export async function GET(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    return NextResponse.json(await resp.json())
+  } catch {
+    return NextResponse.json({ error: 'Failed' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const tenantId = request.headers.get('x-tenant-id') || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+    const formData = await request.formData()
+    const resp = await fetch(`${SDK_URL}/sdk/v1/payment-compliance/tender/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+      body: formData,
+    })
+    return NextResponse.json(await resp.json(), { status: resp.status })
+  } catch {
+    return NextResponse.json({ error: 'Upload failed' }, { status: 500 })
+  }
+}

admin-compliance/app/api/sdk/v1/regulatory-news/route.ts

@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const qs = searchParams.toString()
+    const url = `${SDK_URL}/sdk/v1/regulatory-news${qs ? `?${qs}` : ''}`
+
+    const response = await fetch(url, {
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+      },
+    })
+
+    if (!response.ok) {
+      return NextResponse.json({ error: 'SDK error' }, { status: response.status })
+    }
+    return NextResponse.json(await response.json())
+  } catch {
+    return NextResponse.json({ error: 'Connection failed' }, { status: 503 })
+  }
+}

admin-compliance/app/api/sdk/v1/state/route.ts

@@ -92,11 +92,17 @@ class PostgreSQLStateStore implements StateStore {
   private pool: Pool
 
   constructor(connectionString: string) {
+    // Strip sslmode from URL — pg driver overrides our ssl config if it's in the URL.
+    // We handle SSL ourselves via the ssl option below.
+    const cleanUrl = connectionString.replace(/[?&]sslmode=[^&]*/g, '').replace(/\?$/, '')
+    const needsSsl = connectionString.includes('sslmode=require') || connectionString.includes('sslmode=verify')
     this.pool = new Pool({
-      connectionString,
+      connectionString: cleanUrl,
       max: 5,
       // Set search_path for compliance schema
       options: '-c search_path=compliance,core,public',
+      // Accept self-signed certificates (Hetzner PostgreSQL)
+      ssl: needsSsl ? { rejectUnauthorized: false } : false,
     })
   }
 

admin-compliance/app/api/sdk/v1/ucca/assess-enriched/route.ts

@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: POST /api/sdk/v1/ucca/assess-enriched → Go Backend POST /sdk/v1/ucca/assess-enriched
+ * Accepts { intake, company_profile? } and returns enriched assessment with obligations + hints.
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json()
+
+    const response = await fetch(`${SDK_URL}/sdk/v1/ucca/assess-enriched`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
+      },
+      body: JSON.stringify(body),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('UCCA assess-enriched error:', errorText)
+      return NextResponse.json(
+        { error: 'UCCA backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data, { status: 201 })
+  } catch (error) {
+    console.error('Failed to call UCCA assess-enriched:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to UCCA backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/ucca/assessments/[id]/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'
 
 const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
 
 /**
  * Proxy: GET /api/sdk/v1/ucca/assessments/[id] → Go Backend GET /sdk/v1/ucca/assessments/:id
@@ -16,9 +17,7 @@ export async function GET(
       method: 'GET',
       headers: {
         'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
       },
     })
 
@@ -56,9 +55,7 @@ export async function PUT(
       method: 'PUT',
       headers: {
         'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
       },
       body: JSON.stringify(body),
     })
@@ -96,9 +93,7 @@ export async function DELETE(
       method: 'DELETE',
       headers: {
         'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
       },
     })
 

admin-compliance/app/api/sdk/v1/ucca/assessments/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'
 
 const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT_ID = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
 
 /**
  * Proxy: GET /api/sdk/v1/ucca/assessments → Go Backend GET /sdk/v1/ucca/assessments
@@ -22,9 +23,7 @@ export async function GET(request: NextRequest) {
       method: 'GET',
       headers: {
         'Content-Type': 'application/json',
-        ...(request.headers.get('X-Tenant-ID') && {
-          'X-Tenant-ID': request.headers.get('X-Tenant-ID') as string,
-        }),
+        'X-Tenant-ID': request.headers.get('X-Tenant-ID') || DEFAULT_TENANT_ID,
       },
     })
 

admin-compliance/app/api/sdk/v1/ucca/decision-tree/[[...path]]/route.ts

@@ -0,0 +1,57 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: /api/sdk/v1/ucca/decision-tree/... → Go Backend /sdk/v1/ucca/decision-tree/...
+ */
+async function proxyRequest(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const { path } = await params
+  const subPath = path ? path.join('/') : ''
+  const search = request.nextUrl.search || ''
+  const targetUrl = `${SDK_URL}/sdk/v1/ucca/decision-tree/${subPath}${search}`
+
+  const tenantID = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT
+
+  try {
+    const headers: Record<string, string> = {
+      'X-Tenant-ID': tenantID,
+    }
+
+    const fetchOptions: RequestInit = {
+      method: request.method,
+      headers,
+    }
+
+    if (request.method === 'POST' || request.method === 'PUT' || request.method === 'PATCH') {
+      const body = await request.json()
+      headers['Content-Type'] = 'application/json'
+      fetchOptions.body = JSON.stringify(body)
+    }
+
+    const response = await fetch(targetUrl, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error(`Decision tree proxy error [${request.method} ${subPath}]:`, errorText)
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data, { status: response.status })
+  } catch (error) {
+    console.error('Decision tree proxy connection error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to AI compliance backend' },
+      { status: 503 }
+    )
+  }
+}
+
+export const GET = proxyRequest
+export const POST = proxyRequest
+export const DELETE = proxyRequest

admin-compliance/app/api/sdk/v1/ucca/decision-tree/route.ts

@@ -0,0 +1,36 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const SDK_URL = process.env.SDK_URL || 'http://ai-compliance-sdk:8090'
+const DEFAULT_TENANT = process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+
+/**
+ * Proxy: GET /api/sdk/v1/ucca/decision-tree → Go Backend GET /sdk/v1/ucca/decision-tree
+ * Returns the decision tree definition (questions, structure)
+ */
+export async function GET(request: NextRequest) {
+  const tenantID = request.headers.get('X-Tenant-ID') || DEFAULT_TENANT
+
+  try {
+    const response = await fetch(`${SDK_URL}/sdk/v1/ucca/decision-tree`, {
+      headers: { 'X-Tenant-ID': tenantID },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('Decision tree GET error:', errorText)
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Decision tree proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to AI compliance backend' },
+      { status: 503 }
+    )
+  }
+}

admin-compliance/app/sdk/advisory-board/_components/ResultView.tsx

@@ -2,6 +2,7 @@
 
 import React from 'react'
 import { AssessmentResultCard } from '@/components/sdk/use-case-assessment/AssessmentResultCard'
+import { OptimizerUpsellCard } from '@/components/sdk/compliance-optimizer/OptimizerUpsellCard'
 
 interface Props {
   result: unknown
@@ -35,6 +36,13 @@ export function ResultView({ result, onGoToAssessment, onGoToOverview }: Props)
       {r.result && (
         <AssessmentResultCard result={r.result as unknown as Parameters<typeof AssessmentResultCard>[0]['result']} />
       )}
+      {r.result && r.assessment?.id && (
+        <OptimizerUpsellCard
+          feasibility={(r.result as { feasibility?: string }).feasibility || 'YES'}
+          assessmentId={r.assessment.id}
+          riskScore={(r.result as { risk_score?: number }).risk_score}
+        />
+      )}
     </div>
   )
 }

admin-compliance/app/sdk/advisory-board/_types.ts

@@ -7,6 +7,116 @@ export interface AdvisoryForm {
   custom_data_types: string[]
   purposes: string[]
   automation: string
+  // BetrVG / works council
+  employee_monitoring: boolean
+  hr_decision_support: boolean
+  works_council_consulted: boolean
+  // Domain-specific contexts (Annex III)
+  hr_automated_screening: boolean
+  hr_automated_rejection: boolean
+  hr_candidate_ranking: boolean
+  hr_bias_audits: boolean
+  hr_agg_visible: boolean
+  hr_human_review: boolean
+  hr_performance_eval: boolean
+  edu_grade_influence: boolean
+  edu_exam_evaluation: boolean
+  edu_student_selection: boolean
+  edu_minors: boolean
+  edu_teacher_review: boolean
+  hc_diagnosis: boolean
+  hc_treatment: boolean
+  hc_triage: boolean
+  hc_patient_data: boolean
+  hc_medical_device: boolean
+  hc_clinical_validation: boolean
+  // Legal
+  leg_legal_advice: boolean
+  leg_court_prediction: boolean
+  leg_client_confidential: boolean
+  // Public Sector
+  pub_admin_decision: boolean
+  pub_benefit_allocation: boolean
+  pub_transparency: boolean
+  // Critical Infrastructure
+  crit_grid_control: boolean
+  crit_safety_critical: boolean
+  crit_redundancy: boolean
+  // Automotive
+  auto_autonomous: boolean
+  auto_safety: boolean
+  auto_functional_safety: boolean
+  // Retail
+  ret_pricing: boolean
+  ret_profiling: boolean
+  ret_credit_scoring: boolean
+  ret_dark_patterns: boolean
+  // IT Security
+  its_surveillance: boolean
+  its_threat_detection: boolean
+  its_data_retention: boolean
+  // Logistics
+  log_driver_tracking: boolean
+  log_workload_scoring: boolean
+  // Construction
+  con_tenant_screening: boolean
+  con_worker_safety: boolean
+  // Marketing
+  mkt_deepfake: boolean
+  mkt_minors: boolean
+  mkt_targeting: boolean
+  mkt_labeled: boolean
+  // Manufacturing
+  mfg_machine_safety: boolean
+  mfg_ce_required: boolean
+  mfg_validated: boolean
+  // Agriculture
+  agr_pesticide: boolean
+  agr_animal_welfare: boolean
+  agr_environmental: boolean
+  // Social Services
+  soc_vulnerable: boolean
+  soc_benefit: boolean
+  soc_case_mgmt: boolean
+  // Hospitality
+  hos_guest_profiling: boolean
+  hos_dynamic_pricing: boolean
+  hos_review_manipulation: boolean
+  // Insurance
+  ins_risk_class: boolean
+  ins_claims: boolean
+  ins_premium: boolean
+  ins_fraud: boolean
+  // Investment
+  inv_algo_trading: boolean
+  inv_advice: boolean
+  inv_robo: boolean
+  // Defense
+  def_dual_use: boolean
+  def_export: boolean
+  def_classified: boolean
+  // Supply Chain
+  sch_supplier: boolean
+  sch_human_rights: boolean
+  sch_environmental: boolean
+  // Facility
+  fac_access: boolean
+  fac_occupancy: boolean
+  fac_energy: boolean
+  // Sports
+  spo_athlete: boolean
+  spo_fan: boolean
+  spo_doping: boolean
+  // Finance / Banking
+  fin_credit_scoring: boolean
+  fin_aml_kyc: boolean
+  fin_algo_decisions: boolean
+  fin_customer_profiling: boolean
+  // General
+  gen_affects_people: boolean
+  gen_automated_decisions: boolean
+  gen_sensitive_data: boolean
+  // Hosting
   hosting_provider: string
   hosting_region: string
   model_usage: string[]

admin-compliance/app/sdk/advisory-board/page.tsx

@@ -51,6 +51,71 @@ function AdvisoryBoardPageInner() {
     custom_data_types: [],
     purposes: [],
     automation: '',
+    // BetrVG / works council
+    employee_monitoring: false,
+    hr_decision_support: false,
+    works_council_consulted: false,
+    // Domain-specific contexts (Annex III)
+    hr_automated_screening: false,
+    hr_automated_rejection: false,
+    hr_candidate_ranking: false,
+    hr_bias_audits: false,
+    hr_agg_visible: false,
+    hr_human_review: false,
+    hr_performance_eval: false,
+    edu_grade_influence: false,
+    edu_exam_evaluation: false,
+    edu_student_selection: false,
+    edu_minors: false,
+    edu_teacher_review: false,
+    hc_diagnosis: false,
+    hc_treatment: false,
+    hc_triage: false,
+    hc_patient_data: false,
+    hc_medical_device: false,
+    hc_clinical_validation: false,
+    // Legal
+    leg_legal_advice: false, leg_court_prediction: false, leg_client_confidential: false,
+    // Public Sector
+    pub_admin_decision: false, pub_benefit_allocation: false, pub_transparency: false,
+    // Critical Infrastructure
+    crit_grid_control: false, crit_safety_critical: false, crit_redundancy: false,
+    // Automotive
+    auto_autonomous: false, auto_safety: false, auto_functional_safety: false,
+    // Retail
+    ret_pricing: false, ret_profiling: false, ret_credit_scoring: false, ret_dark_patterns: false,
+    // IT Security
+    its_surveillance: false, its_threat_detection: false, its_data_retention: false,
+    // Logistics
+    log_driver_tracking: false, log_workload_scoring: false,
+    // Construction
+    con_tenant_screening: false, con_worker_safety: false,
+    // Marketing
+    mkt_deepfake: false, mkt_minors: false, mkt_targeting: false, mkt_labeled: false,
+    // Manufacturing
+    mfg_machine_safety: false, mfg_ce_required: false, mfg_validated: false,
+    // Agriculture
+    agr_pesticide: false, agr_animal_welfare: false, agr_environmental: false,
+    // Social Services
+    soc_vulnerable: false, soc_benefit: false, soc_case_mgmt: false,
+    // Hospitality
+    hos_guest_profiling: false, hos_dynamic_pricing: false, hos_review_manipulation: false,
+    // Insurance
+    ins_risk_class: false, ins_claims: false, ins_premium: false, ins_fraud: false,
+    // Investment
+    inv_algo_trading: false, inv_advice: false, inv_robo: false,
+    // Defense
+    def_dual_use: false, def_export: false, def_classified: false,
+    // Supply Chain
+    sch_supplier: false, sch_human_rights: false, sch_environmental: false,
+    // Facility
+    fac_access: false, fac_occupancy: false, fac_energy: false,
+    // Sports
+    spo_athlete: false, spo_fan: false, spo_doping: false,
+    // Finance / Banking
+    fin_credit_scoring: false, fin_aml_kyc: false, fin_algo_decisions: false, fin_customer_profiling: false,
+    // General
+    gen_affects_people: false, gen_automated_decisions: false, gen_sensitive_data: false,
     hosting_provider: '',
     hosting_region: '',
     model_usage: [],
@@ -133,18 +198,164 @@ function AdvisoryBoardPageInner() {
         retention_purpose: form.retention_purpose,
         contracts_list: form.contracts,
         subprocessors: form.subprocessors,
+        employee_monitoring: form.employee_monitoring,
+        hr_decision_support: form.hr_decision_support,
+        works_council_consulted: form.works_council_consulted,
+        // Domain-specific contexts
+        hr_context: ['hr', 'recruiting'].includes(form.domain) ? {
+          automated_screening: form.hr_automated_screening,
+          automated_rejection: form.hr_automated_rejection,
+          candidate_ranking: form.hr_candidate_ranking,
+          bias_audits_done: form.hr_bias_audits,
+          agg_categories_visible: form.hr_agg_visible,
+          human_review_enforced: form.hr_human_review,
+          performance_evaluation: form.hr_performance_eval,
+        } : undefined,
+        education_context: ['education', 'higher_education', 'vocational_training', 'research'].includes(form.domain) ? {
+          grade_influence: form.edu_grade_influence,
+          exam_evaluation: form.edu_exam_evaluation,
+          student_selection: form.edu_student_selection,
+          minors_involved: form.edu_minors,
+          teacher_review_required: form.edu_teacher_review,
+        } : undefined,
+        healthcare_context: ['healthcare', 'medical_devices', 'pharma', 'elderly_care'].includes(form.domain) ? {
+          diagnosis_support: form.hc_diagnosis,
+          treatment_recommendation: form.hc_treatment,
+          triage_decision: form.hc_triage,
+          patient_data_processed: form.hc_patient_data,
+          medical_device: form.hc_medical_device,
+          clinical_validation: form.hc_clinical_validation,
+        } : undefined,
+        legal_context: ['legal', 'consulting', 'tax_advisory'].includes(form.domain) ? {
+          legal_advice: form.leg_legal_advice,
+          court_prediction: form.leg_court_prediction,
+          client_confidential: form.leg_client_confidential,
+        } : undefined,
+        public_sector_context: ['public_sector', 'defense', 'justice'].includes(form.domain) ? {
+          admin_decision: form.pub_admin_decision,
+          benefit_allocation: form.pub_benefit_allocation,
+          transparency_ensured: form.pub_transparency,
+        } : undefined,
+        critical_infra_context: ['energy', 'utilities', 'oil_gas'].includes(form.domain) ? {
+          grid_control: form.crit_grid_control,
+          safety_critical: form.crit_safety_critical,
+          redundancy_exists: form.crit_redundancy,
+        } : undefined,
+        automotive_context: ['automotive', 'aerospace'].includes(form.domain) ? {
+          autonomous_driving: form.auto_autonomous,
+          safety_relevant: form.auto_safety,
+          functional_safety: form.auto_functional_safety,
+        } : undefined,
+        retail_context: ['retail', 'ecommerce', 'wholesale'].includes(form.domain) ? {
+          pricing_personalized: form.ret_pricing,
+          credit_scoring: form.ret_credit_scoring,
+          dark_patterns: form.ret_dark_patterns,
+        } : undefined,
+        it_security_context: ['it_services', 'cybersecurity', 'telecom'].includes(form.domain) ? {
+          employee_surveillance: form.its_surveillance,
+          threat_detection: form.its_threat_detection,
+          data_retention_logs: form.its_data_retention,
+        } : undefined,
+        logistics_context: ['logistics'].includes(form.domain) ? {
+          driver_tracking: form.log_driver_tracking,
+          workload_scoring: form.log_workload_scoring,
+        } : undefined,
+        construction_context: ['construction', 'real_estate', 'facility_management'].includes(form.domain) ? {
+          tenant_screening: form.con_tenant_screening,
+          worker_safety: form.con_worker_safety,
+        } : undefined,
+        marketing_context: ['marketing', 'media', 'entertainment'].includes(form.domain) ? {
+          deepfake_content: form.mkt_deepfake,
+          behavioral_targeting: form.mkt_targeting,
+          minors_targeted: form.mkt_minors,
+          ai_content_labeled: form.mkt_labeled,
+        } : undefined,
+        manufacturing_context: ['mechanical_engineering', 'electrical_engineering', 'plant_engineering', 'chemicals', 'food_beverage'].includes(form.domain) ? {
+          machine_safety: form.mfg_machine_safety,
+          ce_marking_required: form.mfg_ce_required,
+          safety_validated: form.mfg_validated,
+        } : undefined,
+        agriculture_context: ['agriculture', 'forestry', 'fishing'].includes(form.domain) ? {
+          pesticide_ai: form.agr_pesticide,
+          animal_welfare: form.agr_animal_welfare,
+          environmental_data: form.agr_environmental,
+        } : undefined,
+        social_services_context: ['social_services', 'nonprofit'].includes(form.domain) ? {
+          vulnerable_groups: form.soc_vulnerable,
+          benefit_decision: form.soc_benefit,
+          case_management: form.soc_case_mgmt,
+        } : undefined,
+        hospitality_context: ['hospitality', 'tourism'].includes(form.domain) ? {
+          guest_profiling: form.hos_guest_profiling,
+          dynamic_pricing: form.hos_dynamic_pricing,
+          review_manipulation: form.hos_review_manipulation,
+        } : undefined,
+        insurance_context: ['insurance'].includes(form.domain) ? {
+          risk_classification: form.ins_risk_class,
+          claims_automation: form.ins_claims,
+          premium_calculation: form.ins_premium,
+          fraud_detection: form.ins_fraud,
+        } : undefined,
+        investment_context: ['investment'].includes(form.domain) ? {
+          algo_trading: form.inv_algo_trading,
+          investment_advice: form.inv_advice,
+          robo_advisor: form.inv_robo,
+        } : undefined,
+        defense_context: ['defense'].includes(form.domain) ? {
+          dual_use: form.def_dual_use,
+          export_controlled: form.def_export,
+          classified_data: form.def_classified,
+        } : undefined,
+        supply_chain_context: ['textiles', 'packaging'].includes(form.domain) ? {
+          supplier_monitoring: form.sch_supplier,
+          human_rights_check: form.sch_human_rights,
+          environmental_impact: form.sch_environmental,
+        } : undefined,
+        facility_context: ['facility_management'].includes(form.domain) ? {
+          access_control_ai: form.fac_access,
+          occupancy_tracking: form.fac_occupancy,
+          energy_optimization: form.fac_energy,
+        } : undefined,
+        sports_context: ['sports'].includes(form.domain) ? {
+          athlete_tracking: form.spo_athlete,
+          fan_profiling: form.spo_fan,
+        } : undefined,
         store_raw_text: true,
+        // Finance/Banking and General don't need separate context structs —
+        // their fields are evaluated via existing FinancialContext or generic rules
       }
 
       const url = isEditMode
         ? `/api/sdk/v1/ucca/assessments/${editId}`
-        : '/api/sdk/v1/ucca/assess'
+        : '/api/sdk/v1/ucca/assess-enriched'
       const method = isEditMode ? 'PUT' : 'POST'
 
+      // For new assessments, send enriched payload with company profile
+      const payload = isEditMode ? intake : {
+        intake,
+        company_profile: sdkState.companyProfile ? {
+          company_name: sdkState.companyProfile.companyName ?? '',
+          legal_form: sdkState.companyProfile.legalForm ?? '',
+          industry: Array.isArray(sdkState.companyProfile.industry)
+            ? sdkState.companyProfile.industry.join(', ')
+            : (sdkState.companyProfile.industry ?? ''),
+          employee_count: sdkState.companyProfile.employeeCount ?? '',
+          annual_revenue: sdkState.companyProfile.annualRevenue ?? '',
+          headquarters_country: sdkState.companyProfile.headquartersCountry ?? 'DE',
+          is_data_controller: sdkState.companyProfile.isDataController ?? true,
+          is_data_processor: sdkState.companyProfile.isDataProcessor ?? false,
+          uses_ai: true,
+          dpo_name: sdkState.companyProfile.dpoName ?? null,
+          subject_to_nis2: false,
+          subject_to_ai_act: false,
+          subject_to_iso27001: false,
+        } : undefined,
+      }
+
       const response = await fetch(url, {
         method,
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(intake),
+        body: JSON.stringify(payload),
       })
 
       if (!response.ok) {

admin-compliance/app/sdk/agent/_components/AnalysisHistory.tsx

@@ -0,0 +1,57 @@
+'use client'
+
+import React from 'react'
+import type { AnalysisResult } from '../_hooks/useAgentAnalysis'
+
+const DOC_TYPE_LABELS: Record<string, string> = {
+  privacy_policy: 'DSE',
+  cookie_banner: 'Cookie',
+  terms_of_service: 'AGB',
+  imprint: 'Impressum',
+  dpa: 'AVV',
+  other: 'Sonstig',
+}
+
+const RISK_DOT: Record<string, string> = {
+  low: 'bg-green-500',
+  medium: 'bg-yellow-500',
+  high: 'bg-orange-500',
+  critical: 'bg-red-500',
+}
+
+interface Props {
+  history: AnalysisResult[]
+  onSelect: (result: AnalysisResult) => void
+}
+
+export function AnalysisHistory({ history, onSelect }: Props) {
+  if (history.length === 0) return null
+
+  return (
+    <div>
+      <h3 className="text-sm font-medium text-gray-700 mb-3">Letzte Analysen</h3>
+      <div className="space-y-2">
+        {history.map((item, i) => (
+          <button
+            key={i}
+            onClick={() => onSelect(item)}
+            className="w-full text-left p-3 bg-white border border-gray-200 rounded-lg hover:border-purple-300 hover:bg-purple-50 transition-colors"
+          >
+            <div className="flex items-center gap-3">
+              <span className={`w-2.5 h-2.5 rounded-full ${RISK_DOT[item.risk_level] || 'bg-gray-400'}`} />
+              <span className="text-xs font-medium text-gray-500 w-16">
+                {DOC_TYPE_LABELS[item.classification] || item.classification}
+              </span>
+              <span className="text-sm text-gray-700 truncate flex-1">
+                {new URL(item.url).hostname}
+              </span>
+              <span className="text-xs text-gray-400">
+                {new Date(item.analyzed_at).toLocaleTimeString('de-DE', { hour: '2-digit', minute: '2-digit' })}
+              </span>
+            </div>
+          </button>
+        ))}
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/AnalysisResult.tsx

@@ -0,0 +1,109 @@
+'use client'
+
+import React from 'react'
+import type { AnalysisResult as AnalysisResultType } from '../_hooks/useAgentAnalysis'
+
+const RISK_COLORS: Record<string, { bg: string; text: string; label: string }> = {
+  low: { bg: 'bg-green-100', text: 'text-green-800', label: 'Niedrig' },
+  medium: { bg: 'bg-yellow-100', text: 'text-yellow-800', label: 'Mittel' },
+  high: { bg: 'bg-orange-100', text: 'text-orange-800', label: 'Hoch' },
+  critical: { bg: 'bg-red-100', text: 'text-red-800', label: 'Kritisch' },
+  unknown: { bg: 'bg-gray-100', text: 'text-gray-800', label: 'Unbekannt' },
+}
+
+const DOC_TYPE_LABELS: Record<string, string> = {
+  privacy_policy: 'Datenschutzerklaerung',
+  cookie_banner: 'Cookie-Banner',
+  terms_of_service: 'AGB',
+  imprint: 'Impressum',
+  dpa: 'Auftragsverarbeitung (AVV)',
+  other: 'Sonstiges',
+}
+
+interface Props {
+  result: AnalysisResultType
+}
+
+export function AnalysisResult({ result }: Props) {
+  const risk = RISK_COLORS[result.risk_level] || RISK_COLORS.unknown
+
+  return (
+    <div className="space-y-4">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">
+            {DOC_TYPE_LABELS[result.classification] || result.classification}
+          </h3>
+          <p className="text-sm text-gray-500 truncate max-w-md">{result.url}</p>
+        </div>
+        <span className={`px-3 py-1 rounded-full text-sm font-medium ${risk.bg} ${risk.text}`}>
+          {risk.label} ({result.risk_score}/100)
+        </span>
+      </div>
+
+      {/* Role Assignment */}
+      <div className="bg-purple-50 border border-purple-200 rounded-lg p-4">
+        <div className="flex items-center gap-2">
+          <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z" />
+          </svg>
+          <span className="text-sm font-medium text-purple-900">
+            Zugewiesen an: <strong>{result.responsible_role}</strong>
+          </span>
+          <span className="text-xs text-purple-600 ml-auto">
+            Eskalationsstufe {result.escalation_level}
+          </span>
+        </div>
+      </div>
+
+      {/* Summary */}
+      {result.summary && (
+        <div className="bg-gray-50 rounded-lg p-4">
+          <h4 className="text-sm font-medium text-gray-700 mb-2">Zusammenfassung</h4>
+          <p className="text-sm text-gray-600 whitespace-pre-wrap">{result.summary}</p>
+        </div>
+      )}
+
+      {/* Findings */}
+      {result.findings.length > 0 && (
+        <div>
+          <h4 className="text-sm font-medium text-gray-700 mb-2">Findings ({result.findings.length})</h4>
+          <ul className="space-y-1">
+            {result.findings.map((f, i) => (
+              <li key={i} className="flex items-start gap-2 text-sm text-gray-600">
+                <span className="text-orange-500 mt-0.5">!</span>
+                {f}
+              </li>
+            ))}
+          </ul>
+        </div>
+      )}
+
+      {/* Required Controls */}
+      {result.required_controls.length > 0 && (
+        <div>
+          <h4 className="text-sm font-medium text-gray-700 mb-2">Erforderliche Massnahmen</h4>
+          <ul className="space-y-1">
+            {result.required_controls.map((c, i) => (
+              <li key={i} className="flex items-start gap-2 text-sm text-gray-600">
+                <span className="text-blue-500 mt-0.5">&#10003;</span>
+                {c}
+              </li>
+            ))}
+          </ul>
+        </div>
+      )}
+
+      {/* Email Status */}
+      <div className="flex items-center gap-2 text-sm text-gray-500 pt-2 border-t">
+        <span className={result.email_status === 'sent' ? 'text-green-600' : 'text-yellow-600'}>
+          {result.email_status === 'sent' ? '&#9993; Email gesendet' : '&#9993; Email ausstehend'}
+        </span>
+        <span className="ml-auto text-xs">
+          {new Date(result.analyzed_at).toLocaleString('de-DE')}
+        </span>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/FollowUpQuestions.tsx

@@ -0,0 +1,91 @@
+'use client'
+
+import React from 'react'
+import type { FollowUpQuestion } from '../_hooks/useAgentAnalysis'
+
+const SEVERITY_STYLE: Record<string, { border: string; bg: string; icon: string }> = {
+  high: { border: 'border-red-300', bg: 'bg-red-50', icon: '!!' },
+  medium: { border: 'border-yellow-300', bg: 'bg-yellow-50', icon: '!' },
+  low: { border: 'border-blue-300', bg: 'bg-blue-50', icon: 'i' },
+}
+
+interface Props {
+  questions: FollowUpQuestion[]
+  answers: Record<string, boolean>
+  onAnswer: (questionId: string, answer: boolean) => void
+}
+
+export function FollowUpQuestions({ questions, answers, onAnswer }: Props) {
+  const unanswered = questions.filter(q => answers[q.id] === undefined)
+  const answered = questions.filter(q => answers[q.id] !== undefined)
+
+  if (questions.length === 0) return null
+
+  return (
+    <div className="space-y-3">
+      <h4 className="text-sm font-medium text-gray-700 flex items-center gap-2">
+        <svg className="w-4 h-4 text-amber-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M8.228 9c.549-1.165 2.03-2 3.772-2 2.21 0 4 1.343 4 3 0 1.4-1.278 2.575-3.006 2.907-.542.104-.994.54-.994 1.093m0 3h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+        Rueckfragen zur manuellen Pruefung ({unanswered.length} offen)
+      </h4>
+
+      {/* Unanswered questions */}
+      {unanswered.map(q => {
+        const style = SEVERITY_STYLE[q.severity] || SEVERITY_STYLE.medium
+        return (
+          <div key={q.id} className={`border ${style.border} ${style.bg} rounded-lg p-4`}>
+            <div className="flex items-start gap-3">
+              <span className={`mt-0.5 w-6 h-6 rounded-full flex items-center justify-center text-xs font-bold ${
+                q.severity === 'high' ? 'bg-red-200 text-red-800' :
+                q.severity === 'medium' ? 'bg-yellow-200 text-yellow-800' :
+                'bg-blue-200 text-blue-800'
+              }`}>
+                {SEVERITY_STYLE[q.severity]?.icon || '?'}
+              </span>
+              <div className="flex-1">
+                <p className="text-sm font-medium text-gray-900">{q.question}</p>
+                <p className="text-xs text-gray-500 mt-1">Rechtsgrundlage: {q.legal_basis}</p>
+                <div className="flex gap-2 mt-3">
+                  <button
+                    onClick={() => onAnswer(q.id, true)}
+                    className="px-4 py-1.5 text-sm bg-green-600 text-white rounded-md hover:bg-green-700 transition-colors"
+                  >
+                    Ja
+                  </button>
+                  <button
+                    onClick={() => onAnswer(q.id, false)}
+                    className="px-4 py-1.5 text-sm bg-red-600 text-white rounded-md hover:bg-red-700 transition-colors"
+                  >
+                    Nein
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        )
+      })}
+
+      {/* Answered questions */}
+      {answered.map(q => {
+        const isYes = answers[q.id]
+        return (
+          <div key={q.id} className={`border rounded-lg p-3 ${isYes ? 'border-green-200 bg-green-50' : 'border-red-200 bg-red-50'}`}>
+            <div className="flex items-center gap-2">
+              <span className={`text-sm ${isYes ? 'text-green-700' : 'text-red-700'}`}>
+                {isYes ? '✓' : '✗'}
+              </span>
+              <span className="text-sm text-gray-700">{q.question}</span>
+              <span className={`ml-auto text-xs font-medium ${isYes ? 'text-green-600' : 'text-red-600'}`}>
+                {isYes ? 'Ja — OK' : 'Nein — Finding erstellt'}
+              </span>
+            </div>
+            {!isYes && (
+              <p className="text-xs text-red-600 mt-1 ml-6">{q.finding_if_no}</p>
+            )}
+          </div>
+        )
+      })}
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_components/ScanResult.tsx

@@ -0,0 +1,190 @@
+'use client'
+
+import React, { useState } from 'react'
+
+interface ServiceInfo {
+  name: string
+  category: string
+  provider: string
+  country: string
+  eu_adequate: boolean
+  requires_consent: boolean
+  legal_ref: string
+  in_dse: boolean
+  status: string
+}
+
+interface ScanFinding {
+  code: string
+  severity: string
+  text: string
+  correction: string
+}
+
+interface ScanData {
+  pages_scanned: number
+  pages_list: string[]
+  services: ServiceInfo[]
+  findings: ScanFinding[]
+  ai_detected: boolean
+  chatbot_detected: boolean
+  chatbot_provider: string
+  missing_pages: Record<string, number>
+  email_status: string
+}
+
+const STATUS_ICON: Record<string, { icon: string; color: string }> = {
+  ok: { icon: '✓', color: 'text-green-600' },
+  undocumented: { icon: '✗', color: 'text-red-600' },
+  outdated: { icon: '~', color: 'text-yellow-600' },
+}
+
+const SEV_STYLE: Record<string, { bg: string; text: string }> = {
+  HIGH: { bg: 'bg-red-50 border-red-200', text: 'text-red-800' },
+  MEDIUM: { bg: 'bg-yellow-50 border-yellow-200', text: 'text-yellow-800' },
+  LOW: { bg: 'bg-blue-50 border-blue-200', text: 'text-blue-800' },
+}
+
+export function ScanResult({ data }: { data: ScanData }) {
+  const [expandedCorrection, setExpandedCorrection] = useState<string | null>(null)
+
+  const undocCount = data.services.filter(s => s.status === 'undocumented').length
+  const okCount = data.services.filter(s => s.status === 'ok').length
+  const outdatedCount = data.services.filter(s => s.status === 'outdated').length
+  const highCount = data.findings.filter(f => f.severity === 'HIGH').length
+
+  return (
+    <div className="space-y-5">
+      {/* Summary Bar */}
+      <div className="grid grid-cols-4 gap-3">
+        <div className="bg-gray-50 rounded-lg p-3 text-center">
+          <p className="text-2xl font-bold text-gray-900">{data.pages_scanned}</p>
+          <p className="text-xs text-gray-500">Seiten gescannt</p>
+        </div>
+        <div className="bg-green-50 rounded-lg p-3 text-center">
+          <p className="text-2xl font-bold text-green-700">{okCount}</p>
+          <p className="text-xs text-gray-500">Dokumentiert</p>
+        </div>
+        <div className="bg-red-50 rounded-lg p-3 text-center">
+          <p className="text-2xl font-bold text-red-700">{undocCount}</p>
+          <p className="text-xs text-gray-500">Nicht in DSE</p>
+        </div>
+        <div className="bg-yellow-50 rounded-lg p-3 text-center">
+          <p className="text-2xl font-bold text-yellow-700">{outdatedCount}</p>
+          <p className="text-xs text-gray-500">Veraltet</p>
+        </div>
+      </div>
+
+      {/* Scanned Pages */}
+      {data.pages_list?.length > 0 && (
+        <details className="text-sm">
+          <summary className="text-gray-600 cursor-pointer hover:text-gray-800">
+            {data.pages_scanned} Seiten gescannt — Details anzeigen
+          </summary>
+          <ul className="mt-2 space-y-1 ml-4">
+            {data.pages_list.map((p, i) => {
+              const isMissing = data.missing_pages[p]
+              return (
+                <li key={i} className={`text-xs ${isMissing ? 'text-red-600' : 'text-gray-500'}`}>
+                  {isMissing ? '✗' : '✓'} {p} {isMissing ? `(HTTP ${data.missing_pages[p]})` : ''}
+                </li>
+              )
+            })}
+          </ul>
+        </details>
+      )}
+
+      {/* AI / Chatbot Detection */}
+      <div className="flex gap-3">
+        <span className={`px-3 py-1 rounded-full text-xs font-medium ${data.ai_detected ? 'bg-purple-100 text-purple-800' : 'bg-gray-100 text-gray-600'}`}>
+          {data.ai_detected ? 'KI erkannt' : 'Keine KI erkannt'}
+        </span>
+        <span className={`px-3 py-1 rounded-full text-xs font-medium ${data.chatbot_detected ? 'bg-blue-100 text-blue-800' : 'bg-gray-100 text-gray-600'}`}>
+          {data.chatbot_detected ? `Chatbot: ${data.chatbot_provider}` : 'Kein Chatbot'}
+        </span>
+      </div>
+
+      {/* Services Table */}
+      <div>
+        <h4 className="text-sm font-medium text-gray-700 mb-2">Dienstleister-Abgleich (SOLL/IST)</h4>
+        <div className="border rounded-lg overflow-hidden">
+          <table className="w-full text-sm">
+            <thead className="bg-gray-50">
+              <tr>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500">Status</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500">Dienst</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500">Land</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500">EU</th>
+                <th className="px-3 py-2 text-left text-xs font-medium text-gray-500">In DSE</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-100">
+              {data.services.map((s, i) => {
+                const st = STATUS_ICON[s.status] || STATUS_ICON.ok
+                return (
+                  <tr key={i} className={s.status === 'undocumented' ? 'bg-red-50' : ''}>
+                    <td className={`px-3 py-2 font-bold ${st.color}`}>{st.icon}</td>
+                    <td className="px-3 py-2">
+                      <span className="font-medium text-gray-900">{s.name}</span>
+                      <span className="text-gray-400 text-xs ml-2">{s.category}</span>
+                    </td>
+                    <td className="px-3 py-2 text-gray-600">{s.country}</td>
+                    <td className="px-3 py-2">{s.eu_adequate ? '✓' : '✗'}</td>
+                    <td className="px-3 py-2">{s.in_dse ? 'Ja' : <span className="text-red-600 font-medium">Nein</span>}</td>
+                  </tr>
+                )
+              })}
+            </tbody>
+          </table>
+        </div>
+      </div>
+
+      {/* Findings */}
+      {data.findings.length > 0 && (
+        <div>
+          <h4 className="text-sm font-medium text-gray-700 mb-2">
+            Findings ({data.findings.length}, davon {highCount} kritisch)
+          </h4>
+          <div className="space-y-2">
+            {data.findings.map((f, i) => {
+              const sev = SEV_STYLE[f.severity] || SEV_STYLE.MEDIUM
+              const isExpanded = expandedCorrection === f.code
+              return (
+                <div key={i} className={`border rounded-lg p-3 ${sev.bg}`}>
+                  <div className="flex items-start gap-2">
+                    <span className={`text-xs font-bold px-2 py-0.5 rounded ${sev.text} bg-white`}>
+                      {f.severity}
+                    </span>
+                    <p className="text-sm text-gray-800 flex-1">{f.text}</p>
+                  </div>
+                  {f.correction && (
+                    <div className="mt-2">
+                      <button
+                        onClick={() => setExpandedCorrection(isExpanded ? null : f.code)}
+                        className="text-xs text-purple-600 hover:text-purple-800 font-medium"
+                      >
+                        {isExpanded ? '▼ Korrekturvorschlag ausblenden' : '▶ Korrekturvorschlag anzeigen'}
+                      </button>
+                      {isExpanded && (
+                        <div className="mt-2 bg-white border border-gray-200 rounded-lg p-3 relative">
+                          <pre className="text-xs text-gray-700 whitespace-pre-wrap font-sans">{f.correction}</pre>
+                          <button
+                            onClick={() => navigator.clipboard.writeText(f.correction)}
+                            className="absolute top-2 right-2 text-xs bg-gray-100 hover:bg-gray-200 px-2 py-1 rounded"
+                            title="Kopieren"
+                          >
+                            Kopieren
+                          </button>
+                        </div>
+                      )}
+                    </div>
+                  )}
+                </div>
+              )
+            })}
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/agent/_hooks/useAgentAnalysis.ts

@@ -0,0 +1,106 @@
+'use client'
+
+import { useState } from 'react'
+
+export interface FollowUpQuestion {
+  id: string
+  question: string
+  legal_basis: string
+  severity: 'high' | 'medium' | 'low'
+  finding_if_no: string
+}
+
+export interface AnalysisResult {
+  url: string
+  classification: string
+  risk_level: string
+  risk_score: number
+  escalation_level: string
+  responsible_role: string
+  findings: string[]
+  required_controls: string[]
+  summary: string
+  email_status: string
+  analyzed_at: string
+  follow_up_questions: FollowUpQuestion[]
+  follow_up_answers: Record<string, boolean>
+}
+
+const ESCALATION_ROLES: Record<string, string> = {
+  E0: 'Kein Handlungsbedarf',
+  E1: 'Teamleitung Datenschutz',
+  E2: 'Datenschutzbeauftragter (DSB)',
+  E3: 'DSB + Rechtsabteilung',
+}
+
+export function useAgentAnalysis() {
+  const [loading, setLoading] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const [result, setResult] = useState<AnalysisResult | null>(null)
+  const [history, setHistory] = useState<AnalysisResult[]>([])
+
+  async function analyze(url: string, mode: string = 'post_launch') {
+    setLoading(true)
+    setError(null)
+    setResult(null)
+
+    try {
+      const fetchRes = await fetch('/api/sdk/v1/agent/analyze', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ url, mode }),
+      })
+
+      if (!fetchRes.ok) {
+        throw new Error(`Analyse fehlgeschlagen: ${fetchRes.status}`)
+      }
+
+      const data = await fetchRes.json()
+      const analysisResult: AnalysisResult = {
+        url,
+        classification: data.classification || 'unknown',
+        risk_level: data.risk_level || 'unknown',
+        risk_score: data.risk_score || 0,
+        escalation_level: data.escalation_level || 'E0',
+        responsible_role: ESCALATION_ROLES[data.escalation_level] || ESCALATION_ROLES.E0,
+        findings: data.findings || [],
+        required_controls: data.required_controls || [],
+        summary: data.summary || '',
+        email_status: data.email_status || 'pending',
+        analyzed_at: new Date().toISOString(),
+        follow_up_questions: data.follow_up_questions || [],
+        follow_up_answers: {},
+      }
+
+      setResult(analysisResult)
+      setHistory(prev => [analysisResult, ...prev].slice(0, 20))
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Unbekannter Fehler')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  function answerFollowUp(questionId: string, answer: boolean) {
+    if (!result) return
+    const question = result.follow_up_questions.find(q => q.id === questionId)
+    const newAnswers = { ...result.follow_up_answers, [questionId]: answer }
+    const newFindings = [...result.findings]
+
+    // If user answered "no" → add the finding
+    if (!answer && question) {
+      newFindings.push(question.finding_if_no)
+    }
+
+    const updated = {
+      ...result,
+      findings: newFindings,
+      follow_up_answers: newAnswers,
+    }
+    setResult(updated)
+    // Update history too
+    setHistory(prev => prev.map(h => h.analyzed_at === result.analyzed_at ? updated : h))
+  }
+
+  return { analyze, answerFollowUp, loading, error, result, history }
+}

admin-compliance/app/sdk/agent/page.tsx

@@ -0,0 +1,145 @@
+'use client'
+
+import React, { useState } from 'react'
+import { useAgentAnalysis } from './_hooks/useAgentAnalysis'
+import { AnalysisResult } from './_components/AnalysisResult'
+import { AnalysisHistory } from './_components/AnalysisHistory'
+import { FollowUpQuestions } from './_components/FollowUpQuestions'
+import { ScanResult } from './_components/ScanResult'
+
+type AnalysisMode = 'pre_launch' | 'post_launch'
+type AnalysisTab = 'quick' | 'scan'
+
+const MODES: { id: AnalysisMode; label: string; desc: string; icon: string }[] = [
+  { id: 'pre_launch', label: 'Internes Dokument', desc: 'Vor Veroeffentlichung pruefen', icon: '📋' },
+  { id: 'post_launch', label: 'Live-Website', desc: 'Bereits online analysieren', icon: '🌐' },
+]
+
+const TABS: { id: AnalysisTab; label: string; desc: string }[] = [
+  { id: 'quick', label: 'Schnellanalyse', desc: 'Einzelne Seite klassifizieren + bewerten' },
+  { id: 'scan', label: 'Website-Scan', desc: 'Mehrere Seiten scannen + Dienstleister abgleichen' },
+]
+
+export default function AgentPage() {
+  const [url, setUrl] = useState('')
+  const [mode, setMode] = useState<AnalysisMode>('post_launch')
+  const [tab, setTab] = useState<AnalysisTab>('quick')
+  const [scanLoading, setScanLoading] = useState(false)
+  const [scanError, setScanError] = useState<string | null>(null)
+  const [scanData, setScanData] = useState<any>(null)
+  const { analyze, answerFollowUp, loading, error, result, history } = useAgentAnalysis()
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    if (!url.trim()) return
+
+    if (tab === 'quick') {
+      analyze(url.trim(), mode)
+    } else {
+      setScanLoading(true)
+      setScanError(null)
+      setScanData(null)
+      try {
+        const res = await fetch('/api/sdk/v1/agent/scan', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ url: url.trim(), mode }),
+        })
+        if (!res.ok) throw new Error(`Scan fehlgeschlagen: ${res.status}`)
+        setScanData(await res.json())
+      } catch (e) {
+        setScanError(e instanceof Error ? e.message : 'Unbekannter Fehler')
+      } finally {
+        setScanLoading(false)
+      }
+    }
+  }
+
+  const isLoading = tab === 'quick' ? loading : scanLoading
+  const currentError = tab === 'quick' ? error : scanError
+
+  return (
+    <div className="space-y-6 max-w-4xl">
+      <div>
+        <h1 className="text-2xl font-bold text-gray-900">Compliance Agent</h1>
+        <p className="text-gray-500 mt-1">Analysiere Dokumente und Webseiten auf DSGVO-Konformitaet.</p>
+      </div>
+
+      {/* Mode Selection */}
+      <div className="grid grid-cols-2 gap-3">
+        {MODES.map(m => (
+          <button key={m.id} onClick={() => setMode(m.id)}
+            className={`p-3 rounded-xl border-2 text-left transition-all ${
+              mode === m.id ? 'border-purple-500 bg-purple-50' : 'border-gray-200 hover:border-gray-300'}`}>
+            <div className="flex items-center gap-3">
+              <span className="text-xl">{m.icon}</span>
+              <div>
+                <p className={`text-sm font-semibold ${mode === m.id ? 'text-purple-900' : 'text-gray-900'}`}>{m.label}</p>
+                <p className="text-xs text-gray-500">{m.desc}</p>
+              </div>
+            </div>
+          </button>
+        ))}
+      </div>
+
+      {/* Tab Selection */}
+      <div className="flex border-b border-gray-200">
+        {TABS.map(t => (
+          <button key={t.id} onClick={() => setTab(t.id)}
+            className={`px-4 py-2.5 text-sm font-medium border-b-2 transition-colors ${
+              tab === t.id
+                ? 'border-purple-500 text-purple-700'
+                : 'border-transparent text-gray-500 hover:text-gray-700'}`}>
+            {t.label}
+          </button>
+        ))}
+      </div>
+
+      {/* URL Input */}
+      <form onSubmit={handleSubmit} className="flex gap-3">
+        <input type="url" value={url} onChange={e => setUrl(e.target.value)}
+          placeholder={tab === 'scan' ? 'https://www.example.com/' : 'https://example.com/datenschutz'}
+          className="flex-1 px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent text-sm"
+          disabled={isLoading} required />
+        <button type="submit" disabled={isLoading || !url.trim()}
+          className="px-6 py-3 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors flex items-center gap-2 text-sm font-medium">
+          {isLoading ? (
+            <><svg className="animate-spin w-4 h-4" fill="none" viewBox="0 0 24 24">
+              <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+              <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
+            </svg>{tab === 'scan' ? 'Scanne...' : 'Analysiere...'}</>
+          ) : tab === 'scan' ? 'Website scannen' : 'Analysieren'}
+        </button>
+      </form>
+
+      {/* Error */}
+      {currentError && (
+        <div className="bg-red-50 border border-red-200 rounded-lg p-4 text-sm text-red-700">{currentError}</div>
+      )}
+
+      {/* Quick Analysis Result */}
+      {tab === 'quick' && result && (
+        <div className="bg-white border border-gray-200 rounded-xl p-6 shadow-sm space-y-6">
+          <AnalysisResult result={result} />
+          {result.follow_up_questions.length > 0 && (
+            <div className="border-t pt-4">
+              <FollowUpQuestions questions={result.follow_up_questions} answers={result.follow_up_answers} onAnswer={answerFollowUp} />
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* Scan Result */}
+      {tab === 'scan' && scanData && (
+        <div className="bg-white border border-gray-200 rounded-xl p-6 shadow-sm">
+          <ScanResult data={scanData} />
+        </div>
+      )}
+
+      {/* History (quick only) */}
+      {tab === 'quick' && (
+        <AnalysisHistory history={history} onSelect={r => { setUrl(r.url); analyze(r.url, mode) }} />
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/agents/sessions/page.tsx

@@ -1,34 +0,0 @@
-'use client'
-
-import React from 'react'
-import Link from 'next/link'
-
-export default function AgentSessionsPage() {
-  return (
-    <div className="p-8 max-w-5xl">
-      <div className="flex items-center gap-4 mb-8">
-        <Link href="/sdk/agents" className="text-gray-400 hover:text-gray-600 transition-colors">
-          <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 19l-7-7 7-7" />
-          </svg>
-        </Link>
-        <div>
-          <h1 className="text-2xl font-bold text-gray-900">Agent-Sessions</h1>
-          <p className="text-gray-500 mt-1">Chat-Verlaeufe und Session-Management</p>
-        </div>
-      </div>
-
-      <div className="bg-white border border-gray-200 rounded-xl p-12 text-center">
-        <svg className="w-20 h-20 text-gray-300 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5}
-            d="M8 12h.01M12 12h.01M16 12h.01M21 12c0 4.418-4.03 8-9 8a9.863 9.863 0 01-4.255-.949L3 20l1.395-3.72C3.512 15.042 3 13.574 3 12c0-4.418 4.03-8 9-8s9 3.582 9 8z" />
-        </svg>
-        <h2 className="text-xl font-medium text-gray-900 mb-2">Sessions-Tracking</h2>
-        <p className="text-gray-500 max-w-md mx-auto">
-          Das Session-Tracking fuer Compliance-Agenten wird in einer zukuenftigen Version implementiert.
-          Hier werden Chat-Verlaeufe, Antwortqualitaet und Nutzer-Feedback angezeigt.
-        </p>
-      </div>
-    </div>
-  )
-}

admin-compliance/app/sdk/agents/statistics/page.tsx

@@ -1,34 +0,0 @@
-'use client'
-
-import React from 'react'
-import Link from 'next/link'
-
-export default function AgentStatisticsPage() {
-  return (
-    <div className="p-8 max-w-5xl">
-      <div className="flex items-center gap-4 mb-8">
-        <Link href="/sdk/agents" className="text-gray-400 hover:text-gray-600 transition-colors">
-          <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 19l-7-7 7-7" />
-          </svg>
-        </Link>
-        <div>
-          <h1 className="text-2xl font-bold text-gray-900">Agent-Statistiken</h1>
-          <p className="text-gray-500 mt-1">Performance-Metriken und Nutzungsanalysen</p>
-        </div>
-      </div>
-
-      <div className="bg-white border border-gray-200 rounded-xl p-12 text-center">
-        <svg className="w-20 h-20 text-gray-300 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5}
-            d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z" />
-        </svg>
-        <h2 className="text-xl font-medium text-gray-900 mb-2">Agent-Statistiken</h2>
-        <p className="text-gray-500 max-w-md mx-auto">
-          Detaillierte Statistiken wie Antwortzeiten, Erfolgsraten, haeufigste Themen und
-          RAG-Trefferquoten werden in einer zukuenftigen Version implementiert.
-        </p>
-      </div>
-    </div>
-  )
-}

admin-compliance/app/sdk/ai-act/page.tsx

@@ -8,9 +8,178 @@ import { LoadingSkeleton } from './_components/LoadingSkeleton'
 import { RiskPyramid } from './_components/RiskPyramid'
 import { AddSystemForm } from './_components/AddSystemForm'
 import { AISystemCard } from './_components/AISystemCard'
+import DecisionTreeWizard from '@/components/sdk/ai-act/DecisionTreeWizard'
+
+type TabId = 'overview' | 'decision-tree' | 'results'
+
+// SAVED RESULTS TAB
+// =============================================================================
+
+interface SavedResult {
+  id: string
+  system_name: string
+  system_description?: string
+  high_risk_result: string
+  gpai_result: { gpai_category: string; is_systemic_risk: boolean }
+  combined_obligations: string[]
+  created_at: string
+}
+
+function SavedResultsTab() {
+  const [results, setResults] = useState<SavedResult[]>([])
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    const load = async () => {
+      try {
+        const res = await fetch('/api/sdk/v1/ucca/decision-tree/results')
+        if (res.ok) {
+          const data = await res.json()
+          setResults(data.results || [])
+        }
+      } catch {
+        // Ignore
+      } finally {
+        setLoading(false)
+      }
+    }
+    load()
+  }, [])
+
+  const handleDelete = async (id: string) => {
+    if (!confirm('Ergebnis wirklich löschen?')) return
+    try {
+      const res = await fetch(`/api/sdk/v1/ucca/decision-tree/results/${id}`, { method: 'DELETE' })
+      if (res.ok) {
+        setResults(prev => prev.filter(r => r.id !== id))
+      }
+    } catch {
+      // Ignore
+    }
+  }
+
+  const riskLabels: Record<string, string> = {
+    unacceptable: 'Unzulässig',
+    high_risk: 'Hochrisiko',
+    limited_risk: 'Begrenztes Risiko',
+    minimal_risk: 'Minimales Risiko',
+    not_applicable: 'Nicht anwendbar',
+  }
+
+  const riskColors: Record<string, string> = {
+    unacceptable: 'bg-red-100 text-red-700',
+    high_risk: 'bg-orange-100 text-orange-700',
+    limited_risk: 'bg-yellow-100 text-yellow-700',
+    minimal_risk: 'bg-green-100 text-green-700',
+    not_applicable: 'bg-gray-100 text-gray-500',
+  }
+
+  const gpaiLabels: Record<string, string> = {
+    none: 'Kein GPAI',
+    standard: 'GPAI Standard',
+    systemic: 'GPAI Systemisch',
+  }
+
+  const gpaiColors: Record<string, string> = {
+    none: 'bg-gray-100 text-gray-500',
+    standard: 'bg-blue-100 text-blue-700',
+    systemic: 'bg-purple-100 text-purple-700',
+  }
+
+  if (loading) {
+    return <LoadingSkeleton />
+  }
+
+  if (results.length === 0) {
+    return (
+      <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+        <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
+          <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+          </svg>
+        </div>
+        <h3 className="text-lg font-semibold text-gray-900">Keine Ergebnisse vorhanden</h3>
+        <p className="mt-2 text-gray-500">Nutzen Sie den Entscheidungsbaum, um KI-Systeme zu klassifizieren.</p>
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-4">
+      {results.map(r => (
+        <div key={r.id} className="bg-white rounded-xl border border-gray-200 p-5">
+          <div className="flex items-start justify-between">
+            <div>
+              <h4 className="font-semibold text-gray-900">{r.system_name}</h4>
+              {r.system_description && (
+                <p className="text-sm text-gray-500 mt-0.5">{r.system_description}</p>
+              )}
+              <div className="flex items-center gap-2 mt-2">
+                <span className={`px-2 py-1 text-xs rounded-full ${riskColors[r.high_risk_result] || 'bg-gray-100 text-gray-500'}`}>
+                  {riskLabels[r.high_risk_result] || r.high_risk_result}
+                </span>
+                <span className={`px-2 py-1 text-xs rounded-full ${gpaiColors[r.gpai_result?.gpai_category] || 'bg-gray-100 text-gray-500'}`}>
+                  {gpaiLabels[r.gpai_result?.gpai_category] || 'Kein GPAI'}
+                </span>
+                {r.gpai_result?.is_systemic_risk && (
+                  <span className="px-2 py-1 text-xs rounded-full bg-red-100 text-red-700">Systemisch</span>
+                )}
+              </div>
+              <div className="text-xs text-gray-400 mt-2">
+                {r.combined_obligations?.length || 0} Pflichten &middot; {new Date(r.created_at).toLocaleDateString('de-DE')}
+              </div>
+            </div>
+            <button
+              onClick={() => handleDelete(r.id)}
+              className="px-3 py-1 text-xs text-red-600 hover:bg-red-50 rounded transition-colors"
+            >
+              Löschen
+            </button>
+          </div>
+        </div>
+      ))}
+    </div>
+  )
+}
+
+// TABS
+// =============================================================================
+
+const TABS: { id: TabId; label: string; icon: React.ReactNode }[] = [
+  {
+    id: 'overview',
+    label: 'Übersicht',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M3.75 6A2.25 2.25 0 016 3.75h2.25A2.25 2.25 0 0110.5 6v2.25a2.25 2.25 0 01-2.25 2.25H6a2.25 2.25 0 01-2.25-2.25V6zM3.75 15.75A2.25 2.25 0 016 13.5h2.25a2.25 2.25 0 012.25 2.25V18a2.25 2.25 0 01-2.25 2.25H6A2.25 2.25 0 013.75 18v-2.25zM13.5 6a2.25 2.25 0 012.25-2.25H18A2.25 2.25 0 0120.25 6v2.25A2.25 2.25 0 0118 10.5h-2.25a2.25 2.25 0 01-2.25-2.25V6zM13.5 15.75a2.25 2.25 0 012.25-2.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-2.25A2.25 2.25 0 0113.5 18v-2.25z" />
+      </svg>
+    ),
+  },
+  {
+    id: 'decision-tree',
+    label: 'Entscheidungsbaum',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M3.75 12h16.5m-16.5 3.75h16.5M3.75 19.5h16.5M5.625 4.5h12.75a1.875 1.875 0 010 3.75H5.625a1.875 1.875 0 010-3.75z" />
+      </svg>
+    ),
+  },
+  {
+    id: 'results',
+    label: 'Ergebnisse',
+    icon: (
+      <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+        <path strokeLinecap="round" strokeLinejoin="round" d="M9 12h3.75M9 15h3.75M9 18h3.75m3 .75H18a2.25 2.25 0 002.25-2.25V6.108c0-1.135-.845-2.098-1.976-2.192a48.424 48.424 0 00-1.123-.08m-5.801 0c-.065.21-.1.433-.1.664 0 .414.336.75.75.75h4.5a.75.75 0 00.75-.75 2.25 2.25 0 00-.1-.664m-5.8 0A2.251 2.251 0 0113.5 2.25H15c1.012 0 1.867.668 2.15 1.586m-5.8 0c-.376.023-.75.05-1.124.08C9.095 4.01 8.25 4.973 8.25 6.108V8.25m0 0H4.875c-.621 0-1.125.504-1.125 1.125v11.25c0 .621.504 1.125 1.125 1.125h9.75c.621 0 1.125-.504 1.125-1.125V9.375c0-.621-.504-1.125-1.125-1.125H8.25z" />
+      </svg>
+    ),
+  },
+]
+
+// MAIN PAGE
 
 export default function AIActPage() {
   const { state } = useSDK()
+  const [activeTab, setActiveTab] = useState<TabId>('overview')
   const [systems, setSystems] = useState<AISystem[]>([])
   const [filter, setFilter] = useState<string>('all')
   const [showAddForm, setShowAddForm] = useState(false)
@@ -178,17 +347,38 @@ export default function AIActPage() {
         explanation={stepInfo.explanation}
         tips={stepInfo.tips}
       >
-        <button
-          onClick={() => setShowAddForm(true)}
-          className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
-        >
-          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
-          </svg>
-          KI-System registrieren
-        </button>
+        {activeTab === 'overview' && (
+          <button
+            onClick={() => setShowAddForm(true)}
+            className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+          >
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
+            </svg>
+            KI-System registrieren
+          </button>
+        )}
       </StepHeader>
 
+      {/* Tabs */}
+      <div className="flex items-center gap-1 bg-gray-100 p-1 rounded-lg w-fit">
+        {TABS.map(tab => (
+          <button
+            key={tab.id}
+            onClick={() => setActiveTab(tab.id)}
+            className={`flex items-center gap-2 px-4 py-2 text-sm font-medium rounded-md transition-colors ${
+              activeTab === tab.id
+                ? 'bg-white text-purple-700 shadow-sm'
+                : 'text-gray-600 hover:text-gray-900'
+            }`}
+          >
+            {tab.icon}
+            {tab.label}
+          </button>
+        ))}
+      </div>
+
+      {/* Error Banner */}
       {error && (
         <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
           <span>{error}</span>
@@ -196,82 +386,105 @@ export default function AIActPage() {
         </div>
       )}
 
-      {showAddForm && (
-        <AddSystemForm
-          onSubmit={handleAddSystem}
-          onCancel={() => { setShowAddForm(false); setEditingSystem(null) }}
-          initialData={editingSystem}
-        />
-      )}
-
-      <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
-        <div className="bg-white rounded-xl border border-gray-200 p-6">
-          <div className="text-sm text-gray-500">KI-Systeme gesamt</div>
-          <div className="text-3xl font-bold text-gray-900">{systems.length}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-orange-200 p-6">
-          <div className="text-sm text-orange-600">Hochrisiko</div>
-          <div className="text-3xl font-bold text-orange-600">{highRiskCount}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-green-200 p-6">
-          <div className="text-sm text-green-600">Konform</div>
-          <div className="text-3xl font-bold text-green-600">{compliantCount}</div>
-        </div>
-        <div className="bg-white rounded-xl border border-gray-200 p-6">
-          <div className="text-sm text-gray-500">Nicht klassifiziert</div>
-          <div className="text-3xl font-bold text-gray-500">{unclassifiedCount}</div>
-        </div>
-      </div>
-
-      <RiskPyramid systems={systems} />
-
-      <div className="flex items-center gap-2 flex-wrap">
-        <span className="text-sm text-gray-500">Filter:</span>
-        {['all', 'high-risk', 'limited-risk', 'minimal-risk', 'unclassified', 'compliant', 'non-compliant'].map(f => (
-          <button
-            key={f}
-            onClick={() => setFilter(f)}
-            className={`px-3 py-1 text-sm rounded-full transition-colors ${
-              filter === f ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
-            }`}
-          >
-            {f === 'all' ? 'Alle' :
-             f === 'high-risk' ? 'Hochrisiko' :
-             f === 'limited-risk' ? 'Begrenztes Risiko' :
-             f === 'minimal-risk' ? 'Minimales Risiko' :
-             f === 'unclassified' ? 'Nicht klassifiziert' :
-             f === 'compliant' ? 'Konform' : 'Nicht konform'}
-          </button>
-        ))}
-      </div>
-
-      {loading && <LoadingSkeleton />}
-
-      {!loading && (
-        <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-          {filteredSystems.map(system => (
-            <AISystemCard
-              key={system.id}
-              system={system}
-              onAssess={() => handleAssess(system.id)}
-              onEdit={() => handleEdit(system)}
-              onDelete={() => handleDelete(system.id)}
-              assessing={assessingId === system.id}
+      {/* Tab: Overview */}
+      {activeTab === 'overview' && (
+        <>
+          {/* Add/Edit System Form */}
+          {showAddForm && (
+            <AddSystemForm
+              onSubmit={handleAddSystem}
+              onCancel={() => { setShowAddForm(false); setEditingSystem(null) }}
+              initialData={editingSystem}
             />
-          ))}
-        </div>
+          )}
+
+          {/* Stats */}
+          <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+            <div className="bg-white rounded-xl border border-gray-200 p-6">
+              <div className="text-sm text-gray-500">KI-Systeme gesamt</div>
+              <div className="text-3xl font-bold text-gray-900">{systems.length}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-orange-200 p-6">
+              <div className="text-sm text-orange-600">Hochrisiko</div>
+              <div className="text-3xl font-bold text-orange-600">{highRiskCount}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-green-200 p-6">
+              <div className="text-sm text-green-600">Konform</div>
+              <div className="text-3xl font-bold text-green-600">{compliantCount}</div>
+            </div>
+            <div className="bg-white rounded-xl border border-gray-200 p-6">
+              <div className="text-sm text-gray-500">Nicht klassifiziert</div>
+              <div className="text-3xl font-bold text-gray-500">{unclassifiedCount}</div>
+            </div>
+          </div>
+
+          {/* Risk Pyramid */}
+          <RiskPyramid systems={systems} />
+
+          {/* Filter */}
+          <div className="flex items-center gap-2 flex-wrap">
+            <span className="text-sm text-gray-500">Filter:</span>
+            {['all', 'high-risk', 'limited-risk', 'minimal-risk', 'unclassified', 'compliant', 'non-compliant'].map(f => (
+              <button
+                key={f}
+                onClick={() => setFilter(f)}
+                className={`px-3 py-1 text-sm rounded-full transition-colors ${
+                  filter === f
+                    ? 'bg-purple-600 text-white'
+                    : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
+                }`}
+              >
+                {f === 'all' ? 'Alle' :
+                 f === 'high-risk' ? 'Hochrisiko' :
+                 f === 'limited-risk' ? 'Begrenztes Risiko' :
+                 f === 'minimal-risk' ? 'Minimales Risiko' :
+                 f === 'unclassified' ? 'Nicht klassifiziert' :
+                 f === 'compliant' ? 'Konform' : 'Nicht konform'}
+              </button>
+            ))}
+          </div>
+
+          {/* Loading */}
+          {loading && <LoadingSkeleton />}
+
+          {/* AI Systems List */}
+          {!loading && (
+            <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
+              {filteredSystems.map(system => (
+                <AISystemCard
+                  key={system.id}
+                  system={system}
+                  onAssess={() => handleAssess(system.id)}
+                  onEdit={() => handleEdit(system)}
+                  onDelete={() => handleDelete(system.id)}
+                  assessing={assessingId === system.id}
+                />
+              ))}
+            </div>
+          )}
+
+          {!loading && filteredSystems.length === 0 && (
+            <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+              <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
+                <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                </svg>
+              </div>
+              <h3 className="text-lg font-semibold text-gray-900">Keine KI-Systeme gefunden</h3>
+              <p className="mt-2 text-gray-500">Passen Sie den Filter an oder registrieren Sie ein neues KI-System.</p>
+            </div>
+          )}
+        </>
       )}
 
-      {!loading && filteredSystems.length === 0 && (
-        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
-          <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
-            <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
-            </svg>
-          </div>
-          <h3 className="text-lg font-semibold text-gray-900">Keine KI-Systeme gefunden</h3>
-          <p className="mt-2 text-gray-500">Passen Sie den Filter an oder registrieren Sie ein neues KI-System.</p>
-        </div>
+      {/* Tab: Decision Tree */}
+      {activeTab === 'decision-tree' && (
+        <DecisionTreeWizard />
+      )}
+
+      {/* Tab: Results */}
+      {activeTab === 'results' && (
+        <SavedResultsTab />
       )}
     </div>
   )

admin-compliance/app/sdk/ai-registration/page.tsx

@@ -0,0 +1,491 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+
+interface Registration {
+  id: string
+  system_name: string
+  system_version: string
+  risk_classification: string
+  gpai_classification: string
+  registration_status: string
+  eu_database_id: string
+  provider_name: string
+  created_at: string
+}
+
+const STATUS_STYLES: Record<string, { bg: string; text: string; label: string }> = {
+  draft: { bg: 'bg-gray-100', text: 'text-gray-700', label: 'Entwurf' },
+  ready: { bg: 'bg-blue-100', text: 'text-blue-700', label: 'Bereit' },
+  submitted: { bg: 'bg-yellow-100', text: 'text-yellow-700', label: 'Eingereicht' },
+  registered: { bg: 'bg-green-100', text: 'text-green-700', label: 'Registriert' },
+  update_required: { bg: 'bg-orange-100', text: 'text-orange-700', label: 'Update noetig' },
+  withdrawn: { bg: 'bg-red-100', text: 'text-red-700', label: 'Zurueckgezogen' },
+}
+
+const RISK_STYLES: Record<string, { bg: string; text: string }> = {
+  high_risk: { bg: 'bg-red-100', text: 'text-red-700' },
+  limited_risk: { bg: 'bg-yellow-100', text: 'text-yellow-700' },
+  minimal_risk: { bg: 'bg-green-100', text: 'text-green-700' },
+  not_classified: { bg: 'bg-gray-100', text: 'text-gray-500' },
+}
+
+const INITIAL_FORM = {
+  system_name: '',
+  system_version: '1.0',
+  system_description: '',
+  intended_purpose: '',
+  provider_name: '',
+  provider_legal_form: '',
+  provider_address: '',
+  provider_country: 'DE',
+  eu_representative_name: '',
+  eu_representative_contact: '',
+  risk_classification: 'not_classified',
+  annex_iii_category: '',
+  gpai_classification: 'none',
+  conformity_assessment_type: 'internal',
+  notified_body_name: '',
+  notified_body_id: '',
+  ce_marking: false,
+  training_data_summary: '',
+}
+
+export default function AIRegistrationPage() {
+  const [registrations, setRegistrations] = useState<Registration[]>([])
+  const [loading, setLoading] = useState(true)
+  const [showWizard, setShowWizard] = useState(false)
+  const [wizardStep, setWizardStep] = useState(1)
+  const [form, setForm] = useState({ ...INITIAL_FORM })
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => { loadRegistrations() }, [])
+
+  async function loadRegistrations() {
+    try {
+      setLoading(true)
+      const resp = await fetch('/api/sdk/v1/ai-registration')
+      if (resp.ok) {
+        const data = await resp.json()
+        setRegistrations(data.registrations || [])
+      }
+    } catch {
+      setError('Fehler beim Laden')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  async function handleSubmit() {
+    setSubmitting(true)
+    try {
+      const resp = await fetch('/api/sdk/v1/ai-registration', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(form),
+      })
+      if (resp.ok) {
+        setShowWizard(false)
+        setForm({ ...INITIAL_FORM })
+        setWizardStep(1)
+        loadRegistrations()
+      } else {
+        const data = await resp.json()
+        setError(data.error || 'Fehler beim Erstellen')
+      }
+    } catch {
+      setError('Netzwerkfehler')
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  async function handleExport(id: string) {
+    try {
+      const resp = await fetch(`/api/sdk/v1/ai-registration/${id}`)
+      if (resp.ok) {
+        const reg = await resp.json()
+        // Build export JSON client-side
+        const exportData = {
+          schema_version: '1.0',
+          submission_type: 'ai_system_registration',
+          regulation: 'EU AI Act (EU) 2024/1689',
+          article: 'Art. 49',
+          provider: { name: reg.provider_name, address: reg.provider_address, country: reg.provider_country },
+          system: { name: reg.system_name, version: reg.system_version, description: reg.system_description, purpose: reg.intended_purpose },
+          classification: { risk_level: reg.risk_classification, annex_iii: reg.annex_iii_category, gpai: reg.gpai_classification },
+          conformity: { type: reg.conformity_assessment_type, ce_marking: reg.ce_marking },
+        }
+        const blob = new Blob([JSON.stringify(exportData, null, 2)], { type: 'application/json' })
+        const url = URL.createObjectURL(blob)
+        const a = document.createElement('a')
+        a.href = url
+        a.download = `eu_ai_registration_${reg.system_name.replace(/\s+/g, '_')}.json`
+        a.click()
+        URL.revokeObjectURL(url)
+      }
+    } catch {
+      setError('Export fehlgeschlagen')
+    }
+  }
+
+  async function handleStatusChange(id: string, status: string) {
+    try {
+      await fetch(`/api/sdk/v1/ai-registration/${id}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ status }),
+      })
+      loadRegistrations()
+    } catch {
+      setError('Status-Aenderung fehlgeschlagen')
+    }
+  }
+
+  const updateForm = (updates: Partial<typeof form>) => setForm(prev => ({ ...prev, ...updates }))
+
+  const STEPS = [
+    { id: 1, title: 'Anbieter', desc: 'Unternehmensangaben' },
+    { id: 2, title: 'System', desc: 'KI-System Details' },
+    { id: 3, title: 'Klassifikation', desc: 'Risikoeinstufung' },
+    { id: 4, title: 'Konformitaet', desc: 'CE & Notified Body' },
+    { id: 5, title: 'Trainingsdaten', desc: 'Datenzusammenfassung' },
+    { id: 6, title: 'Pruefung', desc: 'Zusammenfassung & Export' },
+  ]
+
+  return (
+    <div className="max-w-5xl mx-auto p-6">
+      {/* Header */}
+      <div className="flex items-center justify-between mb-8">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">EU AI Database Registrierung</h1>
+          <p className="text-sm text-gray-500 mt-1">Art. 49 KI-Verordnung (EU) 2024/1689 — Registrierung von Hochrisiko-KI-Systemen</p>
+        </div>
+        <button
+          onClick={() => setShowWizard(true)}
+          className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+        >
+          + Neue Registrierung
+        </button>
+      </div>
+
+      {error && (
+        <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg text-sm text-red-700">
+          {error}
+          <button onClick={() => setError(null)} className="ml-2 underline">Schliessen</button>
+        </div>
+      )}
+
+      {/* Stats */}
+      <div className="grid grid-cols-4 gap-4 mb-8">
+        {['draft', 'ready', 'submitted', 'registered'].map(status => {
+          const count = registrations.filter(r => r.registration_status === status).length
+          const style = STATUS_STYLES[status]
+          return (
+            <div key={status} className={`p-4 rounded-xl border ${style.bg}`}>
+              <div className={`text-2xl font-bold ${style.text}`}>{count}</div>
+              <div className="text-sm text-gray-600">{style.label}</div>
+            </div>
+          )
+        })}
+      </div>
+
+      {/* Registrations List */}
+      {loading ? (
+        <div className="text-center py-12 text-gray-500">Lade...</div>
+      ) : registrations.length === 0 ? (
+        <div className="text-center py-12 text-gray-400">
+          <p className="text-lg mb-2">Noch keine Registrierungen</p>
+          <p className="text-sm">Erstelle eine neue Registrierung fuer dein Hochrisiko-KI-System.</p>
+        </div>
+      ) : (
+        <div className="space-y-4">
+          {registrations.map(reg => {
+            const status = STATUS_STYLES[reg.registration_status] || STATUS_STYLES.draft
+            const risk = RISK_STYLES[reg.risk_classification] || RISK_STYLES.not_classified
+            return (
+              <div key={reg.id} className="bg-white rounded-xl border border-gray-200 p-6 hover:border-purple-300 transition-all">
+                <div className="flex items-center justify-between">
+                  <div>
+                    <div className="flex items-center gap-2 mb-1">
+                      <h3 className="text-lg font-semibold text-gray-900">{reg.system_name}</h3>
+                      <span className="text-sm text-gray-400">v{reg.system_version}</span>
+                      <span className={`px-2 py-0.5 text-xs rounded-full ${status.bg} ${status.text}`}>{status.label}</span>
+                      <span className={`px-2 py-0.5 text-xs rounded-full ${risk.bg} ${risk.text}`}>{reg.risk_classification.replace('_', ' ')}</span>
+                      {reg.gpai_classification !== 'none' && (
+                        <span className="px-2 py-0.5 text-xs rounded-full bg-blue-100 text-blue-700">GPAI: {reg.gpai_classification}</span>
+                      )}
+                    </div>
+                    <div className="text-sm text-gray-500">
+                      {reg.provider_name && <span>{reg.provider_name} · </span>}
+                      {reg.eu_database_id && <span>EU-ID: {reg.eu_database_id} · </span>}
+                      <span>{new Date(reg.created_at).toLocaleDateString('de-DE')}</span>
+                    </div>
+                  </div>
+                  <div className="flex gap-2">
+                    <button onClick={() => handleExport(reg.id)} className="px-3 py-1.5 text-sm border border-gray-300 rounded-lg hover:bg-gray-50">
+                      JSON Export
+                    </button>
+                    {reg.registration_status === 'draft' && (
+                      <button onClick={() => handleStatusChange(reg.id, 'ready')} className="px-3 py-1.5 text-sm bg-blue-600 text-white rounded-lg hover:bg-blue-700">
+                        Bereit markieren
+                      </button>
+                    )}
+                    {reg.registration_status === 'ready' && (
+                      <button onClick={() => handleStatusChange(reg.id, 'submitted')} className="px-3 py-1.5 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700">
+                        Als eingereicht markieren
+                      </button>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )
+          })}
+        </div>
+      )}
+
+      {/* Wizard Modal */}
+      {showWizard && (
+        <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50 p-4">
+          <div className="bg-white rounded-2xl shadow-2xl w-full max-w-3xl max-h-[90vh] overflow-y-auto">
+            <div className="p-6 border-b">
+              <div className="flex items-center justify-between mb-4">
+                <h2 className="text-xl font-bold text-gray-900">Neue EU AI Registrierung</h2>
+                <button onClick={() => { setShowWizard(false); setWizardStep(1) }} className="text-gray-400 hover:text-gray-600 text-2xl">&times;</button>
+              </div>
+              {/* Step Indicator */}
+              <div className="flex gap-1">
+                {STEPS.map(step => (
+                  <button key={step.id} onClick={() => setWizardStep(step.id)}
+                    className={`flex-1 py-2 text-xs rounded-lg transition-all ${
+                      wizardStep === step.id ? 'bg-purple-100 text-purple-700 font-medium' :
+                      wizardStep > step.id ? 'bg-green-50 text-green-700' : 'bg-gray-50 text-gray-400'
+                    }`}>
+                    {wizardStep > step.id ? '✓ ' : ''}{step.title}
+                  </button>
+                ))}
+              </div>
+            </div>
+
+            <div className="p-6 space-y-4">
+              {/* Step 1: Provider */}
+              {wizardStep === 1 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Anbieter-Informationen</h3>
+                  <p className="text-sm text-gray-500">Angaben zum Anbieter des KI-Systems gemaess Art. 49 KI-VO.</p>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Firmenname *</label>
+                      <input value={form.provider_name} onChange={e => updateForm({ provider_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Acme GmbH" />
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Rechtsform</label>
+                      <input value={form.provider_legal_form} onChange={e => updateForm({ provider_legal_form: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="GmbH" />
+                    </div>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Adresse</label>
+                    <input value={form.provider_address} onChange={e => updateForm({ provider_address: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Musterstr. 1, 20095 Hamburg" />
+                  </div>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Land</label>
+                      <select value={form.provider_country} onChange={e => updateForm({ provider_country: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                        <option value="DE">Deutschland</option>
+                        <option value="AT">Oesterreich</option>
+                        <option value="CH">Schweiz</option>
+                        <option value="OTHER">Anderes Land</option>
+                      </select>
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">EU-Repraesentant (falls Non-EU)</label>
+                      <input value={form.eu_representative_name} onChange={e => updateForm({ eu_representative_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Optional" />
+                    </div>
+                  </div>
+                </>
+              )}
+
+              {/* Step 2: System */}
+              {wizardStep === 2 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">KI-System Details</h3>
+                  <div className="grid grid-cols-2 gap-4">
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Systemname *</label>
+                      <input value={form.system_name} onChange={e => updateForm({ system_name: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="z.B. HR Copilot" />
+                    </div>
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Version</label>
+                      <input value={form.system_version} onChange={e => updateForm({ system_version: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="1.0" />
+                    </div>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Systembeschreibung</label>
+                    <textarea value={form.system_description} onChange={e => updateForm({ system_description: e.target.value })} rows={3}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Beschreibe was das KI-System tut..." />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Einsatzzweck (Intended Purpose)</label>
+                    <textarea value={form.intended_purpose} onChange={e => updateForm({ intended_purpose: e.target.value })} rows={2}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" placeholder="Wofuer wird das System eingesetzt?" />
+                  </div>
+                </>
+              )}
+
+              {/* Step 3: Classification */}
+              {wizardStep === 3 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Risiko-Klassifikation</h3>
+                  <p className="text-sm text-gray-500">Basierend auf dem AI Act Decision Tree oder manueller Einstufung.</p>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Risikoklasse</label>
+                    <select value={form.risk_classification} onChange={e => updateForm({ risk_classification: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="not_classified">Noch nicht klassifiziert</option>
+                      <option value="minimal_risk">Minimal Risk</option>
+                      <option value="limited_risk">Limited Risk</option>
+                      <option value="high_risk">High Risk</option>
+                    </select>
+                  </div>
+                  {form.risk_classification === 'high_risk' && (
+                    <div>
+                      <label className="block text-sm font-medium text-gray-700 mb-1">Annex III Kategorie</label>
+                      <select value={form.annex_iii_category} onChange={e => updateForm({ annex_iii_category: e.target.value })}
+                        className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                        <option value="">Bitte waehlen...</option>
+                        <option value="biometric">1. Biometrische Identifizierung</option>
+                        <option value="critical_infrastructure">2. Kritische Infrastruktur</option>
+                        <option value="education">3. Bildung und Berufsausbildung</option>
+                        <option value="employment">4. Beschaeftigung und Arbeitnehmerverwaltung</option>
+                        <option value="essential_services">5. Zugang zu wesentlichen Diensten</option>
+                        <option value="law_enforcement">6. Strafverfolgung</option>
+                        <option value="migration">7. Migration und Grenzkontrolle</option>
+                        <option value="justice">8. Rechtspflege und Demokratie</option>
+                      </select>
+                    </div>
+                  )}
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">GPAI Klassifikation</label>
+                    <select value={form.gpai_classification} onChange={e => updateForm({ gpai_classification: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="none">Kein GPAI</option>
+                      <option value="standard">GPAI (Standard)</option>
+                      <option value="systemic">GPAI mit systemischem Risiko</option>
+                    </select>
+                  </div>
+                  <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 text-sm text-blue-800">
+                    <strong>Tipp:</strong> Nutze den <a href="/sdk/ai-act" className="underline">AI Act Decision Tree</a> fuer eine strukturierte Klassifikation.
+                  </div>
+                </>
+              )}
+
+              {/* Step 4: Conformity */}
+              {wizardStep === 4 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Konformitaetsbewertung</h3>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Art der Konformitaetsbewertung</label>
+                    <select value={form.conformity_assessment_type} onChange={e => updateForm({ conformity_assessment_type: e.target.value })}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent">
+                      <option value="not_required">Nicht erforderlich</option>
+                      <option value="internal">Interne Konformitaetsbewertung</option>
+                      <option value="third_party">Drittpartei-Bewertung (Notified Body)</option>
+                    </select>
+                  </div>
+                  {form.conformity_assessment_type === 'third_party' && (
+                    <div className="grid grid-cols-2 gap-4">
+                      <div>
+                        <label className="block text-sm font-medium text-gray-700 mb-1">Notified Body Name</label>
+                        <input value={form.notified_body_name} onChange={e => updateForm({ notified_body_name: e.target.value })}
+                          className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+                      </div>
+                      <div>
+                        <label className="block text-sm font-medium text-gray-700 mb-1">Notified Body ID</label>
+                        <input value={form.notified_body_id} onChange={e => updateForm({ notified_body_id: e.target.value })}
+                          className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent" />
+                      </div>
+                    </div>
+                  )}
+                  <label className="flex items-center gap-3 p-3 rounded-lg border hover:bg-gray-50 cursor-pointer">
+                    <input type="checkbox" checked={form.ce_marking} onChange={e => updateForm({ ce_marking: e.target.checked })}
+                      className="w-4 h-4 rounded border-gray-300 text-purple-600" />
+                    <span className="text-sm font-medium text-gray-900">CE-Kennzeichnung angebracht</span>
+                  </label>
+                </>
+              )}
+
+              {/* Step 5: Training Data */}
+              {wizardStep === 5 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Trainingsdaten-Zusammenfassung</h3>
+                  <p className="text-sm text-gray-500">Art. 10 KI-VO — Keine vollstaendige Offenlegung, sondern Kategorien und Herkunft.</p>
+                  <div>
+                    <label className="block text-sm font-medium text-gray-700 mb-1">Zusammenfassung der Trainingsdaten</label>
+                    <textarea value={form.training_data_summary} onChange={e => updateForm({ training_data_summary: e.target.value })} rows={5}
+                      className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+                      placeholder="Beschreibe die verwendeten Datenquellen:&#10;- Oeffentliche Daten (z.B. Wikipedia, Common Crawl)&#10;- Lizenzierte Daten (z.B. Fachpublikationen)&#10;- Synthetische Daten&#10;- Unternehmensinterne Daten" />
+                  </div>
+                </>
+              )}
+
+              {/* Step 6: Review */}
+              {wizardStep === 6 && (
+                <>
+                  <h3 className="font-semibold text-gray-900">Zusammenfassung</h3>
+                  <div className="space-y-3 text-sm">
+                    <div className="grid grid-cols-2 gap-4 p-4 bg-gray-50 rounded-lg">
+                      <div><span className="text-gray-500">Anbieter:</span> <strong>{form.provider_name || '–'}</strong></div>
+                      <div><span className="text-gray-500">Land:</span> <strong>{form.provider_country}</strong></div>
+                      <div><span className="text-gray-500">System:</span> <strong>{form.system_name || '–'}</strong></div>
+                      <div><span className="text-gray-500">Version:</span> <strong>{form.system_version}</strong></div>
+                      <div><span className="text-gray-500">Risiko:</span> <strong>{form.risk_classification}</strong></div>
+                      <div><span className="text-gray-500">GPAI:</span> <strong>{form.gpai_classification}</strong></div>
+                      <div><span className="text-gray-500">Konformitaet:</span> <strong>{form.conformity_assessment_type}</strong></div>
+                      <div><span className="text-gray-500">CE:</span> <strong>{form.ce_marking ? 'Ja' : 'Nein'}</strong></div>
+                    </div>
+                    {form.intended_purpose && (
+                      <div className="p-4 bg-gray-50 rounded-lg">
+                        <span className="text-gray-500">Zweck:</span> {form.intended_purpose}
+                      </div>
+                    )}
+                  </div>
+                  <div className="bg-yellow-50 border border-yellow-200 rounded-lg p-4 text-sm text-yellow-800">
+                    <strong>Hinweis:</strong> Die EU AI Datenbank befindet sich noch im Aufbau. Die Registrierung wird lokal gespeichert und kann spaeter uebermittelt werden.
+                  </div>
+                </>
+              )}
+            </div>
+
+            {/* Navigation */}
+            <div className="p-6 border-t flex justify-between">
+              <button onClick={() => wizardStep > 1 ? setWizardStep(wizardStep - 1) : setShowWizard(false)}
+                className="px-4 py-2 text-gray-700 border rounded-lg hover:bg-gray-50">
+                {wizardStep === 1 ? 'Abbrechen' : 'Zurueck'}
+              </button>
+              {wizardStep < 6 ? (
+                <button onClick={() => setWizardStep(wizardStep + 1)}
+                  disabled={wizardStep === 2 && !form.system_name}
+                  className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50">
+                  Weiter
+                </button>
+              ) : (
+                <button onClick={handleSubmit} disabled={submitting || !form.system_name}
+                  className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50">
+                  {submitting ? 'Speichere...' : 'Registrierung erstellen'}
+                </button>
+              )}
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/architecture/architecture-data.ts

@@ -228,24 +228,39 @@ export const ARCH_SERVICES: ArchService[] = [
     dependsOn: ['qdrant', 'ollama', 'postgresql'],
   },
   {
-    id: 'document-crawler',
-    name: 'Document Crawler',
-    nameShort: 'Crawler',
+    id: 'control-pipeline',
+    name: 'Control Pipeline',
+    nameShort: 'Pipeline',
     layer: 'backend',
     tech: 'Python / FastAPI',
     port: 8098,
     url: 'https://macmini:8098',
-    container: 'bp-compliance-document-crawler',
-    description: 'Dokument-Analyse (PDF, DOCX, XLSX, PPTX), Gap-Analyse, IPFS-Archivierung.',
-    descriptionLong: 'Der Document Crawler nimmt hochgeladene Dokumente (PDF, DOCX, XLSX, PPTX) entgegen, extrahiert deren Inhalt und fuehrt eine Gap-Analyse gegen bestehende Compliance-Anforderungen durch. Dafuer leitet er die Textinhalte an den AI Compliance SDK weiter, der die semantische Analyse uebernimmt. Abgeschlossene Dokumente koennen ueber den DSMS-Service dezentral auf IPFS archiviert werden.',
-    dbTables: [],
-    ragCollections: [],
-    apiEndpoints: [
-      'POST /analyze',
-      'POST /gap-analysis',
-      'POST /archive',
+    container: 'bp-core-control-pipeline',
+    description: 'RAG-zu-Controls Pipeline: Control Generation, Pass 0a/0b, Ontology, Dedup, Dependency Engine, Applicability.',
+    descriptionLong: 'Die Control Pipeline ist das Herzsttueck der automatisierten Compliance-Control-Generierung. Sie verarbeitet ~105.000 RAG-Chunks aus EU/DE-Regulierungen in 6 Phasen: (1) RAG Ingestion, (2) 7-Stufen Control Generation (Lizenz-Gate + Claude LLM), (3) Pass 0a Obligation Extraction (~181k Obligations), (4) Pass 0b Atomic Composition (MCP-taugliche Controls mit assertion/pass_criteria/fail_criteria), (5) Embedding-basierte Deduplizierung mit LLM-Verifikation, (6) Dependency Engine (5 Typen: supersedes, prerequisite, compensating_control, scope_exclusion, conditional_requirement) mit automatischer Generierung via Ontology, Pattern-Regeln und Domain Packs (DSGVO, AI Act, CRA, Security, Arbeitsrecht). 126+ Tests, alle bestanden.',
+    dbTables: [
+      'canonical_controls', 'obligation_candidates', 'control_parent_links',
+      'control_dependencies', 'control_evaluation_results',
+      'canonical_processed_chunks', 'canonical_generation_jobs',
+      'control_dedup_reviews', 'control_patterns',
     ],
-    dependsOn: ['ai-compliance-sdk', 'dsms'],
+    ragCollections: [
+      'bp_compliance_gesetze', 'bp_compliance_datenschutz',
+      'bp_compliance_ce', 'bp_dsfa_corpus', 'bp_legal_templates',
+    ],
+    apiEndpoints: [
+      'POST /v1/canonical/generate',
+      'GET /v1/canonical/controls',
+      'POST /v1/canonical/controls/applicable',
+      'POST /v1/canonical/generate/submit-pass0b',
+      'POST /v1/canonical/generate/process-batch',
+      'GET /v1/canonical/generate/quality-metrics',
+      'POST /v1/dependencies/generate',
+      'POST /v1/dependencies/evaluate',
+      'GET /v1/dependencies/graph',
+      'POST /v1/document-compliance/required',
+    ],
+    dependsOn: ['postgresql', 'qdrant', 'ollama'],
   },
   {
     id: 'compliance-tts',
@@ -383,7 +398,7 @@ export const ARCH_EDGES: ArchEdge[] = [
   // Frontend → Backend
   { source: 'admin-compliance', target: 'backend-compliance', label: 'REST API' },
   { source: 'admin-compliance', target: 'ai-compliance-sdk', label: 'REST API' },
-  { source: 'admin-compliance', target: 'document-crawler', label: 'REST API' },
+  { source: 'admin-compliance', target: 'control-pipeline', label: 'REST API' },
 
   // Backend → Infrastructure
   { source: 'backend-compliance', target: 'postgresql', label: 'SQLAlchemy' },
@@ -392,12 +407,9 @@ export const ARCH_EDGES: ArchEdge[] = [
   { source: 'ai-compliance-sdk', target: 'ollama', label: 'LLM Inference' },
   { source: 'ai-compliance-sdk', target: 'postgresql', label: 'GORM' },
   { source: 'compliance-tts', target: 'minio', label: 'Audio/Video' },
-
-  // Backend → Backend
-  { source: 'document-crawler', target: 'ai-compliance-sdk', label: 'LLM Gateway' },
-
-  // Backend → Data Sovereignty
-  { source: 'document-crawler', target: 'dsms', label: 'IPFS Archive' },
+  { source: 'control-pipeline', target: 'postgresql', label: 'SQLAlchemy' },
+  { source: 'control-pipeline', target: 'qdrant', label: 'Embedding + Dedup' },
+  { source: 'control-pipeline', target: 'ollama', label: 'LLM Dedup (qwen3.5)' },
 ]
 
 // =============================================================================

admin-compliance/app/sdk/compliance-optimizer/[id]/page.tsx

@@ -0,0 +1,156 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+import { useParams } from 'next/navigation'
+import Link from 'next/link'
+import { ZoneBadge } from '@/components/sdk/compliance-optimizer/ZoneBadge'
+import { DimensionZoneTable } from '@/components/sdk/compliance-optimizer/DimensionZoneTable'
+import { ConfigComparison } from '@/components/sdk/compliance-optimizer/ConfigComparison'
+import { OptimizationScoreCard } from '@/components/sdk/compliance-optimizer/OptimizationScoreCard'
+
+export default function OptimizationDetailPage() {
+  const params = useParams()
+  const id = params?.id as string
+  const [data, setData] = useState<any>(null)
+  const [loading, setLoading] = useState(true)
+  const [activeVariant, setActiveVariant] = useState(0)
+
+  useEffect(() => {
+    if (!id) return
+    fetch(`/api/sdk/v1/maximizer/optimizations/${id}`)
+      .then((r) => r.ok ? r.json() : null)
+      .then(setData)
+      .finally(() => setLoading(false))
+  }, [id])
+
+  if (loading) return <div className="max-w-6xl mx-auto p-6 text-gray-500">Laden...</div>
+  if (!data) return <div className="max-w-6xl mx-auto p-6 text-red-600">Optimierung nicht gefunden.</div>
+
+  const maxSafe = data.max_safe_config
+  const variants = data.variants || []
+  const zones = data.zone_map || {}
+  const controls = data.original_evaluation?.required_controls || []
+  const patterns = data.original_evaluation?.required_patterns || []
+  const triggered = data.original_evaluation?.triggered_rules || []
+
+  return (
+    <div className="max-w-6xl mx-auto p-6 space-y-6">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <Link href="/sdk/compliance-optimizer" className="text-sm text-blue-600 hover:underline">← Zurueck</Link>
+          <h1 className="text-2xl font-bold text-gray-900 mt-1">{data.title || 'Optimierung'}</h1>
+          <p className="text-sm text-gray-500">{new Date(data.created_at).toLocaleString('de-DE')} — v{data.constraint_version}</p>
+          {data.assessment_id && (
+            <Link href={`/sdk/use-cases/${data.assessment_id}`} className="text-sm text-purple-600 hover:underline">
+              Basierend auf Assessment
+            </Link>
+          )}
+        </div>
+        <ZoneBadge zone={data.is_compliant ? 'SAFE' : 'FORBIDDEN'} />
+      </div>
+
+      {/* 3-Zone Summary */}
+      <div className="bg-white border border-gray-200 rounded-lg p-4">
+        <h2 className="text-lg font-semibold text-gray-800 mb-3">3-Zonen-Analyse</h2>
+        <DimensionZoneTable zoneMap={zones} />
+      </div>
+
+      {/* Optimization Result */}
+      {maxSafe && (
+        <div className="bg-white border border-gray-200 rounded-lg p-4">
+          <h2 className="text-lg font-semibold text-gray-800 mb-3">Optimierte Konfiguration</h2>
+          <OptimizationScoreCard
+            safetyScore={maxSafe.safety_score}
+            utilityScore={maxSafe.utility_score}
+            compositeScore={maxSafe.composite_score}
+            deltaCount={maxSafe.delta_count}
+          />
+          <div className="mt-4">
+            <ConfigComparison deltas={maxSafe.deltas || []} />
+          </div>
+          {maxSafe.rationale && (
+            <p className="mt-3 text-sm text-gray-600 italic">{maxSafe.rationale}</p>
+          )}
+        </div>
+      )}
+
+      {/* Alternative Variants */}
+      {variants.length > 1 && (
+        <div className="bg-white border border-gray-200 rounded-lg p-4">
+          <h2 className="text-lg font-semibold text-gray-800 mb-3">Alternative Varianten ({variants.length})</h2>
+          <div className="flex gap-2 mb-3">
+            {variants.map((v: any, i: number) => (
+              <button key={i} onClick={() => setActiveVariant(i)}
+                className={`px-3 py-1 text-sm rounded ${i === activeVariant ? 'bg-blue-600 text-white' : 'bg-gray-100 text-gray-700 hover:bg-gray-200'}`}>
+                Variante {i + 1}
+              </button>
+            ))}
+          </div>
+          {variants[activeVariant] && (
+            <div>
+              <div className="flex items-center gap-4 mb-2 text-sm text-gray-600">
+                <span>Sicherheit: {variants[activeVariant].safety_score}</span>
+                <span>Nutzen: {variants[activeVariant].utility_score}</span>
+                <span>Gesamt: {Math.round(variants[activeVariant].composite_score)}</span>
+              </div>
+              <ConfigComparison deltas={variants[activeVariant].deltas || []} />
+              {variants[activeVariant].rationale && (
+                <p className="mt-2 text-sm text-gray-500 italic">{variants[activeVariant].rationale}</p>
+              )}
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* Required Controls & Patterns */}
+      {(controls.length > 0 || patterns.length > 0) && (
+        <div className="bg-white border border-gray-200 rounded-lg p-4">
+          <h2 className="text-lg font-semibold text-gray-800 mb-3">Erforderliche Massnahmen</h2>
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+            {controls.length > 0 && (
+              <div>
+                <h4 className="text-sm font-medium text-gray-700 mb-2">Controls</h4>
+                <ul className="space-y-1">
+                  {controls.map((c: string, i: number) => (
+                    <li key={i} className="text-sm text-gray-600 flex items-center gap-2">
+                      <span className="w-1.5 h-1.5 bg-blue-500 rounded-full" />{c}
+                    </li>
+                  ))}
+                </ul>
+              </div>
+            )}
+            {patterns.length > 0 && (
+              <div>
+                <h4 className="text-sm font-medium text-gray-700 mb-2">Architektur-Patterns</h4>
+                <ul className="space-y-1">
+                  {patterns.map((p: string, i: number) => (
+                    <li key={i} className="text-sm text-gray-600 flex items-center gap-2">
+                      <span className="w-1.5 h-1.5 bg-purple-500 rounded-full" />{p}
+                    </li>
+                  ))}
+                </ul>
+              </div>
+            )}
+          </div>
+        </div>
+      )}
+
+      {/* Triggered Rules (Audit Trail) */}
+      {triggered.length > 0 && (
+        <div className="bg-white border border-gray-200 rounded-lg p-4">
+          <h2 className="text-lg font-semibold text-gray-800 mb-3">Ausgeloeste Regeln ({triggered.length})</h2>
+          <div className="space-y-2">
+            {triggered.map((r: any, i: number) => (
+              <div key={i} className="flex items-start gap-3 text-sm border-b border-gray-100 pb-2">
+                <span className="font-mono text-xs text-gray-400 min-w-[120px]">{r.rule_id}</span>
+                <span className="text-gray-700">{r.title}</span>
+                <span className="text-gray-400 ml-auto text-xs">{r.article_ref}</span>
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/compliance-optimizer/new/page.tsx

@@ -0,0 +1,195 @@
+'use client'
+
+import React, { useState, useEffect, Suspense } from 'react'
+import { useRouter, useSearchParams } from 'next/navigation'
+import { ZoneBadge } from '@/components/sdk/compliance-optimizer/ZoneBadge'
+
+interface DimensionField {
+  key: string
+  label: string
+  options: { value: string; label: string }[]
+  type?: 'select' | 'toggle'
+}
+
+const DIMENSIONS: DimensionField[] = [
+  { key: 'automation_level', label: 'Automatisierungsgrad', options: [
+    { value: 'none', label: 'Keine' }, { value: 'assistive', label: 'Assistierend' },
+    { value: 'partial', label: 'Teilautomatisiert' }, { value: 'full', label: 'Vollautomatisiert' },
+  ]},
+  { key: 'decision_binding', label: 'Entscheidungsbindung', options: [
+    { value: 'non_binding', label: 'Unverbindlich' }, { value: 'human_review_required', label: 'Mensch entscheidet' },
+    { value: 'fully_binding', label: 'Vollstaendig bindend' },
+  ]},
+  { key: 'decision_impact', label: 'Entscheidungswirkung', options: [
+    { value: 'low', label: 'Niedrig' }, { value: 'medium', label: 'Mittel' }, { value: 'high', label: 'Hoch' },
+  ]},
+  { key: 'domain', label: 'Branche', options: [
+    { value: 'hr', label: 'HR / Personal' }, { value: 'finance', label: 'Finanzen' },
+    { value: 'education', label: 'Bildung' }, { value: 'health', label: 'Gesundheit' },
+    { value: 'marketing', label: 'Marketing' }, { value: 'general', label: 'Allgemein' },
+  ]},
+  { key: 'data_type', label: 'Datensensitivitaet', options: [
+    { value: 'non_personal', label: 'Keine personenbezogenen' }, { value: 'personal', label: 'Personenbezogen' },
+    { value: 'sensitive', label: 'Besondere Kategorien (Art. 9)' }, { value: 'biometric', label: 'Biometrisch' },
+  ]},
+  { key: 'human_in_loop', label: 'Menschliche Kontrolle', options: [
+    { value: 'required', label: 'Erforderlich' }, { value: 'optional', label: 'Optional' }, { value: 'none', label: 'Keine' },
+  ]},
+  { key: 'explainability', label: 'Erklaerbarkeit', options: [
+    { value: 'high', label: 'Hoch' }, { value: 'basic', label: 'Basis' }, { value: 'none', label: 'Keine' },
+  ]},
+  { key: 'risk_classification', label: 'Risikoklasse (AI Act)', options: [
+    { value: 'minimal', label: 'Minimal' }, { value: 'limited', label: 'Begrenzt' },
+    { value: 'high', label: 'Hoch' }, { value: 'prohibited', label: 'Verboten' },
+  ]},
+  { key: 'legal_basis', label: 'Rechtsgrundlage (DSGVO)', options: [
+    { value: 'consent', label: 'Einwilligung' }, { value: 'contract', label: 'Vertrag' },
+    { value: 'legal_obligation', label: 'Rechtl. Verpflichtung' },
+    { value: 'legitimate_interest', label: 'Berechtigtes Interesse' },
+    { value: 'public_interest', label: 'Oeffentl. Interesse' },
+  ]},
+  { key: 'model_type', label: 'Modelltyp', options: [
+    { value: 'rule_based', label: 'Regelbasiert' }, { value: 'statistical', label: 'Statistisch / ML' },
+    { value: 'blackbox_llm', label: 'Blackbox / LLM' },
+  ]},
+  { key: 'deployment_scope', label: 'Einsatzbereich', options: [
+    { value: 'internal', label: 'Intern' }, { value: 'external', label: 'Extern (Kunden)' },
+    { value: 'public', label: 'Oeffentlich' },
+  ]},
+]
+
+const TOGGLE_DIMENSIONS = [
+  { key: 'transparency_required', label: 'Transparenzpflicht' },
+  { key: 'logging_required', label: 'Protokollierungspflicht' },
+]
+
+function NewOptimizationPageInner() {
+  const router = useRouter()
+  const searchParams = useSearchParams()
+  const fromAssessment = searchParams.get('from_assessment')
+  const [autoOptimizing, setAutoOptimizing] = useState(false)
+  const [title, setTitle] = useState('')
+
+  useEffect(() => {
+    if (!fromAssessment) return
+    setAutoOptimizing(true)
+    fetch(`/api/sdk/v1/maximizer/optimize-from-assessment/${fromAssessment}`, { method: 'POST' })
+      .then(r => r.ok ? r.json() : Promise.reject('failed'))
+      .then(data => router.push(`/sdk/compliance-optimizer/${data.id}`))
+      .catch(() => setAutoOptimizing(false))
+  }, [fromAssessment, router])
+  const [config, setConfig] = useState<Record<string, string>>({
+    automation_level: 'assistive', decision_binding: 'non_binding', decision_impact: 'low',
+    domain: 'general', data_type: 'non_personal', human_in_loop: 'required',
+    explainability: 'basic', risk_classification: 'minimal', legal_basis: 'contract',
+    transparency_required: 'false', logging_required: 'false',
+    model_type: 'rule_based', deployment_scope: 'internal',
+  })
+  const [preview, setPreview] = useState<Record<string, { zone: string }> | null>(null)
+  const [submitting, setSubmitting] = useState(false)
+
+  async function handlePreview() {
+    try {
+      const body = { ...config, transparency_required: config.transparency_required === 'true', logging_required: config.logging_required === 'true' }
+      const res = await fetch('/api/sdk/v1/maximizer/evaluate', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
+      if (res.ok) {
+        const data = await res.json()
+        setPreview(data.zone_map || {})
+      }
+    } catch { /* silent */ }
+  }
+
+  async function handleSubmit() {
+    setSubmitting(true)
+    try {
+      const body = {
+        config: { ...config, transparency_required: config.transparency_required === 'true', logging_required: config.logging_required === 'true' },
+        title: title || 'Optimierung ' + new Date().toLocaleDateString('de-DE'),
+      }
+      const res = await fetch('/api/sdk/v1/maximizer/optimize', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) })
+      if (res.ok) {
+        const data = await res.json()
+        router.push(`/sdk/compliance-optimizer/${data.id}`)
+      }
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  if (autoOptimizing) {
+    return (
+      <div className="max-w-4xl mx-auto p-6 text-center py-24">
+        <div className="animate-pulse">
+          <span className="text-4xl">📊</span>
+          <h2 className="text-xl font-bold text-gray-900 mt-4 mb-2">Optimierung laeuft...</h2>
+          <p className="text-sm text-gray-500">Assessment wird analysiert und optimale Konfiguration berechnet.</p>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div className="max-w-4xl mx-auto p-6">
+      <h1 className="text-2xl font-bold text-gray-900 mb-1">Neue Optimierung</h1>
+      <p className="text-sm text-gray-500 mb-6">Konfigurieren Sie Ihren KI-Use-Case und finden Sie den maximalen regulatorischen Spielraum.</p>
+
+      <div className="mb-4">
+        <label className="block text-sm font-medium text-gray-700 mb-1">Titel</label>
+        <input type="text" value={title} onChange={(e) => setTitle(e.target.value)} placeholder="z.B. HR Bewerber-Ranking"
+          className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm" />
+      </div>
+
+      <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+        {DIMENSIONS.map((dim) => (
+          <div key={dim.key}>
+            <label className="block text-sm font-medium text-gray-700 mb-1">
+              {dim.label}
+              {preview && preview[dim.key] && (
+                <span className="ml-2"><ZoneBadge zone={preview[dim.key].zone as 'FORBIDDEN' | 'RESTRICTED' | 'SAFE'} /></span>
+              )}
+            </label>
+            <select
+              value={config[dim.key]}
+              onChange={(e) => { setConfig({ ...config, [dim.key]: e.target.value }); setPreview(null) }}
+              className="w-full border border-gray-300 rounded-lg px-3 py-2 text-sm bg-white"
+            >
+              {dim.options.map((o) => <option key={o.value} value={o.value}>{o.label}</option>)}
+            </select>
+          </div>
+        ))}
+
+        {TOGGLE_DIMENSIONS.map((dim) => (
+          <div key={dim.key} className="flex items-center gap-3">
+            <input type="checkbox" checked={config[dim.key] === 'true'}
+              onChange={(e) => { setConfig({ ...config, [dim.key]: String(e.target.checked) }); setPreview(null) }}
+              className="h-4 w-4 rounded border-gray-300 text-blue-600" />
+            <label className="text-sm font-medium text-gray-700">
+              {dim.label}
+              {preview && preview[dim.key] && (
+                <span className="ml-2"><ZoneBadge zone={preview[dim.key].zone as 'FORBIDDEN' | 'RESTRICTED' | 'SAFE'} /></span>
+              )}
+            </label>
+          </div>
+        ))}
+      </div>
+
+      <div className="flex gap-3">
+        <button onClick={handlePreview} className="border border-gray-300 text-gray-700 px-4 py-2 rounded-lg hover:bg-gray-50 text-sm">
+          Vorschau (3-Zonen-Check)
+        </button>
+        <button onClick={handleSubmit} disabled={submitting}
+          className="bg-blue-600 text-white px-6 py-2 rounded-lg hover:bg-blue-700 text-sm font-medium disabled:opacity-50">
+          {submitting ? 'Optimiere...' : 'Optimieren'}
+        </button>
+      </div>
+    </div>
+  )
+}
+
+export default function NewOptimizationPage() {
+  return (
+    <Suspense fallback={<div className="max-w-4xl mx-auto p-6 text-gray-500">Laden...</div>}>
+      <NewOptimizationPageInner />
+    </Suspense>
+  )
+}

admin-compliance/app/sdk/compliance-optimizer/page.tsx

@@ -0,0 +1,135 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+import Link from 'next/link'
+import { ZoneBadge } from '@/components/sdk/compliance-optimizer/ZoneBadge'
+
+interface OptimizationSummary {
+  id: string
+  title: string
+  is_compliant: boolean
+  constraint_version: string
+  created_at: string
+  zone_map: Record<string, { zone: 'FORBIDDEN' | 'RESTRICTED' | 'SAFE' }>
+  max_safe_config?: { safety_score: number; utility_score: number }
+  assessment_id?: string
+}
+
+function countZones(zoneMap: Record<string, { zone: string }>) {
+  let forbidden = 0, restricted = 0, safe = 0
+  for (const v of Object.values(zoneMap || {})) {
+    if (v.zone === 'FORBIDDEN') forbidden++
+    else if (v.zone === 'RESTRICTED') restricted++
+    else safe++
+  }
+  return { forbidden, restricted, safe }
+}
+
+export default function ComplianceOptimizerPage() {
+  const [optimizations, setOptimizations] = useState<OptimizationSummary[]>([])
+  const [loading, setLoading] = useState(true)
+  const [total, setTotal] = useState(0)
+
+  useEffect(() => {
+    fetchOptimizations()
+  }, [])
+
+  async function fetchOptimizations() {
+    try {
+      setLoading(true)
+      const res = await fetch('/api/sdk/v1/maximizer/optimizations?limit=20')
+      if (res.ok) {
+        const data = await res.json()
+        setOptimizations(data.optimizations || [])
+        setTotal(data.total || 0)
+      }
+    } catch {
+      // silent
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className="max-w-6xl mx-auto p-6">
+      <div className="flex items-center justify-between mb-6">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">Compliance Optimizer</h1>
+          <p className="text-sm text-gray-500 mt-1">
+            Regulatorischen Spielraum maximieren — KI-Use-Cases optimal konfigurieren
+          </p>
+        </div>
+        <Link
+          href="/sdk/compliance-optimizer/new"
+          className="bg-blue-600 text-white px-4 py-2 rounded-lg hover:bg-blue-700 text-sm font-medium"
+        >
+          Neue Optimierung
+        </Link>
+      </div>
+
+      {loading ? (
+        <div className="text-center py-12 text-gray-500">Laden...</div>
+      ) : optimizations.length === 0 ? (
+        <div className="text-center py-12 bg-gray-50 rounded-lg border border-gray-200">
+          <p className="text-gray-600 mb-2">Noch keine Optimierungen durchgefuehrt.</p>
+          <Link href="/sdk/compliance-optimizer/new" className="text-blue-600 hover:underline text-sm">
+            Erste Optimierung starten
+          </Link>
+        </div>
+      ) : (
+        <div className="bg-white border border-gray-200 rounded-lg overflow-hidden">
+          <table className="min-w-full divide-y divide-gray-200">
+            <thead className="bg-gray-50">
+              <tr>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Titel</th>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Status</th>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Zonen</th>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Quelle</th>
+                <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">Datum</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-200">
+              {optimizations.map((o) => {
+                const zones = countZones(o.zone_map)
+                return (
+                  <tr key={o.id} className="hover:bg-gray-50">
+                    <td className="px-4 py-3">
+                      <Link href={`/sdk/compliance-optimizer/${o.id}`} className="text-blue-600 hover:underline font-medium text-sm">
+                        {o.title || 'Ohne Titel'}
+                      </Link>
+                    </td>
+                    <td className="px-4 py-3">
+                      <ZoneBadge zone={o.is_compliant ? 'SAFE' : 'FORBIDDEN'} />
+                    </td>
+                    <td className="px-4 py-3 text-sm text-gray-600">
+                      {zones.forbidden > 0 && <span className="text-red-600 mr-2">{zones.forbidden} verboten</span>}
+                      {zones.restricted > 0 && <span className="text-yellow-600 mr-2">{zones.restricted} eingeschraenkt</span>}
+                      <span className="text-green-600">{zones.safe} erlaubt</span>
+                    </td>
+                    <td className="px-4 py-3 text-sm">
+                      {o.assessment_id ? (
+                        <Link href={`/sdk/use-cases/${o.assessment_id}`} className="text-purple-600 hover:underline text-xs">
+                          Assessment
+                        </Link>
+                      ) : (
+                        <span className="text-gray-400 text-xs">Manuell</span>
+                      )}
+                    </td>
+                    <td className="px-4 py-3 text-sm text-gray-500">
+                      {new Date(o.created_at).toLocaleDateString('de-DE')}
+                    </td>
+                  </tr>
+                )
+              })}
+            </tbody>
+          </table>
+          {total > 20 && (
+            <div className="px-4 py-3 bg-gray-50 text-sm text-gray-500">
+              {total} Optimierungen insgesamt
+            </div>
+          )}
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/consent-management/_components/DeadlineTab.tsx

@@ -0,0 +1,90 @@
+'use client'
+
+import Link from 'next/link'
+
+interface DeadlineConfig {
+  gracePeriodDays: number
+  reminderDays: number[]
+  suspendOnExpiry: boolean
+}
+
+export function DeadlineTab() {
+  // Phase 4: Deadline management — backend service pending (Core integration)
+  const config: DeadlineConfig = {
+    gracePeriodDays: 30,
+    reminderDays: [28, 21, 14, 7],
+    suspendOnExpiry: true,
+  }
+
+  return (
+    <div className="p-6 space-y-6">
+      <div className="flex items-center justify-between">
+        <h2 className="text-lg font-semibold text-slate-900">Fristen & Erinnerungen</h2>
+        <span className="px-2 py-1 bg-yellow-100 text-yellow-700 rounded text-xs">In Vorbereitung</span>
+      </div>
+
+      <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 text-sm text-blue-800">
+        Das Fristen-System wird automatisch Erinnerungen an Nutzer senden, die neue Pflichtdokumente
+        noch nicht akzeptiert haben. Nach Ablauf der Frist wird der Account gesperrt bis die Zustimmung erfolgt.
+        Die E-Mail-Zustellung wird ueber den Core-Service in Production bereitgestellt.
+      </div>
+
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <div className="border border-slate-200 rounded-lg p-4">
+          <h3 className="text-sm font-medium text-slate-700">Nachfrist</h3>
+          <p className="text-2xl font-bold text-slate-900 mt-1">{config.gracePeriodDays} Tage</p>
+          <p className="text-xs text-slate-500 mt-1">Nach Veroeffentlichung eines Pflichtdokuments</p>
+        </div>
+        <div className="border border-slate-200 rounded-lg p-4">
+          <h3 className="text-sm font-medium text-slate-700">Erinnerungen</h3>
+          <p className="text-2xl font-bold text-slate-900 mt-1">{config.reminderDays.length}x</p>
+          <p className="text-xs text-slate-500 mt-1">
+            Tag {config.reminderDays.join(', ')} nach Veroeffentlichung
+          </p>
+        </div>
+        <div className="border border-slate-200 rounded-lg p-4">
+          <h3 className="text-sm font-medium text-slate-700">Auto-Sperrung</h3>
+          <p className="text-2xl font-bold text-slate-900 mt-1">{config.suspendOnExpiry ? 'Aktiv' : 'Inaktiv'}</p>
+          <p className="text-xs text-slate-500 mt-1">Account wird nach Fristablauf gesperrt</p>
+        </div>
+      </div>
+
+      <div className="border border-slate-200 rounded-lg p-4">
+        <h3 className="text-sm font-medium text-slate-700 mb-3">Erinnerungs-Timeline</h3>
+        <div className="flex items-center gap-1">
+          {Array.from({ length: 30 }, (_, i) => {
+            const day = 30 - i
+            const isReminder = config.reminderDays.includes(day)
+            const isDeadline = day === 0
+            return (
+              <div key={i} className="flex-1 relative group">
+                <div className={`h-2 rounded-sm ${
+                  isDeadline ? 'bg-red-500' : isReminder ? 'bg-yellow-400' : 'bg-slate-100'
+                }`} />
+                {isReminder && (
+                  <span className="absolute -top-5 left-1/2 -translate-x-1/2 text-[10px] text-yellow-600 whitespace-nowrap">
+                    Tag {day}
+                  </span>
+                )}
+              </div>
+            )
+          })}
+          <div className="flex-none w-3 h-2 bg-red-500 rounded-sm" title="Sperrung" />
+        </div>
+        <div className="flex justify-between mt-1 text-[10px] text-slate-400">
+          <span>Veroeffentlichung</span>
+          <span>Sperrung</span>
+        </div>
+      </div>
+
+      <div className="flex gap-3">
+        <Link href="/sdk/email-templates" className="text-sm text-purple-600 hover:underline">
+          E-Mail-Templates konfigurieren →
+        </Link>
+        <Link href="/sdk/dsr" className="text-sm text-purple-600 hover:underline">
+          Betroffenenrechte verwalten →
+        </Link>
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/consent-management/_components/IntegrationStubs.tsx

@@ -0,0 +1,72 @@
+'use client'
+
+const INTEGRATIONS = [
+  {
+    id: 'matrix',
+    name: 'Matrix Kommunikation',
+    description: 'Sichere, verschluesselte Kommunikation mit Betroffenen ueber Matrix-Protokoll. Wird in Production ueber den Core Communication Service bereitgestellt.',
+    status: 'planned',
+    icon: '💬',
+  },
+  {
+    id: 'jitsi',
+    name: 'Jitsi Video-Meetings',
+    description: 'DSGVO-konforme Video-Konsultationen mit Betroffenen fuer komplexe Datenschutzanfragen. Wird ueber den Core Jitsi Service bereitgestellt.',
+    status: 'planned',
+    icon: '📹',
+  },
+  {
+    id: 'oauth',
+    name: 'OAuth 2.0 Client-Verwaltung',
+    description: 'Verwaltung von OAuth-Clients fuer API-Zugriff auf Consent-Endpunkte. Authorization Code Flow mit PKCE-Support.',
+    status: 'planned',
+    icon: '🔑',
+  },
+  {
+    id: '2fa',
+    name: 'Zwei-Faktor-Authentifizierung',
+    description: 'TOTP-basierte Zwei-Faktor-Authentifizierung fuer Admin-Zugang. Recovery-Codes fuer Notfallzugriff.',
+    status: 'planned',
+    icon: '🛡️',
+  },
+  {
+    id: 'notifications',
+    name: 'Benachrichtigungssystem',
+    description: 'In-App und E-Mail Benachrichtigungen fuer Consent-Aenderungen, DSR-Fristen und Dokument-Updates. Praeferenz-Verwaltung pro Nutzer.',
+    status: 'planned',
+    icon: '🔔',
+  },
+]
+
+export function IntegrationStubs() {
+  return (
+    <div className="p-6 space-y-4">
+      <div className="flex items-center justify-between mb-2">
+        <h2 className="text-lg font-semibold text-slate-900">Integrationen</h2>
+        <span className="px-2 py-1 bg-blue-100 text-blue-700 rounded text-xs">Production-Anbindung</span>
+      </div>
+
+      <p className="text-sm text-slate-500">
+        Diese Dienste werden in Production ueber die Core-Services bereitgestellt und sind
+        im SDK vorbereitet.
+      </p>
+
+      <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+        {INTEGRATIONS.map(integration => (
+          <div key={integration.id} className="border border-slate-200 rounded-lg p-4 bg-slate-50">
+            <div className="flex items-start gap-3">
+              <span className="text-2xl">{integration.icon}</span>
+              <div className="flex-1">
+                <div className="flex items-center gap-2">
+                  <h3 className="text-sm font-medium text-slate-800">{integration.name}</h3>
+                  <span className="px-1.5 py-0.5 bg-yellow-100 text-yellow-700 rounded text-[10px]">Geplant</span>
+                </div>
+                <p className="text-xs text-slate-500 mt-1">{integration.description}</p>
+              </div>
+            </div>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}

admin-compliance/app/sdk/consent-management/_components/VersionsTab.tsx

@@ -2,18 +2,28 @@
 
 import type { Document, Version } from '../_types'
 
+const STATUS_STYLES: Record<string, { label: string; color: string }> = {
+  draft: { label: 'Entwurf', color: 'bg-gray-100 text-gray-700' },
+  review: { label: 'Pruefung', color: 'bg-yellow-100 text-yellow-700' },
+  approved: { label: 'Genehmigt', color: 'bg-blue-100 text-blue-700' },
+  published: { label: 'Publiziert', color: 'bg-green-100 text-green-700' },
+  archived: { label: 'Archiviert', color: 'bg-gray-100 text-gray-400' },
+  rejected: { label: 'Abgelehnt', color: 'bg-red-100 text-red-700' },
+}
+
 export function VersionsTab({
-  loading,
-  documents,
-  versions,
-  selectedDocument,
-  setSelectedDocument,
+  loading, documents, versions, selectedDocument, setSelectedDocument,
+  onSubmitReview, onApprove, onReject, onPublish,
 }: {
   loading: boolean
   documents: Document[]
   versions: Version[]
   selectedDocument: string
   setSelectedDocument: (id: string) => void
+  onSubmitReview?: (versionId: string) => void
+  onApprove?: (versionId: string) => void
+  onReject?: (versionId: string, comment: string) => void
+  onPublish?: (versionId: string) => void
 }) {
   return (
     <div className="p-6">
@@ -27,73 +37,69 @@ export function VersionsTab({
           >
             <option value="">Dokument auswaehlen...</option>
             {documents.map((doc) => (
-              <option key={doc.id} value={doc.id}>
-                {doc.name}
-              </option>
+              <option key={doc.id} value={doc.id}>{doc.name}</option>
             ))}
           </select>
         </div>
-        {selectedDocument && (
-          <button className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors text-sm font-medium">
-            + Neue Version
-          </button>
-        )}
       </div>
 
       {!selectedDocument ? (
-        <div className="text-center py-12 text-slate-500">
-          Bitte waehlen Sie ein Dokument aus
-        </div>
+        <div className="text-center py-12 text-slate-500">Bitte waehlen Sie ein Dokument aus</div>
       ) : loading ? (
         <div className="text-center py-12 text-slate-500">Lade Versionen...</div>
       ) : versions.length === 0 ? (
-        <div className="text-center py-12 text-slate-500">
-          Keine Versionen vorhanden
-        </div>
+        <div className="text-center py-12 text-slate-500">Keine Versionen vorhanden</div>
       ) : (
         <div className="space-y-4">
-          {versions.map((version) => (
-            <div
-              key={version.id}
-              className="border border-slate-200 rounded-lg p-4 hover:border-purple-300 transition-colors"
-            >
-              <div className="flex items-start justify-between">
-                <div>
-                  <div className="flex items-center gap-2 mb-1">
-                    <span className="font-semibold text-slate-900">v{version.version}</span>
-                    <span className="px-2 py-0.5 bg-slate-100 text-slate-600 rounded text-xs">
-                      {version.language.toUpperCase()}
-                    </span>
-                    <span
-                      className={`px-2 py-0.5 rounded text-xs ${
-                        version.status === 'published'
-                          ? 'bg-green-100 text-green-700'
-                          : version.status === 'draft'
-                          ? 'bg-yellow-100 text-yellow-700'
-                          : 'bg-slate-100 text-slate-600'
-                      }`}
-                    >
-                      {version.status}
-                    </span>
+          {versions.map((version) => {
+            const style = STATUS_STYLES[version.status] || STATUS_STYLES.draft
+            return (
+              <div key={version.id} className="border border-slate-200 rounded-lg p-4 hover:border-purple-300 transition-colors">
+                <div className="flex items-start justify-between">
+                  <div>
+                    <div className="flex items-center gap-2 mb-1">
+                      <span className="font-semibold text-slate-900">v{version.version}</span>
+                      <span className="px-2 py-0.5 bg-slate-100 text-slate-600 rounded text-xs">
+                        {version.language.toUpperCase()}
+                      </span>
+                      <span className={`px-2 py-0.5 rounded text-xs ${style.color}`}>{style.label}</span>
+                    </div>
+                    <h3 className="text-slate-700">{version.title}</h3>
+                    <p className="text-sm text-slate-500 mt-1">
+                      Erstellt: {new Date(version.created_at).toLocaleDateString('de-DE')}
+                      {version.published_at && ` | Publiziert: ${new Date(version.published_at).toLocaleDateString('de-DE')}`}
+                    </p>
+                  </div>
+                  <div className="flex gap-2 flex-wrap justify-end">
+                    {version.status === 'draft' && onSubmitReview && (
+                      <button onClick={() => onSubmitReview(version.id)}
+                        className="px-3 py-1.5 text-sm text-white bg-yellow-500 hover:bg-yellow-600 rounded-lg">
+                        Zur Pruefung
+                      </button>
+                    )}
+                    {version.status === 'review' && onApprove && (
+                      <button onClick={() => onApprove(version.id)}
+                        className="px-3 py-1.5 text-sm text-white bg-blue-600 hover:bg-blue-700 rounded-lg">
+                        Genehmigen
+                      </button>
+                    )}
+                    {version.status === 'review' && onReject && (
+                      <button onClick={() => { const c = prompt('Ablehnungsgrund:'); if (c) onReject(version.id, c) }}
+                        className="px-3 py-1.5 text-sm text-white bg-red-500 hover:bg-red-600 rounded-lg">
+                        Ablehnen
+                      </button>
+                    )}
+                    {version.status === 'approved' && onPublish && (
+                      <button onClick={() => onPublish(version.id)}
+                        className="px-3 py-1.5 text-sm text-white bg-green-600 hover:bg-green-700 rounded-lg">
+                        Publizieren
+                      </button>
+                    )}
                   </div>
-                  <h3 className="text-slate-700">{version.title}</h3>
-                  <p className="text-sm text-slate-500 mt-1">
-                    Erstellt: {new Date(version.created_at).toLocaleDateString('de-DE')}
-                  </p>
-                </div>
-                <div className="flex gap-2">
-                  <button className="px-3 py-1.5 text-sm text-slate-600 hover:text-slate-900 border border-slate-300 rounded-lg hover:border-slate-400">
-                    Bearbeiten
-                  </button>
-                  {version.status === 'draft' && (
-                    <button className="px-3 py-1.5 text-sm text-white bg-green-600 hover:bg-green-700 rounded-lg">
-                      Veroeffentlichen
-                    </button>
-                  )}
                 </div>
               </div>
-            </div>
-          ))}
+            )
+          })}
         </div>
       )}
     </div>

admin-compliance/app/sdk/consent-management/_hooks/useConsentData.ts

@@ -277,6 +277,45 @@ export function useConsentData(activeTab: Tab, selectedDocument: string) {
     localStorage.setItem('sdk-email-templates', JSON.stringify(updated))
   }
 
+  // Document version workflow actions (via admin consent proxy → legal-documents backend)
+  async function submitVersionForReview(versionId: string) {
+    try {
+      const res = await fetch(`${API_BASE}/versions/${versionId}/submit-review`, {
+        method: 'POST', headers: authToken ? { 'Authorization': `Bearer ${authToken}` } : {},
+      })
+      if (res.ok && selectedDocument) await loadVersions(selectedDocument)
+    } catch (err) { console.error('Submit failed:', err) }
+  }
+
+  async function approveVersion(versionId: string) {
+    try {
+      const res = await fetch(`${API_BASE}/versions/${versionId}/approve`, {
+        method: 'POST', headers: authToken ? { 'Authorization': `Bearer ${authToken}` } : {},
+      })
+      if (res.ok && selectedDocument) await loadVersions(selectedDocument)
+    } catch (err) { console.error('Approve failed:', err) }
+  }
+
+  async function rejectVersion(versionId: string, comment: string) {
+    try {
+      const res = await fetch(`${API_BASE}/versions/${versionId}/reject`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...(authToken ? { 'Authorization': `Bearer ${authToken}` } : {}) },
+        body: JSON.stringify({ comment }),
+      })
+      if (res.ok && selectedDocument) await loadVersions(selectedDocument)
+    } catch (err) { console.error('Reject failed:', err) }
+  }
+
+  async function publishVersion(versionId: string) {
+    try {
+      const res = await fetch(`${API_BASE}/versions/${versionId}/publish`, {
+        method: 'POST', headers: authToken ? { 'Authorization': `Bearer ${authToken}` } : {},
+      })
+      if (res.ok) { if (selectedDocument) await loadVersions(selectedDocument); await loadDocuments() }
+    } catch (err) { console.error('Publish failed:', err) }
+  }
+
   return {
     documents, versions, loading, error, setError,
     consentStats, dsrCounts, dsrOverview,
@@ -286,6 +325,7 @@ export function useConsentData(activeTab: Tab, selectedDocument: string) {
     savingTemplateId, savingProcessId,
     saveApiEmailTemplate, saveApiGdprProcess,
     loadApiEmailTemplates,
+    submitVersionForReview, approveVersion, rejectVersion, publishVersion,
     authToken, setAuthToken,
   }
 }

admin-compliance/app/sdk/consent-management/_types.ts

@@ -1,6 +1,6 @@
 export const API_BASE = '/api/admin/consent'
 
-export type Tab = 'documents' | 'versions' | 'emails' | 'gdpr' | 'stats'
+export type Tab = 'documents' | 'versions' | 'emails' | 'gdpr' | 'stats' | 'deadlines' | 'integrations'
 
 export interface Document {
   id: string

admin-compliance/app/sdk/consent-management/page.tsx

@@ -25,6 +25,8 @@ import { GdprTab } from './_components/GdprTab'
 import { StatsTab } from './_components/StatsTab'
 import { ConsentTemplateCreateModal } from './_components/ConsentTemplateCreateModal'
 import { EmailTemplateEditModal, EmailTemplatePreviewModal } from './_components/EmailTemplateModals'
+import { DeadlineTab } from './_components/DeadlineTab'
+import { IntegrationStubs } from './_components/IntegrationStubs'
 
 export default function ConsentManagementPage() {
   const { state } = useSDK()
@@ -45,6 +47,7 @@ export default function ConsentManagementPage() {
     savingTemplateId, savingProcessId,
     saveApiEmailTemplate, saveApiGdprProcess,
     loadApiEmailTemplates,
+    submitVersionForReview, approveVersion, rejectVersion, publishVersion,
     authToken, setAuthToken,
   } = useConsentData(activeTab, selectedDocument)
 
@@ -54,6 +57,8 @@ export default function ConsentManagementPage() {
     { id: 'emails', label: 'E-Mail Vorlagen' },
     { id: 'gdpr', label: 'DSGVO Prozesse' },
     { id: 'stats', label: 'Statistiken' },
+    { id: 'deadlines', label: 'Fristen' },
+    { id: 'integrations', label: 'Integrationen' },
   ]
 
   return (
@@ -128,6 +133,10 @@ export default function ConsentManagementPage() {
               versions={versions}
               selectedDocument={selectedDocument}
               setSelectedDocument={setSelectedDocument}
+              onSubmitReview={submitVersionForReview}
+              onApprove={approveVersion}
+              onReject={rejectVersion}
+              onPublish={publishVersion}
             />
           )}
 
@@ -157,6 +166,10 @@ export default function ConsentManagementPage() {
           )}
 
           {activeTab === 'stats' && <StatsTab consentStats={consentStats} />}
+
+          {activeTab === 'deadlines' && <DeadlineTab />}
+
+          {activeTab === 'integrations' && <IntegrationStubs />}
         </div>
       </div>
 

admin-compliance/app/sdk/document-generator/_constants.ts

@@ -18,6 +18,10 @@ export const CATEGORIES: { key: string; label: string; types: string[] | null }[
   { key: 'cloud', label: 'Cloud', types: ['cloud_service_agreement'] },
   { key: 'misc', label: 'Weitere', types: ['community_guidelines', 'copyright_policy', 'data_usage_clause'] },
   { key: 'dsfa', label: 'DSFA', types: ['dsfa'] },
+  { key: 'dsr', label: 'DSR-Prozesse', types: [
+    'dsr_process_art15', 'dsr_process_art16', 'dsr_process_art17',
+    'dsr_process_art18', 'dsr_process_art19', 'dsr_process_art20', 'dsr_process_art21',
+  ]},
 ]
 
 // =============================================================================

admin-compliance/app/sdk/dsr/_components/DSRBanners.tsx

@@ -13,20 +13,21 @@ export function LoadingSpinner() {
   )
 }
 
+export { PublicFormConfig as SettingsTabContent } from './PublicFormConfig'
+
 export function SettingsTab() {
   return (
-    <div className="bg-white rounded-xl border border-gray-200 p-8 text-center">
-      <div className="w-16 h-16 mx-auto bg-gray-100 rounded-full flex items-center justify-center mb-4">
-        <svg className="w-8 h-8 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" />
-          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
-        </svg>
+    <div className="space-y-6">
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <SettingsTabContent />
+      </div>
+      <div className="bg-white rounded-xl border border-gray-200 p-6">
+        <h3 className="text-base font-semibold text-slate-900 mb-2">Workflow-Konfiguration</h3>
+        <p className="text-sm text-slate-500">
+          SLA-Fristen, automatische Zuweisungen und Eskalationsregeln
+          werden in Production ueber den Core-Service konfiguriert.
+        </p>
       </div>
-      <h3 className="text-lg font-semibold text-gray-900">Einstellungen</h3>
-      <p className="mt-2 text-gray-500">
-        DSR-Portal-Einstellungen, E-Mail-Vorlagen und Workflow-Konfiguration
-        werden in einer spaeteren Version verfuegbar sein.
-      </p>
     </div>
   )
 }

admin-compliance/app/sdk/dsr/_components/PublicFormConfig.tsx

@@ -0,0 +1,97 @@
+'use client'
+
+import { useState } from 'react'
+
+interface PublicFormSettings {
+  enabled: boolean
+  formUrl: string
+  allowedTypes: string[]
+  requireIdentity: boolean
+  customCss: string
+}
+
+const DSR_TYPES = [
+  { value: 'access', label: 'Auskunft (Art. 15)' },
+  { value: 'rectification', label: 'Berichtigung (Art. 16)' },
+  { value: 'erasure', label: 'Loeschung (Art. 17)' },
+  { value: 'restriction', label: 'Einschraenkung (Art. 18)' },
+  { value: 'portability', label: 'Datenportabilitaet (Art. 20)' },
+  { value: 'objection', label: 'Widerspruch (Art. 21)' },
+]
+
+export function PublicFormConfig() {
+  const [settings, setSettings] = useState<PublicFormSettings>({
+    enabled: false,
+    formUrl: '',
+    allowedTypes: ['access', 'erasure', 'portability'],
+    requireIdentity: true,
+    customCss: '',
+  })
+
+  return (
+    <div className="space-y-6">
+      <div className="flex items-center justify-between">
+        <h3 className="text-base font-semibold text-slate-900">Oeffentliches DSR-Formular</h3>
+        <label className="flex items-center gap-2 cursor-pointer">
+          <input type="checkbox" checked={settings.enabled}
+            onChange={e => setSettings({ ...settings, enabled: e.target.checked })}
+            className="rounded border-gray-300 text-purple-600" />
+          <span className="text-sm text-slate-600">Aktiviert</span>
+        </label>
+      </div>
+
+      {!settings.enabled ? (
+        <div className="bg-gray-50 border border-gray-200 rounded-lg p-4 text-sm text-gray-600">
+          Das oeffentliche DSR-Formular ermoeglicht Betroffenen, Datenschutzanfragen direkt
+          ueber Ihre Website einzureichen — ohne Anmeldung. Aktivieren Sie es, um den
+          Embed-Code zu generieren.
+        </div>
+      ) : (
+        <div className="space-y-4">
+          <div>
+            <label className="block text-sm font-medium text-slate-700 mb-1">Erlaubte Anfragetypen</label>
+            <div className="grid grid-cols-2 gap-2">
+              {DSR_TYPES.map(type => (
+                <label key={type.value} className="flex items-center gap-2 text-sm text-slate-600">
+                  <input type="checkbox"
+                    checked={settings.allowedTypes.includes(type.value)}
+                    onChange={e => {
+                      const types = e.target.checked
+                        ? [...settings.allowedTypes, type.value]
+                        : settings.allowedTypes.filter(t => t !== type.value)
+                      setSettings({ ...settings, allowedTypes: types })
+                    }}
+                    className="rounded border-gray-300 text-purple-600" />
+                  {type.label}
+                </label>
+              ))}
+            </div>
+          </div>
+
+          <label className="flex items-center gap-2 cursor-pointer">
+            <input type="checkbox" checked={settings.requireIdentity}
+              onChange={e => setSettings({ ...settings, requireIdentity: e.target.checked })}
+              className="rounded border-gray-300 text-purple-600" />
+            <span className="text-sm text-slate-600">Identitaetsnachweis erforderlich</span>
+          </label>
+
+          <div className="bg-slate-50 border border-slate-200 rounded-lg p-4">
+            <h4 className="text-sm font-medium text-slate-700 mb-2">Embed-Code</h4>
+            <pre className="text-xs font-mono bg-white border border-slate-200 rounded p-3 overflow-x-auto">
+{`<iframe
+  src="https://ihre-domain.breakpilot.ai/dsr/public-form"
+  width="100%"
+  height="600"
+  frameborder="0"
+  title="Datenschutzanfrage"
+></iframe>`}
+            </pre>
+            <p className="text-xs text-slate-500 mt-2">
+              Embed-Code wird nach Anbindung an Production generiert.
+            </p>
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/einwilligungen/retention/page.tsx

@@ -274,7 +274,7 @@ function RetentionTimeline({ dataPoints, language }: RetentionTimelineProps) {
 // =============================================================================
 
 interface ExportOptionsProps {
-  onExport: (format: 'csv' | 'json' | 'pdf') => void
+  onExport: (format: 'csv' | 'json') => void
 }
 
 function ExportOptions({ onExport }: ExportOptionsProps) {
@@ -294,13 +294,6 @@ function ExportOptions({ onExport }: ExportOptionsProps) {
         <Download className="w-4 h-4" />
         JSON
       </button>
-      <button
-        onClick={() => onExport('pdf')}
-        className="flex items-center gap-2 px-3 py-2 bg-indigo-600 text-white rounded-lg text-sm hover:bg-indigo-700"
-      >
-        <Download className="w-4 h-4" />
-        PDF
-      </button>
     </div>
   )
 }
@@ -332,7 +325,7 @@ function RetentionContent() {
   }, [allDataPoints, filterCategory])
 
   // Handle export
-  const handleExport = (format: 'csv' | 'json' | 'pdf') => {
+  const handleExport = (format: 'csv' | 'json') => {
     if (format === 'csv') {
       const headers = ['Code', 'Name', 'Kategorie', 'Loeschfrist', 'Rechtsgrundlage']
       const rows = allDataPoints.map((dp) => [
@@ -354,8 +347,6 @@ function RetentionContent() {
         legalBasis: dp.legalBasis,
       }))
       downloadFile(JSON.stringify(data, null, 2), 'loeschfristen.json', 'application/json')
-    } else {
-      alert('PDF-Export wird noch implementiert.')
     }
   }
 

admin-compliance/app/sdk/email-templates/_components/EditorTab.tsx

@@ -15,11 +15,16 @@ interface EditorTabProps {
   onPublish: () => void
   onPreview: () => void
   onBack: () => void
+  onSubmitForReview?: () => void
+  onApprove?: (comment?: string) => void
+  onReject?: (comment: string) => void
+  onSendTest?: (email: string) => void
 }
 
 export function EditorTab({
   template, version, subject, html, previewHtml, saving,
   onSubjectChange, onHtmlChange, onSave, onPublish, onPreview, onBack,
+  onSubmitForReview, onApprove, onReject, onSendTest,
 }: EditorTabProps) {
   if (!template) {
     return (
@@ -46,30 +51,56 @@ export function EditorTab({
             </span>
           )}
         </div>
-        <div className="flex gap-2">
-          <button
-            onClick={onSave}
-            disabled={saving}
-            className="px-3 py-1.5 bg-purple-600 text-white rounded-lg text-sm hover:bg-purple-700 disabled:opacity-50"
-          >
-            {saving ? 'Speichern...' : 'Version speichern'}
-          </button>
-          {version && version.status !== 'published' && (
-            <button
-              onClick={onPublish}
-              disabled={saving}
-              className="px-3 py-1.5 bg-green-600 text-white rounded-lg text-sm hover:bg-green-700 disabled:opacity-50"
-            >
+        <div className="flex gap-2 flex-wrap">
+          {/* Save — always available for draft/review */}
+          {(!version || version.status === 'draft' || version.status === 'review') && (
+            <button onClick={onSave} disabled={saving}
+              className="px-3 py-1.5 bg-purple-600 text-white rounded-lg text-sm hover:bg-purple-700 disabled:opacity-50">
+              {saving ? 'Speichern...' : 'Version speichern'}
+            </button>
+          )}
+          {/* Submit for Review — only for draft */}
+          {version && version.status === 'draft' && onSubmitForReview && (
+            <button onClick={onSubmitForReview} disabled={saving}
+              className="px-3 py-1.5 bg-yellow-500 text-white rounded-lg text-sm hover:bg-yellow-600 disabled:opacity-50">
+              Zur Pruefung einreichen
+            </button>
+          )}
+          {/* Approve — only for review status (DSB) */}
+          {version && version.status === 'review' && onApprove && (
+            <button onClick={() => onApprove()} disabled={saving}
+              className="px-3 py-1.5 bg-blue-600 text-white rounded-lg text-sm hover:bg-blue-700 disabled:opacity-50">
+              Genehmigen
+            </button>
+          )}
+          {/* Reject — only for review status (DSB) */}
+          {version && version.status === 'review' && onReject && (
+            <button onClick={() => { const c = prompt('Ablehnungsgrund:'); if (c) onReject(c) }} disabled={saving}
+              className="px-3 py-1.5 bg-red-500 text-white rounded-lg text-sm hover:bg-red-600 disabled:opacity-50">
+              Ablehnen
+            </button>
+          )}
+          {/* Publish — only for approved */}
+          {version && version.status === 'approved' && (
+            <button onClick={onPublish} disabled={saving}
+              className="px-3 py-1.5 bg-green-600 text-white rounded-lg text-sm hover:bg-green-700 disabled:opacity-50">
               Publizieren
             </button>
           )}
+          {/* Preview + Test — always when version exists */}
           {version && (
-            <button
-              onClick={onPreview}
-              className="px-3 py-1.5 border border-gray-300 text-gray-700 rounded-lg text-sm hover:bg-gray-50"
-            >
-              Vorschau
-            </button>
+            <>
+              <button onClick={onPreview}
+                className="px-3 py-1.5 border border-gray-300 text-gray-700 rounded-lg text-sm hover:bg-gray-50">
+                Vorschau
+              </button>
+              {onSendTest && (
+                <button onClick={() => { const e = prompt('Test-E-Mail an:'); if (e) onSendTest(e) }}
+                  className="px-3 py-1.5 border border-blue-300 text-blue-700 rounded-lg text-sm hover:bg-blue-50">
+                  Test senden
+                </button>
+              )}
+            </>
           )}
         </div>
       </div>
@@ -77,7 +108,7 @@ export function EditorTab({
       {/* Variables */}
       <div className="flex flex-wrap gap-1.5">
         <span className="text-xs text-gray-500 mr-1">Variablen:</span>
-        {(template.variables || []).map(v => (
+        {(Array.isArray(template.variables) ? template.variables : []).map(v => (
           <button
             key={v}
             onClick={() => onHtmlChange(html + `{{${v}}}`)}

admin-compliance/app/sdk/email-templates/_components/TemplateCard.tsx

@@ -30,12 +30,12 @@ export function TemplateCard({ template, onEdit }: TemplateCardProps) {
         <p className="text-xs text-gray-500 mt-2 line-clamp-2">{template.description}</p>
       )}
       <div className="mt-3 flex flex-wrap gap-1">
-        {(template.variables || []).slice(0, 4).map(v => (
+        {(Array.isArray(template.variables) ? template.variables : []).slice(0, 4).map(v => (
           <span key={v} className="px-1.5 py-0.5 bg-gray-50 text-gray-500 rounded text-xs font-mono">
             {`{{${v}}}`}
           </span>
         ))}
-        {(template.variables || []).length > 4 && (
+        {Array.isArray(template.variables) && template.variables.length > 4 && (
           <span className="text-xs text-gray-400">+{template.variables.length - 4}</span>
         )}
       </div>

admin-compliance/app/sdk/email-templates/_hooks/useEmailTemplates.ts

@@ -7,6 +7,7 @@ import {
   SendLog,
   Settings,
   TabId,
+  TemplateApproval,
   TemplateType,
   TemplateVersion,
   getHeaders,
@@ -194,6 +195,72 @@ export function useEmailTemplates(activeTab: TabId) {
     }
   }, [settingsForm])
 
+  // Workflow actions
+  const submitForReview = useCallback(async () => {
+    if (!editorVersion) return
+    setSaving(true)
+    try {
+      const res = await fetch(`${API_BASE}/versions/${editorVersion.id}/submit`, {
+        method: 'POST', headers: getHeaders(),
+      })
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      const updated = await res.json()
+      setEditorVersion(updated)
+      await loadTemplates()
+    } catch (e: any) { setError(e.message) } finally { setSaving(false) }
+  }, [editorVersion, loadTemplates])
+
+  const approveVersion = useCallback(async (comment?: string) => {
+    if (!editorVersion) return
+    setSaving(true)
+    try {
+      const res = await fetch(`${API_BASE}/versions/${editorVersion.id}/approve`, {
+        method: 'POST', headers: getHeaders(),
+        body: JSON.stringify({ comment: comment || '' }),
+      })
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      const updated = await res.json()
+      setEditorVersion(updated)
+      await loadTemplates()
+    } catch (e: any) { setError(e.message) } finally { setSaving(false) }
+  }, [editorVersion, loadTemplates])
+
+  const rejectVersion = useCallback(async (comment: string) => {
+    if (!editorVersion) return
+    setSaving(true)
+    try {
+      const res = await fetch(`${API_BASE}/versions/${editorVersion.id}/reject`, {
+        method: 'POST', headers: getHeaders(),
+        body: JSON.stringify({ comment }),
+      })
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      const updated = await res.json()
+      setEditorVersion(updated)
+      await loadTemplates()
+    } catch (e: any) { setError(e.message) } finally { setSaving(false) }
+  }, [editorVersion, loadTemplates])
+
+  const sendTestEmail = useCallback(async (recipientEmail: string) => {
+    if (!editorVersion) return
+    try {
+      const res = await fetch(`${API_BASE}/versions/${editorVersion.id}/send-test`, {
+        method: 'POST', headers: getHeaders(),
+        body: JSON.stringify({ recipient: recipientEmail }),
+      })
+      if (!res.ok) throw new Error(`HTTP ${res.status}`)
+      return await res.json()
+    } catch (e: any) { setError(e.message) }
+  }, [editorVersion])
+
+  const loadApprovalHistory = useCallback(async (versionId: string): Promise<TemplateApproval[]> => {
+    try {
+      const res = await fetch(`${API_BASE}/versions/${versionId}/approvals`, { headers: getHeaders() })
+      if (!res.ok) return []
+      const data = await res.json()
+      return Array.isArray(data) ? data : data.approvals || []
+    } catch { return [] }
+  }, [])
+
   const initializeDefaults = useCallback(async () => {
     try {
       const res = await fetch(`${API_BASE}/initialize`, {
@@ -222,6 +289,8 @@ export function useEmailTemplates(activeTab: TabId) {
     setSettingsForm,
     // Actions
     openEditor, saveVersion, publishVersion, loadPreview,
+    submitForReview, approveVersion, rejectVersion,
+    sendTestEmail, loadApprovalHistory,
     saveSettings2, initializeDefaults,
   }
 }

admin-compliance/app/sdk/email-templates/_types.ts

@@ -42,6 +42,16 @@ export interface SendLog {
   sent_at: string | null
 }
 
+export interface TemplateApproval {
+  id: string
+  version_id: string
+  action: string // submitted, approved, rejected
+  actor_id: string
+  actor_name?: string
+  comment?: string
+  created_at: string
+}
+
 export interface Settings {
   sender_name: string
   sender_email: string

admin-compliance/app/sdk/email-templates/page.tsx

@@ -22,6 +22,8 @@ export default function EmailTemplatesPage() {
     setEditorSubject, setEditorHtml,
     setSettingsForm,
     openEditor, saveVersion, publishVersion, loadPreview,
+    submitForReview, approveVersion, rejectVersion,
+    sendTestEmail, loadApprovalHistory,
     saveSettings2, initializeDefaults,
   } = useEmailTemplates(activeTab)
 
@@ -68,6 +70,10 @@ export default function EmailTemplatesPage() {
           onPublish={publishVersion}
           onPreview={loadPreview}
           onBack={() => setActiveTab('templates')}
+          onSubmitForReview={submitForReview}
+          onApprove={approveVersion}
+          onReject={rejectVersion}
+          onSendTest={sendTestEmail}
         />
       )}
 

admin-compliance/app/sdk/layout.tsx

@@ -7,6 +7,7 @@ import { SDKSidebar } from '@/components/sdk/Sidebar/SDKSidebar'
 import { CommandBar } from '@/components/sdk/CommandBar'
 import { SDKPipelineSidebar } from '@/components/sdk/SDKPipelineSidebar'
 import { ComplianceAdvisorWidget } from '@/components/sdk/ComplianceAdvisorWidget'
+import { CookieBannerOverlay, CookieBannerFAB } from '@/components/sdk/CookieBannerOverlay'
 import { useSDK } from '@/lib/sdk'
 
 // =============================================================================
@@ -208,10 +209,14 @@ function SDKInnerLayout({ children }: { children: React.ReactNode }) {
       {isCommandBarOpen && <CommandBar onClose={() => setCommandBarOpen(false)} />}
 
       {/* Pipeline Sidebar (FAB on mobile/tablet, fixed on desktop xl+) */}
-      {projectId && <SDKPipelineSidebar />}
+      <SDKPipelineSidebar />
 
-      {/* Compliance Advisor Widget */}
-      {projectId && <ComplianceAdvisorWidget currentStep={currentStep} />}
+      {/* Compliance Advisor Widget — immer sichtbar, auch ohne Projekt */}
+      <ComplianceAdvisorWidget currentStep={currentStep} />
+
+      {/* Cookie Banner — opens on first visit, reopenable via FAB */}
+      <CookieBannerOverlay />
+      <CookieBannerFAB />
     </div>
   )
 }

admin-compliance/app/sdk/page.tsx

@@ -4,6 +4,7 @@ import React from 'react'
 import Link from 'next/link'
 import { useSDK, SDK_PACKAGES, getStepsForPackage } from '@/lib/sdk'
 import { ProjectSelector } from '@/components/sdk/ProjectSelector/ProjectSelector'
+import { RegulatoryNewsFeed } from '@/components/sdk/regulatory-news/RegulatoryNewsFeed'
 import type { SDKPackageId } from '@/lib/sdk/types'
 
 // =============================================================================
@@ -331,6 +332,9 @@ export default function SDKDashboard() {
         </div>
       )}
 
+      {/* Regulatory News */}
+      <RegulatoryNewsFeed businessModel={state.companyProfile?.businessModel as string} />
+
       {/* 5 Packages */}
       <div>
         <h2 className="text-lg font-semibold text-gray-900 mb-4">Compliance-Pakete</h2>

admin-compliance/app/sdk/payment-compliance/page.tsx

@@ -0,0 +1,496 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+
+interface PaymentControl {
+  control_id: string
+  domain: string
+  title: string
+  objective: string
+  check_target: string
+  evidence: string[]
+  automation: string
+}
+
+interface PaymentDomain {
+  id: string
+  name: string
+  description: string
+}
+
+interface Assessment {
+  id: string
+  project_name: string
+  tender_reference: string
+  customer_name: string
+  system_type: string
+  total_controls: number
+  controls_passed: number
+  controls_failed: number
+  controls_partial: number
+  controls_not_applicable: number
+  controls_not_checked: number
+  compliance_score: number
+  status: string
+  created_at: string
+}
+
+interface TenderAnalysis {
+  id: string
+  file_name: string
+  file_size: number
+  project_name: string
+  customer_name: string
+  status: string
+  total_requirements: number
+  matched_count: number
+  unmatched_count: number
+  partial_count: number
+  requirements?: Array<{ req_id: string; text: string; obligation_level: string; technical_domain: string; confidence: number }>
+  match_results?: Array<{ req_id: string; req_text: string; verdict: string; matched_controls: Array<{ control_id: string; title: string; relevance: number }>; gap_description?: string }>
+  created_at: string
+}
+
+const AUTOMATION_STYLES: Record<string, { bg: string; text: string }> = {
+  high: { bg: 'bg-green-100', text: 'text-green-700' },
+  medium: { bg: 'bg-yellow-100', text: 'text-yellow-700' },
+  partial: { bg: 'bg-orange-100', text: 'text-orange-700' },
+  low: { bg: 'bg-red-100', text: 'text-red-700' },
+}
+
+const TARGET_ICONS: Record<string, string> = {
+  code: '💻', system: '🖥️', config: '⚙️', process: '📋',
+  repository: '📦', certificate: '📜',
+}
+
+export default function PaymentCompliancePage() {
+  const [controls, setControls] = useState<PaymentControl[]>([])
+  const [domains, setDomains] = useState<PaymentDomain[]>([])
+  const [assessments, setAssessments] = useState<Assessment[]>([])
+  const [tenderAnalyses, setTenderAnalyses] = useState<TenderAnalysis[]>([])
+  const [selectedTender, setSelectedTender] = useState<TenderAnalysis | null>(null)
+  const [selectedDomain, setSelectedDomain] = useState<string>('all')
+  const [loading, setLoading] = useState(true)
+  const [tab, setTab] = useState<'controls' | 'assessments' | 'tender'>('controls')
+  const [uploading, setUploading] = useState(false)
+  const [processing, setProcessing] = useState(false)
+  const [showNewAssessment, setShowNewAssessment] = useState(false)
+  const [newProject, setNewProject] = useState({ project_name: '', tender_reference: '', customer_name: '', system_type: 'full_stack' })
+
+  useEffect(() => {
+    loadData()
+  }, [])
+
+  async function loadData() {
+    try {
+      setLoading(true)
+      const [ctrlResp, assessResp, tenderResp] = await Promise.all([
+        fetch('/api/sdk/v1/payment-compliance?endpoint=controls'),
+        fetch('/api/sdk/v1/payment-compliance?endpoint=assessments'),
+        fetch('/api/sdk/v1/payment-compliance/tender'),
+      ])
+      if (ctrlResp.ok) {
+        const data = await ctrlResp.json()
+        setControls(data.controls || [])
+        setDomains(data.domains || [])
+      }
+      if (assessResp.ok) {
+        const data = await assessResp.json()
+        setAssessments(data.assessments || [])
+      }
+      if (tenderResp.ok) {
+        const data = await tenderResp.json()
+        setTenderAnalyses(data.analyses || [])
+      }
+    } catch {}
+    finally { setLoading(false) }
+  }
+
+  async function handleTenderUpload(e: React.ChangeEvent<HTMLInputElement>) {
+    const file = e.target.files?.[0]
+    if (!file) return
+    setUploading(true)
+    try {
+      const formData = new FormData()
+      formData.append('file', file)
+      formData.append('project_name', file.name.replace(/\.[^.]+$/, ''))
+      const resp = await fetch('/api/sdk/v1/payment-compliance/tender', { method: 'POST', body: formData })
+      if (resp.ok) {
+        const data = await resp.json()
+        // Auto-start extraction + matching
+        setProcessing(true)
+        const extractResp = await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}?action=extract`, { method: 'POST' })
+        if (extractResp.ok) {
+          await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}?action=match`, { method: 'POST' })
+        }
+        // Reload and show result
+        const detailResp = await fetch(`/api/sdk/v1/payment-compliance/tender/${data.id}`)
+        if (detailResp.ok) {
+          const detail = await detailResp.json()
+          setSelectedTender(detail)
+        }
+        loadData()
+      }
+    } catch {} finally {
+      setUploading(false)
+      setProcessing(false)
+    }
+  }
+
+  async function handleViewTender(id: string) {
+    const resp = await fetch(`/api/sdk/v1/payment-compliance/tender/${id}`)
+    if (resp.ok) {
+      setSelectedTender(await resp.json())
+    }
+  }
+
+  async function handleCreateAssessment() {
+    const resp = await fetch('/api/sdk/v1/payment-compliance', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(newProject),
+    })
+    if (resp.ok) {
+      setShowNewAssessment(false)
+      setNewProject({ project_name: '', tender_reference: '', customer_name: '', system_type: 'full_stack' })
+      loadData()
+    }
+  }
+
+  const filteredControls = selectedDomain === 'all'
+    ? controls
+    : controls.filter(c => c.domain === selectedDomain)
+
+  const domainStats = domains.map(d => ({
+    ...d,
+    count: controls.filter(c => c.domain === d.id).length,
+  }))
+
+  return (
+    <div className="max-w-6xl mx-auto p-6">
+      {/* Header */}
+      <div className="flex items-center justify-between mb-8">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900">Payment Terminal Compliance</h1>
+          <p className="text-sm text-gray-500 mt-1">
+            Technische Pruefbibliothek fuer Zahlungssysteme — {controls.length} Controls in {domains.length} Domaenen
+          </p>
+        </div>
+        <div className="flex gap-2">
+          <button onClick={() => setTab('controls')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'controls' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Controls ({controls.length})
+          </button>
+          <button onClick={() => setTab('assessments')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'assessments' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Assessments ({assessments.length})
+          </button>
+          <button onClick={() => setTab('tender')}
+            className={`px-4 py-2 rounded-lg text-sm font-medium ${tab === 'tender' ? 'bg-purple-600 text-white' : 'bg-gray-100 text-gray-700'}`}>
+            Ausschreibung ({tenderAnalyses.length})
+          </button>
+        </div>
+      </div>
+
+      {/* Info Box */}
+      <div className="mb-6 p-4 bg-blue-50 border border-blue-200 rounded-xl text-sm text-blue-800">
+        <div className="font-semibold mb-2">Wie funktioniert Payment Terminal Compliance?</div>
+        <div className="grid grid-cols-3 gap-4">
+          <div>
+            <div className="font-medium mb-1">1. Controls durchsuchen</div>
+            <p className="text-xs text-blue-700">Unsere Bibliothek enthaelt {controls.length} technische Pruefregeln fuer Zahlungssysteme — von Transaktionslogik ueber Kryptographie bis ZVT/OPI-Protokollverhalten. Jeder Control definiert was geprueft wird und welche Evidenz noetig ist.</p>
+          </div>
+          <div>
+            <div className="font-medium mb-1">2. Assessment erstellen</div>
+            <p className="text-xs text-blue-700">Ein Assessment ist eine projektbezogene Pruefung — z.B. fuer eine bestimmte Ausschreibung oder einen Kunden. Sie ordnet jedem Control einen Status zu: bestanden, fehlgeschlagen, teilweise oder nicht anwendbar.</p>
+          </div>
+          <div>
+            <div className="font-medium mb-1">3. Ausschreibung analysieren</div>
+            <p className="text-xs text-blue-700">Laden Sie ein Ausschreibungsdokument hoch. Die KI extrahiert automatisch die Anforderungen und matcht sie gegen unsere Controls. Ergebnis: Welche Anforderungen sind abgedeckt und wo gibt es Luecken.</p>
+          </div>
+        </div>
+      </div>
+
+      {loading ? (
+        <div className="text-center py-12 text-gray-500">Lade...</div>
+      ) : tab === 'controls' ? (
+        <>
+          {/* Domain Filter */}
+          <div className="grid grid-cols-5 gap-3 mb-6">
+            <button onClick={() => setSelectedDomain('all')}
+              className={`p-3 rounded-xl border text-center ${selectedDomain === 'all' ? 'border-purple-500 bg-purple-50' : 'border-gray-200 hover:border-purple-300'}`}>
+              <div className="text-lg font-bold text-purple-700">{controls.length}</div>
+              <div className="text-xs text-gray-500">Alle</div>
+            </button>
+            {domainStats.map(d => (
+              <button key={d.id} onClick={() => setSelectedDomain(d.id)}
+                className={`p-3 rounded-xl border text-center ${selectedDomain === d.id ? 'border-purple-500 bg-purple-50' : 'border-gray-200 hover:border-purple-300'}`}>
+                <div className="text-lg font-bold text-gray-900">{d.count}</div>
+                <div className="text-xs text-gray-500 truncate">{d.id}</div>
+              </button>
+            ))}
+          </div>
+
+          {/* Domain Description */}
+          {selectedDomain !== 'all' && (
+            <div className="mb-4 p-3 bg-blue-50 border border-blue-200 rounded-lg text-sm text-blue-800">
+              <strong>{domains.find(d => d.id === selectedDomain)?.name}:</strong>{' '}
+              {domains.find(d => d.id === selectedDomain)?.description}
+            </div>
+          )}
+
+          {/* Controls List */}
+          <div className="space-y-3">
+            {filteredControls.map(ctrl => {
+              const autoStyle = AUTOMATION_STYLES[ctrl.automation] || AUTOMATION_STYLES.low
+              return (
+                <div key={ctrl.control_id} className="bg-white rounded-xl border border-gray-200 p-4 hover:border-purple-300 transition-all">
+                  <div className="flex items-start justify-between">
+                    <div className="flex-1">
+                      <div className="flex items-center gap-2 mb-1">
+                        <span className="text-xs font-mono text-purple-600 bg-purple-50 px-2 py-0.5 rounded">{ctrl.control_id}</span>
+                        <span className="text-xs text-gray-400">{TARGET_ICONS[ctrl.check_target] || '🔍'} {ctrl.check_target}</span>
+                        <span className={`text-xs px-2 py-0.5 rounded-full ${autoStyle.bg} ${autoStyle.text}`}>
+                          {ctrl.automation}
+                        </span>
+                      </div>
+                      <h3 className="text-sm font-semibold text-gray-900">{ctrl.title}</h3>
+                      <p className="text-xs text-gray-500 mt-1">{ctrl.objective}</p>
+                    </div>
+                  </div>
+                  <div className="flex gap-1 mt-2">
+                    {ctrl.evidence.map(ev => (
+                      <span key={ev} className="text-xs bg-gray-100 text-gray-600 px-2 py-0.5 rounded">{ev}</span>
+                    ))}
+                  </div>
+                </div>
+              )
+            })}
+          </div>
+        </>
+      ) : tab === 'assessments' ? (
+        <>
+          {/* Assessments Tab */}
+          <div className="mb-4">
+            <button onClick={() => setShowNewAssessment(true)}
+              className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700">
+              + Neues Assessment
+            </button>
+          </div>
+
+          {showNewAssessment && (
+            <div className="mb-6 p-6 bg-white rounded-xl border border-purple-200">
+              <h3 className="font-semibold text-gray-900 mb-4">Neues Payment Compliance Assessment</h3>
+              <div className="grid grid-cols-2 gap-4">
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Projektname *</label>
+                  <input value={newProject.project_name} onChange={e => setNewProject(p => ({ ...p, project_name: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. Ausschreibung Muenchen 2026" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Ausschreibungs-Referenz</label>
+                  <input value={newProject.tender_reference} onChange={e => setNewProject(p => ({ ...p, tender_reference: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. 2026-PAY-001" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Kunde</label>
+                  <input value={newProject.customer_name} onChange={e => setNewProject(p => ({ ...p, customer_name: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500" placeholder="z.B. Stadt Muenchen" />
+                </div>
+                <div>
+                  <label className="block text-sm font-medium text-gray-700 mb-1">Systemtyp</label>
+                  <select value={newProject.system_type} onChange={e => setNewProject(p => ({ ...p, system_type: e.target.value }))}
+                    className="w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-purple-500">
+                    <option value="full_stack">Full Stack (Terminal + Backend)</option>
+                    <option value="terminal">Nur Terminal</option>
+                    <option value="backend">Nur Backend</option>
+                  </select>
+                </div>
+              </div>
+              <div className="flex gap-2 mt-4">
+                <button onClick={handleCreateAssessment} disabled={!newProject.project_name}
+                  className="px-4 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50">Erstellen</button>
+                <button onClick={() => setShowNewAssessment(false)}
+                  className="px-4 py-2 bg-gray-100 text-gray-700 rounded-lg hover:bg-gray-200">Abbrechen</button>
+              </div>
+            </div>
+          )}
+
+          {assessments.length === 0 ? (
+            <div className="text-center py-12 text-gray-400">
+              <p className="text-lg mb-2">Noch keine Assessments</p>
+              <p className="text-sm">Erstelle ein neues Assessment fuer eine Ausschreibung.</p>
+            </div>
+          ) : (
+            <div className="space-y-4">
+              {assessments.map(a => (
+                <div key={a.id} className="bg-white rounded-xl border border-gray-200 p-6">
+                  <div className="flex items-center justify-between mb-3">
+                    <div>
+                      <h3 className="text-lg font-semibold text-gray-900">{a.project_name}</h3>
+                      <div className="text-sm text-gray-500">
+                        {a.customer_name && <span>{a.customer_name} · </span>}
+                        {a.tender_reference && <span>Ref: {a.tender_reference} · </span>}
+                        <span>{new Date(a.created_at).toLocaleDateString('de-DE')}</span>
+                      </div>
+                    </div>
+                    <span className={`px-3 py-1 rounded-full text-sm font-medium ${
+                      a.status === 'completed' ? 'bg-green-100 text-green-700' :
+                      a.status === 'in_progress' ? 'bg-yellow-100 text-yellow-700' :
+                      'bg-gray-100 text-gray-700'
+                    }`}>{a.status}</span>
+                  </div>
+                  <div className="grid grid-cols-6 gap-2">
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold">{a.total_controls}</div>
+                      <div className="text-xs text-gray-500">Total</div>
+                    </div>
+                    <div className="text-center p-2 bg-green-50 rounded">
+                      <div className="text-lg font-bold text-green-700">{a.controls_passed}</div>
+                      <div className="text-xs text-gray-500">Passed</div>
+                    </div>
+                    <div className="text-center p-2 bg-red-50 rounded">
+                      <div className="text-lg font-bold text-red-700">{a.controls_failed}</div>
+                      <div className="text-xs text-gray-500">Failed</div>
+                    </div>
+                    <div className="text-center p-2 bg-yellow-50 rounded">
+                      <div className="text-lg font-bold text-yellow-700">{a.controls_partial}</div>
+                      <div className="text-xs text-gray-500">Partial</div>
+                    </div>
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold text-gray-400">{a.controls_not_applicable}</div>
+                      <div className="text-xs text-gray-500">N/A</div>
+                    </div>
+                    <div className="text-center p-2 bg-gray-50 rounded">
+                      <div className="text-lg font-bold text-gray-400">{a.controls_not_checked}</div>
+                      <div className="text-xs text-gray-500">Offen</div>
+                    </div>
+                  </div>
+                </div>
+              ))}
+            </div>
+          )}
+        </>
+      ) : tab === 'tender' ? (
+        <>
+          {/* Tender Analysis Tab */}
+          <div className="mb-6 p-6 bg-white rounded-xl border-2 border-dashed border-purple-300 text-center">
+            <h3 className="text-lg font-semibold text-gray-900 mb-2">Ausschreibung analysieren</h3>
+            <p className="text-sm text-gray-500 mb-4">
+              Laden Sie ein Ausschreibungsdokument hoch. Die KI extrahiert automatisch alle Anforderungen und matcht sie gegen die Control-Bibliothek.
+            </p>
+            <label className="inline-block px-6 py-3 bg-purple-600 text-white rounded-lg hover:bg-purple-700 cursor-pointer">
+              {uploading ? 'Hochladen...' : processing ? 'Analysiere...' : 'PDF / Dokument hochladen'}
+              <input type="file" className="hidden" accept=".pdf,.txt,.doc,.docx" onChange={handleTenderUpload} disabled={uploading || processing} />
+            </label>
+            <p className="text-xs text-gray-400 mt-2">PDF, TXT oder Word. Max 50 MB. Dokument wird nur fuer diese Analyse verwendet.</p>
+          </div>
+
+          {/* Selected Tender Detail */}
+          {selectedTender && (
+            <div className="mb-6 p-6 bg-white rounded-xl border border-purple-200">
+              <div className="flex items-center justify-between mb-4">
+                <div>
+                  <h3 className="text-lg font-semibold text-gray-900">{selectedTender.project_name}</h3>
+                  <p className="text-sm text-gray-500">{selectedTender.file_name} — {selectedTender.status}</p>
+                </div>
+                <button onClick={() => setSelectedTender(null)} className="text-gray-400 hover:text-gray-600 text-xl">&times;</button>
+              </div>
+
+              {/* Stats */}
+              <div className="grid grid-cols-4 gap-3 mb-6">
+                <div className="text-center p-3 bg-gray-50 rounded-lg">
+                  <div className="text-2xl font-bold">{selectedTender.total_requirements}</div>
+                  <div className="text-xs text-gray-500">Anforderungen</div>
+                </div>
+                <div className="text-center p-3 bg-green-50 rounded-lg">
+                  <div className="text-2xl font-bold text-green-700">{selectedTender.matched_count}</div>
+                  <div className="text-xs text-gray-500">Abgedeckt</div>
+                </div>
+                <div className="text-center p-3 bg-yellow-50 rounded-lg">
+                  <div className="text-2xl font-bold text-yellow-700">{selectedTender.partial_count}</div>
+                  <div className="text-xs text-gray-500">Teilweise</div>
+                </div>
+                <div className="text-center p-3 bg-red-50 rounded-lg">
+                  <div className="text-2xl font-bold text-red-700">{selectedTender.unmatched_count}</div>
+                  <div className="text-xs text-gray-500">Luecken</div>
+                </div>
+              </div>
+
+              {/* Match Results */}
+              {selectedTender.match_results && selectedTender.match_results.length > 0 && (
+                <div className="space-y-3">
+                  <h4 className="font-semibold text-gray-900">Requirement → Control Matching</h4>
+                  {selectedTender.match_results.map((mr, idx) => (
+                    <div key={idx} className={`p-4 rounded-lg border ${
+                      mr.verdict === 'matched' ? 'border-green-200 bg-green-50' :
+                      mr.verdict === 'partial' ? 'border-yellow-200 bg-yellow-50' :
+                      'border-red-200 bg-red-50'
+                    }`}>
+                      <div className="flex items-start justify-between mb-2">
+                        <div className="flex-1">
+                          <div className="flex items-center gap-2 mb-1">
+                            <span className="text-xs font-mono bg-white px-2 py-0.5 rounded border">{mr.req_id}</span>
+                            <span className={`text-xs px-2 py-0.5 rounded-full ${
+                              mr.verdict === 'matched' ? 'bg-green-200 text-green-800' :
+                              mr.verdict === 'partial' ? 'bg-yellow-200 text-yellow-800' :
+                              'bg-red-200 text-red-800'
+                            }`}>
+                              {mr.verdict === 'matched' ? 'Abgedeckt' : mr.verdict === 'partial' ? 'Teilweise' : 'Luecke'}
+                            </span>
+                          </div>
+                          <p className="text-sm text-gray-900">{mr.req_text}</p>
+                        </div>
+                      </div>
+                      {mr.matched_controls && mr.matched_controls.length > 0 && (
+                        <div className="mt-2 flex flex-wrap gap-1">
+                          {mr.matched_controls.map(mc => (
+                            <span key={mc.control_id} className="text-xs bg-white border px-2 py-0.5 rounded">
+                              {mc.control_id} ({Math.round(mc.relevance * 100)}%)
+                            </span>
+                          ))}
+                        </div>
+                      )}
+                      {mr.gap_description && (
+                        <p className="text-xs text-orange-700 mt-2">{mr.gap_description}</p>
+                      )}
+                    </div>
+                  ))}
+                </div>
+              )}
+            </div>
+          )}
+
+          {/* Previous Analyses */}
+          {tenderAnalyses.length > 0 && (
+            <div>
+              <h4 className="font-semibold text-gray-900 mb-3">Bisherige Analysen</h4>
+              <div className="space-y-3">
+                {tenderAnalyses.map(ta => (
+                  <button key={ta.id} onClick={() => handleViewTender(ta.id)}
+                    className="w-full text-left bg-white rounded-xl border border-gray-200 p-4 hover:border-purple-300 transition-all">
+                    <div className="flex items-center justify-between">
+                      <div>
+                        <h3 className="font-medium text-gray-900">{ta.project_name}</h3>
+                        <p className="text-xs text-gray-500">{ta.file_name} — {new Date(ta.created_at).toLocaleDateString('de-DE')}</p>
+                      </div>
+                      <div className="flex gap-2">
+                        <span className="text-xs bg-green-100 text-green-700 px-2 py-0.5 rounded-full">{ta.matched_count} matched</span>
+                        {ta.unmatched_count > 0 && (
+                          <span className="text-xs bg-red-100 text-red-700 px-2 py-0.5 rounded-full">{ta.unmatched_count} gaps</span>
+                        )}
+                        <span className={`text-xs px-2 py-0.5 rounded-full ${
+                          ta.status === 'matched' ? 'bg-blue-100 text-blue-700' : 'bg-gray-100 text-gray-700'
+                        }`}>{ta.status}</span>
+                      </div>
+                    </div>
+                  </button>
+                ))}
+              </div>
+            </div>
+          )}
+        </>
+      ) : null}
+    </div>
+  )
+}

admin-compliance/app/sdk/sdk-flow/steps-betrieb.ts

@@ -250,4 +250,95 @@ export const STEPS_BETRIEB: SDKFlowStep[] = [
     url: '/sdk/isms',
     completion: 100,
   },
+
+  // ── Control Pipeline ─────────────────────────────────────────────────────
+  {
+    id: 'control-library',
+    name: 'Canonical Control Library',
+    nameShort: 'Control Library',
+    package: 'betrieb',
+    seq: 5200,
+    checkpointId: 'CP-CLIB',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Verwaltung der ~33.000 Rich Controls aus dem RAG-Korpus. 7-Stufen-Pipeline mit Lizenz-Gate.',
+    descriptionLong: 'Die Canonical Control Library ist das zentrale Verzeichnis aller aus Regulierungstexten generierten Compliance Controls. Die 7-Stufen-Pipeline verarbeitet ~105.000 RAG-Chunks: (1) RAG Scan, (2) Lizenz-Klassifikation (Rule 1/2/3), (3a) Strukturierung (Rule 1+2) oder (3b) Reformulierung (Rule 3), (4) Harmonisierung (Embedding-Dedup), (5) Anchor Search (Open-Source-Referenzen), (6) Speicherung, (7) Chunk-Tracking. Domains: AUTH, CRYP, NET, DATA, SEC, AI, COMP, GOV, LAB, FIN u.a.',
+    legalBasis: 'UrhG §44b (Text & Data Mining), UrhG §23 (Hinreichender Abstand)',
+    inputs: ['ragChunks'],
+    outputs: ['canonicalControls'],
+    prerequisiteSteps: [],
+    dbTables: ['canonical_controls', 'canonical_processed_chunks', 'canonical_generation_jobs'],
+    dbMode: 'read/write',
+    ragCollections: ['bp_compliance_gesetze', 'bp_compliance_datenschutz', 'bp_compliance_ce', 'bp_dsfa_corpus', 'bp_legal_templates'],
+    ragPurpose: 'Quelldokumente fuer Control-Generierung (Gesetze, Verordnungen, Standards)',
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 100,
+  },
+  {
+    id: 'obligation-extraction',
+    name: 'Pass 0a: Obligation Extraction',
+    nameShort: 'Pass 0a',
+    package: 'betrieb',
+    seq: 5300,
+    checkpointId: 'CP-P0A',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Extraktion von ~181.000 normativen Pflichten aus Rich Controls via Claude Haiku (Batch API).',
+    descriptionLong: 'Pass 0a zerlegt jeden Rich Control in einzelne normative Obligations via Claude Haiku (Anthropic Batch API, 50% Kostenreduktion). Jede Obligation wird klassifiziert: Pflicht/Empfehlung/Kann, Test-Obligation ja/nein, Reporting-Obligation ja/nein. Quality Gate mit 6 Regeln: nur normative Aussagen, ein Hauptverb, Test/Reporting separat, kein Evidence-Level-Split. Ergebnis: ~181.000 validierte Obligations mit action, object, condition, normative_strength.',
+    legalBasis: 'Pipeline-intern (Normative Obligation Extraction)',
+    inputs: ['canonicalControls'],
+    outputs: ['obligationCandidates'],
+    prerequisiteSteps: ['control-library'],
+    dbTables: ['obligation_candidates'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 90,
+  },
+  {
+    id: 'atomic-composition',
+    name: 'Pass 0b: Atomic Composition',
+    nameShort: 'Pass 0b',
+    package: 'betrieb',
+    seq: 5400,
+    checkpointId: 'CP-P0B',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: 'Komposition atomarer MCP-tauglicher Controls aus Obligations via Claude Sonnet + Pre-LLM Ontology-Filter.',
+    descriptionLong: 'Pass 0b verwandelt jede validierte Obligation in ein eigenstaendiges atomares Control via Claude Sonnet (Anthropic Batch API). Vor dem LLM-Call klassifiziert die Control Ontology (26 Action Types) jede Obligation: atomic (an LLM senden), composite (ueberspringen), evidence (ueberspringen), framework_container (ueberspringen). MCP-taugliche Output-Felder: assertion (pruefbare Aussage), pass_criteria, fail_criteria, check_type (technical_config_check, document_clause_check, code_pattern_check), dependency_hints, lifecycle_phase_order (1-13). Canonical Key Format: action_type:normalized_object:control_phase.',
+    legalBasis: 'Pipeline-intern (Atomic Control Composition)',
+    inputs: ['obligationCandidates'],
+    outputs: ['atomicControls'],
+    prerequisiteSteps: ['obligation-extraction'],
+    dbTables: ['canonical_controls', 'control_parent_links'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 80,
+  },
+  {
+    id: 'dependency-engine',
+    name: 'Dependency Engine + Evaluation',
+    nameShort: 'Dependencies',
+    package: 'betrieb',
+    seq: 5500,
+    checkpointId: 'CP-DEP',
+    checkpointType: 'REQUIRED',
+    checkpointReviewer: 'NONE',
+    description: '5 Dependency-Typen, generische Condition Language, automatische Generierung via Ontology + Domain Packs.',
+    descriptionLong: 'Die Dependency Engine modelliert logische Abhaengigkeiten zwischen Controls: supersedes (A ersetzt B), prerequisite (A muss vor B), compensating_control (A kompensiert B-Failure), scope_exclusion (A schliesst B aus), conditional_requirement (B nur unter Bedingung). Generische Condition Language (AND/OR/NOT + Feldoperatoren). Priority-basierte Konfliktloesung. Zykluserkennung (DFS). Automatische Generierung via: (1) Ontology (Phase-Sequenz), (2) Pattern-Regeln, (3) Domain Packs (DSGVO, AI Act, CRA, Security, Arbeitsrecht). MCP-Output mit dependency_resolution Trace.',
+    legalBasis: 'Pipeline-intern (Control Dependency Resolution)',
+    inputs: ['atomicControls'],
+    outputs: ['evaluatedControls', 'dependencyGraph'],
+    prerequisiteSteps: ['atomic-composition'],
+    dbTables: ['control_dependencies', 'control_evaluation_results'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: false,
+    url: '/sdk/control-library',
+    completion: 100,
+  },
 ]

admin-compliance/app/sdk/sdk-flow/steps-vorbereitung.ts

@@ -53,7 +53,7 @@ export const STEPS_VORBEREITUNG: SDKFlowStep[] = [
     checkpointId: 'CP-UC',
     checkpointType: 'REQUIRED',
     checkpointReviewer: 'NONE',
-    description: 'Systematische Erfassung aller Datenverarbeitungs- und KI-Anwendungsfaelle ueber einen 8-Schritte-Wizard mit Kachel-Auswahl.',
+    description: 'Systematische Erfassung aller Datenverarbeitungs- und KI-Anwendungsfaelle ueber einen 8-Schritte-Wizard mit Kachel-Auswahl. Inkl. BetrVG-Mitbestimmungspruefung und Betriebsrats-Konflikt-Score.',
     descriptionLong: 'In einem 8-Schritte-Wizard werden alle Use Cases erfasst: (1) Grundlegendes — Titel, Beschreibung, KI-Kategorie (21 Kacheln), Branche wird automatisch aus dem Profil abgeleitet. (2) Datenkategorien — ~60 Kategorien in 10 Gruppen als Kacheln (inkl. Art. 9 hervorgehoben). (3) Verarbeitungszweck — 16 Zweck-Kacheln, Rechtsgrundlage wird vom SDK automatisch ermittelt. (4) Automatisierungsgrad — assistiv/teilautomatisiert/vollautomatisiert. (5) Hosting & Modell — Provider, Region, Modellnutzung (Inferenz/RAG/Fine-Tuning/Training). (6) Datentransfer — Transferziele und Schutzmechanismen. (7) Datenhaltung — Aufbewahrungsfristen. (8) Vertraege — vorhandene Compliance-Dokumente. Die RAG-Collection bp_compliance_ce wird verwendet, um relevante CE-Regulierungen automatisch den Use Cases zuzuordnen (UCCA).',
     legalBasis: 'Art. 30 DSGVO (Verzeichnis von Verarbeitungstaetigkeiten)',
     inputs: ['companyProfile'],
@@ -66,6 +66,27 @@ export const STEPS_VORBEREITUNG: SDKFlowStep[] = [
     isOptional: false,
     url: '/sdk/use-cases',
   },
+  {
+    id: 'ai-registration',
+    name: 'EU AI Database Registrierung',
+    nameShort: 'EU-Reg',
+    package: 'vorbereitung',
+    seq: 350,
+    checkpointId: 'CP-REG',
+    checkpointType: 'CONDITIONAL',
+    checkpointReviewer: 'NONE',
+    description: 'Registrierung von Hochrisiko-KI-Systemen in der EU AI Database gemaess Art. 49 KI-Verordnung.',
+    descriptionLong: 'Fuer Hochrisiko-KI-Systeme (Annex III) ist eine Registrierung in der EU AI Database Pflicht. Ein 6-Schritte-Wizard fuehrt durch den Prozess: (1) Anbieter-Daten — Name, Rechtsform, Adresse, EU-Repraesentant. (2) System-Details — Name, Version, Beschreibung, Einsatzzweck (vorausgefuellt aus UCCA Assessment). (3) Klassifikation — Risikoklasse und Annex III Kategorie (aus Decision Tree). (4) Konformitaet — CE-Kennzeichnung, Notified Body. (5) Trainingsdaten — Zusammenfassung der Datenquellen (Art. 10). (6) Pruefung + Export — JSON-Download fuer EU-Datenbank-Submission. Der Status-Workflow ist: Entwurf → Bereit → Eingereicht → Registriert.',
+    legalBasis: 'Art. 49 KI-Verordnung (EU) 2024/1689',
+    inputs: ['useCases', 'companyProfile'],
+    outputs: ['euRegistration'],
+    prerequisiteSteps: ['use-case-assessment'],
+    dbTables: ['ai_system_registrations'],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: true,
+    url: '/sdk/ai-registration',
+  },
   {
     id: 'import',
     name: 'Dokument-Import',

admin-compliance/app/sdk/use-cases/[id]/page.tsx

@@ -4,6 +4,8 @@ import React, { useState, useEffect } from 'react'
 import { useParams, useRouter } from 'next/navigation'
 import Link from 'next/link'
 import { AssessmentResultCard } from '@/components/sdk/use-case-assessment/AssessmentResultCard'
+import { OptimizerUpsellCard } from '@/components/sdk/compliance-optimizer/OptimizerUpsellCard'
+import { EnrichmentHints } from '@/components/sdk/assessment/EnrichmentHints'
 
 interface TriggeredRule {
   code: string
@@ -57,6 +59,8 @@ interface FullAssessment {
   dsfa_recommended: boolean
   art22_risk: boolean
   training_allowed: string
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
   triggered_rules?: TriggeredRule[]
   required_controls?: RequiredControl[]
   recommended_architecture?: PatternRecommendation[]
@@ -136,6 +140,18 @@ export default function AssessmentDetailPage() {
     }
   }
 
+  const [optimizing, setOptimizing] = useState(false)
+  const handleOptimize = async () => {
+    setOptimizing(true)
+    try {
+      const res = await fetch(`/api/sdk/v1/maximizer/optimize-from-assessment/${assessmentId}`, { method: 'POST' })
+      if (res.ok) {
+        const data = await res.json()
+        router.push(`/sdk/compliance-optimizer/${data.id}`)
+      }
+    } catch { /* silent */ } finally { setOptimizing(false) }
+  }
+
   if (loading) {
     return (
       <div className="flex items-center justify-center h-64">
@@ -167,6 +183,8 @@ export default function AssessmentDetailPage() {
     dsfa_recommended: assessment.dsfa_recommended,
     art22_risk: assessment.art22_risk,
     training_allowed: assessment.training_allowed,
+    betrvg_conflict_score: assessment.betrvg_conflict_score,
+    betrvg_consultation_required: assessment.betrvg_consultation_required,
     // AssessmentResultCard expects rule_code; backend stores code — map here
     triggered_rules: assessment.triggered_rules?.map(r => ({
       rule_code: r.code,
@@ -230,6 +248,13 @@ export default function AssessmentDetailPage() {
           >
             ↓ JSON
           </a>
+          <button
+            onClick={handleOptimize}
+            disabled={optimizing}
+            className="px-4 py-2 text-sm bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-colors disabled:opacity-50"
+          >
+            {optimizing ? 'Optimiere...' : 'Optimieren'}
+          </button>
           <Link
             href={`/sdk/use-cases/new?edit=${assessmentId}`}
             className="px-4 py-2 text-sm bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
@@ -269,6 +294,18 @@ export default function AssessmentDetailPage() {
       {/* Result */}
       <AssessmentResultCard result={resultForCard as Parameters<typeof AssessmentResultCard>[0]['result']} />
 
+      {/* Enrichment Hints */}
+      {assessment.enrichment_hints && (
+        <EnrichmentHints hints={assessment.enrichment_hints} />
+      )}
+
+      {/* Compliance Optimizer Upsell */}
+      <OptimizerUpsellCard
+        feasibility={assessment.feasibility}
+        assessmentId={assessmentId}
+        riskScore={assessment.risk_score}
+      />
+
       {/* KI-Erklärung */}
       {assessment.explanation_text && (
         <div className="bg-purple-50 border border-purple-200 rounded-xl p-6">

admin-compliance/app/sdk/use-cases/page.tsx

@@ -10,6 +10,8 @@ interface Assessment {
   feasibility: string
   risk_level: string
   risk_score: number
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
   domain: string
   created_at: string
 }
@@ -194,6 +196,16 @@ export default function UseCasesPage() {
                       <span className={`px-2 py-0.5 text-xs rounded-full ${feasibility.bg} ${feasibility.text}`}>
                         {feasibility.label}
                       </span>
+                      {assessment.betrvg_conflict_score != null && assessment.betrvg_conflict_score > 0 && (
+                        <span className={`px-2 py-0.5 text-xs rounded-full ${
+                          assessment.betrvg_conflict_score >= 75 ? 'bg-red-100 text-red-700' :
+                          assessment.betrvg_conflict_score >= 50 ? 'bg-orange-100 text-orange-700' :
+                          assessment.betrvg_conflict_score >= 25 ? 'bg-yellow-100 text-yellow-700' :
+                          'bg-green-100 text-green-700'
+                        }`}>
+                          BR {assessment.betrvg_conflict_score}
+                        </span>
+                      )}
                     </div>
                     <div className="flex items-center gap-4 text-sm text-gray-500">
                       <span>{assessment.domain}</span>

admin-compliance/components/sdk/CookieBannerOverlay.tsx

@@ -0,0 +1,277 @@
+'use client'
+
+import { useState, useEffect, useCallback } from 'react'
+
+/**
+ * CookieBannerOverlay — Live cookie consent banner for the Compliance SDK.
+ *
+ * - Opens automatically on first visit (localStorage check)
+ * - Can be reopened via FAB button (right-[10rem])
+ * - Records consent choice to localStorage
+ * - Fires custom event 'sdkCookieConsentUpdated' for other components
+ */
+
+const STORAGE_KEY = 'bp-sdk-cookie-consent'
+
+interface ConsentState {
+  necessary: boolean
+  statistics: boolean
+  marketing: boolean
+  functional: boolean
+  timestamp: string
+}
+
+function getStoredConsent(): ConsentState | null {
+  if (typeof window === 'undefined') return null
+  try {
+    const raw = localStorage.getItem(STORAGE_KEY)
+    if (!raw) return null
+    return JSON.parse(raw)
+  } catch {
+    return null
+  }
+}
+
+export function CookieBannerOverlay() {
+  const [isOpen, setIsOpen] = useState(false)
+  const [showSettings, setShowSettings] = useState(false)
+  const [consent, setConsent] = useState<ConsentState>({
+    necessary: true,
+    statistics: false,
+    marketing: false,
+    functional: false,
+    timestamp: '',
+  })
+
+  // Check on mount if consent was already given
+  useEffect(() => {
+    const stored = getStoredConsent()
+    if (!stored) {
+      // First visit — show banner
+      setIsOpen(true)
+    } else {
+      setConsent(stored)
+    }
+  }, [])
+
+  // Listen for reopen event from FAB button
+  useEffect(() => {
+    const handler = () => {
+      setIsOpen(true)
+      setShowSettings(true)
+    }
+    window.addEventListener('openCookieBanner', handler)
+    return () => window.removeEventListener('openCookieBanner', handler)
+  }, [])
+
+  const saveConsent = useCallback((state: ConsentState) => {
+    const withTimestamp = { ...state, timestamp: new Date().toISOString() }
+    localStorage.setItem(STORAGE_KEY, JSON.stringify(withTimestamp))
+    setConsent(withTimestamp)
+    setIsOpen(false)
+    setShowSettings(false)
+    window.dispatchEvent(new CustomEvent('sdkCookieConsentUpdated', { detail: withTimestamp }))
+  }, [])
+
+  const handleAcceptAll = () => {
+    saveConsent({ necessary: true, statistics: true, marketing: true, functional: true, timestamp: '' })
+  }
+
+  const handleRejectAll = () => {
+    saveConsent({ necessary: true, statistics: false, marketing: false, functional: false, timestamp: '' })
+  }
+
+  const handleSaveSettings = () => {
+    saveConsent(consent)
+  }
+
+  if (!isOpen) return null
+
+  return (
+    <>
+      {/* Overlay */}
+      <div
+        className="fixed inset-0 bg-black/40 z-[9998] transition-opacity duration-300"
+        onClick={() => {/* Don't close on overlay click — consent is required */}}
+      />
+
+      {/* Banner */}
+      <div className="fixed bottom-0 left-0 right-0 z-[9999] animate-in slide-in-from-bottom duration-300">
+        <div className="max-w-3xl mx-auto m-4 bg-white rounded-2xl shadow-2xl border border-gray-200 overflow-hidden">
+          {/* Header */}
+          <div className="px-6 pt-6 pb-4">
+            <h2 className="text-lg font-semibold text-gray-900 flex items-center gap-2">
+              <svg className="w-5 h-5 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+              </svg>
+              Cookie-Einstellungen
+            </h2>
+            <p className="text-sm text-gray-600 mt-2 leading-relaxed">
+              Wir verwenden Cookies und aehnliche Technologien, um Ihnen die bestmoegliche Erfahrung zu bieten.
+              Sie koennen Ihre Praeferenzen jederzeit aendern.
+            </p>
+            <div className="flex items-center gap-4 mt-2 text-xs text-gray-500">
+              <a href="/sdk/einwilligungen/cookie-banner" className="hover:text-purple-600 underline">
+                Datenschutzerklaerung
+              </a>
+              <span>|</span>
+              <a href="/sdk/einwilligungen" className="hover:text-purple-600 underline">
+                Impressum
+              </a>
+            </div>
+          </div>
+
+          {/* Category Settings (expandable) */}
+          {showSettings && (
+            <div className="px-6 pb-4 space-y-3 border-t border-gray-100 pt-4">
+              {/* Necessary — always on */}
+              <CategoryToggle
+                label="Notwendig"
+                description="Fuer die Grundfunktionen der Website erforderlich."
+                checked={true}
+                disabled={true}
+                onChange={() => {}}
+              />
+              <CategoryToggle
+                label="Statistik"
+                description="Helfen uns zu verstehen, wie Besucher mit der Website interagieren."
+                checked={consent.statistics}
+                onChange={(v) => setConsent(prev => ({ ...prev, statistics: v }))}
+              />
+              <CategoryToggle
+                label="Marketing"
+                description="Werden verwendet, um Besuchern relevante Werbung zu zeigen."
+                checked={consent.marketing}
+                onChange={(v) => setConsent(prev => ({ ...prev, marketing: v }))}
+              />
+              <CategoryToggle
+                label="Funktional"
+                description="Ermoeglichen erweiterte Funktionen und Personalisierung."
+                checked={consent.functional}
+                onChange={(v) => setConsent(prev => ({ ...prev, functional: v }))}
+              />
+            </div>
+          )}
+
+          {/* Buttons */}
+          <div className="px-6 py-4 bg-gray-50 border-t border-gray-100 flex flex-wrap items-center gap-3">
+            {!showSettings ? (
+              <>
+                <button
+                  onClick={handleAcceptAll}
+                  className="flex-1 min-w-[140px] px-4 py-2.5 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 transition-colors text-sm"
+                >
+                  Alle akzeptieren
+                </button>
+                <button
+                  onClick={handleRejectAll}
+                  className="flex-1 min-w-[140px] px-4 py-2.5 bg-gray-200 text-gray-700 rounded-lg font-medium hover:bg-gray-300 transition-colors text-sm"
+                >
+                  Nur notwendige
+                </button>
+                <button
+                  onClick={() => setShowSettings(true)}
+                  className="flex-1 min-w-[140px] px-4 py-2.5 border border-gray-300 text-gray-700 rounded-lg font-medium hover:bg-gray-100 transition-colors text-sm"
+                >
+                  Einstellungen
+                </button>
+              </>
+            ) : (
+              <>
+                <button
+                  onClick={handleSaveSettings}
+                  className="flex-1 min-w-[140px] px-4 py-2.5 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 transition-colors text-sm"
+                >
+                  Auswahl speichern
+                </button>
+                <button
+                  onClick={handleAcceptAll}
+                  className="flex-1 min-w-[140px] px-4 py-2.5 bg-gray-200 text-gray-700 rounded-lg font-medium hover:bg-gray-300 transition-colors text-sm"
+                >
+                  Alle akzeptieren
+                </button>
+                <button
+                  onClick={() => setShowSettings(false)}
+                  className="px-4 py-2.5 text-gray-500 hover:text-gray-700 text-sm"
+                >
+                  Zurueck
+                </button>
+              </>
+            )}
+          </div>
+        </div>
+      </div>
+    </>
+  )
+}
+
+
+/**
+ * FAB button to reopen the cookie banner settings.
+ * Positioned next to ComplianceAdvisor and PipelineSidebar.
+ */
+export function CookieBannerFAB() {
+  const [hasConsent, setHasConsent] = useState(false)
+
+  useEffect(() => {
+    setHasConsent(!!getStoredConsent())
+    const handler = () => setHasConsent(true)
+    window.addEventListener('sdkCookieConsentUpdated', handler)
+    return () => window.removeEventListener('sdkCookieConsentUpdated', handler)
+  }, [])
+
+  // Only show FAB after consent was given (banner is closed)
+  if (!hasConsent) return null
+
+  return (
+    <button
+      onClick={() => window.dispatchEvent(new Event('openCookieBanner'))}
+      className="fixed bottom-6 right-[10rem] w-14 h-14 bg-gray-700 hover:bg-gray-800 text-white rounded-full shadow-lg flex items-center justify-center transition-all duration-200 hover:scale-110 z-50"
+      aria-label="Cookie-Einstellungen oeffnen"
+      title="Cookie-Einstellungen"
+    >
+      <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+        <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+      </svg>
+    </button>
+  )
+}
+
+
+function CategoryToggle({
+  label,
+  description,
+  checked,
+  disabled,
+  onChange,
+}: {
+  label: string
+  description: string
+  checked: boolean
+  disabled?: boolean
+  onChange: (v: boolean) => void
+}) {
+  return (
+    <div className="flex items-start justify-between gap-4 py-2">
+      <div className="flex-1">
+        <div className="text-sm font-medium text-gray-900">{label}</div>
+        <div className="text-xs text-gray-500 mt-0.5">{description}</div>
+      </div>
+      <button
+        onClick={() => !disabled && onChange(!checked)}
+        disabled={disabled}
+        className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors shrink-0 ${
+          checked
+            ? disabled ? 'bg-gray-400' : 'bg-purple-600'
+            : 'bg-gray-200'
+        } ${disabled ? 'cursor-not-allowed opacity-60' : 'cursor-pointer'}`}
+      >
+        <span
+          className={`inline-block h-4 w-4 transform rounded-full bg-white shadow-sm transition-transform ${
+            checked ? 'translate-x-6' : 'translate-x-1'
+          }`}
+        />
+      </button>
+    </div>
+  )
+}

admin-compliance/components/sdk/Sidebar/SidebarModuleList.tsx

@@ -42,6 +42,31 @@ export function SidebarModuleList({ collapsed, projectId, pendingCRCount }: Side
         />
       </div>
 
+      {/* KI-Compliance */}
+      <div className="border-t border-gray-100 py-2">
+        {!collapsed && (
+          <div className="px-4 py-2 text-xs font-medium text-gray-400 uppercase tracking-wider">
+            KI-Compliance
+          </div>
+        )}
+        <AdditionalModuleItem href="/sdk/advisory-board" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" /></svg>} label="Use Case Erfassung" isActive={pathname === '/sdk/advisory-board'} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/use-cases" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 6h16M4 10h16M4 14h16M4 18h16" /></svg>} label="Use Cases" isActive={pathname?.startsWith('/sdk/use-cases') ?? false} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/ai-act" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 10V3L4 14h7v7l9-11h-7z" /></svg>} label="AI Act" isActive={pathname?.startsWith('/sdk/ai-act') ?? false} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/ai-registration" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" /></svg>} label="EU Registrierung" isActive={pathname?.startsWith('/sdk/ai-registration') ?? false} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/compliance-optimizer" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 7h8m0 0v8m0-8l-8 8-4-4-6 6" /></svg>} label="Compliance Optimizer" isActive={pathname?.startsWith('/sdk/compliance-optimizer') ?? false} collapsed={collapsed} projectId={projectId} />
+        <AdditionalModuleItem href="/sdk/agent" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" /></svg>} label="Compliance Agent" isActive={pathname?.startsWith('/sdk/agent') ?? false} collapsed={collapsed} projectId={projectId} />
+      </div>
+
+      {/* Payment / Terminal */}
+      <div className="border-t border-gray-100 py-2">
+        {!collapsed && (
+          <div className="px-4 py-2 text-xs font-medium text-gray-400 uppercase tracking-wider">
+            Payment / Terminal
+          </div>
+        )}
+        <AdditionalModuleItem href="/sdk/payment-compliance" icon={<svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M3 10h18M7 15h1m4 0h1m-7 4h12a3 3 0 003-3V8a3 3 0 00-3-3H6a3 3 0 00-3 3v8a3 3 0 003 3z" /></svg>} label="Payment Compliance" isActive={pathname?.startsWith('/sdk/payment-compliance') ?? false} collapsed={collapsed} projectId={projectId} />
+      </div>
+
       {/* Additional Modules */}
       <div className="border-t border-gray-100 py-2">
         {!collapsed && (

admin-compliance/components/sdk/StepHeader/StepExplanationsPart2.ts

@@ -195,6 +195,16 @@ export const STEP_EXPLANATIONS_PART2: Record<string, ExplanationEntry> = {
       { icon: 'lightbulb' as const, title: 'Variablen', description: 'Nutzen Sie Platzhalter wie {{name}}, {{email}} und {{company}} fuer automatische Personalisierung.' },
     ],
   },
+  'ai-act': {
+    title: 'AI Act Compliance',
+    description: 'Klassifizieren Sie Ihre KI-Systeme nach dem EU AI Act',
+    explanation: 'Der EU AI Act (Verordnung 2024/1689) teilt KI-Systeme in Risikoklassen ein: verboten, Hochrisiko, begrenzt und minimal. Hier registrieren Sie Ihre KI-Systeme, klassifizieren sie ueber den Decision Tree und verwalten die daraus resultierenden Pflichten. Hochrisiko-Systeme erfordern u.a. Risikomanagementsystem, technische Dokumentation, Logging und menschliche Aufsicht.',
+    tips: [
+      { icon: 'warning' as const, title: 'Fristen beachten', description: 'Verbotene KI-Praktiken gelten seit Februar 2025. Hochrisiko-Pflichten greifen ab August 2026.' },
+      { icon: 'lightbulb' as const, title: 'Decision Tree nutzen', description: 'Der 2-Achsen Decision Tree (Hochrisiko + GPAI) hilft bei der systematischen Einstufung nach Annex III.' },
+      { icon: 'info' as const, title: 'GPAI-Modelle', description: 'General Purpose AI (z.B. LLMs) hat eigene Transparenz- und Sicherheitspflichten — pruefen Sie auch Axis 2.' },
+    ],
+  },
   'use-case-workshop': {
     title: 'Use Case Workshop',
     description: 'Erfassen und bewerten Sie Ihre KI-Anwendungsfaelle im Workshop-Format',

admin-compliance/components/sdk/StepHeader/index.ts

@@ -1,2 +1,3 @@
-export { StepHeader, STEP_EXPLANATIONS } from './StepHeader'
+export { StepHeader } from './StepHeader'
+export { STEP_EXPLANATIONS } from './StepExplanations'
 export type { StepTip } from './StepHeader'

admin-compliance/components/sdk/ai-act/DecisionTreeWizard.tsx

@@ -0,0 +1,554 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+interface DecisionTreeQuestion {
+  id: string
+  axis: 'high_risk' | 'gpai'
+  question: string
+  description: string
+  article_ref: string
+  skip_if?: string
+}
+
+interface DecisionTreeDefinition {
+  id: string
+  name: string
+  version: string
+  questions: DecisionTreeQuestion[]
+}
+
+interface DecisionTreeAnswer {
+  question_id: string
+  value: boolean
+  note?: string
+}
+
+interface GPAIClassification {
+  is_gpai: boolean
+  is_systemic_risk: boolean
+  gpai_category: 'none' | 'standard' | 'systemic'
+  applicable_articles: string[]
+  obligations: string[]
+}
+
+interface DecisionTreeResult {
+  id: string
+  tenant_id: string
+  system_name: string
+  system_description?: string
+  answers: Record<string, DecisionTreeAnswer>
+  high_risk_result: string
+  gpai_result: GPAIClassification
+  combined_obligations: string[]
+  applicable_articles: string[]
+  created_at: string
+}
+
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+
+const RISK_LEVEL_CONFIG: Record<string, { label: string; color: string; bg: string; border: string }> = {
+  unacceptable: { label: 'Unzulässig', color: 'text-red-700', bg: 'bg-red-50', border: 'border-red-200' },
+  high_risk: { label: 'Hochrisiko', color: 'text-orange-700', bg: 'bg-orange-50', border: 'border-orange-200' },
+  limited_risk: { label: 'Begrenztes Risiko', color: 'text-yellow-700', bg: 'bg-yellow-50', border: 'border-yellow-200' },
+  minimal_risk: { label: 'Minimales Risiko', color: 'text-green-700', bg: 'bg-green-50', border: 'border-green-200' },
+  not_applicable: { label: 'Nicht anwendbar', color: 'text-gray-500', bg: 'bg-gray-50', border: 'border-gray-200' },
+}
+
+const GPAI_CONFIG: Record<string, { label: string; color: string; bg: string; border: string }> = {
+  none: { label: 'Kein GPAI', color: 'text-gray-500', bg: 'bg-gray-50', border: 'border-gray-200' },
+  standard: { label: 'GPAI Standard', color: 'text-blue-700', bg: 'bg-blue-50', border: 'border-blue-200' },
+  systemic: { label: 'GPAI Systemisches Risiko', color: 'text-purple-700', bg: 'bg-purple-50', border: 'border-purple-200' },
+}
+
+// =============================================================================
+// MAIN COMPONENT
+// =============================================================================
+
+export default function DecisionTreeWizard() {
+  const [definition, setDefinition] = useState<DecisionTreeDefinition | null>(null)
+  const [answers, setAnswers] = useState<Record<string, DecisionTreeAnswer>>({})
+  const [currentIdx, setCurrentIdx] = useState(0)
+  const [systemName, setSystemName] = useState('')
+  const [systemDescription, setSystemDescription] = useState('')
+  const [result, setResult] = useState<DecisionTreeResult | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const [phase, setPhase] = useState<'intro' | 'questions' | 'result'>('intro')
+
+  // Load decision tree definition
+  useEffect(() => {
+    const load = async () => {
+      try {
+        const res = await fetch('/api/sdk/v1/ucca/decision-tree')
+        if (res.ok) {
+          const data = await res.json()
+          setDefinition(data)
+        } else {
+          setError('Entscheidungsbaum konnte nicht geladen werden')
+        }
+      } catch {
+        setError('Verbindung zum Backend fehlgeschlagen')
+      } finally {
+        setLoading(false)
+      }
+    }
+    load()
+  }, [])
+
+  // Get visible questions (respecting skip logic)
+  const getVisibleQuestions = useCallback((): DecisionTreeQuestion[] => {
+    if (!definition) return []
+    return definition.questions.filter(q => {
+      if (!q.skip_if) return true
+      // Skip this question if the gate question was answered "no"
+      const gateAnswer = answers[q.skip_if]
+      if (gateAnswer && !gateAnswer.value) return false
+      return true
+    })
+  }, [definition, answers])
+
+  const visibleQuestions = getVisibleQuestions()
+  const currentQuestion = visibleQuestions[currentIdx]
+  const totalVisible = visibleQuestions.length
+
+  const highRiskQuestions = visibleQuestions.filter(q => q.axis === 'high_risk')
+  const gpaiQuestions = visibleQuestions.filter(q => q.axis === 'gpai')
+
+  const handleAnswer = (value: boolean) => {
+    if (!currentQuestion) return
+    setAnswers(prev => ({
+      ...prev,
+      [currentQuestion.id]: {
+        question_id: currentQuestion.id,
+        value,
+      },
+    }))
+
+    // Auto-advance
+    if (currentIdx < totalVisible - 1) {
+      setCurrentIdx(prev => prev + 1)
+    }
+  }
+
+  const handleBack = () => {
+    if (currentIdx > 0) {
+      setCurrentIdx(prev => prev - 1)
+    }
+  }
+
+  const handleSubmit = async () => {
+    setSaving(true)
+    setError(null)
+
+    try {
+      const res = await fetch('/api/sdk/v1/ucca/decision-tree/evaluate', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          system_name: systemName,
+          system_description: systemDescription,
+          answers,
+        }),
+      })
+
+      if (res.ok) {
+        const data = await res.json()
+        setResult(data)
+        setPhase('result')
+      } else {
+        const err = await res.json().catch(() => ({ error: 'Auswertung fehlgeschlagen' }))
+        setError(err.error || 'Auswertung fehlgeschlagen')
+      }
+    } catch {
+      setError('Verbindung zum Backend fehlgeschlagen')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  const handleReset = () => {
+    setAnswers({})
+    setCurrentIdx(0)
+    setSystemName('')
+    setSystemDescription('')
+    setResult(null)
+    setPhase('intro')
+    setError(null)
+  }
+
+  const allAnswered = visibleQuestions.every(q => answers[q.id] !== undefined)
+
+  if (loading) {
+    return (
+      <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+        <div className="w-10 h-10 border-2 border-purple-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+        <p className="text-gray-500">Entscheidungsbaum wird geladen...</p>
+      </div>
+    )
+  }
+
+  if (error && !definition) {
+    return (
+      <div className="bg-red-50 border border-red-200 rounded-xl p-6 text-center">
+        <p className="text-red-700">{error}</p>
+        <p className="text-red-500 text-sm mt-2">Bitte stellen Sie sicher, dass der AI Compliance SDK Service läuft.</p>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // INTRO PHASE
+  // =========================================================================
+  if (phase === 'intro') {
+    return (
+      <div className="space-y-6">
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <h3 className="text-lg font-semibold text-gray-900 mb-2">AI Act Entscheidungsbaum</h3>
+          <p className="text-sm text-gray-500 mb-6">
+            Klassifizieren Sie Ihr KI-System anhand von 12 Fragen auf zwei Achsen:
+            <strong> High-Risk</strong> (Anhang III) und <strong>GPAI</strong> (Art. 51–56).
+          </p>
+
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+            <div className="p-4 bg-orange-50 border border-orange-200 rounded-lg">
+              <div className="flex items-center gap-2 mb-2">
+                <svg className="w-5 h-5 text-orange-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                  <path strokeLinecap="round" strokeLinejoin="round" d="M12 9v3.75m-9.303 3.376c-.866 1.5.217 3.374 1.948 3.374h14.71c1.73 0 2.813-1.874 1.948-3.374L13.949 3.378c-.866-1.5-3.032-1.5-3.898 0L2.697 16.126z" />
+                </svg>
+                <span className="font-medium text-orange-700">Achse 1: High-Risk</span>
+              </div>
+              <p className="text-sm text-orange-600">7 Fragen zu Anhang III Kategorien (Biometrie, kritische Infrastruktur, Bildung, Beschäftigung, etc.)</p>
+            </div>
+            <div className="p-4 bg-blue-50 border border-blue-200 rounded-lg">
+              <div className="flex items-center gap-2 mb-2">
+                <svg className="w-5 h-5 text-blue-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                  <path strokeLinecap="round" strokeLinejoin="round" d="M9.813 15.904L9 18.75l-.813-2.846a4.5 4.5 0 00-3.09-3.09L2.25 12l2.846-.813a4.5 4.5 0 003.09-3.09L9 5.25l.813 2.846a4.5 4.5 0 003.09 3.09L15.75 12l-2.846.813a4.5 4.5 0 00-3.09 3.09z" />
+                </svg>
+                <span className="font-medium text-blue-700">Achse 2: GPAI</span>
+              </div>
+              <p className="text-sm text-blue-600">5 Fragen zu General-Purpose AI (Foundation Models, systemisches Risiko, Art. 51–56)</p>
+            </div>
+          </div>
+
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Name des KI-Systems *</label>
+              <input
+                type="text"
+                value={systemName}
+                onChange={e => setSystemName(e.target.value)}
+                placeholder="z.B. Dokumenten-Analyse-KI, Chatbot-Service, Code-Assistent"
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Beschreibung (optional)</label>
+              <textarea
+                value={systemDescription}
+                onChange={e => setSystemDescription(e.target.value)}
+                placeholder="Kurze Beschreibung des KI-Systems und seines Einsatzzwecks..."
+                rows={2}
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+              />
+            </div>
+          </div>
+
+          <div className="mt-6 flex justify-end">
+            <button
+              onClick={() => setPhase('questions')}
+              disabled={!systemName.trim()}
+              className={`px-6 py-2 rounded-lg font-medium transition-colors ${
+                systemName.trim()
+                  ? 'bg-purple-600 text-white hover:bg-purple-700'
+                  : 'bg-gray-200 text-gray-400 cursor-not-allowed'
+              }`}
+            >
+              Klassifizierung starten
+            </button>
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // RESULT PHASE
+  // =========================================================================
+  if (phase === 'result' && result) {
+    const riskConfig = RISK_LEVEL_CONFIG[result.high_risk_result] || RISK_LEVEL_CONFIG.not_applicable
+    const gpaiConfig = GPAI_CONFIG[result.gpai_result.gpai_category] || GPAI_CONFIG.none
+
+    return (
+      <div className="space-y-6">
+        {/* Header */}
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="flex items-center justify-between mb-4">
+            <h3 className="text-lg font-semibold text-gray-900">Klassifizierungsergebnis: {result.system_name}</h3>
+            <button
+              onClick={handleReset}
+              className="px-4 py-2 text-sm text-purple-600 hover:bg-purple-50 rounded-lg transition-colors"
+            >
+              Neue Klassifizierung
+            </button>
+          </div>
+
+          {/* Two-Axis Result Cards */}
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-4 mb-6">
+            <div className={`p-5 rounded-xl border-2 ${riskConfig.border} ${riskConfig.bg}`}>
+              <div className="text-sm font-medium text-gray-500 mb-1">Achse 1: High-Risk (Anhang III)</div>
+              <div className={`text-xl font-bold ${riskConfig.color}`}>{riskConfig.label}</div>
+            </div>
+            <div className={`p-5 rounded-xl border-2 ${gpaiConfig.border} ${gpaiConfig.bg}`}>
+              <div className="text-sm font-medium text-gray-500 mb-1">Achse 2: GPAI (Art. 51–56)</div>
+              <div className={`text-xl font-bold ${gpaiConfig.color}`}>{gpaiConfig.label}</div>
+              {result.gpai_result.is_systemic_risk && (
+                <div className="mt-1 text-xs text-purple-600 font-medium">Systemisches Risiko</div>
+              )}
+            </div>
+          </div>
+        </div>
+
+        {/* Applicable Articles */}
+        {result.applicable_articles && result.applicable_articles.length > 0 && (
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h4 className="text-sm font-semibold text-gray-900 mb-3">Anwendbare Artikel</h4>
+            <div className="flex flex-wrap gap-2">
+              {result.applicable_articles.map(art => (
+                <span key={art} className="px-3 py-1 text-xs bg-indigo-50 text-indigo-700 rounded-full border border-indigo-200">
+                  {art}
+                </span>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* Combined Obligations */}
+        {result.combined_obligations && result.combined_obligations.length > 0 && (
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h4 className="text-sm font-semibold text-gray-900 mb-3">
+              Pflichten ({result.combined_obligations.length})
+            </h4>
+            <div className="space-y-2">
+              {result.combined_obligations.map((obl, i) => (
+                <div key={i} className="flex items-start gap-2 text-sm">
+                  <svg className="w-4 h-4 text-purple-500 mt-0.5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                    <path strokeLinecap="round" strokeLinejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+                  </svg>
+                  <span className="text-gray-700">{obl}</span>
+                </div>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* GPAI-specific obligations */}
+        {result.gpai_result.is_gpai && result.gpai_result.obligations.length > 0 && (
+          <div className="bg-blue-50 rounded-xl border border-blue-200 p-6">
+            <h4 className="text-sm font-semibold text-blue-900 mb-3">
+              GPAI-spezifische Pflichten ({result.gpai_result.obligations.length})
+            </h4>
+            <div className="space-y-2">
+              {result.gpai_result.obligations.map((obl, i) => (
+                <div key={i} className="flex items-start gap-2 text-sm">
+                  <svg className="w-4 h-4 text-blue-500 mt-0.5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                    <path strokeLinecap="round" strokeLinejoin="round" d="M11.25 11.25l.041-.02a.75.75 0 011.063.852l-.708 2.836a.75.75 0 001.063.853l.041-.021M21 12a9 9 0 11-18 0 9 9 0 0118 0zm-9-3.75h.008v.008H12V8.25z" />
+                  </svg>
+                  <span className="text-blue-800">{obl}</span>
+                </div>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {/* Answer Summary */}
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <h4 className="text-sm font-semibold text-gray-900 mb-3">Ihre Antworten</h4>
+          <div className="space-y-2">
+            {definition?.questions.map(q => {
+              const answer = result.answers[q.id]
+              if (!answer) return null
+              return (
+                <div key={q.id} className="flex items-center gap-3 text-sm py-1.5 border-b border-gray-100 last:border-0">
+                  <span className="text-xs font-mono text-gray-400 w-8">{q.id}</span>
+                  <span className="flex-1 text-gray-600">{q.question}</span>
+                  <span className={`px-2 py-0.5 rounded text-xs font-medium ${
+                    answer.value ? 'bg-green-100 text-green-700' : 'bg-gray-100 text-gray-500'
+                  }`}>
+                    {answer.value ? 'Ja' : 'Nein'}
+                  </span>
+                </div>
+              )
+            })}
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  // =========================================================================
+  // QUESTIONS PHASE
+  // =========================================================================
+  return (
+    <div className="space-y-6">
+      {/* Progress */}
+      <div className="bg-white rounded-xl border border-gray-200 p-4">
+        <div className="flex items-center justify-between mb-3">
+          <span className="text-sm font-medium text-gray-700">
+            {systemName} — Frage {currentIdx + 1} von {totalVisible}
+          </span>
+          <span className={`px-2 py-1 text-xs rounded-full font-medium ${
+            currentQuestion?.axis === 'high_risk'
+              ? 'bg-orange-100 text-orange-700'
+              : 'bg-blue-100 text-blue-700'
+          }`}>
+            {currentQuestion?.axis === 'high_risk' ? 'High-Risk' : 'GPAI'}
+          </span>
+        </div>
+
+        {/* Dual progress bar */}
+        <div className="flex gap-2">
+          <div className="flex-1">
+            <div className="text-[10px] text-orange-600 mb-1 font-medium">
+              Achse 1: High-Risk ({highRiskQuestions.filter(q => answers[q.id] !== undefined).length}/{highRiskQuestions.length})
+            </div>
+            <div className="h-1.5 bg-gray-100 rounded-full overflow-hidden">
+              <div
+                className="h-full bg-orange-500 rounded-full transition-all"
+                style={{ width: `${highRiskQuestions.length ? (highRiskQuestions.filter(q => answers[q.id] !== undefined).length / highRiskQuestions.length) * 100 : 0}%` }}
+              />
+            </div>
+          </div>
+          <div className="flex-1">
+            <div className="text-[10px] text-blue-600 mb-1 font-medium">
+              Achse 2: GPAI ({gpaiQuestions.filter(q => answers[q.id] !== undefined).length}/{gpaiQuestions.length})
+            </div>
+            <div className="h-1.5 bg-gray-100 rounded-full overflow-hidden">
+              <div
+                className="h-full bg-blue-500 rounded-full transition-all"
+                style={{ width: `${gpaiQuestions.length ? (gpaiQuestions.filter(q => answers[q.id] !== undefined).length / gpaiQuestions.length) * 100 : 0}%` }}
+              />
+            </div>
+          </div>
+        </div>
+      </div>
+
+      {/* Error */}
+      {error && (
+        <div className="p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 flex items-center justify-between">
+          <span>{error}</span>
+          <button onClick={() => setError(null)} className="text-red-500 hover:text-red-700">&times;</button>
+        </div>
+      )}
+
+      {/* Current Question */}
+      {currentQuestion && (
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="flex items-start gap-3 mb-4">
+            <span className="px-2 py-1 text-xs font-mono bg-gray-100 text-gray-500 rounded">{currentQuestion.id}</span>
+            <span className="px-2 py-1 text-xs bg-purple-50 text-purple-700 rounded">{currentQuestion.article_ref}</span>
+          </div>
+
+          <h3 className="text-lg font-semibold text-gray-900 mb-3">{currentQuestion.question}</h3>
+          <p className="text-sm text-gray-500 mb-6">{currentQuestion.description}</p>
+
+          {/* Answer buttons */}
+          <div className="grid grid-cols-2 gap-4">
+            <button
+              onClick={() => handleAnswer(true)}
+              className={`p-4 rounded-xl border-2 transition-all text-center font-medium ${
+                answers[currentQuestion.id]?.value === true
+                  ? 'border-green-500 bg-green-50 text-green-700'
+                  : 'border-gray-200 hover:border-green-300 hover:bg-green-50/50 text-gray-700'
+              }`}
+            >
+              <svg className="w-8 h-8 mx-auto mb-2 text-green-500" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                <path strokeLinecap="round" strokeLinejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+              Ja
+            </button>
+            <button
+              onClick={() => handleAnswer(false)}
+              className={`p-4 rounded-xl border-2 transition-all text-center font-medium ${
+                answers[currentQuestion.id]?.value === false
+                  ? 'border-gray-500 bg-gray-50 text-gray-700'
+                  : 'border-gray-200 hover:border-gray-300 hover:bg-gray-50/50 text-gray-700'
+              }`}
+            >
+              <svg className="w-8 h-8 mx-auto mb-2 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+                <path strokeLinecap="round" strokeLinejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+              </svg>
+              Nein
+            </button>
+          </div>
+        </div>
+      )}
+
+      {/* Navigation */}
+      <div className="flex items-center justify-between">
+        <button
+          onClick={currentIdx === 0 ? () => setPhase('intro') : handleBack}
+          className="px-4 py-2 text-sm text-gray-600 hover:bg-gray-100 rounded-lg transition-colors"
+        >
+          Zurück
+        </button>
+
+        <div className="flex items-center gap-1">
+          {visibleQuestions.map((q, i) => (
+            <button
+              key={q.id}
+              onClick={() => setCurrentIdx(i)}
+              className={`w-2.5 h-2.5 rounded-full transition-colors ${
+                i === currentIdx
+                  ? q.axis === 'high_risk' ? 'bg-orange-500' : 'bg-blue-500'
+                  : answers[q.id] !== undefined
+                    ? 'bg-green-400'
+                    : 'bg-gray-200'
+              }`}
+              title={`${q.id}: ${q.question}`}
+            />
+          ))}
+        </div>
+
+        {allAnswered ? (
+          <button
+            onClick={handleSubmit}
+            disabled={saving}
+            className={`px-6 py-2 rounded-lg font-medium transition-colors ${
+              saving
+                ? 'bg-purple-300 text-white cursor-wait'
+                : 'bg-purple-600 text-white hover:bg-purple-700'
+            }`}
+          >
+            {saving ? (
+              <span className="flex items-center gap-2">
+                <svg className="w-4 h-4 animate-spin" fill="none" viewBox="0 0 24 24">
+                  <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+                  <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
+                </svg>
+                Auswertung...
+              </span>
+            ) : (
+              'Auswerten'
+            )}
+          </button>
+        ) : (
+          <button
+            onClick={() => setCurrentIdx(prev => Math.min(prev + 1, totalVisible - 1))}
+            disabled={currentIdx >= totalVisible - 1}
+            className="px-4 py-2 text-sm text-purple-600 hover:bg-purple-50 rounded-lg transition-colors disabled:opacity-30"
+          >
+            Weiter
+          </button>
+        )}
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/assessment/EnrichmentHints.tsx

@@ -0,0 +1,70 @@
+'use client'
+
+import Link from 'next/link'
+
+interface EnrichmentHint {
+  field: string
+  label: string
+  impact: string
+  regulation: string
+  priority: string
+}
+
+const PRIORITY_STYLES = {
+  high: { icon: '⚠️', border: 'border-amber-300', bg: 'bg-amber-50' },
+  medium: { icon: 'ℹ️', border: 'border-blue-200', bg: 'bg-blue-50' },
+  low: { icon: '💡', border: 'border-gray-200', bg: 'bg-gray-50' },
+}
+
+export function EnrichmentHints({ hints }: { hints: EnrichmentHint[] }) {
+  if (!hints || hints.length === 0) return null
+
+  const highPriority = hints.filter(h => h.priority === 'high')
+  const otherPriority = hints.filter(h => h.priority !== 'high')
+
+  return (
+    <div className="bg-amber-50 border border-amber-200 rounded-xl p-5">
+      <div className="flex items-start gap-3">
+        <span className="text-xl">📋</span>
+        <div className="flex-1">
+          <h3 className="text-sm font-semibold text-amber-900">
+            Bewertung verbessern — {hints.length} fehlende Firmendaten
+          </h3>
+          <p className="text-xs text-amber-700 mt-1 mb-3">
+            Ergaenzen Sie diese Daten im Unternehmensprofil fuer eine vollstaendige regulatorische Bewertung.
+          </p>
+
+          <div className="space-y-2">
+            {highPriority.map((h, i) => {
+              const style = PRIORITY_STYLES[h.priority as keyof typeof PRIORITY_STYLES] || PRIORITY_STYLES.medium
+              return (
+                <div key={i} className={`flex items-start gap-2 ${style.bg} border ${style.border} rounded-lg px-3 py-2`}>
+                  <span className="text-sm">{style.icon}</span>
+                  <div className="flex-1 min-w-0">
+                    <span className="text-sm font-medium text-gray-800">{h.label}</span>
+                    <span className="text-xs text-gray-500 ml-2 px-1.5 py-0.5 bg-white rounded">{h.regulation}</span>
+                    <p className="text-xs text-gray-600 mt-0.5">{h.impact}</p>
+                  </div>
+                </div>
+              )
+            })}
+            {otherPriority.map((h, i) => (
+              <div key={`other-${i}`} className="flex items-center gap-2 text-sm text-gray-600">
+                <span>ℹ️</span>
+                <span>{h.label}</span>
+                <span className="text-xs text-gray-400">({h.regulation})</span>
+              </div>
+            ))}
+          </div>
+
+          <Link
+            href="/sdk/company-profile"
+            className="inline-flex items-center gap-1 mt-3 text-sm text-blue-600 hover:text-blue-800 font-medium"
+          >
+            Unternehmensprofil ergaenzen →
+          </Link>
+        </div>
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/compliance-optimizer/ConfigComparison.tsx

@@ -0,0 +1,52 @@
+'use client'
+
+interface DimensionDelta {
+  dimension: string
+  from: string
+  to: string
+  impact: string
+}
+
+const DIMENSION_LABELS: Record<string, string> = {
+  automation_level: 'Automatisierungsgrad',
+  decision_binding: 'Entscheidungsbindung',
+  decision_impact: 'Entscheidungswirkung',
+  domain: 'Branche',
+  data_type: 'Datensensitivitaet',
+  human_in_loop: 'Menschliche Kontrolle',
+  explainability: 'Erklaerbarkeit',
+  risk_classification: 'Risikoklasse',
+  legal_basis: 'Rechtsgrundlage',
+  transparency_required: 'Transparenzpflicht',
+  logging_required: 'Protokollierung',
+  model_type: 'Modelltyp',
+  deployment_scope: 'Einsatzbereich',
+}
+
+export function ConfigComparison({ deltas }: { deltas: DimensionDelta[] }) {
+  if (deltas.length === 0) {
+    return (
+      <div className="bg-green-50 border border-green-200 rounded-lg p-4 text-green-700 text-sm">
+        Keine Aenderungen noetig — Ihre Konfiguration ist bereits konform.
+      </div>
+    )
+  }
+
+  return (
+    <div className="space-y-2">
+      <h4 className="text-sm font-medium text-gray-700">Empfohlene Aenderungen ({deltas.length})</h4>
+      <div className="space-y-1">
+        {deltas.map((d, i) => (
+          <div key={i} className="flex items-center gap-2 bg-blue-50 border border-blue-200 rounded px-3 py-2 text-sm">
+            <span className="font-medium text-gray-800 min-w-[160px]">
+              {DIMENSION_LABELS[d.dimension] || d.dimension}
+            </span>
+            <span className="text-red-600 font-mono line-through">{d.from}</span>
+            <span className="text-gray-400">→</span>
+            <span className="text-green-700 font-mono font-bold">{d.to}</span>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/compliance-optimizer/DimensionZoneTable.tsx

@@ -0,0 +1,74 @@
+'use client'
+
+import { ZoneBadge } from './ZoneBadge'
+
+interface ZoneInfo {
+  dimension: string
+  current_value: string
+  zone: 'FORBIDDEN' | 'RESTRICTED' | 'SAFE'
+  allowed_values?: string[]
+  forbidden_values?: string[]
+  safeguards?: string[]
+  reason: string
+  obligation_refs: string[]
+}
+
+const DIMENSION_LABELS: Record<string, string> = {
+  automation_level: 'Automatisierungsgrad',
+  decision_binding: 'Entscheidungsbindung',
+  decision_impact: 'Entscheidungswirkung',
+  domain: 'Branche',
+  data_type: 'Datensensitivitaet',
+  human_in_loop: 'Menschliche Kontrolle',
+  explainability: 'Erklaerbarkeit',
+  risk_classification: 'Risikoklasse',
+  legal_basis: 'Rechtsgrundlage',
+  transparency_required: 'Transparenzpflicht',
+  logging_required: 'Protokollierung',
+  model_type: 'Modelltyp',
+  deployment_scope: 'Einsatzbereich',
+}
+
+export function DimensionZoneTable({ zoneMap }: { zoneMap: Record<string, ZoneInfo> }) {
+  const dimensions = Object.entries(zoneMap).sort(([, a], [, b]) => {
+    const order = { FORBIDDEN: 0, RESTRICTED: 1, SAFE: 2 }
+    return (order[a.zone] ?? 2) - (order[b.zone] ?? 2)
+  })
+
+  return (
+    <div className="overflow-x-auto">
+      <table className="min-w-full divide-y divide-gray-200">
+        <thead className="bg-gray-50">
+          <tr>
+            <th className="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">Dimension</th>
+            <th className="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">Aktueller Wert</th>
+            <th className="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">Zone</th>
+            <th className="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">Regelgrund</th>
+            <th className="px-4 py-2 text-left text-xs font-medium text-gray-500 uppercase">Rechtsgrundlage</th>
+          </tr>
+        </thead>
+        <tbody className="bg-white divide-y divide-gray-200">
+          {dimensions.map(([dim, info]) => (
+            <tr key={dim} className={info.zone === 'FORBIDDEN' ? 'bg-red-50' : info.zone === 'RESTRICTED' ? 'bg-yellow-50' : ''}>
+              <td className="px-4 py-2 text-sm font-medium text-gray-900">
+                {DIMENSION_LABELS[dim] || dim}
+              </td>
+              <td className="px-4 py-2 text-sm text-gray-600 font-mono">
+                {info.current_value}
+              </td>
+              <td className="px-4 py-2">
+                <ZoneBadge zone={info.zone} />
+              </td>
+              <td className="px-4 py-2 text-sm text-gray-600">
+                {info.reason || '-'}
+              </td>
+              <td className="px-4 py-2 text-sm text-gray-500">
+                {info.obligation_refs?.join(', ') || '-'}
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  )
+}

admin-compliance/components/sdk/compliance-optimizer/OptimizationScoreCard.tsx

@@ -0,0 +1,50 @@
+'use client'
+
+interface ScoreCardProps {
+  safetyScore: number
+  utilityScore: number
+  compositeScore: number
+  deltaCount: number
+}
+
+function ScoreGauge({ value, label, color }: { value: number; label: string; color: string }) {
+  return (
+    <div className="flex flex-col items-center gap-1">
+      <div className="relative w-16 h-16">
+        <svg viewBox="0 0 36 36" className="w-16 h-16">
+          <path
+            d="M18 2.0845 a 15.9155 15.9155 0 0 1 0 31.831 a 15.9155 15.9155 0 0 1 0 -31.831"
+            fill="none" stroke="#e5e7eb" strokeWidth="3"
+          />
+          <path
+            d="M18 2.0845 a 15.9155 15.9155 0 0 1 0 31.831 a 15.9155 15.9155 0 0 1 0 -31.831"
+            fill="none" stroke={color} strokeWidth="3"
+            strokeDasharray={`${value}, 100`}
+            strokeLinecap="round"
+          />
+        </svg>
+        <span className="absolute inset-0 flex items-center justify-center text-sm font-bold text-gray-800">
+          {value}
+        </span>
+      </div>
+      <span className="text-xs text-gray-500">{label}</span>
+    </div>
+  )
+}
+
+export function OptimizationScoreCard({ safetyScore, utilityScore, compositeScore, deltaCount }: ScoreCardProps) {
+  return (
+    <div className="bg-white border border-gray-200 rounded-lg p-4">
+      <h4 className="text-sm font-medium text-gray-700 mb-3">Bewertung der optimierten Konfiguration</h4>
+      <div className="flex items-center gap-6">
+        <ScoreGauge value={safetyScore} label="Sicherheit" color="#22c55e" />
+        <ScoreGauge value={utilityScore} label="Business-Nutzen" color="#3b82f6" />
+        <ScoreGauge value={Math.round(compositeScore)} label="Gesamt" color="#8b5cf6" />
+        <div className="flex flex-col items-center gap-1">
+          <span className="text-2xl font-bold text-gray-800">{deltaCount}</span>
+          <span className="text-xs text-gray-500">Aenderungen</span>
+        </div>
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/compliance-optimizer/OptimizerUpsellCard.tsx

@@ -0,0 +1,62 @@
+'use client'
+
+import Link from 'next/link'
+
+interface OptimizerUpsellCardProps {
+  feasibility: string
+  assessmentId: string
+  riskScore?: number
+}
+
+export function OptimizerUpsellCard({ feasibility, assessmentId, riskScore }: OptimizerUpsellCardProps) {
+  const isRestricted = feasibility === 'CONDITIONAL' || feasibility === 'NO'
+
+  if (isRestricted) {
+    return (
+      <div className="bg-amber-50 border-2 border-amber-300 rounded-xl p-5">
+        <div className="flex items-start gap-3">
+          <span className="text-2xl">📊</span>
+          <div className="flex-1">
+            <h3 className="text-base font-semibold text-amber-900">
+              {feasibility === 'NO' ? 'Use Case aktuell nicht umsetzbar' : 'Use Case eingeschraenkt machbar'}
+            </h3>
+            <p className="text-sm text-amber-800 mt-1">
+              Der <strong>Compliance Optimizer</strong> zeigt Ihnen die optimale Konfiguration,
+              um den regulatorischen Spielraum maximal auszunutzen — ohne Grenzen zu ueberschreiten.
+            </p>
+            {riskScore != null && riskScore >= 50 && (
+              <p className="text-xs text-amber-700 mt-1">
+                Risiko-Score {riskScore}/100 — besonders hohes Optimierungspotenzial.
+              </p>
+            )}
+            <Link
+              href={`/sdk/compliance-optimizer/new?from_assessment=${assessmentId}`}
+              className="inline-flex items-center gap-1 mt-3 px-4 py-2 bg-blue-600 text-white text-sm font-medium rounded-lg hover:bg-blue-700 transition-colors"
+            >
+              Jetzt optimieren →
+            </Link>
+          </div>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div className="bg-blue-50 border border-blue-200 rounded-xl p-4">
+      <div className="flex items-center justify-between">
+        <div>
+          <h3 className="text-sm font-medium text-blue-900">Regulatorischen Spielraum pruefen</h3>
+          <p className="text-xs text-blue-700 mt-0.5">
+            Pruefen Sie ob Sie den regulatorischen Spielraum noch besser nutzen koennen.
+          </p>
+        </div>
+        <Link
+          href={`/sdk/compliance-optimizer/new?from_assessment=${assessmentId}`}
+          className="text-sm text-blue-600 hover:underline whitespace-nowrap"
+        >
+          Optional optimieren →
+        </Link>
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/compliance-optimizer/ZoneBadge.tsx

@@ -0,0 +1,16 @@
+'use client'
+
+const ZONE_STYLES = {
+  FORBIDDEN: { bg: 'bg-red-100', text: 'text-red-700', border: 'border-red-300', label: 'Verboten' },
+  RESTRICTED: { bg: 'bg-yellow-100', text: 'text-yellow-700', border: 'border-yellow-300', label: 'Eingeschraenkt' },
+  SAFE: { bg: 'bg-green-100', text: 'text-green-700', border: 'border-green-300', label: 'Erlaubt' },
+}
+
+export function ZoneBadge({ zone }: { zone: 'FORBIDDEN' | 'RESTRICTED' | 'SAFE' }) {
+  const style = ZONE_STYLES[zone] || ZONE_STYLES.SAFE
+  return (
+    <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium border ${style.bg} ${style.text} ${style.border}`}>
+      {style.label}
+    </span>
+  )
+}

admin-compliance/components/sdk/regulatory-news/RegulatoryNewsCard.tsx

@@ -0,0 +1,60 @@
+'use client'
+
+import Link from 'next/link'
+
+export interface RegulatoryNewsItemData {
+  id: string
+  headline: string
+  summary: string
+  legal_reference: string
+  deadline: string
+  days_remaining: number
+  urgency: 'critical' | 'high' | 'medium' | 'low'
+  affected: string
+  action_required: string
+  action_link: string
+  regulation: string
+  sanctions?: string
+}
+
+const URGENCY_STYLES = {
+  critical: { badge: 'bg-red-100 text-red-700 border-red-200', border: 'border-l-red-500', icon: '🔴' },
+  high: { badge: 'bg-orange-100 text-orange-700 border-orange-200', border: 'border-l-orange-400', icon: '🟠' },
+  medium: { badge: 'bg-yellow-100 text-yellow-700 border-yellow-200', border: 'border-l-yellow-400', icon: '🟡' },
+  low: { badge: 'bg-gray-100 text-gray-600 border-gray-200', border: 'border-l-gray-300', icon: '🔵' },
+}
+
+export function RegulatoryNewsCard({ item }: { item: RegulatoryNewsItemData }) {
+  const style = URGENCY_STYLES[item.urgency] || URGENCY_STYLES.low
+
+  return (
+    <div className={`bg-white border border-gray-200 border-l-4 ${style.border} rounded-lg p-4`}>
+      <div className="flex items-start justify-between gap-3">
+        <div className="flex-1 min-w-0">
+          <h4 className="text-sm font-semibold text-gray-900">{item.headline}</h4>
+          <p className="text-xs text-gray-600 mt-1">{item.summary}</p>
+          <p className="text-xs text-gray-400 mt-1 italic">{item.legal_reference}</p>
+          {item.sanctions && (
+            <p className="text-xs text-red-600 mt-1">Sanktionen: {item.sanctions}</p>
+          )}
+        </div>
+        <div className="flex flex-col items-end gap-1 shrink-0">
+          <span className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-medium border ${style.badge}`}>
+            {style.icon} {item.days_remaining} Tage
+          </span>
+          <span className="text-xs text-gray-400">
+            {new Date(item.deadline).toLocaleDateString('de-DE')}
+          </span>
+        </div>
+      </div>
+      <div className="flex items-center justify-between mt-3 pt-2 border-t border-gray-100">
+        <span className="text-xs text-gray-400">{item.affected}</span>
+        {item.action_link && (
+          <Link href={item.action_link} className="text-xs text-blue-600 hover:underline font-medium">
+            Massnahme ergreifen →
+          </Link>
+        )}
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/regulatory-news/RegulatoryNewsFeed.tsx

@@ -0,0 +1,54 @@
+'use client'
+
+import React, { useState, useEffect } from 'react'
+import { RegulatoryNewsCard, RegulatoryNewsItemData } from './RegulatoryNewsCard'
+
+interface RegulatoryNewsFeedProps {
+  businessModel?: string
+  maxItems?: number
+}
+
+export function RegulatoryNewsFeed({ businessModel, maxItems = 3 }: RegulatoryNewsFeedProps) {
+  const [items, setItems] = useState<RegulatoryNewsItemData[]>([])
+  const [loading, setLoading] = useState(true)
+  const [showAll, setShowAll] = useState(false)
+
+  useEffect(() => {
+    const params = new URLSearchParams({ limit: '10', horizon_days: '365' })
+    if (businessModel) params.set('business_model', businessModel)
+
+    fetch(`/api/sdk/v1/regulatory-news?${params}`)
+      .then(r => r.ok ? r.json() : { items: [] })
+      .then(data => setItems(data.items || []))
+      .catch(() => setItems([]))
+      .finally(() => setLoading(false))
+  }, [businessModel])
+
+  if (loading) return null
+  if (items.length === 0) return null
+
+  const visible = showAll ? items : items.slice(0, maxItems)
+
+  return (
+    <div className="space-y-3">
+      <div className="flex items-center justify-between">
+        <h2 className="text-lg font-semibold text-gray-900 flex items-center gap-2">
+          <span>📢</span> Regulatorische Neuigkeiten
+        </h2>
+        {items.length > maxItems && (
+          <button
+            onClick={() => setShowAll(!showAll)}
+            className="text-sm text-blue-600 hover:underline"
+          >
+            {showAll ? 'Weniger' : `Alle ${items.length} anzeigen`}
+          </button>
+        )}
+      </div>
+      <div className="space-y-2">
+        {visible.map(item => (
+          <RegulatoryNewsCard key={item.id} item={item} />
+        ))}
+      </div>
+    </div>
+  )
+}

admin-compliance/components/sdk/use-case-assessment/AssessmentResultCard.tsx

@@ -10,6 +10,8 @@ interface AssessmentResult {
   dsfa_recommended: boolean
   art22_risk: boolean
   training_allowed: string
+  betrvg_conflict_score?: number
+  betrvg_consultation_required?: boolean
   summary: string
   recommendation: string
   alternative_approach?: string
@@ -76,6 +78,21 @@ export function AssessmentResultCard({ result }: AssessmentResultCardProps) {
                   Art. 22 Risiko
                 </span>
               )}
+              {result.betrvg_conflict_score != null && result.betrvg_conflict_score > 0 && (
+                <span className={`px-3 py-1 rounded-full text-sm font-medium ${
+                  result.betrvg_conflict_score >= 75 ? 'bg-red-100 text-red-700' :
+                  result.betrvg_conflict_score >= 50 ? 'bg-orange-100 text-orange-700' :
+                  result.betrvg_conflict_score >= 25 ? 'bg-yellow-100 text-yellow-700' :
+                  'bg-green-100 text-green-700'
+                }`}>
+                  BR-Konflikt: {result.betrvg_conflict_score}/100
+                </span>
+              )}
+              {result.betrvg_consultation_required && (
+                <span className="px-3 py-1 rounded-full text-sm bg-purple-100 text-purple-700">
+                  BR-Konsultation erforderlich
+                </span>
+              )}
             </div>
             <p className="text-gray-700">{result.summary}</p>
             <p className="text-sm text-gray-500 mt-2">{result.recommendation}</p>

admin-compliance/e2e/specs/banner-consent-api.spec.ts

@@ -0,0 +1,515 @@
+import { test, expect } from '@playwright/test'
+
+/**
+ * Banner Consent API Integration Tests
+ *
+ * Tests the complete lifecycle of cookie banner consents:
+ * - Record/retrieve/withdraw consent
+ * - Email linking for DSR integration
+ * - Consent export (Art. 15/20 DSGVO)
+ * - Consent deletion (Art. 17 DSGVO erasure)
+ * - Consent sync to Einwilligungen
+ * - Vendor sync from service registry
+ * - Site config with config_version for consent proof
+ */
+
+const API_BASE = process.env.PLAYWRIGHT_API_URL || 'https://macmini:8093'
+const TENANT_ID = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
+const HEADERS = {
+  'Content-Type': 'application/json',
+  'X-Tenant-ID': TENANT_ID,
+}
+
+// Test data
+const TEST_SITE_ID = `e2e-banner-test-${Date.now()}`
+const TEST_DEVICE_FP = `e2e-device-${Date.now()}`
+const TEST_EMAIL = `e2e-test-${Date.now()}@example.com`
+
+test.describe('Banner Consent API — Full Lifecycle', () => {
+  let siteConfigId: string | null = null
+  let consentId: string | null = null
+
+  // ─── Setup: Create site config ───────────────────────────
+  test('01 — Create site config', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/admin/sites`, {
+      headers: HEADERS,
+      data: {
+        site_id: TEST_SITE_ID,
+        site_name: 'E2E Test Site',
+        site_url: 'https://e2e-test.example.com',
+        banner_title: 'Cookie-Einstellungen',
+        banner_description: 'Wir verwenden Cookies fuer E2E Tests.',
+        privacy_url: '/datenschutz',
+        imprint_url: '/impressum',
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.site_id).toBe(TEST_SITE_ID)
+    expect(body.config_version).toBe(1)
+    siteConfigId = body.id
+  })
+
+  test('02 — Create categories for site', async ({ request }) => {
+    const categories = [
+      { category_key: 'necessary', name_de: 'Notwendig', is_required: true, sort_order: 0 },
+      { category_key: 'statistics', name_de: 'Statistik', is_required: false, sort_order: 1 },
+      { category_key: 'marketing', name_de: 'Marketing', is_required: false, sort_order: 2 },
+    ]
+    for (const cat of categories) {
+      const res = await request.post(`${API_BASE}/banner/admin/sites/${TEST_SITE_ID}/categories`, {
+        headers: HEADERS,
+        data: cat,
+      })
+      expect(res.ok()).toBeTruthy()
+    }
+  })
+
+  test('03 — Create vendor configs', async ({ request }) => {
+    const vendors = [
+      { vendor_name: 'Google Analytics', category_key: 'statistics', retention_days: 790, cookie_names: ['_ga', '_gid'] },
+      { vendor_name: 'Facebook Pixel', category_key: 'marketing', retention_days: 90, cookie_names: ['_fbp'] },
+    ]
+    for (const v of vendors) {
+      const res = await request.post(`${API_BASE}/banner/admin/sites/${TEST_SITE_ID}/vendors`, {
+        headers: HEADERS,
+        data: v,
+      })
+      expect(res.ok()).toBeTruthy()
+    }
+  })
+
+  // ─── Core Consent CRUD ───────────────────────────────────
+  test('04 — Get site config for banner display', async ({ request }) => {
+    const res = await request.get(`${API_BASE}/banner/config/${TEST_SITE_ID}`, { headers: HEADERS })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.site_id).toBe(TEST_SITE_ID)
+    expect(body.banner_title).toBe('Cookie-Einstellungen')
+    expect(body.categories.length).toBe(3)
+    expect(body.vendors.length).toBe(2)
+    expect(body.config_version).toBe(1)
+  })
+
+  test('05 — Record consent (accept statistics only)', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/consent`, {
+      headers: HEADERS,
+      data: {
+        site_id: TEST_SITE_ID,
+        device_fingerprint: TEST_DEVICE_FP,
+        categories: ['necessary', 'statistics'],
+        vendors: ['Google Analytics'],
+        ip_address: '192.168.1.100',
+        user_agent: 'Playwright E2E Test',
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.device_fingerprint).toBe(TEST_DEVICE_FP)
+    expect(body.categories).toEqual(['necessary', 'statistics'])
+    expect(body.vendors).toEqual(['Google Analytics'])
+    expect(body.ip_hash).toBeTruthy() // IP is hashed
+    expect(body.linked_email).toBeNull()
+    consentId = body.id
+  })
+
+  test('06 — Retrieve consent for device', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent?site_id=${TEST_SITE_ID}&device_fingerprint=${TEST_DEVICE_FP}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.has_consent).toBe(true)
+    expect(body.consent.categories).toEqual(['necessary', 'statistics'])
+  })
+
+  test('07 — Update consent (accept all categories)', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/consent`, {
+      headers: HEADERS,
+      data: {
+        site_id: TEST_SITE_ID,
+        device_fingerprint: TEST_DEVICE_FP,
+        categories: ['necessary', 'statistics', 'marketing'],
+        vendors: ['Google Analytics', 'Facebook Pixel'],
+        ip_address: '192.168.1.100',
+        user_agent: 'Playwright E2E Test',
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.categories).toEqual(['necessary', 'statistics', 'marketing'])
+    expect(body.id).toBe(consentId) // Same consent row (upsert)
+  })
+
+  // ─── Phase 3: Email Linking ──────────────────────────────
+  test('08 — Link email to device fingerprint', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/consent/link-email`, {
+      headers: HEADERS,
+      data: {
+        site_id: TEST_SITE_ID,
+        device_fingerprint: TEST_DEVICE_FP,
+        email: TEST_EMAIL,
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.linked_email).toBe(TEST_EMAIL.toLowerCase())
+    expect(body.device_fingerprint).toBe(TEST_DEVICE_FP)
+  })
+
+  test('09 — Find consents by email (Art. 15)', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/by-email/${encodeURIComponent(TEST_EMAIL)}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.length).toBe(1)
+    expect(body[0].linked_email).toBe(TEST_EMAIL.toLowerCase())
+    expect(body[0].device_fingerprint).toBe(TEST_DEVICE_FP)
+  })
+
+  test('10 — Export consent data for DSR (Art. 15/20)', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/dsr-export/${encodeURIComponent(TEST_EMAIL)}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.email).toBe(TEST_EMAIL.toLowerCase())
+    expect(body.banner_consents.length).toBe(1)
+    expect(body.audit_trail.length).toBeGreaterThan(0)
+    // Verify consent proof fields in audit trail
+    const lastAudit = body.audit_trail[0]
+    expect(lastAudit.action).toBeTruthy()
+    expect(lastAudit.site_id).toBe(TEST_SITE_ID)
+  })
+
+  // ─── Phase 4: Consent Sync ──────────────────────────────
+  test('11 — Sync banner consent to Einwilligungen', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/consent/sync`, {
+      headers: HEADERS,
+      data: {
+        site_id: TEST_SITE_ID,
+        device_fingerprint: TEST_DEVICE_FP,
+        email: TEST_EMAIL,
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.synced).toBeGreaterThan(0)
+    expect(body.categories).toContain('necessary')
+    expect(body.categories).toContain('statistics')
+    expect(body.categories).toContain('marketing')
+    expect(body.email).toBe(TEST_EMAIL.toLowerCase())
+  })
+
+  // ─── DSGVO Export ────────────────────────────────────────
+  test('12 — Export consent per device (existing endpoint)', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/export?site_id=${TEST_SITE_ID}&device_fingerprint=${TEST_DEVICE_FP}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.device_fingerprint).toBe(TEST_DEVICE_FP)
+    expect(body.consents.length).toBe(1)
+    expect(body.audit_trail.length).toBeGreaterThan(0)
+  })
+
+  // ─── Stats ───────────────────────────────────────────────
+  test('13 — Get site consent statistics', async ({ request }) => {
+    const res = await request.get(`${API_BASE}/banner/admin/stats/${TEST_SITE_ID}`, {
+      headers: HEADERS,
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.site_id).toBe(TEST_SITE_ID)
+    expect(body.total_consents).toBeGreaterThan(0)
+    expect(body.category_acceptance.necessary).toBeTruthy()
+    expect(body.category_acceptance.statistics).toBeTruthy()
+  })
+
+  // ─── Withdraw + Cleanup ─────────────────────────────────
+  test('14 — Withdraw consent', async ({ request }) => {
+    expect(consentId).toBeTruthy()
+    const res = await request.delete(`${API_BASE}/banner/consent/${consentId}`, {
+      headers: HEADERS,
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.success).toBe(true)
+  })
+
+  test('15 — Verify consent withdrawn (no consent found)', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent?site_id=${TEST_SITE_ID}&device_fingerprint=${TEST_DEVICE_FP}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.has_consent).toBe(false)
+  })
+
+  // ─── Cleanup: Delete site config ────────────────────────
+  test('16 — Cleanup: Delete test site', async ({ request }) => {
+    const res = await request.delete(`${API_BASE}/banner/admin/sites/${TEST_SITE_ID}`, {
+      headers: HEADERS,
+    })
+    expect(res.status()).toBe(204)
+  })
+})
+
+
+test.describe('Banner Consent API — Art. 17 Erasure via Email', () => {
+  const ERASURE_SITE = `e2e-erasure-${Date.now()}`
+  const ERASURE_DEVICE_1 = `e2e-dev1-${Date.now()}`
+  const ERASURE_DEVICE_2 = `e2e-dev2-${Date.now()}`
+  const ERASURE_EMAIL = `erasure-${Date.now()}@example.com`
+
+  test.beforeAll(async ({ request }) => {
+    // Create site
+    await request.post(`${API_BASE}/banner/admin/sites`, {
+      headers: HEADERS,
+      data: { site_id: ERASURE_SITE, site_name: 'Erasure Test Site' },
+    })
+    // Record consent on two devices with same email
+    for (const fp of [ERASURE_DEVICE_1, ERASURE_DEVICE_2]) {
+      await request.post(`${API_BASE}/banner/consent`, {
+        headers: HEADERS,
+        data: {
+          site_id: ERASURE_SITE,
+          device_fingerprint: fp,
+          categories: ['necessary', 'statistics'],
+          vendors: [],
+        },
+      })
+      await request.post(`${API_BASE}/banner/consent/link-email`, {
+        headers: HEADERS,
+        data: { site_id: ERASURE_SITE, device_fingerprint: fp, email: ERASURE_EMAIL },
+      })
+    }
+  })
+
+  test('should find 2 consents for email', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/by-email/${encodeURIComponent(ERASURE_EMAIL)}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.length).toBe(2)
+  })
+
+  test('should delete all consents by email (Art. 17)', async ({ request }) => {
+    const res = await request.delete(
+      `${API_BASE}/banner/consent/by-email/${encodeURIComponent(ERASURE_EMAIL)}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.deleted).toBe(2)
+    expect(body.email).toBe(ERASURE_EMAIL.toLowerCase())
+  })
+
+  test('should find 0 consents after erasure', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/by-email/${encodeURIComponent(ERASURE_EMAIL)}`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.length).toBe(0)
+  })
+
+  test.afterAll(async ({ request }) => {
+    await request.delete(`${API_BASE}/banner/admin/sites/${ERASURE_SITE}`, {
+      headers: HEADERS,
+    })
+  })
+})
+
+
+test.describe('Banner Consent API — Vendor Sync from Registry', () => {
+  const SYNC_SITE = `e2e-sync-${Date.now()}`
+
+  test.beforeAll(async ({ request }) => {
+    await request.post(`${API_BASE}/banner/admin/sites`, {
+      headers: HEADERS,
+      data: { site_id: SYNC_SITE, site_name: 'Vendor Sync Test' },
+    })
+  })
+
+  test('should sync vendors from service registry', async ({ request }) => {
+    const res = await request.post(
+      `${API_BASE}/banner/admin/sites/${SYNC_SITE}/sync-vendors`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.total).toBeGreaterThan(0)
+    expect(body.created).toBeGreaterThan(0)
+  })
+
+  test('should list synced vendors', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/admin/sites/${SYNC_SITE}/vendors`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const vendors = await res.json()
+    expect(vendors.length).toBeGreaterThan(0)
+
+    // Verify vendor structure
+    const ga = vendors.find((v: any) => v.vendor_name === 'Google Analytics')
+    if (ga) {
+      expect(ga.category_key).toBe('statistics')
+      expect(ga.retention_days).toBe(790) // 26 months
+    }
+  })
+
+  test.afterAll(async ({ request }) => {
+    await request.delete(`${API_BASE}/banner/admin/sites/${SYNC_SITE}`, {
+      headers: HEADERS,
+    })
+  })
+})
+
+
+test.describe('Banner Consent API — Edge Cases & Validation', () => {
+  test('should return has_consent=false for unknown device', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent?site_id=nonexistent&device_fingerprint=unknown`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.has_consent).toBe(false)
+  })
+
+  test('should return default config for unconfigured site', async ({ request }) => {
+    const res = await request.get(`${API_BASE}/banner/config/nonexistent-site`, {
+      headers: HEADERS,
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body.site_id).toBe('nonexistent-site')
+    expect(body.banner_title).toBe('Cookie-Einstellungen')
+    expect(body.categories).toEqual([])
+  })
+
+  test('should reject invalid email for link-email', async ({ request }) => {
+    const res = await request.post(`${API_BASE}/banner/consent/link-email`, {
+      headers: HEADERS,
+      data: {
+        site_id: 'test',
+        device_fingerprint: 'test',
+        email: 'not-an-email',
+      },
+    })
+    // Should fail — either 400 or 404 (no consent found)
+    expect(res.status()).toBeGreaterThanOrEqual(400)
+  })
+
+  test('should return empty list for unknown email in by-email', async ({ request }) => {
+    const res = await request.get(
+      `${API_BASE}/banner/consent/by-email/nobody@nowhere.test`,
+      { headers: HEADERS },
+    )
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+    expect(body).toEqual([])
+  })
+
+  test('should hash IP address (never store plain IP)', async ({ request }) => {
+    const siteId = `e2e-ip-test-${Date.now()}`
+    const fp = `e2e-ip-fp-${Date.now()}`
+
+    // Create site
+    await request.post(`${API_BASE}/banner/admin/sites`, {
+      headers: HEADERS,
+      data: { site_id: siteId, site_name: 'IP Test' },
+    })
+
+    // Record consent with IP
+    const res = await request.post(`${API_BASE}/banner/consent`, {
+      headers: HEADERS,
+      data: {
+        site_id: siteId,
+        device_fingerprint: fp,
+        categories: ['necessary'],
+        vendors: [],
+        ip_address: '10.0.0.42',
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+
+    // IP should be hashed, not stored plain
+    expect(body.ip_hash).toBeTruthy()
+    expect(body.ip_hash).not.toBe('10.0.0.42')
+    expect(body.ip_hash.length).toBe(16) // SHA256[:16]
+
+    // Cleanup
+    await request.delete(`${API_BASE}/banner/consent/${body.id}`, { headers: HEADERS })
+    await request.delete(`${API_BASE}/banner/admin/sites/${siteId}`, { headers: HEADERS })
+  })
+})
+
+
+test.describe('Banner Consent API — Retention per Category', () => {
+  const RET_SITE = `e2e-retention-${Date.now()}`
+
+  test.beforeAll(async ({ request }) => {
+    // Create site with categories and vendors
+    await request.post(`${API_BASE}/banner/admin/sites`, {
+      headers: HEADERS,
+      data: { site_id: RET_SITE, site_name: 'Retention Test' },
+    })
+    await request.post(`${API_BASE}/banner/admin/sites/${RET_SITE}/categories`, {
+      headers: HEADERS,
+      data: { category_key: 'necessary', name_de: 'Notwendig', is_required: true },
+    })
+    await request.post(`${API_BASE}/banner/admin/sites/${RET_SITE}/categories`, {
+      headers: HEADERS,
+      data: { category_key: 'marketing', name_de: 'Marketing', is_required: false },
+    })
+    await request.post(`${API_BASE}/banner/admin/sites/${RET_SITE}/vendors`, {
+      headers: HEADERS,
+      data: { vendor_name: 'FB Pixel', category_key: 'marketing', retention_days: 90 },
+    })
+  })
+
+  test('consent expiry should match max vendor retention', async ({ request }) => {
+    const fp = `e2e-ret-fp-${Date.now()}`
+    const res = await request.post(`${API_BASE}/banner/consent`, {
+      headers: HEADERS,
+      data: {
+        site_id: RET_SITE,
+        device_fingerprint: fp,
+        categories: ['necessary', 'marketing'],
+        vendors: ['FB Pixel'],
+      },
+    })
+    expect(res.ok()).toBeTruthy()
+    const body = await res.json()
+
+    // Expiry should be based on max vendor retention (90 days for marketing)
+    const expiresAt = new Date(body.expires_at)
+    const createdAt = new Date(body.created_at)
+    const diffDays = Math.round((expiresAt.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24))
+    // Should be 90 days (marketing) not 365 (default)
+    expect(diffDays).toBeGreaterThanOrEqual(89)
+    expect(diffDays).toBeLessThanOrEqual(91)
+
+    // Cleanup
+    await request.delete(`${API_BASE}/banner/consent/${body.id}`, { headers: HEADERS })
+  })
+
+  test.afterAll(async ({ request }) => {
+    await request.delete(`${API_BASE}/banner/admin/sites/${RET_SITE}`, {
+      headers: HEADERS,
+    })
+  })
+})

admin-compliance/e2e/specs/cookie-banner-overlay.spec.ts

@@ -0,0 +1,256 @@
+import { test, expect } from '@playwright/test'
+
+/**
+ * Cookie Banner Overlay E2E Tests
+ *
+ * Tests the live cookie consent banner in the Compliance SDK:
+ * - Auto-opens on first visit
+ * - Consent choices (accept all, reject all, custom settings)
+ * - FAB button to reopen after consent
+ * - Persistence in localStorage
+ * - Correct toggle behavior for categories
+ */
+
+const SDK_URL = '/sdk'
+const STORAGE_KEY = 'bp-sdk-cookie-consent'
+
+test.describe('Cookie Banner — First Visit', () => {
+  test.beforeEach(async ({ page }) => {
+    // Clear localStorage to simulate first visit
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+  })
+
+  test('should show banner on first visit', async ({ page }) => {
+    // Banner should be visible
+    await expect(page.getByText('Cookie-Einstellungen')).toBeVisible({ timeout: 10000 })
+    await expect(page.getByText('Wir verwenden Cookies')).toBeVisible()
+  })
+
+  test('should show three buttons: accept all, reject, settings', async ({ page }) => {
+    await page.waitForTimeout(500)
+    await expect(page.getByRole('button', { name: 'Alle akzeptieren' })).toBeVisible()
+    await expect(page.getByRole('button', { name: 'Nur notwendige' })).toBeVisible()
+    await expect(page.getByRole('button', { name: 'Einstellungen' })).toBeVisible()
+  })
+
+  test('should have Datenschutzerklaerung and Impressum links', async ({ page }) => {
+    await page.waitForTimeout(500)
+    await expect(page.getByText('Datenschutzerklaerung')).toBeVisible()
+    await expect(page.getByText('Impressum')).toBeVisible()
+  })
+
+  test('should show overlay backdrop', async ({ page }) => {
+    await page.waitForTimeout(500)
+    // Check for the dark overlay behind the banner
+    const overlay = page.locator('.bg-black\\/40')
+    await expect(overlay).toBeVisible()
+  })
+})
+
+
+test.describe('Cookie Banner — Accept All', () => {
+  test('should close banner and save consent on "Alle akzeptieren"', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    // Click accept all
+    await page.getByRole('button', { name: 'Alle akzeptieren' }).click()
+
+    // Banner should close
+    await expect(page.getByText('Cookie-Einstellungen').first()).not.toBeVisible({ timeout: 5000 })
+
+    // Verify localStorage
+    const consent = await page.evaluate(() => {
+      const raw = localStorage.getItem('bp-sdk-cookie-consent')
+      return raw ? JSON.parse(raw) : null
+    })
+    expect(consent).toBeTruthy()
+    expect(consent.necessary).toBe(true)
+    expect(consent.statistics).toBe(true)
+    expect(consent.marketing).toBe(true)
+    expect(consent.functional).toBe(true)
+    expect(consent.timestamp).toBeTruthy()
+  })
+})
+
+
+test.describe('Cookie Banner — Reject All', () => {
+  test('should save only necessary on "Nur notwendige"', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    // Click reject all
+    await page.getByRole('button', { name: 'Nur notwendige' }).click()
+
+    // Banner should close
+    await expect(page.getByText('Cookie-Einstellungen').first()).not.toBeVisible({ timeout: 5000 })
+
+    // Verify localStorage — only necessary enabled
+    const consent = await page.evaluate(() => {
+      const raw = localStorage.getItem('bp-sdk-cookie-consent')
+      return raw ? JSON.parse(raw) : null
+    })
+    expect(consent).toBeTruthy()
+    expect(consent.necessary).toBe(true)
+    expect(consent.statistics).toBe(false)
+    expect(consent.marketing).toBe(false)
+    expect(consent.functional).toBe(false)
+  })
+})
+
+
+test.describe('Cookie Banner — Custom Settings', () => {
+  test('should expand category toggles on "Einstellungen"', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    // Click settings
+    await page.getByRole('button', { name: 'Einstellungen' }).click()
+
+    // Category toggles should appear
+    await expect(page.getByText('Notwendig')).toBeVisible()
+    await expect(page.getByText('Statistik')).toBeVisible()
+    await expect(page.getByText('Marketing')).toBeVisible()
+    await expect(page.getByText('Funktional')).toBeVisible()
+  })
+
+  test('should have "Auswahl speichern" button in settings view', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    await page.getByRole('button', { name: 'Einstellungen' }).click()
+    await expect(page.getByRole('button', { name: 'Auswahl speichern' })).toBeVisible()
+  })
+
+  test('should save custom selection', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    // Open settings
+    await page.getByRole('button', { name: 'Einstellungen' }).click()
+    await page.waitForTimeout(300)
+
+    // Toggle statistics on (click the toggle next to "Statistik")
+    const statistikRow = page.locator('text=Statistik').locator('..')
+    const toggle = statistikRow.locator('button').last()
+    await toggle.click()
+
+    // Save
+    await page.getByRole('button', { name: 'Auswahl speichern' }).click()
+
+    // Verify
+    const consent = await page.evaluate(() => {
+      const raw = localStorage.getItem('bp-sdk-cookie-consent')
+      return raw ? JSON.parse(raw) : null
+    })
+    expect(consent).toBeTruthy()
+    expect(consent.necessary).toBe(true)
+    expect(consent.statistics).toBe(true)
+    expect(consent.marketing).toBe(false)
+  })
+
+  test('necessary toggle should be disabled', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+
+    await page.getByRole('button', { name: 'Einstellungen' }).click()
+    await page.waitForTimeout(300)
+
+    // The "Notwendig" toggle should be disabled (can't be turned off)
+    const necessaryRow = page.locator('text=Notwendig').locator('..')
+    const toggle = necessaryRow.locator('button[disabled]')
+    await expect(toggle).toBeVisible()
+  })
+})
+
+
+test.describe('Cookie Banner — Persistence', () => {
+  test('should NOT show banner on subsequent visits', async ({ page }) => {
+    await page.goto(SDK_URL)
+    // Set consent in localStorage
+    await page.evaluate(() => {
+      localStorage.setItem('bp-sdk-cookie-consent', JSON.stringify({
+        necessary: true, statistics: true, marketing: false, functional: false,
+        timestamp: new Date().toISOString(),
+      }))
+    })
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+    await page.waitForTimeout(1000)
+
+    // Banner should NOT appear
+    const bannerVisible = await page.getByText('Wir verwenden Cookies').isVisible().catch(() => false)
+    expect(bannerVisible).toBe(false)
+  })
+})
+
+
+test.describe('Cookie Banner — FAB Reopen Button', () => {
+  test('should show cookie FAB after consent is given', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => {
+      localStorage.setItem('bp-sdk-cookie-consent', JSON.stringify({
+        necessary: true, statistics: true, marketing: false, functional: false,
+        timestamp: new Date().toISOString(),
+      }))
+    })
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+    await page.waitForTimeout(1000)
+
+    // FAB button should be visible (shield icon)
+    const fab = page.locator('button[aria-label="Cookie-Einstellungen oeffnen"]')
+    await expect(fab).toBeVisible({ timeout: 5000 })
+  })
+
+  test('should reopen banner when FAB is clicked', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => {
+      localStorage.setItem('bp-sdk-cookie-consent', JSON.stringify({
+        necessary: true, statistics: true, marketing: false, functional: false,
+        timestamp: new Date().toISOString(),
+      }))
+    })
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+    await page.waitForTimeout(1000)
+
+    // Click FAB
+    const fab = page.locator('button[aria-label="Cookie-Einstellungen oeffnen"]')
+    await fab.click()
+
+    // Banner should reopen with settings expanded
+    await expect(page.getByText('Cookie-Einstellungen')).toBeVisible({ timeout: 5000 })
+    // Settings should be shown (since reopening goes straight to settings)
+    await expect(page.getByText('Statistik')).toBeVisible()
+    await expect(page.getByText('Marketing')).toBeVisible()
+  })
+
+  test('should NOT show FAB before consent is given', async ({ page }) => {
+    await page.goto(SDK_URL)
+    await page.evaluate(() => localStorage.removeItem('bp-sdk-cookie-consent'))
+    await page.reload()
+    await page.waitForLoadState('networkidle')
+    await page.waitForTimeout(1000)
+
+    // FAB should NOT be visible (banner is showing instead)
+    const fab = page.locator('button[aria-label="Cookie-Einstellungen oeffnen"]')
+    const isVisible = await fab.isVisible().catch(() => false)
+    expect(isVisible).toBe(false)
+  })
+})

admin-compliance/e2e/specs/cookie-banner-ui.spec.ts

@@ -0,0 +1,139 @@
+import { test, expect } from '@playwright/test'
+import { navigateToSDK, waitForPageLoad } from '../utils/test-helpers'
+
+/**
+ * Cookie Banner UI E2E Tests
+ *
+ * Tests the cookie banner configuration page and admin UI.
+ * Verifies that the banner builder, category management,
+ * and code export work correctly.
+ */
+
+test.describe('Cookie Banner Configuration Page', () => {
+  test.beforeEach(async ({ page }) => {
+    await navigateToSDK(page, '/cookie-banner')
+  })
+
+  test('should load cookie banner page', async ({ page }) => {
+    // The page should load with the step header
+    await expect(page.getByText('Cookie-Banner')).toBeVisible({ timeout: 10000 })
+  })
+
+  test('should display category cards', async ({ page }) => {
+    // Wait for content to load
+    await page.waitForTimeout(1000)
+
+    // Check for standard cookie categories
+    const pageContent = await page.textContent('body')
+    expect(pageContent).toBeTruthy()
+
+    // At minimum the "Notwendig" category should exist
+    const hasCategories = pageContent?.includes('Notwendig') ||
+                          pageContent?.includes('necessary') ||
+                          pageContent?.includes('Kategorie')
+    expect(hasCategories).toBeTruthy()
+  })
+
+  test('should have banner preview section', async ({ page }) => {
+    await page.waitForTimeout(1000)
+
+    // Check for preview or banner-related UI elements
+    const hasPreview = await page.locator('text=Vorschau').isVisible().catch(() => false) ||
+                       await page.locator('text=Preview').isVisible().catch(() => false) ||
+                       await page.locator('text=Banner').isVisible().catch(() => false)
+    expect(hasPreview).toBeTruthy()
+  })
+
+  test('should have export/publish buttons', async ({ page }) => {
+    // Check for action buttons
+    const exportBtn = page.getByRole('button', { name: /Code exportieren|Export/ })
+    const publishBtn = page.getByRole('button', { name: /Veroeffentlichen|Speichern|Publish/ })
+
+    const hasExport = await exportBtn.isVisible().catch(() => false)
+    const hasPublish = await publishBtn.isVisible().catch(() => false)
+
+    // At least one action button should be present
+    expect(hasExport || hasPublish).toBeTruthy()
+  })
+
+  test('should display cookie statistics', async ({ page }) => {
+    await page.waitForTimeout(1000)
+
+    // Check for statistics display (cookie count, third-party count)
+    const pageContent = await page.textContent('body')
+    const hasStats = pageContent?.includes('Cookie') || pageContent?.includes('Vendor')
+    expect(hasStats).toBeTruthy()
+  })
+})
+
+
+test.describe('Cookie Banner Navigation', () => {
+  test('should be reachable from SDK sidebar', async ({ page }) => {
+    // Navigate to SDK dashboard first
+    await navigateToSDK(page, '')
+    await page.waitForTimeout(1000)
+
+    // Look for cookie banner link in sidebar or navigation
+    const bannerLink = page.locator('a[href*="cookie-banner"]').first()
+    if (await bannerLink.isVisible().catch(() => false)) {
+      await bannerLink.click()
+      await waitForPageLoad(page)
+      await expect(page).toHaveURL(/cookie-banner/)
+    }
+  })
+
+  test('should navigate between consent management pages', async ({ page }) => {
+    await navigateToSDK(page, '/einwilligungen')
+    await page.waitForTimeout(1000)
+
+    // Check if tabs/links to cookie-banner exist
+    const cookieBannerTab = page.locator('a[href*="cookie-banner"], button:has-text("Cookie")')
+    const isVisible = await cookieBannerTab.first().isVisible().catch(() => false)
+
+    if (isVisible) {
+      await cookieBannerTab.first().click()
+      await waitForPageLoad(page)
+    }
+  })
+})
+
+
+test.describe('Consent Management Page', () => {
+  test.beforeEach(async ({ page }) => {
+    await navigateToSDK(page, '/consent-management')
+  })
+
+  test('should load consent management page', async ({ page }) => {
+    await page.waitForTimeout(1000)
+    const pageContent = await page.textContent('body')
+    // Page should have consent-related content
+    const hasContent = pageContent?.includes('Consent') ||
+                       pageContent?.includes('Einwilligung') ||
+                       pageContent?.includes('consent')
+    expect(hasContent).toBeTruthy()
+  })
+})
+
+
+test.describe('DSR Module — Banner Integration', () => {
+  test.beforeEach(async ({ page }) => {
+    await navigateToSDK(page, '/dsr')
+  })
+
+  test('should load DSR portal', async ({ page }) => {
+    await expect(page.getByRole('heading', { name: /DSR|Betroffenen/ })).toBeVisible({
+      timeout: 10000,
+    })
+  })
+
+  test('should have tab navigation for DSR workflow', async ({ page }) => {
+    await page.waitForTimeout(1000)
+
+    // DSR should have workflow tabs
+    const pageContent = await page.textContent('body')
+    const hasTabs = pageContent?.includes('Eingang') ||
+                    pageContent?.includes('Bearbeitung') ||
+                    pageContent?.includes('Abgeschlossen')
+    expect(hasTabs).toBeTruthy()
+  })
+})

admin-compliance/lib/sdk/compliance-scope-triggers.ts

@@ -5,11 +5,14 @@
 import type { HardTriggerRule } from './compliance-scope-types'
 import { HARD_TRIGGER_RULES_A_E } from './compliance-scope-triggers/triggers-a-e'
 import { HARD_TRIGGER_RULES_F_M } from './compliance-scope-triggers/triggers-f-m'
+import { HARD_TRIGGER_RULES_N_V } from './compliance-scope-triggers/triggers-n-v'
 
 export { HARD_TRIGGER_RULES_A_E } from './compliance-scope-triggers/triggers-a-e'
 export { HARD_TRIGGER_RULES_F_M } from './compliance-scope-triggers/triggers-f-m'
+export { HARD_TRIGGER_RULES_N_V } from './compliance-scope-triggers/triggers-n-v'
 
 export const HARD_TRIGGER_RULES: HardTriggerRule[] = [
   ...HARD_TRIGGER_RULES_A_E,
   ...HARD_TRIGGER_RULES_F_M,
+  ...HARD_TRIGGER_RULES_N_V,
 ]

admin-compliance/lib/sdk/compliance-scope-triggers/triggers-n-v.ts

@@ -0,0 +1,45 @@
+/**
+ * Hard Trigger Rules N–V
+ * Groups: Verbraucherrecht (N)
+ */
+import type { HardTriggerRule } from '../compliance-scope-types'
+
+export const HARD_TRIGGER_RULES_N_V: HardTriggerRule[] = [
+  // ========== N: Verbraucherrecht / E-Commerce ==========
+  {
+    id: 'HT-N01',
+    category: 'consumer_protection',
+    questionId: 'org_business_model',
+    condition: 'IN',
+    conditionValue: ['B2C', 'B2B2C'],
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['WIDERRUF', 'CONSENT'],
+    legalReference: 'EU-RL 2023/2673, § 356a BGB',
+    description: 'B2C-Geschaeftsmodell: Widerrufsbutton-Pflicht ab 19.06.2026, Widerrufsbelehrung, Button-Loesung',
+  },
+  {
+    id: 'HT-N02',
+    category: 'consumer_protection',
+    questionId: 'org_operates_online_shop',
+    condition: 'EQUALS',
+    conditionValue: 'yes',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['WIDERRUF', 'AGB', 'CONSENT'],
+    legalReference: '§ 312j BGB, EU-RL 2023/2673',
+    description: 'Online-Shop: Widerrufsbutton, Button-Loesung (zahlungspflichtig bestellen), AGB',
+  },
+  {
+    id: 'HT-N03',
+    category: 'consumer_protection',
+    questionId: 'org_offers_subscriptions',
+    condition: 'EQUALS',
+    conditionValue: 'yes',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['WIDERRUF', 'CONSENT'],
+    legalReference: 'EU-RL 2023/2673, § 356a BGB',
+    description: 'Abo-Modell: Widerrufsbutton-Pflicht, Kuendigungsbutton (§ 312k BGB)',
+  },
+]

admin-compliance/lib/sdk/dsr/types-core.ts

@@ -52,6 +52,8 @@ export interface DSRTypeInfo {
   color: string
   bgColor: string
   processDocument?: string
+  /** Document type in the legal_templates table for the Document Generator */
+  templateType?: string
 }
 
 export const DSR_TYPE_INFO: Record<DSRType, DSRTypeInfo> = {
@@ -60,41 +62,47 @@ export const DSR_TYPE_INFO: Record<DSRType, DSRTypeInfo> = {
     description: 'Recht auf Auskunft ueber gespeicherte personenbezogene Daten',
     defaultDeadlineDays: 30, maxExtensionMonths: 2,
     color: 'text-blue-700', bgColor: 'bg-blue-100',
-    processDocument: 'Prozessbeschreibung Art. 15 DSGVO_v02.pdf'
+    processDocument: 'Prozessbeschreibung Art. 15 DSGVO_v02.pdf',
+    templateType: 'dsr_process_art15',
   },
   rectification: {
     type: 'rectification', article: 'Art. 16', label: 'Berichtigungsrecht', labelShort: 'Berichtigung',
     description: 'Recht auf Berichtigung unrichtiger personenbezogener Daten',
     defaultDeadlineDays: 14, maxExtensionMonths: 2,
     color: 'text-yellow-700', bgColor: 'bg-yellow-100',
-    processDocument: 'Prozessbeschriebung Art. 16 DSGVO_v02.pdf'
+    processDocument: 'Prozessbeschreibung Art. 16 DSGVO_v02.pdf',
+    templateType: 'dsr_process_art16',
   },
   erasure: {
     type: 'erasure', article: 'Art. 17', label: 'Loeschungsrecht', labelShort: 'Loeschung',
     description: 'Recht auf Loeschung personenbezogener Daten ("Recht auf Vergessenwerden")',
     defaultDeadlineDays: 14, maxExtensionMonths: 2,
     color: 'text-red-700', bgColor: 'bg-red-100',
-    processDocument: 'Prozessbeschreibung Art. 17 DSGVO_v03.pdf'
+    processDocument: 'Prozessbeschreibung Art. 17 DSGVO_v03.pdf',
+    templateType: 'dsr_process_art17',
   },
   restriction: {
     type: 'restriction', article: 'Art. 18', label: 'Einschraenkungsrecht', labelShort: 'Einschraenkung',
     description: 'Recht auf Einschraenkung der Verarbeitung',
     defaultDeadlineDays: 14, maxExtensionMonths: 2,
     color: 'text-orange-700', bgColor: 'bg-orange-100',
-    processDocument: 'Prozessbeschreibung Art. 18 DSGVO_v01.pdf'
+    processDocument: 'Prozessbeschreibung Art. 18 DSGVO_v01.pdf',
+    templateType: 'dsr_process_art18',
   },
   portability: {
     type: 'portability', article: 'Art. 20', label: 'Datenuebertragbarkeit', labelShort: 'Uebertragung',
     description: 'Recht auf Datenuebertragbarkeit in maschinenlesbarem Format',
     defaultDeadlineDays: 30, maxExtensionMonths: 2,
     color: 'text-purple-700', bgColor: 'bg-purple-100',
-    processDocument: 'Prozessbeschreibung Art. 20 DSGVO_v02.pdf'
+    processDocument: 'Prozessbeschreibung Art. 20 DSGVO_v02.pdf',
+    templateType: 'dsr_process_art20',
   },
   objection: {
     type: 'objection', article: 'Art. 21', label: 'Widerspruchsrecht', labelShort: 'Widerspruch',
     description: 'Recht auf Widerspruch gegen die Verarbeitung',
     defaultDeadlineDays: 30, maxExtensionMonths: 0,
-    color: 'text-gray-700', bgColor: 'bg-gray-100'
+    color: 'text-gray-700', bgColor: 'bg-gray-100',
+    templateType: 'dsr_process_art21',
   }
 }
 

admin-compliance/migrations/wiki_betrvg_article.sql

@@ -0,0 +1,53 @@
+-- Wiki Article: BetrVG & KI — Mitbestimmung bei IT-Systemen
+-- Kategorie: arbeitsrecht (existiert bereits)
+-- Ausfuehren auf Production-DB nach Compliance-Refactoring
+
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES
+('betrvg-ki-mitbestimmung', 'arbeitsrecht',
+ 'BetrVG & KI — Mitbestimmung bei IT-Systemen',
+ 'Uebersicht der Mitbestimmungsrechte des Betriebsrats bei Einfuehrung von KI- und IT-Systemen gemaess §87 Abs.1 Nr.6 BetrVG. Inkl. BAG-Rechtsprechung und Konflikt-Score.',
+ '# BetrVG & KI — Mitbestimmung bei IT-Systemen
+
+## Kernregel: §87 Abs.1 Nr.6 BetrVG
+
+Die **Einfuehrung und Anwendung** von technischen Einrichtungen, die dazu **geeignet** sind, das Verhalten oder die Leistung der Arbeitnehmer zu ueberwachen, beduerfen der **Zustimmung des Betriebsrats**.
+
+### Wichtig: Eignung genuegt!
+Das BAG hat klargestellt: Bereits die **objektive Eignung** zur Ueberwachung genuegt — eine tatsaechliche Nutzung zu diesem Zweck ist nicht erforderlich.
+
+---
+
+## Leitentscheidungen des BAG
+
+### Microsoft Office 365 (BAG 1 ABR 20/21, 08.03.2022)
+Das BAG hat ausdruecklich entschieden, dass Microsoft Office 365 der Mitbestimmung unterliegt.
+
+### Standardsoftware (BAG 1 ABN 36/18, 23.10.2018)
+Auch alltaegliche Standardsoftware wie Excel ist mitbestimmungsrelevant. Keine Geringfuegigkeitsschwelle.
+
+### SAP ERP (BAG 1 ABR 45/11, 25.09.2012)
+HR-/ERP-Systeme erheben und verknuepfen individualisierbare Verhaltens- und Leistungsdaten.
+
+### SaaS/Cloud (BAG 1 ABR 68/13, 21.07.2015)
+Auch bei Ueberwachung ueber Dritt-Systeme bleibt der Betriebsrat zu beteiligen.
+
+### Belastungsstatistik (BAG 1 ABR 46/15, 25.04.2017)
+Dauerhafte Kennzahlenueberwachung ist ein schwerwiegender Eingriff in das Persoenlichkeitsrecht.
+
+---
+
+## Betriebsrats-Konflikt-Score (SDK)
+
+Das SDK berechnet automatisch einen Konflikt-Score (0-100):
+- Beschaeftigtendaten (+10), Ueberwachungseignung (+20), HR-Bezug (+20)
+- Individualisierbare Logs (+15), Kommunikationsanalyse (+10)
+- Scoring/Ranking (+10), Vollautomatisiert (+10), Keine BR-Konsultation (+5)
+
+Eskalation: Score >= 50 ohne BR → E2, Score >= 75 → E3.',
+ '["§87 Abs.1 Nr.6 BetrVG", "§90 BetrVG", "§94 BetrVG", "§95 BetrVG", "Art. 88 DSGVO", "§26 BDSG"]',
+ ARRAY['BetrVG', 'Mitbestimmung', 'Betriebsrat', 'KI', 'Ueberwachung', 'Microsoft 365'],
+ 'critical',
+ '["https://www.bundesarbeitsgericht.de/entscheidung/1-abr-20-21/", "https://www.bundesarbeitsgericht.de/entscheidung/1-abn-36-18/"]',
+ 1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, summary = EXCLUDED.summary, updated_at = NOW();

admin-compliance/migrations/wiki_domain_articles.sql

@@ -0,0 +1,157 @@
+-- Wiki Articles: Domain-spezifische KI-Compliance
+-- 4 Artikel fuer die wichtigsten Hochrisiko-Domains
+
+-- 1. KI im Recruiting
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-recruiting-compliance', 'arbeitsrecht',
+'KI im Recruiting — AGG, DSGVO Art. 22, AI Act Hochrisiko',
+'Compliance-Anforderungen bei KI-gestuetzter Personalauswahl: Automatisierte Absagen, Bias-Risiken, Beweislastumkehr.',
+'# KI im Recruiting — Compliance-Anforderungen
+
+## AI Act Einstufung
+KI im Recruiting faellt unter **Annex III Nr. 4 (Employment)** = **High-Risk**.
+
+## Kritische Punkte
+
+### Art. 22 DSGVO — Automatisierte Entscheidungen
+Vollautomatische Absagen ohne menschliche Pruefung sind **grundsaetzlich unzulaessig**.
+Erlaubt: KI erstellt Vorschlag → Mensch prueft → Mensch entscheidet → Mensch gibt Absage frei.
+
+### AGG — Diskriminierungsverbot
+- § 1 AGG: Keine Benachteiligung nach Geschlecht, Alter, Herkunft, Religion, Behinderung
+- § 22 AGG: **Beweislastumkehr** — Arbeitgeber muss beweisen, dass KEINE Diskriminierung vorliegt
+- § 15 AGG: Schadensersatz bis 3 Monatsgehaelter pro Fall
+- Proxy-Merkmale vermeiden: Name→Herkunft, Foto→Alter
+
+### BetrVG — Mitbestimmung
+- § 87 Abs. 1 Nr. 6: Betriebsrat muss zustimmen
+- § 95: Auswahlrichtlinien mitbestimmungspflichtig
+- BAG 1 ABR 20/21: Gilt auch fuer Standardsoftware
+
+## Pflichtmassnahmen
+1. Human-in-the-Loop (echt, kein Rubber Stamping)
+2. Regelmaessige Bias-Audits
+3. DSFA durchfuehren
+4. Betriebsvereinbarung abschliessen
+5. Bewerber ueber KI-Nutzung informieren',
+'["Art. 22 DSGVO", "§ 1 AGG", "§ 22 AGG", "§ 15 AGG", "§ 87 BetrVG", "§ 95 BetrVG", "Annex III Nr. 4 AI Act"]',
+ARRAY['Recruiting', 'HR', 'AGG', 'Bias', 'Art. 22', 'Beweislastumkehr', 'Betriebsrat'],
+'critical',
+'["https://www.bundesarbeitsgericht.de/entscheidung/1-abr-20-21/"]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 2. KI in der Bildung
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-bildung-compliance', 'branchenspezifisch',
+'KI in der Bildung — Notenvergabe, Pruefungsbewertung, Minderjaehrige',
+'AI Act Annex III Nr. 3: Hochrisiko bei KI-gestuetzter Bewertung in Bildung und Ausbildung.',
+'# KI in der Bildung — Compliance-Anforderungen
+
+## AI Act Einstufung
+KI in Bildung/Ausbildung faellt unter **Annex III Nr. 3 (Education)** = **High-Risk**.
+
+## Kritische Szenarien
+- KI beeinflusst Noten → High-Risk
+- KI bewertet Pruefungen → High-Risk
+- KI steuert Zugang zu Bildungsangeboten → High-Risk
+- Minderjaehrige betroffen → Besonderer Schutz (Art. 24 EU-Grundrechtecharta)
+
+## BLOCK-Regel
+**Minderjaehrige betroffen + keine Lehrkraft-Pruefung = UNZULAESSIG**
+
+## Pflichtmassnahmen
+1. Lehrkraft prueft JEDES KI-Ergebnis vor Mitteilung an Schueler
+2. Chancengleichheit unabhaengig von sozioekonomischem Hintergrund
+3. Keine Benachteiligung durch Sprache oder Behinderung
+4. FRIA durchfuehren (Grundrechte-Folgenabschaetzung)
+5. DSFA bei Verarbeitung von Schuelerdaten
+
+## Grundrechte
+- Recht auf Bildung (Art. 14 EU-Charta)
+- Rechte des Kindes (Art. 24 EU-Charta)
+- Nicht-Diskriminierung (Art. 21 EU-Charta)',
+'["Annex III Nr. 3 AI Act", "Art. 14 EU-Grundrechtecharta", "Art. 24 EU-Grundrechtecharta", "Art. 35 DSGVO"]',
+ARRAY['Bildung', 'Education', 'Noten', 'Pruefung', 'Minderjaehrige', 'Schule'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 3. KI im Gesundheitswesen
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-gesundheit-compliance', 'branchenspezifisch',
+'KI im Gesundheitswesen — MDR, Diagnose, Triage',
+'AI Act Annex III Nr. 5 + MDR: Hochrisiko bei KI in Diagnose, Behandlung und Triage.',
+'# KI im Gesundheitswesen — Compliance-Anforderungen
+
+## Regulatorischer Rahmen
+- **AI Act Annex III Nr. 5** — Zugang zu wesentlichen Diensten (Gesundheit)
+- **MDR (EU) 2017/745** — Medizinprodukteverordnung
+- **DSGVO Art. 9** — Gesundheitsdaten = besondere Kategorie
+
+## Kritische Szenarien
+- KI unterstuetzt Diagnosen → High-Risk + DSFA Pflicht
+- KI priorisiert Patienten (Triage) → Lebenskritisch, hoechste Anforderungen
+- KI empfiehlt Behandlungen → High-Risk
+- System ist Medizinprodukt → MDR-Zertifizierung erforderlich
+
+## BLOCK-Regeln
+- **Medizinprodukt ohne klinische Validierung = UNZULAESSIG**
+- MDR Art. 61: Klinische Bewertung ist Pflicht
+
+## Grundrechte
+- Menschenwuerde (Art. 1 EU-Charta)
+- Schutz personenbezogener Daten (Art. 8 EU-Charta)
+- Patientenautonomie
+
+## Pflichtmassnahmen
+1. Klinische Validierung vor Einsatz
+2. Human Oversight durch qualifiziertes Fachpersonal
+3. DSFA fuer Gesundheitsdatenverarbeitung
+4. Genauigkeitsmetriken definieren und messen
+5. Incident Reporting bei Fehlfunktionen',
+'["Annex III Nr. 5 AI Act", "MDR (EU) 2017/745", "Art. 9 DSGVO", "Art. 35 DSGVO"]',
+ARRAY['Gesundheit', 'Healthcare', 'MDR', 'Diagnose', 'Triage', 'Medizinprodukt'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();
+
+-- 4. KI in Finanzdienstleistungen
+INSERT INTO compliance.compliance_wiki_articles (id, category_id, title, summary, content, legal_refs, tags, relevance, source_urls, version)
+VALUES ('ki-finance-compliance', 'branchenspezifisch',
+'KI in Finanzdienstleistungen — Scoring, DORA, Versicherung',
+'AI Act Annex III Nr. 5 + DORA + MaRisk: Compliance bei Kredit-Scoring, Algo-Trading, Versicherungspraemien.',
+'# KI in Finanzdienstleistungen — Compliance-Anforderungen
+
+## Regulatorischer Rahmen
+- **AI Act Annex III Nr. 5** — Zugang zu wesentlichen Diensten
+- **DORA** — Digital Operational Resilience Act
+- **MaRisk/BAIT** — Bankaufsichtliche Anforderungen
+- **MiFID II** — Algorithmischer Handel
+
+## Kritische Szenarien
+- Kredit-Scoring → High-Risk (Art. 22 DSGVO + Annex III)
+- Automatisierte Schadenbearbeitung → Art. 22 Risiko
+- Individuelle Praemienberechnung → Diskriminierungsrisiko
+- Algo-Trading → MiFID II Anforderungen
+- Robo Advisor → WpHG-Pflichten
+
+## Pflichtmassnahmen
+1. Transparenz bei Scoring-Entscheidungen
+2. Bias-Audits bei Kreditvergabe
+3. Human Oversight bei Ablehnungen
+4. DORA-konforme IT-Resilienz
+5. Incident Reporting
+
+## Besondere Risiken
+- Diskriminierendes Kredit-Scoring (AGG + AI Act)
+- Ungerechtfertigte Verweigerung von Finanzdienstleistungen
+- Mangelnde Erklaerbarkeit bei Scoring-Algorithmen',
+'["Annex III Nr. 5 AI Act", "DORA", "MaRisk", "MiFID II", "Art. 22 DSGVO", "§ 1 AGG"]',
+ARRAY['Finance', 'Banking', 'Versicherung', 'Scoring', 'DORA', 'Kredit', 'Algo-Trading'],
+'critical',
+'[]',
+1)
+ON CONFLICT (id) DO UPDATE SET content = EXCLUDED.content, updated_at = NOW();

ai-compliance-sdk/internal/api/handlers/maximizer_handlers.go

@@ -0,0 +1,172 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/maximizer"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// MaximizerHandlers exposes the Compliance Maximizer API.
+type MaximizerHandlers struct {
+	svc *maximizer.Service
+}
+
+// NewMaximizerHandlers creates handlers backed by a maximizer service.
+func NewMaximizerHandlers(svc *maximizer.Service) *MaximizerHandlers {
+	return &MaximizerHandlers{svc: svc}
+}
+
+// Optimize evaluates a DimensionConfig and returns optimized variants.
+func (h *MaximizerHandlers) Optimize(c *gin.Context) {
+	var req maximizer.OptimizeInput
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	req.TenantID, _ = getTenantID(c)
+	req.UserID = maximizerGetUserID(c)
+	result, err := h.svc.Optimize(c.Request.Context(), &req)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+// OptimizeFromIntake maps a UseCaseIntake to dimensions and optimizes.
+func (h *MaximizerHandlers) OptimizeFromIntake(c *gin.Context) {
+	var req maximizer.OptimizeFromIntakeInput
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	req.TenantID, _ = getTenantID(c)
+	req.UserID = maximizerGetUserID(c)
+	result, err := h.svc.OptimizeFromIntake(c.Request.Context(), &req)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+// OptimizeFromAssessment optimizes an existing UCCA assessment.
+func (h *MaximizerHandlers) OptimizeFromAssessment(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid assessment id"})
+		return
+	}
+	tid, _ := getTenantID(c)
+	uid := maximizerGetUserID(c)
+	result, err := h.svc.OptimizeFromAssessment(c.Request.Context(), id, tid, uid)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+// OptimizeFromIntakeWithProfile maps intake + profile to dimensions and optimizes.
+func (h *MaximizerHandlers) OptimizeFromIntakeWithProfile(c *gin.Context) {
+	var req maximizer.OptimizeFromIntakeWithProfileInput
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	req.TenantID, _ = getTenantID(c)
+	req.UserID = maximizerGetUserID(c)
+	result, err := h.svc.OptimizeFromIntakeWithProfile(c.Request.Context(), &req)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+// Evaluate performs a 3-zone evaluation without persisting.
+func (h *MaximizerHandlers) Evaluate(c *gin.Context) {
+	var config maximizer.DimensionConfig
+	if err := c.ShouldBindJSON(&config); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+	result := h.svc.Evaluate(&config)
+	c.JSON(http.StatusOK, result)
+}
+
+// ListOptimizations returns stored optimizations for the tenant.
+func (h *MaximizerHandlers) ListOptimizations(c *gin.Context) {
+	f := &maximizer.OptimizationFilters{
+		Search: c.Query("search"),
+		Limit:  maximizerParseInt(c.Query("limit"), 20),
+		Offset: maximizerParseInt(c.Query("offset"), 0),
+	}
+	tid, _ := getTenantID(c)
+	results, total, err := h.svc.ListOptimizations(c.Request.Context(), tid, f)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"optimizations": results, "total": total})
+}
+
+// GetOptimization returns a single optimization.
+func (h *MaximizerHandlers) GetOptimization(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+	result, err := h.svc.GetOptimization(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
+		return
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+// DeleteOptimization removes an optimization.
+func (h *MaximizerHandlers) DeleteOptimization(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+	if err := h.svc.DeleteOptimization(c.Request.Context(), id); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusNoContent, nil)
+}
+
+// GetDimensionSchema returns the dimension enum values for the frontend.
+func (h *MaximizerHandlers) GetDimensionSchema(c *gin.Context) {
+	c.JSON(http.StatusOK, h.svc.GetDimensionSchema())
+}
+
+func maximizerGetUserID(c *gin.Context) uuid.UUID {
+	if id, exists := c.Get("user_id"); exists {
+		if uid, ok := id.(uuid.UUID); ok {
+			return uid
+		}
+	}
+	return uuid.Nil
+}
+
+// maximizerParseInt is a local helper for query param parsing.
+func maximizerParseInt(s string, def int) int {
+	if s == "" {
+		return def
+	}
+	n := 0
+	for _, c := range s {
+		if c < '0' || c > '9' {
+			return def
+		}
+		n = n*10 + int(c-'0')
+	}
+	return n
+}

ai-compliance-sdk/internal/api/handlers/payment_handlers.go

@@ -0,0 +1,290 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// PaymentHandlers handles payment compliance endpoints
+type PaymentHandlers struct {
+	pool     *pgxpool.Pool
+	controls *PaymentControlLibrary
+}
+
+// PaymentControlLibrary holds the control catalog
+type PaymentControlLibrary struct {
+	Domains  []PaymentDomain  `json:"domains"`
+	Controls []PaymentControl `json:"controls"`
+}
+
+type PaymentDomain struct {
+	ID          string `json:"id"`
+	Name        string `json:"name"`
+	Description string `json:"description"`
+}
+
+type PaymentControl struct {
+	ControlID  string   `json:"control_id"`
+	Domain     string   `json:"domain"`
+	Title      string   `json:"title"`
+	Objective  string   `json:"objective"`
+	CheckTarget string  `json:"check_target"`
+	Evidence   []string `json:"evidence"`
+	Automation string   `json:"automation"`
+}
+
+type PaymentAssessment struct {
+	ID              uuid.UUID       `json:"id"`
+	TenantID        uuid.UUID       `json:"tenant_id"`
+	ProjectName     string          `json:"project_name"`
+	TenderReference string          `json:"tender_reference,omitempty"`
+	CustomerName    string          `json:"customer_name,omitempty"`
+	Description     string          `json:"description,omitempty"`
+	SystemType      string          `json:"system_type,omitempty"`
+	PaymentMethods  json.RawMessage `json:"payment_methods,omitempty"`
+	Protocols       json.RawMessage `json:"protocols,omitempty"`
+	TotalControls   int             `json:"total_controls"`
+	ControlsPassed  int             `json:"controls_passed"`
+	ControlsFailed  int             `json:"controls_failed"`
+	ControlsPartial int             `json:"controls_partial"`
+	ControlsNA      int             `json:"controls_not_applicable"`
+	ControlsUnchecked int           `json:"controls_not_checked"`
+	ComplianceScore float64         `json:"compliance_score"`
+	Status          string          `json:"status"`
+	ControlResults  json.RawMessage `json:"control_results,omitempty"`
+	CreatedAt       time.Time       `json:"created_at"`
+	UpdatedAt       time.Time       `json:"updated_at"`
+	CreatedBy       string          `json:"created_by,omitempty"`
+}
+
+// NewPaymentHandlers creates payment handlers with loaded control library
+func NewPaymentHandlers(pool *pgxpool.Pool) *PaymentHandlers {
+	lib := loadControlLibrary()
+	return &PaymentHandlers{pool: pool, controls: lib}
+}
+
+func loadControlLibrary() *PaymentControlLibrary {
+	// Try to load from policies directory
+	paths := []string{
+		"policies/payment_controls_v1.json",
+		"/app/policies/payment_controls_v1.json",
+	}
+	for _, p := range paths {
+		data, err := os.ReadFile(p)
+		if err != nil {
+			// Try relative to executable
+			execDir, _ := os.Executable()
+			altPath := filepath.Join(filepath.Dir(execDir), p)
+			data, err = os.ReadFile(altPath)
+			if err != nil {
+				continue
+			}
+		}
+		var lib PaymentControlLibrary
+		if err := json.Unmarshal(data, &lib); err == nil {
+			return &lib
+		}
+	}
+	return &PaymentControlLibrary{}
+}
+
+// GetControlLibrary returns the loaded control library (for tender matching)
+func (h *PaymentHandlers) GetControlLibrary() *PaymentControlLibrary {
+	return h.controls
+}
+
+// ListControls returns the control library
+func (h *PaymentHandlers) ListControls(c *gin.Context) {
+	domain := c.Query("domain")
+	automation := c.Query("automation")
+
+	controls := h.controls.Controls
+	if domain != "" {
+		var filtered []PaymentControl
+		for _, ctrl := range controls {
+			if ctrl.Domain == domain {
+				filtered = append(filtered, ctrl)
+			}
+		}
+		controls = filtered
+	}
+	if automation != "" {
+		var filtered []PaymentControl
+		for _, ctrl := range controls {
+			if ctrl.Automation == automation {
+				filtered = append(filtered, ctrl)
+			}
+		}
+		controls = filtered
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"controls": controls,
+		"domains":  h.controls.Domains,
+		"total":    len(controls),
+	})
+}
+
+// CreateAssessment creates a new payment compliance assessment
+func (h *PaymentHandlers) CreateAssessment(c *gin.Context) {
+	var req PaymentAssessment
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	req.ID = uuid.New()
+	req.TenantID = tenantID
+	req.Status = "draft"
+	req.TotalControls = len(h.controls.Controls)
+	req.ControlsUnchecked = req.TotalControls
+	req.CreatedAt = time.Now()
+	req.UpdatedAt = time.Now()
+
+	_, err := h.pool.Exec(c.Request.Context(), `
+		INSERT INTO payment_compliance_assessments (
+			id, tenant_id, project_name, tender_reference, customer_name, description,
+			system_type, payment_methods, protocols,
+			total_controls, controls_not_checked, status, created_by
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)`,
+		req.ID, req.TenantID, req.ProjectName, req.TenderReference, req.CustomerName, req.Description,
+		req.SystemType, req.PaymentMethods, req.Protocols,
+		req.TotalControls, req.ControlsUnchecked, req.Status, req.CreatedBy,
+	)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, req)
+}
+
+// ListAssessments lists all payment assessments for a tenant
+func (h *PaymentHandlers) ListAssessments(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	rows, err := h.pool.Query(c.Request.Context(), `
+		SELECT id, tenant_id, project_name, tender_reference, customer_name,
+			system_type, total_controls, controls_passed, controls_failed,
+			controls_partial, controls_not_applicable, controls_not_checked,
+			compliance_score, status, created_at, updated_at
+		FROM payment_compliance_assessments
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`, tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	defer rows.Close()
+
+	var assessments []PaymentAssessment
+	for rows.Next() {
+		var a PaymentAssessment
+		rows.Scan(&a.ID, &a.TenantID, &a.ProjectName, &a.TenderReference, &a.CustomerName,
+			&a.SystemType, &a.TotalControls, &a.ControlsPassed, &a.ControlsFailed,
+			&a.ControlsPartial, &a.ControlsNA, &a.ControlsUnchecked,
+			&a.ComplianceScore, &a.Status, &a.CreatedAt, &a.UpdatedAt)
+		assessments = append(assessments, a)
+	}
+	if assessments == nil {
+		assessments = []PaymentAssessment{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"assessments": assessments, "total": len(assessments)})
+}
+
+// GetAssessment returns a single assessment with control results
+func (h *PaymentHandlers) GetAssessment(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var a PaymentAssessment
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT id, tenant_id, project_name, tender_reference, customer_name, description,
+			system_type, payment_methods, protocols,
+			total_controls, controls_passed, controls_failed, controls_partial,
+			controls_not_applicable, controls_not_checked, compliance_score,
+			status, control_results, created_at, updated_at, created_by
+		FROM payment_compliance_assessments WHERE id = $1`, id).Scan(
+		&a.ID, &a.TenantID, &a.ProjectName, &a.TenderReference, &a.CustomerName, &a.Description,
+		&a.SystemType, &a.PaymentMethods, &a.Protocols,
+		&a.TotalControls, &a.ControlsPassed, &a.ControlsFailed, &a.ControlsPartial,
+		&a.ControlsNA, &a.ControlsUnchecked, &a.ComplianceScore,
+		&a.Status, &a.ControlResults, &a.CreatedAt, &a.UpdatedAt, &a.CreatedBy)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "assessment not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, a)
+}
+
+// UpdateControlVerdict updates the verdict for a single control
+func (h *PaymentHandlers) UpdateControlVerdict(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var body struct {
+		ControlID string `json:"control_id"`
+		Verdict   string `json:"verdict"` // passed, failed, partial, na, unchecked
+		Evidence  string `json:"evidence,omitempty"`
+		Notes     string `json:"notes,omitempty"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Update the control_results JSONB and recalculate scores
+	_, err = h.pool.Exec(c.Request.Context(), `
+		WITH updated AS (
+			SELECT id,
+				COALESCE(control_results, '[]'::jsonb) AS existing_results
+			FROM payment_compliance_assessments WHERE id = $1
+		)
+		UPDATE payment_compliance_assessments SET
+			control_results = (
+				SELECT jsonb_agg(
+					CASE WHEN elem->>'control_id' = $2 THEN
+						jsonb_build_object('control_id', $2, 'verdict', $3, 'evidence', $4, 'notes', $5)
+					ELSE elem END
+				) FROM updated, jsonb_array_elements(
+					CASE WHEN existing_results @> jsonb_build_array(jsonb_build_object('control_id', $2))
+					THEN existing_results
+					ELSE existing_results || jsonb_build_array(jsonb_build_object('control_id', $2, 'verdict', $3, 'evidence', $4, 'notes', $5))
+					END
+				) AS elem
+			),
+			updated_at = NOW()
+		WHERE id = $1`,
+		id, body.ControlID, body.Verdict, body.Evidence, body.Notes)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"status": "updated", "control_id": body.ControlID, "verdict": body.Verdict})
+}

ai-compliance-sdk/internal/api/handlers/registration_handlers.go

@@ -0,0 +1,220 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// RegistrationHandlers handles EU AI Database registration endpoints
+type RegistrationHandlers struct {
+	store     *ucca.RegistrationStore
+	uccaStore *ucca.Store
+}
+
+// NewRegistrationHandlers creates new registration handlers
+func NewRegistrationHandlers(store *ucca.RegistrationStore, uccaStore *ucca.Store) *RegistrationHandlers {
+	return &RegistrationHandlers{store: store, uccaStore: uccaStore}
+}
+
+// Create creates a new registration
+func (h *RegistrationHandlers) Create(c *gin.Context) {
+	var reg ucca.AIRegistration
+	if err := c.ShouldBindJSON(&reg); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request: " + err.Error()})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+	reg.TenantID = tenantID
+
+	if reg.SystemName == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "system_name required"})
+		return
+	}
+
+	if err := h.store.Create(c.Request.Context(), &reg); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create registration: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, reg)
+}
+
+// List lists all registrations for the tenant
+func (h *RegistrationHandlers) List(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	registrations, err := h.store.List(c.Request.Context(), tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to list registrations: " + err.Error()})
+		return
+	}
+	if registrations == nil {
+		registrations = []ucca.AIRegistration{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"registrations": registrations, "total": len(registrations)})
+}
+
+// Get returns a single registration
+func (h *RegistrationHandlers) Get(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	reg, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	c.JSON(http.StatusOK, reg)
+}
+
+// Update updates a registration
+func (h *RegistrationHandlers) Update(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	existing, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	var updates ucca.AIRegistration
+	if err := c.ShouldBindJSON(&updates); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request: " + err.Error()})
+		return
+	}
+
+	// Merge updates into existing
+	updates.ID = existing.ID
+	updates.TenantID = existing.TenantID
+	updates.CreatedAt = existing.CreatedAt
+
+	if err := h.store.Update(c.Request.Context(), &updates); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, updates)
+}
+
+// UpdateStatus changes the registration status
+func (h *RegistrationHandlers) UpdateStatus(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	var body struct {
+		Status      string `json:"status"`
+		SubmittedBy string `json:"submitted_by"`
+	}
+	if err := c.ShouldBindJSON(&body); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
+		return
+	}
+
+	validStatuses := map[string]bool{
+		"draft": true, "ready": true, "submitted": true,
+		"registered": true, "update_required": true, "withdrawn": true,
+	}
+	if !validStatuses[body.Status] {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid status. Valid: draft, ready, submitted, registered, update_required, withdrawn"})
+		return
+	}
+
+	if err := h.store.UpdateStatus(c.Request.Context(), id, body.Status, body.SubmittedBy); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update status: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"id": id, "status": body.Status})
+}
+
+// Prefill creates a registration pre-filled from a UCCA assessment
+func (h *RegistrationHandlers) Prefill(c *gin.Context) {
+	assessmentID, err := uuid.Parse(c.Param("assessment_id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid assessment ID"})
+		return
+	}
+
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	// Load UCCA assessment
+	assessment, err := h.uccaStore.GetAssessment(c.Request.Context(), assessmentID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Assessment not found"})
+		return
+	}
+
+	// Pre-fill registration from assessment intake
+	intake := assessment.Intake
+
+	reg := ucca.AIRegistration{
+		TenantID:           tenantID,
+		SystemName:         intake.Title,
+		SystemDescription:  intake.UseCaseText,
+		IntendedPurpose:    intake.UseCaseText,
+		RiskClassification: string(assessment.RiskLevel),
+		GPAIClassification: "none",
+		RegistrationStatus: "draft",
+		UCCAAssessmentID:   &assessmentID,
+	}
+
+	// Map domain to readable text
+	if intake.Domain != "" {
+		reg.IntendedPurpose = string(intake.Domain) + ": " + intake.UseCaseText
+	}
+
+	c.JSON(http.StatusOK, reg)
+}
+
+// Export generates the EU AI Database submission JSON
+func (h *RegistrationHandlers) Export(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid ID"})
+		return
+	}
+
+	reg, err := h.store.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Registration not found"})
+		return
+	}
+
+	exportJSON := h.store.BuildExportJSON(reg)
+
+	// Save export data to DB
+	reg.ExportData = exportJSON
+	h.store.Update(c.Request.Context(), reg)
+
+	c.Header("Content-Type", "application/json")
+	c.Header("Content-Disposition", "attachment; filename=eu_ai_registration_"+reg.SystemName+".json")
+	c.Data(http.StatusOK, "application/json", exportJSON)
+}

ai-compliance-sdk/internal/api/handlers/regulatory_news_handlers.go

@@ -0,0 +1,42 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+	"github.com/gin-gonic/gin"
+)
+
+// RegulatoryNewsHandlers serves regulatory news from obligation v2 data.
+type RegulatoryNewsHandlers struct {
+	regulations map[string]*ucca.V2RegulationFile
+}
+
+// NewRegulatoryNewsHandlers creates a handler backed by pre-loaded regulation data.
+func NewRegulatoryNewsHandlers(regs map[string]*ucca.V2RegulationFile) *RegulatoryNewsHandlers {
+	return &RegulatoryNewsHandlers{regulations: regs}
+}
+
+// GetNews returns upcoming regulatory deadlines sorted by urgency.
+func (h *RegulatoryNewsHandlers) GetNews(c *gin.Context) {
+	filter := ucca.RegulatoryNewsFilter{
+		BusinessModel: c.Query("business_model"),
+		HorizonDays:   parseIntOrDefault(c.Query("horizon_days"), 365),
+		Limit:         parseIntOrDefault(c.Query("limit"), 5),
+	}
+
+	items := ucca.GetRegulatoryNews(h.regulations, filter)
+	c.JSON(http.StatusOK, gin.H{"items": items, "total": len(items)})
+}
+
+func parseIntOrDefault(s string, def int) int {
+	if s == "" {
+		return def
+	}
+	v, err := strconv.Atoi(s)
+	if err != nil {
+		return def
+	}
+	return v
+}

ai-compliance-sdk/internal/api/handlers/tender_handlers.go

@@ -0,0 +1,557 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// TenderHandlers handles tender upload and requirement extraction
+type TenderHandlers struct {
+	pool     *pgxpool.Pool
+	controls *PaymentControlLibrary
+}
+
+// TenderAnalysis represents a tender document analysis
+type TenderAnalysis struct {
+	ID               uuid.UUID          `json:"id"`
+	TenantID         uuid.UUID          `json:"tenant_id"`
+	FileName         string             `json:"file_name"`
+	FileSize         int64              `json:"file_size"`
+	ProjectName      string             `json:"project_name"`
+	CustomerName     string             `json:"customer_name,omitempty"`
+	Status           string             `json:"status"` // uploaded, extracting, extracted, matched, completed
+	Requirements     []ExtractedReq     `json:"requirements,omitempty"`
+	MatchResults     []MatchResult      `json:"match_results,omitempty"`
+	TotalRequirements int               `json:"total_requirements"`
+	MatchedCount     int                `json:"matched_count"`
+	UnmatchedCount   int                `json:"unmatched_count"`
+	PartialCount     int                `json:"partial_count"`
+	CreatedAt        time.Time          `json:"created_at"`
+	UpdatedAt        time.Time          `json:"updated_at"`
+}
+
+// ExtractedReq represents a single requirement extracted from a tender document
+type ExtractedReq struct {
+	ReqID          string   `json:"req_id"`
+	Text           string   `json:"text"`
+	SourcePage     int      `json:"source_page,omitempty"`
+	SourceSection  string   `json:"source_section,omitempty"`
+	ObligationLevel string  `json:"obligation_level"` // MUST, SHALL, SHOULD, MAY
+	TechnicalDomain string  `json:"technical_domain"` // crypto, logging, payment_flow, etc.
+	CheckTarget    string   `json:"check_target"`     // code, system, config, process, certificate
+	Confidence     float64  `json:"confidence"`
+}
+
+// MatchResult represents the matching of a requirement to controls
+type MatchResult struct {
+	ReqID          string          `json:"req_id"`
+	ReqText        string          `json:"req_text"`
+	ObligationLevel string         `json:"obligation_level"`
+	MatchedControls []ControlMatch `json:"matched_controls"`
+	Verdict        string          `json:"verdict"` // matched, partial, unmatched
+	GapDescription string          `json:"gap_description,omitempty"`
+}
+
+// ControlMatch represents a single control match for a requirement
+type ControlMatch struct {
+	ControlID  string  `json:"control_id"`
+	Title      string  `json:"title"`
+	Relevance  float64 `json:"relevance"` // 0-1
+	CheckTarget string `json:"check_target"`
+}
+
+// NewTenderHandlers creates tender handlers
+func NewTenderHandlers(pool *pgxpool.Pool, controls *PaymentControlLibrary) *TenderHandlers {
+	return &TenderHandlers{pool: pool, controls: controls}
+}
+
+// Upload handles tender document upload
+func (h *TenderHandlers) Upload(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	file, header, err := c.Request.FormFile("file")
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "file required"})
+		return
+	}
+	defer file.Close()
+
+	projectName := c.PostForm("project_name")
+	if projectName == "" {
+		projectName = header.Filename
+	}
+	customerName := c.PostForm("customer_name")
+
+	// Read file content
+	content, err := io.ReadAll(file)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to read file"})
+		return
+	}
+
+	// Store analysis record
+	analysisID := uuid.New()
+	now := time.Now()
+
+	_, err = h.pool.Exec(c.Request.Context(), `
+		INSERT INTO tender_analyses (
+			id, tenant_id, file_name, file_size, file_content,
+			project_name, customer_name, status, created_at, updated_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, 'uploaded', $8, $9)`,
+		analysisID, tenantID, header.Filename, header.Size, content,
+		projectName, customerName, now, now,
+	)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to store: " + err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{
+		"id":           analysisID,
+		"file_name":    header.Filename,
+		"file_size":    header.Size,
+		"project_name": projectName,
+		"status":       "uploaded",
+		"message":      "Dokument hochgeladen. Starte Analyse mit POST /extract.",
+	})
+}
+
+// Extract extracts requirements from an uploaded tender document using LLM
+func (h *TenderHandlers) Extract(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	// Get file content
+	var fileContent []byte
+	var fileName string
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT file_content, file_name FROM tender_analyses WHERE id = $1`, id,
+	).Scan(&fileContent, &fileName)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "analysis not found"})
+		return
+	}
+
+	// Update status
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET status = 'extracting', updated_at = NOW() WHERE id = $1`, id)
+
+	// Extract text (simple: treat as text for now, PDF extraction would use embedding-service)
+	text := string(fileContent)
+
+	// Use LLM to extract requirements
+	requirements := h.extractRequirementsWithLLM(c.Request.Context(), text)
+
+	// Store results
+	reqJSON, _ := json.Marshal(requirements)
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET
+			status = 'extracted',
+			requirements = $2,
+			total_requirements = $3,
+			updated_at = NOW()
+		WHERE id = $1`, id, reqJSON, len(requirements))
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":            id,
+		"status":        "extracted",
+		"requirements":  requirements,
+		"total":         len(requirements),
+	})
+}
+
+// Match matches extracted requirements against the control library
+func (h *TenderHandlers) Match(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	// Get requirements
+	var reqJSON json.RawMessage
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT requirements FROM tender_analyses WHERE id = $1`, id,
+	).Scan(&reqJSON)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "analysis not found"})
+		return
+	}
+
+	var requirements []ExtractedReq
+	json.Unmarshal(reqJSON, &requirements)
+
+	// Match each requirement against controls
+	var results []MatchResult
+	matched, unmatched, partial := 0, 0, 0
+
+	for _, req := range requirements {
+		matches := h.findMatchingControls(req)
+		result := MatchResult{
+			ReqID:           req.ReqID,
+			ReqText:         req.Text,
+			ObligationLevel: req.ObligationLevel,
+			MatchedControls: matches,
+		}
+
+		if len(matches) == 0 {
+			result.Verdict = "unmatched"
+			result.GapDescription = "Kein passender Control gefunden — manueller Review erforderlich"
+			unmatched++
+		} else if matches[0].Relevance >= 0.7 {
+			result.Verdict = "matched"
+			matched++
+		} else {
+			result.Verdict = "partial"
+			result.GapDescription = "Teilweise Abdeckung — Control deckt Anforderung nicht vollstaendig ab"
+			partial++
+		}
+
+		results = append(results, result)
+	}
+
+	// Store results
+	resultsJSON, _ := json.Marshal(results)
+	h.pool.Exec(c.Request.Context(), `
+		UPDATE tender_analyses SET
+			status = 'matched',
+			match_results = $2,
+			matched_count = $3,
+			unmatched_count = $4,
+			partial_count = $5,
+			updated_at = NOW()
+		WHERE id = $1`, id, resultsJSON, matched, unmatched, partial)
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":        id,
+		"status":    "matched",
+		"results":   results,
+		"matched":   matched,
+		"unmatched": unmatched,
+		"partial":   partial,
+		"total":     len(requirements),
+	})
+}
+
+// ListAnalyses lists all tender analyses for a tenant
+func (h *TenderHandlers) ListAnalyses(c *gin.Context) {
+	tenantID, _ := uuid.Parse(c.GetHeader("X-Tenant-ID"))
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	rows, err := h.pool.Query(c.Request.Context(), `
+		SELECT id, tenant_id, file_name, file_size, project_name, customer_name,
+			status, total_requirements, matched_count, unmatched_count, partial_count,
+			created_at, updated_at
+		FROM tender_analyses
+		WHERE tenant_id = $1
+		ORDER BY created_at DESC`, tenantID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	defer rows.Close()
+
+	var analyses []TenderAnalysis
+	for rows.Next() {
+		var a TenderAnalysis
+		rows.Scan(&a.ID, &a.TenantID, &a.FileName, &a.FileSize, &a.ProjectName, &a.CustomerName,
+			&a.Status, &a.TotalRequirements, &a.MatchedCount, &a.UnmatchedCount, &a.PartialCount,
+			&a.CreatedAt, &a.UpdatedAt)
+		analyses = append(analyses, a)
+	}
+	if analyses == nil {
+		analyses = []TenderAnalysis{}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"analyses": analyses, "total": len(analyses)})
+}
+
+// GetAnalysis returns a single analysis with all details
+func (h *TenderHandlers) GetAnalysis(c *gin.Context) {
+	id, err := uuid.Parse(c.Param("id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid ID"})
+		return
+	}
+
+	var a TenderAnalysis
+	var reqJSON, matchJSON json.RawMessage
+	err = h.pool.QueryRow(c.Request.Context(), `
+		SELECT id, tenant_id, file_name, file_size, project_name, customer_name,
+			status, requirements, match_results,
+			total_requirements, matched_count, unmatched_count, partial_count,
+			created_at, updated_at
+		FROM tender_analyses WHERE id = $1`, id).Scan(
+		&a.ID, &a.TenantID, &a.FileName, &a.FileSize, &a.ProjectName, &a.CustomerName,
+		&a.Status, &reqJSON, &matchJSON,
+		&a.TotalRequirements, &a.MatchedCount, &a.UnmatchedCount, &a.PartialCount,
+		&a.CreatedAt, &a.UpdatedAt)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "not found"})
+		return
+	}
+
+	if reqJSON != nil {
+		json.Unmarshal(reqJSON, &a.Requirements)
+	}
+	if matchJSON != nil {
+		json.Unmarshal(matchJSON, &a.MatchResults)
+	}
+
+	c.JSON(http.StatusOK, a)
+}
+
+// --- Internal helpers ---
+
+func (h *TenderHandlers) extractRequirementsWithLLM(ctx context.Context, text string) []ExtractedReq {
+	// Try Anthropic API for requirement extraction
+	apiKey := os.Getenv("ANTHROPIC_API_KEY")
+	if apiKey == "" {
+		// Fallback: simple keyword-based extraction
+		return h.extractRequirementsKeyword(text)
+	}
+
+	prompt := fmt.Sprintf(`Analysiere das folgende Ausschreibungsdokument und extrahiere alle technischen Anforderungen.
+
+Fuer jede Anforderung gib zurueck:
+- req_id: fortlaufende ID (REQ-001, REQ-002, ...)
+- text: die Anforderung als kurzer Satz
+- obligation_level: MUST, SHALL, SHOULD oder MAY
+- technical_domain: eines von: payment_flow, logging, crypto, api_security, terminal_comm, firmware, reporting, access_control, error_handling, build_deploy
+- check_target: eines von: code, system, config, process, certificate
+
+Antworte NUR mit JSON Array. Keine Erklaerung.
+
+Dokument:
+%s`, text[:min(len(text), 15000)])
+
+	body := map[string]interface{}{
+		"model":      "claude-haiku-4-5-20251001",
+		"max_tokens": 4096,
+		"messages":   []map[string]string{{"role": "user", "content": prompt}},
+	}
+	bodyJSON, _ := json.Marshal(body)
+
+	req, _ := http.NewRequestWithContext(ctx, "POST", "https://api.anthropic.com/v1/messages", strings.NewReader(string(bodyJSON)))
+	req.Header.Set("x-api-key", apiKey)
+	req.Header.Set("anthropic-version", "2023-06-01")
+	req.Header.Set("content-type", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil || resp.StatusCode != 200 {
+		return h.extractRequirementsKeyword(text)
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		Content []struct {
+			Text string `json:"text"`
+		} `json:"content"`
+	}
+	json.NewDecoder(resp.Body).Decode(&result)
+
+	if len(result.Content) == 0 {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	// Parse LLM response
+	responseText := result.Content[0].Text
+	// Find JSON array in response
+	start := strings.Index(responseText, "[")
+	end := strings.LastIndex(responseText, "]")
+	if start < 0 || end < 0 {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	var reqs []ExtractedReq
+	if err := json.Unmarshal([]byte(responseText[start:end+1]), &reqs); err != nil {
+		return h.extractRequirementsKeyword(text)
+	}
+
+	// Set confidence for LLM-extracted requirements
+	for i := range reqs {
+		reqs[i].Confidence = 0.8
+	}
+
+	return reqs
+}
+
+func (h *TenderHandlers) extractRequirementsKeyword(text string) []ExtractedReq {
+	// Simple keyword-based extraction as fallback
+	keywords := map[string]string{
+		"muss":           "MUST",
+		"muessen":        "MUST",
+		"ist sicherzustellen": "MUST",
+		"soll":           "SHOULD",
+		"sollte":         "SHOULD",
+		"kann":           "MAY",
+		"wird gefordert": "MUST",
+		"nachzuweisen":   "MUST",
+		"zertifiziert":   "MUST",
+	}
+
+	var reqs []ExtractedReq
+	lines := strings.Split(text, "\n")
+	reqNum := 1
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if len(line) < 20 || len(line) > 500 {
+			continue
+		}
+
+		for keyword, level := range keywords {
+			if strings.Contains(strings.ToLower(line), keyword) {
+				reqs = append(reqs, ExtractedReq{
+					ReqID:           fmt.Sprintf("REQ-%03d", reqNum),
+					Text:            line,
+					ObligationLevel: level,
+					TechnicalDomain: inferDomain(line),
+					CheckTarget:     inferCheckTarget(line),
+					Confidence:      0.5,
+				})
+				reqNum++
+				break
+			}
+		}
+	}
+
+	return reqs
+}
+
+func (h *TenderHandlers) findMatchingControls(req ExtractedReq) []ControlMatch {
+	var matches []ControlMatch
+
+	reqLower := strings.ToLower(req.Text + " " + req.TechnicalDomain)
+
+	for _, ctrl := range h.controls.Controls {
+		titleLower := strings.ToLower(ctrl.Title + " " + ctrl.Objective)
+		relevance := calculateRelevance(reqLower, titleLower, req.TechnicalDomain, ctrl.Domain)
+
+		if relevance > 0.3 {
+			matches = append(matches, ControlMatch{
+				ControlID:   ctrl.ControlID,
+				Title:       ctrl.Title,
+				Relevance:   relevance,
+				CheckTarget: ctrl.CheckTarget,
+			})
+		}
+	}
+
+	// Sort by relevance (simple bubble sort for small lists)
+	for i := 0; i < len(matches); i++ {
+		for j := i + 1; j < len(matches); j++ {
+			if matches[j].Relevance > matches[i].Relevance {
+				matches[i], matches[j] = matches[j], matches[i]
+			}
+		}
+	}
+
+	// Return top 5
+	if len(matches) > 5 {
+		matches = matches[:5]
+	}
+
+	return matches
+}
+
+func calculateRelevance(reqText, ctrlText, reqDomain, ctrlDomain string) float64 {
+	score := 0.0
+
+	// Domain match bonus
+	domainMap := map[string]string{
+		"payment_flow":   "PAY",
+		"logging":        "LOG",
+		"crypto":         "CRYPTO",
+		"api_security":   "API",
+		"terminal_comm":  "TERM",
+		"firmware":       "FW",
+		"reporting":      "REP",
+		"access_control": "ACC",
+		"error_handling":  "ERR",
+		"build_deploy":   "BLD",
+	}
+
+	if mapped, ok := domainMap[reqDomain]; ok && mapped == ctrlDomain {
+		score += 0.4
+	}
+
+	// Keyword overlap
+	reqWords := strings.Fields(reqText)
+	for _, word := range reqWords {
+		if len(word) > 3 && strings.Contains(ctrlText, word) {
+			score += 0.1
+		}
+	}
+
+	if score > 1.0 {
+		score = 1.0
+	}
+	return score
+}
+
+func inferDomain(text string) string {
+	textLower := strings.ToLower(text)
+	domainKeywords := map[string][]string{
+		"payment_flow":   {"zahlung", "transaktion", "buchung", "payment", "betrag"},
+		"logging":        {"log", "protokoll", "audit", "nachvollzieh"},
+		"crypto":         {"verschlüssel", "schlüssel", "krypto", "tls", "ssl", "hsm", "pin"},
+		"api_security":   {"api", "schnittstelle", "authentifiz", "autorisier"},
+		"terminal_comm":  {"terminal", "zvt", "opi", "gerät", "kontaktlos", "nfc"},
+		"firmware":       {"firmware", "update", "signatur", "boot"},
+		"reporting":      {"bericht", "report", "abrechnung", "export", "abgleich"},
+		"access_control": {"zugang", "benutzer", "passwort", "rolle", "berechtigung"},
+		"error_handling":  {"fehler", "ausfall", "recovery", "offline", "störung"},
+		"build_deploy":   {"build", "deploy", "release", "ci", "pipeline"},
+	}
+
+	for domain, keywords := range domainKeywords {
+		for _, kw := range keywords {
+			if strings.Contains(textLower, kw) {
+				return domain
+			}
+		}
+	}
+	return "general"
+}
+
+func inferCheckTarget(text string) string {
+	textLower := strings.ToLower(text)
+	if strings.Contains(textLower, "zertifik") || strings.Contains(textLower, "zulassung") {
+		return "certificate"
+	}
+	if strings.Contains(textLower, "prozess") || strings.Contains(textLower, "verfahren") {
+		return "process"
+	}
+	if strings.Contains(textLower, "konfigur") {
+		return "config"
+	}
+	return "code"
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}

ai-compliance-sdk/internal/api/handlers/ucca_handlers.go

@@ -330,3 +330,65 @@ func (h *UCCAHandlers) createEscalationForAssessment(c *gin.Context, assessment
 
 	return escalation
 }
+
+// AssessEnriched evaluates a use case with optional company profile context.
+func (h *UCCAHandlers) AssessEnriched(c *gin.Context) {
+	tenantID := rbac.GetTenantID(c)
+	userID := rbac.GetUserID(c)
+	if tenantID == uuid.Nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "tenant ID required"})
+		return
+	}
+
+	var req struct {
+		Intake         ucca.UseCaseIntake        `json:"intake"`
+		CompanyProfile *ucca.CompanyProfileInput  `json:"company_profile,omitempty"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Standard UCCA evaluation
+	result, policyVersion := h.evaluateIntake(&req.Intake)
+	hash := sha256.Sum256([]byte(req.Intake.UseCaseText))
+
+	assessment := &ucca.Assessment{
+		TenantID: tenantID, Title: req.Intake.Title, PolicyVersion: policyVersion,
+		Status: "completed", Intake: req.Intake,
+		UseCaseTextStored: req.Intake.StoreRawText, UseCaseTextHash: hex.EncodeToString(hash[:]),
+		Feasibility: result.Feasibility, RiskLevel: result.RiskLevel,
+		Complexity: result.Complexity, RiskScore: result.RiskScore,
+		TriggeredRules: result.TriggeredRules, RequiredControls: result.RequiredControls,
+		RecommendedArchitecture: result.RecommendedArchitecture,
+		ForbiddenPatterns: result.ForbiddenPatterns, ExampleMatches: result.ExampleMatches,
+		DSFARecommended: result.DSFARecommended, Art22Risk: result.Art22Risk,
+		TrainingAllowed: result.TrainingAllowed, Domain: req.Intake.Domain, CreatedBy: userID,
+	}
+	if !req.Intake.StoreRawText {
+		assessment.Intake.UseCaseText = ""
+	}
+	if assessment.Title == "" {
+		assessment.Title = fmt.Sprintf("Assessment vom %s", time.Now().Format("02.01.2006 15:04"))
+	}
+	if err := h.store.CreateAssessment(c.Request.Context(), assessment); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Build enriched response
+	resp := gin.H{
+		"assessment": assessment,
+		"result":     result,
+	}
+
+	// Company profile enrichment
+	if req.CompanyProfile != nil {
+		resp["enrichment_hints"] = ucca.ComputeEnrichmentHints(req.CompanyProfile)
+		resp["company_context"] = ucca.BuildCompanyContext(req.CompanyProfile)
+	} else {
+		resp["enrichment_hints"] = ucca.ComputeEnrichmentHints(nil)
+	}
+
+	c.JSON(http.StatusCreated, resp)
+}

ai-compliance-sdk/internal/app/app.go

@@ -15,6 +15,7 @@ import (
 	"github.com/breakpilot/ai-compliance-sdk/internal/config"
 	"github.com/breakpilot/ai-compliance-sdk/internal/iace"
 	"github.com/breakpilot/ai-compliance-sdk/internal/llm"
+	"github.com/breakpilot/ai-compliance-sdk/internal/maximizer"
 	"github.com/breakpilot/ai-compliance-sdk/internal/portfolio"
 	"github.com/breakpilot/ai-compliance-sdk/internal/rbac"
 	"github.com/breakpilot/ai-compliance-sdk/internal/roadmap"
@@ -132,6 +133,25 @@ func buildRouter(cfg *config.Config, pool *pgxpool.Pool) *gin.Engine {
 	trainingHandlers := handlers.NewTrainingHandlers(trainingStore, contentGenerator, blockGenerator, ttsClient)
 	ragHandlers := handlers.NewRAGHandlers(corpusVersionStore)
 	obligationsHandlers := handlers.NewObligationsHandlersWithStore(obligationsStore)
+
+	// Regulatory News
+	allV2Regs, err := ucca.LoadAllV2Regulations()
+	if err != nil {
+		log.Printf("WARNING: V2 regulations not loaded: %v", err)
+		allV2Regs = make(map[string]*ucca.V2RegulationFile)
+	}
+	regulatoryNewsHandlers := handlers.NewRegulatoryNewsHandlers(allV2Regs)
+
+	// Maximizer
+	maximizerStore := maximizer.NewStore(pool)
+	maximizerRules, err := maximizer.LoadConstraintRulesFromDefault()
+	if err != nil {
+		log.Printf("WARNING: Maximizer constraints not loaded: %v", err)
+		maximizerRules = &maximizer.ConstraintRuleSet{Version: "0.0.0"}
+	}
+	maximizerSvc := maximizer.NewService(maximizerStore, uccaStore, maximizerRules)
+	maximizerHandlers := handlers.NewMaximizerHandlers(maximizerSvc)
+
 	rbacMiddleware := rbac.NewMiddleware(rbacService, policyEngine)
 
 	// Router
@@ -155,7 +175,8 @@ func buildRouter(cfg *config.Config, pool *pgxpool.Pool) *gin.Engine {
 		rbacHandlers, llmHandlers, auditHandlers,
 		uccaHandlers, escalationHandlers, obligationsHandlers, ragHandlers,
 		roadmapHandlers, workshopHandlers, portfolioHandlers,
-		academyHandlers, trainingHandlers, whistleblowerHandlers, iaceHandler)
+		academyHandlers, trainingHandlers, whistleblowerHandlers, iaceHandler,
+		maximizerHandlers, regulatoryNewsHandlers)
 
 	return router
 }

ai-compliance-sdk/internal/app/routes.go

@@ -26,6 +26,8 @@ func registerRoutes(
 	trainingHandlers *handlers.TrainingHandlers,
 	whistleblowerHandlers *handlers.WhistleblowerHandlers,
 	iaceHandler *handlers.IACEHandler,
+	maximizerHandlers *handlers.MaximizerHandlers,
+	regulatoryNewsHandlers *handlers.RegulatoryNewsHandlers,
 ) {
 	v1 := router.Group("/sdk/v1")
 	{
@@ -46,6 +48,8 @@ func registerRoutes(
 		registerTrainingRoutes(v1, trainingHandlers)
 		registerWhistleblowerRoutes(v1, whistleblowerHandlers)
 		registerIACERoutes(v1, iaceHandler)
+		registerMaximizerRoutes(v1, maximizerHandlers)
+		v1.GET("/regulatory-news", regulatoryNewsHandlers.GetNews)
 	}
 }
 
@@ -122,6 +126,7 @@ func registerUCCARoutes(v1 *gin.RouterGroup, h *handlers.UCCAHandlers, eh *handl
 	uccaRoutes := v1.Group("/ucca")
 	{
 		uccaRoutes.POST("/assess", h.Assess)
+		uccaRoutes.POST("/assess-enriched", h.AssessEnriched)
 		uccaRoutes.GET("/assessments", h.ListAssessments)
 		uccaRoutes.GET("/assessments/:id", h.GetAssessment)
 		uccaRoutes.PUT("/assessments/:id", h.UpdateAssessment)
@@ -407,3 +412,18 @@ func registerIACERoutes(v1 *gin.RouterGroup, h *handlers.IACEHandler) {
 		iaceRoutes.POST("/projects/:id/tech-file/:section/enrich", h.EnrichTechFileSection)
 	}
 }
+
+func registerMaximizerRoutes(v1 *gin.RouterGroup, h *handlers.MaximizerHandlers) {
+	m := v1.Group("/maximizer")
+	{
+		m.POST("/optimize", h.Optimize)
+		m.POST("/optimize-from-intake", h.OptimizeFromIntake)
+		m.POST("/optimize-from-intake-enriched", h.OptimizeFromIntakeWithProfile)
+		m.POST("/optimize-from-assessment/:id", h.OptimizeFromAssessment)
+		m.POST("/evaluate", h.Evaluate)
+		m.GET("/optimizations", h.ListOptimizations)
+		m.GET("/optimizations/:id", h.GetOptimization)
+		m.DELETE("/optimizations/:id", h.DeleteOptimization)
+		m.GET("/dimensions", h.GetDimensionSchema)
+	}
+}

ai-compliance-sdk/internal/maximizer/constraint_loader.go

@@ -0,0 +1,52 @@
+package maximizer
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+const defaultConstraintFile = "policies/maximizer_constraints_v1.json"
+
+// LoadConstraintRules reads a constraint ruleset from a JSON file.
+func LoadConstraintRules(path string) (*ConstraintRuleSet, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("read constraint file %s: %w", path, err)
+	}
+	var rs ConstraintRuleSet
+	if err := json.Unmarshal(data, &rs); err != nil {
+		return nil, fmt.Errorf("parse constraint file %s: %w", path, err)
+	}
+	if rs.Version == "" {
+		return nil, fmt.Errorf("constraint file %s: missing version", path)
+	}
+	return &rs, nil
+}
+
+// LoadConstraintRulesFromDefault loads from the default policy file
+// relative to the project root.
+func LoadConstraintRulesFromDefault() (*ConstraintRuleSet, error) {
+	root := findProjectRoot()
+	path := filepath.Join(root, defaultConstraintFile)
+	return LoadConstraintRules(path)
+}
+
+// findProjectRoot walks up from the current source file to find the
+// ai-compliance-sdk root (contains go.mod or policies/).
+func findProjectRoot() string {
+	_, filename, _, ok := runtime.Caller(0)
+	if !ok {
+		return "."
+	}
+	dir := filepath.Dir(filename)
+	for i := 0; i < 10; i++ {
+		if _, err := os.Stat(filepath.Join(dir, "policies")); err == nil {
+			return dir
+		}
+		dir = filepath.Dir(dir)
+	}
+	return "."
+}

ai-compliance-sdk/internal/maximizer/constraints.go

@@ -0,0 +1,76 @@
+package maximizer
+
+// ConstraintRuleSet is the top-level container loaded from maximizer_constraints_v1.json.
+type ConstraintRuleSet struct {
+	Version     string           `json:"version"`
+	Regulations []string         `json:"regulations"`
+	Rules       []ConstraintRule `json:"rules"`
+}
+
+// ConstraintRule maps a regulatory obligation to dimension restrictions.
+type ConstraintRule struct {
+	ID           string       `json:"id"`
+	ObligationID string       `json:"obligation_id"`
+	Regulation   string       `json:"regulation"`
+	ArticleRef   string       `json:"article_ref"`
+	Title        string       `json:"title"`
+	Description  string       `json:"description"`
+	RuleType     string       `json:"rule_type"` // hard_prohibition, requirement, classification_rule, optimizer_rule, escalation_gate
+	Constraints  []Constraint `json:"constraints"`
+}
+
+// Constraint is a single if-then rule on the dimension space.
+type Constraint struct {
+	If   ConditionSet `json:"if"`
+	Then EffectSet    `json:"then"`
+}
+
+// ConditionSet maps dimension names to their required values.
+// Values can be a string (exact match) or []string (any of).
+type ConditionSet map[string]interface{}
+
+// EffectSet defines what must be true when the condition matches.
+type EffectSet struct {
+	// Allowed=false means hard block — no optimization possible for this rule
+	Allowed *bool `json:"allowed,omitempty"`
+
+	// RequiredValues: dimension must have exactly this value
+	RequiredValues map[string]string `json:"required_values,omitempty"`
+
+	// RequiredControls: organizational/technical controls needed
+	RequiredControls []string `json:"required_controls,omitempty"`
+
+	// RequiredPatterns: architectural patterns needed
+	RequiredPatterns []string `json:"required_patterns,omitempty"`
+
+	// Classification overrides
+	SetRiskClassification string `json:"set_risk_classification,omitempty"`
+}
+
+// Matches checks if a DimensionConfig satisfies all conditions in this set.
+func (cs ConditionSet) Matches(config *DimensionConfig) bool {
+	for dim, expected := range cs {
+		actual := config.GetValue(dim)
+		if actual == "" {
+			return false
+		}
+		switch v := expected.(type) {
+		case string:
+			if actual != v {
+				return false
+			}
+		case []interface{}:
+			found := false
+			for _, item := range v {
+				if s, ok := item.(string); ok && actual == s {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return false
+			}
+		}
+	}
+	return true
+}

ai-compliance-sdk/internal/maximizer/dimensions.go

@@ -0,0 +1,306 @@
+package maximizer
+
+// DimensionConfig is the normalized representation of an AI use case
+// as a point in a 13-dimensional regulatory constraint space.
+// Each dimension maps to regulatory obligations from DSGVO, AI Act, etc.
+type DimensionConfig struct {
+	AutomationLevel      AutomationLevel     `json:"automation_level"`
+	DecisionBinding      DecisionBinding     `json:"decision_binding"`
+	DecisionImpact       DecisionImpact      `json:"decision_impact"`
+	Domain               DomainCategory      `json:"domain"`
+	DataType             DataTypeSensitivity `json:"data_type"`
+	HumanInLoop          HumanInLoopLevel    `json:"human_in_loop"`
+	Explainability       ExplainabilityLevel `json:"explainability"`
+	RiskClassification   RiskClass           `json:"risk_classification"`
+	LegalBasis           LegalBasisType      `json:"legal_basis"`
+	TransparencyRequired bool                `json:"transparency_required"`
+	LoggingRequired      bool                `json:"logging_required"`
+	ModelType            ModelType           `json:"model_type"`
+	DeploymentScope      DeploymentScope     `json:"deployment_scope"`
+}
+
+// --- Dimension Enums ---
+
+type AutomationLevel string
+
+const (
+	AutoNone      AutomationLevel = "none"
+	AutoAssistive AutomationLevel = "assistive"
+	AutoPartial   AutomationLevel = "partial"
+	AutoFull      AutomationLevel = "full"
+)
+
+type DecisionBinding string
+
+const (
+	BindingNonBinding    DecisionBinding = "non_binding"
+	BindingHumanReview   DecisionBinding = "human_review_required"
+	BindingFullyBinding  DecisionBinding = "fully_binding"
+)
+
+type DecisionImpact string
+
+const (
+	ImpactLow    DecisionImpact = "low"
+	ImpactMedium DecisionImpact = "medium"
+	ImpactHigh   DecisionImpact = "high"
+)
+
+type DomainCategory string
+
+const (
+	DomainHR        DomainCategory = "hr"
+	DomainFinance   DomainCategory = "finance"
+	DomainEducation DomainCategory = "education"
+	DomainHealth    DomainCategory = "health"
+	DomainMarketing DomainCategory = "marketing"
+	DomainGeneral   DomainCategory = "general"
+)
+
+type DataTypeSensitivity string
+
+const (
+	DataNonPersonal DataTypeSensitivity = "non_personal"
+	DataPersonal    DataTypeSensitivity = "personal"
+	DataSensitive   DataTypeSensitivity = "sensitive"
+	DataBiometric   DataTypeSensitivity = "biometric"
+)
+
+type HumanInLoopLevel string
+
+const (
+	HILNone     HumanInLoopLevel = "none"
+	HILOptional HumanInLoopLevel = "optional"
+	HILRequired HumanInLoopLevel = "required"
+)
+
+type ExplainabilityLevel string
+
+const (
+	ExplainNone  ExplainabilityLevel = "none"
+	ExplainBasic ExplainabilityLevel = "basic"
+	ExplainHigh  ExplainabilityLevel = "high"
+)
+
+type RiskClass string
+
+const (
+	RiskMinimal    RiskClass = "minimal"
+	RiskLimited    RiskClass = "limited"
+	RiskHigh       RiskClass = "high"
+	RiskProhibited RiskClass = "prohibited"
+)
+
+type LegalBasisType string
+
+const (
+	LegalConsent             LegalBasisType = "consent"
+	LegalContract            LegalBasisType = "contract"
+	LegalLegalObligation     LegalBasisType = "legal_obligation"
+	LegalLegitimateInterest  LegalBasisType = "legitimate_interest"
+	LegalPublicInterest      LegalBasisType = "public_interest"
+)
+
+type ModelType string
+
+const (
+	ModelRuleBased   ModelType = "rule_based"
+	ModelStatistical ModelType = "statistical"
+	ModelBlackboxLLM ModelType = "blackbox_llm"
+)
+
+type DeploymentScope string
+
+const (
+	ScopeInternal DeploymentScope = "internal"
+	ScopeExternal DeploymentScope = "external"
+	ScopePublic   DeploymentScope = "public"
+)
+
+// --- Ordinal Orderings (higher = more regulatory risk) ---
+
+var automationOrder = map[AutomationLevel]int{
+	AutoNone: 0, AutoAssistive: 1, AutoPartial: 2, AutoFull: 3,
+}
+
+var bindingOrder = map[DecisionBinding]int{
+	BindingNonBinding: 0, BindingHumanReview: 1, BindingFullyBinding: 2,
+}
+
+var impactOrder = map[DecisionImpact]int{
+	ImpactLow: 0, ImpactMedium: 1, ImpactHigh: 2,
+}
+
+var dataTypeOrder = map[DataTypeSensitivity]int{
+	DataNonPersonal: 0, DataPersonal: 1, DataSensitive: 2, DataBiometric: 3,
+}
+
+var hilOrder = map[HumanInLoopLevel]int{
+	HILRequired: 0, HILOptional: 1, HILNone: 2,
+}
+
+var explainOrder = map[ExplainabilityLevel]int{
+	ExplainHigh: 0, ExplainBasic: 1, ExplainNone: 2,
+}
+
+var riskOrder = map[RiskClass]int{
+	RiskMinimal: 0, RiskLimited: 1, RiskHigh: 2, RiskProhibited: 3,
+}
+
+var modelTypeOrder = map[ModelType]int{
+	ModelRuleBased: 0, ModelStatistical: 1, ModelBlackboxLLM: 2,
+}
+
+var scopeOrder = map[DeploymentScope]int{
+	ScopeInternal: 0, ScopeExternal: 1, ScopePublic: 2,
+}
+
+// AllValues returns the ordered list of allowed values for each dimension.
+var AllValues = map[string][]string{
+	"automation_level":      {"none", "assistive", "partial", "full"},
+	"decision_binding":      {"non_binding", "human_review_required", "fully_binding"},
+	"decision_impact":       {"low", "medium", "high"},
+	"domain":                {"hr", "finance", "education", "health", "marketing", "general"},
+	"data_type":             {"non_personal", "personal", "sensitive", "biometric"},
+	"human_in_loop":         {"required", "optional", "none"},
+	"explainability":        {"high", "basic", "none"},
+	"risk_classification":   {"minimal", "limited", "high", "prohibited"},
+	"legal_basis":           {"consent", "contract", "legal_obligation", "legitimate_interest", "public_interest"},
+	"transparency_required": {"true", "false"},
+	"logging_required":      {"true", "false"},
+	"model_type":            {"rule_based", "statistical", "blackbox_llm"},
+	"deployment_scope":      {"internal", "external", "public"},
+}
+
+// DimensionDelta represents a single change between two configs.
+type DimensionDelta struct {
+	Dimension string `json:"dimension"`
+	From      string `json:"from"`
+	To        string `json:"to"`
+	Impact    string `json:"impact"` // human-readable impact description
+}
+
+// GetValue returns the string value of a dimension by name.
+func (d *DimensionConfig) GetValue(dimension string) string {
+	switch dimension {
+	case "automation_level":
+		return string(d.AutomationLevel)
+	case "decision_binding":
+		return string(d.DecisionBinding)
+	case "decision_impact":
+		return string(d.DecisionImpact)
+	case "domain":
+		return string(d.Domain)
+	case "data_type":
+		return string(d.DataType)
+	case "human_in_loop":
+		return string(d.HumanInLoop)
+	case "explainability":
+		return string(d.Explainability)
+	case "risk_classification":
+		return string(d.RiskClassification)
+	case "legal_basis":
+		return string(d.LegalBasis)
+	case "transparency_required":
+		if d.TransparencyRequired {
+			return "true"
+		}
+		return "false"
+	case "logging_required":
+		if d.LoggingRequired {
+			return "true"
+		}
+		return "false"
+	case "model_type":
+		return string(d.ModelType)
+	case "deployment_scope":
+		return string(d.DeploymentScope)
+	default:
+		return ""
+	}
+}
+
+// SetValue sets a dimension value by name. Returns false if the dimension is unknown.
+func (d *DimensionConfig) SetValue(dimension, value string) bool {
+	switch dimension {
+	case "automation_level":
+		d.AutomationLevel = AutomationLevel(value)
+	case "decision_binding":
+		d.DecisionBinding = DecisionBinding(value)
+	case "decision_impact":
+		d.DecisionImpact = DecisionImpact(value)
+	case "domain":
+		d.Domain = DomainCategory(value)
+	case "data_type":
+		d.DataType = DataTypeSensitivity(value)
+	case "human_in_loop":
+		d.HumanInLoop = HumanInLoopLevel(value)
+	case "explainability":
+		d.Explainability = ExplainabilityLevel(value)
+	case "risk_classification":
+		d.RiskClassification = RiskClass(value)
+	case "legal_basis":
+		d.LegalBasis = LegalBasisType(value)
+	case "transparency_required":
+		d.TransparencyRequired = value == "true"
+	case "logging_required":
+		d.LoggingRequired = value == "true"
+	case "model_type":
+		d.ModelType = ModelType(value)
+	case "deployment_scope":
+		d.DeploymentScope = DeploymentScope(value)
+	default:
+		return false
+	}
+	return true
+}
+
+// Diff computes the changes between two configs.
+func (d *DimensionConfig) Diff(other *DimensionConfig) []DimensionDelta {
+	dimensions := []string{
+		"automation_level", "decision_binding", "decision_impact", "domain",
+		"data_type", "human_in_loop", "explainability", "risk_classification",
+		"legal_basis", "transparency_required", "logging_required",
+		"model_type", "deployment_scope",
+	}
+	var deltas []DimensionDelta
+	for _, dim := range dimensions {
+		from := d.GetValue(dim)
+		to := other.GetValue(dim)
+		if from != to {
+			deltas = append(deltas, DimensionDelta{
+				Dimension: dim,
+				From:      from,
+				To:        to,
+				Impact:    describeDeltaImpact(dim, from, to),
+			})
+		}
+	}
+	return deltas
+}
+
+// Clone returns a deep copy of the config.
+func (d *DimensionConfig) Clone() DimensionConfig {
+	return *d
+}
+
+func describeDeltaImpact(dimension, from, to string) string {
+	switch dimension {
+	case "automation_level":
+		return "Automatisierungsgrad: " + from + " → " + to
+	case "decision_binding":
+		return "Entscheidungsbindung: " + from + " → " + to
+	case "human_in_loop":
+		return "Menschliche Kontrolle: " + from + " → " + to
+	case "explainability":
+		return "Erklaerbarkeit: " + from + " → " + to
+	case "data_type":
+		return "Datensensitivitaet: " + from + " → " + to
+	case "transparency_required":
+		return "Transparenzpflicht: " + from + " → " + to
+	case "logging_required":
+		return "Protokollierungspflicht: " + from + " → " + to
+	default:
+		return dimension + ": " + from + " → " + to
+	}
+}

ai-compliance-sdk/internal/maximizer/dimensions_test.go

@@ -0,0 +1,201 @@
+package maximizer
+
+import (
+	"testing"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+)
+
+func TestGetValueSetValueRoundtrip(t *testing.T) {
+	config := DimensionConfig{
+		AutomationLevel:      AutoFull,
+		DecisionBinding:      BindingFullyBinding,
+		DecisionImpact:       ImpactHigh,
+		Domain:               DomainHR,
+		DataType:             DataPersonal,
+		HumanInLoop:          HILNone,
+		Explainability:       ExplainNone,
+		RiskClassification:   RiskHigh,
+		LegalBasis:           LegalContract,
+		TransparencyRequired: true,
+		LoggingRequired:      false,
+		ModelType:            ModelBlackboxLLM,
+		DeploymentScope:      ScopeExternal,
+	}
+
+	for _, dim := range allDimensions {
+		val := config.GetValue(dim)
+		if val == "" {
+			t.Errorf("GetValue(%q) returned empty", dim)
+		}
+		clone := DimensionConfig{}
+		ok := clone.SetValue(dim, val)
+		if !ok {
+			t.Errorf("SetValue(%q, %q) returned false", dim, val)
+		}
+		if clone.GetValue(dim) != val {
+			t.Errorf("SetValue roundtrip failed for %q: got %q, want %q", dim, clone.GetValue(dim), val)
+		}
+	}
+}
+
+func TestGetValueUnknownDimension(t *testing.T) {
+	config := DimensionConfig{}
+	if v := config.GetValue("nonexistent"); v != "" {
+		t.Errorf("expected empty for unknown dimension, got %q", v)
+	}
+	if ok := config.SetValue("nonexistent", "x"); ok {
+		t.Error("expected false for unknown dimension")
+	}
+}
+
+func TestDiffIdentical(t *testing.T) {
+	config := DimensionConfig{
+		AutomationLevel: AutoAssistive,
+		DecisionImpact:  ImpactLow,
+		Domain:          DomainGeneral,
+	}
+	deltas := config.Diff(&config)
+	if len(deltas) != 0 {
+		t.Errorf("expected 0 deltas for identical configs, got %d", len(deltas))
+	}
+}
+
+func TestDiffDetectsChanges(t *testing.T) {
+	a := DimensionConfig{
+		AutomationLevel: AutoFull,
+		HumanInLoop:     HILNone,
+		DecisionBinding: BindingFullyBinding,
+	}
+	b := DimensionConfig{
+		AutomationLevel: AutoAssistive,
+		HumanInLoop:     HILRequired,
+		DecisionBinding: BindingHumanReview,
+	}
+	deltas := a.Diff(&b)
+
+	changed := make(map[string]bool)
+	for _, d := range deltas {
+		changed[d.Dimension] = true
+	}
+	for _, dim := range []string{"automation_level", "human_in_loop", "decision_binding"} {
+		if !changed[dim] {
+			t.Errorf("expected %q in deltas", dim)
+		}
+	}
+}
+
+func TestClone(t *testing.T) {
+	orig := DimensionConfig{
+		AutomationLevel: AutoFull,
+		Domain:          DomainHR,
+	}
+	clone := orig.Clone()
+	clone.AutomationLevel = AutoAssistive
+	if orig.AutomationLevel != AutoFull {
+		t.Error("clone modified original")
+	}
+}
+
+func TestMapIntakeToDimensions(t *testing.T) {
+	intake := &ucca.UseCaseIntake{
+		Domain:     "hr",
+		Automation: ucca.AutomationFullyAutomated,
+		DataTypes: ucca.DataTypes{
+			PersonalData: true,
+			Article9Data: true,
+		},
+		Purpose: ucca.Purpose{
+			DecisionMaking: true,
+		},
+		Outputs: ucca.Outputs{
+			LegalEffects: true,
+		},
+		ModelUsage: ucca.ModelUsage{
+			Training: true,
+		},
+	}
+
+	config := MapIntakeToDimensions(intake)
+
+	tests := []struct {
+		dimension string
+		expected  string
+	}{
+		{"automation_level", "full"},
+		{"domain", "hr"},
+		{"data_type", "sensitive"},
+		{"decision_impact", "high"},
+		{"model_type", "blackbox_llm"},
+		{"human_in_loop", "none"},
+		{"decision_binding", "fully_binding"},
+	}
+	for _, tc := range tests {
+		got := config.GetValue(tc.dimension)
+		if got != tc.expected {
+			t.Errorf("MapIntakeToDimensions: %s = %q, want %q", tc.dimension, got, tc.expected)
+		}
+	}
+}
+
+func TestMapIntakeToDimensionsBiometricWins(t *testing.T) {
+	intake := &ucca.UseCaseIntake{
+		DataTypes: ucca.DataTypes{
+			PersonalData:  true,
+			Article9Data:  true,
+			BiometricData: true,
+		},
+	}
+	config := MapIntakeToDimensions(intake)
+	if config.DataType != DataBiometric {
+		t.Errorf("expected biometric (highest sensitivity), got %s", config.DataType)
+	}
+}
+
+func TestMapDimensionsToIntakePreservesOriginal(t *testing.T) {
+	original := &ucca.UseCaseIntake{
+		UseCaseText: "Test use case",
+		Domain:      "hr",
+		Title:       "My Assessment",
+		Automation:  ucca.AutomationFullyAutomated,
+		DataTypes: ucca.DataTypes{
+			PersonalData: true,
+		},
+		Hosting: ucca.Hosting{
+			Region: "eu",
+		},
+	}
+
+	config := &DimensionConfig{
+		AutomationLevel: AutoAssistive,
+		DataType:        DataPersonal,
+		Domain:          DomainHR,
+	}
+
+	result := MapDimensionsToIntake(config, original)
+
+	if result.UseCaseText != "Test use case" {
+		t.Error("MapDimensionsToIntake did not preserve UseCaseText")
+	}
+	if result.Title != "My Assessment" {
+		t.Error("MapDimensionsToIntake did not preserve Title")
+	}
+	if result.Hosting.Region != "eu" {
+		t.Error("MapDimensionsToIntake did not preserve Hosting")
+	}
+	if result.Automation != ucca.AutomationAssistive {
+		t.Errorf("expected assistive automation, got %s", result.Automation)
+	}
+}
+
+func TestAllValuesComplete(t *testing.T) {
+	for _, dim := range allDimensions {
+		vals, ok := AllValues[dim]
+		if !ok {
+			t.Errorf("AllValues missing dimension %q", dim)
+		}
+		if len(vals) == 0 {
+			t.Errorf("AllValues[%q] is empty", dim)
+		}
+	}
+}

ai-compliance-sdk/internal/maximizer/evaluator.go

@@ -0,0 +1,218 @@
+package maximizer
+
+// Zone classifies a dimension value's regulatory status.
+type Zone string
+
+const (
+	ZoneForbidden  Zone = "FORBIDDEN"
+	ZoneRestricted Zone = "RESTRICTED"
+	ZoneSafe       Zone = "SAFE"
+)
+
+// ZoneInfo classifies a single dimension value within the constraint space.
+type ZoneInfo struct {
+	Dimension       string   `json:"dimension"`
+	CurrentValue    string   `json:"current_value"`
+	Zone            Zone     `json:"zone"`
+	AllowedValues   []string `json:"allowed_values,omitempty"`
+	ForbiddenValues []string `json:"forbidden_values,omitempty"`
+	Safeguards      []string `json:"safeguards,omitempty"`
+	Reason          string   `json:"reason"`
+	ObligationRefs  []string `json:"obligation_refs"`
+}
+
+// Violation is a hard block triggered by a constraint rule.
+type Violation struct {
+	RuleID       string `json:"rule_id"`
+	ObligationID string `json:"obligation_id"`
+	ArticleRef   string `json:"article_ref"`
+	Title        string `json:"title"`
+	Description  string `json:"description"`
+	Dimension    string `json:"dimension,omitempty"`
+}
+
+// Restriction is a safeguard requirement (yellow zone).
+type Restriction struct {
+	RuleID       string            `json:"rule_id"`
+	ObligationID string            `json:"obligation_id"`
+	ArticleRef   string            `json:"article_ref"`
+	Title        string            `json:"title"`
+	Required     map[string]string `json:"required"`
+}
+
+// TriggeredConstraint records which constraint rule was triggered and why.
+type TriggeredConstraint struct {
+	RuleID       string `json:"rule_id"`
+	ObligationID string `json:"obligation_id"`
+	Regulation   string `json:"regulation"`
+	ArticleRef   string `json:"article_ref"`
+	Title        string `json:"title"`
+	RuleType     string `json:"rule_type"`
+}
+
+// EvaluationResult is the complete 3-zone analysis of a DimensionConfig.
+type EvaluationResult struct {
+	IsCompliant        bool                    `json:"is_compliant"`
+	Violations         []Violation             `json:"violations"`
+	Restrictions       []Restriction           `json:"restrictions"`
+	ZoneMap            map[string]ZoneInfo     `json:"zone_map"`
+	RequiredControls   []string                `json:"required_controls"`
+	RequiredPatterns   []string                `json:"required_patterns"`
+	TriggeredRules     []TriggeredConstraint   `json:"triggered_rules"`
+	RiskClassification string                  `json:"risk_classification,omitempty"`
+}
+
+// Evaluator evaluates dimension configs against constraint rules.
+type Evaluator struct {
+	rules *ConstraintRuleSet
+}
+
+// NewEvaluator creates an evaluator from a loaded constraint ruleset.
+func NewEvaluator(rules *ConstraintRuleSet) *Evaluator {
+	return &Evaluator{rules: rules}
+}
+
+// Evaluate checks a config against all constraints and produces a 3-zone result.
+func (e *Evaluator) Evaluate(config *DimensionConfig) *EvaluationResult {
+	result := &EvaluationResult{
+		IsCompliant:      true,
+		ZoneMap:          make(map[string]ZoneInfo),
+		RequiredControls: []string{},
+		RequiredPatterns: []string{},
+	}
+
+	// Initialize all dimensions as SAFE
+	for _, dim := range allDimensions {
+		result.ZoneMap[dim] = ZoneInfo{
+			Dimension:    dim,
+			CurrentValue: config.GetValue(dim),
+			Zone:         ZoneSafe,
+		}
+	}
+
+	// Evaluate each rule
+	for _, rule := range e.rules.Rules {
+		e.evaluateRule(config, &rule, result)
+	}
+
+	// Apply risk classification if set
+	if result.RiskClassification == "" {
+		result.RiskClassification = string(config.RiskClassification)
+	}
+
+	return result
+}
+
+func (e *Evaluator) evaluateRule(config *DimensionConfig, rule *ConstraintRule, result *EvaluationResult) {
+	for _, constraint := range rule.Constraints {
+		if !constraint.If.Matches(config) {
+			continue
+		}
+
+		// Rule triggered
+		result.TriggeredRules = append(result.TriggeredRules, TriggeredConstraint{
+			RuleID:       rule.ID,
+			ObligationID: rule.ObligationID,
+			Regulation:   rule.Regulation,
+			ArticleRef:   rule.ArticleRef,
+			Title:        rule.Title,
+			RuleType:     rule.RuleType,
+		})
+
+		// Hard block?
+		if constraint.Then.Allowed != nil && !*constraint.Then.Allowed {
+			result.IsCompliant = false
+			result.Violations = append(result.Violations, Violation{
+				RuleID:       rule.ID,
+				ObligationID: rule.ObligationID,
+				ArticleRef:   rule.ArticleRef,
+				Title:        rule.Title,
+				Description:  rule.Description,
+			})
+			e.markForbiddenDimensions(config, constraint.If, rule, result)
+			continue
+		}
+
+		// Required values (yellow zone)?
+		if len(constraint.Then.RequiredValues) > 0 {
+			e.applyRequiredValues(config, constraint.Then.RequiredValues, rule, result)
+		}
+
+		// Risk classification override
+		if constraint.Then.SetRiskClassification != "" {
+			result.RiskClassification = constraint.Then.SetRiskClassification
+		}
+
+		// Collect controls and patterns
+		result.RequiredControls = appendUnique(result.RequiredControls, constraint.Then.RequiredControls...)
+		result.RequiredPatterns = appendUnique(result.RequiredPatterns, constraint.Then.RequiredPatterns...)
+	}
+}
+
+// markForbiddenDimensions marks the dimensions from the condition as FORBIDDEN.
+func (e *Evaluator) markForbiddenDimensions(
+	config *DimensionConfig, cond ConditionSet, rule *ConstraintRule, result *EvaluationResult,
+) {
+	for dim := range cond {
+		zi := result.ZoneMap[dim]
+		zi.Zone = ZoneForbidden
+		zi.Reason = rule.Title
+		zi.ObligationRefs = appendUnique(zi.ObligationRefs, rule.ArticleRef)
+		zi.ForbiddenValues = appendUnique(zi.ForbiddenValues, config.GetValue(dim))
+		result.ZoneMap[dim] = zi
+	}
+}
+
+// applyRequiredValues checks if required dimension values are met.
+func (e *Evaluator) applyRequiredValues(
+	config *DimensionConfig, required map[string]string, rule *ConstraintRule, result *EvaluationResult,
+) {
+	unmet := make(map[string]string)
+	for dim, requiredVal := range required {
+		actual := config.GetValue(dim)
+		if actual != requiredVal {
+			unmet[dim] = requiredVal
+			// Mark as RESTRICTED (upgrade from SAFE, but don't downgrade from FORBIDDEN)
+			zi := result.ZoneMap[dim]
+			if zi.Zone != ZoneForbidden {
+				zi.Zone = ZoneRestricted
+				zi.Reason = rule.Title
+				zi.AllowedValues = appendUnique(zi.AllowedValues, requiredVal)
+				zi.Safeguards = appendUnique(zi.Safeguards, rule.ArticleRef)
+				zi.ObligationRefs = appendUnique(zi.ObligationRefs, rule.ArticleRef)
+				result.ZoneMap[dim] = zi
+			}
+		}
+	}
+	if len(unmet) > 0 {
+		result.IsCompliant = false
+		result.Restrictions = append(result.Restrictions, Restriction{
+			RuleID:       rule.ID,
+			ObligationID: rule.ObligationID,
+			ArticleRef:   rule.ArticleRef,
+			Title:        rule.Title,
+			Required:     unmet,
+		})
+	}
+}
+
+var allDimensions = []string{
+	"automation_level", "decision_binding", "decision_impact", "domain",
+	"data_type", "human_in_loop", "explainability", "risk_classification",
+	"legal_basis", "transparency_required", "logging_required",
+	"model_type", "deployment_scope",
+}
+
+func appendUnique(slice []string, items ...string) []string {
+	seen := make(map[string]bool, len(slice))
+	for _, s := range slice {
+		seen[s] = true
+	}
+	for _, item := range items {
+		if item != "" && !seen[item] {
+			slice = append(slice, item)
+			seen[item] = true
+		}
+	}
+	return slice
+}

ai-compliance-sdk/internal/maximizer/evaluator_test.go

@@ -0,0 +1,229 @@
+package maximizer
+
+import (
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+func loadTestRules(t *testing.T) *ConstraintRuleSet {
+	t.Helper()
+	_, filename, _, ok := runtime.Caller(0)
+	if !ok {
+		t.Fatal("cannot determine test file location")
+	}
+	// Walk up from internal/maximizer/ to ai-compliance-sdk/
+	dir := filepath.Dir(filename) // internal/maximizer
+	dir = filepath.Dir(dir)       // internal
+	dir = filepath.Dir(dir)       // ai-compliance-sdk
+	path := filepath.Join(dir, "policies", "maximizer_constraints_v1.json")
+	rules, err := LoadConstraintRules(path)
+	if err != nil {
+		t.Fatalf("LoadConstraintRules: %v", err)
+	}
+	return rules
+}
+
+func TestLoadConstraintRules(t *testing.T) {
+	rules := loadTestRules(t)
+	if rules.Version != "1.0.0" {
+		t.Errorf("expected version 1.0.0, got %s", rules.Version)
+	}
+	if len(rules.Rules) < 20 {
+		t.Errorf("expected at least 20 rules, got %d", len(rules.Rules))
+	}
+}
+
+func TestEvalCompliantConfig(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		AutomationLevel:      AutoAssistive,
+		DecisionBinding:      BindingHumanReview,
+		DecisionImpact:       ImpactLow,
+		Domain:               DomainGeneral,
+		DataType:             DataNonPersonal,
+		HumanInLoop:          HILRequired,
+		Explainability:       ExplainBasic,
+		RiskClassification:   RiskMinimal,
+		LegalBasis:           LegalContract,
+		TransparencyRequired: false,
+		LoggingRequired:      false,
+		ModelType:            ModelRuleBased,
+		DeploymentScope:      ScopeInternal,
+	}
+
+	result := eval.Evaluate(config)
+	if !result.IsCompliant {
+		t.Errorf("expected compliant, got violations: %+v", result.Violations)
+	}
+	// All dimensions should be SAFE
+	for dim, zi := range result.ZoneMap {
+		if zi.Zone != ZoneSafe {
+			t.Errorf("dimension %s: expected SAFE, got %s", dim, zi.Zone)
+		}
+	}
+}
+
+func TestEvalHRFullAutomationBlocked(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		AutomationLevel:      AutoFull,
+		DecisionBinding:      BindingFullyBinding,
+		DecisionImpact:       ImpactHigh,
+		Domain:               DomainHR,
+		DataType:             DataPersonal,
+		HumanInLoop:          HILNone,
+		Explainability:       ExplainNone,
+		RiskClassification:   RiskMinimal,
+		LegalBasis:           LegalContract,
+		TransparencyRequired: false,
+		LoggingRequired:      false,
+		ModelType:            ModelBlackboxLLM,
+		DeploymentScope:      ScopeExternal,
+	}
+
+	result := eval.Evaluate(config)
+	if result.IsCompliant {
+		t.Error("expected non-compliant for HR full automation")
+	}
+	if len(result.Violations) == 0 {
+		t.Error("expected at least one violation")
+	}
+
+	// automation_level should be FORBIDDEN
+	zi := result.ZoneMap["automation_level"]
+	if zi.Zone != ZoneForbidden {
+		t.Errorf("automation_level: expected FORBIDDEN, got %s", zi.Zone)
+	}
+}
+
+func TestEvalProhibitedClassification(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		RiskClassification: RiskProhibited,
+		DeploymentScope:    ScopePublic,
+	}
+
+	result := eval.Evaluate(config)
+	if result.IsCompliant {
+		t.Error("expected non-compliant for prohibited classification")
+	}
+
+	found := false
+	for _, v := range result.Violations {
+		if v.RuleID == "MC-AIA-PROHIBITED-001" {
+			found = true
+		}
+	}
+	if !found {
+		t.Error("expected MC-AIA-PROHIBITED-001 violation")
+	}
+}
+
+func TestEvalSensitiveDataRequiresConsent(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		DataType:   DataSensitive,
+		LegalBasis: LegalLegitimateInterest, // wrong basis for sensitive
+	}
+
+	result := eval.Evaluate(config)
+	if result.IsCompliant {
+		t.Error("expected non-compliant: sensitive data without consent")
+	}
+
+	// Should require consent
+	found := false
+	for _, r := range result.Restrictions {
+		if val, ok := r.Required["legal_basis"]; ok && val == "consent" {
+			found = true
+		}
+	}
+	if !found {
+		t.Error("expected restriction requiring legal_basis=consent")
+	}
+}
+
+func TestEvalHighRiskRequiresLogging(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		RiskClassification:   RiskHigh,
+		LoggingRequired:      false,
+		TransparencyRequired: false,
+		HumanInLoop:          HILNone,
+		Explainability:       ExplainNone,
+	}
+
+	result := eval.Evaluate(config)
+	if result.IsCompliant {
+		t.Error("expected non-compliant: high risk without logging/transparency/hil")
+	}
+
+	// Check logging_required is RESTRICTED
+	zi := result.ZoneMap["logging_required"]
+	if zi.Zone != ZoneRestricted {
+		t.Errorf("logging_required: expected RESTRICTED, got %s", zi.Zone)
+	}
+}
+
+func TestEvalTriggeredRulesHaveObligationRefs(t *testing.T) {
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+
+	config := &DimensionConfig{
+		AutomationLevel: AutoFull,
+		DecisionImpact:  ImpactHigh,
+		Domain:          DomainHR,
+		DataType:        DataPersonal,
+	}
+
+	result := eval.Evaluate(config)
+	for _, tr := range result.TriggeredRules {
+		if tr.RuleID == "" {
+			t.Error("triggered rule missing RuleID")
+		}
+		if tr.ObligationID == "" {
+			t.Error("triggered rule missing ObligationID")
+		}
+		if tr.ArticleRef == "" {
+			t.Error("triggered rule missing ArticleRef")
+		}
+	}
+}
+
+func TestConditionSetMatchesExact(t *testing.T) {
+	config := &DimensionConfig{
+		Domain:         DomainHR,
+		DecisionImpact: ImpactHigh,
+	}
+
+	tests := []struct {
+		name    string
+		cond    ConditionSet
+		matches bool
+	}{
+		{"exact match", ConditionSet{"domain": "hr", "decision_impact": "high"}, true},
+		{"partial match fails", ConditionSet{"domain": "hr", "decision_impact": "low"}, false},
+		{"unknown value", ConditionSet{"domain": "finance"}, false},
+		{"empty condition", ConditionSet{}, true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.cond.Matches(config)
+			if got != tc.matches {
+				t.Errorf("expected %v, got %v", tc.matches, got)
+			}
+		})
+	}
+}

ai-compliance-sdk/internal/maximizer/intake_mapper.go

@@ -0,0 +1,225 @@
+package maximizer
+
+import (
+	"strings"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+)
+
+// MapIntakeToDimensions converts a UseCaseIntake to a normalized DimensionConfig.
+// Highest sensitivity wins for multi-value fields.
+func MapIntakeToDimensions(intake *ucca.UseCaseIntake) *DimensionConfig {
+	config := &DimensionConfig{
+		AutomationLevel:      mapAutomation(intake.Automation),
+		DecisionBinding:      deriveBinding(intake),
+		DecisionImpact:       deriveImpact(intake),
+		Domain:               mapDomain(intake.Domain),
+		DataType:             deriveDataType(intake.DataTypes),
+		HumanInLoop:          deriveHIL(intake.Automation),
+		Explainability:       ExplainBasic, // default
+		RiskClassification:   RiskMinimal,  // will be set by evaluator
+		LegalBasis:           LegalContract, // default
+		TransparencyRequired: false,
+		LoggingRequired:      false,
+		ModelType:            deriveModelType(intake.ModelUsage),
+		DeploymentScope:      deriveScope(intake),
+	}
+	return config
+}
+
+// MapDimensionsToIntake converts a DimensionConfig back to a UseCaseIntake,
+// preserving unchanged fields from the original intake.
+func MapDimensionsToIntake(config *DimensionConfig, original *ucca.UseCaseIntake) *ucca.UseCaseIntake {
+	result := *original // shallow copy
+
+	// Map automation level
+	switch config.AutomationLevel {
+	case AutoNone:
+		result.Automation = ucca.AutomationAssistive
+	case AutoAssistive:
+		result.Automation = ucca.AutomationAssistive
+	case AutoPartial:
+		result.Automation = ucca.AutomationSemiAutomated
+	case AutoFull:
+		result.Automation = ucca.AutomationFullyAutomated
+	}
+
+	// Map data type back
+	result.DataTypes = mapDataTypeBack(config.DataType, original.DataTypes)
+
+	// Map domain back
+	result.Domain = mapDomainBack(config.Domain, original.Domain)
+
+	return &result
+}
+
+func mapAutomation(a ucca.AutomationLevel) AutomationLevel {
+	switch a {
+	case ucca.AutomationAssistive:
+		return AutoAssistive
+	case ucca.AutomationSemiAutomated:
+		return AutoPartial
+	case ucca.AutomationFullyAutomated:
+		return AutoFull
+	default:
+		return AutoNone
+	}
+}
+
+func deriveBinding(intake *ucca.UseCaseIntake) DecisionBinding {
+	if intake.Outputs.LegalEffects || intake.Outputs.AccessDecisions {
+		if intake.Automation == ucca.AutomationFullyAutomated {
+			return BindingFullyBinding
+		}
+		return BindingHumanReview
+	}
+	return BindingNonBinding
+}
+
+func deriveImpact(intake *ucca.UseCaseIntake) DecisionImpact {
+	if intake.Outputs.LegalEffects || intake.Outputs.AccessDecisions {
+		return ImpactHigh
+	}
+	if intake.Outputs.RankingsOrScores || intake.Purpose.EvaluationScoring || intake.Purpose.DecisionMaking {
+		return ImpactMedium
+	}
+	return ImpactLow
+}
+
+func mapDomain(d ucca.Domain) DomainCategory {
+	switch d {
+	case "hr", "human_resources":
+		return DomainHR
+	case "finance", "banking", "insurance", "investment":
+		return DomainFinance
+	case "education", "school", "university":
+		return DomainEducation
+	case "health", "healthcare", "medical":
+		return DomainHealth
+	case "marketing", "advertising":
+		return DomainMarketing
+	default:
+		return DomainGeneral
+	}
+}
+
+func deriveDataType(dt ucca.DataTypes) DataTypeSensitivity {
+	// Highest sensitivity wins
+	if dt.BiometricData {
+		return DataBiometric
+	}
+	if dt.Article9Data {
+		return DataSensitive
+	}
+	if dt.PersonalData || dt.EmployeeData || dt.CustomerData ||
+		dt.FinancialData || dt.MinorData || dt.LocationData ||
+		dt.Images || dt.Audio {
+		return DataPersonal
+	}
+	return DataNonPersonal
+}
+
+func deriveHIL(a ucca.AutomationLevel) HumanInLoopLevel {
+	switch a {
+	case ucca.AutomationAssistive:
+		return HILRequired
+	case ucca.AutomationSemiAutomated:
+		return HILOptional
+	case ucca.AutomationFullyAutomated:
+		return HILNone
+	default:
+		return HILRequired
+	}
+}
+
+func deriveModelType(mu ucca.ModelUsage) ModelType {
+	if mu.RAG && !mu.Training && !mu.Finetune {
+		return ModelRuleBased
+	}
+	if mu.Training || mu.Finetune {
+		return ModelBlackboxLLM
+	}
+	return ModelStatistical
+}
+
+func deriveScope(intake *ucca.UseCaseIntake) DeploymentScope {
+	if intake.Purpose.PublicService || intake.Outputs.DataExport {
+		return ScopePublic
+	}
+	if intake.Purpose.CustomerSupport || intake.Purpose.Marketing {
+		return ScopeExternal
+	}
+	return ScopeInternal
+}
+
+func mapDataTypeBack(dt DataTypeSensitivity, original ucca.DataTypes) ucca.DataTypes {
+	result := original
+	switch dt {
+	case DataNonPersonal:
+		result.PersonalData = false
+		result.Article9Data = false
+		result.BiometricData = false
+	case DataPersonal:
+		result.PersonalData = true
+		result.Article9Data = false
+		result.BiometricData = false
+	case DataSensitive:
+		result.PersonalData = true
+		result.Article9Data = true
+		result.BiometricData = false
+	case DataBiometric:
+		result.PersonalData = true
+		result.Article9Data = true
+		result.BiometricData = true
+	}
+	return result
+}
+
+// EnrichDimensionsFromProfile adjusts dimensions based on company profile data.
+func EnrichDimensionsFromProfile(config *DimensionConfig, profile *ucca.CompanyProfileInput) {
+	if profile == nil {
+		return
+	}
+
+	// Domain override from company industry (if config still generic)
+	if config.Domain == DomainGeneral && profile.Industry != "" {
+		lower := strings.ToLower(profile.Industry)
+		switch {
+		case strings.Contains(lower, "gesundheit") || strings.Contains(lower, "health"):
+			config.Domain = DomainHealth
+		case strings.Contains(lower, "finanz") || strings.Contains(lower, "bank") || strings.Contains(lower, "versicherung"):
+			config.Domain = DomainFinance
+		case strings.Contains(lower, "bildung") || strings.Contains(lower, "schule"):
+			config.Domain = DomainEducation
+		case strings.Contains(lower, "personal") || strings.Contains(lower, "hr"):
+			config.Domain = DomainHR
+		case strings.Contains(lower, "marketing"):
+			config.Domain = DomainMarketing
+		}
+	}
+
+	// NIS2/AI-Act regulatory flags
+	if profile.SubjectToNIS2 {
+		config.LoggingRequired = true
+	}
+	if profile.SubjectToAIAct {
+		config.TransparencyRequired = true
+	}
+}
+
+func mapDomainBack(dc DomainCategory, original ucca.Domain) ucca.Domain {
+	switch dc {
+	case DomainHR:
+		return "hr"
+	case DomainFinance:
+		return "finance"
+	case DomainEducation:
+		return "education"
+	case DomainHealth:
+		return "health"
+	case DomainMarketing:
+		return "marketing"
+	default:
+		return original
+	}
+}

ai-compliance-sdk/internal/maximizer/optimizer.go

@@ -0,0 +1,291 @@
+package maximizer
+
+import "sort"
+
+const maxVariants = 5
+
+// OptimizedVariant is a single compliant configuration with scoring.
+type OptimizedVariant struct {
+	Config         DimensionConfig  `json:"config"`
+	Evaluation     *EvaluationResult `json:"evaluation"`
+	Deltas         []DimensionDelta `json:"deltas"`
+	DeltaCount     int              `json:"delta_count"`
+	SafetyScore    int              `json:"safety_score"`
+	UtilityScore   int              `json:"utility_score"`
+	CompositeScore float64          `json:"composite_score"`
+	Rationale      string           `json:"rationale"`
+}
+
+// OptimizationResult contains the original evaluation and ranked compliant variants.
+type OptimizationResult struct {
+	OriginalConfig    DimensionConfig    `json:"original_config"`
+	OriginalCompliant bool               `json:"original_compliant"`
+	OriginalEval      *EvaluationResult  `json:"original_evaluation"`
+	Variants          []OptimizedVariant `json:"variants"`
+	MaxSafeConfig     *OptimizedVariant  `json:"max_safe_config"`
+}
+
+// Optimizer finds the maximum compliant configuration variant.
+type Optimizer struct {
+	evaluator *Evaluator
+	weights   ScoreWeights
+}
+
+// NewOptimizer creates an optimizer backed by the given evaluator.
+func NewOptimizer(evaluator *Evaluator) *Optimizer {
+	return &Optimizer{evaluator: evaluator, weights: DefaultWeights}
+}
+
+// Optimize takes a desired (possibly non-compliant) config and returns
+// ranked compliant alternatives.
+func (o *Optimizer) Optimize(desired *DimensionConfig) *OptimizationResult {
+	eval := o.evaluator.Evaluate(desired)
+	result := &OptimizationResult{
+		OriginalConfig:    *desired,
+		OriginalCompliant: eval.IsCompliant,
+		OriginalEval:      eval,
+	}
+
+	if eval.IsCompliant {
+		variant := o.scoreVariant(desired, desired, eval)
+		variant.Rationale = "Konfiguration ist bereits konform"
+		result.Variants = []OptimizedVariant{variant}
+		result.MaxSafeConfig = &result.Variants[0]
+		return result
+	}
+
+	// Check for hard prohibitions that cannot be optimized
+	if o.hasProhibitedClassification(desired) {
+		result.Variants = []OptimizedVariant{}
+		return result
+	}
+
+	candidates := o.generateCandidates(desired, eval)
+	result.Variants = candidates
+	if len(candidates) > 0 {
+		result.MaxSafeConfig = &result.Variants[0]
+	}
+	return result
+}
+
+func (o *Optimizer) hasProhibitedClassification(config *DimensionConfig) bool {
+	return config.RiskClassification == RiskProhibited
+}
+
+// generateCandidates builds compliant variants by fixing violations.
+func (o *Optimizer) generateCandidates(desired *DimensionConfig, eval *EvaluationResult) []OptimizedVariant {
+	// Strategy 1: Fix all violations in one pass (greedy nearest fix)
+	greedy := o.greedyFix(desired, eval)
+	var candidates []OptimizedVariant
+
+	if greedy != nil {
+		greedyEval := o.evaluator.Evaluate(&greedy.Config)
+		if greedyEval.IsCompliant {
+			v := o.scoreVariant(desired, &greedy.Config, greedyEval)
+			v.Rationale = "Minimale Anpassung — naechster konformer Zustand"
+			candidates = append(candidates, v)
+		}
+	}
+
+	// Strategy 2: Conservative variant (maximum safety)
+	conservative := o.conservativeFix(desired, eval)
+	if conservative != nil {
+		consEval := o.evaluator.Evaluate(&conservative.Config)
+		if consEval.IsCompliant {
+			v := o.scoreVariant(desired, &conservative.Config, consEval)
+			v.Rationale = "Konservative Variante — maximale regulatorische Sicherheit"
+			candidates = append(candidates, v)
+		}
+	}
+
+	// Strategy 3: Fix restricted dimensions too (belt-and-suspenders)
+	enhanced := o.enhancedFix(desired, eval)
+	if enhanced != nil {
+		enhEval := o.evaluator.Evaluate(&enhanced.Config)
+		if enhEval.IsCompliant {
+			v := o.scoreVariant(desired, &enhanced.Config, enhEval)
+			v.Rationale = "Erweiterte Variante — alle Einschraenkungen vorab behoben"
+			candidates = append(candidates, v)
+		}
+	}
+
+	// Deduplicate and sort by composite score
+	candidates = deduplicateVariants(candidates)
+	sort.Slice(candidates, func(i, j int) bool {
+		return candidates[i].CompositeScore > candidates[j].CompositeScore
+	})
+	if len(candidates) > maxVariants {
+		candidates = candidates[:maxVariants]
+	}
+	return candidates
+}
+
+// greedyFix applies the minimum change per violated dimension.
+func (o *Optimizer) greedyFix(desired *DimensionConfig, eval *EvaluationResult) *OptimizedVariant {
+	fixed := desired.Clone()
+
+	// Fix FORBIDDEN zones
+	for dim, zi := range eval.ZoneMap {
+		if zi.Zone != ZoneForbidden {
+			continue
+		}
+		o.fixDimension(&fixed, dim, eval)
+	}
+
+	// Fix RESTRICTED zones (required values not met)
+	for _, restriction := range eval.Restrictions {
+		for dim, requiredVal := range restriction.Required {
+			fixed.SetValue(dim, requiredVal)
+		}
+	}
+
+	// Re-evaluate and iterate (max 3 passes to converge)
+	for i := 0; i < 3; i++ {
+		reEval := o.evaluator.Evaluate(&fixed)
+		if reEval.IsCompliant {
+			break
+		}
+		for dim, zi := range reEval.ZoneMap {
+			if zi.Zone == ZoneForbidden {
+				o.fixDimension(&fixed, dim, reEval)
+			}
+		}
+		for _, restriction := range reEval.Restrictions {
+			for dim, requiredVal := range restriction.Required {
+				fixed.SetValue(dim, requiredVal)
+			}
+		}
+	}
+
+	return &OptimizedVariant{Config: fixed}
+}
+
+// conservativeFix chooses the safest allowed value for each violated dimension.
+func (o *Optimizer) conservativeFix(desired *DimensionConfig, eval *EvaluationResult) *OptimizedVariant {
+	fixed := desired.Clone()
+
+	for dim, zi := range eval.ZoneMap {
+		if zi.Zone == ZoneSafe {
+			continue
+		}
+		// Use the safest (lowest ordinal risk) value
+		vals := AllValues[dim]
+		if len(vals) > 0 {
+			fixed.SetValue(dim, vals[0]) // index 0 = safest
+		}
+	}
+
+	// Apply all required values
+	for _, restriction := range eval.Restrictions {
+		for dim, val := range restriction.Required {
+			fixed.SetValue(dim, val)
+		}
+	}
+
+	return &OptimizedVariant{Config: fixed}
+}
+
+// enhancedFix fixes violations AND proactively resolves restrictions.
+func (o *Optimizer) enhancedFix(desired *DimensionConfig, eval *EvaluationResult) *OptimizedVariant {
+	fixed := desired.Clone()
+
+	// Fix all non-SAFE dimensions
+	for dim, zi := range eval.ZoneMap {
+		if zi.Zone == ZoneSafe {
+			continue
+		}
+		if len(zi.AllowedValues) > 0 {
+			fixed.SetValue(dim, zi.AllowedValues[0])
+		} else {
+			o.fixDimension(&fixed, dim, eval)
+		}
+	}
+
+	// Apply required values
+	for _, restriction := range eval.Restrictions {
+		for dim, val := range restriction.Required {
+			fixed.SetValue(dim, val)
+		}
+	}
+
+	// Re-evaluate to converge
+	for i := 0; i < 3; i++ {
+		reEval := o.evaluator.Evaluate(&fixed)
+		if reEval.IsCompliant {
+			break
+		}
+		for _, restriction := range reEval.Restrictions {
+			for dim, val := range restriction.Required {
+				fixed.SetValue(dim, val)
+			}
+		}
+	}
+
+	return &OptimizedVariant{Config: fixed}
+}
+
+// fixDimension steps the dimension to the nearest safer value.
+func (o *Optimizer) fixDimension(config *DimensionConfig, dim string, eval *EvaluationResult) {
+	vals := AllValues[dim]
+	if len(vals) == 0 {
+		return
+	}
+	current := config.GetValue(dim)
+	currentIdx := indexOf(vals, current)
+	if currentIdx < 0 {
+		config.SetValue(dim, vals[0])
+		return
+	}
+
+	// For risk-ordered dimensions, step toward the safer end (lower index).
+	// For inverse dimensions (human_in_loop, explainability), lower index = more safe.
+	if currentIdx > 0 {
+		config.SetValue(dim, vals[currentIdx-1])
+	}
+}
+
+func (o *Optimizer) scoreVariant(original, variant *DimensionConfig, eval *EvaluationResult) OptimizedVariant {
+	deltas := original.Diff(variant)
+	safety := ComputeSafetyScore(eval)
+	utility := ComputeUtilityScore(original, variant)
+	composite := ComputeCompositeScore(safety, utility, o.weights)
+	return OptimizedVariant{
+		Config:         *variant,
+		Evaluation:     eval,
+		Deltas:         deltas,
+		DeltaCount:     len(deltas),
+		SafetyScore:    safety,
+		UtilityScore:   utility,
+		CompositeScore: composite,
+	}
+}
+
+func indexOf(slice []string, val string) int {
+	for i, v := range slice {
+		if v == val {
+			return i
+		}
+	}
+	return -1
+}
+
+func deduplicateVariants(variants []OptimizedVariant) []OptimizedVariant {
+	seen := make(map[string]bool)
+	var unique []OptimizedVariant
+	for _, v := range variants {
+		key := configKey(&v.Config)
+		if !seen[key] {
+			seen[key] = true
+			unique = append(unique, v)
+		}
+	}
+	return unique
+}
+
+func configKey(c *DimensionConfig) string {
+	var key string
+	for _, dim := range allDimensions {
+		key += dim + "=" + c.GetValue(dim) + ";"
+	}
+	return key
+}

ai-compliance-sdk/internal/maximizer/optimizer_test.go

@@ -0,0 +1,300 @@
+package maximizer
+
+import "testing"
+
+func newTestOptimizer(t *testing.T) *Optimizer {
+	t.Helper()
+	rules := loadTestRules(t)
+	eval := NewEvaluator(rules)
+	return NewOptimizer(eval)
+}
+
+// --- Golden Test Cases ---
+
+func TestGC01_HRFullAutomationBlocked(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel:    AutoFull,
+		DecisionBinding:    BindingFullyBinding,
+		DecisionImpact:     ImpactHigh,
+		Domain:             DomainHR,
+		DataType:           DataPersonal,
+		HumanInLoop:        HILNone,
+		Explainability:     ExplainNone,
+		RiskClassification: RiskMinimal,
+		LegalBasis:         LegalContract,
+		ModelType:          ModelBlackboxLLM,
+		DeploymentScope:    ScopeExternal,
+	}
+
+	result := opt.Optimize(config)
+	if result.OriginalCompliant {
+		t.Fatal("expected original to be non-compliant")
+	}
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected an optimized variant")
+	}
+
+	max := result.MaxSafeConfig
+	if max.Config.AutomationLevel == AutoFull {
+		t.Error("optimizer must change automation_level from full")
+	}
+	if max.Config.HumanInLoop != HILRequired {
+		t.Errorf("expected human_in_loop=required, got %s", max.Config.HumanInLoop)
+	}
+	if max.Config.DecisionBinding == BindingFullyBinding {
+		t.Error("expected decision_binding to change from fully_binding")
+	}
+	// Verify the optimized config is actually compliant
+	if !max.Evaluation.IsCompliant {
+		t.Errorf("MaxSafeConfig is not compliant: violations=%+v", max.Evaluation.Violations)
+	}
+}
+
+func TestGC02_HRRankingWithHumanReviewAllowed(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel:      AutoAssistive,
+		DecisionBinding:      BindingHumanReview,
+		DecisionImpact:       ImpactHigh,
+		Domain:               DomainHR,
+		DataType:             DataPersonal,
+		HumanInLoop:          HILRequired,
+		Explainability:       ExplainBasic,
+		RiskClassification:   RiskMinimal,
+		LegalBasis:           LegalContract,
+		TransparencyRequired: true,
+		LoggingRequired:      true,
+		ModelType:            ModelBlackboxLLM,
+		DeploymentScope:      ScopeExternal,
+	}
+
+	result := opt.Optimize(config)
+	// Should be allowed with conditions (requirements from high-risk classification)
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected a variant")
+	}
+}
+
+func TestGC05_SensitiveDataWithoutLegalBasis(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		DataType:        DataSensitive,
+		LegalBasis:      LegalLegitimateInterest,
+		DecisionImpact:  ImpactHigh,
+		Domain:          DomainHR,
+		AutomationLevel: AutoAssistive,
+		HumanInLoop:     HILRequired,
+		DecisionBinding: BindingHumanReview,
+	}
+
+	result := opt.Optimize(config)
+	if result.OriginalCompliant {
+		t.Error("expected non-compliant: sensitive data with legitimate_interest")
+	}
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected optimized variant")
+	}
+	if result.MaxSafeConfig.Config.LegalBasis != LegalConsent {
+		t.Errorf("expected legal_basis=consent, got %s", result.MaxSafeConfig.Config.LegalBasis)
+	}
+}
+
+func TestGC16_ProhibitedPracticeBlocked(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		RiskClassification: RiskProhibited,
+		DeploymentScope:    ScopePublic,
+	}
+
+	result := opt.Optimize(config)
+	if result.OriginalCompliant {
+		t.Error("expected non-compliant for prohibited")
+	}
+	// Prohibited = no optimization possible
+	if len(result.Variants) > 0 {
+		t.Error("expected no variants for prohibited classification")
+	}
+}
+
+func TestGC18_OptimizerMinimalChange(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel:    AutoFull,
+		DecisionBinding:    BindingFullyBinding,
+		DecisionImpact:     ImpactHigh,
+		Domain:             DomainHR,
+		DataType:           DataPersonal,
+		HumanInLoop:        HILNone,
+		Explainability:     ExplainBasic,
+		RiskClassification: RiskMinimal,
+		LegalBasis:         LegalContract,
+		ModelType:          ModelStatistical,
+		DeploymentScope:    ScopeInternal,
+	}
+
+	result := opt.Optimize(config)
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected optimized variant")
+	}
+
+	max := result.MaxSafeConfig
+	// Domain must NOT change
+	if max.Config.Domain != DomainHR {
+		t.Errorf("optimizer must not change domain: got %s", max.Config.Domain)
+	}
+	// Explainability was already basic, should stay
+	if max.Config.Explainability != ExplainBasic {
+		t.Errorf("optimizer should keep explainability=basic, got %s", max.Config.Explainability)
+	}
+	// Model type should not change unnecessarily
+	if max.Config.ModelType != ModelStatistical {
+		t.Errorf("optimizer should not change model_type unnecessarily, got %s", max.Config.ModelType)
+	}
+}
+
+func TestGC20_AlreadyCompliantNoChanges(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel:      AutoAssistive,
+		DecisionBinding:      BindingNonBinding,
+		DecisionImpact:       ImpactLow,
+		Domain:               DomainGeneral,
+		DataType:             DataNonPersonal,
+		HumanInLoop:          HILRequired,
+		Explainability:       ExplainBasic,
+		RiskClassification:   RiskMinimal,
+		LegalBasis:           LegalContract,
+		TransparencyRequired: false,
+		LoggingRequired:      false,
+		ModelType:            ModelRuleBased,
+		DeploymentScope:      ScopeInternal,
+	}
+
+	result := opt.Optimize(config)
+	if !result.OriginalCompliant {
+		t.Error("expected compliant")
+	}
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected variant")
+	}
+	if result.MaxSafeConfig.DeltaCount != 0 {
+		t.Errorf("expected 0 deltas for compliant config, got %d", result.MaxSafeConfig.DeltaCount)
+	}
+	if result.MaxSafeConfig.UtilityScore != 100 {
+		t.Errorf("expected utility 100, got %d", result.MaxSafeConfig.UtilityScore)
+	}
+}
+
+// --- Meta Tests ---
+
+func TestMT01_Determinism(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel: AutoFull,
+		DecisionImpact:  ImpactHigh,
+		Domain:          DomainHR,
+		DataType:        DataPersonal,
+		HumanInLoop:     HILNone,
+	}
+
+	r1 := opt.Optimize(config)
+	r2 := opt.Optimize(config)
+
+	if r1.OriginalCompliant != r2.OriginalCompliant {
+		t.Error("determinism failed: different compliance result")
+	}
+	if len(r1.Variants) != len(r2.Variants) {
+		t.Errorf("determinism failed: %d vs %d variants", len(r1.Variants), len(r2.Variants))
+	}
+	if r1.MaxSafeConfig != nil && r2.MaxSafeConfig != nil {
+		if r1.MaxSafeConfig.CompositeScore != r2.MaxSafeConfig.CompositeScore {
+			t.Error("determinism failed: different composite scores")
+		}
+	}
+}
+
+func TestMT03_ViolationsReferenceObligations(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel: AutoFull,
+		DecisionImpact:  ImpactHigh,
+		DataType:        DataSensitive,
+	}
+
+	result := opt.Optimize(config)
+	for _, v := range result.OriginalEval.Violations {
+		if v.ObligationID == "" {
+			t.Errorf("violation %s missing obligation reference", v.RuleID)
+		}
+	}
+	for _, tr := range result.OriginalEval.TriggeredRules {
+		if tr.ObligationID == "" {
+			t.Errorf("triggered rule %s missing obligation reference", tr.RuleID)
+		}
+	}
+}
+
+func TestMT05_OptimizerMinimality(t *testing.T) {
+	opt := newTestOptimizer(t)
+	// Config that only violates one dimension
+	config := &DimensionConfig{
+		AutomationLevel:      AutoAssistive,
+		DecisionBinding:      BindingHumanReview,
+		DecisionImpact:       ImpactLow,
+		Domain:               DomainGeneral,
+		DataType:             DataSensitive, // only violation: needs consent
+		HumanInLoop:          HILRequired,
+		Explainability:       ExplainBasic,
+		RiskClassification:   RiskMinimal,
+		LegalBasis:           LegalLegitimateInterest, // must change to consent
+		TransparencyRequired: false,
+		LoggingRequired:      false,
+		ModelType:            ModelRuleBased,
+		DeploymentScope:      ScopeInternal,
+	}
+
+	result := opt.Optimize(config)
+	if result.MaxSafeConfig == nil {
+		t.Fatal("expected optimized variant")
+	}
+
+	// Check that only compliance-related dimensions changed
+	for _, d := range result.MaxSafeConfig.Deltas {
+		switch d.Dimension {
+		case "legal_basis", "transparency_required", "logging_required", "data_type":
+			// Expected: legal_basis→consent, transparency, logging for sensitive data
+			// data_type→personal is from optimizer meta-rule (reduce unnecessary sensitivity)
+		default:
+			t.Errorf("unexpected dimension change: %s (%s → %s)", d.Dimension, d.From, d.To)
+		}
+	}
+}
+
+func TestOptimizeProducesRankedVariants(t *testing.T) {
+	opt := newTestOptimizer(t)
+	config := &DimensionConfig{
+		AutomationLevel: AutoFull,
+		DecisionImpact:  ImpactHigh,
+		Domain:          DomainHR,
+		DataType:        DataPersonal,
+		HumanInLoop:     HILNone,
+		Explainability:  ExplainNone,
+		ModelType:       ModelBlackboxLLM,
+		DeploymentScope: ScopeExternal,
+	}
+
+	result := opt.Optimize(config)
+	if len(result.Variants) < 2 {
+		t.Skipf("only %d variants generated", len(result.Variants))
+	}
+
+	// Verify descending composite score order
+	for i := 1; i < len(result.Variants); i++ {
+		if result.Variants[i].CompositeScore > result.Variants[i-1].CompositeScore {
+			t.Errorf("variants not sorted: [%d]=%.1f > [%d]=%.1f",
+				i, result.Variants[i].CompositeScore,
+				i-1, result.Variants[i-1].CompositeScore)
+		}
+	}
+}

ai-compliance-sdk/internal/maximizer/scoring.go

@@ -0,0 +1,84 @@
+package maximizer
+
+// ScoreWeights controls the balance between safety and business utility.
+type ScoreWeights struct {
+	Safety  float64 `json:"safety"`
+	Utility float64 `json:"utility"`
+}
+
+// DefaultWeights prioritizes business utility slightly over safety margin
+// since the optimizer already ensures compliance.
+var DefaultWeights = ScoreWeights{Safety: 0.4, Utility: 0.6}
+
+// dimensionBusinessWeight indicates how much business value each dimension
+// contributes. Higher = more costly to change for the business.
+var dimensionBusinessWeight = map[string]int{
+	"automation_level":      15,
+	"decision_binding":      12,
+	"deployment_scope":      10,
+	"model_type":            8,
+	"decision_impact":       7,
+	"explainability":        5,
+	"data_type":             5,
+	"human_in_loop":         5,
+	"legal_basis":           4,
+	"domain":                3,
+	"risk_classification":   3,
+	"transparency_required": 2,
+	"logging_required":      2,
+}
+
+// ComputeSafetyScore returns 0-100 where 100 = completely safe (no restrictions).
+// Decreases with each RESTRICTED or FORBIDDEN zone.
+func ComputeSafetyScore(eval *EvaluationResult) int {
+	if eval == nil {
+		return 0
+	}
+	total := len(allDimensions)
+	safe := 0
+	for _, zi := range eval.ZoneMap {
+		if zi.Zone == ZoneSafe {
+			safe++
+		}
+	}
+	if total == 0 {
+		return 100
+	}
+	return (safe * 100) / total
+}
+
+// ComputeUtilityScore returns 0-100 where 100 = no changes from original.
+// Decreases based on the business weight of each changed dimension.
+func ComputeUtilityScore(original, variant *DimensionConfig) int {
+	if original == nil || variant == nil {
+		return 0
+	}
+	deltas := original.Diff(variant)
+	if len(deltas) == 0 {
+		return 100
+	}
+
+	maxCost := 0
+	for _, w := range dimensionBusinessWeight {
+		maxCost += w
+	}
+
+	cost := 0
+	for _, d := range deltas {
+		w := dimensionBusinessWeight[d.Dimension]
+		if w == 0 {
+			w = 3 // default
+		}
+		cost += w
+	}
+
+	if cost >= maxCost {
+		return 0
+	}
+	return 100 - (cost*100)/maxCost
+}
+
+// ComputeCompositeScore combines safety and utility into a single ranking score.
+func ComputeCompositeScore(safety, utility int, weights ScoreWeights) float64 {
+	return weights.Safety*float64(safety) + weights.Utility*float64(utility)
+}

ai-compliance-sdk/internal/maximizer/scoring_test.go

@@ -0,0 +1,88 @@
+package maximizer
+
+import "testing"
+
+func TestSafetyScoreAllSafe(t *testing.T) {
+	zm := make(map[string]ZoneInfo)
+	for _, dim := range allDimensions {
+		zm[dim] = ZoneInfo{Zone: ZoneSafe}
+	}
+	eval := &EvaluationResult{ZoneMap: zm}
+	score := ComputeSafetyScore(eval)
+	if score != 100 {
+		t.Errorf("expected 100, got %d", score)
+	}
+}
+
+func TestSafetyScoreWithRestrictions(t *testing.T) {
+	zm := make(map[string]ZoneInfo)
+	for _, dim := range allDimensions {
+		zm[dim] = ZoneInfo{Zone: ZoneSafe}
+	}
+	// Mark 3 as restricted
+	zm["automation_level"] = ZoneInfo{Zone: ZoneRestricted}
+	zm["human_in_loop"] = ZoneInfo{Zone: ZoneRestricted}
+	zm["logging_required"] = ZoneInfo{Zone: ZoneForbidden}
+
+	eval := &EvaluationResult{ZoneMap: zm}
+	score := ComputeSafetyScore(eval)
+
+	safe := len(allDimensions) - 3
+	expected := (safe * 100) / len(allDimensions)
+	if score != expected {
+		t.Errorf("expected %d, got %d", expected, score)
+	}
+}
+
+func TestSafetyScoreNil(t *testing.T) {
+	if s := ComputeSafetyScore(nil); s != 0 {
+		t.Errorf("expected 0 for nil, got %d", s)
+	}
+}
+
+func TestUtilityScoreNoChanges(t *testing.T) {
+	config := &DimensionConfig{AutomationLevel: AutoFull}
+	score := ComputeUtilityScore(config, config)
+	if score != 100 {
+		t.Errorf("expected 100 for identical configs, got %d", score)
+	}
+}
+
+func TestUtilityScoreWithChanges(t *testing.T) {
+	original := &DimensionConfig{
+		AutomationLevel: AutoFull,
+		HumanInLoop:     HILNone,
+	}
+	variant := &DimensionConfig{
+		AutomationLevel: AutoAssistive,
+		HumanInLoop:     HILRequired,
+	}
+	score := ComputeUtilityScore(original, variant)
+	if score >= 100 {
+		t.Errorf("expected < 100 with changes, got %d", score)
+	}
+	if score <= 0 {
+		t.Errorf("expected > 0 for moderate changes, got %d", score)
+	}
+}
+
+func TestUtilityScoreNil(t *testing.T) {
+	if s := ComputeUtilityScore(nil, nil); s != 0 {
+		t.Errorf("expected 0 for nil, got %d", s)
+	}
+}
+
+func TestCompositeScore(t *testing.T) {
+	score := ComputeCompositeScore(80, 60, DefaultWeights)
+	expected := 0.4*80.0 + 0.6*60.0 // 32 + 36 = 68
+	if score != expected {
+		t.Errorf("expected %.1f, got %.1f", expected, score)
+	}
+}
+
+func TestCompositeScoreCustomWeights(t *testing.T) {
+	score := ComputeCompositeScore(100, 0, ScoreWeights{Safety: 1.0, Utility: 0.0})
+	if score != 100.0 {
+		t.Errorf("expected 100, got %.1f", score)
+	}
+}

ai-compliance-sdk/internal/maximizer/service.go

@@ -0,0 +1,167 @@
+package maximizer
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/breakpilot/ai-compliance-sdk/internal/ucca"
+	"github.com/google/uuid"
+)
+
+// Service contains the business logic for the Compliance Maximizer.
+type Service struct {
+	store     *Store
+	evaluator *Evaluator
+	optimizer *Optimizer
+	uccaStore *ucca.Store
+	rules     *ConstraintRuleSet
+}
+
+// NewService creates a maximizer service.
+func NewService(store *Store, uccaStore *ucca.Store, rules *ConstraintRuleSet) *Service {
+	eval := NewEvaluator(rules)
+	opt := NewOptimizer(eval)
+	return &Service{
+		store:     store,
+		evaluator: eval,
+		optimizer: opt,
+		uccaStore: uccaStore,
+		rules:     rules,
+	}
+}
+
+// OptimizeInput is the request to optimize a dimension config.
+type OptimizeInput struct {
+	Config   DimensionConfig `json:"config"`
+	Title    string          `json:"title"`
+	TenantID uuid.UUID       `json:"-"`
+	UserID   uuid.UUID       `json:"-"`
+}
+
+// OptimizeFromIntakeInput wraps a UCCA intake for optimization.
+type OptimizeFromIntakeInput struct {
+	Intake   ucca.UseCaseIntake `json:"intake"`
+	Title    string             `json:"title"`
+	TenantID uuid.UUID          `json:"-"`
+	UserID   uuid.UUID          `json:"-"`
+}
+
+// Optimize evaluates and optimizes a dimension config.
+func (s *Service) Optimize(ctx context.Context, in *OptimizeInput) (*Optimization, error) {
+	result := s.optimizer.Optimize(&in.Config)
+
+	o := &Optimization{
+		TenantID:           in.TenantID,
+		Title:              in.Title,
+		InputConfig:        in.Config,
+		IsCompliant:        result.OriginalCompliant,
+		OriginalEvaluation: *result.OriginalEval,
+		Variants:           result.Variants,
+		ZoneMap:            result.OriginalEval.ZoneMap,
+		ConstraintVersion:  s.rules.Version,
+		CreatedBy:          in.UserID,
+	}
+	if result.MaxSafeConfig != nil {
+		o.MaxSafeConfig = result.MaxSafeConfig
+	}
+
+	if err := s.store.CreateOptimization(ctx, o); err != nil {
+		return nil, fmt.Errorf("optimize: %w", err)
+	}
+	return o, nil
+}
+
+// OptimizeFromIntake maps a UCCA intake to dimensions and optimizes.
+func (s *Service) OptimizeFromIntake(ctx context.Context, in *OptimizeFromIntakeInput) (*Optimization, error) {
+	config := MapIntakeToDimensions(&in.Intake)
+	return s.Optimize(ctx, &OptimizeInput{
+		Config:   *config,
+		Title:    in.Title,
+		TenantID: in.TenantID,
+		UserID:   in.UserID,
+	})
+}
+
+// OptimizeFromAssessment loads an existing UCCA assessment and optimizes it.
+func (s *Service) OptimizeFromAssessment(ctx context.Context, assessmentID, tenantID, userID uuid.UUID) (*Optimization, error) {
+	assessment, err := s.uccaStore.GetAssessment(ctx, assessmentID)
+	if err != nil {
+		return nil, fmt.Errorf("load assessment %s: %w", assessmentID, err)
+	}
+	config := MapIntakeToDimensions(&assessment.Intake)
+	result := s.optimizer.Optimize(config)
+
+	o := &Optimization{
+		TenantID:           tenantID,
+		AssessmentID:       &assessmentID,
+		Title:              assessment.Title,
+		InputConfig:        *config,
+		IsCompliant:        result.OriginalCompliant,
+		OriginalEvaluation: *result.OriginalEval,
+		Variants:           result.Variants,
+		ZoneMap:            result.OriginalEval.ZoneMap,
+		ConstraintVersion:  s.rules.Version,
+		CreatedBy:          userID,
+	}
+	if result.MaxSafeConfig != nil {
+		o.MaxSafeConfig = result.MaxSafeConfig
+	}
+
+	if err := s.store.CreateOptimization(ctx, o); err != nil {
+		return nil, fmt.Errorf("optimize from assessment: %w", err)
+	}
+	return o, nil
+}
+
+// OptimizeFromIntakeWithProfileInput wraps intake + optional company profile.
+type OptimizeFromIntakeWithProfileInput struct {
+	Intake         ucca.UseCaseIntake        `json:"intake"`
+	CompanyProfile *ucca.CompanyProfileInput  `json:"company_profile,omitempty"`
+	Title          string                     `json:"title"`
+	TenantID       uuid.UUID                  `json:"-"`
+	UserID         uuid.UUID                  `json:"-"`
+}
+
+// OptimizeFromIntakeWithProfile maps intake to dimensions, enriches from profile, and optimizes.
+func (s *Service) OptimizeFromIntakeWithProfile(ctx context.Context, in *OptimizeFromIntakeWithProfileInput) (*Optimization, error) {
+	config := MapIntakeToDimensions(&in.Intake)
+	if in.CompanyProfile != nil {
+		EnrichDimensionsFromProfile(config, in.CompanyProfile)
+	}
+	return s.Optimize(ctx, &OptimizeInput{
+		Config:   *config,
+		Title:    in.Title,
+		TenantID: in.TenantID,
+		UserID:   in.UserID,
+	})
+}
+
+// Evaluate only evaluates without persisting (3-zone analysis).
+func (s *Service) Evaluate(config *DimensionConfig) *EvaluationResult {
+	return s.evaluator.Evaluate(config)
+}
+
+// GetOptimization retrieves a stored optimization.
+func (s *Service) GetOptimization(ctx context.Context, id uuid.UUID) (*Optimization, error) {
+	return s.store.GetOptimization(ctx, id)
+}
+
+// ListOptimizations returns optimizations for a tenant.
+func (s *Service) ListOptimizations(ctx context.Context, tenantID uuid.UUID, f *OptimizationFilters) ([]Optimization, int, error) {
+	return s.store.ListOptimizations(ctx, tenantID, f)
+}
+
+// DeleteOptimization removes an optimization.
+func (s *Service) DeleteOptimization(ctx context.Context, id uuid.UUID) error {
+	return s.store.DeleteOptimization(ctx, id)
+}
+
+// GetDimensionSchema returns the dimension schema for the frontend.
+func (s *Service) GetDimensionSchema() map[string][]string {
+	return AllValues
+}
+
+// GetConstraintRules returns the loaded rules for transparency.
+func (s *Service) GetConstraintRules() *ConstraintRuleSet {
+	return s.rules
+}

ai-compliance-sdk/internal/maximizer/store.go

@@ -0,0 +1,209 @@
+package maximizer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// Optimization is the DB entity for a maximizer optimization result.
+type Optimization struct {
+	ID                 uuid.UUID          `json:"id"`
+	TenantID           uuid.UUID          `json:"tenant_id"`
+	AssessmentID       *uuid.UUID         `json:"assessment_id,omitempty"`
+	Title              string             `json:"title"`
+	Status             string             `json:"status"`
+	InputConfig        DimensionConfig    `json:"input_config"`
+	IsCompliant        bool               `json:"is_compliant"`
+	OriginalEvaluation EvaluationResult   `json:"original_evaluation"`
+	MaxSafeConfig      *OptimizedVariant  `json:"max_safe_config,omitempty"`
+	Variants           []OptimizedVariant `json:"variants"`
+	ZoneMap            map[string]ZoneInfo `json:"zone_map"`
+	ConstraintVersion  string             `json:"constraint_version"`
+	CreatedAt          time.Time          `json:"created_at"`
+	UpdatedAt          time.Time          `json:"updated_at"`
+	CreatedBy          uuid.UUID          `json:"created_by"`
+}
+
+// Store handles maximizer data persistence.
+type Store struct {
+	pool *pgxpool.Pool
+}
+
+// NewStore creates a new maximizer store.
+func NewStore(pool *pgxpool.Pool) *Store {
+	return &Store{pool: pool}
+}
+
+// CreateOptimization persists a new optimization result.
+func (s *Store) CreateOptimization(ctx context.Context, o *Optimization) error {
+	o.ID = uuid.New()
+	o.CreatedAt = time.Now().UTC()
+	o.UpdatedAt = o.CreatedAt
+	if o.Status == "" {
+		o.Status = "completed"
+	}
+	if o.ConstraintVersion == "" {
+		o.ConstraintVersion = "1.0.0"
+	}
+
+	inputConfig, _ := json.Marshal(o.InputConfig)
+	originalEval, _ := json.Marshal(o.OriginalEvaluation)
+	maxSafe, _ := json.Marshal(o.MaxSafeConfig)
+	variants, _ := json.Marshal(o.Variants)
+	zoneMap, _ := json.Marshal(o.ZoneMap)
+
+	_, err := s.pool.Exec(ctx, `
+		INSERT INTO maximizer_optimizations (
+			id, tenant_id, assessment_id, title, status,
+			input_config, is_compliant, original_evaluation,
+			max_safe_config, variants, zone_map,
+			constraint_version, created_at, updated_at, created_by
+		) VALUES (
+			$1, $2, $3, $4, $5,
+			$6, $7, $8,
+			$9, $10, $11,
+			$12, $13, $14, $15
+		)`,
+		o.ID, o.TenantID, o.AssessmentID, o.Title, o.Status,
+		inputConfig, o.IsCompliant, originalEval,
+		maxSafe, variants, zoneMap,
+		o.ConstraintVersion, o.CreatedAt, o.UpdatedAt, o.CreatedBy,
+	)
+	if err != nil {
+		return fmt.Errorf("create optimization: %w", err)
+	}
+	return nil
+}
+
+// GetOptimization retrieves a single optimization by ID.
+func (s *Store) GetOptimization(ctx context.Context, id uuid.UUID) (*Optimization, error) {
+	row := s.pool.QueryRow(ctx, `
+		SELECT id, tenant_id, assessment_id, title, status,
+			input_config, is_compliant, original_evaluation,
+			max_safe_config, variants, zone_map,
+			constraint_version, created_at, updated_at, created_by
+		FROM maximizer_optimizations WHERE id = $1`, id)
+	return s.scanOptimization(row)
+}
+
+// OptimizationFilters for list queries.
+type OptimizationFilters struct {
+	IsCompliant *bool
+	Search      string
+	Limit       int
+	Offset      int
+}
+
+// ListOptimizations returns optimizations for a tenant.
+func (s *Store) ListOptimizations(ctx context.Context, tenantID uuid.UUID, f *OptimizationFilters) ([]Optimization, int, error) {
+	if f == nil {
+		f = &OptimizationFilters{}
+	}
+	if f.Limit <= 0 {
+		f.Limit = 20
+	}
+
+	where := "WHERE tenant_id = $1"
+	args := []interface{}{tenantID}
+	idx := 2
+
+	if f.IsCompliant != nil {
+		where += fmt.Sprintf(" AND is_compliant = $%d", idx)
+		args = append(args, *f.IsCompliant)
+		idx++
+	}
+	if f.Search != "" {
+		where += fmt.Sprintf(" AND title ILIKE $%d", idx)
+		args = append(args, "%"+f.Search+"%")
+		idx++
+	}
+
+	// Count
+	var total int
+	countQuery := "SELECT COUNT(*) FROM maximizer_optimizations " + where
+	if err := s.pool.QueryRow(ctx, countQuery, args...).Scan(&total); err != nil {
+		return nil, 0, fmt.Errorf("count optimizations: %w", err)
+	}
+
+	// Fetch
+	query := fmt.Sprintf(`
+		SELECT id, tenant_id, assessment_id, title, status,
+			input_config, is_compliant, original_evaluation,
+			max_safe_config, variants, zone_map,
+			constraint_version, created_at, updated_at, created_by
+		FROM maximizer_optimizations %s
+		ORDER BY created_at DESC
+		LIMIT $%d OFFSET $%d`, where, idx, idx+1)
+	args = append(args, f.Limit, f.Offset)
+
+	rows, err := s.pool.Query(ctx, query, args...)
+	if err != nil {
+		return nil, 0, fmt.Errorf("list optimizations: %w", err)
+	}
+	defer rows.Close()
+
+	var results []Optimization
+	for rows.Next() {
+		o, err := s.scanOptimizationRows(rows)
+		if err != nil {
+			return nil, 0, err
+		}
+		results = append(results, *o)
+	}
+	return results, total, nil
+}
+
+// DeleteOptimization removes an optimization.
+func (s *Store) DeleteOptimization(ctx context.Context, id uuid.UUID) error {
+	_, err := s.pool.Exec(ctx, `DELETE FROM maximizer_optimizations WHERE id = $1`, id)
+	if err != nil {
+		return fmt.Errorf("delete optimization: %w", err)
+	}
+	return nil
+}
+
+func (s *Store) scanOptimization(row pgx.Row) (*Optimization, error) {
+	var o Optimization
+	var inputConfig, originalEval, maxSafe, variants, zoneMap []byte
+	err := row.Scan(
+		&o.ID, &o.TenantID, &o.AssessmentID, &o.Title, &o.Status,
+		&inputConfig, &o.IsCompliant, &originalEval,
+		&maxSafe, &variants, &zoneMap,
+		&o.ConstraintVersion, &o.CreatedAt, &o.UpdatedAt, &o.CreatedBy,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("scan optimization: %w", err)
+	}
+	json.Unmarshal(inputConfig, &o.InputConfig)
+	json.Unmarshal(originalEval, &o.OriginalEvaluation)
+	json.Unmarshal(maxSafe, &o.MaxSafeConfig)
+	json.Unmarshal(variants, &o.Variants)
+	json.Unmarshal(zoneMap, &o.ZoneMap)
+	return &o, nil
+}
+
+func (s *Store) scanOptimizationRows(rows pgx.Rows) (*Optimization, error) {
+	var o Optimization
+	var inputConfig, originalEval, maxSafe, variants, zoneMap []byte
+	err := rows.Scan(
+		&o.ID, &o.TenantID, &o.AssessmentID, &o.Title, &o.Status,
+		&inputConfig, &o.IsCompliant, &originalEval,
+		&maxSafe, &variants, &zoneMap,
+		&o.ConstraintVersion, &o.CreatedAt, &o.UpdatedAt, &o.CreatedBy,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("scan optimization row: %w", err)
+	}
+	json.Unmarshal(inputConfig, &o.InputConfig)
+	json.Unmarshal(originalEval, &o.OriginalEvaluation)
+	json.Unmarshal(maxSafe, &o.MaxSafeConfig)
+	json.Unmarshal(variants, &o.Variants)
+	json.Unmarshal(zoneMap, &o.ZoneMap)
+	return &o, nil
+}